Toggle menu

IP Rules

These rules restrict access to the iCM enterprise URL and may be used by subsites (if they don't have any rules of their own defined).  At least one rule must be provided, and the first rule that matches will determine whether a request is successful or not. By default the first rules in the list allow all connections.

When entering a rule you'll be prompted to enter the IP address, either IPV4 or IPV6, and a netmask. If you are entering a single IPV4 address the netmask will generally be /32. For more information about ranges and netmasking, this documentation from Cisco has a thorough explanation, https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html (opens new window)

Subsite level rules are set in the Subsite Properties.

Note that you'll need to manually decache the site for changes at the enterprise level to be picked up (changing rules at the subsite level automatically clears the cache for that subsite).

iCM Access

IP rules do not prevent users from accessing the iCM login screen. Rather, when a user attempts to log in, their current IP address is checked against the rules, and their login will either be blocked or allowed to proceed.

Whenever someone tries to access the iCM enterprise URL, the rules set here are checked. In new installations all connections are allowed.

If a user is attempting to log into a subsite level iCM, the rules set in that subsite are checked, and if one matches, the IP address is either allowed or rejected. If no match is found, the rules set here are checked.

When you upgrade to iCM 10.0.7.0 existing subsites automatically have final "reject all" rules added to them to maintain previous behaviour. If you'd like a subsite to also use the enterprise rules, you'll have to remove these rejects. New subsites don't have any rules.

Remember that iCM subsites can be set as "isolated" or "co-operative". Co-operative subsites allow the iCM content in one subsite to be accessed and edited on the URL of another.

Website Access

The site frameworks query the IP rules to determine access to the front-end site following the same logic outlined above.

Logical Flow

Subsite

  1. Attempt to access a subsite or subsite iCM login
  2. Are subsite IP rules enabled? No - allow access. Yes - check the rules
  3. If the IP address matches a subsite rule, allow or reject as appropriate
  4. If no subsite rules match, check the enterprise level rules

Enterprise

  1. Attempt to access the iCM enterprise URL, or exhaust all of the subsite rules
  2. Check the rules set in the iCM configuration
  3. Allow or reject based upon the first rule that matches my IP
  4. If all rules are checked and no match is found, the request will be rejected

Examples

This rule would allow local connections and reject any other IP address:

IP Rule - Allow Local

Inverting the rules would reject all connections even though an IP address is allowed later in the list:

IP Rule - Reject All

Last modified on February 23, 2023

Share this page

Facebook icon Twitter icon email icon

Print

print icon