
Architecture: CylanceGATEWAY

The CylanceGATEWAY architecture is designed to help you protect users' devices and your extended network from threats. The following diagrams show the architecture of CylanceGATEWAY in its two modes of operation.
  • Work Mode: Work Mode creates a secure tunnel from devices, through the CylanceGATEWAY cloud services, to network resources and protects all of the traffic on that path.
  • Safe Mode: Safe Mode extends the tenant's ACL rules and endpoint protection to macOS and Windows devices. When enabled, Safe Mode automatically takes effect when Work Mode is disabled, ensuring that devices are always protected.
CylanceGATEWAY: Work Mode enabled
Diagram showing the components used by CylanceGATEWAY.

CylanceGATEWAY: Safe Mode enabled for users on the private network (for example, users in the office on the corporate network)
Diagram showing the components used by CylanceGATEWAY when Safe Mode is enabled.

CylanceGATEWAY: Safe Mode enabled for users on a remote network (for example, a user who is traveling)
Diagram showing the components used by CylanceGATEWAY when Safe Mode is enabled for users on a remote network (for example, a user who is traveling).
Components

CylanceGATEWAY cloud services
  CylanceGATEWAY is a cloud-based service that provides Zero Trust Network Access, giving your users access to your extended network perimeter while protecting devices and your extended network from threats.
  The CylanceGATEWAY cloud services use machine learning to continuously evaluate network connections. A network anomaly event is detected when a CylanceGATEWAY user attempts to connect to a destination that might be suspicious or contain malicious content. Detected anomalies can block access to a destination based on the risk threshold configured for your environment.

Management console
  The cloud-based management console allows you to configure, manage, and monitor CylanceGATEWAY and the connections made through it.

CylanceGATEWAY Connector
  The CylanceGATEWAY Connector is an optional component that you can install behind your firewall and in private networks to establish a secure tunnel between the CylanceGATEWAY services and one of your private networks. The CylanceGATEWAY Connector allows users to communicate with content and application servers behind your firewall using CylanceGATEWAY instead of a traditional VPN.

BlackBerry Connectivity Node
  The BlackBerry Connectivity Node is an optional component that allows Cylance Endpoint Security to synchronize users and groups with your on-premises Microsoft Active Directory or LDAP directory. Cylance Endpoint Security can synchronize users and groups with Microsoft Entra ID without the BlackBerry Connectivity Node.
  If you have multiple instances of the BlackBerry Connectivity Node for redundancy, all of the directory connections must be configured identically in every instance. For more information, see Installing the BlackBerry Connectivity Node.

Mobile devices with the CylancePROTECT Mobile app
  CylanceGATEWAY supports iOS and Android devices. The CylancePROTECT Mobile app installed on mobile devices sends Internet traffic through a secure tunnel to the CylanceGATEWAY cloud services. Users can enable and disable Work Mode to specify whether data traffic uses the tunnel to the CylanceGATEWAY cloud services.
Desktop devices with the CylanceGATEWAY agent
  CylanceGATEWAY supports macOS and Windows 10 and 11 devices. CylanceGATEWAY has two modes of operation:
  • With Work Mode, the CylanceGATEWAY agent sends network traffic through a secure tunnel to the CylanceGATEWAY cloud services. Users can enable and disable Work Mode to specify whether data traffic uses the tunnel.
  • With Safe Mode, CylanceGATEWAY blocks apps and users from accessing potentially malicious destinations and enforces an acceptable use policy (AUP) by intercepting DNS requests. The CylanceGATEWAY cloud evaluates each DNS query against the configured ACL rules and network protection settings, and then instructs the agent to allow or block the request in real time. If allowed, the DNS request completes normally over the bearer network. Otherwise, the CylanceGATEWAY agent overrides the normal response to prevent access.
    When Safe Mode is enabled, users that are on the private network (for example, in the office) can access resources on your private network. Users on remote networks will not have access to resources on your private network.
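The Safe Mode flow described above, modelled as an added example. This is illustrative code written for this page, not BlackBerry's agent or cloud implementation. It assumes a simplified policy model: the network protection check (a constructed stand-in for the vendor-maintained malicious destination list) runs first, then ordered ACL rules where the first matching rule wins, with a default of allow; a blocked query is answered by the "agent" with a synthesized NXDOMAIN response. The sample domains, rules and DNS packets are all constructed here.

```python
"""Illustrative model of Safe Mode-style DNS policy evaluation (added example).

Cloud side: decide allow/block for a query name from constructed ACL rules and a
constructed malicious-destination list. Agent side: parse the DNS query, ask for
the decision, and either let the query through unchanged or override the
response. Rule ordering, default-allow and the NXDOMAIN override are assumptions
made for this illustration, not documented product behaviour.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    domain: str   # matches the domain itself and any subdomain of it
    action: str   # "allow" or "block"


# Constructed sample tenant policy (assumption: evaluated in order, first match wins).
ACL_RULES: List[AclRule] = [
    AclRule("intranet.example.com", "allow"),
    AclRule("gambling.example.net", "block"),   # acceptable use policy entry
]

# Constructed stand-in for the vendor-maintained list of known malicious destinations.
MALICIOUS_DESTINATIONS = {"malware.example.org"}


def domain_matches(qname: str, rule_domain: str) -> bool:
    """True if qname equals rule_domain or is a subdomain of it (case-insensitive)."""
    qname = qname.rstrip(".").lower()
    rule_domain = rule_domain.rstrip(".").lower()
    return qname == rule_domain or qname.endswith("." + rule_domain)


def evaluate_query(qname: str) -> Tuple[str, str]:
    """Cloud-side decision: returns (action, reason).

    Assumption: network protection (malicious destinations) is checked before the
    tenant ACL rules, and an unmatched name is allowed.
    """
    for bad in sorted(MALICIOUS_DESTINATIONS):
        if domain_matches(qname, bad):
            return "block", f"malicious:{bad}"
    for rule in ACL_RULES:
        if domain_matches(qname, rule.domain):
            return rule.action, f"acl:{rule.domain}"
    return "allow", "default"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query (one A/IN question, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Extract the first question name (question sections are never compressed)."""
    labels = []
    pos = 12   # fixed 12-byte DNS header
    while packet[pos] != 0:
        length = packet[pos]
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def override_response(query: bytes) -> bytes:
    """Agent-side override for a blocked query: same transaction ID and question,
    QR/RD/RA flags set and RCODE=3 (NXDOMAIN), no answer records."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | 0x0003
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def rcode(packet: bytes) -> int:
    """Return the RCODE field of a DNS message."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def handle_query(query: bytes) -> Tuple[str, Optional[bytes]]:
    """Agent flow: evaluate the query; None means 'let it complete normally over the
    bearer network', otherwise the synthesized override response is returned."""
    qname = parse_qname(query)
    action, reason = evaluate_query(qname)
    if action == "allow":
        return reason, None
    return reason, override_response(query)


if __name__ == "__main__":
    for name in ("wiki.intranet.example.com", "gambling.example.net",
                 "cdn.malware.example.org", "example.com"):
        reason, resp = handle_query(build_query(name))
        verdict = "allowed" if resp is None else f"blocked (rcode={rcode(resp)})"
        print(f"{name:30} {verdict:18} reason={reason}")
```

The split between `evaluate_query` (the policy decision) and `handle_query` (the enforcement point that only ever sees a verdict) mirrors the division of labour the text describes between the cloud service and the on-device agent.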
SaaS applications
  Software-as-a-Service applications provide cloud-based enterprise software, making apps and data available to users on multiple devices. Applications and data reside mostly on cloud-based servers managed by the vendor, easing deployment and reducing on-premises infrastructure costs, but requiring security measures that extend beyond firewalls and other perimeter-based security methods.
  CylanceGATEWAY can help secure user access to SaaS applications without requiring traffic to route through your organization's private network by enabling source IP pinning.

Internet destinations
  Public Internet destinations include any website, SaaS application, or other entity with an IP address that a client app can connect to over the Internet. BlackBerry maintains an ever-growing list of destinations that are known to be malicious. CylanceGATEWAY can block apps on devices from connecting to destinations on the list.
  If you enable split tunneling, traffic between devices and safe public sites that you specify can go directly over the Internet instead of through CylanceGATEWAY.