33.5 Completing Webgate Installation with IIS

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates.

Completing Webgate installation with an IIS Web server includes the following activities after the installation has been completed.

Task overview: Completing IIS Webgate:

  1. Enabling Client Certificate Authentication on the IIS Web Server
  2. Ordering the ISAPI Filters
  3. Enabling Pass-Through Functionality for POST Data
  4. Protecting a Web Site When the Default Site is Not Setup

33.5.1 Enabling Client Certificate Authentication on the IIS Web Server

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. If you are using client certificate authentication, you must enable SSL on the IIS Web server. If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters.

Note:

The procedures here reflect the sequence for IIS v5. Your environment might be different.

To enable SSL on the IIS Web server:

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Expand the Default Web Site (or the appropriate Web site), then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties.

  5. In the Properties panel, select the File Security tab.

  6. In the Secure Communications sub-panel, click Edit.

  7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

  8. Click OK in the cert_authn.dll Properties panel.

  9. Proceed to the next procedure: "To add cert_authn.dll as an ISAPI filter".

To add cert_authn.dll as an ISAPI filter:

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
  2. Expand the local computer to display your Web Sites.
  3. Right click the appropriate Web Site to display the Properties panel.
  4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.
  5. Enter filter name "cert_authn".
  6. Click the Browse button and navigate to the following directory:

    \Webgate_install_dir\access\oblix\apps\webgate\bin

  7. Select cert_authn.dll as the executable.
  8. Click OK on the Filter Properties panel.
  9. Click Apply on the ISAPI Filters panel.
  10. Click OK.
  11. Ensure the filters are listed in the correct order.

33.5.2 Ordering the ISAPI Filters

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates. It is important to ensure that the Webgate ISAPI filters are included in the right order.

Note:

This task is the same whether you are installing one or more Webgates per IIS Web server instance.

To order the Webgate ISAPI filters:

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
  2. Expand the local computer to display your Web Sites.
  3. Right-click the Web Site and select Properties.
  4. Click Properties, select ISAPI filters.
  5. Confirm the following .dll files appear.

    For example:

    cert_authn.dll
    webgate.dll

  6. Add any missing filters, if needed, and then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5.

    WARNING:

    Confirm that there is only one webgate.dll and one postgate.dll filter. If you perform multiple Webgate installations on one computer, multiple versions of the postgate.dll file might be created and cause unusual Access Manager behavior.

33.5.3 Enabling Pass-Through Functionality for POST Data

This section describes how to set up the Webgate in conjunction with IIS 6.0 Worker Process Isolation Mode. It also covers the configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode.

Note:

This section supersedes information in "Installing Postgate.dll on IIS Web Servers" in the 10g . For the IIS 5.0 Web server, the existing functionality using postgate.dll continues to be supported.

Follow these tasks to enable pass-through functionality for POST Data:

33.5.3.1 About ISAPI Webgate 10.1.4.2.3

Starting with ISAPI Webgate release 10.1.4.2.3, Access Manager pass-through functionality is supported with IIS 6.0 running in a Worker Process Isolation Mode. ISAPI Webgate 10.1.4.2.3 also operates with IIS 6.0 running in IIS 5.0 Isolation Mode using postgate.dll.

Note:

Oracle recommends using Worker Process Isolation Mode for new or existing implementations. Worker Process Isolation Mode is a default setting for the IIS 6.0 Web server. For the IIS 5.0 Web server, the existing functionality (using postgate.dll) continues to be supported.

This section describes how to set up ISAPI Webgate release 10.1.4.2.3 in conjunction with IIS 6.0 Worker Process Isolation Mode. It also provides configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode. This section supersedes information in Section 19-6 (Installing Postgate.dll on IIS Web Servers) of the .

33.5.3.2 About Pass-Through Functionality for POST Data

POST data is required for pass through during a form login on the IIS Web server when using the Webgate extension method (where the Webgate is the action of the form).

In other words, if a form authentication scheme on the IIS Web server is configured with the pass-through option, and the target of the login form requires the data posted by the form, the Webgate extension method (where the Webgate DLL is the action of the form) cannot be used. The Webgate filter method (where the action of the form is a protected URL that is not the Webgate DLL) must be used instead, and, depending on the IIS version, either postgate.dll must be installed or webgate.dll must be configured as an ISAPI extension.

IIS 6.0 in Worker Process Isolation Mode: webgate.dll must be configured as an ISAPI filter and also as an ISAPI extension to achieve pass-through functionality. (This does not apply to ISA server integration.) Pass-through functionality is supported with 10.1.4.2.3 and higher ISAPI Webgates. However, you must also set a new user-defined parameter "UseWebGateExtForPassthrough" to true in the Webgate configuration profile in the Access System Console.

IIS 5.0 or IIS 6.0 running in IIS 5.0 Isolation Mode: postgate.dll must be configured as an ISAPI filter to achieve the pass-through functionality.

33.5.3.3 Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode

You can implement Pass-Through Functionality with IIS 6.0 Web Server in Worker Process Isolation Mode.

Task overview:

  1. Install Webgate as described in "Locating and Installing the Latest 10g WebGate for Access Manager 11g".
  2. Set the pass-through parameter as described in "Setting the UseWebGateExtForPassthrough Parameter in the Webgate Profile".
  3. Configure webgate.dll as described in "Configuring webgate.dll as an ISAPI Extension".

33.5.3.3.1 Setting the UseWebGateExtForPassthrough Parameter in the Webgate Profile

You must set the new user-defined parameter, UseWebGateExtForPassthrough, in the Webgate profile to implement pass-through functionality with the IIS 6.0 Web server in Worker Process Isolation Mode.

You must set UseWebGateExtForPassthrough to true. If this parameter is set to false, pass-through functionality does not work.

See Also:

"IIS Web Server Issues"

To set the UseWebGateExtForPassthrough Parameter in the WebGate Profile:

  1. Launch the Access System Console and click Application Security.
  2. Click Agents.
  3. Enter your search criteria for the WebGate, and then click Search.
  4. In the Search Results table, click a WebGate name.
  5. Locate the User Defined Parameters section of the Access/WebGate Gate page, enter the following parameter, and click Apply.

    Parameter: UseWebGateExtForPassthrough

    Value: true

  6. Click Apply if you want to add more user-defined parameters.
  7. Repeat for each WebGate in your deployment.
  8. Proceed to "Configuring webgate.dll as an ISAPI Extension".

33.5.3.3.2 Configuring webgate.dll as an ISAPI Extension

The webgate.dll is part of the Webgate installation. You can configure webgate.dll as an ISAPI extension.

This task must also be performed to implement pass-through functionality with IIS 6.0 Web Server in Worker Process Isolation Mode.

Note:

You can have multiple webgate.dlls configured at different website levels from the top level Web Sites. In this case, you also need to configure webgate.dll as an ISAPI extension for each website protected by Webgate.

To configure webgate.dll as an ISAPI extension:

  1. Go to websites, right click, and select Properties.
  2. In the Properties dialog box, select the Home Directory tab.
  3. Click the Configurations button to open the Application Configurations dialog box.
  4. In Wild Card Application Maps, click the Insert button.
  5. Provide the path to webgate.dll. For example:
    Webgate_install_dir/access/oblix/apps/webgate/bin/webgate.dll
    
  6. Uncheck the "verify that file exists" box.
  7. Confirm and finalize the changes: click OK, then click OK again; click Apply, and then click OK.
  8. Stop the IIS Administration Server from Services and restart the IIS Web server.

33.5.3.4 Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode

You can implement Pass-Through Functionality with IIS 6.0 Web Server in IIS 5.0 Isolation Mode.

The following steps outline this task.

Note:

Skip this task if you are using IIS 6.0 Web server in Worker Process Isolation Mode.

Task overview:

  1. Install Webgate.
  2. Set up IIS 6.0.
  3. Install postgate.dll.

33.5.3.4.1 Setting Up IIS 6.0 Web Server in IIS 5.0 Isolation Mode

When IIS 6.0 Web server is used, you can set up the WWW Service to run in IIS 5.0 Isolation Mode. This is required by the ISAPI postgate filter.

The following information is updated for the 10.1.4.2.3 Webgate.

To set IIS 5.0 isolation on IIS 6 Web servers:

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
  2. Expand the local computer to display your Web Sites.
  3. Right-click the Web Site and select Properties.
  4. Select the Service tab in the Web Site Properties window.
  5. Check the box beside Run WWW service in IIS 5.0 Isolation Mode.
  6. Click OK.
  7. Proceed with "Installing the Postgate ISAPI Filter".

33.5.3.4.2 Installing the Postgate ISAPI Filter

For single Webgate installations, you need to install the filters in the following order.

The following information is updated for the 10.1.4.2.3 Webgate.

  • The ISAPI Webgate filter needs to be installed after the sspifilt filter and before any others.

  • The postgate filter needs to be installed before the Webgate filter, only if needed.

  • All other Access Manager filters can be installed at the end.

    Note:

    Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters.

You can have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. If you perform multiple Webgate installations on one computer, multiple versions of the postgate.dll file can be created, which might cause unusual Access Manager behavior. There can only be one postgate.dll configured at the (top) Web Sites level of a computer.

Note:

postgate.dll is not supported when you have more than one Webgate installed and configured for a single IIS Web server instance.

The following procedures serve as a guide when you install and position the postgate ISAPI filter with a single Webgate installed and a single IIS Web server instance.

To install the postgate ISAPI filter:

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Select the ISAPI Filters tab in the Web Site Properties window.

  5. Click the Add button to display the Filter Properties panel.

  6. Enter the filter name "postgate".

  7. Click the Browse button and navigate to the following directory:

    \Webgate_install_dir\access\oblix\apps\webgate\bin

  8. Select postgate.dll as the executable.

  9. Click OK on the Filter Properties panel.

  10. Click Apply on the ISAPI Filters panel.

  11. Reposition the postgate ISAPI filter, as follows:

    1. Start the Internet Information Services console, if needed.

    2. Right-click your local computer, then select All Tasks, select Restart IIS.

    3. Select the ISAPI Filters tab on the Properties panel.

    4. Select the postgate filter and move it before Webgate, using the up arrow.

      For example:

      postgate.dll
      webgate.dll

    5. Restart IIS.

      Note:

      Consider using net stop iisadmin and net start w3svc to help ensure that the Metabase does not become corrupted.
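The filter-ordering rules in "Ordering the ISAPI Filters" and in this section can be checked mechanically once the filter list is written down in load order. The following is an added example, not Oracle code: the function name, the sample filter lists and the drive letters are constructed, and how you export the list from IIS is left to you. It checks only the relative order of sspifilt, postgate, cert_authn and webgate, plus the one-webgate.dll and one-postgate.dll rule.

```python
import ntpath  # parses Windows paths on any platform

# Filters that, when present, must load before webgate.dll (33.5.2, 33.5.3.4.2).
MUST_PRECEDE_WEBGATE = ("sspifilt.dll", "postgate.dll", "cert_authn.dll")
# The WARNING in 33.5.2 allows exactly one of each of these.
SINGLETONS = ("webgate.dll", "postgate.dll")


def audit_filter_order(filters):
    """filters: (filter_name, dll_path) tuples in load order, first loads first.
    Returns a list of findings; an empty list means the order passes."""
    dlls = [ntpath.basename(path).lower() for _name, path in filters]
    findings = []
    for dll in SINGLETONS:
        paths = [filters[i][1] for i, d in enumerate(dlls) if d == dll]
        if len(paths) > 1:
            findings.append(f"duplicate {dll}: " + "; ".join(paths))
    if "webgate.dll" not in dlls:
        findings.append("webgate.dll is not registered as a filter")
        return findings
    webgate_pos = dlls.index("webgate.dll")  # first webgate entry
    for dll in MUST_PRECEDE_WEBGATE:
        if any(d == dll and i > webgate_pos for i, d in enumerate(dlls)):
            findings.append(f"{dll} is listed after webgate.dll")
    return findings


# Constructed sample data; the drive letters and install directories are made up.
BIN = r"D:\Webgate_install_dir\access\oblix\apps\webgate\bin"
GOOD = [
    ("sspifilt", r"C:\WINDOWS\system32\inetsrv\sspifilt.dll"),
    ("postgate", BIN + r"\postgate.dll"),
    ("cert_authn", BIN + r"\cert_authn.dll"),
    ("webgate", BIN + r"\webgate.dll"),
]
BAD = [
    ("sspifilt", r"C:\WINDOWS\system32\inetsrv\sspifilt.dll"),
    ("webgate", BIN + r"\webgate.dll"),
    ("postgate", BIN + r"\postgate.dll"),
    ("postgate-old", r"D:\old_install\access\oblix\apps\webgate\bin\postgate.dll"),
]

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_filter_order(sample) or "ok")
```

Duplicates are matched on the DLL file name rather than the filter name, because a second installation can register the same DLL under a different filter name.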

33.5.4 Protecting a Web Site When the Default Site is Not Setup

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit Webgates. When you install a Webgate on an IIS Web server that does not have the "Default Web Site" configured, the installer does not create "Virtual Directory access", which must be done manually.

To protect a Web Site (not the default site):

  1. Start the Internet Information Services console, if needed.
  2. Select the name of the Web site to protect.
  3. Right-click the name of the Web site to protect and select New, and then select Virtual Directory in the menu.
  4. Click Next.
  5. Select Alias: access, then click Next.
  6. Directory: Enter the full path to the /access directory, then click Next.

    Webgate_install_dir\access

  7. Select Read, Run Scripts, and Execute, then click Next.
  8. Click Finish.
  9. Restart IIS.

    For example:

    • Select Start, then Run.
    • Type net start w3svc.
    • Click OK.