Access Gateway Virtual Host use cases

Article ID: 276675

Updated On: 12-10-2023

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

To demonstrate when an additional virtual host needs to be created in server.conf, and what else (WebAgent configuration, proxy rules) has to change with it.

Environment

Use case:

There is only 1 instance of Access Gateway

Access Gateway will be accepting multiple hostnames: {server.example.net} and {server.example.org}.

Depending on the hostname, the protected resources are different.

https://server.example.net/protected/

https://server.example.org/restricted/

The two hostnames protect different resources, authenticate and authorize different users, and even use different cookie domains.

The two sites should also write separate webagent.log and webagenttrace.log files.

Resolution

!! WARNING !!
Always make a backup of the configuration files before editing



If multiple hostnames are used but they protect the same resources and are forwarded to the same backend server, no additional virtual host needs to be created.

# Default Virtual Host
<VirtualHost name="default">
    #addresses="192.168.1.100"
    hostnames="server.example.net, server.example.org"
    defaultsessionscheme="default"
</VirtualHost>

As shown above, all hostnames can be listed in the "hostnames" attribute, separated by commas.

The proxyrules.xml then forwards every request to the same backend.

<?xml version="1.0"?>
<?cocoon-process type="xslt"?>
<!DOCTYPE nete:proxyrules SYSTEM "file:///C:\Program Files\CA\secure-proxy\proxy-engine\conf\dtd\proxyrules.dtd">

<!-- Proxy Rules-->
<nete:proxyrules xmlns:nete="http://www.example.com/">
     <nete:forward>http://192.168.0.1:80$0</nete:forward>
</nete:proxyrules>

But if the protected resources are different, and different agent configuration has to be enforced for each hostname (cookie domains, log files, logoff URI and so on), then a virtual host must be created manually for each hostname, and proxyrules.xml must be updated so that each hostname is forwarded to the desired backend server.

Goal:
https://server.example.net --forward--> http://192.168.0.1:80$0
https://server.example.org --forward--> http://192.168.0.2:80$0


The default virtual host is defined as follows.

<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="yes"
    filteroverridepreservehost="no"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="4"

    #TO-DO:  Define any session scheme mappings
    #<SessionSchemeMappings>
    #    user_agent_name=session_scheme_name
    #</SessionSchemeMappings>

    # Web Agent.conf
    <WebAgent>
        sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf"
    </WebAgent>
</VirtualHostDefaults>

# Default Virtual Host
<VirtualHost name="default">
    #addresses="192.168.1.100"
    hostnames="server.example.net"
    defaultsessionscheme="default"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"

    #The defaults can be overridden
    #not only for the Virtual Host
    #but for the WebAgent for that
    #virtual host as well
    #<WebAgent>
    #</WebAgent>
</VirtualHost>

"VirtualHostDefaults" acts as a template: any setting a virtual host does not define locally is inherited from it.
In this case the hostnames value of the local virtualhost "default" overrides nothing from the template (the template has none), while the <WebAgent> section, and with it the sminitfile, is inherited from VirtualHostDefaults because the virtual host's own <WebAgent> section is commented out.

The following shows how to add an additional virtual host.

<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="yes"
    filteroverridepreservehost="no"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="4"

    #TO-DO:  Define any session scheme mappings
    #<SessionSchemeMappings>
    #    user_agent_name=session_scheme_name
    #</SessionSchemeMappings>

    # Web Agent.conf
    <WebAgent>
        sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf"
    </WebAgent>
</VirtualHostDefaults>

# Default Virtual Host
<VirtualHost name="default">
    #addresses="192.168.1.100"
    hostnames="server.example.net"
    defaultsessionscheme="default"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"

    #The defaults can be overridden
    #not only for the Virtual Host
    #but for the WebAgent for that
    #virtual host as well
    <WebAgent>
        sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent.conf"
    </WebAgent>
</VirtualHost>

# Additional Virtual Host
<VirtualHost name="additional">
    #addresses="192.168.1.100"
    hostnames="server.example.org"
    defaultsessionscheme="default"

    # specify the block size for request and response in KBs
    requestblocksize="4"
    responseblocksize="8"

    #The defaults can be overridden
    #not only for the Virtual Host
    #but for the WebAgent for that
    #virtual host as well
    <WebAgent>
        sminitfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\WebAgent-additional.conf"
    </WebAgent>
</VirtualHost>

The <WebAgent> section in VirtualHostDefaults is left untouched, because a default WebAgent.conf must always be defined there; if it is removed, Access Gateway reports an error while reading the virtual hosts.

The default and the additional virtual host, however, should each have their own <WebAgent> section pointing to their own WebAgent configuration file.


The ServerPath parameter in each WebAgent configuration file must have a unique value, for example:

VirtualHost default: ServerPath="ServerPath_default"
VirtualHost additional: ServerPath="ServerPath_additional"

Sample WebAgent.conf for VirtualHost "default":

# WebAgent.conf - configuration file for SiteMinder Secure Proxy
# Secure Proxy Version = 12.80, Build = 2658, Update = 6.0

LOCALE=en-US

HostConfigFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
AgentConfigObject="{default_aco}"
ServerPath="ServerPath_default"
EnableWebAgent="YES"
#localconfigfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\LocalConfig.conf"
LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\HttpPlugin.dll"
LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SPSPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SPPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\DisambiguatePlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\OpenIDPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SessionLinkerPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SAMLDataPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\CertSessionLinkerPlugin.dll"
AgentIdFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\AgentId.dat"

Sample WebAgent-additional.conf for VirtualHost "additional":

# WebAgent.conf - configuration file for SiteMinder Secure Proxy
# Secure Proxy Version = 12.80, Build = 2658, Update = 6.0

LOCALE=en-US

HostConfigFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\SmHost.conf"
AgentConfigObject="{additional_aco}"
ServerPath="ServerPath_additional"
EnableWebAgent="YES"
#localconfigfile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\LocalConfig.conf"
LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\HttpPlugin.dll"
LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SPSPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SPPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\DisambiguatePlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\OpenIDPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SessionLinkerPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\SAMLDataPlugin.dll"
#LoadPlugin="C:\Program Files\CA\secure-proxy\agentframework\bin\CertSessionLinkerPlugin.dll"
AgentIdFile="C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent\AgentId-additional.dat"

!! NOTE !!
As this Access Gateway accepts requests for multiple FQHNs, its HTTPS certificate must carry each FQHN in the Subject Alternative Name extension; otherwise browsers reject the certificate for whichever hostname is not listed.

!! NOTE !!
If the "Agent Discovery" feature is enabled, give each WebAgent configuration file its own AgentIdFile value, as in the samples above (AgentId.dat and AgentId-additional.dat).
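The following is an added Python check, not Access Gateway code and not part of the original article. It reads a server.conf fragment in the format shown above, resolves each virtual host's effective WebAgent configuration file through VirtualHostDefaults, and reports the mistakes the notes above warn about: a missing sminitfile in VirtualHostDefaults, two virtual hosts sharing one WebAgent configuration file, a hostname listed in two virtual hosts, and duplicated ServerPath or AgentIdFile values. The configuration contents are constructed from this article's samples, and the line-based parsing is a simplification of the real file format.

```python
"""Added example (not Access Gateway code): consistency check for server.conf virtual
hosts and the WebAgent configuration files they reference. Parsing is a simplified,
line-based reading of the fragment format shown in the article."""
import re

BASE = r"C:\Program Files\CA\secure-proxy\proxy-engine\conf\defaultagent"

# Constructed server.conf fragment, trimmed to the settings that matter here.
SERVER_CONF = rf'''
<VirtualHostDefaults>
    <WebAgent>
        sminitfile="{BASE}\WebAgent.conf"
    </WebAgent>
</VirtualHostDefaults>
# Default Virtual Host
<VirtualHost name="default">
    #addresses="192.168.1.100"
    hostnames="server.example.net"
    <WebAgent>
        sminitfile="{BASE}\WebAgent.conf"
    </WebAgent>
</VirtualHost>
<VirtualHost name="additional">
    hostnames="server.example.org"
    <WebAgent>
        sminitfile="{BASE}\WebAgent-additional.conf"
    </WebAgent>
</VirtualHost>
'''

# Constructed WebAgent configuration files, keyed by the path server.conf uses.
WEBAGENT_FILES = {
    BASE + r"\WebAgent.conf": rf'''
AgentConfigObject="default_aco"
ServerPath="ServerPath_default"
AgentIdFile="{BASE}\AgentId.dat"
''',
    BASE + r"\WebAgent-additional.conf": rf'''
AgentConfigObject="additional_aco"
ServerPath="ServerPath_additional"
AgentIdFile="{BASE}\AgentId-additional.dat"
''',
}

# The usual mistake: WebAgent-additional.conf is a copy of WebAgent.conf with only the ACO changed.
BAD_FILES = dict(WEBAGENT_FILES)
BAD_FILES[BASE + r"\WebAgent-additional.conf"] = WEBAGENT_FILES[BASE + r"\WebAgent.conf"].replace("default_aco", "additional_aco")


def parse_server_conf(text):
    """Return (defaults, {vhost: settings}); keys inside <WebAgent> get a 'webagent.' prefix."""
    defaults, vhosts, current, prefix = {}, {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # comments and commented-out settings such as #addresses
        vhost = re.match(r'<VirtualHost\s+name="([^"]+)">', line)
        setting = re.match(r'(\w+)="([^"]*)"$', line)
        if line == "<VirtualHostDefaults>":
            current = defaults
        elif vhost:
            current = vhosts.setdefault(vhost.group(1), {})
        elif line in ("</VirtualHostDefaults>", "</VirtualHost>"):
            current = None
        elif line in ("<WebAgent>", "</WebAgent>"):
            prefix = "webagent." if line == "<WebAgent>" else ""
        elif setting and current is not None:
            current[prefix + setting.group(1).lower()] = setting.group(2)
    return defaults, vhosts


def parse_webagent_conf(text):
    """Return {key_lower: value} for Key="value" or Key=value lines, skipping # comments."""
    pairs = (re.match(r'(\w+)="?([^"]*)"?$', l.strip()) for l in text.splitlines() if not l.strip().startswith("#"))
    return {m.group(1).lower(): m.group(2) for m in pairs if m}


def lint(server_conf, webagent_files):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings, owner, by_file = [], {}, {}
    defaults, vhosts = parse_server_conf(server_conf)
    if "webagent.sminitfile" not in defaults:
        findings.append("VirtualHostDefaults has no <WebAgent> sminitfile; virtual hosts fail to load without it")
    for name, local in vhosts.items():
        effective = {**defaults, **local}  # VirtualHostDefaults is the template
        for host in filter(None, (h.strip() for h in effective.get("hostnames", "").split(","))):
            if host in owner:
                findings.append(f"hostname {host} is listed in both VirtualHost {owner[host]} and {name}")
            owner.setdefault(host, name)
        conf = effective.get("webagent.sminitfile")
        if conf in webagent_files:
            by_file.setdefault(conf, []).append(name)
        else:
            findings.append(f"VirtualHost {name}: sminitfile {conf!r} does not exist")
    for conf, names in by_file.items():
        if len(names) > 1:
            findings.append(f"VirtualHosts {names} share one WebAgent configuration file: {conf}")
    for key in ("serverpath", "agentidfile"):  # each must be unique per virtual host
        seen = {}
        for conf in by_file:
            value = parse_webagent_conf(webagent_files[conf]).get(key)
            if value in seen:
                findings.append(f"{key}={value!r} is used by both {seen[value]} and {conf}")
            seen.setdefault(value, conf)
    return findings
```

lint(SERVER_CONF, WEBAGENT_FILES) returns an empty list for the article's layout, while lint(SERVER_CONF, BAD_FILES) reports the duplicated ServerPath and AgentIdFile of a copied configuration file. To run it against a real installation, read server.conf and the referenced WebAgent files from disk and pass their contents in place of the constructed strings.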

 

Now proxyrules.xml needs to be configured to distinguish requests by their Host header and forward them to the desired backends.

Sample proxy rules for different use cases are in the "{secure-proxy}\federation\proxy-engine\examples\proxyrules\" folder.

The one for the hostname use case is "proxyrules_example6.xml".

Back up proxyrules.xml and update it with the following sample.

<?xml version="1.0"?>
<?cocoon-process type="xslt"?>

<!DOCTYPE nete:proxyrules SYSTEM "file:///C:\Program Files\CA\secure-proxy\proxy-engine\conf\dtd\proxyrules.dtd">

<!-- Proxy Rules -->
<!-- replace www.example.com with your namespace -->
<nete:proxyrules xmlns:nete="http://server.example.net/">
   <nete:cond type="host">
      <nete:case value="server.example.net:80">
          <nete:forward>http://192.168.0.1:80$0</nete:forward>
      </nete:case>
      <nete:case value="server.example.org:80">
          <nete:forward>http://192.168.0.2:80$0</nete:forward>         
      </nete:case>
      <nete:default>
          <nete:forward>http://192.168.0.3:80/badhostname.html</nete:forward>
      </nete:default>
   </nete:cond>    
</nete:proxyrules>

proxyrules.xml evaluates the Host header of each request against the two cases (server.example.net and server.example.org), each of which has its own forwarding backend. A case only matches when its value agrees with the Host header as Access Gateway evaluates it (the samples use the host:port form), so check the Host header the clients actually send.

If no case matches, the request goes to the "default" forward, http://192.168.0.3:80/badhostname.html, so the user is told that they are using a wrong hostname.
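To see how the host condition above routes a request before the gateway is restarted, here is an added Python example; it is not part of the article and not Access Gateway code. It evaluates the host condition of a proxyrules.xml offline and also reports server.conf hostnames that no case covers. It assumes, as a simplification, that a case matches when its value equals the request's Host header (compared case-insensitively) and that $0 expands to the requested URI; the sample rules and hostnames are copied from this article.

```python
"""Added example (not Access Gateway code): offline evaluation of the
<nete:cond type="host"> block of a proxyrules.xml.

Assumption: a case matches when its value equals the Host header
(case-insensitively) and $0 expands to the requested URI."""
import xml.etree.ElementTree as ET

# Constructed sample: the rules from the article, without the DTD declaration.
PROXYRULES_XML = """<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://server.example.net/">
   <nete:cond type="host">
      <nete:case value="server.example.net:80">
          <nete:forward>http://192.168.0.1:80$0</nete:forward>
      </nete:case>
      <nete:case value="server.example.org:80">
          <nete:forward>http://192.168.0.2:80$0</nete:forward>
      </nete:case>
      <nete:default>
          <nete:forward>http://192.168.0.3:80/badhostname.html</nete:forward>
      </nete:default>
   </nete:cond>
</nete:proxyrules>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def load_host_rules(xml_text):
    """Return ({case_value_lower: forward_url}, default_forward_url) for the host condition."""
    root = ET.fromstring(xml_text)
    cond = next(e for e in root.iter() if _local(e.tag) == "cond")
    if cond.get("type") != "host":
        raise ValueError('this example only handles <nete:cond type="host">')
    cases, default = {}, None
    for child in cond:
        forward = next(e for e in child.iter() if _local(e.tag) == "forward").text.strip()
        if _local(child.tag) == "case":
            cases[child.get("value").lower()] = forward
        elif _local(child.tag) == "default":
            default = forward
    return cases, default


def resolve(host_header, request_uri, cases, default):
    """Backend URL a request with this Host header and URI would be forwarded to."""
    forward = cases.get(host_header.lower(), default)
    return None if forward is None else forward.replace("$0", request_uri)


def hostnames_without_case(server_conf_hostnames, cases):
    """server.conf hostnames that no case covers (the port suffix of a case value is ignored)."""
    covered = {value.split(":")[0] for value in cases}
    return sorted(h.lower() for h in server_conf_hostnames if h.lower() not in covered)


if __name__ == "__main__":
    cases, default = load_host_rules(PROXYRULES_XML)
    for host in ("server.example.net:80", "server.example.org:80", "server.example.org"):
        print(f"Host: {host:24} -> {resolve(host, '/restricted/', cases, default)}")
    print("hostnames with no case:", hostnames_without_case(["server.example.net", "server.example.org"], cases))
```

The third request in the usage block, with a Host header of server.example.org and no port, falls through to the badhostname.html default under the stated matching assumption; that is the kind of mismatch to look for if one hostname unexpectedly lands on the default backend after the restart.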

 

Restart the Access Gateway services and test both hostnames to confirm that each is forwarded to the desired backend server, and that a request for an unlisted hostname lands on the default page.