Sun Java System Portal Server 6 2004Q2 Secure Remote Access Administration Guide
Chapter 11
Configuring Netlet
This chapter describes how to configure Netlet attributes from the Sun Java System Identity Server administration console.
Note
Click Help at the top right corner of the Identity Server administration console, and click SRA Help for a quick reference on all the SRA attributes.
All the attributes that can be configured at the organization level can also be configured at the user level. See the Identity Server Administration Guide for more information on organization, role and user level attributes.
To configure Netlet attributes at the organization level, follow these steps:
- Log in to the Sun Java System Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
From here, you can perform the following tasks:
Assign Netlet Service to a User
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name.
The selected organization name is reflected as the location in the top left corner of the admin console.
- Select Users from the View drop-down list for the selected organization.
- Click the arrow next to the required user in the left pane.
- Select Services from the View drop-down list for this user, if the Netlet service is not already available for this user.
- Click Add.
- Select Netlet from the Available Services list.
- Click Save.
- The Netlet attributes can then be modified by selecting the Netlet service from the View drop-down list for this user.
Add a Netlet Rule
You can add or create Netlet rules at a global level in the Identity Management tab of the Identity Server administration console. These rules are inherited by any new organization that you create.
You can also create new rules or modify existing rules at the organization, role, or user levels.
To Add a Netlet Rule
- Log in to the Identity Server administration console as administrator.
- Choose the Identity Management tab.
- Choose the Organization for which you want to create the rule.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page is displayed in the right pane.
- Click Add in the Netlet Rules field.
The Add Netlet Rule page is displayed. All the fields of the rule are populated with sample values that you can change as required.
- Type a unique name for the rule in the Rule Name field.
- Specify the required ciphers. Select Default to retain the default encryption cipher. Select Other to choose from the list of available ciphers.
See To Specify the Default Cipher for details on the default cipher.
- Type the URL to the application to be invoked in the URL field.
- Select the Download Applet checkbox if an applet needs to be downloaded. Type the applet details in the format local-port:server-host:server-port in the associated edit box.
You need to specify the applet details only if the applet needs to be downloaded from a host other than the Portal Server host. The edit box is disabled if you do not select the checkbox. For more information, see Downloading an Applet From a Remote Host.
- Select the Extend Session checkbox to ensure that the Portal Server session time is extended while the Netlet session corresponding to this rule is running.
- Type the local port on which Netlet listens in the Local Port field.
For an FTP rule, the local port value must be 30021.
- Type an entry in the Target Host(s) field.
For a static rule, enter the host name of the target machine for the Netlet connection.
For a dynamic rule, enter "TARGET".
- Type the port on the target host in the Target Port(s) field.
- Click Add to List to add the last three entries (local port, target host and target port) to the Local Port to Destination Port list.
- Click Save.
The rule is saved and you are returned to the Netlet page. The new rule name displays in the Netlet Rules list.
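The constraints stated in the procedure above (a unique rule name, the local-port:server-host:server-port applet format, local port 30021 for an FTP rule, and the literal TARGET for a dynamic rule) can be checked before an administrator types a rule into the Add Netlet Rule page. The following checker is an added example and is not part of this guide or of the Portal Server product; the NetletRule class, the function names, and the use of the URL scheme to recognise an FTP rule are assumptions.

```python
# Added example (not Sun's documentation or product code): check Netlet rule
# definitions against the constraints stated in "To Add a Netlet Rule".
# The class, the function names and the FTP detection are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

FTP_LOCAL_PORT = 30021     # the chapter requires this local port for FTP rules
DYNAMIC_TARGET = "TARGET"  # Target Host(s) value that marks a dynamic rule


def parse_applet_details(spec: str) -> Tuple[int, str, int]:
    """Parse the local-port:server-host:server-port string entered beside the
    Download Applet checkbox. Raises ValueError if it is malformed."""
    parts = spec.strip().split(":")
    if len(parts) != 3:
        raise ValueError("expected local-port:server-host:server-port, got %r" % spec)
    local_port, server_host, server_port = parts
    if not server_host:
        raise ValueError("server host is empty")
    lp, sp = int(local_port), int(server_port)
    for port in (lp, sp):
        if not 1 <= port <= 65535:
            raise ValueError("port %d is out of range" % port)
    return lp, server_host, sp


@dataclass
class NetletRule:
    """One entry of the Netlet Rules list, field for field as on the Add Netlet Rule page."""
    name: str
    url: str
    local_port: int
    target_hosts: List[str]
    target_ports: List[int]
    cipher: str = "Default"               # "Default" or a named cipher
    applet_details: Optional[str] = None  # local-port:server-host:server-port
    extend_session: bool = False

    def is_dynamic(self) -> bool:
        # A dynamic rule has the literal word TARGET as its only target host;
        # the user supplies the real host when the connection is made.
        return self.target_hosts == [DYNAMIC_TARGET]

    def validate(self) -> List[str]:
        """Return the problems found; an empty list means the rule satisfies
        every constraint this chapter states."""
        problems = []
        if not self.name.strip():
            problems.append("rule name is empty")
        if not 1 <= self.local_port <= 65535:
            problems.append("local port %d is out of range" % self.local_port)
        # Assumption: a rule is an FTP rule when its URL uses the ftp scheme.
        if self.url.lower().startswith("ftp:") and self.local_port != FTP_LOCAL_PORT:
            problems.append("FTP rule must use local port %d" % FTP_LOCAL_PORT)
        if not self.target_hosts:
            problems.append("no target host given")
        if DYNAMIC_TARGET in self.target_hosts and not self.is_dynamic():
            problems.append("a dynamic rule must have TARGET as its only target host")
        if not self.target_ports:
            problems.append("no target port given")
        for port in self.target_ports:
            if not 1 <= port <= 65535:
                problems.append("target port %d is out of range" % port)
        if self.applet_details is not None:
            try:
                parse_applet_details(self.applet_details)
            except ValueError as exc:
                problems.append("applet details: %s" % exc)
        return problems


def validate_rule_set(rules: List[NetletRule]) -> List[str]:
    """Check a whole Netlet Rules list: each rule individually, plus the
    requirement that every rule name be unique."""
    problems = []
    seen = set()
    for rule in rules:
        if rule.name in seen:
            problems.append("duplicate rule name %r" % rule.name)
        seen.add(rule.name)
        problems.extend("%s: %s" % (rule.name, p) for p in rule.validate())
    return problems


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real deployment.
    ftp_rule = NetletRule("ftp-rule", "ftp://", 30021, ["TARGET"], [21])
    bad_rule = NetletRule("ftp-bad", "ftp://", 30022, ["TARGET", "host1"], [21],
                          applet_details="58000:apps.example.com")
    for line in validate_rule_set([ftp_rule, bad_rule, ftp_rule]):
        print(line)
```

Run the file directly to see the report for the constructed rules; the bad rule is flagged for its local port, its mixed static and dynamic target hosts, and its two-part applet string, and the repeated name is reported as a duplicate.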
Modify an Existing Netlet Rule
You can modify existing rules at the organization, role, or user levels from the Identity Management tab in the administration console. These rules are inherited by any new organization that you create.
To Modify a Netlet Rule
- Log in to the Identity Server administration console as administrator.
- Choose the Identity Management tab.
- Choose the Organization for which you want to modify the rule.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page is displayed in the right pane.
- Click the name of the rule that you want to modify.
The Edit Netlet Rule page is displayed.
- Make changes as required and click Save.
The modified rule is saved and you are returned to the Netlet page.
Delete a Netlet Rule
You can delete Netlet rules at a global level in the Identity Management tab of the administration console.
To Delete a Netlet Rule
- Log in to the Identity Server administration console as administrator.
- Choose the Identity Management tab.
- Choose the Organization for which you want to delete the rule.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page is displayed in the right pane.
- Select the checkbox next to the rule that you want to delete from the Netlet Rules list.
- Click Delete.
The selected rule is removed from the Netlet Rules list.
Specify the Default Encryption Cipher
You need to specify the default cipher for the Netlet rules. This is useful when using existing rules that did not include the cipher as a part of the rule. This is a mandatory field. See Backward Compatibility.
To Specify the Default Cipher
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Default Native VM Cipher or Default Java Plugin Cipher field and select the required cipher from the drop-down list. See Supported Ciphers for a list of supported ciphers.
- Click Save at the top or bottom of the Netlet page to record the change.
Assign the Default Loopback Port
This attribute specifies the port to be used on the local machine when applets are downloaded through Netlet. The default value of 58000 is used unless it is overridden in the Netlet rules.
To Assign the Default Loopback Port
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Default Loopback Port field and type the desired port number.
- Click Save at the top or bottom of the Netlet page to record the change.
Enable Reauthentication for Connections
Enable this option if you want the user to enter the Netlet password each time a Netlet connection needs to be established. If you enable this option, the warning popup for connections is not displayed on the user’s desktop. See Enable Warning Popup Dialog Box for Connections for details.
Enabling this option allows the user to change the reauthentication password using the Netlet channel edit option. The initial password is srap-Netlet by default.
To Enable Reauthentication for Connections
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Reauthenticate for Connections field and select the option.
- Click Save at the top or bottom of the Netlet page to record the change.
Enable Warning Popup Dialog Box for Connections
This attribute displays a warning popup dialog box on the user’s desktop when someone is trying to connect to Netlet through the listen port and the user is running an application using Netlet. If you do not want the popup to appear on the user’s desktop, deselect this attribute.
To Enable the Warning Popup for Connections
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the "location" in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Select the Display Warning Popup for Connections checkbox to enable the warning popup.
- Click Save at the top or bottom of the Netlet page to record the change.
Enable the Display Checkbox in Port Warning Dialog
If this attribute is enabled in the administration console, a checkbox is displayed in the warning popup on the user’s desktop when Netlet tries to connect to the destination host through a freely available port on the local machine. This checkbox gives the user the option to enable or disable the popup by checking or unchecking it on the desktop.
You can allow the user to suppress this warning popup by disabling the Display Checkbox in Port Warning Dialog option in the administration console.
To Allow the User to Suppress the Port Warning Dialog
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Display Checkbox in Port Warning Dialog field and uncheck the box.
- Click Save at the top or bottom of the Netlet page to record the change.
Set the Keep Alive Interval
If the client connects to the Gateway through a web proxy, idle Netlet connections are disconnected when the proxy times out. To prevent this, set this parameter to a value less than the proxy timeout.
To Set the Keep Alive Interval
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Keep Alive Interval (in minutes) field, and type the required time interval.
- Click Save at the top or bottom of the Netlet page to record the change.
Set the Terminate Netlet at Portal Logout Option
Enable this option if you want to ensure that all connections are terminated when a user logs out of the Portal Server. This ensures greater security. This option is enabled by default.
Disable this option to ensure that live Netlet connections are operational even after the user has logged out of the Portal Server desktop.
Note
Disabling this option does not allow the user to make new Netlet connections after logging out of the Portal Server. Only existing connections are preserved.
To Set the Terminate Netlet at Portal Logout Option
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Terminate Netlet at Portal Logout field and select or deselect the option as required.
- Click Save at the top or bottom of the Netlet page to record the change.
See also Running Netlet in a Sun Ray Environment.
Define Access to Netlet Rules
You can define access to specific Netlet rules for certain organizations, roles or users.
To Define Access to Netlet Rules
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Access to Netlet Rules field.
- Type the name of the rule that you want to make available for the selected organization in the Access to Netlet Rules field.
An asterisk (*) in this field indicates that all the defined Netlet rules are available for the selected organization.
- Click Add.
The specified rule is added to the Access to Netlet Rules list.
- Repeat steps 7, 8 and 9 for each Netlet rule that you want to make available.
- Click Save at the top or bottom of the Netlet page to record the change.
Denying Access to Netlet Rules
You can deny access to specific Netlet rules for certain organizations, roles or users.
To Deny Access to Netlet Rules
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Deny Netlet Rules field.
- Type the name of the rule to which you want to deny access for the selected organization in the Deny Netlet Rules field.
An asterisk (*) in this field indicates that all the defined Netlet rules are denied access for the selected organization.
- Click Add.
The specified rule is added to the Deny Netlet Rules list.
- Repeat steps 7, 8 and 9 for each Netlet rule for which you want to deny access.
- Click Save at the top or bottom of the Netlet page to record the change.
Allow Access to Hosts
You can define access to specific hosts for certain organizations, roles or users. This enables you to allow access to certain hosts. For example, you can set up the Allow list with five hosts to which the user can telnet.
To Allow Access to Hosts
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Allowed Hosts field.
- Type the name of the host for which you want to allow access in the Allowed Hosts field.
An asterisk (*) in this field indicates that all the hosts in the specified domain are accessible. For example, if you specify *.sesta.com, all the Netlet targets within the sesta.com domain can be executed by the user. You can also specify a wild card IP address such as xxx.xxx.xxx.*.
- Click Add.
The specified host is added to the Allowed Hosts list.
- Repeat steps 7 and 8 for each host that you want to make available.
- Click Save at the top or bottom of the Netlet page to record the change.
Deny Access to Hosts
You can deny access to specific hosts within an organization. Specify the host for which you want to deny access in the Denied Hosts list.
To Deny Access to Hosts
- Log in to the Identity Server administration console as administrator.
- Select the Identity Management tab.
- Select Organizations from the View drop-down list.
- Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.
- Select Services from the View drop-down list.
- Click the arrow next to Netlet under SRA Configuration.
The Netlet page displays in the right pane.
- Scroll to the Denied Hosts field.
- Type the name of the host for which you want to deny access in the Denied Hosts field.
An asterisk (*) in this field indicates that the user is denied access to all the hosts within the selected organization. For example, to deny access to all the hosts in the organization sesta, type *.sesta.com in the Denied Hosts field.
To deny access to a specific host, specify the fully qualified name. For example, to deny access to a host abc, type abc.sesta.com.
- Click Add.
The specified domain is added to the Access to Domains list.
- Repeat steps 7 and 8 for each domain that you want to make available.
- Click Save at the top or bottom of the Netlet page to record the change.
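The four list attributes above (Access to Netlet Rules, Deny Netlet Rules, Allowed Hosts and Denied Hosts) all use the same entry forms: an exact name, an asterisk on its own meaning everything, and wildcard patterns such as *.sesta.com or xxx.xxx.xxx.*. The following evaluator is an added example, not part of this guide or of the Portal Server product, that shows how a target host or a rule name is matched against such lists and which entry produced the decision, so an administrator can check a planned list before saving it. The function names, the precedence of Denied over Allowed entries, and the refusal of a value that matches neither list are assumptions, not documented Netlet behaviour.

```python
# Added example (not Sun's documentation or product code): evaluate a host or a
# Netlet rule name against Allowed/Denied lists written in the wildcard forms
# this chapter shows ("*", "*.sesta.com", "xxx.xxx.xxx.*"). Function names,
# deny-overrides-allow precedence and default refusal are assumptions.
import re
from typing import Dict, Iterable, List, Tuple


def _compile(pattern: str) -> "re.Pattern":
    """Turn one list entry into an anchored regex: every '*' matches any run of
    characters and everything else is literal. '*.sesta.com' therefore matches
    any host under sesta.com, and '10.1.2.*' any address that starts 10.1.2."""
    pieces = [re.escape(p) for p in pattern.strip().lower().split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def matches(pattern: str, value: str) -> bool:
    """Case-insensitive match of a host name, address or rule name to an entry."""
    return _compile(pattern).match(value.strip().lower()) is not None


def decide(value: str, allowed: Iterable[str], denied: Iterable[str]) -> Tuple[bool, str]:
    """Return (permitted, reason) for one target host or rule name.
    Denied entries are checked first (assumed precedence), then Allowed;
    a value matching neither list is refused (assumed default)."""
    for entry in denied:
        if matches(entry, value):
            return False, "denied by entry %r" % entry
    for entry in allowed:
        if matches(entry, value):
            return True, "allowed by entry %r" % entry
    return False, "no Allowed entry matches"


def audit_rules(rules: Dict[str, List[str]], allowed_hosts: Iterable[str],
                denied_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """For a mapping of rule name -> target hosts, report the static targets the
    host lists would block. Dynamic rules (target 'TARGET') are skipped because
    their host is only known when the user connects."""
    allowed_hosts, denied_hosts = list(allowed_hosts), list(denied_hosts)
    report = {}
    for name, targets in rules.items():
        report[name] = [t for t in targets
                        if t != "TARGET" and not decide(t, allowed_hosts, denied_hosts)[0]]
    return report


if __name__ == "__main__":
    # Constructed lists and rules for illustration; sesta.com is the example
    # domain used in this chapter, the hosts are made up.
    allowed = ["*.sesta.com", "10.1.2.*"]
    denied = ["abc.sesta.com"]
    for host in ["ftp.sesta.com", "abc.sesta.com", "10.1.2.7", "sesta.com", "ftp.sesta.com.example.net"]:
        print(host, decide(host, allowed, denied))
    print(audit_rules({"telnet-rule": ["abc.sesta.com", "ftp.sesta.com"],
                       "dynamic-rule": ["TARGET"]}, allowed, denied))
```

Two points the output makes visible: a pattern without the leading dot (for example *sesta.com) would also match hosts such as evilsesta.com, so the *.sesta.com form from the procedure is the one to use; and because the patterns are anchored, ftp.sesta.com.example.net is not treated as being inside sesta.com.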
Proxy Configuration
The following attributes can be configured at the user level:
If you do not specify these values in the administration console and Netlet is unable to determine the browser proxy setting, the user is asked for this information when a connection is being established through Netlet for the first time. This information is stored and used for future connections by the user.
Netlet fails to determine the browser proxy setting in the following scenarios:
- The user has Internet Explorer 4.x, 5.x or 6.x with Java plug-in (version less than 1.4.0), has enabled the "Use Browser Settings" option in the Proxies tab of the Java Plug-in Control Panel, and has specified an add-on product or INS file in the "Use automatic configuration script" field in the Local Area Network Settings dialog of Internet Explorer.
- The user has Netscape 6.2 with Java Plug-in (version 1.3.1_01 or greater) and has enabled the "Use Browser Settings" option in the Proxies tab of the Java Plug-in Control Panel.
In both these cases, Netlet may not be able to determine the browser settings, and hence the user is asked to supply the following information:
Enable Debug Logging
The location of the debug information depends on the setting of the com.iplanet.services.debug.directory attribute in the AMConfig-instance-name.properties file on the Portal Server node.
For example, if the value of the com.iplanet.services.debug.directory attribute is:
/var/opt/SUNWam/debug/
Then the debug information for Netlet will be available in the srapNetlet file in the /var/opt/SUNWam/debug directory.
See the Identity Server Administration Guide for more information.