ConnectMyApps CloudConnector Client Security Overview
Introduction​
The ConnectMyApps CloudConnector client is a Windows application designed to seamlessly integrate on-premises applications with the ConnectMyApps cloud integration platform. Once installed, the client runs as a Windows Service that opens and maintains an outbound, encrypted connection to the Microsoft Azure Relay Service. Once the initial outbound connection is made, inbound messages may be sent from the ConnectMyApps cloud integration platform to the client via the relay, instructing the client to retrieve or process data from the underlying on-premises application it connects to.
The initial outbound connection is made over a standard TCP port capable of outbound traffic. As the initial connection is outbound from the client there is no need for inbound firewall exceptions to be made on the on-premises machine the connector is installed on.
Microsoft Azure Relay​
The ConnectMyApps CloudConnector client relies on the Microsoft Azure Relay service for communication with the ConnectMyApps cloud integration platform. The relay endpoint the client connects to is hosted within ConnectMyApps’ Azure environment. Further details about Microsoft Azure Relay can be found here.
Authentication and Encryption between Client and Relay​
CloudConnector uses Shared Access Signatures (SAS) for authentication to the Microsoft Azure Relay service. The client is only authorized to “listen” for incoming requests after initial first connection to the relay.
All communication over the Azure Relay connection between client and cloud is encrypted using Transport Layer Security (TLS) version 1.2.
Client Access Rights on Installed Machine​
The ConnectMyApps CloudConnector client is configured to run as a Windows Service under the default "Local System" OS built-in user account. Post-installation, this may be changed so that the service runs under a different account, such as the "Network Service" or even under dedicated user accounts, if desired. The client inherits the access rights of the Windows account under which it runs.
Authentication between Client and On-premises Application​
The client uses the standard authentication mechanism for the on-premises application it attempts to connect with. For MSSQL databases a SQL Connection is made using a provided SQL login. For Active Directory Windows authentication with a provided Windows login is used.
The client itself does not store application credentials locally. These are sent securely to the client in each encrypted message from the ConnectMyApps cloud integration platform. Credentials are not retained by the client but are disposed of once the request has completed.
Client Logging​
By default, the client logs each request received locally in a text file. The default log only contains the request meta data and does not contain the actual business data within a request, or the business data returned from a request.