Connecting the RoleTailored Client over a Wide Area Network

Microsoft Dynamics NAV

Connecting the RoleTailored Client over a Wide Area Network White Paper

December 2010

Contents

Connecting the RoleTailored Client over a Wide Area Network ... 1
Using Certificates to Secure a Remote RoleTailored Client Connection ... 3
Walkthrough: Implementing Security Certificates in a Test Environment ... 3
How to: Implement Security Certificates in a Production Environment ... 8
Performance Considerations ... 11

Connecting the RoleTailored Client over a Wide Area Network

This white paper describes how to implement a secure RoleTailored client connection to Microsoft Dynamics NAV Server over a wide area network (WAN). The RoleTailored client and Microsoft Dynamics NAV Server can be in the same or separate Active Directory domains. This white paper also discusses some performance benchmarks that you should consider before implementing a WAN connection. For updates on this process and other information about hosting and WAN connections, see the Microsoft Dynamics NAV Team Blog and search for the terms hosting and performance.

Assumptions

This white paper assumes the following:

Remote client users do not require the Classic client. This means that reports that have not been transformed for the RoleTailored client are not available to remote RoleTailored client users.



User accounts are provisioned in an Active Directory domain, and SQL Server and Microsoft Dynamics NAV Server are installed on a computer in this domain.



The administrator who is implementing this configuration is a member of the domain administrator group in this domain.



On the computer running Microsoft Dynamics NAV Server, a DNS entry that resolves to the published server port on the computer’s firewall exists for Microsoft Dynamics NAV Server.



If the RoleTailored client or Microsoft Dynamics NAV Server is behind a firewall, then you must have opened a port for communication with Microsoft Dynamics NAV Server on the RoleTailored client computer and published the port on the Microsoft Dynamics NAV Server computer. The default port number is 7046.



The RoleTailored client and Microsoft Dynamics NAV Server are configured as described in the Walkthrough: Installing the Three Tiers on Three Computers topic in the MSDN Library.

Procedural Overview

This white paper includes instructions for protecting WAN connections with security certificates. We recommend that you do not implement remote access without security certificates.

To read about the certificate security implementation that is presented in this white paper, see "Using Certificates to Secure a Remote RoleTailored Client Connection".

To follow a detailed demonstration of how to set up an environment for testing secure connections over a WAN by using the chain trust configuration, see "Walkthrough: Implementing Security Certificates in a Test Environment".

To learn how to implement security certificates in a production environment, see "How to: Implement Security Certificates in a Production Environment".

To determine whether your users fit the performance profile for running the RoleTailored client over a WAN, see "Performance Considerations".

CONNECTING THE ROLETAILORED CLIENT OVER A WIDE AREA NETWORK


Deployment Illustration

This illustration shows how a computer running the RoleTailored client in one Active Directory domain can connect to an instance of Microsoft Dynamics NAV Server in another domain.

Using Certificates to Secure a Remote RoleTailored Client Connection

You can use service certificates to secure RoleTailored client connections over a wide area network (WAN). Microsoft Dynamics NAV 2009 R2 can support the following configurations:

Chain trust, which specifies that each certificate must belong to a hierarchy of certificates that ends in a root authority at the top of the chain.



Peer trust, which specifies that both self-issued certificates and certificates in a trusted chain are accepted.

This white paper describes the chain trust configuration, which is the more secure option. In a production environment, you implement chain trust by obtaining X.509 service certificates from a trusted provider. These certificates and their root certification authority (CA) certificates must be installed in the certificates store on the computer running Microsoft Dynamics NAV Server. The CA certificate must also be installed in the certificate store on computers running the RoleTailored client so that clients can validate the server.

Note: This white paper does not use the term Secure Sockets Layer (SSL) to describe the implementations. Although these implementations do use the public and private key infrastructure of SSL and SSL certificates, they use Windows Communication Foundation (WCF) transport-level security (TLS) over the TCP/IP protocol instead of https. This means that they are not strict SSL implementations.

Walkthrough: Implementing Security Certificates in a Test Environment

In this walkthrough, you set up an environment to test integration of certificates into a configuration for connecting computers running the RoleTailored client to Microsoft Dynamics NAV Server instances over a wide area network (WAN) with the chain trust configuration.

Prerequisites

To complete this walkthrough, you will need:

The Certificates snap-in for Microsoft Management Console (MMC). If you do not already have this snap-in installed, then follow these steps:
1. Click Start, click Run, and then type Mmc.exe.
2. In the console, on the File menu, click Add/Remove Snap-in.
3. In the Add Standalone Snap-in dialog box, select Certificates, click Computer Account, click Local Computer, and then click Add.



The makecert.exe utility. For more information, see Certificate Creation Tool (Makecert.exe) in the MSDN Library.

Configuring Microsoft Dynamics NAV Server

You create and install a root certification authority (CA) and a server certificate on the computer running Microsoft Dynamics NAV Server.

To create a root CA and a private key file with the makecert.exe utility

1. Create a temporary folder to use when you work with certificates.
2. Click Start, point to All Programs, and then click Accessories. Right-click Command Prompt, and then click Run as administrator.
3. At the command prompt, locate the temporary directory.
4. Type the following command.

   makecert -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.cer

5. When you are prompted, enter a password. You need this password to create the service certificate.
6. The RootNavServiceCA.cer certificate file and the RootNavServiceCA.pvk private key are saved in your temporary folder.

To use the Certificates snap-in to install the root CA on the computer running Microsoft Dynamics NAV Server

1. Start the Certificates snap-in for the MMC on the computer running Microsoft Dynamics NAV Server, and then add the Certificates snap-in.
2. In the Certificates snap-in dialog box, click Computer account, and then click Next.
3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.
4. Click OK to close the Add or Remove Snap-ins dialog box.
5. In the left pane of the MMC, expand the Certificates (Local Computer) node.
6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.
7. In the Certificate Import Wizard, on the Welcome page, click Next.
8. On the File to Import page, click Browse.
9. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then click Open.
10. On the File to Import page, click Next.
11. On the Certificate Store page, accept the default selection, and then click Next.
12. On the Completing the Certificate Import Wizard page, click Finish.

The RootNavServiceCA certificate is now visible in the list of trusted root CAs.

You now create a certificate revocation list for the root certification authority and install the certificate revocation list on the computer running Microsoft Dynamics NAV Server. A certificate revocation list is required because WCF applications check the revocation list when validating certificates.

To create a certificate revocation list for the root certification authority

1. At the command prompt, type the following command:

   makecert -crl -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.crl

2. When you are prompted, enter the password that you used to create the root CA.

To install the certificate revocation list on the computer running Microsoft Dynamics NAV Server

1. In the Certificates snap-in, in the left pane of the MMC, expand the Certificates (Local Computer) node.
2. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.
3. In the Certificate Import Wizard, on the Welcome page, click Next.
4. On the File to Import page, click Browse.
5. In the File Type field, select Certificate Revocation List (*.crl).
6. Browse to the location of the RootNavServiceCA.crl file, select the file, and then click Open.
7. On the File to Import page, click Next.
8. On the Certificate Store page, accept the default selection, and then click Next.
9. On the Completing the Certificate Import Wizard page, click Finish.
10. Select the Trusted Root Certificate Authorities node, and then refresh the MMC snap-in.

A Certificate Revocation List folder that contains the RootNavServiceCA.crl file has been created.

To create and install a test certificate for the Microsoft Dynamics NAV Server service

1. At the command prompt, type the following command:

   makecert -sk NavServiceCert -iv RootNavServiceCA.pvk -n "CN=NavServiceCert" -ic RootNavServiceCA.cer -sr localmachine -ss my -sky exchange -pe NavServiceCert.cer

   Note: This command specifies the subject's certificate name as NavServiceCert. You need this certificate name when you configure the RoleTailored client.

2. When you are prompted, enter the password that you used to create the root CA.
3. Select the Trusted Root Certificate Authorities node, and then refresh the MMC snap-in.

You now have the NavServiceCert.cer certificate file in your temporary folder. The certificate is installed under the Personal node in the Certificates snap-in.

To grant access to the certificate's private key to the service account for Microsoft Dynamics NAV Server

1. In the left pane of the MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
2. In the right pane, right-click the NavServiceCert certificate, click All Tasks, and then click Manage Private Keys.
3. In the Permissions for NavServiceCert private keys dialog box, click Add.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter NETWORK SERVICE, which is the name of the service account, and then click OK.

   Security Note: In a production environment, you run Microsoft Dynamics NAV Server under a dedicated domain user account instead of the less secure NETWORK SERVICE account. Because this is a test implementation, the NETWORK SERVICE account is acceptable.

5. Select Allow Full Control, and then click OK.
6. In the right pane, double-click the NavServiceCert certificate.
7. In the Certificate dialog box, click the Details tab, and then select the Thumbprint field.
8. Copy or note the value of the Thumbprint field.

To modify the Microsoft Dynamics NAV Server configuration file to support login over a WAN

1. Stop the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services. For more information, see How to: Configure Windows Services in the MSDN Library.
2. Open the CustomSettings.config file, which is the Microsoft Dynamics NAV Server configuration file. By default, this file is located in C:\Program Files\Microsoft Dynamics NAV\60\Service.
3. Modify the following key settings in the CustomSettings.config file.

   Key: ClientCredentialType
   New value: UserName
   Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials. Note: Consider using a dedicated Microsoft Dynamics NAV Server instance for remote connections so that this change does not affect local users.

   Key: CertificateThumbprint
   New value: Value of the Thumbprint field in the previous procedure
   Description: The default value is . Remove any leading or trailing spaces in the thumbprint.

4. Save and close the CustomSettings.config file.
5. Restart the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services. If you get an error, then see the Windows Event Viewer.
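As an added example (not part of the white paper), the following Windows PowerShell function checks on the Microsoft Dynamics NAV Server computer that the installed service certificate meets the chain trust requirements of the procedures above: it is in the machine Personal store with a private key, it builds a chain to a trusted root CA with a revocation check (WCF checks the CRL), and the service account has rights on the private key file. The subject name CN=NavServiceCert and the NETWORK SERVICE account are the walkthrough's test values; the MachineKeys path, the X509Chain build and the Get-Acl check are this example's own approach, not something the paper prescribes.

```powershell
# Added example, not from the white paper. Verifies a NAV service certificate against the
# chain trust requirements: Personal store, private key present, chain to trusted root with
# CRL check, service account allowed on the private key. Assumes a CAPI key (as makecert
# creates), whose container file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
function Test-NavServiceCertificate {
    param(
        [string]$SubjectName    = 'CN=NavServiceCert',               # walkthrough value
        [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE',    # production: dedicated domain account
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $SubjectName } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$SubjectName' in LocalMachine\My" }

    $problems = @()

    # makecert -sky exchange -pe installs a key exchange certificate together with its private key.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key is associated with the certificate' }

    # Build the chain the way a chain trust validator does, including the revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            $problems += ('chain: {0} ({1})' -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

    # Private key ACL: this is the ACL that "Manage Private Keys" edits for CAPI keys.
    $keyAccess = $null
    try   { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
    catch { $container = $null }   # CNG keys throw here in .NET Framework
    if ($container) {
        $keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
        $keyAccess = (Get-Acl -LiteralPath $keyPath).Access |
            Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }
        if (-not $keyAccess) { $problems += "'$ServiceAccount' has no Allow entry on the private key file" }
    } else {
        $problems += 'could not locate the private key container (no private key, or not a CAPI key)'
    }

    # .Thumbprint is the hex string without the spaces shown in the Certificate dialog,
    # which is the form the CertificateThumbprint key in CustomSettings.config expects.
    [pscustomobject]@{
        Subject    = $cert.Subject
        RootCA     = $rootSubject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyRights  = ($keyAccess | ForEach-Object { $_.FileSystemRights }) -join ', '
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

Test-NavServiceCertificate | Format-List
```

Run it in an elevated Windows PowerShell session on the server; a non-empty Problems list points at the step above that was skipped.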

Configuring the RoleTailored Client

With the chain trust configuration, only the root CA and the certificate revocation list must be installed for the RoleTailored client. To do this, complete these procedures on the computer running the RoleTailored client.

To install the root CA on the computer running the RoleTailored client

1. Start the Certificates snap-in for the MMC on the computer running the RoleTailored client, and then add the Certificates snap-in.

   Note: This procedure is identical to the one that you followed for installing the root CA on the computer running Microsoft Dynamics NAV Server.

2. In the Certificates snap-in dialog box, click Computer account, and then click Next.
3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.
4. Click OK to close the Add or Remove Snap-ins dialog box.
5. In the left pane of the MMC, expand the Certificates (Local Computer) node.
6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.
7. In the Certificate Import Wizard, on the Welcome pane, click Next.
8. On the File to Import page, click Browse.
9. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then click Open.
10. On the File to Import page, click Next.
11. On the Certificate Store page, accept the default selection, and then click Next.
12. On the Completing the Certificate Import Wizard page, click Finish.

To install the certificate revocation list on the computer running the RoleTailored client

1. Start the Certificates snap-in for the MMC on the computer running the RoleTailored client, and then add the Certificates snap-in.
2. In the Certificates snap-in dialog box, click Computer account, and then click Next.
3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.
4. Click OK to close the Add or Remove Snap-ins dialog box.
5. In the left pane of the MMC, expand the Certificates (Local Computer) node.
6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.
7. In the Certificate Import Wizard, on the Welcome page, click Next.
8. On the File to Import page, click Browse.
9. In the File Type field, select Certificate Revocation List (*.crl).
10. Browse to the location of the RootNavServiceCA.crl file, select the file, and then click Open.
11. On the File to Import page, click Next.
12. On the Certificate Store page, accept the default selection, and then click Next.
13. On the Completing the Certificate Import Wizard page, click Finish.

To edit the RoleTailored client configuration file to add certificate information

1. Open the ClientUserSettings.config configuration file. In Windows 7, Windows Vista, or Windows Server 2008, the location of this file is Users\\AppData\Local\Microsoft\Microsoft Dynamics NAV. In Windows Server 2003 or Windows XP, the location is Documents and Settings\\Local Settings\Application Data\Microsoft\Microsoft Dynamics NAV. This file is hidden by default, so you may need to change your folder options in Windows Explorer to view hidden files.
2. Modify the following settings.

   Key: ClientCredentialType
   New value: UserName
   Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

   Key: DnsIdentity
   New value: The subject name of the service certificate
   Description: The default value is . For this walkthrough, set the key to NavServiceCert.

3. Save and close the ClientUserSettings.config file.

When you start the RoleTailored client, you are prompted for a valid user name in the format domain\username and password for the server domain.
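As an added example (not from the white paper), this Windows PowerShell script applies the settings from the server table (ClientCredentialType, CertificateThumbprint) and the client table above (ClientCredentialType, DnsIdentity) by editing the two configuration files in place; the same keys are set in the production procedures later in this paper. It assumes both files store their settings as appSettings/add elements with key and value attributes, uses the default file locations given in the text, and the thumbprint is a constructed placeholder to be replaced with the Thumbprint field value.

```powershell
# Added example, not from the white paper. Sets the WAN-related keys in CustomSettings.config
# (server) and ClientUserSettings.config (client). Assumption: both files contain
# <appSettings><add key="..." value="..."/></appSettings>; adjust the XPath if yours differs.
function Set-NavConfigValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    [xml]$xml = Get-Content -LiteralPath $full -Raw
    $node = $xml.SelectSingleNode("//appSettings/add[@key='$Key']")
    if (-not $node) { throw "Key '$Key' not found in $full" }
    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', $Value)
    $xml.Save($full)
    '{0}: {1} ''{2}'' -> ''{3}''' -f (Split-Path $full -Leaf), $Key, $old, $Value
}

# The Thumbprint field is shown as space-separated byte pairs and may carry leading or
# trailing spaces; the server wants the bare 40 hex digits, so strip everything else.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Thumbprint '$Thumbprint' does not reduce to 40 hex digits (got '$clean')"
    }
    $clean
}

# --- Server side: run on the Microsoft Dynamics NAV Server computer with the services stopped ---
$serverConfig = 'C:\Program Files\Microsoft Dynamics NAV\60\Service\CustomSettings.config'
# Constructed placeholder value; paste the real Thumbprint field value here.
$thumb = ConvertTo-CleanThumbprint -Thumbprint ' 0A 1B 2C 3D 4E 5F 60 71 82 93 A4 B5 C6 D7 E8 F9 0A 1B 2C 3D '
Set-NavConfigValue -Path $serverConfig -Key 'ClientCredentialType'  -Value 'UserName'
Set-NavConfigValue -Path $serverConfig -Key 'CertificateThumbprint' -Value $thumb

# --- Client side: run as the user on the RoleTailored client computer ---
# $env:LOCALAPPDATA is the Users\<user>\AppData\Local folder named in the procedure (Windows 7 and later).
$clientConfig = Join-Path $env:LOCALAPPDATA 'Microsoft\Microsoft Dynamics NAV\ClientUserSettings.config'
Set-NavConfigValue -Path $clientConfig -Key 'ClientCredentialType' -Value 'UserName'
Set-NavConfigValue -Path $clientConfig -Key 'DnsIdentity'          -Value 'NavServiceCert'   # subject name of the service certificate
```

Each call prints the old and new value, which is a convenient record of what changed before the services are restarted.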

How to: Implement Security Certificates in a Production Environment

After you have installed and configured Microsoft Dynamics NAV Server and obtained a service certificate and a root certification authority (CA) from a trusted provider, you must install the certificates on the computer running Microsoft Dynamics NAV Server. Complete instructions are available from your certificate provider. The root CA certificate and the service certificate are used in the configuration, but client certificates are not. The root CA must be installed on the computer running Microsoft Dynamics NAV Server and all computers running the RoleTailored client. The service certificate must only be installed on the computer running Microsoft Dynamics NAV Server.

Most enterprises and hosting providers have their own infrastructure for issuing and managing certificates. You can also use these certificate infrastructures. The only requirement is that the service certificates must be set up for key exchange and therefore must contain both private and public keys.

Note: An instance of Microsoft Dynamics NAV Server that has been configured for secure WAN communication always prompts RoleTailored client users for authentication when they start the client, even when the client computer is in the same domain as Microsoft Dynamics NAV Server.

The following procedures use the Certificates snap-in for the Microsoft Management Console (MMC). If you do not already have this snap-in installed, then follow these steps:
1. Click Start, click Run, and then type Mmc.exe.
2. In the console, on the File menu, click Add/Remove Snap-in.
3. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

Configuring Microsoft Dynamics NAV Server

After you have installed the root CA and the service certificate on the computer running Microsoft Dynamics NAV Server, you must grant access to the service account that is associated with the server so that the service account can access the service certificate's private key. You must also change the configuration settings for Microsoft Dynamics NAV Server to enable remote logins.

To configure the computer running Microsoft Dynamics NAV Server

1. In the left pane of the MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
2. In the right pane, right-click the certificate, select All Tasks, and then click Manage Private Keys.
3. In the Permissions dialog box for the certificate, click Add.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated domain user account that is associated with Microsoft Dynamics NAV Server, and then click OK.
5. In the Full Control field, select Allow, and then click OK.
6. In the right pane, double-click the certificate.
7. In the Certificate dialog box, click the Details tab, and then select the Thumbprint field.
8. Copy or note the value of the Thumbprint field.
9. Stop the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.
10. Open the CustomSettings.config configuration file. By default, this file is located in C:\Program Files\Microsoft Dynamics NAV\60\Service.
11. Modify the following settings.

   Key: ClientCredentialType
   New value: UserName
   Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

   Key: CertificateThumbprint
   New value: Value of the Thumbprint field in the previous procedure
   Description: The default value is . Remove any leading or trailing spaces in the thumbprint.

12. Save and close the CustomSettings.config file.
13. Restart the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services. If you get an error, then see the Windows Event Viewer.

Configuring the RoleTailored Client

The chain trust configuration allows all users of the RoleTailored client on a computer to log on to one or more instances of Microsoft Dynamics NAV Server as long as their login credentials have been associated with user accounts in Microsoft Dynamics NAV. The client validates that the server certificate is signed with the root CA. After you have installed the root CA on the computer running the RoleTailored client, you need to edit the RoleTailored client configuration file.

To edit the RoleTailored client configuration file

1. Open the ClientUserSettings.config configuration file. In Windows 7, Windows Vista, or Windows Server 2008, the location of this file is Users\\AppData\Local\Microsoft\Microsoft Dynamics NAV. In Windows Server 2003 or Windows XP, the location is Documents and Settings\\Local Settings\Application Data\Microsoft\Microsoft Dynamics NAV. This file is hidden by default, so you may need to change your folder options in Windows Explorer to view hidden files.
2. Modify the following settings.

   Key: ClientCredentialType
   New value: UserName
   Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

   Key: DnsIdentity
   New value: The subject name of the service certificate
   Description: The default value is .

3. Save and close the ClientUserSettings.config file.

When you start the RoleTailored client, you are prompted for a valid user name in the format domain\username and password for the server domain.

Performance Considerations

You can use the information in this section to help decide whether the RoleTailored client over WAN option is appropriate for your organization. Specifically, this section should help you answer the following questions:

Do your users’ usage scenarios support running the RoleTailored client over a WAN?



What kind of performance can you expect when you run the RoleTailored client over a WAN?

Targeted Usage Scenarios

There are two primary scenarios for running the RoleTailored client over a WAN.

Mobile light-usage users. Salespeople who visit customers and look up order histories and take orders when they are at the customer site are examples of mobile light-usage users. These users want quick and easy access to data to support their primary tasks. This usage is typically not extensive, and users prefer to not have to log on to the company network through a virtual private network.



Hosted users. Multiple users who sit at one location and access Microsoft Dynamics NAV Server at a remote location are hosted users. These users do not have control of the installation, which is managed by a hosting provider.

For each scenario, the following assumptions are made: 

Each user has a download speed of at least 1 megabit per second and an upload speed of at least 200 kilobits per second.



Network latency is less than 200 milliseconds.



The RoleTailored client is running on a computer that cannot log on to an Active Directory domain controller, either in the domain where the RoleTailored client is installed or in the domain where Microsoft Dynamics NAV Server is installed. The RoleTailored client and Microsoft Dynamics NAV Server can be in the same Active Directory domain or in separate domains.

Performance Testing Results

Performance testing of these scenarios focused on latency and bandwidth. An environment where both latency and bandwidth could be throttled helped simulate different types of connectivity. The tests were based on 10 concurrent users posting 10 automated one-line sales orders with the RoleTailored client. This kind of measurement is not completely realistic because the order entry is so fast that the screen cannot render before the Post button is pressed. Therefore, if this is the benchmark load, then any real-life loads that involve similar operations will be slower.

Bandwidth that ranged from a 10-megabit download and 1-megabit upload connection to a 300-megabit download and 300-megabit upload connection, which is comparable to a local area network, was tested. Latencies that ranged from 0 milliseconds to 600 milliseconds were also tested. This range approximates connections from a fast LAN connection to a slow ADSL connection. The range also approximates a fast satellite connection, which would be between 500 milliseconds and 1000 milliseconds.

In the following graph, the x-axis from left to right shows the round-trip time added to the connection in milliseconds. The line that runs from the lower-left to the upper-right shows the latency, or response times. The other lines show the maximum kilobytes received per second, average kilobytes received per second, maximum kilobytes sent per second, and the average kilobytes sent per second.

The graph shows that latency linearly affects the response time. It also shows that a higher latency affects the ability to use the available bandwidth and that the "elbow" or optimum latency is between a latency of 100 milliseconds and 150 milliseconds.

In the following graph, the x-axis shows bandwidth per user, and the y-axis shows the response time for the 10 sales orders. On the bandwidth per user axis, 5/1 represents a 50-megabit upload and 10-megabit download connection, and 2/0.5 represents a 20-megabit download and 0.5 megabit upload connection.

The graph shows that the "elbow" or optimum bandwidth is between 1.50/0.3 megabits and 2/0.1. Additional tests show that the determining factor for these connections is the upload speed rather than download speed, and that the elbow is between 0.1 and 0.3 megabits per user for the tested scenarios. Because these tests targeted limited bandwidth scenarios, you can also have a single session use all available bandwidth for any kind of connection when you transfer a large file or run a large report.


For more information, see the "Microsoft Dynamics NAV 2009 R2 Hot Topic: RoleTailored Client for Remote and Roaming Users" session on the Partner Learning Center (requires Microsoft Partner Network login).


Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and streamlining financial, customer relationship, and supply chain processes in a way that helps you drive business success. U.S. and Canada Toll Free (888) 477-7989 Worldwide (1) (701) 281-6500

www.microsoft.com/dynamics

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2010 Microsoft. All rights reserved.