Applicable to:
- Plesk
Introduction
Those partners who want to protect their Plesk licenses from being stolen and used at alien servers could use restrictions by IP. There are two types (levels) of such restrictions available in KA:
- Restrict by IP range(s). IP range(s) are specified at client level in Key Administrator. Applicable to all Plesk licenses under the client.
- Restrict by individual IP address (so-called "IP binding"). IP address is specified at license level in Key Administrator. Applicable to an individual license.
You can use either type of restrictions for your licenses (or their combination).
Restrict by individual IP address (so-called "IP binding")
IP binding is the feature that allows you to bind any Plesk license to a certain server IP address.
How does IP binding work?
There are two possible behaviors of “IP binding” feature:
- “Lookup only”
This behavior is the default one and is useful for cases when you need to reinstall Plesk on the same server. For example, you have a Plesk server with a production license that is bound to the server IP address. After you reinstall Plesk, you get clean Plesk instance without any data and license file. Plesk will connect to Key Administrator and get the license file with the server IP address.
- "Lookup and Restrict"
In addition to “reinstall” scenario, this behavior also includes “restrict” scenario. It allows restricting a Plesk license for use only on one server.
When your Plesk license is bound to some IP address and has “Lookup and Restrict” behavior selected, it can be used only on that server. If someone tries to copy the license file and install it on a different server, this new instance of Plesk will fail to update license.
This behavior can be helpful for partners who want to restrict usage of their Plesk licenses to certain IP addresses and avoid piracy.
How can I manage IP binding?
IMPORTANT: IP binding management is available only for Plesk partners having access to Key Administrator and/or Key Administrator Partner Central. If you are a Plesk partner and need to change IP binding behavior, log in to your account in Key Administrator/Partner Central.
IP binding behavior can be set at two levels:
1. “Reseller” / “Client” level:
- All newly created clients inherit IP binding behavior from a parent account.
- IP binding behavior can be set for the required client.
2. “Key” level:
- When a new key is created, it inherits the behavior specified for its client.
IMPORTANT: changing behavior for a client does not change the behavior for already existing keys under this client. “Inheritance” works only during key creation. So if the behavior is set to “Lookup and Restrict” for an existing client, it should be also switched to “Lookup and Restrict” explicitly for all previously created keys.
To switch IP binding behavior between “Lookup only” and “Lookup and Restrict” behaviors for existing licenses you can choose one of the following options:
- Change settings for multiple licenses via mass-operation in Partner Central: select licenses > click “more” > “change IP behavior”;
- Change setting for a single license in Partner Central if a license has been already bound to IP: open license > click “more” > “Change Binding to IP Address”;
- Change the setting for a single license via Partner API 3.0 using the “restrictIPBinding” field. For more details, see License Key Structure (Full) for more details.
How does automatic IP binding work?
To simplify licenses control you can enable automatic IP binding. The setting is available only for Plesk partners having access to Key Administrator and/or Key Administrator Partner Central.
Automatic IP binding can be set at the “Reseller” or “Client” level.
“Reseller” / “Client” level:
- All existing clients have “Disabled” selected by default.
- All newly created clients inherit the setting from a parent account.
- Automatic IP binding behavior can be set to “Enabled” for the required client.
“Enabled” auto IP binding means that with the next request from Plesk server, the public IP address will be bound to the requested license automatically.
Depending on the license IP binding behavior all the future requests from Plesk servers with other IP addresses:
- Will be processed and a license will be provided if IP binding behavior is “Lookup only”.
- Will be rejected, and a license will not be provided if IP binding behavior is “Lookup and Restrict”. A user in Plesk will see the message “Request cannot be serviced from the specified IP(s): 203.0.113.2”
Note: a license can be provided to the Plesk server, but not bound even if auto IP binding is enabled. It happens if a requested IP address of Plesk server is already bound to another license. If you are going to use the current license on the Plesk server either remove IP address for another license or terminate it.
To change bounded IP address, open the license, click “More” and select one of two available options:
- “Change Binding to IP Address” allows adding a specific IP address and change IP binding behavior.
- “Remove Binding to IP Address” removes the current bonded IP address. The IP address of the next request from Plesk server will be automatically bound to a license.
Important facts to know
-
IP restrictions (IP ranges and IP binding) do not work with IPv6. Key Administrator does not have IPv6 address, therefore no IPv6-to-IPv6 routing is possible.
-
If you are a partner and use some load-balancing solution in front of Plesk server that causes use of dynamic public IP address, then:
- You should either take care of directing the outgoing traffic to ka.plesk.com via a permanent public static IP address.
- Or should not use IP restrictions in Key Administrator.
-
If you are a partner and have multiple public IP addresses on your server, and any of these IP addresses may be used as an address for outgoing connections, then:
- You should either take care of directing their outgoing traffic to ka.plesk.com via a permanent public static IP address.
- Or should not use IP restrictions in Key Administrator.
Comments
0 comments
Please sign in to leave a comment.