What you need to enable secure remote access for your on-site FileMaker Server for your users and developers.
While an increasing number of business are moving their FileMaker custom apps to the cloud, there are still valid reasons for self-hosting with your own on-site FileMaker Server. Maybe you have a very large, complex system, that demands local network speed, or it is an older system that isn’t build on current best practices, so it doesn’t scale well. Perhaps you just like maintaining your own server hardware (we can respect that). It could be that your users don’t need (or you don’t want them to have) access to the system when they aren’t on-premise. Another possibility is that your app doesn’t have a proper security model, so it shouldn’t have outside access. That’s another conversation, so we won’t judge you too harshly now. But at some point, someone will need access. If you hire us to build or enhance your FileMaker app, that someone is us.
There are three main options for providing remote access, each with various benefits and trade-offs.
- Native direct access to FileMaker Server via port 5003.
- VPN access to your network.
- Remote desktop access to a workstation on your network.
We’ll go into the details of what is required for each option, and our preferences.
Option 1: Native remote access via port 5003
This is the preferred option, as it provides the easiest access for our developers to work on your system. It involves opening a port on your router/firewall between the outside world and your FileMaker server. If you know anything about network security, there should be alarms going off in your head right now. If you open a hole in your firewall, you need to make sure that you do so in a secure way. There are a few steps that need to be followed for this method.
Purchase and install an SSL certificate on the FileMaker server.
Open port 5003 on your firewall.
A certificate for your FileMaker Server can be purchased from LuminFire. You can either buy a custom certificate or user our shared certificate. If you choose a custom certificate, the main thing to decide here is what your server name should be. It will be a subdomain of your main URL. An example that many people use is to tack “fms.” on the front of their domain, so the server address would be something like fms.website.com. You can have this be whatever you want as long as you own the domain name.
You can save some money by using our shared (called a wildcard) certificate. In that case, your server address would be companyname.fmsecureserver.com.
Here are some ballpark costs that you can expect:
Custom (eg. fms.website.com)
Normally $300 for a 3 year certificate.
Plus about 1-2 hours for installation and renewals.
Normally $150 for a 3 year cert.
Plus 1 hour installation and renewals.
Here, all that is required is that your FileMaker Server have a static IP on your LAN (likely already done), and whoever manages your router/firewall then needs to open port 5003 and point traffic to the server. We can also help with this if needed.
For a custom certificate, your DNS administrator will need to add <fms.website>.com as an A record to your public DNS and point it to the public static IP of your FileMaker server. For local traffic, you’ll want a local DNS entry pointing at the internal IP as well. That way, your users will get the green lock icon in FileMaker and won’t see warnings about the server not being secure.
If you don’t want access from anywhere on the internet, you can limit port 5003 access to only certain IP addresses. For instance, if you want to give our developers access, but not anyone else, you can limit access to only the LuminFire office IP.
Option 2: VPN access to your network
This is another good option, depending on your specific firewall/VPN, as some are not as friendly a others, from our perspective. The difference is if the VPN works with one of the open standards supported by the macOS built-in Network Preferences, or if it has dedicated app that is required to connect. In theory, the dedicated app makes it easy for your users. But for our developers, it means yet another VPN app to manage, and remember which client uses which app. If it supports the system options, they are all in one tidy list.
Depending on your VPN configuration options, you can grant access to your entire network, or only certain servers or IP addresses within your network. A VPN with full network access can be a good option if your FileMaker app integrates with other devices or servers on your network that we may need to test. Otherwise those options will be missing when we connect remotely.
If your FileMaker server is secured by only being accessible on your local network or via VPN, installing an SSL certificate is not necessarily a security requirement. Just know that FileMaker will still warn you that that your connection to the host is not secure, and users will not see the green lock icon.
Option 3: Remote desktop access to a workstation on your network
The last option is remote desktop access. There are Remote Desktop apps from Apple and Microsoft, but those will also require network access. The other option is to use apps like TeamViewer, JumpDesktop, ConnectWise, etc. These apps get around your firewall by communicating with a central server, providing an outbound connection that will route traffic between connected computers.
We use apps like this for remote work and diagnostics when necessary, but they make actually developing in FileMaker difficult. For one thing, there is almost always a noticeable lag between the actions of your mouse or keyboard, and what you see on screen. The other reason it is not as efficient is simply because you are effectively working on a computer that is not yours. If you’ve ever tried to get work done on someone else’s computer, you will understand. It may not have the same customizations and shortcuts that you prefer. It might not even be the same operating system. And it won’t have the custom plug-ins and apps that we use to make our development time more efficient. Because of these reasons, everything takes more time… often much more.
If this is the only option, be prepared for things to take longer and to cost more. If we know this ahead of time, we will increase our estimate by 50-100% over what we think it will take, just to cover the loss in productivity.
Unless everyone who uses and develops/maintains your FileMaker custom app is on your local network all the time, having a system with no outside access is just not a realistic expectation. We can work with you and your network IT staff to get remote access set up in a way that is efficient and secure, informing you of the benefits and dangers of any options being considered.
Also published on Medium.