
Security - External Users - Configuring External User Security

Updated over 2 months ago

Infrastructure considerations

If you are going to allow external users access to your Coins ERP+ system over the Internet, we recommend that you have the WebServer on a computer that is separate from the Coins ERP+ database. If you only intend to allow external users access over a VPN (Virtual Private Network) or similar arrangement, having the WebServer and Coins ERP+ database on the same computer should be acceptable.

Identifying Extranet access

Specifying internal IP addresses

Set the value of the SY parameter INTIPS to a can-do list of valid internal IP addresses. These would typically be IP addresses within your firewall. This could be a list of individual IP addresses, for example:

123.45.67.44,123.45.67.49

or a mask, using wildcards:

123.45.67.*

Anyone who logs in to Coins ERP+ from an IP address that matches the INTIPS list is treated as an internal user, regardless of whether they are identified as an Extranet user (see Identifying Extranet users).

Identifying Extranet users

On the user record of each user you want to allow to log in as an Extranet user, tick the Extranet User box.

User Maintenance – Extranet User Field

If someone tries to log in from an external IP address (that is, not one of those specified by INTIPS), they will be allowed access to Coins ERP+ if the Extranet User box is ticked, and they will be treated as an Extranet user. If someone tries to log in from an external address using an internal user ID, they will not be allowed access.

Restrict IPs for individual users

As an additional, optional check, you can specify the IP address(es) that any user is allowed to use to access Coins ERP+.

On the user record, enter the IP address (or list of addresses) in the Restricted IP field.

User Maintenance – Restricted IP Field

For example, this could be the IP address used by the company this user works for. This can include wildcards (for example: 123.45.67.*). This means that the user would only be allowed to access Coins ERP+ from within that company’s firewall, and would not have access from their home computer. Also, if they move to a different company they would no longer have access.

If the Restricted IP field is blank, the user will be allowed to access Coins ERP+ from any IP address (but still subject to the other security restrictions).

You can also use this feature for internal users, by entering the IP address of individual computers; this would mean the user can only access Coins ERP+ from a designated computer.

Finding out someone’s IP address

One way to establish the IP address of an external user is to ask them to type "What is my IP" in their preferred Internet search engine. This will typically return several pages that show their IP address.

This is the value you need to enter in the Restricted IP field.

To find the IP address of an internal user’s computer (one on your network):

  1. On the user’s computer, click Start then click Run.

  2. Type cmd then click OK.

  3. In the cmd screen, enter ipconfig.

This will display details like the following:

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Coins.local
IP Address. . . . . . . . . . . . : 195.40.14.116
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 195.40.14.10

The IP Address line shows the value you need to enter in the Restricted IP field if you want to make sure an internal user can only log in to Coins ERP+ from their computer.

Extranet user function access

Another optional check on the access allowed to Extranet users is to restrict the functions they are allowed to run. This is done by setting up a “dummy” user account, and granting access to only those functions you want an external user to use. An Extranet user will only be allowed to run a function if both their own user record and the “dummy” user record have access to that function. This means that there are two independent function security checks on external users, so even if a new Extranet user was set up inadvertently with ROOT access, they would still only be able to run the functions allowed for Extranet users.

  1. Set up the “dummy” user record (for example, set up a record with the User ID EXACCESS).

  2. Grant this user access to the functions you want Extranet users to be able to use. Do this in the same way as setting access for any other user or group.

  3. Set the value of the SY parameter EXTUSER to the user ID of this “dummy” user record (for example, EXACCESS).
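The following is an added example, not Coins ERP+ code: a small Python model of the login and function checks described on this page, useful for reasoning about a planned configuration before entering it. The user IDs, function names and external addresses are constructed, `*` is assumed to behave as a plain string wildcard, and the EXTUSER check is assumed to apply only to sessions treated as Extranet.

```python
from fnmatch import fnmatchcase

# Constructed sample configuration; users and function names are hypothetical.
INTIPS = "123.45.67.*"               # SY parameter INTIPS
EXTUSER_FUNCTIONS = {"INV_VIEW"}     # functions granted to the EXTUSER "dummy" record
USERS = {
    "staff":       {"extranet_user": False, "restricted_ip": "",
                    "functions": {"INV_VIEW", "PO_ENTRY"}},
    "supplier":    {"extranet_user": True, "restricted_ip": "198.51.100.*",
                    "functions": {"INV_VIEW"}},
    # Extranet user inadvertently given broad access (the ROOT case above).
    "overgranted": {"extranet_user": True, "restricted_ip": "",
                    "functions": {"INV_VIEW", "PO_ENTRY", "USER_MAINT"}},
}

def ip_matches(ip, patterns):
    """True if ip matches any entry of a comma-separated list ('*' wildcard)."""
    return any(fnmatchcase(ip, p.strip()) for p in patterns.split(",") if p.strip())

def classify_login(ip, user_id):
    """Return 'internal', 'extranet' or 'denied' for a login attempt."""
    user = USERS[user_id]
    # Optional Restricted IP check; a blank field allows any address.
    if user["restricted_ip"] and not ip_matches(ip, user["restricted_ip"]):
        return "denied"
    # An INTIPS match means internal, even if the Extranet User box is ticked.
    if ip_matches(ip, INTIPS):
        return "internal"
    # External address: only users flagged as Extranet users get in.
    return "extranet" if user["extranet_user"] else "denied"

def can_run(function, ip, user_id):
    """Apply the user's own function access, plus EXTUSER for Extranet sessions."""
    session = classify_login(ip, user_id)
    if session == "denied" or function not in USERS[user_id]["functions"]:
        return False
    if session == "extranet":
        # Second, independent check against the "dummy" user's access.
        return function in EXTUSER_FUNCTIONS
    return True   # assumption: internal sessions are not capped by EXTUSER
```

Because `*` is a string wildcard rather than a subnet mask, a pattern such as 123.45.6* would also match 123.45.60.1, so keep INTIPS and Restricted IP entries as specific as possible.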
