Installation and Upgrade Guides › Agent for IIS Installation Guide › Install an Agent for IIS on Windows Operating Environments › How to Install and Configure an Agent for IIS

How to Install and Configure an Agent for IIS

Installing and configuring the agent for IIS involves several separate procedures. To install and configure the Agent for IIS, use the following process:

1. If you are deploying the Agent for IIS to an IIS server farm, review the following topics:
   • IIS 7.x web server shared configuration.
   • How web agent logs and trace logs work with shared configuration.
2. Gather the information for the installation program.
3. Run the wizard based installation program.
4. Gather the information for the configuration program.
5. Run the wizard based configuration program.
6. Verify that the ISAPI Filter is First in the List When Using Classic Pipeline Mode
7. (Optional) Install and configure additional Agents for IIS silently.
8. (Optional) Add or remove SiteMinder protection from virtual sites on IIS web servers silently.
9. Determine if your Agent for IIS requires any manual configuration steps.

IIS 7.x Web Server Shared Configuration and the Agent for IIS

IIS 7.x web servers support shared configurations that streamline the configuration process for an IIS a server farm.

The Agent for IIS can protect resources on IIS server farms that use the shared configuration feature of IIS 7.x.

Note: This feature works only with the SiteMinder r12.5 Agent for IIS 7. Older versions of the SiteMinder Web Agent do not support this feature.

IIS 7.x uses network shares to propagate the configuration information across the server farm. The SiteMinder r12.5 Agent for IIS, however, cannot operate on network shares. Using a SiteMinder r12.5 Agent for IIS on an IIS server farm involves several separate procedures.

For example, suppose you have three IIS 7.x web servers, with all of them using a shared configuration. Web server number one is your primary web server, which contains the configuration information for the farm. Web servers 2 and 3 are nodes that connect to the network share on web server one to read the configuration information.

The entire installation and configuration process for using the SiteMinder Agent for IIS on all three IIS 7.x web servers is described in the following illustration:

How Web Agent Logs and Trace Logs Work with IIS 7.x Web Server Shared Configuration

For SiteMinder Agents for IIS running on an IIS server farm, create duplicate log and trace file directories on each node if all the following conditions are true:

• Your Agent for IIS log and trace log directories are specified in an Agent Configuration Object on the Policy Server (not in a local configuration file).
• Any of the SiteMinder Agents for IIS in your IIS 7.x web servers in the server farm share the same Agent Configuration object
• Your Agent for IIS log file and trace log directories specified in the shared Agent Configuration Object are different than the following default settings:
  • web_agent_home\win32\log (for Windows IIS 7.x 32-bit)
  • web_agent_home\win64\log (Windows IIS 7.x 64-bit)

If all of the previous conditions exist in your server farm, use the following process to enable your Web Agent logs and trace logs:

1. Create a custom log directory on the IIS 7.x web server that contains the shared configuration for the farm.
2. Grant the application pool identities associated with your protected resources the following permissions to the custom directory on the previous IIS 7.x web server.
   • Read
   • Write
3. Create the same custom log directory on a IIS 7.x web server node in the farm.
4. Grant the application pool identities associated with your protected resources the following permissions to the custom directory on the a IIS 7.x web server node in the farm.
   • Read
   • Write
5. Repeat steps 3 and 4 on all other nodes in your server farm.

For example, suppose you have three IIS 7.x web servers, with all of them using a shared configuration. Web server number one is your primary web server, which contains the configuration information for the farm. Web servers 2 and 3 are nodes that connect to the network share on web server one to read the configuration information.

The entire process for configuring these logs is described in the following illustration:

Gather Information for the Agent Installation Program

Before running the installation program for the SiteMinder Agent for IIS on the Windows operating environment, gather the following information about your web server:

Installation Directory

Specifies the location of the SiteMinder agent binary files on your web server. The web_agent_home variable is set to this location.

Limit: SiteMinder requires the name "webagent" for the bottom directory in the path.

Shortcut Location

Specifies the location in your Start menu for the shortcut for the Web Agent Configuration wizard.

Run the Installation Program on Windows

The installation program for the agent installs the agent on one computer at a time using the Windows operating environment. This installation program can be run in wizard or console modes. The wizard and console-based installation programs also create a .properties file for subsequent installations and configurations using the unattended or silent method with the same settings.

For example, suppose the Agents in your environment use the same web server version, installation directory, Agent Configuration Object and Policy Servers. Use the installation wizard or console-based installation program for your first installation. Afterwards, you could create your own script to run the installation program with the .properties file the wizard or console-based installation program created.

Follow these steps:

1. Copy the Web Agent installation executable file to a temporary directory on your web server.
2. Do one of the following steps:
   • For wizard-based installations, right-click the installation executable file, and then select Run as Administrator.
   • For console-based installations, open a command line window and run the executable as shown in the following example:

     executable_file_name.exe -i console
     

3. Use the information that you gathered previously to complete the installation.

More information:

Web Agent Install Worksheet for the Windows Operating Environment

Gather Information for the Agent Configuration Program for IIS Web Servers

Before configuring a SiteMinder Agent on an IIS web server, gather the following information about your environment.

Host Registration

Indicates whether you want to register this agent as a trusted host with a Policy Server. Only one registration per agent is necessary. If you are installing the SiteMinder Agent for IIS 7.x on an IIS server farm, register all IIS agents in the farm as trusted hosts.

Limits: Yes, No

Admin User Name

Specifies the name of a SiteMinder user account that has sufficient privileges to create and register trusted host objects on the Policy Server.

Admin Password

Specifies the password that is associated with the SiteMinder user account that has sufficient privileges to create and register trusted host objects on the Policy Server.

Confirm Admin Password

Confirms the password that is associated with the SiteMinder user account that has sufficient privileges to create and register trusted host objects on the Policy Server.

Enable Shared Secret Rollover

Indicates whether the Policy Server generates a new shared secret when the agent is registered as a trusted host.

Trusted Host Name

Specifies a unique name for the host you are registering. After registration, this name appears in the list of Trusted Hosts in the Administrative UI. When configuring a SiteMinder Agent for IIS on an IIS web server farm, specify a unique name for each IIS server node on the farm. For example, if your farm uses six servers, specify six unique names.

Host Configuration Object

Indicates the name of the Host Configuration Object that exists on the Policy Server.

IP Address

Specifies the IP addresses of any Policy Servers to which the agent connects. Add a port number if you are not using the default port for the authentication server. Non-default ports are used for all three Policy Server connections (authentication, authorization, accounting).

Default: (authentication port) 44442

Example: (IPv4) 127.0.0.1,55555

Example: (IPv6) [2001:DB8::/32][:55555]

Note: If a hardware load balancer is configured to expose Policy Servers in your environment through a single Virtual IP Address (VIP), enter the VIP.

FIPS Mode Setting

Specifies one of the following algorithms:

FIPS Compatibility/AES Compatibility

Uses algorithms existing in previous versions of SiteMinder to encrypt sensitive data and is compatible with previous versions of SiteMinder. If your organization does not require the use of FIPS-compliant algorithms, use this option.

FIPS Migration/AES Migration

Allows a transition from FIPS-compatibility mode to FIPS-only mode. In FIPS-migration mode, SiteMinder environment continues to use existing SiteMinder encryption algorithms as you reencrypt existing sensitive data using FIPS-compliant algorithms.

FIPS Only/AES Only

Uses only FIPS-compliant algorithms to encrypt sensitive data in the SiteMinder environment. This setting does not interoperate with, nor is backwards-compatible with, previous versions of SiteMinder.

Default: FIPS Compatibility/AES Compatibility

Note: FIPS is a US government computer security standard that accredits cryptographic modules which meet the Advanced Encryption Standard (AES).

Important! Use a compatible FIPS/AES mode (or a combination of compatible modes) for both the SiteMinder agent and the SiteMinder Policy Server.

Name

Specifies the name of the SmHost.conf file which contains the settings the Web Agent uses to make initial connections to a SiteMinder Policy Server.

Default: SmHost.conf

Location

Specifies the directory where the SmHost.conf file is stored. On Windows 64-bit operating environments, the configuration program creates two separate files. One file supports 64-bit applications, and the other file supports 32-bit applications running on the same web server.

Default: (Windows IIS 7.x 32-bit) web_agent_home\win32\bin\IIS

Default: (Windows IIS 7.x 64-bit) web_agent_home\win64\bin\IIS

Virtual Sites

Lists the web sites on the IIS 7.x web server that you can protect with SiteMinder.

Important! Do not configure and unconfigure virtual sites at the same time. Run the wizard once to configure the sites you want, and then run the wizard again to unconfigure the sites you want.

Overwrite, Preserve, Unconfigure

Appears when the SiteMinder Agent configuration wizard detects one of the following situations:

• IIS 7.x websites that SiteMinder r12.5 already protects on a stand-alone IIS web server.
• IIS 7.x websites that SiteMinder protects on an IIS server farm using shared configuration.

Select one of the following options:

Overwrite

Replaces the previous configuration of the SiteMinder Agent with the current configuration.

Preserve

Keeps the existing configuration of your SiteMinder Agent. No changes are made to this web server instance. Select this setting for each web server node if you are configuring the SiteMinder Agent for IIS 7.x on an IIS server farm.

Unconfigure

Removes the existing configuration of a SiteMinder Agent from the web server. Any resources are left unprotected by SiteMinder.

Default: Preserve

Agent Configuration Object Name

Specifies the name of an Agent Configuration Object (ACO) already defined on the Policy Server. IIS web servers in a server farm using shared configuration support sharing a single ACO name with all IIS servers in the farm.

Default: AgentObj

More information:

SiteMinder Agent Configuration Worksheet for IIS Web Servers

Hardware Load Balancing

Run the Web Agent Configuration Wizard

After gathering the information for your Agent Configuration worksheet, run the Agent Configuration wizard. The configuration wizard creates a runtime instance of the Agent for IIS on your IIS web server.

Running the configuration wizard once creates a properties file. Use the properties file to run unattended configurations on other computers with same operating environment and settings.

Note: The configuration wizard for this version of the Agent for IIS does not support console mode.

Follow these steps:

1. Click Start, All Programs, CA, SiteMinder.

   A shortcut to the Web Agent Configuration wizard appears.

2. Right-click the shortcut, and then select Run as administrator.

   Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your SiteMinder component.

   The Web Agent Configuration wizard starts.

3. Complete the wizard.

Verify that the ISAPI Filter is First in the List When Using Classic Pipeline Mode

Applications running in classic pipeline mode require that the ISAPI filter appears first in the list of ISAPI filters. Verify the position of the ISAPI filter in the list of ISAPI filters on your IIS web server before continuing.

Follow these steps:

1. Open IIS Manager using the following steps:
   1. Click Start, Control Panel.

      The control panel opens.

   2. Click Administrative Tools, Internet Information Services (IIS) Manager.

      IIS Manager opens.

2. Verify the ISAPI filter is first in the list using the following steps:
   1. From IIS Manager, expand the following items:
      • Your web server
      • Sites
      • Default Web Site
   2. Double-click the Handler Mappings icon.
   3. Click view ordered list.
   4. Verify that the following ISAPI filter appears in the top of the list:

      handler-wa
      

3. If the ISAPI filter from Step 2d does not appear first in the list, do the following steps:
   1. Click the handler-wa ISAPI filter.
   2. Click the Move up arrow until the ISAPI filter appears first in the list.

   The ISAPI filter appears first in the list.