Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Overview
HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
Key Components
Your SafeLinx deployment includes a range of components. Many components, including the access manager, SafeLinx Server, persistent data storage, and SafeLinx Administrator are common to all deployments. Other components, such as mobile access services, are used only if you support specific types of connections.
Authentication profiles
Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or mobile access VPN connections.
Lightweight third-party authentication support
Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.
LTPA in a Domino/iNotes/Traveler server environment
If you use HTTP access services in a HCL Domino® or iNotes® environment, there are several notes to review about integration.

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
  - Key Components
    Your SafeLinx deployment includes a range of components. Many components, including the access manager, SafeLinx Server, persistent data storage, and SafeLinx Administrator are common to all deployments. Other components, such as mobile access services, are used only if you support specific types of connections.
    - Access manager
      The access manager is the server-side process that communicates with the SafeLinx Administrator administrative application to manage configuration information for the HCL SafeLinx Server.
    - SafeLinx Server
      The SafeLinx Server provides a gateway through which mobile computing devices on a range of external networks connect securely to resources on your organization's private internal network.
    - Persistent data storage
      The SafeLinx Server needs access to an ODBC-compliant relational database to store configuration information, session data, and accounting and billing information.
    - SafeLinx Administrator
      The SafeLinx Administrator is the application that you use to configure, monitor, and maintain the resources of one or more SafeLinx Servers.
    - Directory service servers
      A directory service server (DSS) is a resource that designates an external user account database, such as an LDAP server, and provides information on how to connect to it.
    - Organizational units
      Organizational units (OUs) are containers that are used to group and isolate resources and, in combination with ACLs and ACL profiles, to control administrative access to those resources.
    - Admins
      Admins are users who are authorized to use the SafeLinx Administrator to configure, define maintain, and monitor SafeLinx Server resources.
    - HTTP access services
      HTTP access services enable secure connections between a remote mobile device and HTTP services on the internal network, such as HCL Traveler and HCL Sametime. HTTP access services do not require installation of a VPN client, and are sometimes said to provide clientless access. HTTP access services are secured with Transport Layer Security (TLS) encryption.
    - Mobile access services
      Mobile access services provide SafeLinx Clients with secure, virtual private network (VPN) access from external networks so that you can make enterprise applications and data available to your mobile workforce. Mobile access services support a wide range of wireless and dial-up networks.
    - Messaging services
      Messaging services enable a web application server to send messages from a wired network to a client on a wireless network.
    - Authentication profiles
      Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or mobile access VPN connections.
      - Lightweight third-party authentication support
        Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.
        LTPA in a Domino/iNotes/Traveler server environment
        If you use HTTP access services in a HCL Domino® or iNotes® environment, there are several notes to review about integration.
        LTPA considerations when SafeLinx doesn't function as a boundary server
        If SafeLinx is installed within a corporate network and doesn't function as a boundary server, you can configure it to accept LTPA cookies from other servers in the network.
    - Certificates
      SafeLinx uses X.509 certificates to establish TLS connections between the SafeLinx Server and other devices. Certificates can also be used for client authentication.
    - Wireless password policies
      A wireless password policy defines the rules that govern users' passwords. When you create a user ID and require a password, you can specify the password policy that applies to the user.
    - Device resolver
      The device resolver works in conjunction with network access servers (NAS) to uniquely identify devices whenever they connect to the network.
    - User accounts
      SafeLinx maintains a user database that contains account information for each user. These user account records can be added to the database in one of two ways, depending on how you manage authentication.
    - Groups
      A group is a collection of resources that you designate for combined use.
    - Access control lists and ACL profiles
      An access control list (ACL) is a table of access levels for all resource types per organizational unit (OU).
    - Client roles
      The SafeLinx Server connects with clients based on which features are installed and configured.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

LTPA in a Domino/iNotes/Traveler server environment

If you use HTTP access services in a HCL Domino® or iNotes® environment, there are several notes to review about integration.

To use HTTP access services in a HCL Domino®, HCL iNotes®, or HCL Traveler environment:

Use a RADIUS/SecureID or LDAP-bind authentication profile.
Set the LTPA token realm or domain to a domain common to the external address of the SafeLinx server and the internal address of the Domino server.
For LDAP-bind authentication profiles, specify the LDAP user attribute to query in the LTPA token user identification field. Typically, the value of this field is set to distinguished name, but the values you use depends on your environment.
Select Enable SSO. Next, set the SSO domain to the fully qualified external address of the HCL SafeLinx server. Optionally, to require the use of secure SSO connections, select Enable SSO over SSL connections only.
Export the key to a key file and import this key file on the Domino® server. You can use a key that you generate from SafeLinx or import a key from another source.