Hi,
I have cnmaestro on premise server using a public IP address.
I want to change this public ip into fqdn.
Kind help on how to do it.
Regards
Hi,
what do you need to know?
Create a hostname with that IP. You will need to have a certificate for ssl
Hi @TimoWanume - its strongly discouraged to expose your on premises installation to the whole internet. If you must have it connected, its best to strictly limit the networks that can access it. If you need to continue to do this, and you filter your incoming traffic, you can generate a certificate signing request matching your chosen hostname under Administration > Server > SSL Certificates > Generate CSR. Get your CA to sign this request, and then import the certificate they provide.
Hi,
do you mind to explain?
Thank you
Hi, the system is used to connect e500 wifi aps that are distributed across different branch offices.
How do I limit access to the server and how do I get that ssl certificate
Hi @MW_WISP - its best practice to reduce attack surface. Leaving it open to the internet leaves everyone on the planet with the ability to try logging in, or exploiting any vulnerability that might be discovered in the future.
If the branch offices have static IP addresses, you could just allow these on your firewall or router and block everything else.
Hi @Hamish,
I agree with you, but:
a) best feature of cnMaestro is the ability to manage devices outiside our network, or devices from several different networks. if I had to put a vpn for every customers costs will increase too much.
b) cloud.cambiumnetworks.com too is public
Totally agree @MW_WISP - if you need to do this then thats what you need to do its always best to limit access as much as is possible though. If you run the onprem server at each of your customers, would it be useful to have a secure vpn to the management interface? Might be an interesting feature request if it was useful to people.
EDIT: lets not hijack @TimoWanume 's thread though - happy to chat in another thread if you like!
@TimoWanume ok, but above that is there a router? Its here that you’ll want to filter if you can. If you just plug in to your ISP’s managed router and can’t change anything you wont be able to do this.
Fair enough - its on this router that you probably did the route for the cnmaestro box. If you’re able to limit the sources for this route it will be better
Once you’ve done that, just generate a CSR and get it signed (steps are in the manual under Administration > Server Management > SSL Certificate, but its fairly straightforward)
Its a Certificate Authority. That just means a certificate provider like zerossl or any of the shops that will sell you a TLS/SSL certificate. In this case “Get your CA to sign the request” just means “buy a certificate”