8.4 Controlling Gateway Access

The Exchange Gateway lets you control access through the gateway. For example, you can:

The standard way to control access for all GroupWise and Exchange users on the GroupWise side of the gateway is with the access.cfg file in the domain\wpgate\exchange directory. In addition, you can control individual user access using the Gateway Access field of individual User objects in ConsoleOne.

On the Exchange side of the gateway, access control is provided on the Permissions page of the Site Addressing object. See your Exchange documentation for more information.

8.4.1 Using the Access.cfg File in the Gateway Directory

The access.cfg file is an ASCII text file that can be edited with a standard text editor. It is located in the gateway root directory (for example, domain\wpgate\exchange). The access.cfg file enables you to implement the following specific types of access control:

  • Provide specific access control based on GroupWise domains and post offices

  • Provide specific access control based on access groups that you define

  • Limit the size of incoming and outgoing messages to and from your GroupWise system for specific domains, post offices, or access groups

  • Prevent messages from specific addresses from entering your GroupWise system for specific domains, post offices, or access groups

  • Allow messages from specified addresses to enter your GroupWise system, while preventing all others for specific domains, post offices, or access groups

  • Prevent rule-generated messages from going out of your GroupWise system for specific domains, post offices, or access groups

The initial access.cfg file includes descriptions and examples of the section headers and keywords that you can use in the file. However, all lines are initially commented out and access control is off by default. Print the initial access.cfg file in the domain\wpgate\exchange directory. Reviewing the file can help you understand how it works.

Add the following line at the top of the file to turn on access control:

Access Control=On

After access control has been turned on, you can create sections in the access.cfg file for various groups of users. Section headers are enclosed in square brackets ([header]). Within each section, you use keywords to define the access control settings for the group to which the section applies. The following section headers and keywords are available:

Section headers, keywords, and settings are not case sensitive. The In and Out directions are from the point of view of the GroupWise system. Semicolons (;), slashes (/), and pound signs (#) can be used to comment out lines of text. In the examples provided in the access.cfg file, the string gwaddresstext represents the address of an Exchange user. For example, you could replace gwaddresstext with Novell.Sales.Glen if that is the appropriate address format, as explained in Section 3.8, Selecting User Address Type and Format.

Exchange Gateway Web Console: You can turn access control on and off for the current gateway session on the Access Control page. You can also adjust the maximum message size.

Section Headers

Section headers establish groups of users to which access control settings are applied.

[Default:In|Out]

This section lists the access control settings for users who are not covered by access control settings for a particular GroupWise domain, post office, or access group.

Syntax:
  • [Default:In]
  • [Default:Out]
Examples:
  • [Default:In]
  • MaxSize=100000
  • [Default:Out]
  • AllowRuleGenerated=No

This example limits incoming messages to 100 KB but does not limit the size of outgoing messages. It prevents rule-generated GroupWise messages from transferring through the gateway to the Exchange system. These access control settings would apply to any users who did not fall under a more specific section header.

[groupwise_domain:In|Out]

This section lists the access control settings for users in a particular GroupWise domain.

Syntax:
  • [groupwise_domain:In]
  • [groupwise_domain:Out]
Examples:
  • [Corporate:In]
  • MaxSize=100000000
  • [Corporate:Out]
  • AllowRuleGenerated=Yes

This example limits incoming messages to 1 MB but does not limit outgoing messages. It allows GroupWise users to send rule-generated messages.

[groupwise_domain.post_office:In|Out]

This section lists the access control settings for users in a particular GroupWise post office.

Syntax:
  • [groupwise_domain.post_office:In]
  • [groupwise_domain.post_office:Out]
Examples:
  • [Corporate.Temps:In]
  • Allow NetTech
  • MaxSize=10000
  • [Corporate.Temps:Out]
  • Allow NetTech
  • MaxSize=10000
  • AllowRuleGenerated=No

This example allows users in the Temps post office to exchange messages with users in the Exchange NetTech system only. It restricts incoming and outgoing messages to 10 KB. It prevents rule-generated messages.

[AccessGroup:group_name]

This section lists the access control settings for individual GroupWise users who are assigned to the access group in ConsoleOne, as described in Using the Gateway Access Field on Individual User Objects. Access groups do not have direction parameters. If you want to control access in both directions, you must create separate access groups.

Syntax:
  • [AccessGroup:group_name]
Examples:
  • [AccessGroup:SysAdminsIn]
  • MaxSize=5000000
  • [AccessGroup:SysAdminsOut]
  • AllowRuleGenerated=Yes

This example allows users in the SysAdminsIn and SysAdminsOut access groups to receive messages up to 5 MB in size and to send rule-generated messages.

Keywords

Keywords define the access control settings for the users included under each section header.

AllAccess

This keyword provides unrestricted access to the Exchange Gateway for those GroupWise users specified by the section header. Users can send messages to or receive messages from Exchange users, depending on the direction specified by the header.

Examples:
  • [Corporate.Executives:In]
  • AllAccess
  • [Corporate.Executives:Out]
  • AllAccess

This example allows all GroupWise users in the Executives post office to exchange messages with all Exchange users with no access control restrictions.

NoAccess

This keyword restricts access to the Exchange Gateway for those GroupWise users specified by the section header. Users cannot send or receive messages through the gateway, depending on the direction specified in the header.

Examples:
  • [Corporate.Temps:In]
  • NoAccess
  • [Corporate.Temps:Out]
  • NoAccess

This example prevents all GroupWise users in the Temps post office from exchanging messages with Exchange users.

Block

This keyword restricts access to the Exchange Gateway from the perspective of Exchange users. This keyword differs from NoAccess because a specific Exchange address must be provided. If GroupWise users try to send mail to an Exchange address that has been blocked, they receive a message from the gateway stating that the message is undeliverable.

Syntax:
  • Block exchange_server
  • Block username@exchange_server
  • Block CN=full_name/O=organization@exchange_server
Examples:
  • [Corporate.Temps:In]
  • Block XYZCorp
  • [Corporate.Temps:Out]
  • Block XYZCorp
  •  
  • [Corporate.Executives:In]
  • Block SJones@XYZCorp
  • Block CN=Sophie Jones/O=Sales@XYZCorp

The first example prevents GroupWise users in the Temps post office from exchanging messages with users in the Exchange XYZCorp system. The second example prevents GroupWise users in the Executives post office from receiving messages from a specific Exchange user. Providing the username in both formats is required to totally block a user.

Allow

This keyword allows messages to pass through the Exchange Gateway only if the message’s recipient matches the Exchange address specified on the Allow line. Any messages addressed to other Exchange addresses are blocked.

Syntax:
  • Allow exchange_server
  • Allow username@exchange_server
  • Allow CN=full_name/O=organization@exchange_server
Examples:
  • [Corporate.Temps:In]
  • Allow NetTech
  • [Corporate.Temps:Out]
  • Allow NetTech
  •  
  • [Default:In]
  • Allow SJones@XYZCorp
  • Allow CN=Sophie Jones/O=Sales@XYZCorp

The first example allows GroupWise users in the Temps post office to exchange messages with the NetTech Exchange system but no others. The second example allows all users to receive messages from a specified user.

MaxSize

This keyword determines the maximum size of messages that the Exchange Gateway can transfer between systems. Maxsize is specified in bytes (1000 = 1000 bytes or 1 KB), with a range from 0 to 2147483647.

Unless you have a reason to limit the message size (for example, you are charged for the amount of data transferred by the gateway), you might not want to limit the message size. When attachments are encoded as they pass through the gateway, they generally become larger.

Syntax:
  • Maxsize=number_of_bytes
Examples:
  • [Corporate.Temps:In]
  • MaxSize=1000000
  • [Corporate.Temps:Out]
  • MaxSize=5000000

This example prevents GroupWise users in the Temps post office from receiving messages larger than 1 MB and from sending messages larger than 5 MB.

AllowRuleGenerated

This keyword determines whether or not rule-generated messages are allowed through the Exchange Gateway. It applies only to outbound messages from GroupWise to Exchange.

You could use this keyword to prevent rule-generated messages such as “On Vacation” from entering the Exchange system. Unlike NoAccess and Block, the gateway does not generate a status message stating that the mail message was undeliverable. Instead, the message remains pending in the sender’s mailbox.

Syntax:
  • AllowRuleGenerated=Yes | No
Examples:
  • [Default:Out]
  • AllowRuleGenerated=No

This example prevents all rule-generated messages from transferring from the GroupWise system to the Exchange system.
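The following audit script is an added example, not part of the original documentation or the gateway software. It checks an access.cfg body against four rules stated in this section: access control must be turned on at the top of the file, MaxSize must be within range, AllowRuleGenerated has no effect in an inbound section, and a user is fully blocked only when both address formats are listed. The function name, finding texts, and sample file are assumptions constructed for illustration.

```python
import re

HEADER = re.compile(r"^\[([^:\]]+):([^\]]+)\]$")
SETTING = re.compile(r"(\w+)(?:\s*[=\s]\s*(.*))?$")

def audit_access_cfg(text):
    """Return sorted (line_number, finding) pairs for an access.cfg body."""
    findings, section, inbound, first = [], None, False, True
    user_blocks = {}  # (section, server) -> {address format: line number}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Only a leading ; / # comments a line out; "/" inside CN=.../O=... is data.
        if not line or line[0] in ";/#":
            continue
        if first:
            first = False
            if re.sub(r"\s*=\s*", "=", line).lower() == "access control=on":
                continue
            findings.append((n, "access control is not turned on at the top of the file"))
        m = HEADER.match(line.lower())
        if m:
            section = m.group(0)
            inbound = m.group(1).strip() != "accessgroup" and m.group(2).strip() == "in"
            continue
        kv = SETTING.match(line)
        key = kv.group(1).lower() if kv else ""
        value = (kv.group(2) or "").strip() if kv else ""
        if key == "maxsize" and not (value.isdecimal() and int(value) <= 2147483647):
            findings.append((n, "MaxSize must be 0..2147483647 bytes"))
        elif key == "allowrulegenerated" and inbound:
            findings.append((n, "AllowRuleGenerated applies only to outbound messages"))
        elif key == "block" and "@" in value:
            user, server = value.rsplit("@", 1)
            fmt = "cn" if user.lower().startswith("cn=") else "username"
            # Paired by server only; tying a username to its CN needs the directory.
            user_blocks.setdefault((section, server.lower()), {})[fmt] = n
    for formats in user_blocks.values():
        if len(formats) == 1:  # both formats are needed to fully block a user
            (fmt, n), = formats.items()
            findings.append((n, f"user blocked only in {fmt} format"))
    return sorted(findings)

# Constructed sample file, not taken from a real system.
SAMPLE = "\n".join([
    "; constructed sample", "Access Control=On",
    "[Default:In]", "MaxSize=100000", "AllowRuleGenerated=No",
    "[Corporate.Executives:In]", "Block SJones@XYZCorp",
    "[Corporate.Temps:Out]", "MaxSize=9999999999",
    "Block SJones@XYZCorp", "Block CN=Sophie Jones/O=Sales@XYZCorp",
])
```

Calling audit_access_cfg(SAMPLE) reports lines 5, 7, and 9 of the sample: the inbound AllowRuleGenerated setting, the single-format Block, and the out-of-range MaxSize.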

8.4.2 Using the Gateway Access Field on Individual User Objects

You can use the Gateway Access field on the GroupWise Account page of each User object in ConsoleOne to control individual user access. This can be useful if you only have a few users whose access you want to control. If you have many users whose access you want to control, you should use the access.cfg file, as described in Using the Access.cfg File in the Gateway Directory.

  1. If desired, create an access control group in the access.cfg file.

  2. In ConsoleOne, browse to and right-click the user whose access you want to control, then click Properties.

  3. Click GroupWise > Account to display the Account page.

    Account page
  4. Fill in the Gateway Access field.

    If you created an access control group in the access.cfg file in Step 1, specify the name of the access control group that you want this user to be associated with.

    If you have not created an access control group, you can put access control information unique to this user in the Gateway Access field.

    Syntax:

    gateway.direction:keyword,keyword,...,keyword;gateway.direction:keyword,...,keyword

    The following keywords are valid in the Gateway Access field:

    IMPORTANT: The Block and Allow keywords cannot be used in the Gateway Access field. They can only be used in the access.cfg file.

    Example:

    Exchange.Out:MaxSize=500000,AllowRuleGenerated=No;Exchange.In:Maxsize=50000

    In this example, the gateway name is Exchange. Outgoing messages are limited to 500 KB and incoming messages to 50 KB, and rule-generated messages are prevented from leaving the GroupWise system. The gateway direction designations and their keywords are separated by a semicolon (;).

  5. Click OK to save the access control information for the selected user.

    ConsoleOne passes the access control information to the Exchange Gateway so that the access control settings are in force immediately.
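The following parser is an added example, not part of the original documentation or ConsoleOne. It validates a Gateway Access field value against the syntax in Step 4 before it is entered, and rejects the Block and Allow keywords, which are valid only in access.cfg. The function name is hypothetical, and applying the access.cfg MaxSize range to this field is an assumption.

```python
import re

MAX_BYTES = 2147483647  # MaxSize limit given for access.cfg; assumed to apply here too

def parse_gateway_access(field):
    """Parse a Gateway Access value into {(gateway, direction): {keyword: value}}.

    A value with no colon is treated as an access group name.
    Raises ValueError on Block/Allow, a bad direction, or a bad MaxSize.
    """
    field = field.strip()
    if ":" not in field:
        return {"access_group": field}
    rules = {}
    for part in filter(None, (p.strip() for p in field.split(";"))):
        target, _, keywords = part.partition(":")
        gateway, _, direction = target.strip().rpartition(".")
        direction = direction.lower()
        if not gateway or direction not in ("in", "out"):
            raise ValueError(f"expected gateway.In or gateway.Out, got {target!r}")
        settings = rules.setdefault((gateway.lower(), direction), {})
        for item in keywords.split(","):
            m = re.match(r"\s*(\w+)\s*=?\s*(.*)", item)
            if not m:
                continue  # empty item, for example a trailing comma
            key, value = m.group(1).lower(), m.group(2).strip()
            if key in ("block", "allow"):
                raise ValueError(f"{key} is only valid in the access.cfg file")
            if key == "maxsize" and not (value.isdecimal() and int(value) <= MAX_BYTES):
                raise ValueError(f"MaxSize out of range: {value!r}")
            settings[key] = value
    return rules
```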