Skip to main content
Nintex Community Menu Bar

I'd like to know how common it is for people to allow anonymous external access to K2 SmartForms. We have a number of solutions running on our K2 servers. Some are really important to our company and hold important and private information. It feels like a risk to allow external web access to the same server that runs our SmartForms and workflow designers as well as other K2 forms that are meant for internal people only.

 

If I'm understanding it correctly, the only thing stopping people from seeing those other forms or hitting the designers is K2's application security, based on our corporate AD group. Is this risky?

 

If anyone knows of any documentation about options or how this works architecturally, could you please give me the links?

 

Usually companies do not implement direct web access to the servers. There is some sort of gateway, such as a reverse proxy that sits between the web and the K2 server. This adds an additional layer, and prevent users from directly accessing your K2 servers.


 


I have also seen companies implementing VPN, so any users who wish to access K2 from the web will first have to connect to their company's VPN service.


 


There are other authentication options you can use in K2 other than AD. You can configure K2 to use forms authentication, then configure K2 to use SQL User Manager. Create a username and password for any external users, then get them to use that username and password to log into your K2 environment. That way you do not have to enable anonymous access.


 


Above are just some examples I encounter. I recommend you get in touch with a representative from K2 to discuss your concerns, and what you can do to ensure security is not compromised. You may not even need to enable anonymous access.


 


Hi boringNerd,

 

Thanks for that thoughtful reply. The reason we may want anonymous access in this case is to give external users genuinely anonymous access since there is a requirement for public users to submit a form to our company.

 

As an alternative, my preferred approach would be to write an ASP.NET MVC web app to ingest the information and then have that app kick off the K2 workflow. If that web app is compromised there is very little risk. People are interested in K2 because we're good at it here and we can whip up a few forms in an afternoon.

 

I brought up our AD groups becuase it's the other K2 forms hosted on that server that concern me. If someone discovers an attack that compromises K2, an intruder could get access to everything else on the server. If a DDOS attack were to successfully hit that server it would also bring down a few other K2 apps.

 

K2 appears best to me as an internal tool but I was curious about people's opinions on that.


Reply