How to customize the port that the EDR web UI uses. 

• EDR Console: All Versions
• EDR Server: All Versions

For customers who desire to use a custom WebUI cert, follow the directions here:  Implementing Custom Web UI Certificates.

Important: These steps should be performed on all Primary and Secondary server nodes. Without this, users will be able to access the UI via port 443 if the secondary server's IP is entered into a browser. It is recommended that secondary servers not be used to access the web console. If possible, use firewall rules to deny outside access on the port for all server nodes except for the primary. All server nodes still need to communicate on the custom port with each other. 

1. Rename the nginx cb.conf file with mv to back it up:

   mv /etc/cb/nginx/conf.d/cb.conf /etc/cb/nginx/conf.d/cb.conf.default

2. Copy and rename multi-home template configuration file:

   cp /etc/cb/nginx/conf.d/cb.multihome.conf.example /etc/cb/nginx/conf.d/cb.multihome.conf

3. Backup the nginx http.conf file:

   cp /etc/cb/nginx/conf.d/http.conf /etc/cb/nginx/conf.d/http.conf.default​​​​

4. Edit /etc/cb/nginx/conf.d/cb.multihome.conf.
   • Modify the line in blue under the WebUI section to the desired port (8443 is the common choice). Note: There are two port areas, the first one is for Sensors. Make sure to edit the end one per the example here.
   • On 7.5.0+ Only, comment out the cb.server.error line in red 

     server
     {
     # This server configuration is used for communications between the sensors
     # and the server.
     
     # IMPORTANT: If this configuration file is used, NginxSensor#### parameters in
     # /etc/cb/cb.conf MUST be updated to match this file.
     # Port 80 is defined in the http.conf. By default it redirects all trafic
     # to the https://$host$request_uri; If this behaviour needs to change update http.conf
     listen [::]:443 ssl ipv6only=off;
     
     include /etc/cb/nginx/conf.d/includes/cb.server.body;
     include /etc/cb/nginx/conf.d/includes/cb.server.sensor;
     
     # Include content of custom server configuration file
     include /etc/cb/nginx/conf.d/includes/cb.server.custom;
     }
     
     server
     {
     # This server configuration is used for VMware Carbon Black EDR Server's Web UI
     
     # IMPORTANT: If this configuration file is used, NginxWebApi#### parameters in
     # /etc/cb/cb.conf MUST be updated to match this file.
     # Port 80 is defined in the http.conf. By default it redirects all trafic
     # to the https://$host$request_uri; If this behaviour needs to change update http.conf
     listen [::]:8443 ssl ipv6only=off;
     
     include /var/cb/nginx/props/nginx.runtime.ssl_certificate.prop;
     include /var/cb/nginx/props/nginx.runtime.ssl_certificate_key.prop;
     
     include /etc/cb/nginx/conf.d/includes/cb.server.body;
     include /etc/cb/nginx/conf.d/includes/cb.server.api;
     #include /etc/cb/nginx/conf.d/includes/cb.server.error;
     
     # Include content of custom server configuration file
     include /etc/cb/nginx/conf.d/includes/cb.server.custom;
     }

5. Edit /etc/cb/cb.conf:

      NginxWebApiHttpPort=443
   Change to...
      NginxWebApiHttpPort=8443
   
   And if minion port was also changed (recommended, see additional notes) 
      MinionApiPort=443 
   change to...
      MinionApiPort=8443
   
   

6. Port 80 redirection is optional
   • To keep port 80 redirection when typing http://<servername>, open /etc/cb/nginx/conf.d/http.conf and edit this line

        return         301 https://$host$request_uri;
     Change to...
        return         301 https://$host:8443$request_uri;

   • To remove port 80 redirection, open /etc/cb/nginx/conf.d/http.conf and comment out this line

     #listen [::]80 ipv6only=off;

   • Note: You cannot forward from port 443 to 8443 due to sensors communicating over port 443
   • Note: To change what using port 443 will display after this change the files within "/usr/local/openresty/nginx/html/" can be modified or removed
7. Update Nginx to forward the custom port in the header for CSRF:
   • Open /etc/cb/nginx/conf.d/includes/headers.includes
   • Find the following line:

proxy_set_header       Host               $host;

• Edit to:

proxy_set_header       Host               $host:$server_port;

9. Update the firewall to include 8443
   • If using Iptables on CentOS 6

iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
service iptables save
service iptables reload

• If using firewalld on CentOS 7

firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload

10. Note: There should only be one cb*.conf file. Nginx will fail to start if there are two. Confirm there is only one ending in .conf by running: ls -lh /etc/cb/nginx/conf.d | grep 'cb\.'

    cb.conf.default
    cb.multihome.conf

11. Restart the server services: EDR: How to restart server services
12. Verify that the UI is accessible: https://<server>:8443

• Any available port can be used if the firewall and network allow it. Port 8443 is used here as an example.
• It's recommended to follow the same instructions on the secondary server for clustered environments. Without this, the console will be accessible over 443 by the secondary server's IP and will not use the custom certificates. 
• If using the Event Forwarder, the cb_server_url value may need to be modified to add the port number in the /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf file
• For RHEL/CentOS 7, you can use the following commands to check the firewall settings to see if anything is missing, like the 8443 config:

  • /usr/share/cb/cbcheck firewall -l  (Lists missing rules)
    /usr/share/cb/cbcheck firewall -a (Applies missing rules)