From e154696348643e790d56a286a5007374ab154bf3 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Wed, 24 May 2023 09:31:05 +0000 Subject: [PATCH 1/9] add how to modify network address restrictions --- docs/source/roles/system_manager/manage_users.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 740085431f..2f639a4813 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -183,6 +183,19 @@ A sample email might look like the following > > --details about network and location/VPN restrictions here-- +(modifying_network)= + +## Manually modifying network restrictions + +Tier 2/3 SREs restrict access based on network addresses. After deployment, the network addresses can be modified manually. + +* In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` +* On the `Overview` tab, and navigate to the Network Security Group for the remote desktop service, `NSG_SHM__SRE__GUACAMOLE` +* Navigate to `Inbound Security Rules`, and find the entry called `AllowUsersApprovedHttpsInbound` +* For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry + +`Source IP addresses/CIDR ranges` + ## {{construction_worker}} Common user problems One of the most common user issues is that they are unable to log in to the environment. From 7913a3bcd06fe1b7f1296e2606cfb4318523a28d Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Wed, 24 May 2023 09:32:02 +0000 Subject: [PATCH 2/9] Clarify changing network restrictions --- docs/source/roles/system_manager/manage_users.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 2f639a4813..4c98596e5f 100644 
--- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -187,14 +187,13 @@ A sample email might look like the following ## Manually modifying network restrictions -Tier 2/3 SREs restrict access based on network addresses. After deployment, the network addresses can be modified manually. +One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. If the users were to require access from different IP addresses - if their institutional IP address changes, or an additional location with a different network were approved - then the network addresses that are allowed access can be modified manually. * In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` -* On the `Overview` tab, and navigate to the Network Security Group for the remote desktop service, `NSG_SHM__SRE__GUACAMOLE` +* On the `Overview` tab, and navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) * Navigate to `Inbound Security Rules`, and find the entry called `AllowUsersApprovedHttpsInbound` * For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry - -`Source IP addresses/CIDR ranges` +* Users will then be able to access the remote desktop interface ## {{construction_worker}} Common user problems From 8475fb405d5d53aba4a4cccd2eb2e5022d50a281 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 30 May 2023 11:28:50 +0000 Subject: [PATCH 3/9] Add network emoji, clarify instructions --- docs/source/roles/system_manager/manage_users.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 4c98596e5f..d0b465f700 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -185,15 +185,15 @@ A sample email might look like the following (modifying_network)= -## Manually modifying network restrictions +## {{globe_with_meridians}} Manually modifying network restrictions One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. If the users were to require access from different IP addresses - if their institutional IP address changes, or an additional location with a different network were approved - then the network addresses that are allowed access can be modified manually. * In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` -* On the `Overview` tab, and navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) -* Navigate to `Inbound Security Rules`, and find the entry called `AllowUsersApprovedHttpsInbound` -* For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry -* Users will then be able to access the remote desktop interface +* On the `Overview` tab, navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) +* Navigate to `Inbound Security Rules`, and open the entry called `AllowUsersApprovedHttpsInbound` +* For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry, or overwrite the existing entry if it is no longer required +* Users will then be able to access the remote desktop interface from the new IP address ## {{construction_worker}} Common user problems From 03821ee9324f07e82ac5422a475c0a8ae0d30e45 Mon Sep 17 00:00:00 2001 From: Matt Craddock <5796417+craddm@users.noreply.github.com> Date: Tue, 27 Jun 2023 10:58:40 +0000 Subject: [PATCH 4/9] remove whitespaces, change list style --- docs/source/roles/system_manager/manage_users.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 24b48c1651..dab993a86d 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -187,13 +187,13 @@ A sample email might look like the following ## {{globe_with_meridians}} Manually modifying network restrictions -One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. If the users were to require access from different IP addresses - if their institutional IP address changes, or an additional location with a different network were approved - then the network addresses that are allowed access can be modified manually. +One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. If the users were to require access from different IP addresses - if their institutional IP address changes, or an additional location with a different network were approved - then the network addresses that are allowed access can be modified manually. -* In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` -* On the `Overview` tab, navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) -* Navigate to `Inbound Security Rules`, and open the entry called `AllowUsersApprovedHttpsInbound` -* For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry, or overwrite the existing entry if it is no longer required -* Users will then be able to access the remote desktop interface from the new IP address +- In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` +- On the `Overview` tab, navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) +- Navigate to `Inbound Security Rules`, and open the entry called `AllowUsersApprovedHttpsInbound` +- For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry, or overwrite the existing entry if it is no longer required +- Users will then be able to access the remote desktop interface from the new IP address ## {{construction_worker}} Common user 
problems From 6a54ce7294537357dc0a45a8034c75a496752392 Mon Sep 17 00:00:00 2001 From: Matt Craddock Date: Thu, 3 Aug 2023 15:32:01 +0100 Subject: [PATCH 5/9] Update docs/source/roles/system_manager/manage_users.md Co-authored-by: Jim Madge --- docs/source/roles/system_manager/manage_users.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index dab993a86d..8a6977a3d1 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -187,7 +187,10 @@ A sample email might look like the following ## {{globe_with_meridians}} Manually modifying network restrictions -One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. If the users were to require access from different IP addresses - if their institutional IP address changes, or an additional location with a different network were approved - then the network addresses that are allowed access can be modified manually. +One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. +The network addresses that are allowed to access an SRE can be modified after deployment. +This is useful if users require access from new, or different, IP addresses. +For example if their institutional IP address changes, or an additional location is approved. - In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` - On the `Overview` tab, navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) From 2eeba8cbea9a8ea4b69e63cfadbb2e945e060b51 Mon Sep 17 00:00:00 2001 From: Matt Craddock Date: Fri, 4 Aug 2023 12:30:28 +0100 Subject: [PATCH 6/9] Update docs/source/roles/system_manager/manage_users.md --- docs/source/roles/system_manager/manage_users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 8a6977a3d1..cdc54df49d 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -185,7 +185,7 @@ A sample email might look like the following (modifying_network)= -## {{globe_with_meridians}} Manually modifying network restrictions +## {{globe_with_meridians}} Changing user network access restrictions One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. The network addresses that are allowed to access an SRE can be modified after deployment. From f418e5dae67b24fa9eaf4c1c47c340de254dcb7e Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Fri, 4 Aug 2023 16:14:53 +0100 Subject: [PATCH 7/9] Update docs/source/roles/system_manager/manage_users.md Co-authored-by: Matt Craddock --- docs/source/roles/system_manager/manage_users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index cdc54df49d..89c0237363 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -193,7 +193,7 @@ This is useful if users require access from new, or different, IP addresses. For example if their institutional IP address changes, or an additional location is approved. - In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` -- On the `Overview` tab, navigate to the Network Security Group for the appropriate remote desktop service (e.g `NSG_SHM__SRE__GUACAMOLE`) +- On the `Overview` tab, navigate to `NSG_SHM__SRE__GUACAMOLE`, the Network Security Group for the remote desktop service - Navigate to `Inbound Security Rules`, and open the entry called `AllowUsersApprovedHttpsInbound` - For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry, or overwrite the existing entry if it is no longer required - Users will then be able to access the remote desktop interface from the new IP address From 536f756042934f34eb5355976810e1a89dc12764 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Fri, 4 Aug 2023 16:17:10 +0100 Subject: [PATCH 8/9] Update docs/source/roles/system_manager/manage_users.md Co-authored-by: Matt Craddock --- docs/source/roles/system_manager/manage_users.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 89c0237363..7824354444 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -195,8 +195,8 @@ For example if their institutional IP address changes, or an additional location - In the Azure Portal, navigate to `RG_SHM__SRE__NETWORKING` - On the `Overview` tab, navigate to `NSG_SHM__SRE__GUACAMOLE`, the Network Security Group for the remote desktop service - Navigate to `Inbound Security Rules`, and open the entry called `AllowUsersApprovedHttpsInbound` -- For the field `Source IP addresses/CIDR ranges`, add the desired IP address or range to the existing entry, or overwrite the existing entry if it is no longer required -- Users will then be able to access the remote desktop interface from the new IP address +- Update the `Source IP addresses/CIDR ranges` field to include IP addresses that should be able to access the SRE and remove any that should not +- Users will now be able to access the remote desktop interface from only the desired IP addresses ## {{construction_worker}} Common user problems From e903063e0c33e36ac9af3c75735c7bcecfb92d91 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Fri, 4 Aug 2023 16:20:25 +0100 Subject: [PATCH 9/9] Remove trailing space. --- docs/source/roles/system_manager/manage_users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index 7824354444..100b6788b2 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md 
@@ -187,7 +187,7 @@ A sample email might look like the following ## {{globe_with_meridians}} Changing user network access restrictions -One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. +One of the controls used by Tier 2/3 SREs is to restrict access based on network addresses. The network addresses that are allowed to access an SRE can be modified after deployment. This is useful if users require access from new, or different, IP addresses. For example if their institutional IP address changes, or an additional location is approved.
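Review bot: In PATCH 1/9, the resource names in the first two bullets (`RG_SHM__SRE__NETWORKING` and `NSG_SHM__SRE__GUACAMOLE`) have nothing between the doubled underscores, so a system manager cannot tell which parts of the name are deployment-specific. Say what is substituted in those positions, so the reader does not open the wrong resource group or Network Security Group. Two smaller points in the same hunk: the second bullet reads "On the `Overview` tab, and navigate to", where the "and" should go, and the bare line `Source IP addresses/CIDR ranges` after the list looks like a leftover.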
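Review bot: In PATCH 3/9, the fourth bullet now allows the reader to "overwrite the existing entry if it is no longer required" but gives no check for deciding that. Overwriting the source list of `AllowUsersApprovedHttpsInbound` removes access for everyone connecting from the old address, so add a step to confirm that no approved user still relies on the existing entry before it is replaced. Style point in the second bullet: "e.g" is missing its trailing full stop.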
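Review bot: In PATCH 5/9, the new introduction says the allowed addresses "can be modified after deployment" and mentions that "an additional location is approved", but it does not say who approves the change or where that approval is recorded. Since the paragraph describes this as one of the controls for Tier 2/3 SREs, a sentence pointing to the approval step would stop the list being edited on a user's request alone. The last added line, "For example if their institutional IP address changes, or an additional location is approved.", is a sentence fragment; join it to the previous sentence or start it "For example, this applies if".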
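Review bot: In PATCH 8/9, the rewritten fourth bullet says to update `Source IP addresses/CIDR ranges` "to include IP addresses that should be able to access the SRE" without any guidance on the form or width of the value, and the fifth bullet states an outcome rather than a step. Suggest asking for individual addresses or the narrowest range that covers the approved location, and replacing the final bullet with a verification step: confirm that the remote desktop interface is reachable from an approved address and refused from one that was removed.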