The CA SiteMinder® 12.52 Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:
The CA SiteMinder® Agent for IIS protects your entire IIS environment with the following configuration:
Note: Only certain CA SiteMinder® Web Agents support operating as a reverse-proxy server. However, any web server hosting a supported CA SiteMinder® Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA SiteMinder®. For more information, see the Platform Support Matrix.
To implement the previous configuration, use the following multi-step process:
Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
Note: For more information, see the Web Agent Installation Guide for IIS.
Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web server in the farm that reads the shared configuration from the first server.
This section describes how to set the Web Agent Configuration parameters when running the CA SiteMinder® Agent for IIS in the following situation:
Follow these steps:
Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.
Default: No
Specifies if a Web Agent is acting as a reverse proxy agent.
When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
Default: No
The Web Agent Configuration parameters are set.
To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA SiteMinder® Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:
The CA SiteMinder® Agent for IIS supports the following configuration using Application Request Routing (ARR):
To implement this configuration, use the following multi-step process:
Typically, when you deploy an Apache or Oracle iPlanet reverse proxy Agent, a firewall is located between the Apache or Oracle iPlanet Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.
The following illustration shows a CA SiteMinder® reverse proxy deployment.
When deploying a CA SiteMinder® reverse proxy Agent, consider the following:
Important! When configuring the cache for the reverse proxy, be aware that all cookies are cached, including the SMSESSION cookie. For assistance, see your Apache or Oracle iPlanet web server documentation.
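The caching caveat above can be checked against recorded response headers. The following is an added example, not CA code: it flags responses that set SMSESSION while a shared cache would still be allowed to store them. The sample responses are constructed, and treating only `no-store` and `private` as protective is an assumption of this sketch.

```python
# Added example: find proxied responses whose SMSESSION cookie a shared cache may store.

# Assumption: only these Cache-Control directives keep a shared cache from storing a response.
NON_STORABLE = {"no-store", "private"}


def parse_cache_control(value):
    """Return the set of lower-cased Cache-Control directive names."""
    directives = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


def sets_cookie(headers, cookie_name):
    """True if any Set-Cookie header in `headers` sets `cookie_name`."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0]  # "NAME=value" before the attributes
        if pair.split("=", 1)[0].strip() == cookie_name:
            return True
    return False


def cacheable_session_responses(responses, cookie_name="SMSESSION"):
    """Return URLs that set the session cookie yet may be stored by a shared cache."""
    flagged = []
    for url, headers in responses:
        if not sets_cookie(headers, cookie_name):
            continue
        directives = set()
        for name, value in headers:
            if name.lower() == "cache-control":
                directives |= parse_cache_control(value)
        if not directives & NON_STORABLE:
            flagged.append(url)
    return flagged


# Constructed sample responses (not captured from a real deployment).
SAMPLE = [
    ("/app/home", [("Cache-Control", "max-age=600"), ("Set-Cookie", "SMSESSION=abc123; path=/")]),
    ("/app/login", [("Cache-Control", "no-store"), ("Set-Cookie", "SMSESSION=def456; path=/")]),
    ("/static/logo.png", [("Cache-Control", "public, max-age=86400")]),
    ("/app/report", [("Set-Cookie", "SMSESSION=ghi789; path=/")]),
    ("/app/prefs", [("Cache-Control", "private, max-age=60"), ("Set-Cookie", "theme=dark")]),
]

if __name__ == "__main__":
    for url in cacheable_session_responses(SAMPLE):
        print("review cache rule for", url)
```

Each flagged URL is a place where the reverse proxy's cache rules need review so that a stored response cannot hand one user's SMSESSION cookie to another.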
Copyright © 2013 CA.
All rights reserved.