2.4 Basic Configuration for SSL VPN

This section explains how to create a basic configuration for the SSL VPN server.

2.4.1 Configuring Authentication for ESP-Enabled SSL VPN

This section explains how to establish a trust relationship between the Identity Server and the Embedded Service Provider of the SSL VPN server.

Table 2-3 ESP-Enabled SSL VPN Configuration Information

What You Need To Know | Example | Your Value
Name of the Identity Server cluster | idpa | _______________________
DNS name of the SSL VPN machine | sslvpn.test.novell.com | _______________________
A certificate where the subject name matches the DNS name of the SSL VPN machine | For information on how to create such a certificate, see Creating a Locally Signed Certificate in the Novell Access Manager 3.1 SP2 Administration Console Guide. |

For more information, see Configuring Authentication for the ESP-Enabled Novell SSL VPN in the Novell Access Manager 3.1 SP2 Setup Guide.

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Authentication Configuration from the Gateway Configuration section.

  3. Fill in the following fields:

    Identity Server Cluster: idpa

    In Table 2-3, this is the sample name of the Identity Server cluster.

    Authentication Contract: Select Any Contract.

    Embedded Service Provider Base URL: https://sslvpn.test.novell.com:8443/sslvpn

    In Table 2-3, sslvpn.test.novell.com is the sample DNS name of the SSL VPN server; use the name that clients resolve, because the certificates selected below must match it. This example assumes you want to use HTTPS. If you want to use HTTP, select http and make sure the port is 8080.

    Redirect Requests from Non-Secure Port to Secure Port: Select this option if you are using HTTPS.

    SSL VPN Certificate: Click the icon and select the certificate that has a subject name that matches the DNS name of the SSL VPN server.

    Embedded Service Provider Certificate: Click the icon and select the certificate that has a subject name that matches the DNS name of the SSL VPN server.

  4. Restart the Tomcat server when prompted.

  5. Click OK, then click Update on the Configuration page.

  6. Click Update on the Identity Server Configuration page.
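The procedure above depends on the SSL VPN and ESP certificates carrying the DNS name that clients actually connect to (the host part of the Embedded Service Provider Base URL). The following Python script is an added example, not part of the Novell Access Manager documentation: it implements the RFC 6125 name-matching rule that browsers apply (subjectAltName dNSName entries take precedence, the subject CN is only a fallback, and a wildcard may only be the whole leftmost label) and can connect to the SSL VPN port to check the certificate that is really served. The hostnames, the port 8443, the CA file path and the sample certificate dictionaries are assumptions constructed for the example; the dictionary layout is the one that ssl.SSLSocket.getpeercert() returns.

```python
"""Check that the certificate served on the SSL VPN / ESP port carries the
DNS name clients use.

Added example, not from the Novell Access Manager documentation.
Hostnames, ports and the constructed certificate dicts are assumptions.
"""
import socket
import ssl


def cert_dns_names(cert):
    """Return the names a client may match against.

    RFC 6125 (and every modern browser) ignores the subject CN as soon as a
    subjectAltName extension is present, so CN is used only as a fallback.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match. A single '*' is allowed only as the entire
    leftmost label and matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*test.com', 'a.*.com', '*.*.com' and too-broad names like '*.com'.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """True if any usable name in the certificate matches hostname."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def check_live_endpoint(hostname, ca_file, port=8443, timeout=5):
    """Fetch the certificate served on hostname:port and check its names.

    ca_file is the PEM file of the CA that signed the certificate (for a
    locally signed certificate, the Access Manager configuration CA exported
    from the Administration Console; the path is an assumption). Chain
    verification stays on; only the built-in hostname check is disabled so
    that the explicit check below can report which names were present.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        # server_hostname still drives SNI so the right certificate is served.
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_matches_host(cert, hostname), cert_dns_names(cert)


# Constructed sample certificates in getpeercert() layout (not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "sslvpn.test.novell.com"),),),
    "subjectAltName": (("DNS", "sslvpn.test.novell.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "sslvpn.test.novell.com"),),)}
# CN matches but the SAN does not: browsers reject this one.
MISMATCHED_SAN_CERT = {
    "subject": ((("commonName", "sslvpn.test.novell.com"),),),
    "subjectAltName": (("DNS", "ag.test.novell.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.test.novell.com"),),),
    "subjectAltName": (("DNS", "*.test.novell.com"),),
}

if __name__ == "__main__":
    host = "sslvpn.test.novell.com"  # sample DNS name from Table 2-3
    for label, cert in [("good", GOOD_CERT), ("cn-only", CN_ONLY_CERT),
                        ("san-mismatch", MISMATCHED_SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(f"{label:13} names={cert_dns_names(cert)} "
              f"matches {host}: {cert_matches_host(cert, host)}")
    # Live check, for example after step 6:
    # print(check_live_endpoint(host, "/path/to/config-ca.pem"))
```

Run the offline part to see why a certificate whose CN is right but whose SAN is wrong still fails, then point check_live_endpoint() at the host and port from the Embedded Service Provider Base URL once the configuration has been updated; a result of (False, [...]) means the selected certificate does not carry the name clients will use and the ESP redirects will fail with certificate errors.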

2.4.2 Accelerating the Traditional SSL VPN Server

This section explains how to accelerate the traditional SSL VPN server in a path-based multi-homing configuration.

  1. In the Administration Console, click Devices > Access Gateways, then click Edit > [Name of Reverse Proxy].

  2. In the Proxy Service List, click New, then provide the following values:

    Proxy Service Name: Specify sslvpn.

    Multi-Homing Type: Select Path-Based.

    Path: Specify /sslvpn.

    Web Server IP Address: Specify the IP address of SSL VPN server.

    Host Header: If your SSL VPN server has a DNS name, select Web Server Host Name. Otherwise, select Forward Received Host Name.

    Web Server Host Name: Specify the DNS name of the SSL VPN server if you selected Web Server Host Name for the Host Header option.

  3. Click OK.

  4. In the Proxy Service List, click sslvpn > Web Servers.

  5. Change the Connect Port from 80 to 8080, then click OK.

  6. In the Proxy Service List, select sslvpn.

  7. In the Path List, select the sslvpn path, then click Enable SSL VPN.

  8. Fill in the following fields:

    Policy Container: Select Master_Container.

    Policy: Select Create SSL VPN Default Policy. In the Policy List window, click Apply Changes, then click Close.

    Name: Select Create SSL VPN Default Protected Resource.

  9. Click OK twice, then update the Access Gateway and the SSL VPN server.