The TC-Administration webapp context-descriptor admin.xml includes a (out- commented) RemoteAddrValve to restrict access to localhost "for obvious security reasons" - so should the manager webapp for the same reason.
Created attachment 7717 [details] Patch to include RemoteAddrValve
Fixed in 7.0.x and will be included in 7.0.7 onwards.