I'm not an F5 guy, so take this for what it's worth... my network guys are telling me that our internet-facing F5 is configured with a "SNAT pool" consisting of three IP addresses. Traffic from the F5 to the WebTier server can come in from any of these three IP addresses. However, RSA only allows me to configure TWO IP addresses.
This results in some very inconsistent behavior in the WebTier self-service console, and tons of log errors in the WebTier like:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
[[ We're also having high-CPU spikes on the WebTier server (which may be unrelated to the load balancer config) which cause our primary AuthMgr to lock-up on occasion. ]]
Is anyone else having similar issues? Know of any work-arounds that DON'T require re-doing load balancer configurations across the enterprise?
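As an added diagnostic example (not from the poster, RSA, or F5), the script below ties the two symptoms in the question together: it lists which SNAT pool members are missing from the WebTier's trusted-proxy list, estimates how often a connection will land on one of them, and counts the "not recognized" rejections per source address in a log excerpt. The pool addresses, the log prefix format and the `src=` field are constructed for this example; only the exception text is taken verbatim from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed example addresses (hypothetical): the three-member F5 SNAT pool the
# network team described, and the two addresses the WebTier let the admin enter.
F5_SNAT_POOL = ["10.20.30.1", "10.20.30.2", "10.20.30.3"]
WEBTIER_TRUSTED_PROXIES = ["10.20.30.1", "10.20.30.2"]

# Exception text exactly as it appears in the WebTier log quoted in the thread.
UNRECOGNIZED_PROXY_MSG = (
    "Access denied. The authentication request was routed through a load "
    "balancer/Proxy server that is not recognized by the system."
)


def unrecognized_snat_addresses(snat_pool, trusted):
    """SNAT pool members the WebTier will reject as an unknown proxy.

    Every request the F5 happens to source from one of these addresses fails
    with the 'not recognized' SystemException, so the console works or breaks
    depending on which pool member the F5 picked for that connection.
    """
    pool = {str(ip_address(a)) for a in snat_pool}
    ok = {str(ip_address(a)) for a in trusted}
    return sorted(pool - ok, key=ip_address)


def expected_failure_fraction(snat_pool, trusted):
    """Rough share of connections that will fail if the F5 spreads SNAT
    evenly across the pool (an assumption about the F5's SNAT selection)."""
    bad = unrecognized_snat_addresses(snat_pool, trusted)
    return len(bad) / len(set(snat_pool))


# Constructed log excerpt. The "<date> <level> src=<ip>" prefix is an assumed
# format for this example, not the real WebTier layout; the exception lines
# are the ones quoted in the question.
SAMPLE_WEBTIER_LOG = """\
2016-05-10 09:14:02 ERROR src=10.20.30.3 com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
2016-05-10 09:14:02 ERROR src=10.20.30.3 Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
2016-05-10 09:14:05 INFO  src=10.20.30.1 self-service request completed
2016-05-10 09:14:09 INFO  src=10.20.30.2 self-service request completed
2016-05-10 09:14:11 ERROR src=10.20.30.3 com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
2016-05-10 09:14:11 ERROR src=10.20.30.3 Caused by: com.rsa.common.SystemException: Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def unrecognized_proxy_errors_by_source(log_text):
    """Count 'not recognized' rejections per source address in the log.

    Returns a dict {source_ip: count}. If every key is a SNAT pool member that
    is missing from the trusted list, the load balancer configuration (not the
    WebTier itself) is the cause.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if UNRECOGNIZED_PROXY_MSG not in line:
            continue
        m = SRC_RE.search(line)
        counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


def diagnose(log_text, snat_pool, trusted):
    """True when every rejecting source in the log is an unconfigured SNAT
    member, i.e. the log evidence is fully explained by the mismatch."""
    errors = unrecognized_proxy_errors_by_source(log_text)
    missing = set(unrecognized_snat_addresses(snat_pool, trusted))
    return bool(errors) and set(errors) <= missing


if __name__ == "__main__":
    print("SNAT members not trusted by WebTier:",
          unrecognized_snat_addresses(F5_SNAT_POOL, WEBTIER_TRUSTED_PROXIES))
    print("expected failure fraction: %.2f"
          % expected_failure_fraction(F5_SNAT_POOL, WEBTIER_TRUSTED_PROXIES))
    print("rejections by source:",
          unrecognized_proxy_errors_by_source(SAMPLE_WEBTIER_LOG))
    print("explained by SNAT/trusted-proxy mismatch:",
          diagnose(SAMPLE_WEBTIER_LOG, F5_SNAT_POOL, WEBTIER_TRUSTED_PROXIES))
```

With one of three pool members untrusted, roughly a third of connections hit the rejection, which matches the "very inconsistent" behaviour described: the same user action succeeds or fails depending on which SNAT address the F5 picked. If the rejecting sources in your real logs are exactly the untrusted pool members, the fix is on the proxy-list side (or the SNAT side), not in the WebTier itself.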
There is a KB on this:
000033954 - How to configure more than two IP addresses for an RSA Authentication Manager 8.2 Web Tier Virtual Host
It's a file hack to add the third IP address for the F5 SNAT. Chris Salvati figured this one out.