
Setting Up Your First Zero Trust Policy

This tutorial guides you through implementing zero trust network access using Peakhour's Edge Access features. By the end of this tutorial, you'll have a functional zero trust policy protecting a web application with identity-based access controls using Email OTP (One-Time Password).

Duration: 25 minutes
Prerequisites: A Peakhour account and an application to protect (e.g., internal-app.yourdomain.com).
Learning Goals: Understand zero trust principles, configure the Edge Access authentication server, and create and test access policies.

What You'll Build: A complete zero trust setup that requires users to authenticate via an email-delivered code to access your application, with conditional access based on their location.

Understanding Zero Trust

Zero trust security operates on the principle "never trust, always verify." Unlike traditional network security that trusts users inside a network perimeter, zero trust verifies every access request, regardless of its origin.

Key Components in this Tutorial

  • Identity Verification: Users authenticate using secure codes delivered to their email.
  • Conditional Access: Access decisions are based on rules, such as the user's geographic location.
  • Continuous Verification: Sessions expire after a configured duration, requiring re-authentication.

Configure the Authentication Server

The first step is to set up the central authentication service for your account.

  1. In your Peakhour Account Dashboard, navigate to Edge Access > Settings.
  2. You will see the Authentication Server Configuration form.
  3. OTP Valid Minutes: Set how long the one-time password is valid for. 15 minutes is a secure default.
  4. Token Type: Choose between JWT and PASETO. JWT is a widely supported standard.
  5. User Session Token Lifetime: Set how long a user's session remains valid after they log in. 86400 seconds (24 hours) is a common setting.
  6. Secret: This is a critical security key used to sign the tokens. Click the Generate (refresh icon) button to create a strong, secure secret.
  7. Click Save Configuration.

Your account is now ready to issue authentication tokens.
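To make concrete what the Secret and User Session Token Lifetime settings control, here is an added example (not Peakhour's code, and not a description of its actual token layout) that mints and verifies an HS256 JWT session token using only the Python standard library. The claim names, the 24-hour lifetime and the secret generation are assumptions chosen to mirror the settings above; a token is rejected when its signature does not verify under the account secret, when its algorithm header is anything other than the pinned HS256, or when its expiry has passed.

```python
"""Constructed example: an HS256 JWT session token with a 24-hour lifetime.

Not Peakhour code. Shows why the account Secret must be strong (it is the
only thing standing between a forged token and a valid session) and how the
session lifetime is enforced at verification time.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SESSION_LIFETIME_SECONDS = 86400  # the tutorial's 24-hour setting


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_secret() -> str:
    """Stand-in for the dashboard's Generate button: 32 random bytes (assumed size)."""
    return secrets.token_urlsafe(32)


def mint_session_token(secret: str, email: str, now: Optional[int] = None) -> str:
    """Issue a signed token for an authenticated user; claims are an assumption."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "iat": now, "exp": now + SESSION_LIFETIME_SECONDS}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_session_token(secret: str, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token's own header choose how it is checked.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    # Session lifetime enforcement: an expired token forces re-authentication.
    if claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    account_secret = generate_secret()
    issued_at = 1_700_000_000  # fixed timestamp so the example is reproducible
    token = mint_session_token(account_secret, "alice@yourcompany.com", now=issued_at)
    print("one hour later:", verify_session_token(account_secret, token, now=issued_at + 3600))
    print("after 24 hours:", verify_session_token(account_secret, token, now=issued_at + 86400))
```

Rotating the Secret invalidates every outstanding session at once, which is the same effect a practitioner relies on when a signing key is suspected to have leaked.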

Define an Application

Next, define the web application you want to protect.

  1. Navigate to the Applications tab within Edge Access.
  2. Click Add Application.
  3. Fill in the form:
    • Application Name: A descriptive name, e.g., "Internal Staging Site".
    • Description: An optional description.
    • Domains: Enter the domain(s) for this application, e.g., internal-app.yourdomain.com. Press Enter after each domain to add it to the list.
  4. Click Add Application.

Create Access Rules

Rules are the core logic of the zero trust system. They are expressions that evaluate to true or false.

Create a Rule to Identify Corporate Users

This rule will identify users from your company based on their email domain.

  1. Navigate to the Rules tab.
  2. Click Add Rule.
  3. Fill in the form:
    • Rule Name: Is Corporate User
    • Description: Matches users with a @yourcompany.com email address.
    • Rule Definition: Use the Rule Builder or enter the Wirefilter expression directly:
      auth.user.email ends_with "@yourcompany.com"
      
      (Replace @yourcompany.com with your actual email domain).
  4. Click Add Rule.

Create a Rule for Geographic Location

This rule will identify users connecting from specific countries.

  1. Click Add Rule again.
  2. Fill in the form:
    • Rule Name: Is From Allowed Country
    • Description: Matches users from Australia or New Zealand.
    • Rule Definition:
      ip.geoip.country in {"AU", "NZ"}
      
  3. Click Add Rule.

Create an Access Policy

A policy combines rules to make a final access decision. Policies are evaluated in order, from top to bottom.

  1. Navigate to the Policies tab.
  2. Click Add Policy.
  3. Fill in the form:
    • Policy Name: Corporate App Access
    • Description: Requires corporate users from AU/NZ to log in.
    • Action: Select Login Gate. This action forces users to authenticate.
    • Associated Rules: In the "Add Rule to Policy" dropdown, select the Is Corporate User and Is From Allowed Country rules you created. You can drag and drop them to set their order, though for this policy, the order doesn't matter as both must be true.
  4. Click Add Policy.
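The following added example (not Peakhour's engine, and not a full Wirefilter implementation) models how the two rules above combine inside an ordered policy list to reach a decision. It supports only the two operators the tutorial uses, `ends_with` and `in {...}`. The handling of a request that has no authenticated identity yet is an assumption chosen to match the tests later in this tutorial: a location rule that fails denies the request outright, a matching policy whose identity rule cannot be evaluated yet sends the user to the login page, and a fully matching policy allows access. The request contexts are constructed.

```python
"""Constructed example: evaluating the tutorial's rules and policy.

Not Peakhour code. Parses the two rule expressions from the tutorial into
predicates, then walks the policy list top to bottom, as the tutorial says
policies are evaluated.
"""
import re
from typing import Callable, Dict, List, Tuple

# Only the two Wirefilter forms used in this tutorial are recognised.
_ENDS_WITH = re.compile(r'^\s*([\w.]+)\s+ends_with\s+"([^"]*)"\s*$')
_IN_SET = re.compile(r'^\s*([\w.]+)\s+in\s+\{([^}]*)\}\s*$')

# Exactly the rules created in the steps above.
RULES: Dict[str, str] = {
    "Is Corporate User": 'auth.user.email ends_with "@yourcompany.com"',
    "Is From Allowed Country": 'ip.geoip.country in {"AU", "NZ"}',
}

# The single policy from the steps above; a Login Gate requiring both rules.
POLICIES: List[dict] = [
    {
        "name": "Corporate App Access",
        "action": "login_gate",
        "rules": ["Is Corporate User", "Is From Allowed Country"],
    },
]


def compile_rule(expression: str) -> Tuple[str, Callable[[dict], bool]]:
    """Return (field name, predicate) for one rule expression.

    A context is a flat dict keyed by field, e.g.
    {"auth.user.email": "alice@yourcompany.com", "ip.geoip.country": "AU"}.
    """
    m = _ENDS_WITH.match(expression)
    if m:
        field, suffix = m.group(1), m.group(2)
        return field, lambda ctx: str(ctx.get(field, "")).endswith(suffix)
    m = _IN_SET.match(expression)
    if m:
        field = m.group(1)
        members = {v.strip().strip('"') for v in m.group(2).split(",") if v.strip()}
        return field, lambda ctx: ctx.get(field) in members
    raise ValueError(f"unsupported rule expression: {expression!r}")


def evaluate(ctx: dict, policies: List[dict] = POLICIES, rules: Dict[str, str] = RULES) -> dict:
    """First policy whose rules all hold decides; none matching means forbidden (assumed)."""
    compiled = {name: compile_rule(expr) for name, expr in rules.items()}
    authenticated = "auth.user.email" in ctx
    for policy in policies:
        needs_identity = False
        applies = True
        for rule_name in policy["rules"]:
            field, predicate = compiled[rule_name]
            if field.startswith("auth.") and not authenticated:
                needs_identity = True  # cannot be judged until the user logs in
                continue
            if not predicate(ctx):
                applies = False  # e.g. wrong country: this policy does not match
                break
        if not applies:
            continue
        if needs_identity:
            if policy["action"] == "login_gate":
                return {"policy": policy["name"], "decision": "redirect_to_login"}
            continue
        return {"policy": policy["name"], "decision": "allow"}
    return {"policy": None, "decision": "forbidden"}


if __name__ == "__main__":
    # Constructed request contexts covering the tutorial's test scenarios.
    for ctx in (
        {"ip.geoip.country": "AU"},
        {"ip.geoip.country": "AU", "auth.user.email": "alice@yourcompany.com"},
        {"ip.geoip.country": "US", "auth.user.email": "alice@yourcompany.com"},
        {"ip.geoip.country": "NZ", "auth.user.email": "bob@gmail.com"},
    ):
        print(ctx, "->", evaluate(ctx)["decision"])
```

One detail worth checking in your own rule: the leading `@` in `"@yourcompany.com"` is what stops an address such as `alice@notyourcompany.com` from matching; without it the suffix test would accept any domain that merely ends in your company's name.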

Associate the Policy with Your Application

Now, link the policy to the application you defined earlier.

  1. Navigate back to the Applications tab.
  2. Find your application in the list and click the Edit icon.
  3. In the Policies multi-select box, click to select the Corporate App Access policy you just created. (You can hold Ctrl/Cmd to select multiple policies if needed).
  4. Click Update Application.

Commit Your Changes

Your changes are staged but not yet live. You must commit them to deploy them to the edge.

  1. A banner will appear at the top of the page: "You have uncommitted changes...".
  2. Enter a descriptive Commit message, such as "Initial Zero Trust policy for internal app".
  3. Click Commit.

The changes will be deployed globally within a few minutes.

Test Your Zero Trust Policy

Test Authenticated Access

  1. Open a new incognito or private browser window to ensure you don't have an existing session.
  2. Navigate to your application's URL (e.g., https://internal-app.yourdomain.com).
  3. Expected Flow:
    • You should be redirected to the Peakhour Edge Access login page.
    • Enter your corporate email address (e.g., you@yourcompany.com).
    • Check your email for a one-time password.
    • Enter the OTP on the login page.
    • Upon successful authentication, you should be redirected back to your application with full access.

Test Access Denial (from a different location)

If you have a VPN or can test from an IP address outside of the countries you allowed (Australia/New Zealand in our example), try accessing the application. You should be blocked and receive a "Forbidden" error, as the Is From Allowed Country rule will not match.

Verify Session Persistence

  1. After a successful login, close your browser tab (but not the entire private window).
  2. Re-open the tab and navigate to the application URL again.
  3. Expected Result: You should be granted access directly without needing to re-authenticate, as your session token is still valid.

Monitor and Optimize

  1. Navigate to Edge Access > Analytics.
  2. Here you can review:
    • Successful and failed login attempts.
    • Policy evaluation statistics.
    • Application access grants and denials.

Use this data to fine-tune your rules. For example, you might need to add more countries to your location rule or create more granular policies for different user groups.

Next Steps

You have successfully implemented a foundational zero trust policy. From here, you can:

  • Expand Coverage: Apply policies to other internal or public applications.
  • Create More Granular Rules: Use other Wirefilter fields like http.user_agent or fingerprint.tls for device-based policies.
  • Implement Service Tokens: For programmatic API access, create service tokens under Edge Access > Service Tokens.