Cisco Cisco Email Security Appliance C650 Guía Del Usuario
32-24
Cisco AsyncOS 9.0 for Email User Guide
Chapter 32 Distributing Administrative Tasks
Configuring Access to the Email Security Appliance
Configuring Access to the Email Security Appliance
AsyncOS provides administrators controls to manage users’ access to the Email Security appliance,
including a timeout for Web UI session and an access list that specifies the IP addresses from which users
and your organization’s proxy servers can access the appliance.
including a timeout for Web UI session and an access list that specifies the IP addresses from which users
and your organization’s proxy servers can access the appliance.
Related Topics
•
•
•
•
Configuring IP-Based Network Access
You can control from which IP addresses users access the Email Security appliance by creating access
lists for users who connect directly to the appliance and users who connect through a reverse proxy, if
your organization uses reverse proxies for remote users.
lists for users who connect directly to the appliance and users who connect through a reverse proxy, if
your organization uses reverse proxies for remote users.
Related Topics
•
•
•
Direct Connections
You can specify the IP addresses, subnets, or CIDR addresses for machines that can connect to the Email
Security appliance. Users can access the appliance from any machine with IP address from the access
list. Users attempting to connect to the appliance from an address not included in the list are denied
access.
Security appliance. Users can access the appliance from any machine with IP address from the access
list. Users attempting to connect to the appliance from an address not included in the list are denied
access.
Connecting Through a Proxy
If your organization’s network uses reverse proxy servers between remote users’ machines and the Email
Security appliance, AsyncOS allows you create an access list with the IP addresses of the proxies that
can connect to the appliance.
Security appliance, AsyncOS allows you create an access list with the IP addresses of the proxies that
can connect to the appliance.
Even when using a reverse proxy, AsyncOS still validates the IP address of the remote user’s machine
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the
Email Security appliance, the proxy needs to include the
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the
Email Security appliance, the proxy needs to include the
x-forwarded-for
HTTP header in its
connection request to the appliance.
The
x-forwarded-for
header is a non-RFC standard HTTP header with the following format:
x-forwarded-for: client-ip, proxy1, proxy2,... CRLF
.
The value for this header is a comma-separated list of IP addresses with the left-most address being the
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded
the connection request. (The header name is configurable.) The Email Security appliance matches the
remote user’s IP address from the header and the connecting proxy’s IP address against the allowed user
and proxy IP addresses in the access list.
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded
the connection request. (The header name is configurable.) The Email Security appliance matches the
remote user’s IP address from the header and the connecting proxy’s IP address against the allowed user
and proxy IP addresses in the access list.