NetIQ Access Gateway for Cloud 1.0 is an appliance that provides a simple, secure way to manage access to Software-as-a-Service (SaaS) applications for corporate users. It provides out-of-the box security and compliance capabilities for SaaS services including full user provisioning, dynamic credentialing, privileged user management, Single Sign-On (SSO) and compliance reporting.
Many features were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Gateway for Cloud forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.
This release requires the following:
One VMware server
vSphere Hypervisor 5.0
vSphere 5.0
ESXi 4.1
ESX 4.1
Minimum hardware requirements per node
60 GB disk space
2 cores
8 GB RAM
One browser for administration
Firefox 10 and 11
Chrome
For detailed information on system requirements, see Requirements in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Complete the following steps to install Access Gateway for Cloud:
Deploy the Access Gateway for Cloud virtual appliance.
For more information, see Deploy Virtual Appliances.
From a supported browser, access the initialization Web interface at the URL displayed on the appliance screen after it is deployed.
For example: https://ip_address/appliance/Init.html
Fill in the fields displayed to initialize the appliance.
Click .
A successfully initialized appliance automatically redirects the browser to the Access Gateway for Cloud administration login page (https://dns_of_ag4c_appliance/appliance/Admin.html).
For more details about the installation, see Installing Access Gateway for Cloud in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
For more troubleshooting information, see Troubleshooting Access Gateway for Cloud in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Issue: If time is not synchronized on the ESX and ESXi servers, intermittent issues can occur, such as roles not being granted to the administrative account for the appliance.
Solution: Configure NTP on the ESX or ESXi server.
Issue: The initialization page takes a long time to display if there is no DHCP server in your environment. The initialization page eventually displays and assigns a 192.xxx.xxx IP address to the appliance.
Workaround:
Edit the VMX file for the appliance before the first boot. For more information, see Configuring the Appliance without a DHCP Server in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Issue: If you want to change the preferred DNS server, you must select
in Step 1 on the initialization page, which assigns a static IP address to the appliance.
Workaround: After the initialization process completes, in the Admin page, change the IP address from static to DHCP.
Issue: Access Gateway for Cloud assigns a number to each node as it is added to the cluster. The initialization process looks at the existing node numbers, and if a node is down, the appliance thinks that number is available and creates the new node with the existing number.
Having two nodes with the same number causes problems with the internal database and the initialization process never completes.
Workaround:
Verify that all of the nodes in your cluster are healthy and communicating. For more information, see Troubleshooting Different States in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Issue: After switching the master node, health displays the Active Directory connector as red.
Workaround: Reboot the new master node.
Issue: After switching the master node, health displays that one or more of the other nodes are red while the master node is green.
Workaround: Reboot the new master node. If the issue persists, reboot the red nodes.
Issue: If you delete a Connector for Google Apps for Business, the email proxy is left running on the appliance. When you add a new Connector for Google Apps for Business, the users can use the mobile access feature, even though the Admin page interface displays that the mobile access feature is disabled.
Workaround: Enable the Mobile Access feature and apply the change. Next, disable the mobile access feature and apply the change. Applying the disable again turns off the email proxy for the appliance.
Leaving the VMware image running allows users to authenticate to a node that does not exist in the Admin page. When you delete a node from the cluster, the appliance deletes the node from the interface, but the VMware image still exists and is running.
Use the following procedure to delete a node from a cluster.
Remove the node from the L4 switch.
Delete the node from the cluster in the Admin page.
Stop the VMware image on the ESX server.
Delete the VMware image on the ESX server.
Issue: After adding a new node to the cluster, the node is red in the Admin page. The status of the node is Command Failure.
Workaround: Reboot the new node.
Issue: After adding a new node to the cluster, the progress goes to 100%, but the Init page displays a message stating you must reboot the new node and try again to complete the initialization process. Rebooting the new node does not fix the problem.
Workaround: You must completely remove the new node and try again.
Log in to the Admin page.
Delete the new node that is red.
Remove the VMware image for the failed node from your VMware server.
Deploy the image to the VMware server again.
For more information on how to deploy the image, see Deploying the Appliance in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
From the Init page, add the new node to the cluster.
For more information on how to add a new node, see Adding a Node to the Cluster in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Issue: User email address changes in Active Directory are not provisioned to Salesforce.
Workaround: No workaround at this time.
Issue: The appliance fails to provision all users in two Active Directory groups with overlapping users to one Salesforce group.
Workaround: No workaround at this time.
Issue: Removing a user from a mapped group while an approval request is outstanding causes the deleted user to be provisioned to the SaaS application when the administrator grants the approval.
Workaround: Verify that the user is a member of the group before granting approval or deny the request after removing the user from the group.
Issue: If you delete a user, then recreate a user with the same sAMAccount name, the new user can log in to Access Gateway for Cloud.
Workaround: Every user must have a unique sAMAccount name. Do not recreate a new user with a deleted user sAMAccount name.
Issue: If you have multiple domains, and two users with the same sAMAccount name, the users can authenticate to the other user’s account.
Workaround: Access Gateway for Cloud requires that all users, even in different domains, have a unique sAMAccount name.
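The following added example (not NetIQ code) shows one way to check the two sAMAccount name workarounds above before users are mapped. It assumes a constructed CSV export with hypothetical columns domain, sAMAccountName and deleted, covering every domain and including deleted accounts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical columns): one row per account from
# every domain the appliance uses, including deleted accounts.
SAMPLE_EXPORT = """domain,sAMAccountName,deleted
corp.example.com,jsmith,false
emea.example.com,JSmith,false
corp.example.com,adavis,true
corp.example.com,adavis,false
emea.example.com,mlee,false
corp.example.com,rpatel,true
"""


def audit_sam_names(export_text):
    """Return (cross_domain, reused) findings keyed by lower-cased name.

    cross_domain: name -> sorted domains holding a live account with that name.
    reused: name -> sorted domains where a live account shares its name with
            a deleted account in any domain.
    """
    live = defaultdict(set)
    deleted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Active Directory compares sAMAccountName case-insensitively,
        # so "jsmith" and "JSmith" are the same name for this check.
        name = row["sAMAccountName"].strip().lower()
        bucket = deleted if row["deleted"].strip().lower() == "true" else live
        bucket[name].add(row["domain"].strip().lower())

    cross_domain = {n: sorted(d) for n, d in live.items() if len(d) > 1}
    reused = {n: sorted(live[n]) for n in deleted if n in live}
    return cross_domain, reused


if __name__ == "__main__":
    cross_domain, reused = audit_sam_names(SAMPLE_EXPORT)
    for name, domains in sorted(cross_domain.items()):
        print(f"DUPLICATE  {name}: live in {', '.join(domains)}")
    for name, domains in sorted(reused.items()):
        print(f"REUSED     {name}: recreated in {', '.join(domains)}")
```

Any name reported as DUPLICATE or REUSED should be renamed before the account is granted access through the appliance.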
Issue: The https://dns_of_ag4c_appliance/appliance/PolicyMapping.html page does not display the connectors for the SaaS applications.
Solution: There are two possible solutions:
Verify that the connectors are configured properly and enabled. For more information, see Configuring the Connector for Google Apps for Business and Configuring the Connector for Salesforce in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
Click the
icon in the upper-right corner of the PolicyMapping.html page.
Issue: After working in the Admin page, you access the PolicyMapping page in the Web page or open a second tab to access the PolicyMapping page. The PolicyMapping page never displays.
Workaround: Clear your browser’s cache and cookies, then close the browser.
Issue: Modifying a mapping without checking the approval box causes a Problem Applying Changes error to appear.
Workaround: Ignore the error. Access Gateway for Cloud saves the changes but displays the message.
Issue: If the master node is down, the PolicyMapping page returns a 500 Internal Server Error.
Workaround: Solve the problem that caused the master node to be down. The PolicyMapping page is dependent on the master node.
Issue: If the master node is down, the Approval page is blank.
Workaround: Solve the problem that caused the master node to be down. The Approval page is dependent on the master node.
Issue: Adding 5,000 users to two mapped roles that require approvals generates 10,000 approvals simultaneously. The Approval page displays the new approvals being added for a short while, but then you do not see new approvals added and you can no longer access the Approval page.
Rebooting the node does not fix the issue.
Workaround: Add users in smaller batches. NetIQ recommends adding no more than 2,000 users simultaneously.
Issue: Enabling the
option while running reports causes the report status to disappear.
Workaround: Refresh the browser to display the status of the report.
Issue: After deleting connectors, reports contain information about the deleted connectors.
Workaround: No workaround at this time.
Issue: The numeric value appears after deleting and recreating mappings for connectors.
Workaround: No workaround at this time.
Issue: If the master node is down, the Reporting page is blank.
Workaround: Solve the problem that caused the master node to be down. The Reporting page is dependent on the master node.
Issue: When you use Chrome to access PolicyMapping.html, some of the icons are not rendered properly. PolicyMapping.html does not display the name of the connector in the drop-down list.
Workaround: Use Firefox when accessing PolicyMapping.html.
Issue: Login to the SaaS applications fails when Kerberos is enabled but the user is not authenticated to Active Directory.
Workaround: This issue is a bug with IE and the Microsoft incident number is 687000. The user must be authenticated to Active Directory to log in.
Issue: After implementing Access Gateway for Cloud, you might have some issues with existing Google Apps for Business accounts. Any users that either do not exist in the identity store, or are not merged with the existing Google account, can no longer log in to the Google domain.
For example:
User jsmith has an account in Google Apps for Business.
Implement Access Gateway for Cloud with single sign-on.
User jsmith attempts to log in to the Google domain and fails.
Google Apps for Business does not allow direct login and single sign-on to the domain.
Solution: Give users authorization to access the Google Apps for Business resource through Access Gateway for Cloud.
If the matching account exists in Active Directory, skip to Step 2. Otherwise, create a matching account in the identity store (Active Directory).
Grant the user authorization to the Google Apps for Business resource by adding the user to the proper group in Active Directory.
or
Map the Active Directory group to the Google Apps for Business group through the PolicyMapping page.
For more information, see Loading Google Apps for Business Authorizations in the NetIQ Access Gateway for Cloud 1.0 Installation and Configuration Guide.
The two accounts merge when the user receives authorization for Google Apps for Business through the PolicyMapping page. Access Gateway for Cloud automatically generates a new password and resets the Google Apps for Business password.
When users access the resource after the merge occurs, they automatically log in to Google Apps for Business through single sign-on.
Access Gateway for Cloud depends on timestamps to function properly. Time must be synchronized between the VMware host, each Access Gateway for Cloud node in the cluster, and the workstations administering Access Gateway for Cloud.
Issue: If time is not synchronized, provisioning fails, configurations fail, and authentication for users fails.
Solution: Use the following items to solve time synchronization issues:
All nodes in the cluster must reside in the same time zone.
Configure NTP on the ESX or ESXi server.
If you convert the OVF file to a VMX file, deselect the default option of
> > > guest time with host.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
© 2012 NetIQ Corporation and its affiliates. All Rights Reserved.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.
Access Manager, ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Cloud Manager, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PlateSpin, PlateSpin Recon, Privileged User Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its affiliates in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.