Is it possible for the access to the SEA user pages ( https://sea.acme.com/ ) and the admin pages ( https://sea.acme.com:18080/ ) to be over different network interfaces?
We would like to do this for security reasons.
This is a DNS issue. You cannot have 2 different names pointing to the same IP without having issues. The best thing you can do is to use a perimeter firewall in order to allow the management address only from certain IP addresses.
I'm not sure that was the answer you were looking for. The appliance has 3 portal pages:
SPX portal - 10443. You cannot simply log into this page; you must be invited by the appliance to register to create a password. The page is hashed and that hash is good for one login.
EUI - 443, allows users to log in and view/release their spam
(note: the SPX portal and the EUI will share ports 443 or 10443 depending on your configuration)
Admin UI - port 18080
To answer your question, yes, you can allow connections from anywhere with the appropriate routing. So you could have a user log in remotely and release a spam if your firewall routed 10443 traffic to the appliance. Or if you port forward 18080 externally to the appliance, you can log in from anywhere you wish.
In regards to "would I want to allow that?": up to you. My answer is, the SPX portal must be resolvable from the external world so people can sign up to the portal. Am I worried about security? No, they can't do anything without that 1 time hash.
Would I be worried about the EUI from external? Probably not, but the best practice is to only allow this internally, and there's not much of a reason to allow someone to remotely release spam. Ideally that remote user would be using a VPN and that connection would originate locally.
Admin UI? There is no reason to expose this to the internet; it should only be as accessible as required. Personally, my firewall rule limits the connection from a specific IP and sends it to the appliance. You could allow internal traffic to it, but there is no real reason to do so.
In reply to Red_Warrior:
David, I guess, is trying to configure SEA in order to have separate NICs, one for Admin and one for the rest of the traffic. This is not possible. As you explained and I did, the Admin page should be accessible only from a restricted set of internal IPs.
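The exposure policy described in the replies above, written as a check over perimeter firewall allow rules. This is an added example, not part of the thread or of the appliance's tooling; the address ranges, the rule format and the `audit` function are assumptions, and it assumes the SPX portal is on 10443 and the EUI on 443.

```python
import ipaddress

# Constructed placeholder ranges (RFC 1918 / RFC 5737), not from the thread.
ANY = [ipaddress.ip_network("0.0.0.0/0")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_HOSTS = [ipaddress.ip_network("10.20.30.40/32")]

# Port -> (portal name, sources allowed to reach it), following the thread.
# Assumes SPX on 10443 and EUI on 443; the two can share a port in some setups.
POLICY = {
    10443: ("SPX portal", ANY),        # must be reachable from outside
    443: ("EUI", INTERNAL),            # best practice: internal (or VPN) only
    18080: ("Admin UI", ADMIN_HOSTS),  # specific management IPs only
}


def audit(rules):
    """Return findings for allow rules broader than POLICY permits.

    rules: iterable of (source_cidr, dest_port) allow entries that
    forward traffic to the appliance (hypothetical rule format).
    """
    findings = []
    for source, port in rules:
        if port not in POLICY:
            findings.append(f"{source} -> {port}: port is not a known portal")
            continue
        name, allowed = POLICY[port]
        src = ipaddress.ip_network(source, strict=False)
        # The rule is acceptable only if its whole source range sits
        # inside one of the ranges the policy allows for that portal.
        if not any(src.subnet_of(net) for net in allowed):
            findings.append(f"{source} -> {port}: too broad for {name}")
    return findings


# Constructed sample rule set, not taken from any real firewall.
SAMPLE_RULES = [
    ("0.0.0.0/0", 10443),       # SPX open to the world: expected
    ("10.1.0.0/16", 443),       # EUI from an internal subnet: fine
    ("10.20.30.40/32", 18080),  # Admin UI from the management host: fine
    ("0.0.0.0/0", 18080),       # Admin UI port-forwarded externally
    ("203.0.113.0/24", 443),    # EUI from an external range
    ("10.0.0.0/8", 18080),      # Admin UI from the whole internal network
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```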