  1. #1
    Newbie
    Join Date
    Aug 2019
    Posts
    5

    Tying Administration to Specific Interface

    Still testing Untangle out and need to understand how to tie administration to a specific port and interface. Basically I need to create an "out of band" management interface.

    Does anyone have experience doing this with Untangle?

  2. #2
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,738

    I haven't done it myself, but you should be able to accomplish it via Filter Rules. Just be very careful here, because you can really break things in two ways:

    1. It's very easy to accidentally stop all administrative access to your server this way
    2. It's very easy to block access to Web Filter block pages and Captive Portal capture pages this way.

    The more-normal way for providing out of band management is via the console connected directly to the back of the server, which in more sophisticated environments might be a network KVM, Dell iDRAC, HP iLO, IPMI, etc.
    Last edited by jcoehoorn; 08-22-2019 at 07:25 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.2.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  3. #3
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,196

    Definitely be careful, but if you want to mess with this you can disable the in-built Access Rules (Config->Networking->Advanced->Access Rules) for administration and craft your own. You don't want to use Filter Rules here; they are for traffic passing through, not traffic going to Untangle's services.

    You might also have interest in this thread: https://forums.untangle.com/networki...tml#post235718

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,542

    Quote Originally Posted by dwdino View Post
    Basically I need to create an "out of band" management interface.
    Does anyone have experience doing this with Untangle?
    It's possible to change the port in /admin/index.do#config/network/services. It's best not to limit the interface for management since it also serves block and captive pages.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,219

    Yeah, the http and https administrative services are on the same mechanism as the block pages. You cannot safely use the filter to control them unless you want problems.

    Now, if you go to config -> administration, then look on the admin tab and scroll down, you'll notice a Restrict Administration Subnets box, you can use that for an individual IP or range. So if you want to make an "out of band" administrative device, then I suggest you dedicate a network port on Untangle to connect to an IP range of management devices, then feed that box the IP range in question.

    No filter rules required.
    No risks required.

    If you screw up, the physical console admin still works.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
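
A pre-flight check for the allow-list approach described in the post above, added here as an example; it is not part of the original thread and is not Untangle code. It assumes the Restrict Administration Subnets entries are single IPs or CIDR ranges; the function name and the 10.99.0.0/24 management network are constructed for illustration.

```python
import ipaddress


def audit_admin_allowlist(allowlist, mgmt_network, other_networks, admin_ip):
    """Return a list of findings; an empty list means the plan is consistent."""
    mgmt = ipaddress.ip_network(mgmt_network)
    others = {name: ipaddress.ip_network(net) for name, net in other_networks.items()}
    admin = ipaddress.ip_address(admin_ip)
    findings, entries = [], []

    for raw in allowlist:
        try:
            # A bare address parses as a single-host network (/32 or /128).
            entries.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            findings.append(f"unparseable entry: {raw!r}")

    for net in entries:
        # Every entry should stay inside the dedicated management segment.
        if net.version != mgmt.version or not net.subnet_of(mgmt):
            findings.append(f"{net} is not inside management network {mgmt}")
        # An entry touching a user-facing network defeats the separation.
        for name, other in others.items():
            if net.overlaps(other):
                findings.append(f"{net} overlaps {name} network {other}")

    # The workstation used for administration must remain covered, otherwise
    # web administration is lost and only the physical console is left.
    if not any(admin in net for net in entries):
        findings.append(f"{admin} is not covered: web admin lockout, console only")
    return findings


if __name__ == "__main__":
    # Constructed sample values: internal LAN as in the thread's 192.168.1.x
    # example, plus a hypothetical dedicated management port on 10.99.0.0/24.
    lan = {"internal": "192.168.1.0/24"}
    for plan in (["10.99.0.0/28"], ["10.99.0.0/16", "192.168.1.50"]):
        print(plan, audit_admin_allowlist(plan, "10.99.0.0/24", lan, "10.99.0.5"))
```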

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote Originally Posted by sky-knight View Post
    Now, if you go to config -> administration, then look on the admin tab and scroll down, you'll notice a Restrict Administration Subnets box, you can use that for an individual IP or range. So if you want to make an "out of band" administrative device, then I suggest you dedicate a network port on Untangle to connect to an IP range of management devices, then feed that box the IP range in question.
    This is the way.

    If you modify access rules make sure you read the huge bold warnings:
    https://wiki.untangle.com/index.php/Access_Rules
    specifically the part about "proper functioning"

  7. #7
    Newbie
    Join Date
    Aug 2019
    Posts
    5

    Thanks for all of the feedback. I will see what I can do and break...

    I would highly recommend to the Untangle developers to add an ADMIN IP configuration so that we can keep administration outside of normal traffic flows.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,219

    Quote Originally Posted by dwdino View Post
    Thanks for all of the feedback. I will see what I can do and break...

    I would highly recommend to the Untangle developers to add an ADMIN IP configuration so that we can keep administration outside of normal traffic flows.
    They did, and I just told you where to find it.

  9. #9
    Newbie
    Join Date
    Aug 2019
    Posts
    5

    Quote Originally Posted by sky-knight View Post
    They did, and I just told you where to find it.
    Sorry, you didn't.

    Let's say my internal interface is 192.168.1.1. I should have a place to say management of the Untangle appliance is on 192.168.1.254 (or whatever). All functions and services for management are then served from that address. No extra configuration needed.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,219

    Administration is limited to the white list in the box I just specified. Admin is technically available on every interface, but limited to the IP address you specified in the white list.

    No, it's not service isolation, but it also cannot be. Untangle only has 1 web server to work with, and it not only serves administration duty but block pages, and everything else. So what you're asking for is simply never going to happen, the nature of Untangle precludes it.
