Solved: many thanks

silex · ‎11-24-2015

I want to be able to block web admin gui access to the edge server from the internet, and only allow Lan subnets from inside the network.

Is this possible ?

Chris Deren · ‎11-24-2015

That is how it normally works as Services DMZ NIC should be behind firewall and http and https port should not be allowed to it from outisde network.

Are you NATing the LAN2 interface or did you put it on public IP without firewall?

View solution in original post

devils_advocate · ‎11-24-2015

Agree with Chris on this, there should be a Firewall which sits between the Exp-E node and the outside world which only permits traffic needed as per the Deployment Guide.

View solution in original post

Chris Deren · ‎11-24-2015

That is how it normally works as Services DMZ NIC should be behind firewall and http and https port should not be allowed to it from outisde network.

Are you NATing the LAN2 interface or did you put it on public IP without firewall?

silex · ‎11-25-2015

sorry, I didn't explain very well. Yes I have 1 nic interface with static Nat and it is in the DMZ of the firewall, Is HTTP and HTTPS protocol only needed for Access? If so I will just block them as suggested

parcvista · ‎11-25-2015

HTTP/HTTPS are only needed for management, you may block them together with SSH.

silex · ‎11-25-2015

many thanks

devils_advocate · ‎11-25-2015

The ports required for MRA to work via Expressway are in the deployment guide.

The recommended configuration is to have a firewall between the Exp-E and the outside world. The default behaviour of a Firewall is to block everything inbound towards the Exp-E including http and https. You then just open the ports required as per the deployment guide for MRA to function.

devils_advocate · ‎11-24-2015

Agree with Chris on this, there should be a Firewall which sits between the Exp-E node and the outside world which only permits traffic needed as per the Deployment Guide.

Expressway Gui access