We value your privacy

We use cookies to personalize your use of our site. This includes third-party cookies for that we use for advertising and site analytics. See our Privacy Statement and Cookie Policy for more information on how we collect and use data.

Cookie Options
OK
Knowledge Center

Application Portal

Application Portal allows you to configure the connection settings of various applications so that you can directly access and run these applications (e.g. File Station) in independent browser tabs or windows.

Note:

  • You can edit access settings for applications like Audio Station, Download Station, Surveillance Station, Video Station, File Station, and many others.

Customize Aliases

You can assign an alias for each Synology-developed application like File Station. With the custom alias, you can quickly open the application via a specialized URL.

To customize application aliases:

  1. Go to Control Panel > Application Portal > Application.
  2. Select an application.
  3. Click Edit > General.
  4. In the pop-up window, select Enable customized alias and specify the alias.
  5. Click OK to save the settings.

Note:

  • Some applications have their default aliases: Audio Station (audio), Download Station (download), File Station (file), Surveillance Station (cam), and Video Station (video).
  • Alias names cannot be the same as those reserved for system, browsers, or used by other applications, and their number of characters must be limited within 2 to 20.
  • An alias can only be made up of mixed case letters, numeric characters, and two special characters (-) and (_).
  • An alias cannot start or end with either special character (-) or (_).

To access applications with aliases:

After you set up an alias for an application (e.g. File Station), you can quickly open the application by entering a URL in the following formats: http://DS_IP_OR_SERVER_NAME/ALIAS/ or https://DS_IP_OR_SERVER_NAME/ALIAS/

For instance, you can quickly access File Station via the URLs: http://192.168.xx.xx/file/ or https://MySynologyNAS/file/

Customize HTTP/HTTPS Ports

You can assign an HTTP/HTTPS port for each Synology-developed application like File Station. With the custom port, you can quickly open the application via a specialized URL.

To customize application HTTP/HTTPS ports:

  1. Go to Control Panel > Application Portal > Application.
  2. Select an application.
  3. Click Edit > General.
  4. In the pop-up window, select Enable customized port (HTTP) or Enable customized port (HTTPS).
  5. Specify a custom port number.

Note:

  • The range of port number can be from 1 to 65535.
  • The following ports cannot be used because they are reserved for system use:
    • 20, 21, 22, 23, 25, 80, 110, 137, 138, 139, 143, 199, 443, 445, 515, 543, 548, 587, 873, 993, 995, 3306, 3689, 5000, 5001, 5005, 5006, 5335, 5432, 6881, 8080, 7000, 7001, 8081, 9997, 9998, 9999, 50001, 50002
    • eMule default ports: 4662 (TCP), 4672(UDP)
    • FTP default port range: The actual range may vary depending on different models.

To access applications with HTTP/HTTPS ports:

After you set up HTTP/HTTPS ports for an application (e.g. File Station), you can quickly open the application by entering URLs in the following formats: http://DS_IP_OR_SERVER_NAME:HTTP_PORT or https://DS_IP_OR_SERVER_NAME:HTTPS_PORT

For instance, you can quickly access File Station via the URLs: http://192.168.xx.xx:7000 or https://MySynologyNAS:7001

To configure the certificate and TLS/SSL profile level for HTTPS ports:

After you set up an HTTPS port for an application (e.g. File Station), you can go to Control Panel > Security > Certificate and click Configure. Then find the service name in the format of Application_Name - HTTPS_PORT to configure the certificate used.

Also, you can go to Control Panel > Security > Advanced and click Custom Settings. Then find the service name in the format of Application_Name - HTTPS_PORT to configure the TLS/SSL profile level used.

For instance, if the HTTPS port of File Station is 7001, you can go to the two setting pages mentioned above and find the service under the name of FileStation - 7001 for further configuration.

Customize Domains

You can match a domain name with a Synology-developed application like File Station. With the custom domain, you can quickly open the application via a specialized URL.

To customize application domains:

  1. Go to Control Panel > Application Portal > Application.
  2. Select an application.
  3. Click Edit > General.
  4. In the pop-up window, select Enable customized domain.
  5. Specify a custom domain.
  6. For additional settings, you can select Enable HSTS or Enable HTTP/2 to suit your needs.

Note:

  • Before setting up this feature, you need to apply for domain names from domain providers so that users can access the service from the Internet.
  • Each domain name can only be used for one distinct application on your Synology NAS.
  • If the domain name does not exceed 15 characters in length and complies with the NetBIOS naming conventions, the system will register and broadcast the domain name automatically.
  • When you access applications via URLs that use domain names, you will go through the standard HTTP port (80) or the standard HTTPS port (443).
  • If you enable access control with certificate that is issued by Let's Encrypt, it may lead to certificate auto renew failure. If this situation happens, please disable access control first. Then, go to Control Panel > Security > Certificate, right-click one of the Let's Encrypt certificates you would like to renew and choose Renew certificate. After renewing certificate, you can re-enable access control.

To access applications via domains:

After you set up a domain (e.g. file.example.com) for an application (e.g. File Station), you can quickly open the application by entering a URL in the following formats: http://APP_DOMAIN or https://APP_DOMAIN

For instance, you can quickly access File Station via the URLs: http://file.example.com or https://file.example.com

If the domain name (e.g. FileFile) for an application (e.g. File Station) obeys the NetBIOS naming conventions, Windows users can access it on a Synology NAS in the same local network with a similar URL: http://FileFile or https://FileFile

To configure the certificate and TLS/SSL profile level for domains:

After you set up a domain for an application (e.g. File Station), you can go to Control Panel > Security > Certificate and click Configure. Then find the service name in the format of Application_Name - Domain to configure the certificate used.

Also, you can go to Control Panel > Security > Advanced and click Custom Settings. Then find the service name in the format of Application_Name - Domain to configure the TLS/SSL profile level used.

For instance, if the domain of File Station is file.example.com, you can go to the two setting pages mentioned above and find the service under the name of FileStation - file.example.com for further configuration.

To specify an access control profile:

After you set up an access control profile for an application (e.g. File Station), denied users will not able open the application by entering the specified URLs mentioned in this article.

  1. Go to Control Panel > Application Portal > Application.
  2. Select an application.
  3. Click Edit > General.
  4. In the pop-up window, click Enable access control and select an access control profile. For more information on how to create an access control profile, refer to Customize Access Control Profiles below.
  5. Click OK to save the settings.

Customize Reverse Proxy Rules

Your Synology NAS can act as a reverse proxy server that transfers requests from the Internet to devices in the local network. Reverse proxy rules can help you hide sensitive ports from potential threats as in the two scenarios below:

Scenario 1: Suppose the sensitive port is 80, which should not allow external access according to the firewall rule. You can set up a reverse proxy rule to allow trusted users from the Internet to reach the sensitive port 80 via another open port (e.g. 81). In this way, the trusted users can circumvent the firewall and still be able to access the port 80.

Scenario 2: Suppose the sensitive port is 80, which should not allow external access except from a specific device (e.g. a server named "MyTrustee"). With reverse proxy rules, you can allow only traffic from MyTrustee to reach the port 80 while traffic from other devices will not.

To set up reverse proxy rules:

  1. Go to Control Panel > Application Portal > Reverse Proxy.
  2. Click Create and specify the following settings in the General page:
    • Description: Specify a name that helps you identify the rule function.
    • Specify the rules for the Source (the device sending requests from the Internet) and Destination (the device in the local network):
      • Protocol: The HTTP or HTTPS protocols used by the source/destination
      • Hostname: The name of the source/destination device
      • Port: The port used by the source/destination device
      • Enable HSTS and Enable HTTP/2 (only for the source)
  3. To specify an access control profile, click Enable access control and select an access control profile. For more information on how to create an access control profile, refer to Customize Access Control Profiles below.

    4. Note:

    • Click WebSocket from the Create drop-down menu to fast create WebSocket function header to let reverse proxy support WebSocket.
  4. To adjust reverse proxy's other behavior, please go to Advanced Settings page.
    • Proxy connection timeout (sec.): Set the proxy time limit of connection to target server.
    • Proxy send timeout (sec.): Set the proxy time limit of request being sent to target server.
    • Proxy read timeout (sec.): Set the proxy time limit of waiting for target server to response.
    • Proxy HTTP version: Select the HTTP verison that is used to communicate between proxy server and target server.
    • Use the error page sent back by target server: When target server senting back error HTTP code, it will show target server's web error page after this option is ticked. Otherwise, it will show Synology NAS error page.
  5. Click OK to save the settings.

Customize Access Control Profiles

If you want to restrict user access to Application Portal or reverse proxies according the user's source IP, you can create an access control profile. Denied users will see an access denied page.

To create an access control profile:

  1. Go to Control Panel > Application Portal > Access Control Profile.
  2. Click Create. In the pop-up window, you can customize the rules in this new profile.
  3. Click Create to create a new rule. The rules will be applied according to top to bottom priority, determining the access permissions.
  4. Double click on a rule to edit it. To delete rules, select them and click Delete.
  5. Click OK to save the rule list as a new profile.
  6. Click on the name field of the profile to rename it.

Note:

  • If you leave the source hostname blank, the rule will be applied to all sources.
  • If you enable access control with certificate that is issued by Let's Encrypt, it may lead to certificate auto renew failure. If this situation happens, please disable access control first. Then, go to Control Panel > Security > Certificate, right-click one of the Let's Encrypt certificates you would like to renew and choose Renew certificate. After renewing certificate, you can re-enable access control.
  • If you want to apply whitlisting, you need to set up rules about denied sources, besides creating rules about allowed sources, to activate the rules.
    For instance, if only http://192.168.xx.xx is allowed, you need to
    1. Add http://192.168.xx.xx as the allowed source.
    2. Add a new rule and set it as "Deny".
Customize Aliases
Customize HTTP/HTTPS Ports
Customize Domains
Customize Reverse Proxy Rules
Customize Access Control Profiles