
Can the SEA user and admin pages be accessed through different network interfaces?

Is it possible for the access to the SEA user pages (https://sea.acme.com/) and the admin pages (https://sea.acme.com:18080/) to be over different network interfaces?

We would like to do this for security reasons.



  • Hi David,

    I'm not sure that was the answer you were looking for..   The appliance has 3 portal pages

    SPX portal - 10443. You cannot simply log into this page; you must be invited by the appliance to register to create a password.  The page is hashed and that hash is good for one login.

    EUI - 443, allows users to log in and view/release their spam

    (note: the SPX portal and the EUI will share ports 443 or 10443 depending on your configuration)

    Admin UI - port 18080

     

    To answer your question, yes, you can allow connections from anywhere with the appropriate routing.  So you could have a user log in remotely and release a spam if your firewall routed 10443 traffic to the appliance.  Or if you port forward 18080 externally to the appliance, you can log in from anywhere you wish.

     

    In regards to, would I want to allow that?  Up to you, my answer is .. the SPX portal must be resolvable from the external world so people can sign up to the portal.. am I worried about security? No, they can't do anything without that one-time hash.

     

    Would I be worried about the EUI from external ?  probably not, but the best practice is to only allow this internally.. and there's not much of a reason to allow someone to remotely release spam .. Ideally that remote user would be using a VPN and that connection would originate locally. 

     

    Admin UI? there is no reason to expose this to the internet, it should only be as accessible as required.  Personally my firewall rule limits the connection from a specific IP and sends it to the appliance.  You could allow internal traffic to it, but there is no real reason to do so. 

  • Red_

    David, I guess, is trying to configure SEA in order to have separate NICs, one for Admin and one for the rest of the traffic. This is not possible. As you explained and I did, the Admin page should be accessible only from a restricted set of internal IPs.

    Thanks
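
An added example, not part of the original thread and not vendor tooling: a small audit that checks a list of firewall allow rules against the exposure policy the replies describe (SPX portal on 10443 may be public, EUI on 443 internal only, Admin UI on 18080 restricted to specific hosts). The address ranges, the rule format and the sample rules are constructed assumptions, and the check assumes the SPX portal and EUI are configured on separate ports.

```python
import ipaddress

# Assumed site values, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_HOSTS = [ipaddress.ip_network("10.0.5.10/32")]

# Ports come from the thread; the allowed sources encode the replies' advice.
# None means any source is acceptable (SPX must be reachable externally).
POLICY = {
    10443: ("SPX portal", None),
    443: ("EUI", INTERNAL_NETS),
    18080: ("Admin UI", ADMIN_HOSTS),
}

# Constructed sample rules: (source CIDR, destination port, action).
# Rule ordering is ignored; every "allow" is treated as effective.
SAMPLE_RULES = [
    ("0.0.0.0/0", 10443, "allow"),    # public SPX registration: expected
    ("0.0.0.0/0", 443, "allow"),      # EUI open to the internet
    ("10.0.0.0/8", 443, "allow"),     # EUI from internal/VPN: expected
    ("10.0.5.10/32", 18080, "allow"), # admin from one host: expected
    ("10.0.0.0/8", 18080, "allow"),   # admin from all of internal: too wide
    ("0.0.0.0/0", 18080, "deny"),     # deny rules are not findings
]


def within(src, allowed):
    """True if the source network sits entirely inside an allowed network."""
    return any(src.version == net.version and src.subnet_of(net)
               for net in allowed)


def audit(rules):
    """Return (portal, port, source) for each allow rule wider than policy."""
    findings = []
    for src_cidr, port, action in rules:
        if action != "allow" or port not in POLICY:
            continue
        name, allowed = POLICY[port]
        if allowed is None:
            continue
        if not within(ipaddress.ip_network(src_cidr), allowed):
            findings.append((name, port, src_cidr))
    return findings


if __name__ == "__main__":
    for name, port, src in audit(SAMPLE_RULES):
        print(f"{name} (port {port}) is reachable from {src}")
```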