Some networks only allow outbound traffic on ports 80 and 443 and nothing else; hotel guest networks are a common example. What if your Sales VP is onsite with a customer and needs to retrieve a presentation they forgot? Do you think the customer would be nice enough to open some ports for them, just for a little while?
- Current configuration: Linux Access Gateway (a NetWare Access Gateway should be similar)
- All servers are Linux: SUSE 9 and 10
This is the scenario I used at my organization:
Figure 1 - Access Gateway configuration
Refer to Chendil Kumar's article on SSLVPN scenarios based on port 443:
Myth about TCP Port 443 and Novell Access Manager 3.0 SSLVPN
Here are the steps I followed:
1. Log in to the Administration Console (modified iManager).
Figure 2 - iManager Admin Console
2. Expand Access Manager and select Identity Servers.
Figure 3 - Selecting Identity Servers
3. On the right, click Edit.
Figure 4 - Editing Identity Servers
4. Change the port within the Base URL from the default of 8443 to 443 and click Apply.
No, it's not that easy - there are a few more steps and a couple of gotchas to watch out for. Pay close attention to this popup - gotcha #1. We'll take care of it later.
Figure 5 - Warning pop-up
5. Click OK.
Figure 6 - Identity Servers warning
6. Click Update All to complete the Identity Server changes.
7. Select Access Gateways on the left.
Figure 7 - Access Gateways
8. Click Update to update the Access Gateways.
Now that the configuration has been updated, we need to re-import the metadata from the IDP (Identity) server into the Access Gateways. Why? The Identity Server publishes metadata whose endpoint URLs are built from its Base URL, and the Access Gateway imported a copy of that metadata when the trust was first set up. Changing the port changes those URLs, so the Access Gateway's copy no longer matches and the trust relationship between the services "breaks" until it is re-established. If you stop here and test connecting, you could very well get a 100101044 error.
9. Click Edit on the Access Gateway.
Figure 8 - Editing Access Gateway Servers
10. Click Reverse Proxies/Authentication.
Figure 9 - Server Configuration
11. Click the dropdown list next to Identity Server Configuration and select None.
Figure 10 - Reverse Proxy Authentication
12. Click OK and then Update on the Access Gateway AND on the Identity Server.
One habit I have developed with NAM is that whenever I change ANYTHING and apply it, I check out ALL of the services to ensure none of them are waiting for an "Update".
13. Once the Updates are complete, click Edit on the Access Gateway.
14. Click Reverse Proxies/Authentication.
15. Change the Identity Server Configuration back to your [IDP Config].
16. Click OK and then Update on the Access Gateway AND on the Identity Server.
17. To check whether the re-import update completed successfully, select the Identity Servers and click Edit.
18. Click the Liberty tab on the top and then select Trusted Providers.
Figure 11 - Trusted Providers
You should see your Access Gateway listed under Service Providers.
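Before re-importing, it helps to see exactly what goes stale. The following is an added example, not code from the original article or from Novell: it parses a Liberty ID-FF metadata document of the kind the Identity Server publishes and lists every endpoint URL whose port does not match the new Base URL port. The host name, paths and the sample document are constructed for illustration; the element names follow the Liberty ID-FF 1.2 metadata schema.

```python
"""Audit Identity Server metadata for endpoints still on the old Base URL port.

Added example, not part of the original article. Assumptions: the IDP
publishes Liberty ID-FF metadata whose endpoint elements hold absolute
URLs; the sample document below is constructed (host and paths are
placeholders, not real NAM values).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Liberty ID-FF 1.2 metadata elements whose text content is an absolute URL.
URL_ELEMENTS = {
    "SoapEndpoint",
    "SingleSignOnServiceURL",
    "SingleLogoutServiceURL",
    "SingleLogoutServiceReturnURL",
    "FederationTerminationServiceURL",
    "FederationTerminationServiceReturnURL",
    "RegisterNameIdentifierServiceURL",
    "RegisterNameIdentifierServiceReturnURL",
}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def effective_port(url):
    """Port a URL actually uses, applying the scheme default when none is given."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def find_stale_endpoints(metadata_xml, expected_port):
    """Return (element_name, url) for every endpoint not on expected_port."""
    root = ET.fromstring(metadata_xml)
    stale = []
    for elem in root.iter():
        if local_name(elem.tag) in URL_ELEMENTS and elem.text:
            url = elem.text.strip()
            if effective_port(url) != expected_port:
                stale.append((local_name(elem.tag), url))
    return stale


# Constructed sample: the Base URL was moved to 443, but the copy of the
# metadata held by an Access Gateway still carries 8443 on two endpoints.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:liberty:metadata:2003-08"
    providerID="https://idp.example.com/nidp/idff/metadata">
  <md:IDPDescriptor protocolSupportEnumeration="urn:liberty:iff:2003-08">
    <md:SoapEndpoint>https://idp.example.com/nidp/idff/soap</md:SoapEndpoint>
    <md:SingleLogoutServiceURL>https://idp.example.com:8443/nidp/idff/slo</md:SingleLogoutServiceURL>
    <md:SingleSignOnServiceURL>https://idp.example.com:8443/nidp/idff/sso</md:SingleSignOnServiceURL>
  </md:IDPDescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, url in find_stale_endpoints(SAMPLE_METADATA, 443):
        print(f"stale endpoint {name}: {url}")
```

Run it against the metadata the Access Gateway actually holds (or the document the Identity Server serves) with the port you just configured; an empty result after the re-import is the condition you want.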
Now for the test. Test from outside your network, ideally from a connection that only permits 80 and 443 outbound, since that is exactly the situation this change is meant to handle.
1. Open a browser and enter the URL for your SSLVPN:
2. If your organization doesn't allow for ActiveX, then change the URL to
You should see the following login screen:
Figure 12 - NAM Login screen
3. Log in (depending on your Identity Store).
Figure 13 - Logging in with SSLVPN
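A browser hides the detail that matters here: whether the login flow ever sends the client to port 8443. The following is an added example, not from the original article or from Novell: it checks reachability of 443 and 8443 from wherever it is run and inspects a raw HTTP redirect for a Location header on the old port. The host name, paths and the two captured responses are constructed placeholders.

```python
"""Probe the SSLVPN entry point the way a restricted guest network sees it.

Added example, not from the original article. Assumptions: host names and
paths are placeholders; the two HTTP responses are constructed to show a
redirect that would fail behind an 80/443-only firewall and one that works.
"""
import socket
from urllib.parse import urlsplit


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host):
    """Reachability of the two ports this article is about, from this vantage point."""
    return {p: port_open(host, p) for p in (443, 8443)}


def status_code(response):
    """HTTP status code from the first line of a raw response."""
    first = response.split("\r\n", 1)[0]
    return int(first.split(" ", 2)[1])


def redirect_target(response):
    """Location header value of a raw HTTP response, or None if absent."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def redirects_to_port(response, port):
    """True if the response is a 3xx whose Location explicitly uses the given port."""
    target = redirect_target(response)
    if target is None or not 300 <= status_code(response) < 400:
        return False
    return urlsplit(target).port == port


# Constructed responses: the first is what a component still holding the
# old Base URL would produce; the second is what you want to see.
BAD_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                "Location: https://idp.example.com:8443/nidp/app\r\n"
                "Content-Length: 0\r\n\r\n")
GOOD_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                 "Location: https://idp.example.com/nidp/app\r\n"
                 "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("exposure:", exposure_report("idp.example.com"))
    for label, resp in (("bad", BAD_REDIRECT), ("good", GOOD_REDIRECT)):
        print(label, "sends client to 8443:", redirects_to_port(resp, 8443))
```

From a network that blocks 8443 outbound you expect `{443: True, 8443: False}` and no redirect flagged; if a redirect to 8443 appears, one of the components is still carrying the old Base URL and the Update/re-import steps above were not completed.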
You can edit the home page to suit your organization's needs. The file is located on the server you installed SSLVPN in this directory:
Novell Access Manager 3.0.1 is a bit tricky for those who are unfamiliar with protected resources and iChain. It has some real improvements over iChain, and if you already know iChain, migrating is easier than learning iChain was in the first place.
If you are new to this product, I strongly suggest the Digital Airlines examples. They walk through a basic setup you can build in a lab and explain the what and why of the product's configuration.
You can find it here:
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.