I want to put a JBoss AS instance out on the Internet securely. I can follow the explanations at http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html#d0e21402 about the consoles but wanted to make sure I really understand what's going on in the discussion about the HTTP and JMX invokers. My JBoss AS instance will be administered remotely and run a Seam application. Outside of command-line administration (via SSH), administration via secured web pages, and secured web access to the actual application, further access to the server and the application from the Internet is not required. It seems to me that the right thing to do is to secure the JMX and Web consoles and to remove the HTTP and JMX invokers. Is that correct or does the correct function of a standalone JBoss AS require (one or both of) the invokers? I searched but didn't really find/follow further explanation of the impact of removing the invokers, so RTFM pointers also humbly accepted. Thanks.