User Guide for Cisco Email Security Appliance C170

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 15      System Administration
Direct Connections
You can specify the IP addresses, subnets, or CIDR addresses for machines that can connect to the Email 
Security appliance. Users can access the appliance from any machine with an IP address from the access 
list. Users attempting to connect to the appliance from an address not included in the list are denied 
access.
Connecting Through a Proxy
If your organization’s network uses reverse proxy servers between remote users’ machines and the Email 
Security appliance, AsyncOS allows you to create an access list with the IP addresses of the proxies that 
can connect to the appliance. 
Even when using a reverse proxy, AsyncOS still validates the IP address of the remote user’s machine 
against a list of IP addresses allowed for user connections. To send the remote user’s IP address to the 
Email Security appliance, the proxy needs to include the x-forwarded-for HTTP header in its 
connection request to the appliance. 
The x-forwarded-for header is a non-RFC standard HTTP header with the following format:
x-forwarded-for: client-ip, proxy1, proxy2,... CRLF
The value for this header is a comma-separated list of IP addresses with the left-most address being the 
address of the remote user’s machine, followed by the addresses of each successive proxy that forwarded 
the connection request. (The header name is configurable.) The Email Security appliance matches the 
remote user’s IP address from the header and the connecting proxy’s IP address against the allowed user 
and proxy IP addresses in the access list.
Note: AsyncOS supports only IPv4 addresses in the x-forwarded-for header.
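The check described above, written out as an added example (it is not AsyncOS code and not part of the original guide). The function name, the sample addresses and the way the user list and proxy list are combined into one decision are assumptions made for illustration.

```python
import ipaddress

def _nets(entries):
    # Entries may be single addresses or CIDR blocks; a bare address becomes a /32.
    return [ipaddress.IPv4Network(e, strict=False) for e in entries]

def check_access(peer_ip, xff, allowed_users, allowed_proxies):
    """Return (allowed, reason) for one connection.

    peer_ip is the address the TCP connection comes from; xff is the value of
    the x-forwarded-for header, or None. The way the two lists combine is an
    assumption made for this sketch.
    """
    users, proxies = _nets(allowed_users), _nets(allowed_proxies)
    try:
        peer = ipaddress.IPv4Address(peer_ip)
    except ValueError:
        return False, "peer is not an IPv4 address"
    if any(peer in n for n in users):
        return True, "direct connection from an allowed user address"
    if not any(peer in n for n in proxies):
        # The header is ignored here: anyone can send it, so it only carries
        # weight when it arrives from a proxy on the access list.
        return False, "peer is neither an allowed user nor an allowed proxy"
    if not xff:
        return False, "allowed proxy sent no x-forwarded-for header"
    client_field = xff.split(",")[0].strip()  # left-most entry = remote user
    try:
        client = ipaddress.IPv4Address(client_field)
    except ValueError:  # IPv6 or malformed entry; only IPv4 is supported
        return False, "client entry is not an IPv4 address"
    if any(client in n for n in users):
        return True, "allowed user behind an allowed proxy"
    return False, "client address is not in the user list"

# Constructed sample access lists (documentation address ranges).
USERS = ["192.0.2.0/24", "198.51.100.7"]
PROXIES = ["203.0.113.10"]

if __name__ == "__main__":
    for peer, xff in [("192.0.2.15", None),
                      ("203.0.113.10", "198.51.100.7, 203.0.113.9"),
                      ("203.0.113.99", "198.51.100.7"),
                      ("203.0.113.10", "2001:db8::1")]:
        print(peer, repr(xff), check_access(peer, xff, USERS, PROXIES))
```

The left-most entry is only as reliable as the listed proxy's handling of any x-forwarded-for value it receives from the client, so the proxy configuration deserves the same review as the access list.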
Creating the Access List 
You can create the network access list either via the Network Access page in the GUI or the adminaccessconfig > ipaccess CLI command. 
 shows the Network Access page with a 
list of user IP addresses that are allowed to connect directly to the Email Security appliance.