A guide to remote enterprise application access… Part A | SolarBI

A guide to remote enterprise application access… Part A

Enterprise applications access - SolarBI
James Daley

James Daley

Co-Founder @ SolarBI

Let’s be honest, COVID-19 has quite simply thrown us a curveball.  Many of us are now working from home til further notice.  Here at SolarBI, we’re all nestled in at home, and once we discovered Cloudflare Access and Pritunl, it enabled enterprise application access from anywhere.  This gets technical but don’t be afraid, you got this.

This guide focuses on Cloudflare Access, which empowers enterprise application access from the public internet with an authentication layer to keep your enterprise applications secure.  Here at SolarBI, we have several enterprise applications that sit inside our network and we wanted to bring them outside securely for our team and a few external contractors.

Cloudflare is extending a deal in response to this pandemic, with free access to Cloudflare for Teams (this includes their Access and Gateway products) until September 2020.  

Here’s how we do it.

Firstly, here is the official doco on Cloudflare Access.  Check this out as a good starting point.

Cloudflare Access works by tunneling your enterprise applications to the Cloudflare network where users can securely authenticate.

I’m going to assume you’ve already created a Cloudflare account and added your domain to Cloudflare already (it’s free!).  Do it here if not.  Once you’re setup, head over to the Access tab.  This is where the magic happens.

Login Methods

This is where we add our identity provider to authenticate our users.   At SolarBI we use Google for almost everything.  Follow the instructions to set-up your chosen identity provider, or add a few.  Then choose a subdomain for users to login.  It’s pretty straight forward, so let’s keep moving.

Access Policies

Access Policies are where we control who can access what.  There are loads of combinations here so it’s best to think about how your users access your enterprise applications.  We have found grouping users by email domain is essential, along with having a ‘whitelist’ of external users by email address.  My advice is to keep it simple, security often becomes weak when we overcomplicate it.

Another neat rule is to bypass your office IP address so users don’t need to authenticate when in the office.  The detailed doco is here.

Access Groups

Access Groups lets you form groups to simplify your Access Policies.  We created an email domain group along with an external user group with individual email addresses of those we trust.  Then go back to the Access Policies and add the groups in.  The detailed doco is here.

Access App Launcher

The Access App Launcher is the interface where users log in and see tiles of your enterprise applications to access.  Its an additional layer of security you can control.  We added in our Access Groups here and kept on moving forward.  The detailed doco is here

Tunneling your enterprise applications

Ok so now we have the basics set up, we need to create a tunnel for your enterprise application to access the Cloudflare network.  

We do this by installing Argo Tunnel (aka. a tool called ‘cloudflared’).  Detailed instructions are here which walk you through the installation and config on your web servers.  Argo Tunnel supports many operating systems so it shouldn’t be an issue whatever OS you’re running.  Essentially we install ‘cloudflared’, which returns a URL to link your Cloudflare account with your enterprise application.  There is no need for firewall configuration or the like here, it runs over SSL.

Cloudflare Argo Tunnel - SolarBI

Something to note here, be careful when choosing a DNS record, you cannot choose one where you already have a CNAME or HOST A record.  Cloudflare automatically creates a new CNAME record for you, so I’ve found its best to delete your existing record, then allow Cloudflare to recreate it by itself.

As an example, we use an internal enterprise web portal at SolarBI, so we already had webportal.domain.com.  This record already existed and resolved internally.  I deleted the record from Cloudflare, then installed Argo Tunnel and registered it with webportal.domain.com.  Cloudflare created a CNAME record for me at this point.  

Testing it out

Hopefully you’ve got enterprise application access setup and tunneling through Cloudflare with a secure authentication layer in-front.  

Cloudflare Access Example - SolarBI
Cloudflare Access Example - SolarBI

Next week we’ll be setting up Pritunl, a remote access VPN server to gain deeper enterprise application access. Stay tuned and stay safe.

Share on whatsapp
Share on twitter
Share on linkedin
Share on email