Cloud Gateway Client

Owned by Phillip Hanegan
Feb 07, 2023
4 min read

The EmpowerID Cloud Gateway Client is a lightweight application installed on a Windows desktop or server machine within your on-premise network. This client enables your EmpowerID Cloud SaaS tenant to inventory and manages your on-premise systems without requiring network infrastructure changes or the introduction of firewall holes. The EmpowerID Cloud Gateway uses Azure Hybrid Connections, which allows for relaying data between different networks that can be “scoped to a single application endpoint on a single machine” using HTTP(S) and WebSockets. This way, services and applications can access resources safely in the cloud and on-premise with a single host: port combination.

What is Azure Relay & Azure Relay Hybrid Connections?

Azure Relay is a message service provided in the Azure Service Bus platform, which can expose services that run on-premises to the public cloud. The services can be exposed without opening a port on the firewall using Azure Relay. Azure Hybrid Connections is a protocol feature provided by Azure Relay, which is open standard secured web sockets enabling multi-platform scenarios for HTTP and WebSockets.

How does the Cloud Gateway Client allow EmpowerID to interact with systems in the local network?

As part of the process when installing the cloud gateway, you configure a connection to Azure Hybrid Connections (listener queue in Azure). The Cloud Gateway Client application connects to Azure Hybrid Connections and registers the connection details in the EmpowerID database. EmpowerID also makes a connection to Azure Hybrid Connections with the connection details. Neither system has direct knowledge of the other, nor do they need to do so. They only need to know about the service endpoint in Azure Hybrid Connections, which acts as a broker between the two. EmpowerID and the Cloud Gateway Client never write data to each other; they write data to and read data from the Azure Hybrid Connection. In this model, the Cloud Gateway connects to Microsoft Cloud to connect to the endpoint (Azure Hybrid Connection). EmpowerID, whether in the same cloud or on some other network, connects to the same Azure Hybrid Connection.

 

Communication Flow

Before installing the Cloud Gateway Client (CGC) on a server, you need to create an EmpowerID Person with access to register and ping a Cloud Gateway server. You then use this Person to register the Cloud Gateway server in EmpowerID. During the registration process, EmpowerID verifies the Person has the appropriate access and then generates a certificate and stores it on the server with the Cloud Gateway Client. The public key is sent to EmpowerID and mapped to the EmpowerID Person used during the registration process. All subsequent calls to EmpowerID by the Cloud Gateway Client occur using certificate-based authentication. When the Cloud Gateway Client starts, it calls EmpowerID to retrieve the information it needs to connect to Azure. EmpowerID uses this same information to connect to Azure, constituting a point-to-point connection between EmpowerID in the Cloud and the on-premised Cloud Gateway Client.

Figure 1: Process and communication flow between EmpowerID, the Cloud Gateway Client (Agent), and Azure

 

The above image provides a high-level overview of the process and communication flow that occurs between EmpowerID, the Cloud Gateway Client, and Azure. The process is as follows:

  • Step 1 – You create a dedicated Person account and assign to that Person the UI-Admin-Cloud-Gateway Management Role. The role gives the Person access to register and ping a Cloud Gateway server. This Person account should be solely dedicated for this use and should not be linked to an actual Person that uses EmpowerID for their daily activities.

  • Step 2 – You register the Cloud Gateway Client on a server using the EmpowerID Person account created above. If the Person successfully authenticates and has the required access, EmpowerID registers the client on the server, generates a certificate and stores that certificate on the server hosting the Cloud Gateway Client. The public key is sent securely to EmpowerID as part of the registration process, where it is mapped to the Person account used to register the client. The certificate is then used to authenticate all communications between the client and EmpowerID.

  • Step 3 – The client securely calls EmpowerID to retrieve information needed by the client to connect to Azure.

  • Step 4 – The client connects to the queue in Azure using the information received from EmpowerID.

  • Step 5 – EmpowerID connects to the Azure queue using the same connection information sent to the Cloud Gateway Client, constituting a point-to-point connection between EmpowerID in the cloud and the on-premise Cloud Gateway Client. All such communications are secured via TLS.

Unsolicited communication originating from the Cloud Gateway Client is not processed by EmpowerID.