UserPortal: set noindex or robots.txt to avoid google listing

Hello all,

our UserPortal is unfortunately indexed at Google. Since the UserPortal doesn't have a Legal notice or Privacy policy option at the moment, I do not want it listed. Generally I don't want it listed :)

I have not found an option to set a meta name "noindex" or "none", nor a possibility to set X-Robots-Tag as a header. Is this implemented somewhere?

Or alternatively, is there a possibility to create a robots.txt for the UserPortal?

 

Thanks for answers :)



This thread was automatically locked due to age.
  • Hallo Johannes and welcome to the UTM Community!

    I haven't heard of this issue before here.  What is your concern?  Have you considered two-factor authentication?  Alternatively, have you considered limiting access to your "Internal (Network)" and "VPN Pool (SSL)" subnets?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for welcoming me, Bob :)

     > What is your concern?

    One of my concerns is that there might be a Security Issue with the portal in the future, and that a lot of Sophos portals - including ours - can be easily found/tried using Google. Everything that helps fingerprinting the security devices of a company is just helpful for people I don't WANT to give help ;)

    Since Google and other search engines are giving me several options to de-list, I would like the Sophos UserPortal to support it. An ssh-editable robots.txt would suffice.

    In my opinion there isn't really a reason for the UserPortal to be indexed by Google. So perhaps even a none or noindex meta header as default could be considered. Normally business users do not need to search the URL for the vpn-portal using Google, do they? :)

    At the moment the OpenVPN-Based Portal seems to be packaged, so that I can't modify the portal on the Firewall, or add a robots.txt. Or did I overlook a possibility?

     

    > Have you considered two-factor authentication? 

    Adding two-factor authentication still leaves the portal to be found, just changes the authentication part. So, not for this issue, in general: yes :) It's upcoming.

     

    > Alternatively, have you considered limiting access to your "Internal (Network)" and "VPN Pool (SSL)" subnets?

    Well, that would break the possibility to download the VPN-Config and client using the portal. I DO want to use the UserPortal for its intended purpose, but I do NOT need it to be listed by search engines.

     

    As for being the first to ask: well, someone's got to be the first! It would help keeping Sophos Firewalls off the radar. A little step, I agree, but I would hate this to be precisely the little help that makes us - and other Sophos customers - a target.

     

    Greetings, Johannes.
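
A check for the three opt-out signals named in this thread (X-Robots-Tag header, robots meta tag, robots.txt), as an added example that is not from the thread or from Sophos; the function names and the sample responses are constructed. It reports a robots.txt Disallow separately from a noindex, because a crawler that honours the Disallow never fetches the page and so never reads a noindex on it.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # directives that keep a page out of the index

class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def header_directives(headers):
    """X-Robots-Tag directives; a 'googlebot:' prefix is dropped (rule counted for all bots)."""
    found = set()
    for name, value in headers:
        if name.lower() == "x-robots-tag":
            found |= {t.split(":")[-1].strip().lower() for t in value.split(",")}
    return found

def audit(headers, html, robots_txt, path="/"):
    """Classify one page as 'crawl-blocked', 'noindex' or 'indexable'."""
    meta = MetaRobots()
    meta.feed(html)
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    result = {
        "noindex_header": bool(header_directives(headers) & BLOCKING),
        "noindex_meta": bool(meta.directives & BLOCKING),
        "crawl_blocked": not robots.can_fetch("*", path),
    }
    if result["crawl_blocked"]:  # page is never fetched, so any noindex goes unseen
        result["verdict"] = "crawl-blocked"
    elif result["noindex_header"] or result["noindex_meta"]:
        result["verdict"] = "noindex"
    else:
        result["verdict"] = "indexable"
    return result

# Constructed sample responses (not captured from any real portal).
LOGIN_HTML = "<html><head><title>Login</title></head><body></body></html>"
META_HTML = '<html><head><meta name="robots" content="none"></head></html>'
ROBOTS_DENY = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for args in ([("X-Robots-Tag", "noindex")], LOGIN_HTML, ""), ([], LOGIN_HTML, ROBOTS_DENY):
        print(audit(*args)["verdict"])
```
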

  • I usually recommend using a port other than 443 for the Portal - don't use 4443 as that's reserved for Central Management (SUM).

    Still, I don't think that the Google bot can get past the login page to map anything.  I usually suggest that personal laptops, etc. should not be allowed to VPN into a business-class environment.  If you only allow company-owned devices, then folks should be able to download the client while at work.  For the few that cannot, you can download an installation package on the 'Users' tab of 'Users and Groups' and then email that to them.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA