Changing Ports in Novell Access Manager 3.0.1


Problem



Some organizations do not allow ports other than 80 and 443 to be open to the outside world; for example, some hotel guest networks only allow 80 and 443 outbound. What if your Sales VP is on site with a customer and needs to retrieve a presentation they forgot? Do you think the customer would be nice enough to open some ports for them, just for a little while?



Solution



Setup



  • Current configuration is shown below; the NetWare Access Gateway should be similar

  • All servers are Linux (SUSE 9 and 10)


This is the scenario I used at my organization:







Figure 1 - Access Gateway configuration



Refer to Chendil Kumar's article on SSLVPN scenarios based on port 443:

Myth about TCP Port 443 and Novell Access Manager 3.0 SSLVPN

http://www.novell.com/coolsolutions/tip/18988.html



Procedure



Here are the steps I followed:



1. Log in to the Administration Console (modified iManager).







Figure 2 - iManager Admin Console



2. Expand Access Manager and select Identity Servers.







Figure 3 - Selecting Identity Servers



3. On the right, click Edit.







Figure 4 - Editing Identity Servers



4. Change the port within the Base URL from the default of 8443 to 443 and click Apply.



No, it's not that easy: there are a few more steps and a couple of gotchas to watch out for. Pay close attention to this popup (gotcha #1); we'll take care of it later.







Figure 5 - Warning pop-up



5. Click OK.







Figure 6 - Identity Servers warning



6. Click Update All to complete the Identity Server changes.



7. Select Access Gateways on the left.







Figure 7 - Access Gateways



8. Click Update to update the Access Gateways.



Now that the configuration has been updated, we need to re-import the metadata from the IDP (Identity) server to the Access Gateways. Why? Changing the IDP configuration "breaks" the trust relationship between the services, and we need to fix that. If you stop here and test connecting, you could very well get a 100101044 error.



9. Click Edit on the Access Gateway.







Figure 8 - Editing Access Gateway Servers



10. Click Reverse Proxies/Authentication.







Figure 9 - Server Configuration



11. Click the dropdown list next to Identity Server Configuration and select None.







Figure 10 - Reverse Proxy Authentication



12. Click OK and then Update on the Access Gateway AND on the Identity Server.



One habit I have developed with NAM: whenever I change ANYTHING and apply it, I check ALL of the services to ensure none of them are still waiting for an "Update".



13. Once the Updates are complete, click Edit on the Access Gateway.



14. Click Reverse Proxies/Authentication.



15. Change the Identity Server Configuration back to your [IDP Config].



16. Click OK and then Update on the Access Gateway AND on the Identity Server.



17. To check whether the re-import update completed successfully, select the Identity Servers and click Edit.



18. Click the Liberty tab on the top and then select Trusted Providers.







Figure 11 - Trusted Providers



You should see your Access Gateway listed under Service Providers.
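Steps 9 to 18 are needed because the IDP's base URL (host and port) is written into the metadata the Access Gateway holds for it; after the port change, that stored copy still points at :8443 until it is re-imported. The script below is an added example, not code from this article or from Novell Access Manager. It parses a federation metadata document, collects every endpoint URL (whether held as an attribute, SAML 2.0 style, or as element text, Liberty ID-FF style) and reports any URL still on the old port, or on a port the restricted networks from the Problem section would block (anything but 80 and 443). The SAML 2.0 metadata layout, the hostnames idp.example.com and ag.example.com, and the paths are constructed for illustration and are not NAM's real ones.

```python
"""Audit federation metadata for endpoints left on the old port.

Added example, not code from the article or from Novell Access Manager.
The constructed sample uses SAML 2.0-style metadata; URLs held as element
text (Liberty ID-FF style) are scanned as well.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Only these ports are reachable from the restricted networks described in
# the article's Problem section.
ALLOWED_PORTS = {80, 443}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the IDP descriptor still carries the old 8443 port in
# two places (what the Access Gateway holds before re-import), and the
# Access Gateway's own consumer endpoint sits on a port a hotel network
# would block. Hostnames and paths are illustrative, not NAM's real ones.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.com:8443/idp/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.com:8443/idp/sso"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.com/idp/slo"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://ag.example.com/ag/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://ag.example.com:8444/ag/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def effective_port(url):
    """Port a client actually connects to: the explicit one, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme.lower()]


def extract_urls(xml_text):
    """Collect every http(s) URL found in an attribute value or in element text."""
    urls = []
    # For metadata from an untrusted source, parse with defusedxml instead.
    for elem in ET.fromstring(xml_text).iter():
        candidates = list(elem.attrib.values()) + [(elem.text or "").strip()]
        urls.extend(v for v in candidates if v.lower().startswith(("http://", "https://")))
    return urls


def audit_metadata(xml_text, base_url, allowed_ports=ALLOWED_PORTS):
    """Return (url, reason) pairs for endpoints that are stale or unreachable.

    base_url is the IDP Base URL as it now reads in the Administration Console
    (for example https://idp.example.com:443). An endpoint on the base URL's
    host but a different port is stale metadata; any other endpoint outside
    allowed_ports would be blocked by the restricted networks the article
    describes.
    """
    base_host = urlsplit(base_url).hostname.lower()
    base_port = effective_port(base_url)
    problems = []
    for url in extract_urls(xml_text):
        host, port = urlsplit(url).hostname.lower(), effective_port(url)
        if host == base_host and port != base_port:
            problems.append((url, f"stale: still on port {port}, base URL now uses {base_port}"))
        elif port not in allowed_ports:
            problems.append((url, f"blocked: port {port} not in {sorted(allowed_ports)}"))
    return problems


if __name__ == "__main__":
    for url, reason in audit_metadata(SAMPLE_METADATA, "https://idp.example.com:443"):
        print(f"{reason}: {url}")
```

To use it against a real deployment, replace SAMPLE_METADATA with the metadata document the Access Gateway holds for the IDP and pass the Base URL exactly as it now reads in step 4; an empty result means nothing still references the old port, which is the same condition step 18 checks visually under Trusted Providers.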



Testing



Now for the test. An outside/public connection gives the best test for this application.



1. Open a browser and enter the URL for your SSLVPN:

http://[public_dns_name].mydomain.com/sslvpn/login



2. If your organization doesn't allow ActiveX, change the URL to:

http://[public_dns_name].mydomain.com/sslvpn/login?forcejre



You should see the following login screen:







Figure 12 - NAM Login screen



3. Log in (depending on your Identity Store).







Figure 13 - Logging in with SSLVPN



You can edit the home page to suit your organization's needs. The file is located on the server where you installed SSLVPN, at:

/var/opt/novell/tomcat4/webapps/sslvpn/home.html



Conclusion



Novell Access Manager 3.0.1 is a bit tricky for those who are unfamiliar with protected resources and iChain. It has some really improved features over iChain, and migrating is simpler than when you originally learned iChain.



If you are new to this product, I strongly suggest the Digital Airlines example. It walks through the basic setup you could try in a lab, and it really explains the what and why of the product's setup.



You can find it here:

http://www.novell.com/documentation/novellaccessmanager/digiairexample/index.html?page=/documentation/novellaccessmanager/digiairexample/data/bookinfo.html

Last update: 2020-01-31 22:09
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.