Layer7 API Management

Expand all | Collapse all

How to disable admin login to CA API Dev Portal 4.2 from external network?

Jump to Best Answer
  • 1.  How to disable admin login to CA API Dev Portal 4.2 from external network?

    Broadcom Employee
    Posted 10-01-2018 04:35 AM

    Colleagues,

     

    one of our important customers from banking sector has some security concerns about putting CA API Developer Portal 4.2 in DMZ due to the fact, that admin login is not separated from user login, and they do not want admin login to be available from outside. Is there any way how CA API Developer Portal 4.2 can be configured, so that users can login from outside world, but admin login is accessible from internal network only?

     

    Thank you,

     

    David Mateju

    CA CEE



  • 2.  Re: How to disable admin login to CA API Dev Portal 4.2 from external network?

    Broadcom Employee
    Posted 10-01-2018 06:01 AM

    Hi David 

     

    I am not aware of a option to disable the admin login depending on the network from where the request is coming from.

    Are you referring to the Admin login for the customer tenant or the apim internal tenant 

     

    Dirk 



  • 3.  Re: How to disable admin login to CA API Dev Portal 4.2 from external network?

    Broadcom Employee
    Posted 10-01-2018 06:09 AM

    Hi Dirk,

     

    I mean the administrator of the portal. Anyway, if there is no option to disable it, would putting Portal to internal network instead of DMZ work? And if yes, is there any best-practice about such architecture?

     

    Thank you,

     

    David Mateju

    CA CEE



  • 4.  Re: How to disable admin login to CA API Dev Portal 4.2 from external network?
    Best Answer

    Posted 10-02-2018 02:19 PM

    I concur with Dirk, I don't believe there's a built-in way to deny login access for just certain users from certain networks. But of course, the authentication to the OVA image itself is all handled at the operating system level not the Portal application level, so there may be ways to achieve what's desired at the OS level that I'm just not familiar with yet. A quick Google search should suffice for that, as I would be willing to bet there's some authentication apps that can always be installed that can meet that requirement too, hopefully even some open source ones.

     

    If you want to avoid all of that though and they are hesitant about putting in the DMZ then but feel they can better protect it from attacks on their internal network, then yes that would be the way to go forward for them. They know their network best, so if they believe they have the tools necessary already in place, then they can absolutely utilize them. Most customers simply have the Portal in their internal network and use load balancer and proxies in front to aid the flow of traffic from outside to inside to the Portal, that way they maintain a tighter reign on its security. There isn't a best practice really, it's just a basic network setup. Their network team will best handle that. From the Portal side, there isn't really any configurations necessary that you need to account for, or in other words no configuration that cares whether it's in the DMZ or the internal network. It works the same either way.



  • 5.  Re: How to disable admin login to CA API Dev Portal 4.2 from external network?

    Broadcom Employee
    Posted 10-08-2018 08:19 AM

    Hi

    Did the answers on this thread answered your question? If it did please mark it as the right answer.
    When your question is not answered or you still have additional questions please let us know.

    With Kind Regards
    Dirk