Sage 100

Hello all, we have a customer rolling out some Terminal Server users and a new IT firm.  Can I get some recommendations on best practices and settings for Sage 100 Advanced on a Terminal Server.  TIA

------------------------------
John Wilder
Technology Integrators
------------------------------

Moved to General Discussion Community.  Sage Urgent is reserved for time sensitive posts.

------------------------------
Moira Goggin
Executive Director
90 Minds, Inc.
------------------------------

Per @Therese Logeais the need for feedback is urgent as the expected go live date is Monday, Feb. 10, 2020. 
​

------------------------------
Moira Goggin
Executive Director
90 Minds, Inc.
------------------------------

Original Message:
Sent: 02-04-2020 18:14
From: Moira Goggin
Subject: Terminal Server security - recomendations

Moved to General Discussion Community.  Sage Urgent is reserved for time sensitive posts.

------------------------------
Moira Goggin
Executive Director
90 Minds, Inc.
------------------------------

Feel free to close \ move this. I'm good!

------------------------------
John Wilder
Technology Integrators
------------------------------

Original Message:
Sent: 02-04-2020 18:55
From: Moira Goggin
Subject: Terminal Server security - recomendations

Per @Therese Logeais the need for feedback is urgent as the expected go live date is Monday, Feb. 10, 2020.
​

------------------------------
Moira Goggin
Executive Director
90 Minds, Inc.
------------------------------


Original Message:
Sent: 02-04-2020 18:14
From: Moira Goggin
Subject: Terminal Server security - recomendations

Moved to General Discussion Community.  Sage Urgent is reserved for time sensitive posts.

------------------------------
Moira Goggin
Executive Director
90 Minds, Inc.

Not really security-related - but you'll need to copy the activate.pvx

Copy the "Activate.pvx" from the "..\MAS90\Home\Lib\Keys" directory where Sage 100 is installed, to the "..\MAS90\Home\Lib\Keys" directory where the Workstation Setup client has been installed on the Terminal Server.

See the detailed steps below:

https://support.na.sage.com/selfservice/viewdocument.do?noCount=true&externalId=25520&sliceId=1&isLoadPublishedVer=&docType=kc&docTypeID=DT_Article&stateId=47604&cmd=displayKC&dialogID=1731869&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl&openedFromSearchResults=true

------------------------------
Wayne Schulz - Schulz Consulting - 860-516-8990
------------------------------

Sage 100 ERP Advanced and Premium workstation information:

Terminal Services or Citrix Server:

If running Sage 100 ERP Advanced or Premium through Terminal Services or Citrix, do not run the workstation installation directly at the Terminal Services or Citrix server. Run the workstation installation wizard only once through a remote session, this will setup up the correct registry entries for Crystal forms and report access and copy the multi-user activation file from the Application Server to the Terminal or Citrix server.

------------------------------
Wayne Schulz - Schulz Consulting - 860-516-8990
------------------------------

Also, I have one very high-security customer in the financial industry.  For remote work, they issued me a laptop where I cannot use anything on the desktop. I must VPN with Microsoft 2FA to a VDI based remote machine and they control everything from there. I don't know how they have this configured beyond that but my sense is they have segmented their network to a point where it would be nearly impossible for one login to access all their servers which I suspect keeps their risk of malware/ransomware to a tolerable level. 

For testing, we set up a virtual server which one IT admin maintains then for go-live I have to coordinate with another to get to their live server and when SQL is in the mix there are separate SQL techs.

Also, the Sage 100 Advanced account used to run Sage 100 on the server should be a domain account which has the ability to see other servers ( which IT tells me they don't like because they know it's going to be an account running a service where they cannot easily force a periodic password change so to them it's a weak point in their network setup ). If you use an account that cannot see other servers then if you also use paperless and put the folder for paperless storage on another server you will get a message when trying to read/write to paperless. This confuses people because they will check the rights of the end-users login NOT the login of the account running the service ( which may not have rights to see the other server ).

------------------------------
Wayne Schulz - Schulz Consulting - 860-516-8990
------------------------------

Thanks for the input Wayne, helps!

------------------------------
John Wilder
Technology Integrators
------------------------------

Original Message:
Sent: 02-05-2020 08:17
From: Wayne Schulz
Subject: Terminal Server security - recomendations

Also, I have one very high-security customer in the financial industry.  For remote work, they issued me a laptop where I cannot use anything on the desktop. I must VPN with Microsoft 2FA to a VDI based remote machine and they control everything from there. I don't know how they have this configured beyond that but my sense is they have segmented their network to a point where it would be nearly impossible for one login to access all their servers which I suspect keeps their risk of malware/ransomware to a tolerable level.

For testing, we set up a virtual server which one IT admin maintains then for go-live I have to coordinate with another to get to their live server and when SQL is in the mix there are separate SQL techs.

Also, the Sage 100 Advanced account used to run Sage 100 on the server should be a domain account which has the ability to see other servers ( which IT tells me they don't like because they know it's going to be an account running a service where they cannot easily force a periodic password change so to them it's a weak point in their network setup ). If you use an account that cannot see other servers then if you also use paperless and put the folder for paperless storage on another server you will get a message when trying to read/write to paperless. This confuses people because they will check the rights of the end-users login NOT the login of the account running the service ( which may not have rights to see the other server ).

------------------------------
Wayne Schulz - Schulz Consulting - 860-516-8990
------------------------------