How DataXcel Connects to Your Sage 100 Server — Securely, with NetBird and WireGuard
By Mike Hagberg
A plain-English security white paper on how DataXcel reaches your Sage 100 Contractor SQL Server — an outbound-only WireGuard tunnel via NetBird, exactly one allowed port, zero-trust access control, and zero inbound firewall changes.
Before any IT team installs our connector, they ask the right question: "You want to reach our Sage 100 SQL Server from the cloud — how is that safe?" This white paper answers it in plain English, then backs it up with the underlying technology and references you can verify yourself.
The short version: DataXcel connects over an outbound-only, end-to-end-encrypted WireGuard tunnel using NetBird. We open no inbound ports, make no firewall changes, and the access policy allows traffic to exactly one port — your Sage SQL Server's port — and nothing else.
What gets installed
A single lightweight agent runs as a Windows service on your Sage server. When it starts, it makes one outbound connection to our network — the same kind of outbound connection your browser makes to any website. From there it joins a private, encrypted overlay network. There is no listening port opened on your server for the internet, and nothing inbound is exposed.
This matters because the most common way servers get compromised is an exposed inbound port (RDP, SQL, a VPN appliance). NetBird's model has the opposite shape: your server reaches out, so there is no inbound attack surface to scan, brute-force, or exploit.
One port, and only one port
Connectivity alone isn't access. NetBird enforces a zero-trust access policy: by default, peers on the network cannot talk to each other at all. We create a single rule that allows our reporting infrastructure to reach only your Sage SQL Server's TCP port — typically the dynamic port your Sage 100 Contractor instance already listens on.
- Our data-warehouse builder can reach that one SQL port.
- It cannot reach RDP, file shares, other databases, the OS, or anything else on the server.
- No other device on the network can reach your server at all.
If someone tried to use the tunnel to read files off your server, browse the network, or open a remote desktop, the policy would simply drop the traffic. The connection is scoped to "talk SQL to this one port," full stop.
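The default-deny, single-port rule described in this section, modelled as an added example (not DataXcel's or NetBird's code). The rule schema, group names and port 49172 are constructed for illustration and do not reflect NetBird's actual policy format; the audit function shows what an IT reviewer would flag if the rule were ever broadened.

```python
# Added example: default-deny, port-scoped policy check.
# The rule schema and all names/ports below are constructed for illustration;
# this is not NetBird's policy format or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # peer group allowed to initiate
    destination: str     # peer group being reached
    protocol: str        # "tcp", "udp" or "all"
    ports: tuple         # empty tuple means "any port"
    bidirectional: bool = False

def is_allowed(rules, src, dst, protocol, port):
    """Default deny: traffic passes only if some rule matches it explicitly."""
    for r in rules:
        forward = (r.source, r.destination) == (src, dst)
        reverse = r.bidirectional and (r.destination, r.source) == (src, dst)
        if not (forward or reverse):
            continue
        if r.protocol not in ("all", protocol):
            continue
        if r.ports and port not in r.ports:
            continue
        return True
    return False

def audit(rules, sql_port):
    """Return findings for anything broader than 'one source -> one TCP port'."""
    findings = []
    if len(rules) != 1:
        findings.append(f"expected exactly 1 rule, found {len(rules)}")
    for r in rules:
        if r.protocol != "tcp":
            findings.append(f"{r.name}: protocol {r.protocol!r} is not tcp")
        if r.ports != (sql_port,):
            findings.append(f"{r.name}: ports {r.ports} are not exactly ({sql_port},)")
        if r.bidirectional:
            findings.append(f"{r.name}: bidirectional rule lets the server initiate")
    return findings

SQL_PORT = 49172  # constructed sample value for the instance's dynamic port
SCOPED = [Rule("warehouse-to-sage-sql", "warehouse", "sage-server", "tcp", (SQL_PORT,))]
BROAD = [Rule("warehouse-to-sage-any", "warehouse", "sage-server", "all", (), True)]

if __name__ == "__main__":
    for port in (SQL_PORT, 3389, 445):
        print(port, is_allowed(SCOPED, "warehouse", "sage-server", "tcp", port))
    print(audit(SCOPED, SQL_PORT), audit(BROAD, SQL_PORT))
```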
The encryption: WireGuard
The tunnel itself is WireGuard — the modern VPN protocol now built into the Linux kernel and trusted across the industry for being small, fast, and auditable. WireGuard uses the Noise protocol framework for its handshake, Curve25519 for key exchange, ChaCha20-Poly1305 for authenticated encryption, and BLAKE2s for hashing. Its design has been the subject of formal, machine-checked security verification — a level of scrutiny most VPN software never receives.
Every byte between your server and our infrastructure is encrypted end-to-end with keys that live only on the two endpoints. Even the relay infrastructure that helps two peers find each other cannot read the traffic passing through the tunnel.
Why we chose NetBird specifically
- Outbound-only, no inbound ports. Nothing to expose, nothing to scan.
- Zero-trust by default. Peers are denied until an explicit, port-scoped rule allows them. We grant the minimum — one SQL port.
- Open source and auditable. NetBird is open source on GitHub under a permissive license. The code can be reviewed, and the platform can be self-hosted — which is exactly how we run it.
- Identity- and device-aware. Access is tied to identity and device posture, not just a static network location, consistent with zero-trust principles.
- No standing remote access. This is not RDP or a screen-share. There is no interactive session into your server — just a scoped SQL connection used to build and refresh your reports.
How this compares to the alternatives
| Approach | Inbound ports | Scope of access | Encryption |
|---|---|---|---|
| Open SQL/RDP to the internet | Yes (high risk) | Whole server | Varies |
| Traditional site-to-site VPN | Often | Whole network | IPsec (complex) |
| DataXcel + NetBird | None | One SQL port | WireGuard (modern, audited) |
Don't take our word for it — who trusts this technology
The two technologies under the hood — WireGuard and NetBird — are trusted far beyond DataXcel:
- WireGuard is built into the Linux kernel. It was merged into the mainline Linux kernel (version 5.6, March 2020) — an extraordinarily high bar for security and code quality. Linux creator Linus Torvalds publicly called it "a work of art" next to older VPN protocols. (WireGuard — Wikipedia)
- The biggest names in security ship it. Cloudflare's WARP, Mozilla VPN, and Tailscale all build their products on WireGuard. When Cloudflare and Mozilla trust a protocol to protect millions of users, that's a strong signal.
- WireGuard has been formally, academically verified. Independent cryptographers have published formal security analyses of the WireGuard protocol — a level of mathematical scrutiny most VPNs never receive.
- NetBird is independently funded and security-hardened. NetBird raised €4M in venture funding (December 2024, co-led by InReach Ventures and Nauta Capital) and went through GitHub's Secure Open Source Fund — threat modeling and supply-chain hardening reviewed under GitHub's security program.
- It's open source — anyone can audit it. Both WireGuard and NetBird are open source, so the exact code that protects your connection can be (and has been) reviewed by the global security community.
In one sentence
DataXcel reaches your Sage data through an outbound-only, WireGuard-encrypted tunnel that is locked to a single SQL port — no inbound firewall changes, no remote desktop, no broad network access, and no way to read anything from your server beyond the SQL data your reports are built from.
If your IT team wants to go deeper, every claim above is verifiable in the public sources below — and we're always happy to walk through it on a call.
References
- NetBird — Open Source Zero Trust Networking: netbird.io
- NetBird documentation: docs.netbird.io
- Implementing Zero Trust with NetBird: docs.netbird.io/use-cases/security/implement-zero-trust
- NetBird source code (open source, auditable): github.com/netbirdio/netbird
- WireGuard protocol: wireguard.com
- WireGuard technical white paper (Noise, Curve25519, ChaCha20-Poly1305): wireguard.com/papers/wireguard.pdf
- WireGuard formal verification: wireguard.com/formal-verification
- WireGuard in the Linux kernel (5.6) & background: WireGuard — Wikipedia
- NetBird + GitHub Secure Open Source Fund (threat modeling, supply-chain hardening): netbird.io/knowledge-hub/netbird-github-secure-open-source-fund
- WireGuard in production at scale: Cloudflare WARP, Mozilla VPN, Tailscale