Security Configurations for On-premises Deployments

Table of contents

  1. Windows Integrated Authentication
  2. Network-based security
  3. Network zones
  4. Client authentication with SSL certificates

The OutSystems Cloud provides convenience and value to end-users, handling the administration of the technology stack as well as core OutSystems administrative tasks. While the OutSystems Cloud supports secure integration with a customer’s own on-premises or cloud systems, for some customers there is a requirement to install OutSystems within their own infrastructure. OutSystems fully supports on-premises installations and provides additional security configurations for these, as described below.

Windows Integrated Authentication

Windows Integrated Authentication uses operating system credentials to automatically log in to a given page or application. Windows Integrated Authentication requires that the OutSystems platform server be part of the customer’s Windows user authentication domain.

An OutSystems Cloud server cannot join the customer's Windows domain for security reasons. Therefore, OutSystems Cloud customers need to select one of the other user authentication options.

Network-based security

The OutSystems Cloud implements a standard and secure network configuration.

With an on-premises deployment, customers have full control of the network configuration, thereby enabling further customization. For example, customers can limit application access by IP address, configuring it per-application.

Network zones

With an on-premises OutSystems installation, it's possible to configure how front-end servers are spread across the various customer networks (internet, intranet, extranet) and define which applications are deployed to which clusters of front-end servers. For example, internal applications can run in an internal network zone, and websites can run in the demilitarized zone (DMZ).

This is an example of detailed configuration of front-end servers and eSpaces associated with a network zone:

On the OutSystems Cloud, you can achieve a similar isolation between applications by subscribing to additional production environments, and choosing which applications to deploy to each environment.
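The per-application IP restriction and network-zone placement described above can be checked against a deployment inventory. The following is an added example, not OutSystems code or an OutSystems configuration format: the zone names, front-end server names, application names, address ranges and the `internal_only` flag are all hypothetical. It models the access decision (zone membership plus IP allow-list) and audits for internal applications that ended up exposed.

```python
import ipaddress

# Constructed inventory: zone, server and application names and address
# ranges are hypothetical, not an OutSystems configuration format.
ZONES = {
    "internal": {"front_ends": {"fe-int-01", "fe-int-02"}, "internet_facing": False},
    "dmz": {"front_ends": {"fe-dmz-01"}, "internet_facing": True},
}
APPS = {
    "HRPortal": {"zone": "internal", "internal_only": True,
                 "allowed_cidrs": ["10.20.0.0/16"]},
    "PublicSite": {"zone": "dmz", "internal_only": False,
                   "allowed_cidrs": ["0.0.0.0/0"]},
    "Payroll": {"zone": "dmz", "internal_only": True,  # misplaced on purpose
                "allowed_cidrs": ["10.20.0.0/16"]},
}


def is_request_allowed(app, front_end, client_ip, zones=ZONES, apps=APPS):
    """Allow only if the app is deployed to the zone that owns this front-end
    server and the client address falls inside the app's allow-list."""
    spec = apps.get(app)
    if spec is None:
        return False  # unknown application: deny by default
    zone = zones.get(spec["zone"])
    if zone is None or front_end not in zone["front_ends"]:
        return False  # app is not deployed on this front-end server
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: deny
    return any(addr in ipaddress.ip_network(c) for c in spec["allowed_cidrs"])


def audit_zone_placement(zones=ZONES, apps=APPS):
    """Return internal-only apps that sit in an internet-facing zone or whose
    allow-list contains a catch-all range (prefix length 0)."""
    findings = []
    for name, spec in apps.items():
        exposed_zone = zones[spec["zone"]]["internet_facing"]
        open_list = any(ipaddress.ip_network(c).prefixlen == 0
                        for c in spec["allowed_cidrs"])
        if spec["internal_only"] and (exposed_zone or open_list):
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    print(is_request_allowed("HRPortal", "fe-int-01", "10.20.5.9"))
    print(audit_zone_placement())
```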

Client authentication with SSL certificates

To enable even stronger authentication, with an on-premises installation you can require that clients have a valid SSL certificate to access sensitive web pages and web services.

The load balancer used in the OutSystems Cloud does not support client-side SSL certificates, thus you should authenticate clients with other mechanisms: