Cloud Access for Third Party Consultants
Author: Eric Vasbinder
Overview
Third-party consultants are often employed by our customers to perform tasks such as custom Crystal Report writing, updating stored procedures, creating SSRS dashboards, and more. These consultants work regularly with Viewpoint products, including Vista and HFF, to provide customized experiences for our joint customers.
As part of supporting joint customers hosted in our cloud, third-party consultants will need access to various databases and custom report libraries that are hosted in our cloud. Access may be provided to third-party consultants by one of the following methods:
Option A (PREFERRED): Consultant-Managed Azure Virtual Desktop
Option B: Customer-Provided Client VPN to Customer Network
Option C: Customer-hosted Remote Desktop Instance
Option D (ONLY VIABLE IF CONSULTANT DEDICATED TO ONE CUSTOMER): Static IP with Consultant's Local Workstation through TLS Database Endpoint (TLS VPN) or IPSEC VPN
Option E (HIGHLY DISCOURAGED): Viewpoint-hosted RDP Published Apps access
Please see below for more details for each option and how to use them.
IMPORTANT VISTA VRL CLIENT NOTE
Customers of our modern clouds (VP1, TC1, and VEC VRL) currently use the Vista Remote Link (VRL) method to connect to the Vista database. This method leverages HTTPS to allow for a Vista client to connect to a Vista database from anywhere in the world, regardless of the workstation being on a VPN or using the TLS Database Endpoint (TLS VPN). That's right! No VPNs are necessary to use just Viewpoint product UIs, such as Vista's rich client, HFF, Team, and more.
As such, a consultant should use Vista installed on his or her local workstation to connect to a client's Vista instance.
Increasing Your Client's Server Dropdown List Limit
Oftentimes, consultants with multiple clients will end up filling their Vista client's server dropdown with many client machines that need to be accessed. To that end, consultants may need to allow for more than five Vista servers to be specified in their Vista client's login screen. To enable that, the consultant will need to follow these steps on their local workstation or cloud-hosted virtual desktop:
Go to the file: %appdata%\Roaming\Viewpoint Construction Software\C^Program Files (x86)^Viewpoint Construction Software^Vista^bin^VistaUserConfiguration.json
Please open that file and then change this line: "MaxConnectionConfigurations": 5,
Where it says 5 today, change the number to be larger. For example, 128.
Restart all Vista services on your client workstation or Terminal Server - OR merely reboot your machine.
NOTE: The largest value that can be allowed there should be 256.
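A PowerShell script that carries out the three steps above on a Windows workstation, added here as an example and not part of the original article or of Viewpoint's own tooling. It assumes the file path quoted above, enforces the 256 ceiling, and guesses the Vista service names by display name, which is an assumption to check before restarting anything.

```powershell
# Added example (not from the original article or Viewpoint's tooling): raise
# "MaxConnectionConfigurations" in VistaUserConfiguration.json in place, taking a
# timestamped backup and leaving every other byte of the file untouched.
param(
    [ValidateRange(6, 256)]   # must be larger than the default of 5; 256 is the ceiling
    [int]$NewLimit = 128,
    [string]$ConfigPath = '',
    [switch]$RestartServices  # default is to list the services, not restart them
)
$ErrorActionPreference = 'Stop'
if (-not $ConfigPath) {
    # Path exactly as the article gives it; adjust if your install differs.
    $default = '%appdata%\Roaming\Viewpoint Construction Software\C^Program Files (x86)^Viewpoint Construction Software^Vista^bin\VistaUserConfiguration.json'
    $ConfigPath = [Environment]::ExpandEnvironmentVariables($default)
}
if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}
$text = [System.IO.File]::ReadAllText($ConfigPath)
# Touch the file only if the key the article names appears exactly once.
$found = [regex]::Matches($text, '"MaxConnectionConfigurations"\s*:\s*(\d+)')
if ($found.Count -ne 1) {
    throw "Expected one MaxConnectionConfigurations entry, found $($found.Count); edit by hand."
}
$m = $found[0]
$current = [int]$m.Groups[1].Value
if ($current -ge $NewLimit) {
    Write-Host "Current limit $current is already >= $NewLimit; nothing to do."
    return
}
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
# Splice the new value into the matched span so formatting elsewhere is preserved.
$updated = $text.Substring(0, $m.Index) +
           "`"MaxConnectionConfigurations`": $NewLimit" +
           $text.Substring($m.Index + $m.Length)
$null = $updated | ConvertFrom-Json   # refuse to write anything that no longer parses
[System.IO.File]::WriteAllText($ConfigPath, $updated)
Write-Host "MaxConnectionConfigurations: $current -> $NewLimit (backup: $backup)"
# The article says to restart the Vista services or reboot; it does not list service
# names, so this display-name match is a guess to review before using -RestartServices.
$svcs = Get-Service | Where-Object { $_.DisplayName -like '*Vista*' -and $_.Status -eq 'Running' }
if (-not $svcs) {
    Write-Host "No running '*Vista*' services found; reboot or restart the Vista client."
} elseif ($RestartServices) {
    $svcs | Restart-Service -Force   # needs an elevated session
} else {
    Write-Host "Restart these services (re-run with -RestartServices) or reboot:"
    $svcs | Select-Object Name, DisplayName
}
```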
Overall Connectivity Background for NON-VIEWPOINT Products
Please note that every Viewpoint One (VP1) / Trimble Construction One (TC1) installation includes a few items that help with providing access to third parties. For example, with every VP1 environment, either a TLS Database Endpoint (TLS VPN) or an IPSEC VPN tunnel is stood up between our cloud environment and the customer's main network. This facilitates connectivity between the Vista ERP database and the customer's network. The following Vista Cloud FAQ articles provide more details on this topic: "TLS Database Endpoint" and "How do I set up an IPSEC VPN to access my Vista database directly?"
Option A - Consultant-Managed Azure Virtual Desktop
A consultant-managed Azure Virtual Desktop, cloud-hosted Citrix instance, cloud-hosted Microsoft Terminal Server, or cloud-hosted VMware Terminal Server can be an EXCELLENT choice for allowing third-party consultants to connect to multiple clients with Vista VRL. In addition, a cloud-hosted, consultant-managed Remote Desktop style environment, WITH A STATIC PUBLIC IP, allows for easy connectivity to those customers' Vista databases directly over ODBC for tools such as SQL Server Management Studio (SSMS), Crystal Reports Builder, SSRS Report Builder, Insight Spreadsheet Server, and more.
This option gives you, as a consultant, an environment that you can set up and tweak to be accessible from anywhere, configured to your preferences. In addition, with a static, public IP, you'll be assured of being able to connect via the powerful and simple TLS Database Endpoint (TLS VPN) to multiple customer databases. Please note that an IPSEC VPN is also required to each customer's environment with which you wish to use SSRS Report Builder or to have access to the Viewpoint Repository.
NOTE: An IPSEC VPN is also possible here but requires that the consultant's Azure Desktop has an IPSEC tunnel dedicated to one customer client only. This is because, for security reasons, a network level peering to a client's network should only be done for one customer at a time.
Option B - Customer-Provided Client VPN to Customer Network
This option leverages an already existing IPSEC VPN or TLS Database Endpoint (TLS VPN) that is connected to the customer network. By connecting via a client VPN to the customer's corporate network, the consultant can leverage that pre-existing connection.
Pros
Avoids the 1 to 1 ratio restriction of IP addresses to TLS Database Endpoints (TLS VPN).
Smaller potential attack surface makes this easier to secure than RDP
Cons
Requires that traffic intended for Viewpoint SQL Server domains (e.g. viewpointdata.cloud) be forced to pass through the customer network so as to leverage the customer's Internet ingress / egress point.
Option C - Customer-hosted Remote Desktop Instance
This will take the form of the customer creating an RDP Remote Desktop environment, such as an Azure Virtual Desktop, and making it available to the consultant to connect to remotely over RDP or some other mechanism (e.g., TLS Client VPN). This method has several pros and cons compared to Option "A", above:
Pros
Multiple licenses for Crystal Builder, etc. are not necessary
Remote access might be easier if RDP connectivity is allowed directly
Client VPN still recommended instead for security reasons
The consultant can access this environment from any location.
Cons
Requires standing up RDP workstation or server for consultant to use
Potential security concerns unless two factor authentication is required for RDP session
This two-factor authentication must be configured by the customer's IT, using tools such as Azure AD. Trimble Viewpoint has no ability to configure this for our customers, as these RDP workstations, whether cloud hosted or not, are under customer control.
Option D - Local Workstation Direct Access for Consultant (Rarely Possible)
As mentioned above, with every Viewpoint One (Trimble Construction One) installation, a connection is stood up between the customer's network and the cloud single tenant environment. This connection may be leveraged to allow for a consultant to use his or her workstation / laptop to connect to the customer's Vista database in the cloud. This method, though preferred due to its simplicity, requires several items:
The consultant MUST have copies of SSRS Report Builder, SSMS, Crystal Reports Builder, and other client-side tools installed and licensed on their local workstation.
CRITICAL NOTE: With this method, the consultant MUST have his/her own static IP address AND that static IP may only be connected to one IPSEC or TLS Database Endpoint (TLS VPN).
As it is unlikely that a consultant will have only one Vista-using client, this option is not usually viable.
This is a many:1 ratio of IPs to customer environments
A single TLS Database Endpoint (TLS VPN) can have many IPs assigned to it, but a single IP may ONLY be assigned to ONE TLS Database Endpoint (TLS VPN)
Option E - Viewpoint-hosted RDP Published Apps (Approval Required)
This option has been used in the past but is now strongly discouraged. This is due to the complexity and the need to pass on costs for hosting third-party applications, such as Crystal Reports Builder. Over the longer term, this method will slowly fade away as pure VRL implementations in our cloud increase.
Pros
A single license for Crystal Builder, etc. is needed
Remote access is direct to VP Cloud environment
Cons
Additional customer charges for hosting and management of third-party apps
Approval required, as RDP Published Apps are no longer deployed by default in Viewpoint's cloud
NOTE: Some forthcoming Viewpoint Datacenter environments will have NO RDP access possible
NOTE: To use this method, special exemption approval must be granted by Viewpoint Cloud Product Management. Please contact your cloud support representative for more information.
Changelog
Tuesday, 12 December 2023 at 05:04PM:
Added note about SSRS Report Builder requiring IPSEC VPN
Monday, 24 October 2022 at 06:55PM:
Added note that IPSEC is possible in Option A, but ONLY for one client at a time as, for security reasons, a network level peering to a client's network should only be done for one customer at a time.
Tuesday, 06 September 2022 at 08:51PM:
Included a new, preferred option "A" for consultants to stand up their own, personally managed Azure Virtual Desktop with a static, public IP.
Added information on how to update the client to allow for Vista's client to show many more servers in the server dropdown list.
Wednesday, 09 February 2022 at 09:45AM:
Updated option "C" to include the reference to many:1 ratio for static IPs
Tuesday, 08 February 2022 at 09:49PM:
Significant rewriting of article, including revamping of options for consultant connectivity, cleaning up options see, and marking the client VPN to customer environment as the preferred option going forward.
Thursday, 16 December 2021 at 04:58PM:
Initial Posting