Chapter 13. System Services

Table of Contents

13.1. HTTP Server configuration
13.1.1. Access control
13.1.1.1. Trusted addresses
13.2. Telnet Server configuration
13.2.1. Access control
13.3. DNS configuration
13.4. NTP configuration
13.5. SNMP configuration

A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling.

Table 13.1 lists the services that the FB2500 can provide :-

Table 13.1. List of system services

ServiceFunction
SNMP serverprovides clients with access to management information using the Simple Network Management Protocol
NTP clientautomatically synchronises the FB2500's clock with an NTP time server (usually using an Internet public NTP server)
HTTP serverserves the web user-interface files to a user's browser on a client machine
Telnet serverprovides an administration command-line interface accessed over a network connection
DNSrelays DNS requests from either the FB2500 itself, or client machines to one or more DNS resolvers
Platform RADIUS server/proxy**TBC**

Services are configured under the "Setup" category, under the heading "General system services", where there is a single services object (XML element : <services>). The services object doesn't have any attributes itself, all configuration is done via child objects, one per service. If a service object is not present, the service is disabled. Clicking on the Edit link next to the services object will take you to the lists of child objects. Where a service object is not present, the table in that section will contain an "Add" link. A maximum of one instance of each service object type can be present.

13.1. HTTP Server configuration

The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based user-interface for the FB2500. It is not a general-purpose web server that can be used to serve user documents, and so there is little to configure.

13.1.1. Access control

By default, the FB2500 will allow access to the user interface from any machine, although obviously access to the user interface normally requires the correct login credentials to be provided. However, if you have no need for your FB2500 to be accessed from arbitrary machines, then you may wish to 'lock-down' access to the user interface to one or more client machines, thus removing an 'attack vector'.

Access can be restricted to :-

  • specific client IP addresses, or
  • clients connecting from locally-attached Ethernet subnets[2]

Additionally, access to the HTTP server can be completely restricted (to all clients) under the control of a profile. This can be used, for example, to allow access only during certain time periods.

To restrict to specific client IP addresses, using the user interface, check the checkbox next to the allow attribute, and enter one or more IP addresses, or IP address ranges into the text entry box - use the Enter key to separate your list items.

Tip

Address ranges can be entered using either <first address>-<last_address> syntax, or using CIDR notation : <start address>/<prefix length>. If a range entered using the first syntax can be expressed using CIDR notation, it will be automatically converted to that format when the configuration is saved. You can also use name(s) of defined IP address group(s) - see Section 3.1 for discussion of address groups.

To restrict access to clients connecting from locally-attached subnets, check the checkbox next to the local-only attribute and select true from the drop-down box.

Tip

You can verify whether the access control performs as intended using the diagnostic facility described in Section 14.2

13.1.1.1. Trusted addresses

Trusted addresses are those from which additional access to certain functions is available. They are specified by setting the trusted attribute using address ranges or IP address group names.



[2] A locally-attached subnet is one which can be directly reached via one of the defined interfaces, i.e. is not accessed via a gateway.