BMC Helix Client Gateway connectivity
BMC Helix Client Gateway is a non-VPN solution that securely connects your on-premises applications to BMC Helix services. The gateway uses Kaazing WebSocket Intercloud Connect (KWIC) to enable Transmission Control Protocol (TCP)-based WebSocket communication between on-premises systems and BMC Helix cloud services. You must install a client at your site to enable this connection.
For FedRAMP Impact Level 4 customers in the United States, your connection uses the Government NIPRNet instead of the internet.
You need to configure the BMC Helix Client Gateway if you're performing any of these activities:
- Using BMC Developer Studio for customization development.
- Using the LDAP protocol for people data loads.
- Integrating to or from third-party systems that don't communicate via HTTPS.
Refer to the following child topics for more information about BMC Helix Client Gateway.
- Requirements - System requirements and Gateway configuration options.
- Installing - Downloading the installation files and installing the BMC Helix Client Gateway for the first time.
- Upgrading - Upgrading from an older version of the BMC Helix Client Gateway to the latest version.
- Configuring - BMC Helix Client Gateway configuration elements and adding a proxy.
Benefits
BMC Helix Client Gateway offers highly secure, hybrid cloud connectivity with these benefits:
- Quick deployment of new cloud applications and services
- Secure connection to existing infrastructure without hardware or VPNs
- Modern web standards, including WebSocket, HTTP, and TLS encryption
- Native, secure, on-demand connection of TCP and HTTP enterprise services
- Enhanced infrastructure-to-infrastructure connectivity
- Secure end-to-end connections with authentication interfaces
- DMZ-friendly installation
Transport TCP connections using WebSocket technology
Cloud-to-on-premises integrations can be challenging when the integration architecture requires a low-level network connection. This TCP connection normally requires a full site-to-site VPN between you and the BMC Helix service locations. BMC Helix Client Gateway solves this challenge by transporting TCP connections using internet-friendly WebSocket technology.
Secure bidirectional data flows
BMC Helix Client Gateway delivers sophisticated server-to-server integrations, avoiding the complexity, cost, and time penalties associated with VPN architectures. The deployment handles bidirectional data flows in a secure, SSL-encrypted connection.
Even for connections that are logically initiated from the BMC Helix data center, the gateway architecture allows the transport layer to be physically initiated from the on-premises end toward BMC Helix. This approach is firewall-friendly because no special firewall rules are required at your end. All traffic transits the public internet over HTTPS using TLS 1.2 and TLS 1.3. Connections from the gateway can traverse proxies and firewalls without special rules or open ports.
Securing on-premises connectivity with reverse tunnel authentication
For scenarios where BMC Helix SaaS services need to access on-premises resources, BMC Helix Client Gateway uses reverse tunnels. In a reverse tunnel scenario, requests originate from the SaaS environment and are routed through an existing outbound secure WebSocket connection from the on-premises gateway. BMC SaaS applications use these WebSocket connections to access on-premises resources (for example, an HTTP server, a database, an LDAP server). Additional authentication is required for the secure WebSocket connections originating from the on-premises network. Reverse tunnel authentication ensures that only authorized gateways can establish and use these connections.
Reverse tunnel authentication is based on secure token-based validation between the on-premises and SaaS gateways.
- The on-premises BMC Helix Client Gateway authenticates with the SaaS gateway and obtains an access token.
- The on-premises gateway uses the token whenever it establishes or maintains a reverse tunnel secure WebSocket connection.
- The SaaS gateway validates the token before allowing the connection to proceed.
All communication uses secure WebSocket connections. The on-premises gateway automatically refreshes authentication tokens before they expire. The gateway handles this process transparently, without requiring manual intervention.
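The token flow above, modeled as an added example (not BMC's code or token format): the SaaS side issues an HMAC-signed, expiring token, the on-premises side attaches it when opening a reverse-tunnel WebSocket and refreshes it before expiry, and the SaaS side validates signature and expiry before admitting the tunnel. The shared secret, lifetime, claim names and the Bearer header are constructed assumptions for illustration.

```python
import base64, binascii, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; stands in for the gateways' real trust material
TTL = 300                            # constructed token lifetime in seconds
REFRESH_MARGIN = 60                  # refresh this many seconds before the token expires

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(gateway_id: str, now: int) -> str:
    """SaaS gateway: mint a signed token for an on-premises gateway that has authenticated."""
    payload = json.dumps({"gw": gateway_id, "exp": now + TTL}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def validate_token(token: str, now: int):
    """SaaS gateway: return the gateway id if the token is authentic and unexpired, else None."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None                                   # malformed token
    if not isinstance(claims, dict) or not hmac.compare_digest(_sign(payload), sig):
        return None                                   # tampered or forged (constant-time compare)
    if claims.get("exp", 0) <= now:
        return None                                   # expired
    return claims.get("gw")

def token_exp(token: str) -> int:
    return json.loads(base64.urlsafe_b64decode(token.split(".", 1)[0]))["exp"]

class OnPremGateway:
    """On-premises gateway: holds the token and refreshes it transparently before expiry."""
    def __init__(self, gateway_id: str, now: int):
        self.gateway_id = gateway_id
        self.token = issue_token(gateway_id, now)    # stands in for the initial authentication step
        self.refreshes = 0

    def tunnel_headers(self, now: int) -> dict:
        """Headers attached to a reverse-tunnel WebSocket open; refreshes the token first if near expiry."""
        if token_exp(self.token) - now <= REFRESH_MARGIN:
            self.token = issue_token(self.gateway_id, now)
            self.refreshes += 1
        return {"Authorization": "Bearer " + self.token}

def saas_accepts_tunnel(headers: dict, now: int) -> bool:
    """SaaS gateway: admit the reverse tunnel only when the presented token validates."""
    auth = headers.get("Authorization", "")
    return auth.startswith("Bearer ") and validate_token(auth[7:], now) is not None
```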
Reverse tunnel authentication is disabled by default. You must explicitly enable it in the SaaS gateway. The on-premises gateway must be running version 6.2.00 or later, and you must raise a service request with BMC Helix to request enablement. BMC Helix Support configures the required settings on both the on-premises gateway and the SaaS gateway to enable the feature.
When not enabled, reverse tunnels still operate in existing environments. Reverse tunnel authentication is designed for environments with dedicated BMC Helix Client Gateway deployments.
Benefits of reverse tunnel authentication for on-premises security
Reverse tunnel authentication strengthens the security of on-premises connectivity by allowing only correctly configured gateways to connect to the SaaS gateway. It introduces an additional authentication layer beyond the on-premises resource server and centralizes authentication and validation for all reverse tunnel connections at the SaaS gateway.
Unpublished web services
If you have an integration that calls an unpublished web API, you might need to route the traffic through the BMC Helix Client Gateway.
If you need SSL certificates to enable an encrypted connection, you must provide them to BMC Helix (one certificate per environment). You're responsible for obtaining and renewing these certificates, and for managing any redirection configuration on your network.
List any related requirements on the BMC Helix Client Gateway request form, and provide the certificates to BMC Helix via a change request. BMC Helix SaaS Operations helps you with certificate loading and testing.
Development and disaster recovery
During the development of a new integration, you often need to connect an on-premises application to any BMC Helix application environment (development/tailoring, QA, or production). You might also have test, sandbox, or development systems for the on-premises applications.
BMC Helix Client Gateway simplifies connecting these various environments. You can:
- Change the application endpoint on the on-premises side without involving BMC Helix.
- Maintain multiple gateways connecting to each BMC Helix service location from the same location.
In disaster recovery scenarios, the gateway architecture fails over to alternate BMC Helix data centers, just as it does for any other web traffic. In a disaster situation, BMC Helix reroutes published hostnames (URLs) by modifying DNS entries and retargeting traffic from existing on-premises gateways to the alternate (backup) locations. This is accomplished without redeploying or reconfiguring the gateway.
