Network Filter: Restrict Admin Access by Network

Overview

The NetworkFilter setting allows you to restrict access to the admin panel based on the user’s network:

  • Full admin access is allowed only from the internal (On-Prem / AD) network

  • External users (e.g., via Internet) cannot access the admin interface

  • Authentication protocols (SAML, OIDC, WS-Fed) and device connections (PC/mobile) still work from external networks

Use Case

A system administrator wants to prevent unauthorized access to the Hideez Enterprise Server admin panel from external networks. By enabling NetworkFilter, only users connecting from the corporate network (e.g., office or VPN) can manage the system. External users can still authenticate to services but won’t be able to access server settings.

System Requirements

To enable this feature, you need:

  1. A deployed instance of Hideez Enterprise Server (HES) with access to modify appsettings.json

  2. NGINX installed and running on a Linux server, acting as a reverse proxy in front of HES

  3. Administrative access to configure both the HES backend and NGINX frontend

This feature will not function properly without the correct configuration on both sides — the Hideez Server and the NGINX reverse proxy on Linux.

How to Enable Network Filter

Enabling NetworkFilter requires two configuration steps:

Step 1: Configure Hideez Server (appsettings.json)

On the server side, open the appsettings.json file (located in the HES installation directory) and add or verify the following setting:

"ServerSettings": {
  "NetworkFilter": true
}

Step 2: Configure NGINX on Linux to Identify Internal IPs

On the NGINX side (running on Linux), configure IP detection and header injection.

Define internal network detection:

Add the following before your location block:

# Determine whether the client IP belongs to the internal network
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}

# Map the result to a value for the X-Local-Network header
map $is_local $x_source_type {
    1 "true";
    0 "false";
}

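The geo block checks the client’s IP address against the listed networks and sets $is_local to 1 or 0; the map block then converts that result into the string "true" or "false" in $x_source_type. By default, geo tests $remote_addr, the address of the peer that connected to NGINX.

Update your location block so that NGINX sets the X-Local-Network header on every proxied request: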

location / {
    proxy_pass http://HES;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Local-Network $x_source_type;
}
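
The geo and map blocks from Step 2 can be checked offline before NGINX is reloaded. The following is an added example, not part of the Hideez documentation or product: it re-implements the lookup in Python so you can confirm which client addresses would be sent to HES with X-Local-Network set to "true". It assumes geo's most-specific-match rule and handles only default and address/CIDR entries; the names parse_geo and x_local_network are hypothetical.

```python
import ipaddress
import re

# The geo block from Step 2, embedded as sample input.
GEO_BLOCK = """
geo $is_local {
    default 0;
    # Example internal network
    192.168.1.0/24 1;
    # Example individual IP
    10.10.100.1/32 1;
}
"""

# The map block from Step 2: $is_local -> X-Local-Network value.
HEADER_MAP = {"1": "true", "0": "false"}

def parse_geo(text):
    """Return (default, [(network, value), ...]); only `default` and
    address/CIDR entries are supported (hypothetical helper)."""
    body = re.search(r"\{(.*)\}", text, re.S).group(1)
    body = re.sub(r"#[^\n]*", "", body)  # strip comments
    default, rules = "", []
    for entry in body.split(";"):
        parts = entry.split()
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "default":
            default = value
        else:
            # Any other geo directive raises ValueError here.
            rules.append((ipaddress.ip_network(key, strict=False), value))
    return default, rules

def x_local_network(client_ip, geo_text=GEO_BLOCK):
    """Header value NGINX would send to HES for this client address."""
    default, rules = parse_geo(geo_text)
    addr = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, val) for net, val in rules
            if net.version == addr.version and addr in net]
    # geo uses the most specific (longest-prefix) matching entry.
    is_local = max(hits, key=lambda h: h[0])[1] if hits else default
    return HEADER_MAP.get(is_local, "")

if __name__ == "__main__":
    # Constructed client addresses: two internal, two external.
    for ip in ("192.168.1.57", "10.10.100.1", "10.10.100.2", "203.0.113.10"):
        print(f"{ip:15} X-Local-Network: {x_local_network(ip)}")
```

Paste your own geo block into GEO_BLOCK and run the script against addresses that must be denied admin access, such as your VPN concentrator's external side or a public test address.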

Example Configuration File (appsettings.json)

{
  "ConnectionStrings": {
    "DefaultConnection": "server=127.0.0.1;port=3306;database=db;uid=user;pwd=password",
    "Provider": "MySql"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "ServerSettings": {
    "NetworkFilter": true
  },
  "AllowedHosts": "*"
}
