diff --git a/alfa-client/apps/admin/src/test/helm/deployment_env_test.yaml b/alfa-client/apps/admin/src/test/helm/deployment_env_test.yaml
index 444d80b661e454360bdad6eaa0ad76bb63ec5935..6172fd2cdf989a7c932e09c1387d7f28e23db17b 100644
--- a/alfa-client/apps/admin/src/test/helm/deployment_env_test.yaml
+++ b/alfa-client/apps/admin/src/test/helm/deployment_env_test.yaml
@@ -22,7 +22,7 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
 
-suite: test deployment container environments 
+suite: test deployment container environments
 templates:
   - templates/deployment.yaml
 set:
@@ -73,3 +73,4 @@ tests:
           content:
             name: my_test_environment_name
             value: "A test value"
+
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index b7221ad6bd6407099a01862c2ffb85bb5199d49d..c21b9c17e45df3527a4550c51caffadb2295c26c 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -109,6 +109,10 @@ spec:
           value: {{ ((.Values.ozgcloud).xdomea).behoerdenschluesselUri}}
         - name: ozgcloud_xdomea_behoerdenschluesselVersion
           value: {{ ((.Values.ozgcloud).xdomea).behoerdenschluesselVersion | quote }}
+        {{- if ((.Values.ozgcloud).feature).collaborationEnabled }}
+        - name: ozgcloud_feature_collaborationEnabled
+          value: {{ ((.Values.ozgcloud).feature).collaborationEnabled | quote }}
+        {{- end }}
 
         image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
         imagePullPolicy: Always
diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index fde1ca628cf7ea984d4ffceefbdf13f4922c339a..ee37649c47d584833c401a8f68748ba46a4d8fd2 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -21,6 +21,18 @@ spec:
 {{ toYaml . | indent 2 }}
 {{- end }}
   egress:
+{{- if ((.Values.ozgcloud).feature).collaborationEnabled }}
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: {{ required "zufiManager.namespace must be set if zufiManager server is enabled" (.Values.zufiManager).namespace }}
+      podSelector: 
+        matchLabels:
+          component: zufi-server
+    ports:
+      - port: 9090
+        protocol: TCP
+{{- end }}
   - to:
     - podSelector: 
         matchLabels:
diff --git a/src/test/helm/deployment_collaboration_env_test.yaml b/src/test/helm/deployment_collaboration_env_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..21ca8ba4550390d89e333fb62a3110e389615f81
--- /dev/null
+++ b/src/test/helm/deployment_collaboration_env_test.yaml
@@ -0,0 +1,38 @@
+suite: deployment collaboration env
+release:
+  name: alfa
+  namespace: sh-helm-test
+templates:
+  - templates/deployment.yaml
+set:
+  baseUrl: test.company.local
+  ozgcloud:
+    environment: test
+    bundesland: sh
+    bezeichner: helm
+  sso:
+    serverUrl: https://sso.company.local
+  imagePullSecret: image-pull-secret
+tests:
+  - it: should enable collaboration
+    set:
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_feature_collaborationEnabled
+            value: "true"
+  - it: should not enable collaboration
+    set:
+      ozgcloud:
+        feature:
+          collaborationEnabled: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: ozgcloud_feature_collaborationEnabled
+          any: true
\ No newline at end of file
diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml
index af65c804e62b7fb9aebb26f65f2322b536f71550..b1b35ecddd7608c33ed412b7a036829d4e966bb6 100644
--- a/src/test/helm/network_policy_test.yaml
+++ b/src/test/helm/network_policy_test.yaml
@@ -78,7 +78,7 @@ tests:
               - port: 8080
             egress:
             - to:
-              - podSelector: 
+              - podSelector:
                   matchLabels:
                     component: vorgang-manager
               ports:
@@ -223,4 +223,40 @@ tests:
         dnsServerNamespace: test-dns-server-namespace
     asserts:
       - hasDocuments:
-          count: 1
\ No newline at end of file
+          count: 1
+
+  - it: should set egress for zufi if configured
+    set:
+      networkPolicy:
+        ssoPublicIp: 1.1.1.1
+        dnsServerNamespace: test-dns-server-namespace
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+      zufiManager:
+        namespace: by-zufi-dev
+    asserts:
+      - contains:
+          path: spec.egress
+          content:
+            to:
+              - podSelector:
+                  matchLabels:
+                    component: zufi-server
+                namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: by-zufi-dev
+            ports:
+              - port: 9090
+                protocol: TCP
+  - it: should fail to set egress for zufi if namespace is missing
+    set:
+      networkPolicy:
+        ssoPublicIp: 1.1.1.1
+        dnsServerNamespace: test-dns-server-namespace
+      ozgcloud:
+        feature:
+          collaborationEnabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: zufiManager.namespace must be set if zufiManager server is enabled
\ No newline at end of file