RStudio Connect - Deployment options - Firewalls

Hi all,

After reading the admin guide, watching a variety of videos, searching various locations I am still wanting to know a bit more about actual deployment scenarios with particular interest in how to balance the requirements of internal vs internet access; wanting to use LDAP authentication, but also support authenticated users who are external to the organization and are not in the organization's LDAP; ensuring access to restricted data is not compromised through external access, etc. Has anyone seen such materials anywhere?


I have not seen such material. However, I could image one of the following approaches:

  1. Use proxied authentication where your proxy authenticates either with LDAP or the source for external users. These external users should get some fixed group so that it is easy to authorize certain Apps for external access by allowing read access by that group.

  2. Use LDAP authentication and mark content meant for external access "public". Then add a reverse proxy in front of RSC which authenticates with your source for external users.

In both cases, external users have to authenticate and are only allowed to view content that has been made available to them.

1 Like

Sorry for the delayed response here. One possible approach you can take here is to use Connect's ability to delegate to multiple LDAP identity providers. You could build an LDAP directory for only external users, and then let Connect delegate to both that "external" LDAP directory and the internal LDAP directory. Just ensure that usernames are unique, and both should be able to access!

As @rstub mentioned, you will still need to mark content as accessible to these external users.

Another solution would be to have separate Connect servers - one which is internet accessible and another which is "internal only." You can use some manner of "staging" / programmatic deployment / etc. to keep content in sync across the servers, if this is a desirable approach. We have seen customers take this approach on occasion, since the internet accessible server has more restrictive firewall and security requirements.

We're definitely happy to chat through it with you either here or elsewhere, if you have any more specific questions! Always feel free to ping, and we can set up a call!