single source IP address
john
Guest
Posted: Sun Jun 27, 2004 10:56 pm    Post subject: single source IP address

Hello,

Does anyone know how to configure Windows Media server
for Win2K to accept ASX files or mms:// calls from only
one IP address? The media files need to be played on any
IP address.

We are trying to prevent unauthorized users from
accessing the video files directly. We know we could set
up NTLM permissions on the Windows Media Server, but that
is impractical because the users are constantly changing.
We could provide a single username and password to the
userbase, but that would likely create the problem we are
trying to avoid. The alternative would be to be able to
send the user name and pass from within the asx file to
the server, but I have not found a solution for that.
What we do know is that all requests to play files will
come from one IP address through asx files. If we can
find a way to restrict the server from accepting mms calls
from only that IP address, this would resolve our issue.
Does anyone have any ideas?

(the server that has the asx files is not on the same
domain as the media server..and cannot be).

Thanks

Back to top
Ravi Raman
Guest
Posted: Wed Jun 30, 2004 6:59 am    Post subject: single source IP address

Can you explain the scenario better? The WMS 4.1 in Win2K
supports IP masking:
http://support.microsoft.com/default.aspx?scid=kb;en-us;274158
but I am getting a feeling that this is not what you want.
What you can do with this is to allow streaming only to
clients that have specific set of IP Addresses (or just
one IP with a mask of 255.255.255.255). Note that
firewalls, proxies can mask the original IP of the client.

Also, you might want to read through
http://www.elims.org/wmsecure.htm - this is a third party
authorization plug-in for WMS4.1 that might be closer to
what you want but not sure if it will match your
requirement exactly.

Hope this helps.

Thanks,
Ravi
--
This posting is provided "AS IS" with no warranties, and
confers no rights.
Back to top
Ravi Raman
Guest
Posted: Wed Jun 30, 2004 9:30 pm    Post subject: RE: single source IP address

Thanks for your reply. So, my first suggestion doesn't
help because even though the download of ASX happens from
the IIS, the IP address that connects to the WMS Server is
the client's IP - so the access control using IP will not
work for you.

However, please check the latter link that I mentioned.
This is what the WMSecure
(http://www.elims.org/wmsecure.htm) website states:
"This page is about WMSECURE a Windows Media Services 4.1
Authorization Plug-in. WMSecure is a 2 part system a) an
encryption / decryption com component used with IIS/ASP
and b) the authorization component used with the WMS 4.1
Service. Included in the package is a sample
implementation for the purposes of creating a content
authorization system to limit unauthorized access to
Windows Media streams from your server. The basic premise
of this solution is to generate a MMS url with IIS that
contains an encrypted data element which is then passed to
the WMS server to decrypt and validate the encrypted data."

This seems closer to what you want to do. Can you go
through that website to see if it fits your need?

Thanks,
Ravi
--
This posting is provided "AS IS" with no warranties, and
confers no rights.


Quote:
-----Original Message-----
There are two servers in a work group. One is a web
server, the other is the video server (both run Windows
2000 Advanced Server). The video server does not have IIS
installed.

Content can be stored on either server, but I am
presuming it would be better if the content was on the same
server as the video server.

The web server hosts a public site, but the video content
is intended only for a small group of people. We can
protect access to the site and access to the asx files on
the web server. The problem is that Windows media player
displays the entire path to the video server
(mms://server/folder/videofile) eliminating our security
precautions for returning users. Since the video files
contain sensitive information, we need to either find a
way to get the player not to display the path or prevent
people from accessing the video server directly.

The asx files are located on the web server. What I was
thinking was that since all mms calls to the video server
would be coming from the webserver, one possible solution
would be to somehow limit the video server to only
accepting mms calls from the IP address of the web
server. The trick is that the videos would have to be
playable on any IP address.

I am not sure if this is the best solution or if it is
even feasible. I am certainly open to alternatives.

Thanks,

John

Back to top
John
Guest
Posted: Wed Jun 30, 2004 9:45 pm    Post subject: RE: single source IP address

The short answer to that is "I think so". The only drawback appears to be that when I click for the download, the page that comes up is the directory structure. I am not sure if the program is still available.

If it is not, one other possible solution I thought of was to have the asx file pass login parameters to the video server. I have not been able to figure out how to make this happen though.

Back to top
Ravi Raman
Guest
Posted: Thu Jul 01, 2004 10:55 pm    Post subject: RE: single source IP address

I guess the site gives the source code and you have to
compile it. Sorry about that, I thought it provided a
download DLL.

In any case, other folks in this forum may have a better
idea for your scenario - so you might want to wait for
others' suggestions.

Thanks,
Ravi
--
This posting is provided "AS IS" with no warranties, and
confers no rights.

Back to top
koba
Guest
Posted: Sat Jul 03, 2004 8:18 pm    Post subject: Re: single source IP address

Hello.

I think wmsecure is like a reference checker to avoid public access
to a streaming server with an encrypted ticket. In using wmsecure,
video file path can't be hidden for a player (client) and any user can
see it by reading ASX file or property on player's menu. So, one
possible solution would be that you can generate the file path and
the ticket in the ASX for only limited users such as subscribers
and logged-in users.

Quote:
If it is not, one other possible solution I thought of was to have
the asx file pass login parameters to the video server. I have
not been able to figure out how to make this happen though.

If ASX file is public, I have an idea to hide a video file path.

mms://hostname/dammy.wmv?crypted-ticketA

----> 'encrypted-ticketA' is retrieved and decoded to map a
correct path on streaming server in accessing from
a client. If a ticket isn't encrypted and doesn't include
information on file path, it needs a management of
information on a map of user's ticket generated on web
server and the video file path on streaming server in
some way, for example, using database or file.

The way must be needed to develop a custom plug-in with
'Windows Media Services Event Notification and
Authorization API'. The plug-in has following functions:
1. encrypted-ticketA is retrieved.
2. encrypted-ticketA can be available only once or for a minute.
Second-use user gets an unauthorized error. Of course, the user
who can get a ticket is limited. (Because getting the ticket
means the user is allowed to see the movie.)
3. encrypted-ticketA is decoded to map a correct file path.
for example: mms://hostname/dir1/sample01.wmv

I don't know whether it is realizable or not because I had not
yet tried it.... But if NSS_PRESENT_REQUEST_NAME is
writable with IPropertyMap.Write(), I believe it can do and
redirect to a video file you want without exposing the file path.

Is it possible?
Is there anybody who has tried this idea?

For your information,
Redirection function is available in WMS9 on win2k3
"Enterprise edition" using a custom authorization plug-in.


Thanks,
koba

/This posting is provided "AS IS" with no warranties, and
confers no rights./
Back to top
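
The ticket flow koba describes above, sketched as an added example (not code from the thread, from WMSecure, or from the Windows Media Services API): the web server writes a signed, one-minute, single-use ticket into the mms URL, and the streaming side validates it and maps it to the real path. It uses an HMAC-signed opaque media id rather than encryption; the key, `dummy.wmv`, `MEDIA_MAP` and every function name are assumptions.

```python
import base64, hashlib, hmac, os, time

SHARED_KEY = b"constructed-demo-key"  # assumption: secret known to both servers
TICKET_TTL = 60                       # seconds; "for a minute" in the post
# Constructed map held only on the streaming server: opaque id -> real path
MEDIA_MAP = {"v01": "/dir1/sample01.wmv"}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(media_id, now=None):
    """Web-server side: call only for a user who is logged in."""
    now = int(time.time() if now is None else now)
    payload = f"{media_id}|{now + TICKET_TTL}|{b64e(os.urandom(12))}".encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def build_asx_url(host, media_id, now=None):
    """URL to write into the ASX; it carries no real file path."""
    return f"mms://{host}/dummy.wmv?{issue_ticket(media_id, now)}"

class TicketValidator:
    """Streaming-server side: the checks an authorization plug-in would make."""
    def __init__(self):
        self._used = {}  # nonce -> expiry, enforces single use

    def resolve(self, url, now=None):
        """Return the real path for a valid, unused ticket, else None."""
        now = int(time.time() if now is None else now)
        # Expired nonces can be forgotten: the expiry check rejects them anyway.
        self._used = {n: e for n, e in self._used.items() if e >= now}
        try:
            p64, t64 = url.split("?", 1)[1].split(".")
            payload, tag = b64d(p64), b64d(t64)
            media_id, expiry, nonce = payload.decode().split("|")
            expiry = int(expiry)
        except (IndexError, ValueError):
            return None  # no ticket, or malformed ticket
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered ticket
        if now > expiry or nonce in self._used:
            return None  # too old, or second use
        path = MEDIA_MAP.get(media_id)
        if path is not None:
            self._used[nonce] = expiry
        return path
```

The single-use table lives in memory here; with more than one streaming server it would have to be shared, which is the ticket-management store the post mentions.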
 