By default, Diplomat MFT launches with bindings on two ports: one for HTTP and one for HTTPS. Refer to this article for those default ports and how to change them.
In some rare circumstances you may wish to restrict this to a single IP address out of several, or even to only the localhost loopback address (127.0.0.1).
Considerations and background information
Before beginning, make sure it’s clear why such a change would be desirable. Contact the Coviant Support team if you’re thinking about such a change but aren’t certain of the outcome or ramifications of doing so. And before taking any of the steps below, use the Windows command line utility “ipconfig” on the Diplomat server (or “ifconfig” on Linux) to verify that the IP address you’re intending to use is actively bound to the computer’s network interfaces.
By default, Diplomat MFT listens for incoming HTTP and HTTPS connections on all available local IP addresses ("0.0.0.0"). On most servers that means a single internal IP address plus the loopback address. The practical result is that anyone on the same network(s) as the Diplomat server computer can reach the login page and, with valid credentials, log in as an administrator. The Diplomat server computer is generally part of a trusted internal network, alongside other application servers, file servers, and so on, so this configuration usually does not need to be changed.
Changing this binding is not the mechanism for allowing or blocking login attempts from external administrators; that is the job of network and OS firewalls. Further, the Diplomat server computer's IP address(es) are typically internal and unroutable, unreachable from the outside world unless someone takes highly unusual, explicit steps to reconfigure network firewalls and NAT devices to permit such connections. If you contract third-party firms or individuals to manage your systems, they should already have established methods of reaching resources on your internal network, such as VPN connections to "jump boxes" or similar options.
How to Change the Listening IP Address
To change which IP address the Diplomat MFT Server listens on, you must edit the server.xml file which is found in the following path:
C:\Program Files\Coviant Software\Diplomat-j\tomcatWebserver\conf
NOTE: for Trial installations, the path needs to be modified to “Diplomat-trial” instead of “Diplomat-j” referenced above.
Inside server.xml, locate the <Connector> element for port 8080 (8081 for trial installations). Inside that element, on a new line directly below the opening of the tag, add an "address" attribute whose value is the IP address on the Diplomat server computer that you want Diplomat to use. For example, to limit admin connections to the local machine only, use 127.0.0.1 as shown below.
The net result of the <Connector> section of server.xml will look something like this:
<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" SSLCertificateFile="conf/diplomat.certificate.pem" SSLCertificateKeyFile="conf/diplomat.key.pem" SSLVerifyClient="none" SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3" SSLCipherSuite="ECDHE-RSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES128-GCM-SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256" />
When you have finished editing, save the file and restart the Diplomat MFT 64 (or Diplomat 64 Trial) service. Your Diplomat MFT Server should now be listening for socket connections only on the specified IP address. Verify with "netstat -an" (Windows or Linux): the entry for the port should show the chosen address, for example 127.0.0.1:8080, rather than 0.0.0.0:8080. If the service fails to start after the change, the most likely cause is an address that is not bound to a local interface; restore the original server.xml and re-check with ipconfig.
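The whole procedure above, scripted as an added example (this is not Coviant tooling and is not part of the original article): it checks that the address is actually configured on the host, backs up server.xml, sets the "address" attribute on the <Connector> element(s) as XML rather than by string replacement, restarts the service, and then verifies the binding. It generalizes the article's single connector to a list of ports, so the second (HTTP) connector mentioned at the top of the article can be restricted in the same run. Assumptions: the non-trial install path and "Diplomat MFT 64" service name (substitute Diplomat-trial and "Diplomat 64 Trial" for trial installs), port 8080 as in the article, and an elevated PowerShell session on the Diplomat server itself.

```powershell
# Added example, not Coviant's own code: bind Diplomat MFT's Tomcat connector(s)
# to one address, restart the service, and verify the result.
# Assumptions: default non-trial install path, service "Diplomat MFT 64", port 8080.
param(
    [string]$ListenAddress = '127.0.0.1',
    [int[]]$Ports = @(8080),          # add the HTTP port here to restrict both connectors
    [string]$ConfDir = 'C:\Program Files\Coviant Software\Diplomat-j\tomcatWebserver\conf',
    [string]$ServiceName = 'Diplomat MFT 64'   # matched against service name or display name
)

$serverXml = Join-Path $ConfDir 'server.xml'

# 1. The article's ipconfig check, done programmatically: refuse an address that is
#    not configured on this host, since Tomcat cannot bind to it and will not start.
$localAddrs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if ($localAddrs -notcontains $ListenAddress) {
    throw "$ListenAddress is not bound to any local interface; not touching $serverXml"
}

# 2. Timestamped backup so the edit can be rolled back.
$backup = "$serverXml.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $serverXml -Destination $backup

# 3. Edit as XML so the very long Connector element keeps every other attribute.
#    Each requested port gets the same address attribute.
[xml]$doc = Get-Content -Path $serverXml -Raw
foreach ($port in $Ports) {
    $connector = $doc.SelectSingleNode("//Connector[@port='$port']")
    if (-not $connector) { throw "No <Connector port=`"$port`"> found in $serverXml" }
    $connector.SetAttribute('address', $ListenAddress)
}
$doc.Save($serverXml)

# 4. Restart so Tomcat re-reads server.xml, then wait for the listeners to come up.
$svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
if (-not $svc) { throw "Service '$ServiceName' not found" }
Restart-Service -InputObject $svc -Force
$deadline = (Get-Date).AddSeconds(90)
do {
    Start-Sleep -Seconds 3
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort })
} while ($listeners.Count -lt $Ports.Count -and (Get-Date) -lt $deadline)

# 5. Verify: every requested port must be bound to $ListenAddress and nothing else
#    (a leftover 0.0.0.0 or :: listener means a connector was missed).
$listeners | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
$wrong = @($listeners | Where-Object { $_.LocalAddress -ne $ListenAddress })
if ($wrong.Count -gt 0 -or $listeners.Count -lt $Ports.Count) {
    Write-Warning "Binding is not as expected; the original server.xml is at $backup"
} else {
    Write-Host "Diplomat MFT now listens only on $ListenAddress for port(s) $($Ports -join ', ')"
}
```

Saving through the XML parser re-indents server.xml, which is why the backup is taken first. The final check is stricter than a plain netstat glance: it flags any listener on the chosen port(s) whose address is not the requested one, which catches a connector that was left on all interfaces (shown as 0.0.0.0, or :: when Java binds dual-stack).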