Kiran nalki01
Apologies, your email completely skipped my mind.
Option-1 : Using the policies within Policy Domain.
We can write two authorization policies and assign IP addresses (or range if the UI permits).
Policy Overview - CA Single Sign-On - 12.7 - CA Technologies Documentation
We may be able to get internal IP addresses (or range) from the Network Team within an organization.
Write an ALLOW rule for /internal* and in the policy add internal IPs (or range if the UI permits). With this, /internal* would be allowed only when the Client IP matches the IP defined in the policy.
For /external* we don't define any IP range, so both internal and external IP ranges will be allowed as long as the user passes any other authorization criteria defined.
Option-2 : Using the Load Balancer in front of CA AG.
E.g. we can write iRules in the F5 LB to do this filtering. I prefer doing it at this layer, because getting a ClientIP down to the server is always a challenge. Maybe the F5 / LB has a better chance of seeing the Client IP (albeit, if the LB can see the Client IP, it can always send it downstream to CA SSO).
Option-3 : Writing a ReWrite module at Apache layer on CA AG, before the request is handled by mod_jk and sent to Tomcat (noodle / ProxyRules).
Regards
Hubert
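
The decision logic behind the options above, as an added example that is not part of the original reply and not CA SSO, F5 or Apache code: /internal* is allowed only for internal client IPs, and a forwarded client IP is believed only when the request arrives from the load balancer. The network ranges, the load balancer address, the use of an `X-Forwarded-For` header and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # the load balancer


def _in(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(peer_ip, xff_header=None):
    """Return the client IP to evaluate, or None if it cannot be determined.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The chain is walked right to left, skipping trusted hops, so an entry
    the client placed at the left end is never preferred over the address
    the load balancer itself appended.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES):
        return peer          # direct connection: ignore any forwarded header
    if not xff_header:
        return None          # proxy did not pass the client IP down
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None      # malformed entry: treat as unknown
        if not _in(addr, TRUSTED_PROXIES):
            return addr
    return None              # chain contained only proxies


def is_allowed(path, peer_ip, xff_header=None):
    """IP check only; other authorization criteria still apply afterwards."""
    if not path.startswith("/internal"):
        return True          # /external*: no IP range defined
    client = effective_client_ip(peer_ip, xff_header)
    # Unknown client IP is denied for /internal* (fail closed).
    return client is not None and _in(client, INTERNAL_NETS)
```
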