How do you configure IIS' ARR to proxy for the Splunk web instance? There is currently a wiki regarding Apache and Splunk, but I'm not able to recreate the same settings on ARR.
I don't know what wiki you're looking at, but it's probably not applicable to Splunk 4.1. Nevertheless, setting up IIS ARR should be pretty straightforward. Set up a server "farm" in IIS pointing to SplunkWeb and proxy to that farm. Set up an application/site in IIS that goes to that farm. Set up that application/site to require Windows Integrated Auth instead of anonymous access.
That should be it for setting up the proxy. You then need to configure Splunk to accept SSO: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO
BunnyHop: Can you please tell me how you made ARR on IIS work? ...Having issues with URL Rewrite rules/settings and Splunk web.conf settings.
How did you configure IIS and ARR/URL Rewrite?
This never worked on the Free version; I tricked IIS by using ARR and restricting users by IP.
Okay, well even with ARR, you would still need to set trustedIP (to the ARR). I have to get onto a W2k8 box to get more detailed instructions and will update accordingly.
BTW, my inability to make the ARR on IIS work doesn't mean the answer provided is not correct, so I will hand it to you gkanapathy, for the patience :).
I'm giving up. I'm going to use the trustedIP on the web.conf to perform restriction.
Should I configure both web.conf and server.conf for trustedIP or just the server.conf?
In free, you don't need to configure any remote user at all. It will always be the single admin user. You can do the same thing, but basically just ignore all the configuration on the Splunk side. However, you probably will want to use iptables, some other firewall, or the Splunk SSO trustedIP setting to ensure that only the IIS server can make requests to SplunkWeb. You should also use the SSOMode = strict settings in this case.
Understood, gkanapathy, for right now, I simply just need to control access, possibly to testers only, until the Ent comes in the door. However, it might take quite a while until I get my hands on the Ent so for now this will do. So SSO can still be configured with Free? I would assume the remote_user would have to be the "Admin" user?
If you set up an SSO proxy to protect Splunk Free, that essentially becomes your authentication into Splunk. However, this simply controls access, and does not provide distinct users or roles within the app. For that, you'd need the Splunk Enterprise version.
Answers just deleted my answer, woohoo.
Free has no auth. In free, all connections are assigned to be a
single unnamed user who has admin-level privileges. Thus, SSO is not
a meaningful term for splunk free.
However, in the quest to support SSO in 4.1, Splunk was modified to
work better behind a proxy. I would expect the settings such as
root_endpoint and tools.proxy.on should be sufficient to get splunk
free to function in some fashion behind a proxy in free.
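The web.conf settings named in this thread (trustedIP, SSOMode, tools.proxy.on) can be checked before SplunkWeb is exposed behind the proxy. The following Python audit is an added example, not code from any poster or from Splunk; the proxy address 192.0.2.10, both sample files, and the function name audit_web_conf are constructed for illustration, and splitting trustedIP on commas is an assumption made so that any extra address is reported.

```python
import configparser
import ipaddress

PROXY_IP = "192.0.2.10"  # constructed placeholder for the IIS/ARR server

# Constructed sample files, not taken from the thread.
WEAK = """[settings]
tools.proxy.on = false
trustedIP = 192.0.2.10, 192.0.2.99
SSOMode = permissive
"""
HARDENED = """[settings]
root_endpoint = /splunk
tools.proxy.on = true
trustedIP = 192.0.2.10
SSOMode = strict
"""

def audit_web_conf(text, proxy_ip):
    """Return findings for a web.conf that should accept only the proxy."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (trustedIP, SSOMode)
    cp.read_string(text)
    s = cp["settings"] if cp.has_section("settings") else {}
    proxy = ipaddress.ip_address(proxy_ip)
    findings = []
    # Split on commas so any address besides the proxy is reported.
    trusted = [v.strip() for v in s.get("trustedIP", "").split(",") if v.strip()]
    if not trusted:
        findings.append("trustedIP is not set")
    for v in trusted:
        try:
            if ipaddress.ip_address(v) != proxy:
                findings.append(f"trustedIP entry {v} is not the proxy {proxy}")
        except ValueError:
            findings.append(f"trustedIP entry {v!r} is not a single IP address")
    # Policy of this example: the value must be written out, not left to a default.
    if s.get("SSOMode", "").strip().lower() != "strict":
        findings.append("SSOMode is not explicitly set to strict")
    if s.get("tools.proxy.on", "").strip().lower() not in ("true", "1"):
        findings.append("tools.proxy.on is not enabled")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_web_conf(text, PROXY_IP))
```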
Does this work on the "free" version?