Using the access control feature, you can block requests to Helix Universal Server by media clients, encoding software, and other servers, based on the IP address of the requesting machine and the Helix Universal Server port to which the request is made. This chapter explains how to set up access control rules.
| Note: To implement user name and password control for media clients, refer to Chapter 13. The section "Controlling Connections" explains how to limit connections according to outgoing bandwidth use, total number of players, and other general criteria. |
The access control feature associates permission to connect to certain ports with client addresses. For example, you can allow only certain groups in your organization to view clips by giving those groups' IP addresses access to application protocol ports on Helix Universal Server. If a media player requests a clip through a port for which it has no access, it receives a message that the URL is invalid, or that the connection has timed out.
Helix Universal Server uses rules to implement access control policy. Each access rule provides the following information:
Helix Universal Server predefines two access rules:
Allow all localhost connections: This rule permits access to Helix Universal Server from an application running on the same computer. You should not edit this rule. This rule should always come first in the access control list.
Allow all other connections: This rule allows all clients to make any request on any port. Access is denied, though, if the content is secured, and the client does not supply a valid user name and password.
By default, the second rule allows all clients to make requests on all ports. Hence, access control checking is off. To turn access control on, you need to delete or modify the second rule, and implement new rules.
When you implement access control, you may inadvertently lock yourself out
of Helix Administrator by denying all client access to the Admin port.
Therefore, if you decide to set up access control, the first rule to define should
allow access to the Admin Port. This rule needs to come directly after the
predefined Allow all localhost connections rule. The section "Granting Access to
Helix Administrator" explains how to create this rule.
To use the access control feature, you must make decisions about the types of rules you will create. Then, you can create as many rules as you need. There are two general methods that you can use to restrict access to Helix Universal Server:
In this method, you deny access to a specific group of IP addresses and ports, and allow access to everyone else. This is the better policy if you want to block a small number of clients, while allowing most clients to make requests.
This method is the opposite of the preceding. Here, you allow access to a specific group of IP addresses and ports, and deny access to everyone else. This is the better policy if you want to block a large number of clients, allowing only a small number of clients to make requests.
When you create a rule, you select a specific client IP address. Optionally, you can extend the addressing by choosing a bit mask, as described in Appendix B. You then select the ports for which that set of clients is allowed or denied access. You may need only one access rule. Or, you may want to set up several.
When you create multiple access rules, you need to set a rule order using the up and down arrow buttons on the rule list. Helix Universal Server carries out rules in order from first to last. When a client connects, Helix Universal Server evaluates the connection starting with the first rule on the list. As soon as it finds a rule that matches the player's address, it allows or denies access according to that rule.
| Tip: When implementing an access control policy, make the rules at the top of the list more strict. Reserve lower positions for the more lenient rules. |
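The first-match ordering described above can be checked offline before a rule list goes live. The following is an added example, not RealNetworks code: it models each rule as a client address with bit mask plus a set of ports. The rule names other than Allow all localhost connections and AccessToAdmin, the addresses, the port numbers, and the refuse-when-nothing-matches default are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ADMIN_PORT = 21234                         # constructed; the real Admin port is random
STREAM_PORTS = frozenset({554, 7070, 80})  # constructed sample protocol ports
ALL_PORTS = frozenset(range(1, 65536))

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    clients: str       # client address with bit mask, in CIDR form
    ports: frozenset   # server ports the rule covers

    @property
    def net(self):
        return ipaddress.ip_network(self.clients)

def evaluate(rules, client_ip, port):
    """Walk the list top to bottom; the first rule matching address and port decides."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr in rule.net and port in rule.ports:
            return rule.action, rule.name
    return "deny", None   # assumption: a request no rule matches is refused

def shadowed(rules):
    """Rules that never fire because one earlier rule covers their clients and ports."""
    hidden = []
    for i, later in enumerate(rules):
        if any(later.net.subnet_of(e.net) and later.ports <= e.ports for e in rules[:i]):
            hidden.append(later.name)
    return hidden

LOCALHOST = Rule("Allow all localhost connections", "allow", "127.0.0.1/32", ALL_PORTS)
ADMIN = Rule("AccessToAdmin", "allow", "0.0.0.0/0", frozenset({ADMIN_PORT}))
STAFF = Rule("AllowStaff", "allow", "192.168.10.0/24", STREAM_PORTS)   # hypothetical
LAB = Rule("DenyLab", "deny", "192.168.10.64/26", STREAM_PORTS)        # hypothetical
DENY_REST = Rule("DenyEveryoneElse", "deny", "0.0.0.0/0", ALL_PORTS)   # hypothetical

GOOD = [LOCALHOST, ADMIN, LAB, STAFF, DENY_REST]           # strict before lenient
LOCKED_OUT = [LOCALHOST, LAB, STAFF, DENY_REST, ADMIN]     # admin rule placed last
LENIENT_FIRST = [LOCALHOST, ADMIN, STAFF, LAB, DENY_REST]  # broad allow above narrow deny

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("locked out", LOCKED_OUT),
                         ("lenient first", LENIENT_FIRST)):
        print(label, evaluate(rules, "192.168.10.70", 554),
              evaluate(rules, "203.0.113.9", ADMIN_PORT), shadowed(rules))
```

The `shadowed` check only detects a rule covered by a single earlier rule; a rule hidden by the combination of several earlier rules is not reported.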
If you decide to implement access control rules, the first step is to set up a rule that enables you to connect to Helix Administrator, regardless of the restrictions you create in other rules.
| To grant access to Helix Administrator: |
AccessToAdmin. Allow. Any. Although this appears to allow everyone access to Helix Administrator, administrator log-in is guarded by the randomly-generated Admin port number, as well as user name and password validation, as described in "Administrator Authentication".
| Tip: For additional security, specify the IP address for users permitted to using an address and a bit mask. |
Any. AccessToAdmin as the second rule on the list, following the first predefined rule (Allow all localhost connections).
Follow the steps in this section to allow or deny access to specific client IP addresses or address ranges.
| Warning! Be sure first to follow the steps in "Granting Access to Helix Administrator", or you may not be able to access Helix Administrator after you implement your access rules. |
| To limit client access requests by IP address: |
Allow or Deny. Any and leave the Client Netmask box set to None. Any to refer to any IP address Helix Universal Server uses to listen for incoming requests.
| Note: If you type a specific IP address or host name rather than Any, ensure that the address is on the IP binding list. See "Binding to an IP Address" for more information. |
Allow all localhost connections rule, and the rule you created for allowing access to Helix Administrator. For more information, see "Rule Order".
© 2002 RealNetworks, Inc. All rights reserved.