Symantec SiteMinder

 View Only

With Secure Proxy Server (now known as Access Gateway) can I connect to older versions of the policy server?

By Mark ODonohue posted Sep 14, 2017 10:39 PM

  
Introduction:

The CA SSO - Secure Proxy Servers releases : R12.51, R12.52, R12.52Sp1 are supported for connecting to some older backend policy server versions.

 

For SPS released R12.51, R12.52, R12.52 Sp1 the recommended install for SPS is still that the Policy Server release version should be equal or greater than the SPS (or webagent) version.  

But there were some considerations with the above SPS releases, mainly that they let you select an earlier release version of the policy server in the install process, and the net result was that, although not the recommended arrangement, it is a supported configuration.

 

This above exception is not the case for SPS releases post R12.52 Sp1, (SPS is now called Access Gateway) so Ag releases R12.6 and R12.7 for supported configuration the policy server release must be >= agent version.

 

A similar situation also exists for CA Sharepoint 2010 Agent.

 

Background:

 Generally SSO agents have a strict regime that a policy server release must be greater than or equal to the webagent release version.   From the R12.52 PSM:

"CA SiteMinder12.52 Policy Server supports Web Agents at a higher CR (cumulative release) number than the Policy Server
provided both are the same level Service Pack."

 

 So a supported configuration is :

WebAgent R12.51  -> PolicyServer R12.51 (or R12.52, R12.52Sp1 or R12.6 or R12.7) 

And example unsupported configurations are :

WebAgent R12.52 -> PolicyServer R12.51

WebAgent R12.52Sp1 -> PolicyServer R12.52

 

But within the Service Pack release the CR level does not matter and the WebAgent can have a latter CR release,  so :  

WebAgent R12.52 Cr5 -> PolicyServer R12.52

WebAgent R12.52Sp1 Cr5 -> PolicyServer R12.52Sp1 Cr1

are also supported configurations. 

 

 

Instructions:

After install and on running the configure of SPS it gives a choice of what policy server version it is being connected to.  The exact choice depends on the release but are : 

    SPS R12.51 – gives choice of PolicyServer : R6, R12, R12.X

    SPS R12.52 – gives choice of PolicyServer : R6, R12.X, R12.5X

    SPS R12.52Sp1 – gives choice of PolicyServer : R12.X, R12.5X

The choice here determined which affwebservices package is installed into the SPS Tomcat deployment.

 

Here was the clarification note from Engineering :

Here are the SPS compatibility with Policy Server guidelines, across versions:

1) SPS 12.5 release was geared towards bringing SPS at parity with web-agents ; and to encourage customer-adoption (without forcing Policy Server upgrades), backward compatibility with older Policy Server versions was provided. 

o) This was mentioned in SPS PSM / Release-Notes & explicitly prompted during SPS configuration-screen too.

 

2) Later versions of SPS, 12.51 & 12.52 continue the configuration screen and support backward compatibility (PS 12.0.x & 12.5 x); though it is not explicitly highlighted in PSM. 

o) However, this compatibility is only for existing/old features & not the new ones. For ex, Session Assurance, support for Active Profile was brought in during 12.52 release and requires both SPS & Policy Server to be 12.52  version. These features are not supported with older PS versions.

 

Hope this clarifies the compatibility questions.  

Also, going forward, with next version of SPS, plan is not to carry forward this backward compatibility, and only support traditional compatibility (old agents support newer servers, for existing features).

 

The going forward ended up converting R12.6 and R12.7 which now have a fixed deployment of affwebservices deployed (the same version as per the release) , and do not allow you to select older versions. 

 

For those R12.5X releases, the screen you are presented with when running SPS configure (ca-sps-config.exe) : is :

For SPS R12.51  & R12.52 

 

 

And for R12.52 Sp1 :

 

 

 

https://support.ca.com/us/knowledge-base-articles.TEC1026157.html

 

0 comments
1 view

Permalink