Users are unable to access the Email Security.cloud portal when going through a proxy server after enabling IP restrictions under Access Control.

You are not authorized to log in from your current location. Please contact your administrator.

Email Security.cloud Portal

This is due to the http request containing a HTTP_X_FORWARDED_FOR,  which means that the traffic was forwarded from one or more IP addresses. This will cause for the Email Security.cloud Portal authentication servers to see that the last hop is the HTTP_X_FORWARDED_FOR, changing the IP address(es) that the traffic is coming from the IP address(es) added in the portal under Access Control > IP Restrictions.

Example:

REMOTE_ADDR=192.168.x.x
HTTP_X_FORWARDED_FOR= 10.x.x.x

Where REMOTE_ADDR=192.168.x.x  is the client's IP address and HTTP_X_FORWARDED_FOR= 10.x.x.x  is the successive proxy that passed the request adding the IP address where it received the request from.

The proxy administratior will need to have the HTTP_X_FORWARDED_FOR statements removed from the HTTP request or apply a proxy bypass for the following domains:

• clients.messagelabs.com
• identity.symanteccloud.com
   

Note: This restriction provides a limited measure of security, as IP addresses could potentially be spoofed. For example, IP-based restricted access cannot detect instances in which the HTTP_FORWARDED_FOR header has been spoofed. We recommend that you set up two factor authentication in conjunction with IP restrictions for a comprehensive approach to access control.