Buscar

How do I restrict which computers (hosts) are allowed to access the agent console and end-user pages?

Environment:

Configuration Settings
Oracle B2C Service, All versions including Browser User Interface (BUI)

Resolution:

The SEC_VALID_ADMIN_HOSTS  setting defines which hosts are allowed to access the agent console. Only users logging in from hosts matching entries in this list are allowed access to the agent console. 

Important!  Use caution when editing this setting. An incorrect setting (i.e. an incorrect IP address) may lock you out of your site. If this happens, submit a service request to Pregunta al Soporte Técnico.  Also, Oracle B2C Service uses a tool to monitor the uptime of your end user pages.  This tool will not function if you restrict your enduser pages by IP address - if you want B2C Service Technical Support to be monitoring your site with this tool, you will need to add Oracle IP ranges to the configuration.  Please submit a service request to get the needed configuration values.

In addition, the SEC_VALID_ENDUSER_HOSTS configuration setting works similarly but with respect to accessing the end-user pages at https://<vhost>/. Only users logging in from hosts matching entries listed in this setting are allowed access to the end-user pages.

You can edit the SEC_INVALID_ENDUSER_HOSTS configuration setting to explicitly list which hosts are not allowed to access the end-user interface.  

Path to edit settings is: Select Configuration > Site Configuration > Configuration Settings > search by Key.

For more information on accessing the Configuration Editor and editing settings, refer to Answer ID 1960: Editing Configuration SettingsAnswer ID 1960: Editing Configuration Settings.

Valid entries to these settings include (in a comma separated list) domain names with wildcards (*.mycompany.com), or single IPv4 and or IPv6  addresses (216.136.229.72), (FE80:0000:0000:0000:0202:B3FF:FE1E:8329 or FE80::::0202:B3FF:FE1E:8329) and or IPv4 or IPv6 address ranges defined using standard CIDR (Classless Interdomain Routing) Notation.

For IPv4, use subnet masks such as (216.136.229.0/255.255.255.0) to specify ranges.  

For IPv6 ranges are specified as follows: 2620:0:860:2::/64

Instead of, or in addition to, an IP address range, a domain may be entered. This should be included at the end of the list of IP addresses.

Example: 216.136.229.72, 216.136.229.0/255.255.255.0, *.domain.com

Note: When using a domain name, a network operation must execute a DNS reverse lookup. This will result in connection delays and may induce a noticeable performance degradation of the Oracle B2C Service Application. Whenever possible, please refrain from using a domain name.

Additional Notes:

• You cannot use wildcards (*) to specify a range of IP addresses, i.e. 1.2.3.* or 1.2.3*.
   
• When specifying IP address ranges use only standard CIDR notation.
   
• It is possible to specify a comma separated list of the above values, such as:
  • Example: 216.136.229.72, 216.136.229.0/255.255.255.0
     

• The use of hard returns is not permitted in these configuration settings. Any entries after a hard-return are not recognized.

  Good example: 1.2.3.4, 1.2.3.5, 1.2.3.6

  Bad example: 1.2.3.4,
  1.2.3.5,
  1.2.3.6

To determine your IP, visit https://cx.rightnow.com/app/utils/whatsmyip. Private IP addresses such as 192.168.0.0, 10.0.0.0, or 172.16.0.0 may not be used in this setting.

Additional Considerations

Modifying the SEC_VALID_ADMIN_HOSTS setting limits your exposure from somebody hacking into the administrative side of the product from another network. It also limits your ability to administrate your application from outside your corporate network. However, there are options available that would allow access into the admin side of the Oracle B2C Service application. These options and their pros and cons are outlined below:

	Option: List the IP subnets of the Admin’s ISP in the Valid Admin Host settings. Pros: This allows access from the Admin’s home dial-up or high-speed provider. Cons: The ISP may have multiple IP subnets, or they may change IP numbers without your knowledge. Every subnet listed gives hackers greater chance of access.
	Option: Dial-in access to your corporate network. Pros: As long as the corporate dial-in is allowed Internet access with the correct IP subnet, This approach should work. Cons: Not all corporations allow dial-in access.
	Option: Use a product such as PC Anywhere or Windows Terminal Server to remotely control your corporate desktop PC from home. Pros: This approach may be a bit slow, but this should work. Cons: This is subject to the corporate IS policy on the remote control of PCs. Most corporations do not allow this.
	Option: Set up VPN access to the corporate network which allows Internet access out of the corporate firewall. Pros: This is probably the most secure method of access. Cons: Requires the VPN software and equipment necessary, and support from the corporate IS group.
	Option: Set up a proxy server inside the corporate firewall to forward HTTP protocol out to the Internet. Pros: A forward proxy acts a gateway for a client's browser, sending HTTP requests on the client's behalf to the Internet. When the Oracle HTTP server receives the request, it sees the requestor's address as originating from the proxy server on the corporate network, not from the actual client. Cons: This approach needs to be combined with VPN access to provide best security. The corporate IS group would need to configure the proxy server.

Si tiene preguntas sobre qué genera una sesión y cómo puede evitar la facturación inexacta de la sesión en su sitio por favor consulte Demystifying Session Usage (PDF). Algunos simples errores en la personalización y configuración pueden incrementar las sesiones facturables. Para más información, ver Información de Uso de Sesión.