See also my follow-up (already sent).

Gordon

----- Forwarded message from Jason Miller <jay@e-smith.com> -----

From: Jason Miller <jay@e-smith.com>
To: Charlie Brady <charlieb@e-smith.com>
cc: support@e-smith.com, security@e-smith.com
Subject: Re: [TT20010919001] VPN Security?
Date: Wed, 19 Sep 2001 14:22:21 -0400 (EDT)
X-Sender: jay@fettuccine.e-smith.e-smith.net
X-Otto: security TT20010919001 update
Content-Length: 3023

On Wed, 19 Sep 2001, Charlie Brady wrote:

> 
> On Wed, 19 Sep 2001, Brandon Friedman wrote:
> 
> > Gordon Rowell <gordonr@e-smith.com> said:
> >
> > > > Gordon Rowell <gordonr@e-smith.com> said:
> > > > > [...]
> > > > > Upgrade to SME Server V5, which has SSL access to the manager. By
> > default
> > > > > this is restricted to the local network(s), but you can also supply a
> > > > > list of external IP addresses.
> > > >
> >
> > We just received our fedex with SME server CDs. I setup the server -
> >
> > Do I  enable ssh for public access?
> > How do I then access the March Manager externally? What port do I specify in
> > my browser?
> 
> Brandon, I'm forwarding your mail to support@e-smith.com, as these are
> specific support questions, and not reports of suspected security
> vulnerabilities in the product.

[removed Brandon from addresses for internal discussion if required]

The answer is shown below.  I guess this will need to be on the .org
site as well considering it's a new product feature:

The SSL manager support currently has no server manager mechanism for
enabling.  It is strictly a command-line driven process.  Later versions
should address it to be configurable from the server manager.

To enable SSL manager support from the command line:

# Enable httpd-admin for public access
/sbin/e-smith/db configuration setprop httpd-admin access public

# Enable httpd-admin with a list of valid addresses
# (ValidFrom is a property of the httpd-admin record, so the key must be given)
/sbin/e-smith/db configuration setprop httpd-admin ValidFrom IP/Subnet[,IP/Subnet]

# Expand httpd templates
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

# Graceful restart apache
/etc/e-smith/events/actions/restart-httpd-graceful

Examples of ValidFrom addresses:

# This allows access from all of the subnet for e-smith, inc.
/sbin/e-smith/db configuration setprop httpd-admin ValidFrom 64.26.145.88/255.255.255.248

# This allows a specific IP
/sbin/e-smith/db configuration setprop httpd-admin ValidFrom 64.26.145.90

# This allows multiple addresses
/sbin/e-smith/db configuration setprop httpd-admin ValidFrom 128.114.200.75/255.255.255.0,64.26.145.88/255.255.255.248

Of course, these are real world addresses (incl. e-smith ones) so it's
probably not a good idea to use those in the examples should this be
posted to e-smith.org - don't need everybody knowing there are a whole
bunch of e-smith machines besides mail.e-smith.com :>


[results on two different machines]
[root@rameses jay]# /sbin/e-smith/db configuration get httpd-admin
service|InitscriptOrder|86|ValidFrom|64.26.145.88/255.255.255.248|access|public|status|enabled

[root@napolean jay]# /sbin/e-smith/db configuration get httpd-admin
service|InitscriptOrder|86|ValidFrom|128.114.200.75/255.255.255.0,64.26.145.88/255.255.255.248|access|public|status|enabled

Jay

> 
> Regards
> 
> 

-- 
Jason D. Miller                         E-mail: jmiller@e-smith.com
Senior Software Developer               Phone:  +1 613.368.4387
Network Server Solutions Group          Fax:    +1 613.564.7739
Mitel Networks Corporation              http://www.e-smith.com


----- End forwarded message -----
  Gordon Rowell                        gordonr@e-smith.com
  VP Engineering
  Network Server Solutions Group       http://www.e-smith.com
  Mitel Networks Corporation           http://www.mitel.com
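The following is an added example, not part of the thread above and not e-smith's own code. It parses the pipe-delimited record that `/sbin/e-smith/db configuration get httpd-admin` prints (the `type|prop|value|prop|value...` shape shown in Jay's output), validates each `ValidFrom` entry as `IP` or `IP/NETMASK`, and refuses to call the record "safe" when `access` is `public` but `ValidFrom` is missing or malformed, which is the check worth running before expanding the httpd templates. The db path and property names are taken from the thread; the sample record is constructed and uses RFC 5737 documentation addresses in place of the real ones Jay asked not to publish.

```shell
#!/bin/sh
# Added example: parse an e-smith "db" record and check the httpd-admin
# exposure before expand-template / restart-httpd-graceful is run.
# SAMPLE_RECORD is constructed; its shape follows the thread's db output,
# the addresses are RFC 5737 documentation ranges.

SAMPLE_RECORD='service|InitscriptOrder|86|ValidFrom|192.0.2.0/255.255.255.248,198.51.100.10|access|public|status|enabled'

# db_prop RECORD PROP: print the value of PROP from a "type|prop|value|..." record.
# Returns 1 when PROP is not present.
db_prop() {
    record=$1
    want=$2
    rest=${record#*|}                 # drop the leading type field ("service")
    while [ -n "$rest" ]; do
        prop=${rest%%|*}
        rest=${rest#"$prop"}; rest=${rest#|}
        value=${rest%%|*}
        rest=${rest#"$value"}; rest=${rest#|}
        if [ "$prop" = "$want" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
    addr=$1
    [ -n "$addr" ] || return 1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty octets
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_entry ENTRY: 0 if ENTRY is "IP" or "IP/NETMASK", the two forms used in the thread.
valid_entry() {
    case $1 in
        */*) valid_ipv4 "${1%%/*}" && valid_ipv4 "${1#*/}" ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# valid_validfrom LIST: 0 if LIST is non-empty and every comma-separated entry is valid.
valid_validfrom() {
    list=$1
    [ -n "$list" ] || return 1
    oldifs=$IFS; IFS=,
    set -- $list
    IFS=$oldifs
    for e in "$@"; do
        valid_entry "$e" || return 1
    done
    return 0
}

# check_httpd_admin RECORD: 0 if the manager is not public, or is public
# with a well-formed ValidFrom list; 1 (with a warning) otherwise.
check_httpd_admin() {
    access=$(db_prop "$1" access) || access=
    if [ "$access" != "public" ]; then
        echo "httpd-admin access is '${access:-unset}': not exposed externally"
        return 0
    fi
    vf=$(db_prop "$1" ValidFrom) || vf=
    if valid_validfrom "$vf"; then
        echo "httpd-admin public, restricted to: $vf"
        return 0
    fi
    echo "WARNING: httpd-admin is public but ValidFrom is missing or malformed: '$vf'" >&2
    return 1
}

# On an SME server read the live record; elsewhere fall back to the constructed sample.
if [ -x /sbin/e-smith/db ]; then
    check_httpd_admin "$(/sbin/e-smith/db configuration get httpd-admin)"
else
    check_httpd_admin "$SAMPLE_RECORD"
fi
```

Running this after the `setprop` calls and before `expand-template` catches the case Jay's procedure makes easy to get wrong: `access` set to `public` with no `ValidFrom` list (or one with a typo), which would expose the manager to everyone rather than to the listed addresses.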


