Secure Global Desktop 4.40 Administration Guide > Security > SGD and DNS Names

SGD and DNS Names

SGD servers can have multiple DNS names. Each SGD server has one peer DNS name, and one or more external DNS names.

A peer DNS name is the DNS name that the SGD servers in the array use to identify themselves to each other. For example, boston.indigo-insurance.com.

An external DNS name is the DNS name that client devices use. For example, www.indigo-insurance.com.

These two types of DNS names might be associated with the same network card (NIC) on the SGD host, or they might each use a different network card.

In a network containing a firewall, you might need to make some names usable outside the firewall, for example across the Internet, and others usable inside the firewall. For example, users outside the firewall might be able to use www.indigo-insurance.com, but not boston.indigo-insurance.com. Users inside the firewall might be able to use either name.

When you install SGD you are prompted for the DNS name for the SGD server. This must be the peer DNS name that is used inside the firewall. This is the DNS name that the SGD Web Server binds to when it starts.

After installation, you can configure each SGD server with one or more external DNS names. These are the DNS names used outside the firewall. You do not have to make all your SGD servers available outside the firewall. However, if users log in to an SGD server from both inside and outside the firewall, they might not be able to resume some applications when logging in from outside the firewall.

If you are using mechanisms, such as an external hardware load balancer or round-robin DNS, to control the SGD server that a user connects to, you must configure SGD to work with these mechanisms.

Configuring External DNS Names

If an SGD server is known by different names on the network, for example inside and outside a firewall, you can configure the SGD server to have one or more external DNS names. When the user connects to the SGD Web Server, SGD can be configured to "instruct" the SGD Client to connect using a different DNS name. The DNS name is determined using the IP address of the client.

You configure the external DNS names for an SGD server as follows:

  1. Log in as superuser (root) on the SGD host.
  2. In the SGD Administration Console, click the SGD Servers tab and select an SGD server.

    The General tab displays.

  3. In the External DNS Names field, type one or more DNS names.

    See below for more details on the format of the DNS name.

  4. Click Save.
  5. Restart the SGD server.

Alternatively, use the following command:

$ tarantella config edit --server-dns-external dns_name ...

Each DNS name has the format Client-IP-Pattern:External-DNS-Name. The Client-IP-Pattern can be either of the following:

In the SGD Administration Console, press the Return key after each name definition. On the command line, use a comma to separate the names, for example:

$ tarantella config edit --server-dns-external "192.168.10.*:boston.indigo-insurance.com,*:www.indigo-insurance.com"

The order of the names is important. The first matching IP pattern is used. For example if the following names are defined:

192.168.10.*:boston.indigo-insurance.com
*:www.indigo-insurance.com

Clients with IP addresses beginning 192.168.10 connect to boston.indigo-insurance.com, and all other clients connect to www.indigo-insurance.com. If the order of the names was reversed, all clients connect to www.indigo-insurance.com.
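The following added example (not part of the Administration Guide or the SGD product) models how an ordered Client-IP-Pattern:External-DNS-Name list is applied to a connecting client, using the two-name definition above as constructed input. It assumes the pattern is matched as a shell-style glob, which the page only shows for a trailing "*"; the function that flags names shadowed by an earlier "*" entry is a configuration check added here, not an SGD command.

```python
import fnmatch
from typing import List, Optional, Tuple

# Constructed input: the same value the page passes to
# 'tarantella config edit --server-dns-external'.
SPEC = "192.168.10.*:boston.indigo-insurance.com,*:www.indigo-insurance.com"


def parse_external_dns(spec: str) -> List[Tuple[str, str]]:
    """Split the comma-separated value into (Client-IP-Pattern, External-DNS-Name)
    pairs, preserving order because the first matching pattern wins."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"entry lacks the ':' separator: {item!r}")
        pattern, dns_name = item.split(":", 1)
        if not pattern or not dns_name:
            raise ValueError(f"empty pattern or DNS name in {item!r}")
        entries.append((pattern, dns_name))
    if not entries:
        raise ValueError("no external DNS names defined")
    return entries


def external_name_for(client_ip: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Return the DNS name the SGD Client would be told to use for client_ip.
    Assumption: patterns are glob-matched ('.' is literal, '*' matches the rest)."""
    for pattern, dns_name in entries:
        if fnmatch.fnmatchcase(client_ip, pattern):
            return dns_name
    return None  # no pattern matched; a trailing '*' entry avoids this


def shadowed_names(entries: List[Tuple[str, str]]) -> List[str]:
    """Names that can never be selected because a '*' entry precedes them.
    This is the misordering the page warns about (all clients get the '*' name)."""
    for i, (pattern, _) in enumerate(entries):
        if pattern == "*":
            return [name for _, name in entries[i + 1:]]
    return []


if __name__ == "__main__":
    entries = parse_external_dns(SPEC)
    for ip in ("192.168.10.7", "10.0.0.5"):
        print(ip, "->", external_name_for(ip, entries))
    print("shadowed when reversed:", shadowed_names(list(reversed(entries))))
```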

If you are using multiple DNS names and you want to enable secure connections, you must make sure that the X.509 certificate contains each DNS name that is used. The X.509 certificate is used to secure the connection between the SGD Client and the SGD server. See SGD Security Services and X.509 Certificates for details.

Changing the Peer DNS Name of an SGD Server

SGD allows you to change the peer DNS name of an SGD server without having to reinstall.

You must detach the SGD server from the array and stop it before configuring SGD with the name change.

  1. Log in as superuser (root) on the SGD host.
  2. Make sure there are no user sessions and application sessions running on the SGD server, including suspended application sessions.
  3. Detach the SGD server from the array.

    If you are detaching the primary server, first make another server the primary server and then detach the server.

    # tarantella array detach --secondary serv
  4. Stop the SGD server.
  5. Ensure that the DNS name change for the SGD host has taken effect.

    Check your DNS configuration and ensure that clients can resolve the new DNS name. You might also have to edit the /etc/hosts and /etc/resolv.conf files on the SGD host.

  6. Reconfigure the DNS name of the SGD server.

    Use the following command:

    # tarantella serverrename --peerdns newname [ --extdns newname ]

    Use the --extdns option to change the external DNS name of the server. This option only works if the SGD server has a single external DNS name. If the server has more than one external DNS name, you must manually update the external DNS names.

    When prompted, type Y to proceed with the name change.

  7. Regenerate the server certificates used for secure intra-array communication.
    # tarantella security keystoregen
  8. (Optional) Create and install new server X.509 certificates and enable SGD security services.

    See Securing Connections Between Client Devices and SGD Servers.

  9. Restart the SGD Web Server.
  10. Restart the SGD server.
  11. Join the SGD server to the array.
    # tarantella array join --primary serv --secondary serv

After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAME.log file contains the details of the changes that were made. Your existing X.509 security certificates are backed up in the /opt/tarantella/var/tsp.OLD.number directory.

If you use the SGD server as an application server, you must manually reconfigure the application server object as follows:

  1. In the SGD Administration Console, click the Application Servers tab and select the SGD server.

    The General tab displays.

  2. (Optional) In the Name field, type the new name of the SGD server.
  3. In the Address field, type the new DNS name of the SGD server.
  4. Click Save.

Alternatively, use the following command to change the DNS name of the application server:

$ tarantella object edit --name obj --address newname

Use the tarantella object rename command to rename the application server object.

You might have to reconfigure the printer queues on your application servers to use the new DNS name of the SGD server.
