Cameyo's Secure Cloud Tunneling ensures that your firewall ports are closed to the open Internet and eliminates the need for VPNs. 

Combined with Cameyo's Port Shield, all of your server and firewall ports are closed protecting you from ransomware, brute force attacks, etc. 

Instead of connecting end-users directly to your Cameyo server's HTTPS port, both the end-user and the Cameyo server connect to a cloud node serving as a bridge. This eliminates the need for inbound connection, allowing to securely operate sessions on on-prem servers without connecting to a VPN and without having to open inbound firewall ports.

Configuration is flexible and allows for hybrid mode - a single Cameyo server can provide either connectivity mode (Direct or Cloud Tunneling) depending on apps, users or conditions and can be defined via the PowerTag !CLOUDTUNNEL=1/0.


Cloud Tunneling encrypts transit data via HTTPS.


  1. User clicks the application's URL in Cameyo's cloud portal
  2. The gets redirected to and authenticated through the customer's SSO provider
    The portal selects the best Cameyo Play server
  3. The Cameyo Play server checks if there is a new session assigned
  4. The assigned Cameyo Play server connects to the Cloud tunnel on port 8443
  5. The cloud portal redirects the user to the assigned Cloud Tunnel on port 443

Internal users / exclusion

In self-hosted (on-premises hosting) scenario, you'll generally want to exclude internal users from going through Cloud Tunneling, since the server is within their company LAN. To do this, you can define your internal company IP addresses in the /company page under the Advanced section:

Users initiating sessions from these predefined IPs will then be excluded from Cloud Tunneling, and will connect to the server directly.

Cloud Tunneling server

In most cases the Cloud Tunneling servers are provided and maintained by Cameyo. While you don't need to manage or maintain them, this section describes the inner workings of this cloud component:

  • The Cloud Tunneling server faces your on-prem Cameyo Play servers on one side on port 8443, and the user's browser on the other side on port 443.
  • When a session request is initiated which involves cloud tunneling, the Cloud Tunnel server receives an HTTPS request from the Cameyo portal which tells it to start brokering a session between the Play server and the user's browser. It validates the request using an API call which also gives the IP addresses of both the Play server and the user.
  • The user's browser connects to the Cloud Tunnel server on port 443 and waits for the Play server's connection to be brokered.
  • The relevant on-prem Cameyo Play server obtains the job through regular polling (checking Cameyo's cloud API for a job every X seconds).  It then connects to the Cloud Tunnel server on port 8443.
  • The Cloud Tunneling machine then acts as a transmitter between both parties. Cameyo's proprietary tunneld component is in charge of transmitting the communication between both parties.
  • As of 25 May 2023 - the current list of Cloud Tunnel Servers

A dual CPU Cloud Tunneling server can serve approximately 40 sessions at once. This can vary according to graphical intensivity.