Hi there, kind of in the same situation here, what did you end up implementing?
Interesting. But it looks like it has a component that I would have to host somewhere. Is that correct?
It’s healthcare where nothing makes sense. The VPN isn’t really for security itself in this use case. It’s just a way to give the users a common IP for their traffic to come from to access their web app. The issue is that the web app uses IP whitelisting as part of its security (hosted in AWS, I believe). So, since the users of this app can technically be anywhere, whitelisting so many different IPs isn’t feasible. The company doesn’t have any physical presence (office space) of their own. They either work from home, or share office space with their clients (i.e. they are a clinical research company and share space with the clinics/hospitals they are working for). P2P tunnels aren’t possible since there is nowhere for them to terminate. All of their user accounts exist in Azure and O365 for email. I’ll check the Azure P2S VPN. Everything I had read about Azure VPN prior seemed to be oriented towards accessing your own VMs in Azure, not as a VPN gateway. And the use for split-tunneling is so that these users can access medical record systems of the clinic/hospitals they are doing work for on the local network.
+1, this is a big ol XY Problem.
It’s not cloud-based. There is no one point of presence for the user base, so site-to-site tunnels aren’t possible. Whitelisting all possible IPs that the users could come from isn’t feasible either (especially since some would be dynamic IPs).
How is overall performance with it? How does their split-tunneling work?
Interesting. I’ll look into them further. Thanks!
Thanks. I’ll check that out too.
Sounds a bit like https://tailscale.com/, but closed source.
Also not really a solution to the problem. The issue is providing an exit node to an external vendor service.
I just threw up in my mouth a little.
Not sure what you mean.
I don’t think I’ve come across this company yet.
That had been my original thought (I run it at my company), but their cloud-hosted product is pricey with the low number of users that I have. They have no on-prem location to set up a firewall. And I have no frame of reference as to how much data will be used to calculate cost for hosting a PA VM-series in Azure.
I’m testing it now, about as easy as it gets as far as setup. Couple little things I don’t like but overall pretty awesome.
It ended up not getting implemented as far as I know. My director had found a product that was going to meet requirements but we were waiting on the company to make a few changes. I left that job a month ago, and I highly doubt it was implemented since then.
That one does, but you can use services like Cloudflare, Google IAP, Azure, etc.
But, really, this stuff is not hard to run in a cloud provider.
It’s healthcare where nothing makes sense.
Yes I remember my time there now, but it’s been a while.
Indeed, my suggesting Azure VPN was in the off-chance that this was all in-house, including the SaaS.
Probably won’t help you here with that SaaS’ requirement.
By the way, you don’t necessarily need a VPN, a proxy could likely do the same as long as it has a static outbound IP.
Since you seem to only have this requirement for this one webapp, a reverse proxy might work too.
One way or the other you’ll need to deploy something on the clients (either a VPN client, a certificate, etc.)
For my own stuff I deploy client SSL certs on devices, signed by my own CA, not to be confused with server SSL, that’d be the web service.
Reverse proxy only accepts connections from clients presenting a cert signed by my CA then proxies the connection to the actual server.
Reverse proxy could use a password instead of certs if managing certs is too complicated.
Either way you’ll need a static IP for a VM from a cloud provider.
Then you can use whatever: some sort of VPN + NAT. Or a reverse proxy like nginx.
Reverse proxy clarification:
Client device would be configured to hit shittywebapp.customer1.example.com instead of the actual SaaS… that’d be answered by an nginx proxy that has a static IP somewhere, that then proxies the request to the actual shittywebapp.com SaaS.
Cool thing about a reverse proxy is you don’t need a VPN client/server, it doesn’t need to be always connected, there’s no encapsulation.
The client is the browser itself and the server just proxies the requests back to the actual SaaS.
If that’s your only need: reverse proxy
If you’d like to have web filtering too or would have other similar needs for another web service in the future: forward proxy
If you’d have a similar, non-http need or maybe peer-to-peer need in the future: VPN.
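A concrete version of the reverse-proxy option laid out above, added here as an example rather than the commenter’s own config: one nginx server block on a cloud VM with a static public IP. It accepts only browsers that present a client certificate signed by the private CA, then proxies to the SaaS so the SaaS sees the VM’s static address. The file paths, the `/etc/nginx/...` CA bundle, the upstream hostname `shittywebapp.com` and the outbound address `203.0.113.10` are assumptions (the hostnames follow the comment’s placeholders, the address is from a documentation range).

```nginx
# Assumed layout: this VM owns static public IP 203.0.113.10, and that IP
# is what the SaaS has whitelisted. Users browse to
# shittywebapp.customer1.example.com; nginx terminates TLS, checks the
# client cert, and forwards to the real SaaS.

server {
    listen 443 ssl;
    server_name shittywebapp.customer1.example.com;

    # Server-side TLS for the browser (assumed paths; any public CA cert works here)
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    # Client-side TLS: only devices holding a cert issued by the private CA get in.
    # ssl_client_certificate is the CA chain that signed the client certs,
    # not the server cert above.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Pin the source address the SaaS will see to the whitelisted static IP.
        proxy_bind 203.0.113.10;

        proxy_pass https://shittywebapp.com;

        # The SaaS must see its own hostname, not the proxy's.
        proxy_set_header Host shittywebapp.com;
        proxy_ssl_server_name on;
        proxy_ssl_name shittywebapp.com;

        # Verify the upstream's certificate so the proxy cannot be pointed
        # at an impostor SaaS by DNS tampering.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Rewrite redirects and cookies that name the SaaS host, so the
        # browser keeps talking to the proxy instead of going direct
        # (direct traffic would come from the user's own IP and be blocked).
        proxy_redirect https://shittywebapp.com/ https://shittywebapp.customer1.example.com/;
        proxy_cookie_domain shittywebapp.com shittywebapp.customer1.example.com;

        # Forward the authenticated client identity for the proxy's own logs;
        # the SaaS itself never sees the client cert.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Two checks worth doing before handing this to users: browse to the proxy without a client cert and confirm nginx returns 400 rather than passing the request through, and confirm from the SaaS side (or its access logs, if the vendor exposes them) that the connections arrive from the static IP and not from the users’ home addresses. If the SaaS uses absolute links or WebSockets to other hostnames, those would bypass the proxy and need the same treatment, which is the point at which the forward-proxy or VPN options above start to look simpler.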
See if AWS has some sort of service similar to the Azure VPN where you can connect the service you want to access to the same virtual network as the VPN Gateway. I built an Azure gateway for this same reason as whitelisting the public IPs of employees for our Azure DBs added a lot of extra work as they change from time to time.
Edit: look into AWS Client VPN. Looks to be similar to Azure VPN. What is AWS Client VPN? - AWS Client VPN
XY problem is everywhere.
Not that OP has much of a choice in the matter, but it’d be way easier to just fix the shitty SaaS to actually work in a modern world.
Overall performance is fine. There are essentially 2 products, ZIA and ZPA. Essentially the client establishes 2 separate tunnels, one for internet access and the second for access to private applications.
ZPA works based on FQDN. You configure the application in the ZPA portal, so when any traffic from the user goes to the FQDN on the particular ports, the client pushes the traffic over the zpa tunnel.