CA Single Sign-On for IIS 7.x Web Servers and Application Request Routing (ARR)
The CA Single Sign-On Agent for IIS supports the Application Request Routing feature of IIS 7.x. The following configurations are supported:
- An IIS 7.x web server running both ARR and the CA SiteMinder® Agent for IIS in a DMZ, as shown in the following illustration:
  Illustration: ARR in DMZ with Agent for IIS

- Multiple IIS 7.x web servers running CA SiteMinder® Web Agents for IIS behind another IIS 7.x server in the DMZ running ARR. This configuration is shown in the following illustration:
  Illustration: Back End IIS Web Servers Running Agents with Application Request Routing Enabled

- An IIS 7.x web server running both ARR and the CA SiteMinder® Agent for IIS in a DMZ, and multiple IIS 7.x web servers running the CA SiteMinder® Agent for IIS behind the ARR server. This configuration is shown in the following illustration:
  Illustration: Agent for IIS with ARR as Reverse Proxy with Agents for IIS on Backend Servers

How to Set up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ with other CA Single Sign-On Agents for IIS Operating Behind the DMZ
The CA Single Sign-On Agent for IIS protects your entire IIS environment with the following configuration:
- An IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server).
- Multiple IIS 7.x web servers behind the ARR server in the DMZ, with each using the CA Single Sign-On Web Agent or Agent for IIS.
Only certain Web Agents support operating as a reverse-proxy server. However, any web server hosting a supported Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.
To implement the previous configuration, use the following multi-step process:
- Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
  For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
- Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).
  For more information, see the Web Agent Installation Guide for IIS.
- Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).
  In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
- Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).
- Set the Web Agent Configuration Parameters for all of your IIS 7.x Servers using CA SiteMinder® behind the DMZ. Include the first web server and all nodes.

Set the CA Single Sign-On Web Agent Configuration Parameters for your IIS 7.x ARR Server in the DMZ
This section describes how to set the Web Agent Configuration parameters when running the CA Single Sign-On Agent for IIS in the following situation:
- An IIS 7.x Web Server operates in the DMZ using ARR and the CA Single Sign-On Agent for IIS (front end).
- Other IIS 7.x Web servers behind the DMZ receive requests from the ARR server, but do not use the CA Single Sign-On Agent for IIS (back end).
Follow these steps:
- Verify the following items:
  - ARR 2.0 is installed and configured on the web server in the DMZ.
  - The CA Single Sign-On Agent for IIS is installed and configured on the web server in the DMZ.
- Open the Administrative UI.
- Open the Agent Configuration Object (ACO) associated with your CA Single Sign-On Agent for IIS (the front-end running in the DMZ).
- Locate the following parameter:
  - ProxyTrust
    Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.
    Default: No
- Verify that the value set in the ProxyTrust parameter is no.
- Locate the following parameter:
  - ProxyAgent
    Specifies if a Web Agent is acting as a reverse proxy agent. When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
    Default: No
- Change the value of the ProxyAgent parameter to yes.
- Submit your changes to the Agent Configuration Object.
  The Web Agent Configuration parameters are set.

Set the Web Agent Configuration Parameters for your IIS 7.x Servers using CA Single Sign-On Behind the DMZ
This section describes how to set the Web Agent Configuration parameters when running the CA Single Sign-On Agent for IIS in the following situation:
- An IIS 7.x server operates in the DMZ using ARR (front end).
- Other IIS 7.x servers behind the DMZ receive requests from the ARR server. Those servers also use the CA Single Sign-On Agent for IIS (back end).
Follow these steps:
- Verify the following items:
  - ARR 2.0 is installed and configured on the web server in the DMZ.
  - The CA Single Sign-On Agent for IIS is installed and configured on the first web server and all the nodes behind your DMZ.
- Open the Administrative UI.
- Open the Agent Configuration Object (ACO) associated with the first IIS server deployed behind the DMZ.
- Locate the following parameter:
  - ProxyTrust
    Instructs the agent on a destination server to trust authorizations received from a CA Single Sign-On agent on a proxy server. A destination server is a server that is behind a reverse proxy server. Setting this value to yes increases efficiency because only the agent on the proxy server contacts the Policy Server for authorization. The agent operating on the destination server does not contact the Policy Server again to reauthorize users.
    Default: No
- Change the value of the ProxyTrust parameter to yes.
- Locate the following parameter:
  - ProxyAgent
    Specifies if a Web Agent is acting as a reverse proxy agent. When the value of this parameter is yes, the CA Single Sign-On agent on the front-end server preserves the original URL that the user requested in the SM_PROXYREQUEST HTTP header. This header is created whenever protected and unprotected resources are requested. The back-end server can read this header to obtain information about the original URL.
    Default: No
- Verify that the value of the ProxyAgent parameter is set to no.
- Submit your changes to the Agent Configuration Object.
- Open the Agent Configuration Object (ACO) associated with an IIS server node deployed behind the DMZ.
- Repeat Steps 5 through 10 on each IIS web server node, until all the nodes behind the DMZ are configured.
  The Web Agent Configuration parameters are set.
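
The two procedures above prescribe opposite values for the front-end and back-end agents, and both parameters default to No, so a node whose ACO was never edited silently fails to match. The following Python script is an added example (not part of the CA documentation or product) that audits the two parameters per tier; the name=value listing format, the tier labels and the host names are hypothetical and constructed for illustration.

```python
# Added example: audit ProxyTrust / ProxyAgent against the values this page
# prescribes per tier. The name=value listing format and host names are
# hypothetical, constructed for illustration; they are not a product export.

# Front end = ARR server in the DMZ; back end = servers behind the DMZ.
EXPECTED = {
    "front-end": {"proxytrust": "no", "proxyagent": "yes"},
    "back-end": {"proxytrust": "yes", "proxyagent": "no"},
}
DEFAULT = "no"  # the page lists Default: No for both parameters


def parse_listing(text):
    """Parse name=value lines into a dict with lowercase names and values."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip().strip('"').lower()
    return params


def audit(agents):
    """Return (host, parameter, actual, expected) for every mismatch."""
    findings = []
    for host, tier, listing in agents:
        params = parse_listing(listing)
        for name, expected in EXPECTED[tier].items():
            actual = params.get(name, DEFAULT)  # unset means the default applies
            if actual != expected:
                findings.append((host, name, actual, expected))
    return findings


# Constructed sample inventory: one front end, the first back-end server, one node.
SAMPLE = [
    ("arr-dmz", "front-end", "ProxyAgent=YES\nProxyTrust=no"),
    ("iis-first", "back-end", 'ProxyTrust="yes"\nProxyAgent=no'),
    ("iis-node2", "back-end", "# ProxyTrust never set on this node\nProxyAgent=yes"),
]

if __name__ == "__main__":
    for host, name, actual, expected in audit(SAMPLE):
        print(f"{host}: {name} is {actual}, expected {expected}")
```

In the sample, only iis-node2 is reported: it still has the default ProxyTrust value and has ProxyAgent enabled, which is the front-end setting.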

How to Set Up an IIS 7.x Server with ARR and CA Single Sign-On in your DMZ
To set up an IIS 7.x web server with Application Request Routing (ARR) and a CA Single Sign-On Agent for IIS in your DMZ (as a front-end server), use the following multi-step process:
- Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
  For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
- Install and configure a CA Single Sign-On Agent for IIS on your IIS 7.x web server in your DMZ (front-end).
  For more information, see the Web Agent Installation Guide for IIS.

How to Set up your IIS 7.x Servers with CA Single Sign-On When Operating Behind an ARR Server in a DMZ
The CA Single Sign-On Agent for IIS supports the following configuration using Application Request Routing (ARR):
- Operating several back-end web servers behind a DMZ-based IIS 7.x web server running ARR.
- Protecting those back end servers with CA Single Sign-On Web Agents or Agents for IIS.
Only certain Web Agents support operating as a reverse-proxy server. However, any web server hosting a supported Web Agent or Agent for IIS can accept traffic from a reverse proxy server running CA Single Sign-On. For more information, see the Platform Support Matrix.
To implement this configuration, use the following multi-step process:
- Install and configure ARR on the IIS 7.x web server in your DMZ (front end).
  For more information about Application Request Routing (ARR), go to the IIS website, and search for the phrase, "Application Request Routing."
- Install and configure a CA Single Sign-On Agent for IIS on your first IIS 7.x web server behind your DMZ (back-end).
  In this context, the first server refers to the IIS web server in a farm where the shared configuration information is stored. A node refers to any other IIS web servers in the farm which read the shared configuration from the first server.
- Install and configure a CA Single Sign-On Agent for IIS on your other IIS 7.x web server nodes behind your DMZ (back-ends).