Configuring Userify for Private VPC/LAN


Email our fast, friendly support if you have a question not covered here: [email protected].

Configuring Userify for Private VPC/LAN

How should I architect Userify for a secure VPC or LAN that is only accessible from our corporate network/VPN?

We recommend you use LetsEncrypt rapid-rotation keys (built into Userify self-hosted editions.) This requires pointing a DNS A or CNAME record at the IP that you are hosting Userify on.

Userify is hardened against external attack like XSS and CSRF. The Userify server should be accessible to your corporate users.

The API configuration endpoints need to be only accessible to your servers or instances, and those do not need any dashboard access.

As long as corporate datacenter servers can access these internal network addresses, they can also be configured to utilize Userify as well as your cloud servers (and Userify is designed to keep serving logins for both cloud and corporate DC even if VPN connectivity is temporarily dropped.)

For Userify Enterprise with Active Directory: Ideally, co-locate Userify in your corporate datacenter next to your LDAP or AD server and do not expose LDAP (or other) ports even through a VPN. Treat your public cloud subnets as DMZs to your corporate zones and use Userify as an AD firewall, and only expose 443 on the Userify server to the public cloud. Optionally, using web server routing rules, block access to all Userify URLs except server configuration URLs (ie /api/userify/configure)

Configure your loghost to be a hardened rsyslog server in the same datacenter/VPC and configure a log archiver that pulls logs from the loghost. (Important: don’t push logs into your loghost or allow any access to the log archiver from the public cloud.)


Fast, free support is just a click away

Start managing your users and SSH keys in seconds     Try for free