Guidelines for creating WebSEAL junctions

Edit online

The following guidelines summarize the "rules" for junctions:
  • You can add a junction anywhere in the primary WebSEAL object space.
  • You can junction multiple replica back-end servers at the same mount point.

    Multiple replica back-end servers mounted to the same junction point must be of the same type.

  • ACL policies are inherited across junctions to back-end Web servers.
  • The junction name should not match any directory name in the Web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory. For example, if pages from the back-end server contain programs with a URL of form /path/..., do not create a junction name using /path.
  • Creating multiple WebSEAL junctions that point to the same back-end application server/port is not a secure junction configuration. Each junction can be control by unique ACLs. One junction secured with more permissive ACLs can compromise another junction secured with less permissive ACLs. This type of configuration can cause unintended control of access to resources and is therefore not a supported configuration strategy for Security Verify Access.
  • WebSEAL supports HTTP/1.1 and HTTP/2 across junctions.