Symantec Access Management

  • 1.  Capturing Client IP address

    Posted Oct 09, 2018 04:33 PM

    In our environment, we are using CA SPS and Siteminder. With this setup, we have a back-end application using our environment that is looking for Siteminder to pass the original client IP address (rather than the proxy address) for all successful authentication/authorization requests.

    We came across the article below and after a quick reading, it looks to be helpful. However, if we implement the configurations mentioned in the link on SPS, how will Siteminder pass the information to the back-end application?

    Adding X-Forwarded-For header to CA Access Gateway (CA Secure Proxy Server)

    Thanks.



  • 2.  Re: Capturing Client IP address
    Best Answer

    Broadcom Employee
    Posted Oct 10, 2018 05:42 AM

    Hi,

    With that SPS filter, it will add the "X-Forwarded-For" header to the request that is sent to the backend. So your application can pick up the header from the request.

    But also just a warning: Remote_Addr, which is what is used to fill that variable, will be the IP address of the physical device that was the source of the previous socket connection that sent the request.

    1) So if you have:

       client -> SPS -> backend

    The X-Forwarded-For address will contain the IP address of the client. (tick)

    2) If you have:

        client -> [ loadbalancer -> SPS -> backend ]

    The X-Forwarded-For address will contain the IP address of the loadbalancer. (In this case you should be able to configure your loadbalancer to capture the client IP and place it in the X-Forwarded-For header.) (no-tick)

    3) Also if you have:

        [client -> client firewall ] -> SPS -> backend

    The X-Forwarded-For address will contain the IP address of the client firewall. (In this case the IP address of the "real" client is not obtainable.) (small-tick)

    Hope that helps. I described 2) and 3) as the limitation of what can be obtained for the client IP address is often misunderstood, and hope that makes it clear.

    Cheers - Mark
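
Added example (not code from the thread, nor from CA/Broadcom) showing how a back-end behind SPS should read the header Mark describes. Because the filter fills X-Forwarded-For from Remote_Addr, i.e. the previous hop's socket address, the back-end should strip only hops it knows (SPS, the load balancer) from the right and take the first address it cannot vouch for; the proxy ranges and sample addresses are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed placeholder ranges for the hops the back-end trusts to append to
# X-Forwarded-For: the SPS (CA Access Gateway) nodes and the load balancer VIP.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.1.0/24"),   # SPS nodes (placeholder)
    ipaddress.ip_network("10.0.2.10/32"),  # load balancer (placeholder)
]


def is_trusted_proxy(ip) -> bool:
    """True if ip (an ipaddress object) lies in one of the trusted proxy ranges."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Best-effort client address for a request reaching the back-end.

    remote_addr: peer address of the TCP connection the back-end accepted.
    xff_header:  raw X-Forwarded-For value; leftmost entry is furthest away,
                 each proxy appends the Remote_Addr it saw (cases 1-3 above).
    """
    peer = ipaddress.ip_address(remote_addr)
    # If the request did not arrive via a trusted proxy, the header is
    # attacker-controlled and only the socket peer can be believed.
    if not is_trusted_proxy(peer) or not xff_header:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return str(peer)  # malformed entry: do not guess, fall back to the peer
    # Walk right to left: every trusted proxy vouches for the entry to its left.
    # The first entry that is not one of our proxies is the best we can know:
    # the client (case 1), the load balancer (case 2, unless it adds the client
    # itself), or the client's firewall (case 3, where no better answer exists).
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return str(hop)
    # Every entry was one of our own proxies: report the outermost one so the
    # gap is visible (case 2 before the load balancer is configured).
    return str(hops[0])


if __name__ == "__main__":
    SPS = "10.0.1.5"  # constructed: the back-end sees the SPS node as its peer
    print(client_ip(SPS, "203.0.113.7"))             # case 1: the client
    print(client_ip(SPS, "10.0.2.10"))               # case 2: the load balancer
    print(client_ip(SPS, "203.0.113.7, 10.0.2.10"))  # case 2, LB adds the client
    print(client_ip(SPS, "1.2.3.4, 203.0.113.7"))    # client-sent entry, assuming SPS appends
```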



  • 3.  Re: Capturing Client IP address

    Posted Oct 11, 2018 12:08 PM

    Hi Mark,

    Just thinking of a different thought/approach to capture the client IP address.

    Currently, in Siteminder (under smaccess logs), we see IP addresses that have been validated to be actual client IP addresses. Can we leverage this IP information to pass from Siteminder to the application without making changes to SPS/loadbalancer? (https://communities.ca.com/docs/DOC-231150311)

    Thanks.



  • 4.  Re: Capturing Client IP address

    Broadcom Employee
    Posted Oct 12, 2018 12:38 AM

    Hi Vinay,

    Yes, that's a good idea, it should work if you create a response attribute header using:

    CA SiteMinder®-Generated User Attributes - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    • %SM_USERIPADDRESS
      This attribute holds the IP address of the user at the time of authentication or authorization.
    • %SM_USERSESSIONIP
      This attribute holds the IP address that was used during the original user authentication (upon establishment of a session).

    My aim for X-Forwarded-For was to reproduce the normal X-Forwarded-For, and I did expect that CA Access Gateway may roll it into the code at some time since it is a standard function for proxies.

    But the above look close, and yes, the SPS webagent does capture the IP address and pass it to the policy server (in the same way that the SPS filter captures the IP address).

    The wording of those two parameters does seem close; I expect the first one uses the IP address in the actual request (the one you want) and the second one uses the IP address in the SMSESSION cookie.

    Cheers - Mark