Interface VIA Rules
Each interface defined within a Universal Messaging Realm server can have an associated ACL list, known as a VIA list.
The VIA list defines the users who are entitled to connect to the Universal Messaging realm using a specific protocol 'via' a specific interface.
For example, suppose a realm has an HTTP (nhp) interface running on port 10000 and a sockets (nsp) interface running on port 15000, and you want all external clients to connect using the nhp interface and all internal clients to connect using the nsp interface. This can be achieved by giving the nhp and nsp interfaces each a list of the subjects that are able to connect via that interface.
This ensures that any user who tries to connect via the nsp interface, and who is not part of the nsp interface VIA list but exists in the nhp VIA list, will be rejected and will not be able to establish a connection via nsp. The same applies to the nhp interface. Alternatively, by simply adding a list of VIA entries to the nhp interface (and leaving the nsp VIA list empty), any user trying to connect via the nsp interface who is found in any other interface VIA list will be rejected. This allows you to tie specific users to specific interfaces.
The default behaviour for all interfaces is that when no VIA lists exist on any defined interfaces, all users can connect on any interface (Realm ACLs permitting, see Realm Entitlements). When a user subject exists on an interface's VIA list, that subject cannot use any interface other than the one they are listed in.
This is an extra level of security that allows administrators of Realm Servers to define a strict approach to who can connect to the realm via specific protocols. This is particularly useful if, for example, you run many services on a single Universal Messaging realm server and wish to ensure that specific clients or groups of clients are using completely separate interfaces.
Interface ACL (VIA List)
To view the VIA list for an interface, select the realm where the interface is running, and then select the 'Interfaces' tab in the Enterprise Manager. Select the interface from the realm's table of interfaces, and choose the tab labelled 'VIA' at the bottom of the interface panel. The image below shows the result of an ACL entry being added to the default socket interface running on port 9000. By adding this entry, the user johnsmith@192.168.1.2 can only use the nsp0 interface, which is using the sockets protocol on port 9000.
As with all Universal Messaging ACLs, wildcards are fully supported, so that, for example, *@192.168.1.2 or johnsmith@* are both valid, enforceable VIA rules.
Interface VIA entries can be added by clicking the 'Add' button on the VIA panel and entering the subject. Entries can be removed by selecting the entry and clicking the 'Delete' button.
Any changes to the interface VIA list will not take effect at the server until the 'Apply' button has been clicked on the VIA panel. Changes can also be disregarded without updating the server by clicking on the 'Cancel' button on the VIA list panel.
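The VIA rules described above can be checked against a planned set of entries before 'Apply' is clicked. The following is an added example, not Universal Messaging code: a small Python model of the rules as this page states them. The interface labels, subjects and addresses are constructed, case-sensitive matching is an assumption, and a subject listed on no interface is reported as "unspecified" because the page does not state that outcome.

```python
from fnmatch import fnmatchcase

ALLOW, REJECT, UNSPECIFIED = "allow", "reject", "unspecified"


def listed(subject, entries):
    """True if subject (user@host) matches any VIA entry; '*' is a wildcard.
    Case-sensitive matching is an assumption of this model."""
    return any(fnmatchcase(subject, entry) for entry in entries)


def via_decision(subject, interface, via_lists):
    """Model of the VIA rules described above; Realm ACLs are not modelled.
    via_lists maps an interface label to its list of VIA entries."""
    if not any(via_lists.values()):
        return ALLOW        # no VIA list on any interface: any interface may be used
    if listed(subject, via_lists.get(interface, [])):
        return ALLOW        # subject is listed on the interface it connects to
    others = (e for name, e in via_lists.items() if name != interface)
    if any(listed(subject, entries) for entries in others):
        return REJECT       # subject is tied to a different interface
    return UNSPECIFIED      # listed nowhere: the text above does not state the outcome


def audit(subjects, via_lists):
    """Decision for every subject/interface pair, for review before 'Apply'."""
    return {(s, i): via_decision(s, i, via_lists)
            for s in subjects for i in via_lists}


# Constructed sample: labels, subjects and addresses are illustrative only.
PLANNED = {
    "nhp:10000": ["*@203.0.113.7"],   # external clients
    "nsp:15000": ["johnsmith@*"],     # internal clients
}
SUBJECTS = ["partner@203.0.113.7", "johnsmith@192.168.1.2", "batch@172.16.0.9"]

if __name__ == "__main__":
    for (subject, interface), decision in audit(SUBJECTS, PLANNED).items():
        print(f"{subject:24} {interface:10} {decision}")
```

Any pair reported as "unspecified" is one to confirm on a test realm before relying on the VIA list to separate clients.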