The EmpowerID Cloud Gateway Client for SaaS is a lightweight application installed on a Windows desktop or server machine within your on-premise network. This client enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premise systems without requiring network infrastructure changes or ports to be opened on your firewall. The client uses Azure Hybrid Connections, which allows for relaying data between different networks “scoped to a single application endpoint on a single machine” using HTTP(S) and WebSockets. The Cloud Gateway Client makes a secure and encrypted outbound HTTPS connection to an EmpowerID queue in Azure, which acts as a bridge for communication between the EmpowerID Cloud servers and your on-premise network. This way, services and applications can access resources safely in the cloud and on-premise with a single host:port combination. You can install multiple Cloud Gateways on-premise for fault tolerance and increased performance.

Tip

What is Azure Relay & Azure Relay Hybrid Connections?

Azure Relay is a message service provided in the Azure Service Bus platform, which can expose services that run on premises to the public cloud. With Azure Relay, these services can be exposed without opening a port on the firewall. Azure Hybrid Connections is a protocol feature provided by Azure Relay, built on open-standard secured WebSockets, that enables multi-platform scenarios for HTTP and WebSockets.

How does the Cloud Gateway Client allow EmpowerID to interact with systems in the local network?

When you install the Cloud Gateway Client, you configure a connection to Azure Hybrid Connections (a listener queue in Azure). The Cloud Gateway Client application makes a connection to Azure Hybrid Connections and registers the connection details in the EmpowerID database. EmpowerID also makes a connection to Azure Hybrid Connections using those connection details. Neither system has direct knowledge of the other, nor does it need any. Each only needs to know about the service endpoint in Azure Hybrid Connections, which acts as a broker between the two. EmpowerID and the Cloud Gateway Client never write data to each other; they write data to and read data from the Azure Hybrid Connection. In this model, the Cloud Gateway Client connects to the Microsoft Cloud in order to reach the endpoint (the Azure Hybrid Connection). EmpowerID, whether in the same cloud or on some other network, connects to the same Azure Hybrid Connection.
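
The brokered model described above, as an added sketch that is not EmpowerID or Azure code: a loopback TCP broker stands in for the Azure Hybrid Connection, and the `listen`/`send` line protocol, the name `hc-demo` and all function names are assumptions made for illustration. Both sides only dial out to the broker, and neither opens a listening port for the other.

```python
import asyncio

NAME = "hc-demo"  # constructed endpoint name, an assumption for this sketch

async def relay(reader, writer, listeners):
    """Broker: joins two outbound connections that name the same endpoint."""
    role, name = (await reader.readline()).decode().split()
    if role == "listen":                        # on-premise side registers itself
        listeners[name] = (reader, writer)      # keep its streams open for later
        writer.write(b"registered\n")
        return
    gw_reader, gw_writer = listeners.pop(name)  # cloud side: find the listener
    gw_writer.write(await reader.readline())    # request: cloud -> on-premise
    writer.write(await gw_reader.readline())    # reply: on-premise -> cloud
    gw_writer.close()
    writer.close()

async def gateway(port, ready):
    """On-premise client: dials out to the broker and never binds a port."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(f"listen {NAME}\n".encode())
    await reader.readline()                     # wait for "registered"
    ready.set()
    request = (await reader.readline()).decode().strip()
    writer.write(f"on-prem handled: {request}\n".encode())
    peer = writer.get_extra_info("peername")[1]  # remote port it dialled
    writer.close()
    return peer

async def cloud(port, request):
    """Cloud side: also dials out to the broker, never to the gateway."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(f"send {NAME}\n{request}\n".encode())
    reply = (await reader.readline()).decode().strip()
    peer = writer.get_extra_info("peername")[1]
    writer.close()
    return reply, peer

async def demo(request="inventory"):
    listeners = {}
    server = await asyncio.start_server(lambda r, w: relay(r, w, listeners), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]   # the only listening socket
    ready = asyncio.Event()
    gw = asyncio.create_task(gateway(port, ready))
    await ready.wait()                          # listener must register first
    reply, cloud_peer = await cloud(port, request)
    gw_peer = await gw
    server.close()
    return reply, port, gw_peer, cloud_peer
```

Run it with `asyncio.run(demo())`; the returned ports show that the only address either party ever connected to is the broker's.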

Communication Flow

Before installing the Cloud Gateway Client (CGC) on a server, you need to create an EmpowerID Person with access to register and ping a Cloud Gateway server. You then use this Person to register the Cloud Gateway server in EmpowerID. During the registration process, EmpowerID verifies that the Person has the appropriate access, then generates a certificate and stores it on the server with the Cloud Gateway Client. The public key is sent to EmpowerID and mapped to the EmpowerID Person used during the registration process. All subsequent calls to EmpowerID by the Cloud Gateway Client use certificate-based authentication. When the Cloud Gateway Client starts, it calls EmpowerID to retrieve the information it needs to connect to Azure. EmpowerID uses this same information to connect to Azure, constituting a point-to-point connection between EmpowerID in the Cloud and the on-premise Cloud Gateway Client.

...

Info

Unsolicited communication originating from the Cloud Gateway Client is not processed by EmpowerID.

...

Related Topics

Install the Cloud Gateway for SaaS

Modify Proxy Information for the Cloud Gateway Client

Azure Relay Setup with the Cloud Gateway Client