SKG Bank Communications Hub (BCH) FAQs
The Treasury Automation Suite uses a “hub” for bank communications and file security. Below are some common questions.
1: What is the purpose of the Bank Communications Hub?
In a production Dynamics 365F&O environment, there is no access to the underlying Azure virtual machine. Because of this, the BCH was created to store inbound and outbound bank files. In addition, it provides a platform for bank communications and/or file encryption.
2: What are its benefits?
- Secure file storage – The BCH machine provides locked-down security on inbound and outbound files. Sensitive banking files (inbound or outbound) should never be presented to the end user for modification or viewing. Web service, folder and file access should only be given to non-D365F&O users.
- Secure bank communications – SFTP software can be installed on the BCH (or can easily access the BCH) to support seamless inbound and outbound file communications with your bank.
- Automation – Many of the Treasury Automation Suite processes can be run in an unattended mode, by leveraging the D365F&O batch job system. The BCH provides a platform for processes and communications.
- Multi-environment file overwrite protection – “Sandbox” databases are frequently refreshed from production environments. The downside of this is that the inbound/outbound file paths in the sandbox database will still point to the production locations. The BCH solves this problem by storing the DNS value of each environment, and it tracks and stops these DNS mismatches.
- File logging – Accidental DNS mismatch errors (above) and payment file history can all be logged to monitor exceptions.
3: How is data transmitted between D365F&O and the Bank Communications Hub?
Through an https connection. The BCH must be installed with an SSL certificate from a Trusted Authority (the SSL or TLS protocol version used depends on what is available on both sides).
4: Where should the Bank Communications Hub reside?
It can reside in any virtual machine (VM). It can be on Azure, AWS, private hosted cloud or an on-premise VM. The only requirement is that the VM has access to the internet so it can interact with the Treasury Automation Suite in the production Dynamics 365F&O environment.
5: What are the minimal specs for the Bank Communications Hub machine?
The BCH needs a minimum configuration of Windows Server 2012 (or later) with IIS. SQL Server does not need to be installed on the VM. If using an Azure VM, an A1 (1.75 GB RAM, 40 GB disk space) or A2 (3.5 GB RAM, 60 GB disk space) machine is adequate. The disk space sizing will depend on the number and size of your banking files.
Hint: if installing BCH on an Azure VM, use a heftier machine (e.g. A4) during installation and setup. It will run much faster. Once you’re done with setup, downgrade to a minimal configuration to save on monthly costs.
6: Who should provision the Bank Communications Hub VM?
The BCH VM is owned and maintained by the D365F&O customer, not by SK Global Software. It is a private communications and file hub for the D365F&O instance. The D365F&O customer is the only one that has control over, and maintains security of, their own sensitive banking information. It should be set up by someone who is familiar with configuring IIS to create websites/web services. In many respects, it is like setting up an SSL/TLS (https://) website that needs to be accessible to and trusted by a user browsing from wherever the D365F&O instance is. The installation of the web site is wizard-driven by an installation program, but knowledge of provisioning and installing VMs, issuing/installing SSL certificates, opening IIS ports, setting security on app pools, managing firewall settings, etc. is required. SKG can coordinate and assist in the installation process, but customer IT resources may need to be available.
7: What port(s) does the SKG Bank Communications Hub use?
The BCH installs on port 23060 by default, but you can pick a different port during the install process if you want. If you install multiple instances of the BCH on one machine, then each instance needs its own port.
8: How do I configure my firewall(s) to allow SKG traffic?
The BCH installation automatically creates a rule in the Windows firewall to allow inbound traffic on the BCH port on the server where you install BCH (typically 23060). If there are other firewalls between the BCH server and the server where your D365F&O instance is running (for example, an Azure NSG), they need to be set up to allow connections on the BCH port.
Connections between D365F&O and BCH are initiated from the D365F&O side, so you shouldn’t need to change any firewall settings for the D365F&O machine. Modern stateful firewalls automatically allow the “return” traffic back to the program that initiated the connection.
In addition to BCH for communication with D365F&O, you will also need some way of transferring files to/from the bank(s). SFTP is typical. If using SFTP, your firewall setup will have to allow those connections — the details of that are beyond the scope of this answer.
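As an added example (not part of the SKG installer or its documentation), the following PowerShell verifies on the BCH server that an enabled inbound allow rule really covers the BCH port and that IIS is listening on it, then tests reachability through any intermediate firewalls or NSGs from another host. The port and host name are placeholders for the values chosen at install time.

```powershell
# Added example, not SKG code. Placeholders: adjust to your BCH port and DNS name.
$bchPort = 23060
$bchHost = 'bchtest.yourdomain.com'

function Test-BchPortExposure {
    param([int]$Port)
    # Enabled inbound allow rules whose TCP port filter includes $Port (the installer
    # normally creates one; a hardening script may have disabled or narrowed it).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    # Something must actually be bound to the port (the BCH site in IIS).
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port          = $Port
        FirewallRules = @($rules | Select-Object -ExpandProperty DisplayName)
        Listening     = [bool]$listener
    }
}

# Run on the BCH server: expect at least one rule name and Listening = True.
Test-BchPortExposure -Port $bchPort

# Run from the D365F&O side (Tier 1 VM) or a host in between: TcpTestSucceeded = False
# means a firewall or NSG on the path is still blocking the BCH port.
Test-NetConnection -ComputerName $bchHost -Port $bchPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```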
9: How do I install multiple instances of SKG Bank Communications Hub on the same server?
You run the BCH installation multiple times, specifying a different port and site name for each. For example, you might have SKGBankCommHub_Dev on port 23060, SKGBankCommHub_Test on port 23061, and SKGBankCommHub_Prod on port 23062. Also, be sure to set up separate directories in your file system to keep the banking files separate between different instances of D365F&O.
10: Why would I install multiple instances of SKG Bank Communications Hub on the same server?
Maybe it is a Very Big Deal to spin up an additional server. By using BCH’s ability to run multiple instances on the same server, you can reduce the number of server instances, the number of SSL certificates, etc.
This also gives you the ability to do Test/QA activities to verify that you have a good setup, and then install the Prod BCH instance on the known good server.
11: What about the SSL server certificate(s) needed for the Bank Communications Hub?
The BCH “site” in IIS requires a certificate in its bindings that is trusted by the machine running the D365F&O instance. This is just like what an https:// website would require so that a user can browse to it and not see any security warnings.
If you have the certificate in the Server Certificates list in Internet Information Services (IIS), then you can pick it as part of the BCH install. If you need to change the BCH bindings to use a different certificate after the installation, you can do that in IIS Manager.
12: How do I get an SSL certificate for testing? How do I get an SSL certificate for production?
There are two ways to meet this certificate requirement:
- (Works for all – Prod, Test, Dev) Obtain a valid certificate signed by a real-world Certification Authority (e.g. Comodo, Symantec, GoDaddy, Globalsign, etc.). This will automatically be trusted by the D365F&O machine(s). Use that valid certificate in the BCH site bindings in IIS. No need to copy it to the D365F&O machine. Since this is REQUIRED for using the BCH with your Production environment, this should be OBTAINED and used AS EARLY IN THE PROJECT AS POSSIBLE.
- (Only possible on Tier 1 D365FO environments) Create a self-signed certificate. Use it in the BCH site bindings in IIS, and also install it in the Trusted Root Certification Authorities store on the machine running D365F&O to force it to trust that certificate.
One additional important thing to note is that the Subject Name in the certificate (or one of the Subject Alternative Names) has to match the DNS name part of the URL by which you are accessing BCH.
Example 1: The D365F&O instance and BCH instance are on the same local network, so that the BCH machine can be reached by its local Windows machine name, and the URL you enter in the D365F&O setup screens is something like https://BCHTEST:23060/SKGBCH. In that case, a certificate with a subject name BCHTEST would work. This is the kind of self-signed certificate you get when you create one from within IIS Manager.
Example 2: Accessing BCH across the Internet, where the URL you enter in the D365F&O setup screens is something like https://bchtest.yourdomain.com:23060/SKGBCH. In that case, a certificate with a subject name bchtest.yourdomain.com is required. Note: For a self-signed certificate in this form, you will have to create it using some other tool than IIS Manager.
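As an added example for the Tier 1 self-signed case in Example 2 (not SKG's installer code), this PowerShell creates a self-signed certificate whose Subject and SAN carry the BCH DNS name, binds it to the BCH site's https listener, exports the public certificate for the Trusted Root store on the D365F&O VM, and checks that the host in the BCH URL matches a name in the certificate. The host name, site name and port are placeholders; the function Test-BchCertificateName is hypothetical.

```powershell
# Added example, not SKG code. Placeholders: set to your BCH DNS name, IIS site and port.
$bchHost  = 'bchtest.yourdomain.com'     # must equal the DNS part of the BCH URL
$siteName = 'SKGBankCommHub_Test'         # IIS site name chosen at install time
$port     = 23060                         # BCH port chosen at install time
$cerPath  = 'C:\Temp\bchtest-public.cer'  # public certificate only, no private key

# 1. Self-signed certificate with the DNS name as Subject CN and SAN. IIS Manager only
#    creates one for the Windows machine name, which is why PowerShell is used here.
$cert = New-SelfSignedCertificate -DnsName $bchHost `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "SKG BCH test ($bchHost)" `
    -NotAfter (Get-Date).AddYears(1)

# 2. Attach it to the BCH site's https binding (creating the binding if it is missing).
Import-Module WebAdministration
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# 3. Export only the public part. Copy the file to the Tier 1 D365F&O VM and run there:
#    Import-Certificate -FilePath <file> -CertStoreLocation Cert:\LocalMachine\Root
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Name check: the host in the BCH URL must appear in the SAN (or Subject CN);
#    a trusted certificate with the wrong name is still rejected by the client.
function Test-BchCertificateName {
    param(
        [string]$BchUrl,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $urlHost = ([Uri]$BchUrl).Host
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields "DNS Name=host1, DNS Name=host2"; keep the values only.
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    $cn = ($Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1)
    if ($cn) { $names += $cn.Substring(3) }
    return ($names -contains $urlHost)
}
Test-BchCertificateName -BchUrl "https://${bchHost}:$port/SKGBCH" -Certificate $cert
```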
13: Can you give some examples of different strategies for setting up the D365F&O/SKG BCH/SFTP system?
Thanks for the question! The BCH server and SFTP server could be physical machines or VMs on a cloud system like Azure.
Example 1: D365F&O Prod (hosted by Microsoft) <-ssl-> new SKG BCH VM + install SFTP on same server <-sftp-> Your Bank’s System
Example 2: Maybe you already have an SFTP server that works well with your bank. You can leverage that existing setup.
D365F&O Prod (hosted by Microsoft) <-ssl-> Install SKG BCH as additional component on existing SFTP machine <-sftp-> Your Bank’s System
Example 3: D365F&O Prod (hosted by Microsoft) <-ssl-> SKG BCH machine <-files written to network share-> SFTP machine <-sftp-> Your Bank’s System