IP range for User and X-Forwarded-For HTTP header

Document ID : KB000125760

Last Modified Date : 04/02/2019

Question:

User >> Manage Users >> Select a specific user and click Update button >> Administration tab >> [IP Range that is accessible] has 2 kind of type "NAT/Proxy address". When it selects the "Allow the user connection IP range", May I understand the limitation is performed by the "NAT/Proxy address" side.
She tested and it worked as it is. But she would like to know the design is so as the double check.

Answer:

The understanding is correct.

Also, the customer asked us about the below Note in the DocOps that the scenario that the user accesses the PAM.

http://bit.ly/2DN9864
====
Section Title: Configure Administration Settings for the User Record
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
====

If the device does not prevent against the IP Spoofing, the X-Forwarded-For HTTP header will reach the device. Then, she thinks PAM recognizes the "sender IP address" by the TCP/IP level, not from the X-Forwarded-For HTTP like ClientIP, ProxyIP...

The reason why she asked it is that there is the "IP range" field in the User settings >> Administration, it may possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.

As a result, PAM get the IP address from the X-Forwarded-For header.

Was this information helpful?