
Allow filter lists are examined if there is no Deny filter list, or if no match is found in the Deny filter list.

The Allow filter list is examined for a filter matching the remote IP address (that is, a wildcard, subnet, or specific match). If a match is found, the filter is further examined for a qualifier to determine if the filter denies access to the remote IP address. If a match is found in the qualifier, the COI is excluded from COI negotiation.

Any other match in the Allow filter list results in the COI being included in the COI negotiation. If no match is found, and if there was no Deny filter list, the COI is excluded from COI negotiation as the Allow filter implicitly denies access to the endpoint.

Note: If both a Deny list and an Allow list are present, and if no match is found in either list for the remote IP address, then the COI is included for COI negotiation. This is because the filter lists are ambiguous and cannot be used to clearly determine access to the remote endpoint.

Figure 3–5. Filter Flow
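The following Python function is an added illustration of the Deny/Allow evaluation order described above; it is not part of the Stealth product. The filter representation, the use of subnet or host patterns for qualifiers, the treatment of a Deny match as exclusion (Deny evaluation is described earlier in the document), and the behaviour when no Allow list exists at all are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Filter:
    # "*" = wildcard, "10.0.0.0/8" = subnet, "10.0.0.5" = specific host
    match: str
    # Qualifiers carve exceptions out of the match (assumed to use the same
    # pattern forms); a qualifier hit means the filter denies the address.
    qualifiers: list = field(default_factory=list)

def _hits(pattern, ip):
    return pattern == "*" or ip in ipaddress.ip_network(pattern, strict=False)

def _first_match(filters, ip):
    return next((f for f in filters if _hits(f.match, ip)), None)

def coi_included(remote_ip, deny_list=None, allow_list=None):
    """Return True if the COI is included in COI negotiation with remote_ip.
    deny_list / allow_list are lists of Filter, or None when that list is absent."""
    ip = ipaddress.ip_address(remote_ip)
    if deny_list is not None and _first_match(deny_list, ip) is not None:
        # Assumption: a Deny-list match excludes the COI.
        return False
    if allow_list is None:
        # Not covered by this section; assumed: no Allow list means no restriction.
        return True
    allow = _first_match(allow_list, ip)
    if allow is None:
        # No Allow match: with no Deny list the Allow list implicitly denies;
        # with both lists present and no match in either, the COI is included.
        return deny_list is not None
    # Allow match: a qualifier hit means this filter denies the address.
    return not any(_hits(q, ip) for q in allow.qualifiers)

# Constructed sample filter lists for the checks below.
ALLOW = [Filter("10.0.0.0/8", qualifiers=["10.0.5.0/24"])]
DENY = [Filter("172.16.0.0/12")]
```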

3.6. Stealth Roles

Each role is an association of users and COIs. For example, you can set up roles based on department (that is, Accounting and Human Resources) or security clearance level (that is, Secure and Top Secret).

Users can belong to multiple roles; however, users should not belong to multiple roles that include different Clear Text COIs or that include the same Stealth COI with different filters. This is because of the following:

• Each endpoint user can use only one Clear Text COI

In the Enterprise Manager interface, each role can support only one Clear Text COI.

Even if you add an endpoint user to multiple roles (each with different Clear Text COIs), only one Clear Text COI can be used at one time for that endpoint user. The endpoint uses the last Clear Text COI it receives, and depending on the communication state between endpoints, the Clear Text COI that is used might differ.

• Stealth COIs applied to roles are not combined

If a user is included in two different roles, and if those roles include the same Stealth COI with different filters, the behavior is unpredictable. Again, depending on the communication state between the endpoints, and the filters that are applied, the behavior might differ.

To avoid these problems, follow these guidelines:

• Include users in only one role.

• Ensure that users included in multiple roles have only one Clear Text COI (or identical Clear Text COIs).

• Use the same filter definition on each occurrence of a Stealth COI.

Note: If you define a filter on a Stealth COI, it is highly recommended that you use the same filter definition on each occurrence of the Stealth COI. For example, you could create a Stealth COI named StealthCOIHR and include it in the HR role and in the Management role; in both occurrences of the StealthCOIHR, you should include the same filter content. This ensures that there is no ambiguity when the endpoints associated with the HR and Management roles communicate.
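The following Python check is an added example, not part of the Enterprise Manager product, that applies the guidelines above to a role configuration: it reports any user who belongs to roles with different Clear Text COIs, or to roles that carry the same Stealth COI with different filter sets. The role and membership data structures are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: role -> its Clear Text COI (or None) and its Stealth
# COIs mapped to the filter set applied in that role.
ROLES = {
    "HR":         {"clear_text": "ClearHR",   "stealth": {"StealthCOIHR": "HRFilter"}},
    "Management": {"clear_text": "ClearHR",   "stealth": {"StealthCOIHR": "HRFilter",
                                                           "StealthCOIMgmt": "MgmtFilter"}},
    "Accounting": {"clear_text": "ClearAcct", "stealth": {"StealthCOIHR": "AcctFilter"}},
}
# Constructed sample: role -> endpoint user names.
MEMBERS = {"HR": {"alice", "bob"}, "Management": {"alice", "carol"}, "Accounting": {"bob"}}

def find_role_conflicts(roles, members):
    """Return (user, item, conflicting values) tuples for every user whose
    roles would give the endpoint unpredictable behaviour."""
    user_roles = defaultdict(list)
    for role, users in members.items():
        for user in users:
            user_roles[user].append(role)
    conflicts = []
    for user, role_names in sorted(user_roles.items()):
        if len(role_names) < 2:
            continue  # a user in a single role cannot conflict
        clear = {roles[r]["clear_text"] for r in role_names} - {None}
        if len(clear) > 1:
            conflicts.append((user, "clear_text", sorted(clear)))
        filters_by_coi = defaultdict(set)
        for r in role_names:
            for coi, filter_set in roles[r]["stealth"].items():
                filters_by_coi[coi].add(filter_set)
        for coi, filter_sets in sorted(filters_by_coi.items()):
            if len(filter_sets) > 1:
                conflicts.append((user, coi, sorted(filter_sets)))
    return conflicts
```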

3.7. Endpoint Users and Enterprise Manager Users

You can add two different categories of users to the Enterprise Manager interface:

• Enterprise Manager users, who are responsible for administering and operating the Enterprise Manager interface

These users have privileges to access different pages within the Enterprise Manager interface, enabling them to perform various configuration or monitoring tasks.

For example, you assign one or more users to the Portal Administrator role to grant administrator privileges to those users and enable users in that role to see all pages in the interface. In contrast, assigning a user to the Audit Administrator role grants access only to the Monitor and Logs pages.

See the Administration page for information about adding Enterprise Manager users.

• Endpoint users, who participate in COIs

These are Stealth users who do not interact directly with the Enterprise Manager interface.

Each user name and each role name must be unique.

See 4.1.4 Configuring Users for more information.

These users exist in the same database, and so each user ID must be unique.

3.8. Enterprise Manager Database

You should back up the Enterprise Manager database on a regular schedule or after a significant configuration change. Full backups are critical to maintaining the integrity of your Management Server and Stealth network configuration in catastrophic failures, such as storage unit failure or server hardware failure. See 5.2 Backing Up the Enterprise Manager Database for more information.

In the event of an Enterprise Manager database failure, the Enterprise Manager interface keeps running, but you cannot make configuration changes. How long the interface continues to run is dependent on the exact nature of the database failure. In general, when the database fails, the following occurs:

• You cannot complete any actions on open Enterprise Manager interface sessions (for example, you cannot add or delete users from roles).

• New sessions to the Enterprise Manager interface cannot be established.

However, endpoints are not affected. That is, existing Stealth sessions are not interrupted, and new sessions can be established.

Once the Enterprise Manager database is available again, you can continue with normal activity. After your initial configuration is complete, you should be sure to back up your database as described in 5.2 Backing Up the Enterprise Manager Database.

3.9. Supported Characters and Length Restrictions in the Enterprise Manager Interface

When you are creating components in the Enterprise Manager interface—including configuration, COI, role, user, and endpoint software file names—the following characters are supported:

• Upper and lowercase letters

Note: The first character in a name must be a letter.

• Numbers (0-9)

• Space ( )

Note: A space cannot be the first character or last character in a name.

• Underscore (_)

• Hyphen (-)

• Comma (,)

• Period (.)

Note: Multiple periods in a row are not supported.

• Exclamation point (!)

• Dollar sign ($)

• Percent sign (%)

• Ampersand (&)

• Single quotation mark (')

• Parentheses ( )

• Equal sign (=)

• At sign (@)

• Square brackets ([ ])

• Caret (^)

• Curly brackets ({ })

• Tilde (~)

In addition, COI names and filter set names must be 28 characters or fewer.
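The following Python validator is an added example, not part of the Enterprise Manager product, that checks a proposed component name against the character and length rules listed above before it is entered in the interface. It reads the document's single quotation mark as the ASCII apostrophe; that reading is an assumption.

```python
import string

# Characters the Enterprise Manager interface supports in component names,
# taken from the list above (ASCII apostrophe assumed for the single quote).
ALLOWED = set(string.ascii_letters + string.digits + " _-,.!$%&'()=@[]^{}~")
COI_MAX_LEN = 28  # COI names and filter set names

def name_problems(name, kind="generic"):
    """Return the list of rule violations for a proposed name (empty = valid).
    kind="coi" or kind="filterset" also enforces the 28-character limit."""
    problems = []
    if not name:
        return ["name is empty"]
    unsupported = sorted({c for c in name if c not in ALLOWED})
    if unsupported:
        problems.append("unsupported characters: " + "".join(unsupported))
    if name[0] not in string.ascii_letters:
        problems.append("first character must be a letter")
    if name[0] == " " or name[-1] == " ":
        problems.append("a space cannot be the first or last character")
    if ".." in name:
        problems.append("multiple periods in a row are not supported")
    if kind in ("coi", "filterset") and len(name) > COI_MAX_LEN:
        problems.append(f"{kind} names must be {COI_MAX_LEN} characters or fewer")
    return problems
```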

3.10. Interface Time Outs

For security purposes, all of the pages on the Enterprise Manager interface time out after 30 minutes of inactivity, except for the Monitoring page, which does not time out.

To avoid a time out, you can do any of the following:

• Navigate between pages using the menu bar (for example, moving from the Configure page to the Provision page)

• Navigate between tabs on a page (for example, on the Configure page, moving from the Role tab to the User tab)

• Perform an action (for example, adding a component or clicking Save)

• Navigate in the tree view (if the page includes a left-pane tree view)

Note: Moving the mouse around the screen or typing input does not reset the time out process. In addition, starting and cancelling an action (for example, clicking Add to add a component and then closing the Add dialog box) does not reset the time out process.

After 29 minutes of inactivity, you see a warning at the top of the interface that Enterprise Manager will time out in one minute, and you can click Extend to extend your session. If you do not extend the session, you are logged out of the interface and must log in again.

General Stealth Configuration