After configuring and running both the OpenVPN server and client, it’s a good idea to test if the VPN is working. This involves some tests on both the server and client.
After the server is started, a new interface should be created. Run ifconfig to get a list of all available interfaces. In case tun is configured in the conf file as device type, a new interface with name tun0 is created.
Check server log for client connection
In case OpenVPN is started as a service, the log can be found at /var/log/messages. If you start it directly on the command line, the log will be shown on the shell. When a client connects, the log of the server shows the connection information.
tail -f /var/log/messages
The last lines show client1, meaning that the client not only connected, but is also correctly identified as client1. The connection is working.
Start OpenVPN and the client will try to connect to the server specified in the client.conf file. Client connecting and receiving IP.
After the connection is established, the client also creates a new interface named tun0. Here a client named client1 connects and receives the IP 10.8.0.6.
The easiest way to test that client and server can talk to each other is to ping in both directions. Just run a ping from the server to the client IP, and from the client to the server IP. For this, the VPN IP address must be used (e.g. 10.8.0.x).
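The server-side log check described above can be scripted. The following is an added example, not part of the original post: it pulls the client name and assigned VPN IP out of the server log and counts failed TLS handshakes. The log lines are a constructed sample in the usual OpenVPN 2.x syslog layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of OpenVPN server lines as they would appear in
# /var/log/messages (host name, PID and public addresses are made up).
sample_log() {
cat <<'EOF'
Mar  4 10:15:01 vpnsrv openvpn[2211]: 192.0.2.44:51820 TLS: Initial packet from [AF_INET]192.0.2.44:51820
Mar  4 10:15:02 vpnsrv openvpn[2211]: 192.0.2.44:51820 [client1] Peer Connection Initiated with [AF_INET]192.0.2.44:51820
Mar  4 10:15:02 vpnsrv openvpn[2211]: client1/192.0.2.44:51820 MULTI: primary virtual IP for client1/192.0.2.44:51820: 10.8.0.6
Mar  4 10:16:40 vpnsrv openvpn[2211]: 198.51.100.7:40022 TLS Error: TLS handshake failed
EOF
}

# Print "<common-name> <vpn-ip>" for every client that was given a VPN IP.
# Reads the log on stdin.
vpn_clients() {
    sed -n 's|.*MULTI: primary virtual IP for \([^/]*\)/[^ ]*: \([0-9.]*\)$|\1 \2|p'
}

# Print the most recent VPN IP of one expected client; exit non-zero if the
# server never identified a client under that name.
vpn_ip_of() {
    want=$1
    vpn_clients | awk -v n="$want" '$1 == n { ip = $2 }
        END { if (ip == "") exit 1; print ip }'
}

# Count failed TLS handshakes (clients that reached the port but were
# not authenticated).
tls_failures() {
    grep -c 'TLS Error' || true
}

# Demo on the constructed sample; on a real server feed the log instead,
# e.g.  vpn_ip_of client1 < /var/log/messages
if ip=$(sample_log | vpn_ip_of client1); then
    echo "client1 identified, VPN IP $ip; next step: ping -c 3 $ip"
else
    echo "client1 not found in server log"
fi
echo "failed TLS handshakes: $(sample_log | tls_failures)"
```
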
Start the Afaria Server update. First agree to the license agreement, of course, only when you have read the license and agree to it.
Afaria server update starts. First the currently running server service is stopped.
The setup program will stop the Afaria services. In case this is not possible, you are asked to do it manually or to restart the computer. In case the services are stopped successfully, the setup will start the Afaria Server installation.
Select DB server type
Select the host on which the DB server is running and how to log on to the DB.
At this step, while testing the DB connection, I got an error message. The installer cannot connect to the Afaria DB. In my case, this was solved by starting the MSSQLServer process (for some reason, SQL Server wasn't started anymore).
Error: No connection to DB
Solution: Start SQL Server
Select the Afaria DB.
Confirm installation path
Confirm service account credentials
This can take a while …
Select if you want to start the services. If you want to continue with the installation, do not start them now.
The last component to be installed is the SCEP plug-in. This module is responsible for requesting certificates on behalf of the user. It will make use of the CA and NDE functionality.
Select the version of the module to be installed. On an x64 architecture, the 64-bit version should be selected.
This starts the SCEP installation wizard.
Type: Microsoft SQL Server
This ends the installation of SAP Afaria 7.00. Now a fully functional SAP Afaria environment is installed and available on the same Windows Server 2008 R2. Be aware that it is a version of Afaria from 2012. Next step is to upgrade this version to the latest version available.
The next component to be installed is the Self Service Portal. This is a web page hosted by IIS that allows the end user to register themselves to Afaria. Access will be done through HTTP and as users will share confidential data with the server, SSL is a must.
While SSL was installed in IIS, access to the server using HTTP (without SSL) was not blocked. This is why the installer shows a warning message. As always: do not do this in a production environment, secure access to your Afaria server!
Name of virtual directory: SSP
Authentication: Active Directory
Active Directory: LDAP://tobias.de
Note: this actually depends on your environment setup. In my case, IIS is configured to authenticate against AD.
SAP Afaria service account credentials
Account name: afauser (created earlier)
Will be localhost as this is not a cluster installation and every Afaria component runs on the same server.
Remote Server: localhost
SAP Afaria API Server
This should be empty as it is a first installation. In upgrades, enrollment codes from clients may appear.
After the installer ends, the Self Service Portal is installed and configured.
Enter the SQL Server data. This data must match what was configured earlier on SQL Server!
Authentication: Windows Authentication
SAP Afaria server type will be master server.
Installation directory. Leave the value to standard.
Create the directory.
Enter the user data of the afauser created earlier.
Type of authentication
Here you have two options: Windows domain or LDAP based. It depends on where you created the afauser or what your company uses. In my case it does not really matter, as the AD is an LDAP server and Afaria is part of the same domain as the AD, so both options are valid.
NT domain based: your domain.
In case you get a warning about the domain: Confirm the domain.
NT domain based: ldap
Enter the connection data of the LDAP server. The following information is used to connect to Active Directory.
Server Address: FQDN of LDAP server (Afaria.tobias.de)
Port: 389 (standard port LDAP, no security)
Server Type: Microsoft Active Directory
User DN: cn=administrator,cn=users,dc=tobias,dc=de
With an SSL certificate installed and available in IIS, access to web sites / applications can be secured using SSL. The next step is to secure the access to the Afaria Web Application. This is done by activating SSL for the entire web site, that is: all resources under the default web site can be accessed using SSL. The SAP Afaria web application is not installed yet, but after it is installed, it will be run beneath the default web site by IIS. As SSL is configured for the default web site in IIS, all resources underneath it will be covered too.
Open IIS Manager
Select Default Web Site
Select https and click Edit …
Select the SSL certificate afaria from the list. Afaria is the friendly name / alias given to the IIS certificate in the previous step: installing SSL to IIS.
Assign this binding to all IP addresses and port 443.
To ensure confidentiality of user data, access to SAP Afaria by users needs to be done using SSL. For this to work, IIS must use its own valid SSL certificate. To do so, first a certificate request for IIS must be created. This request will be handled by the CA (installed on same server) and the created certificate must be made available in IIS.
IIS: Create certificate request
Start IIS Manager
Select the default server and Server Certificates in the IIS section.
Create certificate request
Enter the server information. The CA will include this information in the final certificate.
Common name: FQDN of the server
Country: BR, or your country
Select cryptographic service provider.
Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
Bit length: 1024
Enter the file name. This is where the certificate request will be saved to. This file will be later submitted to the CA.
Now the certificate request is done by IIS. Next step is to submit the request to the CA.
CA: Issue certificate
As the CA is on the same server as IIS, the request only needs to be submitted to the CA. The certificate type is for a web server. In my case, using the CA wizard to submit the CSR did not work, as the web server template was not available. What worked was to use the command line to submit the CSR and specify the web server template there.
The web interfaces of Afaria run on top of IIS and are ASP applications. To be able to run them, IIS and ASP must be made available on the server. One way to achieve this is to activate the application server role on the Windows server. This is done by adding this role to the server. Afterwards, IIS and ASP are installed and configured.
To add the application server role, open the server manager and select Add Roles.
In the list of available server roles, the already activated roles are greyed out. Select the role Application Server.
The wizard shows a popup informing that additional role services are required to fulfill the prerequisites of the application server role. In the current state of activated roles, these will be two services. For each one of them, select Add Required Role Services.
Keep IIS services as they are
Confirm the installation parameters.
Windows will install and configure IIS.
Confirm the installation results.
This installs the role application server. After the installation finishes, the server is ready to host ASP web pages.