Office Implementation Requirements? And General Q/A

Hello! Very interested in OpenZiti and moving towards implementation. I do have several questions that I couldn’t get a strong handle on from the documentation and will provide our office setup for a description.

We are a small mac shop doing paperwork services for clients and government entities. We have 20 laptops, 20 apple phones given to each employee. Our west coast office is 5 laptops and 5 apple phones. We have a few employees who work from home, we also have 1 network attached printer in the main office. Our office setup is fairly standard of a small business, all our endpoints connect to a switch, which connects to a router, which connects to the modem protected by a firewall. We do not have or use a VPN. We have webhosting we pay for and do not manage, we occasionally give access to our webhosted sites to freelancers for their services (webdev, content, etc).

I’m interested in using OpenZiti for ZTN implementation but what I am having a hard time wrapping my head around is what type of hardware I will need or what steps I need to take to keep our remote employees communicating without issues. My understanding is that I will need to install tunneler apps on the macs and the phones obviously, and setup a controller opening one port for a rest api and another for management. Any Edge routers will have two inbound ports open one for fabric link and another for edge connections. Fabric routers will have a single inbound port open for fabric link.

But what type of hardware is needed for the controller, and edge & fabric routers? What about the west coast office & the work from home employees? I mean I guess they have no reason to get on our local network because we just communicate through email and apps like asana / photo-shelter but yeah, it still feels strange for them to just be left out there relying on their home setup. I surmise I would need to also stand up a controller and edge router at the west coast office at a minimum.

Essentially though what would our small network setup look like? Macs and phones equipped with tunneler apps connecting to a controller and an edge router w/ the edge router connecting to a modem connecting to the internet and from there accessing our non-zitified webservers as normal? Employees working from home or travelling still need to have their openziti app configured to dial in to our open-ziti controller first? If that was the case then I would need a server or host for the controller in the cloud correct?

Final questions, Is there a list of apps which have implemented OpenZiti? I think I saw something about OpenZiti undergoing a security audit, is that available if so?

I know you’re probably asking why I would consider this for a business of our size because a ZTN may seem like overkill but it comes down to government regulation and that I have the opportunity to do this while I believe in the principles behind ZTN. My questions may seem dunce-level but I have read quite a bit, and am just starting to put together something to package up to the executive team who will have similar questions and then also need convincing as to whether we should self-host or use NetFoundry’s cloudziti.

Hi @Merciless1, welcome to the forum! I don’t think your questions are “dunce level”, we all start somewhere. Also, I think it’s great that your non-gigantic company is approaching zero trust.

You’ve done a fine job with researching OpenZiti as is! You are quite a long way along already. I’ll try to answer all your questions:

It really depends on how much data you’re pushing. From what it sounds like, it won’t be tremendous amounts. I’d start out with something smallish, something with 8g of ram and 4 cpu is “probably” a good place to start. You can always add more routers, so I’d personally start small and add on as you need to.

I’d probably have an edge-router on the east coast and one on the west for starters and I’d let them have access. One of the great things about OpenZiti is that once it’s configured, the people traveling just have to have their tunneler on and they’ll be able to access “corporate” resources from anywhere.

I think I answered that - two public edge routers, 4 cpu each. I’d put the controller on one of the routers to start, myself but ideally you’d have a box alone for that just to keep the machines separate. I run my own home OpenZiti setup with the controller/router on the same machine and it’s a tiny, 2 cpu ‘micro’ from AWS.

I would say, they just need to have the tunneler ‘on’, and I’d just leave it on all the time. OpenZiti is already a split-tunnel setup. It only intercepts the services you want/need it to.

The awesome part about starting with tunneling apps is that it works with every app. I haven’t found one yet that we didn’t get working. There are some apps we have written which have the “next-level” of zero trust, application-embedded zero trust. Things like zssh/zscp, prometheus, kubectl, zdbc, but thinks like Mattermost - Why we switched to Mattermost - NetFoundry, jenkins, git, whatever your hosting in ‘private’ address space work fantastically with the tunnelers.

Again, welcome to OpenZiti. We look forward to seeing what you do with it. I hope I covered all your questions, but if you have more just ask!

Thank you! This has cleared up many of my questions and was exactly the sort of response I was looking for.

1 Like

I would add, for hosting controllers and fabric routers, you may want to check out the guide on deploying into Oracle. Firstly it gives a good set up guide which is broadly relevant to any cloud, secondly OCI have a generous free tier which will reduce your costs - Setting Up Oracle Cloud To Host OpenZiti

Welcome, @Merciless1! This is the type of first post I like to see!