33.7 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. You can install and configure multiple Webgates for different Web sites on the same IIS Web server instance. Several steps are manual and differ from those that are performed when you install a single Webgate with a single IIS instance.

When you install multiple Webgates for a single IIS instance:

  • The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level.

  • The /access virtual directory is mapped at the Web site level to the respective /access directory in the Webgate installation.

When configuring the impersonation DLL for multiple Webgates, you need to configure a user to act as the operating system.

There can only be one postgate.dll configured at the (top) Web Sites level of a machine. However, you might have multiple webgate.dlls configured at different levels below the top level Web Sites. If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created that can cause unusual Access Manager behavior.

Task overview: Installing and configuring multiple Webgates for a single IIS instance:

  1. Installing Each Webgate in a Multiple Webgate Scenario
  2. Setting the Impersonation DLL for Multiple Webgates
  3. Enabling SSL and Client Certification for Multiple Webgates
  4. Perform the following tasks, which are the same whether you install one or more Webgates per IIS Web server instance:

33.7.1 Installing Each Webgate in a Multiple Webgate Scenario

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. After installing the ISAPI Webgate, there are several manual steps to perform as described here. By default, webgate.dll is configured as an ISAPI filter at the Web sites (top) level. When installing multiple Webgates with a single IIS instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each Webgate installation.

Note:

If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Access Manager behavior. The postgate.dll is not supported in environments where you have multiple Webgates configured with a single IIS v6 web server instance.

To install each Webgate when you have several with one IIS instance:

  1. Install the ISAPI Webgate as described in Registering and Managing 10g WebGates with Access Manager 11g.

  2. Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps:

    1. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager

    2. Right click Web Sites, and then click the Properties option.

    3. Click the ISAPI filter tab, look for the path to webgate.dll; if it is present in the filter, then select it and click the Remove button.

    4. Under Web Sites, right-click the name of the Web site to protect, and select the Properties option.

    5. Click the ISAPI filter tab to add the filter DLLs.

    6. Add the following filter to identify the path to the webgate.dll file, and name it "webgate".

      Webgate_install_dir/access/oblix/apps/webgate/bin/webgate.dll
      
    7. Save and apply these changes.

    8. Go to the Directory Security tab.

    9. Confirm that "anonymous access" and "basic authentication" are selected so that Access Manager provides authentication for this Web server.

    10. Save and apply these changes.

  3. Go to the Web site to protect, and create an /access virtual directory that points to the newly installed Webgate_install_dir:

    1. Under Web Sites, right-click the name of the Web site to be protected.

    2. Select New and create a new virtual directory named access that points to the appropriate Webgate_install_dir/access.

    3. Under Access Permissions, check Read, Run Scripts, and Execute.

    4. Save and apply these changes.

  4. In the file system, set directory permissions for Access Manager:

    1. In the file system, locate and right-click Webgate_install_dir\access, and then select Properties.

    2. Click the Security tab.

    3. Add user "IUSR_machine_name" and then select "Allow" for "Modify".

      For example, for a machine_name of Oracle, select IUSR_ORACLE.

    4. Add user "IWAM_machine_name" and then select "Allow" for "Modify".

      For example, for a machine_name Oracle, select IWAM_ORACLE.

    5. Add user "IIS_WPG" and then select "Allow" for "Modify".

    6. Add user "NETWORK SERVICE" and then select "Allow" for "Modify".

    7. For the group "Administrators", select "Allow" for "Modify".

  5. If Webgate has been set up in Simple or Cert mode, perform the following steps:

    1. In the file system, locate and right-click the "password.xml" file in Webgate_install_dir\access\oblix\config\password.xml.

    2. Click the Security tab.

    3. Give "Allow" for "Read" rights to users "IUSR_machine_name", "IWAM_machine_name", "IIS_WPG", and "NETWORK SERVICE".

  6. Add a new Web service extension using the following steps:

    1. Right click Web Service Extensions, and then select Add a new Web service extension....

    2. Add the Extension name Oracle Webgate.

    3. Click Add to add the path to the extension file, and then enter the path to the appropriate webgate.dll.

      Webgate_install_dir\access\access\oblix\apps\webgate\bin\webgate.dll
      
    4. Click OK to save the changes.

    5. Check the box beside Set extension status to allowed.

    6. Click OK to save the changes.

  7. Ensure that there is no webgate.dll in the ISAPI filter at the top Web site level ("web sites").

  8. Perform the next set of tasks using instructions in the following topics:

    1. "Setting the Impersonation DLL for Multiple Webgates"

    2. "Enabling SSL and Client Certification for Multiple Webgates"

  9. Repeat these steps when you install the next Webgate for the IIS instance.
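
The filter-placement rules in this procedure (no webgate.dll at the top Web Sites level, one webgate.dll filter on each protected site, no postgate.dll) can be checked from the IIS 6 metabase after each installation. The following PowerShell audit is an added example, not Oracle code; the site IDs, drive paths, and function names are assumptions chosen for illustration.

```powershell
# Added example, not Oracle code. Site IDs and install paths are constructed.
function New-FilterRecord($Scope, $Name, $Path) {
    New-Object PSObject -Property @{ Scope = $Scope; Name = $Name; Path = $Path }
}

# Read ISAPI filters from the IIS 6 metabase through the ADSI IIS provider.
# Scope is 'TOP' for the Web Sites level, otherwise the numeric site ID.
function Get-IisFilterRecord([string]$Server = 'localhost') {
    $root = "IIS://$Server/W3SVC"
    $scopes = @('TOP') + @(([ADSI]$root).psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'IIsWebServer' } |
        ForEach-Object { $_.psbase.Name })
    foreach ($s in $scopes) {
        $node = if ($s -eq 'TOP') { "$root/Filters" } else { "$root/$s/Filters" }
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($node)) { continue }
        foreach ($f in ([ADSI]$node).psbase.Children) {
            New-FilterRecord $s $f.psbase.Name ([string]$f.psbase.Properties['FilterPath'].Value)
        }
    }
}

# Apply the placement rules stated in this topic to a list of filter records.
function Test-WebgateFilterPlacement($Filters, [string[]]$ProtectedSites) {
    $isDll = { param($f, $dll) [IO.Path]::GetFileName($f.Path) -ieq $dll }
    $out = @()
    foreach ($f in $Filters) {
        if ($f.Scope -eq 'TOP' -and (& $isDll $f 'webgate.dll')) {
            $out += "TOP: remove webgate.dll filter '$($f.Name)' ($($f.Path))"
        }
        if (& $isDll $f 'postgate.dll') {
            $out += "$($f.Scope): postgate.dll filter present; not supported with multiple Webgates"
        }
    }
    foreach ($id in $ProtectedSites) {
        $n = @($Filters | Where-Object { $_.Scope -eq $id -and (& $isDll $_ 'webgate.dll') }).Count
        if ($n -ne 1) { $out += "Site ${id}: expected 1 webgate.dll filter, found $n" }
    }
    $out
}

# Constructed sample: site 1 is configured correctly, site 2 never received its
# own filter, and the installer's default top-level webgate.dll was left in place.
$sample = @(
    (New-FilterRecord 'TOP' 'webgate'  'D:\wg2\access\oblix\apps\webgate\bin\webgate.dll'),
    (New-FilterRecord '1'   'webgate'  'D:\wg1\access\oblix\apps\webgate\bin\webgate.dll'),
    (New-FilterRecord 'TOP' 'postgate' 'D:\wg1\access\oblix\apps\webgate\bin\postgate.dll')
)
Test-WebgateFilterPlacement $sample @('1', '2')
# On the IIS 6 host: Test-WebgateFilterPlacement (Get-IisFilterRecord) @('1', '2')
```

A site that reports zero webgate.dll filters is served without the Webgate in its request path, so treat that finding as a protection gap rather than a cosmetic one.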

33.7.2 Setting the Impersonation DLL for Multiple Webgates

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates and IIS v6. You can add the impersonation DLL to the IIS configuration for individual Web sites.

The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf.

The Access System authenticates and authorizes the user. The IISImpersonationExtension.dll of Access Manager, configured as a wildcard extension, behaves like a filter for each request to the Web server. The Access System designates a special user that has the right to impersonate another user; you configure it with the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. The DLL impersonates the user authenticated and authorized by Access Manager and generates the impersonation token.
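
The "act as operating system" right is the Windows user right "Act as part of the operating system" (SeTcbPrivilege), so it is worth confirming that only the designated impersonation account holds it. The following PowerShell check is an added example, not Oracle code; it parses a `secedit` user-rights export, and the account names, sample lines, and function names are constructed for illustration.

```powershell
# Added example, not Oracle code. Accounts and export lines are constructed.

# Turn one export entry into an account name; entries starting with '*' are SIDs.
function Resolve-Holder([string]$Entry) {
    if (-not $Entry.StartsWith('*')) { return $Entry }   # already an account name
    $sid = $Entry.Substring(1)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }                                      # unresolvable: keep the raw SID
}

# List every holder of a user right from the [Privilege Rights] section.
function Get-UserRightHolder([string[]]$InfLines, [string]$Right = 'SeTcbPrivilege') {
    $pattern = '^\s*{0}\s*=\s*(.*)$' -f [regex]::Escape($Right)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match $pattern) {
            foreach ($e in $Matches[1].Split(',')) {
                $e = $e.Trim()
                if ($e) { Resolve-Holder $e }
            }
        }
    }
}

# Report any holder that is not on the allow list (comparison is case-insensitive).
function Test-TcbHolder([string[]]$InfLines, [string[]]$Allowed) {
    Get-UserRightHolder $InfLines | Where-Object { $Allowed -notcontains $_ } |
        ForEach-Object { "Unexpected SeTcbPrivilege holder: $_" }
}

# Constructed export in which a second account was also granted the right.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Privilege Rights]',
    'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20',
    'SeTcbPrivilege = EXAMPLE\wg_impersonator,EXAMPLE\helpdesk1',
    '[Version]', 'signature="$CHICAGO$"'
)
Test-TcbHolder $sample @('EXAMPLE\wg_impersonator')

# On the Web server, export the live policy first:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-TcbHolder (Get-Content "$env:TEMP\rights.inf") @('EXAMPLE\wg_impersonator')
```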

You perform the following steps to set the impersonation DLL for each Webgate that protects a Web site for a single IIS Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time.

Note:

This task must be performed for each Webgate that protects an individual Web site for a single IIS Web server instance.

To add the impersonation DLL:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
  2. Click the plus icon (+) beside the Local Computer icon in the left pane to display your Web Sites.
  3. Click Web Service Extensions in the left pane.
  4. Double-click Webgate in the right pane to open the Properties panel.
  5. Click the Required Files tab.
  6. Click Add.
  7. In the Path to file text box, type the full path to IISImpersonationExtension.dll, and then click OK. For example:
    Webgate_install_dir\access\oblix\apps\webgate\bin\IISImpersonationExtension.dll
    

    This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate.

  8. Verify that the Allow button beside the Webgate icon is grayed out, which indicates that the dll is allowed to run as a Web service extension.
  9. Right click the Web site name, and then click Properties.
  10. Click the Home Directory tab, and then click the Configuration button.
  11. In the list box for Wildcard application maps, click the entry for IISImpersonationExtension.dll to highlight it, then click Edit.
  12. Ensure that the box is unchecked, and then click OK.
  13. Repeat these steps for each Webgate and Web site pair for the IIS Web server instance.
  14. Proceed as follows:

33.7.3 Enabling SSL and Client Certification for Multiple Webgates

You can enable SSL on the IIS v6 Web server and add cert_authn.dll as an ISAPI filter.

You perform this task to enable client certification for each Webgate that protects a Web site for a single IIS Web server instance. You can do this either immediately after adding the impersonation DLL to an individual Web site or all at one time.

Note:

Procedures in this topic apply equally to 32-bit and 64-bit Webgates, and IIS 6, unless stated otherwise.

If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters in the respective Web site.

To enable SSL on the IIS v6 Web server:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Expand the local computer icon to display your Web Sites.

  3. Expand the appropriate individual Web Site, then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties.

  5. In the Properties panel, select the File Security tab.

  6. In the Secure Communications sub-panel, click Edit.

  7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

  8. Click OK in the cert_authn.dll Properties panel.

  9. Repeat for each Webgate installed on this host.

  10. Proceed to the next task: "To add cert_authn.dll as an ISAPI filter".

To add cert_authn.dll as an ISAPI filter:

  1. Start the Internet Information Services console, if needed.
  2. Expand the local computer to display your Web Sites.
  3. Right click the appropriate Web Site to display the Properties panel.
  4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.
  5. Enter filter name "cert_authn".
  6. Click the Browse button and navigate to the following directory:

    \Webgate_install_dir\access\oblix\apps\webgate\bin

  7. Select cert_authn.dll as the executable.
  8. Click OK on the Filter Properties panel.
  9. Click Apply on the ISAPI Filters panel.
  10. Click OK.
  11. Repeat for each Webgate installed on this host.
  12. Ensure the filters are listed in the correct order.
  13. Proceed to "Confirming Multiple Webgate Installation".

33.7.4 Confirming Multiple Webgate Installation

This task applies equally to 32-bit and 64-bit Webgates, and IIS v6 Web servers. If you perform multiple Webgate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Access Manager behavior. The postgate.dll is not supported in environments where you have multiple Webgates configured with a single IIS v6 web server instance.