Web Agent Guides › Web Agent Configuration Guide › User Protection › Verify IP Addresses

Verify IP Addresses

CA SiteMinder® agents can verify IP addresses using the parameters described in the following procedures:

• Resolve agent identity by IP address.
• Compare IP addresses to prevent security breaches.

Resolve Agent Identity by IP Address

On virtual web servers, when IP addresses and host names are used to resolve the Agent name, the Web Agent can potentially use an incorrect value for AgentName to evaluate the request. This situation would allow unauthenticated users to access protected resources.

You can force the Web Agent to resolve the Agent name based on the physical IP address of the virtual server, with the following parameter:

UseServerRequestIp

Instructs the Web Agent to resolve the AgentName according to the physical IP address of a virtual web server. Use this parameter to increase security if a web server uses IP addresses for virtual server mappings. If this parameter is set to no, the Web Agent resolves the AgentName according to the host name in the HTTP Host header of the client's request.

For Domino servers, this parameter is supported only for Domino 6.x. If this parameter is enabled for an Agent on other Domino versions, the Web Agent uses the default Agent name.

For IIS Web Agents configured for SSL communication and virtual hosts, you must set this parameter to yes. IIS does not allow virtual host mappings using host names with SSL enabled.

Default: No

To resolve a Web Agent's identity using the IP Address, set the UseServerRequestIp parameter to yes.

Compare IP Addresses to Prevent Security Breaches

An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent a breach of security by an unauthorized system, you can enable or disable IP checking with persistent and transient cookies.

The IP checking feature requires agent to compare the IP address stored in a cookie from the last request against the IP address contained in the current request. If the IP addresses do not match, the agent rejects the request.

The two parameters that are used to implement IP checking are PersistentIPCheck and TransientIPCheck. Set them as follows:

• If you enabled PersistentCookies, set PersistentIPCheck to yes.
• If you did not enable PersistentCookies, set TransientIPCheck to yes.

CA SiteMinder® identity cookies are unaffected by IP checking.

More Information

Set Persistent Cookies

Control Identity Cookies