Protecting multiple websites on single IIS server (Legacy_Onyx KB Id: 222705)

Document ID : KB000054947
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I've two websites on a single IIS server that I need to protect each with different set of rules.

the host headers (defined in IIS) for the sites are :
web1.intranet.wmcpolice
web2.intranet.wmcpolice

I have setup two agents svrWeb1 and svrWeb2

In the ACO I have set two agent identities under the AgentName parameter as a multi-value item :
svrWeb1, web1.intranet.wmcpolice
svrWeb2, web2.intranet.wmcpolice

I have setup two Policy Domains each with a Realm (one with agent svrWeb1, one with agent svrWeb2). I have setup a number of Rules and Policies but only the ones for web1.intranet.wmcpolice are working.

In development.intranet.wmcpolice I know the http_smuser is not being set so I'm taking this as proof of this one not working.

Could you confirm whether I have set this up correctly or whether I have missed a step.

*******************
Message to customer

Can you expand further with regards to the web site that is not working, ie the symtoms being experienced, are there any errors, warnings, messages being displayed

*******************
Reply from customer

At the moment I'm just calling a web page that will output the http_smuser if it exists, if it doesn't exist then I output a message to say it is undefined.
I get the undefined message.

no errors, no warnings.

I get to the page whether I am included or excluded in the Policy users list.

*********************
Update from customer

The ISAPI filter is set at the Web Sites level so will cover all websites on that server.
The problem is how the agent identities are configured as at the moment both sites are trying to be protected by the single agent even though the two sites have different file structures.

The question was ..... have I configured the agent identities correctly.

Solution:

For IIS 6.0, please refer the chapter: Configure Virtual Servers, section - "Add a SiteMinder Wildcard mapping to Protect IIS 6.0 Virtual Web sites" from Web Agent Configuration Guide. This has the step-by-step procedure to configure agent identities in IIS 6.0.

However, with Web Agent on IIS5, you should only have a Web Agent filter at the root level, not the web site level.

You should never have two ISAPI web agent filters installed in a single IIS server. Such a configuration has been known to cause the same request to be handled multiple times by a web agent, and can cause multiple issues.

  1. If you only wish to protect a single virtual server:

    Create an agent identity for the virtual server you wish to protect.
    Configure a defaultagentname that is not tied to any realms.

    The protected resources will be handled by the configured agent identity. Other requests will fall through the defaultagentname and not be handled.

  2. If you wish to protect some but not all virtual servers:

    Configure agent identities for all the virtual servers. For the virtual servers that you do not wish to be protected, do not configure any realms for those agent identities. (You may also setup a default agentname for those servers as mentioned above.)