I recently had a customer who wanted to make certain users on their network use Multi-Factor Authentication (MFA), but not others.
Users connect to a NetScaler load balancer in front of two UAG appliances, which then reverse proxy the WorkspaceOne Identity Manager (vIDM, aka WSOne Access) cluster via another NetScaler load balancer.
The problem is that even if you configure the load balancer to pass the client source IP in an X-Forwarded-For (XFF) header, vIDM cannot tell which of the IPs listed in that header is the client's actual IP. It will usually pick the wrong one (a load balancer or UAG address), so the Network Range policy rules never match the real client. What we want is for vIDM to ignore specific IPs in the XFF header.
The fix is to tell vIDM every IP that it should disregard when reading the header. This list is the IP of every load balancer and UAG appliance on the route from your client to the vIDM instance.
The first step is to follow your load balancer vendor's guide to enable the client IP X-Forwarded-For rewrite. Carl Stalhood has thankfully written one for how to configure NetScaler here: https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-netscaler-12/
Next we need to add our IPs to each vIDM appliance in the runtime-config.properties file. In my case I have six of them, so this took the best part of an hour waiting for everything to come back up. When restarting vIDM services you MUST ensure that they are fully up on the node before progressing to the next node. This can be monitored from the Admin System Diagnostics Dashboard. Wait for all the green ticks unless you want to spend a few hours cleaning up unassigned shards (see HERE for how to fix that).
Via SSH/Console connect to each vIDM appliance and run the following commands to make a copy of the original file and open it for editing:
cd /usr/local/horizon/conf/
cp runtime-config.properties runtime-config.properties.bak
vi runtime-config.properties
Scroll to the end of the document, hit the [Insert] Key on your keyboard to put vi into edit mode and add the following line to the very end of the file:
Where X.X.X.X is a specific IP you wish to ignore, and Y.Y.Y.Y/26 is a specific Subnet you wish to ignore.
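To make clear why the ignore list matters, here is an added example (not code from the page, and not vIDM's own implementation) that models the behaviour described above: walk the XFF proxy chain from the hop nearest the server and skip every address that is on the ignore list, so the first hop that is not a known proxy is the client. It also shows the two failure modes the page is working around: with an empty ignore list the "client" resolves to the inner load balancer, and naively trusting the left-most XFF entry lets a caller spoof an internal address. All IPs, subnets and the Network Range policy are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ignore_list(entries: Iterable[str]) -> List[Network]:
    """Parse the ignore list in the same shape the page describes:
    bare IPs (X.X.X.X) and CIDR subnets (Y.Y.Y.Y/26).
    A bare IP becomes a /32 (or /128 for IPv6)."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def is_ignored(hop: str, ignored: List[Network]) -> bool:
    """True if the hop is a known load balancer / UAG address."""
    addr = ipaddress.ip_address(hop)          # raises ValueError on garbage
    return any(addr in net for net in ignored)


def resolve_client_ip(xff_header: Optional[str], remote_addr: str,
                      ignored: List[Network]) -> Optional[str]:
    """Determine the real client IP from the XFF chain plus the TCP peer.

    The chain is walked right-to-left (nearest hop first). Hops on the
    ignore list are trusted proxies we appended ourselves; the first hop
    that is NOT on the list is the client. Anything left of that hop was
    written by an untrusted party and is never consulted.
    Returns None when no client can be attributed (all hops are our own
    proxies, or a hop is not a valid IP), so the caller can fail closed."""
    hops = [remote_addr]
    if xff_header:
        hops = [h.strip() for h in xff_header.split(",") if h.strip()] + hops
    for hop in reversed(hops):
        try:
            if not is_ignored(hop, ignored):
                return hop
        except ValueError:
            return None                        # malformed hop: do not trust
    return None                                # only our own proxies present


def requires_mfa(client_ip: Optional[str], internal_ranges: List[Network]) -> bool:
    """Sample Network Range policy: clients inside the internal ranges skip
    MFA; everyone else, and any request we cannot attribute, gets MFA."""
    if client_ip is None:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    return not any(addr in net for net in internal_ranges)


# --- constructed sample topology -------------------------------------------
# external NetScaler VIP, two UAGs, and the internal NetScaler subnet
IGNORE = parse_ignore_list(["10.0.1.10", "10.0.2.11", "10.0.2.12", "10.0.3.0/26"])
INTERNAL = parse_ignore_list(["192.168.0.0/16"])   # corporate LAN, no MFA needed


def demo() -> dict:
    """Run the scenarios the page describes and return the results."""
    chain = "203.0.113.7, 10.0.1.10, 10.0.2.11"    # real external client
    spoofed = "192.168.1.1, " + chain               # attacker-supplied first entry
    peer = "10.0.3.5"                               # inner NetScaler as TCP peer
    return {
        # without an ignore list the nearest hop (the load balancer) wins
        "no_ignore_list": resolve_client_ip(chain, peer, []),
        "with_ignore_list": resolve_client_ip(chain, peer, IGNORE),
        # left-most-entry parsing would return the spoofed 192.168.1.1
        "spoofed_chain": resolve_client_ip(spoofed, peer, IGNORE),
        "internal_client": resolve_client_ip("192.168.10.20, 10.0.1.10, 10.0.2.11",
                                             peer, IGNORE),
        "only_proxies": resolve_client_ip("10.0.1.10, 10.0.2.11", peer, IGNORE),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:18} -> client={ip!s:16} mfa={requires_mfa(ip, INTERNAL)}")
```

The right-to-left walk is the important design choice: a client can put anything it likes at the front of the header, but it cannot remove the entries your own proxies append behind it, so only the boundary between "addresses I know I added" and "everything else" is trustworthy. That is exactly the boundary the ignore list in runtime-config.properties defines.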
Now restart the service:
service horizon-workspace restart
Then browse to the System Diagnostics Dashboard on the admin interface and wait for the services to come back up before moving on to the next node.
Congratulations, WorkspaceOne can now identify users by their actual client IP.