Controlling Access to Your Server
You can configure the firewalls of InterMapper's built-in servers to
accept or deny connections from a client based on its IP address. You
can also require a user name and password. Once accepted, a connection
is associated with a user name that is used to determine which maps and
permissions are available. For some examples of typical access control
setups, see Access Control Examples.
Note: You can also control access through the InterMapper Authentication Server, which connects to an external authentication server such as Radius, LDAP, or ActiveDirectory to authenticate a user. For more information, see Authentication Server.
The Access Control Process
When a user attempts to connect to one of the InterMapper servers, the
request goes through these steps:
- The client's IP address is checked against the list of firewall definitions. If the address matches a DENY address in the firewall list, or if the address fails to match an ALLOW address, the connection is dropped with a "not allowed" response.
- The client's IP address is checked against the list of Automatic Login addresses. If the client's IP address matches an Automatic Login address, the connection is accepted and is assigned the user name associated with that Automatic Login.
- If the client's IP address does not match an Automatic Login address, the connection is accepted and authentication by a username and password begins, as follows:
  - Web server - issues a "401 Unauthorized" response, which forces the web browser to request a username/password from the user.
  - Telnet server - prompts for a username and password.
  - Remote server - proceeds after the InterMapper RemoteAccess client requests and supplies a username and password.
- The username and password are verified against InterMapper's built-in authentication database. If they match, the connection is assigned the user name. Otherwise, the connection is dropped with a "not allowed" response. When using the Remote and Telnet servers, an error message appears, saying that the user name is not allowed. When using the Web server, a web page appears, saying that the user is not allowed access.
- The user is checked for membership in a Special Group. These special groups give broader access:
  - Administrators Group: If the user is a member of the Administrators group, the connection is given full (read/write) access to every map and setting.
  - FullWebAccess Group: If you have created a group named FullWebAccess, all members of that group are given full access to all maps through the web server. As with all web access rights, this is a read-only view. This membership also overrides any individual map access settings.
  - FullTelnetAccess Group: If you have created a group named FullTelnetAccess, all members of that group are given full access to the Telnet server.
  - FullLogAccess Group: If you have created a group named FullLogAccess, all members of that group are given full access to all log files.
- The user is granted access to maps. Once a connection has a user name associated with it, InterMapper then checks to see which information is available for that user. Access to individual maps can be granted using the "Map Access" server setting (see Map Access for more info). If a user is not in the Administrators, FullWebAccess, or FullTelnetAccess group, and has no access to an individual map, the connection is dropped with a "not allowed" response, since the user has no options for access.
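The decision sequence above, as an added Python model that is not InterMapper's own code: the firewall rules, Automatic Login table, user database, groups and Map Access grants are constructed sample data, and the way the steps combine (a DENY match wins over an ALLOW match, Special Groups are consulted before per-map grants) is an assumption drawn from the wording of the steps.

```python
import hmac
import ipaddress

# Constructed example of the access-control decision sequence described above.
# The data below (firewall rules, Automatic Login table, users, groups, Map Access)
# is an illustrative model, not InterMapper's own code or configuration format.
FIREWALL = [("DENY", "10.0.0.5/32"), ("ALLOW", "10.0.0.0/8")]      # constructed rules
AUTO_LOGIN = {"10.0.1.0/24": "noc"}                                 # network -> user name
USERS = {"alice": "s3cret", "bob": "hunter2", "viewer": "view-pw"}  # built-in database
GROUPS = {"Administrators": {"alice"}, "FullWebAccess": {"viewer"}, "FullTelnetAccess": set()}
MAP_ACCESS = {"Core": {"alice", "noc"}, "Branch": {"noc"}}          # map -> allowed users

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def firewall_allows(ip):
    """Step 1: any DENY match drops the connection; so does the absence of an ALLOW match."""
    hits = {action for action, net in FIREWALL if in_net(ip, net)}
    return "DENY" not in hits and "ALLOW" in hits

def connect(service, ip, username=None, password=None):
    """Evaluate one connection to the web, telnet or remote server."""
    if not firewall_allows(ip):
        return {"status": "not allowed", "reason": "firewall"}
    # Step 2: Automatic Login assigns a user name by source address; no password is asked.
    user = next((u for net, u in AUTO_LOGIN.items() if in_net(ip, net)), None)
    # Steps 3-4: otherwise the server challenges (HTTP 401, Telnet prompt, RemoteAccess
    # dialog) and checks the credentials against the built-in database.
    if user is None:
        if username not in USERS or password is None \
                or not hmac.compare_digest(USERS[username], password):
            return {"status": "not allowed", "reason": "authentication"}
        user = username
    # Step 5: Special Groups grant broad access before individual Map Access is consulted.
    if user in GROUPS.get("Administrators", ()):
        return {"status": "ok", "user": user, "maps": sorted(MAP_ACCESS), "mode": "read/write"}
    if service == "web" and user in GROUPS.get("FullWebAccess", ()):
        return {"status": "ok", "user": user, "maps": sorted(MAP_ACCESS), "mode": "read-only"}
    if service == "telnet" and user in GROUPS.get("FullTelnetAccess", ()):
        return {"status": "ok", "user": user, "maps": [], "mode": "full telnet"}
    # Step 6: per-map grants; a user with no map at all has nothing to see and is dropped.
    maps = sorted(m for m, allowed in MAP_ACCESS.items() if user in allowed)
    if not maps:
        return {"status": "not allowed", "reason": "no map access"}
    return {"status": "ok", "user": user, "maps": maps, "mode": "per-map"}
```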