This article explains and provides a solution for issues which are seen when trying to connect to the RSA web tier from the internet. The requests to the web tier are being routed through a load balancer; in this case, Azure App Gateway.
The Authentication Manager server was unable to identify the incoming requests though the the backend instance IP addresses of the Azure App Gateway added under the Virtual Host load balancer page in the Operations Console.
On the side of the end user who is trying to access the web tier console from the internet to login, the following error is seen:
Sorry, your request cannot be processed at this time
In the /opt./rsa/am/server/ImsTrace.log collected from the Authentication Manager server the following errors are registered:
ERROR 16042 Execute command Administrator “SYSTEM” attempted to execute command “com.rsa.ims.sso.service.CheckAccessCommand” Failure Unexpected exception caught SYSTEM
UNEXPECTED_EXCEPTION Webtier.selfservice.com XX.XX,XX.XX system.com.rsa.command.CommandServerEngine com.rsa.ims.sso.service.CheckAccessCommand
com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
On the Authentication Manager server System Activity Report (Reporting > Reports > Add New or Manage Existing), the following errors are shown:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERRORcom.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by:
com.rsa.common.SystemException: Unable to perform pre-Login process... Caused by: java.net.UnknownHostException: XX.XX.XX.XX:XXXX: invalid IPv6 address at
java.net.InetAddress.getAllByName(InetAddress.java:1170) at java.net.InetAddress.getAllByName(InetAddress.java:1127) at java.net.InetAddress.getByName(InetAddress.java:1077) at
com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:160) at com.rsa.ims.sso.service.SSOPreLoginCommand.performExecute(SSOPreLoginCommand.java:280)
The error seems to be an issue with the X-forward related configuration on the load balancer.
The RSA Authentication Manager Server does not expect that the request from the firewall will be sent in the format<IP Address>:<Port> in the header; rather it expects the request contain only the IP address, that is <IP Address>
To resolve the issue, remove x-forwarded-for header which is a comma-separated list of IP:port from the load balancer configuration.