PRTG Cloud Tunnel/Proxy for Secure Mobile Access without VPN
I'm a long-time user and system administrator, and I'd like to propose a feature that would greatly enhance the usability and security of PRTG for remote monitoring.
The Problem
Currently, accessing an on-premise PRTG core server from the mobile app requires a VPN connection. While a VPN is a secure solution, it introduces a layer of complexity for users who need quick access to sensor status, especially for alert acknowledgment. Managing VPN profiles on multiple mobile devices can be cumbersome and presents an access barrier for non-IT personnel who might only need to check system health or acknowledge alerts.
Exposing the PRTG web interface directly to the internet is not a viable option due to the significant security risks and is strongly discouraged. This leaves a gap for a secure, user-friendly, and lightweight method for remote access.
The Proposed Solution
I propose the development of a "PRTG Cloud Tunnel" or "PRTG Cloud Proxy" service. This service would be similar in concept to other secure tunnel solutions (like Cloudflare Tunnels) but would be integrated directly into the PRTG ecosystem.
The core idea is for the on-premise PRTG core server to establish an outbound, encrypted connection to a Paessler-managed cloud service. This connection would be a reverse proxy or tunnel, allowing the PRTG mobile app to communicate with the on-premise server by routing traffic through the secure Paessler cloud infrastructure.
This model has several key advantages:
Enhanced Security: All traffic would be encrypted and would not require inbound firewall rules on the local network. The PRTG core server would only need to make outbound connections, which is a much safer security posture.
Simplified Access: Users with the mobile app could connect to the PRTG cloud service using their existing PRTG credentials, eliminating the need for VPN setup and management on each device.
Improved User Experience: A streamlined connection process would allow for faster access to critical monitoring data and quicker response times to alerts.
Centralized Authentication: The cloud service could handle initial authentication, potentially offloading some processing from the on-premise server and providing a single sign-on experience.
I believe this feature would be a game-changer, making PRTG even more accessible and robust for today's hybrid work environments. I hope the Paessler team will consider this request for a future roadmap.
Thank you.
Nicola B.
shared this idea
-
Oliver Starzacher
commented
Dear Paessler Team,
we are using PRTG externally via the Microsoft Entra Application Proxy.
In the browser, access works flawlessly with Pre-Authentication (Azure AD, MFA, Conditional Access).
However, the PRTG Mobile App fails in this scenario, as it currently only supports Basic Authentication – therefore, Entra Pre-Auth cannot be used.
This leaves enterprise customers with an unsatisfactory choice:Enable Pre-Authentication → secure (Zero Trust, MFA, Conditional Access), but the mobile app becomes unusable.
Enable Passthrough → mobile app works, but without Azure AD security (no MFA, no CA compliance).
For many enterprise environments this is not acceptable, especially under Zero Trust, Compliance, and NIS2 requirements.We kindly request that the PRTG Mobile App supports modern authentication standards such as OAuth2, SAML, or OpenID Connect in the future, making it compatible with Entra Pre-Authentication.
This would perfectly complement the proposed Cloud Tunnel/Proxy feature and finally allow secure, compliant mobile access without VPN.
Thank you for considering this enhancement for the roadmap.
Best regards,
Oliver