ADV7. Restrict access to Perception

Applies to the following products: 
Questionmark Perception
Applies to the following Perception versions: 
Perception 5.4

It is recommended that you restrict access to certain parts of Perception. This is intended to improve security, but is only required if you are allowing general access to the server(s) hosting Perception.

The process involves limiting access to certain web shares so that no one can interfere with the services that are run.

Before you proceed to the section below and carry out the steps to restrict access to Perception's web shares, you must first run the configuration application again and set the base service address to http://127.0.0.1.

To do this:

  1. Open the configuration application by navigating to http://localhost/configuration
  2. Click Redo Configure Environment
  3. In the Enter the service layer address: text field, enter http://127.0.0.1
  4. Click Configure
  5. Click Return to choices and then exit the configuration application

Please follow the steps below in IIS 7 to restrict access to the relevant web shares on your Perception server:

  1. To open IIS Manager, go to All Programs | Administrative Tools | Internet Information Services (IIS) Manager
  2. Expand Sites in the side menu and then expand Default Web Site
  3. Click on the qabs virtual directory
  4. Double click the IPv4 Address and Domain Restrictions icon
  5. Click on Edit Feature settings in the Actions menu
  6. Change the Access for unspecified clients drop-down list to Deny and click OK
  7. Click Allow Entry... in the Actions menu
  8. Select the Specific IPv4 address option button and enter the IP address of your QPLA server. Repeat the process if you have more than one server.

    If you have installed Perception on a single server (as with this installation type), you will need to add two IP addresses by repeating the above steps. The IP addresses you will need to add are:

    • 127.0.0.1
    • The IP address of the server

    The addresses you added should now be listed as allowed entries.

    Now only the communications coming from the QPLA tier can be passed to the QABS virtual folder.

  9. Repeat the above steps for the following virtual folders:
    • analyticsservice
    • configurationservice
    • etlconfigurationservice
    • peopleidentitymanager
    • perceptionidentitymanager
    • perceptionidentityprovider
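
The IIS Manager steps above can also be applied from PowerShell. The script below is an added example, not part of Questionmark's documentation or tooling; it assumes the WebAdministration module and the IIS "IP and Domain Restrictions" role service are installed, and the address 192.0.2.10 is a placeholder for your own server address.

```powershell
# Added example: applies steps 3-9 above to every listed virtual folder.
# Assumes the WebAdministration module and the IIS "IP and Domain
# Restrictions" role service are installed; run from an elevated prompt.
Import-Module WebAdministration

$site    = 'Default Web Site'
$folders = 'qabs', 'analyticsservice', 'configurationservice',
           'etlconfigurationservice', 'peopleidentitymanager',
           'perceptionidentitymanager', 'perceptionidentityprovider'

# 192.0.2.10 is a constructed placeholder: replace it with the address of
# your QPLA server(s), or of this server for a single-server installation.
$allowed = '127.0.0.1', '192.0.2.10'

$filter = '/system.webServer/security/ipSecurity'

foreach ($folder in $folders) {
    if (-not (Test-Path "IIS:\Sites\$site\$folder")) {
        Write-Warning "Skipping '$folder': not found under '$site'"
        continue
    }
    $location = "$site/$folder"

    # Step 6: Access for unspecified clients = Deny
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $filter -Name allowUnlisted -Value $false

    # Steps 7-8: one Allow entry per address, skipping any already present
    foreach ($ip in $allowed) {
        $present = Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
            -Filter "$filter/add[@ipAddress='$ip']"
        if (-not $present) {
            Add-WebConfiguration -PSPath 'IIS:\' -Location $location `
                -Filter $filter -Value @{ ipAddress = $ip; allowed = $true }
        }
    }

    # Read the settings back so they can be compared with the IIS Manager view
    $unlisted = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter $filter -Name allowUnlisted).Value
    $entries = Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
        -Filter "$filter/add" | ForEach-Object { $_.ipAddress }
    "{0}: allowUnlisted={1}; allowed={2}" -f $location, $unlisted, ($entries -join ', ')
}
```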