Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Adding and configuring resources
After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
Adding a mobile access service
If there is no mobile access service configured for the SafeLinx Server, you can add one.
Resources for mobile access services
To support mobile access services, you can add the following types of resources to your HCL SafeLinx deployment.
TCP-Lite
TCP-Lite is a service that provides an alternative transport channel for TCP communications. To reduce the amount of data that is sent, the TCP-Lite service intercepts TCP communications and strips out some of the session control information.

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
  - Types of resources
    Before a deployment can support client connections, you must add components to the SafeLinx Server. You use the SafeLinx Administrator to add and configure components. These components include resources to support HTTP access services, mobile access services, and messaging services, and resources to establish security and facilitate administration.
  - Defining a SafeLinx Server by using the SafeLinx Administrator
    Before you can define a SafeLinx Server, you must configure the access manager. If you connect to a SafeLinx Server and its access manager is not yet configured, a wizard leads you through the access manager configuration first. After that process completes, you can configure the SafeLinx Server.
  - Configuring a directory server
    You can configure the SafeLinx Server to retrieve user profile information from an external LDAP server. The directory server that you configure also provides information about how to contact other directory server services. After you configure a directory server, you can assign it to an LDAP-bind authentication profile to authenticate clients when they log in.
  - Securing communications between the SafeLinx Server and other nodes
    The SafeLinx Server and the services that it hosts exchange data with clients on the external network and with different types of servers on the internal network. To ensure the privacy of these communications, you can use TLS protocols to encrypt connections between the SafeLinx Server and other nodes.
  - Adding HTTP access services
    Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.
  - Configuring an HCL Nomad server
    You can configure a SafeLinx as an HCL Nomad server that acts as a proxy for HCL Nomad clients.
  - Configuring SafeLinx as a reverse proxy for Verse high availability
    You can configure HCL SafeLinx to function as a reverse proxy that distributes requests across HCL Verse servers to provide failover and load balancing.
  - Adding authentication profiles
    Add an authentication profile to specify how HCL SafeLinx authenticates users before it permits access to application servers. SafeLinx supports the following authentication methods: LDAP-bind, RADIUS, and certificate-based.
  - Adding a mobile access service
    If there is no mobile access service configured for the SafeLinx Server, you can add one.
    - Adding a mobile network connection
      The SafeLinx Server accepts connections for mobile access services and messaging services through mobile network connections (MNCs). Use the SafeLinx Administrator to add an MNC to the SafeLinx Server for each type of external network that client devices use.
    - Adding a mobile network interface
      You add a mobile network interface (MNI) to a mobile access service to define the IP interface through which the service exchanges information with SafeLinx Clients.
    - Connection and transport profiles
      A connection profile is a set of configuration properties that is assigned to a mobile network connection (MNC) to control security and performance between an MNC and the SafeLinx Clients that connect to it. When you create an MNC or edit its properties, you assign it a connection profile.
    - Storing client-based certificates
      SafeLinx Clients can use client certificates to authenticate with the Connection Manager. To use client certificate authentication, install an X.509 certificate that you obtain from a certificate authority (CA) on the mobile device.
    - Adding a routing alias to route traffic through a SafeLinx Client to a subnetwork
      A mobile access service can route data to a designated subnetwork through a multihomed SafeLinx Client. To enable subnetwork routing through a SafeLinx Client, define a routing alias that specifies the IP addresses of the client and of the destination subnetwork.
    - Configuring cluster nodes
      Automatically installed and inactive by default, each cluster manager resource is displayed under the SafeLinx Server. Cluster managers define subordinate or principal nodes in a cluster.
    - Configuring a redundant RNC with remotely controlled A/B switches
      On Motorola PMR networks you can configure a remotely controlled A/B switch to instruct the radio network controller (RNC) to send traffic to a specific Motorola private mobile radio (PMR) base station. You can configure mobile access services to send alert messages to a remotely controlled A/B switch attached to a redundant RNC 3000. You can define up to four switches.
    - Resources for mobile access services
      To support mobile access services, you can add the following types of resources to your HCL SafeLinx deployment.
      - TCP-Lite
        TCP-Lite is a service that provides an alternative transport channel for TCP communications. To reduce the amount of data that is sent, the TCP-Lite service intercepts TCP communications and strips out some of the session control information.
        HTTP codec
        HTTP codec is a service that uses TCP-Lite as an underlying transport. This transport provides a reduction in the over-the-air (OTA) byte count by removing or byte-encoding header fields in a HyperText Transport Protocol (HTTP) data stream.
      - Groups for mobile access services
        You can create groups for mobile access services as a way to collect and store resources that can then be used collectively.
      - Mobile devices
        Mobile devices are defined to a SafeLinx Server, but they are used by mobile access services only.
      - Modem profiles
        A modem profile contains configuration information that enables the mobile access services to communicate with a public switched telephone network (PSTN) modem.
      - Network address translator
        A network address translator (NAT) reassigns the IP addresses of SafeLinx Clients who connect through an MNI that is configured to use NAT. The real source address of a SafeLinx Client packet gets assigned to the NAT address and the NAT maps the packet to a specific port. You can use a NAT to redirect traffic through a specified subnetwork that is represented by an MNI.
      - Packet mappings
        Although packet mappings are defined to a SafeLinx Server, packet mappings are expressly used by mobile access services.
      - Filters
        A filter is a resource that is assigned to an MNI. Positive or negative filters control some types of traffic through a specified MNI subnetwork. You add filters to a SafeLinx Server, but they apply to mobile access services only.
  - Adding messaging services
    Add messaging services to the SafeLinx Server to enable applications to send messages to messaging clients, such as a pager or a phone, over mobile wireless networks. Messaging services include support for short message service (SMS) delivery, and mobile-originated message delivery.
  - Adding users
    If your SafeLinx deployment does not use an external LDAP or RADIUS authentication server, use SafeLinx Administrator to create user accounts. You can add users individually or in a batch mode.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

TCP-Lite

TCP-Lite is a service that provides an alternative transport channel for TCP communications. To reduce the amount of data that is sent, the TCP-Lite service intercepts TCP communications and strips out some of the session control information.

TCP-Lite provides a simplified version of TCP that suppresses transmission of some of the TCP protocol data units (PDUs) that are used to negotiate the creation and closure of sessions. At the same time, TCP-Lite transmits all of the application data from the original channel, maintaining the order, integrity, reliability, and security of the original TCP transport.

Applications that use TCP to communicate between a client and server need no modification to use TCP-Lite. In environments in which clients require multiple or frequent session establishment, TCP-Lite reliably reduces the amount of data that is transferred between the client and server.

A TCP-Lite transport is applied to a transport profile, which is applied to a connection profile. The connection profile is a set of configuration properties that are assigned to an MNC to control the performance options between an MNC and SafeLinx Clients that connect to it.

The Table 1 lists the key properties that you can set for a TCP-Lite service:

Table 1. TCP-Lite service properties
Property	Description
TCP destination port to filer on	The destination port number of an application that can use TCP-Lite for transport. Only packets with the specified port number are allowed to use TCP-Lite.
IP address	The destination address of an application server for which TCP-Lite transport is valid. Packets that are sent to other IP addresses cannot use TCP-Lite.
Subnet mask	A bit-wise subnet mask to apply to the preceding address to define a range of destination addresses for which TCP-Lite transport is valid.
Maximum number of retransmits	The number of times that a packet can be retransmitted before it is discarded and the session is reset.
Retransmit interval	The time in seconds that the TCP-Lite transport waits before it retransmits a data segment whose receipt was not acknowledged.