30 Configuring the ISA Server for 10g Webgates

This chapter describes how to configure the Oracle Access Manager ISAPI Webgate and Microsoft Internet Security and Acceleration Server (ISA Server) to operate together. Topics include:

• Prerequisites

• About Oracle Access Manager and the ISA Server

• Compatibility and Platform Support

• Installing and Configuring Webgate for the ISA Server

• Configuring the ISA Server for the ISAPI Webgate

• Starting, Stopping, and Restarting the ISA Server

• Removing Oracle Access Manager Filters Before Webgate Uninstall on ISA Server

Prerequisites

Ensure that your Oracle Access Manager Console is running and get familiar with:

• "Introduction to Policy Enforcement Agents"

• "About Oracle Access Manager and the ISA Server"

About Oracle Access Manager and the ISA Server

The ISA Server is Microsoft's "integrated edge security gateway". It is designed to protect IT environments from Internet-based threats and to give users secure remote access to applications and data.

Webgate is the Oracle Access Manager Web server plug-in access client that intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. ISAPI is the Internet Web server extension that Oracle Access Manager uses to identify Webgates that communicate with the ISA Server (and the IIS Web Server).

This Webgate has been tested to operate with the ISA Server in scenarios that use both Oracle Access Manager Basic and Form (form-based) authentication schemes. You develop Basic and Form authentication schemes and policy domains using Oracle Access Manager as usual.

Note:

Oracle Access Manager Client Certificate authentication is not supported for the ISA Server.

See Also:

Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service for more information about authentication management and policy domains.

Using ISA Server with Oracle Access Manager is similar to using the IIS Web server. However, the ISA Server provides firewall and Virtual Private Network (VPN) functions.

ISA Server can be configured for third-party security filters. To enforce Oracle Access Manager security during authentication and authorization when you use ISA Server, both webgate.dll and postgate.dll must be registered as ISA Server Web filters. Every request to the Access Server that passes through ISA Server requires webgate.dll and postgate.dll.

The following overview outlines the tasks that you must perform and the topics where you will find the steps to set up the ISAPI Webgate with the ISA Server.

Task overview: Installing and configuring the ISAPI Webgate on ISA Server

1. Confirming "Compatibility and Platform Support"

2. "Installing and Configuring Webgate for the ISA Server".

3. "Configuring the ISA Server for the ISAPI Webgate".

4. Perform the following tasks, as described in:

   1. "Ordering the ISAPI Filters"

   2. "Removing Oracle Access Manager Filters Before Webgate Uninstall on ISA Server"

Compatibility and Platform Support

Get the latest certification matrix from Oracle Technology Network at the following URL:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

Installing and Configuring Webgate for the ISA Server

After ISA Server installation, you perform the following tasks to install Webgate for use with ISA Server.

See Also:

"Compatibility and Platform Support"

Task overview: Performing Webgate configuration for ISA Server includes

1. "Installing Webgate with ISA Server"

2. "Changing /access Directory Permissions"

3. "Registering Oracle Access Manager Plug-ins as ISA Server Web Filters"

Installing Webgate with ISA Server

When you install Webgate with the ISA Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the Microsoft ISA Server. For example, if ISA Server is installed on C:\Program Files\Microsoft ISA Server, the ISAPI Webgate should also be installed there.

Note:

During Webgate installation, do not automatically update the ISA Server configuration. Instead, choose "No" when asked about automatic updates to the ISA Server configuration.

Task overview: Installing the ISAPI Webgate for the ISA Server

1. See Chapter 27 for details on the following topic, as these apply to your environment:

   • Provisioning a 10g Webgate with OAM 11g

   • Locating and Installing the Latest OAM 10g Webgate for OAM 11g

   • Deploying Applications in a WebLogic Container

   • Configuring Centralized Logout for 10g Webgate with OAM 11g

2. Changing /access Directory Permissions

Changing /access Directory Permissions

After finishing ISAPI Webgate installation and configuration for the ISA Server, you need to change permissions to the \access subdirectory. This subdirectory was created in the ISA Server (also Webgate) installation directory. You need to add the user NETWORK SERVICE and grant full control to NETWORK ADMINISTRATOR.

This enables the ISA Server to establish a connection between the Webgate and Access Server. Certain configuration files should be readable by network administrators, which is why you grant NETWORK ADMINISTRATOR full control.

To change permissions for the \access subdirectory

1. In the file system, right-click Webgate_install_dir\access, and select Properties.

2. In the Properties window, click the Security tab.

3. Add user "NETWORK SERVICE" and then select "Allow" to give "Full Control".

4. For the "NETWORK ADMINISTRATOR", select "Full Control".

Configuring the ISA Server for the ISAPI Webgate

The following topics describe how to configure the ISA Server to operate with the Oracle Access Manager ISAPI Webgate.

Task overview: Performing Webgate configuration for ISA Server includes

1. "Registering Oracle Access Manager Plug-ins as ISA Server Web Filters"

2. "Configuring ISA Firewall Policies for ISA Web Filters"

Registering Oracle Access Manager Plug-ins as ISA Server Web Filters

After resetting ISAPI Webgate permissions, you need to register Oracle Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within ISA Server. Web filters screen all HTTP traffic that passes through the ISA Server host. Only compliant requests are allowed to pass through.

Oracle Access Manager authentication schemes define how the user is challenged for credentials, maps user-supplied information, verifies it, and so forth. With the ISA Server, you must choose either Form or Basic authentication as the challenge method. You must also specify a Challenge Parameter to map the credentials provided by the user to the corresponding user profile stored in the directory server.

Note:

If Oracle Access Manager libraries are not registered as ISA Web filters, Oracle Access Manager authentication could fail. Do not point to webgate.dll in the action path for form-based login in the authentication scheme. Instead, specify the path to a dummy file in the /access directory as shown here:

action= "/access/dummy"

For form based authentication, postgate.dll must be installed and should be at a higher level than webgate.dll.

The following procedure describes how to register Oracle Access Manager plug-ins in the ISA Server.

Note:

If you need to undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll

To register Oracle Access Manager plug-ins as ISA Server Web filters

1. Locate the ISA Server installation directory, from which you will perform the following tasks.

2. Run net stop fwsrv to stop the ISA Server.

3. Register the webgate.dll as an ISAPI Web filter by running regsvr32 ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll.

4. Register the postgate.dll as an ISAPI Web filter by running regsvr32 ISA_install_dir\access\oblix\apps\webgate\bin\postgate.dll.

5. Restart the ISA Server by running net start fwsrv to restart the ISA Server.

6. Proceed to "Configuring ISA Firewall Policies for ISA Web Filters".

Configuring ISA Firewall Policies for ISA Web Filters

To authenticate users, ISA Server must be able to communicate with the authentication servers. After registering Oracle Access Manager webgate.dll and postgate.dll as ISA Web filters, you must configure the ISA Firewall Policy rule to protect resources using these Web filters.

Web publishing rules essentially map incoming requests to the appropriate Web servers. Access rules determine how clients on a source network access resources on a destination network. ISA Firewall Policy rules require client membership in a user set: either Firewall clients, authenticated Web clients, or virtual private network (VPN) clients. The ISA Server attempts to match authenticated users based upon ISA Firewall Policy rules.

See Also:

Your ISA Server documentation for details about ISA Firewall Policies and rules

The following procedure describes how to configure an ISA Firewall Policy rule to use with ISA Web filters for Oracle Access Manager webgate.dll and postgate.dll.

Note:

After you perform the following procedure, when you create a listener in the authentication click Allow client authentication over HTTP in Advanced Properties.

To configure ISA policies to enable Oracle Access Manager authentication and authorization

1. From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

2. From the tree of the ISA Server Management console, locate the name of this server, and then click Firewall Policy.

3. From the Tasks tab, click Publish Web Sites.

4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.

5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.

6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.

7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.

   Note:

   If you are using secured connections, see the server connection security settings provided by ISA Server.

8. Perform the following steps to set internal publishing details:

   1. In the Internal site name box, type the internally-accessible name of the Web server.

   2. Check the Use a computer name or IP address to connect to the published server check box.

   3. Type the internally-accessible and fully qualified domain name, or type the IP address of the Web server computer, in the Computer name or IP address box

   4. Click Next.

9. In the Public name box, type the publicly-accessible domain name of the Web server computer, and then click Next.

10. To publish a particular folder in the Web site:

    1. Type the folder name in the Path (optional) box to display the full path of the published Web site in the Web site box.

    2. Click Next.

11. In the Accept requests for list:

    1. Click This domain name (type below).

    2. In the Public name box, type the publicly-accessible fully qualified domain name of the Web site.

    3. Click Next.

12. In the Web listener list, either click the Web listener to use for this Web publishing rule; otherwise or create a new Web listener, as follows:

    1. Click New, type a descriptive name for the new Web listener, and then click Next.

    2. Click Do not require SSL secured connections with clients, and then click Next.

    3. In the Listen for requests from these networks list, click the required networks and click to check the External box, then click Next.

    4. In the Select how clients will provide credentials to ISA Server list, click No Authentication, and then click Next.

    5. On the Single Sign On Settings page, click Next, and then click Finish.

13. Authentication Delegation: Perform the following steps in the Select the method used by ISA Server to authenticate to the published Web server list:

    1. Click No Delegation.

    2. Click Client Cannot Authenticate Directly.

    3. Click Next.

       This is used by ISA Server to authenticate to the published Web server.

14. On the User Sets page:

    1. Choose All (the default user setting) to set the rule that applies to requests from the user sets box.

    2. Click Next and then click Finish.

15. Click Apply to update the firewall policy, and then click OK.

16. Validate that only applicable ports are open and that the traffic that you would like to pass through is allowed.

Ordering the ISAPI Filters

It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll.

To order the Webgate ISAPI filters for ISA Server

1. From the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.

2. Expand Configuration, then check Add-ins to display your Web-filters.

3. Right-click the Web-filters and select Properties.

4. Confirm the following .dll files appear.

   For example:

   
   postgate.dll
   webgate.dll
   

5. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5.

   WARNING:

   Confirm that there is only one webgate.dll and one postgate.dll filter and ensure that these are in an enabled state. Also, ensure that postgate.dll is installed at higher priority level than webgate.dll.

Starting, Stopping, and Restarting the ISA Server

When instructed to restart your ISA Server during Oracle Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop fwsrv and net start fwsrv are good ways to stop and start the ISA Server. The net commands help to ensure that the Metabase does not become corrupted following an installation.

For more information, see your ISA Server documentation.

Removing Oracle Access Manager Filters Before Webgate Uninstall on ISA Server

If you plan to uninstall the Webgate that is configured to operate with the ISA Server, you must first unregister the Oracle Access Manager filters manually, and then uninstall Webgate.

See Also:

Chapter 27 for details about uninstalling Oracle Access Manager 10g Webgates

To unregister filters before Webgate uninstall

1. Stop the ISA Server.

2. Run the following command to unregister webgate.dll. For example:

   regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\webgate.dll
   

3. Run the following command to unregister postgate.dll. For example:

   regsvr32 /u ISA_install_dir\access\oblix\apps\webgate\bin\postgate.dll