User manual NOVELL ACCESS MANAGER 3.1 SP1 SSL VPN SERVER GUIDE 03-17-2010

[. . . ] novdocx (en) 19 February 2010 AUTHORIZED DOCUMENTATION SSL VPN Server Guide Novell® 3. 1 SP1 March 17, 2010 Access Manager www. novell. com Novell Access Manager 3. 1 SP1 SSL VPN Server Guide novdocx (en) 19 February 2010 Legal Notices Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] The protocol can be ANY, UDP, TCP or ICMP. --source (-s): Specifies the IP address of the subnet pool where SSL VPN assigns the IP address to each client in Enterprise mode. NOTE: This field is populated by the Enterprise mode IP address by default. But, you can edit the value in this field if you want to use this field to add iptables SNAT entries for other cases in Kiosk mode such as for full tunneling. 82 Novell Access Manager 3. 1 SP1 SSL VPN Server Guide novdocx (en) 19 February 2010 --destination (-d): This is an optional parameter. You can either specify the host IP address or the destination IP address or specify the IP address and the network mask combination in the following format: <destination>/<SubnetMask> The Network mask should be in the dotted decimal format only. --destination-port (--dport): This is an optional parameter. -j SNAT --to-source (--to): This is a mandatory parameter. Specify a valid IP address of SSL VPN server. Provide additional parameters (Will be appended to command): You can add any other parameters depending on your requirements. But, these parameters will not be validated. The new SNAT entry is displayed in the following format: iptables -t nat -A POSTROUTING -p <Any> s <openVPNSubnetIP> -d <destinationIP> --dport <destinationPort> -j SNAT --to <privateIPSSLVPN> <additional parameters> 6 To save your modifications, click OK, then click Update on the Configuration page. 12. 2. 2 Ordering SNAT Entries You can configure SNAT rules for a user's role. However, the SNAT entries are process based on their order. If you want to change the order of the rules based on their priority, you can click the up or down arrows to move them up or down respectively. Configuring Route and Source NAT for Enterprise Mode 83 novdocx (en) 19 February 2010 84 Novell Access Manager 3. 1 SP1 SSL VPN Server Guide novdocx (en) 19 February 2010 Configuring DNS Servers and Certificates 13 13 Some configurations are common to both the ESP-enabled Novell® SSL VPN and SSL VPN protected by the Access Gateway: Section 13. 1, "Configuring DNS Servers, " on page 85 Section 13. 2, "Configuring Certificate Settings, " on page 86 13. 1 Configuring DNS Servers The DNS servers configured here are pushed to the client from the SSL VPN server during the connection. You can configure DNS servers for Enterprise mode through the Administration Console. The DNS servers can be configured for Kiosk mode either during the installation if you are installing Linux Access Gateway and SSL VPN on the same machine, or by using YaST after the installation. Section 13. 1. 1, "Configuring DNS Servers for Enterprise Mode, " on page 85 Section 13. 1. 2, "Configuring DNS Servers for Kiosk Mode, " on page 86 13. 1. 1 Configuring DNS Servers for Enterprise Mode 1 In the Administration Console, click Devices > SSL VPNs > Edit. The Server configuration page is displayed. 2 Select DNS Server List from the Basic Gateway Configuration section. The DNS server list page is displayed. 3 To configure a DNS server, click New in the DNS server section, specify the IP address of the server, then click OK. 4 To configure a domain, click New in the Domains section, specify the domain name, then click OK. Configuring DNS Servers and Certificates 85 novdocx (en) 19 February 2010 5 To delete a DNS server or a domain, select the check box next to the field and click Delete in the section. 6 To save your modifications, click OK, then click Update on the Configuration page. 13. 1. 2 Configuring DNS Servers for Kiosk Mode The DNS servers can be configured for Kiosk mode either during installation or by using YaST The configuration procedure is dependent on whether you have installed SSL VPN and the Linux Access Gateway on the same machine or on separate machines. NOTE: You must configure the DNS server for both Kiosk mode and Enterprise mode. [. . . ] Action: In the Administration Console, select Devices > Access Gateways > Edit > Reverse Proxy > Proxy List > Path-Based Multi-Homing > HTTP Options. Select the Allow Pages to Be Cached by the Browser check box. 31. 11 Multiple Instances of SSL VPN Are Running If you get this error while trying to connect to SSL VPN, it could be because there was an improper logout in the previous session and some of the processes did not close properly. Verify if any of the SSL VPN processes are running. For more information on how to verify, see Section 31. 6, "Verifying SSL VPN Components, " on page 163. [. . . ]