Vulnerability in EPiServer.Forms
I'm attempting to run the EPiServer CMS UI (Edit/Admin) on a seperate port so we can secure it better however I'm having a bit of difficaultly getting it to work.
For reference, Imm using EpiServer 7.5.402.0.
I'm following the guide here;
While I can get the Edit/Admin pages running on both ports (in my example 8000 is main site, 8888 is edit/admin), I can't get it to stop access on the main site (port 8000).
I think my confusion is arround step 2. If I'm not interested in renaming the UI folder do I need to modify this setting or not? This then follows into steps 3 and 4 (same issue).
Step 5 (IIS setup) works fine, no issues at that point.
As far as I understand you don't have to rename UI folder to map it to another port. You have to point to absolute path in `uiUrl` attribute for the site settings.
What exactly you ment for "I can't get it to stop access on the main site (port 8000)." Are you not able to secure access from admin part to the main site?
Good, I wasn't sure if I was expected to rename the UI folder as well. I put in an absolute URL ("http://localhost:8888/EPiServer/" in this case as it's my dev box) and steup IIS.
While this works as far as port 8888 goes, on the main site (port 8000) I can still access the UI (i.e. via "http://localhost:8000/EPiServer/").
This is the bit I don't know if is expected or not. It's not what I want though.
What you did is to tell EPiServer that Edit and Admin mode actually *could* be found on different port as well.
I suppose that Admin and Edit mode is still available from main site because it's not restricted in IIS and as web site and Admin and Edit mode are actually the same application sharing the same config files (was considering of locking down using `location` element) I'm not quite sure what outcomes to expect from description page you mentioned.
Yeah, it does appear that is the case.
What I want is to relocate the port it's on. Which is what this;
"EPiServer CMS allows relocation of the edit and admin folders and configurable HTTP port" states/implies.
However it doesn't seem to be working like that.