The Freshworks On-Prem Connector lets cloud-hosted Freshservice and Freshdesk reach systems inside your network without exposing them publicly. It is essential for AD/LDAP discovery, on-prem CMDB sync, and legacy ITSM bridging.
When you need it
- Active Directory user sync without ADFS
- SCCM, Lansweeper, or other agent-based asset discovery
- On-prem databases (Oracle, SQL Server) feeding ticket context
- Legacy ITSM systems being phased out incrementally
Architecture
The connector runs on a Windows or Linux host inside your network. It establishes an outbound TLS connection to Freshworks, polls for jobs, executes them against on-prem systems, and returns the results. No inbound firewall rules are required.
[Freshservice cloud] ←TLS:443← [Connector host] → [AD, CMDB, DB]
Sizing
For an organization of 5,000 endpoints with daily AD sync and asset discovery:
- 4 vCPU, 8 GB RAM
- Windows Server 2019+ or Ubuntu 22.04+
- Service account with read access to AD and CMDB
- Outbound 443 to *.freshworks.com
Run two connectors behind a load policy for HA. The platform handles failover transparently.
Common failure modes
- Service account password rotation breaking AD sync silently
- Local time skew greater than 5 minutes causing TLS handshake failures
- Antivirus quarantining the connector binary after auto-update
- Firewall whitelist drift after a network team change
Sync schedules
Default AD sync runs hourly. For 50k+ users, switch from full sync to delta sync in the connector configuration JSON:
{
  "ad_sync_mode": "delta",
  "delta_lookup_attribute": "uSNChanged",
  "interval_minutes": 30
}
Monitoring
The connector exposes a local health endpoint on localhost:8443/health. Wire it to your existing monitoring (Datadog, Prometheus). Do not rely solely on the Freshworks admin dashboard; it lags real-time by minutes.
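One way to wire the health endpoint and two of the failure modes listed above (clock skew, firewall allowlist drift) into Prometheus, as an added example that is not Freshworks code. Assumptions: the `https` scheme on the health URL, HTTP 200 meaning healthy, the placeholder upstream hostname, and the metric names, none of which come from the original page.

```python
import email.utils
import time
import urllib.error
import urllib.request

HEALTH_URL = "https://localhost:8443/health"  # ASSUMPTION: scheme; page gives only host:port/path
UPSTREAM_URL = "https://YOUR-ENDPOINT.freshworks.com/"  # PLACEHOLDER under *.freshworks.com
MAX_SKEW_S = 5 * 60  # page: skew above 5 minutes causes TLS handshake failures


def fetch(url, timeout=5):
    """Return (status, Date header, error); never raises on network failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Date"), ""
    except urllib.error.HTTPError as exc:  # a non-2xx reply still proves the path is open
        return exc.code, exc.headers.get("Date"), ""
    except OSError as exc:  # refused, timeout, DNS, TLS failure (URLError is an OSError)
        return None, None, str(getattr(exc, "reason", exc))


def clock_skew_seconds(date_header, local_epoch):
    """Absolute gap between the local clock and an HTTP Date header, or None."""
    try:
        remote = email.utils.parsedate_to_datetime(date_header)
    except (TypeError, ValueError):  # missing or unparseable header
        return None
    return abs(local_epoch - remote.timestamp())


def render_metrics(health_status, upstream_status, skew_s):
    """Prometheus exposition text. ASSUMPTION: HTTP 200 from /health means healthy."""
    # Unknown skew (upstream unreachable) is reported as not ok; alert on both gauges.
    skew_ok = skew_s is not None and skew_s <= MAX_SKEW_S
    lines = [
        f"freshworks_connector_health_up {int(health_status == 200)}",
        f"freshworks_connector_upstream_reachable {int(upstream_status is not None)}",
        f"freshworks_connector_clock_skew_ok {int(skew_ok)}",
    ]
    if skew_s is not None:
        lines.append(f"freshworks_connector_clock_skew_seconds {skew_s:.0f}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    health_status, _, health_err = fetch(HEALTH_URL)
    upstream_status, upstream_date, upstream_err = fetch(UPSTREAM_URL)
    skew = clock_skew_seconds(upstream_date, time.time())
    print(render_metrics(health_status, upstream_status, skew), end="")
    for name, err in (("health", health_err), ("upstream", upstream_err)):
        if err:
            print(f"# {name} probe error: {err}")
```

Run it from cron or a systemd timer on each connector host and redirect the output to a `.prom` file in the node_exporter textfile-collector directory, then alert on any gauge dropping to 0.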
What to do this week
Inventory which integrations require on-prem access, deploy two connector instances for HA, switch AD sync to delta mode, and add the local health endpoint to your monitoring.