Novell ACCESS MANAGER 3.1 SP2 - ACCESS GATEWAY GUIDE 2010 Manual page 16

Logout URL: Displays the URL that you need to use for logging users out of protected
resources. This value is empty until you have created at least one reverse proxy and it has been
assigned to be used for authentication. If you create two or more reverse proxies, you can select
which one is used for authentication, and the logout URL changes to match the assigned
reverse proxy.
If any of your protected resources have a logout page or button, you need to redirect the user's
logout request to the page specified by this URL. The Access Gateway can then clear the user's
session and log the user out of any other resources that have been enabled for single sign-on. If
you do not redirect the user's logout request, the user is logged out of one resource, but the
user's session remains active until inactivity closes the session. If the user accesses the resource
again before the session is closed, single sign-on re-authenticates the user to the resource, and it
appears that the logout did nothing.
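
The redirect described for the Logout URL above, as an added example that is not part of the Novell guide: a minimal Python WSGI application whose logout handler ends its own session and then sends the browser to the Access Gateway. The AG_LOGOUT_URL value is a placeholder for whatever the Logout URL field displays; the cookie name and the in-memory session store are hypothetical.

```python
from http.cookies import SimpleCookie

# Assumption: placeholder only. Copy the real value from the Logout URL field.
AG_LOGOUT_URL = "https://gateway.example.com/PLACEHOLDER-logout-path"
SESSION_COOKIE = "app_session"  # hypothetical application cookie name
SESSIONS = {"constructed-session-id": {"user": "alice"}}  # constructed sample store


def session_id(environ):
    """Return the application's session id from the Cookie header, if any."""
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def app(environ, start_response):
    sid = session_id(environ)
    if environ.get("PATH_INFO") == "/logout":
        # 1. Destroy the application's own server-side session.
        SESSIONS.pop(sid, None)
        # 2. Expire the application cookie in the browser.
        # 3. Redirect to the Access Gateway so it clears the single sign-on
        #    session; without this step the next request is silently
        #    re-authenticated and the logout appears to do nothing.
        start_response("302 Found", [
            ("Location", AG_LOGOUT_URL),
            ("Set-Cookie", f"{SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly"),
            ("Cache-Control", "no-store"),
        ])
        return [b""]
    user = SESSIONS.get(sid, {}).get("user", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def call(path, cookie=""):
    """Drive the WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```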
Auto-Import Identity Server Configuration Trusted Root: Allows you to import the public
key from the Identity Server cluster into the trust store of the Embedded Service Provider. This
sets up a trusted SSL relationship between the Embedded Service Provider and the Identity
Server. This option is not available until you have selected an Identity Server Cluster and have
configured the use of SSL on the Embedded Service Provider of the reverse proxy that is
performing authentication (see the Enable SSL with Embedded Service Provider option on the
Reverse Proxy page).
If the Identity Server cluster is using a certificate created by the Novell Access Manager
certificate authority (CA), the public key is automatically added to this trust store, so you do
not need to use this option. If the Identity Server cluster is using a certificate created by an
external CA, you need to use this option to import the public key into the trust store.
5 (Optional) Configure the proxy settings:
Behind Third Party SSL Terminator: Enable this option if you have installed an SSL
terminator between the users and the Access Gateway. This allows the terminator to handle the
SSL traffic between the browsers and the terminator. The terminator and the Access Gateway
can use HTTP for their communication. For some configuration tips, see "Using an SSL
Terminator" in the Novell Access Manager 3.1 SP2 Setup Guide.
Enable Via Header: Enables the sending of the Via header to the Web server. The Via header
contains the DNS name of the Access Gateway and a device ID. It has the following format:
Via: 1.0 www.mylag.com (Access Gateway 3.1.1-72-D06FBFA8CF21AF45)
Deselect this option when your Web server does not need this information or does not know
what to do with it.
6 (Optional) Configure the cookie settings:
For more information and other options for securing Access Manager cookies, see
Section 3.5, "Enabling Secure Cookies," on page 117.
Enable Secure Cookies: Configures the Access Gateway to set the secure keyword for the
proxy authentication cookie. This provides some additional security for the cookie stored in the
browser and allows the browser to destroy the cookie when the SSL session closes.
If you have enabled the Behind Third Party SSL Terminator option, enabling this option sets the
secure keyword on HTTP requests.
WARNING: Do not enable the Enable Secure Cookies option if you have both HTTP and
HTTPS reverse proxies. The HTTP services become unavailable because authentication
requests to the non-secure services fail.