We are frequently asked what server architecture is required for Unit4 ERP Mobile Apps. The reason is that most on-premise Unit4 ERP systems are only directly accessible from the Local Area Network, while connections to the Mobile Apps module are generally made from a mobile phone or tablet that is not on the company network but simply connected to the internet, either over home broadband or 4G.
Therefore, unless you are going to enforce a policy that Mobile Apps can only be used by mobile devices that first connect to the company network via VPN, then an internet facing server is required.
There are three common configurations that can be used to achieve this.
- Existing Unit4 ERP Web Server
- Dedicated Mobile Apps Server
- Reverse Proxy Server
Each Mobile App will connect to a specific Web Service and these are configured in the Unit4 Management Console. Each Web Service will simply be a specific URL address that is hosted by Windows Server IIS.
Please note that specific port numbers are not used in the following diagrams. Port 1433 is the default port for SQL Server but would be different if SQL Server was installed with a named instance. Additionally, some organisations will manually change the port number from 1433 for security reasons. For organisations using Oracle, the port would typically be 1521. But to avoid confusion the port number for the database server is just termed as DB Port.
Unit4 ERP offers the choice to store images and files either in the database (the default setting) or in a Windows directory. When they are stored in a Windows directory, the Document Archive Web Service handles saving and retrieving the documents from the Windows file share. This Web Service normally runs on the Unit4 ERP Application server and by default listens on port 5078 if configured with HTTPS or 7078 if configured with HTTP.
Therefore, if you are using a Mobile App that uploads images to the Windows file share, such as receipt images in the Expenses module, and your system is configured so that documents are stored outside the database, then in the first two configurations below the Mobile Apps server needs to connect to the Application server on port 5078 or 7078 over the internal network. For Reverse Proxy configurations this is not required.
Please note that although this service normally runs on the Unit4 ERP Application server, it can be installed on the Unit4 ERP Web Server. It is therefore best to verify whether it is actually used, which server it is running on and which port number is in use.
1 Existing Unit4 ERP Web Server
If the existing Unit4 ERP Web Server is internet facing then it is simply a case of configuring the Mobile Apps module on that server and this is the simplest option. However, the vast majority of on-premise Web Servers are not internet facing.
Setting the existing Web Server to be internet facing just so that Mobile Apps can be deployed is not a good solution, as you are also exposing the Web Client to the internet. The Mobile App modules are very limited in what they can access in Unit4 ERP, while the Web Client provides access to far more of the system and far more functionality.
2 Dedicated Mobile Apps Server
Using a dedicated Windows Server just for Mobile Apps is a common solution. The server is in the DMZ (internet facing, but with only limited access to the local area network). The server runs IIS and has Unit4 ERP installed on it. The only functionality configured in the Management Console for this server is Mobile App connectivity. Its internal connections to the local area network are to the database server and, potentially, to the server running the Document Archive service.
3 Reverse Proxy Server
The reverse proxy server will be in the DMZ and have internal access to the Unit4 ERP Web Server(s) on either port 80 or 443. The reverse proxy server will handle all client connections and transparently pass them to the internal Web Server, which has the Mobile Apps module configured.
A Reverse Proxy server can be used for Mobile Apps or any standard Web Server. External users only connect to the Reverse Proxy server and know nothing about the Unit4 ERP Web Server that is carrying out the actual processing of requests which is on the internal network. The Reverse Proxy server simply handles requests and forwards them on to the internal Web Server and then likewise handles the traffic back to the client device that initiated the request.
If you are not familiar with Reverse Proxy please don’t confuse it with HTTP redirect. The latter simply redirects you to another URL address. With Reverse Proxy the end user only ever connects to the Reverse Proxy server.
A Reverse Proxy server can be a Windows Server or Linux Server running Reverse Proxy software or it could be a hardware device that acts as a Reverse Proxy server.
In an environment that runs in this configuration, the Reverse Proxy server has port 443 (SSL) open to the internet and needs to connect to the internal Unit4 ERP Web Server on either port 80 (HTTP) or port 443 (HTTPS). Although it would seem more secure for the connection between the Reverse Proxy and the internal Web Server to be encrypted on port 443, using a non-encrypted connection to port 80 on the internal server is known as SSL offloading. Connecting to port 80 means that the internal server does not carry the CPU overhead of encrypting and decrypting traffic. From a security point of view, it can be argued that SSL offloading introduces no issues, because the unencrypted traffic only runs from the internal interface of the Reverse Proxy to the Web Server, so it stays on the local area network and does not require encryption. Whether you use SSL offloading or connect internally over SSL is down to your own internal security policies, but both methods work fine. Obviously, if you want the traffic between the Reverse Proxy server and the internal Web Server to be encrypted, you will need an SSL certificate on the internal Web Server.
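To make the firewall consequences of the three configurations concrete, here is an added Python example (not Unit4 code or part of the original article) that lists the network flows each option needs, including the conditional Document Archive connection on 5078/7078 and the SSL offloading versus re-encryption choice for the reverse proxy. The host names and the database port are constructed placeholders; the port numbers come from the article.

```python
"""Model of the network flows each Unit4 ERP Mobile Apps deployment option needs.

Added example, not Unit4 code. Host names and the DB port are constructed
placeholders; ports 80/443, 5078/7078 and the 1433 default are from the article.
"""
from dataclasses import dataclass

# Constructed placeholder names for the roles in the article's diagrams.
INTERNET = "internet"
DMZ_SERVER = "mobileapp.example.co.uk (DMZ)"  # placeholder, not a real host
WEB_SERVER = "internal-web-server"
APP_SERVER = "internal-app-server"
DB_SERVER = "internal-db-server"


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    port: int
    reason: str


def document_archive_flow(source, docs_in_database, archive_host, archive_https):
    """Flow to the Document Archive Web Service, or None when not needed.

    Only needed when files live in a Windows directory rather than the database.
    The service defaults to 5078 (HTTPS) / 7078 (HTTP) and usually runs on the
    Application server, but may have been installed on the Web Server, so the
    host is a parameter rather than an assumption.
    """
    if docs_in_database:
        return None
    port = 5078 if archive_https else 7078
    return Flow(source, archive_host, port, "Document Archive Web Service (receipt images etc.)")


def required_flows(configuration, *, docs_in_database=True, archive_host=APP_SERVER,
                   archive_https=True, db_port=1433, proxy_to_backend_https=False):
    """Return the flows the firewall must allow for configuration 1, 2 or 3.

    db_port defaults to 1433 but is a parameter because a named SQL Server
    instance, a deliberately changed port, or Oracle (typically 1521) differ.
    """
    flows = []
    if configuration == 1:
        # Existing Web Server made internet facing: the Web Client is exposed too.
        flows.append(Flow(INTERNET, WEB_SERVER, 443, "Mobile Apps AND Web Client exposed"))
        flows.append(Flow(WEB_SERVER, DB_SERVER, db_port, "database (DB Port)"))
        archive = document_archive_flow(WEB_SERVER, docs_in_database, archive_host, archive_https)
    elif configuration == 2:
        # Dedicated DMZ server: only the Mobile Apps module is reachable.
        flows.append(Flow(INTERNET, DMZ_SERVER, 443, "Mobile Apps only"))
        flows.append(Flow(DMZ_SERVER, DB_SERVER, db_port, "database (DB Port)"))
        archive = document_archive_flow(DMZ_SERVER, docs_in_database, archive_host, archive_https)
    elif configuration == 3:
        # Reverse proxy: the proxy only ever talks to the internal Web Server,
        # which keeps its existing database and Document Archive connectivity.
        flows.append(Flow(INTERNET, DMZ_SERVER, 443, "reverse proxy, Mobile Apps only"))
        backend_port = 443 if proxy_to_backend_https else 80
        flows.append(Flow(DMZ_SERVER, WEB_SERVER, backend_port,
                          "re-encrypted to backend" if proxy_to_backend_https else "SSL offloading"))
        archive = None
    else:
        raise ValueError("configuration must be 1, 2 or 3")
    # No firewall rule is needed when the archive service runs on the source host itself.
    if archive is not None and archive.source != archive.destination:
        flows.append(archive)
    return flows


def render(flows):
    """Human-readable rule list, one line per flow."""
    return [f"{f.source} -> {f.destination}:{f.port}  # {f.reason}" for f in flows]


if __name__ == "__main__":
    for cfg in (1, 2, 3):
        print(f"Configuration {cfg}, documents stored outside the database:")
        for line in render(required_flows(cfg, docs_in_database=False)):
            print("  " + line)
```

Run it to compare the three rule sets side by side; the Document Archive line only appears for configurations 1 and 2, and only when `docs_in_database=False`.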
Apart from an internet-facing server, you also need to set up external DNS for the server. This means giving the server a name such as mobileapp.intersect.co.uk, where intersect.co.uk is your organisation's domain name.
An SSL certificate is required to encrypt traffic from the mobile device to the server. Please don't use a self-signed SSL certificate, even for testing, as they can cause a lot of issues. The Mobile Apps expect to connect to a server presenting an SSL certificate from a Certificate Authority such as Comodo or Symantec.
Wildcard SSL certificates work fine in all configurations.
There is no standard option in this configuration to use two-factor authentication (2FA) involving Authenticator codes or codes sent to the end user by text (there is with the standard Unit4 ERP Web Client). If this type of 2FA is essential, it can be achieved by using Unit4 Identity Services (U4IDS), a paid-for subscription service which then allows you to use Microsoft Azure 2FA, for example. For more information on how this works and on pricing, please contact Unit4.
The Mobile App does support client certificates, which are an alternative form of 2FA. Although a client certificate conforms to X.509, it differs from a normal SSL certificate in that it is not used to encrypt the traffic; it simply proves the identity of the connecting client to the server. The client certificate(s) are created on the Web Server and then issued to mobile devices, web browsers and so on. A password is usually required to install the certificate. Any connection to the Web Server requires that the connecting device has the relevant client certificate installed. If the certificate is not present, no connection can be made to the Web Server.
The use of client certificates is widespread throughout the IT industry, and in this case it is a feature of the Web Server you are connecting to, not something specific to the Mobile App.
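The certificate requirements above (a CA-issued rather than self-signed certificate, a name that covers the external host, wildcards being acceptable) and the client-certificate option can be checked from the administrator's side before the app is rolled out. The following is an added Python example using only the standard library; it is not Unit4 code and not part of the original article. `hostname_matches`, `classify_certificate`, `fetch_certificate` and `check_host` are names chosen here, the `*.example.co.uk` certificates are constructed samples in the format `ssl` returns, and the client-certificate file names are placeholders.

```python
"""Pre-flight checks for the certificate an internet-facing Mobile Apps host presents.

Added example, not Unit4 code. Standard library only. Sample certificate dicts
below are constructed in the format ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import time


def hostname_matches(pattern, hostname):
    """Wildcard match: '*.' covers exactly one leftmost label, nothing more."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_to_dict(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure."""
    return {key: value for rdn in rdns for key, value in rdn}


def classify_certificate(cert, hostname, now=None):
    """Return a list of findings; an empty list means nothing objectionable."""
    findings = []
    if _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"]):
        findings.append("self-signed certificate (subject equals issuer); use a CA-issued one")
    if not any(hostname_matches(name, hostname) for name in san_dns_names(cert)):
        findings.append(f"no subjectAltName entry covers {hostname}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if (time.time() if now is None else now) >= not_after:
        findings.append(f"certificate expired ({cert['notAfter']})")
    return findings


def fetch_certificate(hostname, port=443, client_cert=None, client_key=None, key_password=None):
    """TLS-connect with normal CA verification, optionally presenting a client certificate.

    Raises ssl.SSLCertVerificationError when the server certificate is untrusted
    (self-signed or unknown CA) and ssl.SSLError when the Web Server requires a
    client certificate that was not supplied. key_password is the password set
    when the client certificate was issued to the device.
    """
    context = ssl.create_default_context()
    if client_cert:
        context.load_cert_chain(client_cert, client_key, key_password)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_host(hostname, **kwargs):
    """Findings for a live host; a trust failure is itself the finding."""
    try:
        cert = fetch_certificate(hostname, **kwargs)
    except ssl.SSLCertVerificationError as exc:
        return [f"server certificate not trusted by the client: {exc.verify_message}"]
    except ssl.SSLError as exc:
        return [f"TLS handshake failed (client certificate required?): {exc}"]
    return classify_certificate(cert, hostname)


# Constructed samples (not real certificates): a CA-issued wildcard and a self-signed one.
GOOD_CERT = {
    "subject": ((("commonName", "*.example.co.uk"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "*.example.co.uk"), ("DNS", "example.co.uk")),
    "notAfter": "Jan 10 00:00:00 2035 GMT",
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "mobileapp.example.co.uk"),),),
    "issuer": ((("commonName", "mobileapp.example.co.uk"),),),
    "subjectAltName": (("DNS", "mobileapp.example.co.uk"),),
    "notAfter": "Jan 10 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    for label, cert in (("wildcard CA cert", GOOD_CERT), ("self-signed cert", SELF_SIGNED_CERT)):
        print(label, "->", classify_certificate(cert, "mobileapp.example.co.uk") or "OK")
    # Against a real host: check_host("mobileapp.example.co.uk")  # placeholder name
    # With a client certificate issued by the Web Server (placeholder file names):
    # check_host("mobileapp.example.co.uk", client_cert="device.pem", key_password="...")
```

`classify_certificate` runs offline on the constructed samples; `check_host` performs the same checks against a live host and additionally surfaces the two failure modes the article warns about, an untrusted (for example self-signed) server certificate and a Web Server that refuses the handshake because no client certificate was presented.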