Question OpenEdge Management IP Address Lockdown

Cecil

19+ years progress programming and still learning.
Within OpenEdge Management you can specify a comma-separated list of IP addresses to allow access to the Management Interface.

Does anybody know if you can supply an IP address range/block, i.e. 192.168.1.0/25? I don't want to shoot myself in the foot and try it out, just in case I screw up my access list and inadvertently lock myself out of OpenEdge Management.
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
I don't know.

Do you have logical access to the machine that runs OEM? Do you know the addresses of the hosts that currently do have and should have remote access to OEM?
 

Cecil

19+ years progress programming and still learning.
We've set up a two-way VPN tunnel to our VPS in the cloud, which has OE installed. Before the VPN tunnel was created, the IP address set in the access list was that of our public WAN IP address on the firewall. Now that the tunnel has been put in place, we want to specify a range of IP addresses which are located on our LAN.
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
If you have a PSDN license you can install OEM on a PC, enter an access network address in CIDR notation, then try to access it from another PC on the same LAN segment that is outside of that address range. Or you could just call TS and ask them. :)
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
Have you tried specifying a comma-delimited list of IP addresses under "Trusted clients" instead of a network address?
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
According to the docs it looks like it should be possible to do what you want, assuming I'm looking in the right place. It says:
> Under HTTP Configuration, type the name of one or more trusted clients in the Trusted clients field. If you type more than one trusted client, use a comma-delimited list.
>
> You can identify trusted clients by machine name, subnet, or IP address.

This is from the 11.3 OEM/OEE Getting Started manual.
 

mollyfud

Member
Of course if you really think this would be a good feature to add you could suggest it as an Idea/Enhancement in the new Ideas section of the Progress Community.
Details on how are available here.
 

Cecil

19+ years progress programming and still learning.
> Have you tried specifying a comma-delimited list of IP addresses under "Trusted clients" instead of a network address?

I knew I could have a list of IP addresses, it's that I did not want to enter every possible combination of IP address on our LAN network.
 

Cecil

19+ years progress programming and still learning.
> Of course if you really think this would be a good feature to add you could suggest it as an Idea/Enhancement in the new Ideas section of the Progress Community.
> Details on how are available here.

Hi Molly, I would suggest an enhancement to the Progress Community, however I feel that the members of the "Ideas & Enhancement" committee are actually not very proactive about any of the ideas suggested. :( There's little or no feedback from Progress on whether or not any suggestion would be implemented.

I think there is even a thread requesting an improvement of the Progress Community forum on getting regular status updates on ideas suggested.

When I have a spare 20 minutes to articulate a statement of what enhancement I would like to see in future releases, I might post one. :)
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
> Hi Molly, I would suggest an enhancement to the Progress Community, however I feel that the members of the "Ideas & Enhancement" committee are actually not very proactive about any of the ideas suggested. :( There's little or no feedback from Progress on whether or not any suggestion would be implemented.
>
> I think there is even a thread requesting an improvement of the Progress Community forum on getting regular status updates on ideas suggested.
>
> When I have a spare 20 minutes to articulate a statement of what enhancement I would like to see in future releases, I might post one. :)

The docs also say you can enter a subnet rather than a list of IP addresses. So if you've tried it and it doesn't work I'd consider it a bug, not a cause for submitting an enhancement request. Talk to tech support about it. Unlike product management, they're obliged to respond. :)
 

Cecil

19+ years progress programming and still learning.
Can't specify a Subnet.

Update FAILED with 1 error(s):
1. Problems with one or more web server trusted clients: illegal address format, each subnet component must be a number: 192.168.1.0/255
 

mollyfud

Member
Is that the number you entered? It seems from the OEM/OEE Getting started guide that you should be able to use a wildcard:
"A wildcard dot-formatted address string (for example, 123.123.123.*)"

Does this work?

Molly
PS. And you said product management doesn't listen to Ideas! They implemented this one before you even entered it! Can't get quicker than that! ;-) (Joking, of course)
 

Cecil

19+ years progress programming and still learning.
> Is that the number you entered? It seems from the OEM/OEE Getting started guide that you should be able to use a wildcard:
> "A wildcard dot-formatted address string (for example, 123.123.123.*)"
>
> Does this work?

Nope, that does not work either.

Update FAILED with 1 error(s):
1. Problems with one or more web server trusted clients: illegal address format, each subnet component must be a number: 192.168.1.?

***** Fathom configuration was not updated. *****
 

mollyfud

Member
Hmmmm......Worked for me! What release are you on? And, silly question, did you use the * as the wildcard? (only ask as it's missing from the error message)
 

Cecil

19+ years progress programming and still learning.
> Hmmmm......Worked for me! What release are you on? And, silly question, did you use the * as the wildcard? (only ask as it's missing from the error message)

Weird, the first time I think I used a '?' instead of a '*' ??? I don't know what I was thinking. It's working though.
 

Rob Fitzpatrick

ProgressTalk.com Sponsor
> It seems from the OEM/OEE Getting started guide that you should be able to use a wildcard:
> "A wildcard dot-formatted address string (for example, 123.123.123.*)"

That's a strange way to specify subnets, given that the rest of the world uses CIDR notation in IPv4. The Progress wildcard notation assumes classful network addressing which isn't necessarily what you find in the real world.

Imagine for example that your network address is 192.168.100.64/27. So valid hosts on this subnet, excluding network and broadcast, are 100.65 to 100.94 inclusive. How do you specify that with wildcards? You don't. From the docs it seems the only option would be to enter 30 comma-separated IP addresses or host names, if that even fits in the field. Not terribly elegant.
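
Added example, not part of the original posts and not Progress code: a Python sketch that turns a CIDR block into a Trusted clients value using only the forms the thread shows working (single addresses and the `a.b.c.*` wildcard), and checks that a given client is still covered before the list is saved. The function names, the `MAX_ENTRIES` cap and the octet-by-octet matching in `allows` are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 256  # assumed cap; the field's real length limit is not stated in the thread

def trusted_clients(cidr: str) -> str:
    """Translate an IPv4 CIDR block into a comma-separated Trusted clients value."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects blocks with host bits set
    if net.version != 4:
        raise ValueError("IPv4 only: the thread reports that IPv6 entries fail")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 is *.*.*.*, which switches the filter off")
    if net.prefixlen <= 24:
        # Each whole /24 maps onto the documented a.b.c.* wildcard form.
        if 2 ** (24 - net.prefixlen) > MAX_ENTRIES:
            raise ValueError(f"{cidr} needs more than {MAX_ENTRIES} wildcard entries")
        return ",".join(
            str(block.network_address).rsplit(".", 1)[0] + ".*"
            for block in net.subnets(new_prefix=24))
    # Smaller than a /24: no wildcard fits, so list every usable host address.
    hosts = list(net.hosts()) or [net.network_address]  # /32 is a single host
    return ",".join(str(h) for h in hosts)

def allows(value: str, client_ip: str) -> bool:
    """Check a client against the list before saving it, to avoid a lockout.

    Assumed matching model: an entry matches when every octet is equal or '*'.
    Host-name entries are not resolved and never match here.
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    for entry in value.split(","):
        parts = entry.strip().split(".")
        if len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return True
    return False

if __name__ == "__main__":
    value = trusted_clients("192.168.100.64/27")  # the subnet from the post above
    print(value)
    print(allows(value, "192.168.100.70"), allows(value, "192.168.100.95"))
```

Running `allows` with the address of the workstation used to administer OEM, before pasting the value into the field, addresses the lockout concern raised in the first post.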
 

Cecil

19+ years progress programming and still learning.
You can also supply *.*.*.* which will invalidate any rule set.
 

zerovian

New Member
The wildcard addresses were added a long time ago. IPv6 is also broken since the filtering chokes when it hits more than 4 segments in the supplied IP address. You're better off setting up firewall rules if you want more than simple filtering.
 