Flow Production Tracking VPN

Warning:

Local installations of Flow Production Tracking are no longer offered. This documentation is intended only for those with existing instances of Flow Production Tracking Enterprise Docker. Click here for a list of our current offerings.

This article gives information about the Flow Production Tracking Client VPN, and why it is required in order for you to receive support.

It is intended for Flow Production Tracking System Administrators.

Remote support

Flow Production Tracking support is provided remotely. We will be accessing your servers over a VPN connection provided through a private OpenVPN server. Allowing Flow Production Tracking to access your server remotely guarantees you a higher level of support, because it allows our Support Team to investigate and address issues rapidly.

The OpenVPN client can be installed on any server, as long as that client can access all the servers in your Flow Production Tracking Cluster.

We will need to be able to access the server over SSH (TCP/22) and HTTP (TCP/80). We recommend setting up your server to “dial in” to our OpenVPN aggregation point. This will place your server in a virtual network that will allow the Flow Production Tracking Support Team to access it as necessary. The certificates needed to connect to our virtual network will be sent to you securely.

Please let us know in your setup support ticket the person on your end who should be receiving the OpenVPN configuration and setup guide.
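A check a system administrator might run on the server that dials in, shown as an added example (not part of the original article and not Autodesk tooling): it lists TCP listeners that members of the virtual network could reach beyond the SSH (TCP/22) and HTTP (TCP/80) access that support requires. The tunnel address 10.8.0.6, the interface name tun0 and the sample `ss` output are constructed assumptions; a host firewall may already block some of the ports it reports.

```shell
#!/bin/sh
# Added example, not vendor code.
# Reads `ss -Htln` output on stdin and prints every TCP port that is bound to
# a wildcard address or to the tunnel address, other than 22 and 80.
#   $1 = IPv4 address of the tunnel interface (assumption: looked up by the
#        admin, e.g. with `ip -4 addr show dev tun0`; tun0 is an assumed name)
tunnel_exposure() {
    awk -v tun="$1" '
        $1 == "LISTEN" {
            la = $4                          # local address:port column
            n = match(la, /:[0-9]+$/)        # port follows the last colon
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            port = substr(la, n + 1)
            # Only wildcard binds and binds on the tunnel IP face the VPN.
            if (addr != "0.0.0.0" && addr != "*" && addr != "[::]" && addr != tun)
                next
            # These two are what the support connection needs.
            if (port == "22" || port == "80") next
            if (!seen[port]++) print port    # report each port once
        }' | sort -n
}

# Constructed sample of `ss -Htln` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432    0.0.0.0:*
LISTEN 0 128  0.0.0.0:6379      0.0.0.0:*
LISTEN 0 128  [::]:22           [::]:*
LISTEN 0 4096 *:8080            *:*
LISTEN 0 128  10.8.0.6:9100     0.0.0.0:*
LISTEN 0 128  192.168.1.20:8443 0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a real host use:
#   ss -Htln | tunnel_exposure "<tunnel IPv4 address>"
sample_ss_output | tunnel_exposure 10.8.0.6
```

Each port printed is a candidate for binding to a specific non-tunnel address or for a drop rule on the tunnel interface.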

Architecture Overview

Flow Production Tracking OpenVPN for Enterprise clients is a secure connection that we use to provide continued support to clients with Flow Production Tracking installed in their on-premise environment. It is a key-driven, client-server SSL tunnel where your server acts as a client to our VPN aggregation point. Once your VPN client has established a secure key exchange and connection with our aggregation point, a virtual tunnel interface will be created on your server and it will act as a member of a virtual network. This virtual network is firewalled. It also black holes all traffic between members, so that another client server on the network will be unable to even see your server (and vice versa).

Flow Production Tracking Support personnel will connect to your server over this tunneled connection, coming from a different support network, which is allowed access into the client network by our firewalls.


Because Flow Production Tracking Support personnel have to use a similar key exchange process to gain access to the support network, it is very easy for us to revoke an individual’s access. This removes the need for our clients to support creating and revoking multiple VPN accounts for support purposes.

Access Control

Only specified support personnel are granted access to the Flow Production Tracking Client VPN. Access to the system is personalized by support person (unique login). To be granted access, one must:

Typically, Flow Production Tracking Support will be connecting to your servers from that jumpbox, using a common user/password. SSH keys are also supported. On demand, specific SSH keys per user are also supported, but this must be added to your customer agreement.

Users don't need to be connected to the VPN all the time. If they choose to, clients can connect only to receive support when needed. Please note that this could impact the responsiveness of the Support Team.

Monitoring and Auditing

Flow Production Tracking Client VPN is tightly secured, and all the activity around it is monitored. Monitoring measures include, but are not restricted to:

According to Autodesk policy, these logs cannot be made available to clients. However, in case of an incident, the Autodesk Security Team, who will have access to these logs, will work hand in hand with clients to work things out.

More information on the Flow Production Tracking Client VPN

More detailed information about the Flow Production Tracking VPN architecture can be provided on demand. This information is not available publicly for security reasons. Let us know in your setup support ticket if you require more information about OpenVPN.