Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide
1 Overview of SSL VPN
Access Modes
1.1.1 Kiosk Mode
B.24 Socks Client Logs Are Displayed under Service Logs
B.25 Connection Fails in SSL VPN If the Root User Password Is Not Set in Macintosh
Novell Access Manager 3.1 SP2 SSL VPN User Guide
Novell Access Manager 3.1 SP2 Identity Server Guide
Novell Access Manager 3.1 SP2 Access Gateway Guide
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
Overview of SSL VPN
The Novell Access Manager SSL VPN allows you to use a Web browser to access corporate resources securely from a remote site. It uses a Secure Socket Layer (SSL) with a virtual private connection (VPN). It is a clientless solution, and it eliminates the need to install or configure a VPN client on your desktop or laptop.
“Preinstalling the SSL VPN Client Components” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide. For more information on using Enterprise mode, see Chapter 3, “Accessing SSL VPN in Enterprise Mode,”...
“Configuring SSL VPN to Download the Java Applet on Internet Explorer” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide. The following table lists the supported versions of operating software and browsers in the Windows...
NOTE: Do not use Windows Explorer to run SSL VPN.
Sun JRE 1.4.1 or higher
NOTE: If you are using Firefox 3.6, you must have Java SE 6 update 10 or higher.
Accessing SSL VPN in Kiosk Mode
Kiosk mode is the usual choice for computers not controlled by the organization, such as home computers and computers in Web-browsing kiosks. In the Kiosk mode of SSL VPN, only those applications that are opened after connecting to the SSL VPN server are enabled for SSL.
7 If the SSL VPN connection is successful, the SSL VPN Home page is displayed. Make sure that you keep the browser open throughout the SSL VPN session, and continue with Step If the SSL VPN connection fails, an error message is displayed. Skip to Step
8 Do one of the following, depending on whether you are a Linux, Macintosh, or Windows user: Linux: If you are a Linux user, open a new terminal to launch applications that need to be enabled for SSL. For more information, see Section 5.5.1, “Enabling Linux Applications for SSL,”...
For more information on pre-installing the client components, see “Preinstalling the SSL VPN Client Components” in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide. You must have the recommended browser or operating software installed in your system. For more information, see Section 1.2, “Client Machine Requirements,”...
Policy tab. Make sure that you do not close this browser during the SSL VPN session. If the SSL VPN connection fails, an error message is displayed.
5 (Conditional) If you see this error message, click Logout to log out of the session. For more information on these error messages, see Appendix A, “Error Messages,” on page
3.3 Accessing SSL VPN as a Non-Admin User
If you are a non-admin or a non-root user, but you know the credentials of the administrator or root user, you can connect to SSL VPN in Enterprise mode as follows:...
7 (Conditional) If the connection is successful, the SSL VPN Home page is displayed, allowing access to all the resources listed on the Policy page. Make sure that you do not close this browser during the SSL VPN session.
SSL VPN in Kiosk Mode,” on page
3.5 Enabling the Sudo Command for Standard Users in the Mac OS
Novell SSL VPN uses the sudo command to gain root privileges for non-root users in the Mac OS. This command is not enabled by default for standard users in the Mac OS.
Accessing Published Citrix Applications through SSL VPN
You can access published Citrix applications through SSL VPN.
Section 4.1, “Accessing Published Citrix Applications in Kiosk Mode,” on page 23
Section 4.2, “Accessing Published Citrix Applications in Enterprise Mode,” on page 23
4.1 Accessing Published Citrix Applications in Kiosk Mode
1 Connect to a Citrix server by using the following URL:...
Click the Home icon to display the Home page. How this page is displayed to you depends on how your organization has customized this page. The following figure displays the default Novell SSL VPN home page. SSL VPN Home Page...
Java applet log for more information on the error. For more information on error messages, see Appendix A, “Error Messages,” on page
5.2 Using the Policies Page
1 On the SSL VPN Home page, click the Policies icon.
2 Review the information on the page. This page displays the resources you can access, based on the traffic policies configured by your system administrator for your role. The information is displayed as follows:
Name: The name of the traffic policy applicable for your role.
Destination: The IP address of the destination network.
NOTE: When you click the installation logs, you might notice the log message Sandbox is enabled for you at VPN-SANDBOX. This message indicates that a folder named VPN-SANDBOX was automatically created for you on your desktop during the SSL VPN
connection. Copy or download all the files into this folder. This folder, along with its contents, is deleted automatically when you disconnect the SSL VPN connection.
Section 5.7, “Using the Sandbox Feature,” on page 30
Tunnel Logs: Displays the tunnel logs. This contains STunnel logs if the SSL VPN connection is in Kiosk mode and OpenVPN logs if the SSL VPN connection is in Enterprise mode.
Kiosk mode or Enterprise mode, a folder named VPN-SANDBOX is created on your desktop. You can copy all the files and folders that you have downloaded from your corporate network, or that
you have created into this folder. This folder is automatically deleted when the SSL VPN connection is terminated. This is a very useful feature if you are browsing from an Internet Kiosk and you do not want any sensitive information to reach other persons.
Figure 5-2 Sandbox Folder on Your Desktop
The Browser Agent logs indicate that the Sandbox folder has been created on your desktop.
Windows client to load a Java-based applet instead of the ActiveX controls. To force the applet to load, enter the following URL to launch the SSL VPN user interface:
https://<DNS-Name>/sslvpn/login?forcejre
Error Messages
Some frequently encountered error messages and their explanations are given below:
“AM.1000: Client Integrity Check Failed. Check Error Logs for More Information.” on page 36
“AM.1001: Server Is not Responding.” on page 36
“AM.1002: Client Is Inactive for More Than <x> Minutes. Please Log Out.” on page 36
“AM.1003: Problem with One of the Underlying Components/ Connection Error.
“AM.1303: Unable to Send Acknowledgment to the Applet for the Cookie Received” on page 44
“AM.1304: Incorrect DNS Information Message Received from the Applet (Incorrect Length of Message)” on page 44
“AM.1305: Unable to Send Acknowledgment to the Applet for the DNS Message Received” on page 44
“AM.1306: Disconnect Message from the Applet Was Incorrect (Incorrect Message Length)” on page 44
“AM.1307: Unable to Send Acknowledgment to the Applet for the Disconnect Message Received”...
Action: Click Log Entries, select Polresolver Logs, Tunnel Logs and Service Logs from View Logs to check details, then contact your system administrator.
Possible Cause: The SSL VPN tunnel is down.
Action: Click Log Entries, then select Tunnel Logs from View Logs to check details. Try reconnecting again. If the problem persists, contact your system administrator.
AM.1005: Failed to Find Free Ports on the Client.
Possible Cause: No free ports are available.
Action: Contact your system administrator.
AM.100I: Your SSL VPN connection was terminated by the System Administrator. Please Log Out.
Possible Cause: The system administrator has disconnected your connection.
Action: Try reconnecting. If the problem persists, contact your system administrator.
AM.100J: Your SSL VPN connection was terminated because of configuration changes in the server or because the server was restarted. Please log out.
Possible Cause: The SSL VPN restarted to apply the configuration changes.
Action: Log out of SSL VPN connection. Try reconnecting after a few minutes.
Possible Cause: One of the SSL VPN server components might have gone down.
Action: Close the browser. If you want to reconnect, initiate the connection from a fresh instance of the browser.
AM.1011: This Operating System Is not Supported. Please Log Out.
Possible Cause: Your operating system is not supported.
Action: Click Log Entries, then select Browser Agent Logs from View Logs for more information. Check the Novell Access Manager 3.1 SSL VPN User Guide (http://www.novell.com/documentation/novellaccessmanager31/sslvpn_userguide/index.html?page=/documentation/novellaccessmanager31/sslvpn_userguide/data/bookinfo.html) for supported platforms.
AM.1012: The User Does Not Seem to Have Enough Privileges. Please Log Out.
Manager 3.1 SSL VPN User Guide (http://www.novell.com/documentation/novellaccessmanager31/sslvpn_userguide/index.html?page=/documentation/novellaccessmanager31/sslvpn_userguide/data/ba9j4uq.html). If your browser is supported by Novell SSL VPN, close all instances of the browser and try connecting from a fresh instance of the browser.
AM.1021: Failed to Send a Keepalive Message to Server
Possible Cause: Failed to send the session persistence packets to the server.
Action: Click Log Entries, then select Browser Agent Logs and Service Logs from View Logs for more information. Check if the enterprise thin client service binary novell-sslvpn-serv is running.
AM.1100: Received Zero Length Data from the SOCKS Client.
Possible Cause: The SSL-enabled application crashed while performing a policy resolution.
AM.1306: Disconnect Message from the Applet Was Incorrect (Incorrect Message Length)
Possible Cause: Polresolver – Applet communication is bad or the session cleanup is incomplete.
Action: Contact your system administrator if the problem persists.
AM.1307: Unable to Send Acknowledgment to the Applet for the Disconnect Message Received
Possible Cause: Polresolver – Applet communication is bad or the session cleanup is incomplete.
Action: Contact your system administrator if the problem persists.
AM.1308: Polresolver Received an Incomplete Message.
Possible Cause: An intruder might be probing Polresolver with an incorrect message.
Action: Click Log Entries, then select Tunnel Logs from View Logs to check logs. Try reconnecting from a fresh instance of the browser. If the problem persists, contact your system administrator.
serv.exe If it is not running, go to Control Panel > Administrative Tools > Services Panel and look for a service named novell-sslvpn-serv. If it is found, restart it. If it is not found, then the thin-client service is not installed properly.
Possible Cause: You have not selected any client mode in the SSL VPN mode selection dialog box.
Action: Log out from the current session and connect again. When the Mode selection dialog box appears, select a client mode.
For more information on SSL VPN modes, see the Novell Access Manager SSL VPN User Guide (http://www.novell.com/documentation/novellaccessmanager31/sslvpn_userguide/index.html?page=/documentation/novellaccessmanager31/sslvpn_userguide/data/bac4n0o.html).
AM.1809: Error: Failed to Start SSL VPN Desktop Cleanup
Possible Cause: There was an error in initiating the desktop cleanup action.
If your deployment requires 250 or more concurrent SSL VPN connections, your regular Novell sales channel can determine if the export law allows you to order the high bandwidth version at no extra cost.
Troubleshooting SSL VPN
This section provides various troubleshooting scenarios that you might encounter while configuring SSL VPN.
Section B.1, “SSL VPN Fails to Load If Firefox 3.0 Is Used on Vista 64-bit,” on page 52
Section B.2, “Error: Failed to Fetch CIC Policy from the Server,” on page 52
Section B.3, “Stability Issues when You Use a Firefox Browser on a Vista 64-Bit Machine,”...
Failed to Renew DHCP IP Address Lease on TAP-Win 32 Adapter: The system cannot find the file specified.
To work around this issue, do the following before attempting to connect to SSL VPN again:
1 Select Start > Control Panel > Network Connections.
2 Right-click the Local Area Connection with the device name TAP-Win 32 Adapter, then select Properties.
3 Click Configure, then select the Advanced tab.
4 Select Media Status and set the value to Always Connected.
5 Click OK.
B.5 The SSL VPN Applet Fails to Download on a SLED 11 64-bit Machine
If you are using a SUSE Linux Enterprise Desktop (SLED) 11 64-bit machine, the SSL VPN applet might fail to download after logging in, and a blank page is displayed to you.
On a Windows machine, do the following:
1 Control Panel > Java.
2 Click Delete Files in the General tab.
3 Select the Downloaded Applets check box in the Delete Temporary Files dialog box.
4 Click OK.
B.11 Mozilla Firefox Browser Displays an “X” Mark
If you see an “X” on the top left corner of Mozilla Firefox while trying to access the SSL VPN end user portal, it indicates that the Java Runtime Environment* (JRE) is not installed on the client machine.
B.19 The Browser Becomes Non-Responsive If Clear Browser Private Data Is Repeatedly Clicked
The browser might become non-responsive if the Clear Browser Private Data button in the SSL VPN applet is repeatedly clicked. This issue occurs with the JRE Update 06 version. To work around this issue, upgrade the JRE to the latest update.
When there is no password set for the root user, you can log in by using the root credentials of the admin user.