Hello, I was asked if it is possible to limit access to different CommSuite services (SMTP Submit, IMAP, LDAP, Calendar, XMPP, Convergence WebGUI - all in SSL/STARTTLS secured form of course) in a way that only certain users may access the services from "any" IP addresses while others would be denied; but still, all active users should have access to everything from corporate network (like 192.168.* or 10.*).
Apparently, this requires that crypto-secured IP services are open to the internet, and the choice to permit or deny a login is based on some property of the attempted user's account (maybe availability of a valid user certificate as an required option for the login from the world? how to disable password-based logins as the only required method, then?) and the source of connection (which the deciding server should know - i.e. dumb port-redirections are ruled out, while direct connections, NAT, or HTTP reverse-proxies with added Origin headers should be okay). Maybe instead require a valid corporate user certificate to establish the SSL/STARTTLS connection itself - if an external user's device has a trusted certificate and can thus establish the secured tunnel, allow it to proceed with logins as usual?
I have some ideas about how this stuff could be arranged for some of the services related to CommSuite, but don't see a good option for the general case. Is there something built-in to allow a single place of such configuration already? Access to some services listed in the "CoS plans" comes pretty close, but AFAIK it would allow or deny use of IMAP/SMTP/POP/HTTP for a user's account regardless of network location...
What are the best practices regarding this? What do others do?
PS: VPNs, applet port redirectors and such are also under consideration by the customer's networking team; this question is whether a solution can be made using capabilities of only the CommSuite (and related components such as DSEE and SWS for their per-protocol filtering and authentication hooks/ACLs)?
Thanks in advance,