FMS19.4 Admin Console Port changed

  • Admin Console is now accessible remotely using https://[server_address]:443/admin-console instead of https://[server_address]:16000/admin-console.
3 Likes

And I think you can configure whether you like to have it exposed to the world there or not, e.g. limit access to local network.

1 Like

In other words, it is on the default HTTPS port.

That's an improvement. One less thing to manage on the network. :trophy:

Also, no need to type the port number when you are accessing the console via the browser. :+1:

3 Likes

Well, rather IP-restrict that path by default. Here is a howto from Claris: ClarisPKB
They didn't introduce a protection mechanism like slowing down multiple login attempts, nor any IP-restriction possibilities :thinking:

3 Likes

Thanks for adding the link to the article @iwitschi. That's good information. :grinning:

As with all IT information, there is an assumption of too much knowledge within these instructions. I’ve just secured 4 Windows servers on the cloud that, as a result of this FMS 19.4.1 update, have had their admin console publicly available on the Internet for the first time in over 10 years.

I’ve found that the published syntax didn’t work:

    <rule name="fac_restrict" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*"/>
        <conditions>
            <add input="{URL}" pattern="admin-console" />
            <add input="{REMOTE_ADDR}" pattern="192.168.1.1" negate="true" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied."
            statusDescription="You do not have permission to view this directory or page." />
    </rule>

(192.168.1.1 entered as an example server IP address. We only require the admin console to be available on the server FMS is running on).

After much testing the best we achieved was to have the admin console unavailable along with WebDirect unavailable.

To add a bit more detailed information, the configuration file that has to be changed is at:

C:\Program Files\FileMaker\FileMaker Server\HTTPServer\conf

Open this in Notepad run as Administrator, otherwise changes cannot be saved.

We pasted our revised syntax just above (formatting added below, otherwise the syntax isn’t displayed):

        </rules>
        <outboundRules>
(i.e. at the end of <rules>)

We replaced "admin-console" with

"*admin-console*"

The wildcards on either side changed the behaviour so that we can only access the admin console from within the server; external access via port 443 (or any port via the firewall) is now disabled and WebDirect works.

To sum up, our syntax is (for a server with an IP address of 192.168.1.1 - a wildcard such as 192.168* could be used):

    <rule name="fac_restrict" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*"/>
        <conditions>
            <add input="{URL}" pattern="*admin-console*" />
            <add input="{REMOTE_ADDR}" pattern="192.168.1.1" negate="true" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied."
            statusDescription="You do not have permission to view this directory or page." />
    </rule>

Hope this prevents someone going to bed after midnight and getting up at 05:00 to secure their servers :wink:

Kind regards
Andy

2 Likes
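An added example, not part of any post above and not Claris or Microsoft code: a small offline model of how the two rule variants from the thread evaluate. It assumes that Wildcard syntax must match the whole input with `*` as its only metacharacter, and that `{URL}` holds the request path with its leading slash. The external address `203.0.113.7` and the WebDirect path `/fmi/webd` are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Rule as posted in the thread (action attributes abridged); only the URL pattern varies.
RULE = """<rule name="fac_restrict" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*"/>
  <conditions>
    <add input="{{URL}}" pattern="{url_pattern}" />
    <add input="{{REMOTE_ADDR}}" pattern="192.168.1.1" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="403" />
</rule>"""

def wildcard_match(pattern, value):
    """Assumed Wildcard model: '*' matches anything, whole-string, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_blocked(rule_xml, url, remote_addr):
    """True if the match and every condition hold, i.e. the 403 action would fire."""
    rule = ET.fromstring(rule_xml)
    variables = {"{URL}": url, "{REMOTE_ADDR}": remote_addr}
    # <match url> is tested against the path without its leading slash
    if not wildcard_match(rule.find("match").get("url"), url.lstrip("/")):
        return False
    for cond in rule.find("conditions"):
        hit = wildcard_match(cond.get("pattern"), variables[cond.get("input")])
        if cond.get("negate") == "true":
            hit = not hit
        if not hit:
            return False
    return True

PUBLISHED = RULE.format(url_pattern="admin-console")
REVISED = RULE.format(url_pattern="*admin-console*")

# Constructed sample requests: (path, client address)
REQUESTS = [
    ("/admin-console/", "203.0.113.7"),   # external client
    ("/admin-console/", "192.168.1.1"),   # the one allowed address
    ("/fmi/webd", "203.0.113.7"),         # WebDirect from outside
]

if __name__ == "__main__":
    for url, addr in REQUESTS:
        print(url, addr, "published:", is_blocked(PUBLISHED, url, addr),
              "revised:", is_blocked(REVISED, url, addr))
```

Under this model the pattern without wildcards never matches a path such as `/admin-console/`, so the 403 never fires for it, while the revised pattern blocks every client except the listed address and leaves the WebDirect path alone.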