Connecting Apps to an on-premises Orchestrator instance

UiPath^® Apps cloud does provide means to connect to an on-premise deployed version of UiPath^® Orchestrator (19.10 and later) to help leverage the power of RPA to help drive rich app experiences.

For more information on data flow between Apps and Orchestrator, see Hybrid data flow diagram.

Integration Workflow

All connections to Orchestrator are made from a single place, the Apps Service application.
All calls to Orchestrator are authenticated calls in line with the security model exposed by Orchestrator. Please see the section about Authenticating.
Credential obtained from the user to talk to Orchestrator is used for all communication with Orchestrator both at design time when authoring the app as well as runtime when executing the app. The identity of the user who is designing or running the app itself has no bearing here.
- After initially obtaining the credential from the app designer, the credential is stored in the Apps backend with encryption at rest to enable seamless and uninterrupted design and runtime experience for all users of the app
Apps service sets up a secure webhook callback over HTTPS on process lifecycle events to help detect when processes start, stop, error out, etc. This follows the best practices mentioned in the About Webhooks page.
No process-related data is stored on the Apps backend. The only information that is persisted is metadata around the identity of the process/es that are being used by a specific app.
Apps can invoke both attended and unattended Orchestrator processes. An app designer can choose to run a process through the connected Orchestrator or directly on the local computer on which the app is running using UiPath^® RobotJS.

In the local robot scenario, process execution is invoked from the browser to the locally running robot and communication does not leave computer boundaries.
In the process execution via Orchestrator option, the complete lifecycle of the process is managed by Orchestrator, and UiPath^® Apps plays no role in the same other than listening to process lifecycle events using the webhook callback.

Allowing UiPath^® Apps to Access an On-Premise Orchestrator

The Apps service uses the outgoing IPs for all external communications:

20.103.103.104/30
20.82.230.132/30
52.226.216.100/30
52.149.31.132/30
20.103.172.28/30
20.82.205.104/30
20.92.155.132/30
20.70.73.28/30
20.116.168.240/30
52.229.69.80/30
20.63.171.100/30
104.215.23.28/30
52.175.22.152/30
20.198.201.136/30

Traffic from this IPs needs to be allowed through the Organization DMZ firewall and any other intermediate firewalls including the firewall on the computer/s in which Orchestrator application is hosted.

The associated port on which Orchestrator application is hosted needs to be exposed through the DMZ on all relevant firewalls (see the previous point)
An Orchestrator user who has read and execute access to relevant processes whose credential will be used from UiPath^® Apps to talk to Orchestrator
If using local robot process execution through RobotJS, please ensure RobotJS is properly configured using instructions provided at RobotJS.

Best practices

Ensure that the On-Premise hosted Orchestrator is only accessible through a secure HTTPS channel
Create a low privilege user in Orchestrator that only has read and execute access to just the desired processes/folders and use that for the integration.

Validating the Configuration

Apps Designer says unable to connect to Orchestrator

Are the UiPath^® Apps outgoing IPs allowlisted?
Is the Orchestrator port allowlisted?
Is the correct URL with the port being used in the Orchestrator URL field?
Has it been confirmed that the credentials provided when connecting to Orchestrator are correct?
Do the credentials provided have the permissions to list/run folders and processes?

Apps Designer shows no processes or wrong processes

Does the user whose credential was configured during App Design have read access to the folder in which the desired processes reside?

When previewing an App and/or running an app and invoking a process, there is an error

Are the UiPath^® Apps outgoing IPs still allowlisted?
Is the Orchestrator port still allowlisted?
Does the user whose credential was configured during App Design still exist?
Does the user whose credential was configured during App Design still have the same credentials?
Does the process and the exact version that is executed still exist in Orchestrator in the same folder or anything has changed?
If running processes locally, is RobotJS configured correctly, and is able to properly handshake with the robot?
Has the process being executed on the local robot been downloaded to the robot prior to executing the same through the app?
Does the user whose credential was configured during App Design have to execute access to the process?

Unsupported Scenarios

Connecting UiPath^® Apps with an on-premise Orchestrator with custom self-signed certificates is not supported.

A secure connection (HTTPS) between UiPath^® Apps and Orchestrator is needed for mutual authentication to work properly. To achieve this secure connection, both parties must trust each other's certificates. For this to happen, either of the following conditions must be satisfied:

Both parties should have certificates obtained from standard Certificate Authorities (CA), such as Google, VeriSign, or others. UiPath^® cloud products already have this, so nothing needs to be done on this part. This needs to be done for on-premise product deployments.
If the on-premise deployment uses an internal or self-signed certificate, the connection will not work. For that, the certificate has to be added to the trusted root of the other party. Note that this cannot be done for UiPath^® cloud products, as no custom certificates can be added to the UiPath^® cloud systems.

On this page