4.3.1. Procedure – Configuring user and administrator login addresses

Purpose: 

You can configure two separate login addresses for accessing the web interface of PSM:

  • Web login for administrators and users: On this address, users can, depending on their access privileges, modify the configuration of PSM, and perform authentication-related activities (gateway authentication, 4-eyes authorization).

  • Web login for users only: The configuration of PSM cannot be viewed or altered from this address. Users (even ones with administrator privileges) can only perform gateway authentication and 4-eyes authorization.

Note

You can find more information about gateway authentication and 4-eyes authorization in Chapter 18, Advanced authentication and authorization techniques.

Both login addresses can be configured to restrict connections to a configured set of IP addresses only.

Note

Avoid using the IP address configured for administrator or user login on PSM when configuring HTTP or SSH connections.

The login addresses are, by default, protected against brute-force attacks: after five unsuccessful login attempts, all following attempts are denied for increasing periods of time. You can turn this off by deselecting the Protect against brute-force attacks option for the web login addresses.

By default, the Required minimum version of encryption protocol in the default web listener is TLS 1.2. It is not advised to use TLS 1.0 because there are known serious attacks against TLS (for details, see: https://tools.ietf.org/html/rfc7457).

Note

If you intend to use the deprecated Balabit Audit Player (BAP), you will have to configure this setting to TLS 1.0. It is strongly advised that you use Balabit Desktop Player (BDP) instead. For details, see Chapter 17, Replaying audit trails with Audit Player.

Steps: 

  1. Navigate to Basic Settings > Local Services > Web login.

    Figure 4.9. Basic Settings > Local Services > Web login — Configuring web login address

  2. In the Listening addresses field, choose .

  3. In the Address field, choose the IP address to use for connecting to PSM's user interface.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

  4. In the HTTP field, enter the port number for HTTP connections.

  5. In the HTTPS field, enter the port number for HTTPS connections.

  6. Optional step: To permit access to the PSM web interface only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients. Note that these settings do not affect the SSH access to PSM.

    Warning

    Permit administrative access to PSM only from trusted networks. If possible, monitored connections and administrative access to the PSM web interface should originate from separate networks.

    After committing the changes, the web interface will be available only from the configured subnets or IP addresses.

    Use an IPv4 address.

  7. Recommended: configure a separate login address for user connections in Web login (user only). The configuration settings of PSM cannot be viewed or modified from this address.

  8. Click .
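
The following Python check is an added example, not part of PSM or its documentation. It reviews a planned Restrict clients list before you commit it: it reports entries that are not valid IPv4, entries that overlap the networks carrying monitored connections, unusually broad entries, and administrator workstations that would lose access to the web interface. The function name, the 1024-address threshold, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

def review_restrict_clients(entries, admin_hosts, monitored_nets, max_addresses=1024):
    """Check a planned 'Restrict clients' list before committing it.

    entries        -- (address, netmask) pairs as typed into the form
    admin_hosts    -- workstations that must keep web access
    monitored_nets -- networks carrying monitored connections
    max_addresses  -- assumed size above which an entry is reported as broad
    Returns a list of (finding, subject) tuples; empty means no findings.
    """
    findings, allowed = [], []
    monitored = [ipaddress.ip_network(n) for n in monitored_nets]
    for addr, mask in entries:
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append(("invalid", f"{addr}/{mask}"))
            continue
        if net.version != 4:  # the procedure requires an IPv4 address
            findings.append(("not-ipv4", str(net)))
            continue
        allowed.append(net)
        if net.num_addresses > max_addresses:
            findings.append(("broad", str(net)))
        # Administrative access and monitored connections should come
        # from separate networks, so any overlap is reported.
        if any(net.overlaps(m) for m in monitored):
            findings.append(("overlaps-monitored", str(net)))
    # An administrator host outside every allowed entry is locked out
    # of the web interface once the change is committed.
    for host in admin_hosts:
        if not any(ipaddress.ip_address(host) in net for net in allowed):
            findings.append(("admin-locked-out", host))
    return findings

# Constructed sample values, not taken from any real deployment.
PLANNED = [
    ("10.10.5.0", "255.255.255.0"),
    ("192.168.0.0", "255.255.0.0"),
    ("2001:db8::", "32"),
    ("10.20.0.7", "255.255.255.255"),
]
ADMIN_HOSTS = ["10.10.5.23", "10.30.1.4"]
MONITORED = ["192.168.40.0/24"]

if __name__ == "__main__":
    for finding, subject in review_restrict_clients(PLANNED, ADMIN_HOSTS, MONITORED):
        print(f"{finding}: {subject}")
```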