BMC Helix Client Gateway connectivity

BMC requires that you use the BMC Helix Client Gateway, a non-VPN solution, to securely connect to your BMC Helix services when using certain integration methods. You must install a small client at your site to facilitate this connection. 

For FedRAMP Impact Level 4 customers in the United States, your connection is via the Government NIPRNet, instead of through the internet.

Reminder:

BMC Helix Client Gateway is a prerequisite to ITSM customers, including BMC Helix ITSM, BMC Helix Digital Workplace, BMC Helix Knowledge Management by ComAround, BMC Helix Innovation Suite Apps (Business Workflows, Virtual Agent, Communication Service Providers, Multi-Cloud Broker, etc.). If you have a subscription with BMC Helix Operations Management, BMC Helix Discovery, BMC Helix Continuous Optimization and other ITOM services, BMC Helix Client Gateway does not apply to your subscription. 

To review which integration types require use of the BMC Client Gateway, see Integrations.


This topic provides the following information:

Getting started

You will need to configure the BMC Helix Client Gateway if you are performing any of the following activities:

  • Using BMC Developer Studio for customization development
  • Using the LDAP protocol, commonly used for people data loads
  • Integrating to/from third-party systems that do not communicate via HTTPS

Start by downloading the BMC Helix Client Gateway Installation Guide and the BMC Helix Client Gateway request form. The installation guide provides you with step-by-step instructions for downloading and installing the gateway software on your network. The input form is where you will document your inbound integration points coming from your premises so that BMC can complete the configuration file that we need to finalize the setup. BMC will also provide you with the Kaazing license file. Once BMC has provided you with these two files and you have completed the client software installation, we will work with you to perform a connectivity test.  

You may request a separate gateway for each of your environments if they are on separate networks, or you may use just one gateway for all environments. You may also configure the gateway client on your premises in a highly available configuration if desired. Work with your internal network team to configure the primary and failover servers. 

Support for transporting TCP connections using WebSocket technology

Cloud to on-premises integrations can pose a substantial challenge when the integration architecture requires the use of a low-level network connection. This connection, over the TCP protocol, normally requires a full site-to-site VPN connection between a customer and the BMC service locations. The BMC Helix Client Gateway solves this challenge by transporting TCP connections using internet-friendly WebSocket technology.

Support for secure bidirectional data flows

With BMC Helix Client Gateway, BMC delivers sophisticated server-to-server integrations, avoiding the complexity, cost, and time penalties associated with VPN architectures. The resulting deployment handles bidirectional data flows in a secure, SSL-encrypted connection. Even for those connections that are logically initiated from the BMC data center, the Helix Client Gateway architecture allows the transport layer to be physically initiated from the on-premises end toward BMC. This approach remains firewall friendly (no special firewall rules are required at the customer end), and all traffic transits the public internet over HTTPS using TLSv1.1 and TLSv1.2. The connections from the Helix Client Gateway can traverse proxies and firewalls without special rules or opened ports. 

Diagram of sample BMC Discovery to BMC Helix ITSM integration


For example, a customer may have the following separate integration requirements:

  • LDAP pull of employee data for population in BMC Helix ITSM 
  • BMC Discovery-BMC Atrium Configuration Management Database (CMDB) integration for asset discovery

22.2 BMC Helix Discovery

22.2 and later versions of BMC Discovery can use a REST API to sync with CMDB outside of BMC Helix Client Gateway. 


The
LDAP connection is logically initiated from BMC toward the on-premises LDAP environment. To build this integration using VPN, a site-to-site VPN tunnel is used, often with network address translation (NAT) on both sides, and direct dependencies are created on the network addresses used. The BMC Discovery connection is initiated from on-premises, but it also utilizes a VPN to carry the low-level BMC Remedy Helix ITSM AR API traffic.

The BMC Helix Client Gateway handles both requirements with ease. BMC Helix services maintain a server gateway to receive requests in each BMC service location; you simply deploy the BMC Helix Client Gateway client on a server in your environment. The gateway connects to the server gateway using HTTPS, and when connected, allows bidirectional traffic flows.

Unpublished Web services

In the event you have an integration that calls an unpublished web API, you may require the traffic to route through the BMC Client Gateway. If you require SSL certificates to enable an encrypted connection, you must provide these certificates to BMC (one is required for each environment). The customer remains responsible for obtaining and renewing these certificates, as well as managing any re-direction configuration on their network. List any related requirements on the BMC Helix Client Gateway request form, and provide the certificates to BMC via a change request. BMC SaaS Operations will then assist you with certificate loading and testing.

Support for development and disaster recovery

Often during the development of a new integration, it is necessary to connect an on-premises application to any of the BMC Helix application environments (development/tailoring, QA, or production). The customer might also have test, sandbox, or development systems similarly for the on-premises applications. The BMC Helix Client Gateway simplifies connection of these various environments. You can:

  • change the application endpoint on the on-premises side without involving BMC.
  • maintain multiple gateways connecting to each of the BMC service locations from the same location.

For disaster recovery scenarios, the Helix Client Gateway architecture fails over to alternate BMC data centers just like any other web traffic. In the event of a disaster situation, BMC re-routes the published hostnames (URLs) by modifying DNS entries, re-targeting traffic from existing on-premises gateways to the alternate (backup) locations. This is accomplished without the need to redeploy or reconfigure the gateway.

BMC Helix Client Gateway installation and configuration

The BMC Helix Client Gateway has the following requirements:

  • A Windows or Linux server with 4 CPUs and 16 GB of memory (virtualized deployments are acceptable)
  • Provide 50 GB disk space dedicated to BMC Helix Client Gateway
  • Network connectivity to the internet on standard HTTPS (TCP port 443)
  • Network connectivity to the on-premises applications and servers used for integration

BMC will assist you with the setup and provide you with a pre-built configuration file and instructions. You will receive a unique private gateway hostname (URL) for connecting to each BMC service facility.

The following table shows the ports that are configured by default for BMC Helix Client Gateway.

Ports used by BMC Client GatewayDescription
46000The BMC Helix Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery, BMC Developer Studio, BMC TrueSight, and Pentaho Spoon client) and proxies it to the Helix development environment through a WebSocket connection.
47000The BMC Helix Client Gateway listens at this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the Helix QA environment through a WebSocket connection.
48000The BMC Helix Client Gateway listens in this port for TCP traffic from client applications (for example, BMC Discovery and BMC TrueSight) and proxies it to the Helix production environment through a WebSocket connection.
8000This port is used by the BMC Helix Client Gateway for the management console. BMC uses this port to monitor the gateway's health that resides on the customer's premises.
443This is the outbound port used by the BMC Helix Client Gateway to connect to the Helix services' endpoint.

For LDAP authentication, you specify the port and the LDAP server name in the BMC Helix Client Gateway. The default port is TCP 389.

Ports open to the internet from the agent must be TCP 443. You must ensure that any proxy servers or firewalls allow outbound connections on this port. If a proxy is used to bypass the traffic towards BMC, you must disable authentication.

After the BMC Helix Client Gateway installation finishes, you should see a message in the Installation Summary window for the installer, stating that the installation has been completed successfully. You can also verify that the BMC Helix Client Gateway has been installed correctly by:

  • Checking the services and ensuring that the BMC WebSocket Gateway – JMS Edition 4.0 service is running.


  • Reviewing the error.log file (in the Log directory in which BMC Helix Client Gateway is installed) for any error messages.

The BMC SaaS Operations team is available for technical support and assistance with the install.

Related topic

Data encryption

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. David Fiel

    Please add a note that the Client Gateway isn't needed for REST/SOAP WS connections.  This was confirmed by Geert/Dinesh.

    Jan 10, 2019 03:04
    1. Jan Sierens

      I don't think this is correct for the REST API.

      How can we connect to the REST API from on-prem? The rest api is hosted on the jetty in the AR Server and not the mid tier like SOAP.

      Oct 01, 2020 09:15
      1. Marcell Alzate

        I have not idea where REST API is hosted, but I cannot confirm that Client Gateway isn't taking part of the connection from on-prem towards REST API.

        in our environment we can consume REST API and there hasn't ever been a configuration in Client Gateway for this to work. 

        Oct 15, 2020 09:14
        1. Martha Mulvaney

          REST API calls talk over HTTPS and do not route through the Client Gateway. The REST API is configured on the BMC side with a URL provided to the customer at activation time.

          Oct 15, 2020 05:43
          1. Marcell Alzate

            sorry... my statement  was wrongly written (wink)


            I meant: I CAN confirm that CLient Gateway is not taking part of the connection from how we had validated now the solution on our side (wink)


            Oct 19, 2020 08:57
            1. Esteban Faz

              Hi

              Now, we have a client gateway custom, The API REST passes through of client gateway for a integration with other ITSM

              Nov 29, 2022 10:46
  2. Jan Sierens

    Is SDK a requirement or can we install JRE?

    Is OpenJDK supported?

    Apr 24, 2019 04:38
    1. Martha Mulvaney

      Hi Jan, SDK is no longer a requirement. The gateway does support OpenJDK however the current version (KWIC/5.x) has its own embedded Java , so there is no need to install it separately.


      Jan 20, 2020 08:43
      1. Marcell Alzate

        Hi,

        Java SDK 8 licensing is now having a cost.   I guess reason for asking for OpenJDK.

        whose licence will be used with the embedded java (KWIC/5.x) ?

        Feb 10, 2020 06:52
        1. Vipul Bhosale

          Hello Marcell,


          Embedded KWIC version uses OpenJDK

          Jun 11, 2020 01:08
  3. Sourabh Jhunjhunwala

    Do We have Sizing guidelines for client gateway

    Jun 05, 2020 10:55
    1. Martha Mulvaney

      Yes, see the first bullet under the installation and configuration section.

      Jun 05, 2020 11:07
  4. Keith Farrugia

    All sections are duplicated:

    Feb 24, 2022 01:40
    1. Betty Xu

      Thanks Keith, should be fixed now.  

      Feb 24, 2022 02:11
  5. Shekhar Raj

    Can we upload the Gateway Request form in Word format? One cannot use pdf format document to update and then upload in the Lifecycle request?

    Jun 02, 2022 06:33
    1. Dhanya Menon

      Hello Shekhar,

      Thank you for the suggestion. We have attached the Gateway Request form in Word format.

      Regards,

      Dhanya 

      Jun 08, 2022 02:47
  6. Sudeepkumar Chandrasekaran

    is there client gateway needed for  consuming third party interface REST APIs which are on premise from Helix Innovation stuido which is on cloud ?

    Nov 25, 2022 08:40
    1. Dhanya Menon

      Thank you for your query, Sudeep.

      If the on-premise REST APIs are not exposed over the internet, they can be consumed via Client Gateway.

      Regards,

      Dhanya

      Jan 19, 2023 05:52
  7. Thad Esser

    The "How TLS/SSL works with the Gateway" link is broken.

    Jan 31, 2023 04:51
    1. Dhanya Menon

      Hello Thad,

      Thank you for letting us know about this broken link.

      I have checked the kaazing website but the information about TLS is no longer available. I have therefore removed this link.

      Regards,

      Dhanya

      Feb 02, 2023 04:46
  8. Diego felipe Rodriguez gomez

    Any minimal Bandwidth recommendation for the connection? regards

    Feb 10, 2023 09:47
    1. Dhanya Menon

      Thank you for your comment, Diego.

      There are no particular bandwidth recommendations for BMC Helix Client Gateway connection. It varies based on the integration being used.

      Regards,

      Dhanya

      Feb 15, 2023 06:09
  9. Ezequiel Bautista

    Are there limits on the traffic that the client gateway can support?... For example, if it is used to connect Helix with a network element manager that will generate incidents?

    Jul 13, 2023 01:19
    1. Dhanya Menon

      Thank you for your comment, Ezequiel. There are no limits in terms of network traffic that can go via client gateway. 

      Regards,

      Dhanya

      Jul 20, 2023 04:42
  10. Andreas Petraschke

    Please add to this page/the setup instructions how to add a proxy to the Client Gateway config on Windows and Linux. We have to use this proxy to reach internet destinations.

    Dec 16, 2023 10:06
    1. Rodrigo Barcat

      Andreas, did you manage to set up the client gateway with a proxy? I have a client asking me about it, but I couldn't find anything explicit in the documentation.

      Jan 06, 2024 03:52
    1. Rodrigo Barcat

      BMC Teams have this answer? Is it possible to connect client gateway using proxy config?

      Jan 08, 2024 08:10
      1. Dhanya Menon

        Hello Andreas, Rodrigo, Thank you for your comments.

        I will check with our SME and revert on this query.

        Regards, Dhanya

        Jan 08, 2024 09:13