CA Single Sign-On - 12.52 SP1

CA SiteMinder® IIS 7.x Web Servers and Application Request Routing (ARR)

Last update July 20, 2016


The CA Single Sign-On Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:

SSO--IIS 7.x Web Servers with Application Request Routing Enabled and One Agent for IIS running in the DMZ

SSO--Back End IIS Web Servers Running Agents with Application Request Routing Enabled

SSO--Agents for IIS on Front End and Back End Servers with Application Request Routing Enabled and the ProxyAgent and ProxyTrust Parameters set

How to Set up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ with other CA Single Sign-On Agents for IIS Operating Behind the DMZ

The CA Single Sign-On Agent for IIS protects your entire IIS environment with the following configuration:

  • An IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server).
  • Multiple IIS 7.x web servers behind the ARR server in the DMZ, with each using the CA Single Sign-On Web Agent or Agent for IIS.

    Note: Only certain CA Single Sign-On Web Agents support operating as a reverse-proxy server. However, any web server hosting a supported CA Single Sign-On Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.

To implement the previous configuration, use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

  3. Set the Web Agent Configuration parameters for the CA SiteMinder® Agent for IIS in your DMZ.
  4. Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).

    Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
  5. Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).
  6. Set the Web Agent Configuration Parameters for all of your IIS 7.x Servers using CA SiteMinder® behind the DMZ. Include the first web server and all nodes.

Set the CA Single Sign-On Web Agent Configuration Parameters for your IIS 7.x ARR Server in the DMZ

This section describes how to set the Web Agent Configuration parameters for the CA Single Sign-On Agent for IIS in the following situation:

  • An IIS 7.x Web Server operates in the DMZ using ARR and the CA Single Sign-On Agent for IIS (front end).
  • Other IIS 7.x Web servers behind the DMZ receive requests from the ARR server, but do not use the CA Single Sign-On Agent for IIS (back end).

Follow these steps:

  1. Verify the following items:
    • ARR 2.0 is installed and configured on the web server in the DMZ.
    • The CA Single Sign-On Agent for IIS is installed and configured on the web server in the DMZ.
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with your CA Single Sign-On Agent for IIS (the front-end running in the DMZ).
  4. Locate the following parameter:
    • ProxyTrust

      Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

      Default: No

  5. Verify that the value set in the ProxyTrust parameter is no.
  6. Locate the following parameter:
    • ProxyAgent

      Specifies if a Web Agent is acting as a reverse proxy agent.

      When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

      Default: No

  7. Change the value of the ProxyAgent parameter to yes.
  8. Submit your changes to the Agent Configuration Object.
    The Web Agent Configuration parameters are set.

Set the Web Agent Configuration Parameters for your IIS 7.x Servers using CA Single Sign-On Behind the DMZ

This section describes how to set the Web Agent Configuration parameters for the CA Single Sign-On Agent for IIS in the following situation:

  • An IIS 7.x server operates in the DMZ using ARR (front end).
  • Other IIS 7.x servers behind the DMZ receive requests from the ARR server. Those servers also use the CA Single Sign-On Agent for IIS (back end).

Follow these steps:

  1. Verify the following items:
    • ARR 2.0 is installed and configured on the web server in the DMZ.
    • The CA Single Sign-On Agent for IIS is installed and configured on the first web server and all the nodes behind your DMZ.
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with the first IIS server deployed behind the DMZ.
  4. Locate the following parameter:
    • ProxyTrust

      Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.

      Default: No

  5. Change the value of the ProxyTrust parameter to yes.
  6. Locate the following parameter:
    • ProxyAgent

      Specifies if a Web Agent is acting as a reverse proxy agent.

      When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.

      Default: No

  7. Verify that the value of the ProxyAgent parameter is set to no.
  8. Submit your changes to the Agent Configuration Object.
  9. Open the Agent Configuration Object (ACO) associated with an IIS server node deployed behind the DMZ.
  10. Repeat Steps 5 through 10 on each IIS web server node, until all the nodes behind the DMZ are configured.
    The Web Agent Configuration parameters are set.
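
The end state of the two procedures above (front-end ACO: ProxyAgent yes, ProxyTrust no; back-end ACOs: ProxyTrust yes, ProxyAgent no) can be checked once the values of each Agent Configuration Object are written down. The following Python check is an added example, not part of the CA documentation or product; the ACO names, the `role` labels and the input structure are assumptions, with values entered by hand from the Administrative UI.

```python
# Added example (not CA code): audit recorded ProxyAgent / ProxyTrust values
# against the two procedures on this page.

DEFAULTS = {"ProxyAgent": "no", "ProxyTrust": "no"}  # the page lists "Default: No" for both

# Values each procedure ends with, keyed by the server's role.
EXPECTED = {
    "front-end": {"ProxyAgent": "yes", "ProxyTrust": "no"},   # ARR server in the DMZ
    "back-end": {"ProxyAgent": "no", "ProxyTrust": "yes"},    # first server and every node
}


def effective(params):
    """Return the effective yes/no value of both parameters, applying defaults."""
    # Names and values are case-folded so hand-recorded "Yes"/"yes" compare equal.
    folded = {k.lower(): str(v).strip().lower() for k, v in params.items()}
    return {name: folded.get(name.lower(), dflt) for name, dflt in DEFAULTS.items()}


def audit(agents):
    """Return (aco, parameter, actual, expected) for every value that deviates."""
    findings = []
    for agent in agents:
        role = agent["role"]
        if role not in EXPECTED:
            findings.append((agent["aco"], "role", role, "front-end or back-end"))
            continue
        actual = effective(agent.get("params", {}))
        for name, want in EXPECTED[role].items():
            if actual[name] != want:
                findings.append((agent["aco"], name, actual[name], want))
    return findings


# Constructed sample: hypothetical ACO names and hand-recorded values.
SAMPLE = [
    {"aco": "aco-dmz-arr", "role": "front-end",
     "params": {"ProxyAgent": "Yes", "ProxyTrust": "No"}},
    {"aco": "aco-farm-first", "role": "back-end", "params": {"ProxyTrust": "yes"}},
    {"aco": "aco-farm-node2", "role": "back-end", "params": {}},  # node left at defaults
    {"aco": "aco-dmz-arr-b", "role": "front-end", "params": {"proxytrust": "YES"}},
]

if __name__ == "__main__":
    for aco, name, actual, want in audit(SAMPLE):
        print(f"{aco}: {name} is {actual!r}, procedure expects {want!r}")
```

A back-end node whose ACO was never edited appears as a ProxyTrust finding because both parameters default to No.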

How to Set Up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ

To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).

How to Set up your IIS 7.x Servers with CA Single Sign-On When Operating Behind an ARR Server in a DMZ

The CA Single Sign-On Agent for IIS supports the following configuration using Application Request Routing (ARR):

  • Operating several back-end web servers behind a DMZ-based IIS 7.x web server running ARR.
  • Protecting those back end servers with CA Single Sign-On Web Agents or Agents for IIS.

    Note: Only certain CA Single Sign-On Web Agents support operating as a reverse-proxy server. However, any web server hosting a supported CA Single Sign-On Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.

To implement this configuration, use the following multi-step process:

  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).

    Note: For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).

    Note: In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
  3. Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).