ESS External Access

You can take away access to RSS, etc by unmapping the application to the web server in WAS. Also, removing the search box from your ESS role removes panel access - Article ID: 68410  

This is the response I got from someone at Lawson:

Exposing ESS over the web to remote employees:
In a nutshell, you'll put an ESS web server in a DMZ, and the LSF server needs to be configured to support that 'Endpoint' in a secure, encrypted fashion(HTTPS). This configuration allows multiple web servers (internal and external) to communicate with a single application server (LSF). The backend Lawson applications are completely secured from external web access; these are industry standard security practices for exposing web applications safely. Access to the ESS web server for external employee’s can occur with or without a VPN; this is no different than any other web-based application exposed over the internet. If its without a VPN (rare for Lawson customers), then there are risks; most customers use VPN.

A note from a tech resource on open web access to ESS(no VPN):
want to ensure everyone understands what is possible and not possible....

It is NOT possible to provide web access to ESS only.... what is possible is to create another web server (i.e. entry point or Portal) for users to access Lawson. This new WebServer/Portal can be installed in a DMZ such that anyone on the internet could access it (however, presumably only remote employees would know the address to this server). However, just to be clear, it is Portal which is deployed... Therefore, if a user has access to Portal applications as well as the ESS applications, then they'll see all of this from the remote web server as well. There is NO way for the Lawson environment to determine how a user is entering the system... the Environment see's all Portals equally and will display everything the end user has access to.

The client should understand this before deploying applications out to the Internet. (And this small point is often overlooked and not communicated.....)

A follow-up note from the same tech resource on open web access to ESS(no VPN):
75% of the clients that attempt to do this (deploy Lawson to the Internet), eventually do NOT deploy it... They generally opt for deploying it on their intranet, and if required they rely on their VPN solution to provide access remotely. This is a much more secure and controllable solution. (Note: Lawson, internally, does not deploy our ERP solution to the Internet, but rather relies on VPN solutions for external access...). However, we do provide the capability if the client wishes to provide a Portal to Lawson via the Internet.

This situation is the main reason my attitude has been to 'just say no' to single Lawson login ID's. Our employees can access ESS/MSS as well as regular Portal / Lawson apps remotely (so they can work from home, for example). If an EE is at home checking his benefits or his paystub, I do not want to also have links to his/her work applications of Lawson on the screen. The one-login idea strikes me as something that's not a very good idea if one thinks about it even a little bit - all upside for the end user and mostly downside for the org.

For ESS/MSS users we use the letter z followed by their five-digit employee number as their user ID. Regular Lawson apps users have a login based on their last name and first initial. This segregates all the ESS/MSS user IDs wherever they are listed and makes it easier to bring them up in Lawson Security administrator.

It's just my opinion that it is bad practice for an employee to use the exact same login for conducting his/her personal business as for doing work duties. If someone from HR were to be nosing around in HR11 over the weekend from their home computer, and they had just one login, I would have no practical way to know they'd been doing that or just checking their pay stub. If their Lawson login used for HR duties shows as having been connected in remotely, there is a smoking gun and a reason to ask 'what were you doing'.