
Overview

Network filters are used to define where the inbound traffic to a Gateway Server will be coming from based on the IP address or based on the trading partners.

Using Filtering

The property bc.ipfilter.enabled can be used to enable or disable IP filtering.

If disabled (check box unchecked), no filtering takes place at any level and all incoming requests will be allowed to pass with any remote IP address. If enabled (check box checked), then every incoming request will be evaluated as follows:

DENY If there is no matching filter expression, regardless of type Deny or Accept, AND the default policy is Deny.

DENY If there is at least one filter expression that matches the address and is of type Deny.

ACCEPT If there is no matching filter expression, regardless of type Deny or Accept, AND the default policy is Accept.

ACCEPT If there is no matching filter expression of type Deny AND there is at least one matching filter expression of type Accept.

Filtering Levels

Network filters can perform two levels of filtering:

• Filtering based on the IP address (first level)

• Filtering based on the trading partner name (second level)

First level of filtering, where IP addresses are specified, takes precedence over the second level of filtering.

First Level Filtering

The first level of filtering is used to deny or accept an IP address. It is exercised for If there is any disabled individual filter expression that matches the address, it will not participate in the filtering decision but it can be reactivated at any time.

TIBCO BusinessConnect Gateway Server Administration Overview


Second Level Filtering

Second level filtering using the field From Participant is exercised on the Interior Server only for d FTPS transports. It is performed before user authentication and during on login for FTPS.

Filter Level Precedence

First level of filtering is performed only when the FromParticipant field, as required for the second level of filtering, is not specified.

You can also define the first level filtering by selecting BusinessConnect > System Settings > Activated Protocol Plug-ins and Properties > BusinessConnect Server and then looking for the entry bc.ipfilter.default.noMatchPolicy.

From the dropdown menu select the Default IP Filter Policy:

Accept

Deny

Based on this selection, the default first level filtering will either deny or accept the traffic from a certain IP address if no existing (and active) rules have matched the address.

Filter Expressions

Each filter entry holds exactly one filter expression. The expression can match a remote IP address directly, or it can define arbitrary ranges using a specific pattern syntax.

IPv4 canonical textual representation: N1.N2.N3.N4 where N1-4 are segments between 0 and 255 inclusive.

Matching Patterns

Here are some examples of matching patterns to use:

1.2.3.4 Matches the IPv4 address 1.2.3.4 directly. Any other address does not match this pattern.

1.2.3.* Matches all the IPv4 addresses between 1.2.3.0 and 1.2.3.255 inclusive, a total of 256 addresses.

1.2.3.4-12 Matches all the IPv4 addresses between 1.2.3.4 and 1.2.3.12 inclusive, a total of 9 addresses.

1.2.3-5.* Matches all the IPv4 addresses between 1.2.3.0 and 1.2.5.255 inclusive, a total of 768 addresses.


Chapter 6 Network Filters

1.2.* Matches all the IPv4 addresses between 1.2.0.0 and 1.2.255.255, a total of 65,536 addresses.

• Any combination of ranges (n1-n2) and wildcards (*) is allowed, each in a different segment. The expression *.*.*.* can be used to match every possible IPv4 address.

If the pattern does not specify every segment, the missing segments are canonicalized so that they match every address in those segments' range.
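The decision rules under Using Filtering and the pattern syntax above, modeled in Python as an added example (not TIBCO code and not part of the original manual). Function names, the tuple layout and the sample rule set are hypothetical, and padding missing segments with * is an assumption drawn from the 1.2.* pattern.

```python
import re

# Added illustration, not TIBCO code; all names here are hypothetical.
SEGMENT = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?", re.ASCII)

def parse_pattern(expr):
    """Turn an IP expression into four inclusive (low, high) segment ranges."""
    parts = expr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad IP expression: {expr!r}")
    parts += ["*"] * (4 - len(parts))  # assumed canonicalization: 1.2.* -> 1.2.*.*
    ranges = []
    for part in parts:
        m = SEGMENT.fullmatch(part)
        if part == "*":
            lo, hi = 0, 255
        elif m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        else:  # rejects commas, regex syntax and empty segments
            raise ValueError(f"bad segment {part!r} in {expr!r}")
        if not lo <= hi <= 255:
            raise ValueError(f"segment out of range in {expr!r}")
        ranges.append((lo, hi))
    return ranges

def coverage(expr):
    """Number of addresses an expression matches (useful when auditing Accept rules)."""
    total = 1
    for lo, hi in parse_pattern(expr):
        total *= hi - lo + 1
    return total

def matches(expr, ip):
    octets = [int(o) for o in ip.split(".")]
    return len(octets) == 4 and all(
        lo <= o <= hi for o, (lo, hi) in zip(octets, parse_pattern(expr)))

def evaluate(filters, ip, default_policy="Deny", filtering_enabled=True):
    """filters: (type, expression, enabled) tuples; returns 'ACCEPT' or 'DENY'."""
    if not filtering_enabled:  # bc.ipfilter.enabled unchecked
        return "ACCEPT"
    hits = {ftype for ftype, expr, on in filters if on and matches(expr, ip)}
    if "Deny" in hits:         # any matching Deny wins over any Accept
        return "DENY"
    if "Accept" in hits:
        return "ACCEPT"
    return default_policy.upper()  # no active filter matched

# Constructed sample rule set: broad Accept, narrow Deny, one disabled filter.
SAMPLE = [("Accept", "10.1.*", True), ("Deny", "10.1.5.20-30", True),
          ("Deny", "192.0.2.*", False)]
```

Running coverage() over every Accept expression before saving it shows how many addresses the rule admits, and evaluate() shows that a disabled Deny filter leaves its addresses to the default policy.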


Creating Network Filters

To create a network filter:

1. Select BusinessConnect > Gateway > Network Filters.

2. Click Add.

3. Enter filter parameters as described in Table 10.

4. Click Save.

5. The new filter will be displayed in the Network Filters window.

Table 10 Network Filter Parameters

Field: Description

Name: Enter the filter name.

Enable: Check this field to enable the filter. Default is checked.

Type: This field defines whether a single IP address, or a range of IP addresses, will be denied or accepted:

• Deny: Indicates that a matching IP address will be denied.

• Accept: Indicates that a matching IP address will be accepted.

IP Expression: This is first level filtering based on the IP address denial or acceptance and is required. Enter the IP address information by using wildcards * or a range -. No regular expressions or comma-delimited expressions are allowed. Example: 1.2.1-100.* For more details see Matching Patterns on page 33.

From Participant: This is second level filtering based on the trading partner name and is performed before user authentication and during login for SFTP or FTPS. This field is not required. For more details see Filtering Levels on page 32.


6. Use the Network Filters window to:

• Add a new filter

• Delete an existing filter

• Edit a Network Filter, page 36

Figure 6 New Filter Created

Edit a Network Filter

To edit an existing network filter:

1. In the Network Filters window, click on the filter link.

The Edit filter Settings window appears. Edit the filter settings as explained in Table 10 on page 35.
