IP range for User and X-Forwarded-For HTTP header
Article ID: 125760
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
Issue/Introduction
User >> Manage Users >> Select a specific user and click Update button >> Administration tab >> [IP Range that is accessible] has 2 kind of type "NAT/Proxy address". When it selects the "Allow the user connection IP range", May I understand the limitation is performed by the "NAT/Proxy address" side.
She tested and it worked as it is. But she would like to know the design is so as the double check.
Environment
Release:
Component: CAPAMX
Component: CAPAMX
Resolution
The understanding is correct.
Also, the customer asked us about the below Note in the DocOps that the scenario that the user accesses the PAM.
http://bit.ly/2DN9864
====
Section Title: Configure Administration Settings for the User Record
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
====
If the device does not prevent against the IP Spoofing, the X-Forwarded-For HTTP header will reach the device. Then, she thinks PAM recognizes the "sender IP address" by the TCP/IP level, not from the X-Forwarded-For HTTP like ClientIP, ProxyIP...
The reason why she asked it is that there is the "IP range" field in the User settings >> Administration, it may possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.
As a result, PAM get the IP address from the X-Forwarded-For header.
Also, the customer asked us about the below Note in the DocOps that the scenario that the user accesses the PAM.
http://bit.ly/2DN9864
====
Section Title: Configure Administration Settings for the User Record
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
====
If the device does not prevent against the IP Spoofing, the X-Forwarded-For HTTP header will reach the device. Then, she thinks PAM recognizes the "sender IP address" by the TCP/IP level, not from the X-Forwarded-For HTTP like ClientIP, ProxyIP...
The reason why she asked it is that there is the "IP range" field in the User settings >> Administration, it may possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.
As a result, PAM get the IP address from the X-Forwarded-For header.
Feedback
Yes
No
Powered by
