NetIQ Access Manager includes the Access Gateway Appliance and the Access Gateway Service. The Access Gateway Appliance is a dedicated machine that installs its own embedded Linux operating system, whereas the Access Gateway Service runs on top of an existing installation of a Linux or Windows operating system. Both types of gateway support similar functionality, but they differ slightly in the way some features are implemented. For example, both can be configured for the following features:
- Protecting Web resources with contracts, Authorization, Form Fill, and Identity Injection policies.
- Providing fault tolerance by clustering multiple gateways of the same type.
- Providing fault tolerance by grouping multiple Web servers, so that if one Web server goes down, the content can be retrieved from another server in the group.
- Rewriting URLs so that the names and IP addresses of the Web servers are hidden from the users making requests.
- Generating alert, audit, and logging events with notify options.
Most differences among the 3.1 SP4 Access Gateway, the Access Gateway Appliance, and the Access Gateway Service result from what an appliance and a service each require. An appliance can know, control, and configure many features of the operating system. A service that runs on top of an operating system can query the operating system for some information, but it cannot configure or control it; for the service, operating system utilities must be used to configure system parameters and hardware. For the appliance, the operating system features that matter to the appliance, such as time, DNS servers, gateways, and network interface cards, can be configured in the Administration Console.
This table describes the differences among the 3.1 SP4 Access Gateway, Access Gateway Appliance, and Access Gateway Service. Only your network and Web server configurations can determine whether the differences are significant.
Table D-1 Differences among the 3.1 SP4 Access Gateway, Access Gateway Appliance, and Access Gateway Service:

| Feature | 3.1 SP4 Access Gateway Appliance | Access Gateway Appliance | Access Gateway Service |
|---|---|---|---|
| System architecture | 32-bit | 64-bit only | 64-bit only |
| Platform support | SLES only | SLES 11 SP2 or SP3, Red Hat Enterprise Linux | SLES 11 SP2 or SP3, Red Hat Enterprise Linux, Windows |
| Network configuration | Can be done from the Administration Console. | Can be done from the Administration Console. By default, after the installation only one network interface card is displayed in the Administration Console. To detect other network interface cards, do the following: | Configurable with standard operating system utilities. |
| Date and time | Can be done from the Administration Console. | Can be done from the Administration Console. | Configurable with standard operating system utilities. |
| Rewriter: number of URLs that can be rewritten | There is a set limit. | No limit. | No limit. |
| Rewriter: profiles | Can do word pattern matches in Word profiles and Character profiles. | Can only do word pattern matches in Character profiles. | Can only do word pattern matches in Character profiles. |
| Rewriter: Word profiles | Case-sensitive. | Case-insensitive. | Case-insensitive. |
| Rewriter: special tokens for Word profiles | Not supported. | Supports the [w], [ow], [ep], [ew], and [oa] options. | Supports the [w], [ow], [ep], [ew], and [oa] options. |
| Rewriter: webcal | Not supported. | Supported. | Supported. |
| Cache directory | Separate protected partition. | Uses Apache caching. The cached files are stored in clear text, so the operating system must be configured to protect this directory. For more information on the Apache model, see "Caching Guide". | Uses the filesystem provided by the Apache mod_cache module. For more information on the Apache model, see "Caching Guide". |
| Cache freshness configuration options | Supported. | Limited support. Some of these options can be achieved with Advanced Options; Continue Fill Time and HTTP Retries are not available. | Limited support. Some of these options can be achieved with Advanced Options; Continue Fill Time and HTTP Retries are not available. |
| Custom cache control headers | Supported. | Not supported. | Not supported. |
| Caching behavior | For more information, see | For more information, see | For more information, see |
| X-Forwarded-For header | Can be enabled or disabled from the Administration Console. | Cannot be disabled. By default, Apache sends it along with the X-Forwarded-Host and X-Forwarded-Server headers. | Cannot be disabled. By default, Apache sends it along with the X-Forwarded-Host and X-Forwarded-Server headers. |
| Via header | Includes the device ID and version number. | Includes the device ID. | Includes the device ID. |
| Stop and restart commands | Shuts down the operating system, or restarts the operating system and the Access Gateway Appliance. | Stops and starts the Access Gateway Service without affecting other services or applications. The operating system can be rebooted or shut down independently with standard operating system commands. | Stops and starts the Access Gateway Service without affecting other services or applications. The operating system can be rebooted or shut down independently with standard operating system commands. |
| Access logs for proxy service: when protected resource logging fails | Stops the proxy service if logging fails. | Cannot stop the proxy service if logging fails. For more information on access logging, see | Cannot stop the proxy service if logging fails. For more information on access logging, see |
| Web server connections | If the gateway has multiple network cards, you can specify which network card to use for the Web server connection. | Use the standard routing table on the device to route the traffic for that Web server on the right device. | Use the standard routing table on the device to route the traffic for that Web server on the right device. |
| Web server certificate verification | Configurable per proxy service. | Globally configurable. If certificate verification is turned on for one proxy service, it is turned on for all proxy services. | Globally configurable. If certificate verification is turned on for one proxy service, it is turned on for all proxy services. |
| Load balancing cookie | Access Gateway Appliance format. | Access Gateway Appliance format. | Access Gateway Appliance format. |
| 5-6 byte UTF characters (supported by IIS Web servers) | Supported. | Unsupported. | Unsupported. |
| Custom configuration | Touch files. | Advanced options. Click Access Gateways > Edit > Advanced Options, or Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options. | Advanced options. Click Access Gateways > Edit > Advanced Options, or Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options. |
| Device logging | ics_dyn.log; uses syslog. | ags_error.log and the Apache error.log. All logs are now in a central location, /var/opt/novell/logs. | ags_error.log and the Apache error.log. All logs are now in a central location, /var/opt/novell/logs. |
| Device logging configuration | Log level set with options in the nash shell. | Configurable from the Administration Console. Click Access Gateways > Edit > Logging. | Configurable from the Administration Console. Click Access Gateways > Edit > Logging. |
| Sending alerts to an SNMP server | Unsupported. | Supported. | Supported. |
| Manipulates cookies so that when a browser retains application cookies from the Web servers after a user logs out, these cookies become invalid. | Unsupported. | Supported. | Supported. |
| NetStorage | Browser connections can be used. | Browser and WebDAV connections can be used. | Browser and WebDAV connections can be used. |
| Inconsistency in the 302 redirect message between HTTP and HTTPS | A request to HTTP port 80 is answered with the following HTML document: `<HTML><HEAD><TITLE>Novell Proxy</TITLE></HEAD><BODY><b><p>HTTP request is being redirected to HTTPS.<p><A HREF="https://www.lagssl.com:443/">redirect</A> </b></BODY></HTML>` | A request to HTTP port 80 is answered with the following HTML document: `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.magssl.com/">here</a>.</p></body></html>` | A request to HTTP port 80 is answered with the following HTML document: `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.magssl.com/">here</a>.</p></body></html>` |
| Customizing error pages | | | |
| Advanced Options configuration | The error page from the origin server is forwarded to the browser. | Access Gateway overrides the origin server error page with Access Gateway's error page. This is turned off by default to behave like the Linux Access Gateway. If you do not want to send the origin server's error page but a customized error page from the Access Gateway, enable this with ProxyErrorOverride on. | Access Gateway overrides the origin server error page with Access Gateway's error page. For the error page to behave like the Linux Access Gateway, configure ProxyErrorOverride off in Advanced Options. |
| Alerts | The warning message log file format has changed. The log file has fewer columns than the file in the Access Gateway Appliance/Service. For example: `(Mon Jan 30 12:31:41 2012): Proxy configuration has changed` | The log file has more information than the file in the Linux Access Gateway Appliance. For example: `<amLogEntry> 2012-01-30T12:17:22Z WARN ALERT: AMDEVICEID#ag-02EC8D7D5B8A8291:DateTime=1327906042643, Severity=Warn, ServiceType=ag, Message=Access Gateway configuration has changed </amLogEntry>` | The log file has more information than the file in the Linux Access Gateway Appliance. For example: `<amLogEntry> 2012-01-30T12:17:22Z WARN ALERT: AMDEVICEID#ag-02EC8D7D5B8A8291:DateTime=1327906042643, Severity=Warn, ServiceType=ag, Message=Access Gateway configuration has changed </amLogEntry>` |
| Cache Control options | Enable Custom Cache Control Header; When objects reach the Custom Cache Control Expiration Time; Cache Control Headers. | Enable Custom Cache Control Header; When objects reach the Custom Cache Control Expiration Time. The Cache Control Headers can be injected using Apache mod_headers module directives. | Enable Custom Cache Control Header; When objects reach the Custom Cache Control Expiration Time. The Cache Control Headers can be injected using Apache mod_headers module directives. |
| Unreachable Web server | Checks the health of Web servers that are marked as unreachable every 30 seconds. | The proxy checks the Web server for each new session request at an interval of 1 minute by default. You can configure the advanced option for a different interval, for example AdditionalBalancerMemberOptions retry=180, where 180 is in seconds. | The proxy checks the Web server for each new session request at an interval of 1 minute by default. You can configure the advanced option for a different interval, for example AdditionalBalancerMemberOptions retry=180, where 180 is in seconds. |
| Client IP mismatch error | On receiving the IPC cookie from the browser, the Linux Access Gateway asks the user to authenticate if it is a protected resource that needs authentication, or just treats the request for public resources as if the cookie was not received. | On receiving the IPC cookie from the browser, Access Gateway checks the client IP address in the cookie. If the IP address in the cookie and the client IP address from which the request came do not match, Access Gateway displays an error page. | On receiving the IPC cookie from the browser, Access Gateway checks the client IP address in the cookie. If the IP address in the cookie and the client IP address from which the request came do not match, Access Gateway displays an error page. |
| Chunked response behavior | The Linux Access Gateway collects the complete chunked response and sends the response with a Content-Length header to the client. | Access Gateway forwards the chunked response as-is to the client. | Access Gateway forwards the chunked response as-is to the client. |
| Search and replace | If you are doing a search and replace of, for example, abc with xyz, and in the page abc is prefixed with characters like <, >, and &, they are not replaced. | If you are doing a search and replace of, for example, abc with xyz, and in the page abc is prefixed with characters like <, >, and &, they are replaced. | If you are doing a search and replace of, for example, abc with xyz, and in the page abc is prefixed with characters like <, >, and &, they are replaced. |
| PostParking size limit | The size limit is 50 KB. NOTE: With 3.1.5 the PostParking size limit is increased to 64 KB. | The size limit is 64 KB. | The size limit is 64 KB. |
| Adapter List Options: allows changing the speed, duplex, and NAT behavior. | Supported. | Unsupported. | Unsupported. |
| NTLM authentication | Linux Access Gateway users accessing back-end Web servers using the NTLM protocol are able to access the application page once credentials are applied. | Access Gateway users cannot access the application page unless they continuously submit their credentials. The back-end application cannot accept an NTLM token when proxied through the Access Gateway. For more information, see TID 7014114. | Access Gateway users cannot access the application page unless they continuously submit their credentials. The back-end application cannot accept an NTLM token when proxied through the Access Gateway. For more information, see TID 7014114. |
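The two alert formats quoted in the Alerts row differ enough that a log pipeline needs a normalizer before one detection rule can cover both the 3.1 SP4 gateway and the newer Appliance/Service. The following Python is an added example written for this page, not code from NetIQ or the product: it parses both formats into one event shape and selects configuration-change alerts, which is the kind of event a SOC wants to correlate with approved change windows. The first two sample lines are the ones quoted in the table; the third is constructed, and the fixed key order inside the `<amLogEntry>` line is assumed from the quoted sample.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines. The first two reproduce the formats quoted in the
# Alerts row of the table; the third is a made-up informational entry.
SAMPLE_LINES = [
    "(Mon Jan 30 12:31:41 2012): Proxy configuration has changed",
    "<amLogEntry> 2012-01-30T12:17:22Z WARN ALERT: AMDEVICEID#ag-02EC8D7D5B8A8291:"
    "DateTime=1327906042643, Severity=Warn, ServiceType=ag, "
    "Message=Access Gateway configuration has changed </amLogEntry>",
    "<amLogEntry> 2012-01-30T12:40:05Z INFO ALERT: AMDEVICEID#ag-02EC8D7D5B8A8291:"
    "DateTime=1327907405000, Severity=Info, ServiceType=ag, "
    "Message=Health check passed for www.example.internal </amLogEntry>",
]

# 3.1 SP4 (Linux Access Gateway) format: "(<ctime-style timestamp>): <message>"
LAG_RE = re.compile(
    r"^\((?P<ts>[A-Za-z]{3} [A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\):\s*(?P<msg>.*\S)\s*$"
)

# Access Gateway Appliance/Service format: an <amLogEntry> element whose
# key=value fields are assumed to appear in the order shown in the table.
AM_RE = re.compile(
    r"^<amLogEntry>\s*(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<level>\S+)\s+ALERT:\s*"
    r"AMDEVICEID#(?P<dev>[^:\s]+):DateTime=(?P<epoch_ms>\d+),\s*Severity=(?P<sev>\w+),\s*"
    r"ServiceType=(?P<svc>\w+),\s*Message=(?P<msg>.*?)\s*</amLogEntry>\s*$"
)


def parse_alert(line):
    """Return a normalized event dict for a line in either format, or None if unparsable."""
    m = LAG_RE.match(line)
    if m:
        # The old format carries only a local wall-clock time and the message text.
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        return {
            "format": "lag",
            "timestamp": ts.isoformat(),
            "severity": None,
            "device_id": None,
            "service_type": None,
            "message": m.group("msg"),
        }
    m = AM_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {
            "format": "amLogEntry",
            "timestamp": ts.isoformat(),
            "severity": m.group("sev"),
            "device_id": m.group("dev"),
            "service_type": m.group("svc"),
            # The device's epoch-millisecond clock is kept as a raw value; the ISO
            # field at the start of the line is used as the canonical timestamp.
            "device_time_ms": int(m.group("epoch_ms")),
            "message": m.group("msg"),
        }
    return None


def config_change_events(lines):
    """Select parsed events whose message reports a configuration change, in either format."""
    events = []
    for line in lines:
        event = parse_alert(line)
        if event and "configuration has changed" in event["message"].lower():
            events.append(event)
    return events


if __name__ == "__main__":
    for event in config_change_events(SAMPLE_LINES):
        print(event["timestamp"], event["device_id"] or "-", event["message"])
```

Feeding both gateway generations through `parse_alert` gives one schema, so a rule such as "configuration changed outside a change window" only has to be written once; the `device_id` field, which only the newer format carries, lets that rule be scoped per gateway.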
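Because the Access Gateway Appliance and Service always send X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server (see the X-Forwarded-For header row), the Web servers behind them should treat those headers as trustworthy only when the request really arrived from a gateway; a client that reaches the Web server directly can put anything in them. The following Python is an added example, not part of the product or of the page: the gateway address range, the allowed host names and the sample requests are all constructed, and the logic is the general trusted-proxy pattern rather than anything specific to Access Manager.

```python
import ipaddress

# Constructed for this example: the network the gateways sit in, and the public
# host names the application is allowed to serve. Neither value comes from the page.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"www.example.internal", "app.example.internal"}


def is_trusted_proxy(ip, trusted_nets=TRUSTED_PROXY_NETS):
    """True if ip (str or ipaddress object) lies in one of the trusted proxy networks."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in trusted_nets)


def client_ip(peer_ip, headers, trusted_nets=TRUSTED_PROXY_NETS):
    """Return the address to log or authorize for a request.

    peer_ip is the TCP peer that connected to the Web server; headers maps
    lowercased header names to values. X-Forwarded-For is consulted only when
    the peer is a trusted gateway, and it is read right to left, skipping any
    trusted proxy addresses the gateways appended, so the first address that is
    not one of ours is taken as the client.
    """
    if not is_trusted_proxy(peer_ip, trusted_nets):
        return peer_ip  # direct connection: header values are untrusted
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer rather than guess
        if not is_trusted_proxy(addr, trusted_nets):
            return str(addr)
    return peer_ip  # header empty, or every hop was a trusted proxy


def effective_host(peer_ip, headers, allowed=ALLOWED_HOSTS, trusted_nets=TRUSTED_PROXY_NETS):
    """Pick the host name the application should build links and redirects for.

    X-Forwarded-Host is honoured only from a trusted gateway and only when the
    value is on the allow-list; otherwise the Host header is used, itself
    checked against the allow-list. Returns None when no acceptable name exists.
    """
    candidates = []
    if is_trusted_proxy(peer_ip, trusted_nets) and headers.get("x-forwarded-host"):
        candidates.append(headers["x-forwarded-host"])
    if headers.get("host"):
        candidates.append(headers["host"])
    for name in candidates:
        name = name.split(":", 1)[0].strip().lower()  # drop any port suffix
        if name in allowed:
            return name
    return None


# Constructed requests: (peer address, headers) as the Web server would see them.
SAMPLE_REQUESTS = {
    "via_gateway": ("10.0.0.5", {"x-forwarded-for": "198.51.100.23",
                                 "x-forwarded-host": "www.example.internal",
                                 "x-forwarded-server": "gateway.example.internal",
                                 "host": "backend01.example.internal"}),
    "two_gateways": ("10.0.0.5", {"x-forwarded-for": "198.51.100.23, 10.0.0.6",
                                  "host": "www.example.internal"}),
    "direct_spoof": ("203.0.113.7", {"x-forwarded-for": "198.51.100.23",
                                     "x-forwarded-host": "www.example.internal",
                                     "host": "backend01.example.internal"}),
    "bad_header": ("10.0.0.5", {"x-forwarded-for": "not-an-address",
                                "host": "app.example.internal:8443"}),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLE_REQUESTS.items():
        print(f"{name:13s} client={client_ip(peer, hdrs)} host={effective_host(peer, hdrs)}")
```

The `direct_spoof` case is the one that matters: the same headers the gateway would send are ignored because the TCP peer is not a gateway, so the spoofed address never reaches the access log or any IP-based authorization decision.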
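The Chunked response behavior row says the 3.1 SP4 gateway collected a chunked response and sent it on with a Content-Length header, while the newer gateways forward the chunks unchanged. The following Python is an added example written for this page, not the product's code: a strict chunked-body decoder plus a function that rewrites a chunked HTTP/1.1 response into Content-Length form, rejecting malformed chunk framing instead of guessing at it. The sample response is constructed.

```python
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


def parse_chunked(body):
    """Decode a chunked transfer-coded body (RFC 7230 section 4.1).

    Returns (payload, trailers). Raises ValueError on any framing defect:
    non-hex size, missing CRLF, truncated chunk, or bytes after the last chunk.
    """
    payload = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk-size line not terminated")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not size_field or any(c not in HEXDIGITS for c in size_field):
            raise ValueError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        payload += chunk
        pos += size + 2
    trailers = {}
    while True:  # optional trailer fields, terminated by an empty line
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("trailer section not terminated")
        line = body[pos:end]
        pos = end + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed trailer line")
        trailers[name.strip().decode("ascii")] = value.strip().decode("ascii")
    if pos != len(body):
        raise ValueError("unexpected bytes after final chunk")
    return bytes(payload), trailers


def to_content_length(raw):
    """Rewrite a chunked HTTP/1.1 response into Content-Length form.

    The status line and other headers are preserved, Transfer-Encoding is
    removed, Content-Length is set to the decoded size, and trailer fields are
    promoted to headers (a simplification of what a full proxy would do).
    A response that is not chunked is returned unchanged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.split(b"\r\n")
    kept, chunked = [], False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            if value.strip().lower() != b"chunked":
                raise ValueError("unsupported transfer coding %r" % value.strip())
            chunked = True
            continue
        kept.append(line)
    if not chunked:
        return raw
    payload, trailers = parse_chunked(body)
    kept.append(b"Content-Length: " + str(len(payload)).encode("ascii"))
    kept.extend(k.encode("ascii") + b": " + v.encode("ascii") for k, v in trailers.items())
    return b"\r\n".join([lines[0]] + kept) + b"\r\n\r\n" + payload


# Constructed sample: two chunks (the second with a chunk extension) and one trailer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nHello\r\n"
    b"7;ext=1\r\n, World\r\n"
    b"0\r\n"
    b"X-Checksum: abc\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(to_content_length(SAMPLE_RESPONSE).decode("ascii"))
```

Buffering the whole body is what makes the Content-Length rewrite possible, which is also why the older behaviour costs memory on large or streamed responses; the pass-through behaviour of the newer gateways avoids that at the price of handing the client the origin's chunk framing unchanged.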