VMware Workspace ONE Community
bajiip
Contributor

Getting Access denied (Access Policy not found) when exposing vIDM through Reverse proxy (Azure App Gateway) - Without UAG

Experts,

I am new to VMware. I am exposing (to external) the vIDM server through a reverse proxy (Azure App Gateway) without UAG. My vIDM is authenticated against the Keycloak server using SAML. I have defined the policy to access vIDM from all devices and from all network ranges. It works fine when I access the internal URL of the vIDM. But when I access my external URL (vIDM URL through Azure App Gateway) through a browser, I am getting the "Access Denied" "Access Policy not found." error. Can anyone share your ideas for this issue?

Is there any place to check the log files for this issue? Or do I need to do more settings?

Regards,

Balamurugan

pbjork
VMware Employee

First things first: vIDM only supports one namespace, i.e. one FQDN. So there is no such thing as an internal URL vs. an external one.

The error message indicates something wrong with access policies and/or the configuration of authentication methods. Make sure you have the correct network range configured not only in access policies but also on the individual authentication method.

If you could upload a couple of screenshots of the access policies and authN method, it would be easier to help.

bajiip
Contributor

Thanks pbjork for your reply.

I found the reason for the issue. But I don't have any solution. Please share your thoughts if you faced this issue earlier.

In general, we are trying to expose the vIDM URL outside (accessible through the internet) through Azure App Gateway. When we do that, we are able to access the vIDM admin console but not able to access the Workspace ONE portal. Below is the technical issue for that. It is blocked by the vIDM policy.

Cannot find applicable access policy for the request

The IP of the client was identified as xxx.xxx.xxx.22054891, while it should be xxx.xxx.xxx.220:54891 in IP:PORT format; the colon was missing.

As we are using App Gateway, initially we thought it was an App Gateway issue. But the Microsoft team confirmed that it is not a Microsoft (Azure App Gateway) issue. It is sending the X-Forwarded-For in IP:Port format. Now our question is: as VMware is using the Apache server, is there any module that is truncating the split character? We saw an article about this Remote IP in Tomcat. Is this module used in VMware, and if yes, do you have any workaround for this? We need your help to fix this issue.

"Tomcat has a module called Remote IP Valve that will replace the client IP with the value found in X-Forwarded-For. However, this does not seem to work, most likely because there is a port number included in the XFF header in addition to the IP."

Regards,

Balamurugan

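For the IP:PORT problem described in the reply above, here is an added example (not vIDM's, Tomcat's or Azure App Gateway's code) of how a service behind a reverse proxy can parse X-Forwarded-For without losing the client address: each hop is split into host and optional port, the rightmost hop not in an assumed `trusted_proxies` set (the gateway's own addresses) is taken as the client, and a value that is not a valid IP fails closed instead of being guessed at. All addresses are constructed sample values from documentation ranges.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Constructed sample header values, modelled on the IP:PORT pattern reported above.
SAMPLE_HEADERS = {
    "ipv4_with_port": "203.0.113.220:54891",
    "ipv4_plain": "203.0.113.220",
    "ipv6_bracketed_port": "[2001:db8::10]:54891",
    "ipv6_plain": "2001:db8::10",
    "chain": "203.0.113.220:54891, 10.0.0.5",   # client, then an internal proxy hop
    "colon_lost": "203.0.113.22054891",         # the corrupted form seen in the log
}


def split_host_port(entry: str) -> tuple[str, Optional[int]]:
    """Split one XFF hop into (host, port); port is None when absent or non-numeric."""
    entry = entry.strip()
    if entry.startswith("["):                    # bracketed IPv6: [addr]:port or [addr]
        host, _, rest = entry[1:].partition("]")
        port_s = rest[1:] if rest.startswith(":") else ""
        return host, (int(port_s) if port_s.isdigit() else None)
    if entry.count(":") == 1:                    # exactly one colon: IPv4:port
        host, _, port_s = entry.partition(":")
        return host, (int(port_s) if port_s.isdigit() else None)
    return entry, None                           # bare IPv4, or bare IPv6 (many colons)


def client_ip_from_xff(header: str, trusted_proxies: set[str]) -> Optional[str]:
    """Return the originating client IP from an X-Forwarded-For value.

    Hops are walked right to left so that only the entries appended by proxies we
    trust are skipped; an entry that does not parse as an IP (e.g. the colon was
    dropped and the port fused into the address) yields None rather than a bogus IP.
    """
    for raw in reversed(header.split(",")):
        host, _port = split_host_port(raw)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None                          # malformed hop: fail closed
        if str(ip) not in trusted_proxies:
            return str(ip)
    return None                                  # every hop was one of our own proxies


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:20s} {value!r:40s} -> {client_ip_from_xff(value, {'10.0.0.5'})}")
```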
avanish321
Expert

Is it possible to forward the data without the port number? As far as I can tell, we only need the source IP for audit events or verification of the client IP.

As per X-Forwarded-For - Wikipedia, the standard is to include just the IP address in the header.

I also see a similar question has been asked in the Azure forums:

Support for dropping port out of x-forwarded-for header – Customer Feedback for Microsoft Azure

Azure Application Gateway x-forwarded-for remove port information – Customer Feedback for Microsoft ...

Cheers! Avanish