Admin Guide

For administrators of Knocknoc. Please start with the introduction.

Introduction

Welcome to the Knocknoc Admin Guide. Knocknoc is a component in reducing your attack surface, it...

How Knocknoc removes attack surface

Knocknoc enables you to remove the attack surface of systems, by enacting just-in-time network/ap...

Getting Started

Licensing: Knocknoc licensing is based on the number of users. You will need to have a license to...

Understanding Access Control

Backends: A backend is a Knocknoc-supported technology that can connect to and update ACLs. Using...

Use Cases

Setup Guides

All the guides to configure and install the Knocknoc server for first use.

Authentication

A guide on configuring the various authentication methods for Knocknoc.

Local Authentication (MFA included as an option)

Knocknoc supports local users in addition to SAML/LDAP. Simply add a user, with a username and p...

SAML

SAML is an in-depth topic, however it represents the best option for securing users, and providin...

SAML Principles and Terms

An overview of SAML principles and key terms to help you effectively configure and manage SAML wi...

SAML with EntraID (Azure AD)

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...

SAML with OKTA

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...

SAML with Gsuite as IDP

Gsuite can be set up as an Identity Provider if you have a Gsuite Business Starter or above plan. ...

SAML with Jumpcloud

The following example assumes your Knocknoc instance is located at https://demo.knoc.cloud. Where...

SAML for the Admin Interface

SAML for the admin interface is the same as SAML for the user base with a few very small alterati...

SAML with Keycloak

Keycloak supports multiple authentication realms, so you must first select the appropriate realm ...

SAML with CyberArk

CyberArk integrates with Knocknoc via the "Web Apps" component, passing through SAML assertions. ...

SAML with Authentik

In this example our Authentik instance is hosted at https://auth.example.com/ and is running vers...

Knocknoc with ADFS

The following example assumes your Knocknoc instance is located at https://your-knocknoc.cloud/. ...

LDAP

Knocknoc can authenticate users to an LDAP server like Active Directory, by attempting to bind as...

Backends

Backends are software interfaces that the Knocknoc Agent can connect and interact with. Select a ...

IPSet (Linux Netfilter/IPTables)

IPsets are a powerful and highly efficient way of making a dynamic firewall on a normal Linux mac...

Fortigate Address Groups (Fortinet)

The FortiOS integration allows Knocknoc to dynamically add and remove user's source IP from a na...

Palo Alto

Passive, Active, or a combination. Passive: Knocknoc's Allowlist feature provides a very powerfu...

Juniper SRX with Allowlist

Background: Knocknoc's Allowlist feature provides a very powerful integration with firewalls tha...

Allowlist

The Allowlist backend makes a list of active IP address grants available via the Knocknoc server ...

Microsoft Entra

Overview: This integration is designed to manage named locations in Microsoft Azure Conditional A...

HAProxy

HAProxy is a fantastic reverse proxy with a massive amount of features. Knocknoc has supported HA...

IPsets with UFW

This is an example that lets you use UFW (https://wiki.ubuntu.com/UncomplicatedFirewall) and IPse...

IPsets with Shorewall

This is an example that lets you use Shorewall https://shorewall.org/index.html and IPsets to dyn...

Script Any Arbitrary Backend

The "script" backend type is simply a script the agent can execute that takes a fixed set of argu...

AWS (EC2) Security Groups

Knocknoc can easily connect to AWS using common utilities and IAM credentials, and update the all...

AWS WAF Ipset

Below is a concise guide for a sysadmin (or developer) to set up and configure AWS WAF with a cus...

Mikrotik RouterOS

The scripting backend can be used for MikroTik RouterOS config updates as well. Here is a sample ...

Nginx

Nginx support via script was added in knocknoc-agent version 1.0.30. This allows for flexible ACL...

Apache Webserver

Apache 2.4 and above have slightly different ACL syntax, so this page covers how you can use Knoc...

ACLS

ACLs allow you to assign a name to an argument for a backend, which is then assigned to a Group.

Troubleshooting

What can go wrong, will.