New install of 11.1.200 on 2019 Server issue with EpicorData folder

Has anyone run into an issue with the RL11.1.200 ISO installer not creating the EpicorData folder during a new installation? I have made several attempts to install on a new 2019 server and it just fails to create. Support has not been helpful and just wants me to create it manually and share to 'Everyone" without any security suggestions. Of course that will work but I would like it to be working correctly (with the proper security), not just working so they can close the ticket.

I have always created it manually, I didn’t even realize it was supposed to get created automatically…

It needs to be shared with all Epicor users, so if you have an AD group for that you could use that instead of Everyone.

I think everyone needs read and write to most subfolders. The CustomReports subfolder is the only one I’ve put extra security on because that’s where any legacy Crystal .rpt files live.

I’ve also seen a group policy put in place that prevents users from browsing to shared folders in File Explorer (when you type in \servername\EpicorData).

1 Like

If you’re really interested in tighter security, there isn’t any absolute reason to have File Share access to your Epicor server. In fact, this is how the SaaS users have operated for years. There are only two concerns that one has to deal with:

  • Downloading Files like Logs, etc.
  • Downloading the Client

Downloading Files

For quite awhile, Epicor has provided a program to download files from the EpicorData folder:

image

It restricts the User folder to the logged in user.

Client Deployment Folder

It is possible to expose the Client Deployment Folder as a web site and download the files via https. This is how SaaS distributes the .NET client. Of course, in the next few years, this will become less of of an issue as people move to the browser.

Tom brings up Crystal and we didn’t use it in the Public Cloud so I’m not sure if that’s still a complication.

1 Like

Interesting. I’ve done installs on prem since Vantage 6 and never remember creating it. I ended up copying our live system sharing and security specs on this new system to get it going and start testing. (this also includes local IIS_IUSRS R/W) We do still have some special rules on the crystal folder to prevent browsing that I included also.

I was hoping to get some additional input from support on the actual requirements but they were not that interested. Guess I just miss the ‘old days’ when Ben Nixon or the like would jump on the phone and give you all the answers plus additional info you didn’t know you needed at the time.

That’s what epiusers is for now :slight_smile:

I’ve only been doing installs since 10.2 so maybe creating the folder automatically is something they stopped doing recently?

2 Likes

I just did an K2021.2 fresh install and it created the EpicorData folder. :man_shrugging:

image

This one Mark?
image

Yep.

What Server OS?

Windows Server 2019

Son of a … :zipper_mouth_face:

It’s standalone and not on a domain for what that is worth… I have two Hyper-V VMs (App/DB) running under Win10.

Mine’s added to the domain on two HV VMs (App/DB) on 2016 servers. Doesn’t make sense.

@Mark_Wonsil , were you able to specify the drive that the Epicor Data folder was on or did it put it on C?

I keep trying to figure out how to adjust this… I want it on D: but it’s on C:…

Is it in the webconfig?

That’s the truth about the Good ole days! Ben was the best!

2 Likes

It’s on the system agent… I knew it to be somewhere familiar. I always forget this spot.

Also, if you have two app servers this field on the system agent can be different… I wonder where this value is stored if not in the database.

image

I ended up manually creating it on D:, created the permissions, and made it shared to use in the sys agent path.

1 Like

Nice, me too, thanks for sharing so that I could be successful!

(On vacation, sorry for the late reply)

I have to be honest, from a Zero Trust perspective, I prefer not to have the Epicor system running on an AD domain at all, which segments the asset. AD uses a trust model and this can be exploited. This also means SMB access is out. Obviously it can be done since this is how SaaS runs but I believe the biggest hurdle is if one is still running Crystal Reports.

That said, I think Epicor may be tightening up security and not using the traditional file share service. I don’t see the share via the \server\EpicorData when browsing to the server anymore. Obviously, it’s there since client upgrades are still running. :person_shrugging:

1 Like