Руководство Пользователя для Cisco Cisco Email Security Appliance C170
28-24
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 28 Distributing Administrative Tasks
Configuring Access to the Email Security Appliance
AsyncOS offers four different modes of control for the access list:
•
Allow All. This mode allows all connections to the appliance. This is the default mode of operation.
•
Only Allow Specific Connections. This mode allows a user to connection to the appliance if the
user’s IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list.
user’s IP address matches the IP addresses, IP ranges, or CIDR ranges included in the access list.
•
Only Allow Specific Connections Through Proxy. This mode allows a user to connect to the
appliance through a reverse proxy if the following conditions are met:
appliance through a reverse proxy if the following conditions are met:
–
The connecting proxy’s IP address is included in the access list’s IP Address of Proxy Server
field.
field.
–
The proxy includes the
x-forwarded-header
HTTP header in its connection request.
–
The value of
x-forwarded-header
is not empty.
–
The remote user’s IP address is included in
x-forwarded-header
and it matches the IP
addresses, IP ranges, or CIDR ranges defined for users in the access list.
•
Only Allow Specific Connections Directly or Through Proxy. This mode allows users to connect
through a reverse proxy or directly to the appliance if their IP address matches the IP addresses, IP
ranges, or CIDR ranges included in the access list. The conditions for connecting through a proxy
are the same as in the Only Allow Specific Connections Through Proxy mode.
through a reverse proxy or directly to the appliance if their IP address matches the IP addresses, IP
ranges, or CIDR ranges included in the access list. The conditions for connecting through a proxy
are the same as in the Only Allow Specific Connections Through Proxy mode.
Please be aware that you may lose access to the appliance after submitting and committing your changes
if one of the following conditions is true:
if one of the following conditions is true:
•
If you select Only Allow Specific Connections and do not include the IP address of your current
machine in the list.
machine in the list.
•
If you select Only Allow Specific Connections Through Proxy and the IP address of the proxy
currently connected to the appliance is not in the proxy list and the value of the Origin IP header is
not in the list of allowed IP addresses.
currently connected to the appliance is not in the proxy list and the value of the Origin IP header is
not in the list of allowed IP addresses.
•
If you select Only Allow Specific Connections Directly or Through Proxy and
–
the value of the Origin IP header is not in the list of allowed IP addresses
OR
–
the value of the Origin IP header is not in the list of allowed IP Addresses and the IP address of
the proxy connected to the appliance is not in the list of allowed proxies.
the proxy connected to the appliance is not in the list of allowed proxies.
Procedure
Step 1
Select System Administration > Network Access.
Step 2
Click Edit Settings.
Step 3
Select the mode of control for the access list.
Step 4
Enter the IP addresses from which users will be allowed to connect to the appliance.
You can enter an IP address, IP address range or CIDR range. Use commas to separate multiple entries.
Step 5
If connecting through a proxy is allowed, enter the following information:
•
The IP addresses of the proxies allowed to connect to the appliance. Use commas to separate
multiple entries.
multiple entries.
•
The name of the origin IP header that the proxy sends to the appliance, which contains the IP
addresses of the remote user’s machine and the proxy servers that forwarded the request. By default,
the name of the header is
addresses of the remote user’s machine and the proxy servers that forwarded the request. By default,
the name of the header is
x-forwarded-for
.