Welcome
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
Adding and configuring resources
After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
Adding HTTP access services
Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.
Configuring OIDC authentication
You can configure HTTP access services such as HCL Nomad to use OpenID Connect (OIDC) authentication rather than LDAP authentication or local authentication.

Welcome
Welcome to the HCL SafeLinx documentation, where you can find information about how to install, maintain, and use HCL SafeLinx.
What's new in SafeLinx 1.4?
HCL SafeLinx 1.4 introduces the following new functionality.
Getting started
This information provides an overview for network administrators planning to install HCL SafeLinx. It contains the minimum information that is needed to get you started. For detailed information about installing HCL SafeLinx, see the installation information in the section adminguide/admin_guide.html.
Administering
This section describes how to plan for, install, configure, operate, and manage the SafeLinx Server.
- Overview
  HCL SafeLinx uses standards-based protocols to enable secure access from mobile computing devices outside the firewall to business applications and data on your organization's internal network.
- Security
  HCL SafeLinx includes a range of options for configuring the security of your network, applications, and data.
- Installation planning
  Before you install HCL SafeLinx, verify that you meet the hardware and software requirements, and that the network connections that you want to use are available.
- Roadmaps: Installing and setting up SafeLinx
  The following "roadmap" topics guide you through installing and initially configuring SafeLinx. Refer to the topic that corresponds to your relational database and server operating system.
- Installing and initial configuration
  Initial configuration and installation of HCL SafeLinx varies based on your operating system and relational database.
- Adding a secure login profile
  By default, the SafeLinx Administrator communicates with the access manager over an unencrypted connection. If you want the connection between the SafeLinx Administrator and the access manager to use transport layer security (TLS) protocols, add a secure login profile to the SafeLinx Administrator.
- Adding and configuring resources
  After you complete the installation and initial configuration, continue to prepare the deployment by configuring other network resources.
  - Types of resources
    Before a deployment can support client connections, you must add components to the SafeLinx Server. You use the SafeLinx Administrator to add and configure components. These components include resources to support HTTP access services, mobile access services, and messaging services, and resources to establish security and facilitate administration.
  - Defining a SafeLinx Server by using the SafeLinx Administrator
    Before you can define a SafeLinx Server, you must configure the access manager. If you connect to a SafeLinx Server and its access manager is not yet configured, a wizard leads you through the access manager configuration first. After that process completes, you can configure the SafeLinx Server.
  - Configuring a directory server
    You can configure the SafeLinx Server to retrieve user profile information from an external LDAP server. The directory server that you configure also provides information about how to contact other directory server services. After you configure a directory server, you can assign it to an LDAP-bind authentication profile to authenticate clients when they log in.
  - Securing communications between the SafeLinx Server and other nodes
    The SafeLinx Server and the services that it hosts exchange data with clients on the external network and with different types of servers on the internal network. To ensure the privacy of these communications, you can use TLS protocols to encrypt connections between the SafeLinx Server and other nodes.
  - Adding HTTP access services
    Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.
    - Consolidation of multiple HTTP access services under one IP address
      The HTTP listener supports configuring multiple HTTP services, each with its own service URL, to use the same IP address and port.
    - Configuring HTTP access: Single URL
      HTTP Access Services provide load balancing and failover for multiple application servers, and different applications over the same service definition (or TCP listen port).
    - Configuring special access rules for application server URLs
      You can configure special rules that allow anonymous access to or deny all access to specific application server URLs.
    - Configuring Safelinx with Forward proxy authentication
      SafeLinx can be configured as a forward proxy, so that it only allows the addresses mentioned in the proxy urls. Earlier it was only plain fwd proxy, authentication support for the same is now available.
    - URL rewriting for HTTP access services
      By default, when you click a link in a mobile application that connects through HTTP access services, the link opens only if it points to content in the same application. To enable mobile applications such as HCL Connections, iNotes®, and others to render content from links to other internal sites, you can configure the HTTP access service to allow URL rewriting.
    - Adding an application server pool
      Create an application server pool to define a collection of one or more HCL Traveler high-availability clusters. Each cluster can contain multiple Traveler servers. Using an application server pool, you can manage your Traveler clusters as a single entity and balance the load across servers. After you add an application server pool, you assign it to an HTTP access service.
    - Enabling LDAP lookups to determine a user's Traveler server
      HCL SafeLinx manages incoming connection requests from Traveler clients, directing the request to an available Traveler server. With SafeLinx, you can configure the HTTP access service to connect users to a Traveler server specified by an attribute in the user's LDAP record.
    - Specifying path prefixes to identify Traveler requests
      You can configure SafeLinx to recognize one or more path prefixes that are associated with HCL Traveler servers.
    - iNotes® attachment blocking
      To reduce the risk of unauthorized access to confidential information, you can configure SafeLinx to restrict external users from sending or receiving attachments.
    - Configuring SAML authentication
      You can configure HTTP access services such as HCL Nomad to use Security Assertion Markup Language (SAML) authentication rather than LDAP authentication or local authentication.
    - Configuring OIDC authentication
      You can configure HTTP access services such as HCL Nomad to use OpenID Connect (OIDC) authentication rather than LDAP authentication or local authentication.
    - Client certificate authentication for HTTP access services
      When a client initiates a TLS connection to an HTTP access service, client and server exchange data to negotiate the connection. As part of the negotiation, the HTTP access service always presents a certificate to assure the client that it is connected to the correct server. You can also configure the HTTP access service to require a client browser or application to present a certificate when it initiates the connection. Such mutual authentication protects against man-in-the-middle attacks by providing both participants with proof that they are communicating with the intended party. Client certificates can also be used to authenticate users or devices.
    - Enabling authentication chaining between RADIUS and LDAP for HTTP access services
      With HCL SafeLinx, RADIUS authentication profiles that are used by HTTP access services can be linked to existing LDAP authentication profiles. Enabling this type of authentication chaining allows SafeLinx to verify a user's LDAP credentials before it processes the RADIUS authentication. You can specify the LDAP user ID attribute that you want SafeLinx to use in generating LTPA tokens for single sign-on. RADIUS to LDAP authentication chaining is supported for HTTP access services only.
    - Integration with mobile device management (MDM) systems
      With HCL SafeLinx, you can integrate an MDM system with authentication profiles that support HTTP access services. Through the integration, you can enable secondary authentication for mobile devices through an MDM server. The SafeLinx gateway prevents devices that do not comply with MDM policies from connecting to internal resources. SafeLinx currently supports integration with IBM MaaS360.
    - Creating custom login pages
      You can build customized login and logout pages to challenge users to submit their credentials and to display after users end their sessions.
    - Setting Up CertManager with Domino and SafeLinx Server
      You can setup an automatic update for SSL certificate using the CertManager and ACME providers.
  - Configuring an HCL Nomad server
    You can configure a SafeLinx as an HCL Nomad server that acts as a proxy for HCL Nomad clients.
  - Configuring SafeLinx as a reverse proxy for Verse high availability
    You can configure HCL SafeLinx to function as a reverse proxy that distributes requests across HCL Verse servers to provide failover and load balancing.
  - Adding authentication profiles
    Add an authentication profile to specify how HCL SafeLinx authenticates users before it permits access to application servers. SafeLinx supports the following authentication methods: LDAP-bind, RADIUS, and certificate-based.
  - Adding a mobile access service
    If there is no mobile access service configured for the SafeLinx Server, you can add one.
  - Adding messaging services
    Add messaging services to the SafeLinx Server to enable applications to send messages to messaging clients, such as a pager or a phone, over mobile wireless networks. Messaging services include support for short message service (SMS) delivery, and mobile-originated message delivery.
  - Adding users
    If your SafeLinx deployment does not use an external LDAP or RADIUS authentication server, use SafeLinx Administrator to create user accounts. You can add users individually or in a batch mode.
- Administering
  The SafeLinx Administrator administration client is the primary tool for viewing, adding, configuring, and managing HCL SafeLinx resources. Along with the SafeLinx Administrator, you can use the HCL SafeLinx Monitor to view information about packet flow through the SafeLinx Server. You can also use a set of command line tools to perform common SafeLinx Server tasks.
- Programming reference
  There are several programming considerations of which you might want to take advantage.
- Database schema information
  HCL SafeLinx uses a DB2, Oracle, MySQL, or SQL database to store tables of information about current and past activity of SafeLinx Server sessions. The following tables are created and accessed by using the qualifier name wg for DB2 installations.
- Step by step: Nomad configuration
  Here are step-by-step instructions that serve as an example of how to install and configure HCL SafeLinx for Nomad on MySQL on Linux.
SafeLinx Administrator
The SafeLinx Administrator is a Java application that lets administrators configure, monitor, and maintain the resources of one or more SafeLinx Servers.
SafeLinx Clients
SafeLinx Clients can establish virtual private network (VPN) connections with mobile access services across various wireless and wireline network. SafeLinx Clients use these optimized, secure IP tunnels to communicate with resources on the internal network.
Troubleshooting
Use this section to assist you with problems that you might experience, including problems with installation.
Notices

Configuring OIDC authentication

You can configure HTTP access services such as HCL Nomad to use OpenID Connect (OIDC) authentication rather than LDAP authentication or local authentication.

Before you begin

Configure the HTTP access service you will enable for OIDC. For HCL Nomad instructions, see Nomad server in the Nomad administration documentation.

About this task

OIDC authentication delegates user authentication to a OIDC identity provider (IdP) such as Domino OIDC provider. When OIDC is configured, users log on to an HTTP access service with their OIDC IdP identities.

To configure OIDC authentication for an HTTP access service, complete the following steps.

Procedure

(Linux only) Install OIDC Service Provider support for SafeLinx. On Linux, you can choose to install SafeLinx OIDC support by selecting "y" (yes) at the prompt Install OIDC Service Provider support? To install support for OIDC after SafeLinx installation from the installer archive, run the following command:
sudo rpm -ivh HCLSafeLinx-oidc-<safelinxversion>.rpm.

For example: sudo rpm -ivh HCLSafeLinx-oidc-1.4.4.rpm
Note: OIDC Service Provider support is installed automatically on Windows.
To enable OIDC, complete the following steps to start a local OIDC service provider on the SafeLinx server.
1. OIDC service can be started only if oidc.config.yml file is present.
2. A valid oidc.config.yml file should have all the required inputs to SafeLinx-oidc service to work as expected. Find <SafeLinx installation path>/oidc/oidc.confif.example.yml file got all required details to configure yml file properly.
3. OIDC can be configured in SafeLinx Administrator in the Mode tab (Select OIDC IDP & provider the valid service provider address).
4. The IDP URI & port should match with the login_uri & port in oidc.config.yml file.
5. <SafeLinx service URL>/sl_oidc/callback should be registered as redirect URI in OIDC Provider.