Hi Everyone,
We are currently doing an on-premises setup from scratch, and we're currently faced with a blocker issue.
Due to company security policy, port 80 is not allowed to be used.
I'm raising firewall requests based on the network requirements from the link below.
https://success.outsystems.com/documentation/11/setup_outsystems_infrastructure_and_platform/setting_up_outsystems/outsystems_network_requirements/
Can someone help explain what the consequences are if this port is not open? I know, based on the link, that it's to handle user traffic and IIS Monitoring, but what will happen to IIS Monitoring if it's not open?
I tried using ChatGPT to get answers; however, since OutSystems is a proprietary tool, it's not really entirely reliable.
Or is there a way to make OutSystems use another port instead of port 80?
Same concern is discussed in the below two posts
This port is used for monitoring, and you can configure the firewall to allow requests only from specific source and destination IPs, ensuring that port 80 is accessible only to the required systems (frontends, controller). User traffic runs over HTTPS (443), so blocking port 80 will not affect users.
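The source-scoped rule described in the reply above, sketched as an added example for the Windows Defender Firewall on a front-end server (not part of the original post and not OutSystems-provided code). The peer address and rule name are constructed placeholders, and a perimeter firewall request would carry the same source/destination scoping.

```powershell
# Run elevated on each front-end server. All values below are constructed placeholders.
$AllowedPeers = @('192.0.2.10')   # assumption: address of the deployment controller
$RuleName     = 'OutSystems IIS monitoring (HTTP 80, scoped)'   # hypothetical rule name

# 1. Audit: enabled inbound allow rules that expose TCP 80 to any source address.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -in 'TCP', 'Any') -and
        (($port.LocalPort -contains '80') -or ($port.LocalPort -contains 'Any')) -and
        ($addr.RemoteAddress -contains 'Any')
    }
$broad | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize

# 2. Preview disabling the broad rules. Remove -WhatIf only after reviewing the
#    list: a rule with LocalPort 'Any' may also carry other traffic, including 443.
#    Until they are disabled, these rules still admit port 80 from any source.
if ($broad) {
    $broad | Disable-NetFirewallRule -WhatIf
}

# 3. Allow inbound TCP 80 only from the listed peers (created once, idempotent).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 80 -RemoteAddress $AllowedPeers -Profile Any | Out-Null
}

# 4. Confirm the scope that was actually stored for the new rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

To check the result, run `Test-NetConnection -ComputerName <front-end> -Port 80` from the controller (expected to succeed) and from a host that is not in `$AllowedPeers` (expected to fail).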
Hi Siya,
So what you're saying is, for end-user access, just open port 443 and not include port 80,
but for server-to-server, it must be opened?
Yes. That's correct. For end users, all the communication will be over port 443. Server to Server communication for monitoring will be over 80.
Not sure if this will be accepted as mitigation on our end. I'll include this in our internal discussion and update here.
Hi Siya, will the below documentation still work if port 80 is only opened for server to server communication?
Yes. As per my understanding, this configuration is only relevant in an environment where there are multiple front-end servers (example: production). In such a case, one server will act as the controller, and Service Center will be accessible through this server. The controller communicates with the other front-end servers over port 80 to check the IIS status. Eg:
Normally, Development and UAT environments have a single server that performs all the platform server roles, so you don't have to expose port 80 over the public interface.
Hi Siya, for our case we have multiple servers on the DEV and UAT environments as well. Our UAT needs to mirror the PRD environment, and for DEV we also have multiple servers to handle our developer load in terms of publishing.
As I understand it, there can only be one deployment controller per environment. So I'm not sure what you mean by 'having multiple servers to handle our developer load in terms of publishing.' Could you share a high-level network diagram of the entire setup? Perhaps someone with more experience could provide insights. By the way, how do you mirror the production environment to UAT?
Yes, there is only 1 deployment controller per environment; we have several front-end servers, is what I meant.
By mirroring, at a high level I am referring to the setup of UAT and PRD having the same number of servers (e.g. UAT - 1 deployment controller, 3 additional front-end servers, similar to PRD).
Thank you for the clarification. For monitoring, the controller should be able to reach all the front-end servers it is connected to.
One suggestion is to set up the environment with four stages: Dev, UAT, Pre-Prod, and Production (instead of three). After development, the application will be moved to UAT for validation. Once accepted, it will be promoted to Pre-Prod, which serves as a replica of Production in terms of servers and configurations. Pre-Prod can be used for load testing and hotfixes.
I found a similar case at the link below; they also have a company policy with regard to port 80.
https://www.outsystems.com/forums/discussion/60574/network-requirements-iis-monitoring/
Seems it really cannot be forced, even to redirect to 443.
https://success.outsystems.com/documentation/11/setup_outsystems_infrastructure_and_platform/setting_up_outsystems/default_platform_server_and_database_configurations/
This is a key issue many on-prem users are facing.