Configure the Virtual Host Settings Manually

The virtual host settings let CA Access Gateway act as a virtual host. You must define one default virtual host and can define multiple virtual hosts. By default, CA Access Gateway provides default virtual host settings that can be used for all the virtual hosts.
If you want to override the default virtual host settings for a virtual host, create a virtual host with the new values. If you do not define virtual host settings during the virtual host creation, CA Access Gateway uses the default value that is defined in the default virtual host settings.
Default Virtual Host Values
The default virtual host settings consist of the following sections:
  • Virtual host details
  • Default session scheme
  • Session scheme mappings
  • Web Agent configuration
Virtual Host Details
The following parameters define the virtual host:
The parameter names are represented as they appear in the server.conf file and Administrative UI, respectively.
  • enablerewritecookiepath
    Rewrites the cookie path to the URI that the backend server set when it received the initial request from the client. This ensures that the backend server does not reset the cookie path to its own resource URI and the browser contains the correct cookie when the client sends subsequent requests.
  • enablerewritecookiedomain
    Rewrites the cookie domain from the domain set to the domain that the backend server set when it received the initial request from the client.
  • enableproxypreservehost
    Preserves the HTTP HOST header and sends it to the backend server.
    When you enable the parameter, it takes precedence over a filter that is configured to control the HTTP HOST header. To disable the parameter and let the filter take precedence over the parameter, perform the following steps:
    1. Open the server.conf file.
    2. Add the following parameter in the Virtual Host section of the virtual host you want to configure:
      filteroverridepreservehost
    3. Set the value of filteroverridepreservehost to yes.
    You can enable filteroverridepreservehost only if a filter is available to control the HTTP HOST header.
  • requestblocksize
    Defines the block size of the request data that must be read at a time before the data is sent to the backend server. You can configure different values for each virtual host that you configure.
    Limits: 1 KB to approximately 352000 KB. For any value greater than or equal to 8 KB, chunks of 8 KB are created. A corresponding chunk size is created for values between 1 KB and 8 KB.
  • responseblocksize
    Defines the block size of the response data that must be read at a time before the data is sent from the backend server to the user. You can configure a different value for each virtual host you configure.
    Limits: 1 KB to approximately 352000 KB.
You must define the block sizes in proportion to the available and allocated JVM heap size for the CA Access Gateway java process. Use large block sizes for large file transfers. Perform the following steps to define the JVM heap size:
  1. Navigate to the appropriate directory:
    • Windows: sps_home/secure-proxy/proxy-engine/conf
    • UNIX: sps_home/secure-proxy/proxy-engine
  2. Open one of the following files:
    • For Windows systems: SmSpsProxyEngine.properties file
    • For UNIX systems: proxyserver.sh file
  3. Add the following parameters in the Java section of the file:
    • -Xms256m
    • -Xmx512m
  4. Save the file.
Default Session Scheme
The default session scheme defines the session scheme that the virtual host uses by default.
Session Scheme Mapping
Session scheme mappings associate session schemes with user agent types. Map the defined user agent types with the defined session schemes.
The following parameters define the session scheme mapping:
The parameter names are represented as they appear in the server.conf file and Administrative UI, respectively.
  • user_agent_name
    Identifies the user agent name that you want to map.
  • session_scheme_name
    Identifies the session scheme that must be mapped.
Web Agent Configuration
The WebAgent.conf file defines the default web agent configuration. If you want to use local configuration, you can point the WebAgent.conf file to a local configuration file, LocalConfig.config.
If you create more than one virtual host, you can use the default Web Agent when you do not intend to use alternate settings in the Web Agent configuration file. If you plan to set any directive differently, for example, to specify a different log level, use a different Web Agent for the new virtual host.
To configure a Web Agent for a new virtual host, perform the following steps:
  1. Create a directory with the name of the new virtual host, for example, serverb.
  2. Copy the contents of the directory for the default virtual host into the new directory.
  3. Run smreghost if the new Web Agent points to a different CA Single Sign-On installation.
    If the Web Agent configuration objects for both virtual hosts point to the same CA Single Sign-On installation, you do not need to run smreghost. You can use the same smhost file for both the Web Agents.
  4. Use a text editor to modify WebAgent.conf to reflect the new agent configuration object. Verify that the Web Agents have different log files.
  5. Open the WebAgent.conf file and add the following required directive with a unique value.
    ServerPath="path"
    • path
      Specifies the fully qualified path to the WebAgent.conf file you are editing.
      • For Windows, this value must be a unique alphanumeric string. The backslash '\' character is not permitted in this string.
      • For UNIX, this value must be the fully qualified path to the WebAgent.conf file you are editing.
  6. Access the Agent Configuration Object at the Policy Server that corresponds to the first host configuration object in the server.conf file. Verify the Agent cache settings for MaxResourceCacheSize and MaxSessionCacheSize, and verify that the cache limits take into account all Agent Configuration Objects.
The requirecookies setting in the server.conf file is a special Web Agent setting that is useful only if basic authentication was set during the Policy Server configuration. This setting instructs the agent to require either an SMSESSION or an SMCHALLENGE cookie to process HTTP requests successfully, including basic Authorization headers.
If you configure the embedded Web Agent to require cookies, the browser must accept HTTP cookies. If the browser does not, the user receives an error message from the Agent denying them access to all protected resources.
Set the requirecookies setting to yes when all user agent types for the associated virtual server use the default session scheme. If an agent type uses a cookieless session scheme, set the requirecookies parameter to no.
Handling Redirects by Destination Servers
Some destination servers can respond to a request from the CA Access Gateway with a redirection.
A redirection that is the result of a request to the CA Access Gateway is not the same as a redirect that occurs in a proxy rule. For information about a redirect in a proxy rule, see nete:redirect.
Because the redirection initiated by the destination server is likely to a server behind the DMZ, the URL specified in the redirection results in an error. However, you can include parameters in a virtual host configuration that substitute the virtual host server name and port number in place of a redirect from a destination server.
To substitute the virtual host server and port for redirect rewriting, configure the following:
  • enableredirectrewrite
    Enables or disables redirect rewriting. If this directive is set to a value of yes, the URL for a redirect initiated by a destination server is examined by the CA Access Gateway. If the redirect URL contains a string found in the list of strings specified in the associated redirectrewritablehostnames parameter, the server name and port number of the redirect are replaced by the server name and port number of the virtual host. If the parameter is set to a value of no, any redirects initiated by destination servers are passed back to the requesting user.
  • redirectrewritablehostnames
    Contains a comma-separated list of strings that the CA Access Gateway searches for when a redirection is initiated by a destination server. If any of the specified strings are found in the server or port portion of the redirect URL, the CA Access Gateway substitutes the name and port number of the virtual host for the server name and port portion of the redirect URL. If you specify a value of "ALL" for this parameter, the CA Access Gateway substitutes the server name and port number of the virtual host for all redirects initiated by the destination server.
For example, consider a virtual host configuration in the server.conf file that contains the following parameters:
    <VirtualHost name="sales">
    hostnames="sales, sales.company.com"
    enableredirectrewrite="yes"
    redirectrewritablehostnames="server1.company.com,domain1.com"
    </VirtualHost>
When a user makes a request from http://sales.company.com:80, the CA Access Gateway forwards the request to a destination server according to proxy rules. If the destination server responds with a redirect to server1.internal.company.com, the redirect is rewritten before being passed to the user as sales.company.com:80.
The proxy rules for the CA Access Gateway must be configured to handle the redirected requests.
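The rewrite rule described above, modelled as an added example (not CA Access Gateway's own code): it parses the sample VirtualHost section from this page, applies the substring match to constructed redirect URLs, and lists the redirects that would still reach the user with a backend host name. Assumptions: the function names are hypothetical, a missing enableredirectrewrite is treated as no, and the URL scheme is left unchanged.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The sample section from this page, used as input.
SERVER_CONF = '''
<VirtualHost name="sales">
hostnames="sales, sales.company.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="server1.company.com,domain1.com"
</VirtualHost>
'''

def parse_virtual_hosts(text):
    """Return {name: {parameter: value}} for every <VirtualHost> section."""
    sections = re.findall(r'<VirtualHost name="([^"]+)">(.*?)</VirtualHost>', text, re.S)
    return {name: dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', body, re.M))
            for name, body in sections}

def rewrite_redirect(location, vhost, public_hostport):
    """Apply the documented rule to one backend Location value."""
    # Assumption: a missing enableredirectrewrite behaves like "no".
    if vhost.get("enableredirectrewrite", "no").lower() != "yes":
        return location
    parts = urlsplit(location)
    if not parts.hostname:                      # relative redirect: nothing to replace
        return location
    hostport = parts.hostname + (f":{parts.port}" if parts.port else "")
    raw = vhost.get("redirectrewritablehostnames", "")
    needles = [s.strip() for s in raw.split(",") if s.strip()]
    # Substring match on the server:port portion, or the literal value ALL.
    if "ALL" in needles or any(n in hostport for n in needles):
        return urlunsplit(parts._replace(netloc=public_hostport))
    return location

def passed_through(locations, vhost, public_hostport):
    """Absolute redirects that would reach the user with a backend host name."""
    public_host = public_hostport.split(":")[0]
    finals = [(loc, urlsplit(rewrite_redirect(loc, vhost, public_hostport)))
              for loc in locations]
    return [loc for loc, f in finals if f.hostname and f.hostname != public_host]

if __name__ == "__main__":
    sales = parse_virtual_hosts(SERVER_CONF)["sales"]
    constructed = ["http://server1.company.com:8080/orders?id=7",   # listed entry
                   "http://reports.domain1.com/q3",                  # substring hit
                   "http://app2.backend.example/login"]              # not listed
    print(passed_through(constructed, sales, "sales.company.com:80"))
```

Because the match is a substring test, a short entry such as domain1.com also covers reports.domain1.com, while a redirect to a host missing from the list is passed back with the backend name visible to the user.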
Default Virtual Host
To let CA Access Gateway act as a virtual host for one or more host names, you must define a virtual host as the default virtual host. You can define multiple virtual hosts.
To manually configure a default virtual host, modify the <VirtualHost name="default"> section in the server.conf file.
Create Virtual Host
You can define multiple virtual hosts and configure them with settings that differ from the default virtual host values.
Follow these steps:
  1. Open the server.conf file.
  2. Create a virtual host section in the server.conf file with the fields as described in the default virtual host values.
    If you do not define a setting, its value is taken from the default virtual host values.
  3. Save the changes.