Cloudflare for Teams Onboarding
Join Chris Scharff, a Cloudflare for Teams Solutions Engineer, to walk through configuring Cloudflare for Teams from initial signup, policy creation, and discussions of client deployment and management. Zero slides, 100% demo. Live without a net!
Hey, thank you for joining us here on Cloudflare TV. My name is Chris Scharff. I'm a Solutions Engineer here at Cloudflare, and today we're going to be talking about Cloudflare for Teams and going through an onboarding.
Before I get started, I want to thank you, not the collective you, but you personally for joining me here today.
I know with these trying times, everything that's going on, people have a lot of stress in their lives.
Hopefully you find this hour to be enjoyable and good for your mental health and not a frustrating exercise in what the heck is Chris talking about.
Today, we're going to be going through Cloudflare for Teams and doing an onboarding from scratch.
If you already have a Cloudflare account, you're actually ahead of us.
I'm actually going to sign up a brand new account on Cloudflare as part of this process here.
So we're going to go through everything.
This is not marketing, so if you wanted to know about CASB and SASE, we have other great presentations that talk about those topics.
This is not what we're going to do here today.
We're going to go through and we're going to set up Cloudflare for Teams and talk about the practical aspects of it.
So as a Solutions Engineer here at Cloudflare, one of the great parts of my job is I get to talk to a lot of customers, a lot of prospects, a lot of folks that are interested in Cloudflare.
And there's a lot of different use cases for Cloudflare for Teams, for Access, for Gateway.
And so some folks want to understand how they deploy a client to 10,000 desktops using tools like Jamf and Intune.
Other folks are home users, hobbyists, small businesses that have a totally different set of considerations.
In my day job, I get to ask some discovery questions. I get to find out what are you trying to achieve?
What does your environment look like today?
There's information sharing that happens. I'm going to apologize in advance that for this presentation, I'm not going to be able to address everything individually, but I'm going to try to cover a broad spectrum of topics and things of hopefully interest to you.
Try to bear with me if I'm talking about things that aren't practical or relevant to your environment.
I'm really trying to cover a lot of ground here. So with that, I'm going to turn off the camera so you guys don't have to look at me anymore.
We're going to do some screen sharing.
We're going to go through this live. I have no idea how this is going to work out.
There's nothing like a live unscripted demo.
So let me share my screen out here for you all. And we will see what happens.
So let's go stop my video so you don't have to see my mug. This is my desktop.
Great. So Cloudflare for Teams. If you wouldn't mind, go ahead and visit Cloudflare.com slash teams.
We're going to have this page open. And then one of the things we're going to do here requires having a domain on Cloudflare.
And so you may not own a domain, or you may not have a domain that you're able to put on Cloudflare right now.
So we're going to walk through the process of actually adding a domain right now.
And we're going to go to a site called Freenom. And we're going to add a domain.
So there's two places I'm going to cheat in this particular demo.
One is I'm not going to walk through signing up for an account at Freenom.
But if you don't have an account, you can sign up for one. You can get a free domain for use here.
So if you want to register a domain, that's great. Please do so.
If you already have a domain that you're going to use, or you already have a domain on Cloudflare, bear with the rest of us here.
While we do this, I am going to register a new domain live on Cloudflare TV.
And we'll see this should work.
Why wouldn't this work, right? All right. So brand new domain. Don't overthink this.
Just combine a couple of words. Pick out a domain. For those of you who need some random words, let's go with person, man, woman, camera, TV for you.
And we're going to name my zone.
I'm going to check for availability here. Oh, look, it's free. It's available. Get it now.
Select it. I'm going to check out. I'm going to change this to 12 months for free.
And I'm going to continue. So I've got my domain. Hopefully, you all are picking out a great domain name for yourselves.
Don't be married to this. We are, you know, this is just for demo purposes.
Oh, great. So I'm going to go ahead and give you guys my home email address.
This will be fun. No, that's not it. Let's try. If you guys send me spam, I will be sad.
I got to look up my password.
I don't know what my password is. This is too complicated.
This is too complicated. I have a password.
You know what's great?
Password managers. I have a password manager. Password, because nobody wants to know what my password is.
That is not the wrong password.
All right. This is fun. Nothing like a live demo. Hopefully, you all have your accounts already.
Let's try my work address.
Why not? I think you can find that on the Internet. I don't know this password either.
This is why password managers exist. Hopefully, you all know your passwords, and you're not having as much trouble.
But this is just more time for everybody to figure out what your domain name is going to be that we're going to use.
I was already logged in as me. This is great. I've read the terms and conditions.
I'm going to complete my order. Go to my client area.
All right. Eventually, I'm going to need to manage my domain.
Let's go to my domains right now. Here is this domain that I've purchased. I'm going to have to manage this.
If I look at the name servers, right now, it's just using default ones.
But we're going to add this site to Cloudflare eventually. Let's get started.
We're going to sign up for a Cloudflare account here as well. This is very exciting.
I'm sure some of you probably already have a Cloudflare account, but I really want to make sure that we can do this literally from scratch.
I've created a test email address for this.
I've entered in a password, which I'll put in my password manager eventually.
We are on the main page. We are going to begin the setup process. That domain that we created is going to come into place here a little bit later.
Right now, what we're going to do is we're going to configure Gateway.
Gateway is Cloudflare's secure DNS service that you can use for filtering.
It has a couple of other features associated with it as well.
We're going to begin our setup here, walk through the wizard.
We're going to set up our first location.
I'm probably going to run into an error here around my IP address already being in use, and that's because I've set this up a few times in the past.
So we're going to start with Gateway, then we're going to do a little bit of work with access.
So let's go ahead. I'm going to use default location. In general, my recommendation to large organizations is you want as few locations and as few policies as possible for managing this infrastructure.
So if you have 100 remote offices, that doesn't mean you need 100 locations.
It doesn't mean you need 100 different policies.
You can see my current IP address. So hopefully you all are launching DDoS attacks against me directly.
Thanks so much. Yes, we can see my IP address is already in use.
You probably won't see this. If you're an enterprise customer, contact us.
We could potentially get it released for you. So there's no IPv4 address associated with this, but I do have both a DNS over TLS hostname that I can use for queries, an IPv6 address that I can use for queries, and then I also have a DNS over HTTP endpoint.
So one of the fun things about the DNS over HTTP endpoint is you can use this in scripting and other things if you're kind of a nerd to look things up.
It's also an easy way to do some testing to validate that things are working the way that you expect them to.
Instructions down here, if you're going to deploy this on a router or on your machine itself to use these services, but we're going to kind of skip those and instead we're going to install the gateway client if we have time at the end of this.
I think we should have time.
We'll at least install it on my Mac here, but we have clients for iOS, Android, OSX, and Windows, so you can test that.
So we've got our location. I'm going to be done with this for the moment, but now what I want to do is I want to create a policy and I want to apply that.
So policies allow you to choose what types of restrictions you want to have with regards to DNS queries.
So I'm going to select and to apply this to the policy. Don't forget that step.
If you haven't applied a policy to a location, it would seem like, hey, you would automatically apply this policy, but what if I have hundreds of locations?
The thing I told you not to do, right?
I want to be able to pick these. We're going to skip the block page at the moment, but you can show a custom block page when users are blocked.
I can also do things like enforcing safe search and a feature which I think literally should be on by default is blocking YouTube comments, which is what restricted mode does among other things, so you can enable that.
Then there are some categories and types of threats that we can block.
So security threats, you might choose block all, you might be concerned about things like malware domains and phishing domains.
I'm going to go ahead and choose block all, but in this case, I'm going to go ahead and uncheck private IP addresses.
So one of the features that this would do is if an IP address resolves to something that would normally use on your home network, then this would block those results from being returned.
I have use for this, so I'm not going to apply it. Beyond that, most of these are pretty commonly just left enabled by folks.
There's also content categories.
So you may run a business where you have a point of sale systems that are going to use this software, and you don't really need people going to anywhere other than work-related sites.
So maybe I want to block gambling sites from being looked up.
I'm not going to get into any discussions about the efficacy of these things.
This is typically used in corporate environments, and you make the decisions that you want based on your organizational needs and security risks.
And then I can also put in some custom entries. So if I want to make sure that a category, I can add things into the allow list.
I can also block particular sites. So say that you're not a fan of the Rams.
It's an American football team, for those who have no idea what I'm talking about.
It's a game where we bash each other in the head and play a ball, not with our foot, but we call it football anyway.
So I'm going to block the Rams.
You know, now that I'm done with my policy, I'm going to save that.
And I can validate that I have one location assigned. And if I edit this policy, or if I look at my locations, I can also see that I have one policy applied, right?
So those are consistent, and it makes sense. We're going to talk about a couple of other more advanced features here related to Cloudflare for Teams as well.
Other features that we can do for Secure Web Gateway. And this is the second time that I'm going to cheat.
I am going to go ahead and give myself a subscription that allows those.
The reason that I'm going to do that, so let's go ahead and look at, if I want to take advantage of some of these advanced features, they're available on various plans.
So if I look at my account under settings here, I can choose a plan.
And when you go to choose a plan, you can choose free.
There is a paid plan that includes up to 50 users, and then also enterprise plans.
If I selected this standard plan so that I could demo this to you, then I've got to enter my credit card information.
You guys saw how much trouble I had with all my other fields.
Plus, I really don't want to give you my credit card number.
So I have cheated on the backend and given myself a subscription. If you want to subscribe, feel free.
As I mentioned, up to 50 users are included on the standard plan.
So if you want to sign up for the standard plan, configure that, you can do so.
At the moment, you can see on my overview page, I don't have any DNS queries going to this yet.
I've configured a location, and we saw that. And I have a default DNS over HTTPS query location, but I haven't configured a client yet.
Just for fun, we're going to bring up a DOS prompt here, and I'm going to do a curl against this host name that I was assigned.
So this is my unique Cloudflare DOH subdomain.
And I'm going to do a query for phishing.testcategory.com. If my policy is working, I should get back 0.0.0 .0 as the IP address for this.
So let's do a query.
Yes. So you can see phishing requests are being blocked, because that's a category that I had turned on.
And I'll bring this command back up in case somebody wanted to see it.
I'll try to paste this. There's a community post associated with this session.
I'll paste a sample of this command in there as well, so you can take a look at it if it's something you want to play with later.
But I can validate that the queries are actually being blocked in my environment.
So that's awesome.
Now, let's see.
Let me go to access now.
So access, this is the reason that we needed to add a domain.
So today is October 23, 2020. If you're watching this, hello to future me. If I happen to be watching it, hello to future you.
If you happen to be watching this at some point in the future, the steps that we're going to go through right now around adding a domain in Cloudflare in order to set up an access policy are, this is a short-term issue.
If you're only interested in using access for third-party applications, and as part of a team's policy, you'll be able to do this without having to onboard a zone.
That should be solved by the end of 2020. Again, I mentioned there's a community post.
If you look in there today, there's an answer to question number one, which is, can I save five minutes of my life?
And the answer is currently no.
So we're going to take five minutes. We're going to onboard this domain that I purchased.
So when I click on begin setup for access, it's going to tell me that I need to add a zone to Cloudflare in order to onboard to Cloudflare for teams.
If you're not planning to use this to protect internal applications in your environment, the work that we did on Freenom to add a domain, this could basically be a throw-it-away domain.
You don't have to use a corporate domain here.
But we're going to go through this process. It's going to take us to the main Cloudflare dashboard.
I am going to grab the name of this zone that I just created, and I'm going to paste that in here.
So if you add in the name of the site that you just added or a site that you own, you can click on add site.
And no need to pick any plan other than the free plan for the purposes of the exercise that we're going through today.
If you're interested in web application firewall, advanced logging, additional features that are available on other plans, feel free to explore that.
But we can do what we're going to do today just on the free plan.
So right now, Cloudflare in the background is scanning for my existing DNS records.
You all know I just added this domain and created it, so there aren't any actual existing DNS records other than the name server records.
So it's not actually going to find anything.
There's also an option to import your records if you have a production zone that you want to bring on to make sure that we get everything.
It's going to be unhappy that we don't have any DNS records, but that's fine.
We're going to go with the default method for adding this zone. We could transfer our name servers instead, or we could transfer registrars to Cloudflare if we were interested in this instance.
But right now, we are going to update our name servers at Freenom to this custom name server pair.
So I'm going to go ahead and paste in the name servers that I have here.
And we're going to change the name servers to Cloudflare.
Didn't we just do this, guys? I literally just signed in like a hot second ago.
There's nothing like a live demo.
All right. My domains. Managed domain. I doubt it took that information.
I appreciate their concerns for my security, and I will not complain.
By the way, you'll notice I am copying and pasting these. Biggest mistake that I see folks make when they're transferring their name servers is typoing a name server pair.
The other thing is we need to be the only name servers here, so I'm making sure that I don't have any others in my registrar.
You only want the Cloudflare name server pair to show up.
So we're going to save that. And one of the things that you'll notice is this particular workflow that we're in here opened a new window from Cloudflare for Teams.
So I'm going to click Done and change name servers.
We're set up for full SSL encryption. If I had a website and it already had SSL on it, this is really kind of my preferred and default mechanism.
I can also automatically upgrade my request to HTTPS.
If somebody makes a request on HTTP, if your site supports that, I definitely encourage turning that on.
You know, I'm going to go ahead and turn on the minification because I can, and then I'm going to click Done.
And so this is my website. We're waiting for the name servers to update.
The other thing is here on the page here, this wizard is actually waiting in the background and checking for my name servers to update.
So if I clear my screen here and I do a dig for the domain that I have, I can see that these name servers have already propagated.
It's out there. It may just take a second for Cloudflare to notice that that's the case.
I can click the Recheck Now button. This gets queued up.
I come back to this screen. Oh, you can see, look, it will automatically move you on to the next page here once the name server is successfully validated.
So at this point, I have to pick an authentication domain. This is often people use the name of their company.
But this is really, if you're setting up access, requests will be redirected to this particular URL.
It can be changed in the future.
So like I mentioned, camera, person, woman, man, TV. I don't remember what order those are supposed to be in, but we're going to say camera and see if that's taken.
Look, not taken. All right. Now I'm going to talk a little bit about access here.
Perhaps you have an application that you want to protect in your environment.
If you've already got a website and it's up and running, that's awesome.
I'm going to assume that we're trying to protect a WordPress site, for example.
So in this case, I want end users, visitors to be able to hit the site, but I want to make sure that the admin section is being protected.
I'm going to go through the basics of this. There's actually a couple of cool things that you can do.
I'll see if I can link a knowledge base article in here to when you're setting up WordPress, but this could be your admin site.
This could be your Internet from your company.
This could be your home file server that you want to expose to the Internet so that you can get to your videos that you've recorded of your drone footage.
I don't know. A lot of use cases here, but we're just going to call this WordPress for the moment.
I am going to call this, maybe it's my www site.
I choose which of my domains that I want to protect, and in this case, I'm also going to do a slash wp -admin.
And so click next. I'm going to set up some identity providers here in just a moment, but for the moment, I'm going to say, allow just me, and we're going to use the email address that I created for this account.
So I'm going to say, emails ending in, or actually, I'm just going to do emails, and I'm just going to use this one email, tvdemo at 10lines.com.
Yeah, there's also this cool feature where we don't like spaces in the name of the rule.
That's a feature. So there should be my rule.
Let's just make sure. Oh, nothing like a live demo. Let me skip to the Teams dash, and let's look.
I've got my auth domain. I didn't remember my applications.
That's a feature. I'm just going to skip Teams dash.
That's fine. All right. Don't worry about it. Live demo, nothing ever works the way you expect it to.
A couple of fun things here. Usually, you're going to see a login page when they try to go to a site that's protected by Cloudflare Access.
I'm going to customize my login page just for a hot second here.
So the page they're going to go to is this one. This is what they're ultimately going to see.
I could put up my company logo. I could have a message at the top of it.
I could have a legal disclaimer at the bottom, and I can change the color of the screen if I want.
We'll just save that. I can enable an app launcher for my end users to get to published apps that I have.
And so I'm going to do emails, and I'm going to add the email address I was using before.
I'll just copy that back over here and save that.
So this user can log in. I realized what my issue was from before.
I don't have a login method set up yet, so I need to add a login method.
So let me go with the easiest login method, which is one-time pin, where it will basically send me a code to allow me to log in in my email.
There are instructions for setting up things like Okta, LastPass, or Azure AD, OneLogin.
So when I click these links, there's information you need to provide. We try very hard to give you step-by-step instructions here on how to do that along with screenshots in line.
You can scroll through that, scroll back up to the section where you need to put that data in, and we kind of walk through the steps that are required to configure these identity providers.
But one-click access is really pretty straightforward.
So that's kind of my default when I'm doing a demo, at least where I'm trying to cover as much ground as we're covering today.
So I've got my authentication in place.
Now I should be able to add an application. So let me add my application here.
In this case, I'm going to do the self-hosted app. We're going to go back, and this is we're going to say WordPress, right?
And so dub -dub-dub. I'm going to select my domain again, and I'm also going to do slash wp-admin.
And it's warning me that I don't have this domain name created yet, which is true.
So we're going to do that in kind of the next step.
But let me see if I can configure this rule. Emails. Put my email in here. So this user's allowed.
If I have things like Okta groups or other settings that I could pull in from my identity provider, I can leverage those here as well.
I can also add things like geo-restrictions so that people can only log in if they're in certain countries.
But for the moment, I'm just going to add this application. You can see that there in the UI.
I'm going to come back to my environment that we had, and I'm just going to add a dummy record here.
So I'm going to do an A record for dub-dub-dub.
I'm going to point it to 102 .2.1. This is a documentation address, and we allow that to be orange-clotted.
Now I've created this, right? So if I go to dub-dub-dub.cfdemo1.cf, I'm definitely going to get an error, right?
I mean, everybody understands that I don't actually have a host there.
It's going to give me an error when I go to the site.
Well, it should give me an error.
It will eventually give me an error because I can't get to that site.
But let's do dash slash wp-admin, which is where we just created that policy, and see what happens.
Oh, yeah, see? So even though the site isn't there, I've got the login code option here because that's my identity provider.
And if I type in that email address that I have... Sorry, let me create an email address for a demo.
It's kind of hard to remember, but I'm going to send myself a code.
And what I should see here shortly in my personal email is a code that I can type in, and that will let me pass this page.
It will almost certainly hang up just like the other site was because, again, I don't have a website behind this.
But if I did have a website behind this, then I've securely protected that app.
So here's the code that I was sent. I put that in. I click sign in, and now you can see it's waiting on the website.
So it's hung up the same way as when I was trying to go to the www site, right?
So nothing's broken here. It's just there really isn't a website behind this, and it's eventually going to throw an error.
So don't get freaked out by that. It's... Nobody wants to see me set up a sample WordPress site just for the purposes of this demo, right?
But now I've got this application.
I can protect that. I can protect third-party applications where I integrate with Cloudflare for additional signal information to protect my apps.
So that's always fun. And now let's talk a little bit about the log data.
So you can see I did DNS queries for that phishing category, and it shows up in my logs here.
I also see the source IP address for that. All right. So yeah, connection timed out, right?
So eventually Cloudflare let me through the access policy, but gave me a connection timed out, which makes perfect sense because I gave it a bogus origin, right?
Like there's no actual website running there, totally expected behavior.
Let's open up some Cloudflare documentation here. So now I want to talk a little bit about the gateway client and what we can do with that.
So from our docs, we have information both on configuring and managing policies, and then we also have information around our client, the warp client.
So this is available from 188.8.131.52, the website, or we have links here in the environment.
So we're going to talk about the various modes that are available. I can encrypt all the user traffic to my edge.
I can use this just for DNS lookups. On the paid plans, you can also do L7 firewall inspection.
I can do URL filtering.
I can block particular kinds of content as well in the environment. And then I can also map users to their devices.
So let's talk a little bit about installation.
I'm going to talk about primarily doing this as a Teams deployment.
So a couple of ways you can deploy this software. You can use tools like Jamf Intune, others that deploy software to your end users, and you can auto configure a bunch of these settings.
So we describe some of the fields that are available and their values and what they do.
Actually, this documentation, we're going to add a a new option to this shortly for a feature that's just being released into our beta branch later today.
But let's take a look at the Mac OS deployment here.
So I can grab the client for this and then I can install this.
So let's see. Let me go to 184.108.40.206 real quick. And I'm going to download from Mac OS onto my desktop.
So I've got the zip for the client here. If I wanted to do an automated install on a Mac, there's what's called a plist file that has some settings that you can put in place.
I did want to call out this enable key.
We mentioned it in the documentation. But what this would do is if you have enable as a key, this is an optional key, but if you set it to true, this will prevent a user from turning off work on their client.
During your POC, I would probably not set that to true in case you need to disable it for some reason so you can test things.
You're also going to want a couple of unique pieces of information. One is your gateway DOH subdomain.
So that was something that we got from our gateway policy.
So if I look at my policy here and I edit this, oh, sorry, not your policy, but your location.
So your location, that's this value right here. This is my gateway DOH subdomain.
So this value I'm going to need. And so you can copy that and paste it into that file if you're automatically configuring it or if you're manually configuring it, you can give end user instructions to paste this in the appropriate field.
And we'll get into that here in just a second. The other thing, sorry, I'm going to change here for just a second.
There's also setting up a policy to say who can enroll in my teams.
And so I'm going to do emails ending in and just say anybody with a 10lions.com email address can enroll a device.
So let me go back to the deployment here because the other thing I'm going to need is my organization name, which is my team name.
So when we created my access policies and we created this authentication zone, in this case, I used camera.
It's whatever this off domain, the short, the host name.
So not the full camera.Cloudflareaccess .com, but just camera.
We're going to need that as well. So these, if I'm doing this, I can specify these.
So my end users don't have to know anything about them. If I'm doing an automated deployment for a manual deployment, I'm going to need those pieces of information.
And then I can also set a support URL. So you if people are having problems and they need to contact your help desk, you can send them there by entering your help desk URL here.
You can also do a mail to link here instead. So it could be mail to colon whack whack support at example.com for your company to email if you use email-based support.
And then we also have instructions for manual configuration.
And so again, I mentioned we're going to need this DOH subdomain and I showed where we're going to get that.
And we're also going to need the team name when we log in with teams.
So this is fun so far, right? Everybody's having a good time.
Let me click on this zip file and extract that. And then I'll show my desktop so you can see the extracted file.
Here we go. The warp package here, I'm going to double click that.
I may have done this a couple of times.
You can see I've got a few installers. So I'm going to click continue and install to the default location.
They get prompted for your credentials. And then what we should see once this finishes installing is you'll, yeah.
So we see that this popped up on my desktop.
I've got a little icon in my bar here. If I'm on a Windows machine, that shows up in the little task bar down in the bottom right hand corner.
I'm going to close this installer, close this window, and then we'll go ahead and click this link.
Brings up this, what is warped. We're going to continue.
Right now you can see this is configured for 220.127.116.11, which is the consumer service.
But the exact same installer that is being used on millions of desktops and mobile devices today was the basis for building out Cloudflare for Teams.
So we've had millions of users using this for months, years in some cases, depending on the platform, tons of feedback.
We're going to set this up here.
So two places I need to configure things. One is I need to configure a gateway DOH subdomain.
So we go back to our browser. And if I remember correctly, that's in locations.
And what I want is this value here, just the host name.
So I'm going to copy and paste that because nobody wants to read that out to an end user over the phone.
And I'm going to come back here. And I'm going to input my DOH subdomain.
And I'm going to click Done. And then what you'll see here is 1.1 .1 for families actually changes to None.
And if I try to switch it to something else, I'm not allowed to do that.
If I try to change the protocol method, I'm not allowed to do that either because now my gateway DOH subdomain is what is controlling these settings.
If you have a particular security policy in place, you don't want users bypassing it.
So once this is configured, that is what's in use. And then the other piece of this is now I want to log into Cloudflare for Teams.
So if we remember, I used the incredibly awesome name of, what was the incredible awesome name I used?
Oh, camera. Look at me, my cognitive function, folks, it's rocking.
So I'm going to log into my organization name and click Done.
It should bring up a page here in just a moment.
Oh, yeah, it did. And so what that is trying to do is force open a screen in a browser that I can't share with you.
So let's see if this works from over here. I'm going to allow it to open it.
I'm going to look at my preferences. This is one of those challenges.
There's a screen I can't share with you, and I may have broken it because of it.
Nothing like a live demo. I promise you, this is not a particular issue that you would encounter in your environment.
I just had something extremely weird in my environment and sort of broken on purpose for testing purposes.
So I apologize that you're seeing that.
Yeah, it's a feature.
It's just me. It's not you, it's me. How's that? So let me close this.
Hopefully now what we should see is, yes, so I'm in Teams. You're going to see this registration error.
I apologize. But you can see I'm using Gateway with Warp.
And team registration is just not going to work for me right now because of a particular work on my machine.
That being said, if you run into problems, there is the opportunity to send feedback.
Put in your email address. We'll triage it.
We'll do our best to help you resolve it. There's also the Cloudflare community, and you can visit that.
That's community.Cloudflare.com and configure for your environment.
What else should we talk about when it comes to Cloudflare for Teams? So you can see I don't have a device here, but that's only because I had a problem with that registration.
But when the devices are registered, you'll get a device name here along with the user that's correlated to it.
What I should see now, because the DOH subdomain should be working, if I try to visit, let me grab that phishing.testcategory.com.
If I try to visit this in my browser, now that the client is installed, this should fail.
Yes. If you expected this category to be blocked, check the resolver.
Try again in a few minutes.
So clearly, I have broken my machine. There is nothing like a live demo.
Yeah. Basically, because my registration is in process, Teams isn't turned on at the moment.
I can quit this. Let me see if I can turn it back on. Oh, this is fun.
Nothing like a live demo. This is so awesome. Sorry, guys. I broke that piece.
Let's flip back to the UI. We already know the category is working, right?
We did that. We did that here. We get back at 0.0.0.0. Because my device is in a bad state, because of something totally unique to my environment, that's not going to work.
But hopefully, you all didn't get stuck there. You tried the phishing category, and that worked for you.
Let's talk about a couple of other things here in the environment.
So I have my gateway logs. I can see these lookups. I know what IP address this came from, because I was using DOH for this particular query.
If I had this set up at a site level, if my IP address hadn't already been used by another policy, that would show up in the logs as well.
I have information about the logon request that I set up for my WordPress admin site here.
You can see that the user tried to log in, that they were able to successfully log in, that the decision was to allow them information about who the user was.
So as an administrator, I get a lot of visibility into what folks have done.
I also have information from an admin policy perspective, who was creating policies and why in the environment, and what those do.
And then at a user level, I understand which of my users are utilizing this tool.
I can revoke a user. You'll also be able, within devices, to remove devices.
So if a user leaves or you need to deprovision a device, you'll be able to remove that as well.
So I'm trying to give you a lot of information there from an administrative standpoint, so you get an idea of what your users are doing when you put these security tools in place.
We've talked about customizing the login page.
I now also have, I can enable my app launcher. So if I go to that camera.Cloudflareaccess .com, you will also see my app launcher here, because I've configured my apps.
Let me try to open this and see what happens.
I don't think that will actually work.
Yeah, I think that I've actually broken this, but let's see if the warp client, oh, hey, connected.
So for fun, let's try that phishing link again. That was the URL.
Oh, yeah, look at that. Let me double check that was the right URL, and I'm not just cheating by pasting in a bad value.
Yeah, phishing .testcategory.com. I'll copy and paste from somewhere else just to make sure that I'm not cheating.
But yes, look at that.
So my DOH policies are now actually working. So apologies about that weirdness.
It looks like we found a way to actually get that to work, which is kind of fun.
But I've got my app dashboard here for the applications that I have access to in my environment.
I've got my application that I've created.
Let's talk just briefly about protecting SaaS apps.
So if you have a SaaS app that you don't see in the list here that you're interested in protecting, let us know.
But I could protect hosted Atlassian applications that are hosted by third parties.
I could use these signals for my Dropbox and Evernote.
And what you wind up doing is you configure your identity provider within Cloudflare, again, under the authentication section.
And you're able to create policies here that may include some premium features or features that may not be available with your existing identity provider, where we can do things like require two-factor auth for a particular application for a subset of users, like administrators, or require that they not be connecting from certain countries when they're trying to log in.
So if you're using a tool that didn't offer geo-restrictions, we can do that using this tool.
So that can be pretty powerful if you want to basically configure Cloudflare as an identity provider there.
The other nice thing is you can potentially aggregate multiple identity providers.
So perhaps you're using Azure AD and you acquire a company that's utilizing Okta.
This would allow you to support that as well. So we have a number of folks that are doing that.
It also allows you to potentially support some novel authentication types.
Perhaps you have contractors and you want to add support for them being able to log in via GitHub credentials.
So we support that as well.
So again, locations, policies. The only thing I'm not going to go into today from a policy standpoint is around HTTP filtering, but we do have support for that as well.
You can visit developers .Cloudflare.com. We have documentation on how that works within the gateway section.
So you can read about that. Hopefully you have all found this useful and a good step to kind of walking through getting this installed and configured.
I absolutely appreciate you taking the time to hang out with me today to walk through this process.
If you have questions, feel free to ask those in the community forums, reach out to your account team or sales team.
If there's some enterprise features or you have a large number of users that you're looking to support, or if you have unique scenarios that you're trying to cover here, like how do I cover my guest networks in my retail stores, reach out to us.
Let's have a conversation. We have solutions for those types of things as well.
I really wanted to focus here more on kind of the nitty gritty for how you install and configure these features.
I guess one other thing I do want to mention, I'm not going to show the HTTP policies right now, but if you're going to do HTTP filtering policies, that means that we're going to become a termination endpoint for those SSL connections.
And so the users are going to have to have a certificate installed on their devices.
So we have instructions on how you can do that manually.
If you have, again, tools like Jamf and Intune, you can also deploy this certificate as part of this process to the end user devices.
If you enable URL filtering and force the clients to connect to Cloudflare's edge and they don't have this certificate installed, they will not be able to get on the Internet with the client enabled.
So by all means, make this part of your test plan when you're doing your initial trials with the client.
If you're going to deploy this for your mom, double check and make sure that you've got it in place and that it works the way that you expect before you enforce the traffic to be filtered on Cloudflare's edge.
We have instructions for iOS, Android, Windows, Mac for how you install this certificate.
And so just be aware, I would get the certificate installed before I started configuring policies and even playing with it, because without the certificate in place, you will break the clients.
Beyond that, we do have sections with some frequently asked questions.
We're constantly updating that as we get more questions, information about how the tool works, different deployment scenarios.
But again, community is a great resource for troubleshooting as well.
If you have questions or problems, I'm more than happy to address them there.
There's a bunch of really smart people there that have played with all of these toys.
And for me, that is really the end of the presentation.
I want to thank you all so much for having joined and spent time with me today.
I recognize that there were a lot of ways that you could have been spending your time.
The fact that you felt that it was worthwhile to walk through this demo with me, I am hugely appreciative of that.
Thank you so much again for your time.
And with that, I'm going to pass it back to my team, and they're going to take us to commercial.
...in a way that is private and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
Mozilla and Cloudflare collaborate on a wide range of technologies.
The first place we really collaborated was the new TLS 1.3 protocol, and then we followed it up with QUIC and DNS server HTTPS, and most recently the new Firefox private network.
DNS is core to the way that everything on the Internet works.
It's a very old protocol, and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize. You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it, and Mozilla would run the client piece of it, and the consequence would be that we'd protect DNS traffic for anybody who used Firefox.
Cloudflare was a great partner with this, because they were really willing early on to implement the protocol, stand up a trusted recursive resolver, and create this experience for users.
They were strong supporters of it. One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something and we write down the barest protocol sketch, and they have it running in their infrastructure, is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use or 10 people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people.
Cloudflare's been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.
Really, users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure, and we're offering them via Cloudflare.
So that's an immediate benefit that users are getting. The indirect benefit that users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it.
And that will ultimately benefit every user, both Firefox users and every user of the Internet.
We're really excited to work with an organization like Mozilla that is aligned with the user's interests, and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.
So thank you.