Novell Doc: Novell Access Manager 3.0 SP4 Administration Guide

18.2 Client Modes

The client can access SSL VPN either in Enterprise mode or in Kiosk mode, depending on whether users have the administrator right in a Windows workstation or a root user permission in Linux or Macintosh workstations, or if they are users without administrator rights or root privileges.

This section has the following information:

18.2.1 Enterprise Mode

Clients can access SSL VPN in the Enterprise mode in the following scenarios:

Scenario 1: Admin or Root User

When you are an administrator or a root user of the machine, the tool identifies you as the admin or root user and the Enterprise mode of SSL VPN is enabled by default. You are connected to the SSL VPN in the Enterprise mode after you specify your credentials in the Access Manager page. An admin or a root user can connect to SSL VPN only in the Enterprise mode unless the system administrator configures the users to connect only in Kiosk mode. For more information on how to configure only Kiosk mode to users, see Section 21.1.2, Configuring SSL VPN to Connect Only in Kiosk Mode.

Scenario 2: Non-admin or Non-Root User Who Has Admin or Root Credentials

A non-admin or a non-root user can access SSL VPN in the Enterprise mode if the user knows the administrator or root user credentials. When a non-admin or a non-root user connects to SSL VPN, the user is prompted to specify the credentials on the Access Manager page. The tool identifies that the credentials supplied are those of the non-admin or a non-root user and displays the following dialog box.

Figure 18-2 SSL VPN dialog box

The user must specify the username and password of the administrator or the root user of the workstation in the dialog box, then click OK to enable the Enterprise mode.

The Enterprise mode is enabled by default in the subsequent sessions and the user is not prompted again for the administrator or root username and password.

If non-admin or non-root users who have connected to SSL VPN in the Enterprise mode want to connect to SSL VPN in Kiosk mode on the same machine, they must follow a certain procedure to do so. For more information, see Switching from Enterprise Mode to Kiosk Mode in the Novell Access Manager 3.0 SP4 VPN User Guide.

Scenario 3: Non-Admin or Non-Root User Who Has Preinstalled the Client Components

If a non-admin or a non-root user wants to install SSL VPN in Enterprise mode, you can preinstall the SSL VPN client components on the user’s machine. For more information, see ../../installation/data/bar1enw.html#bar1enwPre-Installing SSL VPN Client Components in the Novell Access Manager 3.0 SP4 Installation Guide. When non-admin or non-root users access the client components from a workstation that has the SSL VPN client components preinstalled, the users are not prompted to enter the credentials of the admin user or root user.

The users are connected to SSL VPN in the Enterprise mode after they specify their credentials on the Access Manager login page.

18.2.2 Kiosk Mode

When a user logs in to the SSL VPN client as a non-admin or non-root user, the following dialog box is displayed:

Figure 18-3 SSL VPN dialog box

The user can do one of the following to load the Kiosk mode of SSL VPN:

Click Ignore to connect to SSL VPN in Kiosk mode for that particular session. The user is prompted again to provide the administrator or the root username and password during the next login.
Click Ignore Forever to connect to SSL VPN in Kiosk mode in the current session, as well as in the subsequent sessions.

When the user has clicked Ignore Forever and want to connect to SSL VPN in Enterprise mode in the next session, the user has to follow a special procedure. For more information, see Switching from Kiosk Mode to Enterprise Mode in Novell Access Manager 3.0 SP4 VPN User Guide.

NOTE: When a non-admin user uses the Internet Explorer to establish SSL VPN connection for the first time, the ActiveX download fails. This happens because the ActiveX requires admin rights to download Activex. This issue might also occur if you have upgraded from an older version. If want to access SSL VPN by using the Internet Explorer, use the following URL:

https:<DNS-Name>/sslvpn/login?forcejre

For more information, see Section 21.1.1, Configuring SSL VPN to Download the Applet on Internet Explorer.

18.2.3 User Account Control Feature of Windows Vista and SSL VPN Connection

The UAC feature is enabled by default on Windows Vista.*. If you are a Windows Vista user and want to access SSL VPN, one of the following scenarios occur depending on the type of the user category that you belong to:

Super User: This is the first user account that is created when Windows Vista is installed on the system. This is the Administrator account and has the right to install or un-install one or more programs, new hardware, and drivers. If a user is a Super User of the machine, then SSL VPN connection is established in the Enterprise mode. If SSL VPN is configured to connect only in the Kiosk mode, the connection is made in the Kiosk mode.

Administrator Category User: An Administrator Category User has the rights do what the Super User does. But, when UAC is enabled in Vista, the users created under Administrator Category are prompted to confirm any changes made to the system settings or configuration or during installation or uninstallation of any software or hardware.

When an Administrator Category User makes an attempt to establish the SSL VPN connection, the user is prompted to confirm if the installation of a certain service can be made on the machine. The user can click Allow or Continue, depending on the prompt, to continue with the SSL VPN installation. If the user allows installation of all the SSL VPN components, the SSL VPN connection is established in the Enterprise mode. If SSL VPN is configured to connect only in the Kiosk mode, the connection is made in the Kiosk mode.

Standard Users: A user created under the Standard User category has minimal privileges. When UAC is enabled, the user is prompted for the Administrator password for any changes that the user intends to make to the system settings.

When a Standard user attempts to connect to SSL VPN, the user is prompted with the following dialog box:

Figure 18-4 SSL VPN Connection Prompt Dialog Box for Standard User

If the user clicks OK, the user is prompted to provide the Administrator credentials. If the credentials are valid, then the user is connected to SSL VPN in Enterprise mode. The user is connected to SSL VPN in Kiosk mode if the user clicks Ignore or Ignore Forever in this dialog box.