Skyhigh Security

Reverse Proxy for Slack

Skyhigh CASB can provide Cloud Access Policies to control services that users can access from managed or unmanaged devices. It also provides DLP Policies to block or monitor the sensitive information shared by users through Slack.

Slack supports reverse proxy with the following limitations:

  • On unmanaged devices or from untrusted locations, login to Slack via the desktop or mobile applications is blocked for Android, and only browser access is allowed.
  • On unmanaged devices or from untrusted locations with proxy browser access, downloads are blocked.
  • On unmanaged devices or from untrusted locations with proxy browser access, if inline DLP is applied to file downloads with the DLP response action set to "send email notification" (which sends the user a warning email), file downloads are blocked. To download files, apply Digital Rights Management (DRM) using Microsoft Information Protection (MIP)/Azure Information Protection (AIP).

NOTE: Requests from iOS mobile native apps are not supported because Skyhigh CASB cannot detect them via reverse proxy. Therefore, iOS native apps are not blocked via reverse proxy.

A device is considered unmanaged due to:

  • Lack of a customer-supplied certificate.
  • Lack of the Skyhigh Security Agent.
  • IdP details, where the IdP identifies an unmanaged device through a SAML attribute.

A location is considered untrusted due to:

  • Source IP range.
  • Geo-location. For example, China, Russia, etc.
  • IdP details, where the IdP identifies an untrusted location through a SAML attribute.

Add Service Properties

Add the following Service Property to the managed Slack Proxy Instance:

search.replace.strings = {"searchReplaceList":[{"uri":"re:/client/TN1CWSGP7.*","searchStr":"re:script-src.*';", "replaceStr":""}]}

Raw Direct Configuration

 [
    {
      "dstHost": "skyhighqa4.enterprise.slack.com",
      "uri": "re:.*sso_failed.*",
      "phase": "REQUEST",
      "redirectUri": "/sso/saml/start?redir=%2F"
    }
  ]

NOTE: These properties are used to check the URI on the client side in Slack after login. The URI value varies for different Slack domains.

Service Property

Base64-encode the preceding raw direct configuration and add it as a service property as follows:

redirect-config=WwogIHsKICAgICJkc3RIb3N0IjogInNreWhpZ2hxYTQuZW50ZXJwcmlzZS5zbGFjay5jb20iLAogICAgInVyaSI6ICJyZTouKnNzb19mYWlsZWQuKiIsCiAgICAicGhhc2UiOiAiUkVRVUVTVCIsCiAgICAicmVkaXJlY3RVcmkiOiAiL3Nzby9zYW1sL3N0YXJ0P3JlZGlyPSUyRiIKICB9Cl0= 

NOTE: The dstHost is not always the same; it varies for different organizations. Therefore the encoded value will be different.
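
The encoding step above as an added example (not Skyhigh's own tooling): it builds the rule for a given dstHost, produces the redirect-config line, and decodes an existing value so it can be reviewed before deployment. The function names, the use of Python's re module to check the pattern after "re:", and the local-path check on redirectUri are assumptions of this example.

```python
import base64
import json
import re

REQUIRED_KEYS = {"dstHost", "uri", "phase", "redirectUri"}  # keys shown on the page


def validate_rules(rules):
    """Return a list of problems found in a decoded redirect rule list."""
    problems = []
    for i, rule in enumerate(rules):
        missing = REQUIRED_KEYS - set(rule)
        if missing:
            problems.append(f"rule {i}: missing {sorted(missing)}")
            continue
        if rule["uri"].startswith("re:"):  # assumption: "re:" marks a regex
            try:
                re.compile(rule["uri"][3:])
            except re.error as exc:
                problems.append(f"rule {i}: bad uri regex ({exc})")
        # Added review check, not a product rule: the redirect must stay on
        # the same host, so reject absolute and protocol-relative targets.
        target = rule["redirectUri"]
        if not target.startswith("/") or target.startswith("//"):
            problems.append(f"rule {i}: redirectUri is not a local path")
    return problems


def encode_redirect_config(dst_host):
    """Build the page's sso_failed rule for dst_host as a property line."""
    rules = [{
        "dstHost": dst_host,
        "uri": "re:.*sso_failed.*",
        "phase": "REQUEST",
        "redirectUri": "/sso/saml/start?redir=%2F",
    }]
    raw = json.dumps(rules, indent=2).encode("utf-8")
    return "redirect-config=" + base64.b64encode(raw).decode("ascii")


def decode_redirect_config(line):
    """Decode a redirect-config property line back into its rule list."""
    value = line.split("=", 1)[1].strip()
    return json.loads(base64.b64decode(value, validate=True))


if __name__ == "__main__":
    line = encode_redirect_config("example.enterprise.slack.com")  # constructed
    print(line, validate_rules(decode_redirect_config(line)), sep="\n")
```

Decoding an existing property value before changing it shows which dstHost and redirect target are currently deployed.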

Ways to Access Slack via Reverse Proxy

These are the different ways to access Slack via Proxy:

  • Desktop Browsers
  • Mobile Browsers
  • Desktop Native Apps
  • Mobile Native Apps

The ways to access Slack through various devices and browsers are described in the table.

Legends used in the table:
✔ - Verified and working.
✖ - Not working as expected.

Desktop and Mobile Browsers

The supported device with specifications and browsers versions for Slack are described in the following table:

| Device Specification | Mobile Browser Version |
|---|---|
| Device: Android Tablet Lenovo; Android Version: 6.0.1 | Google Chrome Version: 84.0.4147.111; Firefox Browser Version: 68.11.0 |
| Name: iPad; Software Version: 14.0.1 | Firefox Version: 28.2 (2470); Google Chrome Version: 84.0.4147.71; Edge Version: 45.8.14; Safari: iPadOS Version 14.0.1 |

Desktop and Mobile Browsers

The table summarizes the supported devices via reverse proxy with CAP and DLP policies applied for Desktop and Mobile browsers.

NOTE: The desktop and mobile browsers used are:

  • Google Chrome Version: 86.0.4240.75 (Official Build) (64-bit)
  • Firefox Version: 81.0.2 (64-bit)

| Device and Browser | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block | Unmanaged device, Block downloads | Unmanaged device, Block downloads on DLP sensitive data |
|---|---|---|---|---|---|---|
| Android Version 6.01 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| iPad Version 14.0.1 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Desktop Browser | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |

Desktop Native Apps

The table summarizes the supported devices via reverse proxy with CAP and DLP policies applied to it.

NOTE: Desktop Native App behaves like a browser and all browser conditions are applicable to Desktop Native Apps.

| Device | User-Agent Obtained | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block all |
|---|---|---|---|---|---|
| Desktop Native App Version: Windows Store 4.10.0 64-bit | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 | ✔ | ✔ | ✔ | ✖ |
| Desktop Native App Version: MacOS Catalina 10.15.6 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 | ✔ | ✔ | ✔ | ✖ |

Mobile Native Apps

Slack via reverse proxy is available for both Android and iOS mobile native apps.

| Device and Slack Version | User-Agent Obtained | Managed device, Redirect All | Managed device, Block IP range | Managed device, Block geo-location | Unmanaged device, Block all | Unmanaged device, Block downloads | Unmanaged device, Block downloads on DLP sensitive data |
|---|---|---|---|---|---|---|---|
| Android Version: 6.0.1 Tablet Lenovo; Slack Version: 20.09.20.0-30010667-9 | Mozilla/5.0 (Linux; Android 6.0.1; Lenovo YT3-X90L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Safari/537.36 | ✔ | ✔ | ✔ | ✔ | ✖ | ✖ |
| iPad Version: 14.0.1; Slack Version: 20.10.20 | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15 | ✔ | ✔ | ✔ | ✖ | ✖ | ✖ |


| Device and Slack Version | User-Agent Obtained | Check Cert: Proxy Managed, Block Unmanaged | Check Cert: Redirect Managed, Block Unmanaged |
|---|---|---|---|
| Android Version: 12; Slack Version: 22.11.20.0-90011960-11109 | Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.105 Safari/637.36 | ✖ | ✔ |
| iPad Version: 15.5; Slack Version: 22.11.20(428731) | com.tinyspeck.chatlyio/22.10.50 (iPad; iOS 15.5; Scale/2.00) | ✖ | ✔ |