An employee, partner, contractor, customer, auditor or regulator reaches the designated app through a browser. Coelion sits at the edge of the company network and checks every request. No VPN client, no network tunnel into the company, no path that bypasses the access check.
Lateral movement into the rest of the company is prevented by design, not by policy.
Coelion is an OSI layer 7 reverse proxy placed at the edge of the company network. The external request enters the network only through the gateway, and only resolves to the designated app inside. Everything else inside the network stays unreachable from outside.
Partners reach the integration console for a joint product. Contractors reach the project tool for the duration of the engagement. Customers reach the self-service portal scoped to their tenant. Auditors reach the read-only dashboard for the audit window. Regulators reach the compliance evidence view in place. Suppliers reach the order-and-invoice surface, nothing else.
Per-request access check on every request. Access log per app: identity (or anonymous), client IP, app, HTTP method, URI, status code, response bytes, duration, browser, session, plus referer and timestamp. Sessions expire with an idle timeout and an absolute cap. Identity sources include OAuth2 (Google, GitHub, Azure, AWS Cognito, GitLab, LinkedIn, Meta), LDAP and Active Directory, and local users with one-way salted password hashes.