Validate Reject Invalid Session IP
Article ID: 211483
Updated On:
Products
Issue/Introduction
When running a Policy Server, often the authorization of a user to
access a resource fails and the Policy Server smaccess log reports :
Invalid session ip
This might occur despite the configuration of CustomIPHeader and
ProxyDefinitions (1).
Resolution
At first glance, if you don't wish IP checking you can easily override
this behavior by configuring TransientIPCheck="NO" (2).
Second, the ProxyDefinition cannot be a subnet. Even if the Front End
servers handles multiple IP's, CustomIPHeader accepts only 1 value for
a given Web Agent (3).
Third, you should know that if the Server is API Gateway, this one
handles only few ACO parameter for which CustomIPHeader isn't in the
list (4).
Web Agent in the actual code accepts only 1 IP from the value of
X-Forwarded-For (5).
In light of that, having configured :
If
customipheader = x-forwarded-for
ProxyDefinitions = <emtpy>
Then
the CustomeIpHeader is used to resolve the Client IP.
If
customipheader = x-forwarded-for
ProxyDefinitions = Ip1, Ip2
Then
then CustomIpHeader is only used if the actual ClientIp
(REMOTE_ADDR) matches one of the defined proxy devices; otherwise,
the normal ClientIp is used.
About AUTO value that you can set for ProxyDefinitions.
AUTO means :
If we access from a Proxy and the Proxy is not in the list of
Proxydefinition, we allow access using Remote_Addr.
AUTO allows also direct access to the application by passing all
Proxies, as Web Agent allows access using Remote_Addr.
If AUTO is not set in Proxydefinition, but there's an IP set, then the
Web Agent will use Customipheader only if the Remote_Addr maches the
IP defined in Proxydefinition.
If Proxydefinition is not set in the ACO, then it has empty value by
default.
Finally, if neither CustomIpHeader nor ProxyDefinition is used, then
ClientIp is used as normal.
Additional Information
(1)
Default HTTP Headers Used by the Product
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product.html
(2)
Policy Server reporting "Invalid session ip"
In Web Agent, we override this IP validation by setting the
ACO parameter TransientIPCheck="NO".
https://knowledge.broadcom.com/external/article?articleId=36892
(3)
How works WebAgent ACO parameter CustomIPHeader
[...]
The Web Agent only accept 1 single value is motivated by security
concerns.
CustomIPHeader accepts single value because of security attacks
possible if SiteMinder would allows multiple values :
[...]
https://knowledge.broadcom.com/external/article?articleId=36859
(4)
Can you suggest how to implement grace period
As you know already, the Api Gateway only support 9 ACO at the moment :
Fetch ACO Properties to the Gateway Policy for Composing SMSESSION
Cookie with SSOToken
The following list of ACO parameters compose the SMSESSION cookie string:
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate http only
Note: Except for the above ACO parameters, Gateway does not use
any other ACO parameters.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html
https://knowledge.broadcom.com/external/article?articleId=143720
(5)
How works WebAgent ACO parameter CustomIPHeader
[...]
The Web Agent only accept 1 single value is motivated by security
concerns.
CustomIPHeader accepts single value because of security attacks
possible if SiteMinder would allows multiple values :
[...]
https://knowledge.broadcom.com/external/article?articleId=36859
Feedback
