10-11
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 10 Setting Up and Managing Administrators and Policy
Access Policy
– Reject connections from listed IP addresses—Allow remote access to the HTML interface only from IP addresses outside the address range(s) specified in the IP Address Ranges table.
• IP Address Ranges—The IP Address Ranges table contains ten rows for configuring IP address ranges. The ranges are always inclusive; that is, a range includes both its start and its end IP address. The two IP addresses that define a range must differ only in the last octet (Class C format), so a single row can cover at most 256 addresses; a larger block of addresses needs more than one row.
The IP Address Ranges table contains one column for each of the following boxes:
– Start IP Address—Defines the lowest IP address of the range specified in the current row.
– End IP Address—Defines the highest IP address of the range specified in the current row.
• HTTP Port Allocation—Contains the following options for configuring the TCP ports used for remote access to the HTML interface.
– Allow any TCP ports to be used for Administration HTTP Access—Allow the ports used by administrative HTTP sessions to include the full range of TCP ports.
– Restrict Administration Sessions to the following port range From Port x to Port y—Restrict the ports used by administrative HTTP sessions to the range specified in the x and y boxes, inclusive. Each administrative session occupies one port, so the size of the range (y − x + 1 ports) determines the maximum number of concurrent administrative sessions.
A firewall configured to permit HTTP traffic over the Cisco Secure ACS administrative port range must also permit HTTP traffic through TCP port 2002, because this is the port a remote web browser must access to initiate an administrative session; the session itself is then carried on a port from the configured range.
Note We do not recommend allowing administration of Cisco Secure ACS from outside a firewall. If you do choose to allow remote access to the HTML interface from outside a firewall, keep the HTTP port range as narrow as possible. This helps prevent accidental discovery of an active administrative port by unauthorized users. An unauthorized user would then have to impersonate, or “spoof,” the IP address of a legitimate remote host to make use of the active administrative session HTTP port. Use the IP Address Ranges restriction together with the port restriction and the firewall, not in place of them: address filtering limits exposure of the HTML interface but does not authenticate the remote host.
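As an added example (this is not Cisco code and does not appear in the guide), the following Python models the Access Policy semantics described above: validating a row of the IP Address Ranges table (addresses must differ only in the last octet, ranges are inclusive), deciding whether a remote browser address is permitted under the Reject connections from listed IP addresses option and its assumed allow-only-listed counterpart, and deriving the session limit and the firewall ports (2002 plus the configured range) that follow from the HTTP Port Allocation settings. The function names, mode labels and sample addresses are assumptions made for the example.

```python
import ipaddress

# Added example modelling the Cisco Secure ACS Access Policy page. This is
# not Cisco code; the function names, mode labels and sample rows are
# assumptions made for the example.

TABLE_ROWS = 10            # the IP Address Ranges table has ten rows
INITIAL_ADMIN_PORT = 2002  # port a browser contacts to start an admin session

MODE_ALLOW_LISTED = "allow_listed"    # assumed counterpart of the option below
MODE_REJECT_LISTED = "reject_listed"  # "Reject connections from listed IP addresses"


def validate_range(start: str, end: str) -> tuple[int, int]:
    """Check one row of the IP Address Ranges table and return its integer bounds.

    Rules from the guide: the two addresses may differ only in the last octet
    (Class C format) and the range includes both start and end.
    """
    s = ipaddress.IPv4Address(start)
    e = ipaddress.IPv4Address(end)
    if s.packed[:3] != e.packed[:3]:
        raise ValueError(f"{start}-{end}: addresses may differ only in the last octet")
    if s > e:
        raise ValueError(f"{start}-{end}: start address is higher than end address")
    return int(s), int(e)


def row_is_valid(start: str, end: str) -> bool:
    """True if validate_range() would accept the row (bad syntax counts as invalid)."""
    try:
        validate_range(start, end)
    except ValueError:  # AddressValueError is a subclass of ValueError
        return False
    return True


def build_policy(rows: list[tuple[str, str]], mode: str) -> dict:
    """Assemble the remote-access policy from table rows and the chosen mode."""
    if mode not in (MODE_ALLOW_LISTED, MODE_REJECT_LISTED):
        raise ValueError(f"unknown mode {mode!r}")
    if len(rows) > TABLE_ROWS:
        raise ValueError(f"the table holds at most {TABLE_ROWS} rows")
    return {"mode": mode, "ranges": [validate_range(a, b) for a, b in rows]}


def is_listed(policy: dict, client_ip: str) -> bool:
    """True if client_ip falls inside any configured (inclusive) range."""
    n = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= n <= hi for lo, hi in policy["ranges"])


def admin_access_permitted(policy: dict, client_ip: str) -> bool:
    """Decide whether a remote browser at client_ip may reach the HTML interface."""
    listed = is_listed(policy, client_ip)
    if policy["mode"] == MODE_ALLOW_LISTED:
        return listed
    return not listed  # reject-listed: only addresses outside the table are allowed


def max_concurrent_sessions(port_from: int, port_to: int) -> int:
    """Session limit implied by 'Restrict Administration Sessions ... From Port x to Port y'."""
    if not 1 <= port_from <= port_to <= 65535:
        raise ValueError("port range must satisfy 1 <= x <= y <= 65535")
    return port_to - port_from + 1  # one port per session, inclusive range


def firewall_ports_required(port_from: int, port_to: int) -> list[int]:
    """TCP ports a firewall must pass to the ACS host: 2002 plus the session range."""
    max_concurrent_sessions(port_from, port_to)  # reuse the range validation
    return sorted({INITIAL_ADMIN_PORT, *range(port_from, port_to + 1)})


if __name__ == "__main__":
    # Constructed sample table: two rows, reject-listed mode.
    policy = build_policy(
        [("10.1.1.10", "10.1.1.20"), ("192.168.5.0", "192.168.5.255")],
        MODE_REJECT_LISTED,
    )
    for ip in ("10.1.1.15", "10.1.1.21", "192.168.5.255"):
        print(ip, "permitted" if admin_access_permitted(policy, ip) else "rejected")
    print("max sessions for ports 2003-2012:", max_concurrent_sessions(2003, 2012))
    print("firewall must permit:", firewall_ports_required(2003, 2005))
```

The end address is compared with `<=`, which is what makes the ranges inclusive; the octet check compares the first three bytes of the packed address rather than string prefixes, so `10.1.1.x` and `10.1.10.x` are correctly told apart.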