Browser Isolation and App Launcher

Tasks

Why?

  • Remote Browser Isolation (RBI) lets you insulate end-user devices from browser-targeting malware by running the browser on Cloudflare’s infrastructure.
  • Users can choose to use RBI on high-risk or sensitive websites, or you can enforce it for WARP traffic with Zero Trust rules. Enforced isolation is transparent to the user, and because it is very fast, users typically don’t even notice.
  • Access App Launcher lets your users conveniently view and open all applications and bookmarks they can access from a single dashboard.

Transparent RBI with WARP

1. Add an Isolate policy

  • Navigate to Gateway ‣ Firewall policies ‣ HTTP
  • Add a new policy that will Isolate all WARP traffic to yahoo.com using RBI
  • Disable keyboard on this site.
  • Create the policy

2. Test with WARP

Make sure your WARP client is connected and open yahoo.com. The page will probably load as normal, so how do you know it’s using RBI? One way to confirm is right-clicking anywhere on the page. Your browser’s default context menu will be replaced by RBI’s.

And since we’ve disabled the keyboard, another way to test that the page is being rendered by RBI is to press any key. You should see an error.


Clientless remote browser

For this next exercise, let’s enable clientless RBI that can be used without WARP.

Additionally, let’s lock down one of our existing apps and only allow traffic to it if it was filtered by our organization’s Cloudflare Gateway. It will then have to be accessed either through WARP or by using RBI.

1. Enable clientless RBI

  • Navigate to Settings ‣ Browser Isolation
  • Toggle Clientless Web Isolation ‣ Enabled, then under Permissions select Manage
  • Add a Rule with Action Allow. Under Include, grant permission to your email address and Save

2. Gateway posture check

Next, have the WARP client check that Gateway is being used.

  • Navigate to Settings ‣ WARP Client, scroll down until you reach Device posture, then under WARP client checks select Add new.
  • When the attribute menu appears, select the Gateway device posture attribute.
  • There are no parameters, so just add it.

3. Have intranet require Gateway

Finally, we’ll make our existing intranet app accessible only through Gateway.

  • Return to your intranet Access policy by navigating to Access ‣ Applications, open your intranet application and within it the policy you created previously
  • Below your Include rule, add a new Require rule with Selector set to Gateway
  • Save the policy.

4. Test with WARP

Now try to access the intranet URL from your VM with WARP turned on: https://intranet.<YOUR_DOMAIN>

This will work and the intranet will load, because the request through WARP uses Gateway, so the Selector you just created passes.

5. Test without WARP

Now turn off WARP and try reloading the page.

You should see a Forbidden failure message.

This is because your request no longer uses Gateway, and the Selector created above now fails.

Let’s now use clientless RBI to send the request through Gateway, even without WARP. Navigate to your Clientless Web Isolation URL https://<LAB_SLUG>.cloudflareaccess.com/browser and login.

Then use the RBI browser to navigate to your intranet URL intranet.<LAB_SLUG>.cfiq.io.

AcmeCorp’s intranet should now open successfully because RBI sent the request through Gateway. Try the right-click check again to confirm the page was rendered through RBI.
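
The Include/Require logic behind steps 3 to 5, as an added example that is not part of the original lab and is not Cloudflare's code: a simplified Python model of an Access Allow policy, in which a request must match at least one Include rule, every Require rule, and no Exclude rule. The Request fields, the helper names and the example.com addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for what Access knows about a request."""
    email: str
    via_gateway: bool  # True when the traffic was filtered by the org's Gateway

@dataclass
class Policy:
    """Simplified Allow policy: Include is OR, Require is AND, Exclude is NOT."""
    include: list = field(default_factory=list)
    require: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def allows(self, req: Request) -> bool:
        if any(rule(req) for rule in self.exclude):
            return False
        if not any(rule(req) for rule in self.include):
            return False
        return all(rule(req) for rule in self.require)

# Selectors used in the lab (hypothetical helper names)
def email_is(address):
    return lambda req: req.email.lower() == address.lower()

def gateway(req):
    return req.via_gateway

USER = "user@example.com"  # constructed placeholder identity

before = Policy(include=[email_is(USER)])                    # policy before step 3
after = Policy(include=[email_is(USER)], require=[gateway])  # policy after step 3

# Access paths from steps 4 and 5, plus a user who is not in the Include rule
PATHS = {
    "warp_on": Request(USER, via_gateway=True),
    "warp_off": Request(USER, via_gateway=False),
    "clientless_rbi": Request(USER, via_gateway=True),
    "other_user_via_gateway": Request("other@example.com", via_gateway=True),
}

def evaluate(policy):
    """Return the allow/deny decision for every access path."""
    return {name: policy.allows(req) for name, req in PATHS.items()}

if __name__ == "__main__":
    for label, policy in (("include only", before), ("include + require gateway", after)):
        print(label, evaluate(policy))
```

The last path shows that the Require rule only narrows access: passing through Gateway does not admit a user the Include rule does not match.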

App Launcher

1. Enable launcher

  • In the Zero Trust dashboard, open Settings ‣ Authentication
  • Select the Manage button next to App Launcher
  • Click Add a rule to create an Access rule for the App Launcher. The example below shows an Everyone policy for simplicity, but feel free to test out whatever rule definitions you’d like.

2. Add a bookmark

  • Open Access ‣ Applications and add a new application with the type Bookmark
  • Set the Application URL as https://<LAB_SLUG>.cloudflareaccess.com/browser, then click Add application.

3. Test

  • Open your Access App Launcher at https://<LAB_SLUG>.cloudflareaccess.com

Next to all of the Applications you’ve previously defined, you should now also see a tile representing your Browser Isolation bookmark.

Now, all of your users can access RBI effortlessly!