SystoLOCK Companion is your key to using the advanced features of SystoLOCK. These advanced features require your phone to be able to connect to the SystoLOCK servers. If you are inside a perimeter network, you will most likely have no connectivity problems, but if you are outside and connected to a network outside your organisation, you will need to ensure that the Companion can otherwise reach the servers.
There are 5 ways (in no particular order) to make Companion do this:
Which solution is right for you depends on many factors addressed below and you will need to decide which solution best suits your technical and financial plans. Whatever decision you take, DNS considerations apply for all cases.
This is technically the fastest and easiest way to provide the required connectivity. You can use it for testing and sometimes in production, but care should be taken as direct port forwarding does not fit well with many security policies. If you have installed SystoLOCK Server on a domain controller, we strongly advise you not to use direct port forwarding.
Execute the steps described in Firewall and Port Forwarding to make port forwarding work for you.
Make sure to adjust your service certificates' SAN entries to include your outside endpoints.
If you have your own HTTP reverse proxy of any kind, you can use it to proxy SystoLOCK Companion requests. Any make or model should work, including a standard Web Application Proxy that is part of a Windows Server installation.
If you decide to go this route, make sure you attach an identical certificate to the Internet-facing endpoint of the proxy as the one attached to the internal SystoLOCK endpoint. Wildcard or SAN certificates work best in this case.
SystoLOCK Proxy, together with SystoLOCK Proxy Agent, is part of the SystoLOCK platform. It is a dedicated reverse proxy solution for SystoLOCK that makes connectivity for the Companion a breeze.
The Proxy is very flexible: it is written for .NET Core, so you can install it on a Windows or Linux machine, with or without IIS, with or without .NET installed.
It has its own certificate mapping engine, so you can use different certificates for internal and external endpoints.
SystoLOCK Proxy on premises is delivered without support from Systola. If you require support for it, please consider the next option.
If you have an Enterprise licence, you are entitled to use 2 Proxy endpoints provided in "as-a-service" mode and hosted by Systola.
If you have a Standard licence, you can subscribe to SystoLOCK Proxy as-a-service for a fee. In both cases, Systola will help you configure the agents and provide you with all the necessary information.
If you have an Entra ID P1 subscription (or higher), you can use the Entra Application Proxy included in the subscription. If configured with pass-through authentication and no restrictions, it will act as an HTTP reverse proxy and, together with its proxy agent, will ensure correct access for the Companion.
This solution would also require you to use the same certificate for both internal and external endpoints.
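The certificate requirements above (SAN entries that include the outside endpoints for port forwarding, and an identical certificate on both sides for your own reverse proxy or the Entra Application Proxy) can be checked before rollout. The following Python sketch is an added example, not part of SystoLOCK or its documentation; the function names and all host names in it are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fetch_cert(host, port=443, cafile=None):
    """Return (sha256 fingerprint, SAN DNS names) of the certificate served at host:port."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: internal CA bundle, if needed
    # Chain validation stays on; the name check is left to san_covers() so a
    # missing SAN entry is reported instead of aborting the handshake.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    names = [v for k, v in info.get("subjectAltName", ()) if k == "DNS"]
    return hashlib.sha256(der).hexdigest(), names


def san_covers(hostname, san_names):
    """True if hostname matches a SAN entry; '*' stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*" and len(pat) > 2:
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def check_endpoints(internal, external, external_host, same_cert_required=True):
    """internal/external are (fingerprint, san_names) tuples; returns a list of problems."""
    problems = []
    if not san_covers(external_host, external[1]):
        problems.append(f"SAN does not cover {external_host}")
    # A proxy with its own certificate mapping may serve a different certificate.
    if same_cert_required and internal[0] != external[0]:
        problems.append("internal and external endpoints serve different certificates")
    return problems


if __name__ == "__main__":
    # Constructed sample values; in practice use fetch_cert() for each endpoint.
    inside = ("aa11", ["lock.corp.example"])
    outside = ("aa11", ["lock.corp.example"])
    print(check_endpoints(inside, outside, "lock.example.com"))
```

Pass `same_cert_required=False` when the outside endpoint is a SystoLOCK Proxy, which can map different certificates to internal and external endpoints.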