To demonstrate when an additional virtual host needs to be created in server.conf
Use case:
There is only 1 instance of Access Gateway.
Access Gateway will be accepting multiple hostnames: {server.example.net} and {server.example.org}.
Depending on the hostname, the protected resources are different:
https://server.example.net/protected/
https://server.example.org/restricted/
These 2 hostnames should protect different resources, authenticate/authorize different users, and even use a different cookiedomain.
The 2 sites should also generate separate webagent.log and webagenttrace.log files.
!! WARNING !!
Always make a backup of the configuration files before editing.
If multiple hostnames are used but they protect the same resources and the backend server is the same, no additional virtualhost needs to be created.
# Default Virtual Host
<VirtualHost name="default">
    #addresses="192.168.1.100"
    hostnames="server.example.net, server.example.org"
    defaultsessionscheme="default"
As shown above, all the hostnames can be added to the "hostnames" attribute, separated by commas.
And the proxyrule.xml forwards to the same backend.
<?xml version="1.0"?>
<!-- Proxy Rules-->
But if the protected resources are different, or if you need to enforce a different agent configuration (such as cookiedomains, logs, logoffuri, etc.), then a virtualhost needs to be created manually and proxyrule.xml must be updated to ensure each hostname forwards to the desired backend server.
Goal:
https://server.example.net --forward--> http://192.168.0.1:80$0
https://server.example.org --forward--> http://192.168.0.2:80$0
The default virtualhost exists as below.
<VirtualHostDefaults>
    # specify the block size for request and response in KBs
    #TO-DO: Define any session scheme mappings
    # Web Agent.conf
# Default Virtual Host
    # specify the block size for request and response in KBs
    #The defaults can be overridden
"VirtualHostDefaults" acts as a template that each virtualhost picks up for any value not locally defined.
In this case the hostnames value from the local virtualhost="default" overrides the template, but the <WebAgent> section from the VirtualHostDefaults is inherited.
The following demonstrates creating an additional virtualhost.
<VirtualHostDefaults>
    # specify the block size for request and response in KBs
    #TO-DO: Define any session scheme mappings
    # Web Agent.conf
# Default Virtual Host
    # specify the block size for request and response in KBs
    #The defaults can be overridden
# Additional Virtual Host
    # specify the block size for request and response in KBs
    #The defaults can be overridden
The <WebAgent> section in VirtualHostDefaults is left untouched, because a default WebAgent.conf file must be defined there (there will be an error reading the virtualhost if it is removed).
But the default virtualhost and the additional virtualhost should each have their own <WebAgent> section pointing to their own WebAgent config file.
The ServerPath entry in each WebAgent config file needs to have a unique value, as demonstrated below.
VirtualHost default       ServerPath="ServerPath_default"
VirtualHost additional    ServerPath="ServerPath_additional"
Sample:
default WebAgent.conf
    # WebAgent.conf - configuration file for SiteMinder Secure Proxy
    LOCALE=en-US
    HostConfigFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
additional WebAgent-additional.conf
    # WebAgent.conf - configuration file for SiteMinder Secure Proxy
    LOCALE=en-US
    HostConfigFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
!! NOTE !!
As this Access Gateway will be accepting requests for multiple FQHNs, its HTTPS certificate must have SubjectAltName entries for each of those FQHN values.
!! NOTE !!
If the "Agent Discovery" feature is enabled, update each WebAgent configuration file so that it uses a unique agentid.dat filename.
Now proxyrule.xml needs to be configured to distinguish the incoming HTTP_HOST headers and forward to the desired backends.
There are proxyrule.xml samples for different use cases in the "{secure-proxy}\federation\proxy-engine\examples\proxyrules\" folder.
The one for the hostname use case is "proxyrules_example6.xml".
Back up the proxyrule.xml and update it with the following sample.
<?xml version="1.0"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:///C:\Program Files\CA\secure-proxy\proxy-engine\conf\dtd\proxyrules.dtd">
<!-- Proxy Rules -->
proxyrule.xml evaluates the "host" header to identify whether it matches one of the 2 conditions (condition1: server.example.net, condition2: server.example.org), each of which has a defined forwarding backend.
If no host matches, the request goes to the "default" forward, which is "http://192.168.0.3:80/badhostname.html", so the user can be notified that they are using the wrong hostname.
Restart the Access Gateway services and test both hostnames to confirm they are forwarded to the desired backend servers.
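The following is an added example (not part of this article or the product) that models how the host-condition rule above selects a backend, so the routing can be checked offline before restarting services: it parses a constructed proxyrules fragment for the two hostnames and the badhostname default, resolves a Host header to a forward URL, and lists any hostname from the server.conf "hostnames" attribute that has no matching case. The element names (nete:proxyrules, nete:cond, nete:case, nete:forward, nete:default) and the "$0" substitution follow the proxyrules schema as I know it; treat them as an assumption and compare against proxyrules_example6.xml.

```python
import xml.etree.ElementTree as ET

NS = {"nete": "http://www.ca.com/"}

# Constructed proxyrules fragment matching the article's goal (assumed schema,
# not copied from the product; verify element names against proxyrules_example6.xml).
PROXYRULES = """<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <nete:cond type="host" criteria="equals">
    <nete:case value="server.example.net">
      <nete:forward>http://192.168.0.1:80$0</nete:forward>
    </nete:case>
    <nete:case value="server.example.org">
      <nete:forward>http://192.168.0.2:80$0</nete:forward>
    </nete:case>
    <nete:default>
      <nete:forward>http://192.168.0.3:80/badhostname.html</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>"""


def load_host_rules(xml_text):
    """Return ({hostname: forward_url}, default_forward_url) from a host-type cond."""
    root = ET.fromstring(xml_text)
    cond = root.find("nete:cond", NS)
    if cond is None or cond.get("type") != "host":
        raise ValueError("expected a top-level <nete:cond type=\"host\">")
    cases = {c.get("value").lower(): c.findtext("nete:forward", namespaces=NS)
             for c in cond.findall("nete:case", NS)}
    default = cond.findtext("nete:default/nete:forward", namespaces=NS)
    return cases, default


def resolve(rules, host_header, request_uri):
    """Pick the backend URL a request would be forwarded to."""
    cases, default = rules
    # Host header is case-insensitive and may carry a port; compare the bare name.
    host = host_header.split(":")[0].lower()
    target = cases.get(host, default)
    return target.replace("$0", request_uri)  # $0 = original request URI


def unrouted_hostnames(rules, hostnames_attr):
    """Hostnames accepted in server.conf but lacking a case (they would hit the default)."""
    cases, _ = rules
    accepted = (h.strip().lower() for h in hostnames_attr.split(","))
    return [h for h in accepted if h not in cases]
```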