Description:

I am tuning the Policy Server and in the document it says:

"It is recommended that the TCP Idle Session Timeout be set to 60% of the idle timeout of any stateful device(s) to ensure that the Policy Server s timeout occurs first;"

I am running Policy Server on SunOS and in the sm.registry file I have changed "Tcp Idle Session Timeout" parameter under:

"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer"
Tcp Idle Session Timeout= 0x40;                  REG_DWORD

But I note that this parameter is defined under other branches as well and I want to know what are they used for? Should their value be changed also?

"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Accounting"
"Tcp Idle Session Timeout"

 
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Administration"
"Tcp Idle Session Timeout"

 
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Authentication"
"Tcp Idle Session Timeout"

 
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Authorization"
"Tcp Idle Session Timeout"

Solution:

In SiteMinder 5.x and older there used to 4 different process in SiteMinder Policy Server: 1.Authentication, 2. Authorization, 3. Accounting and 4. Administration. But in SiteMinder R6 and above there is only one process which listens on different ports.

So the entry in sm.registry:

"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Accounting"
"Tcp Idle Session Timeout"
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Administration"
"Tcp Idle Session Timeout"
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Authentication"
"Tcp Idle Session Timeout"
"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Authorization"
"Tcp Idle Session Timeout"

correspond to the old 5.x which is no longer in use.

Only one under:

"HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer"

is currently used in R6 and above.