Preparing the network environment
Preparing your network environment depends on the setup of specific resources and on the requirements of your operating system. Before you begin, gather the following information:
- Admin user IDs and passwords for your organization's LDAP server, database servers, and other authentication servers
- Contact information for the other network administrators with whom you might have to coordinate work, for example, the administrators of your firewall, DNS, database, LDAP, and application servers
- IP addresses or host names of LDAP servers, database servers, and firewalls
- For LDAP authentication, the Base DN (distinguished name) in which to search for user accounts, and the DN and password of the account that SafeLinx uses to bind to the directory (or confirmation that anonymous queries are permitted)
- The ports to be opened on both internet-facing and internally-facing firewalls. For more information, see Firewall issues.
For Windows deployments, after you run the Installation wizard, launch the First Steps configuration wizard by selecting the check box in the final installation panel. The wizard is available on Windows only; it is not part of the AIX or Linux installations. From the First Steps configuration wizard, you can launch the Database configuration wizard to specify the storage method for SafeLinx configuration and session data.
As an alternative to the Database configuration wizard, you can use data definition language (DDL) scripts to configure the persistent storage method. DDL scripts enable database setup in environments in which the SafeLinx administrator does not have access privileges to the database server, because a database administrator who does have those privileges can run the scripts instead. If you use DDL scripts to configure the SafeLinx databases, do not run the Database configuration wizard. For more information, see Persistent data storage requirements and Configuring databases for HCL SafeLinx with DDL.
The Windows First Steps configuration wizard also contains links that launch SafeLinx Administrator and the online help. After database configuration is complete, open SafeLinx Administrator to add and configure the other resources. The following table describes some of the resources that are needed for different types of deployments.
|Access manager||The Access Manager is a process that manages interactions between SafeLinx Administrators, persistent data storage, and other SafeLinx Servers. The Access Manager process is installed automatically on all supported operating systems.
On Windows, the Access Manager runs as a pair of services called SafeLinx Access Manager Service (
For AIX and Linux, the
|SafeLinx Server||The SafeLinx Server integrates all configured application services, configuration objects, and supported networks within a single multihomed host. After the SafeLinx Server is created, the administrator is presented with an option to create an HTTP access service and then Mobile access services.
The HTTP access service enables Secure Sockets Layer (SSL) connections between mobile devices and the SafeLinx Server. Mobile access services establish a virtual private network (VPN) connection between the SafeLinx Server and the SafeLinx Client. After you add Mobile access services, mobile network connections (MNCs) are created automatically for the following protocol types: UDP, TCP, HTTP, and HTTPS.
Note: Mobile access services are required only for deployments that support SafeLinx Client access.|
|Directory server service (DSS)||A Directory server service resource references an LDAP or RADIUS authentication server to be used by the SafeLinx deployment. The DSS specifies the server's host name or IP address and the properties that are used to submit authenticated or anonymous queries to the directory server to validate user credentials. To configure an LDAP DSS, you must know the LDAP Base DN and the administrator's DN and password. To configure a RADIUS DSS, you must know the RADIUS shared secret. In both cases, you must also decide whether the connection to the authentication server is secured. Over an unsecured LDAP connection, both the bind credentials and the users' passwords cross the network in clear text.|
After you create a DSS resource, you must create an Authentication profile. Authentication profiles define how SafeLinx interacts with the authentication server that is specified in a DSS to authenticate login credentials for HTTP access services or VPN connections. In LDAP-bind authentication profiles, you can specify the user attributes that the service looks for when it attempts to validate user credentials. For example, in deployments that use Microsoft Active Directory, you might specify sAMAccountName in the User key field of the authentication profile and userAccountControl in the LDAP attribute used for lock status field.
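The following script is an added example, not SafeLinx code, of the search-then-bind sequence that an LDAP-bind authentication profile performs with those two fields: locate the entry under the Base DN by the user key, read the lock-status attribute, and only then bind as the user. It runs offline against a constructed in-memory directory (the DNs, account names and passwords are made up), and it shows the three checks that matter in practice: the user key value is escaped per RFC 4515 so that it cannot alter the search filter, the search must return exactly one entry, and an empty password is refused before binding because an LDAP simple bind with no password is an anonymous bind that would succeed. The userAccountControl bit values are the ones Microsoft documents for Active Directory.

```python
"""Search-then-bind as performed by an LDAP-bind authentication profile,
simulated offline against a constructed in-memory directory.
Added illustration; not SafeLinx code. All entries, DNs and passwords are made up."""
import hmac
import re

# userAccountControl flag bits, as documented by Microsoft for Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200

# Authentication-profile settings (the "User key" and "lock status" fields).
BASE_DN = "DC=example,DC=com"
USER_KEY = "sAMAccountName"
LOCK_ATTRIBUTE = "userAccountControl"

# Constructed sample directory: DN -> attributes (stands in for the LDAP server).
DIRECTORY = {
    "CN=Alice Adams,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "aadams", "userAccountControl": UF_NORMAL_ACCOUNT,
        "userPassword": "Correct-Horse-1"},
    "CN=Bob Burns,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "bburns", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
        "userPassword": "Battery-Staple-2"},
    "CN=Carol Cole,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "ccole", "userAccountControl": UF_NORMAL_ACCOUNT | UF_LOCKOUT,
        "userPassword": "Purple-Monkey-3"},
    "CN=Svc Backup,OU=Service,DC=other,DC=com": {  # outside BASE_DN: must never match
        "sAMAccountName": "aadams", "userAccountControl": UF_NORMAL_ACCOUNT,
        "userPassword": "Dishwasher-4"},
}


def escape_filter_value(value):
    """RFC 4515 escaping: user input becomes a literal inside the search filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def _assertion_to_regex(assertion):
    """Read an assertion value the way a server does: an unescaped '*' is a
    wildcard, '\\XX' is one literal character."""
    parts, i = [], 0
    while i < len(assertion):
        hexpair = assertion[i + 1:i + 3]
        if assertion[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
            parts.append(re.escape(chr(int(hexpair, 16))))
            i += 3
        elif assertion[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(assertion[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def ldap_search(base_dn, ldap_filter):
    """Subtree search for one equality filter; returns [(dn, attrs), ...]."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only (attr=value) filters are emulated")
    attr, pattern = m.group(1), _assertion_to_regex(m.group(2))
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and attr in attrs and pattern.fullmatch(str(attrs[attr]))]


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the password matches exactly that DN."""
    attrs = DIRECTORY.get(dn)
    return attrs is not None and hmac.compare_digest(
        attrs["userPassword"].encode(), password.encode())


def authenticate(username, password, escape=True):
    """Return 'ok' or the reason for refusal. Log the reason server-side and
    show the user only a generic failure, so nothing leaks which step failed."""
    if not password:
        return "empty password refused (a simple bind with no password is anonymous)"
    value = escape_filter_value(username) if escape else username
    matches = ldap_search(BASE_DN, f"({USER_KEY}={value})")
    if len(matches) != 1:
        return f"search returned {len(matches)} entries, need exactly 1"
    dn, attrs = matches[0]
    if attrs[LOCK_ATTRIBUTE] & UF_ACCOUNTDISABLE:
        return "account disabled"
    if attrs[LOCK_ATTRIBUTE] & UF_LOCKOUT:
        return "account locked"
    if not ldap_bind(dn, password):
        return "bind failed"
    return "ok"


if __name__ == "__main__":
    for user, pwd, esc in [("aadams", "Correct-Horse-1", True),
                           ("bburns", "Battery-Staple-2", True),
                           ("*", "guess", False), ("*", "guess", True)]:
        print(f"{user!r} escaped={esc}: {authenticate(user, pwd, esc)}")
```

Running the block shows the difference escaping makes: with `escape=False`, a user name of `*` turns the filter into a wildcard that matches every account under the Base DN, and the only thing standing between the attacker and a bind attempt is the exactly-one-entry rule; with escaping, the same input matches nothing. The entry under DC=other,DC=com never matches because the search is scoped to the Base DN, which is why that field belongs in the information you gather before deployment.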
|HTTP access service||HTTP access services enable secure connections between a remote mobile device and HTTP services on the internal network, such as IBM Traveler and IBM Sametime. Client-less HTTP connections are secured with secure sockets layer (SSL) encryption.|
Certificates are required to secure HTTP access service connections between mobile devices and the SafeLinx Server. To create certificate requests, or to install and manage certificates, use GSKit (IBM Global Security Kit).
If you are setting up a proof-of-concept or evaluation deployment, you can use self-signed certificates to facilitate rapid deployment. Self-signed certificates have drawbacks in a production environment: no client trusts them by default, so every mobile device either shows certificate warnings or must have the certificate installed as a trust anchor, and there is no issuing authority through which the certificate can be revoked. For more information about setting up and configuring certificates, see the Certificates section in the Featured Documents technote on the SafeLinx support site.
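To make the trust problem concrete, the following added example (not SafeLinx or GSKit commands; it uses OpenSSL, which is assumed to be on the PATH, and a made-up host name) creates a self-signed certificate the way an evaluation deployment would, confirms that issuer and subject are the same name, and then runs the same chain validation a device performs. Validation against the system trust store fails; it passes only when the client is explicitly told to trust that exact certificate, which is the per-device work that a CA-issued certificate avoids.

```shell
#!/bin/sh
# Why self-signed certificates fit only an evaluation deployment.
# Added example using OpenSSL (assumed on PATH); not SafeLinx or GSKit commands.
# The host name and file names are made up.
set -eu

WORK=$(mktemp -d)

# make_selfsigned HOST: create a key and a self-signed certificate for HOST,
# with a subjectAltName so that host-name checking would also pass.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# is_self_signed HOST: prints "yes" when issuer and subject are the same name.
is_self_signed() {
    subject=$(openssl x509 -in "$WORK/$1.crt" -noout -subject)
    issuer=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ] && echo yes || echo no
}

# verify_default HOST: chain validation against the system trust store,
# which is what a mobile device does unless it has been told otherwise.
verify_default() {
    if openssl verify "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# verify_pinned HOST: the same validation when the client has this exact
# certificate installed as a trust anchor (needed on every device).
verify_pinned() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

if [ "${1:-}" = "demo" ]; then
    make_selfsigned vpn.example.com
    echo "self-signed:  $(is_self_signed vpn.example.com)"
    echo "system trust: $(verify_default vpn.example.com)"
    echo "pinned trust: $(verify_pinned vpn.example.com)"
fi
```

Run it with `sh script.sh demo`. The `verify_pinned` result is what an evaluation works around by installing the certificate on each test device; for a production fleet the practical answer is a certificate issued by a CA the devices already trust, which is also the only path that gives you revocation.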
|Mobile network interface (MNI)||A resource that defines a dedicated virtual IP subnet through which the SafeLinx Server and SafeLinx Clients communicate. An MNI reserves an IP address in a subnet as its own and this address is the SafeLinx Client's point-of-presence on the virtual private network.|
|Connection profile||A resource that is assigned to an MNC to control the performance options between the MNC and the SafeLinx Clients that connect to it.
Sample connection profiles are available in the Default Resources organizational unit (OU) in SafeLinx Administrator.
You can alter the default connection profile or create a new profile.
|Transport profile||A resource that is assigned to an IP connection profile and is a set of transport-layer configuration properties. These properties are settings that identify the type of network, such as the adapter name and the speed of the connection. Multiple network names can be associated with one transport profile, and more than one transport profile can be assigned to an IP connection profile.
Several sample transport profiles are available in the Default Resources organizational unit (OU) in SafeLinx Administrator.
You can alter the default transport profile or create a new profile.
- VPN addressing for SafeLinx Clients
- MNC carrier connections