Access and Private Network

1. Onboard intranet

Next, let’s add the intranet application. Here we’ll want to set up access control so that only AcmeCorp's authorised 3rd party contractors and employees can access it.

Head again to Access ‣ Tunnels, click on your tunnel and select Configure:

We’ll onboard the intranet application via public hostname again, so that it can be accessed from anywhere on the internet. To do that, switch to the Public Hostname tab and click + Add a public hostname.

Set Subdomain to "intranet" and select the domain we provided you with.

The Service Type is HTTP again, but the URL will be localhost:8000 this time, as the intranet web app runs on port 8000 on the origin server.

ℹ️
Any warnings about a missing DNS record can be ignored.

Your final configuration should look like this:

Next, because this is the company’s intranet, we want to limit access to this application to the company’s employees only. To do that, we’ll need to create an Access policy.

  • In the Zero Trust dashboard, navigate to Access ‣ Applications ‣ Add an application
  • Select Self-hosted
    Add application
  • Enter the subdomain you configured for your intranet (leave the rest of the options untouched)
    ℹ️
    Again, you can ignore any warnings about a missing DNS record.
  • Scroll to the bottom of the page and press Next
  • Scroll to the bottom and press Next
  • Create a policy that allows anyone with a company email (in this lab, that means anyone with an email ending in @acmecorp.com) to access the application
    Set policies
  • Scroll to the bottom and press Next
  • On the final page, leave all fields blank and click the Add Application button at the bottom of the page

2. Test access to intranet

  • Plug the Application URL into your browser:
  • You should be redirected to the Cloudflare Team domain dedicated to your account: <LAB_SLUG>.cloudflareaccess.com
  • You will be prompted by Cloudflare Access to log in using the SAML account you created in the Identity Provider section

Once you do, you should be able to access AcmeCorp’s intranet.
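A quick way to confirm that Access is actually enforcing the policy (rather than the intranet being reachable directly) is to send an unauthenticated request to the hostname and check that the response is a redirect to your team domain, as the test above describes. The following is an added example, not part of the lab material; it assumes the placeholders intranet.<LAB_DOMAIN> and <LAB_SLUG> from this page, and the sample header blocks embedded in it are constructed, not captured from a real account.

```shell
#!/bin/sh
# Added example (not part of the lab): verify that an unauthenticated request to the
# intranet hostname is redirected to the Cloudflare Access team domain instead of
# reaching the origin on port 8000.

# access_enforced reads raw HTTP response headers on stdin and succeeds (exit 0)
# only when the response is a redirect whose Location points at <slug>.cloudflareaccess.com.
access_enforced() {
  slug="$1"
  hdrs=$(tr -d '\r')                                   # strip CRLF line endings
  status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)

  case "$status" in
    301|302|303|307|308) ;;                            # a redirect is expected
    *) echo "NOT enforced: status ${status:-?} (origin answered directly?)"; return 1 ;;
  esac

  case "$location" in
    https://"$slug".cloudflareaccess.com/*)
      echo "enforced: redirected to $location"; return 0 ;;
    *)
      echo "NOT enforced: redirect went to ${location:-?}"; return 1 ;;
  esac
}

# Constructed sample of what a protected hostname returns to an anonymous client.
SAMPLE_PROTECTED='HTTP/2 302
location: https://acmelab.cloudflareaccess.com/cdn-cgi/access/login/intranet.example.com
server: cloudflare'

# Constructed sample of an origin that is exposed without any Access policy.
SAMPLE_EXPOSED='HTTP/2 200
content-type: text/html
server: cloudflare'

# Helpers that run the check against the constructed samples (team slug "acmelab").
check_protected() { printf '%s\n' "$SAMPLE_PROTECTED" | access_enforced acmelab; }
check_exposed()   { printf '%s\n' "$SAMPLE_EXPOSED"   | access_enforced acmelab; }

# Real usage against the lab (placeholders from this page):
#   curl -s -o /dev/null -D - https://intranet.<LAB_DOMAIN> | access_enforced <LAB_SLUG>
```

Run the curl line from a machine that is not logged in to Access; a 200 from the origin means the policy is not in front of the hostname yet.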

4. Onboard File Server

The last application we need to onboard is AcmeCorp’s SMB fileserver. Since this is not an HTTP-based application, we’ll onboard the private IP of the Linux server so that any port on that IP can be reached. This will allow your clients to access that private IP through WARP, as if it existed on their local network.

  • Retrieve the local IP address of your Linux server:
    ip address show eth0
  • Head back to your tunnel configuration, select the Private Network tab and Add a private network
  • Add your Linux server's IP as the Private Network to your tunnel and add a /32 CIDR subnet to select only this one host
  • Next we need to create an Access policy for this private IP
  • Navigate to Access ‣ Applications, Add an application and select a Private network application
  • Use the private IP of your Linux VM (this time without the CIDR subnet) as the Destination IP
  • Press Next at the bottom of the page
  • In the next step, Allow and Block policies will be added automatically for this application; just confirm them with no changes
  • Click Add application

5. Test access to fileserver

Private network connectivity requires a client, so while the previous two tests could have been done from anywhere, this test needs to be run from a workstation with a connected WARP client, i.e. your Windows VM.

With a WARP client on, open File Explorer and open your Linux server’s IP address: \\10.x.x.x (note the two leading backslashes, those are important).

You should see two shares served from AcmeCorp’s fileserver.