Cloud Gateway

The Cloud Gateway is a small, lightweight Windows application that acts as a connectivity gateway between the customer environment and the EmpowerID SaaS tenant. It enables the EmpowerID Cloud SaaS tenant to inventory and manage on-premise systems without requiring ports to be opened on their firewall. The Cloud Gateway is a lightweight application that users can install on a Windows 10 desktop or server inside the on-premise network. Upon installation, the Cloud Gateway generates a public and private PKI certificate and registers the public key in the customer’s SaaS tenant for encrypted and secure communications. The Cloud Gateway then makes a secure and encrypted outbound HTTPS (TLS) connection to an EmpowerID queue in Azure as a bridge for communication between the EmpowerID Cloud servers and the customer’s on-premise network. Customers may install multiple Cloud Gateways on-premise for fault tolerance and increased performance.

Connectivity Between External Components and EmpowerID SaaS

Communication Flow

Before installing the Cloud Gateway Client (CGC) on a server, you need to create an EmpowerID Person with access to register and ping a Cloud Gateway server. You then use this Person to register the Cloud Gateway server in EmpowerID. During the registration process, EmpowerID verifies the Person has the appropriate access and then generates a certificate and stores it on the server with the Cloud Gateway Client. The public key is sent to EmpowerID and mapped to the EmpowerID Person used during the registration process. All subsequent calls to EmpowerID by the Cloud Gateway Client occur using certificate-based authentication. When the Cloud Gateway Client starts, it calls EmpowerID to retrieve information needed by it to connect to Azure. EmpowerID uses this same information to connect to Azure, constituting a point-to-point connection between EmpowerID in the Cloud and the on-premised Cloud Gateway Client.

The above image provides a high-level overview of the process and communication flow that occurs between EmpowerID, the Cloud Gateway Client, and Azure. The process is as follows:

Step 1 – You create a dedicated Person account and assign to that Person the UI-Admin-Cloud-Gateway Management Role. The role gives the Person access to register and ping a Cloud Gateway server. This Person account should be solely dedicated for this use and should not be linked to an actual Person that uses EmpowerID for their daily activities.
Step 2 – You register the Cloud Gateway Client on a server using the EmpowerID Person account created above. If the Person successfully authenticates and has the required access, EmpowerID registers the client on the server, generates a certificate, and stores that certificate on the server hosting the Cloud Gateway Client. The public key is sent securely to EmpowerID as part of the registration process, where it is mapped to the Person account used to register the client. The certificate is then used to authenticate all communications between the client and EmpowerID.
Step 3 – The client securely calls EmpowerID to retrieve information needed by the client to connect to Azure.
Step 4 – The client connects to the queue in Azure using the information received from EmpowerID.
Step 5 – EmpowerID connects to the Azure queue using the same connection information sent to the Cloud Gateway Client, constituting a point-to-point connection between EmpowerID in the cloud and the on-premise Cloud Gateway Client. All such communications are secured via TLS.