Symantec Access Management

  • 1.  Inclusion list of Siteminder Webagent

    Posted Oct 28, 2014 11:35 PM

    Hi Everyone,

     

    I have a requirement where the customer requires the inclusion rules to be implemented at the web agent end.

    i.e. the web agent determines whether the request should be forwarded to the policy server or not.

    The ignore parameters (ignore URL, ignore Extensions) defined on the ACO are not a solution here, for the following two reasons:

     

    1. It is defined in the ACO, which means the traffic has to go to the policy server end (the customer doesn't want these to reach the policy server at all).

    2. It is an Exclusion list rather than an inclusion list.

     

    Suggestions are welcome to achieve the above.

    Also, can someone confirm whether the traffic will still flow to the policy server if these parameters are defined in the localconfig.conf file?



  • 2.  Re: Inclusion list of Siteminder Webagent

    Posted Oct 29, 2014 01:04 AM

    Hi Robab,


    IgnoreURL and IgnoreExt are indeed a solution for your use case, for the following reasons:

     

    - IgnoreURL and IgnoreExt processing is done on the client side (web agent side), and if they match, the request is NOT forwarded to the policy server.

      The Web Agent is able to do so because when it initializes at startup it fetches all the ACO parameters from the policy server and caches them locally.

    - The reverse of exclusion is inclusion, so once you define a list which shouldn't be forwarded to the policy server (using IgnoreExt/IgnoreURL), the remaining list of resources (the inclusion list) which needs to be forwarded to the policy server is automatically determined.

     

    The configuration defined in the LocalConfig.conf just overwrites the one defined in the central configuration (ACO).

     

    Sample web agent log to prove the idea:

     

    [10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][][CSmHttpPlugin.cpp:574][CSmHttpPlugin::ProcessResource][][][][][*127.0.0.1][][][][][][][][][][Resolved URL: '/ignoreme/'.]

    [10/29/2014][15:44:38.168][940][248][][][][CSmHttpPlugin.cpp:4179][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][][][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]

    [10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][/ignoreme/][CSmHttpPlugin.cpp:687][CSmHttpPlugin::ProcessResource][][][][][*127.0.0.1][][][][][][][][][][Resolved METHOD: 'GET'.]

    [10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][/ignoreme/][CSmHttpPlugin.cpp:740][CSmHttpPlugin::ProcessResource][][][][][*127.0.0.1][][][][][][][][GET][][Resolved cookie domain: '.ujwol.com'.]

    [10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][/ignoreme/][CSmSessionManager.cpp:148][CSmSessionManager::EstablishSession][][][][][*127.0.0.1][][][][][][][][GET][][No plugins responded, returning SmNoAction.]

    [10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][/ignoreme/][CSmHighLevelAgent.cpp:394][ProcessRequest][][][][][*127.0.0.1][][][][][][][][GET][][ProtectionManager returned SmNo, end new request.]

     

    As you can see above, the web agent determines that the resource "ignoreme" matches the IgnoreUrl filter and hence auto-authorizes it by itself and doesn't forward it to the policy server for further processing.

     

    Hope this helps.

     

    Cheers,

    Ujwol
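
An added example, not part of the original posts: a small Python audit helper that reads trace lines in the format of the sample log above and reports which resolved URLs the agent auto-authorized through the IgnoreUrl filter. The field positions are inferred from that sample (an assumption, since the trace layout is configurable), and the third input line is constructed for contrast.

```python
import re

# Field positions inferred from the sample trace lines in this thread (assumption:
# adjust the indexes if your agent's trace format is configured differently).
PID, TID, MSG = 2, 3, -1
URL_RE = re.compile(r"Resolved URL: '([^']*)'")

def parse(line):
    """Split one '[a][b]...[z]' trace line into its bracketed fields."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    return line[1:-1].split("][")

def classify(lines):
    """Return {url: 'ignored' | 'evaluated'} for every resolved URL in the trace.

    The auto-authorize line carries no URL or transaction id, so it is tied to
    the most recent 'Resolved URL' seen on the same process/thread pair.
    Only the IgnoreUrl message shown in the thread is matched.
    """
    last_url = {}   # (pid, tid) -> URL currently being processed on that thread
    result = {}
    for raw in lines:
        fields = parse(raw)
        if fields is None or len(fields) <= TID:
            continue
        key = (fields[PID], fields[TID])
        match = URL_RE.search(fields[MSG])
        if match:
            last_url[key] = match.group(1)
            result.setdefault(match.group(1), "evaluated")
        elif "matches IgnoreUrl filter" in fields[MSG] and key in last_url:
            result[last_url[key]] = "ignored"
    return result

# Lines 1-2 are taken from the sample log in the thread; line 3 is constructed.
SAMPLE = [
    "[10/29/2014][15:44:38.168][940][248][239b0220000040f50000000040f5239b-03ac-545070b6-00f8-00a6483d][agent-vm1][][CSmHttpPlugin.cpp:574][CSmHttpPlugin::ProcessResource][][][][][*127.0.0.1][][][][][][][][][][Resolved URL: '/ignoreme/'.]",
    "[10/29/2014][15:44:38.168][940][248][][][][CSmHttpPlugin.cpp:4179][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][][][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]",
    "[10/29/2014][15:44:39.001][940][252][][agent-vm1][][CSmHttpPlugin.cpp:574][CSmHttpPlugin::ProcessResource][][][][][*127.0.0.1][][][][][][][][][][Resolved URL: '/app/account/'.]",
]

if __name__ == "__main__":
    for url, state in classify(SAMPLE).items():
        print(f"{state:10} {url}")
```

Run against a real trace file, the "ignored" set is the list of paths the agent lets through without any policy server decision, which is worth reviewing whenever IgnoreUrl or IgnoreExt values change.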



  • 3.  Re: Inclusion list of Siteminder Webagent

    Posted Oct 29, 2014 05:37 AM

    Hi Ujwol,

     

    Thanks for such a vivid explanation.

    It solves my query pretty much.

    I just have one more doubt: if the application is installed on an Apache web server, is there any way we can configure <location match>?

    I.e. only the URLs falling under the location match are forwarded to the Web Agent and the others are not even forwarded to the agent?



  • 4.  Re: Inclusion list of Siteminder Webagent

    Posted Nov 02, 2014 06:10 PM

    Hi Robab,

     

    The web agent, as a plugin to the web server, will intercept requests that come in when the web agent is enabled. We cannot perform location match.

    However, we can configure an unprotected realm (Realm -> select the Unprotected radio button) to exclude those resources that you don't want the web agent to protect. In that case, the web agent will still check the resource, but since it is unprotected, it will not challenge the user and will allow the user access without a login challenge.

    Hope this helps.

     

    Regards,

    Kar Meng



  • 5.  Re: Inclusion list of Siteminder Webagent

    Posted Nov 02, 2014 08:48 PM

    Hi KarMeng,

     

    Thanks for the revert. Though what I want to achieve is traffic control, i.e. minimum hit to the policy server and webagent if possible.

    Do you suggest any way to achieve this?

     

    Regards,

    Robab