Usually companies do not implement direct web access to the servers. There is some sort of gateway, such as a reverse proxy that sits between the web and the K2 server. This adds an additional layer, and prevents users from directly accessing your K2 servers.
I have also seen companies implementing VPN, so any users who wish to access K2 from the web will first have to connect to their company's VPN service.
There are other authentication options you can use in K2 other than AD. You can configure K2 to use forms authentication, then configure K2 to use SQL User Manager. Create a username and password for any external users, then get them to use that username and password to log into your K2 environment. That way you do not have to enable anonymous access.
Above are just some examples I encounter. I recommend you get in touch with a representative from K2 to discuss your concerns, and what you can do to ensure security is not compromised. You may not even need to enable anonymous access.
Hi boringNerd,
Thanks for that thoughtful reply. The reason we may want anonymous access in this case is to give external users genuinely anonymous access since there is a requirement for public users to submit a form to our company.
As an alternative, my preferred approach would be to write an ASP.NET MVC web app to ingest the information and then have that app kick off the K2 workflow. If that web app is compromised there is very little risk. People are interested in K2 because we're good at it here and we can whip up a few forms in an afternoon.
I brought up our AD groups because it's the other K2 forms hosted on that server that concern me. If someone discovers an attack that compromises K2, an intruder could get access to everything else on the server. If a DDOS attack were to successfully hit that server it would also bring down a few other K2 apps.
K2 appears best to me as an internal tool but I was curious about people's opinions on that.
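The "thin public web app that kicks off the workflow" approach from the post above, as an added example (not code from either poster). It is a minimal ASP.NET MVC controller that accepts an anonymous form, validates it, and starts a K2 process through the K2 client API (SourceCode.Workflow.Client). The K2 server name, the process name `PublicIntake\SubmitRequest` and the data field names are placeholders; the point of the layout is that the only K2 principal the public site can act as is the app pool identity, which should be granted start rights on this one process and nothing else, so a compromise of the web app does not reach the other K2 forms on the server.

```csharp
// Added example: public intake form that hands validated data to a K2 workflow.
// Assumes the K2 client API (SourceCode.Workflow.Client) and an installed process
// named "PublicIntake\SubmitRequest" (placeholder; field names are also placeholders).
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using SourceCode.Workflow.Client;

// Only these three fields ever reach the workflow; anything else in the POST is ignored.
public class PublicRequest
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }

    [Required, StringLength(2000)]
    public string Details { get; set; }
}

public interface IWorkflowStarter
{
    int Start(PublicRequest request);
}

// Connects as the app pool identity. Grant that account start rights on this
// single process only, so the public site cannot touch other K2 workflows.
public class K2WorkflowStarter : IWorkflowStarter
{
    private readonly string _k2Server;
    private const string ProcessName = @"PublicIntake\SubmitRequest"; // placeholder

    public K2WorkflowStarter(string k2Server) { _k2Server = k2Server; }

    public int Start(PublicRequest request)
    {
        var connection = new Connection();
        try
        {
            connection.Open(_k2Server);
            ProcessInstance instance = connection.CreateProcessInstance(ProcessName);
            // Copy only the whitelisted, validated fields into the process data.
            instance.DataFields["Name"].Value = request.Name;
            instance.DataFields["Email"].Value = request.Email;
            instance.DataFields["Details"].Value = request.Details;
            connection.StartProcessInstance(instance);
            return instance.ID; // kept server-side for logging, not shown to the public user
        }
        finally
        {
            connection.Close();
        }
    }
}

// The anonymous surface is this one controller; the rest of the site stays authenticated.
[AllowAnonymous]
public class IntakeController : Controller
{
    private readonly IWorkflowStarter _starter;

    public IntakeController(IWorkflowStarter starter) { _starter = starter; }

    [HttpGet]
    public ActionResult Submit()
    {
        return View(new PublicRequest());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Submit(PublicRequest request)
    {
        if (!ModelState.IsValid)
            return View(request);

        _starter.Start(request);
        // Confirmation page only; no internal process instance id is exposed.
        return RedirectToAction("Done");
    }

    [HttpGet]
    public ActionResult Done()
    {
        return View();
    }
}
```

The separation matters for the concern raised in the thread: the K2 server itself stays behind the reverse proxy or VPN with no anonymous access enabled, and the only thing reachable from the internet is a small app whose K2 permissions are limited to starting one process.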