Private App Access Beta

Open one internal web app to outside users, without a device VPN

Publish a friendly HTTPS alias for an internal web app. A connector inside your network dials out to BusinessProxy, resolves the real upstream privately and relays requests back to the app. External users see the alias, not your internal hostname or private IP.

Private App Access is in Beta. It is offered as sales-assisted early access while we finish production hardening and real-upstream evidence. We will not enable a pilot until connector, alias, diagnostics and revoke checks pass for your target app.

How it works

Alias → connector → internal upstream

The alias is the only public surface for the app. The connector is the only component that needs internal network reachability. The gateway brokers sessions, applies readiness checks, rewrites alias-safe response headers when configured and keeps internal topology out of user-facing responses.

  1. Admin publishes an app alias in a workspace and assigns one workspace-owned connector.

  2. Connector starts inside the customer network, authenticates with a workspace-scoped runtime token and holds an outbound tunnel over TLS.

  3. A workspace member launches the app from the cabinet. The backend issues a one-time launch token and then an alias session token.

  4. The alias gateway sets an HttpOnly session cookie and removes the token from the URL.

  5. Each alias request is relayed through the connector to the internal upstream. Location and cookie domains are rewritten when the app config enables it.

Two paths, two levels of visibility

BusinessProxy has two access paths, and they don't see the same things. We state this plainly.

| Browser-proxy path (Layer 1) | Alias / reverse-proxy path (Layer 2) |
| --- | --- |
| Does not decrypt HTTPS page content. | Terminates and relays HTTP for the alias app path. |
| Sees domain/network metadata needed for routing and policy. | Relays HTTP method, path, headers and request/response bodies in transit. |
| Domain/category filtering only; no page DOM or form inspection. | Processes L7 metadata for routing, policy and audit. |
| Page content is not logged or retained because it is not decrypted on this path. | Request/response bodies pass through in transit and must not be logged or retained. |

If you route an internal app through the alias path, you should know it operates at Layer 7. That's a deliberate disclosure, not a footnote.

What you control

Control is per workspace and per app

  • App: name, alias slug, status (active/disabled), internal upstream.
  • Connector: one primary workspace-owned connector per app in V1.
  • Role: V1 allows access by workspace role (member, admin, billing). This is not group policy.
  • Session TTL: default 60 minutes, configurable 1–480 minutes per app. A requested launch TTL is capped by app policy.
  • Rewrites: optional redirect rewrite and cookie-domain rewrite.
  • TLS diagnostics: the upstream TLS verification setting is surfaced for diagnostics. For live traffic, use internal certificates trusted by the connector host.

Short-lived launch, cookie-backed alias session, immediate revoke

A launch token is a one-time bridge from the cabinet to the alias. After it is consumed, the alias gateway creates a server-side session and sets bp_private_app_session as an HttpOnly cookie. The URL token is stripped with a redirect. Sessions expire at the app TTL and can be revoked from the cabinet. Revocation removes the server-side token state, so an old cookie no longer opens the app.
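The launch, session and revoke behaviour described above, modelled as an added example (not BusinessProxy's code). The class and method names, the 30-second launch-token lifetime, the Secure and Path cookie attributes and keeping only SHA-256 hashes of tokens server-side are assumptions; the cookie name, the HttpOnly flag and the 1–480 minute TTL range come from the page.

```python
import hashlib
import secrets
import time

MIN_TTL, MAX_TTL, DEFAULT_TTL = 1, 480, 60  # minutes, as stated on the page

def _h(token):
    # Assumption: the server keeps only a hash of each token, never the token.
    return hashlib.sha256(token.encode()).hexdigest()

class AliasGateway:
    """Toy model: one-time launch token -> cookie-backed session -> revoke."""

    def __init__(self, app_ttl_min=DEFAULT_TTL, clock=time.time):
        if not MIN_TTL <= app_ttl_min <= MAX_TTL:
            raise ValueError("app TTL must be 1-480 minutes")
        self.app_ttl_min, self.clock = app_ttl_min, clock
        self.launch = {}    # token hash -> (launch expiry, session TTL in minutes)
        self.sessions = {}  # token hash -> session expiry

    def issue_launch(self, requested_ttl_min=None, launch_lifetime_s=30):
        # A requested TTL is capped by app policy, never extended by the caller.
        ttl = min(requested_ttl_min or self.app_ttl_min, self.app_ttl_min)
        token = secrets.token_urlsafe(32)
        expiry = self.clock() + launch_lifetime_s
        self.launch[_h(token)] = (expiry, max(ttl, MIN_TTL))
        return token

    def consume_launch(self, token):
        """Return (Set-Cookie value, redirect path), or None (fail closed)."""
        entry = self.launch.pop(_h(token), None)  # pop makes the token one-time
        if entry is None or self.clock() > entry[0]:
            return None
        session = secrets.token_urlsafe(32)
        self.sessions[_h(session)] = self.clock() + entry[1] * 60
        cookie = f"bp_private_app_session={session}; HttpOnly; Secure; Path=/"
        return cookie, "/"  # redirect target carries no token in the URL

    def authorize(self, session):
        # Unknown, expired or revoked sessions are all denied the same way.
        expiry = self.sessions.get(_h(session))
        return expiry is not None and self.clock() <= expiry

    def revoke(self, session):
        # Removing server-side state is what makes an old cookie useless.
        self.sessions.pop(_h(session), None)
```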

Fail-closed, without exposing the upstream

If the app is disabled, the connector is missing, draining, offline or stale, launch and alias requests stop. If the tunnel is unavailable, WebSocket and HTTP Upgrade requests stop. Ordinary HTTP may use the bounded relay fallback only when configured, and still fails closed on timeout or size limits. Error responses are sanitized and must not include internal upstreams, private IPs, connector tokens, token hashes or custom CA material.

Limits

Limits we state openly

  • Beta: sales-assisted pilots only until real-upstream staging and production evidence are complete.
  • V1: one primary connector per app. Automatic multi-connector HA/failover is future work.
  • V1: workspace-role access only. Group-based app policies are future work.
  • The alias path is L7 and passes bodies in transit. It is not body-blind.
  • A connector outage blocks access. Do not expose internal upstreams directly as a workaround.

Private App Access is part of Business Plus

Email us to discuss a Beta pilot for your target internal app.