# On-prem agent installation using Windows package
PREREQUISITES
You must create an on-prem group before you can set up an on-prem agent.
# Install an on-prem agent
Complete the following steps to create an on-prem agent (OPA) for a Windows operating system (OS):
Sign in to your Workato account. The Orchestrate platform displays by default.
Go to Tools > On-prem groups and select the group where you plan to add an agent.
Click Add agent. The Add agent dialog opens.
Provide an Agent name, use the Operating system drop-down menu to select Windows, and then click Next.
Select Windows as your operating system
Click Download installer and click Next.
Click Download agent package
Run the installer. The installer stores the agent in C:\Program Files\Workato Agent
, creates a Workato group in the Start menu, and installs a Windows service called Workato on-prem agent
by default.
OPA WINDOWS SERVICE USER ACCOUNTS
From OPA version 2.18.0 onwards, the Workato OPA Windows service user account is set to Local Service
instead of Local System
, which was used in previous versions.
Complete the following steps to access the settings of an OPA Windows service user account:
Press Win + R
, type services.msc
, and press Enter
.
Go to the Services window and locate the agent.
Right-click the agent and select Properties
Copy and paste the Activation command from Workato when prompted. The code is valid for one hour. Click Regenerate code to generate a new code if it expires.
Alternatively, you can select Activate agent manually and activate the OPA after installation by starting the Workato on-prem agent Windows service or using the activation script, depending on your setup.
Copy and paste the Activation command
ALLOW TRAFFIC TO WORKATO FROM YOUR SERVER
Ensure traffic to Workato is allowed from your server to use OPA. Refer to security allowlists to add Workato to your allowlist.
Return to Workato and click Next.
Click Test agent to confirm that your on-prem agent is working as expected.
Test the on-prem agent
Click Done to complete the installation.
# Security
From OPA version 2.18.0 onwards, the OPA Windows service runs under the Local Service
system account by default. You can alter this account to better match your security requirements, for example, by running it under a domain user account with dedicated privileges.
It is extremely important to restrict access to the OPA conf
folder. This folder contains a private key: cert.key
. Ensure you protect this file from unauthorized access. Workato does not have access to your private key.
The conf
folder also contains a config.yml
file where you can configure options and connection properties if you are not using cloud profiles. Ensure you protect this file from unauthorized access.
# How to set permissions
Complete the following steps to protect the OPA's conf
folder:
Right-click the conf
folder and select Properties.
Go to the Security tab.
Click Advanced and remove any unnecessary explicit or implicit access to the conf
folder.
Explicitly allow Read access to the conf
folder for the LOCAL SERVICE
system account (or the account assigned to run OPA as a Windows service).
OPA conf directory permissions
Click Apply, then OK.
Last updated: 5/21/2025, 5:22:32 AM