Refer to these Frequently Asked Questions (FAQ) to better understand how the Vault Gateway works.
How secure is the connection from the Vault Gateway to the Vault Server?
The local agent, installed on the Vault server, makes a secure connection to the Vault Gateway service using the HTTPS protocol.
What information is stored in the Vault Gateway?
Vault data is not stored in the Vault Gateway.
What Vault authentication methods can be used with Vault Gateway?
A Vault account or Autodesk ID must be used to connect to a Vault Server through the Vault Gateway. Windows Authentication will not work through the Vault Gateway.
What kind of Denial-of-Service attack protection is in the Vault Gateway service?
The Vault Gateway service limits the number of requests that can be made to each Vault server per period of time (for example, per minute).
How do I get a license if I use the Vault Gateway and am not on my network?
If you are using network licenses, your users will need to borrow a license, or you will have to make the license manager reachable on the internet.
Can I use SSO with Vault Gateway?
Autodesk ID can be integrated with a company's Active Directory using Autodesk SSO. See About Single Sign-on (SSO).
What are the password requirements needed to use Vault-authenticated accounts with the Vault Gateway?
All passwords must be a minimum of eight characters, with at least one letter and one number. Blank passwords are blocked from using the Vault Gateway.
Is data encrypted during transit?
Yes. The Vault Gateway connection uses the HTTPS protocol for communications.
Can we limit who can use the Vault Gateway service?
Any user with the Vault Gateway URL and a Vault account can use the connection.
What has to be installed on the client workstations to use the Vault Gateway?
Additional software is not required to use the Vault Gateway.
Will all Vault clients and add-ins be able to use the Vault Gateway?
All clients, excluding the Vault Thin Client, can use the Vault Gateway.
Does the Vault Gateway support multifactor authentication?
Multifactor authentication can be used if the Autodesk ID is integrated with the company's SSO service. See About Single Sign-on (SSO).
Can this be put on a different server in the DMZ and communicate with our Vault client on-prem?
No, it is a part of the Vault Server (ADMS Console).
Reporting - Can we tell where users are connecting from (regions as an example)?
Not currently. All users connecting to the Vault Server will show in the Audit log connecting from "127.0.0.1". We are planning to enhance this in a future release.
Are there other IP type restrictions that we could implement to make this more controllable on our end?
No.
How is the Vault Gateway itself secured?
The Vault Gateway cloud service uses Autodesk CloudOS and is built with Autodesk Forge security best practices. All traffic to and from the Vault Gateway is encrypted.
Is the Vault Gateway located within the continental US?
Service locations originate in the continental United States and Europe (Ireland).
Can the location of the Vault Gateway be configured?
Yes, this is chosen when the Admin configures the Vault Gateway.
Does the Vault Gateway store any data or metadata?
Vault data is not stored in the Vault Gateway. The data simply passes through the gateway.
Does the gateway mechanism support integration with OKTA identity management?
Autodesk ID supports MFA (Multifactor Authentication), and also supports SSO (Single Sign-on) with third-party systems, including OKTA, and this would work for Vault Gateway as well.
Is it a single-tenant environment, for example where each customer receives a dedicated cloud virtual machine?
There are no "cloud virtual machines" created for each gateway. A gateway is a logical construct, with many gateways served by a single cloud application.
Does Autodesk perform any penetration or vulnerability testing on Vault Gateway?
Autodesk performs standard security testing that complies with industry best practices.
What are the Vault Server firewall requirements to connect to the Vault Gateway?
The Vault Server needs outbound HTTPS access to the internet to connect to the service. Inbound ports do not have to be opened in the firewall to use the Vault Gateway.
To allow the Vault Server to connect through the firewall, allow outbound HTTPS traffic to *.autodesk.com.