Sample network topology – Grass Valley iControl V.6.02 User Manual


Access Control

Sample Network Topology


iControl provides multiple domain- and role-based authentication based on the Lightweight
Directory Access Protocol (LDAP). In a typical system, each domain has one LDAP server
(i.e. LDAP running as a service on an iControl Application Server), and manages its own
accounts with top-down referrals. In such a configuration, users from a higher-level domain
can log on to a lower-level one, and vice versa. For example, in the architecture shown above,
users from the ic-projects.ic-acme.com or ic-acme.com domains can log in directly to
ic-hdmg.ic-projects.ic-acme.com.

Users from a higher-level domain log on to a lower-level one with role inheritance. For example,
a user registered as an operator at the top level ic-acme.com could log on to
ic-projects.ic-acme.com as an operator, but would inherit the permissions from the
operator role in the lower-level domain.
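The logon and role-inheritance rules above, sketched as an added example (not iControl code and not part of the manual): the role name follows the user, while the permissions are read from the target domain's role of that name. The permission sets, the refusal when the target domain lacks the role, and applying the same lookup in both directions are assumptions made for illustration.

```python
# Added illustration: models the cross-domain logon and role inheritance
# described above. Role names and permission strings are constructed samples.

# Constructed sample data: each domain defines its own roles -> permissions.
DOMAIN_ROLES = {
    "ic-acme.com": {"operator": {"view", "control", "configure"}},
    "ic-projects.ic-acme.com": {"operator": {"view", "control"}},
    "ic-hdmg.ic-projects.ic-acme.com": {"operator": {"view"}},
}


def labels(domain):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def is_same_or_ancestor(upper, lower):
    """True if `upper` equals `lower` or is a parent domain of it.

    Compares whole labels, so "ic-acme.com" is not treated as a parent of
    "x.evil-ic-acme.com" the way a plain string suffix test would.
    """
    u, l = labels(upper), labels(lower)
    return len(u) <= len(l) and l[len(l) - len(u):] == u


def related(home, target):
    """Domains on the same referral chain: one is an ancestor of the other."""
    return is_same_or_ancestor(home, target) or is_same_or_ancestor(target, home)


def effective_permissions(home, role, target):
    """Permissions a user registered in `home` with `role` gets in `target`.

    Returns None when the logon is refused (assumed behaviour): unknown
    domain, domains not on the same chain, or role undefined in the target.
    """
    if home not in DOMAIN_ROLES or target not in DOMAIN_ROLES:
        return None
    if not related(home, target):
        return None
    # The role name is carried over; permissions come from the target domain.
    perms = DOMAIN_ROLES[target].get(role)
    return set(perms) if perms is not None else None
```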

Sample Network Topology

The figure below illustrates a general network topology with some sample domains. All
domains are configured with their own private local LAN (192.168) connected to a second
iControl Application Server NIC (eth1). A client PC is configured on the LAN for maintenance
engineers to configure and control equipment in the room. All equipment in the room is also
configured on the local LAN for private access. External PCs on the public network cannot
access any equipment directly.

Each room has one or more iControl Application Server(s), depending on the amount of
equipment to monitor and control. The Application Servers within each room are connected
to the same local LAN (192.168). The primary NIC (eth0) is configured for the public subnet
(3.199.107). This is the only subnet available to connect all Application Servers from all
rooms to the public LAN. PC clients can be connected on the public subnet, but typically
monitoring and control will be from PCs on the corporate LAN behind the firewall as shown.
