Symantec Access Management

  • 1.  About HTTPS Ports parameter.

    Posted Jul 02, 2020 02:10 AM
    Hello,

    I would like to confirm about the setting of HTTPS Ports of ACO Parameter.
    Please tell us about the following question.

    【Environment】
    Client <--HTTPSsession--> LoadBalancer <--HTTPSession--> WebServer(WebAgent)

    【Reference】
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/web-agent-configuration/user-protection/define-https-ports.html

    【Question】
    <Question:1>
    I think that HTTPS Ports must be set in the above environment.
    Is the above idea correct?

    <Question:2>
    If Question 1 is correct,
    I am worried about the port number to set.
    Is the port number that should be set as a parameter of the ACO the port used between Client -> Load Balancer? Or is it the port used by Load Balancer -> Web Server? Or should both be set?

    <Question:3>
    I would like to confirm the behavior when HttpsPorts is not set.
    If a timeout occurs, re-authentication (display of the authentication screen) occurs, and the authentication screen is passed,
    is it by specification that access is over "http" instead of "https"?

    Regards.


  • 2.  RE: About HTTPS Ports parameter.
    Best Answer

    Broadcom Employee
    Posted Jul 02, 2020 11:26 AM

    Hi Haruka,

    The HttpsPorts ACO parameter only affects how the web agent chooses a protocol when forming a relative redirect (the web agent will not alter the port for a hard-coded redirect in which the protocol is explicitly specified). By default, with HttpsPorts not set, the agent will use http when redirecting a request received on any port except the web server's designated https port (typically port 443). The web agent detects the port on which a request was received by reading the incoming HTTP_PORT header.

    Setting values for the HttpsPorts parameter changes this behavior so that https will be used for redirects of requests received on any of the listed ports. This parameter essentially tells the agent: if a request is received on any of the following ports, use https when forming redirects. In situations where a load balancer is doing SSL acceleration (using https outside the firewall and http inside), it may be necessary to set the GetPortFromHeaders parameter to Yes (default value is No) if the load balancer is modifying the original request headers. Setting this parameter to Yes causes the web agent to read the port from the HTTP_HOST header rather than the HTTP_PORT header.

    Here are your specific questions and inline answers:

    <Question:1>
    I think that HTTPS Ports must be set in the above environment.
    Is the above idea correct?

    Possibly.  If the load balancer is converting https to http, then yes, the agent will need to know when to use https in redirects as it will be receiving all requests on a single port.

    <Question:2>
    If Question 1 is correct,
    I am worried about the port number to set.
    Is the port number that should be set as a parameter of the ACO the port used between Client -> Load Balancer? Or is it the port used by Load Balancer -> Web Server? Or should both be set?

    This depends on your load balancer configuration. As noted above, you may need to set the GetPortFromHeaders parameter to Yes if the load balancer is changing protocols and modifying the original request header. However, if all redirects that the web agent forms should be https, simply set HttpsPorts to all the ports on which the web server and load balancer listen. This will assure all redirects are https regardless of from where the web agent reads the request port.

    <Question:3>
    I would like to confirm the behavior when HttpsPorts is not set.
    If a timeout occurs, re-authentication (display of the authentication screen) occurs, and the authentication screen is passed,
    is it by specification that access is over "http" instead of "https"?

    As described above, the default behavior of the web agent when HttpsPorts is not set is to form all relative redirects with the http protocol unless the HTTP_PORT specified in the request is the web server's https port (typically the default 443, but the web agent will read the web server config in case the configured https port is one other than 443).


    Regards,
    Pete
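
A small model of the decision rule described in this answer, added here as an illustration for the SSL-offload layout in the question (it is not the Web Agent's own code; the function names, the header layout and the fallback used when HTTP_HOST carries no explicit port are assumptions):

```python
# Added model of the redirect-protocol rule Pete describes above. It is
# illustrative code, not the Web Agent's implementation: HttpsPorts and
# GetPortFromHeaders are the ACO parameter names from the thread; function
# names, header layout and the HTTP_HOST-without-port fallback are assumed.
from typing import Mapping, Sequence


def request_port(headers: Mapping[str, str], get_port_from_headers: bool) -> int:
    """Port the agent believes the request arrived on: HTTP_PORT by default,
    or the port suffix of HTTP_HOST when GetPortFromHeaders=Yes (that suffix
    survives SSL offload by a load balancer that rewrites HTTP_PORT)."""
    if get_port_from_headers:
        host = headers.get("HTTP_HOST", "")
        # skip a bracketed IPv6 literal so its colons are not read as a port
        tail = host.rsplit("]", 1)[-1] if host.startswith("[") else host
        if ":" in tail:
            return int(tail.rsplit(":", 1)[1])
    return int(headers["HTTP_PORT"])  # assumed fallback: no port in HTTP_HOST


def redirect_scheme(headers: Mapping[str, str], https_ports: Sequence[int] = (),
                    get_port_from_headers: bool = False,
                    server_https_port: int = 443) -> str:
    """https only if the request port is the web server's own https port or
    one listed in HttpsPorts; every other relative redirect is formed as http."""
    port = request_port(headers, get_port_from_headers)
    return "https" if port == server_https_port or port in https_ports else "http"


def ssl_offload_scenario() -> dict:
    """Client -> LB on 443 (HTTPS), LB -> web server on 8080 (plain HTTP).
    Constructed headers: the LB is assumed to forward Host sso.example.com:443
    while the back-end request is seen on HTTP_PORT 8080."""
    hdrs = {"HTTP_HOST": "sso.example.com:443", "HTTP_PORT": "8080"}
    return {
        # Question 3: nothing configured, so the post-login redirect is http
        "default": redirect_scheme(hdrs),
        # Question 2, option A: list every port the LB and web server listen on
        "HttpsPorts=443,8080": redirect_scheme(hdrs, https_ports=(443, 8080)),
        # Question 2, option B: read the client-facing port from HTTP_HOST
        "GetPortFromHeaders=Yes": redirect_scheme(hdrs, get_port_from_headers=True),
    }


if __name__ == "__main__":
    for config, scheme in ssl_offload_scenario().items():
        print(f"{config:24} -> redirect uses {scheme}")
```

Run it to see which of the three configurations turns the post-login redirect from http into https for this layout.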




  • 3.  RE: About HTTPS Ports parameter.

    Posted Jul 03, 2020 01:43 AM
    Hello Peter,

    Thank you for your instruction.

    I understand HttpsPorts.
    However, I am concerned about the GetPortFromHeaders that I mentioned in the explanation.

    I checked the GetPortFromHeaders from the reference below.
    [Reference]
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html

    The following was written in the note at the relevant part.
    Is GetPortFromHeaders available for web services that use Apache or IIS?

    ■ Note
    non-framework Domino agents only.

    Regards.