Network Policy Opening for Applications in Intranet Environments
Problem Description
Enterprise tenants have different network environments when accessing BambooCloud IDaaS. Based on this, BambooCloud provides corresponding strategies for different network environments.
Problem Analysis
Due to different security-level requirements of each application, some systems need to restrict inbound and outbound network policies. The main types are as follows:
| Inbound Policy | Outbound Policy | Authentication Integration Strategy | Synchronization Integration Strategy |
|---|---|---|---|
| Allow inbound | Allow outbound | Direct connection | Direct connection |
| Allow inbound via whitelist | Allow outbound | Direct connection | Direct connection |
| Disallow inbound | Allow outbound | Direct connection | Synchronization cloud bridge |
| Disallow inbound | Disallow outbound | Deploy proxy in DMZ zone | DMZ proxy + synchronization cloud bridge |
Solution
Please determine which integration strategy to use based on the table above.
Direct Connection Mode
- When the application system can be accessed from the public network and can access BambooCloud IDaaS, no network policy adjustment is needed for authentication or synchronization integration.
- When the application system can configure a public network access whitelist and can access BambooCloud IDaaS, configure the inbound whitelist to allow IP: 47.92.171.137 for authentication and synchronization integration.
- When the application system does not allow inbound access but can access BambooCloud IDaaS over the network, no network policy adjustment is needed for authentication; synchronization requires the cloud bridge. Refer to the following section on the synchronization cloud bridge.
Synchronization Cloud Bridge
When an application does not allow inbound access but still requires synchronization integration, the synchronization cloud bridge is needed. The cloud bridge service requires the service user to provide a server in the intranet environment to deploy BambooCloud's cloud bridge service. Please contact BambooCloud implementation and delivery personnel for installation. For the deployment manual, refer to Application Synchronization Cloud Bridge.
| Server Configuration | Quantity | OS Version | Remarks |
|---|---|---|---|
| 4 cores / 8 GB RAM / 60 GB disk | 2 | CentOS 7.6 x86_64 | Cloud bridge server |
Network Permission Configuration:
The server must support external network access.
Notes:
The above server requirements list is a recommended example.
The server configuration is the recommended minimum configuration.
The OS version is an example; any mainstream Linux version is acceptable. This example uses CentOS 7.6 x86_64.
JDK version requirement: 17
DMZ Zone Proxy
When an application does not allow inbound or outbound access, BambooCloud's proxy service must be deployed in the DMZ zone to connect the application service and BambooCloud IDaaS. After using the BambooCloud proxy, users can use BambooCloud IDaaS unified authentication services in an intranet environment.
The proxy service requires the service user to provide a server in the DMZ zone to deploy BambooCloud's cloud bridge service. Please contact BambooCloud implementation and delivery personnel for installation.
| Server Configuration | Quantity | OS Version | Remarks |
|---|---|---|---|
| 4 cores / 8 GB RAM / 60 GB disk | 2 | CentOS 7.6 x86_64 | Nginx proxy server |
Network Permission Configuration:
The server must support external network access.
Notes:
The above server requirements list is a recommended example.
The server configuration is the recommended minimum configuration.
The OS version is an example; any mainstream Linux version is acceptable. This example uses CentOS 7.6 x86_64.
WeCom Proxy
When a tenant needs to use the WeCom QR code login feature, the service user must provide a server to deploy the WeCom proxy service. If the DMZ zone proxy is used, it can share one server. Please contact BambooCloud implementation and delivery personnel for deployment and installation.
| Server Configuration | Quantity | OS Version | Remarks |
|---|---|---|---|
| 4 cores / 8 GB RAM / 60 GB disk | 2 | CentOS 7.6 x86_64 | Nginx proxy server |
Network Permission Configuration:
The server outbound policy must support external network access.
The intranet port 2443 must be mapped to public network port 443.
The server inbound policy must allow access from IP: 47.92.171.137.
Notes:
The above server requirements list is a recommended example.
The server configuration is the recommended minimum configuration.
The OS version is an example; any mainstream Linux version is acceptable. This example uses CentOS 7.6 x86_64.