Use an external server to expose shared data for every user

Protecting a nextcloud server by making it not accessible from outside of an intranet is a good solution to increase the security and the data protection.

Now, the problem is: What happens when some users want to share some data with external partners? (so, outside the intranet)

An approach could be to have a second nextcloud server outside of the intranet, just for data sharing. But that doesn’t seem too elegant.

After taking a look to files_external and the core/skeleton directory, I wonder: Isn’t there a way to create an external server which provides (i.e.) a single directory (“External”) for every user, and automatically synchronize that directory into the internal server? … And make it default for every user.
Note that the external server cannot see the internal one, but the internal one can see the external.

This way, if the external server gets compromised, they would only have access to that “External” directory (of every user), but not the rest.
Also, using the DNSs, mobile devices would get full access to the nextcloud infrastructure while connected from the intranet, and only the “External” directory could be accessed/synchronized from the outside.

Am I trying to reinvent the wheel?

I don’t know how you create shared folder for each user by default. Manually, it is possible with federated cloud sharing to connect both servers with each other.

Can you help with automation or tell what would be required to do this @rullzer @bjoern

With mobile devices, switching the NC instances via DNS will be difficult because you have different NC ids. You could always sync the external server, and a second sync account for the local folder (from the local server only).

Using two NC servers is probably the best if you want a physical barrier between the data storage and avoid external access in any case. But the implementation is not so easy and there are perhaps still some tools missing to implement this easily. On a single instance you could use the fileaccess, tagging and workflow.

If your business has a certain budget for good software, you could consider an enterprise subscription where they can individually help you and with the money they have some resources to work on your problems.

Thanks @tflidd.
Well… Finally, I will follow your advice and separate both servers physically.
It would be nice to have everything in one environment, but it seems quite tricky to get around that NC ID issue.