Symantec Access Management


Using SPS server in place of webagent

  • 1.  Using SPS server in place of webagent

    Posted May 29, 2017 08:01 AM

    Hi,

     

    We are trying to replace the traditional webagent with the secure proxy server for an internal application hosted in Docker Container.

    The application information is:

    1. the link to access the application from internet is:

    https://bggg.abc.abcbt.com/REG/InWORK/en_US/enroll.do?pageAction=initialize 

     

    Can you please suggest whether the above URL will go in proxyrules.xml and how it will look, or whether the Apache URL (https://bgggdev.abc.abcbt.com/REG/search_init.do?pageAction=initialize) will go in the proxyrules.xml?

     

    Thanks.



  • 2.  Re: Using SPS server in place of webagent

    Posted May 29, 2017 07:06 PM

    The simple answer is a qualified yes, the proxyrules URL would be the bgggdev URL, but you would also not put the full URI in the proxy rules. 

     

    The proxy rules would look something like:

     

    <nete:proxyrules xmlns:nete="https://bggg.abc.abcbt.com/">
      <nete:forward>http://bgggdev.abc.abcbt.com$0</nete:forward>
    </nete:proxyrules>

    That is basic and default, if you have multiple incoming hostnames you would need to case it out, but that should give you the idea.

    Let us know if you need more assistance.

    Thanks

    J



  • 3.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 12:59 AM

    Hi Deepak,

     

    When you say Apache, do you mean SPS Apache or the backend Apache which is hosting the actual application?

    The answer would differ based on that.

     

    Generally it looks something like this :

     

    Let's say backend Apache or any other web server hosting the resource is :

    http://backend.com/

    (This resource is usually behind firewall and is not accessible from the internet or outside network)

     

    SPS has a virtual host defined as frontend.com (in server.conf). This is accessible from the internet.

    Now, the proxy rules will look something like this:

     

    <nete:proxyrules xmlns:nete="http://www.company.com/">
         <nete:cond type="host">
              <nete:case value="frontend.com:80">
                   <nete:forward>http://backend.com$1</nete:forward>
              </nete:case>
              <nete:default>
                   <nete:forward>http://backend.com$1</nete:forward>
              </nete:default>
         </nete:cond>
    </nete:proxyrules>

     

    Let me know if you have any further questions.

     

    Regards,

    Ujwol



  • 4.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 01:52 AM

    HI Ujwol,

     

    Actually the above clarification helps. Also I need an update from you on one more item. In your previous CA community post you mentioned:

    1. Modify DNS resolution of ourapp.company.com from your old Apache webserver to SPS Host.

    https://communities.ca.com/thread/241772745-new-to-ca-access-gateway-r1252-sp1-cr05

    Please explain how to achieve this.

     

     



  • 5.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 02:01 AM

    Hi Deepak,

     

    That configuration is outside of scope of CA SSO.

    However, refer to the below link which should give you an idea.

    IP Addressing: DNS Configuration Guide, Cisco IOS Release 15M&T - Configuring DNS [Support] - Cisco 

    Refer to section: Mapping Hostnames to IP Addresses


    Regards,

    Ujwol



  • 6.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 02:54 AM

    Hi Ujwol,

     

    Still need some help from you.

    1. Please validate if the below steps are fine.

    2. Please help me understand, once the request goes from the proxy server to the internal webserver, how to fetch the SSO login.fcc (form-based authentication) form before loading the application.

     

    Step 1: User hits the application URL, e.g. http://spsVirtualHost.abc.abcat.com (this URL is based upon the virtual host configured in server.conf of the SPS server).

    This URL needs to be configured through http://spsVirtualHost.abc.abcat.com DNS mapping, so that when the user requests it, it hits the SPS server.

     

    Step 2: The SPS forwards the request to the backend server (configured in the proxy rule), e.g. http://backendserver.abc.abcat.com

    Step 3: Request hits the backend server and fetches the logon page (how to configure this, so that the SSO login.fcc is fetched?)



  • 7.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 03:24 AM

    Hi Deepak,

     

    Yes, here is what happens.

     

    • Step 2: The SPS forwards the request to the backend server (configured in the proxy rule), e.g. http://backendserver.abc.abcat.com
    • Step 3: As the resource is protected in the backend, it does a 302 redirect back to the login page, which should be a relative URI, e.g. /siteminderagent/forms/login.fcc. (Just ensure that your authentication scheme has a relative URI and not hardcoded hostnames.)

     

    This request then goes to SPS and the login.fcc is served from the SPS agent locally. Note, if SPS sees any request for FCC files (or any file extension specified in the FCCExt ACO parameter), it serves it locally and doesn't forward the request to the backend.

     

    If you want the SPS to NOT serve the request for .fcc files locally and still forward the request for fcc files to the backend, you will need to configure the FCCExt ACO parameter to something else (e.g. .fccnew) in SPS and also update the extension of all the forms in SPS to the new extension.

     

    However, we normally recommend having the fcc served directly from SPS.

     

    Regards,

    Ujwol



  • 8.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 03:41 AM

    HI Ujwol,

     

    We already have a form authentication scheme set up for the earlier application that was being SSO'd through the webagent on the webserver. This logon form resides on a separate logon server. Can we still make use of it?



  • 9.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 03:46 AM

    If this is just an fcc page, I would recommend just copying the custom login form (fcc) to SPS under:

    C:\Program Files\CA\secure-proxy\proxy-engine\examples\siteminderagent\forms directory

     

    If this is a non-FCC page, then you don't have to do anything. The request will be forwarded to that login server.

    If you also want to reverse proxy to the login server (hide direct access to the login server from the internet), then you will also have to have a new virtual host for the login server and the related proxy rules.



  • 10.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 04:37 AM

    Hi Ujwol,

     

    So I need to understand the routing once again. We have a separate server which has a login form posted. So upon successful login the request should hit the webserver where the application is hosted.

     

    You are saying that we need to configure this through proxy rules. Can you please state how to implement this?



  • 11.  Re: Using SPS server in place of webagent

    Posted Jun 01, 2017 04:38 AM

    FYI... we are not using login.fcc page



  • 12.  Re: Using SPS server in place of webagent

    Broadcom Employee
    Posted Jun 02, 2017 05:58 PM

    Hi,

    the SPS is built from 2 components:

    1. Apache HTTPD 

    2. Tomcat 

     

    SPS flow: 

    1. request enters the Apache HTTPD server

    2. request is routed (using mod_jk) to the Tomcat instance (using default port 8009)

    3. agent on Tomcat checks access (from cache or from the policy server)

    4. if access is okay, the proxy rules kick in

     

    proxy rules are a mapping from the external requested URL to your backend servers.

    you can find very useful examples inside the proxy-engine/example folder

    the SiteMinder guide is also very useful:

    Proxy Rules Configuration - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    So,

    after the user authenticates (SMSESSION returned in the response) the user should be redirected to a protected resource. Once this request hits the SPS and access is validated, the request is routed using the proxy rules:

     

    for example (from the guide):

    <nete:cond type="uri" criteria="beginswith">
        <nete:case value="/hr">
            <nete:forward>http://hr.company.com$0</nete:forward>
        </nete:case>
        <nete:case value="/employee">
            <nete:forward>http://employees.company.com$1</nete:forward>
        </nete:case>
    </nete:cond>

    this means that if a request that starts with "/hr" hits the SPS and passes the access validation part, the request will be forwarded (nete:forward) to http://hr.company.com$0, where $0 includes the /hr and everything after it.

     

    Oren
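
Tying together the host-based rules in reply 3, the extra virtual host for a reverse-proxied login server from reply 9, and the nested `uri` / `beginswith` example from reply 12, the following is an added Python script for checking a proxyrules.xml offline before it goes onto an SPS. It is not CA/Broadcom code and was not posted in this thread. It assumes the matching semantics the thread describes: a `host` condition compares the requested host:port against each `case` value, a `uri` condition with `criteria="beginswith"` does a prefix match, `default` is taken when no case matches, and in a `forward` target `$0` is the entire requested URI while `$1` is the URI with the matched `beginswith` value stripped (when no URI prefix has been matched, `$1` is treated as the full URI, which is an assumption). The hostnames, the nested rule layout and the lint checks are constructed for the example; the real SPS engine supports more condition types than this model.

```python
"""Resolve sample requests against an SPS-style proxyrules.xml (simplified model).

Added example for the thread above; not CA/Broadcom code. Semantics modelled:
  - <nete:cond type="host">: case value is compared with the request's host:port
  - <nete:cond type="uri" criteria="beginswith">: case value is a URI prefix
  - <nete:default>: taken when no case matched
  - <nete:forward>: $0 = whole requested URI, $1 = URI after the matched prefix
    (assumption: with no matched URI prefix, $1 is the whole URI)
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (hostnames are placeholders): the application virtual host
# with URI-based routing nested inside it, a second virtual host that
# reverse-proxies the separate login server, and a catch-all default.
SAMPLE_PROXYRULES = """<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://www.company.com/">
  <nete:cond type="host">
    <nete:case value="frontend.com:80">
      <nete:cond type="uri" criteria="beginswith">
        <nete:case value="/hr">
          <nete:forward>http://hr.company.com$0</nete:forward>
        </nete:case>
        <nete:case value="/employee">
          <nete:forward>http://employees.company.com$1</nete:forward>
        </nete:case>
        <nete:default>
          <nete:forward>http://backend.com$0</nete:forward>
        </nete:default>
      </nete:cond>
    </nete:case>
    <nete:case value="login.frontend.com:80">
      <nete:forward>http://loginserver.internal$0</nete:forward>
    </nete:case>
    <nete:default>
      <nete:forward>http://backend.com$0</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>
"""


def _local(tag):
    """Strip the namespace so rules work whatever URI xmlns:nete is bound to."""
    return tag.rsplit("}", 1)[-1]


def _children(elem):
    return [c for c in elem if isinstance(c.tag, str)]


def load_rules(xml_text):
    """Parse the file and insist on a nete:proxyrules root (malformed XML raises)."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "proxyrules":
        raise ValueError("root element must be nete:proxyrules")
    return root


def _expand(target, uri, matched):
    # $0 -> whole URI, $1 -> URI after the matched beginswith prefix
    return re.sub(r"\$([01])",
                  lambda m: uri if m.group(1) == "0" else uri[len(matched):],
                  target)


def resolve(node, host, uri, matched=""):
    """Walk the rule tree; return the forward URL for (host, uri) or None if no rule applies."""
    for child in _children(node):
        name = _local(child.tag)
        if name == "forward":
            return _expand((child.text or "").strip(), uri, matched)
        if name == "cond":
            ctype = child.get("type")
            criteria = child.get("criteria", "equals")
            default = None
            for branch in _children(child):
                bname = _local(branch.tag)
                if bname == "default":
                    default = branch
                elif bname == "case":
                    value = branch.get("value", "")
                    if ctype == "host" and host == value:
                        return resolve(branch, host, uri, matched)
                    # beginswith is a plain prefix match: "/hr" also matches "/hrtools",
                    # so order cases carefully or use a trailing slash in the value.
                    if ctype == "uri" and criteria == "beginswith" and uri.startswith(value):
                        return resolve(branch, host, uri, value)
            return resolve(default, host, uri, matched) if default is not None else None
    return None


def lint_rules(root):
    """Review findings for a rule file; an empty list means these checks passed."""
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "cond" and "default" not in [_local(c.tag) for c in _children(elem)]:
            findings.append(f"cond type={elem.get('type')!r} has no nete:default; "
                            "requests matching no case get no forward")
        if name == "forward":
            target = (elem.text or "").strip()
            if not target.startswith(("http://", "https://")):
                findings.append(f"forward target {target!r} is not an absolute http(s) URL")
    return findings


if __name__ == "__main__":
    rules = load_rules(SAMPLE_PROXYRULES)
    for h, u in [("frontend.com:80", "/hr/benefits"), ("frontend.com:80", "/employee/profile"),
                 ("login.frontend.com:80", "/login/form.jsp"), ("other.com:80", "/x")]:
        print(f"{h}{u} -> {resolve(rules, h, u)}")
    for f in lint_rules(rules):
        print("WARN", f)
```

Run it as-is to see the sample resolved, or replace SAMPLE_PROXYRULES with the contents of your own proxyrules.xml and feed it the host:port and URIs you expect users to send. Two things worth checking this way before deployment: that every incoming hostname you serve lands on the backend you intend rather than falling through to the catch-all default, and that a `$1` forward actually strips the prefix you meant (the `/employee` case above turns `/employee/profile` into `http://employees.company.com/profile`, while the `/hr` case keeps the whole path).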