We have a requirement to allow access to a particular pattern of URL only inside the customer network. For example, https://xx.com/internal* should be accessible only via the internal network, and https://xx.com/external* should be accessible via the internet as well as the intranet. If this is possible using proxy rules, is there any document on how we can configure these proxy rules?
Apologies, your email completely skipped my mind.
Option-1 : Using the policies within Policy Domain.
We can write two authorization policies and assign IP addresses (or range if the UI permits).
Policy Overview - CA Single Sign-On - 12.7 - CA Technologies Documentation
We may be able to get Internal IP Addresses (or range) from the Network Team within an Organization.
Write an ALLOW rule for /internal* and in the Policy add Internal IPs (or a range if the UI permits). With this, /internal* would be allowed only when the Client IP matches the IP defined in the policy.
For /external* we don't define any IP range, so both internal and external IP ranges will be allowed as long as the user passes any other authorization criteria defined.
Option-2 : Using the Load Balancer in front of CA AG.
E.g. we can write iRules in an F5 LB to do this filtering. I prefer doing it at this layer, because getting a Client IP down to the server is always a challenge. Maybe F5 / LB has a better chance of seeing the Client IP (albeit, if the LB can see the Client IP, it can always send it downstream to CA SSO).
Option-3 : Writing a ReWrite module at Apache layer on CA AG, before the request is handled by mod_jk and sent to Tomcat (noodle / ProxyRules).
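The following is an added illustration of Option-3 at the Apache layer; it is not configuration from the thread above or from CA AG's own documentation. It assumes Apache httpd 2.4 with mod_remoteip and mod_authz_core loaded, that the internal ranges are 10.0.0.0/8 and 192.168.0.0/16 (placeholders to be replaced with the ranges obtained from the Network Team), and that the load balancer's address is 203.0.113.10 (a documentation address used as a placeholder). The main point it adds to the discussion above is the Client IP problem: `X-Forwarded-For` is only trusted when the request arrives from the listed load balancer, so a client on the internet cannot spoof an internal address by adding the header itself.

```apache
# Added example configuration (not from CA AG or the original post).
# Goal: /internal* reachable only from intranet ranges, /external* from anywhere.
# Place this before mod_jk / ProxyPass handling so the decision is made
# before the request is forwarded to Tomcat.

# --- Recover the real client IP when a load balancer sits in front -------
# Only the trusted LB (placeholder address) may supply X-Forwarded-For;
# any XFF header that arrives directly from the internet is ignored, so
# REMOTE_ADDR below reflects the true client, not a header the client chose.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 203.0.113.10

# --- Internal-only paths --------------------------------------------------
# Require ip matches against the (now corrected) client address using CIDR,
# which is safer than regex prefix matches such as ^10\. in a RewriteCond.
# Replace the ranges below with the ones from the Network Team (placeholders).
<LocationMatch "^/internal">
    Require ip 10.0.0.0/8 192.168.0.0/16
</LocationMatch>

# --- Paths open to intranet and internet ----------------------------------
# No IP restriction here; CA SSO authorization still applies downstream.
<LocationMatch "^/external">
    Require all granted
</LocationMatch>
```

Requests to /internal* from outside the listed ranges receive a 403 from Apache and never reach mod_jk, so the Tomcat side sees only internal traffic for those paths. If there is no load balancer, the two `RemoteIP*` lines are dropped and `REMOTE_ADDR` is used as-is; if the LB address changes, `RemoteIPInternalProxy` must be updated or every client will appear with the LB's address and be denied.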