Cloudflare Zero Trust Setup
Last updated
Copyright © Good Heart Technology
Cloudflare Zero Trust is an access model in which every request is authenticated and authorized against identity and device checks, wherever the user is, instead of being trusted because it comes from the corporate network. That makes it a good fit for remote work. It is also cost-effective: the Free plan covers up to 50 users and integrates with identity providers such as Microsoft (Azure AD, now Entra ID) or Google.
Log in with your Cloudflare account.
Ensure you have a credit card on file. You cannot proceed without one, even though Zero Trust is free for up to 50 users. To add a card, navigate to Billing > Payment Info.
Navigate back to the main dashboard.
Click on Zero Trust on the left sidebar.
A wizard will launch for you to set up a Cloudflare Team name. Use the name of your organization without spaces. For example, Good Heart Tech could be goodhearttech. The Team name becomes your team domain (goodhearttech.cloudflareaccess.com in that example), which is what users see when they log in, so pick something they will recognize.
Select the FREE Plan.
Once in the Zero Trust portal, finish setting up the team and portal with the following settings:
Settings > Custom Pages: make a note of the Team domain (for example goodhearttech.cloudflareaccess.com). This is what users will use to log in to Cloudflare Zero Trust through the WARP client or a browser URL.
Settings > Custom Pages > Login Page > Customize.
Set the message to: If you are not authorized, close this page immediately.
(Optional branding) Update the background color and logo URL.
Settings > Authentication: configure Azure AD (now Microsoft Entra ID) SSO according to the Cloudflare documentation: https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/azuread/
Access groups let you define reusable sets of users by criteria such as email domain, identity-provider group, country, or IP range. Access policies then reference the group, so only people matching it can reach the applications and networks the policy is attached to.
In the Zero Trust portal, navigate to Access > Access Groups and create an Access group for each group needed, usually just one. Add the company email domains as the Include rule (Emails ending in your domain). Note that an email-domain rule matches anyone who can authenticate to an enabled identity provider with such an address; the identity providers you enable on each application are what enforce the actual login.
Cloudflare Tunnel (the cloudflared connector) makes an outbound-only connection from your server to Cloudflare's network, so you can publish internal web applications and route private networks through Cloudflare without opening inbound firewall ports or exposing the server's public IP. Traffic to the published resources is authenticated and filtered at Cloudflare's edge before it reaches the tunnel.
In the Zero Trust portal, navigate to Network > Tunnels > + Create a Tunnel. Name the tunnel (for example after the server it will run on).
Use the command displayed on the screen to install the connector (cloudflared) on the server hosting the services. The command embeds the tunnel token, which is all that is needed to attach a connector to this tunnel, so treat it as a secret and do not paste it into tickets or chat.
If configuring APPLICATION access (a specific port on a server), do the following:
On the first screen, select self-hosted.
In the Public hostname tab of the Tunnel, create an entry for each web-based resource you want to publish to the Zero Trust portal. Add a public hostname using a subdomain of a domain in this Cloudflare account, and point the application to the correct local host and port (for example http://localhost:8080). Creating a public hostname entry creates a public DNS CNAME record, so the hostname is reachable from the internet as soon as you save it; it is only protected once an Access application exists for that hostname (see below), so create the application before sharing the URL.
For services running without valid SSL certs, check the Do Not Verify TLS option. This makes cloudflared skip certificate verification only on the hop from the connector to the origin; users still get a valid Cloudflare certificate. Use it only for origins on the same host or a trusted LAN segment, since it removes any protection against a spoofed origin on that hop.
If configuring NETWORK access, do the following:
In the Private Network tab of the Tunnel, specify the IP ranges that Zero Trust will route through the tunnel, in CIDR notation, typically the whole site network. Example: 192.168.1.0/24. Every enrolled WARP device can reach these ranges unless you add Gateway network policies, so prefer the narrowest range that covers the servers users actually need.
Go to Settings > WARP Client > Default profile > Split Tunnels > Manage and delete the entry that covers the corporate network and tunneled resources (in the default Exclude mode, 192.168.0.0/16 covers the 192.168.1.0/24 example). Traffic to that range then goes through WARP instead of the local interface. Be aware that users on home networks in the same range will also have that traffic routed through the tunnel, so either use a corporate range that does not overlap common home subnets or re-add narrower excludes.
If you have a local Active Directory domain, add the domain to the Local Domain Fallback setting under Settings > WARP Client > Default profile, together with the IP addresses of the on-premise DNS servers (they must sit in a range routed through the tunnel). Connected agents then resolve names in that domain through Active Directory DNS rather than Cloudflare Gateway, which keeps domain logons and internal hostnames working but means those queries do not appear in Gateway DNS logs.
We'll create an Access application for every application required on the portal (typically all web-based applications). Each application must correspond to an existing DNS entry or tunnel public hostname; without an application, the hostname is published but not protected by a login.
Go to Access > Applications > Add an application.
Select Self-Hosted
Enter the application name, subdomain, domain, and path if applicable.
Enable App in App Launcher
By default, enable all configured identity providers unless the client has other requirements. Note that One-time PIN (a code emailed to the user) bypasses the identity provider's MFA and conditional-access policies, so leave it off when all users have Azure AD accounts. Click Next.
For the Policy, give it a name, leave the action as Allow, and select the Access Group you made previously as the Include rule. Click Next.
The last tab, Setup, can be left as-is.
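Before announcing a published hostname, it is worth confirming that Cloudflare Access actually fronts it. The PowerShell script below is an added example, not part of the original page or of Cloudflare's tooling: it sends an unauthenticated request to each hostname without following redirects and checks that the first answer is a redirect to the Access login endpoint (the team domain, or a /cdn-cgi/access/ path). Any other answer means the CNAME is live but the origin is reachable without a login. The team domain and hostnames are assumed placeholders; replace them with yours.

```powershell
# Added example (not from the original page or Cloudflare): check that every published
# hostname redirects unauthenticated visitors to Cloudflare Access before it is shared.
# The team domain and hostnames below are assumed placeholders.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$TeamDomain = 'goodhearttech.cloudflareaccess.com'               # Settings > Custom Pages
$Hostnames  = @('intranet.example.com', 'helpdesk.example.com')  # assumed public hostnames

function Get-UnauthenticatedResponse {
    param([Parameter(Mandatory)][string]$Hostname)
    # HttpWebRequest is used directly so the redirect is NOT followed and the
    # Location header of the very first response can be inspected.
    $request = [System.Net.HttpWebRequest]::Create("https://$Hostname/")
    $request.Method            = 'GET'
    $request.AllowAutoRedirect = $false
    $request.Timeout           = 10000
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as exceptions but still carry the response object.
        if (-not $_.Exception.Response) { throw }
        $response = $_.Exception.Response
    }
    try {
        [pscustomobject]@{
            Hostname = $Hostname
            Status   = [int]$response.StatusCode
            Location = $response.Headers['Location']
        }
    } finally {
        $response.Close()
    }
}

function Test-AccessProtected {
    param([Parameter(Mandatory)][string]$Hostname,
          [Parameter(Mandatory)][string]$TeamDomain)
    $r = Get-UnauthenticatedResponse -Hostname $Hostname
    $protected = $false
    if ($r.Status -ge 300 -and $r.Status -lt 400 -and $r.Location) {
        # Resolve relative Locations against the request URL; absolute ones pass through.
        $target    = [uri]::new([uri]"https://$Hostname/", $r.Location)
        # Access sends visitors either to the login page on the team domain or to the
        # Access login path; a redirect anywhere else is not proof of protection.
        $protected = ($target.Host -eq $TeamDomain) -or
                     $target.AbsolutePath.StartsWith('/cdn-cgi/access/')
    }
    [pscustomobject]@{
        Hostname  = $Hostname
        Status    = $r.Status
        Protected = $protected
        Location  = $r.Location
    }
}

$results = $Hostnames | ForEach-Object { Test-AccessProtected -Hostname $_ -TeamDomain $TeamDomain }
$results | Format-Table -AutoSize

# Fail loudly so the script can sit in a post-change checklist or scheduled task.
if ($results | Where-Object { -not $_.Protected }) {
    Write-Error 'One or more hostnames answer without redirecting to Cloudflare Access.'
}
```

Run it from a machine that is not logged in to the team (or from a browser profile with no Access cookie); a device already holding a valid Access session would be let through and give a false negative. A 200 with your application's own login page is the classic sign that the public hostname was created but the Access application was not.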
The Cloudflare WARP client should be deployed to all PCs that need to connect to the Cloudflare network, reach tunneled private resources, and browse the internet through Gateway.
Deploy Cloudflare WARP using your preferred method for software deployment (we like Chocolatey). Pre-configuring the team name at install time (the MSI's ORGANIZATION parameter or an mdm.xml file) saves users from having to type it.
Have users follow these steps to enroll the endpoint in Zero Trust:
In the WARP client, right-click the tray icon and go to Preferences. Then go to Account > Login with Cloudflare Zero Trust.
Instruct users to enter the Team name chosen during setup (for example goodhearttech, the first part of the team domain). The client then opens a browser window for the Azure AD login; once it completes, the client shows as connected to the team.
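A scripted rollout avoids the team-name step entirely. The PowerShell below is an added example, not part of the original page or of Cloudflare's tooling: it writes Cloudflare's documented mdm.xml deployment file so the client is pinned to the team, skips onboarding and cannot be switched off by the user, then installs the client with Chocolatey and reads back its status. It assumes an elevated session, that Chocolatey is already present, that the community package is named warp (confirm against your own feed), and that the team name and support URL are placeholders to replace.

```powershell
# Added example (not from the original page or Cloudflare): unattended WARP rollout on
# Windows. Write the MDM file first so the service reads it on its very first start.
# Assumptions: elevated session, Chocolatey installed, package name "warp",
# placeholder team name and support URL.

$TeamName   = 'goodhearttech'                 # Team name chosen in the Zero Trust wizard
$SupportUrl = 'https://helpdesk.example.com'  # assumed; shown in the client's feedback link
$MdmPath    = 'C:\ProgramData\Cloudflare\mdm.xml'
$WarpCli    = 'C:\Program Files\Cloudflare\Cloudflare WARP\warp-cli.exe'

function New-WarpMdmConfig {
    param([Parameter(Mandatory)][string]$TeamName,
          [Parameter(Mandatory)][string]$SupportUrl,
          [Parameter(Mandatory)][string]$Path)
    # organization  : pins the team, so users are never asked for it and cannot enroll
    #                 into a different team by mistake or on purpose.
    # onboarding    : false skips the first-run screens.
    # auto_connect  : minutes after which the client reconnects if a user disconnects.
    # switch_locked : removes the user's ability to turn WARP off at all.
    $xml = @"
<dict>
  <key>organization</key>
  <string>$TeamName</string>
  <key>onboarding</key>
  <false/>
  <key>auto_connect</key>
  <integer>1</integer>
  <key>switch_locked</key>
  <true/>
  <key>support_url</key>
  <string>$SupportUrl</string>
</dict>
"@
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Set-Content -Path $Path -Value $xml -Encoding UTF8

    # Restrict edits to SYSTEM and Administrators; a writable mdm.xml would let a local
    # user re-point the client at another team. (Constructed ACL step, adapt to policy.)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited rules
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'Read', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

function Install-WarpClient {
    if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
        throw 'Chocolatey is not installed on this endpoint.'
    }
    & choco install warp -y --no-progress
    # 3010 is Chocolatey's "success, reboot required" code.
    if ($LASTEXITCODE -notin 0, 3010) {
        throw "choco install warp failed (exit code $LASTEXITCODE)"
    }
}

function Get-WarpStatus {
    param([Parameter(Mandatory)][string]$CliPath)
    if (-not (Test-Path $CliPath)) { return 'warp-cli not found; the install did not complete' }
    # --accept-tos stops the CLI from blocking on the terms prompt in unattended runs.
    & $CliPath --accept-tos status 2>&1 | Out-String
}

New-WarpMdmConfig -TeamName $TeamName -SupportUrl $SupportUrl -Path $MdmPath
Install-WarpClient
Start-Sleep -Seconds 10   # let the service start and read mdm.xml
Get-WarpStatus -CliPath $WarpCli
```

The user still has to complete the Azure AD login once: with organization pre-set, the client prompts them to log in (or opens the browser directly) instead of asking which team to join, which is the step most likely to generate help-desk tickets. Leave switch_locked out if your support staff need users to be able to disconnect for troubleshooting.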