Creating Temporary Security Access for NAM 3 using Roles
Novell Cool Solutions: Feature
By Michael Faris
Posted: 3 Oct 2007
Once in a while, you'll have a need for an application vendor to access a server on the inside of your network to troubleshoot or fix a problem. At the same time, you don't want them to access other servers or resources. To achieve this, you can create reverse proxies and roles to restrict them to specific resources.
Here are the basic steps:
- Create an additional IP for external access.
- Create a new Reverse Proxy.
- Create and configure new Roles.
- Activate new Roles.
Step 1: Create an additional IP for external access
1. Log in to the Administration Console.
2. Select Access Gateways and click Edit.
Figure 1 - Access Gateways
3. Under Network Settings > Adapter List, select the interface to which you want to add the IP address.
4. Click New and enter the subnet mask and new IP address.
Figure 2 - Modifying the subnet
5. Click OK and Update your configuration.
6. Add an A record to your external DNS for this IP. We'll use vendors.myorg.com.
Step 2: Create a new Reverse Proxy
1. Select the Access Gateway again and click Edit.
2. Click Reverse Proxy / Authentication.
Figure 3 - Reverse Proxies / Authentication
3. Click New and enter the name of the new proxy: VNDR
Figure 4 - Adding "VNDR"
Figure 5 - "VNDR" added
4. Ensure there is a check mark beside the new IP address we created earlier.
5. Select Enable SSL between Browser and Access Gateway.
6. Under Proxy Service List, click New and define the new listener.
Figure 6 - Defining the new proxy listener
7. Enter the following information:
- Name of the proxy
- DNS name you gave the new IP Address
- IP address of the web server to which you want to send the users
8. Select Forward Received Host Name.
9. Click OK to update your configuration.
Step 3: Create New Roles and Policies
Now let's add a new policy to send this data to the browser.
1. Click Policies.
Figure 7 - Policy list
These are the existing policies you have created.
2. Click New.
3. Call this policy "vendor" and select Identity Server: Roles for the Type.
Figure 8 - Naming the policy
4. Click OK.
5. On this screen define the policy.
Figure 9 - Edit Policy screen
6. Enter a description for this Rule, if you want.
7. Click New and define the Condition:
- LDAP Group - Browse to your LDAP store and select the Group to be used for this access.
- LDAP Group - Is Member of
- LDAP Group - Current
- Result: False
- Activate Role: vendor
Now we need to add the authorization part of the Role.
1. On the Policy screen, click New and create an Authorization policy. Because this is an Authorization policy, I always prefix the name with an A.
Figure 10 - "A_vendor" policy
Figure 11 - Edit Policy for "A_vendor"
2. Select Access Gateway: Authorization for the type.
3. Click New and define the Condition:
- Select "If Not" as shown.
- Select Roles for Current User
- Comparison: String Equals
- Mode: Case Insensitive
- Value: Roles - type the role you created - vendor
- Result: False
- Actions: Do: Deny - Deny Message - "You do not have Vendor Authorized Access to this site"
4. Click OK to save, and Update your Configuration.
5. Create an additional Authorization Policy identical to the one above, except select "If" instead of "If Not". Assign this policy to your other resources so that members of the vendor group are denied access to them.
6. Assign this Policy to the Reverse Proxy.
7. Select Access Gateways > Edit.
8. Choose the Reverse Proxy that you created - VNDR
9. Select the first Proxy Service in the list and click the Protected Resources tab.
10. Select the Protected Resource that will have this policy assigned.
11. Place a check in the box and click Enable.
Figure 12 - Enabling resources
12. Click OK and Update your Access Gateway.
Step 4: Activate your New Role
1. Select Identity Servers and click Edit.
2. Click Roles under General and enable "Vendor". This is very important: if you miss this step, the protected resource will be useless and everyone will get a 403 Forbidden error.
Figure 13 - Enabling "Vendor"
3. Click Apply and Update All.
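To check the policy logic from Steps 3 and 4 before relying on it, here is an added Python model of the role-assignment and authorization decisions. It is not Access Manager code and is not part of the original article; the LDAP group DN, user names and the deny message for non-vendor resources are constructed assumptions.

```python
# Added model of the NAM 3 policies described in Steps 3 and 4. This is not
# Access Manager code; it reproduces the decision logic so the two Authorization
# policies and the "role not enabled" failure mode can be checked offline.

# Constructed sample data: the group DN and membership are placeholders.
VENDOR_GROUP = "cn=vendors,ou=groups,o=myorg"
LDAP_MEMBERSHIP = {
    "vendor1": {VENDOR_GROUP},   # member of the vendor group
    "employee1": set(),          # ordinary internal user
}

DENY_VENDOR_SITE = "You do not have Vendor Authorized Access to this site"
DENY_OTHER_SITE = "Vendor accounts may not access this resource"  # constructed


def assign_roles(user, enabled_roles):
    """Identity Server role policy 'vendor': LDAP Group / Is Member Of ->
    Activate Role 'vendor'. A role the Identity Server has not enabled
    (Step 4) never reaches the Access Gateway, so it is filtered out here."""
    roles = set()
    if VENDOR_GROUP in LDAP_MEMBERSHIP.get(user, set()):
        roles.add("vendor")
    enabled = {r.lower() for r in enabled_roles}   # assumed case-insensitive
    return {r for r in roles if r.lower() in enabled}


def authorize(resource, roles):
    """Access Gateway authorization for one protected resource.
    'A_vendor' (If Not Roles == vendor -> Deny) is assigned to the VNDR
    reverse proxy; its mirror (If Roles == vendor -> Deny) is assigned to
    every other resource. The string comparison is case-insensitive."""
    has_vendor = any(r.lower() == "vendor" for r in roles)
    if resource == "VNDR":
        return (True, "") if has_vendor else (False, DENY_VENDOR_SITE)
    return (False, DENY_OTHER_SITE) if has_vendor else (True, "")


def decide(user, resource, enabled_roles=("Vendor",)):
    """Full decision: roles from the Identity Server, then the gateway policy."""
    return authorize(resource, assign_roles(user, enabled_roles))


if __name__ == "__main__":
    for enabled in (("Vendor",), ()):
        print("enabled roles:", enabled or "none")
        for user in LDAP_MEMBERSHIP:
            for resource in ("VNDR", "intranet"):
                allowed, reason = decide(user, resource, enabled)
                print(f"  {user:10} {resource:9} {'allow' if allowed else 'deny'} {reason}")
```

Run it with the role disabled and every VNDR row is denied, which is the 403-for-everyone failure Step 4 warns about; in this model the mirror policy on the other resources also stops firing, so the role must be enabled for both policies to do their job.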
You can add additional resources to this Reverse Proxy for the various vendors that need to fulfill support contracts. If your LDAP store is eDirectory, you can simply disable their accounts when not needed.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com