
Sun ONE Portal Server, Secure Remote Access 6.2 Administrator's Guide

Chapter 11
Configuring the Netlet

This chapter describes how to configure Netlet attributes from the Sun™ ONE Identity Server administration console.


Note

Click Documentation at the top right corner of the Identity Server administration console, and click SRA Help for a quick reference on all the Secure Remote Access attributes.


All the attributes that can be configured at the organization level can also be configured at the user level. See the Sun ONE Identity Server Administration Guide for more information on organization, role and user level attributes.

Some additional attributes can be configured at the user level. If you do not specify these values in the administration console, the user will be asked for this information when a connection is being established through the Netlet for the first time. The user will be asked for this information if:

In both these cases, the Netlet may not be able to determine the browser settings, and hence the user is asked to supply the following information:

To configure Netlet attributes at the organization level, follow these steps:

  1. Log in to the Sun™ ONE Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.
  7. From here, you can perform the following tasks:


Assign the Netlet Service to a User

  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name.

    The selected organization name is reflected as the location in the top left corner of the admin console.

  5. Select Users from the View drop-down list for the selected organization.
  6. Click the arrow next to the required user in the left pane.
  7. Select Services from the View drop-down list for this user, if the Netlet service is not already available for this user.
  8. Click Add.
  9. Select Netlet from the Available Services list.
  10. Click Save.
  11. The Netlet attributes can be modified by selecting the "Netlet" service from the View drop-down list for this user.


Add a Netlet Rule

You can add or create Netlet rules at a global level in the Identity Management tab of the Identity Server administration console. These rules are inherited by any new organization that you create.

You can also create new rules or modify existing rules at the organization, role, or user levels.

    To Add a Netlet Rule
  1. Log in to the Identity Server administration console as administrator.
  2. Choose the Identity Management tab.
  3. Choose the Organization for which you want to create the rule.
  4. Select Services from the View drop-down list.
  5. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page is displayed in the right pane.

  6. Click Add in the Netlet Rules field.

    The Add Netlet Rule page is displayed. All the fields of the rule are populated with sample values that you can change as required.

  7. Type a unique name for the rule in the Rule Name field.
  8. Specify the required ciphers. Select Default to retain the default encryption cipher. Select Other to choose from the list of available ciphers.

    See "To Specify the Default Cipher" for details on the default cipher.

  9. Type the URL to the application to be invoked in the URL field.
  10. Select the Download Applet checkbox if an applet needs to be downloaded. Type the applet details in the format client port:server host:server port in the associated edit box.

    Note

    Specify a unique client port for each rule.


    You need to specify the applet details only if the applet needs to be downloaded from a host other than the Portal Server host. The edit box is disabled if you do not select the checkbox.

  11. Select the Extend Session checkbox to ensure that the Portal Server session time is extended while the Netlet session corresponding to this rule is running.
  12. Type the client port on which the Netlet listens in the Client Port field.

    For an FTP rule, the client port value must be 30021.

  13. Type an entry in the Target Host(s) field.

    For a static rule, enter the host name of the target machine for the Netlet connection.

    For a dynamic rule, enter "TARGET".

  14. Type the port on the target host in the Target Port(s) field.
  15. Click Add to List to reflect the last three entries in the Port-Host-Port List field.
  16. Click Save.

    The rule is saved and you are returned to the Netlet page. The new rule name displays in the Netlet Rules list.
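
The constraints in the steps above (a unique client port for each rule, client port 30021 for an FTP rule, applet details in the form client port:server host:server port) can be checked before the rules are typed into the console. The following is an added example, not part of the original guide or the product: the dictionary layout, the rule names and the hosts are constructed, and two points are assumptions, namely that a rule counts as FTP when its target port is 21 and that the applet's client port also has to be unique.

```python
from collections import defaultdict

FTP_CLIENT_PORT = 30021  # from the guide: required client port for an FTP rule
FTP_TARGET_PORT = 21     # assumption: a rule counts as FTP when it targets port 21


def valid_port(value):
    text = str(value)
    return text.isdigit() and 1 <= int(text) <= 65535


def lint_rules(rules):
    """Return sorted (rule name, message) findings for a list of rule dicts."""
    findings = []
    owners = defaultdict(set)  # client port -> names of rules listening on it

    for rule in rules:
        name = rule["name"]
        for client, host, target in rule["port_host_port"]:
            if not (valid_port(client) and valid_port(target) and host):
                findings.append((name, f"malformed entry {client}:{host}:{target}"))
                continue
            owners[int(client)].add(name)
            if int(target) == FTP_TARGET_PORT and int(client) != FTP_CLIENT_PORT:
                findings.append((name, f"FTP rule must use client port {FTP_CLIENT_PORT}"))

        applet = rule.get("applet")  # only set when Download Applet is selected
        if applet is not None:
            parts = applet.split(":")
            if len(parts) == 3 and valid_port(parts[0]) and parts[1] and valid_port(parts[2]):
                # Assumption: the applet's client port also has to be unique.
                owners[int(parts[0])].add(name)
            else:
                findings.append((name, "applet details are not client port:server host:server port"))

    # A client port claimed by more than one rule is reported once per rule.
    for port, names in owners.items():
        for name in names:
            if len(names) > 1:
                others = ", ".join(sorted(names - {name}))
                findings.append((name, f"client port {port} also used by {others}"))
    return sorted(findings)


# Constructed sample rules (names, hosts and ports are made up).
SAMPLE_RULES = [
    {"name": "telnet-static", "port_host_port": [("30000", "host1.sesta.com", "23")]},
    {"name": "ftp-dynamic", "port_host_port": [("30000", "TARGET", "21")]},
    {"name": "files", "port_host_port": [("30021", "files.sesta.com", "21")],
     "applet": "8000:apps.sesta.com"},
]

if __name__ == "__main__":
    for rule_name, message in lint_rules(SAMPLE_RULES):
        print(f"{rule_name}: {message}")
```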


Modify an Existing Netlet Rule

You can modify existing rules at the organization, role, or user levels from the Identity Management tab in the administration console. These rules are inherited by any new organization that you create.

    To Modify a Netlet Rule
  1. Log in to the Identity Server administration console as administrator.
  2. Choose the Identity Management tab.
  3. Choose the Organization for which you want to modify the rule.
  4. Select Services from the View drop-down list.
  5. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page is displayed in the right pane.

  6. Click the name of the rule that you want to modify.

    The Edit Netlet Rule page is displayed.

  7. Make changes as required and click Save.

    The modified rule is saved and you are returned to the Netlet page.


Delete a Netlet Rule

You can delete Netlet rules at a global level in the Identity Management tab of the administration console.

    To Delete a Netlet Rule
  1. Log in to the Identity Server administration console as administrator.
  2. Choose the Identity Management tab.
  3. Choose the Organization for which you want to delete the rule.
  4. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page is displayed in the right pane.

  5. Select the checkbox next to the rule that you want to delete from the Netlet Rules list.
  6. Click Delete.

    The selected rule is removed from the Netlet Rules list.


    Note

    This section describes the configuration of all the attributes at the organization level.



Specify the Default Encryption Cipher

You need to specify the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule. This is a mandatory field. See "Backward Compatibility".

    To Specify the Default Cipher
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Default Native VM Cipher or Default Java Plugin Cipher field and select the required cipher from the drop-down list. See "Supported Ciphers" for a list of supported ciphers.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Assign the Default Loopback Port

This attribute specifies the port to be used on the client when applets are downloaded through the netlet. The default value of 8000 is used unless it is overridden in the Netlet rules.

    To Assign the Default Loopback Port
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Default Loopback Port field and type the desired port number.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Enable Reauthentication for Connections

Enable this option if you want the user to enter the Netlet password each time a Netlet connection needs to be established. If you enable this option, the warning popup for connections is not displayed on the user’s desktop. See "Disable Warning Popup for Connections" for details.

Enabling this option allows the user to change the reauthentication password using the Netlet channel edit option. The initial password is srap-Netlet by default.

    To Enable Reauthentication for Connections
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Reauthentication for Connections field and select the option.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Disable Warning Popup for Connections

This attribute displays a message on the user’s desktop warning that someone is trying to connect to the Netlet through the listen port. The message displays when the user runs the application over the netlet, and also when an intruder tries to gain access to the desktop through the listen port.

If you do not want the popup to appear on the user’s desktop, deselect this attribute.

    To Enable the Warning Popup for Connections
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the "location" in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Select the Warning Popup for Connections checkbox to enable the warning popup.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Enable the Show Checkbox in Port Warning Dialog

A warning popup is displayed on the user’s desktop when the Netlet tries to connect to the destination host through a freely available port on the local machine. This warning popup displays on the user’s desktop only if the Warning Popup for Connections option is enabled in the administration console.

You can allow the user to suppress this warning popup by enabling the Show Checkbox in Port Warning Dialog option in the administration console.

    To Allow the User to Suppress the Port Warning Dialog
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Show Checkbox in Port Warning Dialog field and check the box.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Set the Keep Alive Interval

You can set the time interval in minutes for which a Netlet connection is kept alive even if there is no operation.

If you do not specify a value for this attribute, the idle Netlet connection times out with all other Portal Server idle connections per the "Max idle time (minutes)" value specified in the Session Attributes section of the Identity Server Configuration.

    To Set the Keep Alive Interval
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Keep Alive Interval (in minutes) field, and type the required time interval.
  8. Click Save at the top or bottom of the Netlet page to record the change.


Set the Terminate Netlet at Portal Logout Option

Enable this option if you want to ensure that all connections are terminated when a user logs out of the Portal Server. This ensures greater security. This option is enabled by default.

Disable this option to ensure that live Netlet connections are operational even after the user has logged out of the Portal Server desktop.


Note

Disabling this option does not allow the user to make new Netlet connections after logging out of the Portal Server. Only existing connections are preserved.


    To Set the Terminate Netlet at Portal Logout Option
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Terminate Netlet at Portal Logout field and select or deselect the option as required.
  8. Click Save at the top or bottom of the Netlet page to record the change.

    See also Terminating the Netlet at Logout.


Define Access to Netlet Rules

You can define access to specific Netlet rules for certain organizations, roles or users.

    To Define Access to Netlet Rules
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Access to Netlet Rules field.
  8. Type the name of the rule that you want to make available for the selected organization in the Access to Netlet Rules field.

    An asterisk (*) in this field indicates that all the defined Netlet rules are available for the selected organization.

  9. Click Add.

    The specified rule is added to the Access to Netlet Rules list.

  10. Repeat steps 7, 8 and 9 for each Netlet rule that you want to make available.
  11. Click Save at the top or bottom of the Netlet page to record the change.


Denying Access to Netlet Rules

You can deny access to specific Netlet rules for certain organizations, roles or users.

    To Deny Access to Netlet Rules
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Deny Netlet Rules field.
  8. Type the name of the rule to which you want to deny access for the selected organization in the Deny Netlet Rules field.

    An asterisk (*) in this field indicates that all the defined Netlet rules are denied access for the selected organization.

  9. Click Add.

    The specified rule is added to the Deny Netlet Rules list.

  10. Repeat steps 7, 8 and 9 for each Netlet rule for which you want to deny access.
  11. Click Save at the top or bottom of the Netlet page to record the change.


Allow Access to Hosts

You can define access to specific hosts for certain organizations, roles or users. This enables you to restrict access to certain hosts. For example, you can set up the Allow list with five hosts to which the user can telnet.

    To Allow Access to Hosts
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Allowed Hosts field.
  8. Type the name of the host for which you want to allow access in the Allow Hosts field.

    An asterisk (*) in this field indicates that all the hosts in the specified domain are accessible. For example, if you specify *.sesta.com, all the Netlet targets within the sesta.com domain can be executed by the user. You can also specify a wild card IP address such as xxx.xxx.xxx.*.

  9. Click Add.

    The specified host is added to the Allowed Hosts list.

  10. Repeat steps 7 and 8 for each host that you want to make available.
  11. Click Save at the top or bottom of the Netlet page to record the change.


Deny Access to Hosts

You can deny access to specific hosts within an organization. Specify the host for which you want to deny access in the Denied Hosts list.

    To Deny Access to Hosts
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Identity Management tab.
  3. Select Organizations from the View drop-down list.
  4. Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
  5. Select Services from the View drop-down list.
  6. Click the arrow next to Netlet under SRA Configuration.

    The Netlet page displays in the right pane.

  7. Scroll to the Denied Hosts field.
  8. Type the name of the host for which you want to deny access in the Denied Hosts field.

    An asterisk (*) in this field indicates that the user is denied access to all the hosts within the selected organization. For example, to deny access to all the hosts in the organization sesta, type *.sesta.com in the Denied Hosts field.

    To deny access to a specific host, specify the fully qualified name. For example, to deny access to a host abc, type abc.sesta.com.

  9. Click Add.

    The specified domain is added to the Access to Domains list.

  10. Repeat steps 7 and 8 for each domain that you want to make available.
  11. Click Save at the top or bottom of the Netlet page to record the change.
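
The four lists described above (Access to Netlet Rules, Deny Netlet Rules, Allowed Hosts, Denied Hosts) combine into a single decision for each connection, and the asterisk forms (*, *.sesta.com, xxx.xxx.xxx.*) make it easy to grant more than intended. The following is an added example for reviewing a planned configuration, not part of the original guide or the product: the policy dictionary is constructed, and the evaluation order (deny entries win, anything not on an allow list is refused) is an assumption that this chapter does not state.

```python
import re


def matches(pattern, value):
    """Match a list entry in which '*' is the only wildcard (case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def listed(patterns, value):
    return any(matches(p, value) for p in patterns)


def decide(policy, rule_name, target_host):
    """Return (allowed, reason) for one rule/host pair.

    Assumption: deny lists are checked before allow lists.
    """
    if listed(policy["deny_rules"], rule_name):
        return False, "rule is on Deny Netlet Rules"
    if not listed(policy["access_rules"], rule_name):
        return False, "rule is not on Access to Netlet Rules"
    if listed(policy["denied_hosts"], target_host):
        return False, "host is on Denied Hosts"
    if not listed(policy["allowed_hosts"], target_host):
        return False, "host is not on Allowed Hosts"
    return True, "permitted"


def broad_entries(policy):
    """Name the allow-side lists that contain a bare '*' (everything allowed)."""
    return sorted(f for f in ("access_rules", "allowed_hosts") if "*" in policy[f])


# Constructed sample policy; rule names, hosts and the IP range are made up.
SAMPLE_POLICY = {
    "access_rules": ["telnet-static", "ftp-dynamic"],
    "deny_rules": ["ftp-dynamic"],
    "allowed_hosts": ["*.sesta.com", "10.1.2.*"],
    "denied_hosts": ["abc.sesta.com"],
}

if __name__ == "__main__":
    checks = [
        ("telnet-static", "host1.sesta.com"),
        ("telnet-static", "abc.sesta.com"),
        ("telnet-static", "host1.sesta.com.example.net"),  # suffix look-alike
        ("telnet-static", "10.1.20.7"),                    # outside 10.1.2.*
        ("ftp-dynamic", "host1.sesta.com"),
    ]
    for rule_name, host in checks:
        print(rule_name, host, decide(SAMPLE_POLICY, rule_name, host))
    print("broad allow entries:", broad_entries(SAMPLE_POLICY))
```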




Copyright 2003 Sun Microsystems, Inc. All rights reserved.