In a production Dynamics 365F&O environment, there is no access to the underlying Azure virtual machine. Because of this, the BCH was created to store inbound and outbound bank files. In addition, it provides a platform for bank communications and/or file encryption.
Secure file storage – The BCH machine provides locked-down security on inbound and outbound files. Sensitive banking files (inbound or outbound) should never be presented to the end user for modification and/or viewing. Web services, folder and file access should only be given to non-D365F&O users.
Secure bank communications – SFTP software can be installed on the BCH (or easily access the BCH) to support seamless inbound/outbound file communications with your bank.
Automation – Many of the Treasury Automation Suite processes can be run in an unattended mode, by leveraging the D365F&O batch job system. The BCH provides a platform for processes and communications.
Multi-environment file overwrite protection – “Sandbox” databases are frequently refreshed from production environments. The downside of this is that the inbound/outbound file paths on the sandbox database will still be pointing to the production locations. The BCH solves this problem by storing the DNS value of each environment, and it tracks and stops these DNS mismatches.
File logging – Accidental DNS mismatch errors (above) and payment file history can all be logged to monitor exceptions.
D365F&O communicates with the BCH through an https connection. The BCH must be installed with an SSL certificate from a Trusted Authority (SSL or TLS protocol will be used depending on what’s available).
It can reside in any virtual machine (VM). It can be on Azure, AWS, private hosted cloud or an on-premise VM. The only requirement is that the VM has access to the internet so it can interact with the Treasury Automation Suite in the production Dynamics 365F&O environment.
The BCH needs a minimum configuration of Windows Server 2012 (or greater) along with IIS. SQL Server does not need to be installed on the VM. If using an Azure VM, an A1 (1.75 GB RAM, 40 GB disk space) or A2 (3.5 GB RAM, 60 GB disk space) machine is adequate. The disk space sizing will depend on the number and size of your banking files.
Hint, if installing BCH on an Azure VM: during installation and setup, use a heftier machine (e.g. A4). It will run much faster. Once you’re done with setup, downgrade to a minimal configuration to save on monthly costs.
The BCH VM is owned and maintained by the D365F&O customer, not by SK Global Software. It is a private communications and file hub for the D365F&O instance. The D365F&O customer is the only one that has control, and maintains security over their own sensitive banking information. It should be set up by someone familiar with configuring IIS websites/web services. In many respects, it is like setting up an SSL/TLS (https://) website that needs to be accessible to and trusted by a user browsing from wherever the D365F&O instance is. The installation of the web site is wizard-driven by an installation program, but knowledge of provisioning and installing VMs, issuing/installing SSL certificates, opening IIS ports, setting security on app pools, managing firewall settings, etc. is required. SKG can coordinate and assist in the installation process, but customer IT resources may need to be available.
The BCH installs on the 23060 port by default, but you can pick a different port during the install process if you want. If you install multiple instances of the BCH on one machine, then each instance would need its own port.
The BCH installation automatically creates a rule in the Windows firewall to allow inbound traffic on the BCH port on the server where you install BCH (typically 23060). If there are other firewalls between the BCH server and the server where your D365F&O instance is running (for example, an Azure NSG), they need to be set up to allow connections on the BCH port. Connections between D365F&O and BCH are initiated from the D365F&O side, so you shouldn’t need to change any firewall settings for the D365F&O machine. Modern stateful firewalls tend to automatically allow the “return” traffic back to the program that initiates the connection. In addition to BCH for communication with D365F&O, you will also need some way of transferring files to/from the bank(s). SFTP is typical. If using SFTP, your firewall setup will have to allow those connections — the details of that are beyond the scope of this answer.
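The two checks a practitioner wants after the install are (a) on the BCH server, that the installer's inbound rule exists, something is listening on the port and the IIS binding on that port is https, and (b) from the D365F&O side, that a TCP connection actually reaches the port through every intermediate firewall. The following PowerShell is an added example for this page, not code from SK Global Software's installer or documentation; it assumes the default port 23060, and the host name bch.example.com is a placeholder.

```powershell
# Added example, not part of the SK Global Software installer or documentation.
# Run Test-BchServerListener on the BCH server; run Test-BchReachable from the D365F&O
# side (or any machine on the same side of the intermediate firewalls as D365F&O).

function Test-BchServerListener {
    param([int]$BchPort = 23060)   # 23060 is the BCH default; change if a different port was chosen

    # 1. Firewall: the installer's rule name is not documented, so match on the port filter
    #    and keep only enabled inbound allow rules.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$BchPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

    # 2. Listener: the BCH site in IIS must actually be bound and started on that port.
    $listener = Get-NetTCPConnection -LocalPort $BchPort -State Listen -ErrorAction SilentlyContinue

    # 3. Binding protocol: BCH requires https; a plain http binding on the port is a misconfiguration.
    Import-Module WebAdministration
    $bindings = Get-WebBinding -Port $BchPort

    [pscustomobject]@{
        Port           = $BchPort
        FirewallRule   = if ($rules) { ($rules | Select-Object -First 1).DisplayName } else { 'MISSING' }
        Listening      = [bool]$listener
        HttpsBinding   = [bool]($bindings | Where-Object { $_.protocol -eq 'https' })
        PlainHttpFound = [bool]($bindings | Where-Object { $_.protocol -eq 'http' })
    }
}

function Test-BchReachable {
    param([string]$BchHost = 'bch.example.com', [int]$BchPort = 23060)   # placeholder host

    # A TCP connect from the initiating side proves every firewall in the path (for example
    # an Azure NSG) allows the BCH port. If this fails while Test-BchServerListener passes,
    # the problem is in the network path, not in the BCH install.
    $result = Test-NetConnection -ComputerName $BchHost -Port $BchPort -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host          = $BchHost
        Port          = $BchPort
        TcpConnected  = $result.TcpTestSucceeded
        RemoteAddress = $result.RemoteAddress
    }
}

# Example calls (placeholder host name):
Test-BchServerListener -BchPort 23060 | Format-List
Test-BchReachable -BchHost 'bch.example.com' -BchPort 23060 | Format-List
```

Both functions need an elevated session (the NetSecurity and WebAdministration modules read machine-level configuration). A `FirewallRule` of `MISSING` with `Listening` true means the site is up but only local traffic can reach it; `PlainHttpFound` true means a binding was changed by hand after the install and should be corrected in IIS Manager.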
To install multiple BCH instances on one server, you run the BCH installation multiple times, specifying a different port and site name for each. For example, you might have SKGBankCommHub_Dev on port 23060, SKGBankCommHub_Test on port 23061, and SKGBankCommHub_Prod on port 23062. Also, be sure to set up separate directories in your file system to keep the banking files separate between different instances of D365F&O.
By using BCH’s ability to run multiple instances on the same server, you can conserve on the number of server instances, the number of SSL certificates, etc.
This also gives you the ability to do Test/QA activities to verify that you have a good setup, and then install the Prod BCH instance on the known good server.
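When several instances share a server, the two things that quietly break the isolation between environments are two sites on the same port and two sites pointing at the same directory. The PowerShell below is an added example for this page, not code from SK Global Software; it assumes each instance was installed as an IIS site whose name starts with SKGBankCommHub_ (the naming used in the example above) and reports the port, physical path and application pool identity of each, flagging collisions.

```powershell
# Added example, not part of the SK Global Software installer or documentation.
# Assumes the IIS site names follow the SKGBankCommHub_<env> pattern; adjust $NamePattern if not.

function Get-BchInstanceInventory {
    param([string]$NamePattern = 'SKGBankCommHub_*')

    Import-Module WebAdministration
    $sites = Get-Website | Where-Object { $_.Name -like $NamePattern }

    $inventory = foreach ($site in $sites) {
        # bindingInformation looks like "*:23060:" or "*:23060:bch.example.com";
        # the middle field is the port.
        $ports = @($site.bindings.Collection |
            Where-Object { $_.protocol -eq 'https' } |
            ForEach-Object { [int](($_.bindingInformation -split ':')[1]) })

        # App pool identity matters because it is the account that reads and writes the banking files.
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"

        [pscustomobject]@{
            Site         = $site.Name
            State        = $site.State
            HttpsPorts   = $ports
            PhysicalPath = $site.physicalPath
            AppPool      = $site.applicationPool
            PoolIdentity = $pool.processModel.identityType
        }
    }

    # Collisions: a port used by more than one instance, or a directory shared by more than one.
    $dupPorts = $inventory | ForEach-Object { $_.HttpsPorts } |
        Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }
    $dupPaths = $inventory | Group-Object -Property PhysicalPath |
        Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }

    foreach ($i in $inventory) {
        $problems = @()
        if ($i.HttpsPorts.Count -eq 0) { $problems += 'no https binding' }
        if ($i.HttpsPorts | Where-Object { $dupPorts -contains $_ }) { $problems += 'port shared with another instance' }
        if ($dupPaths -contains $i.PhysicalPath) { $problems += 'physical path shared with another instance' }
        $i | Add-Member -NotePropertyName Problems -NotePropertyValue ($problems -join '; ') -PassThru
    }
}

Get-BchInstanceInventory | Format-Table Site, State, HttpsPorts, PhysicalPath, AppPool, PoolIdentity, Problems -AutoSize
```

Run it on the BCH server in an elevated session. An empty `Problems` column for every row is the state you want before the Prod instance is installed on the known-good server; the `PoolIdentity` column is a quick way to confirm that the Dev/Test pools are not running under an identity that also has rights to the Prod file directories.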
SSL Server Certificate(s):
The BCH “site” in IIS requires a certificate in its bindings that is trusted by the machine running the D365F&O instance. This is just like what an https:// website would require so that a user can browse to it and not see any security warnings.
If you have the certificate in the Server Certificates list in Internet Information Server (IIS), then you can pick it as part of the BCH install. If you need to change the BCH bindings to use a different certificate after the installation, you can do that in IIS manager.
SSL certificate for testing:
There are two ways to meet this certificate requirement:
(Works for all – Prod, Test, Dev) Obtain a valid certificate signed by a real-world Certification Authority (e.g. Comodo, Symantec, GoDaddy, Globalsign, etc.) This will automatically be trusted by the D365F&O machine(s). Use that valid certificate in the BCH site bindings in IIS. No need to copy it to the D365F&O machine. Since this is REQUIRED for using the BCH with your Production environment, this should be OBTAINED and used AS EARLY IN THE PROJECT AS POSSIBLE.
(Only possible on Tier 1 D365FO environments) Create a self-signed certificate. Use it in the BCH site bindings in IIS, and also install it in the Trusted Root Certification Authorities store on the machine running D365F&O to force it to trust that certificate.
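Whichever of the two options is used, the thing to verify is that the machine running D365F&O would accept the certificate the BCH site presents: the chain builds to a trusted root, the name matches the host name D365F&O uses, and it has not expired. The PowerShell below is an added example for this page, not code from SK Global Software. Test-BchCertificateTrust performs a TLS handshake against the BCH site from the machine that must trust it and validates the presented certificate with the OS chain engine; New-BchTestCertificate is the self-signed route for Tier 1 environments only and exports the public certificate that gets imported into Trusted Root Certification Authorities on the Tier 1 D365F&O machine. The host name bch.example.com and the export path are placeholders.

```powershell
# Added example, not part of the SK Global Software installer or documentation.
# bch.example.com and C:\Temp\bch-test.cer are placeholders.

function Test-BchCertificateTrust {
    param([string]$BchHost = 'bch.example.com', [int]$BchPort = 23060)

    $client = New-Object System.Net.Sockets.TcpClient($BchHost, $BchPort)
    try {
        # Accept any certificate during the handshake so it can be inspected afterwards;
        # the trust decision is made below with X509Chain, exactly as the OS would make it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($BchHost)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # $false if untrusted root, expired, revoked, etc.

        # First DNS name in the certificate (SAN, falling back to CN). A wildcard or
        # multi-SAN certificate needs a broader comparison than the simple -eq below.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            DnsName      = $dnsName
            NameMatches  = ($dnsName -eq $BchHost)
            ChainTrusted = $chainOk
            ChainStatus  = if ($status.Count -eq 0) { 'OK' } else { $status -join ', ' }
        }
    }
    finally {
        $client.Close()
    }
}

function New-BchTestCertificate {
    param([string]$BchHost = 'bch.example.com', [string]$ExportPath = 'C:\Temp\bch-test.cer')

    # Self-signed certificate in the local machine's personal store, to be selected in the BCH
    # site bindings in IIS Manager. Only -DnsName and -CertStoreLocation are used so the call
    # also works on Windows Server 2012 R2, whose New-SelfSignedCertificate has fewer parameters.
    $cert = New-SelfSignedCertificate -DnsName $BchHost -CertStoreLocation 'Cert:\LocalMachine\My'

    # Export the public certificate only (no private key). Copy the file to the Tier 1
    # D365F&O machine and import it there into the Trusted Root store, e.g.:
    #   Import-Certificate -FilePath C:\Temp\bch-test.cer -CertStoreLocation Cert:\LocalMachine\Root
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    $cert.Thumbprint
}

Test-BchCertificateTrust -BchHost 'bch.example.com' -BchPort 23060 | Format-List
```

A result with `SelfSigned` true and `ChainTrusted` false is the expected picture on a machine that has not yet imported the test certificate; on the Tier 1 machine after the import, `ChainTrusted` becomes true while `SelfSigned` stays true, which is a useful reminder that this configuration must not be carried over to Production, where only the CA-issued certificate of the first option will be trusted.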