Novell Access Manager 3.1 SP2 User Manual

Novell
Access Manager
novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION
3.1 SP2
June 11, 2010
www.novell.com
Novell Access Manager 3.1 SP2 SSL VPN Server Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverable for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 9
1 Overview of SSL VPN 11
1.1 SSL VPN Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Traditional and ESP-Enabled SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.2.1 ESP-Enabled Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.2.2 Traditional Novell SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3 SSL VPN Client Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3.1 Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.3.2 Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2 Basic Configuration for SSL VPN 21
2.1 Configuring Authentication for the ESP-Enabled Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . 21
2.2 Accelerating the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.1 Configuring the Default Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.2 Injecting the SSL VPN Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3 Configuring the IP Address, Port, and Network Address Translation (NAT) . . . . . . . . . . . . . . 27
2.3.1 Configuring the SSL VPN Gateway behind NAT or L4 . . . . . . . . . . . . . . . . . . . . . . . 28
2.3.2 Configuring the SSL VPN Gateway without NAT or an L4 Switch. . . . . . . . . . . . . . . 30
2.4 Configuring Route and Source NAT for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.4.1 Configuring the OpenVPN Subnet in Routing Tables . . . . . . . . . . . . . . . . . . . . . . . . 33
2.5 Configuring DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.5.1 Configuring DNS Servers for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.5.2 Configuring DNS Servers for Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.6 Configuring Certificate Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3 Configuring End-Point Security and Access Policies for SSL VPN 37
3.1 Configuring Policies to Check the Integrity of the Client Machine . . . . . . . . . . . . . . . . . . . . . . 38
3.1.1 Selecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.1.2 Configuring the Category. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.1.3 Configuring Applications for a Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.1.4 Configuring Attributes for an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.1.5 Exporting and Importing Client Integrity Check Policies . . . . . . . . . . . . . . . . . . . . . . 44
3.2 Configuring Client Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2.1 Client Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2.2 Configuring a Security Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.3 Configuring Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.3.1 Configuring Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.3.2 Ordering Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.3.3 Exporting and Importing Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.4 Configuring Full Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.4.1 Creating a Full Tunneling Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.4.2 Modifying Existing Traffic Policies for Full Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . 52
4 Configuring How Users Connect to SSL VPN 55
4.1 Preinstalling the SSL VPN Client Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.1.1 Installing Client Components for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.1.2 Installing Client Components for Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.1.3 Installing Client Components for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2 Configuring Client Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2.1 Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode . . . . . . . . . . 56
4.2.2 Allowing Users to Select the SSL VPN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2.3 Configuring Client Cleanup Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.2.4 Configuring SSL VPN to Download the Java Applet on Internet Explorer . . . . . . . . . 59
4.2.5 Configuring a Custom Login Policy for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.3 Configuring SSL VPN to Connect through a Forward Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . 60
4.3.1 Understanding How SSL VPN Connects through a Forward Proxy . . . . . . . . . . . . . 61
4.3.2 Creating the proxy.conf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
4.4 Configuring SSL VPN for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.4.2 How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4.4.3 Configuring a Custom Login Policy for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.4.4 Configuring the Access Gateway to Protect the Citrix Server . . . . . . . . . . . . . . . . . . 64
4.4.5 Configuring Single Sign-On between Citrix and SSL VPN . . . . . . . . . . . . . . . . . . . . 64
5 Clustering the High-Bandwidth SSL VPN Servers 67
5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.3 Creating a Cluster of SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5.3.1 Creating a Cluster of SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.3.2 Adding an SSL VPN Server to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
5.3.3 Removing an SSL VPN Server from a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
5.4 Clustering SSL VPN by Using an L4 Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.4.1 Configuring a Cluster of ESP-Enabled SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 71
5.4.2 Configuring a Cluster of Traditional SSL VPNs by Using an L4 Switch . . . . . . . . . . 73
5.5 Clustering SSL VPNs by Using the Access Gateway without an L4 Switch . . . . . . . . . . . . . . 74
5.5.1 Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
5.5.2 Installing the Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.5.3 Testing the Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
5.6 Configuring SSL VPN to Monitor the Health of the Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
5.6.1 Services of the Real Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
5.6.2 Monitoring the SSL VPN Server Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6 Monitoring the SSL VPN Servers 79
6.1 Viewing and Editing SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.2 Enabling SSL VPN Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.3 Viewing SSL VPN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.3.1 Viewing the SSL VPN Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
6.3.2 Viewing the SSL VPN Server Statistics for the Cluster . . . . . . . . . . . . . . . . . . . . . . . 83
6.3.3 Viewing the Bytes Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
6.4 Disconnecting Active SSL VPN Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
6.5 Monitoring the Health of SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.5.1 Monitoring the Health of a Single Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.5.2 Monitoring the Health of an SSL VPN Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
6.6 Viewing the Command Status of the SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6.6.1 Viewing Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
6.7 Monitoring SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.7.1 Configuring SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.7.2 Viewing SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.7.3 Viewing SSL VPN Cluster Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
7 Server Configuration Settings 93
7.1 Managing SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
7.2 Configuring SSL VPN Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
7.3 Modifying SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
8 Additional Configurations 99
8.1 Customizing the SSL VPN User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.1.1 Customizing the Home Page and Exit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.1.2 Customizing Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.2 Creating DH Certificates with Different Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
8.3 Creating a Configuration File to Add Additional Configuration Changes . . . . . . . . . . . . . . . . 100
A Troubleshooting SSL VPN Configuration 101
A.1 Successfully Connecting to the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
A.1.1 Connection Problems with Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
A.1.2 Connection Problems with Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
A.2 Adding Applications for Different Versions of Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
A.3 The SSL VPN Server Is in a Pending State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
A.4 Error: Failed to Fetch CIC Policy from the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
A.5 SSL VPN Connects in Kiosk Mode, But There Is No Data Transfer . . . . . . . . . . . . . . . . . . . 104
A.6 The TFTP Application and GroupWise Notify Do Not Work in Enterprise Mode . . . . . . . . . . 105
A.7 SSL VPN Not Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
A.7.1 Verifying and Restarting JCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
A.7.2 Verifying and Restarting the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
A.8 Verifying SSL VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
A.8.1 SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A.8.2 SSL VPN Linux Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A.8.3 SSL VPN Macintosh Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A.8.4 SSL VPN Windows Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A.9 Unable to Contact the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A.10 Unable to Get Authentication Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
A.11 The SSL VPN Connection Is Successful But There Is No Data Transfer . . . . . . . . . . . . . . . 107
A.12 Unable to Connect to the SSL VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
A.13 Multiple Instances of SSL VPN Are Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
A.14 Issue with the Preinstalled Enterprise Mode Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
A.15 Socket Exception Error After Upgrading SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
A.16 SSL VPN Server Is Unable to Handle the Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
A.17 Embedded Service Provider Status Is Red . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
A.18 Connection Manager Log Does Not Display the Client IP Address . . . . . . . . . . . . . . . . . . . . 108
A.19 SSL VPN Full Tunnel Connection Disconnects on VMware . . . . . . . . . . . . . . . . . . . . . . . . . 109
A.20 Clustering Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
A.20.1 Bringing Up the Server If a Cluster Member Is Down . . . . . . . . . . . . . . . . . . . . . . . 109
A.20.2 Bringing Up a Binary If It Is Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
A.20.3 Debugging a Cluster If Session Sharing Doesn’t Properly Happen. . . . . . . . . . . . . 110
About This Guide
The Novell Access Manager SSL VPN uses encryption and other security mechanisms to ensure that data cannot be intercepted and only authorized users have access to the network. Users can access SSL VPN services from any Web browser.
Chapter 1, “Overview of SSL VPN,” on page 11
Chapter 2, “Basic Configuration for SSL VPN,” on page 21
Chapter 3, “Configuring End-Point Security and Access Policies for SSL VPN,” on page 37
Chapter 4, “Configuring How Users Connect to SSL VPN,” on page 55
Chapter 5, “Clustering the High-Bandwidth SSL VPN Servers,” on page 67
Chapter 6, “Monitoring the SSL VPN Servers,” on page 79
Chapter 7, “Server Configuration Settings,” on page 93
Chapter 8, “Additional Configurations,” on page 99
Appendix A, “Troubleshooting SSL VPN Configuration,” on page 101
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TLS)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
Feedback
We want to hear your comments and suggestions about this guide and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Novell Access Manager SSL VPN Server Guide, visit the Novell Access Manager Documentation Web site (http://www.novell.com/documentation/novellaccessmanager).
Additional Documentation
For information about the other Access Manager devices and features, see the following:
Novell Access Manager 3.1 SP2 SSL VPN User Guide
Novell Access Manager 3.1 SP2 Installation Guide
Novell Access Manager 3.1 SP2 Setup Guide
Novell Access Manager 3.1 SP2 Administration Console Guide
Novell Access Manager 3.1 SP2 Identity Server Guide
Novell Access Manager 3.1 SP2 Access Gateway Guide
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
1 Overview of SSL VPN
The Novell Access Manager SSL VPN uses Secure Sockets Layer (SSL) as the underlying security protocol for network transmissions. It uses encryption and other security mechanisms to ensure that data cannot be intercepted and only authorized users have access to the network. Users can access SSL VPN services from any Web browser.
Section 1.1, “SSL VPN Features,” on page 11
Section 1.2, “Traditional and ESP-Enabled SSL VPNs,” on page 14
Section 1.3, “SSL VPN Client Modes,” on page 16
1.1 SSL VPN Features
Novell SSL VPN comes with a number of key features that make the product secure, easy to access, and reliable.
Browser-Based End User Access
Novell SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines. Users can access the SSL VPN services from any Web browser, from their personal computer, laptop, or from an Internet kiosk.
When users access SSL VPN through the Web browser, they are prompted to authenticate. On successful authentication, a Java applet or an ActiveX control is delivered to the client, depending on the browser. This establishes a secure tunnel between the user’s machine and the SSL VPN server.
Support on Linux, Macintosh, and Windows
The SSL VPN client is supported on Linux, Macintosh, and Windows environments. For a complete list of operating software and browsers that are supported by SSL VPN, see “Client Machine Requirements” in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
Support on 64-Bit Clients
Enterprise mode SSL VPN can be installed on 64-bit client configurations.
High-Bandwidth and Low-Bandwidth Versions
Novell SSL VPN comes in high-bandwidth and low-bandwidth versions. The default low-bandwidth SSL VPN server is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.
If the export law permits, you can install the high-bandwidth SSL VPN RPM to get the high-bandwidth capabilities, because that version does not have connection and performance restrictions. You can order the high-bandwidth SSL VPN key at no extra cost. It is essential to have the high-bandwidth SSL VPN if you want to cluster the SSL VPN servers.
For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see “Installing the Key for the High-Bandwidth SSLVPN” in the Novell Access Manager 3.1 SP2 Installation Guide.
Traditional and ESP-Enabled Installation
You can install SSL VPN in two ways:
As an ESP-enabled SSL VPN, which is installed with the Identity Server and the Administration Console.
As a Traditional SSL VPN, which is installed with the Identity Server, Administration Console, and the Access Gateway.
For more information on these methods, see Section 1.2, “Traditional and ESP-Enabled SSL VPNs,” on page 14.
Enterprise and Kiosk Modes for End User Access
The Novell SSL VPN uses both clientless and thin-client access methods. The clientless method is called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.
In Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this mode, a thin client is installed on the user’s workstation, and the IP Forwarding feature is enabled by default. For more information on Enterprise mode, see Section 1.3.1, “Enterprise Mode,” on page 17.
In Kiosk mode, only a limited set of applications are enabled for SSL VPN. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not enabled for SSL. For more information on Kiosk mode, see Section 1.3.2, “Kiosk Mode,” on page 19.
As SSL VPN server administrators, you can decide which users can connect in Enterprise mode and which users can connect in Kiosk mode, depending on the role of the user. Or you can let the client select the mode in which the SSL VPN connection is made. For more information on how to do this, see Chapter 4, “Configuring How Users Connect to SSL VPN,” on page 55. Enterprise mode is available to a user who has the administrator right on a Windows workstation or root user privileges on Linux or Macintosh workstations. If the user does not have administrator rights or root user privileges for that workstation, the SSL VPN connection is made in Kiosk mode.
Customized Home and Exit Pages for End Users
The home page and the exit page of SSL VPN can be customized to suit the needs of different customers. For more information, see Section 8.1, “Customizing the SSL VPN User Interface,” on page 99.
Clustering SSL VPN Servers
The SSL VPN servers can be clustered to provide load balancing and fault tolerance. When you form a cluster of SSL VPN servers, all members of a cluster should belong to only one type of SSL VPN and they should all be running the high-bandwidth SSL VPN. For example, all the members of a cluster should belong to either the ESP-enabled SSL VPN or the Traditional SSL VPN. For more information on SSL VPN clustering, see Chapter 5, “Clustering the High-Bandwidth SSL VPN Servers,” on page 67.
End-Point Security Checks
The Novell SSL VPN has a set of policies that can be configured to protect your network and applications from clients that are using insufficient security restraints and also to restrict the traffic based on the role of the client.
You can configure a client integrity check policy to run a check on the client workstations before establishing a tunnel to the SSL VPN server. This check ensures that the users have the specified software installed and running on their systems. Each client is associated with a security level, depending on the assessment of the client integrity check and the relevant traffic policies that are assigned. For more information on configuring end-point security, see Chapter 3, “Configuring End-Point Security and Access Policies for SSL VPN,” on page 37.
Ability to Order Rules
If you have configured more than one rule for a user’s role, the rule that is placed first is applied first. Novell SSL VPN allows you to change the order of rules by dragging and dropping them, based on their priority. For more information on rule ordering in SSL VPN, see “Ordering Traffic Policies” on page 49.
Ability to Import and Export Policies
Novell SSL VPN allows you to export the existing configuration into an XML file through the Administration Console. You can reimport this configuration later. This is a very useful feature when you upgrade your servers from one version to another. For more information, see “Exporting and Importing Traffic Policies” on page 50.
Desktop Cleanup Feature
When a user accesses the protected resource from outside by using SSL VPN, it also means that the sites that the user visited are stored in the browser history, or some sensitive information is stored in the cache or cookies. This is a potential security threat if it is not properly dealt with. The Novell SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the browser history, cache, cookies, and files from the system, before logging out of the SSL VPN connection.
If the user uses Firefox to connect to SSL VPN, the browsing data that was stored after the SSL VPN connection was made is deleted. In Internet Explorer, all the browser data is deleted, including the data that was stored before the SSL VPN session was established.
Sandbox Feature
When you connect to SSL VPN in either Kiosk mode or Enterprise mode, a folder named VPN-SANDBOX is created on your desktop. You can manually copy files to this folder, including files that you create or files that you download from your corporate network. This folder is automatically deleted along with its contents when you log out of the SSL VPN connection. This is a very useful feature if you are browsing from a public Internet connection and you do not want any sensitive information to reach other persons. For more information on the sandbox feature of SSL VPN, see “Using the Sandbox Feature” in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
Custom Login Policy
When custom login policy is configured, SSL VPN redirects the custom login requests to different URLs based on the policy. This is a very useful feature if users want to access applications such as those on the Citrix application servers. For more information on how to configure a custom login policy, see Section 4.2.5, “Configuring a Custom Login Policy for SSL VPN,” on page 59.
1.2 Traditional and ESP-Enabled SSL VPNs
The Novell SSL VPN can be deployed as either an ESP-enabled SSL VPN or a Traditional SSL VPN.
When SSL VPN is deployed without the Access Gateway, an Embedded Service Provider (ESP) component is installed along with the SSL VPN server. This deployment requires the Identity Server and the Administration server to also be installed. This type of deployment is called an ESP-enabled Novell SSL VPN.
When SSL VPN is deployed with the Access Gateway, it is called a Traditional Novell SSL VPN. In this type of installation, SSL VPN is deployed with the Identity Server, Administration Console, and the Linux Access Gateway components of Novell Access Manager.
Section 1.2.1, “ESP-Enabled Novell SSL VPN,” on page 14
Section 1.2.2, “Traditional Novell SSL VPN,” on page 15
Section 1.2.3, “High-Bandwidth and Low-Bandwidth SSL VPNs,” on page 16
1.2.1 ESP-Enabled Novell SSL VPN
In an ESP-enabled Novell SSL VPN, the process involved in establishing a secure connection between a client machine and the different components of Novell Access Manager is as follows:
1. The user specifies the following URL to access the SSL VPN server:
https://<www.sslvpn.novell.com>/sslvpn/login
<www.sslvpn.novell.com> is the DNS name of the SSL VPN server, and /sslvpn/login is the path of the SSL VPN server.
2. The SSL VPN redirects the browser to the Identity Server for authentication.
3. After successful authentication, the Identity Server redirects the browser back to SSL VPN.
4. The Identity Server propagates the session information to the SSL VPN server through the Embedded Service Provider.
5. The SSL VPN server injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the server.
6. The SSL VPN checks if the client machine has sufficient security restraints. For more information on client integrity checks, see Section 3.1, “Configuring Policies to Check the Integrity of the Client Machine,” on page 38.
7. When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN server.
8. The browser stays open throughout the SSL VPN connection to allow the keep alive packets.
9. When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.
1.2.2 Traditional Novell SSL VPN
The following figure shows the Novell Access Manager components and the process involved in establishing a secure connection between a client machine and traditional Novell SSL VPN server. In this type of deployment, the Linux Access Gateway accelerates and protects the SSL VPN server.
Figure 1-1 Traditional Novell SSL VPN
[Figure 1-1 shows the components and the numbered flow 1 through 7: Browser, Access Gateway (DNS: www.ag.novell.com, www.ag.novell.com/sslvpn), Identity Server, SSL VPN server (External IP: 192.23.45.4, Internal IP: 10.0.0.4), and Application. The steps are described below.]
1. The user specifies the following URL to access the SSL VPN server:
https://<www.ag.novell.com>:8443/sslvpn/login
<www.ag.novell.com> is the DNS name of the Access Gateway that accelerates the SSL VPN server, and /sslvpn/login is the path of the SSL VPN server.
2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.
3. The Identity Server authenticates the user’s identity.
4. The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.
5. The Access Gateway injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the Access Gateway.
6. The SSL VPN checks if the client machine has sufficient security restraints. For more information on client integrity checks, see Section 3.1, “Configuring Policies to Check the Integrity of the Client Machine,” on page 38.
7. One of the following actions takes place, depending on the mode of the SSL VPN connection:
In Enterprise mode, a tunnel interface is created and is bound with the tunnel IP address assigned by the SSL VPN server. A secure tunnel is established between the client machine and the SSL VPN server, and the routing table is updated with the protected network configuration.
In Kiosk mode, a secure tunnel is established between the client machine and the SSL VPN server, and the protected network configuration is pushed to the client.
8. When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN server and not through the Access Gateway.
9. The browser stays open throughout the SSL VPN connection to allow the keep alive packets to go through the Access Gateway.
10. When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.
1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs
Novell SSL VPN comes in high-bandwidth and low-bandwidth versions.
Low-Bandwidth Version: The default SSL VPN server is a low-bandwidth version. It is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.
High-Bandwidth Version: The high-bandwidth version does not have the connection and performance restrictions. It is essential to have the high-bandwidth SSL VPN installed if you want to cluster the SSL VPN servers.
If the export law permits, you can order the high-bandwidth SSL VPN RPM and get the high-bandwidth capabilities at no extra cost. After the export controls have been satisfied, the order will be fulfilled. You can install the high-bandwidth SSL VPN RPM on both the Traditional Novell SSL VPN server and on the ESP-enabled Novell SSL VPN server.
Your regular Novell sales channel can determine if the export law allows you to order the high-bandwidth version at no extra cost.
For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see “Installing the Key for the High-Bandwidth SSLVPN” in the Novell Access Manager 3.1 SP2 Installation Guide.
1.3 SSL VPN Client Modes
Novell SSL VPN has two client modes, Enterprise mode and Kiosk mode. In Enterprise mode, which is available for users who have administrative privileges, all applications are enabled for SSL VPN. In Kiosk mode, only a limited set of applications are enabled for SSL VPN.
Enterprise mode is available to users who have the administrator right in a Windows workstation or root user privilege on Linux or Macintosh workstations. If a user does not have administrator or root user privileges for that workstation, the SSL VPN connection is made in Kiosk mode.
For more information on the client platforms and setups tested by Novell, see the Access Manager 3.1 Support Pack 1 SSLVPN integration testing report (http://www.novell.com/support/viewContent.do?externalId=7004342&sliceId=1).
Section 1.3.1, “Enterprise Mode,” on page 17
Section 1.3.2, “Kiosk Mode,” on page 19
1.3.1 Enterprise Mode
In Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this approach, a thin client is installed on the user’s workstation. In Enterprise mode, the IP Forwarding feature is enabled by default.
Enterprise mode is recommended for devices that are managed by an organization, such as a laptop provided by the organization for its employees. Enterprise mode supports the following:
Protocols such as TCP, UDP, ICMP, and NetBIOS.
Applications that open TCP connections on both sides, such as VoIP and FTP.
Enterprise applications such as CRM and SAP*.
Applications such as Windows File Sharing systems, the Novell Client™, and Novell SecureLogin.
You can configure a user to connect only in Enterprise mode, depending on the role of the user. For more information, see Section 4.2.1, “Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode,” on page 56.
NOTE: If you have configured a user to connect in Enterprise mode only and that user does not meet the prerequisites, the SSL VPN connection fails with an appropriate error message if the applet-based Web browser is used, or with a blank screen if an ActiveX-based Web browser is used.
“Prerequisites” on page 17
“User Scenarios” on page 17
Prerequisites
A user can access SSL VPN in Enterprise mode if any one of the following prerequisites is in place:
The user is an administrator or a root user of the machine, or a Super user or an Administrator user in Windows Vista.
The user is a non-admin or a non-root user, or a standard user in Windows Vista, who knows the credentials of the administrator or root user.
The SSL VPN client components are preinstalled on the user’s machine.
User Scenarios
Depending on which prerequisites are in place, users have different login scenarios.
“Scenario 1: The User Is the Admin or Root User of the Machine” on page 18
“Scenario 2: The User Is the Non-Admin or Non-Root User of Machine and Knows the Admin or Root Credentials” on page 18
“Scenario 3: The User Is a Non-Admin or Non-Root User, but the Client Components Are Preinstalled on the Machine” on page 19
Scenario 1: The User Is the Admin or Root User of the Machine
When the user is an administrator or a root user of the machine, the tool identifies the user as the admin or root user, and Enterprise mode is enabled by default after the user specifies credentials in the Access Manager page. An admin or a root user can connect to SSL VPN only in Enterprise mode unless the system administrator configures the user to connect in Kiosk mode only. For more information on how to configure users for Kiosk mode only, see Section 4.2.1, “Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode,” on page 56.
Scenario 2: The User Is the Non-Admin or Non-Root User of Machine and Knows the Admin or Root Credentials
A non-admin or a non-root user can access SSL VPN in Enterprise mode if the user knows the administrator or root user credentials. When a non-admin or a non-root user connects to SSL VPN, the user is prompted to specify the credentials on the Access Manager page. The tool identifies that the credentials supplied are those of the non-admin or a non-root user and displays the following dialog box.
Figure 1-2 SSL VPN Dialog box
The user must specify the username and password of the administrator or the root user of the machine in the dialog box, then click OK to enable Enterprise mode.
Enterprise mode is enabled by default in the subsequent sessions and the user is not prompted again for the administrator or root username and password.
Non-admin or non-root users who have connected to SSL VPN in Enterprise mode can connect to SSL VPN in Kiosk mode on the same machine. For more information, see “Switching from Enterprise Mode to Kiosk Mode” in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
NOTE: Users cannot switch from one mode to another if you have configured them to connect in one mode only.
Scenario 3: The User Is a Non-Admin or Non-Root User, but the Client Components Are Preinstalled on the Machine
If a non-admin or a non-root user wants to install SSL VPN in Enterprise mode, you can preinstall the SSL VPN client components on the user’s machine. For more information, see Section 4.1, “Preinstalling the SSL VPN Client Components,” on page 55. When non-admin or non-root users access the client components from a workstation that has the SSL VPN client components preinstalled, the users are not prompted to enter the credentials of the admin user or root user.
The users are connected to SSL VPN in Enterprise mode after they specify their credentials on the Access Manager login page.
1.3.2 Kiosk Mode
In Kiosk mode, only a limited set of applications are enabled for SSL VPN. A non-admin user, a non-root user, or a standard user in Windows Vista can connect to SSL VPN in Kiosk mode if he or she does not have administrator access. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not SSL-enabled.
Kiosk mode supports TCP and UDP applications only. This mode is better suited for machines that are not managed by an organization, such as home computers and computers in Web browsing kiosks.
You can configure a user to connect in Kiosk mode only. When you have done so, a user is connected to SSL VPN in Kiosk mode after the user provides credentials in the Novell Access Manager login page. For more information, see Section 4.2.1, “Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode,” on page 56.
If you have left the mode selection to the client and a user logs in to the SSL VPN client as a non-admin or non-root user, the following dialog box is displayed:
Figure 1-3 SSL VPN Dialog Box
The user can do one of the following to load the Kiosk mode:
Click Ignore to connect to SSL VPN in Kiosk mode for that particular session. The user is prompted again to provide the administrator or the root username and password during the next login.
Click Ignore Forever to connect to SSL VPN in Kiosk mode in the current session, as well as in subsequent sessions.
A user who has clicked Ignore Forever can still switch to SSL VPN in Enterprise mode in the next session. For more information, see “Switching from Kiosk Mode to Enterprise Mode” in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
NOTE: When a non-admin user uses Internet Explorer to establish an SSL VPN connection, the ActiveX download fails. This happens because ActiveX requires admin rights to download. This issue might also occur if you have upgraded from an older version. If a user wants to access SSL VPN with Internet Explorer, use the following URL:
https://<DNS-Name>/sslvpn/login?forcejre=true
For more information, see Section 4.2.4, “Configuring SSL VPN to Download the Java Applet on Internet Explorer,” on page 59.
2 Basic Configuration for SSL VPN
SSL VPN servers are auto-imported into the Administration Console during installation. You can use the SSL VPNs page in the Administration Console to view information about the current status of all SSL VPN servers and to configure the SSL VPN servers.
Before you proceed with the SSL VPN configuration, you must do the following:
Install the SSL VPN server. For more information, see “Installing the SSL VPN Server” in the Novell Access Manager 3.1 SP2 Installation Guide.
Install the Linux Access Gateway, if you want to accelerate SSL VPN by using the Linux Access Gateway. For more information, see “Installing the Linux Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Installation Guide.
Log in to the Administration Console as the admin user. For more information, see “Logging In to the Administration Console” in the Novell Access Manager 3.1 SP2 Installation Guide.
Create an Identity Server configuration. For more information, see “Configuring an Identity Server” in the Novell Access Manager 3.1 SP2 Identity Server Guide.
If you have upgraded from SSL VPN 3.0 to SSL VPN 3.1, update the SSL VPN servers before you proceed with any other configurations. For more information, see “Updating Configuration Changes to the Upgraded Server” in the Novell Access Manager 3.1 SP2 Installation Guide.
This section has the following information:
Section 2.1, “Configuring Authentication for the ESP-Enabled Novell SSL VPN,” on page 21
Section 2.2, “Accelerating the Traditional Novell SSL VPN,” on page 23
Section 2.3, “Configuring the IP Address, Port, and Network Address Translation (NAT),” on page 27
Section 2.4, “Configuring Route and Source NAT for Enterprise Mode,” on page 32
Section 2.5, “Configuring DNS Servers,” on page 33
Section 2.6, “Configuring Certificate Settings,” on page 35
2.1 Configuring Authentication for the ESP-Enabled Novell SSL VPN
If you installed the ESP-enabled Novell SSL VPN, then an Embedded Service Provider component was installed along with the SSL VPN server during the installation. You must now configure the Embedded Service Provider in order to establish a trust relationship between the Identity Server and the Embedded Service Provider.
NOTE: If you have installed the Traditional SSL VPN, refer to Section 2.2, “Accelerating the Traditional Novell SSL VPN,” on page 23.
1 In the Administration Console, click Devices > SSL VPNs > Edit.
The Server configuration page is displayed.
2 Select Authentication Configuration from the Basic Gateway Configuration section.
3 Fill in the following fields:
Identity Server Cluster: Specifies the Identity Server cluster that you want the SSL VPN to trust for authentication. Select the configuration you have assigned to the Identity Server.
Authentication Contract: Specifies the type of contract, which determines the information a user must supply for authentication. By default, you can select from the following authentication contracts:
Any Contract: If the user has authenticated, this option allows any contract defined for the Identity Server to be valid, or if the user has not authenticated, it prompts the user to authenticate using the default contract assigned to the Identity Server configuration.
Name/Password - Basic: Specifies basic authentication over HTTP, using a standard login pop-up provided by the Web browser.
Name/Password - Form: Specifies a form-based authentication over HTTP, using the Access Manager login form.
Secure Name/Password - Basic: Specifies basic authentication over HTTPS, using a standard login pop-up provided by the Web browser.
Secure Name/Password - Form: Specifies a form-based authentication over HTTPS, using the Access Manager login form.
Embedded Service Provider Base URL: The application path for the Embedded Service Provider. This URL has the following constituents:
Protocol: Specifies the communication protocol. Specify HTTPS in order to run securely in SSL mode. Use HTTP only if you do not require security.
Domain: The DNS name used to access the SSL VPN server. Using an IP address is not recommended.
Port: Specifies the port values for the protocol. The port is 80 or 8080 for HTTP or 443 or 8443 for HTTPS. If you want to use port 80 or 433, select the port here, then select the Redirect Requests from Non-Secure Port to Secure Port option. Selecting 80 for HTTP and 443 for HTTPS implies that the port needs to be translated.
Application: Specifies the SSL VPN server application path.
Redirect Requests from Non-Secure Port to Secure Port: Specify this option to redirect the browsers to the secure port in order to establish an SSL connection. If this option is not selected, browsers that connect to the non-secure port are denied service.
SSL VPN Certificate: Configure a certificate for SSL. This certificate is used when SSL VPN communicates with the SSL VPN server.
You can click the icon to select the default test-connector certificate created for SSL VPN. The subject name of this certificate should match the DNS name of the SSL VPN server. For more information, see Section 2.6, “Configuring Certificate Settings,” on page 35.
Embedded Service Provider Certificate: Configure a certificate for the Embedded Service Provider to communicate with the Identity Server. You can click the icon to select a certificate. Make sure that the subject name of this certificate matches the DNS name of the SSL VPN server. For more information, see Section 2.6, “Configuring Certificate Settings,” on page 35.
NOTE: Before you proceed with the configuration, verify if SSL VPN certificates are imported into the trust store. To verify, log in to the Administration Console, select Security > Trusted Roots, click the down arrow for the trusted root that you are interested in. Make sure that two SSL VPN trust stores are displayed. If they do not exist, you must manually push the certificates to the trust store.
The following URLs are displayed when the Published DNS name is populated:
Login URL: Displays the URL that you need to use for logging users in to the protected resources.
Logout URL: Displays the URL that you need to use for logging users out of protected resources.
Metadata URL: Displays the location of the metadata.
Health Check URL: Displays the location of the health check.
4 Restart the Tomcat server when prompted.
5 To save your modifications, click OK, then click Update on the Configuration page.
6 Click Update on the Identity Server Configuration page.
7 (Optional) Proceed with Section 2.3, “Configuring the IP Address, Port, and Network Address Translation (NAT),” on page 27, if you have not already configured the SSL VPN server details.
2.2 Accelerating the Traditional Novell SSL VPN
NOTE: If you have installed the ESP-enabled Novell SSL VPN, skip this section and make sure that you have completed Section 2.1, “Configuring Authentication for the ESP-Enabled Novell SSL VPN,” on page 21.
If you have installed the traditional Novell SSL VPN, this is a mandatory configuration in order to accelerate the SSL VPN server.
Section 2.2.1, “Configuring the Default Identity Injection Policy,” on page 24
Section 2.2.2, “Injecting the SSL VPN Header,” on page 24
2.2.1 Configuring the Default Identity Injection Policy
The SSL VPN server requires a user credential profile consisting of the following elements:
Username and password information
A proxy session cookie
The roles assigned to the current user for authentication information
Each element added to the custom header requires a name with an “X-” prefix. The name you enter is specific to the application using the custom header, and might be case sensitive. You need to obtain this information from the application before creating the custom header. The Access Gateway injects these headers into the SSL VPN server.
The SSL VPN server requires the following three headers:
Authentication header containing the credential profile with a username and password
Custom header containing a proxy session cookie element named X-SSLVPN-PROXY-SESSION-COOKIE
Custom header containing roles for current user element, named X-SSLVPN-ROLE
You can configure Access Gateway to inject the client IP address as a custom header along with the other three headers. This custom header should be named X-SSLVPN-CLIENTIP. This enables logging of the client IP address for SSL VPN. This is an optional configuration and is not enabled by default. If it is not enabled, the SSL VPN server reports it to the Audit server as a connection accepted from Unknown Host.
To add this header to the SSL VPN policy:
1 In the Administration Console, click Devices > Access Gateways > Policies.
2 (Conditional) If you have not created the SSL VPN default policy, click Create SSL VPN Default. Then click Apply Changes.
3 In the list of policies, click SSLVPN Default > 1.
4 In the Actions section, click New, then select Inject into Custom Header.
5 Fill in the following values:
Custom Header Name: Specify X-SSLVPN-CLIENTIP.
Value: Select Client IP.
6 Click OK twice.
7 Click Apply Changes.
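The following is an added example (not Novell's code) of the header contract this section describes, written from the SSL VPN server's side: it validates that the Access Gateway injected the authentication header, the X-SSLVPN-PROXY-SESSION-COOKIE element and the X-SSLVPN-ROLE element, reads the optional X-SSLVPN-CLIENTIP element, and falls back to "Unknown Host" in the audit entry when that element is absent. The sample headers are constructed; the comma-separated role format and the Basic scheme of the authentication header are assumptions, and header names are matched case-insensitively (HTTP header names are case-insensitive on the wire, even though the application behind the custom header may treat them as case-sensitive).

```python
import base64
import binascii
from typing import Dict, List, Mapping

# Header names the SSL VPN server expects the Access Gateway to inject (from this section).
AUTH_HEADER = "Authorization"
SESSION_COOKIE_HEADER = "X-SSLVPN-PROXY-SESSION-COOKIE"
ROLE_HEADER = "X-SSLVPN-ROLE"
CLIENT_IP_HEADER = "X-SSLVPN-CLIENTIP"   # optional; absent -> "Unknown Host" in the audit entry
UNKNOWN_HOST = "Unknown Host"


class InjectionError(ValueError):
    """Raised when the injected credential profile is incomplete or malformed."""


def parse_basic_auth(value: str):
    """Decode an HTTP Basic authentication header into (username, password).

    Assumption: the authentication header carries the Basic scheme."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise InjectionError("authentication header is not HTTP Basic")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InjectionError("authentication header is not valid base64") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise InjectionError("authentication header lacks user:password")
    return user, password


def build_credential_profile(headers: Mapping[str, str]) -> Dict[str, object]:
    """Validate the injected headers and build the credential profile."""
    lookup = {name.lower(): value for name, value in headers.items()}

    auth = lookup.get(AUTH_HEADER.lower())
    if not auth:
        raise InjectionError(f"missing {AUTH_HEADER} header")
    user, password = parse_basic_auth(auth)

    for required in (SESSION_COOKIE_HEADER, ROLE_HEADER):
        if not lookup.get(required.lower()):
            raise InjectionError(f"missing {required} header")

    # Assumption: several roles arrive comma-separated in one header value.
    roles: List[str] = [r.strip() for r in lookup[ROLE_HEADER.lower()].split(",") if r.strip()]

    return {
        "user": user,
        "password": password,
        "session_cookie": lookup[SESSION_COOKIE_HEADER.lower()],
        "roles": roles,
        # The optional client IP element is what lets the audit entry name the real source.
        "client_ip": lookup.get(CLIENT_IP_HEADER.lower()) or UNKNOWN_HOST,
    }


def audit_line(profile: Dict[str, object]) -> str:
    """Render the 'connection accepted' audit entry in the form this section describes."""
    return f"connection accepted from {profile['client_ip']} for user {profile['user']}"


# Constructed sample headers; the cookie value is made up for the example.
SAMPLE_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii"),
    "X-SSLVPN-PROXY-SESSION-COOKIE": "sess-0123456789abcdef",
    "X-SSLVPN-ROLE": "employee, vpn-users",
}

if __name__ == "__main__":
    profile = build_credential_profile(SAMPLE_HEADERS)
    print(audit_line(profile))   # no X-SSLVPN-CLIENTIP injected -> reported as Unknown Host
    with_ip = build_credential_profile({**SAMPLE_HEADERS, "X-SSLVPN-CLIENTIP": "203.0.113.7"})
    print(audit_line(with_ip))
```

Running the block once without and once with the X-SSLVPN-CLIENTIP element shows why the optional header is worth enabling: without it every accepted connection is audited as coming from Unknown Host, which leaves nothing to correlate against other logs.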
2.2.2 Injecting the SSL VPN Header
The example in this section explains how to accelerate SSL VPN server in a path-based multi-homing configuration.
Before you begin, make sure you have already created a proxy service and an authentication procedure. For more information on creating a proxy service and authentication procedure, see “Configuring a Reverse Proxy” in the Novell Access Manager 3.1 SP2 Setup Guide.
1 In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy].
2 In the Proxy Service List section, click New.
3 Fill in the following fields:
Proxy Service Name: Specify a name for the proxy service.
Multi-Homing Type: Specify the method for finding a second resource on the reverse proxy. For this example configuration, Path-Based has been selected.
Published DNS Name: This field is populated by default with the published DNS name.
Path: Specify the path to the SSL VPN resource. This must be /sslvpn.
Web Server IP Address: Specify the public IP address of the SSL VPN server.
NOTE: If the SSL VPN server and the Linux Access Gateway are installed on the same machine, you must configure the loopback IP address 127.0.0.1 as the Web Server IP address. For more information on configuring the loopback IP address, see “Configuration Changes to the SSL VPN Server Installed with the Access Gateway Appliance” in the Novell Access Manager 3.1 SP2 Installation Guide.
Host Header: Select which hostname is forwarded to the Web server in the host header. If your SSL VPN server has a DNS name, select Web Server Host Name.
Web Server Host Name: Specify the DNS name of the SSL VPN server.
4 Click OK.
5 To configure the default Identity Injection policy and protected resources, click the newly added proxy service.
6 In the Path List section, make sure the Path is /sslvpn.
7 In the Path List section, select the /sslvpn check box, then click Enable SSL VPN.
8 Fill in the following fields:
Policy Container: Select a policy container from the list.
Policy: Select Create SSL VPN Default Policy from the drop-down list. A policy pop-up appears. Click Apply Changes in the pop-up, then click Close.
The default SSL VPN policy injects both the username and password in the authentication header. If you do not want the password to be pushed to the authentication header, configure a policy with a username and a string constant. For more information on configuring policies, see “Creating Identity Injection Policies” in the Novell Access Manager 3.1 SP2 Policy Guide.
You can also configure the SSL VPN policy to inject the client IP address, so that the IP address can then be included in log entries. For more information, see Section 2.2.1, “Configuring the Default Identity Injection Policy,” on page 24.
Name: Select Create SSL VPN Default Protected Resource from the drop-down list.
9 Click OK to close the Enable SSL VPN pop-up.
10 Click the Web Servers tab.
11 Specify 8080 in the Connect Port field, then click OK.
12 In the Proxy Service List section, click the name of the parent proxy service of the newly created SSL VPN proxy service. This host does not have a multi-homing value.
13 Select the Protected Resources tab.
14 Select SSLVPN_Default from Protected Resources List.
15 Select an authentication contract from the Authentication Procedure drop-down list.
The user is assigned the timeout value of the contract used for authentication, and not the default timeout value.
16 In the URL Path List section, ensure that the URL is /sslvpn/*.
IMPORTANT: Make sure that you configure the URL as given above. Any variation leads to the failure of SSL VPN service.
17 Click Configuration Panel, then click OK.
18 On the Configuration page, click OK.
19 On the Access Gateways page, click Update.
20 To update the Identity Server, click Identity Servers > Update.
21 Click Close.
22 (Optional) If you have not already configured the SSL VPN server details, proceed with Section 2.3, “Configuring the IP Address, Port, and Network Address Translation (NAT),” on page 27.
2.3 Configuring the IP Address, Port, and Network Address Translation (NAT)
The Gateway Configuration page displays the current configuration of the SSL VPN server, such as the external IP address if the SSL VPN server is behind NAT, the listening IP address, TCP encryption port, Connection Manager port, and the type of encryption used.
This section describes how to configure the IP addresses, port, subnet address and subnet mask, and protocol for SSL VPN.
Section 2.3.1, “Configuring the SSL VPN Gateway behind NAT or L4,” on page 28
Section 2.3.2, “Configuring the SSL VPN Gateway without NAT or an L4 Switch,” on page 30
2.3.1 Configuring the SSL VPN Gateway behind NAT or L4
To configure SSL VPN behind NAT or by using an L4 switch:
1 In the Administration Console, click Devices > SSL VPNs > Edit.
The Server configuration page is displayed.
2 Select Basic Configuration from the Gateway Configuration section.
3 Specify the following NAT/L4 configuration as follows:
Behind NAT/L4: Select the check box to specify that the SSL VPN Gateway is behind NAT.
Public IP Address: This field is enabled when the Behind NAT check box is selected. Specify the public IP address (that is, the address exposed to the Internet user) that translates into the SSL VPN Gateway IP address. This is the IP address where the external user on the Internet must be able to access the SSL VPN server.
Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 switch or a behind NAT.
Protocol: Specify a protocol for Kiosk mode as well as for Enterprise mode, when the SSL VPN server is behind an L4 switch or behind NAT. The protocol is TCP for Kiosk mode and UDP for Enterprise mode.
4 Specify the device-specific configuration as follows:
Cluster Member: Select the cluster member from a list of IP addresses.
Listening IP Address: Specify the IP address that the SSL VPN listens on.
Port: Specify a port number for Kiosk mode as well as for Enterprise mode when the SSL VPN server is behind an L4 switch or behind NAT. Make sure that the port you specify here is free.
Protocol: Specify a protocol for Kiosk mode as well as for Enterprise mode, when the SSL VPN server is behind an L4 switch or behind NAT. The protocol is TCP for Kiosk mode, but it can either be TCP or UDP for Enterprise mode.
5 Specify the following information to configure the assigned IP address pool for Enterprise mode:
Subnet Address: Specify the IP address of the subnet pool where SSL VPN assigns the IP address to each client in Enterprise mode. For this assigned IP address pool to work properly, you must configure the routing table and source NAT. For more information, see Section 2.4, “Configuring Route and Source NAT for Enterprise Mode,” on page 32.
Subnet Mask: Specify the subnet mask for Enterprise mode.
The values specified in the Subnet Address and Subnet Mask fields determine the IP addresses that are assigned to the clients. Make sure that the assigned IP address and the IP address of the client do not match.
NOTE: IP pooling is not applicable for Kiosk mode. In Enterprise mode, if you have only one SSL VPN server installed, then you can configure only one IP pool. However, if you have multiple SSL VPN servers in a cluster, then each SSL VPN server must have separately defined IP pools.
6 Specify the other configuration as follows:
Cluster Communications Port: Specify the port that is used for communication between the cluster members.
Identity Provider Address: Specify the IP addresses or the DNS name of the Identity Server if you are configuring SSL VPN for the full tunneling mode. For more information on full tunneling, see Section 3.4, “Configuring Full Tunneling,” on page 50.
Access Gateway Address: Specify the IP address or DNS name of the Access Gateway if your server is accelerated by the Access Gateway and if you are configuring SSL VPN for the full tunneling mode. This field is not present if you have installed the ESP-enabled SSL VPN. For more information on full tunneling, see Section 3.4, “Configuring Full Tunneling,” on page 50.
Inactivity Timeout (Minutes): You can configure the time in minutes. If no data exchange takes place during the stipulated time, the connection is closed so that the resources are freed to allow additional incoming connections. The inactivity timeout period can be one minute to 1800 minutes. The default inactive timeout period is 30 minutes.
Encryption: Select the type of encryption. It can be either AES128 or AES 256.
Enterprise Mode Compression: Specify if you want to enable compression in Enterprise mode in order to reduce the time taken to establish connection.
Authentication Hardenings: This option is applicable to Enterprise mode clients only. When this option is enabled, it provides protection against active attacks by using a keyed Hash Message Authentication Code (HMAC) cryptographic hash such as SHA1 to sign and verify packets. When this option is enabled, a packet is examined by a stateless filter and dropped if the HMAC signature does not match.
To enable Authentication Hardening, select On. To manually regenerate the key, click Re-generate. This option uses random number generation to regenerate the key.
Server Debug Level: Set this option to On if you want to get more debug information from the server. This option is set to Off by default.
Client Debug Level: Set this option to On if you want to get more debug information from the client.This option is set to Off by default.
7 To save your modifications, click OK, then click Update on the Configuration page.
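As an added example (not Novell's code) for the Subnet Address and Subnet Mask fields in step 5 above, the following Python turns the two fields into the pool of addresses the server can hand out in Enterprise mode, checks that a client's own address does not collide with the pool, and checks that the separately defined pools of cluster members do not overlap. All subnet values and member names are constructed for the example. The collision check goes slightly beyond the page: the text only says the assigned address and the client's address must not match, while this check rejects any client address that falls anywhere inside the pool, since the assignment could land on it later.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

IPv4Network = ipaddress.IPv4Network


def build_pool(subnet_address: str, subnet_mask: str) -> IPv4Network:
    """Combine the Subnet Address and Subnet Mask fields into the assignable pool."""
    # strict=False tolerates a subnet address with host bits set (e.g. 10.10.10.5/24).
    return ipaddress.IPv4Network(f"{subnet_address}/{subnet_mask}", strict=False)


def assignable_addresses(pool: IPv4Network) -> List[str]:
    """Host addresses the server can hand out (network and broadcast excluded)."""
    return [str(host) for host in pool.hosts()]


def client_conflicts(pool: IPv4Network, client_ip: str) -> bool:
    """True if the client's own address lies inside the pool it could be assigned from."""
    return ipaddress.IPv4Address(client_ip) in pool


def next_free_address(pool: IPv4Network, in_use: Iterable[str]) -> Optional[str]:
    """Lowest pool address not already assigned, or None when the pool is exhausted."""
    used = {ipaddress.IPv4Address(addr) for addr in in_use}
    for host in pool.hosts():
        if host not in used:
            return str(host)
    return None


def overlapping_pools(pools: Sequence[Tuple[str, IPv4Network]]) -> List[Tuple[str, str]]:
    """Pairs of cluster members whose pools overlap; each member needs its own pool."""
    clashes = []
    for i, (name_a, pool_a) in enumerate(pools):
        for name_b, pool_b in pools[i + 1:]:
            if pool_a.overlaps(pool_b):
                clashes.append((name_a, name_b))
    return clashes


if __name__ == "__main__":
    # Constructed values for a two-member cluster.
    member_a = ("sslvpn-a", build_pool("10.10.10.0", "255.255.255.0"))
    member_b = ("sslvpn-b", build_pool("10.10.10.128", "255.255.255.128"))  # inside member A's pool
    print(len(assignable_addresses(member_a[1])), "addresses in", member_a[1])
    print("client 10.10.10.7 conflicts:", client_conflicts(member_a[1], "10.10.10.7"))
    print("next free:", next_free_address(member_a[1], ["10.10.10.1", "10.10.10.2"]))
    print("overlapping cluster pools:", overlapping_pools([member_a, member_b]))
```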
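The Authentication Hardening option in step 6 above describes a keyed HMAC (such as SHA1) that signs packets and a stateless filter that drops any packet whose tag does not verify. The following is an added Python example (not Novell's code and not the product's actual packet format) of that mechanism: a tag is appended to each payload, the filter checks it in constant time without keeping per-peer state, and re-generating the key with the operating system's random source invalidates everything signed under the old key. The packet layout (payload followed by a 20-byte tag) and the 32-byte key length are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

TAG_LEN = hashlib.sha1().digest_size   # 20-byte HMAC-SHA1 tag appended to each packet (assumed layout)


def regenerate_key(length: int = 32) -> bytes:
    """Produce a fresh random HMAC key, as the Re-generate option does."""
    return os.urandom(length)


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA1 tag computed over the payload."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()


def filter_packet(key: bytes, packet: bytes) -> Optional[bytes]:
    """Stateless filter: return the payload if the tag verifies, else None (packet dropped).

    No connection or sequence state is consulted; each packet stands on its own tag."""
    if len(packet) <= TAG_LEN:          # too short to carry a payload and a tag
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return payload


def process_stream(key: bytes, packets: Iterable[bytes]) -> Tuple[List[bytes], int]:
    """Run packets through the filter; return (accepted payloads, number dropped)."""
    accepted: List[bytes] = []
    dropped = 0
    for packet in packets:
        payload = filter_packet(key, packet)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def tamper(packet: bytes, offset: int = 0) -> bytes:
    """Flip one bit of a packet, to show that an altered packet fails verification."""
    data = bytearray(packet)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    key = regenerate_key()
    good = [sign_packet(key, b"tunnel-frame-%d" % i) for i in range(3)]   # constructed frames
    forged = b"tunnel-frame-9" + bytes(TAG_LEN)    # no valid tag at all
    altered = tamper(good[0])                       # payload changed after signing
    accepted, dropped = process_stream(key, good + [forged, altered])
    print(len(accepted), "accepted,", dropped, "dropped")
    # After re-generating the key, frames signed under the old key are dropped as well.
    print(process_stream(regenerate_key(), good)[1], "dropped after rekey")
```

Two details carry the security value here: the comparison uses hmac.compare_digest so a mismatched tag cannot be distinguished by timing, and the filter holds no state, so it cannot be exhausted by a flood of bad packets the way a per-connection table could.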
2.3.2 Configuring the SSL VPN Gateway without NAT or an L4 Switch
1 In the Administration Console, click Devices > SSL VPNs > Edit.
The Server configuration page is displayed.
2 Select Basic Configuration from the Gateway Configuration section.