Working from home

No one else has brought this up?!

What are the options?

  1. VPN connection
  2. RDP connection (a CAL per user)
  3. EWA (Epicor through a web browser)
  4. Some of this REST magic
  5. Install the client on a home computer?

We have 1, 2 and 3 functional already. Number 4 is not set up and I can’t imagine the work to create your own entire ecosystem.

Number 5 is the big unknown for me. I have not been successful with it. Epicor is on-premises for us. I know single-sign-on would not work. I have a secondary app server using a Net.Tcp Endpoint binding of UsernameSSLChannel, which I thought was sufficient.

But when I try to log on outside of the network, I get the errors below. It still looks for a local (in-network) path, and not the address on the SSL certificate, like www.SomePublicURL.com. Can I just modify the config file? Or is there a different problem here?

How does this work for cloud users?

image

FYI, this app server does work inside the network for me.

It is not an easy setup, @JasonMcD; there are a few security issues that need to be considered before opening your local network to the outside world.

@A.Baeisa

Yeah and I’m not Jose. Wow.

I’m looking for a non-REST solution.

I am thinking of allowing RDC to each user's PC. Can any experts shed light on this idea?

Your .sysconfig file holds all of the paths to the server. SaaS users use the HttpsBinaryUsernameChannel or HttpBinaryAzureChannel for Azure AD login. The appServer URL points to your app server (https://server.name.in.certificate/EpicorInstanceName). The deployment server is an http location in Azure for SaaS users. For On-Prem users, it’s usually a file share.

You should be able to use your regular sysconfig with no changes when connected via VPN so your network shares are available to the end user.

1 Like

@A.Baeisa - We’re using RDC to allow home users to remotely access their PC in the office - everything works great and there is no confusing setup involved. They can’t print of course - but why should they!? :slight_smile: And as long as your internet connection at the office has enough bandwidth…

Also, we’re considered ‘essential’ so we’re doing a 50/50 rotation where 1/2 the folks are at home or at work on a given day, so the bandwidth for us is manageable.

1 Like

On-Prem:

I just VPN in and have the client on my laptop. Works.
Most others use Citrix, RDP.

3 Likes

@JasonMcD - like @Mark_Wonsil said - connected via the internet is the only way it will work, plus you need to make sure your network setup will pass the DNS name resolution as the sysconfig file’s entry for Deployment server is not a FQDN. I’ve tried changing it to a FQDN and it doesn’t work, so VPN is the only way to go. All of our laptop users work via VPN and it’s working fine - you just need the bandwidth to support it.

1 Like

Our app server and SQL are on one on-prem physical server; IT is not recommending opening any global direct port route to it.

That's what I was thinking of, many thanks @MikeGross.

1 Like

@MikeGross and @Mark_Wonsil - Yes, it does work fine on VPN for me. But off of VPN…

Right that’s what confused me (as if nothing else did), is the sysconfig file looking for a folder path.

@Mark_Wonsil, what is a “file share”?

I agree. I would only use a VPN in an on-prem scenario. In which case, the only reason to use a different endpoint protocol is that the https version is much more resilient to network latency over the net.tcp endpoint.

3 Likes

I should have said “network path.” Many people map a share name to a network path for security reasons. If it begins with \\ then it’s a Windows network path. If it begins with https then it’s going to a web server.

2 Likes
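As an added example (not code from any poster or from Epicor), this sketch applies the rules from the replies above to a client .sysconfig: a deployment server starting with `\\` is a Windows network path, and a host name that is not an FQDN depends on office DNS, so the client needs the VPN. The element and attribute names (`AppServerURL`, `EndpointBinding`, `deploymentServer`, `value`, `uri`) are assumptions about the file layout, and the host and share names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample. Element and attribute names are assumptions about the
# .sysconfig layout; host and share names are made up.
SAMPLE = r"""<configuration>
  <appSettings>
    <AppServerURL value="net.tcp://erpapp01/EpicorInstanceName" />
    <EndpointBinding value="UsernameSSLChannel" />
  </appSettings>
  <deployment>
    <deploymentServer uri="\\erpapp01\EpicorDeployment\Client" />
  </deployment>
</configuration>"""

UNC_PREFIX = "\\\\"  # two literal backslashes

def classify_location(value):
    # Rule from the thread: a leading \\ is a Windows network path,
    # anything else is judged by its URL scheme (https, net.tcp, ...).
    if value.startswith(UNC_PREFIX):
        return "unc"
    return urlparse(value).scheme.lower() or "unknown"

def host_of(value):
    if value.startswith(UNC_PREFIX):
        return value[2:].split("\\", 1)[0]
    return urlparse(value).hostname or ""

def audit_sysconfig(xml_text):
    root = ET.fromstring(xml_text)

    def attr(tag, name):
        node = root.find(f".//{tag}")
        return node.get(name, "") if node is not None else ""

    app_url = attr("AppServerURL", "value")
    dep_uri = attr("deploymentServer", "uri")
    hosts = {host_of(app_url), host_of(dep_uri)}
    report = {
        "binding": attr("EndpointBinding", "value"),
        "app_scheme": classify_location(app_url),
        "deployment_kind": classify_location(dep_uri),
        # Short (non-FQDN) names resolve only through the office DNS.
        "internal_only_hosts": sorted(h for h in hosts if h and "." not in h),
    }
    # A UNC deployment path or a short host name means the client only
    # works with the office network reachable, i.e. over the VPN.
    report["needs_office_network"] = (
        report["deployment_kind"] == "unc" or bool(report["internal_only_hosts"]))
    return report

if __name__ == "__main__":
    print(audit_sysconfig(SAMPLE))
```
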

From a security standpoint I wouldn’t ever allow that. Way too much risk especially if you don’t have 2FA. Even with 2FA I wouldn’t open up RDP to the outside world. Set up a VPN and connect that way. With 2FA on your VPN of course.

1 Like

@A.Baeisa @Mark_Wonsil OK fair enough, VPN is safer.

I guess I’m just confused because cloud users don’t need VPN, but that’s considered safe. So, what makes the cloud so much better? (I’m asking for it now…)

Completely different architecture setup.

2 Likes

Cloud infrastructure is less secure than my On-Prem :slight_smile:

I mean you could enable https binding and allow it to cross thru the internet, if you have hardened your server.

Think about this: if you use the user print/print or manager/manager or epicor/epicor or testing/testing, anyone can log in to your ERP with the API URL.

You must vet your system to make sure users also aren’t using the same value for username and password.

User: HH01 or MES1 or HandHeld1 – easy to guess the password usually.

1 Like

Agreed :100:

I wouldn’t even do that. Without support for 2FA in ERP you’re a sitting duck waiting for someone to find your exposed server and start poking at it. I’m not sure even with 2FA I’d open it up like that.

1 Like

Thank you all. Lots of good info.