I'm currently using Ziti Edge on an IoT device to enable a Zero Trust Network Access (ZTNA) URL to be accessed from a PC without internet. Is it possible to use Ziti to allow access to third-party SaaS applications? like i need people to access attendance saas site from no internet PC is it allowed?
Hey there @ss_vinoth22, Do you mean the PC without internet can only communicate with other peers in its subnet (LAN), but doesn't have an outbound route to the public internet?
Yes, i have already implemented like this
Request from no-internet PC → OpenZiti Tunneler(verify and forward) → openziti router in aws → response to tunneler → no-internet PC.
this is working fine for any internal apps thats been self hosted in cloud .
but i need to allow saas products like Gmail, googledrive or attendance management cloud services, im not sure how to allow these apps via open ziti.
You can use FQDNs including wildcards. SaaS offerings can sometimes be difficult, depending on the level of specificity you want, embedded calls may be from other domains, etc., so it may be that you have to make a few services over time as you find them. However, you can build an intercept for *.google.com for example, which should get you most any Google service.
This got me thinking "Can I make a catch-all service?" I created a pair of configs in an attempt to intercept everything on the client side and allow everything on the hosting side (all protocols, all domain names, all ports). It didn't work with either *. or *, but it did with one or more TLDs like *.com.
neither me too.
im trying to enable moneyforward site,
added host as
{
"protocol": "tcp",
"address": "attendance.moneyforward.com",
"port": 443,
"httpChecks": ,
"portChecks":
}
intercept as
{
"portRanges": [
{
"high": 443,
"low": 443
}
],
"addresses": [
"*.moneyforward.com",
"www.googlemanager.com"
],
"protocols": [
"tcp"
]
}
this is not working
im getting error on page, it is failing on resolving cdn.moneyforward.com
This catch-all service works for me now with matching 0.0.0.0/0 IP intercept and host configs like these. This applies to IPv4, and IPv6 routes are unaffected.
intercept.v1
{
"name": "full-tunnel-intercept",
"configTypeId": "g7cIWbcGg",
"data": {
"portRanges": [
{
"low": 1,
"high": 65535
}
],
"addresses": [
"0.0.0.0/0"
],
"protocols": [
"tcp",
"udp"
]
}
}
host.v1
{
"name": "full-tunnel-host",
"configTypeId": "NH5p4FpGR",
"data": {
"forwardProtocol": true,
"forwardAddress": true,
"forwardPort": true,
"allowedAddresses": [
"0.0.0.0/0"
],
"allowedPortRanges": [
{
"low": 1,
"high": 65535
}
],
"allowedProtocols": [
"tcp",
"udp"
],
"httpChecks": [],
"portChecks": []
}
}
Thanks yeah this works. One more thing does Open ziti support SAML configurations?
like Google workspace or office 365 will have SAML , i need to allow only SAML SSO via Ziti. to avoid access personal account.
No, there's not currently a way to restrict specific application protocols for an authorized service. Ziti services are transport sockets and so will transmit any TCP or UDP payload at layer 4.
Im thinking to use openziti + cloudflare tunnel to access SAML based SaaS products, Have anyone has tried that before?
In this thread, we discussed creating a "full tunnel" experience with a Ziti service that forwards all outbound traffic to an exit point from the Ziti network.
I believe the aim was to funnel the endpoint's traffic through Ziti to ensure it arrived at a SaaS from an authorized source address.
How are you thinking of using cloudflared in tandem with OpenZiti? I have only a little experience with cloudflared, and it seems to be redundant to OpenZiti's ziti-edge-tunnel system service.
If accessing SaaS through a full tunnel service is still the topic of this thread, then I expect you are asking whether SAML would continue to function with a given SaaS if it were tunneled in this way, and I believe that it would.
You could also look at zrok frontdoor, which combine a public entry-point (similar to Cloudflare Tunnel), but is built on OpenZiti (the connection between the public frontend and your app happens over an OpenZiti connection). The Require Auth section of the zrok docs will also be of interest...