Q. ProxyTrust ACO parameter

Document ID : KB000123114
Last Modified Date : 19/12/2018
Show Technical Document Details
Question:
Two questions about ProxyTrust ACO parameter

1. Web Agents are installed and configured on both a front-end Reverse Proxy server and a back-end Web server.
When the ProxyTrust ACO parameter is set to "yes" on the back-end Web Agent, no authorization requests are sent to the Policy Server from the Web Agent.
Does it mean the authorization events aren't recorded in the smaccess.log file on the Policy Server?

2. Another Web server is protected with the Web Agent and exposed to clients without the Reverse Proxy server above. The Web server is planned to be moved behind the Reverse Proxy in near future. Is it a good idea to set the ProxyTrust to "yes" in advance?
 
Answer:
The ACO parameter "ProxyTrust" is used in the combination with the ACO parameter "ProxyAgent" of the Reverse Proxy Server.

1. The behavior is depending on the value of "ProxyAgent"
 
case 1: ProxyAgent=yes
Yes. All authorization events are skipped on the back-end server. Only the authorization events from the Reverse Proxy server are logged in the smaccess.log file.

case 2: ProxyAgent=no
No. Authorization is done on the back-end server again and the events are logged in the smaccess.log file.
 
2. No. It isn't recommended.

"ProxyTrust=yes" means the back-end Web Agent trusts the authorization results of the front-end Web Agent. This setting shouldn't be used without protecting with the front-end Reverse Proxy Server with the Web Agent.