TeamOne Proxy Server

The TeamOne Proxy Server is a customer-managed component that allows the TeamOne Google Sheets add-on to securely connect to customer IBM Planning Analytics / TM1 environments.

It is commonly used when IBM Planning Analytics / TM1 is not directly accessible from the user’s browser, when the customer wants to control all traffic between Google Sheets and IBM Planning Analytics through their own network, or when TeamOne needs to support SSO login from Google Sheets.

The TeamOne Proxy Server does not replace IBM Planning Analytics security. Users are still authenticated and authorized according to the customer’s IBM Planning Analytics / TM1 configuration.

Detailed installation and configuration instructions are provided separately as part of the TeamOne Welcome Kit.

If you have questions about the recommended architecture for your environment, please contact us at teamone@succeedium.com.

High-level request flow

At a high level, TeamOne uses the following request flow:

```text
Google Sheets / TeamOne Add-on
        ↓
TeamOne Proxy Server
        ↓
IBM Planning Analytics / TM1 REST API
```

The TeamOne Proxy Server forwards requests only to approved IBM Planning Analytics / TM1 hosts, based on the customer’s configuration and network rules.

Deployment locations

The TeamOne Proxy Server can be deployed in a customer-managed cloud environment or on-premises.

Customer cloud deployment

Most TeamOne Proxy Server deployments are installed on customer-managed cloud infrastructure, such as:

  • AWS EC2
  • Azure VM
  • GCP VM
  • other customer-managed cloud infrastructure

On-premises deployment

The TeamOne Proxy Server can also be installed on a customer-managed Linux server or virtual machine inside the corporate network.

In both cloud and on-premises deployments, two network requirements must be satisfied:

```text
User browser / Google Sheets → TeamOne Proxy Server
TeamOne Proxy Server → IBM Planning Analytics / TM1
```

The user’s browser must be able to reach the TeamOne Proxy Server endpoint, and the TeamOne Proxy Server must be able to reach the approved IBM Planning Analytics / TM1 hosts and ports.

Public address-space requirement

Modern browser security controls, including Chrome Local Network Access, may require the TeamOne Proxy Server endpoint to be reachable using a public address-space IP.

This does not mean the TeamOne Proxy Server must be open to the entire internet.

A public address-space IP can still be protected using standard network controls, such as:

  • corporate VPN
  • Zscaler or another secure access gateway
  • firewall rules
  • AWS Security Groups
  • load balancer policies
  • approved corporate source IP ranges

The key requirement is that the TeamOne Proxy Server endpoint must resolve to an IP address that the browser treats as public address space. This may be a public cloud IP address, such as an AWS Elastic IP, or another public address-space IP approved by the customer’s network team.

Carrier-Grade NAT (CGNAT) and private/internal IP ranges are not sufficient for this browser requirement.

More details about this requirement are available here.
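
As an added example (not part of the TeamOne package or its documentation), the Python sketch below classifies the addresses an endpoint resolves to and reports any that fall in loopback, private, link-local or CGNAT ranges. The range list is an assumption built from the statement above plus the standard reserved ranges, and the sample records are constructed.

```python
import ipaddress
import socket

# ASSUMPTION: ranges counted as non-public follow the statement above
# (private/internal and CGNAT are not sufficient) plus standard reserved ranges.
NON_PUBLIC = {
    "loopback": ["127.0.0.0/8", "::1/128"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "cgnat": ["100.64.0.0/10"],
}

def classify(addr):
    """Return 'public' or the name of the non-public range addr falls in."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d hides an IPv4 address
    if mapped is not None:
        ip = mapped
    for label, nets in NON_PUBLIC.items():
        for net in map(ipaddress.ip_network, nets):
            if ip.version == net.version and ip in net:
                return label
    return "public"

def non_public_records(addresses):
    """Map every address that is not public to its range name."""
    found = {}
    for addr in addresses:
        label = classify(addr)
        if label != "public":
            found[addr] = label
    return found

def resolve(host, port=443):
    """Addresses the local resolver returns for host (needs DNS access)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

# Constructed sample records; 203.0.113.10 is a documentation address standing
# in for a public cloud IP such as an Elastic IP.
SAMPLE_RECORDS = ["203.0.113.10", "100.64.12.7", "10.20.0.5", "::ffff:192.168.1.10"]

if __name__ == "__main__":
    for addr, label in non_public_records(SAMPLE_RECORDS).items():
        print(f"{addr}: {label} range, will not satisfy the browser requirement")
```

Run `non_public_records(resolve(...))` from a client on the same network path as the users, because split-horizon DNS can return a different record inside the corporate network than outside it.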

TLS / SSL deployment options

The TeamOne Proxy Server supports two common SSL certificate deployment models. The right option depends on the customer’s network design and certificate management standards.

Option 1 — SSL certificate managed on the TeamOne Proxy Server

In this option, the TeamOne Proxy Server handles HTTPS directly.

```text
Browser / Google Sheets
        ↓ HTTPS
TeamOne Proxy Server
        ↓
IBM Planning Analytics / TM1
```

Use this option when:

  • a standalone cloud or on-premises server is used
  • there is no load balancer handling SSL

In this model, the customer installs and renews the SSL certificate files on the TeamOne Proxy Server.

Option 2 — SSL certificate managed at the load balancer

In this option, HTTPS is handled by the customer’s load balancer or network layer. The TeamOne Proxy Server receives trusted internal HTTP traffic from the load balancer.

```text
Browser / Google Sheets
        ↓ HTTPS
Load Balancer
        ↓ HTTP
TeamOne Proxy Server
        ↓
IBM Planning Analytics / TM1
```

Use this option when:

  • the customer already uses a corporate or cloud load balancer
  • certificate management is centralized
  • AWS Certificate Manager or another enterprise certificate process is preferred

In this model, the customer manages the SSL certificate and renewals at the load balancer level. The TeamOne Proxy Server still handles browser preflight requests, rate limiting, request filtering, and forwarding to IBM Planning Analytics / TM1.

By default, this mode expects the load balancer to forward HTTP traffic to the TeamOne Proxy Server on port 80. If the customer’s load balancer uses a different internal target port, the TeamOne Proxy Server configuration can be adjusted accordingly.

Configuration templates

The TeamOne installation package includes example configuration templates for both SSL deployment models:

```text
config/nginx-https.conf.example
config/nginx-http-behind-lb.conf.example
```

The selected template is copied to the active configuration file:

```text
config/default.conf
```

Detailed steps for selecting and applying the correct template are provided in the TeamOne Welcome Kit.

Network and security controls

The TeamOne Proxy Server should be deployed with both network-level and application-level controls.

The recommended access model is:

```text
Inbound:
Approved users / corporate network / VPN / Zscaler
        ↓
TeamOne Proxy Server

Outbound:
TeamOne Proxy Server
        ↓
Approved IBM Planning Analytics / TM1 hosts and ports only
```

Inbound access should be restricted to approved users or approved corporate network paths where possible. Outbound access should be restricted to the IBM Planning Analytics / TM1 hosts and ports that TeamOne is expected to use.

The TeamOne Proxy Server also includes application-level allowed host controls:

```env
PROXY_ALLOWED_HOST_PATTERN=
PROXY_OAUTH_ALLOWED_HOST_PATTERN=
```

PROXY_ALLOWED_HOST_PATTERN controls which IBM Planning Analytics / TM1 hosts the proxy can forward requests to.

Example:

```env
PROXY_ALLOWED_HOST_PATTERN=tm1-prod.company.com,tm1-dev.company.com
```

Wildcard patterns can also be used for trusted internal domains:

```env
PROXY_ALLOWED_HOST_PATTERN=*.company.internal
```

PROXY_OAUTH_ALLOWED_HOST_PATTERN controls which OAuth/SSO gateway hosts can be used by the OAuth endpoints.

Example for IBM Planning Analytics Cloud:

```env
PROXY_OAUTH_ALLOWED_HOST_PATTERN=*.planning-analytics.ibmcloud.com
```

Example for IBM Planning Analytics Local with Cognos SSO:

```env
PROXY_OAUTH_ALLOWED_HOST_PATTERN=cognos.company.com
```

If SSO/OAuth is not used, this setting can be configured to a non-matching placeholder value to prevent unwanted OAuth redirection:

```env
PROXY_OAUTH_ALLOWED_HOST_PATTERN=disabled.local
```
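
The following added example (not TeamOne's code) lints an allowed-host value and tests hostnames against it before the value goes into the proxy configuration. The matching rule is an assumption, since this page does not define how the proxy evaluates `*`: here `*` stands for one or more hostname characters and the whole name must match. The function names and sample values are constructed for illustration.

```python
import re

def parse_patterns(value):
    """Split the comma-separated setting into lowercase patterns."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]

def to_regex(pattern):
    # ASSUMPTION: '*' means one or more hostname characters (dots included)
    # and the whole hostname must match; the proxy's own matcher may differ.
    return re.compile("[a-z0-9.-]+".join(re.escape(s) for s in pattern.split("*")))

def allowed(host, value):
    """True if host fully matches at least one pattern in value."""
    host = host.strip().lower().rstrip(".")
    return any(to_regex(p).fullmatch(host) for p in parse_patterns(value))

def lint(value):
    """Return warnings for patterns broader than a reviewer would expect."""
    patterns = parse_patterns(value)
    if not patterns:
        return ["empty value: no host is named explicitly"]
    warnings = []
    for p in patterns:
        labels = p.split(".")
        if "*" not in p:
            continue
        if set(p) <= {"*", "."}:
            warnings.append(f"{p}: matches every host")
        elif any("*" in label for label in labels[1:]):
            warnings.append(f"{p}: wildcard outside the leftmost label")
        elif labels[0] != "*":
            warnings.append(f"{p}: partial-label wildcard, review what else it matches")
        elif len(labels) < 3:
            warnings.append(f"{p}: wildcard spans an entire top-level domain")
    return warnings

# Constructed review input: the first two values are forms shown on this page,
# the rest are made-up mistakes a reviewer should catch.
SAMPLES = ["tm1-prod.company.com,tm1-dev.company.com", "*.company.internal",
           "*", "*.com", "tm1.*", "*company.internal"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r}: {lint(value) or 'ok'}")
```

A clean lint result only says the pattern is narrow under the assumed rule; confirm the proxy's actual behaviour by requesting a host that should be rejected and checking that it is.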

Recommended security practices include:

  • restrict inbound access to approved corporate users, networks, VPNs, Zscaler, or source IP ranges where possible
  • restrict outbound access to approved IBM Planning Analytics / TM1 hosts and ports
  • configure allowed host patterns
  • use HTTPS for user-facing access
  • keep the TeamOne Proxy Server updated

The TeamOne Proxy Server does not persist client IBM Planning Analytics / TM1 data. Data is forwarded between TeamOne and IBM Planning Analytics in memory during the request and is not stored by the proxy server.