Security considerations for hosting EasyMorph Server in the cloud

This chapter has been added to EM Server Admin Guide 3.9.2:

Cloud hosting
If you decide to host EasyMorph Server on a cloud instance (e.g. Amazon EC2, Azure, or Google Cloud) and you’re not using a VPN to access it, you may effectively expose it to the threats of the open internet. In this case, make sure that:

  • No space is configured to use the anonymous access mode
  • All passwords used for password-protected spaces are sufficiently strong and have at least 20 characters (check out this xkcd about creating long passwords)
  • Web Files are disabled unless they are necessary
  • If Web Files need to be enabled, then disable uploading files unless it’s necessary
  • SSL is configured and enforced, and the SSL certificate is valid and not expired; don’t use self-signed certificates
  • Remote admin access is disabled in Server Settings (instead, use Remote Desktop for Server administration)

It is highly recommended to use the cloud provider’s firewall to limit access to your Server instance to only the IP addresses (or IP ranges) that you use.

Hello @dgudkov, can you provide more information regarding connecting to EasyMorph Server using a VPN? If other IPs need to be able to trigger tasks remotely in EasyMorph Server, do all those computers need the VPN Username/Password in order to be able to trigger the tasks? If an IP does an API call to an EasyMorph Server web API that is inside a VPN network, will that API call fail?

Thanks,

Roberto

The Server API uses the HTTP protocol that requires network connectivity between the client and the Server. You can establish the connectivity in at least two ways:

  1. Use VPN. In this case, all clients need to have an established VPN connection to the Server.
  2. Expose EasyMorph Server publicly to a whitelisted set of IP addresses managed by a firewall. This is a trickier option because it requires strong security measures, for instance putting EasyMorph behind a reverse proxy.

There are more modern alternatives to VPN such as tunnels, but I don’t know much about them.

Overall, I’m not a network security specialist and can’t advise on the exact configuration of network settings and protocols to ensure a secure connection. Ask a network security specialist how to establish a secure network connection between two computers that enables HTTP traffic. This is a typical task that network security specialists specialize in.
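As an added illustration of option 2 above (a firewall-managed IP allowlist plus a reverse proxy) and of the "SSL is configured and enforced" item in the checklist, here is an nginx reverse-proxy configuration. It is example code written for this thread, not from the EasyMorph documentation; the hostname, certificate paths, allowed address ranges and the backend port 8080 are all placeholders to replace with your own values.

```nginx
# Added example (not from the EasyMorph documentation): nginx in front of
# EasyMorph Server, enforcing TLS and a second-layer IP allowlist.
# Assumptions: EasyMorph Server listens on http://127.0.0.1:8080 (placeholder
# port), the certificate is CA-issued (not self-signed), and the allowed
# addresses below are placeholder ranges.

# Plain HTTP: redirect everything to HTTPS; never serve the application here.
server {
    listen 80;
    server_name easymorph.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name easymorph.example.com;

    ssl_certificate     /etc/ssl/certs/easymorph.example.com.crt;   # CA-issued chain
    ssl_certificate_key /etc/ssl/private/easymorph.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Allowlist in addition to the cloud provider's firewall: only these
    # networks (placeholders) may reach the Server at all.
    allow 203.0.113.0/24;   # office network (placeholder)
    allow 198.51.100.7;     # host that triggers tasks via the Server API (placeholder)
    deny  all;

    # Hand all remaining traffic to EasyMorph Server on the loopback interface.
    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Make sure EasyMorph Server's own port is reachable only from the proxy (bound to loopback or blocked in the cloud firewall), otherwise the allowlist and TLS enforcement can be bypassed by connecting to the backend directly.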