# Network Filter: Restrict Admin Access by Network

### Overview

The `NetworkFilter` setting allows you to restrict access to the admin panel based on the user’s network:

* Full admin access is allowed only from the internal (On-Prem / AD) network
* External users (e.g., via Internet) cannot access the admin interface
* Authentication protocols (SAML, OIDC, WS-Fed) and device connections (PC/mobile) still work from external networks

### Use Case

A system administrator wants to prevent unauthorized access to the Hideez Enterprise Server admin panel from external networks. By enabling `NetworkFilter`, only users connecting from the corporate network (e.g., office or VPN) can manage the system. External users can still authenticate to services but won’t be able to access server settings.

### System Requirements

To enable this feature, you need:

1. A deployed instance of **Hideez Enterprise Server (HES)** with access to modify `appsettings.json`
2. **NGINX installed and running on a Linux server**, acting as a reverse proxy in front of HES
3. Administrative access to configure both the HES backend and NGINX frontend

{% hint style="info" %}
This feature will not function properly without the correct configuration **on both sides** — the Hideez Server **and** the NGINX reverse proxy on Linux.
{% endhint %}

### How to Enable Network Filter

Enabling `NetworkFilter` requires **two configuration steps**:

### Step 1: Configure Hideez Server (`appsettings.json`)

On the server side, open the `appsettings.json` file (located in the HES installation directory) and add or verify the following setting:

```json
"ServerSettings": {
  "NetworkFilter": true
}
```

### Step 2: Configure NGINX on Linux to Identify Internal IPs

On the NGINX side (running on Linux), configure IP detection and header injection.

**Define internal network detection:**

Add the following **before** your `location` block:

```
# Determine whether the client IP belongs to the internal network
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}

# Map the result to a value for the X-Local-Network header
map $is_local $x_source_type {
    1 "true";
    0 "false";
}
```

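This logic evaluates the client’s IP address and sets the `$x_source_type` variable accordingly. `geo` matches against `$remote_addr`, the address of the connection NGINX actually received, and applies the most specific matching range. If another proxy or load balancer sits in front of NGINX, every client appears to come from that proxy's address.

**Update your location block:**

The `proxy_set_header X-Local-Network` line replaces any `X-Local-Network` value sent by the client with the value computed by NGINX, so HES should accept connections only from the NGINX proxy.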

```
location / {
    proxy_pass http://HES;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Local-Network $x_source_type;
}
```
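To check which client addresses the `geo`/`map` pair from Step 2 will mark as internal before reloading NGINX, the following added example (not part of the Hideez documentation) evaluates the block the way `geo` does, choosing the most specific matching range. The function names and the embedded sample block are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the geo block from Step 2 as it would appear in the NGINX config.
GEO_BLOCK = """
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}
"""

# Mirrors the map block on the page: geo result -> X-Local-Network value.
HEADER_MAP = {"1": "true", "0": "false"}


def parse_geo(text):
    """Return (default_value, [(network, value), ...]) parsed from a geo block."""
    body = re.search(r"geo\s+\$\w+\s*\{(.*?)\}", text, re.S).group(1)
    default, entries = "", []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        key, value = line.split()
        if key == "default":
            default = value
        else:
            # Raises ValueError on malformed ranges or host bits set (e.g. 192.168.1.5/24).
            entries.append((ipaddress.ip_network(key), value))
    return default, entries


def x_local_network(client_ip, text=GEO_BLOCK):
    """Value NGINX would send in X-Local-Network for this client address."""
    default, entries = parse_geo(text)
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, val) for net, val in entries
               if net.version == addr.version and addr in net]
    # geo applies the most specific (longest-prefix) match, else the default.
    value = max(matches)[1] if matches else default
    return HEADER_MAP.get(value, "")


if __name__ == "__main__":
    for ip in ("192.168.1.42", "10.10.100.1", "10.10.100.2", "203.0.113.7"):
        print(f"{ip:15} -> X-Local-Network: {x_local_network(ip)}")
```

Pass your own `geo` block as the second argument to confirm that VPN and office ranges resolve to `true` and that public addresses resolve to `false`.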

#### Example Configuration File (`appsettings.json`)

```json
{
  "ConnectionStrings": {
    "DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=password",
    "Provider": "MySql"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "ServerSettings": {
    "NetworkFilter": true
  },
  "AllowedHosts": "*"
}
```

