ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiy_5.4.0.1/rzaiygrppol.htm

215 lines
15 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Manage remote user access to resources using Group Policies and IP filtering" />
<meta name="abstract" content="Group access policies identify distinct user groups for a connection, and allow you to apply common connection attributes and security settings to the entire group. In combination with IP filtering, this allows you to permit and restrict access to specific IP addresses on your network." />
<meta name="description" content="Group access policies identify distinct user groups for a connection, and allow you to apply common connection attributes and security settings to the entire group. In combination with IP filtering, this allows you to permit and restrict access to specific IP addresses on your network." />
<meta name="DC.Relation" scheme="URI" content="rzaiyscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiyvalidlist.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiycfggap.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiyprofile.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiysysauth.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzajb/rzajbrzajb0ippacketsecuritysd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiygrppolicy.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiycfggap.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiycfgipfilter.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiygrppol" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Manage remote user access to resources using Group Policies
and IP filtering</title>
</head>
<body id="rzaiygrppol"><a name="rzaiygrppol"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Manage remote user access to resources using Group Policies
and IP filtering</h1>
<div><p>Group access policies identify distinct user groups for a connection,
and allow you to apply common connection attributes and security settings
to the entire group. In combination with IP filtering, this allows you to
permit and restrict access to specific IP addresses on your network.</p>
<div class="section"><h4 class="sectiontitle">Situation</h4><p>Your network has several groups of distributed
users, each of whom need access to different resources on your corporate LAN.
A group of data entry users needs access to the database and several other
applications, while a people from other companies needs dial-up access to
HTTP, FTP and Telnet services, but for security reasons must not be allowed
access to other TCP/IP services or traffic. Defining detailed connection attributes
and permissions for each user will duplicate your efforts, and providing network
restrictions for all the users of this connection profile won't provide enough
control. You'd like a way to define connection setting and permissions for
several distinct groups of users who routinely dial into this server. </p>
</div>
<div class="section"><div class="fignone"><span class="figcap">Figure 1. Apply connection settings to dial-up connections based
on group policy settings </span><br /><img src="rzaiy508.gif" alt="Apply connection settings to dial-up connections based on group policy settings" /><br /></div>
</div>
<div class="section"><h4 class="sectiontitle">Solution</h4><p>You need to apply unique IP filtering restrictions
to two different groups of users. To accomplish this, you will create group
access policies and IP filter rules. Group access policies reference IP filter
rules, so you need to create your filter rules first. In this example, you
need to create a PPP filter to include IP filter rules for the "IBM<sup>®</sup> Business Partner"
Group Access Policy. These filter rules will permit HTTP, FTP and Telnet services,
but restrict access to all other TCP/IP traffic and services through the iSeries™ server.
This scenario only shows the filter rules needed for the sales group; however,
you can also set up similar filters for the "Data Entry" group. </p>
</div>
<div class="section"><p>Finally, you need to create the group access policies (one per
group) to define your group. Group access policies allow you to define common
connection attributes to a group of users. By adding a Group Access Policy
to a Validation list on the iSeries server, you can apply these connection settings
during the authentication process. The group access policy specifies several
settings for the user's session, including the ability to apply IP filtering
rules that will restrict the IP addresses, and TCP/IP services available to
a user during their session. </p>
</div>
<div class="section"><h4 class="sectiontitle">Sample configuration</h4><ol><li>Create the PPP filter identifier and IP packet rules filters that specify
the permissions and restrictions for this Group Access Policy.<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Remote Access
Services</span></span>.</li>
<li>Click <span class="uicontrol">Receiver Connection Profiles</span>, and select
Group Access Policies.</li>
<li>Right-click a predefined group listed in the right pane and select <span class="uicontrol">Properties</span>.
<div class="note"><span class="notetitle">Note:</span> If you want to create a new group access policy, right-click Group
Access Policies and select <span class="uicontrol">New Group Access Policies</span>.
Complete the General tab. Then select the TCP/IP Settings tab and continue
with step e below.</div>
</li>
<li>Select the TCP/IP Settings tab, and click <span class="uicontrol">Advanced</span>.</li>
<li>Select <span class="uicontrol">Use IP packet rules for this connection</span>,
and click <span class="uicontrol">Edit Rules File</span>. This will start the IP Packet
Rules Editor, and open the PPP filters packet rules file. </li>
<li>Open the <span class="uicontrol">Insert</span> menu, and select <span class="uicontrol">Filters</span> to
add filter sets. Use the General tab to define the filter sets, and the Services
tab to define the service you are permitting, such as HTTP. The following
filter set, "services_rules," will permit HTTP, FTP and Telnet services. The
filter rules include an implicit default deny statement, restricting any TCP/IP
services or IP traffic not specifically permitted. <div class="note"><span class="notetitle">Note:</span> The IP addresses
in the following example are globally routable, and are for example purposes
only.</div>
<pre>###The following 2 filters will permit HTTP (Web browser) traffic in &amp; out of the system.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR %
= * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 80 SRCPORT %
= * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR %
= 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = %
80 FRAGMENTS = NONE JRN = OFF
###The following 4 filters will permit FTP traffic in &amp; out of the system.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR %
= * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 21 SRCPORT %
= * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR %
= 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = %
21 FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR %
= * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 20 SRCPORT %
= * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR %
= 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = %
20 FRAGMENTS = NONE JRN = OFF
###The following 2 filters will permit telnet traffic in &amp; out of the system.
FILTER SET services_rules ACTION = PERMIT DIRECTION = INBOUND SRCADDR %
= * DSTADDR = 192.18.2.3 PROTOCOL = TCP DSTPORT = 23 SRCPORT %
= * FRAGMENTS = NONE JRN = OFF
FILTER SET services_rules ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR %
= 192.18.2.3 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT %
= 23 FRAGMENTS = NONE JRN = OFF
</pre>
</li>
<li>Open the <span class="uicontrol">Insert</span> menu, and select <span class="uicontrol">Filter
Interface</span>. Use the filter interface to create a PPP filter identifier,
and include the filter sets you've defined. <ol type="i"><li>On the General tab, enter <kbd class="userinput">permitted_services</kbd> for
the PPP filter identifier.</li>
<li>On the Filter sets tab, select the filter set <span class="uicontrol">services_rules</span>,
and click <span class="uicontrol">Add</span>.</li>
<li>Click OK. The following line will be added to the rules file: <pre>###The following statement binds (associates) the 'services_rules' filter set with the
PPP filter ID "permitted_services." This PPP filter ID
can then be applied to the physical interface associated with a PPP connection profile
or Group Access Policy.
FILTER_INTERFACE PPP_FILTER_ID = permitted_services SET = services_rules</pre>
</li>
</ol>
</li>
<li>Save your changes, and exit. If you need to undo these changes later,
use the character-based interface to enter the command: <kbd class="userinput">RMVTCPTBL
*ALL</kbd>This will remove all filter rules and NAT on the server.</li>
<li>On the <span class="uicontrol">Advanced TCP/IP settings</span> dialog, leave the
PPP filter identifier box blank, and click <span class="uicontrol">OK</span> to exit.
Later, you should apply the filter identifier you just created to a Group
Access Policy, not this connection profile.</li>
</ol>
</li>
<li>Define a new Group Access policy for this user group.
<ol type="a"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Remote Access
Services</span> &gt; <span class="uicontrol">Receiver Connection Profiles</span></span>.</li>
<li>Right click the Group Access Policy icon, and select New Group Access
Policy. iSeries Navigator
will display the New Group Access Policy definition dialog.</li>
<li>On the General page, enter a name and description for the Group Access
Policy.</li>
<li> On the TCP/IP settings page: <ul><li>Select <span class="uicontrol">Use IP packet rules for this connection</span>,
and select the PPP filter identifier <span class="uicontrol">permitted_services</span>.</li>
</ul>
</li>
<li>Select <span class="uicontrol">OK</span> to save the Group Access Policy.</li>
</ol>
</li>
<li>Apply the Group Access Policy to the users associated with this group. <ol type="a"><li>Open the Receiver Connection Profile controlling these dial-up connections.</li>
<li>On the Authentication page of the Receiver Connection Profile, select
the validation list that contains the users' authentication information, and
click <span class="uicontrol">Open</span>.</li>
<li>Select a user in the Sales group to which you want to apply the Group
Access Policy, and click <span class="uicontrol">Open</span>.</li>
<li>Click <span class="uicontrol">Apply a Group Policy to the user</span>, and select
the Group Access Policy defined in step 2.</li>
<li>Repeat for each Sales user.</li>
</ol>
</li>
</ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiyscenarios.htm" title="The scenarios in this topic help you understand how PPP works, and how you can implement a PPP environment in your network. These scenarios introduce fundamental PPP concepts from which beginners and experienced users can benefit before they proceed to the planning and configuration tasks.">Scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzaiycfggap.htm" title="The Group Access Policies folder under Receiver Connection Profiles provides options for configuring point-to-point connection parameters that apply to a group of remote users. It applies only to those point-to-point connections that originate from a remote system and are received by the local system.">Configure a group access policy</a></div>
<div><a href="rzaiygrppolicy.htm" title="Group Policy support enables network administrators to define user-based group policies to help manage resources and allows access control policies to be assigned to individual users when logging into the network with a PPP or L2TP session.">Group policy support</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaiyprofile.htm" title="The first step in configuring a PPP connection between systems is to create a connection profile on the iSeries server.">Create a connection profile</a></div>
<div><a href="rzaiycfgipfilter.htm" title="You can use a packet rules file to restrict a user or a group's access to IP addresses on your network.">Apply IP packet filtering rules to a PPP connection</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzaiyvalidlist.htm" title="A validation list is used to store user ID and password information about remote users.">Validation list</a></div>
<div><a href="rzaiysysauth.htm" title="PPP connections with an iSeries server support several options for authenticating both remote clients dialing in to the iSeries, and connections to an ISP or other server that the iSeries is dialing.">System authentication</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzajb/rzajbrzajb0ippacketsecuritysd.htm">IP packet rules (Filtering and NAT)</a></div>
</div>
</div>
</body>
</html>