This section contains the following topics:
Default Settings of Web Agent Configuration Parameters
Set the AgentName and DefaultAgentName Values
Restrict Changes to Local Configuration Parameters
How to Manage Web Agent and Policy Server Communication
Manage Web Agents with Multiple Web Server Instances
Set Log Files, and Command-line Help to Another Language
The default settings for the Web Agent configuration parameters are always used unless a different value is specified.
If a parameter does not exist in the Agent Configuration Object or local configuration file, the default value is used.
The AgentName parameter specifies the identity of the agent. The Policy Server uses this identity to tie policies to a Web Agent. You can define the name of an agent with the following parameters:
AgentName
Defines the identity of the web agent. This identity links the name and the IP address or FQDN of each web server instance hosting an Agent.
The value of the DefaultAgentName is used instead of the AgentName parameter if any of the following events occur:
Note: This parameter can have more than one value. Use the multivalue option when setting this parameter in an Agent Configuration Object. For local configuration files, add each value to a separate line in the file.
Default: No default
Limit: Multiple values are allowed, but each AgentName parameter has a 4,000 character limit. Create additional AgentName parameters as needed by adding a character to the parameter name. For example, AgentName, AgentName1, AgentName2.
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.
Example: myagent1,192.168.0.0 (IPV4)
Example: myagent2, 2001:DB8::/32 (IPV6)
Example: myagent,www.example.com
Example (multiple AgentName parameters): AgentName1, AgentName2, AgentName3. The value of each AgentName<number> parameter is limited to 4,000 characters.
DefaultAgentName
Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.
If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.
Important! If you do not specify a value for the DefaultAgentName parameter, then the value of the AgentName parameter requires every agent identity in its list. Otherwise, the Policy Server cannot tie policies to the agent.
Default: No default.
Limit: Use only one value. Multiple values are prohibited.
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.
If you are configuring virtual server support, specify a value for either the AgentName or the DefaultAgentName parameter.
Follow these steps:
The AgentName and DefaultAgentName values are set.
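The naming limits and the DefaultAgentName fallback described above can be checked before a configuration is deployed. The following is an added example, not CA code: the function names are hypothetical, hosts are matched exactly, and "printable" is assumed to mean not blank.

```python
# Added example: models the AgentName / DefaultAgentName rules described above.
FORBIDDEN = set("&*")  # characters the page prohibits in agent names


def name_problems(name):
    """Return the rule violations for a single agent name."""
    problems = []
    if any(not 32 <= ord(c) <= 127 for c in name):
        problems.append("character outside 7-bit ASCII range 32-127")
    if FORBIDDEN & set(name):
        problems.append("contains '&' or '*'")
    if not name.strip():
        # Assumption: "one or more printable characters" means not blank.
        problems.append("no printable character")
    return problems


def parse_agent_names(values):
    """Map each 'name,host' value to {host: name}; hosts are lower-cased."""
    mapping = {}
    for value in values:
        name, _, host = value.partition(",")
        mapping[host.strip().lower()] = name.strip()
    return mapping


def resolve_agent(host, agent_names, default_agent_name=None):
    """AgentName entry for the host, else DefaultAgentName, else None."""
    # Exact host match only; address ranges such as 2001:DB8::/32 are not modelled.
    return parse_agent_names(agent_names).get(host.lower(), default_agent_name)


def audit(agent_names, default_agent_name, served_hosts):
    """List findings that leave a host without a valid agent identity."""
    findings = []
    names = list(parse_agent_names(agent_names).values())
    if default_agent_name is not None:
        names.append(default_agent_name)
    for name in names:
        findings += [f"{name!r}: {p}" for p in name_problems(name)]
    for host in served_hosts:
        # None means the Policy Server has no agent name to tie policies to.
        if resolve_agent(host, agent_names, default_agent_name) is None:
            findings.append(f"{host}: no AgentName entry and no DefaultAgentName")
    return findings
```
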
With central agent configuration, you can restrict which configuration parameters local web server administrators can modify. We recommend this method when the CA SiteMinder® administrator and the web server administrator are different people.
Follow these steps:
The Welcome screen appears.
A list of Agent Configuration objects appears.
Click the edit icon in the row of the Agent Configuration Object you want.
The Modify Agent Configuration dialog appears.
The Edit Parameter dialog appears.
An empty field appears.
Example: The following example shows how to allow only the EnableAuditing and EnableMonitoring parameters to be set on the local web server:
AllowLocalConfig=EnableAuditing,EnableMonitoring
The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.
The Modify Agent Configuration dialog closes, and a confirmation message appears.
Your changes will be applied the next time the Web Agent polls the Policy Server.
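To confirm that a web server's local configuration stays within what AllowLocalConfig permits, the local file can be compared against the allowlist. This is an added example, not part of the product: it assumes the local file holds name=value lines with # comments, compares parameter names exactly, and uses a constructed sample file.

```python
# Added example: report local settings that fall outside AllowLocalConfig.

# Constructed sample of a local configuration file (format is an assumption).
SAMPLE_CONF = """\
# constructed sample local configuration
EnableAuditing="YES"
EnableMonitoring="NO"
DefaultAgentName="otheragent"
#LogFile="commented out, so not an active setting"
"""


def parse_allowlist(allow_local_config):
    """Split an AllowLocalConfig value such as 'EnableAuditing,EnableMonitoring'."""
    return {p.strip() for p in allow_local_config.split(",") if p.strip()}


def local_settings(conf_text):
    """Return (line_number, parameter) for each active setting in the file."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and lines that set nothing
        found.append((number, line.split("=", 1)[0].strip()))
    return found


def disallowed_overrides(conf_text, allow_local_config):
    """Local settings whose parameter is not listed in AllowLocalConfig."""
    allowed = parse_allowlist(allow_local_config)
    return [(n, p) for n, p in local_settings(conf_text) if p not in allowed]


if __name__ == "__main__":
    policy = "EnableAuditing,EnableMonitoring"  # value from the page's example
    for number, parameter in disallowed_overrides(SAMPLE_CONF, policy):
        print(f"line {number}: {parameter} is not permitted by AllowLocalConfig")
```
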
CA SiteMinder® rules and policies are tied to Agent names. If a request is made to a host with an Agent name that is unknown to the Policy Server, the Policy Server cannot implement policies. Therefore, the value for the Web Agent’s DefaultAgentName or AgentName parameter must match the name of an Agent entry defined at the Policy Server.
You define an Agent at the Policy Server using the Administrative UI. The value you enter in the Name field of the Agent Properties dialog box is the value that must match the name defined for the DefaultAgentName or AgentName setting, whether the Web Agent is configured locally (Agent configuration file) or centrally from the Policy Server (Agent Configuration Object).
The Web Agent, by default, adds its name to the URL that redirects a user to a forms, SSL, or NTLM credential collector. You can control whether the Agent encrypts its name in the URL and whether the credential collector decrypts the name when it receives the URL with the EncryptAgentName parameter.
The default setting for the EncryptAgentName parameter is yes. You should set this parameter to no in either of the following situations:
To encrypt the Web Agent name, set the EncryptAgentName parameter to yes.
You can manage the communication between agents and the Policy Server using any of the following procedures:
When network latency issues exist, the Web Agent cannot connect with the Policy Server. To avoid this problem, use the following parameter in the Agent Configuration Object or local configuration file:
AgentWaitTime
Specifies the number of seconds that the agent waits for the Low-level agent Worker process (LLAWP) to become available. When the interval expires, the agent tries to connect to the Policy Server.
Setting this parameter can help to resolve agent start-up errors that are related to the LLAWP connections. We recommend starting with the default value and then increasing the interval 5 seconds each time until the agent starts successfully.
If you are using local configuration, set this parameter in the WebAgent.conf file instead of the agent configuration object.
Default: 5
Example: Calculate a suggested value with the following formula:
(The_number_of_Policy_Servers x 30) + 10 = value of the AgentWaitTime parameter (in seconds).
For example, if you have five Policy Servers, then set the value of the AgentWaitTime parameter to 160. [(5x30) + 10 = 160] (seconds).
Limit: (FIPS-compatibility and FIPS-migration modes) minimum of 5.
Limit: (FIPS-only mode) minimum of 20.
Use a higher setting only if network latency issues exist. A high setting possibly causes unexpected web server behavior.
To accommodate any network latency, enable the AgentWaitTime parameter in your Agent Configuration Object or local configuration file. Then specify the number of seconds you want.
Copyright © 2014 CA.
All rights reserved.