3.2.4 Managing General Details of Access Gateway

  1. Click Devices > Access Gateways > [Name of Access Gateway].

  2. Click one of the following options:

    Edit: To edit the general details of Access Gateway. See Changing the Name of an Access Gateway and Modifying Other Server Details.

    New NIC: (Only for 3.1 SP4 Access Gateway Appliance) To trigger a scan to detect a new network interface card that you have added to the machine after installing Access Gateway Appliance. This might take some time. For more information, see Adding New Network Interfaces to Access Gateway Appliance.

    New IP: To trigger a scan to detect new IP addresses. This might take some time. If you have used a system utility to add an IP address after you have installed Access Gateway Service, use this option to update Access Gateway Service to display the new IP address as a configuration option. For more information about this option, see Adding a New IP Address to Access Gateway.

    Configuration: To export the configuration of this Access Gateway or to import a saved configuration file. See Exporting and Importing an Access Gateway Configuration.

  3. Click Close.

Changing the Name of an Access Gateway and Modifying Other Server Details

The default name of an Access Gateway is its IP address. You can change this to a more descriptive name and modify other details that can help you identify one Access Gateway from another.

  1. Click Devices > Access Gateways > [Name of Access Gateway] > Edit.

  2. Specify the following values:

    Name: Specify the Administration Console display name for Access Gateway. The default name is the IP address of Access Gateway. The name must use alphanumeric characters and can include spaces, hyphens, and underscores.

    Management IP Address: Specify the IP address used to manage Access Gateway. Select an IP address from the list. For information about changing the Management IP Address, see Changing the IP Address of Access Gateway Appliance.

    Port: Specify the port to use for communication with Administration Console.

    Location: Specify the location of Access Gateway. This is optional, but useful if your network has multiple Access Gateway servers.

    Description: Describe the purpose of this Access Gateway. This is optional, but useful if your network has multiple Access Gateways.

  3. Click OK > OK > Close.

Exporting and Importing an Access Gateway Configuration

You can export an existing Access Gateway configuration and its dependent policies, and then import this configuration to a new server. This feature is especially useful for deployments that set up configurations in a staging environment, test and validate the configuration, then want to deploy the configuration on new hardware that exists in the production environment.

Important Points:

  • The export feature is not a backup tool. It captures only the configuration information that applies to all members of a cluster; server-specific information, such as network IP addresses and DNS names, is filtered out during the import. Server-specific information is the information you set individually for each member of a cluster. If you want a copy of all configuration information, including server-specific information, you need to perform a backup. See Section 30.0, Back Up and Restore.

  • The export feature is not an upgrade tool. You cannot export a configuration from one version of Access Manager and import it into a newer version of Access Manager.

  • If your Access Gateway is not a member of a cluster and you have configured it to use multiple IP addresses, the export feature filters out the additional IP addresses and keeps only eth0. You need to use the backup utility to save this type of information. If you need to reinstall the machine, leave the Access Gateway configuration in Administration Console and reinstall Access Gateway. If the reinstalled Access Gateway uses the same IP address, it imports into Administration Console and inherits the configuration.

When exporting the file, you can select to password-protect the file, which encrypts it. If you are using the exported file to move an Access Gateway from a staging area to a production area and you need to change the names of the proxy services and DNS names from staging names to production names, do not select to encrypt the file. You need a plain text file so you can search and replace these names. If you select not to encrypt the file, remember that the file contains sensitive configuration information and protect it accordingly: restrict who can read it, move it only over a protected channel, and delete it once the import is complete.

The following sections explain this process:

Exporting the Configuration

  1. Click Devices > Access Gateways > [Name of Access Gateway].

  2. Click Configuration > Export.

  3. (Conditional) If you want to encrypt the file, specify the following details:

    Password protect: Select this option to encrypt the file.

    Password: Specify a password to use for encrypting the file. When you import the configuration onto another device, you are prompted for this password.

  4. Click OK, then select to save the configuration to a file.

    The filename is the name of Access Gateway with an .xml extension.

  5. (Conditional) If you want to change the names of the proxy services and their DNS names from a staging name to a production name, complete the following:

    1. Open the configuration file in a text editor.

    2. Search and remove the staging suffix.

      If you have specified DNS names with a staging suffix (for example, innerwebstaging.provo.novell.com), you can search for staging.provo.novell.com and remove staging from the name.

      In particular, you need to change the following:

      • Any fully qualified DNS names from the staging name to the production name (DNSName elements in the file)

      • The cookie domains associated with each proxy service (AuthenticationCookieDomain elements in the file)

      • The URL masks in pin lists that contain fully qualified names (URLMask elements in the file)

      Depending upon your naming standards, you might want to change the names of the following:

      • UserInterfaceID elements (proxy service, pin list, and protected resource user interface ID's)

      • Description elements (proxy service, pin list, and protected resource descriptions)

      • Name (proxy service, pin list, and protected resource names)

      • SubServiceID elements

      • MultiHomeMasterSubserviceIDRef elements

      • LogDirectoryName elements

      • ProfileIDRef elements

      • ProtectedResourceID elements

      • ProfileID elements (TCP Listen options name)

    3. (Conditional) If your web servers in the staging area have different IP addresses and hostnames than the web servers in the production area, you can search and replace them in the configuration file, or wait until after the import and modify them in Administration Console.

  6. Export the policies used by Access Gateway. Click Policies > Policies, then select Name to include all policies or individually select the policies to export.

    You need to export all Access Gateway policies and any Role policies used by Access Gateway policies.

  7. Click Export and modify the proposed filename if needed.

  8. Click OK, then select to save the policy configurations to a file.

  9. (Conditional) If you have created multiple policy containers, select the next policy container in the list, and repeat Step 6 through Step 8.

    The policies for each container must be saved to a separate export file.

  10. (Conditional) If your policies redirect users to staging URLs when they are denied access, search and replace these URLs with the production URLs. Open the policy file with a text editor and search for your staging name.

  11. Copy Access Gateway and policy configuration files to a place accessible by the new Access Gateway.

  12. Continue with Importing the Configuration.
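The edits in Step 5 and Step 10 can be scripted instead of done by hand in a text editor. The following is an added example, not tooling from the product or its documentation. It assumes the export was saved without password protection (an encrypted export is not text and cannot be edited this way) and that the element names the guide lists appear as XML elements whose text holds the name; the sample document inside the script is constructed for illustration and is not the real export schema. The replacement is scoped to the listed elements rather than applied globally, and a separate plain-text scan reports anything still mentioning the staging name, which also works on the exported policy file for the deny-redirect URLs of Step 10.

```python
"""Staging-to-production rewrite of an exported Access Gateway configuration.

Added example, not code from the product or its documentation. Assumes an
unencrypted export in which the elements the guide names (DNSName,
AuthenticationCookieDomain, URLMask, and the optional ones) carry the
name as element text. SAMPLE_EXPORT is constructed; the real schema is
not reproduced here.
"""
import re
import xml.etree.ElementTree as ET

# Elements the guide says must change from the staging to the production name.
REQUIRED_ELEMENTS = {"DNSName", "AuthenticationCookieDomain", "URLMask"}

# Elements the guide says you might change, depending on naming standards.
OPTIONAL_ELEMENTS = {
    "UserInterfaceID", "Description", "Name", "SubServiceID",
    "MultiHomeMasterSubserviceIDRef", "LogDirectoryName",
    "ProfileIDRef", "ProtectedResourceID", "ProfileID",
}

# Guide example: innerwebstaging.provo.novell.com -> innerweb.provo.novell.com.
# The lookahead keeps the rename from touching "staging" in other contexts.
STAGING_PATTERN = r"staging(?=\.provo\.novell\.com)"

# Constructed sample; element names follow the guide, the structure is assumed.
SAMPLE_EXPORT = """<AccessGatewayConfiguration>
  <ReverseProxy>
    <Name>staging-rp</Name>
    <ProxyService>
      <DNSName>innerwebstaging.provo.novell.com</DNSName>
      <AuthenticationCookieDomain>innerwebstaging.provo.novell.com</AuthenticationCookieDomain>
      <PinList>
        <URLMask>innerwebstaging.provo.novell.com/*</URLMask>
      </PinList>
      <Description>Staging copy of innerwebstaging.provo.novell.com</Description>
    </ProxyService>
  </ReverseProxy>
</AccessGatewayConfiguration>
"""


def looks_like_xml(data: bytes) -> bool:
    """A password-protected export is encrypted; refuse to treat it as text."""
    return data.lstrip().startswith(b"<")


def rewrite_staging(xml_text: str, pattern: str, replacement: str,
                    include_optional: bool = False) -> tuple[str, dict]:
    """Apply the rename only to the text of the listed elements.

    Returns the rewritten XML and a per-element count of changes. Scoping
    the replacement to known elements, instead of a global search and
    replace, keeps an incidental match in an unrelated field from being
    altered silently; such matches are reported by remaining_references.
    """
    targets = REQUIRED_ELEMENTS | (OPTIONAL_ELEMENTS if include_optional else set())
    regex = re.compile(pattern)
    root = ET.fromstring(xml_text)
    counts: dict[str, int] = {}
    for element in root.iter():
        if element.tag in targets and element.text and regex.search(element.text):
            element.text = regex.sub(replacement, element.text)
            counts[element.tag] = counts.get(element.tag, 0) + 1
    return ET.tostring(root, encoding="unicode"), counts


def remaining_references(text: str, staging_name: str) -> list[str]:
    """Lines that still mention the staging name, for manual review.

    Plain text search (DNS names are case-insensitive), so it also works on
    the exported policy file, where deny-redirect URLs may still point at
    staging hosts.
    """
    needle = staging_name.lower()
    return [line.strip() for line in text.splitlines() if needle in line.lower()]


if __name__ == "__main__":
    raw = SAMPLE_EXPORT.encode()
    if not looks_like_xml(raw):
        raise SystemExit("export is encrypted; re-export without a password")
    rewritten, changed = rewrite_staging(SAMPLE_EXPORT, STAGING_PATTERN, "")
    print("changed:", changed)
    for line in remaining_references(rewritten, "staging.provo.novell.com"):
        print("review:", line)
```

Run it against the real export by replacing SAMPLE_EXPORT with the file contents and, if your naming standards call for it, pass include_optional=True to rename the descriptive elements as well. Write the result back with ET.ElementTree(root).write() if you want an XML declaration; the example returns a string so the changed elements can be inspected first.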

Importing the Configuration

  1. Verify that Access Gateway meets the conditions for an import:

    • Access Gateway must not be a member of a cluster. If it is a member of a cluster, remove it from the cluster before continuing.

      Click Devices > Access Gateways, select Access Gateway, then click Actions > Remove from Cluster.

      You can create a cluster and add this machine to the cluster as the primary server after you have completed the import.

    • Access Gateway must be an unconfigured machine. If it contains reverse proxies, delete them before continuing.

      Click Devices > Access Gateways > Edit > Reverse Proxies / Authentication. In the Reverse Proxy List, select Name, then click Delete. Update Access Gateway and Identity Server.

  2. Click Policies > Policies.

    The policies that Access Gateway is dependent upon must be imported first.

  3. (Conditional) If you have exported policies from more than one container, create the policy containers. Click the Containers tab; in the Container List, click New, specify the name for the container, then click OK.

  4. (Conditional) If your system already contains policies, delete them if they are not being used.

    If they are in use and you have policies with the same names as the policies you are going to import, you need to manually reconcile the duplicate policies. See step 5 in Cleaning Up and Verifying the Configuration.

  5. In the Policy List, click Import.

  6. Browse to the location of the policy configuration file, select the file, then click OK.

  7. (Conditional) If you exported multiple policy configuration files, repeat Step 5 and Step 6.

  8. Enable all new Role policies. Click Identity Servers > Edit > Roles.

  9. Either select Name to enable all policies or individually select the policies, then click Enable.

  10. Click OK, then click Update.

  11. To import Access Gateway configuration, click Access Gateways > [Name of Access Gateway] > Configuration > Import.

  12. Browse to the location of the configuration file, select the file, enter a password if you specified one on export, then click OK.

  13. Continue with Cleaning Up and Verifying the Configuration.

Cleaning Up and Verifying the Configuration

  1. When the configuration import has finished, verify the configuration for your reverse proxies.

    1. Click Access Gateways > Edit > [Name of Reverse Proxy].

    2. Verify the listening address.

      This is especially important if your Access Gateway has multiple network adapters. By default, the IP address of eth0 is always selected as the listening address.

    3. Verify the certificates assigned to the reverse proxy.

      The Subject Name of the certificate must match the published DNS name of the primary proxy service in the Proxy Service List.

    4. Verify the web server configuration. In the Proxy Service List, click the Web Server Addresses link. Check the following values:

      • Web Server Host Name: If this name has a staging prefix or suffix, remove it.

      • IP addresses in the Web Server List: If the IP addresses in the production area are different from the IP addresses in the staging area, modify the IP addresses to match the production area.

      • Certificates: If you have configured SSL or mutual SSL between the proxy service and the web servers, configure the Web Server Trusted Root and SSL Mutual Certificate options. Certificates are not included in the exported configuration, so they must be configured again after the import.

    5. Click OK twice.

  2. (Conditional) If you have multiple reverse proxies, repeat Step 1 for each proxy service.

  3. On the Configuration page, click Reverse Proxy / Authentication, then select the Identity Server Cluster configuration.

  4. If you have multiple reverse proxies, verify that the Reverse Proxy value in the Embedded Service Provider section is the reverse proxy you want to use for authentication, then click OK twice.

  5. (Conditional) If Administration Console already contained some policies, verify that you do not have policies with duplicate names. Click Policies > Policies.

    Policies with duplicate names have Copy-n appended to the end of the name, with n representing a number. If you have duplicates, reconcile them:

    • If they contain the same rules, you need to reconfigure the resources that use one policy to use the other policy before you can delete the duplicate policy.

    • If they contain different rules, rename the duplicate policies.

  6. (Conditional) Apply any policy configuration changes.

  7. Click Access Gateways > Update.

  8. Click Identity Servers > Update.

    If your Identity Server does not prompt you for an update, complete the following steps to trigger the update:

    1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

    2. Set the Identity Server Cluster field to None, then click OK.

    3. Click Reverse Proxy / Authentication.

    4. Set the Identity Server Cluster field to the correct value, then click OK.

    5. Update Access Gateway.

    6. Update Identity Server.

  9. Configure the keystores for Access Gateway.

    If you have configured Access Gateway for SSL between Identity Server and Access Gateway and between Access Gateway and the browsers, verify that the trust stores and the keystores contain the correct certificates.

    1. Click Security > Certificates.

    2. Find the certificate for Access Gateway.

      The subject name of this certificate must match the DNS name of Access Gateway. If this certificate is not in the list, you need to create it or import it.

      This certificate must be in use by the ESP Mutual SSL and Proxy Key Store of Access Gateway.

    3. If the certificate is not in use by the required keystores, select the certificate, then click Actions > Add Certificate to Keystores.

    4. Click the Select Keystore icon, select ESP Mutual SSL and Proxy Key Store of Access Gateway, then click OK twice.

  10. Configure the trust stores for Access Gateway.

    1. Click Security > Certificates > Trusted Roots.

      The trusted root certificate of the CA that signed the Access Gateway certificate needs to be in the NIDP-truststore.

      The trusted root certificate of the CA that signed the Identity Server certificate needs to be in the ESP Trust Store of Access Gateway.

    2. If you need to add a trusted root to a trust store, select the trusted root, then click Add Trusted Roots to Trust Stores.

    3. Click the Trust Store icon, select the required trust store, then click OK twice.

  11. If you made any keystore or trust store modifications, update Access Gateway and Identity Server.

  12. (Optional) Create a cluster configuration and add this server as the primary server.