Child pages
    • BMC Client Gateway connectivity

       

    To view the latest information for BMC Helix services and policies, go to BMC Helix Subscriber Information.

    Skip to end of metadata
    Go to start of metadata

    BMC recommends that you use BMC Client Gateway, which is a non-VPN solution, to securely connect to your BMC OnDemand service. You must install a small client at your site to facilitate this connection.

    This topic provides the following information:

    Support for transporting TCP connections using WebSocket technology

    Cloud to on-premises integrations can pose a substantial challenge when the integration architecture requires the use of a low-level network connection. This connection, over the TCP protocol, normally requires a full site-to-site VPN connection between a customer and the BMC OnDemand data centers. The BMC Client Gateway solves this challenge by transporting TCP connections using internet-friendly WebSocket technology.

    Support for secure bidirectional data flows

    With BMC Client Gateway, BMC delivers sophisticated server-to-server integrations, avoiding the complexity, cost, and time penalties associated with VPN architectures. The resulting deployment handles bidirectional data flows in a secure, SSL-encrypted connection. Even for those connections that are logically initiated from the BMC data center, the Client Gateway architecture allows the transport layer to be physically initiated from the on-premises end toward BMC. This approach remains firewall friendly (no special firewall rules are required at the customer end), and all traffic transits the public internet over HTTPS/SSL. The connections from the Client Gateway can traverse proxies and firewalls without special rules or opened ports.

    Diagram of sample BMC Discovery to BMC Remedy OnDemand integration


    For example, a customer may have the following separate integration requirements:

    • LDAP pull of employee data for population in BMC Remedy IT Service Management (ITSM)
    • BMC Discovery-BMC Atrium Configuration Management Database (CMDB) integration for asset discovery

    The LDAP connection is logically initiated from BMC toward the on-premises LDAP environment. To build this integration using VPN, a site-to-site VPN tunnel is used, often with network address translation (NAT) on both sides, and direct dependencies are created on the network addresses used. The BMC Discovery connection is initiated from on premises, but it also utilizes a VPN to carry the low-level BMC Remedy AR API traffic.

    The BMC Client Gateway handles both requirements with ease. BMC Remedy OnDemand maintains a server gateway to receive requests in each BMC data-center location. You simply deploy the BMC Client Gateway program on a server in your environment. The Client Gateway connects to the server gateway using HTTPS, and when connected, allows bidirectional traffic flows.

    Support for development and disaster recovery

    Often during the development of a new integration, it is necessary to connect an on-premises application to any of the BMC Remedy OnDemand application environments (development, QA, or production). The customer might also have test, sandbox, or development systems similarly for the on-premises applications. The Client Gateway simplifies connection of these various environments. You can:

    • Change the application endpoint on the on-premises side without involving BMC
    • Maintain multiple gateways connecting to each of the BMC OnDemand data centers from the same location

    For disaster recovery scenarios, the Client Gateway architecture fails over to alternate BMC data centers just like any other web traffic. In the event of a disaster situation, BMC reroutes the published hostnames (URLs) by modifying DNS entries, retargeting traffic from existing on-premises gateways to the alternate (backup) locations. This is accomplished without the need to redeploy or reconfigure the Client Gateway.

    BMC Client Gateway installation and configuration

    If you want to use the BMC Client Gateway, open a technical support issue, and BMC will provide the client installer.

    The BMC Client Gateway has the following requirements:

    • A Windows or Linux server with two CPUs and 4 GB of memory (virtualized deployments are acceptable) and Java SDK 8, 64 bit
    • Network connectivity to the internet on standard HTTPS (TCP port 443)
    • Network connectivity to the on-premises applications and servers used for integration

    BMC will assist you with the setup and provide you with a prebuilt configuration file and instructions. You will receive a unique private gateway hostname (URL) for connecting to the BMC data center location.

    The following table shows the ports that are configured by default for BMC Client Gateway.

    Ports used by BMC Client GatewayDescription
    46000The Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery, BMC Remedy Developer Studio, BMC TrueSight, and Pentaho Spoon client) and proxies it to the OnDemand development environment through a WebSocket connection.
    47000The Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the OnDemand QA Environment through a WebSocket connection.
    48000The Client Gateway listens in this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the OnDemand production environment through a WebSocket connection.
    8000This port is used by the Client Gateway for the management console.
    443This is the outbound port used by the Client Gateway to connect to the OnDemand endpoint.

    For LDAP authentication, you specify the port and the LDAP server name in the BMC Client Gateway. The default port is TCP 389.

    Ports open to the internet from the agent must be TCP 443. You must ensure that any proxy servers or firewalls allow outbound connections on this port.

    After the BMC Client Gateway installation finishes, you should see a message in the Installation Summary window for the installer, stating that the installation has been completed successfully. You can also verify that the BMC Client Gateway has been installed correctly by:

    • Checking the services and ensuring that the BMC WebSocket Gateway – JMS Edition 4.0 service is running.

    • Reviewing the error.log file (in the Log directory in which BMC Client Gateway is installed) for any error messages.

    The BMC SaaS Operations team is available for technical support and assistance with the install.

    Related topics

    How TLS/SSL works with the Gateway

    Data encryption

     

    21 Comments

    1.  

      1.  

        1.  

    2.  

    3.  

    4. In appears that for ODBC setup connections, the ports are actually 46500, 47500 and 48500 for Dev, QA and PROD respectively. Please confirm and update

       

      1.  John, the ports listed are our standard numbers but these may have been customized for you. I need to leave this page as is.

    5.  

      Hi Martha,a bit of clarification is probably needed here.Ports 46000 47000 and 48000 are our standard configuration for access to the AR-api port on the DEV, QA and PROD environments.The AR-api is used by BMC Discovery, BMC Remedy Developer Studio, BMC TrueSight, Pentaho Spoon client,   BUT NOT BY A ODBC CLIENT 
      ODBC uses a different port number than the AR-api, therefore our network team normally configure the ports mentioned by John for connection to the ODBC port on the Integration AR-server(s), while the ports you list are configured fro connection to the AR-api port/KAF

       

    6. We were given the same ports for ODBC as John so I do not think BMC customized the ports.

    7. My ports are the standard 46000 (DEV), 47000 (QA), and 48000 (PROD) as Martha stated.  So, I agree with Martha that these are the default ports unless customized by BMC.  Additionally beyond these default ports, it might be good to mention in this article that BMC can both customize these port numbers as well as provide additional ports beyond the default 3 in situations where you have an extra test instance or DEV BOXI server.  

    8. how the data actually flows in this client gateway technique ? is there and ID for this application which would be authenticated for flowing of data from one gateway server to other?  customer must be hesitate to put their data across internet.

    9. Krishna, there is a client that resides on both ends (customer's premises and BMC cloud), allowing certain types of data to traverse via a pre-defined port. The gateway uses Kaazing Websocket technology. For an inbound connection, we need to know which server you are connecting to. For an outbound connection we need the IP addresses of the server(s) with the port mapping. The connection of the BMC Client Gateway utilizes standard HTTPS encryption techniques, including support for TLS 1.2, FIPS 140-2 cryptographic ciphers, and 2048-bit key length. 

      If this does not address your question entirely, I can connect you with a network specialist on our end. 

    10. Is there high availability configuration for the gateway or it can be configured on cluster?

      1. Yousef, at this time we do not offer a HA configuration for the Client Gateway.

    11. On this page it only shows installation of the client gateway on a windows platform.  My understanding from my previous conversations with BMC is that Linux is also supported.  Can anyone here confirm that?

      1. Anthony, Linux is supported. I have updated the page accordingly. Thank you.

    12. If there is no high availability provided for client gateway at customer premise, What is the suggested option to minimize downtime? Is deploying multiple instances of client gateway with a load balancer (Active-Passive) ok so that if one instance goes down the other one can be immediately turned On to avoid major down time?


      1. Hi Santosh, this is what BMC provided us as the solution as well.  I do advise to make sure that high-availability exist on both sides customer and BMC.  We had to setup 2 client gateway machines having LB in front of the 2.

    13. Thanks Francoise and in your case only one instance of Client Gwy (Active-passive) mode was able to handle requests for all the environments ( Development, Test , Production) on both on-premise and at BMC side? Or it is one instance of Client Gwy for every environment?

      1. One for all active-passive is enough

    14. Hi,

      One client GW installed on one server onsite customer premises can handle all traffic between the customers network and the BMC Helix datacenter. Each environment and integration point has its own ip portnumber. You can see the default portnumbers used on the customer end  in the table above one for DEV, QA and PROD respectively.

       

       

      Some customers do however of security reasons, require separation of Non-prod and prod networks, and in that case you can purchase an extra client GW and install a separate client GW within in each of the 2 security domains. Where one is configured to access PROD services and the other non-prod services.

       

      I have also seen customers setting up 2 client gateways onsite with a loadbalancer in front of them, to have a backup in case one fails, like you initially suggested.

       

      Best Regards

      Karl-Anders Falk

      Lead Business Relationship Manager

      BMC Helix Operations