Security policy requires that Messaging Gateway (SMG) be secured from unauthorized access beyond its default configuration.
Messaging Gateway (SMG) is a secure, hardened appliance / virtual machine solution that is scanned for known vulnerabilities as part of the standard software development process. Where possible, vulnerabilities are addressed by replacing, reconfiguring, or patching the vulnerable component. The underlying SMG operating system requires no additional "hardening" beyond its default installation, provided that the software version is up to date and all available patches have been applied.
There are a number of SMG services that can be further secured via IP access control lists (ACLs) or increased protocol security.
Messaging Gateway administrator policy groups can be populated with both local administrator accounts and Active Directory / LDAP users or groups if Directory Integration has been configured. For Active Directory / LDAP based administrator accounts, password complexity and expiration policies are expected to be set at the AD / LDAP level. For local administrator accounts, ensure that the following options are set in Administration > Administrators:
Note that the default admin account cannot be deleted, but if another account has Full Administration rights, the default admin account can have its access level reduced.
The SMG Control Center web application can be further secured by setting a network access control list that limits which IP addresses may connect to the web application. Additionally, the minimum TLS protocol version for the web application can be set from the admin command line (CLI).
In the event that an error was made when setting the Control Center web application network access control list, the ACL can be reset from the admin CLI.
The minimum TLS protocol version for the Control Center web application is set from the admin CLI with cc-config. For example, to require TLS 1.2:
cc-config set-min-tls-level --tls12
The minimum TLS level can be set to TLS 1.0, TLS 1.1, or TLS 1.2.
Note: Due to an issue with the upgrade to SMG 10.7.5, the minimum TLS level is reset to TLS 1.0 following the upgrade and cannot be changed, although SMG reports that it is limited to later protocol versions. Because the reported setting cannot be trusted in this case, verify the accepted protocol versions from a client rather than relying on the cc-config output. Please see TLS 1.0 allowed for Control Center connection regardless of cc-config set-min-tls-level in Messaging Gateway version 10.7.5 to address this.
Please see Messaging Gateway and Diffie-Hellman key length for details on restricting cipher suites and key exchange algorithms.
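Because the 10.7.5 issue means the level SMG reports may not match what the listener accepts, the check below connects to the Control Center with each TLS version forced and reports which ones complete a handshake. It is an added example written for this article, not SMG's own tooling; the host name, port 443, and the use of openssl s_client are assumptions.

```shell
#!/bin/sh
# Added example, not SMG's own tooling and not part of the original article: check which
# TLS versions a Control Center listener really accepts, rather than trusting the level
# that cc-config reports. HOST and PORT (443 assumed) are the reader's values.

# Extra client options; OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security
# level, so set CLIENT_OPTS='-cipher DEFAULT:@SECLEVEL=0' there to make those probes real.
CLIENT_OPTS=${CLIENT_OPTS:-}

# Classify the captured stdout+stderr of one "openssl s_client -tls1_x" run. Prints:
#   accepted        handshake completed, so the server allows that version
#   refused         the server rejected it (version/handshake alert, or no cipher agreed)
#   client-no-proto this openssl cannot offer the version at all, so nothing was proven
classify_handshake() {
    out=$1
    if printf '%s\n' "$out" | grep -Eqi 'no protocols available|unknown option'; then
        echo client-no-proto
    elif printf '%s\n' "$out" | grep -Eqi 'alert (protocol version|handshake failure|internal error)|unsupported protocol|wrong version number|inappropriate fallback'; then
        echo refused
    # A completed handshake leaves a real cipher name in the SSL-Session summary;
    # a failed one prints "Cipher    : 0000" (or no summary at all).
    elif printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *[A-Za-z0-9_-]+ *$' &&
         ! printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *0000 *$'; then
        echo accepted
    else
        echo refused
    fi
}

# Probe one host with each version; the -tls1* flags force a single protocol version.
probe_tls_versions() {
    host=$1; port=${2:-443}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" -"$ver" $CLIENT_OPTS </dev/null 2>&1)
        printf '%-7s %s\n' "$ver" "$(classify_handshake "$out")"
    done
}

# Constructed s_client excerpts (OpenSSL 1.1/3 style) so the classifier can be exercised offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REFUSED='CONNECTED(00000003)
4017:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_CLIENT_ONLY='CONNECTED(00000003)
40E7:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl/statem/statem.c:346:'

# Usage against a live Control Center (assumed port 443):
#   probe_tls_versions smg.example.com 443
```

A result of "accepted" for tls1 after the upgrade is the condition the note above describes, regardless of what cc-config reports; "client-no-proto" means the probing machine, not SMG, declined the version and the probe must be rerun with an older client or the CLIENT_OPTS override.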
Access to the SMG command line SSH service can likewise be restricted to specific networks and hosts from the admin CLI with sshd-config, for example:
sshd-config --add allow 192.168.1.0/24
sshd-config --add deny ALL
Note: You MUST set the allowed networks and hosts before denying access to all other connections; otherwise you risk being unable to connect to the SMG command line.
Some vulnerability scanners will raise alerts because the SMG SSH service accepts certain CBC ciphers, MAC algorithms, or key exchange algorithms. To further secure and limit the ciphers used by the SMG command line SSH service, please see
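The algorithms a scanner flags are the ones the server advertises in its KEXINIT proposal, which any SSH client can see with ssh -vv. The script below, an added example rather than SMG's own tooling, extracts the server's proposal from that output and lists the CBC ciphers, SHA-1 / MD5 MACs, and SHA-1 / group1 key exchanges, so a scanner finding can be confirmed before and after the service is changed. Port 22, the admin user name, and the weak-algorithm patterns are assumptions.

```shell
#!/bin/sh
# Added example, not SMG's own tooling and not part of the original article: list the
# weak KEX, cipher and MAC algorithms an SSH server offers, taken from the server's
# KEXINIT proposal in "ssh -vv" output. This is the same data a scanner alerts on.

# Reads "ssh -vv" output on stdin and prints "class algorithm" for each weak algorithm the
# *server* proposed. The client's own proposal appears first in the same format, so lines
# are only considered after "peer server KEXINIT proposal".
weak_ssh_algos() {
    awk '
    function report(cls, list,    n, i, a, weak) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) {
            weak = 0
            if (cls == "kex"    && a[i] ~ /(-sha1$|group1-)/)                     weak = 1
            if (cls == "cipher" && a[i] ~ /(-cbc$|^arcfour|^3des|^blowfish)/)      weak = 1
            if (cls == "mac"    && a[i] ~ /(md5|^hmac-sha1$|^hmac-sha1-96$|-96$)/) weak = 1
            if (weak && !seen[cls " " a[i]]++) print cls, a[i]   # ctos/stoc lists are usually identical
        }
    }
    /peer server KEXINIT proposal/  { server = 1; next }
    /local client KEXINIT proposal/ { server = 0; next }
    !server { next }
    sub(/^debug2: KEX algorithms: /, "")      { report("kex", $0);    next }
    sub(/^debug2: ciphers (ctos|stoc): /, "") { report("cipher", $0); next }
    sub(/^debug2: MACs (ctos|stoc): /, "")    { report("mac", $0);    next }
    '
}

# Live use against an SMG command-line SSH service (port 22 and user "admin" assumed).
# No login is attempted: BatchMode makes ssh give up right after key exchange and a
# failed authentication, which is all that is needed to see the server proposal.
ssh_weak_algos_for() {
    ssh -vv -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
        -o ConnectTimeout=5 -p "${2:-22}" "admin@$1" exit 2>&1 | weak_ssh_algos
}

# Constructed "ssh -vv" excerpt for offline use; the client-side aes128-cbc must NOT be reported.
SAMPLE_SSH_VV='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256'

# Offline run on the constructed sample:
#   printf "%s\n" "$SAMPLE_SSH_VV" | weak_ssh_algos
```

Run ssh_weak_algos_for against the SMG host before and after adjusting the SSH service; an empty result means the server no longer advertises any of the patterns above, which is what a rescan will check.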