By default, the web agent labeled Client IP Validation (Tab: Application, Name: com.sun.identity.agents.config.client.ip.validation.enable) is not enabled.
If you enable this property, client IP address validation is enforced for each incoming request that contains an SSO token. If the IP address from which the request was generated does not match the IP address issued for the SSO token, the request is denied. This is essentially the same as enforcing a deny policy.
This feature should not be used, however, if the client browser uses a web proxy or if a load balancer exists somewhere between the client browser and the agent-protected deployment container. In such cases, the IP address appearing in the request will not reflect the real IP address on which the client browser runs.