You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Cloud Gateway Client for SaaS



The EmpowerID Cloud Gateway Client for SaaS enables your EmpowerID Cloud SaaS tenant to inventory and manage your on-premises systems without requiring inbound ports to be opened on your firewall. The Cloud Gateway is a lightweight client that is installed on a Windows desktop or server machine in your on-premises network. The client makes only outbound HTTPS (TLS) connections to an EmpowerID queue in Azure, which acts as a bridge for communication between the EmpowerID Cloud servers and your on-premises network. You can install multiple Cloud Gateways on-premises for fault tolerance and increased throughput.

Communication Flow

Before installing the Cloud Gateway Client (CGC) on a server, you need to create an EmpowerID Person with access to register and ping a Cloud Gateway server. You then use this Person to register the Cloud Gateway server in EmpowerID. During registration, EmpowerID verifies that the Person has the appropriate access, then generates a certificate and stores it on the server alongside the Cloud Gateway Client. Only the public key is sent to EmpowerID, where it is mapped to the Person used during registration; the private key remains on the Cloud Gateway server. All subsequent calls from the Cloud Gateway Client to EmpowerID use certificate-based authentication. When the Cloud Gateway Client starts, it calls EmpowerID to retrieve the information it needs to connect to Azure. EmpowerID uses the same information to connect to Azure, forming a point-to-point connection between EmpowerID in the cloud and the on-premises Cloud Gateway Client.

The diagram above provides a high-level overview of the process and communication flow between EmpowerID, the Cloud Gateway Client, and Azure. The process is as follows:

  • Step 1 – You create a dedicated Person account and assign that Person the UI-Admin-Cloud-Gateway Management Role. The role gives the Person access to register and ping a Cloud Gateway server. This Person account should be dedicated solely to this use and should not be linked to a real person who uses EmpowerID for their daily activities.

  • Step 2 – You register the Cloud Gateway Client on a server using the EmpowerID Person account created above. If the Person authenticates successfully and has the required access, EmpowerID registers the client on the server, generates a certificate and stores that certificate on the server hosting the Cloud Gateway Client; the certificate's private key stays on that server. The public key is sent securely to EmpowerID as part of the registration process, where it is mapped to the Person account used to register the client. The certificate is then used to authenticate all communication between the client and EmpowerID, so a key that was never registered (or whose registering Person lacks the role) is not accepted.

  • Step 3 – The client securely calls EmpowerID to retrieve information needed by the client to connect to Azure.

  • Step 4 – The client connects to the queue in Azure using the information received from EmpowerID.

  • Step 5 – EmpowerID connects to the Azure queue using the same connection information it sent to the Cloud Gateway Client, forming a point-to-point connection between EmpowerID in the cloud and the on-premises Cloud Gateway Client. All such communication is secured with TLS.

Unsolicited communication originating from the Cloud Gateway Client is not processed by EmpowerID.
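The following Go program is an added, simplified model of the flow in Steps 1 through 5 and of the rule that unsolicited client messages are dropped. It is not EmpowerID's code and does not use EmpowerID's real protocol: the Ed25519 key pair standing in for the generated certificate, the message layout, the Person and role names, and the fingerprint-based key lookup are all assumptions for illustration. What it shows is the security-relevant shape of the design: the private key never leaves the gateway, registration is only possible for a Person holding the gateway role, the queue connection information is released only to a registered key, and a reply from the gateway is processed only when it answers a job the cloud side itself dispatched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed role name, taken from the page; the Person/role model is a toy.
const roleCloudGateway = "UI-Admin-Cloud-Gateway"

type Person struct {
	Name  string
	Roles map[string]bool
}

// Cloud models the EmpowerID side: Persons, registered gateway keys bound to
// the Person that registered them, and the job IDs it has dispatched.
type Cloud struct {
	persons    map[string]*Person
	keys       map[string]ed25519.PublicKey // key fingerprint -> public key
	keyOwner   map[string]string            // key fingerprint -> Person name
	dispatched map[string]bool              // job IDs issued by the cloud, still open
	queueInfo  string                       // constructed Azure queue connection info
}

// Gateway models the on-premises client. The private key is generated here
// and never leaves this struct; only Pub is ever sent to the cloud.
type Gateway struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// SignedMsg is the assumed wire shape of a certificate-authenticated call.
type SignedMsg struct {
	KeyID string // fingerprint of the signing key
	JobID string // empty for client-initiated control calls
	Body  []byte
	Sig   []byte
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// signedBytes binds the job ID and body together with a NUL separator so a
// signature over one job cannot be reused for another.
func signedBytes(jobID string, body []byte) []byte {
	return append([]byte(jobID+"\x00"), body...)
}

func NewCloud(queueInfo string) *Cloud {
	return &Cloud{persons: map[string]*Person{}, keys: map[string]ed25519.PublicKey{},
		keyOwner: map[string]string{}, dispatched: map[string]bool{}, queueInfo: queueInfo}
}

func (c *Cloud) AddPerson(name string, roles ...string) {
	p := &Person{Name: name, Roles: map[string]bool{}}
	for _, r := range roles {
		p.Roles[r] = true
	}
	c.persons[name] = p
}

// Register is Steps 1-2: only a Person holding the gateway role may bind a
// public key, and the key is mapped to that Person.
func (c *Cloud) Register(personName string, pub ed25519.PublicKey) error {
	p, ok := c.persons[personName]
	if !ok || !p.Roles[roleCloudGateway] {
		return errors.New("registration refused: Person lacks " + roleCloudGateway)
	}
	id := fingerprint(pub)
	c.keys[id] = pub
	c.keyOwner[id] = personName
	return nil
}

func NewGateway() (*Gateway, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gateway{priv: priv, Pub: pub}, nil
}

func (g *Gateway) Sign(jobID string, body []byte) SignedMsg {
	return SignedMsg{KeyID: fingerprint(g.Pub), JobID: jobID, Body: body,
		Sig: ed25519.Sign(g.priv, signedBytes(jobID, body))}
}

// verify accepts only messages signed by a registered key and returns the owning Person.
func (c *Cloud) verify(m SignedMsg) (string, error) {
	pub, ok := c.keys[m.KeyID]
	if !ok {
		return "", errors.New("unregistered key")
	}
	if !ed25519.Verify(pub, signedBytes(m.JobID, m.Body), m.Sig) {
		return "", errors.New("bad signature")
	}
	return c.keyOwner[m.KeyID], nil
}

// QueueInfo is Step 3: the client-initiated call that returns the Azure queue
// connection information, released only to a registered key.
func (c *Cloud) QueueInfo(m SignedMsg) (string, error) {
	if _, err := c.verify(m); err != nil {
		return "", err
	}
	return c.queueInfo, nil
}

// Dispatch records a job the cloud has sent over the queue (Step 5 onward).
func (c *Cloud) Dispatch(jobID string) { c.dispatched[jobID] = true }

// HandleReply processes a gateway message only if it is correctly signed by a
// registered key AND answers an open job; anything else is unsolicited and dropped.
func (c *Cloud) HandleReply(m SignedMsg) (string, error) {
	owner, err := c.verify(m)
	if err != nil {
		return "", err
	}
	if !c.dispatched[m.JobID] {
		return "", errors.New("unsolicited message dropped")
	}
	delete(c.dispatched, m.JobID) // a second reply to the same job is also dropped
	return owner, nil
}

func main() {
	cloud := NewCloud("sb://example.servicebus.windows.net/;queue=gw-demo") // constructed value
	cloud.AddPerson("svc-cloudgateway", roleCloudGateway)
	gw, _ := NewGateway()
	fmt.Println("register:", cloud.Register("svc-cloudgateway", gw.Pub))
	info, err := cloud.QueueInfo(gw.Sign("", []byte("GetQueueInfo")))
	fmt.Println("queue info:", info, err)
	_, err = cloud.HandleReply(gw.Sign("job-1", []byte("inventory result")))
	fmt.Println("reply before dispatch:", err)
	cloud.Dispatch("job-1")
	owner, err := cloud.HandleReply(gw.Sign("job-1", []byte("inventory result")))
	fmt.Println("reply after dispatch:", owner, err)
}
```

The two checks in HandleReply are deliberately separate: a valid signature proves which registered gateway sent the message, while the dispatched-job lookup proves the cloud asked for it. Either check alone is insufficient; a compromised gateway key can still sign arbitrary messages, and a job ID alone is guessable.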


Next Steps

Install the Cloud Gateway for SaaS
