Deny Inbound Connections from Specified Hosts (Allow All Others)
The following procedure describes how to change the global IP access setting to Allow by Default and specify some hosts to deny.
With this setting in effect, the server allows most hosts and denies some.
To deny inbound requests from specified hosts:
1. Open the Integration Server Administrator if it is not already open.
2. Go to Server > Ports.
3. Click Change Global IP Access Restrictions.
4. Click Change IP Access Mode to Allow by Default.
The server changes the access mode and displays a page from which you can add hosts to the Deny List.
5. Click Add Hosts to Deny List.
6. You can add hosts to the deny list in one of the following ways:
* In Add host, select Manually.
a) In the Hosts field, specify the hostnames (for example, workstation5.webmethods.com) or IP addresses (for example, 132.906.19.22 or 2001:db8:85a3:8d3:1319:8a2e:370:7348) of hosts from which the server should accept inbound requests. Separate your entries with commas. For example: *.allowme.com, *.allowme2.com.
Consider the following points while adding hostnames:
* The hostnames or IP addresses can include uppercase and lowercase alphabetic characters, digits (0-9), hyphens (-), and periods (.) but cannot include spaces. For IPv6, IP addresses can also include colons (:) and brackets ([]).
* Avoid using the fully qualified domain name of the host. Integration Server resolves an incoming hostname to the simple hostname and then compares the simple hostname to the fully qualified domain name in the allow list. Therefore, the names do not match and Integration Server denies the request. To resolve this issue, you can use the * wildcard character at the end of the simple hostname. Alternatively, use the IP address.
Note:
IP addresses are harder to spoof, and therefore more secure.
You can use the following pattern-matching characters to identify several clients with similar hostnames or IP addresses.
Char    Description                         Example
*       Matches any number of characters    r*.webmethods.com
?       Matches any single character        workstation?.webmethods.com
b) Click Add Hosts.
* In Add host, select Using a service.
a) In the Service field, specify the name of a service that returns a list of IP addresses or hostnames in CSV format. The service must conform to the pub.security.ports:hostListProviderSpec specification. For more information on the specification, see webMethods Integration Server Built-In Services Reference.
b) In the Polling Interval field, specify how often Integration Server executes the service to refresh the Deny List. Set to On demand to refresh the list only when the Refresh IP Access List link is clicked on the Global IP access restrictions page. If you specify a service to identify hosts, Integration Server executes the service after saving the changes and thereafter at the specified polling interval.
Note:
If a port is enabled, Integration Server executes the service at startup.
7. Click Save.
Note:
You can identify hosts manually or using a service. If you change how you add hosts, Integration Server overwrites the existing host list.
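
The entry rules and pattern characters from step 6, as an added Python example (not Integration Server code and not part of the original guide): it checks a comma-separated host list against the permitted characters and evaluates the * and ? patterns under Allow by Default. The function names, the sample list, and the whole-string, case-insensitive comparison are assumptions made for this illustration.

```python
import re

# Characters the guide permits in an entry: letters, digits, hyphen, period,
# and (for IPv6) colon and brackets; '*' and '?' are the pattern characters.
ENTRY_OK = re.compile(r"[A-Za-z0-9.\-:\[\]*?]+")

# Constructed sample of a CSV host list, including one invalid entry.
SAMPLE_CSV = ("r*.webmethods.com, workstation?.webmethods.com, "
              "[2001:db8:85a3:8d3:1319:8a2e:370:7348], bad host, ")


def parse_host_list(csv_text):
    """Split a comma-separated list into (valid, rejected) entries."""
    valid, rejected = [], []
    for raw in csv_text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # empty field, for example after a trailing comma
        (valid if ENTRY_OK.fullmatch(entry) else rejected).append(entry)
    return valid, rejected


def to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; rest is literal."""
    # fnmatch is not used because it would read '[...]' as a character class,
    # which breaks bracketed IPv6 entries.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    # Assumption: whole-string, case-insensitive comparison.
    return re.compile(body, re.IGNORECASE)


def is_denied(client, deny_list):
    """Allow by Default: deny only when a deny-list entry matches."""
    return any(to_regex(p).fullmatch(client) for p in deny_list)


if __name__ == "__main__":
    deny, rejected = parse_host_list(SAMPLE_CSV)
    print("rejected entries:", rejected)
    for client in ("workstation5.webmethods.com",
                   "workstation55.webmethods.com",
                   "workstation5"):  # simple hostname vs. FQDN pattern
        print(client, "->", "deny" if is_denied(client, deny) else "allow")
```

In this model the simple hostname workstation5 is not matched by the pattern workstation?.webmethods.com, so under Allow by Default it is not denied.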