Chapter 15: Configure Reverse Proxy Servers
This section contains the following topics:
Types of Reverse Proxy Solutions
How Reverse Proxy Servers Work with SiteMinder
SiteMinder Secure Proxy Server
Types of Reverse Proxy Solutions
SiteMinder supports the following reverse proxy solutions:
■ The Apache-based reverse proxy agent
■ The Sun Java System-based reverse proxy agent
■ The SiteMinder Secure Proxy Server
How Reverse Proxy Servers Work with SiteMinder
You can configure the Apache or Sun Java System web server to function as a reverse proxy server. A reverse proxy server is a proxy server that acts on behalf of an enterprise to forward requests to an organization's internal network. It allows clients to access resources on backend servers, which are servers behind a firewall.
If your environment uses an Apache or Sun Java System reverse proxy server as a gateway to your back-end servers, a SiteMinder Web Agent can protect these resources. Therefore, you can protect resources that are not protected by a backend SiteMinder Web Agent. Also, your resources are secure for intranet and authorized Internet users.
The following illustration shows a network with a reverse proxy server:
Reverse proxy servers provide the following advantages:
■ Users within a cookie domain may seamlessly access resources on backend servers. Users from other domains must authenticate through the reverse proxy server and, typically, a firewall before gaining access to those same backend servers.
■ Users can access different resources hosted on several backend servers using the same domain name.
■ Reverse proxy agents support the same features as other SiteMinder Web Agents for Apache or Sun Java System Web servers.
■ If you have resources located on servers for which a SiteMinder Agent is not yet available, you can implement an Apache or Sun Java System reverse proxy server in front of the servers. The Web Agent for the Apache or Sun Java System server then protects everything on the backend.
The following illustration describes how a reverse proxy server forwards requests from users to the appropriate resource on a back end server:
SiteMinder Reverse Proxy Deployment Considerations
Typically, when you deploy an Apache or Sun Java System reverse proxy Agent, a firewall is located between the Apache or Sun Java System Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.
The following illustration shows a SiteMinder reverse proxy deployment.
[Illustration labels: Internet user; Intranet user; Internet; Firewall; Apache or Sun Java System Proxy Server/Web Agent; Policy Server; User Store; Policy Store; Marketing Resources (IIS); Payroll Resources (IIS, SSL); Finance Resources (Oracle Application Server)]
When deploying a SiteMinder reverse proxy Agent, consider the following:
■ If a policy has been configured to return response attributes, the variables are sent to both the reverse proxy server and the backend web server on which the protected resource resides. When a request is made for a protected resource, the Policy Server first sends response attributes (CGI or HTTP variables) to the Agent on the Apache or Sun Java System server. The Agent then puts the response attributes in the request that is sent to the backend server.
■ If any of the backend servers or protected applications provide their own authentication functionality, the authentication must be disabled. Disabling the backend authentication ensures that SiteMinder's authentication takes precedence.
Important! When configuring the cache for the reverse proxy, be aware that all cookies are cached, including the SMSESSION cookie. For assistance, contact your Apache or Sun Java System vendor for support.
More Information
Define HTTPS Ports (see page 137)
How to Configure An Apache Reverse Proxy Server
To configure an Apache-based reverse proxy server with SiteMinder, use the following process:
1. Update the settings of the following parameters for any Apache Web Agents located behind the Apache reverse proxy server:
a. Set the ProxyAgent value to yes to indicate that this Agent is acting as a reverse proxy Agent.
b. Set the ProxyTimeout parameter to a value (in seconds).
The reverse proxy uses this value to time out the requests it makes to the Web Agent deployed behind it.
c. Edit the BadURLChars parameter by removing all occurrences of the following value from the list:
%
d. (Optional) Enable the ProxyTrust parameter.
Setting this parameter to yes instructs the Web Agent behind the proxy Agent to trust the session information sent from the proxy Agent and not to re-validate it. Enabling this parameter makes communication more efficient because only one call is made from the proxy Agent to the Policy Server. The Agent behind the proxy does not have to contact the Policy Server.
e. Set the httpsports parameter to indicate to the Apache server which port is set up for SSL.
2. Add the following directives to the httpd.conf file of your Apache Web server:
ProxyPass
Allows mapping of remote servers to the local server. The values in this directive use the following format:
/local_virtual_path partial_URL_of_remote_server
Example: ProxyPass /realma/ http://server.example.org/realma/
ProxyPassReverse
Allows adjustment of the location header by the Apache server on HTTP redirect responses. The values in this directive use the following format:
/local_virtual_path partial_URL_of_remote_server
Example: ProxyPassReverse /realma/ http://server.example.org/realma/
Note: For more information about directives, see the documentation for your web server.
3. Restart your Apache web server.
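The following check is an added example, not part of the SiteMinder guide or of Apache's own tooling. It scans httpd.conf text for the step 2 directives (each ProxyPass paired with an identical ProxyPassReverse) and for the cookie-caching condition described in the Important note under the deployment considerations. It assumes top-level directives only and that caching is done with Apache mod_cache (CacheEnable, CacheIgnoreHeaders); lint_reverse_proxy and the sample host names other than server.example.org are hypothetical.

```python
# Constructed httpd.conf fragment; only the /realma/ mapping comes from the guide.
SAMPLE_CONF = """\
ProxyPass /realma/ http://server.example.org/realma/
ProxyPassReverse /realma/ http://server.example.org/realma/
ProxyPass /payroll/ http://payroll.example.org/app
CacheEnable disk /realma/
"""

def parse_directives(conf_text):
    """Return (lowercased name, args) pairs, skipping blank lines and comments."""
    directives = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.append((name.lower(), args))
    return directives

def lint_reverse_proxy(conf_text):
    """Return findings for top-level ProxyPass/ProxyPassReverse and cache directives."""
    directives = parse_directives(conf_text)
    passes = [(a[0], a[1]) for n, a in directives
              if n == "proxypass" and len(a) >= 2 and a[1] != "!"]  # "!" = not proxied
    reverses = {(a[0], a[1]) for n, a in directives
                if n == "proxypassreverse" and len(a) >= 2}
    findings = []
    for local, remote in passes:
        # Without ProxyPassReverse, backend redirects expose internal host names.
        if (local, remote) not in reverses:
            findings.append(f"{local}: no matching ProxyPassReverse for {remote}")
        # Apache expects both arguments to agree on the trailing slash.
        if local.endswith("/") != remote.endswith("/"):
            findings.append(f"{local}: trailing slash differs from {remote}")
    # Assumes caching is done by Apache mod_cache (CacheEnable / CacheIgnoreHeaders).
    cache_on = any(n == "cacheenable" for n, _ in directives)
    ignored = {h.lower() for n, a in directives if n == "cacheignoreheaders" for h in a}
    if cache_on and "set-cookie" not in ignored:
        findings.append("cache enabled without 'CacheIgnoreHeaders Set-Cookie': "
                        "Set-Cookie headers such as SMSESSION can be stored")
    return findings

if __name__ == "__main__":
    for finding in lint_reverse_proxy(SAMPLE_CONF):
        print(finding)
```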