Filemaker 19.4.1 remote admin console access

[jaboda]

 

I am an accidental early adopter of Filemaker Server 19.4.1 - something I don't make a habit of.

One of the new features in this version of Filemaker Server is remote access to the Admin Console. This is great if you want that functionality, but if you have an internet-facing server then you probably...don't.

It seems Claris put in an undocumented way of disabling this new functionality.

In HTTPServer\conf is web.config (at least on Windows). This contains the following commented out section:

        <!-- Admin Console restriction access
        To grant remote access for Admin Console, you can uncomment the following with IP address -->
        <!-- <rule name="fac_restrict" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*"/>
          <conditions>
            <add input="{URL}" pattern="*admin-console*" />
            <add input="{REMOTE_ADDR}" pattern="<IP-Address-to-Grant_Access>" negate="true" />
          </conditions>
            <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
        </rule> -->

Simply uncomment this section and change the <IP-Address-to-Grant_Access> to 127.0.0.1 and restart Webdirect/the server. You can also change it to a 404 error, which is even better.

Hope this helps people facing a similar issue with this new feature.

[jaboda]

This has slightly changed in 19.5.2. The commented out section has been removed, and re-adding it doesn't work.

To stop remote access for the Admin Console on Windows Server do the following:

1. Open IIS Manager and navigate to FMWebSite.
2. Select URL Rewrite.
3. Locate the 'fac' rule and add a condition with the Input {REMOTE_ADDR} and the pattern 127.0.0.1.
4. Click Okay and hit Apply.

This also has the benefit of applying instantly. It also doesn't require editing config files which some are uncomfortable with.

Edited July 19, 2022 by jaboda

[jaboda]

Since 19.6.1 this has now been resolved.

From the release notes:

Quote

• You can now restrict access to Admin Console and the Admin API by IP address in the following places.

  • Admin Console: Administration > Restrict Access

  • FileMaker Admin API:

    • Get Restrict Access Settings: GET /server/restrictaccess.

    • Update Restrict Access Settings: PATCH /server/restrictaccess.

  Note: The IP address 127.0.0.1 is always allowed for Admin Console access.