ArchiCAD BIMcloud SSL Proxy Howto

Here's one way to set up a SSL reverse proxy to provide secure external access to your ArchiCAD teamwork projects. This is a good alternative for VPN if you don't have complete control over the endpoint. I haven't found any documentation from Graphisoft on this subject so unfortunately there's no way to validate if any of this is up to spec, but, "it works"...

To make things more interesting, this scenario will cover ArchiCAD 19 and 21 projects, hosted on two separate servers. The goal is to provide our external ArchiCAD users with access our BIMcloud server at https://bim.example.com and from there on our ArchiCAD 21 BIMserver module at https://bim.example.com:21001.

This setup doesn't interrupt your current local ArchiCAD users (ie you don't have reconfigure all your local users after implementing this).

The general outline of the process:

  • Add the public URLs to your BIMcloud/server configuration
  • Configure the proxy server to forward SSL traffic to the BIMcloud/servers
  • Configure public DNS to include the necessary hostnames
  • Configure firewall to allow and redirect the public traffic to the new proxy

Let's get cooking...

Ingredients

  • A BIMcloud manager running on http://bim.example.com:19000 (A)
  • A BIMserver ArchiCAD 19 module running on http://bim.example.com:19001, paired with A
  • A BIMserver ArchiCAD 21 module running on http://ac21.example.com:21001, paired with A
  • nginx installed and running in your DMZ

Secret names

In BIMcloud 21 it's possible to define multiple URLs to access a given BIM server. We will take advantage of this feature to map our public hostnames and secure URLs with our private names and insecure URLs.

You will need public DNS records for all the BIMcloud servers involved, but the names don't necessarily have to be the same as in your private DNS - they can be anything you like, as long as they're listed in the "Alternate addresses" - list of the corresponding server. If you're already using FQDNs (not .local or .lan, etc) on your LAN, then I would recommend also using the same names publicly, for clarity's sake.

  • Open http://bim.example.com:19000 and navigate to Servers > BIMcloud Manager > Connection settings
  • Edit > Alternative addresses and lookup order > add https://bim.example.com and save your changes. You can put whatever you want here, just as long as your external users can resolve those addresses...

Unfortunately, the BIMcloud/server relationship is not completely transparent - the client has to be able to connect to the final server where the project (and necessary libraries) is hosted. Knowing that, let's add the external addresses to our ArchiCAD 21 BIMserver:

  • Select the server in the BIMcloud manager > Alternative addresses and lookup order > add https://ac21.example.com:21001 and save your changes

Pro tip: Use ArchiCAD's Network Diagnostics tool to verify that the client is actually receiving the new addresses from the server. Notice how you get an error for the public addresses - this is to be expected, because the external traffic will be routed differently than our internal ArchiCAD clients. If you want your local clients to also use HTTPS, just install the SSL proxy on the same host as your BIMcloud manager.

Proxy configuration

Setting up the actual nginx reverse proxy that will take our SSL traffic and forward it to the corresponding internal BIMcloud/server is probably the most straight-forward part of the entire operation:

Firewall configuration

Finally, poke some redirects into your firewall to forward 443 and 21001 to the proxy web server. Test the setup via a 4G modem and make sure you also test opening the ArchiCAD project (making sure you can access both the BIMcloud management and BIMserver hosting the project).

PS. I would like to thank the excellent Charles Proxy which proved extremely useful in figuring out what ArchICAD was doing under the hood.