Subscription note: The Access Control integrations were available on our Legacy Workplace Premium plan. Our current Workplace plan requires an Enterprise platform for access to Presence.
Overview
Envoy’s secure on-prem client provides an alternative to configuring firewall rules or whitelisting IP addresses and ports to connect your access control system (ACS). Instead of allowing inbound traffic into your network, the client runs locally alongside your ACS and establishes a secure, outbound connection to Envoy.
This approach reduces firewall exposure, avoids ongoing IP allowlist maintenance, and is often preferred in environments with strict security or compliance requirements. Once paired, the client securely handles communication between Envoy and your on-prem access control system without requiring additional network configuration.
Step 1: Begin to install your access control integration
Before configuring any on-premise settings, you must begin the process of setting up the ACS on the Envoy dashboard.
At this time, we support the following systems:
Each ACS has a slightly different configuration flow. On all configurations, skip whitelisting the listed IP addresses. This is not necessary since we'll be establishing a secure connection through our on-premise client.
Continue through the API Access step on all systems.
Netbox by Lenel S2: Continue through step 1
Kantech: Continue through step 2
C-Cure 9000: Continue through step 1
Net2 by Paxton: Continue through step 2
AEOS by Nedap: Continue through step 2
Genetec Security System: Continue through step 2
Cisco ISE: Continue through step 1
Access It!: Continue through step 1
Pro-watch by Honeywell: Continue through step 1
The configuration of specific access points and access levels relies on a working connection between Envoy and your ACS. You'll need to complete the initial setup steps, then return to finish configuration once the on-premise connection is established.
Step 2: Download Envoy's on-premise client
Once the integration is installed on the Envoy dashboard, we can download the client to establish the connection to your on-premises server.
Navigate to Integrations > Settings, then click Enable next to Secure on premise client download.
Select your Operating System and Platform architecture from the dropdown menus. This will generate a SHA-256 hash that you can use to verify the integrity of the download. Click Download to retrieve the diplomat-client.exe.
Once downloaded, open this file on your machine in a terminal window. You will see a temporary pairing code. We'll use this in the next step.
(Optional) Verify the integrity of the download:
Hover over the i icon to reveal download links for the public key and hash signature. Download these packages.
Install OpenSSL if not already installed.
Open a terminal or command prompt.
Navigate to the folder where you downloaded the files.
Run the following command to verify the signature over the client's SHA-256 digest.
openssl dgst -sha256 -verify public_key.pub -signature hash.signature diplomat-client
You should see a "Verification successful" message indicating the signature is valid.
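The same check can be scripted so that the client is only run if verification passes. This is an added example, not Envoy's own tooling: a shell function that compares the file's SHA-256 with the hash shown on the dashboard and then verifies the signature. The function name verify_download and its argument order are assumptions; the file names follow the command above.

```sh
#!/bin/sh
# Added example (not Envoy tooling): fail-closed check of the downloaded client.
# verify_download is a hypothetical helper name.
#
# Usage:
#   verify_download diplomat-client "<SHA-256 from the dashboard>" \
#       public_key.pub hash.signature && echo "OK to run"
#
# Exit status: 0 = hash and signature both valid, 1 = mismatch, 2 = missing input.
verify_download() {
    file=$1; expected=$2; pubkey=$3; sig=$4

    for f in "$file" "$pubkey" "$sig"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # 1. Compare the local SHA-256 with the hash displayed on the dashboard.
    #    "openssl dgst -r" prints "<hex> *<file>"; keep only the hex digest.
    actual=$(openssl dgst -sha256 -r "$file" | cut -d' ' -f1)
    # Normalise the pasted value: lower-case, no spaces or line endings.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d ' \r\n')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch: computed '$actual'" >&2
        return 1
    fi

    # 2. Verify the signature with the downloaded public key.
    #    Require both a zero exit status and OpenSSL's "Verified OK" output,
    #    so a failed check can never be mistaken for success.
    if out=$(openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$file" 2>/dev/null) \
        && [ "$out" = "Verified OK" ]; then
        return 0
    fi
    echo "signature verification failed" >&2
    return 1
}
```

The hash comparison only helps if the expected value is copied from the dashboard itself, not from a file stored next to the download.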
Step 3: Establish a connection
Once you have the diplomat client downloaded and open on your machine, you need to establish the connection with your ACS provider.
Next to Secure on-premise client configuration, click Edit.
This will show any existing connections and their status. Click Pair client to establish a new connection.
Select your Integration from the dropdown menu.
Enter your Pairing code shown in your terminal window.
Paste your Internal URL, then click Pair client.
The internal URL should be provided either by your internal IT team or taken from the local installation of your integration. It follows a standard URL pattern: [protocol]://[host/ip]:[port]. Accepted protocols are HTTP and HTTPS. When no port is provided, the default port (80 for HTTP, 443 for HTTPS) will be used.
Once successful, the integration will be listed under Secure on-premise clients, along with its status.
In your terminal window, you will also see a "Successfully established WebSocket connection" message.
You can set up connection alerts by toggling these settings on, as detailed here.
Step 4: Finalize integration configurations
Now that Envoy is connected to your ACS, you can continue with the additional configuration options.
Step 5: Test your connection
Before welcoming any visitors or relying on employee badge data, it's recommended to test the entire workflow to confirm the connection is working as intended.
For Visitors, this means you should sign a visitor in using the Visitor log or Kiosk. You should see a success message on the right-hand side of the entry, along with a card number (if applicable).
The diplomat client will also show the corresponding request.
For Workplace auto sign-in, swipe/tap an employee badge on your card reader. The Access Log will populate badge event data, and an employee sign-in will be created in the employee log.












