Novell ACCESS MANAGER 3.1 SP1 - SSL VPN SERVER GUIDE... User manual
Novell®
www.novell.com
novdocx (en) 19 February 2010
AUTHORIZED DOCUMENTATION
Novell Access Manager 3.1 SP1 SSL VPN Server Guide
Access Manager
3.1 SP1
March 17, 2010
SSL VPN Server Guide
novdocx (en) 19 February 2010
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverable for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Copyright © 2008-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
novdocx (en) 19 February 2010
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
4Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
Contents 5
Contents
novdocx (en) 19 February 2010
About This Guide 11
Part I Overview of SSL VPN 13
1 SSL VPN Features 15
2 Traditional and ESP-Enabled SSL VPNs 19
2.1 ESP-Enabled Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.3 High and Low Bandwidth SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3 SSL VPN Client Modes 23
3.1 Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.2 User Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2 Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Part II Installing and Deploying the SSL VPN Server 27
4 Installing the SSL VPN Server 29
4.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 Limitations With 64-Bit Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3 Installing ESP-Enabled SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.1 Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.3.2 Installing the ESP-Enabled SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.4 Installing the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.4.1 Deployment Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.4.2 Installing the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.5 Installing the RPM Containing Key For High Bandwidth SSL VPN . . . . . . . . . . . . . . . . . . . . . 41
4.6 Uninstalling the RPM Containing Key For High Bandwidth SSL VPN . . . . . . . . . . . . . . . . . . . 42
4.7 Verifying That Your SSL VPN Service Is Installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5 Upgrading SSL VPN Servers 43
5.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2 Upgrade Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.3 Upgrading SSL VPN Installed on a Separate Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.4 Migrating a Traditional SSL VPN Server to the ESP-Enabled Version . . . . . . . . . . . . . . . . . . 46
5.4.1 Upgrade Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.4.2 Migrating Traffic Policies from Traditional SSL VPN to ESP- Enabled SSL VPN . . . 48
5.5 Upgrading Clustered SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.6 Updating Configuration Changes to the Upgraded Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.7 Configuration Changes to the SSL VPN Server Installed with the Linux Access Gateway . . . 50
6Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
6 Preinstalling the SSL VPN Client Components 53
6.1 Installing Client Components for Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2 Installing Client Components for Macintosh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.3 Installing Client Components for Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
7 Uninstalling the SSL VPN Server 55
7.1 Deleting the Server from the Administration Console and from the Cluster. . . . . . . . . . . . . . . 55
7.2 Uninstalling the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
8 Deploying SSL VPN 57
8.1 Installing ESP-Enabled SSL VPN on a Single Machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
8.1.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
8.1.2 Deployment Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
8.2 Deploying a Cluster of Single-Machine SSL VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
8.2.1 Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
8.2.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
8.2.3 Deployment Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
8.3 Deploying the Traditional Novell SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
8.3.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
8.3.2 Deployment Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Part III Configuring SSL VPN 65
9 Configuring Authentication for ESP-Enabled Novell SSL VPN 67
10 Accelerating the Traditional Novell SSL VPN 69
10.1 Configuring the Default Identity Injection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
10.2 Injecting the SSL VPN Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
11 Configuring the IP Address, Port, and NAT 75
11.1 Configuring the SSL VPN Gateway Behind NAT or L4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
11.2 Configuring the SSL VPN Gateway Without NAT or L4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
12 Configuring Route and Source NAT for Enterprise Mode 81
12.1 Configuring the OpenVPN Subnet in Routing Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
12.2 Configuring Source NAT for SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
12.2.1 Configuring SNAT for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
12.2.2 Ordering SNAT Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
13 Configuring DNS Servers and Certificates 85
13.1 Configuring DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
13.1.1 Configuring DNS Servers for Enterprise Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
13.1.2 Configuring DNS Servers for Kiosk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
13.2 Configuring Certificate Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Contents 7
novdocx (en) 19 February 2010
14 Configuring End-Point Security and Access Policies for SSL VPN 89
14.1 Configuring Policies to Check the Integrity of Client Machine . . . . . . . . . . . . . . . . . . . . . . . . . 90
14.1.1 Selecting the Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
14.1.2 Configuring the Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
14.1.3 Configuring Applications for a Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
14.1.4 Configuring Attributes for an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
14.1.5 Exporting and Importing Client Integrity Check Policies . . . . . . . . . . . . . . . . . . . . . . 95
14.2 Configuring Client Security Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
14.3 Configuring Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
14.3.1 Configuring Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
14.3.2 Rule Ordering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
14.3.3 Exporting and Importing Traffic Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
15 Configuring How Users Connect to SSL VPN 101
15.1 Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode . . . . . . . . . . . . . . . . 101
15.2 Allowing Users to Select the SSL VPN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
15.3 Configuring SSL VPN to Download the Java Applet on Internet Explorer . . . . . . . . . . . . . . . 103
15.4 Configuring a Custom Login Policy for SSL VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
15.5 Customizing SSL VPN User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
15.5.1 Customizing the Home Page and Exit Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
15.5.2 Customizing Error Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
15.5.3 Modifying Help Pages for the Customized Error Messages . . . . . . . . . . . . . . . . . . 105
16 Configuring Full Tunneling 107
17 Configuring SSL VPN to Connect through a Forward Proxy 109
17.1 Understanding How SSL VPN Connects Through a Forward Proxy . . . . . . . . . . . . . . . . . . . 109
17.2 Creating the proxy.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
18 Configuring SSL VPN for Citrix Clients 111
18.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
18.2 How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
18.3 Configuring a Custom Login Policy for Citrix Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
18.4 Configuring the Access Gateway to protect the Citrix Server . . . . . . . . . . . . . . . . . . . . . . . . 113
18.5 Configuring Single Sign-On Between Citrix and SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 114
19 Additional Configurations 117
19.1 Creating DH Certificates with Different Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
19.2 Creating a Configuration File to Add Additional Configuration Changes . . . . . . . . . . . . . . . . 117
19.3 Disconnecting Active SSL VPN Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
19.4 Modifying SSL VPN Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Part IV Clustering the High Bandwidth SSL VPN Servers 121
20 Overview of SSL VPN Clusters 123
20.1 Cluster Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
20.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
20.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
21 Creating a Cluster of SSL VPN Servers 125
21.1 Creating a Cluster of SSL VPN Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
21.2 Adding An SSL VPN Server to a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
21.3 Removing an SSL VPN Server from a Cluster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
22 Clustering SSL VPN by Using L4 129
22.1 Configuring a Cluster of ESP-Enabled SSL VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
22.2 Configuring a Cluster of Traditional SSL VPNs by Using L4 . . . . . . . . . . . . . . . . . . . . . . . . . 131
23 Clustering SSL VPNs By Using Access Gateway and Without L4 133
23.1 Configuring the Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
23.2 Installing the Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
23.3 Testing the Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
24 Configuring SSL VPN to Monitor Health of Cluster 135
24.1 Services of the Real Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
24.1.1 A Note about Alteon Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
24.1.2 Real Server Settings Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
24.1.3 Virtual Server Settings Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
24.2 Monitoring the SSL VPN Server Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Part V Monitoring the SSL VPN Servers 139
25 Enabling SSL VPN Audit Events 141
26 Viewing SSL VPN Statistics 143
26.1 Viewing Statistics of SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
26.2 Viewing Statistics of SSL VPN Server Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
26.3 Viewing the Bytes Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
27 Monitoring Health of SSL VPN Servers 147
27.1 Monitoring Health of Single Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
27.2 Monitoring Health of SSL VPN Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
28 Viewing the Command Status of the SSL VPN Server 149
28.1 Viewing Command Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
29 Monitoring SSL VPN Alerts 151
29.1 Configuring SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
29.2 Viewing SSL VPN Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
29.3 Viewing SSL VPN Cluster Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Contents 9
novdocx (en) 19 February 2010
Part VI Troubleshooting SSL VPN 155
30 Troubleshooting SSL VPN Installation 157
30.1 Manually Uninstalling the Enterprise Mode Thin Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
30.2 SSL VPN Health Status is Yellow After an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
31 Troubleshooting SSL VPN Configuration 159
31.1 Successfully Connecting to the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
31.1.1 Connection Problems with Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
31.1.2 Connection Problems with Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
31.2 The SSL VPN Server Is in a Pending State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
31.3 SSL VPN Connects in Kiosk Mode, But There Is No Data Transfer . . . . . . . . . . . . . . . . . . . 162
31.4 The TFTP Application and GroupWise Notify Do Not Work in Enterprise Mode . . . . . . . . . . 162
31.5 SSL VPN Not Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
31.5.1 Verifying and Restarting JCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
31.5.2 Verifying and Restarting the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
31.6 Verifying SSL VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
31.6.1 SSL VPN Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
31.6.2 SSL VPN Linux Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
31.6.3 SSL VPN Macintosh Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
31.6.4 SSL VPN Windows Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
31.7 Unable to Contact the SSL VPN Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
31.8 Unable to Get Authentication Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
31.9 The SSL VPN Connection Is Successful But There Is No Data Transfer . . . . . . . . . . . . . . . 164
31.10 Unable to Connect to the SSL VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
31.11 Multiple Instances of SSL VPN Are Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
31.12 Issue with the Preinstalled Enterprise Mode Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
31.13 Socket Exception Error After Upgrading SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
31.14 SSL VPN Server Is Unable to Handle the Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
31.15 Embedded Service Provider Status Is Red . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
31.16 Connection Manager Log Does Not Display the Client IP Address . . . . . . . . . . . . . . . . . . . . 166
31.17 SSL VPN Full Tunnel Connection Disconnects on VMware . . . . . . . . . . . . . . . . . . . . . . . . . 166
31.18 Clustering Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
31.18.1 Bringing Up the Server If a Cluster Member Is Down . . . . . . . . . . . . . . . . . . . . . . . 167
31.18.2 Bringing Up a Binary If It Is Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
31.18.3 Debugging a Cluster If Session Sharing Doesn’t Properly Happen. . . . . . . . . . . . . 167
10 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
About This Guide 11
novdocx (en) 19 February 2010
About This Guide
The Novell®Access Manager SSL VPN uses encryption and other security mechanisms to ensure
that the data cannot be intercepted and only authorized users have access to the network. Users can
access SSL VPN services from any Web browser. This guide has the following information:
Part I, “Overview of SSL VPN,” on page 13
Part II, “Installing and Deploying the SSL VPN Server,” on page 27
Part III, “Configuring SSL VPN,” on page 65
Part IV, “Clustering the High Bandwidth SSL VPN Servers,” on page 121
Part V, “Monitoring the SSL VPN Servers,” on page 139
Part VI, “Troubleshooting SSL VPN,” on page 155
Audience
This guide is intended for Access Manager administrators. It is assumed that you have knowledge of
evolving Internet protocols, such as:
Extensible Markup Language (XML)
Simple Object Access Protocol (SOAP)
Security Assertion Markup Language (SAML)
Public Key Infrastructure (PKI) digital signature concepts and Internet security
Secure Socket Layer/Transport Layer Security (SSL/TSL)
Hypertext Transfer Protocol (HTTP and HTTPS)
Uniform Resource Identifiers (URIs)
Domain Name System (DNS)
Web Services Description Language (WSDL)
Feedback
We want to hear your comments and suggestions about this guide and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to Documentation Feedback (http://www.novell.com/documentation/
feedback.html) at www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Novell Access Manager SSL VPN Server Guide, visit the Novell
Access Manager Documentation Web site (http://www.novell.com/documentation/
novellaccessmanager).
Additional Documentation
Novell Access Manager 3.1 SP1 Installation Guide
Novell Access Manager 3.1 SP1 Setup Guide
12 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
Novell Access Manager 3.1 SP1 Quick Starts
Novell Access Manager 3.1 SSL VPN User Guide
For information about the other Access Manager devices and features, see the following:
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux or UNIX, should use forward slashes as required by your software.
Overview of SSL VPN
I
13
novdocx (en) 19 February 2010
I
Overview of SSL VPN
The Novell®Access Manager SSL VPN uses Secure Sockets Layer (SSL) as the underlying security
protocol for network transmissions. It uses encryption and other security mechanisms to ensure that
the data cannot be intercepted and only authorized users have access to the network. Users can
access SSL VPN services from any Web browser.
This section has the following information:
Chapter 1, “SSL VPN Features,” on page 15
Chapter 2, “Traditional and ESP-Enabled SSL VPNs,” on page 19
Chapter 3, “SSL VPN Client Modes,” on page 23
14 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
SSL VPN Features
1
15
novdocx (en) 19 February 2010
1
SSL VPN Features
Novell®SSL VPN comes with a number of key features that make the product secure, easy to
access, and reliable.
Browser-Based End User Access
Novell SSL VPN has browser-based end user access that does not require users to preinstall any
components on their machines. Users can access the SSL VPN services from any Web browser,
from their personal computers, laptop, or from an Internet kiosk.
When users access SSL VPN through the Web browser, they are prompted to authenticate. On
successful authentication, a Java* applet or an ActiveX* control is delivered to the client, depending
on the browser. This establishes a secure tunnel between the user’s machine and the SSL VPN
server.
Support on Linux, Macintosh, and Windows
The SSL VPN client is supported on Linux, Macintosh*, and Windows* environments. For a
complete list of operating software and browsers that are supported by SSL VPN, see “Client
Machine Requirements” in the Novell Access Manager 3.1 SSL VPN User Guide.
Support on 64-Bit Clients
Enterprise mode SSL VPN can be installed on 64-bit client configurations.
High and Low Bandwidth Versions
Novell SSL VPN comes in high and low bandwidth versions. The default low bandwidth SSL VPN
server is restricted to 249 simultaneous user connections and a transfer rate of 44 Mbits per second
because of export restrictions.
If the export law permits, you can install the high bandwidth SSL VPN RPM to get the high
bandwidth capabilities, because that version does not have connection and performance restrictions.
You can order the high bandwidth SSL VPN key at no extra cost. It is also essential to have the high
bandwidth SSL VPN if you want to cluster the SSL VPN servers.
For more information on how to order and install the high bandwidth SSL VPN, and to upgrade the
high bandwidth version to the latest build, see Section 4.5, “Installing the RPM Containing Key For
High Bandwidth SSL VPN,” on page 41.
Traditional and ESP-Enabled Installation
You can install SSL VPN in two ways.
As an ESP-enabled SSL VPN, which is installed with the Identity Server and the
Administration console.
As a Traditional SSL VPN, which is installed with the Identity Server, Administration Console,
and the Access Gateway.
16 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
For more information on these methods, see Chapter 2, “Traditional and ESP-Enabled SSL VPNs,”
on page 19.
Enterprise and Kiosk Modes for End User Access
The Novell SSL VPN uses both clientless and thin-client access methods. The clientless method is
called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.
In Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for
SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this mode,
a thin client is installed on the user’s workstation, and the IP Forwarding feature is enabled by
default. For more information on Enterprise mode, see Section 3.1, “Enterprise Mode,” on page 23
In Kiosk mode, only a limited set of applications enabled for SSL VPN. In Kiosk mode, applications
that were opened before the SSL VPN connection was established are not enabled for SSL. For
more information on Kiosk mode, see Section 3.2, “Kiosk Mode,” on page 25.
As SSL VPN server administrators, you can decide which users can connect in Enterprise mode and
which users can connect in Kiosk mode, depending on the role of the user. Or you can let the client
decide the mode in which the SSL VPN connection is made. For more information on how to do
this, see Chapter 15, “Configuring How Users Connect to SSL VPN,” on page 101. Enterprise mode
is available to a user who has the administrator right in a Windows workstation or a
root
user
privilege on Linux or Macintosh workstations, and if the user does not have administrator rights or
root
user privileges for that workstation, the SSL VPN connection is made in Kiosk mode.
Customized Home and Exit Pages for End Users
The home page and the exit page of SSL VPN can be customized to suit the needs of different
customers. For more information, see Section 15.5, “Customizing SSL VPN User Interface,” on
page 104.
Clustering SSL VPN Servers
The SSL VPN servers can be clustered to provide load balancing and fault tolerance, When you
form a cluster of SSL VPN servers, all members of a cluster should belong to only one type of SSL
VPN and they should all be running the high bandwidth SSL VPN. For example, all the members of
a cluster should belong to either the ESP-enabled SSL VPN or the traditional SSL VPN. For more
information on SSL VPN clustering, see Part IV, “Clustering the High Bandwidth SSL VPN
Servers,” on page 121.
End-Point Security Checks
The Novell SSL VPN has a set of policies that can be configured to protect your network and
applications from clients that are using insufficient security restraints and also to restrict the traffic
based on the role of the client.
You can configure a client integrity check policy to run a check on the client workstations before
establishing a tunnel to SSL VPN server. This check ensures that the users have specified software
installed and running in their systems. Each client is associated with a security level, depending on
the assessment of the client integrity check and the relevant traffic policies are assigned. For more
information on configuring end-point security, see Chapter 14, “Configuring End-Point Security and
Access Policies for SSL VPN,” on page 89.
SSL VPN Features 17
novdocx (en) 19 February 2010
Ability to Order Rules
If you have configured more than one rule for a user’s role, the rule that is placed first is applied
first. Novell SSL VPN allows you to change the order of rules by dragging and dropping them,
based on their priority. For more information on rule ordering in SSL VPN, see Section 14.3.2,
“Rule Ordering,” on page 99.
Ability to Import and Export Policies
Novell SSL VPN allows you to export the existing configuration into an XML file through the
Administration Console. You can reimport this configuration later. This is a very useful feature
when you upgrade your servers from one version to another. For more information, see
Section 14.3.3, “Exporting and Importing Traffic Policies,” on page 100
Desktop Cleanup Feature
When a user accesses the protected resource from outside by using SSL VPN, it also means that the
sites that the user visited are stored in the browser history, or some sensitive information is stored in
the cache or cookies. This is a potential security threat if it is not properly dealt with. The Novell
SSL VPN client comes with the desktop cleanup feature, so the user has the option to delete all the
browser history, cache, cookies, and files from the system, before logging out of the SSL VPN
connection.
If the user uses Firefox* to connect to SSL VPN, the browsing data that was stored after the SSL
VPN connection was made is deleted. In Internet Explorer*, all the browser data is deleted including
the data that was stored before the SSL VPN session was established.
Sandbox Feature
When you connect to SSL VPN in either Kiosk mode or Enterprise mode, a folder named VPN-
SANDBOX is created on your desktops can manually copy any files that you download from your
corporate network or any other files into this folder. This folder is automatically deleted along with
its contents when the user logs out of the SSL VPN connection. For more information on the
sandbox feature of SSL VPN, see “Sandbox Feature” in the Novell Access Manager 3.1 SSL VPN
User Guide.
Custom Login Policy
When custom login policy is configured, SSL VPN redirects the custom login requests to different
URLs based on the policy. This is a very useful feature if users want to access applications such as
those on the Citrix* application servers. For more information on how to configure a custom login
policy, see Section 15.4, “Configuring a Custom Login Policy for SSL VPN,” on page 103.
18 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
Traditional and ESP-Enabled SSL VPNs
2
19
novdocx (en) 19 February 2010
2
Traditional and ESP-Enabled SSL
VPNs
The Novell®SSL VPN can be deployed as either an ESP-enabled SSL VPN or a Traditional SSL
VPN.
When SSL VPN is deployed without the Access Gateway, an Embedded Service Provider (ESP)
component is installed along with the SSL VPN server. This deployment requires the Identity Server
and the Administration server to also be installed. This type of deployment is called an ESP-enabled
Novell SSL VPN.
When SSL VPN is deployed with the Access Gateway, it is called a Traditional Novell SSL VPN. In
this type of installation, SSL VPN is deployed with the Identity Server, Administration Console, and
the Linux Access Gateway components of Novell Access Manager.
Section 2.1, “ESP-Enabled Novell SSL VPN,” on page 19
Section 2.2, “Traditional Novell SSL VPN,” on page 20
Section 2.3, “High and Low Bandwidth SSL VPNs,” on page 21
2.1 ESP-Enabled Novell SSL VPN
In ESP-enabled Novell SSL VPN, the process involved in establishing a secure connection between
a client machine and the different components of Novell Access Manager is as follows:
1. The user specifies the following URL to access the SSL VPN server:
https://<www.sslvpn.novell.com>/sslvpn/login
<www.sslvpn.novell.com> is the DNS name of the SSL VPN server, and /sslvpn/login is the
path of the SSL VPN server.
2. The SSL VPN redirects the browser to the Identity Server for authentication.
3. After successful authentication, the Identity Server redirects the browser back to SSL VPN.
4. The Identity Server propagates the session information to the SSL VPN server through the
Embedded Service Provider.
5. The SSL VPN server injects the SSL VPN policy for that user into the SSL VPN servlet. The
SSL VPN servlet processes the parameters and sends the policy information back to the server.
6. The SSL VPN checks if the client machine has sufficient security restraints. For more
information on client integrity checks, see Chapter 14.1, “Configuring Policies to Check the
Integrity of Client Machine,” on page 90.
7. When the user accesses the applications behind the protected network, the connection goes
through the secure tunnel formed with the SSL VPN server.
8. The browser stays open throughout the SSL VPN connection to allow the keep-alive packets.
9. When the user clicks the logout button to close the SSL VPN session, all the client components
are automatically uninstalled from the workstation.
20 Novell Access Manager 3.1 SP1 SSL VPN Server Guide
novdocx (en) 19 February 2010
2.2 Traditional Novell SSL VPN
The following figure shows the Novell Access Manager components and the process involved in
establishing a secure connection between a client machine and traditional Novell SSL VPN server.
In this type of deployment, the Linux Access Gateway accelerates and protects the SSL VPN server.
Figure 2-1 Traditional Novell SSL VPN
1. The user specifies the following URL to access the SSL VPN server:
https://<www.ag.novell.com>/sslvpn/login
<www.ag.novell.com> is the DNS name of the Access Gateway that accelerates the SSL VPN
server, and /sslvpn/login is the path of the SSL VPN server.
2. The Access Gateway redirects the user to the Identity Server for authentication, because the
URL is configured as a protected resource.
3. The Identity Server authenticates the user’s identity.
4. The Identity Server propagates the session information to the Access Gateway through the
Embedded Service Provider.
5. The Access Gateway injects the SSL VPN policy for that user into the SSL VPN servlet. The
SSL VPN servlet processes the parameters and sends the policy information back to the Access
Gateway.
6. The SSL VPN checks if the client machine has sufficient security restraints. For more
information on client integrity checks, see Chapter 14.1, “Configuring Policies to Check the
Integrity of Client Machine,” on page 90.
External IP: 192.23.45.4
Internal IP: 10.0.0.4
Browser
SSL VPN
Identity
Server
Access
Gateway
Application
3
7
7
6
1
452
DNS: www.ag.novell.com
www.ag.novell.com/sslvpn
This manual suits for next models
1
Table of contents
Other Novell Software manuals
Novell
Novell Account Management 2.1 User manual
Novell
Novell GROUPWISE 8 - DOMAINS User manual
Novell
Novell APPARMOR 2.1 - Instruction Manual
Novell
Novell PLATESPIN ORCHESTRATE 2.0.2 - HIGH AVAILABILITY CONFIGURATION GUIDE... User manual
Novell
Novell GROUPWISE 7 - TROUBLESHOOTING 1 User manual
Novell
Novell SUPPORT ADVISOR - 04-2010 User manual
Novell
Novell EDIRECTORY 8.8 - GUIDE User manual
Novell
Novell GROUPWISE 8 - MONITOR User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 11 - OPENOFFICE User manual
Novell
Novell GROUPWISE 8 - LIBRARIES AND DOCUMENTS User manual
Novell
Novell CLIENT FOR LINUX 1.2 User manual
Novell
Novell SENTINEL 6.1 SP2 - INSTALLATION GUIDE... User manual
Novell
Novell CONSOLE ONE 1.3.X User manual
Novell
Novell BUSINESS CONTINUITY CLUSTERING 1.0 -... User manual
Novell
Novell OPEN ENTERPRISE SERVER 2 SP2 - PLANING AND IMPLEMENTATION GUIDE... User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 10 SP1 - KDE... User manual
Novell
Novell IDENTITY MANAGER 3.6.1 Installation guide
Novell
Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER User manual
Novell
Novell IDENTITY ASSURANCE SOLUTION 3.0.2 -... User manual
Novell
Novell LINUX ENTERPRISE DESKTOP 10 SP2 User manual
Popular Software manuals by other brands
Honeywell
Honeywell ARENA user guide
HP
HP C7791C - DesignJet 130 Color Inkjet Printer printing guide
FARONICS
FARONICS DEEP FREEZE SERVER STANDARD manual
Red Hat
Red Hat ENTERPRISE LINUX 4 - DEVELOPER TOOLS GUIDE manual
Autodesk
Autodesk 23703-010008-1600A - Civil 3D 2006... manual
GRASS VALLEY
GRASS VALLEY K2 INSYNC datasheet
Red Hat
Red Hat NETWORK - USER REFERENCE GUIDE 2.0 User reference guide
GRASS VALLEY
GRASS VALLEY Aurora Edit Security Application note
Alcatel
Alcatel OmniTouch UC manual
Philips
Philips TV Video Accessories Software upgrade instructions
Panasonic
Panasonic LightPen3 operating instructions
Red Hat
Red Hat NETWORK SATELLITE SERVER 3.6 installation guide
Philips
Philips 23-LCD HDTV MONITOR FLAT TV DIGITAL CRYSTAL CLEAR... release note
Texas Instruments
Texas Instruments TI-83 Plus Silver Edition Guide book
Dell
Dell PowerConnect W-Airwave manual
HP
HP LeftHand P4000 - SAN Solutions release note
Enterasys
Enterasys ANG-1000 release note
Mitsubishi
Mitsubishi SRRM25ZE user manual