Cisco Email Security Appliance C190 User Guide
28-23
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 28 Distributing Administrative Tasks
Configuring Access to the Email Security Appliance
AsyncOS provides administrators with controls to manage users’ access to the Email Security appliance,
including a timeout for Web UI sessions and an access list that specifies the IP addresses from which users
and your organization’s proxy servers can access the appliance.
Configuring IP-Based Network Access
You can control from which IP addresses users access the Email Security appliance by creating access
lists for users who connect directly to the appliance and users who connect through a reverse proxy, if
your organization uses reverse proxies for remote users.
Direct Connections
You can specify the IP addresses, subnets, or CIDR addresses for machines that can connect to the Email
Security appliance. Users can access the appliance from any machine with an IP address from the access
list. Users attempting to connect to the appliance from an address not included in the list are denied
access.
Connecting Through a Proxy
If your organization’s network uses reverse proxy servers between remote users’ machines and the Email
Security appliance, AsyncOS allows you to create an access list with the IP addresses of the proxies that
can connect to the appliance.
Even when using a reverse proxy, AsyncOS still validates the IP address of the remote user’s machine
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the
Email Security appliance, the proxy needs to include the x-forwarded-for HTTP header in its
connection request to the appliance.
The x-forwarded-for header is a non-RFC standard HTTP header with the following format:
x-forwarded-for: client-ip, proxy1, proxy2,... CRLF
The value for this header is a comma-separated list of IP addresses with the left-most address being the
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded
the connection request. (The header name is configurable.) The Email Security appliance matches the
remote user’s IP address from the header and the connecting proxy’s IP address against the allowed user
and proxy IP addresses in the access list.
Note: AsyncOS supports only IPv4 addresses in the x-forwarded-for header.
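The two checks described above (the connecting proxy against the proxy list, the left-most x-forwarded-for address against the user list, IPv4 only) modelled as a small Python access-list evaluator. This is an added illustration, not AsyncOS code; the access-list entries and addresses are constructed, and the choice to ignore the header when the peer is not an allowed proxy is this model’s assumption.

```python
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (low, high) IPv4 address range


def parse_entry(entry: str) -> Range:
    """Accept a single address, an 'a-b' range, or a CIDR block (guide: addresses, ranges, CIDR)."""
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.IPv4Network(entry.strip(), strict=False)  # a bare address becomes a /32
    return int(net.network_address), int(net.broadcast_address)


def in_access_list(ip: ipaddress.IPv4Address, entries: List[Range]) -> bool:
    n = int(ip)
    return any(lo <= n <= hi for lo, hi in entries)


def client_ip_from_xff(header_value: str) -> Optional[ipaddress.IPv4Address]:
    """Left-most address is the remote user's machine; anything but IPv4 is rejected (per the Note)."""
    leftmost = header_value.split(",")[0].strip()
    try:
        return ipaddress.IPv4Address(leftmost)
    except ipaddress.AddressValueError:
        return None


def authorize(connecting_ip: str, xff: Optional[str],
              user_list: List[Range], proxy_list: List[Range]) -> bool:
    """Decide whether a Web UI connection is allowed under the access list."""
    peer = ipaddress.ip_address(connecting_ip)
    if not isinstance(peer, ipaddress.IPv4Address):
        return False
    # Header is only trusted when the peer is an allowed proxy (model assumption);
    # otherwise the connection is treated as direct and the peer itself must be an allowed user.
    if xff is None or not in_access_list(peer, proxy_list):
        return in_access_list(peer, user_list)
    client = client_ip_from_xff(xff)
    return client is not None and in_access_list(client, user_list)


# Constructed sample lists (assumed values).
USER_LIST = [parse_entry(e) for e in ("10.1.0.0/16", "192.0.2.10", "203.0.113.20-203.0.113.30")]
PROXY_LIST = [parse_entry("198.51.100.5")]
```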
Creating the Access List
You can create the network access list either via the Network Access page in the GUI or the
adminaccessconfig > ipaccess CLI command.
AsyncOS offers four different modes of control for the access list:
• Allow All. This mode allows all connections to the appliance. This is the default mode of operation.
• Only Allow Specific Connections. This mode allows a user to connect to the appliance if the
user’s IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list.