We are a .org wishing to implement Mattermost.

We would like only a specific group of "internal" users to be allowed to access the server from outside the firewall. In addition, we would also like a specific group of external clients to be able to access the server through the mobile app.

I understand one method is to use a VPN. However, an additional app to put on someone's device may be a burden.

The Novell/Micro Focus Product Webaccess has a feature that allows the admin to specify users via an .xml file.

A snippet:

"Controlling WebAccess Usage:

You can control which users can use WebAccess to access their GroupWise mailboxes. By default, all GroupWise users can use WebAccess.

You can control access based on the domain or post office where the user’s mailbox is located. You can control access for related users based on groups, and you can control access for individual users.

Access control is established through the gwac.xml file, located in the same folder with the webacc.cfg file.

The default gwac.xml file illustrates the following options:

<!-- To allow access to all EXCEPT a few, use this technique. -->
<!--
<gwac access="prevent">
<domain name="domain1" />
<postOffice name="po2.domain2" />
<user name="jdoe.po3.domain3" />
<distributionList name="helpdesk.po4.domain4" />
<resource name="confroom.po4.domain4" />
</gwac>
-->

<!-- To prevent access to all EXCEPT a few, use this technique -->
<!--
<gwac access="allow">
<domain name="domain1" />
<postOffice name="po2.domain2" />
<user name="jdoe.po3.domain3" />
<distributionList name="helpdesk.po4.domain4" />
<resource name="confroom.po4.domain4" />
</gwac>
-->
You can use any ASCII text editor that you prefer to edit the gwac.xml file.

Open the gwac.xml file in a text editor.

Typically, you use the gwac.xml file to override the default of allowing all users to use WebAccess.

Remove the comment marker lines (<!-- and -->) around the section that you want to use.

(Optional) Under the <gwac access="prevent"> line, create one or more lines to prevent users in one or more domains from using WebAccess, for example:

<domain name="provo5"/>
<domain name="provo6"/>
(Optional) Create one or more lines to prevent users in one or more post offices from using WebAccess, for example:

<postOffice name="interns.provo1"/>
<postOffice name="temps.provo1"/>
Specify the post office in post_office.domain format.

(Optional) Create one or more lines to prevent users in one or more groups from using WebAccess, for example:

<distributionList name="webaccessdenied.admin.provo1"/>
Specify the group in group.post_office.domain format.

Using one or more groups is the most flexible approach to access control for WebAccess. The group belongs to a specific post office (for example, the one you belong to), but it can include GroupWise users located anywhere in your GroupWise system. By using a group, you can easily modify access control for specific users by modifying the group in the GroupWise Admin console, rather than needed to modify the gwac.xml file whenever access control changes are needed. For more information about groups, see Section 56.0, Creating and Managing Groups.

(Optional) Create one or more lines to prevent specific users from using WebAccess, for example:

<user name="sjones.interns.provo1"/>
<user name="gbock.interns.provo1"/>
(Conditional) If you want to prevent most users and allow only specified users, use a <gwac access="allow"> line instead of a <gwac access="prevent"> line.

Save the gwac.xml file."

Please consider.

Original Request:
http://forum.mattermost.org/t/restricting-users-from-accessing-mattermost-outside-firewall/2617