This section discusses some of the advanced settings that can be configured for the SSL VPN servers.
The SSL VPN client components are delivered to the client desktop through a Java applet or an ActiveX control, along with the policies and the required client components.
Some Windows clients do not allow ActiveX controls to run in Internet Explorer. In such scenarios, the user can force the Windows client to load a Java-based applet instead of the ActiveX control. To force the applet to load, enter the following URL to launch the SSL VPN user interface:
https://<DNS-Name>/sslvpn/login?forcejre
If your company's policy does not allow ActiveX controls to be downloaded through Internet Explorer, you can change the SSL VPN configuration to always download the applet-based client. To do so, change the value within the <param-value> tags in the web.xml file from false to true as follows:
Log in as root.
Open the web.xml file found in the following location:
/var/opt/novell/tomcat4/webapps/sslvpn/WEB-INF/
In the <context-param> section, change the <param-value> to true as follows:
<context-param>
  <param-name>forcejre</param-name>
  <param-value>true</param-value>
  <description>My organization does not allow activex ? enter true if so</description>
</context-param>
Save the web.xml file.
Restart the Tomcat server by entering the following command:
/etc/init.d/novell-tomcat restart
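The web.xml change above can be made and verified with an XML parser instead of by hand, which avoids accidentally altering a neighbouring <context-param>. The following Python script is an added example and is not part of this documentation or of the SSL VPN product; it works on a constructed sample of the <context-param> section, switches forcejre to true only when it is not already set, copies the original XML prolog back in front of the rewritten document (ElementTree drops the declaration and any DOCTYPE), and keeps a .bak copy when it rewrites a file. The sample XML and all function names are this example's own.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the relevant part of web.xml; it is not the appliance's
# real file, which lives under /var/opt/novell/tomcat4/webapps/sslvpn/WEB-INF/.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <context-param>
    <param-name>forcejre</param-name>
    <param-value>false</param-value>
    <description>My organization does not allow activex ? enter true if so</description>
  </context-param>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip a namespace from an element tag: '{uri}param-name' -> 'param-name'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem: ET.Element, name: str):
    """First direct child of elem whose local tag name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _context_params(root: ET.Element):
    """Yield (param-name element, param-value element) for every <context-param>."""
    for cp in root.iter():
        if _local(cp.tag) != "context-param":
            continue
        pn, pv = _child(cp, "param-name"), _child(cp, "param-value")
        if pn is not None and pv is not None:
            yield pn, pv


def get_context_param(xml_text: str, name: str):
    """Return the <param-value> text for context-param `name`, or None if absent."""
    for pn, pv in _context_params(ET.fromstring(xml_text)):
        if (pn.text or "").strip() == name:
            return (pv.text or "").strip()
    return None


def set_context_param(xml_text: str, name: str, value: str):
    """Return (new_text, changed). Sets <param-value> for `name`; returns the
    input unchanged (changed=False) when the value is already in place."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep a default namespace as the default prefix
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changed = False
    for pn, pv in _context_params(root):
        if (pn.text or "").strip() == name and (pv.text or "").strip() != value:
            pv.text = value
            changed = True
    if not changed:
        return xml_text, False
    # ElementTree drops the <?xml ...?> declaration and any DOCTYPE, so copy the
    # original prolog (everything before the root start tag) back in front.
    prolog_end = xml_text.find("<" + _local(root.tag))
    prolog = xml_text[:prolog_end] if prolog_end > 0 else ""
    return prolog + ET.tostring(root, encoding="unicode") + "\n", True


def force_applet_in_file(path: Path) -> bool:
    """Apply forcejre=true to a web.xml on disk; True if the file was rewritten."""
    original = path.read_text(encoding="utf-8")
    updated, changed = set_context_param(original, "forcejre", "true")
    if changed:
        path.with_suffix(".xml.bak").write_text(original, encoding="utf-8")
        path.write_text(updated, encoding="utf-8")
    return changed


if __name__ == "__main__":
    new_text, was_changed = set_context_param(SAMPLE_WEB_XML, "forcejre", "true")
    print("changed:", was_changed)
    print(new_text)
```

Run it against a copy of the real file first, then call force_applet_in_file on the WEB-INF/web.xml path named above and restart Tomcat as the procedure describes. The lookup matches on local tag names, so it also handles a web-app root that declares a namespace.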
You can configure SSL VPN to connect in Kiosk mode only, even if the user is the admin or root user of the machine. To configure SSL VPN to connect in Kiosk mode only, update the config.txt file as follows:
Log in as root.
Open config.txt which is located in the following path:
/var/opt/novell/tomcat4/webapps/sslvpn/WEB-INF/
Append the following line to the file:
ForceKiosk=true
Save and close the file.
Enter the following command to restart Tomcat:
/etc/init.d/novell-tomcat4 restart
NOTE: By default, you cannot enable the Kiosk mode only option for Windows non-admin users connecting to SSL VPN through Internet Explorer, because admin user privilege is required to download the ActiveX component of SSL VPN. However, if the user's Windows machine has a JRE installed, you can force Internet Explorer to connect to SSL VPN through the applet. For more information, see Section 21.1.1, Configuring SSL VPN to Download the Applet on Internet Explorer.
You can customize the contents of the SSL VPN home page, resize the window and change the company logo depending on the requirements of the organization. This section has the following information:
Browse to the following location and replace SSLVPN_Nlogo.gif with your own logo:
/var/opt/novell/tomcat4/webapps/sslvpn/pages/other
You must retain the filename and file size of the original graphic.
NOTE: In the localized versions, the .gif file is located in the /pages_<language>/other folder. For example, to customize the German version, browse to the following location:
/var/opt/novell/tomcat4/webapps/sslvpn/pages_de/other
In ActiveX, the logo is hyperlinked to www.novell.com. To change the hyperlink:
Open /var/opt/novell/tomcat4/webapps/sslvpn/pages/banner.html.
Browse to the <div id="logo"> section, then change the href link to the URL of your choice.
Save and close the file.
Browse to /var/opt/novell/tomcat4/webapps/sslvpn/pages.
Do the following:
Modify the contents of the home.html file. This file is displayed to the user when ActiveX is downloaded to the client machine.
Modify the contents of pre_applet_home.html and applet_home.html. These files are displayed to the user when a Java applet is downloaded to the client machine. The contents of pre_applet_home.html are displayed while the SSL VPN connection is being made. This page changes to the applet_home.html page after the connection status changes to .
NOTE: This is a static HTML page, and JavaScript operations inside this page are not supported.
Save and close the file.
NOTE: In the localized versions, banner.html is located in the /pages_<language> folder. For example, to customize the German version, browse to the following location:
/var/opt/novell/tomcat4/webapps/sslvpn/pages_de
If you have referenced other Web pages from your home page, you must wait until the connection status changes to
, before clicking the link.
You can customize the height and width of the UI and the width of the tabs used in the SSL VPN user interface. This section has the following information:
Log in as root.
Open config.txt which is located in the following path:
/var/opt/novell/tomcat4/webapps/sslvpn/WEB-INF/
Specify the following line:
UIConfig=<param1>, <param2>, <param3>
where <param1> is the height of the applet UI, <param2> is the width of the applet UI, and <param3> is the width of the list of tabs on the left-hand side.
For example, UIConfig=768, 1000, 150 is the default configuration. Some other values that can be used are:
UIConfig=900,1200,100
UIConfig=1000,1400,90
UIConfig=1200,1600,150
Save and close the file.
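Both config.txt edits in this section (appending ForceKiosk=true for Kiosk-only connections, and setting the UIConfig line) are key=value changes that are easy to get wrong by hand: a duplicate key, or a UIConfig value with the wrong number of fields. The following Python script is an added example, not part of this documentation or of the SSL VPN product; it parses a constructed sample of config.txt, replaces or appends a key without duplicating it, validates a UIConfig value as three integers before writing it, and keeps a .bak copy when it rewrites a file. The sample file, the function names, and the check that the tab width is smaller than the UI width are this example's own assumptions, not documented product rules.

```python
from pathlib import Path

# Constructed sample of config.txt; not the appliance's real file, which lives in
# /var/opt/novell/tomcat4/webapps/sslvpn/WEB-INF/ (path from the procedure).
SAMPLE_CONFIG = """# SSL VPN client settings (constructed sample)
UIConfig=768, 1000, 150
"""


def _split(line: str):
    """Return (key, value) for a 'key=value' line, or None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith("#") or "=" not in s:
        return None
    key, value = s.split("=", 1)
    return key.strip(), value.strip()


def parse_config(text: str) -> dict:
    """Parse key=value lines; a later duplicate key overrides an earlier one."""
    cfg = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv:
            cfg[kv[0]] = kv[1]
    return cfg


def set_key(text: str, key: str, value: str) -> str:
    """Set key=value, replacing an existing line (and dropping duplicates of it)
    or appending the line when the key is absent. Other lines are untouched."""
    out, found = [], False
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] == key:
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def parse_uiconfig(value: str):
    """Validate a UIConfig value '<height>, <width>, <tab width>' -> (h, w, tabs)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"UIConfig needs three non-negative integers, got {value!r}")
    height, width, tabs = (int(p) for p in parts)
    # Sanity check of this example (not a documented product rule): the tab list
    # sits inside the applet window, so its width must fit within the UI width.
    if tabs >= width:
        raise ValueError("tab list width must be smaller than the UI width")
    return height, width, tabs


def force_kiosk_and_ui(text: str, uiconfig: str) -> str:
    """Apply both documented settings to config.txt text: ForceKiosk=true and a
    validated UIConfig value. Raises ValueError on a malformed UIConfig."""
    height, width, tabs = parse_uiconfig(uiconfig)
    text = set_key(text, "ForceKiosk", "true")
    return set_key(text, "UIConfig", f"{height}, {width}, {tabs}")


def apply_to_file(path: Path, uiconfig: str) -> None:
    """Rewrite a config.txt on disk, keeping a .bak copy of the original."""
    original = path.read_text(encoding="utf-8")
    updated = force_kiosk_and_ui(original, uiconfig)
    if updated != original:
        path.with_suffix(".txt.bak").write_text(original, encoding="utf-8")
        path.write_text(updated, encoding="utf-8")


if __name__ == "__main__":
    print(force_kiosk_and_ui(SAMPLE_CONFIG, "900,1200,100"))
```

The rewrite is idempotent, so it can be re-run safely; restart Tomcat afterwards as the procedure describes for the settings to take effect.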
Browse to /var/opt/novell/tomcat4/webapps/sslvpn/pages
You can open either nav.html or banner.html.
Customize the content.
Save and close the file.
Novell SSL VPN is configured for split tunneling by default. With split tunneling, only traffic destined for the protected network goes through the VPN tunnel. If you have connected to the SSL VPN in Kiosk mode and want all traffic from the client machine to go through the tunnel (full tunneling), do the following:
In the Administration Console, click
> . Create a new traffic policy. For more information on adding a new traffic policy, see Section 20.1, Configuring Traffic Policies.
Click the newly added traffic policy. The Edit Traffic Policy page is displayed.
Configure the following fields:
Destination Network: Specify 0.0.0.0 as the destination network IP address.
Protocol: Select
as the protocol.
Port: Specify the port number as 0.
Action: Select
to allow the service in encrypted form.
Leave the default values in the other fields unchanged.
Click
to save changes.
In the Edit page, select
from the section. The SSL VPN Gateway Basic Configuration page is displayed.
In the
field, specify all the IP addresses that the SSL VPN server can use to access the public resources.
To save your modifications, click
, then click on the Configuration page.
NOTE: Full tunneling is not supported in the Enterprise mode.
The Enterprise mode of SSL VPN uses DH certificates for encryption. These certificates are created automatically during installation or upgrade, with a default key size of 1024. You can create DH certificates with a key size of your choice, up to a maximum key size of 4096. To create a DH certificate with a key size of your choice, enter the following command:
sslvpnc -k <keysize>
Replace <keysize> with the key size of your choice.