Controlling Access from Client Computers

Use the Client Host Access Control pane to control which client computers have access to the server. These settings apply to all users of the client computer. You can use either domain names or IP addresses to specify hosts. The value you enter is interpreted as a regular expression.

You can allow or deny access, or use a combination of allow and deny. For information about how the server handles allow and deny rules, see Using Allow and Deny Rules for Access Control.

 

Notes:

  • For access lists that use domain names, the server always tries to resolve the client domain name. However, if name resolution fails, the server allows or denies access based on the client IP address. This means that even if a client's domain name is on the deny list, that client can connect when DNS lookup fails, unless its IP address is also on the deny list. To prevent access from hosts whose domain name could not be resolved, you can enable, from the Network Binding dialog box, Require reverse DNS lookup.
  • If IPv6 connections are supported, a client connecting using an IPv6 address may be allowed access even if the IPv4 address of that client is on the list of denied client hosts. To configure Reflection for Secure IT to deny all IPv6 (or IPv4) connections, from the Network pane, remove any listening address in IPv6 (or IPv4) format.
  • The resolved domain name for a client is the fully qualified domain name. This means that when you add a host to the allow or deny list using a domain name, you must either use a fully qualified domain name, or a regular expression, to ensure that host domain names are handled correctly. For example, if you deny access to the client "mypc", the client mypc.myhost.com will be able to connect. You must explicitly deny access to "mypc\.myhost\.com" or use an expression such as "mypc\..*" to ensure that this client is denied access.

 

Examples

In the following configuration, access to client hosts with an IPv4 address that begins with 123.156.78 is denied — users on any other client host (or users connecting from an IPv6 address) are allowed access.

Client host

Access

123\.156\.78\..*

Deny

 

In the following configuration, access to all hosts in the acme.com domain is allowed, except badpc — clients from any other domain are denied access.

Client host

Access

.*\.acme\.com

Allow

badpc\.acme\.com

Deny

 

The following configuration denies access to all hosts in the acme.com domain, including mypc — clients from any other domain are allowed access.

Note: Without the final line, no clients would be allowed access. This is because once any client is added to the Allow list, clients are allowed access only if they match an allowed expression.

Client host

Access

.*\.acme\.com

Deny

mypc\.acme\.com

Allow

.*

Allow

Related Topics

Using Allow and Deny Rules for Access Control

Regular Expression Syntax

Network Binding Dialog Box

Client Host Access Control Dialog Box

Controlling Access