When running a Web Agent on IIS, and a user send a request to a
specific protected resource, the browser does not get the page and the
Web Agent reports the error :
[04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:321][ProcessRequest]
[0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][Start new request.]
[04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource]
[0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
[Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:94][CSmResourceManager::ProcessResource]
[0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
[SM_WAF_HTTP_PLUGIN->ProcessResource returned SmExit.]
[04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:160][CSmResourceManager::ProcessResource]
[0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
[Plugins did not collect required resource data.]
[04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:348][ProcessRequest]
[0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
[ResourceManager returned SmExit, end new request.]
[04/03/2018][10:37:26][1896][2196][CSmHighLevelAgent.cpp:321][ProcessRequest]
[0000000000000000000000005e7a320a-0768-5ac34b56-0894-00a83d6c][][][][][][Start new request.]
[04/03/2018][10:37:26][1896][5652][CSmLowLevelAgent.cpp:3567][ReportHealthData]
[][][][][][][Accumulating HealthMonitorCtxt.]
The Web Agent has a firewall in front of it which does NAT addresses
translation.
In the Web Agent ACO, set DisableDNSLookup to yes.
This parameter will disable DNS lookup for all request. You can safely
do this as it will also prevent DOS attack as stated by the
documentation :
DisableDNSLookup No
Specifies whether to disable DNS lookups to help prevent DNS denial
of service attacks. See Help Prevent DNS DOS Attacks.
Pay attention that the syntax of the parameter is correct according to
the links below (1)(2).
(1)
Web Agent :: ACO : DisableDNSLookup Syntax
https://knowledge.broadcom.com/external/article?articleId=50592
(2)
List of Agent Configuration Parameters
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html