Page tree
Skip to end of metadata
Go to start of metadata

BMC requires that you use the BMC Helix Client Gateway, a non-VPN solution, to securely connect to your BMC Helix services when using certain integration methods. You must install a small client at your site to facilitate this connection.


To review which integration types require use of the BMC Client Gateway, see Integrations.

This topic provides the following information:

Support for transporting TCP connections using WebSocket technology

Cloud to on premises integrations can pose a substantial challenge when the integration architecture requires the use of a low-level network connection. This connection, over the TCP protocol, normally requires a full site-to-site VPN connection between a customer and the BMC service locations. The BMC Helix Client Gateway solves this challenge by transporting TCP connections using internet-friendly WebSocket technology.

Support for secure bidirectional data flows

With BMC Helix Client Gateway, BMC delivers sophisticated server-to-server integrations, avoiding the complexity, cost, and time penalties associated with VPN architectures. The resulting deployment handles bidirectional data flows in a secure, SSL-encrypted connection. Even for those connections that are logically initiated from the BMC data center, the Helix Client Gateway architecture allows the transport layer to be physically initiated from the on premises end toward BMC. This approach remains firewall friendly (no special firewall rules are required at the customer end), and all traffic transits the public internet over HTTPS/SSL. The connections from the Helix Client Gateway can traverse proxies and firewalls without special rules or opened ports.

Diagram of sample BMC Discovery to BMC Helix ITSM integration

For example, a customer may have the following separate integration requirements:

  • LDAP pull of employee data for population in BMC Helix ITSM 
  • BMC Discovery-BMC Atrium Configuration Management Database (CMDB) integration for asset discovery

The LDAP connection is logically initiated from BMC toward the on premises LDAP environment. To build this integration using VPN, a site-to-site VPN tunnel is used, often with network address translation (NAT) on both sides, and direct dependencies are created on the network addresses used. The BMC Discovery connection is initiated from on premises, but it also utilizes a VPN to carry the low-level BMC Remedy Helix ITSM AR API traffic.

The BMC Helix Client Gateway handles both requirements with ease. BMC Helix services maintain a server gateway to receive requests in each BMC service location; you simply deploy the BMC Helix Client Gateway client on a server in your environment. The gateway connects to the server gateway using HTTPS, and when connected, allows bidirectional traffic flows.

Support for development and disaster recovery

Often during the development of a new integration, it is necessary to connect an on premises application to any of the BMC Helix application environments (development/tailoring, QA, or production). The customer might also have test, sandbox, or development systems similarly for the on premises applications. The BMC Helix Client Gateway simplifies connection of these various environments. You can:

  • change the application endpoint on the on premises side without involving BMC.
  • maintain multiple gateways connecting to each of the BMC service locations from the same location.

For disaster recovery scenarios, the Helix Client Gateway architecture fails over to alternate BMC data centers just like any other web traffic. In the event of a disaster situation, BMC re-routes the published hostnames (URLs) by modifying DNS entries, re-targeting traffic from existing on premises gateways to the alternate (backup) locations. This is accomplished without the need to redeploy or reconfigure the gateway.

BMC Helix Client Gateway installation and configuration

If you want to use the BMC Helix Client Gateway, open a technical support issue, and BMC will provide the client installer.

The BMC Helix Client Gateway has the following requirements:

  • A Windows or Linux server with two CPUs and 4 GB of memory (virtualized deployments are acceptable)
  • Network connectivity to the internet on standard HTTPS (TCP port 443)
  • Network connectivity to the on-premises applications and servers used for integration

BMC will assist you with the setup and provide you with a pre-built configuration file and instructions. You will receive a unique private gateway hostname (URL) for connecting to each BMC service location.

The following table shows the ports that are configured by default for BMC Helix Client Gateway.

Ports used by BMC Client GatewayDescription
46000The BMC Helix Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery, BMC Developer Studio, BMC TrueSight, and Pentaho Spoon client) and proxies it to the Helix development environment through a WebSocket connection.
47000The BMC Helix Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the Helix QA environment through a WebSocket connection.
48000The BMC Helix Client Gateway listens in this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the Helix production environment through a WebSocket connection.
8000This port is used by the BMC Helix Client Gateway for the management console.
443This is the outbound port used by the BMC Helix Client Gateway to connect to the Helix services' endpoint.

For LDAP authentication, you specify the port and the LDAP server name in the BMC Helix Client Gateway. The default port is TCP 389.

Ports open to the internet from the agent must be TCP 443. You must ensure that any proxy servers or firewalls allow outbound connections on this port.

After the BMC Helix Client Gateway installation finishes, you should see a message in the Installation Summary window for the installer, stating that the installation has been completed successfully. You can also verify that the BMC Helix Client Gateway has been installed correctly by:

  • Checking the services and ensuring that the BMC WebSocket Gateway – JMS Edition 4.0 service is running.

  • Reviewing the error.log file (in the Log directory in which BMC Helix Client Gateway is installed) for any error messages.

The BMC SaaS Operations team is available for technical support and assistance with the install.

Related topics

How TLS/SSL works with the Gateway

Data encryption



  1. Please add a note that the Client Gateway isn't needed for REST/SOAP WS connections.  This was confirmed by Geert/Dinesh.


  2. Is SDK a requirement or can we install JRE?

    Is OpenJDK supported?

    1. Hi Jan, SDK is no longer a requirement. The gateway does support OpenJDK however the current version (KWIC/5.x) has its own embedded Java , so there is no need to install it separately.

      1. Hi,

        Java SDK 8 licensing is now having a cost.   I guess reason for asking for OpenJDK.

        whose licence will be used with the embedded java (KWIC/5.x) ?