Restricting by IP Address

Through the DHCP protocol, every computer on the Internet is assigned a unique IP address. When a client computer requests an ASP page, Internet Explorer passes this IP address in its request to IIS. IIS can then use this information to determine who is requesting the page.

If this IP address is a restricted address, IIS drops the request for the page, generates HTTP error 403.6, and displays the page 403-6.htm (see Displaying Run-Time Errors).

Setting IP Address Restrictions

To restrict IP addresses, use the Internet Service Manager. See the procedure Restricting Access by IP Address in the Deployment section. When you restrict access in this way, you should by default deny access to all computers. Then, grant access only to computers belonging to people authorized to administer the CML.

What Can You Restrict?

You can deny access to a virtual directory (such as the CML's virtual directory, FmLib), a subdirectory (such as Admin), or an individual file.

Other Considerations

A drawback of this method is that it limits only the locations from which access is attempted and does not directly restrict persons. This means both that non-administrators can try to log on from any authorized computer and that valid administrators cannot log on from restricted computers. The first of these problems is solved by duplicating security through another method, such as Directory Permissions or File Permissions.

This method is good as an additional barrier. Used in conjunction with the other restriction methods, it makes the CML application that much safer. You could combine these methods to produce different levels of administrative access. For example, you could use file or directory permissions to limit access to administrators in general. Then, you could add IP restrictions as a means to create a group of more powerful administrators who alone are allowed to maintain the FmLib database. Because IP restrictions can be applied on directories or on individual files, you can use them to selectively bar access to functionality.
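The default-deny rule and the per-directory and per-file scoping described above can be checked against test addresses with a small model. This is an added example, not code from the CML sample or from IIS; the addresses, the file name dbmaint.asp, and the rule that the most specific scope wins are assumptions made for illustration.

```python
import ipaddress

# Constructed sample policy; the addresses and the file name dbmaint.asp are
# assumptions. Each scope maps to (grant_by_default, exception networks):
# exceptions are denied when the default is grant, granted when it is deny.
POLICY = {
    "/fmlib": (True, []),                                   # virtual directory
    "/fmlib/admin": (False, ["192.0.2.0/28"]),              # subdirectory
    "/fmlib/admin/dbmaint.asp": (False, ["192.0.2.5/32"]),  # individual file
}

def effective_scope(path, policy=POLICY):
    """Most specific configured scope covering path: file, then subdirectory,
    then virtual directory. Returns None when nothing applies."""
    parts = path.lower().rstrip("/").split("/")
    while len(parts) > 1:
        candidate = "/".join(parts)
        if candidate in policy:
            return candidate
        parts.pop()
    return None

def check(client_ip, path, policy=POLICY):
    """Return '403.6' when the address is rejected, else 'pass', meaning the
    request goes on to the remaining checks such as file permissions."""
    scope = effective_scope(path, policy)
    if scope is None:
        return "pass"
    grant_by_default, exceptions = policy[scope]
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(net) for net in exceptions)
    allowed = (not listed) if grant_by_default else listed
    return "pass" if allowed else "403.6"

if __name__ == "__main__":
    for ip, path in [
        ("198.51.100.7", "/FmLib/default.asp"),        # ordinary user page
        ("198.51.100.7", "/FmLib/Admin/default.asp"),  # outside admin subnet
        ("192.0.2.9", "/FmLib/Admin/default.asp"),     # general administrator
        ("192.0.2.9", "/FmLib/Admin/dbmaint.asp"),     # not a database maintainer
        ("192.0.2.5", "/FmLib/Admin/dbmaint.asp"),     # database maintainer
    ]:
        print(f"{ip:15} {path:28} {check(ip, path)}")
```

A result of pass means only that the address check did not reject the request; directory and file permissions still decide whether the person is authorized.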

In addition to IP restrictions, you can apply per-file Windows NT account restrictions. See the discussion under Restricting Using File Permissions.