
On-Premise Bridge security additional information

Security aspects addressed by the agent

  • Communication between an On-Premise Bridge Agent and Service Management is secured with SSL. In addition, the agent logs on to Service Management with the user name and password provided during installation. This user is created by the customer specifically for the On-Premise Bridge Remote Agent role.
  • Passwords for the endpoint credentials are stored encrypted on the customer's machine, using keys that are randomly generated during installation on that machine, so the stored credentials cannot simply be copied to and used from another machine. The agent uses AES 128 as the main encryption method.
  • The agent does not expose any internal information.

Security recommendations

  • Deploy the agent in an isolated network with a firewall between the agent and the target on-premise applications. The communication with Service Management requires port 443 to be opened. Internal communications with other on-premise applications may require opening additional ports.
  • Install the agent on a dedicated machine, and harden that machine.
  • Do not download the On-Premise Bridge Agent installation or updates from unknown sources.
  • (Windows only) The On-Premise Bridge Agent service runs as the Windows Local System account. You can protect the On-Premise Bridge Agent installation folder by granting permissions on that folder only to administrators and to the Local System account.
  • (Linux only) The On-Premise Bridge Agent service runs as a user with sudo permission. You can protect the On-Premise Bridge Agent installation folder by granting permissions on that folder only to non-root users with sudo permission.
  • Limit the permissions that you assign to on-premise application users to perform only specific required operations.
  • Only the user who is specified during the installation of the On-Premise Bridge Agent and who communicates between the agent and Service Management should have the On-Premise Bridge Remote Agent role.
  • Edit the PortRangeRMIServerSocketFactory so that the RMI server uses a specific port range, for example 49152-65535. Configure the RMI registry (server) to listen on localhost.
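To show what the last two recommendations amount to at the RMI level, the following is an added illustration (not the product's own PortRangeRMIServerSocketFactory, whose internals this page does not describe): an RMIServerSocketFactory that binds every RMI listener to the loopback address and to a port inside a fixed range, so one host firewall rule covers all RMI traffic and the registry is unreachable from other machines. The class name and the demo port values are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;

// Illustrative factory (assumed class, not the product's own): every RMI listener is bound
// to 127.0.0.1 and to a port inside [low, high], whether RMI asks for an explicit port
// (the registry) or for "any port" (exported remote objects).
public final class LoopbackRangeServerSocketFactory implements RMIServerSocketFactory {
    private final int low;
    private final int high;
    private final InetAddress loopback = InetAddress.getLoopbackAddress();
    private static Registry registry; // strong reference so the registry is not GC'd and unexported

    public LoopbackRangeServerSocketFactory(int low, int high) {
        if (low < 1 || high > 65535 || low > high) throw new IllegalArgumentException("invalid range");
        this.low = low;
        this.high = high;
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        if (port != 0) {
            // Explicit port (e.g. the registry port): refuse anything outside the configured range.
            if (port < low || port > high) throw new IOException("port " + port + " outside " + low + "-" + high);
            return new ServerSocket(port, 50, loopback);
        }
        // RMI passes 0 ("any port") when exporting objects; pick a free port from the range instead.
        for (int p = low; p <= high; p++) {
            try {
                return new ServerSocket(p, 50, loopback);
            } catch (IOException inUse) { /* port busy, try the next one */ }
        }
        throw new IOException("no free port in " + low + "-" + high);
    }

    // RMI reuses listeners keyed by factory equality, so equals/hashCode must be value-based.
    @Override public boolean equals(Object o) {
        return o instanceof LoopbackRangeServerSocketFactory
            && ((LoopbackRangeServerSocketFactory) o).low == low
            && ((LoopbackRangeServerSocketFactory) o).high == high;
    }
    @Override public int hashCode() { return 31 * low + high; }

    public static void main(String[] args) throws IOException {
        // Registry on a port inside the range, reachable only via 127.0.0.1 (constructed demo values).
        registry = LocateRegistry.createRegistry(49152, null, new LoopbackRangeServerSocketFactory(49152, 65535));
        System.out.println("RMI registry listening on 127.0.0.1:49152");
    }
}
```

Because the registry is bound to loopback only, a quick check after startup is that the listening socket for the chosen port shows a 127.0.0.1 local address (for example in `netstat` or `ss` output) and nothing on 0.0.0.0.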
