I've recently been hit with a roadblock on an implementation I am working on. Here's the setup:
-We're using a SA6500 with custom sign-in page (CSP) to redirect a user to an external-facing 2-factor authentication solution (Arcot). Arcot integrates with SiteMinder to generate a SMSession cookie for users that the IVE checks for authentication/authorization.
-After successful authentication, we have Arcot configured to redirect the user's browser back through the IVE to their original requested URL, and we manually configure this link to go through the IVE properly (see example below)
-Original URL: https://server1.company.com/urldata
-We have configured external DNS to point to the IVE for the hostname of the internal server (server1 external DNS = IVE, server1 internal DNS = back-end server).
This redirection works well for initial, unauthenticated requests, but any subsequent internal links of the form server1.company.com/urldata aren't caught by our CSP script.
Has anyone ever done this (even just the DNS part)? Any assistance would be most helpful! I'm just looking for a way to tunnel or rewrite the traffic destined to this server. I have had an issue with SAM doing the job, because it seems that it automatically bypasses traffic destined for the IVE hostname that was used to launch it. Weird.
That is correct. You are using the same browser for the connection; this is picked up as a valid session and users are logged in directly (or at least attempted to be). You would need to sign out between each connection on that.
For your SAM issue, do you mean that it is not capturing traffic for the IVE? Was it configured to capture that traffic?
WSAM is configured to tunnel a handful of URLs:
All 3 of these are configured with external DNS to point to the IP of the IVE, as well as existing on the internal LAN. When I launch WSAM through URL1, I can tunnel data to the other two destinations but not the original URL1.
Is there some built-in function of WSAM that passes through the traffic destined to the URL that was used to launch it?
I don't believe so, not really. I believe it makes a change so it always connects to the same IP in case of events like proxy or DNS changes; but not that it passes traffic that was used to launch it because of some other reason.
Do the internal DNS servers resolve to the IVE as well? DNS requests are proxied by WSAM to the intranet.
Internal DNS resolves to the internal server IPs. I've actually worked around the hostname issue by redirecting the browser to another URL of the form iveurl.company.com/dana/home/launch.cgi?url=http://url1.company.com/urldata1
Either way, I'm still having issues with WSAM. I noticed that the traffic actually starts tunneling after about 5 minutes. I have JTAC looking into it, but I have no idea why this behavior is occurring. Thoughts?
What is the client OS?
Is WSAM showing as connected successfully prior to the 5 minute mark?
Is this for all connections or just some?
Client OS: Windows XP SP2, IE 6 or 7
WSAM is showing as connected the whole time
All connections seem to be untunneled. And I was/am mistaken: traffic destined to URL2 and 3 is no longer tunneling properly. Tried flushing DNS and still no joy.
So just in case anyone is still following this or trying to do the same thing, the way that JTAC and I worked out to get it done was to modify DNS timeouts to 1 second on the host machine. This is done using the procedure found here.
The only problem with this is that by setting the DNS timeouts so low, I am afraid that there will be quite a large increase in DNS traffic (permanently, I might add). I tried using a logon/logoff script with WSAM, but by the time SAM is launched, the DNS timeout values need to be set already, so the logon script does not trigger in time.
I wonder if there's a way to pause the IVE after autolaunching SAM so that the script can run before the browser is forwarded on to the start page...
Any ideas folks?
Ack, not leaving me much wiggle room there, zany. Is there anything you can think of that may solve/work around this problem?