Skip to main content

Video: Use CloudConnexa for Zero Trust Network Access to a Public SaaS Application

Abstract

This video shows you how to configure CloudConnexa to tunnel just the user traffic to the SaaS app and make that traffic egress from a connected private network. The SaaS app is then configured to only allow logins from the public IP address range of the private network. This configuration ends up securing the SaaS traffic and ensuring that the SaaS app can be accessed only via CloudConnexa.

This video shows you how to configure CloudConnexa to tunnel just the user traffic to the SaaS app and make that traffic egress from a connected private network. The SaaS app is then configured to only allow logins from the public IP address range of the private network. This configuration ends up securing the SaaS traffic and ensuring that the SaaS app can be accessed only via CloudConnexa.

Date published:

10/21/2022

Functionality covered:

Configuring Applications; Deploying Connector on AWS; steering traffic to configured domain names to CloudConnexa while other traffic is directly sent to the internet; login restriction to Salesforce based on IP address; access groups.

Description

In this video, we show how to use zero trust tenets to provide access to Salesforce.com to only authorized users.

First, we deploy a Connector on an AWS VPC to make the VPC part of the WPC. Then, we configure Salesforce.com as an application that is reachable from that VPC. Traffic will reach Salesforce.com from that VPC and will take the source IP address of the Connector because of NAT.

Next, we setup Salesforce.com to only accept logins from the IP address of the Connector on the AWS VPC. This means no one can login to your Salesforce app unless they connect to CloudConnexa. This adds another layer of protection because even if your Salesforce credentials are stolen, the bad actor cannot get access to Salesforce.

We then setup access control so that only users authorized to access Salesforce can do so when connected to CloudConnexa.

Now, when the user logs in to Salesforce, the following takes place:

  1. The connecting device needs to authenticate with a valid digital certificate.

  2. The User authenticates with CloudConnexa using username-password and 2FA.

  3. When the user tries to login to Salesforce.com, CloudConnexa checks whether the access policy allows access. If yes, it steers just the traffic destined for Salesforce.com into the encrypted tunnel to CloudConnexa (other internet traffic does not enter the tunnel). The traffic is then sent to Salesforce.com via the AWS VPC.

  4. Salesforce.com checks that the login request comes from the trusted IP address of the AWS VPC.

  5. The user then logs in to Salesforce using credentials.

Length

7:28 minutes

In this section: