How To Configure CCP Loadbalancing

This document provides instructions for configuring an F5 load balancer to load balance CyberArk CCP servers using SNAT proxy and preserving the original client source IP address by using the X-Forwarded-For HTTP header. It describes configuring the F5 load balancer and modifying the CCP server web.config file to include trusted proxy addresses.

Uploaded by

Eng Keen

Title

How to configure CCP Load-Balancing with an F5 load-balancer using a SNAT Proxy and X-Forwarded-For
URL Name
How-to-configure-CCP-Load-Balancing-with-an-F5-load-balancer-using-a-SNAT-Proxy
Community Article URL
https://cyberark-customers.force.com/s/article/How-to-configure-CCP-Load-Balancing-with-an-F5-load-balancer-using-a-SNAT-Proxy
Article Number
000010226
Product
 
Component
 
Internal Only Reason
Solution applies to a particular customer only
Introduction
Customers use F5 load balancers in front of their CyberArk CCP servers. The load balancer can be configured as a
transparent proxy, which preserves the original source IP address of the client requesting credentials when the
request arrives at the CCP. However, the F5 load balancer can also be configured with a proxy that terminates the
connection, so the source IP presented to the CCP servers is that of the F5 VIP address.
 
If customers restrict access to their CCP application in the PVWA by source IP, receiving the F5 VIP address
instead of the client's address becomes problematic. The following two steps are therefore required to provide the
original client's source IP address to the CCP:
 
- Configure the F5 Load-Balancer to use the X-Forwarded-For (XFF) HTTP header to preserve the original client IP
address for traffic translated by a SNAT object
 
- Configure the CCP servers "web.config" file to set the "TrustedProxies" parameter to include the proxies utilized
by the F5 load-balancer so it can resolve the original source IP provided in the XFF HTTP header
Step-by-step instructions
 
1. Configure the F5 Load-Balancer to use the X-Forwarded-For (XFF) HTTP header to preserve the
original client IP address for traffic translated by a SNAT object:
 
Link: https://support.f5.com/csp/article/K4816
 
2. Update the "TrustedProxies" configuration line in the "web.config" of each CCP server to contain the
SNAT proxy addresses used by the F5 Load-Balancer:
 
<!-- Set Trusted proxies ip list (Part of a feature that support ip-auth for machines behind proxies )-->
<add key="TrustedProxies" value="<SNAT_Proxy_IP1>,<SNAT_Proxy_IP2>"/>
 
Note: The "SNAT_Proxy_IP" IS NOT the F5 Load-balancer VIP. You can find the proxies utilized in the F5
CCP Load-Balancer configuration in the following locations:
 
You must then locate the SNAT Pool in F5 to find the SNAT Proxy IP addresses:

3. After modifying the "web.config" file in Notepad run as administrator, save the file and run
"iisreset" on the CCP server.
 
Link: https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/CCP/Load-Balancing-the-Central-Credential-Provider.htm#Allowedmachinesauthentication
 
4. Validate that you can retrieve a credential from the Vault through the CCP load balancer while
your application is restricted to your client source IP address in the PVWA, using the "Allowed Machines"
section of your application.
 
Link: https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-CP/Latest/en/Content/Common/Adding-Applications.htm#Step3Addallowedmachines
 
If retrieval succeeds, it is because the "TrustedProxies" parameter in the CCP's "web.config" file
tells the IIS application to take the original source IP from the XFF header when an HTTP request
arrives from one of the specified proxy addresses.
 
Note: The CCP does not attempt to resolve the true originating source IP in any of the following
scenarios; it follows the default behavior, where the IP is taken from the TCP packet header:
 
- The TrustedProxies list is not set
- The received request does not include an X-Forwarded-For header
- The received request includes an X-Forwarded-For header, but the header fails to parse
- The source IP of the received request is not in TrustedProxies
- The received request has an X-Forwarded-For header that includes more than one IP
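
The fallback rules in the note above, written out as a small model you can use to predict which address the "Allowed Machines" check will see for a given request. This is an added example, not CyberArk code; the function names, the sample "web.config" fragment and the documentation-range IP addresses are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: appSettings fragment of a CCP web.config (documentation-range IPs).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="TrustedProxies" value="192.0.2.10,192.0.2.11"/>
  </appSettings>
</configuration>"""


def load_trusted_proxies(web_config_xml):
    """Return the TrustedProxies entries as a set of parsed IP addresses."""
    root = ET.fromstring(web_config_xml)
    for node in root.iter("add"):
        if node.get("key") == "TrustedProxies":
            raw = node.get("value", "")
            # ip_address() raises ValueError on a leftover placeholder or a typo.
            return {ipaddress.ip_address(p.strip()) for p in raw.split(",") if p.strip()}
    return set()  # key absent: the TrustedProxies list is not set


def effective_client_ip(tcp_source, xff_header, trusted):
    """Model of the documented rules: the IP that is matched against Allowed Machines."""
    peer = ipaddress.ip_address(tcp_source)
    if not trusted:              # TrustedProxies list is not set
        return peer
    if xff_header is None:       # request carries no X-Forwarded-For header
        return peer
    if peer not in trusted:      # sender is not a trusted proxy, so its XFF is ignored
        return peer
    if "," in xff_header:        # XFF includes more than one IP
        return peer
    try:
        return ipaddress.ip_address(xff_header.strip())
    except ValueError:           # XFF header failed to parse
        return peer


if __name__ == "__main__":
    proxies = load_trusted_proxies(SAMPLE_WEB_CONFIG)
    # Request relayed by a trusted SNAT address with a single-IP XFF header.
    print(effective_client_ip("192.0.2.10", "198.51.100.7", proxies))
```

In every fallback case the address compared with "Allowed Machines" is the TCP peer, which for load-balanced traffic is a SNAT address rather than the client.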
Internal Instructions
 
Vendor specific KB - made internal only as we cannot support/instruct on products outside our control
