We have RSA Self Service web tier deployed in our DMZ, allowing temporary token generation.
I am working on adding a cloud WAF (Incapsula) in front of the RSA web tier. When deployed behind the WAF, I can get the initial page, but when I click "Troubleshoot SecurID token" it generates an error. The RSA logs are showing: "The authentication request was routed through a load balancer/Proxy server that is not recognized by the system".
I did a little research on this and it looks like I am supposed to supply all possible proxy IPs in the RSA configuration? It looks like there is a maximum of two? Since Incapsula is a cloud WAF, there are literally thousands of possible proxy source IP addresses.
Do you have any input on how I can get this working? How does the RSA web tier even know it's being accessed behind a proxy? Does it look for the existence of the X-Forwarded-For header?