
Chapter 12: Access Control

Using the access control feature, you can block requests to Helix Universal Server by media clients, encoding software, and other servers, based on the IP address of the requesting machine and the Helix Universal Server port to which the request is made. This chapter explains how to set up access control rules.

Note: To implement user name and password control for media clients, refer to Chapter 13. The section "Controlling Connections" explains how to limit connections according to outgoing bandwidth use, total number of players, and other general criteria.

Understanding Access Control

The access control feature associates permission to connect to certain ports with client addresses. For example, you can allow only certain groups in your organization to view clips by giving those groups' IP addresses access to application protocol ports on Helix Universal Server. If a media player requests a clip through a port for which it has no access, it receives a message that the URL is invalid, or that the connection has timed out.

Rule Components

Helix Universal Server uses rules to implement access control policy. Each access rule provides the following information:

Predefined Access Rules

Helix Universal Server predefines two access rules:

By default, the second rule allows all clients to make requests on all ports. Hence, access control checking is off. To turn access control on, you need to delete or modify the second rule, and implement new rules.

Access to Helix Administrator

When you implement access control, you may inadvertently lock yourself out of Helix Administrator by denying all client access to the Admin port. Therefore, if you decide to set up access control, the first rule to define should allow access to the Admin Port. This rule needs to come directly after the predefined Allow all localhost connections rule. The section "Granting Access to Helix Administrator" explains how to create this rule.

Access Rule Methods

To use the access control feature, you must make decisions about the types of rules you will create. Then, you can create as many rules as you need. There are two general methods that you can use to restrict access to Helix Universal Server:

When you create a rule, you select a specific client IP address. Optionally, you can extend the addressing by choosing a bit mask, as described in Appendix B. You then select the ports for which that set of clients is allowed or denied access. You may need only one access rule. Or, you may want to set up several.

Rule Order

When you create multiple access rules, you need to set a rule order using the up and down arrow buttons on the rule list. Helix Universal Server carries out rules in order from first to last. When a client connects, Helix Universal Server evaluates the connection starting with the first rule on the list. As soon as it finds a rule that matches the player's address, it allows or denies access according to that rule.

Tip: When implementing an access control policy, make the rules at the top of the list more strict. Reserve lower positions for the more lenient rules.
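
Added example (not from the Helix documentation or product): a small Python model of the first-match evaluation described above, showing how a catch-all Deny placed above AccessToAdmin locks out the administrator and hides every rule below it. Assumptions: a rule matches only when both the client address and the port fall inside it, the Server IP Address field is Any throughout, () stands for all ports, the localhost rule is modelled as 127.0.0.1 on all ports, and the Admin port 9090, the addresses, and the rule names other than AccessToAdmin are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    description: str
    access: str      # "Allow" or "Deny"
    client: str      # "Any" or an IPv4 address
    netmask: str     # "None" or a dotted mask such as "255.255.255.0"
    ports: tuple     # server ports covered; () means every port (model convention)

    def matches(self, client_ip, port):
        # Assumption: a rule applies only when address AND port both fall inside it.
        if self.ports and port not in self.ports:
            return False
        if self.client == "Any":
            return True
        mask = "255.255.255.255" if self.netmask == "None" else self.netmask
        network = ipaddress.ip_network(f"{self.client}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network

def evaluate(rules, client_ip, port):
    """First match wins. None means no rule matched (the page does not say what happens then)."""
    for rule in rules:
        if rule.matches(client_ip, port):
            return rule.access, rule.description
    return None

def shadowed_rules(rules):
    """Rules that can never fire because an earlier client=Any rule covers all their ports."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers = not earlier.ports or (bool(rule.ports) and set(rule.ports) <= set(earlier.ports))
            if earlier.client == "Any" and covers:
                hidden.append(rule.description)
                break
    return hidden

ADMIN_PORT = 9090  # constructed value; the real Admin port is randomly generated
LOCALHOST = Rule("Allow all localhost connections", "Allow", "127.0.0.1", "None", ())
ADMIN = Rule("AccessToAdmin", "Allow", "192.168.10.0", "255.255.255.0", (ADMIN_PORT,))
STAFF = Rule("StaffPlayers", "Allow", "10.20.0.0", "255.255.0.0", (7070, 554, 1755))
DENY_REST = Rule("DenyEveryoneElse", "Deny", "Any", "None", ())

GOOD_ORDER = [LOCALHOST, ADMIN, STAFF, DENY_REST]
BAD_ORDER = [LOCALHOST, DENY_REST, ADMIN, STAFF]  # catch-all deny moved too high

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, evaluate(rules, "192.168.10.25", ADMIN_PORT), shadowed_rules(rules))
```

Running a planned rule list through a model like this before clicking Apply shows which workstation would still reach the Admin port and which rules have become unreachable.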

Granting Access to Helix Administrator

If you decide to implement access control rules, the first step is to set up a rule that enables you to connect to Helix Administrator, regardless of the restrictions you create in other rules.

To grant access to Helix Administrator:

  1. If you do not know the Admin port number, click Server Setup>Ports. Or, click the View link at the bottom of the Access Control page. Note the value of the Admin Port field.
  2. Click Security>Access Control.
  3. Click the "+" icon in the Access Rules section.
  4. In the Edit Rule Description box, enter a rule description such as AccessToAdmin.
  5. In the Access Type pull-down list, select Allow.
  6. In the Client IP Address or Hostname box, type Any. Although this appears to allow everyone access to Helix Administrator, administrator log-in is guarded by the randomly-generated Admin port number, as well as user name and password validation, as described in "Administrator Authentication".
     Tip: For additional security, specify the IP address for users permitted to connect, using an address and a bit mask.

  7. If you specified a client IP address, you can indicate a range of allowable addresses by selecting a bit mask from the Client Netmask pull-down list. For information on using a bit mask, see Appendix B.
  8. In the Server IP Address box, type Any.
  9. In the Ports box, enter the Admin port number.
  10. In the Access Rules area, click the up arrow to place AccessToAdmin as the second rule on the list, following the first predefined rule (Allow all localhost connections).
  11. Click Apply.
  12. Restart Helix Universal Server.

Creating General Access Rules

Follow the steps in this section to allow or deny access to specific client IP addresses or address ranges.

Warning! Be sure first to follow the steps in "Granting Access to Helix Administrator", or you may not be able to access Helix Administrator after you implement your access rules.

To limit client access requests by IP address:

  1. Review the ports in use for PNA (usually 7070), RTSP (usually 554), and MMS (usually 1755). You'll need these numbers for Step 8. You can determine the port values by clicking Server Setup>Ports. Or, click the View link at the bottom of the Access Control page.
  2. Click Security>Access Control.
  3. Click the "+" icon and enter a short description for the new access rule in the Edit Rule Description box. This description is for your reference only.
  4. From the Access Type list, indicate whether permission is to be granted or refused by selecting Allow or Deny.
  5. In the Client IP Address or Hostname box, type the IP address of the client machine. To refer to all clients regardless of IP address, enter Any and leave the Client Netmask box set to None.
  6. To indicate a range of client IP addresses, select a bit mask from the Client Netmask pull-down list. For information on using a bit mask, see Appendix B.
  7. In the Server IP Address or Hostname box, type the IP address or host name of Helix Universal Server. You can type a specific address, or use the word Any to refer to any IP address Helix Universal Server uses to listen for incoming requests.
     Note: If you type a specific IP address or host name rather than Any, ensure that the address is on the IP binding list. See "Binding to an IP Address" for more information.

  8. List the Helix Universal Server port numbers to which you want to restrict access. In the Ports box, type the port numbers you noted in Step 1, separating entries with commas. For example, type:

     1090, 554

  9. In the Access Rules area, click the up arrow or down arrow to move the rule to its appropriate position on the list. General access rules should always come after the Allow all localhost connections rule, and the rule you created for allowing access to Helix Administrator. For more information, see "Rule Order".
  10. Click Apply.
  11. Restart Helix Universal Server.


RealNetworks, Inc. © 2002 RealNetworks, Inc. All rights reserved.