Novell ACCESS MANAGER 3.1 SP2 - SSL VPN SERVER GUIDE 2010 Manual

AUTHORIZED DOCUMENTATION
SSL VPN Server Guide
Novell
Access Manager
3.1 SP2
June 11, 2010
www.novell.com
Novell Access Manager 3.1 SP2 SSL VPN Server Guide


Summary of Contents for Novell ACCESS MANAGER 3.1 SP2 - SSL VPN SERVER GUIDE 2010

  • Page 2: Legal Notices

    Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Accelerating the Traditional Novell SSL VPN
  • Page 6 Monitoring SSL VPN Alerts (page 89)
  • Page 7 6.7.1 Configuring SSL VPN Alerts (page 89); 6.7.2 Viewing SSL VPN Alerts
  • Page 9: About This Guide

    Documentation Feedback (http://www.novell.com/documentation/feedback.html): go to www.novell.com/documentation/feedback.html and enter your comments there. Documentation Updates: For the most recent version of the Novell Access Manager SSL VPN Server Guide, visit the Novell Access Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager).
  • Page 10: Additional Documentation

    Novell Access Manager 3.1 SP2 Access Gateway Guide. Documentation Conventions: In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 11: Overview Of Ssl Vpn

    Section 1.2, “Traditional and ESP-Enabled SSL VPNs,” on page 14; Section 1.3, “SSL VPN Client Modes,” on page 16. 1.1 SSL VPN Features: Novell SSL VPN comes with a number of key features that make the product secure, easy to access, and reliable. Browser-Based End User Access: Novell SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines.
  • Page 12 Enterprise and Kiosk Modes for End User Access The Novell SSL VPN uses both clientless and thin-client access methods. The clientless method is called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.
  • Page 13 This is a potential security threat if it is not properly dealt with. The Novell SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the browser history, cache, cookies, and files from the system, before logging out of the SSL VPN connection.
  • Page 14: Traditional And Esp-Enabled Ssl Vpns

    Administration server to also be installed. This type of deployment is called an ESP-enabled Novell SSL VPN. When SSL VPN is deployed with the Access Gateway, it is called a Traditional Novell SSL VPN. In this type of installation, SSL VPN is deployed with the Identity Server, Administration Console, and the Linux Access Gateway components of Novell Access Manager.
  • Page 15: Traditional Novell Ssl Vpn

    1.2.2 Traditional Novell SSL VPN The following figure shows the Novell Access Manager components and the process involved in establishing a secure connection between a client machine and traditional Novell SSL VPN server. In this type of deployment, the Linux Access Gateway accelerates and protects the SSL VPN server.
  • Page 16: High-Bandwidth And Low-Bandwidth Ssl Vpns

    You can install the high-bandwidth SSL VPN RPM on both the Traditional Novell SSL VPN server and on the ESP-enabled Novell SSL VPN server. Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.
  • Page 17: Enterprise Mode

    For more information on the client platforms and setups tested by Novell, see the Access Manager 3.1 Support Pack 1 SSLVPN integration testing report (http://www.novell.com/support/viewContent.do?externalId=7004342&sliceId=1). Section 1.3.1, “Enterprise Mode,” on page 17; Section 1.3.2, “Kiosk Mode,” on page 19. 1.3.1 Enterprise Mode...
  • Page 18 OK to enable Enterprise mode. Enterprise mode is enabled by default in the subsequent sessions and the user is not prompted again for the administrator or username and password. root Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 19: Kiosk Mode

    You can configure a user to connect in Kiosk mode only. When you have done so, a user is connected to SSL VPN in Kiosk mode after the user provides credentials in the Novell Access Manager login page. For more information, see Section 4.2.1, “Configuring Users to Connect Only...
  • Page 20 If a user wants to access SSL VPN with Internet Explorer, use the following URL: https:<DNS-Name>/sslvpn/login?forcejre=true For more information, see Section 4.2.4, “Configuring SSL VPN to Download the Java Applet on Internet Explorer,” on page Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 21: Basic Configuration For Ssl Vpn

    2.1 Configuring Authentication for the ESP- Enabled Novell SSL VPN If you installed the ESP-enabled Novell SSL VPN, then an Embedded Service Provider component was installed along with the SSL VPN server during the installation. You must now configure the Embedded Service Provider in order to establish a trust relationship between the Identity Server and the Embedded Service Provider.
  • Page 22 8443 for HTTPS. If you want to use port 80 or 433, select the port here, then select the Redirect Requests from Non-Secure Port to Secure Port option. Selecting 80 for HTTP and 443 for HTTPS implies that the port needs to be translated. Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 23: Accelerating The Traditional Novell Ssl Vpn

    Section 2.1, “Configuring Authentication for the ESP-Enabled Novell SSL VPN,” on page If you have installed the traditional Novell SSL VPN, this is a mandatory configuration in order to accelerate the SSL VPN server. Section 2.2.1, “Configuring the Default Identity Injection Policy,” on page 24 Section 2.2.2, “Injecting the SSL VPN Header,”...
  • Page 24: Configuring The Default Identity Injection Policy

    For more information on creating a proxy service and authentication procedure, see “Configuring a Reverse Proxy” in the Novell Access Manager 3.1 SP2 Setup Guide. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
  • Page 25 For more information on configuring the loopback IP address, see “Configuration Changes to the SSL VPN Server Installed with the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Installation Guide. Host Header: Select which hostname is forwarded to the Web server in the host header. If your SSL VPN server has a DNS name, select Web Server Host Name.
  • Page 26 Section 2.2.1, “Configuring the Default Identity Injection Policy,” on page Name: Select Create SSL VPN Default Protected Resource from the drop-down list. 9 Click OK to close the Enable SSL VPN pop-up. Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 27: Configuring The Ip Address, Port, And Network Address Translation (Nat)

    10 Click the Web Servers tab. 11 Specify 8080 in the Connect Port field, then click OK. 12 In the Proxy Service List section, click the name of the parent proxy service of the newly created SSL VPN proxy service. This host does not have a multi-homing value. 13 Select the Protected Resources tab.
  • Page 28: Configuring The Ssl Vpn Gateway Behind Nat Or L4

    2 Select Basic Configuration from the Gateway Configuration section. 3 Specify the NAT/L4 configuration as follows: Behind NAT/L4: Select the check box to specify that the SSL VPN Gateway is behind NAT.
  • Page 29 Public IP Address: This field is enabled when the Behind NAT check box is selected. Specify the public IP address (that is, the address exposed to the Internet user) that translates into the SSL VPN Gateway IP address. This is the IP address where the external user on the Internet must be able to access the SSL VPN server.
  • Page 30: Configuring The Ssl Vpn Gateway Without Nat Or An L4 Switch

    2.3.2 Configuring the SSL VPN Gateway without NAT or an L4 Switch 1 In the Administration Console, click Devices > SSL VPNs > Edit. The Server configuration page is displayed. 2 Select Basic Configuration from the Gateway Configuration section.
  • Page 31 3 Specify the device-specific configuration as follows: Cluster Member: Select the cluster member from a list of IP addresses. Listening IP Address: Specify the IP address that the SSL VPN listens on. Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 switch or behind NAT.
  • Page 32: Configuring Route And Source Nat For Enterprise Mode

    IP address of the client do not match. For more information on configuring the IP address, see Section 2.3, “Configuring the IP Address, Port, and Network Address Translation (NAT),” on page
  • Page 33: Configuring The Openvpn Subnet In Routing Tables

    The packets from these clients reach the application server with the IP address of the client as the source address. The response packets need to be routed back to the SSL VPN server, which sends them on to the clients. You can solve this routing problem in one of the following ways: Section 2.4.1, “Configuring the OpenVPN Subnet in Routing Tables,”...
  • Page 34: Configuring Dns Servers For Kiosk Mode

    YaST as follows (the settings are written to /etc/resolv.conf): 1 In YaST, select Network Devices > Network Cards, then press Enter. 2 Select Change, then press Enter. 3 Select Edit, then press Enter.
  • Page 35: Configuring Certificate Settings

    The following instructions assume that you have already created a certificate. For more information on creating certificates, see “Security and Certificate Management” in the Novell Access Manager 3.1 SP2 Administration Console Guide. Before you proceed with the configuration, log in to the Administration Console, select Security >...
  • Page 36 Alias(es): You can provide an alternate name for the certificate you are importing. 5 Click OK to save changes. 6 To save your modifications, click OK, then click Update on the Configuration page Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 37: Configuring End-Point Security And Access Policies For Ssl Vpn

    Configuring End-Point Security and Access Policies for SSL VPN Novell SSL VPN has a set of client integrity check policies to protect your network and applications from clients that are using insufficient security restraints. You can configure a client integrity check policy to run on the client workstations before establishing a tunnel to the SSL VPN gateway.
  • Page 38: Configuring Policies To Check The Integrity Of The Client Machine

    4 Continue with “Configuring the Category” on page For more information on exporting and importing client integrity check policies, see Section 3.1.5, “Exporting and Importing Client Integrity Check Policies,” on page
  • Page 39: Configuring The Category

    3.1.2 Configuring the Category A category is a group of similar software. For example, a firewall category can contain a list of firewalls such as the Windows Firewall and ZoneAlarm firewall. You can configure multiple software categories for a single client integrity check policy. When multiple categories are configured for an operating system, the client integrity check fails if any one of the enabled categories is not found on the client.
  • Page 40: Configuring Attributes For An Application

    The client integrity check detects the presence of these attributes. 1 To add a new attribute, click New, specify an attribute name, then click OK. 2 Click the application to add application details and attributes.
  • Page 41 3 Specify details for the attributes. The following table lists the attributes for applications on different operating systems: Operating Attribute Type Attribute Name System Linux Name: Specify the name of the RPM that must be present on the client machine. Version: Specify the version of the RPM that must be present on the client machine.
  • Page 42 Version: Specify the version of the software process that must be running in the client machine. NOTE: The version attribute specifies the Windows Explorer file version number. Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 43 Operating Attribute Type Attribute Name System RegistryKey Name: Specify the name and absolute path of the registry key that must be present on the client machine. Value Name: Specify the name of the registry key value. Value Data: Specify a data for the registry key value. This data can be for registry type REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_MULTI_SZ, or REG_SZ.
  • Page 44: Exporting And Importing Client Integrity Check Policies

    Edit. 3 Click Client Integrity Check Policies in the Policies section. 4 Click Import. 5 Browse and select the XML file that contains the saved client integrity check policies configuration.
  • Page 45: Configuring Client Security Levels

    6 Click OK. 7 To save your modifications, click OK, then click Update on the Configuration page. 3.2 Configuring Client Security Levels You can configure the SSL VPN server to send traffic on the SSL VPN tunnel based on the level of security configured at the client machine.
  • Page 46: Configuring A Security Level

    You can configure a maximum of 250 traffic rules per role, depending on the length of the policy name. If you have configured multiple traffic policies, the policies are prioritized based on the order of their creation.
  • Page 47: Configuring Policies

    The roles for a user are created in the Identity Server. These roles are displayed in the traffic policies page by default. In scenarios such as a federated setup, where the role can be injected from another Identity Server, you can add or remove the user-configured roles while creating the traffic policies. Section 3.3.1, “Configuring Policies,”...
  • Page 48 Click the Add Role icon to add the roles and click the Remove selected roles icon to delete the roles. Click OK to confirm your changes, or click Cancel to discard the changes. Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 49: Ordering Traffic Policies

    The role is case-sensitive. If the role configured is Employee and the Identity Server sends a request for employee, the rule is not pushed to the client. You cannot change the role name after you have configured a traffic rule. If you do so, the changes are not reflected in the associated traffic rule.
  • Page 50: Exporting And Importing Traffic Policies

    9 To save your modifications, click OK, then click Update on the Configuration page. 3.4 Configuring Full Tunneling Novell SSL VPN is configured for split tunneling by default. This means that only the traffic that is enabled to go through the protected network, such as items meant for the corporate network, goes through the VPN tunnel.
  • Page 51: Creating A Full Tunneling Policy

    You must configure traffic policies for both split tunneling and full tunneling in your organization in order to permit access to specific internal hosts as well as prevent a hacker from controlling the machine via a connection external to the tunnel. The split tunneling policies must be ordered at the top of the policy list and the full tunneling policy must be placed as the last policy.
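The three rules stated on pages 46, 49 and 51 (priority is creation order, role names match case-sensitively, and the full tunneling policy must be last) combine into a small selection model. The following added example, not Novell's code and not the SSL VPN server's own algorithm, applies that model to a constructed policy list. Assumptions beyond what the guide says: a rule whose destination is 0.0.0.0/0 is the full-tunnel rule, the first rule whose destination contains a packet's address decides, the action names are "encrypt" and "deny", and the rule names and networks are sample data.

```python
"""Added example, not Novell's code: which traffic rules reach a client,
and why split-tunnel rules must precede the full-tunnel rule.  Model
(assumptions): exact, case-sensitive role match; rules keep creation
order; the first rule whose destination contains the packet's address
decides; a rule for 0.0.0.0/0 is the full-tunnel rule; 'encrypt' and
'deny' are used here as the action names."""
import ipaddress
from dataclasses import dataclass

MAX_RULES_PER_ROLE = 250           # limit stated in the guide
FULL_TUNNEL = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class TrafficRule:
    name: str
    role: str            # "Employee" and "employee" are different roles
    destination: str     # CIDR network
    action: str          # "encrypt" or "deny" (assumed names)

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)

    @property
    def is_full_tunnel(self):
        return self.network == FULL_TUNNEL


def rules_for_user(policy, user_roles):
    """Rules the server would push for a user holding user_roles (as sent
    by the Identity Server), in policy order.  Raises if any role in the
    policy exceeds the 250-rule limit."""
    for role in {r.role for r in policy}:
        if sum(r.role == role for r in policy) > MAX_RULES_PER_ROLE:
            raise ValueError(f"role {role!r} has more than {MAX_RULES_PER_ROLE} rules")
    return [r for r in policy if r.role in user_roles]


def ordering_problems(policy):
    """Split-tunnel rules placed after a full-tunnel rule for the same role
    can never match; report them."""
    problems, full_seen = [], {}
    for rule in policy:
        if rule.is_full_tunnel:
            full_seen.setdefault(rule.role, rule.name)
        elif rule.role in full_seen:
            problems.append(f"{rule.name} is shadowed by {full_seen[rule.role]}")
    return problems


def decide(rules, dst_ip):
    """Action for a packet to dst_ip under first-match semantics;
    None means the packet leaves the client outside the tunnel."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip in rule.network:
            return rule.action
    return None


# Constructed policy (not from the guide): split rules first, full tunnel last
POLICY = [
    TrafficRule("deny-hr-db", "Employee", "10.5.0.0/16", "deny"),
    TrafficRule("intranet", "Employee", "10.0.0.0/8", "encrypt"),
    TrafficRule("admin-net", "Admin", "192.168.100.0/24", "encrypt"),
    TrafficRule("full-tunnel", "Employee", "0.0.0.0/0", "encrypt"),
]
MISORDERED = [POLICY[3]] + POLICY[:3]   # full-tunnel rule created first

if __name__ == "__main__":
    emp = rules_for_user(POLICY, {"Employee"})
    print([r.name for r in emp])                       # three Employee rules
    print(rules_for_user(POLICY, {"employee"}))        # []: case mismatch
    print(decide(emp, "10.5.1.1"), decide(emp, "10.1.1.1"),
          decide(emp, "93.184.216.34"))                # deny encrypt encrypt
    print(ordering_problems(MISORDERED))
```

Two things the run makes visible that the prose only states: an Admin user with no full-tunnel rule of their own still reaches 8.8.8.8 outside the tunnel (split tunneling is the default), and a full-tunnel rule created before the split rules silently shadows them, which is the misordering the guide warns about.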
  • Page 52: Modifying Existing Traffic Policies For Full Tunneling

    If you are using Traditional SSL VPN, you are prompted to configure the IP address or DNS name of the Identity Server, and the Linux Access Gateway. 5 Click OK. 6 Select Gateway Configuration from the Basic Gateway Configuration section.
  • Page 53 7 Specify the following information in the Other Configuration section: Identity Provider Address: Specify the IP addresses or the DNS name of the Identity Server. Access Gateway Address: Specify the IP address or DNS name of the Access Gateway if your server is accelerated by the Access Gateway.
  • Page 55: Configuring How Users Connect To Ssl Vpn

    2 On the client machine, download the following package for the Intel* platform from the /var/opt/novell/tomcat5/webapps/sslvpn/Maci386 directory: novell-sslvpn-serv.tar.gz 3 Enter the following command to untar the file: tar -zxvf novell-sslvpn-serv.tar.gz
  • Page 56: Installing Client Components For Windows

    You can assign client policies to user roles so that users in those roles connect only in Enterprise mode or only in Kiosk mode. 1 In the Administration Console, click Devices > SSL VPNs > Edit. 2 Select Client Policies from the policies section.
  • Page 57: Allowing Users To Select The Ssl Vpn Mode

    3 Select one of the following options: Always Kiosk Mode: Select this option to force SSL VPN users to connect in Kiosk mode only, depending on the role of the user. Always Enterprise Mode: Select this option to force SSL VPN users to connect in Enterprise mode only, depending on the role of the user.
  • Page 58: Configuring Client Cleanup Options

    Internet Explorer, ActiveX is downloaded to the client machine to enable SSL VPN connection. You can select this option to remove the ActiveX control when the client logs out. To select any of these options, set Default Option to Yes.
  • Page 59: Configuring Ssl Vpn To Download The Java Applet On Internet Explorer

    If you set Allow User to Override to Yes, users can change any of the cleanup options set by you. To require users to retain the cleanup options you configured, set Allow User to Override to No. 4 To save your modifications, click OK, then click Update on the Configuration page. 4.2.4 Configuring SSL VPN to Download the Java Applet on Internet Explorer The SSL VPN client components are downloaded on the client machine through a Java applet or...
  • Page 60: Configuring Ssl Vpn To Connect Through A Forward Proxy

    4.3 Configuring SSL VPN to Connect through a Forward Proxy The Novell SSL VPN can be configured to detect and connect through a forward proxy in both Kiosk and Enterprise modes after authenticating to the Identity Server. To establish the SSL VPN connection through a forward proxy, you can either configure the browser or create a proxy.conf...
  • Page 61: Understanding How Ssl Vpn Connects Through A Forward Proxy

    NOTE: The SSL VPN client ignores dynamic proxy configuration, whether it is assigned to the browser client as a JavaScript proxy.pac file or discovered by using the WPAD protocol. In such a scenario, use the proxy.conf file. Section 4.3.1, “Understanding How SSL VPN Connects through a Forward Proxy,” on page 61; Section 4.3.2, “Creating the proxy.conf File,”...
  • Page 62: Configuring Ssl Vpn For Citrix Clients

    Citrix Application Server with the Access Gateway. If you are using the ESP-enabled Novell SSL VPN, you must install an Access Gateway in order to protect the Citrix server. The following sections discuss the configuration process: Section 4.4.1, “Prerequisites,”...
  • Page 63: Configuring A Custom Login Policy For Citrix Clients

    Figure 4-1, Citrix Client Configuration (components shown: Browser, Access Gateway, Identity Server, SSL VPN, MetaFrame Servers). 1. The client specifies the public DNS name of the Access Gateway that accelerates the Web Interface login page of the Citrix MetaFrame Presentation Server. 2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.
  • Page 64: Configuring The Access Gateway To Protect The Citrix Server

    You need to create a Form Fill policy and assign it to the protected resource for the Citrix login page. 1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
  • Page 65 7c Click Statements to Execute on Post. Copy the Citrix Script found in the Additional Resources (http://www.novell.com/documentation/novellaccessmanager31/index.html) section in the Novell Documentation site. 7d In the script, replace <ag-url> with the following: For a Traditional SSL VPN, use the hostname of the Access Gateway that is accelerating the SSL VPN server.
  • Page 67: Clustering The High-Bandwidth Ssl Vpn Servers

    For more information on configuring the L4 switch, see “Configuration Tips for the L4 Switch ” in the Novell Access Manager 3.1 SP2 Setup Guide. Using Access Gateway for Clustering: In a direct connection, the client directly establishes contact with the tunneling component, which could be a NAT IP address and not the L4 switch.
  • Page 68: Prerequisites

    All members of an SSL VPN cluster should belong to only one type. For example, all the members of a cluster should be either an ESP-enabled Novell SSL VPN or a Traditional Novell SSL VPN. You cannot have a cluster where some members are ESP-enabled Novell SSL VPNs and some are Traditional Novell SSL VPNs.
  • Page 69: Creating A Cluster Of Ssl Vpn Servers

    5.3.1 Creating a Cluster of SSL VPN Servers To create a new SSL VPN server cluster, you start by creating a cluster configuration with a primary server. 1 In the Administration Console, click Devices > SSL VPNs > Servers. 2 Select the SSL VPN server that you want to add to the cluster, then click New Cluster. 3 Specify a name for the cluster configuration.
  • Page 70: Adding An Ssl Vpn Server To A Cluster

    The trust relationship established with the Identity Server is lost when a server is removed from the cluster. 1 In the Administration Console, click Devices > SSL VPNs.
  • Page 71: Clustering Ssl Vpn By Using An L4 Switch

    2 Select the server, then click Stop. Wait for the Health tab to show a red icon, indicating that the server has stopped. 3 Select the server, then choose Actions > Remove from Cluster. 4 Click OK. 5.4 Clustering SSL VPN by Using an L4 Switch You configure the SSL VPN cluster to be behind a Layer 4 (L4) switch because it is essential in order to assign multiple SSL VPN servers to the same configuration.
  • Page 72 Enterprise Mode. For more information, see Section 2.3, “Configuring the IP Address, Port, and Network Address Translation (NAT),” on page 8 Select the Authentication Configuration link and configure the Embedded Service Provider Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 73: Configuring A Cluster Of Traditional Ssl Vpns By Using An L4 Switch

    For more information on installing ESP-enabled SSL VPNs, see “Installing the ESP-Enabled VPN” in the Novell Access Manager 3.1 SP2 Installation Guide. 2 Verify that the health of all the imported SSL VPNs is displayed as green or yellow. For more information on verifying the health, see “Verifying That Your SSL VPN Service Is...
  • Page 74: Clustering Ssl Vpns By Using The Access Gateway Without An L4 Switch

    Address Translation (NAT),” on page 8 Accelerate the SSL VPN server by using the Access Gateway. For more information, see Chapter 2.2, “Accelerating the Traditional Novell SSL VPN,” on page 9 To save your modifications, click OK, then click Update on the Configuration page.
  • Page 75: Installing The Scripts

    5.5.2 Installing the Scripts 1 Download the tar file containing scripts for SSL VPN automatic monitoring and failover from the Additional Resources section on the Novell Access Manager documentation page (http://www.novell.com/documentation/novellaccessmanager/index.html). The tar file contains two files: sslvpn-heartbeat.sh and sslvpn-heartbeat. 2 Copy the...
  • Page 76: Configuring Ssl Vpn To Monitor The Health Of The Cluster

    Manager, then the HTTP service on the L4 switch does not work. If the health check for the SSL service fails, the L4 switch assumes that all the services configured to use the same virtual IP are down.
  • Page 77: Monitoring The Ssl Vpn Server Health

    (Figures: Real Server Settings Example; Virtual Server Settings Example.) 5.6.2 Monitoring the SSL VPN Server Health The health status of the SSL VPN server can be monitored by using the heartbeat URL. The heartbeat URL uses the DNS name of the SSL VPN server as follows:
  • Page 78 An Alteon switch does not support the L7 health check, so the string for the health check should look similar to the following: open 8080,tcp send GET /sslvpn/heartbeat HTTP/1.1\r\nHOST:heartbeat.lab.tst \r\n\r\n expect HTTP/1.1 200 close Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 79: Monitoring The Ssl Vpn Servers

    Monitoring the SSL VPN Servers This section describes the various ways you can determine whether the SSL VPN server is functioning normally and whether an Internet attack is in progress. Section 6.1, “Viewing and Editing SSL VPN Server Details,” on page 79 Section 6.2, “Enabling SSL VPN Audit Events,”...
  • Page 80: Enabling Ssl Vpn Audit Events

    6.2 Enabling SSL VPN Audit Events The Novell Audit Settings option allows you to configure the events you want audited. The following steps assume that you have already set up Novell Audit on your network. For more information, see Configuring the Administration Console in the Novell Access Manager 3.1 SP2...
  • Page 81: Viewing Ssl Vpn Statistics

    Event / Description: Authentication Logs: Generates a log file containing the authentication details. Command Line Interface Logs: Generates a log file containing command line actions. Command Line Interface Debug Logs: Generates a log file containing command line actions; these logs help in debugging errors. Servlet Communications Logs: Generates a log file containing information on servlet communication.
  • Page 82 Displays the number of active SSL VPN connections. Also displays the username, role of the user, and uptime of each user for each active connection. Bytes information is gathered in the following sections: Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 83: Viewing The Ssl Vpn Server Statistics For The Cluster

    Column / Description: Bytes Received: Displays the number of bytes received. You can also view a graph, which lists the number of bytes received for fixed intervals. For more information, see Section 6.3.3, “Viewing the Bytes Graphs,” on page Bytes Sent: Displays the number of bytes sent.
  • Page 84: Viewing The Bytes Graphs

    1 In the Administration Console, click Devices > SSL VPNs > [Server Name] > Statistics. The Server Statistics page is displayed. 2 Click Live Statistics Monitoring.
  • Page 85: Monitoring The Health Of Ssl Vpn Servers

    3 Select the users that you want to disconnect, then click Disconnect. 4 Click OK to confirm your action. 6.5 Monitoring the Health of SSL VPN Servers You can monitor the health of an SSL VPN Server through the Health page, which displays the current status of the server.
  • Page 86: Monitoring The Health Of An Ssl Vpn Cluster

    1 In the Administration Console, click Devices > SSL VPNs > [Cluster Name] > Health. The Cluster Health section displays the current state, and the Description column explains the significance of the current state. The Services Details section provides the following information:
  • Page 87: Viewing The Command Status Of The Ssl Vpn Server

    Server Name: Displays the name of the SSL VPN server in the cluster. Health: Displays the health status of the server. The following health states are possible (Icon / Description): A green status indicates that the server has not detected any problems. A red status with a bar indicates that the server is stopped.
  • Page 88: Viewing Command Information

    Delete: To delete a command, click Delete. Click OK in the confirmation dialog box. Refresh: To update the current cache of recently executed commands, click Refresh. 3 Click Close to return to the command status page.
  • Page 89: Monitoring Ssl Vpn Alerts

    6.7 Monitoring SSL VPN Alerts The Alerts page allows you to view information about current system alerts and to clear the alerts. An alert is generated whenever the SSL VPN Gateway detects a condition that prevents it from performing normal system services. Section 6.7.1, “Configuring SSL VPN Alerts,”...
  • Page 90: Viewing Ssl Vpn Alerts

    6.7.3 Viewing SSL VPN Cluster Alerts To view information about current alerts for all members of a cluster: 1 In the Administration Console, click Devices > SSL VPNs > [Name of Cluster] > Alerts.
  • Page 91 2 Analyze the data that is displayed. Column Description Server Name Lists the name of the SSL VPN server that sent the alert. To view additional information about the alerts for a specific SSL VPN, click the specific SSL VPN. Severe Lists the number of critical alerts that have been sent and not acknowledged.
  • Page 93: Server Configuration Settings

    Server Configuration Settings This section describes the configuration settings that affect SSL VPN servers. Section 7.1, “Managing SSL VPN Servers,” on page 93 Section 7.2, “Configuring SSL VPN Servers,” on page 95 Section 7.3, “Modifying SSL VPN Server Details,” on page 96 7.1 Managing SSL VPN Servers Use the Servers page to view the status of SSL VPN servers, to modify their configuration, to create or delete clusters, or to stop and start the server.
  • Page 94 SSL VPN. It also indicates if the SSL VPN version is high-bandwidth or low-bandwidth. For example, if the high-bandwidth version of SSL VPN protected by the Access Gateway is installed, then the Type displayed is High (non-ESP). Novell Access Manager 3.1 SP2 SSL VPN Server Guide...
  • Page 95: Configuring Ssl Vpn Servers

    This link is not enabled if you have installed SSL VPN with the Linux Access Gateway. For more information, see Configuring Authentication for the ESP-Enabled Novell SSL VPN. DNS Servers List: Allows you to configure the DNS server list. For more information, see Configuring DNS Servers.
  • Page 96: Modifying Ssl Vpn Server Details

    For more information, see Configuring Full Tunneling. The Novell Audit and Alerts section allows you to set up alerts so that notifications are sent when specified events occur. Novell Audit Settings: Allows you to configure Novell Audit settings. For more...
  • Page 97 The General tab of the Server Details page displays information such as name, management IP address, port, location, and the server version of the selected server. 3 Click Edit. 4 Verify the information and make any necessary changes. Name: Specify the name of the server. This field is mandatory. Management IP Address: Specify the IP address used to manage the server.
  • Page 99: Additional Configurations

Section 8.1.1, “Customizing the Home Page and Exit Page,” on page 99
Section 8.1.2, “Customizing Error Messages,” on page 99
8.1.1 Customizing the Home Page and Exit Page To customize the home page, modify the /var/opt/novell/tomcat5/webapps/sslvpn/sslvpnclient.jsp file. The home page content is displayed within the tags.
  • Page 100: Creating A Configuration File To Add Additional Configuration Changes

3 Add the commands for additional OpenVPN configuration to these files. For example, to decrease the MTU size of the TUN interface, specify the command in the following format in both files:
link-mtu 1200
OpenVPN expects both peers to use the same link-mtu value, which is why the same line goes into both files.
4 Save your changes.
5 Restart the server.
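The following shell script is an added example and is not part of the Novell guide. It applies a directive such as link-mtu 1200 to an OpenVPN configuration file idempotently, so that re-running step 3 does not leave duplicate link-mtu lines, and then reads the value back as a check. The files server.conf and client.conf under a temporary directory are placeholders for the two files the guide refers to, and their contents are constructed for the demo. A link-mtu mismatch between the two peers is reported in the OpenVPN log as link-mtu being used inconsistently, which is the reason for writing the same value to both files.

```shell
#!/bin/sh
# Added example, not code from the Novell guide: idempotently set an OpenVPN
# directive in a configuration file. The demo file paths are placeholders;
# the guide's own file names are not reproduced here.
set -eu

# set_directive FILE KEY VALUE
# Rewrites an existing "KEY ..." line in place, or appends "KEY VALUE" if none.
# Writes back through cat (not mv) so the file keeps its owner and permissions.
set_directive() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    if awk -v k="$key" '$1 == k { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        awk -v k="$key" -v v="$value" '$1 == k { print k " " v; next } { print }' "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_directive FILE KEY
# Prints the value of the first "KEY value" line; exit status 1 if absent.
get_directive() {
    awk -v k="$2" '$1 == k && !found { print $2; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# count_directive FILE KEY
# Prints how many lines start with KEY (0 or 1 after set_directive).
count_directive() {
    awk -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# Demo on constructed sample files (placeholder paths, not real Novell config).
demo_dir=$(mktemp -d)
SERVER_CONF="$demo_dir/server.conf"
CLIENT_CONF="$demo_dir/client.conf"
printf 'dev tun\nproto udp\nlink-mtu 1500\n' > "$SERVER_CONF"
printf 'dev tun\nproto udp\n' > "$CLIENT_CONF"

# Both peers must agree on link-mtu; applying it twice must not duplicate it.
for conf in "$SERVER_CONF" "$CLIENT_CONF"; do
    set_directive "$conf" link-mtu 1200
    set_directive "$conf" link-mtu 1200
done
```

To use this against the real files, call set_directive with the actual configuration file path for each of the two files and then restart the server as in step 5.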
  • Page 101: A Troubleshooting Ssl Vpn Configuration

Troubleshooting SSL VPN Configuration You might sometimes encounter issues while installing or configuring the SSL VPN servers, and the server might then not work the way you intended. The following sections describe some of the scenarios you might encounter while configuring SSL VPN and the steps to troubleshoot them.
  • Page 102: Successfully Connecting To The Server

Figure (flowchart, Successfully Connecting to the Server): Blank screen displayed in the browser; JRE not installed: install JRE; Blank screen with mark: check Java settings; Applet failed: check logs, install missing software; Verify 1, 2, and 3, then retry.
  • Page 103: Connection Problems With Internet Explorer

A.1.2 Connection Problems with Internet Explorer. Figure A-2, Using Internet Explorer to Connect to the SSL VPN Server (flowchart): User requests remote access; Access Manager login page (Local Login, Username, Password); enter correct name and password; Successful connection; Connection failed: verify 1 and 2.
  • Page 104: The Ssl Vpn Server Is In A Pending State

For more information, see Section 4.3, “Configuring SSL VPN proxy.conf to Connect through a Forward Proxy.”
  • Page 105: The Tftp Application And Groupwise Notify Do Not Work In Enterprise Mode

Section A.7.2, “Verifying and Restarting the SSL VPN Server,” on page 105
A.7.1 Verifying and Restarting JCC To check the status of JCC, enter the following command:
/etc/init.d/novell-jcc status
If it is not running, enter the following command to restart JCC:
/etc/init.d/novell-jcc restart
A.7.2 Verifying and Restarting the SSL VPN Server...
  • Page 106: Ssl Vpn Server

Error Status: Check the status in /var/log/messages, /var/log/stunnel.log, and /var/log/novell-openvpn.log.
SSL VPN Status: At the command prompt, enter the following command: /etc/init.d/novell-sslvpn status
Message Log: Check the /var/log/messages file for more information.
  • Page 107: Unable To Get Authentication Headers

SSL VPN services. /etc/init.d/novell-sslvpn restart Action: If you are using a 64-bit machine and have changed the TUN interface, check to make sure the interface is up. If it is down, enter the following command to restart the SSL VPN services: /etc/init.d/novell-sslvpn restart
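The script below is an added example, not code from the Novell guide. It wraps the manual checks from A.7.1, A.7.2 and the Error Status entry above (query the init script's status, restart the service if it is down, then scan the log files for error lines) in three shell functions so they can be run as one command or from cron. The init-script and log paths the guide names (/etc/init.d/novell-jcc, /etc/init.d/novell-sslvpn, /var/log/messages, /var/log/stunnel.log, /var/log/novell-openvpn.log) are the intended arguments; the demo section at the end substitutes a fake init script and constructed log lines so that it runs on a machine without the product installed.

```shell
#!/bin/sh
# Added example, not code from the Novell guide: check a service via its
# init script, restart it if it is down, and report error lines from logs.
set -eu

# service_running INIT_SCRIPT -> exit 0 if "INIT_SCRIPT status" reports running
service_running() {
    "$1" status >/dev/null 2>&1
}

# ensure_running INIT_SCRIPT
# Prints "running", "restarted" or "failed"; non-zero exit only on failure.
ensure_running() {
    if service_running "$1"; then
        echo running
        return 0
    fi
    "$1" restart >/dev/null 2>&1 || true
    if service_running "$1"; then
        echo restarted
        return 0
    fi
    echo failed
    return 1
}

# log_errors LOGFILE [LOGFILE...]
# Prints lines mentioning error/fail/refused, prefixed by file name.
# Unreadable files are reported rather than silently skipped.
log_errors() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            grep -i -E 'error|fail|refused' "$f" | sed "s|^|$f: |" || true
        else
            echo "$f: (not readable)"
        fi
    done
}

# Demo: a fake init script standing in for /etc/init.d/novell-sslvpn that
# reports "stopped" until it has been restarted once.
demo=$(mktemp -d)
FAKE_INIT="$demo/novell-sslvpn"
cat > "$FAKE_INIT" <<'EOF'
#!/bin/sh
state="${0}.state"
case "$1" in
    status)  [ -f "$state" ] ;;
    restart) : > "$state" ;;
    *)       exit 2 ;;
esac
EOF
chmod +x "$FAKE_INIT"

# Constructed sample log lines (not real Novell output).
printf 'Jun 11 10:00:01 host openvpn: TLS handshake failed\nJun 11 10:00:02 host openvpn: Initialization Sequence Completed\n' \
    > "$demo/novell-openvpn.log"

# Real use would be, for example:
#   ensure_running /etc/init.d/novell-jcc
#   ensure_running /etc/init.d/novell-sslvpn
#   log_errors /var/log/messages /var/log/stunnel.log /var/log/novell-openvpn.log
```

The restart-then-recheck sequence in ensure_running mirrors the guide's "check status, restart if not running" steps; scanning the logs afterwards is what tells you whether the restart actually cleared the problem or merely hid it.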
  • Page 108: Multiple Instances Of Ssl Vpn Are Running

UNKNOWN HOST in the Connection Manager logs instead of the IP address of the client. This is because this information is provided by the Access Gateway and is available only if the Traditional Novell SSL VPN server is deployed.
  • Page 109: Ssl Vpn Full Tunnel Connection Disconnects On Vmware

Possible Cause: An SSL VPN full tunnel connection might disconnect because of no keepalive response if the Novell Access Manager setup is on a host-only network on a VMware interface of the client. Explanation: After full tunneling is enabled, a new route entry is added to the client routing table to route the keepalive packet to the SSL VPN server through the default gateway.
  • Page 110: Debugging A Cluster If Session Sharing Doesn't Properly Happen

When a user is added, you can see the username in /var/log/messages of all cluster members. NOTE: 8900 is the default port used for session sharing among cluster members. If a different port is configured, for session sharing. grep
