Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Adding and configuring resources
After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
Adding authentication profiles
Add an authentication profile to specify how HCL SafeLinx authenticates users before it permits access to application servers. SafeLinx supports the following authentication methods: LDAP-bind, RADIUS, and certificate-based.
Adding LDAP-bind authentication profiles
Add an LDAP-bind authentication profile to provide the SafeLinx Server with information about how to connect directly with an LDAP server to authenticate users.
Configuring LDAP-bind authentication profiles for use with Integrated Windows™ Authentication
You can configure an LDAP-bind authentication profile that connects to an Active Directory server to support Integrated Windows Authentication. Under this configuration, users of the SafeLinx Client for Windows can authenticate with the SafeLinx Server with their Windows credentials. Integrated Windows Authentication is sometimes referred to as the Pre-Logon Access Provider (PLAP), or as GINA (Graphical Identification and Authentication).

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
  - Types of resources
    Before a deployment can support client connections, you must add components to the SafeLinx Server. You use the SafeLinx Administrator to add and configure components. These components include resources to support HTTP access services, mobile access services, and messaging services, and resources to establish security and facilitate administration.
  - Defining a SafeLinx Server by using the SafeLinx Administrator
    Before you can define a SafeLinx Server, you must configure the access manager. If you connect to a SafeLinx Server and its access manager is not yet configured, a wizard leads you through the access manager configuration first. After that process completes, you can configure the SafeLinx Server.
  - Configuring a directory server
    You can configure the SafeLinx Server to retrieve user profile information from an external LDAP server. The directory server that you configure also provides information about how to contact other directory server services. After you configure a directory server, you can assign it to an LDAP-bind authentication profile to authenticate clients when they log in.
  - Securing communications between the SafeLinx Server and other nodes
    The SafeLinx Server and the services that it hosts exchange data with clients on the external network and with different types of servers on the internal network. To ensure the privacy of these communications, you can use TLS protocols to encrypt connections between the SafeLinx Server and other nodes.
  - Adding HTTP access services
    Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.
  - Configuring an HCL Nomad server
    You can configure a SafeLinx as an HCL Nomad server that acts as a proxy for HCL Nomad clients.
  - Configuring SafeLinx as a reverse proxy for Verse high availability
    You can configure HCL SafeLinx to function as a reverse proxy that distributes requests across HCL Verse servers to provide failover and load balancing.
  - Adding authentication profiles
    Add an authentication profile to specify how HCL SafeLinx authenticates users before it permits access to application servers. SafeLinx supports the following authentication methods: LDAP-bind, RADIUS, and certificate-based.
    - Adding LDAP-bind authentication profiles
      Add an LDAP-bind authentication profile to provide the SafeLinx Server with information about how to connect directly with an LDAP server to authenticate users.
      - Configuring LDAP-bind authentication profiles for use with Integrated Windows™ Authentication
        You can configure an LDAP-bind authentication profile that connects to an Active Directory server to support Integrated Windows Authentication. Under this configuration, users of the SafeLinx Client for Windows can authenticate with the SafeLinx Server with their Windows credentials. Integrated Windows Authentication is sometimes referred to as the Pre-Logon Access Provider (PLAP), or as GINA (Graphical Identification and Authentication).
    - Using RADIUS servers
      You can configure the SafeLinx Server to use and communicate with third-party RADIUS servers.
    - Configuring client certificate authentication for SafeLinx Clients
      You can configure an authentication profile that requires SafeLinx Clients to present X.509 certificates when they log in.
  - Adding a mobile access service
    If there is no mobile access service configured for the SafeLinx Server, you can add one.
  - Adding messaging services
    Add messaging services to the SafeLinx Server to enable applications to send messages to messaging clients, such as a pager or a phone, over mobile wireless networks. Messaging services include support for short message service (SMS) delivery, and mobile-originated message delivery.
  - Adding users
    If your SafeLinx deployment does not use an external LDAP or RADIUS authentication server, use SafeLinx Administrator to create user accounts. You can add users individually or in a batch mode.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

Configuring LDAP-bind authentication profiles for use with Integrated Windows™ Authentication

You can configure an LDAP-bind authentication profile that connects to an Active Directory server to support Integrated Windows Authentication. Under this configuration, users of the SafeLinx Client for Windows can authenticate with the SafeLinx Server with their Windows credentials. Integrated Windows Authentication is sometimes referred to as the Pre-Logon Access Provider (PLAP), or as GINA (Graphical Identification and Authentication).

Before you begin

Configure an LDAP-bind authentication profile to connect to an Active Directory server. For more information, see Adding LDAP-bind authentication profiles.

About this task

You can enable users of the SafeLinx Client for Windows to use their Windows credentials to authenticate with the SafeLinx Server. To configure SafeLinx to work with Integrated Windows Authentication, you must include specific settings in the LDAP-bind or RADIUS authentication profile that governs authentication for the SafeLinx Client users.

After you configure the authentication profile, you must also configure the SafeLinx Client for Windows to enable users to log in with their Windows credentials.

To configure an LDAP-bind authentication profile to support Integrated Windows Authentication, complete the following procedure.

Procedure

From the SafeLinx Administrator, expand the OU that contains the authentication profiles for your deployment and double-click Authentication Profile.
From the Authentication Profile resource list, click the LDAP-bind authentication profile that you want to configure, and then click Properties.
On the General page of the LDAP-bind authentication profile, select Request Windows credentials from GINA.
On the LDAP page, type sAMAccountName in the User key field field.
In the LDAP Attribute used for lock status field, type userAccountControl.
Configure the SafeLinx Client for Windows to support the use of Windows login credentials to authenticate with the SafeLinx Server.
For more information, see The SafeLinx Client for Windows in the SafeLinx Clients section.