When setting up webservers two configuration options are:
- The webserver can be set up as a Reverse Proxy Server, which acts as a gateway and passes the web client requests onto backend web servers; or
- The webserver can be set up as a Backend Web-Server receiving requests from the proxy server.
SiteMinder webagents can be installed on the Reverse Proxy Server and/or on the Backed Web-Server. The settings ProxyAgent, ProxyTimeout and ProxyTrust have specific abilities for setup when the webagent is installed on both servers. This article explains their usage.
A normal configuration for a customer is to have a front end acting as a gateway into their web server farm. The front end is often configured with Load Balancers, SSL offloaders, and Reverse Proxy Servers, they perform the following tasks:
- Load Balancers distribute the load amongst workfarm members,
- SSL Offloaders take CPU load off the webservers by de-coding the encrypted SSL traffic and returning it in the clear and
- Reverse Proxy Servers allows you to hide the internal detail of your infrastructure from the outside client world.
A Reverse Proxy Server, which is what we are focusing on here, is a webserver that then passes all the URL requests from the front end clients, onto various backend webservers. During the "reverse proxy" process, it is common to manipulate the request and to split then directing them to different backend webservers. SiteMinder Secure Proxy Server is one example, but most webservers Apache, Sun ONE, and IIS are capable of acting as reverse proxy servers.
<Client> ---> <Reverse-Proxy> ---> <Backend-Web-Server>
If you have a webagent in both the Reverse Proxy Server and the Backend Web Server, then the SMSESSION will be decoded and checked twice, and calls so obviously there is some room for optimization.
Web Agent for Reverse Proxy Server
Setting for a WebAgent in a Reverse Proxy Server:
ProxyAgent: = YES|NO
If set to YES, then this agent will take control of the SMSESSION sentProxyTimeout: 120 Setting for a WebAgent for a backend server that gets requests from a Reverse Proxy Server: Will not write SMSESSION cookie updates back to the client.
Will trust the Az rules made by the Proxy Server