On-Premise Access Enterprise
Connect your cloud SaaS to customer on-premise environments. Deploy an NFLTR agent inside the customer network — your product can reach their databases, APIs, and internal services through a secure, outbound-only tunnel. No VPN, no firewall changes for the customer.
Architecture
The NFLTR agent runs in the customer's network and connects outbound to your NFLTR server. Your cloud services send requests through the server to the agent, which proxies them to the customer's internal resources. The customer doesn't open any inbound ports.
Deployment Options
Binary agent
```bash
# Customer downloads and runs the agent
nfltr http 8080 \
  --server grpc.yourco.com:443 \
  --api-key "$FLEET_TOKEN" \
  --name acme-prod \
  --forward erp.internal.acme.com:8080
```
Docker container
```bash
docker run -d --name nfltr-agent \
  ghcr.io/onpremlink/nfltr http 8080 \
  --server grpc.yourco.com:443 \
  --api-key "$FLEET_TOKEN" \
  --name acme-prod \
  --forward erp.internal.acme.com:8080
```
Embedded SDK
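```go
// Ship the agent as part of your Go application.
// fleetToken and ctx come from the surrounding application code.
a := agent.New(agent.Config{
	ServerAddr: "grpc.yourco.com:443",
	AgentID:    "acme-prod",
	APIKey:     fleetToken, // per-customer fleet token
	TLS:        true,
	Labels:     map[string]string{"client": "acme", "env": "prod"},
	// Only this backend is reachable through the tunnel.
	Routes: []agent.Route{{Backend: "http://erp.internal:8080"}},
})
a.Connect(ctx)
```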
Multi-Tenant Management
🏷️ Fleet Tokens
Issue a fleet token per customer. Each token has label selectors that scope access to only that customer's agents.
🔀 Label Routing
Tag agents with client=acme, env=prod. Your SaaS routes requests to agents matching specific labels.
📊 Per-Tenant Metrics
Prometheus metrics tagged by agent ID and labels. Monitor each customer's tunnel health independently.
🔐 mTLS Option
For enterprises requiring certificate-based auth: mTLS with customer-specific CAs. No shared secrets.
🔄 Auto Reconnect
Agents reconnect automatically on network interruptions. Exponential backoff with jitter prevents a thundering herd.
📦 Self-Hostable
Run the entire NFLTR server in your own infrastructure. Zero dependency on nfltr.xyz for enterprise deployments.
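The token scoping and label routing described in the Fleet Tokens and Label Routing cards above, sketched as an added Go example (not NFLTR's SDK or server code). The names `Labels`, `Agent`, `Route` and `matches` are hypothetical, the fleet is constructed sample data, and the sketch assumes selectors are exact key=value matches and that an empty selector must fail closed.

```go
package main

import "fmt"

// Labels, Agent and Route are hypothetical names for illustration, not the NFLTR API.
type Labels map[string]string

type Agent struct {
	ID     string
	Labels Labels
}

// sampleFleet is constructed data: two tenants sharing one server.
var sampleFleet = []Agent{
	{ID: "acme-prod", Labels: Labels{"client": "acme", "env": "prod"}},
	{ID: "acme-dev", Labels: Labels{"client": "acme", "env": "dev"}},
	{ID: "globex-prod", Labels: Labels{"client": "globex", "env": "prod"}},
}

// matches reports whether labels carries every key=value pair in sel.
// An empty selector matches nothing, so a token issued without a scope fails closed.
func matches(sel, labels Labels) bool {
	if len(sel) == 0 {
		return false
	}
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Route returns the agents allowed by the token's scope AND selected by the
// request's query. The query can narrow the token's scope but never widen it.
func Route(tokenScope, query Labels, fleet []Agent) []string {
	var ids []string
	for _, a := range fleet {
		if matches(tokenScope, a.Labels) && matches(query, a.Labels) {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

func main() {
	acme := Labels{"client": "acme"} // scope of the fleet token issued to Acme
	fmt.Println(Route(acme, Labels{"env": "prod"}, sampleFleet))      // in-scope query
	fmt.Println(Route(acme, Labels{"client": "globex"}, sampleFleet)) // cross-tenant query
}
```

Evaluating the token scope and the request query as two separate conjunctive checks is what keeps a request that names another tenant's labels from resolving to any agent.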
Comparison: NFLTR vs Traditional VPN
| Aspect | Site-to-Site VPN | NFLTR Agent |
|---|---|---|
| Customer setup | Firewall rules, IP whitelisting, VPN appliance | Run one binary |
| Inbound ports | Yes (IPSec, WireGuard) | Zero |
| Network exposure | Full subnet routing | Only configured services |
| Setup time | Days to weeks | Minutes |
| Maintenance | Certificates, routing tables, firmware | Auto-updating agent |
| Scale to 1000 clients | Complex mesh network | Fleet tokens + labels |
Unlike VPNs that route entire subnets, NFLTR agents expose only the specific services you configure. A customer agent set to --forward erp.internal:8080 can only reach that one endpoint.
Use Cases
- SaaS data integration — Pull data from customer databases (Oracle, SAP, MSSQL) that are not internet-accessible.
- On-prem API access — Call customer REST/SOAP APIs that live behind corporate firewalls.
- Hybrid deployments — Your cloud manages the control plane; the agent connects the data plane to on-prem resources.
- Managed service providers — Manage hundreds of customer environments through a single fleet dashboard.
- IoT edge access — Reach sensors, cameras, and gateways deployed in factories, retail stores, or remote sites.
Reach any on-premise resource
Ship an agent with your product — your SaaS can call customer APIs, databases, and services with zero firewall changes.