The following sections explain how to configure the Access Gateway with a domain-based multi-homing service. The instructions assume that you have a functioning Novell Filr server on Linux and a functioning Access Manager system (4.1.1 or higher) with a reverse proxy configured for SSL communication between the browsers and the Access Gateway.
The Filr server needs to be configured to trust the Access Gateway to allow single sign-on with Identity Injection and to provide simultaneous logout. You also need to create an Access Gateway proxy service and configure it.
For information on other possible Access Gateway configurations, see “Teaming 2.0: Integrating with Linux Access Gateway”.
To use Novell Filr as a protected resource of an Access Gateway and to use Identity Injection for single sign-on, the Filr server needs a trusted relationship with the Access Gateway. With a trusted relationship, the Filr server processes the credentials that the Access Gateway injects into the Authorization header. The Filr server accepts only a simple user name (such as user1) and password in the authorization header. Note that the injected credentials are the user's actual LDAP user name and password, sent as HTTP Basic credentials on every request: the connection from the Access Gateway to the Filr server must therefore use SSL (see the Web Servers settings below), and Filr should trust injected credentials only from the Access Gateway configured in its reverse proxy settings.
To configure a trusted relationship and simultaneous logout, specify the reverse proxy configuration settings for your Filr appliance, as described in Section 1.8, Changing Reverse Proxy Configuration Settings.
To configure a reverse-proxy single sign-on service for Filr, complete the following tasks:
Before you can configure the domain-based proxy service, you need to create a new reverse proxy. For information, see Managing Reverse Proxies and Authentication in the NetIQ Access Manager 4.1 Administration Guide.
In the Administration Console, click Devices > Access Gateways > Edit, then click the name of the reverse proxy that you created in Creating a New Reverse Proxy.
In the Proxy Service List for that reverse proxy, click New, then fill in the following fields:
Proxy Service Name: Specify a display name for the proxy service that the Administration Console uses for its interfaces.
Published DNS Name: Specify the DNS name that you want the public to use to access your site. This DNS name must resolve to the IP address that you set up as the listening address. For example, Filr.doc.provo.novell.com.
IMPORTANT: To avoid incomplete logout problems, you must also create an Additional Strings to Replace entry for each Filr appliance that points to this DNS name.
Web Server IP Address: Specify the IP address of the Filr server.
Host Header: Select Forward Received Host Name.
Web Server Host Name: Because of your selection in the Host Header field, this option is dimmed.
Click OK.
Click the newly added proxy service, then select the Web Servers tab.
Configure the Connect Port to match the Reverse Proxy Secure HTTP Port setting that you configured from the Filr appliance, as described in Section 1.8, Changing Reverse Proxy Configuration Settings. This will be either port 443 or 8443.
When using SSL, select Use SSL in the Access Manager configuration, then select one of the following:
Any in reverse proxy store: The Access Gateway verifies the Filr server certificate against the certificates in the reverse proxy trust store. Select this option if your Filr and Access Manager servers are in separate geographical locations, or if you want added security within your local network.
Do not verify: The Access Gateway encrypts the connection but does not validate the Filr server certificate, so a host that can intercept traffic on that network segment could impersonate Filr and receive the injected user credentials. Select this option only if your Filr and Access Manager servers are part of the same trusted local network.
Click TCP Connect Options.
Click OK.
Continue with Configuring Protected Resources.
You need to create two policies: LDAP Identity Injection and X-Forward-Proto:
In the Administration Console, click Policies > Policies.
Select the policy container, then click New.
Specify ldap_auth as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.
(Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.
In the Actions section, click New, then select Inject into Authentication Header.
Fill in the following fields:
User Name: If users are provisioned with cn or uid attributes, select Credential Profile, then select LDAP Credentials:LDAP User Name. In the Refresh Data Every drop-down, select Session.
or
If users are provisioned with mail attributes, select LDAP Attribute, then select mail. In the Refresh Data Every drop-down, select Session.
Password: Select Credential Profile, then select LDAP Credentials:LDAP Password.
Leave the default value for the Multi-Value Separator, which is comma.
Click OK.
To save the policy, click OK, then click Apply Changes.
For more information on creating such a policy, see Configuring an Authentication Header Policy in the NetIQ Access Manager 4.1 Administration Guide.
When browsers communicate with Access Manager over HTTPS but Access Manager communicates with Filr over plain HTTP, Filr sees only an HTTP connection and would otherwise generate http links and redirects. Injecting a header that carries the original protocol (the X-Forwarded-Proto convention; the steps below inject it as a custom header named X-Forward-Proto) is a best practice so that Filr builds https URLs for the browser.
In the Administration Console, click Policies > Policies.
Select the policy container, then click New.
Specify x-forward as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.
(Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.
In the Actions section, click New, then select Inject into Custom Header.
Fill in the following fields:
Custom Header Name: Specify X-Forward-Proto as the name.
Value: Select String Constant in the drop-down, then specify https.
Leave the other settings at the defaults.
Click OK.
To save the policy, click OK, then click Apply Changes.
For more information on creating such a policy, see Configuring an Authentication Header Policy in the NetIQ Access Manager 4.1 Administration Guide.
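As an added illustration, not code from this page or from NetIQ, the following Python models what the two policies above (ldap_auth and x-forward) place on a request and what the Filr side then sees. The session values, the constructed user, and the Filr-side checks are assumptions: the rule that rejects a DN-shaped user name illustrates the "simple user name" requirement stated earlier on this page, and filr_absolute_url is an assumed model of what the protocol header is for, not Filr's actual parser or URL builder.

```python
import base64
import binascii

# Constructed sample data standing in for the Access Manager Credential
# Profile and LDAP attributes of one authenticated user (assumption).
SESSION_USER1 = {
    "LDAP User Name": "user1",
    "LDAP Password": "S3cret!pass",
    "mail": "user1@example.com",
}

PUBLISHED_DNS_NAME = "Filr.doc.provo.novell.com"   # Published DNS Name from the page


def inject_headers(session, username_source="LDAP User Name"):
    """Model of the two Identity Injection policies.

    ldap_auth: Inject into Authentication Header -> HTTP Basic credentials
               built from the LDAP user name (or the mail attribute when
               users are provisioned that way) and the LDAP password.
    x-forward: Inject into Custom Header -> X-Forward-Proto: https.
    """
    username = session[username_source]
    password = session["LDAP Password"]
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "X-Forward-Proto": "https"}


def filr_accepts_credentials(headers):
    """Illustrative Filr-side check (assumption, not Filr's real parser).

    The page states that Filr accepts only a simple user name (user1) or a
    mail value plus a password in the Authorization header, so a DN-shaped
    name is rejected here. Returns (accepted, user_name_or_reason).
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return False, "no Basic credentials"
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False, "malformed Basic token"
    username, sep, password = decoded.partition(":")   # password may contain ':'
    if not sep or not username or not password:
        return False, "missing user name or password"
    if "=" in username or "," in username:             # cn=user1,o=example is not simple
        return False, "not a simple user name"
    return True, username


def filr_absolute_url(headers, path, host=PUBLISHED_DNS_NAME):
    """Assumed model of what the protocol header buys: Filr reached over
    plain HTTP from the gateway still builds https links and redirects for
    the browser when the injected header says https."""
    scheme = "https" if headers.get("X-Forward-Proto", "").lower() == "https" else "http"
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    injected = inject_headers(SESSION_USER1)
    print(injected)
    print(filr_accepts_credentials(injected))
    print(filr_absolute_url(injected, "/ssf/a/do"))
    print(filr_absolute_url({}, "/ssf/a/do"))
```

Because the Basic token is only base64, anything that can read the gateway-to-Filr hop can recover the user's LDAP password; that is the practical reason the Web Servers step above insists on SSL for that connection.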
Due to a security fix in Filr 2.0 and later, when users log out of Filr, they are taken to the Filr DNS name rather than the NAM host. Because the browser then bypasses the Access Gateway, the Access Manager session is never terminated: the user appears to be logged out although they actually are not.
To avoid these incomplete logout conditions, create a word rewriter for each Filr host that replaces it with the DNS name of the NAM host.
The NetIQ Access Manager Best Practices Guide contains pertinent rewriter examples in a section that deals with SharePoint. See Table 3-2 in the above-mentioned guide and also refer to the instructions associated with the table.
You need to create two protected resources, one for HTML content and a public protected resource:
Create a protected resource for HTML content:
In the Protected Resource List, click New, specify Basic auth with redirection for the name, then click OK.
(Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
Click the Edit icon next to the Authentication Procedure drop-down list.
Create a new authentication procedure by clicking New, specifying a name for the authentication procedure, and then clicking OK.
In the dialog box that is displayed, fill in the following fields.
Contract: Select the Secure Name/Password - Form contract.
Non-Redirected Login: Select this option.
Realm: Specify a name that you want to use for the Filr server. This name does not correspond to a Filr configuration option. It appears when the user is prompted for credentials.
Redirect to Identity Server When No Authentication Header is Provided: Select this option.
Click OK twice.
In the URL Path List, add the following paths for HTML content:
/* /ssf/* /ssf/s/readFile/share/*
On the configuration page for the protected resource, select the authentication procedure that you just created from the Authentication Procedure drop-down list, then click OK.
Create a public protected resource for Web Services:
NetIQ Access Manager is not designed to protect certain public resources: these paths are used by non-browser clients (WebDAV, REST, the desktop application, RSS and calendar readers) that cannot follow a redirect to the Identity Server. You must complete the following steps to allow these resources to be protected by the Filr server itself, rather than by NetIQ Access Manager.
In the Protected Resource List, click New, specify public for the name, then click OK.
(Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
For the Authentication Procedure, select None.
Click OK.
In the URL Path List, remove the /* path and add the following paths:
For public content:
/ssf/atom/* /ssf/ical/* /ssf/ws/* /ssf/rss/* /ssr/* /rest/* /rest / /dave/* /my_files/* /net_folders/* /shared_with_me /desktopapp/*
The /ssf/rss/* path enables non-redirected login for RSS reader connections.
Filr provides authentication for all of the paths listed above.
Click OK.
Assign the X-Forward-Proto Header policy to both protected resources that you created:
Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.
For each Filr protected resource, click the Identity Injection link, select the x-forward policy that you created, click Enable, then click OK.
Click OK.
Assign the Identity Injection policy only to the HTML protected resource that you created, Basic auth with redirection (the public resource must not receive it, because Filr authenticates those requests itself):
Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.
For the Basic auth with redirection protected resource, click the Identity Injection link, select the ldap_auth policy that you created, click Enable, then click OK.
Click OK.
To save the configuration changes, click Devices > Access Gateways, then click Update.
In the Protected Resource List, ensure that the protected resources that you created are enabled.
To apply your changes, click Devices > Access Gateways, then click Update.
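The following Python is an added example (not code from this page or from NetIQ) that models the two protected resources configured above and the logout rewriter described earlier in this section. It assumes that when several path entries match a request, the most specific (longest) entry wins; the Filr appliance host name is constructed, the published name is the one used on this page, and the "/rest /" entry from the page's public path list is left out because its intended form is not clear.

```python
from urllib.parse import urlsplit

# Path lists of the two protected resources from this section.
PROTECTED_RESOURCES = [
    {
        "name": "Basic auth with redirection",
        "auth": "Secure Name/Password - Form, non-redirected login",
        "paths": ["/*", "/ssf/*", "/ssf/s/readFile/share/*"],
        "policies": ["ldap_auth", "x-forward"],
    },
    {
        "name": "public",
        "auth": None,                       # Authentication Procedure: None
        "paths": ["/ssf/atom/*", "/ssf/ical/*", "/ssf/ws/*", "/ssf/rss/*",
                  "/ssr/*", "/rest/*", "/dave/*", "/my_files/*",
                  "/net_folders/*", "/shared_with_me", "/desktopapp/*"],
        "policies": ["x-forward"],
    },
]

# Host names for the logout rewriter: the Filr appliance's own name
# (constructed assumption) and the Published DNS Name from the page.
FILR_APPLIANCE_HOST = "filr1.internal.example.com"
PUBLISHED_DNS_NAME = "Filr.doc.provo.novell.com"
REPLACEMENTS = [(FILR_APPLIANCE_HOST, PUBLISHED_DNS_NAME)]


def _match_length(pattern, path):
    """Length of the matched prefix, or -1 when the pattern does not apply."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]               # "/ssf/*" -> "/ssf/", "/*" -> "/"
        if path == pattern[:-2] or path.startswith(prefix):
            return len(prefix)
        return -1
    return len(pattern) + 1 if path == pattern else -1


def route(path):
    """Pick the protected resource for a request path.

    Assumption: the most specific (longest) matching entry wins. That is
    what lets /rest/* stay public while /* still covers the rest of the site.
    """
    best, best_len = None, -1
    for resource in PROTECTED_RESOURCES:
        for pattern in resource["paths"]:
            n = _match_length(pattern, path)
            if n > best_len:
                best, best_len = resource, n
    if best is None:
        return {"resource": None, "action": "no matching protected resource", "policies": []}
    if best["auth"] is None:
        action = "pass through unauthenticated; Filr authenticates the request itself"
    else:
        action = "require an Access Manager session (Identity Server login), then inject"
    return {"resource": best["name"], "action": action, "policies": best["policies"]}


def rewrite_response(headers, body, replacements=REPLACEMENTS):
    """Word rewriter: replace the Filr host with the published name in the
    Location header and the body, so the browser never leaves the gateway."""
    out = dict(headers)
    for old, new in replacements:
        if "Location" in out:
            out["Location"] = out["Location"].replace(old, new)
        body = body.replace(old, new)
    return out, body


def logout_stays_behind_gateway(headers):
    """True when the post-logout redirect still goes through Access Manager."""
    host = urlsplit(headers.get("Location", "")).hostname or ""
    return host == PUBLISHED_DNS_NAME.lower()


# Constructed Filr logout response that redirects to the appliance's own
# host name, the incomplete-logout failure mode described in this section.
LOGOUT_RESPONSE = (
    {"Location": f"https://{FILR_APPLIANCE_HOST}/"},
    f'<a href="https://{FILR_APPLIANCE_HOST}/">Back to Filr</a>',
)

if __name__ == "__main__":
    for p in ["/", "/ssf/a/do", "/ssf/rss/feed", "/rest/v1/self", "/dave/files"]:
        print(p, "->", route(p))
    print(logout_stays_behind_gateway(LOGOUT_RESPONSE[0]))
    print(logout_stays_behind_gateway(rewrite_response(*LOGOUT_RESPONSE)[0]))
```

Two things the model makes visible: removing /* from the public resource is what keeps browser paths on the Basic auth with redirection resource (and its ldap_auth injection), and without the rewriter the logout redirect lands on the appliance host, where the Access Manager session is never terminated.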
Continue with Disabling a Rewriter Profile and Enabling Port Redirection.
NOTE: If you have changed the Filr and Access Manager ports from their defaults (8443 for Filr and 443 for Access Manager), you cannot disable the rewriter profile and enable port redirection as described in this section. Instead, you must configure a rewriter profile in Access Manager, as described in Creating or Modifying a Rewriter Profile in the NetIQ Access Manager 4.1 Administration Guide.
To disable the HTML Rewriter and enable port redirection:
In the Proxy Service List in Access Manager, ensure that the HTML Rewriter is disabled.
Under the Web Servers tab, ensure that the Connect Port has been modified to port 443. (This matches the configuration that you made in Step 5 in Configuring the Domain-Based Proxy Service.)
Enable port redirection on the Filr server, as described in Section 1.2.1, Changing the Network Configuration Settings.
This allows Filr to listen on port 8443, and allows Access Manager to forward client requests to port 443.