Verify IP Addresses

Resolve Agent Identity by IP Address
On virtual web servers, when IP addresses and host names are used to resolve the Agent name, the Web Agent can potentially use an incorrect value for AgentName to evaluate the request. This situation would allow unauthenticated users to access protected resources.
You can force the Web Agent to resolve the Agent name based on the physical IP address of the virtual server, with the following parameter:
UseServerRequestIp
Instructs the Web Agent to resolve the AgentName according to the physical IP address of a virtual web server. Use this parameter to increase security if a web server uses IP addresses for virtual server mappings. If this parameter is set to no, the Web Agent resolves the AgentName according to the host name in the HTTP Host header of the client's request.
For Domino servers, this parameter is supported only for Domino 6.x. If this parameter is enabled for an Agent on other Domino versions, the Web Agent uses the default Agent name.
For IIS Web Agents configured for SSL communication and virtual hosts, you must set this parameter to yes. IIS does not allow virtual host mappings using host names with SSL enabled.
For Apache Servers, configure the “UseCanonicalName” and “ServerName” parameters to allow the AgentName mappings based on the IP:PORT of the Agent. For more information, see Apache Web Server Settings.
To resolve a Web Agent's identity using the IP Address, set the UseServerRequestIp parameter to yes.
Compare IP Addresses to Prevent Security Breaches
An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent a breach of security by an unauthorized system, you can enable or disable IP checking with persistent and transient cookies.
The IP checking feature requires the agent to compare the IP address stored in a cookie from the last request against the IP address contained in the current request. If the IP addresses do not match, the agent rejects the request.
The two parameters that are used to implement IP checking are PersistentIPCheck and TransientIPCheck. Set them as follows:
  • If you enabled PersistentCookies, set PersistentIPCheck to yes.
  • If you did not enable PersistentCookies, set TransientIPCheck to yes.
CA Single Sign-On identity cookies are unaffected by IP checking.
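The comparison described above can be modeled as follows. This is an added example, not the Web Agent's own code: the cookie layout, the HMAC key, and the function names are assumptions made for illustration, and the model assumes that PersistentIPCheck applies only when PersistentCookies is enabled and TransientIPCheck applies otherwise.

```python
import hashlib
import hmac
import ipaddress

# Constructed key for this example only; a real agent protects cookies with its own keys.
KEY = b"example-only-key"


def _mac(payload: str) -> bytes:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, client_ip: str) -> str:
    """Store the IP address of the request that created the session in the cookie."""
    payload = f"{user}|{ipaddress.ip_address(client_ip).compressed}"
    return f"{payload}|{_mac(payload).decode()}"


def ip_check_enabled(cfg: dict) -> bool:
    """Pick the parameter that matches the cookie type in use (model assumption)."""
    if cfg.get("PersistentCookies", "no") == "yes":
        return cfg.get("PersistentIPCheck", "no") == "yes"
    return cfg.get("TransientIPCheck", "no") == "yes"


def evaluate(cookie: str, request_ip: str, cfg: dict) -> str:
    """Return 'accept' or a 'reject: ...' reason for one incoming request."""
    try:
        user, stored_ip, mac = cookie.split("|")
    except ValueError:
        return "reject: malformed cookie"
    # Without integrity protection a client could rewrite the stored address.
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{stored_ip}")):
        return "reject: cookie integrity"
    if not ip_check_enabled(cfg):
        return "accept"
    try:
        # Compare parsed addresses so equivalent spellings of one IP still match.
        same = ipaddress.ip_address(stored_ip) == ipaddress.ip_address(request_ip)
    except ValueError:
        return "reject: unparseable address"
    return "accept" if same else "reject: ip mismatch"


if __name__ == "__main__":
    cfg = {"PersistentCookies": "no", "TransientIPCheck": "yes"}
    cookie = issue_cookie("alice", "192.0.2.10")  # constructed sample values
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "->", evaluate(cookie, ip, cfg))
```

In this model, a configuration that enables PersistentCookies but sets only TransientIPCheck leaves persistent cookies unchecked, which is the mismatch the two list items above guard against.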