Server Configuration Considerations


This Help topic provides configuration information for the Extreme Management Center Server, such as limiting client connections to the server, adding memory to the server, firewall considerations, and dealing with SSL vulnerability concerns.

Limiting Client Connections on Linux

Use the steps in this section to configure the server to accept connections only from the local system and/or limit client connections to a specific IP address.

Accepting Connections from Local Clients Only

By default, the Management Center Server accepts connections from any client system. To limit connections to clients connecting from the local system only, use the following steps:

  1. Open the server's run.sh file located in <install directory>/jboss/bin/run.sh.
  2. Edit the HOSTNAME variable at the top of the file to:
    HOSTNAME="127.0.0.1"

Limiting Connections to a Specific IP Address

By default, the Management Center Server accepts connections on all IP addresses supported by the server host. If your server supports multiple IP addresses, it may be desirable to limit client connections to a specific IP address. To specify an IP address:

  1. Open the server's run.sh file located in <install directory>/jboss/bin/run.sh.
  2. Edit the HOSTNAME variable at the top of the file to:
    HOSTNAME="<server IP address>"
    For example, HOSTNAME="123.123.123.123"

Clients must use the exact IP address to connect to the server. Clients can no longer use localhost, 127.0.0.1, or any DNS name that resolves to anything other than the specified IP address.

Adding Memory to the Server on Linux

By default, the Management Center Server is configured to use a maximum of 512 MB of virtual memory. On large server systems and in large deployments, you can increase the amount of memory. If the server attempts to access more memory than it is configured for, it terminates.

  1. Open the server's run.sh file located in <install directory>/jboss/bin/run.sh.
  2. Edit the MAXMEMORY variable at the top of the file to the desired value:
    MAXMEMORY="<number of MB>"

Firewall Considerations

  • The Management Center Server runs on a set of non-standard ports. These TCP ports (4530-4533) must be accessible through firewalls for clients to connect to the server.
    4530/4531 -- JNP (JNDI)
    4532 -- JRMP (RMI)
    4533 -- UIL (JMS)
  • Port 8080 (Default HTTP traffic) must be accessible through firewalls for users to install and launch Management Center client applications.
  • Port 8443 (Default HTTPS traffic) must be accessible through firewalls for clients to access the Management Center Server Administration web pages, Management Center, and Extreme Access Control Dashboard.
  • Port 8444 (Default HTTPS traffic) must be accessible through firewalls for clients to access the Access Control Appliance Administration web pages.
  • The following ports must be accessible through firewalls for the Management Center Server and an Access Control engine to communicate:
    Required ports (all bi-directional)
    TCP: 4530-4533, 4589, 8080, 8443, 8444
    UDP: 161, 162
  • The following ports must be accessible through firewalls for the Management Center Server and Wireless Controllers to communicate:
    SSH: 22
    SNMP: 161, 162
    Langley: 20506
  • The following ports must be accessible through firewalls for the Management Center Server and WAS to communicate:
    TCP: Port 8443 - Used by WAS to authenticate Management Center users. This port corresponds to Management Center's HTTPS web server port.
    TCP: Port 443 - Import data from Management Center into WAS.
    TCP: Port 8080 - Upgrade WAS from WAS UI.
  • Port 2055 must be accessible through firewalls for the Management Center Server to receive NetFlow data.

SSL Vulnerability Concerns

The Secure Sockets Layer (SSL) protocol allows for secure communication between a web server and a web browser. In Management Center, it is used to secure communication between the JBoss Web Console server (accessed from the Launch Page Administration tab > Server Utilities tab > JBoss Web Console link) and the web browser client that is accessing it. At the beginning of an SSL session, the server and client negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one that is supported by both the server and the client. SSL encryption ciphers are classified based on encryption key length as follows:

  • HIGH - key length larger than 128 bits
  • MEDIUM - key length equal to 128 bits
  • LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt and a remote attacker with the ability to sniff network traffic could decrypt an encrypted session.

To increase SSL security, you can disable support for LOW encryption ciphers by adding a line to the nsjboss.properties file that specifies the encryption ciphers used. The line (as it appears below) lists only MEDIUM and HIGH ciphers; all LOW ciphers have been removed. The values are comma delimited and you can customize the list as desired. If this line is not added, all ciphers are included.

  1. Open the nsjboss.properties file (<install directory>\appdata\nsjboss.properties) in a text editor.
  2. Copy and paste the following line into the file:
    enterasys.tomcat.ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  3. Save and close the file.
  4. Restart the Management Center Server.

To remove a cipher (for example, if a vulnerability scan lists one of the ciphers as insecure), simply delete the cipher from the list.

  1. Open the nsjboss.properties file (<install directory>\appdata\nsjboss.properties) in a text editor.
  2. Delete the cipher from the list. For example, the cipher SSL_RSA_WITH_RC4_128_MD5 has been removed from the list:
    enterasys.tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  3. Save and close the file.
  4. Restart the Management Center Server.
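The following script is an added example (not part of this Help topic or of the Management Center product) covering both procedures above: it reads the enterasys.tomcat.ciphers line, classifies each suite by the key-length rule given in this topic, and produces the edited line with one cipher removed. The properties content it operates on is a constructed sample.

```python
import re

PROP = "enterasys.tomcat.ciphers"  # property name from the help topic
LINE_RE = re.compile(r"^\s*" + re.escape(PROP) + r"\s*=(.*)$")

# Constructed sample nsjboss.properties content carrying the line from the help topic.
SAMPLE = """# constructed sample, not a real install
some.other.setting=true
enterasys.tomcat.ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
"""


def parse_ciphers(text):
    """Return the comma-delimited cipher list from the property line.
    An absent line returns [] and means 'all ciphers included' (see the help topic)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            return [c.strip() for c in m.group(1).split(",") if c.strip()]
    return []


def classify(cipher):
    """Classify by symmetric key length as the help topic does: HIGH > 128 bits,
    MEDIUM == 128, LOW < 128, reading the length from the suite name (AES_128, RC4_40).
    Suites with no explicit length in the name (NULL, 3DES) return UNKNOWN for manual
    review. Length alone does not capture broken algorithms: the topic's own example
    removes an RC4 suite a scanner flagged even though it is 128 bits."""
    m = re.search(r"_(\d+)_", cipher)
    if not m:
        return "UNKNOWN"
    bits = int(m.group(1))
    return "HIGH" if bits > 128 else "MEDIUM" if bits == 128 else "LOW"


def weak_ciphers(ciphers):
    """Return the suites that are LOW or UNKNOWN, i.e. candidates to remove or review."""
    return [c for c in ciphers if classify(c) in ("LOW", "UNKNOWN")]


def remove_cipher(text, cipher):
    """Return the properties text with `cipher` dropped from the list (step 2 of the
    removal procedure); every other line is left untouched."""
    out = []
    for line in text.splitlines():
        if LINE_RE.match(line):
            kept = [c for c in parse_ciphers(line) if c != cipher]
            line = PROP + "=" + ",".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak or unknown:", weak_ciphers(parse_ciphers(SAMPLE)))
    print(remove_cipher(SAMPLE, "SSL_RSA_WITH_RC4_128_MD5"))
```

Run it against a copy of your real nsjboss.properties before editing the live file, and restart the server afterwards as the steps above require.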
