Azure Relay Setup with Cloud Gateway

Overview

EmpowerID uses Azure Relay Services via the EmpowerID Cloud Gateway to securely expose the services that run on the On-Premises network. The On-Premises system communicates with the EmpowerID SaaS tenant without opening any inbound ports, and all communication between the On-Premises system and the EmpowerID SaaS tenant is encrypted with TLS.

Any external system installed on-prem, such as Active Directory, communicates with the EmpowerID SaaS environment via the Cloud Gateway. The Cloud Gateway is a lightweight client installed on a Windows desktop or server machine in your on-premises network.

To connect with the on-prem system, EmpowerID SaaS securely routes a proprietary request to the same Azure Relay to which the on-prem Cloud Gateway is connected. The Cloud Gateway fulfills the request: any other external systems that live on-premises communicate with the Cloud Gateway to fulfill it, and the results are securely sent back to EmpowerID through the Azure Relay.

All communication in these exchanges is encrypted and secured with TLS.

To Set Up Azure Relay

Prerequisites: The client will provide the following details/permissions for their Azure environment.

  • Azure tenant and the subscription.

  • Azure resource group created and identified, or sufficient privileges in the subscription to create the resource group.

  • Sufficient privileges to create and configure an Azure Relay in a new or existing resource group.

  • Sufficient privileges to create an App Registration and a client secret for use by EmpowerID.

  • Sufficient privileges to assign the App Registration Service Principal the "Contributor" role on the Azure Relay.
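As an added example (not from the EmpowerID documentation, and not EmpowerID's own tooling), the following PowerShell session uses the Azure CLI to provision the items the prerequisites call for: a resource group, a Relay namespace with an authorization rule, an App Registration with a service principal and client secret, and a Contributor role assignment scoped to the Relay namespace resource rather than the whole subscription. Every resource name, the location, and the rights granted on the authorization rule are assumed placeholders; the values it collects map onto the Step 1 system settings.

```powershell
# Added example: provision the Azure Relay prerequisites with the Azure CLI.
# All names below are assumed placeholders; change them for your environment.
$ResourceGroup = 'rg-empowerid-relay'      # assumed -> Azure-ResourceGroup
$Location      = 'eastus'                  # assumed Azure region
$Namespace     = 'empowerid-relay-ns'      # assumed; must be globally unique -> Azure-RelayNamespace
$RuleName      = 'EmpowerIDRule'           # assumed -> Azure-AuthorizationRule
$AppName       = 'EmpowerID-CloudGateway'  # assumed App Registration display name

az login | Out-Null

# Tenant and subscription of the signed-in context -> Azure-TenantID / Azure-SubscriptionID
$TenantId       = az account show --query tenantId -o tsv
$SubscriptionId = az account show --query id -o tsv

# Resource group and Relay namespace
az group create --name $ResourceGroup --location $Location | Out-Null
az relay namespace create --resource-group $ResourceGroup --name $Namespace --location $Location | Out-Null

# Authorization rule on the namespace (rights assumed; grant only what the gateway needs)
az relay namespace authorization-rule create --resource-group $ResourceGroup `
    --namespace-name $Namespace --name $RuleName --rights Listen Send | Out-Null

# App Registration, its service principal, and a client secret -> Azure-ClientID / Azure-ClientSecret
$ClientId   = az ad app create --display-name $AppName --query appId -o tsv
$SpObjectId = az ad sp create --id $ClientId --query id -o tsv
$ClientSecret = az ad app credential reset --id $ClientId --years 1 --query password -o tsv

# Contributor scoped to the Relay namespace resource only (least privilege), using the
# service principal object id so the assignment does not depend on directory replication
$RelayId = az relay namespace show --resource-group $ResourceGroup --name $Namespace --query id -o tsv
az role assignment create --assignee-object-id $SpObjectId --assignee-principal-type ServicePrincipal `
    --role Contributor --scope $RelayId | Out-Null

# Values to enter in EmpowerID System Settings; the secret stays in $ClientSecret and is not echoed
[pscustomobject]@{
    'Azure-TenantID'          = $TenantId
    'Azure-SubscriptionID'    = $SubscriptionId
    'Azure-ResourceGroup'     = $ResourceGroup
    'Azure-RelayNamespace'    = $Namespace
    'Azure-AuthorizationRule' = $RuleName
    'Azure-ClientID'          = $ClientId
    'Azure-ClientSecret'      = ('<{0} chars, in $ClientSecret>' -f $ClientSecret.Length)
} | Format-List
```

The role assignment uses the Relay namespace's resource id as the scope, so the service principal can manage that relay and nothing else in the subscription; the secret is kept in a variable and copied into the Azure-ClientSecret setting rather than written to the console or a script file.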

Step 1: Manual configuration of the Azure Relay settings and security principal.

Settings for the Azure Relay and the security principal are configured manually in EmpowerID. Navigate to Infrastructure Admin -> EmpowerID Server and Settings -> EmpowerID System Settings and set the following:

  • Azure-AuthorizationRule

  • Azure-ClientID

  • Azure-ClientSecret

  • Azure-Relay

  • Azure-RelayNamespace

  • Azure-ResourceGroup

  • Azure-SubscriptionID

  • Azure-TenantID

Step 2: Set up the RemoteCloudGateway user with the following configuration

Once the relay is created and the configuration settings are entered in EmpowerID, create a person in EmpowerID that will be used to register the EmpowerID Cloud Gateway during installation. The person should have the following privileges:

  • Resource Type - EmpowerID System

  • Resource - EmpowerID

  • Access Level - RemoteCloudGateway

The credentials of the person created in the above step are provided to the client to register the EmpowerID Cloud Gateway during installation.

If the on-prem environment has a proxy that the Cloud Gateway will need to communicate through, the proxy details, including the address (and port), need to be configured in EmpowerID. The proxy should also be configured to NOT require authentication from the Cloud Gateway when it communicates with the URLs stated above.

Step 3: Copy the EmpowerIDCloudGateway.msi installer to the designated machine and double-click it to start the setup process.

Step 4: When the EmpowerID Cloud Gateway Setup Wizard appears, enter the HOST URL (the Azure tenant URL mentioned in the Prerequisites) and click Next.

Step 5: Click Install.

Step 6: Click Finish.

Step 7: Start the service.

Start the EmpowerID Remote Agent service on the machine where the Cloud Gateway was installed.

Step 8: Open the Cloud Gateway Configurator.

Step 9: The tenant URL is prepopulated. Click Connect.

Step 10: Log in with EmpowerID RemoteCloudGateway.

In the EmpowerID Secure Web Login window that opens, enter the credentials you created for the Cloud Gateway in step 2 and click Login.

Step 11: When the 'Registration Complete' pop-up window appears, click OK.


Step 12: Verify Cloud Gateway is working.

  1. Check that the Cloud Gateway machine has the following values in its registry under HKEY_LOCAL_MACHINE > SOFTWARE > TheDotNetFactory > EmpowerID > RemoteAgent:

    • ApiKey

    • ApiPath

    • ClientID

    • ServerGUID

    • Thumbprint

    • RecycleOnIdle (value in minutes; the process is recycled when no incoming call is received within this time window)

    • RecycleMaxMemory (value in GB; the process is terminated automatically when its memory usage reaches this value)

  2. On the connected EmpowerID Server, do the following:

    1. Open a browser and navigate to your EmpowerID portal.

    2. Authenticate and then ping the cloud gateway by pointing your browser to https://<FQDN_Of_Your_EmpowerID_Server>/ui/#w/PingEmpowerIDServerViaRemoteAgent.
      You should see a lookup for searching and selecting your Cloud Gateway machine.


    3. Search for and select your Cloud Gateway machine and then click Submit.

      You should see a message stating the server was pinged.


    4. Click Submit to exit the process.
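As an added example (not part of the EmpowerID documentation or product), the following PowerShell script automates the local half of Step 12: it reads the RemoteAgent registry key, reports which of the listed values are present, sanity-checks the Thumbprint and ServerGUID formats, and confirms the Remote Agent service is running. The registry path and value names come from the steps above; the service display-name pattern 'EmpowerID Remote Agent*' is an assumption based on the service name used in Step 7. The ApiKey is a secret, so only its presence and length are reported.

```powershell
# Added example: verify Cloud Gateway registration on the on-prem machine.
# Registry path and value names are from the Step 12 checklist; the service
# display-name pattern is an assumption. Run in an elevated PowerShell session.
$KeyPath  = 'HKLM:\SOFTWARE\TheDotNetFactory\EmpowerID\RemoteAgent'
$Required = 'ApiKey', 'ApiPath', 'ClientID', 'ServerGUID', 'Thumbprint'
$Optional = 'RecycleOnIdle', 'RecycleMaxMemory'

function Test-CloudGatewayRegistration {
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath (registration did not complete?)"
    }
    $props = Get-ItemProperty -Path $KeyPath
    $ok = $true

    foreach ($name in $Required) {
        $value = [string]$props.$name
        if ([string]::IsNullOrWhiteSpace($value)) {
            Write-Warning "Missing registry value: $name"
            $ok = $false
            continue
        }
        # Never echo the ApiKey; report only that it is set and how long it is
        $shown = switch ($name) {
            'ApiKey' { '<present, {0} chars>' -f $value.Length }
            default  { $value }
        }
        Write-Host ('{0,-18} {1}' -f $name, $shown)
    }

    # Thumbprint should be a 40-hex-digit SHA-1 certificate thumbprint
    if ($props.Thumbprint -and ([string]$props.Thumbprint) -notmatch '^[0-9A-Fa-f]{40}$') {
        Write-Warning 'Thumbprint is not a 40-hex-digit certificate thumbprint'
        $ok = $false
    }

    # ServerGUID should parse as a GUID
    $parsed = [guid]::Empty
    if ($props.ServerGUID -and -not [guid]::TryParse([string]$props.ServerGUID, [ref]$parsed)) {
        Write-Warning 'ServerGUID is not a valid GUID'
        $ok = $false
    }

    # Optional recycle settings (minutes / GB per the checklist) are informational
    foreach ($name in $Optional) {
        if ($null -ne $props.$name) { Write-Host ('{0,-18} {1}' -f $name, $props.$name) }
    }

    # Service check; the display-name pattern is an assumption
    $svc = Get-Service -DisplayName 'EmpowerID Remote Agent*' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'EmpowerID Remote Agent service not found'
        $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning ("Service '{0}' is {1}, expected Running" -f $svc.DisplayName, $svc.Status)
        $ok = $false
    }

    return $ok
}

if (Test-CloudGatewayRegistration) {
    Write-Host 'Local checks passed; now run the PingEmpowerIDServerViaRemoteAgent workflow from the portal.'
}
```

The script returns $true only when every required value is present, the identifiers have the expected shape, and the service is running; the portal ping in item 2 remains the end-to-end confirmation that the relay path itself works.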