This topic includes suggestions and best practices regarding ISL Conference Proxy configuration and security.
Whenever you deploy ISL Conference Proxy to a server, no matter if it is a Linux or Windows machine, you should make sure it is as secure as possible.
Some of these steps are quite general (not ICP-specific, not OS-specific), but we will list them anyway for reference:
- Reduce the possible attack surface, i.e. disable (or even better, uninstall if possible) everything you do not need on the server (ICP does not have any external dependencies such as web server, database etc., so you do not need those roles).
- Keep the server (OS and installed programs) up to date.
- Allow access only to ports you need for ICP (check this manual topic for more information) and your access (SSH, RDP), drop/block the rest.
- Use strong passwords for both the machine itself and for ICP administration.
- Make sure you have configured the mail server and related settings so that you will receive error reports and notification emails from ICP:
Configuration -> General -> Outgoing mail server (SMTP)
Configuration -> General -> SMTP port
Configuration -> General -> Default e-mail from address
Configuration -> General -> System e-mail goes to - Enable SSL for ICP web pages - check this manual topic for more information.
- Check the SSL protocols and cipher suite settings (sample values included below) and make sure they match your security and compatibility requirements. Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values.
Configuration -> General -> HTTPT SSL protocol: ALL -SSLv2 -SSLv3
Configuration -> General -> HTTPT SSL cipher suite: HIGH:MEDIUM:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:@STRENGTH
Important: Before making any permanent changes to protocol or cipher suite settings we strongly suggest testing all your main use cases to make sure these changes will not break backward compatibility where this is not acceptable. Suggested further reading:
- By default ICP administration is only possible from localhost - if plan to access the ICP administration machine via RDP or through an SSH tunnel, you can keep this default setting. If you would like direct access to ICP administration from another machine, make sure you have an SSL certificate on your ICP and you force SSL for administration:
Configuration -> Security -> Must use SSL for server administration: Yes
Then you can set the trusted network address(es) and/or subnets that should have access to the ICP administration:
Configuration -> Security -> Allowed IP addresses for server administration - Force SSL for all ICP user web pages, websockets and webapi:
Configuration -> Security -> Redirect HTTP to HTTPS for all user web pages: Yes
Configuration -> Security -> Require HTTPS for WebSockets when HTTP to HTTPS redirect is enabled: Yes
Configuration -> Security -> Require HTTPS for WebAPI when HTTP to HTTPS redirect is enabled: Yes
Configuration -> Security -> Require HTTPS for WebAPI2 when HTTP to HTTPS redirect is enabled: Yes - You might want to generate custom crypto keys (software signatures, client to server, client to client), you can do it here:
Configuration -> Advanced -> Security
Important: Make sure you read the note on top. All old (already downloaded) programs will fail to connect if you generate new keys! In other words, if you want to do it, do it immediately, before putting the server into production. If you have existing machines with old keys, you will need to remove them from registry - remove the appropriate entry for your server from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ISL Online\Grid and/or HKEY_CURRENT_USER\SOFTWARE\ISL Online\Grid, then download a new program and run it.
- Last but not least, make regular backups.