Symantec Access Management

  • 1.  Web Agent client IP resolution

    Posted Sep 11, 2019 04:29 PM
    I am having an issue after upgrade from Apache 2.2 to 2.4 where SiteMinder web agent module no longer picks up the remote client IP address but instead uses the load balancer's IP address. Apparently Apache 2.4 has a different connection record structure (documented here). My question was regarding the SiteMinder web agent's source of remote IP address. Does it use the connection record's client_ip or the request record's useragent_ip, or neither?


  • 2.  RE: Web Agent client IP resolution
    Best Answer

    Broadcom Employee
    Posted Sep 11, 2019 04:59 PM

    Hi Jose,

    By default, the Web Agent will use the REMOTE_ADDR header value to determine the client IP address. If this header does not contain the correct value, you can use the CustomIpHeader ACO parameter to instruct the agent to use a different header. It is very common to set this parameter value to 'X-forwarded-for' as that header will typically contain the true client IP when a proxy is in the path.

    More information about this is here:

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product#DefaultHTTPHeadersUsedbytheProduct-ConfigureIPAddressValidation

    Regards,
    Pete
    Broadcom Layer 7 Siteminder Support




  • 3.  RE: Web Agent client IP resolution

    Posted Sep 12, 2019 10:57 AM
    Pete, thanks for the response. According to that document REMOTE_ADDR is a "web server variable representing the IP address of the HTTP client", not an HTTP header. Could you please confirm REMOTE_ADDR is indeed a web server variable such as Apache's conn_rec->remote_addr variable and not a header per se?

    PS. I have tried the CustomIpHeader setting but it had unintended negative consequences (IP validation was turned on).



  • 4.  RE: Web Agent client IP resolution

    Posted Sep 13, 2019 10:35 AM
    I have been able to confirm that the SiteMinder web agent module for Apache 2.4 is incorrectly using the connection record's client_ip variable instead of the request record's useragent_ip. This change was documented by Apache here. This is a bug and should be fixed in the web agent code. Per Apache's docs:

    When you require the IP address of the user agent, which might be connected directly to the server, or might optionally be separated from the server by a transparent load balancer or proxy, use request_rec->useragent_ip and request_rec->useragent_addr.
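
The thread turns on two different addresses: the connection peer (the load balancer) and the user agent behind it, which is only known from a forwarding header such as X-Forwarded-For. The sketch below is an added example, not code from the thread, from Apache or from the SiteMinder agent; it models that split and accepts the header only when the TCP peer is a known proxy. `Conn`, `Request`, `resolve_useragent_ip` and the `10.0.0.0/24` proxy range are hypothetical stand-ins constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed value: the only peers allowed to assert a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

@dataclass
class Conn:                  # stand-in for Apache's conn_rec
    client_ip: str           # TCP peer; the load balancer when one is in the path

@dataclass
class Request:               # stand-in for Apache's request_rec
    conn: Conn
    headers: dict
    useragent_ip: str = ""   # filled in by resolve_useragent_ip()

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_useragent_ip(req: Request, header: str = "X-Forwarded-For") -> str:
    """Walk the header right to left, stepping past trusted proxies only."""
    candidate = req.conn.client_ip
    hops = [h.strip() for h in req.headers.get(header, "").split(",") if h.strip()]
    # Each hop was appended by the host to its right, so an entry is believed
    # only while the address that vouches for it is a trusted proxy.
    while hops and is_trusted(candidate):
        nxt = hops.pop()
        try:
            ipaddress.ip_address(nxt)
        except ValueError:
            break            # malformed entry: keep the last verified address
        candidate = nxt
    req.useragent_ip = candidate   # conn.client_ip is left untouched
    return candidate
```

Entries to the left of the first untrusted address are client-supplied and are never used, which matters when the resolved address feeds IP validation or audit logs.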