Ignore Unprotected Resources
You can improve the Web Agent performance by ignoring requests for resources that you do not want to protect. Consider the following configurations to improve performance:
You can improve the Web Agent performance by ignoring requests for resources that you do
notwant to protect. Consider the following configurations to improve performance:
Reduce Overhead by Ignoring File Extensions of Unprotected Resources
Reduce overhead by instructing the Web Agent to ignore requests for certain types of resources with the following parameter:
Specifies the types of resource requests that the Web Agent passes to the web server without checking access policies. The Web Agent allows access to the items with extensions specified by this parameter even if they exist in a realm that is protected by a policy.
You can configure Web Agent to ignore requests in the following conditions:
- The resource ends in one of the extensions that you want to ignore
- The URI of the protected resource contains a single period (.).For example, if a URI for a requested resource is /my.dir/ the Web Agent passes the request directly to the web server.
Default:.class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc
By default, the Agent does
notignore requests for resources that contain two or more periods that are separated by a slash (/). Web Agents handle requests for resources using the process that is shown in the following example:
- The .gif extension is added to the IgnoreExt parameter. The Web Agent ignores requests for resources with the .gif extension.
- A request is made for the following URI:/dir1/app.pl/file1.gif,
- The Web Agent checks /dir1/app.pl/file1.gif against the configured policies because some web servers execute/dir1/app.plas an application instead of serving the file1.gif resource.Granting access to /dir1/app.pl/file1.gif without consulting the web server can result in a security breach.
To reduce overhead, add the extensions to this parameter for the resources you want the Agent to ignore.
Web Agent applies the IgnoreExt parameter to resources in a URL but not to parameter values. Consider this behavior when configuring the IgnoreExt setting.
Specify Virtual Servers for the Web Agent to Ignore
If a web server at your site supports several virtual servers, there may be resources on these virtual servers that you do not want to protect with the Web Agent. To simplify how the Web Agent distinguishes which portions of a web server's content it protects, use the following parameter:
Specifies the fully qualified domain names of any virtual servers that you want the web Agent to ignore. Resources on such virtual servers will be auto-authorized, and the Web Agent always grants access to them regardless of which client makes the request. The authorization decision is based on the configuration of the Web Agent instead of being based on a policy.
The list of ignored hosts is checked first before any other auto-authorization checks, such as the IgnoreExt and IgnoreURL settings. Therefore, the double-dot rule will not trigger an authorization call to the Policy Server for resources on an ignored host but would not be ignored by extension.
The host portion of the URL entries for the IgnoreHost parameter must exactly match what the Web Agent reads for the host header of the requested resource.
This value is case-sensitive.
If the URL uses a specific port, then the port must specified.
For centrally-managed agents, use a multi-value parameter in the Agent Configuration Object to represent several servers. For agents configured with a local configuration file, list each host on a separate line in the file.
Example:(URL shown with port specified)
Example:(local configuration file)
To specify virtual servers for the Web Agent to Ignore, do either of the following tasks:
For central configuration, add the servers you want to ignore to your agent configuration object. For more than one server, use the multi-value setting for the parameter.
- For local configuration, add a separate line for each server in the local configuration file.
Resources using the specified URLs are ignored by the Web Agent and access to those resources is granted automatically.
Ignore Query Data in a URL
The IgnoreQueryData parameter affects the way Web Agents treat URLs. Use this parameter to prevent Web Agent from caching the entire URL and sending the URIs with their query strings to the Policy Server for rule processing.
Specifies whether the Web Agent will cache the entire URL (including the query strings) and send the entire URI to the Policy Server for rule processing. A full URL string contains a URI, a hook (?), and some query data, as shown in the following example:
URLs that have been the subjects of requests are cached by default. Subsequent requests search the cache for a match. If requests for the same URI contain different query data, the match fails. Ignoring the query data improves performance.
When the IgnoreQueryData parameter is set to yes, the following occurs:
- The URL is truncated at the hook. Only the URI is cached and sent to the Policy Server. The query data is maintained elsewhere, for the purpose of maintaining the proper state for redirects.
- Only the part before the hook is sent to the Policy Server for rule processing.
- Both URIs in the following example are handled as the same resource:/myapp?data=1/myapp?data=2
When the IgnoreQueryData parameter is set to no, the following occurs:
- The entire URL is cached.
- The entire URI is sent to the Policy Server for rule processing.
- The URIs in the following example are handled as different resources:/myapp?data=1/myapp?data=2
To have the Web Agent send only URIs to the Policy Server for processing, set the value of the IgnoreQueryData parameter to yes.
Do not enable this setting if you have policies which depend on URL query data.
Allow Unrestricted Access to URIs
If you do not want to protect a set of URIs, configure the IgnoreUrl parameter to direct Web Agent to ignore and allow unrestricted access to those URIs.
Specifies a URI within a URL that must not be protected. Web Agent does not challenge the users who attempt to access the resource associated with the specified URI and allows access to the resource automatically. It also ignores the specified URI in a different domain or multiple URIs. The value is case-sensitive.
You can configure the parameter value in the following formats:
Web Agent ignores the URI
directoryin the following sample URIs:
Allow Unrestricted Access to Specific URI Folder
To allow unrestricted access to a specific folder in a URI, configure the parameter in the following format:
Consider the same sample URIs that are mentioned in
Example 1, Web Agent ignores only the following URI and protects the rest of the URIs:
For a central configuration, add the fully qualified domain names with the URIs that you want to ignore to your agent configuration object. For more than one URI, use the multivalue setting for the parameter. For local configuration, add a separate line for each fully qualified domain name and URI in the local configuration file.