Cnmaestro on premise server access using FQDN

I have cnmaestro on premise server using a public IP address.
I want to change this public ip into fqdn.
Kind help on how to do it.


what do you need to know?
Create a hostname with that IP. You will need to have a certificate for ssl

Hi @TimoWanume - its strongly discouraged to expose your on premises installation to the whole internet. If you must have it connected, its best to strictly limit the networks that can access it. If you need to continue to do this, and you filter your incoming traffic, you can generate a certificate signing request matching your chosen hostname under Administration > Server > SSL Certificates > Generate CSR. Get your CA to sign this request, and then import the certificate they provide.

1 Like


do you mind to explain?

Thank you

Hi, the system is used to connect e500 wifi aps that are distributed across different branch offices.

How do I limit access to the server and how do I get that ssl certificate

Hi @MW_WISP - its best practice to reduce attack surface. Leaving it open to the internet leaves everyone on the planet with the ability to try logging in, or exploiting any vulnerability that might be discovered in the future.

If the branch offices have static IP addresses, you could just allow these on your firewall or router and block everything else.

Hi @Hamish,

I agree with you, but:
a) best feature of cnMaestro is the ability to manage devices outiside our network, or devices from several different networks. if I had to put a vpn for every customers costs will increase too much.
b) too is public :wink:

Totally agree @MW_WISP - if you need to do this then thats what you need to do :slight_smile: its always best to limit access as much as is possible though. If you run the onprem server at each of your customers, would it be useful to have a secure vpn to the management interface? Might be an interesting feature request if it was useful to people.
EDIT: lets not hijack @TimoWanume 's thread though - happy to chat in another thread if you like!

@Hamish ,
The public ip is configured directly on the cnm server, nor router or firewall

@TimoWanume ok, but above that is there a router? Its here that you’ll want to filter if you can. If you just plug in to your ISP’s managed router and can’t change anything you wont be able to do this.

@Hamish the available router is used for other internet services

Fair enough - its on this router that you probably did the route for the cnmaestro box. If you’re able to limit the sources for this route it will be better :slight_smile:

Once you’ve done that, just generate a CSR and get it signed (steps are in the manual under Administration > Server Management > SSL Certificate, but its fairly straightforward)

Thanks very much for this help.
I will email you in case I need more help.


@Hamish kindly teach me about CA,
Been looking for one but still not successful

Its a Certificate Authority. That just means a certificate provider like zerossl or any of the shops that will sell you a TLS/SSL certificate. In this case “Get your CA to sign the request” just means “buy a certificate” :slight_smile: