NetIQ Access Manager includes the Access Gateway Appliance and the Access Gateway Service. The Access Gateway Appliance is a dedicated machine that installs its own embedded Linux operating system, whereas the Access Gateway Service runs on top of an existing installation of a Linux or Windows operating system. Both types of gateways support similar functionality, but they differ slightly in the way some of these features are supported. For example, both can be configured for the following features:
- Protecting Web resources with contracts, Authorization, Form Fill, and Identity Injection policies.
- Providing fault tolerance by clustering multiple gateways of the same type.
- Providing fault tolerance by grouping multiple Web servers, so that if one Web server goes down, the content can be retrieved from another server in the group.
- Rewriting URLs so that the names and IP addresses of the Web servers are hidden from the users making requests.
- Generating alert, audit, and logging events with notify options.
Most differences among the 3.1 Access Gateway, Access Gateway Appliance, and Access Gateway Service result from the differences required for an appliance and for a service. An appliance can know, control, and configure many features of the operating system. A service that runs on top of an operating system can query the operating system for some information, but it cannot configure or control the operating system. For the service, operating system utilities must be used to configure system parameters and hardware. For the appliance, the operating system features that are important to the appliance, such as time, DNS servers, gateways, and network interface cards, can be configured in the Administration Console.
This table describes the differences among the 3.1 Access Gateway, Access Gateway Appliance, and Access Gateway Service. Only your network and Web server configurations can determine whether the differences are significant.
Table B-1 Differences among the 3.1 Access Gateway, Access Gateway Appliance, and Access Gateway Service:
Feature | 3.1 Access Gateway Appliance | Access Gateway Appliance | Access Gateway Service |
---|---|---|---|
System architecture | 32-bit | 64-bit only | 64-bit only |
Platform support | SLES only | SLES only | SLES 11 SP2 and SP3, Red Hat Enterprise Linux, Windows |
Network configuration | Can be done from the Administration Console. | Can be done from the Administration Console. By default after the installation, only one network interface card is displayed in the Administration Console. To detect other network interface cards, do the following: | Configurable with standard operating system utilities. |
Date and time | Can be done from the Administration Console. | Can be done from the Administration Console. | Configurable with standard operating system utilities. |
Rewriter: Number of URLs that can be rewritten | There is a set limit. | No limit | No limit |
Rewriter: Profiles | Can do word pattern matches in Word profiles and Character profiles. | Can only do word pattern matches in Character profiles. | Can only do word pattern matches in Character profiles. |
Rewriter: Word profiles | Case-sensitive | Case-insensitive | Case-insensitive |
Rewriter: Special tokens for Word profiles | Not supported | Supports the [w], [ow], [ep], [ew], and [oa] options. | Supports the [w], [ow], [ep], [ew], and [oa] options. |
Rewriter: webcal | Not supported | Supported | Supported |
Cache directory | Separate protected partition. | Uses Apache caching. The cached files are stored in clear text. The operating system must be configured to protect this directory. For more information about the Apache model, see “Caching Guide”. | Uses the filesystem provided by the Apache mod_cache module. For more information about the Apache model, see “Caching Guide”. |
Cache freshness configuration options | Supported | Limited support. You can achieve the following with Advanced Options: Continue Fill Time and HTTP Retries are not available. | Similar to Access Gateway Appliance |
Custom cache control headers | Supported | Not supported | Not supported |
Caching behavior | For more information, see | For more information, see | For more information, see |
X-Forwarded-For header | Can enable/disable from the Administration Console | Cannot disable. By default, it is sent by Apache along with X-Forwarded-Host and X-Forwarded-Server headers. | Cannot disable. By default, it is sent by Apache along with X-Forwarded-Host and X-Forwarded-Server headers. |
Via header | Includes the device ID and version number. | Includes the device ID. | Includes the device ID. |
Stop and restart commands | Shuts down the operating system or restarts the operating system and the Access Gateway Appliance. | Stops and starts the Access Gateway Service without affecting other services or applications. The operating system can be rebooted or shut down independently with standard operating system commands. | Stops and starts the Access Gateway Service without affecting other services or applications. The operating system can be rebooted or shut down independently with standard operating system commands. |
Access logs for proxy service: When protected resource logging fails | Stop the proxy service if logging fails. | Cannot stop the proxy service if logging fails. For more information about access logging, see | Cannot stop the proxy service if logging fails. For more information about access logging, see |
Web server connections | If the gateway has multiple network cards, you can specify which network card to use for the Web server connection. | Use standard routing table on the right device to route the traffic for that Web server on the device. | Use standard routing table on the device to route the traffic for that Web server on the right device. |
Web server certificate verification | Configurable per proxy service. | Globally configurable. If certificate verification is turned on for one proxy service, it is turned on for all proxy services. | Globally configurable. If certificate verification is turned on for one proxy service, it is turned on for all proxy services. |
Load balancing cookie | Access Gateway Appliance format. | Access Gateway Appliance format. | Access Gateway Appliance format. |
5-6 byte UTF characters (supported by IIS Web servers) | Supported | Not supported | Not supported |
Custom configuration | Touch files | Advanced options. Click Access Gateways > Edit > Advanced Options or Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options. | Similar to Access Gateway Appliance |
Device logging | `ics_dyn.log`. Uses Syslog. | `ags_error.log` and Apache `error.log`. All logs are now in a central location, `/var/opt/novell/logs`. | Similar to Access Gateway Appliance |
Device logging configuration | Log level set with options in the nash shell. | Configurable from the Administration Console. Click Access Gateways > Edit > Logging. | Similar to Access Gateway Appliance |
Sending alerts to an SNMP server | Not supported | Supported | Supported |
Manipulates cookies so that when a browser retains application cookies from the Web servers after a user logs out, these cookies become invalid. | Not supported | Supported | Supported |
NetStorage | Browser connections can be used. | Browser and WebDAV connections can be used. | Browser and WebDAV connections can be used. |
Inconsistency in 302 redirect message between HTTP and HTTPS | A request to HTTP port 80 receives the following HTML document: `<HTML> <HEAD> <TITLE>Novell Proxy</TITLE> </HEAD> <BODY> <p>HTTP request is being redirected to HTTPS.<p> <a href="https://www.lagssl.com:443/"> redirect </a> </p> </BODY> </HTML>` | Similar to Access Gateway Service | A request to HTTP port 80 receives the following HTML document: `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> <HEAD> <title>302 Found</title> </head> <body> <h1>Found</h1> <p>The document has moved <a href="https://www.magssl.com/"> here </a> </p> </body> </html>` |
Customizing Error Pages | `ErrorPageTemplate.html.<lang>` is modified for customizing error pages. `ErrorMessages.xml.<lang>` is available under `/var/novell/cfgdb/ErrorPagesConfig`. | Similar to Access Gateway Service | `/opt/novell/apache2/share/apache2/doc/errors/<http_status_code>.var`. Edit `top.html`, `bottom.html`. `ErrorMessages.xml.<lang>` is available under `/opt/novell/nam/mag/webapps/mag/WEB-INF/config/current`. |
Advanced Options configuration | The error page from the origin server is forwarded to the browser. | Access Gateway overrides the origin server error page with Access Gateway’s error page. This is turned off by default to behave like the Linux Access Gateway. If you do not want to send the origin server's error page, but a customized error page in the Access Gateway, you can enable this as `ProxyErrorOverride on`. | Access Gateway overrides the origin server error page with Access Gateway’s error page. For the error page to behave like the Linux Access Gateway, configure `ProxyErrorOverride off` in Advanced Options. |
Alerts | The warning message log file format has changed. The log file has fewer columns displayed when compared to Access Gateway Appliance/Service. For example, `(Mon Jan 30 12:31:41 2012): Proxy configuration has changed` | The log file has more information than the file in the Linux Access Gateway Appliance. For example, `<amLogEntry> 2012-01-30T12:17:22Z WARN ALERT: AMDEVICEID#ag-02EC8D7D5B8A8291: DateTime=1327906042643, Severity=Warn, ServiceType=ag, Message=Access Gateway configuration has changed </amLogEntry>` | Similar to Access Gateway Appliance |
Cache Control options | Enable Custom Cache Control Header. When objects reach the Custom Cache Control Expiration Time: Cache Control Headers | Enable Custom Cache Control Header. When objects reach the Custom Cache Control Expiration Time: The Cache Control Headers can be injected by using Apache mod_headers module directives. | Similar to Access Gateway Appliance |
Unreachable Web server | Checks the health of Web servers that are marked as unreachable every 30 seconds. | The proxy checks the Web server for each new session request at an interval of 1 minute, by default. You can configure the advanced option for a different interval. For example, `AdditionalBalancerMemberOptions retry=180`, where 180 is in seconds. | Similar to Access Gateway Appliance |
Client IP mismatch error | On receiving an IPC cookie from the browser, Linux Access Gateway asks the user to authenticate if it is a protected resource that needs authentication, or just treats the request for public resources as if the cookie was not received. | On receiving an IPC cookie from the browser, Access Gateway checks for the client IP address in the cookie. If the IP address in the cookie and the client IP address from which the request came do not match, Access Gateway displays an error page. | Similar to Access Gateway Appliance |
Chunk response behavior | Linux Access Gateway collects the complete chunked response and sends the response with the Content-Length header to the client. | Access Gateway forwards the chunked response as it is to the client. | Similar to Access Gateway Appliance |
Search and replace | If you search and replace, for example, abc with xyz, and abc is prefixed in the page with characters such as `<`, `>`, and `&`, they are not replaced. | If you search and replace, for example, abc with xyz, and abc is prefixed in the page with characters such as `<`, `>`, and `&`, they are replaced. | If you search and replace, for example, abc with xyz, and abc is prefixed in the page with characters such as `<`, `>`, and `&`, they are replaced. |
PostParking Size Limit | The size limit is 50 KB. NOTE: With 3.1.5, the PostParking Size limit is increased to 64 KB. | The size limit is 64 KB. | The size limit is 64 KB. |
Adapter List Options: allows changing the speed, duplex, and NAT behavior. | Supported | Not supported | Not supported |
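
The Alerts row shows two different alert log formats, so a collector that ingests alerts from both gateway generations has to normalize them. The following Python parser is an added example, not NetIQ code: its patterns are inferred only from the two sample lines in the table, and the function names and output field names are illustrative assumptions.

```python
import re
from datetime import datetime, timezone

# Sample lines copied from the Alerts row of the table above.
SAMPLE_31 = "(Mon Jan 30 12:31:41 2012): Proxy configuration has changed"
SAMPLE_AG = ("<amLogEntry> 2012-01-30T12:17:22Z WARN ALERT: "
             "AMDEVICEID#ag-02EC8D7D5B8A8291: DateTime=1327906042643, "
             "Severity=Warn, ServiceType=ag, "
             "Message=Access Gateway configuration has changed </amLogEntry>")

# Assumption: both patterns are inferred from those two samples only.
RE_31 = re.compile(r"^\((\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\): (.*)$")
RE_AG = re.compile(r"^<amLogEntry>\s*(\S+) (\w+) ALERT: "
                   r"AMDEVICEID#([^:]+): (.*?)\s*</amLogEntry>$")

def parse_alert(line):
    """Normalize either alert format to a dict; None if unrecognized."""
    line = line.strip()
    m = RE_31.match(line)
    if m:
        # This format carries no zone, device ID or severity.
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        return {"format": "3.1", "time": ts, "device": None,
                "severity": None, "message": m.group(2)}
    m = RE_AG.match(line)
    if not m:
        return None
    stamp, level, device, body = m.groups()
    # Message= is the last field and may itself contain commas.
    head, _, message = body.partition("Message=")
    fields = dict(kv.strip().split("=", 1)
                  for kv in head.split(",") if "=" in kv)
    ms = fields.get("DateTime", "")
    if not ms.isdigit():
        return None
    # DateTime decodes as epoch milliseconds (it matches the sample's date),
    # which is unambiguous, so it is used as the event time.
    ts = datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
    return {"format": "appliance/service", "time": ts, "text_stamp": stamp,
            "device": device, "severity": fields.get("Severity", level),
            "service": fields.get("ServiceType"), "message": message}

def text_stamp_skew_seconds(rec):
    """Seconds by which the text stamp (read as UTC) leads the epoch field."""
    text = datetime.strptime(rec["text_stamp"], "%Y-%m-%dT%H:%M:%SZ")
    text = text.replace(tzinfo=timezone.utc)
    return int((text - rec["time"].replace(microsecond=0)).total_seconds())
```

In the table's sample line the text stamp is 19800 seconds (5 h 30 min) ahead of the `DateTime` value, so the parser takes the epoch field as the event time and keeps the text stamp only for reference.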