7.4 Controlling Gateway Access

The Notes Gateway lets you control access through the gateway. For example, you can:

The standard way to control access for all GroupWise and Notes users on the GroupWise side of the gateway is with the access.cfg file in the domain\wpgate\notes directory. In addition, you can control individual user access using the Gateway Access field of individual User objects in ConsoleOne.

On the Notes side of the gateway, access control is provided on the Restrictions page of the Notes foreign domain that represents the GroupWise system, as described in Section 4.3, Defining the GroupWise System As a Notes Foreign Domain.

7.4.1 Using the Access.cfg File in the Gateway Directory

The access.cfg file is an ASCII text file that can be edited with a standard text editor. It is located in the gateway root directory (for example, domain\wpgate\notes). The access.cfg file enables you to implement the following specific types of access control:

  • Provide specific access control based on GroupWise domains and post offices

  • Provide specific access control based on access groups that you define

  • Limit the size of incoming and outgoing messages to and from your GroupWise system for specific domains, post offices, or access groups

  • Prevent messages from specific addresses from entering your GroupWise system for specific domains, post offices, or access groups

  • Allow messages from specified addresses to enter your GroupWise system, while preventing all others for specific domains, post offices, or access groups

  • Prevent rule-generated messages from going out of your GroupWise system for specific domains, post offices, or access groups

The initial access.cfg file includes descriptions and examples of the section headers and keywords that you can use in the file. However, all lines are initially commented out and access control is off by default. Print the initial access.cfg file in the domain\wpgate\notes directory. Reviewing the file will help you understand how it works.

Add the following line at the top of the file to turn on access control:

Access Control=On

After access control has been turned on, you can create sections in the access.cfg file for various groups of users. Within each section, you define the access control settings for the group to which the section applies. The following section headers and keywords are available:

Section headers, keywords, and settings are not case sensitive. The In and Out directions are from the point of view of the GroupWise system.

Notes Gateway Web Console: You can turn access control on and off for the current gateway session on the Access Control page. You can also adjust the maximum message size.

Section Headers

Section headers establish groups of users to which access control settings are applied.

[Default:In|Out]

This section lists the access control settings for users who are not covered by access control settings for a particular GroupWise domain, post office, or access group.

Syntax:
[Default:In]
[Default:Out]
Examples:
[Default:In]
MaxSize=100000
[Default:Out]
AllowRuleGenerated=No

This example limits incoming messages to 100 KB but does not limit the size of outgoing messages. It prevents rule-generated GroupWise messages from transferring through the gateway to the Notes system. These access control settings would apply to any users who did not fall under a more specific section header.

[groupwise_domain:In|Out]

This section lists the access control settings for users in a particular GroupWise domain.

Syntax:
[groupwise_domain:In]
[groupwise_domain:Out]
Examples:
[Corporate:In]
MaxSize=1000000
[Corporate:Out]
AllowRuleGenerated=Yes

This example limits incoming messages to 1 MB but does not limit outgoing messages. It allows GroupWise users to send rule-generated messages.

[groupwise_domain.post_office:In|Out]

This section lists the access control settings for users in a particular GroupWise post office.

Syntax:
[groupwise_domain.post_office:In]
[groupwise_domain.post_office:Out]
Examples:
[Corporate.Temps:In]
Allow NetTech
MaxSize=10000
[Corporate.Temps:Out]
Allow NetTech
MaxSize=10000
AllowRuleGenerated=No

This example allows users in the Temps post office to exchange messages with users in the Notes NetTech domain only. It restricts incoming and outgoing messages to 10 KB. It prevents rule-generated messages.

[AccessGroup:group_name]

This section lists the access control settings for individual GroupWise users who are assigned to the access group in ConsoleOne, as described in Using the Gateway Access Field on Individual User Objects. Access groups do not have direction parameters. If you want to control access in both directions, you must create separate access groups.

Syntax:
[AccessGroup:group_name]
Examples:
[AccessGroup:SysAdminsIn]
MaxSize=5000000
[AccessGroup:SysAdminsOut]
MaxSize=5000000
AllowRuleGenerated=Yes

This example allows users in the SysAdminsIn and SysAdminsOut access groups to receive messages up to 5 MB in size and to send rule-generated messages.

Keywords

Keywords define the access control settings for the users included under each section header.

AllAccess

This keyword provides unrestricted access to the Notes Gateway for those GroupWise users specified by the section header. Users can send messages to or receive messages from Notes users, depending on the direction specified by the header.

Examples:
[Corporate.Executives:In]
AllAccess
[Corporate.Executives:Out]
AllAccess

This example allows all GroupWise users in the Executives post office to exchange messages with all Notes users with no access control restrictions.

NoAccess

This keyword restricts access to the Notes Gateway for those GroupWise users specified by the section header. Users cannot send or receive messages through the gateway, depending on the direction specified in the header.

Examples:
[Corporate.Temps:In]
NoAccess
[Corporate.Temps:Out]
NoAccess

This example prevents all GroupWise users in the Temps post office from exchanging messages with Notes users.

Block

This keyword restricts access to the Notes Gateway from the perspective of Notes users. This keyword differs from NoAccess because a specific Notes address must be provided. If GroupWise users try to send mail to a Notes address that has been blocked, they receive a message from the gateway stating that the message is undeliverable.

Syntax:
Block notes_domain
Block username@notes_domain
Block CN=full_name/O=organization@notes_domain
Examples:
[Corporate.Temps:In]
Block XYZCorp
[Corporate.Temps:Out]
Block XYZCorp

[Corporate.Executives:In]
Block SJones@XYZCorp
Block CN=Sophie Jones/O=Sales@XYZCorp

The first example prevents GroupWise users in the Temps post office from exchanging messages with users in the Notes XYZCorp domain. The second example prevents GroupWise users in the Executives post office from receiving messages from a specific Notes user. Providing the username in both formats is required to totally block a user.

Allow

This keyword allows messages to pass through the Notes Gateway only if the message’s recipient matches the Notes address specified on the Allow line. Any messages addressed to other Notes addresses are blocked.

Syntax:
Allow notes_domain
Allow username@notes_domain
Allow CN=full_name/O=organization@notes_domain
Examples:
[Corporate.Temps:In]
Allow NetTech
[Corporate.Temps:Out]
Allow NetTech

[Default:In]
Allow SJones@XYZCorp
Allow CN=Sophie Jones/O=Sales@XYZCorp

The first example allows GroupWise users in the Temps post office to exchange messages with the NetTech Notes domain but no others. The second example allows all users to receive messages from a specified user.

MaxSize

This keyword determines the maximum size of messages that the Notes Gateway will transfer between systems. MaxSize is specified in bytes (1000 = 1000 bytes or 1 KB), with a range from 0 to 2147483647.

Unless you have a reason to limit the message size (for example, you are charged for the amount of data transferred by the gateway), you might not want to limit the message size. When attachments are encoded as they pass through the gateway, they generally become larger.

Syntax:
MaxSize=number_of_bytes
Example:
[Corporate.Temps:In]
MaxSize=1000000
[Corporate.Temps:Out]
MaxSize=5000000

This example prevents GroupWise users in the Temps post office from receiving messages larger than 1 MB and from sending messages larger than 5 MB.

AllowRuleGenerated

This keyword determines whether or not rule-generated messages are allowed through the Notes Gateway. It applies only to outbound messages from GroupWise to Notes.

You could use this keyword to prevent rule-generated messages such as “On Vacation” from entering the Notes system. Unlike NoAccess and Block, the gateway does not generate a status message stating that the mail message was undeliverable. Instead, the message remains pending in the sender’s mailbox.

Syntax:
AllowRuleGenerated=Yes | No
Example:
[Default:Out]
AllowRuleGenerated=No

This example prevents all rule-generated messages from transferring from the GroupWise system to the Notes system.
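A small linter for the pitfalls this section describes (an added example, not part of the product or its documentation): it flags a missing Access Control=On line, an out-of-range MaxSize, AllowRuleGenerated in an In section, and user Block entries that lack the second address format. The function name, the comment characters (; and #), and the per-domain count used to pair Block entries are assumptions.

```python
import re

MAX_BYTES = 2147483647  # upper bound for MaxSize given in the documentation

def lint_access_cfg(text):
    """Return sorted (line_number, message) findings; line 0 means file-level."""
    findings, enabled, section, blocks = [], False, ("", ""), {}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":  # assumption: ';' or '#' starts a comment
            continue
        if re.fullmatch(r"access control\s*=\s*on", line, re.I):
            enabled = True
        elif (m := re.fullmatch(r"\[([^\]:]+):([^\]]+)\]", line)):
            section = (m.group(1).lower(), m.group(2).lower())
            if section[0] != "accessgroup" and section[1] not in ("in", "out"):
                findings.append((num, "direction must be In or Out"))
        elif line.lower().startswith("block "):
            blocks.setdefault(section, []).append((num, line[6:].strip()))
        elif "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key == "maxsize" and not (value.isdecimal() and int(value) <= MAX_BYTES):
                findings.append((num, "MaxSize must be 0..2147483647 bytes"))
            elif key == "allowrulegenerated" and section[1] == "in" \
                    and section[0] != "accessgroup":
                findings.append((num, "AllowRuleGenerated applies only to Out"))
    for entries in blocks.values():
        forms = {}  # notes_domain -> line numbers per address format
        for num, addr in entries:
            if "@" in addr:  # a user entry; a bare notes_domain needs no pair
                user, domain = addr.rsplit("@", 1)
                kind = "cn" if user.upper().startswith("CN=") else "short"
                forms.setdefault(domain.lower(), {"cn": [], "short": []})[kind].append(num)
        for f in forms.values():
            if len(f["cn"]) != len(f["short"]):  # heuristic: counts, not names
                findings.append((min(f["cn"] + f["short"]), "Block needs both address forms"))
    if not enabled:
        findings.append((0, "no 'Access Control=On' line: access control is off"))
    return sorted(findings)

# Constructed sample for illustration, not a shipped configuration.
SAMPLE = """\
[Corporate.Executives:In]
Block SJones@XYZCorp
MaxSize=3000000000
AllowRuleGenerated=No
"""
if __name__ == "__main__":
    print(lint_access_cfg(SAMPLE))
```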

7.4.2 Using the Gateway Access Field on Individual User Objects

You can use the Gateway Access field on the GroupWise Account page of each User object in ConsoleOne to control individual user access. This can be useful if you only have a few users whose access you want to control. If you have many users whose access you want to control, you should use the access.cfg file, as described in Using the Access.cfg File in the Gateway Directory.

  1. If desired, create an access control group in the access.cfg file.

  2. In ConsoleOne, browse to and right-click the user whose access you want to control, then click Properties.

  3. Click GroupWise > Account to display the Account page.

  4. Fill in the Gateway Access field.

    If you created an access control group in the access.cfg file in Step 1, specify the name of the access control group that you want this user to be associated with.

    If you have not created an access control group, you can put access control information unique to this user in the Gateway Access field.

    Syntax:
    gateway.direction:keyword,keyword,...,keyword;gateway.direction:keyword,...,keyword

    The following keywords are valid in the Gateway Access field:

    IMPORTANT: The Block and Allow keywords cannot be used in the Gateway Access field. They can only be used in the access.cfg file.

    Example:
    Notes.Out:MaxSize=500000,AllowRuleGenerated=No;Notes.In:Maxsize=500000

    In this example, the gateway name is Notes, the maximum message size is 500 KB, and rule-generated messages are prevented from leaving the GroupWise system. The gateway direction designations and their keywords are separated by a semicolon (;).

  5. Click OK to save the access control information for the selected user.

    ConsoleOne passes the access control information to the Notes Gateway so that the access control settings are in force immediately.