Controlling Access to Your Server

You can configure the firewalls of Intermapper's built-in servers to accept or deny connections from a client based on its IP address. You can also require a user name and password. Once these are accepted, the connection is associated with that user name, which determines which maps and permissions are available. For examples of typical access control setups, see Access Control Examples.

NOTE:
  • You can also control access through the Intermapper Authentication Server, which connects to an external authentication server such as RADIUS, LDAP, or Active Directory to authenticate a user. For more information, see Authentication Server.
  • Any firewall that is protecting the machine that is running Intermapper must be configured to allow access to the ports specified for remote access. This includes the port specified for use by the web server.

Access Control

When a user attempts to connect to one of the Intermapper servers, the request goes through the following steps:

  1. The client's IP address is checked against the list of firewall definitions. If the address matches a DENY address in the firewall list, or if the address fails to match an ALLOW address, the connection is dropped with a not allowed response.
  2. The client's IP address is checked against the list of Automatic Login addresses. If the client IP address matches an Automatic Login address, the connection is accepted and is assigned the user name associated with that Automatic Login.
  3. If the client IP address does not match an Automatic Login address, the connection is accepted and authentication by a username and password begins, as follows:
    1. Web server - Issues a 401 Unauthorized response, which forces the web browser to request a username/password from the user.
    2. Telnet server - Prompts for a username and password.
    3. Remote server - Proceeds after the Intermapper RemoteAccess client requests and supplies a username and password.
  4. The username and password are verified against Intermapper's built-in authentication database. If they match, the connection is assigned the user name. Otherwise, the connection is dropped with a not allowed response. When using the Remote and Telnet servers, an error message is displayed, saying that the user name is not allowed. When using the Web server, a web page is displayed, saying that the user is not allowed access.
  5. The user is checked for membership in a Special Group. The following special groups provide broader access:
    • Administrators Group

      If the user is a member of the Administrators group, the connection is granted full (read/write) access to every map and setting.

    • FullWebAccess Group

      If you create a group named FullWebAccess, all members of that group are granted full access to all maps through the web server. As with all web access rights, this is a read-only view. This membership also overrides any individual map access settings. FullWebAccess members can also acknowledge down devices.

    • FullTelnetAccess Group

      If you create a group named FullTelnetAccess, all members of that group are granted full access to the Telnet server.

    • FullLogAccess Group

      If you create a group named FullLogAccess, all members of that group are granted full access to all log files.

  6. The user is granted access to maps. After a connection has a user name associated with it, Intermapper checks to see which information is available for that user. Access to individual maps can be granted using the Map Access server setting (see Map Access).

If a user is not in the Administrators, FullWebAccess, or FullTelnetAccess group and has no access to an individual map, the connection is dropped with a not allowed response.
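The six-step sequence above, modelled as an added Python example (not Intermapper's own code or configuration format): the firewall list, automatic-login table, user database, groups and map-access table are constructed sample data, and each step returns the outcome the page describes. How the firewall list orders ALLOW and DENY entries is not stated here, so the model applies both conditions of step 1 as written.

```python
import hmac
import ipaddress

# Constructed sample configuration (illustrative only, not Intermapper's format).
FIREWALL = [("DENY", "10.0.0.66/32"), ("ALLOW", "10.0.0.0/24")]
AUTO_LOGIN = {"10.0.0.10/32": "monitor"}            # client network -> user name
USERS = {"alice": "s3cret", "bob": "hunter2"}        # built-in authentication database
GROUPS = {"Administrators": {"alice"}, "FullWebAccess": {"bob"}}
MAP_ACCESS = {"core-net": {"monitor"}}              # map -> users granted access


def firewall_allows(ip):
    """Step 1: drop on any DENY match, or when no ALLOW entry matches."""
    addr = ipaddress.ip_address(ip)
    nets = [(action, ipaddress.ip_network(net)) for action, net in FIREWALL]
    if any(addr in net for action, net in nets if action == "DENY"):
        return False
    return any(addr in net for action, net in nets if action == "ALLOW")


def auto_login_user(ip):
    """Step 2: return the user name bound to a matching Automatic Login address."""
    addr = ipaddress.ip_address(ip)
    for net, user in AUTO_LOGIN.items():
        if addr in ipaddress.ip_network(net):
            return user
    return None


def authorize(ip, server, credentials=None):
    """Return (decision, user, detail); server is 'web', 'telnet' or 'remote'."""
    if not firewall_allows(ip):
        return ("not allowed", None, "firewall")
    user = auto_login_user(ip)
    if user is None:                                  # steps 3-4: password login
        if credentials is None:                       # web gets a 401, others prompt
            return ("authenticate", None, "401" if server == "web" else "prompt")
        name, password = credentials
        # compare_digest keeps the check constant-time for a stored plaintext secret
        if name not in USERS or not hmac.compare_digest(USERS[name], password):
            return ("not allowed", None, "bad credentials")
        user = name
    if user in GROUPS.get("Administrators", set()):   # step 5: special groups
        return ("allowed", user, "all maps read/write")
    if server == "web" and user in GROUPS.get("FullWebAccess", set()):
        return ("allowed", user, "all maps read-only")
    if server == "telnet" and user in GROUPS.get("FullTelnetAccess", set()):
        return ("allowed", user, "telnet")
    maps = sorted(m for m, users in MAP_ACCESS.items() if user in users)  # step 6
    if not maps:
        return ("not allowed", user, "no map access")
    return ("allowed", user, maps)
```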