Security considerations
- Last Updated: May 08, 2026
To ensure secure operation of AVEVA Enterprise Resource Management, the server infrastructure hosting the AVEVA Enterprise Resource Management application server is not exposed to the public internet, with the sole exception of the AVEVA Enterprise Resource Management Supplier Portal, where required.
Access to the application server infrastructure is restricted to administrative users only. Users with lower privilege levels are prevented from logging on to any machines that host AVEVA Enterprise Resource Management application server components.
Network Access for AVEVA Enterprise Resource Management
An AVEVA Enterprise Resource Management environment requires several network ports to be open. By default, the port index for an environment is set to 00. You can change the port index value. Additional port indexes are used when multiple AVEVA Enterprise Resource Management environments are installed on the same application server.
In the port definitions in the following table, xx represents the configured port index. To view the complete list of network ports configured for an environment, refer to the IIS Manager on the application server.
| Access From | Access To | Ports | Usage |
|---|---|---|---|
| Client | Application server | 92xx, 96xx | Used for primary client or server communication. Potentially used for access to REST API from client plugins. |
| * | Application server | 91xx, 93xx, 95xx, 96xx, 99xx | Used for REST API over HTTPS. Used for admin page. Used for SOAP API. Used for REST API over HTTP. Used for Scheduler. |
| Application server | Database server | 1521 | Database connectivity. |
| Application server | License server | 4545, 4546 | License server communication. |
| * | Supplier Portal | 97xx, 98xx | HTTP access, will redirect to HTTPS. HTTPS access. See the following sections for details. |
| Supplier Portal | Application server | 92xx, 5985, 5986 | App server connectivity. PowerShell Remoting / WinRM used during deployment. |
| Supplier Portal | Database server | 1521 | Database connectivity. |
Supplier Portal
AVEVA Enterprise Resource Management environments are typically intended for use within secured internal networks. However, the AVEVA Enterprise Resource Management Supplier Portal is accessible from the public internet and therefore is protected using standard industry security measures.
An example setup is displayed in the following figure.

For production deployment, consider the following:
- Deploy the Supplier Portal in a DMZ.
- The back-end firewall permits traffic from the Supplier Portal in the DMZ to the AVEVA Enterprise Resource Management application server and the AVEVA Enterprise Resource Management database.
- The front-end firewall allows inbound traffic to the Supplier Portal in the DMZ.
- To minimize potential attack vectors, configure the front-end firewall with an IP address whitelist that allows access only from approved sources (for example, the IP addresses of suppliers authorized to use the system).
- Use HTTPS for access to the Supplier Portal.
- An HTTP endpoint is also configured for the Supplier Portal to improve usability. Users typically enter only the domain name (for example, supplierportal.mycompany.com) in the browser, which defaults to the HTTP protocol. Without an HTTP endpoint and redirect rule in place, these requests fail. A URL rewrite rule is configured on the Supplier Portal site. When an HTTP request is received, the site automatically redirects the client to the configured HTTPS endpoint. If non-default port numbers are used, the port number also changes.
- A certificate signed by a trusted certificate authority is used by the Supplier Portal. Ignoring HTTPS warning messages exposes users to security threats such as man-in-the-middle attacks.
- Patch the server hosting the Supplier Portal with the latest security updates from the vendors.
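One way to check a firewall rule set against the Supplier Portal rows of the port table and the allowlist recommendation above. This is an added example, not AVEVA code: the zone names, the rule dictionary format, the sample addresses and the 0 to 99 range for the port index are assumptions made for illustration.

```python
from ipaddress import ip_network

def portal_flows(port_index):
    """Permitted (source zone, destination zone) -> ports, from the Supplier Portal rows."""
    if not 0 <= port_index <= 99:  # assumption: the index is the two digits written as xx
        raise ValueError("port index must be between 0 and 99")
    xx = f"{port_index:02d}"
    return {
        ("internet", "portal"): {int("97" + xx), int("98" + xx)},   # front-end firewall
        ("portal", "appserver"): {int("92" + xx), 5985, 5986},      # back-end firewall
        ("portal", "database"): {1521},                             # back-end firewall
    }

def audit(rules, port_index):
    """Return (rule name, finding) pairs for rules that deviate from the guidance."""
    allowed = portal_flows(port_index)
    findings = []
    for rule in rules:
        flow = (rule["src"], rule["dst"])
        if rule["port"] not in allowed.get(flow, set()):
            findings.append((rule["name"], "flow/port not in the port table"))
        elif flow == ("internet", "portal"):
            # A missing source list is treated as "any source".
            sources = rule.get("sources") or ["0.0.0.0/0"]
            if any(ip_network(s).prefixlen == 0 for s in sources):
                findings.append((rule["name"], "front-end rule has no source allowlist"))
    return findings

# Constructed sample rule set for an environment with port index 01.
SAMPLE_RULES = [
    {"name": "fe-https", "src": "internet", "dst": "portal", "port": 9801,
     "sources": ["203.0.113.0/24"]},
    {"name": "fe-http", "src": "internet", "dst": "portal", "port": 9701,
     "sources": ["0.0.0.0/0"]},
    {"name": "be-app", "src": "portal", "dst": "appserver", "port": 9201},
    {"name": "be-winrm", "src": "portal", "dst": "appserver", "port": 5986},
    {"name": "be-db", "src": "portal", "dst": "database", "port": 1521},
    {"name": "fe-admin", "src": "internet", "dst": "appserver", "port": 9301,
     "sources": ["198.51.100.7/32"]},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, 1):
        print(f"{name}: {finding}")
```

The HTTP rule is flagged as well as the HTTPS rule when it is open to any source, because the redirect endpoint sits behind the same front-end firewall.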