IBM Verify


Considerations when putting WebSEAL behind an external WAF

  • 1.  Considerations when putting WebSEAL behind an external WAF

    Posted Wed December 02, 2020 09:20 AM
    Hi,

    We want to put a WAF, which terminates the connections, in front of our WebSEAL for connections coming from the internet. This will now pose several challenges regarding the real IP-address of the client.
    There are (at least) 3 places where the IP address is used: logging, POPs and forwarding the address to back-end servers.

    Does WebSEAL have a feature like the following from Nginx:
    set_real_ip_from w.x.y.z;
    real_ip_header X-Forwarded-For;

    This would really facilitate our life.

    The added challenge in our case is that there will be connections coming through the WAF, where the real IP-address is only accessible via header, and other connections which access WebSEAL directly. The reason for this setup is routing problems that would arise if the internal traffic also passed through the WAF.

    Here are the problems and possible solutions:

    Logging:
    If everything passed through the WAF it would be easy to log the X-Forwarded-For or similar header. But here we will probably have to log both the header and the real IP-address, which will make log analysis more difficult. I don't know if our Syslog server would be able to make such a consolidation.

    POP:
    IP-address restriction will probably have to be checked both on the WAF and on WebSEAL. WebSEAL also has to allow the addresses of the WAF.

    Forwarding the real IP to back-end servers:
    At the moment we use the built-in WebSEAL header to forward the IP-address. We will probably have to change that, which would then also need an adaptation of the back-end applications (of which there are a lot).
    We would probably have to add something like this:
    client-ip-v4 = +X-Forwarded-For
    That way the header would be added, and in case the traffic goes through the WAF there would be two values for this header, which of course is also not ideal.

    So, what are your thoughts and experiences using a WAF with WebSEAL?

    ------------------------------
    Laurent LA Asselborn
    ------------------------------
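    The mixed setup described in the post (some connections via the WAF, some direct) is exactly the case where a forwarded-IP header must only be honoured when the immediate peer is a known proxy; otherwise a direct client can supply its own X-Forwarded-For and spoof the address used for logging, POP checks and the header passed to junctioned servers. The following is an added, self-contained illustration of that trust rule, written for this thread rather than taken from WebSEAL or the original post; the proxy network 203.0.113.0/29, the client addresses, and the back-end header name X-Real-Client-IP are constructed values and assumptions, and the same resolved address feeds all three uses (audit record, POP check, single forwarded header) so that the "two values" problem does not arise.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed for this example: the WAF's egress addresses (assumed), the
# header the WAF is assumed to set, and a hypothetical name for the single
# header handed to junctioned back-end servers.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/29")]
REAL_IP_HEADER = "X-Forwarded-For"
BACKEND_CLIENT_IP_HEADER = "X-Real-Client-IP"


def _is_trusted_proxy(addr: str, trusted: Iterable) -> bool:
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def resolve_client_ip(peer_addr: str, headers: Dict[str, str],
                      trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to treat as the client's real IP.

    Direct connections (peer not a trusted proxy) get the TCP peer address,
    whatever the client put in X-Forwarded-For. Connections from a trusted
    proxy use the right-most X-Forwarded-For entry that is not itself a
    trusted proxy; entries further left were appended by untrusted hops and
    are attacker-controllable, so they are ignored.
    """
    if not _is_trusted_proxy(peer_addr, trusted):
        return peer_addr
    xff = _header(headers, REAL_IP_HEADER)
    if not xff:
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the peer address
        if not _is_trusted_proxy(hop, trusted):
            return hop
    return peer_addr  # header listed only our own proxies


def audit_record(peer_addr: str, headers: Dict[str, str],
                 trusted: Iterable = TRUSTED_PROXIES) -> Dict[str, object]:
    """Logging: keep both the TCP peer and the resolved client in one record,
    plus a flag saying whether the resolved value came via the WAF, so the log
    consumer does not have to reconcile two different fields."""
    return {
        "peer": peer_addr,
        "client": resolve_client_ip(peer_addr, headers, trusted),
        "via_waf": _is_trusted_proxy(peer_addr, trusted),
    }


def pop_allows(client_ip: str, allowed_networks: Iterable[str]) -> bool:
    """POP-style IP restriction evaluated against the resolved client address,
    not the peer address, so the WAF's own addresses need not be in the list."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


def backend_headers(peer_addr: str, headers: Dict[str, str],
                    trusted: Iterable = TRUSTED_PROXIES) -> Dict[str, str]:
    """Forwarding: strip any inbound copies of the real-IP headers and set
    exactly one header with the resolved value, so back-end applications
    never see two values regardless of which path the request took."""
    drop = {REAL_IP_HEADER.lower(), BACKEND_CLIENT_IP_HEADER.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out[BACKEND_CLIENT_IP_HEADER] = resolve_client_ip(peer_addr, headers, trusted)
    return out


if __name__ == "__main__":
    # Constructed sample: one request via the WAF, one direct with a spoofed header.
    via_waf = ("203.0.113.2", {"X-Forwarded-For": "10.0.0.5, 198.51.100.7", "Host": "app"})
    direct = ("10.1.2.3", {"X-Forwarded-For": "198.51.100.7", "Host": "app"})
    for peer, hdrs in (via_waf, direct):
        print(audit_record(peer, hdrs), backend_headers(peer, hdrs))
```

    The trusted-proxy list plays the role of Nginx's set_real_ip_from, and walking the header from the right plays the role of real_ip_header with recursive resolution: a direct client's forged X-Forwarded-For is discarded, and a request that passed through the WAF yields the address the WAF saw, even when the client prepended its own entries.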


  • 2.  RE: Considerations when putting WebSEAL behind an external WAF

    Posted Wed December 02, 2020 03:10 PM
    Laurent,

    Changes which are available in the upcoming 10.0.1 release (which is due to be released on 18th December) will address some of the problems which you are facing.  You will now be able to specify an HTTP header which contains the IP address and have this used as the 'real' IP address in auditing, logging and authorization decisions.  WebSEAL can already forward HTTP headers to junctioned Web servers and so there is no change required there.

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia

  • 3.  RE: Considerations when putting WebSEAL behind an external WAF

    Posted Thu December 03, 2020 02:11 AM
    Hi Scott,

    This would indeed be great news.

    Thanks a lot for the information.

    ------------------------------
    Laurent LA Asselborn
    ------------------------------