Controlling Access from Client Computers

Use the Client Host Access Control pane to control which client computers have access to the server. These settings apply to all users of the client computer. You can use either domain names or IP addresses to specify hosts. For either, you can use regular expressions to specify an expression that matches one or more hosts.

You can allow or deny access, or use a combination of allow and deny. For information about how the server handles allow and deny rules, see Using Allow and Deny Rules for Access Control.

Notes:

• For access lists that use domain names, the server always tries to resolve the client domain name. However, if name resolution fails, the server allows or denies access based on the client IP address. This means that even if a client's domain name is on the deny list, that client can connect when DNS lookup fails, unless its IP address is also on the deny list. To prevent access from hosts whose domain name could not be resolved, you can enable, from the Network Binding dialog box, Require reverse DNS lookup.
• The resolved domain name for a client is always the fully qualified domain name. This means that when you add a host to the allow or deny list using a domain name, you must either use a fully qualified domain name, or a regular expression, to ensure that host domain names are handled correctly. For example, if you deny access to the client "mypc", the client mypc.myhost.com will be able to connect. You must explicitly deny access to "mypc\.myhost\.com" or use an expression such as "mypc\..*" to ensure that this client is denied access.

Examples

In the following configuration, access to client hosts with an IP address that begins with 123.156.78 is denied — users on any other client host are allowed access.

In the following configuration, access to all hosts in the acme.com domain is allowed, except badpc — clients from any other domain are denied access.

The following configuration denies access to all hosts in the acme.com domain, including mypc — clients from any other domain are allowed access.

Note: Without the final line, no clients would be allowed access. This is because once any client is added to the Allow list, clients are allowed access only if they match an allowed expression.