Cannot accelerate Sentinel Server with Access Gateway Appliance

  • 7010523
  • 26-Jul-2012
  • 12-May-2014

Environment

NetIQ Access Manager 3.2
Access Gateway Appliance (AGA) used to accelerate Sentinel Server
Sentinel Version 7.0.0.0_623 works fine with AGA
Sentinel Version 7.0.1.0_652 fails with AGA

Situation

Access Manager 3.2 is set up and working fine, i.e. users can access protected resources behind an Access Gateway Appliance (AGA) server after having successfully authenticated to the Identity Server. After installing the latest Sentinel Server version, the AGA was set up to accelerate the main portal page using domain-based multihoming or a standard accelerator. With a single protected resource (/*) defined for this Sentinel server, users were able to access the protected Sentinel proxy server and authenticate to NAM.

After successfully authenticating, users were manually asked to submit the Sentinel Admin username/password to authenticate to the Sentinel server (no Single Sign-On enabled). After submitting the credentials, users do not get redirected to the main Sentinel Admin page, but simply get a blank screen.

Resolution

Fixed in 3.2.2 IR3. The workaround prior to this is to disable the rewriter on the Sentinel proxy and make sure that the proxy and the back-end Sentinel server listen on the same TCP port.

Cause

Some back-end applications like Sentinel, when SSL is enabled, may send only 1 byte of data when gzip is enabled, but mod_deflate returns an error message if the data is less than 10 bytes (mod_deflate has a header size of 10 bytes, and it expects a minimum of 10 bytes). As a result, browser-side SSL requests containing less than 10 bytes of data would be closed, causing a blank page to appear in the browser.

With the new fix, if data smaller than 10 bytes is sent to mod_deflate, it is temporarily stored; when the next chunk of data arrives, both chunks are combined and processed together.
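The following Python model, added here as an illustration and not code from NetIQ or from Apache mod_deflate, contrasts the two behaviours described above: a filter that drops any chunk shorter than the 10-byte gzip header (the pre-fix behaviour, which yields an empty response and hence the blank page) and a filter that holds such a chunk and combines it with the next one (the 3.2.2 IR3 behaviour). The class names, the chunk boundaries and the sample page body are constructed for the example; the 10-byte threshold is the one the TID cites, and it matches the fixed-size gzip member header of RFC 1952.

```python
import gzip
import zlib

GZIP_HEADER_LEN = 10  # threshold named in the TID; also the RFC 1952 gzip header size


class StrictDeflateFilter:
    """Model of the pre-fix behaviour (hypothetical name): a body chunk shorter
    than the header length is treated as an error and the response is closed,
    so nothing reaches the browser."""

    def __init__(self):
        self._comp = zlib.compressobj(wbits=31)  # wbits=31 -> deflate with gzip framing
        self.closed = False
        self._out = bytearray()

    def write(self, chunk: bytes) -> None:
        if self.closed:
            return
        if len(chunk) < GZIP_HEADER_LEN:
            self.closed = True  # connection closed: the client sees a blank page
            return
        self._out += self._comp.compress(chunk)

    def finish(self) -> bytes:
        if not self.closed:
            self._out += self._comp.flush()
        return bytes(self._out)


class BufferingDeflateFilter:
    """Model of the fixed behaviour (hypothetical name): a sub-threshold chunk is
    held back and combined with the next chunk before being compressed."""

    def __init__(self):
        self._comp = zlib.compressobj(wbits=31)
        self._pending = bytearray()
        self._out = bytearray()

    def write(self, chunk: bytes) -> None:
        self._pending += chunk
        if len(self._pending) < GZIP_HEADER_LEN:
            return  # too small on its own; wait for the next chunk
        self._out += self._comp.compress(bytes(self._pending))
        self._pending.clear()

    def finish(self) -> bytes:
        # End of response: whatever is still pending is emitted regardless of size,
        # so a short final chunk is never lost.
        if self._pending:
            self._out += self._comp.compress(bytes(self._pending))
            self._pending.clear()
        self._out += self._comp.flush()
        return bytes(self._out)


def run_filter(filt, chunks):
    """Feed the back-end chunks through a filter and return the wire bytes."""
    for chunk in chunks:
        filt.write(chunk)
    return filt.finish()


def gunzip(data: bytes) -> bytes:
    """What the browser would decode from the compressed response body."""
    return gzip.decompress(data)


# Constructed sample: the back end emits a 1-byte first chunk (as the TID
# describes for Sentinel over SSL) followed by the rest of the page.
SAMPLE_CHUNKS = [b"<", b"html><body>Sentinel admin page</body></html>"]

if __name__ == "__main__":
    print("pre-fix  :", run_filter(StrictDeflateFilter(), SAMPLE_CHUNKS))      # b'' -> blank page
    print("with fix :", gunzip(run_filter(BufferingDeflateFilter(), SAMPLE_CHUNKS)))
```

The buffering filter is only a model of the behaviour the TID describes; in a production reverse proxy the same mechanism is what turns a tiny first write from the back end into a valid compressed response instead of a dropped connection. The pre-fix model explains the symptom in the Situation section: the SSL request is closed before any bytes are sent, so the browser renders nothing.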