Restricting Computers Or Hosts That Can Access the Oracle Service Cloud Console and End-User
Restricting computers or hosts that can access the Oracle Service Cloud console and end-user pages

Answer ID 245 | Last Review Date 07/16/2015

How do I restrict which computers (hosts) are allowed to access the administration console and end-user pages?

ENVIRONMENT: Configuration Settings

RESOLUTION:
The SEC_VALID_ADMIN_HOSTS setting defines which hosts are allowed to access the administration interface (agent console). Only users logging in from hosts matching entries in this list are allowed access to the administration interface (agent console).

Important! Use caution when editing this setting. An incorrect setting (i.e. an incorrect IP address) may lock you out of your site. If this happens, msgtool must be run to blank out the setting value to restore access.

In addition, the SEC_VALID_ENDUSER_HOSTS configuration setting works similarly but with respect to accessing the end-user pages. Only users logging in from hosts matching entries listed in this setting are allowed access to the end-user pages. You can edit the SEC_INVALID_ENDUSER_HOSTS configuration setting to explicitly list which hosts are not allowed to access the end-user interface.

Valid entries to these settings include domain names with wildcards (*.mycompany.com), or specific IP addresses (216.136.229.72), or IP subnet masks (216.136.229.0/255.255.255.0). You cannot use wildcards with IP addresses, just domain names. When specifying a subnet mask or range of hosts, the /255.255.255.0 component indicates that you mean to allow all possible values for the entire 216.136.229.x range of addresses.

Note: For February 2013 and older releases, CIDR (Classless Inter-Domain Routing) notation of an IP address will NOT work in this configuration setting and will nullify your existing entries (example: 216.136.229.1/24). You cannot use wildcards (*) to specify a range of IP addresses, i.e. 1.2.3.* or 1.2.3*.
It is also possible to specify a comma separated list of the above values, such as: 216.136.229.72, 216.136.229.0/255.255.255.0
Instead of or in addition to an IP address range, a domain may be entered and should be included at the end of the list of IP addresses:
216.136.229.72, 216.136.229.0/255.255.255.0, *.domain.com
Note: When using a domain name, a network operation must execute a DNS reverse lookup. This will result in connection delays and may induce a noticeable performance degradation of the Service Cloud Application. Whenever possible, please refrain from using a domain name.

Path to edit setting, dependent on your version:

In August 2012 and newer versions: Select Configuration > Site Configuration > Configuration Settings. For more information, refer to Answer ID 5453: Oracle Service Cloud August 2012 Editing configuration settings.

In November 2011 through May 2012: Select Configuration > Site Configuration > Configuration Settings.

In May 2010 through August 2011: Select Configuration > Site Configuration > Settings.

In February '08 through February 2010 releases: Select the Common navigation button and select System Configuration > Settings.

then...
Common > Heading: General > Sub-heading: Security

After editing the Value field, click Update. If necessary, click another setting, edit the Value field and click Update. When finished editing, click Commit and Exit to register your changes.
For more information on accessing the Configuration Editor and editing settings, refer to Answer ID 1960: Editing Configuration Settings.
Note: To determine your IP, visit https://cx.rightnow.com/app/utils/whatsmyip. Private IP addresses such as 192.168.0.0, 10.0.0.0, or 172.16.0.0 may not be used in this setting.
If you edit this setting to restrict access, we recommend that you include entries that will allow the Oracle Service Cloud Technical Support staff access to your site for troubleshooting purposes. If your site is on version 8.0 or higher, add the following IPs in your comma separated list: 208.72.89.0/255.255.254.0, 199.167.175.0/255.255.255.0, 160.34.86.0/255.255.254.0, 160.34.88.0/255.255.248.0, 160.34.104.0/255.255.248.0, 160.34.110.0/255.255.254.0, 160.34.112.0/255.255.240.0, 148.87.67.0/255.255.255.0
Note: The use of hard returns is not permitted in these configuration settings. Any entries after a hard-return are not recognized.

Good example:
1.2.3.4, 1.2.3.5, 1.2.3.6

Bad example:
1.2.3.4,
1.2.3.5,
1.2.3.6
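An added example, not part of the original Oracle answer: a pre-commit check in Python that applies the entry rules above to a proposed value and, given your own public IP, reports whether committing it would lock you out. The function name, its parameters and the treatment of a blank list as unrestricted are assumptions; it does not reproduce how Oracle Service Cloud itself parses the setting.

```python
import ipaddress

def check_host_list(value, my_ip=None, legacy_release=True):
    """Return a list of problems in a proposed SEC_VALID_*_HOSTS value (IPv4 only)."""
    problems, nets, domains = [], [], []
    lines = value.splitlines() or [""]
    if len(lines) > 1:
        problems.append("hard return: entries after it are not recognized")
    # Only the text before the first hard return takes effect.
    for entry in (e.strip() for e in lines[0].split(",")):
        if not entry:
            continue
        if any(c.isalpha() for c in entry):
            domains.append(entry)  # e.g. *.mycompany.com (needs reverse DNS)
            continue
        if domains:
            problems.append(f"{entry}: domains should come after all IP entries")
        if "*" in entry:
            problems.append(f"{entry}: wildcards are not allowed in IP addresses")
            continue
        _, _, mask = entry.partition("/")
        if mask and "." not in mask and legacy_release:
            problems.append(f"{entry}: CIDR notation nullifies the list on "
                            "February 2013 and older releases")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not a valid IP address or IP/netmask")
            continue
        if net.is_private:
            problems.append(f"{entry}: private addresses may not be used")
            continue
        nets.append(net)
    # Lockout check. Assumption: a blank list restricts nobody. Domain entries
    # cannot be evaluated offline, so only flag when the list is IP-only.
    if my_ip and nets and not domains:
        if not any(ipaddress.ip_address(my_ip) in n for n in nets):
            problems.append(f"{my_ip}: not covered, committing would lock you out")
    return problems

if __name__ == "__main__":
    # Constructed sample values built from the addresses used on this page.
    proposed = "216.136.229.72, 216.136.229.0/255.255.255.0"
    for admin_ip in ("216.136.229.10", "216.136.230.5"):
        print(admin_ip, check_host_list(proposed, my_ip=admin_ip) or "OK")
```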
Additional Considerations
Modifying the SEC_VALID_ADMIN_HOSTS setting limits your exposure to somebody hacking into the administrative side of the product from another network. It also limits your ability to administer your application from outside your corporate network. However, there are options available that would allow access into the admin side of the Oracle Service Cloud application. These options and their pros and cons are outlined below:

Option: List the IP subnets of the Admin’s ISP in the Valid Admin Host settings.
Pros: This allows access from the Admin’s home dial-up or high-speed provider.
Cons: The ISP may have multiple IP subnets, or they may change IP numbers without your knowledge. Every subnet listed gives hackers a greater chance of access.
Option: Dial-in access to your corporate network.
Pros: As long as the corporate dial-in is allowed Internet access with the correct IP subnet, this approach should work.
Cons: Not all corporations allow dial-in access.
Option: Use a product such as PC Anywhere or Windows Terminal Server to remotely control your corporate desktop PC from home.
Pros: This approach may be a bit slow, but this should work.
Cons: This is subject to the corporate IS policy on the remote control of PCs. Most corporations do not allow this.
Option: Set up VPN access to the corporate network which allows Internet access out of the corporate firewall.
Pros: This is probably the most secure method of access.
Cons: Requires the VPN software and equipment necessary, and support from the corporate IS group.
Option: Set up a proxy server inside the corporate firewall to forward HTTP protocol out to the Internet.
Pros: A forward proxy acts as a gateway for a client's browser, sending HTTP requests on the client's behalf to the Internet. When the Oracle HTTP server receives the request, it sees the requestor's address as originating from the proxy server on the corporate network, not from the actual client.
Cons: This approach needs to be combined with VPN access to provide best security. The corporate IS group would need to configure the proxy server.