How can you configure ARR (Application Request Routing) with Splunk for proxy

BunnyHop
Contributor

How do you configure IIS' ARR to proxy for the Splunk web instance? There is currently a wiki regarding Apache and Splunk, but I'm not able to recreate the same settings on ARR.

1 Solution

gkanapathy
Splunk Employee

I don't know what wiki you're looking at, but it's probably not applicable to Splunk 4.1. Nevertheless, setting up IIS ARR should be pretty straightforward. Set up a server "farm" in IIS pointing to SplunkWeb and proxy to that farm. Set up an application/site in IIS that goes to that farm. Set up that application/site to require Windows Integrated Auth instead of anonymous access.

That should be it for setting up the proxy. You then need to configure Splunk to accept SSO: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

magnuspenilsson
Explorer

BunnyHop: Can you please tell me how you made ARR on IIS work? ...Having issues with URL Rewrite rules/settings and Splunk web.conf settings.

0 Karma

magnuspenilsson
Explorer

How did you configure IIS and ARR/URL Rewrite?

0 Karma

BunnyHop
Contributor

This never worked on the Free version, I tricked IIS by using ARR and restricting users by IP.

0 Karma

gkanapathy
Splunk Employee

Okay, well even with ARR, you would still need to set trustedIP (to the ARR). I have to get onto a W2k8 box to get more detailed instructions and will update accordingly.

0 Karma

BunnyHop
Contributor

BTW, my inability to make the ARR on IIS work doesn't mean the answer provided is not correct, so I will hand it to you gkanapathy, for the patience :).

0 Karma

BunnyHop
Contributor

I'm giving up. I'm going to use the trustedIP on the web.conf to perform restriction.

0 Karma

BunnyHop
Contributor

Should I configure both web.conf and server.conf for trustedIP or just the server.conf?

0 Karma

gkanapathy
Splunk Employee

In free, you don't need to configure any remote user at all. It will always be the single admin user. You can do the same thing, but basically just ignore all the configuration on the Splunk side. However, you probably will want to use iptables, some other firewall, or the Splunk SSO trustedIP setting to ensure that only the IIS server can make requests to SplunkWeb. You should also use the SSOMode = strict settings in this case.

0 Karma

BunnyHop
Contributor

Understood, gkanapathy, for right now, I simply just need to control access, possibly to testers only, until the Ent comes in the door. However, it might take quite a while until I get my hands on the Ent so for now this will do. So SSO can still be configured with Free? I would assume the remote_user would have to be the "Admin" user?

0 Karma

gkanapathy
Splunk Employee

If you set up an SSO proxy to protect Splunk Free, that essentially becomes your authentication into Splunk. However, this simply controls access, and does not provide distinct users or roles within the app. For that, you'd need the Splunk Enterprise version.

0 Karma

jrodman
Splunk Employee

Answers just deleted my answer, woohoo.

Free has no auth. In free, all connections are assigned to be a single unnamed user who has admin-level privileges. Thus, SSO is not a meaningful term for Splunk free.

However, in the quest to support SSO in 4.1, Splunk was modified to work better behind a proxy. I would expect the settings such as root_endpoint and tools.proxy.on should be sufficient to get Splunk free to function in some fashion behind a proxy in free.

0 Karma

BunnyHop
Contributor

Does this work on the "free" version?

0 Karma