18.1 Server Module

The SSL VPN server is made up of a servlet and a server module. By default, the server module is installed on the machine on which the SSL VPN servlet is running, but you can install the server module on a different machine. The servlet communicates with the SSL VPN server over TCP port 2010.

When users access SSL VPN through the Web browser, they are prompted to authenticate. The identity information provided by the user is exchanged between the Access Gateway and the SSL VPN server. On successful authentication, a Java agent or an ActiveX agent is delivered to the client, depending on the browser. This agent establishes a secure tunnel between the user’s machine and the SSL VPN server.


18.1.1 SSL VPN Modes

The Novell Access Manager SSL VPN is available in two modes: the Enterprise mode and the Kiosk mode. Which mode is available depends on whether you have administrator rights on a Windows workstation or root privileges on a Linux or Macintosh workstation, or whether you are a user without administrator rights or root privileges.


Kiosk Mode

In the Kiosk mode of SSL VPN, only a limited set of applications are enabled for SSL VPN. A user without administrator or root access can connect to SSL VPN in the Kiosk mode. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not SSL-enabled.

The Kiosk mode supports TCP and UDP applications only. This mode is better suited for machines that are not managed by an organization, such as home computers and computers in Web browsing kiosks.

Enterprise Mode

You can access SSL VPN in the Enterprise mode if you have admin or root user access to the workstation, if you know the admin or root user credentials, or if you have preinstalled the client components on the workstation.

In Enterprise mode, all applications, including those on the desktop and the toolbar, are SSL-enabled, regardless of whether they were opened before or after connecting to SSL VPN. In this approach, a thin client is installed on your workstation. This thin client takes care of the administrator activities required for the Enterprise mode of SSL VPN. In the Enterprise mode, the IP Forwarding feature is enabled by default.

The Enterprise mode is recommended for devices that are managed by an organization, such as a laptop provided by the organization for its employees. The Enterprise mode of SSL VPN supports the following:

  • Protocols such as TCP, UDP, ICMP, and NetBIOS.

  • Applications that open TCP connections on both sides, such as VoIP and FTP.

  • Enterprise applications such as CRM and SAP.

  • Applications such as Windows File Sharing systems, the Novell Client™ and Novell SecureLogin.

18.1.2 How SSL VPN Protects Resources

The following figure shows the Novell Access Manager components and the process involved in establishing a secure connection between a client machine and an SSL VPN server:

Figure 18-1 How SSL VPN Functions

  1. The user specifies the following URL to access the SSL VPN server:

    https://<www.ag.novell.com>/sslvpn/login

    Here, <www.ag.novell.com> indicates the DNS name of the Access Gateway that accelerates the SSL VPN server, and /sslvpn/login indicates the path of the SSL VPN server.

  2. The Access Gateway redirects the user to the Identity Server for authentication, because the URL is configured as a protected resource.

  3. The Identity Server authenticates the user’s identity.

  4. The Identity Server propagates the session information to the Access Gateway through the Embedded Service Provider.

  5. The Access Gateway injects the SSL VPN policy for that user into the SSL VPN servlet. The SSL VPN servlet processes the parameters and sends the policy information back to the Access Gateway.

  6. The SSL VPN checks whether the client machine meets the required security constraints. For more information on client integrity checks, see Section 20.2, Configuring Client Integrity Check Policy to Protect the Internal Network.

    1. In Enterprise mode, a tunnel interface is created and is bound with the tunnel IP address assigned by the SSL VPN server. A secure tunnel is established between the client machine and the SSL VPN server and the routing table is updated with the protected network configuration.

    2. In Kiosk mode, a secure tunnel is established between the client machine and the SSL VPN server and the protected network configuration is pushed to the client.

  7. When the user accesses the applications behind the protected network, the connection goes through the secure tunnel formed with the SSL VPN server and not through the Access Gateway.

  8. The browser must stay open for the duration of the SSL VPN connection so that the keep-alive packets can pass through the Access Gateway.

  9. When the user clicks the logout button to close the SSL VPN session, all the client components are automatically uninstalled from the workstation.
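Step 2 of the flow above only holds if the Access Gateway really treats the login URL as a protected resource. The following added example (not part of the Novell documentation) checks that an unauthenticated request for /sslvpn/login is redirected to the Identity Server instead of being answered by the SSL VPN servlet directly. The Access Gateway name is the placeholder from the URL above, the Identity Server host name is an assumption, and it assumes the first redirect lands on the Identity Server host; if the gateway's Embedded Service Provider redirects through its own host first, follow that hop before classifying.

```python
"""Verify that /sslvpn/login is a protected resource on the Access Gateway.
Added example; host names below are placeholders, not values from a deployment."""
from urllib.parse import urlparse
import urllib.error
import urllib.request

AG_HOST = "www.ag.novell.com"     # placeholder Access Gateway name from the documentation
IDP_HOST = "idp.example.com"      # assumed Identity Server host name
LOGIN_PATH = "/sslvpn/login"      # path of the SSL VPN servlet behind the gateway


def classify_login_response(status, location, idp_host=IDP_HOST):
    """Classify the answer to an unauthenticated GET of the login URL.

    Returns 'protected' (redirected to the Identity Server over https),
    'unprotected' (the servlet answered without authentication) or
    'unexpected' (anything else, including redirects to a foreign host).
    """
    if status in (301, 302, 303, 307) and location:
        target = urlparse(location)
        if target.scheme == "https" and target.hostname == idp_host:
            return "protected"
        return "unexpected"   # redirect, but not to the Identity Server
    if status == 200:
        return "unprotected"  # login page served without an authentication hop
    return "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect so the first hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_live(ag_host=AG_HOST, idp_host=IDP_HOST):
    """Issue the request from step 1 of the flow and classify the first response."""
    url = "https://%s%s" % (ag_host, LOGIN_PATH)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        return classify_login_response(resp.status, resp.headers.get("Location"), idp_host)
    except urllib.error.HTTPError as err:
        # With redirects not followed, a 3xx surfaces here as an HTTPError.
        return classify_login_response(err.code, err.headers.get("Location"), idp_host)


if __name__ == "__main__":
    print(check_live())
```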

18.1.3 Configuring the SSL VPN Servers

SSL VPN servers are auto-imported into the Administration Console during installation. You can use the SSL VPNs page in the Administration Console to view information about the current status of all SSL VPN servers and to configure the SSL VPN servers.

When you click the SSL VPNs link in the Administration Console, the following page appears:

The SSL VPN configuration page

The following server information is displayed:

  • Name: Displays a list of servers added to Administration Console. Click the particular server to view or modify its configuration. For more information, see Section 21.5, Modifying SSL VPN Server Details.

  • Status: Indicates the configuration status of the SSL VPN server. Possible states are pending, update, and current. Current indicates that all configuration changes have been applied. Update indicates that a configuration change has been made, but not applied. Click this link to apply the changes. Depending upon what has been modified, updating the complete configuration might cause logged-in users to lose data and lose their connection. Pending indicates that the server is processing a configuration change, but has not completed the process.

  • Health: Indicates whether the server is functional. Click the icon to view additional information about the operational status of the server. For more information, see Section 34.5, Monitoring the Health of an SSL VPN Server.

  • Alerts: Indicates if any alert was sent. This option is not available to you if the alert count is 0. For more information, see Section 36.3, Monitoring SSL VPN Alerts.

  • Commands: Indicates the status of commands issued to all servers. For more information, see Section 35.3, Viewing Command Status of the SSL VPN Server.

  • Statistics: Indicates the number of active client connections and the time when the server was started. Click View to get the statistics information. For more information, see Section 33.3, Viewing SSL VPN Statistics.

  • Configuration: Click Edit in the Configuration column of the SSL VPNs page to view and modify the configuration of the SSL VPN server. This page specifies the date and time when the last modification was made and lists the full distinguished name of the user who made the last modification. For more information, see Section 19.0, Configuring Basic Setup.