Novell ACCESS MANAGER 3.1 SP1 - GATEWAY GUIDE Manual

Access gateway guide
AUTHORIZED DOCUMENTATION
Access Gateway Guide
Novell
®
Access Manager
3.1 SP1
April 5, 2010
www.novell.com
Novell Access Manager 3.1 SP1 Access Gateway Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP1 - GATEWAY GUIDE

  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    1.5.4 Configuring a Protected Resource for a Novell Teaming 2.0 Server, page 36; 1.6 Configuring HTML Rewriting, page 41; 1.6.1...
  • Page 6 Monitoring the Health of an Access Gateway, page 135...
  • Page 7 Error: novell-vmc-chroot Failed to Start, page 187...
  • Page 8 Using Curl to Download Large Files, page 207...
  • Page 9: About This Guide

    About This Guide This guide describes the following features of Novell® Access Gateways: Chapter 1, “Configuring the Access Gateway to Protect Web Resources,” on page 11 Chapter 2, “Configuring the Access Gateway for SSL,” on page 63 Chapter 3, “Server Configuration Settings,” on page 75 Chapter 4, “Access Gateway Maintenance,”...
  • Page 10: Additional Documentation

    Novell Access Manager 3.1 SP1 SSL VPN Server Guide Novell Access Manager 3.1 SP1 Event Codes Documentation Conventions In Novell® documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path...
  • Page 11: Configuring The Access Gateway To Protect Web Resources

    Configuring the Access Gateway to Protect Web Resources The Novell® Access Gateway is a reverse proxy server (protected site server) that restricts access to Web-based content, portals, and Web applications that employ authentication and access control policies. It also provides single sign-on to multiple Web servers and Web applications by securely providing the credential information of authenticated users to the protected servers and applications.
  • Page 12: Creating A Reverse Proxy And Proxy Service

    Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP...
  • Page 13 addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate. Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service.
  • Page 14 IP addresses to enable. You must enable at least one address by selecting its check box. If the Access Gateway is in a cluster, you must select a listening address for each cluster member.
  • Page 15 TCP Listen Options: Provides options for configuring how requests are handled between the reverse proxy and the client browsers. You cannot set up the listening options until you create and configure a proxy service. For information about these options, see Section 1.7.1, “Configuring TCP Listen Options for Clients,”...
  • Page 16: Configuring A Proxy Service

    You can modify the following features of the proxy service: Web servers, HTML rewriting, logging, protected resources, and caching. 1 To configure a proxy service, click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service].
  • Page 17 Cookie Domain: Specifies the domain for which the cookie is valid. If one proxy service has a DNS name of www.support.novell.com and the second proxy service has a DNS name of www.developernet.novell.com, the cookie domains are support.novell.com for the first proxy service and developernet.novell.com for the second proxy service.
  • Page 18: Configuring The Web Servers Of A Proxy Service

    HTTP 1.1 requests and your Web server can only handle HTTP 1.0 requests, you should enable this option. When the option is enabled, the Access Gateway translates an HTTP 1.1 request to an HTTP 1.0 request.
  • Page 19: Configuring Protected Resources

    5 To enable SSL connections between the proxy service and its Web servers, select Connect Using SSL. For configuration information for this option, Web Server Trusted Root, and SSL Mutual Certificate, see Section 2.4, “Configuring SSL between the Proxy Service and the Web Servers,”...
  • Page 20: Setting Up A Protected Resource

    1 Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources. 2 Either click the name of an existing resource or click New, then specify a display name for the resource.
  • Page 21 You can configure other types of contracts. For more information, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP1 Identity Server Guide. If these default contracts are not available, you have not configured a relationship between the Access Gateway and the Identity Server. See Section 1.1, “Creating a Reverse Proxy and Proxy...
  • Page 22 “Assigning a Form Fill Policy to a Protected Resource” on page 27 “Assigning a Policy to Multiple Protected Resources” on page 29 10 To apply your changes, click the Access Gateways link, then click Update > OK.
  • Page 23: Understanding URL Path Matching

    On the Access Gateway Appliance, you can remove the query string from the URL path or you can create the following touch file: /var/novell/.prWithOutQuestionMark You then need to restart the Access Gateway Appliance to activate the touch file. When this touch file is used, the Access Gateway Appliance ignores the query string and uses just the path to find a match.
  • Page 24: Modifying Authentication Procedures

    Session limits are set by clicking Devices > Identity Servers > Edit. To modify the authentication procedures: 1 Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources > [Name of Protected Resource].
  • Page 25: Assigning An Authorization Policy To A Protected Resource

    “Configuring a Protected Resource for a SharePoint Server with an ADFS Server” on page 31 “Configuring a Protected Resource for Outlook Web Access” on page 34 “Configuring a Protected Resource for a Novell Teaming 2.0 Server” on page 36 1.4.5 Assigning an Authorization Policy to a Protected Resource An Authorization policy specifies conditions that a user must meet in order to access a resource.
  • Page 26: Assigning An Identity Injection Policy To A Protected Resource

    Identity Injection policy to inject into the HTTP header the information that the Web application requires. 1 Click Access Gateways > Edit > [Reverse Proxy Name] > [Name of Proxy Service] > Protected Resources > [Name of Protected Resource] > Identity Injection.
  • Page 27: Assigning A Form Fill Policy To A Protected Resource

    For configuration information, see “Creating Identity Injection Policies” in the Novell Access Manager 3.1 SP1 Policy Management Guide. When you have finished your policy modifications, continue with Step To create a new policy, click Manage Policies. On the Policies page, click New, specify a display name, select Access Gateway: Identity Injection as the type, then click OK.
  • Page 28 Novell Access Manager 3.1 SP1 Policy Management Guide. When you have created your new policy, continue with Step 6 To enable the policy you just created, select the policy, then click Enable.
  • Page 29: Assigning A Policy To Multiple Protected Resources

    Access Management Authentication Class Extension to Retrieve Password for Single Sign-on (http://www.novell.com/communities/node/4556). 1.4.8 Assigning a Policy to Multiple Protected Resources If you have created multiple protected resources that need to be protected by the same policy or policies, you can use the policy view to assign a policy to multiple protected resources.
  • Page 30: Configuring Protected Resources For Specific Applications

    Server,” on page 31 Section 1.5.3, “Configuring a Protected Resource for Outlook Web Access,” on page 34 Section 1.5.4, “Configuring a Protected Resource for a Novell Teaming 2.0 Server,” on page 36 1.5.1 Configuring Protected Resource for a SharePoint Server You can protect a SharePoint server as a domain-based or a path-based multi-homing resource on the Linux Access Gateway Appliance.
  • Page 31: Configuring A Protected Resource For A SharePoint Server With An ADFS Server

    For more information on the other options, see “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP1 Identity Server Guide. 3 Click Next. 4 Configure a card for the contract by filling in the following: Text: Specify the text that is displayed on the card to the user.
  • Page 32 When a user first accesses the SharePoint server, the users are directed either to the home page or the root of the server. From either of these locations, the users can be
  • Page 33 redirected to the Identity Server for authentication. After the users have authenticated and the SharePoint server requests authentication for access to any of the other pages, these pages need to be configured to use non-redirected login. 1 In the Proxy Service List, click the name of the Proxy Service you created, then click Protected Resources.
  • Page 34: Configuring A Protected Resource For Outlook Web Access

    2 Either click the name of an existing resource or click New, then specify a display name for the resource. 3 (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
  • Page 35 4 Select an authentication contract. If you want to enable non-redirected login, select Name/Password - Basic as the authentication contract. 5 (Optional) If you want to enable non-redirected login, click the Edit Authentication Procedure icon, then click the contract that you have added to specify the following information: Non-Redirected Login: Select the option to enable non-redirected login.
  • Page 36: Configuring A Protected Resource For A Novell Teaming 2.0 Server

    The following sections explain how to configure the Access Gateway with a domain-based multi-homing service. The instructions assume that you have a functioning Novell Teaming 2.0 server on Linux and a functioning Access Manager 3.1 SP1 IR1 system with a reverse proxy configured for SSL communication between the browsers and the Access Gateway.
  • Page 37 Configuring the Teaming Server to Trust the Access Gateway To use Teaming as a protected resource of a Novell Access Gateway and to use Identity Injection for single sign-on, the Teaming server needs a trusted relationship with the Access Gateway. With a trusted relationship, the Teaming server can process the Authorization header credentials.
  • Page 38 The following instructions describe how to set up a domain-based service to protect the Teaming server. In this example, the published DNS name of the service is teaming.doc.provo.novell.com. Users would access the Teaming server with a URL similar to the following: http://teaming.doc.provo.novell.com/teaming.
  • Page 39 2 Create a protected resource for HTML content: 2a In the Protected Resource List, click New, specify a name, then click OK. 2b (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource. 2c Specify a value for Authentication Procedure.
  • Page 40 “Configuring Single Sign-On” on page Configuring Single Sign-On You must configure an Identity Injection policy to enable single sign on with the Novell Teaming server. This Identity Injection policy should be configured to inject the authentication credentials into the Authorization headers.
  • Page 41: Configuring HTML Rewriting

    For more information on creating such a policy, see “Configuring an Authentication Header Policy” in the Novell Access Manager 3.1 SP1 Policy Management Guide. 9 Assign this policy to the protected resources: 9a Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
  • Page 42: Understanding The Rewriting Process

    Internet users through the Access Gateway by using a published DNS name of novell.com. Many of the HTML pages on this Web site have URL references that contain the private DNS name, such as http://data.com/imagel.jpg. Because Internet users are unable to resolve data.com/imagel.jpg, links using this URL reference would return DNS errors in the...
  • Page 43: Specifying The DNS Names To Rewrite

    Context Criteria HTTP Headers Qualified URL references occurring within certain types of HTTP response headers such as Location and Content-Location are rewritten. The Location header is used to redirect the browser to where the resource can be found. The Content-Location header is used to provide an alternate location where the resource can be found.
  • Page 44 The link to the data.com server is automatically rewritten to novell.com when rewriting is enabled. The link to the image on graphics.com is not rewritten until you add this URL to the Additional DNS Name List. When the link is rewritten, the browser knows how to request it, and the Access Gateway knows how to resolve it.
  • Page 45 If the Web server listens on one port (for example, 80) and redirects the request to a secure port (for example, 443), the response to the user comes back on https://<DNS_name>:443. This does not match the request, which was sent on http://<DNS_name>:80. If you add the DNS name to the list, the response can be sent in the format that the user expects.
  • Page 46: Defining The Requirements For The Rewriter Profile

    A user accesses data.com through the published DNS name of novell.com.mx. The data.com server has references to product.com. The novell.com.mx proxy has two ways to get to the product.com server because this Web server has two published DNS names (novell.com.uk and novell.com.usa).
  • Page 47 Word Profile A Word profile searches for matches on words. For example, “get” matches the word “get” and any word that begins with “get” such as “getaway” but it does not match the “get” in “together” or “beget.” The Access Gateway has a default Word profile. It is not specific to a reverse proxy or its proxy services.
  • Page 48 Possible Actions for Rewriter Profiles The rewriter action section of the profile determines the actions the rewriter performs when a page matches the profile. Select from the following: Inbound Actions Enabling or Disabling Rewriting
  • Page 49 Additional Names to Search for URL Strings to Rewrite with Host Name String Replacement Inbound Actions: A profile might require these options if the proxy service has the following characteristics: URLs appear in query strings, Post Data, or headers. The Web server uses WebDAV methods. If your profile needs to match pages from this type of proxy service, you might need to enable the following options.
  • Page 50 String replacement is done as a single pass. String replacement is not performed recursively. Suppose you have listed the following search and replacement strings: to be replaced with to be replaced with
  • Page 51 Rewriting with a Multi-homing Path. Figure 1-6 (figure): Browsers, Firewall, Access Gateway (novell.com), Web Server (inner.com). The request to novell.com/inner is forwarded to inner.com; in the reply, the source HTML page's <a href="../prices/pricelist.html" class="ulink"> is rewritten to <a href="../inner/prices/pricelist.html" class="ulink">...
  • Page 52: Configuring The HTML Rewriter And Profile

    To configure the HTML rewriter: 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > HTML Rewriting.
  • Page 53 The HTML Rewriting page specifies which DNS names are to be rewritten. The HTML Rewriter Profile specifies which pages to search for DNS names that need to be rewritten. 2 Select Enable HTML Rewriting. This option is enabled by default. When it is disabled, no rewriting occurs. When enabled, this option activates the internal HTML rewriter.
  • Page 54 Rather than modify the default profile, you should create your own customized Word profile and enable it. 6 Use the Requested URLs to Search section to set up a policy for specifying the URLs you want this profile to match.
  • Page 55 Fill in the following fields: If Requested URL Is: Specify the URLs of the pages you want this profile to match. Click New to add a URL to the text box. To add multiple values, enter each value on a separate line. And Requested URL Is Not: Specify the URLs of pages that this profile should not match.
  • Page 56 Character profile is executed per page. The first one in the list that matches a page is executed, and the others are ignored. 12 Enable the profiles you want to use for this protected resource. Select the profile, then click Enable.
  • Page 57: Disabling The Rewriter

    The default profile cannot be disabled. However, it is not executed if you have enabled another Word profile that matches your pages, and this profile comes before the default profile in the list. 13 To save your changes to browser cache, click OK. 14 To apply your changes, click the Access Gateways link, then click Update >...
  • Page 58 JavaScript. <!--NOVELL_REWRITE_ATTRIBUTE_ON='value'--> <param> elements to be rewritten <!--NOVELL_REWRITE_ATTRIBUTE_OFF='value'--> <param> elements that shouldn’t be rewritten
  • Page 59: Configuring Connection And Session Limits

    Form Tags: Some applications have forms in which the <input>, <button>, and <option> elements contain a value attribute with a URL. You can enable global rewriting of these attributes by adding formvalue to the list of variable and attribute names to search for. If you need more control because some URLs need to be rewritten but others cannot be rewritten, you can turn on and turn off rewriting by adding the following tags before and after the...
  • Page 60: Configuring TCP Connect Options For Web Servers

    1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.
  • Page 61 2 Configure the IP address to use when establishing connections with Web servers: Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.
  • Page 62: Configuring Connection And Session Persistence

    1 In the Administration Console, click Devices > Identity Servers > Edit. 2 For the Session timeout option, use the up-arrow button to increase the timeout and the down-arrow button to decrease the timeout. 3 Click OK, then update the Identity Server.
  • Page 63: Configuring The Access Gateway For SSL

    Configuring the Access Gateway for SSL SSL provides the following security features: authentication and nonrepudiation of the server through the use of digital signatures; data confidentiality through the use of encryption; data integrity through the use of authentication codes. Mutual SSL provides the same things as SSL, with the addition of authentication and nonrepudiation of the client, by using digital signatures.
  • Page 64 You should enable at least SSL if the Access Gateway is injecting authentication credentials into HTTP headers. Mutual SSL is probably not needed if you have configured the Web servers so that they can only accept connections with the Access Gateway.
  • Page 65: Prerequisites For SSL

    You can use the Access Manager CA to create this certificate. See “Creating a Locally Signed Certificate” in the Novell Access Manager 3.1 SP1 Administration Console Guide. You can create a certificate signing request (CSR), send it to an external CA, then import the returned certificates into Access Manager.
  • Page 66: Configuring SSL Communication With The Browsers And The Identity Server

    Secure Port and allowed to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service. This option is only available if you have selected Enable SSL with Embedded Service Provider.
  • Page 67 Identity Servers in the selected Identity Server Configuration. This sets up a trusted SSL relationship between the Identity Server and the Embedded Service Provider. If you are using certificates signed by the Novell Access Manager CA, the public key is automatically added to this trust store.
  • Page 68: Configuring SSL Between The Proxy Service And The Web Servers

    Access Gateway and its Web servers. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.
  • Page 69 2 To configure SSL, select Connect Using SSL. This option is not available if you have not set up SSL between the browsers and the Access Gateway. See Section 2.3, “Configuring SSL Communication with the Browsers and the Identity Server,” on page 66 and select the Enable SSL between Browser and Access Gateway field.
  • Page 70 This is only part of the process. You need to import the trusted root certificate of the CA that signed the proxy service’s certificate to the Web servers assigned to this proxy service. For instructions, see your Web server documentation.
  • Page 71: Enabling Secure Cookies

    SSL configured, create a touch file as follows: 1 On the Linux Access Gateway Appliance, log in as root. 2 Specify the following command to create the .setsecureESP file: touch /var/novell/.setsecureESP 3 Specify the following command to restart the Linux Access Gateway:...
  • Page 72: Securing The Proxy Session Cookie

    NOTE: This works only for HTTPS services. When this setting is enabled, you cannot configure the Access Gateway to have an HTTP service that requires authentication, or create a policy that depends on the authentication cookie.
  • Page 73: Managing Access Gateway Certificates

    2.6 Managing Access Gateway Certificates Section 2.6.1, “Managing Embedded Service Provider Certificates,” on page 73 Section 2.6.2, “Managing Reverse Proxy and Web Server Certificates,” on page 73 2.6.1 Managing Embedded Service Provider Certificates The Access Gateway uses an Embedded Service Provider to communicate with the Identity Server. The Service Provider Certificates page allows you to view the private keys, certificate authority (CA) certificates, and certificate containers associated with this module.
  • Page 74 Phase 2: When you select to update the Access Gateway, the configuration for the Access Gateway is modified to contain references to the new certificate and the configuration change is sent to the Access Gateway. The Access Gateway loads and uses the new certificate.
  • Page 75: Server Configuration Settings

    Server Configuration Settings This section describes the configuration settings that affect the Access Gateway as a server, such as changing its name or setting the time. Section 3.1, “Viewing and Updating the Configuration Status,” on page 75 Section 3.2, “Saving, Applying, or Canceling Configuration Changes,” on page 77 Section 3.3, “Starting and Stopping the Access Gateway,”...
  • Page 76 Click the icon to discover which objects have been misconfigured. You need to fix the error by either canceling or modifying the changes before you can perform an update.
  • Page 77: Saving, Applying, Or Canceling Configuration Changes

    Status Description Pending Indicates that the server is processing a configuration change, but has not completed the process. 3.2 Saving, Applying, or Canceling Configuration Changes When you make configuration changes on a page accessed from Devices > Access Gateways > Edit and click OK on that page, the changes are saved to the browser cache.
  • Page 78: Starting And Stopping The Access Gateway

    Section 3.3.3, “Starting the Access Gateway Service Provider,” on page 80 Section 3.3.4, “Stopping the Access Gateway Service Provider,” on page 80 Section 3.3.5, “Restarting the Access Gateway Appliance,” on page 80 Section 3.3.6, “Stopping the Access Gateway Appliance,” on page 81
  • Page 79: Updating The Access Gateway

    3.3.1 Updating the Access Gateway When a configuration change has been made, but not applied, the Access Gateway is in an Update status on the Access Gateways page. If the Access Gateway is a member of a cluster, the cluster is in an Update All status.
  • Page 80: Starting The Access Gateway Service Provider

    The following field displays information about the command you are scheduling. Type: Displays the type of command that is being scheduled, such as Access Gateway Shutdown, Access Gateway Reboot, Access Gateway Upgrade, Device Configuration. 3 Fill in the following fields:
  • Page 81: Stopping The Access Gateway Appliance

    Scheduled Command. Name: (Required) Specifies a name for this scheduled command. This name is used in log and trace files. Description: (Optional) Provides a field to describe the reason for the command. Date & Time: The drop-down menus allow you to select the day, month, year, hour, and minute when the command should execute.
  • Page 82: Changing The Name Of An Access Gateway And Modifying Other Server Details

    The tunnel option lets you create one or more services for the specific purpose of tunneling non-HTTP traffic through the Access Gateway to a Web server. To do this, the non-HTTP traffic must use a different IP address and port combination than the HTTP traffic.
  • Page 83 An Access Gateway usually processes HTTP requests in order to fill them. However, it is not unusual that some of the traffic coming through the gateway is not HTTP-based. Web servers sometimes handle Telnet, FTP, chat, or other kinds of traffic without attempting to process it. If your Web servers are handling this type of traffic, you should set up a tunnel for it.
  • Page 84: Setting The Date And Time

    1 minute of each other for trusted authentication to work. To configure the date and time options: 1 In the Administration Console, click Devices > Access Gateways > Edit > Date & Time.
  • Page 85: Customizing Error Pages On The Gateway Appliance

    2 (Conditional) If the Access Gateway belongs to a cluster of Access Gateways, select the Access Gateway from the list displayed in the Cluster Member field. The modifications you make on this page apply only to the selected Access Gateway. If the Access Gateway does not belong to a cluster, this option is not available.
  • Page 86: Customizing The Error Pages By Using The Default Template

    A sample error page template looks similar to the following: <html> <head><title>Information Alert</title></head> <body bgcolor="white"> <div align="center"> <center> <table border="0" cellpadding="2" frame height="199" style="margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: -1px"> <tr> <td height="34" align="center"><font color="black" face="Arial Bold" size="4"><b><p align="center"></b></font>...
  • Page 87 All the images must be linked to the <PROXY_ADDRESS>/images/ directory. All the images must be copied to Tomcat in the path /var/opt/novell/tomcat5/webapps/LAGERROR/images If you have changed an image but retained the filename, press Ctrl+F5 in the browser to refresh the Access Gateway cache.
  • Page 88: Customizing And Localizing Error Messages

    English file because the ErrorPagesConfig.xml file selects the error message within these tags for display. 4 Save the file. 5 Enter the following commands to restart the Linux Access Gateway:
  • Page 89 /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start 6 If the Access Gateway belongs to a cluster, copy the modified file to each member of the cluster, then restart that member. Modifying the ErrorPagesConfig.xml File The ErrorPagesConfig.xml file stores the header value and the template mapping information.
  • Page 90: Configuring Network Settings

    New Network Interfaces to the Gateway Appliance,” on page To view or modify your current adapter settings: 1 In the Administration Console, click Devices > Access Gateways > Edit > Adapter List.
  • Page 91 To delete an address, select the address, then click Delete. To change the IP address, see “Changing the IP Address of the Access Gateway Appliance” in the Novell Access Manager 3.1 SP1 Administration Console Guide. 5 Click OK. 6 Configure the Adapter List Options.
  • Page 92: Viewing And Modifying Gateway Settings

    Access Gateway. IMPORTANT: If you enter an IP address that is on a different subnetwork, the Access Gateway reports this error on the Health page, after the configuration has been applied.
  • Page 93 To modify your current gateway configuration: 1 In the Administration Console, click Devices > Access Gateways > Edit > Gateways. 2 (Conditional) If the Access Gateway is a member of a cluster, select the server you want to configure from the list of servers in the Cluster Member field. All changes made to this page apply to the selected server.
  • Page 94: Viewing And Modifying DNS Settings

    3.8.3 Viewing and Modifying DNS Settings The DNS page displays the current configuration for domain name services and allows you to modify it. 1 In the Administration Console, click Devices > Access Gateways > Edit > DNS.
  • Page 95 2 (Conditional) If the Access Gateway is a member of a cluster, select the server you want to configure from the list of servers in the Cluster Member field. All changes made to this page apply to the selected server. 3 Fill in the following fields: Server Hostname: Displays the unique host or computer name that you have assigned to the Access Gateway machine.
  • Page 96: Configuring Hosts

Cluster Member field. All changes made to this page apply to the selected server. 3 To add a new hostname to an existing IP address, click the name of a Host IP Address.
  • Page 97: Adding New Network Interfaces To The Gateway Appliance

    4 In the Host Name(s) text box, specify a name for the host. Place each hostname on a separate line, then click OK. 5 To add a new IP address and hostname, click New in the Host IP Address List section, then specify the IP address.
  • Page 98: Customizing Logout Requests

The following sections provide some tips for accomplishing this task: “Modifying the Header” on page 99 “Redirecting to Your Custom Page” on page 99 “Calling Different Logout Pages” on page 99
  • Page 99 For information on how to modify nidp.jsp for logos, titles, and colors, see “Rebranding the Header” in the Novell Access Manager 3.1 SP1 Identity Server Guide. IMPORTANT: Save a copy of your modified nidp.jsp file. Every time you upgrade your Access...
  • Page 100: Configuring X-Forwarded-For Headers

This feature is especially useful for deployments that set up configurations in a staging environment, test and validate the configuration, then want to deploy the configuration on new hardware that exists in the production environment.
  • Page 101: Exporting The Configuration

See “Backing Up and Restoring Components” in the Novell Access Manager 3.1 SP1 Administration Console Guide. When exporting the file, you can select to password protect the file, which encrypts the file. If you...
  • Page 102: Importing The Configuration

In the Administration Console, click Devices > Access Gateways, select the Access Gateway, then click Actions > Remove from Cluster. You can create a cluster and add this machine to the cluster as the primary server after you have completed the import.
  • Page 103: Cleaning Up And Verifying The Configuration

    The Access Gateway should be an unconfigured machine. If it contains reverse proxies, delete them before continuing. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxies / Authentication. In the Reverse Proxy List, select Name, then click Delete. Update the Access Gateway and the Identity Server.
  • Page 104 This certificate should be in use by the ESP Mutual SSL and Proxy Key Store of the Access Gateway.
  • Page 105 9c If the certificate is not in use by the required keystores, select the certificate, then click Actions > Add Certificate to Keystores. 9d Click the Select Keystore icon, select ESP Mutual SSL and Proxy Key Store of the Access Gateway, then click OK twice.
  • Page 107: Access Gateway Maintenance

    Access Gateway Maintenance Section 4.1, “Gateway Appliance Logs,” on page 107 Section 4.2, “Configuring Proxy Service Logging,” on page 110 Section 4.3, “Monitoring Access Gateway Statistics,” on page 118 Section 4.4, “Monitoring Access Gateway Alerts,” on page 128 Section 4.5, “Enabling Access Gateway Audit Events,” on page 133 Section 4.6, “Managing Server Health,”...
  • Page 108: Interpreting Log Messages

Table 4-1 Linux Access Gateway Components (Number / Component). If the fifth and sixth digits are 01, the Multi-Homing component... Service Manager, Request Processing, Authentication, Authorization, Identity Injection, Form Fill, Caching, Response Processing.
  • Page 109: Configuring Logging Of Soap Messages And Http Headers

Number / Component: Rewriting, Soap Channel, Connection Manager, DataStream. 4.1.3 Configuring Logging of SOAP Messages and HTTP Headers 1 At the command prompt, enter the following command: nash 2 To enter the configuration mode, enter the following command: configure .current 3 Enter one of the following commands to configure logging: Command / Purpose: Logs all the SOAP messages between the...
  • Page 110: Configuring Proxy Service Logging

    Section 4.2.6, “Configuring the Size of the Log Partition,” on page 118 4.2.1 Determining Logging Requirements Because logging requirements and transaction volume vary widely, Novell cannot make recommendations regarding a specific logging strategy. The following tasks guide you through the process of creating a strategy that fits your business needs.
  • Page 111: Calculating Rollover Requirements

5 Design a log deletion strategy. The Access Gateway has a limited amount of disk space allocated for logging, and you need to decide how you are going to manage this space. You can limit the number of rollover files by number or age.
  • Page 112 3 Record the max_roll_time result on your planning sheet. Calculating max_log_roll_size Use the following formula to calculate the maximum log file size you should specify in the Maximum File Size field: max_log_roll_size = logpartition_size / (num_services * logs_per_service)
  • Page 113: Enabling Logging

For example, assume the following: logpartition_size = 600 MB, num_services = 2, logs_per_service = 3. Then max_log_roll_size = 600 MB / (2 * 3) = 100 MB. If you roll your logs over when they reach a specific size, the file size must be no more than 100 MB.
  • Page 114: Configuring Common Log Options

Service] > Logging > [Name of Common Log Profile]. 2 Select one of the following roll over options: Rollover When File Size Reaches: Rolls the file when it reaches the specified number of megabytes.
  • Page 115: Configuring Extended Log Options

    Rollover every: Rolls the file at the specified interval. You can specify the interval in hours or days. beginning: Specifies the day that the interval should begin. You can select a day of the week or the first of the month. at: Select the hour of the day that the interval should begin and the time zone (either the local time zone or GMT).
  • Page 116 The number of bytes of HTTP response data the Access Gateway sent to the browser. Bytes Received: The number of bytes of HTTP request data the proxy service received from the browser.
  • Page 117 Name / Description. Time Taken: The time in seconds it took the Access Gateway resources to deal with the request. User Agent: The User-Agent HTTP request header value the browser sent to the Access Gateway. Cookie: The Cookie HTTP request header value the browser sent to the Access Gateway.
  • Page 118: Configuring The Size Of The Log Partition

The Statistics page allows you to monitor the amount of data and the type of data the Access Gateway is processing. 1 In the Administration Console, click Devices > Access Gateways > [Name of Server] > Statistics.
  • Page 119 2 Select from the following types: “Server Activity” on page 119 “Server Benefits” on page 123 “Service Provider Activity” on page 123 3 Click Close. Server Activity Access Gateways > [Name of Server] > Statistics Select whether to monitor live or static statistics: Statistics: Select this option to view the statistics as currently gathered.
  • Page 120 The connection statistics show the current and peak levels of usage in terms of TCP connections. Table 4-3 Connections (Statistic / Description). Current Connections to Origin Server: Displays the current number of connections that the Access Gateway has established with Web servers.
  • Page 121 Statistic / Description. Current Connections to Browsers: Displays the current number of connections that the Access Gateway has established with browsers. Current Total Connections: Displays the current total of all connections that the Access Gateway has established. Connections to Origin Server: Displays the total number of connections that the Access Gateway has established with Web servers since it was last started.
  • Page 122 ...Second from Browsers: Displays the peak number of requests that have been sent in one second from the browsers to the Access Gateway. Cache Freshness The cache freshness statistics display information about the cache refresh process.
  • Page 123 Table 4-6 Cache Freshness (Statistic / Description). Total “Get If Modified Since” Request: Displays the total number of Get If Modified Since requests that the Access Gateway has received from browsers. Total Not Modified Replies: Displays the total number of 304 Not Modified replies that the Access Gateway has received from the Web servers for updated content.
  • Page 124 (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of cached sessions. If no sessions have been cached, the value axis is not meaningful.
  • Page 125 Statistic Description Cached Ancestral Sessions The number of cached ancestral session IDs. An ancestral session ID is created during the failover process. When failover occurs, a new session is created to represent the previous session. The ID of the previous session is termed an “ancestral session ID,”...
  • Page 126 It looks for a parameter on the query string of the URL indicating the authoritative server. It looks for an HTTP cookie, indicating the authoritative
  • Page 127: Viewing Cluster Statistics

    server. If these do not exist, the cluster member examines the payload of the HTTP request to determine the authoritative server. Payload examinations result in immediate identification of the authoritative server or a user session ID or user identity ID that can be used to locate the authoritative server.
  • Page 128: Monitoring Access Gateway Alerts

Access Gateway detects a condition that prevents it from performing normal system services. 1 In the Administration Console, click Devices > Access Gateways > [Name of Server] > Alerts.
  • Page 129: Configuring Access Gateway Alerts

    2 To delete an alert from the list, select the check box for the alert, then click Acknowledge Alert(s). To remove all alerts from the list, click the Severity check box, then click Acknowledge Alert(s). 3 Click Close. 4 (Optional) To verify that the problem has been solved, click Access Gateways > [Server Name] >...
  • Page 130 Generated when the IP address of DNS parent is invalid. DNS Resolver Initialization Failure (10 seconds): Generated when the DNS resolver initialization fails. DNS Resolver Initialization Failure (2 minutes): Generated when the DNS resolver initialization fails.
  • Page 131 Services Gateway has been configured to stop services. To configure the Access Gateway to continue when auditing services are not available, click Auditing > Novell Auditing, deselect the Stop Services on Audit Server Failure option, then click Apply. Failure in Audit, Will lose events: Generated when the audit agent has failed.
  • Page 132 Lists the number of critical alerts that have been sent and not acknowledged. Warning: Lists the number of warning alerts that have been sent and not acknowledged. Information: Lists the number of informational alerts that have been sent and not acknowledged.
  • Page 133: Enabling Access Gateway Audit Events

    4.5 Enabling Access Gateway Audit Events The Novell Audit option in the Access Gateway allows you to configure the events you want audited. The following steps assume that you have already set up Novell Audit on your network. For more information, see “Configuring Access Manager for Novell...
  • Page 134: Managing Server Health

Administration Console. A yellow status indicates that the server might be functioning sub-optimally because of configuration discrepancies. A yellow status with a question mark indicates that the server has not been configured.
  • Page 135: Monitoring The Health Of An Access Gateway

Icon / Description. A red status with an x indicates that the server configuration might be incomplete or wrong, that a dependent service is not running or functional, or that the server is having a runtime problem. 4.6.2 Monitoring the Health of an Access Gateway To view detailed health status information of an Access Gateway: 1 In the Administration Console, click Devices >...
  • Page 136 Access Gateway. A green status indicates that a configuration has been applied; it does not indicate that it is a functioning configuration.
  • Page 137 Embedded Service Provider Configuration: Specifies whether the Access Gateway has been configured to trust an Identity Server and whether that configuration has been... See “Configuring an Identity Server” in the Novell Access Manager 3.1 SP1 Identity Server Guide for information on configuring an Identity Server.
  • Page 138: Viewing The Health Of An Access Gateway Cluster

3 To ensure that the information is current, click Refresh. 4 To view specific information about the status of an Access Gateway, click the Health icon in the Access Gateway row.
  • Page 139: Viewing The Command Status Of The Access Gateway

    4.7 Viewing the Command Status of the Access Gateway Commands are issued to an Access Gateway when you make configuration changes and when you select an action such as stopping or starting the gateway. Certain commands, such as start and stop commands, retry up to 10 times before they fail. The first few retries are spaced a few minutes apart, then they move to 10-minute intervals.
  • Page 140: Viewing Detailed Command Information

Delete: To delete a command, click Delete. Click OK in the confirmation dialog box. Refresh: To update the current cache of recently executed commands, click Refresh. 5 Click Close to return to the Command Status page.
  • Page 141: Configuring The Content Settings

    Configuring the Content Settings One of the major benefits of using an Access Gateway to protect Web resources is that it can cache the requested information and send it directly to the client browser rather than contacting the origin Web resource and waiting for the requested information to be sent. This can significantly accelerate access to the information.
  • Page 142 If it isn’t valid, the request is forwarded to the Web server. Ignore: Causes the proxy service to ignore the request and send the data from cache without checking to see if the cached data is valid.
  • Page 143: Controlling Browser Caching

5 Modify the Cache Freshness settings for the Gateway Appliance. Use the Reset button to return these settings to their default values. These options govern when the proxy service revalidates requested cached objects against those on their respective origin Web servers. If the objects have changed, the proxy service re-caches them.
  • Page 144: Configuring Custom Cache Control Headers

Access Gateway can recognize and follow. Section 5.3.1, “Understanding How Custom Cache Control Headers Work,” on page 145 Section 5.3.2, “Enabling Custom Cache Control Headers,” on page 146
  • Page 145: Understanding How Custom Cache Control Headers Work

    5.3.1 Understanding How Custom Cache Control Headers Work Only the proxy service containing the custom header definition follows the cache policies specified in the custom headers. All other proxy services, requesting browsers, and external proxy caches (transparent caches, client accelerators, etc.), do not recognize the custom headers. They follow only the cache policies specified by the standard cache control headers.
  • Page 146: Enabling Custom Cache Control Headers

A value of zero prevents the Access Gateway from caching the object. This cache interval can be different than the value set for browsers (see Section 5.3.1, “Understanding How Custom Cache Control Headers Work,” on page 145).
  • Page 147: Configuring A Pin List

8 Ensure that the Web server continues to send the following standard HTTP cache-control headers: Cache-Control: Max-Age headers that cause browsers to cache objects for no longer than two minutes. Cache-Control: Private headers that cause external caches to not cache the objects. When your Web server sends an object with the MYCACHE header in response to a request made through the Access Gateway, the proxy service recognizes the custom header and caches the object for 10 minutes.
  • Page 148: Url Mask

All of these are classified as hostnames, and they are ordered by specificity. The first item in the list is considered the most specific and is processed first. The last item is the most general and is processed last.
  • Page 149 Level: path. Examples: /documents/picture.gif, /documents/pictures.gif/*, /documents/*. Path entries are processed after hostnames. A leading forward slash must always be used when specifying a path, and the entry that follows must always reference the root directory of the Web server. In these examples, documents is the root directory.
  • Page 150: Pin Type

You can configure the Access Gateway to use the pin list to add objects to the cache and to use the purge list to remove the same objects. 1 In the Administration Console, click Devices > Access Gateways > Edit > Purge List.
  • Page 151: Purging Cached Content

    2 Click New, enter a URL pattern, then click OK. 3 (Optional) Repeat Step 2 to add additional URL patterns. 4 To save your changes to browser cache, click OK. 5 To apply the changes, click the Access Gateways link, then click Update > OK. 5.6 Purging Cached Content You can select to purge the content of the purge list or all content cached on the server.
  • Page 153: Protecting Multiple Resources

    Protecting Multiple Resources This section describes how to create multiple resources for the various Access Gateway components, including a cluster of Access Gateways. Figure 6-1 illustrates the relationships that Access Gateways, reverse proxies, proxy services, Web servers, and protected resources have with each other when two Access Gateways are members of a cluster.
  • Page 154: Setting Up A Group Of Web Servers

Connection persistence is enabled by default. This allows the Access Gateway to send multiple HTTP requests to the Web server to be serviced before the connection is closed. To configure this option, see Section 1.7.2, “Configuring TCP Connect Options for Web Servers,” on page 154.
  • Page 155: Using Multi-Homing To Access Multiple Resources

    Session persistence is enabled whenever a second Web server is added to the list. This allows a browser to persistently use the same Web server after an initial connection has been established. This type of persistence is not configurable. For more information on persistent connections, see Section 1.7.3, “Configuring Connection and Session Persistence,”...
  • Page 156 ... | 10.10.195.90:80 | sales.internal.com | 10.10.15.20; apps.company.com | 10.10.195.90:80 | apps.internal.com | 10.10.15.30. Configure your DNS server to resolve the published DNS names to the IP address of the Access Gateway. Set up the back-end Web servers.
  • Page 157: Path-Based Multi-Homing

    To create a domain-based multi-homing proxy service, see Section 6.2.4, “Creating a Second Proxy Service,” on page 160, and select domain-based for the multi-homing type. 6.2.2 Path-Based Multi-Homing Path-based multi-homing uses the same DNS name for all resources, but each resource or resource group must have a unique path appended to the DNS name.
  • Page 158 If you select to use the Forward Received Host Name option for a path-based service, you might also need to add entries to the Additional DNS Name List for the rewriter. For more information, see “Determining Whether You Need to Specify Additional DNS Names” on page 158.
  • Page 159: Virtual Multi-Homing

    Configuring for Path-Based Multi-Homing Before configuring the Access Gateway, you need to complete the following: Create the published DNS names with paths for public access to the back-end resources. For example, the table below uses test.com as the domain name. It lists three published DNS names (two with paths), the IP address these names resolve to, and the Web servers that they are going to protect: Access Gateway...
  • Page 160: Creating A Second Proxy Service

6.2.4 Creating a Second Proxy Service 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy]. 2 In the Proxy Service List, select New.
  • Page 161 3 Fill in the fields. Proxy Service Name: Specify a display name for the proxy service. For the sales group, you might use sales. For the group of application servers, you might use apps. Multi-Homing Type: Specify the multi-homing method that the Access Gateway should use to identify this proxy service.
  • Page 162: Configuring A Path-Based Multi-Homing Proxy Service

2 Configure the following options: Description: (Optional) Provide a description of the purpose of this proxy service or specify any other pertinent information.
  • Page 163 HTTP Options: Determines how the proxy service handles HTTP headers and caching. For more information, see Section 5.3, “Configuring Custom Cache Control Headers,” on page 144 and Section 5.2, “Controlling Browser Caching,” on page 143. 3 Configure the path options: Remove Path on Fill: Determines whether the multi-homing path is removed from the URL before forwarding it to the Web server.
  • Page 164: Managing Multiple Reverse Proxies

Section 6.3.2, “Changing the Authentication Proxy Service,” on page 165 6.3.1 Managing Entries in the Reverse Proxy List 1 In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.
  • Page 165: Changing The Authentication Proxy Service

    2 In the Reverse Proxy List, select one of the following actions: New: To create a new reverse proxy, click New. You are prompted to enter a display name for the proxy. For configuration information, see Section 1.1, “Creating a Reverse Proxy and Proxy Service,”...
  • Page 166: Managing A Cluster Of Access Gateways

Section 6.4.1, “Managing the Servers in the Cluster,” on page 167 Section 6.4.2, “Changing the Primary Cluster Server,” on page 168 Section 6.4.3, “Applying Changes to Cluster Members,” on page 168
  • Page 167: Managing The Servers In The Cluster

For information about monitoring the health or statistics of a cluster, see Section 4.6, “Managing Server Health,” on page 134 and Section 4.3, “Monitoring Access Gateway Statistics,” on page 118. 6.4.1 Managing the Servers in the Cluster To view the servers that are currently members of clusters: 1 In the Administration Console, click Devices >...
  • Page 168: Changing The Primary Cluster Server

1 Remove the server to which you have applied the configuration changes from the cluster. 2 Access the Configuration page for the cluster, then click Revert. The servers in the cluster revert to the last applied configuration.
  • Page 169 3 Add the removed server to the cluster. The server is configured to use the same configuration as the other cluster members. When you make the following configuration changes, the Update All option is the only option available and your site is unavailable while the update occurs: The Identity Server configuration that is used for authentication is changed (Access Gateways >...
  • Page 171: Troubleshooting The Linux Access Gateway

    “Troubleshooting a Linux Access Gateway Appliance Installation” and “Troubleshooting the Access Gateway Import” in the Novell Access Manager 3.1 SP1 Installation Guide. For information on how to install security patches on your Linux Access Gateway, see “Installing or Updating the Latest Linux Patches”...
  • Page 172: Useful Tools

173. The /chroot/lag/opt/novell/bin directory contains the following scripts: getlaglogs.sh: Generates a /var/log/laglogs.tar.gz file of the install and system log files. For more information, see “Linux Access Gateway Logs” on page 196.
  • Page 173: The Linux Access Gateway Console

    Use this script to resolve auto-import issues. For more information, see “Triggering an Import Retry” in the Novell Access Manager 3.1 SP1 Installation Guide. You can use the following commands to stop and start the Linux Access Gateway and to view its status.
  • Page 174 7. Display HTTP server statistics Displays statistics about the server handling of HTTP requests. 8. Display HTTP client statistics Displays statistics about the client handling of HTTP requests.
  • Page 175: Viewing Configuration Information

    Screen Description 9. Display connection statistics Displays general information about connections. 10. Display FTP client statistics Displays statistics about FTP client requests. 11. Display GOPHER client statistics Displays statistics about GOPHER requests. 12. Display configured addresses and services Displays information about the IP addresses that the Access Gateway is using.
  • Page 176: Useful Files For Troubleshooting The Access Gateway Appliance

When enabled, this file contains a log of the HTTP headers to and from the Linux Access Gateway. For information on enabling logging to this file, see “Configuring Logging of SOAP Messages and HTTP Headers” on page 109.
  • Page 177: Using Touch Files

.~newInstall: Located in the /var/novell directory. The Linux Access Gateway creates this file by default during every start. If you want the Linux Access Gateway to come up without the contents cached in the previous run, or to purge all cache, remove this file before you restart the Linux Access Gateway.
  • Page 178 The Linux Access Gateway sends 302 redirects without any content by default. When this file is present, the following content is sent for any 302 redirects: <html><head><title>Redirection</title></head><body>Your browser should support redirection.</body></html>
  • Page 179 Filename / Description. .forceUTF8CharSet: Located in the /var/novell directory. When this file is enabled, the Linux Access Gateway serves the Form Fill page to the browser in the UTF-8 character set. .ignoreDnsServerHealth: Located in the /var/novell directory. Ignores the DNS server health status while reporting health to the Administration Console.
  • Page 180 .matchLagIchainCookieName: Located in the /var/novell directory. Forwards a proxy session cookie to a back-end application. Cookie without a touch file looks like: IPCZQX03a36c6c0a=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Cookie with a touch file looks like: IPCZQX01a36c6c0a=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Page 181 Filename / Description. .spnetworkplaces: Located in the /var/novell directory. Helps users use the Microsoft Network Places client to connect to WebDAV folders, such as SharePoint, that are accelerated by the Linux Access Gateway as a path-based multi-homing service. For this touch file to function as specified, you should add the following lines to the file, then restart the Linux Access Gateway.
  • Page 182 If multiple paths are configured, Access Gateway looks for the last path-based service accessed by this user. This path is injected to the request, and the request is sent to this path-based service.
  • Page 183 The Linux Access Gateway must be restarted in order to get the desired functionality. Use the following command to restart when a touch file is created or removed: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start Creating a File To create a file, use the following command as a root user: touch <pathname>/<filename>...
  • Page 184: Protected Resource Issues

“Configuring Authentication Methods” and “Configuring Authentication Contracts” in the Novell Access Manager 3.1 SP1 Identity Server Guide. 5a In the Administration Console, click Devices > Identity Servers > Edit > Methods.
  • Page 185: Troubleshooting Http 1.1 And Gzip

Form Fill does not need to process the data, the compressed data is sent unchanged from the Web server to the browser. This is the default behavior. To turn off the GZIP feature: 1 Add the following touch file: /var/novell/.noGzipSupport Use the touch utility to create this blank file. 2 Restart the Linux Access Gateway.
  • Page 186: Protected Resources Referencing Non-Existent Policies

GIFs might be denied access. To avoid this, you should add the page and the index.html page as a protected resource. Doing this avoids the possibility of missing GIFs.
  • Page 187: Unable To View Contents Of Mail When Outlook Web Access Is Protected By Access Gateway

    302 redirect. 7.4 Hardware and Machine Resource Issues Section 7.4.1, “Error: novell-vmc-chroot Failed to Start,” on page 187 Section 7.4.2, “Mismatched SSL Certificates in a Cluster of Access Gateways,” on page 187 Section 7.4.3, “Recovering from a Hardware Failure on an Access Gateway Machine,” on page 188 Section 7.4.4, “Reinstalling a Failed Access Gateway,”...
  • Page 188: Recovering From A Hardware Failure On An Access Gateway Machine

5b Add it to the cluster. 5c Make it the primary cluster server. 5d Delete the Access Gateway that is using the new IP address from the cluster and from the Administration Console.
  • Page 189: Cos Related Issues

    7.4.5 COS Related Issues The following sections explain how to troubleshoot COS (cache object store) partition issues: “Viewing COS Partition Details” on page 189 “Checking if the COS Partition Is Mounted” on page 189 Viewing COS Partition Details You can view COS partition details either through YaST or through the nash prompt. Using YaST 1 Log in as the user.
  • Page 190 4 Enter the Display COS Global Statistics option number at the Enter option prompt.
  • Page 191: Memory Issues

    The following details are displayed if the COS partition is mounted: 7.4.6 Memory Issues The following sections explain how to troubleshoot memory issues: “Checking Memory Details and Related Information” on page 191 “Checking Available Memory” on page 191 Checking Memory Details and Related Information Most of the information, including the memory details, can be accessed by entering the following command at the prompt:...
  • Page 192: Rewriter Issues

    The path-based proxy services are configured to Forward Received Host Name and to Remove Path on Fill. The Web servers protected by these path-based proxy services have links to each other.
  • Page 193: Reading Configuration Files

    The HTTP header does not help, because the proxy services are forwarding the same host name: mycompany.provo.novell.com.
  • Page 194: Additional DNS Name Without a Scheme Is Not Rewritten

    Check the rewriter configuration. Ensure that your content type, extension type, and include URL list are valid. 7.6 Troubleshooting Crashes and Hangs Section 7.6.1, “The Access Gateway Hangs When the Audit Server Comes Back Online,” on page 195
  • Page 195: The Access Gateway Hangs When The Audit Server Comes Back Online

    For more information about the logevent file and these parameters, see Logevent (http://www.novell.com/documentation/nsureaudit/nsureaudit/data/al36zjk.html#alibmyw). 7.6.2 Access Gateway Crashes When the Log Files Are Removed If you have enabled the debug level of logging for the and the...
  • Page 196: Troubleshooting A Failed Linux Access Gateway Configuration

    The Linux Access Gateway might have crashed for one of the following reasons: SIGSEGV ASSERT (for a debug build only) The following sections explain how to gather the files that need to be sent to Novell for a resolution of the problem. “Linux Access Gateway Logs” on page 196 “Event Log”...
  • Page 197 2 To stop all instances of Linux Access Gateway, enter the following command: /etc/init.d/novell-vmc stop 3 To start the Novell Linux Access Gateway in debugging mode, enter the following command: /etc/init.d/novell-vmc gdb 4 To run the Linux Access Gateway process, enter the following command at the GDB prompt: run -m <memory>...
  • Page 198 6 To save all event logs to a file, enter the following command: d ,save 1 This stores all the events in the /chroot/lag-debug/opt/novell/debug/<pid>all_events.0.txt file. 7 Tar or zip this file and send it to Novell Support. Useful Debugger Commands GDB Commands Table 7-6 Command Function...
  • Page 199: Linux Access Gateway Not Responding

    6 Enter the following command to save the core dump in the /chroot/lag directory: gcore. The core dump is saved as core.<pid>. 7 Tar or zip this file and send it to Novell Support. Packet Capture The tcpdump utility allows you to capture network trace packets. 1 Log in as the user.
  • Page 200: Connection And Authentication Issues

    The core dump is saved as core.<pid> 8 Tar or zip this file and send it to Novell Support. 7.7 Connection and Authentication Issues This section provides various troubleshooting scenarios and frequently asked questions that you might encounter while using the Linux Access Gateway, and suggests appropriate actions.
  • Page 201: Authentication Issues

    Socket Listener Bind To verify whether the socket listener is bound to the required port: 1 Log in as the root user. 2 At the bash prompt, enter the following command: netstat -anp | grep LISTEN All listening ports are displayed. 3 Search for the desired port.
  • Page 202 3 Enter the Proxy Console option number at the Pick a Screen prompt. The Linux Access Gateway Console screen is displayed. 4 To select the Identity Agent Console option, enter the option number at Enter Option. The Identity Agent Console screen is displayed.
  • Page 203 The user information contains the following items: X: An authenticated user. O: An unauthenticated user. R: A retired user; the user session has timed out. The default time-out is 3 minutes. In this state, the user session is deleted. If the user makes another request from the browser session, the Linux Access Gateway requires the user to authenticate.
  • Page 204: Form Fill Issues

    2 Specify the following command to create the .enableInPlaceSilentFill file: touch /var/novell/.enableInPlaceSilentFill 3 Specify the following command to create the .enableInPlaceSilentFillNew file: touch /var/novell/.enableInPlaceSilentFillNew 4 Specify the following commands to restart Linux Access Gateway: /etc/init.d/novell-vmc stop /etc/init.d/novell-vmc start
  • Page 205: Form Fill Error Messages

    Form fill fails if the policy is not configured correctly. For configuration information, see “Creating Form Fill Policies” in the Novell Access Manager 3.1 SP1 Policy Management Guide. 7.8.5 Browser Spinning Issues Browser spinning can occur if inappropriate data is filled in the form because of one of the following...
  • Page 206: Authorization And Identity Injection Issues

    Restart the Embedded Service Provider from the Administration Console as follows: 1 In the Administration Console, click Devices > Access Gateways. 2 Select the server, then click Actions. 3 Click Service Provider > Restart Service Provider. 4 Click OK.
  • Page 207: Identity Injection Failures

    Customer Header Injection Failed. Query String Injection Failed. Authentication Header Injection Failed. To receive help resolving identity injection failures, send the following information to Novell Support: Linux Access Gateway logs. For more information on how to get Linux Access Gateway log files, see “Gateway Appliance Logs”...