Airwave Management WebUI security

  • 1.  Airwave Management WebUI security

    Posted Jul 24, 2013 03:03 PM

    My customer is using Airwave to deploy their Instant APs, via Aruba Activate.

    They want to put Airwave in the DMZ because they don't want to expose internal systems to the Internet.

     

    They also want to make sure that the Admin WebUI is not accessible from outside their network - is this possible?  

    i.e. the IAPs will need to connect to the public IP address over https, so can we change the Admin port or IP to something else?  



  • 2.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:07 PM

     

    You can do it, but you would probably have to restrict the 443 access to only certain public IP addresses where your IAPs will exist.

    If you already have TACACS in your environment, you could tie Airwave to TACACS, and also delete the admin account.



  • 3.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 03:16 PM

    The IAPs "push" the info to Airwave. Their port is 443 and cannot be changed. I think a policy to only allow IAP traffic can be done, but there would have to be a firewall/router involved prior to reaching Airwave.



  • 4.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:17 PM

    So no way to separate the Management WebUI traffic onto a different interface or port?  



  • 5.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 03:20 PM

    Yes...you can specify the management VLAN (Virtual Controller VLAN) in the Admin settings to separate it out.

     

    Hang tight...I am researching what options you have.



  • 6.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:33 PM

    Sorry, I think I'm missing something.  Where do I find the management VLAN (Virtual Controller VLAN) in the Admin settings?



  • 7.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 03:35 PM

    Click on System ---> General Tab ---> Show advanced options

     

    Make sure you're on the latest code as well.  



  • 8.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:39 PM

    There's no General tab under System in Airwave.

    There is a General tab under AMP setup, but I don't see management VLAN anywhere in there.

     

    I'm running AMP 7.7.1



  • 9.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 03:40 PM

    Sorry...meant the IAP UI



  • 10.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:44 PM

    Ah, that makes sense... kind of.

     

    I think you misunderstand my question.

     

    I want to make sure that the IAPs can get their config from Airwave via the public address (ultimately using Aruba Activate).

    But I want to prevent Joe Anonymous out on the Internet from firing up a web browser and browsing to https://ip.of.amp and getting the Airwave Management login page.

     



  • 11.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 03:46 PM

    No ...I got it.  Looking into what we can do from an Airwave perspective.  



  • 12.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 06:16 PM

    OK.  I have an answer!!!

     

    This feature will be included in an upcoming maintenance release.  I will update this thread when I get confirmation on the release and date.  

     

     



  • 13.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 24, 2013 07:50 PM

    Here is the summary of this feature.

     

    In the UI of Airwave, there will be an IP address whitelist you can enable.  This whitelist will be the hosts/networks that will be allowed to access the Airwave server via https.  IAPs will be unrestricted.  

     

    This means that you can safely deploy Airwave in the DMZ allowing IAPs to access the server but restricting admins and operators to specific IP addresses or networks.



  • 14.  RE: Airwave Management WebUI security

    Posted Jul 31, 2013 08:07 AM

    Would you happen to know which release this will be coming in??



  • 15.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Jul 31, 2013 08:10 AM
    Not as of yet. I will keep you posted.


  • 16.  RE: Airwave Management WebUI security

    EMPLOYEE
    Posted Aug 03, 2013 04:36 PM

    It's out now on the support site. It is in 7.7.3. You can configure the whitelist on the AMP Setup authentication page.



  • 17.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:16 PM

    Hm... that's no good. They are deploying the IAPs with VPN, similar to RAPs. So the IAPs will be scattered out all over the world, behind dynamic public IP addresses. So they need to allow https from "any" to AMP's public IP. But by default that will also allow "any" to log into the Management WebUI, which is not good from their perspective.