ACCESS CONTROL FOR USERS OF CAN-8 SERVERS

To provide control over where licensed connections to CAN-8 servers originate from, an access control system has been implemented. The access controls allow the server administrator to allocate a specific number of licenses to a range of IP addresses. In this way, the server administrator may reserve a number of licenses for use in a classroom thus preventing others from outside the classroom from using them.



SETTING UP THE ACCESS CONTROL

To set up the access controls, the server administrator must create a text file called ACCESS.CFG in the SVSYS\ID directory on the server. The contents of this file are as follows.
The first line defines the number of licensed connections the server may support.
This number must exactly match the number of licenses that have been purchased from Sounds Virtual. If the numbers do not agree, the server will either allocate licenses that will not connect, or never connect licenses that do exist. The form of this line is below:

license 40

In this case the server was licensed for 40 connections. There is one space between the word "license" and the number.
The remaining lines all take the same form. There may be up to 200 such lines in the file.
The form is as follows:

[starting IP address][whitespace][ending IP address][whitespace][number]

The fields are as follows:
Field                 Description
whitespace            One or more space characters
starting IP address   First IP address (inclusive) of the range
ending IP address     Last IP address (inclusive) of the range
number                Number of licenses to allocate to the range

A typical line would look like this:

10.0.0.1 10.0.0.250 10

The above line allocates 10 possible connections to the range of addresses starting at 10.0.0.1 and up to and including 10.0.0.250.

The access control list works on a "pool" basis. The starting pool is the number of licenses specified in the "license nn" line. Each allocation line reserves licenses from this pool. When all the allocation lines have been read, any remaining licenses may be used from any location.

Going back to our simple example file:

license 40
10.0.0.1 10.0.0.250 10

In this case, the server is capable of 40 licensed connections. Ten of those licenses are reserved for the range of IP addresses 10.0.0.1 to 10.0.0.250. You will note that there are a possible 250 IP addresses that may use up to 10 connections. This does not mean that only 10 users may sign on from those addresses, but that a MINIMUM of 10 users may ALWAYS sign on from those addresses. If users attempt to sign on from a reserved range that has exceeded its allocation of licenses, then remaining licenses are allocated from the unreserved pool (in this case 40 - 10 = 30 licenses). Thus the reservation does not prevent further users in the reserved range from signing on; it only guarantees that a minimum number can.

Let's consider a more realistic and complex example:

license 35
10.0.0.1 10.0.0.250 10
10.0.1.0 10.0.1.250 10
172.16.32.1 172.16.32.250 10


In this case, three ranges are reserved, each having ten licenses allocated to them. So this means that a minimum of 10 users may sign on to the server from each of the ranges. The remaining number of licenses from the total is five. These five may be used from any IP address including addresses within the range of allocated addresses.


EXTENDED FORMAT

The extended form adds time and day restrictions so that the CAN-8 server may automatically create reservations depending on the day and during a defined time interval.

The form is as follows:

[first IP][WS][last IP][WS][# res][WS][day][WS][start time][WS][end time]

Where:
Field Description
[WS] - One or more space characters
[first IP] - First IP address in range
[last IP] - Last IP address in range
[# res] - Number of licenses reserved for this range
[day] - Day of week for this reservation, where

  • 0 = Sunday
  • 1 = Monday
  • 2 = Tuesday
  • ...etc.

[start time] - Time (24 hr format) for this reservation to come into effect
[end time] - Time (24 hr format) at which this reservation no longer applies

GENERAL NOTES


The addresses must be specified with the lower numbered address first and the higher number second. If the order is reversed, the line will be ignored.

Ranges may overlap with each other. In the case of the overlap, the first matching range has its allocated licenses assigned first, and then the next matching range in order as they appear in the file. When all overlapped ranges have their allocation exceeded, the remaining free pool will be used.

Extended format: The start time must always be earlier (smaller) than the end time, or the line will be treated as containing an error. Therefore, any overnight reservation must be done in two lines as shown below:

10.0.0.10 10.0.0.50 10 0 1800 2400
10.0.0.10 10.0.0.50 10 1 0001 0900

In the above example, 10 licenses are reserved for the specified IP range from Sunday 6PM to Monday 9AM.

Lines with errors will be ignored by the server and a record of the error will be placed in the SERVER.LOG file at start up.

The file is only read once during server startup, so in order to have changes to the ACCESS.CFG file take effect, the NTSERVE program must be stopped and then re-started.
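
A pre-deployment check for the rules above, as an added example (not Sounds Virtual's code). Because the server skips bad lines and only records them in SERVER.LOG, a reversed range silently returns its licenses to the general pool; this linter reports such lines before a restart. The function names, the constructed sample, the skipping of blank lines, and the 0-6 day and 2400 time bounds are assumptions.

```python
import ipaddress
import re

MAX_RANGE_LINES = 200  # limit stated on this page

def lint_access_cfg(text):
    """Lint ACCESS.CFG text. Assumes blank lines are skipped and days run 0-6."""
    rows = [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1) if ln.strip()]
    if not rows or not re.fullmatch(r"license \d+", rows[0][1]):
        return None, [], [(1, "first line must be 'license <number>'")]
    total = int(rows[0][1].split()[1])
    accepted = []
    problems = [(n, "beyond the 200 range lines allowed")
                for n, _ in rows[1 + MAX_RANGE_LINES:]]
    for n, line in rows[1:1 + MAX_RANGE_LINES]:
        f = line.split()
        if len(f) not in (3, 6) or not all(x.isdecimal() for x in f[2:]):
            problems.append((n, "expected 3 or 6 fields, numeric after the IPs"))
            continue
        try:
            first, last = ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1])
        except ValueError:
            problems.append((n, "invalid IP address"))
            continue
        if first > last:
            problems.append((n, "range reversed: the server ignores this line"))
            continue
        if len(f) == 6:
            day, start, end = (int(x) for x in f[3:])
            if day > 6 or end > 2400 or start >= end:
                problems.append((n, "bad day, or start time not before end time"))
                continue
        accepted.append((n, first, last, int(f[2]), len(f) == 6))
    return total, accepted, problems

def unreserved_pool(total, accepted):
    """Licenses usable from any address after the always-on (3-field) lines."""
    return total - sum(count for *_, count, timed in accepted if not timed)

# Constructed sample: line 3 is reversed, line 5 tries an overnight span in one line.
SAMPLE = """license 35
10.0.0.1 10.0.0.250 10
10.0.1.250 10.0.1.0 10
172.16.32.1 172.16.32.250 10
10.0.0.10 10.0.0.50 10 0 1800 0900
"""

if __name__ == "__main__":
    total, accepted, problems = lint_access_cfg(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    print("unreserved pool:", unreserved_pool(total, accepted))
```

On the sample, lines 3 and 5 are rejected, so the unreserved pool is 15 rather than the intended 5.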
