When running a front end Web Agent Reverse Proxy, the back-end server doesn't run a Web Agent and as such internal people can reach directly the application without being challenged for credentials.
How to protect the back-end server from direct access?
Install a Web Agent on the back-end server application, It would rather request the Policy Server to check the validity of the session data.
If the browser doesn't present an SMSESSION cookie, it will challenge the user for credentials.
So having a Web Agent running on the back-end server application will allow you protection in a much finer way the direct accesses to the back-end server.
SiteMinder provides many flavors of Agents:
SiteMinder Web Server Agents
SiteMinder Agents for WebSphere
SiteMinder Agents for WebLogic
SiteMinder Agent for JBoss
SiteMinder SharePoint Agent
SiteMinder Siebel Agent
SiteMinder SAP WebAS Agent
SiteMinder PeopleSoft Agent
SiteMinder Web Services Security Agents
among the others (1).
There's no specific Agent to run in an OpenShift environment (2).