Set the Proxy Rules for the Agent for SharePoint when using CA DLP Content Classification Service with Multiple Authentication

The Agent for SharePoint operates as a proxy-based solution. To protect your SharePoint resources, edit the default proxy rules file so that the Agent for SharePoint forwards requests to one of the following destinations:

If you are using the Agent for SharePoint, the CA DLP content classification service, and multiple authentication, specific proxy rules are required to ensure proper classification and protection of your SharePoint resources.

Multiple authentication allows authorized users to access resources using different credentials. For example, employees within an organization can access resources using Integrated Windows authentication (IWA), while customers and partner organizations use login names and passwords stored in a separate directory server. Both groups use different credentials to authenticate for the same resources.

Important! Do not use any other proxy rule settings with the Agent for SharePoint, the CA DLP content classification service, and multiple authentication. Resources that the CA DLP content classification service classifies use an HTTP request header for proper forwarding by the Agent for SharePoint. If the Agent for SharePoint does not properly forward these requests using the rules as they are shown here, unauthorized access and disclosure of your protected information is possible.

Follow these steps:

  1. Locate the following file on your Agent for SharePoint:
    Agent-for-SharePoint_home\proxy-engine\conf\proxyrules.xml
    
  2. Rename the previous file using a name similar to the following example:
    proxyrules_xml_default.txt
    
  3. Open the following file on your Agent for SharePoint with a text editor:
    Agent-for-SharePoint_home\proxy-engine\examples\proxyrules\proxyrules_example2.xml
    
  4. Save the previous file as a new file in the following location:
    Agent-for-SharePoint_home\proxy-engine\conf\proxyrules.xml
    
  5. Locate the following text in the updated proxyrules.xml file:
    :///$$PROXY_RULES_DTD$$"
    
  6. Replace the previous text with the following text:
    :///C:\Program Files\CA\Agent-for-SharePoint\proxy-engine\conf\dtd\proxyrules.dtd"
    
  7. Locate the following text:
    http://www.company.com
    
  8. Change the previous text to the domain of your organization. Use the following example as a guide:
    http://www.example.com
    
  9. Locate the following line:
    <nete:cond type="header" criteria="equals" headername="HEADER">
    
  10. Edit the previous line to match the following line:
    <nete:cond type="header" headername="SMSERVICETOKEN">
    
  11. Locate the following line:
    <nete:case value="value1">
    
  12. Edit the previous line to match the following line:
    <nete:case value="DLP">
    
  13. Add a line after the previous line.
  14. Copy and paste the following XML syntax onto the new line:
    <nete:xprcond>
      <nete:xpr>
        <nete:rule>^/_login/default.aspx\?ReturnUrl=(.*)</nete:rule>
        <nete:result>http://sharepoint.example.com:port_number/_trust/default.aspx?trust=name_of_siteminder_trusted_identity_provider&amp;ReturnUrl=$1</nete:result>
      </nete:xpr>
      <nete:xpr-default>
        <nete:forward>http://sharepoint.example:port_number$0</nete:forward>
      </nete:xpr-default>
    </nete:xprcond>
    
  15. Replace both instances of the sharepoint.example:port_number in the previous section with one of the following values:
  16. Replace the instance of name_of_siteminder_trusted_identity_provider in the previous section with the name of your SiteMinder trusted identity provider.
  17. Locate the following line in the file:
    <nete:forward>http://home.company.com</nete:forward>
    
  18. Replace the home.company.com in the previous line with one of the following values:
  19. Save the file and close your text editor.

    The proxy rules are set.
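
A post-edit check for the procedure above, as an added example (not CA's code): it parses the text of the saved proxyrules.xml and reports template placeholders that were left in place and a missing SMSERVICETOKEN/DLP rule block. The sample file content, including its root element, namespace URI, host, port and provider name, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Template strings from the procedure that must not survive the edit.
PLACEHOLDERS = ("$$PROXY_RULES_DTD$$", "www.company.com", "home.company.com",
                "port_number", "name_of_siteminder_trusted_identity_provider",
                'headername="HEADER"', 'value="value1"')

def kids(el, name):
    """Direct children with this local name; the namespace URI is ignored."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def check_proxy_rules(text):
    """Return a list of problems found in the text of an edited proxyrules.xml."""
    problems = [f"placeholder left in file: {p}" for p in PLACEHOLDERS if p in text]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    conds = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "cond"
             and e.get("type") == "header" and e.get("headername") == "SMSERVICETOKEN"]
    cases = [c for e in conds for c in kids(e, "case") if c.get("value") == "DLP"]
    if not cases:
        return problems + ["no DLP case under a header condition on SMSERVICETOKEN"]
    xprconds = kids(cases[0], "xprcond")
    if not xprconds:
        return problems + ["DLP case has no xprcond block"]
    rules = [r.text or "" for x in kids(xprconds[0], "xpr") for r in kids(x, "rule")]
    if not any("/_login/default.aspx" in r for r in rules):
        problems.append("login page rule missing from the DLP case")
    if not [f for d in kids(xprconds[0], "xpr-default") for f in kids(d, "forward")]:
        problems.append("xpr-default in the DLP case has no forward")
    return problems

# Constructed sample of a finished file; host, port and provider name are made up.
GOOD = r"""<nete:proxyrules xmlns:nete="http://www.example.com/">
 <nete:cond type="header" headername="SMSERVICETOKEN">
  <nete:case value="DLP">
   <nete:xprcond>
    <nete:xpr>
     <nete:rule>^/_login/default.aspx\?ReturnUrl=(.*)</nete:rule>
     <nete:result>http://sp.example.com:80/_trust/default.aspx?trust=ExampleIdP&amp;ReturnUrl=$1</nete:result>
    </nete:xpr>
    <nete:xpr-default><nete:forward>http://sp.example.com:80$0</nete:forward></nete:xpr-default>
   </nete:xprcond>
  </nete:case>
 </nete:cond>
</nete:proxyrules>"""
if __name__ == "__main__":
    print(check_proxy_rules(GOOD) or "no problems found")
```

To check a real file, pass its contents to `check_proxy_rules` as a string; an empty list means none of these checks failed.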

More information:

Virtual Host Configurations Supported by the Agent for SharePoint