Specifying Security Policies by Client IP Address
You can use specific security schemes for individual client machines based on their IP address (either full or partial). The PTC RV&S Server selects the security scheme based on the IP address the user is coming from. If you specify a partial IP address, every client in the subnet (up to 256 machines) with an IP address that starts with the same three entries as the partial IP address uses the specified security scheme.
Specify the security scheme for individual client machines in the following properties:
mks.security.policy.scheme.<client ip>=<security scheme>
mks.security.policy.scheme.<subnet ip>=<security scheme>
For example, if the client’s IP address is 10.0.08.24 and you want to use a Windows private security policy, you would specify the following:
• if you are using a full client IP address
mks.security.policy.scheme.10.0.8.24=windows_private
• if you are using a partial client IP address
mks.security.policy.scheme.10.0.8=windows_private
You can specify multiple comma-separated security policies for each IP address, for example:
mks.security.policy,scheme.10.0.8.24=windows_private,
mksdomain_private
|
When specifying multiple security policies for an IP address, all policies for that IP address must use the same transport protocol.
|
The client’s IP address is compared against the specified policies in the order of most specific to least specific. For example, if you specified the following security policies:
mks.security.policy.scheme.10.0.8=ldap_clear,mksdomain_clear
mks.security.policy.scheme.10.0.8.24=mksdomain_private
mks.security.policy.scheme.default=ldap_clear
then a client with IP address 10.0.8.24 is validated against the MKS Domain using an encrypted transport protocol.
|
The transport protocol does not need to be the same for all IP addresses.
|
FSA does not support client authentication by IP address on the host
PTC RV&S server. Authentication by IP address must be set on the proxy. For more information on FSA, see
Understanding Federated Server Architecture.
If you change security realms on a remote server, connecting clients and proxies must be restarted to log in successfully.