GW monitor 14.2.3 remove access to Web Console

Hello -

GW 14.2.3 on SLES11SP4/OES2015.1

How do I remove access to the web console for gwmonitor? I do not need access from the outside to gw mon and was curious what config file(s) to edit to remove this access - if that is possible. I still need the agent console but not the web console.

Thanks,
Brad


  • In article <BPainter.8yeppz@no-mx.forums.microfocus.com>, BPainter wrote:
    > How do I remove access to the web console for gwmonitor? I do not need
    > access from the outside to gw mon and was curious what config file(s) to
    > edit to remove this access - if that is possible. I still need the agent
    > console but not the web console.


    To make sure we are on the same page:
    you want to not have the GW Monitor web page running/accessible at all,
    but still want the agents pages such as for POA, MTA, GWIA to be
    accessible?

    If you don't want the only GUI for GW Monitor running, do you really need
    GW Monitor itself running? If you don't need it, then we can just stop
    it from starting in the first place.

    If you still want the GW Monitor accessible on the inside but not the
    internet, then it is a case of proper firewalling, i.e. Where you have at
    your perimeter that only allows specified ports in, blocking the rest such
    as port 8200.

    If you still want GW Monitor to alert in the background, but have no GUI,
    then what might work is to comment out the <HTTP> section of your
    monitor.xml. Note that I have never tried that, and don't have any of my
    GW Monitor instances visible to the public internet, only if I am on the
    local network in some fashion (such as in person or VPNed in)


    Andy of
    http://KonecnyConsulting.ca/gw in Toronto
    Knowledge Partner
    https://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!

  • I agree that the firewall option is the best route but that would require contacting those in charge of that - for various reasons I would like to avoid that. Since there are two ways to access GW Monitor - one being the Agent Console and two being the Monitor Web Console. I would like to remove access to the Monitor Web Console (external) but keep access to the Monitor Agent Console (internal). I suppose I could use the SLES FW but currently that is disabled. I thought there would be a config file entry that I could just comment out but maybe not. Thanks for the reply.

    bp
  • In article <BPainter.8ym4un@no-mx.forums.microfocus.com>, BPainter
    wrote:
    > I thought there would be a
    > config file entry that I could just comment out but maybe not.


    Or, if you don't need apache for anything, just turn apache off.

    I hadn't been previously aware that we had two different Web type
    consoles, had only used the {serverIP}:8200 route.
    Found the {serverIP}/gwmon/gwmonitor that I believe you are discussing
    and that appears to be dependent on apache.
  • Yes the {serverIP}/gwmon/gwmonitor is the option I am referring to. I saw those gwmon files in /etc and /var as well but wasn't sure if there was an easier way so that's why I asked. Thanks for creating the Idea in the portal - I was going to do the same.
  • In article <BPainter.8ypv40@no-mx.forums.microfocus.com>, BPainter wrote:
    > Yes the {serverIP}/gwmon/gwmonitor is the option I am referring to. I
    > saw those gwmon files in /etc and /var as well but wasn't sure if there
    > was an easier way so that's why I asked. Thanks for creating the Idea
    > in the portal - I was going to do the same.


    I wonder how many installs of Monitor out there are left exposed to the
    outside that nobody knows about. A security issue one would think. Good
    advice is to not install Monitor on a WebAccess or otherwise http/https
    accessible box from the outside, at least until this is fixed.
    Just editing the index.html under /var might be enough for a workaround.
    My friend who is big on Monitor suggests that it is the only part of the
    Monitor application (vs the agent), so un-installing that may be the
    trick.

    I see your vote and comment, now to see if anyone else agrees and gives
    that idea some love with a vote.


    Andy of
    http://KonecnyConsulting.ca/gw in Toronto
    Knowledge Partner
    https://forums.novell.com/member.php/75037-konecnya

  • GroupWise Monitor originally came as an Agent (port 8200) and Application (integrates into web server). Recent versions of GroupWise no longer include the Application AFAIK, but if you've upgraded GroupWise over the years, it may have been left in place on your web server from an earlier install.

    Here's docs on Monitor Agent/Application from GW8 for example:
    https://www.novell.com/documentation/gw8/gw8_install/data/bpcm0jj.html

    This page also mentions the "Monitor Security Requirements" similar to your issue and suggests using a proxy server to control access from the outside.

    I think that just removing the un-needed pieces is probably your only solution given that any install/uninstall routines for the Monitor Application are no longer available.

    =====>Andreas