When running a front end Web Agent Reverse Proxy, the back-end server doesn't run a Web Agent and as such internal people can reach directly the application without being challenged for credentials.

How to protect the back-end server from direct access?

Install a Web Agent on the back-end server application, It would rather request the Policy Server to check the validity of the session data.

If the browser doesn't present an SMSESSION cookie, it will challenge the user for credentials.

So having a Web Agent running on the back-end server application will allow you protection in a much finer way the direct accesses to the back-end server.

SiteMinder provides many flavors of Agents:

  SiteMinder Web Server Agents
  SiteMinder Agents for WebSphere
  SiteMinder Agents for WebLogic
  SiteMinder Agent for JBoss
  SiteMinder SharePoint Agent
  SiteMinder Siebel Agent
  SiteMinder SAP WebAS Agent
  SiteMinder PeopleSoft Agent
  SiteMinder Web Services Security Agents
  SiteMinder SDK

among the others (1).

There's no specific Agent to run in an OpenShift environment (2).

(1)

    CA Single Sign-On (formerly CA SiteMinder) Hotfix/Cumulative Release Index
    

(2)

    Use Web Agent in Dynamically Scaled Environments