
This product reached the end of support date on March 31, 2021.

NAM - Distinguishing NAM Console port number for user authentication vs configuration

hingnien_too
Participant

Hi Forumers,

I would like to ask if there is any way for me to use a different port for user authentication purposes (other than 4183)?

As for configuration, remaining on port 4183 is fine. The reason for this request is that the firewall team would like to clearly distinguish whether the traffic is meant for authentication or console configuration purposes.

Thank you in advance.


7 REPLIES 7

Jacek_Janowicz
Dynatrace Pro

Hi Hing,

We neither support nor recommend running the Console (https) on two different ports. Such a configuration may lead to multiple issues and we definitely do not want our customers to go this way.

I'm just thinking if there is any other way to achieve your goal, and the first idea which comes to my mind is to use URLs to distinguish traffic for authentication and traffic for configuration. URLs:

  • https://NAM_Console_host:4183/console/auth/saml/login
  • https://NAM_Console_host:4183/console/auth/saml/logout
  • https://NAM_Console_host:4183/console/login.xhtml

should be considered traffic for authentication purposes; all other URLs are for working with configuration.

I realize that for the firewall team, using the port to distinguish traffic might be a better solution, but perhaps the approach with URLs will work as well?


Best Regards


Jacek
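The URL split described in the reply above, as an added example that is not part of the original post or of NAM: it classifies requests from the access log of a TLS-terminating reverse proxy placed in front of port 4183 (an assumption, since a plain IP/port firewall cannot see HTTPS paths). The combined log format, the sample lines and the path `/console/example-config-page.xhtml` are constructed for illustration.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Paths the reply lists as authentication traffic. Anything else on the
# Console port falls into the more sensitive "configuration" class.
AUTH_PATHS = {
    "/console/auth/saml/login",
    "/console/auth/saml/logout",
    "/console/login.xhtml",
}

# Request field of a combined-format access log line (assumed proxy format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize_path(target: str) -> str:
    """Reduce a request target to a canonical path before comparing it."""
    path = target.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    # Drop path parameters such as ";jsessionid=..." from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(unquote(path))          # decode %xx, resolve ./ and ../
    return "/" + path.lstrip("/")                     # collapse leading slashes

def classify(target: str) -> str:
    """Exact match on the normalized path; a prefix match would be too loose."""
    return "authentication" if normalize_path(target) in AUTH_PATHS else "configuration"

def summarize(log_lines):
    """Count requests per class; lines without a request field are 'unparsed'."""
    counts = Counter()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        counts[classify(m.group("target")) if m else "unparsed"] += 1
    return counts

# Constructed sample log lines (not captured from a real NAM Console).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2020:09:14:01 +0000] "GET /console/login.xhtml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2020:09:14:05 +0000] "POST /console/login.xhtml;jsessionid=ABC123?r=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Mar/2020:09:14:06 +0000] "GET /console/auth/saml/login HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Mar/2020:09:15:00 +0000] "GET /console/example-config-page.xhtml HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Mar/2020:09:15:02 +0000] "GET /console/auth/saml/../../example-config-page.xhtml HTTP/1.1" 200 2048',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind}: {count}")
```

Normalizing before matching matters here: the fifth sample line starts with an authentication prefix but resolves to a configuration page, so it is counted as configuration traffic.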



Hi Jacek,

Thanks for your input. Actually we have proposed to them the idea of distinguishing operations through URL. Unfortunately they are not impressed with our answer. Nevertheless, I appreciate your reply.


Thanks,

Fred Too


fstekelenburg
DynaMight Pro

I reckon the firewall team should not fuss over the functionality of an application.
But if you insist on separating the functionality, you could consider using or implementing a Single Sign On service, and have that deal with authentication.


Hi Frans,

I have the same thought as you, but it's hard to manage the people and process sometimes.

Talking about SSO, it won't change much of the fact that the end user still needs to connect to port 4183 for the NAM console to authenticate with another IdP.


Implementing external SSO and integrating it with NAM Console will not solve the problem, I'm afraid. Even with an external IdP, it is still NAM Console that receives both kinds of requests:

* For authenticating users who want, for example, to see a report on the NAM server

* For users who want to perform configuration actions on the Console, say, modify a Software service definition

The thing is to distinguish those two kinds of requests/traffic; that's how I understand the original problem.


Best Regards


Jacek


Ah yes, I was under the impression that Console acted in place of SSO, and with an actual SSO this would work directly. https://www.dynatrace.com/support/doc/nam/sso/nam-sso-deployment-external-idp/#using-openam-as-an-ex...

Then it's as it is. Two functions on one port. From a firewall perspective you can't tell the difference when it's IP/port based. As most are.


Yes Jacek,

Your interpretation on the problem statement is correct,