Secure Global Desktop 4.40 Administration Guide

Securing Connections Between Client Devices and SGD Servers

When securing connections between client devices and SGD servers, the following connections must be considered:

  * The connection between an SGD Client and an SGD server
  * The connection between a web browser and the web server on the SGD host

How you secure these connections is described in the following sections.

Securing the Connection Between an SGD Client and an SGD Server

When SGD is first installed, the initial connection between an SGD Client and an SGD server is secure. However, after the user has logged in, the connection is downgraded to a standard (non-SSL) connection. To use secure connections permanently, you must enable SGD security services. You do this as follows:

  1. Log in as superuser (root) on the SGD host.
  2. Obtain and install an X.509 certificate for the SGD server.

    An X.509 certificate allows an SGD server to identify itself to an SGD Client.

    Note There are important security considerations regarding the types of X.509 certificate you can use.

  3. Restart the SGD server.
  4. Enable SGD security services.

    Use the following command:

    # tarantella security start
  5. Repeat steps 1 to 4 for each SGD server in the array.
  6. (Optional) Configure connection definitions to determine which users receive secure connections.

Secure connections between an SGD Client and an SGD server use a different port to standard connections. Secure connections use TCP port 5307 by default, but the port is configurable. You might have to configure your firewall to allow network traffic on this port. Alternatively, you can configure SGD for firewall forwarding, so that all connections to an SGD server use a single port, usually TCP port 443.

Securing the Connection Between a Web Browser and a Web Server on the SGD Host

SGD security services only secure the connections between an SGD Client and an SGD server. To secure the connections between a web browser and the web server on the SGD host, HTTPS connections must be enabled in the web server. This connection is used for the webtop and for authentication to SGD (when the SGD Client is operating in Webtop mode). By default, the SGD Web Server is configured to be a secure web server and use the same security certificate as the SGD server.

To enable secure connections to the SGD Web Server:

  1. Log in as superuser (root) on the SGD host.
  2. Obtain and install an X.509 certificate for use with SGD security services.

    Note You can use a separate X.509 certificate for the SGD Web Server if you prefer.

  3. Enable SGD security services.
  4. Enable secure (HTTPS) connections to the SGD Web Server.

    Use the following command:

    # tarantella webserver restart --ssl

Every web server in an array of SGD servers must use the same HTTP or HTTPS port. You must not mix HTTP and HTTPS web servers in the same SGD array.

Once you enable secure connections to a web server, the URL in the client profile must be re-configured to an HTTPS URL.

Using Connection Definitions to Give Users Different Types of Connection

Connection definitions are used to decide whether a secure connection or a standard connection is used between an SGD Client and an SGD server. The connection type can depend on the following factors:

  * The address (IP address or DNS name) of the client device
  * The address (IP address or DNS name) of the SGD server the client connects to

Note If SGD security services are not enabled on a server, secure connections to that server are not available regardless of the user's connection definitions.

By default, the processing of connection definitions is enabled. If it has been disabled, enable it as follows:

  1. In the SGD Administration Console click the Global Settings » Security tab.
  2. Select the Connection Definitions check box.
  3. Click Save.

Alternatively, use the following command:

$ tarantella config edit --security-applyconnections 1

If the processing of connection definitions is enabled, you can configure the connection definitions to determine which users receive standard or secure connections. You can configure connection definitions for organization objects, organizational unit objects, or user profile objects. The connection definitions for an organization can be overridden by the definitions for an organizational unit, and the definitions for an organizational unit can be overridden by the definitions for a user profile. By default, all users can receive secure connections if Secure Global Desktop security services are enabled.

You define connection definitions as follows:

  1. In the SGD Administration Console, click the User Profiles tab and select the object you want to configure.
  2. Click the Security tab.
  3. Add a connection definition.
    1. In the Connection Definitions table, click the Add button. The Add New Connection Definition window displays.
    2. In the Client Device Address field, type an IP address or DNS name.
    3. In the Secure Global Desktop Server Address, type an IP address or DNS name.
    4. Select a Connection Type from the list.
    5. Click Add. The Add New Connection Definition window closes and the connection definition is added to the Connection Definitions table.
  4. Add as many connection definitions as you need.

    The Connection Definitions table shows the definitions that are inherited from parent objects in the organizational hierarchy. It is best to create connection definitions for organization and organizational unit objects as this configures connections for many users at once and makes administration easier.

  5. Use the Move Up and Move Down buttons to change the order of the connection definitions.

    The order of the connection definitions is important. The first matching entry is used. Make sure the most specific definitions appear before more general ones.

On the command line, use the following command to configure connection definitions:

$ tarantella object edit --name obj --conntype type_spec...

Replace type_spec with a connection type specification of the form client:server:type, for example 192.168.5.*:*:STD. Use STD or SSL to configure a standard or secure connection. Separate each type_spec with the "pipe" character, "|". When you run the command from a shell, enclose the whole specification in quotes, because an unquoted "|" is interpreted as a shell pipe and an unquoted "*" is expanded as a filename wildcard.

Note Connection definitions can include the * or ? wildcards to match more than one DNS name or IP address.

Example

The user profile object for Mulan Rouge has the following connection definitions:

Client Device Address     SGD Server Address   Connection Type
*.indigo-insurance.com    *                    Standard
*                         *                    Secure

If Mulan logs in to SGD from her usual client device, fez.indigo-insurance.com, the first connection definition in the list matches and Mulan receives a standard connection.

If Mulan logs in to SGD from a client device that is not part of indigo-insurance.com, the second connection definition in the list matches and Mulan receives a secure connection.

If Mulan had no connection definitions of her own, the connection type would be determined by the connection definitions of a parent object in the organizational hierarchy.
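To make the matching rules concrete (ordered definitions with the first match winning, the * and ? wildcards, the client:server:type form that --conntype takes, deferral to the parent object, the global apply-connections switch, and the dependency on security services being started), here is an added Python model of the decision. It is not SGD code and is not taken from the Administration Guide: the function names (parse_conntype, resolve_connection_type and the others), the server name sgd1.indigo-insurance.com and the client address 203.0.113.7 are this example's own, and the behaviour chosen where the page is silent (an object's own definitions are tried before inherited ones, and a secure connection results when nothing matches at all) is marked as an assumption in the code.

```python
"""Model of how SGD connection definitions select a STD or SSL connection.

Added illustration, not code from the SGD product or the Administration
Guide. It implements only the rules stated on this page: definitions are
ordered and the first match wins, * and ? are wildcards, the CLI form is
client:server:type separated by "|", an object with no definitions defers to
its parent, processing can be switched off globally, and a secure connection
needs security services running on the server. Choices the page does not
spell out are marked as assumptions below.
"""
import re
from typing import List, Optional, Sequence, Tuple

STD = "STD"  # standard (non-SSL) connection, the token the tarantella CLI uses
SSL = "SSL"  # secure connection

ConnDef = Tuple[str, str, str]  # (client pattern, server pattern, STD or SSL)


def parse_conntype(spec: str) -> List[ConnDef]:
    """Parse a --conntype value such as "192.168.5.*:*:STD|*:*:SSL".

    Assumes IPv4 addresses or DNS names in the address fields, as in the
    page's examples; an IPv6 literal contains ":" and would need escaping.
    """
    defs: List[ConnDef] = []
    for item in spec.split("|"):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(":")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"bad connection definition {item!r}: want client:server:type")
        client, server, ctype = parts
        if ctype.upper() not in (STD, SSL):
            raise ValueError(f"bad connection type {ctype!r}: use STD or SSL")
        defs.append((client, server, ctype.upper()))
    return defs


def to_conntype(defs: Sequence[ConnDef]) -> str:
    """Serialize definitions back into the pipe-separated form --conntype takes."""
    return "|".join(f"{client}:{server}:{ctype}" for client, server, ctype in defs)


def address_matches(pattern: str, address: str) -> bool:
    """Match an address against a pattern in which only * and ? are wildcards.

    Every other character is literal, so "192.168.5.*" does not match
    192.168.50.1 and the dot in "*.example.com" is a real dot. DNS names are
    compared case-insensitively.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def first_match(defs: Sequence[ConnDef], client: str, server: str) -> Optional[str]:
    """Type of the first definition whose client and server patterns both match."""
    for client_pat, server_pat, ctype in defs:
        if address_matches(client_pat, client) and address_matches(server_pat, server):
            return ctype
    return None


def resolve_connection_type(
    chain: Sequence[Sequence[ConnDef]],
    client: str,
    server: str,
    *,
    apply_connections: bool = True,
    security_started: bool = True,
) -> str:
    """Decide STD or SSL for one login from a client device to an SGD server.

    chain holds the definitions of the user profile first, then its
    organizational unit(s), then the organization. An object with no
    definitions defers to its parent. Assumption (not stated on the page):
    an object's own definitions are tried before inherited ones, and when
    nothing matches anywhere the page's default applies (secure).
    """
    if not security_started:
        return STD  # security services not enabled on this server: SSL unavailable
    if not apply_connections:
        return SSL  # --security-applyconnections 0: definitions are not processed
    for defs in chain:
        ctype = first_match(defs, client, server)
        if ctype is not None:
            return ctype
    return SSL


if __name__ == "__main__":
    # The page's example for Mulan Rouge; the server name is a constructed value.
    mulan = parse_conntype("*.indigo-insurance.com:*:STD|*:*:SSL")
    for device in ("fez.indigo-insurance.com", "203.0.113.7"):
        print(device, "->", resolve_connection_type([mulan, []], device, "sgd1.indigo-insurance.com"))
```

The output of to_conntype() is the string to pass, quoted, as the --conntype argument of tarantella object edit. Two practical checks fall out of the model: a catch-all such as *:*:SSL shadows every definition listed after it, so specific STD exceptions must come first, and a misordered or over-broad STD definition silently downgrades every matching user to a non-SSL connection, so keep STD rules as narrow as possible and end the list with *:*:SSL.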
