JIRA access for remote workers

We have a JIRA instance hosted on our own server which is accessible through our VPN. The server itself has a public IP but the firewall prohibits public access to port 80/443 from the Internet for security purposes.

We would really like to be able to give remote workers/freelancers access to JIRA but without having to set them up with a VPN connection (either because they are non-technical users or because the added hassle would cause them to use the system less). Secondly, I don't want to expose our JIRA interface directly to the public Internet to prevent unauthorized access.

Does anyone have any suggestions for how we could securely provide access to our instance for specific users?

I'm thinking along the lines of a system where they authenticate with a password at a special URL (or similar) which could then grant them access via a reverse proxy. In other words, some third-party login interface where they must authenticate before being able to access JIRA - anything to prevent the JIRA login from being exposed to everyone.

Thanks in advance.

Chris

1 answer

1 accepted

As consultants working for clients, we encounter this situation occasionally. A client needs to give us access, but doesn't want to give us access to anything else on the network. Many will add point-to-point firewall rules to allow my IP address to access the application. It's a bit of a management headache, but effective. Obviously, you should use SSL if you plan to expose your tools over the internet.

If you manage your own DNS and have split horizons (can advertise one IP internally and another IP externally for the same A record), you could set up an SSL proxy and enable basic auth on it for the internet-facing access. This would prompt users to enter a password that is managed within the proxy server before the application UI will pop up. You could get even more tricky and use client certificates on the proxy in place of basic auth (2-factor auth, essentially). That would allow you to create a certificate for each external user, have them import the cert into their browser and use the cert to validate their access to the application UI. You can set an expiration date on the cert so that the user will automatically lose access after the date has passed and you can revoke the cert if the person should lose access sooner.

Thanks for your answer based on your experience - really appreciated. This is most insightful and gives us a good nudge in the right direction. We will work on implementing what you suggested. Thanks again!
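The client-certificate proxy described in the accepted answer, written out as an nginx configuration. This is an added example, not part of the original thread; the choice of nginx, the hostname `jira.example.com`, the backend address `10.0.0.10:8080` and all file paths are assumptions.

```nginx
# Internet-facing TLS proxy in front of an internal JIRA (added example).
# Hostname, backend address and file paths below are assumed values.
server {
    listen 443 ssl;
    server_name jira.example.com;   # external side of the split-horizon A record

    # Server certificate presented to remote users.
    ssl_certificate     /etc/nginx/tls/jira.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/jira.example.com.key;

    # Per-user client certificates, issued by a private CA used only for
    # remote JIRA access. Expired certificates fail verification, and
    # revoked ones are rejected through the CRL.
    ssl_client_certificate /etc/nginx/tls/remote-users-ca.crt;
    ssl_crl                /etc/nginx/tls/remote-users-ca.crl;
    ssl_verify_client      on;      # no valid cert, no JIRA login page
    ssl_verify_depth       1;       # user certs are signed directly by the CA

    # Basic-auth variant from the answer: drop the four ssl_client/ssl_crl/
    # ssl_verify lines above and use these two directives instead.
    #   auth_basic           "JIRA remote access";
    #   auth_basic_user_file /etc/nginx/jira.htpasswd;

    location / {
        proxy_pass http://10.0.0.10:8080;     # internal JIRA, not reachable directly
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the certificate subject so access can be traced to a user.
        proxy_set_header X-SSL-Client-DN   $ssl_client_s_dn;
    }
}
```

nginx reads the CRL file when the configuration is loaded, so a revocation takes effect only after the CRL is regenerated and nginx is reloaded. The firewall then needs to allow port 443 only to this proxy, with the JIRA host itself still closed to the Internet.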
