Epicor10 ArchitectureGuide 102700
Epicor 10.2.700
Disclaimer
This document is for informational purposes only and is subject to change without notice. This document and its
contents, including the viewpoints, dates and functional content expressed herein are believed to be accurate as of its
date of publication. However, Epicor Software Corporation makes no guarantee, representations or warranties with
regard to the enclosed information and specifically disclaims any applicable implied warranties, such as fitness for a
particular purpose, merchantability, satisfactory quality or reasonable skill and care. As each user of Epicor software is
likely to be unique in their requirements in the use of such software and their business processes, users of this document
are always advised to discuss the content of this document with their Epicor account manager. All information contained
herein is subject to change without notice and changes to this document since printing and other important information
about the software product are made or published in release notes, and you are urged to obtain the current release
notes for the software product. We welcome user comments and reserve the right to revise this publication and/or
make improvements or changes to the products or programs described in this publication at any time, without notice.
The usage of any Epicor software shall be pursuant to an Epicor end user license agreement and the performance of
any consulting services by Epicor personnel shall be pursuant to Epicor's standard services terms and conditions. Usage
of the solution(s) described in this document with other Epicor software or third party products may require the purchase
of licenses for such other products. Where any software is expressed to be compliant with local laws or requirements
in this document, such compliance is not a warranty and is based solely on Epicor's current understanding of such laws
and requirements. All laws and requirements are subject to varying interpretations as well as to change and accordingly
Epicor cannot guarantee that the software will be compliant and up to date with such changes. All statements of
platform and product compatibility in this document shall be considered individually in relation to the products referred
to in the relevant statement, i.e., where any Epicor software is stated to be compatible with one product and also
stated to be compatible with another product, it should not be interpreted that such Epicor software is compatible
with both of the products running at the same time on the same platform or environment. Additionally platform or
product compatibility may require the application of Epicor or third-party updates, patches and/or service packs and
Epicor has no responsibility for compatibility issues which may be caused by updates, patches and/or service packs
released by third parties after the date of publication of this document. Epicor® is a registered trademark and/or
trademark of Epicor Software Corporation in the United States, certain other countries and/or the EU. All other
trademarks mentioned are the property of their respective owners. Copyright © Epicor Software Corporation 2020.
All rights reserved. Not for distribution or republication. Information in this document is subject to Epicor license
agreement(s).
Revision: October 20, 2020 8:26 a.m.
Total pages: 39
Epicor ERP Architecture Guide Epicor ERP Application Architecture
Use this section to review hardware requirements for Epicor ERP 10. You can review the documents provided for
hardware sizing and configuration, and you can also review example hardware configuration scenarios based on your
required applications. It is highly recommended that you understand your hardware requirements prior to installing
your Epicor products.
Use these steps to download and review the Epicor ERP Hardware Sizing and Configuration Guide. Note that
hardware requirements may change based on the specific release. It is recommended that you have an
understanding of the hardware requirements prior to installing.
1. Log on to EPICweb and go to the customer portal website. Navigate to Products > Epicor ERP version 10
> Downloads.
You can use this link: https://epicweb.epicor.com/products/epicor-erp-10/downloads
3. From the Available Downloads, select to download the Epicor ERP Hardware Sizing Guide file.
Use this section to review examples of hardware configuration scenarios, including basic multi-server scenarios.
The examples list the applications that might be installed on each server. Review the example scenarios to
determine which type of configuration is appropriate for your environment. Note that these are basic examples
and your desired configuration may be more complex.
Note The example scenarios only use compatible versions of Windows Server and SQL Server:
• Windows Server 2012 R2 with SQL Server 2016 or 2017
• Windows Server 2016 with SQL Server 2016 or 2017
• Windows Server 2019 with SQL Server 2016, 2017, or 2019.
Review the One Server configuration example to determine if it is appropriate for your environment.
Review the Two Servers configuration example to determine if it is appropriate for your environment.
Review the Three Servers configuration example to determine if it is appropriate for your environment.
Review the Four or More Servers configuration example to determine if it is appropriate for your environment.
Use this section to review the components of your Epicor ERP application. It is recommended that you understand the
relationships between the required components prior to starting your Epicor ERP application installation.
The Epicor Administration Console includes administrative tools that you can use to maintain and manage your
application databases, application servers, Enterprise Search servers, and other system components. Using the
Epicor Administration Console, you can manage multiple Epicor server installations on multiple physical servers
from a single interface. The Epicor Administration Console is a component that can be selected for installation
during the installation of Epicor ERP 10 Server.
Note that during the Development phase of a new release, Epicor executed a range of QA cycles while using
Epicor ERP 10 application databases encrypted with SQL Transparent Data Encryption (TDE). No functional or
performance issues related to running Epicor ERP 10 on a TDE-encrypted database were seen. TDE is a technology
used by Microsoft Corporation to encrypt SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data
files, known as encrypting data at rest. For more information on TDE, refer to the Microsoft documentation and
articles. For example: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption
Epicor server is a server computer that hosts one or more application servers. To define what application servers
each Epicor server hosts, you either create new application servers or register existing application servers. These
application servers are then linked to the Epicor server and run tasks for the Epicor application.
An application server manages how a specific instance of the Epicor application runs. Through each application
server, you can configure licenses, companies, sessions, and users for a specific database.
An application server is created under the Epicor server. One or more application servers can be defined for each
Epicor server. When you select an application server on the tree view, you can perform administrative tasks on
it. For more information on Epicor server, review the Epicor Server section within this guide and the Administration
Console Online Help.
You can set up multiple application servers to run the same database. They can then improve performance by
balancing the load. For example, you create two application servers for the same database, but these application
servers support different endpoint bindings. One application server is set up to run Epicor Web Access (EWA) on
one server machine, while another application server is set up to run a smart client through Net.TCP on a different
server machine.
Note For more information on Endpoint Bindings, review the Authentication Options section within this
guide.
A database server represents a SQL Server server\instance and contains the various Epicor application databases
your organization requires to conduct business. Before you can work with databases in the Epicor Administration
Console, you need to add a database server to the Database Server Management node.
Reporting Server contains Epicor SQL Server Reporting Service (SSRS), a server-based reporting platform that
provides comprehensive reporting functionality for a variety of data sources. Note that in the Epicor ERP application,
SSRS reports can be used in parallel to Crystal reports.
If you have an existing Epicor 9.05 application and you chose to not use the recommended SSRS functionality
that is available with the Epicor ERP 10 application, you can use the steps in the Epicor ERP 10 Migration Guide
to install and configure Epicor SQL Server Reporting Service (SSRS) using the previous method, referred to as the
"portal method". These steps will create the Epicor SSRS Portal, create the Epicor SQL Report Monitor Service,
and establish the connection to a SQL Report Server. This portal method is available to provide a "stop gap"
functionality that you can use to continue to have reporting functionality as you gain experience using the new
SSRS functionality available in the Epicor ERP 10 application.
System Agent and Task Agent are designed to streamline and automate the flow of data throughout your
company.
To maximize the efficiency of your network resources, you can select to execute reports, process programs and
run queries not right after you submit them, but at a later time by adding them to a schedule that occurs during
specific intervals. You can add programs to recurring schedules using the Schedule drop-down lists available on
programs throughout the Epicor ERP application. When you assign a task to a recurring schedule, the Task Agent
activates and handles it according to the settings defined by the System Agent. Review the following information
to learn more about System Agents and Task Agents.
• Creating a System Agent. A System Agent defines the information needed to configure the Task Agent
AppServers. You create it after you first install the application, and it is automatically created when you install
an Epicor Demo Database or migrate from a previous version. You then can use the System Agent > Detail
sheet within the System Management Maintenance program to make changes you need to the system agent.
Review Epicor ERP 10 Installation Guide for information on how to set up System Agent. For more information
on how to work with System Agent, review the Application Help.
• System Agent Maintenance. You use System Agent Maintenance to define schedules users can then select
on reports, processes, and executive queries. Each schedule is set up to activate at regular, specific intervals
- seconds, minutes, days, weeks, and months. When the system clock activates a schedule, all the tasks
assigned to this schedule run. Depending on the task, this could cause a specific report to generate and print,
a business activity query to export, a global alert to be sent, and so on. If a task generates an error and does
not complete its process, the other tasks on the schedule will continue to run as expected.
Then to make better use of your system resources, you can also create task agent rules. These task agent
rules divide the system agent's processing between different application servers. An application server manages
how a specific instance of the Epicor application runs. You can set up multiple application servers to run the
same database and balance the load. You could create two application servers for the same database, but
these application servers are linked to different server machines.
Important To run the Task Agent, you must configure your System Agent Epicor user account to have
session impersonation rights. For instructions on how to set session impersonation rights, refer to Epicor
ERP 10 Installation Guide.
• Task Agent Service Configuration. You can create a task agent in the Task Agent Service Configuration
program. This program allows you to add task agents that run on either a local machine or a remote machine.
After you set up an application server (AppServer), you can then configure the local or remote task agent for
the database. If you have multiple appservers, all of them point to the same database, and you can configure
a task agent on any appserver even if they are located on different physical servers. The task agent is distributed
to multiple appservers based on pre-defined rules.
Note You can set up a maximum of three task agents to run against the same database.
• Connecting a Task Agent. You can connect a task agent to an application server through different endpoint
binding methods. If you connect a new or existing task agent through the Windows endpoint binding type,
you must enter a Windows domain user account on the task agent service. The Windows domain user account
you enter must be associated with either an Epicor ERP or Epicor ICE user account.
Review the Authentication Options section for more details on binding methods you can use in Epicor ERP.
For more information on how to configure a task agent and how to connect it to an application server, review
the Administration Console Help and the System Administration Guide in Epicor ERP application help.
Use this section to review additional software components and products that are available to install with your Epicor
ERP 10 application. These additional components and products enhance the functionality of your Epicor ERP 10
application.
You can install the Epicor ERP extension applications after you have configured your Epicor application server.
To get an extension working, you need to go through the following three-step process:
• select the extension features to install during the Epicor ERP 10 server installation process
• to deploy the selected features, use the Application Server Configuration process in Epicor Administration
Console
• perform initial configuration within the installed extension
Extension applications include: Epicor Web Access, Epicor Mobile Access, Enterprise Search, Epicor Education,
Epicor Information Worker, Epicor Help, Epicor Data Discovery, and Epicor Web Configurator.
Epicor Education
Epicor's library of embedded educational materials provides you with a platform to develop an effective training
program for your organization. The number of resources enables you to choose the best options to meet your
training needs and tailor the content to fit your users.
You install the Embedded Courses on the Epicor Education sheet. You can only have one instance of the Epicor
Education extension linked to each application server.
Epicor Help
Epicor's online help system contains reference level information on modules and programs. It also contains a
series of technical reference guides that provide detailed information on job costing, scheduling, and other areas
of the Epicor application. You can launch application help from the Home page by clicking the Help tile, or from
directly within a specific program by pressing the F1 key or clicking Help > Application Help.
who sell configured products through a distributor or dealer channel. By receiving transactions from dealers
through the Dealer Portal, these manufacturers can sell their products, track products after they ship them, and
support warranty and repair needs.
Supplemental components that can be installed after your Epicor ERP 10 application is installed and configured.
Collaborate
Epicor Collaborate is a cloud-based solution that simplifies collaboration, drives employee engagement, and
streamlines interaction processes by leveraging social media concepts like hashtags and mentions. Collaborate
enables different teams to work together around orders, customers, suppliers, configurations, projects, or any
other business objects within your ERP; bring sales and manufacturing together, share, comment, and move on.
You can easily track information about an order as it progresses from a lead all the way until payment is received
in a dedicated stream available within your Active Home Page and Quick Access panel. This means your activity
stream shows you what you need to know, when you need it, exactly where you need to see it in order to do
your job effectively.
For more information about Epicor Collaborate, refer to the Extension and Companion Programs > Companion
Programs > Epicor Collaborate section in the application help.
The instructions for installing Microsoft Service Bus for Windows Server are located in the Epicor ERP 10 Installation
Guide (New or Migration) > Supplemental Installations section. For additional information, you can also refer to
the Microsoft Download Center documentation. Note that the instructions for setting up Multi-Company
functionality are located in the Multi-Site Technical Reference Guide which is available within the online help and
from the EPICweb Documentation > Technical Reference Guides page.
Use this section to review the Cross Brand Products that can be installed after your Epicor ERP 10 application is
installed and configured.
You can access the Epicor Cross-Brand Solutions documentation on EpicWeb using the following link:
https://epicweb.epicor.com/products/epicor-erp-10/documentation. The Cross-Brand Solutions library is in the right pane.
Your screen may look similar to the following:
Epicor Cross-Brand Solutions are designed to extend the functionality of your ERP system by providing additional
features you can use for your business requirements. You can configure these products to work with different
Epicor ERP systems, such as Epicor ERP 10, Prophet 21, iScala, Eclipse, Tropos and so on. Cross-Brand solutions
interact with your ERP system which allows you to use ERP data in additional environments.
preview them to verify current data displays as expected, and upload Report Definition Language (RDL) files,
which enable users to view reports in a web browser, via SQL Server Reporting Services (SSRS). Once you set up
your report, you can further refine the look and feel in either Microsoft® Visual Studio® or Microsoft® SQL
Server® Report Builder. You can use these report layout and formatting tools to fine-tune the overall look of
each financial report.
When you finish refining the layout of your financial reports, users can view them in a web browser or in
Microsoft® Excel®. Reports can be printed, or exported in various file formats, or you can schedule a batch of
reports to be created at regular intervals. Based on the report parameters you define in the report, users can filter
data, or change the parameters to view different data, for example, change the report currency, change the
report dates, or filter by GL accounts.
Important AFR is not compliant with FIPS 140-2 cryptography standard.
Commerce Connect
Epicor Commerce Connect (ECC) is an e-commerce solution that enables Epicor ERP customers to develop unique
websites quickly and manage them easily, providing the necessary tools to deliver a rich customer experience,
throughout the typical order life cycle - from quote to fulfillment, and beyond.
Fully integrated to your ERP system, Epicor Commerce Connect eliminates the need to maintain a separate product
database and provides streamlined access to ordering, product or account information including customer specific
pricing, inventory levels, marketing and customer service processes - all in real-time using ERP data that can be
viewed online via Epicor Commerce Connect.
Based on the Magento eCommerce platform, ECC provides a scalable solution that is backed by an extensive
support network and allows you to build a site to help fit your unique business needs.
Important ECC is not compliant with FIPS 140-2 cryptography standard.
Manifest
Epicor Manifest is an automated shipping functionality that enables your company to streamline shipping processes
and meet the expectations of your customers. Epicor Manifest is multi-carrier shipping software that integrates
tightly with the Epicor ERP application and seamlessly processes domestic and international shipping transactions
by communicating to various carriers, calculating freight amounts, and printing carrier labels.
Mattec MES
Mattec Manufacturing Execution System is a real-time production and process monitoring system which can be
used as a powerful tool in manufacturing including rubber and plastics, metals and automotive industries.
The solution offers a comprehensive set of MES capabilities for production scheduling, machine operation and
maintenance, quality management, and real-time analytics to monitor machines and analyze machine-related
data such as overall equipment effectiveness (OEE), run rates, scrap, yield and energy consumption. The system
captures data directly from machines and operators, and delivers real-time production metrics and real-time
operations analytics in an easy-to-digest visual manner.
Real-time reconciliation of information between Epicor ERP and Mattec MES ensures data integrity for supporting
accurate scheduling, planning, monitoring, resourcing and costing.
Use Data Integration to manage production from a central location and seamlessly integrate data flow between
Epicor ERP and Mattec MES. This integration allows you to reduce errors from manual data entry in both
applications and get timely and accurate data to enable better manufacturing decisions. Epicor ERP production
planning and job data are exported to Mattec MES for use when performing and monitoring shop floor activities.
In Mattec MES, production data is monitored and recorded for use in process and quality control monitoring and
analysis.
Labor and production data recorded in Mattec MES will then flow back to Epicor ERP where the data can be
used for costing, reporting and production analysis.
Important Mattec MES is not compliant with FIPS 140-2 cryptography standard.
Quick Ship
Quick Ship bridges the gap between your Epicor ERP solution and your parcel carrier for domestic parcel shipments.
Quick Ship uses FedEx and UPS web services to get your shipments out faster and easier. Quick Ship imports all
of the data, including shipping and packaging codes, directly from Epicor ERP 10 using REST Services.
Service Connect
Epicor Service Connect (SC) is a workflow and application integration environment. You can use Service Connect
to run a workflow within a single application or to run workflows that span multiple applications. Because it uses
documents as its primary interface and leverages a Service Oriented Architecture (SOA), Service Connect simplifies
the data conversion process from one application to suit the needs of other applications.
Important ESC is not compliant with FIPS 140-2 cryptography standard.
XL Connect
XL Connect is a powerful tool that can be used to report on data currently stored in your accounting system. XL
Connect is an add-in to Microsoft Excel™ and is accessed from within Excel. XL Connect is the data retrieval
engine. When in Excel, you will use XL Connect Content Functions and Analysis Sets to build reports that will
retrieve your accounting system data.
XL Connect Content provides the integration specific elements that define for XL Connect the tables in your
accounting system from which to retrieve your requested data. Once the data is retrieved into Excel, you can use
all of Excel’s capabilities to create a report that meets your business needs: financial statements, budget reports,
sales analysis, invoice analysis and dashboards.
Important ESC is not compliant with FIPS 140-2 cryptography standard.
Use this section to review the utilities and resources that are available and can be used with your Epicor ERP 10
application.
You can use the Epicor Performance and Diagnostic Tool to analyze Epicor logs to measure performance from
both the client and the server. The Epicor Performance and Diagnostic Tool summarizes information in the client
and server trace logs. You can manipulate that information to provide meaningful metrics related to the installation
efficiency and performance of your Epicor ERP application.
Epicor Performance and Diagnostic Tool offers the following utilities:
• Client Diagnostics - use it to analyze the performance of client installations.
• Configuration Check - use it to check the configuration of the application server. This utility reveals the
issues and potential issues you may have with the application server configuration.
• Network Diagnostics - use it to verify the baseline network and server performance are running at optimal
levels.
• Server Diagnostics - use it to analyze the performance of server installations.
The Epicor Performance and Diagnostic Tool is run from the Epicor Administration Console. For information on
how to run the Epicor Performance and Diagnostic Tool, use the Performance Tuning Guide. The guide is available
from various locations, including from within the Performance and Diagnostic Tool (webhelp format), the Epicor
ERP 10 application online help (webhelp and PDF format), or the EPICweb Documentation > Technical Reference
Guide site (PDF format).
Epicor Data Migration Tool (DMT) is used to accelerate and simplify the data migration process as well as efficiently
maintain your existing system data.
DMT offers the following features:
• Improve your implementation timeline and migration process.
• Import, add, update, and delete application data safely and efficiently.
• Application logic ensures security, data integrity and optimal performance.
• Imports data from commonly used Microsoft® Excel® and .CSV files.
• Provides estimate of the time it will take to import data.
• Error log identifies specific import problems.
DMT is delivered as additional files to be placed in the Epicor client directory.
If you have a multiple application server environment, use this section to review information specific to web farm and
web garden configurations.
When multiple application servers are connected to the same database, each can internally notify all application
servers in the web farm or web garden that a change occurred. The application servers in this web farm or web
garden then refresh with the required changes.
This feature is useful for web farm, web garden, or other multiple application server environments. For example,
when the database changes or a BPM assembly is updated, the application server with the change sends out an
internal notification. If this update is a database change, the application servers refresh their caches. If this update
is a BPM assembly change, the application servers regenerate their BPM assemblies.
You can set up these notifications by selecting the notification type that best reflects your network configuration.
To do this, modify the web.config file for your environment. This file is located in your server installation. For
example: C:\Epicor\Deployment\Server
Set up the NotificationType to define how the application servers send notifications to the group. Available
notification types are:
• local - Select this option to indicate a single application server is in this web farm / web garden and no internal
notifications are needed. Always select this option when only one application server is in the web farm / web
garden, as it improves performance by reducing unnecessary notifications.
• UDP - Indicates the notifications are delivered through a User Datagram Protocol (UDP) broadcast. This protocol
exchanges messages between all computers in a local area network (LAN). This notification type does not
work on a wide area network (WAN). If your application servers are on the same LAN and the required ports
are open, a UDP broadcast can reach them. You should then select this option.
For the NotificationUdpPort setting, be sure to enter a unique and unused port for each application server
group. This requirement ensures the internal notifications are only sent within a specific application server
group.
• database - Select this option when you cannot use the UDP option and you are running more than one
process or application server. Depending on how your network is configured, you may not be able to select
UDP and so you instead must send notifications through the database. While this option is the most reliable,
this setting increases the number of calls to the database and so reduces performance. If your environment
supports UDP, you should use the UDP option instead. Note that the default type is database.
Use these steps if you need to change the type to the one that best reflects your network configuration.
1. Navigate to your Epicor ERP 10 application server web.config file. This file is located in your server installation,
for example, \Epicor\Deployment\Server.
3. Set the value to one of the options. If you set the notification type value to UDP, you also need to specify
the NotificationUdpPort property which defines the unique port used by the application server group.
Your file may look similar to the following:
<!-- Valid values: local, UDP or database -->
<add key="NotificationType" value="UDP" />
<!-- Valid values: 1024-65535. Choose a different port for each group of AppServers -->
<add key="NotificationUdpPort" value="3100" />
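The notification rules above can be checked across every application server before a change goes live. The following is an added example, not Epicor code: it reads the NotificationType and NotificationUdpPort keys from each web.config and reports values outside the documented set, ports outside 1024-65535, a UDP port reused by two application server groups, and 'local' set inside a multi-server group. The host names, group labels, the inventory layout and the surrounding configuration/appSettings elements in the sample are constructed assumptions; treating mixed notification types inside one group as a finding is also an assumption drawn from the guide's description of a group.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Values and port range exactly as listed in the guide's web.config comments.
# Spellings other than these are flagged for review rather than normalised.
VALID_TYPES = ("local", "UDP", "database")
PORT_MIN, PORT_MAX = 1024, 65535
KEYS = ("NotificationType", "NotificationUdpPort")


def read_settings(web_config_xml):
    """Return {key: value} for the two notification keys found in the file."""
    found = {}
    # iter("add") finds the entries wherever they sit, so no parent element is assumed.
    for node in ET.fromstring(web_config_xml).iter("add"):
        if node.get("key") in KEYS:
            found[node.get("key")] = (node.get("value") or "").strip()
    return found


def udp_port(settings):
    """Return the port as int when it is a number in the allowed range, else None."""
    raw = settings.get("NotificationUdpPort", "")
    if raw.isascii() and raw.isdigit() and PORT_MIN <= int(raw) <= PORT_MAX:
        return int(raw)
    return None


def check_server(settings):
    """Checks that need only one web.config; returns a list of messages."""
    ntype = settings.get("NotificationType")
    if ntype is None:
        return ["NotificationType is not set"]
    if ntype not in VALID_TYPES:
        return [f"NotificationType '{ntype}' is not local, UDP or database"]
    if ntype == "UDP" and udp_port(settings) is None:
        raw = settings.get("NotificationUdpPort", "")
        return [f"NotificationUdpPort '{raw}' is not in {PORT_MIN}-{PORT_MAX}"]
    return []


def audit(inventory):
    """inventory: list of (host, group, web_config_xml). Returns finding strings."""
    findings = []
    groups = defaultdict(list)      # group label -> settings of each member
    port_groups = defaultdict(set)  # valid UDP port -> groups using it
    for host, group, xml_text in inventory:
        settings = read_settings(xml_text)
        groups[group].append(settings)
        findings += [f"{host}: {msg}" for msg in check_server(settings)]
        if settings.get("NotificationType") == "UDP" and udp_port(settings):
            port_groups[udp_port(settings)].add(group)
    for group, members in sorted(groups.items()):
        types = {s.get("NotificationType") for s in members}
        ports = {s.get("NotificationUdpPort") for s in members
                 if s.get("NotificationType") == "UDP"}
        # 'local' means no internal notifications, so caches in a
        # multi-server group would not be told about changes.
        if len(members) > 1 and "local" in types:
            findings.append(f"{group}: 'local' set in a group of {len(members)} servers")
        if len(types) > 1:  # assumption: one group should share one type
            findings.append(f"{group}: members use different notification types")
        if len(ports) > 1:
            findings.append(f"{group}: UDP members use different ports")
    # The guide requires a unique port per application server group.
    for port, owners in sorted(port_groups.items()):
        if len(owners) > 1:
            findings.append(f"port {port}: shared by groups {', '.join(sorted(owners))}")
    return findings


def _config(ntype, port=None):
    """Build a constructed web.config fragment for the sample inventory."""
    port_line = f'<add key="NotificationUdpPort" value="{port}" />' if port else ""
    return ("<configuration><appSettings>"
            f'<add key="NotificationType" value="{ntype}" />{port_line}'
            "</appSettings></configuration>")


# Constructed sample: hosts and group labels are hypothetical.
SAMPLE_INVENTORY = [
    ("app1", "PROD", _config("UDP", 3100)),
    ("app2", "PROD", _config("UDP", 3100)),
    ("app3", "TEST", _config("UDP", 3100)),   # reuses PROD's port
    ("app4", "TEST", _config("local")),       # 'local' in a two-server group
    ("app5", "PILOT", _config("UDP", 80)),    # below the allowed range
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```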
For a multiple-appserver scenario, Epicor recommends using a shared location to distribute active customizations
and their dependencies between multiple environments.
Customers hosting several Epicor ERP 10 endpoints (those running an Epicor ERP 10 web farm or web garden)
may set up the web.config as follows:
• Customization storage provider (customizationStorage - provider attribute) configured to use SqlBlob.
This option is set by default.
• Storage of external assemblies (externalsStorage - provider attribute) configured as FileSystem, pointing
(externalsStorage - settings attribute) to a single shared folder location for all Epicor ERP 10 instances in
the web farm/web garden corresponding to a single Epicor ERP 10 installation. When setting up access rights
to the folder, make sure that Application Pools of all participating web applications have at least read access.
Example Use DFS or UNC (common) path - \\server\share\folder accessible to all appservers.
It is recommended that you become familiar with the features available in the Epicor ERP 10 release prior to
installing the Epicor ERP 10.2 application.
1. Review the Epicor ERP 10.2 Feature Summary to learn about the features in the Epicor ERP 10.2 release. To
access the Feature Summary, log onto the EPICWeb Documentation site and click the Feature Summaries
link. You can use this link: https://epicweb.epicor.com/documentation/feature-summaries. Note that you
can also view the Feature Summary using the Epicor online help system.
2. If desired, contact the Services group to learn more about upgrading or migrating to Epicor ERP 10.2.
Note To request assistance from Services, fill out the Services Request Form available on the EPICWeb
Services site. You can use this link: https://epicweb.epicor.com/services/Pages/default.aspx.
Epicor ERP Architecture Guide Technology Strategies
The Windows Communication Foundation (WCF) hosts the services for your Epicor application.
By working with the Epicor ICE Framework, the Windows Communication Foundation manages the service calls, or
messages, that users initiate on clients. These messages are then transported to the server, where application code
updates the database. Together both the Epicor ICE Framework and the WCF form a secure and efficient pipeline that
sends the service call messages between the clients and servers across your network.
You can use different WCF protocol bindings to facilitate this network communication. The Epicor application utilizes
several binding options, so you need to select the protocol binding that best matches the transport of different functions.
If you have an environment integrated with Service Connect, generate reports on a separate server, or require a similar
processing need, you can set up multiple application servers to update the same database. Each application server can
have a different protocol binding that best facilitates the configuration it needs to execute its function. Utilizing multiple
application servers can also help you load balance the demand on your network.
This section first describes the main aspects of network protocols to help you understand the differences between
them. Then this section details each protocol binding option you can activate for the Epicor application. By reviewing
this information, you will be better able to determine which protocol binding to select and implement.
6.1 Protocols
NET.TCP
NET.TCP is designed to facilitate communication between servers that reside in the same data center. For example,
the Epicor task agent schedules tasks within its application server and so the NET.TCP protocol bindings can
handle this network communication.
However, this protocol does not work as well over the internet. Because the NET.TCP protocol needs to keep
communication constantly open between the clients and servers, firewalls and routers can disrupt the transport
pipeline. These bindings are faster than the available HTTP binding, but you can only use them for WCF to WCF
communication.
HTTP
The Epicor application uses Hypertext Transfer Protocol (HTTP) to support data communication through the Simple
Object Access Protocol 1.2 (SOAP). Through SOAP the data message is encrypted, but the transport process for
this data is not encrypted. To do this, HTTP uses the WSHttpBinding. This binding is similar to the BasicHttpBinding,
but it provides message security, transactions, consistent messages, and WS-Addressing.
Epicor supports the HttpBinaryUsernameSslChannel binding option. This binding encrypts the body of the message.
It does not use Hypertext Transfer Protocol Secure (HTTPS), so it tends to be slower than bindings which use
HTTPS.
HTTPS
The Hypertext Transfer Protocol Secure (HTTPS) bindings are designed to facilitate communication between clients
across Wide Area Networks (WANs) and the internet. These protocols can also handle communication within
Local Area Networks (LANs), but a purchased or self-signed certificate is required to maintain the integrity of
the system.
If you need to set up an application server that communicates with components over the internet, you should
select one of the HTTPS protocol bindings.
The following HTTP binding types are pre-defined in Windows Communication Foundation (WCF). These binding
types are only used with the HTTP and HTTPS protocols.
basicHttpBinding
This binding exposes endpoints that communicate through ASMX based Web services and other services that
conform to the WS-I Basic Profile 1.1. The transport of messages is secured through HTTPS.
wsHttpBinding
This binding uses WS-Reliable Messaging for reliability and WS-Security for message security and authentication.
Message transport is handled by HTTP and is not encrypted, but the messages themselves are encoded using
Text/XML.
webHttpBinding
Instead of using SOAP requests, the webHttpBinding exposes the communication endpoints through HTTP
requests. These endpoints are used for REST integration within the Epicor application. The transport of messages
is secured through HTTPS.
When the protocol binding encrypts the network transport process, it uses the following methods:
• Windows - If the client and server use the same Windows Domain, WCF can leverage the domain to secure
the network transport. Either the client and the server must be on the same Windows Domain, or the client
and server domains must have a trust relationship with each other.
• Secure Sockets Layer (SSL) - If the client and the server are on separate, untrusted Windows Domains or
do not reside on any domain, the Secure Sockets Layer (SSL) is used to encrypt the network transport. The
client and server machines must trust the authority that issues the certificate. You typically do this by obtaining
a certificate from VeriSign or a similar Microsoft-approved authority. Your IT organization can also issue and
manage internal certificates.
6.4 Serialization
When a user enters data on a form and sends it across the network to the server, this data is transformed from
the object behind the form into a variety of formats that allow data to be sent across networks. These formats
include binary, JSON, and XML.
The Epicor application can do this transformation, or serialization, through the following methods.
• Custom Binary -- The Epicor application can utilize a custom binary serialization optimized for performance.
This serialization is used when the Epicor application code runs on both the client and the server. The data
format is designed for effective network performance. However Custom Binary serialization is difficult to
integrate with other applications. You cannot use custom binary serialization if your client runs on a
non-Windows platform such as Linux or another operating system.
• Interoperability -- When the client does not use .NET or Epicor code, the Epicor application uses the .NET
Data Contract Serializer. Both SOAP 1.1 and 1.2 are then available to transport the XML data over the
network. The REST endpoints also support both XML and JSON.
6.5 Compression
The network protocols available in the Epicor application all support data compression.
You can secure user identities through either Windows domain credentials or Epicor user account credentials. If
you use Windows credentials, the transport encryption type used by the protocol binding affects how user
identities are secured within the Windows domain.
The following table summarizes the main differences between each protocol.
The Windows Communication Foundation (WCF) has several protocol binding options. Most of the WCF binding
options available for your Epicor application are custom bindings optimized for specific environments.
This section documents each protocol binding available within the Epicor application.
6.8.1 UsernameWindowsChannel
This NET.TCP binding authenticates transactions through an Epicor Username and Password. Windows checks
for existing Epicor user accounts to authenticate logins.
The following diagram illustrates how this binding handles network transactions.
6.8.2 Windows
This NET.TCP binding authenticates transactions using a Windows Username and Password. Any user with a
Windows Username and Password within this domain can successfully log into the Epicor application.
The following diagram illustrates how this binding handles network transactions.
6.8.3 UsernameSSLChannel
This NET.TCP binding authenticates transactions using a Secure Sockets Layer (SSL) X509 certificate. Leverage
this method for application servers that handle smart client installations when users reside in different domains.
By using an SSL certificate, users from these different domains can log into the Epicor application.
The following diagram illustrates how this binding handles network transactions.
6.8.4 HttpBinaryUsernameSslChannel
This HTTP binding protocol authenticates using a Secure Sockets Layer (SSL) X509 certificate. The data transfers
between the client and server using Hypertext Transfer Protocol (HTTP). Instead of the transport, the message
which contains the data transfer is encrypted. Because this binding does not use Hypertext Transfer Protocol
Secure (HTTPS), it tends to be slower than bindings which use HTTPS.
Use this method for application servers that handle smart client installations when users reside in different domains.
By using an SSL certificate, users from these different domains can log into the Epicor ERP application.
The following diagram illustrates how this binding handles network transactions.
6.8.5 HttpsBinaryUsernameChannel
This HTTPS binding authenticates transactions using an Epicor Username and Password. The data transfers
between the client and server using Hypertext Transfer Protocol Secure (HTTPS). HTTPS encrypts the data transfer.
The following diagram illustrates how this binding handles network transactions.
6.8.6 HttpsBinaryWindowsChannel
This HTTPS binding authenticates transactions using a Windows Username and Password. The data transfers
between the client and server using Hypertext Transfer Protocol Secure (HTTPS).
You can select this method for application servers that handle smart client installations and Epicor Web Access
(EWA) installations where users access the application through the same domain. Any user with a Windows
Username and Password within this domain can successfully log into the Epicor application.
The following diagram illustrates how this binding handles network transactions.
6.8.7 HttpsOffloadBinaryUserNameChannel
This HTTPS protocol binding is a configuration that offloads encryption handling to an intermediary Application
Request Router such as an F5.
The binding authenticates using an Epicor Username and Password token. The data transfers between the client
and server using Hypertext Transfer Protocol Secure (HTTPS). This protocol is configured to move encryption
handling to an intermediary Application Request Router like F5 or a similar router.
The following diagram illustrates how this binding handles network transactions.
6.8.8 HttpsOffloadBinaryAzureChannel
This HTTPS protocol binding is a configuration that offloads encryption handling from Epicor ERP to an
intermediary Application Request Router such as an F5.
The binding authenticates using a security token by specifying a valid authentication claim between Epicor ERP
and Azure AD. The data transfers between the client and server using Hypertext Transfer Protocol Secure (HTTPS).
This protocol is configured to move encryption handling to an intermediary Application Request Router like F5
or a similar router.
The following diagram illustrates how this binding handles network transactions:
6.8.9 HttpsBinaryAzureChannel
Use this protocol to enable authentication of ERP application users against users in Microsoft Azure Active Directory
(Azure AD).
This binding relies upon the user authenticating against Azure Active Directory and obtaining a token to present
to Epicor ERP. The data transfers between the client and server using Hypertext Transfer Protocol Secure (HTTPS).
The following diagram illustrates how this binding handles network transactions:
Use this section to review the authentication options available with the Epicor ERP 10 application.
In this section, review the identity methods used to authenticate a user account. These methods have both
advantages and disadvantages, so select the method that works the best for your organization. You define your
user identity method when you implement single sign on. For more information on Single Sign-on and Azure AD
authentication, refer to the Epicor ERP Installation Guide > Appendices section.
Controlling access to the application is one of the primary ways you can secure the Epicor ERP application. When
you authenticate the identity of users attempting to log in to, or call, the application, you help prevent malicious
access.
• Windows Account - Use this method to authenticate user identity through Windows accounts when the
client and servers are on the same Windows Domain. These accounts are secured by the Windows operating
system, making it much more difficult for these accounts to be externally compromised.
This method controls access at the operating system level, so you can define your password policy and account
lockout policy through the Group Security Policy program. This method is easier to administer, as you control
access at the operating system level. If an administrator disables a Windows Domain account, the user will
have no access to Epicor ERP. The disadvantage to this method is that if malicious users do compromise your
Windows environment, they gain access to all applications on your system.
• Epicor Account - If you use this method, you authenticate user identity through your internal Epicor accounts.
You then control access at the application level, using both the Password Policy Maintenance and Account
Lockout Policy programs to define the complexity of passwords and the number of failed logon attempts you
allow.
Like Windows accounts, your Epicor accounts are encrypted. By securing at the application level, you make
it harder for malicious users to specifically access Epicor ERP. However, the disadvantage to this method is that
users will need to manage separate passwords for each application in your environment, making it harder for
you to administer security. The following sections describe how you implement authentication security
through either method.
• Azure AD Identity - Use this method to authenticate user identity when you manage Windows accounts
through Microsoft® Azure® Active Directory (Azure AD). Azure AD is Microsoft's multi-tenant, cloud based
directory. It provides a centralized identity management service not only in your on-premise domain, but also
across the internet, giving users easy access to corporate cloud-based applications.
The advantage of Azure AD authentication is that user accounts are secured by Azure, making it much more
difficult for these accounts to be externally compromised. This method controls access within Azure, so you
can define your password policy and account lockout policy centrally for internal and external applications.
The disadvantage to this method is that if malicious users do compromise your identity, they gain access to
all applications in your system. There are advanced security and monitoring services Administrators can opt
into, such as self-service password management, multi-factor authentication, AI based Identity Monitoring
and Identity Protection.
Note A user can have multiple identities. All of the above-mentioned methods (Epicor UserName / Password,
a Windows Domain Identity, and an Azure AD identity) can be mapped to the same Epicor User.
For more information on user identity methods, refer to the Epicor ERP System Administration Guide.
Use this section to review the security requirements when using the Epicor ERP 10 application.
8.1 Licensing
In the Epicor ERP 10 application, you use the Licensing node to manage the product licenses for
an application server.
Using the licensing node, you can import or delete licenses and view the license properties. Properties include
information such as the installation name, expiration date, and data on companies, license modules, and country
specific functionality included in the installation.
Review this section for information on how to set up such server protection features as ports to use for connection
on the servers and anti-viral scan configuration.
You should use the following ports for connection on the servers associated with the Epicor ERP 10 application:
Client and Epicor IIS Servers Epicor IIS Server SQL Server
When you configure anti-viral software, Epicor recommends excluding the following folders from real-time scans:
• The ERP10\client folder
• The root IIS folder (by default, c:\inetpub)
• All folders that contain the SQL db files (ldfs/mdfs)
Use this section to review requirements for using digital certificates with Epicor ERP 10. Digital certificates play a key
role in securing the communications between callers and services in the Epicor ERP 10 application and Epicor ICE 3.2
framework.
When the Epicor ERP 10 application is installed, the web services (SOAP) and REST services can be hosted automatically
by the Epicor 10 web sites. The SOAP-based web services can be used for integrations from either non-.NET callers or
from callers that do not have Epicor binaries available. REST services are used with Epicor Web Access (EWA). Both of
these protocols require encryption using digital certificates.
You can set up your machine to use the sample X509 certificates available with Epicor ERP 10. These certificates do
not expire until 2039 and are meant to be used during your Epicor ERP 10 implementation. You can also replace these
sample certificates with certificates that you create on your own trusted servers or obtain from a third-party
company such as VeriSign.
A digital certificate is basically a pair of keys - one public and one private. The public key can only decrypt data
which was encrypted using the private key and vice-versa. By keeping the private key truly private, client applications
using the public key are assured they are communicating with a known service. The digital certificates are used
to verify that the service is really who or what you believe it is. A digital certificate is signed using (usually) the
public key of another digital certificate, the private key being held by a trusted party. These signatures form a
"trust chain". At the top of the trust chain is a "root" certificate, which used its private key to basically sign itself.
For commercial web sites, the trust chain follows one of a small number of primary certificate authorities. The
images below show the trust chain for a bank's website. You can see this chain by clicking the padlock icon
displayed in most browsers when on any secure website. The browser not only shows you the trust chain, but it
verifies the integrity of every certificate in the chain. It checks that none of the certificates in the chain has expired
or has been revoked, meaning the private key was stolen or made public which makes the certificate basically
invalid.
Digital certificates also have a regular, readable name, technically called a "Subject". For web sites, the subject
name of the certificate securing the web site also must match the domain name of the web site. Finally - and
crucially - browsers and web client stacks will decline connections to web sites secured by a self-signed
certificate. The assumption is that without a separate issuer, no digital certificate can be fully trusted.
The Epicor ERP application uses a series of default timeout settings to prevent frozen transactions from locking your
system. If you typically process a large volume of data, you must increase these timeout settings to prevent the Epicor
ERP application from prematurely stopping transactions before they complete.
These timeout settings are organized through a parent-child hierarchy. Depending on your performance and testing
needs, you adjust the timeout settings at different levels in this hierarchy. Current hierarchy levels are:
• machine.config file - This high level configuration file contains the overall settings used by all applications on the
server. This file contains the default timeout values. If no override timeout values exist lower in the hierarchy, the
values in this file determine when a transaction times out.
• web.config file - This configuration settings file defines the settings used by the application server that runs the
Epicor ERP application. You typically adjust the timeout settings in this file, as they only affect transactions run by
the Epicor ERP application.
In addition to this hierarchy, you can also adjust timeout values in the rsreportserver.config file, the .sysconfig file,
the Task Agent Configuration program, and on the SSRS Site. These settings define timeout durations for transactions
not monitored by the machine.config and web.config files.
The machine.config file is the main configuration settings file on your server. It contains the maximum timeout
values allowed for all server transactions. Any transaction settings entered in the web.config file and any transaction
scope overloads must have an equal or shorter duration than the duration defined in the machine.config file.
The maximum duration typically defined on the machine.config file is ten minutes. However to accommodate
larger transactions, you can modify this file to allow longer timeout durations. When you do this, you also need
to update the web.config settings to handle longer timeout durations. Note these child timeout durations can
be equal to or shorter than the default timeout value defined in the machine.config file.
Be aware that any change to the machine.config file changes the timeout duration for all applications that run
on this server. Increasing the timeout duration on the machine.config file could cause issues for other applications.
Be sure to thoroughly assess the consequences before you increase the duration limit on the machine.config file.
It may not be practical to raise this timeout limit. However when you receive the following errors, you should
increase the timeout values in this file:
• The transaction associated with the current connection has completed but has not been disposed. The
transaction must be disposed before the connection can be used to execute SQL statements.
• Cannot access a disposed object. Transaction.
• TransactionScope nested incorrectly.
Some part transactions and serial number processing may require a five hour timeout duration. Because this
exceeds the standard ten minute duration, you can adjust the machine.config file to handle these five hour
transactions. This feature helps you determine the cause of timeout issues for these users.
Remember that even though the machine.config file can be set to a longer timeout duration, the Epicor ERP
framework first uses the lower timeout durations defined in the web.config or transaction scope values. If you
wish to test a system using the five hour duration, you need to adjust the web.config or transaction scope values
to handle the longer time limit as well.
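The parent-child rule above can be checked before a long-running job is attempted. The following is an added example, not Epicor code: it assumes the limits are held in the standard .NET system.transactions elements (machineSettings maxTimeout in machine.config, defaultSettings timeout in web.config), which this guide does not name, and the configuration fragments are constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

ZERO = timedelta(0)
# .NET defaults when the attribute is absent (maxTimeout matches the ten minutes cited above).
DEFAULT_MAX = timedelta(minutes=10)
DEFAULT_TIMEOUT = timedelta(minutes=1)
_TIMESPAN = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")  # [d.]hh:mm:ss


def parse_timespan(text):
    """Parse a .NET TimeSpan string such as '00:10:00' or '1.02:00:00'."""
    match = _TIMESPAN.match(text.strip())
    if not match:
        raise ValueError(f"unsupported TimeSpan value: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def read_setting(config_xml, element, attribute, default):
    """Read one system.transactions attribute, falling back to the .NET default."""
    node = next(ET.fromstring(config_xml).iter(element), None)
    value = node.get(attribute) if node is not None else None
    return parse_timespan(value) if value else default


def effective_timeout(machine_config_xml, web_config_xml):
    """Return (effective, maximum, requested); zero means 'no limit'."""
    maximum = read_setting(machine_config_xml, "machineSettings", "maxTimeout", DEFAULT_MAX)
    requested = read_setting(web_config_xml, "defaultSettings", "timeout", DEFAULT_TIMEOUT)
    # A non-zero maximum caps any request that is longer or unlimited.
    if maximum != ZERO and (requested == ZERO or requested > maximum):
        return maximum, maximum, requested
    return requested, maximum, requested


def review(machine_config_xml, web_config_xml, needed):
    """Return (effective, notes) for a transaction expected to run for `needed`."""
    effective, maximum, requested = effective_timeout(machine_config_xml, web_config_xml)
    notes = []
    if effective != requested:
        notes.append(f"web.config timeout {requested} is capped at machine.config maxTimeout {maximum}")
    if maximum != ZERO and needed > maximum:
        notes.append(f"raise machine.config maxTimeout from {maximum} to at least {needed}")
    if requested != ZERO and needed > requested:
        notes.append(f"raise web.config timeout from {requested} to at least {needed}")
    return effective, notes


def config(element, attribute, value):
    """Build a constructed configuration fragment for the demo."""
    return (f"<configuration><system.transactions>"
            f'<{element} {attribute}="{value}" />'
            f"</system.transactions></configuration>")


# Constructed samples for the five hour case described above.
FIVE_HOURS = timedelta(hours=5)
MACHINE_DEFAULT = "<configuration />"  # maxTimeout not set: ten minutes applies
MACHINE_RAISED = config("machineSettings", "maxTimeout", "05:00:00")
WEB_SHORT = config("defaultSettings", "timeout", "00:10:00")
WEB_LONG = config("defaultSettings", "timeout", "05:00:00")

if __name__ == "__main__":
    cases = [("only web.config raised", MACHINE_DEFAULT, WEB_LONG),
             ("only machine.config raised", MACHINE_RAISED, WEB_SHORT),
             ("both raised", MACHINE_RAISED, WEB_LONG)]
    for name, machine, web in cases:
        effective, notes = review(machine, web, FIVE_HOURS)
        print(f"{name}: effective {effective}; {notes or 'no changes needed'}")
```

Only the third case, with both files raised, yields the five hour limit; raising one file alone leaves the effective timeout at ten minutes.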
If you regularly run large reports, set up SQL Server Reporting Services (SSRS) to either use a longer report timeout
duration or never time out reports. To do this, modify options within the Site Settings page
on your report server.
1. On your server, run the Reporting Services Configuration Manager. To do this, click Start > All Programs
> Microsoft SQL Server 2012 > Configuration Tools > Reporting Services Configuration Manager.
2. In the Reporting Services Configuration Connection window, enter the Server Name and a Report
Server Instance for the server that handles SSRS reporting for your system. Click Connect.
3. In the left pane, click the Report Manager URL icon. The Report Manager URL screen displays.
4. Click the URLs hyperlink to display SQL Server Reporting Services in your internet browser.
5. A login window displays. Enter a Windows user account that has permissions to view the SSRS site. Click
OK.
6. On the Home page for SQL Server Reporting Services, in the upper right corner, click the Site Settings
hyperlink.
7. On the Site Settings page, locate the Report Timeout radio button options. Select one of the following
options:
a. Select the Do not timeout report option to prevent SSRS from stopping reports from generating.
b. Select the Limit report processing to the following number of seconds option to increase how long
SSRS can run while it generates reports. Then enter how many more seconds each report can run before
it times out.
8. Click Apply.
Additional information is available at the Education and
Documentation areas of the EPICweb Customer Portal. To access
this site, you need a Site ID and an EPICweb account. To create an
account, go to http://support.epicor.com.