What's new in SafeLinx 1.3?
HCL SafeLinx 1.3 introduces the following new functionality.
- Removed support for FlexNet license server. For information on the fixes in this release, see the HCL SafeLinx 1.3 Release Notes.
- SafeLinx as a reverse proxy for HCL Verse: You can configure SafeLinx to function as a reverse proxy for HCL Verse to provide failover and load balancing. For more information, see Configuring SafeLinx as a reverse proxy for Verse high availability.
- Support for SNI: SafeLinx now supports the Server Name Indication (SNI) extension to TLS, whereby a client indicates which host name it is attempting to connect to at the start of the TLS handshake. When you consolidate multiple HTTP services to listen on one external IP address and port, SNI allows each service to have its own X.509 certificate and other TLS attributes. In prior releases, SafeLinx used the host name in the HTTP Host header to determine the host to connect to, which did not allow for service-specific X.509 certificates and TLS attributes.
Your current HTTP services configuration continues to work without modification. You now have the option to configure X.509 certificates and TLS attributes separately for HTTP services that share one IP address and port.
For more information, see Consolidation of multiple HTTP access services under one IP address.
- Access manager binding to one IP address and port number: You can configure the access manager to bind to a specific IP address and port number when connecting to the SafeLinx Administrator. For more information, see Configuring the access manager to bind to a specific IP address.
- "No authentication required" rule for HTTP services: You can now configure an HTTP service to use a "No authentication required" rule that defines a server path that doesn't require authentication. SafeLinx allows anonymous access for any requests that begin with the path specified in the rule. This rule is defined using the NOAUTH keyword.
For example, to allow anonymous access to any request on the server myserver.internal.com that begins with /path/open/, specify the following rule:
NOAUTH https://myserver.internal.com/path/open
This type of rule should be used with caution. For security reasons, only one anonymous request is allowed per TLS socket.
For more information, see Configuring special access rules for application server URLs.
- SAML configuration change: A new entry in config.yml is required for SAML. This entry enables the session cookie for the Service Provider function to flow without TLS. If you have an existing SAML configuration, add the following entry to the session section of the config.yml file.

    session:
      cookie:
        secure: false

The config.example.yml file provided with SafeLinx includes this setting.
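
The NOAUTH rule above grants anonymous access by path prefix, so it is worth listing which of your application URLs a rule actually covers before deploying it. The following review aid is an added example, not SafeLinx code: it assumes the match is a plain string-prefix comparison (confirm this against your SafeLinx version), and the function names and URL inventory are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_noauth(rule):
    """Split 'NOAUTH <url>' into (scheme, host, path prefix)."""
    keyword, _, url = rule.strip().partition(" ")
    parts = urlsplit(url.strip())
    if keyword != "NOAUTH" or parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a NOAUTH rule: {rule!r}")
    return parts.scheme, parts.hostname.lower(), parts.path or "/"

def covered(rule, urls):
    """URLs on the rule's server whose path begins with the rule's path.
    ASSUMPTION: plain string-prefix comparison, not confirmed SafeLinx behaviour."""
    scheme, host, prefix = parse_noauth(rule)
    hits = []
    for url in urls:
        p = urlsplit(url)
        same_server = (p.scheme, (p.hostname or "").lower()) == (scheme, host)
        if same_server and (p.path or "/").startswith(prefix):
            hits.append(url)
    return hits

def outside_directory(rule, urls):
    """Covered URLs that are neither the rule path itself nor below it as a
    directory, i.e. siblings that only share its leading characters."""
    base = parse_noauth(rule)[2].rstrip("/")
    result = []
    for url in covered(rule, urls):
        path = urlsplit(url).path
        if path != base and not path.startswith(base + "/"):
            result.append(url)
    return result

# Constructed inventory of application URLs (not from the SafeLinx documentation).
INVENTORY = [
    "https://myserver.internal.com/path/open/logo.png",
    "https://myserver.internal.com/path/open",
    "https://myserver.internal.com/path/opendata/export",
    "https://myserver.internal.com/path/private/report",
    "https://other.internal.com/path/open/logo.png",
]
RULE = "NOAUTH https://myserver.internal.com/path/open"  # rule text from the page

if __name__ == "__main__":
    for rule in (RULE, RULE + "/"):  # as written, then with a trailing slash
        print(rule)
        for url in covered(rule, INVENTORY):
            flag = "  <-- outside the directory" if url in outside_directory(rule, INVENTORY) else ""
            print("   anonymous:", url + flag)
```

Any URL flagged as outside the directory is a reason to check whether the rule should end with a trailing slash.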