In order to allow access using the Role Tailored Client (RTC) remotely over the Internet without a VPN, there are several steps that must be taken.
The first is to request that our security team publish the NAV Service for the RTC. Once this is published you will be provided with a customer port number for your service. In this example, the port number is 45000.
After receiving this, you must configure the NAV service with two settings. Depending on the version of NAV you are using, the settings file keys may vary slightly, but the names will be very similar. For example, in NAV 2009 one of the keys is ClientCredentialType, but in NAV 2016 this is ClientServicesCredentialType.
It is important to keep in mind that the settings we are changing affect ALL connections to NAV using the RTC.
Configure the Microsoft Dynamics NAV Server
- Open MMC and add the Certificates Snap-In for the Local Computer
- In the left pane of the MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
- In the right pane, right-click the certificate *.mgcld.com, select All Tasks, and then click Manage Private Keys. NOTE: If you see more than one certificate, be sure to use the one with the latest expiration date.
- In the Permissions dialog box for the certificate, click Add.
- In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the NAV Service, and then click OK. NOTE: If you are running NAV using NETWORK SERVICE, stop here and request a domain service account.
- In the Full Control field, select Allow, and then click OK.
- In the right pane, double-click the certificate.
- In the Certificate dialog box, click the Details tab, and then select the Thumbprint field.
- Copy or note the value of the Thumbprint field. TIP: If you copy and paste the thumbprint to Notepad, you can replace the spaces with nothing to remove them. There is also an invisible character at the left of the thumbprint when it is copied and pasted to Notepad. Go to the beginning and make note of the first character. Press delete until the first character deletes and retype it.
- Stop the Microsoft Dynamics NAV Services.
- Open the CustomSettings.config configuration file. By default, this file is located in C:\Program Files\Microsoft Dynamics NAV\XX\Service, where XX is the version number.
- Modify the following settings:
  This is typically Windows; change it to UserName. Note: the value is case sensitive!
  <add key="ClientServicesCredentialType" value="UserName"/>
  Use the thumbprint from the certificate you retrieved in step 9.
  <add key="ServicesCertificateThumbprint" value="4ff4e12a64dcddc143a335406950a82111374c63"/>
  Update the server to use the port provided.
  <add key="ClientServicesPort" value="45000"/>
- Save and close the CustomSettings.config file.
- Restart the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.
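The three server-side values changed above can be checked before the services are restarted. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling: the function name Test-NavClientServicesConfig is hypothetical, the sample XML is constructed (with an appSettings root assumed and two deliberate defects), and the certificate store lookup only runs on a Windows host.

```powershell
# Added example: sanity check for the keys edited in CustomSettings.config.
# On a real server, pass (Get-Content -Raw <path to CustomSettings.config>) as -ConfigXml.
function Test-NavClientServicesConfig {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $settings = @{}
    foreach ($node in ([xml]$ConfigXml).SelectNodes('//add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    $problems = @()

    # The value is case sensitive, so compare with -cne rather than -ne.
    $credType = [string]$settings['ClientServicesCredentialType']
    if ($credType -cne 'UserName') {
        $problems += "ClientServicesCredentialType is '$credType', expected 'UserName'"
    }

    # A SHA-1 thumbprint is exactly 40 hex digits; leftover spaces or the invisible
    # leading character copied from the certificate dialog make this match fail.
    $thumb = [string]$settings['ServicesCertificateThumbprint']
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        $hexCount = ($thumb -replace '[^0-9A-Fa-f]', '').Length
        $problems += "ServicesCertificateThumbprint has $($thumb.Length) characters, $hexCount of them hex digits"
    }
    elseif (Test-Path 'Cert:\LocalMachine\My') {
        # Windows only: confirm the certificate is in the Local Computer Personal store.
        $cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $thumb
        if (-not $cert) { $problems += 'No certificate with this thumbprint in LocalMachine\My' }
        elseif (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
    }

    $port = 0
    $portOk = [int]::TryParse([string]$settings['ClientServicesPort'], [ref]$port)
    if (-not $portOk -or $port -lt 1 -or $port -gt 65535) {
        $problems += "ClientServicesPort '$($settings['ClientServicesPort'])' is not a valid TCP port"
    }
    return $problems
}

$lrm = [char]0x200E   # invisible left-to-right mark, constructed to mimic the copy/paste artifact
$sample = @"
<appSettings>
  <add key="ClientServicesCredentialType" value="Username"/>
  <add key="ServicesCertificateThumbprint" value="${lrm}4ff4e12a64dcddc143a335406950a82111374c63"/>
  <add key="ClientServicesPort" value="45000"/>
</appSettings>
"@
Test-NavClientServicesConfig -ConfigXml $sample
```

An empty result means none of the three checks found a problem; it does not verify that the service account was granted access to the private key.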
Next we need to set up the RTC settings to match. You will need to do this for every PC and user, as the settings are stored for each user. Typically, the ClientUserSettings.config file is located here: C:\Users\USERNAME\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\XX where USERNAME is the username and XX is the version number.
It is important to keep in mind that the settings need to be changed even on the NAV server itself if the RTC is to be used there (e.g. as a RemoteApp or via RemoteDesktop).
- Open the ClientUserSettings.config file
- Modify the following settings:
  <add key="Server" value="NAVSERVER.mgcld.com"/>
  Where NAVSERVER is the server name.
  <add key="ClientServicesPort" value="45000"/>
  Change the value to the custom port provided by the security team.
  <add key="ClientServicesCredentialType" value="UserName"/>
  This is typically Windows; change it to UserName. Note: the value is case sensitive!
  <add key="DnsIdentity" value="mgcld.com"/>
  This is empty by default, but it needs to match the certificate subject name on the NAV server. Typically, you will use one of our public certs, so the mgcld.com name is correct.
You must ensure that the firewall on the server allows inbound TCP traffic on the port provided.
It is important to note that it is also a security best practice to ask our security team to limit access to the RTC based on the public IP of specific locations. For example, a customer may want to restrict access to the RTC over the Internet to traffic originating from their office. This requires the location to have a static IP and you must open a ticket and specifically request that the connections be restricted. By default we DO NOT restrict access by IP.
Lastly, here is an article from NAV 2009 that for the most part holds true today regarding performance of NAV RTC over the Internet. https://msdn.microsoft.com/en-us/library/gg502513.aspx