Application Network Policy Configuration in Intranet Environments

# Problem Description

Enterprise tenants access Zhuyun IDaaS from a variety of network environments. Zhuyun provides a corresponding integration policy for each of these environments.

# Problem Analysis

Because applications have different security level requirements, some systems must restrict their network inbound and outbound policies. The main combinations are as follows:

| Inbound Policy | Outbound Policy | Authentication Integration Policy | Synchronization Integration Policy |
|---|---|---|---|
| Allow Inbound | Allow Outbound | Direct Connection | Direct Connection |
| Allow Inbound after Whitelist Configuration | Allow Outbound | Direct Connection | Direct Connection |
| Disallow Inbound | Allow Outbound | Direct Connection | Sync Bridge |
| Disallow Inbound | Disallow Outbound | Deploy Proxy in DMZ Zone | Deploy Proxy in DMZ Zone + Sync Bridge |

# Solution

Determine which integration policy to use from the table above, then follow the matching section below.

# Direct Connection Mode

  • If the application system allows public network access and can reach Zhuyun IDaaS, no network policy adjustment is needed for authentication or synchronization integration.
  • If the application system can configure a public network access whitelist and can reach Zhuyun IDaaS, add IP 47.92.171.137 to the inbound whitelist so that authentication and synchronization integration can access the application.
  • If the application system does not allow inbound traffic but can reach Zhuyun IDaaS outbound, no network policy adjustment is needed for authentication integration. Synchronization requires the Sync Bridge; see the Sync Bridge section below.

# Sync Bridge

When an application does not allow inbound traffic but requires synchronization integration, the Sync Bridge must be used. The service user must provide a server within their intranet environment on which Zhuyun's Bridge service is deployed. Contact Zhuyun implementation and delivery personnel for installation. The deployment manual is available at Application Sync Bridge.

| Server Configuration | Quantity | System Version | Remarks |
|---|---|---|---|
| 4 cores / 8GB RAM / 60GB disk | 2 | CentOS 7.6 x86_64 | Bridge Server |

Network Permission Configuration: the server must support external network access.

Note:

  • The server requirement list above is a suggested example list.
  • The server configuration is the suggested minimum configuration.
  • The system version is an example version; any mainstream Linux system version is acceptable. CentOS 7.6 x86_64 is used here as an example.
  • JDK version requirement: 17.

# DMZ Zone Proxy

When an application allows neither inbound nor outbound traffic, Zhuyun's proxy service must be deployed in the DMZ zone to complete the network connection between the application service and Zhuyun IDaaS. With the proxy in place, users within the intranet environment can use the Zhuyun IDaaS unified authentication service.

The service user must provide a server in the DMZ zone on which Zhuyun's Bridge service is deployed. Contact Zhuyun implementation and delivery personnel for installation.

| Server Configuration | Quantity | System Version | Remarks |
|---|---|---|---|
| 4 cores / 8GB RAM / 60GB disk | 2 | CentOS 7.6 x86_64 | nginx proxy server |

Network Permission Configuration: the server must support external network access.

Note:

  • The server requirement list above is a suggested example list.
  • The server configuration is the suggested minimum configuration.
  • The system version is an example version; any mainstream Linux system version is acceptable. CentOS 7.6 x86_64 is used here as an example.

# Enterprise WeChat Proxy

When a tenant needs the Enterprise WeChat QR code login function, the service user must provide a server on which the Enterprise WeChat proxy service is deployed. If the DMZ zone proxy is also used, the same machine can be shared. Contact Zhuyun implementation and delivery personnel for installation.

| Server Configuration | Quantity | System Version | Remarks |
|---|---|---|---|
| 4 cores / 8GB RAM / 60GB disk | 2 | CentOS 7.6 x86_64 | nginx proxy server |

Network Permission Configuration:

  • The server outbound policy must allow access to the external network.
  • The internal network port 2443 must be mapped to the public network port 443.
  • The server inbound policy must allow access from IP 47.92.171.137.
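The following nginx configuration is an added illustration of the two proxy roles described in the DMZ Zone Proxy and Enterprise WeChat Proxy sections; it is not Zhuyun's shipped configuration. It shows a DMZ reverse proxy that forwards intranet application traffic to IDaaS, and an Enterprise WeChat listener on port 2443 (the port mapped to public 443) that admits only the documented source IP 47.92.171.137. The hostnames `idaas.example.com`, `idaas-proxy.dmz.internal`, `wecom-proxy.example.com` and `intranet-app.internal`, the intranet range `10.0.0.0/8`, and the certificate paths are all assumptions; the real values come from the Zhuyun delivery team.

```nginx
# Added example, not Zhuyun's configuration. Place inside the http {} context
# (for example in /etc/nginx/conf.d/). All hostnames and paths are assumptions.

# 1) DMZ proxy: intranet application -> Zhuyun IDaaS.
#    Only this DMZ host needs outbound access; the application stays fully closed.
server {
    listen 443 ssl;
    server_name idaas-proxy.dmz.internal;               # assumed name the intranet resolves

    ssl_certificate     /etc/nginx/certs/dmz-proxy.crt; # assumed path
    ssl_certificate_key /etc/nginx/certs/dmz-proxy.key; # assumed path

    # Restrict the forwarder to intranet clients so the DMZ host is not an open relay.
    allow 10.0.0.0/8;                                    # assumed intranet range
    deny  all;

    location / {
        proxy_pass https://idaas.example.com;            # assumed IDaaS endpoint
        proxy_ssl_server_name on;                        # send SNI on the upstream TLS handshake
        proxy_set_header Host idaas.example.com;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# 2) Enterprise WeChat proxy: listens on 2443, which the firewall maps to public 443.
#    Inbound is restricted to the IDaaS address listed in the network permission table.
server {
    listen 2443 ssl;
    server_name wecom-proxy.example.com;                 # assumed public name

    ssl_certificate     /etc/nginx/certs/wecom-proxy.crt; # assumed path
    ssl_certificate_key /etc/nginx/certs/wecom-proxy.key; # assumed path

    allow 47.92.171.137;                                 # documented IDaaS source IP
    deny  all;                                           # every other client gets 403

    location / {
        proxy_pass https://intranet-app.internal;        # assumed internal upstream
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Validate with `nginx -t` before reloading. One caveat on the `allow 47.92.171.137` rule: nginx compares against the address it sees on the socket, so if the device that maps public 443 to internal 2443 rewrites the source address (SNAT), every request will appear to come from that device and the rule will not work as intended; in that case enforce the whitelist on the mapping device or host firewall instead, and keep the nginx rule only if the original source address is preserved.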

Notes:

  • The server requirement list above is a suggested example list.
  • The server configuration is the suggested minimum configuration.
  • The system version is an example version; any mainstream Linux system version is acceptable. CentOS 7.6 x86_64 is used here as an example.