MyWorkDrive Cloudflare® Tunneling Integration

Introduction

Our MyWorkDrive File Remote Access Server web portal can be easily integrated with Cloudflare® Tunnel services to automatically provide a secure web address without exposing the MyWorkDrive server to the internet or provisioning security appliances. The public Internet does its best to deliver your content — but it can’t account for network congestion, leading to slow load times and a degraded end-user experience. By simply enabling Cloudflare Argo to proxy DNS name resolution for a host, real-time network congestion and routing of web traffic across the fastest and most reliable network paths is automatic. On average, web sites perform 30% faster. Optionally customers may also utilize Argo Tunneling to reverse proxy traffic through an Argo tunnel agent. While large enterprise customers may wish to use their own direct connection (with their own hostname/SSL Certificate) and manage their own Office Online server, by utilizing our integration with Cloudflare’s Argo and tunnel service the same or better network speeds, security and compliance objectives can be more easily achieved by companies of any size.

Benefits Overview

Using a lightweight agent installed on the MyWorkDrive Server, Cloudflare Argo Tunnel creates an encrypted tunnel between the nearest Cloudflare data center and the MyWorkDrive server without opening a public inbound port. This offers an additional layer of protection to keep the MyWorkDrive server website available by protecting the IP address from exposure and DDoS attacks. Starting with Version 5.4 MyWorkDrive integration is easy, simply enable our Cloud Web Connector or Office 365 Online integration.

Argo Smart routing

Automatically routes traffic around network congestion to improve performance and reduce latency. The Cloudflare network routes over 10 trillion global requests per month — providing Cloudflare Tunneling a unique vantage point to detect real-time congestion and route web traffic across the fastest and most reliable network path.

Improved Security

The built in Web Application Firewall (WAF) features protect again Cross-Site Scripting, SQL Injection, Cross-Site Request Forgery and the OWASP Security rule set at the edge, protecting your MyWorkDrive website from the OWASP top-10 vulnerabilities at all times. By utilizing the Cloudflare Tunneling service an A+ rating on Qualys SSL Labs SSL Scan is achieved instantly with no manual configuration or lockdown of IIS protocols needed. Cloudflare’s Web Application Firewall (WAF) is PCI compliant which enables customers to achieve PCI requirement 6.6 instantly when enabled alongside MyWorkDrive.

Denial of Service Protection

DDoS stands for Distributed Denial of Service and is a term used to describe attacks on the Network, Transport, and Application layers of the Open Systems Interconnection (OSI) model. Attacks at the Network, Application and IP layer are automatically dropped at the Cloudflare network before ever reaching your MyWorkDrive Server.

Automatic SSL Installation

MyWorkDrive server automatically provisions and deprovisions unique SSL Certificates for use exclusively by each MyWorkDrive server. The SSL integration between the MyWorkDrive Server and Cloudflare Argo Tunneling is automatic, and ensures your website is encrypted from end-to-end without exposing your servers to the internet or managing SSL Certificates and firewall rules.

How it works

Argo tunnel works by installing an agent on each Windows IIS Web Server. The tunnel agent is configured to connect to a local port and makes a secure connection outbound on TCP port 7844 to the Cloudflare networks. No inbound firewall ports need be exposed. Next a host is created and configured in Cloudflare to relay inbound requests to the internal host (the origin). In advanced configurations internal origin hosts can be configured for failover and load balancing. Cloudflare Argo requires TCP port 7844 outbound from your server to Cloudflare IP’s.

Get Started

New! As of version 6.4, there are no file size limits when using the Cloud Web Connector. The earlier 200MB Limit (6.1.1 and later) or 100MB Limit (5.4 – 6.0.2) no longer applies.

For earlier versions,
Starting with Version 5.4 of MyWorkDrive Cloudflare tunnels are configured automatically for you when our Cloud Web Connector or Office 365 Online services are enabled with a 100 MB file size limit restricted to our MyWorkDrive.net domain. With version 6.1.1 and later, the file size limit is raised to 200MB.

You may still wish to create your own Cloudflare tunnels to take advantage of other Cloudflare security features, or be able to manage your own WAF and settings. The Cloudflare Argo documentation here has complete details.

Running your own Cloudflare with MyWorkDrive

Two important notes to be aware of when running your own Cloudflare tunnels with MyWorkDrive.

Running you own Alongside MyWorkDrive

MyWorkDrive sets the Argo/Cloudflare service to use the location c:\wanpath\wanpath.data\settings for the cloudflare yml, pem and/or json files (the exact files you will have depend on if you are using named tunnels or not).

There are two options to running your own tunnel on a MyWorkDrive server

Utilizing the MyWorkDrive default paths

The first would be to utilize those locations for your files as well. Note that they will be overwritten on each upgrade, so keep a backup of those files to restore after upgrading MyWorkDrive. Restore them before starting the Argo/Cloudflare service.

 

Creating your own service

Alternately, you may find it easier to create a second Cloudflare service, so you can run both. That way your paths/service are never overwritten (and you can even run both if you need/want).

These instructions assume you have already installed MyworkDrive and have a Cloudflare service in services.

They also assume you’re using the path c:\cloudflare for your cloudflare executable and files. If you’ve stored them in another location, update these instructions as appropriate.

1) Update ImagePath HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared with your ImagePath:
C:\Cloudflare\cloudflared.exe –config C:\Cloudflare\cloudflared.yml tunnel run

2) Rename: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cloudflared to Cloudflared2

3) Rename HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Cloudflared to Cloudflare2

You’ll then be running on your own credentials and installer path.

When you re-install MyWorkDrive it will re-create a cloudflared service on our paths, which you can safely ignore if you are only running your own instance of Cloudflare.

If you want to run Office Online editing alongside your own Cloudflare, go configure Office Online in MyWorkDrive after you’ve re-installed MyWorkDrive and re-created our default Cloudflare service.

Monitoring your WAF

The Cloudflare WAF may occasionally false positive on the MyWorkDrive API for Map Drive clients or Office Online editing, and result in unexpected file operations such as files not opening, files not saving or files being corrupted on save.
If you are using the Cloudflare WAF, you are encouraged to monitor the log activity in Cloudflare and adjust rules to avoid data corruption. In particular, the OWASP package.