We are a SaaS-based product, but one of the client requirements is to make our application accessible only on their intranet. Is that even possible?
Yes, it’s possible.
Usually a company will have a border gateway that will NAT every request to the outside world, so every employee inside their network will be seen from outside as having only this one IP (or a few for load balancing). Even if this is not the case and every computer inside their network has a routable public IP, it can be done.
You only have to configure your firewall to only allow that IP (or that range).
If their IP is dynamic, you have to configure a VPN for that. You could create a tunnel between their network and your platform, so nobody outside their network can reach your application.
This depends on the capabilities of your SaaS.
- If access can be restricted based on IP addresses, you can do what ThoriumBR suggested, i.e. restrict it to the public IP address(es) of the company. This might or might not be sufficient, since these public IP address(es) might also be used by some potentially compromised system in the company's DMZ, like a compromised public-facing web server.
- If direct access from the internet can be switched off completely, you can create a tunnel from inside the company to the SaaS. This might be a VPN tunnel, an SSH-based tunnel, an (m)TLS tunnel using stunnel, or similar. Since the tunnel entry is on the intranet and access to the SaaS is only possible through the tunnel, the access is essentially intranet-only.
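The IP restriction both answers describe, sketched at the application layer as an added example (not code from either answer): a per-tenant, default-deny allowlist of the customer's public egress ranges. It goes slightly beyond the answers by covering the case where the SaaS sits behind its own load balancer, so the forwarded-address header is believed only when the TCP peer is one of our proxies. The tenant name, the ranges, `TRUSTED_PROXIES` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation ranges, not real customer addresses.
TENANT_ALLOWLIST = {
    "acme": ["203.0.113.10/32", "198.51.100.0/28", "2001:db8:10::/48"],
}
# Assumption: our own load balancers live here; only they may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _is_proxy(ip):
    return any(ip.version == net.version and ip in net for net in TRUSTED_PROXIES)


def client_address(peer, x_forwarded_for=None):
    """Return the TCP peer, or, if the peer is one of our proxies, the
    right-most X-Forwarded-For hop that is not one of our proxies."""
    ip = _normalize(peer)
    if x_forwarded_for and _is_proxy(ip):
        for hop in reversed(x_forwarded_for.split(",")):
            ip = _normalize(hop)
            if not _is_proxy(ip):
                break
    return ip


def is_allowed(tenant, peer, x_forwarded_for=None):
    """Default deny: unknown tenant, unparsable address or no match is False."""
    try:
        ip = client_address(peer, x_forwarded_for)
    except ValueError:
        return False
    for cidr in TENANT_ALLOWLIST.get(tenant, []):
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return True
    return False
```

As the second answer notes, a match only proves the request left through the company's public address, not that it came from an intranet host.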