Detailed instructions for use are in the User's Guide.
[. . . ] novdocx (en) 19 February 2010
AUTHORIZED DOCUMENTATION
SSL VPN Server Guide
Novell®
3.1 SP1
March 17, 2010
Access Manager
www.novell.com
Novell Access Manager 3.1 SP1 SSL VPN Server Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
[. . . ]
This is the best routing approach because most applications, including ActiveFTP and TFTP, can work in this type of environment. To establish this type of routing, you need to add a static route to your network's routing infrastructure so that traffic to the OpenVPN subnet pool of addresses is sent via the SSL VPN gateway.
12.2 Configuring Source NAT for SSL VPN
You can configure source NAT (SNAT) for SSL VPN Enterprise mode so that the dynamically assigned client addresses are rewritten to the address of the SSL VPN server before packets are sent to the application server. The application server then uses that source address to send its replies back to the SSL VPN server, which restores the client address and forwards the packets to the client. This is the best approach if you are using SSL VPN for TCP and UDP applications. Other applications, such as ActiveFTP and TFTP, cannot work in this type of environment. To establish this type of routing, you need to create an iptables rule entry on the SSL VPN server.
Section 12.2.1, "Configuring SNAT for Enterprise Mode," on page 81
Section 12.2.2, "Ordering SNAT Entries," on page 83
12.2.1 Configuring SNAT for Enterprise Mode
1 In the Administration Console, click Devices > SSL VPNs > Edit.
2 Select Advanced Configuration from the Gateway Configuration section.
Configuring Route and Source NAT for Enterprise Mode
81
The SSL VPN Advanced Configuration page is displayed.
3 If the SSL VPN server is a member of a cluster, the Cluster Member option is displayed. SNAT entries are configured separately for each cluster member, so select the IP address of the cluster member for which you want to configure the SNAT entry.
The New dialog box opens.
5 Specify the information in the following format:
--protocol (-p): This is an optional parameter.
--source (-s): Specifies the IP address of the subnet pool from which SSL VPN assigns an IP address to each client in Enterprise mode.
NOTE: This field is populated with the Enterprise mode IP address by default. You can edit the value if you want to use this field to add iptables SNAT entries for other cases, such as full tunneling in Kiosk mode.
--destination (-d): This is an optional parameter. You can specify either a single host IP address or an IP address and network mask combination in the following format: <destination>/<SubnetMask>. The network mask must be in dotted decimal format only.
Provide additional parameters (will be appended to the command): You can add any other parameters, depending on your requirements.
The new SNAT entry is displayed in the following format:
iptables -t nat -A POSTROUTING -p <Any> -s <openVPNSubnetIP> -d <destinationIP> --dport <destinationPort> -j SNAT --to <privateIPSSLVPN> <additional parameters>
6 To save your modifications, click OK, then click Update on the Configuration page.
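The following POSIX shell script is an added example, not part of the Novell guide: it assembles an SNAT entry in the format the Administration Console appends to the nat POSTROUTING chain and checks two constraints before anything is applied, namely that --dport is only combined with -p tcp or -p udp (iptables rejects it otherwise) and that a destination network mask is dotted decimal. It covers both the Enterprise-mode pool entry and the Kiosk-mode full-tunneling case mentioned in the note; all addresses (10.8.0.0 pool, 192.168.5.20 application server, 192.168.1.10 SSL VPN private IP) are constructed, and the rule is only printed for review, never executed.

```shell
#!/bin/sh
# Added example, not from the Novell guide: build and sanity-check an SNAT entry
# in the format the Administration Console appends to the nat POSTROUTING chain.
# Nothing is applied; the command is printed so it can be reviewed first.
# Addresses are constructed (10.8.0.0/24 pool, 192.168.1.10 SSL VPN private IP).

# The console accepts the destination network mask in dotted decimal form only.
is_dotted_mask() {
  case "$1" in *.*.*.*) ;; *) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# build_snat_rule PROTO SOURCE DEST DPORT TO_SOURCE [EXTRA...]
# An empty PROTO, DEST or DPORT leaves that option out, as the console does for unset fields.
build_snat_rule() {
  proto=$1; src=$2; dst=$3; dport=$4; to=$5; shift 5
  rule="iptables -t nat -A POSTROUTING"
  # --dport is a tcp/udp match option; iptables rejects it for any other protocol.
  if [ -n "$dport" ]; then
    case "$proto" in
      tcp|udp) ;;
      *) printf 'error: --dport needs -p tcp or -p udp (got "%s")\n' "${proto:-any}" >&2; return 1 ;;
    esac
  fi
  if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
  rule="$rule -s $src"
  if [ -n "$dst" ]; then
    case "$dst" in
      */*) is_dotted_mask "${dst#*/}" ||
             { printf 'error: mask in "%s" must be dotted decimal\n' "$dst" >&2; return 1; } ;;
    esac
    rule="$rule -d $dst"
  fi
  if [ -n "$dport" ]; then rule="$rule --dport $dport"; fi
  rule="$rule -j SNAT --to $to"
  if [ $# -gt 0 ]; then rule="$rule $*"; fi
  printf '%s\n' "$rule"
}

# Enterprise-mode pool to SSH on one application server, hidden behind the VPN's private IP.
build_snat_rule tcp 10.8.0.0/255.255.255.0 192.168.5.20 22 192.168.1.10
# Kiosk-mode full tunneling: any protocol, no destination restriction, an extra -o appended.
build_snat_rule '' 10.8.0.0/255.255.255.0 '' '' 192.168.1.10 -o eth0
```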
12.2.2 Ordering SNAT Entries
You can configure SNAT rules for a user's role. To change the order in which the rules are applied, click the up or down arrows to move a rule up or down in the list; rules higher in the list take priority.
13 Configuring DNS Servers and Certificates
Some configurations are common to both the ESP-enabled Novell® SSL VPN and the SSL VPN protected by the Access Gateway:
Section 13.1, "Configuring DNS Servers," on page 85
Section 13.2, "Configuring Certificate Settings," on page 86
13.1 Configuring DNS Servers
The DNS servers configured here are pushed from the SSL VPN server to the client during the connection. You can configure DNS servers for Enterprise mode through the Administration Console. For Kiosk mode, the DNS servers can be configured either during the installation, if you are installing Linux Access Gateway and SSL VPN on the same machine, or by using YaST after the installation.
Section 13.1.1, "Configuring DNS Servers for Enterprise Mode," on page 85
Section 13.1.2, "Configuring DNS Servers for Kiosk Mode," on page 86
13.1.1 Configuring DNS Servers for Enterprise Mode
1 In the Administration Console, click Devices > SSL VPNs > Edit.
2 Select DNS Server List from the Basic Gateway Configuration section.
[. . . ]
Action: At the command prompt, enter ifconfig to check whether the TUN0 interface is down. If it is down, enter the /etc/init.d/novell-sslvpn restart command to restart the SSL VPN services. If you are using a 64-bit machine and have changed the TUN interface, check to make sure the interface is up. If it is down, enter the /etc/init.d/novell-sslvpn restart command to restart the SSL VPN services.
31.10 Unable to Connect to the SSL VPN Gateway
Possible Cause: A forward proxy is enabled in Internet Explorer. [. . . ]