not able to resolve to DNS after web agent installation

book

Article ID: 76231

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running a Web Agent on IIS, and a user send a request to a
specific protected resource, the browser doesn't get the page and the
Web Agent reports the error :

  [04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:321][ProcessRequest]
  [0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][][Start new request.]

  [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource]
  [0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
  [Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

  [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:94][CSmResourceManager::ProcessResource]
  [0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
  [SM_WAF_HTTP_PLUGIN->ProcessResource returned SmExit.]

  [04/03/2018][10:37:26][1896][5652][CSmResourceManager.cpp:160][CSmResourceManager::ProcessResource]
  [0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
  [Plugins did not collect required resource data.]

  [04/03/2018][10:37:26][1896][5652][CSmHighLevelAgent.cpp:348][ProcessRequest]
  [0000000000000000000000005e7a320a-0768-5ac34b56-1614-00a84ae1][][][][][]
  [ResourceManager returned SmExit, end new request.]

  [04/03/2018][10:37:26][1896][2196][CSmHighLevelAgent.cpp:321][ProcessRequest]
  [0000000000000000000000005e7a320a-0768-5ac34b56-0894-00a83d6c][][][][][][Start new request.]

  [04/03/2018][10:37:26][1896][5652][CSmLowLevelAgent.cpp:3567][ReportHealthData]
  [][][][][][][Accumulating HealthMonitorCtxt.]

The Web Agent has a firewall in front of it which does NAT addresses
translation. 

 

Resolution

 

In the Web Agent ACO, set DisableDNSLookup to yes.

This parameter will disable DNS lookup for all request. You can safely
do this as it will also prevent DOS attack as stated by the
documentation :

  DisableDNSLookup    No    

   Specifies whether to disable DNS lookups to help prevent DNS denial
   of service attacks. See Help Prevent DNS DOS Attacks.

Pay attention that the syntax of the parameter is correct according to
the links below (1)(2).

 

Additional Information

 

(1)

   Web Agent :: ACO : DisableDNSLookup Syntax
   https://knowledge.broadcom.com/external/article?articleId=50592

(2)

   List of Agent Configuration Parameters
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html