
Netegrity® SiteMinder®

Secure Proxy Server


The Secure Gateway to Enterprise Resources

Netegrity White Paper


July 2, 2003

© Copyright 2003 Netegrity, Inc.

Table of Contents
Executive Summary
Introduction
Product Overview
  Architecture
  Session Schemes
  Proxy Rules
  Secure Policy Server in Action
Two Access Control Strategies
  Agent-Based Deployment
  Proxy-Based Deployment
  Combining the Two Approaches
Summary

Netegrity® SiteMinder® Secure Proxy Server – The Secure Gateway to Enterprise Resources
Netegrity, Inc. Proprietary

Executive Summary
Resources across the network are valuable for every company, and therefore have to be protected from
unauthorized access. Security considerations for these resources vary based on the sensitivity of content
and the intended user community. The challenge is to implement secure solutions within the context of
providing an integrated and centralized access control environment, while simultaneously supporting
multiple authentication mechanisms and appropriate session controls. Netegrity provides both an agent-
based solution and a proxy-based solution to meet those challenges.

This paper discusses Netegrity® SiteMinder® Secure Proxy Server. The Netegrity SiteMinder Secure Proxy
Server is a high-performance proxy gateway that secures a company’s backend servers. The product
consists of two components – a Proxy engine, with a fully integrated SiteMinder Agent, and an Apache-based
HTTP web listener. The Netegrity SiteMinder Secure Proxy product provides the following features:

• Access control for HTTP and HTTPS requests to and from backend destination servers.
• Single sign-on as a standalone proxy or in combination with SiteMinder Agent enabled servers.
• Multiple session schemes including SiteMinder cookies, mini-cookies, SSL session ID,
IP address, URL rewriting, HTTP header, and custom.
• Session storage to maintain user session information in memory.
• Intelligent proxy rules for flexible routing of incoming requests to backend servers.

The SiteMinder Secure Proxy Server seamlessly integrates with your infrastructure to provide SiteMinder
access control and entitlement management. It offers an alternative deployment model to Netegrity
SiteMinder Agent deployment that enables central management of security policies for user access to
resources. The SiteMinder Secure Proxy Server allows you to:

• Centralize Security – The SiteMinder Secure Proxy Server provides a central security
management point that stops non-authenticated traffic from entering the DMZ. It supports multiple
authentication schemes including passwords, tokens, X.509 certificates, custom forms, and
biometrics, as well as combinations of authentication methods.
• Provide Access Management for Wireless Devices – The product architecture supports multiple
session schemes including non-cookie based methods of session-tracking thereby providing a
platform for building wireless solutions.
• Conceal Internal Network – The SiteMinder Secure Proxy Server never reveals the internal
network topology to outsiders, including those who might attempt to attack an internal server.
• Lower Administrative Costs – The SiteMinder Secure Proxy Server is a single point of entry for
all user requests. Therefore, it can be managed by a central IT organization and can enforce
enterprise wide access control policy.

Netegrity offers two complementary policy enforcement strategies for a more flexible and secure web
access architecture. Netegrity SiteMinder Agent-based solution provides distributed access control with
fine-grained authorization tightly linked with individual applications and servers. The Netegrity SiteMinder
Secure Proxy Server provides centralized access management to control traffic entering the enterprise
DMZ. Customers may choose to deploy these solutions singly or in combination to provide the most
appropriate security and administration solution for any site.

Introduction
Sharing information broadly within the enterprise and creating value by making assets available to
customers and partners online is crucial. Resources across the network are valuable for every company,
and therefore have to be protected from unauthorized access. Enterprises employ multiple network
configurations and policies to make these assets and information available to only trusted parties. Security
considerations vary based on the sensitivity of content and the intended user community.

The challenge is to implement secure solutions within the context of providing an integrated access control
environment, while simultaneously supporting multiple authentication mechanisms and appropriate session
controls. These solutions must support heterogeneous environments, including a wide variety of platforms,
servers, and end-user devices. Providing access to network resources for employees, customers, and
partners presents a number of challenges, including:

• Directing requests to appropriate services
• Verifying user identities and establishing entitlements
• Maintaining sessions for authorized users
• Providing centralized access control
• Supporting multiple device types
• Employing flexible and secure architectures

The Netegrity SiteMinder Secure Proxy Server provides solutions to many of these challenges, including
authentication and authorization of users, and a complex engine for evaluating user entitlements. The
Netegrity Secure Proxy Server further expands the benefits of its core SiteMinder Policy Server and Agent
functionality by providing a secure reverse proxy solution. The Netegrity Secure Proxy Server is a high
performance, proxy gateway that secures a company’s backend servers. The SiteMinder Secure Proxy
Server patent pending technology offers a turnkey reverse proxy solution built upon market-proven Java
technologies and components. The SiteMinder Secure Proxy Server provides the following capabilities:

• Centralized administration with flexible, powerful proxy rules
• Cookie-less single sign-on and session storage
• Multiple options for maintaining sessions
• Multiple device support
• Interoperability with existing SiteMinder Web Agents

This paper provides an overview of Netegrity SiteMinder Secure Proxy Server, including product
architecture, features, and benefits to customers. It also discusses the use of the SiteMinder Secure Proxy
Server as a standalone security solution and its use with SiteMinder agent technology to achieve a
complete, robust security infrastructure. For more information on the SiteMinder Secure Proxy Server or
any of the Netegrity identity and access management product solutions please visit our website at
www.netegrity.com.

Product Overview
The Netegrity SiteMinder Secure Proxy Server provides a reverse proxy solution for access control to a
company’s backend servers. It can be used as a standalone solution or in conjunction with SiteMinder web
server and application server agents. The SiteMinder Secure Proxy Server accepts HTTP and HTTP over
SSL (HTTPS) requests from web clients, passes those requests to enterprise backend content servers,
and then returns resources to the requesting client. Advanced proxy rules control how requests are routed
to destination servers.

The SiteMinder Secure Proxy Server sits in the DMZ between firewalls separating Internet users and
backend resources. It prevents non-authenticated users from entering at any point in the DMZ. Access to
the entire enterprise is managed through a single enforcement point. The internal network topology is
made opaque to external users.

The SiteMinder Secure Proxy Server offers the following features:

• Access Control for HTTP and HTTPS Requests - The SiteMinder Secure Proxy Server allows
you to control the flow of HTTP and HTTPS requests to and from destination servers using an
embedded SiteMinder Web Agent. In addition, the SiteMinder Secure Proxy Server is fully
integrated with SiteMinder to securely manage e-business transactions.
• Single Sign-on - The SiteMinder Web Agent embedded in the SiteMinder Secure Proxy Server
enables single sign-on (SSO) across an enterprise, including SSO with SiteMinder Web Agents
that may be installed on destination servers within the enterprise.
• Multiple Session Schemes - A session scheme is a method for maintaining the identity of a user
after authentication. The SiteMinder Secure Proxy Server supports multiple session schemes
based on SSL ID, mini-cookies, device IDs for handheld devices, URL rewriting, IP addresses, and
schemes created using the Session Scheme API.
• Session Storage - The SiteMinder Secure Proxy Server is equipped with an in-memory session
store to maintain user session information. The SiteMinder Secure Proxy Server uses a token
such as a mini-cookie or SSL ID to access a particular user’s session information. Cookie-less
session schemes and the SiteMinder Secure Proxy Server in-memory session storage provide a
solution for e-business management beyond PCs, including wireless devices, such as PDAs and
cell phones.
• Intelligent Proxy Rules - Proxy rules allow you to configure different paths for fulfilling client
requests from the SiteMinder Secure Proxy Server based on characteristics such as the requested
virtual host or URI string. The SiteMinder Proxy Engine interprets a set of proxy rules to determine
how to handle user requests.

Architecture
The SiteMinder Secure Proxy Server serves as a single gateway for access to enterprise resources,
regardless of a user’s method of network access. It consists of two components – a proxy engine with a
fully integrated SiteMinder Agent and an Apache-based HTTP web listener. It works with the SiteMinder
Policy Server which provides authentication and authorization services. Administrators secure backend
content by specifying security policies using the SiteMinder Policy Server, which are then enforced by the
SiteMinder Secure Proxy Server.

A set of configurable proxy rules determines how the SiteMinder Secure Proxy Server handles a user’s
request. Users may access resources through multiple session schemes based on mappings between
user agent types and virtual hosts. Users can access the SiteMinder Secure Proxy Server using various
devices. Requests may be routed to different destination servers based on the type of device being used
to access the network. The SiteMinder Secure Proxy Server determines session schemes and forwards or
redirects requests to the appropriate destination servers. The enterprise network is opaque to users, who
simply access the SiteMinder Secure Proxy Server which uses its proxy engine to route requests.

The following diagram illustrates a typical process flow when the SiteMinder Secure Proxy Server receives
an HTTP or HTTPS request.

[Figure: process flow in the DMZ between two firewalls. Labels: All HTTP/HTTPS Traffic, Netegrity SiteMinder Secure Proxy Server with embedded Agent, server.conf, proxy_rules.xml, Policy Server, Destination Server 1. Callouts 1 to 7 correspond to the steps below.]

1. A user’s request is received by the SiteMinder Secure Proxy Server.
2. The SiteMinder Secure Proxy Server determines the session scheme to be used based on the
virtual host requested and device type defined in the server.conf file.
3. The embedded SiteMinder Agent performs the necessary authentication and authorization process.
4. Proxy rules, defined in the proxy_rules.xml file, are used by the SiteMinder Secure Proxy
Server to determine how to handle the incoming request.
5. Based on the applicable proxy rule, the SiteMinder Secure Proxy Server constructs a new request
and forwards it to the backend server.
6. The SiteMinder Secure Proxy Server gets a response back from the backend server.
7. An appropriate response is constructed and sent back to the user.

Session Schemes
Session schemes are provided to track user sessions. The SiteMinder Secure Proxy Server supports
multiple session schemes, in addition to the SiteMinder HTTP Session cookies, to manage user sessions.

A site administrator may determine that device or security requirements preclude the use of cookies or that
a smaller cookie would be preferable for performance reasons. To meet these needs, alternative session
schemes are available. The SiteMinder Secure Proxy Server caches these user sessions based on keys.
Several schemes are supported:

• SiteMinder Cookies: This scheme uses the normal SiteMinder cookie to track the user session.
• HTTP Header: A very general and easily configurable Session Scheme can be derived from any
HTTP header found in a client request, provided that the header value uniquely identifies a user.
The header value is used as a key to a user session. An example is provided of a Session
Scheme that is based on a device ID.
• SSL Session ID: In this Session Scheme, the content is served over SSL and the SSL session ID
is used as a key to the user session. This scheme provides a highly secure means of holding user
sessions that are resistant to spoofing. However, it is limited in scalability since all content must be
served over SSL and the user must continue to access the same Secure Proxy Server for the
session to persist. This scheme is used for intranet and extranet applications with very high
security needs.
• Mini Cookies: This Session Scheme is designed for the clients that accept cookies, but due to size
or bandwidth limitations cannot accept a standard SiteMinder cookie. A smaller cookie contains a
key to the user session.
This scheme is ideal for applications where user clients accept cookies but are accessing the
application over connections of limited speed and bandwidth. This would include some wireless
environments and desktop users who use slow modem connections to the internet.
• IP Address: This Session Scheme is designed for environments that can uniquely identify an
active user by the IP address, which is used as a key to a user session.
This scheme should only be used for applications where users are retrieving information (with
HTTP GET) from protected resources. If HTTP POST or HTTP PUT is used for sending
information to a secure application then applications need to keep in mind that IP addresses can be
spoofed for the purposes of sending data to the server.
• URL Rewriting: This scheme uses an encrypted session key inserted into a URL to track the
user’s session. The SiteMinder Secure Proxy Server finds the session key on subsequent
requests, uses it to achieve single sign-on, and then strips it out of the URL before completing the
request.
For example, for the request http://www.company.com/marketing/index.html, the user is redirected
to http://www.company.com/smkey=123/marketing/index.html where the session key is “123”.
This scheme is ideal for environments that do not support cookies (such as some wireless
environments) and for applications supporting user communities who do not want to use cookies.
• Custom: Additionally, users can create custom session schemes using the Java™-based Session
Scheme API provided with the SiteMinder Secure Proxy Server.

The SiteMinder Secure Proxy Server’s configuration file contains mappings between session schemes and
user agent types. A separate set of mappings may be defined in the configuration file for each virtual host.
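
The URL Rewriting scheme described above, as an added Python example (not Netegrity code or the product's API). It assumes a random opaque token in place of the encrypted key the paper mentions; `SessionStore`, the token format and the idle timeout are hypothetical.

```python
import re
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumed idle timeout; the paper gives no value

# The key must be the first path segment, as in /smkey=123/marketing/index.html.
_KEY_SEGMENT = re.compile(r"^/smkey=([^/]*)(/.*)?$")
# Assumed token format: 16 to 64 URL-safe characters.
_KEY_FORMAT = re.compile(r"^[A-Za-z0-9_-]{16,64}$")


class SessionStore:
    """In-memory session store keyed by an opaque token."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}

    def create(self, user):
        key = secrets.token_urlsafe(24)  # 32 unguessable URL-safe characters
        self._sessions[key] = (user, self._clock() + self._ttl)
        return key

    def lookup(self, key):
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires = entry
        if self._clock() >= expires:
            del self._sessions[key]  # expired sessions are removed on access
            return None
        return user


def rewrite_path(path, key):
    """Insert the session key as the first path segment of an absolute path."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return f"/smkey={key}{path}"


def strip_session_key(path):
    """Return (key, clean_path).

    A leading smkey segment is always removed so the backend never sees it;
    the key is returned only when it is well formed, otherwise None.
    """
    match = _KEY_SEGMENT.match(path)
    if match is None:
        return None, path
    raw_key, rest = match.group(1), match.group(2) or "/"
    key = raw_key if _KEY_FORMAT.match(raw_key) else None
    return key, rest


def handle_request(store, path):
    """Return ("forward", user, clean_path) or ("authenticate", None, clean_path)."""
    key, clean_path = strip_session_key(path)
    user = store.lookup(key) if key else None
    if user is None:
        return ("authenticate", None, clean_path)
    return ("forward", user, clean_path)
```

Because the key travels in the URL, it also appears in browser history, intermediary logs and Referer headers, so a short session lifetime and stripping the key before the backend request both matter.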

Proxy Rules
One of the most important capabilities of the SiteMinder Secure Proxy Server is the ability to route requests
to the appropriate destination servers in the enterprise. The Proxy Rules for the SiteMinder Secure Proxy
Server are defined in an XML file and contain the logic required by the SiteMinder Proxy Engine to process
requests. The SiteMinder Proxy Engine interprets those rules and provides both a forward and a redirect
service to handle the disposition of all user requests for backend resources.

The Proxy Rules have three basic constructs – conditions, cases and destinations. Conditions specify the
attribute(s) of a request that must be evaluated by the SiteMinder Proxy Engine. A case specifies a value
to be matched. Conditions must contain at least one case, but may contain multiple cases. Simple
conditions may be combined to make complex conditions. If the incoming request has a value that
matches the one specified in a case, the request is forwarded or redirected to the associated destination.
Destinations represent back end resources protected by the SiteMinder Secure Proxy Server.

A condition defines the part of the incoming request that the SiteMinder Proxy Engine evaluates against
defined cases. Supported conditions include:

• URI: Matches the portion of the requested URL after the host name to the URI string defined in the
condition. Portions of the URI can be evaluated by the SiteMinder Proxy Engine. For example, the
endswith criteria can be used to match the file extension of a requested resource.
• Query String: Matches the query string portion (all characters after the “?”) of the requested URL to the
query string defined in the condition.
• Host Name: Matches the value of the HTTP HOST header variable to the value of the hostname
defined in the condition. This type of condition is used when the SiteMinder Secure Proxy Server is
configured to support multiple virtual hosts.
• HTTP Header: Matches any HTTP Header, including SiteMinder responses, to the value defined in
the condition. For example, a user’s device type, which is part of the USER_AGENT HTTP
header, can be evaluated by the SiteMinder Proxy Engine.

The SiteMinder Proxy Engine compares the attribute specified in a condition to the specific values defined
in cases according to one of the following criteria: equals, beginswith, endswith, and contains. A special
type of a condition is a Regular Expression. Regular expressions offer a very flexible and powerful tool
that can be employed in SiteMinder Secure Proxy Server proxy rules. Regular expressions can be used to
evaluate incoming URIs and query strings.

A case specifies a value of the request that is evaluated by the SiteMinder Proxy Engine. If the value
matches, the request is forwarded or redirected to a destination or another condition.

• Forward: Service that forwards requests to a specific destination server. Any response from a
destination server is returned to the user through the SiteMinder Secure Proxy Server.
• Redirect: Service that redirects requests to a specific destination server. Any response from a
destination server is returned directly to the user, without passing through the SiteMinder Secure
Proxy Server.

The SiteMinder Secure Proxy Server can also use SiteMinder responses to determine a destination for a
request. A user’s entitlements, gathered during the authentication and authorization process, can be used
to personalize the user’s experience.

For example, if a user directory contains information about the account type for a banking web site, the
SiteMinder Secure Proxy Server can proxy users with different types of accounts to different destinations.
Customers with standard accounts can be handled by one set of destination servers, while customers with
premium accounts can be handled by a separate set of high performance destination servers. This
enables an enterprise to provide a higher quality of service to its best customers.
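
The condition, case and destination constructs and the account-type routing described above, modelled as an added Python example (not the proxy_rules.xml format and not Netegrity code). The class names, the `X-Account-Type` header, the backend URLs and the no-match behaviour (no route) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# The four comparison criteria named in the paper.
CRITERIA = {
    "equals": lambda actual, expected: actual == expected,
    "beginswith": lambda actual, expected: actual.startswith(expected),
    "endswith": lambda actual, expected: actual.endswith(expected),
    "contains": lambda actual, expected: expected in actual,
}

# Hypothetical header that carries a policy response (the account type).
POLICY_HEADERS = {"x-account-type"}


@dataclass(frozen=True)
class Destination:
    service: str  # "forward" or "redirect"
    target: str   # constructed backend URL


@dataclass
class Case:
    criteria: str
    value: str
    then: Union["Condition", Destination]  # a destination or a nested condition


@dataclass
class Condition:
    attribute: str         # "uri", "query", "host" or "header"
    cases: List[Case]
    header_name: str = ""  # used only when attribute == "header"


@dataclass
class Request:
    host: str
    uri: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def with_policy_responses(req: Request, responses: Dict[str, str]) -> Request:
    """Drop client-sent copies of policy headers, then add the trusted values."""
    kept = {k: v for k, v in req.headers.items() if k.lower() not in POLICY_HEADERS}
    return Request(req.host, req.uri, req.query, {**kept, **responses})


def attribute_value(cond: Condition, req: Request) -> Optional[str]:
    """Extract the part of the request that a condition evaluates."""
    if cond.attribute == "header":
        wanted = cond.header_name.lower()
        return next((v for k, v in req.headers.items() if k.lower() == wanted), None)
    return {"uri": req.uri, "query": req.query, "host": req.host.lower()}[cond.attribute]


def route(node: Union[Condition, Destination], req: Request) -> Optional[Destination]:
    """Return the destination of the first matching case, or None (no route)."""
    if isinstance(node, Destination):
        return node
    actual = attribute_value(node, req)
    if actual is None:
        return None
    for case in node.cases:
        if CRITERIA[case.criteria](actual, case.value):
            return route(case.then, req)
    return None


# Constructed rule set modelled on the paper's banking example.
STANDARD = Destination("forward", "http://bank-standard.internal.example")
PREMIUM = Destination("forward", "http://bank-premium.internal.example")
PORTAL = Destination("forward", "http://portal.internal.example")
IMAGES = Destination("redirect", "http://images.company.example")

RULES = Condition("host", [
    Case("equals", "www.company.com", Condition("uri", [
        Case("endswith", ".gif", IMAGES),
        Case("beginswith", "/", PORTAL),
    ])),
    Case("equals", "banking.company.com", Condition("header", [
        Case("equals", "premium", PREMIUM),
        Case("equals", "standard", STANDARD),
    ], header_name="X-Account-Type")),
])


def route_authorized(req: Request, responses: Dict[str, str]) -> Optional[Destination]:
    """Route a request using only the header values produced by authorization."""
    return route(RULES, with_policy_responses(req, responses))
```

Routing on a header is only as trustworthy as the header's origin, which is why the example discards any client-supplied copy before the rules run and returns no route when nothing matches.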

Secure Policy Server in Action


Now let’s look at an example. This example shows how session schemes and proxy rules can be used
together to provide a very flexible proxy configuration. The diagram below shows the deployment.

[Figure: example deployment. Clients: web browsers and a mobile phone. Session schemes shown: 1 - SM Cookie, 2 - Mini Cookie, 3 - URL Rewriting, 4 - SSL ID. Virtual hosts: www.company.com, banking.company.com, bondtrading.company.com. Destinations: Consumer Portal, Bank Application Server for wired users, Bank Application Server for wireless users, High Security Bond Trading Application Server.]

In this example an enterprise has three virtual hosts. The http://www.company.com URL is the company’s
public page and points to a consumer portal that supports browser clients. The
http://banking.company.com URL points the user to the banking application that supports browser and
wireless phone clients. The https://bondtrading.company.com URL points the user to a high security bond
trading application that supports only HTTPS clients.

The first user accesses the consumer portal and the banking application from a browser. The SiteMinder
Secure Proxy Server is configured to manage the session based on the requested URL and the device
type of the user. The second user accesses the banking application through a mobile device. Since that
mobile device does not accept cookies, the SiteMinder Secure Proxy Server has been configured to
manage that user’s session through URL rewriting. Finally, the high security bond trading application
supports only HTTPS and the session scheme is configured to use SSL session ID.

Two Access Control Strategies
In general, there are two architectural approaches to managing access to web-based applications and
resources. In the agent-based approach, a software filter or agent is installed on a web or application
server. The agent provides high security on the local server by mediating all HTTP(s) traffic and granting
access to resources on that server based on a flexible, powerful policy model. In the proxy-based
approach, a server configured as a reverse proxy acts as a gateway for all user requests to various
backend servers. User requests are routed to backend servers through a set of configurable proxy rules.

Agent-based and proxy-based solutions can be used singly or in combination to provide optimum security
and administration flexibility. Netegrity provides both agent-based and proxy-based access control
solutions.

Agent-Based Deployment
In general, agent-based deployment is used for distributed access control. The agents provide a local
policy enforcement point on each server and can be tightly integrated with the applications running on that
local server. This distributed model allows for fine-grained access control and personalization in the
protected applications. The agent-based deployment is better suited for heterogeneous environments with
multiple application platforms and/or a wide variety of user types. It is also easier to delegate policy and
user administration in a large, complex enterprise with multiple applications.

SiteMinder is Netegrity’s solution for securely managing e-business. It consists of a policy server that
allows you to specify policies for your enterprise, and agents that are installed on web and application
servers. The SiteMinder Agents communicate with the Policy Server and provide authentication,
authorization, and other functions. A wide variety of authentication mechanisms are supported including
passwords, tokens, X.509 certificates, custom forms, and biometrics, as well as combinations of
authentication methods.

The SiteMinder Agent is a program that acts as a filter to enforce access control on a wide variety of web
and application servers. When a user requests a resource protected by SiteMinder, the Agent prompts the
user for credentials based on the administrator configured authentication scheme and sends the
credentials to the SiteMinder Policy Server. Based on pre-defined rules and according to the user’s
credentials, the Policy Server determines whether the user can be authenticated and entitled to use the
requested resource. The Policy Server then advises the Agent whether to allow or deny access to the
requested resource. If access is allowed, the Policy Server may also add responses to the HTTP stream.
Response headers are configured by SiteMinder administrators, and are typically profile or entitlement
information which a requested application may use in its business logic. Header variables allow for fine-
grained access control and personalization in the application. In an agent-based deployment, SiteMinder
sessions are controlled by storing user information in an encrypted cookie.

Proxy-Based Deployment
In general, proxy-based deployment is best suited for centralized access control. It is easier to administer
because it is a single control point for all backend applications. This centralized access control model is
typically used in applications that have a single entry point for a relatively homogeneous user group (e.g. a
consumer portal). The proxy rules provide a more coarse form of access control. Multiple session
schemes provide additional flexibility including cookie-less session management for wireless devices. The
proxy-based approach also obscures the internal network topology.

The SiteMinder Secure Proxy Server is Netegrity’s proxy-based solution. The SiteMinder Secure Proxy
Server sits in the DMZ between firewalls separating Internet users and backend resources. It contains a
fully functional SiteMinder Web Agent that can communicate with the SiteMinder Policy Server to
authenticate users and verify user entitlements. Destination servers do not require SiteMinder Agents.

A virtual host configuration controls the session scheme that is used for a particular user accessing an
application through a particular device. Proxy rules determine how requests are routed to the destination
servers. Standard HTTP headers, SiteMinder headers and cookies are added to the incoming client
request. When the response is received from the backend content server, the SiteMinder Secure Proxy
Server adds session information to the response and returns the desired content to the requesting client. A
common use of the SiteMinder Secure Proxy Server is as a central entry point for all destination servers
within the enterprise. Any HTTP or HTTPS requests from users are first funneled through the SiteMinder
Secure Proxy Server, so that only authenticated and authorized users are forwarded to the destination
server. Destination servers are protected without agents and no content resides in the DMZ.

The figure below illustrates this type of deployment.

[Figure: proxy-based deployment in the DMZ between two firewalls. Labels: All HTTP/HTTPS Traffic, Netegrity SiteMinder Secure Proxy Server with Agent, Policy Server, Destination Server 1, Destination Server 2.]

Combining the Two Approaches
Generally speaking, agent-based deployments are best suited for distributed access control while proxy-
based deployments work best for centralized access control. Many enterprises have a mix of applications
and/or user communities with differing security requirements. In such cases, a combined agent/proxy
deployment may be the best choice.

Let’s look at an example. In this case, the enterprise has applications that can be accessed by outside
users (Extranet) as well as users within the enterprise (Intranet). The Intranet users have direct access to
the destination servers. One of the servers behind the firewall contains sensitive information that requires
an additional layer of protection even for internal users.

All extranet requests are filtered through the SiteMinder Secure Proxy Server, which is located in the DMZ
between the clients and backend content servers. The destination server with the higher security
requirement also has a SiteMinder Agent which provides local access control to resources on that machine.
Sessions established by the SiteMinder Secure Proxy Server are recognized by the SiteMinder Agent on
the backend server, maintaining single sign-on whether users access the enterprise from the Extranet or
the Intranet.

This model allows very flexible, but secure, access to backend resources. The enterprise can provide
differing levels of security and a mixture of coarse and fine-grained access control. The SiteMinder Secure
Proxy Server can be administered by corporate IT personnel according to corporate access policies while
the destination server with the SiteMinder Agent can be administered by the group that is responsible for
that application.

[Figure: combined deployment with three firewalls. Labels: All HTTP/HTTPS Traffic, Netegrity SiteMinder Secure Proxy Server with Agent (DMZ), Policy Server, Intranet HTTP/HTTPS Traffic, Destination Server 1, Destination Server 2 with Agent.]

Summary
The SiteMinder Secure Proxy Server is a self-contained reverse proxy solution that seamlessly integrates
with your infrastructure to provide SiteMinder access control and entitlement management while serving as
a secure gateway to your enterprise’s backend resources. It provides a central access management point
for controlling HTTP and HTTPS requests to backend content servers. The SiteMinder Secure Proxy Server
provides single sign-on as a standalone component and in conjunction with SiteMinder Agents. Multiple
session schemes are supported including cookies, SSL session ID, device ID, IP address, and URL re-
writing. Proxy rules control the flow of requests to destination servers evaluating specific parts of the
request including URI, query string, host name, and HTTP headers.

The Netegrity SiteMinder Secure Proxy Server provides a number of key benefits. By providing centralized
security, non-authenticated users are prevented from entering the DMZ and the corporate network topology
is hidden from external users. Cookie-less session management and an in-memory session store provide
a platform for building wireless access solutions. Having a single point of entry allows access management
by a central IT organization and lowers administrative costs.

Netegrity offers state of the art solutions for both agent-based and proxy-based solutions. While there is
some overlap, agent-based deployments are generally best suited for distributed access control where
applications require fine-grained authorization and where administration needs to be delegated to
organizations within the enterprise. Proxy-based solutions are generally used when centralized security
policy is required or multiple session management schemes are used. Many enterprises have a mix of
applications and user communities with differing security requirements. In this case, a combined
agent/proxy approach may be the best choice.

For more information on Netegrity SiteMinder and other Netegrity products and services, please visit
http://www.netegrity.com.

Copyright © 2003 Netegrity, Inc. All Rights Reserved.

Trademarks

Netegrity, and SiteMinder are registered trademarks of Netegrity, Inc. All other brand or product names are service
marks, trademarks or registered trademarks of their respective owners.

The statements in this white paper that relate to future plans, events or performances are forward-looking statements.
Actual results, events and performances may differ.
