Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

How to restrict Apex One web console access to IP address/IP address range and domains

    • Updated:
    • 17 Jan 2020
    • Product/Version:
    • Apex One
    • Platform:
    • N/A
Summary

By default, the Apex One web console is accessible on any computer from the same network. However, to increase security, the Internet Information Services (IIS) Manager can be configured to allow or deny the Apex One web console from accessing individual addresses or ranges of IP addresses based on the server’s logs or website activity.

Details
Public

The IP and Domain Restrictions Role Service feature must be installed as part of Web Server (IIS) on the Apex One server.

To install it, click Start > Server Manager > Add Roles and Features > Server Selection > Server Roles > Web Server (IIS) > Web Server > Security > IP and Domain Restrictions > Next > Next > Install.

Restrict Apex One web console access

To restrict Apex One web console access:

  1. On the Apex One server computer, launch Internet Information Services (IIS) Manager.
  2. Expand SERVERNAME > Sites > OfficeScan website > officescan and then click the console directory.
  3. Double-click IP Address and Domain Restrictions under IIS group.

    Restrict Apex One web console access

  4. To deny all access, select "Deny action under Access for unspecified clients: setting".

    Restrict Apex One web console access

    Restricting all access will have the following limitation, which is addressed in Apex One Patch 2 Build 2146 or later builds:

    • The Sample Submission and Suspicious Object List settings will fail to upload samples and sync settings from the Apex One server to Security Agents

      Restrict Apex One web console access

      Restrict Apex One web console access

      Restrict Apex One web console access

      Restrict Apex One web console access

  5. Add the IP addresses of allowed devices e.g. system administrator computer and then click Add Allow Entry… action on the upper-right section.
  6. Input the target Specific IP address or IP address range and then click OK.
     
    • Add both IPv4 and IPv6 addresses of the allowed computers. The following should have allowed access:
      • System administrator
      • Apex One server
      • Apex Central server
      • Apex One Edge server
    • Allow localhost IP to ensure any internal Apex One communication within the console. Below are the default localhost IP values:
      • 127.0.0.1
      • ::1
    • If you get logged out after allowing the necessary IP address when you are accessing Apex One web console, clear the browser cache and restart the web browser.

      Restrict Apex One web console access

      Restrict Apex One web console access

    If you are using the default action type (forbidden), an easy way to identify the IPv6 addresses would be to check the Apex One website’s IIS logs.

    Restrict Apex One web console access

    You can search all “error 403” and back-check the restricted IPv6 addresses of the allowed computers.

    Restrict Apex One web console access

     

    Allowing or restricting domain names access is not recommended as this rule may significantly affect server performance because it requires a DNS lookup for every request.

    Restrict Apex One web console access

  7. The "Enable Proxy Mode" setting can be enabled to filter clients that access IIS through one or more firewalls, load-balancing, or proxy servers. Administrators can configure their servers to examine the X-Forwarded-For HTTP header in order to determine which requests to block.

    Restrict Apex One web console access

    To enable X-Forwarded-For logging in IIS:

    1. Expand SERVERNAME > Sites > OfficeScan website directory.
    2. Double-click Logging under IIS group.

      Restrict Apex One web console access

    3. Click the Select Fields button under Log File Format.

      Restrict Apex One web console access

    4. In the W3C Logging Fields menu, click Add Field… and then input “X-Forwarded-For” on both the Field Name and Source sections.

      Restrict Apex One web console access

    5. The Custom Fields section should show the entry after you click OK.

      Restrict Apex One web console access

    6. Restart IIS Admin Service.

      Restrict Apex One web console access

      Restrict Apex One web console access

      The log file name should append a ”_x” at the end and show X-Forwarded-For in the header.

Below is the default message that the restricted IP/domain gets when the Apex One web console is accessed:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

Restrict Apex One web console access

In IIS 8.0, administrators can configure to deny access in several additional ways.

Restrict Apex One web console access

Action TypeDescription
UnauthorizedReturns Error 401
ForbiddenReturns Error 403
Not FoundReturns Error 404
AbortTerminates the connection
Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
000159031
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.