On-Premises Connector
The On-Premises Connector connects 9brains to systems in your company network through an encrypted WireGuard tunnel: databases, ERP systems, file servers or other internal services.
The connector is protocol-agnostic. Anything reachable via TCP works: databases, HTTP APIs, SMB file servers, LDAP and more.
Typical use cases:
- SQL queries against an internal PostgreSQL, MySQL or MS SQL database (via an integration or a skill)
- API calls to an internal ERP such as Odoo, SAP or Microsoft Dynamics (via a skill)
- Access to internal web applications such as Grafana or BI dashboards
- Connect your own tools that are reachable via TCP, in combination with a custom skill
Important: The On-Premises Connector establishes the network connection. For the AI to actively use an internal system, you additionally need a matching integration (e.g. PostgreSQL) or a skill that interacts with the system.
Note on file servers and NAS: Native indexing of internal SMB file servers or NAS systems as a searchable data source is part of the data sources roadmap and is not yet available. TCP connections to SMB hosts can already be established via the connector today, but indexing currently requires a custom skill.
Requirements
- You are an administrator in the workspace
- Your workspace has a Business or Max license
- Your firewall supports WireGuard (pfSense, OPNsense, Sophos, Fortinet, Unifi, MikroTik or similar)
- A UDP port on the firewall is reachable from the outside (default: 51820)
How it works
```
Your company network                        9brains Cloud
┌──────────────────────┐                    ┌──────────────────────┐
│                      │  WireGuard tunnel  │                      │
│  Database ───────────│═══════════════════►│── Integration/Skill  │
│  ERP system ─────────│═══════════════════►│── Code execution     │
│  File server ────────│═══════════════════►│── Data indexing      │
│                      │    (encrypted)     │                      │
└──────────────────────┘                    └──────────────────────┘
```

- You configure a WireGuard tunnel between your firewall and 9brains
- You set up services; each service points to an internal system (e.g. database on port 5432)
- You set up an integration or a skill that uses the service
- The AI can address the system through the encrypted tunnel
Important: The connection is outbound only: 9brains connects to your systems. Your network cannot initiate connections to us.
Create a tunnel
- Go to Settings → On-Premises Connector
- Click “Create tunnel”
- Fill in the fields:
| Field | Description |
|---|---|
| Name | A meaningful name (e.g. “Main site Munich”) |
| Endpoint | The public address of your firewall with the WireGuard port (e.g. vpn.mycompany.com:51820) |
| Peer Public Key | The WireGuard public key of your firewall, found in the WireGuard configuration of your firewall |
- Click “Save”
- A public key is displayed. Enter this key as a peer in your firewall
Configure the firewall
Add a new peer in the WireGuard configuration of your firewall:
| Field | Value |
|---|---|
| Public Key | The displayed public key from 9brains (copy button) |
| Allowed IPs | The displayed tunnel IP (e.g. 10.0.0.2/32) |
| Endpoint | Not required, 9brains initiates the connection |
Note: The exact configuration varies depending on the firewall vendor. Check your firewall’s documentation for the WireGuard peer configuration.
Add services
A service describes a specific system that is reachable through the tunnel.
- Open the tunnel in the detail view
- Click “Add service”
- Fill in the fields:
| Field | Description |
|---|---|
| Name | Display name (e.g. “ERP database”) |
| Remote host | The internal IP or the hostname of the target system (e.g. 192.168.10.5) |
| Remote port | The port of the target system (e.g. 5432 for PostgreSQL) |
| Protocol | Type of service (PostgreSQL, HTTP, SMB, LDAP etc.) |
| Description | What does this system contain? The AI sees this information in the chat |
- Click “Save”
- An assigned address is displayed. Use this address in the integration or the skill
Tip: Write a meaningful description. The AI uses this information to decide which system is relevant for a question. For example: “Contains revenue, customer and article data since 2019.”
Set up an integration or skill
After creating a service, you need an integration or a skill so that the AI can use the system.
Example: Internal PostgreSQL database
- Create a service (Remote host: 192.168.10.5, Remote port: 5432, Protocol: PostgreSQL)
- Note the assigned address (e.g. wg-gateway.production:12666)
- Go to Settings → Integrations and set up a PostgreSQL integration
- Use the assigned address as the host in the connection string
Example: Internal ERP system (API)
- Create a service (Remote host: 192.168.10.20, Remote port: 8080, Protocol: HTTP)
- Create a skill (e.g. with the skill builder assistant) that calls the API of the ERP system
- Use the assigned address as the API endpoint in the skill
Example: File server / NAS
- Create a service (Remote host: 192.168.10.30, Remote port: 445, Protocol: SMB)
- Create a custom skill that uses the assigned address as the SMB endpoint, retrieves files and makes them available to the AI as responses
Note: A native data source for SMB file servers with automatic indexing is part of the data sources roadmap and currently not yet available. Until then, the custom skill route is the only option to make files from the internal network accessible in the chat.
Test the connection
- In the tunnel detail view, click “Test connection”
- For each service it shows:
  - Reachable: Connection successful, latency in milliseconds
  - Not reachable: Connection failed, with error message
If a service is not reachable, check:
- Is the WireGuard tunnel active on your firewall?
- Is the target system switched on and reachable?
- Are the Allowed IPs correctly configured on the firewall?
- Does the firewall allow traffic from the WireGuard interface to the target system?
Security
- Encryption: All data is transmitted encrypted through the WireGuard tunnel using state-of-the-art cryptography
- Outbound only: The connection can only be initiated by 9brains; your network is not reachable from the outside
- Tenant isolation: Every workspace has its own tunnels and key pairs. Other workspaces cannot access your systems
- Minimal permissions: 9brains only accesses the explicitly configured services and has no access to other systems in your network
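
The "explicitly configured services only" boundary can also be enforced on your own firewall. The following is an added example, not 9brains code: it checks that the Allowed IPs of the 9brains peer contain only the tunnel IP and generates an nftables allowlist (rules for a forward chain) for the example services on this page. The interface name wg0, the wg-quick style sample config and all function names are assumptions.

```python
import ipaddress

# Constructed sample (wg-quick syntax); placeholder key, addresses are this page's examples.
SAMPLE_CONF = """
[Interface]
ListenPort = 51820

[Peer]
PublicKey = <PUBLIC-KEY-SHOWN-BY-9BRAINS>
AllowedIPs = 10.0.0.2/32, 192.168.10.0/24
"""
SERVICES = [("192.168.10.5", 5432), ("192.168.10.20", 8080), ("192.168.10.30", 445)]

def parse_peers(conf):
    """Return one dict of lower-cased keys per [Peer] section."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = {} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)  # maxsplit keeps base64 '=' padding
            cur[key.strip().lower()] = value.strip()
    return peers

def audit_peer(peer, tunnel_ip):
    """AllowedIPs of the 9brains peer should be exactly the tunnel /32."""
    expected = ipaddress.ip_network(f"{tunnel_ip}/32")
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("allowedips", "").split(",") if n.strip()]
    findings = [] if expected in nets else [f"{expected} missing from AllowedIPs"]
    findings += [f"extra AllowedIPs entry {n}: the peer may use it as a source address"
                 for n in nets if n != expected]
    return findings

def forward_rules(tunnel_ip, services, iface="wg0"):
    """nftables forward rules: configured services only, everything else dropped."""
    src = ipaddress.ip_address(tunnel_ip)
    rules = ["ct state established,related accept"]
    for host, port in services:
        dst = ipaddress.ip_address(host)  # rejects anything that is not an IP
        rules.append(f'iifname "{iface}" ip saddr {src} ip daddr {dst} '
                     f"tcp dport {int(port)} accept")
    return rules + [f'iifname "{iface}" drop']

if __name__ == "__main__":
    print(audit_peer(parse_peers(SAMPLE_CONF)[0], "10.0.0.2"))
    print("\n".join(forward_rules("10.0.0.2", SERVICES)))
```

On GUI-managed firewalls the same allowlist translates to one pass rule per service on the WireGuard interface, followed by a block rule for everything else.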
Common problems
Tunnel shows “Error” instead of “Connected”
- Firewall peer not configured: Enter the displayed public key as a peer in your firewall
- UDP port not reachable: Make sure that the WireGuard port (e.g. 51820) is reachable from the outside
- Wrong public key: Compare the peer public key in 9brains with the actual public key of your firewall
Service not reachable despite active tunnel
- Firewall rules: Check whether traffic from the WireGuard interface to the internal system is allowed
- Allowed IPs: The tunnel IP from 9brains must be in the Allowed IPs of the peer on your firewall
- Target system: The system must be switched on and listening on the specified port
Feature not visible
- The On-Premises Connector is only available with a Business license or higher
- Only administrators can configure tunnels and services