VPN setup

Overview

A virtual private network (VPN) is a technology that extends a private network (e.g. the one on your corporate premises) across a public network (i.e. the internet), providing a secure tunnel over the communication channel.

Its security relies on encrypting the data transmitted between Bizagi Cloud and other systems when protocols other than HTTPS are used (HTTPS already encrypts the channel itself).

 

Its main purpose in a Bizagi Cloud service is therefore to establish a secure channel for integration requirements that involve certain systems and non-HTTP protocols or ports (such as raw TCP connections).

 

[Image: Cloud_VPN]

 

Understanding the concept, meeting the requirements and carrying out the configuration will likely require an IT administrator on your side.

 

Note: Recall that using a VPN is optional; Bizagi Cloud also supports an alternative way of integrating your systems that is based on a service layer and does not require a VPN setup.

 

When would I want to use a VPN?

If you plan to integrate Bizagi Cloud with your on-premises systems, and those systems are neither service-oriented nor set up so that they can be reached from the cloud, you can choose to configure a VPN.

In other words, when you want to use data virtualization or Windows authentication, or to import users from LDAP.

A VPN provides an additional degree of privacy when exchanging information over the internet: it protects transmitted data should it be intercepted by unauthorized parties, and it also connects the two endpoints as if they were physically wired together (in terms of network visibility).

 

Note: Whether or not you use a VPN, end users of Bizagi Cloud already rely on an encrypted HTTPS connection that protects data in transit.

This means that the VPN is a security measure specifically for the communication between Bizagi Cloud and other applications or systems of record that reside on your corporate network (outside Bizagi Cloud domains) and do not use HTTP/HTTPS.

 

You will NOT need a VPN if:

The systems you are integrating with your Bizagi Cloud service (such as email services, identity providers, ECMs, applications offering web services, or other corporate systems) are cloud-ready.

Cloud-ready means that they expose web services reachable over the internet (e.g. from a DMZ) and implement security protocols and standards that protect transmitted data.

Legacy systems, for instance, are typically not cloud-ready by themselves.

You will not integrate any systems with Bizagi Cloud (e.g. you will use Bizagi's local authentication and Bizagi's document repository).

 

Note: Using a DMZ on your side is best practice whether or not you plan to establish a VPN, and it is especially valuable for security when you wish to expose certain services to applications and services outside your network while still protecting the internal network and its resources.

 

Which type of VPN do I need (requirements)?

As a standard requirement, to configure a VPN you need a supported VPN device located on-premises, with a public IPv4 address assigned to it, that can be configured to use the IPsec protocol.

The public IP address must be IPv4, and the device must not be located behind a NAT.

 

Some recommended VPN devices are:

Microsoft: Routing and Remote Access Service

Cisco: ASA, ASR or ISR

Citrix: NetScaler MPX, SDX, VPX

Barracuda Networks: NextGen Firewall F-series or NextGen Firewall X-series

Dell SonicWALL: TZ Series, NSA Series, SuperMassive Series, or E-Class NSA Series

F5: BIG-IP series

Fortinet: FortiGate

Check Point: Security Gateway

Juniper: SRX, J-Series, ISG or SSG

Open Systems: AG Mission Control Security Gateway

 

To set up with Bizagi Cloud, the following specifications are used:

Site-to-site VPN, using Internet Protocol Security (IPsec) with an Internet Key Exchange (IKE) implementation.

IKE version: 1 or 2 (IKEv1, IKEv2).

Authentication method: Pre-shared key.

For phase #1 (IKE) the IPsec parameters are:

Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

DH group 2.

A key lifetime of 56600 seconds.

For phase #2 (IPsec SA) the parameters are:

Support for the AES256 and AES128 encryption algorithms, and the SHA1 and SHA256 hashing algorithms used for authentication.

A key lifetime of 7200 seconds.

 

In addition, you must clamp the TCP Maximum Segment Size (MSS) to 1350 bytes (TCP MSS clamp).
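The following Python script is an added example, not Bizagi's own code or tooling. It encodes the parameters listed above (IKE version, pre-shared key, phase 1 and phase 2 algorithms, DH group, lifetimes and the MSS clamp) together with the public IPv4 requirement from the previous section, and flags any setting on your device's proposal that would not negotiate against them. The input layout (field names such as phase1, dh_group, lifetime_s) and the on-premises address check are assumptions made for this example; the sample addresses are constructed placeholders.

```python
"""Check a proposed site-to-site VPN configuration against the IPsec
parameters documented for Bizagi Cloud (added example, not Bizagi's code).

The configuration dict layout is a hypothetical one an administrator would
fill in from the device's configured proposal.
"""
import ipaddress

# Parameters as listed on the page for the Bizagi Cloud site-to-site VPN.
REQUIRED = {
    "ike_versions": {1, 2},
    "auth_method": "psk",
    "phase1": {
        "encryption": {"aes128", "aes256"},
        "integrity": {"sha1", "sha256"},
        "dh_group": 2,
        "lifetime_s": 56600,
    },
    "phase2": {
        "encryption": {"aes128", "aes256"},
        "integrity": {"sha1", "sha256"},
        "lifetime_s": 7200,
    },
    "tcp_mss": 1350,
}

# Address ranges that indicate the gateway is behind NAT or not routable at all.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def check_public_ipv4(addr: str) -> list:
    """Return problems with the on-premises gateway address: it must be IPv4
    and must not fall in a private or CGNAT range (which means NAT is in play)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IP address"]
    if ip.version != 4:
        return [f"{addr} is IPv{ip.version}; an IPv4 address is required"]
    if any(ip in net for net in NON_PUBLIC_V4):
        return [f"{addr} is not a public address (device is likely behind NAT)"]
    return []


def check_phase(name: str, proposal: dict, required: dict) -> list:
    """Compare one phase's proposal with the required settings. For algorithms,
    at least one offered value must be supported, otherwise IKE has nothing
    to agree on; DH group and lifetime must match exactly."""
    problems = []
    for field in ("encryption", "integrity"):
        offered = {a.lower() for a in proposal.get(field, [])}
        if not offered & required[field]:
            problems.append(f"{name}: {field} {sorted(offered)} has no overlap "
                            f"with {sorted(required[field])}")
    if "dh_group" in required and proposal.get("dh_group") != required["dh_group"]:
        problems.append(f"{name}: DH group {proposal.get('dh_group')} "
                        f"!= {required['dh_group']}")
    if proposal.get("lifetime_s") != required["lifetime_s"]:
        problems.append(f"{name}: key lifetime {proposal.get('lifetime_s')}s "
                        f"!= {required['lifetime_s']}s")
    return problems


def check_vpn_config(cfg: dict) -> list:
    """Return every mismatch found; an empty list means the proposal matches
    all parameters on the page."""
    problems = check_public_ipv4(cfg.get("public_ip", ""))
    if cfg.get("ike_version") not in REQUIRED["ike_versions"]:
        problems.append(f"IKE version {cfg.get('ike_version')} not in "
                        f"{sorted(REQUIRED['ike_versions'])}")
    if str(cfg.get("auth_method", "")).lower() != REQUIRED["auth_method"]:
        problems.append(f"authentication {cfg.get('auth_method')!r} must be "
                        f"a pre-shared key ('psk')")
    problems += check_phase("phase1", cfg.get("phase1", {}), REQUIRED["phase1"])
    problems += check_phase("phase2", cfg.get("phase2", {}), REQUIRED["phase2"])
    if cfg.get("tcp_mss") != REQUIRED["tcp_mss"]:
        problems.append(f"TCP MSS clamp {cfg.get('tcp_mss')} != {REQUIRED['tcp_mss']}")
    return problems


# Constructed samples: a matching proposal, and one with typical mismatches.
GOOD = {
    "public_ip": "203.0.113.10",  # documentation range used as a placeholder
    "ike_version": 2,
    "auth_method": "psk",
    "phase1": {"encryption": ["aes256"], "integrity": ["sha256"],
               "dh_group": 2, "lifetime_s": 56600},
    "phase2": {"encryption": ["aes256", "aes128"], "integrity": ["sha256"],
               "lifetime_s": 7200},
    "tcp_mss": 1350,
}
BAD = {
    "public_ip": "192.168.1.1",   # private address: gateway is behind NAT
    "ike_version": 2,
    "auth_method": "certificate",
    "phase1": {"encryption": ["3des"], "integrity": ["md5"],
               "dh_group": 14, "lifetime_s": 28800},
    "phase2": {"encryption": ["aes256"], "integrity": ["sha256"],
               "lifetime_s": 3600},
    "tcp_mss": 1460,
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_vpn_config(cfg) or "matches all documented parameters")
```

Run it before submitting the request form: every line it prints for your own device's proposal is a setting that would stop the tunnel from coming up or, in the MSS case, cause fragmentation problems once it does.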

 

How to establish the VPN (next steps)?

The first step to establish a VPN is to fill out the VPN request form, by contacting us at cloud@bizagi.com.

The form will require you to provide specific details such as your Public IP address and the specific VPN device you use.

 

Once you submit this information, we will contact you with instructions on how to configure your VPN device and establish the connection on your side.