Web Agent Guides › Web Agent Configuration Guide › SSO Security Zones › Agents and Reverse Proxy Servers › CA SiteMinder® IIS 7.x Web Servers and Application Request Routing (ARR)

CA SiteMinder® IIS 7.x Web Servers and Application Request Routing (ARR)

The CA SiteMinder® 12.52 Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:

• An IIS 7.x web server running both ARR and the CA SiteMinder® Agent for IIS in a DMZ, as shown in the following illustration:

  

• Multiple IIS 7.x web servers running CA SiteMinder® Web Agents for IIS behind another IIS 7.x server in the DMZ running ARR. This configuration is shown in the following illustration:

  

• An IIS 7.x web server running both ARR and the CA SiteMinder® Agent for IIS in a DMZ, and multiple IIS 7.x web servers running the CA SiteMinder® Agent for IIS behind the the ARR server. This configuration is shown in the following illustration:

  

How to Set up an IIS 7.x Server with ARR and CA SiteMinder® in your DMZ with other CA SiteMinder® Agents for IIS Operating Behind the DMZ

The CA SiteMinder® Agent for IIS protects your entire IIS environment with the following configuration:

• An IIS 7.x web server with Application Request Routing (ARR) and a CA SiteMinder® Agent for IIS in your DMZ (as a front-end server).
• Multiple IIS 7.x web servers behind the ARR server in the DMZ, with each using the CA SiteMinder® Web Agent or Agent for IIS.

  Note: Only certain CA SiteMinder® Web Agents support operating as a reverse-proxy server. However any web server hosting a supported CA SiteMinder® Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA SiteMinder®. For more information, see the Platform Support Matrix.

To implement the previous configuration, use the following multi-step process:

1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

   Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

2. Install and configure a CA SiteMinder® Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

   Note: For more information, see the Web Agent Installation Guide for IIS.

3. Set the Web Agent Configuration parameters for the CA SiteMinder® Agent for IIS in your DMZ.
4. Install and configure a CA SiteMinder® Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end). For more information, see the Web Agent Installation Guide for IIS.

   Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.

5. Install and configure a CA SiteMinder® Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).
6. Set the Web Agent Configuration Parameters for all of your IIS 7.x Servers using CA SiteMinder® behind the DMZ. Include the first web server and all nodes.

Set the CA SiteMinder® Web Agent Configuration Parameters for your IIS 7.x ARR Server in the DMZ

This section describes how to set the Web Agent Configuration parameters running the CA SiteMinder® Agent for IIS in the following situation:

• An IIS 7.x Web Server operates in the DMZ using ARR and the CA SiteMinder® Agent for IIS (front end).
• Other IIS 7.x Web servers behind the DMZ receive requests from the ARR server, but do not use the CA SiteMinder® Agent for IIS (back end).

Follow these steps:

1. Verify the following items:
   • ARR 2.0 is installed and configured on the web server in the DMZ.
   • The CA SiteMinder® 12.52 Agent for IIS is installed and configured on the web server in the DMZ.
2. Open the Administrative UI.
3. Open the Agent Configuration Object (ACO) associated with your CA SiteMinder® Agent for IIS (the front–end running in the DMZ).
4. Locate the following parameter:

   ProxyTrust

   Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again reauthorize users.

   Default: No

5. Verify that the value set in the ProxyTrust parameter is no.
6. Locate the following parameter:

   ProxyAgent

   Specifies if a Web Agent is acting as a reverse proxy agent.

   When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

   Default: No

7. Change the value of the ProxyAgent parameter to yes.
8. Submit your changes to the Agent Configuration Object.

   The Web Agent Configuration parameters are set.

Set the Web Agent Configuration Parameters for your IIS 7.x Servers using CA SiteMinder® Behind the DMZ

This section describes how to set the Web Agent Configuration parameters running the CA SiteMinder® Agent for IIS in the following situation:

• An IIS 7.x server operates in the DMZ using ARR (front end).
• Other IIS 7.x servers behind the DMZ receive requests from the ARR server. Those servers also use the CA SiteMinder® Agent for IIS (back end).

Follow these steps:

1. Verify the following items:
   • ARR 2.0 is installed and configured on the web server in the DMZ.
   • The CA SiteMinder® 12.52 Agent for IIS is installed and configured on the first web server and all the nodes behind your DMZ.
2. Open the Administrative UI.
3. Open the Agent Configuration Object (ACO) associated with the first IIS server deployed behind the DMZ.
4. Locate the following parameter:

   ProxyTrust

   Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again reauthorize users.

   Default: No

5. Change the value of the ProxyTrust parameter to yes.
6. Locate the following parameter:

   ProxyAgent

   Specifies if a Web Agent is acting as a reverse proxy agent.

   When the value of this parameter is yes, the CA SiteMinder® agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

   Default: No

7. Verify that the value of the ProxyAgent parameter is set to no.
8. Submit your changes to the Agent Configuration Object.
9. Open the Agent Configuration Object (ACO) associated with an IIS server node deployed behind the DMZ.
10. Repeat Steps 5 through 10 on each IIS web server node, until all the nodes behind the DMZ are configured.

    The Web Agent Configuration parameters are set.

How to Set Up an IIS 7.x Server with ARR and CA SiteMinder® in your DMZ

To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA SiteMinder® Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:

1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

   Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

2. Install and configure a CA SiteMinder® Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

   Note: For more information, see the Web Agent Installation Guide for IIS.

How to Set up your IIS 7.x Servers with CA SiteMinder® When Operating Behind an ARR Server in a DMZ

The CA SiteMinder® Agent for IIS supports the following configuration using Application Request Routing (ARR):

• Operating several back-end web servers behind a DMZ-based IIS 7.x web server running ARR.
• Protecting those back end servers with CA SiteMinder® Web Agents or Agents for IIS.

  Note: Only certain CA SiteMinder® Web Agents support operating as a reverse-proxy server. However any web server hosting a supported CA SiteMinder® Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA SiteMinder®. For more information, see the Platform Support Matrix.

To implement this configuration, use the following multi-step process:

1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

   Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."

2. Install and configure a CA SiteMinder® Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end). For more information, see the Web Agent Installation Guide for IIS.

   Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.

3. Install and configure a CA SiteMinder® Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).

CA SiteMinder® Reverse Proxy Deployment Considerations

Typically, when you deploy an Apache or Oracle iPlanet reverse proxy Agent, a firewall is located between the Apache or Oracle iPlanet Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.

The following illustration shows a CA SiteMinder® reverse proxy deployment.

When deploying a CA SiteMinder® reverse proxy Agent, consider the following:

• If a policy has been configured to return response attributes, the variables are sent to both the reverse proxy server and the backend web server on which the protected resource resides. When a request is made for a protected resource, the Policy Server first sends response attributes (CGI or HTTP variables) to the Agent on the Apache or Oracle iPlanet server. The Agent then puts the response attributes in the request that is sent to the backend server.
• If any of the backend servers or protected applications provide their own authentication functionality, the authentication must be disabled. Disabling the backend authentication ensures that CA SiteMinder®’s authentication takes precedence.

  Important! When configuring the cache for the reverse proxy be aware that all cookies are cached, including the SMSESSION cookie. For assistance see your Apache or Oracle iPlanet web server documentation.

More Information

Define HTTPS Ports