Gateway Deployment

Status: Released Updated: 05 Feb 2026

A MyPass Gateway server is a critical component in the MyPass landscape. It acts as a secure request proxy between the MyPass Cloud platform and your organization’s internal infrastructure. The Gateway enables controlled communication from the cloud to various user systems within your environment, such as Microsoft Active Directory, SQL databases, Novell, IBM iSeries, and other local API-based systems.

By deploying a Gateway server, you ensure that all requests from the MyPass Cloud are securely routed and managed, allowing integration with multiple backend systems while maintaining strict security.

Security Considerations

To secure communications between the MyPass Cloud platform and the Gateway, several network and application security measures are put in place as part of a deployment. These include:

  • Mutual firewall policies to restrict the flow of traffic between the MyPass Cloud platform and Gateway server(s).
  • Transport layer security through the use of strong and modern encryption.
  • Application-level configuration, including authorized caller configurations that restrict specific MyPass Cloud platform POD tenants to communicating only with specific Gateway server(s).

Additional hardening requirements (server hardening, business continuity) are scoped during the deployment engagement.

Hardware Requirements

The Gateway is a critical component in the operation of the MyPass Cloud platform, providing secure and reliable communication between MyPass Cloud and your organization’s user repositories. For this reason, the Gateway must be performant and redundant (at either the hardware or the virtualization level).

The Gateway runs in a Microsoft IIS web application on top of Microsoft Windows. To provision a Gateway server, use the following server specifications.

Component            | Minimum Requirement               | Recommended Requirement
CPU Cores            | 2 (physical or virtual)           | 2 (physical or virtual)
RAM                  | 4 GB                              | 8 GB
Free Hard Disk Space | 20 GB (excluding OS requirements) | 40 GB (excluding OS)

For operating system and software requirements, see the Software Requirements section below.

Software Requirements

The Gateway server uses web services hosted on a Microsoft IIS instance to accept incoming requests from the MyPass Cloud platform and forward them to your user repositories. A current Microsoft Windows Server with IIS is therefore the intended host for the Gateway web services.

Software to be installed on the Gateway Server

  • Microsoft Windows Server 2016 or later
  • .NET Framework v. 4.5
  • Microsoft Internet Information Server (IIS) v.10 or later (See table below)

Please also see the list of additional Role Services that need to be enabled while performing the IIS Server Role installation.

Internet Information Services (IIS) Enabled Features

As part of the deployment of IIS on the Gateway, we require the following features to be enabled with the role.

Role services to enable, grouped by IIS feature category:

Common HTTP Features
  • Default Document
  • Directory Browsing
  • HTTP Errors
  • Static Content
Health and Diagnostics
  • HTTP Logging
Performance
  • Static Content Compression
Security
  • Request Filtering
Application Development
  • .NET Extensibility 4.5
  • ASP.NET 4.5
  • ISAPI Extensions
  • ISAPI Filters
Management Tools
  • IIS Management Console
  • IIS Management Compatibility
    • IIS 6 Metabase Compatibility
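The table above maps directly onto ServerManager feature names. The following is an added example (not MyPass-provided code) that installs exactly those role services and then reports anything else installed under the Web Server role, in keeping with the "install only the IIS modules you need" recommendation later in this guide. Run it in an elevated PowerShell session on Windows Server 2016 or later.

```powershell
# Added example: install the IIS role services listed in the table above.
Import-Module ServerManager

# One feature name per table row, in the same category order as the table.
$features = @(
    'Web-Server',                                   # the IIS Web Server role itself
    # Common HTTP Features
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content',
    # Health and Diagnostics
    'Web-Http-Logging',
    # Performance
    'Web-Stat-Compression',
    # Security
    'Web-Filtering',
    # Application Development
    'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # Management Tools
    'Web-Mgmt-Console', 'Web-Mgmt-Compat', 'Web-Metabase'
)

$result = Install-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "IIS feature installation failed (exit code $($result.ExitCode))"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A reboot is required to complete the installation.'
}

# Container nodes that Server Manager marks installed whenever a child is installed;
# they are not role services and are excluded from the "extra" check.
$containers = @('Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Health',
                'Web-Performance', 'Web-Security', 'Web-App-Dev', 'Web-Mgmt-Tools')

$installed = Get-WindowsFeature -Name 'Web-*' | Where-Object Installed |
             Select-Object -ExpandProperty Name
$missing = $features  | Where-Object { $_ -notin $installed }
$extra   = $installed | Where-Object { $_ -notin $features -and $_ -notin $containers }

if ($missing) { Write-Warning "Missing role services: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Role services installed beyond the Gateway list: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Output 'IIS role services match the Gateway requirements.' }
```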

Network Requirements

To establish a secure connection between the MyPass Cloud platform and your user repositories, the Gateway is used to proxy traffic. All traffic to the Gateway will always originate from the MyPass Cloud.

tip

All traffic is always initiated from the MyPass Cloud to the Gateway and never the other way around. All traffic is encrypted web requests.

The Gateway can be deployed within the local network or a DMZ, if you prefer. If the Gateway is deployed in a DMZ, only HTTPS (443) traffic needs to be allowed from the internet to the Gateway, while the ports required from the DMZ to the local network will depend on the user repositories that are being accessed. More information on this can be found in the integration guide for each target user repository.

Publishing the Gateway

1. Public NAT

The Gateway server must be provided with a PUBLIC IP ADDRESS that's presented via NAT (Network Address Translation) to the public internet. For Gateway traffic, this can be achieved through application delivery controllers or firewalls.

2. Securing NAT with Firewall Rules

Firewall rules need to be configured on your edge appliance to allow the MyPass Cloud platform IP address pool to reach your Gateway server on TCP port 443, inbound only.

MyPass Cloud    | Allowed Source IP Addresses (Inbound Only)
POD1 Customers  | 102.37.104.14, 102.37.122.52, 102.37.124.197
POD2 Customers  | 102.133.232.144, 40.120.25.31, 40.120.25.105
POD3 Customers  | TBA
POD4 Customers  | TBA

3. Encrypting Gateway traffic

To ensure secure encrypted communication between the MyPass Cloud platform and your Gateway server, follow these steps:

  1. Install a valid SSL certificate (either customer-owned or newly issued) on the Gateway server to enable secure HTTPS connections via Microsoft IIS. For example, use a certificate for gateway1.yourcompanyname.xyz.
  2. Add the certificate to the server and bind it to the Default Site in IIS, preparing it for the MyPass Gateway web service software deployment.
  3. Create a public DNS A-record that matches the certificate’s domain name and points to the Gateway server’s public NAT IP address (e.g., gateway1.yourcompanyname.xyz -> 41.32.4.123).
  4. Update the Gateway server’s SSL/TLS protocols and ciphers to allow only modern, secure encryption standards. This can be done with IISCrypto or a similar tool.

These steps help protect all data exchanged between MyPass Cloud and your Gateway, ensuring compliance with security best practices.
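The following is an added example (not MyPass-provided code) showing host-level counterparts to publishing steps 2 to 4: a host firewall rule limited to the POD source addresses, the certificate binding on the Default Web Site, and the SCHANNEL protocol settings that tools such as IISCrypto edit for you. It assumes a certificate for gateway1.yourcompanyname.xyz (the placeholder name used above) is already in the machine Personal store and that the tenant is on POD1; the host firewall rule complements the edge firewall rule in step 2, it does not replace it.

```powershell
# Added example: host-level publishing steps for a MyPass Gateway. Run elevated.
Import-Module WebAdministration
Import-Module NetSecurity

$hostName  = 'gateway1.yourcompanyname.xyz'                    # placeholder host name
$podSource = @('102.37.104.14', '102.37.122.52', '102.37.124.197')   # POD1, from step 2

# Step 2 (defence in depth behind the edge firewall): only the MyPass Cloud POD
# addresses may reach TCP/443 on this host.
New-NetFirewallRule -DisplayName 'MyPass Gateway HTTPS (POD1 only)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $podSource -Action Allow -Profile Any | Out-Null

# Steps 1 and 2: pick the newest certificate with a private key for the host name
# and bind it to the Default Web Site on port 443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $hostName" }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader $hostName
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }      # replace any older certificate
$cert | New-Item -Path $sslPath | Out-Null

# Step 4: SCHANNEL hardening at the registry level. Disable SSL 2.0/3.0 and
# TLS 1.0/1.1 server-side and leave TLS 1.2 enabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @{ 'SSL 2.0' = 0; 'SSL 3.0' = 0; 'TLS 1.0' = 0; 'TLS 1.1' = 0; 'TLS 1.2' = 1 }
foreach ($name in $protocols.Keys) {
    $enabled = $protocols[$name]
    $key = Join-Path $base "$name\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $enabled -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value (1 - $enabled) -Force | Out-Null
}
Write-Output 'Firewall rule and binding applied; SCHANNEL changes take effect after a reboot.'
```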

4. Validating the Configuration

Once all the above-mentioned requirements have been successfully implemented, communications between the MyPass Cloud platform and the Gateway server can be validated.

Email your deployment partner, MyPass Project Manager, or help@integralis.co.za to validate.

Gateway Groups & Service Accounts

Before deploying the Gateway web services, you’ll need to create service accounts and groups to run the application pools. These accounts can be set up locally on the Gateway server or, for environments with multiple Gateways, centrally in Active Directory for easier management and consistency.

Adapt all example names to match your organisation’s naming conventions. For details on the specific services, accounts, groups, and permissions needed for each user repository, refer to the relevant integration/connector guide or consult your MyPass Cloud deployment partner.

Avoid Confusion

These groups and service accounts are distinct from the service accounts used within each connected system, such as Active Directory, SQL, Novell, or IBM iSeries. Ensure you do not confuse Gateway-specific accounts with those required for individual system integrations.

1. Gateway Administrators Security Group

This group controls the access for local / domain users who perform administration and configuration tasks on the Gateway.

Group Name Example | Group Type                                | Purpose
MP-GWGroup         | AD Security Group or Local Computer Group | Admin/configuration access for Gateway server

2. Gateway Server IIS Application Pool Account

This account is required to host the Microsoft Internet Information Services (IIS) application pool in which the Gateway web services application will run. The Gateway installer will create this account during the setup process. Please ensure the account executing the installer has the appropriate permission to create an account in the specified target repository (either Active Directory, for multiple Gateways with a shared account, or locally on the server).

Account Type: Active Directory User Account OR Local Computer User Account
Account Name Example: MP-IISUser
Required Permissions:
  • If not domain joined:
    • Member of Users and IIS_IUSRS groups on the local server.
  • If domain joined:
  • Additional: Log on as a batch job

3. Gateway Service Account

This account is required to perform all administration and configuration on the Gateway.

Account Type: Active Directory User Account OR Local Computer User Account
Account Name Example: MP-IISUser
Required Permissions:
  • If not domain joined:
    • Member of Users and IIS_IUSRS groups on the local server
  • If domain joined:
  • Special: Log on as a batch job

Security Recommendations

Since the primary role of the Gateway is hosting a set of web services using Microsoft Internet Information Services (IIS), the recommendations focus on securing this role. Normal security best practices relating to firewall configuration, patching and monitoring should still be addressed.

To harden the security posture of the Gateway server, we recommend the following:

  • Don't run the MyPass Gateway (IIS) on a domain controller or with any other dedicated functions.
  • Install only the IIS modules you need (as described in the Gateway software prerequisite section).
  • Ensure that server roles are kept separate.
  • Keep your antivirus, anti-malware and EDR/XDR software up to date.
  • Isolate web applications if more than one exists on the server.
  • Implement the principle of least privilege when assigning permissions to the service account for the Gateway.
  • Make periodic backups of the server or IIS configuration.
  • Never deploy a gateway without using transport layer encryption, and take care to configure accepted SSL ciphers and protocols.
  • Ensure that incoming firewall rules allow only HTTPS (TCP port 443).
  • Configure the outgoing firewall configuration if DMZ or HIPS is used between the Gateway and user repositories.
  • Ensure the Gateway’s authorized caller configuration contains only the MyPass Cloud POD IP addresses for your tenant. Your MyPass Cloud engineer will confirm your POD name (e.g., POD1, POD2). Use the IP addresses listed in the Network Requirements section to verify the correct addresses.

Management Recommendations

To ensure the MyPass Gateway server operates securely and reliably, the following management practices are recommended. As the Gateway server hosts only a Microsoft Internet Information Services (IIS) website to proxy traffic between the MyPass Cloud platform and your user repositories, maintenance tasks such as reboots and startup after failures are simple and do not require extensive hand-holding.

1. Patching Recommendations

Regular patching is critical to maintain the security and stability of the MyPass Gateway server. The server runs on a Microsoft Windows Server with IIS, and timely updates address vulnerabilities in the operating system, IIS, and related components.

  • Patch Frequency: Apply Microsoft security updates and critical patches monthly, aligning with Microsoft’s Patch Tuesday releases (second Tuesday of each month).
  • Patch Types: Include operating system updates, IIS updates, and any required .NET Framework or security patches for the MyPass Gateway web services.
  • Security Best Practices: Keep antivirus, anti-malware and EDR/XDR software up to date to complement patching efforts.

2. Reboot Schedule

Reboots are necessary to apply certain patches and ensure system stability. Given that the MyPass Gateway server hosts only an IIS website, reboots are straightforward, and the server automatically restarts IIS services upon startup, requiring minimal manual intervention.

  • Reboot Frequency: Schedule reboots monthly as part of the patch cycle, immediately following the application of patches that require a restart.
  • Timing: Perform reboots during a maintenance window (e.g., off-peak hours) to minimize impact on users accessing the MyPass Cloud platform.
  • Automation: Configure the server to automatically restart after patch installation using tools like Windows Task Scheduler or Group Policy settings for controlled reboots.
  • Post-Reboot Validation: After rebooting the Gateway server, confirm that the IIS website is running by browsing to its URL (e.g., https://gateway.yourcustomerdomain.net or https://customername.mypassgw.co.za if using the MyPass shared wildcard certificate). Next, log in with a test account to verify connectivity to the MyPass Cloud platform. If you can locate the account and proceed through the portal steps, the Gateway server is functioning correctly.

3. Annual Certificate Renewal

The MyPass Gateway server requires a valid SSL/TLS certificate to secure communications between the MyPass Cloud platform and your user repositories. The certificate can be either a MyPass-provided certificate or a company-managed certificate (e.g., issued by a trusted public Certificate Authority or an internal CA).

  • Renewal Frequency: Renew the certificate annually, at least 30 days before expiration, to prevent service disruptions due to expired certificates.
  • Certificate Options:
    • MyPass Certificate: If using a MyPass-provided certificate, contact your MyPass representative or email support@integralis.co.za to initiate the renewal process. Follow the provided instructions to install the renewed certificate on the Default Site within IIS.
    • Company-Managed Certificate: For company-managed certificates (e.g., wildcard, SAN, or single-domain certificates), generate a new Certificate Signing Request (CSR) using IIS Manager or PowerShell, submit it to your Certificate Authority, and import the renewed certificate into the server’s Personal certificate store. Update the IIS site bindings to use the new certificate.
  • Certificate Installation:
    • Import the certificate using IIS Manager: Server Certificates > Import, then bind it to the Default Site (Bindings > https > port 443).
    • Ensure the certificate includes the private key and is correctly paired (e.g., in .pfx format).
    • Confirm the DNS A-record still resolves to the Gateway’s public NAT IP address. If using the MyPass shared wildcard certificate (*.mypassgw.co.za), the MyPass engineering team will update the DNS record; provide them with your Gateway’s current public NAT IP address. If using your own certificate, update the A-record at your DNS provider only if the IP address has changed.
  • Post-Renewal Validation: After renewal, validate secure connectivity by testing the HTTPS endpoint (e.g., https://gateway1.yourcompanyname.xyz) and confirming communication with the MyPass Cloud platform. Email your deployment partner or MyPass support to verify integration.
  • Automation: Consider using a certificate management tool (e.g., CertSecure Manager) to automate renewal and deployment, reducing manual effort and ensuring compliance with modern certificate lifecycle requirements (e.g., 397-day maximum validity).

Reboot Required

A server reboot may be required after certificate installation to ensure proper binding, but this is handled automatically by IIS startup processes.
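The post-reboot validation (section 2) and post-renewal validation (section 3) above can be scripted as one health check. The following is an added example (not MyPass-provided code) that verifies the site and application pool are started, the public name resolves, the HTTPS endpoint answers, and the bound certificate covers the host name with more than the 30-day renewal lead time remaining. It assumes the placeholder host name gateway1.yourcompanyname.xyz from this guide; run it elevated on the Gateway server.

```powershell
# Added example: post-reboot / post-renewal health check for a MyPass Gateway.
Import-Module WebAdministration

$hostName = 'gateway1.yourcompanyname.xyz'      # placeholder host name from the guide
$problems = @()

# 1. Site and application pool must be started after the reboot.
$site = Get-Website -Name 'Default Web Site'
if ($site.State -ne 'Started') { $problems += "Site state is $($site.State)" }
$pool = Get-WebAppPoolState -Name $site.applicationPool
if ($pool.Value -ne 'Started') { $problems += "App pool state is $($pool.Value)" }

# 2. The public name must still resolve (to the NAT address from the publishing steps).
$resolved = (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue).IPAddress
if (-not $resolved) { $problems += "No A-record for $hostName" }

# 3. HTTPS must answer. An HTTP error status still proves TLS and IIS are up
#    (the authorized caller configuration may reject non-POD clients); only a
#    transport failure with no response at all is treated as a problem.
try {
    $status = (Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing -TimeoutSec 15).StatusCode
} catch {
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    else { $problems += "HTTPS request failed: $($_.Exception.Message)" }
}

# 4. The bound certificate must cover the host name (wildcards honoured) and be
#    valid for more than the 30-day renewal lead time recommended above.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
if (-not $binding) {
    $problems += 'No https binding on port 443'
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $binding.certificateHash
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le 30) { $problems += "Certificate expires in $daysLeft days ($($cert.NotAfter))" }
    $covered = @($cert.DnsNameList.Unicode) + @($cert.Subject -replace '^CN=([^,]+).*', '$1')
    if (-not ($covered | Where-Object { $hostName -like $_ })) {
        $problems += "Certificate does not cover $hostName"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Gateway $hostName OK: HTTP $status, DNS -> $resolved, certificate valid for $daysLeft more days"
```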

Backup Recommendations

To recover the Gateway in the event of a failure, both the IIS configuration and the application files need to be restored. There are no dynamic content or database instances on the server, so the content that needs to be backed up only includes:

  • Microsoft IIS Application Configuration: This can be achieved with APPCMD or through configuration in whichever backup solution is implemented. See the APPCMD reference on Microsoft Learn.
  • SSL Certificates
  • Gateway Application Content: All file content for the Gateway is stored in the folder:
C:\Program Files (x86)\FastPassCorp
  • MyPass Cloud specific Registry Keys: All registry information for the MyPass Gateway is stored in the key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\FastPassCorp
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FastPassCorp A/S
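The following is an added example (not MyPass-provided code) that collects the four backup items listed above into a single dated folder: an APPCMD backup of the IIS configuration, the certificate bound to the https site exported as PFX, the FastPassCorp application folder, and both registry keys. The destination path D:\GatewayBackups is a placeholder to point at a location your backup solution already collects; run it elevated on the Gateway server.

```powershell
# Added example: snapshot the MyPass Gateway backup items into one dated folder.
Import-Module WebAdministration

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path 'D:\GatewayBackups' $stamp            # placeholder destination
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. IIS configuration via APPCMD. The backup lands under inetsrv\backup, so copy
#    it into the snapshot folder as well.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
& (Join-Path $inetsrv 'appcmd.exe') add backup "MyPassGW-$stamp" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "appcmd backup failed with exit code $LASTEXITCODE" }
Copy-Item -Path (Join-Path $inetsrv "backup\MyPassGW-$stamp") `
          -Destination (Join-Path $dest 'iis-config') -Recurse

# 2. The certificate currently bound to the https site, exported with its private
#    key as PFX. The password should come from your secrets store; the prompt
#    here is a placeholder.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
if (-not $binding) { throw 'No https binding on port 443; nothing to export' }
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $binding.certificateHash
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $dest "$($cert.Thumbprint).pfx") `
    -Password $pfxPassword | Out-Null

# 3. Gateway application content (robocopy exit codes below 8 mean success).
robocopy 'C:\Program Files (x86)\FastPassCorp' (Join-Path $dest 'FastPassCorp') `
    /MIR /R:2 /W:5 /NP "/LOG:$dest\robocopy.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# 4. Both registry locations named in the guide.
reg export 'HKLM\SOFTWARE\FastPassCorp' (Join-Path $dest 'FastPassCorp.reg') /y | Out-Null
reg export 'HKLM\SOFTWARE\Wow6432Node\FastPassCorp A/S' (Join-Path $dest 'FastPassCorp-Wow6432Node.reg') /y | Out-Null

# A manifest lets a restore be checked against what was captured.
Get-ChildItem -Path $dest -Recurse -File | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Output "Gateway backup written to $dest"
```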

Additional Notes

  • Simplicity of Operations: As the MyPass Gateway server hosts only an IIS website, recovery from failures or reboots is straightforward. The IIS service starts automatically, and the Gateway web services resume operation without complex manual intervention.
  • Monitoring: MyPass monitors certificate expiration and service health on the cloud side. Implement your own monitoring for Gateway hardware uptime and network connectivity.
  • Security: Follow best practices for securing the IIS server, including isolating the Gateway from other roles (e.g., not running on a Domain Controller), applying the principle of least privilege to the service account, and maintaining up-to-date firewall configurations.