How to restrict access to PrinterOn Configuration Manager for a Managed Service customer - c06705874
Access to PONCONF by default is available through the internet. Some customers may request this admin page be restricted to their own network. Below are steps on how to configure this within AWS.
I will use Aviva as an example. Their service is based in the Frankfurt (EU-1) region.
They supplied us with 10 IP addresses they wished to have access to the PrinterOn Configuration Manager. We also need to include the PrinterOn IP ranges, the default Security Group for the customer, and the NAT Gateway for the region.
To enter IPs in an AWS Security Group, they must be in CIDR format. If the IP is a single address and not a range, it would be entered like this: 192.168.10.10/32. The /32 indicates only this specific IP has rights. (It effectively means "all 32 bits of the IP address must match".)
NOTE: You should ask the customer to supply their range in CIDR format, but if they can't or don't know how, you can ask Conrad Clement in our IT group to help figure it out. So far the only ranges configured are for PrinterOn internal.
Steps to make changes to the PONCONF Security Group:
- Log into the Managed Services AWS account
- Go to EC2
- Select the region of your customer (e.g. for Aviva we choose Frankfurt)
- Choose Security Groups from the left-hand menu
- Locate your customer's PonConf Security Group (e.g. Aviva-PonConfSecurityGroup-P2DCB8MOUXWC)
- From the bottom panel, navigate to the Inbound tab and choose Edit
- Add new rules for custom port 8057
  - Within the Source field choose "Custom" and enter the IPs you have been provided from the customer
  - Please be sure to label them as to what they are, e.g. Aviva Network Access, PrinterOn Internal, etc.
- Add the PrinterOn Internal ranges: 192.168.253.0/24, 192.168.254.0/24, 172.16.0.0/16, 18.104.22.168/32
- Add the NAT Gateway IP:
  - Frankfurt - 22.214.171.124/32
  - Ohio - 126.96.36.199
  - To locate the NAT Gateway IP for a new location, go to EC2 for the region you want, and then choose the Elastic IPs section from the left-hand menu. The Elastic IP shown there is the NAT Gateway IP.
- Save changes
Be sure to update the Confluence page for that customer to include a link to PONCONF using the IP address of CPS1. This is the IP that PrinterOn staff connected to VPN will need to use to access the PONCONF page.
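The following is an added example, not part of the original procedure or any PrinterOn tooling: it normalizes a customer-supplied list (single addresses, CIDR blocks, or "first-last" ranges) into labelled CIDR entries for port 8057 and refuses an entry that would reopen PONCONF to the whole internet. The function names and the customer addresses (documentation ranges) are assumptions made for illustration; the output only mirrors the shape of the EC2 `IpPermissions` parameter and nothing is sent to AWS.

```python
import ipaddress
import json

PONCONF_PORT = 8057  # custom port named in the steps above


def to_cidrs(entry):
    """Turn one supplied entry into IPv4 CIDR strings.

    Accepts a single address, a CIDR block, or a "first-last" range.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        nets = list(ipaddress.summarize_address_range(first, last))
    else:
        # A bare address becomes /32; host bits set (203.0.113.5/24) is rejected.
        nets = [ipaddress.IPv4Network(entry, strict=True)]
    if any(net.prefixlen == 0 for net in nets):
        raise ValueError("0.0.0.0/0 would leave PONCONF open to the internet")
    return [str(net) for net in nets]


def build_ingress(labelled_entries):
    """Return rules in the shape of the EC2 IpPermissions parameter."""
    ranges, seen = [], set()
    for label, entries in labelled_entries.items():
        if not label.strip():
            raise ValueError("every source needs a label")
        for entry in entries:
            for cidr in to_cidrs(entry):
                if cidr not in seen:  # skip duplicates across lists
                    seen.add(cidr)
                    ranges.append({"CidrIp": cidr, "Description": label})
    return [{"IpProtocol": "tcp", "FromPort": PONCONF_PORT,
             "ToPort": PONCONF_PORT, "IpRanges": ranges}]


# Constructed sample: the customer entries use documentation address ranges;
# the PrinterOn Internal blocks are the private ranges listed in the steps.
SAMPLE = {
    "Aviva Network Access": ["198.51.100.7", "203.0.113.0/24",
                             "198.51.100.10-198.51.100.13"],
    "PrinterOn Internal": ["192.168.253.0/24", "192.168.254.0/24", "172.16.0.0/16"],
}

if __name__ == "__main__":
    print(json.dumps(build_ingress(SAMPLE), indent=2))
```

Review the printed entries against what the customer intended before entering them in the Inbound tab, since a "first-last" range can expand into several CIDR blocks.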