VPN setup



A Virtual Private Network (VPN) is a technology used to extend a private network (for example, the one in your corporate premises) across a public network (such as the internet), providing a secure tunnel over the communication channel.

Its security relies on encrypting and decrypting the data transmitted between Bizagi PaaS and other systems when protocols other than HTTPS are used (HTTPS already takes care of encrypting the channel on its own).


Its main purpose in a Bizagi PaaS service is, therefore, to establish a secure channel for integration requirements that involve specific systems and ports (for example, plain TCP connections).






Recall that using a VPN is optional: there is an alternative way to integrate your systems with Bizagi PaaS which involves a service layer and does not require a VPN setup.

Its concepts, requirements and configuration are likely to require an IT administrator on your side.

A VPN setup also entails additional costs on top of the subscription fee.


When would I want to use a VPN?

If you plan to integrate Bizagi PaaS with your on-premises systems, and those systems are neither service-oriented nor technologically set up so that they can be reached from Bizagi PaaS (that is, from the internet), then you can choose to configure a VPN.

In other words, when you want to use Bizagi integration features such as:

Data Virtualization/Replication.

LDAP authentication, or the built-in LDAP synchronization module to import users into Bizagi.

Invoking your corporate web services, connecting to your corporate SMTP server, or other similar services, whenever these are set up inside your network.


Consider that a VPN establishes a connection between two endpoints as if they were physically wired (in terms of visibility, but not in terms of performance), while also providing an additional degree of privacy when exchanging information, since transmitted data is encrypted and therefore protected should it be intercepted by an unauthorized party.

Having said that, it is important that you assess any potential performance impact of using a VPN, especially for online requests (as opposed to scheduled jobs), so that you can determine whether the factors inherent to on-premises-to-cloud communication significantly affect your requirements.

Some of these inherent factors, which are beyond Bizagi PaaS' control, are: higher latency in data transmission; fluctuations, interference and congestion affecting the speed of the channel; and the quality of the networks used during transmission.




Please bear in mind that, whether or not you use a VPN, end users of Bizagi PaaS already rely on an encrypted connection (HTTPS) that protects data in transit.

This means that the VPN is a secure integration measure oriented specifically at the communication between Bizagi PaaS and other applications or systems of record that reside on your corporate network (outside of Bizagi PaaS domains) and that do not use HTTP/HTTPS.


You will NOT need a VPN if:

The systems you are integrating with your Bizagi PaaS service (such as email services, identity providers, ECMs, applications offering web services, or other corporate systems) are cloud-ready.

Cloud-ready means that they expose web services that can be accessed through the internet (e.g. residing in a DMZ) while implementing security protocols and standards to protect transmitted data.

Legacy systems, for instance, are typically not cloud-ready by themselves.



Consider as cloud-ready any system or service that is cloud-native, cloud-enabled, or simply published for access through a public channel such as the internet.

In practice, this means a service that has an HTTP/HTTPS endpoint (the latter preferred).


You will not be integrating any systems with Bizagi PaaS (e.g. you will use Bizagi's local authentication and Bizagi's document repository).



Using a DMZ on your side is a best practice whether or not you plan to establish a VPN, but it is especially useful in security terms if you wish to expose certain services to applications and services from outside your network while still protecting the internal network and its resources.


Which type of VPN do I need (requirements)?

As a standard requirement, in order to configure a VPN you will need a supported VPN device located on-premises, with a public IPv4 address assigned to it, that can be configured to use the IPsec protocol.

The public IP address must be IP version 4 and must not be located behind a NAT.


Some recommended VPN devices are:

Microsoft: Routing and Remote Access Service.

Cisco: ASA, ASR or ISR.

Citrix: NetScaler MPX, SDX, VPX.

Barracuda Networks: NextGen Firewall F-series or NextGen Firewall X-series.

Dell SonicWALL: TZ Series, NSA Series, SuperMassive Series, or E-Class NSA Series.

F5: BIG-IP series.

Fortinet: FortiGate.

Check Point: Security Gateway.

Juniper: SRX, J-Series, ISG or SSG.

Open Systems: AG Mission Control Security Gateway.


To set up a VPN with Bizagi PaaS, the following specifications are used:

Site-to-site VPN, using Internet Protocol Security (IPsec) with an Internet Key Exchange (IKE) implementation.

IKE version: 1 or 2 (IKEv1 or IKEv2).

Authentication method: pre-shared key.

Phase 1 IPsec parameters:

Encryption algorithms: AES256 and AES128. Hashing algorithms used for authentication (integrity): SHA1 and SHA256.

DH group: 2.

Key lifetime (in seconds): 56600.

Phase 2 IPsec parameters:

Encryption algorithms: AES256 and AES128. Hashing algorithms used for authentication (integrity): SHA1 and SHA256.

Key lifetime (in seconds): 7200.

Where your device supports it, prefer the stronger options from these lists (AES256 with SHA256) over AES128 and SHA1.


In addition, you must clamp the TCP Maximum Segment Size (MSS) to 1350 bytes (TCP MSS clamp).
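As an added illustration (not part of Bizagi's documentation) of why the MSS clamp in the specifications above matters: the calculation below shows how many bytes ESP adds to each TCP segment with the SHA1 or SHA256 integrity algorithms and whether a given MSS still fits the path without IP fragmentation. It assumes ESP tunnel mode with AES-CBC, an IPv4 outer header, no NAT-T (the page requires the device not to be behind NAT), a 1500-byte path MTU, and the usual HMAC-SHA1-96 and HMAC-SHA2-256-128 ICV truncations; AES-GCM would have a different overhead.

```python
# Assumed parameters (not from the page): ESP tunnel mode, AES-CBC, IPv4 outer
# header, no NAT-T UDP encapsulation, 1500-byte path MTU.
OUTER_IPV4_HDR = 20   # tunnel-mode outer IPv4 header
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16       # explicit IV carried with each AES-CBC packet
AES_BLOCK = 16        # inner packet + trailer is padded to the cipher block size
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
ICV_LEN = {"sha1": 12, "sha256": 16}   # HMAC-SHA1-96 / HMAC-SHA2-256-128 ICVs
INNER_IPV4_HDR = 20
TCP_HDR = 20          # base TCP header; options (e.g. 12-byte timestamps) add to it
PATH_MTU = 1500


def esp_packet_size(tcp_payload, hash_alg="sha256", tcp_options=0):
    """Bytes on the wire for one tunnel-mode ESP packet carrying a TCP segment."""
    inner = INNER_IPV4_HDR + TCP_HDR + tcp_options + tcp_payload
    # Everything that goes through AES-CBC (inner packet + ESP trailer),
    # rounded up to a whole number of cipher blocks.
    blocks = (inner + ESP_TRAILER + AES_BLOCK - 1) // AES_BLOCK
    encrypted = blocks * AES_BLOCK
    return OUTER_IPV4_HDR + ESP_HDR + AES_CBC_IV + encrypted + ICV_LEN[hash_alg]


def mss_fits(mss, hash_alg="sha256", tcp_options=0, mtu=PATH_MTU):
    """True if a full-size segment for this MSS survives ESP without fragmentation."""
    return esp_packet_size(mss, hash_alg, tcp_options) <= mtu


def max_mss(hash_alg="sha256", tcp_options=0, mtu=PATH_MTU):
    """Largest TCP payload whose ESP packet still fits the path MTU."""
    best = 0
    for payload in range(1, mtu):
        if mss_fits(payload, hash_alg, tcp_options, mtu):
            best = payload
    return best


if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(f"{alg}: max MSS = {max_mss(alg)} bytes, "
              f"or {max_mss(alg, tcp_options=12)} with a 12-byte TCP option")
    print("Ethernet default MSS 1460 fits:", mss_fits(1460))          # False
    print("Clamped MSS 1350 with options fits:", mss_fits(1350, tcp_options=12))  # True
```

The Ethernet default MSS of 1460 produces 1564-byte ESP packets that must be fragmented, while the 1350-byte clamp leaves room for TCP options and still stays under 1500 bytes.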


How to establish the VPN (next steps)?

The first step to establish a VPN is to fill out the VPN request form; contact us at cloud@bizagi.com to request it.

The form asks you to provide specific details such as your public IP address and the VPN device you use.


Once you submit this information, we will contact you with instructions on how to configure your VPN device and establish the connection on your side.