Can't (completely) connect to servers in EAC

…at least not from my workstation. It works fine on the app server. It also used to work fine on my workstation, so I suspect either Windows firewall or our new AV.

When I try to connect to a server in EAC, the “Create New Session” window pops up that says it’s connecting to net.tcp:// etc. If I click through three or four “snap-in not responding” messages, I eventually get this error:

Creating an instance of the COM component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from the IClassFactory failed due to the following error: 800706ba The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)..

Then click through a couple more “not responding” messages, and I get here. I can access the appserver settings and configuration, and I can view users and sessions. But I can’t launch the task agent config (nothing happens), nor can I stop/start the pool (repeat of the error above).

I can disable the firewall and AV to test those, but it’s a pain so I figured I’d check if anyone recognizes the cause first.

Check out the New Installation Guide, section 2.3 Verify Windows Operating System Requirements, steps 3 through 6.

Maybe one of those ports or firewalls is no longer open.

Weird…that management service was not turned on for the Epicor server. It’s on now and I’ve enabled the Web Management Service rule, but it’s still hanging.

Interesting that after the explanation of what ports to open in the firewall, it states that the firewall must be disabled for remote administration. That sounds contradictory. Is remote administration frowned upon now?

Don’t know about that.

I always just use Remote Desktop to connect to the App Server, and then run EAC in the RDC session.

That’s how I’ve been doing it since it stopped working remotely, but it was certainly more convenient to run it on my own computer. However, if it only worked because we didn’t have firewalls turned on before, then I’ll live with the mild hassle.

If you’re using RDP, please make sure that your servers are patched. RDP is becoming a very attractive target these days and an exploit kit was released for the BlueKeep vulnerability so even script kiddies can attack your system.

From: Ransomware has evolved into a serious enterprise threat | Computer Weekly


Follow best RDP practices like:

In the light of these findings, Samani said organizations should:

  • Question whether externally accessible RDP is an absolute necessity;
  • Consider how to secure RDP if the organization is absolutely reliant on it, such as for IP address filtering.

Where RDP is indispensable, Samani said organizations should follow best practices of basic cyber security hygiene to improve RDP security by:

  • Not allowing RDP connections over the open internet;
  • Using a virtual private network (VPN) for remote user access;
  • Using complex RDP passwords to reduce the likelihood of successful brute-force attacks;
  • Using multi-factor authentication (MFA);
  • Using an RDP gateway to simplify RDP management;
  • Using a firewall to restrict access;
  • Enabling restricted admin mode so that no credentials are stored on the RDP server;
  • Enabling enhanced RDP security to implement encryption and server authentication;
  • Enabling network level authentication (NLA);
  • Restricting access to RDP to only those who need it;
  • Minimizing the number of local administrator accounts;
  • Ensuring that local administrator accounts are unique;
  • Limiting domain administrator account access;
  • Wherever possible placing RDP servers within a demilitarized zone (DMZ) or other restricted area of the network;
  • Using an account-naming convention that does not reveal organizational information.
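A read-only audit for several of the items in that list, added here as an example and not taken from the thread or the Computer Weekly article. It assumes it is run elevated on the RDP host with the NetSecurity and Microsoft.PowerShell.LocalAccounts modules available (Windows Server 2012 R2 / PowerShell 5.1 or later); the registry values it reads are the standard Terminal Server and Lsa settings, and the pass/fail thresholds are the script's own assumptions.

```powershell
# Added audit script (not from the thread): reports whether a Windows RDP host matches
# several of the hardening items listed above. Read-only; run elevated on the server.
$wsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue($Path, $Name, $Default) {
    # Returns the registry value, or $Default when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return $item.$Name }
}

$findings = @()

# Network Level Authentication: UserAuthentication = 1 requires NLA before a session is created.
$nla = Get-RegValue $wsPath 'UserAuthentication' 0
$findings += [pscustomobject]@{ Check = 'NLA required'; Pass = ($nla -eq 1); Value = $nla }

# Enhanced RDP security: SecurityLayer 2 = TLS with server authentication; 0 = legacy RDP security.
$sec = Get-RegValue $wsPath 'SecurityLayer' 0
$findings += [pscustomobject]@{ Check = 'TLS security layer'; Pass = ($sec -eq 2); Value = $sec }

# Encryption: MinEncryptionLevel 3 = High (128-bit), 4 = FIPS-compliant.
$enc = Get-RegValue $wsPath 'MinEncryptionLevel' 0
$findings += [pscustomobject]@{ Check = 'High/FIPS encryption'; Pass = ($enc -ge 3); Value = $enc }

# Restricted Admin mode: DisableRestrictedAdmin = 0 enables it (admin credentials stay off the host).
$ra = Get-RegValue $lsaPath 'DisableRestrictedAdmin' 1
$findings += [pscustomobject]@{ Check = 'Restricted Admin mode'; Pass = ($ra -eq 0); Value = $ra }

# Firewall scoping: enabled inbound Remote Desktop rules should not accept connections from 'Any'.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
$findings += [pscustomobject]@{ Check = 'RDP rules scoped (not Any)'; Pass = (-not $openRules); Value = @($openRules).Count }

# Local administrators: listed for review so unnecessary or shared accounts can be spotted.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$findings += [pscustomobject]@{ Check = 'Local admin members'; Pass = 'review'; Value = ($admins -join ', ') }

$findings | Format-Table -AutoSize
```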

I’m in a remote office, not connected to the LAN. Does a VPN connection still count as “over the internet” ??

Edit: whoops, should have read the second bullet before hitting reply.

I’m in the same office as my server. I’ll check with my MSP on any of these that apply, though.

From what I’m hearing, VPN might be replaced with Software Defined Perimeters. Instead of basing security on a trusted IP, you first log in with some role and THEN the system creates a route to resources in your network that you have access to and no others. More info: