Whilst Foldr is often installed as an on-premises component of your network, most users expect anytime, anywhere access to their files.
Configuring external access to the Foldr Server allows users to work remotely as if they were on the corporate network from anywhere with an internet connection.
In this article we explain the options available for configuring remote access to your Foldr Server.
External Access and Security Concerns
Opening ports is not in and of itself dangerous. Millions of websites and applications are accessible on the Internet via open HTTP ports (usually 80 and/or 443). This would not be the case were it inherently dangerous to open HTTP ports. The server or device which is listening to requests, its level of security (or lack thereof), and what an attacker can do if they gain access to said device are where the dangers lie.
There will always be a certain level of risk with exposing something to the internet or untrusted users. However, there are steps you can take to mitigate these risks and any potential impact that they may have:
- Ensure that all users (including administrators) use strong passwords and enforce the use of Passkeys and/or MFA
- Limit access to or from certain IP groups and/or countries on your firewall
- Make sure you patch your servers regularly
- Have good, automated, tested backups to separate (ideally off-site) media
- Always use HTTPS/TLS (as Foldr does) when transmitting user data. Note that it is incorrect to assume that opening port 80 (standard HTTP) is by itself “insecure”. Many services (including Foldr) use port 80 to automatically redirect users to port 443 (HTTPS). Having port 80 open is only ever an issue if an application or service exchanges any user data via plain HTTP (Foldr does not).
- Check your access logs regularly
- Isolate and separate publicly accessible devices from any private/internal data and systems as much as possible and use separate VLANs if available
- Ultimately security is a team effort. A well-developed and properly configured application behind a correctly configured firewall with users who all understand best practices around passwords and authentication being monitored by an alert administrator should prove to be both secure and reliable.
Public IP
A common approach to provide remote access to Foldr is via a dedicated public IP.
Instructions
- First, request a dedicated static public IP address from your Internet service provider.
- Next, configure your firewall to route connections from this public IP address to the internal IP address of the Foldr virtual appliance. Only TCP port 443 (for HTTPS) needs to be open inbound; however, we recommend that TCP port 80 (HTTP) is also opened to allow the use of the free signed SSL certificates offered through Let’s Encrypt. If port 80 is not opened, all users will be forced to enter ‘https://’ into a web browser to initiate a connection. For security reasons, all user sessions initiated on HTTP are automatically redirected to HTTPS.
- Finally, create an external DNS host (A) record for ‘foldr’ on the organisation’s public domain. The host record should resolve to your newly created static, public IP address. The external DNS for your public domain is most likely handled by whoever manages your website hosting.
- Users can now connect to Foldr remotely using a memorable and universally accessible address such as foldr.yourdomain.org
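Once ports 80 and 443 are open, it is worth confirming that port 80 only redirects to HTTPS, as stated in the security notes and in the firewall step above. The following is an added example, not code from Foldr: the function names are hypothetical, the sample responses are constructed rather than captured from a real server, and foldr.yourdomain.org is the placeholder address used in this article.

```python
"""Added example: check that a host's port 80 only redirects to HTTPS."""
import socket
from urllib.parse import urlsplit

def classify_http_response(raw: bytes, host: str) -> str:
    """Return 'redirects-to-https' or the reason the response falls short."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if int(parts[1]) not in (301, 302, 307, 308):
        return "no-redirect"  # something is answered over plain HTTP
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        return "redirect-not-https"  # relative or http:// target stays on HTTP
    if (target.hostname or "").lower() != host.lower():
        return "redirect-to-other-host"
    return "redirects-to-https"

def fetch_port_80(host: str, timeout: float = 5.0) -> bytes:
    """Send one GET / to port 80 and return the raw response (needs network)."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection((host, 80), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed sample responses (not captured from a real Foldr server).
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://foldr.yourdomain.org/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<form action='/login'>...</form>")

if __name__ == "__main__":
    for name, raw in (("redirect", SAMPLE_REDIRECT), ("plain", SAMPLE_PLAIN)):
        print(name, "->", classify_http_response(raw, "foldr.yourdomain.org"))
```

To test a live deployment from outside the network, pass the output of `fetch_port_80("foldr.yourdomain.org")` to `classify_http_response` with your own hostname.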
Reverse Proxy
You can also provide external access via a reverse proxy / web publishing service should you have one available on your network. A reverse proxy allows you to present multiple internal services via one dedicated IP address.
As the web publishing service / reverse proxy routes connections to the Foldr Server, a dedicated public IP address is not required.
Integration guide for Microsoft’s TMG or ISA reverse proxy. Foldr has also been tested against Microsoft’s ARR reverse proxy and the Nginx reverse proxy running on Linux systems.
Port Forwarding
An option for smaller environments is to configure port forwarding on your router/firewall.
Configure inbound TCP 443 and TCP 80 (for HTTPS and HTTP respectively) requests to be forwarded to the internal address of your Foldr Server.
When using this option, only one service within your network can use HTTPS externally, and as such it is not suitable for environments that might be running web servers or web mail.
Cloudflare Tunnel
A fast and convenient method to provide external access to Foldr is to use Cloudflare Tunnel.
Instructions
This option does not require you to create and manage inbound firewall rules or use public IP addresses, and the tunnel is managed and configured using the Cloudflare dashboard. More information on this option is available in the following KB article
Custom Ports
Foldr can be configured to run on a custom port other than 443 for client access if required. See here for more details.