Defining Web Resource Profile Bookmarks

When you create a Web resource profile, the system automatically creates a bookmark that links to the primary URL or domain that you specified in the resource profile. The system enables you to modify this bookmark as well as create additional bookmarks within the same domain.

For example, you may create a resource profile that controls access to your company intranet. Within the profile, you may specify:

Resource profile name: Your Intranet

Primary resource: http://intranet.com

Web access control autopolicy: Allow access to http://intranet.com:80/*

Roles: Sales, Engineering

When you create this policy, the system automatically creates a bookmark called "Your Intranet" enabling access to http://intranet.com and displays the bookmark to members of the Sales and Engineering roles.

You may then choose to create the following additional bookmarks to associate with the resource profile:

"Sales Intranet" bookmark: Creates a link to the http://intranet.com/sales page and displays the link to members of the Sales role.

"Engineering Intranet" bookmark: Creates a link to the http://intranet.com/engineering page and displays the link to members of the Engineering role.

When configuring bookmarks, note that:

You can only assign bookmarks to roles that you have already associated with the resource profile, not to all of the roles defined on the system. To change the list of roles associated with the resource profile, use the settings in its Roles tab.

Bookmarks simply control which links to display to users, not which resources the users can access. For instance, in the example above, a member of the Sales role would not see a link to the Engineering Intranet page, but he could still access it by entering http://intranet.com/engineering in his Web browser's address bar.

You cannot create bookmarks that link to additional URLs and domains defined through Web access control autopolicies.
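As an added example (not part of the product documentation), the following Python model of the "Your Intranet" profile above checks the three notes just listed and shows that bookmark visibility and resource access are decided separately: the Sales role sees only its own bookmarks but can still reach /engineering because the autopolicy allows it. The type names are my own, and the treatment of "/*" as "everything under" is an assumption.

```python
import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Bookmark:
    name: str
    url: str
    roles: set = field(default_factory=set)  # empty = "ALL selected roles"

@dataclass
class WebResourceProfile:
    name: str
    primary_resource: str
    autopolicy_allow: list  # Web access control autopolicy patterns, e.g. "http://intranet.com:80/*"
    roles: set              # roles associated with the profile (its Roles tab)
    bookmarks: list = field(default_factory=list)

def _normalize(url):
    # Spell out the default port and an empty path so "http://intranet.com/engineering" matches
    # "http://intranet.com:80/*" (assumption: the product's "/*" means "everything under").
    s = urlsplit(url)
    port = s.port or (443 if s.scheme == "https" else 80)
    return f"{s.scheme}://{s.hostname}:{port}{s.path or '/'}"

def validate(profile):
    """List the configuration mistakes the page warns about (empty list = consistent)."""
    problems, seen = [], {}
    primary_host = urlsplit(profile.primary_resource).hostname
    for bm in profile.bookmarks:
        if bm.url.startswith(("ws://", "wss://")):
            problems.append(f"{bm.name}: WebSocket URLs are not allowed in bookmarks")
        if urlsplit(bm.url).hostname != primary_host:
            problems.append(f"{bm.name}: URL is outside the primary resource domain")
        for role in sorted(bm.roles - profile.roles):
            problems.append(f"{bm.name}: role {role!r} is not associated with the profile")
        if bm.url in seen:
            problems.append(f"{bm.name}: same URL as {seen[bm.url]!r}; only one is shown to users")
        seen.setdefault(bm.url, bm.name)
    return problems

def visible_bookmarks(profile, role):
    """Bookmark names a member of `role` sees on the welcome page."""
    if role not in profile.roles:
        return []
    return [bm.name for bm in profile.bookmarks if not bm.roles or role in bm.roles]

def can_access(profile, role, url):
    """Access is decided by the autopolicy, not by which bookmarks the role can see."""
    if role not in profile.roles:
        return False
    return any(fnmatch.fnmatchcase(_normalize(url), _normalize(p)) for p in profile.autopolicy_allow)

def example_profile():
    # The "Your Intranet" profile from the page with its two role-specific bookmarks.
    return WebResourceProfile(
        "Your Intranet", "http://intranet.com", ["http://intranet.com:80/*"], {"Sales", "Engineering"},
        [Bookmark("Your Intranet", "http://intranet.com"),
         Bookmark("Sales Intranet", "http://intranet.com/sales", {"Sales"}),
         Bookmark("Engineering Intranet", "http://intranet.com/engineering", {"Engineering"})])
```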

You can use two different methods to create Web bookmarks:

Create bookmarks through existing resource profiles (recommended) - When you select this method, the system automatically populates the bookmark with key parameters (such as the Web interface (NFuse) URL) using settings from the resource profile. Additionally, while you are creating the associated resource profile, the system guides you through the process of creating any required policies to enable access to the bookmark.

Create standard bookmarks - When you select this option, you must manually enter all bookmark parameters during configuration. Additionally, you must enable access to the Web feature and create resource policies that enable access to the web sites defined in the bookmark.

Creating Bookmarks Through Existing Resource Profiles

To configure Web resource profile bookmarks:

1. If you want to create a resource profile bookmark through the standard resource profiles page:

  1. In the admin console, select Users > Resource Profiles > Web > Resource Profile Name > Bookmarks.
  2. Click the appropriate link in the Bookmark column if you want to modify an existing bookmark, or click New Bookmark to create an additional bookmark.

Alternatively, if you want to create a resource profile bookmark through the user roles page:

2. In the admin console, select Users > User Roles > Role Name > Web > Bookmarks.

3. Click New Bookmark.

4. From the Type list, choose Pick a Web Resource Profile. (The system does not display this option if you have not already created a Web resource profile.)

5. Select an existing resource profile.

6. Click OK. (If you have not already associated the selected role with the resource profile, the system automatically makes the association for you. The system also enables any access control policies for the role that are required by the resource profile.)

7. If this role is not already associated with the selected resource profile, the system displays an informational message. If you see this message, click Save Changes to add this role to the resource profile's list of roles and to update the profile's autopolicies as required. Then, repeat the previous steps to create the bookmark.

When you create a resource profile bookmark through the user roles page (instead of the standard resource profiles page), the system only associates the generated bookmark with the selected role. The system does not assign the bookmark to all of the roles associated with the selected resource profile.

8. Optionally change the name and description of the bookmark. (By default, the system names the bookmark after the resource profile.)

9. In the URL field, add a suffix to the URL if you want to create links to sub-sections of the domain defined in the primary resource profile.

Make sure to enter a unique URL in this field. If you create two bookmarks with the same URL, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

10. Under Options, select the Bookmark opens in new window check box if you want the system to automatically open the Web resource in a new browser window. Next, select:

Do not display browser address bar - Select this option to remove the address bar from the browser window. This feature forces all Web traffic through the system by precluding users in the specified role from typing a new URL in the address bar, which circumvents the system.

Do not display browser toolbar - Select this option to remove the menu and toolbar from the browser. This feature removes all menus, browsing buttons, and bookmarks from the browser window so that the user browses only through the system.

11. If you are configuring the bookmark through the resource profile pages, under Roles, specify the roles to which you want to display the bookmark:

ALL selected roles - Select this option to display the bookmark to all of the roles associated with the resource profile.

Subset of selected roles - Select this option to display the bookmark to a subset of the roles associated with the resource profile. Then select roles from the ALL Selected Roles list and click Add to move them to the Subset of selected roles list.

12. Click Save Changes.

Creating Standard Web Bookmarks

Information in this section is provided for backwards compatibility. We recommend that you configure access to Web URLs and servers through resource profiles instead, since they provide a simpler, more unified configuration method.

Use the Bookmarks tab to create bookmarks that appear on the welcome page for users mapped to this role. You can create two types of bookmarks through this page:

Web URL bookmarks - These bookmarks link the user to Web URLs on the World Wide Web or on your corporate Intranet. When you create Web bookmarks, you can insert the user's username in the URL path to provide single sign-on access to back-end Web applications. For Web bookmark configuration instructions, see the instructions that follow.

Java applet bookmarks - These bookmarks link the user to Java applets that you upload through the Users > Resource Profiles > Web > Hosted Java Applets page of the admin console.

When you create either of these bookmark types, the corresponding links appear on the welcome page for users mapped to this role.

To create a bookmark to a Web resource:

1. In the admin console, choose Users > User Roles > Role > Web > Bookmarks.

2. Click New Bookmark.

3. Select Standard.

4. Enter a name and description for the bookmark (optional). This information displays on the home page instead of the URL.

5. Enter a Category for the URL. See the Categorize Bookmarks figure.

6. Enter the URL to bookmark. If you want to insert the user's username, enter <username> at the appropriate place in the URL.

Make sure to enter a unique URL in this field. If you create two bookmarks with the same URL, the system deletes one of the bookmarks from the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

7. Under Auto-allow, click Auto-allow Bookmark to automatically create a corresponding Web access resource policy. Note that this functionality applies only to role bookmarks and not bookmarks created by users. Next, select:

Only this URL to allow users to access only the URL.

Everything under this URL to allow the user to access any path under the URL.

You may not see the Auto-allow option if you are using a new installation or if an administrator hides the option.

8. Under Display options, click Open bookmark in a new window to automatically open the Web resource in a new browser window. Note that this functionality applies only to role bookmarks and not bookmarks created by users. Next, select:

Do not display the URL address bar if you want to remove the address bar from the browser window. This feature forces all Web traffic through the system by precluding users in the specified role from typing a new URL in the address bar, which circumvents the system.

Do not display the menu and the toolbar to remove the menu and toolbar from the browser. This feature removes all menus, browsing buttons, and bookmarks from the browser window so that the user browses only through the system.

9. Click Save Changes or Save + New to add another.

Categorize Bookmarks


Specifying Web Browsing Options

The system enables you to configure a wide variety of Web browsing options for a user role.

To configure the Web browsing options for a role:

1. Select Users > User Roles > RoleName > Web > Options. Complete the configuration as described in Web Browsing Options for a Role.

2. Click Save Changes.

Web Browsing Options for a Role

Settings

Guidelines

User can type URLs in the browse bar

(Default) Select this option to enable users to enter URLs on the welcome page and browse to Internet sites.

User can add bookmarks

(Default) Select this option to enable users to create personal web bookmarks on the system welcome page.

Mask hostnames while browsing

Select this option to obscure the target resources in the URLs to which the users browse. When you select this option, the system masks IP addresses and hostnames in the user's:

Web browser address bar (when the user navigates to a page)

Web browser status bar (when a user hovers over a hyperlink)

HTML source files (when the user chooses to View Source)

The hostname encoding feature (also called hostname obfuscation or URL obfuscation) prevents casual observers from noting the URL of an internal resource by obscuring the target server within the URL without masking the full path name, target file, or port number. For example, if a user navigates to www.msn.com without selective rewriting or hostname encoding enabled, the system displays an unobscured URL in his Web browser's address bar:

http://www.msn.com/

If you then enable selective rewriting, the system might display the following URL:

https://mycompanyserver.com/,DanaInfo=www.msn.com,SSO=U+

If you then enable hostname encoding, and the same user navigates to the same site, he sees a URL in which the hostname (www.msn.com) is obscured:

https://i5.asglab.pulsesecure.net/,DanaInfo=.awxyCqxtGkxw,SSO=U+

Hostname encoding uses a lightweight reversible algorithm so that users can bookmark encoded URLs. (The system can translate the encoded URL and resolve it back to the original URL.) For compatibility, previously created bookmarks to unmasked URLs continue to work when hostname encoding is enabled.


If you enable selective rewriting and hostname encoding, the system only obscures the hostnames and IP addresses of those servers that you have chosen to rewrite using the selective rewrite feature.

Links not rewritten by the system are not obscured. For example, the rewriter does not intermediate ftp, rtsp, mms and mailto links and therefore the hostnames in these links are not masked. This is required to pass security audits.

If you enable the framed toolbar and hostname encoding, the system does not obscure hostnames that the user enters in the framed toolbar's browse field.

The system does not obscure hostnames and IP addresses in log entries, including hostname encoding log entries.
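An added example, not part of the original documentation: a small Python parser for the two rewritten URL forms shown above, used to list which links in a captured set (address bar history, page source, log entries) still expose a backend hostname. The layout of the ",DanaInfo=" block and the leading-dot encoding marker are assumptions drawn from the page's two examples, and files.intranet.example is a constructed hostname.

```python
from urllib.parse import urlsplit

# Link types the rewriter does not intermediate (from the page); their hostnames stay visible.
UNREWRITTEN_SCHEMES = ("ftp", "rtsp", "mms", "mailto")

def parse_rewritten_url(url):
    """Split a gateway-rewritten URL into gateway host, DanaInfo parameters and path remainder.

    Returns None when the URL carries no ",DanaInfo=" block, i.e. it was not rewritten.
    Assumption drawn from the page's two examples: the block starts at ",DanaInfo=", its
    comma-separated entries are key=value pairs or bare flags, and a "+" terminates it.
    """
    parts = urlsplit(url)
    start = parts.path.find(",DanaInfo=")
    end = parts.path.find("+", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    params = {}
    for item in parts.path[start + 1:end].split(","):
        key, _, value = item.partition("=")
        params[key] = value  # bare flags (no "=") get an empty value
    return {"gateway": parts.hostname, "params": params, "rest": parts.path[end + 1:]}

def target_host(url):
    """Return (hostname shown in the link, masked) for one URL.

    The page's hostname-encoded example carries a leading dot in the DanaInfo value; this
    code treats that dot as the encoding marker (an assumption from that single example).
    """
    info = parse_rewritten_url(url)
    if info is None:
        return urlsplit(url).hostname, False
    host = info["params"].get("DanaInfo", "")
    return host, host.startswith(".")

def exposed_hosts(urls):
    """Map each hostname a casual observer could read from the links to why it is visible."""
    exposed = {}
    for url in urls:
        host, masked = target_host(url)
        if not host or masked:
            continue
        if parse_rewritten_url(url) is None:
            scheme = urlsplit(url).scheme
            why = f"scheme {scheme} is not intermediated" if scheme in UNREWRITTEN_SCHEMES else "not rewritten"
        else:
            why = "rewritten without hostname encoding"
        exposed.setdefault(host, why)
    return exposed

# Constructed sample: the page's two rewritten examples plus an ftp link the rewriter leaves alone.
SAMPLE_LINKS = [
    "http://www.msn.com/",                                               # no rewriting
    "https://mycompanyserver.com/,DanaInfo=www.msn.com,SSO=U+",          # selective rewriting
    "https://i5.asglab.pulsesecure.net/,DanaInfo=.awxyCqxtGkxw,SSO=U+",  # hostname encoding
    "ftp://files.intranet.example/pub/",                                 # not intermediated
]
```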

Advanced options

Allow Java applets

(Default) Select this option to enable users to browse to Web pages containing client-side Java applets. The system appears to the application server as a browser over SSL. The system transparently handles any HTTP requests and TCP connections initiated by a Java applet and handles signed Java applets.

If you enable this feature, users can launch Java applets and run applications that are implemented as client-side Java applets, such as the Virtual Computing (VNC) Java client, Citrix NFuse Java client, WRQ Reflections Web client, and Lotus WebMail.

Allow Flash content

(Default) Select this option to enable the system to intermediate Flash content through its Content Intermediation Engine. Note that the system provides limited support for ActionScript 2.0 and Flash Remoting, and does not support XMLSocket connections.

The Content Intermediation Engine supports Flash versions 5, 6, 7 and 8, including dynamic rewriting of internal Web links during an access request. It also rewrites ActionScript. The supported ActionScript calls are load, send, sendAndLoad, loadVariables, loadMovie, loadVariablesNum, loadMovieNum, loadClip, loadSound, apply, and connect on the XML, Sound, MovieClip, NetConnection, and MovieClipLoader classes. The eval equivalent in ActionScript is not supported, so we recommend that the function calls above not be embedded in an ActionScript string object. Flash applications that use the XMLSocket object or Flash Remoting are not supported. For more information, see the Content Intermediation Engine Best Practices Guide.

Persistent cookies

(Default) Select this option to enable users to customize their browsing experiences by enabling them to keep persistent cookies. By default, the system flushes Web cookies that are stored during a user session. A user can delete cookies through the Advanced Preferences page if you enable this option.

Unrewritten pages open in new window

Select this option to configure the system to open content in a new browser window when a user accesses an unrewritten Web page. Opening content in a new window can help remind users that they still have a secure session. When a user requests a resource to which this option applies, the system displays a page that contains a link to the requested resource and directs the user to click the link. This link opens the resource in a new browser window, and the page from which the request originated continues to display in the system.

If you uncheck this box, users might not realize that their session is still active and that to return to the system, they need to use the browser's Back button. Users must return to the system to sign out. If they simply close the browser window, their sessions remain active until the session time limit expires.

Allow browsing untrusted SSL Web servers

(Default) Select this option to allow access to untrusted web sites through the system. Untrusted web sites are those whose server certificates are not installed through the System > Configuration > Certificates > Trusted Server CAs tab of the admin console, or whose certificates have expired or been revoked.

If a web page has internal references to files within a SCRIPT tag and these files are hosted on different HTTPS servers that have SSL certificates not trusted by the system, the web page does not render correctly. In these cases, the Warn users about the certificate problems option must be disabled.

Warn users about the certificate problems. (Default) Select this option to warn users about certificate problems. If this option is enabled and the user accesses non-HTML content (such as images, js, and css) served from a different SSL server than the HTML page, the page containing the links may not display correctly. You can avoid this problem either by deselecting this option or by uploading a valid production SSL certificate on the servers that serve the non-HTML content.

If enabled, the system displays a warning when the user first accesses an untrusted web site, telling him why the site's certificate is untrusted and allowing him to either continue or cancel. If the user chooses to continue after viewing the warning, the system does not display any more warnings for that site during the current session.

This option is not applicable for auth-only URLs (for example, ActiveSync) and Secure Mail URLs.

Allow users to bypass warnings on a server-by-server basis. Select this option to allow the user to suppress all further warnings for an untrusted web site. If a user chooses this option, he never sees a warning for this site again, provided that he accesses it from the current device or cluster.

If you choose to allow users to access untrusted web sites without seeing a warning, the system still logs a message to the user access log whenever a user navigates to an untrusted site. Also note that if a user chooses to suppress warnings, he can clear the persistent settings of the untrusted web sites using the Delete Passwords option in the System > Preferences > Advanced tab in the end user console.


Rewrite file:// URLs

Select this option to rewrite file:// URLs so that they are routed through the system's file browsing CGI.

Rewrite links in PDF files

Select this option to rewrite hyperlinks in PDFs.

Auto populate domain information

Select this option to display the domain information in the end user authentication intermediate page that prompts for credentials. When this option is not selected, the domain text box will be blank.

HTTP Connection Timeout

HTTP Connection Timeout

Specify the duration to wait for a response from an HTTP server before timing out and closing the connection. Use values from 30 to 1800 seconds (default is 240).

Higher timeout values might exhaust system resources if applications do not close connections properly or take too long to close the connections. Unless an application requires a higher timeout value, we recommend accepting the default value.

WebSocket Connection Timeout

Specify the duration to wait for data transfer between the client and server. Use values from 30 to 1800 seconds (default is 900).

WebSocket is a web technology that provides bidirectional, full-duplex communication channels over a single TCP connection. It gives browser-based applications that need two-way communication with servers a mechanism that does not rely on opening multiple HTTP connections. Communication is done over the regular TCP port numbers 80 or 443.

Currently, only the following web resource policies support WebSocket:

Web ACL Access

Passthrough Proxy

Options

The WebSocket URL that starts with ws:// or wss:// is not allowed in any of the web resource profile pages, web resource policies or web bookmark pages.

The following Web options under Roles accept WebSocket requests:

Mask hostnames while browsing

Persistent cookies

Allow browsing untrusted SSL web sites

ActiveSync Long-Lived Connection Timeout

Specify the duration of a long-lived request used to synchronize an iOS device with a Microsoft Exchange server (Secure Mail must be enabled for the role). When the request expires, the device issues a new request. Use values from 30 to 7200 seconds. Microsoft recommends using 1800 seconds (the default).