Symantec Access Management

  • 1.  Restrict by IP Address

    Posted Oct 05, 2015 04:11 PM

    Is it possible to have Siteminder lock down a url by IP address of the requester?



  • 2.  Re: Restrict by IP Address

    Posted Oct 05, 2015 09:19 PM

    Hi Phillip,

    Yes, it is possible to restrict access to an application based on client IP address.

    This can be done by setting up IP Address restriction in the user policy.

    Reference: CA SiteMinder® Integrated Documents 12.52 SP1

     

    (Optional) IP Addresses

    A policy may be limited to specific user IP addresses. Once you add an IP address restriction to a policy, if a user attempts to access a resource from an IP address that is not specified in the policy, the policy will not fire for the user, and therefore will not allow/deny access or process any responses.

    When you use this feature, be sure to set ACO parameter RequireClientIP=yes


    RequireClientIP

    Specifies if the agent validates the IP address of the client. When this value is set to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. If the addresses do not match, a 403 error message appears in the browser of the user. If the cookie does not contain an IP address, then users are prompted for their credentials.

    Default: No (client IP addresses not validated).

    CA SiteMinder® Integrated Documents 12.52 SP1

    There are a couple of things you need to be careful about when you use IP address validation, e.g. if there is a proxy involved, you might not be getting the actual client IP address.

    So depending on the need, you might also need to look at the following ACO parameters:

    CustomIpHeader

    Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.

    Default: No

    Example: HTTP_ORIGINAL_IP

    ProxyDefinition

    Specifies the IP address of a proxy (such as a cache device) that requires the use of a custom HTTP header. This custom header helps the agent resolve the IP addresses of the requester.

    Default: No default

    Limits: The string must contain an IP address. Do not use server names or fully qualified DNS host names.

    Please let me know if you need any further clarifications.

    Cheers,

    Ujwol Shrestha



  • 3.  Re: Restrict by IP Address

    Posted May 17, 2016 04:36 AM

    Hi Ujwol,

    I have a similar requirement where we want that one user should access the application from one fixed IP address.

    User A - IP A

    User B - IP B

    User C - IP C

    Is it possible through IP restrictions in CA SiteMinder? Or can we only specify a specific IP or IP range for all the users in a policy?

    Thanks,

    Ashish Gupta



  • 4.  Re: Restrict by IP Address

    Posted May 17, 2016 09:10 AM

    Hi Ashish,


    Your use case is possible through IP restrictions.

    All you have to do is create three separate user policies for each of the users.


    Regards,

    Ujwol



  • 5.  Re: Restrict by IP Address

    Posted Jan 18, 2018 09:25 AM

    Hi Ujwol,

    I have a similar requirement where we want to restrict the IP address of a requester, but we have a proxy involved.

    In the case of a proxy, how do we restrict the IP address of the actual requester?

    Thanks,

    Swathi



  • 6.  Re: Restrict by IP Address

    Posted Jan 18, 2018 11:14 AM

    Hello,

    Refer to the below link which might help you :

    https://communities.ca.com/docs/DOC-231150311

    Have "X-Forwarded-For" on the web server on the agent side for the target application.

    Also, create a rule with a DENY action for the resource intended, and create a new Policy, specifying the IP restrictions of who you want to deny, and then add only the DENY rule to the policy.

    Hope this helps,


    Regards,
    Ram
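As an added illustration (not SiteMinder's own code and not from any poster in this thread), the Python below shows the resolution logic that the CustomIpHeader / ProxyDefinition parameters in reply 2 and the X-Forwarded-For advice in reply 6 depend on: the forwarded header is honoured only when the request arrived from a listed proxy, and the requester is the rightmost address in it that is not one of those proxies, so a value forged by a direct client is never used. The header name, proxy addresses and allowed networks are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample values (assumptions for this illustration): the proxy set
# plays the role of the ProxyDefinition ACO parameter and the header name the
# role of CustomIpHeader. Real deployments take these from the agent config.
TRUSTED_PROXIES = {"192.0.2.10", "192.0.2.11"}
CLIENT_IP_HEADER = "X-Forwarded-For"


def resolve_client_ip(remote_addr: str, headers: dict,
                      trusted_proxies: Iterable[str] = TRUSTED_PROXIES,
                      header_name: str = CLIENT_IP_HEADER) -> Optional[str]:
    """Return the requester's IP, or None when it cannot be determined safely.

    The forwarded header is trusted only when the TCP peer is a known proxy;
    a client connecting directly can write anything into it, so in that case
    the peer address itself is the answer. Entries are walked right to left,
    skipping our own proxies, so an address prepended by the client is ignored.
    """
    trusted = set(trusted_proxies)
    if remote_addr not in trusted:
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(header_name.lower())
    if not raw:
        return None  # proxy did not forward an address: policy must not fire
    hops = []
    for entry in raw.split(","):
        try:
            hops.append(str(ipaddress.ip_address(entry.strip())))
        except ValueError:
            return None  # malformed header: do not guess
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return None  # every hop was one of our proxies


def policy_fires(client_ip: Optional[str], allowed_networks: Iterable[str]) -> bool:
    """Mirror the policy IP restriction: fire only for an address in the list."""
    if client_ip is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in allowed_networks)
```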