Feat: Improve SFTP/File Browser connection handling #345
Description
Feature Request: Enable Filebrowser to Work Behind NAT/Firewalls
Is your feature request related to a problem? Please describe.
Currently, the filebrowser feature requires the agent to accept inbound connections on the SFTP port. This works well when the sysadmin and agent are on the same network (physical LAN or VPN) and the endpoint firewall permits the traffic.
However, this does NOT work when:
- The agent is behind NAT (most common scenario over the internet)
- Corporate firewalls block inbound connections
- Agents are deployed in home/mobile networks with restrictive routing
This severely limits the filebrowser's usability for remote endpoint management where agents are distributed across the internet.
Describe the solution you'd like
Enable the filebrowser to work regardless of network topology, including scenarios where the agent is behind NAT or firewalls.
Desired behavior:
- Filebrowser should "just work" whether the agent is on the local network or remote
- Should automatically use the most efficient connection method available
- When direct connection is possible (same LAN/VPN), use it for best performance
- When direct connection isn't possible (NAT/firewall), fall back to an alternative method (ie route through the existing NATS connection)
Key requirements:
- Transparent to the end user - no manual configuration or troubleshooting needed
- Maintain good performance on local networks (don't force all traffic through console if unnecessary)
- Universal connectivity - works in all network scenarios
Additional context
This would make OpenUEM's file management truly universal - working seamlessly whether managing endpoints on the local network, in branch offices, or on remote users' home networks. The existing NATS infrastructure already provides a persistent connection from agents; leveraging this for file transfers when direct connection isn't possible would be ideal.