SystoLOCK Companion is your key to using the advanced features of SystoLOCK. Its advanced features require your phone to be able to connect to the SystoLOCK servers. If you are inside a perimeter network, you will most likely have no connectivity problems, but if you are outside or connected to a network outside your organisation, you will need to ensure that the Companion can otherwise reach the servers.
There are many ways (in no particular order) to make Companion (or your Windows client) do this:
Which solution is right for you depends on many factors addressed below and you will need to decide which solution best suits your technical and financial plans. Whatever decision you take, DNS considerations apply for all cases.
This is technically the fastest and easiest way to provide the required connectivity. You can use it for testing and in rare cases in production, but care should be taken as direct port forwarding does not fit well with many security practices (or even policies). If you have installed SystoLOCK Server on a domain controller, we strongly advise you not to use direct port forwarding.
Execute the steps described in Firewall and Port Forwarding to make port forwarding work for you.
Make sure to adjust your service certificates' SAN entries to include your outside endpoints.
If you have an Entra ID P1 subscription (or higher), you can use the Entra Application Proxy included in the subscription. If configured with pass-through authentication and no restrictions, it will act as an HTTP rendezvous reverse proxy and, together with its proxy agent, will ensure correct access for the Companion.
If you do not have an Entra subscription or prefer a more general approach, you can use Cloudflare Tunnels, which work similarly, are very efficient and are included in the free tier of Cloudflare subscriptions. The only problem with Cloudflare is that their treatment of SRV records will make it difficult to configure the records within the same domain, so you will have to use an externally managed domain to create the SRV record required by the Companion.
If you have your own HTTP reverse proxy of any kind, you can use it to proxy SystoLOCK Companion requests. Any make or model should work, including a standard Web Application Proxy that is part of a Windows Server installation.
Make sure to adjust your service certificates' SAN entries to include your outside endpoints. Wildcard certificates often work well in these scenarios.
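The SAN requirement above can be checked before exposing an endpoint. The following is an added example, not part of the SystoLOCK documentation or tooling: it tests whether a certificate's DNS SAN entries cover each outside endpoint, including the rule that a wildcard stands for exactly one label. All host names are constructed placeholders, and the certificate is assumed to be a dict shaped like the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example: verify that SAN entries cover every outside endpoint.
# Host names and the sample certificate below are constructed placeholders.

def _norm(name):
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().rstrip(".").lower()

def san_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the whole leftmost
    label and stands for exactly one label."""
    p = _norm(pattern).split(".")
    h = _norm(hostname).split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two labels after the wildcard so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def dns_sans(cert):
    """Return DNS SAN entries from a getpeercert()-shaped dict."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def uncovered_endpoints(cert, endpoints):
    """Return the endpoints that no DNS SAN entry covers."""
    sans = dns_sans(cert)
    return [e for e in endpoints
            if not any(san_matches(s, e) for s in sans)]

# Constructed sample: one internal name, one wildcard, one IP entry.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "systolock.corp.example"),
        ("DNS", "*.example.com"),
        ("IP Address", "10.0.0.5"),
    )
}
# Constructed outside endpoints to check against the certificate.
ENDPOINTS = [
    "auth.example.com",        # covered by the wildcard
    "auth.ext.example.com",    # two labels deep: wildcard does not apply
    "systolock.corp.example",  # covered by the exact entry
    "example.com",             # bare domain: wildcard does not apply
]

if __name__ == "__main__":
    for endpoint in uncovered_endpoints(SAMPLE_CERT, ENDPOINTS):
        print("not covered by SAN:", endpoint)
```

Endpoints reported as not covered need their own SAN entry; a wildcard entry does not extend to the bare domain or to names more than one label below it.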
SystoLOCK Proxy, together with SystoLOCK Proxy Agent, is part of the SystoLOCK platform. It is a dedicated rendezvous proxy solution for SystoLOCK that makes connectivity for the Companion a breeze.
The Proxy is very flexible: it is written for .NET Core, so you can install it on a Windows or Linux machine, with or without IIS, with or without .NET installed.
SystoLOCK Proxy on premises is delivered without support from Systola. If you require support for it, please consider the next option.
If you have an Enterprise licence, you are entitled to use 2 Proxy endpoints provided in "as-a-service" mode and hosted by Systola.
If you have a Standard licence, you can subscribe to SystoLOCK Proxy as-a-service for a fee. In both cases, Systola will help you configure the agents and provide you with all the necessary information.