
SSL VPN Server Guide
Access Manager 4.0
November 2013

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2013 NetIQ Corporation and its affiliates. All Rights Reserved.

For information about NetIQ trademarks, see https://www.netiq.com/company/legal/.

Contents

About NetIQ Corporation . . . 7
About This Book and the Library . . . 9

1 Overview of SSL VPN . . . 11
  1.1 SSL VPN Features . . . 11
  1.2 Traditional and ESP-Enabled SSL VPNs . . . 14
    1.2.1 ESP-Enabled SSL VPN . . . 14
    1.2.2 Traditional NetIQ SSL VPN . . . 15
    1.2.3 High-Bandwidth and Low-Bandwidth SSL VPNs . . . 16
  1.3 SSL VPN Client Modes . . . 16
    1.3.1 Enterprise Mode . . . 17
    1.3.2 Kiosk Mode . . . 19

2 Basic Configuration for SSL VPN . . . 21
  2.1 Configuring Authentication for the ESP-Enabled NetIQ SSL VPN . . . 21
  2.2 Accelerating the Traditional NetIQ SSL VPN . . . 23
    2.2.1 Configuring the Default Identity Injection Policy . . . 23
    2.2.2 Injecting the SSL VPN Header . . . 24
  2.3 Configuring the IP Address, Port, and Network Address Translation . . . 27
    2.3.1 Configuring the SSL VPN Gateway behind NAT or L4 . . . 28
    2.3.2 Configuring the SSL VPN Gateway without NAT or an L4 Switch . . . 30
  2.4 Configuring Route and Source NAT for Enterprise Mode . . . 32
    2.4.1 Configuring the OpenVPN Subnet in Routing Tables . . . 32
  2.5 Configuring DNS Servers . . . 32
    2.5.1 Configuring DNS Servers for the Enterprise Mode . . . 32
    2.5.2 Configuring DNS Servers for the Kiosk Mode . . . 33
  2.6 Configuring Certificate Settings . . . 34

3 Configuring End-Point Security and Access Policies for SSL VPN . . . 37
  3.1 Configuring Policies to Check the Integrity of the Client Machine . . . 38
    3.1.1 Selecting the Operating System . . . 38
    3.1.2 Configuring the Category . . . 39
    3.1.3 Configuring Applications for a Category . . . 40
    3.1.4 Configuring Attributes for an Application . . . 40
    3.1.5 Exporting and Importing Client Integrity Check Policies . . . 44
  3.2 Configuring Client Security Levels . . . 45
    3.2.1 Client Security Levels . . . 45
    3.2.2 Configuring a Security Level . . . 45
  3.3 Configuring Traffic Policies . . . 46
    3.3.1 Configuring Policies . . . 47
    3.3.2 Ordering Traffic Policies . . . 49
    3.3.3 Exporting and Importing Traffic Policies . . . 50
  3.4 Configuring Full Tunneling . . . 50
    3.4.1 Creating a Full Tunneling Policy . . . 50

4 Configuring How Users Connect to SSL VPN . . . 53
  4.1 Preinstalling the SSL VPN Client Components . . . 53
    4.1.1 Installing Client Components for Linux . . . 53
    4.1.2 Installing Client Components for Macintosh . . . 53
    4.1.3 Installing Client Components for Windows . . . 54
  4.2 Configuring Client Policies . . . 54
    4.2.1 Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode . . . 54
    4.2.2 Allowing Users to Select the SSL VPN Mode . . . 56
    4.2.3 Configuring Client Cleanup Options . . . 56
    4.2.4 Configuring SSL VPN to Download the Java Applet on Internet Explorer . . . 57
    4.2.5 Configuring a Custom Login Policy for SSL VPN . . . 58
  4.3 Configuring SSL VPN to Connect through a Forward Proxy . . . 58
    4.3.1 Understanding How SSL VPN Connects through a Forward Proxy . . . 59
    4.3.2 Creating the proxy.conf File . . . 59
  4.4 Configuring SSL VPN for Citrix Clients . . . 60
    4.4.1 Prerequisites . . . 60
    4.4.2 How It Works . . . 61
    4.4.3 Configuring a Custom Login Policy for Citrix Clients . . . 62
    4.4.4 Configuring the Access Gateway to Protect the Citrix Server . . . 62
    4.4.5 Configuring Single Sign-On between Citrix and SSL VPN . . . 63

5 Clustering the High-Bandwidth SSL VPN Servers . . . 65
  5.1 Prerequisites . . . 66
  5.2 Limitations . . . 66
  5.3 Creating a Cluster of SSL VPN Servers . . . 66
    5.3.1 Creating a Cluster of SSL VPN Servers . . . 67
    5.3.2 Adding an SSL VPN Server to a Cluster . . . 68
    5.3.3 Removing an SSL VPN Server from a Cluster . . . 68
  5.4 Clustering SSL VPN by Using an L4 Switch . . . 69
    5.4.1 Configuring a Cluster of ESP-Enabled SSL VPNs . . . 69
    5.4.2 Configuring a Cluster of Traditional SSL VPNs by Using an L4 Switch . . . 71
  5.5 Clustering SSL VPNs by Using the Access Gateway without an L4 Switch . . . 72
    5.5.1 Configuring the Access Gateway . . . 72
    5.5.2 Installing the Scripts . . . 72
    5.5.3 Testing the Scripts . . . 72
  5.6 Configuring SSL VPN to Monitor the Health of the Cluster . . . 73
    5.6.1 Services of the Real Server . . . 74
    5.6.2 Monitoring the SSL VPN Server Health . . . 75

6 Monitoring the SSL VPN Servers . . . 77
  6.1 Viewing and Editing SSL VPN Server Details . . . 77
  6.2 Enabling SSL VPN Audit Events . . . 78
  6.3 Viewing SSL VPN Statistics . . . 79
    6.3.1 Viewing the SSL VPN Server Statistics . . . 79
    6.3.2 Viewing SSL VPN Server Statistics for the Cluster . . . 81
    6.3.3 Viewing the Bytes Graphs . . . 82
  6.4 Disconnecting Active SSL VPN Connections . . . 82
  6.5 Monitoring the Health of SSL VPN Servers . . . 83
    6.5.1 Monitoring the Health of a Single Server . . . 83
    6.5.2 Monitoring the Health of an SSL VPN Cluster . . . 84
  6.6 Viewing the Command Status of SSL VPN Server . . . 85
    6.6.1 Viewing Command Information . . . 86
  6.7 Monitoring SSL VPN Alerts . . . 87
    6.7.1 Configuring SSL VPN Alerts . . . 87
    6.7.2 Viewing SSL VPN Alerts . . . 88
    6.7.3 Viewing SSL VPN Cluster Alerts . . . 89

7 Additional Configurations . . . 91
  7.1 Customizing SSL VPN User Interface . . . 91
    7.1.1 Customizing the Home Page and Exit Page . . . 91
    7.1.2 Customizing Error Messages . . . 91
    7.1.3 Modifying Help Pages for the Customized Error Messages . . . 92
  7.2 Creating DH Certificates with Different Key Sizes . . . 92
  7.3 Creating a Configuration File to Add Additional Configuration Changes . . . 92

8 Server Configuration Settings . . . 93
  8.1 Managing SSL VPN Servers . . . 93
  8.2 Configuring SSL VPN Servers . . . 95
  8.3 Modifying SSL VPN Server Details . . . 96

A Troubleshooting SSL VPN Configuration . . . 99
  A.1 Successfully Connecting to the Server . . . 100
    A.1.1 Connection Problems with Mozilla Firefox . . . 100
    A.1.2 Connection Problems with Internet Explorer . . . 101
  A.2 Adding Applications for Different Versions of Windows . . . 101
  A.3 The SSL VPN Server Is in a Pending State . . . 102
  A.4 Error: Failed to Fetch CIC Policy from the Server . . . 103
  A.5 SSL VPN Connects in Kiosk Mode, But There Is No Data Transfer . . . 103
  A.6 The TFTP Application and GroupWise Notify Do Not Work in Enterprise Mode . . . 103
  A.7 SSL VPN Does Not Report . . . 103
    A.7.1 Verifying and Restarting JCC . . . 103
    A.7.2 Verifying and Restarting the SSL VPN Server . . . 104
  A.8 Verifying SSL VPN Components . . . 104
    A.8.1 SSL VPN Server . . . 104
    A.8.2 SSL VPN Linux Client . . . 104
    A.8.3 SSL VPN Macintosh Client . . . 105
    A.8.4 SSL VPN Windows Client . . . 105
  A.9 Unable to Contact the SSL VPN Server . . . 105
  A.10 Unable to Get Authentication Headers . . . 105
  A.11 The SSL VPN Connection Is Successful But There Is No Data Transfer . . . 105
  A.12 Unable to Connect to SSL VPN Gateway . . . 106
  A.13 Multiple Instances of SSL VPN Are Running . . . 106
  A.14 Issue with the Preinstalled Enterprise Mode Client . . . 106
  A.15 Socket Exception Error After Upgrading SSL VPN . . . 107
  A.16 SSL VPN Server Is Unable to Handle the Session . . . 107
  A.17 Embedded Service Provider Status Is Red . . . 107
  A.18 Connection Manager Log Does Not Display the Client IP Address . . . 107
  A.19 SSL VPN Full Tunnel Connection Disconnects on VMware . . . 107
  A.20 Clustering Issues . . . 108
    A.20.1 Bringing Up the Server If a Cluster Member Is Down . . . 108
    A.20.2 Bringing Up a Binary If It Is Down . . . 108
    A.20.3 Debugging a Cluster If Session Sharing Doesn’t Properly Happen . . . 108
  A.21 On Windows XP and 7, Loading ActiveX Takes More than Three Minutes to Connect to SSL VPN . . . 109
  A.22 If There Is An Install Log Error, SSL VPN Client In Kiosk Mode Fails To Start . . . 109
  A.23 If ESP SSL VPN Installation Terminates Abruptly, Reinstallation Fails . . . 109


About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk—and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new
In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster
We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software
In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate — day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.

Driving your success is our passion
We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we all succeed.

Our Solutions

- Identity & Access Governance
- Access Management
- Security Management
- Systems & Application Management
- Workload Management
- Service Management

Contacting Sales Support

For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.

Worldwide: www.netiq.com/about netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: [email protected]
Web Site: www.netiq.com

Contacting Technical Support

For specific product issues, contact our Technical Support sp

North and South America: 1-713-418-5555
Europe, Middle East, and Africa: 353 (0) 91-782 677
Email: [email protected]
Web Site: www.netiq.com/support

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, click Add Comment at the bottom of any page in the HTML versions of the documentation posted at www.netiq.com/documentation. You can also email [email protected] We value your input and look forward to hearing from you.

Contacting the Online User Community

Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.

About This Book and the Library

The NetIQ Access Manager SSL VPN uses encryption and other security mechanisms to ensure that data cannot be intercepted and only authorized users have access to the network. Users can access SSL VPN services from any Web browser.

- Chapter 1, “Overview of SSL VPN,” on page 11
- Chapter 2, “Basic Configuration for SSL VPN,” on page 21
- Chapter 3, “Configuring End-Point Security and Access Policies for SSL VPN,” on page 37
- Chapter 4, “Configuring How Users Connect to SSL VPN,” on page 53
- Chapter 5, “Clustering the High-Bandwidth SSL VPN Servers,” on page 65
- Chapter 6, “Monitoring the SSL VPN Servers,” on page 77
- Chapter 7, “Additional Configurations,” on page 91
- Chapter 8, “Server Configuration Settings,” on page 93
- Appendix A, “Troubleshooting SSL VPN Configuration,” on page 99

Intended Audience

This book is intended for Access Manager administrators. It is assumed that you have knowledge of evolving Internet protocols, such as:

- Extensible Markup Language (XML)
- Simple Object Access Protocol (SOAP)
- Security Assertion Markup Language (SAML)
- Public Key Infrastructure (PKI) digital signature concepts and Internet security
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Hypertext Transfer Protocol (HTTP and HTTPS)
- Uniform Resource Identifiers (URIs)
- Domain Name System (DNS)
- Web Services Description Language (WSDL)

Other Information in the Library

The library provides the following information resources:

- NetIQ Access Manager 4.0 SSL VPN User Guide
- NetIQ Access Manager 4.0 Installation Guide
- NetIQ Access Manager 4.0 Setup Guide
- NetIQ Access Manager 4.0 Administration Console Guide
- NetIQ Access Manager 4.0 Identity Server Guide
- NetIQ Access Manager 4.0 Access Gateway Guide

NOTE: Contact [email protected] for any query related to Access Manager SDK.

1 Overview of SSL VPN

The NetIQ Access Manager SSL VPN uses Secure Sockets Layer (SSL) as the underlying security protocol for network transmissions. It uses encryption and other security mechanisms to ensure that data cannot be intercepted and only authorized users have access to the network. Users can access SSL VPN services from any Web browser.

- Section 1.1, “SSL VPN Features,” on page 11
- Section 1.2, “Traditional and ESP-Enabled SSL VPNs,” on page 14
- Section 1.3, “SSL VPN Client Modes,” on page 16

1.1 SSL VPN Features

NetIQ SSL VPN comes with a number of key features that make the product secure, easy to access, and reliable.

Browser-Based End User Access

NetIQ SSL VPN has browser-based end user access that does not require users to preinstall any components on their machines. Users can access the SSL VPN services from any Web browser, from their personal computer, laptop, or from an Internet kiosk.

When users access SSL VPN through the Web browser, they are prompted to authenticate. On successful authentication, a Java applet or an ActiveX control is delivered to the client, depending on the browser. This establishes a secure tunnel between the user’s machine and the SSL VPN server.

Support on Linux, Macintosh, and Windows

The SSL VPN client is supported on Linux, Macintosh, and Windows environments. For a complete list of operating software and browsers that are supported by SSL VPN, see “Client Machine Requirements” in the NetIQ Access Manager 4.0 SSL VPN User Guide.

Support on 64-Bit Clients

The Enterprise mode SSL VPN can be installed on 64-bit client configurations.

High-Bandwidth and Low-Bandwidth Versions

The SSL VPN comes in high-bandwidth and low-bandwidth versions. The default low-bandwidth SSL VPN server is restricted to 249 simultaneous user connections and a transfer rate of 90 Mbits per second because of export restrictions.

If the export law permits, you can install the high-bandwidth SSL VPN RPM to get the high-bandwidth capabilities, because that version does not have connection and performance restrictions. You can order the high-bandwidth SSL VPN key at no extra cost. It is essential to have the high-bandwidth SSL VPN if you want to cluster the SSL VPN servers.

For more information on how to order and install the high-bandwidth SSL VPN, and to upgrade the high-bandwidth version to the latest build, see “Installing the Key for High-Bandwidth SSL VPN” in the NetIQ Access Manager 4.0 Installation Guide.

Traditional and ESP-Enabled Installation

You can install SSL VPN in two ways:

- As an ESP-enabled SSL VPN, which is installed with the Identity Server and the Administration Console.
- As a Traditional SSL VPN, which is installed with the Identity Server, Administration Console, and the Access Gateway.

For more information on these methods, see Section 1.2, “Traditional and ESP-Enabled SSL VPNs,” on page 14.

Enterprise and Kiosk Modes for End User Access

The NetIQ SSL VPN uses both clientless and thin-client access methods. The clientless method is called the Kiosk mode SSL VPN and the thin-client method is called the Enterprise mode SSL VPN.

In the Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this mode, a thin client is installed on the user’s workstation, and the IP Forwarding feature is enabled by default. For more information on Enterprise mode, see Section 1.3.1, “Enterprise Mode,” on page 17.

In the Kiosk mode, only a limited set of applications are enabled for SSL VPN. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not enabled for SSL. For more information on Kiosk mode, see Section 1.3.2, “Kiosk Mode,” on page 19.

As SSL VPN server administrators, you can decide which users can connect in Enterprise mode and which users can connect in Kiosk mode, depending on the role of the user. Or you can let the client select the mode in which the SSL VPN connection is made. For more information on how to do this, see Chapter 4, “Configuring How Users Connect to SSL VPN,” on page 53. Enterprise mode is available to a user who has the administrator right in a Windows workstation or a root user privilege on Linux or Macintosh workstations. If the user does not have administrator rights or root user privileges for that workstation, the SSL VPN connection is made
