Restricting access based on APN.

Joseph Smith
New member
Username: Falangjoe

Post Number: 16
Registered: 08-2006
Posted on Monday, January 21, 2008 - 10:55 pm:   

Software Version v2.58 Customer: Union Telephone

We use two APNs. One is union.wap.com and the other is union.mms.com. Currently, all our phones are programmed to use the same WAP gateway for WAP and MMS. Is it possible to only allow the requests from the union.mms.com APN to connect to the MMSC IP and not other IPs?

We can assign different address ranges to the different APNs. It had been suggested that a restriction could be made based on the connecting IP.

We would go to different WAP gateways for each APN, but we have more than 20,000 phones already programmed this way. Since we have started charging for internet GPRS usage but not MMS GPRS usage, this is causing a lot of problems with our customers. We would be open to any kind of solution you could propose.

Thanks,
Joseph
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7533
Registered: 10-2002
Posted on Wednesday, February 27, 2008 - 09:58 pm:   

Hi Joseph,

We did implement something ... similar to what was discussed in this thread: http://support.nowsms.com/discus/messages/131/20155.html

But, it doesn't look like it was ever released as an update.

Let me explain how it works, and if this sounds like it would work for you, then I'll get it posted. (We do have one customer running this version, but not for this feature.)

This feature assumes that the WAP gateway is listening for requests on multiple IP addresses.

Depending on which IP address receives the request, the gateway may restrict access to only those sites that are on the "Forward X-MSISDN header" list.

So the idea is that one IP address is only handling requests for the MMSC, which is in this list.

This doesn't sound like it would exactly work in your situation, as it sounds like you have the phones configured for different APNs, but the same IP address for the WAPGW.

If somehow that destination IP of the WAPGW could be translated to a different address before it gets to the WAPGW, then it would work. But putting a NAT in there could cause problems with MSISDN identification, if it also modifies the source.

I suspect we could probably do an update that would compare the source address with a configurable pattern (e.g., 10.0.*.*), and only allow connections to sites that are on the "Forward X-MSISDN header" list if the source matches that pattern. But without studying it further, I'm not sure if that would be a quick update, or something that we'd have to charge for as custom.

Before I get too far in evaluating that ... is there any chance that you could redirect the destination IP for requests from the MMS APN range ... so that the WAPGW would receive them on a different IP?

-bn

Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7537
Registered: 10-2002
Posted on Friday, February 29, 2008 - 02:55 pm:   

An update ...

We had a quick development meeting, and it was agreed that it was a simple change to allow access restrictions based upon either the destination address of the client request (e.g., multi-homed server) or the source address of the client request.

What does this mean? Geez ... I can't figure out how to explain this. It's pretty simple, but it's probably easier to explain with examples.

The best way to restrict access is using firewalls. But we realise this isn't always practical, and often there are practical considerations like the ones described in this thread and the other referenced thread.

Within NowWAP, there is a list of "Content Domains to receive X-MSISDN header". These are a list of host names, domain names, and/or IP addresses, to which NowWAP will forward MSISDN information if it is available. This setting is normally used for interfacing to a service like an MMSC that needs to know the phone number/MSISDN of the connecting user.

Because we had customers that wanted to restrict the proxy to only allow connections to those listed domains/hosts, a WAPGW.INI file setting was added. If IncludeMsisdnConnectOnly=Yes is set under the [WAPGW] header, then NowWAP will only allow connections to domains/hosts in the "X-MSISDN" list. (This restriction applies whether or not MSISDN information is actually available.)

So, if you were setting up a WAP proxy that only interfaced with an MMSC, you could use this setting to restrict access to only the MMSC. (If this was what I wanted to accomplish, I would put them on a private network instead of using this setting, but that's another story.)

The next evolution of this setting was to allow a configuration for a proxy that could be used on multiple APNs. The idea here was that the proxy would be a multi-homed server, presenting multiple IP addresses.

Depending on which server IP address the client connected to, it may have restricted access.

So for example, one APN might give out IP addresses on the 10.0.0.0 network. The other APN, for MMS-only traffic, might give out IP addresses on the 192.168.0.0 network.

The same WAP proxy could be used, with 2 network interfaces. Server address 10.0.0.1 would serve the open network, and 192.168.0.1 would serve the MMS-only network.

By adding IncludeMsisdnConnectOnlyGWIP=192.168.0.1 to the [WAPGW] section of the WAPGW.INI file, this would tell the WAP Proxy that for any requests received by the server on 192.168.0.1, the proxy should only allow connections to domains/hosts in the "X-MSISDN" list. Connections to the proxy on other server addresses would not be restricted.

This "IncludeMsisdnConnectOnlyGWIP=" setting was added in a limited release 2.58a version. And it is the setting that I have referred to in other discussions.

But, the use of that setting requires some pre-planning ... and probably would not be feasible for your setup where you already have the phones provisioned to use one APN for MMS and another APN for browsing ... but the same proxy server IP address for both.

So we've added another setting. Instead of looking at the server IP address to determine whether or not the access is restricted, this setting looks at the IP address of the connecting client.

By adding IncludeMsisdnConnectOnlySourceIP=10.*.*.* to the [WAPGW] section of the WAPGW.INI file, this would tell the WAP Proxy that for any requests that come from clients in that IP address range, the proxy should only allow connections to domains/hosts in the "X-MSISDN" list. Connections to the proxy from other client addresses would not be restricted.

This setting can have a comma delimited list of IP addresses. It doesn't support net masks, it can only use the "*" character as a wildcard in parts of the IP address.

This "IncludeMsisdnConnectOnlySourceIP=" setting is being added in a limited release 2.58b version. This update can currently be downloaded from http://www.nowwap.com/download/wapup.zip. Note that this ZIP file only contains an update for one executable. To install this update, you must stop the NowWAP service, update this file, then restart the NowWAP service.

-bn
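The three [WAPGW] restriction modes described in the post above (IncludeMsisdnConnectOnly, IncludeMsisdnConnectOnlyGWIP and IncludeMsisdnConnectOnlySourceIP), modelled as an added Python example. This is not NowWAP's own code: the INI fragment, the MSISDN-list host names and the key name for that list are constructed, the octet-wise "*" matching follows the post's description, and treating a listed domain name as covering hosts beneath it is an assumption.

```python
import configparser

# Constructed WAPGW.INI fragment using the settings named in the thread.
# The post does not give the INI key for the "Content Domains to receive
# X-MSISDN header" list, so that list is supplied separately below.
WAPGW_INI = """
[WAPGW]
IncludeMsisdnConnectOnly=No
IncludeMsisdnConnectOnlyGWIP=192.168.0.1
IncludeMsisdnConnectOnlySourceIP=10.*.*.*,172.16.5.*
"""

# Constructed X-MSISDN destination list: a host name and an IP (hypothetical values).
MSISDN_DOMAINS = ["mmsc.example.net", "10.20.30.40"]


def ip_matches(ip: str, patterns: str) -> bool:
    """True if ip matches any comma-delimited pattern; '*' wildcards one octet (no netmasks)."""
    octets = ip.split(".")
    for pat in patterns.split(","):
        parts = pat.strip().split(".")
        if len(parts) == 4 and all(p == "*" or p == o for p, o in zip(parts, octets)):
            return True
    return False


def host_in_msisdn_list(host: str, domains) -> bool:
    """Exact host/IP match, or (assumed) host under a listed domain name."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in domains)


def load_wapgw(ini_text: str) -> dict:
    """Read the [WAPGW] section; configparser lower-cases the option names."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(cp["WAPGW"])


def connection_allowed(cfg: dict, source_ip: str, server_ip: str,
                       dest_host: str, domains=MSISDN_DOMAINS) -> bool:
    """Decide if a proxy request may reach dest_host under the three restriction modes."""
    restricted = cfg.get("includemsisdnconnectonly", "No").lower() == "yes"  # global mode
    gw = cfg.get("includemsisdnconnectonlygwip", "")
    if gw and ip_matches(server_ip, gw):        # request arrived on a restricted server IP
        restricted = True
    src = cfg.get("includemsisdnconnectonlysourceip", "")
    if src and ip_matches(source_ip, src):      # request came from a restricted client range
        restricted = True
    return (not restricted) or host_in_msisdn_list(dest_host, domains)
```

Note that the restriction applies whether or not an MSISDN is actually known for the client, as the post states, so nothing here looks at MSISDN availability.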