Enable Remote Access
Sym3 Operator V10 and later supports only secured connections:
- https instead of http.
- wss instead of ws.
Hence, Sym3 requires some additional configuration.
By default, Sym3 Web is only locally accessible, meaning https://localhost:4031/Sym3Web can only be opened from the server itself. During the installation, a local certificate is generated in C:\ProgramData\Sym3\cert, and it allows only localhost.
To enable remote access (a web browser from outside the server), an SSL certificate with the specified IP address or hostname is required.
Apply the Sym3 generated self-signed SSL certificate
Note: A certificate only needs to be applied once, after the first installation. It does not need to be applied again after an upgrade of Sym3.
Step 1: Generate a new certificate
- On Sym3 Web, open the web application settings.
- Open the CERTS tab.
- Enter the server’s IP address:
  - If the IP Address field is empty, the current certificate only allows access from localhost (or the loopback IP 127.0.0.1).
  - Enter the server’s IP address or hostname in the field. Multiple entries are accepted (semicolon delimited).
  - Click the Apply Certificate button. Sym3 Web will then generate a new certificate that includes the specified IP address or hostname. This step may take some time. After the new certificate is installed, the browser will disconnect from the server.
Step 2: Restart services
- Open Windows Services (Windows key + “Services”).
- Restart the following services:
  - Sym3 Auth Server
  - Sym3 Web Service
- Close your web browser.
- Open your web browser, and open the web application with the IP address used in Step 1.
Install the Certificate Individually or Distribute it to Client Computers by Using AD Group Policy
The certificates generated by Sym3 are self-signed, so the certificate must be installed on each client computer. For the steps, see Sym3 Web Certificate.
This can be done for all computers in the domain using Active Directory Group Policy. The steps can be found on the Microsoft learning page.
Use your own CA SSL certificate
Note: The owner of the certificate is responsible for maintaining the certificate.
Step 1: Obtain the Certificate Thumbprint
The thumbprint of a certificate can be found in the ‘Manage Computer Certificates’ tool. Locate the certificate, double-click it to open and navigate to the ‘Details’ tab to retrieve the thumbprint.
Additionally, check the ‘Subject Alternative Name’ of the certificate to ensure it includes the primary domain name or IP address specified in the ‘CERTS’ setting.
Step 2: Export the PFX File for Sym3 Auth Server and Sym3 Web Service
Run the following PowerShell script to export the certificate:
Note: Administrator privileges are required to execute the script.
- Replace «YOUR THUMBPRINT» with the thumbprint obtained in Step 1.
- Replace «YOUR PASSWORD» with your chosen password.
- The default certificate folder for Sym3 Auth Server and Sym3 Web is: C:\ProgramData\Sym3\cert. It is recommended to back up the Sym3 generated Sym3Auth.pfx and Sym3Auth.cer files to a safe location before they are overwritten.
- Open the appsettings.json of Sym3 Auth Server and Sym3 Web Service. Update the inline certificate file password to «YOUR PASSWORD». Then run the following script.
- After running the script, restart Sym3 Auth Server and Sym3 Web Service to apply the changes.
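# Path to the certificate in the current user's personal store.
# The 'Manage Computer Certificates' tool shows the local machine store;
# if the certificate is there, use 'Cert:\LocalMachine\My\<<YOUR THUMBPRINT>>' instead.
$certificatePath = 'Cert:\CurrentUser\My\<<YOUR THUMBPRINT>>';
$pfxPassword = ConvertTo-SecureString -String "<<YOUR PASSWORD>>" -Force -AsPlainText;
# Export the certificate with its private key (PFX) and the public certificate only (CER).
Export-PfxCertificate -Cert $certificatePath -FilePath "C:\ProgramData\Sym3\cert\Sym3Auth.pfx" -Password $pfxPassword;
Export-Certificate -Cert $certificatePath -FilePath "C:\ProgramData\Sym3\cert\Sym3Auth.cer";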
Step 3: Bind the certificate to the ports used by the Sym3 services
The server section displays all non-loopback domain names and IP addresses included in the current certificate. Double-check that the expected domain name appears in the field. Each service record will have a ‘Bind’ button if the ports used by the service are not bound to the current certificate. Click the button to bind the certificate to the ports.
Note: Do not click the ‘Apply Certificate’ button, as it will generate a self-signed certificate.
Step 4: Add the redirect URL to the whitelist in Sym3 Auth Server
- Open Sym3 Auth Server login page at: https://«YOUR DOMAIN»:6051/account/login.
- Log in using the PlatformAdmin account, then open the Client Management page from the Administration menu or open the URL https://«YOUR DOMAIN»:6051/ClientManagement.
- Locate the ‘Sym3Web’ record and edit it.
- Find the Redirect URL field and add the following URL to the list: https://«YOUR DOMAIN»:4031/sym3web/authentication/login-callback.
- Save the change.

Step 5: Update the Sym3 Auth Server URL in the Sym3 Web configuration
- Open the Sym3 Web configuration located at: “C:\ProgramData\Sym3\Sym3 Web\sym3web.config.json”.
- Set the value of Oidc=>Authority to https://«YOUR DOMAIN»:6051/.
- Restart Sym3 Web Service from the Windows Service Manager.
Step 6: Update the Sym3 Operator Client settings
- Run the Sym3 Operator Client and click the Edit button to open the configuration window.
- Replace all ’localhost’ values with «YOUR DOMAIN».
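
To confirm the result of either procedure from a client machine, the following PowerShell script (an added example, not part of the Sym3 documentation or tooling) connects to ports 4031 and 6051 named on this page and reports whether the certificate served on each port matches the thumbprint from Step 1 and lists the name clients use in its Subject Alternative Name. The helper names Get-ServedCertificate and Get-SanValues are hypothetical, and the placeholders must be replaced before running.

```powershell
# Added example, not vendor code. Replace the placeholders before running.
$HostName           = '<<YOUR DOMAIN>>'       # name or IP address that clients use
$ExpectedThumbprint = '<<YOUR THUMBPRINT>>'   # set to '' to skip the comparison
$Ports              = 4031, 6051              # Sym3 Web and Sym3 Auth Server (from this page)

function Get-ServedCertificate {              # hypothetical helper name
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

function Get-SanValues {                      # hypothetical helper name
    param($Certificate)
    # Subject Alternative Name is extension OID 2.5.29.17.
    # Format($true) prints one "label=value" entry per line on Windows.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($true) -split '\r?\n' | Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}

# Thumbprints copied from the certificate dialog may carry spaces or hidden characters.
$wanted = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''

foreach ($port in $Ports) {
    $cert = Get-ServedCertificate -HostName $HostName -Port $port
    $san  = @(Get-SanValues -Certificate $cert)
    [pscustomobject]@{
        Port            = $port
        Thumbprint      = $cert.Thumbprint
        ThumbprintMatch = if ($wanted) { $cert.Thumbprint -eq $wanted } else { 'not checked' }
        NameInSan       = $san -contains $HostName   # exact match only; wildcards not evaluated
        SelfSigned      = $cert.Subject -eq $cert.Issuer
        NotAfter        = $cert.NotAfter
        Expired         = $cert.NotAfter -lt (Get-Date)
    }
}
```

When your own CA certificate is in use, a port that reports SelfSigned as True or ThumbprintMatch as False is not serving that certificate, so revisit the Bind step for that service. NameInSan reporting False means browsers will reject the connection for that name even if the certificate is otherwise trusted.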