Restrict trunk access by IP

  • Question

  • I am needing to lock down a specific trunk that I have configured within IAG. I would like to do this based on IP address however. Personally I would like to do this a different way but it doesn't seem to be feasible at this stage.

    I would like to know if it is possible to restrict access to an HTTP trunk based on IP address. I had a quick look through and the only way I can see to possibly accomplish something like this would be some sort of session policy. Is this the right way to go about something like this or is there an easier way?

    Thanks

    Tuesday, April 6, 2010 4:07 AM

All replies

  • Hi Brodie

    I'm thinking of two different options:

    • Use the built-in feature called 'limit applications to the following subnets' to specify the 'good' networks
    • Customize the login process to verify if the client IP is specified in the 'bad' network set and allow/deny access based on that information

    Hope it helps,
    Dominik

    Tuesday, April 6, 2010 6:57 AM
  • Hi Dominik,

    I don't believe I have come across this feature on our IAG SP2 Update 3 instance. I will check tomorrow when I'm in at work and get back to you.

    Thanks, sounds to be exactly what I'm after.

    Regards,

    Brodie

    Tuesday, April 6, 2010 7:38 AM
  • Brodie, 

    Are all of the users accessing the trunk coming from the same place, like a branch office or something like that? If so, you can use an endpoint policy for session access using the "Source_IP" endpoint variable.

    This link may help you as well. 

    http://www.ssl-vpn.de/wiki/How%20to%20access%20the%20endpoint%20IP%20address%20in%20endpoint%20detection%20policies.ashx

    - Bryan 

    Tuesday, April 6, 2010 2:25 PM
  • I believe that the 'limit applications to the following subnets' is actually for restricting what backend subnets are accessible - not what client (source) addresses are allowed.

    A couple of viable options would be:

    • Use IIS to only allow connections from particular IP addresses / subnets
    • Use a firewall in front of IAG to only allow connections from particular IP addresses / subnets

    (I'm currently using the 2nd option)

    HTH

    Rob

    Tuesday, April 6, 2010 2:25 PM
  • Hi Bryan,

    Unfortunately the requirements I have been given state that there will be multiple addresses that will be given access to this trunk. I would have liked to do it through IIS personally but I have been told that is not an option at this stage. I had a quick play around with the Source_IP var that I found documented so I will continue to play around with that.

    Failing this I will take a look at the solution that RobEllis has provided.

    Report back shortly.

    Thanks

    Tuesday, April 6, 2010 11:01 PM
  • Hi,

    There is a good document on this at www.forefrontsecurity.org -> Articles -> IAG -> Customization. It basically checks the IP address based on the InternalIP.inc file, where you can have multiple IP addresses.

    In that script, if the user is not coming from an allowed endpoint IP address, they will be redirected to an error page.

    I have done this in one environment so that I have added this code to login.asp and there we request different authentication based on the IP address. If the user is coming from a trusted IP, they can authenticate using only AD credentials. Otherwise they are automatically requested for strong authentication. These actions are invisible to the user.

    But, please have a look at the www.forefrontsecurity.org (http://www.forefrontsecurity.org/?ctype=Articles&id=A00000007&rootid=27&name=How-to-create-different-portals-based-on-source-IP-address-and-custom-scripts)

    BR, TommiK

    • Marked as answer by Brodie Carter Wednesday, April 7, 2010 9:54 PM
    Wednesday, April 7, 2010 7:00 PM
  • Thank you all for your help regarding this.

    I have come to the conclusion that the project that was run prior to my arrival has failed miserably at installation/configuration. There seems to be quite a few small undocumented hacks that completely mess with the setup.

    I am going to go through and install UAG 2010 on a test appliance I have sitting here. After that is done I will run through your suggestions Tommi.

    Cheers

    Wednesday, April 7, 2010 9:59 PM
  • I have followed the links but I don't seem to see the scripts. I'm trying to achieve exactly what you have mentioned, any ideas where I could get these scripts from?
    Wednesday, November 24, 2010 3:00 PM
  • My script example (in the other thread) is based upon the code provided by Idan @ ForefrontSecurity.org...

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, November 24, 2010 3:29 PM
    Moderator
  • Hi,

    I have used this kind of functionality in the login.asp

    First, include the internalIP.inc file:

    <!--#include virtual="internalsite/inc/customupdate/portal1InternalIP.inc"-->

    The structure of the internalip.inc is as follows

    <%
    ' Enter the IP ranges for the internal network.
    ' Use * as a trailing wildcard: 10.*.*.*, 10.1.1.*, 10.1.*.*, etc.
    ' The upper bound is one less than the number of entries:
    ' Dim IP(1) holds exactly IP(0) and IP(1), with no empty slot.
    Dim IP(1)
    IP(0) = "xx.xx.xx.xx"
    IP(1) = "xx.xx.xx.*"
    %>

    Then the actual code is:
    '---------------------------------------------------------------------------------
    ' Check IP address
    '---------------------------------------------------------------------------------

    ' Source IP of the session, as IAG recorded it in the session cookie
    g_cookie = GetSessionCookie(g_site_name, g_secure)
    g_Source_IP = getsessionparam(g_cookie, "SourceIP")

    Dim i, ListIP, SourceIP, strLogin
    strLogin = "OTP"                    ' default until a list entry matches
    For Each i In IP
        If InStr(i, "*") > 0 Then
            ' Wildcard entry: compare only the prefix before the *.
            ' The leading "b" anchors the match to the start of the address.
            ListIP = "b" & Mid(i, 1, InStr(i, "*") - 1)
            SourceIP = "b" & g_Source_IP
        Else
            ' Exact entry: the "b"/"e" sentinels stop partial matches,
            ' e.g. 10.1.1.5 against 10.1.1.50.
            ListIP = "b" & i & "e"
            SourceIP = "b" & g_Source_IP & "e"
        End If

        If InStr(SourceIP, ListIP) > 0 Then
            strLogin = "AD"             ' trusted source: AD credentials only
            Exit For
        End If
    Next

    This will check the IP and, if the source IP is trusted, the user will be directed to the AD repository. Otherwise he/she will be prompted for the OTP. Later in the body I have modified it so that it shows either repository based on the value above.

    Hope this helps. This is also based on the script in Forefrontsecurity.org.

    BR, TommiK

    Friday, November 26, 2010 11:07 AM
  • Hi Darren,

    Now you have two versions to test ;)

    Thanks TommiK!

    Cheers

    JJ

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, November 26, 2010 12:10 PM
    Moderator
  • Hi gents,

    Sorry for replying to such an old thread but we are already successfully using the code that Jason et al. kindly provided but I need to alter it for a new trunk so that it denies access for source addresses not in the trusted list.

    How do I get the IF statement to redirect to an error page?

    Thanks,

    Matt

    Tuesday, July 10, 2012 9:14 PM
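Pulling TommiK's check above into a function and adding the deny-and-redirect variant Matt asks about, as an added example that is not code from this thread or from forefrontsecurity.org; IP(), g_Source_IP, GetSessionCookie and getsessionparam are taken from the posted script, and AccessDenied.asp is an assumed placeholder name for your own error page:

```vbscript
<%
' Added example, not TommiK's or forefrontsecurity.org's code: the same
' prefix-wildcard check factored into a function, plus a "deny" mode that
' redirects untrusted sources instead of switching them to OTP.
' Assumptions: IP() comes from the included internalIP.inc, g_Source_IP is
' read with getsessionparam as in the thread, and AccessDenied.asp is a
' placeholder name for your own error page.

' True when sourceIP matches one entry of allowList. An entry is either an
' exact address or a prefix ending in "*" (10.1.1.*, 10.1.*.*). The "b"/"e"
' sentinels anchor the comparison so 10.1.1.5 does not match 110.1.1.5 or
' 10.1.1.50, and empty array slots are skipped.
Function IsTrustedIP(sourceIP, allowList)
    Dim entry, pos, listKey, srcKey
    IsTrustedIP = False
    For Each entry In allowList
        entry = Trim(entry)
        If Len(entry) > 0 Then
            pos = InStr(entry, "*")
            If pos > 0 Then
                listKey = "b" & Left(entry, pos - 1)
                srcKey = "b" & sourceIP
            Else
                listKey = "b" & entry & "e"
                srcKey = "b" & sourceIP & "e"
            End If
            If InStr(srcKey, listKey) = 1 Then
                IsTrustedIP = True
                Exit Function
            End If
        End If
    Next
End Function

Dim denyUntrusted, strLogin
denyUntrusted = True   ' False gives TommiK's AD/OTP behaviour instead

g_cookie = GetSessionCookie(g_site_name, g_secure)
g_Source_IP = getsessionparam(g_cookie, "SourceIP")

If IsTrustedIP(g_Source_IP, IP) Then
    strLogin = "AD"
ElseIf denyUntrusted Then
    ' Matt's case: untrusted source, stop the login page and redirect
    Response.Redirect "/InternalSite/CustomUpdate/AccessDenied.asp"
    Response.End
Else
    strLogin = "OTP"
End If
%>
```

Trust here rests on the source address IAG recorded for the session, so clients reaching IAG through a NAT device or proxy all share one address; test the decision with addresses on both sides of the list before enabling the deny mode on a production trunk.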