Configuring Tomcat to work with IIS for Symantec DLP Manager (Enforce)

Article ID: 160555

Products

Data Loss Prevention Enforce

Issue/Introduction

Set up IIS 2 factor authentication

Resolution

Relevant Versions:  ALL

1. Download the ISAPI Redirect DLL from the Apache site. When downloading, choose the version of Windows that IIS is running on (win32), and then choose the latest available jk version. The file to download is called isapi_redirect.dll.

2. Place the DLL into the Tomcat bin directory. For the purpose of this document, we will assume the directory is C:\Vontu\Protect\tomcat\bin.

3. Create a file in the same directory called isapi_redirect.properties.  Using Notepad, edit the file and enter the following contents.  Some adjustment for directory names may be required.

# Configuration file for the Jakarta ISAPI Redirector

# The path to the ISAPI Redirector Extension, relative to the website

# This must be in a virtual directory with execute privileges

extension_uri=/jakarta/isapi_redirect.dll

# Full path to the log file for the ISAPI Redirector

log_file=C:\Vontu\Protect\logs\isapi_redirect.log

# Log level (debug, info, warn, error or trace)

log_level=info

# Full path to the workers.properties file

worker_file=C:\Vontu\Protect\tomcat\conf\workers.properties

# Full path to the uriworkermap.properties file

worker_mount_file=C:\Vontu\Protect\tomcat\conf\uriworkermap.properties

4. In the Tomcat conf directory (C:\Vontu\Protect\tomcat\conf), create the following two text files:

uriworkermap.properties

# uriworkermap.properties - IIS #

# This file provides mappings for the workers

# defined in workermap.properties.minimal.

# The general syntax for this file is:

# [URL]=[Worker name]

/ProtectManager/*=worker1

workers.properties

# workers.properties.minimal

# This file provides minimal jk configuration properties needed to connect to Tomcat.

# The workers that jk should create and work with.

worker.list=worker1

# Defining a worker named worker1 and of type ajp13.

# Note that the name and the type do not have to match.

worker.worker1.type=ajp13

worker.worker1.host=localhost

worker.worker1.port=8009

5. Ensure that the file permissions are correct for isapi_redirect.dll.

    • Enable the Internet Guest Account to access the Tomcat bin folder with Read & Execute permissions.
    • Apply the same permissions to the DLL itself.

6. Open Control Panel, then Administrative Tools and open Internet Information Services. Optionally, you may right-click on My Computer and select Manage, then navigate down the tree to Services and Applications → Internet Information Services (IIS) Manager.

7.  Add an ISAPI Filter to IIS.

    • Right-click on Default Web Site (or the Web Site that should be responsible for proxying requests to Vontu), and click on Properties.
    • Click the ISAPI Filters tab.
    • Check if there is a Filter that points to the isapi_redirect.dll file and that it is in the right location. If not, click Add and create one. Enter Tomcat_Connector as the Filter Name and enter the location of the isapi_redirect.dll file for the executable.
    • Click Apply and then OK

8. Create a virtual directory for ProtectManager in IIS. This is the name of the Tomcat application for Vontu.

    • Right-click on Default Web Site (or the Web Site that should be responsible for proxying requests to ProtectManager), choose New and then Virtual Directory.
    • Go through the creation wizard. Set the alias as the value of the Context Path (without slashes).
    • This can point to any directory (e.g. C:\Temp).
    • Complete the wizard.

Note:  The reason for creating a virtual directory is so that requests without the trailing slash still work.

9.  Create a virtual directory for access to the isapi_redirect.dll in IIS.

    • Right-click on Default Web Site (or the Web Site that should be responsible for proxying requests to ProtectManager), choose New and then Virtual Directory.
    • Go through the creation wizard. Set the alias to be jakarta.
    • This must point to the directory in which the isapi_redirect.dll is installed. In our example this is C:\Vontu\Protect\tomcat\bin.
    • Complete the wizard, making sure that you have checked the 'execute' checkbox for the Virtual Directory.

Note:  This Virtual Directory is needed for the connector to work. The alias that you give the directory needs to be the same as the path set in the isapi_redirect.properties file, extension_uri property. In our example this value is: /jakarta/isapi_redirect.dll.

10. If using IIS 6.0 you will also need to add the DLL as a Web Service Extension, as follows:

    • Right-click on Web Service Extensions and choose Add a new Web Service Extension...
    • Enter tomcat for the Extension Name and then add the isapi_redirect.dll file to the required files.
    • Select the Set extension status to Allowed check-box, then click OK.

11. Also, for IIS 6, you will need to set the service to run in IIS 5.0 Isolation Mode.  From the Web Sites container, right click and select Properties, then the Service tab.  Check the Run WWW service in IIS 5.0 isolation mode option.

12. You will need to restart the IIS Service. If you have the Computer Management application running, just right-click on the Internet Information Services (IIS) Manager container and select All Tasks → Restart IIS…

13.  After restarting, check that the ISAPI filter is running. 

    • Right-click on Default Web Site (or the Web Site that should be responsible for proxying requests to Vontu), and click on Properties.
    • Click the ISAPI Filters tab
    • If your ISAPI filter dialog looks like Figure 1 in the attached document, then check step number 11.

14.  Edit the file C:\Vontu\Protect\tomcat\conf\server.xml.

Look for this section:

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <!--

    <Connector port="8009"

               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    -->

15. Delete the comment markers (<!-- and -->) around the Connector element (highlighted in the original article) and save the file.

16. For testing purposes, you may set the SSL port for IIS.

Enabling SSL within IIS is out of scope for this document, but for testing purposes, the port is set to 444 above.  As such, the Vontu Manager will be available on port 443 (direct to Tomcat) and also 444 (IIS to Tomcat).

17. Restart the Vontu Manager and Restart IIS.

18. Browse to https://localhost:444/ProtectManager
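
The files from steps 3, 4 and 14 must agree with each other and with the virtual directory alias from step 9, and a mismatch usually surfaces only as a failed request after the restart. The following Python check is an added example, not part of the original article or of any Symantec tooling; it reads the three properties files and server.xml and reports where they disagree. The function names, the vdir_alias parameter and the embedded sample files are constructed for illustration, and the check for an address attribute on the AJP connector is an added hardening check that follows from worker.worker1.host=localhost.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring steps 3, 4 and 14; all names here are hypothetical.
ISAPI = r"""extension_uri=/jakarta/isapi_redirect.dll
worker_file=C:\Vontu\Protect\tomcat\conf\workers.properties
worker_mount_file=C:\Vontu\Protect\tomcat\conf\uriworkermap.properties
"""
MOUNTS = "/ProtectManager/*=worker1\n"
WORKERS = ("worker.list=worker1\nworker.worker1.type=ajp13\n"
           "worker.worker1.host=localhost\nworker.worker1.port=8009\n")
SERVER_XML = """<Server><Service name="Catalina">
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
</Service></Server>"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check(isapi, mounts, workers, server_xml, vdir_alias="jakarta"):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    isapi_p, mount_p, worker_p = map(parse_props, (isapi, mounts, workers))
    # Step 9 note: the virtual directory alias must match extension_uri.
    if isapi_p.get("extension_uri") != f"/{vdir_alias}/isapi_redirect.dll":
        findings.append("extension_uri does not match the virtual directory alias")
    defined = [w.strip() for w in worker_p.get("worker.list", "").split(",") if w.strip()]
    # ElementTree drops comments, so a Connector still inside <!-- --> is not found.
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("protocol", "").upper().startswith("AJP")]
    ajp_ports = {c.get("port") for c in ajp}
    for uri, name in mount_p.items():
        if name not in defined:
            findings.append(f"{uri} is mapped to undefined worker {name}")
            continue
        port = worker_p.get(f"worker.{name}.port", "8009")
        if port not in ajp_ports:
            findings.append(f"no active AJP connector on port {port} for {name}")
        host = worker_p.get(f"worker.{name}.host", "localhost")
        local = host in ("localhost", "127.0.0.1", "::1")
        if local and any(c.get("port") == port and not c.get("address") for c in ajp):
            findings.append(f"AJP port {port} has no address attribute; worker is local")
    return findings
```

Run against the article's own values, the only finding is the missing address attribute: IIS reaches Tomcat over localhost, so the AJP connector does not need to accept connections on any other interface.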


Attachments

Configuring_IIS_for_Vontu_Manager.doc