
Security Guidelines

Why securing your Sage X3 on-premise architecture is not optional
Customer details, financial records, staff information – you probably store lots of sensitive data using your
business software. That might be stored on your own servers if you have in-house systems, or outside your
business if you use cloud computing services.
With Sage X3 Cloud, maximum security of your data is part of the deal you get. But what if you choose to
install Sage X3 as an on-premise instance, or if you host it with a non-Sage managed cloud provider?
Wherever your data is, it is important that you take a multi-layered, industry-proven approach to keep your data
where it belongs and as secure as possible. This document reviews the main controls you should
implement to secure your data.

General Guidelines
Always use https if your server is visible on the Internet
Sage X3 is a Web application that can be accessed using an http or an https connection. Although http is
available, we recommend you always use https for production instances, especially if your Sage X3
instance is accessed from the public Internet.

Change default passwords, and use strong ones!
Make sure you change the default Sage X3 Administrator password after the application is set up. Always
make sure you use a strong password for the Administrator account.

Always use advanced authentication on a production instance
Sage X3 supports several state-of-the-art services such as LDAP and OAuth2, and these should be used for
user authentication on production instances, or on any instance holding sensitive data for that matter. Please
review the Sage X3 guides on setting up advanced authentication for more details.
We do not recommend using basic authentication (user/password) except on implementation or test
instances. Even then, make sure those instances do not contain any sensitive data. Basic authentication
exposes you to insider and outsider threats.

Secure your servers with tight user access rights
The servers that host X3 components contain configuration files and other data that are vulnerable to
insider threats. Administrators should be the only persons allowed to log into the servers. Folders on the
servers should not be accessible by normal users (via network shares, for example). Set up users for Sage
X3 administration with just the right access to the relevant directories. Do not mix Server Administrators with
Sage X3 Administrators.

Use local firewalls
Use local firewalls on your Sage X3 server(s) to block any IP port that is not needed for Sage X3 operation
or for user access. Typically, if all Sage X3 components are installed on a single server, Sage X3 only
needs the http or https port to function. On a multiple-server installation, you need to open the ports or ranges of
ports that Sage X3 components use to communicate with each other.

Sage X3 Security Guidelines 1/2


Building a Secure Internet Architecture
The architecture you implement is key to your security, especially if your system will be accessed from the
public internet. Connecting your systems so they are available from the Internet involves deciding which
servers and ports need to be seen from the outside world, and how any of the queries coming from the
outside world are intercepted, translated and directed to those servers and ports if eligible. This
will involve equipment such as a firewall, which sits between your internal network and the internet to
intercept incoming queries and forward them to the proper servers inside your network, or a Demilitarized
Zone (DMZ), a physical or logical network area that isolates your LAN from the Internet. The firewall is the
guard at your DMZ's "checkpoints".

Do not simply open your server to the Internet.

Recommended firewall settings if your instance is visible on the Internet¹

Which servers and ports to open from the outside? The answer is simple: just one. Sage X3 uses several
components that communicate together through IP ports. The only port that actually needs to be accessed
by users for Sage X3 to operate is the http or https port (Defaults: 8124 or 843). All other ports can be
(and must be) protected from external access, especially if the server is accessible from the Internet.
The MongoDB port (Default: 27017) and ElasticSearch port (Default: 9200) are some examples of those
ports that should not be available.

… Just one port: https.
Ideally, your X3 https port (remember, that’s the only thing that needs to be seen by users) should not be
reachable directly from the public internet, but rather through a DMZ and reverse proxy, such as you can
see in this example illustrating one of many possibilities:

If you do not wish to set up a reverse proxy (not recommended!), the only server you need to expose is the
Web (Syracuse) server, with all ports protected except https and with the strongest possible authentication
service (not basic!). All other servers should be placed safely in your LAN.

Takeaway: Never open a server to the public internet without filtering the ports using a firewall.
Only allow the Sage X3 https port through. Nothing else is needed.

¹ These recommendations apply if you are setting up a Sage X3 instance that will be accessed from the public Internet. You do not
need to set up a DMZ and external firewalls if you are using Sage X3 from your internal LAN only.