Symantec Access Management


CA SSO Access Gate Way Proxy Rule for Internet vs Intranet requests

  • 1.  CA SSO Access Gate Way Proxy Rule for Internet vs Intranet requests

    Broadcom Employee
    Posted Oct 25, 2018 10:53 AM

    We have a requirement to allow access to a particular pattern of URL only inside the customer network. For example, https://xx.com/internal* should be accessible only via the internal network, and https://xx.com/external* should be accessible via the internet as well as the intranet. If this is possible using proxy rules, is there any document on how we can configure these proxy rules?



  • 2.  Re: CA SSO Access Gate Way Proxy Rule for Internet vs Intranet requests

    Posted Oct 25, 2018 11:22 AM

    Kiran nalki01


    Apologies, your email completely skipped my mind.


    Option-1 : Using the policies within the Policy Domain.

    We can write two authorization policies and assign IP addresses (or a range, if the UI permits).

    Policy Overview - CA Single Sign-On - 12.7 - CA Technologies Documentation 

    We may be able to get the internal IP addresses (or ranges) from the Network Team within the organization.

    Write an ALLOW rule for /internal* and, in the policy, add the internal IPs (or a range, if the UI permits). With this, /internal* would be allowed only when the client IP matches an IP defined in the policy.

    For /external* we don't define any IP range, so both internal and external IP ranges will be allowed as long as the user passes any other authorization criteria defined.


    Option-2 : Using the Load Balancer in front of CA AG.

    E.g., we can write iRules in an F5 LB to do this filtering. I prefer doing it at this layer, because getting the client IP down to the server is always a challenge. Maybe the F5 / LB has a better chance of seeing the client IP (albeit, if the LB can see the client IP, it can always send it downstream to CA SSO).


    Option-3 : Writing a rewrite module at the Apache layer on CA AG, before the request is handled by mod_jk and sent to Tomcat (noodle / ProxyRules).


    Regards

    Hubert
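The reply's Option-1 is an IP-based authorization rule, and its Option-2 note about "getting a ClientIP down to the server" is the part that decides whether such a rule is sound. The following is an added example, not code from the thread or from CA SSO / Access Gateway: it implements the /internal* vs /external* decision in plain Python so the client-IP handling can be seen and tested. The internal ranges, the trusted-proxy range and the X-Forwarded-For walking logic are all assumptions for illustration; a real deployment would take the ranges from the network team and the proxy addresses from the load balancer configuration.

```python
import ipaddress
from typing import Optional

# Constructed sample ranges (assumptions, not values from the thread).
# INTERNAL_NETWORKS: what the network team would hand over as "intranet".
# TRUSTED_PROXIES: the load balancers that terminate client connections
# in front of the gateway and append X-Forwarded-For.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]


def _in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def client_ip(peer_addr: str, xff_header: Optional[str] = None):
    """Return the address the policy should be evaluated against, or None
    if it cannot be established safely.

    If the TCP peer is not one of our proxies, the peer *is* the client and
    any X-Forwarded-For it sent is ignored (clients can write that header).
    If the peer is a trusted proxy, walk X-Forwarded-For from the right
    (the hop nearest to us) and take the first address that is not a
    trusted proxy; everything further left was supplied by whoever
    connected to that proxy and is not trusted.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not guess, let the caller fail closed.
            return None
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    # Only proxies in the chain (or no header at all): client unknown.
    return None


def is_internal(addr) -> bool:
    return addr is not None and _in_any(addr, INTERNAL_NETWORKS)


def authorize(path: str, peer_addr: str, xff_header: Optional[str] = None) -> bool:
    """Option-1 from the reply as a decision function.

    /internal* : allowed only when the established client IP is internal.
    /external* : allowed from anywhere (other authz checks are out of scope).
    anything else: no matching rule, default deny.
    """
    if path.startswith("/internal"):
        return is_internal(client_ip(peer_addr, xff_header))
    if path.startswith("/external"):
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: (path, TCP peer, X-Forwarded-For)
    samples = [
        ("/internal/app", "10.20.30.40", None),                     # direct intranet client
        ("/internal/app", "203.0.113.5", None),                     # direct internet client
        ("/internal/app", "10.1.1.5", "10.20.30.40"),               # via trusted LB
        ("/internal/app", "10.1.1.5", "10.20.30.40, 203.0.113.5"),  # LB, spoofed first hop
        ("/internal/app", "203.0.113.5", "10.20.30.40"),            # non-proxy peer sends XFF
        ("/external/app", "203.0.113.5", None),
    ]
    for path, peer, xff in samples:
        print(f"{path:14} peer={peer:12} xff={xff!r:28} -> "
              f"{'ALLOW' if authorize(path, peer, xff) else 'DENY'}")
```

The two cases worth noticing are the spoofed one, where the address the client wrote into X-Forwarded-For is discarded because the right-most non-proxy hop is the real source, and the header sent by a non-proxy peer, which is ignored entirely. Whatever layer ends up enforcing the rule (policy server, Apache rewrite, or the load balancer itself as the reply prefers), it needs the same guarantee: the IP it compares against the internal ranges must come from a hop it trusts, otherwise the /internal* restriction only keeps out clients who do not set a header.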