(Edited for clarity)
I need the system account to have always-on access to one resource - the central backup server - which would require a headless client.
I also need an individual user to be able to use the standard client to access other resources that are provisioned per-user.
Is this possible?
Hey Mike,
Unfortunately there’s no easy way to accomplish this as right now you can only have one instance per machine of Twingate running, so it is very likely the Headless Client that would take “priority” and the individual user would not be able to log in or change the behaviour.
I don’t know that this is something we could ever change due to the way Twingate does what it does and the potential for conflicts - ie if it were possible to run two simultaneous instances, and both instances had access to a resource at ip 192.168.1.24 but the headless client wanted that IP on Network A and the desktop client wanted that on Network B, which one should win? What if we need one to win sometimes and one to win other times.
However as is often said, nothing is impossible (most of the time), so I’ll take your feedback/use case to our product team, as I can see where it would be something that was useful.
As an alternative, do you have a limited enough user count/access requirement that you could just set up a few different headless client service keys that have access to the backup server AND the resources that users need access to, and then just use the headless client for everybody?
I apologize for the inconvenience.
-arthur
As far as a potential solution where you could run one client in the Sytem context and one in the User context:
I understand the security advantage of a ZTNA over a VPN is that the user is re-authenticated every time a connection is opened. So, as far as conflicts, if the connection is being opened under the System context, use the system (headless) credentials and resource mappings. If it’s being opened under the user context, use the user credentials and user resource mappings.
I have a similar but alternate solution in mind that should work for us, but could you confirm that each Twingate Service account is billed the same as a Twingate User account?
Hey Mike,
You make a good point – right now the Headless client is basically the User client without a front end, so there isn’t that System/User demarcation, but it’s something that potentially change.
As far as billing, yes, to us a Service account is a distinct entity like a User account.