HTTP Server Config

Use this page to change the HTTP port on which the web server will run, enable HTTP Secure (HTTPS) operation, and optionally change the default HTTPS port from 443 to a different value.

Select Network Configuration / HTTP.

 

HTTP Enable – Enter the port number for the HTTP server. The default is port 80.

By default, the receiver supports unencrypted HTTP traffic through port 80. Once HTTPS is enabled, encrypted web interface access is available from a client browser by entering a receiver URL starting with “https://” followed by the IP address or the DNS-supported name by which the receiver IP is known.

If the HTTPS port has been changed from the default value of 443, then a colon (:) followed by that port must be appended to the URL.

For example, if HTTPS is running on port 8443 on a receiver at IP 10.20.30.40, the URL for encrypted web interface access would be “https://10.20.30.40:8443”.

If an HTTPS certificate has not been installed through the SSL Certificates page, a default self-signed certificate is used but will never be trusted by a web browser. The browser will caution the user not to proceed to the receiver web interface, and you must enable access as an exception.

If an HTTPS certificate is installed, it, too, will not be trusted by a web browser unless the following conditions are met:

  • The root CA certificate and any intermediate CA certificates are installed on the web client computer in the “trusted” certificate stores.

  • The “common name” specified in the HTTPS certificate Subject field matches the name in the URL used to access the receiver.

HTTP Server Port – Enter the port number for the HTTP server. The default is port 80.

HTTP Secure Enable – Enter a port number (the default is 443) and update your port forwarding rules (if applicable). You can then access the secure port by using the "https://" prefix in the URL.

These settings are only available if the HTTPS option is installed. See Receiver Options – Details.

High Security – The High Security mode disables some older cryptographic ciphers still supported by OpenSSL and also disables TCP and ICMP timestamps.

Boot Monitor IP Port – In the rare event that the firmware is corrupt or there is a repetitive reboot issue, you can use this low-level mode to upgrade the firmware. The only way to upgrade the corrupt firmware is with local access to the receiver via RS-232, CAN, USB, or TCP/IP. For more information, contact Trimble Support.


Network Security Risks

This list indicates the possible security risks associated with the receiver. Implementing HTTPS and High Security mode improves the security of the device, but you should also minimize all the different points where an unauthorized user could get into the system. All services that are not required should be disabled. For example:

  • If the application does not require the FTP server, turn it off. See FTP Server Configuration.

  • If HTTPS is active, turn off HTTP. See HTTP Enable above.

  • Is HTTPS needed? If the application does not require web access, both HTTP and HTTPS can be disabled. See HTTP Enable and HTTP Secure Enable above.

  • If service discovery is not required, then turn off mDNS, UPnP, and NETBIOS. See Network Service Discovery Configuration. These features are very useful during integration and development, but may not be used in the end application and can become security vulnerabilities.

  • If NTP is not required, disable it. See NTP Configuration.

  • Disable all unused TCP/IP and UDP connections. See I/O Configuration. Only allow inbound connections on the remaining ports if the use case requires it. The ports can be configured as output only; if the application only requires information from the receiver, make sure the port(s) are set to output only.

  • If HTTP and/or HTTPS must be enabled, make sure that the user accounts have the appropriate permissions.

  • Enable the High Security mode. See High Security above.
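
The checklist above can be applied as a repeatable audit of a receiver's settings. The following is an added example, not part of the original documentation or of any Trimble tool; the service labels, the IoPort record and the sample inventory are assumptions made for illustration, and the inputs are meant to be transcribed by hand from the receiver's configuration pages.

```python
from dataclasses import dataclass

@dataclass
class IoPort:
    name: str            # label for the connection (constructed in the sample)
    in_use: bool         # the application uses this connection
    needs_inbound: bool  # the application must send data to the receiver
    output_only: bool    # current setting on the I/O Configuration page

def audit(enabled, required, high_security, io_ports):
    """Return hardening findings for one receiver.

    enabled / required are sets of service labels chosen for this example:
    ftp, http, https, ntp, mdns, upnp, netbios. Every input is transcribed
    by hand from the configuration pages; nothing is queried from the device.
    """
    findings = []
    unneeded = enabled - required
    # HTTP is flagged whenever HTTPS is also on, even if listed as required.
    if {"http", "https"} <= enabled:
        findings.append("http: HTTPS is active, turn off HTTP")
        unneeded = unneeded - {"http"}
    for svc in sorted(unneeded):
        findings.append(f"{svc}: enabled but not required, turn it off")
    if not high_security:
        findings.append("high-security: mode is off, enable it")
    for port in io_ports:
        if not port.in_use:
            findings.append(f"{port.name}: unused connection, disable it")
        elif not port.needs_inbound and not port.output_only:
            findings.append(f"{port.name}: set to output only")
    return findings

# Constructed sample inventory, not taken from a real receiver.
SAMPLE_ENABLED = {"http", "https", "ftp", "mdns", "ntp"}
SAMPLE_REQUIRED = {"https", "ntp"}
SAMPLE_IO = [
    IoPort("tcp/28001", in_use=True, needs_inbound=False, output_only=False),
    IoPort("tcp/28002", in_use=False, needs_inbound=False, output_only=False),
    IoPort("udp/28003", in_use=True, needs_inbound=True, output_only=False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ENABLED, SAMPLE_REQUIRED, False, SAMPLE_IO):
        print(line)
```

User account permissions for HTTP/HTTPS access are not covered by this check and still need a manual review.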