How to disable webagent on web server which is configured with multiple virtual hosts
search cancel

How to disable webagent on web server which is configured with multiple virtual hosts


Article ID: 259277


Updated On:


CA Single Sign On Agents (SiteMinder)


Customer is using a web server where multiple URLs are created via virtual hosts and protected with Siteminder Web Agent and one ACO.  A unique AgentName was created for each virtual host and mapped in the Web Agent ACO.

What is the best method to disable the Web Agent for one or more virtual hosts while leaving the Web Agent enabled for all other hosts?


Release : ALL


Enabling/disabling the web agent is global to the entire web server including all virtual hosts.

There are various ways Siteminder can leave a particular resource unprotected when the Web Agent is enabled.

If each application you want to be unprotected is using a unique virtual host, using the agent's IgnoreHost ACO parameter is likely the best option.  This tells the Web Agent to auto-authorize any requests for any resources on the listed virtual host(s).  
More about this option is here:
IgnoreHost ACO Parameter

Another way to accomplish the same is to leverage agent names.  If you can map the requests you want to not be protected to unique agent names, you can simply not assign those agent names to any realms, resulting in requests mapping to those agent names not being protected.  As with the IgnoreHost option, this option requires each application you want to be unprotected to use a unique host or IP from any of the protected applications.  
More about this parameter is here:
AgentName and DefaultAgentName ACO Parameters

If leveraging agent names is not an option (such as if an application you need unprotected is sharing a virtual host name with an application that needs to be protected), the Web Agent allows a list of specific URLs to be explicitly unprotected regardless of the resolved agent name or policies.  The IgnoreURL ACO parameter can accept multiple values.  As a wildcard is implied in the IgnoreURL values, leveraging this parameter works particularly well if all the resources within the application you want unprotected are below a single URI (many applications work this way).
More about this option here:
IgnoreURL ACO Parameter