Symantec Access Management

  • 1.  protecting webserver behind Secure proxy Server

    Posted Mar 31, 2015 06:17 PM

    Hi All,

     

    I am new to SPS and I am able to install and configure the SPS R12.52Sp1. I am able to make proxy rules so that the request coming from SPS will be redirected to the webserver.

     

    Now that I have protected the webserver with an agent with basic auth, when hitting the Apache on SPS I am getting a 401 error.

     

    In SPS agent trace logs I can see the Proxy rule is getting triggered but the webserver is sending 401.

     

    [03/30/2015][13:28:28][760][2248][aa590c5a-f36e84ea-f5c9f4de-8c6685a7-33768a31-1][execute][Response status code from backend webserver is 401]

    [03/30/2015][13:28:28][760][2248][aa590c5a-f36e84ea-f5c9f4de-8c6685a7-33768a31-1][Noodle::doGet][Noodle.proxyRequest succeeded.  Writing out response data if available]

     

    Any suggestions what I could be doing wrong?

     

    We are expected to protect the webserver with SPS, so that we can remove the WebAgents and SPS will take all the load of Authenticating/Authorizing the Users.

     

    Is there any way the Apache on SPS can be protected when we hit it?

     

    Or any guidelines which I can use to protect the webserver behind SPS server?

     

    Thanks in Advance.



  • 2.  Re: protecting webserver behind Secure proxy Server
    Best Answer

    Posted Apr 01, 2015 10:12 AM

    Richard

     

    For the backend NTLM auth scheme (or when using BasicAuth in the backend) to work, the ‘connection-auth’ attribute needs to be added to the forward rule in proxy-rules.xml.

     

    eg:

    <nete:forward connection-auth="yes">http://hostname.xyz.com:81$1</nete:forward>

     

     

    Regards

     

    Hubert
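
Added example, not part of the original thread or of the product: a small Python triage script for the agent trace format quoted in the first post. It finds transactions where the backend webserver answered 401 while the proxy request itself succeeded, which is the symptom the `connection-auth` change addresses. The sample lines are constructed from the two quoted ones plus one made-up line, and the names given to the third and fourth fields are assumptions.

```python
import re

# Constructed sample in the trace-line layout quoted in the first post.
# The third line (second transaction ID, status 200) is made up for contrast.
SAMPLE_TRACE = """\
[03/30/2015][13:28:28][760][2248][aa590c5a-f36e84ea-f5c9f4de-8c6685a7-33768a31-1][execute][Response status code from backend webserver is 401]
[03/30/2015][13:28:28][760][2248][aa590c5a-f36e84ea-f5c9f4de-8c6685a7-33768a31-1][Noodle::doGet][Noodle.proxyRequest succeeded.  Writing out response data if available]
[03/30/2015][13:28:31][760][2252][00000000-00000000-00000000-00000000-00000000-2][execute][Response status code from backend webserver is 200]
"""

FIELD = re.compile(r"\[([^\]]*)\]")
STATUS = re.compile(r"Response status code from backend webserver is (\d{3})")
RELAYED = "Noodle.proxyRequest succeeded"
# Names for the third and fourth fields are assumptions; the post does not label them.
KEYS = ("date", "time", "field3", "field4", "txn", "function", "message")


def parse_line(line):
    """Split one trace line into its seven bracketed fields, or return None."""
    fields = FIELD.findall(line)
    return dict(zip(KEYS, fields)) if len(fields) == 7 else None


def backend_401s(trace_text):
    """Map each transaction whose backend answered 401 to True if the proxy
    also logged the request as succeeded (the forward itself worked), else False."""
    status, relayed = {}, set()
    for line in trace_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # skip blank or differently shaped lines
        m = STATUS.search(rec["message"])
        if m:
            status[rec["txn"]] = int(m.group(1))
        elif RELAYED in rec["message"]:
            relayed.add(rec["txn"])
    return {txn: txn in relayed for txn, code in status.items() if code == 401}


if __name__ == "__main__":
    for txn, was_relayed in backend_401s(SAMPLE_TRACE).items():
        print(f"{txn}: backend 401, proxy request succeeded: {was_relayed}")
```

A transaction reported with `True` means the proxy rule fired and the 401 originated at the backend, not at the SPS.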



  • 3.  Re: protecting webserver behind Secure proxy Server

    Posted Apr 01, 2015 11:14 AM

    Thanks Hubert, your tip was helpful. This works now; I am getting the authentication scheme triggered after adding this parameter.

     

    Could you please give some guidelines on how we can protect the Apache webserver on SPS itself? We are thinking of protecting the SPS webserver only, so that the user will be authenticated on the SPS webserver and it will forward the request to the backend Apache/IIS or application server.

     

    I checked the httpd.conf for SPS apache webserver but the module mod_sm22.dll is not there.

     

    In policy server SPS created its domain with the agent, and SPS apache webserver shows the resource is not protected.

     

    Thanks



  • 4.  Re: protecting webserver behind Secure proxy Server

    Posted Apr 01, 2015 12:14 PM

    Richard

     

    The way SPS works is different (it is always confusing because we try to compare the Apache embedded in SPS with a standard Apache / WebAgent). The WebAgent in SPS is a Java-based agent and runs on Tomcat. The Apache is just used for most of the reverse proxy functions. Hence one would not find a WebAgent module in the httpd.conf of the Apache shipped in SPS.

     

    If we opted to enable the WebAgent during the SPS configuration, then it would be enabled. You can cross-verify in server.conf under <SPS_Home>/proxyengine/conf. We would have the link to WebAgent.conf.

     

    As long as the Agent Object linked to the ACO being used by SPS (defined in WebAgent.conf) is attached to the Realm, it should work OOB.

     

     

    There are a few more threads in communities on how to use SPS. Hope these help.

     

    same SPS agent for more apps

    Re: CA SPS in front of WebLogic and WebSphere

    Re: Secure Proxy Server 12.52 - Virtual Host Configurations

    Re: FrontEnding SPS with LoadBalancer

     

     

     

    Regards

     

    Hubert



  • 5.  Re: protecting webserver behind Secure proxy Server

    Posted Apr 01, 2015 12:33 PM

    Thanks again Hubert, this helps, I will work to get this implemented.