Chapter 14: Use Web Agents with Proxy Servers
This section contains the following topics:
Configure Agents that Sit behind Proxy Servers (see page 188)
Security Considerations (see page 193)
188 Web Agent Configuration Guide
Configure Agents that Sit behind Proxy Servers
If a Web Agent will be installed behind a proxy server, you can configure the Web Agent to work with proxy servers using the following parameters:
ProxyTrust
Instructs the Web Agent for the destination server to trust the authorizations made by the proxy server. This is more efficient because the Web Agent for the destination server does not need to reauthorize users.
Default: No
ExpireForProxy
Prevents a forward proxy server from caching content (pages and potentially headers or cookies). When this parameter is set to yes (enabled), the Web Agent inserts an Expires or Cache-control header into the HTTP response. If content is not cached, subsequent requests continue to be forwarded.
When the ExpireForProxy parameter is set to yes, the Web Agent inserts the strings specified in the appropriate ProxyHeaderssuffix parameter into the HTTP response based upon what type of request was performed.
The Web Agent adds strings into the HTTP responses as follows:
■ For HTTP/1.1 requests—if the resource is auto-authorized, then the Web Agent inserts the value of all ProxyHeadersAutoAuth parameters into the HTTP response. If the resource is protected, then the Web Agent inserts the value of all ProxyHeadersProtected parameters into the HTTP response. If the resource is not protected, then the Web Agent inserts the value of all ProxyHeadersUnprotected parameters into the HTTP response.
■ For HTTP/1.0 requests—if the resource is auto-authorized, then the Web Agent inserts the value of all ProxyHeadersAutoAuth10 parameters into the HTTP response. If the resource is protected, then the Web Agent inserts the value of all ProxyHeadersProtected10 parameters into the HTTP response. If the resource is not protected, then the Web Agent inserts the value of all ProxyHeadersUnprotected10 parameters into the HTTP response.
Default: No
Note: This parameter applies to proxy servers only.
To tell the proxy not to cache the pages, the Web Agent adds an Expires header for the page. This header is set to a date in the past, which prevents the page from being cached by a proxy, as dictated by the HTTP 1.0 specification. On 302 redirects, a cache-control: no-cache header is set instead. Although this prevents caching of content, it has the negative consequence of affecting the browsing experience for an Internet Explorer (IE) browser, as described by Microsoft Support.
With the use of cache-control: no-cache for 302 redirects, the ActiveX component that manages in-place document viewing in IE relies on the browser's cache to locate the file. Because this header instructs the browser not to cache the file, the ActiveX component cannot locate the file and fails to display the request properly. Further, when you set the Web Agent's ExpireForProxy setting to yes, the back-end server tells the proxy not to cache the resource.
To configure Agents that sit behind proxy servers
1. Set the ProxyTrust parameter to yes.
2. Set the ExpireForProxy parameter to yes.
3. (Optional) Customize the cache-control and ExpireForProxy (HTTP) headers.
The Agents behind the proxy servers are configured.
Customize the Cache-Control and ExpireForProxy Header Settings
You can customize the cache-control and ExpireForProxy headers to secure Web resources without affecting in-place activation of application files (.doc, .pdf, and so on). You can set specific HTTP headers for the following types of content independently to further characterize the data handled by the proxy server:
■ Auto-Authorized
■ Unprotected
■ Protected
Important! We recommend using the default settings unless you are familiar with the ramifications of changing these settings in accordance with RFC 2068. If you plan to change the default settings, note that the SiteMinder session cookie is updated on access of an unprotected page once a user has a session in order to track idle timeout. Therefore, unprotected pages should not be cached on a proxy that caches HTTP headers.
The following characteristics apply to setting headers to prevent caching by proxies:
■ All redirects set a Cache-Control: no-cache header, regardless of agent activity.
■ The web server sends the appropriate headers back to the proxy/client based on the HTTP protocol used (1.0 or 1.1 and higher).
All parameters should be configured using multi-value strings to suit the use of multiple headers, such as cache-control: private and cache-control: max-age=60.
The following is the new configuration:
1. ProxyHeadersDefaultTime - defaults to 60 seconds
2. ProxyHeadersTimeoutPercentage - defaults to 10 percent
3. Auto-authorized resources:
■ For HTTP/1.1, configure ProxyHeadersAutoAuth parameter(s):
ProxyHeadersAutoAuth
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
Example (suggested setting):
ProxyHeadersAutoAuth="Cache-control: max-age=60"
■ For HTTP/1.0, configure ProxyHeadersAutoAuth10 parameter(s):
ProxyHeadersAutoAuth10
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
Example (suggested setting):
ProxyHeadersAutoAuth10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"
4. Unprotected content:
■ For HTTP/1.1, configure ProxyHeadersUnprotected parameter(s):
ProxyHeadersUnprotected
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache
Example (suggested setting):
ProxyHeadersUnprotected="Cache-Control: private"
ProxyHeadersUnprotected="Cache-Control: max-age=60"
■ For HTTP/1.0, configure ProxyHeadersUnprotected10 parameter(s):
ProxyHeadersUnprotected10
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache
Example (suggested setting):
ProxyHeadersUnprotected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"
5. Protected content:
■ For HTTP/1.1, configure ProxyHeadersProtected parameter(s):
ProxyHeadersProtected
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache
Example (suggested settings):
ProxyHeadersProtected="Cache-Control: private"
ProxyHeadersProtected="Cache-Control: max-age=60"
■ For HTTP/1.0, configure ProxyHeadersProtected10 parameter(s):
ProxyHeadersProtected10
Note: You must add this parameter manually.
Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache
Example (suggested settings):
ProxyHeadersProtected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"
When configuring multiple headers, (for example, the cache-control headers in the suggested setting for unprotected HTTP/1.1 content), note the following:
■ You must have multiple occurrences of the configuration parameter and you cannot separate these with a comma (,) or the plus-sign (+).
■ As the values for these configuration parameters are HTTP response headers, they must comply with RFC 2616 (for HTTP/1.1), RFC 1945 (for HTTP/1.0) and RFC 822. Both HTTP/1.1 and HTTP/1.0 specify the format for an HTTP Header as that of an RFC 822 message, namely "Name: Value" (Name, followed by a colon, white space and then a value).
If you do not configure the Web Agent to set the appropriate cache expiration headers when a user accesses unprotected resources, then by default, the Web Agent will not set these headers, thereby allowing a proxy (or browser) to cache an SMSESSION cookie. This cached cookie can be re-used by the proxy (or browser) after the user has initiated a different session (and therefore a different user context), causing an unauthorized impersonation.
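A check for the exposure described above, added here as an example and not part of the guide or of the Web Agent itself: it parses a raw HTTP response, decides whether a shared proxy cache may store it (Cache-Control for HTTP/1.1, Expires for HTTP/1.0), and flags responses that set an SMSESSION cookie without a directive that stops proxy caching. The sample responses, the cookie value and the function names are constructed for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into (HTTP version, [(lowercased name, value), ...])."""
    lines = raw.strip().splitlines()
    version = lines[0].split()[0].split("/", 1)[1]      # "HTTP/1.1 200 OK" -> "1.1"
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers

def shared_cacheable(version: str, headers: List[Tuple[str, str]], now: datetime) -> bool:
    """True if a shared (proxy) cache may store the response."""
    directives = [d.strip().lower() for n, v in headers
                  if n == "cache-control" for d in v.split(",")]
    if version != "1.0" and directives:
        # HTTP/1.1 caches honour Cache-Control, which takes precedence over Expires
        return not any(d in ("no-store", "no-cache", "private", "max-age=0")
                       for d in directives)
    # HTTP/1.0 proxies (and any cache given no Cache-Control) fall back to Expires
    for name, value in headers:
        if name == "expires":
            try:
                return parsedate_to_datetime(value) > now
            except (TypeError, ValueError):
                return False            # unparseable Expires counts as already expired
    return True                         # no freshness information: heuristic caching possible

def smsession_leak_risk(raw: str, now: Optional[datetime] = None) -> bool:
    """True when the response sets SMSESSION and a proxy could cache and replay it."""
    now = now or datetime.now(timezone.utc)
    version, headers = parse_response(raw)
    sets_smsession = any(n == "set-cookie" and v.upper().startswith("SMSESSION=")
                         for n, v in headers)
    return sets_smsession and shared_cacheable(version, headers, now)

# Constructed sample responses (not captured from a real deployment)
LEAKY = "HTTP/1.1 200 OK\nContent-Type: text/html\nSet-Cookie: SMSESSION=sample; path=/\n"
HARDENED_11 = LEAKY + "Cache-Control: private\nCache-Control: max-age=60\n"
HARDENED_10 = ("HTTP/1.0 200 OK\nSet-Cookie: SMSESSION=sample; path=/\n"
               "Expires: Thu, 01 Dec 1994 16:00:00 GMT\n")

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("1.1", HARDENED_11), ("1.0", HARDENED_10)):
        print(label, "cacheable with SMSESSION:", smsession_leak_risk(resp))
```

Cache-Control: private still lets the local browser cache keep the page, which is the point made under Security Considerations about keeping max-age short.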
Proxy Header Usage Notes
■ To prevent the Web Agent from sending any proxy headers, blank out the ProxyHeadersUnprotected value. For example:
ProxyHeadersUnprotected=""
Note: To get a double quote character (") to appear, use a single quote ('). The Web Agent automatically converts it to a double quote.
■ The value %% or %d (treated identically) may appear within a ProxyHeaders line. This value is replaced with the smaller of the IdleTimeout and SessionTimeout multiplied by the ProxyHeadersTimeoutPercentage, or, if the timeouts are not set, the ProxyHeadersDefaultTime is used.
■ Ensure that values for the standard (1.1 and higher) and HTTP 1.0 headers are set properly for requests to the back-end server.
■ ExpireForProxy="YES" will expire cookie provider redirects carrying the SMSESSION cookie in the query string.
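The header selection by HTTP version and resource type described in this section, together with the %d / %% substitution and the "Name: Value" format rule from the usage notes above, modelled in Python as an added example (not the Web Agent's own code): the agent configuration, the IdleTimeout and SessionTimeout values and the function names are assumed, and the documented defaults are assumed to apply whenever a ProxyHeaders parameter is absent.

```python
import re

PAST = "Expires: Thu, 01 Dec 1994 16:00:00 GMT"
# Documented defaults; assumed to apply whenever the parameter is absent from the config
DEFAULTS = {"AutoAuth": [PAST], "Protected": [PAST, "Cache-Control: no-cache"],
            "Unprotected": [PAST, "Cache-Control: no-cache"]}
# RFC 822 "Name: Value": a header token, a colon, white space, then a value
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]+\S.*$")

# Constructed agent configuration; a multi-valued parameter is a list with one
# entry per occurrence of the parameter (never comma- or plus-joined).
AGENT_CONFIG = {
    "ExpireForProxy": "yes",
    "ProxyHeadersDefaultTime": 60,          # seconds
    "ProxyHeadersTimeoutPercentage": 10,    # percent
    "IdleTimeout": 3600,                    # assumed session timeouts, in seconds
    "SessionTimeout": 7200,
    "ProxyHeadersProtected": ["Cache-Control: private", "Cache-Control: max-age=%d"],
    "ProxyHeadersProtected10": [PAST],
    "ProxyHeadersUnprotected": ["Cache-Control: private", "Cache-Control: max-age=60"],
    "ProxyHeadersUnprotected10": [PAST],
    "ProxyHeadersAutoAuth": ["Cache-control: max-age=60"],
    "ProxyHeadersAutoAuth10": [PAST],
}

def timeout_seconds(cfg):
    """%d / %%: min(IdleTimeout, SessionTimeout) scaled by ProxyHeadersTimeoutPercentage, else ProxyHeadersDefaultTime."""
    timeouts = [int(cfg[k]) for k in ("IdleTimeout", "SessionTimeout") if cfg.get(k)]
    if not timeouts:
        return int(cfg["ProxyHeadersDefaultTime"])
    return min(timeouts) * int(cfg["ProxyHeadersTimeoutPercentage"]) // 100

def proxy_headers(cfg, resource_class, http_version, redirect=False):
    """Headers added to one response; resource_class: AutoAuth/Protected/Unprotected, http_version: "1.0"/"1.1"."""
    if str(cfg.get("ExpireForProxy", "no")).lower() != "yes":
        return []
    if redirect:
        return ["Cache-Control: no-cache"]       # every redirect gets no-cache
    key = "ProxyHeaders" + resource_class + ("10" if http_version == "1.0" else "")
    secs = str(timeout_seconds(cfg))
    headers = []
    for raw in cfg.get(key, DEFAULTS[resource_class]):
        if raw == "":                           # ProxyHeadersX="" suppresses the headers
            continue
        header = raw.replace("%%", secs).replace("%d", secs)
        if not HEADER_RE.match(header):
            raise ValueError(f"{key}: not a 'Name: Value' header: {raw!r}")
        headers.append(header)
    return headers
```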
Security Considerations
Browser sessions can persist after logout, so removing the SMSESSION cookie does not prevent a user from using the same browser session to view previously cached files. This problem occurs because the proxy server is not aware of the logout request and retains any protected/unprotected content in its cache for the cache-control: private user until it times out (cache-control: max-age=60).
Thus, such a request would result in a page returned with a valid SMSESSION cookie. The only way to ensure security is to disable keep-alives or close the browser.
Further, the local browser cache is affected by the private/max-age combination since it observes local cache across sessions. For this reason, the max-age time for protected resources should be as short as possible.
Employing the if-modified-since and if-none-match request headers when the allowcacheheaders="FALSE" configuration setting is used (default) does not prevent the proxy server from observing these headers. Thus, these observed headers take effect on the request according to the proxy server.
You could work around this issue by installing:
■ a Web Agent on the proxy server.
■ another filter that removes these headers from the request.
Since HTTP 1.0 and HTTP 1.1 (or higher) use different headers to give instructions to caching proxies, configure the headers for each version so that content is handled appropriately for the type of connection in use.