IBM Verify


Restrict access to a reverse proxy protected resource from external DMZ network

  • 1.  Restrict access to a reverse proxy protected resource from external DMZ network

    Posted Mon December 30, 2019 01:18 PM
    Hi,
    I need to restrict access to a reverse proxy protected resource from the external DMZ network: a user should only have access to that resource from the external DMZ network if the user belongs to an ISAM group.
    I have tried Risk Profiles and Access Control from the Secure Access Control module without success. Does anybody know if I can do it by implementing an infomap authentication policy, or if I have another option to achieve the goal?
    Any help would be appreciated.
    Thanks in advance.
    Greetings.

    ------------------------------
    David Vicenteño
    ------------------------------


  • 2.  RE: Restrict access to a reverse proxy protected resource from external DMZ network
    Best Answer

    Posted Tue December 31, 2019 06:57 AM
    Hello David,

    To have logic based on a combination of IP address and group membership you will need an Advanced Access Control authorization policy.

    A policy like this should give what you want:

    In this case, if the client IP matches 172.18.0.* and the user is not in the iv-admin group then they will be denied access.
    All other access is allowed.

    If the IP range in your external DMZ is more complex then you may require multiple statements to capture all the subnets. You could also add a JavaScript PIP which would get the client IP and return a boolean on whether it is in the external DMZ or not.

    You will need to create a resource representing the top level of the resources you want to protect, and then attach the policy to it. You should probably enable decision caching for the object because you only need to run the policy once per session (assuming the client IP doesn't change within the session). Remember that you'll need to publish the policy before it becomes active.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
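    The decision logic Jon describes (deny when the client IP is in the external DMZ and the user is not in iv-admin, permit everything else), written out as an added stand-alone illustration; this is not ISAM's policy language or its PIP API, and the DMZ range list, which generalises the single 172.18.0.* pattern to any set of CIDR blocks, is a constructed example.

```javascript
// Constructed example of the authorization rule from the answer above.
// DMZ_RANGES generalises "172.18.0.*" to a list of CIDR blocks so that a more
// complex DMZ can be covered without multiple policy statements.
const DMZ_RANGES = ["172.18.0.0/24"];
const PRIVILEGED_GROUP = "iv-admin";

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip lies inside the CIDR block (e.g. "172.18.0.0/24").
function isInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;                       // "/0" matches everything
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;    // >>> 0 keeps it unsigned
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Role of the "JavaScript PIP" in the answer: is this client in the external DMZ?
function isExternalDmz(clientIp) {
  return DMZ_RANGES.some((range) => isInCidr(clientIp, range));
}

// The policy. An unparseable client IP is treated as external so the rule fails closed.
function authorize(clientIp, groups) {
  const fromDmz = ipv4ToInt(clientIp) === null || isExternalDmz(clientIp);
  const privileged = Array.isArray(groups) && groups.includes(PRIVILEGED_GROUP);
  return fromDmz && !privileged ? "deny" : "permit";
}
```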



  • 3.  RE: Restrict access to a reverse proxy protected resource from external DMZ network

    Posted Thu January 02, 2020 11:48 AM
    Thank you very much Jon, your answer helps me a lot. Greetings.

    ------------------------------
    David Vicenteño
    ------------------------------