Ziti Edge Tunnel (ZET) for Windows

I am looking to deploy a tunneller on a windows host. I have been looking at ZTHA | OpenZiti where it looks like I need a ZET. That is, I want to do ZTHA on a windows box. For this, I need just a tunneller. When I go to clients, I only have the option of ZDEW. Isn’t this the client only, or can it act as a tunneller as well. Basically, I have an application (web page) on a windows host, and I want a tunneller on that box to lift it to the overlay network. There will be no need for the ZDE functionality.

taking a different angle… I have developed a zitified reverse proxy… that takes a service hosted in the ziti overlay… and brings it back to the desktop as a local host.

Its sort of like a ziti tunneller… but it acts as a local host instead of a desktop app

Happy to chat more about this.

Maybe I could open source this if there was enough interest… as I developed this a while back… and its just sitting there doing nothing.

It needs a bit more work to get it production ready… but it does work to prove the concept.

A few more points about a zitified reverse proxy that I just realised

  1. you only need to have a public certificate for the local host..

  2. you can restrict authentication to the identity used to run the zitified reverse proxy

  3. you can implement a pre hook for APIs based upon the ziti identity

I have implemented all of these things in a demo I gave a while back.. which was my project in the NetFoundry Hackathon earlier this year.

Final note

I also believe you can use this to implement MFA for a web site / API.. with zero code changes.. because its managed by the zitified reverse proxy.

I can extend it to cater for this scenario if of interest.. I think it has a lot of utility

@TheLumberjack .. any thoughts.. is it worthy to develop a demo for this?

If I had a zitified web service, I would probably use the NGINX Ziti module to make it available on the general network. I recall that you did it for other services, so is more versatile.

However, this is a general question where I want to put a tunneller on a windows host and present applications/services on that host to the Ziti overlay.

Have you tried Zitify?

Seems as if this would do the job.

Hi @gooseleggs,

The term client in this instance I think is a bit misleading. All of the Ziti tunnel executables are capable of both dialing & binding services. ZDEW is using ziti-edge-tunnel underneath, just happens to have a nice UI & an easy installer.

So the answer to your original question is yes, you can bind a service to a ZDEW instance. If you absolutely don’t want the UI, you have the option of just using ziti-edge-tunnel by itself, keeping in mind it’s not an installer, just a binary.

1 Like

Thanks for the reply @emoscardini
Looking at that zip file, I wonder if it would be possible to make that an installer that installs it as a service on the windows host, or include a powershell script that does it to make it easy for deployment/installation. Might create something and hand back.

Is there a reason you don't want the UI available? You do not need the UI running for the ZDEW to function and it already installs ziti-edge-tunnel as a service.

If you really can't stomach having the UI installed, maybe the best thing is to provide an installation option that doesn't install the UI bits?

Thanks for the replies. I like less bloated options but I can live with having the GUI.

So I have got the bind settings working, and I was setting up a client, when they popped the question “Can you get back onto my machine?” which I would have said no prior to this thread, but now need to say “not unless I or another administrator configures it”. This leads to an interesting question…Is there a way to disable the bind capability of a client?

Having the ability to have the client be bound too could lead to some murky conversations. If it is a client only, then you can categorically state that there is no way to get back to the client. I am just thinking of the nefarious admin (as an example) [I know, if he doing that then that is probably the least of your problems!].

Not at this time. It’s a feature we have talked about but haven’t implemented. I think we agree the client should have the ability to deny “the network” from binding services without consent. It’s on the backlog.

Just wondering if there has been any further thought/progress to this. I am wanting to allow third parties into the overlay. But need to ensure them that it is only one way traffic coming in, ie from them to us, and we cannot reach back to them.

Unfortunately no, not yet. But thanks for the bump on this topic. We’ll see if we can get onto it soon. I filed an enhancement for it. I looked through all our issues and didn’t see it. dial-only setting · Issue #660 · openziti/ziti-tunnel-sdk-c · GitHub

I also made a board for ziti-edge-tunnel to keep an eye on the sorts of things that are going on. I’ll try to make sure we keep that up to date. I added the feature to that board, but I am pretty sure there are other items we have in the queue ahead of it.

Thanks. The list link is a 404 error. Is that because it is private or a bad link?

Sounds good. FYI - have adoption on hold for a small set of users waiting for this feature. If I include users home devices instead of work devices then it bumps it up significantly.

It was mistakenly private. I fixed that. Thanks.