Hi,

Of course EP and the Web Application Framework are not as secure as what you would get by having a similar app run on the .Net platform with ASP.Net, as it has a lot of built-in security capabilities (for instance in the web server controls themselves) and makes use of the security stuff offered by the .Net platform. But having said that, there are actually quite a few B2C sites out there which are based on EP. And the Web Application Framework is pretty secure in my opinion, as it covers a lot of the attack surfaces known today, like input validation (SQL injection, buffer overflows and cross-site scripting) and parameter (querystring) manipulation.

But if you decide to go for a VPN/SSL setup, I will strongly recommend that you use Axapta's support for SSL. Even though it's not the most advanced support, it does work, and once you have implemented SSL in IIS (i.e. installed the certificate and set up a secure site) it's very easy to make the framework use it (by default SSL is only used by the menu item which is executed once you click Ok in EP's logon webform).

I am not sure which type of users you are targeting. Are the users defined in EP (which means that they will have to log on to EP) or do you target anonymous users? If you decide to go for the VPN solution and your users are defined in EP, you could try to enable single-sign-on in Axapta, which means that EP will automatically authenticate the user based on the credentials passed from the web server.

//Peter

From: Axapta-Knowledge-Village@yahoogroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Steeve Gilbert
Sent: 13. august 2007 23:20
To: Axapta-Knowledge-Village@yahoogroups.com
Subject: [Axapta-Knowledge-Village] Enterprise Portal on the Internet

Hi guys,

I'm using Ax 3.0. We are looking to provide access to Axapta for our client with the Enterprise Portal. That means exposing an IIS box with Enterprise Portal. Is the Enterprise Portal secure enough? Would you dare to expose that to the net? Does anyone have an idea to improve this setup?

Problem is my network admin is not too happy about going that way. He wants to put a VPN-SSL box between the firewall and IIS. The setup would look like this:

(Net)-->--[FireWall]-->--[VPN-SSL]-->--[IIS]

So the client will have to authenticate on the VPN-SSL with a user/password and I'll have to catch that username on the Enterprise Portal to log them in automatically so they don't have to log in a second time on IIS. That's where I'm a bit confused. I know I can use "Request.ServerVariables["AUTH_USER"]" in ASP to get the userName, but how do I "force" login to Axapta with that userName?

Sorry for the big email but I wanted to put in as much information as I can. If you have any experience with that, please feel free to comment on that subject.