Home
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Adding and configuring resources
After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
Adding a mobile access service
If there is no mobile access service configured for the SafeLinx Server, you can add one.
Storing client-based certificates
SafeLinx Clients can use client certificates to authenticate with the Connection Manager. To use client certificate authentication, install an X.509 certificate that you obtain from a certificate authority (CA) on the mobile device.

Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
  - Types of resources
    Before a deployment can support client connections, you must add components to the SafeLinx Server. You use the SafeLinx Administrator to add and configure components. These components include resources to support HTTP access services, mobile access services, and messaging services, and resources to establish security and facilitate administration.
  - Defining a SafeLinx Server by using the SafeLinx Administrator
    Before you can define a SafeLinx Server, you must configure the access manager. If you connect to a SafeLinx Server and its access manager is not yet configured, a wizard leads you through the access manager configuration first. After that process completes, you can configure the SafeLinx Server.
  - Configuring a directory server
    You can configure the SafeLinx Server to retrieve user profile information from an external LDAP server. The directory server that you configure also provides information about how to contact other directory server services. After you configure a directory server, you can assign it to an LDAP-bind authentication profile to authenticate clients when they log in.
  - Securing communications between the SafeLinx Server and other nodes
    The SafeLinx Server and the services that it hosts exchange data with clients on the external network and with different types of servers on the internal network. To ensure the privacy of these communications, you can use TLS protocols to encrypt connections between the SafeLinx Server and other nodes.
  - Adding HTTP access services
    Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.
  - Configuring an HCL Nomad server
    You can configure a SafeLinx as an HCL Nomad server that acts as a proxy for HCL Nomad clients.
  - Adding authentication profiles
    Add an authentication profile to specify how HCL SafeLinx authenticates users before it permits access to application servers. SafeLinx supports the following authentication methods: LDAP-bind, RADIUS, and certificate-based.
  - Adding a mobile access service
    If there is no mobile access service configured for the SafeLinx Server, you can add one.
    - Adding a mobile network connection
      The SafeLinx Server accepts connections for mobile access services and messaging services through mobile network connections (MNCs). Use the SafeLinx Administrator to add an MNC to the SafeLinx Server for each type of external network that client devices use.
    - Adding a mobile network interface
      You add a mobile network interface (MNI) to a mobile access service to define the IP interface through which the service exchanges information with SafeLinx Clients.
    - Connection and transport profiles
      A connection profile is a set of configuration properties that is assigned to a mobile network connection (MNC) to control security and performance between an MNC and the SafeLinx Clients that connect to it. When you create an MNC or edit its properties, you assign it a connection profile.
    - Storing client-based certificates
      SafeLinx Clients can use client certificates to authenticate with the Connection Manager. To use client certificate authentication, install an X.509 certificate that you obtain from a certificate authority (CA) on the mobile device.
    - Adding a routing alias to route traffic through a SafeLinx Client to a subnetwork
      A mobile access service can route data to a designated subnetwork through a multihomed SafeLinx Client. To enable subnetwork routing through a SafeLinx Client, define a routing alias that specifies the IP addresses of the client and of the destination subnetwork.
    - Configuring cluster nodes
      Automatically installed and inactive by default, each cluster manager resource is displayed under the SafeLinx Server. Cluster managers define subordinate or principal nodes in a cluster.
    - Configuring a redundant RNC with remotely controlled A/B switches
      On Motorola PMR networks you can configure a remotely controlled A/B switch to instruct the radio network controller (RNC) to send traffic to a specific Motorola private mobile radio (PMR) base station. You can configure mobile access services to send alert messages to a remotely controlled A/B switch attached to a redundant RNC 3000. You can define up to four switches.
    - Resources for mobile access services
      To support mobile access services, you can add the following types of resources to your HCL SafeLinx deployment.
  - Adding messaging services
    Add messaging services to the SafeLinx Server to enable applications to send messages to messaging clients, such as a pager or a phone, over mobile wireless networks. Messaging services include support for short message service (SMS) delivery, and mobile-originated message delivery.
  - Adding users
    If your SafeLinx deployment does not use an external LDAP or RADIUS authentication server, use SafeLinx Administrator to create user accounts. You can add users individually or in a batch mode.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.

Storing client-based certificates

SafeLinx Clients can use client certificates to authenticate with the Connection Manager. To use client certificate authentication, install an X.509 certificate that you obtain from a certificate authority (CA) on the mobile device.

Procedure

To store client-based certificates:

From a computer that has a copy of the IBM® Key Management tool, create a certificate request.
For more information, see Requesting an X.509 certificate from a third-party certificate authority.
Submit the certificate request to a certificate authority (CA). When you submit the request, specify that you would like the CA to return the certificate request file with a file type of p12.
Transfer the p12 file to the device or computer where you want to install the certificate.
Start the SafeLinx Client connection that uses certificate-based authentication. When the Authentication dialog box opens, click or tap Browse and select the certificate file. Then, click or tap OK twice.
The client certificate is stored in the default certificate store.
Note:
If you use the SafeLinx Client on Windows, you can use a setting in the [CONNECTION] section of the artour.ini file to specify the Windows Registry key from which the SafeLinx Client retrieves the certificate.

If you want the SafeLinx Client to use the certificate store specified in the HKEY_CURRENT_USER key, use the following setting:
```
CertificateStoreLocation=1 
```
If you want the SafeLinx Client to use the certificate store specified in the HKEY_LOCAL_MACHINE key, use the following setting:
```
CertificateStoreLocation=2 
```
The default setting is 1.

Rate this topic

5 stars 4 stars 3 stars 2 stars 1 star

Comment on this topic.

By clicking this box, you acknowledge that you are NOT a U.S. Federal Government employee or agency, nor are you submitting information with respect to or on behalf of one. HCL provides software and services to U.S. Federal Government customers through its partners immixGroup, Inc. Contact this team at https://hcltechsw.com/resources/us-government-contact. Do not include any personal data in this Comment box. Note: To report a problem or question about the product software, do not use this form. Instead, go to the HCL Software Support site.