Advanced: HSTS

Use Security > Advanced > HSTS to enable HTTP Strict Transport Security (HSTS). HSTS adds a layer of protection on top of HTTPS: Ivanti EPMM sends a Strict-Transport-Security response header, and a browser that has received it connects to Ivanti EPMM only over HTTPS and refuses, rather than merely warns about, an untrusted certificate. This defeats the man-in-the-middle techniques that rely on downgrading the user to plain HTTP or on the user clicking through a certificate warning, so an attacker on the path has far less opportunity to intercept requests and responses between a user and the web application server.

When you enable HSTS on Ivanti EPMM, web browsers that have received the HSTS header enforce an HTTPS connection for all further communication with Ivanti EPMM, for as long as the configured Max Age allows. If Ivanti EPMM uses a self-signed certificate, or if the portal certificate on Ivanti EPMM has expired, the browser displays an error and users cannot access the resource. Unlike an ordinary certificate warning, this error cannot be bypassed by the user. By default, HSTS is disabled.

Ivanti recommends caution before enabling HSTS. Because each browser caches the policy for the full Max Age, enabling HSTS may cause browsers to block access to Ivanti EPMM resources if a self-signed certificate is in use or if the certificate expires while browsers still hold the policy.

The following Ivanti EPMM services are impacted by HSTS:

  • Ivanti Admin Portal
  • Ivanti EPMM System Manager
  • Self-Service User Portal

When you enable HSTS, provisioning protocol access over port 8080 (plain HTTP) must be disabled. Access is allowed only for HTTPS over port 443.

This section includes the following topics:

  • Before enabling HSTS
  • Enabling HSTS
  • Disabling HSTS

Before enabling HSTS

Before enabling HSTS, ensure the following:

  • The portal certificate on Ivanti EPMM chains to a publicly trusted CA (through a root or intermediate certificate that browsers already trust), not to a self-signed or private certificate.
  • You have policies and processes in place to renew the certificate before it expires. An expired certificate behind an HSTS policy locks users out until it is replaced.
  • Port 443 is open.
  • The provisioning protocol is set to HTTPS and the provisioning port is set to 443. Provisioning protocol and port are set in the Ivanti EPMM System Manager, under Settings > Port Settings.
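The following script checks the conditions above from an administrator's workstation before HSTS is switched on. It is an added example and not Ivanti code: the host name, the 30-day renewal threshold and the expectation that nothing answers on port 8080 are assumptions for illustration. The certificate check uses the operating system's trust store, so a self-signed or private-CA certificate fails it in the same way a browser under HSTS would.

```python
# Pre-flight check before enabling HSTS on Ivanti EPMM. Added example, not
# Ivanti code; host name, MIN_DAYS_LEFT and the port expectations are assumptions.
import socket
import ssl
import time

HTTPS_PORT = 443                 # the only port allowed once HSTS is on
PROVISIONING_HTTP_PORT = 8080    # must stop answering before HSTS is on
MIN_DAYS_LEFT = 30               # assumed renewal threshold, not an Ivanti value


def assess_expiry(not_after, now_epoch, min_days=MIN_DAYS_LEFT):
    """Judge a certificate's notAfter string in the ssl module's format,
    e.g. 'Jun  1 12:00:00 2026 GMT'. Returns a finding, or None if acceptable."""
    days = (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400
    if days < 0:
        return "certificate expired %.0f days ago (%s)" % (-days, not_after)
    if days < min_days:
        return "certificate expires in %.0f days (%s); renew before enabling HSTS" % (days, not_after)
    return None


def assess_ports(https_open, provisioning_http_open):
    """Translate two reachability results into findings (empty list = fine)."""
    findings = []
    if not https_open:
        findings.append("port %d is not reachable" % HTTPS_PORT)
    if provisioning_http_open:
        findings.append("port %d still accepts connections; set the provisioning "
                        "protocol to HTTPS on port 443 first" % PROVISIONING_HTTP_PORT)
    return findings


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_certificate(host, port=HTTPS_PORT, timeout=5.0):
    """Return (cert, None) when the chain verifies against the OS trust store
    and the name matches, otherwise (None, reason)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, "certificate chain does not verify: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return None, "TLS connection to %s:%d failed: %s" % (host, port, exc)


def preflight(host, now_epoch=None):
    """Run every check against a live host; an empty list means go ahead."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    findings = assess_ports(port_open(host, HTTPS_PORT),
                            port_open(host, PROVISIONING_HTTP_PORT))
    cert, problem = fetch_certificate(host)
    if problem:
        findings.append(problem)
    else:
        expiry = assess_expiry(cert["notAfter"], now_epoch)
        if expiry:
            findings.append(expiry)
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "epmm.example.com"  # assumed host name
    for line in preflight(target) or ["all checks passed; safe to enable HSTS"]:
        print(line)
```

Run it as `python3 hsts_preflight.py epmm.example.com` (hypothetical file and host names). A firewall that silently drops connections shows up as an unreachable port 443 after the timeout, which is the correct answer for this check.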

Enabling HSTS

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > HSTS.
  3. Make the following selections:

    Status: select Enabled from the drop down list.

    Max Age: enter a number of seconds.

    This is the max-age value sent in the Strict-Transport-Security header. It is how long, counted from the most recent response that carried the header, a browser keeps enforcing HTTPS for Ivanti EPMM. Every response refreshes the timer, so the policy does not lapse for users who keep connecting; a browser that has not connected for longer than Max Age stops enforcing HSTS until it receives the header again. Browser vendors' general guidance is a value of at least one year (31536000 seconds); a shorter value during rollout limits how long users stay locked out if a certificate problem appears.

  4. Click Apply > OK.

Disabling HSTS

You can also disable HSTS using the Ivanti EPMM command line interface (CLI). For information about using the Ivanti EPMM CLI to disable HSTS, see "hsts-disable" in the Command Line Interface (CLI) Reference.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > HSTS.
  3. Change the Max Age to 0.

    When you set Max Age to 0, Ivanti EPMM sends the HSTS header with a max-age value of 0 to the browser. A browser that receives this header deletes its cached HSTS policy for Ivanti EPMM, which allows immediate access without requiring a trusted SSL/TLS certificate. Note that a browser processes the header only on an HTTPS connection it trusts: if users are already locked out by an expired or untrusted certificate, they never receive the max-age=0 response, and the cached policy remains in effect until its Max Age elapses or the user clears the browser's HSTS state. In that situation, replace the certificate first.
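The Max Age semantics described under Enabling HSTS, and the effect of Max Age 0 described here, modelled as a browser would apply them. This is an added example and not part of the Ivanti documentation or product. It assumes Ivanti EPMM sends a standard Strict-Transport-Security header (RFC 6797), uses an assumed host name as a dictionary key, and models only the browser behaviour this page discusses; times are Unix seconds.

```python
# Browser-side model of HSTS policy lifetime. Added example, not Ivanti code.
# Assumes a standard RFC 6797 Strict-Transport-Security header; host names are
# assumptions used only as keys.

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict, or
    return None if it carries no usable max-age (a browser ignores such a header)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None          # malformed, e.g. max-age=abc or max-age=-1
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


class BrowserHstsStore:
    """Per-host entries of a browser's HSTS store (RFC 6797 section 8.1)."""

    def __init__(self):
        self.expires_at = {}    # host -> Unix time after which HSTS stops applying

    def observe(self, host, header_value, received_at, tls_errors=False):
        """Process one response's HSTS header. Returns True if the store changed."""
        if tls_errors:
            # Browsers ignore the header on a connection with certificate errors,
            # so a self-signed or expired certificate can neither set nor clear a policy.
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            # max-age=0 deletes the cached policy: this is what Max Age 0 achieves.
            return self.expires_at.pop(host, None) is not None
        # Every fresh response restarts the timer; the policy only lapses for a
        # browser that has not received the header for longer than max-age.
        self.expires_at[host] = received_at + policy["max_age"]
        return True

    def enforces(self, host, now):
        """Would the browser currently refuse plain HTTP and unbypassable certificate errors?"""
        return host in self.expires_at and now < self.expires_at[host]


def lockout_scenario():
    """Walk through enable, refresh, a certificate lockout and the two attempts to
    disable. Returns named outcomes so the sequence can be checked."""
    host = "epmm.example.com"          # assumed host name
    store = BrowserHstsStore()
    t0 = 1_700_000_000
    store.observe(host, "max-age=600", t0)                       # administrator enables HSTS
    store.observe(host, "max-age=600", t0 + 500)                 # user keeps visiting; timer refreshed
    still_enforced_after_first_window = store.enforces(host, t0 + 900)
    # The certificate expires: the response is blocked, so the header is never processed.
    cleared_while_locked_out = store.observe(host, "max-age=0", t0 + 950, tls_errors=True)
    locked_out = store.enforces(host, t0 + 950)
    # After the certificate is renewed, the Max Age 0 response reaches the browser.
    cleared_after_renewal = store.observe(host, "max-age=0", t0 + 960)
    enforced_after_clear = store.enforces(host, t0 + 961)
    return {
        "still_enforced_after_first_window": still_enforced_after_first_window,
        "cleared_while_locked_out": cleared_while_locked_out,
        "locked_out": locked_out,
        "cleared_after_renewal": cleared_after_renewal,
        "enforced_after_clear": enforced_after_clear,
    }


if __name__ == "__main__":
    for name, outcome in lockout_scenario().items():
        print("%-36s %s" % (name, outcome))
```

The scenario is the practical lesson of this section: setting Max Age to 0 only helps browsers that can still complete a trusted HTTPS connection, so a certificate problem has to be fixed before the header can undo the lockout.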

For additional information see Security Bulletin: HTTP Strict Transport Security (HSTS) in Ivanti EPMM 9.0.