

CA SiteMinder® IIS 7.x Web Servers and Application Request Routing (ARR)

The CA SiteMinder® 12.52 Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:

How to Set up an IIS 7.x Server with ARR and CA SiteMinder® in your DMZ with other CA SiteMinder® Agents for IIS Operating Behind the DMZ

The CA SiteMinder® Agent for IIS protects your entire IIS environment with the following configuration:

To implement the previous configuration, use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

  2. Install and configure a CA SiteMinder® Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

    Note: For more information, see the Web Agent Installation Guide for IIS.

  3. Set the Web Agent Configuration parameters for the CA SiteMinder® Agent for IIS in your DMZ.
  4. Install and configure a CA SiteMinder® Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end). For more information, see the Web Agent Installation Guide for IIS.

    Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.

  5. Install and configure a CA SiteMinder® Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).
  6. Set the Web Agent Configuration Parameters for all of your IIS 7.x Servers using CA SiteMinder® behind the DMZ. Include the first web server and all nodes.

Set the CA SiteMinder® Web Agent Configuration Parameters for your IIS 7.x ARR Server in the DMZ

This section describes how to set the Web Agent Configuration parameters for the CA SiteMinder® Agent for IIS in the following situation:

Follow these steps:

  1. Verify the following items:
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with your CA SiteMinder® Agent for IIS (the front-end running in the DMZ).
  4. Locate the following parameter:
    ProxyTrust

    Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

    Default: No

  5. Verify that the value set in the ProxyTrust parameter is no.
  6. Locate the following parameter:
    ProxyAgent

    Specifies if a Web Agent is acting as a reverse proxy agent.

    When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

    Default: No

  7. Change the value of the ProxyAgent parameter to yes.
  8. Submit your changes to the Agent Configuration Object.

    The Web Agent Configuration parameters are set.

Set the Web Agent Configuration Parameters for your IIS 7.x Servers using CA SiteMinder® Behind the DMZ

This section describes how to set the Web Agent Configuration parameters for the CA SiteMinder® Agent for IIS in the following situation:

Follow these steps:

  1. Verify the following items:
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with the first IIS server deployed behind the DMZ.
  4. Locate the following parameter:
    ProxyTrust

    Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

    Default: No

  5. Change the value of the ProxyTrust parameter to yes.
  6. Locate the following parameter:
    ProxyAgent

    Specifies if a Web Agent is acting as a reverse proxy agent.

    When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

    Default: No

  7. Verify that the value of the ProxyAgent parameter is set to no.
  8. Submit your changes to the Agent Configuration Object.
  9. Open the Agent Configuration Object (ACO) associated with an IIS server node deployed behind the DMZ.
  10. Repeat Steps 5 through 10 on each IIS web server node, until all the nodes behind the DMZ are configured.

    The Web Agent Configuration parameters are set.
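
The two procedures above give the front-end ACO (ProxyTrust no, ProxyAgent yes) and the back-end ACOs (ProxyTrust yes, ProxyAgent no) opposite values. The following Python check is an added example, not CA SiteMinder® code: it audits a hand-built inventory of ACO values against those settings, and the inventory layout, role labels, and ACO names are assumptions made for illustration.

```python
# Added example (not CA SiteMinder code): audit ACO values against the
# front-end and back-end settings from the two procedures above.

# Defaults documented on this page: both parameters default to No.
DEFAULTS = {"ProxyTrust": "no", "ProxyAgent": "no"}

# Required values per role. The role labels are an assumption of this example.
REQUIRED = {
    "front-end": {"ProxyTrust": "no", "ProxyAgent": "yes"},
    "back-end": {"ProxyTrust": "yes", "ProxyAgent": "no"},
}


def effective(params):
    """Resolve each parameter, applying the default when it is absent.
    Names and values are compared case-insensitively (a choice of this example)."""
    lowered = {k.lower(): str(v).strip().lower() for k, v in params.items()}
    return {name: lowered.get(name.lower(), default)
            for name, default in DEFAULTS.items()}


def audit(inventory):
    """Return sorted (aco_name, parameter, actual, expected) findings."""
    findings = []
    for aco_name, entry in inventory.items():
        role = entry["role"]
        if role not in REQUIRED:
            findings.append((aco_name, "role", role, "front-end or back-end"))
            continue
        actual = effective(entry.get("params", {}))
        for param, expected in REQUIRED[role].items():
            if actual[param] != expected:
                findings.append((aco_name, param, actual[param], expected))
    return sorted(findings)


# Constructed sample inventory: ACO names and values are hypothetical.
SAMPLE = {
    "dmz-arr-aco": {"role": "front-end", "params": {"ProxyAgent": "YES"}},
    "farm-first-aco": {"role": "back-end",
                       "params": {"ProxyTrust": "yes", "ProxyAgent": "no"}},
    "farm-node2-aco": {"role": "back-end", "params": {}},  # left at defaults
    "farm-node3-aco": {"role": "back-end",
                       "params": {"proxytrust": "Yes", "ProxyAgent": "Yes"}},
}

if __name__ == "__main__":
    for name, param, actual, expected in audit(SAMPLE):
        print(f"{name}: {param} is {actual!r}, expected {expected!r}")
```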

How to Set Up an IIS 7.x Server with ARR and CA SiteMinder® in your DMZ

To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA SiteMinder® Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

  2. Install and configure a CA SiteMinder® Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

    Note: For more information, see the Web Agent Installation Guide for IIS.

How to Set up your IIS 7.x Servers with CA SiteMinder® When Operating Behind an ARR Server in a DMZ

The CA SiteMinder® Agent for IIS supports the following configuration using Application Request Routing (ARR):

To implement this configuration, use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

  2. Install and configure a CA SiteMinder® Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end). For more information, see the Web Agent Installation Guide for IIS.

    Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.

  3. Install and configure a CA SiteMinder® Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).

CA SiteMinder® Reverse Proxy Deployment Considerations

Typically, when you deploy an Apache or Oracle iPlanet reverse proxy Agent, a firewall is located between the Apache or Oracle iPlanet Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.

The following illustration shows a CA SiteMinder® reverse proxy deployment.

Illustration showing a SiteMinder agent deployed behind a reverse proxy server

When deploying a CA SiteMinder® reverse proxy Agent, consider the following:

More Information

Define HTTPS Ports