Exploring Reverse Tunnel
The Reverse Tunnel app enables Zero Copy Connectors to reach private or on-premises data sources through encrypted outbound connections without having to open inbound firewall ports.
Reverse Tunnel overview
The Reverse Tunnel app extends Zero Copy Connectors' access to data sources hosted in private cloud networks or on-premises networks. Because it accepts outbound connections from private relays deployed in the customer network and routes encrypted traffic to the correct data source without decrypting it, Zero Copy Connectors can reach data sources that aren't publicly accessible.
Key components
- Gateway: The central infrastructure component hosted on the ServiceNow platform that accepts authenticated connections from private relays, enforces registration and hostname authorization, and routes encrypted traffic to customer-side data sources.
- Private relay: A component deployed in the customer network that connects outbound to the gateway and proxies traffic between the gateway and the customer's private cloud or on-premises data source. In placement and connectivity it operates like a MID Server.
- Gateway Controller: Manages gateway instances on the ServiceNow AI Platform, handling gateway creation and assignment to private relays.
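The dial-out-then-splice pattern that these three components implement, as an added local illustration rather than ServiceNow's own code: the relay only ever connects outward, the gateway pairs that outbound connection with a client and copies bytes without parsing them, and the backend is a constructed stand-in for a private data source. Authentication, hostname authorization and TLS are deliberately not modelled here.

```python
import socket
import threading
from contextlib import suppress

def _listen():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port; this is a constructed local demo
    srv.listen(1)
    return srv

def _pump(src, dst):
    # Copy bytes one way until src hits EOF; the copier never parses the stream.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far side finishes

def splice(a, b):
    """Bidirectional byte copy between two sockets; both gateway and relay do this."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()

def backend(srv):
    """Constructed stand-in for the private data source: replies in upper case."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(conn.recv(4096).upper())

def relay(gateway_port, backend_port):
    """Private relay: dials OUT to the gateway, then proxies to the on-prem backend."""
    with socket.create_connection(("127.0.0.1", gateway_port)) as gw, \
            socket.create_connection(("127.0.0.1", backend_port)) as be:
        splice(gw, be)

def gateway(relay_srv, client_srv):
    """Gateway: takes the relay's outbound connection, then splices a client onto it."""
    rconn, _ = relay_srv.accept()
    cconn, _ = client_srv.accept()
    with rconn, cconn:
        splice(cconn, rconn)

def run_demo(payload=b"select 1"):
    be_srv, rl_srv, cl_srv = _listen(), _listen(), _listen()
    be_port, rl_port, cl_port = (s.getsockname()[1] for s in (be_srv, rl_srv, cl_srv))
    for fn, args in ((backend, (be_srv,)), (gateway, (rl_srv, cl_srv)), (relay, (rl_port, be_port))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    with socket.create_connection(("127.0.0.1", cl_port)) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: client.recv(4096), b""))
```

Only the backend listener sits inside the "private" side; nothing there accepts an inbound connection from the gateway, which is the property the product relies on.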
Reverse Tunnel users
| User | Description |
|---|---|
| Relay manager | Registers and manages private relays and monitors relay connection and registration health. Requires the sn_zc_tunnel.relay_manager role. |
| Relay user | A service account that the private relay uses to authenticate with the instance and fetch its configuration. |
Reverse Tunnel workflow
The setup workflow involves the following primary activities:
- Installing two plugins on the instance:
  - com.glide.tunnel: Private Tunnel, a platform plugin required by the store app.
  - sn_zc_tunnel: Zero Copy Reverse Tunnel, which provides the interface to manage relays and services.
- Service account creation: The relay manager creates a service account in User Administration with the sn_zc_tunnel.relay_user role and notes the password for relay configuration.
- Relay setup: The relay manager downloads the relay artifact SR - WDF - Reverse Tunnel Relay v1.0 (AS) from the store app, extracts the files, and configures and starts the relay.
- Relay record configuration: After the relay starts, the relay registers with the instance and a new record is created in the sn_zc_tunnel_relay table. The relay manager requests a gateway instance. Two gateway records are automatically attached to the Gateways field, tied to the instance name.
- Backend services registration: The relay manager adds a service endpoint to the relay record for each data source to be accessed through the tunnel. For details, see Manage relay service endpoints through Reverse Tunnel.
- Zero Copy Connectors connection setup: The relay manager configures the connector in Zero Copy Connectors with the required credentials and tests the connection.
Reverse Tunnel benefits
| Benefit | Feature |
|---|---|
| Connect to private cloud or on-premises data sources without having to open inbound firewall ports. | Reverse Tunnel |
| Establish encrypted connections between your private network and Workflow Data Fabric without exposing data source credentials or IP addresses. | Reverse Tunnel |
| Manage and monitor private relay registrations and connection health from your ServiceNow instance. | Monitoring relay connectivity |
What to explore next
To learn more about configuring and using Reverse Tunnel, see: