Restricting Service Access to Host Names or IPs

By default, Commander and the Service Portal are accessible on all network addresses of the computer hosting Commander. However, you can specify that users can only access Commander and/or the Service Portal through a particular Fully Qualified Domain Name (FQDN) or IP address.

For example, if Commander is installed on "myhost", you can restrict users so that they can access the Service Portal only through that host's IP address; users would no longer have access to the Service Portal at https://myhost/portal. Rather, they must access it at https://<IP address>/portal. In addition, Service Portal users wouldn't be able to access Commander from the FQDN or IP address where the Service Portal is served.

Note: You can also run Commander and the Service Portal on separate ports to control access. You configure ports in the Commander Control Panel.

Restricting Commander and Service Portal access to specific host names or IP addresses

Access through:

Configuration > System

Available to:

Commander Role of Superuser

To restrict Commander and/or Service Portal access to specific host names or IP addresses:

  1. Click the Access tab.
  2. In the Commander and Service Portal section, click Edit.
  3. In the Edit Service Access dialog, for either Commander or the Service Portal, or both, enter an FQDN or IP address, keeping in mind the following:
    • FQDNs are limited to 1024 characters.
    • Regular expressions are not permitted.
    • IP addresses must be in IPv4 format.
    • IP addresses and FQDNs are not mutually exclusive; they may both point to the same host.
    • Virtual directories are not permitted (for example, you can't enter https://portal.acme.ca/admin/).
  4. If you also want to restrict API access, so that only users with a Commander role can access the APIs, enable Restrict REST API access to Commander Host/IP. This option is only enabled if you have entered text in the Commander Host/IP field.
  5. Click OK to confirm.
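
Because a wrong entry immediately cuts off signed-in users, it can help to check a proposed value against the rules in step 3 before entering it. The following is an added example, not Commander's own validation logic; the names check_entry and REGEX_CHARS, the set of characters treated as regular-expression syntax, and the handling of a pasted scheme or port are assumptions.

```python
import ipaddress
import re

MAX_FQDN_LEN = 1024                      # limit stated in step 3
REGEX_CHARS = set("*?+[](){}|^$\\")      # assumption: what counts as regex syntax
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label

def check_entry(value):
    """Return a list of problems with a proposed Host/IP entry (empty = OK)."""
    problems = []
    # Assumption: a pasted scheme is tolerated; only the host part is checked.
    host = re.sub(r"^https?://", "", value.strip(), flags=re.IGNORECASE)
    host, _, path = host.partition("/")
    if path.strip("/"):
        problems.append("virtual directories are not permitted")
    if ":" in host:
        try:
            ipaddress.IPv6Address(host.strip("[]"))
            problems.append("IP addresses must be in IPv4 format")
        except ValueError:
            # Assumption: ports are set in the Control Panel, not in this field.
            problems.append("unexpected ':' in host")
        return problems
    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append("not a valid IPv4 address")
        return problems
    if len(host) > MAX_FQDN_LEN:
        problems.append("FQDN exceeds 1024 characters")
    if REGEX_CHARS & set(host):
        problems.append("regular expressions are not permitted")
    elif not all(LABEL.fullmatch(label) for label in host.split(".")):
        problems.append("not a well-formed host name")
    return problems

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real deployment.
    for entry in ["portal.example.com", "192.0.2.10", "https://portal.acme.ca/admin/",
                  ".*\\.example\\.com", "2001:db8::1", "192.0.2.256"]:
        print(f"{entry!r}: {check_entry(entry) or 'OK'}")
```
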

Important:

  • Once you click OK, all users currently signed in to Commander or the Service Portal (depending on which access you restricted) will immediately see an error in their browser. Make sure to provide users with the new URL.
  • If you restrict access as described here, links in notification emails sent before you restricted access will no longer work. You must resend notification emails as required.

Access URLs when access is restricted

Scenario Access URL

Commander and the Service Portal running on the same port

Commander

https://<Commander FQDN or IP address>

Examples:

  • https://commander.mycompany.com
  • https://11.22.33.444

Service Portal

https://<Service Portal FQDN or IP address>

Examples:

  • https://portal.mycompany.com
  • https://11.22.33.555

Commander and the Service Portal running on different ports

Commander

https://<Commander FQDN or IP address>

Examples:

  • https://commander.mycompany.com
  • https://11.22.33.123

Service Portal

https://<Service Portal FQDN or IP address>:<port>

Examples:

  • https://portal.mycompany.com:9000
  • https://11.22.33.123:9000

Notes:  

  • Whatever restrictions are in place, you can always access Commander and the Service Portal locally through https://localhost or https://127.0.0.1.
  • Current access URLs and port numbers are stored in the Commander log, in the Support section under Tomcat. You can find the log at <Commander install directory>\tomcat\logs\vcommander.txt

Correcting errors in service access configuration

If you make a mistake when configuring service access, return to the Access tab from the host where Commander is installed, using localhost in the URL, and correct the error.

Restoring access on all network addresses

Click Clear and click Save Settings, then confirm the operation.