Novell Access Manager 3.1 SP4 User guide

www.novell.com/documentation

SSL VPN Server Guide

Access Manager 3.1 SP5

January 2013

Legal Notices

Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttothecontentsoruseofthisdocumentation,andspecifically

disclaimsanyexpressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,

reservestherighttorevisethispublicationandtomakechangestoitscontent,at

anytime,withoutobligationtonotifyany

personorentityofsuchrevisionsorchanges.

Further,Novell,Inc.,makesnorepresentationsorwarrantieswithrespecttoanysoftware,andspecificallydisclaimsany

expressorimpliedwarrantiesofmerchantabilityorfitnessforanyparticularpurpose.Further,Novell,Inc.,reservestheright

to

makechangestoanyandallpartsofNovellsoftware,atanytime,withoutanyobligationtonotifyanypersonorentityof

suchchanges.

AnyproductsortechnicalinformationprovidedunderthisAgreementmaybesubjecttoU.S.exportcontrolsandthetrade

lawsofothercountries.Youagreeto

complywithallexportcontrolregulationsandtoobtainanyrequiredlicensesor

classificationtoexport,re‐exportorimportdeliverables.Youagreenottoexportorre‐exporttoentitiesonthecurrentU.S.

exportexclusionlistsortoanyembargoedorterroristcountriesasspecifiedintheU.S.

exportlaws.Youagreetonotuse

deliverablesforprohibitednuclear,missile,orchemicalbiologicalweaponryenduses.SeetheNovellInternationalTrade

ServicesWebpage(http://www.novell.com/info/exports/)formoreinformationonexportingNovellsoftware.Novellassumes

noresponsibilityforyourfailuretoobtainanynecessaryexportapprovals.

Copyright©2006‐2011

Novell,Inc.Allrightsreserved.Nopartofthispublicationmaybereproduced,photocopied,storedon

aretrievalsystem,ortransmittedwithouttheexpresswrittenconsentofthepublisher.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

OnlineDocumentation:ToaccessthelatestonlinedocumentationforthisandotherNovellproducts,seetheNovell

DocumentationWebpage

(http://www.novell.com/documentation).

Novell Trademarks

ForNovelltrademarks,seetheNovellTrademarkandServiceMarklist(http://www.novell.com/company/legal/trademarks/

tmlist.html).

Third-Party Materials

Allthird‐partytrademarksarethepropertyoftheirrespectiveowners.

Contents 3

Contents

About This Guide 7

1 Overview of SSL VPN 9

1.1 SSL VPN Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

1.2 Traditional and ESP-Enabled SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

1.2.1 ESP-Enabled Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

1.2.2 Traditional Novell SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

1.3 SSL VPN Client Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

1.3.1 Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

1.3.2 Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

2 Basic Configuration for SSL VPN 19

2.1 Configuring Authentication for the ESP-Enabled Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . .19

2.2 Accelerating the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

2.2.1 Configuring the Default Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

2.2.2 Injecting the SSL VPN Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

2.3 Configuring the IP Address, Port, and Network Address Translation (NAT) . . . . . . . . . . . . . . . . . . .26

2.3.1 Configuring the SSL VPN Gateway behind NAT or L4 . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

2.3.2 Configuring the SSL VPN Gateway without NAT or an L4 Switch. . . . . . . . . . . . . . . . . . . . 28

2.4 Configuring Route and Source NAT for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

2.4.1 Configuring the OpenVPN Subnet in Routing Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

2.5 Configuring DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.5.1 Configuring DNS Servers for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

2.5.2 Configuring DNS Servers for Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

2.6 Configuring Certificate Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3 Configuring End-Point Security and Access Policies for SSL VPN 35

3.1 Configuring Policies to Check the Integrity of the Client Machine . . . . . . . . . . . . . . . . . . . . . . . . . . .36

3.1.1 Selecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.1.2 Configuring the Category. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

3.1.3 Configuring Applications for a Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

3.1.4 Configuring Attributes for an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

3.1.5 Exporting and Importing Client Integrity Check Policies . . . . . . . . . . . . . . . . . . . . . . . . . . .41

3.2 Configuring Client Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

3.2.1 Client Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

3.2.2 Configuring a Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

3.3 Configuring Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.3.1 Configuring Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

3.3.2 Ordering Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

3.3.3 Exporting and Importing Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

3.4 Configuring Full Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

3.4.1 Creating a Full Tunneling Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

4 Configuring How Users Connect to SSL VPN 51

4.1 Preinstalling the SSL VPN Client Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

4.1.1 Installing Client Components for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

4 Contents

4.1.2 Installing Client Components for Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

4.1.3 Installing Client Components for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.2 Configuring Client Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

4.2.1 Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode . . . . . . . . . . . . . . .52

4.2.2 Allowing Users to Select the SSL VPN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

4.2.3 Configuring Client Cleanup Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

4.2.4 Configuring SSL VPN to Download the Java Applet on Internet Explorer. . . . . . . . . . . . . . 55

4.2.5 Configuring a Custom Login Policy for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

4.3 Configuring SSL VPN to Connect through a Forward Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56

4.3.1 Understanding How SSL VPN Connects through a Forward Proxy . . . . . . . . . . . . . . . . . . 57

4.3.2 Creating the proxy.conf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57

4.4 Configuring SSL VPN for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58

4.4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

4.4.2 How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59

4.4.3 Configuring a Custom Login Policy for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

4.4.4 Configuring the Access Gateway to Protect the Citrix Server . . . . . . . . . . . . . . . . . . . . . . .60

4.4.5 Configuring Single Sign-On between Citrix and SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . .61

5 Clustering the High-Bandwidth SSL VPN Servers 63

5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

5.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64

5.3 Creating a Cluster of SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

5.3.1 Creating a Cluster of SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

5.3.2 Adding an SSL VPN Server to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

5.3.3 Removing an SSL VPN Server from a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

5.4 Clustering SSL VPN by Using an L4 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

5.4.1 Configuring a Cluster of ESP-Enabled SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

5.4.2 Configuring a Cluster of Traditional SSL VPNs by Using an L4 Switch . . . . . . . . . . . . . . .69

5.5 Clustering SSL VPNs by Using the Access Gateway without an L4 Switch . . . . . . . . . . . . . . . . . . .70

5.5.1 Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

5.5.2 Installing the Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

5.5.3 Testing the Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70

5.6 Configuring SSL VPN to Monitor the Health of the Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71

5.6.1 Services of the Real Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

5.6.2 Monitoring the SSL VPN Server Health. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73

6 Monitoring the SSL VPN Servers 75

6.1 Viewing and Editing SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

6.2 Enabling SSL VPN Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

6.3 Viewing SSL VPN Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

6.3.1 Viewing the SSL VPN Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

6.3.2 Viewing the SSL VPN Server Statistics for the Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

6.3.3 Viewing the Bytes Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

6.4 Disconnecting Active SSL VPN Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

6.5 Monitoring the Health of SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

6.5.1 Monitoring the Health of a Single Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

6.5.2 Monitoring the Health of an SSL VPN Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

6.6 Viewing the Command Status of the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

6.6.1 Viewing Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

6.7 Monitoring SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

6.7.1 Configuring SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

6.7.2 Viewing SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

6.7.3 Viewing SSL VPN Cluster Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Contents 5

7 Additional Configurations 89

7.1 Customizing the SSL VPN User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

7.1.1 Customizing the Home Page and Exit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

7.1.2 Customizing Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

7.2 Creating DH Certificates with Different Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

7.3 Creating a Configuration File to Add Additional Configuration Changes . . . . . . . . . . . . . . . . . . . . . .90

8 Server Configuration Settings 91

8.1 Managing SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8.2 Configuring SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

8.3 Modifying SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

A Troubleshooting SSL VPN Configuration 97

A.1 Successfully Connecting to the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

A.1.1 Connection Problems with Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

A.1.2 Connection Problems with Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

A.2 Adding Applications for Different Versions of Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

A.3 The SSL VPN Server Is in a Pending State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

A.4 Error: Failed to Fetch CIC Policy from the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

A.5 SSL VPN Connects in Kiosk Mode, But There Is No Data Transfer . . . . . . . . . . . . . . . . . . . . . . . . 101

A.6 The TFTP Application and GroupWise Notify Do Not Work in Enterprise Mode . . . . . . . . . . . . . . .101

A.7 SSL VPN Not Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

A.7.1 Verifying and Restarting JCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

A.7.2 Verifying and Restarting the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101

A.8 Verifying SSL VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

A.8.1 SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

A.8.2 SSL VPN Linux Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

A.8.3 SSL VPN Macintosh Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

A.8.4 SSL VPN Windows Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

A.9 Unable to Contact the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

A.10 Unable to Get Authentication Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

A.11 The SSL VPN Connection Is Successful But There Is No Data Transfer . . . . . . . . . . . . . . . . . . . .103

A.12 Unable to Connect to the SSL VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

A.13 Multiple Instances of SSL VPN Are Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

A.14 Issue with the Preinstalled Enterprise Mode Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

A.15 Socket Exception Error After Upgrading SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

A.16 SSL VPN Server Is Unable to Handle the Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

A.17 Embedded Service Provider Status Is Red . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

A.18 Connection Manager Log Does Not Display the Client IP Address. . . . . . . . . . . . . . . . . . . . . . . . .105

A.19 SSL VPN Full Tunnel Connection Disconnects on VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

A.20 Clustering Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

A.20.1 Bringing Up the Server If a Cluster Member Is Down . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

A.20.2 Bringing Up a Binary If It Is Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

A.20.3 Debugging a Cluster If Session Sharing Doesn’t Properly Happen. . . . . . . . . . . . . . . . . .106

A.21 On Windows XP and 7, ActiveX Loading takes more than three minutes to connect to the

SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

A.22 If There Is An Install Log Error Then SSL VPN Client In Kiosk Mode Fails To Start . . . . . . . . . . . .106

6 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

About This Guide 7

About This Guide

TheNovellAccessManagerSSLVPNusesencryptionandothersecuritymechanismstoensurethat

datacannotbeinterceptedandonlyauthorizedusershaveaccesstothenetwork.Userscanaccess

SSLVPNservicesfromanyWebbrowser.

 Chapter 1,“OverviewofSSLVPN,”onpage 9

 Chapter 2,“BasicConfigurationforSSL

VPN,”onpage 19

 Chapter 3,“ConfiguringEnd‐PointSecurityandAccessPoliciesforSSLVPN,”onpage 35

 Chapter 4,“ConfiguringHowUsersConnecttoSSLVPN,”onpage 51

 Chapter 5,“ClusteringtheHigh‐BandwidthSSLVPNServers,”onpage 63

 Chapter 6,“MonitoringtheSSLVPNServers,”onpage 75

 Chapter 8,“ServerConfigurationSettings,”onpage 91

 Chapter 7,

“A dditionalConfigurations,”onpage 89

 Appendix A,“TroubleshootingSSLVPNConfiguration,”onpage 97

Audience

ThisguideisintendedforAccessManageradministrators.Itisassumedthatyouhaveknowledgeof

evolvingInternetprotocols,suchas:

 ExtensibleMarkupLanguage(XML)

 SimpleObjectAccessProtocol(SOAP)

 SecurityAssertionMarkupLanguage(SAML)

 PublicKeyInfrastructure(PKI)digitalsignatureconceptsandInternetsecurity

 SecureSocketLayer/TransportLayerSecurity(SSL/TLS)

 HypertextTransferProtocol(HTTPandHTTPS)

 UniformResourceIdentifiers(URIs)

 DomainNameSystem(DNS)

 WebServicesDescriptionLanguage(WSDL)

Feedback

Wewanttohearyourcommentsandsuggestionsaboutthisguideandtheotherdocumentation

includedwiththisproduct.PleaseusetheUserCommentsfeatureatthebottomofeachpageofthe

onlinedocumentation,orgotoDocumentationFeedback(http://www.novell.com/documentation/

feedback.html)atwww.novell.com/documentation/feedback.htmlandenteryourcommentsthere.

Documentation Updates

ForthemostrecentversionoftheNovellAccessManagerSSLVPNServerGuide,visittheNovellAccess

ManagerDocumentationWebsite(http://www.novell.com/documentation/novellaccessmanager).

8 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

Additional Documentation

ForinformationabouttheotherAccessManagerdevicesandfeatures,seethefollowing:

 NetIQAccessManager3.1SP5SSLVPNUserGuide

 NetIQAccessManager3.1SP5InstallationGuide

 NetIQAccessManager3.1SP5SetupGuide

 NetIQAccessManager3.1SP5AdministrationConsoleGuide

 NetIQAccessManager3.1SP5IdentityServer

Guide

 NovellAccessManager3.1SP5AccessGatewayGuide

Documentation Conventions

InNovelldocumentation,agreater‐thansymbol(>)isusedtoseparateactionswithinastepand

itemsinacross‐referencepath.

1

Overview of SSL VPN 9

1

Overview of SSL VPN

TheNovellAccessManagerSSLVPNusesSecureSocketsLayer(SSL)astheunderlyingsecurity

protocolfornetworktransmissions.Itusesencryptionand othersecuritymechanismstoensurethat

datacannotbeinterceptedandonlyauthorizedusershaveaccesstothenetwork.Userscanaccess

SSLVPNservicesfromanyWeb

browser.

 Section 1.1,“SSLVPNFeatures,”onpage 9

 Section 1.2,“TraditionalandESP‐EnabledSSLVPNs,”onpage 12

 Section 1.3,“SSLVPNClientModes,”onpage 14

1.1 SSL VPN Features

NovellSSLVPNcomeswithanumberofkeyfeaturesthatmaketheproductsecure,easytoaccess,

andreliable.

Browser-Based End User Access

NovellSSLVPNhasbrowser‐basedenduseraccessthatdoesnotrequireuserstopreinstallany

componentsontheirmachines.UserscanaccesstheSSLVPNservicesfromanyWebbrowser,from

theirpersonalcomputer,laptop,orfromanInternetkiosk.

WhenusersaccessSSLVPNthroughtheWebbrowser,

theyarepromptedtoauthenticate.On

successfulauthentication,aJavaappletoranActiveXcontrolisdeliveredtotheclient,dependingon

thebrowser.Thisestablishesasecuretunnelbetweentheuser’smachineandthe SSLVPNserver.

Support on Linux, Macintosh, and Windows

TheSSLVPNclientissupportedonLinux,Macintosh,andWindowsenvironments.Foracomplete

listofoperatingsoftwareandbrowsersthataresupportedbySSLVPN,see“ClientMachine

Requirements”intheNetIQAccessManager3.1SP5SSLVPNUserGuide.

Support on 64-Bit Clients

EnterprisemodeSSLVPNcanbeinstalledon64‐bitclientconfigurations.

High-Bandwidth and Low-Bandwidth Versions

NovellSSLVPNcomesinhigh‐bandwidthandlow‐bandwidthversions.Thedefaultlow‐bandwidth

SSLVPNserverisrestrictedto249simultaneoususerconnectionsandatransferrateof90Mbitsper

secondbecauseofexportrestrictions.

10 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

Iftheexportlawpermits,youcaninstallthehigh‐bandwidthSSLVPNRPMtogetthehigh‐

bandwidthcapabilities,becausethatversiondoesnothaveconnectionandperformancerestrictions.

Youcanorderthehigh‐bandwidthSSLVPNkeyatnoextracost.Itisessentialtohavethehigh‐

bandwidth

SSLVPNifyouwanttoclustertheSSLVPNservers.

Formoreinformationonhowtoorderandinstallthehigh‐bandwidthSSLVPN,andtoupgrade the

high‐bandwidthversiontothelatestbuild,see“InstallingtheKeyfortheHigh‐BandwidthSSLVPN”

intheNetIQAccessManager

3.1SP5InstallationGuide.

Traditional and ESP-Enabled Installation

YoucaninstallSSLVPNintwoways:

 AsanESP‐enabledSSLVPN,whichisinstalledwiththeIdentityServerandtheAdministration

Console.

 AsaTraditionalSSLVPN,whichisinstalledwiththeIdentityServer,AdministrationConsole,

andtheAccessGateway.

Formoreinformationonthesemethods,seeSection 1.2,

“TraditionalandESP‐EnabledSSLVPNs,”

onpage 12.

Enterprise and Kiosk Modes for End User Access

TheNovellSSLVPNusesbothclientlessandthin‐clientaccessmethods.Theclientlessmethodis

calledtheKioskmodeSSLVPNandthethin‐clientmethodiscalledtheEnterprisemodeSSLVPN.

InEnterprisemode,allapplications,includingthoseonthedesktopandthetoolbar,areenabledfor

SSL,

regardlessofwhethertheywereopenedbeforeorafterconnectingtoSSLVPN.Inthismode,a

thinclientisinstalledontheuser’sworkstation,andtheIPForwardingfeatureisenabledbydefault.

FormoreinformationonEnterprisemode,seeSection 1.3.1,“Enterp riseMode,”onpage 15.

InKioskmode,onlya

limitedsetofapplicationsareenabledforSSLVPN.InKioskmode,

applicationsthatwereopenedbeforetheSSLVPNconnectionwasestablishedarenotenabledfor

SSL.FormoreinformationonKioskmode,seeSection 1.3.2,“KioskMode,”onpage 17.

AsSSLVPNserveradministrators,youcandecidewhichusers

canconnectinEnterprisemodeand

whichuserscanconnectinKioskmode,dependingontheroleoftheuser.Oryoucanlettheclient

selectthemodeinwhichtheSSLVPNconnectionismade.Formoreinformationonhowtodothis,

seeChapter 4 ,“ConfiguringHowUsersConnect

toSSLVPN,”onpage 51.Enterprisemodeis

availabletoauserwhohastheadministratorrightinaWindowsworkstationora

root

userprivilege

onLinuxorMacintoshworkstations.Iftheuserdoesnothaveadministratorrightsor

root

user

privilegesforthatworkstation,theSSLVPNconnectionismadeinKioskmode.

Customized Home and Exit Pages for End Users

ThehomepageandtheexitpageofSSLVPNcanbecustomizedtosuittheneedsofdifferent

customers.Formoreinformation,seeSection 7.1,“CustomizingtheSSLVPNUserInterface,”on

page 89.

Clustering SSL VPN Servers

TheSSLVPNserverscanbeclusteredtoprovideloadbalancingandfaulttolerance,Whenyouform

aclusterofSSLVPNservers,allmembersofaclustershouldbelongtoonlyonetypeofSSLVPNand

theyshouldallberunningthehigh‐bandwidthSSLVPN.Forexample,all

themembersofacluster

Overview of SSL VPN 11

shouldbelongtoeithertheESP‐enabledSSLVPNortheTraditionalSSLVPN.Formoreinformation

onSSLVPNclustering,seeChapter 5,“ClusteringtheHigh‐BandwidthSSLVPNServers,”on

page 63.

End-Point Security Checks

TheNovellSSLVPNhasasetofpoliciesthatcanbeconfiguredtoprotectyournetworkand

applicationsfromclientsthatareusinginsufficientsecurityrestraintsandalsotorestrictthetraffic

basedontheroleoftheclient.

Youcanconfigureaclientintegritycheckpolicytoruna

checkontheclientworkstationsbefore

establishingatunneltoSSLVPNserver.Thischeckensuresthattheusershavespecifiedsoftware

installedandrunningintheirsystems.Eachclientisassociatedwithasecuritylevel,depending on

theassessmentoftheclientintegritycheckandtherelevanttrafficpolicies

thatareassigned.For

moreinformationonconfiguringend‐pointsecurity,seeChapter 3,“ConfiguringEnd‐PointSecurity

andAccessPoliciesforSSLVPN,”onpage 35.

Ability to Order Rules

Ifyouhaveconfiguredmorethanoneruleforauser’srole,therulethatisplacedfirstisappliedfirst.

NovellSSLVPNallowsyoutochangetheorderofrulesbydragginganddroppingthem,basedon

theirpriority.FormoreinformationonruleorderinginSSLVPN,see

“OrderingTrafficPolicies”on

page 47.

Ability to Import and Export Policies

NovellSSLVPNallowsyoutoexporttheexistingconfigurationintoanXMLfilethroughthe

AdministrationConsole.Youcanreimportthisconfigurationlater.Thisisaveryusefulfeaturewhen

youupgradeyourserversfromoneversiontoanother.Formoreinformation,see“Exportingand

ImportingTrafficPolicies”onpage 47

Desktop Cleanup Feature

WhenauseraccessestheprotectedresourcefromoutsidebyusingSSLVPN,italsomeansthatthe

sitesthattheuservisitedarestoredinthebrowserhistory,orsomesensitiveinformationisstoredin

thecacheorcookies.Thisisapotentialsecuritythreatifitisnotproperly

dealtwith.TheNovellSSL

VPNclientcomeswiththedesktopcleanupfeature,sotheuserhastheoptiontodeleteallthe

browserhistory,cache,cookies,andfilesfromthesystem,beforeloggingoutoftheSSLVPN

connection.

IftheuserusesFirefoxtoconnecttoSSLVPN,

thebrowsingdatathatwasstoredaftertheSSLVPN

connectionwasmadeisdeleted.InInternetExplorer,allthebrowserdataisdeleted,includingthe

datathatwasstoredbeforetheSSLVPNsessionwasestablished.

Sandbox Feature

WhenyouconnecttoSSLVPNineitherKioskmodeorEnterprisemode,afoldernamedVPN‐

SANDBOXiscreatedonyourdesktopsYoucanmanuallycopyfilestothisfolder,includingfilesthat

youcreateorfilesthatyoudownloadfromyourcorporatenetwork.Thisfolderisautomatically

deletedalong

withitscontentswhenyoulogsoutoftheSSLVPNconnection.Thisisaveryuseful

featureifyouarebrowsingfromanInternetconnectionandyoudonotwantanysensitive

informationtoreachotherpersons.Formoreinformationonthesa ndboxfeatureofSSLVPN,see

“Using

theSandboxFeature”intheNetIQAccessManager3.1SP5SSLVPNUserGuide.

12 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

Custom Login Policy

Whencustomloginpolicyisconfigured,SSLVPNredirectsthecustomloginrequeststodifferent

URLsbasedonthepolicy.Thisisaveryusefulfeatureifuserswanttoaccessapplicationssuchas

thoseontheCitrixapplicationservers.Formoreinformationonhowtoconfigureacustomlog in

policy,

seeSection 4.2.5,“ConfiguringaCustomLoginPolicyforSSLVPN,”onpage 56 .

1.2 Traditional and ESP-Enabled SSL VPNs

TheNovellSSLVPNcanbedeployedaseitheranESP‐enabledSSLVPNoraTraditionalSSLVPN.

WhenSSLVPNisdeployedwithouttheAccess Gateway,anEmbeddedServiceProvider(ESP)

componentisinstalledalongwiththeSSLVPNserver.ThisdeploymentrequirestheIdentityServer

andtheAdministration

servertoalsobeinstalled.ThistypeofdeploymentiscalledanESP‐enabled

NovellSSLVPN.

WhenSSLVPNisdeployedwiththeAccessGateway,itiscalledaTraditionalNovellSSLVPN.In

thistypeofinstallation,SSLVPNisdeployedwiththeIdentityServer,AdministrationConsole,and

the

LinuxAccessGatewaycomponentsofNovellAccessManager.

 Section 1.2.1,“ESP‐EnabledNovellSSLVPN,”onpage 12

 Section 1.2.2,“TraditionalNovellSSLVPN,”onpage 13

 Section 1.2.3,“High‐BandwidthandLow‐BandwidthSSLVPNs,”onpage 14

1.2.1 ESP-Enabled Novell SSL VPN

InanESP‐enabledNovellSSLVPN,theprocessinvolvedinestablishingasecureconnectionbetween

aclientmachineandthedifferentcomponentsofNovellAccessManagerisasfollows:

1. TheuserspecifiesthefollowingURLtoaccesstheSSLVPNserver:

https://<www.sslvpn.novell.com>/sslvpn/login

<www.sslvpn.novell.com>istheDNSnameoftheSSLVPNserver,and/sslvpn/loginisthepathof

theSSLVPNserver.

2. TheSSLVPNredirectsthebrowsertotheIdentityServerforauthentication.

3. Aftersuccessfulauthentication,theIdentityServerredirectsthebrowserbacktoSSLVPN.

4. TheIdentityServerprop agatesthesession

informationtotheSSLVPNserverthroughthe

EmbeddedServiceProvider.

5. TheSSLVPNserverinjectstheSSLVPNpolicyforthatuserintotheSSLVPNservlet.TheSSL

VPNservletprocessestheparametersandsendsthepolicyinformationbacktotheserver.

6. TheSSLVPNchecksiftheclient

machinehassufficientsecurityrestraints.Formoreinformation

onclientintegritychecks,seeSection 3.1, “ConfiguringPoliciestoChecktheIntegrityofthe

ClientMachine,”onpage 36.

7. Whentheuseraccessestheapplicationsbehindtheprotectednetwork,theconnectiongoes

throughthesecuretunnelformedwiththeSSLVPNserver.

8. Thebrowser

staysopenthroughouttheSSLVPNconnectiontoallowthekeepalivepackets.

9. Whentheuserclicksthelogoutbu tton toclosetheSSLVPNsession,alltheclientcomponents

areautomaticallyuninstalledfromtheworkstation.

Overview of SSL VPN 13

1.2.2 Traditional Novell SSL VPN

ThefollowingfigureshowstheNovellAccessManagercomponentsandtheprocessinvolvedin

establishingasecureconnectionbetweenaclientmachineandtraditionalNovellSSLVPNserver.In

thistypeofdeployment,theLinuxAccessGatewayacceleratesandprotectstheSSLVPNserver.

Figure 1-1 TraditionalNovellSSLVPN

1. TheuserspecifiesthefollowingURLtoaccesstheSSLVPNserver:

https://<www.ag.novell.com>:8443/sslvpn/login

<www.ag.novell.com>istheDNSnameoftheAccessGatewaythatacceleratestheSSLVPN

server,and/sslvpn/loginisthepathoftheSSLVPNserver.

2. TheAccessGatewayredirectstheusertotheIdentityServerforauthentication,becausetheURL

isconfiguredasaprotectedresource.

3. TheIdentityServerauthenticatesthe

user’sidentity.

4. TheIdentityServerprop agatesthesessioninformationtotheAccessGatewaythroughthe

EmbeddedServiceProvider.

5. TheAccessGatewayinjectstheSSLVPNpolicyforthatuserintotheSSLVPNservlet.TheSSL

VPNservletprocessestheparametersandsendsthepolicyinformationbacktotheAccess

Gateway.

6. The

SSLVPNchecksiftheclientmachinehassufficientsecurityrestraints.Formoreinformation

onclientintegritychecks,seeChapter 3.1, “ConfiguringPoliciestoChecktheIntegrityofthe

ClientMachine,”onpage 36.

7. Oneofthefollowingactionstakesplace,dependingonthemodeoftheSSLVPNconnection:

 InEnterprise

mode,atunnelinterfaceiscreatedandisboundwiththetunnelIPaddress

assignedbytheSSLVPNserver.Asecuretunnelisestablishedbetweentheclientmachine

andtheSSLVPNserver,andtheroutingtableisupdatedwiththeprotectednetwork

configuration.

 InKioskmode,asecure

tunnelisestablishedbetweentheclientmachineandtheSSLVPN

server,andtheprotectednetworkconfigurationispushedtothe client.

6

5

4

7

Application

SSL VPN

Browser

Identity

Server

Access

Gateway

2

1

3

7

External IP: 192.23.45.4

Internal IP: 10.0.0.4

DNS: www.ag.novell.com

www.ag.novell.com/sslvpn

14 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

8. Whentheuseraccessestheapplicationsbehindtheprotectednetwork,theconnectiongoes

throughthesecuretunnelformedwiththeSSLVPNserverandnotthroughtheAccess

Gateway.

9. ThebrowserstaysopenthroughouttheSSLVPNconnectiontoallowthekeepalivepacketsto

gothroughtheAccessGateway.

10. When

theuserclicksthelogoutbuttontoclosetheSSLVPNsession,alltheclientcomponents

areautomaticallyuninstalledfromtheworkstation.

1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs

NovellSSLVPNcomesinhigh‐bandwidthandlow‐bandwidthversions.

Low‐BandwidthVersion:ThedefaultSSLVPNserverisalow‐bandwidthversion.Itisrestrictedto

249simultaneoususerconnectionsandatransferrateof90Mbitspersecondbecauseofexport

restrictions.

High‐BandwidthVersion:Thehigh‐bandwidth

versiondoesnothavetheconnectionand

performancerestrictions.Itisessentialtohavethehigh‐bandwidthSSLVPNinstalledifyouwantto

clustertheSSLVPNservers.

Iftheexportlawpermits,youcanorderthehigh‐bandwidthSSLVPNRPMandgetthehigh‐

bandwidthcapabilitiesatno

extracost.Aftertheexportcontrolshavebeensatisfied,theorderwillbe

fulfilled.Youcaninstallthehigh‐bandwidthSSLVPNRPMonboththeTraditionalNovellSSLVPN

serverandontheESP‐enabledNovellSSLVPNserver.

YourregularNovellsaleschannelcandetermineiftheexport

lawallowsyoutoorderthehigh‐

bandwidthversionatnoextracost.

Formoreinformationonhowtoorderandinstallthehigh‐bandwidthSSLVPN,andtoupgrade the

high‐bandwidthversiontothelatestbuild,see“InstallingtheKeyfortheHigh‐BandwidthSSLVPN”

intheNetIQ

AccessManager3.1SP5InstallationGuide.

1.3 SSL VPN Client Modes

NovellSSLVPNhastwoclientmodes,EnterprisemodeandKioskmode.InEnterprisemode,which

isavailableforuserswhohaveadministrativeprivileges,allapplicationsareenabledforSSLVPN.In

Kioskmode,onlyalimitedsetofapplicationsareenabledforSSLVPN.

Enterprisemodeisavailabletousers

whohavetheadministratorrightinaWindowsworkstationor

a

root

userprivilegeonLinuxorMacintoshworkstations.Ifauserdoesnothaveadministrator

rightsor

root

userprivilegesforthatworkstation,theSSLVPNconnectionismadeinKioskmode.

FormoreinformationontheclientplatformsandsetupstestedbyNovell,seetheAccessManager3.1

SupportPack1SSLVPNintegrationtestingreport(http ://www.novell.com/support/

viewContent.do?externalId=7004342&sliceId=1 ).

 Section 1.3.1,“EnterpriseMode,”onpage 15

 Section 1.3.2,“KioskMode,”onpage 17

Overview of SSL VPN 15

1.3.1 Enterprise Mode

InEnterprisemode,allapplications,includingthoseonthedesktopandthetoolbar,areenabledfor

SSL,regardlessofwhethertheywereopenedbeforeorafterconnectingtoSSLVPN.Inthisapproach,

athinclientisinstalledontheuser’sworkstation.InEnterprisemode,theIPForwardingfeatureis

enabled

bydefault.

Enterprisemodeisrecommendedfordevicesthataremanagedbyanorganization,suchasalaptop

providedbytheorganizationforitsemployees.Enterprisemodesupportsthefollowing:

 ProtocolssuchasTCP,UDP,ICMP,andNetBIOS.

 ApplicationsthatopenTCPconnectionsonbothsides,suchasVoIPand FTP.

 EnterpriseapplicationssuchasCRMandSAP*.

 ApplicationssuchasWindowsFileSharingsystems,theNovellClient™,andNovell

SecureLogin.

YoucanconfigureausertoconnectonlyinEnterprisemode,dependingontheroleoftheuser.For

moreinformation,seeSection 4.2.1,“ConfiguringUserstoConnectOnlyinEnterpriseMode

or

KioskMode,”onpage 52.

NOTE:IfyouhaveconfiguredausertoconnectinEnterprisemodeonlyandthatuserdoesnotmeet

theprerequisites,theSSLVPNconnectionfailswithanappropriateerrormessageifitisusingthe

applet‐basedWebbrowser,orablankscreenifanActiveX‐basedWebbrowserisused.

 “Prerequisites”onpage 15

 “UserScenarios”onpage 15

Prerequisites

AusercanaccessSSLVPNinEnterprisemodeifanyoneofthefollowingprererequisitesisinplace:

 Theuserisanadministratorora

root

userofthemachine,oraSuperuseroranAdministrator

userinWindowsVistauser.

 Theuserisanon‐adminoranon‐

root

userwhoknowsthecredentialsoftheadministratoror

root

user,orastandarduserinWindowsVista.

 TheSSLVPNclientcomponentsarepreinstalledontheuser’smachine.

User Scenarios

Dependingonwhichprerequisitesareinplace,usershavedifferentloginscenarios.

 “Scenario1:TheUserIstheAdminorRootUseroftheMachine”onpage 15

 “Scenario2:TheUserIstheNon‐AdminorNon‐RootUserofMachineandKnowstheAdminor

RootCredentials”onpage 16

 “Scenario

3:TheUserIsaNon‐AdminorNon‐RootUser,buttheClientComponentsAre

PreinstalledontheMachine”onpage 17

Scenario 1: The User Is the Admin or Root User of the Machine

Whentheuserisanadministratorora

root

userofthemachine,thetoolidentifiestheuserasthe

adminor

root

userandEnterprisemodeisenabledbydefaultaftertheuserspecifiescredentialsin

theAccessManagerpage.Anadminora

root

usercanconnecttoSSLVPNonlyinEnterprisemode

16 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

unlessthesystemadministratorconfigurestheusertoconnectinKioskmodeonly.Formore

informationonhowtoconfigureusersforKioskmodeonly,seeSection 4.2.1,“ConfiguringUsersto

ConnectOnlyinEnterpriseModeorKioskMode,”onpage 52.

Scenario 2: The User Is the Non-Admin or Non-Root User of Machine and Knows the Admin or

Root Credentials

Anon‐adminoranon‐

root

usercanaccessSSLVPNinEnterprisemodeiftheuserknowsthe

administratoror

root

usercredentials.Whenanon‐adminoranon‐

root

userconnectstoSSLVPN,

theuserispromptedtospecifythecredentialsontheAccessManagerpage.Thetoolidentifiesthat

thecredentialssuppliedarethoseofthenon‐adminoranon‐

root

useranddisplaysthefollowing

dialogbox.

Figure 1-2 SSLVPNDialogbox

Theusermustspecifytheusernameandpasswordoftheadministratororthe

root

userofthe

machineinthedialogbox,thenclickOKtoenableEnterprisemode.

Enterprisemodeisenabledbydefaultinthesubsequentsessionsandtheuserisnotpromptedagain

fortheadministratoror

root

usernameandpassword.

Non‐adminornon‐

root

userswhohaveconnectedtoSSLVPNinEnterprisemodecanconnectto

SSLVPNinKioskmodeonthesamemachine.Formoreinformation,see“SwitchingfromEnte rprise

ModetoKioskMode”intheNetIQAccessManager3.1SP5SSLVPNUserGuide.

NOTE:Userscannotswitchfromonemodetoanotherifyouhaveconfiguredthemtoconnectinone

modeonly.

Overview of SSL VPN 17

Scenario 3: The User Is a Non-Admin or Non-Root User, but the Client Components Are

Preinstalled on the Machine

Ifanon‐adminoranon‐

root

userwantstoinstallSSLVPNinEnterprisemode,youcanpreinstall

theSSLVPNclientcomponentsontheuser’smachine.Formoreinformati on,seeSection 4.1,

“PreinstallingtheSSLVPNClientComponents,”onpage 51.Whennon‐adminornon‐

root

users

accesstheclientcomponentsfromaworkstationtha thastheSSLVPNclientcomponents

preinstalled,theusersarenotpromptedtoenterthecredentialsoftheadminuseror

root

user.

TheusersareconnectedtoSSLVPNinEnterprisemodeaftertheyspecifytheircredentialsonthe

AccessManagerloginpage.

1.3.2 Kiosk Mode

InKioskmode,onlyalimitedsetofapplicationsareenabledforSSLVPN.Anon‐adminuser,anon‐

root

user,orastandarduserinWindowsVistacanconnecttoSSLVPNinKioskmodeifheorshe

doesnothaveadministratoraccess.InKioskmode,applicationsthatwereopenedbeforetheSSL

VPNconnectionwasestablishedarenotSSL‐enabled.

KioskmodesupportsTCPandUDPapplicationsonly.

Thismodeisbettersuitedformachinesthat

arenotmanagedbyanorganization,suchashomecomputersandcomputersinWebbrowsing

kiosks.

YoucanconfigureausertoconnectinKioskmodeonly.Whenyouhavedoneso,auserisconnected

toSSLVPNinKioskmodeafter

theuserprovidescredentialsintheNovellAccessManagerlogin

page.Formoreinformation,seeSection 4.2.1,“ConfiguringUserstoConnectOnlyinEnterprise

ModeorKioskMode,”onpage 52.

IfyouhaveleftthemodeselectiontotheclientandauserlogsintotheSSLVPNclientas

anon‐

adminornon‐

root

user,thefollowingdialogboxisdisplayed:

18 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

Figure 1-3 SSLVPNDialogBox

TheusercandooneofthefollowingtoloadtheKioskmode:

 ClickIgnoretoconnecttoSSLVPNinKioskmodeforthatparticularsession.Theuseris

promptedagaintoprovidetheadministratororthe

root

usernameandpasswordduringthe

nextlogin.

 ClickIgnoreForevertoconnecttoSSLVPNinKioskmodeinthecurrentsession,aswellasin

subsequentsessions.

AuserwhohasclickedIgnoreForevercanstillswitchtoSSLVPNinEnterprisemodeinthenext

session.Formoreinformation,

see“SwitchingfromKioskModetoEnterpriseMode”intheNetIQ

AccessManager3.1SP5SSLVPNUserGuide.

NOTE:Whenanon‐adminuserusesInternetExplorertoestablishanSSLVPNconnection,the

ActiveXdownloadfails.ThishappensbecauseActiveXrequiresadminrightstodownload.Thisissue

mightalsooccurifyouhaveupgradedfromanolderversion.IfauserwantstoaccessSSLVPNwith

Internet

Explorer,usethefollowingURL:

https:<DNS-Name>/sslvpn/login?forcejre=true

Formoreinformation,seeSection 4.2.4,“ConfiguringSSLVPNtoDownloadtheJavaAppleton

InternetExplorer,”onpage 55.

2

Basic Configuration for SSL VPN 19

2

Basic Configuration for SSL VPN

SSLVPNserversareauto‐importedintotheAdministrationConsoleduringinstallation.Yo ucanuse

theSSLVPNspageintheAdministrationConsoletoviewinformationaboutthecurrentstatusofall

SSLVPNserversandtoconfiguretheSSLVPNservers.

BeforeyouproceedwiththeSSLVPNconfiguration,youmust

dothefollowing:

 InstalltheSSLVPNserver.Formoreinformation,see“InstallingtheSSLVPNServer”inthe

NetIQAccessManager3.1SP5InstallationGuide.

 InstalltheLinuxAccessGateway,ifyouwanttoaccelerateSSLVPNbyusingtheLinuxAccess

Gateway.Formoreinformation,see“Installing

theLinuxAccessGatewayAppliance”inthe

NetIQAccessManager3.1SP5InstallationGuide.

 LogintotheAdministrationConsoleastheadminuser.Formoreinformation,see“LoggingIn

totheAdministrationConsole”intheNetIQAccessManager3.1SP5InstallationGuide.

 CreateanIdentityServerconfiguration.

Formoreinformation,see“ConfiguringanIdentity

Server”intheNetIQAccessManager3.1SP5IdentityServerGuide.

 IfyouhaveupgradedfromSSLVPN3.0toSSLVPN3.1,updatetheSSLVPNserversbeforeyou

proceedwithanyotherconfigurations.Formoreinformation,see“UpgradingAccess

Manager

Components”intheNetIQAccessManager3.1SP5InstallationGuide.

Thissectionhasthefollowinginformation:

 Section 2.1,“ConfiguringAuthenticationfortheESP‐EnabledNovellSSLVPN,”onpage 19

 Section 2.2,“AcceleratingtheTraditionalNovellSSLVPN,”onpage 21

 Section 2.3,“ConfiguringtheIPAddress,Port,andNetworkAddressTranslation(NAT),”on

page 26

 Section 2.4,“ConfiguringRouteandSourceNATforEnterpriseMode,”onpage 30

 Section 2.5,“ConfiguringDNSServers,”onpage 31

 Section 2.6,“ConfiguringCertificateSettings,”onpage 32

2.1 Configuring Authentication for the ESP-Enabled Novell SSL

VPN

IfyouinstalledtheESP‐enabledNovellSSLVPN,thenanEmbeddedServiceProvidercomponent

wasinstalledalongwiththeSSLVPNserverduringtheinstallation.Youmustnowconfigurethe

EmbeddedServiceProviderinordertoestablishatrustrelationshipbetweentheIdentityServerand

theEmbeddedServiceProvider.

NOTE:IfyouhaveinstalledtheTraditionalSSLVPN,refertoSection 2.2,“Acceleratingthe

Traditional NovellSSLVPN,”onpage 21.

1 IntheAdministrationConsole,clickDevices>SSLVPNs>Edit.

20 Novell Access Manager 3.1 SP5 SSL VPN Server Guide

TheServerconfigurationpageisdisplayed.

2 SelectAuthenticationConfigurationfromtheBasicGatewayConfigurationsection.

3 Fillinthefollowingfields:

IdentityServerCluster:SpecifiestheIdentityServerclusterthatyouwanttheSSLVPNtotrust

forauthentication.SelecttheconfigurationyouhaveassignedtotheIdentityServer.

AuthenticationContract:Specifiesthetypeofcontract,whichdeterminestheinformationa

usermustsupplyforauthentication.Bydefault,

youcanselectfromthefollowing

authenticationcontracts:

 AnyContract:Iftheuserhasauthenticated,thisoptionallowsanycontractdefinedforthe

IdentityServertobevalid,oriftheuserhasnotauthenticated,itpromptstheuserto

authenticateusingthedefaultcontractassignedtotheIdentityServer

configuration.

 Name/Password‐Basic:SpecifiesbasicauthenticationoverHTTP,usingastandardlogin

pop‐upprovidedbytheWebbrowser.

 Name/Password‐Form:Specifiesaform‐basedauthenticationoverHTTP,usingtheAccess

Managerloginform.

 SecureName/Password‐Basic:SpecifiesbasicauthenticationoverHTTPS,usinga

standardloginpop‐upprovidedbythe

Webbrowser.

 SecureName/Password‐Form:Specifiesaform‐basedauthenticationoverHTTPS,using

theAccessManagerloginform.

EmbeddedServiceProviderBaseURL:TheapplicationpathfortheEmbeddedService

Provider.ThisURLhasthefollowingconstituents:

 Protocol:Specifiesthecommunicationprotocol.SpecifyHTTPSinordertorunsecurelyin

SSL

mode.UseHTTPonlyifyoudonotrequiresecurity.

 Domain:TheDNSnameusedtoaccesstheSSLVPNserver.UsinganIPaddressisnot

recommended.

 Port:Specifiestheportvaluesfortheprotocol.Theportis80or8080forHTTPor443or

8443forHTTPS.

Ifyouwanttouseport80or433,selecttheporthere,thenselectthe

RedirectRequestsfromNon‐SecurePorttoSecurePortoption.Selecting80forHT TPand443

forHTTPSimpliesthattheportneedstobetranslated.

Page is loading ...

Novell Access Manager 3.1 SP4 User guide

Related papers

Other documents