7.1 Installing the ESP-Enabled SSL VPN

When SSL VPN is deployed without the Access Gateway, an Embedded Service Provider (ESP) component is installed along with the SSL VPN server. This deployment is called an ESP-enabled NetIQ SSL VPN. This deployment requires the Administration Console and the Identity Server to be installed before the SSL VPN server is installed.

7.1.1 Deployment Scenarios

For installing the ESP-enabled version of SSL VPN, you have the following deployment scenarios:

Deployment Scenario 1: Installing SSL VPN on a Separate Machine

This deployment scenario consists of a demilitarized zone where the Identity Server and SSL VPN are deployed separately, without the Access Gateway. For installation instructions for this scenario, see Installing the ESP-Enabled SSL VPN. In this scenario, SSL VPN is accessible on port 8443. Requests to port 8080 are redirected to port 8443.

Figure 7-1 Deployment Scenario 1

Deployment Scenario 2: Installing SSL VPN and the Identity Server on the Same Machine

This deployment scenario consists of a demilitarized zone where the Identity Server and SSL VPN are on a single machine. The Access Gateway is deployed separately. For installation instructions for this scenario, see Installing the ESP-Enabled SSL VPN. In this scenario, SSL VPN is accessible on secure port 3443. Requests to the non-secure port 3080 are redirected to port 3443.

Figure 7-2 Deployment Scenario 2

Deployment Scenario 3: Installing SSL VPN and the Administration Console on the Same Machine

This deployment scenario consists of a demilitarized zone where the SSL VPN and the Administration Console are on the same machine, and the Access Gateway and the Identity Server are deployed separately. For installation instructions for this scenario, see Installing the ESP-Enabled SSL VPN. In this scenario, SSL VPN is accessible on secure port 8443. Requests to the non-secure port 8080 are redirected to port 8443.

Figure 7-3 Deployment Scenario 3

Deployment Scenario 4: Installing SSL VPN, the Administration Console, and the Identity Server on the Same Machine

This deployment scenario consists of a demilitarized zone where the Identity Server, SSL VPN, and Administration Console are on the same machine, and the Access Gateway is deployed separately. For installation instructions for this scenario, see Installing the ESP-Enabled SSL VPN. In this scenario, SSL VPN is accessible on secure port 3443. Requests to the non-secure port 3080 are redirected to port 3443.

Figure 7-4 Deployment Scenario 4

7.1.2 Installing the ESP-Enabled SSL VPN

The following installation steps are applicable to all the deployment scenarios of the ESP-enabled SSL VPN. The individual scenarios are explained in Deployment Scenarios.

  1. Access the install script.

    1. Make sure you have downloaded the software or that you have the CD available.

      For software download instructions, see the “NetIQ Access Manager Readme”.

    2. Do one of the following:

      • If you are installing from CD or DVD, insert the disc into the drive, then navigate to the device. The location might be /media/cdrom, /media/cdrecorder, or /media/dvdrecorder, depending on your hardware.

      • If you downloaded the tar.gz file, unpack the file by using the following command:

        tar -xzvf <filename>

    3. Change to the novell-access-manager-3.2-xxx directory.

  2. At a command prompt, enter the following install script command:

    ./install.sh

    You are prompted to select an installation.

  3. Type 4 to install the ESP-Enabled SSL VPN, then press Enter.

  4. Review and accept the License Agreement.

    The following warning is displayed:

    An entry of 127.0.0.2 in the /etc/hosts file affects the Access Manager functionality. Do you want to proceed with removing it (y/n)
    
  5. Enter Y to proceed.

  6. (Conditional) If the SSL VPN machine has been configured with multiple IP addresses, select an IP address for the SSL VPN server when you are prompted to do so.

  7. Specify the following details:

    Enter the Primary Admin Console IP address: Specify the IP address of the primary Administration console.

    Enter the Access Manager Administration user ID: Specify the name of the administrator for the Administration Console.

    Enter the Access Manager Administration password: Specify the administration password and confirm it by re-entering it.

    Select the IP address used for the NetIQ Access Manager Server Communications Local Listener: Choose your server IP address from the list of addresses. Select an address, type a new address, or press Enter to accept the default.

    Select the IP address used for the SSL VPN listening IP address: Choose your server IP address from the list of addresses found. Select an address, type a new address, or press Enter to accept the default.

  8. (Conditional) If you are installing the SSL VPN server on the same machine as the Administration Console, you are not prompted for the IP address of the Administration Console. If the Administration Console is on a different machine, provide the IP address when you are prompted for it.

  9. Wait while the SSL VPN server is installed on your system and imported into the Administration Console. This takes a few minutes.

    The installation ends with the following message: Installation complete.

  10. To verify the installation of the SSL VPN, continue with Section 7.4, Verifying That Your SSL VPN Service Is Installed.

  11. Add an entry to the /etc/hosts file that maps the SSL VPN server IP address to the domain name that clients use to connect.

  12. If export law permits and you want to install the high-bandwidth version of SSL VPN, proceed with Section 7.3, Installing the Key for the High-Bandwidth SSL VPN.
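
The /etc/hosts changes in Steps 4 and 11 can be checked and applied with a few shell helpers. This is an added example, not part of the NetIQ installer or its documentation; the function names, the address 192.0.2.10 and the name vpn.example.com are assumptions used for illustration.

```shell
# Added example: helpers for the /etc/hosts handling in Steps 4 and 11.
# Function names, sample address and host name are assumptions.

# Print active (non-comment) lines whose address is 127.0.0.2; status 0 if any.
find_loopback2() {
    awk '{ sub(/#.*/, "") } $1 == "127.0.0.2" { print; found = 1 }
         END { exit !found }' "$1"
}

# Succeed if NAME is already mapped to IP on an active line.
has_mapping() {
    awk -v ip="$2" -v name="$3" '{ sub(/#.*/, "") }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) ok = 1 }
        END { exit !ok }' "$1"
}

# Succeed if NAME is mapped to an address other than IP (conflicting entry).
has_conflict() {
    awk -v ip="$2" -v name="$3" '{ sub(/#.*/, "") }
        $1 != ip { for (i = 2; i <= NF; i++) if ($i == name) bad = 1 }
        END { exit !bad }' "$1"
}

# Append "IP NAME" once. Returns 0 if present or added, 2 on a conflict.
add_mapping() {
    file=$1 ip=$2 name=$3
    has_mapping "$file" "$ip" "$name" && return 0
    if has_conflict "$file" "$ip" "$name"; then
        echo "conflict: $name already maps to another address in $file" >&2
        return 2
    fi
    # Terminate an unterminated last line so the new entry is not glued to it.
    [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
    printf '%s\t%s\n' "$ip" "$name" >> "$file"
}

# Demo on a constructed hosts file (not the real /etc/hosts).
sample=$(mktemp)
printf '127.0.0.1\tlocalhost\n127.0.0.2\tvpnhost.example.com vpnhost\n' > "$sample"
echo "Entries the installer will offer to remove:"
find_loopback2 "$sample" || echo "(none)"
add_mapping "$sample" 192.0.2.10 vpn.example.com && cat "$sample"
rm -f "$sample"
```

Run find_loopback2 against /etc/hosts before Step 4 to see which entry the installer will offer to remove, and add_mapping as root after Step 10 with the server's real address and the name clients use.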