(Optional) Configuring Web LMT Proxy (eLTE Management Scenarios)
The Web LMT proxy needs to be configured only when the eLTE management component is installed and the Web LMT proxy service is required.
Context
If the eLTE management component is installed in eSight, you must configure Web LMT proxy.
Basic Concepts
This topic describes the scenario, default setting, risks and suggestions, and other related concepts about Web LMT Proxy configuration.
Scenario
- Versions earlier than eCNS610 V100R004C00 do not support the Web LMT.
- Versions earlier than eAN3710 V100R002C00 do not support the Web LMT.
- The browsers supported by the Web LMT proxy function are subject to the browsers supported by the device Web LMT.
When devices and users are in different networks, users can access the devices' Web LMT only through the proxy function offered by the proxy server.
Before accessing a base station through the eSight proxy, you must configure Web LMT proxy rules as described in Operation Process.
Default Setting
By default, the proxy server is not started, the system does not offer a proxy authentication user, and source and destination IP address ranges are empty, indicating that no user is allowed to access any device through the proxy.
Risks and Suggestions
After the Web LMT proxy function is enabled, users within the source IP address range can access devices within the destination IP address range. This introduces security risks. Exercise caution when configuring the allowed source and destination IP address ranges.
Basic Concepts
- Proxy authentication
Requires a user name and password before LMT functions can be used.
- Source IP address range
Controls the IP address range of clients that are allowed to use the Web LMT proxy. The IP address refers to the IP address of the host where the user browser is located.
- Destination IP address range
Controls the IP address range of devices that are allowed to pass through the Web LMT proxy.
Operation Process
This topic describes the process of configuring the Web LMT proxy.
Figure 8-34 shows the process of configuring the Web LMT proxy.
Creating a Proxy User
This topic describes how to create a proxy user.
Context
The system allows users to access NEs through the proxy. When using the proxy function, you must enter a user name and password for authentication, which increases system security.
By default, the system has no proxy user. You must create a proxy user to use the proxy function.
Precautions
- The password must meet the following rules:
  - The password must not contain the user name or the reversal of the user name.
  - The password ranges from 8 to 32 characters.
  - The password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character (!"#$%&'()*+,-./:;<=>?@[\]^`{_|}~).
- After a proxy user is created, the setting takes effect immediately. You do not need to restart the proxy server.
- It is recommended that you change proxy user passwords at regular intervals to ensure the account security.
Procedure
- Log in to the server as the Administrator user.
Log in to the server as the SWMaster user if Windows is hardened.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Create a proxy user.
> htproxy.bat -au username
New password:
Re-type new password:
- If no command output is displayed, the proxy user is created successfully.
- The username field indicates the name of the proxy user to be created. The name must be a string of 6 to 32 characters.
- You can run the preceding command several times to add multiple proxy users.
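The rules in Precautions and the user name length above can be checked before running htproxy.bat, so a non-compliant credential is caught before it is typed at the prompt. The following is an added example, not part of the eSight tooling; the function name and the case-insensitive user name comparison are assumptions.

```python
import string

# Special characters accepted by the policy, copied from the Precautions list.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^`{_|}~")


def check_proxy_credentials(username, password):
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if not 6 <= len(username) <= 32:
        problems.append("user name must be 6 to 32 characters")
    if not 8 <= len(password) <= 32:
        problems.append("password must be 8 to 32 characters")
    # Assumption: compare case-insensitively, the stricter reading of the rule.
    low_pw, low_user = password.lower(), username.lower()
    if low_user and (low_user in low_pw or low_user[::-1] in low_pw):
        problems.append("password contains the user name or its reversal")
    classes = {
        "an uppercase letter": string.ascii_uppercase,
        "a lowercase letter": string.ascii_lowercase,
        "a digit": string.digits,
        "a special character": SPECIALS,
    }
    for label, allowed in classes.items():
        if not any(ch in allowed for ch in password):
            problems.append(f"password lacks {label}")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials for illustration only.
    for user, pw in [("lmtproxy01", "Xk7#mQ2$wZ"),
                     ("lmtproxy01", "10YxorPtml#A"),
                     ("admin", "short1A")]:
        print(user, check_proxy_credentials(user, pw) or "compliant")
```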
Follow-up Procedure
- Viewing the Proxy Users
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to view the list of proxy users.
> htproxy.bat -lu
- Changing the Proxy User Password
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to change the password:
> htproxy.bat -au username
New password:
Re-type new password:
- If no command output is displayed, the password is changed successfully.
- Here, username indicates the name of the proxy user whose password you want to change. If the proxy user does not exist, the proxy user will be created.
- When a password is changed, the password takes effect immediately. You do not need to restart the proxy server.
- Deleting a Proxy User
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to delete the line where the user name is located.
> htproxy.bat -ru username
username indicates the name of the proxy user to be deleted.
Adding the Source IP Address Range
This topic describes how to add the source IP address range. The IP address refers to the IP address of the host where the user browser is located.
Procedure
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to add the source IP address range.
> htproxy.bat -as 192.168.1.104
or
> htproxy.bat -as 10.1.1.0/24
- The source IP address range must be in the format of IP address/mask length. You can add ranges as many times as needed. Here, take "192.168.1.104 10.1.1.0/24" as an example:
- 192.168.1.104: indicates that the IP address is allowed to access the proxy server.
- 10.1.1.0/24: indicates that all IP addresses within the subnet are allowed to access the proxy server.
- If the message "success, restart nginx to take effect please" is displayed, the IP address range is added successfully.
- If the proxy server has been started, run the following command to restart it so that the modification takes effect:
> restart.bat
Follow-up Procedure
- Viewing the Source IP Address Range
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to view the source IP address range.
> htproxy.bat -ls
- Deleting the Source IP Address Range
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to delete the source IP address range.
> htproxy.bat -rs 192.168.1.104
or
> htproxy.bat -rs 10.1.1.0/24
- The IP address range must be in the format of IP address/mask length. You can add multiple network segments and separate them with spaces. Here, take "192.168.1.104 10.1.1.0/24" as an example:
- 192.168.1.104: indicates that the IP address is deleted if it exists in the source IP address list.
- 10.1.1.0/24: indicates that all IP addresses within the subnet are deleted if they exist in the source IP address list.
- If the message "success, restart nginx to take effect please" is displayed, the IP address range is deleted successfully.
- If the proxy server has been started, run the following command to restart it so that the modification takes effect:
> restart.bat
Adding the Destination IP Address
This topic describes how to add the destination IP address.
Procedure
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to add the destination IP address.
> htproxy.bat -ad 192.168.1.104 [port ID]
- If the port ID of the IP address is the default one, you do not need to add the port ID. If the port ID is not the default one, you need to add the port ID.
- Take 192.168.1.104 83 as an example. In the example, 192.168.1.104 indicates that the Web LMT corresponding to the IP address can be proxied and 83 indicates the port number corresponding to the IP address.
- If the message "success, restart nginx to take effect please" is displayed, the IP address is added successfully.
- If the proxy server has been started, run the following command to restart it so that the modification takes effect:
> restart.bat
Follow-up Procedure
- Viewing the Destination IP Address
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to view the destination IP address.
> htproxy.bat -ld
- Deleting the Destination IP Address
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to delete the destination IP address.
> htproxy.bat -rd 192.168.1.104
- Taking "192.168.1.104" as an example, the command deletes the IP address if it exists in the destination IP address list.
- You can delete only an IP address that already exists. You can run the command as many times as needed.
- If the message "success, restart nginx to take effect please" is displayed, the IP address range is deleted successfully.
- If the proxy server is not started, run the following command to start it so that the configuration takes effect:
> startup.bat
- If the proxy server has been started, run the following command to restart it so that the modification takes effect:
> restart.bat
Start the Proxy Server
By default, the proxy server is not started. After the configuration is complete, you need to start the proxy server.
Procedure
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to start the proxy server.
If the proxy server is not started, run the following command to start it so that the configuration takes effect:
> startup.bat
If the proxy server has been started, run the following command to restart it so that the modification takes effect:
> restart.bat
Stop the Proxy Server
When the proxy service is not required, stop the proxy server to reduce security risks.
Procedure
- Log in to the server as the Administrator user.
- Run the following command to switch the directory:
> cd /d eSight installation directory\AppBase\3rdparty\nginx_ewl\bin
- Run the following command to stop the proxy server.
> shutdown.bat
Proxy Authentication
After configuring the Web LMT proxy, log in to the LMT through the Nginx proxy.
Procedure
- Open a web browser, and enter https://eSight IP address:32143/Device IP address/login.html in the address box. Example: https://10.135.39.26:32143/10.137.63.230/login.html
If the following page is displayed, the Web LMT proxy is started successfully.
- Click Continue to this website. In the authentication window that is displayed, enter the user name and password.
- If the client and device IP addresses are within the allowed range, the Web LMT proxy asks you to enter the user name and password. Go to Step 3.
- If the client or device IP address is beyond the allowed range, the Web LMT proxy rejects your service request.
- If error 502 is displayed, rectify the fault by referring to How Do I Modify the SSL Configuration of the WebLMT in eSight Operation Guide.
- Log in to the LMT after the authentication succeeds. Take the base station as an example. The following figure shows the GUI.
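The source and destination lists decide who reaches which device, so it helps to review planned entries before adding them with htproxy.bat -as and -ad. The following is an added example, not part of the eSight tooling: it flags malformed or overly broad source ranges and models the admission rule described above (client in a source range and device in the destination list). The /16 threshold, the RFC 1918 check and the function names are assumptions, and destination ports are not modelled.

```python
import ipaddress

# Assumption: ranges wider than /16 or outside RFC 1918 deserve a manual review.
BROAD_PREFIX = 16
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_source_ranges(entries):
    """Return (networks, findings) for entries planned for `htproxy.bat -as`."""
    networks, findings = [], []
    for entry in entries:
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            try:
                # Parses only if the sole problem is host bits, e.g. 10.1.1.5/24.
                fixed = ipaddress.IPv4Network(entry, strict=False)
                findings.append((entry, f"host bits set, network is {fixed}"))
            except ValueError:
                findings.append((entry, "not a valid IPv4 address or network"))
            continue
        networks.append(net)
        if net.prefixlen < BROAD_PREFIX:
            findings.append((entry, f"covers {net.num_addresses} addresses"))
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append((entry, "outside RFC 1918 private space"))
    return networks, findings


def proxy_would_admit(client_ip, device_ip, sources, destinations):
    """Model of the documented rule: client and device must both be listed."""
    client = ipaddress.IPv4Address(client_ip)
    allowed_devices = {ipaddress.IPv4Address(d) for d in destinations}
    return (any(client in net for net in sources)
            and ipaddress.IPv4Address(device_ip) in allowed_devices)


if __name__ == "__main__":
    # Constructed sample entries, not output captured from a real server.
    planned = ["192.168.1.104", "10.1.1.0/24", "10.1.1.5/24", "0.0.0.0/0"]
    nets, issues = audit_source_ranges(planned)
    for entry, reason in issues:
        print(f"REVIEW {entry}: {reason}")
    print(proxy_would_admit("10.1.1.77", "10.137.63.230",
                            nets[:2], ["10.137.63.230"]))
```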