CA SiteMinder® Reverse Proxy Deployment Considerations

Typically, when you deploy an Apache or Oracle iPlanet reverse proxy Agent, a firewall is located between the Apache or Oracle iPlanet Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.
sm1252sp1
Typically, when you deploy an Apache or Oracle iPlanet reverse proxy Agent, a firewall is located between the Apache or Oracle iPlanet Web Agent and the servers hosting the protected resources. The Policy Server should also be located behind the firewall.
The following illustration shows a
CA Single Sign-On
reverse proxy deployment.
SSO--Apache-based or Oracle Agents Configured as Reverse Proxy Server
SSO--Apache-based or Oracle Agents Configured as Reverse Proxy Server
When deploying a
CA Single Sign-On
reverse proxy Agent, consider the following:
  • If a policy has been configured to return response attributes, the variables are sent to both the reverse proxy server and the backend web server on which the protected resource resides. When a request is made for a protected resource, the Policy Server first sends response attributes (CGI or HTTP variables) to the Agent on the Apache or Oracle iPlanet server. The Agent then puts the response attributes in the request that is sent to the backend server.
  • If any of the backend servers or protected applications provide their own authentication functionality, the authentication must be disabled. Disabling the backend authentication ensures that
    CA Single Sign-On
    ’s authentication takes precedence.
    When configuring the cache for the reverse proxy be aware that all cookies are cached, including the SMSESSION cookie. For assistance see your Apache or Oracle iPlanet web server documentation.