1-19
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter1 Overview of Cisco Secure ACS AAA Server Functions and Concepts
You can access the HTML interface from computers other than the
Cisco Secure ACS server. This enables remote administration of
Cisco Secure ACS. For more information about the HTML interface, including
steps for accessing the HTML interface, see the “Cisco Secure ACS HTML
Interface” section on page 1-21.
HTTP Port Allocation for Remote Administrative SessionsThe HTTP port allocation feature allows you to configure the range of TCP ports
used by Cisco Secure ACS for remote administrative HTTP sessions (that is,
administrative sessions conducted by a browser running on a computer other than
the Cisco Secure ACS server). Narrowing this range with the HTTP port
allocation feature reduces the risk of unauthorized access to your network by a
port open for administrative sessions.
We do not recommend that you administer CiscoSecure ACS through a firewall.
Doing so requires that you configure the firewall to permit HTTP traffic over the
range of HTTP administrative session ports that CiscoSecure ACS uses. While
narrowing this range reduces the risk of unauthorized access, a greater risk of
attack remains if you allow administration of Cisco Secure ACS from outside a
firewall. A firewall configured to permit HTTP tr af f ic ov er the CiscoSecure ACS
administrative port range must also permit HTTP traffic through port 2002,
because this is the port a remote web browser must access to initiate an
administrative session.
Note A broad HTTP port range could create a security risk. To prevent accidental
discovery of an active administrative port by unauthorized users, keep the
HTTP port range as narrow as possible. Cisco Secure ACS tracks the IP
address associated with each remote administrative session. An unauthorized
user would have to impersonate, or “spoof”, the IP address of the legitimate
remote host to make use of the active administrative session HTTP port.
For information about configuring the HTTP port allocation feature, see the
“Access Policy” section on page 10-10.