PingAccess

Agent field descriptions

The following table describes the fields available for managing applications in the Agents page.

Standard fields
Field Required Description

Name

Yes

Enter a unique alphanumeric name for the agent, up to 64 characters.

Description

No

Enter a unique description to identify the agent’s purpose.

PingAccess Host

Yes

In the PingAccess Host fields, enter the Hostname and Port of the PingAccess server where the agent should send requests.

The PingAccess Hostname and Port might not be the actual host and port that the policy server is listening on, depending on the network routing configuration and network elements, such as reverse proxies and load balancers.

The PingAccess Host and Port are where the agent sends its requests. For example, if you have a cluster of engines behind a load balancer, the PingAccess Host and Port values might point to the load balancer rather than directly to an engine host. This configuration provides fault tolerance for the agent connectivity.

Failover Host

No

In the Failover Host fields, enter the Hostname and Port of the PingAccess server where the agent should send requests in the event of a failover from the PingAccess Host.

Additional failover hosts can be added using the application programming interface (API).

Agent Trusted Certificate

Yes

Select a certificate to export in the <agent-name>_agent.properties file. The agent uses this certificate to communicate with the PingAccess engine using Secure Sockets Layer (SSL)/TLS.

PingAccess determines the certificates that are available to select in this list based on the certificates that have been imported into PingAccess. If the certificate you want to use isn’t available, you must import it into the system. Learn more in Importing certificates.

You must specify the certificate authority (CA) root certificate if the agent listener presents a CA-signed certificate chain.

The default value is C=US, O=Ping Identity, CN=localhost (Generated: AGENT).

To configure advanced settings, click Show Advanced.

Advanced fields
Field Required Description

Override Request IP Source Configuration

No

When enabled, the configuration you provide in the following fields overrides the default IP source settings (defined in Settings > HTTP Requests > IP Source) for this agent instance.

To configure the agent to use different Internet Protocol (IP) source information:

  1. In the Override Request IP Source Configuration section, select Yes.

  2. In the Header Names section, click + Add Header Name and enter a header name which identifies the source IP address.

    To enter multiple header names, click + Add Header Name for each header.

  3. If you include more than one value in the Header Names section, in the List Value Location section, select whether the first or last value in the list is the source address.

    The default value is Last.

  4. Select the Fall Back to Last Hop IP checkbox to use the last hop IP address as the source address if none of the configured header names are found.

    If you don’t select this option and none of the listed header names are found, access is denied and a Forbidden result is returned.

Override Unknown Resource Configuration

No

When enabled, the configuration you provide in the following fields overrides the default unknown resource settings (defined in Settings > Access > Unknown Resources) for this agent instance.

To configure the agent to handle unknown resource requests differently:

  1. In the Override Unknown Resource Configuration section, select Yes.

  2. In the Mode field, select one of the following options to specify how requests for unknown resources should be handled:

    Deny

    Agent requests for unknown resources generate an error response.

    Passthrough

    Agent requests for unknown resources are allowed to pass through unfiltered.

Max Retries

Yes

Enter a number specifying how many times an agent should try contacting a PingAccess server before considering it unavailable.

The default value is 2.

Failed Retry Timeout

Yes

Enter a number, in seconds, specifying how long an agent should wait before trying to establish a connection to a failed PingAccess server again.

The default value is 60.
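
The source-address selection described under Override Request IP Source Configuration, modeled as an added example (not PingAccess code). It assumes header names are tried in the configured order and that List Value Location picks from a comma-separated list in the matched header. Rejecting a non-IP value is this example's own choice, and the function and class names are hypothetical.

```python
import ipaddress
from typing import Mapping, Sequence


class Forbidden(Exception):
    """Models the Forbidden result returned when no source address is found."""


def resolve_source_ip(headers: Mapping[str, str], last_hop_ip: str,
                      header_names: Sequence[str],
                      list_value_location: str = "Last",  # default per the page
                      fall_back_to_last_hop: bool = False) -> str:
    if list_value_location not in ("First", "Last"):
        raise ValueError("list_value_location must be 'First' or 'Last'")
    # HTTP header names are case-insensitive.
    received = {name.lower(): value for name, value in headers.items()}
    for name in header_names:  # assumption: tried in the configured order
        raw = received.get(name.lower())
        if raw is None:
            continue
        # Assumption: the header carries a comma-separated list of addresses.
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if not values:
            continue
        chosen = values[0] if list_value_location == "First" else values[-1]
        try:
            return str(ipaddress.ip_address(chosen))
        except ValueError:
            # This example's own choice: reject a value that is not an IP.
            raise Forbidden(f"{name} does not carry an IP address") from None
    if fall_back_to_last_hop:
        return last_hop_ip
    raise Forbidden("none of the configured header names were found")


def demo() -> dict:
    # Constructed request: two hops recorded in X-Forwarded-For, received
    # from a load balancer at 10.0.0.5 (documentation-range addresses).
    headers = {"X-Forwarded-For": "198.51.100.7, 203.0.113.10"}
    names = ["X-Forwarded-For"]
    return {
        "last": resolve_source_ip(headers, "10.0.0.5", names),
        "first": resolve_source_ip(headers, "10.0.0.5", names, "First"),
        "fallback": resolve_source_ip({}, "10.0.0.5", names,
                                      fall_back_to_last_hop=True),
    }


if __name__ == "__main__":
    print(demo())
```

For the constructed request, Last and First name different hosts, so the setting should match which entry your own proxies write into the header.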