# On-prem agent installation using Windows package

PREREQUISITES

You must create an on-prem group before you can set up an on-prem agent.

# Install an on-prem agent

Complete the following steps to create an on-prem agent (OPA) for a Windows operating system (OS):

Go to Tools > On-prem groups and select the group where you plan to add an agent.

Click Add agent. The Add agent dialog opens.

Provide an Agent name, use the Operating system drop-down menu to select Windows, and then click Next.

Select Windows as your operating system

Click Download installer and click Next.

Click Download agent package

Run the installer. The installer stores the agent in C:\Program Files\Workato Agent, creates a Workato group in the Start menu, and installs a Windows service called Workato on-prem agent by default.

OPA WINDOWS SERVICE USER ACCOUNTS

From OPA version 2.18.0 onwards, the Workato OPA Windows service user account is set to Local Service instead of Local System, which was used in previous versions.

Complete the following steps to access the settings of an OPA Windows service user account:

Press Win + R, type services.msc, and press Enter.

Go to the Services window and locate the agent.

Right-click the agent and select Properties

Copy and paste the Activation command from Workato when prompted. The code is valid for one hour. Click Regenerate code to generate a new code if it expires.

Alternatively, you can select Activate agent manually and activate the OPA after installation by starting the Workato on-prem agent Windows service or using the activation script, depending on your setup.

Copy and paste the Activation command Copy and paste the Activation command

ALLOW TRAFFIC TO WORKATO FROM YOUR SERVER

Ensure traffic to Workato is allowed from your server to use OPA. Refer to security allowlists to add Workato to your allowlist.

Return to Workato and click Next.

Click Test agent to confirm that your on-prem agent is working as expected.

Test the on-prem agent

Click Done to complete the installation.

# Security

From OPA version 2.18.0 onwards, the OPA Windows service runs under the Local Service system account by default. You can alter this account to better match your security requirements, for example, by running it under a domain user account with dedicated privileges.

It is extremely important to restrict access to the OPA conf folder. This folder contains a private key: cert.key. Ensure you protect this file from unauthorized access. Workato does not have access to your private key.

The conf folder also contains a config.yml file where you can configure options and connection properties if you are not using cloud profiles. Ensure you protect this file from unauthorized access.

# How to set permissions

Complete the following steps to protect the OPA's conf folder:

Right-click the conf folder and select Properties.

Go to the Security tab.

Click Advanced and remove any unnecessary explicit or implicit access to the conf folder.

Explicitly allow Read access to the conf folder for the LOCAL SERVICE system account (or the account assigned to run OPA as a Windows service).

OPA conf directory permissions

Click Apply, then OK.

Last updated: 5/21/2025, 5:22:32 AM