Configuring IP Checking in Siteminder with a Load Balancer
Article ID: 389991

Updated On: 03-11-2025

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER

Issue/Introduction

An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to sensitive resources.  

Environment

PRODUCT: Siteminder

COMPONENT: Access Gateway or Web Agent

VERSION: Any

OPERATING SYSTEM: Any

Cause

To prevent a breach of security by an unauthorized system, you can enable or disable IP checking with persistent and transient cookies.

The IP checking feature requires the agent to compare the IP address stored in the cookie from the last request against the IP address of the current request. If the two addresses do not match, the agent rejects the request.

When a load balancer sits between the web browser and the SiteMinder Web Agent, every request forwarded from the load balancer to the Web Agent carries the load balancer's IP address. As a result, all requests appear to come from the same IP, and the comparison no longer tells one client from another.

Resolution

The following Agent Configuration Object (ACO) parameters will enable IP Checking:

PersistentIPCheck

If you enabled PersistentCookies in the ACO [PersistentCookies=yes], set PersistentIPCheck=yes.

TransientIPCheck

If you did not enable PersistentCookies in the ACO [PersistentCookies=no], set TransientIPCheck=yes.

RequireClientIP

Specifies if the agent validates the IP address of the client. When this value is set to yes, the agent validates that the IP address in the browser cookie matches the IP address of the client. If the addresses do not match, a 403 error message appears in the browser of the user. If the cookie does not contain an IP address, then users are prompted for their credentials.

 

Configure Siteminder to perform IP Checking when traffic is coming from a Load Balancer

1) Configure the load balancer to pass the browser client's IP address in the X-Forwarded-For header.

2) Configure the Web Agent to obtain the client IP from a header.

ProxyDefinition

Specifies the IP addresses of the trusted proxies in a network. The agent uses the value of ProxyDefinition together with other ACO parameters such as CustomIpHeader to determine whether a request originates directly from a user or from a proxy server. If you define ProxyDefinition, the agent expects every request coming from a proxy to have a source IP address found in the ProxyDefinition list. If a request arrives from an IP address that is not in the list, the agent does not consult the CustomIpHeader to resolve the client IP address for that request and leaves the client IP address unresolved.

ProxyDefinition=<Load Balancer IP's>

CustomIpHeader

Specifies an HTTP header for which the agent searches to find the IP address of the requestor. If no value is specified for this parameter, the default is an empty string. No maximum length is enforced and the value can be any string that contains a valid HTTP header value.

CustomIpHeader=X-Forwarded-For

 

EXAMPLE:

...

PersistentCookies=no

PersistentIPCheck=no

TransientIPCheck=yes

ProxyDefinition=<Load Balancer IP's>

CustomIpHeader=X-Forwarded-For

...
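Added example, not from the article or from Broadcom: a small Python model of how the agent resolves the client IP under these ACO settings and then applies TransientIPCheck. All addresses are constructed documentation values standing in for <Load Balancer IP's> and real clients, and the behaviour when ProxyDefinition is empty is an assumption of the model. It shows why ProxyDefinition must accompany CustomIpHeader, and what the check degrades to when the agent is left unaware of the load balancer.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed ACO fragment following the article's example. 192.0.2.10 is a
# made-up documentation address standing in for <Load Balancer IP's>.
ACO = {
    "TransientIPCheck": "yes",
    "ProxyDefinition": "192.0.2.10",
    "CustomIpHeader": "X-Forwarded-For",
}

# Same agent with IP checking on but no proxy awareness (the situation in the
# Cause section): the agent only ever sees the load balancer's address.
ACO_NO_PROXY = {"TransientIPCheck": "yes"}

def resolve_client_ip(peer_ip: str, headers: Mapping[str, str],
                      aco: Mapping[str, str]) -> Optional[str]:
    """Model of the ProxyDefinition / CustomIpHeader behaviour described above.

    With ProxyDefinition set, the header is consulted only when the TCP peer is a
    listed proxy; any other peer leaves the client IP unresolved (None). Without
    ProxyDefinition the peer address itself is taken as the client (assumption).
    """
    trusted = {ipaddress.ip_address(p.strip())
               for p in aco.get("ProxyDefinition", "").split(",") if p.strip()}
    peer = ipaddress.ip_address(peer_ip)
    if not trusted:
        return str(peer)
    if peer not in trusted:
        return None  # request did not arrive via a trusted proxy
    wanted = aco.get("CustomIpHeader", "").lower()
    value = {k.lower(): v for k, v in headers.items()}.get(wanted)
    if not value:
        return None  # trusted proxy, but no usable client-IP header
    # X-Forwarded-For may be a chain; the left-most entry is the browser's address.
    try:
        return str(ipaddress.ip_address(value.split(",")[0].strip()))
    except ValueError:
        return None

def ip_check_passes(cookie_ip: str, peer_ip: str, headers: Mapping[str, str],
                    aco: Mapping[str, str]) -> bool:
    """TransientIPCheck: the IP recorded in the cookie must match the resolved client IP."""
    if aco.get("TransientIPCheck", "no").lower() != "yes":
        return True
    client_ip = resolve_client_ip(peer_ip, headers, aco)
    return client_ip is not None and client_ip == cookie_ip
```

With ACO_NO_PROXY every cookie is stamped with the load balancer's address, so a cookie presented from any other browser through the same load balancer still passes; with ACO the header is honoured only from the listed proxy and the comparison is meaningful again.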
