Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit Webgates.
See Also:
As needed, see:
If you have IIS v7, Oracle recommends the following topics:
Completing Webgate installation with an IIS Web server, includes the following activities after the installation has been completed.
Task overview: Completing IIS Webgate:
Note:
The procedures here reflect the sequence for IIS v5. Your environment might be different.
To enable SSL on the IIS Web server:
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Expand the Default Web Site (or the appropriate Web site), then expand \access\oblix\apps\webgate\bin.
Right click cert_authn.dll and select Properties.
In the Properties panel, select the File Security tab.
In the Secure Communications sub-panel, click Edit.
In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.
Click OK in the cert_authn.dll Properties panel.
Proceed to the next procedure: "To add cert_authn.dll as an ISAPI filter".
To add cert_authn.dll as an ISAPI:
Note:
This task is the same whether you are installing one or more Webgates per IIS Web server instance.
To order the Webgate ISAPI filters:
You can set up the Webgate in conjunction with IIS 6.0 Worker Process Isolation Mode. They also cover configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode.
Note:
This section supersedes information in "Installing Postgate.dll on IIS Web Servers" in the 10g . For the IIS 5.0 Web server, the existing functionality using postgate.dll continues to be supported.
Follow these tasks to enable pass-through functionality for POST Data:
Starting with ISAPI Webgate release 10.1.4.2.3, Access Manager pass-through functionality is supported with IIS 6.0 running in a Worker Process Isolation Mode. ISAPI Webgate 10.1.4.2.3 also operates with IIS 6.0 running in IIS 5.0 Isolation Mode using postgate.dll.
Note:
Oracle recommends using Worker Process Isolation Mode for new or existing implementations. Worker Process Isolation Mode is a default setting for the IIS 6.0 Web server. For the IIS 5.0 Web server, the existing functionality (using postgate.dll) continues to be supported.
This section describes how to set up ISAPI Webgate release 10.1.4.2.3 in conjunction with IIS 6.0 Worker Process Isolation Mode. It also provides configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode. This section supersedes information in Section 19-6 (Installing Postgate.dll on IIS Web Servers) of the .
POST data is required for pass through during a form login on the IIS Web server when using the Webgate extension method (where the Webgate is the action of the form).
In other words, if a form authentication scheme on the IIS Web server is configured with the pass-through option, and the target of the login form requires the data posted by the form, the Webgate extension method (where the Webgate DLL is the action of the form) cannot be used. The Webgate filter method (where the action of the form is a protected URL that is not the Webgate DLL) must be used instead, and based on IIS version, the postgate.dll must be installed or configure webgate.dll as ISAPI extension.
IIS 6.0 in Worker Process Isolation Mode: webgate.dll must be configured as an ISAPI filter and also as an ISAPI extension to achieve pass-through functionality. (This does not apply to ISA server integration.) Pass-through functionality is supported with 10.1.4.2.3 and higher ISAPI Webgates. However, you must also set a new user-defined parameter "UseWebGateExtForPassthrough" to true in the Webgate configuration profile in the Access System Console.
IIS 5.0 or IIS6.0 running in IIS 5.0 Isolation Mode: postgate.dll must be configured as an ISAPI filter to achieve the pass-through functionality.
You can implement Pass-Through Functionality with IIS 6.0 Web Server in Worker Process Isolation Mode.
Task overview:
You must set the new user-defined parameter, UseWebGateExtForPassthrough, in the Webgate profile to implement pass-through functionality with the IIS 6.0 Web server in Worker Process Isolation Mode.
You must set: UseWebGateExtForPassthrough to true. If this parameter is set to false, pass-through functionality does not work.
See Also:
To set the UseWebGateExtForPassthrough Parameter in the WebGate Profile:
The webgate.dll is part of the Webgate installation. You can configure webgate.dll as an ISAPI extension.
This task must also be performed to implement pass-through functionality with IIS 6.0 Web Server in Worker Process Isolation Mode.
Note:
You can have multiple webgate.dlls configured at different website levels from the top level Web Sites. In this case, you also need to configure webgate.dll as an ISAPI extension for each website protected by Webgate.
To configure webgate.dll as an ISAPI extension:
You can implement Pass-Through Functionality with IIS 6.0 Web Server in IIS 5.0 Isolation Mode.
The following steps outline this task.
Note:
Skip this task if you are using IIS 6.0 Web server in Worker Process Isolation Mode.
Task overview:
When IIS 6.0 Web server is used, you can set up the WWW Service to run in IIS 5.0 Isolation Mode. This is required by the ISAPI postgate filter.
The following information is updated for the 10.1.4.2.3 Webgate.
To set IIS 5.0 isolation on IIS 6 Web servers
For single Webgate installations, you need to install the filters in the following order.
The following information is updated for the 10.1.4.2.3 Webgate.
The ISAPI Webgate filter needs to be installed after the sspifilt filter and before any others.
The postgate filter needs to be installed before the Webgate filter, only if needed.
All other Access Manager filters can be installed at the end.
Note:
Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters.
You can have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. If you perform multiple Webgate installations on one computer, multiple versions of the postgate.dll file can be created which might cause unusual Access Manager behavior. There can only be one postgate.dll configured at the (top) Web Sites level of a computer
Note:
postgate.dll is not supported when you have more than one Webgate installed and configured for a single IIS Web server instance.
The following procedures serve as a guide when you install and position the postgate ISAPI filter with a single Webgate installed and a single IIS Web server instance.
To install all the postgate ISAPI:
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Right-click the Web Site and select Properties.
Select the ISAPI Filters tab in the Web Site Properties window.
Click the Add button to display the Filter Properties panel.
Enter the filter name "postgate".
Click the Browse button and navigate to the following directory:
\Webgate_install_dir\access\oblix\apps\webgate\bin
Select postgate.dll as the executable.
Click OK on the Filter Properties panel.
Click Apply on the ISAPI Filters panel.
Reposition the postgate ISAPI filter, as follows:
Start the Internet Information Services console, if needed.
Right-click your local computer, then select All Tasks, select Restart IIS.
Select the ISAPI Filters tab on the Properties panel.
Select the postgate filter and move it before Webgate, using the up arrow.
For example:
postgate.dll webgate.dll
Restart IIS.
Note:
Consider using net stop iisadmin and net start w3svc to help ensure that the Metabase does not become corrupted.
To protect a Web Site (not the default site):