Hi Phillip,
Yes, it is possible to restrict access to an application based on client IP address.
This can be done by setting up IP Address restriction in the user policy.
Reference: CA SiteMinder® Integrated Documents 12.52 SP1
(Optional) IP Addresses
A policy may be limited to specific user IP addresses. Once you add an IP address restriction to a policy, if a user attempts to access a resource from an IP address that is not specified in the policy, the policy will not fire for the user, and therefore will not allow/deny access or process any responses.
When you use this feature, be sure to set the ACO parameter RequireClientIP=yes.
RequireClientIP
Specifies if the agent validates the IP address of the client. When this value is set to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. If the addresses do not match, a 403 error message appears in the browser of the user. If the cookie does not contain an IP address, then users are prompted for their credentials.
Default: No (client IP addresses not validated).
CA SiteMinder® Integrated Documents 12.52 SP1
There are a couple of things you need to be careful about when you use IP address validation, e.g. if there is a proxy involved, you might not be getting the actual client IP address.
So depending on the need, you might also need to look at the following ACO parameters:
CustomIpHeader
Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.
Default: No
Example: HTTP_ORIGINAL_IP
ProxyDefinition
Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header. This custom header helps the agent resolve the IP addresses of the requester.
Default: No default
Limits: The string must contain an IP address. Do not use server names or fully qualified DNS host names.
Please let me know if you need any further clarifications.
Cheers,
Ujwol Shrestha
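
The following is an added example, not part of the original post and not SiteMinder agent code: a simplified Python model of how the three ACO parameters quoted above interact with a policy IP restriction. The function names, the documentation-range addresses and the rule that the custom header is honoured only when the connecting peer equals ProxyDefinition are assumptions made for illustration.

```python
import ipaddress

# Constructed ACO values for illustration (documentation-range addresses).
ACO = {
    "RequireClientIP": "yes",
    "CustomIpHeader": "HTTP_ORIGINAL_IP",
    "ProxyDefinition": "192.0.2.10",
}

def resolve_client_ip(peer_ip, headers, aco=ACO):
    """Return the address the model treats as the client IP.

    Assumption: the custom header is honoured only when the TCP peer is the
    proxy named in ProxyDefinition; from any other peer it is ignored, so a
    client connecting directly cannot choose its own address.
    """
    header = aco.get("CustomIpHeader")
    if header and peer_ip == aco.get("ProxyDefinition"):
        value = headers.get(header, "").strip()
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer_ip

def check_request(peer_ip, headers, cookie_ip, policy_ips, aco=ACO):
    """Simplified outcomes from the quoted documentation.

    policy_ips is a set of single addresses (ranges and masks are left out).
    """
    client_ip = resolve_client_ip(peer_ip, headers, aco)
    if aco.get("RequireClientIP", "no").lower() == "yes":
        if cookie_ip is None:
            return "prompt_for_credentials"  # cookie carries no IP address
        if cookie_ip != client_ip:
            return "403"                     # cookie IP and client IP differ
    if policy_ips and client_ip not in policy_ips:
        return "policy_does_not_fire"        # IP restriction not satisfied
    return "policy_fires"

if __name__ == "__main__":
    allowed = {"198.51.100.7"}
    hdr = {"HTTP_ORIGINAL_IP": "198.51.100.7"}
    print(check_request("192.0.2.10", hdr, "198.51.100.7", allowed))
    print(check_request("203.0.113.5", hdr, "198.51.100.7", allowed))
```

With CustomIpHeader left empty, every request arriving through the proxy resolves to the proxy's own address, which is the situation the post warns about.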