October 30, 2017

This notice is for any customers that are currently using the Deadline Proxy Server in Deadline 8 or later, or the Deadline Remote Connection Server (RCS) in Deadline 10. These are optional applications that ship with Deadline, documented here:

Proxy Server Documentation

RCS Documentation

These applications are designed to be installed and accessible only from within your internal network. However, we have identified an issue that requires your attention to ensure that the contents of your Deadline Database and Repository are not inadvertently visible on the Internet. If you have exposed the Deadline Proxy Server or the Deadline Remote Connection Server to the internet, you may have inadvertently exposed information about your jobs (job names, render logs, auxiliary files submitted with the job), your render nodes (machine name, IP address, MAC address), and your Deadline users (user names, email addresses).  If you have either the Deadline Proxy Server or the Deadline Remote Connection Server visible to the internet (for example, via open ports in your router or VPC), we recommend you take the corrective action listed below to eliminate any unintended risk of exposure. The corrective actions are to (1) halt the Deadline Proxy or Remote Connection Server, (2) update your Deadline install, and (3) enable hardening features to secure your Deadline farm. Even if these applications are not visible to the internet, we still recommend step 3 as a security best practice.

STEP 1: CONFIRM WHETHER OR NOT YOU’RE RUNNING DEADLINE PROXY SERVER OR REMOTE CONNECTION SERVER

Use the Deadline Monitor and open up the Proxy Server Panel (Deadline 8 or 9) or the Connection Server Panel (Deadline 10). (Refer to below links for details)If there are no running instances, then you can skip to step 3 now. If you see an instance in the panel with a status of ‘Running’, then you are running one of these applications. Please continue to step 2.

Proxy Server Panel

Connection Server Panel

STEP 2: STOP DEADLINE PROXY SERVER OR REMOTE CONNECTION SERVER & ENFORCE SIGNED CLIENT CERTIFICATE VALIDATION

1.      To stop the application:  Log into the machines that are running them (if you’re unsure, this is tracked in the Monitor Panels mentioned above) and close the Terminal window that is running the application, or switch to the terminal and use the Ctrl+C key combination.

If you cannot identify the terminal window that is running these programs, you can also simply terminate the ‘deadlineproxyserver’ and/or ‘deadlinercs’ processes via your OS’s process management tools (Task Manager on Windows, Activity Monitor on OS X, ps and kill on Linux).

2.      Upgrade your Deadline installation & enforce signed client certificate validation: If you are running a service such as Nginx to force client certificate verification when acting as a TLS termination service for the Proxy/RCS , we recommend ceasing use of either Nginx or the Proxy/RCS until they can be properly re-configured to require client certificate validation (note that this will require an updated Deadline version). Follow these steps:

a.      Ensure you’ve stopped the Proxy/Remote Connection Server.

b.      Stop Nginx: run “sudo nginx -s stop” from a terminal on the machine that is running it.

c.      Upgrade your Deadline installation to version 8.0.18.0, 9.0.9.1, or 10.0.6.3, which were released on Friday October 27th, to enforce client certificate validation. The installers for these new versions can be found at: https://downloads.thinkboxsoftware.com

d.      To configure Nginx to require clients to provide a valid certificate signed by a given CA (e.g. /etc/nginx/certs/ca.crt), simply add the “ssl_verify_client on;” and “ssl_client_certificate /etc/nginx/certs/ca.crt;” settings to your server’s configuration file. If you followed the Nginx setup directions in Deadline’s documentation, this configuration file should be located at /etc/nginx/deadline.conf, or possibly /etc/nginx/conf.d/deadline.conf. Once the changes to the configuration are done you must run “sudo nginx -s reload” in order for the changes to take place.

STEP 3: LIMITING WHICH MACHINES WITHIN YOUR NETWORK CAN COMMUNICATE WITH THESE APPLICATIONS

Enable the Network Whitelist feature in Deadline 9 and 10 by specifying the IP addresses or IP address ranges for the machines in your farm that need to communicate with it, and then restart the Proxy Server or RCS application. If you are running Deadline 8, we recommend updating to Deadline 10 so you can use Network Whitelist along with other feature enhancements.

Network whitelisting in Deadline 9

Network whitelisting in Deadline 10

DEADLINE 10 CUSTOMERS USING THE AWS PORTAL

If you are using the Remote Connection Server in Deadline 10 to enable the AWS Portal feature, the AWS Portal Link service is already securing the communication between the AWS Portal Infrastructure and your RCS. These recommendations ensure your RCS isn’t otherwise exposed to the internet. Additionally, we recommend enabling the Network Whitelist and specifying the IP address of the machine that’s running the AWS Portal Link service.

These recommendations are to ensure that information about your render farm is only accessed by the machines within your network that need access to it.

We apologize for any inconvenience this may cause. If you have any questions or concerns, please contact Thinkbox Support: http://www.thinkboxsoftware.com/support-links/.

Thank you.