Network Management

last person joined: yesterday 

Keep an informative eye on your network with IMC and AirWave network management solutions.
Expand all | Collapse all

Airwave Management WebUI security

  • 1.  Airwave Management WebUI security

    Posted Jul 24, 2013 03:03 PM

    My customer is using Airwave to deploy their Instant AP's, via Aruba Activate.

    They want to put Airwave in the DMZ because they don't want to expose internal systems to the Internet.

     

    They also want to make sure that the Admin WebUI is not accessible from outside their network - is this possible?  

    i.e. the IAPs will need to connect to the public IP address over https, so can we change the Admin port or IP to something else?  



  • 2.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:07 PM

     

    You can do it but you would have to probably restrict the 443 access from only certain public IP address where your IAP will exist

     

    IF  you already have TACACs in your environment you could tied Airwave to TACACs , and also remove delete the admin account



  • 3.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:16 PM

    The IAPs "push" the info to Airwave.  Their port is 443 and cannot be changed.  I think a policy to only allow IAP traffic can be done but there would have to be a firewall/router involved prior to reaching Airwave



  • 4.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:17 PM

    So no way to separate the Management WebUI traffic onto a different interface or port?  



  • 5.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:20 PM

    Yes...you can specify the management VLAN (Virtual Controller VLAN) in the Admin settings to separate it out.

     

    Hang tight...I am researching what options you have.



  • 6.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:33 PM

    Sorry, I think I'm missing something.  Where do I find the management VLAN (Virtual Controller VLAN) in the Admin settings?



  • 7.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:35 PM

    Click on System ---> General Tab ---> Show advanced options

     

    Make sure you're on the latest code as well.  



  • 8.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:39 PM

    There's no General tab under System in Airwave.

    There is a General tab under AMP setup, but I don't see management VLAN anywhere in there.

     

    I'm running AMP 7.7.1



  • 9.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:40 PM

    Sorry...meant the IAP UI



  • 10.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:44 PM

    Ah, that makes sense... kindof.

     

    I think you misunderstand my question.

     

    I want to make sure that the IAP's can get their config from Airwave via the public address (ultimately using Aruba Activate).

     

    But I want to prevent Joe Anonymous out on the Internet from firing up a web browser and browsing to https://ip.of.amp and getting the Airwave Managment login page.

     



  • 11.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:46 PM

    No ...I got it.  Looking into what we can do from an Airwave perspective.  



  • 12.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 06:16 PM

    OK.  I have an answer!!!

     

    This feature will be included in an upcoming maintenance release.  I will update this thread when I get confirmation on the release and date.  

     

     



  • 13.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 07:50 PM

    Here is the summary of this feature.

     

    In the UI of Airwave, there will be an IP address whitelist you can enable.  This whitelist will be the hosts/networks that will be allowed to access the Airwave server via https.  IAPs will be unrestricted.  

     

    This means that you can safely deploy Airwave in the DMZ allowing IAPs to access the server but restricting admins and operators to specific IP addresses or networks.



  • 14.  RE: Airwave Management WebUI security

    Posted Jul 31, 2013 08:07 AM

    Would you happen to know which release this will be coming in??



  • 15.  RE: Airwave Management WebUI security

    Posted Jul 31, 2013 08:10 AM
    Not as of yet. I will keep you posted.


  • 16.  RE: Airwave Management WebUI security

    Posted Aug 03, 2013 04:36 PM

    It's out now on the support site. it is in 7.7.3. You can  configure the whitelist on amp setup authentication page.



  • 17.  RE: Airwave Management WebUI security

    Posted Jul 24, 2013 03:16 PM

    Hm... that's no good.  They are deploying the IAPs with VPN, similar to RAPs.  So the IAP's will be scattered out all over the world, behind dynamic public IP addresses.  So they need to allow https from "any" to AMP's public IP.  But by default that will also allow "any" to log into the Management WebUI, which is not good from their perspective.