How to accelerate NetWare 6.5 Virtual Office server with iChain 2.3
(Last modified: 02Nov2005)
This document (10092310) is provided subject to the disclaimer at the end of this document.
Virtual office running
The following document outlines what is required to get Virtual Office (VO) under NetWare 6.5 accelerated through an iChain 2.3 server. It covers the key URLs Virtual Office uses, some VO configuration tips, iChain configuration tips including rewriter changes, some basic troubleshooting tips, and a list of outstanding known issues with workarounds where they exist.
· User access to Virtual Office is similar to http(s)://<server_name>/vo.
· VO administration is performed using iManager (https://<server_name>/nps/iManager) under the "Virtual Office Administration" task.
The gadgets, links, buttons, etc. on the VO home page provide access to back-end applications like NetStorage, iPrint, eGuide, eMail, Web Search, and ZENworks. In some cases, only the browser itself will connect to the back-end application server. In other cases, the VO server itself also makes a connection to the server running the application.
VO Configuration using iManager:
Virtual Office configuration is performed with iManager under the "Virtual Office" task using links "Services Administration" and "Environment Administration". Individual configuration pages for the back-end applications NetStorage, iPrint, eGuide, eMail, Web Search, and ZENworks can be found under the "Services Administration" link. Each application can be independently Enabled (or not) using a check-box on its configuration page. Enabling the application (or not) simply determines whether or not the link and/or button for user access to that application from the VO home page is present. These applications also need to be configured in the usual manner.
The configuration page for each application also requires one or more URL references to be specified. When configured properly, users will be able to access the enabled applications from the VO home page using links or toolbar icons that redirect the browser to the URL configured for that application.
Even when accessing VO and its applications through iChain, the application URLs configured in iManager generally should use the actual scheme://<DNSName>:port of the host server running that particular application. This will allow connection between the VO server and the application server when necessary, and also allow proper connection for internal VO users. iChain's rewriter is then responsible for updating these URL references when accessing VO and its applications through an accelerator.
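The following added example (not part of the original TID and not iChain code) is a simplified model of the scheme/host/port match described above. It flags VO application URLs that no accelerator would match, so that an internal reference would reach external browsers unrewritten. All host names, the accelerator table and the function names are constructed for illustration.

```python
# Added example: simplified model of the rewriter's scheme/host/port match.
# Host names and the accelerator table below are constructed sample values.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]

def audit(app_urls, accelerators):
    """Map each VO application to the public origin a rewriter would
    substitute, or None when no accelerator's web-server origin matches."""
    table = {origin(a["web_server"]): a["public"] for a in accelerators}
    return {name: table.get(origin(url)) for name, url in app_urls.items()}

# Constructed sample: origin web servers and their public accelerator names.
ACCELERATORS = [
    {"web_server": "https://webacc.internal.example:443",
     "public": "https://mail.example.com"},
    {"web_server": "http://netstorage.internal.example",
     "public": "https://files.example.com"},
]
# Constructed sample: URLs as they might be entered in iManager.
APP_URLS = {
    "eMail": "https://WebAcc.internal.example/servlet/webacc",  # case/port differ only
    "NetStorage": "http://netstorage.internal.example",
    "iPrint": "http://ipp.internal.example:631/ipp",  # no accelerator defined
}

if __name__ == "__main__":
    for name, public in audit(APP_URLS, ACCELERATORS).items():
        print(f"{name:12} -> {public or 'NO MATCH: internal URL sent unrewritten'}")
```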
· eGuide and NetStorage configuration
The eGuide and NetStorage configuration pages provide radio button selections and a "Proxy URL" setting. The Help text implies that this is for use with iChain configurations but is somewhat unclear. A better description might be as follows:
The radio button selection determines the URL used by the gadget for its connection to the eGuide or NetStorage server. This setting interacts with the "Proxy URL:" setting as follows:
If "Proxy URL" is left blank, the URL value in the selected radio button is also sent to the browser for its connection to the eGuide or NetStorage server.
If "Proxy URL" is configured, this URL value will be sent to the browser for connection to the eGuide or NetStorage server. The gadget connection between the Virtual Office server and the eGuide or NetStorage server is still determined by the radio button selected above. This type of configuration may be required if using a NAT or proxy device between the browser and Virtual Office that does not do URL rewriting. It may also be useful in some configurations when using path-based multi-home accelerators to provide access to the eGuide or NetStorage server(s).
Note that the URL configured in iManager for the eGuide setting "Enter a custom URL to Launch eGuide:" may include the path (ex: https://<DNSnameOfeGuideServer>/eGuide/servlet/eGuide) while the same setting on the NetStorage page should not include a path (ex: http://<DNSnameOfNetStorageServer>). If a path is included, the user will see a 404 error when clicking the NetStorage toolbar icon on the VO home page.
· eMail configuration:
The URL behind the eMail toolbar button on the VO home page is determined by the configuration under the Email Server: drop-down list and associated Edit button. For use with GroupWise WebAccess, select "Novell GroupWise" from the drop-down list, then press the Edit button. On the Edit page, enter the URL of the WebAccess server (ex: http://MyWebAccess/servlet/webacc).
If an accelerator is also used to provide access to this GroupWise WebAccess server for external browsers, the scheme, hostname, and port specified in the URL should normally still match the scheme, hostname, and port of the WebAccess server used to access it directly (not through iChain). When VO users press the eMail toolbar button on the VO home page, iChain's rewriter will then update the URL reference being sent from VO to the browser to match the public side scheme, hostname, and port of the WebAccess accelerator.
When "Home Page Reduced eMail View" is enabled, the URLs for IMAP/POP3 and SMTP can be configured with the Edit button. These settings are intended as defaults for the eMail gadget on the VO home page; users can also manually edit these settings inside the gadget itself. These URLs are used ONLY by the gadget, which connects to the mail server(s) on behalf of the user. The browser is not redirected, so no additional accelerator considerations are necessary.
· Web Search configuration:
The Web Search configuration page requires a URL which the VO server can resolve for its connection to the Web Search server, and a sub-path of /NSearch/SearchServlet is used. I believe this URL is also used to build the search results links displayed in the browser but with a sub-path of /novellsearch. For the browser to use these links, it must be able to resolve this URL's host name or iChain's rewriter would have to see a match in protocol/HostName/port of an accelerator and rewrite as appropriate for that accelerator.
If path-based multi-homing (pbmh) accelerators are used to access the Web Search server, matching sub-path match strings would need to be configured in the accelerator(s) (one for /NSearch, one for /novellsearch). iChain 2.3 allows a single accelerator to use multiple sub-path match strings using entries in rewriter.cfg. For example, if the accelerator "nsearch" is pbmh and "Sub-path match string" is set to /NSearch with option "Remove sub-path from URL" disabled, an entry in rewriter.cfg as shown below would also provide a match for /novellsearch:
[Alias Host Names]
· iPrint configuration:
The iPrint configuration page needs a URL which browsers can use to access the /ipp home page on the iPrint server. If an accelerator is also used to provide access to the iPrint server for external browsers, the scheme, hostname, and port specified in the URL should normally still match the scheme, hostname, and port of the iPrint server used to access it directly (not through iChain). When VO users press the iPrint toolbar button on the VO home page, iChain's rewriter will then update the URL reference being sent from VO to the browser to match the public side scheme, hostname, and port of the WebAccess accelerator.
Note that the ipp home page provides links to install the iPrint client as well as to install and control printers. Additional accelerators are needed to install and use printers and should be configured according to guidelines provided in iChain/iPrint interoperability TID's.
· Bookmarks configuration:
The bookmarks gadget can be enabled/disabled in iManager. Bookmarks can be configured in iManager or by the user in the Bookmark gadget itself. Bookmark URL's configured in the gadget when accessing VO through iChain are subject to typical rewriting and may be confusing to the user.
· ZENworks configuration:
The "ZENworks" configuration page controls the behavior of the "Applications" toolbar button in the VO home page. The setting "URL to the ZENworks web page:" is used only for connection between browser and the ZFD Midtier server (no connection occurs between the VO and Midtier servers).
Upon initial connection to the Midtier server from an IE browser, the Zen For Desktops plugins are installed. After a reboot, the next access to the Midtier server will present an HTML page with links for navigating and launching the user's associated NAL applications, if configured.
When supporting internal and external workstations through iChain simultaneously, setting "URL to the ZENworks web page:" should be a URL with a host name that internal workstations resolve to the ZFD Midtier server (ex: http://<MyZFDMidtier>/myapps.html). For iChain users, the rewriter will update this URL with the scheme://hostname:port of the appropriately configured accelerator to provide access to the Midtier server. Currently, the Custom rewriter must be used to properly update the URL reference for the Midtier server address that is sent to the workstation. Details can be found in other iChain/ZFD interoperability documentation.
· Chat configuration:
The Chat gadget is displayed on the team home page which is accessed by a team member or owner by clicking the desired team under "My Virtual Team" in the left pane of the VO home page. The default port for Chat is 2122 and can be configured in iManager->Virtual Office->Environment Administration->Team configuration. A team owner can use the Edit button on the gadget itself to configure for HTTP(S) instead of sockets for use through iChain. After using Edit to select option "Use HTTP instead of sockets", I have used Chat successfully between a user connected through an accelerator for VO (SecureExchange enabled both sides) and an internal user connecting directly to VO, and also between users connected through iChain. If configuration setting "Secure All Messages" is set to "true", Chat is not working through an iChain accelerator.
Additional Accelerator configuration notes:
When accessing VO with the typical URL like http://<Server_Name>/vo, the user is redirected to https://<Server_Name>/nps. If path-based multi homing accelerators are used for access to VO, each path needs to be considered.
The accelerator for the VO home page should have Secure Exchange enabled on both sides of proxy. For troubleshooting purposes, VO can be configured to run HTTP only but is not supported in this mode.
If iChain is providing access for VO "back-end" applications like NetStorage, iPrint, eGuide, eMail, Web Search, and ZENworks, additional accelerators will be required and should be configured according to guidelines provided in iChain interoperability TIDs provided for those products.
Single sign on notes for iChain:
· Accelerator option "Forward authentication information to web server" can provide SSO to the VO server since it accepts LDAP formatted credentials in the Authorization header. In addition, OLAC could be used to inject other attributes as needed.
· Since Virtual Office is based on NPS, a NetIdentity-aware application, an LDAP authentication profile with setting "Allow authentication through NetIdentity" enabled and "NetIdentity Realm" name set to match the Realm name of the Virtual Office server can be used to provide SSO to workstations with NetIdentity installed. Note that the Xtier server running VO must be configured to use an SSL certificate with a Subject name that matches the DNS name of the accelerator used to access VO. Use iManager or /oneNet/nsadmin to configure Xtier with the wildcard certificate.
· Sample FF script below. VO's default Logout link directs the user back to the same VO login form, so FormFill just logs the user right back in. The logout URL can be customized but currently only works if the Authorization headers sent to VO are populated using Forward authentication. See the Miscellaneous section of this document for details on modifying the logout URL.
<input name="username" value="~">
<input name="password" value="~">
Miscellaneous known issues:
Missing .gif files on Web Search results pages and in Highlighter tool.
Chat not working through iChain if gadget option "Secure All Messages" is enabled.
The MiddleTierAddress value in myapps.html sets an incorrect workstation registry value if the protocol (http/https) is included. Not being able to include the protocol causes problems for iChain's rewriter. When using the "Applications" button on the VO home page to access a ZFD4 Midtier server through an accelerator and direct from internal workstations, custom rewriter may be required.
A sample custom rewriter setup is shown below:
· On the iChain server, create file /etc/proxy/custom.cfg with the following contents:
-where the value in [URL] is the DNS Name of the accelerator for the Midtier web server
-where [Replace] holds the original IP Address or DNS Name and port for MiddleTierAddress as configured in myapps.html and the accelerator DNS Name and public side listening port that rewrite.nlm will replace it with.
· On the iChain server, load custom rewriter:
"load rewrite.nlm -s -f /etc/proxy/custom.cfg"
VO idle timeout:
The VO idle timeout should be set to match the idle timeout of the accelerator. To modify the Virtual Office idle timeout, edit tomcat/4/webapps/nps/web-inf/web.xml. Search for the <session-timeout> tag. Default is 10 minutes.
For simultaneous logout with iChain and VO, edit file tomcat\4\webapps\nps\portal\gadgets\com.novell.nps.authentication.Authenticator\skins\virtualOffice\devices\default\main.xsl using WordPad. Search for BM-Logout, then follow the help text to add/remove comment characters and update the hostname in the URL of that section.
Note that simultaneous logout only works if the accelerator/authentication profile being used for VO access is providing user credentials in the Authorization header. This can be done using OLAC and/or accelerator option "Forward authentication information to web server".
Basic Troubleshooting Tips:
Setting up VO to use HTTP (for troubleshooting only):
Edit sys:/tomcat/4/webapps/nps/web-inf/web.xml. Comment out the <security-constraint> section at the bottom of the file.
Edit sys:/apache2/conf/httpd.conf. Under section "Virtual Office Config", change the URL value in both occurrences of "RewriteRule" from https to http.
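The check below is an added example (not part of the original TID) covering both the "VO idle timeout" section and the HTTP troubleshooting steps above. It reads the text of web.xml, compares <session-timeout> with the accelerator's idle timeout, and reports when the <security-constraint> section is still commented out after troubleshooting. The sample XML, the accelerator timeout value and the function names are constructed assumptions.

```python
# Added example: audit the NPS web.xml for the two settings this TID changes.
# Sample documents below are constructed, not copied from a real server.
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace prefix such as '{uri}name', if present."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text, accelerator_idle_minutes):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)  # the parser discards XML comments
    findings = []
    timeouts = [e for e in root.iter() if local(e.tag) == "session-timeout"]
    if not timeouts:
        findings.append("no <session-timeout> element found")
    else:
        minutes = int(timeouts[0].text.strip())
        if minutes != accelerator_idle_minutes:
            findings.append(
                f"session-timeout is {minutes} min, accelerator idle "
                f"timeout is {accelerator_idle_minutes} min")
    # A commented-out section is invisible to the parser, so it counts as absent.
    if not any(local(e.tag) == "security-constraint" for e in root.iter()):
        findings.append("<security-constraint> missing or commented out "
                        "(HTTP troubleshooting mode still active)")
    return findings

GOOD = """<web-app>
  <session-config><session-timeout>10</session-timeout></session-config>
  <security-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

BAD = """<web-app>
  <session-config><session-timeout>30</session-timeout></session-config>
  <!-- <security-constraint> ... </security-constraint> -->
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_web_xml(doc, accelerator_idle_minutes=10) or "ok")
```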
Can't download files from VO user's public web page:
If Secure Exchange is DISABLED, files can be downloaded from a user's public web pages by right-clicking on the link and selecting option "Save target as..." (note: to access a user's public web page, use the eGuide gadget to search for the desired user, then click the "Web Page" icon in the search results list). If Secure Exchange is enabled (between Browser and Proxy only, or on both sides of Proxy), files cannot be downloaded. An error message is given in IE stating "Internet Explorer cannot download <filename> from <hostname>. The file could not be written to the cache". This is a general issue with IE and is covered in TID10075939. As a workaround, enable accelerator option "Allow pages to be cached at the browser".
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
- Document ID:
- Solution ID: NOVL96389
- Creation Date: 06Apr2004
- Modified Date: 02Nov2005