EWA and IIS in DMZ Topology / Structure / Architecture


(Jim Downey) #1

Does Epicor 10 support ADFS? I too am trying to setup IIS and EWA in our DMZ. Can we point the application server for an EWA installation, within the DMZ, to our existing, internal live / production, application and database servers? Can we allow windows authentication from EWA / IIS, within the DMZ, to our existing, internal Active Directory / Domain Controllers?


(Bart Elia) #2

ADFS is just Windows Authentication from the POV of ERP 10, so yes. We assume you do all the magic in the background between your ADs to make the trust relationships.


(Jim Downey) #3

Well, I am looking for some help with doing / understanding all the “magic”…

I found this post on the web of someone also looking to understand the “magic”: https://social.technet.microsoft.com/Forums/windowsserver/en-US/92a34798-65ee-4e5e-a185-036c6da9da3b/allowing-iis-web-application-in-dmz-to-authenticate-ad-users?forum=winserverDS

A user at the bottom responded:
The app needs to be configured for SAML not the IIS itself. Check this: https://blogs.msdn.microsoft.com/alextch/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts/

ADFS can be configured in a way that if the users are accessing the app from the inside they would have sso expirience and wouldn’t be asked for creds twice. Check this: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/


(Jim Downey) #4

Does Epicor support SAML 2.0?


(Bart Elia) #5

As of this time, no announcement on any other User Authentication mechanisms. Epicor User/password and MS Windows Auth.

There are tools out in the wild to convert SAML to Windows Auth, but none I have seen tried with Epicor ERP.

What’s the high level need? An integration or?


(Jim Downey) #6

I’m starting to understand this a little more… We are hoping we can use Azure to authenticate from the DMZ.

Now that I see how to deploy EWA as an extension, I am hoping we can use an install path of the external DMZ’s DNS name or IP address and file location for the install path field. Does the Install Path for EWA support that, or would it have to be local to the application server?


(Bart Elia) #7

OK, now that we are in ‘Pilot’ in Cloud - any SaaS customers can review the change log for 10.2.200, so I am sort of out from under our embargo on many things… We haven’t shipped YET, so last minute stuff does happen, so take commentary with a grain of salt, etc, etc.

We are adding Azure AD support to the core app, the rich client, REST, EWA and a few more apps. Anyone who has ever played in Azure AD - it’s your SSO approach for cloud just as Windows Active Directory is the SSO approach to on premise.

More details to follow but for what you describe you can count on 10.2.200 support.

More apps will be made available during the 200 timeline - not everything has the same release cycle as 200 so some ‘Extension’ products will be release a little later. I honestly do not know which and when as the Azure AD effort was the last ERP 10 effort I was on before I moved into a new role.

When all the details come out I’ll do a post here on my take of the feature that will probably be relevant to the folks up here and my historical interactions. @josecgomez.sixs, don’t get too excited, it’s not OAuth - but it is Azure AD and cloud SSO.


(Mark Wonsil) #8

I saw a quick example of this in action. We are Azure AD and working with the Cloud Team. It’s just like Bart said: first the Rich Client, REST, EWA, Active Desktop, but others later. It seems fairly straightforward. The Cloud Users are seeing .200 in their Pilot databases now, with a launch in April.

Mark W.


(Bart Elia) #9

Were you a part of the group demoed to last week? I heard it went well. I could not attend but would have liked being a fly on the wall to observe commentary.

I am looking forward to playing with a few new toys in the area I am pitching.


(Mark Wonsil) #10

Yes. Cloud Services has a copy of our database that’s been anonymized. Once it’s at .200, we’ll test with our Azure AD this week. Looks very promising.

Mark W.


(Bart Elia) #11

It was great to work with the Azure guys again. We were a part of the original testing of ‘Red Dog’ - code name for Azure. Their perf at the time was pretty bad, but they have made a lot of improvements. It’s good to have competition in the Cloud space - it makes everyone better and gives better pricing to all.