Enabling Access from Additional Client Addresses

You can add clients to the list of authorized administrators by adding their IP addresses to the System_Manager parameter in the SYSTEM section of the configuration file. This parameter is a comma- or plus-separated list of clients (by IP address) that may access the Web Gateway management pages. The directive shown below grants access to three remote clients in addition to the default local access.

[SYSTEM]
System_Manager=190.8.7.6, 190.8.7.5, 190.8.7.4

For new Gateway installations where no local browser is available, manually edit the configuration file and add the System_Manager parameter. This parameter is equivalent to the Systems Manager Machines setting, found under the Default Parameters section of the Web Gateway management pages. You can specify wildcards and numeric ranges in the entries for this parameter.

Note:

If you attempt to load the Web Gateway management pages and the browser fails to load the page with the error "You are not authorized to use this facility", the likely cause is that the System_Manager setting is blocking access from your IP address.

The following example indicates that the last part of the IP address can take the value of a number between 4 and 6 inclusive.

[SYSTEM]
System_Manager=190.8.7.4-6

The previous example is a more convenient way of writing:

[SYSTEM]
System_Manager=190.8.7.6, 190.8.7.5, 190.8.7.4

You can also use wildcards, as in this example:

[SYSTEM]
System_Manager=190.8.7.*

The following directive grants access to all clients:

[SYSTEM]
System_Manager=*.*.*.*

However, it is not recommended to use such a directive on operational systems; this approach does not provide strong security, because client IP addresses can be spoofed.

The use of a proxy between the client and the web server/Gateway installation effectively translates all client IP addresses to that of the proxy. In this scenario, you would have to either specify the proxy’s IP address as a Gateway Systems Manager (which would effectively grant access to all web users coming in through the proxy) or, preferably, enable the designated systems managers to bypass the proxy layer altogether.

The IP-based scheme, while useful as a first line of defense, should not be relied upon as the sole means through which access to the Web Gateway management pages is controlled – certainly not for CSP installations that are available over the internet. For production systems, it is recommended that you use the hosting web server configuration to control access to the Web Gateway systems management modules.
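
The following Python audit is an added example, not part of the product documentation: it reads the System_Manager entries from a configuration file's [SYSTEM] section and reports how many addresses each entry authorizes. It assumes each of the four octets is a number, an inclusive range such as 4-6, or *, as in the examples on this page; the function names, the 16-address threshold and the sample file are choices made for this example.

```python
import math
import re

def system_manager_entries(ini_text):
    """Return the System_Manager entries found in the [SYSTEM] section."""
    section, entries = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif section == "SYSTEM" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "system_manager":
                # The list is comma- or plus-separated.
                entries += [e.strip() for e in re.split(r"[,+]", value) if e.strip()]
    return entries

def entry_octets(entry):
    """Expand an entry into four ranges of permitted octet values (assumed syntax)."""
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {entry!r}")
    ranges = []
    for part in parts:
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if part == "*":
            lo, hi = 0, 255
        elif m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        else:
            raise ValueError(f"unrecognised octet pattern: {part!r}")
        if lo > hi or hi > 255:
            raise ValueError(f"octet out of range: {part!r}")
        ranges.append(range(lo, hi + 1))
    return ranges

def entry_allows(entry, client_ip):
    """True if client_ip (dotted IPv4) falls inside the entry's pattern."""
    octets = [int(o) for o in client_ip.split(".")]
    return len(octets) == 4 and all(o in r for o, r in zip(octets, entry_octets(entry)))

def audit(ini_text, max_addresses=16):
    """Return (entry, addresses_covered, too_broad) for each entry."""
    sizes = [(e, math.prod(len(r) for r in entry_octets(e))) for e in system_manager_entries(ini_text)]
    return [(e, n, n > max_addresses) for e, n in sizes]

# Constructed sample using the patterns shown on this page.
SAMPLE = "[SYSTEM]\nSystem_Manager=190.8.7.4-6, 190.8.7.*, *.*.*.*\n"
```

Calling audit(SAMPLE) flags the two wildcard entries and passes the three-address range; entry_allows can be used to check whether a given client address is covered when the management pages return the not-authorized error.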
