For most rules, a basic configuration that includes users or groups, destination resources, and access methods is sufficient. Settings that provide even tighter access are available on the Advanced page for Add/Edit Access Rule.
For example, if you want to restrict connections to those coming from an individual IP address, select the User’s network address option. Source networks are referenced in an access rule to permit or deny a connection to a destination resource based on the location from which the request originates, which provides you with even greater security.
To configure advanced settings for an access control rule
In the AMC, navigate to Security Administration > Access Control.
Click the name of an existing rule.
The Edit Access Rule page appears.
Click the Advanced tab.
Under Access method restrictions, permit or deny access based on the software agent or client initiating the connection. In most cases, you can leave this set to Any.
To restrict the Protocols that the network tunnel or proxy service will accept from the client, click Selected. A brief description of each protocol option is included in the table below; for more details, see http://www.ietf.org/rfc/rfc1928.txt.
| Protocol | Description |
| --- | --- |
| TCP | Enables normal TCP connections (for example, SSH, telnet, SCP, and so forth). |
| UDP | Allows the network tunnel or proxy service to make a UDP data transfer. This is necessary for operations such as streaming audio and Microsoft Outlook new-mail notification. |
| ICMP | (Internet Control Message Protocol) Enables the ping and traceroute network troubleshooting commands. Selecting this option configures the network tunnel or proxy service to allow these operations on your behalf. This option also enables ICMP packets to flow through the network tunnel or proxy service. |
| Accept bind requests from server | Used in protocols that require the client to accept connections from the server. FTP is a notable example: bind usually occurs with a Connect/Bind pair of connections. |
Use Destination restrictions to restrict access over individual Ports or a range of ports. For example, if you are building a policy to control access to an SMTP mail server, you might allow access only over port 25 (the well-known port for SMTP traffic). A list of the latest port number assignments is available at http://www.iana.org/assignments/port-numbers.
To enable access on any port, click Any. To specify multiple ports, click Selected and type the port numbers, separating each with a semicolon. To specify a port range, type the beginning and ending numbers separated by a hyphen.
Click Save.
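The following is an added example, not code from the AMC product or its documentation: a small model of how the protocol and port restrictions on the Advanced tab filter a connection. It assumes the port-field syntax described above ("Any", or a semicolon-separated list of ports and hyphenated ranges) and uses a hypothetical `AdvancedRestrictions` class, not an AMC API, to show why a malformed entry should fail loudly rather than silently widen the rule.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PortRanges = Optional[list]  # None stands for "Any"; else inclusive (low, high) tuples


def parse_ports(spec: str) -> PortRanges:
    """Parse the Destination restrictions port field into ranges.

    Accepts "Any", or a semicolon-separated list where each item is a single
    port or a low-high range. Malformed entries raise ValueError so a typo in
    a rule fails loudly instead of silently widening or narrowing the policy.
    """
    if spec.strip().lower() == "any":
        return None
    ranges = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        lo, hi = int(low), (int(high) if high else int(low))
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port entry: {item!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("Selected was chosen but no ports were given")
    return ranges


@dataclass(frozen=True)
class AdvancedRestrictions:
    """Hypothetical model of one rule's Advanced-tab protocol and port restrictions."""
    protocols: Optional[frozenset]  # None means Any; else a subset of {"TCP", "UDP", "ICMP"}
    ports: PortRanges

    def permits(self, protocol: str, port: Optional[int] = None) -> bool:
        """True if a connection using `protocol` to `port` passes these restrictions."""
        if self.protocols is not None and protocol not in self.protocols:
            return False
        if protocol == "ICMP":          # ICMP has no port: only the protocol check applies
            return True
        if self.ports is None:
            return True
        return port is not None and any(lo <= port <= hi for lo, hi in self.ports)


# The SMTP example from the page: TCP only, port 25 only.
smtp_rule = AdvancedRestrictions(protocols=frozenset({"TCP"}), ports=parse_ports("25"))
```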