Cisco Cisco Content Security Management Appliance M390 Guía Del Usuario
13-20
AsyncOS 10.0 for Cisco Content Security Management Appliances User Guide
Chapter 13 Distributing Administrative Tasks
Additional Controls on Access to the Security Management Appliance
Additional Controls on Access to the Security Management
Appliance
Appliance
•
•
Configuring IP-Based Network Access
You can control from which IP addresses users access the Security Management appliance by creating
access lists for users who connect directly to the appliance and users who connect through a reverse
proxy, if your organization uses reverse proxies for remote users.
access lists for users who connect directly to the appliance and users who connect through a reverse
proxy, if your organization uses reverse proxies for remote users.
Direct Connections
You can specify the IP addresses, subnets, or CIDR addresses for machines that can connect to the
Security Management appliance. Users can access the appliance from any machine with IP address from
the access list. Users attempting to connect to the appliance from an address not included in the list are
denied access.
Security Management appliance. Users can access the appliance from any machine with IP address from
the access list. Users attempting to connect to the appliance from an address not included in the list are
denied access.
Connecting Through a Proxy
If your organization’s network uses reverse proxy servers between remote users’ machines and the
Security Management appliance, AsyncOS allows you create an access list with the IP addresses of the
proxies that can connect to the appliance.
Security Management appliance, AsyncOS allows you create an access list with the IP addresses of the
proxies that can connect to the appliance.
Even when using a reverse proxy, AsyncOS still validates the IP address of the remote user’s machine
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the
Email Security appliance, the proxy needs to include the
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the
Email Security appliance, the proxy needs to include the
x-forwarded-for
HTTP header in its
connection request to the appliance.
The
x-forwarded-for
header is a non-RFC standard HTTP header with the following format:
x-forwarded-for: client-ip, proxy1, proxy2,... CRLF
.
The value for this header is a comma-separated list of IP addresses with the left-most address being the
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded
the connection request. (The header name is configurable.) The Security Management appliance matches
the remote user’s IP address from the header and the connecting proxy’s IP address against the allowed
user and proxy IP addresses in the access list.
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded
the connection request. (The header name is configurable.) The Security Management appliance matches
the remote user’s IP address from the header and the connecting proxy’s IP address against the allowed
user and proxy IP addresses in the access list.
Note
AsyncOS supports only IPv4 addresses in the
x-forwarded-for
header.
Creating the Access List
You can create the network access list either via the Network Access page in the GUI or the
adminaccessconfig > ipaccess CLI command.
adminaccessconfig > ipaccess CLI command.
shows the Network Access page with a list
of user IP addresses that are allowed to connect directly to the Security Management appliance.