Security
Highlighted

How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

How do you configure IIS' ARR to proxy for the Splunk web instance? There is currently a wiki regarding Apache and Splunk, but I'm not able to recreate the same settings on ARR.

Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Splunk Employee
Splunk Employee

I don't know what wiki you're looking at, but it's probably not applicable to Splunk 4.1. Nevertheless, setting up IIS ARR should be pretty straightforward. Set up a server "farm" in IIS pointing to SplunkWeb and proxy to that farm. Set up an application/site in IIS that goes to that farm. Set up that application/site to require Windows Integrated Auth instead of anonymous access.

That should be it for setting up the proxy. You then need to configure Splunk to accept SSO: http://docs.splunk.com/Documentation/Splunk/5.0/Security/ConfigureSplunkSSO

View solution in original post

Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

does this work on the "free" version?

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Splunk Employee
Splunk Employee

Answers just deleted my answer, woohoo.

Free has no auth. In free, all connections are assigned to be a
single unnamed user who has admin-level priveledges. Thus, SSO is not
a meaningful term for splunk free.

However, in the quest to support SSO in 4.1, Splunk was modified to
work better behind a proxy. I would expect the settings such as
root_endpoint and tools.proxy.on should be sufficient to get splunk
free to function in some fashion behind a proxy in free.

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Splunk Employee
Splunk Employee

If you set up an SSO proxy to protect Splunk Free, that essentially becomes your authentication into Splunk. However, this simply controls access, and does not provide distinct users or roles within the app. For that, you'd need the Splunk Enterprise version.

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

Understood, gkanapathy, for right now, I simply just need to control access, possibly to testers only, until the Ent comes in the door. However, it might take quite a while until I get my hands on the Ent so for now this will do. So SSO can still be configured with Free? I would assume the remote_user would have to be the "Admin" user?

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Splunk Employee
Splunk Employee

In free, you don't need to configure any remote user at all. It will always be the single admin user. You can do the same thing, but basically just ignore all the configuration on the Splunk side. However, you probably will want to use iptables, some other firewall, or the Splunk SSO trustedIP setting to ensure that only the IIS server can make requests to SplunkWeb. You should also use the SSOMode = strict settings in this case.

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

Should I configure both web.conf and server.conf for trustedIP or just the server.conf?

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

I'm giving up. I'm going to use the trustedIP on the web.conf to perform restriction.

0 Karma
Highlighted

Re: How can you configure ARR (Application Request Routing) with Splunk for proxy

Contributor

BTW, my inability to make the ARR on IIS work doesn't mean the answer provided is not correct, so I will hand it to you gkanapathy, for the patience :).

0 Karma