Gateway (Web Server)
The following security considerations apply to the gateway:
The gateway needs network access:
To all agent servers
Any respective agent services
The Elasticsearch cluster – as described in the firewall section.
The Internet Information Services configuration or Apache Server user account needs:
Read access to the Apps folder on your deployment.
Read/write access to the Logs folder on your deployment.
Read access to the certificates used to secure communications with Elasticsearch.
From a defence in depth perspective the principle of least privileges should apply.
The account should have the minimum privileges required to run the apps.
End user access should be secured over HTTPS with a valid certificate for production deployments. Not self-signed.
You can lock the Control Hub down to specific IP addresses. For example a remote desktop host. This provides additional security over and above the authentication required to access the app.
To do this you must lock the admin and the API sub-folder down to specific IP addresses.
Last updated