I have a customer who, given their business, have quite strict security requirements.
Standing up FLEX for a PoC hasn't been too challenging in a sealed environment; however, for production, a number of issues remain around hardening. The most significant of these is below:
The Mirage Web Management server that underpins FLEX is based upon IIS. It presents a number of pages for different functions, including Mirage Management, most of which can be relatively easily restricted - IP and domain restrictions on IIS spring to mind. However, the /rvm folder (the contents for FLEX) is another matter. This folder hosts the FLEX management console, but (through testing) is also the direction that the FLEX clients use to both authenticate and gather policies etc. Placing a restriction on this path restricts not just administration, but also the access from the client. The outcome we want is that internet-facing clients can access the FLEX server for entitlements etc., but an internet user can't access the web management interface.
Documentation hints at using a reverse proxy, but provides no guidance on how to set this up (or whether this would give us the desired result). Although this particular discussion board is as quiet as a grave, any help would be appreciated.
Although there is guidance on setting up FLEX, there's little around hardening what is potentially an internet-facing service - hence the question in the subject line - is there a hardening guide?
Hi Curtis Brown,
I understand your concern here; it's something we would like to address. A reverse proxy won't do what you're hoping for here.