7.2 Installing the Traditional SSL VPN Server

The traditional SSL VPN server does not have an Embedded Service Provider and must be configured as a protected resource of an Access Gateway. You can install the traditional SSL VPN server with Access Gateway Appliance, with the Identity Server, with the Administration Console, or on a separate machine.

7.2.1 Deployment Scenarios

The traditional SSL VPN server supports the following installation scenarios:

Deployment Scenario 1: Access Gateway and SSL VPN on the Same Server

This deployment scenario consists of a demilitarized zone where Access Gateway and SSL VPN are on the same server and the Identity Server is deployed separately. For installation instructions for this scenario, see Installing SSL VPN with Access Gateway Appliance. In this scenario, SSL VPN will be accessible on port 8443. When it is accessed on port 8080 it will be redirected to port 8443.

Figure 7-5 Deployment Scenario 1

Deployment Scenario 2: SSL VPN Server Installed on a Separate Machine

This deployment scenario consists of a demilitarized zone where the Access Gateway, Identity Server, and SSL VPN are deployed separately. For installation instructions for this scenario, see Installing the Traditional NetIQ SSL VPN. In this scenario, SSL VPN will be accessible on secure port 8443. Requests to the non-secure port 8080 are redirected to port 8443.

Figure 7-6 Deployment Scenario 2

Deployment Scenario 3: Identity Server and SSL VPN on the Same Server

This deployment scenario consists of a demilitarized zone where the Identity Server and SSL VPN are on one machine and the Access Gateway is deployed separately. For installation instructions for this scenario, see Installing SSL VPN on a Separate Machine, with the Identity Server, or with the Administration Console. In this scenario, SSL VPN will be accessible on secure port 3443. Requests to the non-secure port 3080 are redirected to port 3443.

Deployment Scenario 4: Administration Console and SSL VPN on the Same Server

This deployment scenario consists of a demilitarized zone where the Administration Console and SSL VPN are on one machine and the Access Gateway and Identity Server are deployed separately on different machines. For installation instructions for this scenario, see Installing SSL VPN on a Separate Machine, with the Identity Server, or with the Administration Console. In this scenario, SSL VPN will be accessible on secure port 8443. Requests to the non-secure port 8080 are redirected to port 8443.

Figure 7-7 Deployment Scenario 4

Deployment Scenario 5: Administration Console, Identity Server, and SSL VPN on the Same Server

This deployment scenario consists of a demilitarized zone where the Identity Server, Administration Console, and SSL VPN are on one machine and the Access Gateway is deployed separately. For installation instructions for this scenario, see Installing SSL VPN on a Separate Machine, with the Identity Server, or with the Administration Console.

In this scenario, SSL VPN will be accessible on secure port 3443. Requests to the non-secure port 3080 are redirected to port 3443.

Figure 7-8 Deployment Scenario 5

7.2.2 Installing the Traditional NetIQ SSL VPN

This section describes the installation procedures for different SSL VPN deployments:

Installing SSL VPN with Access Gateway Appliance

When SSL VPN is installed along with Access Gateway Appliance, the Access Gateway installation process installs SSL VPN along with the Access Gateway.

For more information on installing Access Gateway, refer to Section 5.3, Installing the Access Gateway Appliance in the NetIQ Access Manager 3.2 SP3 Installation Guide.

  1. Start the installation of Access Gateway. For details, refer to Section 5.3, Installing the Access Gateway Appliance in the NetIQ Access Manager 3.2 SP3 Installation Guide.

  2. In the Access Administrator Configuration section in the NetIQ Access Gateway Configuration page, select the Install and Enable SSL VPN Server check box to install and configure SSL VPN on Access Gateway.

  3. Follow the on-screen instructions to continue with the Access Gateway installation.

  4. If the export law permits and you want to install the high bandwidth version of SSL VPN, proceed with Section 7.3, Installing the Key for the High-Bandwidth SSL VPN.

Installing SSL VPN on a Separate Machine, with the Identity Server, or with the Administration Console

You can use an install script to install the traditional NetIQ SSL VPN on a separate machine, with the Identity Server, with the Administration Console, or with the Identity Server and the Administration Console.

  1. Access the install script.

    1. Make sure you have downloaded the software or that you have the CD available.

      For software download instructions, see the NetIQ Access Manager 3.2 Readme.

    2. Do one of the following:

      • If you are installing from CD or DVD, insert the disc into the drive, then navigate to the device. The location might be /media/cdrom, /media/cdrecorder, or /media/dvdrecorder, depending on your hardware.

      • If you downloaded the tar.gz file, unpack the file by using the following command:

        tar -xzvf <filename>

    3. Change to the novell-access-manager-3.2-xxx directory.

  2. At a command prompt, enter the following install script command:

    ./install.sh

    You are prompted to select an installation.

  3. Type 3 to install the traditional SSL VPN server, then press Enter.

  4. Review and accept the License Agreement.

  5. (Optional) If the SSL VPN is not installed on the same machine as the Administration Console, specify the IP address of the Administration Console.

  6. (Optional) This warning is displayed if an entry of 127.0.0.2 is found in the /etc/hosts file.

    Warning: An entry of 127.0.0.2 in the /etc/hosts file affects the Access Manager functionality. Do you want to proceed with removing it (y/n) [y]?

    Enter Y to proceed.

  7. Specify the following details:

    Access Manager Administration User ID: The name of the administrator for the Administration Console.

    Access Manager Administration Password: Specify the administration password.

    Confirm the password.

    IP address Used for the SSL VPN Listening IP Address: Select an address, type a new address, or press Enter to accept the default.

    The following warning is displayed:

    WARNING!! In 3.2 and later, SSL VPN will be accessible on ports 3080 (HTTP) and 3443 (HTTPs) when it is installed on the same machine as that of Identity Server. 
    
  8. (Conditional) If the SSL VPN machine has been configured with multiple IP addresses, select an IP address for the SSL VPN server when you are prompted to do so.

  9. Wait while the SSL VPN server is installed on your system and imported into the Administration Console, which takes about 2 minutes.

    The installation ends with the following message: Installation complete.

  10. To verify the installation of the SSL VPN, continue with Section 7.4, Verifying That Your SSL VPN Service Is Installed.

  11. If the export law permits and you want to install the high bandwidth version of SSL VPN, proceed with Section 7.3, Installing the Key for the High-Bandwidth SSL VPN.
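
The following script is an added example, not part of the NetIQ documentation or installer. It checks for the 127.0.0.2 entry that the installer warns about in step 6, and checks that the non-secure port answers with a redirect to the secure port for the deployment in use. The function names, the 192.0.2.10 address, and the sample host names are constructed for illustration, and the redirect check assumes the redirect is an HTTP 3xx response with a Location header.

```shell
#!/usr/bin/env bash
# Added example; function names and sample data are constructed for illustration.

# Succeed if the hosts file ($1) has an active (uncommented) 127.0.0.2 entry,
# the condition the installer warns about in step 6.
hosts_has_127_0_0_2() {
    awk '{ sub(/#.*/, "") } $1 == "127.0.0.2" { found = 1 } END { exit !found }' "$1"
}

# Print "<http_port> <https_port>" for the SSL VPN listener.
# $1 = "yes" when the Identity Server is installed on the same machine.
expected_ports() {
    if [ "$1" = "yes" ]; then echo "3080 3443"; else echo "8080 8443"; fi
}

# Read HTTP response headers on stdin; succeed only for a 3xx response whose
# Location is an https:// URL on the expected secure port ($1).
# Assumption: the redirect is an HTTP 3xx with a Location header.
redirects_to_secure_port() {
    awk -v port="$1" '
        { sub(/\r$/, "") }
        NR == 1 { if ($2 ~ /^30[12378]$/) redirect = 1; next }
        tolower($1) == "location:" && $2 ~ ("^https://[^/:]+:" port "(/|$)") { ok = 1 }
        END { exit !(redirect && ok) }'
}

# Demo on constructed input (not captured from a real server).
demo() {
    local hosts; hosts=$(mktemp)
    printf '127.0.0.1 localhost\n127.0.0.2 vpn1.example.test vpn1\n' > "$hosts"
    hosts_has_127_0_0_2 "$hosts" && echo "hosts: 127.0.0.2 entry present, remove it"
    rm -f "$hosts"
    set -- $(expected_ports yes)
    printf 'HTTP/1.1 302 Found\r\nLocation: https://192.0.2.10:%s/\r\n\r\n' "$2" |
        redirects_to_secure_port "$2" && echo "port $1 redirects to $2"
}
demo

# Live use on the SSL VPN host (address and path are placeholders):
#   curl -sI "http://<listening-ip>:3080/<path>" | redirects_to_secure_port 3443
```

A failed redirect check means the non-secure port either served content directly or redirected somewhere other than the expected HTTPS port; review the listener configuration before exposing the server.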