- Primeros pasos
- Seguridad y cumplimiento de los datos
- Organizaciones
- Autenticación y seguridad
- Licencia
- Acerca de la licencia
- Precios unificados: marco del plan de licencias
- Activar su licencia Enterprise
- Migrar de Test Suite a Test Cloud
- Migración de licencias
- Asignar licencias a tenants
- Asignación de licencias de usuario
- Anular la asignación de licencias de usuarios
- Monitoring license allocation
- Licencias con exceso de asignación
- Notificaciones de licencias
- Administración de licencias de usuario
- Tenants y servicios
- Cuentas y roles
- Ai Trust Layer
- Aplicaciones externas
- Notificaciones
- Registro
- Pruebas en su organización
- Solución de problemas
- Migrar a Test Cloud
Guía de administración de Test Cloud
Cómo funciona
The Relay client — a lightweight binary installed on a machine inside your network — establishes a persistent, outbound-only TLS tunnel (port 443) to the Relay Server in Test Cloud. When a UiPath cloud service needs to reach one of your on-premises endpoints, the request travels from the cloud service through the Relay Server, down the tunnel to the Relay client, and from there across your local network to the target service.
Because the Relay client initiates all tunnel connections outbound, your network never accepts an inbound connection from the internet.
Connectivity flow
- You register on-premises endpoints under a Relay Group in UiPath Administration. The endpoint list is stored in the Relay service.
- The Relay client performs an authenticated discovery call to Test Cloud to retrieve the list of endpoints to expose.
- The Relay client establishes a persistent control connection (TLS) to the region-specific relay server — for example,
eu-relay.uipath.com. - The Relay Server validates the connection via OIDC and verifies the client configuration against the registered Relay Group, preventing a client from claiming endpoints it does not own.
- When a UiPath service needs to call an on-premises endpoint, it retrieves the Relay URL from the Relay API and obtains a relay-scoped token from UiPath Identity.
- The service calls the Relay URL. The relay infrastructure validates the token and the consuming tenant's authorization before forwarding the request through the tunnel.
- The Relay client terminates the inbound tunnel connection and re-initiates an HTTP or HTTPS connection to the on-premises endpoint over the local network.
For best throughput, deploy the Relay client in the same geographic region as your cloud tenant. Traffic follows the path UiPath Cloud → relay server → relay node → on-premises service, so cross-region tunnels add latency proportional to the round-trip time between the regions — for large-payload scenarios this difference is significant.
Alta disponibilidad
For production environments, deploy at least two Relay clients within the same Relay Group with identical network access and trust store configuration. Clients in a group share load via round-robin distribution and fail over automatically if one client becomes unavailable.
When multiple clients use proactive reconnect, they coordinate so that only one client drains at a time, keeping the group continuously available throughout each reconnect cycle.
Modelo de seguridad
- Authentication. The Relay client authenticates to the cloud platform using OAuth 2.0 Client Credentials. The Relay Server validates each control connection via OIDC and verifies the client matches the registered Relay Group.
- Encryption at rest. Credentials stored on the Relay client machine are encrypted: AES-256-GCM on Linux, DPAPI on Windows.
- Encryption in transit. All traffic between the Relay client and the Relay Server is encrypted with TLS.
- Token scoping. UiPath services obtain a relay-scoped token before calling a Relay URL. The relay infrastructure validates this token and the consuming tenant's authorization before forwarding the request.
TLS and certificate trust
The Relay client terminates and re-initiates HTTP or HTTPS connections to on-premises targets. When the on-premises endpoint uses HTTPS, the OS trust store on the Relay client machine must trust the certificate authority (CA) that signed the on-premises endpoint's certificate.
If your endpoint uses a self-signed certificate or a private corporate CA, add the issuing CA to the Relay client machine's trust store before starting the relay. Failure to do so causes the Relay client to reject the connection to the internal target.