Secure Remote Access with Cloudflare Tunnel
Connect PocketNOC to your SolarWinds Orion server from anywhere, without opening inbound firewall ports or exposing your server to the internet.
~15 minutes to set up
Overview
By default, SolarWinds Orion uses a self-signed certificate on its SWIS API (port 17778). Mobile apps require a certificate signed by a trusted Certificate Authority to establish a secure connection.
Cloudflare Tunnel solves this by creating an outbound-only encrypted tunnel from your network to Cloudflare's edge. Cloudflare provides a valid TLS certificate automatically. Your Orion server is never directly exposed to the internet.
How it works: A small service (cloudflared) runs on your network and connects outbound to Cloudflare. PocketNOC connects to Cloudflare, which routes traffic through the tunnel to your Orion server. No inbound ports need to be opened on your firewall.
Prerequisites
- A Cloudflare account (free tier is sufficient)
- A machine on the same network as your Orion server (can be the Orion server itself, or any Windows/Linux host that can reach it)
- Your Orion server's internal hostname or IP and SWIS port (default: 17778)
- A domain name managed in Cloudflare DNS (you can add one for free, or use a subdomain of an existing domain)
Setup Guide
Create a Cloudflare Tunnel
- Log in to the Cloudflare Zero Trust dashboard
- Navigate to Networks → Tunnels
- Click Create a tunnel
- Select Cloudflared as the connector type
- Give your tunnel a name (e.g., orion-pocketnoc)
- Click Save tunnel
Install the connector on your network
After creating the tunnel, Cloudflare will show installation instructions for your platform. Choose the one that matches the machine you'll run the connector on.
Windows (most common for SolarWinds environments)
Cloudflare provides a single command to download and install cloudflared as a Windows service. Copy the command from the dashboard and run it in an elevated PowerShell prompt. It will:
- Download the cloudflared binary
- Install it as a Windows service (starts automatically on boot)
- Register the connector with your tunnel
Tip: You can run this on your Orion server itself, or on any machine that can reach your Orion server over the network.
Linux / Docker
If you prefer to run the connector on a Linux host or in Docker, the dashboard provides commands for those environments as well.
Configure the public hostname
Once the connector is running and shows as Healthy in the dashboard:
- Go to the Public Hostname tab of your tunnel
- Click Add a public hostname
- Set the Subdomain (e.g., orion) and select your Domain
- Under Service, set:
  - Type: HTTPS
  - URL: your-orion-server:17778 (use the internal hostname or IP)
- Expand Additional application settings → TLS
- Enable No TLS Verify (this tells the connector to accept your Orion server's self-signed certificate on the internal connection)
- Click Save hostname
Important: "No TLS Verify" only applies to the connection between the cloudflared connector and your Orion server on your internal network. The connection from PocketNOC to Cloudflare is always encrypted with a valid certificate.
Add access controls (recommended)
By default, the tunnel hostname is publicly reachable. You should restrict access using Cloudflare Access:
- In Zero Trust, go to Access → Applications
- Click Add an application → Self-hosted
- Set the application domain to match your tunnel hostname (e.g., orion.yourdomain.com)
- Under Policies, create a Service Auth policy (since PocketNOC authenticates with service tokens, not browser login)
- Go to Access → Service Auth → Service Tokens
- Click Create Service Token
- Save the Client ID and Client Secret — you'll need these for PocketNOC
Free tier: Cloudflare Access is free for up to 50 users. Service tokens do not count toward user limits.
Configure PocketNOC
Open PocketNOC on your device. On the Sign In screen, enter your connection details:
Enter your Cloudflare Tunnel hostname as the Server URL. Use your normal SolarWinds Orion credentials.
If you set up Cloudflare Access (Step 4), tap Advanced Options and add your service token headers:
CF-Access-Client-Id: <your-client-id>
CF-Access-Client-Secret: def456...
Enter one header per line. These are the service token values you saved when creating the Cloudflare Access application.
Tap Sign In. PocketNOC will reach your Orion server securely through the tunnel.
Firewall Requirements
One of the main benefits of Cloudflare Tunnel is that no inbound firewall rules are required. The cloudflared connector only makes outbound connections.
Outbound (from the machine running cloudflared)
| Port | Destination | Purpose |
|---|---|---|
| 443/tcp | Cloudflare edge | Tunnel connection (QUIC/HTTP2) |
| 7844/udp | Cloudflare edge | Tunnel connection (QUIC, preferred) |
Internal (from cloudflared to Orion)
| Port | Destination | Purpose |
|---|---|---|
| 17778/tcp | Orion server (LAN) | SWIS API |
No changes needed on your Orion server's firewall. If the machine running cloudflared can already reach your Orion web console on the internal network, the tunnel will work.
SolarWinds Account Recommendations
PocketNOC works with both local Orion accounts and Active Directory accounts. When using an AD account, you must log in with the down-level format:
- Use DOMAIN\username (e.g., CORP\jsmith)
- Do not use the UPN format (user@domain.com) — this may result in limited data visibility or denied API permissions
Troubleshooting
Tunnel shows "Inactive" or "Down" in the dashboard
Verify the cloudflared service is running. On Windows, check Services (services.msc) for "Cloudflared agent". Restart the service if needed.
PocketNOC shows "Connection refused" or timeout
- Verify the service URL in your tunnel config points to the correct Orion server and port (17778)
- Confirm the machine running cloudflared can reach your Orion server: open https://your-orion-server:17778/SolarWinds/InformationService/v3/Json/Metadata in a browser on that machine
- Ensure No TLS Verify is enabled in the tunnel's TLS settings (to accept the Orion self-signed certificate)
PocketNOC shows "403 Forbidden"
If you configured Cloudflare Access, make sure the CF-Access-Client-Id and CF-Access-Client-Secret headers are entered correctly in PocketNOC's custom headers settings. The values are case-sensitive.
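To check each leg of the path from a terminal before changing anything in the app, here is an added shell script; it is not part of the PocketNOC documentation or of the cloudflared project. It assumes curl is installed, that your values are exported as ORION_HOST, TUNNEL_HOST, CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET (hypothetical variable names, defaults are placeholders), and it uses the SWIS Metadata endpoint from the troubleshooting steps above as the probe. Leg 1 is the connector host's internal hop, run with certificate checking disabled because Orion presents a self-signed certificate; leg 2 is the public tunnel hostname with the Access service-token headers from the Configure PocketNOC section, run with checking enabled because the Cloudflare certificate must validate. A 401 from the probe is the healthy answer: the request reached SWIS and only Orion credentials are missing. A 403 points at the Access headers, and 000 means nothing answered at all.

```shell
#!/bin/sh
# Added example, not part of the PocketNOC docs or cloudflared.
# Probes both legs of the tunnel path using the SWIS Metadata endpoint.
# Hostnames and tokens below are assumptions: override them via the environment.

ORION_HOST="${ORION_HOST:-your-orion-server:17778}"   # internal host:port as seen by cloudflared
TUNNEL_HOST="${TUNNEL_HOST:-orion.yourdomain.com}"    # public hostname configured on the tunnel
CF_ID="${CF_ACCESS_CLIENT_ID:-}"                      # Cloudflare Access service token Client ID
CF_SECRET="${CF_ACCESS_CLIENT_SECRET:-}"              # Cloudflare Access service token Client Secret
SWIS_PATH="/SolarWinds/InformationService/v3/Json/Metadata"

# Build the probe URL for a host (the host may include :port).
swis_url() { printf 'https://%s%s' "$1" "$SWIS_PATH"; }

# Both Access headers must be present and free of stray whitespace;
# a trailing space pasted into the header value is a classic cause of 403.
headers_ok() {
  [ -n "$CF_ID" ] && [ -n "$CF_SECRET" ] || return 1
  case "$CF_ID$CF_SECRET" in *[[:space:]]*) return 1 ;; esac
  return 0
}

# Turn an HTTP status code into a diagnosis. 401 is the expected answer for an
# unauthenticated probe: SWIS itself replied and only Orion credentials are missing.
diagnose() {
  case "${1:-000}" in
    000) echo "no answer: DNS, outbound firewall, or the cloudflared service is not running" ;;
    200|401) echo "reached SWIS (HTTP $1): tunnel path is working" ;;
    302) echo "redirected (HTTP 302): Cloudflare Access saw no service token headers" ;;
    403) echo "forbidden (HTTP 403): check CF-Access-Client-Id / CF-Access-Client-Secret, values are case-sensitive" ;;
    502|530) echo "Cloudflare reached but the origin failed (HTTP $1): check service URL/port and No TLS Verify" ;;
    *) echo "unexpected HTTP $1" ;;
  esac
}

# Fetch only the status code; extra arguments are passed through to curl.
# curl prints 000 when no connection could be made.
http_status() {
  url="$1"; shift
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url" 2>/dev/null || true
}

# Run both legs. Leg 1 uses -k because Orion presents a self-signed certificate;
# leg 2 must not, because the Cloudflare certificate is expected to validate.
check_path() {
  echo "1) connector host -> Orion (internal, self-signed cert accepted with -k)"
  echo "   $(diagnose "$(http_status "$(swis_url "$ORION_HOST")" -k)")"
  echo "2) internet -> $TUNNEL_HOST (tunnel, certificate must validate)"
  if headers_ok; then
    code=$(http_status "$(swis_url "$TUNNEL_HOST")" \
      -H "CF-Access-Client-Id: $CF_ID" -H "CF-Access-Client-Secret: $CF_SECRET")
  else
    echo "   (no Access headers set: expect a redirect or 403 if Cloudflare Access is enabled)"
    code=$(http_status "$(swis_url "$TUNNEL_HOST")")
  fi
  echo "   $(diagnose "$code")"
}

# Usage: ./check_tunnel.sh --run   (run leg 1 on the machine hosting cloudflared)
if [ "${1:-}" = "--run" ]; then check_path; fi
```

Run leg 1 on the machine that hosts cloudflared; leg 2 can be run from anywhere on the internet, which is exactly what PocketNOC does. If leg 1 gives 000 while the Orion web console works from that machine, the SWIS port in the tunnel's service URL is the first thing to re-check.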
Alerts or nodes are missing
This is usually an account permissions issue, not a tunnel issue. Try switching to the DOMAIN\username login format or use a local Orion account. See the account recommendations above.
Security Considerations
- No inbound ports: Your Orion server is never directly exposed to the internet
- End-to-end encryption: Traffic is encrypted from PocketNOC to Cloudflare (TLS) and from Cloudflare to your Orion server (through the tunnel)
- Cloudflare as intermediary: Cloudflare terminates TLS at their edge. They can technically inspect traffic in transit. For most organizations this is acceptable. If your security policy prohibits third-party traffic inspection, consider placing a trusted CA-signed certificate directly on your Orion server's IIS binding instead
- Access controls: Cloudflare Access service tokens add a strong second layer of authentication on top of your Orion credentials
- No credentials stored by PocketNOC: The tunnel is entirely managed within your Cloudflare account. PocketNOC does not have access to your tunnel configuration or Cloudflare account
Further Reading
- Cloudflare Tunnel — Getting Started
- Create a tunnel via the dashboard
- Publish a self-hosted application
Need help? Contact us and we'll walk you through the setup.