Blocking the HTTPS port for TIBCO LogLogic LMI appliances serving as remote appliances in a management station configuration

Article ID: KB0077512

Products: TIBCO LogLogic Log Management Intelligence
Versions: all versions

Description

Some LMI administrators who use the management station feature of LogLogic LMI want or need to ensure that LMI users can only reach the remote appliances in a management station cluster through the management station itself, using its remote control feature. Doing so requires blocking HTTPS access to the web GUI on every remote appliance. This is possible: although management station remote control also talks to the remote appliances over HTTPS, it uses a non-standard port (4443/tcp before LMI 6.3.0, 9443/tcp from 6.3.0 on) that is independent of the 443/tcp port used by the web GUI.

Issue/Introduction

This article explains how to block the HTTPS port for accessing the web GUI on LMI appliances operating as remote appliances in the context of a management station cluster.

Resolution

The LMI appliance's own firewall cannot do this. The GUI protects port 443 by not allowing its ACCEPT rule to be deleted, and any rules added manually on the command line are periodically removed. A configuration like this therefore requires a network-based firewall that blocks 443/tcp connection attempts from client systems to the LMI remote appliances. This applies to all LMI versions prior to 6.3.0.

Starting with LMI 6.3.0 several ports have changed, including the one used by the management station: remote control communication with the remote appliances now takes place over 9443/tcp. The firewall GUI already contains an ACCEPT rule for that port, and a DROP rule added for it is appended to the chain after the ACCEPT, so it has no effect. For 6.3.0 and later we therefore still recommend a network-based firewall for this configuration; the only difference is the port to block. Because the management station's own remote control traffic to the remote appliances also uses 9443/tcp, the network firewall rule must exempt the management station's address, otherwise blocking the port for clients also breaks remote control.

In summary:
For all versions up to and including 6.2.1, block 443/tcp from client systems to the remote appliances in the network-based firewall.
For 6.3.0 and later, block 9443/tcp from client systems to the remote appliances in the network-based firewall, while still allowing the management station itself to reach the remote appliances on 9443/tcp.
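As an added example (not TIBCO's tooling and not part of the original article), the following POSIX shell script generates the network firewall rules described above for a Linux/iptables-based firewall placed between the client systems and the remote appliances. It selects the port from the LMI version (443/tcp up to 6.2.1, 9443/tcp from 6.3.0 on) and, for 6.3.0 and later, emits an ACCEPT for the management station ahead of the DROP so remote control keeps working. The use of the FORWARD chain, the function names and the addresses (RFC 5737 test ranges) are assumptions; the script only prints the commands so they can be reviewed before being applied on the firewall.

```shell
#!/bin/sh
# Added example, not TIBCO code: build network-firewall rules that stop
# clients from reaching the remote appliances' HTTPS GUI port directly.

# Port to block for a given LMI version, per the KB summary:
# up to 6.2.1 -> 443/tcp, 6.3.0 and later -> 9443/tcp.
# major.minor are compared numerically so that 6.10 sorts after 6.3.
lmi_block_port() {
    awk -v v="$1" 'BEGIN {
        n = split(v, p, "[.]")
        major = p[1] + 0
        minor = (n >= 2) ? p[2] + 0 : 0
        if (major > 6 || (major == 6 && minor >= 3)) print 9443
        else print 443
    }'
}

# Emit iptables FORWARD rules (assumed chain) for a firewall between the
# clients and the remote appliances.
#   $1 = LMI version, $2 = management station IP, remaining args = RA IPs
# Rule order matters: for 6.3.0+ the management station uses 9443/tcp for
# remote control, so its ACCEPT must precede the DROP. Before 6.3.0 the
# management station uses 4443/tcp instead, so 443/tcp can be dropped flat.
lmi_fw_rules() {
    ver=$1; ms=$2; shift 2
    port=$(lmi_block_port "$ver")
    for ra in "$@"; do
        if [ "$port" = 9443 ]; then
            printf 'iptables -A FORWARD -p tcp -s %s -d %s --dport %s -j ACCEPT\n' \
                "$ms" "$ra" "$port"
        fi
        printf 'iptables -A FORWARD -p tcp -d %s --dport %s -j DROP\n' "$ra" "$port"
    done
}

# Constructed sample: one management station, two remote appliances, LMI 6.3.0.
lmi_fw_rules 6.3.0 192.0.2.10 192.0.2.21 192.0.2.22
```

Pipe the output into `sh` on the firewall once it has been reviewed, and scope the DROP further (for example with `-s` for the client subnets) if the firewall also forwards traffic the remote appliances need from other systems.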