BMC Helix Client Gateway connectivity
BMC Helix Client Gateway is a non-VPN solution that securely connects your on-premises applications to BMC Helix services. The gateway uses Kaazing WebSocket Intercloud Connect (KWIC) to enable Transmission Control Protocol (TCP)-based WebSocket communication between on-premises systems and BMC Helix cloud services. You must install a client at your site to enable this connection.
For FedRAMP Impact Level 4 customers in the United States, your connection uses the Government NIPRNet instead of the internet.
You need to configure the BMC Helix Client Gateway if you're performing any of these activities:
- Using BMC Developer Studio for customization development.
- Using the LDAP protocol for people data loads.
- Integrating to or from third-party systems that don't communicate via HTTPS.
Refer to the following child topics for more information about BMC Helix Client Gateway.
- Requirements - System requirements and Gateway configuration options.
- Installing - Downloading the installation files and installing the BMC Helix Client Gateway for the first time.
- Upgrading - Upgrading from an older version of the BMC Helix Client Gateway to the latest version.
- Configuring - BMC Helix Client Gateway configuration elements and adding a proxy.
Benefits
BMC Helix Client Gateway offers highly secure, hybrid cloud connectivity with these benefits:
- Quick deployment of new cloud applications and services
- Secure connection to existing infrastructure without hardware or VPNs
- Modern web standards, including WebSocket, HTTP, and TLS encryption
- Native, secure, on-demand connection of TCP and HTTP enterprise services
- Enhanced infrastructure-to-infrastructure connectivity
- Secure end-to-end connections with authentication interfaces
- DMZ-friendly installation
Transport TCP connections using WebSocket technology
Cloud-to-on-premises integrations can be challenging when the integration architecture requires a low-level network connection. This TCP connection normally requires a full site-to-site VPN between you and the BMC Helix service locations. BMC Helix Client Gateway solves this challenge by transporting TCP connections using internet-friendly WebSocket technology.
Secure bidirectional data flows
BMC Helix Client Gateway delivers sophisticated server-to-server integrations, avoiding the complexity, cost, and time penalties associated with VPN architectures. The deployment handles bidirectional data flows over a secure, SSL-encrypted connection.
Even for connections that are logically initiated from the BMC Helix data center, the gateway architecture allows the transport layer to be physically initiated from the on-premises end toward BMC Helix. This approach is firewall-friendly because no special firewall rules are required at your end. All traffic transits the public internet over HTTPS using TLS 1.2 and TLS 1.3. Connections from the gateway can traverse proxies and firewalls without special rules or open ports.
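The outbound-initiated transport described above, as an added loopback demonstration (not BMC or KWIC code): the on-premises side opens the only connection toward the cloud, and a cloud-initiated request still reaches an internal service over it. It assumes plain TCP in place of WebSocket and TLS; all function names and the upper-casing service are hypothetical.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"  # constructed demo: every endpoint lives on localhost

def start_onprem_service():
    """Stand-in for an internal TCP service (for example LDAP); replies in upper case."""
    srv = socket.create_server((LOOPBACK, 0))
    def serve_once():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(conn.recv(1024).upper())
    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

def onprem_gateway(cloud_port, service_port):
    """On-premises side: dials OUT to the cloud, then relays one request inward."""
    with socket.create_connection((LOOPBACK, cloud_port)) as tunnel:
        request = tunnel.recv(1024)              # request arrives on the outbound socket
        with socket.create_connection((LOOPBACK, service_port)) as svc:
            svc.sendall(request)
            tunnel.sendall(svc.recv(1024))       # reply returns over the same socket

def cloud_request(payload):
    """Cloud side: accepts the tunnel, then sends a cloud-initiated request through it."""
    cloud = socket.create_server((LOOPBACK, 0))  # only listener reachable from off-site
    service_port = start_onprem_service()
    gateway = threading.Thread(target=onprem_gateway,
                               args=(cloud.getsockname()[1], service_port), daemon=True)
    gateway.start()
    tunnel, _ = cloud.accept()                   # accepted, never dialed, by the cloud
    with tunnel, cloud:
        tunnel.sendall(payload)
        reply = tunnel.recv(1024)
    gateway.join(timeout=5)
    return reply

if __name__ == "__main__":
    print(cloud_request(b"directory lookup"))
```

The on-premises firewall sees a single outbound connection here, so egress logging is where this traffic is visible.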
Unpublished web services
If you have an integration that calls an unpublished web API, you might need to route the traffic through the BMC Helix Client Gateway.
If you need SSL certificates to enable an encrypted connection, you must provide them to BMC Helix (one certificate per environment). You're responsible for obtaining and renewing these certificates, and for managing any redirection configuration on your network.
List any related requirements on the BMC Helix Client Gateway request form, and provide the certificates to BMC Helix via a change request. BMC Helix SaaS Operations helps you with certificate loading and testing.
Development and disaster recovery
During the development of a new integration, you often need to connect an on-premises application to any BMC Helix application environment (development/tailoring, QA, or production). You might also have test, sandbox, or development systems for the on-premises applications.
BMC Helix Client Gateway simplifies connecting these various environments. You can:
- Change the application endpoint on the on-premises side without involving BMC Helix.
- Maintain multiple gateways connecting to each BMC Helix service location from the same location.
In disaster recovery scenarios, the gateway architecture fails over to alternate BMC Helix data centers, just as it does for any other web traffic. In a disaster situation, BMC Helix reroutes published hostnames (URLs) by modifying DNS entries and retargeting traffic from existing on-premises gateways to the alternate (backup) locations. This is accomplished without redeploying or reconfiguring the gateway.
