Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
Chapter 15 System Administration
Configuring Access to the Email Security Appliance
AsyncOS gives administrators controls to manage users’ access to the Email
Security appliance, including a timeout for Web UI sessions and an access list that
specifies the IP addresses from which users and your organization’s proxy servers
can access the appliance.
Configuring IP-Based Network Access
You can control from which IP addresses users access the Email Security
appliance by creating access lists for users who connect directly to the appliance
and users who connect through a reverse proxy, if your organization uses reverse
proxies for remote users.
You can specify the IP addresses, subnets, or CIDR addresses for machines that
can connect to the Email Security appliance. Users can access the appliance from
any machine with an IP address on the access list. Users attempting to connect to
the appliance from an address not included in the list are denied access.
Connecting Through a Proxy
If your organization’s network uses reverse proxy servers between remote users’
machines and the Email Security appliance, AsyncOS allows you to create an access
list with the IP addresses of the proxies that can connect to the appliance.
Even when using a reverse proxy, AsyncOS still validates the IP address of the
remote user’s machine against a list of IP addresses allowed for user connections.
To send the remote user’s IP address to the Email Security appliance, the proxy
needs to include the x-forwarded-for HTTP header in its connection request to
the appliance. The x-forwarded-for header is a non-RFC standard HTTP header with
the following format:
x-forwarded-for: client-ip, proxy1, proxy2,... CRLF
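The access decision this section describes, sketched as an added example (not code from the guide or from AsyncOS): the connection's source address is checked against the proxy list, and only for a listed proxy is the left-most x-forwarded-for address checked against the user list. The list contents, the function names, and the choice to deny a listed proxy that sends no usable header are assumptions.

```python
import ipaddress

# Constructed sample lists (documentation address ranges), not values from the guide.
USER_ALLOW = ["192.0.2.0/24", "198.51.100.7"]
PROXY_ALLOW = ["203.0.113.10"]


def _in_list(addr, entries):
    """True if addr falls inside any single-address or CIDR entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def client_from_xff(header_value):
    """Return the left-most address of an x-forwarded-for value, or None if malformed."""
    first = header_value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def access_allowed(peer_ip, xff=None, users=USER_ALLOW, proxies=PROXY_ALLOW):
    """Decide access for one connection.

    peer_ip: source address of the TCP connection.
    xff:     value of the x-forwarded-for header, or None if absent.
    """
    if _in_list(peer_ip, proxies):
        # Listed proxy: the header carries the remote user's address.
        # Assumption: a missing or malformed header is treated as a denial.
        client = client_from_xff(xff) if xff else None
        return client is not None and _in_list(client, users)
    # Not a listed proxy: any x-forwarded-for value was set by the sender
    # itself, so ignore it and check the connection's own source address.
    return _in_list(peer_ip, users)
```

The last branch is the check worth verifying in any deployment: a header sent by a machine that is not on the proxy list must never influence the decision.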
The value for this header is a comma-separated list of IP addresses with the
left-most address being the address of the remote user’s machine, followed by the
addresses of each successive proxy that forwarded the connection request. (The