System requirements for the new sign-on method

Review the system requirements below. They apply to both two-factor authentication and single sign-on unless stated otherwise.

Note:

TLS 1.3 is supported for connections to Profit (traffic into AFAS Online only). TLS 1.2 support is being narrowed: as of 15 December 2021 some older cipher suites are no longer accepted, while newer suites have been added. The current list is given under 'IP addresses, URLs and ciphers' below.

Computer/workstation user

Operating system

Browsers

  • Microsoft Edge
  • Google Chrome
  • Safari (Apple Mac)
  • Mozilla Firefox (including the ESR version)

If you use Chrome, Safari or Firefox, configure the browser to update itself automatically to the latest version.

Add the URLs below to the Trusted Sites zone. If you do not, the message 'The current website is trying to open a site in your Trusted sites list' may be displayed.

  • https://*.afasonline.com
  • https://*.afas.online
  • https://*.afasinsite.nl

TLS

  • TLS 1.2 or TLS 1.3 must be enabled. TLS (Transport Layer Security) is the protocol that authenticates the server and encrypts data sent over the Internet.
  • You can test whether your computer/workstation can reach AFAS Online (outgoing traffic) by opening https://login.afasonline.com. That site requires TLS 1.2, so if it loads, the workstation and any proxy in the path negotiate TLS 1.2 correctly.

PCC

Network and data traffic

IP range

  • 185.46.182.0/24 (therefore 185.46.182.0 to 185.46.182.255)

Outgoing traffic

  • Outgoing traffic from clients uses port 443 (HTTPS). Usually you do not have to open anything for this, unless you use an allow list (whitelist) on the firewall or a proxy.
  • For outgoing traffic from AFAS Online to your own systems (for example, communication profiles and mail servers), TLS 1.0, TLS 1.1 and TLS 1.2 are supported where possible.
  • Outgoing traffic from AFAS Online works on the basis of an allow list. AFAS Online prepares all outgoing communication from your environment as well as possible, but in a very few cases a communication profile will not work immediately. If so, submit an incident to have the address released.

Incoming traffic

See also:

  • Profit Connectors linked to the new sign-on method

AFAS Pocket

AFAS Pocket does not work on every version of iOS or Android. Check the minimum version for your smartphone (or iPad) on the Apple App Store and Google Play pages for the app. This is particularly relevant if you get a message that the app cannot be installed.

Other

  • Users can sign on via AFAS Pocket for two-factor authentication (on supported iPhones or Android devices). The first step is signing on with username + password; the second step is confirming the sign-on in AFAS Pocket on the user's smartphone. If you use AFAS Pocket only for this second factor, you do not need to configure (the app connector of) Pocket.

    A user can link AFAS Pocket for two-factor authentication to multiple AFAS Online accounts.

    Note:

    AFAS Pocket offers much more functionality, especially for Employee Self Service. If you use that functionality, you must configure it in Profit. In that case AFAS Pocket is linked to one specific environment for full use of the Pocket functionality, and to one or more AFAS Online accounts for two-factor authentication.

  • With two-factor authentication, users can also sign on with a supported authenticator app (instead of AFAS Pocket).

  • Anti-clickjacking: protection against an external site embedding (framing) parts of your own InSite/OutSite is on by default. If it needs to be disabled, submit an incident ticket; as from Profit 19 you manage this yourself in the site properties. You can still place a link to an InSite/OutSite page on an external site.

    You can also still show an external page on your own site with an integration page.

  • Dashboards

    If problems occur, for example when consulting dashboards or in other data exchange with AFAS Online, go through the instructions below with your own system administrator.

  • If techniques such as SSL scanning, SSL decryption, HTTPS inspection, deep packet inspection (DPI) or an intrusion prevention system (IPS) are in use, they can affect performance and stability or cause error messages. A VPN or proxy server in the path can also cause problems, depending on its settings. Have your IT department exempt AFAS Online's network traffic from these techniques (allow list), if only to rule them out as the cause of a particular problem. AFAS's addresses can be found in the article System requirements Citrix platform.
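The anti-clickjacking setting above is worth verifying after you change it in the site properties. The page does not say which mechanism AFAS uses; browsers enforce framing restrictions through two standard response headers, Content-Security-Policy frame-ancestors and X-Frame-Options, and a CSP frame-ancestors directive overrides X-Frame-Options when both are present. The following Python is an added example (not AFAS code) that evaluates a set of response headers the way a browser would; the header sets and the origins intranet.example, portal.example.com and attacker.example are constructed for the example. Ports are ignored when comparing origins.

```python
"""Decide whether response headers let another origin frame a page (anti-clickjacking check)."""


def _split_origin(value):
    """'https://Portal.Example.com:443/x' -> ('https', 'portal.example.com'); scheme may be empty.
    Ports are deliberately ignored in this example."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        scheme, rest = "", value
    host = rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
    return scheme.lower(), host.lower()


def _frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_matches(source, origin):
    """Match one CSP host source ('*', 'https:', 'https://*.example.com', 'portal.example.com')
    against an origin. 'self' and 'none' are handled by the caller."""
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:        # scheme-only source such as https:
        return _split_origin(origin)[0] == source[:-1].lower()
    s_scheme, s_host = _split_origin(source)
    o_scheme, o_host = _split_origin(origin)
    if s_scheme and s_scheme != o_scheme:
        return False
    if s_host.startswith("*."):                               # *.example.com: subdomains only
        return o_host.endswith(s_host[1:])
    return s_host == o_host


def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would let a page at framer_origin embed a response with these
    headers served from page_origin. CSP frame-ancestors wins over X-Frame-Options when
    both are present; no header at all means framing is allowed."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(hdrs.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:            # empty list treated as 'none' here
            return False
        same_origin = _split_origin(framer_origin) == _split_origin(page_origin)
        return any((s == "self" and same_origin) or (s not in ("self", "none") and _source_matches(s, framer_origin))
                   for s in ancestors)
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _split_origin(framer_origin) == _split_origin(page_origin)
    return True   # no header, or a value (e.g. ALLOW-FROM) modern browsers ignore


def clickjacking_protected(headers, page_origin):
    """The check this page cares about: can an arbitrary external site frame the response?
    attacker.example is a constructed origin standing in for any foreign site."""
    return not framing_allowed(headers, page_origin, "https://attacker.example")


# Constructed header sets for the example (not captured from AFAS Online).
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com"}
CSP_WINS = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    page = "https://intranet.example"
    for name, hdrs in (("XFO SAMEORIGIN", XFO_SAMEORIGIN), ("CSP allow list", CSP_ALLOWLIST),
                       ("CSP + XFO", CSP_WINS), ("no headers", {})):
        print(f"{name:15} protected={clickjacking_protected(hdrs, page)}")
```

Feed it the headers of a real InSite/OutSite response (for example from the browser's developer tools) together with the site's origin; a result of False means any external site can frame the page.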

Restricting login to a specific IP address (IP restrictions)

The administrator can set IP restrictions on the AFAS Online portal, via Manage / IP restrictions. You set up IP restrictions per component (Profit, InSite, Management). IP restrictions apply to both two-factor authentication and single sign-on.

If you do not define IP restrictions, no IP restrictions are applied.

If you do define IP restrictions, users can only launch the applications (apps) from IP addresses that the restrictions allow; this is an additional protection against unwanted visitors. Restrictions are always entered in CIDR notation (a single address as a /32, a whole office range as, for example, a /24).

Note:

Users can always log in, regardless of IP restrictions. Only when an app (Profit, InSite or Management) is started is the client's IP address checked against the restrictions.

A user who opens InSite via a URL (favourite) must log in first; the IP restrictions are then checked.

You can define different IP restrictions. For administrators, you can define IP addresses of the home workplace in addition to the work IP address, for example.
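Both the firewall allow list for the AFAS Online range above and the portal's IP restrictions come down to CIDR arithmetic. The following Python is an added example (not AFAS code): it collapses the "x thru y" address ranges from the tables on this page into the fewest CIDR blocks a firewall accepts, refuses anything outside the published 185.46.182.0/24, and evaluates a client address against a restriction list the way the portal rule above is described (no restrictions defined means everything is allowed). The AFAS_RANGES entries are copied from the tables below; the restriction list OFFICE_AND_HOME uses constructed documentation addresses.

```python
"""CIDR helpers for the AFAS Online allow list and for portal-style IP restrictions."""
import ipaddress

# The public range this page publishes for AFAS Online.
AFAS_ONLINE_NET = ipaddress.ip_network("185.46.182.0/24")

# Taken from the "Public IP" column of the tables on this page: (label, first, last, port).
AFAS_RANGES = [
    ("soap/rest production", "185.46.182.140", "185.46.182.179", 443),
    ("soap/rest test", "185.46.182.180", "185.46.182.199", 443),
    ("soap accept", "185.46.182.44", "185.46.182.47", 443),
    ("login portal", "185.46.182.11", "185.46.182.11", 443),
]


def range_to_cidrs(first, last):
    """Collapse an inclusive IPv4 range (the page's '140 thru 179') into the fewest CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def build_allow_list(entries=AFAS_RANGES):
    """Expand (label, first, last, port) entries into (label, cidr, port) firewall rules.
    Anything outside the published /24 is rejected: a typo here would open a hole."""
    rules = []
    for label, first, last, port in entries:
        for cidr in range_to_cidrs(first, last):
            if not ipaddress.ip_network(cidr).subnet_of(AFAS_ONLINE_NET):
                raise ValueError(f"{label}: {cidr} is outside {AFAS_ONLINE_NET}")
            rules.append((label, cidr, port))
    return rules


def ip_allowed(client_ip, restrictions):
    """Portal-style IP restriction: with no restrictions defined everything is allowed;
    otherwise the client must fall inside one of the CIDR blocks."""
    if not restrictions:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in restrictions)


# Constructed restriction list: an office /24 plus one administrator's home address (RFC 5737 ranges).
OFFICE_AND_HOME = ["203.0.113.0/24", "198.51.100.42/32"]

if __name__ == "__main__":
    for label, cidr, port in build_allow_list():
        print(f"allow tcp dst {cidr} port {port}   # {label}")
    for ip in ("203.0.113.7", "198.51.100.42", "198.51.100.43"):
        print(ip, "allowed" if ip_allowed(ip, OFFICE_AND_HOME) else "blocked")
```

The production SOAP/REST range 185.46.182.140 to .179, for instance, is not a single CIDR block but four (/30, /28, /28, /30); entering it as one /26 would also admit addresses the page does not list.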

IP addresses, URLs and ciphers

This information is intended for organisations that use a whitelist on the firewall or a proxy.

As of 15 December 2021, the following cipher suites are supported (the two hex bytes after each name are the IANA cipher suite identifier, as it appears in a TLS ClientHello or ServerHello):

  • TLS1.3-AES256-GCM-SHA384 0x13,0x02
  • TLS1.3-CHACHA20-POLY1305-SHA256 0x13,0x03
  • TLS1.3-AES128-GCM-SHA256 0x13,0x01
  • TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 0xC0,0x30
  • TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 0xCC,0xA8
  • TLS1.2-ECDHE-RSA-AES128-GCM-SHA256 0xC0,0x2F

You can check through Citrix Workspace whether you have the correct ciphers.
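When an intercepting proxy, IPS or VPN sits in the path (the troubleshooting case under 'Other' above), what matters is the protocol version and cipher suite that were actually negotiated, and those are in the ServerHello. The following Python is an added example, not AFAS code: it parses a raw TLS ServerHello record (for instance the first server-side handshake record exported from a packet capture) and checks the negotiated version and suite against the list above. The sample records are constructed here, not captured from AFAS Online. The two ECDHE-ECDSA suites 0xC0,0x2B and 0xC0,0x2C are included in the allow list because the PCC table below lists them, although they are not in the December 2021 list; remove them if you only want to accept that list.

```python
"""Parse a TLS ServerHello and check the negotiated version and cipher suite against this page's list."""
import struct

# Cipher suites from the list above, keyed by IANA code point (the page's "0xC0,0x30" as one integer).
SUPPORTED_SUITES = {
    0x1302: "TLS1.3-AES256-GCM-SHA384",
    0x1303: "TLS1.3-CHACHA20-POLY1305-SHA256",
    0x1301: "TLS1.3-AES128-GCM-SHA256",
    0xC030: "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384",
    0xCCA8: "TLS1.2-ECDHE-RSA-CHACHA20-POLY1305",
    0xC02F: "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256",
    # Listed in the PCC table, not in the December 2021 list (ECDHE-ECDSA suites).
    0xC02B: "TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384",
}
SUPPORTED_VERSIONS = {0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def suite_id(text):
    """Convert the page's '0xC0,0x30' notation to the integer code point 0xC030."""
    hi, lo = (int(p, 16) for p in text.split(","))
    return (hi << 8) | lo


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new position; raise instead of silently reading short."""
    if pos + n > len(buf):
        raise ValueError("truncated ServerHello")
    return buf[pos:pos + n], pos + n


def parse_server_hello(record):
    """Return (selected_version, cipher_suite) from a raw TLS record carrying a ServerHello.
    For TLS 1.3 the real version is in the supported_versions extension, not in legacy_version."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs, _ = _take(body, 4, int.from_bytes(body[1:4], "big"))
    pos = 0
    ver, pos = _take(hs, pos, 2)
    version = struct.unpack("!H", ver)[0]
    _, pos = _take(hs, pos, 32)                    # server random
    sid_len, pos = _take(hs, pos, 1)
    _, pos = _take(hs, pos, sid_len[0])            # legacy session id
    cs, pos = _take(hs, pos, 2)
    suite = struct.unpack("!H", cs)[0]
    _, pos = _take(hs, pos, 1)                     # legacy compression method
    if pos < len(hs):                              # extensions are optional in TLS 1.2
        el, pos = _take(hs, pos, 2)
        exts, _ = _take(hs, pos, struct.unpack("!H", el)[0])
        epos = 0
        while epos < len(exts):
            eh, epos = _take(exts, epos, 4)
            etype, elen = struct.unpack("!HH", eh)
            data, epos = _take(exts, epos, elen)
            if etype == 0x002B and elen == 2:      # supported_versions: selected version
                version = struct.unpack("!H", data)[0]
    return version, suite


def check_server_hello(record):
    """(ok, reason): is the negotiated combination one this page says AFAS Online accepts?"""
    version, suite = parse_server_hello(record)
    if version not in SUPPORTED_VERSIONS:
        return False, f"protocol 0x{version:04x} not supported (TLS 1.2 or TLS 1.3 required)"
    if suite not in SUPPORTED_SUITES:
        return False, f"cipher suite 0x{suite:04x} not in the supported list"
    return True, f"{SUPPORTED_VERSIONS[version]} {SUPPORTED_SUITES[suite]}"


def build_server_hello(legacy_version, suite, selected_version=None):
    """Construct a minimal ServerHello record for testing (zero random, empty session id)."""
    hs = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if selected_version is not None:
        ext = struct.pack("!HHH", 0x002B, 2, selected_version)
        hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(body)) + body


# Constructed samples (not captured traffic): a TLS 1.3 hello, a TLS 1.2 hello, a hello as an
# interposing proxy might produce with an RSA-key-exchange CBC suite, and a TLS 1.0 hello.
SAMPLE_TLS13 = build_server_hello(0x0303, suite_id("0x13,0x02"), selected_version=0x0304)
SAMPLE_TLS12 = build_server_hello(0x0303, suite_id("0xC0,0x30"))
SAMPLE_PROXY = build_server_hello(0x0303, 0x002F)
SAMPLE_OLD = build_server_hello(0x0301, 0x002F)

if __name__ == "__main__":
    for name, rec in (("tls13", SAMPLE_TLS13), ("tls12", SAMPLE_TLS12),
                      ("proxy", SAMPLE_PROXY), ("tls10", SAMPLE_OLD)):
        print(name, check_server_hello(rec))
```

If the ServerHello your client receives names a suite outside this list while the server itself is known to offer only the listed ones, something between the client and AFAS Online re-terminated the TLS session.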

PCC

| Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
|---|---|---|---|---|---|---|---|
| InSite, PCC | PCC Notification hub. This must be available to all users who use the PCC. | pc**.notificationhub.afas.online | 185.46.182.28 | 443 | 1.2 | [0xC0,0x2B],[0xC0,0x30] | ECC |
| Connector, PCC | SOAP API for production environments. This must be available for all connections/connectors and PCC users. | [participant].soap.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x2C] | ECC |
| Connector, PCC | SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].soaptest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].soapaccept.afas.online | 185.46.182.44, 185.46.182.45, 185.46.182.46, 185.46.182.47 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for production environments. This must be available for all connections/connectors and PCC users. | [participant].rest.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].resttest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].restaccept.afas.online | 185.46.182.44 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | InSite. Must be available to all InSite users. | [participant].afasinsite.nl | 185.46.182.60 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments. | [participant].insitetest.afas.online | 185.46.182.90 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments. | [participant].insiteaccept.afas.online | 185.46.182.95 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |

Sign-on portal (InSite + Profit)

| Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
|---|---|---|---|---|---|---|---|
| InSite, Profit | Login Portal. All users sign on here through the browser. | login.afasonline.com | 185.46.182.11 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite, Profit | Secure Token Service. This must be available to all users. If using federation (SSO), this address must also be reachable from the on-premises federation server (for example, ADFS). Outgoing OAuth/OpenID Connect connections will not come from this IP address. | sts.afasonline.com | 185.46.182.12 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite, Profit | Identity Provider. This must be available to all users to ensure they can sign on to the portal. | idp.afasonline.com | 185.46.182.13 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Profit | Citrix NetScaler. The Citrix client connects to this address. | portal.afasonline.com | 185.46.182.121 | 443 | 1.3 and 1.2 | 1.3: [0x13,0x02],[0x13,0x03],[0x13,0x01]; 1.2: [0xC0,0x30],[0xC0,0x2F],[0xCC,0xA8] | RSA |
| Profit | Citrix NetScaler. The Citrix client connects to this address. | portal.afasonline.com | 185.46.182.122 | 443 | 1.3 and 1.2 | 1.3: [0x13,0x02],[0x13,0x03],[0x13,0x01]; 1.2: [0xC0,0x30],[0xC0,0x2F],[0xCC,0xA8] | RSA |
| Bank link | Bank Integration Portal. Required to change banking links. Redirect from the bank website. | bis.afas.online | 185.46.182.37 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |

Additional for InSite

| Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
|---|---|---|---|---|---|---|---|
| InSite | InSite. Must be available to all InSite users. | [participant].afasinsite.nl | 185.46.182.60 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | InSite test sites. Must be available to all InSite users who must be able to sign on to InSite sites of test environments. | [participant].insitetest.afas.online | 185.46.182.90 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | InSite accept sites. Must be available to all InSite users who must be able to sign on to InSite sites of accept environments. | [participant].insiteaccept.afas.online | 185.46.182.95 | 80 (redirect), 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | Profit BI Dashboards. This must be available to every InSite user who wants to view Dashboards. | pc**.bi.afas.online | 185.46.182.35 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| InSite | Analytics for AFAS InSite. This must be available to every InSite user for diagnostic purposes. | statistics.afas.online | 185.46.182.26 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |

Connectors

| Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
|---|---|---|---|---|---|---|---|
| Connector, PCC | SOAP API for production environments. This must be available for all connections/connectors and PCC users. | [participant].soap.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | SOAP API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].soaptest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | SOAP API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].soapaccept.afas.online | 185.46.182.44, 185.46.182.45, 185.46.182.46, 185.46.182.47 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for production environments. This must be available for all connections/connectors and PCC users. | [participant].rest.afas.online | 185.46.182.140 thru 185.46.182.179 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for test environments. This must be available for all connections/connectors and PCC users who link up to test environments. | [participant].resttest.afas.online | 185.46.182.180 thru 185.46.182.199 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |
| Connector, PCC | REST API for accept environments. This must be available for all connections/connectors and PCC users who link up to accept environments. | [participant].restaccept.afas.online | 185.46.182.44 | 443 | 1.2 | [0xC0,0x2F],[0xC0,0x30] | ECC |

Email

| Applications | Explanation | Host name | Public IP | Ports | TLS version | TLS Ciphers [1] | Certificate |
|---|---|---|---|---|---|---|---|
| Variable | Default outgoing AFAS Online IP address. Communication profiles and connections to your own email servers originate from this address. | proxy.afas.online | 185.46.182.1 | Variable | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mail.afas.online | 185.46.182.200 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta1.afas.online | 185.46.182.201 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta2.afas.online | 185.46.182.202 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta3.afas.online | 185.46.182.203 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta4.afas.online | 185.46.182.204 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta5.afas.online | 185.46.182.205 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta6.afas.online | 185.46.182.206 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta7.afas.online | 185.46.182.207 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta8.afas.online | 185.46.182.208 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |
| Variable | Email MTA. Used to send outgoing email when the AFAS.ONLINE email server is used. SPF: afas.online | mta9.afas.online | 185.46.182.209 | 25 | 1.0, 1.1, 1.2 | Variable | N/A |

Directly to

  1. Configuration with regard to the new sign-on
  2. Configure Messagebird for text messaging
  3. System requirements
  4. Before, during and after the change to two-factor authentication
  5. Before, during and after the change to single sign-on
  6. Citrix Receiver Frequently Asked Questions