App Suite Security

Publicly exposed interfaces

All APIs that are exposed to the external network are limited to user-level privileges in the context of an authenticated and authorized session via the HTTPS protocol.

All communication from and to the users client is purely based on HTTP, there are no proprietary protocols and no UDP based protocols involved in the communication. It is strongly recommended to use only encrypted HTTP. HTTPS communication can be terminated at OX App Suite workloads or the load-balancer managing ingress traffic. The latter requires that the network between the load-balancer and OX App Suite workloads is considered secure.

OX App Suite workloads should not be exposed to external networks as an additional security measure. From a functional perspective, it is sufficient if the load-balancing system that handles ingress traffic is publicly exposed.

HTTP API

OX App Suite middleware contains a HTTP and HTTPS server implementation based on Grizzly, which offers limited configuration and is not a stand-alone web server. It offers a JSON based HTTP API is the one and only API exposing all user functionality to the external network. The same API can be used to integrate with third-party solutions.

Microsoft Exchange Active Sync

The "OXtender for Business Mobility" is a server-based Active Sync Implementation. The "Microsoft Exchange Active Sync" protocol supports push via HTTPS, therefore the E-Mail backend needs to send push events to OX App Suite middleware. Server side, the synchronization makes use of the "Universal Sync Module", which is a middleware bundle containing the synchronization logic for several clients. This component communicates internally via a second JSON/HTTP based API with the OX App Suite middleware workload.

DAV protocols

CalDAV and CardDAV interfaces are available to synchronize calendars and address books with macOS, Android, iOS and other clients implementing these protocols. A WebDAV implementation provides the possibility to access the content of OX Drive directly via any WebDAV client, like the Windows Explorer.