One of our important customers from the banking sector has some security concerns about putting CA API Developer Portal 4.2 in the DMZ, due to the fact that the admin login is not separated from the user login, and they do not want the admin login to be available from outside. Is there any way CA API Developer Portal 4.2 can be configured so that users can log in from the outside world, but the admin login is accessible from the internal network only?
I am not aware of an option to disable the admin login depending on the network the request is coming from.
Are you referring to the Admin login for the customer tenant or the apim internal tenant?
I mean the administrator of the portal. Anyway, if there is no option to disable it, would putting the Portal in the internal network instead of the DMZ work? And if yes, is there any best practice for such an architecture?
I concur with Dirk; I don't believe there's a built-in way to deny login access for just certain users from certain networks. But of course, the authentication to the OVA image itself is all handled at the operating system level, not the Portal application level, so there may be ways to achieve what's desired at the OS level that I'm just not familiar with yet. A quick Google search should suffice for that, as I would be willing to bet there are some authentication apps that can be installed that can meet that requirement too, hopefully even some open source ones.
If you want to avoid all of that though, and they are hesitant about putting it in the DMZ but feel they can better protect it from attacks on their internal network, then yes, that would be the way to go forward for them. They know their network best, so if they believe they have the tools necessary already in place, then they can absolutely utilize them. Most customers simply have the Portal in their internal network and use load balancers and proxies in front to aid the flow of traffic from outside to inside to the Portal; that way they maintain a tighter rein on its security. There isn't a best practice really; it's just a basic network setup. Their network team will best handle that. From the Portal side, there aren't really any configurations necessary that you need to account for, or in other words no configuration that cares whether it's in the DMZ or the internal network. It works the same either way.
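As an added illustration of the "proxy in front" setup described above (example configuration, not CA product documentation or anything from the thread's participants): an nginx reverse proxy that forwards the developer-facing Portal to everyone but answers 403 to any admin-login request that does not originate from an internal network. The admin path `/admin/`, the backend name `portal.internal`, the hostname, the certificate paths and all CIDR ranges are placeholders or constructed sample values that must be replaced with the tenant's real ones.

```nginx
# Added example: reverse proxy in front of the Portal that keeps the admin
# login reachable from internal networks only. Placeholder values throughout.

# If a load balancer sits in front of this proxy, the source-address check
# below only works if the proxy sees the original client address. Trust the
# forwarding header solely from the load balancer's own subnet (constructed).
set_real_ip_from  10.10.0.0/24;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

upstream portal_backend {
    server portal.internal:443;          # placeholder: the Portal on the internal network
}

server {
    listen 443 ssl;
    server_name developer.example.com;   # placeholder public hostname
    ssl_certificate     /etc/nginx/tls/portal.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/portal.key;

    # Admin login: internal networks only. External clients get 403 here and
    # never reach the Portal's admin login at all.
    location /admin/ {                   # placeholder: use the tenant's real admin URL
        allow 10.0.0.0/8;                # corporate LAN (constructed sample range)
        allow 192.168.0.0/16;            # office networks (constructed sample range)
        deny  all;
        proxy_pass https://portal_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Developer (user) login and the rest of the Portal: reachable from outside.
    location / {
        proxy_pass https://portal_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This only helps if the proxy is the sole route to the Portal, so firewall rules must stop external traffic from reaching the Portal's own listener directly. Verify the restriction from an external address after deploying, since a mismatch between the placeholder path and the Portal's real admin URL would silently leave the admin login exposed.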
Did the answers on this thread answer your question? If so, please mark it as the right answer. When your question is not answered or you still have additional questions, please let us know.
With Kind Regards,
Dirk