Administration Guide › Integrating the SPS with SiteMinder › How the SPS Interacts with SiteMinder › Avoiding Policy Conflicts with Destination Server Web Agents

Avoiding Policy Conflicts with Destination Server Web Agents

In some deployments, when the SPS is running in proxy trust mode, the SPS can protect resources from one set of users, while a Web Agent on a destination server protects the same resources from another set of users.

In the following illustration, Destination Server 2 has its own Web Agent. Extranet users are authenticated and authorized at the SPS, while Intranet users are authenticated and authorized through the Web Agent on the destination server. In such situations policies must exist in SiteMinder policy store for the embedded SPS Web Agent and the Web Agent on the destination server.

Note: When creating policies, administrators must be sure that the policies do not conflict with each other. If policies contradict one another, it is possible that SiteMinder may allow unwanted or unexpected behavior.

To correctly create policies and other required SiteMinder objects for the resources contained on Destination Server 2, the following objects could be created in SiteMinder:

• SPS Web Agent
• Destination server 2 Web Agent
• Realm using the SPS Web Agent
• Realm using the destination server 2 Web Agent
• Rule for resources accessed through the SPS Web Agent
• Rule for resources accessed through the destination server 2 Web Agent
• Policy for SPS web agent resources
• Policy for destination server 2 Web Agent resources

The following illustration shows how two policies must be created to protect a single resource when Compatibility Mode is used in environments that include both the SPS and Web Agents.

In the preceding illustration, the rules and realms for the same resources may have different paths based on the location of the resources on the destination server and the proxy rules used to forward requests.

For example, using the sample configuration in the preceding illustration, a resource called banking.html may be located on Destination Server 2 in the server2.company.com/start/banking/ directory, but the SPS may have proxy rules that forward all requests for www.company.com/banking/banking.html to the same destination on Server 2. Therefore, the same resource can have two different SiteMinder rules that represent the same resource. One rule authorizes access to the resource directly for employees on the intranet, and the other authorizes employees on the road who want to access the same resource from the extranet.