oracle · rjeberhard · Sep 9, 2021 · Aug 31, 2021 · Aug 31, 2021 · Aug 31, 2021
diff --git a/documentation/staging/content/faq/external-clients.md b/documentation/staging/content/faq/external-clients.md
@@ -547,6 +547,8 @@ please see [Meet Kubernetes resource name restrictions]({{< relref "/userguide/m
 
 - You can configure a custom channel with a secure protocol and two-way SSL to help prevent external access by unwanted applications. See [When is a WebLogic custom channel needed?](#when-is-a-weblogic-custom-channel-needed).
 
+- For a detailed description of external network access security, see [External network access security]({{< relref "/security/domain-security/weblogic-channels.md" >}}).
+
 #### Optional reading
 
 - For a description of the WebLogic URL syntax for JMS, EJB, and JNDI applications

diff --git a/documentation/staging/content/security/domain-security/weblogic-channels.md b/documentation/staging/content/security/domain-security/weblogic-channels.md
@@ -1,21 +1,90 @@
 ---
-title: "Channels"
+title: "External network access security"
 date: 2019-03-08T19:07:36-05:00
 weight: 2
-description: "WebLogic channels"
+description: "Remote access security"
 ---
 
-#### WebLogic T3 channels
+#### WebLogic T3 and administrative channels
 
 {{% notice warning %}}
 Oracle recommends _not_ exposing any administrative, RMI, or T3 channels outside the Kubernetes cluster
-unless absolutely necessary. If exposing any of these channels, limit access using
-controls like security lists or set up a Bastion to provide access.
+unless absolutely necessary.
 {{% /notice %}}
 
-When accessing T3 or RMI based channels, the preferred approach is to `kubectl exec` into
-the Kubernetes Pod and then run `wlst`, or set up Bastion access and then run
-`wlst` from the Bastion host to connect to the Kubernetes cluster.
+If exposing an administrative, RMI, EJB, JMS, or T3 capable
+channel using a load balancer,
+port forwarding, `NodePorts`, or similar,
+then limit access by using a custom
+dedicated WebLogic Server port that you have configured
+with the T3 or administration protocol (a network access point)
+instead of relaying the traffic to a default port,
+leverage two-way SSL, use controls like security lists,
+and/or set up a Bastion to provide access. A custom channel
+is preferred over a default channel because a default port supports
+multiple protocols.
 
-Also, consider a private VPN if you need use cross-domain T3 access
-between clouds, data centers, and such.
+When accessing T3 or RMI based channels for administrative purposes,
+such as running WLST, the preferred approach is to `kubectl exec` into
+the Kubernetes Pod and then run `wlst.sh`, or set up Bastion access and then run
+`java weblogic.WLST` or `$ORACLE_HOME/oracle_common/common/bin/wlst.sh`
+from the Bastion host to connect to the Kubernetes cluster
+(some cloud environments use the term Jump Host or Jump Server instead of Bastion).
+
+Also, if you need to use cross-domain T3 access
+between clouds, data centers, and such, consider a private VPN.
+
+#### WebLogic HTTP channels
+
+When providing remote access to HTTP using a load balancer,
+port forwarding, `NodePorts`, or similar,
+Oracle recommends relaying the traffic to a dedicated
+WebLogic Server port that you have configured
+using a custom HTTP channel (network access point)
+instead of relaying the traffic to a default port.
+This helps ensure that external
+traffic is limited to the HTTP protocol. A custom HTTP channel
+is preferred over a default port because a default port supports
+multiple protocols.
+
+Do not enable tunneling on an HTTP channel
+that is exposed for remote access unless you specifically
+intend to allow it to handle T3 traffic
+(tunneling allows T3 to tunnel through the channel using HTTP)
+and you perform the additional steps that may be necessary
+to further secure access, as described
+in [WebLogic T3 and administrative channels](#weblogic-t3-and-administrative-channels).
+
+#### Limit use of Kubernetes NodePorts
+
+Although Kubernetes `NodePorts` are good for use in demos and getting-started guides,
+they are typically not suited for production systems for multiple reasons, including:
+
+- With some cloud providers, a `NodePort` may implicitly expose a port to the public Internet.
+- They bypass almost all network security in Kubernetes.
+- They allow all protocols (load balancers can limit to the HTTP protocol).
+- They cannot expose standard, low-numbered ports like 80 and 443 (or even 8080 and 8443).
+- Some Kubernetes cloud environments cannot expose usable `NodePorts` because their Kubernetes clusters run on a private network that cannot be reached by external clients.
+
+#### General advice
+
+1. _Set up administration ports_: Configure an administration port on WebLogic, or an administrative channel, to prevent
+   all other channels from accepting administration-privileged traffic
+   (this includes preventing administration-privileged traffic from a WebLogic console over HTTP).
+
+1. _Be aware of anonymous defaults_:
+   If an externally available port supports a protocol suitable for WebLogic
+   JNDI, EJB/RMI, or JMS clients,
+   then note that _by default_:
+   - WebLogic enables anonymous users to access such a port.
+   - JNDI entries, EJB/RMI applications, and JMS are open to anonymous users.
+
+1. _Configure SSL_:
+   You can configure two-way SSL to help prevent external access by unwanted applications
+   (often SSL is setup between the caller and the load balancer, and plain-text
+   traffic flows internally from the load balancer to WebLogic).
+
+#### See also
+
+- [External WebLogic clients]({{< relref "/faq/external-clients.md" >}})
+- [Remote Console, Administration Console, WLST, and Port Forwarding access]({{< relref "/userguide/managing-domains/accessing-the-domain/_index.md" >}})
diff --git a/...taging/content/userguide/managing-domains/accessing-the-domain/admin-console.md b/...taging/content/userguide/managing-domains/accessing-the-domain/admin-console.md
@@ -7,6 +7,7 @@ description: "Use the WebLogic Remote Console to manage a domain running in Kube
 ---
 
 The WebLogic Remote Console is a lightweight, open source console that does not need to be collocated with a WebLogic Server domain.
+It is an _alternative_ to the WebLogic Server Administration Console.
 You can install and run the Remote Console anywhere. For an introduction, read the blog, ["The NEW WebLogic Remote Console"](https://blogs.oracle.com/weblogicserver/new-weblogic-server-remote-console).
 For detailed documentation, see the [WebLogic Remote Console](https://github.com/oracle/weblogic-remote-console) GitHub project.
 
@@ -16,13 +17,20 @@ or [OSDC](https://edelivery.oracle.com/osdc/faces/Home.jspx;jsessionid=LchBX6sgz
 Slim installers reduce the size of WebLogic Server downloads, installations, container images, and Kubernetes pods.
 For example, a WebLogic Server 12.2.1.4 slim installer download is approximately 180 MB smaller.
 
-
 The Remote Console is deployed as a standalone Java program, which can connect to multiple WebLogic Server Administration Servers using REST APIs.
 You connect to the Remote Console and, when prompted, supply the WebLogic Server login credentials
 along with the URL of the WebLogic Server Administration Server's administration port to which you want to connect.
 
 **Note**:  An Administration Server administration port typically is the same as its default port unless either an SSL port or an administration port is configured and enabled.
 
+{{% notice warning %}}
+Externally exposing administrative, RMI, or T3 capable WebLogic channels
+using a Kubernetes `NodePort`, load balancer,
+port forwarding, or a similar method can create an insecure configuration.
+For more information, see [External network access security]({{<relref "/security/domain-security/weblogic-channels.md">}}).
+{{% /notice %}}
+
+
 ### Setup
 
 To set up access to WebLogic Server domains running in Kubernetes using the Remote Console:
@@ -32,29 +40,31 @@ To set up access to WebLogic Server domains running in Kubernetes using the Remo
    **NOTE**: These instructions assume that you are installing and running the Remote Console Java program externally to your Kubernetes cluster.
 
 1. When you first connect your browser to the Remote Console, which is at `http://localhost:8012` by default, the console will prompt you with a login dialog for a WebLogic Server Administration Server URL. To give the Remote Console access to an Administration Server running in Kubernetes, you can:
-
    * Use an [Administration Server `NodePort`](#use-an-administration-server-nodeport).
 
    * Deploy a load balancer with [ingress path routing rules](#configure-ingress-path-routing-rules).
 
+   * [Use a `kubectl port-forward` connection](#use-a-kubectl-port-forward-connection).
+
+   **Note**: If you want to customize the Remote Console listen address,
+     then see [Specify a Listen Address for the Remote Console Host](https://github.com/oracle/weblogic-remote-console/blob/master/site/install_config.md#remote). This is useful if you want to run the Remote Console
+     on a different machine than your browser, or if you want the Remote Console to use SSL.
+
 
 #### Use an Administration Server `NodePort`
 
-For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server’s `NodePort`, use the URL:
+For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server’s `NodePort`, use the following URL after you have connected to the Remote Console
+with your browser and it
+prompts for the location of your WebLogic Server Administration Server:
 
 ```
 http://hostname:adminserver-NodePort/
 ```
 
 The `adminserver-NodePort` is the port number of the Administration Server outside the Kubernetes cluster.
 For information about the `NodePort` Service on an Administration Server, see the [Domain resource](https://github.com/oracle/weblogic-kubernetes-operator/blob/main/documentation/domains/Domain.md) document.
-
-{{% notice warning %}}
-Exposing administrative, RMI, or T3 capable channels using a Kubernetes `NodePort`
-can create an insecure configuration. In general, only HTTP protocols should be made available externally and this exposure
-is usually accomplished by setting up an external load balancer that can access internal (non-`NodePort`) services.
-For more information, see [T3 channels]({{<relref "/security/domain-security/weblogic-channels#weblogic-t3-channels">}}).
-{{% /notice %}}
+For an example of setting up the `NodePort` on an Administration Server,
+see [Use a `NodePort` for WLST]({{< relref "/userguide/managing-domains/accessing-the-domain/wlst#use-a-nodeport" >}}).
 
 #### Configure ingress path routing rules
 
@@ -81,7 +91,11 @@ For more information, see [T3 channels]({{<relref "/security/domain-security/web
          port: 7001
    ```
 
-1. For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server, supply a URL that resolves to the load balancer host and ingress that you supplied in the previous step. For example:
+
+1. After you have connected to the Remote Console with your browser,
+   it will prompt for the location of your WebLogic Server Administration
+   Server.
+   For the Remote Console to connect to the Kubernetes WebLogic Server Administration Server, supply a URL that resolves to the load balancer host and ingress that you supplied in the previous step. For example:
 
    ```
    http://${HOSTNAME}:${LB_PORT}/
@@ -94,10 +108,42 @@ For more information, see [T3 channels]({{<relref "/security/domain-security/web
 
         `$ export LB_PORT=$(kubectl -n traefik get service traefik-operator -o jsonpath='{.spec.ports[?(@.name=="web")].nodePort}')`
 
+#### Use a `kubectl port-forward` connection
+
+1. Forward a local port (that is external to
+   Kubernetes) to the administration port of the
+   Administration Server Pod according to these
+   [instructions]({{< relref "/userguide/managing-domains/accessing-the-domain/port-forward.md" >}}).
+
+   **NOTE:** If you plan to run the Remote Console Java program
+   on a different machine than the port forwarding command,
+   then the port forwarding command needs to specify a `--address` parameter
+   with the IP address of the machine that is hosting the command.
+
+1. After you have connected to the Remote Console with your browser,
+   it will prompt you for the location of your WebLogic Server Administration
+   Server.
+   Supply a URL using the local hostname or IP address
+   from the `port-forward` command in the first step, plus the local port from
+   this same command. For example:
+
+   ```
+   http://${LOCAL_HOSTNAME}:${LOCAL_PORT}/
+   ```
+   Where:
+
+     * `${LOCAL_HOSTNAME}` is the hostname or the defined IP address of the machine
+       where the `kubectl port-forward` command is running. This is
+       customizable on the `port-forward` command and is `localhost`
+       or `127.0.0.1`, by default.
+
+     * `${LOCAL_PORT}` is the local port where the `kubectl port-forward` command is running.
+       This is specified on the `port-forward` command.
+
 ### Test
 
-To verify that your WebLogic Server Administration Server URL is correct, and to verify that that your load balancer
-or `NodePort` are working as expected, run the following curl commands at the same location as your browser:
+To verify that your WebLogic Server Administration Server URL is correct, and to verify that that your load balancer,
+`NodePort`, or `kubectl port-forward` are working as expected, run the following curl commands at the same location as your browser:
 
 
 ```