Validate Reject Invalid Session IP in Policy Server

Article ID: 211483


Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


When running a Policy Server, the authorization of a user to access a resource often fails, and the Policy Server smaccess log reports:

   Invalid session ip 

This can happen even though CustomIPHeader and ProxyDefinitions are configured (1).

 

Resolution


First, if IP checking is not needed, disable this behavior by configuring TransientIPCheck="NO" (2).

Second, a ProxyDefinitions entry cannot be a subnet. Even if the front-end servers handle multiple IPs, CustomIPHeader accepts only one value for a given Web Agent (3).

Third, if the server is the API Gateway, it handles only a few ACO parameters, and CustomIPHeader is not among them (4).

The Web Agent, in the actual code, accepts only one IP from the value of X-Forwarded-For (3).

In light of that, the resolution of the client IP depends on the configured values as follows.

If 

   customipheader = x-forwarded-for
   ProxyDefinitions = <empty>

Then

   the CustomIpHeader is used to resolve the Client IP.

If 

   customipheader = x-forwarded-for
   ProxyDefinitions = Ip1, Ip2

Then 

   the CustomIpHeader is used only if the actual ClientIp (REMOTE_ADDR) matches one of the defined proxy devices; otherwise, the normal ClientIp (REMOTE_ADDR) is used.

About the AUTO value that can be set for ProxyDefinitions.

AUTO means:

  • If the request comes from a proxy and that proxy is not in the ProxyDefinitions list, access is allowed using Remote_Addr.
  • AUTO also allows direct access to the application, bypassing all proxies, because the Web Agent allows access using Remote_Addr.
  • If AUTO is not set in ProxyDefinitions but an IP is set, the Web Agent uses CustomIpHeader only if Remote_Addr matches the IP defined in ProxyDefinitions.
  • If ProxyDefinitions is not set in the ACO, it has an empty value by default.
  • Finally, if neither CustomIpHeader nor ProxyDefinitions is used, the ClientIp is used as normal.
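The rules above (empty ProxyDefinitions, a list of proxy IPs, AUTO, and the single-IP limit of the header) are easy to misread, so here is a small simulator that applies them to sample requests and then performs the session IP comparison that yields "Invalid session ip" when TransientIPCheck is enabled. This is an added example, not CA/Broadcom code: the ACO parameter names come from the article, but the function names, the sample IPs and the behaviour for a multi-valued header (the page only says the agent accepts one IP; the simulator treats a comma-separated list as unusable and keeps REMOTE_ADDR) are assumptions of this example.

```python
"""Simulator of the Web Agent client-IP resolution described in this article
(CustomIPHeader / ProxyDefinitions / AUTO) plus the TransientIPCheck session
comparison. Added example; not CA/Broadcom code. Sample IPs are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AgentConfig:
    """Subset of ACO parameters named on the page."""
    custom_ip_header: Optional[str] = None                 # e.g. "x-forwarded-for"
    proxy_definitions: List[str] = field(default_factory=list)  # [] = empty, may contain "AUTO"
    transient_ip_check: bool = True                        # TransientIPCheck="YES" (assumed default)


@dataclass
class Request:
    remote_addr: str                                       # REMOTE_ADDR seen by the Web Agent
    headers: Dict[str, str] = field(default_factory=dict)  # request headers, any case


def header_single_ip(req: Request, name: str) -> Optional[str]:
    """Return the header value only if it carries exactly one IP.

    The article states the agent accepts only one IP from the header value.
    Treating a comma-separated list (several proxies appending themselves)
    as unusable is this simulator's assumption, not documented behaviour."""
    lowered = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    value = lowered.get(name.lower())
    if value is None:
        return None
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return parts[0] if len(parts) == 1 else None


def resolve_client_ip(cfg: AgentConfig, req: Request) -> str:
    """Apply the page's rules and return the IP the agent would report as ClientIp."""
    if not cfg.custom_ip_header:
        return req.remote_addr                     # neither parameter used: ClientIp as normal

    header_ip = header_single_ip(req, cfg.custom_ip_header)
    defs = [d.strip() for d in cfg.proxy_definitions if d.strip()]
    proxy_ips = [d for d in defs if d.upper() != "AUTO"]   # individual IPs only, never subnets

    if not defs:
        # ProxyDefinitions empty: CustomIpHeader resolves the client IP
        # (falling back to REMOTE_ADDR when the header is absent/unusable is an assumption).
        return header_ip or req.remote_addr

    if req.remote_addr in proxy_ips:
        # Request arrived via a listed proxy device: trust the custom header.
        return header_ip or req.remote_addr

    # Not a listed proxy. With or without AUTO the page says Remote_Addr is used;
    # AUTO alone (no IPs listed) therefore never consults the header.
    return req.remote_addr


def check_session_ip(cfg: AgentConfig, session_ip: str, req: Request) -> Tuple[str, bool]:
    """Return (resolved_ip, ok). ok=False models the 'Invalid session ip'
    outcome in smaccess; TransientIPCheck="NO" skips the comparison."""
    resolved = resolve_client_ip(cfg, req)
    if not cfg.transient_ip_check:
        return resolved, True
    return resolved, resolved == session_ip


if __name__ == "__main__":
    # Constructed scenario: session created with client IP 10.0.0.5, later request
    # passes through two proxies so X-Forwarded-For carries two values.
    cfg = AgentConfig(custom_ip_header="x-forwarded-for")
    later = Request("192.168.1.10", {"X-Forwarded-For": "10.0.0.5, 192.168.1.10"})
    print(check_session_ip(cfg, "10.0.0.5", later))   # session check fails
```

Run the scenarios that matter to your deployment (one proxy, several proxies, API Gateway in front) against this table before changing ProxyDefinitions; the multi-valued header case is the one that most often explains a surprising "Invalid session ip" when the configuration otherwise looks correct.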

Additional Information