Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Overview
HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
Key Components
Your SafeLinx deployment includes a range of components. Many components, including the access manager, SafeLinx Server, persistent data storage, and SafeLinx Administrator are common to all deployments. Other components, such as mobile access services, are used only if you support specific types of connections.
Authentication profiles
Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or mobile access VPN connections.
Lightweight third-party authentication support
Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.
LTPA considerations when SafeLinx doesn't function as a boundary server
If SafeLinx is installed within a corporate network and doesn't function as a boundary server, you can configure it to accept LTPA cookies from other servers in the network.

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
  - Key Components
    Your SafeLinx deployment includes a range of components. Many components, including the access manager, SafeLinx Server, persistent data storage, and SafeLinx Administrator are common to all deployments. Other components, such as mobile access services, are used only if you support specific types of connections.
    - Access manager
      The access manager is the server-side process that communicates with the SafeLinx Administrator administrative application to manage configuration information for the HCL SafeLinx Server.
    - SafeLinx Server
      The SafeLinx Server provides a gateway through which mobile computing devices on a range of external networks connect securely to resources on your organization's private internal network.
    - Persistent data storage
      The SafeLinx Server needs access to an ODBC-compliant relational database to store configuration information, session data, and accounting and billing information.
    - SafeLinx Administrator
      The SafeLinx Administrator is the application that you use to configure, monitor, and maintain the resources of one or more SafeLinx Servers.
    - Directory service servers
      A directory service server (DSS) is a resource that designates an external user account database, such as an LDAP server, and provides information on how to connect to it.
    - Organizational units
      Organizational units (OUs) are containers that are used to group and isolate resources and, in combination with ACLs and ACL profiles, to control administrative access to those resources.
    - Admins
      Admins are users who are authorized to use the SafeLinx Administrator to configure, define maintain, and monitor SafeLinx Server resources.
    - HTTP access services
      HTTP access services enable secure connections between a remote mobile device and HTTP services on the internal network, such as HCL Traveler and HCL Sametime. HTTP access services do not require installation of a VPN client, and are sometimes said to provide clientless access. HTTP access services are secured with Transport Layer Security (TLS) encryption.
    - Mobile access services
      Mobile access services provide SafeLinx Clients with secure, virtual private network (VPN) access from external networks so that you can make enterprise applications and data available to your mobile workforce. Mobile access services support a wide range of wireless and dial-up networks.
    - Messaging services
      Messaging services enable a web application server to send messages from a wired network to a client on a wireless network.
    - Authentication profiles
      Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or mobile access VPN connections.
      - Lightweight third-party authentication support
        Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.
        LTPA in a Domino/iNotes/Traveler server environment
        If you use HTTP access services in a HCL Domino® or iNotes® environment, there are several notes to review about integration.
        LTPA considerations when SafeLinx doesn't function as a boundary server
        If SafeLinx is installed within a corporate network and doesn't function as a boundary server, you can configure it to accept LTPA cookies from other servers in the network.
    - Certificates
      SafeLinx uses X.509 certificates to establish TLS connections between the SafeLinx Server and other devices. Certificates can also be used for client authentication.
    - Wireless password policies
      A wireless password policy defines the rules that govern users' passwords. When you create a user ID and require a password, you can specify the password policy that applies to the user.
    - Device resolver
      The device resolver works in conjunction with network access servers (NAS) to uniquely identify devices whenever they connect to the network.
    - User accounts
      SafeLinx maintains a user database that contains account information for each user. These user account records can be added to the database in one of two ways, depending on how you manage authentication.
    - Groups
      A group is a collection of resources that you designate for combined use.
    - Access control lists and ACL profiles
      An access control list (ACL) is a table of access levels for all resource types per organizational unit (OU).
    - Client roles
      The SafeLinx Server connects with clients based on which features are installed and configured.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

LTPA considerations when SafeLinx doesn't function as a boundary server

If SafeLinx is installed within a corporate network and doesn't function as a boundary server, you can configure it to accept LTPA cookies from other servers in the network.

A SafeLinx proxy server typically functions as a boundary firewall server that manages all incoming requests. As such, for security reasons it accepts only LTPA cookies that it generates.

Sometimes SafeLinx doesn't function as a boundary server. For example, in the case of HCL Nomad for web browsers, you set up SafeLinx within the corporate network where it functions as a proxy for accessing Domino databases.

When SafeLinx doesn't function as a boundary server, you can configure it to accept LTPA cookies from other servers in the network. Doing so avoids the need for users to authenticate again through SafeLinx after previously authenticating through another server. For example, if users log into HCL Verse or HCL Connections, they can open Nomad for web browsers without authenticating through SafeLinx.

To configure SafeLinx to accept LTPA cookies from other servers in the network, enter the following command:

chwg -s <objectclass> -l <keyvalue> -a ibm-wlAllowLtpa=TRUE

where <objectclass> is the object class for the configured resource and <keyvalue> is the keyvalue for the resource.

A Nomad for web browsers example:

chwg -s hcl-wlNomad -l nomad-web-proxy0 -a ibm-wlAllowLtpa=TRUE