CyberArk Sentry – PAM — Question 57
As a member of a PAM Level-2 support team, you are troubleshooting an issue related to load balancing four PVWA servers at two data centers. You received a note from your Level-1 support team stating: “When testing the PVWA website from a workstation, we noticed that the ‘Source IP of last sign-in’ was shown as the VIP (Virtual IP address) assigned to the four PVWA servers instead of the workstation IP where the PVWA site was launched from.”
Which step should you take?
Answer options
- A. Verify the “LoadBalancerClientAddressHeader” parameter setting in PVWA configuration file Web.config is set to “X-Forwarded-For”.
- B. Add the VIP (Virtual IP address) assigned to the four PVWA servers to the certificates issued for all four PVWA servers, if missing.
- C. Add a firewall rule to allow the testing workstation to connect to the VIP (Virtual IP address) assigned to the four PVWA servers on Port TCP 443.
- D. Edit the dbparm.ini file on the Vault server and add the IP or subnet of the workstation to the whitelist.
Correct answer: A
Explanation
The correct answer is A. Behind the load balancer, PVWA sees each connection as coming from the VIP, which is why the last sign-in shows the VIP as the source IP. Setting 'LoadBalancerClientAddressHeader' to 'X-Forwarded-For' lets the PVWA servers take the original workstation IP from that header instead of the VIP. Options B and C do not address the underlying issue of IP recognition, and option D is irrelevant because it pertains to whitelisting rather than load-balancing configuration.