The General tab provides control over site-specific attributes and
settings.
Reload Settings: Reloads settings that may have been changed through the
admin interface. The options are Settings, Access and Users, and each
tells the filter to reload that set of data, for example after you have
finished updating access configurations. When you add, remove or modify
an access restriction you must reload access. When you modify any
settings you must reload settings. Reload users is normally not needed;
it only forces the filter's cached user information to be refreshed.
You do not need to reload users after adding, deleting or modifying a
user.
User Session Length: In minutes. A session is a series of client
requests from the same address. If no further request arrives from that
address within the specified period the session is assumed to be over.
Because sessions are keyed on the client address, several clients behind
one proxy or NAT gateway count as a single session.
Form Based Cookie Login: Enabled / Disabled. Enable this option if you
want to use cookie-based login with a custom login form rather than
basic authentication.
Cookie Login Form URL: Web site address of the login form used when the
previous option is enabled. This field takes a virtual path: if the
full URL of your form is http://www.domain.com/login.asp you would enter
/login.asp
Unsupported cookie handling: Determines whether users whose browsers do
not support cookies, or have them disabled, are allowed to fall back to
basic authentication.
Logout URL: Web site address of the page shown after logout. This field
takes a virtual path: if the full URL of the page is
http://www.domain.com/logout.asp you would enter /logout.asp. Users are
logged out by requesting www.yourdomain.com/logout, a special URL
reserved for logout purposes, and are then redirected to this page.
Basic authentication has no logout mechanism of its own and browsers
cache the credentials per realm, so if you wish to use logout with basic
authentication all of your access restrictions must use the same realm.
Encryption Password: The password used to encrypt and decrypt the login
details stored in the cookie. It is a shared secret, so choose a long,
random value, and expect cookies issued under the old value to stop
decrypting if you change it.
Account Expired Error HTML/URL: Redirect to the URL or return the HTML
when the account has expired.
Account Inactive Error HTML/URL: Redirect to the URL or return the HTML
when the account is inactive.
Log File Path: The full path, including filename, of the site's log
file. Site-specific information is logged to it in text format.
Mail Server: The address of the SMTP mail server you wish iisPROTECT
to use when sending email. e.g. mail.yourdomain.com
Return address: The return address and name of the account you wish
iisPROTECT to send email from. e.g. you@yourdomain.com,Sales group
Search:
When you select this tab you will be provided with a search form that
is dynamically created from your database. This means you can search
on any field in your database, not just the fields that iisPROTECT
requires.
Text fields are matched partially: searching for "Da" in the username
returns both "Dave" and "Dan".
Date fields display two entries: a from date and a to date. If you
enter both, records with a date within that range are displayed. If you
enter only the from date, only records after that date are displayed,
and if you enter only the to date, only records before that date.
Yes / No fields display as a combo box with three values: yes, no or
both.
A search can combine criteria on several fields. For example, to see
all users who expire after a given date, are active and whose username
starts with the letter H, enter each of those criteria and perform the
search. Results are returned in a paged listing which you navigate
with the next and previous buttons.
Users:
When you select this tab you will be provided with a list of users.
You can page through the results and drill down on a given user. You
are also presented with another row of tabs that give alphabetical
lists of users.
When you drill down on a user you will be provided options to delete
the selected user, update their information, or add a new user.
When updating a user, any groups you select in the first box (groups
the user is currently a member of) are removed from that user, and any
groups you select in the second box (all available groups) are added to
that user. You can therefore add and remove group memberships in one
update operation.
Standard Field List: username, password, active, selected / available
groups, expiry date, ntuser, ntpassword, lastlogin. Username and
password are the only required fields. Active controls whether the
user is active and can be cleared to disable a user without deleting
them. The group settings set which groups the user belongs to. Expiry
is a future date after which the account will no longer allow logins.
ntuser and ntpassword are not required and should be set only if you
want to map logins to a particular NT account. lastlogin is populated
with a date / time if this feature is enabled.
Live Users:
iisPROTECT also provides a facility to view the users live on your site
at any given time. This is accessible through a special web page,
liveusers.htm. You do not need to create this page; the filter
generates it dynamically. It must be requested from your web root, for
example: http://www.yourdomain.com/liveusers.htm
Because this page discloses who is logged in and what they are doing,
protect it by creating an access restriction for /liveusers.htm unless
you want anyone to be able to view it.
The page lists all users currently on the site along with their KB,
hits, logins and concurrent access counts if you are using
iisPROTECTquota.
Access:
When you select this tab you will be provided with a list of access
restrictions. You can page through the results and drill down on a
given access restriction.
The add tab can be used to add a new access restriction.
Access protects your site by relative paths. For example, if you want
to protect http://www.yourdomain.com/protected you would enter
/protected for the path.
For any given access restriction you can allow any number of users and
groups.
The realm is displayed by the web browser in the basic authentication
login prompt. Realms divide the site into areas of protection: the
browser caches basic authentication credentials per realm, so when a
user crosses into another realm they are prompted to log in again.
Generally you would set the realm to the same value for all of your
access restrictions.
You can also define a specific error message (returned if the user
does not present a valid username and password for the requested
resource) and a realm (shown in the basic authentication dialog box).
The error message can be plain text or HTML.
When you add, delete, or modify an access restriction you must reload
access from the site admin general tab in order for the changes to take
effect.
Access Update/Additions:
When you drill down on an access restriction you will be provided
options to delete the selected entry, update its information, or add a
new access restriction.
If you want to protect www.yourdomain.com/protected then enter
/protected for the path. Inheritance controls whether only the files
directly in /protected, or all files and directories beneath
/protected, use the same permissions.
Filters:
Filters enable you to deny access to the protected resource based on
the following criteria:
Domain: Limit access to the listed domains, with wildcard support,
e.g. *domain.com would allow user1.domain.com and user2.domain.com
IP: Limit access by the client's IP address or range, e.g. 24.54.32.*
Referrer: Limit by referrer, to ensure clients are coming from a
feeder site.
User Agent: Filters incoming requests based on the user agent
(browser). Can be used to block spiders and content scrapers, though
the user agent string, like the referrer, is supplied by the client and
is easily changed, so treat these two filters as a nuisance barrier
rather than a security control.
Filters control whether a request reaches the authentication system
at all. A request that passes the filters still requires a username
and password to gain access to a protected resource.
If a filter is not passed the request is denied. If the optional error
message / URL is set for that filter the user is returned the error
message or redirected to the defined URL.
To save typing large exclusion lists, each filter has an option
controlling whether the listed values are denied or allowed. For
example, if you list two IPs in the IP filter, this option controls
whether those two IPs are allowed and all others denied, or those two
IPs are denied and all others allowed.
All filters have an error setting. If the filter condition is met the
user is shown the error if HTML / text is entered, or redirected if a
complete URL is provided (e.g. http://www.yourdomain.com/YourFilterError.htm).
Auto Login:
Controls automatically logging in users based on the following criteria:
Domain: Log in if the request is from one of the listed domains, with
wildcard support, e.g. *domain.com would allow www.domain.com and
domain.com
IP: Log in if the request is from one of the listed IP addresses or
ranges, e.g. 24.54.32.*
Referrer: Auto login if the request comes from a given referrer.
User Agent: Log in users with specific user agents (browsers).
If a request meets the auto login criteria it is immediately granted
access to the resource without the user having to provide a username
and password.
This is quite different from filters, which control whether the request
reaches the authentication system; here a request that meets the
criteria skips the login step. This is useful for internal networks,
for example: define the IPs of your intranet and requests from within
your network will not be asked to authenticate while requests from
outside will. Be aware of what each criterion actually proves. The
referrer and user agent are set by the client, so an auto login rule on
either grants access to anyone who sends the matching header. An IP or
domain rule trusts the network path, so any proxy or gateway that
presents an internal address logs in everything behind it.
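The following Python model, added here as an illustration and not iisPROTECT's own code, walks one request through the three stages described in the Access, Filters and Auto Login sections: filters, then auto login, then basic authentication against the users and groups allowed on the restriction. The user table, restriction, addresses and error strings are constructed for the example, and evaluating auto login after the filters and before credentials is this example's reading of the text rather than documented ordering.

```python
"""Toy model of how a filtered, auto-login-capable, basic-auth restriction
decides a request: filters first, then auto login, then credentials.
Added example with constructed data; it is not iisPROTECT's own code."""
import base64
import fnmatch
import hmac

# Constructed user table: username -> (password, set of group names)
USERS = {"dave": ("s3cret", {"staff"}), "dan": ("letmein", set())}


def wildcard_match(patterns, value):
    """Case-insensitive match against patterns such as '24.54.32.*' or '*domain.com'."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def request_value(req, kind):
    """The request attribute a Domain, IP, Referrer or User Agent rule inspects."""
    return {"domain": req.get("remote_host"), "ip": req.get("remote_addr"),
            "referrer": req.get("referer"), "user_agent": req.get("user_agent")}[kind]


def basic_header(user, password):
    """Build an Authorization header the way a browser does for basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")


def parse_basic(header):
    """Return (user, password) from a basic Authorization header, or None if malformed."""
    try:
        scheme, token = header.split(" ", 1)
        if scheme.lower() != "basic":
            return None
        user, _, password = base64.b64decode(token, validate=True).decode("latin-1").partition(":")
        return user, password
    except (AttributeError, ValueError):
        return None


def filter_error(error):
    """A filter's error setting: a complete URL redirects, anything else is returned as the body."""
    if error and error.lower().startswith(("http://", "https://")):
        return {"status": 302, "headers": {"Location": error}, "body": ""}
    return {"status": 403, "headers": {}, "body": error or "Access denied"}


def handle(req, restriction):
    """Decide one request against one access restriction.

    restriction keys: realm, users, groups, error, filters (kind, patterns,
    mode 'allow'|'deny', error) and auto_login (kind, patterns)."""
    # 1. Filters decide whether the request reaches the authentication system at all.
    for f in restriction.get("filters", []):
        matched = wildcard_match(f["patterns"], request_value(req, f["kind"]))
        # 'allow': only listed values pass; 'deny': listed values are refused, others pass.
        if (f["mode"] == "allow") != matched:
            return filter_error(f.get("error"))
    # 2. Auto login: a matching request skips the username/password step entirely.
    #    Referer and User-Agent are chosen by the client, so rules on them admit anyone
    #    who sends the right header; IP and domain rules trust the network path instead.
    for rule in restriction.get("auto_login", []):
        if wildcard_match(rule["patterns"], request_value(req, rule["kind"])):
            return {"status": 200, "headers": {}, "body": "auto login", "user": None}
    # 3. Basic authentication against the users and groups allowed on this restriction.
    creds = parse_basic(req.get("authorization"))
    if creds and creds[0] in USERS:
        password, groups = USERS[creds[0]]
        if hmac.compare_digest(password.encode("latin-1"), creds[1].encode("latin-1")) and (
                creds[0] in restriction["users"] or groups & restriction["groups"]):
            return {"status": 200, "headers": {}, "body": "ok", "user": creds[0]}
    # Browsers cache basic-auth credentials per realm, so one realm shared by all
    # restrictions avoids a fresh prompt each time the user crosses into another path.
    return {"status": 401,
            "headers": {"WWW-Authenticate": 'Basic realm="%s"' % restriction["realm"]},
            "body": restriction.get("error", "Authentication required")}


# Constructed restriction: scrapers are refused, only two networks reach the login,
# and the 10.0.x.x intranet is logged in automatically.
RESTRICTION = {
    "realm": "Members", "users": {"dan"}, "groups": {"staff"},
    "error": "Valid username and password required",
    "filters": [
        {"kind": "user_agent", "patterns": ["*scraperbot*"], "mode": "deny",
         "error": "http://www.yourdomain.com/YourFilterError.htm"},
        {"kind": "ip", "patterns": ["24.54.32.*", "10.*"], "mode": "allow",
         "error": "Your network is not permitted"},
    ],
    "auto_login": [{"kind": "ip", "patterns": ["10.0.*"]}],
}

if __name__ == "__main__":
    for req in ({"remote_addr": "10.0.5.9"},
                {"remote_addr": "24.54.32.7"},
                {"remote_addr": "24.54.32.7", "authorization": basic_header("dave", "s3cret")},
                {"remote_addr": "24.54.32.7", "user_agent": "ScraperBot/1.0"},
                {"remote_addr": "200.1.2.3"}):
        print(req, "->", handle(req, RESTRICTION)["status"])
```

Running it shows the intranet address admitted with no credentials at all, the external address challenged with the realm, the scraper redirected to the filter's error URL because it is a complete URL, and the unlisted network handed the plain-text error as the body.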
Common Tasks:
How to protect a specific file / entire directory / subdirectory:
To protect an area of your site you need to add a new access
restriction using the site admin page. The path determines the
specific resource to be protected. To protect a specific file you
would enter the path to that file. For example, if the file was
data.mdb in your /database directory you would enter /database/data.mdb
as the path. If you wanted to protect all files in the database
directory you would enter /database as the path, and if you also wanted
to protect all files in any subdirectory of it, make sure the
inheritance option is selected. Note that it is your web path or URL
that is entered, not a file system path, and not your full web address:
for http://www.yourdomain.com/mydir/myfile.htm only /mydir/myfile.htm
should be entered as the path for protection.
With the path entered correctly you can now select the groups that
you want to have access to the resource by selecting them from the
groups list. You can make multiple selections by holding down the
ctrl key while clicking with the first mouse button.
The realm is optional and controls the message that appears in the
popup box which asks the user for their username and password.
Once you have configured a new access restriction you must reload
access from the general tab of site admin for it to take effect.
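The example below, added here and not the product's own matcher, shows the decisions a path-based restriction implies: an exact file path, a directory with and without inheritance, and the canonicalisation a request path needs before it is compared (IIS paths are case-insensitive, and `..`, duplicate slashes and %-escapes would otherwise slip past a literal comparison). The restrictions, usernames and groups are constructed, and longest-path precedence between overlapping restrictions is an assumption of the example, not documented behaviour.

```python
"""Path matching for access restrictions, including the inheritance option.
Added example with constructed restrictions; not iisPROTECT's own matcher, whose
canonicalisation rules and precedence between overlapping entries are not
documented on this page."""
import posixpath
from urllib.parse import unquote


def normalize(path):
    """Canonicalise a request path before matching: drop the query string, decode
    %XX escapes once, collapse duplicate slashes and resolve '.' and '..', then
    lowercase because IIS paths are case-insensitive. Without this, /DATABASE/data.mdb,
    /database//data.mdb and /public/../database/data.mdb would all miss a check on
    /database/data.mdb."""
    path = unquote(path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def covers(restriction, request_path):
    """True if the restriction's path protects request_path.

    An exact match always counts (a single file such as /database/data.mdb, or the
    directory itself). Without inheritance only files directly inside the directory
    are covered; with it, everything beneath the directory is. Matching is anchored
    on a slash so /database never covers /databases/x.htm."""
    rp = normalize(request_path)
    p = normalize(restriction["path"])
    if rp == p:
        return True
    if restriction["inherit"]:
        return rp.startswith(p.rstrip("/") + "/")
    return posixpath.dirname(rp) == p


def find_restriction(restrictions, request_path):
    """Most specific (longest path) covering restriction, or None if the path is public.
    Longest-match precedence is this example's rule, not a documented product behaviour."""
    hits = [r for r in restrictions if covers(r, request_path)]
    return max(hits, key=lambda r: len(normalize(r["path"]))) if hits else None


def is_allowed(restriction, username, user_groups):
    """A user gets in if listed by name or via any group allowed on the restriction."""
    return username in restriction["users"] or bool(set(user_groups) & set(restriction["groups"]))


# Constructed access restrictions mirroring the how-to above.
RESTRICTIONS = [
    {"path": "/database", "inherit": False, "users": set(), "groups": {"dba"}},
    {"path": "/database/data.mdb", "inherit": False, "users": {"dave"}, "groups": set()},
    {"path": "/protected", "inherit": True, "users": set(), "groups": {"members"}},
    {"path": "/liveusers.htm", "inherit": False, "users": {"admin"}, "groups": set()},
]

if __name__ == "__main__":
    for url in ("/database/other.mdb", "/database/backup/old.mdb", "/DATABASE/Data.mdb",
                "/public/../database/data.mdb", "/database%2Fdata.mdb?x=1",
                "/protected/deep/page.htm", "/databases/x.htm", "/liveusers.htm"):
        r = find_restriction(RESTRICTIONS, url)
        print(url, "->", r["path"] if r else "public")
```

Note the one deliberate gap the output makes visible: /database/backup/old.mdb is public, because /database was entered without inheritance and no deeper restriction exists, which is exactly the case the inheritance option is there to cover.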
How do I protect a file and grant a specific user access but no groups:
In this case you set up an access restriction as above for your
specific file. Instead of selecting groups, type the username and add
the entry. If you wish to add more users, navigate to the access tab,
click on your new access restriction and add each one by entering the
username in the username field and pressing the update button.
Once you have modified an access restriction you must reload access
from the general tab of site admin for it to take effect.
How do I use a custom login form and cookie authentication:
Enable "Form Based Cookie Login" in the general tab of site admin.
Enter the virtual path to your login form for "Cookie Login Form
URL". For example, if your login page can be reached at
http://www.yourdomain.com/forms/login.asp then you would enter
/forms/login.asp for the cookie login form URL.
An example login form can be found in the /sample directory (login.asp).
login.asp stores the login details in an encrypted cookie which the
filter reads; the Encryption Password from the general tab protects it.
After you have modified site-specific settings you must reload settings
from the general tab in site admin in order for the changes to take
effect.
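As an added example, not the sample login.asp, the Python below issues and verifies a login cookie that carries the username and an expiry and cannot be altered without the shared secret. The product encrypts its cookie with the Encryption Password; this version signs it with an HMAC instead, which is enough to show the checks the filter side must make (integrity, expiry, wrong password) and the cookie attributes a login form should set. The cookie name, password, salt and timestamps are constructed for the example.

```python
"""Issuing and checking a tamper-evident login cookie for a form-based login.
Added example, not the sample login.asp: the product encrypts the cookie with the
Encryption Password from the General tab; this stdlib version uses an HMAC over the
contents instead, to show the integrity and expiry checks the filter side must make
and the cookie attributes a login form should set. Names here are constructed."""
import base64
import hashlib
import hmac
import time

SESSION_MINUTES = 30          # mirrors User Session Length on the General tab


def derive_key(encryption_password):
    """Stretch the shared password into a fixed-length key rather than using it raw.
    The salt is a constructed constant for the example."""
    return hashlib.pbkdf2_hmac("sha256", encryption_password.encode("utf-8"),
                               b"iisprotect-cookie-example", 100_000)


def issue_cookie(username, key, now=None, ttl_minutes=SESSION_MINUTES):
    """username|expiry|mac, base64url-encoded. The MAC covers the expiry too, so
    neither field can be altered without the key."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    expiry = int(now if now is not None else time.time()) + ttl_minutes * 60
    payload = f"{username}|{expiry}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode("ascii")


def verify_cookie(cookie, key, now=None):
    """Return the username for a valid, unexpired cookie, else None.
    Every failure path returns None: a filter should never trust a cookie it
    cannot fully check."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
        payload, mac = raw.rsplit(b"|", 1)
        username, expiry = payload.decode("utf-8").split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                       # tampered, or issued under another password
    if expiry <= int(now if now is not None else time.time()):
        return None                       # expired
    return username


def forge(cookie, new_username):
    """What someone without the key can try: rewrite the username, keep the old MAC."""
    raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    payload, mac = raw.rsplit(b"|", 1)
    _, expiry = payload.split(b"|")
    return base64.urlsafe_b64encode(new_username.encode("utf-8") + b"|" + expiry + b"|" + mac).decode("ascii")


def set_cookie_header(cookie, name="IISPROTECT_LOGIN"):
    """What the login form should send: a cookie scoped to the whole site that page
    scripts cannot read (HttpOnly) and that only travels over HTTPS (Secure)."""
    return f"Set-Cookie: {name}={cookie}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    key = derive_key("correct horse battery staple")   # constructed Encryption Password
    cookie = issue_cookie("dave", key)
    print(set_cookie_header(cookie))
    print(verify_cookie(cookie, key))                            # dave
    print(verify_cookie(forge(cookie, "admin"), key))            # None: tampered
    print(verify_cookie(cookie, derive_key("other-password")))   # None: wrong password
```

The forged cookie fails because the MAC was computed over the original username, and a cookie issued under one password fails under another, which is the same effect the page describes for the Encryption Password: change it and existing cookies stop being accepted.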
How do I determine the currently logged in user from ASP for personalization:
The filter passes the current username to your pages as a request
header named IISPROTECTUSER; ASP exposes request headers as HTTP_*
server variables, so it is read as HTTP_IISPROTECTUSER. The value can
be displayed in a web page with the following script, which HTML
encodes it before output so that an unusual character in a username
cannot break the page's markup:
<%
' IISPROTECTUSER arrives as a request header, so ASP exposes it as HTTP_IISPROTECTUSER.
Response.Write Server.HTMLEncode(Request.ServerVariables("HTTP_IISPROTECTUSER"))
%>