Connector software in your network

The connector software is the second way to connect your company network to 9brains. Instead of configuring the connection on your firewall, a small piece of software runs on a device in your network and builds the connection to 9brains on its own. This means it does not matter whether your firewall supports WireGuard, and you do not have to open any port.

For firewalls with WireGuard support, the firewall connection is usually the simpler choice. Both routes lead to the same result: internal services become reachable for the AI through an encrypted, outbound-only connection.


  • Your firewall does not support WireGuard (e.g. older Sophos UTM devices). The firewall stays completely untouched.
  • You only want to make a single machine reachable, for example a Mac or PC running a line-of-business application.
  • You want to get started quickly, without coordinating changes on the firewall.

  • You are an administrator in the workspace
  • Your workspace has a Business or Max license
  • A device in the network that stays switched on (computer, server, NAS or a VM) and can reach the internet
  • No open port and no firewall change is required; the connection is outbound only

Your company network                        9brains Cloud
┌──────────────────────┐                    ┌──────────────────────┐
│  ┌────────────────┐  │     encrypted      │                      │
│  │   Connector    │  │     connection     │── Integration/Skill  │
│  │   software     │──│═══════════════════►│── Code execution     │
│  └───────┬────────┘  │  (outbound only)   │── Data indexing      │
│  Database, ERP,      │                    │                      │
│  line-of-business... │                    │                      │
└──────────────────────┘                    └──────────────────────┘

The connector software registers with 9brains on its own. Through it, 9brains reaches exactly the services you release, and nothing else. Your network, in turn, cannot establish a connection to us.


When creating the connection you choose under “What should be reachable?” between:

  • “Only this machine”: The software runs directly on the target machine, that is, on the computer where the desired service lives. This is the most common case and works regardless of whether the machine has a fixed or a changing (DHCP) IP.
  • “Routing into the network”: The software runs on one device and makes several systems behind it reachable (an entire subnet). Suitable when you want to connect, for example, a database, ERP and file server through a single device.

  1. Go to Settings → On-Premises Connector
  2. Click “Create tunnel”
  3. Under Connection type, choose “Connector software in your network”
  4. Give it a name (e.g. “CAD machine engineering”)
  5. Under “What should be reachable?” choose the appropriate variant

After saving, 9brains shows you two steps:

  1. Download and install Tailscale on the target machine. The dialog contains the download links for macOS, Windows and Linux.
  2. Run the displayed command on the target machine. Copy it with the copy button and run it there in the terminal or the command prompt.

As soon as the command has finished, the connection appears as connected in the overview.

Is Tailscale already running on the machine? Then append --force-reauth to the command. This switches the machine into the 9brains network.

  1. Enter the network range (subnet) the connector should make reachable, e.g. 192.168.1.0/24. For a single machine, enter its IP as /32, e.g. 192.168.1.50/32.
  2. Click “Download connector”. You receive a ready-made docker-compose.yml.
  3. Start the file on a device in the network that runs Docker (VM, server or NAS) with docker compose up -d.

As soon as the connector is running, the connection appears in the overview.


A service describes a specific system (a port) that should be reachable through the connector.

  1. Open the connection in the detail view
  2. Click “Add service”
  3. Enter the data:
    • “Only this machine”: The port of the service is enough (e.g. 5432 for PostgreSQL). The target is the machine itself on which the connector runs.
    • “Routing into the network”: Additionally the remote host, that is the internal IP within the specified subnet (e.g. 192.168.1.50).
  4. After saving, an assigned address is displayed (e.g. wg-gateway.production:50798). You use this address in the integration or the skill.

For how to turn a service into a usable AI feature (PostgreSQL integration, ERP skill and more), see the Set up an integration or skill section of the overview.


  • Encryption: The connection is fully encrypted using modern cryptography
  • Outbound only: The software builds the connection outward. Your network is not reachable from the outside and no port needs to be opened
  • Tenant isolation: Every workspace has its own connection. Other workspaces cannot access your systems
  • Minimal permissions: 9brains only reaches the services you release, no access to other devices in your network

Tailscale is probably already running on the target machine (e.g. from a previous use). Append --force-reauth to the command, then the machine switches into the 9brains network.

Service not reachable although the connection is “connected”

  • Service only listens locally: Some programs are reachable only via localhost (127.0.0.1) out of the box. For the connector to reach them, the service must listen on all network addresses (often 0.0.0.0 in the program’s configuration).
  • Local firewall: A firewall on the target machine itself (e.g. the Windows firewall) can block the port. Release the port there.
  • Wrong port or host: Check the port and, for “Routing into the network”, the internal IP.
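
To tell the first cause apart from the other two on a Linux target machine, the following added example (not 9brains code) classifies how a port is bound, based on the output of ss -ltnH. The function names and the sample output are constructed for illustration.

```python
import ipaddress

WILDCARDS = {"0.0.0.0", "::", "*"}  # "listen on all network addresses"

# Constructed sample of `ss -ltnH` output (Linux); not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 244 [::1]:5432 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 192.168.1.50:8080 0.0.0.0:*
"""

def local_binds(ss_output, port):
    """Return the local addresses that have a TCP listener on `port`."""
    binds = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, found_port = fields[3].rpartition(":")
        if found_port != str(port):
            continue
        # Drop IPv6 brackets and an interface scope such as "%lo".
        binds.append(addr.strip("[]").split("%")[0])
    return binds

def classify(ss_output, port):
    """Classify the binding: reachable by the connector or localhost only."""
    binds = local_binds(ss_output, port)
    if not binds:
        return "not-listening"      # wrong port, or the service is down
    if any(a in WILDCARDS for a in binds):
        return "all-interfaces"     # binding is fine; check the local firewall
    if all(ipaddress.ip_address(a).is_loopback for a in binds):
        return "loopback-only"      # the connector cannot reach this service
    return "specific-address"       # bound to one non-loopback interface

if __name__ == "__main__":
    import subprocess, sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5432
    try:
        out = subprocess.run(["ss", "-ltnH"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS  # fall back to the constructed sample
    print(port, classify(out, port))
```

A service that reports all-interfaces answers on every network interface of the machine, so the local firewall rule for that port determines which hosts can actually reach it.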

The connection does not appear in the overview

  • The machine or device running the connector must be switched on and have internet access.
  • For the Docker variant: check with docker compose logs whether the connector has started.

With “Only this machine” you do not need to worry about this: the connector keeps a stable address even if the machine receives a new local IP via DHCP. With “Routing into the network” you reach the target systems via their internal IP, so it is best to assign fixed IPs or DHCP reservations there.

  • The On-Premises Connector is available from a Business license upwards.
  • Only administrators can configure connections and services.