9.10 Upgrading the SSL VPN Servers

Upgrade time: about three minutes.

You can upgrade SSL VPN to version 3.1 SP2 from versions 3.0 SP4, 3.1, and 3.1 SP1. For specific instructions for an upgrade path, see the following sections:

You can upgrade the Traditional SSL VPN server to the 3.1 SP2 version of the Traditional SSL VPN server. You cannot upgrade the Traditional Novell SSL VPN server to the ESP-enabled SSL VPN. However, you can perform a new installation of the ESP-enabled version of SSL VPN and then migrate the traffic policies that you configured for the Traditional SSL VPN to the ESP-enabled SSL VPN.

9.10.1 Prerequisites

Make sure that you have done the following before you proceed with the upgrade:

  • Identify the way in which SSL VPN SP4 was installed. Download the relevant upgrade file from Novell and extract the file. For the actual filename, see the Readme.

  • Upgrade the Administration Console, Identity Server, and Access Gateway Appliance before upgrading SSL VPN servers that are installed on separate machines.

    If the SSL VPN server was installed with the other Access Manager components, the SSL VPN server is automatically upgraded along with the other component.

  • If you have installed high bandwidth SSL VPN, make sure you download and install the high bandwidth SSL VPN RPM. SSL VPN has a high bandwidth RPM that needs to be installed once to get its capabilities. This RPM should be installed before upgrading the SSL VPN server. For information on how to install the high bandwidth SSL VPN RPM, see Section 8.3, Installing the Key for the High-Bandwidth SSLVPN.

  • The Access Manager Administration Console must be up and running before you begin upgrading SSL VPN servers. Do not perform any configuration tasks in the Administration Console during an SSL VPN Server upgrade.

  • If you have customized the SSL VPN user interface, make a backup of the customized sslvpnclient.jsp file, then save it as /var/opt/novell/tomcat5/webapps/sslvpnsslvpnclient.jsp.rpmsave file. If a file with that name already exists, then either delete or move the existing file to another location before saving the current .jsp file. See Customizing the SSL VPN User Interface in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
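One way to script the backup described in the last prerequisite, shown as an added example that is not part of the Novell documentation. The function name backup_custom_jsp and its three arguments (the customized file, the .rpmsave destination, and a directory that receives any existing .rpmsave) are assumptions; all paths are supplied by the operator.

```shell
#!/bin/sh
# Added example (not Novell code): save a customized sslvpnclient.jsp as the
# .rpmsave file, first moving any existing .rpmsave to another location.
# Usage: backup_custom_jsp <customized.jsp> <dest.rpmsave> <archive_dir>
backup_custom_jsp() {
    src=$1
    dest=$2
    archive_dir=$3

    # The customized page must exist as a regular file.
    if [ ! -f "$src" ]; then
        echo "backup_custom_jsp: source not found: $src" >&2
        return 1
    fi

    # Do not write through a symbolic link left at the destination.
    if [ -L "$dest" ]; then
        echo "backup_custom_jsp: destination is a symlink: $dest" >&2
        return 1
    fi

    # A file with that name already exists: move it to another location
    # instead of overwriting it, using a time-stamped name.
    if [ -e "$dest" ]; then
        mkdir -p -- "$archive_dir" || return 1
        aside="$archive_dir/$(basename -- "$dest").$(date +%Y%m%d%H%M%S)"
        if [ -e "$aside" ]; then
            echo "backup_custom_jsp: archive name already in use: $aside" >&2
            return 1
        fi
        mv -- "$dest" "$aside" || return 1
        echo "moved existing file to $aside" >&2
    fi

    # Copy with mode and timestamps preserved, then confirm the copy is
    # byte-identical to the customized file.
    cp -p -- "$src" "$dest" || return 1
    if ! cmp -s -- "$src" "$dest"; then
        echo "backup_custom_jsp: copy differs from source" >&2
        return 1
    fi
    return 0
}
```

Run it as root before starting the upgrade, and keep the archive directory outside the web application directory.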

9.10.2 Upgrade Scenarios

Table 9-1 contains a list of upgrade scenarios available for SSL VPN, along with the procedure to upgrade the server.

Table 9-1 Upgrade Scenarios

Installation Scenario: Traditional SSL VPN, Identity Server, and the Administration Console on the same machine; Linux Access Gateway on a separate machine
Upgrade Procedure: The SSL VPN 3.0 version cannot coexist with other Novell Access Manager components that are running the 3.1 version. When SSL VPN is installed along with another Novell Access Manager component on the same machine, the SSL VPN server is automatically upgraded to 3.1. For more information, see Section 9.7, Upgrading the Identity Server.

Installation Scenario: Traditional SSL VPN, Identity Server, Linux Access Gateway, and Administration Console on separate machines
Upgrade Procedure: To upgrade an SSL VPN server that is installed on a separate machine, see Section 9.10.3, Upgrading SSL VPN Installed on a Separate Machine.

Installation Scenario: Traditional SSL VPN and the Identity Server on the same machine; Administration Console and Linux Access Gateway on separate machines
Upgrade Procedure: When SSL VPN is installed along with the Identity Server on the same machine, the SSL VPN server is automatically upgraded to 3.1. For more information, see Section 9.7, Upgrading the Identity Server.

Installation Scenario: Traditional SSL VPN and the Administration Console on the same machine; Identity Server and Linux Access Gateway on a separate machine
Upgrade Procedure: When SSL VPN is installed along with the Administration Console on the same machine, the SSL VPN server is automatically upgraded to 3.1. For more information, see Section 9.6, Upgrading the Administration Console.

Installation Scenario: Traditional SSL VPN and the Linux Access Gateway on the same machine; Administration Console and Identity Server on separate machines
Upgrade Procedure: When SSL VPN is installed along with the Linux Access Gateway on the same machine, the SSL VPN server is automatically upgraded to 3.1. For more information, see Section 9.8, Upgrading the Linux Access Gateway Appliance.

Installation Scenario: Move from Traditional Novell SSL VPN 3.0 to ESP-enabled SSL VPN 3.1
Upgrade Procedure: If you have installed the Traditional Novell SSL VPN server and want to move to the ESP-enabled SSL VPN, you cannot upgrade the server directly. You need to install the ESP-enabled SSL VPN on a separate machine and then import the traffic policies from the 3.0 Traditional SSL VPN into the 3.1 ESP-enabled SSL VPN. For more information, see Section 9.10.4, Migrating a Traditional SSL VPN Server to the ESP-Enabled Version.

Installation Scenario: Upgrade traditional SSL VPN servers clustered in the 3.0 version by using the config.txt file or by using the server persistent method through Linux Access Gateway.
Upgrade Procedure: If you have configured a cluster of SSL VPN servers in 3.0 by using the config.txt file or through the Linux Access Gateway, do one of the following:

9.10.3 Upgrading SSL VPN Installed on a Separate Machine

  1. Upgrade the Administration Console, Identity Server, and Linux Access Gateways before you proceed with upgrading the SSL VPN server.

  2. Download the upgrade file from Novell and extract the file.

    One of the extracted files contains the Administration Console, the Identity Server, and SSL VPN. For the actual filename, see the Readme.

  3. Unpack the tar.gz file by using the following command:

    tar -xzvf <filename>

    For this installation, you need to unpack the Identity Server .tar.gz file, which contains the SSL VPN files.

  4. Log in as the root user.

  5. Open the unpacked Identity Server file, and enter the following at the terminal window:

    ./install.sh
    
  6. When you are prompted to install a product, type 3 to select SSL VPN, then press the Enter key.

    The system detects whether an SSL VPN Server is installed, and prompts you whether to upgrade.

  7. Type Y, then press the Enter key.

  8. Review and enter Y to accept the License Agreement.

  9. (Conditional) If the SSL VPN machine has been configured with multiple IP addresses, select an IP address for the SSL VPN server when you are prompted to do so.

  10. Press Enter to accept the current Administration Console IP address.

  11. Specify the name of the administrator for the Administration Console.

  12. Specify the administration password.

  13. Confirm the password, then wait as the system installs the components. This will take several minutes.

  14. To verify the results of the upgrade process, view the files in the /tmp/novell_access_manager/inst_lag.log directory.

    These log files are all dated and time-stamped.

  15. After you have upgraded the servers, proceed with Updating Configuration Changes to the Upgraded Server.

NOTE: Occasionally, the first SSL VPN user connection might fail after upgrading, especially if you have encountered any problems during the upgrade process. To work around this problem, we recommend that you initiate multiple SSL VPN connections after upgrading.

9.10.4 Migrating a Traditional SSL VPN Server to the ESP-Enabled Version

NOTE: Before you proceed with this configuration, refer to Section 9.2, Upgrading from Access Manager 3.0 SP4 to Access Manager 3.1 SP2 to understand the prerequisites.

You cannot directly upgrade the traditional Novell SSL VPN from version 3.0 to version 3.1 of the ESP-enabled SSL VPN. However, you can install the ESP-enabled SSL VPN on a separate machine, then import the traffic policies from the traditional 3.0 SSL VPN into the newly installed ESP-enabled 3.1 SSL VPN.

If you have not already upgraded the Administration Console and the Identity Server from 3.0 SP4 to 3.1, upgrade them. For more information, see Section 9.6, Upgrading the Administration Console and Section 9.7, Upgrading the Identity Server.

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

  2. Select Traffic Policies from the Policies section. The SSL VPN Traffic Policies page is displayed.

  3. Select the Traditional SSL VPN 3.0 SP4 from which you want to import the traffic policies, then click Export.

  4. Specify a filename for the XML document.

  5. Specify a location to save the XML file.

  6. Install the ESP-enabled 3.1 SSL VPN.

    For more information, see Section 8.1, Installing the ESP-Enabled SSL VPN.

  7. Log in to the Administration Console into which you want to import the ESP-enabled SSL VPN, then click Devices > SSL VPNs > Edit.

  8. Select Traffic Policies from the Policies section, then click Import in the traffic policies page.

  9. Browse and select the XML file that contains the saved traffic policies.

    When the traffic policies are imported into the SSL VPN server, they might not retain their original order. To order the traffic rules, see Ordering Traffic Policies in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

  10. Select Authentication Configuration and establish a trust relationship with the Identity Server. For more information, see Configuring Authentication for the ESP-Enabled Novell SSL VPN in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.

  11. To save your modifications, click OK, then click Update on the Configuration page.

    The health status of the SSL VPN server must display green.

  12. Delete the traditional SSL VPN from the Administration Console, then uninstall it.

    For instructions, see Section 10.5, Uninstalling the SSL VPN Server.