3.1 Setting Up an Accelerator

The example setup in this section uses the following servers: an origin Web server, an LDAP authentication server, and an iChain server.

Origin Web Server Details

DNS name: originserver.ichain.net
IP address: 192.168.10.1
Web server port: 80

LDAP Authentication Server Details

IP address: 172.16.10.2

iChain Server Details

Single network card with an IP address of 172.16.10.1

The DNS name of the accelerator is accelerator.ichain.net

accelerator.ichain.net resolves to 172.16.10.1

3.1.1 Configuring the Accelerator

The iChain Proxy Server functions as the primary access point into your iChain infrastructure. This section provides a brief introduction to the basic steps needed to set up the iChain Proxy Server.

Using the Network Configuration Page

To set up the iChain Proxy Server for an iChain implementation:

  1. Access the URL of the proxy server where you installed the iChain Proxy Services software to launch the proxy server browser-based administration tool.

    For this example, this would be http://172.16.10.1:1959/appliance/config.html.

    NOTE: If the iChain Proxy Server is located behind a firewall and you are accessing the proxy server browser-based administration utility from a browser outside that firewall, you must open ports 1959, 2222, and 51100 on the firewall to administer the proxy server.

  2. Accept the default username (do not enter a password), then click OK.

  3. Click System > Actions > Password, then set a password for the proxy server.

  4. Click Home > Introduction, then verify that the iChain Proxy Server is installed and is running on the server.

    This is shown as a bitmap that indicates whether you are running version 2.3.

  5. Click Network, then the IP Addresses tab.

  6. Configure, accept, or verify the Eth0 adapter setting (172.16.10.1).

  7. Click the Gateway-Firewall tab, then set the iChain Proxy Services default gateway to the gateway necessary to access your public IP address.

  8. Click Network, then the DNS tab.

  9. Specify the DNS domain name (for example, novell.com), the IP address of the DNS server, and the Appliance domain name or alias.

  10. Click Apply for the new settings to take effect.

  11. Click System > Actions, then verify the internal and external connections to your network by pinging the origin server you will be accelerating within your internal network and an external host on the Internet.

    The following figure shows an example of iChain unsuccessfully pinging the origin server. If this is your experience, you must resolve this issue before proceeding.

Configuring Authentication

To set up access to the iChain Authorization Server for the authentication function, you need to create an authentication profile. Follow these steps to create an LDAP profile that authenticates users to your iChain Authorization Server:

  1. In the proxy server administration tool, click Configure, then click Authentication.

  2. Insert a new profile, name the profile, select LDAP Authentication, then click LDAP Options.

  3. Specify 389 as the LDAP server listening port for non-secured LDAP.

  4. Click Insert next to Server Addresses and set the server IP address to the iChain Authorization Server address.

  5. Specify a username and password for LDAP access.

    For the initial setup, try using the Admin user to avoid rights issues. If this is not possible, create an LDAP proxy user with rights set up as follows:

    1. Make the LDAP Proxy User a trustee of the user's container (or ROOT) and give it a specific assignment of Read, Compare, and Write rights to the Object Class property.

    2. The LDAP Proxy User also needs Write rights to the ISO object for license activation.

    3. The LDAP user also must have Read and Write rights to all users (in the user's containers).

      For more information about setting up proxy users, see the Novell Technical Information Document, “LDAP Proxy User Minimum Rights for iChain”.

  6. (Optional) Select Allow authentication through HTTP authorization header.

    You can use basic/proxy or the iChain login page for this authorization.

  7. (Optional) Select Allow authentication through NetIdentity.

  8. Specify the NetIdentity Realm.

    The NetIdentity Realm is the NetIdentity tree name.

  9. Select one of the following LDAP login methods:

    • Build distinguished name.

    • Search on a single attribute.

    • Search using a query.

  10. Click Insert, then specify an LDAP context. For example, ou=test,o=mycompany.

  11. Specify the Naming Attribute.

    This name uniquely identifies each entry in the Directory Information Tree.

  12. Repeat Step 10 for each context users will authenticate from.

  13. Click OK twice, then click Apply.

    To set login and search timeouts for this profile, see Setting Timeouts and Pool Limits for LDAP Profiles.
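
The "Build distinguished name" login method in step 9 combines the naming attribute with each configured context to form the DN used for the bind. The following sketch is an added example of that general technique, not iChain code: the function names and the second context are constructed, and trying one candidate DN per context in configuration order is an assumption. It escapes the user-supplied name per RFC 4514 so that a comma or other special character cannot alter the container part of the DN.

```python
# Added illustration; not iChain code. Function names are hypothetical.

SPECIAL = '"+,;<>\\'  # characters RFC 4514 requires escaping anywhere in a value


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for safe use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            # Leading/trailing space and a leading '#' must also be escaped.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def candidate_dns(username: str, naming_attribute: str, contexts: list[str]) -> list[str]:
    """Return one candidate bind DN per configured context, in configuration order."""
    if not username.strip():
        raise ValueError("empty username")
    rdn = f"{naming_attribute}={escape_rdn_value(username)}"
    return [f"{rdn},{context}" for context in contexts]


# Contexts as entered in steps 10 and 12; the second one is constructed.
CONTEXTS = ["ou=test,o=mycompany", "ou=sales,o=mycompany"]

if __name__ == "__main__":
    for name in ("jsmith", "smith, john"):
        print(name, "->", candidate_dns(name, "cn", CONTEXTS))
```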

Configuring Authorization (Access Control)

To set up access to the authorization server for access control functions:

  1. In the proxy server administration tool, click Configure, then click Access Control.

  2. Specify the fully distinguished name of the ISO object name for the iChain service.

    You must use commas as delimiters. For example, cn=myISO,o=novell.

  3. Specify the following LDAP profile settings:

    • LDAP server addresses for the iChain LDAP access control servers
    • LDAP port on the iChain LDAP access control servers
    • LDAP proxy user
    • Password

    The LDAP proxy user specified here must have the following rights:

    • Write rights to the ISO object for license activation.

    • Read and write rights to all users (in the user's containers).

    • Trustee assignment on the user's container (or ROOT), with a specific assignment of Read, Compare and Write rights to the Object Class property.

  4. Click Apply.

  5. Click Refresh ACLCHECK.

Configuring FTP

Enable FTP on the administration IP address. In this example, it would be 172.16.10.1.

Figure 3-1 Configuring FTP

Configuring the Accelerator

To set up a Web Server accelerator:

  1. In the proxy server administration tool, click Configure, click Web Server Accelerator, then click Insert.

  2. In the Web Server Accelerator dialog box, specify a Name for the accelerator using a maximum of 8 characters.

    The name must be unique for each Web Server accelerator. In this example, it is named TEST.

  3. Specify a DNS name for the accelerator.

    This is the DNS name by which users access the resource. It should resolve to the public IP address of the iChain Proxy Server. In this example, the name is accelerator.ichain.net.

  4. Specify the Alternate host name.

    This is the DNS name of the origin server. In this example, it is originserver.ichain.net.

  5. In the Web server addresses field, click Insert, then specify the IP addresses of the origin Web server that contains the desired content.

    This will usually be on your private network. In this example, it is 192.168.10.1. Clients should not be able to access this server directly or the iChain infrastructure will be bypassed.

  6. In the Accelerator IP addresses field, check the public IP address or addresses that the DNS name specified in Step 3 resolves to.

    In this example, it is 172.16.10.1.

  7. Check Enable authentication.

  8. Click Authentication Options, select an existing profile from the list, then click Add to set the profile as the Service Profile.

  9. Check Enable Secure Exchange.

  10. Click OK twice, then click Apply.
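
After applying the configuration, the conditions stated in steps 2, 3, 5, and 6 can be checked from a client machine. The following script is an added example, not part of the iChain product: the dictionary layout and function names are hypothetical, and the values are the ones used in this section. It flags an accelerator DNS name that does not resolve to an accelerator address and an origin server that clients can reach directly.

```python
import socket

# Values from the example in this section; the dictionary layout is hypothetical.
ACCELERATOR = {
    "name": "TEST",
    "dns_name": "accelerator.ichain.net",
    "accelerator_ips": ["172.16.10.1"],
    "origin_ips": ["192.168.10.1"],
    "origin_port": 80,
}


def resolve(name):
    """Return the IPv4 addresses a DNS name resolves to ([] on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout):
            return True
    except OSError:
        return False


def audit(cfg, resolve=resolve, tcp_open=tcp_open):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not 1 <= len(cfg["name"]) <= 8:
        findings.append("name must be 1 to 8 characters")
    resolved = resolve(cfg["dns_name"])
    if not set(resolved) & set(cfg["accelerator_ips"]):
        findings.append(f"{cfg['dns_name']} resolves to {resolved}, not an accelerator IP")
    for ip in cfg["origin_ips"]:
        if ip in cfg["accelerator_ips"]:
            findings.append(f"origin {ip} is also an accelerator address")
        if tcp_open(ip, cfg["origin_port"]):
            findings.append(f"origin {ip}:{cfg['origin_port']} is reachable directly; iChain can be bypassed")
    return findings


if __name__ == "__main__":
    # Run from a client network, not from the iChain server itself.
    for finding in audit(ACCELERATOR) or ["all checks passed"]:
        print(finding)
```

The `resolve` and `tcp_open` parameters exist so the checks can be exercised with stubs before they are run against the live network.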

Proceed with Section 3.2, Configuring the Authentication Server.