RSA Self Service Web Tier Behind A Cloud WAF

Question asked by Jeff Smith on Nov 2, 2017

Hello,

We have RSA Self Service web tier deployed in our DMZ, allowing temporary token generation.

I am working on adding a cloud WAF (Incapsula) in front of the RSA web tier. When deployed behind the WAF, I can get the initial page, but when I click "Troubleshoot SecurID token" it generates an error. The RSA logs are showing: "The authentication request was routed through a load balancer/Proxy server that is not recognized by the system".

I did a little research on this and it looks like I am supposed to supply all possible proxy IPs in the RSA configuration? It looks like there is a maximum of two? Since Incapsula is a cloud WAF, there are literally thousands of possible proxy source IP addresses.

Do you have any input on how I can get this working? How does the RSA web tier even know it's being accessed behind a proxy? Does it look for the existence of the X-Forwarded-For header?

Thank you,

Jeff
