Overview
Chrome Enterprise Premium is the zero trust solution from Google Cloud that provides secure access to private applications with integrated threat and data protection. Chrome Enterprise Premium uses Chrome to provide secure access for all web-based (HTTPS) applications.
The Chrome Enterprise Premium client connector extends support to non-web applications by creating a secure connection to applications running in both Google Cloud and non-Google Cloud environments with full context and identity-aware access.
How it works
The following diagram provides a high-level architectural overview of the client connector.
Following are the key components that make up the client connector:
Endpoint Verification and client agent: The client connector integrates with Endpoint Verification, a Chrome extension with a native lightweight agent that runs on user laptops or desktops, and reports device information. Endpoint Verification also acts as the control plane for the end user to start and stop connections to client gateways.
Client gateways: Regional, server-side components to which clients can connect. Client gateways are deployed by administrators. The gateways communicate with the Chrome Enterprise Premium enforcement system to enforce context-aware checks. The Chrome Enterprise Premium enforcement system uses Identity-Aware Proxy and Access Context Manager, a flexible Chrome Enterprise Premium zero trust policy engine.
The client connector sends traffic to your protected applications from end-user, client, devices through a secure channel, a gateway. You can connect to web and non-web applications running in Google Cloud or outside of Google Cloud. You can use Cloud VPN or Cloud Interconnect to connect to your applications that aren't in Google Cloud.
Before you begin
Before enabling the Chrome Enterprise Premium client connector, ensure that you have the following:
A Google Cloud organization domain.
A Google Cloud project with assigned billing.
Google Workspace Cloud Identity user accounts. If you need to create Cloud Identity accounts, see Create Cloud Identity user accounts.
A non-web resource that you want to protect. The resource can be native to Google Cloud, on-premises, or on another public cloud. You can create a custom VPC or use your existing network with an application on Google Cloud. You can also connect your non-Google Cloud application by using Cloud VPN or Cloud Interconnect.
The following APIs enabled:
- Compute Engine APIs:
compute.googleapis.com
- Chrome Enterprise Premium API APIs:
beyondcorp.googleapis.com
- Service Networking
APIs:
servicenetworking.googleapis.com
- Access Context Manager
APIs:
accesscontextmanager.googleapis.com
- Compute Engine APIs:
The following IAM roles:
Project level: Compute Network Admin (
roles/compute.networkAdmin
), BeyondCorp Client Connector Admin (roles/beyondcorp.clientConnectorAdmin
)Organization level: Access Context Manager Admin (
roles/accesscontextmanager.policyAdmin
)
One of the recommended hardware configurations for the client:
- Apple® Mac® OS 10.11 and later with a minimum of two cores and 2GB of memory.
- Microsoft® Windows® 10 and later with a minimum of four cores and 2GB of memory.
Enable the Chrome Enterprise Premium client connector
Set up Private Services Access
The client connector uses Private Services Access to enable connectivity between the Google-managed VPC network and the consumer VPC network. This ensures that the traffic from users is routed to the consumer VPC network.
Console
Private Services Access requires that you reserve an IP address range so that there's no IP address collisions between your VPC network and the Google-managed VPC network. Complete the following steps to allocate an IP range:
Go to the VPC networks page in the Google Cloud console.
Go to VPC networksSelect the VPC network that is connected to your application.
Select the Private service connection tab.
In the Private service connection tab, select the Allocated IP ranges for services tab.
Click Allocate IP range.
Enter a Name and Description for the IP range to allocate.
Specify an IP range for the allocation:
- To specify an IP address range, select Custom and then enter
a CIDR block, such as
192.168.0.0/16
. - To specify a prefix length and let Google select an available range,
select Automatic and then enter a prefix length, such as
16
.
Specify a network of no less than
/24
.- To specify an IP address range, select Custom and then enter
a CIDR block, such as
Click Allocate to create the allocated range.
Create a VPC Network Peering connection by completing the following steps:
- Go to the VPC networks page in the Google Cloud console.
Go to VPC networks - Select the VPC network that is connected to your application.
- Select the Private service connection tab.
- In the Private service connection tab, select the Private connections to services tab.
- Click Create connection to create a private connection between your network and the client connector service.
- In the window that opens, leave the default for Connected Service Producer. For the Assigned allocation, select the allocated range that you created in the previous step.
- Click Connect to create the connection.
- Go to the VPC networks page in the Google Cloud console.
Create a firewall rule.
- In the Google Cloud console, go to the Firewall page.
Go to the Firewall page - Click Create firewall rule.
- Enter a Name for the firewall rule.
This name must be unique for the project. - Optional: You can enable firewall rules
logging:
- Click Logs > On.
- To omit metadata, expand Logs details and then clear Include metadata.
- Specify the Network that is connected to your application.
- Specify the Priority of the rule. The lower the number, the higher the priority.
- For the Direction of traffic, select Ingress.
- For the Action on match, select Allow.
- For Targets, select All instances in the network.
- For Source filter, select IPv4 ranges, and then enter the
address
andprefixLength
values from Step 1 to represent the allocated IP range in CIDR format. Use the format0.0.0.0/0
for any IPv4 source. - For Protocols and ports, select Allow all to have the rule apply to all protocols and destination ports.
- Click CREATE.
- In the Google Cloud console, go to the Firewall page.
gcloud
Private Services Access requires that you reserve an IP address range so that there's no IP address collisions between your VPC network and the Google-managed VPC network. Run the following command to allocate an IP range:
gcloud compute addresses create RESERVED_RANGE \ --network=CONSUMER_NETWORK \ --project=CONSUMER_PROJECT \ --prefix-length=16 \ --purpose=VPC_PEERING \ --global
Replace the following:
- RESERVED_RANGE: The name for the IP address range to be reserved for VPC Peering. The name can contain only lowercase letters, numbers, and hyphens.
- CONSUMER_NETWORK: The name of your VPC network connected to the application.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
.
Create the VPC peering connection.
gcloud services vpc-peerings connect \ --network=CONSUMER_NETWORK \ --project=CONSUMER_PROJECT \ --ranges=RESERVED_RANGE \ --service="servicenetworking.googleapis.com"
Replace the following:
- CONSUMER_NETWORK: The name of your VPC network connected to the application.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - RESERVED_RANGE: The name of your reserved range for VPC peering.
Get the details of the allocated IP range.
gcloud compute addresses describe RESERVED_RANGE \ --global \ --project=CONSUMER_PROJECT
Replace the following:
- RESERVED_RANGE: The name of your reserved range for VPC peering.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
.
Use the
address
andprefixLength
values from the output in the previous step to represent the allocated IP range in CIDR format, and then create a firewall rule.gcloud compute firewall-rules create "allow-peered-ingress" \ --network=CONSUMER_NETWORK \ --project=CONSUMER_PROJECT \ --direction ingress \ --action allow \ --source-ranges={Allocated IP range in CIDR format i.e. address/prefixLength} \ --rules=all
Replace the following:
- CONSUMER_NETWORK: The name of your VPC network connected to the application.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
.
For information about configuring firewall rules, see Use VPC firewall rules.
Set up the client connector resources
There are two types of resources that you must set up:
- Client connector service: Defines a common configuration for a group of client gateways.
- Client gateway: Refers to the client connector service and controls the regions where you want to manage user traffic.
Only one client connector service per domain and one client
gateway per region per client connector service is allowed. Additionally, you
can only use the following regions to host your client connector service and
gateway resources: asia-east1
, europe-west1
, us-east1
, and us-central1
.
Create the client connector service
Console
Go to the IAP admin page.
Click CONNECTORS > ENABLE CLIENT CONNECTOR.
Enter the VPC network that will receive traffic from managed clients.
Select the regions to which your clients can connect. Note that the client gateways are created in this step, so you do not have to create the gateways in the Create, verify, or remove client gateways procedure.
Enter the range of IP addresses for the applications that you want the client connector to reach.
Click ENABLE CLIENT CONNECTOR. It can take several minutes to create the connector.
gcloud
Run the following command:
gcloud beta beyondcorp client-connector services create CLIENT_CONNECTOR_SERVICE_NAME \ --project=CONSUMER_PROJECT \ --location=SERVICE_LOCATION \ --config-from-file=/path/to/file/config.json
where config.json
is:
{ "ingress": { "config": { "transportProtocol": "TCP", "destinationRoutes": [{ "address": "DESTINATION_ADDRESS", "netmask": "DESTINATION_MASK" }] } }, "egress": { "peeredVpc": { "networkVpc": "projects/CONSUMER_PROJECT/global/networks/CONSUMER_NETWORK" } } }
Replace the following:
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which to create the client
connector service. You can specify one of the following regions are
supported:
asia-east1
,europe-west1
,us-east1
, andus-central1
. - DESTINATION_ADDRESS: The host address of the destination
subnet hosting the application. For example, if your application uses
10.0.0.0/28
, the address is10.0.0.0
. - DESTINATION_MASK: The network mask of the destination subnet
hosting the application. For example, if your application uses
10.0.0.0/28
, then the mask is255.255.255.240
. - CONSUMER_NETWORK: The name of your VPC network connected to the application.
API
Run the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d @config.json \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices?client_connector_service_id=CLIENT_CONNECTOR_SERVICE_NAME
where config.json
is:
{ "ingress": { "config": { "transportProtocol": "TCP", "destinationRoutes": [{ "address": "DESTINATION_ADDRESS", "netmask": "DESTINATION_MASK" }] } }, "egress": { "peeredVpc": { "networkVpc": "projects/CONSUMER_PROJECT/global/networks/CONSUMER_NETWORK" } } }
Replace the following:
- DESTINATION_ADDRESS: The host address of the destination
subnet hosting the application. For example, if your application uses
10.0.0.0/28
, the address is10.0.0.0
. - DESTINATION_MASK: The network mask of the destination subnet
hosting the application. For example, if your application uses
10.0.0.0/28
, then the mask is255.255.255.240
. - CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - CONSUMER_NETWORK: The name of your VPC network connected to the application.
- SERVICE_LOCATION: The region in which to create the client connector service.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
Verify that the client connector service was created by listing the service
Console
Go to the IAP admin page.
Click CONNECTORS. Your connector should be listed in the Client connector section and should have a green checkmark for the status.
gcloud
Run the following command.
gcloud beta beyondcorp client-connector services list \ --project=CONSUMER_PROJECT \ --location=SERVICE_LOCATION
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which to create the client connector service.
API
Run the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
Optional: Update a client connector service
Console
Update the destination routes by completing the following steps:
Go to the IAP admin page.
Click CONNECTORS.
In the Client connector section, click the pencil icon next to the client connector you want to update.
Enter the new host addresses and network masks of the destination subnets hosting the applications, and then click UPDATE CLIENT CONNECTOR.
gcloud
Update the destination routes by running the following command:
gcloud beta beyondcorp client-connector services update CLIENT_CONNECTOR_SERVICE_NAME \ --project=CONSUMER_PROJECT \ --location=SERVICE_LOCATION \ --config-from-file=/path/to/file/config.json
where config.json
is:
{ "ingress":{ "config":{ "destinationRoutes":[ { "address":"NEW_DESTINATION_ADDRESS1", "netmask":"NEW_DESTINATION_MASK1" }, { "address":"NEW_DESTINATION_ADDRESS2", "netmask":"NEW_DESTINATION_MASK2" } ] } } }
Replace the following:
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- NEW_DESTINATION_ADDRESS1, NEW_DESTINATION_ADDRESS2: The new host addresses of the destination subnets hosting the applications.
- NEW_DESTINATION_MASK1, NEW_DESTINATION_MASK2: The new network masks for the destination subnets.
API
To update the destination routes, run the following command:
curl -X PATCH \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d @update.json \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME?update_mask=ingress.config.destinationRoutes
Where update.json
is:
{ "ingress":{ "config":{ "destinationRoutes":[ { "address":"NEW_DESTINATION_ADDRESS1", "netmask":"NEW_DESTINATION_MASK1" }, { "address":"NEW_DESTINATION_ADDRESS2", "netmask":"NEW_DESTINATION_MASK2" } ] } } }
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- NEW_DESTINATION_ADDRESS1, NEW_DESTINATION_ADDRESS2: The new host addresses of the destination subnets hosting the applications.
- NEW_DESTINATION_MASK1, NEW_DESTINATION_MASK2: The new network masks for the destination subnets.
Optional: Remove a client connector service
Console
Go to the IAP admin page.
Click CONNECTORS.
In the Client connector section, click the garbage can icon to remove the client connector service and gateways. This can take several minutes.
gcloud
Run the following command.
gcloud beta beyondcorp client-connector services delete CLIENT_CONNECTOR_SERVICE_NAME \ --project CONSUMER_PROJECT \ --location SERVICE_LOCATION
Replace the following:
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
API
Run the following command.
curl -X DELETE \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
Create, verify, or remove client gateways
Console
If you are using the console to set up the client connector, the client gateways are created when you created the client connector service in an earlier step.
To verify that the client gateways are up and running:
- Go to the IAP admin page.
- Click CONNECTORS. Your connector, along with the associated gateways, should be listed in the Client connector section and should have a green checkmark for the status.
Optional: To remove a client gateway, complete the following steps.
Go to the IAP admin page.
Click CONNECTORS.
In the Client connector section, click the pencil icon next to the client connector where you want to remove a gateway.
Remove a region from the connector service by unchecking the region checkbox from the Gateway regions dropdown list, and then click UPDATE CLIENT CONNECTOR.
gcloud
Create a client gateway.
gcloud beta beyondcorp client-connector gateways create CLIENT_GATEWAY_NAME \ --project CONSUMER_PROJECT \ --location GATEWAY_LOCATION \ --client-connector-service \ projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME
Replace the following:
- CLIENT_GATEWAY_NAME: The name of your client gateway.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - GATEWAY_LOCATION: The region in which to create the client gateway.
- SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
Verify that the client gateways are up and running.
gcloud beta beyondcorp client-connector gateways list \ --project CONSUMER_PROJECT \ --location GATEWAY_LOCATION
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - GATEWAY_LOCATION: The region in which the client gateway is located.
- CONSUMER_PROJECT: The ID of your project that hosts the
Optional: Remove a client gateway.
gcloud beta beyondcorp client-connector gateways delete CLIENT_GATEWAY_NAME \ --project CONSUMER_PROJECT \ --location GATEWAY_LOCATION
Replace the following:
- CLIENT_GATEWAY_NAME: The name of your client gateway.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - GATEWAY_LOCATION: The region in which the client gateway is located.
API
Run the following command.
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d "{client_connector_service: \"projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME\"}" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/GATEWAY_LOCATION/clientGateways?client_gateway_id=CLIENT_GATEWAY_NAME
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- GATEWAY_LOCATION: The region in which to create the client gateway.
- CLIENT_GATEWAY_NAME: The name of your client gateway.
This step can take several minutes to complete.
- CONSUMER_PROJECT: The ID of your project that hosts the
Verify that the client gateways are up and running.
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/GATEWAY_LOCATION/clientGateways
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - GATEWAY_LOCATION: The region in which the client gateway is located.
- CONSUMER_PROJECT: The ID of your project that hosts the
Optional: Remove a client gateway.
curl -X DELETE \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/GATEWAY_LOCATION/clientGateways/CLIENT_GATEWAY_NAME
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - GATEWAY_LOCATION: The region in which the client connector gateway is located.
- CLIENT_GATEWAY_NAME: The name of your client gateway.
- CONSUMER_PROJECT: The ID of your project that hosts the
Set up context-aware access policies
Determine the Principals or create a user group. Identify the users that require access to the protected non-web applications. Alternatively, you can create a user group to simplify configuration and management.
Optional: Create an access level in Access Context Manager to define a context-aware rule, which you can use to restrict access to your application.
Configure an IAM policy for the client connector service resource, and grant the principal or user group the Cloud BeyondCorp Client Connector Service User role (
roles/beyondcorp.clientConnectorServiceUser
) required to access the non-web apps. Optionally, you can specify an IAM condition to provision the role only when an access level is satisfied. To update the IAM policy for a resource, you can use the console or the API.In the console, complete the following steps:
- Go to the IAP admin page.
- Click APPLICATIONS.
- If you have not previously configured an OAuth consent screen, you must do so to complete this step. In the CONNECT NEW APPLICATION section, select your connector under Non-Web Applications.
- In the window that opens, click ADD PRINCIPAL.
- Grant the principal or user group the
Cloud BeyondCorp Client Connector Service User
role (roles/beyondcorp.clientConnectorServiceUser
), required to access the non-web apps. Optionally, you can specify an access level to provision the role only when the access level is satisfied. To specify an access level, you must be an Organization Administrator or have theview
andedit
permissions to the organization access levels. - Click SAVE.
Update an IAM policy
Console
- Go to the IAP admin page.
- Click the APPLICATIONS tab, and in the Resource list, expand Non-Web Applications.
- Select your client connector. A section with the IAM permissions associated with your connector opens.
- You can update the IAM policies associated with your client connector in the section that opens.
gcloud
Read the existing policy. The
getIamPolicy()
method reads the existing IAM policy for the client connector service resource intopolicy.json
.gcloud beta beyondcorp client-connector services get-iam-policy CLIENT_CONNECTOR_SERVICE_NAME \ --project=CONSUMER_PROJECT \ --location=SERVICE_LOCATION > policy.json
Replace the following:
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
Edit the returned policy. Update the bindings in
policy.json
to include the new IAM role assignment. You can do this in a text editor or programmatically. Example:{ "bindings": [ { "role": "roles/beyondcorp.clientConnectorServiceUser", "members": [ "user:EXAMPLE_USER@EXAMPLE.COM", "group:EXAMPLE_GROUP@EXAMPLE.COM", ], "condition": { "expression": "'accessPolicies/POLICY_NAME/accessLevels/LEVEL_NAME' in request.auth.access_levels", "title": "CONDITION_NAME" } } ] }
Replace the following:
- POLICY_NAME: The numeric name of your Access Context Manager access policy.
- LEVEL_NAME: The name of your Access Context Manager access level.
- CONDITION_NAME: The title text for the IAM condition.
Write the updated policy. You can use the
setIamPolicy()
method to write the updated IAM policy. Example:gcloud beta beyondcorp client-connector services set-iam-policy CLIENT_CONNECTOR_SERVICE_NAME policy.json \ --project=CONSUMER_PROJECT \ --location=SERVICE_LOCATION
Replace the following:
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
API
Read the existing policy. The
getIamPolicy()
method reads the existing IAM policy for the client connector service resource intopolicy.json
.curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME:getIamPolicy > policy.json
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
Edit the returned policy. Update the bindings in
policy.json
to include the new IAM role assignment. You can do this in a text editor or programmatically. Example:{ "policy": { "bindings": [ { "role": "roles/beyondcorp.clientConnectorServiceUser", "members": [ "user:EXAMPLE_USER@EXAMPLE.COM", "group:EXAMPLE_GROUP@EXAMPLE.COM", ], "condition": { "expression": "'accessPolicies/POLICY_NAME/accessLevels/LEVEL_NAME' in request.auth.access_levels", "title": "CONDITION_NAME" } } ] } }
Replace the following:
- POLICY_NAME: The numeric name of your Access Context Manager access policy.
- LEVEL_NAME: The name of your Access Context Manager access level.
- CONDITION_NAME: The title text for the IAM condition.
Write the updated policy. You can use the
setIamPolicy()
method to write the updated IAM policy. Example:curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json" \ -d @policy.json \ https://beyondcorp.googleapis.com/v1/projects/CONSUMER_PROJECT/locations/SERVICE_LOCATION/clientConnectorServices/CLIENT_CONNECTOR_SERVICE_NAME:setIamPolicy
Replace the following:
- CONSUMER_PROJECT: The ID of your project that hosts the
CONSUMER_NETWORK
. - SERVICE_LOCATION: The region in which the client connector service is located.
- CLIENT_CONNECTOR_SERVICE_NAME: The name of your client connector service.
- CONSUMER_PROJECT: The ID of your project that hosts the
Install the client connector agent on endpoint devices (Windows or macOS)
Enable the Endpoint Verification extension by following the steps in Set up Endpoint Verification on your devices.
After Endpoint Verification is up and running, the Endpoint Verification extension for the updated user shows a START CONNECTION button. To access the protected non-web application, users can click the START CONNECTION button.
When a user initiates a connection for the first time, Endpoint Verification prompts the user to download and install the client connector binaries. Alternatively, you can download the client connector binaries at the following URLs:
After a connection is established, a user can access the protected resource. Users can choose to end the connection by clicking the END CONNECTION button.
Troubleshooting
If you run into problems using the client connector, the following information provides troubleshooting steps that might resolve your issue.
You can't access your application
The client connector gateway is running and the connection is successfully established, but you still can't reach your application.
Following are the most common reasons, and possible solutions, for this issue:
You didn't advertise the allocated IP range on Cloud VPN. If you use Cloud VPN to connect to the non-Google Cloud application, ensure that you also advertise the allocated IP range for Private Services Access to the peer router through the Border Gateway Protocol (BGP). For more information on how to do this, see Specify advertisements on a Cloud Router.
You specified an incorrect address and mask in destination routes. Ensure that the masked bits are zero when providing the address. For example,
10.0.10.1
is an invalid address to provide with a255.255.255.0 (/24)
network mask. The correct address is10.0.10.0
.Possible IP conflicts between the allocated IP range for Private Service Access and the IP subnets used by the network hosting the application. Ensure these ranges are mutually exclusive. This issue is most often seen when the application is hosted in a non-Google Cloud network.
You receive the message Unable to connect to the network
If you receive the message Unable to connect to the network. Check your network
connection and try again.
, the internet connection on your device is not active.
Resolution: Ensure that your internet connection is active and then try to connect again.
Audit logs
If you are an admin, you can view Chrome Enterprise Premium audit logs, including the client connector audit logs, in the Logging page of the Google Cloud console. For more information, see Chrome Enterprise Premium service audit logging.
If you are an end user, you can access connection logs by completing the following steps:
- Right-click on the Endpoint Verification extension in the browser.
- Click Options.
- Select the granularity for the log level. By default, the granularity level is set to Info.
- Click on Show Log.
What's next
- Chrome Enterprise Premium API
- gcloud beta beyondcorp
- Securing non-Google Cloud applications using the app connector