Application Access (ZTNA)

Enterprise

Publish internal web applications to authenticated users without a VPN. Identity-aware reverse proxy with per-app policies.

How it works

RedFox acts as an identity-aware reverse proxy. When a user accesses a published application, RedFox authenticates the user (OIDC/SAML), evaluates policies (role, IP, time, device posture), and proxies the request to the internal application. The application itself is never exposed to the internet.

Use cases

Admin panels

Grafana, Kibana, Prometheus, Jenkins, Portainer — publish admin UIs securely without VPN.

Internal tools

Wiki, ticketing, HR systems, ERP dashboards — accessible from anywhere with identity verification.

Development environments

Staging servers, code review tools, CI/CD dashboards — scoped to the dev team.

Vendor access

Grant time-limited access to specific internal apps for contractors and vendors. JIT approval workflow supported.

Configuration

  1. Add an application — Navigate to Applications → Add Application. Provide a name, the internal URL (e.g. http://grafana:3000) and the public subdomain or path.
  2. Configure authentication — Choose OIDC or SAML. RedFox inserts identity headers (X-Forwarded-User, X-Forwarded-Groups) for the backend.
  3. Set access policies — Define who can access the app: specific roles, groups, IP ranges, time windows, or device compliance.
  4. TLS termination — RedFox handles TLS termination with auto-renewing Let's Encrypt or custom certificates.
  5. Publish — Enable the application. Users see it in their RedFox dashboard and access it via the assigned URL.

Policy engine

  • Role-based — Only users in specific RBAC roles can access the application
  • IP-based — Allow or deny access from specific IP ranges or geolocations
  • Time-based — Restrict access to business hours or specific maintenance windows
  • Device posture — Require a compliant device (Intune, CrowdStrike) for sensitive applications
  • MFA step-up — Require an additional MFA challenge for high-risk applications
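
The per-app policy evaluation from the configuration steps and the policy-engine list above, modelled as an added example in Python (not RedFox's own code): the policy shape, the request fields, the deny-reason names and the Grafana sample data are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class AppPolicy:                                   # one field per policy-engine control above
    roles: frozenset = frozenset()                 # allowed RBAC roles; empty = any role
    allow_cidrs: tuple = ()                        # allowed source ranges; empty = any IP
    hours: tuple = None                            # (start, end) window, proxy-local time
    require_compliant_device: bool = False         # device posture signal required
    require_mfa_step_up: bool = False              # extra MFA challenge required

@dataclass
class Request:                                     # what the proxy knows after OIDC/SAML login
    user: str
    groups: set
    source_ip: str
    at: datetime
    device_compliant: bool = False
    mfa_verified: bool = False

def evaluate(policy, req):
    """Return (allowed, reason, headers); the first failed control denies."""
    ip = ipaddress.ip_address(req.source_ip)
    checks = [  # (reason, passed) in the order the proxy would apply them
        ("role", not policy.roles or bool(req.groups & policy.roles)),
        ("ip", not policy.allow_cidrs or any(ip in ipaddress.ip_network(c) for c in policy.allow_cidrs)),
        ("time", not policy.hours or policy.hours[0] <= req.at.time() < policy.hours[1]),
        ("device", not policy.require_compliant_device or req.device_compliant),
        ("mfa_step_up", not policy.require_mfa_step_up or req.mfa_verified),
    ]
    for reason, passed in checks:
        if not passed:
            return False, reason, {}
    return True, "ok", {"X-Forwarded-User": req.user,   # step 2 headers, only on allow
                        "X-Forwarded-Groups": ",".join(sorted(req.groups))}

GRAFANA = AppPolicy(roles=frozenset({"sre"}), allow_cidrs=("10.0.0.0/8",),  # constructed sample policy
                    hours=(time(8), time(18)), require_mfa_step_up=True)
T10 = datetime(2024, 1, 15, 10, 0)                 # constructed timestamp, inside the window

def run_samples():
    # Constructed requests, one per control; returns the decision reason for each.
    cases = {
        "ok":   Request("alice", {"sre", "dev"}, "10.1.2.3", T10, mfa_verified=True),
        "role": Request("bob", {"dev"}, "10.1.2.3", T10, mfa_verified=True),
        "ip":   Request("alice", {"sre"}, "203.0.113.5", T10, mfa_verified=True),
        "time": Request("alice", {"sre"}, "10.1.2.3", T10.replace(hour=22), mfa_verified=True),
        "mfa":  Request("alice", {"sre"}, "10.1.2.3", T10),
    }
    return {name: evaluate(GRAFANA, r)[1] for name, r in cases.items()}
```

The backend only ever sees the identity headers on an allow decision, which is the property the logged deny reasons let you verify against the audit trail.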

Security

  • Zero Trust: every request is authenticated and authorized — no implicit trust
  • Internal applications are never exposed to the internet
  • All access is logged in the WORM audit trail with user identity, app, IP, user-agent
  • Session cookies are encrypted and bound to the user's IP (optional)
  • Rate limiting and WAF integration available per application

Need help with ZTNA configuration? Contact [email protected]. For Enterprise licensing, reach out to [email protected].