access enable
Enables secure access to a SteelHead using an internal management access control list (ACL).
Syntax
[no] access enable
Parameters
None
Usage
SteelHeads are subject to the network policies defined by corporate security policy, particularly in large networks. Using an internal management ACL you can:
•  restrict access to certain interfaces or protocols of a SteelHead.
•  restrict inbound IP access to a SteelHead, protecting it from hosts that do not have permission, without using a separate device (such as a router or firewall).
•  specify which hosts or groups of hosts can access and manage a SteelHead by IP address, simplifying the integration of SteelHeads into your network.
This command provides the following safeguards to prevent accidental disconnection from the SteelHead (or the SCC):
•  It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
•  It always allows the default SteelHead ports 7800, 7801, 7810, 7820, and 7850.
•  It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.
•  It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
•  It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
•  You can also change the standard port for HTTPS (443) to match your management standards using the web https port and web http port commands.
When you change the default port of a service (SSH, HTTP, HTTPS, and so on) on either the client-side or server-side SteelHead and then create a management ACL rule denying that service, the rule will not work as expected. The SteelHead on the other end (either server or client) of an in-path deployment does not know that the default service port has changed, and therefore optimizes the packets to that service port. To avoid this problem, add a pass-through rule to the client-side SteelHead for the management interfaces. The pass-through rule prevents the traffic from coming from the local host when optimized.
A management ACL rule that denies access to port 20 on the server-side SteelHead in an out-of-path deployment prevents data transfer using active FTP. In this deployment, the FTP server and client cannot establish a data connection because the FTP server initiates the SYN packet and the management rule on the server-side SteelHead blocks the SYN packet. To work around this problem, use passive FTP instead. With passive FTP, the FTP client initiates both connections to the server. For details about active and passive FTP, see the Management Console online help or the SteelHead Management Console User’s Guide.
The no command option disables the management ACL.
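The safeguards and caveats above can be checked against a planned rule list before the management ACL is enabled. The following Python check is an added example, not Riverbed code and not part of the original reference: it models the documented behavior rather than the appliance's implementation. The rule dictionary layout, the name lint_rules, and the sample addresses are assumptions, and the service ports are the IANA defaults.

```python
import ipaddress

# Default (IP protocol, port) for services the page names; IANA defaults.
# SOAP is omitted because the page does not state its port.
DEFAULTS = {"SSH": (6, 22), "Telnet": (6, 23), "HTTP": (6, 80),
            "HTTPS": (6, 443), "SNMP": (17, 161)}
ALWAYS_ALLOWED = {7800, 7801, 7810, 7820, 7850}  # listed on the page


def lint_rules(rules, admin_ip, current_ports=None):
    """Return (rule_index, finding) pairs for planned deny rules.

    rules: dicts with action, protocol (IP protocol number), port, source (CIDR).
    current_ports: {service: port} for services moved off their default port.
    """
    current = {name: (proto, (current_ports or {}).get(name, port))
               for name, (proto, port) in DEFAULTS.items()}
    by_key = {key: name for name, key in current.items()}
    admin = ipaddress.ip_address(admin_ip)
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "deny":
            continue
        key = (rule["protocol"], rule["port"])
        service = by_key.get(key)
        if admin in ipaddress.ip_network(rule["source"]):
            findings.append((i, "denies the address you are connecting from"))
        if rule["port"] in ALWAYS_ALLOWED:
            findings.append((i, f"port {rule['port']} is always allowed"))
        if service:
            findings.append((i, f"matches management service {service}"))
            if current[service] != DEFAULTS[service]:
                findings.append((i, f"{service} port changed: add a pass-through rule"))
        if key == (6, 20):
            findings.append((i, "blocks active FTP data: use passive FTP"))
    return findings


# Constructed sample rules (documentation address ranges), not from the page.
SAMPLE_RULES = [
    {"action": "deny", "protocol": 6, "port": 22, "source": "192.0.2.0/24"},
    {"action": "deny", "protocol": 6, "port": 20, "source": "0.0.0.0/0"},
    {"action": "allow", "protocol": 6, "port": 443, "source": "198.51.100.0/24"},
    {"action": "deny", "protocol": 6, "port": 8443, "source": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for idx, msg in lint_rules(SAMPLE_RULES, "192.0.2.10", {"HTTPS": 8443}):
        print(f"rule {idx}: {msg}")
```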
Example
amnesiac (config) # access enable
Product
SCC, Interceptor, Mobile Controller, SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show access inbound rules, show access status