How does Convertigo Cloud access resources behind a firewall?


Convertigo Cloud is the cloud-based technology developed by Convertigo to enable Convertigo servers to run in the cloud, requiring no IT resources from the enterprise. Convertigo Cloud is based on Amazon’s EC2 IaaS (Elastic Compute Cloud) technology. This article describes how Convertigo Cloud can access enterprise resources located behind the company’s firewall.

The most important challenge is security. How can an enterprise be sure that only Convertigo Cloud will access its precious resources? The problem can be solved by using two techniques:

  • Checking Convertigo Cloud IP addresses.
  • Establishing an SSLv3-secured connection over the net and checking the client SSL certificate.

Convertigo Cloud servers will always be in a fixed IP address range. Firewalls should be configured to reject any call coming from outside this range. Any modification of the IP address range will be notified to Convertigo Cloud customers by mail. This setting alone would be enough to restrict access to an enterprise’s resources to Convertigo Cloud, but in that case any Convertigo Cloud customer would have access to any enterprise’s protected resources. This is why we also use a client SSL certificate to limit access to a given cloud customer.

Also, sending precious data across the Internet unprotected is not acceptable for most enterprises. This is why all traffic should use the SSLv3 protocol. Convertigo Cloud supports most protocols over SSL:

  • HTTPS (for HTML/Ajax resources)
  • SOAP/REST/JSON over HTTPS (Web Services)
  • TN5250, TN3270, TNVIP over SSLv3 (mainframe and legacy resources)

That is why firewalls should be configured to accept only SSLv3 connections and to check a given client certificate. Convertigo Cloud supports one unique client certificate per enterprise customer. This means that only a given enterprise’s Convertigo Cloud will be able to connect to its enterprise network. This SSL client certificate has to be provided by the enterprise and is mandatory for any Convertigo Cloud subscription.
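The two checks described above, combined into one admission decision on the enterprise side; this is an added example, not Convertigo code. Python's ssl module does not offer SSLv3, which RFC 7568 deprecated, so the context uses the module's TLS defaults in its place. The address range, the certificate bytes and the function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import ssl

# Constructed values: the page does not publish the real range or certificate.
CLOUD_RANGE = ipaddress.ip_network("203.0.113.0/24")  # documentation range
CUSTOMER_CERT_DER = b"constructed DER bytes, this enterprise's cloud"
OTHER_CUSTOMER_CERT_DER = b"constructed DER bytes, another cloud customer"
PINNED_SHA256 = hashlib.sha256(CUSTOMER_CERT_DER).hexdigest()


def server_context(ca_file=None):
    """TLS context that refuses any handshake lacking a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:  # CA that issued the enterprise-provided client certificate
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def authorize(peer_ip, peer_cert_der):
    """Return (allowed, reason) for one inbound connection.

    peer_cert_der is what SSLSocket.getpeercert(binary_form=True) returns.
    """
    # Check 1: the caller must sit inside the fixed cloud address range.
    if ipaddress.ip_address(peer_ip) not in CLOUD_RANGE:
        return False, "source address outside cloud range"
    # Check 2: the range is shared by every cloud customer, so the
    # certificate is what ties the connection to this enterprise.
    if not peer_cert_der:
        return False, "no client certificate presented"
    seen = hashlib.sha256(peer_cert_der).hexdigest()
    if not hmac.compare_digest(seen, PINNED_SHA256):
        return False, "certificate is not the pinned customer certificate"
    return True, "ok"


if __name__ == "__main__":
    for ip, cert in [("203.0.113.10", CUSTOMER_CERT_DER),
                     ("203.0.113.10", OTHER_CUSTOMER_CERT_DER),
                     ("198.51.100.7", CUSTOMER_CERT_DER)]:
        print(ip, authorize(ip, cert))
```

The second case is the one the IP filter alone cannot stop: a caller inside the cloud range that presents a different customer's certificate.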

