This article outlines the steps required to secure access to the LoadMaster WUI.
Access to the LoadMaster WUI is secured by HTTPS to protect sensitive network information in transit, which an attacker could otherwise capture and use to compromise the network. By default, a self-signed certificate is in use. As a result, the client browser will display a certificate warning every time a user logs on to the WUI.
For instructions on how to import a certificate, refer to the SSL Accelerated Services Feature Description, which can be found on the KEMP Documentation page.
In order to use a proper SSL certificate, please follow the steps below:
- In the main menu of the LoadMaster WUI, select Certificates > SSL Certificates.
- Select the previously imported certificate from the Administrative Certificate drop-down list.
- Close the browser and open it again. The certificate should now be in use.
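To confirm from an administrative workstation that the WUI has stopped presenting the default self-signed certificate, the check below can be run after the steps above. It is an added example, not KEMP tooling: it assumes the `openssl` command-line tool is installed, and the function names and the `lm.example.test` hostname are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not KEMP tooling). Requires the openssl CLI.
# Usage: ./wui-cert-check.sh lm.example.test [port]   (hostname is a placeholder)

# Save the leaf certificate presented on HOST:PORT as PEM in OUTFILE.
fetch_wui_cert() {  # usage: fetch_wui_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$3"
}

# Succeeds when issuer and subject names are identical, as on a self-signed certificate.
is_self_signed() {  # usage: is_self_signed PEMFILE
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when the certificate is valid for the name typed into the browser.
matches_host() {  # usage: matches_host PEMFILE HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Print one status word for the certificate in PEMFILE as seen under HOSTNAME.
wui_cert_status() {  # usage: wui_cert_status PEMFILE HOSTNAME
    if ! openssl x509 -in "$1" -noout 2>/dev/null; then
        echo "unreadable"
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "expired"
    elif is_self_signed "$1"; then
        echo "self-signed"      # default certificate still in use, or the import was self-signed
    elif ! matches_host "$1" "$2"; then
        echo "name-mismatch"    # browser will still warn for this hostname
    else
        echo "ca-issued"
    fi
}

# Contact a live WUI only when a hostname is passed on the command line.
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp)
    fetch_wui_cert "$1" "${2:-443}" "$tmp" && wui_cert_status "$tmp" "$1"
    rm -f "$tmp"
fi
```

A result of `ca-issued` only shows that the certificate is not self-signed and covers the hostname; whether the browser trusts the issuing CA still depends on the client's trust store.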
If the LoadMaster is balancing applications published to the internet, consider placing it behind the perimeter firewall so that private IP addresses can be used in conjunction with port forwarding from the firewall, preventing internet clients from connecting directly to it.
If this configuration is not an option, there are some other things you can do:
In the main menu of the LoadMaster WUI, go to System Configuration > Access Control > Access Lists.
Here, IP addresses can be added to the whitelist and blacklist for WUI access.
Note: If you accidentally lock yourself out by changing these settings, console access to the LoadMaster is required.
In the System Configuration > Access Control section there is also a Packet Filter link which allows you to restrict traffic to addresses configured for the LoadMaster by virtue of the Virtual Services. So, if access is configured to, for example, an Exchange server, traffic to any other destination will be either dropped or rejected, based on the setting selected in the Packet Filter screen.
In the main menu, go to Miscellaneous Options > Remote Access.
The option Allow Remote SSH Access lets you choose an interface to connect to via SSH.
Note: Unless otherwise required, only an internal interface should be selected for access to prevent brute-force attacks from malicious hosts. The same applies to the Allow Web Administrative Access field.
The option Enable API Interface should be unchecked if you do not specifically require it.