Security

Use this property page to configure the security options associated with the GroupWise^® WebAccess Application.

Timeout
When a user logs in to GroupWise through a Web browser, the WebAccess Application opens a session with the user. This option lets you specify a period of time after which the WebAccess Application closes a session that has become inactive. A session becomes inactive when the user does not perform any actions, such as opening a message, that generate calls to the WebAccess Application. Having a timeout period not only provides security for users' e-mail but also ensures that GroupWise WebAccess runs efficiently.

Timeout for Inactive Sessions
Select how long the WebAccess Application should wait before ending an inactive session. If the user attempts to perform an action after the session has timed out, he or she is prompted to log in again.

Path for Inactive Sessions
Browse for and select the folder where you want the WebAccess Application to save information about inactive sessions. This allows the WebAccess Application to return the user to the exact state he or she was in when the session timed out. Inactive sessions are automatically deleted after a period of time.

The default path is to the users directory, located in the WebAccess Application's home directory (by default, /opt/novell/groupwise/webacc/webaccess/users on the root of the Web server).

Securing Sessions
The following options can be used to secure sessions. If desired, both options can be used.

Use Client IP in Securing Sessions
Select this option if you want the WebAccess Application to bind the client IP address to the session. For that session, the WebAccess Application accepts requests only from the bound IP address. If you are using a proxy server that masks the client IP address, you should not use this option.

User Interface/Use Cookies/Disable Caching
You can increase security by using session cookies and disabling caching of WebAccess information. Session cookies and caching are configurable on a per-user interface (template basis). For example, you could use session cookies and disable caching for the Standard HTML interface and not use session cookies or disable caching for the Wireless Markup Language interface.

Use Cookies
Select this option if you want the WebAccess Application to use a session cookie to secure the user's session. The session cookie, which is created when the user opens the session, ties the session to the browser and ensures that the WebAccess Application accepts session requests from that browser only. The session cookie is held in memory and exists only as long as the user is logged in.

By default, session cookies are enabled for all interfaces, with the exception of the Web Clippings interface, which does not support session cookies.

Disable Caching
This option affects both Web browser caching and proxy server caching. Because the WebAccess Application sends sensitive mailbox information (such as message text and passwords) to users, caching of files by Web browsers and proxy servers can pose an information security risk.

If you select the Disable Caching option, the WebAccess Application includes a "disable caching" request in the header of each file that it sends. By default, Web browsers honor this request and do not cache files that include the request. Proxy servers, on the other hand, might or might not honor the request, depending on how they are configured. If the proxy server honors the request, the file is not cached; if it does not honor the request, the file is cached, regardless of this setting.

Single Sign-On
The WebAccess Application supports authentication to GroupWise using Base64 authentication header credentials generated by a trusted server (for example, a Novell^® iChain^® Authentication Server). The authentication header generated by the trusted server must contain the username and password required to log the user into GroupWise. For this to occur, one of the following conditions must be met:

• The regular GroupWise username and password must match the credentials passed from the trusted server.
  
  or
  
  
• The LDAP authentication credentials used by each POA (if LDAP has been enabled) must match the credentials passed from the trusted server (ConsoleOne > Post Office object > GroupWise tab > Security page).

If the credentials passed from the trusted server match the credentials being used by the GroupWise system, then the GroupWise WebAccess login page is bypassed and the user has immediate access to the requested mailbox.

To specify a trusted server whose authentication header credentials are accepted by the WebAccess Application, click Add to display the Add Trusted Server Information dialog box, then enter the server's IP address or DNS hostname. For more information about the fields in the Add Trusted Server Information dialog box, click the dialog box's Help button.

A trademark symbol (^®, ^TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For more information, see Legal Notices.