Preparing the network environment

Preparation of your network environment depends on the setup of specific resources and the requirements of your operating system.

To complete the HCL SafeLinx setup, you must provide information about your network environment. Before you install, be sure that you have access to the following information:
  • Admin user IDs and passwords for your organization's LDAP server, database servers, and other authentication servers
  • Contact information for other network administrators with whom you might have to coordinate work, for example, administrators of your firewall, DNS, database, LDAP, and application servers.
  • IP addresses or host names of LDAP servers, database servers, and firewalls
  • For LDAP authentication, the Base DN (distinguished name) in which to search for user accounts
  • The ports to be opened on both internet-facing and internally-facing firewalls. For more information, see Firewall issues.

For Windows deployments, after you run the Installation wizard, launch the First Steps configuration wizard by selecting the check box in the final installation panel. The wizard is available on Windows only and is not part of the Linux installations. From the First Steps configuration wizard, you can launch the Database configuration wizard to specify the storage method for SafeLinx configuration and session data. As an alternative to using the Database configuration wizard, you can use data definition language (DDL) scripts configure the persistent storage method. DDL scripts enable database setup in environments in which the SafeLinx admin does not have access privileges to the database server. If you use DDL scripts to configure SafeLinx databases, you would not run the Database configuration wizard. For more information, see Persistent data storage requirements and Configuring databases for HCL SafeLinx with DDL.

The Windows First steps configuration wizard also contains links that launch SafeLinx Administrator and online help. After database configuration is complete, open SafeLinx Administrator to add and configure other resources. The following tables describe some of the resources that are needed for different types of deployments.

Table 1. Resources needed for all deployments
Resource Description
Access manager The Access Manager is a process that manages interactions between SafeLinx Administrators, persistent data storage, and other SafeLinx Servers. The Access Manager process is installed automatically on all supported operating systems.

On Windows, the Access Manager runs as a pair of services called SafeLinx Access Manager Service (wgmgrd) and SafeLinx Secure Access Manager Service (wgmgrsd).

For Linux, the wgmgrd and wgmgrsd processes listen for incoming SafeLinx Administrator connections. These processes start automatically with the operating system. On Linux, the xinetd daemon starts first and it then starts other services such as the wgmgrd and wgmgrsd processes.

SafeLinx Server The SafeLinx Server integrates all configured application services, configuration objects, and supported networks within a single multihomed host. After the SafeLinx Server is created, the administrator is presented with an option to create an HTTP access service and then Mobile access services.

The HTTP access service enables secure socket layer (SSL) connections between mobile devices and the SafeLinx Server. Mobile access services establish a virtual private network (VPN) connection between the SafeLinx Server and SafeLinx Client. After you add Mobile access services, mobile network connections (MNCs) are created automatically for the following protocol types: UDP, TCP, HTTP, and HTTPS.

Note: Mobile access services are required for SafeLinx deployments that support SafeLinx Client access only.
Directory server service (DSS) A Directory server services resource references an LDAP or RADIUS authentication server to be used by the SafeLinx deployment. The DSS specifies a servers' host name or IP address, and the properties that are used to submit authenticated or anonymous queries to the directory server to validate user credentials. To configure an LDAP DSS, you must know the LDAP Base DN, the Administrator's DN and password. To configure a RADIUS DSS, you must know the RADIUS shared secret. In both cases, you must also decide whether the connection to the authentication server is to be secured or not.
Authentication profiles

After you create a DSS resource, you must create an Authentication profile. Authentication profiles define how SafeLinx interacts with the authentication server specified in a DSS to authenticate login credentials for HTTP access services or VPN connections.

In LDAP-bind authentication profiles, you can specify the user attributes that the service looks for when it attempts to validate user credentials. For example, in deployments that use Microsoft Active Directory Server, you might specify SAMAccountName in the User key field of authentication profile, and UserAccountControl in the LDAP attribute used for lock status field.
Table 2. Resources needed to support HTTP access services for clientless connections
Resource Description
HTTP access service HTTP access services enable secure connections between a remote mobile device and HTTP services on the internal network, such as HCL Traveler and HCL Sametime. Client-less HTTP connections are secured with secure sockets layer (SSL) encryption.
SSL certificates

Certificates are required to secure HTTP access service connections between mobile devices and the SafeLinx Server. To create requests for certificates, or to install and manage certificates, use the GSKit.

If you are setting up a proof-of-concept or evaluation deployment, you can use self-signed certificates to facilitate rapid deployment. However, there are drawbacks to using self-signed certificates in a production environment. For more information about setting up and configuring certificates, see the Certificates section in the Featured Documents technote on the SafeLinx support site.
Table 3. Resources needed to support mobile access services (VPNs) for SafeLinx Clients
Resource Description
Mobile network interface (MNI) A resource that defines a dedicated virtual IP subnet through which the SafeLinx Server and SafeLinx Clients communicate. An MNI reserves an IP address in a subnet as its own and this address is the SafeLinx Client's point-of-presence on the virtual private network.
Connection profile A resource that is assigned to an MNC to control the performance options between the MNC and SafeLinx Clients that connect to it.
Sample connection profiles are available in the Default Resources organizational unit (OU) in SafeLinx Administrator:
  • IP - used with transport profiles

You can alter the default connection profile or create a new profile.
Transport profile A resource that is assigned to an IP connection profile and is a set of transport-layer configuration properties. These properties are settings that identify the type of network, such as the adapter name and the speed of the connection. Multiple network names can be associated with one transport profile and more than one transport profile can be assigned to an IP connection profile.
Several sample transport profiles are available in the Default Resources organizational unit (OU) in SafeLinx Administrator:
  • LAN - used for 802.11b and faster networks
  • WiFi - used for 802.11b networks

You can alter the default transport profile or create a new profile.
Note: Your organization's firewall must be configured to allow connections from external clients and devices to the SafeLinx Server. If a second firewall stands between the SafeLinx Server and resources on the internal network, you must also establish rules that enable communications between them. For more information about firewall rules, see Firewall issues.
You must configure other network settings to set up mobile access services. For more information, see the following topics:
  • VPN addressing for SafeLinx Clients
  • MNC carrier connections