Symantec Access Management

  • 1.  ACO Parameters

    Posted Mar 15, 2013 07:12 AM
    Hi all, can anyone explain the use of the ProxyAgent, ProxyTimeout and ProxyTrust parameters in the Agent Configuration Object? We are using an Apache web server as a proxy to the application server and are planning to install the Apache web agent on the Apache web server. In this case, do I need to modify these parameters?


  • 2.  RE: ACO Parameters

    Posted Mar 15, 2013 10:41 AM
    Hi Sreekanth,

    The Web Agent configuration guide (attached) has a better explanation of the ACO parameters. Please go to page 331 in the document. Hope this helps.

    Thanks,
    Jagadeesh.K

    Attachment: siteminder_wa_config_enu.pdf (2.92 MB)


  • 3.  RE: ACO Parameters

    Posted Mar 16, 2013 10:48 PM
    I found a knowledgebase article that describes some of what you are looking for. Here is the text from the article:

    What are the ProxyAgent and ProxyTrust WebAgent settings and how are they to be used?

    Description:
    When setting up webservers two configuration options are:
    a. The webserver can be set up as a Reverse Proxy Server, which acts as a gateway and passes the web client requests onto backend web servers; or
    b. The webserver can be set up as a Backend Web-Server receiving requests from the proxy server.
    SiteMinder webagents can be installed on the Reverse Proxy Server and/or on the Backend Web-Server. The settings ProxyAgent, ProxyTimeout and ProxyTrust have specific abilities for setup when the webagent is installed on both servers. This article explains their usage.
    Solution:
    Introduction
    A normal configuration for a customer is to have a front end acting as a gateway into their web server farm. The front end is often configured with Load Balancers, SSL offloaders, and Reverse Proxy Servers, which perform the following tasks:

    Load Balancers distribute the load amongst workfarm members,

    SSL Offloaders take CPU load off the webservers by decoding the encrypted SSL traffic and returning it in the clear, and

    Reverse Proxy Servers allow you to hide the internal detail of your infrastructure from the outside client world.
    A Reverse Proxy Server, which is what we are focusing on here, is a webserver that passes all the URL requests from the front end clients on to various backend webservers. During the "reverse proxy" process, it is common to manipulate the requests and to split them, directing them to different backend webservers. SiteMinder Secure Proxy Server is one example, but most webservers (Apache, Sun ONE, and IIS) are capable of acting as reverse proxy servers.
    <Client> ---> <Reverse-Proxy> ---> <Backend-Web-Server>
    If you have a webagent in both the Reverse Proxy Server and the Backend Web Server, then the SMSESSION will be decoded and checked twice, and calls so obviously there is some room for optimization.
    Web Agent for Reverse Proxy Server
    Setting for a WebAgent in a Reverse Proxy Server:
    ProxyAgent: = YES|NO
    If set to YES, then this agent will take control of the SMSESSION sent
    ProxyTimeout: 120
    Setting for a WebAgent for a backend server that gets requests from a Reverse Proxy Server:
    Will not write SMSESSION cookie updates back to the client.
    ProxyTrust:= YES|NO
    Will trust the Az rules made by the Proxy Server


  • 4.  RE: ACO Parameters

    Posted Mar 28, 2013 10:54 PM
    Depends on whether the backend application server needs to know the original URL coming from the client's browser.
    Below is the excerpt from WA Install guide mentioned in the previous post:

    ProxyAgent
    Specifies if a Web Agent is acting as a reverse proxy agent.
    When the value of this parameter is yes, the SiteMinder Web Agent on the front-end server preserves the original URL requested by the user in the SM_PROXYREQUEST HTTP header.
    This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.


    Depending on the Apache server configuration, your deployment resembles the Reverse Proxy deployment configuration, and if you want an application deployed on the App Server to know the original URL (for auditing or authz decisions), then you need to enable ProxyAgent.

    ProxyTimeout default is 120 seconds - is usually enough

    If you have other agents deployed behind the proxy agent, then you need to enable the ProxyTrust, so that those agents trust the authz decisions made by the proxy agent and do not make potentially duplicate calls to PS.
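
A back-end application that reads SM_PROXYREQUEST for auditing or authz decisions, as the last post describes, should accept the header only on requests that arrive from the reverse proxy. The following Python WSGI middleware is an added example, not part of the thread or of SiteMinder; the proxy address 10.0.0.5, the `app.original_url` key and the assumption that the header holds an absolute http(s) URL are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: address of the front-end reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# WSGI/CGI environ name for the SM_PROXYREQUEST request header.
HEADER_KEY = "HTTP_SM_PROXYREQUEST"


def from_trusted_proxy(environ):
    """True if the TCP peer is one of the configured reverse proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def original_url(environ):
    """Return the client's original URL, or None if it cannot be relied on."""
    value = environ.get(HEADER_KEY)
    if not value or not from_trusted_proxy(environ):
        return None
    # Reject control characters so the value is safe to write to an audit log.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    # Assumption: the header carries an absolute http(s) URL.
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return value


class OriginalUrlMiddleware:
    """WSGI middleware: expose the vetted URL and always drop the raw header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        url = original_url(environ)
        environ.pop(HEADER_KEY, None)
        if url is not None:
            environ["app.original_url"] = url  # hypothetical key for the app
        return self.app(environ, start_response)
```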