Exposing Omada Controller to Internet - Security questions

Sunday - last edited Yesterday

Hello,

Using VPN to connect sites to my Omada controller is not suitable in every situation. See the answer from TP-Link here: https://community.tp-link.com/en/business/forum/topic/668402

So my questions are: are there security tests or hardening recommendations from TP-Link? Especially exposing the 8043 WebUI (for device firmware updates) gives me a headache. Is there documentation about the protocols / ciphers used? Which communication with sites is plain text? Can you please tell me the URL which devices call to get the firmware updates (e.g. https://fqdn:8043/fwupd/v2/29r01)?

How do you deal with it?

Thanks!

2 Accepted Solutions
Re:Exposing Omada Controller to Internet - Security questions-Solution
Sunday - last edited Yesterday

@Wrzlbrnft

If you must use port forward based adoption on some sites, there are a few ways to make it a little more secure, but it's still not "ideal".

1) Enable 2FA on your controller accounts
2) Enable Account Security on your controller accounts to lock access to specific IPs only
3) If the remote sites are on a fixed public IP, you can allow just that on the port forwarding rules
4) You can change the HTTPS management port used for remote firmware updates (hardware controllers default to 443, software to 8043) - I change mine to 29817 so I can simply include it in the port forward as one rule 29810 - 29817 TCP/UDP

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
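As an added self-check for points 3 and 4 above and for the protocol/cipher question in the original post (example code, not TP-Link's or the forum's; the FQDN, the 443/8043 defaults and the 29810-29817 range with HTTPS moved to 29817 are assumptions taken from this thread):

```python
"""Self-audit of an Internet-exposed Omada controller (added example, not TP-Link code).
Run from a host outside the allowed source-IP list (anything answering is open to all)
and from an allowed site address. FQDN and ports are assumptions taken from the thread."""
import socket
import ssl
CONTROLLER = "controller.example.net"   # placeholder FQDN
DEFAULT_HTTPS = (443, 8043)             # hardware / software controller defaults
OMADA_RANGE = range(29810, 29818)       # the single forwarding rule 29810-29817
OK_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")

def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_details(host, port, timeout=5.0):
    """Return (protocol version, cipher name) negotiated by the management port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # self-signed controller certs are common; we only inspect
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def tls_findings(version, cipher):
    """Flag a legacy protocol, a weak suite, or a TLS 1.2 suite without forward secrecy."""
    issues = []
    if version not in OK_VERSIONS:
        issues.append(f"legacy protocol negotiated: {version}")
    if any(m in cipher.upper() for m in WEAK_MARKERS):
        issues.append(f"weak cipher negotiated: {cipher}")
    elif version == "TLSv1.2" and not cipher.startswith(("ECDHE", "DHE")):
        issues.append(f"no forward secrecy: {cipher}")
    return issues

def exposure_findings(open_ports, from_allowed_ip, https_port=29817):
    """Ports that answered but should not have, given where the probe ran from."""
    intended = set(OMADA_RANGE) | {https_port} if from_allowed_ip else set()
    return sorted(set(open_ports) - intended)

def audit(host=CONTROLLER, from_allowed_ip=False, https_port=29817):
    open_ports = [p for p in (*DEFAULT_HTTPS, *OMADA_RANGE) if tcp_open(host, p)]
    unexpected = exposure_findings(open_ports, from_allowed_ip, https_port)
    report = {"open": open_ports, "unexpected": unexpected}
    if from_allowed_ip and https_port in open_ports:
        report["tls"] = tls_findings(*tls_details(host, https_port))
    return report
```

From an address that is not whitelisted, every port listed under "unexpected" is reachable by the whole Internet; from an allowed site, an old default port still listed there means the original forward was not removed after moving HTTPS.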
Re:Exposing Omada Controller to Internet - Security questions-Solution
Yesterday - last edited Yesterday

@Wrzlbrnft

Here is an example for point 2 of GRL's suggestion:
