

Basic Agent Setup and Policy Server Connections

This section contains the following topics:

Default Settings of Web Agent Configuration Parameters

Set the AgentName and DefaultAgentName Values

Restrict Changes to Local Configuration Parameters

Ensure that Agent Names Match

Encrypt the Agent Name

How to Manage Web Agent and Policy Server Communication

Accommodate Network Latency

Manage Web Agents with Multiple Web Server Instances

How to Set Log Files, and Command-line Help to Another Language

Default Settings of Web Agent Configuration Parameters

The default settings for the Web Agent configuration parameters are always used unless a different value is specified.

If a parameter does not exist in the Agent Configuration Object or local configuration file, the default value is used.

Set the AgentName and DefaultAgentName Values

The AgentName parameter specifies the identity of the agent. The Policy Server uses this identity to tie policies to a Web Agent. You can define the name of an agent with the following parameters:

AgentName

Defines the identity of the web agent. This identity links the name and the IP address or FQDN of each web server instance hosting an Agent.

The value of the DefaultAgentName is used instead of the AgentName parameter if any of the following events occur:

Note: This parameter can have more than one value. Use the multivalue option when setting this parameter in an Agent Configuration Object. For local configuration files, add each value to a separate line in the file.

Default: No default

Limit: Multiple values are allowed, but each AgentName parameter has a 4,000 character limit. Create additional AgentName parameters as needed by adding a character to the parameter name. For example, AgentName, AgentName1, AgentName2.

Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

Example: myagent1,192.168.0.0 (IPv4)

Example: myagent2, 2001:DB8::/32 (IPv6)

Example: myagent,www.example.com

Example (multiple AgentName parameters): AgentName1, AgentName2, AgentName3. The value of each numbered AgentName parameter is limited to 4,000 characters.

DefaultAgentName

Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.

If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.

Important! If you do not specify a value for the DefaultAgentName parameter, then the AgentName parameter must list every agent identity. Otherwise, the Policy Server cannot tie policies to the agent.

Default: No default.

Limit: Multiple values are allowed.

Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

If you are configuring virtual server support, specify a value for either the AgentName or the DefaultAgentName parameter.

Follow these steps:

  1. Specify an AgentName value by doing either of the following steps:
  2. Specify a DefaultAgentName identity by doing either of the following steps:

    The AgentName and DefaultAgentName values are set.

More Information

How to Set Up Virtual Server Support

Restrict Changes to Local Configuration Parameters

With central agent configuration, you can restrict which configuration parameters local web server administrators can modify. We recommend this method when the CA SiteMinder® administrator and the web server administrator are different people.

Follow these steps:

  1. Log in to the Administrative UI.

    The Welcome screen appears.

  2. Click Infrastructure, Agent Configuration Objects.

    A list of Agent Configuration objects appears.

    Click the edit icon in the row of the Agent Configuration Object you want.

    The Modify Agent Configuration dialog appears.

  3. Click the edit icon to the left of the AllowLocalConfig parameter.

    The Edit Parameter dialog appears.

  4. Erase the text in the Value field, and then click the multivalue option button.
  5. Click Add.

    An empty field appears.

  6. Type the name of the parameter to which you want to allow access in the field. Separate multiple parameters with commas. Only those parameters in the list can be changed locally.

    Example: The following example shows how to allow only the EnableAuditing and EnableMonitoring parameters to be set on the local web server:

    AllowLocalConfig=EnableAuditing,EnableMonitoring

  7. (Optional) Repeat Steps 5 and 6 to add more parameters.
  8. Click OK.

    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.

  9. Click Submit.

    The Modify Agent Configuration dialog closes, and a confirmation message appears.

  10. (Optional) Enter any remarks about the change in the Comment field for future reference.
  11. Click Yes.

    Your changes will be applied the next time the Web Agent polls the Policy Server.
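The following added example (not CA SiteMinder code) compares a local configuration file with the AllowLocalConfig list and reports parameters set locally that the central configuration does not permit. The `Name=value` file syntax with `#` comments, the case-insensitive comparison of parameter names, and all sample values are assumptions.

```python
def parse_local_config(text):
    """Parse 'Name=value' lines; '#' starts a comment line (assumed syntax)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params.setdefault(name.strip(), []).append(value.strip().strip('"'))
    return params


def allowed_parameters(allow_local_config_values):
    """Flatten the multivalue AllowLocalConfig setting into a set of names."""
    allowed = set()
    for value in allow_local_config_values:
        allowed.update(p.strip().lower() for p in value.split(",") if p.strip())
    return allowed


def unauthorized_overrides(local_text, allow_local_config_values):
    """Return locally set parameters that AllowLocalConfig does not list."""
    allowed = allowed_parameters(allow_local_config_values)
    return sorted(n for n in parse_local_config(local_text) if n.lower() not in allowed)


# Constructed sample input: a local file and the central AllowLocalConfig values.
LOCAL_CONF = """\
# constructed local configuration file
EnableAuditing=yes
EnableMonitoring=yes
EncryptAgentName=no
DefaultAgentName=spareagent
"""
ALLOW_LOCAL_CONFIG = ["EnableAuditing,EnableMonitoring"]

if __name__ == "__main__":
    print(unauthorized_overrides(LOCAL_CONF, ALLOW_LOCAL_CONFIG))
```

Run it against each web server's local file after changing the Agent Configuration Object; any name it returns is a local setting that falls outside the list.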

Ensure that Agent Names Match

CA SiteMinder® rules and policies are tied to Agent names. If a request is made to a host with an Agent name that is unknown to the Policy Server, the Policy Server cannot implement policies. Therefore, the value for the Web Agent’s DefaultAgentName or AgentName parameter must match the name of an Agent entry defined at the Policy Server.

You define an Agent at the Policy Server using the Administrative UI. The value you enter in the Name field of the Agent Properties dialog box is the value that must match the name defined for the DefaultAgentName or AgentName setting, whether the Web Agent is configured locally (Agent configuration file) or centrally from the Policy Server (Agent Configuration Object).
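The following added example (not CA SiteMinder code) applies the naming limits from "Set the AgentName and DefaultAgentName Values" and the matching rule from this section: it resolves each host to an agent name, falls back to DefaultAgentName, and reports hosts whose name the Policy Server would not recognize. Exact string matching of hosts, the rule that a name of only spaces has no printable character, and all sample values are assumptions.

```python
def name_problems(name):
    """Return the documented limits that an agent name violates."""
    problems = []
    if any(not 32 <= ord(ch) <= 127 for ch in name):
        problems.append("character outside the 7-bit ASCII range 32-127")
    # Assumption: a name made only of spaces has no printable character.
    if not any(33 <= ord(ch) <= 126 for ch in name):
        problems.append("no printable character")
    if set("&*") & set(name):
        problems.append("contains & or *")
    return problems


def build_map(agent_name_values):
    """Map host -> name from 'name,host' values (assumption: exact host match)."""
    mapping = {}
    for value in agent_name_values:
        name, sep, host = value.partition(",")
        if not sep or not host.strip():
            raise ValueError(f"expected 'name,host', got {value!r}")
        mapping[host.strip().lower()] = name.strip()
    return mapping


def audit(hosts, agent_name_values, default_agent_name, policy_server_agents):
    """Return {host: reason} for hosts the Policy Server could not tie to policies."""
    known = {n.lower() for n in policy_server_agents}  # names are not case-sensitive
    mapping = build_map(agent_name_values)
    findings = {}
    for host in hosts:
        # An AgentName entry for the host wins; otherwise DefaultAgentName applies.
        name = mapping.get(host.lower(), default_agent_name)
        if name is None:
            findings[host] = "no AgentName entry and no DefaultAgentName"
        elif name_problems(name):
            findings[host] = "; ".join(name_problems(name))
        elif name.lower() not in known:
            findings[host] = f"agent {name!r} is not defined at the Policy Server"
    return findings


# Constructed sample data, modelled on the examples in this page.
AGENT_NAMES = ["myagent1,192.168.0.0", "MyAgent,www.example.com", "shop&pay,shop.example.com"]
POLICY_SERVER_AGENTS = ["myagent", "myagent1", "fallback"]
HOSTS = ["192.168.0.0", "www.example.com", "shop.example.com", "intranet.example.com"]

if __name__ == "__main__":
    for host, why in audit(HOSTS, AGENT_NAMES, None, POLICY_SERVER_AGENTS).items():
        print(f"{host}: {why}")
```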

Encrypt the Agent Name

The Web Agent, by default, adds its name to the URL that redirects a user to a forms, SSL, or NTLM credential collector. You can control whether the Agent encrypts its name in the URL and whether the credential collector decrypts the name when it receives the URL with the EncryptAgentName parameter.

The default setting for the EncryptAgentName parameter is yes. You should set this parameter to no in either of the following situations:

To encrypt the Web Agent name, set the EncryptAgentName parameter to yes.

More Information

Configure the FCC to Use a Single Resource Target

How to Manage Web Agent and Policy Server Communication

You can manage the communication between agents and the Policy Server using any of the following procedures:

More information:

Monitoring Web Agents

Accommodate Network Latency

When network latency issues exist, the Web Agent cannot connect with the Policy Server. To avoid this problem, use the following parameter in the Agent Configuration Object or local configuration file:

AgentWaitTime

Specifies the number of seconds that the agent waits for the Low-level agent Worker process (LLAWP) to become available. When the interval expires, the agent tries to connect to the Policy Server.

Setting this parameter can help to resolve agent start-up errors that are related to the LLAWP connections. We recommend starting with the default value and then increasing the interval by 5 seconds each time until the agent starts successfully.

If you are using local configuration, set this parameter in the WebAgent.conf file instead of the agent configuration object.

Default: 5

Example: Calculate a suggested value with the following formula:

(The_number_of_Policy_Servers x 30) + 10 = value of the AgentWaitTime parameter (in seconds).

For example, if you have five Policy Servers, set the value of the AgentWaitTime parameter to 160 seconds: (5 x 30) + 10 = 160.

Limit: (FIPS-compatibility and FIPS-migration modes) minimum of 5.

Limit: (FIPS-only mode) minimum of 20.

Use a higher setting only if network latency issues exist. A high setting can cause unexpected web server behavior.

To accommodate any network latency, enable the AgentWaitTime parameter in your Agent Configuration Object or local configuration file. Then specify the number of seconds you want.