As of Oct 15, 2015 the web server registration process has changed.

  • Web server registration is now part of the iprequest application.  There is no longer a separate application.
  • Web servers are no longer made instantly available to the Internet; they must first pass a vulnerability scan.


Web server registration is a low cost, low impact activity that has reasonable and specific benefits:

  1. Reduced internet footprint - it is beneficial to reduce the Lab's exposure of unneeded and unmanaged web servers. Examples include printers and cameras, as well as misconfigured and abandoned web servers.
  2. Awareness of openness to the Internet - web server owners specifically acknowledge the increased risk of opening their web server to the Internet. This acknowledgment will increase awareness of the risks, thus incentivizing properly securing exposed web servers.
  3. Early security checkup - this process will allow Cyber to look for vulnerabilities before the web server is exposed to the Internet.

How To Register

  1. To register a web server visit:

  2. Enter your computer name in the "Add, modify or remove a FQDN:" field and click "next".

  3. Check the boxes next to the port exceptions you would like to create and click "next".

  4. If you are done making changes, click "submit".

  5. You will then receive an email like the one below that your request has been submitted.  


  6. The cyber security group is notified about your request. They will scan your web server for vulnerabilities.  If no vulnerabilities are found the request will be approved.  If vulnerabilities are found, you will be contacted to resolve them before the request is approved. 

    For urgent situations where you need the web server immediately accessible, please contact

How to Unregister (delete) a Web Server

  1. To delete a web server visit:

  2. Enter your computer name in the "Add, modify or remove a FQDN:" field and click "next".

  3. Uncheck the boxes next to the port exceptions you would like to remove and click "next".

  4. If you are done making changes, click "submit".

  5. You will then receive an email like the one below that your exception request is processing.

Email List for Registration

All registered web server contacts are added to the webserver-registration mailing list, which is used to announce vulnerabilities and communicate other important information. To join the webserver-registration mailing list, use the form located here.


  1. How long after I register will the web server become accessible from the Internet?

    Our goal is less than 48 hours. We have to scan the web server, and the scan can take some time to run.

  2. Can I register a DHCP host as a web server?

    No. In order to register a web server and have it be visible to the Internet, you must acquire a static IP address. 

  3. Why was my web server unregistered?

    There are two reasons why the cyber security group will unregister a web server. The first is that the web server is no longer online or no longer at the registered IP address. Unregistering the IP prevents some future computer at that IP from improperly becoming a registered web server without its owner knowing it. The second reason is to protect the web server from some critical vulnerability as discussed here.

  4. Do I need to register all of the web server's virtual hosts and hostnames (i.e. cnames)?

    The policy that enforces web server registration only understands IP addresses. Hence, web server registration is essentially IP based. If the computer has multiple name-based virtual hosts or cnames branched from one IP address, only the one IP address needs to be registered. If the host uses multiple IP addresses, one for each virtual host, all of the IP addresses need to be registered.

  5. What if the IP address of my web server changes?

    There is no way to change an IP address within the web server registration application. If the IP address of your web server changes, you will need to unregister the old web server IP and register the web server at the new IP address. For example, if your web server moves to a different building, it will likely get a new IP address.

  6. Do I need to register 'HTTP' or 'HTTP and HTTPS'?

    It depends. You may have to check with your server administrator or web programmer. The vast majority of web servers at the lab only have HTTP access from the Internet. If you are not sure, you can see if port 443/tcp is open on your web server. If the port is not open, it is unlikely you need HTTPS. CPP can help determine if you need HTTPS access; just let us know.

  7. How can I confirm my web server is registered?

    You can confirm a web server is registered in two ways.

    1. Use onestop page at and examine the reported port exceptions.


    2. Observe the full list of port exceptions at:

  8. What about Internet accessibility to other ports on my web server?

    Web server registration does not affect any ports besides 80/tcp and 443/tcp. Internet accessibility to all other ports on your web server is unaffected by web server registration. For example, if you want to SSH (22/tcp) to your web server, that access remains unaffected whether or not you register your web server. Keep in mind CPP always recommends you configure your computer for minimum exposure to the Internet, while meeting your business needs.

  9. What about web servers on non-standard ports?

    We recognize that a web server can listen on any port, e.g. a non-standard port. Normally a web server listens on 80/tcp and an SSL-enabled web server listens on port 443/tcp. The case where web servers run on non-standard ports is not addressed by web server registration at this time. If you would like to run a web server on a non-standard port, no registration is required. The cost-benefit calculus for registering web servers on non-standard ports or requiring web servers to use standard ports is not clear.

  10. I need to run some other application, that is not a web server, on 80/tcp or 443/tcp. Do I need to register?

    Yes. If you have some device or application that is not a web server and needs 80/tcp or 443/tcp to be visible from the Internet, it must be registered. For example, if you have a web camera that you control from the Internet via 443/tcp, the camera needs to be registered.

  11. Are registered web servers open to the entire Internet?

    Not necessarily. Registration allows traffic to reach a web server through the LBNL border router, but host or local firewalls may further restrict access. CPP recommends and encourages web servers be configured to restrict traffic to the minimum required, commonly referred to as the principle of least privilege. For example, if your web server only needs to be accessed from NERSC, implement local firewall rules that only allow access from NERSC.

  12. How do I update my web server contacts?

    Web server contacts can be updated through Once logged in, enter your computer name and click next.  The next page has a field that contains "Modify contacts or location" in its title.


  1. Web servers may be automatically un-registered by the Computer Protection Program (CPP) if they meet any of the following conditions:

    1. Web server not on the network for 30 days (arp data)
    2. Web server has no network traffic from the Internet in last 30 days
    3. Web server not enabled (listening) in last 30 days




Web Traffic

Network traffic on tcp port 80 or tcp port 443.

Web Server

Any device that accepts web traffic, that is, that listens on tcp port 80, normally for the HTTP protocol, or tcp port 443, normally for HTTPS protocol.

Internet ¹

Any address space outside of 131.243.* and 128.3.*.


Intranet

The address space within 131.243.* and 128.3.*.

Berkeley Lab network

Synonymous with intranet.

¹ Internet here includes the address space of organizations closely affiliated with Berkeley Lab, such as NERSC, ESnet, JGI, and others.
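
The three automatic un-registration conditions listed earlier can be checked mechanically against inventory data, using the Internet/intranet definitions above. This is an added example, not CPP's own tooling; the function names, record layout, sample addresses, and the choice to count only 80/tcp and 443/tcp traffic toward the "traffic from the Internet" condition are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Lab address space per the definitions above: 131.243.* and 128.3.*
LAB_NETS = (ip_network("131.243.0.0/16"), ip_network("128.3.0.0/16"))
WEB_PORTS = {80, 443}          # "web traffic" as defined above
WINDOW = timedelta(days=30)


def is_internet(addr):
    """True if addr is outside the Lab ranges, i.e. 'Internet' as defined above."""
    ip = ip_address(addr)
    return not any(ip in net for net in LAB_NETS)


def unregister_reasons(server_ip, arp_seen, listen_seen, flows, now):
    """Return which of the three 30-day conditions server_ip meets.

    arp_seen / listen_seen: datetime of the last ARP sighting / last time
    80/tcp or 443/tcp was seen listening (None means never seen).
    flows: iterable of (timestamp, src_ip, dst_ip, dst_port) tuples.
    """
    cutoff = now - WINDOW
    reasons = []
    if arp_seen is None or arp_seen < cutoff:
        reasons.append("not on the network for 30 days")
    # Assumption: only web traffic (80/443) from Internet sources counts.
    recent_internet = any(
        dst == server_ip and port in WEB_PORTS
        and ts >= cutoff and is_internet(src)
        for ts, src, dst, port in flows
    )
    if not recent_internet:
        reasons.append("no traffic from the Internet in last 30 days")
    if listen_seen is None or listen_seen < cutoff:
        reasons.append("not listening in last 30 days")
    return reasons


# Constructed sample data (not real Lab hosts or flows).
NOW = datetime(2015, 11, 30)
FLOWS = [
    (datetime(2015, 11, 20), "198.51.100.7", "131.243.10.5", 80),  # Internet source
    (datetime(2015, 11, 25), "128.3.4.9", "131.243.10.6", 443),    # intranet source
    (datetime(2015, 10, 1), "203.0.113.9", "131.243.10.6", 80),    # older than 30 days
]
```

In the sample data, 131.243.10.6 is flagged even though it received recent traffic, because that traffic came from inside 128.3.*, which is intranet by the definitions above.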


If you have questions or comments about this website, please contact the CPP group via email at

If you need general computer assistance, please contact the LBNL Help Desk at x4357,, or online at


