We are super excited to bring a new feature in version 7.1 of BizTalk360 called “BizTalk360 for managed services”. One of the key user groups of BizTalk360 is consulting companies that specialize in BizTalk Server implementation and support. Typically these consulting companies manage multiple customer BizTalk environments across various locations.
Currently they manage their customer environments by logging into each customer's systems remotely. Depending on the customer, the remote access mechanism may be VPN, Citrix, etc. In some cases there is no option for remote access at all. With “BizTalk360 for managed services” we are addressing this challenge and making it super simple for consulting companies to access multiple customer sites securely without any complex setup.
We are taking advantage of Windows Azure Service Bus Relay and Windows Azure Active Directory (AD) to make this possible.
The concept itself is not new to BizTalk360; we attempted the first prototype back in June 2011. At that time technologies like Service Bus Relay were fairly new and BizTalk360 was at a very early stage. Now the number of partners (consulting companies) we have is growing steadily, and there is clearly a need to simplify access to multiple customers from a single location.
What problem does it solve?
Let’s assume a scenario where Partner #1 has three customers (ACME, Contoso, and Northwind) running BizTalk Server in their corresponding on-premise environments. If the consultants from Partner #1 need to manage any of these environments, they need to log in to the customer site using various remote access techniques like VPN, Citrix, etc. This means the consultant needs to be familiar with the various techniques, and his machine must be properly patched and configured with the correct settings for each kind of access. In some cases the customers may not have the infrastructure to expose their environment safely for remote access. In that case the only option for the consultants is to visit the customer site or try to solve problems via telephone/video conferencing.
BizTalk360 for managed services
Our solution is to provide remote access to the various customer sites from a central portal, in a safe way and with very little configuration. The only requirement is internet connectivity on the server where BizTalk360 (7.1 or above) is installed in the on-premise customer environment.
How does it work?
We have created a short 8 minute video explaining the technical working details of the solution, which you can watch here.
“BizTalk360 for Managed Services” is an add-on to the existing BizTalk360 product and it’s a subscription based service. At a very high level, this is how it works:
- The partner (consulting company) requests us to set up “N” customers (sites); they provide the list of consultants who will have access and specify the admin user.
- We set up a new partner with “N” sites, create the users in our Windows Azure Active Directory (biztalk360.co) and assign who the administrator is.
From here the admin person at the partner can manage all the consultants, assign which sites each consultant can access, etc. directly from the central portal.
Configuring Customer site for remote access
- The Partner Admin logs into the central portal, authenticating against Windows Azure Active Directory (similar to Live ID authentication).
- He/she will see the list of all sites and their corresponding site access secure keys.
- The admin copies the site access secure key from the portal, goes to the on-premise customer site, opens the local copy of BizTalk360, navigates to settings and registers the secure site key. Once the key is registered, the site is ready to be accessed from the central portal.
- The next important step the admin needs to perform is to map the biztalk360.co Windows Azure AD account to a local user in the customer site. Example: email@example.com will be mapped to ACME\John. The user access policy settings UI in BizTalk360 makes this process seamless.
- The admin person repeats these steps for each customer site, making each one available in the portal.
- The admin person can also manage users (consultants) in the central portal, specifying which customer sites they can access.
Normal users (consultants) accessing customer site
Once permission is granted to a consultant, he/she can log in to our central portal; once authenticated against Windows Azure AD, they will see the list of sites they have access to. They simply click on the customer link, which takes them directly to the customer site, making it seamless to manage a remote customer site.
What infrastructure is required on the customer site?
All it requires is internet connectivity on the server where BizTalk360 (v7.1 or above) is installed at the customer site. Exposing the customer site safely to the central portal is taken care of by Windows Azure Service Bus Relay. You can read more about it here: How to use Service Bus Relay.
How Secure is it?
The central portal is hosted in Windows Azure, and the connection between the central portal and the customer site is secured by the Windows Azure Service Bus shared secret security mechanism. The connection between the user (consultant) and the portal is protected by Windows Azure Active Directory authentication.
The portal takes care of authenticating the user against Windows Azure AD; once authenticated, the user will see the list of sites they have access to. When the user clicks on a site, the corresponding site's Service Bus secret key is retrieved from our store and used to connect to the remote site securely. The connection between the user and the customer site is fully encrypted and uses “https” traffic end-to-end.
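As an added illustration (this is not code from BizTalk360 or from this post), here is how an on-premise endpoint is exposed through Windows Azure Service Bus Relay with a shared secret: the on-premise listener dials out to the relay, so no inbound firewall rule is needed at the customer site, and the portal must present a token derived from the same issuer secret before the relay will forward any traffic. The namespace, issuer name, secret, service path and the `IRemoteSite` contract are placeholders/assumptions.

```csharp
using System;
using System.ServiceModel;
using Microsoft.ServiceBus;   // NuGet package "WindowsAzure.ServiceBus" (assumed)

// Minimal contract standing in for an on-premise BizTalk360 endpoint (hypothetical).
[ServiceContract]
public interface IRemoteSite { [OperationContract] string Ping(); }

public class RemoteSiteService : IRemoteSite
{
    public string Ping() { return "on-premise site reachable"; }
}

class RelayDemo
{
    // Placeholders: take these from the Service Bus namespace's access control settings.
    const string Namespace = "<your-servicebus-namespace>";
    const string IssuerName = "<issuer-name>";
    const string IssuerSecret = "<issuer-secret>";
    // Both the on-premise listener and the portal prove they hold the shared secret.
    static TransportClientEndpointBehavior RelayCredentials()
    {
        return new TransportClientEndpointBehavior
        {
            TokenProvider = TokenProvider.CreateSharedSecretTokenProvider(IssuerName, IssuerSecret)
        };
    }

    static void Main()
    {
        // One service path per customer site, each registered with its own secret.
        Uri address = ServiceBusEnvironment.CreateServiceUri("https", Namespace, "acme/biztalk360");
        // Transport security: TLS from caller to relay and from relay to the on-premise listener.
        var binding = new BasicHttpRelayBinding();
        binding.Security.Mode = EndToEndBasicHttpSecurityMode.Transport;
        // RelayAccessToken: the relay refuses callers that do not present a valid token.
        binding.Security.RelayClientAuthenticationType = RelayClientAuthenticationType.RelayAccessToken;
        // On-premise side: Open() dials OUT to the relay; nothing listens for inbound connections.
        var host = new ServiceHost(typeof(RemoteSiteService));
        host.AddServiceEndpoint(typeof(IRemoteSite), binding, address).Behaviors.Add(RelayCredentials());
        host.Open();

        // Portal side: same binding and secret; the call is forwarded through the relay.
        var factory = new ChannelFactory<IRemoteSite>(binding, new EndpointAddress(address));
        factory.Endpoint.Behaviors.Add(RelayCredentials());
        Console.WriteLine(factory.CreateChannel().Ping());
        factory.Close(); host.Close();
    }
}
```

If the issuer secret is left out of either side, the relay rejects the connection before it ever reaches the on-premise host, which is the property the shared-secret mechanism provides here.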
Is the customer data stored in the cloud (Windows Azure)?
No, all customer-related data stays at the on-premise customer site. The central portal just acts like a proxy between the consultant (web browser) and the customer site. As you can see in the above picture, apart from user authentication and using the relevant Service Bus secret key to make the connection, the data is not persisted anywhere in the middle.
See it in action
It may be a bit difficult to visualize all the concepts explained in the earlier paragraphs just by reading text, hence we decided to put together a short video showing how the different roles (BizTalk360 administrator, Partner Administrator, Partner normal consultant) work together to make everything seamless.
How much will it cost?
We are going to run this project in a pilot phase for the next 2 months to understand our Windows Azure costs. During the pilot phase it’s completely free (if you are interested, get in touch with us at firstname.lastname@example.org). After the pilot phase the price will be based on the number of customer connections you require. Example: Partner #1 might be interested in accessing 5 different customer sites using this model; they will pay for 5 connection licenses. We will announce the actual cost after our pilot phase. This price will be in addition to the original BizTalk360 cost.