When it comes to On-premise deployment there are 3 types of the network topology which you may want to consider:

1. Close System

Claromentis is installed within the internal network, access to Claromentis can only be established within the internal network or from the outside network using VPN.

This configuration allows you to maintain Claromentis as part of internal network such as the implementation of Microsoft NTLM  and control its security just like any other in-house system located within your Internal Network.

Please be aware that this configuration reduces the flexibility of access from outside world as VPN access often cumbersome slow, and hard to configure on Mobile apps.

2. HTTPS Direct Traffic

Access from the outside world (The Internet) is allowed by direct connection to HTTPS port (443) allowing users who are not located within the Internal Network can access Claromentis from the outside world.

This configuration allows Microsoft NTLM authentication protocol to be used within the network, while users accessing from the outside has to be authenticated.

Users accessing from the outside network has to be authenticated first and access from mobile requires users to enter username and password on the app (including domains)

3. DMZ or Reverse Proxy

Placing a load balance server or a reverse proxy server into the DMZ or demilitarized zone (often referred to perimeter network) allows external facing access to Claromentis while keeping the rest of the network secure within Internal Network.

Since the load balance or the reverse proxy is located outside the internal network please consider your network configuration if you are using Microsoft NTLM. 

Implementing SSO (Single Sign On) via Cloud Azure (Gallery app) or Simple SaML prototol is ideal for this type of configuration. Read more about Integrating Identity Providers (SSO)