Novell ACCESS MANAGER 3.1 SP1 - SSL VPN SERVER GUIDE 03-17-2010 Manual


AUTHORIZED DOCUMENTATION
SSL VPN Server Guide
Novell
®
Access Manager
3.1 SP1
March 17, 2010
www.novell.com
Novell Access Manager 3.1 SP1 SSL VPN Server Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP1 - SSL VPN SERVER GUIDE 03-17-2010

  • Page 1 AUTHORIZED DOCUMENTATION SSL VPN Server Guide Novell® Access Manager 3.1 SP1 March 17, 2010 www.novell.com
  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Installing the Traditional Novell SSL VPN ....... . . 38...
  • Page 6 Deploying the Traditional Novell SSL VPN ........
  • Page 7 14 Configuring End-Point Security and Access Policies for SSL VPN 14.1 Configuring Policies to Check the Integrity of Client Machine ......90 14.1.1 Selecting the Operating System .
  • Page 8 Viewing SSL VPN Cluster Alerts ..........153
  • Page 9 Part VI Troubleshooting SSL VPN 30 Troubleshooting SSL VPN Installation 30.1 Manually Uninstalling the Enterprise Mode Thin Client ......157 30.2 SSL VPN Health Status is Yellow After an Upgrade .
  • Page 11: About This Guide

    Documentation Feedback (http://www.novell.com/documentation/ feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there. Documentation Updates For the most recent version of the Novell Access Manager SSL VPN Server Guide, visit the Novell Access Manager Documentation Web site (http://www.novell.com/documentation/ novellaccessmanager). Additional Documentation Novell Access Manager 3.1 SP1 Installation Guide...
  • Page 12 Novell Access Manager 3.1 SSL VPN User Guide For information about the other Access Manager devices and features, see the following: Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 13: Part I Overview Of Ssl Vpn

    Overview of SSL VPN The Novell® Access Manager SSL VPN uses Secure Sockets Layer (SSL) as the underlying security protocol for network transmissions. It uses encryption and other security mechanisms to ensure that the data cannot be intercepted and only authorized users have access to the network. Users can access SSL VPN services from any Web browser.
  • Page 15: Ssl Vpn Features

    Browser-Based End User Access Novell SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines. Users can access the SSL VPN services from any Web browser, from their personal computers, laptop, or from an Internet kiosk.
  • Page 16 121. End-Point Security Checks The Novell SSL VPN has a set of policies that can be configured to protect your network and applications from clients that are using insufficient security restraints and also to restrict the traffic based on the role of the client.
  • Page 17 This is a potential security threat if it is not properly dealt with. The Novell SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the browser history, cache, cookies, and files from the system, before logging out of the SSL VPN connection.
  • Page 19: Traditional And Esp-Enabled Ssl Vpns

    Administration server to also be installed. This type of deployment is called an ESP-enabled Novell SSL VPN. When SSL VPN is deployed with the Access Gateway, it is called a Traditional Novell SSL VPN. In this type of installation, SSL VPN is deployed with the Identity Server, Administration Console, and the Linux Access Gateway components of Novell Access Manager.
  • Page 20: Traditional Novell Ssl Vpn

    2.2 Traditional Novell SSL VPN The following figure shows the Novell Access Manager components and the process involved in establishing a secure connection between a client machine and traditional Novell SSL VPN server. In this type of deployment, the Linux Access Gateway accelerates and protects the SSL VPN server.
  • Page 21: High And Low Bandwidth Ssl Vpns

    After the export controls have been satisfied, the order will be fulfilled. You can install the high bandwidth SSL VPN RPM on both the traditional Novell SSL VPN server and on the ESP-enabled Novell SSL VPN server.
  • Page 23: Ssl Vpn Client Modes

    SSL VPN Client Modes Novell SSL VPN has two client modes, Enterprise mode and Kiosk mode. In Enterprise mode, which is available for users who have administrative privileges, all applications are enabled for SSL VPN. In Kiosk mode, only a limited set of applications are enabled for SSL VPN.
  • Page 24: Prerequisites

    VPN, the user is prompted to specify the credentials on the Access Manager page. The tool identifies that the credentials supplied are those of a non-admin or non-root user and displays the following dialog box.
  • Page 25: Kiosk Mode

    SSL VPN in Kiosk mode on the same machine. For more information, see “Switching from Enterprise Mode to Kiosk Mode” in the Novell Access Manager 3.1 SSL VPN User Guide. NOTE: Users cannot switch from one mode to another if you have configured them to connect in one mode only.
  • Page 26 You can configure a user to connect in Kiosk mode only. When you have done so, a user is connected to SSL VPN in Kiosk mode after the user provides credentials in the Novell Access Manager login page. For more information, see Section 15.1, “Configuring Users to Connect Only...
  • Page 27: Part Ii Installing And Deploying The Ssl Vpn Server

    Installing and Deploying the SSL VPN Server The Novell® SSL VPN can be installed as an ESP-enabled SSL VPN, or as a Traditional SSL VPN along with the Access Gateway. You can also install the high bandwidth version of SSL VPN if export laws permit.
  • Page 29: Installing The Ssl Vpn Server

    Section 4.2, “Limitations With 64-Bit Software,” on page 29 Section 4.3, “Installing ESP-Enabled SSL VPN,” on page 30 Section 4.4, “Installing the Traditional Novell SSL VPN,” on page 34 Section 4.5, “Installing the RPM Containing Key For High Bandwidth SSL VPN,” on page 41 Section 4.6, “Uninstalling the RPM Containing Key For High Bandwidth SSL VPN,”...
  • Page 30: Installing Esp-Enabled Ssl Vpn

    When SSL VPN is deployed without the Access Gateway, an Embedded Service Provider (ESP) component is installed along with the SSL VPN server. This requires the Identity Server and the Administration server to also be installed. This deployment is called an ESP-enabled Novell SSL VPN.
  • Page 31 Deployment Scenario 2: Installing SSL VPN and the Identity Server on the Same Machine [Figure 4-2, Deployment Scenario 2: Firewall; Identity Stores; Linux, Mac, or Windows clients; Identity Server + SSL VPN; E-Mail Server; Terminal Server; Private Network] This deployment scenario consists of a demilitarized zone where the Identity Server and SSL VPN are on a single machine.
  • Page 32 Console are on the same machine and the Linux Access Gateway and the Identity servers are deployed separately. For installation instructions for this scenario, see Section 4.3.2, “Installing the ESP-Enabled SSL VPN,” on page ...
  • Page 33: Installing The Esp-Enabled Ssl Vpn

    Deployment Scenario 4: Installing SSL VPN, the Administration Console and the Identity server on the Same Machine [Figure 4-4, Deployment Scenario 4: Firewall; Identity Stores; Linux, Mac, or Windows clients; Identity Server + SSL VPN; Administration Console; E-Mail Server; Terminal Server; Private Network] This deployment scenario consists of a demilitarized zone where the Identity Server, SSL VPN, and Administration Console are on the same machine and the Linux Access Gateway is deployed...
  • Page 34: Installing The Traditional Novell Ssl Vpn

    4.4 Installing the Traditional Novell SSL VPN When SSL VPN is deployed with the Access Gateway, it is called a Traditional Novell SSL VPN. In this type of installation, SSL VPN is deployed with the Identity Server, Administration Console, and the Linux Access Gateway components of Novell Access Manager.
  • Page 35 Deployment Scenario 1: Linux Access Gateway and SSL VPN on the Same Server [Figure 4-5, Deployment Scenario 1: Firewall; Identity Server; Identity Stores; Web Servers; Java Application Servers; Linux, Mac or Windows clients; E-Mail Server; Terminal Server; Private Network; Access Gateway + SSL VPN] This deployment scenario consists of a demilitarized zone where the Linux Access Gateway and SSL VPN are on the same server and the Identity Server is deployed separately.
  • Page 36 This deployment scenario consists of a demilitarized zone where the Access Gateway, Identity Server, and SSL VPN are deployed separately. For installation instructions for this scenario, see Section 4.4.2, “Installing the Traditional Novell SSL VPN,” on page ... Deployment Scenario 3: Novell Identity Server and SSL VPN on the Same Server [figure: Firewall...]
  • Page 37 Deployment Scenario 4: Novell Administration Console and SSL VPN on the Same Server [Figure 4-7, Deployment Scenario 4: Firewall; Access Gateway; Web Servers; Java Application Servers; Identity Server; Identity Stores; Linux, Mac, or Windows clients; E-Mail Server; Terminal Service...]
  • Page 38: Installing The Traditional Novell Ssl Vpn

    “Standard Installation” on page 38 “Advanced Installation” on page 39 Standard Installation The standard installation process installs SSL VPN along with the Linux Access Gateway. This is the preferred method of installation.
  • Page 39 Novell Access Manager 3.1 SP1 Installation Guide. 2 In the Access Administrator Configuration section in the Novell Linux Access Gateway Configuration page, select the Enable On Box SSL VPN Server check box to install and configure SSL VPN on the Linux Access Gateway.
  • Page 40 Server, or with the Administration Console You can use an install script to install the traditional Novell SSL VPN on a separate machine with the Identity Server on the same machine, or on the same machine with the Administration Console or with the Identity Server and the Administration Console.
  • Page 41: Installing The Rpm Containing Key For High Bandwidth Ssl Vpn

    4 You are prompted to select an installation. 5 When prompted to install the Novell SSL VPN Agent, press Enter. 6 Review and accept the License Agreement. 7 (Conditional) If the SSL VPN machine has been configured with multiple IP addresses, select an IP address for the SSL VPN server when you are prompted to do so.
  • Page 42: Uninstalling The Rpm Containing Key For High Bandwidth Ssl Vpn

    Identity server and the Embedded service provider is yet to be established. For more information on how to configure the trust relationship, see Chapter 9, “Configuring Authentication for ESP-Enabled Novell SSL VPN,” on page 3 (Optional) Continue with Part III, “Configuring SSL VPN,” on page 65, if you have not already configured the SSL VPN server.
  • Page 43: Upgrading Ssl Vpn Servers

    SSL VPN 3.0 SP4 to Traditional Novell SSL VPN 3.1. You cannot upgrade the Traditional Novell SSL VPN from SP4 to the 3.1 version of ESP-enabled SSL VPN. After the upgrade, traffic policies that you configured for SSL VPN 3.0 are migrated to SSL VPN 3.1.
  • Page 44: Upgrade Scenarios

    Section 5.3, “Upgrading SSL VPN Installed on a Separate Machine,” on page 45. If the SSL VPN server was installed with the other Novell Access Manager components, the SSL VPN server is automatically upgraded along with the other component. 5.2 Upgrade Scenarios...
  • Page 45: Upgrading Ssl Vpn Installed On A Separate Machine

    5.3 Upgrading SSL VPN Installed on a Separate Machine To upgrade from Novell SSL VPN 3.0 SP4 to Novell SSL VPN 3.1: 1 Upgrade the Administration Console, Identity Server, and Linux Access Gateways before you proceed with upgrading the SSL VPN server.
  • Page 46: Migrating A Traditional Ssl Vpn Server To The Esp-Enabled Version

    Novell Access Manager 3.1 SP1 Installation Guide understand the prerequisites. You cannot directly upgrade the traditional Novell SSL VPN from version 3.0 to version 3.1 of the ESP-enabled SSL VPN, but you can export the traffic policies from the traditional 3.0 SSL VPN into the ESP-enabled 3.1 SSL VPN, which is installed on a separate machine.
  • Page 47: Upgrade Scenarios

    5.4.1 Upgrade Scenarios The following table explains the various upgrade scenarios available when you want to upgrade from traditional SSL VPN to ESP-Enabled SSL VPN. Table 5-2, Upgrade Scenarios (columns: Serial Number, Installation Scenarios, Upgrade Procedure): Traditional SSL VPN, Identity Server, Linux ... 1.
  • Page 48: Migrating Traffic Policies From Traditional Ssl Vpn To Esp- Enabled Ssl Vpn

    2 Select Traffic Policies from the Policies section. The SSL VPN Traffic Policies page is displayed. 3 Select the Traditional SSL VPN 3.0 SP4 from which you want to import the traffic policies, then click Export. 4 Specify a filename for the XML document.
  • Page 49: Upgrading Clustered Ssl Vpn Servers

    10 Select Authentication Configuration and establish a trust relationship with the Identity Server. For more information, see Chapter 9, “Configuring Authentication for ESP-Enabled Novell SSL VPN,” on page 11 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 50: Configuration Changes To The Ssl Vpn Server Installed With The Linux Access Gateway

    3 Select the Webservers tab. Click the Webserver IP address link from the Webservers list section. 4 Originally, the public IP address of SSL VPN was configured as the IP address of the Webserver. Change the IP address to 127.0.0.1, which is the loopback IP address.
  • Page 51 5 Click OK when prompted to purge cache. 6 Click OK, then click Update on the Configuration page to save your modifications.
  • Page 53: Preinstalling The Ssl Vpn Client Components

    1 On the client machine, download the following package from the /var/opt/novell/tomcat4/webapps/sslvpn/MacOS directory: novell-sslvpn-serv.tar.gz 2 Enter the following command to untar the file: tar -zxvf novell-sslvpn-serv.tar.gz 3 Enter the following command to install the package novl-sslvpn-service.pkg extracted from the tar ball: “/”...
  • Page 55: Uninstalling The Ssl Vpn Server

    Enter 4 to uninstall the Traditional Novell® SSL VPN. Enter 5 to uninstall the ESP-enabled Novell SSL VPN. NOTE: If SSL VPN fails to uninstall gracefully, use option 6 to forcefully uninstall SSL VPN.
  • Page 57: Deploying Ssl Vpn

    Section 8.2, “Deploying a Cluster of Single-Machine SSL VPNs,” on page Installing the Traditional Novell SSL VPN: In this deployment scenario, SSL VPN is installed along with Linux Access Gateway, Administration Console, and Identity Server. You can install SSL VPN along with the Linux Access Gateway on the same machine, you can install it along with the Identity Server on the same machine, or you can install SSL VPN on a separate machine.
  • Page 58: Prerequisites

    One private IP address. This is the IP address of the interface that is connected to the private LAN. One public DNS name. One X.509 certificate, if the locally generated certificate is not sufficient.
  • Page 59: Deployment Procedure

    Console are all installed on a single machine and several of these SSL VPNs are clustered. In this deployment scenario, the ESP-enabled Novell SSL VPN is used. You can deploy SSL VPN along with the Identity Server cluster or on a single Identity Server.
  • Page 60: Deployment Scenario

    8.2.1 Deployment Scenario This sample deployment scenario consists of a cluster of four ESP-enabled Novell SSL VPNs. The following figure explains the setup: [Figure 8-2, Cluster of ESP-enabled Novell SSL VPNs Installed on a Single Machine: Firewall; Identity ...; Administration Console...]
  • Page 61 4 Configure the Identity Server. For more information on configuring the Identity Server, see “Configuring an Identity Server” in the Novell Access Manager 3.1 SP1 Identity Server Guide 5 Assign the security certificate. For more information, see “Enabling SSL Communication” in the Novell Access Manager 3.1...
  • Page 62: Deploying The Traditional Novell Ssl Vpn

    [figure labels: Terminal Server; Private Network] When you deploy the traditional Novell SSL VPN, you can install the SSL VPN along with the Identity Server on the same machine, you can install SSL VPN along with the Linux Access Gateway on the same machine, or you can install the Linux Access Gateway, Identity Server, and the SSL VPN server on different machines.
  • Page 63 6 Configure the Linux Access Gateway to accelerate and protect the SSL VPN Server. For more information, see Chapter 10, “Accelerating the Traditional Novell SSL VPN,” on page 7 In the Administration Console, select Devices > SSL VPNs. The health status at this stage...
  • Page 65: Part Iii Configuring Ssl Vpn

    This section has the following information: Chapter 9, “Configuring Authentication for ESP-Enabled Novell SSL VPN,” on page 67 Chapter 10, “Accelerating the Traditional Novell SSL VPN,” on page 69 Chapter 11, “Configuring the IP Address, Port, and NAT,” on page 75 Chapter 12, “Configuring Route and Source NAT for Enterprise Mode,”...
  • Page 67: Configuring Authentication For Esp-Enabled Novell Ssl Vpn

    3 Fill in the following fields: Identity Server Cluster: Specifies the Identity Server cluster that you want the Access Gateway to trust for authentication. Select the configuration you have assigned to the Identity Server.
  • Page 68 6 Click Update on the Identity Server Configuration page. 7 (Optional) Proceed with Chapter 11, “Configuring the IP Address, Port, and NAT,” on page ... if you have not already configured the SSL VPN server details.
  • Page 69: Accelerating The Traditional Novell Ssl Vpn

    Chapter 9, “Configuring Authentication for ESP-Enabled Novell SSL VPN,” on page If you have installed the traditional Novell SSL VPN, this is a mandatory configuration in order to accelerate the SSL VPN server. This section has the following information: Section 10.1, “Configuring the Default Identity Injection Policy,”...
  • Page 70: Injecting The Ssl Vpn Header

    Published DNS Name: This field is populated by default with the published DNS name. Path: Specify the path to the SSL VPN resource. This must be /sslvpn. Web Server IP Address: Specify the public IP address of the SSL VPN server.
  • Page 71 6 In the Path List section, make sure the Path is /sslvpn. 7 In the Path List section, select the /sslvpn check box, then click Enable SSL VPN. The Enable SSL VPN pop-up is displayed. 8 Fill in the following fields:
  • Page 72 17 Click Configuration Panel, then click OK. 18 On the Configuration page, click OK. 19 On the Access Gateways page, click Update. 20 To update the Identity Server, click Identity Servers > Update.
  • Page 73 21 Click Close. 22 (Optional) Proceed with Chapter 11, “Configuring the IP Address, Port, and NAT,” on page ... if you have not already configured the SSL VPN server details.
  • Page 75: Configuring The Ip Address, Port, And Nat

    Configuring the IP Address, Port, and NAT The Gateway Configuration page displays the current configuration of the SSL VPN server, such as the external IP address if the SSL VPN server is behind NAT, the listening IP address, TCP encryption port, connection manager port, and the type of encryption used. This section describes how to configure the IP addresses, port, subnet address and subnet mask, and protocol for SSL VPN.
  • Page 76 Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 or a NAT. Make sure that the port you specify here is free.
  • Page 77: Configuring The Ssl Vpn Gateway Without Nat Or L4

    Protocol: Specify a protocol for Kiosk mode as well as for Enterprise mode, when the SSL VPN server is behind an L4 or a NAT. The protocol is TCP for Kiosk mode, but it can either be TCP or UDP for Enterprise mode. 5 Specify the following information to configure the assigned IP address pool for Enterprise mode: Subnet Address: Specify the IP address of the subnet pool where SSL VPN assigns the IP...
  • Page 78 NAT. For more information, see Chapter 12, “Configuring Route and Source NAT for Enterprise Mode,” on page ... Subnet Mask: Specify the subnet mask for Enterprise mode.
  • Page 79 The values specified in the Subnet Address and Subnet Mask fields determine the IP addresses that are assigned to the clients. Make sure that the assigned IP address and the IP address of the client do not match. 5 Specify the other configuration as follows: Cluster Communications Port: Specify the port that is used for communication between the cluster members.
  • Page 81: Configuring Route And Source Nat For Enterprise Mode

    Configuring Route and Source NAT for Enterprise Mode In Enterprise mode, SSL VPN assigns IP addresses to each client from subnet specified in the configuration. For more information on configuring IP address, see Chapter 11, “Configuring the IP Address, Port, and NAT,” on page 75.
  • Page 82 NOTE: This field is populated with the Enterprise mode IP address by default. However, you can edit the value in this field if you want to use it to add iptables SNAT entries for other cases in Kiosk mode, such as full tunneling.
  • Page 83: Ordering Snat Entries

    --destination (-d): This is an optional parameter. You can either specify the host IP address or the destination IP address or specify the IP address and the network mask combination in the following format: <destination>/<SubnetMask> The Network mask should be in the dotted decimal format only. --destination-port (--dport): This is an optional parameter.
  • Page 85: Configuring Dns Servers And Certificates

    Configuring DNS Servers and Certificates Some configurations are common to both the ESP-enabled Novell® SSL VPN and SSL VPN protected by the Access Gateway: Section 13.1, “Configuring DNS Servers,” on page 85 Section 13.2, “Configuring Certificate Settings,” on page 86 13.1 Configuring DNS Servers...
  • Page 86: Configuring Dns Servers For Kiosk Mode

    Before you proceed with this section, make sure you have already created a certificate. For more information on creating certificates, see “Security and Certificate Management” in the Novell Access Manager 3.1 SP1 Administration Console Guide.
  • Page 87 NOTE: Make sure that SSL VPN certificate names contain only alphanumeric characters, space, underscore (_), hyphen (-), the at symbol @, and the dot (.). 1 In the Administration Console, select Devices > SSL VPN > Edit. 2 Select SSL VPN Certificates from the Security settings section. The Certificates for SSL VPN page is displayed.
  • Page 89: Configuring End-Point Security And Access Policies For Ssl Vpn

    Configuring End-Point Security and Access Policies for SSL VPN Novell® SSL VPN has a set of client integrity check policies to protect your network and applications from clients that are using insufficient security restraints. SSL VPN also allows you to...
  • Page 90: Configuring Policies To Check The Integrity Of Client Machine

    14.1.1 Selecting the Operating System 1 In the Administration Console, click Devices > SSL VPNs > Edit. 2 Select Client Integrity Check Policies from the Policies section. The Client Integrity Check Policies page is displayed.
  • Page 91: Configuring The Category

    3 Select the operating system. Next, you must configure a category of software that needs to be present in the client machine. 4 Continue with Section 14.1.2, “Configuring the Category,” on page 14.1.2 Configuring the Category A category is a group of similar software. For example, a firewall category can contain a list of firewalls such as the Windows firewall and ZoneAlarm* firewall.
  • Page 92: Configuring Applications For A Category

    1 To add a new attribute, click New, specify an attribute name, then click OK. 2 Click the application to add application details and attributes. The Application Details and Attributes page is displayed.
  • Page 93 3 Specify details for the attributes. The following table lists the attributes for applications on different operating systems (columns: Operating System, Attribute Type, Attribute Name). Linux: Name: Specify the name of the RPM that must be present in the client machine. Version: Specify the version of the RPM that must be present in the client machine.
  • Page 94 Version: Specify the owner of the process. Service Name: Specify the display name of the service. Status: Specify the status of the process in the client machine. The status of the process can be Running or Stopped.
  • Page 95: Exporting And Importing Client Integrity Check Policies

    (columns: Operating System, Attribute Type, Attribute Name) Macintosh: Package Name: Specify the name of the software package that must be present in the client machine. Version: Specify the version of the software package. Process Name: Specify the name of the executable file that must be present in the client machine.
  • Page 96 Secure: You can configure this level for a client that has met all the requirements for the client integrity check. None: You can configure this level to provide minimal access to resources for a client that has failed the client integrity check.
  • Page 97: Configuring Traffic Policies

    3 Click a security level to configure. The Edit Security Level Definition page is displayed. Any category that is not enabled in the Client Integrity Check policy appears as dimmed. 4 To assign a category for a level, select categories under each operation system, then click Assign.
  • Page 98 Assigned Roles. If you want to assign a traffic policy to multiple roles, press the Ctrl key when selecting the roles. To assign a traffic policy to user-defined roles, click the Manage Roles button.
  • Page 99: Rule Ordering

    Click the Add Role icon to add the roles and click the Remove selected roles icon to delete the roles. Click OK to confirm your changes, or click Cancel to discard the changes. The role is case-sensitive. If the role configured is and the Identity Server sends a Employee request for...
  • Page 100: Exporting And Importing Traffic Policies

    7 Click Import in the traffic policies page. 8 Browse and select the XML file that contains the saved traffic policies. 9 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 101: Configuring How Users Connect To Ssl Vpn

    Configuring How Users Connect to SSL VPN You can configure SSL VPN so that a client can be forced to connect in either Kiosk mode only or Enterprise mode only, depending on the role of a client. You can also configure SSL VPN to let the client select the SSL VPN mode based on the client privileges, or you can configure SSL VPN to download the applet client when the Internet Explorer browser is used to establish the SSL VPN connection.
  • Page 102: Allowing Users To Select The Ssl Vpn Mode

    4 To save your modifications, click OK, then click Update on the Configuration page. If you do not configure any client modes for roles, then the roles are by default configured for the Client Privilege Based Mode option.
  • Page 103: Configuring Ssl Vpn To Download The Java Applet On Internet Explorer

    15.3 Configuring SSL VPN to Download the Java Applet on Internet Explorer The SSL VPN client components are downloaded on the client machine through a Java applet or through ActiveX, depending on the browsers they use. The Internet Explorer browser uses the ActiveX control by default to download the SSL VPN client components.
  • Page 104: Customizing Ssl Vpn User Interface

    Section 15.5.3, “Modifying Help Pages for the Customized Error Messages,” on page 105 15.5.1 Customizing the Home Page and Exit Page To customize the home page, modify the /var/opt/novell/tomcat5/webapps/sslvpn/sslvpnclient.jsp file.
  • Page 105: Customizing Error Messages

    The home page content is displayed within the <div id="homecontent"> tags. To customize the Exit page, modify the /var/opt/novell/tomcat5/webapps/sslvpn/logout.jsp file. 15.5.2 Customizing Error Messages To customize the error messages, do the following: 1 Browse and open the following file: var/opt/novell/tomcat5/webapps/sslvpn/Applet/properties/BrowserAgentMessages.properties...
  • Page 107: Configuring Full Tunneling

    You can configure full tunneling for both Kiosk mode as well as Enterprise mode. Novell® SSL VPN is configured for split tunneling by default. This means that only the traffic that is enabled to go through the protected network, such as items meant for the corporate network, goes through the VPN tunnel.
  • Page 108 Access Gateway. This field is not present if you have installed the ESP-enabled SSL VPN. 9 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 109: Configuring Ssl Vpn To Connect Through A Forward Proxy

    Configuring SSL VPN to Connect through a Forward Proxy The Novell® SSL VPN can be configured to detect and connect through a forward proxy in both Kiosk as well as Enterprise modes after authenticating to the Identity server. To establish the SSL VPN connection through a forward proxy, you can either configure the browser or create a file in the user’s home directory.
  • Page 110: Creating The Proxy.conf File

    This is not a recommended method, because you must specify the credentials of the forward proxy in the configuration file, which might be a security vulnerability. 4 Save and close the file.
  • Page 111: Configuring Ssl Vpn For Citrix Clients

    Citrix Application Server with the Access Gateway. If you are using the ESP-enabled Novell SSL VPN, you must install an Access Gateway in order to protect the Citrix server. The following sections discuss the configuration process: Section 18.1, “Prerequisites,”...
  • Page 112: Configuring A Custom Login Policy For Citrix Clients

    A custom-login policy must be configured to enable users to use a browser to access Citrix applications protected by Access Manager. This is because the browser settings of the client need to be modified so that connections to Citrix applications can happen through SSL VPN.
  • Page 113: Configuring The Access Gateway To Protect The Citrix Server

    For more information, see “Configuring Protected Resources” in the Novell Access Manager 3.1 SP1 Access Gateway Guide. 4 On the Server Configuration page, click OK, then click Update.
  • Page 114: Configuring Single Sign-On Between Citrix And Ssl Vpn

    Novell Access Manager 3.1 SP1 Policy Management Guide Citrix displays login failures via the query string, so you’ll need to use CGI matching. 10 Click OK, then click Apply Changes. 11 Click Close.
  • Page 115 You should return to the Form Fill page for the protected resource. 12 Select the policy you just created, then click Enable. 13 Click Configuration Panel, then click OK. 14 On the Server Configuration page, click OK, then click Update.
  • Page 117: Additional Configurations

    SSL VPN has many extended configuration options for both the SSL VPN Enterprise client and Enterprise server that can be saved and executed from a configuration file. 1 Browse to /etc/opt/novell/sslvpn 2 Open the following files, depending on the changes you want to make: Open openvpn-client.conf if you want to push configuration changes to the Enterprise...
  • Page 118: Disconnecting Active Ssl Vpn Connections

    19.4 Modifying SSL VPN Server Details To edit the Gateway information: 1 In the Administration Console, click Devices > SSL VPNs. 2 Check the information that is displayed and make any necessary changes.
  • Page 119 New Cluster: Displays the New Cluster dialog box. You can specify a name for your SSL VPN configuration and assign an Identity Server. When you click OK, the system displays the Create Cluster Configuration page, which lets you configure how your Identity Servers operate in an Access Manager configuration.
  • Page 120 Description: (Optional) Provide a brief description of the purpose of this SSL VPN Gateway or any other relevant information. 6 Click OK to save changes or click Cancel to discard the changes.
  • Page 121: Part Iv Clustering The High Bandwidth Ssl Vpn Servers

    Clustering the High Bandwidth SSL VPN Servers The high bandwidth SSL VPN servers can now be clustered to provide load balancing and fault tolerance capabilities and act as a single server. Clients access the virtual IP address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster.
  • Page 123: Overview Of Ssl Vpn Clusters

    For more information on configuring the L4 server, see “Configuration Tips for the L4 Switch” in the Novell Access Manager 3.1 SP1 Setup Guide. Using Access Gateway for Clustering: In a direct connection, the client directly establishes contact with the tunneling component, which could be a NAT IP address, and not through the L4 switch.
  • Page 124: Limitations

    All members of an SSL VPN cluster should belong to only one type. For example, all the members of a cluster should be either an ESP-enabled Novell SSL VPN or a Traditional Novell SSL VPN. You cannot have a cluster where some members are ESP-enabled Novell SSL VPNs and some are Traditional Novell SSL VPNs.
  • Page 125: Creating A Cluster Of Ssl Vpn Servers

    Creating a Cluster of SSL VPN Servers The system automatically enables clustering when multiple SSL VPN servers exist in a group. To create an SSL VPN cluster, you must create a cluster of SSL VPNs after you install an SSL VPN server, then assign one or more SSL VPN servers to that cluster. The Access Manager software configuration process is the same whether there is one server or multiple servers in a cluster.
  • Page 126: Adding An Ssl Vpn Server To A Cluster

    1 In the Administration Console, click Devices > SSL VPNs. 2 On the Servers page, select the server, then click Actions > Assign to Cluster. To select all the servers in the list, select the top-level Server check box.
  • Page 127: Removing An Ssl Vpn Server From A Cluster

    3 Select the name of the cluster that you want to add the SSL VPN server to. The health status of the SSL VPN server turns green if the server is already configured and the trust relationship is established with the Identity Servers. Otherwise, the health status is displayed as yellow.
  • Page 129: Clustering Ssl Vpn By Using L4

    Clustering SSL VPN by Using L4 You configure the SSL VPN cluster to be behind a Layer 4 (L4) server because it is essential in order to assign multiple SSL VPN servers to the same configuration. You can use the same L4 server for SSL VPN server clustering, Identity Server clustering, and Access Gateway clustering, provided that you use different virtual IPs.
  • Page 130 9 In the Embedded Service Provider Base URL, if you select HTTPS as the protocol, create and use a custom certificate. 10 Restart the Tomcat server when prompted. 11 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 131: Configuring A Cluster Of Traditional Ssl Vpns By Using L4

    8 Accelerate the SSL VPN server by using the Access Gateway. For more information, see Chapter 10, “Accelerating the Traditional Novell SSL VPN,” on page ... 9 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 133: Clustering Ssl Vpns By Using Access Gateway And Without L4

    6 Save your changes and update the Access Gateway. 23.2 Installing the Scripts 1 Download the tar file containing scripts for SSL VPN automatic monitoring and failover from the Additional Resources section on the Novell Access Manager documentation page (http://www.novell.com/documentation/novellaccessmanager/index.html). The tar file contains sslvpn-heartbeat.sh and sslvpn-heartbeat...
  • Page 134: Testing The Scripts

    It might require several attempts before you can connect to the desired Access Gateway. 9 Repeat Step 1 to Step 8 to verify that the SSL VPN health scripts are working on all the SSL VPN servers.
  • Page 135: Configuring Ssl Vpn To Monitor Health Of Cluster

    Configuring SSL VPN to Monitor Health of Cluster The L4 servers use health checks to determine which cluster members are ready to receive requests and which cluster members are unhealthy and should not receive requests. You need to configure the L4 server to monitor the heartbeat URL of the Identity Servers and Access Gateways, so that the L4 server can use this information to accurately update the health status of each cluster member.
  • Page 136: Virtual Server Settings Example

    The health status of the SSL VPN server can be monitored by using the heartbeat URL. The heartbeat URL uses the DNS name of the SSL VPN server as follows: https://<SSLVPN DNS NAME>/sslvpn/heartbeat
  • Page 137 L4 switches require you to use the IP address rather than the DNS name. If the IP address of the SSL VPN Server is 10.10.16.50, and you have configured it for HTTPS, the heartbeat URL is: https://10.10.16.50:8443/sslvpn/heartbeat You must configure the L4 switch to use this heartbeat to perform a health check. If you have configured SSL on the SSL VPN servers and your L4 switch has the ability to do an SSL L7 health check, you can use HTTPS.
  • Page 139: Part V Monitoring The Ssl Vpn Servers

    Monitoring the SSL VPN Servers This section describes the various ways you can determine whether the SSL VPN server is functioning normally and whether an Internet attack is in progress. Chapter 25, “Enabling SSL VPN Audit Events,” on page 141 Chapter 26, “Viewing SSL VPN Statistics,”...
  • Page 141: Enabling Ssl Vpn Audit Events

    Enabling SSL VPN Audit Events The Novell Audit Settings option allows you to configure the events you want audited. The following steps assume that you have already set up Novell® Audit on your network. For more information, see “Configuring Access Manager for Novell Auditing”...
  • Page 142 Generates a log file containing miscellaneous information. Cluster Logs Generates a log file containing information about the SSL VPN cluster. 4 To save your modifications, click OK, then click Apply Changes on the Configuration page.
  • Page 143: Viewing Ssl Vpn Statistics

    Viewing SSL VPN Statistics The Statistics page allows you to view such information as the number of active client connections and the time when the SSL VPN server was started. Section 26.1, “Viewing Statistics of SSL VPN Server,” on page 143 Section 26.2, “Viewing Statistics of SSL VPN Server Cluster,”...
  • Page 144: Viewing Statistics Of Ssl Vpn Server Cluster

    Use this page to monitor a summary of the statistics for servers in a cluster. The following information is displayed: 1 In the Administration Console, click Devices > SSL VPNs > [Cluster Name] > Statistics. The Cluster Statistics page is displayed.
  • Page 145: Viewing The Bytes Graphs

    2 The statistics page has the following information: Server Name: The IP address identifying the SSL VPNs in the cluster. Click the Edit link to edit server information. Statistics: Click the View link to get a summary of the statistics of individual servers in a cluster.
  • Page 147: Monitoring Health Of Ssl Vpn Servers

    Monitoring Health of SSL VPN Servers You can monitor the health of an SSL VPN Server through the Health page, which displays the current status of the server. Section 27.1, “Monitoring Health of Single Server,” on page 147 Section 27.2, “Monitoring Health of SSL VPN Cluster,” on page 148 27.1 Monitoring Health of Single Server 1 In the Administration Console, click Devices >...
  • Page 148: Monitoring Health Of Ssl Vpn Cluster

    3 To send a request to the agent to update its status information, click Update from Server. Click OK in the confirmation dialog box. This can take a few minutes. 4 To close the Health page, click Close.
  • Page 149: Viewing The Command Status Of The Ssl Vpn Server

    Viewing the Command Status of the SSL VPN Server Use the Command Status page to view the command status of the selected SSL VPN server. 1 In the Administration Console, click Devices > SSL VPNs > [Server Name] > Command Status.
  • Page 150 Delete: To delete a command, click Delete. Click OK in the confirmation dialog box. Refresh: To update the current cache of recently executed commands, click Refresh. 3 Click Close to return to the command status page.
  • Page 151: Monitoring Ssl Vpn Alerts

    Monitoring SSL VPN Alerts The Alerts page allows you to view information about current system alerts and to clear them. An alert is generated whenever the SSL VPN Gateway detects a condition that prevents it from performing normal system services. Section 29.1, “Configuring SSL VPN Alerts,”...
  • Page 152: Viewing Ssl Vpn Alerts

    2 To send an acknowledgement, select the check box next to the alert, then click Acknowledge Alert(s). When you acknowledge an alert, the alert is cleared from the list. 3 Click Close to close the Alerts page.
  • Page 153: Viewing Ssl Vpn Cluster Alerts

    29.3 Viewing SSL VPN Cluster Alerts To view information about current alerts for all members of a cluster: 1 In the Administration Console, click Devices > SSL VPNs > [Name of Cluster] > Alerts. 2 Analyze the data displayed in the table. Column Description Server Name...
  • Page 155: Part Vi Troubleshooting Ssl Vpn

    Troubleshooting SSL VPN You might sometimes encounter issues while installing or configuring the SSL VPN servers. The SSL VPN server might not work the way you intended because of problems encountered during installation or configuration. The following sections list some of the scenarios that you might encounter and the steps to troubleshoot such issues: Chapter 30, “Troubleshooting SSL VPN Installation,”...
  • Page 157: Troubleshooting Ssl Vpn Installation

    c:/Program Files/Novell sslvpn service ... You can also uninstall the SSL VPN service through Start > Control Panel > Add or Remove Programs. Linux: If you are a Linux user, log in as and enter the following command on the Linux...
  • Page 158 Modify the existing path-based service accelerating the SSL VPN server and configure the loopback IP 127.0.0.1 as the Web server IP. For more information, see Section 5.7, “Configuration Changes to the SSL VPN Server Installed with the Linux Access Gateway,” on page ...
  • Page 159: Troubleshooting Ssl Vpn Configuration

    Troubleshooting SSL VPN Configuration This section provides various troubleshooting scenarios that you might encounter while configuring SSL VPN. Section 31.1, “Successfully Connecting to the Server,” on page 159 Section 31.2, “The SSL VPN Server Is in a Pending State,” on page 161 Section 31.3, “SSL VPN Connects in Kiosk Mode, But There Is No Data Transfer,”...
  • Page 160: Connection Problems With Mozilla Firefox

    [Figure: Using Mozilla Firefox to Connect to the SSL VPN Server (flowchart). Recoverable labels: Connection Failed: Verify 1, 2, and 3, Retry; Blank Screen with JRE Not Installed: Install JRE; Install Failed: Check Applet Logs, Install Missing Software; Blank Screen Displayed: Check Java Settings in the Browser.]
  • Page 161: Connection Problems With Internet Explorer

    31.1.2 Connection Problems with Internet Explorer [Figure 31-2: Using Internet Explorer to Connect to the SSL VPN Server (flowchart). Recoverable labels: User Requests Remote Access; Enter Correct Name and Password; Successful Connection; Access Manager 3.0 Login screen (Local Login, Username, Password, Login); Connection Failed: Verify 1 and 2...]
  • Page 162: Ssl Vpn Connects In Kiosk Mode, But There Is No Data Transfer

    To verify the status of the SSL VPN server, enter the following command: /etc/init.d/novell-sslvpn status If any component is down, stop and start the SSL VPN server by using the following commands: novell-sslvpn stop novell-sslvpn start
  • Page 163: Verifying Ssl Vpn Components

    31.6 Verifying SSL VPN Components Use the commands and processes described in the following sections to verify that the SSL VPN components are running: Section 31.6.1, “SSL VPN Server,” on page 163 Section 31.6.2, “SSL VPN Linux Client,” on page 163 Section 31.6.3, “SSL VPN Macintosh Client,”...
  • Page 164: Unable To Contact The Ssl Vpn Server

    Possible Cause: If this issue appears in Enterprise mode, it could be because the router configuration is wrong. Action: Check the router configuration. For more information, see Section 11, “Configuring the IP Address, Port, and NAT,” on page ...
  • Page 165: Unable To Connect To The Ssl Vpn Gateway

    SSL VPN services: /etc/init.d/novell-sslvpn restart If you are using a 64-bit machine and have changed the TUN interface, check to make sure the interface is up. If it is down, enter the following command to restart: /etc/init.d/novell-sslvpn restart...
  • Page 166: Ssl Vpn Server Is Unable To Handle The Session

    UNKNOWN HOST the client, when ESP-enabled SSL VPN is installed. This is because this information is provided by the Access Gateway and is available only if the Traditional Novell SSL VPN server is deployed. 31.17 SSL VPN Full Tunnel Connection...
  • Page 167: Bringing Up The Server If A Cluster Member Is Down

    openvpn, stunnel, or sockd, restart SSL VPN by using the following command: /etc/init.d/novell-sslvpn restart You can check the status by using the following command: /etc/init.d/novell-sslvpn status 31.18.2 Bringing Up a Binary If It Is Down Action: If the...
