IIS agent configuration
Manage the PingAccess agent for Internet Information Services (IIS) configuration using the IIS Manager application.
During the installation of the agent, a configuration schema extension is added to the system.webServer
section. This schema extension adds the following two configuration options:
Parameter | Definition | Default Value |
---|---|---|
|
A string value containing the path to the certificates extracted from the |
|
|
The list of |
|
Do not make any changes to the previous two configuration options if you followed the steps in Installing on IIS. |
Agent.properties
The configured agent.properties
files can contain the following properties:
Property | Definition | Default Value | ||||
---|---|---|---|---|---|---|
|
The Uniform Resource Identifier (URI) scheme used to connect to the engine node. Acceptable values are:
|
|
||||
|
The PingAccess host name. |
The value in the agent node’s PingAccess Host field. |
||||
|
The port that the agent connects to on the PingAccess host.
|
Defined in the PingAccess admin UI. |
||||
|
The unique agent name that identifies the agent in PingAccess. |
Defined in the PingAccess admin UI. |
||||
|
Determines whether the agent performs certificate revocation list (CRL) checking against the server certificate used by the engine nodes or by a load balancer in front of the engine nodes. A value of |
This property isn’t present by default. The value is treated as |
||||
|
Determines whether the agent ignores the requirement to perform CRL checking if the backend server is offline or missing. A value of
|
This property isn’t present by default. The value is treated as |
||||
|
The password which is used to authenticate the agent to the engine. |
Defined in the PingAccess admin UI. |
||||
|
The base64-encoded public certificate which is used to establish HTTPS trust by the agent to the PingAccess engine.
|
Generated by PingAccess. |
||||
|
The number of connections that a single web server worker process maintains to the PingAccess engine defined in the |
|
||||
|
The maximum amount of time, in milliseconds, that an agent request made to PingAccess can take. If this time is exceeded, the client receives a generic |
|
||||
|
The maximum amount of time, in milliseconds, that the agent can take to connect to the PingAccess engine. If this time is exceeded, the client receives a generic |
|
||||
|
The maximum amount of time, in milliseconds, that a web server worker process waits for a response to a policy cache request sent to other web server worker processes. |
|
||||
|
The network port that web server processes use to publish policy cache requests to other web server worker processes. This port is bound to the localhost network only. |
|
||||
|
The network port that web server processes use to receive policy cache requests from other web server worker processes. This port is bound to the localhost network only. |
|
||||
|
The maximum number of tokens that are stored in the policy cache for a single web server worker process. A value of |
|
||||
|
Determines whether policy decision caching is enabled or disabled. A value of You might want to use this option for custom rules created using the PingAccess SDK that involve data that changes with every request within a resource and session.
|
|
||||
|
The host name and port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess host. |
Defined in the PingAccess admin console |
||||
|
The number of seconds to wait before the agent should retry connecting to a failed PingAccess server. |
|
||||
|
The number of times to retry a connection to a PingAccess server after an unsuccessful attempt. If all retries fail, the agent marks the PingAccess server as failed for the duration of the |
|
||||
|
Controls the type of policy cache used by the agent. There are three acceptable values for this property:
|
|
||||
|
Determines whether the This header contains the following fields:
Learn more in Agent inventory logging. |
|
||||
|
Specifies additional values to include in the This property uses the following syntax: agent.inventory=exampleheader=TEST;exampleheader2=TEST2;
|
This property isn’t present by default. |
||||
|
Specifies which token-type to favor when making an access decision if both a cookie and an authorization header token are included in a request. Acceptable values are
|
|
||||
|
If present, specifies a value or values that prompts PingAccess to block a request if it finds one or more of them in the request body. When defining these values, you can:
The following example demonstrates how to block some common XSS characters: agent.request.block.xss.characters=<,>,’,/\,\,%22,%0a,%0d
|
This property isn’t present by default. |
||||
|
If present, specifies a value or values that prompts PingAccess to block a request if it finds one or more of them in the request URI. When defining these values, follow the syntax established in the The following example demonstrates how to block some common URI characters: agent.request.block.uri.characters=//,./,/.,/*,*.,~,\,%00-%1f,%7f |
This property isn’t present by default. |
||||
|
If present, specifies a value or values that prompts PingAccess to block a request if it finds one or more of them in the request’s query parameters. When defining these values, follow the syntax established in the The following example demonstrates how to block some common query characters: agent.request.block.query.characters=<,>,&,%22,%27,%28,%29,%7b,%7d |
This property isn’t present by default. |
||||
|
If present, specifies a value or values that prompts PingAccess to block a request if it finds one or more of them in the request’s form parameters.
When defining these values, follow the syntax established in the The following example demonstrates how to block some common form characters: agent.request.block.form.characters=<,>,&,%22,%27,%28,%29,%7b,%7d |
This property isn’t present by default. |
||||
|
Set a custom status code to display when the agent blocks a request because of a bad XSS character.
The following example demonstrates how to set an XSS HTTP status code: agent.request.block.xss.http.status=400 |
This property isn’t present by default. |
||||
|
Set a custom status code to display when the agent blocks a request because of a bad URI character. The following example demonstrates how to set a URI HTTP status code: agent.request.block.uri.http.status=404 |
This property isn’t present by default. |
||||
|
Set a custom status code to display when the agent blocks a request because of a bad query character. The following example demonstrates how to set a query HTTP status code: agent.request.block.query.http.status=400 |
This property isn’t present by default. |
||||
|
Set a custom status code to display when the agent blocks a request because of a bad form character. The following example demonstrates how to set a form HTTP status code: agent.request.block.form.http.status=400 |
This property isn’t present by default. |
You can add comments to the |
If you make changes to the |
Learn more about improving agent performance in the Performance tuning guide. |