Admin Guide
For administrators of Knocknoc. Please start with the introduction
Introduction
Welcome to the Knocknoc Admin Guide. Knocknoc is a component in reducing your attack surface, it...
Getting Started
Licensing Knocknoc licensing is based on the number of users. You will need to have a license to...
Understanding Access Control
Backends A backend is a Knocknoc-supported technology that can connect to and update ACLs. Using...
Use Cases
Consider Your Use Case
Knocknoc Knocknoc can ultimately act as an authentication portal for many use cases. To simplify...
Remote Desktop
Using the HAProxy backend or the script backend are both viable approaches. Given the excellent ...
SSH
SSH can be protected by Knocknoc in a number of ways: Local Linux firewall orchestration on th...
Web application
There are various options for protecting your web application using Knocknoc Local Linux firew...
Video
Streaming low-latency video is a challenge for firewalls and VPNs, and Knocknoc is an excellent s...
VOIP
Having roaming users be able to use a handset from home, and protect your PABX from brute force a...
AWS Infrastructure
Knocknoc ships with a script for updating security groups in AWS. Check out the backend documentat...
Azure Portal
Azure Portal or specific Azure services can be further protected through the use of the Knocknoc ...
Ivanti Connect Secure
Ivanti Connect Secure devices that have an outer firewall or control layer can be protected from ...
FortiOS, FortiProxy or SSL VPN
Protect your existing Fortigate investments from direct internet exposure by introducing Knocknoc...
Authentication
A guide on configuring the various authentication methods for Knocknoc
SAML
SAML is an in-depth topic, however it represents the best option for securing users, and providin...
SAML Principles and Terms
An overview of SAML principles and key terms to help you effectively configure and manage SAML wi...
SAML with EntraID (Azure AD)
The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...
Knocknoc with ADFS
The following example assumes your Knocknoc instance is located at https://your-knocknoc.cloud/. ...
SAML with Gsuite as IDP
Gsuite can be set up as an Identity Provider if you have a Gsuite Business Starter or above plan. ...
SAML with OKTA
The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...
SAML with Jumpcloud
The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...
LDAP
Knocknoc can authenticate users to an LDAP server like Active Directory, by attempting to bind as...
Local Authentication
Knocknoc supports local users, and many will find that the fastest way to evaluate if Knocknoc is...
SAML for the Admin Interface
SAML for the admin interface is the same as SAML for the user base with a few very small alterati...
Backends
Backends are software interfaces that the Knocknoc Agent can connect and interact with. Select a ...
HAProxy
HAProxy is a fantastic reverse proxy with a massive amount of features. Knocknoc has supported HA...
IPset
IPsets are a powerful way of making a dynamic firewall on a normal Linux machine. A feature of th...
AWS (EC2) Security Groups
Knocknoc can easily connect to AWS using common utilities and IAM credentials, and update the all...
Script Any Arbitrary Backend
The "script" backend type is simply a script the agent can execute that takes a fixed set of argu...
IPsets with UFW
This is an example that lets you use UFW (https://wiki.ubuntu.com/UncomplicatedFirewall) and IPse...
IPsets with Shorewall
This is an example that lets you use Shorewall https://shorewall.org/index.html and IPsets to dyn...
Mikrotik RouterOS
The scripting backend can be used for MikroTik RouterOS config updates as well. Here is a sample ...
Nginx
Nginx support via script was added in knocknoc-agent version 1.0.30. This allows for flexible ACL...
Apache Webserver
Apache 2.4 and above have slightly different ACL syntax, so this page covers how you can use Knoc...
Fortigate Address Groups
Released for wider testing in version 1.0.34 of knocknoc agent, the FortiOS integration allows Kn...
Microsoft Entra
Overview This integration is designed to manage named locations in Microsoft Azure Conditional A...
Allowlist
The Allowlist backend makes a list of active IP address grants available via the Knocknoc server ...
ACLs
ACLs allow you to assign a name to an argument for a backend, which is then assigned to a Group
Setup Guides
All the guides to configure and Install Knocknoc server for first use.
Licensing Knocknoc
Knocknoc licensing and pricing can be found on the Knocknoc website. Once you have obtained your...
Server Installation
For the admin who knows what they need and needs a fast way to get it, you can use this command t...
Agent Installation
For the admin who knows what they need and needs a fast way to get it, you can use this command t...
Create Users
User creation varies depending on the authentication source in use. Local users will need to be c...
Create Groups
Groups in Knocknoc map users to ACLs and a user can be assigned to multiple groups, to create a g...
Admins
Admins in Knocknoc can log in to /admin on their Knocknoc server, however they can't be granted AC...
Settings
The Settings in Knocknoc allows you to configure some of the basic setup like authentication sour...
Troubleshooting
What can go wrong, will.
Time for NTP
NTP It's important that ALL the servers within the Knocknoc cluster and agents are synchronised ...
LDAP Troubleshooting tips
The Knocknoc server will need to be able to contact your LDAP server on port 389 or 636. This is ...
Knocknoc server behind HAProxy
Running Knocknoc behind HAProxy could be a great option for people with existing HAProxy deployme...
HAProxy tips and tricks
Checking to see if an ACL is present in HAProxy For when you aren't sure if the whole process is...