I have created a virtual Windows Server 2019 using VMware, and have hosted a web application on that server. This Windows server is tunneled to an edge router. On my host OS, which is the client, I am able to access this web application without the use of Ziti. The client is also tunneled to a ziti-edge-router. How can I make the web app go dark so that the only way I can access this web application is through Ziti?
On my host OS, which is the client, I am able to access this web application without the use of Ziti.
Are you looking to make the web application dark even to the local host network? If so, the way you would accomplish that is to adopt an OpenZiti SDK and compile it into your application. Doing that is what we call "ZTAA" or "zero trust application access". By adopting an OpenZiti SDK in that way, you can take the server listening on the local underlay network entirely off the underlay, so that it is exclusively accessible via the overlay! What technology are you using for the server? Python, Go, Java, something else? Our SDKs have examples as to how you would be able to accomplish this.
I assume that's what you were asking, but if not let us know. Cheers
I used javascript and HTML to develop this application. If you could provide me with some resources as to how I could implement OpenZiti SDK into my application I would greatly appreciate it.
Ok. Is it a node-based application? Or is it javascript/html delivered from some other server tech? I need to know what server you’re running to answer best.
If the ziti router is on the same server as the web server, tell the web server to only bind to localhost. Use the built-in firewall to deny access across the network.
If the ziti router is on another device then configure the firewall to only listen to port 80/443 from the ziti router/client.
ZTHA or “Zero Trust Host Access”, as @gooseleggs points out, is a great option for those who can’t or just aren’t ready to adopt an OpenZiti SDK into their application. This will make your web server dark to the LAN/WAN and follows the general OpenZiti guidelines of “keep all firewalls closed to inbound connections”. This is the place many people start their OpenZiti journey from and is a terrific idea/option since you are keeping your firewall entirely closed and it requires no additional coding of your application. The only way to make the application dark from the local host OS network is to include an SDK in the application itself and learn how to bind on the overlay.
You can also bind the application itself to 127.0.0.1 as well, further reinforcing that the application is only accessible from that host. (as opposed to binding to a routable IP on the LAN)
Sorry about the confusion. The app was deployed using IIS Manager on our Virtual Windows Server 2019. We did not compile the application ourselves. Is there any way to adopt an OpenZiti SDK or would I need to use the firewall to deny access?
Thanks for that info. If you’re not the author of the application, ZTHA, as @gooseleggs mentioned, is undoubtedly the right decision. You would use the firewall to deny all inbound traffic to that server for the web application. Yes, that’s the proper way to use OpenZiti in this situation. Then, your app is only accessible from someone on the local machine (like, via RDP) or via OpenZiti and you have turned that web server dark to the LAN/WAN. You got it!
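The host-access setup described in this thread (loopback-only binding plus a closed inbound firewall), written out as an added PowerShell example; it is not part of any poster's reply or of the OpenZiti project. It assumes the IIS site is named "Default Web Site", serves HTTP on port 80, and that the Ziti tunneler or router runs on the same server and reaches the app over loopback.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: site name, ports, and a Ziti tunneler/router
# on this same host that forwards to 127.0.0.1. Adjust to your deployment.
Import-Module WebAdministration
$SiteName = 'Default Web Site'   # assumed IIS site name
$Ports    = '80', '443'          # web ports to close to the LAN/WAN

# 1. Replace the wildcard HTTP binding with a loopback-only binding.
#    (An HTTPS binding needs the same change plus its certificate mapping.)
Remove-WebBinding -Name $SiteName -Protocol http -Port 80
New-WebBinding    -Name $SiteName -Protocol http -IPAddress 127.0.0.1 -Port 80

# 2. http.sys listens on every address by default, whatever the site binding
#    says. Restrict its listen list to loopback; this applies once the HTTP
#    service restarts (for example after a reboot).
netsh http add iplisten ipaddress=127.0.0.1

# 3. Disable enabled inbound allow rules that name the web ports.
#    (Rules written as port ranges are not matched by this simple filter.)
$allow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and
            (@($f.LocalPort) | Where-Object { $_ -in $Ports })
    }
if ($allow) { $allow | Disable-NetFirewallRule }

# 4. Add an explicit block rule. A block rule takes precedence over allow
#    rules, so an allow rule added later does not re-expose the app.
New-NetFirewallRule -DisplayName 'Dark web app - block inbound HTTP(S)' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $Ports -Profile Any

# 5. Check what is listening on port 80 after the restart.
Get-NetTCPConnection -State Listen -LocalPort 80 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

To confirm the result, browse to the server from another machine on the LAN without Ziti (the connection should fail) and then through the Ziti service (it should load).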