TIBCO Cloud™ - Proxy Agent
TIBCO Cloud™ enables apps running in the cloud to access any TCP-based on-premises resource via TIBCO Cloud - Proxy Agent. It is a proprietary, secure, point-to-point tunneling connection between on-premises computers and an app container.
Overview
TIBCO Cloud - Proxy Agent consists of an on-premises client that can be downloaded and run on the command line.
With TIBCO Cloud - Proxy Agent, on-premises services such as JDBC, FTP, or JMS can be accessed by TIBCO Cloud apps. TIBCO Cloud - Proxy Agent does not need to expose your database or service as a public Internet service, so there is no requirement to change the firewall rules or to host the TIBCO Cloud - Proxy Agent in the DMZ (Demilitarized Zone).
TIBCO Cloud - Proxy Agent uses the secure WebSocket protocol (WSS) on top of TLS as the transport layer between on-premises resources and TIBCO Cloud. The connection is initiated over HTTPS/WSS by using TLS encryption. After being established, TIBCO Cloud - Proxy Agent uses a proprietary protocol on top of a secure WebSocket connection, ensuring that the caller is authenticated.
Supported Authentication Mechanism
You can connect TIBCO Cloud - Proxy Agent with TIBCO Cloud tunnel endpoints by using the AccessKey authentication, which is a TIBCO proprietary authentication mechanism. An AccessKey is composed of a pair of AccessKey Secret and AccessKey Hash. An AccessKey is required to expose the tunnel endpoints for user apps. For more information about Generating an access key, see Generating and Revoking Access Keys
Advantages
TIBCO Cloud - Proxy Agent architecture provides a number of key advantages over VPN connectivity:
-
You can connect only to on-premises or private cloud (private virtual network on the cloud) resources explicitly specified on the TIBCO Cloud - Proxy Agent command line. No other arbitrary on-premises resources can be accessed from TIBCO Cloud. Whereas with VPN connectivity, whatever is exposed by the VPN server is exposed to TIBCO Cloud.
-
You do not need service account credentials to run TIBCO Cloud - Proxy Agent. For VPN connectivity, you have to add the corporate network VPN information and credentials to TIBCO Cloud. TIBCO Cloud - Proxy Agent has more granular authentication requirements than VPN.
-
TIBCO Cloud - Proxy Agent enables secure communications without the need for you to open ports in your firewall.
-
TIBCO Cloud - Proxy Agent is lightweight, easy to install, and easy to configure with minimal technical prerequisites. The download is less than 10 MB.
-
TIBCO Cloud - Proxy Agent’s tunnels are isolated from each other. TIBCO Cloud ensures that only containers corresponding to the app associated with the specified tunnel endpoint can access the on-premises resources.
-
You can configure a single instance of TIBCO Cloud - Proxy Agent to connect to all internal (private) endpoint resources, or use multiple instances of TIBCO Cloud - Proxy Agent to connect to each individual resource.
TIBCO Cloud - Proxy Agent provides the following operational benefits:
-
Application Scaling: If you scale down a TIBCO Cloud app with active tunnel connections, the tunnel connections for the deleted instances (app docker containers) are automatically terminated. Similarly, when you scale up an app, the TIBCO Cloud - Proxy Agent process automatically discovers the new app instance and a new tunnel connection is established for the new container.
-
High Availability (HA): TIBCO Cloud - Proxy Agent is designed to work in HA mode. You can establish multiple tunnel connections simultaneously by starting multiple TIBCO Cloud - Proxy Agent processes, ideally on different machines located at different physical locations, and connecting to the same endpoint. When a given on-premises resource is reachable by more than one tunnel, the first tunnel, in the order of connection, is used, and all others are in standby mode, ready to be used if the first tunnel fails.
-
Fault Tolerance (FT): When a tunnel connection fails, for example, due to temporary network errors, the TIBCO Cloud - Proxy Agent process attempts to reconnect periodically. If TIBCO Cloud - Proxy Agent was started in HA mode (see above), the first available standby tunnel becomes the active tunnel. When the initial tunnel connection is re-established, the new connection becomes a new standby tunnel.
After you configure TIBCO Cloud - Proxy Agent, a secret key is saved in a configuration profile file located in a directory named tibtunnel
in the home directory of the current user unless the option--config-dir
is used to specify a different location. Therefore, to avoid security breaches, you must restrict access to this configured directory.