

Agents and Proxy Servers

Use any of the following settings to manage your CA SiteMinder® agents running on proxy servers:

Configure Agents that Sit behind Proxy Servers

If a Web Agent will be installed behind a proxy server, you can configure the Web Agent to work with proxy servers using the following parameters:

ProxyTrust

Instructs the agent on a destination server to trust authorizations received from a CA SiteMinder® agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

Default: No

ExpireForProxy

Prevents a client from caching content (pages and potentially headers or cookies). When the value of this parameter is set to yes, the Web Agent inserts one of the following HTTP headers into the HTTP response:

If content is not cached, subsequent requests continue to be forwarded.

When the ExpireForProxy parameter is set to yes, the Web Agent inserts the strings specified in the appropriate ProxyHeaders<suffix_name> parameter into the HTTP response, based upon what type of request the Agent performed.

For HTTP/1.1 requests, the Agent inserts the values of the following parameters as headers in the response:

For HTTP/1.0 requests, the Agent inserts the values of the following parameters as headers in the response:

Default: No

Note: Although this parameter name contains the word 'proxy,' the settings of this parameter also affect the behavior of web browsers, or any other client that connects to a web server on which any CA SiteMinder® Agents using this parameter setting operate.

To tell the proxy not to cache the pages, the Web Agent adds an Expires header for the page. This header is set to a date in the past, which prevents the page from being cached by a proxy, as dictated by the HTTP 1.0 specification. On 302 redirects, a cache-control: no-cache header is set instead. Although this prevents caching of content, this has the negative consequence of affecting the browsing experience for an Internet Explorer (IE) browser, as described by Microsoft Support.

With the use of cache-control: no-cache for 302 redirects, the ActiveX component that manages in-place document viewing in IE relies on the browser’s cache to locate the file. Because this header instructs the browser not to cache the file, the ActiveX component cannot locate the file and fails to display the request properly. Further, when you set the Web Agent’s ExpireForProxy setting to yes, the back-end server tells the proxy not to cache the resource.

To configure Agents that sit behind proxy servers

  1. Set the ProxyTrust parameter to yes.
  2. Set the ExpireForProxy parameter to yes.
  3. (Optional) Customize the values of the cache-control and ExpireForProxy (HTTP) headers.

  The Agents behind the proxy servers are configured.

More information:

Customize the Cache-Control and ExpireForProxy Header Settings

Customize the Cache-Control and ExpireForProxy Header Settings

You can customize the cache-control and ExpireForProxy headers to secure Web resources without affecting in-place activation of application files (.doc, .pdf, and so on). You can set specific HTTP headers for the following types of content independently to control how that content is cached by a web browser or proxy server:

Important! We recommend using the default settings unless you are familiar with the ramifications of changing these settings in accordance with RFC 2068. If you plan to change the default settings, note that the CA SiteMinder® session cookie is updated on each access to an unprotected page once a user has a session, in order to track idle timeout. Therefore, unprotected pages should not be cached on a proxy that caches HTTP headers.

The following characteristics apply to setting headers to prevent caching by proxies:

All parameters should be configured using multi-value strings to suit the use of multiple headers, such as cache-control: private and cache-control: max-age=60.

The following is the new configuration:

  1. ProxyHeadersDefaultTime - defaults to 60 seconds
  2. ProxyHeadersTimeoutPercentage - defaults to 10 percent
  3. The following cache-control headers are available:

    ProxyHeadersAutoAuth

    Specifies the value of an HTTP 1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the auto-authorized resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT

    Example (suggested setting): ProxyHeadersAutoAuth="Cache-Control: max-age=60"

    ProxyHeadersAutoAuth10

    Specifies the value of an HTTP 1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the auto-authorized resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT

    Example (suggested setting): ProxyHeadersAutoAuth10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

    ProxyHeadersProtected

    Specifies the value of an HTTP 1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the protected resource is cached.

    Default:
      Expires: Thu, 01 Dec 1994 16:00:00 GMT
      Cache-Control: no-cache

    Example (suggested settings):
      ProxyHeadersProtected="Cache-Control: private"
      ProxyHeadersProtected="Cache-Control: max-age=60"

    ProxyHeadersProtected10

    Specifies the value of an HTTP 1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the protected resource is cached.

    Default:
      Expires: Thu, 01 Dec 1994 16:00:00 GMT
      Cache-Control: no-cache

    Example (suggested setting): ProxyHeadersProtected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

    ProxyHeadersUnprotected

    Specifies the value of an HTTP 1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the unprotected resource is cached.

    Default:
      Expires: Thu, 01 Dec 1994 16:00:00 GMT
      Cache-Control: no-cache

    Example (suggested settings):
      ProxyHeadersUnprotected="Cache-Control: private"
      ProxyHeadersUnprotected="Cache-Control: max-age=60"

    ProxyHeadersUnprotected10

    Specifies the value of an HTTP 1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent Configuration is set to yes. The value of this header determines if or for how long the unprotected resource is cached.

    Default:
      Expires: Thu, 01 Dec 1994 16:00:00 GMT
      Cache-Control: no-cache

    Example (suggested setting): ProxyHeadersUnprotected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

When configuring multiple headers (for example, the cache-control headers in the suggested setting for unprotected HTTP/1.1 content), note the following:

If you do not configure the Web Agent to set the appropriate cache expiration headers when a user accesses unprotected resources, then by default the Web Agent does not set these headers, which allows a web browser or proxy server to cache an SMSESSION cookie. This cached cookie can be re-used by the web browser or proxy server after the user has initiated a different session (and therefore a different user context), causing an unauthorized impersonation.

More information:

Configure Agents that Sit behind Proxy Servers

Proxy Header Usage Notes
Security Considerations

Browser sessions can persist after logout, so removing the SMSESSION cookie does not prevent a user from using the same browser session to view previously cached files. This problem occurs because the proxy server is not aware of the logout request and retains any protected/unprotected content in cache for the cache-control: private user until it times out (cache-control: max-age=60). Thus, such a request would result in a page returned with a valid SMSESSION cookie. The only way to ensure security is to disable keep-alives or close the browser.

Further, the local browser cache is affected by the private/max-age combination since it observes local cache across sessions. For this reason, the max-age time for protected resources should be as short as possible.
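The header selection rules described above and the cache-reuse risk they guard against, modelled as an added Python example (not SiteMinder code): the parameter names and default header values are the ones documented on this page; the configuration-dict shape, the resource-class names passed to the function and the cookie_leak_risk helper are assumptions made for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

PAST_EXPIRES = "Expires: Thu, 01 Dec 1994 16:00:00 GMT"
# Documented defaults; multi-value strings are modelled as lists of header lines.
DEFAULTS = {
    "ProxyHeadersAutoAuth": [PAST_EXPIRES],
    "ProxyHeadersAutoAuth10": [PAST_EXPIRES],
    "ProxyHeadersProtected": [PAST_EXPIRES, "Cache-Control: no-cache"],
    "ProxyHeadersProtected10": [PAST_EXPIRES, "Cache-Control: no-cache"],
    "ProxyHeadersUnprotected": [PAST_EXPIRES, "Cache-Control: no-cache"],
    "ProxyHeadersUnprotected10": [PAST_EXPIRES, "Cache-Control: no-cache"],
}

def select_proxy_headers(config, http_version, resource_class):
    """Header lines the agent inserts for one response (config dict shape is an
    assumption). resource_class is "Protected", "Unprotected" or "AutoAuth";
    HTTP/1.0 requests use the parameter carrying the "10" suffix."""
    if str(config.get("ExpireForProxy", "no")).lower() != "yes":
        return []  # ExpireForProxy=no: the agent inserts nothing
    suffix = "10" if http_version == "HTTP/1.0" else ""
    name = "ProxyHeaders" + resource_class + suffix
    return list(config.get(name, DEFAULTS[name]))

def shared_cache_may_store(headers, now=None):
    """Could a shared (proxy) cache store and reuse a 200 response with these
    headers without revalidating? private/no-cache/no-store forbid it,
    max-age overrides Expires, and a past Expires marks the response stale."""
    now = now or datetime.now(timezone.utc)
    directives, expires_past = set(), False
    for line in headers:
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "cache-control":
            directives.update(d.strip().lower() for d in value.split(","))
        elif field == "expires":
            try:
                expires_past = parsedate_to_datetime(value) <= now
            except (TypeError, ValueError):
                expires_past = True  # an unparsable Expires counts as stale
    if directives & {"private", "no-store", "no-cache", "max-age=0"}:
        return False
    if any(d.startswith("max-age=") for d in directives):
        return True
    return not expires_past

def cookie_leak_risk(response_headers, now=None):
    """True when a response setting an SMSESSION cookie could be served from a
    shared cache to a different user (the impersonation case described above)."""
    sets_session = any(h.lower().startswith("set-cookie:") and "smsession=" in h.lower()
                       for h in response_headers)
    return sets_session and shared_cache_may_store(response_headers, now)
```

Run cookie_leak_risk over the headers of a captured unprotected-page response to confirm that the configured ProxyHeadersUnprotected values actually keep the SMSESSION cookie out of shared caches.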

Using the allowcacheheaders="FALSE" configuration setting (the default) does not prevent the proxy server from observing the if-modified-since and if-none-match request headers. Thus, these observed headers take effect on the request according to the proxy server's own rules.

You could work around this issue by installing:

Since HTTP 1.0 and HTTP 1.1 (or higher) use different headers for specifying instructions to caching proxies, configure each version so that content receives the most appropriate handling for the type of connection.