My Thoughts on HCL SafeLinx
HCL SafeLinx is another product originally created by IBM, under the name IBM Mobile Connect, and has been around for a very long time. I have used it under this name in the past but never really took much notice of it until now. The product, like so many others, has been re-branded to HCL SafeLinx and has had a fair amount of development done to it. I wasn’t actually even aware HCL had taken Mobile Connect with them or that SafeLinx was the same product. It wasn’t until I was recently forced to use it for the Nomad Desktop Beta that I decided it would be a good idea to implement, as I wanted to get ahead of the curve. Nomad Desktop is going to be a real sales push from my point of view and quite a game-changer. Anyway, back to SafeLinx.
HCL Nomad Desktop needs a web proxy service, not only to direct the network traffic but also to take a secure web-based connection and send it on to any number of Domino servers. Step up SafeLinx. Here is the very clever, some might say magic, part. You have an external address (URL), for example nomad.acme.com. This address points to our firewall, and our firewall then points this traffic to the internal or DMZ-based SafeLinx server. SafeLinx has a resource document for this address that tells it to take any secure web-based traffic on, say, port 443 and authenticate the user against a predetermined LDAP server (in our case Domino). Once a user is authenticated, SafeLinx creates a clientless VPN session. Each resource document is individual to the resource you want to use, so in the case of Nomad the resource document has the settings to take the encrypted web browser traffic on port 443 and convert it to a Domino encrypted connection on port 1352 to the Domino back-end servers, and likewise in reverse to get the traffic or information back to the web browser or web app.
Doing this means you do not need to expose any port to the outside world other than port 443, and even then it is a dedicated, authentication-only service that can sit in a customer DMZ for extra security. It also means that, using just that single address of https://nomad.acme.com, I can use the Nomad Desktop client to get to any one of our Domino servers.
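One way to check the single-port claim from a network outside the firewall, as an added example that is not part of the original post or of HCL's tooling. The function names are hypothetical, and the LDAP ports 389/636 are an assumption about the back end; 443 and 1352 come from the text above.

```python
import socket
import sys

# Policy taken from the post: only HTTPS (443) answers from outside.
# 1352 is Domino NRPC (named in the post); 389/636 are the standard
# LDAP/LDAPS ports, included here as an assumption about the back end.
EXPECTED = {443: True, 1352: False, 389: False, 636: False}


def is_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not exposed.
        return False


def audit_exposure(host, expected=EXPECTED, timeout=3.0):
    """Compare reachable ports with the policy; return a list of findings."""
    findings = []
    for port, should_be_open in sorted(expected.items()):
        reachable = is_open(host, port, timeout)
        if reachable and not should_be_open:
            findings.append((port, "exposed but should be closed"))
        elif not reachable and should_be_open:
            findings.append((port, "closed but should be reachable"))
    return findings


if __name__ == "__main__":
    # Run from outside the firewall against your own address,
    # e.g. python3 audit.py nomad.acme.com
    target = sys.argv[1]
    problems = audit_exposure(target)
    for port, message in problems:
        print(f"{target}:{port} {message}")
    sys.exit(1 if problems else 0)
```

An empty result means the firewall and SafeLinx match the design described above; any finding on 1352 means Domino is reachable without going through the proxy.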
Brilliant, so that works for Nomad Desktop. What else can I use it for, I hear you cry? Well, you can use exactly the same approach for Nomad Mobile, of course. In fact, you can just use the same resource document, so that also covers the mobile access; it’s what we as a company are using right now. You can also use it for every product in the HCL Digital experience stack!!! This means single points of entry for Traveler, Sametime, Verse, Volt etc. Not only that, but anything that uses the web can have an HTTP resource document, at which point the list of what you can’t put through it is extremely small. So what happens now if you have all your traffic going through this one clientless VPN / web proxy server and it fails? It’s a single point of failure, right? SafeLinx also allows you to cluster any number of SafeLinx servers, so that if one fails the other takes over the duties. It allows for load balancing as well, so all the tasks do not need to be taken on by a single server.
The news just keeps getting better… If you have a current Domino license, SafeLinx is part of your current entitlement, so you already own it!!!! (Please check with your account manager regarding your current entitlement to HCL Software.)