Rejecting Forward Logins
When you deploy secure applications that allow users to connect to Sametime, ensure that your users connect to their home Sametime Community Servers or home clusters. You can prevent users from connecting to remote servers by specifying trusted IP addresses and rejecting forwarded log-ins during the log-in process.
About this task
For users that must log in through a secure application, the Sametime Community Server should allow them to connect only through the home server. The Sametime Community Mux Server should only accept connections that come from the application's IP addresses. You must dedicate a specific Community Mux to a specific Sametime Community Server, and limit users to connecting to that Mux through the secure application. This applies to local Community Mux services hosted on the Sametime Community Server, as well as to stand-alone Community Mux servers.
Use the following settings on all Sametime Community Servers and Sametime Community Mux servers in your deployment.
Procedure
- Use a text editor to open the sametime.ini file located in the Sametime Community server installation directory.
-
In the
[Connectivity]
section, add or create a comma-separated list of trusted IP addresses of proxy servers.VPMX_TRUSTED_CLIENT_IPS=IPaddress1, IPaddress2
Only clients originating from one of the IP addresses in this list are allowed to connect to Sametime. An empty list (the default) means that this feature is disabled and clients from all IP addresses can connect to Sametime.
-
Create or edit the VP_REJECT_FORWARDED_LOGINS setting so that forwarded logins are rejected.
VP_REJECT_FORWARDED_LOGINS=1
When that setting is set to 1, users must connect to their assigned home servers. This is essential when users must connect through the secure application.
- Save the sametime.ini file.