Technical Requirements for Ground Control Installation

Updated on June 8th, 2026

System requirements

Ground Control is a web application hosted on Windows + IIS and requires the .NET runtime to run.

Operating System (Server)

  • Recommended Windows Servers: 2016 / 2019 / 2022
    (Evaluate previous versions only if they are already part of the company standard and supported by IT policies.)

Minimum hardware requirements (indicative)

  • RAM: 8 GB or more
  • CPU: 1 GHz or faster
  • Disk: 2 GB free (plus additional space for logs, exchanged files, and operational growth)

When sizing the server, also account for any services already running on it (SQL Server, antivirus, backup/monitoring agents, other IIS sites, etc.) on top of the minimum requirements.


Software prerequisites

You need an IIS server with:

  • “Web Server (IIS)” role installed
  • Basic Authentication enabled

Network, accessibility and certificates

HTTPS required (valid certificate)

Business Central tends to validate the server certificate on outgoing calls: certificate validation in the AL HttpClient has become an explicit topic in recent releases and is, in various scenarios, enabled by default.

For this reason, Ground Control must be published with:

  • a valid TLS certificate (issued by a trusted CA, not self-signed)
  • a DNS name (domain name) associated with the certificate
  • a port published to the outside (default is port 8296, HTTPS)

Firewall / NAT

  • Open the designated port (default 8296/TCP) to the IIS server only from authorized IPs (see whitelist below).
  • If possible, publish to 443 via reverse proxy/load balancer and map the application port internally.

IP Whitelist

To reduce the attack surface, it is strongly recommended to allow access to Ground Control only from the necessary IP addresses [1].

Retrieving the Business Central IPs

IPs can be obtained as Dynamics365BusinessCentral “service tags” [2]: Microsoft indicates that the IP group is available via the Azure Management API and also as a downloadable JSON file [3].

The IP list can be extracted from the JSON by searching for the node with "name": "Dynamics365BusinessCentral".
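The extraction described above, as an added example (not part of Ground Control or of Microsoft's tooling). It assumes the downloaded file keeps each tag's ranges under values[].properties.addressPrefixes, uses illustrative function names, and renders only the IPv4 prefixes as <add> elements for the IIS <ipSecurity> section [1]; IPv6 prefixes are returned separately.

```python
import ipaddress
import json
from xml.sax.saxutils import quoteattr

# Constructed sample in the layout of the downloadable service-tag JSON.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real Microsoft IPs.
SAMPLE = """
{
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
    {"name": "Dynamics365BusinessCentral",
     "properties": {"addressPrefixes":
        ["198.51.100.128/25", "192.0.2.0/24", "2001:db8::/32", "192.0.2.0/24"]}}
  ]
}
"""

def extract_prefixes(doc, tag="Dynamics365BusinessCentral"):
    """Return (ipv4, ipv6) lists of validated, de-duplicated networks for one tag."""
    nodes = [v for v in doc.get("values", []) if v.get("name") == tag]
    if len(nodes) != 1:
        # Fail closed: never build an allow list from a missing or ambiguous node.
        raise ValueError(f"expected exactly one {tag!r} node, found {len(nodes)}")
    prefixes = nodes[0].get("properties", {}).get("addressPrefixes", [])
    if not prefixes:
        raise ValueError(f"{tag!r} has no addressPrefixes")
    # strict=True rejects entries with host bits set, e.g. a mistyped 192.0.2.5/24
    nets = {ipaddress.ip_network(p, strict=True) for p in prefixes}
    v4 = sorted(n for n in nets if n.version == 4)
    v6 = sorted(n for n in nets if n.version == 6)
    return v4, v6

def ipsecurity_entries(v4_networks):
    """Render IPv4 networks as <add> elements for the IIS <ipSecurity> section."""
    return [
        f"<add ipAddress={quoteattr(str(n.network_address))} "
        f"subnetMask={quoteattr(str(n.netmask))} allowed=\"true\" />"
        for n in v4_networks
    ]

if __name__ == "__main__":
    v4, v6 = extract_prefixes(json.loads(SAMPLE))
    print('<ipSecurity allowUnlisted="false">')
    print("\n".join("  " + e for e in ipsecurity_entries(v4)))
    print("</ipSecurity>")
    print("IPv6 prefixes to handle separately:", [str(n) for n in v6])
```

Re-run the extraction whenever a new version of the JSON file is downloaded, and review the difference before replacing the allow list on the server.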


[1] https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/ipsecurity/add

[2] https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/security/security-service-tags

[3] https://www.microsoft.com/en-us/download/details.aspx?id=56519

 


Service Accounts (Application Pool) and Permissions

The Ground Control Application Pool must run under a dedicated user (local or domain) configured at installation time as the “Identity” of the app pool.

Grant only the permissions strictly required by the activated modules:

  • NTFS: Read/write to the Ground Control installation folder (defaults to C:\inetpub\wwwroot\GroundControl)
  • File system / share: Read/write access to folders that Business Central should use via Ground Control
  • Program Execution: Permission to execute only the programs that Ground Control needs to use
  • Database (if using Windows Authentication): Minimum permissions to access the required databases

Recommendation: Avoid using administrative or "Domain Admin" accounts. Track and explicitly approve every folder/resource/DB the user can access.


Final configuration checklist

  • Updated and IT policy-compliant Windows server
  • IIS installed + Basic Authentication configured
  • Valid TLS certificate + DNS configured
  • Published port (default 8296/HTTPS) + firewall/NAT
  • Active IP Whitelist (Dynamics365BusinessCentral + any customer IPs)
  • App Pool with dedicated account + minimal permissions on folders/DBs