Overview
To meet compliance requirements, some customers must restrict access to the Admin Web UI (admin UI), so it only accepts connections from VPN clients or internal connections from the LAN where Access Server is hosted. This guide explains how to configure such restrictions for the two most common deployment scenarios.
Case 1: Access Server using a private IP with the public IP attached to an external NAT device
Example Deployment: Access Server on AWS
Default Configuration:
- Admin Web UI: Listens on TCP 943 and TCP 443.
- Client Web UI: Listens on TCP 943 and TCP 443.
Steps to restrict Admin Web UI access:
- Sign in to the Admin Web UI.
- Click Configuration > Network Settings.
- In the Web Service forwarding settings, disable Admin Web Server forwarding.
- Under Admin Web Server > Port number, set the port to 946 (or another port of your choice).
- In the Client Web Server section, enable Use a different IP address or port.
- Click Save Settings and Update Running Server.
Result:
- The Admin Web UI now listens only on TCP port 946.
- There isn't any web service forwarding from TCP 443 to TCP 946 for the Admin Web UI.
- The Client Web UI continues to listen on TCP ports 443 and 943, as web service forwarding is still enabled for the Client Web UI.
The configuration will look like this:
Firewall Configuration:
- For AWS deployments, sign in to the AWS console and modify your EC2 instance's Security Groups to remove any rule allowing traffic to TCP 946.
- For on-premises deployments, configure your firewall or border router to block or avoid forwarding traffic to TCP 946.
Case 2: Access Server using a Public IP directly attached to the Linux (VM) interfaces
Example Deployment: Access Server on DigitalOcean with a Public IP attached to one of the VM's interfaces
Steps to restrict Admin Web UI access:
- Sign in to the Admin Web UI.
- Click Configuration > Network Settings.
- Under Admin Web Server > Port number, configure port 946 (or another port of your choice) and select an internal interface for the admin web server.
- In the Client Web Server section, enable the option Use a different IP address or port.
- Click Save Settings and Update Running Server.
Result:
- The Admin Web UI will now listen only on TCP port 946 on the internal interface (associated with the private IP).
- There is no web service forwarding from TCP 443 to TCP 946 for the Admin Web UI.
- The Client Web UI will continue to listen on TCP ports 443 and 943, using the interface associated with the public IP, as web service forwarding remains enabled for the Client Web UI.
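To confirm on the server that the admin port is bound only to the internal address, the listener table can be audited. This is an added example, not part of the original guide or of Access Server's own tooling; the function name check_admin_bind, the addresses 10.0.0.5 (internal) and 203.0.113.10 (public), and the sample `ss` output are constructed assumptions.

```shell
# Audit which local addresses a TCP port is listening on.
# Reads `ss -H -ltn` output on stdin.
# Live usage:  ss -H -ltn | check_admin_bind 946 <internal-ip>
# Exit codes:  0 = bound only to the internal IP
#              1 = also bound to another address (wildcard, public IP, ...)
#              2 = nothing listening on the internal IP at that port
check_admin_bind() {
  awk -v port="$1" -v ip="$2" '
    $1 == "LISTEN" {
      local_addr = $4
      # Split at the last ":port" so IPv6 forms such as [::]:946 parse too.
      n = match(local_addr, /:[0-9]+$/)
      if (n == 0) next
      addr = substr(local_addr, 1, n - 1)
      p = substr(local_addr, n + 1)
      if (p != port) next
      sub(/%.*$/, "", addr)          # drop an interface scope such as %eth0
      if (addr == ip) ok = 1
      else { bad = 1; print "unexpected listener: " local_addr }
    }
    END { if (bad) exit 1; if (!ok) exit 2; exit 0 }
  '
}

# Constructed sample of `ss -H -ltn` output after applying Case 2:
# admin UI on the private IP, client UI on the public IP.
SAMPLE_SS='LISTEN 0 128 10.0.0.5:946 0.0.0.0:*
LISTEN 0 128 203.0.113.10:443 0.0.0.0:*
LISTEN 0 128 203.0.113.10:943 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | check_admin_bind 946 10.0.0.5 \
  && echo "admin UI bound to internal IP only"
```

A non-zero exit means the port setting or interface selection did not take effect as intended and should be rechecked in Network Settings.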
The configuration will look like this:
If you have further questions or encounter issues, please submit a support ticket.