Is it possible to have Siteminder lock down a url by IP address of the requester?
Yes, it is possible to restrict access to an application based on client IP address.
This can be done by setting up IP Address restriction in the user policy.
Reference : CA SiteMinder® Integrated Documents 12.52 SP1
(Optional) IP Addresses
A policy may be limited to specific user IP addresses. Once you add an IP address restriction to a policy, if a user attempts to access a resource from an IP address that is not specified in the policy, the policy will not fire for the user, and therefore will not allow/deny access or process any responses.
When you use this feature, be sure to set ACO parameter RequireClientIP=yes
Specifies if the agent validates the IP address of the client. When this value is set to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. If the addresses do not match, a 403 error message appears in the browser of the user. If the cookie does not contain an IP address, then users are prompted for their credentials.
Default: No (client IP addresses not validated).
CA SiteMinder® Integrated Documents 12.52 SP1
There are couple of things you need to careful when you use IP address validation , for e.g. if there are proxy involved, you might not be getting the actual client IP address
So depending on the need, you might also need to look at following ACO parameters :
Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.
Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header. This custom header helps the agent resolve the IP addresses of the requester.
Default: No default
Limits: The string must contain an IP address. Do not use server names or fully qualified DNS host names.
Please let me know if you need any further clarifications.
I have a similar requirement where we want that one user should access the application from one fixed IP address.
User A - IP A
User B- IP B
User C- IP C
is it possible through IP restrictions in CA siteminder? Or we can only specify specific IP or IP range for all the users in a policy??
Your use case is possible through IP restrictions.
All you have to do is create three separate user policies for each of the users.
I have a similar requirement where we want to restrict the ip address from a requester but we have proxy involved .
In case of a proxy how do we restrict the ip address of the actual requester ?
Refer to the below link which might help you :
Have"X-Forwarded-For" on webserver on the agent side for the target application,
Also, create a rule with a DENY action for the resource intended, and create a new Policy, specifying the IP restrictions of who you want to deny, and then add only the DENY rule to the policy.
Hope this helps,
Retrieving data ...