We have a need not to install CA siteminder webagent in the backend app and thinking of using SPS and tunnel this backend app traffic via CA SPS gateway and protect the app URL at SPS level so that we don't need to install webagent in the backend app. How do we protect if some one call backend app URL directing by invoking app hosting server URL (same URL that SPS will proxy forward) by passing required headers that SPS would provide to backend app ? Basically, how does back end app server will ensure that request came via SPS and user is authenticated ? This may be possible by having source IP check in backend app, but it is not reliable and difficult to maintain as we add more SPS servers or replace existing SPS server with new server.
Any suggestiongs ? Really appreciate your input.