OpenEdge 10.1c, Sun Solaris SPARC 64Bits.
Is it possible to configure the AppServer to accept only connections from localhost?
Thanks in advance and Best Regards,
Richard.
Sounds like a firewall thing rather than an AppServer thing.
You are right.
But I have to defend OpenEdge in an extremely hostile environment and the hellhounds (others would call them auditors) are on our trail. Simply because they don't know anything about Progress OpenEdge means that they rate the technology as not secure. We need to prove that an AppServer instance which runs on the same machine as the JSE does not accept any malicious connections which do not originate from the localhost. Plus, as is often the case, I've been told that other technologies spawning sockets are capable of doing that (don't know whether that is true or not).
Best Regards, Richard.
Plus, as is often the case, I've been told that other technologies spawning sockets are capable of doing that (don't know whether that is true or not).
Actually many socket listeners can set up the addresses they are listening to. That's sometimes helpful in a DMZ setup as well when there is more than one NIC in a server. The best I can think of for the Progress AppServer is the IP address it registers with at the name server. That's a broker setting - but to my knowledge that does not stop clients using the AppServerDC protocol to connect directly to them.
I'd ask tech support.
Or Paul Koufalis (http://progresswiz.com/) as he's frequently involved in security related projects.
mikefe wrote:
[snip]
I'd ask tech support.
Or Paul Koufalis (http://progresswiz.com/) as he's frequently involved in security related projects.
Only if he is awake, though ...
Thanks to all who replied. I will do that - ask Tech Support.
Thanks and Best Regards,
Richard.
Maybe you can try to set the hostName property in the ubroker.properties file directly... you can do it at the higher [UBroker] level, I guess.
Anyway, just a long shot... that's the closest thing that I think can relate to the 'bind' address; 0.0.0.0 could mean all... you can also try 'localhost' or '127.0.0.1' and see if it makes a difference.
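
Whichever setting is tried, the result can be shown to an auditor by checking which local address each listening socket is bound to. The following is an added example, not part of the original thread and not Progress code: it classifies LISTEN sockets from `netstat -an` output, and goes beyond the Solaris case discussed here by also reading Linux-style rows. The function names, the sample text and all port numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample: Solaris-style rows followed by Linux-style rows.
# Ports and addresses are invented, not real AppServer values.
SAMPLE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.3090               *.*                0      0 49152      0 LISTEN
127.0.0.1.3095             *.*                0      0 49152      0 LISTEN
192.0.2.10.3096            *.*                0      0 49152      0 LISTEN
127.0.0.1.3095       127.0.0.1.40112      49152      0 49152      0 ESTABLISHED
tcp        0      0 0.0.0.0:3097            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:3098                :::*                    LISTEN
"""

def scope_of(addr):
    """Classify a bind address: wildcard, loopback, or one specific address."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed:" + addr
    return "loopback" if ip.is_loopback else "address:" + addr

def listeners(netstat_text):
    """Return {port: set of scopes} for every LISTEN row in the output."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[-1] != "LISTEN":
            continue
        # Linux rows start with the protocol; Solaris rows start with the address.
        local = fields[3] if fields[0].startswith("tcp") else fields[0]
        # Solaris writes addr.port, Linux writes addr:port; split at the last one.
        idx = max(local.rfind("."), local.rfind(":"))
        addr, port = local[:idx], local[idx + 1:]
        if port.isdigit():
            found.setdefault(int(port), set()).add(scope_of(addr))
    return found

def loopback_only(netstat_text, port):
    """True only if the port is listening and every listener is on loopback."""
    scopes = listeners(netstat_text).get(port, set())
    return bool(scopes) and scopes == {"loopback"}

if __name__ == "__main__":
    for port, scopes in sorted(listeners(SAMPLE).items()):
        print(port, ", ".join(sorted(scopes)))
```

A port reported as `all-interfaces` or bound to a non-loopback address still accepts remote connections unless a host firewall blocks them, which is the case the first reply points at.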