Connecting Syncly in the cloud to on-premises iManage using an Application Proxy
Overview
For customers with an on-premises iManage system using Syncly cloud, API access (HTTPS traffic on port 443) must be allowed.
Syncly can provide customers with the fixed IP address ranges of the service so that customers can whitelist connectivity.
Customers can either:
- Provision direct, inbound access using a combination of a DMZ/firewall
- Configure Azure AD Application Proxy (more detail below)
- Configure a third-party solution such as Zero Trust Network Access (ZTNA), for example Cloudflare Zero Trust
As an organisation we have spent the most time using Azure AD Application Proxy, which has the following benefits.
Azure AD Application Proxy
For iManage this must be configured with passthrough authentication so that REST API traffic flows through to the on-premises (utility) server. The connector service appends the X-Forwarded-For header to the request, carrying the source address of the Syncly service, and this header can be used to allow or deny the request.
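As an added illustration (not Syncly's or Microsoft's code) of the allow/deny decision the X-Forwarded-For header makes possible, the following Python models a check the on-premises utility server can apply. It assumes the address the connector appends is the last comma-separated entry in the header, matches it against the fixed Syncly ranges (shown here as constructed placeholder CIDRs), and ignores the header on any request that did not arrive from a connector host, since a request that bypassed the proxy could carry any header value its sender chose.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder ranges standing in for the fixed Syncly IP ranges
# the service publishes; replace with the real ranges supplied by Syncly.
SYNCLY_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed placeholder: the hosts running the Application Proxy connector.
# Only requests that actually arrive from a connector carry a header we
# should trust.
CONNECTOR_HOSTS = ["10.0.0.0/24"]


def _in_ranges(addr: str, cidrs: Iterable[str]) -> bool:
    """Return True when addr falls inside any of the given CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed address: never treat as allowed
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def client_from_xff(xff: Optional[str]) -> Optional[str]:
    """Return the last X-Forwarded-For entry, assumed to be the address the
    connector appended. Earlier entries are whatever the caller or an
    upstream hop supplied and are not relied on."""
    if not xff:
        return None
    return xff.split(",")[-1].strip() or None


def allow_request(peer_ip: str, xff: Optional[str],
                  allowed: Iterable[str] = SYNCLY_RANGES,
                  connectors: Iterable[str] = CONNECTOR_HOSTS) -> bool:
    """Allow only when the request came in via a connector host and the
    address the connector recorded lies inside the Syncly ranges."""
    if not _in_ranges(peer_ip, connectors):
        return False  # did not come through the proxy; header is untrusted
    client = client_from_xff(xff)
    return client is not None and _in_ranges(client, allowed)
```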
All access is outbound
ℹ️ You don't need to open inbound connections to the corporate network.
Application Proxy connectors only use outbound connections to the Azure AD Application Proxy service, which means that there is no need to open firewall ports for incoming connections.
Traditional proxies required a perimeter network (also known as DMZ, demilitarized zone, or screened subnet) and allowed access to unauthenticated connections at the network edge. This scenario required investments in web application firewall products to analyze traffic and protect the environment. With Application Proxy, you don't need a perimeter network because all connections are outbound and take place over a secure channel.
Traffic termination
ℹ️ All traffic is terminated in the cloud.
Because Azure AD Application Proxy is a reverse proxy, all traffic to back-end applications is terminated at the service. The session is re-established only between the service and the back-end server, which means that your back-end servers are not exposed to direct HTTP traffic. This configuration means that you are better protected from targeted attacks.
Azure DDoS Protection Service
Applications published through Application Proxy are protected against Distributed Denial of Service (DDoS) attacks. This protection is managed by Microsoft and is automatically enabled in all our datacenters. The Azure DDoS protection service provides always-on traffic monitoring and real-time mitigation of common network-level attacks.
Automatic Updates
Azure AD provides automatic updates for all the connectors that you deploy. As long as the Application Proxy Connector Updater service is running, your connectors update with the latest major connector release automatically. If you don’t see the Connector Updater service on your server, you need to reinstall your connector to get any updates.
If you don't want to wait for an automatic update to come to your connector, you can do a manual upgrade. Go to the connector download page on the server where your connector is located and select Download. This process kicks off an upgrade for the local connector.
For tenants with multiple connectors, the automatic updates target one connector at a time in each group to prevent downtime in your environment.
You may experience downtime when your connector updates if:
- You only have one connector. We recommend installing a second connector and creating a connector group, which avoids downtime and provides higher availability.
- A connector was in the middle of a transaction when the update began. Although the initial transaction is lost, your browser should automatically retry the operation or you can refresh your page. When the request is resent, the traffic is routed to a backup connector.