Requirements for on-premise Lime installations

General

The integration depends on the Newsletter cloud environment being able to communicate with the on-premise Lime Server. It needs this to get the persons to send emails to and to write back status updates on actions in emails. The Newsletter integration is built as an addon that is installed into the Lime Web Server, and the Lime Webclient must be enabled for that to work.

Since most on-premise solutions are behind the customer's firewall, the customer needs to take action to let the Newsletter environment connect to their Lime server. The customer doesn't have to open up the Webclient to the whole world. Access can be limited to the Newsletter environment IPs.

The image shows how the Newsletter environment communicates with the on-premise solution in most cases: either directly through the firewall to the Lime Server, or through the firewall and then via a reverse proxy to the Lime Server.

[Image: Lime newsletter communication]

Security

The communication from the Newsletter environment to the on-premise Lime environment is secured via HTTPS/TLS.

Every request from the Newsletter environment to the on-premise Lime server needs to be authenticated. That is done by passing a unique secret (API-key) in the header (x-api-key). The API-key can only be generated by an administrator on the on-premise Lime server with the Lime administration tools (or the command line tool limefu). The API-key is bound to an existing Lime user and all requests using that API-key will impersonate that Lime user. The API-key is then stored in the Newsletter environment for the customer and used to authenticate with the Lime-newsletter API.

Actions

  1. Make sure the Webclient is enabled.
  2. The customer needs to set up a publicly available IP/hostname for us to use to connect to the on-premise Lime server.
  3. The integration doesn't require a hostname; an IP address is enough.
  4. The certificate for HTTPS does not have to be issued by a trusted CA, but it's recommended (self-signed certificates are supported).

  5. The customer's IT needs to allow HTTPS traffic (port 443) from at least the Newsletter environment through the firewall to the Lime server.

| Source IP | Destination IP | Destination Port | Description |
|---|---|---|---|
| any or 84.19.149.64/27 | IP from step 2 | 443 | Rule to allow traffic via the publicly available IP to the Lime server from any or the Newsletter environment |
  6. Some on-premise solutions also have a reverse proxy in front of their servers, which IT needs to configure as well to direct traffic through to the Lime Server.
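
To check that the firewall rule above is really limited to the Newsletter environment, the reverse proxy or web server access log can be audited for requests from any other source. The script below is an added example, not part of the Lime product or its documentation; the log layout (common log format), the request paths and the sample lines are assumptions constructed for illustration, and only the 84.19.149.64/27 range comes from this page.

```python
import ipaddress
import re

# Newsletter environment source range, taken from the firewall rule on this page.
NEWSLETTER_NET = ipaddress.ip_network("84.19.149.64/27")

# Assumed log layout (common log format): client IP first, then request and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
84.19.149.70 - - [01/Jan/2024:10:00:00 +0000] "GET /example/path HTTP/1.1" 200 512
84.19.149.96 - - [01/Jan/2024:10:00:05 +0000] "GET /example/path HTTP/1.1" 401 0
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "POST /example/path HTTP/1.1" 200 128
not a log line
"""


def audit(log_text):
    """Return (unexpected, unparsed): hits from outside the Newsletter range, and bad lines."""
    unexpected, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)  # keep unparsable lines visible instead of dropping them
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            unparsed.append(line)  # first field was not an IP address
            continue
        if src not in NEWSLETTER_NET:
            unexpected.append((str(src), m.group("request"), int(m.group("status"))))
    return unexpected, unparsed


if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for ip, request, status in hits:
        print(f"outside {NEWSLETTER_NET}: {ip} {request!r} -> {status}")
    print(f"{len(bad)} unparsed line(s)")
```

Any hit reported here means the Lime server is reachable from outside the Newsletter range, that is, the rule's source is effectively "any"; a successful status on such a line deserves a closer look at which API-key was used.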