Skip to content

Access a web application via its private hostname without WARP

Last reviewed: 10 months ago

With Cloudflare Browser Isolation and resolver policies, users can connect to private web-based applications via their private hostnames without needing to install the WARP client. By the end of this tutorial, users who pass your Gateway DNS and network policies will be able to access your private application at https://<your-team-name>.cloudflareaccess.com/browser/https://internalrecord.com.

Before you begin

Make sure you have:

Create a Cloudflare Tunnel

First, install cloudflared on a server in your private network:

  1. Log in to Zero Trust and go to Networks > Tunnels.

  2. Select Create a tunnel.

  3. Choose Cloudflared for the connector type and select Next.

  4. Enter a name for your tunnel. We suggest choosing a name that reflects the type of resources you want to connect through this tunnel (for example, enterprise-VPC-01).

  5. Select Save tunnel.

  6. Next, you will need to install cloudflared and run it. To do so, check that the environment under Choose an environment reflects the operating system on your machine, then copy the command in the box below and paste it into a terminal window. Run the command.

  7. Once the command has finished running, your connector will appear in Zero Trust.

    Connector appearing in the UI after cloudflared has run

  8. Select Next.

Add private network routes

  1. In the Private Networks tab, add the following IP addresses:

    • Private IP/CIDR of your application server (for example, 10.128.0.175/32)
    • Private IP/CIDR of your DNS server
  2. Select Save tunnel.

The application and DNS server are now connected to Cloudflare.

Enable Clientless Web Isolation

  1. In Zero Trust, go to Settings > Browser Isolation.
  2. Enable Clientless Web Isolation.
  1. For Permissions, select Manage.

  2. Select Add a rule.

  3. Create an expression that defines who can open the Clientless Web Isolation browser. For example,

    Rule actionRule typeSelectorValueAction
    AllowIncludeEmails ending in@example.comSelect Save.

To test, open a browser and go to https://<team-name>.cloudflareaccess.com/browser/https://<private-IP-of-application>.

Create a Gateway resolver policy

  1. Go to Gateway > Resolver policies.

  2. Select Add a policy.

  3. Create an expression to match against the private domain or hostname of the application:

    SelectorOperatorValue
    Domainininternalrecord.com
  4. In Select DNS resolver, select Configure custom DNS resolvers.

  5. Enter the private IP address of your DNS server.

  6. In the dropdown menu, select <IP-address> - Private.

  7. (Optional) Enter a custom port.

  8. Select Create policy.

To test, open a browser and go to https://<team-name>.cloudflareaccess.com/browser/https://internalrecord.com.

  1. Go to Gateway > Firewall policies > Network.

  2. Add a network policy that targets the private IP address of your application. You can optionally include any ports or protocols relevant for application access. For example,

    SelectorOperatorValueLogicAction
    Destination IPin10.128.0.175AndAllow
    Destination Portin80Or
    User Emailmatches regex.*example.com

For best practices on securing private applications, refer to Build secure access policies.

Connect as a user

Users can now access the application at the following URL:

https://<team-name>.cloudflareaccess.com/browser/https://internalrecord.com

The application will load in an isolated browser. You can optionally configure remote browser controls such as disabling copy/paste, printing, or keyboard input.