Access to SkyConnect accounts can be restricted via a VPN. This document describes the steps to configure the VPN.
Step 1: Confirm that your firewall supports VPN configurations
To confirm that your firewall supports VPN do the following:
- Refer to the documentation at https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#DevicesTested
- If your vendor or model is not found in the list above, confirm with the firewall vendor
Step 2: Setup VPN on SkyConnect
The Mithi team will deploy the VPN on AWS to allow secure access to the SkyConnect hosts for your domain. To do so, the team requires the following information:
- The private IP range from which end users will access their accounts.
- The Public IP address of your corporate firewall
- The details of the firewall such as Vendor, Product name, model number and other relevant specifications.
Step 3: Update internal DNS servers to resolve access URL to the SkyConnect hosts for your domains
Mithi will also share the URLs for the hosts for your domains on SkyConnect and Vaultastic. These have to be configured in your internal DNS servers to resolve the access URLs to resolve to the SkyConnect hosts for your domains.
Your internal DNS entries will look like the following:
|Access URL||SkyConnect / Vaultastic Host|
|<domain>.mithiskyconnect.com||<Host name of the SkyConnect server for your domain>|
|<domain>-web.mithiskyconnect.com||<Host name of the Baya server for your domain>|
Step 4: Changes to the corporate Firewall
The corporate firewall will have to be updated as follows:
- VPN configuration: As per the configuration file generated in Step 2
- Routing rules: To redirect traffic from the internal IP range to the SkyConnect VPC private IP range for you.
- Allow traffic to and from the SkyConnect and Vaultastic hosts for your domains. This traffic can be allowed only for the ports required for POP, IMAP, SMTP, HTTP, CalDAV, XMPP, LDAP. Write to Mithi for the hosts and port numbers.
- Allow ping from your SkyConnect / Vaultastic host to the firewall public IP. (This is required for troubleshooting)