seba4 Respected Contributor.

NAM & F5 Load balance - Wrong Remote Client IP Address

Hi, I am trying to set up NAM with a cluster and over an F5 load balancer.

When I try to connect directly to NAM, Risk based authentication is working like it's supposed to; we are getting the correct form.
But when I try to connect through the load balancer I get the wrong Risk score, because the IP address NAM receives is wrong.

I have checked the logs and I see that X-Forwarded-For is sent.

What I have done:
- In Risk Based I have enabled NAT settings; Client IP Header name is set to: x-forwarded-for and Client IP Header Parser is set to .*

In the logs I can see that X-Forwarded-For is set to 10.1.7.13 and Remote Client IP Address is set to 10.252.252.81 (F5 load balancer)
[PHP]****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /app
Query String: null
Path Info: /login
Server Name: idp.eti.si
Server Port: 443
Content Length: -1
Content Type: null
Auth Type: null
Request URL: https://idp.company.si/nidp/app/login
Host IP Address: 10.252.252.79
Remote Client IP Address: 10.252.252.81
Cookie: (0 of 3): JSESSIONID, 06aca6aa8a620d2d286e4abd39970ba2aa901fcad4288a3de68beee0aee7136f
Cookie: (1 of 3): UrnNovellNidpClusterMemberId, ~03~02feb~03~14~17hhw~0A~02
Unobfuscated: UrnNovellNidpClusterMemberId: 10.252.252.79
Cookie: (2 of 3): BIGipServerAccessManager, 1341979658.47873.0000
Header: Name: host, Value: idp.company.si
Header: Name: user-agent, Value: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0
Header: Name: accept, Value: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Header: Name: accept-language, Value: en-US,en;q=0.5
Header: Name: accept-encoding, Value: gzip, br

Header: Name: DNT, Value: 1
Header: Name: connection, Value: keep-alive
Header: Name: Upgrade-Insecure-Requests, Value: 1
Header: Name: X-Forwarded-For, Value: 10.1.7.13
Header: Name: Via, Value: 1.1 idp.eti.si (Access Gateway-ag-B4DA5565790A2261-119959)
[/PHP]

Based on the Risk log I saw that it's using the wrong IP:
[PHP]Rule considered for risk score: COMPANY-LAN</msg></amLogEntry>
<amLogEntry seq="327315" d="2019-04-08T12:21:31Z" lg="Application" lv="DEBUG" th="49" ><msg>Method: RiskManager.evaluateRisk
Thread: ajp-bio-127.0.0.1-9019-exec-24
traceList: RL~groupName~RBA_Preauth_Kerberos-SK~ruleCount~1~Success~riskScore~30
RU~~ETI-LAN~~negateResult~false~exceptionRule~false~result~false~
CO~~ clientIP~10.252.252.81~in-range~hidden~parameters~result~false~</msg></amLogEntry>
[/PHP]


I have noticed this post about this kind of problem, but it's old; it's strange that NAM doesn't already support this.
https://www.netiq.com/communities/cool-solutions/how-to-pass-users-actual-address-to-nam-identity-server-when-request-coming-in-via-load-balancer-or-proxy-server/

Our current NAM version is 4.4.2. Currently I can't upgrade it.

I know I am missing something but I don't know what. If someone can help, that would be great, because nothing I have tried works.

Kind Regards
Sebastjan
seba4 Respected Contributor.

Re: NAM & F5 Load balance - Wrong Remote Client IP Address

It looks like the URL I pasted is working, at least from a first test. I didn't like it because it looked like a hack and I was hoping something better exists.
Knowledge Partner

Re: NAM & F5 Load balance - Wrong Remote Client IP Address

On 08-04-2019 11:34 PM, seba4 wrote:
>
> Hi, I am trying to set up NAM with a cluster and over an F5 load balancer.
>
> When I try to connect directly to NAM, Risk based authentication is


>
>
> I have noticed this post about this kind of problem, but it's old; it's
> strange that NAM doesn't already support this.
> https://www.netiq.com/communities/cool-solutions/how-to-pass-users-actual-address-to-nam-identity-server-when-request-coming-in-via-load-balancer-or-proxy-server/
>
> Our current NAM version is 4.4.2. Currently I can't upgrade it.
>
> I know I am missing something but I don't know what. If someone can help,
> that would be great, because nothing I have tried works.


Your filter isn't working properly. Set it to:

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>



--
Cheers,
Edward
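
Added example, not part of the thread and not NAM or Tomcat code: a simplified Python model of how a trusted-proxy filter picks the client address from X-Forwarded-For, using the addresses from the log above. The trusted-proxy list (only the F5 address) and the multi-entry header values are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the F5 address seen in the log is the only trusted proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.252.252.81/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, xff_header):
    """Return the address an IP-based risk rule should evaluate.

    The header is honoured only when the TCP peer is a trusted proxy.
    Entries are walked right to left (nearest hop first); the first entry
    that is not a trusted proxy is taken as the client. Entries further
    left came from the client side and are never used.
    """
    if not xff_header or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    return remote_addr  # every entry was a trusted proxy


def demo():
    """Constructed cases: (TCP peer, X-Forwarded-For value)."""
    cases = [
        ("10.252.252.81", "10.1.7.13"),              # via F5, as in the log
        ("10.252.252.81", "192.0.2.10, 10.1.7.13"),  # client-supplied entry, F5 appended
        ("10.1.7.13", "192.0.2.10"),                 # direct peer, header not honoured
        ("10.252.252.81", None),                     # via F5, header missing
    ]
    return [resolve_client_ip(peer, xff) for peer, xff in cases]


if __name__ == "__main__":
    print(demo())
```

For risk rules keyed on IP ranges, the header is only as trustworthy as the hop that set it, so it should be accepted from the load balancer alone.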
seba4 Respected Contributor.

Re: NAM & F5 Load balance - Wrong Remote Client IP Address

Thank you, this helped.
Knowledge Partner

Re: NAM & F5 Load balance - Wrong Remote Client IP Address

On 17-04-2019 5:54 PM, seba4 wrote:
>
> Thank you, this helped.
>
>

Thanks for the feedback 🙂

--
Cheers,
Edward