Installing A TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect On-Premise Agent With Proxy Servers Or Firewalls


Article ID: KB0072057


Products: TIBCO Cloud Integration - Connect (Scribe)
Versions: 2.0 and higher

Description

For many networks, security configurations include either proxy servers or firewalls. While TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect is in the Cloud, your On-Premise Agent is installed on a computer, as shown in the following diagram:
 

TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect Architecture


If your site uses either proxy servers or firewalls, some additional steps are required to allow the TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect On-Premise Agent access to the cloud.

Symptoms that your On-Premise Agent may be behind a network firewall or proxy are:
  • You are unable to establish a connection to https://agent.scribesoft.com, https://us-east.connect-agent.scribesoft.com, https://us1-connect-agent-azure.scribesoft.com, https://au1-connect-agent-aws.scribesoft.com, or https://agent-frankfurt.scribesoft.com.
  • When installing a TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect On-Premise Agent, you receive the following error:
  • When running a TIBCO Scribe® Online Solution / TIBCO Cloud™ Integration - Connect app, the status displays Starting or In Progress for extended periods of time with no records being processed.
  • You cannot create any Connections using your On-Premise Agent or receive a message that No Connectors were found.
  • The rolling log for the On-Premise Agent (..\Scribe Software\TIBCO Scribe® Online Agent\logs) contains the following error message:
(407) Proxy Authentication Required

NOTE: If you encounter any of these issues, or do not know whether your organization uses advanced security measures such as a proxy server or firewall traffic filtering, contact your Network Administrator.

NOTE: When using a proxy server, TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect requires that your On-Premise Agent use Windows Authentication for access through the proxy server; other authentication methods are not currently supported.
 

Configuring On-Premise Agent Firewall Support

Some TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect end users have Firewall servers to add an extra level of security to their environments. In this case, you may need to add exceptions or whitelist entries to the firewall for TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect and other databases, such as Microsoft Dynamics CRM Online and Salesforce, to function properly.

Connecting To TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect

If you are trying to connect to TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect from behind extra security, add exceptions to the firewall for TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect for your data center.

NOTE: For On-Premise Agents, if you are using a data center other than the AWS US data center, you must allow access to both your data center and the AWS US data center.  

TIBCO Cloud Region / Data Center Provider


AWS Australia (Sydney) / AWS Asia Pacific (Sydney)
ap-southeast-2
Endpoint:
https://au1-connect-agent-aws.scribesoft.com
Static IP Addresses

AWS US East (N. Virginia) / AWS US East (N. Virginia)
us-east-1
Endpoint:
https://us-east.connect-agent.scribesoft.com
Static IP Addresses
AWS US West (Oregon) / AWS US East (N. Virginia)
us-east-1
Endpoint:
https://agent.scribesoft.com
Static IP Addresses

AWS US Sandbox
Endpoint:
https://sbagent.scribesoft.com
Static IP Addresses

*Azure US (Washington) / Azure West US 2 (Washington)
Endpoint:
https://us1-connect-agent-azure.scribesoft.com
Static IP Addresses
  • 13.77.173.116

AWS Europe (Ireland) / AWS Europe (Frankfurt)
eu-central-1
Endpoint:
https://agent-frankfurt.scribesoft.com
Static IP Addresses

Note: The Azure US, AWS US East, and AWS Australia data centers are available only when working in TIBCO Cloud Integration - Connect as a capability of TIBCO Cloud™ Integration. In TIBCO Cloud™ Integration, data centers are referred to as Regions.

NOTE: TIBCO may update these IP addresses or URLs. Updates are made after posting a Release Notice and updating the TIBCO Cloud™ Services status. Best practice is to sign up for notifications from the TIBCO Cloud™ Services status.

For additional information on URLs and IP addresses that may need to be whitelisted, see Whitelisting Requirements. For another useful reference on URLs and IP addresses and why they change, see Why do AWS Elastic Load Balancers have 3 IP addresses?
 

Configuring The On-Premise Agent For Proxy Servers

Setting Up Ports And The Active Directory Account

  1. Make sure that all of the following TCP ports are open. If needed, talk to your IT Administrator:
    • Port 443. This port is required for outbound Agent communication with the TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect website. TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect can respond to Agent communication using port 443. If this port is not open, the Agent is not fully accessible from the TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect website.
    • Ports 5671 and 5672, and 9350 through 9354. These are outbound ports used by the Agent to communicate with the Enterprise Service Bus (ESB). The ESB can respond to Agent communication using the same port. If your network policies prohibit you from opening these outbound ports, contact Support for assistance with an alternate configuration.
WARNING: Performance is slower when the Enterprise Service Bus (ESB) is not used.
  2. Set up an Active Directory account with permissions to go through the proxy that uses these ports on the proxy server.

Editing The Scribe.Core.ProcessorService.exe.config File

To configure the On-Premise Agent to use the Active Directory User account when communicating through the proxy, modify the Scribe.Core.ProcessorService.exe.config file on the computer where the Agent is installed. Use a text editor, such as Notepad, to open the Scribe.Core.ProcessorService.exe.config file from the Agent installation folder.

The default location for this file is: ..\Program Files [(x86)]\Scribe Software\TIBCO Scribe® Online Agent\

NOTE: Make sure to run the text editor as Administrator or the changes to the file may not be saved.

In the Scribe.Core.ProcessorService.exe.config file:
  1. Find the section that begins with <basicHttpBinding> and, within it, locate the following line:
<transport clientCredentialType="None"/>

If you are using a Windows authentication based proxy server, add proxyCredentialType="Windows" so that the line reads:

<transport clientCredentialType="None" proxyCredentialType="Windows"/>

If you are using a non-authentication based proxy server, add proxyCredentialType="None" so that the line reads:

<transport clientCredentialType="None" proxyCredentialType="None"/>

  2. In the same file, find the appSettings section. After the line that begins:
<add key="Agent ID" value="21EC2020-3AEA-1069-A2DD-08002B30309D"/>

Add the following line to explicitly state that any calls made through the network by the Agent use TCP:
<add key="ServiceBusConnectionMode" value="Tcp"/>

  3. Save and close the Scribe.Core.ProcessorService.exe.config file.
  4. In the ..\Program Files (x86)\Scribe Software\TIBCO Scribe® Online Agent\ folder, locate the Scribe.Core.ProcessorService.exe file. Restart it to pick up the changes you made to the Scribe.Core.ProcessorService.exe.config file.
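
The two config edits from the steps above, scripted as an added PowerShell example (not TIBCO's code) and run against a constructed sample config. The function name Set-AgentProxyConfig and the binding name are assumptions, and the function sets the attribute on every <transport> element under <basicHttpBinding>.

```powershell
# Added example (not TIBCO code). $sample is a constructed, minimal stand-in
# for Scribe.Core.ProcessorService.exe.config; "ExampleBinding" is hypothetical.
$sample = @'
<configuration>
  <appSettings>
    <add key="Agent ID" value="21EC2020-3AEA-1069-A2DD-08002B30309D"/>
  </appSettings>
  <system.serviceModel><bindings><basicHttpBinding>
    <binding name="ExampleBinding">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </basicHttpBinding></bindings></system.serviceModel>
</configuration>
'@

function Set-AgentProxyConfig {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [ValidateSet('Windows', 'None')][string]$ProxyCredentialType = 'Windows'
    )
    # Step 1: set proxyCredentialType on each <transport> under <basicHttpBinding>.
    $transports = $Config.SelectNodes('//basicHttpBinding//transport')
    if ($transports.Count -eq 0) { throw 'No <transport> under <basicHttpBinding>.' }
    foreach ($t in $transports) {
        $t.SetAttribute('proxyCredentialType', $ProxyCredentialType)
    }
    # Step 2: add ServiceBusConnectionMode=Tcp right after "Agent ID", only once.
    $agentId = $Config.SelectSingleNode('//appSettings/add[@key="Agent ID"]')
    if ($null -eq $agentId) { throw 'appSettings has no "Agent ID" entry.' }
    $mode = $Config.SelectSingleNode('//appSettings/add[@key="ServiceBusConnectionMode"]')
    if ($null -eq $mode) {
        $mode = $Config.CreateElement('add')
        [void]$agentId.ParentNode.InsertAfter($mode, $agentId)
    }
    $mode.SetAttribute('key', 'ServiceBusConnectionMode')
    $mode.SetAttribute('value', 'Tcp')
    return $Config
}

$edited = Set-AgentProxyConfig -Config ([xml]$sample) -ProxyCredentialType Windows
# Show the edited elements; running the function again changes nothing more.
$edited.SelectNodes('//transport | //appSettings/add') | ForEach-Object { $_.OuterXml }
```

Against the real file, load it from an elevated session with [xml](Get-Content -Raw $path), keep a backup copy, and write it back with $Config.Save($path) using the full path before restarting the service.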

Editing On-Premise Agent Service Properties

After you modify the Scribe.Core.ProcessorService.exe.config file, you need to change the user account running the service.
  1. From the Agent server, open Windows Services, right-click the Scribe Online Agent service and select Properties.
  2. From the Log On tab of the Scribe Online Agent Properties dialog, change the service to log on as a domain user for which your Network Administrator has granted permissions to have access through the proxy.
     NOTE: As a test, log in to the computer as the domain user, and then try to sign in to TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect. Make sure that Internet Explorer is not set up to use a proxy server. If you can access and sign in to https://agent.scribesoft.com, https://us1-connect-agent-azure.scribesoft.com, https://au1-connect-agent-aws.scribesoft.com, or https://agent-frankfurt.scribesoft.com, then your user has the necessary permissions.
  3. Save the changes you made to the Scribe Online Agent Service properties.
  4. Restart the Agent Windows Service.
  5. Test your changes by signing into TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect and testing a Connection. If you can successfully test a Connection, then the Agent is functioning properly through the proxy server.

In addition to changes for TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect, you may need to make some changes for connectivity to your cloud application, as described below.
 

Connecting To Microsoft Dynamics CRM Online

Use the following information to connect to Microsoft Dynamics CRM Online from behind extra security.

Dynamics CRM Online Required Exceptions

To allow access to Microsoft Dynamics CRM Online, add exceptions to the firewall for the following sites:
  • https://*.login.live.com
  • https://*.crm.dynamics.com
  • https://*.crm4.dynamics.com
  • https://*.crm5.dynamics.com
  • https://*.microsoft.com
  • https://*.microsoftonline.com

Dynamics CRM Online IP Addresses

For a list of valid IP address ranges see the following Microsoft Support article: Microsoft Dynamics CRM Online IP Address Ranges.

NOTE: These servers are owned by Microsoft. The IP addresses may change and can be verified by Microsoft at any time. Best practice is to whitelist all of the IP addresses in the IP address list so that you are less likely to experience a service disruption if Microsoft makes changes to the IP addresses.

Dynamics CRM Online Port

 

Connecting To Salesforce

Use the following information if your site connects to Salesforce from behind extra security.

Salesforce Required Exception

To allow access to Salesforce, add an exception to the firewall for the following site:

Salesforce.com IP Addresses

Note that these servers are owned by Salesforce. The IP addresses may change and can be verified by Salesforce at any time.
  • 204.14.232.0/23 — East Coast Data Center
  • 204.14.237.0/24 — East Coast Data Center
  • 96.43.144.0/22 — Midwest Data Centers
  • 96.43.148.0/22 — Midwest Data Centers
  • 204.14.234.0/23 — West Coast Data Center
  • 204.14.238.0/23 — West Coast Data Center
  • 182.50.76.0/22 — Japan Data Center

Salesforce.com Ports

  • 80: This port only accepts HTTP connections.
  • 443: This port only accepts HTTPS connections.
  • 1024–66535 (inclusive): These ports accept HTTP or HTTPS connections.

Troubleshooting

Proxy And Firewall Server Logs

When the Agent attempts to make an external connection to the cloud, a site, or a database and is denied by environmental security, the Proxy and/or Firewall server typically keeps a log of these attempts. These logs are useful for determining if a site you wish to connect to is being blocked. TIBCO Support can help you determine which IP addresses to unblock based on your log files.
 

High CPU Usage

If you have not configured your inbound and outbound ports correctly or if you have not added an exception to your firewall for TIBCO Scribe® Online / TIBCO Cloud™ Integration - Connect, the computer where your Agent is installed may experience very high CPU usage.
 

Whitelisting IP Addresses

You may find the following resources useful for information about whitelisting IP addresses:

Issue/Introduction

If your network configuration includes either proxy servers or firewalls, review this article for special setup information.