General Guidelines
Always use https if your server is visible on the Internet
Sage X3 is a Web application that can be accessed using an http or an https connection. Although http is
available, we recommend you always use https for production instances, especially if your Sage X3
instance is accessed from the public Internet.
Which servers and ports to open from the outside? The answer is simple: Just one. Sage X3 uses several
components that communicate together through IP ports. The only port that actually needs to be accessed
by users for Sage X3 to operate, is the http or https
… Just one port: https. port (Defaults: 8124 or 843). All other ports can be
(and must be) protected from external access,
especially if the server is accessible from the Internet.
The MongoDB port (Default: 27017) and ElasticSearch port (Default: 9200) are some examples of those
ports that should not be available.
Ideally, your X3 https port (remember, that’s the only thing that needs to be seen by users) should not be
reachable directly from the public internet, but rather through a DMZ and reverse proxy, such as you can
see in this example illustrating one of many possibilities:
If you do not wish to set up a reverse proxy (not recommended!), the only server you need to expose is the
Web (Syracuse) server, with all ports protected except https and with the strongest possible authentication
service (not basic!). All other servers should be placed safely in your LAN.
Takeaway: Never open a server to the public internet without filtering the ports using a firewall.
Only allow the Sage X3 https port through. Nothing else is needed.
1These recommendations apply if you are setting up a Sage X3 instance that will be accessed from the public Internet. You do not
need to set up a DMZ and external firewalls if you are using Sage X3 from your internal LAN only.
Sage X3 Security Guidelines 2/2