Access Control for DISA IL4 & IL5
Applications hosted on DISA infrastructure (IL4/IL5) via the 2F.mil DNS configuration use specific access methods. While CNAP and AFWERX deployments rely on Appgate, DISA-hosted environments sit behind a Boundary Cloud Access Point (BCAP) and require a different connection protocol.
Access requirements
Review the following requirements for network access and authentication.
Network access
Users must connect from a NIPRNet-based IP address using one of the following methods:
- Use GFE directly from a military installation
- Use GFE remotely via your service-specific VPN
- Access through your service's VDI solution
  - VDI presents your connection as originating from a NIPRNet IP address to DISA
Authentication
- CAC/ECA certificate required for all application access
- Authentication is managed through Second Front's Keycloak instance
Access methods summary
| Method | Requirements | Use Case |
|---|---|---|
| On-site GFE | GFE + NIPRNet connection | Working from military base |
| Remote GFE | GFE + Service VPN | Working remotely with GFE |
| Service VDI | Service VDI access + CAC/ECA | Working from non-GFE device |
Access Grafana dashboard
To access the Grafana dashboard, follow the same network (NIPRNet) and authentication (CAC/ECA) protocols described previously. See Access Grafana dashboard for specific endpoints.
Troubleshooting
Cannot access application?
- Verify you're connecting from a NIPRNet IP address (via GFE or VDI).
- Confirm your CAC/ECA certificate is properly installed and valid.
- Ensure you're accessing the correct 2F.mil URL.
- Check that your browser is configured to present CAC/ECA certificates.