Configuring the Secure Gateway

The Secure Gateway is a designated Platform Agent that enables software inside the customer network to securely communicate with the server-based components of RunMyJobs. The Secure Gateway runs inside the customer network, behind the customer firewall, and communicates with the RunMyJobs server components via HTTPS. All traffic between the customer network and the RunMyJobs server processes passes through the Secure Agent. All communication is initiated from inside the customer network, for additional security. The Secure Gateway is only available to RunMyJobs SaaS customers.

This topic explains how to configure a Platform Agent to be the Secure Gateway.

Secure Gateway Overview

The Secure Gateway acts as a proxy for communications between a managed application and your RunMyJobs SaaS environment. It communicates via a dedicated, encrypted connection, using an exchange of credentials known only within the customer-specific SaaS environment. The following graphic shows the RunMyJobs SaaS architecture when the Secure Gateway is deployed.

The Secure Gateway can facilitate communication with various customer systems, including the following. If you need connections to other environments, contact Redwood.

  • SAP systems
  • Oracle EBS applications
  • IBM iSeries (AS400)
  • Web Service based solutions
  • BusinessObjects
  • PeopleSoft
  • Database connections (via JDBC)
  • SMTP (email) connections

As can be seen in the diagram, connections from other Platform Agents are independent from the Secure Gateway and each other. This provides flexibility and contributes to fault tolerance (see below).

The Secure Gateway connection is initiated from the Platform Agent that is configured to act as the communication proxy instance. This connection is an established, HTTPS-secured TCP connection. Because it is opened from inside the customer network, no open incoming ports in the customer firewall are required to set up connections from Redwood Server to the required applications.

The general process for configuring the Secure Gateway is as follows:

  1. Decide where to host the Secure Gateway
  2. Download and Install the Platform Agent
  3. Configure Job Server(s) for Secure Gateway
  4. Restart the preferred Secure Gateway Job Server candidate
  5. Configure application connections

The following sections describe these steps in more detail.

Deciding Where to Host the Secure Gateway

The Secure Gateway establishes secure communication between managed applications and the customer's dedicated Redwood SaaS environment. This includes passing instructions to the managed applications on which processes are to execute, as well as passing progress and completion status data from the applications back to the central RunMyJobs server. It is, therefore, important to locate any Platform Agent that is a Secure Gateway candidate on a server that is:

  1. Located inside the corporate firewall
  2. Able to communicate through the internal network with the applications to be managed
  3. Able to connect to your Redwood *.cloud environment (verify your URL after connecting to an environment)
  4. Connected over a reliable, fast (low-latency) network

Fault Tolerance Considerations

The Secure Gateway is designed to be highly available. At any time only one Platform Job Server acts as the Secure Gateway, but if the active Secure Gateway becomes unavailable, any other Platform Job Server that is designated as a Secure Gateway Candidate will take over the role automatically and seamlessly.

Note: Any Platform Job Server can be configured to serve as a Secure Gateway candidate in addition to its other roles. However, for safety, Redwood recommends having at least two dedicated Secure Gateway candidate Platform Job Servers that do NOT have other roles.

DMZ Setup

Secure Gateways in a DMZ need to be able to connect to the central Redwood server on port 443 and to all remote systems (ERP, REST/SOAP, JDBC, IBM i, SMTP...) on the configured ports. See the remote-system specific documentation for the default ports.

Installing the Platform Agent

Installing the Platform Agent(s) for Secure Gateway purposes is done in exactly the same way as when installing Platform Agents for general use.

Note: The Secure Gateway is only supported to run on Platform Agents on Linux x86 and Windows.

Redwood recommends using Linux x86 64-bit for hosting the Secure Gateway, as a best practice. Once installed, each Platform Agent will be registered with a Job Server in the customer-specific Redwood Cloud environment. The Job Server name will be the same as the hostname on which the Platform Agent is installed to make identification easy, and it is the Job Server name that is used when referring to Secure Gateway connections in the Redwood user interface.

Configuring Job Servers for the Secure Gateway

To configure the Secure Gateway, you need at least one Platform Agent Job Server, and you must have the Cloud Administrator role.

To designate a Job Server as a Secure Gateway candidate, navigate to Configure > Control > Job Servers, right-click the Job Server you want to use and choose Edit. Then check Secure Gateway Candidate, save the change, and restart the Job Server by right-clicking it and choosing Restart from the context menu.

  • At least one Job Server designated as a Secure Gateway must be restarted before any can be selected as the active Secure Gateway.
  • If there are multiple Job Servers designated as Secure Gateways, the first to be restarted will become the active Secure Gateway.
  • If only one Job Server has been designated as a Secure Gateway candidate, it will become the active Secure Gateway only after being restarted.
  • If more than one Job Server has been designated as a Secure Gateway, you only need to restart one of them to achieve fault tolerance. The other Job Servers do not need to be restarted.

For example, assume you have two Job Servers named A and B, both of which are configured as Secure Gateway candidates.

  • If you start A and then B, A will be the Secure Gateway because it was started first.

  • If you then stop A, B will take over as Secure Gateway.

  • If you then restart A, B will remain the Secure Gateway.

  • If you then stop B, A will once again take over as Secure Gateway.

Identifying the Active Secure Gateway

At any time only one Secure Gateway candidate Job Server will be used as the active Secure Gateway. You can easily identify Secure Gateways and Secure Gateway candidates in the Job Servers screen by using the Column Chooser to add the Secure Gateway Candidate and Secure Gateway columns.

Secure Gateway Alerting

When the Secure Gateway connection between the proxy-processor in the central Redwood server and the current Platform Agent running as the client side of the secure websocket fails, the server tries to start another proxy-processor. However, this is only possible if there is another Secure Gateway candidate that is regarded as configured, meaning that there is a connection available.

If, however, the proxy-processor fails to establish a secure connection with this candidate after four minutes, then the proxy-processor exits and another Secure Gateway candidate is tried. If there are no further configured Secure Gateway candidates to try, then the following occurs:

  1. The System_Secure_Gateway Event is raised. This is an internal Event only for use by the Secure Gateway. This Event is raised provided that Secure Gateway alerts are configured.
  2. An alert message is sent to a pre-configured URL informing SaaS that the Secure Gateway is down. The header and body of the message are configurable.

Once the situation is resolved and the Secure Gateway connection is operational again:

  1. The System_Secure_Gateway Event is cleared.
  2. An alert message is sent to a pre-configured URL informing SaaS that the Secure Gateway is up.
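
The selection rules from "Configuring Job Servers for the Secure Gateway" and the alerting behaviour above can be replayed with a small model. This is an added example, not Redwood code: the names `GatewayModel` and `replay` are hypothetical, and it assumes that candidates are tried in start order, that each failed attempt costs the full four minutes, and that Secure Gateway alerts are configured.

```python
from dataclasses import dataclass, field
from typing import Optional

CONNECT_TIMEOUT_S = 4 * 60  # from the page: a candidate is abandoned after four minutes

@dataclass
class GatewayModel:
    """Toy model (not Redwood code) of Secure Gateway selection and alerting."""
    running: list = field(default_factory=list)    # started candidates, in start order
    unreachable: set = field(default_factory=set)  # running, but cannot connect
    active: Optional[str] = None
    alert_raised: bool = False                     # stands in for System_Secure_Gateway
    log: list = field(default_factory=list)        # alert messages sent, in order

    def start(self, name):
        """(Re)start a stopped candidate; return seconds spent on failed attempts."""
        if name not in self.running:
            self.running.append(name)
        return self._elect() if self.active is None else 0

    def stop(self, name):
        """Stop a candidate; if it was the active gateway, another takes over."""
        if name in self.running:
            self.running.remove(name)
        return self._elect() if self.active == name else 0

    def _elect(self):
        self.active, waited = None, 0
        for name in self.running:  # assumption: candidates are tried in start order
            if name not in self.unreachable:
                self.active = name
                if self.alert_raised:
                    self.alert_raised = False
                    self.log.append("Secure Gateway is up")
                return waited
            waited += CONNECT_TIMEOUT_S
        if not self.alert_raised:  # no candidate left; assumes alerts are configured
            self.alert_raised = True
            self.log.append("Secure Gateway is down")
        return waited

def replay(steps):
    """Apply (operation, name) steps; return the active gateway after each, and the model."""
    model, actives = GatewayModel(), []
    for op, name in steps:
        getattr(model, op)(name)
        actives.append(model.active)
    return actives, model
```

Under these assumptions, the time before the "down" alert is sent grows by four minutes for every running candidate that cannot complete the connection.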
