Client ip in smaccess logs


Article ID: 195023


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

When running Policy Server, one might be unable to log the user IP address
in the smaccess log in our non-prod environment. The IP captured in
REMOTE_ADDR is the LB IP instead of the user IP, and it is this value that
is currently being audited as sm_client ip in the smaccess logs.

The X-forwarded-for and Client-ip headers are populated with the correct
IP address for the user being authenticated. How can one force the agent
to use either X-forwarded-for or Client-ip while auditing?

 

Environment

 

Web Agent 12.52SP1CR11 on Apache 2.4.46 on RedHat 7

 

Resolution

 

Setting the ACO parameter CustomIPHeader to X-forwarded-for should
solve this (1)(2).

You should not need to change ProxyDefinition and/or RequireClientIP
just to include the X-forwarded-for in smaccess.log. Just set
CustomIPHeader.
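
Because the audited address now comes from a request header, it is only as reliable as the load balancer that sets it. The sketch below is an added example, not Broadcom's code and not a description of how the Web Agent evaluates CustomIPHeader: it shows one way to decide which address is safe to record when REMOTE_ADDR is the LB. The trusted range 10.0.0.0/24, the sample addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample value: address range of the load balancer tier (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def audit_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to record as the client IP for one request.

    remote_addr is the TCP peer (the LB when traffic is proxied).
    x_forwarded_for is the raw header value, or None when absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A request that did not arrive through the LB can carry any header
    # value it likes, so only the TCP peer is recorded.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Each proxy appends the peer it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    candidate = peer
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last verified address
        candidate = ip
        if not _is_trusted(ip):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    for peer, xff in [("10.0.0.5", "203.0.113.7"),
                      ("10.0.0.5", "1.2.3.4, 203.0.113.7"),
                      ("198.51.100.9", "203.0.113.7")]:
        print(peer, repr(xff), "->", audit_client_ip(peer, xff))
```

Entries to the left of the one appended by the LB are supplied by the client, so an audit trail should not rely on them.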

 

Additional Information

 

(1)

    List of Agent Configuration Parameters
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html#concept.dita_2fd165d3272c946abfbbca53cdd2a631bff36952_1

(2)

    Default HTTP Headers Used by the Product
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html