Symantec Access Management

  • 1.  One ACO for two IIS instances

    Posted Jan 29, 2018 06:13 PM

    This might be a dumb question, but can we have one ACO for two IIS instances (on separate machines) for one application? I guess yes, we can have it. Can someone please highlight the pros & cons of it?

     

    We are preparing the scripts for silent installation of the agent on various machines, and the ACO is one of the things which we need to mention. We want to keep our scripts the same, so I'm using the same ACO for more than 2 servers in the TEST environment and it seems to be working fine.



  • 2.  Re: One ACO for two IIS instances
    Best Answer

    Posted Jan 29, 2018 06:29 PM

    Yes, you certainly can use the same ACO in multiple instances.

     

    Do these instances have unique hostnames for each?

    • AgentConfigObject="wac_web1,iiswebsite1.com"
    • AgentConfigObject="wac_web2,iiswebsite2.com"
    • AgentConfigObject="wac_web3,iiswebsite3.com"

     

    Because if you don't, tracing the request on the policy server would be a problem while troubleshooting, as you wouldn't know which agent the request is coming from at a quick look (you can always trace it based on the transaction ID, though, but it would need more work).

     

    Other than that, for manageability purposes I don't think it's a good idea to have the same ACO used by multiple instances, in PROD especially... e.g., if you had to enable tracing, that would then apply to all the agents...



  • 3.  Re: One ACO for two IIS instances

    Posted Jan 29, 2018 06:36 PM

    Thanks Ujwol for your prompt response!

     

    The hostnames are different; however, the FQDN is the same. I've not mentioned any mapping in the TEST environment.

     

    The thing is that the application team is moving their app from on-prem to AWS instances. They asked for a silent installation script which they can embed to create new EC2 instances with SiteMinder installed. So the IP & hostname will be floating; only the FQDN is static. So it's even difficult to have a different ACO name or Agent mapping done in the ACO. Can you suggest any workaround here?



  • 4.  Re: One ACO for two IIS instances

    Posted Jan 29, 2018 06:46 PM

    So you are basically using only the "defaultagentname"? And not the agentname <--> FQDN mapping?

    How about the trusted hosts, are the multiple instances going to have unique trusted hosts or share that also?



  • 5.  Re: One ACO for two IIS instances



  • 6.  Re: One ACO for two IIS instances

    Posted Jan 29, 2018 07:50 PM

    That's right! I'm using defaultagentname and the agentname mentioned, but not FQDN mapping.


    We have manipulated the script to increment the Trusted host name counter by 1 every time they run the script on a new server. Host registration is done on each instance.