CA Single Sign-On for IIS 7.x Web Servers and Application Request Routing (ARR)

The CA Single Sign-On Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:
How to Set up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ with other CA Single Sign-On Agents for IIS Operating Behind the DMZ
The CA Single Sign-On Agent for IIS protects your entire IIS environment with the following configuration:
  • An IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server).
  • Multiple IIS 7.x web servers behind the ARR server in the DMZ, with each using the CA Single Sign-On Web Agent or Agent for IIS.
    Only certain CA Single Sign-On Web Agents support operating as a reverse-proxy server. However any web server hosting a supported CA Single Sign-On Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.
To implement the previous configuration, use the following multi-step process:
  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
    For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).
    For more information, see the Web Agent Installation Guide for IIS.
  3. Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).
    In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
  4. Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).
Set the CA Single Sign-On Web Agent Configuration Parameters for your IIS 7.x ARR Server in the DMZ
This section describes how to set the Web Agent Configuration parameters when running the CA Single Sign-On Agent for IIS in the following situation:
  • An IIS 7.x Web Server operates in the DMZ using ARR and the CA Single Sign-On Agent for IIS (front end).
  • Other IIS 7.x Web servers behind the DMZ receive requests from the ARR server, but do not use the CA Single Sign-On Agent for IIS (back end).
 
Follow these steps:
 
  1. Verify the following items:
    • ARR 2.0 is installed and configured on the web server in the DMZ.
    • The CA Single Sign-On Agent for IIS is installed and configured on the web server in the DMZ.
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with your CA Single Sign-On Agent for IIS (the front-end running in the DMZ).
  4. Locate the following parameter:
    • ProxyTrust
      Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.
      Default: No
  5. Verify that the value set in the ProxyTrust parameter is no.
  6. Locate the following parameter:
    • ProxyAgent
      Specifies if a Web Agent is acting as a reverse proxy agent.
      When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
      Default: No
  7. Change the value of the ProxyAgent parameter to yes.
  8. Submit your changes to the Agent Configuration Object.
    The Web Agent Configuration parameters are set.
Set the Web Agent Configuration Parameters for your IIS 7.x Servers using CA Single Sign-On Behind the DMZ
This section describes how to set the Web Agent Configuration parameters when running the CA Single Sign-On Agent for IIS in the following situation:
  • An IIS 7.x server operates in the DMZ using ARR (front end).
  • Other IIS 7.x servers behind the DMZ receive requests from the ARR server. Those servers also use the CA Single Sign-On Agent for IIS (back end).
 
Follow these steps:
 
  1. Verify the following items:
    • ARR 2.0 is installed and configured on the web server in the DMZ.
    • The CA Single Sign-On Agent for IIS is installed and configured on the first web server and all the nodes behind your DMZ.
  2. Open the Administrative UI.
  3. Open the Agent Configuration Object (ACO) associated with the first IIS server deployed behind the DMZ.
  4. Locate the following parameter:
    • ProxyTrust
      Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.
      Default: No
  5. Change the value of the ProxyTrust parameter to yes.
  6. Locate the following parameter:
    • ProxyAgent
      Specifies if a Web Agent is acting as a reverse proxy agent.
      When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
      Default: No
  7. Verify that the value of the ProxyAgent parameter is set to no.
  8. Submit your changes to the Agent Configuration Object.
  9. Open the Agent Configuration Object (ACO) associated with an IIS server node deployed behind the DMZ.
  10. Repeat Steps 5 through 10 on each IIS web server node, until all the nodes behind the DMZ are configured.
    The Web Agent Configuration parameters are set.
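The end state of the two parameter procedures above can be checked mechanically. The following Python sketch is an added example, not CA code: it reads a constructed listing of ACO values in a hypothetical text layout (the ACO names and the role= tag are assumptions), applies the "Default: No" values from this page, and reports every agent whose ProxyAgent or ProxyTrust value differs from what the procedure for its role sets, including a farm node whose ACO was never edited.

```python
import re
# Values each procedure on this page ends with, per agent role.
EXPECTED = {
    "front-end": {"ProxyAgent": "yes", "ProxyTrust": "no"},
    "back-end": {"ProxyAgent": "no", "ProxyTrust": "yes"},
}
DEFAULTS = {"ProxyAgent": "no", "ProxyTrust": "no"}  # page: "Default: No"

# Constructed sample in a hypothetical layout (not a product export format).
SAMPLE = """\
[dmz-arr-aco] role=front-end
ProxyAgent = Yes
ProxyTrust = No
[farm-first-aco] role=back-end
ProxyTrust = YES
[farm-node2-aco] role=back-end
# node joined the farm later; parameters never set
[farm-node3-aco] role=back-end
ProxyTrust = yes
ProxyAgent = yes
"""
SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s+role=(?P<role>\S+)$")

def parse_acos(text):
    """Return {aco_name: (role, {parameter: value})} from the sample layout."""
    acos, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = acos.setdefault(m["name"], (m["role"], {}))[1]
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.lower()  # yes/no compared case-insensitively
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return acos

def audit(acos):
    """List (aco, parameter, effective value, expected value) deviations."""
    return [(name, param, params.get(param, DEFAULTS[param]), want)
            for name, (role, params) in acos.items()
            for param, want in EXPECTED[role].items()
            if params.get(param, DEFAULTS[param]) != want]

if __name__ == "__main__":
    for finding in audit(parse_acos(SAMPLE)):
        print("%s: %s is %s, procedure sets %s" % finding)
```

On the sample, the untouched node is reported because its ProxyTrust falls back to the default, and the third node because ProxyAgent was switched on for a back-end agent.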
How to Set Up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ
To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:
  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
    For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).
    For more information, see the Web Agent Installation Guide for IIS.
How to Set up your IIS 7.x Servers with CA Single Sign-On When Operating Behind an ARR Server in a DMZ
The CA Single Sign-On Agent for IIS supports the following configuration using Application Request Routing (ARR):
  • Operating several back-end web servers behind a DMZ-based IIS 7.x web server running ARR.
  • Protecting those back end servers with CA Single Sign-On Web Agents or Agents for IIS.
    Only certain CA Single Sign-On Web Agents support operating as a reverse-proxy server. However any web server hosting a supported CA Single Sign-On Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.
To implement this configuration, use the following multi-step process:
  1. Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
    For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
  2. Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).
    In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
  3. Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).