Getting started with the Sun Secure Global Desktop Security Pack
Installing the Sun Secure Global Desktop Security Pack on a Secure Global Desktop server lets you give users secure connections between their client devices and that Secure Global Desktop server. The connections are secured using SSL, the Secure Sockets Layer.
Secure connections have these benefits:
Benefit | Description |
---|---|
No eavesdropping | SSL encrypts all information before transmission. |
No tampering | SSL can check that a message hasn't changed between the client device and the Secure Global Desktop server. |
No message forgery | SSL requires that the server prove its identity to client devices before communications can take place, and also guards against replay attacks. |
Internet transactions are open to many forms of attack, for example packet-sniffing, DNS spoofing, and man-in-the-middle attacks. It is critical to recognize that even when SSL is used, a connection is only secure if SSL is configured correctly.
The Security Pack can only help raise security levels as part of an ongoing security strategy. The Security Pack can't transform your intranet into a high-security installation by itself.
Once the Security Pack is installed on a Secure Global Desktop server, you must do the following before secure connections are possible:
tarantella security start. This enables secure connections for the users you've configured to have them.
You can decide which users receive secure (SSL-based) connections, and which users receive standard (unencrypted) connections. To do so, you configure the Connections attribute for a person object, organizational unit object, or organization object.
You can configure the type of connection based on these factors:
The initial connection to a Secure Global Desktop server, before users type their username and password, is always secure if the Security Pack is installed and running. This means that usernames and passwords are always sent securely. Once the user is identified, the connection may be downgraded to a standard connection according to your configuration.
Here are some examples for customizing connection types:
The Security Pack secures Secure Global Desktop-related connections between the client device and Secure Global Desktop server. It does not secure any other type of connection: for example, the connections made to a web server on the same host.
We recommend that you use a secure (HTTPS) web server. To do so you need an X.509 certificate for the web server as well as for the Secure Global Desktop server. Some web servers allow you to share the X.509 certificate between the web server and the Security Pack.
If you are using the browser-based webtop or you have developed your own web applications, you must also secure the SOAP connections to a Secure Global Desktop server.
Secure connections between the client device and Secure Global Desktop server use port 5307/tcp.
Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.