Use Case Questions

I had some questions about ziti, maybe compared to others.

I briefly tested OpenZiti a while back, and stopped once I realized that all traffic is routed through the edge router. Due to the setup I had during testing I may not have given the platform a fair chance.

Some of the other issues may just be due to a lack of easy-to-digest documentation. Nothing against the team; however, as primarily an IT consultant for small/medium businesses I may not have the same skill set as those who are using this for DevOps etc.

I had set up a controller/router on a free Oracle VPS based on some guides I had found. Due to the free tier restrictions I found the performance to be very poor.

Anyhow, I figured I'd give it a second look and thought I'd ask some dumb easy questions first.

We are a small IT support shop (sort of an MSP), so I'm also not opposed to utilizing NetFoundry vs the open source model of just OpenZiti.

The bulk of our clients fit into the following network model.

  1. Main office, typically with 1-5 servers. Basic LAN functions of file/print sharing. Usually hosting some sort of on-premises accounting software. Usually some hosted services (commonly MS365 for email etc.). A traditional VPN for remote user access into the network. Most utilize SSTP-based RRAS on the Windows server, locked down using DUO for MFA.

So it should seem obvious that some sort of overlay setup would both make access more seamless and secure than the current setup. Overall I like the more zero trust approach of OpenZiti vs other overlay products. Here are my more specific questions.

  1. Is it possible to utilize a hosted controller (either open source via OpenZiti or NetFoundry), yet have the edge router on-premises at the main office location? In this case would the controller not be used for routing of data? Would this allow the on-premises edge router to remain fully behind the corporate firewall, with no port forwarding necessary?

  2. Is there any feasible way to extend this functionality, specifically to the MS365 solution, to allow for more secure access to the MS365 tenant? Yes, we can simply go full MS with Conditional Access and devices managed via Intune. However, honestly we find the MS Intune solutions very clunky, with far too much admin overhead for their benefits. Yes, they work, but they are clunky, expensive for what they offer, and parts break far too often.

I guess it wasn't that many questions after all.

Thanks

Hi @GoldenPSP, welcome back! :wink:

Most definitely. This is a very common use case for NetFoundry customers. You have the controller and at least one router in internet space (hosted by NetFoundry or yourself) and then you place routers in private (and often "trusted") IP space. You can also then use that router as an OpenZiti access point, keeping the traffic local to the private network while still having access from outside that private network. There are many topologies that can be applied.

Yes, given this topology, the "private" router in private IP space would link out to the public router in public IP space, and requires no special holes in the firewall other than outbound.

I am not well-versed with MS365. My perspective is that it's entirely internet facing, but if there are services that are on a private network within Azure, then yes the Azure private network can have a router deployed into it and provide reach into that private Azure space. This is a very common pattern too for services that are private to that network space. I don't have a ton of Azure experience to know for sure on this so hopefully this explanation makes enough sense?

Thanks!

In terms of MS365, I believe the only way you could make it work is by restricting logins to only certain locations. For example, it is possible to restrict logins to only trusted IPs. So say you had 2 edge routers, one in the cloud and one in the corporate network; you could make it so that all devices were originating from those 2 IPs, and you could then restrict the tenant logins to only those IPs. It would be like a private version of how people use consumer VPN services to trick Netflix into thinking they are in a specific country.

If you could restrict the IP accessing services, then yes, you should be able to accomplish what you're looking to do. To be honest, the hardest thing IMO will be to ensure you're capturing the proper addresses when you establish the intercepts within the OpenZiti overlay. You (probably?) are aware that you can intercept any address using intercept configurations, but sometimes these cloud vendors change endpoints or rename services. I don't have a good feeling for how often this happens; it might actually be incredibly infrequent, I just don't know.

So it should work fine as long as you capture the different URLs you need to, and it should keep working until the endpoints change and new intercepts are required (if ever).

Sorry I can't give you a more concrete answer, I'm just not familiar enough to know in practice, how much of a pain point adjusting those intercepts will be. My gut tells me "probably never and it'll work great", but that's only my best guess at it.
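An added check for the "capturing the proper addresses" concern in the reply above; this is example code written for this thread, not OpenZiti's own tooling. It reads an intercept.v1-style config (protocols, addresses, portRanges) and reports which client-side endpoints would fall outside the intercept and therefore reach the tenant from the client's own IP rather than the router's egress IP, which is exactly the case an IP-restricted login would then block. The address entries and endpoint list are illustrative, and treating `*.domain` as matching subdomains only is an assumption.

```python
import ipaddress
import json
from typing import List, Tuple

# Constructed intercept.v1-shaped config; the addresses are illustrative,
# not a vetted list of Microsoft 365 endpoints.
INTERCEPT_CONFIG = json.loads("""
{
  "protocols": ["tcp"],
  "addresses": ["*.office.com", "login.microsoftonline.com", "10.10.0.0/24"],
  "portRanges": [{"low": 443, "high": 443}]
}
""")


def address_matches(entry: str, host: str) -> bool:
    """True if one intercept address entry covers host.

    Handles wildcard domains (assumed to match subdomains only), CIDR or
    single IP entries, and exact hostnames, in that order."""
    host = host.lower()
    if entry.startswith("*."):
        suffix = entry[1:].lower()            # "*.office.com" -> ".office.com"
        return host.endswith(suffix) and host != suffix[1:]
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(host) in net
    except ValueError:                        # entry or host is not an IP form
        pass
    return host == entry.lower()


def port_matches(config: dict, port: int) -> bool:
    return any(r["low"] <= port <= r["high"] for r in config["portRanges"])


def uncovered(config: dict, endpoints: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Endpoints NOT captured by the intercept: this traffic bypasses the
    overlay and leaves from the client's local internet connection."""
    leaks = []
    for host, port in endpoints:
        covered = port_matches(config, port) and any(
            address_matches(a, host) for a in config["addresses"])
        if not covered:
            leaks.append((host, port))
    return leaks


if __name__ == "__main__":
    # Constructed sample of what a client might try to reach.
    sample = [("outlook.office.com", 443), ("outlook.office365.com", 443),
              ("login.microsoftonline.com", 443), ("10.10.0.7", 443)]
    for host, port in uncovered(INTERCEPT_CONFIG, sample):
        print(f"NOT intercepted: {host}:{port} (would egress from the client's own IP)")
```

Re-run it whenever the vendor renames or adds an endpoint so the gap shows up before users hit the IP-based login restriction.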