Allow External Access
Some aspects of NIM, such as its Onboarding and Password Reset features, are most useful when they are accessible from outside your organization's network. For example, new employees can claim their account from the comfort of their own home. You may also have apps you have built yourself that need to be accessible from outside your network.
Providing external access to NIM is possible, but requires careful consideration for security.
Warning
Do not put the NIM server outside your firewall without any protections. The following article will provide you with some best practices in terms of securing access to the NIM server. Work with your networking team or a qualified consultant to implement these, or similar, solutions.
Port Forwarding + Reverse Proxy
The simplest method of providing external access to NIM is the combined use of port forwarding and a reverse proxy server, such as NGINX.
Let's say you want external users to access NIM at the address https://nim.mydomain.com/.
First, set up a rule on your firewall that forwards HTTP and HTTPS traffic (ports 80 and 443, by default) to your reverse proxy server. Then, configure your reverse proxy to forward traffic with the hostname nim.mydomain.com to your NIM server.
Important
The URL that external users will use to access NIM should match your External host URL value in the NIM Preferences. This URL needs to be configured in public DNS to point to your organization's external IP address. Your internal DNS can point that URL directly to the server's IP address in your internal network.
Web Application Firewall (WAF)
We recommend using a web application firewall (WAF) along with a reverse proxy to control external access to the NIM server. A WAF is often combined into the same platform as a reverse proxy. The WAF provides an added layer of security, and can be used to control which URL paths on the NIM server are publicly accessible.
At a minimum, in order to prevent external access to the administrative side of NIM, block all external access to the /studio route.
Additionally, you may block other routes, such as specific applications that should only be accessed while on your internal network.
Additional Security with MFA
You can provide additional security by requiring multi-factor authentication (MFA) for all users who access NIM. You can do this by updating the Multi-factor authentication setting in the NIM Preferences to Required.
Let's Encrypt Considerations
If you are securing HTTPS with a Let's Encrypt certificate, your NIM server must be externally reachable on port 80 so that Let's Encrypt can validate that you control the hostname (the HTTP-01 challenge) and renew its certificate. Non-standard ports, such as 8080, will not work.
Additionally, the URL http://<HOSTNAME>/.well-known/acme-challenge/* must be whitelisted and allowed through the reverse proxy and WAF. <HOSTNAME> in this instance is the External host URL value in the NIM Preferences.
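The following NGINX site configuration is an added example, not part of the NIM documentation, that ties the steps above together: port 80 stays open only for the ACME challenge path, everything else is redirected to HTTPS, the /studio route is blocked at the proxy, and all other traffic is forwarded to NIM. It assumes NGINX terminates TLS for nim.mydomain.com, that the NIM server is reachable internally at 192.0.2.10 (a constructed address), and that the ACME client writes challenge tokens to /var/www/letsencrypt and certificates to the paths shown.

```nginx
# Port 80: kept reachable from the internet solely for Let's Encrypt HTTP-01 renewals.
server {
    listen 80;
    server_name nim.mydomain.com;

    # Only the ACME challenge path is served over plain HTTP.
    # "^~" makes this prefix win over any regex location below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed ACME client webroot
    }

    # Every other HTTP request is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the public entry point for NIM.
server {
    listen 443 ssl;
    server_name nim.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/nim.mydomain.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/nim.mydomain.com/privkey.pem;    # assumed path

    # Administrative side of NIM: never exposed externally.
    # A case-insensitive regex is used so that /Studio or /STUDIO cannot slip past
    # the block if the backend treats paths case-insensitively.
    location ~* ^/studio {
        deny all;
    }

    # Example of an additional internal-only application route (hypothetical path).
    location ~* ^/apps/internal-only {
        deny all;
    }

    # Everything else is proxied to the NIM server on the internal network.
    location / {
        proxy_pass https://192.0.2.10;   # constructed internal address of the NIM server
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because internal DNS points nim.mydomain.com directly at the NIM server, internal administrators still reach /studio without passing through this proxy; if internal clients also traverse it, replace `deny all` with `allow <internal range>; deny all;`.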