Getting Started

Cloud SaaS or self-hosted server?

You can run your Knocknoc server either as a managed cloud instance (we host it) or self-host it.

Should you deploy a cloud or self-hosted instance of Knocknoc? The answer will depend on a few factors.

For example, if you want to integrate an LDAP authentication source that is not on the internet, then of course you need self-hosted. A self-hosted Knocknoc server may also suit you better for various security segmentation scenarios, or even Knocknoc on internal networks, which is great for SCADA or ICS systems.

Our cloud SaaS servers are deployable in under a minute, with DNS records and inbound rules all configured for you ready to go.

Spin up a cloud instance fast via the licensing portal

For self-hosted servers, here is the self-hosted install guide.

Licensing

Knocknoc licensing is based on the number of users.

Cloud SaaS instances manage licensing for you - this is the quickest way to get going.

If you are self-hosting, you will need to have a license to install the server, noting you can get 1 free single license for home/DIY use, or lab environments. There is no limit on the amount of groups, backends, agents or ACLs configured. SAML support is also included out of the box!

Orchestration Agents

The agents perform the backend work of updating access for the logged-in user, so you need at least one unless you are using Passive firewall orchestration. These can run on the same server as Knocknoc if you so desire, or deep within an internal network with outbound network access only.

Knocs

Knocs define and manage the action(s) performed by the underlying Agents, or by the Server itself in the case of Passive lists. This is also where custom scripts are managed, webhooks and more! See currently supported backends.

Groups and Authentication

While users can be created either locally or through SSO (Single Sign On) like SAML (recommended) or LDAP, groups are created locally in the admin portal. A group maps users to ACLs, providing fine-grained control over the resources they have access to. Groups from SAML can match dynamically with Knocknoc groups for easy administration.

Read more in the authentication guides and the group setup guide.

Test it out!

The first time you log in, take a look at how Knocknoc works and feels like magic. We can't wait for you to enjoy using Knocknoc every day.

Monitor and Manage

Knocknoc can stream metrics using GELF, and can supply regular exports of user activity. It also has an audit trail function, so you can see exactly what resources which users had access to when. Security teams looking to track fine-grained access to network resources can export to CSV as required.

Use Cases (overview)

SSH

FortiOS, FortiProxy, Palo Alto, or SSL VPN

VPN and Ransomware

High security subnets and JIT network access

Financial services data partner, secure web upload

Web applications (layer-7 filtering)

Remote Desktop, simple small business example

Firewall Manager access (IT MSP)

Ivanti Connect Secure

Video

VOIP

AWS Infrastructure

Azure Portal

Licensing Knocknoc

Server Installation

Agent Installation

Knocker - a cli utility for agents

Create Users

Create Groups

Admins

Settings

Updates and Upgrades

Local Authentication (MFA included)

SAML

SAML Principles and Terms

SAML with EntraID (Azure AD)

SAML with OKTA

SAML with Gsuite as IDP

SAML with Jumpcloud

SAML for the Admin Interface

SAML with Keycloak

SAML with CyberArk

SAML with Authentik

Knocknoc with ADFS

LDAP

IPSet (Linux Netfilter/IPTables)

Fortigate Address Groups (Fortinet)

Palo Alto

Juniper SRX

Allowlist (EDLs)

Microsoft Entra

HAProxy

IPsets with UFW

IPsets with Shorewall

Custom Script

AWS (EC2) Security Groups

AWS WAF Ipset

Mikrotik RouterOS

Nginx

Apache Webserver

Click to Grant/Revoke

Additional client IP addresses

Time for NTP

LDAP Troubleshooting tips

Knocknoc server behind HAProxy

HAProxy tips and tricks

LOOTOTL - Last One Out Turn Off The Lights