NetIQ Documentation: Novell Access Manager 3.1 SP5 SSL VPN Server Guide

1.3 SSL VPN Client Modes

Novell SSL VPN has two client modes, Enterprise mode and Kiosk mode. In Enterprise mode, which is available for users who have administrative privileges, all applications are enabled for SSL VPN. In Kiosk mode, only a limited set of applications are enabled for SSL VPN.

Enterprise mode is available to users who have the administrator right in a Windows workstation or a root user privilege on Linux or Macintosh workstations. If a user does not have administrator rights or root user privileges for that workstation, the SSL VPN connection is made in Kiosk mode.

For more information on the client platforms and setups tested by Novell, see the Access Manager 3.1 Support Pack 1 SSLVPN integration testing report.

1.3.1 Enterprise Mode

In Enterprise mode, all applications, including those on the desktop and the toolbar, are enabled for SSL, regardless of whether they were opened before or after connecting to SSL VPN. In this approach, a thin client is installed on the user’s workstation. In Enterprise mode, the IP Forwarding feature is enabled by default.

Enterprise mode is recommended for devices that are managed by an organization, such as a laptop provided by the organization for its employees. Enterprise mode supports the following:

Protocols such as TCP, UDP, ICMP, and NetBIOS.
Applications that open TCP connections on both sides, such as VoIP and FTP.
Enterprise applications such as CRM and SAP*.
Applications such as Windows File Sharing systems, the Novell Client™, and Novell SecureLogin.

You can configure a user to connect only in Enterprise mode, depending on the role of the user. For more information, see Section 4.2.1, Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode.

NOTE:If you have configured a user to connect in Enterprise mode only and that user does not meet the prerequisites, the SSL VPN connection fails with an appropriate error message if it is using the applet-based Web browser, or a blank screen if an ActiveX-based Web browser is used.

Prerequisites

A user can access SSL VPN in Enterprise mode if any one of the following prererequisites is in place:

The user is an administrator or a root user of the machine, or a Super user or an Administrator user in Windows Vista user.
The user is a non-admin or a non-root user who knows the credentials of the administrator or root user, or a standard user in Windows Vista.
The SSL VPN client components are preinstalled on the user’s machine.

User Scenarios

Depending on which prerequisites are in place, users have different login scenarios.

Scenario 1: The User Is the Admin or Root User of the Machine

When the user is an administrator or a root user of the machine, the tool identifies the user as the admin or root user and Enterprise mode is enabled by default after the user specifies credentials in the Access Manager page. An admin or a root user can connect to SSL VPN only in Enterprise mode unless the system administrator configures the user to connect in Kiosk mode only. For more information on how to configure users for Kiosk mode only, see Section 4.2.1, Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode.

Scenario 2: The User Is the Non-Admin or Non-Root User of Machine and Knows the Admin or Root Credentials

A non-admin or a non-root user can access SSL VPN in Enterprise mode if the user knows the administrator or root user credentials. When a non-admin or a non-root user connects to SSL VPN, the user is prompted to specify the credentials on the Access Manager page. The tool identifies that the credentials supplied are those of the non-admin or a non-root user and displays the following dialog box.

Figure 1-2 SSL VPN Dialog box

The user must specify the username and password of the administrator or the root user of the machine in the dialog box, then click OK to enable Enterprise mode.

Enterprise mode is enabled by default in the subsequent sessions and the user is not prompted again for the administrator or root username and password.

Non-admin or non-root users who have connected to SSL VPN in Enterprise mode can connect to SSL VPN in Kiosk mode on the same machine. For more information, see Switching from Enterprise Mode to Kiosk Mode in the Novell Access Manager 3.1 SP5 SSL VPN User Guide.

NOTE:Users cannot switch from one mode to another if you have configured them to connect in one mode only.

Scenario 3: The User Is a Non-Admin or Non-Root User, but the Client Components Are Preinstalled on the Machine

If a non-admin or a non-root user wants to install SSL VPN in Enterprise mode, you can preinstall the SSL VPN client components on the user’s machine. For more information, see Section 4.1, Preinstalling the SSL VPN Client Components. When non-admin or non-root users access the client components from a workstation that has the SSL VPN client components preinstalled, the users are not prompted to enter the credentials of the admin user or root user.

The users are connected to SSL VPN in Enterprise mode after they specify their credentials on the Access Manager login page.

1.3.2 Kiosk Mode

In Kiosk mode, only a limited set of applications are enabled for SSL VPN. A non-admin user, a non-root user, or a standard user in Windows Vista can connect to SSL VPN in Kiosk mode if he or she does not have administrator access. In Kiosk mode, applications that were opened before the SSL VPN connection was established are not SSL-enabled.

Kiosk mode supports TCP and UDP applications only. This mode is better suited for machines that are not managed by an organization, such as home computers and computers in Web browsing kiosks.

You can configure a user to connect in Kiosk mode only. When you have done so, a user is connected to SSL VPN in Kiosk mode after the user provides credentials in the Novell Access Manager login page. For more information, see Section 4.2.1, Configuring Users to Connect Only in Enterprise Mode or Kiosk Mode.

If you have left the mode selection to the client and a user logs in to the SSL VPN client as a non-admin or non-root user, the following dialog box is displayed:

Figure 1-3 SSL VPN Dialog Box

The user can do one of the following to load the Kiosk mode:

Click Ignore to connect to SSL VPN in Kiosk mode for that particular session. The user is prompted again to provide the administrator or the root username and password during the next login.
Click Ignore Forever to connect to SSL VPN in Kiosk mode in the current session, as well as in subsequent sessions.

A user who has clicked Ignore Forever can still switch to SSL VPN in Enterprise mode in the next session. For more information, see Switching from Kiosk Mode to Enterprise Mode in the Novell Access Manager 3.1 SP5 SSL VPN User Guide.

NOTE: When a non-admin user uses Internet Explorer to establish an SSL VPN connection, the ActiveX download fails. This happens because ActiveX requires admin rights to download.This issue might also occur if you have upgraded from an older version. If a user wants to access SSL VPN with Internet Explorer, use the following URL:

https:<DNS-Name>/sslvpn/login?forcejre=true

For more information, see Section 4.2.4, Configuring SSL VPN to Download the Java Applet on Internet Explorer.