11-08-2017 12:23 PM
I want to know if there is any SAS documentation/ experiences out there in using your own 3rd party web server (IIS 7) in a SAS 9.4 middle tier/ SAS VA 7.4 deployment and what deployment steps and configuration steps this would entail. The restriction of using a 3rd party web server is arising from Enterprise SSO integration requirements and the container managed security mechanism that has to be used
Some more questions about this configuration,
--What happens to the SAS 9.4 web server in this case ? Do we have to un-install it and remove it from the middle tier, if we are using a 3rd party web server ?
--Does the 3rd party web server have to be configured as a reverse proxy ? Found some documentation which says this has to be done if you are taking out the web server from the SAS deployment.
--What is the downside of this kind of deployment ?
11-09-2017 05:28 AM
IIS should not be a problem. The document you are looking for is this one: Configuring the Middle Tier to Use an Existing Customer Reverse Proxy http://documentation.sas.com/?docsetId=bimtag&docsetTarget=p0sxhuco18v167n13dsmnrfqv7yy.htm&docsetVe...
What happens to the SAS 9.4 web server in this case ? Do we have to un-install it and remove it from the middle tier, if we are using a 3rd party web server ?
The web server cannot/should not be removed from the deployment, your IIS will pass your request to the SAS Apache server
Does the 3rd party web server have to be configured as a reverse proxy ? Found some documentation which says this has to be done if you are taking out the web server from the SAS deployment.
Yes, it has to. As said, the SAS Web Server should not be taken out of the deployment, but it can be kept as internal service.
What is the downside of this kind of deployment ?
On general, or security, none. But there is an overhead on maintenance efforts.
Up to 9.4 M3, for every maintenance, application of hotfixes, etc, you had to disable the reverse proxy configuration, apply the maintenance, then re-apply the reverse proxy configuration. But starting 9.4M4, this is not needed any more (great news!) http://documentation.sas.com/?docsetId=bimtag&docsetTarget=n0y2fq741xmw8nn1btstcnwnq3jj.htm&docsetVe...
Let me add some comments:
Besides a full-reverse proxy configuration, you have some alternatives, such as use re-write and redirect rules on IIS, then you can keep all your SAS deployment and SAS Web Server as internal, and let the IIS use those features for you. Most likely, SAS won't support issues with this configuration, but it is widely used, so up to you.
Anyway, IIS redirect/rewrite, or IIS reverse proxy, do not forget to configure the SSL of loading, if required.
For SSO, you will need to ensure that the TGT Kerberos tickets received on the IIS will be passed to the SAS Web Server, so this part is up to you.
If the IIS is on a DMZ, you probably will have trouble on ensuring the delegated user on the domain controller, since DMZ domain controlers are normally not part of a root domain controller.