Contributor II

Airwave Management WebUI security

My customer is using Airwave to deploy their Instant APs, via Aruba Activate.

They want to put Airwave in the DMZ because they don't want to expose internal systems to the Internet.

They also want to make sure that the Admin WebUI is not accessible from outside their network - is this possible?

i.e. the IAPs will need to connect to the public IP address over https, so can we change the Admin port or IP to something else?

Re: Airwave Management WebUI security

You can do it, but you would probably have to restrict 443 access to only certain public IP addresses where your IAPs will exist.

If you already have TACACS in your environment, you could tie Airwave to TACACS, and also delete the admin account.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Airwave Management WebUI security

The IAPs "push" the info to Airwave. Their port is 443 and cannot be changed. I think a policy to only allow IAP traffic can be done, but there would have to be a firewall/router involved prior to reaching Airwave.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II

Re: Airwave Management WebUI security

Hm... that's no good. They are deploying the IAPs with VPN, similar to RAPs. So the IAPs will be scattered out all over the world, behind dynamic public IP addresses. So they need to allow https from "any" to AMP's public IP. But by default that will also allow "any" to log into the Management WebUI, which is not good from their perspective.

Contributor II

Re: Airwave Management WebUI security

So no way to separate the Management WebUI traffic onto a different interface or port?  

Re: Airwave Management WebUI security

Yes...you can specify the management VLAN (Virtual Controller VLAN) in the Admin settings to separate it out.

Hang tight...I am researching what options you have.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Contributor II

Re: Airwave Management WebUI security

Sorry, I think I'm missing something.  Where do I find the management VLAN (Virtual Controller VLAN) in the Admin settings?

Re: Airwave Management WebUI security

Click on System ---> General Tab ---> Show advanced options

Make sure you're on the latest code as well.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Contributor II

Re: Airwave Management WebUI security

There's no General tab under System in Airwave.

There is a General tab under AMP setup, but I don't see management VLAN anywhere in there.

I'm running AMP 7.7.1.

Re: Airwave Management WebUI security

Sorry...meant the IAP UI

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX