Novell Access Manager 3.1 provides a number of key enhancements to various components. These enhancements extend the product’s federation capabilities, improve management, enhance security, and add cross-platform capabilities to major components. These key features include:
Support for WS Federation and Windows CardSpace
Windows and Linux versions of the Identity Server and Administration Console
Improved administration interface, which includes delegated administration
SSL VPN enhancements for configuration and data confidentiality
For component specifics, see the following sections:
New administration view:
For more information, see Configuring the Default View
in the Novell Access Manager 3.1 SP2 Administration Console Guide.
Delegated administration:
You can now assign rights to users so that they can manage clusters, standalone devices, and the policies in a container. For more information, see Managing Delegated Administrators
in the Novell Access Manager 3.1 SP2 Administration Console Guide.
Windows version: The Administration Console can now be installed on Windows Server 2003. See Section 4.1.2, Installing on Windows.
Authentication protocols:
CardSpace, WS Federation, and STS are now supported. See Configuring CardSpace
and Configuring WS Federation
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
User session limits:
Users can now be limited to one or more sessions. See Creating a Cluster Configuration
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
Windows version: The Identity Server can now be installed on Windows Server 2003. See Section 5.3, Installing on Windows.
Kerberos:
You can now configure Kerberos to support multiple user principal names (UPNs) for the same user. See Creating the Authentication Class, Method, and Contract
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
The Active Directory user account for the Identity Server is no longer restricted to using DES encryption. If you change the account to use a higher encryption, make sure you create a new keytab file that supports the changed encryption.
Multiple authentication contracts:
The login page now supports multiple local authentication contracts. See Logging In to the User Portal
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
Customizing error strings:
You can now create custom properties files to customize error strings. See Customizing Messages
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
Policy extension API: This allows you to write custom extensions for conditions, data elements, and actions. See Novell Access Manager Developer Tools and Examples.
Force read option:
You can select this for LDAP attributes so that the current value is retrieved from the LDAP server rather than from cache. See Using the Refresh Data Option
in the Novell Access Manager 3.1 SP2 Policy Guide.
Roles from external sources:
You can now activate roles that were assigned to the user from an external source. See Activating Roles from External Sources
in the Novell Access Manager 3.1 SP2 Policy Guide.
Copy options: You can now copy conditions, condition groups, actions, and rules.
New Implementation Method for High Bandwidth RPMs: With this release, customers who are eligible to install the high bandwidth SSL VPN must install the key high bandwidth SSL VPN RPM, after they get the export clearance. This key RPM is installed only once. There is no need to upgrade the key RPM every time the servlet and the server RPMs for SSL VPN are upgraded. In the previous releases, the high bandwidth RPM needed to be upgraded every time the SSL VPN server and servlet RPMs were upgraded.
ESP-Enabled Version of SSL VPN: You can now install the ESP-enabled version of SSL VPN. When SSL VPN is installed in the ESP-enabled mode, it is installed along with the Identity Server and Administration Console, and without the Access Gateway. This version comes with all the features that are available in the traditional SSL VPN, which is protected by the Access Gateway. For more information on installing the ESP-enabled version of SSL VPN, see Section 8.1, Installing the ESP-Enabled SSL VPN.
New End User Interface for SSL VPN: With this release, the SSL VPN client is available to you in a new user-friendly interface. For more information, see the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
SSL VPN Clustering:
The SSL VPN servers can now be clustered to provide failover and load balancing. To configure a cluster, all SSL VPN servers must be upgraded to the high bandwidth version. You can create a cluster of either the traditional SSL VPNs or the ESP-enabled SSL VPNs. For more information, see Clustering the High-Bandwidth SSL VPN Servers
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Ability to Configure Client Connection Mode at the Server:
The administrator can now configure the mode of SSL VPN a client should use. The administrator can decide if users should be allowed to connect in a Kiosk mode or Enterprise mode or leave the choice to the users. For more information, see Configuring How Users Connect to SSL VPN
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Configure Security Levels for a Client:
You can now configure different security levels for a client based on the integrity of the client machine. The users are then provided access to resources based on the security level to which a client belongs. For more information, see Configuring Client Security Levels
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Role Selection:
You can now configure roles for different users. These rules can then be managed in the SSL VPN server. For more information, see Configuring Traffic Policies
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Rule Ordering:
If you have configured more than one rule for a user’s role, the rule that is placed first is applied first. You can now change the order of rules by dragging and dropping them, based on their priority. For more information, see Ordering Traffic Policies
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Define Port Ranges:
You can now define a range of ports in the SSL VPN gateway configuration page. For more information, see Configuring the IP Address, Port, and Network Address Translation (NAT)
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Export and Import of Configuration:
You can import the SSL VPN configuration into an XML file through the Administration Console. This configuration can be reimported later. For more information, see Exporting and Importing Traffic Policies
in the Novell Access Manager 3.1 SP2 SSL VPN Server Guide.
Log Filtering:
The SSL VPN client now allows you to view logs that are applicable to a particular component. For example, you can check the logs only for the client Integrity check or only for the installation of components. For more information, see Viewing SSL VPN Logs
in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
SSL VPN Is Accessible on Internet Explorer 7 Protected Mode: The SSL VPN client component installation now works when the Enable Protected Mode option of Windows Vista is selected in the Internet Explorer 7. When the User Account Control feature of Windows Vista is enabled, the Enable Protected Mode feature of Internet Explorer is selected by default.
SSL VPN Connection Works on Windows Vista with User Account Control: The Enterprise mode as well as the Kiosk mode of SSL VPN works when the User Account Control (UAC) feature of Windows Vista is enabled. The UAC feature is enabled by default for all Windows Vista users.
Sandbox Feature:
The SSL VPN client now comes with the sandbox feature. When this feature is enabled, a folder named VPN-SANDBOX is created on the user’s desktop after the SSL VPN connection is established. Users can copy or download all information into that folder. This folder is deleted when the SSL VPN connection is terminated. For more information, see Using the Sandbox Feature
in the Novell Access Manager 3.1 SP2 SSL VPN User Guide.
NetWare Access Gateway: The NetWare Access Gateway is not supported in Novell Access Manager 3.1. You cannot make any configuration changes to the gateway. You can only export its configuration and migrate it to a Linux Access Gateway. See Section 9.11, Converting a NetWare Access Gateway.
Protected Resource Feature:
You can now specify a query string in the URL path of a resource protected on the Linux Access Gateway. For more information, see Using a Query String in the URL Path
in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
Securing Cookies:
If you configure SSL between the browsers and the Linux Access Gateway, you can configure the Embedded Service Provider so that it always sends secure cookies. You can also configure the Access Gateway session cookie to be secure. See Enabling Secure Cookies
in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
New Installer:
The J2EE Agents can now be installed with the help of new multi-platform installer. You can use these installers to install Agents on JBoss, WebSphere, and WebLogic application servers. For more information on how to install the J2EE agents with the help of the installer, see Installing the J2EE Agents
in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
Support on AIX:
The J2EE Agent for WebSphere can now be installed on the AIX platform. For more information see Installing the J2EE Agent on WebSphere
in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.
Clustering:
The J2EE Agents installed on different machines can now be clustered. For more information on clustering J2EE agents, see Clustering J2EE Agents
in the Novell Access Manager 3.1 SP2 J2EE Agent Guide.