Connecting to TCP Servers with Luminate Secure Access Cloud

book

Article ID: 174889

calendar_today

Updated On:

Products

Secure Access Cloud

Issue/Introduction

Connecting to TCP Servers with Luminate Secure Access Cloud

Resolution

Luminate Secure Access Cloud (TM) can provide secure connectivity for any TCP-based protocol to any TCP Service deployed in on-premises, IaaS or PaaS environments. This article will explain how to configure the connectivity (for Luminate Administrators) and will provide a number of examples on how to use it (for Luminate users).

Below diagram explains the topology of the solution:

In the diagram, the Destination Server, deployed in the customer's datacenter or cloud location provides some kind of a service on TCP Ports XXX and YYY and the end-user is looking to consume this service (i.e., to connect to these ports) via Luminate Secure Access Cloud (TM).

The traffic is authenticated and authorized by Luminate Secure Access Cloud (TM) using any of these methods:

  • One-time temporary token (for interactive users)
  • Dedicated SSH Key (for heavy usage or non-interactive service-to-service access)

The traffic is encrypted in transit with the following means:

  • Industry-standard SSH Protocol (between the end-users' device and Luminate Secure Access Cloud (TM) Points of Delivery (PoDs)
  • TLS 1.2 tunnel (between the Luminate Secure Access Cloud PoDs and Luminate Connectors, deployed in customers' datacenters)

 

Configuring TCP Tunnels in the Admin Portal

Definitions of TCP Tunnels are made in the Admin Portal (or via an API). First a Site that contains the TCP Servers should be chosen (naturally, Luminate Connectors defined in the site should be able to connect to the actual servers over TCP).

First, in the Applications view, create a new TCP Tunnel:

The most important fields when defining an SSH Tunnel are:

 

  • Name - The name of the services/servers that the connectivity is being provided to
  • Target Address - DNS or IP Address of the service in the datacenter (could point to a load balancer)
  • Target Ports - TCP Ports that will be available for access
  • External Address - The DNS record for a virtual "TCP Gateway" that will be used by the connecting clients
  • Site - Luminate Site where the servers/services are deployed (the connectivity will be delivered in via Luminate Connectors associated with this site.

After defining the TCP Tunnel properties, it needs to be assigned to certain users or groups:

For each assigned entity, authentication settings should be chosen - either a one-time token or an SSH Key. All the policies related to SSH connections will apply to TCP Tunnels.

 

Using TCP Tunnels

Using TCP Tunnels can be done by either doing Local Port Mapping using any SSH Client (OpenSSH, Putty, SecureCRT, MobaXterm - among others) or by using an application that supports connecting over an SSH Tunnel (such as, but not limited to, MySQL Workbench, pgAdmin,  Robo 3T, FastoRedis and more). 

Luminate Applications Portal offers a convenient UX for creating local port maps using an OpenSSH CLI. By clicking on an icon representing the tunnel, the user is presented with the following UX:

The UI is building a default port mapping command using a Local Host IP address and the same ports as the ones exposed by the original TCP servers. Naturally, the IP Address or the local ports can be changed.

Additionally, here are guides on using SSH Tunnels in different tools:

Many more different applications and tools have a built-in SSH Tunnel support.

Attachments