How do we prevent access to controller WebGUI while allowing access to VIA download page ?
In a typical scenario, end users will receive an email from their IT department with details to download VIA Client from a URL (controllers public IP address) , users will then download VIA from the URL provided and install it on their computers.
For example, they can download VIA set up files from https://<server-IP-address>/via after entering their corporate credentials.
But when the users mention the controllers public IP address without /via in the browser, it brings up the controller web interface,
Any user who is aware of the username and password of the controller, can login into the web interface, thereby gets access to change settings or bring down the network.
Therefore, it is highly recommended to block controller's web interface access from the users by adding an Access Control List to block access to controller WebGUI and allow access to the VIA download page .
Environment: This article applies to all Aruba Mobility Controllers running any ArubaOS versions.
The controller WebGUI is served on TCP port 4343 whereas the VIA download page is served on TCP port 443, Hence to limit public access to the controller web interface, you can configure rules on your firewall to only permit access from certain IPs on port 4343 and block from rest and allow access to port 443
Note:- First ensure you have appropriate rules in place allowing WebGUI access for administrators and then disable for the rest .