Novell Access Manager 3.0 SP4 IR4 Readme

October 26, 2009

This Readme describes the fixes and known issues in the Access Manager 3.0 Support Pack 4 Interim Release 4 and provides installation instructions.

1.0 Documentation

The following sources provide information about Novell® Access Manager:

2.0 Installing the 3.0 SP4 IR4 Release

The Novell Access Manager 3.0 SP4 IR4 release contains a patch file for upgrading all components from SP4 or SP4 IR3 to SP4 IR4. When you start the upgrade process to SP4 IR4, you need to upgrade all Access Manager components.

2.1 The Patch File

The patch consists of one file, which can be downloaded from Novell.

The following table lists the files contained in the patch file:

Table 1 Access Manager 3.0 SP4 IR4 Upgrade Files

  Component                                          Purpose              Filename
  -------------------------------------------------  -------------------  ----------------------------------------------------
  Identity Server, Administration Console, SSL VPN   Upgrade or Install   AM_304_SP4_IR4_IdentityServer.tar.gz
  Linux* Access Gateway, SSL VPN                     Upgrade              AM_304_SP4_IR4_lagrpms.tar.gz
  NetWare® Access Gateway                            Upgrade              AM_304_SP4_IR4_NetWareAccessGateway_Upgrade.txt
                                                                          AM_304_SP4_IR4_NetWareAccessGateway_Upgrade.zip
  Windows* J2EE* Agents                              Upgrade or Install   AM_304_SP4_IR4_ApplicationServerAgents_Windows.exe
  Linux J2EE Agents                                  Upgrade or Install   AM_304_SP4_IR4_ApplicationServerAgents_Linux.tar.gz

2.1.1 Verifying SP4 Version Numbers Before Upgrading

All components need to have been upgraded to at least SP4 before you can upgrade to SP4 IR4.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays a version that is eligible for upgrading to SP4 IR4.

    Component                                  3.0 SP4    3.0 SP4 IR1   3.0 SP4 IR2   3.0 SP4 IR3
    -----------------------------------------  ---------  ------------  ------------  ------------
    Administration Console                     3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    Identity Server                            3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    Linux Access Gateway                       3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    NetWare Access Gateway                     3.0.505    3.0.505a      3.0.505b      3.0.505g
    J2EE Agents (all versions, all platforms)  3.0.4.38   3.0.4.56      3.0.4.60      3.0.4.70
    SSL VPN                                    3.0.4      3.0.4         3.0.4         3.0.4

2.1.2 Performing the Upgrade

Before you upgrade to this release, you should first back up your current configuration.

The Administration Console should be the first device you upgrade. You can then upgrade the various devices that you have imported into the Administration Console. We highly recommend that you upgrade all members of a cluster before moving to another type of device to upgrade. When you finish upgrading, you should perform a system backup.

For specific installation steps, installation requirements, and overview information, see the Novell Access Manager Installation Guide.

2.1.3 Upgrading the Identity Server and Administration Console

For the Identity Server and the Administration Console, copy the .tar.gz file to the machine where these components are installed. For more information about upgrading the Access Manager components, see “Upgrading Access Manager Components” in the Novell Access Manager Installation Guide.

2.1.4 Upgrading the Linux Access Gateway

The Linux Access Gateway file (AM_304_SP4_IR4_lagrpms.tar.gz) must be renamed. In the patch download, it needs to have a version-specific name, but for an upgrade, it needs the generic name. It should be renamed as follows:

AM_304_SP4_IR4_lagrpms.tar.gz renamed to lagrpms.tar.gz

For instructions on upgrading, see “Upgrading the Linux Access Gateway” in the Novell Access Manager Installation Guide.

2.1.5 Upgrading the SSL VPN Server

For instructions on upgrading, see “Upgrading the SSL VPN Server” in the Novell Access Manager Installation Guide.

For information on upgrading to the high bandwidth version, see Section 2.2, Upgrading to the High Bandwidth SSL VPN Server.

2.1.6 Upgrading the J2EE Agents

For instructions on upgrading the agents, see “Upgrading the J2EE Agents” in the Novell Access Manager J2EE Agent Guide.

2.1.7 Verifying the Upgrade to SP4 IR4

When you have finished, use the following procedure to verify that all components have been upgraded to SP4 IR4.

  1. In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version.

  2. Examine the value of the Version field to see if it displays the correct version.

    Component                                  3.0 SP4 IR4 Version
    -----------------------------------------  -------------------
    Administration Console                     3.0.4.94
    Identity Server                            3.0.4.94
    Linux Access Gateway                       3.0.4.94
    NetWare Access Gateway                     3.0.505h
    J2EE Agents (all versions, all platforms)  3.0.4.94
    SSL VPN                                    3.0.4

2.2 Upgrading to the High Bandwidth SSL VPN Server

The high bandwidth SSL VPN server does not ship with the product because of export laws and restrictions. The high bandwidth version does not have the connection and performance restrictions that are part of the version that ships with the product. Your regular Novell sales channel can determine if the export law allows you to order the high bandwidth version at no extra cost.

After you have ordered the high bandwidth version, log in to the Novell Customer Center and you will see a link that allows you to download the high bandwidth version.

For installation instructions, see “Installing SSL VPN” in the Novell Access Manager Installation Guide.

3.0 Bugs Fixed in SP4 IR4

3.1 Linux Access Gateway

  • Fixed security issues with the logout process.

  • Fixed the issue in using an encoded URL query string in the redirect to the URL policy of the ACL.

  • Fixed the issue of performing a case sensitive comparison of query parameters when injecting a query string.

  • Fixed issues that caused the Linux Access Gateway to crash under heavy load.

  • Fixed a rewriter issue that was causing the range section in the HTTP header to be stripped out.

  • Fixed issues with URL normalization.

  • Removed some TCP connect and listen configuration options.

  • Fixed issues with the tunneling feature.

3.2 Identity Server

  • Fixed an issue that prevented clustered Identity Servers from communicating with each other when separated by a firewall. For the ports that need to be opened in the firewall, see “When a Firewall Separates the Identity Server from a Component”.

  • Fixed an issue that allowed clustered Identity Servers to randomly lose communication with other cluster members.

  • Fixed an issue with the minor version information in the SAML 1.0 assertions.

3.3 Administration Console

  • Fixed an issue that caused the Administration Console to crash when accessing overview or Access Gateway information.

  • Internet Explorer* 7 (latest version) on Windows XP and Vista is now a supported browser for accessing the Administration Console.

3.4 SSL VPN

  • The SSL VPN build version number is now in sync with version numbering of other components.

  • Fixed the OpenVPN authentication error that occurred when clients tried to reconnect.

4.0 Bugs Fixed in SP4 IR3

4.1 Linux Access Gateway

  • The option to send alerts to an SNMP server has been removed as a configuration option because it is unsupported.

  • Fixed issues in converting double byte characters in Linux Access Gateway broker redirection.

  • Fixed an issue that caused remote desktop sessions to the terminal server across a generic TCP tunnel to randomly lose keyboard and mouse control.

  • Fixed a few reliability issues.

  • Fixed a memory leak issue that occurred after updating the authorization library.

  • Fixed an issue that caused the original base64 encoded URL relay state to be changed after the successful authentication.

  • The IP addresses printed in the logs are now in the correct format.

4.2 Identity Server

  • Fixed a security vulnerability with X.509 certificates. For configuration options, see “Potential X.509 Certificate Vulnerability”.

  • Health check for LDAP Service. For more information, see TID 700333.

  • Fixed a token encoding issue that caused Kerberos authentication to fail with NTLM tokens.

  • Fixed an issue that caused SAML 1.0 statistic gathering to fail.

  • Fixed an issue that caused an X.509 request to fail when it included LDAP attributes.

4.3 Administration Console

  • Fixed a certificate issue that caused certificates to be renewed daily.

5.0 Bugs Fixed in SP4 IR2

5.1 Linux Access Gateway

  • Fixed a problem that caused the Linux Access Gateway to fail if the machine had more than 4GB RAM.

  • Fixed an issue that caused the Linux Access Gateway to fail when the content-type encoding was specified as GZIP but the actual content was plain text.

  • Fixed an issue with cookie header parsing, which caused the Linux Access Gateway to fail.

  • Fixed a memory leak issue that resulted in proxy failure.

  • Fixed a problem that caused Identity Injection to fail when a NetIdentity-based authentication contract was used and the browser requests included an authorization header. When you use the /var/novell/.overwrite_AuthHeader_With_IIData touch file, it overwrites the browser authorization header with the Identity Injection data.

  • Fixed a problem that caused the Linux Access Gateway to serve client requests from the wrong Web server when the requests from parent and domain-based services were received on the same connection.

  • Fixed an issue with authentication that caused URLs with double byte characters to be handled incorrectly.

  • Fixed a delay in sending data from the Web server to the browser.

  • Fixed a problem with the rewriter, which caused the Linux Access Gateway to rewrite the Web server hostname incorrectly when a domain-based multi-homing service was configured. To enable Linux Access Gateway to rewrite more URLs, use the /var/novell/.incCOSSize touch file.

  • Fixed an issue with the custom rewriter that caused the rewriter to fail when include URLs were specified.

  • The rewriter now rewrites more URLs per page.

5.2 Identity Server

  • Fixed a problem with SAML 1.1 federation where the user was redirected to the User Portal application instead of the target URL.

  • Fixed an issue that caused Form Fill policies to fail when users were moved from one user store to another user store.

5.3 SSL VPN Server

  • Fixed an issue that didn’t clear the Update option when the configuration changes were lost because they weren’t saved and the session was closed.

6.0 Bugs Fixed in SP4 IR1

6.1 Linux Access Gateway

  • Fixed the Linux Access Gateway crash that occurred if an error message file did not exist for all the language profiles.

  • Fixed a protected resource matching issue if the /? character existed in the protected resource. Linux Access Gateway now treats /? as the directory match if it occurs at the end of the URL. Otherwise, it is treated as a query parameter.

  • Fixed an issue in matching protected resources when the URL of protected resources contained encoded characters.

  • Fixed a Linux Access Gateway memory leak issue.

  • The URL normalization protection for back-end Web servers can now be disabled with the help of a touch file. However, this touch file is not active for path-based sub-services that are enabled with the Remove path on fill option.

  • Fixed an issue in logging out users in a cluster setup.

  • Fixed issues in rewriting HTML pages with double-byte characters.

  • The Linux Access Gateway can now be configured to run the /chroot/lag/opt/novell/bin/postapply.sh script after every apply, so that the settings remain as they were before applying the configuration changes. This script can be edited to add commands.

  • You can now customize all error messages that are served by the Linux Access Gateway and those that are configured in the Access Control Lists.

  • Fixed an issue with changing a domain name, which was leading to listener failure.

  • The rewriter now rewrites all the value tags.

  • Fixed issues with the LAG character profile rewriter by changing the algorithm used for search and replace.

  • Fixed an issue with service selection in the path-based multi-homing service. With this fix, the Linux Access Gateway selects the best match from the configured services.

6.2 Identity Server

  • Modified two statistic strings to clarify that they were gathering information about LDAP queries (Number of SAML Attribute Queries and Number of SAML-2 Attribute Queries).

  • Fixed an issue with the user store health check so that it is refreshed when the user selects Update from Server and when periodic health checks are performed.

  • Fixed an issue that limited top-level domain names to six characters.

  • Fixed an issue with the RSA SecurID Login Method.

  • Fixed an issue with the hidden target parameter for the login page.

  • Fixed an issue with reading the content length that caused login to fail.

  • Fixed an issue that caused a cluster member to assume an inactive state when it was configured with multiple IP addresses.

  • Fixed an issue with SAML2 metadata and certificates.

  • Fixed an issue with the LDAP search filters that caused slow performance.

6.3 Administration Console

  • Fixed an issue that caused configuration changes to report an HTTP 404 error.

6.4 SSL VPN

  • Fixed the SSL VPN Mac client so that it updates the DNS entries after logout.

  • Fixed issues in detecting a forward proxy through the automatic configuration script settings of Internet Explorer* when using the ActiveX* client.

7.0 Known Issues

7.1 Setup Considerations

  • Ensure that you synchronize the correct date, time, and time zone settings between the Identity Servers and Access Gateway servers. You must synchronize your servers to within one minute of each other. Otherwise, you encounter federation and session time-out errors. It is recommended that you use NTP for time synchronization.

  • Ensure that DNS names can be resolved.

  • Enable (allow) browser pop-ups for the Administration Console (administration server).

  • Network Address Translation routers cannot be placed between Access Manager components. All Access Manager components must be on the same side of a NAT router.

  • This release does not support installation of the Administration Console, Identity Server, Linux Access Gateway, and SSL VPN on a single machine.

7.2 Administration Console Known Issues

This section discusses known issues for the Administration Console.

7.2.1 Configuration Datastore Crashes

If you are having problems keeping the Administration Console running because eDirectory™ and Tomcat stop working, your configuration might be triggering a known issue with eDirectory 8.8.1.

Try the following workaround:

  1. Create a link in the etc directory for the nici.cfg file.

  2. Enter the following commands:

    cd /etc
    ln -sf /etc/opt/novell/nici.cfg nici.cfg

  3. Restart eDirectory:

    /etc/init.d/ndsd start

  4. Restart Tomcat:

    /etc/init.d/novell-tomcat4 restart

If this does not solve the problem, contact Novell. This issue is fixed in Access Manager 3.1 SP1.

7.2.2 Running in a VMware ESX Server Environment

If you are running Access Manager in a VMware* ESX Server environment (ESX Server 3.0.2) and your Access Gateway configuration contains a path-based multi-homing reverse proxy with over 200 protected resources, you might experience an extended delay (five minutes or more) when viewing the configuration page for the proxy. This issue is fixed in Access Manager 3.1 SP1.

7.2.3 Using an Auditing Server Other Than the One on the Administration Console

If you set up Access Manager to use an auditing server other than the one installed on the Administration Console, devices that are imported after this configuration do not receive the IP address of the auditing server. When the device is rebooted, it tries to send auditing events to the auditing server on the Administration Console.

To work around this issue after importing new devices, configure the auditing server to use the IP address of the Administration Console, then click OK. This saves the configuration to the Administration Console. Return to the Auditing page, reset the IP address to the address of the auditing server you want to use, then apply the configuration to all the devices imported into the Administration Console (use the Update links). After the configuration has been applied to the devices, reboot the devices.

For more information on how to change the IP address of the auditing server, see “Specifying the Logging Server and Events” in the Novell Access Manager Administration Guide.

This issue is fixed in Access Manager 3.1 SP1.

7.3 Identity Server Known Issues

The following issues apply to the Identity Server:

7.3.1 Changing the Name of a Contract

Currently, you can change the name of a contract when it is being used to protect an Access Gateway resource. When you change the name of such a contract, subsequent updates to the Access Gateway fail with an XML validation error. For instructions on fixing this error, see “Modifying a Configuration That References a Removed Object” in the Novell Access Manager Administration Guide.

To avoid this problem, make sure the contract is not being used to protect a resource before changing the name. This rename problem is fixed in Access Manager 3.1 SP1.

7.3.2 Account Lockout on a Password Expiration Servlet

When users are within the grace login limit, and a password expiration servlet is specified on a Name/Password or Secure Name/Password (form-based) authentication contract, users are redirected to the password expiration servlet to change their passwords. If a user does not update the password correctly, or escapes out of the page for any reason, the account is locked.

7.3.3 Auto Provision X509

If there are already values in the LDAP attribute for X509 Subject Name mapping and you enable Auto Provision X509 for the X509 authentication class, the LDAP attribute values are overwritten with the client certificate subject name.

7.4 Linux Access Gateway Known Issues

This section discusses the known issues that apply to the current release of the Linux Access Gateway.

7.4.1 Not All the Installed Memory Can Be Seen

The kernel in the Linux Access Gateway can recognize only 4 GB of memory. If you install more than 4 GB of RAM, the memory above the limit is ignored. This problem has been fixed in the Linux Access Gateway in Access Manager 3.1.

7.4.2 Audit Events Are Not Sent to the Audit Server

On a new installation when you first enable Novell Auditing (click Access Manager > Access Gateways > Edit > Novell Audit) and select audit events, they are not generated and sent to the Audit Server.

To solve the problem, restart the Linux Access Gateway. Use the option on the Access Gateways page or use the following command:

/etc/init.d/novell-vmc restart

If you have clustered the Access Gateways, restart each Access Gateway in the cluster.

7.4.3 Communication Problems between the Novell Audit Client and the Audit Server Might Crash the Linux Access Gateway

If you have configured your Access Manager system to use a Novell Sentinel™ or Novell Audit server for auditing, the Novell Audit client sometimes disconnects from the auditing server. This usually happens when communication problems exist on the network. When this happens, the Linux Access Gateway might crash. It can also prevent the successful completion of any Linux Access Gateway configuration changes.

To solve this problem, make sure that no communication problems exist between the auditing client on the Linux Access Gateway and the auditing server.

7.4.4 Issues with Health Check While Reimporting a Linux Access Gateway with Initial Configuration

When reimporting a Linux Access Gateway with the initial configuration option, the health status displays the health of the previous configuration. You must apply changes from the Administration Console for health status to display the new configuration. Alternatively, you can enter the /etc/init.d/novell-vmc restart command from the command line to restart the Access Gateway. This issue does not happen when you reimport the proxy with the current configuration option.

7.4.5 Possible Redirection Issue with Some IE7 Versions

With Internet Explorer 7, if the Linux Access Gateway redirects the first request after authentication to a secure site and the certificates are not present in the browser, the browser is not redirected to the proper site.

7.4.6 Issues with the Audit Server While Importing a Linux Access Gateway Configuration

When importing a Linux Access Gateway configuration, it is possible that the imported configuration contains an Audit server IP address that is different from the Audit server IP address that has been configured in the Administration Console. Updating the Linux Access Gateway configuration does not correct this address problem. As long as the addresses differ, the Access Gateway can hang during subsequent updates or restarts because the Novell Audit Agent of the Access Gateway cannot connect to its configured Audit server.

You must force the Linux Access Gateway to change its Audit server settings.

  1. In the Administration Console, click Access Manager > Auditing.

  2. Specify a different IP address for the Secure Logging Server, then click OK.

  3. Click Auditing, specify the correct IP address for the Secure Logging Server, then click OK.

  4. Update the Linux Access Gateway.

  5. Reboot every Access Manager machine, starting with the Administration Console.

    If you have already configured the other Access Manager machines to use the correct IP address of the Secure Logging Server, rebooting the Linux Access Gateway should be sufficient.

7.4.7 Upgrading the Linux Access Gateway Randomly Halts the Embedded Service Provider

After upgrading, the embedded service provider sometimes halts at the end of the upgrade process. When this happens, restart the Linux Access Gateway. In the Administration Console, click Access Manager > Access Gateways, select the Access Gateway, then click Reboot.

7.4.8 The Linux Access Gateway Version Is Incorrectly Displayed on the Administration Console

After the installation of the Linux Access Gateway, the wrong version of the product is displayed on the Administration Console. To get the correct version of the product, select Access Gateways > <Name of Server> > Upgrade or specify the following command from a Linux Access Gateway machine:

cat /etc/issue

7.4.9 In the Linux Access Gateway, YaST Is Non-Responsive When a Partition Is Deleted or Created by Using YaST

YaST becomes non-responsive if you click Finish after adding, deleting, or modifying a partition. To work around this problem, click Apply, then click Quit instead of clicking Finish.

7.4.10 Hostname Cannot Be Configured As linux

During installation, if you configure the hostname as linux, the Linux Access Gateway is not imported.

7.4.11 Issues When Importing Trusted Roots from Web Servers

The Linux Access Gateway requires both the server certificate and the root CA to be present in the trusted roots imported from Web servers. If the trusted root imported from the Web server displays only the server certificate, select the Do Not Verify option from the Web Server Trusted Root drop-down list when you are configuring SSL between the Proxy Service and Web servers. For more information, see “Configuring SSL between the Proxy Service and the Web Servers” in the Novell Access Manager Administration Guide.

7.4.12 Accelerating Web Servers That Do Not Support TLS and Do Not Fall Back to SSLV3

The Linux Access Gateway uses the TLS protocol by default. However, some Web servers that do not support the TLS protocol abort the SSL handshake because they do not fall back to SSLV3.

To work around this problem, create the /var/novell/.doNotUseTLS touch file and restart the Linux Access Gateway. When this touch file is set, the Linux Access Gateway tries the SSLV3 protocol by default, instead of the TLS protocol.

7.4.13 Rewriter Does Not Handle the [oa] Option in Search and Replace

The character rewriter profile does not support the [oa] option to search and replace plain words and strings.

7.4.14 Exclude Alias DNS with Scheme Option Does Not Work

The Exclude Alias DNS name with Scheme option does not work. For example, if you add https://www.mygroup.com, it is not excluded from the list. You must provide only the DNS name, such as www.mygroup.com.

7.4.15 Form Fill Auto Submit Issue

A Form Fill auto-submit fails when an input field in an HTML page contains name="submit".

7.4.16 Form Fill Does Not Work if the Web Page Contains an Apostrophe

The Linux Access Gateway Form Fill does not work if the Web page contains the apostrophe character.

7.4.17 Form Fill Fails If the Web Server Does Not Send the Content Type

Form Fill does not process the page if the Web server does not send the content type. Form Fill processes the following content types:

"text/html" "text/xml" "text/css" "text/javascript" "application/javascript" "application/x-javascript"
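To check whether a back-end Web server sends a Content-Type that Form Fill will process, the following added example (not Novell code) classifies a response header block against the list above. It assumes that the match is on the media type alone, ignoring parameters such as "; charset=UTF-8" and letter case; the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not part of the Novell Access Manager product.
# Assumption: Form Fill matches the media type only, ignoring parameters
# and letter case. Verify against your own gateway before relying on it.

# Content types that Form Fill processes, as listed in the readme (7.4.17).
FORMFILL_TYPES="text/html text/xml text/css text/javascript application/javascript application/x-javascript"

# Read an HTTP response header block on stdin and print the media type from
# the first Content-Type header, lowercased and without parameters.
# Prints nothing when the header is absent.
extract_media_type() {
    tr -d '\r' \
      | tr 'A-Z' 'a-z' \
      | sed -n 's/^content-type:[[:space:]]*//p' \
      | head -n 1 \
      | sed 's/;.*$//; s/[[:space:]]*$//'
}

# Return 0 if Form Fill processes responses of this media type, 1 otherwise.
formfill_processes() {
    mt="$1"
    [ -n "$mt" ] || return 1
    for t in $FORMFILL_TYPES; do
        if [ "$t" = "$mt" ]; then
            return 0
        fi
    done
    return 1
}

# Classify a response header block read from stdin. Prints one line:
#   "processed <type>"             Form Fill will handle the page
#   "skipped-missing-content-type" the server sent no Content-Type (7.4.17)
#   "skipped <type>"               Content-Type is outside the supported list
classify_response() {
    mt=$(extract_media_type)
    if [ -z "$mt" ]; then
        echo "skipped-missing-content-type"
    elif formfill_processes "$mt"; then
        echo "processed $mt"
    else
        echo "skipped $mt"
    fi
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTML='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 512'

SAMPLE_NO_TYPE='HTTP/1.1 200 OK
Server: Apache
Content-Length: 512'

SAMPLE_PDF='HTTP/1.1 200 OK
Content-Type: application/pdf'

# Stand-alone run: classify each constructed sample.
for s in "$SAMPLE_HTML" "$SAMPLE_NO_TYPE" "$SAMPLE_PDF"; do
    printf '%s\n' "$s" | classify_response
done
```

To test a real back-end server, pipe the output of `curl -sI` for the login page into classify_response.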

7.5 NetWare Access Gateway Known Issues

The NetWare Access Gateway embeds NetWare 6.5 SP6. The following topics are known issues for this operating system and the Access Gateway:

7.5.1 Mutual SSL

When you upgrade to Access Manager 3.0 SP1, the upgrade process disables mutual SSL between the proxy service and the Web servers.

To re-enable mutual SSL, select the SSL Mutual Certificate on the Web Servers page. Click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

7.5.2 Form Fill Data Is Not Cached

The NetWare Access Gateway does not cache Form Fill data. Therefore, if you assign a Form Fill policy to a protected resource that uses a wildcard (*) in the URL path, the NetWare Access Gateway queries the Identity Server for Form Fill data each time a user accesses any page that matches the protected resource. It is strongly recommended that you specify a specific page when you assign a Form Fill policy to a protected resource.

The NetWare Access Gateway does cache Identity Injection and Authorization policy information for the lifetime of the user’s session, so the protected resources for these policies can use wildcards in their URL paths.

7.5.3 Secondary Administration Console Command Failure

You can push commands from the secondary Administration Console, but any commands dealing with the Certificate Authority fail, unless you move the Certificate Authority to the secondary server.

7.5.4 DNS Naming

Do not begin an Access Gateway server DNS name with a number.

7.5.5 Using an SSH Client with the Secure File Transfer Protocol

To transfer files to and from the NetWare Access Gateway server when the SSH client that you are using for the transfer has the Secure File Transfer Protocol (SFTP) enabled, you must load ncpip.nlm and enable NCP™ for SFTP.

WARNING: Enabling NCPIP is a security risk because it opens a listener on port 524 on all bound addresses.

To set up and configure NCPIP, add the following to the tune.ncf file:

load ncpip.old
SET NCP Exclude Addresses = ALL
SET NCP Include Addresses = 127.0.0.1

7.5.6 IDEATA.HAM Drivers and Serial ATA Controllers

In the BIOS you can specify the mode to use for the IDEATA.HAM driver to work with a SATA controller (Legacy, Compatible, or Enhanced mode). You do not need to manipulate the driver or OS.

The IDESATA.HAM driver works with all AHCI controllers in pure AHCI mode, which is the recommended mode because it is the fastest. This driver is invoked instead of IDEATA.HAM only when the BIOS setting for the particular chip set is set to AHCI.

7.5.7 SSL Certificate Log Error with X.509 Authentication from the NetWare Access Gateway

If you set up an X.509 contract and use it to authenticate from the NetWare Access Gateway, you might see an error generated in the Identity Server log for certificate or SSL mutual authentication. This occurs during SSL re-negotiation between Tomcat and the Internet Explorer browser, and is possibly an IE bug. This error does not occur with Firefox*. The Access Gateway can cause the error at the Identity Server by requesting the certificate authentication from the Identity Server, but it is not the only device that can cause the error. Any device requiring or requesting certificate authentication from the Identity Server, including the Identity Server itself, can cause the error. It is cosmetic.

7.5.8 Novell Remote Manager

NetWare abends can occur when Novell Remote Manager Group Operations are used on a NetWare Access Gateway. We recommend that you do not use Novell Remote Manager on a NetWare Access Gateway.

7.6 SSL VPN Known Issues

The following sections divide the known issues into general issues that apply to both the Enterprise mode and Kiosk mode and issues that apply only to the Enterprise mode and only to the Kiosk mode:

7.6.1 General SSL VPN Issues

7.6.1.1 SSL VPN Session Running on JRE 1.4 Disconnects after Approximately 10 Hours

The SSL VPN client sessions running on JRE* 1.4 are disconnected after being in use for approximately 10 hours. To work around this problem, use JRE 1.5 or later.

7.6.1.2 SSL VPN Server Goes Down When More Than 50 Roles Are Associated to a Single Traffic Rule

The SSL VPN server might go down when you create traffic rules with more than 50 roles for each traffic rule.

7.6.1.3 SSL VPN Connection on Windows Through a Forward Proxy Fails When Authentication Is Enabled

When authentication is enabled in a forward proxy, the SSL VPN connection fails on a Windows client.

7.6.1.4 Using the Command Line to Restart the SSL VPN Server

You must use the command line to restart an SSL VPN server. The Start and Stop buttons in the Administration Console are not functional for this release. To restart the SSL VPN server, specify the following commands from the command line:

/etc/init.d/novell-sslvpn stop
/etc/init.d/novell-sslvpn start

7.6.1.5 SSL VPN Statistics Displayed in the Administration Console Are Not in Order

The SSL VPN connection statistics that are displayed in the Administration Console are not in any order.

7.6.1.6 Logout Page Is Not Displayed

If the user does not have a traffic policy defined for the role, the user is denied access to the resources. However, the logout page is not displayed when the user clicks the Logout button.

7.6.1.7 SSL VPN Client Randomly Displays the Nonsecure Items Dialog Box

In Internet Explorer, the SSL VPN client randomly displays the Do you want to display the nonsecure items dialog box after the connection is established. Click Yes to close the dialog box. If you do not click Yes, SSL VPN disconnects. You can also follow the steps given below to resolve the problem if you are planning to use SSL VPN for a long session.

  1. Open the Internet Explorer browser.

  2. Select Tools > Internet Options.

  3. Select the Security tab.

  4. Select Internet Zone, then click the Custom Level button.

  5. Select Enable for the Display mixed content option.

  6. Click OK.

7.6.1.8 HTTP Applications Cannot be Accessed When an SSL VPN Connection Is Made through the Forward Proxy

If a client uses an HTTP forward proxy to establish the SSL VPN session, no HTTP application can be accessed over this SSL VPN connection because the browser is configured to use the forward proxy server for HTTP requests.

7.6.1.9 UDP Traffic Throughput through the SSL VPN Encrypted Tunnel Is Low

The throughput of UDP traffic through the SSL VPN encrypted tunnel is low when compared to the TCP traffic.

7.6.2 Kiosk Mode Issues

7.6.2.1 ActiveX Download Requires Admin Privileges

If you are a non-admin user using Internet Explorer to establish an SSL VPN connection for the first time, the ActiveX download fails. This happens because you must have admin rights to download ActiveX. This issue might also occur if you have upgraded from an older version. If you want to access SSL VPN by using Internet Explorer, you must add the forcejre=true parameter to the end of the URL. For more information, see “Configuring SSL VPN to Download the Applet on Internet Explorer” in the Novell Access Manager Administration Guide.

You can use Firefox to connect to SSL VPN in Kiosk mode.

7.6.2.2 Firefox Is Non-Responsive in Windows Kiosk Mode with Multiple Clients

Firefox randomly becomes non-responsive when multiple clients are running in Windows Kiosk mode.

7.6.2.3 Logout Page Display Issue

The SSL VPN logout page is not displayed after you click the Logout button when you use the Internet Explorer 6.0 browser on a Windows 2000 machine to access SSL VPN in Kiosk mode. This issue does not occur when you access SSL VPN in Enterprise mode.

7.6.2.4 Issues with Citrix Server Connection through SSL VPN

When a user attempts to disconnect the Citrix* server connection established through SSL VPN, the SSL VPN connection is refreshed. The attempts to reconnect to the SSL VPN server fail because the previous connection is not disconnected or terminated. Close the browser to terminate the process.

7.6.2.5 ActiveX Does Not Display the Dialog Box for a Non-Admin User

If you are a non-admin user who has used SSL VPN in the Enterprise mode, and you then try to access SSL VPN through the Internet Explorer browser on the same machine, the dialog box prompting you to specify the administrator username and password is not displayed. The SSL VPN connection is established in the Kiosk mode instead. If you are a non-admin user and want to access SSL VPN by using Internet Explorer, you must add forcejre=true to the end of the URL.

For more information, see “Configuring SSL VPN to Download the Applet on Internet Explorer” in the Novell Access Manager Administration Guide.

7.6.2.6 No Kiosk Mode Support for 64-Bit Clients

If you use 64-bit machines, you can access SSL VPN only in Enterprise mode. Accessing SSL VPN in Kiosk mode is not supported.

7.6.2.7 Unable to Create SSL Listeners Because of a NICI Error

If you upgrade to the Novell Access Manager 3.0 SP2 version, then roll back to the SP1 release, SSL listeners are not created because there is a difference in the NICI versions used. To work around the problem, do the following in SP1:

  1. Untar lagrpms.tar.gz.

  2. Remove the nici-<version>.rpm from the lagrpms directory.

  3. Re-tar the lagrpms directory as lagrpms.tar.gz.

  4. Use the new lagrpms.tar.gz for upgrading.
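The four steps above as a shell function, added here as an example and not taken from the Novell readme. The sample archive it builds, the RPM file names in it, and the paths are constructed placeholders; the function leaves the original lagrpms.tar.gz untouched and writes the repackaged archive to a separate file.

```shell
#!/bin/sh
# Added example: repackage lagrpms.tar.gz without the NICI RPM (workaround 7.6.2.7).
set -eu

# strip_nici_rpm <input.tar.gz> <output.tar.gz>
# Untars the archive (step 1), removes nici-<version>.rpm from the lagrpms
# directory (step 2), and re-tars the directory (step 3). Prints the number of
# NICI RPMs removed; returns 1 if the archive has no lagrpms directory.
strip_nici_rpm() {
    in_tgz=$1
    out_tgz=$2
    work=$(mktemp -d)
    tar -xzf "$in_tgz" -C "$work"
    if [ ! -d "$work/lagrpms" ]; then
        echo "error: $in_tgz does not contain a lagrpms directory" >&2
        rm -rf "$work"
        return 1
    fi
    removed=0
    for rpm in "$work"/lagrpms/nici-*.rpm; do
        [ -e "$rpm" ] || continue      # the glob matched nothing
        rm -f "$rpm"
        removed=$((removed + 1))
    done
    # Re-tar the directory under the same top-level name, lagrpms.
    tar -czf "$out_tgz" -C "$work" lagrpms
    rm -rf "$work"
    echo "$removed"
}

# Constructed sample archive for demonstration only: the RPM names and the
# NICI version are placeholders, not the contents of the real patch file.
make_sample_lagrpms() {
    dir=$(mktemp -d)
    mkdir "$dir/lagrpms"
    : > "$dir/lagrpms/nici-VERSION-PLACEHOLDER.i586.rpm"
    : > "$dir/lagrpms/other-component-PLACEHOLDER.rpm"
    tar -czf "$dir/lagrpms.tar.gz" -C "$dir" lagrpms
    echo "$dir/lagrpms.tar.gz"
}
```

Point step 4 of the workaround at the output file produced by strip_nici_rpm.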

7.6.2.8 Macintosh Client Issues

The Macintosh* Tiger* OS client does not support GroupWise® 7.0.

7.6.2.9 Linux Browser Issues

In Linux, you cannot access protected HTTP traffic on the Firefox browser during the first SSL VPN connection, but subsequent connections work without problems.

To work around this problem, you can use another browser to access the protected resource as follows:

  1. Establish an SSL VPN connection in the Kiosk mode.

  2. Create a shortcut or launcher for Firefox on the desktop.

  3. Click SSLize Desktop Applications.

  4. Log out of the SSL VPN.

  5. Launch Firefox by using the SSL VPN-enabled shortcut.

    The Firefox browser launches even though there is no SSL VPN connection.

  6. Establish an SSL VPN connection in the Kiosk mode.

    New tabs and new instances of the Firefox browser now tunnel HTTP traffic.

7.6.2.10 Issues with the Intlclock Toolbar Application

The Intlclock toolbar application running on the SUSE® Linux Enterprise Desktop (SLED) 10 SP1 crashes when an SSL VPN connection is established or disconnected.

7.6.2.11 Applications in the Program Menu Are Not SSLized in Linux

In Linux, applications listed in the Program Menu are not SSLized.

7.6.2.12 Domain Name Search Does Not Work in Macintosh

Domain name search does not work in the Kiosk mode in Macintosh.

7.6.2.13 Active Mode FTP is Not Supported in Kiosk Mode

In SSL VPN Kiosk mode, the active mode of FTP is not supported.

7.6.3 Enterprise Mode Issues

7.6.3.1 Enterprise Mode Clients Randomly Disconnect

The Enterprise mode connection might occasionally be disconnected after being in use for approximately five hours, if the OpenVPN component stops responding.

7.6.3.2 No Support for 64-Bit Browsers

SSL VPN does not support 64-bit browsers to establish the initial login session.

7.6.3.3 Restrictions for SSL VPN Certificate Names

SSL VPN certificate names can contain only alphanumeric characters, the space, the underscore (_), the hyphen (-), the at symbol (@), and the dot (.).

7.6.3.4 No Error Message Is Displayed on an Invalid Credential Entry on Windows 2000 Machines

On Windows 2000 machines, if a non-admin user tries to establish an SSL VPN connection in the Enterprise mode and specifies the wrong credentials for the admin user, no error messages are displayed. However, the user is denied access after trying to establish the connection.

7.6.3.5 OpenVPN Connection Failed Error

When a user reconnects to the SSL VPN server, the 1701:OpenVPN Connection Failed error is displayed.

7.6.3.6 Connection Fails in SSL VPN if the Root User Password Is Not Set in Macintosh

In Macintosh, the SSL VPN connection fails if you log in as the root user and no password is set for the root user. In that case, log in as an admin user instead, by using the admin user's credentials.

7.7 Certificates Known Issues

In some combinations of Linux and Firefox, you might see the Browse button display incorrectly in the Import Private/Public Keypair window. This does not affect functionality.

8.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

9.0 Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.