Symantec Access Management

Tech Tip : CA Single Sign-On : not able to resolve to DNS after web agent installation

  • 1.  Tech Tip : CA Single Sign-On : not able to resolve to DNS after web agent installation

    Broadcom Employee
    Posted Apr 06, 2018 10:22 AM

    Issue:


    We're running a Web Agent on IIS, and when we request a resource, we don't get it in the browser and the Web Agent reports the error :

    [04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:321][ProcessRequest][0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][Start new request.]
    [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
    [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:94][CSmResourceManager::ProcessResource][0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmExit.]
    [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:160][CSmResourceManager::ProcessResource][0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][Plugins did not collect required resource data.]
    [04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:348][ProcessRequest][0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][ResourceManager returned SmExit, end new request.]
    [04/03/2018][10:37:26][1896][2196][CSmHighLevelAgent.cpp:321][ProcessRequest][0000000000000000000000005e7a320a-0768-5ac34b56-0894-00a83d6c][][][][][][Start new request.]
    [04/03/2018][10:37:26][1896][5652][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

    Our Web Agent has a firewall in front which does NAT addresses translation. How can we solve this?

     

    Resolution:

     

    In Web Agent ACO, set DisableDNSLookup to yes.

    This parameter will disable DNS lookup for all request. You can safely do this as it will also prevent DOS attack as stated by the documentation :

    DisableDNSLookup No
    Specifies whether to disable DNS lookups to help prevent DNS denial of service attacks. See Help Prevent DNS DOS Attacks.

    Pay attention that the syntax of the parameter is correct :

    Web Agent :: ACO : DisableDNSLookup Syntax
    https://comm.support.ca.com/kb/web-agent-aco-disablednslookup-syntax/kb000050592


    List of Agent Configuration Parameters
    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/list-of-agent-configuration-parameters

     

    KB : KB000076231