
On-prem setup

If you wish to host, secure and maintain certain services yourself, there are several options for doing so:

  • For certain services, you can whitelist the Tray.io shared static IPs, so that you are not opening your database to the world (as per the docs pages, this is available for the following connectors: LDAP, Snowflake, MS SQL, Mongo DB, MySQL, PostgreSQL, Redshift)
  • For an increased level of security, or to host a service which is not listed above, you can contact us to arrange dedicated static IPs instead of the shared ones (which are shared with other Tray.io customers). Dedicated IPs can be used for multiple services.
  • The third option is to use TLS certificates for database connectors, potentially alongside dedicated static IP addresses. Certificates are configured per connector and act as a credential that the customer's system expects when a connection attempt is made from an external source.
  • The final, 'non-NAT' option is our IPSec site-to-site VPN. This further increases security because the connection is fully 'non-public': we set up a VPN instance of Tray which communicates with your on-prem subnet (where your hosted services live) via an encrypted tunnel.

1 - Shared static IPs

This is the simplest on-premise deployment option.

For all of the following connectors, Tray.io has a list of public static IPs:

LDAP, Snowflake, MS SQL, Mongo DB, MySQL, PostgreSQL, and Redshift

The static IPs, as per the above diagram, are:

  • 52.40.200.248
  • 52.39.10.61
  • 52.26.59.155

So, rather than opening your databases to the world, you can whitelist these IPs on your firewall so that only Tray.io can reach the ports you forward to your on-prem databases. Keep in mind that these addresses are shared by all Tray.io customers: the allow-list proves that a connection came from Tray.io's infrastructure, not that it came from your account, so the database's own authentication (and TLS, see section 3) still carries the weight of access control.

2 - Dedicated static IPs

For customers who are either:

  • are not comfortable with the multi-tenanted nature of the shared static IPs, which are used by other Tray.io customers as well

    or

  • wish to use a service which is not included in the above list

We can set up a dedicated account for you which runs all of the Tray.io connectors behind dedicated static IP addresses. You can whitelist these with your firewall, knowing that all communications from these addresses come from Tray.io and, because the account is dedicated, from your own workflows only.

This is a simple, higher-security option with minimal overhead on the customer's part.

If you are interested in this solution please contact your customer success representative.

3 - TLS certificates

If a customer requires a TLS connection, the question is whether the connector they are using already supports it, because certificates are handled as part of a connector's authentication structure.

Using dedicated static IP addresses in combination with TLS-enabled database connectors is a strong combination: the firewall limits which addresses can reach the database port, and the certificate authenticates the peer and protects the session.

Certificates serve two purposes:

  1. Identification. When Tray.io calls a service with TLS as part of the authentication structure, the service can verify that the external entity presenting the certificate is Tray.io. Note that TLS is configured on a per-connector basis and not all connectors support it.

If SSL/TLS is not currently supported in a connector and a customer asks for it, we will have to perform a connector update for the specific service once a connector update request has been filed.

  2. Encryption. Once Tray.io's identity has been verified and the TLS handshake has completed, the session keys negotiated during that handshake encrypt all data exchanged between the customer's system and Tray.io.

Connectors that label the option 'SSL' rather than 'TLS' use the same certificate mechanism; both are supported, should customers require this option.
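Sections 1 and 3 describe two controls that work together: the firewall allow-list for the shared static IPs, and TLS on the database connector. The following is an added example, not Tray.io code or the page's own, that audits a PostgreSQL connection log for both at once. It assumes the line shape PostgreSQL emits with log_connections=on, a database role named tray provisioned for Tray.io (an assumption), and the three shared IPs from section 1 as the allow-list; the log lines are constructed.

```python
"""Audit PostgreSQL connection logs for two controls: only Tray.io's published
static IPs should reach the database, and every session from them should be TLS.

Added example, not Tray.io code. The allow-list is the three shared IPs from
this page; the log lines are constructed, in the shape PostgreSQL emits with
log_connections=on (a 'connection received' line and a 'connection authorized'
line per backend PID). The role name 'tray' is an assumption.
"""
import ipaddress
import re

TRAY_SHARED_IPS = [ipaddress.ip_network(ip) for ip in
                   ("52.40.200.248/32", "52.39.10.61/32", "52.26.59.155/32")]

RECEIVED = re.compile(r"\[(?P<pid>\d+)\] LOG:  connection received: host=(?P<host>[\d.]+) port=\d+")
AUTHORIZED = re.compile(r"\[(?P<pid>\d+)\] LOG:  connection authorized: user=(?P<user>\S+) "
                        r"database=(?P<db>\S+)(?P<ssl> SSL enabled .*)?$")

# Constructed sample: one clean session, one from an unknown host, one plaintext
# session from an allow-listed host, one allow-listed host using the wrong role.
SAMPLE_LOG = """\
2024-03-01 09:00:00 UTC [4101] LOG:  connection received: host=52.40.200.248 port=51122
2024-03-01 09:00:00 UTC [4101] LOG:  connection authorized: user=tray database=orders SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384, bits=256)
2024-03-01 09:00:07 UTC [4102] LOG:  connection received: host=203.0.113.45 port=40021
2024-03-01 09:00:07 UTC [4102] LOG:  connection authorized: user=tray database=orders SSL enabled (protocol=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256)
2024-03-01 09:00:12 UTC [4103] LOG:  connection received: host=52.26.59.155 port=51200
2024-03-01 09:00:12 UTC [4103] LOG:  connection authorized: user=tray database=orders
2024-03-01 09:00:20 UTC [4104] LOG:  connection received: host=52.39.10.61 port=51201
2024-03-01 09:00:20 UTC [4104] LOG:  connection authorized: user=reporting database=analytics SSL enabled (protocol=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256, bits=128)
"""


def audit_connections(log_text, allow_list=TRAY_SHARED_IPS, expected_user="tray"):
    """Return one (finding, host, user) tuple per offending session.

    'unexpected source'  host is not in the allow-list (firewall gap or non-Tray client)
    'plaintext'          allow-listed host connected without TLS
    'unexpected role'    allow-listed host used a role other than the one provisioned
                         for Tray.io; the IP is shared across customers, so the role
                         and its credentials are what actually identify your account
    """
    pending = {}   # pid -> source host, until the matching 'authorized' line arrives
    findings = []
    for line in log_text.splitlines():
        m = RECEIVED.search(line)
        if m:
            pending[m["pid"]] = m["host"]
            continue
        m = AUTHORIZED.search(line)
        if not m:
            continue
        host = pending.pop(m["pid"], None)
        if host is None:
            continue   # no matching 'received' line in this excerpt; nothing to judge
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allow_list):
            findings.append(("unexpected source", host, m["user"]))
            continue
        if not m["ssl"]:
            findings.append(("plaintext", host, m["user"]))
        if m["user"] != expected_user:
            findings.append(("unexpected role", host, m["user"]))
    return findings


if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_LOG):
        print(*finding)
```

Run it against a real log with log_connections=on to confirm that the firewall rule and the connector's TLS setting are actually in effect; an 'unexpected source' finding means the port is reachable from outside the allow-list, and a 'plaintext' finding means the connector is still connecting without TLS.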

4 - Site-to-site VPN

You will need IT / network engineers to set up and configure your network for the site-to-site VPN, and to work with Tray.io while configuring your setup.

This is the highest security option but will also require the greatest overhead on the customer's part.

If you are interested in this solution please contact your customer success representative.

The above diagram illustrates the basic setup.

We will host the VPN server and deploy a Tray.io subnet in a region nearest to your geographic location.

To this subnet we will deploy a full set of all available Tray.io connectors so that they can, via the IPSec tunnel and your network device, communicate with the services (LDAP, MS SQL etc.) you have deployed in your subnet.

To ensure the best enterprise experience, we recommend that the Tray.io subnet we deploy for you (in private IP space only) is a /16. Tray.io runs workflows concurrently and can have thousands of execution threads per workflow, so there is effectively no limit on the scale of asynchronous data processing you can run. The /16 is required even if you only deploy one on-premise service with fairly minimal use, because the range has to accommodate the connectors and executions running across your whole account.

The full setup then requires configuring the VPN tunnels (a second tunnel is used for failover and high availability) to connect to your internal network routing device (e.g. a Cisco ASA device, or a device running pfSense etc.). A sample configuration file is given below.

Once setup is complete, when making use of the services you have configured on-premise in the Tray.io workflow builder, all you need to do is add the internal IP address and port to the authentication dialog when you add that connector to a workflow.

The site-to-site VPN only needs to be set up once to connect to your on-premise subnet, which may contain any number of services and any number of instances of a service. This is in contrast to an 'agent' offering, which would need an instance installed for each service you wish to run.

This is not a VPN 'agent' and does not automatically set up any routing.

It also does not support DNS, so your services should be hosted on static IPs within your network.

Setting up the IPSec VPN tunnel

You will need to contact us to ask for a tunnel to be set up to your network, and provide us with the following information:

  • The location of your network - This is so that we can deploy the VPN server as close as possible to your location. This reduces the data transfer latency between your services / databases and the Tray.io connectors.

  • The Tray.io subnet network range - We use a default 10.200.0.0/16 address space. If this clashes with your network, you can specify an alternative (the IP range must be private and must be /16 to allow for concurrent large-scale executions)

  • Your on-premise network range - This is your private address space that should be addressable from the connectors inside the Tray.io VPN network. This is where the services and databases you wish to maintain must be located. This can be anything such as 10.0.25.0/24 or 192.168.0.0/16, as long as it is configured as a private address space.

    Each service you are hosting (e.g. MySQL Server, MongoDB etc.) should have its own address which falls within this private address range

  • Your on-premise public IP address - This is required for the connection and is used to generate the IPSec credentials between the two environments.

Once we have set this up we can assist you in setting up your device. The configuration we send you includes the Tray.io endpoint IP address and the PSK for each of the two tunnels.

The exact configuration required will depend on your device.

A sample configuration file is given below. Sample files for other devices can be given on request.
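Before sending the request above, it is worth checking that the four pieces of information are consistent with each other. The following is an added example, not Tray.io code, that does this with Python's standard library: it confirms the Tray.io subnet is an RFC 1918 /16, that none of your ranges overlap it, that each service address lies inside an advertised range, and that the gateway address is public; it also suggests an alternative /16 when the default 10.200.0.0/16 clashes with your space. All ranges and addresses in the usage at the bottom are constructed.

```python
"""Pre-flight checks for the information Tray.io asks for when setting up a
site-to-site VPN tunnel.

Added example, not Tray.io code. The requirements it enforces (private space,
a /16 for the Tray.io side, no clash with your own ranges, services inside your
advertised ranges, a public gateway address) are the ones stated on this page.
The sample values in the usage block are constructed.
"""
import ipaddress

DEFAULT_TRAY_SUBNET = "10.200.0.0/16"   # Tray.io's default, per the page

# RFC 1918 space spelled out: ipaddress.is_private is broader (loopback,
# link-local, documentation ranges) and would accept addresses you cannot route.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpn_plan(tray_subnet, onprem_ranges, service_ips, onprem_public_ip):
    """Return a list of problems; an empty list means the plan is consistent.

    tray_subnet      -- Tray.io side address space (must be RFC 1918 and a /16)
    onprem_ranges    -- your private ranges reachable over the tunnel
    service_ips      -- addresses of the on-prem services (MySQL, LDAP, ...)
    onprem_public_ip -- your gateway's public address (the IPsec peer)
    A range with host bits set (e.g. 10.0.25.7/24) raises ValueError on purpose.
    """
    problems = []
    tray = ipaddress.ip_network(tray_subnet, strict=True)
    if not any(tray.subnet_of(block) for block in RFC1918):
        problems.append(f"Tray.io subnet {tray} is not RFC 1918 private space")
    if tray.prefixlen != 16:
        problems.append(f"Tray.io subnet {tray} must be a /16 (got /{tray.prefixlen})")

    onprem = [ipaddress.ip_network(r, strict=True) for r in onprem_ranges]
    for net in onprem:
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"on-prem range {net} is not RFC 1918 private space")
        if net.overlaps(tray):
            problems.append(f"on-prem range {net} overlaps the Tray.io subnet {tray}; request a different /16")

    for ip in service_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in onprem):
            problems.append(f"service address {addr} is outside the advertised on-prem ranges")

    gw = ipaddress.ip_address(onprem_public_ip)
    if any(gw in block for block in RFC1918) or gw.is_loopback or gw.is_link_local:
        problems.append(f"gateway address {gw} is not public; the IPsec peer must be reachable from the internet")
    return problems


def suggest_tray_subnet(onprem_ranges, preferred=DEFAULT_TRAY_SUBNET):
    """Return the preferred /16 if it is free of your ranges, else the first free 10.x.0.0/16.

    Returns None if every candidate clashes (e.g. you already use all of 10.0.0.0/8).
    """
    onprem = [ipaddress.ip_network(r, strict=True) for r in onprem_ranges]
    candidates = [ipaddress.ip_network(preferred)]
    candidates += ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=16)
    for cand in candidates:
        if not any(cand.overlaps(net) for net in onprem):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed plan: on-prem uses 10.0.25.0/24 and 192.168.0.0/16, gateway is 203.0.113.7.
    onprem = ["10.0.25.0/24", "192.168.0.0/16"]
    print("tray subnet to request:", suggest_tray_subnet(onprem))
    for problem in check_vpn_plan("10.200.0.0/16", onprem, ["10.0.25.10", "192.168.4.20"], "203.0.113.7"):
        print("problem:", problem)
```

The overlap check is the one that bites in practice: a connector inside the Tray.io /16 routing to a service address that also exists in the Tray.io range would never leave the tunnel, so resolve any clash by requesting the alternative /16 before the tunnel is built.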

Failover and high-availability

The On-Premise infrastructure has the ability to establish 2 tunnels for high-availability, redundancy, and maintenance reasons. In the event that one tunnel becomes unavailable, the other tunnel is available for use. This is why we provide two IPSec credentials and we recommend that our users configure both tunnels.

Encryption options

The following table lists the encryption standard options when configuring the VPN tunnel:

Method                                      Standard options
IKE                                         ikev1, ikev2
Phase 1 Diffie-Hellman (DH) group numbers   2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 2 Diffie-Hellman (DH) group numbers   2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 1 encryption algorithms               AES128, AES256, AES128-GCM-16, AES256-GCM-16
Phase 2 encryption algorithms               AES128, AES256, AES128-GCM-16, AES256-GCM-16
Phase 1 integrity algorithms                SHA-1, SHA2-256, SHA2-384, SHA2-512
Phase 2 integrity algorithms                SHA-1, SHA2-256, SHA2-384, SHA2-512

Perfect forward secrecy (a Diffie-Hellman exchange for Phase 2) is supported.

Of the accepted options, DH groups 2 and 22 (1024-bit modulus), group 5 (1536-bit) and the SHA-1 integrity algorithm are the weakest. Where your gateway supports them, choose IKEv2, DH group 14 or higher on both phases, and SHA2-256 or stronger; the sample configuration below uses the minimum (AES128, SHA-1, group 2) and should be adjusted accordingly.

Further options:

Phase 1 lifetime

The lifetime in seconds for phase 1 of the IKE negotiations.

Default: 28,800 (8 hours)

Phase 2 lifetime

The lifetime in seconds for phase 2 of the IKE negotiations. Must be less than the number of seconds for the phase 1 lifetime.

Default: 3,600 (1 hour)

Rekey fuzz

The percentage of the rekey window (determined by the rekey margin time) within which the rekey time is randomly selected.

Default: 100

Rekey margin time

The margin time in seconds before the phase 2 lifetime expires, during which the Tray.io side of the VPN connection performs an IKE rekey.

Default: 540 (9 minutes)

Replay window size packets

The number of packets in the IPsec anti-replay window, i.e. how far out of order an ESP packet may arrive and still be accepted.

Default: 1024

Startup action

The action to take when establishing the tunnel for a VPN connection. You can specify the following:

Start: Tray.io initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.

Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.
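Taken together, the table and the timer options above define what a proposal must satisfy. The following is an added example, not Tray.io code, that checks a proposed configuration against them and separates hard errors (unsupported values, a Phase 2 lifetime not shorter than Phase 1, a rekey window that does not fit inside the Phase 2 lifetime) from warnings about accepted-but-weak choices. The two proposals it ships with are constructed: one mirrors the Cisco ASA sample further down (IKEv1, AES128, SHA-1, group 2), the other is a hardened variant. The weakness judgements are general IPsec guidance, not Tray.io policy.

```python
"""Validate a proposed IKE/IPsec tunnel configuration against the options
listed on this page, and flag choices that are accepted but weak.

Added example, not Tray.io code. The supported sets are copied from the
encryption options table and the lifetime/rekey defaults above; the weakness
judgements (IKEv1, SHA-1, Diffie-Hellman moduli under 2048 bits, missing PFS)
are general IPsec guidance, not a Tray.io requirement. Both proposals at the
bottom are constructed.
"""

SUPPORTED = {
    "ike": {"ikev1", "ikev2"},
    "phase1_dh": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "phase2_dh": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "enc": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integ": {"SHA-1", "SHA2-256", "SHA2-384", "SHA2-512"},
}
# MODP groups whose modulus is below 2048 bits: 2 (1024), 5 (1536), 22 (1024, 160-bit subgroup).
WEAK_DH = {2, 5, 22}

# Mirrors the ASA sample on this page: ikev1, aes (128), sha (SHA-1), group 2, pfs group2.
PAGE_SAMPLE = dict(ike="ikev1",
                   phase1_dh=2, phase1_enc="AES128", phase1_integ="SHA-1",
                   phase2_dh=2, phase2_enc="AES128", phase2_integ="SHA-1",
                   phase1_lifetime=28800, phase2_lifetime=3600)
# Constructed hardened variant using only values from the table.
HARDENED = dict(ike="ikev2",
                phase1_dh=14, phase1_enc="AES256-GCM-16", phase1_integ="SHA2-256",
                phase2_dh=14, phase2_enc="AES256-GCM-16", phase2_integ="SHA2-256",
                phase1_lifetime=28800, phase2_lifetime=3600,
                rekey_margin=540, rekey_fuzz=100)


def check_tunnel_proposal(p):
    """Return (errors, warnings) for a proposal dict.

    errors   -- values not in the supported table, or timer settings that cannot work
    warnings -- supported but weak choices a reviewer would ask to be replaced
    """
    errors, warnings = [], []

    if p["ike"] not in SUPPORTED["ike"]:
        errors.append(f"IKE version {p['ike']!r} is not supported")
    elif p["ike"] == "ikev1":
        warnings.append("IKEv1 selected; prefer IKEv2 where the gateway supports it")

    for phase in ("phase1", "phase2"):
        dh, enc, integ = p[f"{phase}_dh"], p[f"{phase}_enc"], p[f"{phase}_integ"]
        if dh is None and phase == "phase2":
            # No Phase 2 DH group means no perfect forward secrecy for the ESP SAs.
            warnings.append("phase2: no DH group, so no PFS; set one so a compromised IKE key cannot unlock recorded traffic")
        elif dh not in SUPPORTED[f"{phase}_dh"]:
            errors.append(f"{phase}: DH group {dh} is not supported")
        elif dh in WEAK_DH:
            warnings.append(f"{phase}: DH group {dh} has a modulus below 2048 bits; use group 14 or higher")
        if enc not in SUPPORTED["enc"]:
            errors.append(f"{phase}: encryption {enc!r} is not supported")
        if integ not in SUPPORTED["integ"]:
            errors.append(f"{phase}: integrity {integ!r} is not supported")
        elif integ == "SHA-1":
            warnings.append(f"{phase}: SHA-1 integrity; use SHA2-256 or stronger")

    p1, p2 = p["phase1_lifetime"], p["phase2_lifetime"]
    margin = p.get("rekey_margin", 540)    # page defaults: 540 s margin, 100 % fuzz
    fuzz = p.get("rekey_fuzz", 100)
    if not p2 < p1:
        errors.append(f"phase2 lifetime {p2}s must be less than the phase1 lifetime {p1}s")
    # With fuzz, rekeying may start up to margin * (1 + fuzz/100) seconds before expiry;
    # that window has to fit inside the Phase 2 lifetime or the SA is rekeyed as soon as it is up.
    if margin <= 0 or margin * (1 + fuzz / 100) >= p2:
        errors.append(f"rekey margin {margin}s with fuzz {fuzz}% does not fit inside the phase2 lifetime {p2}s")
    return errors, warnings


if __name__ == "__main__":
    for name, proposal in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED)):
        errs, warns = check_tunnel_proposal(proposal)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("  -", msg)
```

Running it shows the trade-off the sample configuration makes explicit: the page's minimum proposal is accepted (no errors) but collects a warning for every weak choice on each phase, whereas the hardened variant is clean. Use the error list as a gate before you send the proposal to Tray.io, and the warning list as the change request for your network team.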

Ports

As per standard IPSec, the Tray.io VPN server uses UDP port 500 for IKE and UDP port 4500 for NAT traversal (NAT-T). If your gateway is not behind NAT, ESP is carried directly as IP protocol 50 and must also be permitted by your firewall.

Sample configuration file

The following is a sample configuration file for a Cisco ASA 5500 device (9.7+):

! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 14-18, 22, 23, and 24.
! DH group 2 (1024-bit) and SHA-1 are the weakest options accepted; prefer group 14 or higher
! and SHA2-256 on both phases wherever your device supports them.
!
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
crypto ipsec ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxx8-0 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0exxxxxxxxxxx8-0
set pfs group2
set security-association lifetime seconds 3600
set ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxx8-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! --------------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 18.xxx.xxx.xxx type ipsec-l2l
tunnel-group 18.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key ZMxxxxxxxxxxxxxxxxxxxxxDs
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel1
nameif Tunnel-int-vpn-0exxxxxxxx8-0
ip address 169.xxx.xx.xxx 255.xxx.xxx.xxx
tunnel source interface 'outside_interface'
tunnel destination 18.xxx.xx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0exxxxxxx8-0
no shutdown
exit
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route
route Tunnel-int-vpn-0exxxxxxxxxx38-0 10.200.0.0 255.255.0.0 169.xxx.xx.xxx 100
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
!
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 14-18, 22, 23, and 24.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
crypto ipsec ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxx8-1 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0exxxxxxxxxxxx8-1
set pfs group2
set security-association lifetime seconds 3600
set ikev1 transform-set ipsec-prop-vpn-0exxxxxxxxxxxxxx8-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! --------------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 18.xxx.xxx.xxx type ipsec-l2l
tunnel-group 18.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key pwkxxxxxxxxxxxxxxxxxxxQt
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
isakmp keepalive threshold 10 retry 10
exit
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway.
!
!You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel2
nameif Tunnel-int-vpn-0exxxxxxxxxx8-1
ip address 169.xxx.xxx.xxx 255.xxx.xxx.xxx
tunnel source interface 'outside_interface'
tunnel destination 18.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0exxxxxxxxxxx8-1
no shutdown
exit
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route
route Tunnel-int-vpn-0exxxxxxxx8-1 10.200.0.0 255.xxx.x.x 169.xxx.xxx.xxx 200