Security

How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

How do you configure IIS' ARR to proxy for the Splunk web instance? There is currently a wiki regarding Apache and Splunk, but I'm not able to recreate the same settings on ARR.

1 Solution

Splunk Employee
Splunk Employee

I don't know what wiki you're looking at, but it's probably not applicable to Splunk 4.1. Nevertheless, setting up IIS ARR should be pretty straightforward. Set up a server "farm" in IIS pointing to SplunkWeb and proxy to that farm. Set up an application/site in IIS that goes to that farm. Set up that application/site to require Windows Integrated Auth instead of anonymous access.

That should be it for setting up the proxy. You then need to configure Splunk to accept SSO: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

View solution in original post

BunnyHop: Can you please tell me how you made ARR on IIS work? ...Having issues with URL Rewrite rules/settings and Splunk web.conf settings.

0 Karma

How did you configure IIS and ARR/URL Rewrite?

0 Karma

Contributor

This never worked on the Free version, I tricked IIS by using ARR and restricting users by IP.

0 Karma

Splunk Employee
Splunk Employee

I don't know what wiki you're looking at, but it's probably not applicable to Splunk 4.1. Nevertheless, setting up IIS ARR should be pretty straightforward. Set up a server "farm" in IIS pointing to SplunkWeb and proxy to that farm. Set up an application/site in IIS that goes to that farm. Set up that application/site to require Windows Integrated Auth instead of anonymous access.

That should be it for setting up the proxy. You then need to configure Splunk to accept SSO: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

View solution in original post

Splunk Employee
Splunk Employee

Okay, well even with ARR, you would still need to set trustedIP (to the ARR). I have to get onto a W2k8 box to get more detailed instructions and will update accordingly.

0 Karma

Contributor

BTW, my inability to make the ARR on IIS work doesn't mean the answer provided is not correct, so I will hand it to you gkanapathy, for the patience :).

0 Karma

Contributor

I'm giving up. I'm going to use the trustedIP on the web.conf to perform restriction.

0 Karma

Contributor

Should I configure both web.conf and server.conf for trustedIP or just the server.conf?

0 Karma

Splunk Employee
Splunk Employee

In free, you don't need to configure any remote user at all. It will always be the single admin user. You can do the same thing, but basically just ignore all the configuration on the Splunk side. However, you probably will want to use iptables, some other firewall, or the Splunk SSO trustedIP setting to ensure that only the IIS server can make requests to SplunkWeb. You should also use the SSOMode = strict settings in this case.

0 Karma

Contributor

Understood, gkanapathy, for right now, I simply just need to control access, possibly to testers only, until the Ent comes in the door. However, it might take quite a while until I get my hands on the Ent so for now this will do. So SSO can still be configured with Free? I would assume the remote_user would have to be the "Admin" user?

0 Karma

Splunk Employee
Splunk Employee

If you set up an SSO proxy to protect Splunk Free, that essentially becomes your authentication into Splunk. However, this simply controls access, and does not provide distinct users or roles within the app. For that, you'd need the Splunk Enterprise version.

0 Karma

Splunk Employee
Splunk Employee

Answers just deleted my answer, woohoo.

Free has no auth. In free, all connections are assigned to be a
single unnamed user who has admin-level priveledges. Thus, SSO is not
a meaningful term for splunk free.

However, in the quest to support SSO in 4.1, Splunk was modified to
work better behind a proxy. I would expect the settings such as
root_endpoint and tools.proxy.on should be sufficient to get splunk
free to function in some fashion behind a proxy in free.

0 Karma

Contributor

does this work on the "free" version?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!