diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index c7be754..ddf2623 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -22,11 +22,7 @@
 # We use this only for Graylog at the time of writing. # / @param swamid_testing Set this to true if your SP is registered in swamid-testing.
-#
-# @param front_clients
-# Hiera field, defined at common.yaml, with the the frontend IP prefixes that require access
-# to port 443. Defaults to empty string.
-#
+
 class soc::sso(
 $hostname,
 $email,
@@ -36,7 +32,6 @@ class soc::sso(
 $x_remote_user = false,
 $swamid_testing = false,
 $single_user = false,
- $front_clients = '',
 $satosa = true,
 $satosa_certbot = false,
 $translog = 'INFO',
@@ -189,17 +184,6 @@ class soc::sso(
 # NFT Rules #
- if 'wg0' in $facts['networking']['interfaces'].keys {
- if $front_clients != '' {
- $front_clients_exposed = hiera_array($front_clients,[])
- sunet::nftables::docker_expose { 'clients_https' :
- allow_clients => $front_clients_exposed,
- port => 443,
- iif => 'wg0',
- }
- }
- }
-
 sunet::nftables::docker_expose { 'apache_sso_https' :
 allow_clients => ['0.0.0.0/0'],
 port => 443,
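Review bot: The blank line added in the first hunk (the lone `+` just before `class soc::sso(`) detaches the `@param` comment block from the class it documents. As far as I know, puppet-strings only picks up a comment block that sits directly above the definition, so the remaining parameter docs may stop being rendered. Drop the added blank line, or keep a bare `#` there as the old code did, so the block ends on the line immediately above `class soc::sso(`. Separately, the second hunk removes `$front_clients` from the signature, so any Hiera data or class declaration that still sets it would presumably fail catalog compilation; it is worth searching for remaining uses before merging. The class body continues outside these hunks.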