Agents and Reverse Proxy Servers Overview

How Reverse Proxy Servers Work with CA Single Sign-On
A reverse proxy server is a proxy server that acts on behalf of an enterprise to forward requests to the internal network of an organization. The reverse proxy server allows clients to access resources on backend servers (those servers behind a firewall).
Reverse proxy servers provide the following advantages:
  • Users within a cookie domain can access resources on backend servers without reauthenticating. Users from other domains must authenticate through the reverse proxy server and, typically, a firewall before gaining access to those same backend servers.
  • Users can access different resources that are hosted on several backend servers using the same domain name.
  • Reverse proxy agents support the same features as other CA Single Sign-On agents.
  • Protection of resources that are on servers for which a CA Single Sign-On agent is not supported. In this situation, deploy a reverse proxy server in front of the backend server. The supported agent protects the resources hosted on the backend server. The backend server does not require a CA Single Sign-On agent.
CA Single Sign-On agents that are installed on the reverse proxy server can protect resources on backend servers. The following illustration shows a network with a reverse proxy server using a CA Single Sign-On agent:
Reverse Proxy Deployment
CA Access Gateway
For users who require a more sophisticated reverse proxy solution, CA Access Gateway provides the following benefits over the Apache or Oracle iPlanet-based CA Single Sign-On Reverse Proxy Agent:
  • An embedded and fully supported web server, including SSL accelerator card support and a GUI tool for managing keys and certificates
  • Support for multiple session schemes (cookie-based and cookie-less)
  • Support for flexible proxy rules, such as the following:
    • Support for rules that are based on HTTP headers and CA Single Sign-On responses, in addition to URLs.
    • Ease of use for complex rules.
SM_PROXYREQUEST HTTP Header for CA Single Sign-On Processing with CA Access Gateway
CA Access Gateway introduces a new layer in the traditional CA Single Sign-On architecture. This layer forwards or redirects all requests to destination servers in the enterprise.
When CA Access Gateway processes a request, the URL requested by the user is preserved in an HTTP header variable named SM_PROXYREQUEST. Other applications that require the original URL requested by a user before CA Access Gateway proxied the request can use this header.
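A backend application that reads SM_PROXYREQUEST should treat it as input that only the gateway is entitled to set. The following is an added example, not code from the CA documentation: it accepts the header only from the gateway's addresses and only when it names an expected public host. The gateway network, the host list, the function name, and the assumption that the header carries an absolute URL are all illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed deployment values for this sketch (constructed, not from the product docs).
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.5.0/28")]  # gateway addresses
PUBLIC_HOSTS = {"www.example.com"}                        # host names users request
HEADER = "sm_proxyrequest"                                # compared case-insensitively


def original_url(headers, peer_ip, fallback_url):
    """Return the URL the user requested, or fallback_url if the header is unusable.

    headers: list of (name, value) pairs as received by the backend.
    peer_ip: address of the TCP peer that delivered the request.
    """
    # A client that reaches the backend directly can set the header to anything,
    # so honour it only on requests relayed from the gateway's addresses.
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return fallback_url
    if not any(peer in net for net in TRUSTED_GATEWAYS):
        return fallback_url

    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1:  # absent or repeated
        return fallback_url
    value = values[0].strip()

    # Control characters would let the value split log lines or response headers.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return fallback_url

    try:
        parts = urlsplit(value)
    except ValueError:
        return fallback_url
    if parts.scheme not in ("http", "https"):
        return fallback_url
    if (parts.hostname or "").lower() not in PUBLIC_HOSTS:
        return fallback_url
    return value
```
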