Secure Mobile Access 12.4 Administration Guide

Specifying Advanced Access Control Rule Attributes

For most rules, a basic configuration that includes users or groups, destination resources, and access methods is sufficient. However, additional options are available to provide even tighter access. For example, you can control a connection based on the location of the user (by IP address). Source networks are referenced in an access rule to permit or deny a connection to a destination resource based on the location from which the request originates, provides even greater security.

To configure advanced settings for an access control rule

  1. In AMC, navigate to Security Administration > Access Control.

  2. Click the + (New) icon.

    The Add Access Rule page displays.

  3. Click Next to display the Advanced tab.

  4. In the Access Method Restrictions area, select one or more methods for access to the resource. Any is the recommended setting in most circumstances, unless your security environment requires you to use a particular method for access to a resource.

    1. When you select access methods, the advanced options are enabled or disabled based on whether they apply to the methods you specified. Click Selected to choose the access methods this rule will require; see the below table.

      Client software agents
      Access methodDescription
      Web browser (HTTP/HTTPS)

      Manages access from HTTP or HTTPS resources for users connecting using a Web browser.

      The available Advanced settings are:

      • User’s network address

      • Time and date restrictions

      Network Explorer

      Manages access from Windows file system resources for WorkPlace users connecting using Network Explorer.

      The available Advanced settings are:

      • User’s network address

      • Read/write permissions

      • Time and date restrictions

      Connect Tunnel and/or OnDemand (TCP/IP)

      Manages access from TCP/IP resources such as client/server applications, file servers, or databases, for users connecting with one of the following:

      • The Connect Tunnel or proxy clients

      • The OnDemand Tunnel or proxy agents

        For example, suppose you want to provide access to a network domain for users who have Connect or OnDemand, but you don’t want to allow browser access to Web resources within that domain. You can do that by creating a rule that specifies Connect Tunnel and/or OnDemand Mapped Mode as the only access method, and specifies the network domain in the Client restrictions area.

        The available Advanced settings are:

        • Protocols

        • User’s network address

        • Destination restrictions (ports)

        • Time and date restrictions

    2. Click Selected to specify the Protocols (see the below table) that the network tunnel or proxy service will accept from the client. A brief description of each command is included here, but for more details, see http://www.ietf.org/rfc/rfc1928.txt.

      Protocol selecting
      ProtocolDescription
      TCPEnables normal TCP connections (for example, SSH, telnet, SCP, and so forth).
      UDPAllows the network tunnel or proxy service to make a UDP data transfer. This is necessary for operations such as streaming audio and Microsoft Outlook new-mail notification.
      ICMP(Internet Control Message protocol) Enables the ping and traceroute network troubleshooting commands. Selecting this option will configure the network tunnel or proxy service to allow these operations on your behalf. This option also enables ICMP packets to flow through the network tunnel or proxy service.
  5. Under Client restrictions, in the User’s network address field, specify the names of any source networks you want evaluated in the rule.

    This is useful for controlling access based on the origin of the connection request. Click Edit to select from the list of resources. If no source network is specified, the default value of this field is Any. For reverse connections, this option can be used to block access requests to users’ computers that originate from specific ports or application resources.

  6. Use Destination restrictions to restrict access over individual Ports or a range of ports. To enable access on any port, click Any. To specify multiple ports, click Selected and type the port numbers, separated by semicolons. To specify a port range, type the beginning and ending numbers separated by a hyphen. For example, if you are building a policy to control access to an SMTP mail server, you might allow access only over port 25 (the well-known port for SMTP traffic). A list of the latest port number assignments is available at http://www.iana.org/assignments/port-numbers.

    Use Permissions to specify whether the rule will allow Read or Read/Write access to the file system resources. These access privileges work in conjunction with Windows access control rules. For a user to have certain file permissions, both entities (that is, Windows and the appliance) must allow them. If you disable file uploads, no user can write to a file, although users with write access will be able to move and delete files. These settings are ignored by reverse connections.

  7. Under Time and date restrictions, specify when the rule will be in effect. (The time zone for the time restriction fields is your local time.) You can specify a Shift or a Range, or you can specify that the rule remain in effect at all times.
  8. Click Save or, if you want to define another rule, click Finish and Add Another.

Because AMC gives you the flexibility to assign multiple access methods to resources, situations may arise in which there is a mismatch between access methods and resources. This happens if you create a rule that assigns an access method that is incompatible with the specified resource. For example, designating Web browser as the method for accessing a Windows domain resource will trigger an “Invalid destination resources” error message in AMC. For more information, see Resolving Invalid Destination Resources.

In some cases you can create a Deny rule that contains a mix of resources and access methods that may prevent subsequent rules from being evaluated. This could inadvertently block user access to other resources referenced in the access policy. The logic used to determine access method and resource compatibility is described in Resolving Deny Rule Incompatibilities.

Reverse connections are available only when IP address pools are configured for the network tunnel clients. AMC displays an error message if you attempt to change the rule from a forward connection to a reverse connection and no IP address pools are configured.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.