I would like to restrict user access based on the following scheme:

- if the client IP is from my internal network: full access granted
- if the client IP is outside my internal network: access to the web client and IMAP/POP proxy is restricted to a group of users.

I plan to force the remote web access through an HTTP reverse proxy and put a zimbra-proxy in the DMZ for remote IMAPS/POPS access.

So the access scheme can also be read this way:

- if the client accesses the zimbra-apache server (which is only reachable from the internal network): no restriction
- if the client accesses the Zimbra web client through the HTTP reverse proxy OR if the client accesses the zimbra-proxy in the DMZ: access is restricted to a specific group of users

What is the best way to implement this policy? Is there a way with COS? Can PAM be used? Must I rely on External Auth?

Thanks for your advice.