ISSUE
Allowing local access to a Unitrends appliance on the local network leaves users open to attacks if an attacker were to gain access to an admin's credentials.
Disabling local network access significantly reduces the attack surface of your Unitrends software.
RESOLUTION
UniView, VSA, and IT Complete offer highly secure, granular control for access and administration of the Unitrends Recovery Series, Ion, and Max line, without requiring access to the device on the local network.
With the 'Manage' feature within UniView, a user can block local access to the Web interface, SSH, and Postgres. Once local access is disabled, all management is performed through the UniView 'Manage' feature.
If, for some reason, a device cannot access UniView once the block is enabled, a user can re-enable local access via physical access to the appliance or a virtual console (VMware, Hyper-V for virtual appliances, devices with iDRAC, or IPMI that support virtual console).
Enabling/Disabling local access:
For increased appliance security, the UniView Portal has a feature that blocks users from logging in directly to the appliance UI. Once local network access has been disabled, users must connect to the appliance from UniView (as described in Connecting to an appliance).
Consider the following before disabling local network access:
- To enable or disable local network access, you must log in to UniView as a Superuser, Admin, or Manage user. (UniView users with Monitor access cannot enable or disable local network access.)
- Hot backup copy to a Unitrends appliance target – To add a self-hosted backup copy target to the appliance, local network access must be enabled on the backup copy target appliance. If needed, use the procedure below to enable local network access on the target appliance before adding the hot backup copy target. Once the target has been added, use the procedure below to disable local network access.
- iSeries protection – To protect your iSeries platform, you must log in to the appliance directly from the local network. Do NOT disable local network access if your appliance is protecting an iSeries environment.
1) First, add the backup appliance to the UniView portal following the steps under Working with appliances in the UniView Backup Portal Guide.
2) Navigate to the 'Status' section in UniView
3) Click on the name of the appliance you want to toggle the local access on to bring up that appliance's details
4) Click the slider to block local access. By default, local access is enabled.
5) Once you disable local access, you can manage the appliance by clicking 'Manage'
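A way to confirm from another host on the same LAN that the block took effect, as an added example that is not part of the original article or of any Unitrends tooling. The port numbers are assumptions (common defaults for the three services the article names), and `probe` and `check_lockdown` are hypothetical helper names.

```python
"""Added example: confirm from a LAN host that local access is blocked."""
import socket
import sys

# Assumed default ports; the article names the services, not the port numbers.
SERVICES = {"web-ui-http": 80, "web-ui-https": 443, "ssh": 22, "postgres": 5432}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with a reset: port is closed
    except OSError:
        return "filtered"     # timeout or unreachable: traffic is dropped
    finally:
        s.close()


def check_lockdown(host, services=SERVICES, timeout=3.0, probe_fn=probe):
    """Probe each service; the block holds only if none accepts a connection."""
    results = {name: probe_fn(host, port, timeout)
               for name, port in services.items()}
    exposed = sorted(n for n, state in results.items() if state == "open")
    return {"host": host, "results": results,
            "exposed": exposed, "locked_down": not exposed}


if __name__ == "__main__":
    report = check_lockdown(sys.argv[1])  # appliance IP or hostname
    for name, state in report["results"].items():
        print(f"{name:14} {state}")
    if report["locked_down"]:
        print("local access blocked")
    else:
        print("STILL REACHABLE:", ", ".join(report["exposed"]))
    sys.exit(0 if report["locked_down"] else 1)
```

Run it with the appliance's address as the only argument; a non-zero exit status means at least one of the listed services still accepts connections from the local network.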
Un-Blocking local access in the event Unitrends cannot access UniView:
The DPU menu has the option to re-enable local access. This is accessible with physical access (keyboard/monitor), or via a virtual console for virtual appliances or hardware with out-of-band management that includes virtual console.
Note: with the UniView setting to block local access, using the console to allow access will do so only temporarily. Roughly every 5 minutes the appliance tries to reach UniView, and on a successful connection, UniView will re-enforce the local UI lockout, closing the connection again. If you intend to disable this feature and allow local UI and SSH use for an extended period, log in to UniView and change the setting there. The setting below is useful only in emergencies when UniView or your internet connection is not functional. The last setting in UniView will be enforced on the next connection from your appliance.
To re-enable local access in the event of a network outage, follow these steps:
1) Select option 4, 'Advanced Options'
2) Select option 2, 'Enable UI Access'
Additional information can be found in the UniView Portal Guide.