Avoiding Policy Conflicts with Destination Server Web Agents

In some deployments, when the SPS is running in proxy trust mode, the SPS can protect a set of resources for one population of users while a Web Agent on the destination server protects the same resources for another population of users.

In the following illustration, Destination Server 2 has its own Web Agent. Extranet users are authenticated and authorized at the SPS, while Intranet users are authenticated and authorized by the Web Agent on the destination server. In such situations, policies must exist in the SiteMinder policy store for both the embedded SPS Web Agent and the Web Agent on the destination server.

Note: When creating policies, administrators must be sure that the policies do not conflict with each other. If policies contradict one another, SiteMinder may allow unwanted or unexpected behavior.

To correctly create policies and other required SiteMinder objects for the resources contained on Destination Server 2, the following objects could be created in SiteMinder:

The following illustration shows how two policies must be created to protect a single resource when Compatibility Mode is used in environments that include both the SPS and Web Agents.

In the preceding illustration, the rules and realms for the same resources may use different paths, because the path depends on where the resource resides on the destination server and on the proxy rules that forward requests to it.

For example, using the sample configuration in the preceding illustration, a resource called banking.html may be located on Destination Server 2 in the server2.company.com/start/banking/ directory, while the SPS has proxy rules that forward all requests for www.company.com/banking/banking.html to that same location on Server 2. Therefore, two different SiteMinder rules can represent the same resource: one authorizes employees on the intranet to access the resource directly, and the other authorizes employees on the road who access the same resource from the extranet through the SPS.
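The two-path situation above is easy to get wrong when realms are edited on only one side. The following checker is an added example, not code from this page or from the SiteMinder product: it uses a simplified, constructed model of a proxy rule (source host and path prefix rewritten to a destination host and prefix) and of a realm (agent, host, resource filter, protected flag). It resolves an external URL through the proxy rule, finds the realm each agent would apply, and reports when one side lacks coverage or the two sides disagree on protection. The agent names (sps-agent, server2-agent), the realm names, the /banking/public/ path and the data classes are assumptions for illustration, not SiteMinder objects or APIs.

```python
"""Constructed model of the two-agent arrangement on this page: an SPS proxy rule
rewrites www.company.com/banking/... to server2.company.com/start/banking/..., and
two realms (one per Web Agent) must both cover the same file. This is an added
example with simplified, assumed structures; it is not SiteMinder's data model."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyRule:
    # Requests for source_host whose path starts with source_prefix are forwarded
    # to dest_host with the prefix rewritten to dest_prefix (simplified model).
    source_host: str
    source_prefix: str
    dest_host: str
    dest_prefix: str


@dataclass(frozen=True)
class Realm:
    # agent: the Web Agent the realm belongs to; resource_filter: path prefix the
    # realm covers; protected: whether the realm's default is "protected".
    name: str
    agent: str
    host: str
    resource_filter: str
    protected: bool


def forward(url, rules):
    """Apply the first matching proxy rule; return the destination URL or None."""
    parts = urlsplit(url)
    for rule in rules:
        if parts.hostname == rule.source_host and parts.path.startswith(rule.source_prefix):
            rest = parts.path[len(rule.source_prefix):]
            return f"{parts.scheme}://{rule.dest_host}{rule.dest_prefix}{rest}"
    return None


def matching_realm(agent, url, realms):
    """Longest-prefix realm of the given agent whose filter covers the URL path."""
    parts = urlsplit(url)
    candidates = [r for r in realms
                  if r.agent == agent and r.host == parts.hostname
                  and parts.path.startswith(r.resource_filter)]
    return max(candidates, key=lambda r: len(r.resource_filter), default=None)


def check_policy_consistency(external_url, rules, realms, sps_agent, dest_agent):
    """Resolve the external URL through the proxy, then compare the realm the SPS
    agent applies to the external path with the realm the destination agent
    applies to the rewritten path. Returns a list of findings (empty = consistent)."""
    findings = []
    internal_url = forward(external_url, rules)
    if internal_url is None:
        return [f"no proxy rule forwards {external_url}"]
    sps_realm = matching_realm(sps_agent, external_url, realms)
    dest_realm = matching_realm(dest_agent, internal_url, realms)
    if sps_realm is None:
        findings.append(f"no {sps_agent} realm covers {external_url}")
    if dest_realm is None:
        findings.append(f"no {dest_agent} realm covers {internal_url}")
    if sps_realm and dest_realm and sps_realm.protected != dest_realm.protected:
        findings.append(
            f"protection mismatch: {sps_realm.name} protected={sps_realm.protected}, "
            f"{dest_realm.name} protected={dest_realm.protected}")
    return findings


# Constructed sample data mirroring the page's example plus one deliberate conflict:
# a narrower, unprotected realm exists only on the destination side.
RULES = [ProxyRule("www.company.com", "/banking/", "server2.company.com", "/start/banking/")]
REALMS = [
    Realm("extranet-banking", "sps-agent", "www.company.com", "/banking/", True),
    Realm("intranet-banking", "server2-agent", "server2.company.com", "/start/banking/", True),
    Realm("intranet-banking-public", "server2-agent", "server2.company.com",
          "/start/banking/public/", False),
]

if __name__ == "__main__":
    for url in ("http://www.company.com/banking/banking.html",
                "http://www.company.com/banking/public/index.html"):
        print(url, "->", check_policy_consistency(url, RULES, REALMS, "sps-agent", "server2-agent") or "consistent")
```

Running the module reports banking.html as consistent (both realms protected) and flags the constructed /banking/public/ path, where the SPS realm is protected but the destination agent's more specific realm is not. A real review would use the realms and proxy rules exported from the policy store and the SPS configuration in place of the constructed lists.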