Antivirus / Firewall Exclusions

SOLVED

Hello,

Is there a KB or anything that lists the antivirus and firewall exclusions required for Sage 300?   

I am looking primarily for those that apply to the application, but if there are any that also need to be applied to the SQL server (other than the standard MS SQL exclusions) I'd appreciate those too.

I have found some information online, but it is either outdated or it applies to other Sage products (e.g. Sage 50, Sage Accounts, etc.).

Thanks

Daniel

  • +1
    verified answer

    Hi Daniel,

    I'm not aware of any official comprehensive documentation regarding AV or firewall.

    In case it helps, read on for a basic recommendation.

    AntiVirus (AV) is a common cause of Sage 300 performance issues. The first thing we do when performance issues are raised is compare performance with AV enabled versus AV disabled.

    A basic recommendation for AV configuration is as follows:

    1. Disable all realtime scans of the Sage 300 Programs and Shared Data directories. This needs to be applied to all computers that access these directories.

    2. Configure scheduled scans of these directories on a schedule that doesn't impact day-to-day work.

    A basic recommendation for file permission configuration is as follows:

    1. Install Programs and Shared Data to separate directories

    2. Create a specific group for Sage 300 users.

    3. Set the Programs directory to Read Only, and the Shared Data directory to Read Write for this group.

    4. Create a separate "Custom" directory for custom reports/macros/executables/assemblies etc. and assign Read Only permissions for the Sage 300 users' group.

    As for firewall, configuration largely depends on your network and server configuration. Best Practice is to apply the Principle Of Least Privilege, i.e. only allow access to required addresses and ports, nothing else. Obviously Web Screens (Sage 300 2016 and up) require firewall access to port 443 of the web server. For public facing sites, consider a tri-homed firewall configuration.

    As for SQL Server, you'll obviously need to allow firewall access to port 1433 to all computers accessing Sage 300.

    You can also run Sysinternals' Procmon and TCPView to identify ports/paths etc. used by Sage 300.
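
The permission steps and the port 1433 rule from the answer above, as an added PowerShell example that is not part of the original thread. The group name, directory paths and client subnet are assumptions; the ACL part runs on the machine hosting the Sage 300 directories and the firewall rule on the SQL Server host.

```powershell
# Added example. Group name, paths and subnet are assumptions, not from the thread.
$Group    = 'Sage300Users'
$Programs = 'D:\Sage300\Programs'
$Shared   = 'D:\Sage300\SharedData'
$Custom   = 'D:\Sage300\Custom'
$Clients  = '10.0.10.0/24'          # constructed workstation subnet

# Step 2: dedicated group (local here; a domain group is granted the same way).
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Sage 300 users' | Out-Null
}

# Steps 3 and 4: read/execute on Programs and Custom, modify on Shared Data.
# (OI)(CI) lets the entry inherit to files and subfolders; /grant:r replaces
# any earlier explicit grant for this group instead of adding to it.
$grants = @(
    @{ Path = $Programs; Rights = 'RX' },
    @{ Path = $Custom;   Rights = 'RX' },
    @{ Path = $Shared;   Rights = 'M'  }
)
foreach ($g in $grants) {
    icacls $g.Path /grant:r "${Group}:(OI)(CI)$($g.Rights)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $($g.Path)" }
}

# The read-only grant is moot if a broad principal can still write, so report
# any such entry on the two directories that are meant to be read-only.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$write = [System.Security.AccessControl.FileSystemRights]::WriteData
foreach ($path in $Programs, $Custom) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       ($_.FileSystemRights -band $write) } |
        ForEach-Object { Write-Warning "$path is writable by $($_.IdentityReference)" }
}

# On the SQL Server host: allow TCP 1433 from the client subnet only.
# This narrows access only if no broader allow rule for 1433 already exists.
New-NetFirewallRule -DisplayName 'Sage 300 SQL (TCP 1433)' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $Clients -Action Allow | Out-Null
```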

  • 0 in reply to aslan.kanzas

    Thanks. We're working toward moving this new client off of a wide-open approach and into a fenced approach as you describe (both network, as well as permissions). It's a production system, however, so it's an ongoing incremental process.

    Port 443 and 1433 not an issue - as for the SQL I was just wondering if there were any server-side processes (stored procedures) that I would have to add exclusions for. From your answer - I'm going to assume no.

    Thanks for taking the time to answer - I appreciate it

    Daniel

  • 0 in reply to DWardCA

    Hi Daniel,

    Glad to help.

    There are a tonne of hardening techniques for SQL Server (e.g. from Microsoft, UC Berkeley etc.) which make very good sense, though they're largely generic in nature rather than specific to Sage 300. Ideally your Customer's IT Vendor and/or Security Consultants will be taking these generic hardening techniques for SQL Server into consideration.