When running Web Agent and trying to unprotect some resources, some
questions might raise :
1) Is using the IgnoreURL ACO an acceptable or best practice to
allow certain web applications to web applications traffic to
flow while still protecting the main front end web application
via a default root protected policy /* ?
If not, are unprotected realms better ?
2) Is there a standard method of allowing web application to
communicate with web application without traffic via a Web Agent
or Siteminder authentication process at all?
1 - Ignoreurl is best practice to allow some url and not others. It
avoids calls to the Policy Server which improves performances.
There's some limitations as wildcards can't be used (1).
2 - To make trafic to completely avoid the Web Agent, let the Web
Agent running on specific virtualhost and not on the others;
Take note that using IgnoreURL, the trafic will be analyzed for
vulnerabilities, and other security topics, even if no protection
occurs on the URL (2).
Some ACO parameters can be combined to get finer protection too
Web Agent : in IgnoreURL ACO with "*" wildcard registration
Web Agent :: IgnoreURL : BadCssChars BadURLChars
Web Agent autoauthorize ignoreext, ignoreurl, overrideignoreextfilter