Final Doc Restructure (#497)
@@ -3,7 +3,7 @@ import { Heading } from '@/components/Heading'
|
||||
|
||||
const howToGuides = [
|
||||
{
|
||||
href: '/how-to/getting-started',
|
||||
href: '/get-started',
|
||||
name: 'Quickstart guide',
|
||||
description: 'Start using NetBird in under 5 minutes.',
|
||||
},
|
||||
@@ -14,29 +14,29 @@ const howToGuides = [
|
||||
'Learn how to use access controls to manage access to your machines.',
|
||||
},
|
||||
{
|
||||
href: '/how-to/add-users-to-your-network',
|
||||
href: '/manage/team/add-users-to-your-network',
|
||||
name: 'Add users to your network',
|
||||
description: 'learn how to add team members to your NetBird network.',
|
||||
description: 'Learn how to add team members to your NetBird network.',
|
||||
},
|
||||
{
|
||||
href: '/how-to/routing-traffic-to-private-networks',
|
||||
href: '/manage/network-routes/routing-traffic-to-private-networks',
|
||||
name: 'Route traffic to private networks',
|
||||
description:
|
||||
'Learn how to provide access to LANs, VPS, and corporate private networks.',
|
||||
},
|
||||
{
|
||||
href: '/how-to/configuring-default-routes-for-internet-traffic',
|
||||
href: '/manage/network-routes/configuring-default-routes-for-internet-traffic',
|
||||
name: 'Configure default routes and traffic for the Internet',
|
||||
description: 'Understand how to set up your network for accessing the internet through default routes, also known as "exit nodes".',
|
||||
},
|
||||
{
|
||||
href: '/how-to/monitor-system-and-network-activity',
|
||||
href: '/manage/activity/traffic-events-logging',
|
||||
name: 'Log and monitor network activity',
|
||||
description:
|
||||
'Learn how to keep track of system and network activities in your account.',
|
||||
},
|
||||
{
|
||||
href: '/how-to/manage-dns-in-your-network',
|
||||
href: '/manage/dns',
|
||||
name: 'Manage DNS in your network',
|
||||
description:
|
||||
'Learn how to configure name servers in your private network.',
|
||||
|
||||
@@ -210,10 +210,10 @@ export const docsNavigation = [
|
||||
title: 'Settings',
|
||||
isOpen: false,
|
||||
links: [
|
||||
{title: 'Authentication', href: '/how-to/enforce-periodic-user-authentication' },
|
||||
{title: 'Multi-Factor Authentication', href: '/how-to/multi-factor-authentication' },
|
||||
{title: 'Delete Account', href: '/how-to/delete-account' },
|
||||
{title: 'Plans and Billing', href: '/how-to/plans-and-billing' }
|
||||
{title: 'Authentication', href: '/manage/settings/enforce-periodic-user-authentication' },
|
||||
{title: 'Multi-Factor Authentication', href: '/manage/settings/multi-factor-authentication' },
|
||||
{title: 'Delete Account', href: '/manage/settings/delete-account' },
|
||||
{title: 'Plans and Billing', href: '/manage/settings/plans-and-billing' }
|
||||
|
||||
]
|
||||
},
|
||||
@@ -221,21 +221,21 @@ export const docsNavigation = [
|
||||
title: 'Integrations',
|
||||
isOpen: false,
|
||||
links: [
|
||||
{title: 'Enable Post Quantum Cryptography', href: '/how-to/enable-post-quantum-cryptography' },
|
||||
{title: 'Enable Post Quantum Cryptography', href: '/manage/integrations/enable-post-quantum-cryptography' },
|
||||
{
|
||||
title: 'MDM for Deployment',
|
||||
isOpen: true,
|
||||
links: [
|
||||
{title: 'Deploy with Jamf Pro', href: '/how-to/jamf-pro-netbird-integration' },
|
||||
{title: 'Deploy with Kandji', href: '/how-to/kandji-netbird-integration' },
|
||||
{title: 'Deploy with Intune', href: '/how-to/intune-netbird-integration' },
|
||||
{title: 'Deploy with Jamf Pro', href: '/manage/integrations/mdm-deployment/jamf-pro-netbird-integration' },
|
||||
{title: 'Deploy with Kandji', href: '/manage/integrations/mdm-deployment/kandji-netbird-integration' },
|
||||
{title: 'Deploy with Intune', href: '/manage/integrations/mdm-deployment/intune-netbird-integration' },
|
||||
]
|
||||
},
|
||||
{
|
||||
title: 'Kubernetes',
|
||||
isOpen: true,
|
||||
links: [
|
||||
{title: 'Operator', href: '/how-to/kubernetes-operator' },
|
||||
{title: 'Operator', href: '/manage/integrations/kubernetes' },
|
||||
]
|
||||
},
|
||||
]
|
||||
@@ -245,7 +245,7 @@ export const docsNavigation = [
|
||||
title: 'Public API',
|
||||
isOpen: false,
|
||||
links: [
|
||||
{ title: 'Access Public API', href: '/how-to/access-netbird-public-api' },
|
||||
{ title: 'Access Public API', href: '/manage/public-api' },
|
||||
|
||||
]
|
||||
},
|
||||
@@ -254,8 +254,8 @@ export const docsNavigation = [
|
||||
title: 'For Partners',
|
||||
isOpen: false,
|
||||
links: [
|
||||
{ title: 'Managed Service Providers', href: '/how-to/msp-portal' },
|
||||
{ title: 'Acronis NetBird integration', href: '/how-to/acronis-netbird-integration' },
|
||||
{ title: 'Managed Service Providers', href: '/manage/for-partners/msp-portal' },
|
||||
{ title: 'Acronis NetBird integration', href: '/manage/for-partners/acronis-integration' },
|
||||
|
||||
]
|
||||
},
|
||||
@@ -265,7 +265,7 @@ export const docsNavigation = [
|
||||
{
|
||||
title: 'CLIENT',
|
||||
links: [
|
||||
{ title: 'Profiles', href: '/how-to/profiles' },
|
||||
{ title: 'Profiles', href: '/client/profiles' },
|
||||
],
|
||||
|
||||
},
|
||||
@@ -301,8 +301,8 @@ export const docsNavigation = [
|
||||
{
|
||||
title: 'GET MORE HELP',
|
||||
links: [
|
||||
{ title: 'Troubleshooting client issues', href: '/how-to/troubleshooting-client' },
|
||||
{ title: 'Report bugs and issues', href: '/how-to/report-bug-issues' },
|
||||
{ title: 'Troubleshooting client issues', href: '/help/troubleshooting-client' },
|
||||
{ title: 'Report bugs and issues', href: '/help/report-bug-issues' },
|
||||
|
||||
],
|
||||
|
||||
|
||||
@@ -20,14 +20,14 @@ A **Peer** is a machine or any device that is connected to the network.
|
||||
It can be a Linux server running in the cloud or on-premises, a personal laptop, mobile phone, or even a Raspberry Pi.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/architecture/high-level-dia.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/about-netbird/high-level-dia.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
With NetBird clients installed and authorized on the Management service, machines form a mesh network connecting
|
||||
to each other directly via an encrypted point-to-point WireGuard tunnel.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/architecture/mesh.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/about-netbird/mesh.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
While it is possible to create a full mesh network, it might be not a desirable outcome.
|
||||
@@ -58,7 +58,7 @@ After that, they are able to establish a connection to the new peer.
|
||||
The Management service runs in the cloud NetBird-managed. It can also be self-hosted.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/architecture/management.png" alt="management-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/about-netbird/management.png" alt="management-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
### Client Application
|
||||
@@ -99,7 +99,7 @@ peers need to find each other and exchange the most suitable connection candidat
|
||||
This is done through Signal. After a connection has been established, Signal steps out.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/architecture/signal.png" alt="signal-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/about-netbird/signal.png" alt="signal-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
@@ -115,7 +115,7 @@ The Relay service is a [TURN server](https://webrtc.org/getting-started/turn-ser
|
||||
In fact, we use an open-source implementation called [Coturn](https://github.com/coturn/coturn).
|
||||
The purpose of the Relay service is to gracefully implement a "Plan B" by relaying traffic between peers when a direct point-to-point connection is not possible. However, starting with v0.29.0, a new WebSocket-based relay has been introduced with the intent of replacing the previous TURN relay (Coturn). [More info](https://netbird.io/knowledge-hub/september-newsletter).
|
||||
<p>
|
||||
<img src="/docs-static/img/architecture/relay.png" alt="relay-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/about-netbird/relay.png" alt="relay-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
|
||||
@@ -7,10 +7,10 @@ This feature also allows you to switch between self-hosted and cloud-hosted NetB
|
||||
to juggle multiple config files.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/profiles/profiles.png" alt="profiles" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/client/profiles/profiles.png" alt="profiles" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
Watch a short demo GIF demonstrating how profile switching works [here](/docs-static/img/how-to-guides/profiles/profiles.gif).
|
||||
Watch a short demo GIF demonstrating how profile switching works [here](/docs-static/img/client/profiles/profiles.gif).
|
||||
|
||||
## NetBird Profiles GUI Quickstart
|
||||
|
||||
@@ -37,7 +37,7 @@ if needed.
|
||||
* **Active and default** profiles cannot be removed.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/profiles/manage-profiles.png" alt="profiles" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/client/profiles/manage-profiles.png" alt="profiles" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
## What Is a Profile?
|
||||
@@ -477,7 +477,7 @@ For SFTP and SCP, use native clients (`sftp` and `scp` commands) which work with
|
||||
```
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/ssh/ssh-dashboard.png" alt="netbird ssh dashboard" className="imagewrapper-big" />
|
||||
<img src="/docs-static/img/manage/peers/ssh/ssh-dashboard.png" alt="netbird ssh dashboard" className="imagewrapper-big" />
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ NetBird has an official Android application that you can download at Google Play
|
||||
|
||||
<p>
|
||||
<a href="https://play.google.com/store/apps/details?id=io.netbird.client" target="_blank">
|
||||
<img src="/docs-static/img/how-to-guides/google-play-badge.png" alt="playstore" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/get-started/mobile/google-play-badge.png" alt="playstore" className="imagewrapper"/>
|
||||
</a>
|
||||
|
||||
</p>
|
||||
@@ -21,6 +21,6 @@ NetBird has an official iOS application that you can download from the App Store
|
||||
|
||||
<p>
|
||||
<a href="https://apps.apple.com/de/app/netbird-p2p-vpn/id6469329339?l=en-GB" target="_blank">
|
||||
<img src="/docs-static/img/how-to-guides/app-store-badge.svg" alt="appstore" className="imagewrapper" style={{ padding: '30px' }}/>
|
||||
<img src="/docs-static/img/get-started/mobile/app-store-badge.svg" alt="appstore" className="imagewrapper" style={{ padding: '30px' }}/>
|
||||
</a>
|
||||
</p>
|
||||
|
||||
@@ -22,7 +22,7 @@ Steps to reproduce the behavior:
|
||||
4. See error
|
||||
|
||||
**Have you performed any debugging steps?**
|
||||
Learn more at [troubleshooting guide](/how-to/troubleshooting-client)
|
||||
Learn more at [troubleshooting guide](/help/troubleshooting-client)
|
||||
|
||||
**Expected behavior**
|
||||
|
||||
@@ -170,20 +170,20 @@ To generate a bundle via GUI, you can access the application then go to `Setting
|
||||
the wizard to upload the bundle:
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/troubleshooting-client/ui-settings.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/help/troubleshooting-client/ui-settings.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
<Note>
|
||||
If needed, you can update the upload URL and select to anonymize sensitive information like IP addresses and non-netbird.io domains in logs and status output.
|
||||
</Note>
|
||||
<p>
|
||||
<img src="/docs-static/img/troubleshooting-client/ui-bundle-wizard.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/help/troubleshooting-client/ui-bundle-wizard.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
By default running with trace log enable before generating the bundle is selected. This will restart the client connections and provide a `disconnect to connected` information for our engineers.
|
||||
|
||||
If you uncheck this option, a bundle will be generated without running this step. Which is very useful when you have an
|
||||
issue that recovers when restarting the client.
|
||||
<p>
|
||||
<img src="/docs-static/img/troubleshooting-client/ui-bundle-success.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/help/troubleshooting-client/ui-bundle-success.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
Once the bundle generation is complete, you can click on `Copy Key` to get the uploaded key and share with NetBird\'s team.
|
||||
|
||||
@@ -1,213 +0,0 @@
|
||||
# Introduction
|
||||
|
||||
NetBird’s **Traffic Events** feature provides a high-level view of traffic flows between network peers and resources.
|
||||
It captures connection events on the client (peer) side – for example, when `Peer A` connects to `Peer B` –
|
||||
allowing administrators to observe how devices communicate across the NetBird network.
|
||||
The primary purpose of traffic events is to help network admins monitor network activity,
|
||||
detect unusual or unauthorized connections, and troubleshoot connectivity issues in their NetBird mesh VPN.
|
||||
Unlike packet capture, **Traffic Events** record metadata about the traffic (addresses, ports, timestamps, etc.) rather than the contents,
|
||||
preserving privacy while still giving useful insight.
|
||||
|
||||
By focusing on client-side events, NetBird’s **Traffic Events** show what each peer is doing on the network.
|
||||
This includes which peers or services it is contacting, over which protocols, and when.
|
||||
Traffic Events are especially useful for verifying that access control policies are working as expected (e.g. confirming that a peer could reach an allowed resource,
|
||||
or that blocked traffic wasn’t forwarded).
|
||||
In essence, they provide an audit trail of network connections in your NetBird environment,
|
||||
helping administrators ensure the network is being used according to policy and to quickly identify
|
||||
any anomalies or needed configuration changes.
|
||||
|
||||
# Data Collected on Peers
|
||||
|
||||
When enabled, a NetBird peer will record metadata for each network flow that it participates in. The data collected typically includes:
|
||||
|
||||
* **Timestamp**: When the flow started and ended.
|
||||
* **Source and Destination IP Addresses**: The IP of the peer (source) and the IP of the remote endpoint (destination). For peer-to-peer traffic, these will be the NetBird network IPs (e.g. 100.x.x.x addresses of each peer). For traffic to an external resource (like a private server or subnet), the destination might be an IP in that remote network.
|
||||
* **Source and Destination Ports**: The network ports used by the connection (for TCP/UDP flows). ICMP flows will be identified by ICMP type rather than ports.
|
||||
* **Protocol**: The protocol of the traffic, such as TCP, UDP, or ICMP.
|
||||
* **Direction**: Whether the flow was incoming or outgoing.
|
||||
* **Volume of Data**: The amount of data transferred, measured in number of packets and bytes sent/received for the duration of the flow.
|
||||
|
||||
# Kernel Mode vs Userspace Mode
|
||||
|
||||
NetBird leverages WireGuard for its tunneling, and it can operate in two modes on client devices: kernel mode or userspace mode.
|
||||
In kernel mode, NetBird utilizes the operating system’s WireGuard kernel module (when available) for handling encryption and routing.
|
||||
This offers very efficient performance with low overhead, as the heavy lifting is done inside the OS kernel.
|
||||
NetBird is designed to take advantage of kernel-mode WireGuard whenever possible for direct peer-to-peer connections.
|
||||
If the kernel module isn’t available or if the platform doesn’t support it (for example, Windows, or certain BSD-based systems),
|
||||
NetBird falls back to a userspace implementation of WireGuard (running in the NetBird agent process).
|
||||
Userspace mode may introduce slightly higher CPU usage or latency since packets are handled in the application layer rather than the kernel,
|
||||
but it ensures compatibility across all environments.
|
||||
|
||||
# Log Retention
|
||||
|
||||
NetBird does not store Traffic Events indefinitely; instead, we follow a retention policy to
|
||||
balance storage use and privacy. By default, traffic event data is retained for 24 hours on the management system,
|
||||
after which older records are automatically deleted.
|
||||
|
||||
However, while in experimental mode, logs are retained for **48 hours**.
|
||||
Additionally, please note that the current API returns a maximum of **50,000 events**.
|
||||
We are actively working on expanding this limit in the coming days to support larger datasets and increased usage.
|
||||
|
||||
# Log Shipping
|
||||
|
||||
To enhance monitoring and centralized analysis, we support shipping Traffic Events to external logging solutions.
|
||||
This integration allows you to seamlessly forward Traffic Events from NetBird to DataDog, Amazon S3 or Amazon DataFirehose,
|
||||
where you can leverage advanced dashboards, alerting, and analytics to gain deeper insights into your network activity.
|
||||
|
||||
# Use Cases
|
||||
|
||||
This section outlines common scenarios in which Traffic Events are useful, explaining what administrators can glean in each case.
|
||||
We’ll also illustrate some scenarios with examples and screenshots of log data where applicable.
|
||||
|
||||
## 1. Peer-to-Peer Connections
|
||||
|
||||
When two NetBird peers communicate directly, a traffic event is generated on the peer that initiated the connection.
|
||||
This covers basic peer-to-peer traffic such as one workstation pinging another, an SSH session from one server to another,
|
||||
or any application data exchanged between two peers over NetBird.
|
||||
The log will show the source peer’s NetBird IP and the destination peer’s NetBird IP, along with the protocol and ports used.
|
||||
|
||||
#### **1.1. Example of a traffic event for a TCP connection between two peers.**
|
||||

|
||||
In the above example, a peer named `Nevada Windows` opened a TCP connection from source port `52480` to another peer named `acltest` on destination port `80`.
|
||||
Each peer would log the event from its perspective – typically, the initiator peer `Peer A` logs it as an outgoing connection and
|
||||
the responder peer `acltest` logs it as an incoming connection.
|
||||
|
||||
|
||||
#### **1.2. Example of a traffic event for an UDP connection between two peers.**
|
||||
|
||||

|
||||
In the case of UDP traffic between peers, the event will similarly record the source/dest IPs and ports and label the protocol as UDP.
|
||||
|
||||
#### 1.3. Example of a traffic event for an ICMP connection between two peers.
|
||||
|
||||

|
||||
ICMP flows (like a ping) will appear with protocol ICMP in the logs. For a ping, you’d see the two peers’ IPs and the fact it was ICMP;
|
||||
if packet/byte counting is on, you might see a couple of packets (an echo request and reply) recorded.
|
||||
|
||||
## 2. Peer-to-Resource Connections
|
||||
|
||||
#### 2.1. Peer-To-Host Connection
|
||||
|
||||

|
||||
|
||||
This scenario involves a NetBird peer accessing a specific host resource on an internal network, via a routing peer.
|
||||
In NetBird, you can define resources (in Access Control) that are single hosts (single IP addresses) which a peer should be allowed to reach.
|
||||
For example, you might have an on-premises service at IP `192.168.0.201` that is not itself running NetBird,
|
||||
but one of your NetBird peers `Routing Peer A` is in that network and can route traffic to it.
|
||||
Another peer `Peer A` somewhere else is granted access to that host through NetBird.
|
||||
When `Peer A` tries to connect (e.g. HTTPS on port 443) to the host resource `192.168.0.201` the traffic will go through `Routing Peer A`
|
||||
(which acts as a routing peer for that resource).
|
||||
|
||||
Traffic Events are extremely useful here to understand each step:
|
||||
|
||||
* On `Peer A`’s log, you would see an outgoing event with destination `192.168.0.201`:443 (for example) over TCP.
|
||||
The source would be `Peer A`’s NetBird IP and source port, destination the host’s IP and port 443.
|
||||
This confirms that Peer A attempted to reach the server.
|
||||
* On `Routing Peer A`’s log, you will see the related event: coming from `Peer A`
|
||||
(`Peer A`’s NB IP to `192.168.0.201` on port 443). Routing `Peer A` essentially bridges the two networks,
|
||||
so it sees an incoming event and forwards the traffic internally.
|
||||
|
||||
**Another Example**: Imagine DNS is disabled on a printer, and a user’s laptop `Peer A` tries to ping the printer’s IP
|
||||
via a NetBird routing peer. The logs on `Peer A` would show an ICMP flow to the printer’s IP;
|
||||
the routing peer’s logs would show the traffic coming from the laptop and going to the printer.
|
||||
If the ping fails, you could see whether the flow reached the printer or not.
|
||||
All of this without capturing packets – the flow records give a concise summary of what happened.
|
||||
In summary, for peer-to-host resource events, look at the initiating peer’s log for an outbound flow to the host’s IP,
|
||||
and the routing peer’s log for the corresponding transit.
|
||||
These flows confirm that NetBird is correctly carrying traffic to specific network resources in your network.
|
||||
|
||||
#### 2.2. Peer-To-Subnet Connection
|
||||
|
||||
Similar to the above, this scenario deals with a peer accessing an entire subnet (range of IPs) via a routing peer.
|
||||
NetBird allows administrators to define network routes (or the newer “Networks” feature) where a peer acts as a gateway to a subnet (for example, an office `LAN 10.0.5.0/24`).
|
||||
A common use case is site-to-site connectivity or allowing remote peers to access a whole VLAN or VPC through one NetBird node.
|
||||
|
||||
In a peer-to-subnet case, the Traffic Events will show when a peer communicates with any IP in the target subnet:
|
||||
|
||||
* On the client (peer) side, an outgoing traffic event will appear whenever it sends traffic to an IP within the allowed subnet. For instance,
|
||||
if `Peer A` (remote laptop) connects to `10.0.5.100` (an internal server in the subnet),
|
||||
`Peer A`’s logs will list a flow with destination `10.0.5.100` (and whatever port/protocol).
|
||||
* On the routing peer’s side (the peer that has access to that subnet),
|
||||
you’ll again see the flow coming from `Peer A`’s NetBird IP out to the `10.0.5.x` address.
|
||||
|
||||
One thing to note is that when a subnet is allowed, a peer might generate many traffic events if it scans
|
||||
or communicates with multiple hosts in that subnet. Each distinct connection (to each IP and port)
|
||||
is a separate traffic event. The logs can thus help you map out which internal hosts a remote peer is talking to.
|
||||
For example, you might see peer-a accessing `10.0.5.25 (file server)` on `TCP 445`, and also `10.0.5.100` on `TCP 3389 (RDP)`.
|
||||
This tells you which services are being used.
|
||||
|
||||
Traffic Events in this scenario can highlight if any unexpected access is happening.
|
||||
Perhaps a peer is only supposed to use a database, but you see events to a domain controller’s IP – that could be a red flag to investigate.
|
||||
Conversely, if a user complains they can’t access anything in the subnet, you could check the traffic events
|
||||
if absolutely no traffic events to that subnet appear in their peer log, maybe their client isn’t attempting the connection.
|
||||
|
||||
#### 2.3. Peer-To-Domain Connection
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||
NetBird also supports defining resources by domain name – for example,
|
||||
an access policy might allow a peer to reach example.com or *.corp.internal.
|
||||
In these cases, the NetBird client will handle domain name resolution (often through NetBird’s DNS features)
|
||||
and then allow traffic to the resulting IP addresses if they match the domain policy.
|
||||
Traffic Events will capture the actual IP connections made, but it’s important to understand how domain-based rules reflect in the logs.
|
||||
|
||||
When a peer initiates a connection to an allowed domain (say, intranet.corp.internal), the following happens:
|
||||
|
||||
The peer resolves the domain to an IP using the routing peer's embedded resolver.
|
||||
The connection proceeds to that IP over the tunnel. The event on the peer will show a connection to that IP address (since that’s what ultimately happens on the network layer).
|
||||
|
||||
As a result, an administrator analyzing the logs may see a connection to an IP address, such as 10.8.0.5 on TCP 443,
|
||||
with an explicit reference to the domain it was resolved from.
|
||||
|
||||
The event for peer-to-domain scenarios will look just like any other peer-to-host event:
|
||||
peer’s NB IP -> some destination IP, protocol, port, bytes.
|
||||
The difference is that the allowed destination IP might not be static – it could change
|
||||
if the DNS name resolves differently. NetBird, however, will log whatever actual addresses were contacted.
|
||||
For example, consider a rule allowing access to pool.ntp.org (which resolves to various IPs).
|
||||
If a peer (Peer A) uses that, on Peer A’s log over time you might see events to multiple different IP addresses
|
||||
on UDP port 123 (NTP). Each of those events corresponds to the domain resource.
|
||||
|
||||
## 3. Site-to-Site Connections
|
||||
|
||||
In a site-to-site setup, NetBird connects two or more networks (sites) each with a routing peer.
|
||||
For example, an AWS VPC network and an on-prem network could be linked via their respective NetBird peers,
|
||||
so that machines in each site can talk to each other through the NetBird tunnel
|
||||
(often without each machine running NetBird – the routing peers relay traffic).
|
||||
Traffic Events become a powerful tool to monitor and troubleshoot this inter-site traffic.
|
||||
|
||||
Consider two sites: Site A (with subnet 10.1.0.0/16, routing peer = Peer-A) and Site B (with subnet 192.168.1.0/24, routing peer = Peer-B).
|
||||
NetBird is configured so that each site’s subnet is accessible to the other via the respective routing peers.
|
||||
Now suppose a host in Site A (10.1.0.50) is trying to reach a host in Site B (192.168.1.75) on some service.
|
||||
|
||||
Here’s how the Traffic Events play out:
|
||||
|
||||
* Peer-A’s logs (routing peer at Site A): Peer-A will log an incoming event from 10.1.0.50 (a host on its LAN)
|
||||
going to 192.168.1.75 via the NetBird tunnel.
|
||||
* Peer-B’s logs (routing peer at Site B): Correspondingly, Peer-B will log an incoming event from Peer-A (over NetBird)
|
||||
destined to 192.168.1.75 on its local network.
|
||||
|
||||
Using these logs, you can trace end-to-end connectivity between sites.
|
||||
If Site A can’t talk to Site B, check Peer-A’s logs: do we see events attempting to go out?
|
||||
If not, the issue might be that the Site A host isn’t routing to Peer-A.
|
||||
If yes, then check Peer-B’s logs: did it receive anything?
|
||||
If Peer-B’s log is empty for that traffic, then maybe the tunnel is down or ACL is missing.
|
||||
If Peer-B got it and forwarded to 192.168.1.75, but no reply came, then the problem is likely on the Site B host or network.
|
||||
Essentially, the Traffic Events allow you to break the problem into segments (A -> tunnel, tunnel -> B, B -> host, etc.).
|
||||
|
||||
Even in normal operation, site-to-site Traffic Events give visibility into the volume and types of traffic flowing between locations.
|
||||
This can be useful for capacity planning or security monitoring.
|
||||
For example, if one site suddenly starts sending a lot of data to another at odd hours, the logs on the routing peers will reflect that in bytes and packets counts.
|
||||
Administrators might set up external log analysis to alert on unusual site-to-site flow patterns (e.g., a spike in ICMP traffic or large data transfers).
|
||||
|
||||
# Privacy and Security Considerations
|
||||
**[CHECK] Add this section if needed**
|
||||
|
||||
# Conclusion
|
||||
|
||||
Traffic Events in NetBird provide network administrators with valuable visibility into the traffic within their secure network, all while operating at a high level that avoids delving into packet contents.
|
||||
In this documentation, we covered what Traffic Events are and how they function on NetBird clients:
|
||||
they record who is talking to whom, over what, and when, giving you an overview of network activity that is essential for both troubleshooting and security auditing.
|
||||
We outlined the data points collected (IPs, ports, timestamps, etc.) and noted that by default NetBird is careful not to log sensitive payload or DNS information, aligning the feature with privacy best practices.
|
||||
|
||||
@@ -18,7 +18,7 @@ Always keep your token safe and reset it if you suspect it has been compromised.
|
||||
|
||||
## Using personal access tokens
|
||||
|
||||
When establishing a connection using [PATs](/how-to/access-netbird-public-api), you will need your access token — you can create one in the [NetBird dashboard](https://app.netbird.io/users) under User settings. It is recommended to use [service users](/how-to/access-netbird-public-api) for all organization wide flows calling the API. Here's how to add the token to the request header using cURL:
|
||||
When establishing a connection using [PATs](/manage/public-api), you will need your access token — you can create one in the [NetBird dashboard](https://app.netbird.io/users) under User settings. It is recommended to use [service users](/manage/public-api) for all organization wide flows calling the API. Here's how to add the token to the request header using cURL:
|
||||
|
||||
```bash {{ title: 'Example request with personal access token' }}
|
||||
curl https://api.netbird.io/api/users \
|
||||
@@ -28,6 +28,6 @@ curl https://api.netbird.io/api/users \
|
||||
Always keep your token safe and reset it if you suspect it has been compromised.
|
||||
|
||||
<div className="not-prose mb-16 mt-6 flex gap-3">
|
||||
<Button href="/how-to/access-netbird-public-api#creating-an-access-token" arrow="right" children="How to create tokens" />
|
||||
<Button href="/manage/public-api#creating-an-access-token" arrow="right" children="How to create tokens" />
|
||||
</div>
|
||||
|
||||
|
||||
@@ -14,12 +14,12 @@ Use the NetBird Public API to manage users, peers, network rules and more from i
## Getting started {{ anchor: false }}
To get started, it is recommended to create a [service user](/how-to/access-netbird-public-api#creating-a-service-user), that can later be used to communicate with the NetBird API.
To get started, it is recommended to create a [service user](/manage/public-api#creating-a-service-user), that can later be used to communicate with the NetBird API.
To be able to send requests to our API you need to [authenticate](/api/guides/authentication) on each request. This can be done either by Bearer token from your identity provider or by creating a [personal access token](/api/guides/authentication#using-personal-access-tokens) in the NetBird dashboard.{{ className: 'lead' }}
<div className="not-prose">
<Button
href="/how-to/access-netbird-public-api#creating-an-access-token"
href="/manage/public-api#creating-an-access-token"
variant="text"
arrow="right"
children="Get your personal access token"
@@ -83,13 +83,13 @@ Starting version `0.48` NetBird supports port ranges in policies, allowing you t
Make sure to set traffic direction only when TCP or UDP protocols are selected. Finally, provide a name and description for your policy.
<p>
<img src="/docs-static/img/overview/create-rule.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/access-control/create-rule.png" alt="high-level-dia" className="imagewrapper"/>
</p>
If necessary, you can also add a [posture checks](/manage/access-control/posture-checks) to the policy. Posture checks are used to ensure that the peer meets certain security requirements before allowing it to connect. You can select from predefined posture checks or create custom ones.
Once you have finished configuring the policy, click `Add Policy` to save it. You will then see your new policy in the table.
<p>
<img src="/docs-static/img/overview/new-rule-list.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/access-control/new-rule-list.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
@@ -105,7 +105,7 @@ If you create a new group when defining a policy, you will need to add a peer to
You can assign a peer to a group by accessing the `Peers` section. Then, choose the specific peer you want to assign to a group. Click on the `Assigned Groups` select box and select the group(s) you wish to assign to this peer.
<p>
<img src="/docs-static/img/overview/associate-peer-groups.png" alt="high-level-dia" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/access-control/associate-peer-groups.png" alt="high-level-dia" className="imagewrapper-big"/>
</p>
<Note>
@@ -119,14 +119,14 @@ To update a policy, just click on its name and customize it according to your re
### Disabling Policies
To disable a policy, use the switch in the `Active` column of the table.
<p>
<img src="/docs-static/img/overview/disable-rule.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/access-control/disable-rule.png" alt="high-level-dia" className="imagewrapper"/>
</p>
### Deleting Policies
To delete a policy, click on `Delete` in the table, and confirm the message that appears.
<p>
<img src="/docs-static/img/overview/delete-rule-menu.png" alt="high-level-dia" className="imagewrapper"/>
<img src="/docs-static/img/manage/access-control/delete-rule-menu.png" alt="high-level-dia" className="imagewrapper"/>
</p>
## Managing Groups
@@ -141,7 +141,7 @@ When you see a group input field anywhere in the dashboard (e.g. such as when cr
2. Press 'Enter' to create the new group
<p>
<img src="/docs-static/img/groups/create-group-input.png" alt="Create group inline" className="imagewrapper"/>
<img src="/docs-static/img/manage/access-control/groups/create-group-input.png" alt="Create group inline" className="imagewrapper"/>
</p>
**From Groups Page**<br/>
@@ -150,7 +150,7 @@ When you see a group input field anywhere in the dashboard (e.g. such as when cr
3. Provide a name for your new group
<p>
<img src="/docs-static/img/groups/create-group.png" alt="Create group from groups page" className="imagewrapper"/>
<img src="/docs-static/img/manage/access-control/groups/create-group.png" alt="Create group from groups page" className="imagewrapper"/>
</p>
### Viewing Groups
@@ -162,7 +162,7 @@ Navigate to `Access Control` > `Groups` to view all groups in your organization.
- Usage status (used/unused groups)
<p>
<img src="/docs-static/img/groups/view-groups.png" alt="Groups overview page" className=""/>
<img src="/docs-static/img/manage/access-control/groups/view-groups.png" alt="Groups overview page" className=""/>
</p>
**Group Details**<br/>
@@ -177,7 +177,7 @@ Navigate to `Access Control` > `Groups` and then click on any group name to view
- **Setup Keys**: See setup keys with this group as an auto-assigned group
<p>
<img src="/docs-static/img/groups/view-group-detail.png" alt="Group details page" className=""/>
<img src="/docs-static/img/manage/access-control/groups/view-group-detail.png" alt="Group details page" className=""/>
</p>
### Renaming Groups
@@ -192,7 +192,7 @@ Groups synchronized from Identity Providers (Google Workspace, Entra ID, etc.) c
</Note>
<p>
<img src="/docs-static/img/groups/rename-group.png" alt="Rename group" className=""/>
<img src="/docs-static/img/manage/access-control/groups/rename-group.png" alt="Rename group" className=""/>
</p>
### Deleting Groups
@@ -211,5 +211,5 @@ Groups with active dependencies cannot be deleted. First remove all dependencies
</Note>
<p>
<img src="/docs-static/img/groups/delete-group.png" alt="Delete group" className=""/>
<img src="/docs-static/img/manage/access-control/groups/delete-group.png" alt="Delete group" className=""/>
</p>
@@ -91,4 +91,4 @@ Use this to see who can access resources in your routed [networks](/manage/netwo
- [Manage network access with Groups and Access Policies](/manage/access-control/manage-network-access)
- [Apply posture checks to policies](/manage/access-control/posture-checks)
- [Networks and routing peers](/manage/networks)
- [MSP portal overview](/how-to/msp-portal)
- [MSP portal overview](/manage/for-partners/msp-portal)
@@ -36,15 +36,15 @@ For example, let's create an access policy. While the steps are the same for mac
- Set the source group to `IT Administrators` and the destination group to `Windows Workstations`
- Configure the protocol and port settings based on required access patterns (e.g., TCP 22 for SSH access to servers, TCP 80 for web servers, etc.)


Provide a descriptive name for the policy, such as "IT to Windows machines" that indicates its purpose, and click `Save` to create and activate the policy.


This access policy will automatically apply to all devices managed by Acronis Cyber Protect Cloud that belong to users in the `IT Administrators` group, providing them secure access to designated resources while preventing lateral movement to unauthorized systems. The policy enforcement occurs at the network level, complementing Acronis Cyber Protect Cloud's device-level monitoring and management capabilities.


Moreover, users will only gain this network access when their devices are actively monitored and maintained through Acronis Cyber Protect Cloud, creating a comprehensive security approach where device health monitoring and network access controls work together. This combination ensures that only properly managed and compliant devices can establish secure network connections to protected resources.
@@ -60,19 +60,19 @@ This section demonstrates how to create a software package in Acronis Cyber Prot
Log in to Acronis Cyber Protect Cloud, navigate to `SOFTWARE MANAGEMENT > My packages` and click the `Add package` button:


In the `General information` tab, provide a descriptive name for the package (e.g., "NetBird EXE Installer") and specify the vendor name. Optionally, add a package description and select the appropriate license type from the dropdown menu. Click `Next` to continue.


In the `Upload package` tab, enter the installer version (required field) and select the target architecture type. Click the `+ Upload` button in the top right corner to upload the NetBird installer package.


Select the NetBird installer file from your local system. Once the upload completes, click `Next` to proceed.


In the `Install / Uninstall commands` tab, configure the silent installation parameters by entering the following commands:
@@ -83,19 +83,19 @@ The `/S` parameter ensures silent installation without user prompts for NetBird'
> **Note**: If you're using NetBird's MSI installer instead of the EXE installer, use `/qn` in the **Installation options** field instead of `"{{full_path}}" /S`. The **Uninstallation options** field remains the same (`{{uninstall_cmd}} /S`) for both installer types. The `/qn` parameter provides quiet installation with no user interface for MSI packages.


In the `Summary` tab, review all package configuration details for accuracy. Check the required boxes to confirm your settings and accept the End User License Agreement (EULA) terms. Click `Next` to proceed.


The `Digital signature check` tab provides security verification options for the uploaded package. Enable digital signature checking to ensure package integrity and authenticity—this represents a security best practice for enterprise deployments. Click `Add package` to complete the package creation process.


Acronis will perform the digital signature verification automatically. Once completed, you'll see a `Verified` status next to the NetBird package in your software library.


With the NetBird package successfully added to your Acronis software library, you can now proceed to deploy it across your managed Windows machines.
@@ -107,43 +107,43 @@ Acronis Cyber Protect Cloud provides multiple deployment methods for installing
To install NetBird from the available packages, navigate to `SOFTWARE MANAGEMENT > My packages` and click the three-dot menu next to the NetBird package. Select `Install` from the dropdown options.


In the `Deploy software` window, click `+ Add workloads` and select your target machines from the available endpoints.


For this example, we selected a single endpoint called `Windows-11`. Click the `Install now` button to begin the immediate deployment process.


Monitor the installation progress by navigating to `MONITORING > Activities`, where you can track the deployment status across all selected machines.


Verify successful installation by navigating to `SOFTWARE MANAGEMENT > Software inventory`, where NetBird should appear in the installed software list for each target machine.


**Method 2: Bulk Selection from Device Management**
Alternatively, navigate to `DEVICES > All devices` and select the checkboxes for all target endpoints you want to include in the deployment. Click on any selected device to open the right sidebar, then select `Deploy software`. This approach opens the same `Deploy software` interface with your pre-selected workloads ready for deployment.


**Method 3: Scheduled Deployment Plans**
For more advanced deployment control, use Acronis' deployment plans feature. Navigate to `MANAGEMENT > Software deployment plans` and click `+ Create plan` in the upper right corner.


In the `Create software deployment plan` window, click the pencil icon to customize the plan name, select either `Install` or `Uninstall` under Action, and click `Select software` to add the NetBird package. Configure your preferred deployment schedule by setting the specific date and time for automated execution.


After configuring the plan parameters, click `Create` to save the plan for future use, or click `+ Add workloads` to immediately select target endpoints and execute the deployment.


The advantage of deployment plans is that they enable scheduled, repeatable installations across multiple client environments, allowing MSPs to standardize NetBird deployments during designated maintenance windows while maintaining consistent configuration management across all managed endpoints.
@@ -255,7 +255,7 @@ Next, on the right sidebar:
- If needed, Acronis lets you pass `Arguments` to the installer, such as setup keys and the management URL.
- Once done, set the script's status to `Approved` and click `Save`.


Using a similar procedure, you can add the following script to use the MSI installer instead of the EXE installer:
@@ -401,7 +401,7 @@ Write-Host "NetBird MSI installation completed successfully!" -ForegroundColor G
The script downloads the official `.msi` installer and uses the silent flag to install NetBird on Windows machines, just as the `.exe` installer.


Likewise, you can add an **Uninstall NetBird** script:
@@ -528,7 +528,7 @@ Write-Host "NetBird uninstallation process completed!" -ForegroundColor Green
The script executes `netbird_uninstall.exe` using the silent flag to remove NetBird from Windows endpoints.


If you need to edit or delete any script, you can do it by navigating to `MANAGEMENT > Script repository > My scripts`
@@ -540,11 +540,11 @@ As with packages, you can use different methods to deploy NetBird scripts to Win
Navigate to `MANAGEMENT > Script repository > My scripts`, click the three-dot menu on the script you want to install, and select `Script quick run`:


Next, you can select the workloads where you want to run the script and click the `Run now` button.


As before, you can follow the installation progress by navigating to `MONITORING > Activities`.
@@ -557,11 +557,11 @@ Navigate to `MANAGEMENT > Scripting plans` and click on `Create plan`. Next:
- Add the desired workloads
- Once ready, click the `Create` button.


From `MANAGEMENT > Scripting plans`, you can click on the three-dot menu of any plan to view its details, edit it, or manually run it.


## Installing NetBird in macOS using a Bash Script
@@ -588,7 +588,7 @@ Configure the following properties in the right sidebar:
* **Arguments:** If needed, you can pass parameters to the script through the `Arguments` field, such as setup keys for automated enrollment.
* Once configured, set the script's status to `Approved` and click `Save`.


If you need to manage your scripts, you can do it by navigating to `MANAGEMENT > Script repository > My scripts`
@@ -604,7 +604,7 @@ Once the script is saved, you can run it on-demand from `My scripts` or add it t
* Click `Run now` to deploy the script to the chosen devices.
* To track the installation status, go to `MONITORING > Activities`.


**Method 2: Scheduled Scripting Plans**
@@ -619,7 +619,7 @@ First, navigate to `MANAGEMENT > Scripting plans` and click `Create plan`. In t
Once all settings are configured, click `Create` to save and activate the plan.


Tip: You can manually trigger any plan outside its schedule. Go to `MANAGEMENT > Scripting plans`, find the plan you want to execute, click its three-dot menu, and run it.
@@ -633,4 +633,4 @@ To confirm that your Acronis-deployed Windows (or macOS) endpoints successfully
This verification step ensures that your automated deployment process has completed successfully and that devices are ready to enforce the access control policies configured for your organization's security requirements.


@@ -8,7 +8,7 @@ An MSP account is a standard NetBird account with the added 'Tenants' section, a
With an MSP account, you can also manage your own internal network, just like with a regular NetBird account.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenants.png" alt="tenants" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenants.png" alt="tenants" className="imagewrapper-big"/>
</p>
The MSP Portal is designed to help you efficiently manage multiple tenant networks, providing a seamless experience for
@@ -16,7 +16,7 @@ switching between tenants and your MSP account. You can do so without the need t
or inconvenient customer-specific URLs.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-switch.png" alt="tenant-switch" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-switch.png" alt="tenant-switch" className="imagewrapper"/>
</p>
## How to Apply for an MSP Account?
@@ -39,13 +39,13 @@ In the 'Tenants' section of your dashboard, click on the 'Add Tenant' button to
1. Provide the tenant's name and domain:
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-name-domain.png" alt="add-new-tenant-name-domain" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/add-new-tenant-name-domain.png" alt="add-new-tenant-name-domain" className="imagewrapper"/>
</p>
2. Define who can access the tenant account by selecting the user groups of your account and the applicable [user role](/manage/team/add-users-to-your-network#manage-user-roles) when they switch to the tenant. Only users from the selected groups will
be able to switch to and manage the tenant account.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-permissions.png" alt="add-new-tenant-permissions" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/add-new-tenant-permissions.png" alt="add-new-tenant-permissions" className="imagewrapper"/>
</p>
<Note>
If a user belongs to multiple groups with different roles, the highest permission role will be applicable.
@@ -58,13 +58,13 @@ be able to switch to and manage the tenant account.
3. To ensure that you have rights to manage the tenant, you need to verify the ownership of the tenant domain by adding
a TXT DNS record to the tenant's domain:
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-verify-domain.png" alt="add-new-tenant-verify-domain" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/add-new-tenant-verify-domain.png" alt="add-new-tenant-verify-domain" className="imagewrapper"/>
</p>
4. Once the domain is verified, select a plan for the tenant.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/add-new-tenant-plan.png" alt="add-new-tenant-plan" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/add-new-tenant-plan.png" alt="add-new-tenant-plan" className="imagewrapper"/>
</p>
### Existing Account
@@ -75,12 +75,12 @@ The current account owner will be prompted to grant this access the next time th
1. Press the "Request Access" button if the account already exists:
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-already-exists.png" alt="tenant-already-exists" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-already-exists.png" alt="tenant-already-exists" className="imagewrapper"/>
</p>
2. Ask the account owner to log in to the dashboard and press "Grant Access"
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-grant-or-deny.png" alt="tenant-grant-or-deny" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-grant-or-deny.png" alt="tenant-grant-or-deny" className="imagewrapper"/>
</p>
<Note>
@@ -96,7 +96,7 @@ Choose the tenant you want to manage from the dropdown list to switch to the ten
you to the tenant's network.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-switch.png" alt="tenant-switch" className="imagewrapper"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-switch.png" alt="tenant-switch" className="imagewrapper"/>
</p>
<Note>
@@ -112,7 +112,7 @@ Note that your user will not appear in the 'Team' -> 'Users' section of the tena
through the MSP account. However, your user will be visible in the Audit Log, labeled as 'External.'
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-audit-log.png" alt="audit-log" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-audit-log.png" alt="audit-log" className="imagewrapper-big"/>
</p>
## Tenant Usage, Billing and Subscription Management
@@ -120,12 +120,12 @@ through the MSP account. However, your user will be visible in the Audit Log, la
For your convenience, NetBird provides a daily usage overview.
Please note that the usage displayed in the MSP portal may differ from what you see when switching to a tenant account.
This is because the MSP portal shows billable usage — meaning only active users and machines are counted
(see [NetBird plans](/how-to/plans-and-billing#net-bird-plans) for more details).
(see [NetBird plans](/manage/settings/plans-and-billing#net-bird-plans) for more details).
The usage data is refreshed once per day and reflects the number of users and peers that will be included in your billing at the end of the cycle.
<p>
<img src="/docs-static/img/how-to-guides/msp-portal/tenant-usage.png" alt="tenant-usage" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/for-partners/msp-portal/tenant-usage.png" alt="tenant-usage" className="imagewrapper-big"/>
</p>
Each tenant you add is treated as an individual Stripe subscription under your MSP account. When you go to Manage Plan
@@ -25,7 +25,7 @@ helm repo add netbirdio https://netbirdio.github.io/helms
```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
```
3. Add NetBird API token. You can create a PAT by following the steps [here](/how-to/access-netbird-public-api#creating-a-service-user).
3. Add NetBird API token. You can create a PAT by following the steps [here](/manage/public-api#creating-a-service-user).
```shell
kubectl create namespace netbird
kubectl -n netbird create secret generic netbird-mgmt-api-key --from-literal=NB_API_KEY=$(cat ~/nb-pat.secret)
@@ -98,7 +98,7 @@ helm upgrade -f values.yaml -n netbird netbird-operator-config netbirdio/netbird
## Expose Kubernetes Control Plane to your NetBird Network
To access your Kubernetes control plane from a NetBird network, you can expose your Kubernetes control plane as a
[NetBird resource](/how-to/networks#resources) by enabling the following option in the netbird-operator-config values:
[NetBird resource](/manage/networks#resources) by enabling the following option in the netbird-operator-config values:
```yaml
kubernetesAPI:
@@ -107,7 +107,7 @@ kubernetesAPI:
The operator will create a NetBird network resource similar to the example below:
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/kubernetes-api.png" alt="API" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/integrations/kubernetes/kubernetes-api.png" alt="API" className="imagewrapper-big"/>
</p>
## Expose Kubernetes Services to NetBird Network
@@ -143,7 +143,7 @@ spec:
This will create a Network and a resource similar to the example below:
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/resources-1.png" alt="resources" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/integrations/kubernetes/resources-1.png" alt="resources" className="imagewrapper-big"/>
</p>
<Note>
@@ -201,7 +201,7 @@ kubernetesAPI:
```
After updating and [applying the configuration](#updating-or-modifying-the-operator-configuration), you should see a policy similar to the one below:
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/kubernetes-api-policy.png" alt="resources policy" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/integrations/kubernetes/kubernetes-api-policy.png" alt="resources policy" className="imagewrapper-big"/>
</p>
### Linking Policy Bases to Kubernetes Services
@@ -229,7 +229,7 @@ spec:
The operator will create a policy in your management account similar to the one below:
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/resources-policy.png" alt="resources policy" className="imagewrapper-big"/>
<img src="/docs-static/img/manage/integrations/kubernetes/resources-policy.png" alt="resources policy" className="imagewrapper-big"/>
</p>
You can reference multiple policy bases using a comma separated list of policy bases: `netbird.io/policy: "app-users,app-admins"`
@@ -278,7 +278,7 @@ To enable sidecar functionality in your deployments, you first need to generate
or by following [this guide](/manage/peers/register-machines-using-setup-keys) for more details.
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/side-cars-setup-key.png" alt="Setup Keys" className="imagewrapper"/>
<img src="/docs-static/img/manage/integrations/kubernetes/side-cars-setup-key.png" alt="Setup Keys" className="imagewrapper"/>
</p>
Next, you'll create a secret in Kubernetes and add a new resource called `NBSetupKey`. The `NBSetupKey` name can then be
@@ -331,7 +331,7 @@ Starting with `v0.27.0`, NetBird supports extra DNS labels, allowing you to defi
To use this feature, create a setup key with the “Allow Extra DNS Labels” option enabled. See the example below for reference:
<p>
<img src="/docs-static/img/how-to-guides/kubernetes/side-cars-setup-key-with-extra-labels.png" alt="Setup keys with extra labels" className="imagewrapper"/>
<img src="/docs-static/img/manage/integrations/kubernetes/side-cars-setup-key-with-extra-labels.png" alt="Setup keys with extra labels" className="imagewrapper"/>
</p>
And add the annotation `netbird.io/extra-dns-labels` to your pod; see the example below:
@@ -37,11 +37,11 @@ Let's create a policy that enables the `Development` team to access the `Servers
- Set the source group to `Development` (or the appropriate team group synchronized from Entra ID) and the destination group to `Servers`
- Configure the protocol and port settings based on required access patterns (e.g., TCP 22 for SSH access to servers)


Provide a descriptive name for the policy, such as "Dev Team Server Access" that indicates its purpose, and click `Save` to create and activate the policy.


This access policy will automatically apply to all devices enrolled in Intune that belong to users in the `Development` group (as synchronized from **Entra ID**), providing them secure access to designated resources while preventing lateral movement to unauthorized systems.
@@ -68,21 +68,21 @@ Using the Win32 method requires you to convert either NetBird's `.exe` or `.msi`
- Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com), navigate to `Apps`, and click the `Windows` button.


- Click the `+ Create` button to add a new Windows application


- In the `App type` dropdown, select `Windows app (Win32)` and click `Select`


- On the `Add App` screen, click `Select app package file` and browse to the location of the NetBird `.intunewin` file you created earlier
- Select the `.intunewin` file and click `OK`


- On the `App information` tab, configure NetBird with the following values:
@@ -97,7 +97,7 @@ Using the Win32 method requires you to convert either NetBird's `.exe` or `.msi`
You can leave the rest of the fields empty.


- Click `Next` to advance to the `Program` tab. Use the following commands in the install and uninstall fields:
@@ -108,14 +108,14 @@ You can leave the rest of the fields empty.
For this example, leave the rest of the configuration unchanged. Note that you can change the install behavior and users' ability to uninstall NetBird if required.


- Click `Next` to advance to the `Requirements` tab. Here you can specify the architecture and minimum OS version required for installing NetBird. For instance:
- **Operating system architecture:** 64-bit
- **Minimum operating system:** Windows 10 22H2


- Click `Next` to advance to the `Detection rules` tab. Intune lets you choose between **using a custom detection script** or **manually configuring detection rules**. Select the latter and configure it as follows:
@@ -127,7 +127,7 @@ For this example, leave the rest of the configuration unchanged. Note that you c
Click `OK` when ready.


For examples on registry-based detection rules, refer to [Intune documentation](https://learn.microsoft.com/en-us/intune/intune-service/apps/apps-win32-add#step-4-detection-rules)
@@ -137,19 +137,19 @@ For examples on registry-based detection rules, refer to [Intune documentation](
|
||||
|
||||
- On the `Assignments` tab, under `Required`, click `+ Add group`
|
||||
|
||||

|
||||

|
||||
|
||||
- Select the appropriate group that contains your users (like the `Development` group synchronized from Entra ID) and click `Select`
|
||||
|
||||

|
||||

|
||||
|
||||
- To continue, click `Next`. Review your configuration in the `Review + create` tab, then click `Create` to add NetBird to your Intune app catalog.
|
||||
|
||||

|
||||

|
||||
|
||||
- To verify that NetBird was added to Intune, navigate to `Apps > All Apps` to see your Windows applications:
|
||||
|
||||

|
||||

|
||||
|
||||
## Deploying NetBird as a Line-of-business (LOB) App
|
||||
|
||||
@@ -160,20 +160,20 @@ As a simpler alternative to the Win32 method described previously, you can deplo
|
||||
- Download the NetBird Windows MSI installer from the [NetBird installation documentation](https://docs.netbird.io/get-started/install/windows)
|
||||
- Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com), navigate to `Apps`, and click the `Windows` button.
|
||||
|
||||

|
||||

|
||||
|
||||
- Click the `+ Create` button to add a new Windows application
|
||||
|
||||

|
||||

|
||||
|
||||
- In the `App type` dropdown, select `Line-of-business app` and click `Select`
|
||||
|
||||

|
||||

|
||||
|
||||
- On the `Add App` screen, click `Select app package file` and browse to the location of the NetBird MSI file you downloaded earlier
|
||||
- Select the NetBird MSI installer and click `OK`
|
||||
|
||||

|
||||

|
||||
|
||||
Click `Next` to configure NetBird with the following details:
|
||||
|
||||
@@ -189,27 +189,27 @@ Click `Next` to configure NetBird with the following details:
|
||||
|
||||
You can leave the rest of the fields empty.
|
||||
|
||||

|
||||

|
||||
|
||||
When ready, click `Next` to proceed to the `Assignments` tab. Under `Required`, click `+ Add group`
|
||||
|
||||

|
||||

|
||||
|
||||
- Select the appropriate group that contains your users (like the `Development` group synchronized from Entra ID) and click `Select`
|
||||
|
||||

|
||||

|
||||
|
||||
- To continue, click `Next`. Review your configuration in the `Review + create` tab, then click `Create` to add NetBird to your Intune app catalog.
|
||||
|
||||

|
||||

|
||||
|
||||
After adding NetBird, you'll see an overview screen for the NetBird app, showing deployment status and management options.
|
||||
|
||||

|
||||

|
||||
|
||||
To verify that NetBird was added to Intune, navigate to `Home > Apps | Windows` to see all your Windows applications:
|
||||
|
||||

|
||||

|
||||
|
||||
### Deploying NetBird to Other Platforms
|
||||
|
||||
@@ -38,11 +38,11 @@ For this tutorial, we'll create a policy that allows the `Support` team to acces
|
||||
* Set the source group to `Support` and the destination group to `Servers`.
|
||||
* Configure the appropriate protocol and port settings (e.g., TCP 22 for SSH access).
|
||||
|
||||

|
||||

|
||||
|
||||
Give the policy a descriptive name (e.g., "Support team remote access") and click `Save` to create the policy.
|
||||
|
||||

|
||||

|
||||
|
||||
With this policy in place, any device assigned to the `Support` group will gain access to the `Servers` group as defined in the Access Control Policy.
|
||||
|
||||
@@ -68,7 +68,7 @@ In the `Options` tab:
|
||||
|
||||
Click `Save` to finish. If you see the message "Availability pending", click `Refresh` to update the package status.
|
||||
|
||||

|
||||

|
||||
|
||||
### Creating a Policy for NetBird
|
||||
|
||||
@@ -84,29 +84,29 @@ In the **Trigger** options, check the following boxes:
|
||||
|
||||
These trigger selections ensure NetBird is installed promptly and remains current on all managed devices. Leave the remaining options as default.
|
||||
|
||||

|
||||

|
||||
|
||||
In the `Packages` section, click `Configure` and add the corresponding NetBird package:
|
||||
|
||||

|
||||

|
||||
|
||||
Accept the default values for **Distribution Point** and **Action**
|
||||
|
||||

|
||||

|
||||
|
||||
In the `Scope` tab, specify the target computers (all computers, specific computers or groups, etc.). For simplicity in this example, use `All Computers`.
|
||||
|
||||

|
||||

|
||||
|
||||
Optionally, in the `User Interaction` tab:
|
||||
* Enter messages to display before and after the policy runs.
|
||||
* This can help inform users about the installation process.
|
||||
|
||||

|
||||

|
||||
|
||||
Click `Save` to finish.
|
||||
|
||||

|
||||

|
||||
|
||||
This configuration ensures NetBird is installed as soon as any machine enrolls, maintaining security across your device fleet.
|
||||
|
||||
@@ -133,7 +133,7 @@ After setting up NetBird deployment policy in Jamf Pro, it's crucial to verify t
|
||||
* In the device details, go to the `Management` tab and locate the `Policies` section.
|
||||
* Look for the NetBird policy in the list of applied policies.
|
||||
|
||||

|
||||

|
||||
|
||||
If you see the NetBird policy listed, that would indicate that NetBird has been successfully installed on the device.
|
||||
|
||||
@@ -28,11 +28,11 @@ For instance, let's suppose you want to create a policy that allows the `Support
|
||||
* Set the source group to `Support` and the destination group to `Servers`.
|
||||
* Choose the appropriate protocol and port settings (e.g., TCP 22).
|
||||
|
||||

|
||||

|
||||
|
||||
Give the policy a descriptive name (e.g., Support team remote access) and click `Save` to create the policy.
|
||||
|
||||

|
||||

|
||||
|
||||
Now that you've configured NetBird, let's shift the focus to Kandji MDM integration and set up the automated deployment of NetBird on support team devices.
|
||||
|
||||
@@ -40,13 +40,13 @@ Now that you've configured NetBird, let's shift the focus to Kandji MDM integrat
|
||||
|
||||
Navigate to `Library` and click `Add new`. Then, find and select `Custom Apps` and click `Add & Configure` to deploy a new [Custom App](https://www.support.kandji.io/support/solutions/articles/72000559807-deploying-custom-apps).
|
||||
|
||||

|
||||

|
||||
|
||||
Give the Custom App a descriptive name (e.g., NetBird_vX.XX_Support_Team, where X.XX is the current version of NetBird being deployed). Scroll down to **Install Details**, where you'll see different options.
|
||||
|
||||
Select `Installer Package` to install NetBird using the official macOS package. Using a package ensures you're installing the exact same version on all devices. This example uses the Apple Silicon package that you can download [here](https://pkgs.netbird.io/macos/arm64). Drag the file to the `Installer Package` field box to upload it to Kandji MDM.
|
||||
|
||||

|
||||

|
||||
|
||||
Next, click on `Add Preinstall Script` and paste the following code:
|
||||
|
||||
@@ -141,41 +141,41 @@ For instance, you can [create tags](https://www.support.kandji.io/support/soluti
|
||||
|
||||
To create a tag in Kandji MDM, go to `DEVICES`, click on the hamburger menu at the top right, and select `Manage tags`:
|
||||
|
||||

|
||||

|
||||
|
||||
A new pop-up window will appear; click `+ Add tag`, enter a name for the tag (e.g., `Support`), and click `Save`.
|
||||
|
||||

|
||||

|
||||
|
||||
Navigate to the `BLUEPRINTS` section in Kandji and click the `New Blueprint` dropdown. Select `New Assignment Map` from the options. In the new window, you'll be presented with preconfigured templates or the option to start a new Blueprint from scratch. For this custom NetBird deployment, choose to start a new Blueprint from scratch.
|
||||
|
||||

|
||||

|
||||
|
||||
Give the Blueprint a descriptive name (e.g., NetBird_Apple_Silicon) and click `Create Blueprint`. This action will open Kandji's visual Blueprint builder, where you'll configure the deployment logic for NetBird.
|
||||
|
||||
Click `Edit assignments` to start editing the Blueprint.
|
||||
|
||||

|
||||

|
||||
|
||||
You'll see a list of apps from the library on the left, including the recently created NetBird custom app. To implement the deployment logic, hover over the `+` sign and click it to add a new conditional block. This block will determine which devices receive the NetBird installation based on specific criteria.
|
||||
|
||||

|
||||

|
||||
|
||||
Next, click the pencil icon to edit the rules.
|
||||
|
||||

|
||||

|
||||
|
||||
In the **Assignment Rules** window, configure the conditions for NetBird installation. Use the `Support` tag to trigger the deployment, ensuring NetBird is installed only on devices assigned to the support team. Press `Confirm` to continue.
|
||||
|
||||

|
||||

|
||||
|
||||
Back to the visual Blueprint builder, locate the NetBird custom app and drag it into the newly created conditional block. This action associates the NetBird installation with the specified deployment criteria for the support team.
|
||||
|
||||

|
||||

|
||||
|
||||
Click `Save` to update the Blueprint with the new logic. This action also assigns the Blueprint to the NetBird custom app, finalizing the deployment pipeline configuration.
|
||||
|
||||

|
||||

|
||||
|
||||
## Testing and Verifying the Automated Provisioning Pipeline
|
||||
|
||||
@@ -183,10 +183,10 @@ Kandji checks devices every 15 minutes by default, so any device tagged with `Su
|
||||
|
||||
To verify the deployment pipeline, navigate to `DEVICES` in Kandji, select an enrolled device, and click `Edit device details` > `Edit tags`. Assign the `Support` tag to trigger the NetBird installation.
|
||||
|
||||

|
||||

|
||||
|
||||
You can also confirm the process in NetBird. Log in to a NetBird account with administrative privileges, navigate to the `Peers` section, and look for the new device.
|
||||
|
||||

|
||||

|
||||
|
||||
In this tutorial, you've learned how to integrate NetBird's VPN solution with Kandji MDM for Apple devices. By configuring NetBird Access Policies, creating Kandji MDM Blueprints, and setting up an automated deployment pipeline, you've established a robust system for managing network access across your organization.
|
||||
@@ -58,7 +58,7 @@ a domain name (eg: `example.com`) or a wildcard domain (eg: `*.example.com`) in
|
||||
put an IP address range. Then NetBird clients will start responding to and routing the given domain.
|
||||
|
||||
Please consult the
|
||||
[Debugging access to Domain Resources](/how-to/troubleshooting-client#debugging-access-to-domain-resources)
|
||||
[Debugging access to Domain Resources](/help/troubleshooting-client#debugging-access-to-domain-resources)
|
||||
documentation to troubleshoot common issues with this type of resources yourself.
|
||||
|
||||
<Note>
|
||||
@@ -86,7 +86,7 @@ On a technical level the feature works as follows:
|
||||
the result.
|
||||
4. the Local DNS Forwarder sets up routing rules for IP addresses returned from the query,
|
||||
before returning them to the Application
|
||||
- see [Trigger the Domain Resource](/how-to/troubleshooting-client#trigger-the-domain-resource)
|
||||
- see [Trigger the Domain Resource](/help/troubleshooting-client#trigger-the-domain-resource)
|
||||
to observe this behaviour "in action".
|
||||
3. the Application receives the result "as usual", except for a slight delay before all of the above takes place the
|
||||
first time a domain name is requested,
|
||||
|
||||
@@ -153,7 +153,7 @@ There is no response from the host. Now, ping the web server from your configure
|
||||
|
||||
As expected, all packets were transmitted. Now, you can securely SSH into your remote web server from your local peer, either using the NetBird-assigned domain name or IP address:
|
||||
|
||||

|
||||

|
||||
|
||||
This straightforward test confirms your successful implementation of a secure, firewall-free connection to your remote web server via NetBird, demonstrating its power in simplifying robust network security.
|
||||
|
||||
|
||||
@@ -67,7 +67,7 @@ On the machine you want to access via SSH, enable the NetBird SSH server.
|
||||
3. Click on **Allow SSH** to enable the SSH server
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/ssh/ssh-client.png" alt="netbird ssh client"
|
||||
<img src="/docs-static/img/manage/peers/ssh/ssh-client.png" alt="netbird ssh client"
|
||||
className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
@@ -121,7 +121,7 @@ Enable SSH on individual peers:
|
||||
3. Save the changes
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/ssh/ssh-dashboard.png"
|
||||
<img src="/docs-static/img/manage/peers/ssh/ssh-dashboard.png"
|
||||
alt="netbird ssh dashboard" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -22,14 +22,14 @@ The most common usage scenarios:
|
||||
|
||||
To create a service user, you'll need to log in to your organization's account at https://app.netbird.io and navigate to the "Team" -> "Service Users" section of your account.
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/service-user-overview.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/public-api/service-user-overview.png" alt="service-user-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
From there, you can create a new service user and specify a role that the user should have.
|
||||
User role allows read-only access, use the admin for write access.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/service-user-creation.png" alt="service-user-creation-popup" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/manage/public-api/service-user-creation.png" alt="service-user-creation-popup" className="imagewrapper"/>
|
||||
</p>
|
||||
‚
|
||||
<Note>
|
||||
@@ -41,20 +41,20 @@ User role allows read-only access, use the admin for write access.
|
||||
To create an access token, you'll need to log in to your account and navigate to the "Team" section and look for your user or create a [service user](#service-users) to use for your API requests.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/personal-access-token-overview.png" alt="personal-access-token-overview" width="780" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/public-api/personal-access-token-overview.png" alt="personal-access-token-overview" width="780" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
From there, you can create a new token and specify expiration for the token. You won't be able to modify your token.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/personal-access-token-creation.png" alt="personal-access-creation-popup" width="400" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/manage/public-api/personal-access-token-creation.png" alt="personal-access-creation-popup" width="400" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
After the token was generated successfully you will see a plain version of your token to copy and store in a secure place.
|
||||
Be aware that once you close the popup it is impossible to see the plain version of the token again as NetBird only stores a hashed version of the token.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/overview/personal-access-token-example.png" alt="personal-access-token-example" width="400" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/manage/public-api/personal-access-token-example.png" alt="personal-access-token-example" width="400" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
@@ -9,11 +9,11 @@ To delete your NetBird organization account, you must be a user with the [owner
|
||||
|
||||
Go to the `Settings` tab, then click on `Danger Zone`. Review the message and click on the `Delete Account` button.
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/account-settings-danger-zone.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/account-settings-danger-zone.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
To confirm, click on the `Delete` button.
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/account-settings-delete-account-confirm.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/manage/settings/account-settings-delete-account-confirm.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ After enabling, you can `Logout` and log back in to see the MFA prompt.
|
||||
- If a user is not part of the account and MFA is enabled, the first-time `Sign Up` will not require MFA. <br /> Only subsequent logins will require MFA.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/mfa/mfa-settings.png" alt="MFA Settings" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/mfa/mfa-settings.png" alt="MFA Settings" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -37,7 +37,7 @@ Click on a specific user to see their MFA status.
|
||||
- `Not enrolled` - MFA is enabled but user **has not completed** the MFA setup yet.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/mfa/mfa-not-enrolled.png" alt="MFA Status" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/mfa/mfa-not-enrolled.png" alt="MFA Status" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
## Reset MFA
|
||||
@@ -50,7 +50,7 @@ This will reset MFA for the user, and they will need to set it up again during t
|
||||
</Note>
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/mfa/mfa-reset-mfa.png" alt="MFA Reset" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/mfa/mfa-reset-mfa.png" alt="MFA Reset" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
## Get started
|
||||
@@ -13,7 +13,7 @@ It features peer-to-peer connections and encryption, access control, routing, an
|
||||
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/pricing-overview.png" alt="pricing-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/pricing-overview.png" alt="pricing-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
Details can be found on our [pricing page](https://netbird.io/pricing).
|
||||
@@ -33,7 +33,7 @@ If the next month only 70 connect, you pay for 70 users.
|
||||
Refer to our pricing calculator on the [pricing page](https://netbird.io/pricing#calculator) to estimate your monthly costs based on your expected usage.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/plans-and-billing/calculator.png" alt="pricing-calculator" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/plans-and-billing/calculator.png" alt="pricing-calculator" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
## Machine-based Usage
|
||||
@@ -61,14 +61,14 @@ automatically adjust the machine costs as detailed in the following sections.
|
||||
To start or change your current plan, navigate to `Settings` > `Plans & Billing` and choose the plan you wish to upgrade or downgrade to.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/plans-and-billing/chose-plan.png" alt="chose-plan" width="780" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/plans-and-billing/chose-plan.png" alt="chose-plan" width="780" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
**Payment Information**
|
||||
|
||||
Next, you'll be directed to enter your payment information. Available payment options currently include credit cards, Google Pay, and Link.
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/payment-information.png" alt="payment-information" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/payment-information.png" alt="payment-information" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -78,7 +78,7 @@ Next, you'll be directed to enter your payment information. Available payment op
|
||||
After successfully submitting your payment information, the updated version of your plan will be reflected in your account.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/how-to-guides/plans-and-billing/plans-billing-overview.png" alt="plans-billing-overview" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/manage/settings/plans-and-billing/plans-billing-overview.png" alt="plans-billing-overview" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -98,4 +98,4 @@ Your subscription cycle starts on the first day of your original subscription. I
|
||||
|
||||
## Deleting an Account
|
||||
|
||||
If you [delete your account](https://docs.netbird.io/how-to/delete-account), the final charge for your usage will be processed during the next daily statistics update cycle at 2 AM UTC.
|
||||
If you [delete your account](/manage/settings/delete-account), the final charge for your usage will be processed during the next daily statistics update cycle at 2 AM UTC.
|
||||
@@ -62,7 +62,7 @@ See the [Provision Users and Groups From Your Identity Provider](/manage/team/id
|
||||
## Manage user roles
|
||||
NetBird has five user roles - `Owner`, `Admin`, `Network Admin`, `Auditor` and `User`. The roles allow you to control the level of access to the management API of your account.
|
||||
|
||||
- `Owner` role - has full access to the account and can manage all aspects of the account. There can be only one account owner in NetBird. Users with the owner role can delete their organization account. See the [Delete NetBird account](/how-to/delete-account) section for more.
|
||||
- `Owner` role - has full access to the account and can manage all aspects of the account. There can be only one account owner in NetBird. Users with the owner role can delete their organization account. See the [Delete NetBird account](/manage/settings/delete-account) section for more.
|
||||
- `Admin` role - has full access to the account except that administrators can't delete or update the role of the Owner user and delete the organization account.
|
||||
- `Network Admin` role - has access to manage network configurations, including access policies, DNS settings, networks, and network routes, but they can only view user and device information and general settings.
|
||||
- `Auditor` role - can read all configurations but not modify any of them.
|
||||
|
||||
@@ -157,7 +157,7 @@ If everything works as expected, you'll see the message: "NetBird was verified s
|
||||
|
||||
On NetBird, click `Continue →`. You'll see instructions for configuring SCIM provisioning to NetBird.
|
||||
|
||||

|
||||

|
||||
|
||||
Back to Okta, click `Edit` as shown below.
|
||||
|
||||
|
||||
@@ -30,7 +30,7 @@ Create new zitadel project
|
||||
- Name: `NETBIRD`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-project.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-new-project.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
Create new zitadel application
|
||||
@@ -41,14 +41,14 @@ Create new zitadel application
|
||||
- TYPE OF APPLICATION: `User Agent`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `Continue`
|
||||
- Authentication Method: `PKCE`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-application-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-new-application-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `Continue`
|
||||
@@ -58,14 +58,14 @@ Create new zitadel application
|
||||
- Post Logout URIs: `https://<domain>/` and click `+`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-application-uri.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-new-application-uri.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Verify applications details and Click `Create` and then click `Close`
|
||||
- Under `Grant Types` select `Authorization Code`, `Device Code` and `Refresh Token` and click `save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-new-application-overview.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-new-application-overview.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Copy `Client ID` will be used later in the `setup.env`
|
||||
@@ -83,7 +83,7 @@ To configure `netbird` application token you need to:
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-token-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-token-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 3: Application Redirect Configuration
|
||||
@@ -102,7 +102,7 @@ To configure `netbird` application redirect you need to:
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-redirect-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-redirect-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 4: Create a Service User
|
||||
@@ -120,7 +120,7 @@ In this step we will create a `netbird` service user.
|
||||
- Click `Create`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-create-user.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-create-user.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
In this step we will generate `ClientSecret` for the `netbird` service user.
|
||||
@@ -129,7 +129,7 @@ In this step we will generate `ClientSecret` for the `netbird` service user.
|
||||
- Copy `ClientSecret` from the dialog will be used later to set `NETBIRD_IDP_MGMT_CLIENT_SECRET` in the `setup.env`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-service-user-secret.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-service-user-secret.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 5: Grant manage-users role to netbird service user
|
||||
@@ -143,7 +143,7 @@ In this step we will grant `Org User Manager` role to `netbird` service user.
|
||||
- Click `Add`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/zitadel-service-account-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/zitadel-service-account-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
Your authority OIDC configuration will be available under:
|
||||
@@ -205,7 +205,7 @@ to your network using the [Interactive SSO Login feature](/get-started/install#r
|
||||
over Keycloak.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-auth-grant.gif" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-auth-grant.gif" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 1: Check your Keycloak Instance
|
||||
@@ -229,7 +229,7 @@ To create a realm you need to:
|
||||
- Click `Create`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-create-realm.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-create-realm.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -246,7 +246,7 @@ In this step we will create a NetBird administrator user.
|
||||
- Click `Create`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-create-user.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-create-user.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
The user will need an initial password set to be able to log in. To do this:
|
||||
@@ -257,7 +257,7 @@ The user will need an initial password set to be able to log in. To do this:
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-set-password.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-set-password.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 4: Create a NetBird client
|
||||
@@ -274,14 +274,14 @@ In this step we will create NetBird application client and register with the Key
|
||||
- Your newly client `netbird-client` will be used later to set `NETBIRD_AUTH_CLIENT_ID` in the `setup.env`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-create-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-create-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
- Check the checkboxes as on the screenshot below and click Save
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-enable-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-enable-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 5: Adjust NetBird client access settings
|
||||
@@ -301,7 +301,7 @@ In this step we will configure NetBird application client access with the NetBir
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-access-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-access-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 6: Create a NetBird client scope
|
||||
@@ -319,7 +319,7 @@ In this step, we will create and configure the NetBird client audience for Keycl
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-create-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-create-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- While in the newly created Client Scope, switch to the `Mappers` tab
|
||||
@@ -327,7 +327,7 @@ In this step, we will create and configure the NetBird client audience for Keycl
|
||||
- Choose the `Audience` mapping
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-configure-audience-mapper.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values:
|
||||
@@ -337,7 +337,7 @@ In this step, we will create and configure the NetBird client audience for Keycl
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-configure-audience-mapper-2.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 7: Add client scope to NetBird client
|
||||
@@ -353,7 +353,7 @@ In this step, we will create and configure the NetBird client audience for Keycl
|
||||
- The value `netbird-client` will be used as audience
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloack-add-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 8: Create a NetBird-Backend client
|
||||
@@ -370,13 +370,13 @@ In this step we will create NetBird backend client and register with the Keycloa
|
||||
- Your newly client `netbird-backend` will be used later to set `NETBIRD_IDP_MGMT_CLIENT_ID` in the `setup.env`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-create-backend-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-create-backend-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Check the checkboxes as on the screenshot below and click Save
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-backend-client-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-backend-client-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
The client will need secret to authenticate. To do this:
|
||||
@@ -384,7 +384,7 @@ The client will need secret to authenticate. To do this:
|
||||
- Copy `client secret` will be used later to set `NETBIRD_IDP_MGMT_CLIENT_SECRET` in the `setup.env`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-backend-client-credentials.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-backend-client-credentials.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 9: Add view-users role to netbird-backend
|
||||
@@ -398,13 +398,13 @@ The client will need secret to authenticate. To do this:
|
||||
- Select `Filter by clients` and search for `view-users`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-service-account-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Check the role checkbox and click assign
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak-add-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
@@ -467,7 +467,7 @@ In this step, we will create OAuth2/OpenID Provider in Authentik.
|
||||
- type: `OAuth2/OpenID Provider`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-new-provider-type.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-new-provider-type.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `Finish`
|
||||
@@ -486,7 +486,7 @@ In this step, we will create OAuth2/OpenID Provider in Authentik.
|
||||
|
||||
Take note of `Client ID`, we will use it later
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-new-provider-config.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-new-provider-config.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 2: Create external applications
|
||||
@@ -501,7 +501,7 @@ In this step, we will create external applications in Authentik.
|
||||
- Provider: `Netbird`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 3: Create service account
|
||||
@@ -515,7 +515,7 @@ In this step, we will create service account.
|
||||
- Create Group: `Disable`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-new-service-account.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-new-service-account.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Take note of the NetBird service account `username`, we will need it later.
|
||||
@@ -525,7 +525,7 @@ Be sure to select the NetBird Service account object as the `User` when creating
|
||||
Take note of the app password as we will need it later.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-service-account-details.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-service-account-details.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 4: Add service account to admin group
|
||||
@@ -539,7 +539,7 @@ In this step, we will add `Netbird` service account to `authentik Admins` group.
|
||||
- Disable `Hide service-accounts` and verify if user `Netbird` is added to the group
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-add-user-group.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-add-user-group.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 5: Create a authentication flow for device token authentication
|
||||
@@ -553,7 +553,7 @@ In this step, we will add `Netbird` service account to `authentik Admins` group.
|
||||
- Authentication: `Require authentication`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-new-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-new-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Navigate to authentik admin interface
|
||||
@@ -563,7 +563,7 @@ In this step, we will add `Netbird` service account to `authentik Admins` group.
|
||||
- Click `Update`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/authentik-brand-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik-brand-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
Your authority OIDC configuration will be available under:
|
||||
@@ -632,7 +632,7 @@ Create new PocketID OIDC Client
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-oidc-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/pocketid-create-oidc-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Copy `Client ID` will be used later in the `setup.env`
|
||||
@@ -650,7 +650,7 @@ To configure the application token you need to:
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/pocketid-create-api-token.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/pocketid-create-api-token.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Copy `API Key` will be used later in the `setup.env`
|
||||
@@ -724,7 +724,7 @@ In this step, we will create and configure NetBird application in azure AD.
|
||||
- Redirect URI: select `Single-page application (SPA)` and URI as `https://<yournetbirddomain.com>/silent-auth`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 2. Platform configurations
|
||||
@@ -732,20 +732,20 @@ In this step, we will create and configure NetBird application in azure AD.
|
||||
- Under the `Single-page application` Section, add another URI `https://<yournetbirddomain.com>/auth`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-spa-uri-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-spa-uri-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Scroll down and setup other options as on the screenshot below and click Save
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-flows-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-flows-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Click `Add a Platform` and select `Mobile and desktop applications`
|
||||
- Fill in the form with the following values and click Configure
|
||||
- Custom redirect URIs: `http://localhost:53000`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-spa-uri-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-spa-uri-setup.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 3. Create a NetBird application scope
|
||||
@@ -756,7 +756,7 @@ In this step, we will create and configure NetBird application in azure AD.
|
||||
- Scope name: `api`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-add-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-add-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Under `Authorized client Applications`, click on `+ add a client application` and enter the following:
|
||||
@@ -764,7 +764,7 @@ In this step, we will create and configure NetBird application in azure AD.
|
||||
- Client ID: same as your Application ID URI minus the `api://`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-add-application-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-add-application-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -776,7 +776,7 @@ Add `Netbird` permissions
|
||||
- Click `My APIs` tab, and select `Netbird`. Next check `api` permission checkbox and click `Add permissions`.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-netbird-api-permisssions.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-netbird-api-permisssions.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
Add `Delegated permissions` to Microsoft Graph
|
||||
@@ -786,14 +786,14 @@ Add `Delegated permissions` to Microsoft Graph
|
||||
- In `Select permissions` search for `User.Read` and under the `User` section select `User.Read.All` and click `Add permissions`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-openid-permissions.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-openid-permissions.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
- Click `Grant admin consent for Default Directory` and click `Yes`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-grant-admin-conset.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 5. Update token version
|
||||
@@ -809,7 +809,7 @@ Add `Delegated permissions` to Microsoft Graph
|
||||
- Copy `Value` and save it as it can be viewed only once after creation.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/azure-client-secret.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/azure-client-secret.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Click `Overview` on left menu and take note of `Application (client) ID`, `Object ID` and `Directory (tenant) ID`
|
||||
@@ -870,7 +870,7 @@ In this step, we will create and configure Netbird single-page application in ok
|
||||
- Application type: `Single-Page Application`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-new-single-page-application.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-new-single-page-application.png" alt="high-level-dia" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `Save`
|
||||
@@ -881,7 +881,7 @@ In this step, we will create and configure Netbird single-page application in ok
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-single-page-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-single-page-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Navigate to Okta Admin Dashboard
|
||||
@@ -892,7 +892,7 @@ In this step, we will create and configure Netbird single-page application in ok
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-single-sign-on-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-single-sign-on-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 2. Create and configure Okta native application
|
||||
@@ -905,7 +905,7 @@ In this step, we will create and configure Netbird native application in okta.
|
||||
- Application type: `Native Application`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-new-native-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-new-native-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `Save`
|
||||
@@ -914,7 +914,7 @@ In this step, we will create and configure Netbird native application in okta.
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-native-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-native-application.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Navigate to Okta Admin Dashboard
|
||||
@@ -925,7 +925,7 @@ In this step, we will create and configure Netbird native application in okta.
|
||||
- Click `Save`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-native-sign-on-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-native-sign-on-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -941,7 +941,7 @@ In this step, we will generate netbird api token in okta for authorizing calls t
|
||||
- Take note of token value and click `OK, got it`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/okta-generate-token.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/okta-generate-token.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
|
||||
@@ -998,7 +998,7 @@ Before you start creating and configuring an Google Workspace application, ensur
|
||||
- Navigate to [OAuth consent](https://console.cloud.google.com/apis/credentials/consent) page
|
||||
- Select `Internal` User Type and click create
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-consent-screen-type.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-consent-screen-type.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill in the form with the following values and click `SAVE AND CONTINUE`
|
||||
@@ -1009,12 +1009,12 @@ Before you start creating and configuring an Google Workspace application, ensur
|
||||
- Click `ADD OR REMOVE SCOPES`
|
||||
- Select `/auth/userinfo.email`, `/auth/userinfo.profile` and `openid` scopes and then click `UPDATE`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-consent-screen-scopes.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-consent-screen-scopes.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Click `SAVE AND CONTINUE`
|
||||
- Verify the summary of the OAuth consent screen to ensure that everything is properly configured, and then click `BACK TO DASHBOARD`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-consent-screen-summary.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-consent-screen-summary.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 2: Create OAuth 2.0 credentials
|
||||
@@ -1026,11 +1026,11 @@ Before you start creating and configuring an Google Workspace application, ensur
|
||||
- Authorized JavaScript origins: `https://<your netbird domain>` and `http://localhost`
|
||||
- Authorized redirect URIs: `https://<your netbird domain>/auth`, `https://<your netbird domain>/silent-auth` and `http://localhost:53000`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-oauth-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-oauth-client.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Take note of `Client ID` and `Client Secret` and click `OK`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-oauth-client-created.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-oauth-client-created.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 3: Create service account
|
||||
@@ -1042,14 +1042,14 @@ Before you start creating and configuring an Google Workspace application, ensur
|
||||
- Take note of service account email address, we will use it later
|
||||
- Click `DONE`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-create.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-service-account-create.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 4: Create service account keys
|
||||
- Navigate to [API Credentials](https://console.cloud.google.com/apis/credentials) page
|
||||
- Under `Service Accounts` click the `netbird` to edit the service account
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-edit-service-account.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-edit-service-account.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Click the `Keys` tab
|
||||
- Click the `Add key` drop-down menu, then select `Create new key`
|
||||
@@ -1071,23 +1071,23 @@ Read how to manage and secure your service keys [here](https://cloud.google.com/
|
||||
- description: `User Management ReadOnly`
|
||||
- Click `CONTINUE`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-new-role-info.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Scroll down to `Admin API privileges` and add the following privileges
|
||||
- Users: `Read`
|
||||
- Click `CONTINUE`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-privileges-review.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click `CREATE ROLE`
|
||||
- Click `Assign service accounts`, add service account email address and then click `ADD`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-assign-role.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Click `ASSIGN ROLE` to assign service account to `User Management ReadOnly` role
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/google-service-account-privileges.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Navigate to [Account Settings](https://admin.google.com/ac/accountsettings/profile?hl=en_US) page and take note of `Customer ID`
|
||||
@@ -1194,14 +1194,14 @@ You can enable it by following these steps:
|
||||
- Click `Create`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-create-interactive-login-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-create-interactive-login-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Click `Settings` tab
|
||||
- Copy **`Client ID`** to `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID` in the `setup.env` file
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-interactive-login-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-interactive-login-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Scroll down to the `Advanced Settings` section
|
||||
@@ -1209,7 +1209,7 @@ You can enable it by following these steps:
|
||||
- Click `Save Changes`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-grant-types.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-grant-types.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
#### Step 5: Create and configuire Machine to Machine application.
|
||||
@@ -1224,7 +1224,7 @@ This application will be used to authorize access to Auth0 Management API.
|
||||
- Click `Create`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-create-machine-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-create-machine-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Fill the form with the following values:
|
||||
@@ -1233,7 +1233,7 @@ This application will be used to authorize access to Auth0 Management API.
|
||||
- Click `Authorize`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-machine-authorization.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-machine-authorization.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
@@ -1249,7 +1249,7 @@ To enable this functionality, include the `--user-delete-from-idp` flag in the m
|
||||
- Copy **`DOMAIN`** to `NETBIRD_IDP_MGMT_EXTRA_AUDIENCE` in the `setup.env` file
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/auth0-machine-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/auth0-machine-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Set properties in the `setup.env` file:
|
||||
@@ -1287,23 +1287,23 @@ Before you start creating and configuring an JumpCloud application, ensure that
|
||||
- Click `SSO Applications` on the left menu under `USER AUTHENTICATION` section
|
||||
- Click `Add New Application` and select `Custom Application`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-new-sso-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-new-sso-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- On the `Which application would you like to integrate` screen, confirm that you've selected `Custom application` and click `Next`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-new-sso-app-confirm-selection.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-new-sso-app-confirm-selection.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- On the `Select the features you would like to enable` screen, select `Manage Single Sign-On (SSO)` and check `Configure SSO with OIDC` and click `Next`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-new-sso-app-features.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-new-sso-app-features.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- On the `Enter General info` screen, add `NetBird` as `Display Label` and click `Next`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-new-sso-app-general-info.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-new-sso-app-general-info.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- On the confirmation screen, review the information and click on `Configure Application` to proceed
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-new-sso-app-confirmation.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-new-sso-app-confirmation.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- On the `New Application` screen, click on the SSO tab and enter the following values:
|
||||
- Under `Endpoint Configuration` section:
|
||||
@@ -1312,20 +1312,20 @@ Before you start creating and configuring an JumpCloud application, ensure that
|
||||
- Login URL: `https://<domain>`
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-sso-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-sso-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Under `Attribute Mapping (optional)` section:
|
||||
- Standard Scopes: `Email`, `Profile`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-sso-atributes-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-sso-atributes-configuration.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Click on the `User Groups` tab and select the user groups that can access this application
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-user-groups.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-user-groups.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Click `Activate`
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-oidc-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-oidc-app.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- Take note of `Client ID`, will be used later
|
||||
|
||||
@@ -1349,7 +1349,7 @@ The following steps will assume that you are creating a new account. If you alre
|
||||
please ensure that you assign the `Help Desk` role to the `NetBird Integration` user following the steps outlined above.
|
||||
</Note>
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-add-admin-user.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-add-admin-user.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
After following the steps above, you will receive the login instructions for the newly created user in the email configured. Please follow the instructions to set a password for the user.
|
||||
@@ -1361,12 +1361,12 @@ In this step, we will generate netbird api token in jumpcloud for authorizing ca
|
||||
- Login with the user created in the previous step or with an existing user
|
||||
- Click on the account initials displayed at the top-right and select `My API Key` from the drop-down
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-profile.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-profile.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
- If there is no API key generated, click on `Generate New API Key` button
|
||||
- Take note of your api token displayed
|
||||
<p>
|
||||
<img src="/docs-static/img/integrations/identity-providers/self-hosted/jumpcloud-api-key-generation.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
<img src="/docs-static/img/selfhosted/identity-providers/self-hosted/jumpcloud-api-key-generation.png" alt="high-level-dia" className="imagewrapper-big"/>
|
||||
</p>
|
||||
|
||||
- Set properties in the `setup.env` file:
|
||||
|
||||
@@ -40,7 +40,7 @@ some additional features that are targeted at business customers and help with n
|
||||
- **[Integrations with EDR](/manage/access-control/endpoint-detection-and-response)** like CrowdStrike and others.
|
||||
- **[Peer approval](/manage/peers/approve-peers)** to join the network.
|
||||
- **[User invites](/manage/team/add-users-to-your-network#direct-user-invites)**.
|
||||
- **[MSP functionality](/how-to/msp-portal)** for managing multiple tenant networks from a single account.
|
||||
- **[MSP functionality](/manage/for-partners/msp-portal)** for managing multiple tenant networks from a single account.
|
||||
|
||||
## Geo Distributed Relay Servers
|
||||
|
||||
|
||||
@@ -12,12 +12,12 @@ configuration as follows:
|
||||
Please replace <b>netbird.DOMAIN.com</b> and <b>PASSWORD</b> with the information from the <b>management.json</b> TURNConfig, then click on <b>Add server</b>.
|
||||
|
||||
<p>
|
||||
<img src="/docs-static/img/troubleshooting/turn.png" alt="turn" width="700" className="imagewrapper"/>
|
||||
<img src="/docs-static/img/selfhosted/troubleshooting/turn.png" alt="turn" width="700" className="imagewrapper"/>
|
||||
</p>
|
||||
|
||||
You should see an output similar to the following:
|
||||
<p>
|
||||
<img src="/docs-static/img/troubleshooting/turn-test-out.png" alt="turn" width="700" className="imagewrapper-nig"/>
|
||||
<img src="/docs-static/img/selfhosted/troubleshooting/turn-test-out.png" alt="turn" width="700" className="imagewrapper-nig"/>
|
||||
</p>
|
||||
Where you have the following types: `host` (local address), `srflx` (STUN reflexive address), `relay`
|
||||
(TURN relay address). If `srflx` and `relay` are not present then the TURN server is not working or not accessible and you should review the required ports in the [requirements section](/selfhosted/selfhosted-guide#requirements).
|
||||
|
||||
@@ -69,7 +69,7 @@ Install [**cert-manager**](https://cert-manager.io/docs/installation/#default-s
|
||||
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
|
||||
```
|
||||
|
||||
Add NetBird API token. You can create a PAT by following the steps [**here**](https://docs.netbird.io/how-to/access-netbird-public-api#creating-a-service-user)
|
||||
Add NetBird API token. You can create a PAT by following the steps [**here**](/manage/public-api#creating-a-service-user)
|
||||
|
||||
```jsx
|
||||
kubectl create namespace netbirdkubectl -n netbird create secret generic netbird-mgmt-api-key --from-literal=NB_API_KEY=$(cat ~/nb-pat.secret)
|
||||
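Review bot: The secret-creation command in this hunk (`kubectl create namespace netbirdkubectl -n netbird create secret generic ...`) appears to be two commands collapsed onto one line, so copied as-is it would create a namespace named `netbirdkubectl` and fail on the rest; it should read `kubectl create namespace netbird` followed by `kubectl -n netbird create secret generic netbird-mgmt-api-key --from-literal=NB_API_KEY=$(cat ~/nb-pat.secret)`. The commit only updates the PAT link above it and leaves the command untouched. Since this is a long-lived API token, consider also `--from-file=NB_API_KEY=~/nb-pat.secret` instead of `$(cat ...)`, which keeps the token out of the shell's process arguments and history (strip any trailing newline from the file first). The fence is tagged `jsx` although the content is a shell command; `bash` would be the accurate tag.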
@@ -107,7 +107,7 @@ ingres:
|
||||
enabled: true
|
||||
```
|
||||
|
||||
To learn more please checkout the official docs on our [K8s Operator](https://docs.netbird.io/how-to/kubernetes-operator#using-helm).
|
||||
To learn more please checkout the official docs on our [K8s Operator](/manage/integrations/kubernetes#using-helm).
|
||||
|
||||
### Install ArgoCD
|
||||
|
||||
@@ -143,7 +143,7 @@ Next we will enable sidecars. **Why Sidecars?** The application controller need
|
||||
|
||||
To enable sidecar functionality in your deployments, you first need to generate a setup key, either via the UI (enable the **Ephemeral Peers** options) or by following [**this guide**](https://docs.netbird.io/manage/peers/register-machines-using-setup-keys) for more details on setup keys. We will inject side-cars to ArgoCD application controller so it can communicate with remote MicroK8s clusters.
|
||||
|
||||
Note: We recommend checking out the section of our [Kubernetes Operator docs on using sidecars](https://docs.netbird.io/how-to/kubernetes-operator#accessing-remote-services-using-sidecars) for more context and detail.
|
||||
Note: We recommend checking out the section of our [Kubernetes Operator docs on using sidecars](/manage/integrations/kubernetes#accessing-remote-services-using-sidecars) for more context and detail.
|
||||
|
||||
Next, you'll create a secret in Kubernetes and add a new resource called `NBSetupKey`. The `NBSetupKey` name can then be referenced in your deployments or daemon sets to specify which setup key should be used when injecting a sidecar into your application pods. Below is an example of a secret and an `NBSetupKey` resource:
|
||||
|
||||
@@ -689,8 +689,8 @@ curl https://mega-mesh.net/v1/completions \
|
||||
|
||||
### NetBird Resources
|
||||
|
||||
- **Kubernetes Operator Deployment**: [https://docs.netbird.io/how-to/kubernetes-operator#deployment](https://docs.netbird.io/how-to/kubernetes-operator#deployment)
|
||||
- **Service Mesh Sidecars**: [https://docs.netbird.io/how-to/kubernetes-operator#accessing-remote-services-using-sidecars](https://docs.netbird.io/how-to/kubernetes-operator#accessing-remote-services-using-sidecars)
|
||||
- **Kubernetes Operator Deployment**: [/manage/integrations/kubernetes#deployment](/manage/integrations/kubernetes#deployment)
|
||||
- **Service Mesh Sidecars**: [/manage/integrations/kubernetes#accessing-remote-services-using-sidecars](/manage/integrations/kubernetes#accessing-remote-services-using-sidecars)
|
||||
|
||||
### ArgoCD Resources
|
||||
|
||||
|
||||
@@ -178,7 +178,7 @@ and an **Access Control Policy** that establishes connectivity between the (futu
|
||||
</p>
|
||||
|
||||
<Note>
|
||||
It doesn't matter that this is a unidirectional ICMP rule in the wrong direction - **Network Routes** are activated as soon as any **Access Control Policy** establishes connectivity to the **Routing Peer**, as explained in [Network Routes caveats](/how-to/routing-traffic-to-private-networks#network-routes-caveats).
|
||||
It doesn't matter that this is a unidirectional ICMP rule in the wrong direction - **Network Routes** are activated as soon as any **Access Control Policy** establishes connectivity to the **Routing Peer**, as explained in [Network Routes caveats](/manage/network-routes/routing-traffic-to-private-networks#network-routes-caveats).
|
||||
</Note>
|
||||
|
||||
We can verify that the local **Peer** can reach the `remote-site` using both `ping` and `curl`:
|
||||
|
||||