Exploring Reverse Tunnel

  • Release version: Australia
  • Updated May 31, 2026

    Reverse Tunnel enables Zero Copy Connectors to reach private or on-premises data sources through encrypted outbound connections without having to open inbound firewall ports.

    Reverse Tunnel overview

    Reverse Tunnel extends Zero Copy Connectors access to data sources hosted in private cloud networks or on-premises networks. Because it accepts outbound connections from private relays deployed in the customer network and routes encrypted traffic to the correct data source without decrypting it, Zero Copy Connectors can reach data sources that aren't publicly accessible.

    Key components

    Gateway
    The central infrastructure component hosted on the ServiceNow platform that accepts authenticated connections from private relays, enforces registration and hostname authorization, and routes encrypted traffic to customer-side data sources.
    Private relay
    A component deployed in the customer network that connects outbound to the gateway and proxies traffic between the gateway and the customer's private cloud data source. It operates like a MID Server in placement and connectivity.
    Note:
    Private relays authenticate with the gateway automatically using certificates issued by the ServiceNow instance. Certificate configuration and management are handled automatically.
    Gateway Controller
    Manages gateway instances on the ServiceNow platform. Handles gateway creation and assignment to private relays.

    Reverse Tunnel users

    Table 1. Users

    | User | Description |
    | --- | --- |
    | Relay manager | Registers and manages private relays and monitors relay connection and registration health. Requires the sn_zc_tunnel.relay_manager role. |
    | Relay user | A service account that the private relay uses to authenticate with the instance and fetch its configuration. |

    Reverse Tunnel workflow

    The setup workflow involves the following primary activities:

    1. Application installation: Install the sn_zc_tunnel (Zero Copy Reverse Tunnel) application, which provides the interface to manage relays and services.
    2. Service account creation: The relay manager creates a service account in User Administration with the sn_zc_tunnel.relay_user role and notes the password for relay configuration.
    3. Relay setup: The relay manager downloads the relay artifact Reverse Tunnel Relay from the store app, extracts the files, and configures and starts the relay.
    4. Relay record configuration: After the relay starts, the relay registers with the instance and a new record is created in the sn_zc_tunnel_relay table. The relay manager requests a gateway instance.

      Two gateway records are automatically attached to the Gateways field, tied to the instance name.

    5. Backend services registration: The relay manager adds a service endpoint to the relay record for each data source to be accessed through the tunnel. For details, see Manage relay service endpoints through Reverse Tunnel.
    6. Zero Copy Connectors connection setup: The relay manager configures the connector in Zero Copy Connectors with the required credentials and tests the connection.

    Reverse Tunnel benefits

    Table 2. Benefits of Reverse Tunnel

    | Benefit | Feature |
    | --- | --- |
    | Connect to private cloud or on-premises data sources without having to open inbound firewall ports. | Reverse Tunnel |
    | Establish encrypted connections between your private network and Workflow Data Fabric without exposing data source credentials or IP addresses. | Reverse Tunnel |
    | Manage and monitor private relay registrations and connection health from your ServiceNow instance. | Monitoring relay connectivity |