Envoy has 20+ access control system integrations with more coming soon. To connect your access control system, Envoy requires that the system be publicly reachable, with inbound and outbound access to the internet. Ensuring secure communication between Envoy and your access control system is paramount.
These are the three most common ways that our customers securely make their access control system publicly reachable by Envoy:
Public IP Network Address Translation (NAT)
Demilitarized Zone (DMZ)
Proxy/Reverse Proxy
Option 1: Public IP Network Address Translation (NAT):
Use a Public IP NAT to make the server accessible to Envoy.
A public IP address will be necessary for Envoy to communicate.
Inbound traffic from Envoy should be allowed on your firewall and routed (NAT) to the access control system.
Option 2: DMZ (Demilitarized Zone):
A DMZ is an isolated subnetwork designed to allow external access to specific systems (such as Envoy) while keeping the rest of the organization's network closed to external access.
The access control system can exist in the DMZ or your internal network. A DMZ can be created by implementing a dual firewall setup:
A firewall between the internet and the DMZ.
Another firewall between the DMZ and your internal network.
Steps:
Allowlist Envoy’s IP addresses to communicate with your DMZ firewall.
Route traffic appropriately to the access control system.
Option 3: Proxy/Reverse Proxy:
A proxy or reverse proxy is an intermediary server that sits between Envoy and your access control system. Envoy will send requests to the proxy server, which then forwards them to your access control system.
The access control system will respond through the proxy, which will send the traffic to Envoy. Through this method, Envoy will never interact directly with your access control system. This can be accomplished by selecting proxy server software and configuring it to route the traffic.
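As an added illustration of Option 3 combined with the allowlisting step from Option 2, here is a reverse proxy configuration that accepts connections only from allowlisted source addresses and forwards them to the access control system. This is an example written for this page, not Envoy's own configuration: nginx as the proxy software, and every address, hostname and file path shown, are assumptions or constructed placeholders.

```nginx
# Added example. nginx is an assumption; the page does not name proxy software.
# All addresses, hostnames and file paths below are constructed placeholders.

# Internal access control system, reachable only from the proxy host.
upstream access_control_backend {
    server 10.0.20.15:8443;                  # placeholder internal address
}

server {
    listen 443 ssl;
    server_name acs-proxy.example.com;       # placeholder public hostname

    # TLS for the internet-facing side of the proxy.
    ssl_certificate     /etc/nginx/tls/acs-proxy.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/tls/acs-proxy.key;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Source allowlist: replace these documentation-range placeholders with
    # the IP addresses Envoy provides. Every other source is refused.
    allow 203.0.113.10;
    allow 203.0.113.11;
    deny  all;

    # Keep a record of what reached the proxy for later review.
    access_log /var/log/nginx/acs-proxy.access.log;

    location / {
        # Forward to the access control system over TLS and verify its
        # certificate so the proxy cannot be pointed at an impostor.
        proxy_pass                    https://access_control_backend;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder path
        proxy_ssl_name                acs.internal.example.com;        # placeholder name

        # Pass the original client address to the backend for its own logs.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Running `nginx -t` checks the configuration for syntax errors before it is reloaded.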