Restricting computers or hosts that can access the Oracle B2C Service console and end-user pages
Answer ID 245   |   Last Review Date 06/14/2024

How do I restrict which computers (hosts) are allowed to access the agent console and end-user pages?

Environment:

Configuration Settings
Oracle B2C Service, All versions including Browser User Interface (BUI)

Resolution:

The SEC_VALID_ADMIN_HOSTS setting defines which hosts are allowed to access the agent console. Only users logging in from hosts matching entries in this list are allowed access to the agent console.

Important! Use caution when editing this setting. An incorrect setting (for example, an incorrect IP address) may lock you out of your site. If this happens, submit a service request to Ask Technical Support.

In addition, the SEC_VALID_ENDUSER_HOSTS configuration setting works similarly but with respect to accessing the end-user pages at https://<vhost>/. Only users logging in from hosts matching entries listed in this setting are allowed access to the end-user pages.

You can edit the SEC_INVALID_ENDUSER_HOSTS configuration setting to explicitly list which hosts are not allowed to access the end-user interface.  

Path to edit settings is: Select Configuration > Site Configuration > Configuration Settings > search by Key.

For more information on accessing the Configuration Editor and editing settings, refer to Answer ID 1960: Editing Configuration Settings.

Valid entries for these settings, given as a comma-separated list, include domain names with wildcards (*.mycompany.com), single IPv4 and/or IPv6 addresses (216.136.229.72, FE80:0000:0000:0000:0202:B3FF:FE1E:8329 or FE80::::0202:B3FF:FE1E:8329), and/or IPv4 or IPv6 address ranges defined using standard CIDR (Classless Interdomain Routing) notation.

For IPv4, use subnet masks such as (216.136.229.0/255.255.255.0) to specify ranges.  

For IPv6, ranges are specified as follows: 2620:0:860:2::/64

Instead of, or in addition to, an IP address range, a domain may be entered. This should be included at the end of the list of IP addresses.

Example: 216.136.229.72, 216.136.229.0/255.255.255.0, *.domain.com

Note:
When using a domain name, a network operation must execute a DNS reverse lookup. This will result in connection delays and may induce a noticeable performance degradation of the Oracle B2C Service Application. Whenever possible, please refrain from using a domain name.


Additional Notes:

  • You cannot use wildcards (*) to specify a range of IP addresses, e.g. 1.2.3.* or 1.2.3*.
     
  • When specifying IP address ranges use only standard CIDR notation.
     
  • It is possible to specify a comma separated list of the above values, such as:
    • Example: 216.136.229.72, 216.136.229.0/255.255.255.0
       
  • The use of hard returns is not permitted in these configuration settings. Any entries after a hard-return are not recognized.

    Good example: 1.2.3.4, 1.2.3.5, 1.2.3.6

    Bad example: 1.2.3.4,
    1.2.3.5,
    1.2.3.6

To determine your IP, visit https://cx.rightnow.com/app/utils/whatsmyip. Private IP addresses such as 192.168.0.0, 10.0.0.0, or 172.16.0.0 may not be used in this setting.
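Because a wrong value can lock you out, it helps to check a proposed list before saving it. The following is an added example, not Oracle code: it applies the entry rules stated on this page using Python's ipaddress module, which is an assumption and may not match the product's own parser in every case. The function name lint_hosts and its my_ip parameter are hypothetical.

```python
import ipaddress
import re

# Wildcard or plain domain such as *.mycompany.com (entry form described on the page).
DOMAIN_RE = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def lint_hosts(value, my_ip=None):
    """Check a proposed host list; return (problems, covered).

    covered is True/False when my_ip is given (IP entries only; domain
    entries depend on reverse DNS and are not evaluated), else None.
    """
    problems = []
    # Per the page, anything after a hard return is not recognized.
    effective = re.split(r"[\r\n]", value, maxsplit=1)[0]
    if effective != value:
        problems.append("hard return: later entries are not recognized")
    networks, seen_domain = [], False
    for entry in (e.strip() for e in effective.split(",")):
        if not entry:
            continue
        if "*" in entry and re.fullmatch(r"[0-9.*]+", entry):
            problems.append(f"{entry}: wildcard cannot define an IP range")
            continue
        try:
            # Accepts single addresses, /prefix and /netmask forms.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            if DOMAIN_RE.match(entry):
                seen_domain = True
            else:
                problems.append(f"{entry}: not an IP, range or domain")
            continue
        if seen_domain:
            problems.append(f"{entry}: IP entry placed after a domain")
        if net.is_private:
            problems.append(f"{entry}: private address space")
        networks.append(net)
    covered = None
    if my_ip is not None:
        addr = ipaddress.ip_address(my_ip)
        covered = any(addr.version == n.version and addr in n for n in networks)
    return problems, covered

if __name__ == "__main__":
    # Constructed input: the page's "bad example" with hard returns.
    print(lint_hosts("1.2.3.4,\n1.2.3.5,\n1.2.3.6", my_ip="1.2.3.5"))
```

Pass the address reported by the whatsmyip page as my_ip; a covered result of False for SEC_VALID_ADMIN_HOSTS means the value would exclude the machine you are editing from.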

 

Additional Considerations

Modifying the SEC_VALID_ADMIN_HOSTS setting limits your exposure to somebody hacking into the administrative side of the product from another network. It also limits your ability to administer your application from outside your corporate network. However, there are options available that would allow access to the admin side of the Oracle B2C Service application. These options and their pros and cons are outlined below:

Option: List the IP subnets of the Admin’s ISP in the Valid Admin Host settings.

Pros: This allows access from the Admin’s home dial-up or high-speed provider.

Cons: The ISP may have multiple IP subnets, or they may change IP numbers without your knowledge. Every subnet listed gives hackers a greater chance of access.
  
 
Option: Dial-in access to your corporate network.

Pros: As long as the corporate dial-in is allowed Internet access with the correct IP subnet, this approach should work.

Cons: Not all corporations allow dial-in access. 
   
 
Option: Use a product such as PC Anywhere or Windows Terminal Server to remotely control your corporate desktop PC from home.

Pros: This approach may be a bit slow, but this should work.

Cons: This is subject to the corporate IS policy on the remote control of PCs. Most corporations do not allow this. 
 
 
Option: Set up VPN access to the corporate network which allows Internet access out of the corporate firewall.

Pros: This is probably the most secure method of access.

Cons: Requires the VPN software and equipment necessary, and support from the corporate IS group.
  
 
Option: Set up a proxy server inside the corporate firewall to forward HTTP protocol out to the Internet.

Pros: A forward proxy acts as a gateway for a client's browser, sending HTTP requests on the client's behalf to the Internet. When the Oracle HTTP server receives the request, it sees the requestor's address as originating from the proxy server on the corporate network, not from the actual client.

Cons: This approach needs to be combined with VPN access to provide best security. The corporate IS group would need to configure the proxy server.


If you have questions around what generates a session and how you can prevent inaccurate session billing on your site please review Demystifying Session Usage (PDF). Some simple mis-steps in customization and configuration can increase billable sessions.  For more information, see Session usage information.