Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 SSLVPN Server
Novell Access Management 3 Access Administration
Situation
Access Manager 3 setup with SSLVPN and Linux Access Gateway on
separate devices. The SSLVPN clients could tunnel requests through
the server to the protected resources without problems. New traffic
rules could be applied, and the SSLVPN clients would inherit these
new rules upon logging in again.
After applying Access Manager 3 Support Pack 1 Release Candidate 1, however, any new rules that were applied in the Administration Console were not visible to the users running the SSLVPN client. These clients, looking at the policies tab available after connecting, would never see the newly configured rules that should have applied to them.
Looking at /etc/opt/novell/sslvpn/config.xml, one could see that the rules were indeed sent over to the SSLVPN server by the Admin Console, but the status of these newly configured rules was false. A typical example of the problem would be the following, where a new rule was configured denying all users access to all UDP applications on the 147.2.35.0/22 subnet. Even though the Admin Console claimed the rule was enabled, the status field clearly showed it was not.
Any
147.2.35.0
255.255.252.0
Any
Deny
Resolution
Select the newly created SSLVPN traffic rule in the Admin Console,
then disable and re-enable it. Note that there will be no indication
given that the rule is disabled and re-enabled, but the status
field in the above config.xml should now show true after the
operation is carried out. Once this is the case, the SSLVPN users
will be able to see this newly added policy.
This bug will also be fixed in the next build.
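Because the Admin Console gives no indication of the rule's real state, the status field in config.xml is the only place to confirm that a Deny rule is actually in force. The script below is an added example, not Novell's code: it lists every entry in the file whose status is false. The element names in the constructed sample are hypothetical, since the file's schema is not shown here; the script relies only on a field named status.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Element names are hypothetical, NOT the product's schema;
# the values are the ones from the rule described above.
SAMPLE = """<config>
  <rules>
    <rule>
      <name>deny-udp-lab</name>
      <protocol>Any</protocol>
      <network>147.2.35.0</network>
      <netmask>255.255.252.0</netmask>
      <port>Any</port>
      <action>Deny</action>
      <status>false</status>
    </rule>
    <rule status="true">
      <name>allow-intranet</name>
      <action>Allow</action>
    </rule>
  </rules>
</config>"""

def local(tag):
    """Strip any XML namespace prefix and lowercase the name."""
    return tag.rsplit("}", 1)[-1].lower()

def disabled_entries(xml_text):
    """Return the leaf fields of every element whose status is 'false'."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        # Accept status either as an attribute or as a child element.
        status = next((v for k, v in elem.attrib.items() if local(k) == "status"), None)
        if status is None:
            child = next((c for c in elem if local(c.tag) == "status"), None)
            status = child.text if child is not None else None
        if status is not None and status.strip().lower() == "false":
            hits.append({local(c.tag): (c.text or "").strip()
                         for c in elem if len(c) == 0 and local(c.tag) != "status"})
    return hits

if __name__ == "__main__":
    # Pass /etc/opt/novell/sslvpn/config.xml as the argument on the SSLVPN server.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for entry in disabled_entries(text):
        print("status=false:", entry)
```

Run it after each rule change; any Deny rule it reports is configured but not being applied to SSLVPN clients.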