Symantec Access Management


Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

  • 1.  Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 08-01-2017 08:07 AM

    Can we use CA SPS as a backend server behind an Apache web server ?

    e.g.

    www.apache.com is the reverse proxy server and

    www.sps.com is the secure proxy server.

    I have written a ProxyPass rule in apache web server to redirect all the traffic from apache web server to backend sps server as,

    ProxyPass /affwebservices http://www.sps.com/affwebservices
    ProxyPassReverse /affwebservices http://www.sps.com/affwebservices

    ProxyPreserveHost On

    i.e.

    https://www.apache.com/affwebservices -----should proxy to-----> http://www.sps.com/affwebservices

    But this gives an error on the SPS side,

    [ERROR] - Virtual Host is not found

    even when www.sps.com is configured as a virtual host in server.conf of SPS.

    Also if you directly access http://www.sps.com/affwebservices, it works fine.

    I can see that the request from Apache web server is reaching SPS because in the httpd/logs, it shows the IP address of Apache web server with a 'GET /affwebservices 200' message.

     

    Note: I have used 'ProxyPreserveHost On'.

     

    Please suggest.

     

    Regards,

    Anurag



  • 2.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 08-01-2017 10:44 AM

    CA SiteMinder SPS does not support local content. The ability to place content on CA SiteMinder SPS is not exposed, and CA SiteMinder SPS does not support proxy rules for providing access to local content.

     

    CA SiteMinder SPS can be placed in front of all destination servers in the enterprise. HTTP or HTTPS requests that come into the enterprise can be filtered through CA SiteMinder SPS, and forwarded to the appropriate destination server for fulfillment.

     

    Thanks,

    Sharan



  • 3.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 08-01-2017 07:41 PM

    Hi Anurag

    The answer from SungHoon_Kim is probably the solution that will solve the exact issue you have.  

     

    But I just wanted to clarify Sharana's answer above. There are a number of ways that Ag/SPS can be used to support local content. SPS is after all based on apache and tomcat.

     

    For example static content can be placed directly on SPS and served from apache (just need to add httpd/htdocs/ and add a JkIgnore rule in httpd.conf).  This is used to optimize requests for common frequently used and static content in a number of clients - the normal webagent login.fcc uses this method for its static content.

     

    You can deploy .fcc pages, which are served from the webagent engine in proxy-engine/tomcat.

     

    In the odd rare circumstance, we've deployed a webapp into the tomcat engine to deliver a login.jsp page, and that worked fine as well. 

     

    Another common method was for SPS to forward to an IIS server running on the same machine, although obviously on a different port. 

     

    From a supportability perspective, you are allowed to customize the install, there are many modules in the apache, and many ways to add code such as sps filters into tomcat.   In fact a lot of these custom deployments come about via some CA Services engagement.  So although we can't promise to support the customized code or every feature in vanilla apache, we can usually provide some assistance if something isn't working, even if it is to say the feature is disabled or not working as per the standard apache distribution.

     

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 4.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 01-28-2018 12:12 PM

    Hi Mark,

    I have a similar requirement. I'm trying to set up a keepalive.html file for the load balancer probe on CA SPS. I have added the file to the htdocs of Apache, but wanted to understand the JKIgnore rule that you mentioned. Can you please give me an example of this?

    I have also added proxy pass rules for this, but always seem to end up with a SPS Exception.

    Thanks,

    Lalitha



  • 5.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 01-28-2018 12:58 PM

    Hi Lalitha,

     

    Just to understand, are you trying to set up the HTML file which should just be served by the Apache part of SPS, and you don't want the request to reach the backend tomcat part of SPS?

    You can use the JkUnMount in that case.

    JkUnMounting will not forward the request to Tomcat and will instead serve the request locally.

     

    Regards,

    Anurag



  • 6.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 01-28-2018 04:25 PM

    Please open new thread referencing this one. This thread is marked as closed.



  • 7.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?
    Best Answer

    Posted 08-01-2017 06:26 PM

    Your use case is a generic use case.

    The content you want to service from SPS as backend is its localapp(affwebservices).

     

    The reason why I say this is a generic use case is because you may have a loadbalancer in front of SPS for loadbalancing and failover.

     

    If you have set 'ProxyPreserveHost On' on your apache then the HTTP_HOST(www.apache.com) header value will be forwarded to SPS.

    And if your SPS did not have that hostname registered in the virtualhost configuration then that error is expected.

     

    Check your server.conf and register the www.apache.com by appending to the existing hostname separated by a comma as below.

     

    Then restart your SPS and test.
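
The Host-header mismatch described in the answer above, as an added example that is not part of the original post and is not CA/Symantec code. It models which Host header Apache forwards with `ProxyPreserveHost` On or Off and checks it against a comma-separated hostname list; the function names and the matching rules (case-insensitive, port ignored) are assumptions made for illustration.

```python
# Added illustration: which Host header the backend receives, and whether a
# comma-separated virtual-host list accepts it. Matching rules are assumptions.
from urllib.parse import urlsplit


def forwarded_host(client_host, proxypass_target, preserve_host):
    """Host header the backend sees for a request proxied by Apache mod_proxy."""
    if preserve_host:
        # ProxyPreserveHost On: the client's original Host header is passed through.
        return client_host
    # ProxyPreserveHost Off (the default): Host comes from the ProxyPass target URL.
    return urlsplit(proxypass_target).netloc


def normalize(host):
    """Lowercase the header value and drop an optional :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host[: host.find("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def parse_hostnames(value):
    """Split a comma-separated hostnames value into a normalized set."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def diagnose(client_host, proxypass_target, preserve_host, hostnames_value):
    """Return (Host header received by the backend, lookup outcome)."""
    host = forwarded_host(client_host, proxypass_target, preserve_host)
    found = normalize(host) in parse_hostnames(hostnames_value)
    return host, "ok" if found else "Virtual Host is not found"


if __name__ == "__main__":
    target = "http://www.sps.com/affwebservices"  # ProxyPass target from the question
    scenarios = [
        # (label, ProxyPreserveHost, constructed hostnames value)
        ("On, only backend name registered", True, "www.sps.com"),
        ("On, front-end name appended", True, "www.sps.com, www.apache.com"),
        ("Off, only backend name registered", False, "www.sps.com"),
    ]
    for label, preserve, hostnames in scenarios:
        print(label, "->", diagnose("www.apache.com", target, preserve, hostnames))
```
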

     



  • 8.  Re: Can CA Secure Proxy Server (Access Gateway) be used as a backend server ?

    Posted 08-04-2017 08:02 AM

    Thank you for the solution ! SungHoon_Kim

    Great Information in your answer, Mark.ODonohue, thanks !

     

    Regards,

    Anurag