33.6 Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance

You can install and configure multiple Webgates for different Web sites on the same IIS 7 Web server instance. Several steps are manual and will differ from those that are performed when you install a single Webgate with a single IIS instance.

When installing multiple Webgates for a single IIS instance:

  • The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level.

  • The /access virtual directory is mapped at the Web site level to the respective /access directory in the Webgate installation.

When configuring the impersonation DLL for multiple Webgates, you need to configure a user to act as the operating system.

Task overview: Installing and configuring multiple Webgates for a single IIS 7 instance:

  1. Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
  2. Setting the Impersonation DLL for Multiple IIS 7 Webgates
  3. Enabling Client Certification for Multiple IIS 7 Webgates
  4. Configuring IIS 7 Webgates for Pass Through Functionality
  5. Confirming IIS 7 Webgate Installation
  6. Perform the following tasks, which are the same whether you install one or more Webgates per IIS Web server instance:

33.6.1 Installing Each IIS 7 Webgate in a Multiple Webgate Scenario

After installing the ISAPI Webgate, there are several manual steps to perform as described here. By default, webgate.dll is configured as an ISAPI filter at the host name (top) level. When installing multiple Webgates with a single IIS 7 instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each Webgate installation.

To install each Webgate when you have several with one IIS 7 instance:

  1. Install the ISAPI 7 Webgate.

    See Registering and Managing 10g WebGates with Access Manager 11g.

  2. Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps:

    1. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

    2. Select the hostname from the Connections pane.

    3. From the hostname Home pane, double-click ISAPI Filters, look for any Webgate.dll; if it is present, select it and click Remove from the Action pane.

    4. In the Connection pane, under Sites, click the name of the Web Site for which you want to configure a Webgate filter.

    5. In the Home pane, double-click ISAPI Filters.

    6. In the Actions pane, click Add…

    7. In the Filter name text box of the Add ISAPI Filter dialog box, type "Webgate" as name for the ISAPI filter.

    8. In the Executable box, type the file system path of the Webgate ISAPI filter file or click the ellipsis button (...) to go to the folder that contains the Webgate.dll ISAPI filter file, and then click OK.

      Webgate_install_dir\access\oblix\apps\webgate\bin\webgate.dll
      
  3. Creating a Virtual Directory:

    1. Expand the Sites pane and select the Web Site for which you just configured the ISAPI filter (Webgate.dll).

    2. On the Action pane, click View Virtual Directories and then select Add Virtual Directory.

    3. Specify access in the Alias text box, then type the physical path to the Webgate access folder or click the ellipsis button (...) to go to the "access" folder, and then click OK.

      Webgate_install_dir\access\
      
    4. Save and apply these changes.

  4. Setting permissions to the Virtual Directory:

    1. Select the "access" virtual directory created in Step 3.

    2. From the access Home pane, double click Handler Mappings; from the Action pane, select Edit Feature Permissions….

    3. Check boxes beside Read, Script, and Execute, then click OK.

  5. Setting Directory Permissions for Webgate:

    1. In Explorer, right click the Webgate installation directory Webgate_install_dir\access and select Properties.

    2. Click the Security tab and click the Edit button.

    3. Add user "IUSR", select "Allow" for "Modify".

    4. Add user "IIS_IUSRS", select "Allow" for "Modify".

    5. Add user "NETWORK", select "Allow" for "Modify".

    6. Add user "NETWORK SERVICE", select "Allow" for "Modify".

    7. For group "Administrators" select "Allow" for "Modify".

  6. Webgate in Simple or Cert Mode:

    1. In the file system, locate and right-click the "password.xml" file in Webgate_install_dir\access\oblix\config\password.xml, and select Properties.

    2. Click the Security tab.

    3. Give "Allow" for "Read" rights to users "IUSR", "NETWORK SERVICE", "IIS_WPG", "IIS_IUSRS".

  7. Ensure that there is no webgate.dll in the top level (the hostname level).

  8. Perform the next set of tasks using instructions in the following topics:

    1. "Setting the Impersonation DLL for Multiple IIS 7 Webgates"

    2. "Enabling Client Certification for Multiple IIS 7 Webgates"

  9. Repeat these steps when you install the next Webgate for the IIS instance.

33.6.2 Setting the Impersonation DLL for Multiple IIS 7 Webgates

The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf.

Access Manager authenticates and authorizes the user. The Access Manager IISImpersonationExtension.dll in the wildcard extension behaves like a filter for each request to the Web server. Access Manager designates a special user that has the right to impersonate another user; you configure this user with the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. The DLL impersonates the user authenticated and authorized by Access Manager and generates the impersonation token.

You perform the following steps to set the impersonation DLL for each Webgate that protects a Web site for a single IIS 7 Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time.

Note:

This task must be performed for each Webgate that protects an individual Web site for a single IIS Web server instance.

To add the impersonation DLL to the IIS 7 configuration for an individual Web site:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Add "IISImpersonationExtension.dll" as a Wildcard Script Map to the required Web Site:

    1. Expand Sites in the connection pane.

    2. Click the Web Site name to which you want to add IISImpersonationExtension.dll.

    3. Double click Handler Mappings from the selected Web Site's "home" pane.

    4. From the Action pane, click Add Wildcard Script Map.

    5. In the Name text box of the Add Wildcard Script Map dialog box, type "Oracle Impersonation Plugin" as name for the dll.

    6. In the Executable box, type the file system path of the Webgate IISImpersonationExtension.dll or click the ellipsis button (...) to go to the folder that contains IISImpersonationExtension.dll, and then click OK.

      Webgate_install_dir/access/oblix/apps/Webgate/bin/IISImpersonationExtension.dll
      

      This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate.

  3. Proceed as follows:

33.6.3 Enabling Client Certification for Multiple IIS 7 Webgates

You perform this task to enable client certification for each Webgate that protects a Web site for a single IIS 7 Web server instance.

You can do this either immediately after adding the impersonation DLL to an individual Web site or all at one time.

Note:

SSL should be enabled on the Web Site before configuring the client certification for Webgate. Follow these steps after the Web Site is SSL enabled.

If you select client certificate authentication during setup, you must also enable and then add the cert_authn.dll as one of the ISAPI filters in the respective Web site.

To enable cert_authn.dll on the IIS 7 Web server:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Expand Sites in the connection pane.

  3. Expand the Web Site to \access\oblix\apps\webgate\bin.

  4. Right click the "bin" directory and select Switch To Content View.

  5. Right click "cert_authn.dll" and, from the drop down menu, select Switch To Feature View.

  6. From the cert_authn.dll Home pane, double click SSL Settings.

  7. From the SSL Settings pane, select the Require SSL check box and select Accept from Client Certificates.

  8. Select Apply from Action pane.

  9. Repeat for each Webgate installed on this host, for which you want to enable client certification.

  10. Restart the IIS 7 Web server.

  11. Proceed to the next task: "To add cert_authn.dll as an ISAPI v7 filter".

To add cert_authn.dll as an ISAPI v7 filter:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
  2. Expand Sites in the connection pane.
  3. Click on the Web Site name for which you want to add "cert_authn.dll".
  4. In the Home pane, double-click ISAPI Filters.
  5. In the Actions pane, click Add.
  6. In the Filter name box of the Add ISAPI Filter dialog box, type Oracle Certification Authentication Plugin as name for the ISAPI filter.
  7. In the Executable box, type the file system path of the Webgate cert_authn.dll or click the ellipsis button (...) to go to the folder that contains cert_authn.dll, and then click OK.
    Webgate_install_dir/access/oblix/apps/Webgate/bin/cert_authn.dll 
    

    This example shows the default path, where Webgate_install_dir is the file system directory where you have installed this particular Webgate.

  8. Click View Ordered List from the Action pane and arrange the filters as shown here by using "Move Up" or "Move Down":

    cert_authn.dll
    webgate.dll

  9. Select Apply from Action pane.
  10. Repeat for each Webgate installed on this host, for which you want to enable client certification.
  11. Restart the IIS 7 Web server.
  12. Proceed as needed for your deployment:

33.6.4 Configuring IIS 7 Webgates for Pass Through Functionality

Here you will add Webgate.dll as a Wildcard Script Map to the required Web Site.

While configuring Webgate to work with pass through functionality, you must ensure that "Physical Path" of the Web sites on which you are installing Webgates differ. Otherwise, the changes in "Handler Mappings" are reflected in all the Web Sites sharing the same physical path.

Note:

"Physical Path" is the path that is provided at the time of creating the Web Site. To check this path after the Web Site has been created, click Basic Settings... in the Action pane; a window opens showing the physical path of the Web Site.

  • Click the Web Site name.

  • In the Action pane, click Basic Settings.

To configure for pass through functionality:

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Expand Sites in the connection pane.

  3. Click the Web Site name for which you want to enable pass through.

  4. Double click Handler Mappings from the selected Web Site's "home" pane.

  5. From the Action pane, click Add Wildcard Script Map.

  6. In the Name text box of the Add Wildcard Script Map dialog box, type Webgate as name for the ISAPI filter.

  7. In the Executable box, type the file system path of the Webgate ISAPI filter file (Webgate.dll) or click the ellipsis button (...) to go to the folder that contains the Webgate.dll ISAPI filter file, and then click OK.

    Webgate_install_dir/access/oblix/apps/Webgate/bin/Webgate.dll
    
  8. In the Access System Console:

    1. Locate the Web Gate profile and click Modify.

    2. Under User Defined Parameters, enter the following parameter and value:

      UseWebGateExtForPassthrough

      true

    3. Save the profile.

  9. Repeat for each Webgate installed on this host, for which you want to enable pass through.

  10. Restart the IIS 7 Web server.

  11. Proceed to the next task: "Confirming IIS 7 Webgate Installation".

33.6.5 Confirming IIS 7 Webgate Installation

You can confirm the IIS 7 Webgate installation.

To verify IIS 7 Webgate installation:

  1. Go to the URL:
         http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
    

    where hostname refers to the name of the computer hosting the Webgate; port refers to the Web server instance port number.

  2. The Webgate diagnostic page should appear.
    • Successful: If the Webgate diagnostic page appears, the Webgate is functioning properly and you can dismiss the page.

    • Unsuccessful: If the Webgate diagnostic page does not open, the Webgate is not functioning properly. In this case, the Webgate should be uninstalled and reinstalled. For more information about removing Access Manager see Chapter 22, then return to the chapter on installing a Webgate.
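
The diagnostic page confirms that one Webgate responds; it does not confirm the filter layout that 33.6.1 (step 7) and 33.6.3 (step 8) require across all sites. The following PowerShell check is an added example, not part of the Oracle documentation: the function names are hypothetical, the install paths in the sample are constructed, and reading live data assumes the WebAdministration module is installed.

```powershell
# Added example, not Oracle code. Function names are hypothetical.
function Get-IsapiFilterPath([string]$PSPath) {
    # Filter DLL paths, in configured order, as seen at one configuration path.
    Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath $PSPath |
        ForEach-Object { $_.path }
}

function Test-WebgateFilterLayout([string[]]$ServerFilters, $SiteFilters) {
    $findings = @()
    # 33.6.1 step 7: no webgate.dll at the hostname (top) level.
    if (@($ServerFilters) -match '[\\/]webgate\.dll$') {
        $findings += 'server level: webgate.dll is registered; remove it'
    }
    $owner = @{}   # webgate.dll path -> first site seen using it
    foreach ($site in $SiteFilters.Keys) {
        $paths = @($SiteFilters[$site])
        $names = @($paths | ForEach-Object { ($_ -split '[\\/]')[-1].ToLower() })
        $wg    = [array]::IndexOf($names, 'webgate.dll')
        $cert  = [array]::IndexOf($names, 'cert_authn.dll')
        if ($wg -lt 0) {
            $findings += '{0}: no webgate.dll ISAPI filter at site level' -f $site
            continue
        }
        # 33.6.3 step 8: cert_authn.dll is ordered before webgate.dll.
        if ($cert -gt $wg) {
            $findings += '{0}: cert_authn.dll is ordered after webgate.dll' -f $site
        }
        # Assumption: each site points at its own Webgate installation directory.
        $key = ($paths[$wg] -replace '/', '\').ToLower()
        if ($owner.ContainsKey($key)) {
            $findings += '{0}: shares webgate.dll with {1}' -f $site, $owner[$key]
        } else { $owner[$key] = $site }
    }
    $findings
}

# Constructed sample (install paths are made up) so the check runs without IIS.
$server = @('D:\wg_a\access\oblix\apps\webgate\bin\webgate.dll')
$sites  = @{
    'SiteA' = @('D:\wg_a\access\oblix\apps\webgate\bin\webgate.dll')
    'SiteB' = @('D:\wg_b\access\oblix\apps\webgate\bin\webgate.dll',
                'D:\wg_b\access\oblix\apps\webgate\bin\cert_authn.dll')
}
Test-WebgateFilterLayout $server $sites

# Live data, from an elevated shell after Import-Module WebAdministration:
#   $server = Get-IsapiFilterPath 'MACHINE/WEBROOT/APPHOST'
#   $sites  = @{}; Get-Website | ForEach-Object {
#       $sites[$_.Name] = Get-IsapiFilterPath "IIS:\Sites\$($_.Name)" }
```

With the constructed sample the check reports the leftover server-level webgate.dll and the wrong filter order on SiteB. A site-level query returns inherited server-level filters as well, so clear the server-level finding first and then re-run.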