Access Gateway Guide
Access Manager 4.0 Appliance SP1
May 2014
www.netiq.com/documentation

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

© 2013 NetIQ Corporation. All Rights Reserved.

For information about NetIQ trademarks, see https://www.netiq.com/company/legal/.

Contents

About NetIQ Corporation
About this Book and the Library

1 Configuring the Access Gateway for SSL and Other Security Features
  1.1 Using SSL on the Access Manager Appliance Communication Channels
  1.2 Prerequisites for SSL
    1.2.1 Prerequisites for SSL Communication between the Identity Server and Access Manager Appliance
    1.2.2 Prerequisites for SSL Communication between the Access Gateway and Web Servers
  1.3 Configuring SSL Communication with Browsers and the Identity Server
  1.4 Configuring SSL between the Proxy Service and the Web Servers
  1.5 Enabling Secure Cookies
    1.5.1 Securing the Embedded Service Provider Session Cookie on the Access Gateway
    1.5.2 Securing the Proxy Session Cookie
  1.6 Managing Access Gateway Certificates
    1.6.1 Managing Reverse Proxy and Web Server Certificates

2 Configuring the Access Gateway to Protect Web Resources
  2.1 Configuration Options
  2.2 Managing Reverse Proxies and Authentication
    2.2.1 Creating a Proxy Service
    2.2.2 Configuring a Proxy Service
    2.2.3 Modifying the DNS Setting for a Proxy Service
  2.3 Configuring Web Servers of a Proxy Service
  2.4 Configuring Protected Resources
    2.4.1 Setting Up a Protected Resource
    2.4.2 Configuring an Authentication Procedure for Non-Redirected Login
    2.4.3 Assigning an Authorization Policy to a Protected Resource
    2.4.4 Assigning an Identity Injection Policy to a Protected Resource
    2.4.5 Assigning a Form Fill Policy to a Protected Resource
    2.4.6 Assigning a Timeout Per Protected Resource
    2.4.7 Assigning a Policy to Multiple Protected Resources
  2.5 Configuring Protected Resources for Specific Applications
    2.5.1 Configuring Protected Resource for a SharePoint Server
    2.5.2 Configuring a Protected Resource for a SharePoint Server with an ADFS Server
    2.5.3 Configuring a Protected Resource for Outlook Web Access
    2.5.4 Configuring a Protected Resource for a Novell Vibe 3.3 Server
    2.5.5 Configuring Access to the Filr Site through Access Manager
  2.6 Configuring HTML Rewriting
    2.6.1 Understanding the Rewriting Process
    2.6.2 Specifying DNS Names to Rewrite
    2.6.3 Defining the Requirements for the Rewriter Profile
    2.6.4 Configuring the HTML Rewriter and Profile
    2.6.5 Creating or Modifying a Rewriter Profile
    2.6.6 Disabling the Rewriter
  2.7 Configuring Connection and Session Limits
    2.7.1 Configuring TCP Listen Options for Clients
    2.7.2 Configuring TCP Connect Options for Web Servers
    2.7.3 Configuring Connection and Session Persistence
    2.7.4 Configuring Web Servers

3 Server Configuration Settings
  3.1 Configuration Overview
  3.2 Saving, Applying, or Canceling Configuration Changes
  3.3 Managing Access Gateways
    3.3.1 Viewing and Modifying Gateway Settings
    3.3.2 Configuration Options
    3.3.3 Scheduling a Command
  3.4 Managing General Details of the Access Gateway
    3.4.1 Changing the Name of an Access Gateway and Modifying Other Server Details
    3.4.2 Exporting and Importing an Access Gateway Configuration
  3.5 Setting Up a Tunnel
  3.6 Setting the Date and Time
  3.7 Customizing Error Messages and Error Pages on Access Gateway
    3.7.1 Customizing and Localizing Error Messages
    3.7.2 Customizing the Error Pages
  3.8 Configuring Network Settings
    3.8.1 Viewing and Modifying Adapter Settings
    3.8.2 Viewing and Modifying Gateway Settings
    3.8.3 Viewing and Modifying DNS Settings
    3.8.4 Configuring Hosts
    3.8.5 Adding a New IP Address to the Access Gateway
  3.9 Customizing Logout Requests
    3.9.1 Customizing Applications to Use the Access Gateway Logout Page
    3.9.2 Customizing the Access Gateway Logout Page
    3.9.3 Configuring the Logout Disconnect Interval