Use Case Questions

I had some questions about Ziti, maybe compared to others.

I briefly tested OpenZiti a while back, and stopped once I realized that all traffic is routed through the edge router. Due to the setup I had during testing, I may not have given the platform a fair chance.

Some of the other issues may just be due to a lack of easy-to-digest documentation. Nothing against the team; however, as primarily an IT consultant for small/medium businesses, I may not have the same skill set as those who are using this for DevOps etc.

I had set up a controller/router on a free Oracle VPS based on some guides I had found. Due to the free-tier restrictions, I found the performance to be very poor.

Anyhow, I figured I'd give it a second look and thought I'd ask some dumb easy questions first.

We are a small IT support shop (sort of an MSP), so I'm also not opposed to utilizing NetFoundry vs. the open source model of just OpenZiti.

The bulk of our clients fit into the following network model.

  1. Main office, typically with 1-5 servers. Basic LAN functions of file/print sharing. Usually hosting some sort of on-premises accounting software. Usually some hosted services (commonly MS365 for email etc.). A traditional VPN for remote user access into the network. Most utilize SSTP-based RRAS on the Windows server, locked down using Duo for MFA.

So it should seem obvious that some sort of overlay setup would make access both more seamless and more secure than the current setup. Overall I like the more zero-trust approach of OpenZiti vs. other overlay products. Here are my more specific questions.

  1. Is it possible to utilize a hosted controller (either open source via OpenZiti or NetFoundry), yet have the edge router on premises at the main office location? In this case, would the controller not be used for routing of data? Would this allow the on-premises edge router to remain fully behind the corporate firewall, with no port forwarding necessary?

  2. Is there any feasible way to extend this functionality, specifically to the MS365 solution, to allow for more secure access to the MS365 tenant? Yes, we can simply go full MS with Conditional Access and devices managed via Intune. However, honestly we find the MS Intune solutions very clunky, with far too much admin overhead for their benefits. Yes, they work, but they are clunky, expensive for what they offer, and parts break far too often.

I guess it wasn't that many questions after all.

Thanks