FAQ

The ports that need to be accessible from the Internet are:
1. 8000 – Apache Tomcat or Muse HTTP Server
Configuration file – ${MUSE_HOME}/tomcat/conf/server.xml or ${MUSE_HOME}/http/conf/contexts.xml
Files that contain references to this port:
  • ${MUSE_HOME}/factory/MuseInfoBase.xml
  • ${ICE_HOME}/ICECore.xml
  • ${ICE_HOME}/jaas.config
  • ${MUSE_HOME}/proxy/jaas.config
  • ${MUSE_HOME}/web/MusePeer.xml
2. 8443 – Apache Tomcat or Muse HTTP Server
Configuration file – ${MUSE_HOME}/tomcat/conf/server.xml or ${MUSE_HOME}/http/conf/contexts.xml
Files that contain references to this port:
  • ${MUSE_HOME}/web/MusePeer.xml
  • ${MUSE_HOME}/enrich/MuseEnrichmentService.xml
  • ${MUSE_HOME}/enrich/index/index.xml
  • ${MUSE_HOME}/z3950/MuseZBridge.properties
3. 9797 – Muse Proxy
Configuration file – ${MUSE_HOME}/proxy/MuseProxy.xml
Files that contain references to this port:
  • ${MUSE_HOME}/web/MusePeer.xml
  • ${MUSE_HOME}/enrich/MuseEnrichmentService.xml
  • ${MUSE_HOME}/enrich/index/index.xml
  • ${MUSE_HOME}/z3950/MuseZBridge.properties
Note: Also configured in all Muse bridges that use the MNM (${MUSE_HOME}//MuseBridge.xml and in ${MUSE_HOME}//MuseBridge.properties).

Note: This is the secured mode of the Muse HTTP server (SSL connections).

Warning: One of the server type ports Muse opens for its components may be occupied by other server programs. One such example is the Ajp12 connector from Tomcat. See the "${MUSE_HOME}/doc/Muse External Servlets Engine (Tomcat).pdf" manual for further reference regarding the ports used by Tomcat.

Warning: If one of the Muse Servers fails to start, the user is advised to check the log file for detailed information. Finding the message below in the log file means that the port is already used by some other application. When such a situation occurs, a reconfiguration is necessary to change the port used by the respective Muse server or by the already existing service.

Cannot listen on port . Address already in use: JVM_Bind

Note: Not all ports are required by all Muse installations. They are required only if the corresponding components are installed. For example, port 9797 is only required if the Muse Proxy is installed.

Note: All server type ports can be remapped. The best way to accomplish this remapping is by using the Muse PostInstall Configuration package, which makes this process simple and ensures that the correct files are updated. Further information about this can be found in the "$MUSE_HOME/doc/Muse Advanced Configuration.pdf" document, "Server Type Ports Opened by Muse within Internet Scope" chapter.
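An added example, not part of the Muse documentation: a pre-flight check in Python that reports whether each port above is already bound (the condition behind the "Address already in use: JVM_Bind" message) and which of the listed files still reference it, which helps confirm that a remap left no stale reference. The function names and the whole-number matching are assumptions of this example; the file lists are the ones given above.

```python
import os
import re
import socket
from pathlib import Path

M, I = "MUSE_HOME", "ICE_HOME"
TOMCAT = [(M, "tomcat/conf/server.xml"), (M, "http/conf/contexts.xml")]
SHARED = [(M, "web/MusePeer.xml"), (M, "enrich/MuseEnrichmentService.xml"),
          (M, "enrich/index/index.xml"), (M, "z3950/MuseZBridge.properties")]
# Port -> files the FAQ lists for it (configuration file first, then references).
REFS = {
    8000: TOMCAT + [(M, "factory/MuseInfoBase.xml"), (I, "ICECore.xml"),
                    (I, "jaas.config"), (M, "proxy/jaas.config"), (M, "web/MusePeer.xml")],
    8443: TOMCAT + SHARED,
    9797: [(M, "proxy/MuseProxy.xml")] + SHARED,
}


def files_referencing(port, roots):
    """Return the listed files that exist and contain `port` as a whole number."""
    # Digit lookarounds keep 9797 from matching inside 19797 or 97970.
    pattern = re.compile(rf"(?<!\d){port}(?!\d)")
    hits = []
    for root_name, rel in REFS[port]:
        path = Path(roots[root_name]) / rel
        if path.is_file() and pattern.search(path.read_text(errors="replace")):
            hits.append(str(path))
    return hits


def port_is_free(port, host="0.0.0.0"):
    """True if the port can be bound, i.e. no other service already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    # Falls back to the current directory when the variables are unset.
    roots = {M: os.environ.get(M, "."), I: os.environ.get(I, ".")}
    for port in REFS:
        print(port, "free" if port_is_free(port) else "in use")
        for f in files_referencing(port, roots):
            print("  referenced in", f)
```

Run it with the Muse servers stopped; a port reported as "in use" at that point belongs to some other service.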

This FAQ has been created for partners to check the Muse Proxy configuration ($MUSE_HOME/proxy/hosts.xml file) to make sure their proxies are not open proxies, and therefore prone to illegal usage.

RULES TO MODIFY:
1.) In the hosts.xml under the default user, there should be no * rule:


default
*

The default user allows the ICE Servers to access Muse Proxy. If the * rule is entered, the wildcard character (*) allows any IP to access the proxy via the default user. This could cause abuse of the proxy from remote IPs. It is recommended to enter only the IPs, or IP ranges, that will access the proxy via ICE.

2.) In the hosts.xml under the administrator user, there should be no * rule:


administrator
*

Like the default user above, if the * statement is put in under this , it could potentially allow remote users to abuse Muse Proxy via the administrator user. It is recommended to allow only the IP (or IP ranges) of the computers that you expect to use to administer the proxy.

RULES TO KEEP IN PLACE:
1.) For Muse Proxies above the 2.2.2.0 version, there is the following rule for the default.mnm user:

default.mnm
*

This must be kept in place, so that end users will be able to navigate to links rewritten via Muse Navigation Manager.

2.) Under the section for every user, there is a * rule:


20
21
22
23
25
*


This must be kept in place. The REMOTE_PORTS section specifies the outgoing access port rules of the Muse Proxy, i.e. which remote ports the Muse Proxy is allowed to connect to. By default, we block access to the following remote ports:
20, 21: File Transfer Protocol (FTP)
22: Secure Shell (SSH)
23: Telnet
25: Simple Mail Transfer Protocol (SMTP)
and allow access to the rest of the ports, meaning that the Muse Proxy can connect to data services on any port except the ones listed above.

The * was set to cover all possible ports used by service providers, such as 80, 8080, 443, 210, etc.

3.) It is also recommended that if an rule is entered for Muse Global support (secure.museglobal.com or secure.museglobal.ro), it is not taken out. These rules are in place so that Muse support can properly troubleshoot the proxy.

Categories: General, Muse Proxy
