Symantec Access Management

Hi All,

Need your valuable thoughts on the SM Web Agent protecting the virtual applications in IIS7.5. In the Siteminder bookshelf, it is not clear or mentioned in the configuration guide, on to configure Siteminder Web agent to protect the virtual applications under Default Web Site. Currently I am able to protect the websites which are under Default Web Site and the websites/pages within the Virtual Directory. But NOT able to protect the virtual application which is under Default Web Site.

On the Web server I am able to create and apply SiteMinder to the DefaultWebSite (and everything contained within), and any custom Sites that I create. Along with the multiple sites and virtual directory in the environment, there are also handful of applications that live underneath DefaultWebSite and only some of which we desire SiteMinder protection.

In IIS7.5, this does not seem to work. I follow the specific details in the installation manual and it seems like it is protecting the sites and virtual directories having multiple web pages but having a challenge to protect virtual applications.

My questions as follows:

1. How to configure SM Web Agent in IIS 7.5 to protect the virtual applications?

2. In IIS 7.5 we have Sites > Default Web Sites > site1, site2, virtual directory1, virtual directory2, virtual app1,virtual app2...

Consider Default Web Site (which also an application by itself) as LEVEL 1 and anything underneath LEVEL 2. After running the SM Web Agent Configuration Wizard, the ISAPI Filters, Handlers, Modules dll files get created at LEVEL1. But what if I want to protect virtual applications at LEVEL 2 such as virtual app1,virtual app2? Can I manually configure ISAPI filters, Handlers, Modules for it? If yes, then do I need to remove the dll files from the Default Web Site (LEVEL 1)?

3. While running the SM Web Agent Configuration Wizard, we only view the Sites > Default Web Sites and its equivalent level, but don't see the LEVEL 2 such as virtual applications, sites where we can select have a granular option where to deploy/create SM Web Agent DLL files. So if CA recommends not to add the DLL files manually and use configuration wizard, then can we expect to have a view of the entire sites hierarchy present in the IIS7.5 while executing the Web Agent Configuration Wizard?

Thanks

Amit Shinde (Johnson Controls)

+420 - 731 618 233

Amit amitshinde    

It does work unless we are talking about Virtual Applications in a different sense.

Here is how I created a Virtual Application

I had to enable ASP from "Role Services" in Server Manager to enable to access the ASP page.

Then installed and configured WebAgent version "ca-wa-12.52-sp01-win64-64.exe". Selected "Default WebSite" during configuration of WebAgent. After reboot of server post installation of WebAgent, accessed the resource i.e. Virtual Application. SiteMinder WebAgent intercepted the request and present a Basic Authentication Challenge.

Kindly suggest if you mean something else as Virtual Application and if the above helps!

Regards

Hubert

Thanks Hubert for the reply and the screenshots... I will validate the same in the customer's environment and share the response. Nevertheless any inputs for point 2 and 3 as well...

I believe the configurations mentioned by you are in place :-)

Thanks

Amit Shinde

Amit,

you gave us a great description of what you are trying, and left us knowing nothing about the bit level and your version of SM.

if 6.0 SP5, remember they certified only cr30+ (maybe later) and  that's only 64 bit

if 6.0 SP6, still only touches 64 bit

12.0 SP3 then which agent? regular or iis?

12.5x, this is  probably best as a CA case

-josh

Hi Josh,

I agree it is my bad...

Environment Details:

Web Server OS: Windows 2008 R2

Web Server version: IIS 7.5

SM version: r12 SP3

SM Web Agent Version: 12.0 QMR03, Update HF-12, Label 910

Web agent installation file - sm-wa-iis-12.0-sp3-cr012-win64.zip

Thanks

Amit Shinde

verify  bit levels. i'm not sure both 32 and 64 bit agents are enabled by default, but if you selected yes i suspect both are.

you may have one enabled and the other disabled, where the app is using the disabled bit level

Hi Josh,

We have a separate application pools for 32-bit and 64-bit application which are in Integrated mode.

For 32-bit application, within the application pool we have enabled the 32-bit Application parameter value as True, whereas for 64-bit application its false.

Thanks

Amit Shinde

are both Web Agents enabled?

i believe it's the <smhome>\win64\bin\iis\webagent.conf and the <smhome>\win32\bin\iis\webagent.conf files...

if i understood right, your response addresses the IIS settings.

Hi Josh,

Both Web Agents are enabled because we have tested the SSO functionality for multiple sites and virtual directory in the environment. But having challenge to protect the Virtual Application or just an application underneath the Default Web Site in IIS 7.5.

I'm perplexed why Siteminder is not able to protect the virtual application as mentioned above after following the standard IIS based configuration steps.

Thanks

Amit Shinde

Amit amitshinde

What does the WebAgent Trace log file say when you access the VirtualApplication URL? Would it be possible for you to paste a complete txn?

Hi Hubert,

Unfortunately I don't have an access to provide the latest logs from the Web Server because of the access limitation. Please allow me to upload the same by tomorrow.

Thank you so much for providing valuable support.

Thank you Josh... Please let those valuable comments flow-in...