|Oracle® Access Manager Installation Guide
The Oracle Access Manager ISAPI WebGate will not be available with the initial 10g (10.1.4.3) installer release. Check the certification matrix for availability as described in "Compatibility and Platform Support".
The ISA Server is Microsoft's "integrated edge security gateway". It is designed to protect IT environments from Internet-based threats and to give users secure remote access to applications and data.
WebGate is the Oracle Access Manager Web server plug-in access client that intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. ISAPI (Internet Server API) is the Microsoft Web server extension interface on which this WebGate is built; the name ISAPI WebGate identifies the WebGate that communicates with the ISA Server (and the IIS Web Server).
This WebGate has been tested to operate with the ISA Server in scenarios that use both Oracle Access Manager Basic and Form (form-based) authentication schemes. You develop Basic and Form authentication schemes and policy domains using Oracle Access Manager as usual.
Oracle Access Manager Client Certificate authentication is not supported for the ISA Server.
See the Oracle Access Manager Access Administration Guide for more information about authentication management and policy domains.
Using ISA Server with Oracle Access Manager is similar to using the IIS Web server. However, the ISA Server provides firewall and Virtual Private Network (VPN) functions.
ISA Server can be configured for third-party security filters. To enforce Oracle Access Manager security during authentication and authorization when you use ISA Server, both webgate.dll and postgate.dll must be registered as ISA Server Web filters. Every request for an Oracle Access Manager protected resource that passes through the ISA Server is processed by webgate.dll and postgate.dll.
The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI WebGate with the ISA Server.
Confirming "Compatibility and Platform Support"
Perform the following tasks, as described in:
As described in "Confirming Certification Requirements", you can get the latest certification matrix from Oracle Technology Network at the following URL:
After ISA Server installation, you perform the following tasks to install WebGate for use with ISA Server.
When you install WebGate with the ISA Server, the destination for the ISAPI WebGate installation (also known as the WebGate_install_dir) should be the same as that of the Microsoft ISA Server. For example, if ISA Server is installed in C:\Program Files\Microsoft ISA Server, the ISAPI WebGate should also be installed there.
During WebGate installation, do not automatically update the ISA Server configuration. Instead, choose "No" when asked about automatic updates to the ISA Server configuration.
As you can see in the following task overview, some of the tasks that you need to perform are described in Chapter 9, and others are located in this chapter.
After finishing ISAPI WebGate installation and configuration for the ISA Server, you need to change permissions on the \access subdirectory, which the installer created in the ISA Server (also WebGate) installation directory. Add the user NETWORK SERVICE with Full Control, and grant Full Control to NETWORK ADMINISTRATOR.
This enables the ISA Server to establish a connection between the WebGate and the Access Server. Certain configuration files in this directory must be readable by network administrators, which is why you grant NETWORK ADMINISTRATOR Full Control. Note that Full Control is broader than the read access described here, so confirm that the grant is acceptable under your site's least-privilege policy before you apply it.
In the file system, right-click WebGate_install_dir\access, and select Properties.
In the Properties window, click the Security tab.
Add user "NETWORK SERVICE" and then select "Allow" to give "Full Control".
For the "NETWORK ADMINISTRATOR", select "Full Control".
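The same permission change, made and then verified from the command line instead of the Properties dialog. This is an added example and is not part of the Oracle guide or of the WebGate product. It assumes that ISA Server and the ISAPI WebGate share C:\Program Files\Microsoft ISA Server, that icacls.exe is available (Windows Server 2003 SP2 or later), and that "NETWORK ADMINISTRATOR" is the principal name exactly as the guide gives it; substitute the account or group your site actually uses.

```powershell
# Added example, not from the Oracle guide: set and verify the \access ACL from
# PowerShell rather than the Properties dialog. Assumptions: ISA Server and the
# ISAPI WebGate share C:\Program Files\Microsoft ISA Server, icacls.exe is
# available (Windows Server 2003 SP2 or later), and "NETWORK ADMINISTRATOR" is
# the name used in the guide; substitute the account or group your site uses.
$accessDir  = 'C:\Program Files\Microsoft ISA Server\access'
$principals = @('NT AUTHORITY\NETWORK SERVICE', 'NETWORK ADMINISTRATOR')

foreach ($p in $principals) {
    # (OI)(CI)F = Full Control, inherited by files and subfolders; /T also
    # rewrites the ACL on everything that already exists under \access.
    & icacls.exe $accessDir /grant ("{0}:(OI)(CI)F" -f $p) /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for '$p' (exit code $LASTEXITCODE)" }
}

# Verify by SID so the check does not depend on how the account name is displayed.
$acl  = Get-Acl -Path $accessDir
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($p in $principals) {
    $sid  = (New-Object System.Security.Principal.NTAccount($p)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if (-not $rule) { throw "'$p' does not hold Full Control (Allow) on $accessDir" }
    Write-Host "$p : Full Control confirmed on $accessDir"
}
```

Run it from an elevated PowerShell session on the ISA Server host. The verification loop resolves each name to a SID before comparing, so it still passes when the ACL editor shows a localized or domain-qualified form of the same account; it fails loudly if a grant is missing or was applied as Deny.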
The following topics describe how to configure the ISA Server to operate with the Oracle Access Manager ISAPI WebGate.
After resetting ISAPI WebGate permissions, you need to register Oracle Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within ISA Server. Web filters screen all HTTP traffic that passes through the ISA Server host. Only compliant requests are allowed to pass through.
Oracle Access Manager authentication schemes define how the user is challenged for credentials, how the user-supplied information is mapped and verified, and so forth. With the ISA Server, you must choose either Form or Basic authentication as the challenge method. You must also specify a Challenge Parameter to map the credentials provided by the user to the corresponding user profile stored in the directory server.
If Oracle Access Manager libraries are not registered as ISA Web filters, Oracle Access Manager authentication could fail. Do not point to webgate.dll in the action path for form-based login in the authentication scheme. Instead, specify the path to a dummy file in the /access directory as shown here:
For form-based authentication, postgate.dll must be installed and must be at a higher priority level than webgate.dll.
The following procedure describes how to register Oracle Access Manager plug-ins in the ISA Server.
If you need to undo the filter registration, use the same procedure with the regsvr32 /u option, as shown in the uninstall steps at the end of this chapter.
Locate the ISA Server installation directory, from which you will perform the following tasks.
Run net stop fwsrv to stop the ISA Server.
Register the webgate.dll as an ISAPI Web filter by running
Register the postgate.dll as an ISAPI Web filter by running
Restart the ISA Server by running net start fwsrv.
To authenticate users, ISA Server must be able to communicate with the authentication servers. After registering Oracle Access Manager webgate.dll and postgate.dll as ISA Web filters, you must configure the ISA Firewall Policy rule to protect resources using these Web filters.
Web publishing rules essentially map incoming requests to the appropriate Web servers. Access rules determine how clients on a source network access resources on a destination network. ISA Firewall Policy rules require client membership in a user set: either Firewall clients, authenticated Web clients, or virtual private network (VPN) clients. The ISA Server attempts to match authenticated users based upon ISA Firewall Policy rules.
See your ISA Server documentation for details about ISA Firewall Policies and rules.
The following procedure describes how to configure an ISA Firewall Policy rule to use with ISA Web filters for Oracle Access Manager webgate.dll and postgate.dll.
After you perform the following procedure, when you create a Web listener, open its Authentication settings and, under Advanced Properties, select Allow client authentication over HTTP.
To configure ISA policies to enable Oracle Access Manager authentication and authorization
From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
From the tree of the ISA Server Management console, locate the name of this server, and then click Firewall Policy.
From the Tasks tab, click Publish Web Sites.
In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.
On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.
In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.
On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.
If you are using secured connections, see the server connection security settings provided by ISA Server.
Perform the following steps to set internal publishing details:
In the Internal site name box, type the internally-accessible name of the Web server.
Select the Use a computer name or IP address to connect to the published server check box.
Type the internally-accessible and fully qualified domain name, or the IP address, of the Web server computer in the Computer name or IP address box.
In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.
To publish a particular folder in the Web site:
Type the folder name in the Path (optional) box to display the full path of the published Web site in the Web site box.
In the Accept requests for list:
Click This domain name (type below).
In the Public name box, type the publicly-accessible fully qualified domain name of the Web site.
In the Web listener list, click the Web listener to use for this Web publishing rule, or create a new Web listener, as follows:
Click New, type a descriptive name for the new Web listener, and then click Next.
Click Do not require SSL secured connections with clients, and then click Next. With this setting the listener accepts plain HTTP, so the credentials that the Basic or Form authentication scheme collects travel between the client and the ISA Server in cleartext; if that is not acceptable for your deployment, require SSL on the listener and see the connection security settings in your ISA Server documentation.
In the Listen for requests from these networks list, select the required networks and select the External check box, then click Next.
In the Select how clients will provide credentials to ISA Server list, click No Authentication (Oracle Access Manager, not ISA Server, challenges the user), and then click Next.
On the Single Sign On Settings page, click Next, and then click Finish.
Authentication Delegation: In the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, and client cannot authenticate directly. ISA Server uses this setting when it connects to the published Web server; because the WebGate filters handle authentication, ISA Server does not delegate credentials.
On the User Sets page:
Keep All Users (the default) so that the rule applies to requests from any user set.
Click Next and then click Finish.
Click Apply to update the firewall policy, and then click OK.
Validate that only applicable ports are open and that the traffic that you would like to pass through is allowed.
It is important to ensure that the WebGate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll.
From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
Expand Configuration, then click Add-ins to display your Web filters.
Right-click the Web-filters and select Properties.
Confirm that both webgate.dll and postgate.dll appear in the list of Web filters.
Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the order so that postgate.dll is above webgate.dll.
Confirm that there is only one webgate.dll filter and one postgate.dll filter, that both are enabled, and that postgate.dll is at a higher priority level than webgate.dll.
When instructed to restart your ISA Server during Oracle Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop fwsrv and net start fwsrv to stop and start the ISA Server. The net commands help to ensure that the Metabase does not become corrupted following an installation.
For more information, see your ISA Server documentation.
If you plan to uninstall the WebGate that is configured to operate with the ISA Server, you must first unregister the Oracle Access Manager filters manually, and then uninstall WebGate.
See Chapter 22 for complete details about uninstalling Oracle Access Manager components.
Stop the ISA Server.
Run the following command to unregister webgate.dll. For example:
regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll
Run the following command to unregister postgate.dll. For example:
regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\postgate.dll
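The registration procedure earlier in this chapter (stop the ISA Server, run regsvr32 for each filter, start the ISA Server) and the unregistration procedure above, combined in one script. This is an added example and is not part of the Oracle guide or of the WebGate product. The register commands are inferred from the regsvr32 /u commands shown above (the same paths without /u); the script assumes that ISA Server and WebGate share C:\Program Files\Microsoft ISA Server, and the -Unregister switch name is this example's own.

```powershell
# Added example, not from the Oracle guide: stop the ISA Server Firewall service,
# register (or, with -Unregister, unregister) the two WebGate ISAPI filters, and
# start the service again. Register commands are inferred from the guide's
# "regsvr32 /u" commands. Assumption: ISA_install_dir is
# C:\Program Files\Microsoft ISA Server.
param([switch]$Unregister)

$isaDir  = 'C:\Program Files\Microsoft ISA Server'
$binDir  = Join-Path $isaDir 'access\oblix\apps\webgate\bin'
$filters = @('postgate.dll', 'webgate.dll')

# The guide stops the ISA Server (service name fwsrv) before touching the filters.
& net.exe stop fwsrv
if ($LASTEXITCODE -ne 0) { throw "net stop fwsrv failed (exit code $LASTEXITCODE)" }

try {
    foreach ($f in $filters) {
        $dll = Join-Path $binDir $f
        if (-not (Test-Path -Path $dll)) { throw "Missing filter DLL: $dll" }
        # regsvr32 is a GUI-subsystem program, so use Start-Process -Wait to get
        # its exit code; /s suppresses the result dialog for unattended use.
        $regArgs = if ($Unregister) { @('/s', '/u', "`"$dll`"") } else { @('/s', "`"$dll`"") }
        $proc = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            throw "regsvr32 $($regArgs -join ' ') failed (exit code $($proc.ExitCode))"
        }
        $verb = if ($Unregister) { 'unregistered' } else { 'registered' }
        Write-Host "$f : $verb"
    }
}
finally {
    # Always bring the firewall back up, even if a regsvr32 step failed.
    & net.exe start fwsrv
    if ($LASTEXITCODE -ne 0) { Write-Warning "net start fwsrv failed (exit code $LASTEXITCODE)" }
}
```

Run the script without arguments after installing WebGate, and with -Unregister before uninstalling it. regsvr32 only makes the DLLs known to ISA Server; it does not set their order, so after registering, still open Configuration, Add-ins in ISA Server Management and confirm that postgate.dll sits above webgate.dll and that each filter appears exactly once and is enabled.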