by
Etienne Liebetrau
By default, Fastvue Sophos Reporter is open and unrestricted for anonymous users to view. For a number of privacy related reasons you might need to restrict access to the site. You may also want to further restrict access to the Settings tab to prevent unauthorised users from making configuration changes to Sophos Reporter. To improve security even further, it is a good idea to add SSL encryption for authentication.
In this article I will show you how to restrict access to the Sophos Reporter website, and further restrict access to the Settings tab using Windows Authentication and Authorization Rules in IIS, and how to enable SSL (HTTPS) for the site.
The simplest way of achieving this is by using IIS authorization rules. There a few prerequisites. All of the following needs to be performed on the Fastvue Sophos Reporter server.
All the following steps will be performed in the IIS Management Console on the Fastvue Sophos Reporter server. Depending on your configuration you may need to install the ‘Windows Authentication’ and ‘URL Authorization’ Role Services for IIS in Server Manager.
Authorization rules require that users authenticate. We will therefore first enable Windows Authentication.
At this point user access to the Fastvue Sophos Reporter site will be limited to the users specified in the groups. To restrict access to the Setting tab do the following in the IIS Management Console:
At this point only the Fastvue Administrators group should have access to the Settings tab. If you are testing this remember to close the browser to end the user sessions.
Any site that requires credentials to be passed should be secured using SSL encryption. This means using HTTPS and certificates. For this article we will be using an internal self-signed certificate but in practice it is better to use a certificate from your internal PKI or a third party CA such as VeriSign.
The Fastvue Sophos Reporter site will now require HTTPS and users to be authenticated. At this point you will see a certificate warning since the self-signed certificate is not from a trusted CA on the client machine. Using either an internal PKI or a third party CA certificate would resolve this issue.
Another issue you will notice is that when attempting to connect to the site using HTTP you will get:
403 – Forbidden: Access is denied Error
To fix this, we can change the 403 error page to redirect us to the HTTPS site.
Now when you try to access the site via plain http, you will be redirected to the https site instead of seeing the 403 error message.
When Fastvue Sophos Reporter sends an email such as a scheduled report or an alert, it uses the URL set in Settings | Site Settings as the domain in these links back to the application. Now that you've secured the site using HTTPS, it is a good idea to change the Site Settings to also use HTTPS to avoid being redirected to the root of the website by the custom error page configured above.
To edit the Site Settings:
If you followed through the steps above, Fastvue Sophos Reporter will now be secured using Windows Authentication. Two user groups can access Sophos Reporter, but only the admin group can access pages on the Settings tab, and the site can only be accessed via HTTPS / SSL.
Download our FREE 14-day trial, or schedule a demo and we'll show you how it works.
How To Secure Fastvue Reporter for Private Report Sharing
How To Secure Fastvue TMG Reporter for Private Report Sharing