# Network Filter: Restrict Admin Access by Network

### Overview

The `NetworkFilter` setting allows you to restrict access to the admin panel based on the user’s network:

* Full admin access is allowed only from the internal (On-Prem / AD) network
* External users (e.g., via Internet) cannot access the admin interface
* Authentication protocols (SAML, OIDC, WS-Fed) and device connections (PC/mobile) still work from external networks

### Use Case

A system administrator wants to prevent unauthorized access to the Hideez Enterprise Server admin panel from external networks. By enabling `NetworkFilter`, only users connecting from the corporate network (e.g., office or VPN) can manage the system. External users can still authenticate to services but won’t be able to access server settings.

### System Requirements

To enable this feature, you need:

1. A deployed instance of **Hideez Enterprise Server (HES)** with access to modify `appsettings.json`
2. **NGINX installed and running on a Linux server**, acting as a reverse proxy in front of HES
3. Administrative access to configure both the HES backend and NGINX frontend

{% hint style="info" %}
This feature will not function properly without the correct configuration **on both sides** — the Hideez Server **and** the NGINX reverse proxy on Linux.
{% endhint %}

### How to Enable Network Filter

Enabling `NetworkFilter` requires **two configuration steps**:

### Step 1: Configure Hideez Server (`appsettings.json`)

On the server side, open the `appsettings.json` file (located in the HES installation directory) and add or verify the following setting:

```
"ServerSettings": {
  "NetworkFilter": true
}
```

### Step 2: Configure NGINX on Linux to Identify Internal IPs

On the NGINX side (running on Linux), configure IP detection and header injection.

**Define internal network detection:**

Add the following **before** your `location` block:

```
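# Place the geo and map blocks in the http context
# (they are not allowed inside server or location blocks)
# Determine whether the client IP belongs to the internal network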
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}

# Map the result to a value for the X-Local-Network header
map $is_local $x_source_type {
    1 "true";
    0 "false";
}
```

This logic evaluates the client’s IP address and sets the `$x_source_type` variable accordingly.

**Update your location block:**

```
location / {
    proxy_pass http://HES;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
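    # $connection_upgrade is not a built-in variable; it must be defined
    # elsewhere in the config (typically with a map on $http_upgrade)
    proxy_set_header Connection $connection_upgrade;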
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Replaces any X-Local-Network value sent by the client with the geo/map result
    proxy_set_header X-Local-Network $x_source_type;
}
```
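
Before reloading NGINX, it helps to confirm which client addresses the `geo`/`map` pair from Step 2 will label as internal. The following Python script is an added example, not part of the Hideez documentation or code: it re-implements the lookup (most specific matching network, then the `map`) over a copy of the page's example block, and the function names `parse_geo` and `x_local_network` are illustrative.

```python
# Added example (not Hideez code); helper names are illustrative.
import ipaddress
import re

# Constructed input: the geo block from Step 2 with the page's example networks.
GEO_BLOCK = """
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}
"""

# Mirrors the page's map block ($is_local -> X-Local-Network value).
HEADER_MAP = {"1": "true", "0": "false"}


def parse_geo(block):
    """Return (default, [(network, value), ...]) for a simple geo block."""
    body = block[block.index("{") + 1 : block.rindex("}")]
    default, entries = "", []  # nginx uses "" when no default is given
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"(\S+)\s+(\S+);", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "default":
            default = value
        else:
            entries.append((ipaddress.ip_network(key, strict=False), value))
    return default, entries


def x_local_network(client_ip, block=GEO_BLOCK):
    """Header value NGINX would pass to HES for this client address."""
    default, entries = parse_geo(block)
    addr = ipaddress.ip_address(client_ip)
    # geo picks the most specific (longest-prefix) matching network.
    matches = [(net.prefixlen, val) for net, val in entries if addr in net]
    value = max(matches)[1] if matches else default
    return HEADER_MAP.get(value, "")  # unmapped value -> empty string


if __name__ == "__main__":
    for ip in ("192.168.1.57", "10.10.100.1", "10.10.100.2", "203.0.113.9"):
        print(ip, "->", x_local_network(ip))
```

The `geo` block matches on the address of the directly connecting client (`$remote_addr` by default), so if another proxy or load balancer sits in front of NGINX, test with the address NGINX actually sees rather than the end user's address.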

#### Example Configuration File (`appsettings.json`)

```json
{
  "ConnectionStrings": {
    "DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=password",
    "Provider": "MySql"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "ServerSettings": {
    "NetworkFilter": true
  },
  "AllowedHosts": "*"
}
```
