Symantec Access Management

  • 1.  CA Access Gateway - Forward to destination Tomcat server via AJP protocol

    Posted May 02, 2017 02:26 PM

    Our current setup with SiteMinder Apache web agent:

     

    Can the CA Access Gateway reverse proxy send requests to the destination Tomcat server via the AJP protocol rather than HTTP? Currently we have an Apache web server frontend with the SiteMinder web agent, and this Apache web server acts as a reverse proxy server to send to the Tomcat application server:

     

    ProxyPass /app ajp://claritysandlb.regence.com:8009/app keepalive=On
    ProxyPassReverse /app ajp://claritysandlb:8009/app

     

    Due to our firewall and security policies we do not allow our Tomcat servers to listen on HTTP but instead only on the AJP port. Moving away from the Apache web agent architecture and into the Access Gateway model, we would need Access Gateway to send traffic directly to the Tomcat app server via the AJP protocol rather than HTTP/HTTPS. Below is the proxy rule that I've tried, but it did not work and I am not even sure if this is possible at all with Access Gateway.

     

    <!-- Proxy Rules -->
    <nete:proxyrules xmlns:nete="SPS Proxy Rule">
       <nete:cond type="host">
          <nete:case value="app.company.com:443">
             <nete:forward>ajp://tomcat.company.com:8009$1</nete:forward>
          </nete:case>
          <nete:default>
             <nete:forward>http://app.company.com$1</nete:forward>
          </nete:default>
       </nete:cond>
    </nete:proxyrules>

     

    Much appreciate any help.

     

    Thanks!



  • 2.  Re: CA Access Gateway - Forward to destination Tomcat server via AJP protocol
    Best Answer

    Posted May 03, 2017 06:28 AM

    CA Access Gateway uses the HTTP client to send requests to the backend server and receive responses from the backend server.
    The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server.
    AJP is Tomcat proprietary, used for connecting to Tomcat from various front-end servers like Apache and IIS; AJP is probably not supported by HTTPClient. Hence it is not possible to use AJP while sending requests to the backend.

     

    Thanks,

    Sharan
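
    To make the "binary protocol" point in the reply above concrete, here is an added example (not part of the thread and not CA/Broadcom code) that encodes and decodes an AJP13 forward request using the field layout from Tomcat's AJPv13 protocol reference. The function names and the 127.0.0.1/localhost client values are assumptions for illustration; the decoder is the kind of helper you would use to read a captured AJP request during troubleshooting.

```python
import struct

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
# Common request headers travel as 2-byte codes 0xA001..0xA00E, not as text.
HEADERS = ("accept accept-charset accept-encoding accept-language authorization "
           "connection content-type content-length cookie cookie2 host pragma "
           "referer user-agent").split()

def ajp_str(s):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"

def encode_forward_request(method, uri, server, port, is_ssl, headers):
    """Web-server-to-container packet: magic 0x1234, length, payload."""
    code = {name: num for num, name in METHODS.items()}[method]
    body = bytes([0x02, code]) + ajp_str("HTTP/1.1") + ajp_str(uri)
    body += ajp_str("127.0.0.1") + ajp_str("localhost") + ajp_str(server)
    body += struct.pack(">H?H", port, is_ssl, len(headers))
    for name, value in headers:  # this sketch only emits coded header names
        body += struct.pack(">H", 0xA001 + HEADERS.index(name)) + ajp_str(value)
    body += b"\xff"  # request terminator, no optional attributes
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def decode_forward_request(pkt):
    magic, length, prefix, method = struct.unpack_from(">HHBB", pkt)
    if magic != 0x1234 or length != len(pkt) - 4 or prefix != 0x02:
        raise ValueError("not an AJP13 forward request")
    pos = 6
    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from(">H", pkt, pos)  # 0xFFFF marks a null string
        start, pos = pos + 2, pos + 2 + (0 if n == 0xFFFF else n + 1)
        return None if n == 0xFFFF else pkt[start:start + n].decode("latin-1")
    protocol, uri, remote_addr, remote_host, server = (read_str() for _ in range(5))
    port, is_ssl, count = struct.unpack_from(">H?H", pkt, pos)
    pos += 5
    headers = []
    for _ in range(count):
        (code,) = struct.unpack_from(">H", pkt, pos)
        if (code & 0xFF00) == 0xA000:  # coded header name
            name, pos = HEADERS[(code & 0xFF) - 1], pos + 2
        else:
            name = read_str()
        headers.append((name, read_str()))
    return {"method": METHODS[method], "uri": uri, "server": server,
            "port": port, "is_ssl": is_ssl, "headers": headers}
# Constructed sample; app.company.com is the placeholder host from the question.
SAMPLE = encode_forward_request("GET", "/app/", "app.company.com", 443, True,
                                [("host", "app.company.com")])
```

    The packet starts with the bytes 0x12 0x34 and carries the method and the Host header as numeric codes, so a client that only writes HTTP request lines cannot produce it, and a connector expecting it rejects plain HTTP text.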



  • 3.  Re: CA Access Gateway - Forward to destination Tomcat server via AJP protocol

    Broadcom Employee
    Posted Aug 18, 2017 06:07 PM

    You can use the HTTP server configuration for AJP-based communication. Update the httpd.conf file as follows for this communication.

     

    #below 5 lines are added to post header on ajp port for appB portal
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule rewrite_module modules/mod_rewrite.so
    RewriteEngine On
    RewriteRule ^/appA/(.*) ajp://127.0.0.1:8010/appB/$1 [P]