Environment
Novell Access Manager 3.1 Linux Support Pack 1 applied
Client running Windows XP and IE7 with GroupWise 8.0.1 client (requirement)
Situation
Resolution
Basic Information
Enabling and configuring GroupWise published calendars is done in ConsoleOne.
To enable: POA object->properties->GroupWise tab->Agent settings->checkbox “Enable Calendar Publishing”
To set the URL(s) of Calendar Publishing hosts: gwise system->Tools->gwise system operations->“Web Calendar Publishing Hosts”
ex: http://<>/gwcal/calendar
name: seen by browsers making connection
URL: seen by browsers making connection
Address: Used for server-to-server connections between POA and Cal publishing host
Port: Used for server-to-server connections between POA and Cal publishing host
User setup activities:
Users are not allowed to publish their main GroupWise calendar, only other calendars.
To create a calendar: In the gwise client, highlight the calendar icon, right-click, then New Calendar.
To publish a calendar: In the gwise client, highlight the calendar icon, right-click, then Publish. Now on the Publish tab of the pop-up, select “Publish this calendar”.
Using (subscribing to) a published calendar:
Browse to http(s)://<Cal_Pub_Host>/gwcal to see a list of published calendars. The download link simply downloads the .ics file. The subscribe link launches the gwise client (if gwise is the default app for .ics type files) and allows the user to subscribe to that calendar. The gwise client opens a “Subscribe to Calendar” pop-up dialog where the user can then view/modify several options:
Location: is the URL of the calendar publishing host
Folder Name: is the name of the folder. If the calendar publishing web server is accessed through a proxy or other device requiring authentication, this field will be blank until after credentials are entered (below) and a connection is made.
Requires Authentication: select this option and enter username/pwd if the gwclient connection to the calendar publishing host is through a reverse proxy such as NAM and requires authentication (only Basic Auth is supported).
After reviewing/selecting the above options, click Subscribe
The subscribed calendar should now be shown as an icon in the left frame of the gwise client under the Calendar icon. Highlighting the subscribed calendar icon causes an HTTP GET to be sent to the URL of the published calendar. If successful, the icon shows a down arrow and the contents of the calendar are then shown. If a failure occurs, the icon may be shown with a red x. Details of the connection status, URL, login credentials, etc. can be seen by right-clicking the icon->Properties->Subscribe tab.
User Experience
From Win XP/IE7 machine with gwise 8.0.0 5/14/2009 or later client installed, browse to the URL of the calendar publishing host through the AG (ex: https://<PublishedDNS>/gwcal)
-user will see a Basic pop-up dialog for login to the Access Gateway
Enter username/password
-if valid credentials are entered, user will now see page “Novell GroupWise Calendar Publishing Host” which has “Download” and “Subscribe” links to all published calendars.
-note that the Download links should be rewritten with the scheme/name/port of the accelerator used to access the page. The Subscribe links should have a scheme of webcal://, but the DNS name, port, and path of these links should also be rewritten.
Click a Subscribe link
-this launches the gwise client and a “Subscribe to calendar” pop-up is displayed. The “Location:” field should have the appropriate, rewritten URL for accessing the calendar publishing host through the AG. Note that the gwise client at this point does NOT connect through the AG. It uses a gwise protocol on port 1677. This connection on 1677 does not have to succeed, for example the user may be at home and using the gwise client in caching mode.
Select checkbox “This calendar requires authentication” and enter credentials for authentication to the Access Gateway.
Click Subscribe
-an icon for this calendar subscription should be created under the Calendar icon in the left frame of the gwise client
Highlight the new icon
-this action causes the gwise client to send an http(s) GET with populated Authorization header to the URL in the Location field as noted above. If the connection is successful, the icon will show a down-arrow image. When highlighted, the main gwise client frame will then show contents of the calendar.
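A check for the link rewriting described in the steps above, as an added example (not part of the original document and not a Novell tool): it parses a saved copy of the gwcal page and reports Download/Subscribe links that still carry the internal web server name or do not match the accelerator. The host names, file paths and HTML below are constructed assumptions; the real page markup may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a gwcal page as seen through the Access Gateway.
SAMPLE_PAGE = """
<a href="https://cal.example.com/gwcal/calendar/a.ics">Download</a>
<a href="webcal://cal.example.com/gwcal/calendar/a.ics">Subscribe</a>
<a href="http://cal.example.com/gwcal/calendar/b.ics">Download</a>
<a href="webcal://internal.example.net/gwcal/calendar/b.ics">Subscribe</a>
"""

class _Links(HTMLParser):
    """Collect the href of every anchor on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_links(html, accelerator_url, internal_host, path_prefix="/gwcal"):
    """Return (href, problem) pairs for links the rewriter did not fix."""
    acc = urlsplit(accelerator_url)
    parser = _Links()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        u = urlsplit(href)
        if not u.netloc:  # relative link, resolves against the accelerator
            continue
        if u.hostname == internal_host.lower():
            problem = "internal host name not rewritten"
        elif (u.hostname, u.port) != (acc.hostname, acc.port):
            problem = "host/port differs from accelerator"
        elif u.scheme not in ("", "webcal", acc.scheme):
            problem = "scheme differs from accelerator"
        elif not u.path.startswith(path_prefix):
            problem = "path not rewritten"
        else:
            continue
        findings.append((href, problem))
    return findings

if __name__ == "__main__":
    for href, problem in audit_links(SAMPLE_PAGE, "https://cal.example.com", "internal.example.net"):
        print(f"{problem}: {href}")
```

For a path-based service with Remove Path on Fill enabled, pass the published path as `path_prefix` (for example `/testGW8/gwcal`).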
Access Manager sample configurations
Following are examples of various configurations which have been used during testing with NAM 3.1.1 and GroupWise 8 published calendars. These configurations assume that GroupWise Webaccess and the Calendar Publishing Host are running on the same web server, both being accessed through the Access Gateway.
Proxy Service Type: Domain Based Multi-Homing
Published DNS Name: mattdbmhgw8lag.cit.novell.com
Host Header: Web Server Host Name
Web Server Host Name: internal.matt.lag.cit.novell.com
Connect Port: 80
HTML Rewriting:
Use a Char type rewriter profile with default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>
Be sure to enable this profile and put it at the top of the rewriter profile list (above the default, unmodified Word profile)
Protected Resources:
“pr1” for webaccess:
path /gw/*
Authentication Procedure: Secure Name/Password – Form type contract
Identity Injection (ii) policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
“pr2” for ajax
path /gw/webacc?User.context*
Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1. Option “Redirect to Identity Server When No Authentication Header is Provided” is disabled.
ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
“pr3” for published calendar page
path /gwcal/*
Authentication Procedure: Same as used by pr2
ii policy – none
Path-Based Multi-Homing (Remove Path on Fill disabled)
Published DNS Name: matt.lag.cit.novell.com
Host Header: Web Server Host Name
Web Server Host Name: internal.matt.lag.cit.novell.com
Connect Port: 80
Path List: /gw, /gwcal
Remove Path on Fill: disabled
Reinsert Path in “set-cookie” Header: enabled
HTML Rewriting:
Uses a Character type rewriter profile:
Character profile:
All default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>
Be sure to enable this profile and put it at the top of the rewriter profile list (above the default Word profile)
Protected Resources:
“pr1” for webaccess:
path /gw/*
Authentication Procedure: Secure Name/Password – Form type contract
ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
“pr2” for ajax
path /gw/webacc?User.context*
Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1
ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
“pr3” for published calendar page:
path /gwcal/*
Authentication Procedure: Same Authentication Procedure used by pr2
ii policy – none
Path-Based Multi-Homing (Remove Path on Fill enabled)
Published DNS Name: matt.lag.cit.novell.com
Host Header: Web Server Host Name
Web Server Host Name: <different than the Published DNS Name>
Connect Port: 80
Path List: /testGW8
Remove Path on Fill: enabled
Reinsert Path in “set-cookie” Header: enabled
HTML Rewriting:
Uses both a Word and Character type rewriter profile:
Character profile:
All default settings except for one Search/Replace entry needed for rewriting the Subscribe links on the gwcal/calendar page. For example:
Search = webcal://<internal Web Server Host Name>
Replace = webcal://<Published DNS Name>
Be sure to enable this profile and put it at the top of the rewriter profile list
Word Profile:
All default settings except those noted below:
“Rewrite Inbound Headers:” enabled
“Variable or Attribute Name to Search for is:” value
“String to Search for is:” Search=/gw[ew], Replace=$path/gw
Protected Resources:
pr1 for webaccess:
path /testGW8/gw/*
Authentication Procedure: Secure Name/Password – Form type contract
ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
pr2 for ajax
path /testGW8/gw/webacc?User.context*
Authentication Procedure: Non-redirected login enabled, points to same contract used by pr1
ii policy to inject Credential Profile LDAP Name or FDN and Password into Authorization header
pr3 for published calendar page
path /testGW8/gwcal/*
Authentication Procedure: Same Authentication Procedure used by pr2
ii policy – none