Securing console access

[cosmik]

I'd like to limit access to the B&R console (hosted on our BR server VM). Would firewalling port 9392 to allow only localhost access do the job?

Would allowing access to 10003/tcp and 9396/tcp only from localhost be a solid idea here?

I'm asking since I'm certain that some advice regarding hardening the BR server included removing the console from the main server altogether. Although feasible in my installation, it would lead to a worse setup security-wise, hence for my questions here...

[PetrM]

Hi Michael,

Please have a look at this table for the full list of used ports.

Thanks!

[cosmik]

Hello PetrM,

I've seen the table, in fact that's how I came up with 9392, 10003 and 9396. What I am asking here is:
1) whether B&R will work just fine if the console is firewalled to allow access for these 3 ports only from localhost (that is, someone could not install a console in my network and be able to access the BR server)
2) whether other ports should be included, always with regard to console access

[PetrM]

1) I don't see a reason for any issues with Veeam B&R if firewall rules are correctly set.
2) You should include only those ports that are listed in the table.

Thanks!