33.2 About WebGate Guidelines for IIS Web Servers

ISAPI is an Internet Web server extension that the WebGate uses to communicate with the IIS Web server.

For example, you will need the following package to install the WebGates for IIS:

Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_Webgate

64-bit Webgate: Oracle_Access_Manager10_1_4_3_0_Win64_ISAPI_Webgate.exe

Updating the IIS Web server configuration file is required when installing Webgates. With IIS Web servers, a configuration update involves updating the Web server directly by adding the ISAPI filter and creating extensions required by Access Manager. A filter listens to all requests to the site on which it is installed. Filters can examine and modify both incoming and outgoing streams of data to enhance IIS functionality. ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and HTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the URL namespace that is served by IIS.

Oracle recommends that you update the IIS Web server configuration file automatically during Webgate installation. Automatic updates may take more than a minute. However, updating the IIS Web server configuration file manually takes longer and could introduce unintended errors.

For more specific guidelines, see:

33.2.1 About Guidelines for ISAPI WebGates

General WebGate preparation and installation details apply to ISAPI WebGates. Additionally, this topic provides specific guidelines for ISAPI WebGates installed with an IIS Web server.

You can install multiple WebGates with a single IIS Web server instance or you might have a 64-bit WebGate.

Note:

Unless explicitly stated, details apply equally to 32-bit and 64-bit Webgates.

Lockdown Mode: Before installing the WebGate, ensure that your IIS Web server is not in lockdown mode. Otherwise, things will appear to be working until the server is rebooted and the metabase is re-initialized, at which time IIS will disregard activity that occurred after the lockdown.

Permissions: Setting various permissions for the /access directory is required for IIS Webgates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI Webgate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

Virtual Hosts: Each IIS Virtual Web server can have its own Webgate.dll file installed at the virtual level, or can have one Webgate affecting all sites installed at the site level. Either install the Webgate.dll at the site level to control all virtual hosts or install the Webgate.dll for one or all virtual hosts.

postgate.dll: You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \Webgate_install_dir, as described in "Installing the Postgate ISAPI Filter". If you perform multiple installations, multiple versions of this file may be created, which may cause unusual Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist.

Note:

The postgate.dll is always installed at the site level. If for some reason the Webgate is reinstalled, the postgate.dll is also reinstalled. In this case, ensure that only one copy of the postgate.dll exists at the site level.
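One way to carry out the "only one webgate.dll and one postgate.dll" check described above is the PowerShell inventory below. It is an added example, not part of the Oracle documentation or installer; the `$SearchRoots` default is an assumption, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example (not Oracle tooling). $SearchRoots is an assumption: point it
# at the directories or volumes where a Webgate may have been installed.
param([string[]]$SearchRoots = @('C:\'))

$names = 'webgate.dll', 'postgate.dll'

# Collect every copy with the details needed to tell builds apart.
$found = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name.ToLowerInvariant()
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Modified    = $_.LastWriteTime
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# One row per copy, annotated with whether the copies are the same build.
$report = foreach ($name in $names) {
    $copies = @($found | Where-Object { $_.Name -eq $name })
    $builds = @($copies | Group-Object SHA256).Count
    $status = 'ok'
    if ($copies.Count -gt 1) {
        $status = if ($builds -eq 1) { 'duplicate, same build' } else { 'duplicate, different builds' }
    }
    $copies | Select-Object Name, @{n='Status';e={$status}}, FileVersion, Modified, Path, SHA256
}

$report | Sort-Object Name, Path | Format-Table -AutoSize -Wrap
```

Where several Webgates are deliberately installed on one IIS instance, more than one webgate.dll is expected; the `different builds` status is the one to investigate, since it indicates leftover files from an earlier installation.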

Updating Web Server Configuration for Webgate: As with other Webgates, your Web server must be configured to operate with the Webgate. Oracle recommends automatically updating your Web server configuration during installation. However, you can decline the automatic update and instead manually configure your Web server.

See "Registering a 10g WebGate with Access Manager 11g Remotely".

FAT32 file system: You may receive special instructions to perform during Webgate installation. For example: Setting various permissions for the /access directory is required for IIS Webgates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions can be ignored.

SSL and Client Certificate Authentication: On IIS, if you are using client certificate authentication you must enable SSL on the IIS Web server hosting the Webgate before enabling client certificates for Webgate. You must also ensure that various filters are installed in a particular order. In addition, you may need to install the postgate.dll as an ISAPI filter.

Web Server Releases: Web server details in this chapter apply to the stated release. If the release is not stated, you can presume it is IIS v5. Details specific to IIS v6 or IIS v7 are identified.

32-bit versus 64-bit Webgates: Unless explicitly stated, all information applies equally to both 32-bit and 64-bit Webgates.

General Webgate Preparation and Installation Details: Refer to this chapter for IIS-specific guidelines. Refer to Registering and Managing 10g WebGates with Access Manager 11g for general preparation and installation details.

Completing and Confirming Webgate Installation: Perform tasks relevant to your ISAPI Webgate and IIS version:

33.2.1.1 Webgates for IIS v7

General guidelines and Webgate installation are usually the same regardless of the IIS release for which you plan to install a Webgate.

33.2.1.2 Webgates for IIS v6

General guidelines and Webgate installation are usually the same regardless of the IIS release for which you plan to install a Webgate.

However, there are several topics of interest.

Multiple Webgates with a Single IIS 6 Instance: IIS v6.0 supports hosting multiple Web sites on a single Web server instance and ISAPI Webgate allows you to protect each Web site with a different Webgate.

64-bit IIS v6 Webgate: Perform installation as you do for all others, using instructions available in Registering and Managing 10g WebGates with Access Manager 11g. If you choose manual Web server configuration during Webgate installation, you can access details in the following path:

Webgate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm

Following Webgate installation and IIS configuration, perform tasks in "Finishing 64-bit Webgate Installation".

Earlier Release Webgate Installations: Previously Oracle recommended that you install Webgate in the same physical directory location as Policy Manager. This required a virtual directory named "access" for both Policy Manager and Webgate, which is mapped to the physical location of both Policy Manager and Webgate.

Note:

You can install Webgate 10g (10.1.4.3) for IIS in any location, separate from that of Policy Manager.

33.2.1.3 De-coupling an Earlier Webgate/Policy Manager

If you have an earlier, combined Webgate and Policy Manager installation, you can de-couple the components.

To de-couple an earlier Webgate/Policy Manager:

  1. Uninstall any patches applied to the earlier Webgate and Policy Manager, if any.
  2. Uninstall the earlier Policy Manager and Webgate combination.
  3. Install Policy Manager 10g (10.1.4.3).
  4. In a separate directory location, install Webgate 10g (10.1.4.3).

33.2.1.4 Multiple Webgates with a Single IIS 6 Instance

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates.

IIS v6.0 supports hosting multiple Web sites on a single Web server and ISAPI Webgate allows you to protect each Web site with a different Webgate.

Note:

Previous ISAPI Webgate releases did not support multiple Webgates with a single IIS Web server instance. You either had to install one Webgate for all Web sites at the top level, or protect a single Web site by configuring Webgate at the Web site level.

IIS 6 provides application pools that are used to run virtual servers. You can think of an application pool as a group of one or more URLs that are served by a worker process or a set of worker processes. An application pool is a configuration that links one or more applications to a set of one or more worker processes. Because applications in this pool are separated from other applications by worker process boundaries, an application in one application pool is not affected by problems caused by applications in other application pools. Today, Webgate instances can run in different process spaces.

When you have multiple Web sites on a single IIS v6.0 Web server instance, you need to ensure that user requests reach the correct Web site. To do this, you need to configure a unique identity for each site on the server using at least one of the following unique identifiers:

  • Host header name

  • IP address

  • TCP port number

Note:

If you have multiple Web sites on a single server and these are distinguished by IP address and port, multiple Webgates are not required. Starting with release 10.1.4.2.0, virtual hosts on Apache and IIS 6.0 are supported. As a result, a single Webgate on the top level can protect all the Web sites even if the IP addresses are different. This is handled by using different Host Identifiers for each Web site.
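The unique-identity requirement above can be checked before Webgates are assigned to sites. The following PowerShell function is an added example, not from the Oracle documentation: it takes each site's bindings in the IIS `IP:Port:HostHeader` form and reports any identity shared by more than one site. The function name, site names and binding values are constructed for illustration, and IPv4 addresses are assumed.

```powershell
# Added example. Binding strings use the IIS "IP:Port:HostHeader" form;
# the site names and values below are constructed sample data.
function Find-SiteIdentityCollision {
    param([Parameter(Mandatory = $true)][hashtable]$SiteBindings)

    $rows = foreach ($site in $SiteBindings.Keys) {
        foreach ($binding in $SiteBindings[$site]) {
            # IPv4 or empty/* address, numeric port, optional host header.
            if ($binding -notmatch '^(?<addr>[^:]*):(?<port>\d+):(?<hdr>.*)$') {
                Write-Warning "Site '$site': cannot parse binding '$binding'"
                continue
            }
            # An empty address means "all unassigned"; treat it like '*'.
            $addr = if ($Matches['addr']) { $Matches['addr'] } else { '*' }
            # Host headers are compared case-insensitively.
            $hdr  = ([string]$Matches['hdr']).ToLowerInvariant()
            [pscustomobject]@{
                Site     = $site
                Identity = '{0}:{1}:{2}' -f $addr, $Matches['port'], $hdr
            }
        }
    }

    # Two different sites with the same identity triple cannot be told apart.
    $rows | Group-Object Identity | ForEach-Object {
        $sites = @($_.Group | Select-Object -ExpandProperty Site | Sort-Object -Unique)
        if ($sites.Count -gt 1) {
            [pscustomobject]@{ Identity = $_.Name; Sites = $sites -join ', ' }
        }
    }
}

$sample = @{
    'HR'    = @(':80:hr.example.com')
    'Sales' = @(':80:sales.example.com', '10.0.0.5:8080:')
    'Test'  = @('*:80:HR.example.com')   # collides with HR
}

Find-SiteIdentityCollision -SiteBindings $sample | Format-Table -AutoSize
```

With the sample data, the only row returned is the identity `*:80:hr.example.com` shared by HR and Test; requests for that host header could reach a site protected by a different Webgate than intended.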

You can install multiple Webgates on different Web sites of the same IIS Web server instance. However, several manual steps are required.