Chapter 10: Access Control

Using the access control feature, you can limit access to media streams by clients, based on the IP address of the requesting machine and the Helix Universal Proxy port to which the request is made. This chapter explains how to implement this feature.

To implement user name and password control for media clients, use the authentication feature, which is described in Chapter 11.

Overview

The access control feature lets you associate permission to connect to certain Helix Universal Proxy ports with client addresses. For example, you could allow only certain groups in your organization to view clips routed by Helix Universal Proxy. You do this by listing their IP addresses, and the IP address of the machine on which Helix Universal Proxy is installed. If a client attempts to play a stream for which it hasn't been granted access, it will receive a message that the URL is not valid, or that the connection has timed out.

Additionally, you can restrict which clients can send requests to your Helix Universal Proxy by restricting access to the RTSP Proxy port (usually 554).

Helix Universal Proxy uses rules to implement access control policy. A rule consists of a client IP address or hostname, port value (or values), the Helix Universal Proxy IP address or hostname and an indicator for denying or allowing connections for that address/port pair.

Each rule has the following qualities:

Sorting Order—Order in which a rule appears on the Access Rules list; determines the order a rule is implemented.

Description—Descriptive statement of a rule.

Access Type—Whether the client will be allowed or denied access.

Client IP Address or Hostname—Client's address, or a range of addresses.

Client Netmask—Client's netmask.

Server IP Address or Hostname—Helix Universal Proxy's address.

Ports—Port numbers on Helix Universal Proxy to which access is allowed or denied. These numbers correspond to settings on the Ports page: RTSP Port, PNA Port, and MMS Port.

Helix Universal Proxy implements the access rule numbers in order, from rules on the top of the Access Rules list, to the bottom. That is, the highest-placed rule will be enacted first, the lowest-placed last. This is important to keep in mind when establishing the order in which you wish your rules to apply.

Before using this feature, you must make decisions about the types of rules you will create. You can create as many rules as you like.

Access to Helix Administrator

When setting up access rules, it is important to note that you can inadvertently lock yourself out of the Admin Port. Therefore, the first rule you create should always be one that allows access to the Admin Port. This should be the third rule on the list, making it the third rule that Helix Universal Proxy implements in its access control policy. The steps for creating the Admin Port Access Rule are described in "Granting Access to Helix Administrator".

Access Rule Methods

There are two general methods that you can use to restrict access to Helix Universal Proxy:

specific address denial

In this method, you deny access to a specific group of IP addresses and ports, and allow access to everyone else.

specific address permission

This method is the opposite of the preceding. Here, you allow access to a specific group of IP addresses and ports, and deny access to everyone else.

When you create a rule, you sort the rule's order on the Access Rules list using the up and down arrow buttons. Helix Universal Proxy uses the rule's order to determine the sequence in which the rule is carried out. You must create rules in a certain order for Helix Universal Proxy to execute rules properly.

When a client connects, it evaluates the connection starting with the first rule on the list. As soon as it finds a rule that matches the client's address, it allows or denies access according to the rule. As soon as Helix Universal Proxy finds a rule that matches the client's IP address, it allows or denies access, according to the rule.

When developing an access control policy, you should make the rules nearer the top of the list, the most strict. Reserve positions closer to the bottom for the most lenient rules.

The following table summarizes Helix Universal Proxy rules. The first two rules are predefined and should not be modified.

Helix Universal Proxy Rules
	Contents of Rules in Each Set
Rule/Rule Set	Specific Address Denial	Specific Address Permission
`Allow all localhost connections`: Built-in rule. Do not edit this rule.	This rule permits access to Helix Universal Proxy from an application running on the same computer.
`Deny connections to port 7070` : Built-in rule. Do not edit this rule.	This rule prevents other computers from accessing ports 7070, which is reserved for Helix Universal Proxy's use.
Access to Helix Administrator	Clients permitted to use Helix Administrator. Client IP address: `Any`Access: `Allow`Ports: use value for `Admin Port`
`Allow all other connections`: Specific client addresses This rule is also predefined, but you can edit it.	Clients prevented from accessing Helix Universal Proxy. Client IP address: specific client addresses. Access: `Deny`Ports: use values for specific ports	Clients permitted to connect to Helix Universal Proxy. Client IP address: specific client addresses. Access: `Allow`Ports: use values for specific ports
All other addresses	Clients permitted to use your Helix Universal Proxy. Client IP address: `Any`Access: `Allow`Ports: use values for content ports	Clients prevented from using Helix Universal Proxy. Client IP address: `Any`Access: `Deny`Ports: use values for specific ports This set of rules is optional.

Granting Access to Helix Administrator

The first step in creating rules is to set up a rule that enables you to connect to Helix Administrator, regardless of the restrictions you create in other rules. Although it appears that you are allowing everyone to access Helix Administrator, the only people who will use it are other administrators who know the Admin Port number (chosen randomly at installation) and who have a user name and password specifically for Helix Administrator.

For More Information: To learn how to give access to Helix Administrator based on user name, see "Authenticating Helix Administrator Users".

To grant access to Helix Administrator:

If you do not know the Admin Port number, click Proxy Setup>Ports (or, in the Access Control page, click "View assigned ports for this proxy.") and note the value of the Admin Port field.

Click Security>Access Control.

Click the "+" icon in the Access Rules section.

In the Edit Rule Description box, type AccessToAdmin.

In the Access Type pull-down, select Allow.

In the Client IP Address or Hostname box, type Any. For additional security, type the IP address for users permitted to use Helix Administrator (separate multiple addresses with commas). To indicate a range of allowable addresses for this rule, select a bit mask from the Client Netmask drop down box. For more information on assigning a range of IP addresses using a bit mask, see Appendix B.

In the Server IP Address box, type Any.

In the Ports box, type the Admin Port number.

In the Access Rules area, click the up arrow to place AccessToAdmin as the third rule on the list.

Click Apply.

You will now be able to access Helix Administrator, no matter what rules you create in the next section.

Creating Specific Access Rules

Use the steps in this section to allow or deny access to specific IP addresses or address ranges.

Warning! Be sure to first follow the steps in "Granting Access to Helix Administrator", or you will not be able to access Helix Administrator after you restart Helix Universal Proxy.

To limit access according to IP number:

Review the port numbers in use. You'll use these in Step 8. In Helix Administrator, click Proxy Setup>Ports.

Make a note of the values for PNA Proxy Port (usually 1090) , RTSP Port (usually 554), and MMS Proxy Port (usually 1755).

In Helix Administrator, click Security>Access Control.

Click the "+" icon.

A new rule appears at the bottom of the list, and a generic rule description appears in the Edit Rule Description box.

In the Edit Rule Description box, type a short description for the new access rule in the Access Rules list.

From the Access Type list, indicate whether permission is being granted or refused by selecting Allow or Deny.

In the Client IP Address or Hostname box, type the IP address of the client machine. To indicate a range of addresses, select a bit mask from the Client Netmask drop down box. For more information on assigning a range of IP addresses using a bit mask, see Appendix B.

Tip: To refer to all clients, regardless of IP address, type the word Any in the Client IP Address box, and leave the Client Netmask box set to None.

In the Server IP Address or Hostname box, type the IP address or host name of the client machine or network card.

You can type a specific address, or use the word Any to refer to any IP address Helix Universal Proxy uses to listen for incoming requests.

If you type a specific IP address or host name, rather than the word Any, you must also add that address to the IP Binding list. See "Binding To An IP Address" for more information.

Finally, list the Helix Universal Proxy port numbers to which you want to restrict access. In the Ports box, type the port numbers you noted in Step 1, separated by commas. For example, type 1090, 554.

To restrict access to all Helix Universal Proxy ports, the port numbers should match the other port numbers you've instructed Helix Universal Proxy to listen to; look at the port numbers for RTSP port, PNA port, HTTP port, MMS Port

Click Apply.