xWeb IP Address Security

The xWeb IP address security feature enables you to associate an xWeb User with one or more known IP addresses and allow that user to Authenticate only when the request originates from an IP address entered into this area of netFORUM.

By implementing this security, you can ensure that calls to xWeb come only from trusted servers, based on IP addresses. If a program tries to authenticate with an otherwise valid user name/password combination, but the request does not originate from a registered IP address, then Authenticate will not succeed.

Keep in mind that if you implement this, and the programs calling xWeb move to a different IP address, then they will need to let you know so you can add new records pointing to their new IP address. Be sure to let them know about this or else their access will immediately cease.

If the calling program has variable IP addresses, then this feature will not work.

To enable this security, select the restrict user IP address check box on the User record. Do this only after adding the xWeb IP address security records to the User record. For sites that upgrade to this build, any existing users will not get the check box checked automatically, but any new users added on this build will have the check box selected.

Do not confuse this with xWeb: Configuration_Settings#ValidateIPaddress. What ValidateIPaddress does is ensure that the server that calls Authenticate is the same server that calls subsequent web methods. Ideally, you will implement both restrictions for the most thorough security profile.

Adding Records

Navigate to the User record in the Admin module. Ensure that the restrict user IP address check box is selected on the User record. From the xWeb tab, add records to the xweb ip address security child form.

You may optionally enter a from date and through date to limit the date range for which the IP address is valid. Leave the dates blank if you do not want to restrict this based on dates. You may enter something in notes as a reference, for example, "Bob's computer" or "dev site" or "live site", etc. Notes is not used by the program, it is just for informal documentation.

Lockout

If the maximum number of failed Authenticate attempts for a particular User exceeds the FailCount limit (default is 10), then xWeb will lock out the User for that IP Address. In other words, if IP address 333.33.33.333 tries and fails 10 times to authenticate as xWebUserZZZ because the IP address is not valid the account gets locked out for 333.33.33.333. If IP address 777.77.77.7777 is permitted to authenticate as xWebUserZZZ Authenticate still works when called from the machine 777.77.77.777.

FAQ

Q. Help! My vendor moved their servers without telling me and now my xWeb integration is broken and my website is down. They can't tell me their new IP address until Monday. What can I do?

A. For now, just disable this security by clearing the 'restrict user IP address check box for that user until you get their new IP addresses. Once you add their new IP address(es), select the check box again and then immediately test to confirm.

Q. I'm trying to test a web method from my own computer. How can I do this?

A. Figure out your own computer's IP address by running ipconfig from a MS-DOS command prompt. Then add a record for your own IP address. If you are running a local project in .NET your IP will be "127.0.0.1".

Q. My vendor can't tell me their IP address.

A. You can leave the restrict user IP address check box cleared, but this will leave your xWeb site less secure. You should encourage your vendor to find out the IP address.

Q. Is it possible to use a range of IP addresses?

A. At this time, no. The IP address must be exact.