Restrict Service Access to Host Names or IPs

By default, the Commander Admin Portal and Service Portal are accessible on all network addresses of the computer hosting Commander. However, you can specify that users can only access the Admin Portal and/or the Service Portal through a particular Fully Qualified Domain Name (FQDN) or IP address.

For example, if Commander is installed on "myhost", you can restrict users so that they can access the Service Portal only through that host's IP address; users would no longer have access to the Service Portal at https://myhost/portal. Rather, they must access it at https://<IP address>/portal. In addition, Service Portal users wouldn't be able to access the Admin Portal from the FQDN or IP address where the Service Portal is served.

You can also run the Admin Portal and the Service Portal on separate ports to control access. You configure ports in the Snow Commander Control Panel.

Restrict Commander and Service Portal access to specific host names or IP addresses

Access:

Configuration > System

Available to:

Commander Role of Superuser

  1. Click the Access tab.
  2. In the Commander and Service Portal section, click Edit.
  3. In the Edit Service Access dialog, for either the Admin Portal or the Service Portal, or both, enter an FQDN or IP address, keeping in mind the following:
    • FQDNs are limited to 1024 characters.
    • Regular expressions aren't permitted.
    • IP addresses must be in IPv4 format.
    • IP addresses and FQDNs aren't mutually exclusive; they may both point to the same host.
    • Virtual directories aren't permitted (for example, you can't enter https://portal.acme.ca/admin/).
  4. If you also want to restrict API access, so that only users with a Commander role can access the APIs, enable Restrict REST API access to Commander Host/IP. This option is only enabled if you have entered text in the Commander Host/IP field.
  5. Click OK to confirm.
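The entry rules in step 3, written as a pre-check you can run over planned values before typing them into the Edit Service Access dialog. This is an added example, not Commander code: `check_entry`, the metacharacter set and the RFC 1123 label check are assumptions of this example, and Commander's own validation may differ.

```python
import ipaddress
import re

MAX_FQDN_LEN = 1024                   # FQDN limit stated in step 3
REGEX_CHARS = set("*?+^$|()[]{}\\")   # constructed set of regex metacharacters
# RFC 1123 host label syntax: an assumption of this example, not a rule from the page
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_entry(value):
    """Return the list of problems with one Host/IP value (empty list = acceptable)."""
    value = value.strip()
    if not value:
        return ["empty value"]
    problems = []
    if "/" in value:
        problems.append("URLs and virtual directories aren't permitted")
    if REGEX_CHARS & set(value):
        problems.append("regular expressions aren't permitted")
    if problems:
        return problems
    if ":" in value:
        try:
            ipaddress.IPv6Address(value)
            return ["IP addresses must be in IPv4 format"]
        except ValueError:
            return ["enter the host only; ports are set in the Control Panel"]
    if re.fullmatch(r"[0-9.]+", value):        # dotted digits: must parse as IPv4
        try:
            ipaddress.IPv4Address(value)
            return []
        except ValueError:
            return ["not a valid IPv4 address"]
    if len(value) > MAX_FQDN_LEN:
        problems.append("FQDN longer than 1024 characters")
    if not all(LABEL.fullmatch(label) for label in value.rstrip(".").split(".")):
        problems.append("invalid host name label")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment
    for sample in ["portal.mycompany.com", "192.0.2.10", "2001:db8::1",
                   "https://portal.acme.ca/admin/", r".*\.mycompany\.com",
                   "portal.mycompany.com:9000"]:
        print(f"{sample!r}: {check_entry(sample) or 'ok'}")
```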

Important:

  • Once you click OK, all users currently signed in to the Admin Portal or the Service Portal (depending on which access you restricted) will immediately see an error in their browser. Make sure to provide users with the new URL.
  • If you restrict access as described here, links in notification emails sent before you restricted access will no longer work. You must resend notification emails as required.

Access URLs when access is restricted

Scenario | Access URL

Admin Portal and the Service Portal running on the same port

Commander

https://<Commander FQDN or IP address>

Examples:

  • https://commander.mycompany.com
  • https://11.22.33.444

Service Portal

https://<Service Portal FQDN or IP address>

Examples:

  • https://portal.mycompany.com
  • https://11.22.33.555

Admin Portal and the Service Portal running on different ports

Commander

https://<Commander FQDN or IP address>

Examples:

  • https://commander.mycompany.com
  • https://11.22.33.123

Service Portal

https://<Service Portal FQDN or IP address>:<port>

Examples:

  • https://portal.mycompany.com:9000
  • https://11.22.33.123:9000

  • Whatever restrictions are in place, you can always access the Admin Portal and Service Portal locally through https://localhost or https://127.0.0.1.
  • Current access URLs and port numbers are stored in the Commander log, in the Support section under Tomcat. You can find the log at <Commander install directory>\tomcat\logs\vcommander.txt
  • If you make a mistake when configuring service access, return to the Access tab from the host where Commander is installed, using localhost in the URL, and correct the error.
  • If you want to clear any configured restrictions and restore access on all network addresses, click Clear and click Save Settings, then confirm the operation.