The Grid provides certain security-related features. The following sections describe the different security-related features that you can set.

...

You can manage only certain features at the member level. To configure security features for the Grid or an individual member:

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click Grid Properties -> Edit.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox, and then click the Edit icon.
    To override an inherited property, click Override next to it and complete the appropriate fields.

  2. On the Security tab, complete the following:

    • Session Timeout(s): This field is in the Grid Properties editor only. Enter a number between 60 and 31536000 seconds (one minute – one year) in the Session Timeout field. The default session timeout is 600 seconds (10 minutes).

    • Minimum Password Length: This field is in the Grid Properties editor only. Specify the minimum number of characters allowed for an admin password.

    • Redirect HTTP to HTTPS: This field is in the Grid Properties editor only. Select this option to have the appliance redirect HTTP connection requests to HTTPS.

    • Restrict GUI/API Access: To control access to the GUI and API, select one of the following. You can restrict access using a named ACL or define individual ACEs. For information about named ACLs, see Configuring Access Control.

      • Allow Any: Select this to allow any clients to access the GUI and API. This is selected by default.

      • Named ACL: Select this and click Select Named ACL to select a named ACL that contains only IPv4 and IPv6 addresses and networks. GUI and API access restriction does not support TSIG key based ACEs. When you select this, the appliance allows GUI and API access for all ACEs in the named ACL. You can click Clear to remove the selected named ACL.

      • Set of ACEs: Select this to configure individual access control entries (ACEs). Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding.

        • IPv4 Address and IPv6 Address: Select this to add an IPv4 address or an IPv6 address. Click the Value field and enter the IP address. The appliance allows this client to access the GUI and API and restricts others.

        • IPv4 Network and IPv6 Network: Select this to add an IPv4 network or IPv6 network. Click the Value field and enter the network. The appliance allows this network to access the GUI and API and restricts others.

        After you have added access control entries, you can do the following:

        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.

        • Reorder the list of ACEs using the up and down arrows next to the table.

        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.

      • Access Restrictions Apply to Remote Console: Select this to restrict admins from accessing the Infoblox CLI from a remote location using an SSH (Secure Shell) v2 client.

      • Enable Remote Console Access: Select this option to enable superuser admins to access the Infoblox CLI from a remote location using SSH (Secure Shell) v2 clients. You can set this at the Grid and member levels.

      • Enable Support Access: Select this checkbox to enable an SSH (Secure Shell) daemon that only Infoblox Technical Support can access. You can set this at the Grid and member levels.

      • Restrict Remote Console and Support Access to the MGMT Port: This field is in the Grid Member Properties editor only. Select this checkbox to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections—both of which use SSH v2—to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive node.
        Clear the checkbox to allow SSH v2 access to both the MGMT and LAN ports.

      • Permanently Disable Remote Console and Support Access: This field is in the Grid Properties editor only.
        Select this option to permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support.

      • Enable LCD Input: Select this checkbox to allow use of the LCD buttons on the front panel of a NIOS appliance to change the IP address settings of the LAN port. Clear this checkbox to disable this function. You can set this at the Grid and member levels.

      • Disable Concurrent Login: Select this checkbox to disallow multiple logins per user for the same NIOS session. That is, if you have already logged on to one NIOS session (for example https://255.255.255.0) you cannot log on to the same IP address from another browser or from another system.

        Note that before you disable multiple logins to a NIOS system, ensure that all its existing sessions (if any) are logged out. If not, the existing sessions continue to remain active even after you disable multiple logins.

      • Enable Account Lockout: Select the checkbox to enable account lockout for local users. You can enable password security such that if a local user tries to log in to Grid Manager by using an incorrect password, the NIOS appliance locks the user account after the configured number of failed login attempts for a configured time period. Only superusers can enable and configure this feature. This feature is applicable only to local users. This option is disabled by default.

        • Maximum number of attempts: Enter the maximum number of invalid login attempts to Grid Manager after which NIOS locks the account. You can specify a value from 1 to 99. The default value is 5.

        • Lockout duration: Enter the time duration in minutes for which the account must be locked. You can specify a value from to 1440. The default value is 5 minutes.

        • Never Unlock: Select the checkbox to permanently lock a local user account which is already locked. Only a superuser can clear the checkbox to unlock the account. NIOS displays a warning message if you enable this option. This option is not applicable to superuser accounts because you cannot permanently lock a superuser account. This option is disabled by default.
          You can also configure account lockout for admin groups. For more information, see Configuring Account Lockout for Admin Group.

      • Disable Inactive Users: Select this checkbox to disable users who have not logged in to NIOS for a specified period of time. You can specify the time period (in days) in the Disable account if user has not logged in for <time period> days field. The range of days is from 2 to 9999. You can also specify a reminder to be sent in the Remind <days> prior to expiration field. The range of days is from 1 to 30. The number of days you specify in this field is the point from which users start getting daily email reminders that their account will be disabled. NIOS sends the email reminder only if an email address has been configured for the user.
        Select the Allow user to reactivate account via serial console and Allow user to reactivate account via remote console checkboxes if you want users to activate their account after it has been disabled. To reactivate using the serial console, see Deploying a Single Independent Appliance. To reactivate using the remote console, type ssh <user name>@<ip address>.
        Note: Reactivating the account using the serial console or the remote console is possible only for superusers.

  3. Save the configuration and click Restart if it appears at the top of the screen.
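The following is an added example, not Infoblox code: a small Python model of three of the Security tab controls described above (Restrict GUI/API Access with IPv4/IPv6 address and network ACEs, Enable Account Lockout with its Never Unlock rule for non-superusers, and Disable Inactive Users with its reminder window). It exists so the edge cases can be exercised offline: an empty ACE set admits nobody, an expired lockout lets a correct password through, Never Unlock never applies to a superuser, and the reminder window starts the configured number of days before disablement. The order in which the checks are applied, the reset of the failure counter once an account locks, and the treatment of a user with no recorded login as active are assumptions of this model; all users, addresses and timestamps are constructed.

```python
"""Model of NIOS Security-tab checks (added example, not Infoblox code).
Every user, address and timestamp below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

# Constructed reference clock so sequences of attempts can be replayed.
REFERENCE_TIME = datetime(2024, 1, 1, 12, 0)


def shift(base: datetime, minutes: int = 0, days: int = 0) -> datetime:
    return base + timedelta(minutes=minutes, days=days)


# ---- Restrict GUI/API Access --------------------------------------------
def client_allowed(client_ip: str, mode: str, aces=()) -> bool:
    """mode 'any' is Allow Any; mode 'aces' covers both Named ACL and Set of
    ACEs, whose entries are IPv4/IPv6 addresses or networks. TSIG-key ACEs
    are not supported for GUI/API restriction, so none are modelled."""
    if mode == "any":
        return True
    ip = ipaddress.ip_address(client_ip)
    for ace in aces:
        net = ipaddress.ip_network(ace, strict=False)  # '10.0.0.5' -> /32
        if ip.version == net.version and ip in net:
            return True
    return False  # nothing matched: this client is one of the restricted others


# ---- Enable Account Lockout / Disable Inactive Users --------------------
@dataclass
class LockoutPolicy:
    enabled: bool = False        # page: disabled by default
    max_attempts: int = 5        # page: 1..99, default 5
    lockout_minutes: int = 5     # page: default 5 minutes
    never_unlock: bool = False   # page: never applies to superusers


@dataclass
class LocalUser:
    name: str
    superuser: bool = False
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    permanently_locked: bool = False
    last_login: Optional[datetime] = None


def is_locked(user: LocalUser, now: datetime) -> bool:
    if user.permanently_locked:
        return True
    return user.locked_until is not None and now < user.locked_until


def record_failed_login(user: LocalUser, policy: LockoutPolicy, now: datetime) -> bool:
    """Count one bad password and lock when the limit is reached; returns the
    resulting lock state. Resetting the counter on lock is an assumption."""
    if not policy.enabled:
        return False
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_attempts:
        user.failed_attempts = 0
        if policy.never_unlock and not user.superuser:
            user.permanently_locked = True  # only a superuser can clear this
        else:
            user.locked_until = shift(now, minutes=policy.lockout_minutes)
    return is_locked(user, now)


def inactivity_state(user: LocalUser, now: datetime,
                     disable_after_days: int, remind_days: int) -> str:
    """'active', 'reminder' (daily email window) or 'disabled'.
    Page ranges: disable_after_days 2..9999, remind_days 1..30.
    A user with no recorded login is treated as active (assumption)."""
    if user.last_login is None:
        return "active"
    idle_days = (now - user.last_login).days
    if idle_days >= disable_after_days:
        return "disabled"
    if idle_days >= disable_after_days - remind_days:
        return "reminder"
    return "active"


def login(client_ip: str, user: LocalUser, password_ok: bool, *, now: datetime,
          access_mode: str, aces=(), lockout: Optional[LockoutPolicy] = None,
          disable_after_days: Optional[int] = None, remind_days: int = 1) -> str:
    """Assumed order of checks: source address, lock state, inactivity, password."""
    lockout = lockout or LockoutPolicy()
    if not client_allowed(client_ip, access_mode, aces):
        return "denied: source address not permitted"
    if is_locked(user, now):
        return "denied: account locked"
    if disable_after_days and inactivity_state(
            user, now, disable_after_days, remind_days) == "disabled":
        return "denied: account disabled for inactivity"
    if not password_ok:
        locked = record_failed_login(user, lockout, now)
        return "denied: account locked" if locked else "denied: bad password"
    user.failed_attempts = 0
    user.last_login = now
    return "ok"


if __name__ == "__main__":
    policy = LockoutPolicy(enabled=True, max_attempts=3)
    alice = LocalUser("alice")
    for attempt in range(3):  # three bad passwords from a permitted network
        print(login("192.0.2.7", alice, False, now=REFERENCE_TIME,
                    access_mode="aces", aces=["192.0.2.0/24"], lockout=policy))
    print(login("192.0.2.7", alice, True, now=shift(REFERENCE_TIME, minutes=5),
                access_mode="aces", aces=["192.0.2.0/24"], lockout=policy))
```

Running the block replays three failed logins for a local user from a permitted network, shows the third one locking the account, and shows a correct password succeeding once the five-minute lockout has elapsed.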

Enabling and Disabling Remote Console and Infoblox Technical Support Access

...

If you have any questions, contact Infoblox Technical Support. To enable or disable remote console and Infoblox technical support access:

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click Grid Properties -> Edit.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox, and then click the Edit icon.
    Independent appliance: From the System tab, select the System Manager tab, expand the Toolbar and click System Properties -> Edit.

  2. In the editor, select the Security tab -> Advanced tab, and then complete the following in the Remote Console and Infoblox Technical Support Access section:

    • Enable Remote Console Access: Select this checkbox to enable superuser admins to access the Infoblox CLI from a remote location using SSH (Secure Shell) v2 clients. You can set this at the Grid and member levels.

    • Enable Support Access: Select this checkbox to enable an SSH (Secure Shell) daemon that only Infoblox Technical Support can access. You can set this at the Grid and member levels.

    • Support Access Info: Displays the support access code and the expiration time of the code. Note that Enable Support Access is disabled after the expiration time.

    • Permanently Disable Remote Console and Support Access: This field is in the Grid Properties editor only.
      Select this checkbox to permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support.

  3. Save the configuration.