OpenClaw on Windows Server 2022: Enterprise Deployment with NSSM and IIS (2026)
Who This Guide Is For: IT administrators and enterprise developers who want to deploy OpenClaw on Windows Server 2022 in a production environment. This guide covers deploying OpenClaw as a proper Windows Service using NSSM, setting up an IIS reverse proxy for HTTPS access, configuring Windows Firewall rules, and integrating with Active Directory environments. Estimated setup time: 45–60 minutes.
Why Deploy OpenClaw on Windows Server 2022?
Many organizations already have Windows Server infrastructure — either on-premises or on Azure. Deploying OpenClaw on Windows Server 2022 allows organizations to leverage existing investments in Windows administration tooling, Group Policy management, Active Directory authentication, and Windows Event Log monitoring — all without the overhead of introducing a new Linux server into a Windows-centric environment.
Windows Server 2022 is particularly well-suited for OpenClaw deployment due to several improvements: the enhanced security baseline (Secured-Core Server), built-in support for TLS 1.3, improved Windows Subsystem for Linux (WSL2) integration, and Azure Arc compatibility for hybrid cloud management. All of these benefit an OpenClaw deployment in an enterprise context.
Windows Server 2022 vs Windows 11 for OpenClaw
Windows Server 2022
- ✅ No user login required to run
- ✅ Group Policy management
- ✅ Windows Event Log integration
- ✅ Dedicated server hardware
- ✅ Multiple concurrent users
Windows 11 Desktop
- ✅ Simpler setup
- ✅ Built-in UI tools
- ❌ Requires user login
- ❌ Not enterprise-managed
- ❌ Lower reliability SLA
Prerequisites and Initial Server Setup
Before installing OpenClaw, ensure your Windows Server 2022 environment meets these requirements:
Operating System: Windows Server 2022 Standard or Datacenter (both work). Windows Server 2019 is also compatible if you have not upgraded yet, though 2022 is recommended for its security improvements.
Hardware: Minimum 4GB RAM (8GB+ recommended), 50GB free disk space, reliable network connection. A dedicated service account for OpenClaw is strongly recommended over running as SYSTEM or Administrator.
Network: Outbound HTTPS (port 443) to api.anthropic.com must be allowed through your corporate firewall. If your organization requires proxy authentication for internet access, you will need to configure OpenClaw's proxy settings in the config file.
Windows Updates: Ensure the server is fully patched. Windows Server 2022 with all updates has the best TLS 1.3 support, which is important for Claude API connectivity stability.
Open PowerShell as Administrator and enable the execution policy for scripts (required for the installation steps):
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
# Install Chocolatey package manager (if not already installed)
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Step 1 — Install Node.js 22 via Chocolatey
Install Node.js 22 LTS using Chocolatey. This installs Node.js system-wide, which is the correct approach for a Windows Server deployment (unlike the user-scoped nvm approach on desktop systems):
choco install nodejs-lts --version=22 -y
# Reload PATH
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
# Verify installation
node --version # Should show v22.x.x
npm --version # Should show 10.x.x
Alternatively, download the Node.js 22 Windows Installer (.msi) directly from nodejs.org and run it with administrative privileges. Choose the option to "Automatically install the necessary tools" during installation.
Step 2 — Install and Configure OpenClaw
Install OpenClaw globally using npm (run in an Administrator PowerShell window):
npm install -g openclaw
# Verify installation
openclaw --version
Create a dedicated directory for OpenClaw's data files on a non-system drive if available (to keep OS drive usage minimal):
mkdir C:\OpenClaw
mkdir C:\OpenClaw\data
mkdir C:\OpenClaw\logs
# Set environment variable for OpenClaw home directory
[System.Environment]::SetEnvironmentVariable("OPENCLAW_HOME", "C:\OpenClaw\data", "Machine")
Run the onboarding wizard to configure your Claude API key, agent persona, and messaging channel. For enterprise deployments, running OpenClaw from an Administrator PowerShell window ensures the wizard can write to the configured data directory:
$env:OPENCLAW_HOME = "C:\OpenClaw\data"
openclaw onboard
# Follow the interactive wizard
# When complete, test manually:
openclaw start
# Send a Telegram message to verify — then Ctrl+C to stop
Step 3 — Create a Windows Service with NSSM
NSSM (the Non-Sucking Service Manager) is the standard tool for converting any command-line application into a proper Windows Service. Unlike the Windows built-in SC command, NSSM handles stdout/stderr redirection, automatic restarts, and environment variables elegantly. It is widely used in enterprise environments and has been maintained for over 15 years.
Install NSSM via Chocolatey:
choco install nssm -y
# Verify installation
nssm --version
Create the OpenClaw Windows Service:
# Get the full path to node.exe
$nodePath = (Get-Command node.exe).Source
# Get the full path to openclaw binary
$openclawPath = (Get-Command openclaw.cmd).Source
$openclawJsPath = "$env:APPDATA\npm\node_modules\openclaw\bin\openclaw.js"
# Create the service using NSSM
nssm install OpenClawAgent "$nodePath" "$openclawJsPath start"
# Configure service settings
nssm set OpenClawAgent AppDirectory "C:\OpenClaw"
nssm set OpenClawAgent AppEnvironmentExtra "OPENCLAW_HOME=C:\OpenClaw\data" "NODE_ENV=production"
nssm set OpenClawAgent AppStdout "C:\OpenClaw\logs\openclaw.log"
nssm set OpenClawAgent AppStderr "C:\OpenClaw\logs\openclaw-error.log"
nssm set OpenClawAgent AppRotateFiles 1
nssm set OpenClawAgent AppRotateOnline 1
nssm set OpenClawAgent AppRotateBytes 10485760
nssm set OpenClawAgent Start SERVICE_AUTO_START
nssm set OpenClawAgent ObjectName "LocalSystem"
# Start the service
nssm start OpenClawAgent
# Verify it is running
nssm status OpenClawAgent
Get-Service OpenClawAgent
The AppRotateFiles and AppRotateBytes settings configure automatic log rotation when the log file reaches 10MB — essential for a production service that runs 24/7.
Service Account Best Practice
Running as LocalSystem has full privileges. For production environments, create a dedicated service account: CORP\svc-openclaw. Grant this account: Log on as a service right, read/write to C:\OpenClaw\, and outbound network access. Then replace nssm set OpenClawAgent ObjectName "LocalSystem" with nssm set OpenClawAgent ObjectName "CORP\svc-openclaw" "password".
Step 4 — IIS Reverse Proxy for HTTPS Access
If you want to expose OpenClaw's web interface over HTTPS within your corporate network (for example, so team members can access a shared agent via browser), you can use IIS as a reverse proxy in front of OpenClaw's internal port.
Install IIS with ARR (Application Request Routing) and URL Rewrite modules:
# Install IIS with required features
Install-WindowsFeature -Name Web-Server, Web-Http-Redirect, Web-Static-Content `
Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors `
Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter `
Web-Mgmt-Console -IncludeManagementTools
# Install ARR via Chocolatey
choco install iis-arr -y
# Install URL Rewrite via Chocolatey
choco install urlrewrite -y
Create a new IIS site for OpenClaw with a reverse proxy configuration. The following PowerShell script creates the site and adds the reverse proxy rule:
Import-Module WebAdministration
# Create site
New-WebSite -Name "OpenClaw" -Port 443 -HostHeader "openclaw.corp.local" `
-PhysicalPath "C:\OpenClaw\web" -Ssl
# Create web.config with reverse proxy rules
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxy" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:3000/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
'@
New-Item -Path "C:\OpenClaw\web" -ItemType Directory -Force
$webConfig | Out-File -FilePath "C:\OpenClaw\web\web.config" -Encoding UTF8
Step 5 — Windows Firewall Configuration
Windows Server 2022's enhanced firewall requires explicit rules for outbound connections to work correctly with OpenClaw. In corporate environments with strict egress filtering, you need to ensure the following connections are allowed:
✅ Required Outbound Rules
- • api.anthropic.com:443 — Claude AI API (primary requirement)
- • api.telegram.org:443 — Telegram bot API (if using Telegram)
- • npmjs.com:443 — For updating OpenClaw via npm
- • registry.npmjs.org:443 — npm package registry
Create outbound firewall rules using PowerShell:
# Allow OpenClaw node.exe outbound connections
$nodePath = (Get-Command node.exe).Source
New-NetFirewallRule -DisplayName "OpenClaw - Claude API" `
-Direction Outbound `
-Program $nodePath `
-Protocol TCP `
-RemotePort 443 `
-Action Allow `
-Profile Domain,Private
# Allow IIS inbound on 443 (if using IIS reverse proxy)
New-NetFirewallRule -DisplayName "OpenClaw - IIS HTTPS" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow `
-Profile Domain,Private
Step 6 — Windows Event Log Integration
Enterprise environments need centralized logging. NSSM automatically writes OpenClaw's stdout and stderr to file logs, but you can also configure OpenClaw to write important events to the Windows Event Log for integration with SIEM tools like Splunk, Microsoft Sentinel, or Windows Event Forwarding:
# Create a custom Event Log source for OpenClaw
New-EventLog -LogName "Application" -Source "OpenClawAgent"
# Write a test event to confirm it works
Write-EventLog -LogName "Application" -Source "OpenClawAgent" `
-EventId 1000 -EntryType Information `
-Message "OpenClaw Agent service started successfully"
# View OpenClaw events in Event Viewer
Get-EventLog -LogName "Application" -Source "OpenClawAgent" -Newest 20
For Group Policy-managed environments, create a GPO that monitors the OpenClaw service status and alerts if it stops unexpectedly. Use the Windows Server built-in Task Scheduler to create a task triggered by the OpenClaw service stopping, which sends an email alert via SMTP.
Why Every Enterprise OpenClaw Needs VPN07
Enterprise deployments of OpenClaw face unique networking challenges that VPN07 is specifically positioned to solve. Corporate networks often have multiple layers of filtering and inspection that can interfere with OpenClaw's API connectivity in unexpected ways.
The first challenge is corporate proxy authentication. Many enterprise environments route all outbound internet traffic through a Web Proxy with NTLM or Kerberos authentication. OpenClaw can be configured to use an HTTP proxy, but if the proxy performs SSL inspection (also called MITM proxying), it can break Claude API's TLS certificate validation, causing persistent connection failures. VPN07 bypasses this by establishing an encrypted tunnel that corporate SSL inspection cannot intercept.
The second challenge is API rate limiting by source IP. If multiple team members run their own OpenClaw agents all pointing to the same corporate network egress IP, Anthropic may apply rate limiting as if they are all the same user. VPN07 gives each server or deployment its own dedicated IP path, preventing rate limiting conflicts between users in the same organization.
Enterprise OpenClaw: With and Without VPN07
VPN07 provides a native Windows client that installs via Group Policy (MSI installer available), can be configured silently across multiple servers, and supports split tunneling to route only API traffic through the VPN while keeping internal corporate traffic on the local network. For enterprise IT teams, VPN07's central management and consistent performance across 70+ countries make it the natural choice.
VPN07's Windows Server client supports Windows Server 2022 natively and is certified compatible with all standard Windows firewall configurations. At just $1.5/month per deployment, VPN07 delivers 1000Mbps of dedicated bandwidth — the highest available in the industry for this price point. When comparing VPN07 to competitors, VPN07 is the only service offering both enterprise-grade performance and proven 10-year operational history at this price.
Installing VPN07 on Windows Server 2022
# Download and install VPN07 Windows Server MSI
$msiUrl = "https://vpn07.com/downloads/vpn07-win-server.msi"
Invoke-WebRequest -Uri $msiUrl -OutFile "C:\Temp\vpn07.msi"
Start-Process msiexec.exe -ArgumentList "/i C:\Temp\vpn07.msi /quiet /norestart" -Wait
# Connect to optimal server
vpn07 connect --auto
# Configure split tunneling (route only API traffic)
vpn07 split-tunnel --include api.anthropic.com api.telegram.org
# Verify connection
vpn07 status
VPN07: The Enterprise VPN for OpenClaw on Windows Server
1000Mbps · 70+ countries · Windows Server native · $1.5/month
VPN07 is the trusted network partner for enterprise OpenClaw deployments on Windows Server. With 1000Mbps dedicated bandwidth, native Windows Server client, split tunneling for corporate environments, and 10 years of proven reliability across 70+ countries, VPN07 eliminates corporate proxy interference, API rate limiting, and ISP throttling issues that plague enterprise AI deployments. At just $1.5/month per server with a 30-day money-back guarantee, VPN07 is the network investment that makes your enterprise OpenClaw deployment bulletproof.
Related Articles
OpenClaw on Windows 11: Beginners Install Guide 2026
Complete guide for installing OpenClaw on Windows 11 Home and Pro for individual users. Easier setup than Windows Server.
Read More →OpenClaw on Slack & Microsoft Teams Enterprise Setup
Connect your enterprise OpenClaw agent to Slack and Microsoft Teams for team-wide AI assistant access in corporate environments.
Read More →