6.4.11 Sample Identity Injection Policy

One of the common uses of an Identity Injection policy is to differentiate between internal users and external users. Web servers that have been configured for this logic can then display one set of pages to internal users and another set of pages to external users. The following sample policy is based on an environment that has the following characteristics:

  • The web server has been configured to look for a custom tag called IPAddress and to differentiate between internal IP addresses and external IP addresses.

  • The internal customers have NAT IP addresses.

  • The protected resource is a page called mycompany.html. This page is a public protected resource (no authentication required) because the IP address of the client is available before authentication.

To configure your site for this type of policy:

  1. Click Policies > Policies.

  2. Select the policy container.

  3. Click New, specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  4. In the Actions section, click New > Inject into Custom Header.

  5. Specify the following details:

    Custom Header Name: Specify IPAddress in the text box.

    Value: Select Client IP.

    The other fields do not need to be modified. Your policy must look similar to the following:

  6. Click OK > OK > Apply Changes.

  7. Assign the policy to the mycompany.html page of the web server. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

  8. In the Protected Resource List, select the protected resource for the page or click New to create one, then specify a name for it.

  9. In the URL Path List, ensure that the path ends with the name of the page. For example:

    /mycompany.html

  10. Click Identity Injection, select the name of the IP address policy, then click Enable.

  11. Click Configuration Panel > OK.

  12. On the Configuration page, click OK, then click Update.

  13. Configure the web server to use the IPAddress values in the custom header to distinguish between external and internal customers.

    In this sample scenario, the web server is configured to recognize IP addresses starting with 10. as internal customers and all other addresses as external customers.
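One way to implement the web server side of step 13, as an added example that is not part of the product documentation: a small Python WSGI application that reads the injected IPAddress header and treats 10.0.0.0/8 as internal. The WSGI framing, the names `classify`, `app` and `GATEWAY_PEERS`, and the gateway address 192.0.2.10 are assumptions made for illustration. The header is honoured only when the connection comes from the Access Gateway, because a client that can reach the web server directly could otherwise send its own IPAddress header.

```python
import ipaddress

# "Starts with 10." from the sample scenario, expressed as a network so that
# values such as "100.1.1.1" or "10.evil.example" are not misclassified.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumption: address the Access Gateway uses to connect to this web server
# (constructed value from the documentation range).
GATEWAY_PEERS = {"192.0.2.10"}


def classify(environ):
    """Return 'internal' or 'external' for a WSGI request environment."""
    # Ignore the header unless the TCP peer is the Access Gateway itself.
    if environ.get("REMOTE_ADDR") not in GATEWAY_PEERS:
        return "external"
    # WSGI exposes the custom header "IPAddress" as HTTP_IPADDRESS.
    raw = environ.get("HTTP_IPADDRESS", "").strip()
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # Missing, malformed or multi-valued header: fall back to external.
        return "external"
    return "internal" if addr in INTERNAL_NET else "external"


def app(environ, start_response):
    """Serve the internal or external variant of mycompany.html."""
    audience = classify(environ)
    body = f"<h1>mycompany.html ({audience} view)</h1>".encode()
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Constructed sample requests: (peer address, injected header value).
    samples = [("192.0.2.10", "10.4.5.6"), ("192.0.2.10", "198.51.100.20"),
               ("203.0.113.7", "10.4.5.6")]
    for peer, hdr in samples:
        env = {"REMOTE_ADDR": peer, "HTTP_IPADDRESS": hdr}
        print(peer, hdr, "->", classify(env))
```

Any request that does not carry a valid gateway-injected value is served the external view, so a failure in the policy or the header never exposes the internal pages.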