Thursday, 11 December 2014

Configuring DCC Webgate 11g with IIS7.5 on Windows 2008 R2

 Pre-requisites:

  1. IIS Server Role is already added: In case not follow Configure IIS Server Role
  2. IIS Site is created: 
    1. IIS Site Global Configuration IIS
    2. New Site Creation
  3. IIS R2PS2 Webgate is installed & configured with the IIS Sites: Configure IIS R2PS2 Webgate 11g

Let's start the process:

  • Open OAM Console : http://host:port/oamconsole
  •  Create Webgate Agent Profile:
    • We need to create 2 profiles: One is the resource webgate profile & other is DCC webgate profile.
  •  Create Resource Webgate Profile: rwg-9090
Note: I have configured my OAM Server in Simple Mode, that's why security mode is chosen as 'simple'.
  • Create DCC Webgate Profile: dcc-9091
Note: Once you have created  the profile, to make it DCC we need to tick the detached credential collector flag.
    • Once done the change, click apply to reflect the changes.
  •  Now we need to add resources to with the DCC profile just created:
    • We need to add a few excluded resources, so that no authentication/authorization is made for them.
    •  Select the dcc-9091 profile:
    •  Let's create excluded resource:

    •  We have created following excluded resources:
      • /favicon.ico
      • /oamsso-bin/login.pl
      • /oamsso/** - Note this is an additional resource to be excluded as for IIS this needs to be excluded. Other wise for other servers it is not required.
  •  Now we need to create a DCC Authentication Scheme: This scheme will be used by resource webgate & dcc webgate both.



  • Now we need to attach the both created authn scheme with the profiles:





  •  You can see that i have created 2 IIS sites & webgate is already configured with both of them.
  • Now copy the artifacts to the webgate instance directory in the respective resource & dcc webgate sites.
    • In our setup: we have rwg-9090 for resource webgate & dcc-9091 for dcc webgate.
  • Once done, restart the IIS Server: using the command 'iisreset'. 
  • Now access the protected resource webgate url:
          http://host:9090/welcome.html
    • Did you noticed you get this login page, having url as http://host:9091/oamsso-bin/login.pl
    • This is the challenge url that we have mentioned in the dcc authn scheme.
    • With DCC webgate in picture, the oam server ip port is mot visible to the end user, that's why it is a detached credential collector. It has detached the credential collection process from the OAM Server.
    • Now it is the DCC which creates OAP/NAP connections with OAM Server.


This end's the DCC Webgate Configuration with IIS 7.5/8.5 on Windows 2008 R2.

Enjoy :-)

No comments:

Post a Comment