AppNote: A Rough Guide to Accelerating Virtual Office through iChain.
Novell Cool Solutions: AppNote
By Mark Russell
Posted: 27 May 2005
This article describes a basic configuration to get you started with iChain and make Virtual Office available outside of your network. It is an amalgam of knowledge pulled from TIDs and manuals as I learn my way around the product. I would encourage feedback and constructive criticism from readers, but if you can get through this article you will at the very least have your Virtual Office available on a secure connection to the outside world.
2. Assumed Knowledge
This article assumes you are familiar with webserver configuration and deployment, particularly with respect to port configuration. It's not strictly necessary for VO, but it will be if you want to accelerate other internal resources. I am also going to assume that the reader has some basic DNS knowledge, and is familiar with firewall configuration and NAT - or at least can find somebody who is. The biggest assumption of all is that you've already got Virtual Office working internally. I have neither the patience nor the strength in my fingers to cover the Virtual Office installation as well!
3. Software and Hardware configurations
- Operating system: NetWare 6.5 sp3
- eDirectory: version 188.8.131.52
- iManager: version 2.01 (required - 2.5 doesn't have the VO admin plug-ins)
- iChain: version 2.3.1 (90 day trial version)
- Webservers: All Apache2 based.
- Hardware: I'm using a Pentium IV PC with 1GB RAM and 2 x 100MB/s network cards (3 is preferable - see later)
4. Definitions and abbreviations used in this article
- Accelerator: the configuration which allows access to browser based resources via iChain
- Origin Webserver: the internal resource (intranet, Virtual office etc) that you want to access via iChain
- ISO: iChain Service Object
- ACL: Access Control List
- C1: ConsoleOne
- Caffeine: The elixir of life!
- Install iChain authorisation server and extend schema (iChain CD 2 - self explanatory install); install C1 snap-ins
- Register relevant hostnames in external DNS - I'm multi-homing my websites and therefore have 5 domains resolving to a single IP address
- Poke NAT hole in Firewall or configure DMZ or whatever your security involves
- Boil the kettle, get the Coffee Machine going and avail yourself of a suitable supply of snack products. I would strongly recommend you put a big "Do Not Disturb Under Pain of Small Arms Fire" sign on your door.
6. iChain server install
- Install 3 network cards into the iChain server. One external, one internal, and for added security, the 3rd on a separate subnet for access to the iChain configuration utility (as recommended by Novell, but not strictly necessary)
- Insert bootable iChain Server CD and follow prompts (yes it's that easy!)
- Assuming the server builds okay, perform the following commands (the unlock password is blank by default and the eth0 address should be configured to your own subnet)
unlock
set eth0 address = 10.x.x.x/255.255.0.0
- Browse to http://<ipaddress>/appliance/config.html where <ipaddress> is the address from which you will be administering the device; either the internal address of the iChain server, or the IP address of the third network card as mentioned in 6.1
- Log in as "Config" (the default password is blank), select System from the side menu bar and configure the time zone, date/time and Admin ACL to suit.
- Select Actions to configure passwords for the View and Configure logins
- Select Network. Configure the IP addresses and masks of your ethernet cards and your DNS servers as per your own network configuration and configure your default gateway and DNS proxy (if any) to suit. For the appliance domain name I'm using ichain.mydomain.com.
- Select Configure and choose which IP address the mini-ftp server runs on. You need this to be on the same subnet that you'll be running ConsoleOne from
- Press Apply to save all your changes.
7. iChain service object (ISO) install (in ConsoleOne)
- I've made a separate OU called "iChain" where I can keep all my ACLs, the ISO and the Trusted Root Certificate container
- Assuming you've got the relevant snap-ins installed (see 5.1), click the New iChain Object button and select iChain Service object
- On the General tab of the ISO properties, browse through eDirectory to your trusted root container. This is only necessary if you are going to use secure communication between iChain and the origin web servers.
Note - to set up a Trusted root container, see section 12 of this document.
Important Note - There is a Schema Conflict between the iChain and BorderManager ACL attributes which will cause problems in ConsoleOne and prevent your accelerators from working properly. Please read more in this TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10067543.htm
You can download the Schema repair utility from here: http://support.novell.com/servlet/filedownload/uns/ftf/ic23scma.exe/
8. Basic iChain Accelerator Config
- Go to Configure and select the Web Server Accelerator tab
- Click Insert to create a new accelerator and give your accelerator a name - e.g. "Intranet"
- The DNS Name is the external hostname of the internal server you're trying to accelerate - e.g. portal.mydomain.com or intranet.mydomain.com
- Cookie Domain should automatically complete with mydomain.com
- Accept the default Alternate host name and complete with the iChain appliance domain name from 6.7: ichain.mydomain.com
- On the right hand side under Web Server Addresses click Insert and enter the IP address of the internal web server you are accelerating (you can also change the port if it's not on port 80. Don't worry about secure stuff we'll come to that later - this is a basic config to get you started)
- Select the accelerator IP address. If you're making internal services available externally (which we are doing) then you need to tick the external IP address. If you're accelerating an internal webserver internally (to take advantage of secure Access control lists, for example), select the internal IP address.
- Click Apply
9. Basic Authentication setup
- Go to Configure and select Authentication
- Click Insert and give your profile a name and select the authentication mechanism. I'm using LDAP so this guide will also use LDAP!
- Select the LDAP radio button and click LDAP Authentication Options
NOTE: If you want to use unsecured LDAP access, you will need to go to the properties of the LDAP group in eDirectory and ensure that the Require TLS for simple binds with password check box is OFF. With that box off, bind passwords travel between iChain and the LDAP server in clear text. But - ya know - use secure LDAP, it's more - um - secure (note this example is unsecured)
- Enter your LDAP server address
- Complete the LDAP username. I've created a default user that has nothing more than "read" property rights to the tree. Enter in LDAP format - e.g. cn=ldapuser,ou=mycontainer,o=myorganisation
- Select the LDAP login method. Because I'm simple I'm using the Search on a Single Attribute option, which does mean that you have to configure each context separately. This suits me, so in my case the LDAP search base list consists of all the LDAP contexts I wish to grant access to
- Click OK and Apply
10. Authenticating to your accelerator
- You may not require authentication, but here's an example of how to set it up. Go back to the Web Server Accelerator tab, select your accelerator and click Modify
- Click the Enable Authentication check box and click Authentication Options
- Leave everything blank but select the authentication profile you've just created and click Add (You see where this is going now!? individually configurable webserver authentication! yay!)
- Go back to the properties of your ISO in ConsoleOne and on the Protected Resources tab, click the + button to define your resource.
- Give it a name (I use the same name as the authentication profile for ease of reference) and add the domain name of the webserver you're accelerating. If it's going to be external then it will be of the format accelerator.mydomain.com/* (/* is important!)
- Choose which form of authentication the service requires:
- None No authentication required.
- Restricted Anybody with an eDirectory account can authenticate, subject to the authentication profile defined above
- Secure Must have an eDirectory account, be part of the authentication profile, and be part of the requisite Access Control List (which we'll get to in a moment!)
11. Access Control Setup
- From the iChain proxy config applet select Configure and Access Control
- Enter the LDAP name of the ISO you created above. e.g. - cn=myichainISO,ou=myichaincontainer,o=myorganisation
- Enter your LDAP user and server address; click Ok and Apply
- To create an Access Control Rule in ConsoleOne, select your context and choose the iChain Access Control Rule option from the iChain object creation button
- In the properties of the ACL, go to the Access Control Tab and configure your allowed and excluded URLs
We could be here forever explaining ACLs and their various combinations so I won't go into it here. The iChain manual is pretty good for this - it's pretty straightforward if you think about it but remember you're defining *relative* URLs using a URL "postfix". The Resource Name is the name defined in your ISO (see section 10.4) and the Postfix is the relative URL after that. If your Intranet Resource is defined as intranet.yourdomain.com and you want to apply an ACL to intranet.yourdomain.com/files/secret.html then your URL postfix is /files/secret.html
- Note you may of course have to define multiple ACLs for different pages on the same website.
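A simplified model of the three authentication levels from section 10 and the Resource Name / postfix split described above, added here as an example for planning and reviewing ACLs; it is not iChain code. The matching rules (longest prefix wins, `/*` as a wildcard), the "Portal" resource and the user DNs are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str    # Resource Name on the ISO's Protected Resources tab
    url: str     # e.g. "intranet.yourdomain.com/*"
    level: str   # "None", "Restricted" or "Secure"

@dataclass(frozen=True)
class AclRule:
    resource: str        # Resource Name the rule applies to
    postfix: str         # relative URL, e.g. "/files/secret.html"
    members: frozenset   # user DNs granted access (constructed)

def split_url(url, resources):
    """Map a full URL to (Resource, postfix); longest prefix wins (assumption)."""
    bare = url.split("://", 1)[-1]
    best = None
    for res in resources:
        prefix = res.url[:-2] if res.url.endswith("/*") else res.url
        if bare == prefix or bare.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[1]):
                best = (res, prefix)
    if best is None:
        return None
    return best[0], bare[len(best[1]):] or "/"

def postfix_matches(pattern, postfix):
    """Exact match, or prefix match when the pattern ends in /* (assumption)."""
    if pattern.endswith("/*"):
        return postfix == pattern[:-2] or postfix.startswith(pattern[:-1])
    return postfix == pattern

def decide(url, user, resources, rules):
    """user is the authenticated DN, or None before login."""
    hit = split_url(url, resources)
    if hit is None:
        return "unlisted"          # no protected resource covers this URL
    res, postfix = hit
    if res.level == "None":
        return "allow"             # no authentication required
    if user is None:
        return "login"             # Restricted and Secure both need a login
    if res.level == "Restricted":
        return "allow"             # any account in the authentication profile
    for rule in rules:             # Secure: an ACL must also grant the URL
        if rule.resource == res.name and user in rule.members \
                and postfix_matches(rule.postfix, postfix):
            return "allow"
    return "deny"

# Constructed sample data, reusing the hostnames from the text.
RESOURCES = [Resource("Portal", "portal.mydomain.com/*", "Restricted"),
             Resource("Intranet", "intranet.yourdomain.com/*", "Secure")]
RULES = [AclRule("Intranet", "/files/secret.html",
                 frozenset({"cn=boss,o=myorganisation"}))]
```

Running `decide` over every URL you intend to publish shows which ones end up reachable without a login or without an ACL before you enter the rules in ConsoleOne.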
12. Configuring a Trusted Root
- First we need to get a trusted Root Certificate. You may have other options but in my case, I exported my own certificate authority to a text file. Go to the properties of your CA in your security container, select Certificates > Export and follow the defaults - save the certificate to your hard drive.
- Choose the context where you are going to keep your trusted root. For convenience, I keep mine in the same container as all my other iChain objects.
- Click New Object and select NDSPKI:Trusted Root to create a new Trusted Root container and give it a name.
- Select the container and then click New Object again - select NDSPKI:Trusted Root Object (you don't have much choice since it's the only thing on the list!)
- Name the object and then either paste the certificate or read it from the file you just exported in step 12.1; click Finish. You can now use this to complete the Trusted Root Container property of your ISO
Right - that's the basic setup defined - have a play and see what you can do. I have not covered secure communication between origin webserver and iChain proxy but this will come in the next bit. I'm going to cover a basic Virtual Office acceleration based on my own setup. Clearly yours may differ slightly but I have neither the patience nor the available fingers to cover every single permutation (neither, I suspect dear reader, do you!). This is also a great time to fill up Mr. Coffee and grab a sandwich.
14. A Note on multiple webserver accelerators and Secure Exchange
You can configure a bunch of accelerators on the same IP address. I've got 5 at the moment and that's working well. If you want to accelerate hundreds then you need more ethernet cards and more iChain proxies! iChain is quite happy accelerating multiple webservers on the same IP address, but if you are using secure communication between the iChain box and the origin webserver then you must configure different secure ports on the origin webservers you are trying to accelerate. For example, if you have 3 intranets and you want them all to be securely available externally then they must listen on different secure ports. The default is of course port 443, and by default your 3 internal webservers are probably all listening on port 443. If you therefore have 3 internal resources you wish to make available you must use different secure ports (say, 443, 444 and 445) and this must be reflected in the iChain setup.
Alternatively, use multi-homing. iChain can be configured (with some restrictions) to listen on the same secure port for multiple accelerators. This can be enabled by selecting "multi-homing" on the accelerators defined in your Web Server Accelerators config. You can do this by domain name or path name. Again, I'm not going to discuss that here as the ultimate objective of this guide is to accelerate only the Virtual Office - but it's not hard to fiddle about and get it working to your satisfaction. Just bear in mind you may have to change the secure port settings on your origin webservers as mentioned above.
- To enable secure exchange, Modify your accelerator and select the Enable Secure Exchange check box. Click Secure Exchange Options. In here you can specify port numbers and whether or not you want to enable the secure exchange between iChain and the origin Webserver - which requires a trusted root (see section 12)
15. Specific Virtual Office config
- As mentioned before, this article assumes you have VO working internally. It's not hard; just install all the relevant components from your NW6.5 product CD. You need to administer the VO from iManager v2.01 as iManager 2.5 does not have the requisite plug-ins. The version of VO that ships with OES has its own admin utility. I have found that the default installation works quite happily.
Note: For some specific configuration notes on accelerating NetStorage, please see section 16 in this article - it doesn't work through iChain by default.
Note 2: If you log into VO as the admin user, you get an extra link to the iManager gadget, allowing you to manage eDirectory from the comfort of your own bed!
- To create an accelerator for VO, go to the iChain admin GUI, choose the Config menu and select Web Server Accelerator.
- Give your accelerator a name and a DNS name; accept the default cookie domain.
- Select the option to Forward hostname sent by browser to webserver
- Complete the IP address of the VO server and the accelerator IP address.
- Select Enable Authentication and select your authentication profile. See sections 9 and 10 for more on authentication
- Select Enable secure exchange and go to the Secure Exchange options and select the check box marked Enable secure access between the iChain proxy and the origin webserver
- Make sure both sides of the diagram read port 443 (assuming 443 as a default)
- Note that when you select the enable secure access check box you get a message saying "A trusted root must be added to the trusted root container specified by the iChain Service Object" - see section 12 for information about setting up a trusted root.
- That's basically it! Pat yourself on the back and have another coffee
- To access VO internally you would go to http://<servernameoripaddress>/nps/; once your accelerator is configured, to access VO externally you will need to go to http://myhostname.mydomain.com/nps
- Even better, you can change the default web page on your internal VO server to go directly to the VO login. Simply go to https://IPaddressofserver:2200 and you should be given the option to change the default web page to the Virtual Office page. This means you can access your portal through simply http://myhostname.mydomain.com without the "/nps" postfix.
16. Some Specific NetStorage settings for VO settings in iManager
- NetStorage will not accelerate through iChain with its default configuration. You need to make a couple of changes in iManager
- Go to Virtual Office > Services Administration > NetStorage in iManager. Select the Option to Enter a custom URL to Launch NetStorage: and in the box type the internal IP address or DNS host name of the NetStorage server. Note this will be http, not https and make sure there is no postfix to the URL or NetStorage will return a 404 error when you try to access it through iChain.
- In the Optional Settings, configure a Proxy URL and type the name of your VO accelerator - i.e. - check the picture below for an example.
- Some NetStorage installations don't like to upload or download files (regardless of iChain acceleration or not) - refer to the TID in 17.6. The TID refers to a NW6.0 installation but it happens in my 6.5sp3 install as well; I've submitted a bug report to Novell but the main difference between this TID and the 6.5 install is the location of the settings.properties file.
In NW6.5 the correct path is:
SYS:/tomcat/4/WEBAPPS/NETSTORAGE/WEB-INF/CLASSES
Edit the file with WordPad and add the line:
ServerName=<internal ip address of your netstorage server>
It should now read:
ServerProtocol = http://
ServerPort = 80
ServerName = 10.0.0.1
- When mapping drives in NetStorage, I've found it best to use the IP address of the server to which you are mapping: e.g.
MAP ROOT U:=10.0.0.1/VOLUMENAME:DIRECTORY\
Using the DNS name doesn't always work for some reason. No idea why!
17. References and useful TIDs
- iChain 2.3 documentation: http://www.novell.com/documentation/ichain23/index.html
- Virtual Office Documentation: http://www.novell.com/documentation/virtual_office/index.html
- Novell NetStorage Documentation: http://www.novell.com/documentation/nw65/index.html
- How to Accelerate NetWare 6.5 Virtual Office with iChain 2.3: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10092310.htm
- Accelerating NetStorage through iChain Quick start Guide: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080205.htm
- Unable to Upload or Download files in NetStorage: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10070833.htm
- Accelerating iManager through iChain Quick start Guide: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080207.htm
- Accelerating NetWare Remote Manager Quick start Guide: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080151.htm