RedFox Bastion FAQ
Common questions about RedFox Bastion, authentication, deployment and security.
What is RedFox Bastion?
A self-hosted Zero Trust bastion that provides browser-based SSH and RDP access to your infrastructure. Users authenticate via Microsoft Entra ID (OIDC) — no VPN, no shared SSH keys, no local passwords.
Which protocols are supported?
SSH is fully available now, with browser-based terminal access (xterm.js). Application Access (ZTNA) reverse-proxies internal web applications (Enterprise). RDP, VNC, database proxy and Kubernetes API proxy are implemented in the code base but not yet shipped in production builds (coming soon). All protocols will be accessible from a standard web browser.
Does RedFox Bastion require a VPN?
No. RedFox acts as the access gateway itself. Users connect via HTTPS to the bastion, which then proxies the connection to the target host. The target only needs to be reachable from the bastion, not from the user's machine.
Can I use an IdP other than Entra ID?
The Standard plan supports Entra ID (OIDC) natively. The Enterprise plan adds SAML 2.0 and LDAP federation, allowing any compatible identity provider (Okta, Google Workspace, Ping Identity, on-prem AD via ADFS, etc.).
How are credentials stored?
SSH keys and service account passwords are encrypted with AES-256-GCM before being stored in PostgreSQL. Users never see the actual secrets — RedFox injects them server-side at connection time. The encryption key can be stored in an environment variable or an external vault.
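The following is an added illustration of how a stored credential can be sealed with AES-256-GCM using a key taken from an environment variable; it is example code written for this FAQ, not RedFox Bastion's own implementation. The variable name BASTION_SECRETS_KEY, the hex key encoding and the "nonce || ciphertext || tag" layout are assumptions. The points worth noticing are the fresh random nonce per record (GCM fails catastrophically on nonce reuse under one key) and the record id bound as additional authenticated data, so a ciphertext copied into another row cannot be decrypted there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Assumed (not RedFox's real setting name): the 32-byte data-encryption key
// is supplied hex-encoded in this environment variable.
const keyEnvVar = "BASTION_SECRETS_KEY"

var errKeyLength = errors.New("key must be exactly 32 bytes for AES-256")

// LoadKey reads the key from the environment and rejects anything that is
// not a valid 32-byte hex string, so a misconfigured key fails at startup
// rather than at the first connection.
func LoadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(keyEnvVar))
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", keyEnvVar, err)
	}
	if len(key) != 32 {
		return nil, errKeyLength
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one credential for storage. A fresh random nonce is drawn per
// record, and the record id is bound as additional authenticated data so the
// blob only opens for the row it was written for. Output: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal. Any change to the nonce, ciphertext,
// tag or record id yields an error rather than garbage plaintext.
func Open(key, blob []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	// Constructed demo key for the stand-alone run; a deployment generates its own with a CSPRNG.
	os.Setenv(keyEnvVar, hex.EncodeToString(bytes.Repeat([]byte{0x42}, 32)))
	key, err := LoadKey()
	if err != nil {
		panic(err)
	}
	blob, _ := Seal(key, []byte("svc-account-password"), "credential:17")
	pt, err := Open(key, blob, "credential:17")
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	_, err = Open(key, blob, "credential:18") // same blob presented for a different row
	fmt.Println("wrong record id ->", err)
}
```

In a real deployment the key would be rotated by re-sealing every row under the new key; because the nonce is stored alongside each ciphertext, rotation needs no other state.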
What are WORM audit logs?
Write Once, Read Many. Every session event (connect, disconnect, command) is appended to an immutable log that cannot be modified or deleted, even by administrators. This provides tamper-proof evidence for compliance audits (SOC 2, ISO 27001, NIS2).
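As an added example (not RedFox Bastion's own code; the page does not describe how its WORM store is built), here is one common way to make an append-only session log tamper-evident: each entry carries the hash of the previous one, so an edit to any record breaks every link after it. The entry fields and the "genesis" anchor are assumptions. The example also shows the limit of a bare hash chain: deleting records from the tail leaves the remaining chain self-consistent, which is why the latest hash has to be published to a separate store and checked against it.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// genesisHash anchors the first entry; there is no previous record to link to.
const genesisHash = "genesis"

// Entry is one immutable audit record. Hash covers the record's own fields
// and PrevHash, so each entry commits to the entire history before it.
type Entry struct {
	Seq      int
	At       time.Time
	Session  string
	Event    string // "connect", "command", "disconnect", ...
	PrevHash string
	Hash     string
}

func hashEntry(seq int, at time.Time, session, event, prev string) string {
	h := sha256.New()
	// NUL separators keep field boundaries from being shifted between fields.
	for _, f := range []string{strconv.Itoa(seq), at.UTC().Format(time.RFC3339Nano), session, event, prev} {
		h.Write([]byte(f))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

type AuditLog struct {
	Entries []Entry
}

// Append is the only write operation; there is deliberately no update or delete.
func (l *AuditLog) Append(at time.Time, session, event string) Entry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	seq := len(l.Entries)
	e := Entry{Seq: seq, At: at, Session: session, Event: event, PrevHash: prev,
		Hash: hashEntry(seq, at, session, event, prev)}
	l.Entries = append(l.Entries, e)
	return e
}

// Head returns the latest hash. Publishing it to a separate system is what
// makes truncation of the tail detectable.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesisHash
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes every link. expectedHead is the externally published head;
// pass "" to check internal consistency only (which cannot see dropped tail entries).
func (l *AuditLog) Verify(expectedHead string) error {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain link broken", i)
		}
		if hashEntry(e.Seq, e.At, e.Session, e.Event, e.PrevHash) != e.Hash {
			return fmt.Errorf("entry %d: content altered", i)
		}
		prev = e.Hash
	}
	if expectedHead != "" && prev != expectedHead {
		return errors.New("head mismatch: entries truncated or replaced")
	}
	return nil
}

func main() {
	var al AuditLog
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	al.Append(t0, "sess-1", "connect")
	al.Append(t0.Add(5*time.Second), "sess-1", "command")
	al.Append(t0.Add(9*time.Second), "sess-1", "disconnect")
	published := al.Head()
	fmt.Println("intact:", al.Verify(published))
	al.Entries[1].Event = "noop" // an in-place edit of history
	fmt.Println("after edit:", al.Verify(published))
}
```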
Can I replay SSH sessions?
Yes. Full SSH session recording and replay is available (Standard and Enterprise plans). Sessions are stored in the WORM audit trail and can be replayed in the browser. RDP recording is on the roadmap.
What is JIT access?
Just-In-Time access grants temporary elevated permissions with automatic expiration. An operator requests access to a target, an approver validates (or auto-approve rules trigger), and the access is revoked after the configured TTL.
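The request, approval and expiry flow described above, as an added example written for this FAQ rather than RedFox Bastion's own code. The Policy type, the auto-approve rule as a predicate, and the rule that an operator cannot approve their own request are assumptions of the example. The gateway-side check evaluates expiry against the caller's clock, so a grant lapses at its TTL even if no background cleanup job ever runs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

type State string

const (
	Pending State = "pending"
	Active  State = "active"
	Expired State = "expired"
	Revoked State = "revoked"
)

// Policy is assumed for this example; the page states that a TTL and
// auto-approve rules exist but not how they are configured.
type Policy struct {
	TTL         time.Duration
	AutoApprove func(r *Request) bool // nil: every request needs a human approver
}

type Request struct {
	Operator   string
	Target     string
	Reason     string
	State      State
	ApprovedBy string
	ExpiresAt  time.Time
}

// Submit creates a request and activates it immediately if a rule matches.
func Submit(p Policy, operator, target, reason string, now time.Time) *Request {
	r := &Request{Operator: operator, Target: target, Reason: reason, State: Pending}
	if p.AutoApprove != nil && p.AutoApprove(r) {
		r.activate(p.TTL, "auto-approve rule", now)
	}
	return r
}

func (r *Request) activate(ttl time.Duration, approver string, now time.Time) {
	r.State = Active
	r.ApprovedBy = approver
	r.ExpiresAt = now.Add(ttl)
}

// Approve is the human path. Self-approval is rejected (an assumption of this
// example, and a common separation-of-duties rule).
func (r *Request) Approve(p Policy, approver string, now time.Time) error {
	if r.State != Pending {
		return fmt.Errorf("request is %s, not pending", r.State)
	}
	if approver == r.Operator {
		return errors.New("operator cannot approve their own request")
	}
	r.activate(p.TTL, approver, now)
	return nil
}

// Revoke ends access before the TTL elapses.
func (r *Request) Revoke() {
	if r.State == Active {
		r.State = Revoked
	}
}

// Allowed is the check made on every new connection attempt. The grant is
// valid strictly before ExpiresAt; at or after it the state flips to Expired.
func (r *Request) Allowed(now time.Time) bool {
	if r.State != Active {
		return false
	}
	if !now.Before(r.ExpiresAt) {
		r.State = Expired
		return false
	}
	return true
}

func main() {
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	p := Policy{TTL: 30 * time.Minute, AutoApprove: func(r *Request) bool {
		return strings.HasPrefix(r.Target, "staging-") // constructed rule
	}}
	st := Submit(p, "alice", "staging-db-1", "deploy", now)
	fmt.Println("staging now:", st.Allowed(now), "after TTL:", st.Allowed(now.Add(30*time.Minute)))
	pr := Submit(p, "alice", "prod-db-1", "incident", now)
	fmt.Println("prod self-approve:", pr.Approve(p, "alice", now))
	fmt.Println("prod bob-approve:", pr.Approve(p, "bob", now), "allowed:", pr.Allowed(now))
}
```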
Can I run RedFox in an air-gapped network?
Air-gap deployment is planned for a future release but is not yet available. It will include offline image bundles and offline-signed licences for Enterprise customers.
Which ports does RedFox need?
Inbound: 3000 (frontend), 7443 (Rust proxy), 8081 (Go gateway). Outbound: login.microsoftonline.com (OIDC), license.coderaft.io (licence validation, cached 48h). The bastion also needs connectivity to target hosts on their respective ports (22 for SSH, etc.).
Can RedFox co-host with EntraGuard or Ravenscan?
Yes. All CodeRaft products run from a single docker-compose.yml and share PostgreSQL, Redis and Neo4j infrastructure. The frontend is a unified React SPA on port 3000 that adapts based on your licence.
Is Docker required?
Yes. RedFox Bastion runs as part of the CodeRaft Docker Compose stack. Install using curl -fsSL https://install.coderaft.io | bash (or irm https://install.coderaft.io/win | iex on Windows), then activate your licence in the Setup Wizard. The dashboard deploys products based on your licence.
What are the minimum hardware requirements?
2 GB RAM, 2 vCPU, 5 GB disk. For HA cluster (Enterprise): 4 GB RAM per node, shared PostgreSQL instance.