Create standard junctions

Use the Junction Management page to create one or more standard junctions in the environment.

  1. Select...

      Web > Manage > Reverse Proxy > reverse proxy > Manage > Junction Management > New > Standard Junction

  2. Junction tab:

    1. Enter the junction point name.

      Names for standard junctions must start with a forward slash (/) character.

    2. If the junction name must match the name of a subdirectory under the root of the back-end server document space select the checkbox Create Transparant Path Junction

    3. To have the junction to be stateful elect the check box Stateful Junction

    4. To enable HTTP/2 protocol to the junction server select the checkbox HTTP/2 Junction.

    5. To enable HTTP/2 protocol to the proxy server select the check box HTTP/2 Proxy:

      • The protected Web Server must serve HTTP/2 over both TCP and SSL for WebSEAL mutual junction type with HTTP/2 to work. For example, Microsoft IIS only serves HTTP/2 over SSL. So an HTTP/2 mutual junction type cannot be created to an IIS Web Server.

      • TCP HTTP/2 junction connections do not use HTTP/2 upgrade. They require the "Prior Knowledge" method to connect to an HTTP/2 Web Server over TCP. In Apache configuration terms, this is the "Direct mode".

    6. Specify the Server Name Indicator (SNI).

    7. Select a junction type from the listed options on the right.

  3. Servers tab:

    1. Click New to add a target back-end server. At least one target back-end server must be added to create a junction. The options available when we add a server vary depending on the junction type selected.

    2. Complete the fields displayed.

    3. Click Save.

  4. Basic Authentication tab:

    The properties on this tab are specific to SSL junctions. They are available only if we create an SSL junction.

    1. Select the Enable Basic Authentication check box if BA header information is to be used for authentication with the back-end server.

    2. Enter the WebSEAL user name in the Username field.

    3. Enter the WebSEAL password in the Password field.

    4. Select the Enable mutual authentication to junctioned WebSEAL servers check box if mutual authentication is to be used between a frontend WebSEAL server and a back-end WebSEAL server.

    5. Select the key file from the list to use for mutual authentication.

      The options in the list include certificates from both the local and network key files. The certificates from the network key file are prefixed with the token label for the network HSM device.

  5. Identity tab:

    1. Define how WebSEAL server passes client identity information in BA headers to the back-end server by selecting appropriate actions from the list under HTTP Basic Authentication Header.

    2. If GSO is selected in the previous step, enter the GSO resource or resource group name in the GSO Resource or Group field. If a value other than GSO is selected in the previous step, skip this step.

    3. Select what HTTP header identity information is passed to the back-end server in the HTTP Header Identity Information field.

    4. Select encoding from the list under HTTP Header Encoding.

    5. Select an option from the list under Junction Cookie Javascript Block.

    6. Check box on the right as necessary.

  6. SSO and LTPA tab:

    1. Select the Enable LTPA cookie Support check box if the junctions are to support LTPA cookies.

    2. If LTPA version 2 cookies (LtpaToken2) are used, select the Use Version 2 Cookies check box.

    3. Select the LTPA keyfile from the list under LTPA Keyfile.

    4. Enter the keyfile password in the LTPA Keyfile Password field.

  7. General tab:

    1. Specify the name of the form based single sign-on configuration file in the FSSO Configuration File field.

    2. Define the hard limit for consumption of worker threads in the Percentage Value for Hard Limit of Worker Threads field.

    3. Define the soft limit for consumption of worker threads in the Percentage Value for Soft Limit of Worker Threads field.

    4. To have denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header, select the Include authorization rules decision information check box.

  8. Click Save.

Parent topic: Junctions