Basic Agent Setup and Policy Server Connections

This content provides information about how to configure the agent and set up Policy Server connections.
Default Settings of Agent Configuration Parameters
The default settings for the agent configuration parameters are always used unless a different value is specified.
If a parameter does not exist in the agent Configuration Object or local configuration file, the default value is used.
Set the AgentName and DefaultAgentName Values
Configure the AgentName value to define the identity of the agent and the DefaultAgentName value to define a name that the agent uses to process requests.
Follow these steps:
  1. Specify an AgentName value by doing one of the following steps:
    • For central agent configurations, open the Agent Configuration Object on the Administrative UI, and then add the values that you want to the AgentName parameter.
    • For local agent configurations, open the local configuration file on your web server. Add the values that you want on separate lines in the file.
  2. Specify a DefaultAgentName value by doing one of the following steps:
    • For central agent configurations, open the Agent Configuration Object on the Administrative UI, and then add the value that you want to the DefaultAgentName parameter.
    • For local agent configurations, open the local configuration file on your web server. Add the values that you want to the DefaultAgentName parameter.
    The AgentName and DefaultAgentName values are set.
If you are configuring virtual server support, specify a value for either the AgentName or the DefaultAgentName parameter.
AgentName
Defines the identity of the agent. This identity links the name and the IP address or FQDN of each web server instance hosting an Agent. The Policy Server uses this identity to tie policies to an agent.
The value of the DefaultAgentName is used instead of the AgentName parameter if any of the following events occur:
    • The AgentName parameter is disabled.
    • The value of AgentName parameter is empty.
    • The values of the AgentName parameter do not match any existing agent object.
This parameter can have more than one value. Use the multivalue option when setting this parameter in an Agent Configuration Object. For local configuration files, add each value to a separate line in the file.
Default: No default
Limit: Multiple values are allowed, but each AgentName parameter has a 4,000 character limit. Create additional AgentName parameters as needed by adding a character to the parameter name. For example, AgentName, AgentName1, AgentName2.
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.
Example: myagent1,192.168.0.0 (IPv4)
Example: myagent2, 2001:DB8::/32 (IPv6)
Example: myagent,www.example.com
Example (multiple AgentName parameters): AgentName1, AgentName2, AgentName3. The value of each AgentName<number> parameter is limited to 4,000 characters.
DefaultAgentName
Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.
If you are using virtual servers, you can set up your CA Single Sign-On environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.
If you do not specify a value for the DefaultAgentName parameter, then the AgentName parameter must list every agent identity. Otherwise, the Policy Server cannot tie policies to the agent.
Default: No default.
Limit: Use only one value. Multiple values are prohibited.
Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.
Restrict Changes to Local Configuration Parameters
With central agent configuration, you can restrict the configuration parameters that local web server administrators can modify. We recommend this method when the CA Single Sign-On administrator and the web server administrator are different people.
Follow these steps:
  1. Log in to the Administrative UI.
    The Welcome screen appears.
  2. Click Infrastructure, Agent Configuration Objects.
    A list of Agent Configuration Objects appears.
    Click the edit icon in the line of the Agent Configuration Object that you want.
    The Modify Agent Configuration dialog appears.
  3. Click the edit icon to the left of the AllowLocalConfig parameter.
    The Edit Parameter dialog appears.
  4. Erase the text in the Value field, and then click the multivalue option button.
  5. Click Add.
    An empty field appears.
  6. Type the name of the parameter to which you want to allow access in the field. Separate multiple parameters with commas. Only those parameters in the list can be changed locally.
    Example: The following example shows how to allow only the EnableAuditing and EnableMonitoring parameters to be set on the local web server:
    AllowLocalConfig=EnableAuditing,EnableMonitoring
  7. (Optional) Repeat Steps 5 and 6 to add more parameters.
  8. Click OK.
    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.
  9. Click Submit.
    The Modify Agent Configuration dialog closes, and a confirmation message appears.
  10. (Optional) Enter any remarks about the change in the Comment field for future reference.
  11. Click Yes.
    Your changes will be applied the next time the Web Agent polls the Policy Server.
Ensure that Agent Names Match
CA Single Sign-On rules and policies are tied to agent names. If a request is made to a host with an agent name that is unknown to the Policy Server, the Policy Server cannot implement policies. Therefore, the value for the agent DefaultAgentName or AgentName parameter must match the name of an Agent entry defined at the Policy Server.
You define an Agent at the Policy Server using the Administrative UI. The value you enter in the Name field of the Agent Properties dialog box is the value that must match the name defined for the DefaultAgentName or AgentName setting, whether the agent is configured locally (Agent configuration file) or centrally from the Policy Server (Agent Configuration Object).
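As an added example (not part of this documentation or the product's own tooling), the following Python audit script applies the rules stated above to a constructed local configuration file: it checks AgentName and DefaultAgentName values against the stated character and count limits, matches them case-insensitively against a constructed set of Agent names defined at the Policy Server, and flags local parameters that the AllowLocalConfig list does not permit. The file layout, the Policy Server agent set, and the treatment of the two identity lines as exempt from AllowLocalConfig are assumptions.

```python
# Constructed sample local agent configuration file (not a real deployment); per the page,
# one AgentName value per line, and DefaultAgentName takes a single value.
LOCAL_CONF = """\
AgentName=myagent1,192.168.0.0
AgentName=myagent,www.example.com
AgentName=bad&name,10.0.0.1
DefaultAgentName=MyAgent
EnableAuditing=yes
LogFile=yes
"""
POLICY_SERVER_AGENTS = {"myagent", "myagent1"}               # constructed Agent objects at the Policy Server
ALLOW_LOCAL_CONFIG = ["EnableAuditing", "EnableMonitoring"]  # the page's AllowLocalConfig example
IDENTITY = {"agentname", "defaultagentname"}  # assumption: identity lines are not gated by AllowLocalConfig

def parse_local_conf(text):
    """Return {parameter: [values]}; a key repeated on several lines (AgentName) accumulates."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            params.setdefault(key.strip(), []).append(value.strip())
    return params

def valid_name(name):
    """Page limits: 7-bit ASCII 32-127, one or more printable characters, no '&' or '*', <= 4,000 chars."""
    if not name or len(name) > 4000 or "&" in name or "*" in name:
        return False
    return all(32 <= ord(c) <= 127 for c in name) and any(not c.isspace() for c in name)

def audit(local_text, ps_agents, allow_local):
    """Return (kind, detail) findings; an empty list means the file follows the page's rules."""
    params = parse_local_conf(local_text)
    known = {a.lower() for a in ps_agents}                # agent names are not case-sensitive
    findings = []
    for entry in params.get("AgentName", []):
        name = entry.split(",", 1)[0].strip()             # "name,ip-or-fqdn" form from the page
        if not valid_name(name):
            findings.append(("invalid-agentname", entry))
        elif name.lower() not in known:
            findings.append(("unknown-agentname", name))  # Policy Server cannot tie policies to it
    defaults = params.get("DefaultAgentName", [])
    if len(defaults) > 1:
        findings.append(("multiple-defaultagentname", ";".join(defaults)))
    elif defaults and (not valid_name(defaults[0]) or defaults[0].lower() not in known):
        findings.append(("bad-defaultagentname", defaults[0]))
    allowed = {p.lower() for p in allow_local}
    for key in params:
        if key.lower() not in IDENTITY and key.lower() not in allowed:
            findings.append(("not-in-allowlocalconfig", key))  # central value stays in effect
    return findings
```

Running `audit(LOCAL_CONF, POLICY_SERVER_AGENTS, ALLOW_LOCAL_CONFIG)` on the sample reports the `bad&name` entry and the `LogFile` line that AllowLocalConfig does not permit.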
Encrypt the Agent Name
The agent, by default, adds its name to the URL that redirects a user to a forms, SSL, or NTLM credential collector. The EncryptAgentName parameter controls whether the agent encrypts its name in the URL and whether the credential collector decrypts the name when it receives the URL.
The default setting for the EncryptAgentName parameter is yes. You should set this parameter to no in either of the following situations:
  • If a third-party application is working with the credential collector and it must be able to read the Agent name for processing.
  • If you configure an agent as a Forms Credential Collector (FCC) for forms authentication, and direct users to a single resource to be authenticated. The procedure to configure a single resource target requires an un-encrypted Agent name.
To encrypt the agent name, set the EncryptAgentName parameter to yes.
How to Manage Agent and Policy Server Communication
You can manage the communication between agents and the Policy Server using any of the following procedures:
Accommodate Network Latency
When network latency issues exist, the agent cannot connect with the Policy Server. To accommodate any network latency, enable the AgentWaitTime parameter in the local configuration file.
AgentWaitTime
Specifies the number of seconds that the agent waits for the Low-level agent Worker process (LLAWP) to become available. When the interval expires, the agent tries to connect to the Policy Server.
Setting this parameter can help to resolve agent start-up errors that are related to the LLAWP connections. We recommend starting with the default value and then increasing the interval 5 seconds each time until the agent starts successfully.
Default: 5
Example: Calculate a suggested value with the following formula:
(The_number_of_Policy_Servers x 30) + 10 = value of the AgentWaitTime parameter (in seconds).
For example, if you have five Policy Servers, then set the value of the AgentWaitTime parameter to 160. [(5x30) + 10 = 160] (seconds).
Limit: (FIPS-compatibility and FIPS-migration modes) minimum of 5.
Limit: (FIPS-only mode) minimum of 20.
Use a higher setting only if network latency issues exist. A high setting can cause unexpected web server behavior.