Server Remote Access Configuration

This configuration is required to enable the use of SmartAdvocate from an out-of-network location, SmartAdvocate’s mobile application, texting integration, and other integrations.

To enable remote access to the SmartAdvocate application server, the following are necessary:

An IP address and port capable of reaching the server.

Depending on the existing configuration of your network, this address may either be the public
address of the server itself, or of the router or other device which forwards from a specific port to a
port on the server. Either configuration is compatible with all SmartAdvocate functionality. If you
are using port-forwarding, the two ports can be the same or different.

The selected port must be opened to incoming traffic. Most commonly, port 443 (the default
HTTPS port) is the port used, but this is not required; any valid, open port can be used.

It is possible to maintain a whitelist of IPs permitted to connect to the selected port, rather than
opening it to all incoming traffic; however, this will not allow the use of the SmartAdvocate mobile
app, since mobile devices do not have fixed IPs. Only integrations with our partners will be
available in this scenario, and active maintenance of the whitelist may be necessary if our partners’
public IP ranges change. For this reason, we do not recommend this approach.

A DNS entry mapping a hostname on your domain to the IP address in the previous section.
Many firms create an “sa” subdomain for this purpose, so that the hostname is similar to
“sa.example.com.” This is not required – any valid hostname will work – but may be easy for your
users to use and recognize.

An SSL certificate corresponding to the chosen hostname.

See https://www.sslshopper.com/how-to-order-an-ssl-certificate.html for a summary of how to
order an SSL certificate. SmartAdvocate does not offer any particular recommendation as to which
SSL provider you should use. Remember to create the certificate request (CSR) from IIS on the
SmartAdvocate application server itself so that it can successfully be completed on that server.
If you already have a wildcard SSL certificate elsewhere on your network, it is likely possible to use
that certificate for the SmartAdvocate application server. You may need to re-key it for the server;
your SSL provider should be able to provide specific instructions.

If you already have a hostname and SSL certificate on the SmartAdvocate application server (e.g., if
it is already running another externally-accessible application), it is not necessary to create an
additional DNS entry or certificate for SmartAdvocate; the existing ones can be used.

An HTTPS binding for the web site in IIS.

Once the certificate has been installed in IIS, open the server node, then the Sites node, then select
Default Web Site and click Bindings... in the Actions pane. (If SmartAdvocate has been installed
under a site other than the Default Web Site, select that site instead; however, in nearly all
instances, SmartAdvocate is installed under the Default Web Site.)

This brings up the bindings editor that lets you create, edit, and delete bindings for your Web site.
Click Add... to add your new SSL binding to the site.

Select https in the Type drop-down list. Select the certificate you purchased in the previous section
from the SSL Certificate drop-down list. If you are using a port other than 443, enter that port in
the Port field (if you are using port-forwarding, enter the port being forwarded to on the
SmartAdvocate application server, not the port being forwarded from on the router). Click OK.

This completes the configuration of the server. Please provide us the hostname and port that you
have configured so we have it on file when configuring any integrations that require it in the future.
(If you are using port-forwarding, provide us the port being forwarded from on the router, not the
port being forwarded to on the application server.)
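One way to confirm the finished setup from a machine outside the office network, as an added example (not SmartAdvocate's own tooling): a single verified TLS handshake shows that the DNS entry resolves, the port is open, and the certificate is trusted and matches the hostname. The function names and the sample certificate are constructed for illustration; "sa.example.com" is the placeholder hostname used above. If you are using port-forwarding, pass the port being forwarded from on the router.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Feb 26 12:00:00 2021 GMT",
}

def san_matches(cert, hostname):
    """True if hostname equals a DNS SAN or is covered by a one-label wildcard."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # "*.example.com" covers sa.example.com, not a.sa.example.com.
        first_label, _, parent = host.partition(".")
        if pattern.startswith("*.") and first_label and parent == pattern[2:]:
            return True
    return False

def days_left(cert, now=None):
    """Whole days until notAfter (negative once the certificate has expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def check_endpoint(hostname, port=443, timeout=10):
    """Live check: DNS, open port, trusted chain and hostname match in one handshake."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "tls": tls.version(),
                        "san_match": san_matches(cert, hostname),
                        "days_left": days_left(cert)}
    except OSError as exc:  # covers DNS failure, closed or filtered port, TLS errors
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py HOSTNAME [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_endpoint(sys.argv[1], port))
    else:  # offline demonstration on the constructed sample
        print(san_matches(SAMPLE_CERT, "sa.example.com"), days_left(SAMPLE_CERT))
```

A result with "ok": False and a certificate verification error usually means the binding is presenting a certificate that does not cover the hostname, or the server is not sending its intermediate certificates.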

It is technically possible to bypass the certificate and HTTPS binding steps, and instead use port 80
and non-encrypted HTTP remote access. (Under this scenario, you could also bypass the DNS entry
and use the IP address directly.) However, doing so would create significant security risks and we
strongly recommend you do not take that approach. SmartAdvocate accepts no responsibility for
maintaining the security of your network in any way, shape, or form.

SmartAdvocate, LLC
Last updated Feb. 26, 2020

Visit smartadvocate.com/support for other help options including how to access our Support Tracker and Daily Office Hours sessions.