Web Agent :: Useserverrequestip : AgentName

book

Article ID: 51247

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Description:

On virtual Web servers, when IP addresses and host names are used to resolve the Agent name, the Web Agent can potentially use an incorrect value for AgentName to evaluate the request. This situation would allow unauthenticated users to access protected resources.

However, if you configure the Useserverrequestip parameter, the Web Agent resolves AgentName based on the actual IP Address and protects these resources. If the Web server is configured to use IP addresses for virtual server mappings, set Useserverrequestip to yes. The Web Agent resolves the AgentName based on the physical IP address of the virtual server, which means that the correct rules and policies are applied. Which means that if Web server is configured to use IP addresses for virtual server mappings then 'useserverrequestip' must have been set to 'yes' should have worked.

But this is not the case and it still does not work on my environment. Why?

Solution:

If you set 'useserverrequestip' to yes, then you have to set AgentName with ip address, plus the port number as x.x.x.x:zzzz.
An IP within itself is not unique but IP + port is unique and will point to a single AgentName rather than multiple one.

Environment

Release:
Component: SMAPC