Cameyo's Cloud Tunneling is an alternative connectivity model. Instead of connecting end-users directly to your Cameyo server's HTTPS port, both the end-user and the Cameyo server connect to a cloud node that serves as a bridge. This eliminates the need for inbound connections, so sessions on on-prem servers can be operated securely without connecting to a VPN and without opening inbound firewall ports.

Configuration is flexible and allows for a hybrid mode: a single Cameyo server can provide either connectivity mode (Direct or Cloud Tunneling) depending on apps, users or conditions. The mode can be defined via the PowerTag !CLOUDTUNNEL=1/0.



Security

Cloud Tunneling encrypts data in transit via HTTPS.


Architecture


Internal users / exclusion

In a self-hosted (on-premises) scenario, you'll generally want to exclude internal users from going through Cloud Tunneling, since the server is within their company LAN. To do this, define your internal company IP addresses on the /company page, under the Advanced section.

Users initiating sessions from these predefined IPs will then be excluded from Cloud Tunneling, and will connect to the server directly.


Cloud Tunneling server

In most cases the Cloud Tunneling servers are provided and maintained by Cameyo. While you don't need to manage or maintain them, this section describes the inner workings of this cloud component:

  • The Cloud Tunneling server faces your on-prem Cameyo Play servers on one side on port 8443, and the user's browser on the other side on port 443.
  • When a session request that involves Cloud Tunneling is initiated, the Cloud Tunnel server receives an HTTPS request from the Cameyo portal telling it to start brokering a session between the Play server and the user's browser. It validates the request using an API call, which also returns the IP addresses of both the Play server and the user.
  • The Cloud Tunnel server's Port Shield opens its Windows Firewall port 8443 for the Play server's IP, and opens port 443 for the end-user's IP.
  • The user's browser connects to the Cloud Tunnel server on port 443 and waits for the Play server's connection to be brokered.
  • The relevant on-prem Cameyo Play server obtains the job through regular polling (checking Cameyo's cloud API for a job every X seconds). It then connects to the Cloud Tunnel server on port 8443.
  • The Cloud Tunneling machine then acts as a transmitter between both parties. Cameyo's proprietary tunneld component is in charge of transmitting the communication between both parties.
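
The flow in the list above, together with the internal-IP exclusion described earlier, as an added Python model (an illustration written for this page, not Cameyo's code). The class and function names, the session id and the sample IP addresses are constructed; how the exclusion interacts with the PowerTag is not modelled.

```python
import ipaddress

PLAY_PORT, USER_PORT = 8443, 443          # ports named in the list above


def connectivity_mode(client_ip, internal_ranges):
    """'direct' for clients inside the configured company ranges, else 'tunnel'."""
    ip = ipaddress.ip_address(client_ip)
    nets = (ipaddress.ip_network(r, strict=False) for r in internal_ranges)
    return "direct" if any(ip in n for n in nets) else "tunnel"


class TunnelNode:
    """Toy model of the tunnel server: per-session allowlist plus relay state."""

    def __init__(self):
        # Simplification: one brokered session per source IP and port.
        self.allowed = {}      # (port, source ip) -> session id
        self.connected = {}    # session id -> set of ports already connected

    def broker(self, session_id, play_ip, user_ip):
        # Called only after the portal's request has been validated.
        self.allowed[(PLAY_PORT, play_ip)] = session_id
        self.allowed[(USER_PORT, user_ip)] = session_id
        self.connected[session_id] = set()

    def connect(self, port, src_ip):
        """Accept a connection only from the IP the port was opened for."""
        session_id = self.allowed.get((port, src_ip))
        if session_id is None:
            return None                      # no matching firewall rule
        self.connected[session_id].add(port)
        return session_id

    def relaying(self, session_id):
        # Traffic is bridged only once both sides have connected.
        return self.connected.get(session_id) == {PLAY_PORT, USER_PORT}


if __name__ == "__main__":
    node = TunnelNode()
    # Constructed sample addresses from the documentation ranges.
    node.broker("s1", play_ip="198.51.100.10", user_ip="203.0.113.25")
    print(node.connect(USER_PORT, "203.0.113.25"), node.relaying("s1"))
    print(node.connect(PLAY_PORT, "192.0.2.99"))          # unknown source
    print(node.connect(PLAY_PORT, "198.51.100.10"), node.relaying("s1"))
    print(connectivity_mode("10.1.2.3", ["10.0.0.0/8"]))
```

Both connections into the tunnel node are outbound from the parties' point of view, which is why the on-prem Play server needs no inbound firewall port.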

A dual-CPU Cloud Tunneling server can serve approximately 40 sessions at once. This can vary according to graphical intensity.