
IP Forwarding/Blocking to a URL.
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Dec 15, 2014, 08:51 AM
 
So I have a customer who accesses a service at a specific URL. They have login credentials but these are stored in their devices and only the boss actually knows what these are.

They would like to restrict access to only the IP address of their office so that people cannot access this URL/site from home or elsewhere.
This cannot be done within the service itself because others share the same server and do not share this requirement.

I am therefore looking for a service which would provide a new URL that forwards traffic to the old one, but only traffic from the authorised IP(s).

Does that make sense? Anyone know of such a service?
I have plenty of more important things to do, if only I could bring myself to do them....
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Dec 16, 2014, 10:53 AM
 
You're talking about a setting on the client computers so that they refuse to connect unless they're on the right IP? That is only ever going to be security by obscurity.

Not knowing the authentication protocol, the idea that occurs to me is to set up a server inside the office that authenticates to the external service and have that server forward incoming connections to the external server. This server could then accept connections on port 54321 or something, and the firewall be set to always block that port. The clients would then not have the login credentials to the external server, but only know how to connect to the server in their office.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
Waragainstsleep  (op)
Posting Junkie
Join Date: Mar 2004
Location: UK
Dec 17, 2014, 06:20 AM
 
It IS security through obscurity yes. I wasn't actually thinking of setting the limits at the client machines though.

The service in question is based on MS Dynamics CRM and runs on port 443. It's just HTTPS AFAIK. There might be another protocol in play since it's accessed chiefly through the Outlook plugin, but there is a web interface that allows 90% of the same access. Our preference is that users be able to use tablets to access this web interface while on the premises without being able to go home and put the URL into their own devices elsewhere.
While the users don't know their own login credentials, there is one shared account used by the tablets for convenient data capture. This one is a problem as staff will almost certainly need to know the login details for it.

I had been thinking of using an AWS instance running Apache, filtering allowed IPs via htaccess and forwarding requests that come from allowed IP addresses. I'm not sure if this is possible or how practical it is though.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Dec 17, 2014, 01:20 PM
 
Apache's reverse proxy, used in DMZs all over the world for this sort of thing. LAN connection OK, outside LAN KO.
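
The reverse proxy with an IP allowlist discussed in this thread, sketched as an Apache 2.4 virtual host; this is an added example, not part of any poster's message. The hostnames `crm-gw.example.com` and `crm.example.net`, the address `203.0.113.10` and the file paths are hypothetical placeholders.

```apache
# Added example (not from the thread). Hypothetical values:
#   crm-gw.example.com  - the new URL users are given (this proxy)
#   crm.example.net     - the existing hosted service (upstream)
#   203.0.113.10        - the office's public IP (documentation range)
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_authz_host.
# Note: ProxyPass is not permitted in .htaccess files; it belongs in the
# server or virtual host configuration, as here.

<VirtualHost *:443>
    ServerName crm-gw.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/crm-gw.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/crm-gw.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Speak HTTPS to the upstream and verify its certificate and name.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    <Location "/">
        # Allowlist: only the office address may use the proxy.
        # Every other client receives 403 Forbidden.
        # If the proxy sits on the office LAN instead, list the LAN
        # subnet here (for example 192.168.1.0/24).
        Require ip 203.0.113.10

        ProxyPass        "https://crm.example.net/"
        ProxyPassReverse "https://crm.example.net/"
    </Location>

    # Record client address and status so refused attempts can be reviewed.
    LogFormat "%h %t \"%r\" %>s" gw
    CustomLog logs/crm-gw-access.log gw
</VirtualHost>
```

The allowlist governs the proxy URL only: the original URL still answers anyone who knows it and has working credentials, so the restriction holds only while users are given the proxy address and not the upstream one.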
     
Waragainstsleep  (op)
Posting Junkie
Join Date: Mar 2004
Location: UK
Dec 17, 2014, 10:46 PM
 
So you think I'd be better off running an Apache instance on a local box? I guess I could do that. There is a Mac Mini Server just sharing files.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Dec 18, 2014, 08:39 AM
 
The reverse proxy solution is well used, afaik well supported and if the dicks that I know installed it can do it, anyone can. For info, it was managed by the web team not a network team.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 18, 2014, 09:21 AM
 
How about a firewall rule? I believe you can do this using iptables, for instance.
     
   