Skip to content

Isolate Access applications

Cloudflare Browser Isolation integrates with your web-delivered Access applications to protect sensitive applications from data loss. You can build Access policies that require certain users to access your application exclusively through Browser Isolation, while other users matching different policies continue to access the application directly. For example, you may wish to layer on additional security measures for third-party contractors or other users without a corporate device.

Cloudflare sends all isolated traffic through our Secure Web Gateway inspection engine, which allows you to apply Gateway HTTP policies such as:

  • Restrict specific actions and HTTP request methods.
  • Inspect the request body to match against Data Loss Prevention (DLP) profiles with as much specificity and control as if the user had deployed an endpoint agent.
  • Control users ability to cut and paste, upload and download files, or print while in an isolated session.

Prerequisites

Your browser must allow third-party cookies on the application domain.

Enable Browser Isolation

  1. In Zero Trust, go to Settings > Browser Isolation.
  2. Enable Clientless Web Isolation.
  1. Next, go to Access > Applications.
  2. Choose a self-hosted application and select Configure.
  3. Choose an Allow policy and select Configure.
  4. Under Additional settings, turn on Isolate application.
  5. Save the policy.

Browser Isolation is now enabled for users who match this policy. After the user logs into Access, the application will launch in a remote browser. To confirm that the application is isolated, refer to Check if a web page is isolated.

You can optionally add another Allow policy for users on managed devices who do not require isolation.

Example Access policies

In the following example, Policy 1 allows employees on corporate devices to access the application directly. Users who do not match Policy 1, such as employees and contractors on unmanaged devices, will load the application in an isolated browser.

flowchart LR
accTitle: Access policies for a private web application
A[Full-time employee]-->policy1-->D
B[Contractor]-->policy2-->E
subgraph C[Access application]
  policy1["Policy 1:
  Allow employees
  who pass device posture checks"]
  policy2["Policy 2:
  Allow and isolate contractors"]
end
D[Normal browsing]
E["Isolated browsing
with HTTP policies applied"]

Policy 1: Allow employees who pass device posture checks

ActionRule typeSelectorValue
AllowIncludeEmails ending in@team.com
RequireDevice Posture - Serial Number ListCorporate serial numbers
Additional settingsStatus
Isolate applicationDisabled

Policy 2: Allow and isolate contractors

ActionRule typeSelectorValue
AllowIncludeEmails ending in@team.com, @contractors.com
Additional settingsStatus
Isolate applicationEnabled

Example HTTP policies

Disable file downloads in isolated browser

Prevents users on unmanaged devices from downloading any files from your private application.

SelectorOperatorValueLogicAction
Hostininternal.site.comAndIsolate
Passed Device Posture Checksnot inCorporate serial numbers
Policy settingsStatus
Disable file downloadsEnabled

Block file downloads of sensitive data

Block users on unmanaged devices from downloading files that contain credit card numbers. This logic requires two policies:

SelectorOperatorValueLogicAction
Hostininternal.site.comAndBlock
DLP ProfileinFinancial InformationAnd
Passed Device Posture Checksnot inCorporate serial numbers