Symantec Access Management

  • 1.  Secure Proxy Server default rule

    Posted Aug 03, 2018 10:33 PM

    Hello, it is my understanding that a proxy rule condition must have a child element of default and the default also must have an action. Is there a way to do nothing? I have multiple domain names on the proxy server and do not want to have to account for each domain in the default rule.

     

    It seems that you used to be able to point to a different proxy rule per Virtual Host but now it seems it is global.

     

    Outside of spinning up a separate instance, how are others handling it?  I would like for it to just break out (do nothing) if no condition is matched.

     

    Any help is greatly appreciated.

     

    Thanks, John



  • 2.  Re: Secure Proxy Server default rule

    Posted Aug 05, 2018 01:44 PM

    To put the question a different way, I have been playing around with it some more and realized that the proxy server/rules should only be used to redirect (or forward) to a different server (or instance) and that a redirect that results in going back to the proxy server will cause an indefinite loop. Is this correct? The proxy server until this point is being used mainly as a webserver and if I start adding rules I am afraid I will break what is there. It seems my only alternative is another instance (on the same server). My question now is, since the proxyrules.xml is referred to within the server.conf, will another instance create another server.conf file or just another httpd.conf file? My whole goal here is to leave what is existing and create a different instance (on a different port) where I can have proxy rules that will not impact the existing instance. Thoughts?

     

    Thanks,

     

    John



  • 3.  Re: Secure Proxy Server default rule

    Broadcom Employee
    Posted Aug 10, 2018 04:09 PM

    Hi John 

    To leave what is existing and create a different instance where you can have proxy rules that will not impact the existing instance, from an out-of-the-box point of view, you would have to install another (SPS) proxy server on another server, as I am sure you know.

     

    As for your statement that the proxy server/rules should only be used to redirect (or forward) to a different server (or instance) and that a redirect that results in going back to the proxy server will cause an indefinite loop: that is correct.

     

    Regards

    Terence



  • 4.  Re: Secure Proxy Server default rule

    Posted Aug 10, 2018 05:06 PM

    Thanks. I have actually been playing with it more trying to understand it and I believe I have a solution to not have to set up a new instance. I found that the only things that go through the proxy rules are URIs that do not match the definitions in the Contexts tag in the server.conf - so, I am able to specify a URI that is not defined in the server.conf when I want to hit the proxy rules and then the redirects would be back to ones that are (such as FED Services). This works in my case since all of my redirects would either be to another site or back to the redirectjsp on the same server.

     

    So far it is working. Does anyone see a problem I will run into with that?



  • 5.  Re: Secure Proxy Server default rule

    Broadcom Employee
    Posted Aug 24, 2018 02:50 PM

    I have not seen that solution and don't know if that would be supported. Don't know if anybody else has any thoughts on this solution.



  • 6.  Re: Secure Proxy Server default rule

    Broadcom Employee
    Posted Aug 24, 2018 03:05 PM

    Hi, 

    Secure Proxy Server deploys default examples; not sure if you have gone through the sample out-of-the-box files or not.

    They should be under ~/secure-proxy/proxy-engine/examples/proxyrules

    The documentation further explains them in detail.

    Proxy Rules Configuration - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    I would suggest not doing anything fancy; for most customers, proxy by host or by URI should be sufficient.

    If you have multiple virtual hosts, then the hosts must already be defined in your httpd.conf as well as server.conf.

    I do think there needs to be a default proxy rule section, where everything is caught if the logic is somehow flawed in the configuration.

     

    Thank You,

    Hongxu



  • 7.  Re: Secure Proxy Server default rule

    Posted Aug 27, 2018 10:36 AM

    Hi, I am not sure if my issue was completely understood. I am not trying to do anything fancy and I should be able to set proxy rules on any criteria I want. My issue was that my redirect happened to be back to the same server and not away from the server and so kept coming back to the proxy rules.

     

    I have found (perhaps an unintended feature) that URIs that match one of the "Contexts" specified in the server.conf DO NOT go through the proxy rules and all others do - SO, if redirecting back to the same server is your final target, specifying a Context in the server.conf file (or using an existing one) seems to work. Try it and you will see.

     

    Thanks,

     

    John