BIMcloud, BIM Server and encryption

BIMadmin80
Booster
From "BIMcloud and BIM Server network requirements":
To encrypt the network traffic, the following alternatives are available:

- Use HTTPS to secure the communication. For this you will need a Reverse Proxy on the server side that will perform the SSL encryption between ARCHICAD and the Reverse Proxy
- Use VPN, which will encrypt the communication

Seems odd that in 2016 this isn't built into the product; these days SSL encryption is the norm in almost all network services using the internet, and BIMcloud is marketed as a product for the public internet. Will this be built-in in the future? As I understand, communication between BIMcloud servers is at least signed if not encrypted.

Will ArchiCAD work out-of-the-box with a reverse proxy or is additional configuration required on the client side? If I just use something like https://bim.server.address:19000 as the server address, will ArchiCAD know how to handle the connection? And if ArchiCAD can handle it, why isn't it built-in to BIMcloud/BIM Server?
Anonymous
Totally agree that this should be built-in, not bolted-on. And Graphisoft hasn't even published instructions on how to build the proxy.

We recently "upgraded" to BIMcloud and even that doesn't have SSL support built-in (even though I remember some marketing material claiming otherwise).

I've made some progress setting up nginx as a reverse SSL proxy from our DMZ to provide external access to team projects, but it doesn't really work since the BIMcloud manager insists on reporting the internal server address to the client (we have 2 servers paired with BIMcloud) which suggests I publish *all* our internal teamwork server addresses with corresponding firewall rules etc.

BIMcloud/server is just a Node.js web service. Usually these are put behind HTTP load balancers that also take care of encryption. It's beyond me how Graphisoft didn't consider that most architecture offices are not that experienced with setting up web services.
Marton Kiss
Graphisoft
Hi Filipp,

this is an extremely important topic, so allow me to summarise our take on it.

First and foremost having encryption on any Internet traffic is a must. We strongly recommend this for all of our users running BIMclouds and BIM Server with public access.

This can either be done:
- by relying on VPN - which is typically a good solution for businesses that already have a VPN solution in use, or
- by establishing HTTPS connection via a 3rd party solution

Back with version 18 we switched to HTTP based communication that enabled our solution to be compatible with most HTTP based infrastructure solutions.

We considered building in HTTPS support straight to our server applications, but as there are plenty of proven solutions out there with millions of users we rather focused our resources on developments unique for our user base.

For nginx and most popular solutions (Apache Reverse Proxy, Amazon/Google Load balancers) we have detailed guides, please PM your email address and I'll have our local team send you the corresponding documents.

Regards,
Marton Kiss
Chief Product Officer
GRAPHISOFT
BIMadmin80
Booster
filipp wrote:
Totally agree that this should be built-in, not bolted-on. And Graphisoft hasn't even published instructions on how to build the proxy.

We recently "upgraded" to BIMcloud and even that doesn't have SSL support built-in (even though I remember some marketing material claiming otherwise).

I've made some progress setting up nginx as a reverse SSL proxy from our DMZ to provide external access to team projects, but it doesn't really work since the BIMcloud manager insists on reporting the internal server address to the client (we have 2 servers paired with BIMcloud) which suggests I publish *all* our internal teamwork server addresses with corresponding firewall rules etc.

BIMcloud/server is just a Node.js web service. Usually these are put behind HTTP load balancers that also take care of encryption. It's beyond me how Graphisoft didn't consider that most architecture offices are not that experienced with setting up web services.
I got a guide from Graphisoft a while back for setting up Apache proxy in front of BIMcloud. At that time at least, it required some modifications to make it work. It has been working quite well with AC19 and 20 and I haven't had to touch it much in recent times.

In BIMcloud Manager, the encrypted address should be made the primary server address. After this the unencrypted Manager page is redirected to the encrypted one. So during testing it's possible to get into a loop where you can't access the Manager page if the proxy isn't working correctly. After shutting down the proxy the unencrypted page can usually be accessed again.

Apache on Windows doesn't have log rotation by default so that has to be configured manually. The logging level could require some tuning too as Apache will produce huge amounts of logs in its default state. I've installed Apache on the same Windows server as BIMcloud, but it would probably be easier to work with a separate Linux installation for the proxy. By the way, when is Graphisoft releasing a Linux version of BIMcloud/BIM Server? The Mac version already is a *nix version, so porting it to Linux shouldn't be very hard.

The whole thing sure feels like a bit of a fragile afterthought. I wouldn't imagine it to be that much work to build it in, since there are standard SSL libraries that the whole world is using.
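A sketch of the Apache setup described in the post above (TLS terminated at the proxy, BIMcloud left on plain HTTP on the same Windows server, daily log rotation, reduced log level). This is an added example, not Graphisoft's guide or the poster's actual configuration; the hostname, install directory `C:/Apache24`, certificate paths and backend port 19000 are assumptions.

```apache
# Added example. Hostname, paths and ports are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_log_config loaded.

Listen 443

<VirtualHost *:443>
    # Public name clients type into ARCHICAD. The same https:// address is
    # the one to set as the primary server address in BIMcloud Manager.
    ServerName bim.example.com

    SSLEngine on
    # Refuse the legacy protocol versions; leaves TLS 1.2 and newer.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    "C:/Apache24/conf/ssl/bim.example.com.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/bim.example.com.key"

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # Pass the public Host header through to the backend.
    ProxyPreserveHost On
    # Backend is the unencrypted listener on the same machine (port assumed).
    ProxyPass        "/" "http://127.0.0.1:19000/"
    ProxyPassReverse "/" "http://127.0.0.1:19000/"
    RequestHeader set X-Forwarded-Proto "https"

    # The default log level is noisy; log warnings and above only.
    LogLevel warn
    # Apache on Windows does not rotate logs by itself: pipe both logs
    # through the bundled rotatelogs, one file per day (86400 seconds).
    ErrorLog  "|C:/Apache24/bin/rotatelogs.exe C:/Apache24/logs/bim-error-%Y-%m-%d.log 86400"
    # "combined" is the LogFormat nickname defined in the stock httpd.conf.
    CustomLog "|C:/Apache24/bin/rotatelogs.exe C:/Apache24/logs/bim-access-%Y-%m-%d.log 86400" combined
</VirtualHost>
```

Keeping the plain HTTP listener reachable only from the server itself leaves the recovery path the post mentions (stop the proxy, open the unencrypted Manager page locally) without exposing it to the internet.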
Anonymous
I asked our ArchiCAD reseller for SSL proxy instructions, but didn't get any so I assumed they don't even exist. Secret documentation is silly - just put that stuff in your knowledge base.

We've been doing secure remote BIMserver over VPN for over a decade, but VPN only really works when you have full control over the endpoint (i.e. it's a company computer), not so much for subcontractors.

FWIW, I threw together a little writeup of how I set this up for us: http://unflyingobject.com/blog/stories/archicad-bimcloud-ssl-proxy-howto/
Anonymous
Wow, that was a masterful copout! I had to register just to express my incredulity that an http backend would be created without encryption in this day and age. Let's interweb like it's 1999!

Anyways, I am attempting to help set up bimcloud for a friend's firm. If VPN is the route chosen, is there even any need for the port forwarding or will they simply be able to connect directly to the machine running BIM?
Anonymous
We use AWS classic load balancers to manage this. But I agree, https should be standard and preferred.
Anonymous
Anyone have instructions to share? The link above appears to be dead...
BIMadmin80
Booster
pesos wrote:
Anyone have instructions to share? The link above appears to be dead...
Site-to-site VPN is easier in my opinion if you are able to use it. No port forwarding or NAT needed if the subnets are different on the networks. Although small offices often have the 192.168.0.0/24 network in use. If that's the case for both networks you would either need to change one network or set up NAT in the VPN tunnel. Depending on the firewalls NAT could be easy to set up, cumbersome or not possible at all. Often NATting in the IPsec tunnel is only possible with professional grade equipment.

Proxy setup is harder to do in my opinion if you're not familiar with web servers. Filipp's link still works for me, you could follow that or ask Graphisoft to send the guide. They should have a guide at least for Apache, since they sent me one a couple of years ago, although the guide wasn't actually 100% correct and required some tweaking.
Barry Kelly
Moderator
pesos wrote:
Anyone have instructions to share? The link above appears to be dead...
The link by filipp is working just fine for me.

Barry.
One of the forum moderators.