Security details about 2-way integration of Microsoft Teams and Jira On-Premises.

All communication with Move Work Forward systems is TLS/SSL encrypted using an AWS managed certificate.

For 2-way integration to work, Move Work Forward's systems must be able to reach your Jira, which means:

  • your Jira DNS name should be resolvable, or you can use an IP address (we can add an entry to the DNS to resolve it).

  • your Jira, or any network appliances in between, permit connectivity on port 443 (SSL) from the Move Work Forward systems.

Things to know from the Jira side

  1. When Advanced Microsoft Teams Jira Connector is installed, it creates an Application Link for the Move Work Forward middleware system. This permits Jira components to call the external system.

    1. Important: you can delete the Application Link if you don’t plan to use 2-way integration.

    2. Important: the Application Link will be created (during user account mapping) if you later decide to use 2-way integration.

  2. When you register your Jira tenant (System → Microsoft Teams → Bot Settings → Register), Jira makes an API call to the Move Work Forward middleware system to register the tenant. For this call to work, outgoing Internet access from Jira to the Move Work Forward system must be permitted. The tenant registration call sends some of the security information the Move Work Forward systems need to connect to Jira, BUT not all of it. The missing part is sent after user account mapping.

  3. When registering, the URL must be accessible to Move Work Forward systems and to your users. It is the base Jira URL used for the various actions and API calls.

  4. When users map their Microsoft Teams and Jira accounts (using the connect command in the Microsoft Teams bot chat), they are redirected to a protected Jira page where they Allow/Deny the use of their Jira account for actions performed in Jira (act-on-behalf permission). During this step, the user keys are securely sent to the Move Work Forward system for encrypted storage. As a result, Move Work Forward holds the four keys required to act on behalf of the user in Jira.

  5. Our system will try to connect to your Jira and call the server info endpoint to verify that it can reach your Jira (this covers both network and authentication checks).

  6. If you need more details, please feel free to contact us.

Things to know from the Move Work Forward side

If you need the list of static IPs or domains of Move Work Forward systems please contact us.

  1. The sensitive information is sent over a TLS/SSL connection and encrypted at rest using AWS KMS managed, tenant-specific RSA256 keys.

  2. Only the CEO/Founder of Move Work Forward can access the production systems.

  3. Move Work Forward system stores the following data:

    1. Product info:

      1. host base URL

      2. Jira version

      3. consumerKey (encrypted)

      4. privateKey (encrypted)

      5. publicKey (encrypted)

    2. Connector info:

      1. version

    3. User info:

      1. accessToken (encrypted)

      2. userSecret (encrypted)

    4. Tenant mapping

      1. who mapped Jira to Microsoft Teams

      2. when the mapping has happened

  4. If you need to delete your data mapping in our system, please contact us.

Firewall configuration

You need to enable outgoing traffic to https://tenant.moveworkforward.net from your Jira nodes.

For the UI to load the Login to Microsoft Teams button, you need to make sure the end user machine can access the following domains/URLs:

https://api.moveworkforward.net/jira/jira-microsoft-teams-connector/bot-destination
https://microsoft-teams-jira-connector.moveworkforward.net
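The connectivity requirements above (resolvable DNS names, port 443 open, a valid TLS certificate) can be checked from a Jira node before registering the tenant. The following preflight script is an added example, not Move Work Forward's code; it uses only the Python standard library and the endpoint URLs listed on this page, and it assumes Python 3.9 or newer.

```python
"""Outbound-connectivity preflight for the Move Work Forward endpoints named on this page.
Added example (not vendor code): run it on a Jira node to confirm DNS resolution, a TCP
connection on port 443 and a validated TLS handshake for each host."""
import socket
import ssl
from urllib.parse import urlsplit

# Endpoints taken from the Firewall configuration section of this page.
REQUIRED_URLS = [
    "https://tenant.moveworkforward.net",                                                   # from Jira nodes
    "https://api.moveworkforward.net/jira/jira-microsoft-teams-connector/bot-destination",  # from end-user browsers
    "https://microsoft-teams-jira-connector.moveworkforward.net",                           # from end-user browsers
]

def endpoint_of(url: str) -> tuple[str, int]:
    """Return (hostname, port) for an https:// URL; the port defaults to 443 as the page requires."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    return parts.hostname, parts.port or 443

def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run the three checks a firewall/DNS review needs: resolve, connect, validated TLS handshake.
    Each stage is recorded separately so a failure points at the layer that blocks the integration."""
    result = {"host": host, "port": port, "resolved": False, "tcp": False, "tls": False, "error": None}
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        result["resolved"] = True
        result["addresses"] = sorted({a[4][0] for a in addrs})
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"  # name not resolvable: fix DNS or use an IP address
        return result
    ctx = ssl.create_default_context()   # verifies the server certificate against the system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["tls_version"] = tls.version()
    except ssl.SSLError as exc:          # must precede OSError: SSLError is a subclass of it
        result["error"] = f"TLS: {exc}"  # e.g. an intercepting proxy presenting its own certificate
    except OSError as exc:
        result["error"] = f"TCP: {exc}"  # e.g. port 443 blocked by a network appliance
    return result

def preflight(urls=REQUIRED_URLS, timeout: float = 5.0) -> list[dict]:
    """Check every distinct endpoint once and return the per-host results."""
    return [check_endpoint(h, p, timeout) for h, p in sorted({endpoint_of(u) for u in urls})]

if __name__ == "__main__":
    for r in preflight():
        print(f"{'OK' if r['tls'] else 'FAIL':4} {r['host']}:{r['port']} resolved={r['resolved']} "
              f"tcp={r['tcp']} tls={r['tls']} {r['error'] or ''}")
```

Run it once from a Jira node and once from an end-user workstation, since the page requires the first URL from the former and the other two from the latter.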


Infrastructure

Move Work Forward system is deployed in the US-EAST-1 region of AWS. Our system is 100% Serverless, so we rely on Amazon for all security patches at the OS level.

We use the following AWS components:

  • AWS Lambda

  • AWS API Gateway

  • AWS Key Management Service

  • AWS Certificate Manager

  • AWS DynamoDB

  • AWS SQS

  • AWS SNS

  • AWS CloudWatch

  • AWS IAM

  • AWS Route 53

  • AWS VPC

  • AWS Global Accelerator

  • AWS CloudFront

  • AWS Network Gateways and NAT Gateways

If you need our infra to be deployed to another region, please let us know.
