When running a Web Agent and trying to unprotect some resources, some
questions might arise:
1) Is using the IgnoreURL ACO an acceptable or best practice to
allow certain web-application-to-web-application traffic to
flow while still protecting the main front-end web application
via a default root protected policy /* ?
If not, are unprotected realms better?
2) Is there a standard method of allowing a web application to
communicate with another web application without the traffic going
through a Web Agent or SiteMinder authentication process at all?
1 - IgnoreURL is the best practice for allowing some URLs and not
others. It avoids calls to the Policy Server, which improves performance.
There are some limitations, as wildcards can't be used (1).
2 - To make traffic completely avoid the Web Agent, run the Web
Agent on specific virtual hosts and not on the others.
Note that with IgnoreURL, the traffic will still be analyzed for
vulnerabilities and other security topics, even if no protection
occurs on the URL (2).
Some ACO parameters can be combined to get finer protection too
(3).
(1)
Web Agent : in IgnoreURL ACO with "*" wildcard registration
https://knowledge.broadcom.com/external/article?articleId=44956
(2)
Web Agent :: IgnoreURL : BadCssChars BadURLChars
https://knowledge.broadcom.com/external/article?articleId=49522
(3)
Web Agent autoauthorize ignoreext, ignoreurl, overrideignoreextfilter
https://knowledge.broadcom.com/external/article?articleId=212373