HOB RD VPN 2.1 Administration Guide

Transcription

Administration Guide
HOB Remote Desktop VPN
blue edition
Software version: 2.1
Issue: December 2014
HOB Software and Documentation – Legal Notice
Contact: HOB GmbH & Co. KG
Schwadermuehlstr. 3
90556 Cadolzburg
Represented by: Klaus Brandstätter, Zoran Adamovic
Phone: + 49 9103 715 0
Fax: + 49 9103 715 271
E-mail: [email protected]
Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA
5180
Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002
Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter,
Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg
Disclaimer
All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited.
HOB RD VPN software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss
or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document.
All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.
Liability for content
The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we
cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we
are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG.
According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information
not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of
information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement
being made known to us. Upon notification of such violations, the content will be removed immediately.
Liability for links
This publication may contain links to external websites over which we have no control. Therefore we can not accept any
responsibility for their content. The respective provider or operator of the website pages to which there are links is always
responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of
the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and
on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any
violations, such links will be removed immediately.
Copyright
The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying,
modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written
consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for
private, non-commercial use. Where contents of this publication have not been created by the author, the copyright of the third
parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such.
If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information.
Upon notification of any such violation, the concerned content will be removed immediately.
Trademarks
Microsoft Windows is a trademark of Microsoft Corporation.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
UNIX is a registered trademark of The Open Group (see http://www.unix.org/trademark.html).
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
Citrix, Citrix ICA, Citrix XenApp, Citrix Receiver for Java and other products are trademarks or registered trademarks of Citrix
Systems, Inc.
Mac OS and Apple are trademarks of Apple Inc., registered in the U.S. and other countries.
All other product names, company names and service names may be trademarks, registered trademarks or service marks of
their respective corporations or owners, even if they are not specifically marked as such.
Issued: December 3, 2014
2
Security Solutions by HOB
Purpose of this Guide
This guide is designed to provide the system administrators with detailed information
concerning HOB RD VPN to help them decide where and when this product can be most
effectively deployed in their enterprise network.
This documentation contains descriptions of numerous possible scenarios, and explains
the required conditions. The procedures for configuring the individual software components
are documented in detail with step-by-step instructions.
Symbols and Conventions
This manual uses certain symbols and conventions to help the reader. These are explained
below:
This symbol indicates useful tips that can make your work easier.
This symbol indicates additional informative text.
This symbol indicates an important tip or procedure that may have far-reaching
effects. Please consider carefully the consequences of any changes and
settings you make here.




References to program commands, options and buttons are printed in Bold, e.g. Select
the command Open….
Cross-references to section headings and figures with numbers are marked in color as
follows: Chapter 39 Information and Support.
File names and text to be entered by the user are displayed in the font Courier New.
This input is – unless otherwise mentioned - case sensitive.
In this documentation, HOB-specific terminology are abbreviated as follows:
HOB-specific Terminology
Abbreviation
HOB Remote Desktop Virtual Private Network
HOB RD VPN
HOB WebSecureProxy
HOB WSP
HOBLink Java Windows Terminal
HOBLink JWT
HOB WebSecureProxy Universal Client
HOB WSP UC
3
Other abbreviations commonly used in this documentation are as follows:
Full Name
Abbreviation
Common Criteria
CC
De-Militarized Zone (location between two firewalls)
DMZ
Evaluation Assurance Level
EAL
Remote Desktop
RD
Security Target
ST
4
Contents
1
2
3
4
5
6
7
Introducing HOB RD VPN
15
1.1
Features of HOB RD VPN blue edition......................................................... 15
1.2
Components of HOB RD VPN...................................................................... 16
HOB RD VPN Basic Concepts
21
2.1
HOB RD VPN Navigation Screen................................................................. 21
2.2
HOB Administration Portal............................................................................ 23
2.3
User Control ................................................................................................. 23
2.4
HOB RD VPN Domains ................................................................................ 24
2.5
Multi-Tenancy ............................................................................................... 26
2.6
Roles ............................................................................................................ 26
2.7
Global Administrator vs. Domain Administrator............................................ 28
2.8
HOB WebSecureProxy................................................................................. 29
2.9
HOB RD VPN Computer Cluster .................................................................. 30
Deployment Scenarios
33
3.1
Default Deployment Configuration................................................................ 33
3.2
Cluster Deployment Configuration................................................................ 34
HOB RD VPN Installation
37
4.1
System Requirements for Installation........................................................... 37
4.2
Prerequisites for Installation – Single Node and Cluster .............................. 38
4.3
Starting the HOB RD VPN Installer – Single Node and Cluster ................... 40
4.4
HOB RD VPN Installation – First Node and Cluster ..................................... 41
4.5
HOB RD VPN Installation – New Cluster Member ....................................... 51
4.6
Customizing HOB RD VPN User Pages....................................................... 60
4.7
Testing the Installation.................................................................................. 64
HOB RD VPN Navigation Screen
67
5.1
Portlets ......................................................................................................... 68
5.2
User Settings ................................................................................................ 69
HOB RD VPN Administration
75
6.1
Administration Access as a Domain Administrator....................................... 75
6.2
Administration Access as a Global Administrator......................................... 78
6.3
Creating a New Global Administrator ........................................................... 89
6.4
Logging and Error Messages in HOB RD VPN ............................................ 93
Multi-Tenancy
99
5
8
9
7.1
Default Domain Configuration after Installation ............................................ 99
7.2
Using the Integrated Directory Service ....................................................... 102
7.3
Using an External Directory Service as the Authentication Service............ 107
7.4
Using RADIUS Access Servers as the Authentication Service................... 113
7.5
Using Kerberos as the Authentication Service............................................ 119
7.6
Kerberos Single Sign-on ............................................................................. 125
7.7
HOB LDAP Scheme Extension ................................................................... 125
Roles and Users
127
8.1
Configuring Roles and Users in HOB WebSecureProxy ............................ 127
8.2
Configuring Roles and Users in HOB RD VPN Administration ................... 135
8.3
Configuring HOB RD VPN 2.1 .................................................................... 138
Defining Targets in the HOB WSP
153
9.1
Creating a Target ........................................................................................ 153
9.2
Configuring the RDP Hook.......................................................................... 163
10 Remote Desktop Computing using HOBLink J-Term/JWT
167
10.1
Configuring HOBLink J-Term/JWT to create RDP Connections ................. 167
10.2
Configuring HOBLink JWT .......................................................................... 169
10.3
Configuring a Scheme in HOBLink JWT ..................................................... 174
10.4
Configuring a Session in HOBLink JWT ..................................................... 176
10.5
Running Sessions ....................................................................................... 177
10.6
Load Balancing ........................................................................................... 179
11 Remote Desktop Computing using HOBLink JWT Webstart
11.1
Configuring RD Computing using HOBLink JWT........................................ 183
11.2
The Client Configuration Provider ............................................................... 185
11.3
Configuring HOBLink JWT .......................................................................... 186
11.4
Configuring a Session in HOBLink JWT Webstart ...................................... 188
11.5
Configuring a Scheme in HOBLink JWT Webstart ..................................... 189
11.6
Run Sessions .............................................................................................. 192
12 HOB RD VPN Desktop-on-Demand
193
12.1
Configuring HOB Desktop-on-Demand....................................................... 193
12.2
HOB Wake-on-LAN Relay .......................................................................... 200
13 Virtual Desktop Integration
6
183
207
13.1
HOB VDI – the Technology......................................................................... 207
13.2
The HOB VDI Agent.................................................................................... 208
13.3
The HOB VDI Control ................................................................................. 208
13.4
Requirements for HOB VDI ........................................................................ 209
13.5
Installing HOB VDI...................................................................................... 209
13.6
Configuring HOB VDI ................................................................................. 212
14 Remote Desktop Access using VNC
215
14.1
Configuring VNC Targets ........................................................................... 215
14.2
Configuring a Static VNC Bridge Connection ............................................. 218
14.3
Configuring a Dynamic VNC Bridge Connection ........................................ 220
14.4
Using the HOB VNC Bridge........................................................................ 221
15 Remote Desktop Access using SSH
223
15.1
SSH Targets ............................................................................................... 223
15.2
Using SSH .................................................................................................. 226
16 Terminal Emulations
227
16.1
Configuring HOB RD VPN for Terminal Emulations................................... 227
16.2
Configuring TN3270 Targets ...................................................................... 236
16.3
Configuring TN5250 Targets ...................................................................... 237
16.4
Configuring Telnet Targets ......................................................................... 240
17 HOB RD VPN Web Server Gate – Intranet Access
245
17.1
Configuring the HOB RD VPN Web Server Gate ....................................... 246
17.2
Using the HOB RD VPN Web Server Gate ................................................ 247
17.3
HOB Single Sign-on – Auto Logon to Intranet Servers .............................. 250
18 Remote Desktop Access using ICA
255
18.1
Installing HOB RD VPN for Remote Desktop Access with ICA .................. 255
18.2
Configuring Remote Desktop Access with ICA .......................................... 255
18.3
Implementing Single Sign-on for Access using ICA ................................... 261
18.4
Using ICA for Remote Desktop Access...................................................... 263
19 HOB RD VPN Web File Access
265
19.1
Configuring HOB RD VPN Web File Access .............................................. 265
19.2
Using HOB RD VPN Web File Access ....................................................... 267
20 Remote Access to Microsoft Exchange Server
271
20.1
Configuring Remote Access to Microsoft Exchange Server....................... 271
20.2
Configuring XML for HOB RD VPN Exchange Server Access ................... 274
20.3
Using HOB RD VPN Microsoft Exchange Server Access .......................... 275
21 Internal Network Adapter
21.1
277
Installing the Internal Network Adapter and HOB TUN Driver.................... 277
7
21.2
Configuring the Internal Network Adapter ................................................... 278
22 Using the HOB PPP Tunnel for Network Access
22.1
Configuring User Settings for the HOB PPP Tunnel ................................... 281
22.2
Network Address Translation ...................................................................... 283
22.3
Configuring the HOB PPP Tunnel............................................................... 285
22.4
Configuring L2TP for the HOB PPP Tunnel ................................................ 288
22.5
Configuring a Raw Packet Interface for the HOB PPP Tunnel ................... 289
22.6
Configuring Dynamic NAT .......................................................................... 292
22.7
Configuring the HOB TCP Tuner ................................................................ 296
22.8
Assigning the Server List ............................................................................ 301
22.9
Creating a HOB PPP Tunnel Portlet on the Navigation Screen.................. 302
22.10
Using the HOB PPP Tunnel ........................................................................ 303
23 HOBPhone
305
23.1
Configuring HOBPhone in HOB RD VPN ................................................... 305
23.2
Configuring the User Accounts in HOBPhone ............................................ 313
23.3
Using HOBPhone........................................................................................ 323
24 HOB WSP Universal Client
333
24.1
Configuring HOB WSP Universal Client ..................................................... 334
24.2
Configuring the HOB WebSecureProxy for SOCKS ................................... 338
24.3
Configuring the Client ................................................................................. 339
24.4
Configuring the Client Application with HOB WSP ..................................... 339
25 HOB Compliance Check
343
25.1
Configuring the HOB Compliance Check.................................................... 343
25.2
Assigning the HOB Compliance Check to a Role ....................................... 352
25.3
Using the HOB Compliance Check ............................................................. 353
26 HOB Target Filters
355
26.1
Configuring Target Filters ........................................................................... 355
26.2
Using Target Filters..................................................................................... 358
27 SSL Identifier
361
27.1
Configuring the SSL Identifier for the User ................................................. 361
27.2
Configuring the SSL Identifier for the WSP................................................. 364
27.3
Using the SSL Identifier .............................................................................. 366
28 Additional HOB Solutions
8
281
367
28.1
HOB Remote Desktop Enhanced Services ................................................ 367
28.2
HOB X11Gate ............................................................................................. 368
28.3
HOB MacGate ............................................................................................ 369
29 Security Checks
371
29.1
Server ......................................................................................................... 371
29.2
Firewall ....................................................................................................... 371
29.3
Ports ........................................................................................................... 372
29.4
Logging....................................................................................................... 372
30 HOB RD VPN Evaluated for Common Criteria
373
30.1
Information on Common Criteria ................................................................ 373
30.2
Security Objectives for the Operational Environment................................. 375
30.3
Delivery Accuracy Check............................................................................ 378
30.4
Consequences of Misconfiguration ............................................................ 381
30.5
System Requirements ................................................................................ 383
30.6
Configuration Tasks.................................................................................... 385
30.7
User Workshops and Schooling ................................................................. 387
30.8
Achieving Trustworthy Encryption .............................................................. 389
30.9
Using Certificates in HOB RD VPN ............................................................ 392
31 Flaw Remediation
31.1
395
Aspects of Flaw Remediation ..................................................................... 396
32 Frequently Asked Questions
397
33 Advanced HOB WSP Configuration
401
33.1
Adding Certificates and HOBLink Security Units to the HOB WSP............ 401
33.2
Manually Stopping and Starting the HOB WSP.......................................... 403
33.3
Configuration Changes and their Effectiveness and Impact....................... 404
34 XML Configuration for HOB Web Server Gate
34.1
407
Example HOB Web Server Gate Configuration.......................................... 407
35 XML Configuration for HOBLink JWT
409
35.1
Example configuration for Direct Connections ........................................... 409
35.2
Example configuration for connections using the HOB WSP ..................... 413
35.3
Connection parameters .............................................................................. 415
35.4
Display parameters..................................................................................... 420
35.5
Logon parameters ...................................................................................... 426
35.6
Security parameters ................................................................................... 427
35.7
Keyboard & Mouse parameters.................................................................. 430
35.8
Resources parameters ............................................................................... 433
35.9
Logging parameters.................................................................................... 438
9
35.10
Control parameters ..................................................................................... 440
35.11
Optimization parameters ............................................................................. 443
36 XML Configuration for the HOB WebSecureProxy
36.1
Configuring XML parameters for the HOB WSP ......................................... 450
36.2
Root Element and XML declaration ............................................................ 453
36.3
The <general> element ............................................................................... 476
36.4
The <connection> element ......................................................................... 480
36.5
The <authentication-library-object> element............................................... 484
36.6
The <server-list> element ........................................................................... 485
36.7
The <L2TP-gateway> element.................................................................... 486
36.8
The <raw-packet-interface> element .......................................................... 487
36.9
The <service> element ............................................................................... 488
36.10
The <Kerberos-5-KDC> element ................................................................ 489
36.11
The <radius-group> element....................................................................... 490
36.12
The <LDAP-service> element ..................................................................... 491
36.13
The <LDAP-template> element .................................................................. 493
36.14
The <target-filter> element.......................................................................... 494
36.15
The <cluster> element ................................................................................ 495
36.16
The <client-side-ssl> element ..................................................................... 496
36.17
The <OCSP-section> element .................................................................... 497
36.18
The <configuration-parameters> element ................................................... 497
37 Server Data Hook Configurations
499
37.1
The Authentication Library (xl-sdh-webserver-01.dll) ................................. 499
37.2
The Web Server Gate SDH (xl-sdh-webserver-01)..................................... 503
37.3
The Kerberos Ticket Service SDH (xl-sdh-krb5ts1-01) ............................... 504
37.4
The EA to LDAP SDH (xl-sdh-ea-ldap-01).................................................. 504
37.5
The Compliance Check SDH (xl-sdh-compl-check-01)............................... 505
37.6
The Dynamic NAT PPP Tunnel SDH (xl-sdh-ppp-pf-05) ............................ 507
37.7
The HOBPhone SDH (xl-sdh-hobphone-01)............................................... 507
37.8
The VNC Bridge SDH (xl-rdps-rfbc-1)......................................................... 508
37.9
The SOCKS SDH (xl-sdh-sock5-01) ........................................................... 511
38 HOB LDAP Scheme Extensions
10
449
513
38.1
Scheme Extension for Microsoft Active Directory ....................................... 513
38.2
Scheme Extensions for OpenDJ ................................................................. 522
38.3
Scheme Extensions for OpenLDAP ............................................................ 523
38.4
Scheme Extensions for IBM SecureWAY Directory Server ........................ 524
38.5
Adding HOB Specific Object Classes......................................................... 525
38.6
LDAP Attributes / Options........................................................................... 533
39 Information and Support
535
11
12
HOB RD VPN
About This Documentation
About This Documentation
This is a comprehensive product documentation created to describe all of the
procedures involved in installing, configuring and handling the HOB RD VPN
software. It does not contain descriptions of functions that are not part of the
HOB RD VPN package. Information concerning functions of third-party products
may be obtained from the corresponding user manuals of those products.
It is assumed that you, the reader of this manual, are an experienced IT
administrator, familiar with the basic concepts of cryptography and have elementary
knowledge of the JAVA technology.
This document describes all topics of HOB RD VPN that are related to the
installation, the administration, the evaluation aspects and the interface
descriptions.
Chapters 1 and 2 give an introduction to HOB RD VPN, a description of the basic
concepts, and the features and components that it contains.
Following this, generally there are 5 main areas:
The first section provides a detailed systematic guidance for the installation of the
product (Chapters 3 and 4).
The second section is a reference manual that describes the administration and
advanced features of HOB RD VPN (Chapters 5 to 8).
The third section provides additional information on defining connection targets and
establishing connections to other computers and networks (Chapters 9 to 27).
The fourth section provides additional information on additional HOB solutions and
topics, including security applications and compliance (Chapters 28 and 29).
The fifth section provides information on Common Criteria Evaluation and Flaw
Remediation with useful general information, such as the XML configurations,
FAQs and contact information (from Chapters 30 to 34).
This product documentation is automatically installed together with the main
component of HOB RD VPN, the HOB WebSecureProxy.
We recommend that you print this document on color printers only, or to
view it in zoom mode (150% or more), as it contains reproductions of
display icons.
The security functions of HOB RD VPN have been designed and implemented in a
manner that allows you to create a trusted channel between those distributed parts
of HOB RD VPN that protect the user data and security data transferred over this
channel from disclosure or undetected modification, and also prevents
masquerading of the remote trusted IT system. To enable this functionality,
HOB RD VPN provides the facility for you to generate encrypted security
certificates and the corresponding encryption keys.
As the administrator of HOB RD VPN for your company, you must ensure that all
potential users have been correctly trained to use this product and successfully
authenticated before allowing any action that HOB RD VPN has defined to be for
authenticated users only.
13
Common Criteria Evaluation of HOB RD VPN
HOB RD VPN
The security functions you use must control the access of subjects or users to the
resources of all Web and Remote Desktop servers based on the identity of the
resource. The security functions must also allow you and the other administrators
to specify the users or subjects that are allowed access to a specific named object
in that access mode.
An access list needs to be developed, detailing where each user is allowed to
access the servers, and how they are allowed to do this. This is an element of the
company policies for the user management of HOB RD VPN. These user
management policies are also required to qualify for EAL 4+ security certification.
Please bear in mind that HOB cannot prepare a solution that is applicable
to every possible system configuration or environment. For this reason
HOB can certify only the components of this product, meaning that HOB
cannot be held liable for situations that are outside the scope of this
product, and therefore out of the control of HOB.
Common Criteria Evaluation of
HOB RD VPN
This product is designed to comply with the Common Criteria (CC) and the
assurance level EAL 4+. The CC compliance is achieved only for a specific scenario
and configuration of HOB RD VPN.
HOB Product Management can send you a copy of the Security Target document
that is the core of the whole certification process. It is strongly recommended that
you read this document thoroughly to gain a deeper understanding of the security
functions carried out by this product.
For purposes of Common Criteria Evaluation for Security, a secure
connection to the directory service must be built for a user specific
configuration of the directory service to be used.
14
HOB RD VPN
1
HOB RD VPN blue edition is a software solution that is specially designed to give
you secure remote access over the Internet to the resources in your corporate
network.
This innovative HOB RD VPN software solution enables fast and secure access to
all your business data and applications from any place in the world. It delivers your
intranet, enterprise servers or office PC to you and your users – at the push of a
button – whether you are at your house, a hotel or the airport.
1.1
Features of HOB RD VPN blue edition
These special features have been developed for HOB RD VPN blue edition:

HOB Clustering Support
Clustering support is available for HOB RD VPN blue edition. Clustering support
includes both High Availability and Load Balancing across the servers of your
enterprise.

Multi-Tenancy
HOB RD VPN supports more than one authentication service and configuration
storage, allowing multiple domains to be used simultaneously on the same
machines.

HOBPhone
This feature provides voice telephony across your network.

Access and Rights
These include a Compliance Check and Role Assignment for your users.
HOB RD VPN introduces a role based concept with advanced Compliance
Check functionality and a flexible concept for user authentication and
configuration.

HOB PPP Tunnel
The HOB PPP Tunnel supports dynamic mode, private IP addresses and
includes all required components. An external L2TP service is not required but
may optionally be used.

User-specific Personal IP Address
The SSL Identifier feature allows you to easily identify the user of any client
machine, not just the machine itself, through the use of user-specific IP
addresses.

Improved Desktop-on-Demand Functionality
You can configure multiple simultaneous Desktop-on-Demand targets for a
user.

Third Party Software Support
HOB RD VPN supports connections to VNC enabled servers. HOB RD VPN
also supports the Citrix WebPortal and Citrix Receiver.
15
1.2
HOB RD VPN
Components of HOB RD VPN
The scope of delivery of HOB RD VPN consists of a range of different
complementary components and features:
1.2.1 HOB Integrated Components
These components are integral to the functioning of HOB RD VPN and are installed
automatically.

HOB WebSecureProxy
HOB WebSecureProxy (HOB WSP) is the server component of HOB RD VPN.
It is the central configuration point for all features and functionality of
HOB RD VPN.

Integrated Directory Service
This component manages the central user management. You can use this
integrated directory service or your own established directory service for the
storage of all configuration data and as the authentication service for all those
users and resources using HOB RD VPN. After installation the integrated
directory service is used as the default service.
1.2.2 HOB Portlets
Portlets are the applications that HOB RD VPN uses to execute the required tasks.
They are installed automatically.

HOBLink JWT
HOBLink JWT is the RDP client application used for accessing any RDP
capable server including Microsoft Remote Desktop servers or Windows
desktops. HOBLink JWT is also used to connect to VNC enabled services. It is
delivered bundled with HOBLink J-Term or as a stand-alone product when
connections to legacy terminals are not required.

HOBLink J-Term
HOBLink J-Term is the multi-protocol-capable client application for accessing
host systems via SSH, VT, TN3270, TN5250, HP700 and Siemens 9750.
Additional licenses may be needed for certain protocols.

HOB RD VPN Web Server Gate
The HOB RD VPN Web Server Gate provides secure access to the intranet
servers and can be used to access any available web service.

HOB RD VPN Web File Access
This component enables remote access to file servers. HOB RD VPN Web File
Access is a browser based file manager that is used to connect over SMB/CIFS
to any available share in the internal network.

HOB PPP Tunnel
The HOB PPP Tunnel provides secure transparent network access to the
complete enterprise network.
16
HOB RD VPN

HOBPhone
HOBPhone provides Voice over IP telephony across the machines within your
network.

HOB Universal Client
HOB Universal Client enables remote access for network installed third party
applications.

User Settings
This portlet allows the configuration of bookmarks and other settings for the
users.

Administration
This portlet allows quick and direct access to the HOB RD VPN administration
interface.
A complete list of all components and their release version numbers is
included in this installation of HOB RD VPN and can be found in the file
RDVPN_Component_Info.txt, included in the HOB RD VPN installation
media.
1.2.3 HOB Integrated Features
These features are also included with the installation of HOB RD VPN, and provide
added functionality to complement that of the core components.

Compliance Check
This is a further security measure designed to verify the state of the connecting
clients and can be used to verify that only clients that verify the central security
requirements can connect to the internal network.

VNC Bridge
The HOB VNC Bridge is a component that allows users to connect to any VNC
enabled services (such as Intel AMT or any VNC Server). The VNC Bridge
translates the VNC protocol to RDP, which results in significantly improved
performance.

ICA Support
HOB RD VPN can be used to secure remote ICA connections. HOB RD VPN
allows the use of the Citrix WebPortal and the Citrix Receiver in a secure way.

Desktop-on-Demand
This provides remote access to personal workstation computers running
Windows. This functionality can be combined with Wake-on-LAN technology to
grant this access even if the remote workstations are switched off.

HOB Virtual Desktop Interface Business
This is used for secure remote access to Windows operating systems running
as virtual machines in computer centers.
17

HOB RD VPN
HOB Remote Desktop Load Balancing
This feature allows Load Balancing within your Remote Desktop session host
server farm.
1.2.4 Optional Components
The following components are also delivered as part of HOB RD VPN, but are not
part of the HOB RD VPN installation. These components add extended functionality
and can be installed on your target server, on the client system or installed
separately.

Software Components

HOBLink Security Manager
This component utilizes the HOB Certification Authority to administer security
certificates for your system.
This component should not be installed on the target server. For more
information see the documentation provided for HOBLink Secure and the
HOBLink Security Manager.

HOB Remote Desktop Enhanced Services Load Balancer
This component enables the use of Load Balancing for Windows Servers with
Microsoft Remote Desktop session hosts. For more information see Section
10.6 Load Balancing.

HOB Wake-on-LAN Relay
This component enables the use of Desktop-on-Demand in different networks,
please see Section 12.2 HOB Wake-on-LAN Relay for more information.

HOB VDI Agent
This component enables the sharing for pools of virtual or non-virtual desktops,
please see Section 13.2 The HOB VDI Agent for more information.

HOB Virtual Wake-on-LAN Agent
This component enables Desktop-on-Demand functionality for virtual desktops,
please see Section 12.2 HOB Wake-on-LAN Relay for more information.

Client System Components

Anti Split Tunneling
This extra security feature restricts systems to using only specified, known
connections. It is most often used in conjunction with the HOB PPP Tunnel,
where it restricts connections to locations outside the HOB PPP Tunnel.
1.2.5 Additional HOB Solutions
The following are HOB solutions that are not delivered with HOB RD VPN but can
be purchased additionally. These solutions add extra functionality and usability, as
set out by the needs of your enterprise. They integrate perfectly with all other
components of HOB RD VPN.
18
HOB RD VPN

HOB Remote Desktop Enhanced Services
This component enables additional RDP functionality, such as HOB Local Drive
Mapping, which is required for virus checking, and HOB Audio.

HOB X11Gate
This provides a gateway for remote access to graphical systems under UNIX or
Linux.

HOB MacGate
HOB MacGate enables remote access to server machines using the Mac OS X
operating system.

HOB Secure Communication Server
HOB SCS is the propriety operating system that is designed exclusively for use
with HOB RD VPN. It is a stable, hardened platform that provides a simple,
secure and efficient way to implement the HOB RD VPN security solution.
19
20
HOB RD VPN
HOB RD VPN
2
HOB RD VPN allows you to connect from a client machine over the web to access
your desired target system and servers. HOB RD VPN serves as the access
gateway into your system by sitting as the first point of contact for an incoming
connection, analyzing and authenticating this connection and, if authenticated,
extending this connection to the desired target server or group of servers. This
process is shown graphically here, with HOB RD VPN being installed between the
firewall to the Internet and the firewall to your network:
Figure 1: HOB RD VPN Access to Target System
You can access HOB RD VPN with any standard browser (some integrated
components need a Java-enabled browser).
2.1
After a successful logon as a user you have access to the HOB RD VPN
Navigation Screen.
The HOB RD VPN Navigation Screen consists of different portlets, each of which
enables different applications or functionalities, and is described in more detail in
Chapter 5 HOB RD VPN Navigation Screen.
21
HOB RD VPN
Figure 2: HOB RD VPN Navigation Screen
You can use the links in the screen above to access the functionality you require
from your installation of HOB RD VPN.
In the Common Criteria evaluated configuration you will see the HOB RD VPN
Navigation Screen as above, but with reduced functionality and therefore with only
the following options:
Figure 3: HOB RD VPN Navigation Screen for Common Criteria Evaluation
22
HOB RD VPN
2.2
HOB Administration Portal
The HOB Administration Portal allows you, as the Global Administrator, access to
the administration interface and to configure the whole HOB RD VPN installation.
Figure 4: HOB RD VPN Administration Screen - System
Only Global Administrators can access the Administration Portal and administer the
HOB WebSecureProxy, the domain administrators have only a more limited access
to administration in that they can administer only their own domains, not the full
HOB RD VPN installation.
2.3
User Control
HOB RD VPN introduces much tighter definitions of what a user really is, and what
their roles should be. Each user has different tasks, objectives and responsibilities.
As such, each user has different requirements for the network, and so different
permissions for using resources to achieve these objectives.
No enterprise can function without its users, and these users cannot function
without clearly defined tasks or roles within the enterprise. HOB RD VPN not only
gives you a means to manage all of these items, but also allows you to administer
the elements of your network to better suit your users.
Figure 5: HOB RD VPN User Control
23
HOB RD VPN
A modern enterprise network is made up of multiple servers, numerous
workstations, and innumerable other hardware and software devices. The
administration of all of these entities is a priority of any enterprise wishing to
maximize efficiency. These resources, as well as the users, are administered
together as domains.
2.4
HOB RD VPN Domains
A domain is the main organizational unit of your system. All of your users and the
machines and resources that they use are members of domains. The users and
machines in your system can be organized into domains according to the needs of
your enterprise, and your enterprise can have multiple domains depending on what
you want from your data and what you want to achieve with that data.
Multiple client organizations (or tenants) are served by a single instance of the
HOB RD VPN software, in a form of software architecture that is referred to as
Multi-Tenancy. In HOB RD VPN multiple users share the same application, running
on the same operating system, on the same hardware, with the same data-storage
mechanism. The distinction between the users is achieved during application
design, thus users of one domain cannot share or see data from another domain,
as each domain works with a customized virtual application instance.
HOB RD VPN introduces a multi tenant capability. Each domain in HOB RD VPN
stands for an independent tenant. Each HOB RD VPN domain consists of two
elements:

Authentication Service
The authentication service defines the backend which is used to authenticate
the users for a specific domain. The Authentication Service can use Kerberos,
integrated directory service, external (LDAP-compliant) directory service or
RADIUS servers.

Configuration Storage
The configuration storage is used to store the configuration information of the
domain users. The configuration storage can use the integrated directory
service or an external (LDAP-compliant) directory service. If an external
directory service is used to store the HOB RD VPN configuration you need to
add the HOB Scheme Extension to the service.
24
HOB RD VPN
This table shows the possible combinations for authentication service and
configuration storage:
Configuration Storage
Note
Integrated Directory
Service
Integrated Directory Service Default after installation
Kerberos
Kerberos
External directory service
HOB scheme extension
required
External directory service Integrated Directory Service
External directory service Same external directory
service
RADIUS
RADIUS
External directory service
required
required
Table 1: Possible Authentication Service and Configuration Storage Combinations
If an external authentication service is used while the integrated directory
service is used as the configuration store, there is no user rights
management. This means that a user with the rights to configure sessions
can also configure the sessions of the other users of the same domain.
2.4.1 Integrated Directory Services
HOB RD VPN is delivered with an integrated directory service that is fully LDAP
compliant. HOB RD VPN uses this directory service by default to organize and
internally store all of the settings and configurations for the users and machines that
are currently registered in your network (this is done in the dc=internal,dc=root tree).
The integrated directory service can also be used as the authentication service and
configuration storage (see Chapter 3 Deployment Scenarios for more information).
Immediately after installation the integrated directory service is used as the
authentication service and configuration storage for the users created during
installation. Therefore a domain is automatically created on installation where these
users are stored, this is the domain dc=hobsoft,dc=root.
The Global Administrator can add additional domains to the integrated directory
service (e.g. dc=example,dc=root) or use the integrated directory service only as
authentication service or configuration storage. If it is used as configuration storage
the domain part is automatically created. An auto-create feature can also be used,
where every successfully authenticated user is automatically created in the domain
tree of the integrated directory server. This is also true for the groups that belong to
the user even when an external LDAP server is being used as the authentication
service.
This component handles all of the central user management and integrates the
HOB software into your existing enterprise infrastructure. This dedicated directory
service object management server is included as a constituent part of
25
HOB RD VPN
HOB RD VPN to make the management and administration of access rights and
permissions of workstation and users much simpler.
2.4.2 HOB Directory Services Scheme Extension
Storing HOB specific data with an element requires certain HOB object classes to
be available for certain LDAP elements. The directory services scheme defines the
attributes and classes used in your directory services. The existing set of classes
and attributes provided by HOB are sufficient for most applications. However, the
scheme is extensible, which means that you can define new classes and attributes.
See Chapter 38 HOB LDAP Scheme Extensions for more information on this topic.
2.5
Multi-Tenancy
HOB RD VPN can be configured to use multiple domains, so it is possible to use
one HOB RD VPN installation to successfully authenticate users from different
domains. Because of this HOB RD VPN introduces a multi-tenant capability, where
each domain in HOB RD VPN stands for an independent tenant.
It is possible to completely separate these domains so that every domain uses
different configurations (e.g. domain 1 can only access resources assigned to
domain 1, domain 2 can only access resources assigned to domain 2, for users of
either domain it is not possible to access resources assigned to the other domain).
If required, configurations can also be used from more than one domain (so that
different domains may be assigned access to the same target system).
There are many different reasons for using the multi-tenancy feature besides
connecting to different companies. Multi-tenancy is also used to support different
departments within a company, or it is used to allow customers or suppliers access
to special services without needing to add them to the integrated user directory
service.
Multi-tenancy refers to a single instance of the software running on a server while
serving multiple client organizations (tenants). Multi-tenancy is not the same as a
multi-instance architecture where separate software instances (or hardware
systems) are set up for different client organizations. With a multi-tenant
architecture, a software application such as HOB RD VPN virtually partitions its
data and configuration, so that each client organization (or domain) can work with
a customized virtual application instance.
Multi-tenancy is also regarded as one of the essential attributes of Cloud
Computing.
2.6
Roles
A role is the set of tasks each user and each hardware or software item is assigned
to do.
As with a domain, users have different roles within the enterprise. The logon
determines the roles to which each user is assigned, within that domain. There are
requirements for each role that must be fulfilled in order to be authenticated for the
role (not just enter a username and password). These requirements might be the
selected domain, user name, group membership or positive compliance check, and
so on.
26
HOB RD VPN
Once authenticated for the role, having therefore fulfilled the requirements, the user
is authorized to carry out certain pre-assigned functions using the resources within
the system.
Features that can be assigned to the roles include:

List of portlets that each user can access

Access to list of servers, referred to as the server list that each user can access

Selection of a target filter

Session timing limits before an automatic log out

GUI scheme display, background color, title banner, etc.

Other settings such as browser-caching etc.
Each user has a role, and specified under this role are their permissions and
capabilities within the system. These can be configured through the User Roles
configuration dialog, (part of the HOB WebSecureProxy configuration) shown here:
Figure 6: HOB WSP Administration User Roles – Normal User
In the main menu bar at the top of this screen you have the following menu options:

File – this menu item contains the following commands:
Save
click to save the current setting to the configuration storage. Changes
are automatically replicated to all cluster members without a restart
required. However, it may take some minutes before the new configuration becomes active. View the WSP log for information on when
the configuration has been reloaded.
click to import a configuration file in XML format from your file system
Import into this configuration storage. You would normally do this to reload a
backup of the configuration file
27
Save
HOB RD VPN
click to save the current setting to the configuration storage. Changes
are automatically replicated to all cluster members without a restart
required. However, it may take some minutes before the new configuration becomes active. View the WSP log for information on when
the configuration has been reloaded.
click to determine where HOB RD VPN is to store this current configExport uration, as an XML file, and assign a specific name to it. This is normally done to back up the current configuration for safety reasons
Exit
click to shut down this interface, without saving any changes that you
have made here
If there is a need to change the configuration manually, you need to take
extreme care with any changes that are made as an error in the
configuration could result in HOB RD VPN not starting at all anymore.
Make changes manually only under the assistance of HOB software
support.

Info – this menu item contains the following command:
About
click this to display a popup containing the name and current version
number of the software release you are using
For more information on the information and fields shown on this screen, please see
Chapter 8 Roles and Users.
Role Priority
Users can have several roles assigned to them. Roles are prioritized (from 1 to 100,
with 100 having the highest priority) so that when a user logs in, HOB RD VPN tries
to assign the highest role to the user. If it cannot assign the role with the highest
priority to the user (for example because of a failed compliance check), then it
moves to the role with the next highest priority.
2.7
Global Administrator vs. Domain Administrator
A clear distinction must be made between the administrator of the complete system
where HOB RD VPN is installed (this is the global administrator) and an
administrator who has rights to administer only one domain (the domain
administrator).
2.7.1 Global Administrator
During installation you have to create a global administrator. This global
administrator has full access rights to the whole HOB RD VPN installation. After
installation additional global administrators can be added.
Global administrators are the only users that can administer and configure
HOB RD VPN itself.
After installation:
28
HOB RD VPN



Global administrators are the only users that can log on to the global
administration interface. The Global Administration interface is accessed
through a browser and entering https://rdvpn.example.com:10000 in the
address field.
Global administrators can configure all resources and users in the complete
system (dc=internal,dc=root) as well as users in the default domain
(dc=hobsoft,dc=root).
Global administrators cannot log on to the HOB RD VPN User Portal.
2.7.2 Domain Administrator
A domain administrator cannot set the configuration of the HOB RD VPN
installation.
The domain administrator can configure user settings within their own domain. If
you are using the tenant functionality the global administrator can delegate the user
configuration to the domain administrators within the domains.
After installation:



2.8
Domain administrators can configure users in the default domain
(dc=hobsoft,dc=root).
Domain administrators can logon to the HOB RD VPN portal and access the
administration portlet, referred to as User Configuration on the HOB RD VPN
Navigation screen.
Domain administrators cannot logon to the global administration interface.
HOB WebSecureProxy
The HOB WebSecureProxy (HOB WSP) is the integrated server component of
HOB RD VPN. It is the central collection point for queries coming over the Internet
from clients such as HOBLink J-Term or HOBLink JWT and is installed as part of
the HOB RD VPN installation process. The HOB WSP is located in the DMZ to
protect your servers effectively from direct access over the Internet and to forward
the queries to the target server.
Authentication is performed over a browser with an SSL / HTTPS connection to the
HOB WSP. This means that the authentication process itself is encrypted and
secure. HOB WSP also has an integrated OCSP (Online Certificate Status
Protocol) interface enabling client SSL certificates to be inspected for validity.
The HOB WSP ensures the security of access is implemented taking the following
criteria into account:

Confidentiality – the data cannot be read by anyone who is unauthorized

Integrity – the data cannot be manipulated by anyone who is unauthorized

Authenticity – before any exchange of data, each participant in the exchange
must prove their identity during logon
All communication between the HOB WSP and the client is SSL encrypted, while
internally the HOB WSP communicates to the server side without encryption. Data
traffic takes place over the configurable port 443, which is enabled as default in
29
HOB RD VPN
most firewalls. A connection to the HOB WSP automatically redirects port 80 to port
443 (these are the default ports, other ports may be chosen if you wish).
Where your system consists of multiple HOB WSP servers in a cluster, these can
be plugged and unplugged into the cluster according to your needs. All internal data
is distributed across the cluster with load balancing, so that when a client logs on to
any HOB WSP in the network, they are automatically registered to all network
HOB WSPs, and none are overloaded.
The HOB WebSecureProxy should be installed on a separate machine that does
not allow direct access to the machine for unprivileged users and that does not host
any productive relevant services such as database servers or alternative web
servers (in addition to the integrated server components of the HOB WSP).
The logical access to this machine is restricted to authorized administrators.
2.9
HOB RD VPN Computer Cluster
A computer cluster is a group of linked computers, working together closely to
effectively form a single server. In HOB RD VPN, the cluster members (commonly
called nodes) are connected to each other through your local area network, and
generally have a higher performance and availability than a single computer.
Advantages of the HOB RD VPN Computer Cluster
The following are some of the advantages that accrue through the employment of
a computer cluster:




All nodes are members with equal status, so a cluster is reliable because there
are no state switches (active/passive, master/slave)
No additional hardware is required
A cluster is easy to deploy, only the DNS records and HOB RD VPN require
configuration
A Geo-cluster is possible, where the linked computers need not be in the same
geographical location

Very fail-safe

Easy to add and remove cluster members

Very efficient load balancing

Small overhead for synchronization

Uses high availability mechanisms that are integrated in the browser itself
You can set up a high availability cluster within your network to improve the
availability of services that the cluster provides. This operates by having redundant
nodes on standby to provide the service if other system components fail. The most
common size for a high availability cluster is two nodes, as this is the minimum node
requirement to provide redundancy.
Load balancing is the distribution of the computer workload over selected
computers in your cluster that are configured to function as a single virtual
computer. Requests from the user are managed and distributed among all of the
30
HOB RD VPN
computers within the cluster. This allows you to balance your computational work
among different machines, thus improving the performance of the cluster systems.
With HOB RD VPN the advantages obtained from clustering are gained by
implementing several servers to act together as the HOB WebSecureProxy,
avoiding the problem of having a single-point-of-failure for the central component.
31
32
HOB RD VPN
HOB RD VPN
3
HOB RD VPN is designed to be installed in the DMZ (De-Militarized Zone – the area
between the Internet firewall and the firewall protecting your internal network). It can
also be deployed in a number of different configurations to take account of the
differing infrastructures. The most common deployments are described here.
3.1
Default Deployment Configuration
HOB RD VPN has a default deployment that is described in the illustration below:
Figure 1: Default Deployment Configuration Scenario
Clients connect over the Internet to HOB RD VPN using a secure SSL encrypted
connection (typically a browser-based HTTPS connection), with HOB RD VPN
acting as a gateway for this connection. Once this (external) connection has been
established, one or more internal connections are also created. This then gives the
client the possibility to reach their configured targets (for example Windows Remote
Desktop Services or HOB Web File Access).
You must deploy a server inside the DMZ where HOB RD VPN can be installed.
Additionally you need to have two ports configured for communication with a client
machine, which can be located outside your network. One port is used for the
connections from the clients over the Internet, also referred to as the user portal,
and is by default port number 443. This port is used as standard for all HTTPS
connections as it handles the SSL encryption protocol. The second port is used for
the administration interface to manage the connections between the machines in
your computer cluster and is the default port number 10000, which also only
accepts SSL connections.
This server cannot have any other connections on the network ports 389,
4444, 8080 and 8989, please see Section 4.2 Prerequisites for Installation
– Single Node and Cluster for more information on this topic.
For the default scenario illustrated above you need to allow connections on port 443
from the Internet to the server where HOB RD VPN is installed. You also need to
33
HOB RD VPN
allow connections from the HOB RD VPN server to the targets inside your private
network.
3.2
Cluster Deployment Configuration
A cluster consists of a collection of interconnected computers used to create a
common resource pool of servers for the computing needs of your enterprise. To
set up a cluster, install more than one HOB RD VPN server in the DMZ between the
Internet and the internal network. The HOB RD VPN Cluster feature supports both
High Availability (HA) and Load Balancing.
Figure 2: Example Cluster Deployment Configuration Scenario
For this deployment you will need two official IP addresses for each cluster member
or node:


An address for the initial connection to other machines within the cluster (the primary connection). This interface is also used for load balancing between the
HOB RD VPN cluster members
An address for the user portal (the secondary connection). This is the address
that the users will work with after the initial connection.
The external DNS server must also be configured accordingly to this scenario.
34
HOB RD VPN
Example of IP Address assignments:
Cluster
Node
Cluster DNS Name
Cluster IP Cluster Node DNS
Address name
User
Portal IP
Address
cluster
node 1
rdvpn.example.com
1.1.10.1 rdvpn1.example.com 1.1.10.2
cluster
node 2
rdvpn.example.com
cluster
node 3
rdvpn.example.com
Table 1: Example Cluster Deployment IP Address Configuration
For best practice, at least three network interfaces should be configured: a
user portal, a cluster connection and a synchronization connection. An
administration connection can also be created (this administration
connection may also be published in the internet, if necessary, but only if it
abides by the security conventions of your company).
For the synchronization of the data, either of the two IP addresses of each node or
another address that you set aside for this purpose can be used to synchronize the
state of the HOB RD VPN nodes to each other.
Following the example cluster deployment above, the cluster uses the URL
rdvpn.example.com as its location, and this URL points to the three cluster
member IP addresses 1.1.10.1, 1.1.20.1 and 1.1.30.1.
Figure 3: Example Cluster Deployment Configuration Scenario
In Figure 3 it can be seen how the components of a cluster interact with one another
(three cluster components are shown for clarity). The user wishes to access the
35
HOB RD VPN
computer cluster over the internet using the address rdvpn.example.com. This
address connects to the servers present in the cluster, rdvpn1.example.com,
rdvpn2.example.com and rdvpn3.example.com, all of which are located in
the DMZ. The computer rdvpn1.example.com can be accessed through the
cluster and also directly over the user portal from the internet using
rdvpn1.example.com as the address. There must also be a direct connection
between each member of the cluster for synchronization purposes. This connection
can use either the IP address of the cluster members or an IP address set aside for
this purpose.
The following table shows this external example DNS configuration:
DNS Entry
IP Address Entry
rdvpn.example.com
1.1.10.1, 1.1.20.1, 1.1.30.1
rdvpn1.example.com
1.1.10.2
rdvpn2.example.com
1.1.20.2
rdvpn3.example.com
1.1.30.2
Table 2: Example Cluster Deployment IP Address Configuration
The process is as follows:
1.
The client connects to e.g. rdvpn.example.com and receives a configured
IP address for each node in the cluster. The client receives these configured IP
addresses (e.g. 1.1.10.1, 1.1.20.1, 1.1.30.1) in a specific order as set
by the DNS server, generally on a round robin basis.
2.
HOB RD VPN now connects the client to the first of these IP addresses. If this
system is unavailable, then the second IP address is tried, and so on until a
connection is made. Only in the exceptional circumstance of no IP address
being available, or no response being obtained, will the connection fail.
3.
When a connection is successful, the HOB RD VPN cluster node redirects this
client to the second IP address of that node. Using as an example the entries
in Table 1 above, if the first cluster node is unavailable but the second
responds, then the connection is made from: rdvpn.example.com with an IP
of 1.1.20.1, which then redirects to rdvpn2.example.com and an IP of
1.1.20.2, where the work is done.
4.
This is the IP address that the client can now use for all following requests.
The format of the names used for the cluster is optional, depending on the
requirements of the system in use. For example, according to the
conventions of your company, cluster1.example.com could point to:
cl1.hobrdvpn.example.com, member1.example.com or
another.hobrdvpn.example.com.
36
HOB RD VPN
4
This section outlines the requirements necessary before HOB RD VPN blue edition
can be installed, and also the installation process itself.
4.1
System Requirements for Installation
HOB RD VPN blue edition is available for the following platforms:

Microsoft Windows (x86, EM64T)

Linux (x86, EM64T)
It is the responsibility of the server administrator to ensure that the
operating system in use is adequately configured and updated with the
latest patches and releases to the most efficient operation, and to minimize
the risks from exploitation or attacks from external sources.
4.1.1 Installation on the Server Side
Under Windows:
To correctly install HOB RD VPN on a Windows system, the following are required:



An Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing
speed
At least 512 MB of available RAM
Up to 800 MB of non-volatile hard disk storage space (this value is for a typical
installation and depends on the operating system in use)
Under Linux:
To correctly install HOB RD VPN on a Linux system, the following are required:
For the HOB WebSecureProxy (gateway):

speed

1 GB of RAM available

450 – 800 MB of non-volatile storage space
Required software:

SuSE Linux Enterprise Server 11 on Intel EM64T – required for the HOB WSP
The Web Secure Proxy is not Java software and does therefore not require
a JVM.
37
HOB RD VPN
You must ensure that all access to sensitive files or security critical data is
monitored or prohibited at all times to maintain the security levels assured
by Common Criteria.
A Common Criteria conformant server installation requires the Linux
operating system installed with SLES 11 Patch Level 2 and Kernel 3.x.x,
and the processes rngd or haveged must be deactivated.
Also, logging must be activated and the logfiles must be saved in the
logfiles directory, see Section 30.8 Achieving Trustworthy Encryption on
page 389.
4.1.2 Requirements on the Client Side:
HOB RD VPN blue edition is designed to be used with different client operating
systems that have a Java 1.6 or newer enabled browser (it is possible to use Java
1.5 but this is not recommended).
This is the ONLY software requirement on the client side under Windows, Linux or
Mac.
In a Common Criteria evaluated environment you must ensure that the
browser on the client machine to be used can support TLS protocol 1.1
and/or 1.2. These are the only protocols that can be used.
4.2
Prerequisites for Installation – Single Node and Cluster
The following prerequisites are required to install HOB RD VPN blue edition on your
network system:
4.2.1 Preparing the Base Operating System

The operating system has to have the latest available security patches applied.

The internal/external Firewalls have to be properly configured.

The DNS system must also be configured for HOB RD VPN.

As HOB RD VPN needs certain ports to be open for communication with the connecting clients, you must ensure that these are not currently also in use on the
target operating system.
For a server installation that conforms to Common Criteria server
requirements, all other ports are kept closed.
38
HOB RD VPN
The following table lists the internal ports that must be configured for inter-process
communication between the components of HOB RD VPN.
Port
Environment
Function
Note
10000
Network
Administration access to
Intranet
Connection to the
administration portal. The
port is configurable during
installation
443
Internet
User Portal
Clients from the internet
connect from this port. The
port is configurable during
installation.
80
Internet
HTTP Redirector
If clients from the internet
connect to this port, they will
be redirected to the secure
internet access port, and
SSL will be used.
4444
Network
Synchronization with
integrated database
Synchronization with the
integrated directory service.
Required for cluster
installations.
8989
Network
Synchronization with
integrated database
Synchronization with the
integrated directory service.
Required for cluster
installations.
389
Internal
Integrated directory service This port allows
communication with the
integrated directory service
over TCP.
8080
Internal
Web File Access
Inter-process
communication for Web File
Access.
Table 1: External and Internal Port Configuration



Ports labelled as Network are accessible over the company network.
Ports labelled as Internet are accessible from the company network and should
be opened in the firewall for access from the Internet.
Ports labelled as Internal are accessible only from within the HOB RD VPN
server network.
For cluster installations, the Integrated Directory Service must run on the
default port 389 for ALL cluster members.
39
4.3
HOB RD VPN
Starting the HOB RD VPN Installer – Single Node and
Cluster
The installation of HOB RD VPN is a very straightforward process that has been
designed to be as simple as possible. The same installation process is followed for
both Microsoft Windows and for Linux, where if there are any differences in the
installation process depending on the operating system then these are specified at
the relevant steps. It is possible to install:

A standalone deployment of HOB RD VPN (single installation) or the first node
of a Cluster Installation
Or:

1.
An additional cluster member installation. If this is your desired deployment installation, please see 4.5 HOB RD VPN Installation – New Cluster Member.
If installing from a CD/DVD, insert the HOB RD VPN DVD into the DVD-ROM
drive.
The HOB RD VPN start page opens in the browser. If the DVD start image does not
automatically appear then open the file start.htm (under both Windows and
Linux operating systems) in the root directory of the DVD. Click Download Installer
for your operating system.
2.
Start the installer and follow the instructions onscreen.
Only a system administrator or a user with full administrative rights on this
computer can install this product.
The first steps of the installation are the same regardless of whether you are
installing a single instance of HOB RD VPN or installing a cluster deployment.
40
HOB RD VPN
4.4
HOB RD VPN Installation – First Node and Cluster
Once the installer is running you simply follow the instructions on each screen, then
click either Next to proceed to the next screen, Previous to return to the previous
screen, or Cancel to end the installation process. These buttons are standard and
are found on all screens of the installation process.
Figure 1: Select Installation Directory
1.
2.
Here you determine the installation directory where the HOB RD VPN
installation is to be installed on your system. It is safe to use the default setting
here but you should install it according to the conventions of your system. By
default it will be installed:

On a Windows system in: C:\Program Files\HOB\rdvpn

On a Linux system in: /opt/HOB/rdvpn
Once this information has been entered, click Next.
41
HOB RD VPN
Figure 2: Select TUN Driver Installation
3.
On this screen you select to install the HOB TUN Driver. This software
component is necessary for the SSL Identifier and the HOB PPP Tunnel to
function. Due to the advantages brought by the HOB PPP Tunnel and by the
SSL Identifier, it is strongly recommended you install the HOB TUN Driver even
though it is still in the experimental phase. For more information on this subject,
please see 4.5 HOB RD VPN Installation – New Cluster Member.
The HOB TUN Driver is a component that is only installed on a Windows
operating system - this screen can be ignored for all non-Windows
installations, as a TUN driver is already installed on Linux systems.
42
HOB RD VPN
Figure 3: Choose Installation Type
4.
If this is the installation of the first machine for the company network or for a
standalone network, then on this screen select the first option, Single
Installation or first node for a Cluster Installation. If this installation is to add
a second or subsequent machine to an existing cluster, the select Additional
Node for a Cluster Installation. Click Next once the selection has been made.
If a standalone or single node installation is already deployed, it can be
upgraded at any time to a cluster configuration. In this case, simply run the
installation program again and when this step is reached, click Additional
Node for a Cluster Installation to add another node to the installation,
creating a cluster. See 4.5 HOB RD VPN Installation – New Cluster
Member on how to install further nodes for the cluster.
5.
The HOB RD VPN installer now checks the availability of the required ports.
Depending on the operating system and the settings, a warning may be
received at this point in the installation from the firewall.
43
HOB RD VPN
Figure 4: Host Name and Port Security Warning
This warning can take the following form for a Windows installation (as
seen in Figure 4), warnings for other systems such as Linux appear
differently or may not have a warning at this stage:
6.
Select the networks where you wish access to be allowed and click Allow
access to let the installer perform these checks.
Figure 5: Enter Default Host Name and Port Numbers
7.
44
In this screen the full qualified Hostname and Port numbers of the connection
that is to be used for Administration Access, and where the HOB RD VPN
installation accesses the internal network are top be specified. In this example
HOB RD VPN
rdvpn.example.com is used, and the port number 10000 is entered by default.
The information entered here is used for administration and configuration
tasks.
To continue the installation and to achieve conformity with Common
Criteria standards, this field must be filled with a dummy entry (for example
x.x.x) and must not contain a valid server hostname (see Chapter 30
HOB RD VPN Evaluated for Common Criteria for more information), as
follows:
8.
Specific port numbers for access to the internal database and for access to
HOB Web File Access can also be entered here, or default port numbers may
be used.
9.
A green check mark appears when these details have been correctly entered.
The other details on the screen are completed automatically. Click Next when
this information has been entered.
Keep in mind that this qualified hostname may differ from the name by
which the system is accessible from the internal network.
Figure 6: Define Target System – RDP Targets
10. In the Define Target Systems dialog valid connections for RDP enabled
systems can be created. These connections are created immediately after
45
HOB RD VPN
installation for the Hobsoft domain (the default domain configured by the
HOB RD VPN installation) and the users created for this domain.
To achieve conformity with Common Criteria standards these fields must
not contain valid entries for RDP targets or legacy targets and must remain
empty, see Chapter 30 HOB RD VPN Evaluated for Common Criteria for
more information.
Figure 7: Define Target System – Legacy Targets
11. In the Define Target Systems - Legacy Targets dialog, connections for the
legacy protocols TN 3270, TN 5250 (for both protocols an additional license
must be purchased) and VT Telnet (no additional license required) can be
created.
46
HOB RD VPN
Figure 8: Global Administrator Setup
12. In Figure 8 a Global Administrator must be created. The global administrator
has full administration rights for the whole HOB RD VPN installation and full
access to all HOB RD VPN related tasks.
Figure 9: User Account Setup
13. In this screen you can add up to three HOB RD VPN users. These users enable
you to access HOB RD VPN immediately after installation. You can choose
different roles for these users from the dropdown box, whether Domain
Administrator, Power User or User (you may of course assign other roles and
47
HOB RD VPN
role names according to the conventions of your company once the installation
is completed).
The configurations that conform to Common Criteria can contain only one
entry with the role Domain Administrator or Power User. An entry with
the role of User should not be entered here.
Domain administrators set up at this stage of the install process have
rights to administer only the default domain, which has been given the
name Hobsoft by default. After installation you can add additional users
to this Hobsoft domain (all global and domain administrators can do
this).
14. In the next screen, Figure 10, a certificate of identification is created. This
certificate is used to establish the validity of the installation on the client. The
default period of validity is 1 year, to change this select the required duration
from the dropdown box. Complete the fields on this screen and click Next.
New certificates, necessary if the current certificates have expired, can be
created in the Certificates feature of HOB RD VPN Administration, see
6.2.9 Global Administration Screen – Certificates.
To achieve conformity with Common Criteria standards these fields must
be filled with dummy values. Certificates created here must not be used for
a Common Criteria evaluated configuration, as this configuration requires
separate certificates created through the process as described in Chapter
30 HOB RD VPN Evaluated for Common Criteria for more information.
Figure 10: Create Certificate
48
HOB RD VPN
The installer software when combined with the underlying tool that creates
the certificate (as shown in the dialog above) has certain limitations. These
limitations restrict the characters that are entered into these dialog fields to
the 7-bit ASCII character set. Otherwise the data that is entered may be
misinterpreted and in particular the password may be changed. This could
mean that when using the HOBLink Security Manager, the password that
was originally entered in the dialog above may not open the HOBLink
Security Units created during this installation by the certificate tool. See
33.1 Adding Certificates and HOBLink Security Units to the HOB WSP in
this document and the HOBLink Secure and HOBLink Security Manager
Administration Guide for more information.
15. Once all the settings are configured the screen (see Figure 11) summarizing
the data required for the installation is shown. Shown below is the screen for a
Microsoft Windows installation.
Figure 11: Installation Summary for Windows
16. If everything is in order, click Install to proceed with the HOB RD VPN
installation and the Register HOB RD VPN dialog is displayed.
49
HOB RD VPN
Figure 12: Register HOB RD VPN
17. In the Product key field you have to enter a valid product key to register this
installation of HOB RD VPN. This key can be found in the HOB Software
License document that is delivered along with the product CD. Alternatively, if
purchased online, it can be found in the e-mail received once payment has
been confirmed.
18. If there is no key available you can choose to test the installation by clicking the
Evaluation Version button. This creates a temporary license file that is valid
for 30 days. The time remaining in the evaluation period is displayed each time
you log in. Once this expires, you must enter a valid product key to continue
using the software.
19. Click OK to close this dialog box and finish the installation process.
Figure 13: Installation Complete
20. Once the installation is complete you can close the installer by clicking Done.
To check if the installation was successful, please read Section 4.7 Testing the
Installation.
50
HOB RD VPN
To install the individual components, and to set up the configuration of these
individual components, please see their corresponding chapters in this
administration guide.
4.5
HOB RD VPN Installation – New Cluster Member
To install a cluster deployment in your system you need one installation of
HOB RD VPN to hold the base settings. You can use a new server installation with
an empty configuration or use a server that is already installed and use an already
configured system.
If you are installing a new cluster installation then you must first install the base
node of the cluster. See 4.4 HOB RD VPN Installation – First Node and Cluster.
Make sure that your base installation for your cluster installation and your new
cluster member are configured with the required different IP addresses and ports.
See Figure 1 in Section 4.2.1 Preparing the Base Operating System on page 38 and
make sure that the ports marked as external are accessible for all cluster members.
If you already have a base node for your HOB RD VPN installation you can proceed
with the following steps for the second and subsequent nodes.
4.5.1 Base Configuration for a Cluster
1.
To set up the base configuration for a cluster, use the installed first node (where
HOB RD VPN has been installed) to logon to HOB RD VPN via a browser
using the following URL: https://rdvpn.example.com:10000.
2.
This opens the HOB RD VPN Logon screen for HOB RD VPN blue edition,
where you enter your username and password as the global administrator.
Figure 14: HOB RD VPN Logon
The HOB RD VPN Administration Portal opens once you successfully logon.
51
HOB RD VPN
Figure 15: HOB RD VPN Administration Portal
3.
Here you select the link EA Admin on the left to start the HOB RD VPN
Administration configuration program and select the desired resource in the
database, which in this case is the HOB RD VPN central component, the
HOB WebSecureProxy. The HOB WebSecureProxy is found under the path
dc=root,dc=internal,ou=servers in the organization hierarchy.
4.
Select this element from the organization hierarchy on the left side, and then
select the WebSecureProxy element that is displayed in the panel on the right.
Figure 16: HOB RD VPN Administration
5.
52
Now use the arrow on the dropdown box on the right to select HOB RD VPN
2.1 > WebSecureProxy blue, and then click the Configure button, as shown
above.
HOB RD VPN
6.
This opens the HOB WebSecureProxy Configuration screen. Select the
element WSP Servers from the organization hierarchy in the panel on the left
and the following screen is displayed.
Figure 17: HOB WSP Configuration - Servers
7.
On this opening tab select WSP Server(1) > Main Connection to set up the
connection for your users to the HOB WSP and you see the following:
Figure 18: WSP Main Connection Properties
8.
In the Properties tab on this screen the User portal network interface is
entered in the first field. This user portal is the connection created by the users
to access HOB RD VPN; it is also referred to as the Navigation Screen. The
53
HOB RD VPN
HTTP port and HTTPS port numbers to be used for the connections must also
be entered in the relevant fields on this screen. See 3.2 Cluster Deployment
Configuration for more detail on the data to be entered here.
9.
Now go to WSP Server(1) and enter the required network interface information
(the IP address for the network interface and the alias) in the Network
Interfaces tab. Use the Add button to bring up the dialog to enter this
information, and then Add & Close to add this information to the network
interfaces table.
Figure 19: Network Interfaces
10. You also need to enter the network interface information for the HOB RD VPN
administration access in the Administration Access tab. Keep in mind that the
user portal and administration access must use different IP addresses, while
the network interface could use one of these two or a third unique address.
54
HOB RD VPN
Figure 20: Administration Access
11. Once this information has been entered, you can now start to enter the relevant
domain information by selecting the links under your Main Connection.
12. To add a second node to the configuration and thereby creating a cluster, you
need to select WSP Servers and click Add at the bottom of the hierarchy tree.
A second WSP Server object appears, with a similar tree structure to that
already configured. However, the opening screen for the additional WSP server
(WSP Server (2)) has a different layout, see below.
Figure 21: Additional WSP Server Configuration
55
HOB RD VPN
When adding a second WSP server, a new element appears in the tree
structure, the Primary Connection. This is the connection used for one
WSP server to connect to another, and is only present when more than one
WSP server is configured in the network. The Main Connection is the
standard connection that handles the traffic within the network.
13. Now that the Network Interfaces have been entered, this information needs to
synchronize with the rest of the cluster objects. Select the Cluster
Synchronization tab.
Figure 22: Additional WSP Server Configuration – Cluster Synchronization
14. Here you need to enter the Network Interface for this machine, the Port
through which it connects to the system (in this case 13290), and the
acceptable Timeout and Timeout Receive (in milliseconds) for any
connection. By default this is 1000, you may change this as desired.
15. The standard port for all HTTPS connections is 443. If you wish to configure
another port for the cluster access information you may enter the new port
number here.
16. The cluster synchronization steps must be performed with the same settings for
all cluster members.
4.5.2 Installing Cluster Members
The network system has been configured to accept new additions to the computer
cluster, so these now need to be installed. The installation of a HOB RD VPN
cluster is a very straightforward process that has been designed to be as simple as
possible. Follow these instructions for each server.
1.
56
Start the HOB RD VPN installer, as shown in 4.4 HOB RD VPN Installation –
First Node and Cluster. Installation up to this point is identical as that for a
HOB RD VPN
single node installation. From this stage of the installation process the
installation is specifically for a cluster node installation only.
Figure 23: Select Installation Type
2.
Select Additional node for a Cluster Installation to start the installation of a
new cluster member.
Figure 24: Cluster Installation
3.
Click Next to start the installation process. After installation of the new cluster
node, the installer needs some additional information to enable the
synchronization and to synchronize the data with the already installed cluster
node.
57
HOB RD VPN
Figure 25: Cluster Global Administrator Data
4.
Here you enter the settings of the already installed cluster member. The new
cluster member must be able to access this system over the network, to enable
synchronization and to synchronize the data. If more than one cluster member
is already installed, you can select any of these to be the master node – this
node is then used for the replication of the configuration data. Synchronization
of the cluster retrieves the data of all cluster nodes and shares this to all
members.
5.
Enter the Hostname or the IP address of this master cluster member and enter
the credentials of the global administrator. Click Next for the installation to
authenticate these credentials.
6.
If everything is in order, Figure 26 is displayed where you enter and confirm
your cluster connection password for the installation of a cluster member or
members. This is a freely selectable password to be used for the
synchronization of your whole cluster. If you already have a working cluster you
must choose the password that you are already using for the cluster.
Make sure you remember this password!
58
HOB RD VPN
Figure 26: Enter Cluster Password
7.
Once your password is successfully confirmed, click Next for the installer to
perform the synchronization. This may take some time, depending of the size
of your integrated directory service. Once this is completed the Register
HOB RD VPN dialog is displayed.
Figure 27: Register HOB RD VPN
8.
In the Product key field you have to enter a valid product key to register this
edition of HOB RD VPN. The key can be found in the document HOB Software
License delivered along with the product CD or, if purchased online, in the email received once payment has been confirmed.
9.
Alternatively you can choose to test it by clicking Evaluation Version. This will
create a temporary license file that will be valid for 30 days. The time remaining
in the evaluation period is displayed each time you log in. Once this has
expired, you must enter a valid product key to continue using the software.
The installation is now ready and you can successfully use the cluster installation.
59
4.6
HOB RD VPN
Customizing HOB RD VPN User Pages
The HOB RD VPN user pages (the login or logout pages, for example) can be
customized. Among the possible changes you can make are that you can integrate
your own logo and your own banner, or you can adapt the text used onscreen to
those of your choice or company policy.
4.6.1 Changing the GUI Schema
The schema for the user pages are written as .xml files and are stored in a number
of different locations within the installation directory (INSTALLDIR) of HOB RD VPN.
Use these schemes to set the text and design of the user pages as you wish them
to be seen by your users (a standard level of experience is required to edit the
formatting of these .xml files).
Any new schema created for the GUIs are to be stored in the following folder:
INSTALLDIR/www/public/skins.
To change the scheme currently being used for your GUI, you need to open the
HOB WebSecureProxy configuration and select the role whose display is to be
changed. Now select the Privileges tab and you will see the following dialog:
Figure 28: HOB WSP – Role Settings – Properties
Select from the GUI scheme dropdown list the schema that you wish to apply to
your interface, as shown in the above dialog.
To add new GUI schemes to the list shown in the dropdown box in this
dialog, create the scheme in .xml format and add it to: INSTALLDIR/www/
public/lib/hob/rdvpn/configuration/defaults/skins.xml.
This dropdown list already contains the following default GUI schema:

60
Default – this is the default setting, where the HOB RD VPN banner is displayed
HOB RD VPN


Maroon – here the text on the login and logout screens are displayed in a maroon font.
Green – here the text on the login and logout screens are displayed in a green
font as shown in this screenshot:
Figure 29: HOB RD VPN Navigation Screen with Text in Green Font


Blue – here the text on the login and logout screens are displayed in a blue font.
No Banner – with this setting the dialog is displayed without any banner, as
shown here:
Figure 30: HOB RD VPN Navigation Screen Without a Banner
61
HOB RD VPN
Save the file and close it. Logout and login again, and you will see that the GUI
scheme has changed.
4.6.2 Replacing the Banner
The screenshot below shows the banner on the login screen in the web browser. To
change this, you need to replace the banner file in HOB RD VPN with your own
chosen banner file. Once you have replaced the HOB RD VPN banner with your
own, this becomes the banner selected as Default.
Figure 31: HOB RD VPN Login Showing the HOB RD VPN Banner
The banner file (banner_rdvpn.jpg) is stored in the following directory:
INSTALLDIR\www\public\skins\$SKINNAME$\img.
Replace this files with a .jpg file of your choice (the .jpg file must have a size of 871
x 98 pixels). Save the configuration (with Default selected in the Privileges tab of
the role settings, as described above) and logout from HOB RD VPN. On your next
login, the banner will have changed.
4.6.3 Replacing the Text “HOB RemoteDesktop VPN” on the Login Page
To change the text appearing on the HOB RD VPN login screen (shown here
without the web browser), perform the following steps:
Figure 32: HOB RD VPN Login
62
HOB RD VPN
The text contained in the HOB RD VPN login
(INSTALLDIR\www\public\login.hsl) and the HOB RD VPN logout screen
(INSTALLDIR\www\public\logout.hsl) is generated through a reference to a
resources file. To change the text, only this resource file needs changing.
The following steps are necessary to make this change (in this example the text
“HOB RemoteDesktop VPN”):
1.
Open the login.hsl file in Notepad (or any similar text editor) to identify the
reference on the page you want to edit. In this file you can find the name of the
product under <xsl:value-of select=”lang/products/rdvpn”/>, and this
is the reference to the text you want to edit.
2.
For safety, create a backup copy of the file:
INSTALLDIR\wsp\plugins\web_server\res.xml.
3.
Now open this file in the text editor and locate the reference lang/products/
rdvpn (here lang is used for the display language, currently English or
German). To change the entry in English, look for the node <en>, underneath
which is the node <products>, underneath which is the node <rdvpn>. This
node contains the entry HOB RemoteDesktop VPN, which you can now edit.
To change the German text, locate the node <de> and then follow the same
path with the nodes <products> and <rdvpn>.
To make the changes effective, you need to restart HOB RD VPN.
This method is also used to edit the HOB RD VPN navigation screen,
which is located under INSTALLDIR\www\protected\welcome.hsl.
4.6.4 Replacing the Text on the Logout Page
To change the text appearing on the HOB RD VPN Logout screen (shown here),
perform the following steps:
Figure 33: HOB RD VPN Logout
1.
Open the logout.hsl file in a text editor and locate the reference for the text
to be changed.
2.
Create a backup copy of the file:
INSTALLDIR\wsp\plugins\web_server\res.xml.
3.
Open this file in the editor and locate the reference lang/products/rdvpn.
Locate the node <products>, underneath which is the node <rdvpn>. This
node contains the text that you can now edit.
To make the changes effective, you need to restart HOB RD VPN.
63
4.7
HOB RD VPN
Testing the Installation
To test whether the installation has been successful, perform the following steps:
4.7.1 Testing as a Domain Administrator or User
Once the installation is done the installation can be tested by pointing the browser
to the HOB RD VPN URL (in this example this is: https://rdvpn.example.com).
The HOB RD VPN Logon screen appears. Now logon as a domain administrator,
power user or user with any valid domain username and password created during
the installation. The RDP connections can also be tested with the respective link on
the HOB RD VPN navigation screen.
Figure 34: HOB RD VPN Logon
If the logon is successful for any of the pre-configured roles of domain administrator,
power user or user, the following HOB RD VPN navigation screen appears:
Figure 35: HOB RD VPN Navigation
64
HOB RD VPN
This screen shows that user1 (this user name is shown above the title banner) is
currently logged in as Domain Administrator, so this has been a successful
installation.
Global Administrator logon credentials cannot be used to test in this case.
4.7.2 Testing as the Global Administrator
To test the administration features you should point your browser to the
administration interface URL created during installation. In our example this is:
https://rdvpn.example.com:10000.
In the Logon screen that appears (see Table 34 on page 64) enter your username
and password as Global Administrator. The following screen appears:
Figure 36: HOB RD VPN Administration Access
You can now use the links on this screen to access the administration interface for
testing.
4.7.3 Uninstallation
HOB RD VPN can be uninstalled via the Windows operating system uninstallation
function.

Click Start > Control Panel > Software > HOB RD VPN > Change/Remove
and then click Uninstall.
To uninstall HOB RD VPN on a Linux operating system:

Go to the folder INSTALLDIR\Uninstall HOB RD VPN and execute Uninstall
HOB RD VPN
After carrying out the step above, you may have to restart your system to complete
the uninstallation.
65
66
HOB RD VPN
HOB RD VPN
5
HOB RD VPN can be accessed immediately after installation by pointing your
browser to the HOB RD VPN URL (in our example this is: https://
rdvpn.example.com).
You can also use the HTTP URL http://rdvpn.example.com, which redirects
your browser to a secure https connection, https://rdvpn.example.com.
You can log on to the HOB RD VPN Navigation screen with the users you have
created during installation, but not with the Global Administrator created during
installation.
Depending on the role that is assigned to the user when their settings are
configured, different portlets (links to different functionalities) will be available to
them after a successful logon.
Here you can see the navigation screen for the user user2, after a successful logon
with the power user role (this information is shown above the banner). Depending
on the user configuration set up during installation, this user can successfully
connect to RDP targets, legacy protocol targets, use Web-based applications and
Intranet services. The user can also access Microsoft Windows shares by using
HOB Web File Access, and modify their User Settings.
67
5.1
HOB RD VPN
Portlets
Portlets are essentially bookmarks to the features and applications within
HOB RD VPN. They greatly speed up the access and usability of these features.
Instead of new websites being created to access these applications, portlets can be
configured by the administrator or by the users themselves (for example for
organization, ease of use and desired appearance). Portlets are completely
configurable and customizable to suit the requirements of your company and your
users.
The following table lists the possible portlets, the required HOB component for that
portlet, and the functionality that the portlet provides.
Portlet
Component/Application
Functionality
User Configuration
HOB EA Administration
Perform administrative tasks
Access to Desktops and
Applications
HOBLink JWT
Access Target Servers using
RDP on the client side
Access to Enterprise
Connectivity
HOBLink J-Term
Access Target Servers using
RDP or Telnet SSH. Access
target servers using TN3270,
TN5250 and other legacy
protocols, if licensed
Access to Web
Applications and Intranet
Web Server Gate
Allows access to any kind of web
server including Outlook Web
Access and Citrix Web Portal
Access to File Systems
Web File Access
Access CIFS/SMB capable
shares in your network
HOBPhone
HOBPhone
Access your client machine as a
VoIP phone
PPP Tunnel
HOB PPP Tunnel
Network level access to internal
resources
HOB WSP Universal Client HOB WSP Universal Client Use third party applications to
access internal systems securely
User Settings
Modify own user settings
Table 1: Portlets in HOB RD VPN
68
HOB RD VPN
The following table shows the portlets that are already configured according to the
roles available on installation:
Portlet
Domain
Power User
Administrator
User
User Configuration
X
Applications with HOBLink JWT
X
X
X
Applications with HOBLink J-Term
X
X
X
Access to Web Applications
X
X
X
Access to File Systems
X
X
User Settings
X
X
HOBPhone
X
HOB PPP Tunnel
X
HOB WSP Universal Client
X
Table 2: Portlet Assignments
It is up to the domain administrator (who is assigned all portlets by default) to decide
as to which portlets are assigned to the other users depending on their role, in
accordance to the conventions of the company.
5.2
User Settings
This portlet allows domain administrators and users to personalize the look and feel
of the navigation screen. There are three sets of links here:

User Settings - here you can expand or collapse the required portlet, and arrange the portlets as desired.

Cookies - here you can save and organize any cookies.

Change password - here you or your users can change their access password.
5.2.1 User Settings - Web Server Gate Bookmarks
Here you can set any bookmarks that you want to appear on the navigation screen.
69
HOB RD VPN
Figure 2: HOB User Settings - Web Server Gate Bookmarks
70
1.
Enter a Name and a URL for each bookmark you wish to add to the navigation
screen.
2.
Use the green Plus symbol to add new bookmarks (or the red X symbol to
delete them), and the Up and Down arrows to adjust the order in which they
are displayed on the HOB RD VPN Navigation screen, see Figure 1.
3.
Click Save All to save your changes when you are satisfied with your
bookmarks, or Cancel to discard any changes.
HOB RD VPN
5.2.2 User Settings - Desktop-on-Demand
Here you can set the connection data for the Desktop-on-Demand feature.
Figure 3: HOB User Settings - Desktop-on-Demand
Use the green Plus symbol to add new Desktop-on-Demand data (or the red X
symbol to delete them), and the Up and Down arrows to adjust the order in which
they are displayed on the navigation screen. You can enter the following data here:





Workstation – enter the name of the workstation you wish to be able to connect
to.
IP Address – enter the IP address of the workstation to be accessed.
Port – enter the port number where the workstation listens for RDP connections.
This should be port number 3389 by default.
MAC Address – enter the MAC address of the workstation to be woken, if you
need to use a Wake-on-LAN functionality.
Timeout – enter the amount of time in seconds to wait for a wake command to
be successful. The default time here is 180 seconds.
Use the Save All button to save your changes when you are finished entering your
data.
71
HOB RD VPN
5.2.3 User Settings – Portlets
To change the look of the HOB RD VPN Navigation screen, and to set the portlets
available to your users:
Figure 4: HOB User Settings - Portlets
Enable the radio buttons for each portlet that you want displayed on the
HOB RD VPN Navigation screen, and then use the Up and Down arrows to adjust
the order in which they are displayed.
72
HOB RD VPN
5.2.4 User Settings – Others
Here on this screen you can set the display language to be used by HOB RD VPN,
and whether the Web Server Gate flyer is shown.
Figure 5: HOB User Settings Screen - Others
Language – select from the dropdown box to set the display language. English and
German are the only languages currently available, more languages will be
available with later releases of this product.
Web Server Gate Flyer – select Show to have the Web Server Gate Flyer
displayed as a floating popup on all screens, or Hide to keep it docked to the main
screen.
Flyer - when activated the flyer is displayed as a floating popup on all
screens. The flyer contains the following two icons:
Home - use this to return to the Home page of HOB RD VPN, the
HOB RD VPN Navigation screen
Log Out - use this to log out of HOB RD VPN and close the program
73
HOB RD VPN
5.2.5 Cookies
This screen allows you to review your current cookie list.
Figure 6: HOB User Settings Screen - Cookies
Use the Delete button to remove any cookie from this list.
5.2.6 Change Password
This screen allows each user to change their password, if desired.
Figure 7: HOB User Settings Screen - Change Password
Enter your old password, then the new password. Enter your new password again
to confirm, and click Change Password to make the change.
The password change functionality is not supported for all configuration
options.
74
HOB RD VPN
6
The administration portal is the set of Graphical User Interfaces (GUIs) that the
administrator of HOB RD VPN can use to manage, monitor and adapt the software
to account for changes in the system. Users and resources can be added, edited or
deleted, permissions set and users and resources assigned into their respective
administration groups. The configuration interface is named HOB Enterprise
Access Administration (HOB EA Admin) and is delivered as an integral part of the
HOB RD VPN software solution.
This HOB RD VPN administration interface (HOB EA Admin) can be started using
a browser or the Start Menu of the workstation. To start the HOB RD VPN
administration from a browser, open the HOB RD VPN default page with a browser
and logon, either:


6.1
As a domain administrator using: https://rdvpn.example.com.
As global administrator using: https://rdvpn.example.com:10000 (use the
port number that was selected during the installation).
Administration Access as a Domain Administrator
Type the URL given above to access the administration interface from a browser
and enter your logon credentials in the HOB RD VPN Logon screen. Then:
1.
Once the HOB Navigation Screen opens, click the User Configuration link.
2.
The HOB EA Administration dialog is shown (see below). You will need to
authenticate again on the Connect to HOB Enterprise Access dialog for the
HOB EA Administration program to open.
Figure 1: HOB RD VPN Administration - Logon
3.
Enter your User Name and then your Password/PIN for authentication. If you
use your user name but for different roles, such as a user role and an
75
HOB RD VPN
administrator role, you can use the Change Password checkbox to bring up
extra fields allowing you to set a new password to access your alternative role.
In order to ensure compatibility with Common Criteria, the checkbox Save
password must be left unchecked, as shown below.
Figure 2: HOB RD VPN Administration - Logon Compatible for Common Criteria
Once you have successfully logged on, the following screen is displayed. Here you
can administer and configure the resources with your domain.
Figure 3: HOB RD VPN Administration
76
HOB RD VPN
The HOB RD VPN Administration screen contains the resources that are present
in your organization hierarchy in the left hand panel and the constituent elements
(users, groups, containers and objects) present in the highlighted element in the
right hand panel. The name of the selected resource is always shown in the title of
the right hand panel.
Select from the domain list displayed on the left the domain that you wish to
administer. The elements or resources contained within each domain are shown in
the panel on the right. In the example shown here there is one domain, dc=hobsoft,
with two elements, ou=groups and ou=users.
Use the following buttons to manage the resources in your enterprise.
Connect – establish a connection to your resource management database
Disconnect – end the connection to the database
Add Item – add a new item (user, group, object or container) to the database
Edit Item – edit the selected item
Delete Item – delete the selected item
Configure – configure the selected part of the database
Cut – cut the selected item from the database but not delete it
Paste – insert the cut item in this location in the database
Search – search for a specific element in the database
About – click to see the name and version of the software you have installed
At the bottom of the screen there are two buttons and a dropdown box. These are:
Properties – use this button to display the properties
of the selected resource
Configure – use this to open the configuration tool for
the selected resource
Select – in this dropdown box you use the arrow on
the left to select the part of the database that you want
to access for editing, whether User Settings,
Utilities, the HOB WebSecureProxy, etc
77
6.2
HOB RD VPN
Administration Access as a Global Administrator
Once you logon to a browser using the global administrator logon the administration
portal opens directly.
The following applications are available for the global administrator only; they are
not available to a domain administrator and are not displayed on the domain
administrator interface.
6.2.1 HOB RD VPN Administration Screen – System
This screen shows information about the edition of HOB WebSecureProxy that is
currently installed on the system.
Figure 4: HOB RD VPN Administration - System
As well as the installed version of the HOB WebSecureProxy, this screen shows the
process ID of the current installation and for how long it has been running.
78
HOB RD VPN
6.2.2 HOB RD VPN Administration Screen - Gateways
Here you can see the currently configured gateways for the current connections.
Figure 5: HOB RD VPN Administration - Gateways
The Gateways screen shows details about the gateways for the administration
access and for the user portal. The information shown includes the numbers of the
ports being used by the gateways, their configurations and the status of the
connections to the gateways.
6.2.3 HOB RD VPN Administration Screen – Users
Here you can display all of the users that are currently logged on to the system.
Figure 6: HOB RD VPN Administration - Users
Using the fields at the top of this screen, you can choose to display users according
to a set number per page, or according to user name. In the list of users you can
see their roles and IP addresses, and how long they have been logged on.


Previous and Next – use these arrow buttons to navigate between users when
not all can be displayed on the screen at the same time.
Display users named – you can insert a username into the field to display the
connections of the specific queried user or users directly.
79

HOB RD VPN
Logout Selected Users – use this button to log out those users that you have
selected from the list of current users.
6.2.4 HOB RD VPN Administration Screen - Connections
This dialog is used to review the currently established connections, and to
disconnect those that are not in use.
Figure 7: HOB RD VPN Administration - Connections



Previous and Next – use these arrow buttons to navigate between users to see
their connections.
Display users named – you can enter the username into the field to bring up
the required user directly.
Disconnect selected connections – use this button to disconnect those connections that you have selected from the list shown.
6.2.5 HOB RD VPN Administration Screen – Logs
This section is covered in more detail in Section 6.4 Logging and Error Messages
in HOB RD VPN on page 93.
The logging dialog (see Figure 23) displays the log of activity for the functioning of
machines that were recently or are currently active, and the communication
between them.
6.2.6 Global Administration Screen – Services
This dialog displays the plugins that are currently installed on the server and allows
them to be monitored. Plugins are enhancements to existing software applications,
adding specific abilities. Plugins usually cannot be run independently of the main
application, and in most cases can be stopped and restarted if necessary. Among
the plugins that come with your installation of HOB RD VPN is OpenDJ (the
integrated directory service).
80
HOB RD VPN
Figure 8: Global Administration - Services

Plugin – the names of the plugins are listed in this column.

Status – the current status of the plugins are shown here.

Options – the options are either to stop (click the black X for this), start (click the
black tick if the plugin is already stopped) or to restart (click the arrow) the selected service.
The field at the bottom shows a log of the event activity of the management screen.
6.2.7 Global Administration Screen - EA-Admin
This link launches the EA Administration interface as shown above in Section 6.1
Administration Access as a Domain Administrator on page 75. Here you can
administer the domains and their resources, and also administer the HOB
WebSecureProxy.
The EA Admin can also be started directly on the server where HOB RD VPN has
been installed. This is done by using:
Under Microsoft Windows:
Go to the Start menu, then: All Programs > HOB RD VPN 2.1 > Administration
> EA Administration
Under Linux:
Run the program INSTALLDIR/utilities/EAAdmin
6.2.8 Global Administration Screen - Backup
This feature allows the data contained within the system Directory Service to be
exported to a backup file location, or imported back from that backup location.
For a backup the data stored in the directory service must first be converted to LDIF
(LDAP Data Interchange Format), which is a standard plain text data interchange
format used for representing directory content and update requests. LDIF conveys
directory content as a set of records, one record for each object (or entry), and one
record per update requests, such as Add, Modify, Delete, and Rename.
81
HOB RD VPN
Figure 9: Global Administration - Backup - Export LDIF


Export LDIF – export the data in LDIF format to the backup location. This button
brings the Username and Password fields on screen, where you need to authenticate. Once authenticated, click Export for this operation to be carried out.
Input Credentials – this shows a log of all entries into this screen.
Figure 10: Global Administration – Backup - Import LDIF

Import LDIF – extract the data from the backup location to the current servers
for use. This button also brings the Username and Password fields on screen
(as shown above), where you need to authenticate using configured
HOB RD VPN credentials. Once you have authenticated, use the Browse button
to locate the desired LDIF file.
Once it is selected, use the checkboxes to specify whether the file being imported
should overwrite the existing data or be appended to it (and whether existing data
should be replaced with the incoming data).
82

Upload & Import – click for this import operation to be carried out.

Input Credentials – this shows a log of all entries into this screen.
HOB RD VPN
6.2.9 Global Administration Screen – Certificates
This feature is where the system certificates are managed. These are the security
certificates that are used to authenticate each element of the system. Access is not
allowed from workstations or machines that do not possess current valid
certificates.
To achieve conformity with Common Criteria, this feature cannot be used
to generate security certificates. Instead you must generate a set of
certificates using the Auto Wizard in the HOB Security Manager (see
Section 33.1 Adding Certificates and HOBLink Security Units to the
HOB WSP in this document and the HOBLink Secure and HOBLink
Security Manager Administration Guide for more information). The result of
this process will be a set of configuration files (also known as HOBLink
Security Units) for HOB WSP.
For each type of certificate these symbols on the right hand side have the same
functions. They are active only when the mouse moves over them:
Upload – click to upload a certificate into the certificate directory
Download – click to download a certificate from the certificate
directory
New Certificate – click to create a new certificate
Certificates have the following formats:



PWD (Password) – this extension signifies that this certificate file contains the
password data.
CFG (Configuration) – this extension signifies that this certificate file contains the
configuration data.
CDB (Certificate database) – this extension signifies that this certificate file contains the database data. For detailed information about the files that can be uploaded here, and how
to create them, see the HOBLink Secure and HOBLink Security Manager
Administration documentation.
83
HOB RD VPN
Certificates – Upload Certificate
Use this screen to upload a certificate into HOB RD VPN from your network data
storage.
Figure 11: Global Administration - Upload Certificate




84
Administrator Access Certificates – this server certificate (and its certificate
chain) are used to secure the authentication and the communication of the Global Administrator who is allowed to access the HOB RD VPN administration functions.
User Portal Certificates – this server certificate (and its certificate chain) contain the data used to secure the authentication and communication of the users
authorized for access to the User Portal functions.
Cluster Access Certificates – this server certificate (and its certificate chain)
contain the data used to secure the authentication and communication of the users authorized for access to the User Portal functions if a HOB RD VPN cluster
is used and the user is redirected to this particular node in the cluster.
Internal Client Certificates – these certificates are used in case the HOB WSP
connects to a target system using an SSL connection. These certificates must
include the root certificates of all target systems that the HOB WSP is connecting
to.
HOB RD VPN



External Client Certificates – these certificates are used on the client side (for
example by HOBLink JWT) to connect to the HOB WSP. These certificates must
include the root certificates of the server certificate that is used by HOB RD VPN.
If these certificates are available on the client system and shall not be downloaded from the server, you can use the Delete icon to remove existing files.
Import to External Client Certificates – check this box to import the current
certificate to the list of external client certificates.
Upload – click to perform the upload.
Certificates – Download Certificate
Use this screen to download a certificate package in zipped form. Each certificate
package contains a certificate file for that function (Administrator Access, User
Portal, and so on).
Figure 12: Global Administration - Download Certificate

Download Certificate Package – click on this link to download all of the files required for the current function (in this example shown, the certificates required
for administrator access). You are prompted to save the certificate files in zip
form to a location in your system. The Download Certificate Package procedures
for other certificate types are performed in the same manner.
85
HOB RD VPN
Certificates – Create New Certificate
Use this screen to create a new certificate for administrator access, user portal and
cluster access. The process is identical for all three certificate types.
Figure 13: Global Administration - Create New Certificate
Enter the required data in each of the relevant fields, and select the validity period
for this certificate from the dropdown box.


86
Import to External Client Certificates – check this box to import the current
certificate to the list of external client certificates.
Create – click to create the new certificate. A pop-up appears to prompt you that
a new certificate has been successfully created, or that the creation has failed.
This information is also shown in the Status field at the bottom of the screen.
HOB RD VPN
6.2.10 Global Administration Screen – Updater
This feature is where updated versions of existing files can be uploaded and
installed. Backup files can also be uploaded this way.
Figure 14: Global Administration - Updater

Browse – use this to locate the desired update file.

Upload & Install – click this button to perform the update.

Status – this field shows the current log of activity on this screen.

Update Packages – this list shows the recent update activity, the files and file
packages that have been uploaded, the current status of uploaded file packages,
and their upload date.
87
HOB RD VPN
6.2.11 Global Administration Screen – Extensions
This feature allows you to download the install tools for the following extensions
available for HOB RD VPN. Extensions are extra features or functionalities that are
delivered with this installation of HOB RD VPN, but are optional in that they need
not be activated.
Figure 15: Global Administration - Extensions
Click on the relevant link below to find more information on the desired extensions,
and how these may be configured:









88
VDI WSP – see Chapter 13 Virtual Desktop Integration.
Wake-on-LAN Agent for Windows – see Chapter 12 HOB RD VPN Desktopon-Demand.
Wake-on-LAN Agent for Unix/Linux – see Chapter 12 HOB RD VPN Desktopon-Demand.
WTS Load Balancing – see Chapter 10 Remote Desktop Computing using
HOBLink J-Term/JWT.
Security Manager for Windows – save the Windows installation file required for
the HOBLink Security Manager: see the HOBLink Secure and HOBLink Security Manager documentation delivered with this product.
Security Manager for Unix/Linux – save the Unix/Linux installation file for the
HOBLink Security Manager: see the HOBLink Secure and HOBLink Security
Manager documentation delivered with this product.
Security Manager for Mac OS X – save the Mac OS X installation file for the
HOBLink Security Manager: see the HOBLink Secure and HOBLink Security
Manager documentation delivered with this product.
Anti Split Tunnel – this feature is available for use with the HOB PPP Tunnel –
see Chapter 22 Using the HOB PPP Tunnel for Network Access – and the
HOB Compliance Check – see Chapter 25 HOB Compliance Check
PPP Tunnel for Unix – see Chapter 22 Using the HOB PPP Tunnel for Network
Access.
HOB RD VPN
6.3
Creating a New Global Administrator
When installing HOB RD VPN 2.1 you can only enter one global administrator (this
is a mandatory step). Once the installation of HOB RD VPN is complete, this global
administrator can create more global administrators by modifying the internal
configuration system. This modification is done through the HOB EA Administration
interface. After the internal configuration system has been modified, the newly
created global administrator (or administrators, there is no limit on the number of
administrators that is possible) can logon to the administration portal and can be
used to perform changes through the HOB WSP GUI.
The steps to modify the internal configuration system and create a new Global
Administrator are as follows:
1.
Open the HOB EA Administration interface and log on using as the global
administrator. The credentials that you use are those that you created when
installing HOB RD VPN.
2.
Locate the organizational unit ou=users,dc=internal,dc=root and select it
as shown in this diagram:
Figure 16: HOB EA Administration – Creating New Global Administrator
3.
Now right click on this item or use the Add item icon and choose User, as
shown below. This new user will be given the full privileges of the global
administrator.
89
HOB RD VPN
Figure 17: HOB EA Administration – Adding New User
4.
Enter the desired name for this second (or extra) global administrator in the
Properties tab, as shown here:
Figure 18: HOB EA Administration – Properties Tab
90
HOB RD VPN
5.
Now select the Membership tab and the following screen is displayed:
Figure 19: HOB EA Administration – Membership Tab
6.
Click the Add Membership button, and you will see the following screen:
Figure 20: HOB EA Administration – Selecting New Membership
7.
In this screen, add cn=globalAdministrators,ou=groups,dc=internal,
dc=root as the membership for this new user. Click Select to confirm this
membership.
91
8.
HOB RD VPN
Once the selection has been confirmed this screen is shown:
Figure 21: HOB EA Administration – Membership Tab
9.
Click OK and a popup appears for you to create a password for this user.
Figure 22: HOB EA Administration – Enter Password to Confirm
10. Enter a new password for this new global administrator and click OK. This
saves the modifications to the internal configuration system and makes the new
configurations ready for use.
The new global administrator has now been created and can now be used for
example to immediately gain access to the Administration Port.
To create any new users, groups or domain administrators for the network,
you use exactly this same procedure. The only difference is when you
select the membership for the new user or administrator, which must be the
appropriate membership for the newly created user or administrator.
92
HOB RD VPN
6.4
Logging and Error Messages in HOB RD VPN
Logging is the process of recording events that occur within HOB RD VPN. Logging
is designed to provide an audit trail that can be used to understand the activity of
the system and to diagnose problems, if any. If any issues are revealed, the log will
report this in the form of an error message.
Logs and error messages are essential to understanding the activities of complex
systems, and log file entries can also be combined from multiple sources. This,
when combined with statistical analysis, can reveal correlations between events
that are seemingly unrelated on different servers within your system, thus allowing
you to identify and correct any issues that arise.
6.4.1 Logging in HOB RD VPN Administration
The logging dialog shown here displays the log of activity for the functioning of
machines that were recently or are currently active, and the communication
between them. This dialog provides you with the information you require to ensure
that HOB RD VPN is functioning smoothly, and that there are no issues of
communication between the machines in your system.
Figure 23: HOB RD VPN Administration - Logs

Display – use this field to determine how many log file entries are shown in the
display field at any one time.
93





HOB RD VPN
Fit to page size – click this to display the log message in a format that will fit in
the display field, with text wrapping.
Previous and Next – use these arrow buttons to navigate between the pages in
the logfiles.
Autorefresh – click this to automatically update the logfile that is displayed.
When clicked, this button performs a refresh and counts down 30 seconds when
it will refresh again. This continues until you leave this screen.
Search – use this to find and display a specific logfile.
RegExp (Regular Expressions) – allow a search of the logs for known regular
expressions, such as a specific application name.

Start at – use this field to enter a starting date for your search.

Refresh – click this to update the logfile that is displayed.
Individual log entries take the following format:
Figure 24: HOB RD VPN Administration – Logs – Individual Log Messages



Time – this shows the time according to the system clock when the log entry was
made.
Error ID – this combination of numbers and characters identify the message. For
example an Error ID of HWSPS003I signifies a HOB WSP entry with an individual message number 003. The character at the end of this ID (in this example I
is shown) signifies the category of this message (see below).
Category – this identifies the type of message that is being reported. The message can be one of three types:

I indicates an entry that gives Information

W indicates an entry that signifies a Warning

E indicates an entry that signifies an Error

Application – this identifies the application that is sending a report.

INETA (Internet Address) – this identifies the machine sending a report.

Message – this text alerts the administrator to the reason the log entry has been
made.
This is the standard format used by HOB RD VPN on both Windows and Linux or
Unix systems.
6.4.2 HOB RD VPN Logging in Windows Systems
The following is a typical Windows Log File, identifying the machines involved, the
applications running and any possible warnings that are generated:
HWSPM001I IBIPGW08 started/Version 2.3x86Apr5 2013/HOB WebSecureProxy/SSL
gateway
HWSPM013I loaded configuration file C:\Program
Files\HOB\RDVPN\wsp\wsp.xml.
94
HOB RD VPN
HWSPM014I fingerprint (SHA1) of configuration file 141A CE67 0222 19C9 C610
0495 1290 E187 C568 ABD5.
HWSPM001I IBIPGW08 started/Version 2.3 x86 Apr 5 2013/HOB WebSecureProxy/
SSL gateway
HWSPM015I this ComputerName ComputerXX11 process-id 6128.
HWSPM016I WSP time started 26.04.13 10:17:51.
HWSPM017I fingerprint of this HOB WebSecureProxy AAAA EEEE 1111 2222 5594
B1D4 E7C1 62C0 56E5.
HWSPM018I processing configuration file C:\Program Files\HOB\RDVPN2.1.10\wsp\wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file AAAA CCCC 2222 1919 C610
0495 1290 E187 C568 ABD5.
HWSPIP041I Library WS2_32 loaded
HWSPM041I m_hssl_getversioninfo SSL-Version: 1, Revision=25, Release=19.0
HWSPM043I m_hssl_getversioninfo HOBLink Secure SSL Software Module,
Version 01.25, Rev. 19.00, 12.03.2012
HWSPM092I configuration display: SECDRBG: Seed o.k.
HWSPM092I configuration display: HIWSI001I: HOB WebServer initialized
(ServerDataHook: Web Server/2.3.0.43/x86 (CC))
(ServerDataHook: Web Server/2.3.0.43/x86 (CC))
HWSPM092I configuration display: HCOCI001I: ServerDataHook: Compliance
Check V2.3.0.7 initialized
HWSPM092I configuration display: HEALDI001I ServerDataHook: EA-LDAP
V2.3.0.18 initialized
HWSPM092I configuration display: HPHONEI000I ServerDataHook: HOBPhone
HWSPM092I configuration display: HWSPATI001I HOB Authentication Library
HWSPM090I create gateway User Portal port=443 + 80.
HWSPM090I create gateway Administration Access port=10000.
HWSPM083I number of CPUs online 1.
HWSPM080I max-poss-work-thread set to 32.
HWSPM081I max-active-work-thread set to 16.
6.4.3 HOB RD VPN Logging in Linux/Unix systems
The following is a typical Log File generated when HOB RD VPN is being used on
a Linux or Unix system.
HWSPM110I found character set UTF-8 translated to UTF-8.
HWSPM001I nbipgw20 started / Version 2.3 Rev.13 Linux EM64T Apr 17 2013 /
HOB WebSecureProxy SSL-Gateway for Unix
HWSPM015I this ComputerName Computer-51 process-id 7775.
95
HOB RD VPN
HWSPM016I WSP time started 26.04.13 10:07:50.
HWSPM017I fingerprint of this HOB WebSecureProxy 99AA CC55 3301 29A6 1F7E
0BA4 066F 4422 4BD0 0011.
HWSPM018I processing configuration file /opt/HOB/rdvpn/wsp/wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file CC77 11AA 4242 ABCD 7922
8CFE 8C07 1168 9D29 DB8A.
HWSPM041I m_hssl_getversioninfo SSL-Version: 1, Revision=26, Release=5.0
HWSPM043I m_hssl_getversioninfo HOBLink Secure SSL Software Module,
Version 3.2 01.26, Rev. 05.00, 11.04.2013
HWSPMnnnW WSP Trace administration command but <allow-wsp-trace> not
configured
configured
configured
HWSPXMLC0UUUUW Error LDAP-service rdvpn invalid node found "internal" ignored
HWSPM092I configuration display: SECDRBG: Seed o.k.
(ServerDataHook: Web Server/2.3.0.42/Linux em64t (CC) )
(ServerDataHook: Web Server/2.3.0.42/Linux em64t (CC) )
HWSPM092I configuration display: HSOCI001I: SOCKS5 Server initialized
(ServerDataHook: Socks4+5/2.3.0.21/Linux em64t (CC))
HWSPM092I configuration display: HSOCI002I: Flags: 0
HWSPM092I configuration display: HCOCI001I: ServerDataHook: Compliance
Check V2.3.0.6 initialized
HWSPM092I configuration display: HEALDI001I ServerDataHook: EA-LDAP
HWSPM092I configuration display: HPHONEI000I ServerDataHook: HOBPhone
HWSPXMLC01109W Error connection User Portal element "gate-in-ineta" has no
child - ignored
HWSPM133I Listen-Gateway: nbipgw19-l01073-I connected to HOB ListenGateway for WebSecureProxy V2.1 Apr 17 2013 Protocol Version 0.0
HWSPM090I create gateway User Portal port=443 + 80.
HWSPM090I create gateway Administration Access port=10000.
HWSPM083I number of CPUs online 2.
HWSPM080I max-poss-work-thread set to 32.
HWSPM081I max-active-work-thread set to 16.
96
HOB RD VPN
data received on pipe
6.4.4 Reading Error Messages in HOB RD VPN
On the analysis of the log files generated by HOB RD VPN, you can clearly see how
the machines you are using are operating, and at what times the necessary updates
and maintenance are being performed.
If there are any issues with the functioning of the system, these will also be revealed
through the logging process. Clear identification, through the error messages, of
any issues (the machine affected, the software and applications being used,
whether any required data is missing or defective, for example) allows you to
remedy these issues quickly and efficiently.
The error message can be one of three types:

I indicates an entry that gives Information

W indicates an entry that signifies a Warning

E indicates an entry that signifies an Error
As an administrator, it is imperative that you are aware of the logging functionality
of HOB RD VPN, as this tool can prove invaluable for your day to day operations.
6.4.5 Error Messages in HOBLink JWT/J-Term
The HOBLink JWT and HOBLink J-Term applications each provide a GUI interface
to the user. These GUI interfaces can then display corresponding GUI dialogs
containing any error messages for the users. The user can then respond directly to
the displayed error messages (for example entering some required data that has
not yet been entered), or can forward them to the administrator.
The GUI is designed to be provided in multiple languages. English and German are
the only languages currently available.
97
98
HOB RD VPN
HOB RD VPN
7
Multi-Tenancy
Multi-Tenancy
Multi-tenancy is a principle in software architecture where a single instance of the
software runs on a server, serving multiple client tenants (or domains). In the
HOB RD VPN multi-tenant architecture, the software is designed to virtually
partition the data and configuration, so each client organization works with a
customized virtual application instance. HOB RD VPN can be configured to use
multiple domains, so a single HOB RD VPN installation can authenticate users from
many different domains, where each domain in HOB RD VPN is an independent
tenant.
These HOB RD VPN domains can use different configurations (Domain 1 users can
only access resources assigned to Domain 1, users of others domains cannot
access resources assigned to this domain, for example). Configurations can also
be used from more than one domain if required (for example different domains may
be assigned access to the same target system).
Multi-tenancy can be used in your HOB RD VPN installation to support different
departments within your company, and can be used to allow your customers or
suppliers access to special services without needing to add them to the internal user
directory service.
7.1
Default Domain Configuration after Installation
After installation, HOB RD VPN uses the integrated directory service for both
authentication service and configuration storage. For this, the HOB RD VPN
installation creates a default domain named hobsoft. This domain resides in the
directory service under dc=hobsoft,dc=root.
You can use the administration interface to perform additional administration tasks
for this domain as the global administrator or as the domain administrator of the
hobsoft domain.
With the administration interface you can administer both the users and their
configurations.
99
Multi-Tenancy
HOB RD VPN
Figure 1: HOB EA Administration – HOB RD VPN Domains
HOB RD VPN can be configured to use a wide range of different tenants using
different domain configurations. A domain in HOB RD VPN consists of two
components, an Authentication Service and a Configuration Storage.
100
HOB RD VPN
Multi-Tenancy
The possible combinations of Authentication Service and Configuration Storage are
shown in this table:
Authentication Configuration RDN Base
Service
Storage
Domain
Administrator Create User
Administrator Account /
Automatically
Group DN
Password
Internal LDAP
(default)
Internal LDAP
(default)
dc=hobsoft
(grayed out)
cn=domainAd (grayed out)
ministrator
s,
dc=hobsoft,
dc=internal
, dc=root
(grayed out)
(grayed out)
Internal LDAP
(new)
(required)
cn=domainAd (grayed out)
ministrator
s, “Value of
RDN-Base”,
dc=internal
, dc=root
(grayed out)
(grayed out)
Combination 1
Internal LDAP
(new)
External LDAP Internal LDAP
Combination 3
Name of LDAP (not mandatory) Required for
(not mandatory)
(grayed out)
Domain
Administrators
Group DN or
Create User
Automatically
(not mandatory)
External LDAP External LDAP (grayed out)
Kerberos /
RADIUS
Internal LDAP
Combination 2
Kerberos /
RADIUS
Name of
(not mandatory)
Kerberos /
RADIUS
Domain (grayed
out)
External LDAP (grayed out)
Combination 2
(grayed out)
(grayed out)
(grayed out)
Required for
(not mandatory)
Domain
Administrators
Group DN or
Create User
Automatically
(not mandatory)
(not mandatory) Required for
(grayed out)
Domain
Administrators
Group DN (not
mandatory)
Table 1: Authentication Service and Configuration Storage combinations in HOB RD VPN
Note to Combination 1:
The hobsoft domain is created during the installation process, and the integrated
LDAP is referred to under the name rdvpn in the HOB WebSecureProxy. To
integrate other domains, HOB EA Administration automatically creates ou=groups
and cn=domainadministrator,ou=groups under this domain:
(cn=domainadministrators,ou=groups,dc=DOMAIN,dc=root). All of the
domains created in this way must then be created in the HOB WSP interface,
entered into the domain table (in this case another display name must used
because rdvpn is already preset) and assigned to the roles. No additional entry
should be made under domains > LDAP > LDAPdomains. All users who are
members of the domain administrators group have administration rights within this
domain.
101
Multi-Tenancy
HOB RD VPN
If RADIUS and Kerberos are used for the HOB integrated LDAP, there is the
possibility of using the auto-create user function. If this is not used, then all the
objects must be manually created or imported. Here the domain name must be the
same as the name of the RADIUS domain so that the mapping function can be
used. The mechanism of the domain administrators is as shown in Note 1.
When auto-create users is used, successfully authenticated users are automatically
created in the root of the domain. RADIUS and Kerberos are flat structures (without
subnodes and without groups). Subnodes and groups can be created in the
integrated LDAP, and the users can be moved and added to groups. When logging
on, the user and their configuration are found in the subnodes and they are not
recreated in the root directory. To use the auto-create user functionality, an
administrative account is required in the HOB WSP configuration. This
administrative account must have read and write rights in this domain, so must
belong to either the global administrator or a domain administrator for that domain.
It is the same as for Combination 2 in that for the auto-create user functionality to
be used, the user uses the same subnode structure that was used in the original
LDAP. The groups of users are similarly created and group membership is also
created as in the original LDAP. The review of the subnodes and the groups is
checked at each login, in that the user is moved and / or group membership is
changed in the integrated LDAP depending on the changes in the external LDAP.
7.2
Using the Integrated Directory Service
After installation, HOB RD VPN uses the integrated directory service for both
authentication service and configuration storage.
The tree of the integrated DS contains two domain components (dc):

dc=internal,dc=root

dc=hobsoft,dc=root.
7.2.1 Domain Component dc=internal,dc=root
Internal objects located in this component include:


102
The WebSecureProxy (WSP) Object
On installation there is a default random password set for this object that is
unique for each installation. This object holds the configuration of the WSP and
is also used as a read-only search user for the integrated directory service.
Global Administrator
This user is also created at installation with a freely selectable username (that
must not be "System Admin" itself) and a password. This user has administrative
rights to the whole integrated directory service. Additional system administrators
(with the same rights) can be created later in RD VPN Administration.
HOB RD VPN
Multi-Tenancy
7.2.2 Domain Component dc=hobsoft,dc=root
After installation dc=hobsoft,dc=root is the default domain used as
authentication service and configuration storage. On installation it is possible to add
users and select suitable groups for them. Users in the group
cn=Administrators,ou=groups,dc=hobsoft,dc=root have only administrative
rights to the elements below the dc=hobsoft,dc=root part of the tree, making
them domain administrators for the rdvpn domain.
Figure 2: Default Integrated Directory Structure
Adding another domain for authentication service and configuration storage is the
equivalent of adding a copy of the initial dc=hobsoft,dc=root but with another
name, for example dc=customer1,dc=root.
103
Multi-Tenancy
HOB RD VPN
7.2.3 Configuring an Integrated Directory Service
Follow these short steps to create a new domain in the integrated Directory Service:
1.
Logon to HOB EA Administration.
2.
Select the resource dc=root and right click to Add a domain, entering a name
in the Account field for this domain, in this case NewDomain.
Figure 3: Add Domain to Existing Domain
This creates the domain dc=NewDomain. Within this domain the object ou=groups
as well as the cn=domainAdministrators group it contains are automatically
created.
Using the checkboxes here you can choose to Apply HOB product
configurations from an already configured domain (a browse dialog opens
automatically to allow you to specify the configuration). You may also select the
checkbox to Open the configuration dialog for HOBLink JWT when this dialog
is closed if desired.
Within this domain you can now create the required users, groups, and
organizational units as needed. All of the users who are members of the
domainAdministrators group are assigned by this configuration administration
rights for the newly created domain.
104
3.
Start the WebSecureProxy GUI. This is done from the HOB EA Administration
interface by selecting the WebSecureProxy object, going to the dropdown list
to the right of the Configure button and selecting HOB RD VPN 2.1 >
WebSecureProxy blue, and clicking the Configure button.
4.
Now select Domains from the list on the left and in the Domains tab click Add
from the buttons on the right.
5.
In the Authentication Service panel enter the service Type, the service Name
(selecting both from those already configured) and a Display Name for the
service that can be freely chosen.
HOB RD VPN
6.
Multi-Tenancy
In the Configuration Storage panel you need to select a Storage Name and
enter the RDN-BASE (Relative Distinguished Name) dc=newDomain as a base
name. This is the name of the new domain that was entered in Figure 3 above.
Now click Add & Close to save the changes, add the domain to the list and
close the dialog.
Figure 4: Add Settings to new Domain
7.
Select the Show Domain List on login dialog checkbox on the Domain List
dialog (see below) if you want a dropdown list of domains to be shown when
administrators are logging on. If you do not do this, a text box for the domain
registration is shown in the dialog showing the current domain.
Figure 5: HOB WebSecureProxy – Domain List
105
Multi-Tenancy
8.
HOB RD VPN
The users that are members of this domain can now be assigned to roles. Open
the WebSecureProxy dialog, and go to the select member screen as shown
here:
Figure 6: Select Member to Add to New Domain
9.
Select the domain, the role within the domain and click the Select button to
assign this object or user to the selected domain. The following screen is
shown:
Figure 7: Check Configuration under Roles
10. Click File > Save to save your changes. Now go to Roles > Settings >
Requirements > Members and you will see the new domain in the domain list.
106
HOB RD VPN
7.3
Multi-Tenancy
Using an External Directory Service as the Authentication Service
An external directory service can be used for authentication:

In conjunction with the same external directory service as Configuration Storage.
In this scenario the integrated directory service is not involved. The global administrator of HOB RD VPN has to provide the necessary credentials for the domain
(a directory service-based authentication service and a directory service-based
configuration service) in the WSP configuration file. This can be done using the
WSP configuration.
Note that the authentication service and the configuration storage must be
the same directory service

In conjunction with the integrated directory service as Configuration Storage.
In this scenario a new domain component named dc=root is created.
7.3.1 Configuring an External Directory Service for Authentication and Configuration
The following steps show the procedure required to use an external directory
service as the authentication service and configuration storage.
1.
Add the HOB LDAP Scheme Extension to your directory service. After
installation you can find the HOB scheme extension in the HOB Scheme
Extensions folder of your HOB RD VPN Installation, for more information see
Chapter 38 HOB LDAP Scheme Extensions.
2.
Log in with global administrator credentials to the HOB RD VPN administration
page (see Section 6.2 Administration Access as a Global Administrator on
page 78) and in the column on the left, select EA-Admin. In the following
popup then log in to HOB EA Admin with your global administrator credentials.
3.
In HOB EA Admin, select ou=servers in dc=internal and then click on the
directory content item cn=WebSecureProxy. Now click the > button to the right
of the Configure button and select HOB RD VPN 2.1 > WebSecureProxy
blue, and click Configure.
4.
In the HOB WSP screen that now opens, select Domains > LDAP > LDAP
Domains from the tree structure at the left (scroll down to these items) and click
Add at the bottom of the screen.
5.
The LDAP Domain tab opens in the pane on the right. Here you can either
accept the default name of the new domain, or enter a name of your choosing
(in the example External LDAP is used).
107
Multi-Tenancy
HOB RD VPN
Figure 8: HOB WSP Administration - LDAP Domain
6.
Once the domain has been added (you can see it has now appeared in the tree
on the left), a server must be added to this domain. Click Add again to add at
least one directory server instance.
Figure 9: WSP Administration - Add Server to External LDAP
Here you enter the information of the LDAP server to be used in this domain. The
fields are as follows:



108
Name – A default LDAP server name appears here. You can accept this or enter
a new name.
IP address – Enter here the IP address of your LDAP server.
Port – The port number 389 is set here as default. If you set the LDAP server to
use SSL the port will be set to the default SSL port number 636.
HOB RD VPN










Multi-Tenancy
LDAP template – Select here the type of LDAP server you are using. You can
choose from the following: OpenDJ, OpenLDAP, IBM SecureWay Directory
Server or Microsoft Active Directory.
Use network adapter – This is set as default to Any.
Base DN - Set here the base DN (Domain Name) for your LDAP server. Click
the … (browse) button to select from the available base DNs.
Search administrator DN – This administrator user is used to search the userid
during the login process. If the authentication is not done with the LDAP where
the configurations are stored and the administrator for the configuration store is
not configured, the search administrator is used.
Search administrator PW – Enter here the administrator’s corresponding password.
Timeout search (sec) – Here you can set the time in seconds for the system’s
search timeout. Default is ten seconds.
Wait connect (sec) – Here you can set the time in seconds for the system to
wait for a server connection. Default is ten seconds.
Use SSL – If the LDAP server is to use SSL, this must be activated by clicking
this checkbox. If activated, the LDAP server port will change from 389 to the
standard SSL port 636.
Search nested group level – Here you can set the number of organizational levels (nested groups) to search through for user settings. The higher the number,
the more levels will be searched. If you have a high level setting here, you may
need to increase your Timeout search.
Global directory – This can only be used with Microsoft Active Directory as
LDAP Template. Activate this service by clicking this checkbox. If you select a
global directory to use, the server port will change to 3268 (or 3269 for an SSL
connection). Then only the Microsoft Global Directory indexed entries will be
used.
109
Multi-Tenancy
7.
HOB RD VPN
Now click the Domains item in the tree structure and click the Add button in
the Domains pane on the right. This screen appears:
Figure 10: WSP Administration - Add Domain to External LDAP
8.
In the Add Domain dialog you add the name of the domain just created to be
used for Authentication Service and for Configuration Storage.
9.
Now the users that are allowed to logon to HOB RD VPN need to have a role
assigned to them.
10. To add a role, click Roles towards the top of the tree structure and then click
the Add button at the bottom left to add a new role, or use a default role, for
example Power User.
11. In the Settings tab that now opens select the tab Members, then select the tab
with the name of your LDAP domain. In the example shown below the domain
External LDAP is used.
110
HOB RD VPN
Multi-Tenancy
Figure 11: WSP Administration - Add Member to External LDAP
12. Click the Add button on the right to bring the Select member dialog box on
screen. Select the organizational unit, user or user group who are to have
authorization to use the domain you just created and add this entry to the
Members list by clicking Select at the lower left. This is the same as process
as in the previous section, see Figure 6 on page 106.
13. Click File > Save in the main menu to save any changes made here.
7.3.2 Configuring an External Directory Service for Authentication Only
The following steps show the procedure required to use an external directory
service as the authentication service only.
1.
Start HOB EA Administration and open the HOB WebSecureProxy
configuration dialog as shown in the previous sections of this chapter.
2.
Create an external LDAP domain (Domains > LDAP > LDAP Domains and
click the Add button) and give this new domain a Name.
3.
Create at least one LDAP server as shown (in the example here the name
External LDAP Server is used).
111
Multi-Tenancy
HOB RD VPN
Figure 12: WSP Administration - LDAP Server configuration
4.
Now to add a Domain. Select the node Domains in the hierarchy and click
Add. The following screen appears:
Figure 13: WSP Administration - LDAP Domains – Add Domain
The field Domain Administrators Group DN must be manually entered. This
configuration defines the group of the domain administrators, which in this LDAP is:
cn=example,ou=groups,dc=externalLDAP,dc=root.
The administrative account entry needs to be of an element that has read and write
permission. The Global Administrator is a typical administrative account.
Use the buttons on the right side (Add to save the data and clear the fields to enter
new data, Add & Close to save this data and close this dialog, or Cancel to close
the dialog without saving) to manage the entries for this domain.
112
HOB RD VPN
Multi-Tenancy
5.
If the Create User Automatically function is not enabled, the administrator
must manually create the Domain, OUs and user groups. The user must be
created with the same name as that used in the external directory service.
6.
If Create User Automatically is enabled then the domain, the user and this
user’s group including the directory structure, are created automatically (as
shown below) when a user is logging from the external LDAP.
Figure 14: HOB EA Administration – External LDAP Domain Hierarchy
7.
At this stage the users still get the error message No role assigned as they
have not yet been assigned roles. So now you assign a role to the users and
then assign them configurations.
8.
When you do both of these configurations using Groups, the users that are in
these groups can logon immediately.
9.
If, in the HOB EA Admin and in the roles of the HOB WSP only groups are used,
you can adjust the user’s rights in the external LDAP at a later time by adding
the user to or removing them from specific groups.
10. Now, when the Create User Automatically is activated, the group
membership is checked not only when users initially logon, but it is checked
again at every subsequent logon.
7.4
Using RADIUS Access Servers as the Authentication
Service
Remote Authentication Dial-In User Service (RADIUS) is a standard networking
protocol that provides centralized authentication, authorization, and accounting
management for computers to connect and use a network service. It is often used
to manage access to the Internet or internal networks, wireless networks, and
integrated e-mail services.

Used in conjunction with an external directory service;
In this scenario the integrated directory service is not involved. The
113
Multi-Tenancy
HOB RD VPN
HOB RD VPN administrator has to provide the necessary credentials for the domain (a RADIUS-based authentication service and a directory service-based
configuration service) in the WSP configuration file. This can be done in the WSP
configuration.

Used in conjunction with the integrated directory service;
In this scenario a new domain component under dc=root is created. The name
is the same as the domain name in the WSP configuration.
Figure 15: Default Directory Structure with RADIUS
7.4.1 Configuring HOB RD VPN for RADIUS
To use RADIUS authentication in HOB RD VPN you have to configure a RADIUS
domain and a RADIUS server in the HOB WebSecureProxy configuration. The
following configuration steps show the configuration of RADIUS in HOB RD VPN.
1.
114
Open the HOB RD VPN WebSecureProxy configuration program as shown in
the previous section, Section 7.2.3 Configuring an Integrated Directory Service
on page 104.
HOB RD VPN
2.
Multi-Tenancy
Expand the Domains knot of the left-hand tree and click the Radius item.
Figure 16: WSP Configuration - Adding a Radius Domain
3.
Click the Add button at the bottom of the screen to create a new Radius domain
and enter a name of your choice, for example Radius Domain.
Figure 17: Configuring a Radius Domain
The following fields can be found on this screen:


Name – insert the name to be given to this server here.
Global Settings - the fields that can be found in this panel are:
115
Multi-Tenancy

HOB RD VPN
Enable MS-CHAP-V2 (Microsoft Challenge Handshake Authentication Protocol
Version 2) – this is an authentication protocol for a PPP connection between a
computer with a Microsoft Windows operating system and a network Access
Server. Check this box to use this protocol and strengthen the security of the
connection, otherwise the standard protocol used by your network for tunnel
transmissions is used by default.
Before you check this box you must ensure that the RADIUS server also
supports this protocol






Character set – in this panel you specify the character set to be used for connections with this server. There are two dropdown boxes here:
Filter name - select from this dropdown box the alphabetical group of names
containing the character set you wish, or select All to select from the complete
list.
Name - select from this dropdown box the name of the character set you wish to
use, for example UTF-8, ANSI-819, etc.
Timeout – this holds the allowable time in seconds before a connection will be
closed if there is no reply. The default is 30 seconds.
Retry after Error – this sets the amount of time in seconds to wait following an
error until a reconnection may be attempted. The default is 120 seconds.
Comment – you may enter a comment to any user of this server here.
Click File > Save in the main menu to save the data entered here.
4.
Click the new Radius Domain item and then the Add button to create a new
Radius server.
Figure 18: Configuring a Radius Server
116
HOB RD VPN
5.


Enter the values that specify this Radius server in the following fields on this
screen and how to connect it:
Name - enter a name of your choice for this server, for example Radius Server.
Use Network Adapter – select the network adapter to be used for the connection with this Radius server from the dropdown box.

Host IP Address – enter the IP address of the Radius server.

Port – enter the port under which the Radius server is available.



Multi-Tenancy
Use same shared secret – this checkbox is active only if you are configuring a
cluster installation. When configuring a cluster, leave the checkbox enabled if
you want to use the same shared secret for all members of the cluster. If you disable this checkbox a list appears where you can enter different shared secrets
for each member of the HOB RD VPN cluster.
Shared Secret – the RADIUS protocol requires the use of a shared secret – a
text string that is available only to the RADIUS client (HOB RD VPN in this case)
and the Radius server against which it authenticates.
Comment – This field can be used to enter comments for this Radius server.
7.4.2 With External LDAP
RADIUS Access servers are used specifically for authentication, they are not used
for configuration storage. HOB RD VPN allows for the use of external LDAP servers
and domains that can be used for configuration storage. When RADIUS is used for
authentication with HOB RD VPN, as soon as the user is authenticated by the
RADIUS server the configuration for that user is pulled from the configuration
storage of the external LDAP, based on the unique username of that user. In this
case the configuration for the users may be created automatically based on the
group membership of that user, or it must be create manually for that user.
7.4.3 With Integrated LDAP
When an external authentication service is used (in this case RADIUS), the
HOB RD VPN integrated LDAP may be used. There are two variations:


With Create User Automatically – when this functionality is activated, on the
authentication of a user by RADIUS when logging into HOB RD VPN, the user is
created automatically by HOB RD VPN in the internal LDAP and can be modified
later by the administrator. Configurations that are not inherited can be created
after the first login of the user.
Without Create User Automatically – if this functionality is not activated, on the
authentication of a user by RADIUS when logging into HOB RD VPN, the configuration for that user is pulled from those created by the administrator and stored
in the integrated LDAP. The user and the configuration of this user must be configured by the administrator before the user logs in for the first time.
117
Multi-Tenancy
HOB RD VPN
Figure 19: Adding a Radius Domain with Integrated LDAP
This dialog has the following fields in the Authentication Service panel:



Type – select Radius from the dropdown box.
Name – this is the name of this authentication service, it is given the name Radius Domain by default, and cannot be edited.
Display Name – this holds the name under which this particular domain is identified if there is more than one domain operating from the same base configuration.
This dialog has the following fields in the Configuration Storage panel:

Name – this holds the name of this storage.

RDN Base – this holds the base domain configuration. This cannot be edited.

Domain Administrators Group DN – this field has to specify a group object (not
an OU) where all domain administrators are members. All members of this group
are allowed to change the configuration of other users within the same domain.
The following are the fields in the Administrative Account panel:




118
DN – this holds the DN for the administrator of this domain. This administrator
user is used in the background to change the configurations if a domain administrator uses the HOB EA Administration. It is also used when a user changes
their own configuration (if the user has permission to do this).
Password – enter a password for this account here.
Create User Automatically – check this box to enable you to automatically create a user. These following fields are also in this panel:
Default group - enter the default group to be used for users created automatically here
HOB RD VPN

Multi-Tenancy
Default tree RDN - here you enter the tree RDN for this automatically created
user
Click Add to save the data and clear the fields to enter new data, Add & Close to
save this data and close this dialog, or Cancel to close the dialog without saving.
7.5
Using Kerberos as the Authentication Service
Kerberos is a computer network authentication protocol that works on the basis of
issuing identity tickets for nodes (both client and server side nodes) communicating
over a non-secure network to allow them to prove their identity to one another in a
secure manner.


Used in conjunction with an external directory service:
In this scenario the integrated directory service is not involved. The Administrator
of HOB RD VPN has to provide the necessary credentials for the domain (a Kerberos-based authentication service and a directory-service-based configuration
service) in the WSP configuration file. This can be done in the WSP configuration.
Used in conjunction with the integrated directory service:
In this scenario a new domain component under dc=root is created. The name
is the same as the domain name in the WSP configuration.
119
Multi-Tenancy
HOB RD VPN
Figure 20: Default Directory Structure with Kerberos
7.5.1 Configuring HOB RD VPN for Kerberos
To use Kerberos authentication in HOB RD VPN you have to configure a Kerberos
domain and a Kerberos server in the HOB WebSecureProxy configuration. The
following configuration steps show the configuration of Kerberos in HOB RD VPN.
120
1.
the earlier section, Section 7.2.3 Configuring an Integrated Directory Service
on page 104.
2.
Select the Domains element of the left-hand tree and select the Kerberos
item.
HOB RD VPN
Multi-Tenancy
Figure 21: WSP Administration - Adding a Kerberos Domain
3.
Click the Add button to create a new Kerberos domain, the following screen is
shown:
Figure 22: Configuring a Kerberos Domain
The fields on this screen are as follows:

Name – here you must enter a name to be given to this domain, for example
Kerberos Domain.
These fields are in the Global Settings panel:

Comment – here you insert a comment to be seen by the users of this domain
121
Multi-Tenancy





4.
HOB RD VPN
Default Realm – this holds the name of the realm that is the default for this configuration.
Clock Skew – here you enter a value for the amount of seconds the clocks of
the two communicating machines are allowed to diverge from each other, and
still be authenticated. The default is 300.
Ticket Lifetime – enter here the length of time in seconds that this ticket will be
valid for authentication purposes.
Renewable Lifetime – enter here the length of time in seconds that a ticket can
be renewed to continue a single session.
Allow Initial Ticket – check this box to allow the initial Kerberos ticket to be used
for subsequent connections to this server.
Select the new Kerberos Domain item from the Domains element of the tree
and click Add to create a new Kerberos server.
Figure 23: Configuring a Kerberos Server
5.

Enter the values that specify this server in the tab and how to connect it.
Name – enter a name of your choice for this server, for example Kerberos
Server.




122
IP Address – enter the IP address of the Kerberos server in this field.
Port – enter the port under which the Kerberos server is available. The default
is port number 88.
Timeout – this field holds the time in seconds before an authentication attempt
is automatically failed. The default is 60 seconds.
Retry After Error – here you tell the server the delay in seconds to wait before
authentication can be attempted again following a failure. The default period is
120 seconds.
HOB RD VPN


Multi-Tenancy
Maximum Ticket Size – here you enter the maximum allowable size in bytes for
a Kerberos ticket. The default is 2048 bytes.
Maximum Sessions – enter here the maximum number of concurrent sessions
that can run on the Kerberos server at any one time. The default is 10 sessions.
7.5.2 With an External LDAP
Kerberos servers are used specifically for authentication, they are not used for
configuration storage. HOB RD VPN allows for the use of external LDAP servers
and domains that can be used for configuration storage. When Kerberos is used for
authentication with HOB RD VPN, as soon as the user is authenticated by the
Kerberos server the configuration for that user is pulled from the configuration
storage of the external LDAP, based on the unique username of that user. In this
case the configuration for the users may be created automatically based on the
group membership of that user, or it must be created manually for that user.
7.5.3 With an Integrated LDAP
When an external authentication service is used (in this case Kerberos), the
HOB RD VPN integrated LDAP may be used. There are two variations:


With Create User Automatically – when this functionality is activated, on the
authentication of a user by Kerberos when logging into HOB RD VPN, the user
is created automatically by HOB RD VPN in the internal LDAP and can be modified later by the administrator. Configurations that are not inherited can be created after the first login of the user.
Without Create User Automatically – if this functionality is not activated, on the
authentication of a user by Kerberos when logging into HOB RD VPN, the configuration for that user is pulled from those created by the administrator and
stored in the integrated LDAP. The user and the configuration of this user must
be configured by the administrator before the user logs for the first time.
1.
the earlier section, Section 7.2.3 Configuring an Integrated Directory Service
on page 104.
2.
Select the Domains element of the left-hand tree and click Add on the right of
the screen to add a new Kerberos domain.
123
Multi-Tenancy
HOB RD VPN
Figure 24: Adding a Kerberos Domain
This dialog has the following fields in the Authentication Service panel:


Type – select Kerberos from the dropdown box.
Name – this is the name of this authentication service, it is given the Kerberos
Domain name by default, and cannot be edited.


Display Name – this holds the name under which this particular domain is identified if there is more than one domain operating from the same base configuration.
Use as default - check this box to use this authentication service as the default
service
The Configuration Storage panel has the following fields:

Name – this holds the name of this storage.

RDN Base – this holds the base domain configuration. This cannot be edited.

Domain Administrators Group DN – this field has to specify a group object (not
an OU) where all domain administrators are members. All members of this group
are allowed to change the configuration of other users within the same domain.
The following are the fields in the Administrative Account panel:



124
DN – this holds the DN for the administrator of this domain. This administrator
user is used in the background to change the configurations if a domain administrator uses the HOB EA Administration. It is also used when a user changes
their own configuration (if the user has permission to do this).
Password – enter a password for this account here.
Create User Automatically – check this box to enable you to automatically create a user.These following fields are also in this panel:
HOB RD VPN


Multi-Tenancy
Default group - enter the default group to be used for users created automatically here
Default tree RDN - here you enter the tree RDN for this automatically created
user
Click Add to save the data and clear the fields to enter new data, Add & Close to
save this data and close this dialog, or Cancel to close the dialog without saving.
7.6
Kerberos Single Sign-on
This setting allows the use of the Kerberos Single Sign-on (a standard computer
network authentication) protocol to allow nodes communicating over a non-secure
network to prove their identity to one another in a secure manner. It provides mutual
authentication - both the user and the server verify each other's identity through the
use of Kerberos Tickets. With this feature a user logs on once to the network
through an initial system log in and gains access to all systems on that network
without being prompted to log on again to each of them.
Additional software applications requiring authentication (e-mail clients, wikis,
revision control systems, etc.) use the ticket-granting ticket to acquire service
tickets that prove the identity of the user to the e-mail server, wiki server, etc.
without prompting the user to re-enter credentials.


In a Windows environment your logon fetches the Kerberos ticket-granting ticket
(TGT). Directory service-aware applications fetch service tickets, so the user is
not prompted to re-authenticate.
In a UNIX/Linux environment your logon via Kerberos fetches the TGT, which is
stored within the HOB WSP. Kerberized client applications such as Evolution,
Firefox, and SVN and many other use service tickets, so the user need not reauthenticate.
The Kerberos protocol uses Port 88 by default.
7.7
HOB LDAP Scheme Extension
Storing HOB specific data with an element requires certain HOB object classes to
be available for certain LDAP elements. The HOB LDAP Scheme Extension allows
you to define and expand on the attributes and classes used in your directory
services. The existing set of classes and attributes provided by HOB are sufficient
for most applications. However, the scheme is extensible, which means that you
can define new classes and attributes.
As an LDAP Scheme Extension is a security critical operation, it usually
requires certain administrator rights on the server systems.
You can find all necessary information on the HOB LDAP Scheme Extension in
Chapter 38 HOB LDAP Scheme Extensions.
The HOB LDAP Scheme Extension can be used with the following LDAP systems:

To use the HOB LDAP Scheme Extension for Microsoft Active Directory see
Section 38.1 Scheme Extension for Microsoft Active Directory
125
Multi-Tenancy



HOB RD VPN
To use the HOB LDAP Scheme Extension for OpenDJ see Section 38.2 Scheme
Extensions for OpenDJ
To use the HOB LDAP Scheme Extension for OpenLDAP see Section 38.3
Scheme Extensions for OpenLDAP
To use the HOB LDAP Scheme Extension for IBM SecureWay Directory Server
see Section 38.4 Scheme Extensions for IBM SecureWAY Directory Server
If you have any difficulty in executing the LDAP scheme extension according to the
instructions given under the above referenced links (for example due to conflicting
versions), you can always insert the HOB specific object classes manually.
126
HOB RD VPN
8
Roles and Users
Roles and Users
HOB RD VPN is a software solution that configures the many different resources
(servers, clients, applications, etc.) of your enterprise to work together with optimum
efficiency. HOB RD VPN organizes these resources into roles (Administrator,
Power User and User are the names of the three default roles preconfigured by
HOB RD VPN, you can define, configure and use other roles according to the
demands of your enterprise), and it is the membership of these roles that
determines when and how the individual resources of the system are best
employed. Roles can be placed in groups, and the properties of the group can be
inherited by all the members of that group.


A Role in HOB RD VPN can be defined as the set of permissions and functions
assigned to the users of HOPB RD VPN.
A User in HOB RD VPN can be defined as the staff members of your enterprise
and your business partners who are allowed use the resources of your network
and access your company data.
The resources in your system can be assigned to any role at any time by being
configured for multiple roles or groups. The role that then governs that resource is
determined by the priority that is assigned to that role.
HOB RD VPN contains an integrated directory service user database to manage
the users, but any already established directory service that is used in your
enterprise can easily be combined with HOB RD VPN to administer the users and
resources in your network.
All roles and users must be configured:

In the HOB RD VPN Administration interface

In the HOB WebSecureProxy
It is the responsibility of the server administrator to ensure that all users
have received the required instruction in the correct use of this product.
Please refer to Chapter 30 HOB RD VPN Evaluated for Common Criteria
for more information on this topic.
To satisfy the needs of the evaluation for Common Criteria, only a role with
similar access rights as set for the default role "User" can be used as a
standard for your users.
8.1
Configuring Roles and Users in
HOB WebSecureProxy
To configure Users and their roles in the HOB WebSecureProxy you need to open
the HOB RD VPN administration portal. The HOB administration portal is opened
as described here:

As a domain administrator, open a browser and logon to HOB RD VPN. When
the HOB Navigation Screen opens click the User Configuration link. You will
need to authenticate again when the HOB EA Administration program opens.
127
Roles and Users
HOB RD VPN

Or you can go to the Start Menu of your workstation (for example if it is a Windows 7 workstation), click on the Start Menu of your workstation and then click
the application button (shown here) HOB EA Administration.
HOB EA Administration icon

As a global administrator, open a browser and logon to HOB RD VPN. In the
global administrator navigation screen select EA-Admin (the user configuration
interface) and the administration portal opens directly. You will need to authenticate again when the HOB EA Administration program opens.
Figure 2: HOB EA Administration
From this screen you can select the WebSecureProxy blue object from the right
hand panel as shown above, then click the Configure button at the bottom, as in
this screen:
128
HOB RD VPN
Roles and Users
Figure 3: HOB EA Administration - Configure WebSecureProxy
This brings the main configuration tool for HOB RD VPN, the HOB
WebSecureproxy interface, on screen, as shown here:
Figure 4: HOB WebSecureProxy Configuration
Once the WSP Administration portal has opened, select the element Roles from the
organization hierarchy on the left. There are three defaults settings here (User,
Power User and Domain Administrator) for initial use, but these may be edited as
you wish. You may also define as many as you wish according to the conventions
of your company. Use the Add and Remove buttons at the bottom of the
organization hierarchy on the left to add or remove roles in the organization, or
select from the list of roles here the role you wish to configure. The examples shown
below are for a standard User Role.
129
Roles and Users
HOB RD VPN
In the Settings screen (see Home below) there is the Name text field where you
enter the name of the role you are configuring, and there are two tabs, as follows:

Requirements

Privileges
8.1.1 Configuring Roles – Requirements Tab
The Requirements tab holds required settings for the role. Under HOB WSP >
Requirements there is a tab field containing the following two sub-tabs:

General

Members
Requirements – General Tab
This screen shows the General tab under HOB WSP > Roles > Requirements:
Figure 5: Roles - Users - Requirements - General
Here you can enter the following information for this role:


Compliance Check – select the desired Compliance Check from the list of available configured compliance checks in the dropdown box. See Chapter 25 HOB
Compliance Check more information on this subject.
Priority – this is the priority from 1 (lowest importance) to 100 (highest importance) assigned to this compliance check. Each role or user can be subject to
multiple compliance checks depending on the desired and allowed access settings, and each check can be assigned a specific priority value. The check with
the highest priority is assigned to the user on logon.
Requirements – Members Tab
This tab shows the servers, each shown on a separate sub-tab, holding the
configuration of this role, making access to this server by those of your users with
this role possible. In the example shown here the User role is a member of the
130
HOB RD VPN
Roles and Users
rdvpn and Internal LDAP servers, as shown by the names of the sub-tabs below
the Members tab.
Figure 6: Roles - Users - Settings – Requirements - Members
These buttons are on the Settings tab and allow you to do the following:

Add – use this button to display the following popup where you can use to add
a new membership for all users with this role.
Figure 7: Roles - Select Members
In this popup you use the buttons at the bottom to make your selection, and you can
use the Search filter at the top right to help locate a specific attribute for a user
configuration you wish to select.


Edit – click this to display a popup (identical to the Add Member popup shown
above) where you can edit the membership that has been selected.
Remove – use this button to remove the selected membership for the list.
131
Roles and Users
HOB RD VPN
8.1.2 Configuring Roles – Privileges Tab
The Privileges tab holds the access permissions for the user. Under this tab there
are five sub-tabs:

Properties

Portlets

Server Lists

Target Filters

User Settings
Privileges Tab – Properties
Using this tab you can assign the following settings for the user when logging on to
the selected role:
Figure 8: Roles - Users Privileges - Properties




132
GUI Scheme – here you can decide on the font color of the user portal and navigation screens, and whether the banner is shown.
Page After Login – here you set the page the user sees as default directly after
a successful login.
Minimum Idle Time (min) – set the amount of time in minutes the session can
remain idle before it is timed out and closed. The default time is 30 minutes.
Maximum Relogin Time (min) – here you set the maximum allowable time the
session can be open before the user must login again to keep the session open.
The default time is 480 minutes.

Browser caching – check to allow caching of browser use for this role.

Login Cookie - check to allow the cookies for the login page to be stored.
HOB RD VPN
Roles and Users
Privileges Tab – Portlets
Here you can determine the portlets or the links to the functionality of HOB RD VPN
that are to be available to each role. Portlets are assigned to each user according
to the role that has been assigned to each user.
Figure 9: Roles - Users Privileges - Portlets
The buttons to the right of the Portlets tab allow you to do the following:
Add... - use this button to add a new portlet (enter the name and the
state, whether opened or closed) for all users with this role.
Edit... - this button lets you open the selected portlet for editing.
Remove - this button allows you to remove the selected portlet from
the list.
Up – allows you to set the order in which the portlets appear on the
navigation screen for this role, moving the selected portlet up.
Down – allows you to set the order in which the portlets appear on
the navigation screen for this role, moving the selected portlet down.
Privileges Tab – Server Lists
Here you set which server lists are available for access by the users assigned to
this role. A server list is created as the target for each Outgoing Connection that you
configure. The server lists shown in the panel in the following screen are all defaults
created by HOB RD VPN.
133
Roles and Users
HOB RD VPN
Figure 10: Roles - Users - Privileges - Server Lists
The buttons on the Server List tab allow you to do the following:

Check All – this selects all available server lists shown in the server list panel.

Clear All – this deselects all available server lists.
Privileges Tab – Target Filters
Here the target filters that are to be assigned to the role can be selected. A Target
Filter is an extra security feature that restricts the user from accessing targets that
have not been configured by the administrators (e.g. unauthorized Internet sites).
Target Filters are created by selecting Target Filters in the organization hierarchy
and using the Add button. For more information see Chapter 26 HOB Target Filters.
Figure 11: Roles - Users - Privileges - Target Filters

134
Target Filter – select the target filter to be used for this role from the list in the
dropdown box of target filters that have already been configured.
HOB RD VPN
Roles and Users
Privileges Tab – User Settings
Under this tab you can assign the bookmarks and other settings for all of the users
that are to be assigned this role.
Figure 12: Roles - Users - Privileges - User Settings





8.2
Bookmarks for WebServerGate – check to activate Web Server Gate bookmarks for this role. See Chapter 17 HOB RD VPN Web Server Gate – Intranet
Access for more information.
Bookmarks for WebFileAccess – check to activate Web File Access bookmarks for this role. See Chapter 19 HOB RD VPN Web File Access for more information.
Bookmarks for Sessions – check to activate bookmarks for the Sessions you
wish to open for this role. See Chapter 10 Remote Desktop Computing using
HOBLink J-Term/JWT for more information.
Desktop-on-Demand Configuration – check to enable the Desktop-on-Demand configuration for this role. See Chapter 12 HOB RD VPN Desktop-on-Demand for more information.
Other Settings – check to allow other settings for this role.
Configuring Roles and Users in HOB RD VPN Administration
In the HOB RD VPN administration interface you can review and manage the
settings and values of each element of the configuration for each role and user
individually. This can be done through the HOB RD VPN administration interface
using the Properties and Configure buttons. These buttons are found at the
bottom of the HOB RD VPN administration interface.
135
Roles and Users
HOB RD VPN
At the bottom of the HOB RD VPN administration interface you can also find the
dropdown box where you select the part of the database that you want to access for
editing, whether User Settings, Utilities, the HOB WebSecureProxy, and so on:
use this button to display the properties of the
selected resource
use this to open the configuration tool for the selected
resource
use the arrow on the left of this dropdown box to select
the part of the database to be edited
Go to HOB EA Administration and select a domain resource that you wish to
manage.
Figure 13: HOB EA Administration Start
Select a domain (in this example two domains, dc=hobsoft and dc=internal, are
shown) and then select an object from within the selected domain. Here the object
ou=users was selected. Now select an element within this object, for example
cn=user1, and click the Properties button. In the dialog that appears you can see
the full name of this object in the title bar. In the dialog itself there are two tabs,
Properties and Membership, containing the data stored for the domain resource
(for example cn=user1) that you have selected. Use this dialog to edit or update the
selected resource.
136
HOB RD VPN
Roles and Users
Figure 14: HOB RD VPN Domain Administration - Properties


Account – this holds the name of the resource you wish to see.
Set the password – check so that you, as the administrator, bring up a dialog
where you set the logon password that must be used by this user.
Click the LDAP Details button to see the directory service entry for this resource,
and the following dialog is displayed.
Figure 15: HOB RD VPN - LDAP Attribute Details
Here you can see the Attribute Name and Attribute Value currently stored in the
configuration storage for this resource, cn=user1.
use this button to add another attribute
use this button to remove a selected attribute
use this button to edit the selected attribute
use this button to close this dialog, saving any changes to this resource
137
Roles and Users
HOB RD VPN
The Membership tab allows you to manage the memberships that belong to the
user resources in this domain:
Figure 16: HOB RD VPN Domain Administration Properties Membership
Here you see each membership for this resource. Use the Add Membership and
Delete Membership buttons to add your users and objects to groups, or delete
memberships that are no longer suitable for this resource. The OK button saves any
changes and closes this dialog, the Cancel button closes the dialog without saving
the changes.
For more information on how to create a new user, group or administrator,
please see Section 6.3 Creating a New Global Administrator.
8.3
Configuring HOB RD VPN 2.1
HOB RD VPN allows you configure many elements of the resources in your
network and gives you the flexibility to adapt HOB RD VPN to your requirements
and those of your company and policies. What you can configure depends on the
elements currently selected in your hierarchy. For example, User Settings can only
be configured if an element of type User is selected, the WebSecureProxy can be
configured only if an element of type Object is selected. Select the resource area
to configure from the dropdown box (see the following figure) and click Configure.
138
HOB RD VPN
Roles and Users
Figure 17: HOB EA Administration - Configure
The resources of HOB RD VPN can be configured according to the following areas:

HOB RD VPN 2.1

Sessions

Utilities
8.3.1 Configuring HOB RD VPN 2.1
Under this heading, the settings for HOB RD VPN can be configured. The settings
that can be configured here are as follows:

User Settings

HOBPhone

HOBLink JWT

WebSecureProxy blue

WSP Universal Client
Configuring User Settings

Under User Settings you can create bookmarks, configure Desktop-on-Demand, create Personalized IP addresses and more. To edit a User, for example,
select User Settings from the dropdown box and click Configure. The following
screen shows the settings that can be configured for the element of the default
Hobsoft domain: ou=users,dc=hobsoft,dc=root.
139
Roles and Users
HOB RD VPN
Figure 18: HOB RD VPN - User Settings Configuration
Select the setting from the list on the left to which you wish to add and click the Add
button at the bottom. This opens the specific dialog page for that element. Elements
that have already been added for this user are shown in the panel on the left and
can be freely selected from there for further editing or removal.
Use the Save button at the bottom of the screen to save your changes and continue,
and the Close button to finish making changes and exit when you are finished with
the User Settings dialog. These are standard buttons on each screen of this portal.
Bookmarks – WebServerGate
A bookmark is a locally stored Uniform Resource Locator (URL) to a required or
requested internet resource.
Following a successful logon, the initial Welcome page contains the bookmarks
within the portlets that are configured here. These bookmarks give the users access
to web applications and the company intranet to use the links to the features and
applications for which they have access rights and permissions.
Make sure that the WebServerGate portlet is added to the specific role of
the selected user.
140
HOB RD VPN
Roles and Users
Figure 19: HOB RD VPN - User Settings - Bookmarks
From this screen select the Bookmark element WebServerGate and click Add. You
will see the following screen:
Figure 20: HOB RD VPN - User Settings Bookmarks - Web Server Gate

Name – Enter a name for the bookmark here.

URL – enter the desired URL here.
Search Network - use this button to locate the URL for any desired bookmark

Up, Down – these buttons move the bookmark within the bookmark list on the
left.
Use the Save button to save any changes to this setting, use Close to close this
screen without saving any changes.
141
Roles and Users
HOB RD VPN
Bookmarks – WebFileAccess
HOB WebFileAccess enables remote access to file servers, and the path, a locally
stored Uniform Resource Locator (URL), used for this access can be stored as a
bookmark for ease of use. To configure a WebFileAccess bookmark, select the
element WebFileAccess from the User Settings screen and click Add to bring up
the following screen:
Figure 21: HOB RD VPN - User Settings Bookmarks - Web File Access

Name – enter a name for the bookmark here

URL – enter the desired server name of file share name here

Use Credentials - enable this checkbox to make users of this bookmark authenticate themselves to receive access

Username - enter the username to be used for access with this bookmark

Password - enter the password that matches the above entered username

Confirm Password - enter the password to confirm

Up, Down – these buttons move the bookmark within the list of configured bookmarks
Make sure that the WebFileAccess portlet is added to the specific role of
the selected user.
142
HOB RD VPN
Roles and Users
Desktop-on-Demand
The Desktop-on-Demand feature allows you to connect, not only to servers in your
network, but also to user-specific workstations within your network that you
currently have access rights to. Desktop-on-Demand operates by using the Host IP
address of the target workstation belonging to a specific user. The MAC address of
the user workstation is required when the Wake-on-LAN feature is also to be
activated.
For more information about this feature see Chapter 12 HOB RD VPN Desktop-onDemand. To set up a Desktop-on-Demand portal, select the Desktop-on-Demand
element in the list on the left of this screen and click Add. This brings up this screen:
Figure 22: HOB RD VPN - User Settings - Desktop-on-Demand

Name – here you enter the name of the Desktop-on-Demand setting.

Host IP Address – enter the IP of the computer to be connected to in this field.

MAC Address – enter in this field the MAC address of the computer to be woken.
Search - use this search button to fetch the MAC address of the specified
machine and enter it into the MAC address field. This functions only when
a valid IP address has already been entered above



Port – this is the port to be used for the Desktop-on-Demand connection. The
default port number is 3389.
Delay (sec) – enter the time allowed in seconds for the desired machine to be
woken before the attempt is considered a failure.
Test the Current Settings – use this button to test the entered settings are correct and the desired machine can be woken on demand.
143
Roles and Users
HOB RD VPN
Personalized IP Addresses
The User Settings screen also lets you manage specific IP addresses for HOB
PPP Tunnel Endpoints and the HOB SSL Identifier.
Figure 23: HOB RD VPN - User Settings - Personalized IP Addresses
In this screen, select the element you wish to configure and click Add.
Tunnel Endpoints
When creating a secure HOB PPP Tunnel, IP addresses must be specified here as
the possible endpoints for the connection. These virtual addresses are the only
ones visible inside the network where the target server resides, acting as the
internal endpoint of your PPP Tunnel. These specified endpoints must be unique
addresses in your network.
Figure 24: HOB RD VPN - User Settings - Personalized IP Addresses - Tunnel Endpoints

144
Add – use this button to add the desired IP address to the list of those available.
HOB RD VPN

Roles and Users
Remove – use this button to remove the selected IP address from the list.
See Chapter 22 Using the HOB PPP Tunnel for Network Access for more
information about the Personalized IP Addresses feature.
SSL Identifier
The HOB SSL Identifier is a feature developed by HOB that enables the sender of
a message to be identified by a personalized IP address associated with their user
logon, rather than the IP address of the HOB WSP. You enter this specific IP
address here, and the user will then carry this IP address throughout their
connection to the network, thus remaining permanently identifiable.
Figure 25: HOB RD VPN - User Settings - Personalized IP Addresses - SSL Identifier


Add – here you add the desired IP address to the list of SSL Identifier addresses.
Each user may have multiple addresses to identify them, but each of these IP
addresses can only be assigned to one user each.
See Chapter 27 SSL Identifier for more information about this feature.
145
Roles and Users
HOB RD VPN
Messages
Under Messages you can specify any messages that you wish to be shown to the
users each time they make a logon to the system. Select the Messages element
from the User Settings screen and click Add to display the following screen:
Figure 26: HOB RD VPN - User Settings - Messages

Message – Enter the desired message in the text field. This message is displayed to the user, based on the role for which they are authenticated when they
logon to the network. The message must be entered in HTML syntax so that it
can be displayed with any desired formatting.
146
HOB RD VPN
Roles and Users
Others
This screen contains additional settings you can assign to your users. There are two
settings you can set under this heading, enabling the flyer (a floating popup) and
setting the display language that your users will see on screen.
Figure 27: HOB RD VPN - User Settings - Others
Activate the Flyer – check this box to enable the flyer.
Flyer - when activated the flyer is displayed as a floating popup on all
screens. The flyer contains two icons as follows:
Home - use this to return to the Home page of HOB RD VPN
Log Out - use this to log out of HOB RD VPN and close the program
Language – select the language for the interface from the language dropdown box.
Currently English and German are the only languages available, more languages
will be available with later releases of this product.
For more details about the following settings, see the relevant chapters:




HOBPhone – see Chapter 23 HOBPhone
HOBLink JWT (with only HOBLink JWT Stand-Alone installed) – see Chapter
11 Remote Desktop Computing using HOBLink JWT Webstart
HOB WebSecureProxy – see Section 8.1 Configuring Roles and Users in
HOB WebSecureProxy
HOB WSP Universal Client – see Chapter 24 HOB WSP Universal Client
147
Roles and Users
HOB RD VPN
8.3.2 Configuring Sessions
The following types of sessions can be configured here:
HOBLink JWT
HOBLink JWT is the RDP client application component used by HOB RD VPN to
connect client machines to any RDP capable server, including those currently
running Microsoft Remote Desktop Services, or to Microsoft Windows Desktops.
For more information see Chapter 10 Remote Desktop Computing using HOBLink
J-Term/JWT.
HOBLink J-Term
HOBLink J-Term is the multi-protocol-capable client application for accessing host
systems via SSH, VT, TN3270, TN5250, HP700 and Siemens 9750. The dialogs
here allow you to set how these terminal sessions are connected and how they
appear to the user on the client machine. For more information see Chapter 16
Terminal Emulations.
HOBLink FTP
File Transfer Protocol (FTP) is a standard network protocol used to transfer files
from one host to another host over a TCP-based network, such as the Internet. This
dialog allows you to set how your FTP session can be connected and how it
appears to the user on their client machine. For more information see Section 16.4
Configuring Telnet Targets.
HOBLink SSH
Secure Shell (SSH) is a network protocol for secure data communication, remote
shell services or command execution and other secure network services between
two networked computers. HOBLink SSH connects these two or more machines via
a secure channel over an insecure network: one machine acting as a server and the
other or others as clients that run SSH server and SSH client programs respectively.
This dialog allows you to set how the SSH session is connected and how it appears
to the user on their client machine. For more information see Chapter 15 Remote
Desktop Access using SSH.
148
HOB RD VPN
Roles and Users
8.3.3 Configuring Utilities
Under Utilities you manage the transfer of a session, along with data and settings,
from one version of the application to another, more current version. You can also
generate and maintain the authentication certificates of your users.
There are two types of utilities that can be configured here:

JWT Migration
Use this utility to migrate an older HOBLink JWT configuration to a current version
of the application.

User Certificates
This utility allows you to manage the certificates used to authenticate your users by
reviewing the information contained on the certificates, validating these certificates
and creating new certificates.
There are three tabs on this dialog:

X.509 Certificates

Certificate Identification

Create Certificate Identification
X.509 Certificates
X.509 is a security standard that specifies, amongst other things, the standard
formats for public key certificates, certificate revocation lists, and certification path
validation. In the X.509 system, a certification authority issues a certificate binding
a public key to a particular distinguished name, or to an alternative name such as
an e-mail address or a DNS entry.
This dialog displays the Subject DN and the Issuer DN. This is the information
contained in the X.509 certificate that you use to authenticate your users.
Figure 28: Utilities Administration Screen - X.509 Certificates
149
Roles and Users
HOB RD VPN
On this screen you can use the following buttons to help manage the certificates:
use this button to import a certificate into the list of X.509 certificates
required for authentication. Files for import must have one of the following
formats: Binary DER, Base 64 encapsulated DER, PKCS#7. When
importing a certificate, this button brings the following dialog on screen.
Here you select the certificate you wish to import and then click Open.
Figure 29: X.509 Certificates - Import
this button lets you export the selected certificate to another machine that
the user, authenticated on one machine, needs to use.
this shows the selected certificate in more detail, with version number,
date of issue, and more
this button allows you to delete the selected certificate
use this button to call up the HOB RD VPN Help on this topic
click to save any changes, close this dialog and return to the previous
screen
150
HOB RD VPN
Roles and Users
Certificate Identification
This dialog displays the Subject DN and the Issuer DN. This is the information about
the issuer of the certificate that you use to authenticate the certificate.
Figure 30: Utilities Administration Screen - Certificate Identification
use this to add a new certificate to those in you network
this allows you to update the selected certificate
this button allows you to delete the selected certificate
this button allows you to retrieve a certificate from the X.509 certificates
screen
151
Roles and Users
HOB RD VPN
Create Certificate Identification
This dialog displays the details about the current configuration that you can extract
to create a new authentication certificate.
Figure 31: Utilities Administration Screen - Create Certificate Identification

Include sublevels –- check this box to include all sub levels of the current configuration under the current root configuration.
click to take the required information from the selected configuration file
to create a new certificate
screen
152
HOB RD VPN
9
In any network you connect from one computer (your client computer or desktop) to
another (a target computer or a target group of computers) using RDP and other
widely used protocols. Where there are multiple target computers you need to use
servers to administer them and facilitate the connections between them.
To establish a connection to a new target you need to configure an outgoing
connection from your computer to that target. This configured connection must
contain a name for the connection to a desired target computer or target group of
computers (the group being collected together into the form of a Server List), a type
or mode of the connection, the predefined protocol to be used, and other
information to ensure that the connection is successful.
9.1
Creating a Target
To create a target, follow these steps:
1.
Open the HOB RD VPN administration interface as described in the previous
chapters.
2.
Select the object WebSecureProxy from your hierarchy.
3.
Select the function WebSecureProxy from the dropdown box at the bottom
and click the Configure button. This opens the HOB WebSecureProxy
configuration screen.
4.
Under Outgoing Connections in the hierarchy panel on the left you can see
the list of predefined targets. Select the target type you wish to configure (for
example an RDP target) and you will see the following screen:
Figure 1: Outgoing Connection - RDP Target Configuration
153
HOB RD VPN
This opening screen for configuring RDP Targets is used here as an
example, the same procedure is used for setting up other target type
connections.
5.
Now click Add to create a new target for this outgoing connection type and the
Server List screen for this target is displayed. This Server List screen enables
you to set up a list of servers that will be accessible to the users who will have
this target configured for their role.
Figure 2: Outgoing Connection - RDP Target Configuration - Server List

6.
154
Name – In this field you enter the name you wish to use for this connection to the
group of servers specified in the configured server list.
Click Add again to enter the configuration data for this target.
HOB RD VPN
9.1.1 Server Configuration - RDP Target – 1:1 Proxy Gateway Mode
This dialog screen is displayed when the 1:1 Proxy Gateway connection mode is
chosen (a direct connection from your workstation to the chosen server list).
Figure 3: Outgoing Connection - RDP Target Server Configuration - 1:1 Proxy Gateway Mode
The following information is common to all outgoing connection target types:


Name – enter the name to be used for this connection to the desired target.
Mode – you can select from the dropdown box the connection mode to be used.
The five possible modes or types of connection that can be used are:





1:1 Proxy Gateway – a connection from a specific machine to another target machine over the HOB WSP
Dynamic Proxy Gateway – a connection from a machine to another target
machine over the HOB WSP, the target machine being chosen dynamically
and not permanently configured
WTS Load Balancing – used when you have a connection to a group of machines. To use this mode you must have a number of servers already configured for load balancing that you can make the connection to. The WTS
Load Balancing module must be installed on these systems. This module is
also included in the HOB RD Selector Agent and HOB RD ES products from
HOB
VDI – a connection to virtualized desktops on a remote central server, only
available when VDI is enabled on the HOB WSP
Server Data Hook – a connection that works by intercepting functional calls,
events or messages from servers within a network (this mode is available
only when configuring Other Targets)
Each connection mode has different requirements, so the dialogs that you see
change according to the mode selected.
155




HOB RD VPN
Use Network Adapter – select from the dropdown box the network adapter to
be used. The network adapter is configured as part of the HOB WSP configuration, where you select WSP Servers > Network Adapters. An entry of Any in
this field means that the operating system decides which adapter to use. This is
the default setting.
Predefined Protocol – select from this dropdown box the predefined protocol
that is to be used for this connection, for example RDP Windows Terminal Server–HOB EXT-1. This protocol is a HOB protocol created to allow the connection
to be made.
Timeout (sec) – enter here the amount of time in seconds the client must wait
before a connection is timed out. The default setting is 600 seconds.
Protocol Plugins - in this box you select the protocol plugin that you wish to use
in this configuration. Use the Add and Remove buttons on the right to manage
the list of configured protocol plugins.
Protocol Plugins are optional software features that enhance the
functionality of the HOB RD VPN connection. They can be configured
under the Extensions element of HOB WebSecureProxy. For more
information, see Section 9.2 Configuring the RDP Hook on page 163,
Section 22.6 Configuring Dynamic NAT on page 292 and Section 22.7
Configuring the HOB TCP Tuner on page 296
The remainder of this tab contains data fields that are specific for the
connection mode that has been selected (see Mode, above)
In the example screen shown above in this section, the selected mode is 1:1 Proxy
Gateway, so the panel with this title contains the following fields where the data
required to establish a 1:1 Proxy Gateway mode connection is entered.


Host IP Address – enter here the IP address of the machine you wish to connect
to.
Host Port – enter here the port number you wish to use for the connection. For
connections using RDP this should be 3389
On the Expert Options tab for the configuration of RDP Targets, you see the
following options:
156
HOB RD VPN
Figure 4: RDP Target Server Configuration - 1:1 Proxy Gateway Mode - Expert Options






Use raw packet interface (SSL Identifier) - enable this checkbox to use the
HOB SSL Identifier feature. For more information about this feature, see Section
27 SSL Identifier on page 361
Use client side SSL - check to use client side SSL (currently disabled)
Connect to other server - check to allow a connection to a server that is not the
specified server for this configuration
Connect round robin - check to use a round robin connection process
DNS lookup before connect - check to ensure that the DNS is evaluated before
the connection is allowed be made
Nagle Algorithm - this box contains the following fields:



Overwrite default behavior - check to activate the following fields:
Disable send client - allows you to disable the client sending the communication. The dropdown box contains the options No (default), Yes and Automatic
Disable send server - allows you to disable the server sending the communication. The dropdown box contains the options No (default), Yes and Automatic
157
HOB RD VPN
9.1.2 Server Configuration - RDP Target – Dynamic Proxy Gateway Mode
This dialog screen is displayed when the Dynamic Proxy Gateway is chosen as the
connection mode. This connection type is used when your system uses a dynamic
method of connection, and does not always connect directly to a machine with a
static address, as in the 1:1 Proxy Gateway mode in Section 9.1.1 Server
Configuration - RDP Target – 1:1 Proxy Gateway Mode.
Figure 5: RDP Target Configuration - Dynamic Proxy Gateway Mode
This connection type has the following fields:






158
in this case Dynamic Proxy Gateway – a connection where the target machine
is chosen dynamically and not permanently configured - is selected.
be used. The network adapter is configured as part of the HOB WSP configuration, where you select WSP Servers > Network Adapters. The default entry of
Any in this field means that the operating system decides which adapter to use.
Predefined Protocol – this option is disabled for this connection type.
before a connection is timed out. The default is 600 seconds.
Protocol Plugins - in this box you can use the Add and Remove buttons on the
right to manage the protocol plugins that you require. This is also disabled under
this connection type.
HOB RD VPN
On the Expert Options tab for the configuration of RDP Targets under the
Dynamic Proxy Gateway mode, you see the following options:
Figure 6: RDP Target Server Configuration - Dynamic Proxy Gateway Mode - Expert Options
The options on this screen are identical to the options for 1:1 Proxy Gateway
mode, for more information see the descriptions for Figure 4 on page 157.
9.1.3 Server Configuration - RDP Target – WTS Load Balancing Mode
This dialog screen is displayed when the WTS Load Balancing connection mode
is chosen. Load Balancing is the distribution of a computer’s workload across all the
computers in a server farm, as a computer cluster, to reduce pressure on individual
machines and to increase efficiency via resource optimization.
Load Balancing is described in more detail in Chapter 10 Remote Desktop
Computing using HOBLink J-Term/JWT and also in the documentation for the
separate HOB product HOB RD ES.
159
HOB RD VPN
Figure 7: RDP Target Configuration - WTS Load Balancing Mode & Server List Connection Type
In addition to the common data fields (see above for more information), this tab also
contains the following fields that are available only under the WTS Load Balancing
connection mode:



160
Connection Type – select from the radio buttons the type of connection to be
used, either Broadcast or Server List
Broadcast port – if Broadcast has been selected, then enter the port to be used
for the broadcast here. The port 4095 is entered by default for this broadcast, and
the port has to be configured on the target systems in the valid load balancing
agents (HOB RD Balancer, HOB RD Selector Agent and HOB RD ES). For more
information see Chapter 10 Remote Desktop Computing using HOBLink J-Term/
JWT and the documentation for these components.
Server List – this field holds the list of servers and the ports configured in the
HOB VDI Agent on the system to which the connection will be directed. Use the
Browse button to select from the list of answering servers, the Add button to add
a server manually, the Edit button to changes a server entry and the Remove
button to delete a server from this list.
HOB RD VPN
On the Expert Options tab for the configuration of RDP Targets under the WTS
Load Balancing mode, you see the following options:
Figure 8: RDP Target Server Configuration - WTS Load Balancing Mode - Expert Options
9.1.4 Server Configuration – RDP Target – VDI Mode
This dialog screen is displayed when the VDI connection mode is chosen. This
connection mode provides a connection to virtualized desktops on one or more
remote central servers. This mode must be activated by first configuring the element
WSP Servers (you can configure this in the HOB RD VPN administration interface,
see above), otherwise it will not be available for selection as outgoing connection
mode.
The administrator has to install and configure the HOB VDI Agent on the
target virtual machines. See Chapter 13 Virtual Desktop Integration for
more information
161
HOB RD VPN
Figure 9: RDP Target Configuration with VDI Mode and Broadcast Connection Type
In addition to the common data fields (see above for more information), this tab also
contains the following fields that are available only under the VDI-WSP connection
mode:



162
Connection type – select from the radio buttons the type of connection to be
used, either Broadcast or Server List.
Broadcast port – if Broadcast has been selected, then enter the port to be used
for the broadcast here. The port 5090 is entered by default for this broadcast, and
the port has to be configured on the target systems in the HOB VDI Agent. For
more information see Chapter 13 Virtual Desktop Integration.
Server List – this field holds the list of servers and the ports, as configured in the
HOB VDI Agent on that system, to which the connection will be directed. Use the
Browse, Add, Edit and Remove buttons to manage this list.
HOB RD VPN
On the Expert Options tab for the configuration of RDP Targets under the VDI
mode, you see the following options:
Figure 10: RDP Target Server Configuration - VDI Mode - Expert Options
9.1.5 Server Configuration – Server Data Hook Connection Mode
This mode is used only when in particular circumstances under the
recommendation from HOB. In these cases the relevant documentation will be
made available.
9.2
Configuring the RDP Hook
The RDP Hook is a protocol plugin that you can use to perform extra operations on
an RDP communication in your network.
The RDP Hook is included in the installation of HOB RD VPN as an optional feature
that is included in the delivered software, but must be separately configured for use.
To configure a RDP Hook for the HOB RD VPN, follow these steps:
1.
Open the configuration program of the HOB WebSecureProxy.
2.
Open the Extensions > Protocol Plugins > RDP Hook scheme on the left in
the tree structure. The following tab screen is displayed:
163
HOB RD VPN
Figure 11: HOB WSP Configuration - Extensions - Protocol Plugins - RDP Hook
3.
Click the Add button at the bottom to create a new RDP Hook for this
configuration and the following screen is displayed:
Figure 12: HOB WSP Configuration - RDP Hook Settings
The fields to be configured on this screen are as follows:


164
Name - here you enter the name you want to assign to this RDP Hook configuration
Virus Scanning Service - select from the dropdown list the virus scanning service to use with this configuration
HOB RD VPN






4.
Virus Checking Maximum File Size - enter the maximum size for files allowed
in this communication, and then select from the dropdown box the byte measurement, either KB, MB or GB.
Encryption to Client - select from the dropdown box the level of encryption to
be applied to files sent to a client, either Automatic, Medium or High.
Compression to Server - select from the dropdown box the level of compression to be applied to files sent to the server, either Automatic, Yes or No.
Trace Level - enter the level of trace required for this communication
Disable Microsoft Local Drive Mapping - check this box to disable Microsoft
Local Drive Mapping
Disable HOB Local Drive Mapping - check this box to dis able the local drive
mapping feature provided by HOB
Save the configuration (Main menu > File > Save), and the RDP Hook protocol
plugin component has been configured and can be selected for use in the
configuration of targets for HOB RD VPN.
165
166
HOB RD VPN
HOB RD VPN
Remote Desktop Computing using HOBLink J-Term/JWT
10 Remote Desktop Computing using
HOBLink J-Term/JWT
HOB RD VPN is a complete software solution with many distinct components to
provide maximum functionality. This optimum level of connectivity is provided
through the HOBLink J-Term component that is delivered with the integrated
HOBLink JWT plug-in.
HOBLink JWT is the RDP client application component used by HOB RD VPN to
connect client machines to any RDP capable server including Microsoft Remote
Desktop Services or Windows Desktops, while HOBLink J-Term provides for
connectivity to legacy Terminal protocol machines.
HOBLink JWT is also available as a standalone plug-in without the
component HOBLink J-Term. For more information on this standalone
version please see Chapter 11 Remote Desktop Computing using
HOBLink JWT Webstart.
RDP is a common protocol that is used to establish connections to computers,
running under a Windows operating system, over a network connection. RDP
provides machines with a graphical interface to another computer. The RDP client
software must be installed on the client machine, while RDP server must be
installed on the server side.
10.1 Configuring HOBLink J-Term/JWT to create RDP
Connections
To configure a remote desktop connection you need to configure both the
HOB WSP and HOBLink J-Term/JWT, the remote desktop client, using the RDP
protocol. Take the following steps to configure HOB RD VPN for remote desktop
computing:
10.1.1 Configuring the WebSecureProxy
1.
Logon and start the HOB RD VPN Administration interface.
2.
Select the Servers element of your internal hierarchy and select the object
WebSecureProxy and click the Configure button.
3.
The WebSecureProxy configuration interface is displayed. Select Outgoing
Connections > RDP Targets (this is an example, the configuration of other,
non-RDP target types is essentially identical).
4.
Click the Add button to add a new RDP target, which should be a list of the
servers to be accessed by the connection you are configuring.
5.
Click Add again to add an individual server as the target for this connection,
and you can see the following screen:
167
HOB RD VPN
Figure 1: HOB RD VPN WSP Configuration Screen - Outgoing Connections - RDP Targets
See the previous Section 9.1 Creating a Target on page 153 for more detail on the
information you need to enter here. Depending on the connection mode that has
been selected, the panel at the bottom of the dialog screen changes.


Name – enter the name you want to use for this connection.
Mode – you can select from the dropdown box the connection mode to be used
for the connection to the client machine. The four possible modes or types of
connection that can be used are as follows:







168
1:1 Proxy Gateway – a direct connection from one machine to another configured machine
Dynamic Proxy Gateway - a direct connection from one machine to a dynamically selected machine in the network
WTS Load Balancing – used when you have a connection to a group of machines already configured for load balancing that you can make the connection to. The WTS Load Balancing module must be installed on these
systems
Use Network Adapter – select the network adapter to be used. The default is
Any.
Predefined Protocol – select the predefined communication protocol to be
used. The protocol that can be selected depends on the tape of target desired.
HOB RD VPN
The remainder of this tab contains data fields that are specific for the connection
mode that has been selected.
6.
Once you have entered this information, select Roles and select the role (for
example Power User) to which you want to add the desired server list.
7.
Select Privileges > Server Lists and you can see the following screen:
Figure 2: HOB WSP Configuration – Roles – Settings – Server Lists
8.
From the server lists displayed, check the required server lists (multiple server
lists may be selected) for use as the servers available to this role for a
connection.
10.2 Configuring HOBLink JWT
HOBLink JWT is the remote desktop connectivity client that is an integral part of
HOB RD VPN. HOBLink JWT uses the RDP protocol to connect to Windows
Terminal machines, place these connections into schemes, and activate these
schemes through sessions.
The HOBLink JWT Administration screen (see Figure 4 on page 170) is used to
manage the settings for each user session for their connections to the desired
targets. These dialogs allow you to configure how the remote desktop connects to
your system (sessions), and how these sessions appear to the user on the client
machine (schemes). What you configure here will be stored in the configuration
storage of this domain.
Depending on the edition of HOB RD VPN that you are using, the options
on this dialog can vary. HOBLink JWT can be provided either together with
HOBLink J-Term (for connections to Terminal operating systems) or
separately as a stand-alone installation, without the HOBLink J-Term
components. The functionality is in any case the same.
1.
169
2.
HOB RD VPN
Select the element of your internal hierarchy you want to assign this target to
and select Sessions > HOBLink J-Term/JWT (or HOBLink JWT depending
on your installation) > Configure, as shown here:
Figure 3: HOB RD VPN Administration – Configure – HOB RD VPN 2.1 - HOBLink JWT
The HOBLink JWT Administration start screen is then displayed. This screen
(shown here) takes the form of two panels:
Figure 4: HOBLink JWT Administration Start Screen
On the panel to the left is the list of sessions and schemes available to each
particular resource. On the panel to the right is a configuration tab for each selection
170
HOB RD VPN
from the left hand side. The right hand panel changes depending on the selection
made on the left.
Below these two panels, the following buttons and their functions are common to all
of the tabs on the HOBLink JWT Administration screen:








New – use this button to create a new element of the category you selected in
the list on the left
Delete – use this button to delete the selected item
Lookup – this button allows you to check the current status of the selected item
whether it is in use or idle
Cancel – use this button to close this dialog without saving any changes that you
have made
Default – use this button to restore the default settings to the selected configuration element
Verify – use this button to confirm if the changes to the session you have made
are correct and to ensure no data is missing
Close – this button saves any changes, closes this dialog and returns you to the
HOB EA Admin screen
Help – use this button to call up the HOB RD VPN Help for this topic
There are three tabs on the HOBLink JWT Administration screen:

Member Rights

Sessions Manager

True Windows Applications
10.2.1 Member Rights
On this tab you enable members of the session to have the following rights:
Figure 5: HOBLink JWT Administration - Member Rights
171


HOB RD VPN
Create JWT Sessions – check this box to allow the user to create HOBLink JWT
sessions. A session is the set of communication exchanges between two machines that comprise a conversation or dialog over a configured connection.
Create Schemes – this list contains the schemes that the user may create for
the current session. Schemes set the functionality available during a session as
well as the physical appearance of the interface being used. Check the box beside a scheme to allow users to change the corresponding configuration. You
can use the Select All and Unselect All buttons to refine your selection.
Click Close to save the changes and close this screen.
10.2.2 Sessions Manager
On this tab you manage the sessions that are available to the user.
Figure 6: Sessions Administration - HOBLink JWT Sessions Manager

Priority – here you set the priority for the session to receive a connection to the
servers.

New – Click to add a new session to those available to the user.

Delete – Use this to remove the selected session from the list.

Rename – Use this to update the name of the selected session.

Available Sessions – this shows a list of existing available sessions.

Selected Sessions – this shows those sessions already selected. Use the two
arrow buttons to select or deselect a session.
172
HOB RD VPN
10.2.3 True Windows Applications
Here you can set the applications you wish to have as True Windows applications
for your users. True Windows is a feature of HOBLink JWT together with
HOB RD ES that allows the user to experience the full functionality of using a
Microsoft Windows installation on their client machine even though the installation
is on a network machine and not on the client.
Figure 7: Sessions Administration - HOBLink JWT True Windows Applications


All applications available – check to make all applications configured on the
server farm within HOB RD ES available as True Windows. This disables the Application List field
Inherit True Windows applications from parent item – check this to automatically inherit all applications currently available to the parent item of this resource

Application List – here a list of all applications currently available are shown

Browsing Port - set the port to be used for browsing for these applications

Application – enter the name of the desired applications here
Browse - use this button to search through those applications that are
already on the system
click to add the selected application to the list
click to delete the selected application from the list
173
HOB RD VPN
10.3 Configuring a Scheme in HOBLink JWT
Schemes are used to set the functionality that is available to the user during a
session, as well as to determine the physical appearance of the interface being
used.
To open the configuration for HOBLink JWT:
1.
2.
Select the element of your hierarchy you want to create a connection for (user,
group, object, etc.) and select Sessions > HOBLink JWT > Configure, as
shown in the previous section, Section 10.2 Configuring HOBLink JWT on
page 169.
3.
Now select Schemes > Connection > New to open the configuration of a new
connection.
The following screen is displayed:
Figure 8: HOBLink JWT Administration - Schemes - Connection
Scheme Name – enter a name for this new connection.
Options for Connection Type:
Connection Type – select from the dropdown box the type of connection you want
to create under this scheme. The options are:



174
Direct – a direct connection from one computer to another
Load Balancing – a connection from one computer to a number of servers working as a server farm, with load balancing in operation
WebSecureProxy Direct – a direct connection from one computer to the
HOB WSP
HOB RD VPN


WebSecureProxy Load Balancing – a connection from one computer to the
HOB WSP, which then connects to one of the members of a server farm, and
with load balancing in operation
WebSecureProxy Socks Mode – a direct connection from one computer to the
HOB WSP and using the SOCKS protocol
Options for Server:



Choose Terminal Server at Runtime – check to enable the user to select a Terminal Server to connect to, otherwise the server named in the field Terminal
Server is used
Terminal Server – enter the name of the Terminal Server you wish to connect
to. The Browse button may be used here. The server needs to have HOB Load
Balancing installed to be listed here
Port – enter the number of the port to be used for the connection
Options for WSP Server in case of HOB RD VPN:


Prompt user when connecting – check this box to receive a prompt for the connection to the HOB WSP.
Server name – this field is active only if the Prompt User box is not selected.
Here the name of the server (that has already been configured as one of the RDP
Targets) to be used for the connection is shown
Options for Proxy:
Use Client Side Proxy – select from the dropdown box the type of proxy to be used
on the client side. The options for this are:

None – do not use a proxy on the client side

Auto Detect – use the default proxy already configured on the client side

User Defined – use your own configured proxy on the client side
175
HOB RD VPN
10.4 Configuring a Session in HOBLink JWT
Once the scheme for the connection has been configured, you need to create a
session where it can be used and then add the connection to this session.
Under Sessions you manage the connection between the users, the servers and
the applications. Here you can also specify the on screen display, the printers to be
used, how files are to be transferred, and more.
Click Sessions > New and the following screen is displayed:
Figure 9: HOBLink JWT Sessions



176
Session Name – here you enter a name for this session, such as Test Session.
Scheme Types – this is a listing of the different types of schemes that have already been configured, such as connection schemes, and can be added to this
session.
Available Schemes – this is a listing of the schemes that have been configured
for each scheme type, and can be selected as the scheme type for this session.
HOB RD VPN
10.5 Running Sessions
Once HOB RD VPN has been installed and correctly configured to suit the
requirements of your firm, you can now save the configuration and run sessions. A
session is the use of a connection to a server where you wish to work.
1.
Open the HOB RD VPN default page with a browser and logon as the newly
configured user with a connection. The HOB navigation screen opens.
2.
Under the Access to Desktops and Applications portlet you will see the
bookmark Run Sessions. Click this link to start your session.
3.
The Sessions screen opens and the session manager screen, see Figure 11
below, opens. This shows the servers to which you can connect to in this
session. Your access to these servers is determined according to the role that
has been assigned to you and how you are authenticated.
177
HOB RD VPN
Figure 11: HOB RD VPN Session Manager Screen
4.
Select the required server and a connection can then be made directly to that
server.
5.
Logon to this server over the authentication page (if required by the practice of
your firm), and you can begin your work.
Mac OS X Security Issue – Unidentified Developer Application
Following the MAC OS X security update Mac Security Update 2013-002, for those
machines running OS X v10.8.4 or higher it is no longer possible to start a
HOBLink JWT session with Java Web Start (.jnlp). This is because as all Java
Web Start (.jnlp) applications downloaded from the Internet now need to have a
recognized Developer ID. The Mac OS X system Gatekeeper will check
downloaded Java Web Start applications for such an ID and block applications from
launching when they are not properly recognized, i.e. unidentified.
In such a case the following screen is displayed:
Figure 12: MAC OS X Security Warning – Unidentified Developer
In HOB RD VPN the .jnlp file is dynamically generated on the server side.
Therefore it is not possible for HOB as the manufacturer to deliver the file with an
appropriate ID. To start HOBLink JWT in this situation, the Security and Privacy
Settings must be changed, with the command Allow applications downloaded
from to be set to Anywhere, as shown below.
178
HOB RD VPN
Figure 13: MAC OS X Security & Privacy Settings
Close this screen for the changes to take effect and HOBLink JWT can now be
started correctly and safely.
10.6 Load Balancing
Load balancing (also known as WTS Load Balancing) is the process by which
sessions can be assigned across multiple servers. Load balancing enhances the
performance of the servers, optimizing their use and ensures that no single server
is overwhelmed. Each server in the farm can be configured individually, particularly
important if the various servers do not all have the same performance capabilities.
For optimal performance, the constant evaluation of the CPU load and other
parameters on the Windows servers themselves is needed. HOB Load Balancing
evaluates up to 13 different parameters over different time durations and can be
custom tailored to fit your existing system for enhanced efficiency. The great
advantage is in the use of weighted server parameters instead of the “round robin”
method. This means the administrator can individually configure the extent of the
load on the servers within the server farm, even for very large server farms in a
load-sharing setup. There is no limitation on the number of servers that can be
monitored and balanced in this way.
The HOB Load Balancing solution also supports unexpectedly disconnected
sessions. In this case the user is reconnected to the same server on which they
were working before the session disconnected, regardless of the current load on
that server, and with no loss of data.
This basic functionality can also be extended by a powerful user management
feature such as LDAP or Microsoft Active Directory. There are no specific
prerequisites on the client side (except that the client has a Java-capable browser).
179
HOB RD VPN
For more information on this component, see the relevant documentation for the
HOB product HOB RD Selector, delivered with this optional component.
Figure 14: HOB RD ES - Server Load Information
The following are the parameters that can be used to calculate the load on the
servers:



Page File Usage – this displays the amount of memory which is transferred to
disk by the system
Paging Total, Reads, Writes – this is a combination of the Page Reads and the
Page Writes used for idle applications

Page Read – this shows the number of read pages per second

Page Write – this shows the number of written pages per second

Memory Usage – this value displays the amount of memory being used

Load of NICs – this value shows the current load of the Network Interface Cards






180
CPU Load – this value displays how much of the Central Processing Unit is being used
Number of Processes – this value displays the number of processes in progress
Number of Threads – this value shows the number of threads involved in the
processes
Load of Hard-Disks – this value displays the load on the hard-disks
Input and Output Activity – this value displays the number of requests from or
to devices
Active Sessions – this value shows the number of active sessions
Disconnected Sessions – this value shows the number of disconnected sessions
HOB RD VPN
There is also a Write Log File functionality for when you want to write a log file of
the calculation. This log file is written to <RDSA path>\BM\logs and uses the .csv
(comma separated values) format.
10.6.1 Configuring Load Balancing
When the connection mode WTS Load Balancing has been selected, you have the
option to use either a Broadcast to connect to the servers of the server farm or to
use a specific Server List of pre-configured servers to which the communication is
sent.
When creating a connection using Load balancing over a Broadcast connection
type, the following screen is shown. For a connection using the Load Balancing
mode with the Server List connection type please see Section 9.1.3 Server
Configuration - RDP Target – WTS Load Balancing Mode.
Figure 15: RDP Targets - WTS Load Balancing - Broadcast Mode
Here you can see that you need only to select the Broadcast radio button and enter
the port to be used for the broadcast.
Click File > Save to save any changes made here, and File > Close to close this
screen.
181
182
HOB RD VPN
HOB RD VPN
Remote Desktop Computing using HOBLink
11 Remote Desktop Computing using
HOBLink JWT Webstart
HOBLink JWT is the RDP client application component solution for connections to
computers running under a Windows operating system. This solution is delivered as
part of HOB RD VPN when access to legacy protocol machines (provided by
HOBLink J-Term) is not required.
HOBLink JWT Webstart delivers the same functionality for connections to any RDP
capable server including Microsoft Remote Desktop Services or Windows Desktops
as HOBLink JWT when delivered with HOBLink J-Term.
11.1 Configuring RD Computing using HOBLink JWT
To configure a remote desktop connection you need to configure both the
HOB WSP and HOBLink JWT using the RDP protocol, please proceed as follows:
11.1.1 Configuring the WebSecureProxy
1.
2.
WebSecureProxy. From the dropdown box at the bottom select the function
WebSecureProxy blue, and click the Configure button.
3. The WebSecureProxy configuration interface is displayed. Select Outgoing
Connections > RDP Targets and click the Add button to add a new RDP
target server list, which is a list of the servers to be accessed by the connection
you are configuring. Here the name Windows Terminal Servers is used as
an illustration.
4. Click Add again to add an individual server as the target for this connection.
The name Example_RDP_Server is used in the example shown here on the
following screen:
183
Remote Desktop Computing using HOBLink JWT Webstart
HOB RD VPN
Figure 1: HOB RD VPN WSP Configuration - Outgoing Connections - RDP Targets
See Section 10.1 Configuring HOBLink J-Term/JWT to create RDP Connections on
page 167 for more information on the information you need to enter here.
5.
Once you have entered the information you need to create a target, click File
> Save to save any changes made here.
6.
Now select Roles and select the role (for example PowerUser) to which you
want to add the desired server list.
7.
Select Privileges > Server Lists and you can see the following screen:
Figure 2: HOB WSP Configuration – Roles – Settings – Server Lists
184
HOB RD VPN
8.
From the server lists displayed, check the server list you have newly created
(Windows Terminal Servers) to use it as the list of servers available to this
connection.
9.
Click File > Save to save any changes made here, and then File > Close to
close this screen.
11.2 The Client Configuration Provider
The Client Configuration Provider is a feature specific to HOBLink JWT. It is a
server list dedicated to providing this particular configuration to all the clients that
require it. It is active by default.
The configuration set here is carried through for all users that are assigned for this
configuration. To disable this particular client configuration provider, you need to
edit the WSP server list itself.
Figure 3: HOB RD VPN WSP Configuration – WSP Servers - Unique Access
1.
To edit the server list select WSP Servers > Unique Access tab in the
WebSecureProxy configuration interface, and deselect (or select) the
checkbox Client Configuration Provider, as shown above.
2.
Once this server list has been deselected you can still assign configurations to
the individual roles, this must be done under the Roles configuration – see
Chapter 8 Roles and Users for more information.
3.
Click File > Save to save any changes made here.
185
HOB RD VPN
11.3 Configuring HOBLink JWT
HOBLink JWT is configured in the same manner as HOBLink J-Term/JWT as
shown in the previous chapter (please see Chapter 10 Remote Desktop Computing
using HOBLink J-Term/JWT) with only a small number of differences, described
here.
1.
If the configuration is stored on an external LDAP server, the logon to the
external LDAP in this case must be done by the Domain Administrator of
the domain that includes the LDAP server you want to access.
2.
Select the element of your internal hierarchy you want to assign this target to
and select Sessions > HOBLink JWT Webstart, as shown here:
Figure 4: HOB RD VPN Administration – Configure – Sessions - HOBLink JWT Webstart
The HOBLink JWT Administration screen for HOBLink JWT Webstart is then
displayed.
186
HOB RD VPN
Figure 5: HOBLink JWT Webstart Administration Screen
This screen takes the form of two panels. On the panel to the left is the list of
sessions and schemes available to each particular resource. On the panel to the
right is a configuration tab for each selection from the left hand side. The right hand
panel changes depending on the selection made on the left. Below these two panels
the following buttons and their functions are common to all of the tabs on the
HOBLink JWT Webstart Administration screen:

New – use this button to create a new HOBLink JWT session

Delete – use this button to delete the selected HOBLink JWT session

OK – use this button to apply the changes and to exit the configuration mode



Apply – use this button to save any changes made and continue with the configuration
Cancel – use this button to close this dialog without saving any changes that you
have made
Default – use this button to restore the default settings to the selected
HOBLink JWT session
use this Help button to call up the Help available for this topic
187
HOB RD VPN
11.4 Configuring a Session in HOBLink JWT Webstart
The HOBLink JWT Administration screen is used to manage the settings for each
user session for their connections to the desired targets. These dialogs allow you to
configure how the remote desktop connects (Sessions) and how these sessions
appear to the user on the client machine (Schemes). What you configure here will
be stored in the configuration storage of this domain.
Once the scheme for the connection has been configured, you need to create a
session where it can be used and then add the scheme connection to this session.
You manage the connection between the users, the servers and the applications
under Sessions in the hierarchy.
1.
Click Sessions > New and a popup appears where you enter a name for this
session. Now click OK and the following screen is displayed:
Figure 6: HOBLink JWT Navigation Screen




188
Scheme Name – this shows the name you have given to this session, such as
Example Session.
In the Settings tab, you have the following fields:
Active – check this to keep this session available for use when you wish to make
a connection.
Session Icon – here you select the icon to be displayed in the session list when
you start HOBLink JWT.
2.
Under this configured session name you can now configure the schemes that
are to be part of this session configuration, see the next section for more
information.
3.
Use the OK button to apply the changes and to exit the configuration mode.
HOB RD VPN
11.5 Configuring a Scheme in HOBLink JWT Webstart
HOBLink JWT allows the user to configure schemes for the current session to set
the functionality available during that session as well as the physical appearance of
the interface being used. Multiple schemes can be configured, and these schemes
can be assigned to the users based on their roles, managing the performance of
their sessions.
To open the configuration for HOBLink JWT Webstart:
1.
2.
Select the element of your hierarchy you want to create a connection for (User,
Group, Object, etc.) and select Sessions > HOBLink JWT Webstart >
Configure.
3.
In the screen that opens, select Schemes > Connection > New to open the
configuration for a new connection. Enter a name for this new connection (here
Example Connection is used) in the popup that appears and click OK.
Figure 7: HOBLink JWT Webstart Connection - Direct
This dialog is the default and shows the connection type Direct selected in the first
dropdown box on this tab.


Connection Type - select from this dropdown box that connection type that is to
be configured
Connection to Server - this group of fields allow the configuration for this connection type to be entered
The screens that you see at this point change to reflect the type of
connection selected. The lower panel of each tab in this dialog holds the
options available for the selected connection configuration type.
189
HOB RD VPN
In the following dialog the connection type WebSecureProxy Socks Mode has
been selected, giving you this screen:
Figure 8: HOBLink JWT Webstart Connection Screen
The fields you see on this screen are:


Scheme Name – this is shown above the tab field and contains the name you
have given to this connection scheme.
Connection Type – the dropdown box contains the types of connections currently available under this scheme. The available options are:





190
Direct – a direct connection from one computer to another. The connection
is made directly to the given RDP Server without the use of HOB RD VPN
Load Balancing – a connection from one computer to a number of servers
working as a server farm, with load balancing in operation. The connection
is established using the patented HOB Load Balancing mechanism without
the use of HOB RD VPN
WebSecureProxy Direct – a direct connection from one computer to the
HOB WSP. With this option HOBLink JWT connects to the HOB WSP using
SSL and requires a corresponding configuration of a direct connection in the
WSP setup
WebSecureProxy Load Balancing – a connection from one computer to
the HOB WSP, which then connects to one of the members of a server farm,
and with load balancing in operation. With this option HOBLink JWT connects to the HOB WSP using SSL and requires a corresponding configuration of a direct connection with Load Balancing in the HOB WSP setup (this
setup is currently not configurable over the HOB WSP GUI)
WebSecureProxy Socks Mode – a direct connection from one computer to
the HOB WSP and using the SOCKS protocol. HOBLink JWT connects to
the HOB WSP and the configuration of the HOB WSP controls the remain-
HOB RD VPN
ing establishment of the session. At least one RDP target needs to be configured

4.
Server List – this field contains the list of all available HOB RD VPN servers (for
example there is a server list named Test Server) and the port under which
each server list can be accessed. Use the Add, Edit and Delete buttons to manage this server list.
The screen that is displayed when the WebSecureProxy & Load Balancing
connection type has been selected is shown below. This connection type must be
selected for the WSP & Load Balancing tab to be activated, so that the following
options can be configured:
Figure 9: HOBLink JWT Connection – WSP & Load Balancing

WSP Socks Server – there are two fields in this panel:



Prompt user when connecting – This brings a prompt for the user to select
a server when making a connection. This is selected by default. If no server
is entered and this checkbox is not enabled, an error message appears
Socks server name – enter here the name of the SOCKS server you wish
to connect to. The name you enter here is the name of the server entered as
the RDP Target under Outgoing Connections in the HOB WSP configuration, see Section 11.1.1 Configuring the WebSecureProxy on page 183 for
more information.
Load Balancing (this setting only applies if either the connection mode WebSecureProxy Load Balancing or WebSecureProxy Socks Mode is in use and the
RDP target is configured to use Load Balancing) – this panel has two options:

Connect to server with least load – choose a server to accept the connection
191

5.
HOB RD VPN
Select from all responding servers – allow the user to select a server from
a list of those available for this connection
11.6 Run Sessions
Once HOB RD VPN has been installed and correctly configured to suit the
requirements of your firm, you can now save the configuration and run your
sessions. A session is the use of a connection to a server where you wish to work.
1.
Open the HOB RD VPN default page with a browser and logon as the newly
configured user with a connection. The HOB navigation screen opens.
2.
Under the Access to Desktops and Applications portlet for HOBLink JWT
you can see the sessions that are configured for this user. Click these links to
directly start your session.
Your access to the servers through these configured sessions is
determined according to the role that has been assigned to you and how
you are authenticated on the HOB WSP
192
3.
Select the required server and a connection is made directly to that server.
4.
Logon to this server over the authentication page (if required by the practice of
your firm), and you can begin your work.
HOB RD VPN
HOB RD VPN Desktop-on-Demand
12 HOB RD VPN Desktop-on-Demand
HOB RD VPN Desktop-on-Demand is a function within HOB RD VPN that enables
secure remote access to Windows workstations, even when the remote computer
has been switched off. This access is possible both over an internal LAN and over
the Internet.
When there is an active connection to the workstation the usability and functionality
is as if a user works actually at a local workstation. This means that when using
HOB RD VPN Desktop-on-Demand, as well as waking up your PC remotely, you
can:

Copy and paste between the local client and the workstation

Print on the local client via HOB EasyPrint

Output audio from the desktop PC onto the local client

Exchange data between the local client and desktop PC using integrated local
drive-mapping
HOB RD VPN Desktop-on-Demand can be used for desktop PCs running Microsoft
Windows XP, Windows Vista, Windows 7 or Windows 8.
HOB RD VPN Desktop-on-Demand needs an RDP server on the target
workstation which is not contained in the Home Editions of Windows 8, 7,
Vista or XP. This server is contained only in the Professional, Business,
Enterprise or Ultimate Editions of these operating systems.
To access Linux or Apple Mac machines using HOB RD VPN Desktop-on-Demand,
HOB offers the add-on component HOB X11Gate, which translates the X Window
protocol into RDP. To access an Apple Mac server in your network you can use the
HOB MacGate feature of HOB RD VPN, which is an RDP server for machines
running Mac OS X.
12.1 Configuring HOB Desktop-on-Demand
HOB RD VPN Desktop-on-Demand is part of the HOB RD VPN installation and is
installed preferably in the DMZ (Demilitarized Zone). This DMZ is a special sub
network set up to allow services to users outside of the local area network, such as
e-mail, web and Domain Name System (DNS) servers - the hosts most vulnerable
to attack - while protecting the rest of the network behind an intervening firewall that
controls the traffic between the DMZ servers and the internal network clients if an
intruder were to attempt an attack.
193
HOB RD VPN
Figure 1: Desktop-on-Demand Standard Deployment
The HOB RD VPN Desktop-on-Demand data is saved by HOB administration to
either the integrated directory service or the external directory service your network
is using. To save the data to an external directory service server, the corresponding
structures have to be created via a scheme extension.
12.1.1 Requirements for the Workstation PC
To integrate a workstation for HOB RD VPN Desktop-on-Demand there are 3
requirements:
1.
The target workstation must be reachable using the RDP protocol. This means
that any of the following are possible:
Microsoft Windows (not a Home edition) is installed as the operating system
on the workstation PC
Linux is installed as the operating system with HOB X11Gate also installed
Mac is installed as the operating system with HOB MacGate also installed
2.
The Wake-on-LAN function must be activated in the BIOS if you want to use
the Wake-on-LAN functionality.
The Remote Desktop function must be activated as follows:
For Microsoft Windows 8: click the Settings charm > Change PC
Settings
For Microsoft Windows 7: click Control Panel > System & Security >
Allow Remote Access > Remote Desktop > Select User
For Microsoft Windows XP & Vista: click Control Panel > System >
Remote tab, and check the Allow Users to Connect Remotely to This
Computer checkbox
12.1.2 Firewall Settings
The second (internal) firewall that separates the DMZ from the corporate network
must allow broadcasts to pass. If this requirement is not met, the information listed
in the Section 12.2 HOB Wake-on-LAN Relay applies.
194
HOB RD VPN
12.1.3 Entering Desktop-on-Demand Data
To initialize the Wake-on-LAN function of a computer that has been switched off,
you need to provide the HOB WebSecureProxy with the IP address of the computer,
the port number (which is 3389 by default) and the MAC address of its network card
in the network. This data can, together with the username and password, be read
from the desktop PC as it is saved in either the directory service holding the
configuration storage or in the XML file (wsp.xml, for more information see Chapter
36 XML Configuration for the HOB WebSecureProxy) of the HOB WSP
configuration.
The steps required to retrieve the data needed for an HOB RD VPN
Desktop-on-Demand connection are described in the Section 12.1.6 Configuring
User Settings for HOB Desktop-on-Demand.
12.1.4 Configuring the Desktop-on-Demand Data
To successfully wake client PCs via the remote desktop function, you need to
perform the following configuration steps:

Configuring HOB WebSecureProxy

Configuring User Settings

Configuring HOBLink JWT
These configuration procedures are described in the following sections.
12.1.5 Configuring the HOB WebSecureProxy for Desktop-on-Demand
1.
Start the HOB WebSecureProxy configuration program by logging on and
starting the HOB RD VPN Administration interface.
2.
Select the Servers element of the internal hierarchy and select the
WebSecureProxy object. From the dropdown box on the bottom left of the
dialog select the function WebSecureProxy blue and click Configure.
3.
The HOB WebSecureProxy configuration interface is displayed. Select
Extensions in the hierarchy structure on the left and select the extension
Desktop-on-Demand.
4.
For Use network adapter select a network adapter from the drop-down list, or
leave the default of Any.
195
HOB RD VPN
Figure 2: Desktop-on-Demand Settings
5.
Now select a Role from the Roles item of the left-hand tree, for example the
role PowerUser, and you will see this screen:
Figure 3: Desktop-on-Demand Settings of the Role
196
6.
Click the Privileges tab and in the second level the Server Lists tab.
7.
Activate the Desktop-on-Demand checkbox.
8.
Select File > Save from the menu to apply the changes.
HOB RD VPN
12.1.6 Configuring User Settings for HOB Desktop-on-Demand
1.
Start the HOB RD VPN Administration program and select the desired user in
the database.
2.
Select HOB RD VPN 2.1 > User Settings > Configure, and this screen is
displayed:
Figure 4: HOB RD VPN Administration - Configure User Settings
3.
This brings up the following screen, the start screen for HOB RD VPN
administration.
Figure 5: HOB RD VPN Administration Start Screen
4.
In the list on the left side select Desktop on Demand and you will see this
screen:
197
HOB RD VPN
Figure 6: HOB RD VPN Administration - Desktop-on-Demand Screen
5.
Now click Add to create a new configuration for HOB RD VPN
Desktop-on-Demand, which represents a target workstation. The following
screen appears:
Figure 7: Desktop-on-Demand Configuring the Data for a Workstation
6.
Enter a Name of your choice, for example Example Work Station.
7.
Enter the Host IP address, MAC address and Port under which the
workstation is accessible for RDP connections.
Click this Retrieve & Apply button to obtain and enter the MAC address.
This button works only when the remote desktop is already running. If it is
not already running, you can enter the MAC address manually.
198
HOB RD VPN
8.
In the Delay (sec) field you enter the time in seconds that HOB WSP is to wait
for a positive response from the workstation while waking it up. If this time limit
is exceeded, then the HOB WSP displays a connection failed message. The
default for this field is 180 seconds, but this may be increased if the target
computer needs more time to boot.
9.
You can use the button Test the Current Settings to determine if the data
entered is valid. This button does not attempt to make any connection.
10. Click Save to apply the data, store the settings in the database and close this
dialog.
12.1.7 Configuring HOBLink JWT for Desktop-on-Demand
1.
Start the HOB EA Administration program.
2.
Select a user or user group in right-hand panel. Right-click and select
Configure > Sessions > HOBLink JWT, as shown in Section 10.2 Configuring
HOBLink JWT on page 169.
3.
The HOBLink JWT Administration program starts. Create a new Connection
scheme by clicking Schemes > Connection and clicking the New button.
4.
Enter a Scheme Name of your choice and select a Connection Type from the
list.
Connections via HOB WebSecureProxy require either HOB
WebSecureProxy SOCKS Mode or WebSecureProxy Load Balancing
to be chosen as the Connection Type.
Figure 8: Desktop-on-Demand - JWT Scheme Settings
5.
Select the HOB WSP tab and enter Desktop-on-Demand as Server Name.
199
HOB RD VPN
Figure 9: Desktop-on-Demand - JWT Scheme Settings
6.
Click Close to apply the changes.
12.2 HOB Wake-on-LAN Relay
As discussed above HOB RD VPN Desktop-on-Demand can “wake up” remote
computers that are switched off. To do this, a “Wake-on-LAN packet” is sent over
the network from HOB RD VPN to the workstation computer.
But in many network scenarios these Wake-on-LAN packets are not able to pass
the firewalls. This problem can be solved easily by using the HOB Wake-on-LAN
Relay.
Figure 10: Desktop-on-Demand - Standard Deployment with Wake-on-LAN Relay
The HOB Wake-on-LAN Relay is a software package that has to be installed on a
server in the enterprise network. The Wake-on-LAN installation program is
contained in HOB RD VPN installation package/disc.
Wake-on-LAN packets are sent as a broadcast using the UDP protocol, but in this
standard scenario the broadcast packets may be blocked by the second, internal
200
HOB RD VPN
firewall (Firewall 2) from entering further into the internal network. The HOB WSP
can send IP Unicast packets to the HOB Wake-on-LAN Relay. The Unicast packets
can pass the firewall without problems. When the HOB Wake-on-LAN Relay
receives one of these packets it sends broadcast UDP packets into the network and
thus wakes up the target workstation.
The following sections describe how to get the HOB Wake-on-LAN Relay up and
started. The following steps are necessary:

Installing HOB Wake-on-LAN Relay

Configuring HOB WebSecureProxy
12.2.1 Installing the HOB Wake-on-LAN Relay
The HOB Wake-on-LAN Relay is a software package that has to be installed on a
server in the corporate network. This server should be permanently running to
ensure uninterrupted service.
The HOB Wake-on-LAN Relay is also available as a hardware solution.
This is a small, energy-efficient embedded Linux machine. For more
information visit the HOB Web site or contact the HOB support.
The HOB Wake-on-LAN Relay needs to be installed only once per network section.
The following steps are required to install the HOB Wake-on-LAN Relay on a server.
1.
Logon to HOB RD VPN as the global administrator.
Figure 11: HOB RD VPN Administration - Extensions
2.
Click the Extensions link in the left area of the window.
3.
Depending on the operating system of the server click the WakeOnLan Agent
for Windows or WakeOnLan Agent for Unix/Linux link - this will download
the installer package.
4.
Run the installer containing the setup program for HOB Wake-on-LAN Relay.
201
HOB RD VPN
Figure 12: HOB Wake-on-LAN Relay Installation - Introduction
5.
The setup program will guide you through the installation process.
Figure 13: HOB Wake-on-LAN Relay Installation - License Agreement
202
6.
In this screen, accept the terms of the license agreement and click Next.
7.
Now you will be asked to enter a Listen port (the port used by the
HOB Wake-on-LAN Relay to wait for data from HOB WebSecureProxy, see
Section 12.2.2 Configuring the HOB WebSecureProxy on page 204) and a
Send port (the port which HOB Wake-on-LAN Relay uses to send Wake-onLAN packages to the workstation). Enter the desired values here.
HOB RD VPN
Figure 14: HOB Wake-on-LAN Relay Installation - Configure Ports
8.
Click Next and you can set the location for the installation of the
HOB Wake-on-LAN Relay files.
Figure 15: HOB Wake-on-LAN Relay Installation - Choose Install Folder
9.
Click Install and the HOB Wake-on-LAN Relay is installed as a service. It will
be started automatically whenever you start the operating system.
203
HOB RD VPN
12.2.2 Configuring the HOB WebSecureProxy
To use the HOB Wake-on-LAN Relay the following configuration steps are
necessary in HOB WebSecureProxy:
1.
Open the HOB RD VPN WebSecureProxy configuration program.
2.
Select WSP Servers and then select the Wake-on-LAN tab in the right-hand
pane.
Figure 16: HOB WebSecureProxy - Wake-on-LAN Tab
3.
Select the Use Wake-on-LAN Relay checkbox. This activates the Add button
so that you can specify new connection data for a Wake-on-LAN Relay server.
4.
Enter a value in the Common port field if you want HOB WSP to use one
common port for all Wake-on-LAN Relays.
5.
Click the Add button to bring the Add Wake-on-LAN Relay dialog onto the
screen.
Figure 17: Add Data for Wake-on-LAN Relay
204
6.
Here you enter a value for Host IP address that specifies the address of the
server where the HOB Wake-on-LAN Relay is installed.
7.
If you do not wish to use the same port for all IP addresses in the Wake-on-LAN
Relay, then deactivate the Use common port checkbox and enter a different
port number in the Port field for this IP address.
8.
Click Add in the dialog to add these data to the list and keep the dialog open.
HOB RD VPN
9.
Click Add & Close to add these data to the list and close the dialog.
10. Click Cancel to abandon any changes and close this dialog.
11. Save the changed configuration by selecting File > Save in the menu.
205
206
HOB RD VPN
HOB RD VPN
Virtual Desktop Integration
13 Virtual Desktop Integration
HOB Virtual Desktop Integration (HOB VDI) is an enterprise-level implementation
of the Virtual Desktop technology. Instead of accessing real desktop computers this
technology offers access to virtualized desktops on a remote central server.
HOB VDI needs a current single-user operating system (SUOS) on the virtual
desktops. The operating systems Microsoft Windows 8, Windows 7, Windows Vista
and Windows XP are currently supported by HOB VDI.
Figure 1: HOB VDI Standard Deployment
In HOB VDI, your client environment moves the workload from the PC and other
devices to a data center server. This makes it easier to manage the (virtual) client
as applications and client operating environments are hosted on servers and
storage in the data center. This means you as a user can access your desktop from
any location, without being tied to a single client device. As the resources are
centralized, you can still access the same client environment, applications and data
while moving between work locations. As an IT administrator, this gives you a more
centralized, efficient client environment that is easier to maintain and respond more
quickly to the changing needs of the user and business.
13.1 HOB VDI – the Technology
HOB VDI gives SSL encrypted access to single-user operating systems. On the
client side HOBLink JWT, the Java RDP client is used to display the remote
session. On the client computer neither a local installation of software nor
administrator rights are required.
With HOB VDI there is a pool of VDI Single-User Operating Systems (SUOS). A free
SUOS is automatically assigned when a user starts an RDP client. If the connection
is interrupted, the SUOS remains in the disconnected state for a certain,
configurable amount of time and the user needs only to restart the RDP client to
automatically reconnect to the session.
HOB VDI, as compared with Windows Remote Desktop Servers, has the
advantage, that applications which are not RDP Server-capable can be used. Also,
under HOB VDI, the individual users are more isolated from each other, which is
207
HOB RD VPN
often a desirable security advantage. With HOB VDI, however, you require
considerably more hardware than with Remote Desktop Services.
13.1.1 Load Balancing Technology
HOB uses a self-developed, patented technology for load balancing for Windows
Remote Desktop Services that is also used for HOB VDI. The RDP client sends
small UDP packets to find the server and SUOS. These UDP packets can be sent
as a broadcast or, using a server list, UDP Unicast packets are sent to all servers
or SUOS (or relays, see Section 13.5 Installing HOB VDI on page 209). If there is
an available SUOS, or if a reconnect can be made, that SUOS responds with a
corresponding UDP packet. If an RDP client receives several UDP packets in
response to its load balancing request, then the RDP client can select the bestsuited server or SUOS.
13.2 The HOB VDI Agent
The HOB VDI Agent is an inherent component of the HOB VDI solution installed on
each SUOS. The HOB VDI Agent runs as a service and knows the current status of
the SUOS. The HOB VDI Agent receives UDP packets for load balancing or HOB
VDI administration and when required responds with corresponding UDP packets.
Only one person at a time can work on a SUOS. The HOB VDI Agent ensures that
a second person cannot log on to an active SUOS. A SUOS will only be released
for a connection if:

No user is logged on to the SUOS (even if the user is currently disconnected from
the session)

No user is in the process of logging on to the SUOS

A user logoff from this SUOS has been carried out
13.3 The HOB VDI Control
The HOB VDI Control is an administration tool which uses an MMC (Microsoft
Management Console) Snap-In for the HOB VDI solutions in compliance with the
standard MMC version 3. With this administration tool an administrator can query
all HOB VDI SUOS and the current state of the corresponding system. An
administrator can also use the HOB VDI Control to actively intervene in the SUOS
and force disconnection or a user logoff, or to shutdown or restart one or more
SUOS.
The HOB VDI Control tool sends UDP packets with encrypted passwords to the
HOB VDI Agent. Each SUOS has a list of valid passwords and information on
whether the password allows only queries or also active intervention in the SUOS.
Each UDP packet also has a timestamp as well as an encrypted password, which
prevents replay attacks.
208
HOB RD VPN
13.4 Requirements for HOB VDI
Requirements for the HOB VDI Agent
As a SUOS any of the following operating systems can be used:

Microsoft Windows 8

Microsoft Windows 7

Microsoft Windows Vista

Microsoft Windows XP
The SUOS can run under any virtualization software that supports this operating
system, for example products from VMware, Microsoft or Citrix.
The HOB VDI Agent has to be installed under each SUOS in the SUOS pool.
HOB VDI needs an RDP server on the SUOS, which is not contained in the
Home Editions of Microsoft Windows 8, 7, Vista or XP. This RDP server is
contained only in the Professional, Business, Enterprise or Ultimate
Editions of these operating systems.
Requirements for HOB VDI Administration Tool
The HOB VDI Administration Tool runs under any operation system that has
Microsoft .net framework 2.5 or later installed and that offers an MMC version 3
compatible Microsoft Management Console, such as Windows Vista or newer.
13.5 Installing HOB VDI
13.5.1 Installing HOB VDI Agent
The HOB VDI Agent needs to be installed on every SUOS. The following steps are
required to install the HOB VDI Agent on a SUOS.
1.
Logon to HOB RD VPN as a global administrator.
2.
3.
Click the VDI WSP link - this will download the installer HOB_VDI.exe.
209
4.
HOB RD VPN
Run the HOB_VDI.exe program, which is the setup program of HOB VDI. The
setup program guides you through the installation process.
Figure 3: HOB VDI Installation - Introduction
5.
Click Next on each page to move to the next dialog in this process.
Figure 4: HOB VDI Installation - Select Installation Type
210
6.
In the dialog Please select a setup type choose Custom and select a location
for the installation files to be saved. Now click Next.
7.
In the dialog Select Features choose HOB VDI Agent.
HOB RD VPN
Figure 5: HOB VDI Installation - Select Installation Features
8.
Click Next. Continue with the other dialogs, and finish the installation. After the
installation this SUOS is ready to be accessed from the HOB WSP as a part of
the HOB VDI.
13.5.2 Installing HOB VDI Control
The following steps are required to install the HOB VDI Control on a host or on a
PC. The HOB VDI Control needs to be installed only once.
1.
Logon to HOB RD VPN as a global administrator.
2.
3.
Click the VDI WSP link - this will download the installer HOB_VDI.exe. Continue
with the process as described in Section 13.5 Installing HOB VDI on page 209.
4.
In the dialog Please select a setup type choose Custom.
211
HOB RD VPN
Figure 6: HOB VDI Installation - Select Installation Features
5.
Now under Select Features make sure that you select HOB VDI Control. Click
Next, and finish the installation process as before.
After the installation you can view the HOB VDI Control via the Microsoft
Management Console.
13.6 Configuring HOB VDI
In order to provide access via HOB VDI for your users, you have to make some
configurations to the HOB WebSecureProxy. The next step now is to create an
outgoing connection that uses HOB VDI.
Configuring HOB WebSecureProxy for VDI
212
1.
Start the HOB RD VPN WebSecureProxy configuration program.
2.
Having done this, click the RDP Targets item under Outgoing connections in
the left-hand pane.
3.
Click the Add button to create a new entry and enter the name of the new
server list, such as VDI Server List.
HOB RD VPN
Figure 7: HOB WSP - Server List Configuration
4.
Click the Add button again to create a new scheme in this list, and the following
screen is shown. Enter the name of your choice in the Name field, for example
Example VDI Server.
5.
On the Server Configuration tab, select VDI from the drop-down list to be the
Mode. The appearance of the remainder of this tab changes depending on the
mode you select here.
Figure 8: HOB WSP - Server Configuration VDI Connection Mode

Name – enter the name to be used for this HOB VDI connection.
213




214
HOB RD VPN
Mode – select from the dropdown box the connection mode to be used. For a
HOB VDI connection only the HOB VDI mode can be chosen.
be used. The network adapter is configured as part of the HOB WSP configuration. An entry of Any in this field means that the operating system decides which
adapter to use. This is the default setting.
Predefined Protocol – select from this dropdown box the predefined protocol
that is to be used for this connection, for example RDP Windows Terminal
Server–HOB EXT-1. This protocol is a HOB protocol created to allow the connection to be made.
6.
Under Connection type you should select either Broadcast or Server List. If
your HOB RD VPN installation and the Target Servers are not in the same
network (for example the HOB RD VPN is in the DMZ and the server is in the
LAN), the use of broadcasts is not possible so you have to use the Server List.
7.
If you are using Server List, add one or more entries in the server list by using
the Add or Browse button. You can use the Edit and Remove buttons to
further refine this list.
8.
Save the settings and close the HOB WebSecureProxy configuration tool.
HOB RD VPN
Remote Desktop Access using VNC
14 Remote Desktop Access using
VNC
Virtual Network Computing is a common graphical desktop sharing system that
uses the RFB protocol to remotely control another computer through the graphical
user interfaces. VNC is platform-independent, in that a VNC viewer on one
operating system may connect to a VNC server on the same or any other operating
system. Also multiple clients may connect to a VNC server at the same time.
The HOB VNC Bridge component allows users to access their Virtual Network
Computing (VNC) desktop sharing system network using HOBLink JWT.
HOB RD VPN uses the HOB VNC Bridge component to replace the RFB protocol
in their public internet or WAN communications with the RDP protocol, resulting is
significantly improved performances. RDP has been shown to be faster than RFB
and does not require as much bandwidth. For this reason RDP should be used in
all communications in the public internet or a WAN, while RFB should be used
internally within the network. This is because the RFB protocol is designed to be
used for remote access to graphical user interfaces, and is applicable to all systems
and applications that use windows, including X11, Microsoft Windows and
Macintosh.
14.1 Configuring VNC Targets
The HOB VNC Bridge is an application that converts RDP protocol messages into
the RFB protocol used by VNC servers. The VNC Bridge comes in two forms, so
when you click Add to create a new target you will be prompted to select either a
static (1:1 Proxy Gateway) or a dynamic (Dynamic Proxy Gateway) VNC Bridge for
the connection.


1.
Static VNC Bridge – this establishes a regular, direct 1:1 proxy gateway connection from one machine to another belonging to the specified server list.
Dynamic VNC Bridge – this creates a connection that is a proxy gateway connection to a specific machine between the user workstation and a server of the
server list, but this server IP address is dynamically assigned only when the connection is established.
To create a target, open the administration interface and select
WebSecureProxy > Configure. This opens the HOB WebSecureProxy
configuration screen. Under Outgoing Connections you can see the list of
predefined targets. From this list of outgoing connections, select VNC Targets
to display the following screen.
215
HOB RD VPN
Figure 1: HOB WSP - Outgoing Connections - VNC Targets
2.
Now click Add to begin the configuration by adding a VNC Target to the list of
outgoing connections.
Figure 2: HOB WSP - Outgoing Connections - VNC Server List
3.
216
Here you enter the Name you will use for this VNC server list. Click Add again
to add a server to the server list and configure it using the Server
Configuration tab.
HOB RD VPN
Figure 3: HOB WSP - Outgoing Connections - VNC Server Configuration
There are two possible modes or types of VNC connection that can be used:


1:1 Proxy Gateway – a connection from a specific machine to another target
machine over the HOB WSP
Dynamic Proxy Gateway – a connection from a machine to another target machine over the HOB WSP, the target machine being chosen dynamically and not
permanently configured
Each mode has different requirements, so the dialog changes according to the
mode selected.
217
HOB RD VPN
14.2 Configuring a Static VNC Bridge Connection
For a Static VNC Bridge connection using the 1:1 Proxy Gateway mode you need
to also configure a specific VNC server. Open the HOB RD VPN WebSecureProxy
configuration and you will see the following screen:
Figure 4: Outgoing Connection - Static VNC Bridge - Server Configuration






Mode – for Static VNC connections select the connection mode 1:1 Proxy Gateway, which gives a direct connection from one machine to another.
be used. An entry of Any in this field means that the operating system decides
which adapter to use. This is the default setting.
Predefined Protocol – this dropdown box contains the predefined protocol to be
used for this connection. By default it is RDP Windows Terminal Server–HOB
EXT-1, a protocol created by HOB to allow the connection to be made. This field
is disabled and cannot be changed.
before a connection is timed out. The default setting is 600 seconds. This field
is active only for a 1:1 Proxy Gateway mode VNC connection.
1:1 Proxy Gateway – this box contains fields where you enter data required to
establish a 1:1 Proxy Gateway mode connection.


218
Host IP Address – enter here the IP address of the host machine that you
are building a connection to.
Host Port – enter here the number of the port to be used for this connection.
The port 5900 is entered by default for VNC connections.
HOB RD VPN
14.2.1 Configuring the HOB WSP for Static VNC Bridge
Click on the third tab here, VNC Server, and you see the following dialog:
Figure 5: Outgoing Connection - Static VNC Bridge - VNC Server Configuration






Password – here you enter the password that will grant you access to the VNC
server.
Server maps keys – check this box to ignore the keystroke setting on the client
and allow the VNC server to map key strokes instead, leave unchecked to keep
the client keystroke settings.
Server maps capslock – check this to allow the server to ignore keystrokes
made with the capslock button on the client and the VNC Bridge to send the complete message fully capitalized, leave unchecked to keep the client settings.
Shared connection – check this to allow multiple VNC client connections to be
used simultaneously. This can be forbidden by the VNC server, regardless of the
setting here. This is checked already by default.
Use local cursor – check to allow multiple users to use the cursor on the server.
While this saves resources as the cursor is sent only once, a user may lose sight
of its actual location if another user moves it, as the server is not constantly updating the cursor position. This is checked already by default.
Use clipboard – check to allow the clipboard be used to copy text only between
the local machine and the server. This is checked already by default.
219
HOB RD VPN
14.3 Configuring a Dynamic VNC Bridge Connection
When configuring a Dynamic VNC Bridge connection a static 1:1 proxy gateway
connection cannot be made (as there is a dynamic connection only and a direct 1:1
connection to a specific machine cannot occur) and no specific VNC server
configuration is required.
Figure 6: Outgoing Connection - Dynamic VNC Bridge - Server Configuration





220
Mode – for Dynamic VNC connections select the connection mode Dynamic
Proxy Gateway, which gives a direct connection from one machine to a dynamically selected, configured destination machine in the network.
Use network adapter – select from the dropdown box the network adapter to be
used. An entry of Any in this field means that the operating system decides
Predefined protocol – this dropdown box contains the predefined protocol to be
before a connection is timed out. The default setting is 600 seconds. This field
is disabled for a dynamic VNC connection.
HOB RD VPN
14.4 Using the HOB VNC Bridge
HOB RD VPN uses the HOB VNC Bridge to remotely control another computer
through the graphical user interfaces. The HOB VNC Bridge can be used to access
systems running under Windows (including home editions), Linux, Unix and Mac (in
this case Apple Remote Desktop (ARD) is used) operating systems that have a
VNC server installed.
Once the connection to the target machine has been made, you can operate that
machine as if you are directly sitting at it, seeing and using the graphical user
interfaces.
221
222
HOB RD VPN
HOB RD VPN
Remote Desktop Access using SSH
15 Remote Desktop Access using
SSH
SSH (Secure Shell) is a network protocol often used for secure data
communication, remote shell services or command execution and other secure
network services between two networked computers. SSH connects these two
networked computers, a server (running SSH server programs) and a client
(running SSH client programs) via a secure channel over an insecure network.
15.1 SSH Targets
To configure a remote desktop connection using SSH you need to configure the
HOB WSP. To do so, take the following steps:
1.
2.
Select the Servers element of your internal hierarchy and select
WebSecureProxy > Configure.
3.
Connections > SSH Targets.
Figure 1: HOB WSP SSH Target Configuration - Start Screen
4.
Click Add to create a new outgoing connection that will use SSH.
5.
The server list screen for this target is displayed. Enter the name for this target
server list, for example SSH Server List.
223
HOB RD VPN
Figure 2: HOB WSP SSH Target Configuration - Server List
6.
Now click Add to configure a server for this connection. This brings up the
Server Configuration screen:
Figure 3: HOB WSP SSH Target Server Configuration
In this screen you enter the following information:


224
Mode – for SSH connections the connection mode 1:1 Proxy Gateway is the
only selection that can be made, and is the default.
HOB RD VPN






Host IP address – enter here the IP address of the host machine that you
are building a connection to.
Host port – enter here the number of the port to be used for this connection.
The port 22 is entered by default for SSH connections.
7.
Save the configuration by clicking File > Save from the main menu.
8.
Now select the role to which this outgoing connection is to be assigned (in the
example shown here is for the PowerUser role).
Figure 4: HOB WSP Roles - SSH Server List
9.
Go to User > Settings and select the tab Privileges > Server Lists. From this
list select SSH Server List, which has just been created.
10. Save the configuration (main menu > File > Save), and the SSH target has
been configured and is ready for use.
225
HOB RD VPN
15.2 Using SSH
HOB RD VPN uses the SSH protocol to secure connections from the system server
running SSH to the target machine running SSH client programs. If the connection
between the two runs over an insecure network, such as the public Internet, then
SSH adds security to the connection to prevent data loss or manipulation.
226
HOB RD VPN
Terminal Emulations
16 Terminal Emulations
HOB RD VPN delivers HOBLink J-Term 3.6 as the Terminal Emulation solution for
the following systems:

TN 3270

TN 5250

Telnet VT

HP700

Siemens 9750 (BS2000)
HOBLink J-Term uses the HOB EA Administration feature for central administration
and configuration. It uses HOBLink Secure for the encryption of communication
data.
To successfully configure HOB RD VPN for use with Terminal Emulations, two
steps must be completed:
1.
Configuring the HOB WebSecureProxy
2.
Configuring HOBLink J-Term
16.1 Configuring HOB RD VPN for Terminal Emulations
The administration portal of HOB RD VPN is known as HOB EA Administration
(HOB EA Admin) and is a Java-based application. This program enables the
following:

The creation and administration of users, groups and containers and their settings

Configuration of the HOB RD VPN applications

Configuration of HOB WSP
16.1.1 Configuring the HOB WebSecureProxy
1.
Log in with Global Administrator credentials to the HOB RD VPN
Administration page.
227
Terminal Emulations
HOB RD VPN
Figure 1: HOB RD VPN Administration Start Screen
2.
From the links column on the left, select EA-Admin, and then log in to EA
Admin with your Global Administrator credentials.
3.
The HOB EA Administration dialog appears.
Figure 2: HOB EA Administration screen
228
4.
Here you select the organizational unit servers (ou=servers) in the domain
component internal (dc=internal) and then click on the directory content item
cn=WebSecureProxy.
5.
Now click the > (arrow) button in the dropdown box, select WebSecureProxy
and click Configure.
6.
The HOB WSP screen opens.
HOB RD VPN
Terminal Emulations
Figure 3: HOB WebSecureProxy Configuration Screen
7.
In this screen select Outgoing Connections as you want to create a
connection from the HOB WebServerProxy to a target machine.
8.
Under Outgoing Connections you need to select the server type you wish to
access. For this example a 3270 session is being configured, so select 3270
Targets and click Add to create a connection to a 3270 server.
Figure 4: HOB WSP Outgoing Connections - 3270 Targets
9.
The Server List tab is now shown. Give this server list a name, such as
Terminal Emulation Server List.
229
Terminal Emulations
HOB RD VPN
Figure 5: HOB WSP 3270 Targets - Server List
10. This server list now needs to be populated. Click Add.
Figure 6: HOB WSP 3270 Targets - Server Configuration
The fields on this screen that need to be completed are as follows:


Name – enter a name you want to use for this 3270 server configuration. Here
Example 3270 Server is used.
The modes or types of connection available for a 3270 server connection are as
follows (other modes are available for other Terminal Server connections):

230
1:1 Proxy Gateway – a direct connection from one machine to another
HOB RD VPN


Terminal Emulations
WTS Load Balancing – used when you have a simultaneous connection to
a group of machines. To use this mode you must have a number of servers
already configured that you can make the connection to
VDI-WSP – a connection to virtualized desktops on a remote central server,
only available when VDI is enabled on the HOB WSP



be used. An entry of Any in this field means that the operating system decides
Predefined Protocol – this dropdown box contains the predefined protocol to be
used for this connection. By default it is TELNET 3270. This field is disabled and
cannot be changed.


Host IP Address – enter here the IP address of the host machine that you are
building a connection to.
Host Port – enter here the number of the port to be used for this connection. The
port 23 is entered by default for VNC connections.
11. Save the configuration by using Main menu > File > Save.
12. Now select the entry Roles in the tree structure at the left and select the role
for which this configuration is being made. In this example, the configuration is
being made for the role User.
13. On the Settings tab select the tab Privileges and then select the tab Server
Lists. Here, check the box next to the newly configured Terminal Emulation
Server List.
231
Terminal Emulations
HOB RD VPN
Figure 7: HOB WSP Roles - Privileges - Server Lists
14. Save the configuration (Main menu > File > Save) and return to the HOB EA
Admin start screen
15. Now here you need to configure the terminal emulation, in this case
HOBLink J-Term, that will allow you to access this server for this connection.
Select the item for which you want to configure a terminal emulation
(HOBLink J-Term) session. You can select an item from the Organization
Hierarchy pane, where the configuration made will apply to all subordinate
units. In the example shown below in Figure 8, the item dc=hobsoft has been
selected. The HOBLink J-Term session configured here will apply to all
organizational (ou) units in this container. If you only want to configure the
session for an individual user or user group, expand the directory container (dc)
and select the user or group in the expanded list for which the configuration is
to be made.
232
HOB RD VPN
Terminal Emulations
16.1.2 Configuring HOBLink J-Term
1.
To configure HOBLink J-Term, open the HOB RD VPN administration interface
and select the item you want to create the connection for, such as a User or a
Group. From the dropdown box select Sessions > HOBLink J-Term >
Configure. This opens the HOBLink J-Term administration screen.
Figure 8: HOB RD VPN Administration – Sessions - HOBLink J-Term
2.
Here in the HOBLink J-Term Administration screen you can create and
configure your HOBLink J-Term sessions.
Figure 9: HOBLink J-Term Administration- Start Screen
233
Terminal Emulations
HOB RD VPN
3.
In the Member Rights tab, you can select the rights to be assigned to the
individual user, the members of the user group or the members of the domain
component that you are currently configuring.
4.
Select the Sessions menu item and click the New button at the bottom of the
dialog.
Figure 10: HOBLink J-Term Administration- Sessions
5.
In the pop-up menu that then appears select either Display Session (used on
a PC to start host applications and take advantage of all the functions of a
terminal) or Printer Session (makes it possible to use a PC printer as a host
printer) for the new session and click OK.
Figure 11: HOBLink J-Term Administration- Select Sessions Popup
234
6.
For each Session type, you can select the available schemes to apply to your
configuration from the Scheme Type lists Connection, Display, Screen Print,
Color on the Session tab.
7.
Using the Schemes menu item you can create new schemes for use in the
session you are configuring. The schemes created here can also subsequently
be assigned to other existing or newly created sessions. To see the various
HOB RD VPN
Terminal Emulations
schemes that can be configured with this tool, expand the Schemes list by
clicking the + plus sign next to the menu item Schemes.
Figure 12: HOBLink J-Term Administration- Schemes
The schemes you can configure using this dialog are:



Connection – Select an existing connection scheme or create a new connection
scheme to be used in the current session configuration. For terminal emulations
with HOBLink J-Term you can select from the following connection types:

TN3270E

TN5250

Telnet VT

SSH

HP700

Siemens 97801

Siemens 9750
Host Printer – In this scheme you can set up host printer margins, enable an
Escape printer or use protocol-dependent settings for example.
Display – In this scheme you can set the display appearance of the relevant session, in terms of the font or cursor shape for example, as well as set the clipboard
options or specific protocol options.

Screen Print – Select and configure printers for the relevant session.

Color – Set or modify display, GUI colors here.

Macro – Select, create or edit macros here.

File Transfer – Select, create or edit file transfer schemes here. You can choose
from FTP or IND$FILE (MVS/TSO, VM/CMS, or CICS/VSE) protocols.
235
Terminal Emulations










HOB RD VPN
Keyboard – Create a new or select an existing keyboard scheme for your configuration. With this setting you can set your keyboard actions such as apply key
sequences, functions keys, or macros to a selected key.
Keypad – Here you can create a new or select an existing keypad for on-screen
display and use.
Mouse – Here you can create a new or select an existing mouse scheme to define mouse-button actions for the session to which it applies.
Hotspots – With this setting you can create a new or select an existing onscreen hotspots for various actions (for example macros or function keys).
Menu – Here you create new or you can select or edit existing menu items here
for use in either display or printer sessions.
Toolbar – Create new or select existing toolbar schemes, where you can for example customize toolbar icons.
Others – Here you can customize your session windows (show/hide toolbar,
menu bar, status bar), enter user-defined options, VT settings and HTTP proxy
settings.
Backup Connections – Create new or select existing backup connection
schemes to apply to your session. If the primary connection scheme fails for any
reason, the backup connection schemes will be tried in order of their priority until
a connection can be established.
Conversion Table – Create a new or select an existing conversion table for use
with file transfer and host printer data.
APIs – Select/Create a scheme to determine API settings for your session.
To configure a scheme, simply click the New button at the bottom of the screen, and
enter the necessary data in the fields on the tab that opens for the respective
scheme.
16.2 Configuring TN3270 Targets
TN3270 is the Telnet protocol used by an IBM 3270 class terminal to communicate
over a TCP/IP network. To configure a 3270 target, follow the steps outlined in the
previous section, Section 16.1 Configuring HOB RD VPN for Terminal Emulations
on page 227.
236
HOB RD VPN
Terminal Emulations
16.3 Configuring TN5250 Targets
TN5250 is the Telnet protocol used by an IBM 5250 class terminal to communicate
over a TCP/IP network.
1.
In the same manner as in the previous sections (see Section 16.1 Configuring
HOB RD VPN for Terminal Emulations on page 227) select the target that you
wish to configure from the Outgoing Connections list of the
HOB WebSecureProxy configuration dialog.
Figure 13: HOB WSP - Outgoing Connections
2.
To configure a TN5250 target, select TN5250 Targets from the Outgoing
Connections list.
Figure 14: HOB WSP - Outgoing Connections 5250 Targets
237
Terminal Emulations
3.
HOB RD VPN
Click Add and the server list screen for this target is displayed. Enter name for
this target server list, for example Server List 5250.
Figure 15: TN5250 Targets Server List
4.
Click Add. You will see the following screen:
Figure 16: TN5250 Targets - Server Configuration


238
Name – select the name to be used for this connection. In this example the name
5250_Server is used.
The modes or types of connection available for a 5250 server connection are as
follows (other modes are available for other Terminal Server connections):
HOB RD VPN



Terminal Emulations
VDI-WSP – a connection to virtualized desktops on a remote central server,
this mode is available only when VDI is enabled on the HOB WSP



used for this connection. By default it is TELNET 5250. This field is disabled and
cannot be changed.


Host IP Address – enter here the IP address of the host machine that you are
building a connection to.
Host Port – enter here the number of the port to be used for this connection. The
port 23 is entered by default for VNC connections.
5.
Save the configuration by using Main menu > File > Save.
6.
Now select the entry Roles in the tree structure at the left (as described in the
previous sections) and select the role for which this configuration is being
made.
Figure 17: Roles - Server Lists
239
Terminal Emulations
7.
HOB RD VPN
In this example, the configuration is being made for the role User. On the
Settings tab select Privileges and here select the tab Server Lists and check
the box next to Server List 5250.
16.4 Configuring Telnet Targets
Telnet is a network protocol used on the Internet or in a LAN to provide bidirectional
interactive text-oriented communications using a virtual terminal connection. User
data is interspersed in-band with Telnet control information in a data connection
using TCP.
1.
In the same manner as in the previous sections (see Section 16.1 Configuring
HOB RD VPN for Terminal Emulations on page 227) start the
2.
Select the target from the Outgoing Connections list that you wish to
configure, in this case Telnet Targets.
Figure 18: HOB WSP Outgoing Connections - Telnet Targets
3.
240
Click Add to create a server list for this target.
HOB RD VPN
Terminal Emulations
Figure 19: HOB WSP Server List - Telnet
4.
Enter the name for this target server list and click Add. This screen is shown:
Figure 20: Outgoing Connection - Telnet Target Configuration


Name – select the name of the connection to be used.
The possible modes or types of connection that can be used are as follows:


241
Terminal Emulations

HOB RD VPN



used. the default is Any.
Predefined protocol – select the Telnet protocol to be used from the list.
before a connection is timed out. The default is 600 seconds.
mode that has been selected.




HOBCOM proxy – check this box to activate the HOBCOM Proxy server for connections to a Windows Terminal Legacy machine.
Host IP address – enter here the IP address of the host machine that is to be
the target of this connection.
Host port – enter here the port number you wish to use for the connection to the
desired target machine. The port 23 is entered by default for Telnet connections.
5.
6.
Now select the entry Roles in the tree structure at the left (as described in the
previous sections) and select the role for which this configuration is being
made.
Figure 21: Roles - Server Lists
242
HOB RD VPN
7.
Terminal Emulations
In this example, the configuration is being made for the role PowerUser. On
the Settings tab select Privileges and here select the tab Server Lists and
check the box next to Telnet Server List.
243
Terminal Emulations
244
HOB RD VPN
HOB RD VPN
HOB RD VPN Web Server Gate – Intranet Ac-
17 HOB RD VPN Web Server Gate –
Intranet Access
The HOB RD VPN Web Server Gate component provides your enterprise with
secure access from remote locations over the Internet to web servers and pages
that are internal to the enterprise.
Enterprise-internal Web servers are normally protected by firewalls and therefore
cannot be accessed over the Internet. The HOB RD VPN Web Server Gate enables
the user to specify a server to contact. Any data then sent to this server comes first
to the HOB RD VPN Web Server Gate, which then reroutes the SSL encrypted data
over the HOB WSP to the desired server. Authorized users can thus remotely
access web-based services inside the corporate network from anywhere in the
world. E-mail access over the Outlook Web Access front end of the Microsoft
Exchange Server is also possible.
As all of the browser connections are rerouted through the HOB RD VPN
Web Server Gate and therefore are not directly accessed from their server
of origin, they violate the Same Origin Policy, which is a fundamental policy
for browser security. In the event that one malicious server manages to
establish contact with the HOB RD VPN Web Server Gate, this could affect
the integrity of the HOB RD VPN Web Server Gate and through this could
affect the other trusted servers with whom the HOB RD VPN Web Server
Gate is in contact.
With this in mind, HOB strongly recommends that the following measures
are implemented to resist this:




Prohibit or restrict access to external web servers through using
the HOB RD VPN Web Server Gate (this can be done by using a
target filter, a firewall or a whitewall, for example)
Control internal web servers, making sure they are free of fraudulent code
Reduce the period of validity for cookies, so that a threat agent
has less time to abuse the captured session (this can however be
inconvenient)
Close any web application with a true termination, meaning that a
proper logout must be completed and not just the window closed
Remote access with HOB RD VPN is secured via HTTPS. Only after successfully
authenticating at the HOB RD VPN Web Server Gate can a user communicate with
an internal server.
The scenario shown below depicts a connection to an internal web server that is set
up to use the HOB RD VPN Web Server Gate.
245
HOB RD VPN Web Server Gate – Intranet Access
HOB RD VPN
Figure 1: HOB RD VPN Web Server Gate - Standard Scenario
All of the browser connections are routed over the HOB RD VPN Web Server Gate
and then relayed by this to the web server.
17.1 Configuring the HOB RD VPN Web Server Gate
The HOB RD VPN Web Server Gate must be configured through the use of the
HOB WebServerProxy configuration interface.
Enabling Bookmarks for the HOB Navigation Screen
1.
To enable bookmarks to be created, open the administration interface and
select WebSecureProxy > Configure. This opens the HOB WebSecureProxy
2.
Now select Roles and choose the individual role for which you wish to
configure the HOB Web Server Gate. The Settings tab for this role is then
shown onscreen.
3.
From the tabs on this dialog select Privileges > User Settings, as shown here:
Figure 2: Roles - User Settings Screen - Privileges - Web Server Gate Bookmarks

246
Name - this field contains the name that you assign to this particular role.
HOB RD VPN
4.
On the Privileges – User Settings tab itself you can select the settings and
bookmarks you wish to enable. Select Bookmarks for Web Server Gate.
5.
Close the screen and users with this role can now set their own bookmarks that
will show permanently on the navigation screen of HOB RD VPN.
17.2 Using the HOB RD VPN Web Server Gate
A special task for the HOB RD VPN Web Server Gate is to establish connections
between locations within the Intranet and then establish links from these locations
to other internal Web servers, as illustrated in the figure below.
Figure 3: HOB RD VPN Web Server Gate - Sub-network Scenario
Intranet Hyperlinks on HTML Pages of Internal Web Servers
To make these hyperlinks also accessible for external access over the Internet, the
HOB RD VPN Web Server Gate methodically examines the currently open internal
HTML page for corresponding hyperlinks. The syntax is thereby translated in such
a way that the linked Intranet pages can be opened when being accessed over the
Internet.
A wide variety of hyperlink types are used in Intranets; the number of
existing formats is very large and still growing. It is therefore unlikely that
all Intranet hyperlinks will be known, and as there cannot be a 100%
certainty that Intranet hyperlinks will always be translated as expected,
some cannot be resolved.
17.2.1 Creating Bookmarks for the HOB Navigation Screen
There are two methods of creating permanent bookmarks (or hyperlinks) on the
navigation screen for the HOB RD VPN Web Server Gate. The global administrator
can create bookmarks that will appear for all users of a certain role, and the users
themselves can create their own bookmarks.
Creating Bookmarks – Global Administrator
1.
Open the administration interface of HOB RD VPN and select HOB RD VPN
2.1 > User Settings > Configure. This opens the HOB WebSecureProxy
247
2.
HOB RD VPN
Select Bookmarks > Web Server Gate and you will see this screen:
Figure 4: WSP Bookmarks - Web Server Gate
3.
Now click Add to create a new bookmark. The following dialog is shown:
Figure 5: WSP Bookmarks - Web Server Gate

Name – here you enter the name you wish to use for this bookmark.

URL – enter the URL that you want associated with this name.
use this Search icon to locate the required URL

Up, Down – use these to arrange the order of the bookmarks on the navigation
screen.
You can use the Save and Close buttons when you are finished creating the Web
Server Gate bookmarks. The bookmarks that have been created in this way appear
on the navigation screen for all users associated with the assigned role.
248
HOB RD VPN
Creating Bookmarks – User
1.
Start the navigation screen of HOB RD VPN and then select User Settings.
Figure 6: HOB ERD VPN Navigation Screen
2.
Now select the Settings bookmark, this brings up the dialog below:
Figure 7: HOB RD VPN - WSG Bookmarks
249
HOB RD VPN
There are two icons on this screen: .
use this icon to add a new bookmark to this list. When clicked, a field appears
on the screen where the required name and URL for the bookmark can be
entered
use this icon to delete a selected bookmark from the list
3.
Use the Up and Down arrows to adjust the order in which the bookmarks are
displayed on the navigation screen.
4.
When you are satisfied with your bookmarks click Save All to save and return
to the navigation screen. The example bookmarks can now be seen on this
screen under Access to Web Applications and Intranet.
17.3 HOB Single Sign-on – Auto Logon to Intranet Servers
HOB RD VPN Web Server Gate contains functionality for an auto logon feature, the
HOB Single Sign-on. With this function users of HOB RD VPN Web Server Gate do
not need to authenticate several times over many logon pages. Only one
authentication is required - when a user is initially logging on to HOB RD VPN.
When setting up the HOB Single Sign-on, certain important pieces of information
must be specified. These are generally the user name, the user password, the
location (normally in the form of a URL) of the site the user wishes to access, and
the notification that a logon is desired (most normally the Logon button on the logon
dialog).
Single Sign-on is the name of the HOB auto logon facility and it works in the
following manner:
250
HOB RD VPN
1.
The user logs into HOB RD VPN and the HOB RD VPN Web Server Gate page
is displayed.
Figure 9: HOB RD VPN Login Screen
2.
The HOB RD VPN Web Server Gate recognizes whether the user is configured
to use Single Sign-on.
3.
Now select a destination to go to from the HOB RD VPN Web Server Gate.
4.
When redirecting to this destination, the Single Sign-on facility forwards the
user logon information provided to the destination logon page, and
automatically completes the logon process without the user needing to enter
any more information.
The Single Sign-on can be configured with the HOB WebSecureProxy configuration
tool, as follows:
1.
Open the administration interface of HOB RD VPN and select
configuration screen. Select Extensions, you will see this screen:
Figure 10: HOB WSP Extensions
251
2.
HOB RD VPN
Under Extensions select Integrated Web Server, then the Single Sign-on
tab and you will see the following:
Figure 11: HOB WSP Integrated Web Server - Single Sign-on
this brings up the dialog below to allow you to add a new Single Sign-on
configuration to the list
edit the selected Single Sign-on configuration
delete the selected Single Sign-on configuration from the list
Figure 12: HOB WSP Integrated Web Server - Add Single Sign-on Page
252

Name – here you enter a name for this Single Sign-on configuration.

URL – here you add the URL to which these users are given an automatic logon.
HOB RD VPN

Components – this table lists the components that have been added to this Single Sign-on configuration. These components are the notification of how the user
authentication is passed on to the destination for automatic authentication there.
this brings up the dialog below to allow you to add a new component to
the Single Sign-on configuration
edit the details of the selected configuration
delete the selected component from the list
Figure 13: HOB WSP Integrated Web Server - Add Single Sign-on Component



Name – here you enter a name for the component you wish to add.
Type – here you specify from the dropdown box the type of component you wish
to add to the Single Sign-on, either an Input (either a username or password), a
Form or an Action.
Value - here you select either a User Name or a User Password for this component.
The following buttons are common to both dialogs and have the same functions:
add a new page or component to the list
add a new page or component to the list and close this dialog. This
saves any changes that you have made
close this dialog without adding a new page or component. No changes
are saved
Any changes to the list of Single Sign-on components or pages can now be seen in
the Single Sign-on tab list and are applied to the next login for the configured users.
253
254
HOB RD VPN
HOB RD VPN
Remote Desktop Access using ICA
18 Remote Desktop Access using ICA
Independent Computing Architecture (ICA) is a proprietary protocol for an
application server system that sets out a specification for sending data between
server and clients, but is not bound to any one platform.
HOB RD VPN uses the ICA protocol to allow Windows applications to be run on a
suitable Windows server, and for any supported client to gain access to those
applications. The ICA protocol is also supported on a number of Unix server
platforms and can be used to access applications running on those platforms.
HOB RD VPN also uses ICA client software to access thin client platforms, as ICA
is often built into thin client software.
18.1 Installing HOB RD VPN for Remote Desktop Access
with ICA
The HOB implementation for ICA is an integrated component of HOB RD VPN, and
is installed automatically. It need only be enabled in the configuration of
HOB RD VPN for it to be available for use.
The HOB implementation for ICA uses the HOB Web Server Gate functionality to
access the Citrix XenApp Web Interface. In order to make this access, the HOB
implementation for ICA uses the Citrix Receiver, so therefore the XenApp Web
Interface must also be configured for the Citrix Receiver.
The HOB Socks5 Extension is needed to route the ICA traffic over a secure SSL
connection through HOB RD VPN to the target system.
Additionally the administrator or the user can create a bookmark for the
HOB Web Server Gate to have easy access to Citrix XenApp Web Interface.
18.2 Configuring Remote Desktop Access with ICA
To provide Remote Desktop Access via ICA you have to perform the following
configuration steps:

Configure an Outgoing Connection for ICA

Enable ICA for a User Role

Create a WebServerGate Bookmark
These configuration steps are described in the following sections
18.2.1 Configuring an Outgoing Connection for ICA
1.
Start the EA Administration interface by logging into HOB RD VPN. Select
2.
Open the Outgoing connections knot in the left-hand tree and select the ICA
Targets item.
255
HOB RD VPN
Figure 1: HOB WSP - Outgoing Connections ICA Targets
3.
Click the Add button to create a new server list and enter a name for this server
list, for example ICA Server List.
Figure 2: HOB WSP - ICA Targets Server List
256
4.
Click this new sever list item in the tree and click the Add button to create a new
server.
5.
The name ICA_Server(1) is automatically created. Change this name to one
that better suits. In this example ICA_Server is used, as can be seen here:
HOB RD VPN
Figure 3: HOB WSP ICA Targets - Server Configuration
6.
In the Server configuration tab enter the URL under which the Citrix server is
available. The administrator of the Citrix server will provide this URL. Make sure
to use the complete URL including the path.
The following fields can be configured:






Name – enter the name you wish to use for the ICA connection.
Mode – this is the type of connection to be set for this target. In this configuration
the mode must be ICA by default.
Use network adapter – the dropdown box lists the network adapter to be used.
This is dependent on the connection mode, so is disabled by default.
Predefined protocol – the dropdown box lists the predefined protocol to be
used. This is dependent on the connection mode, so is disabled by default.
Timeout (sec) – here the number of seconds the client must wait before a connection is timed out if there is no response to the connection request is shown.
This field is disabled here by default, the timeout limit is 600 seconds.
URL – enter in this box the desired destination for this connection.
18.2.2 Enabling ICA for a User Role
The next step is to enable ICA usage for the role or roles which are allowed to use
this connection.
1.
2.
Select Roles and then a specific role for configuration from the organizational
tree, for example Power User.
3.
For this user role select the Privileges tab in the right pane and then select the
Server Lists tab.
257
HOB RD VPN
Figure 4: Configuring ICA Settings for a User Role
4.
Activate the server list ICA Server List from the list of those available.
As ICA uses the SOCKS protocol, the server list for SOCKS 5 must also be
enabled at this point.
5.
Close the configuration, and the changes are saved.
18.2.3 Creating a WebServerGate Bookmark
The final step is to add a WebServerGate bookmark for the ICA connection. This
bookmark will appear in the start screen of the user.
258
1.
Open the HOB EA Administration program.
2.
Right-click the desired user or user group and choose Configure >
HOB RD VPN > User Settings.
HOB RD VPN
Figure 5: HOB EA Administration - User Settings
3.
This will display this next dialog on the screen:
Figure 6: HOB RD VPN Bookmarks - Web Server Gate
4.
Select Bookmarks > WebServerGate in the left-hand tree and click the Add
button.
5.
On this next screen, the fields to be completed are:
259
HOB RD VPN
Figure 7: HOB RD VPN Bookmark - ICA Server


Name – here you enter the name you wish to use for this bookmark, for example
ICA Server.
URL – enter the URL under which the Citrix server is available. Use the format:
http://www.mycompany.com.
use this Search icon to locate the required URL.
Up, Down – use these to arrange the order of the bookmarks on the navigation
screen.
6.
260
You can use the Save and Close buttons when you are finished creating the
HOB Web Server Gate bookmarks. The bookmarks that have been created in
this way appear on the navigation screen for all users associated with the
assigned role.
HOB RD VPN
18.3 Implementing Single Sign-on for Access using ICA
You can also set up HOB RD VPN to provide Single Sign-on functionality when
accessing remote desktops with ICA.
1.
From the HOB WSP Configuration select Integrated Web Server > Single
Sign-on.
Figure 8: HOB WSP – Integrated Web Server – Single Sign-on for ICA
2.
Use the Add button to bring up the data entry popup for this screen and enter
the required settings:
Figure 9: HOB WSP Single Sign-On - Add Page Component



Name – here you enter a name for this Single Sign-on configuration.
URL – here you add the URL for which these users are given an auto logon. The
URL value that you enter must be the web page requesting the URL.
Components – this table lists the components that have been added to this Single Sign-on configuration. These components are the notification of how the user
authentication is passed on to the destination for automatic authentication there.
261
HOB RD VPN
Use the Add button to create a new component and then select the component type
Form from the dropdown box, and enter the name of the form tag from the website,
for example ICA Component.
Figure 10: HOB WSP Single Sign-on - Add SSO Component
The fields for the Add SSO Component are as follows:



Name – here you enter a name for the component you wish to add.
Type – here you specify from the dropdown box the type of component you wish
to add to the Single Sign-on, either an Input (either username or password), a
Form or an Action.
Value – here you select either a User Name or a User Password for this component.



3.
262
For a component of type Input, add the name of the input field where the username is requested. Enter the value of the username
For an input component where a password is required, you need to add the
name of the input field where the password is requested and enter the value
of the password
For an input component where the domain name is required, add the name
of the input field where the domain is requested and manually insert the domain name you are using
Click Add & Close to save your changes and close this dialog or click Cancel
to close the dialog without saving any changes.
HOB RD VPN
18.4 Using ICA for Remote Desktop Access
Once ICA has been successfully configured for HOB RD VPN your users can log
on to the HOB RD VPN portal and access your applications using the ICA protocol.
Figure 11: HOB RD VPN Administration User Settings
You can now access the ICA Web Interface by entering its URL in the
HOB Web Server Gate URL field or by selecting the configured bookmark under
the Access to Web Applications and Intranet bookmarks.
263
264
HOB RD VPN
HOB RD VPN
19 HOB RD VPN Web File Access
HOB RD VPN Web File Access is the component of HOB RD VPN that allows
authorized users to access files on servers within the enterprise network over an
SSL-encrypted, browser-based connection. The file system is displayed in a tree
structure similar to that of Windows Explorer.
HOB RD VPN Web File Access is a plug-in and can be deactivated when it is not
needed. This solution is based on a web server that uses the SMB protocol to
access the corresponding file server.
HOB RD VPN Web File Access is an integrated component of HOB RD VPN, and
is installed automatically. It is also configurable as a portlet.
19.1 Configuring HOB RD VPN Web File Access
Follow these steps to set up and use HOB RD VPN Web File Access:
1.
Logon and start HOB RD VPN Administration.
2.
Having selected the ou=groups element of your Internal hierarchy (individual
users can also be selected), select a groups of users (in this example
powerUsers is selected) and then User Settings > Configure.
Figure 1: HOB RD VPN Administration Internal - User Settings
265
3.
HOB RD VPN
In the User Settings screen as shown here select Bookmarks >
Web File Access and click Add.
Figure 2: HOB RD VPN User Settings - Bookmarks Web Files Access
4.
now click Add to create a new Web File Access bookmark.
Figure 3: HOB RD VPN User Settings - Web File Access Configuration
In this dialog you enter the following information:

266
Name – enter the name of the Web File Access configuration to be assigned to
the selected user, for example Web File Access Bookmark.
HOB RD VPN


URL – enter the URL for the user to access the internal servers where they can
work with the system data and applications. You can enter this URL in IP address
notation or in the server name form, as shown above.
Use Credentials - check this so each user must authenticate when they attempt
to use this Web File Access bookmark.

Username - enter here the name the user is to use to access the files.

Password - this field contains the password the user will use to access the files.

Confirm password - enter the password here again to confirm the previous entry.
5.
Use the Up and Down buttons to modify the order in which the Web File Access
bookmark appears on the HOB RD VPN Welcome Gate.
6.
Click Save to save the configuration and Close to close the User Settings
dialog, and this user now has a HOB RD VPN Web File Access bookmark for
access to the system.
Depending on the element originally selected, HOB RD VPN Web File Access can
now be automatically inherited by all of its sub elements (Users, Groups or Objects).
19.2 Using HOB RD VPN Web File Access
To start HOB RD VPN Web File Access click the link in the Web File Access portlet
on your HOB RD VPN navigation screen and the Web File Access Logon dialog
(below) appears.
Figure 4: HOB Web File Access - Logon
On this logon dialog you find the following fields and buttons:


URL – here you enter the URL of the servers you wish to access, thus opening
a path to give you a share of the servers at this location. Enter the path according
to the format shown, \\server\share.
Reconnect at Logon – check this box so that this connection is automatically
created the next time you logon.
267

HOB RD VPN
Connect with Different Credentials – by default HOB Web File Access uses
your HOB RD VPN logon credentials to access your server shares. Check this
box to enable you to authenticate with different credentials, most often to create
access to a new share or a share to a server that is not in the specified domain.

Map Share – click this button to map a path to a shared server.

Cancel – click to exit without saving any changes.
After a successful authentication the Web File Access window below opens. The
two columns display the servers and directories on the left, and on the right the files
contained in the sub-directories selected from the left-hand column are shown.
Figure 5: HOB Web File Access - File Hierarchy
When working in HOB RD VPN, you can use the following on screen icons (in the
title bar) to assist your work. They have the following functionality:
Map Share – allows you to map a connection to a shared drive
Select a Share for Disconnection – this allows you to disconnect an
already mapped share
New Folder – allows you to create a new folder in a directory
Select One File to Rename – allows you to rename the selected file
Select One File to Delete – allows you to delete the selected file
Upload File – allows you to upload a file to your present location
Select One File to Download – allows you to download the chosen file
268
HOB RD VPN
Download as Zip – allows you to download zipped files
Open a New Tab – you can open a new tab with this icon
Close Other Tabs – this icon allows you to close all tabs other than that on
which you are currently working
Search – use this icon to start the search feature that will allow you to locate
the files you wish to work with. This icon brings up the following dialog:
Figure 6: HOB Web File Access - Add Server
Enter your search in the Query field, You can enable the checkbox File Contents
to search the contents of each file for the query string and the Recursive checkbox
to also search through the subfolders.
You can add more servers to those that you can currently access. Do this by using
the Map Share icon in the Main Menu bar. This brings up the following dialog:
Figure 7: HOB Web File Access - Add Server



URL – here you enter the URL of the server to which you want to create a share.
Use the format shown, \\server\share.
Reconnect at Logon – check this box so that this connection is automatically
created the next time you logon.
Connect with Different Credentials – by default HOB Web File Access uses
your HOB RD VPN logon credentials to access your server shares. Check this
box to enable you to authenticate with different credentials, most often to create
access to a new share or a share to a server that is not in the specified domain.

Map Share – click this button to map a path to this server.

Cancel – click to exit without saving any changes.
269
270
HOB RD VPN
HOB RD VPN
Remote Access to Microsoft Exchange Server
20 Remote Access to Microsoft
Exchange Server
HOB RD VPN allows you to provide remote access from Microsoft Outlook to a
Microsoft Exchange Server in your company. This access is provided through the
Microsoft Remote Procedure Call (MS-RPC) protocol, which is used for software
components distributed across several networked computers to communicate with
each other. The administrative front-ends of Microsoft Exchange Server are all
Microsoft RPC client/server applications.
20.1 Configuring Remote Access to Microsoft Exchange
Server
Configuring HOB RD VPN Exchange Server Access is performed in the same
manner as configuring a standard outgoing connection target for HOB RD VPN.
Take the following steps to set up and use HOB RD VPN Exchange Server Access:
1.
2.
WebSecureProxy and click the Configure button.
3.
Connections > Other Targets.
Figure 1: HOB WSP Outgoing Connections - Other Targets
4.
Click the Add button to add a new target, in this example Exchange Server
List, which is the name of the Exchange Server you wish to access with this
connection.
271
HOB RD VPN
Figure 2: HOB WSP - Other Targets Server List
5.
Click Add again to add an individual server as target, in this example
Exchange_Server, and you can see the following screen:
Figure 3: HOB WSP – Other Targets Server Configuration
Depending on the connection mode that has been selected, the panel at the bottom
of the dialog screen changes.

Name – enter the name you want to use for this connection. Here Exchange_
Server is used as an example.

272
Mode – you can select from the dropdown box the connection mode to be used
for the connection to the client machine. All possible modes or types of connection that your network uses be selected:
HOB RD VPN







1:1 Proxy Gateway – a direct connection from one machine to another. This
is the mode that is used with HOB RD VPN Exchange Server Access
WTS Load Balancing – this mode is used when you have a connection to
a group of machines
Server Data Hook – a connection that works by intercepting functional calls,
events or messages from servers within a network. This is a standard communication mode but cannot be used with HOB RD VPN Exchange Server
Access
Use network adapter – select from the dropdown box the network adapter (this
interface card connects the computer to the computer network) to be used. The
default is Any.
Predefined protocol – select from the dropdown box the predefined communication protocol to be used. For this target type any protocol may be selected.
mode that has been selected, in this case 1:1 Proxy Gateway:
Host IP address – enter here the IP address of the host machine that is to be the
target of this connection, in this case that Microsoft Exchange Server in your
network to which you are to connect.
Host port – enter here the port number you wish to use for the connection to the
desired target machine.
6.
Once you have entered this information, you need to make the target available
to the users. Select WSP Servers from the hierarchy on the left side and select
the tab Unique Access. You see the following screen:
Figure 4: HOB WSP – WSP Servers – Unique Access
273
HOB RD VPN
7.
From the server lists displayed, check the required server list, in this case
Exchange Server List.
8.
This selection makes this server list available as a target for outgoing connections
to all users currently connected to the network.
20.2 Configuring XML for HOB RD VPN Exchange Server
Access
Now that the configuration has been made in the GUI, there is one more step
required for the target to be used, in that SSL must be activated for outgoing
connections to the Microsoft Exchange Server.
This step cannot be performed in the GUI, so you must go to the XML configuration
files for the HOB WSP. Here, you locate the relevant server entry and change the
command <use-client-side-SSL> to Yes. Doing this enables client side SSL on
the outgoing connection. This is shown here:
<server-entry>
<name>Exchange</name>
<function>DIRECT</function>
<protocol>MS-RPC</protocol>
<serverineta>Exchange Server</serverineta>
<serverport>443</serverport>
<use-client-side-SSL>YES</use-client-side-SSL>
</server-entry>
Please see Chapter 36 XML Configuration for the HOB WebSecureProxy for more
information.
274
HOB RD VPN
20.3 Using HOB RD VPN Microsoft Exchange Server Access
Microsoft Outlook must now be configured so that Microsoft Outlook accesses the
Microsoft Exchange Server via the HOB WSP.
The steps are as following:
1.
Open the Microsoft Exchange account configuration dialog.
2.
Under the Connection tab, make sure that the checkbox Connect to
Microsoft Exchange using HTTP is enabled.
3.
Click Exchange Proxy Settings.
4.
Under Exchange Proxy Settings > Connection Settings, enter the name of
the HOB WSP.
5.
Under Proxy Authentication Settings select Basic Authentication.
6.
Click OK.
More detailed information on the configuration of Microsoft Outlook and
Microsoft Exchange Server is outside the scope of this documentation,
refer to your documentation for Microsoft Outlook and Microsoft Exchange
Server for more information on this topic.
275
276
HOB RD VPN
HOB RD VPN
Internal Network Adapter
21 Internal Network Adapter
The Internal Network Adapter is a virtual network device that is delivered as an
integrated component of HOB RD VPN. It is a required component if you want to
use the following features of HOB RD VPN:

The HOB PPP Tunnel without an internal L2TP server

The HOB SSL Identifier
21.1 Installing the Internal Network Adapter and HOB TUN
Driver
To use the Internal Network Adapter you need to install the HOB TUN Driver during
the installation procedure. The installation of the HOB TUN Driver is an option
during the installation process of HOB RD VPN, although due to the advantages
brought by the HOB PPP Tunnel and by the HOB SSL Identifier, it is strongly
recommended you install the HOB TUN Driver even though it is still in the
experimental phase.
As the HOB TUN Driver is currently in an experimental state, it is
delivered with HOB RD VPN for testing purposes only and should not be
used in a productive environment. It will be installed only if this option is
specifically chosen during the installation.
In the installation process of HOB RD VPN you will see the following screen:
Figure 1: Installation Screen - Select TUN Driver
Select the first option on this screen to install the HOB TUN Driver. For more
information on this subject, please see Section 4.5 HOB RD VPN Installation – New
Cluster Member.
277
HOB RD VPN
The HOB TUN Driver is a component that is only installed on a Windows
operating system - this screen can be ignored for all non-Windows
installations, as a TUN driver is already installed on Linux systems.
21.2 Configuring the Internal Network Adapter
To use the Internal Network Adapter a Raw Packet Interface must be configured.
This interface allows the redirect of all incoming connections to the correct Internal
Network Adapter of those that are already configured in the system. To do so, the
following configuration steps are necessary:
1.
2.
Expand the WSP Servers node of the hierarchy on the left and select Raw
Packet Interface.
3.
Enter the necessary values for the configuration. If you are currently using the
HOB SSL Identifier you need to enter values for the Raw packet interface IP
Address and Use network adapter items only, see this screen:
Figure 2: Configuring the Internal Network Adapter


Raw Packet Interface IP Address – here you enter an IP address that identifies
the Internal Network Adapter. Make sure that the IP address used is not part of
the HOB RD VPN server network and is not used otherwise. The last block of
this IP address can be any number except for 0 or 3 (a valid example is:
100.100.10.1).
Use network adapter – choose Any or one of the network adapters from the list.
This network adapter is used as an interface into the internal network. The adapters in the system can be configured in the WSP Servers area of the
HOB RD VPN WebSecureProxy configuration.
For more information on this topic, see Chapter 27 SSL Identifier.
278
HOB RD VPN
4.
If you are using the HOB PPP Tunnel (without an internal L2TP server) you
must also specify values for the DNS Servers For The Client and the Tunnel
IP Address Pool Ranges, the fields for which are found on this Tunnel tab:
Figure 3: Internal Network Adapter - Tunnel
This tab screen contains the following fields:

DNS Servers For The Client – enter the IP addresses of the DNS servers that
the PPP Tunnel client is to use for the DNS resolution of host names from the
internal network.





Tunnel DNS 1 - here you enter the IP address of the first DNS server. This
must be entered for each HOB WSP in your system
Tunnel DNS 2 - here you enter the IP address of a second DNS server
Tunnel NBNS 1 - here you enter the IP address of the NetBiOS Naming
System service to be queried for the HOB PPP Tunnel
Tunnel NBNS 2 - here you enter the IP address of the second NetBiOS
Naming System service
Tunnel IP Address Ranges - when using the HOB PPP Tunnel, an IP address
is assigned to the PPP client when it connects. Enter here the range of IP addresses that can be used for the HOB PPP Tunnel, specifying the Start and End
fields to define the range from which this IP address can come.
Use the Add and Remove buttons to manage the address ranges in this list.
For more information on this topic, see Chapter 22 Using the HOB PPP Tunnel for
Network Access.
Save the configuration (main menu > File > Save), and the Internal Network
Adapter has been configured and is ready for use.
279
280
HOB RD VPN
HOB RD VPN
Using the HOB PPP Tunnel for Network Ac-
22 Using the HOB PPP Tunnel for
Network Access
The HOB PPP Tunnel is a feature of HOB RD VPN that enables a remote user to
connect to the enterprise network over the Internet, giving the remote user full
access to all network resources via HOB RD VPN as if they are working directly on
a machine within the enterprise network. The HOB PPP Tunnel gives the user
complete network access to all of the resources in the central network, and all IP
based communication protocols such as TCP, UDP or ICMP also go through the
HOB PPP Tunnel.
This access works bi-directionally, in that a user can also access all resources on
the client from the central network. The HOB PPP Tunnel uses the PPP and L2TP
protocols to transmit data through the VPN without restriction from special software
requirements or firewall problems. These protocols are already integrated into the
operating systems of the VPN client computer, and so no separate VPN software
need be installed on the client.
The data that is transferred through the HOB PPP Tunnel undergoes compression,
making this access highly efficient, and SSL encryption, supported by all network
devices, with strong authentication ensure that the access is secure.
Currently the operating systems on the client that support and are supported by the
HOB PPP Tunnel include:

Windows 8

Windows 7

Windows Vista

Apple MAC

Linux

FreeBSD

Solaris
No software needs to be installed on any Windows clients in order to use
the HOB PPP Tunnel, and the user does not need to have any
administrator rights on the client machine. There is also no requirement to
install any special device drivers on the client.
22.1 Configuring User Settings for the HOB PPP Tunnel
To configure the HOB PPP Tunnel, you first need to specify Tunnel Endpoints.
These endpoints are the specific addresses to which you want the HOB PPP Tunnel
to connect to. This is done through HOB RD VPN User Settings, accessed through
the HOB RD VPN Administration interface.
1.
Select the element that is to be configured for access to the HOB PPP Tunnel.
In this example the element is in the default dc=hobsoft domain and here is
the user with the resource name: cn=user3,ou=user,dc=hobsoft,dc=root.
281
Using the HOB PPP Tunnel for Network Access
HOB RD VPN
2.
Now select User Settings from the dropdown box and click Configure, as
shown below.
Figure 2: HOB RD VPN Administration - User Settings
3.

Now using this dialog for the selected user you can create your Tunnel
Endpoints, which are located under the Personalized IP Addresses element.
Personalized IP Addresses
Here you manage specific IP addresses for HOB PPP Tunnel Endpoints and the
HOB SSL Identifier. For more information about the HOB SSL Identifier, please see
Chapter 27 SSL Identifier.
282
HOB RD VPN

Tunnel Endpoints
To create a secure HOB PPP Tunnel, specify the IP addresses of the endpoints of
the connection. This means that only certain pre-configured destinations may be
selected for the secure connection, those IP addresses the clients are assigned in
the company network. For more information on Tunnel Endpoints see Section 8.3.1
Configuring HOB RD VPN 2.1.
Figure 3: HOB RD VPN - User Settings - Personalized IP Addresses
Add – use this button to add the desired IP address to the list of those available to
the user as Tunnel Endpoints.
22.2 Network Address Translation
Network Address Translation (NAT) is the process of modifying IP address
information in IP packet headers that are in transit across a traffic routing device.
This most often happens when a computer maps a private (unregistered) IP
address within a local network to a (registered) public IP address. It is very common
to use a single public IP address as a gateway to the many private IP addresses
that can exist on your network.
NAT allows an internal host such as a web server to have an unregistered (private)
IP address and still be reachable over the Internet. A look up table of all registered
IP addresses must be maintained to ensure correct routing of communications.
NAT can also act as a firewall by preventing outside computers from connecting
with the local network, unless it is a connection initiated from within the local
network. When queries for the database server arrive from a client, the NAT
rewrites the headers of IP packages, and forwards them to the database server with
the least load. The reply packets are then returned to the client and it appears the
information came from one database server and only one IP address.
283
HOB RD VPN
When connecting with the HOB PPP Tunnel to addresses within your computer
network from outside the system, a secure connection from the client to the server
that is not affected by NAT or Domain Name System (DNS) issues is built. This is
also the case when you want to use the HOB PPP Tunnel to access systems that
are in different sub-networks to the addressed L2TP server.
A dynamic form of NAT is used in cases where the user would like to communicate
across multiple company networks, not just the network in which they are located.
In the sample scenario depicted below the servers in subnet 1 are directly
accessible from the remote client, while those in subnet 2 are not directly accessible
from the client, so in this case NAT or DNS issues would normally arise.
Figure 4: Connecting Remotely to a Server in a Sub Network
As the configurations for the various networks can be stored on different servers,
and you can be working across different networks, you also need to specify whether
a HOB TUN or an external L2TP server is to be used.
This NAT process works in this way: the sender of a message sends the
communication to the HOB WSP. The HOB WSP translates the network element of
the IP address to suit the current network, while the Host element remains
unchanged.
When the client initiates the communication it is the destination address that is
translated, when the server initiates the communication it is the sender IP address
that is translated.
When starting, the client machine informs the HOB WSP about the network where
it is located. Only if this matches the intranet (server network) is NAT performed.
The network part of the IP address is translated while the host part is not translated.
The following IP addresses are translated:

IP addresses in the PPP protocol

IP addresses in DNS replies

284
IP addresses in normal data packets, where from the client to the server the destination address is translated, while from the server to the client the sender address is translated
HOB RD VPN
22.3 Configuring the HOB PPP Tunnel
The HOB PPP Tunnel uses a dynamic process for network address translation. This
dynamic form of NAT is used where a private (unregistered) IP address is mapped
to a (registered) public IP address drawn from a pool of registered (public) IP
addresses the client wishes to communicate with, addresses that are not part of the
corporate network, but are external to the system. This pool can be used when the
client is communicating with a private network consisting of a large number of both
private and public workstations and IP addresses. The network could be, for
example, a large hotel with an address pool, typically in the range 10.x.x.x, or a
large industry convention. This dynamic NAT is very often used where the user
would like to communicate across multiple company networks, not just within the
network where they are currently located.
Dynamic NAT gives access to any networks that are behind the HOB WSP and so
does not prevent an intruder accessing any of these networks that are behind the
HOB WSP. This has given rise to the impression that dynamic NAT is insecure. It
in fact helps to secure a network layout as it masks the internal configuration of a
private network. When the network layout is secured it makes it more difficult for
someone outside the network to monitor individual usage patterns or target a
specific location. Dynamic NAT also allows a private network to use private IP
addresses that are invalid on the Internet but are useful as internal addresses.
The first step is to enable the HOB PPP Tunnel in the configuration program of the
HOB WebSecureProxy.
1.
Start the HOB WebSecureProxy configuration program.
2.
Open the Extensions > PPP Tunnel scheme at the left of the tree structure.
Figure 5: HOB WSP Configuration - HOB PPP Tunnel
3.
Click the Add button and a small list pops up, see the dialog below.
285
HOB RD VPN
Figure 6: HOB WSP Configuration - HOB PPP Tunnel Settings








286
Name – here you enter a name you wish to use for this HOB PPP Tunnel configuration.
Mode – the connection mode is PPP Tunnel by default.
Use network adapter – this dropdown list contains the different types of network
adapter configured for this system. This is disabled by default
Predefined protocol - this field contains the different types of protocols configured for this system. This is disabled by default as only the protocol HOB-PPPT1 can be used for the HOB PPP Tunnel.
Target filter - this dropdown list contains the different types of target filter configured for this system. The default is None. For more information on Target Filters, please see Chapter 26 HOB Target Filters.
Server network – enter here the server network for which the HOB PPP Tunnel
is to be configured. If you require flexibility and want to specify an IP block using
a CIDR (Classless Inter Domain Routing) subnet mask notation, enter the suffix
in the small field on the right.
Authentication method - this dropdown list contains the authentication methods available for this communication. Pass through (L2TP Gateway only) is
the default if an L2TP Gateway is enabled, this is not available if a Ray Packet
Interface is being used. Other options are None and Negotiate.
Negotiate Authentication Methods - this list box is active only if the authentication method of Negotiate is selected. You select the type of negotiate authentication from this list, the available authentication types are EAP, MS-CHAP-V2
and PAP. Use the buttons on the side to manage this list.
HOB RD VPN



4.
Protocol Plugins - this list contains the configured protocol plugins that are
available for this communication. To add a configuration for protocol plugins to
this list, please see Chapter 22.6 Configuring Dynamic NAT on page 292 or
Chapter 22.7 Configuring the HOB TCP Tuner on page 296 for more information
on the configuration of Dynamic NAT or the HOB TCP Tuner.
Use raw packet interface - check this box to enable the raw packet interface.
L2TP Gateway - this dropdown list contains the possible L2TP gateways that
can be used for this communication. This is disabled if the Use Raw Packet Interface checkbox has been enabled. For more information on this topic, see
Chapter 22.4 Configuring L2TP for the HOB PPP Tunnel on page 288.
Once all the fields on this tab have been completed, you need to go to the
second tab, Client Configuration.
Figure 7: HOB WSP Configuration - HOB PPP Tunnel Client Configuration
The fields to complete here are:
IP number:Port - enter the connection information for the PPP Tunnel client in this
field. It is important that you specify here the IP address (or the DNS name) together
with the port number for the connection from the internet. If this field is left empty,
the information is (in most cases) extracted from the URL in the browser, depending
on the system setup.
System Parameters - here you enter the system parameters required for this PPP
Tunnel configuration for each operating system on the relevant tab
5.
Save the configuration (Main menu > File > Save), and the HOB PPP Tunnel
component has been configured and is ready for use.
287
HOB RD VPN
22.4 Configuring L2TP for the HOB PPP Tunnel
The configuration of a PPP Tunnel with Dynamic NAT for an internal L2TP server
is performed similarly to those configurations described in the previous section. An
external L2TP server need not be configured, and individual IP addresses do not
need to be configured for NAT.
To configure an L2TP Gateway, follow these steps:
1.
2.
Open the Extensions > L2TP Gateway scheme on the left in the tree
structure. The following screen is displayed:
Figure 8: HOB WSP Configuration - L2TP Configuration
The fields on this dialog are as follows:


Name – here you enter the name you wish to use for this L2TP Gateway configuration.
Use network adapter – select from the dropdown list the adapter you want to
use. The default is Any.
L2TP Gateway settings:


Host IP address – here you enter the address of the machine that hosts the
L2TP gateway.
Host IP port – here you enter the port of the L2TP gateway. The default port is
1701.
Authentication If Required
288

Character set - select the character set to be used from the dropdown box

User ID - enter the ID for the user who will use this PPP Tunnel configuration

User password - enter the password for this user
HOB RD VPN
Save the configuration (Main menu > File > Save), and the L2TP Gateway
component has been configured and can be selected for use in the configuration of
the HOB PPP Tunnel
22.5 Configuring a Raw Packet Interface for the HOB PPP
Tunnel
Each communication requires an interface that allows the data, in the form of raw
packets, to be transmitted. For this a raw packet interface must be configured for
the HOB PPP Tunnel to enable communication.
22.5.1 Configuring the Raw Packet Interface - Settings
To configure a raw packet interface for the HOB PPP Tunnel, follow these steps:
1.
2.
Open the WSP Servers > Raw Packet Interface scheme on the left in the tree
structure. The following tab screen is displayed:
Figure 9: HOB WSP Configuration - Raw Packet Interface Settings
These are the fields on this first tab that need to be completed for the raw packet
interface to be configured:



Allowed Raw Packet Interface IP Address Ranges - this list specifies the
range of IP addresses and the prefix size that the raw packet interface can process for any communication. Use the Add and Remove buttons to manage this
list.
Raw packet interface IP address - enter the IP address of the raw packet interface
Use network adapter - select from the dropdown list the network adapter to be
used. Create a network interface under WSP Servers > WSP Server(1) > Network Interfaces and then use the Add button.
289

HOB RD VPN
Windows driver installation strategy - select from the dropdown list the strategy to be used for the installation of Microsoft Windows drivers, the default is
no-install-or-uninstall.
22.5.2 Configuring the Raw Packet Interface - Tunnel
The second tab on this dialog is the Tunnel tab. This Tunnel tab is where you
configure DNS or NBNS for the PPP Tunnel clients.
The Domain Name System or DNS is the naming system for computers, services,
or any resource connected to the Internet or a private network. It associates domain
names assigned to each of the participating entities with the various system-specific
information held by the system. A Domain Name Service translates queries for
domain names into IP addresses for the purpose of locating computer services and
devices worldwide. The HOB PPP Tunnel can use its own DNS, in a similar setup
to NAT. When the tunnel is enabled, you can assign specific (numerical) IP
addresses to stated host names.
NBNS (NetBiOS Naming System) is similar to DNS and is used to confirm the
presence of machines in the network.
The Tunnel tab has the following fields:
Figure 10: HOB WSP Configuration - Raw Packet Interface Tunnel
This tab screen contains the following fields:
DNS Servers For The Client


290
Tunnel DNS 1 - here you enter the IP address of the first DNS server to be used
for the HOB PPP Tunnel. This must be entered for each HOB WSP in your system.
Tunnel DNS 2 - here you enter the IP address of the second DNS server to be
used for the HOB PPP Tunnel.
HOB RD VPN


Tunnel NBNS 1 - here you enter the IP address of the NetBiOS Naming System
service to be queried for the HOB PPP Tunnel.
Tunnel NBNS 2 - here you enter the IP address of the second NetBiOS Naming
System service to be queried for the HOB PPP Tunnel.
Tunnel IP Address Ranges - here you enter the range of IP addresses that can be
used for the HOB PPP Tunnel.
22.5.3 Configuring the Raw Packet Interface - SSL Identifier
If the SSL Identifier is required for communication over the HOB PPP Tunnel, it can
also be configured here. The third tab on this dialog shows the following:
Figure 11: HOB WSP Configuration - Raw Packet Interface Tunnel with SSL Identifier
The fields on this dialog are:




TCP connection timeout (sec) - here the number of seconds to wait before the
connection times out is entered, the default is 3000.
Number of TCP connection attempts - the number of attempts that can be
made to establish a connection is entered here.
Use Random TCP Source port - check this to use a random TCP source port.
Allowed TCP Source Port Ranges - in this list the TCP source port ranges
(from the Start to the End) can be entered. Use the Add and Remove buttons to
manage this list.
For more information on the HOB SSL Identifier, see Chapter 27 SSL Identifier on
page 361.
Save the configuration using Main menu > File > Save and the Raw Packet
Interface component has been configured and can be selected for use in the
configuration of the HOB PPP Tunnel.
291
HOB RD VPN
22.6 Configuring Dynamic NAT
Dynamic NAT is used where a private (unregistered) IP address is mapped to a
(registered) public IP address drawn from a pool of registered (public) IP addresses
the client wishes to communicate with. These addresses are not part of the
corporate network, but are external to the system. This pool can be used when the
client is communicating with a private network consisting of a large number of both
private and public workstations and IP addresses.
Dynamic NAT is very often used where the user would like to communicate across
multiple company networks.
22.6.1 The Dynamic NAT Tab
To configure Dynamic NAT for the HOB PPP Tunnel, follow these steps:
1.
2.
Select the Extensions > Dynamic NAT scheme on the left in the tree structure.
Figure 12: HOB WSP Configuration - Dynamic NAT
3.
292
Now select Add to create a new Dynamic NAT configuration for the HOB PPP
Tunnel. The following dialog is displayed:
HOB RD VPN
Figure 13: HOB WSP Configuration - Extensions - Dynamic NAT
The fields to be completed on this first tab screen are:




Name - here you enter a name for this Dynamic NAT configuration
Translated Network - here you enter the address of the network from where the
IP address of the clients can be taken for this communication
Alternate Translated Network - here you can enter the address of an alternate
or backup network from where the IP address of the clients can be taken for this
communication
ALG-SIP - check to enable the Application Level Gateway (ALG) use the SIP
protocol for the communication
293
HOB RD VPN
22.6.2 The DNS Tab
The second tab for this dialog is the DNS tab. Here you configure the pool of IP
addresses that are to be used for communication under dynamic NAT.
Figure 14: HOB WSP Configuration - DNS tab
In this tab you use the Add, Edit and Remove buttons to manage the list of DNS
entries. To enter a DNS onto this list, click the Add button to bring up the following
dialog:
Figure 15: Add DNS Entry to DNS List
On this popup you can see the following fields:


DNS - this is the name of the pool of IP addresses that you are creating or editing
DNS IP Addresses - here you enter the IP addresses that will be added to the
DNS pool
Here you use the Add, Edit and Remove buttons on the right to manage this list of
IP addresses that will make up the IP address pool available for use by this DNS.
The Add button at the bottom adds this DNS to the DNS list and keeps the dialog
open, the Add & Close button adds the DNS to the DNS list and closes the dialog,
Cancel closes the dialog without any changes being saved.
294
HOB RD VPN
When you click the Add button to add a new IP address to the IP address pool the
following popup appears:
Figure 16: Add IP Address to DNS List
IP Address - here you enter the IP address that you want to add to the pool of IP
addresses used by this DNS.
22.6.3 The Exclude DNS Tab
This tab is important to the configuration when there are certain addresses that are
not to be used in standard communication using dynamic NAT. Here you specify
specific IP addresses that, for whatever reason, are not to be used.
Figure 17: HOB WSP Configuration - Exclude DNS Tab

Exclude DNS List - this list holds the individual IP addresses that are to be excluded from all DNS IP address pools.
You can use the Add and Remove buttons to manage this list.
Save the configuration using Main menu > File > Save and the Dynamic NAT
the HOB PPP Tunnel
295
HOB RD VPN
22.7 Configuring the HOB TCP Tuner
The HOB TCP Tuner is a protocol plugin that allows the server to more efficiently
transmit communications that use the TCP transmission protocol. It also regulates
the flow of the transmissions in such a way that it eliminates the occurrence of TCP
packets moving at different speeds, thus causing TCP meltdown.
To configure the HOB TCP Tuner for the HOB PPP Tunnel, follow these steps:
1.
2.
Select the Extensions > TCP Tuner scheme on the left in the tree structure.
Figure 18: HOB WSP Configuration - Extensions - TCP Tuner
Now click the Add button at the bottom to create a new TCP Tuner configuration for
the HOB PPP Tunnel.
296
HOB RD VPN
22.7.1 HOB TCP Tuner - Dynamic NAT Tab
The first tab on the screen that is now displayed is the Dynamic NAT tab. This
allows you to specify how the HOB TCP Tuner will use Dynamic NAT.
Figure 19: HOB WSP Configuration - TCP Tuner - Dynamic NAT Tab
The fields to be completed on this first tab screen are:






Name - here you enter a name for this Dynamic NAT configuration
Translated Network - here you enter the address of the network from where the
IP address of the clients can be taken for this communication
Alternate Translated Network - here you can enter the address of an alternate
or backup network from where the IP address of the clients can be taken for this
communication
ALG-SIP - check to enable the Application Level Gateway (ALG) use the SIP
protocol for the communication
Display NATted IP Addresses - check this to display those IP addresses that
have been translated from one network
Integrated DNS Server - check this to enable an integrated server for DNS
297
HOB RD VPN
22.7.2 HOB TCP Tuner - DNS Tab
The second tab on the HOB TCP Tuner dialog is the DNS tab. Here you configure
the pool of IP addresses that are to be used for TCP communication under Dynamic
NAT.
Figure 20: HOB WSP Configuration - TCP Tuner - DNS Tab
In this tab you use the Add, Edit and Remove buttons to manage the list of DNS
entries. To enter a DNS onto this list, click the Add button to bring up the following
dialog:
Figure 21: Add DNS Entry to DNS List
On this popup you can see the following fields:


DNS - this is the name of the pool of IP addresses that you are creating or editing
DNS IP Addresses - here you enter the IP addresses that will be added to the
DNS pool
Here you use the Add, Edit and Remove buttons on the right to manage this list of
IP addresses that will make up the IP address pool available for use by this DNS.
298
HOB RD VPN
The Add button at the bottom adds this DNS to the DNS list and keeps this dialog
open, the Add & Close button adds the DNS to the DNS list and closes the dialog,
Cancel closes the dialog without any changes being saved.
When you click add th add a new IP address to the IP address pool the following
popup appears:
Figure 22: Add IP Address to DNS List

IP Address - here you enter the IP address that you want to add to the pool of
IP addresses used by this DNS.
22.7.3 HOB TCP Tuner - Exclude DNS Tab
The next tab on the screen is the Exclude DNS tab. On this tab you specify specific
IP addresses that, for whatever reason, are not to be used in standard
communication using dynamic NAT.
Figure 23: HOB WSP Configuration - TCP Tuner - Exclude DNS Tab
Exclude DNS List - this list holds the individual IP addresses that are to be
excluded from all DNS IP address pools.
299
HOB RD VPN
22.7.4 HOB TCP Tuner - SOCKS Servers Tab
The next tab on the screen is the Socks Servers tab. Here you specify the IP
address for the DNS of the SOCKS server and the TCP port that it uses.
Figure 24: HOB WSP Configuration - TCP Tuner - SOCKS Servers Tab
22.7.5 HOB TCP Tuner - FTP Servers Tab
The next tab on the screen is the FTP Servers tab. Here you specify the IP address
for the DNS of the FTP server and the TCP port that it uses.
Figure 25: HOB WSP Configuration - TCP Tuner - FTP Servers Tab
300
HOB RD VPN
Save the configuration using Main menu > File > Save and the HOB TCP Tuner
the HOB PPP Tunnel
22.8 Assigning the Server List
The final step in the configuration is to assign the HOB PPP Tunnel Server List to
the HOB WSP itself, for the HOB WSP to use when creating connections.
1.
In the HOB WSP configuration interface select the role for which the HOB PPP
Tunnel is configured, for example User.
2.
Under the Settings tab select Privileges > Server Lists.
Figure 26: HOB WSP Configuration - Roles - Server Lists
3.
Check the PPP Tunnel server list from those already configured. If you have
configured more than one list for the HOB PPP Tunnel, you may select all of
these for use.
4.
Use the Check All or Clear All buttons to help you refine your selection.
5.
Save the configuration (Main menu > File > Save), and the Server List is ready
for use.
301
HOB RD VPN
22.9 Creating a HOB PPP Tunnel Portlet on the Navigation
Screen
To create the portlet that allows your users to easily enable the HOB PPP Tunnel
for their sessions, you have to select the role for which the portlet is to be assigned
in the HOB WSP configuration interface. In the example shown in this section the
User role has been selected.
1.
In the HOB WSP configuration interface select the tab Privileges > Portlets
and the following screen is displayed.
Figure 27: HOB WSP Administration - Role Settings - Privileges - Portlets
2.
Click Add to add the new portlet to the list of those available already to this role,
and the Add Portlet dialog is displayed.
Figure 28: Add Portlet
302
3.
Under Portlet select HOB PPP Tunnel from the dropdown box to add it to the
portlet list.
4.
Choose the State in which the portlet will appear on the HOB RD VPN
navigation screen, either Open (expanded) or Closed (collapsed).
5.
Click Add & Close to add this portlet the list. This dialog also closes.
6.
Save the changes to the HOB WSP configuration (Main menu > File > Save)
and close the dialog. The new portlet for the HOB PPP Tunnel is now available.
HOB RD VPN
22.10 Using the HOB PPP Tunnel
Open the HOB RD VPN start page and click the Start PPP Tunnel menu item that
is displayed on this page, if it has been configured by the administrator. Once this
menu item is selected the HOB PPP Tunnel starts and a tray icon appears in the
notification area of the client computer.
Click on the tray icon to open a status dialog of the HOB PPP Tunnel, which you
can also use to terminate the connection.
Other resources on the Internet can still be visited with the same browser
once the HOB PPP Tunnel has started. This does not affect the
HOB PPP Tunnel, nor will closing the browser disconnect or close the
HOB PPP Tunnel. This is not the case if Anti-Split Tunneling has been
enabled.
22.10.1 Anti-Split Tunnel
It is possible for users to still have access to other HOB RD VPN functions when
using the HOB PPP Tunnel; once they are properly installed and configured in the
central network, these connections can be configured for access without using the
HOB PPP Tunnel. This is known as a Split Tunnel.
Many companies consider that a split tunnel creates a security risk, so HOB have
also developed an Anti-Split Tunnel feature to restrict the use of the Split Tunnel.
Please see Section 25.1.3 Compliance Check - Anti-Split Tunnelling for more
information.
22.10.2 Reconnect After a Short Interruption of the Connection
If there is a temporary network interruption and the client loses its connection, the
user does not need to restart the HOB PPP Tunnel. Instead, the HOB PPP Tunnel
automatically resynchronizes itself with the network as soon as the interruption is
remedied. In almost all cases, the applications continue running on the client
without any problems.
The network connection of the client can be broken when, for example, the provider
temporarily interrupts the DSL line and then re-establishes the connection.
303
304
HOB RD VPN
HOB RD VPN
HOBPhone
23 HOBPhone
HOBPhone is a Java-based SIP client that allows HOB RD VPN users to securely
connect to the telephone system of your company over the internet. This means that
the users are reachable and can make phone calls everywhere as if they are
physically within the company network.
HOBPhone supports up to 5 accounts or lines, with each account able to handle a
virtually unlimited number of simultaneous active calls. The total number of calls is
limited only by the processing power, memory or bandwidth of the client. This
means that HOBPhone can also be used to connect clients on different networks in
a conference.
23.1 Configuring HOBPhone in HOB RD VPN
HOBPhone is included as an integral part of the HOB RD VPN installation. The
following configuration steps are necessary before the HOB RD VPN users can
make their first phone call via HOBPhone:

Configuring the HOB WSP for HOBPhone

Activating HOBPhone for a specific user role in the HOB WSP

Configuring a telephone system in the directory service

Configuring the connection to the telephone system
23.1.1 Configuring the HOB WSP for HOBPhone
The first step is to configure the HOB WebSecureProxy for VoIP:
1.
2.
Select the Servers element of your internal hierarchy and select
WebSecureProxy > Configure. This starts the HOB WebSecureProxy
configuration interface.
3.
Although fully integrated into HOB RD VPN, HOBPhone is a optional feature.
For this reason the configuration dialog of HOBPhone is found as an extension
to HOB RD VPN. So, to configure HOBPhone, you must select the item
Extensions. The following screen appears:
305
HOBPhone
HOB RD VPN
4.
Now you need to select the item Extensions > HOBPhone. This screen
appears:
Figure 2: Configuring HOBPhone – Settings Tab
The fields on this screen to be completed are:

Name – here you enter a name you wish to use for this HOBPhone configuration.

Mode – this field holds the required connection mode, it is disabled by default.


306
Use Network Adapter – this field holds the required network adapter information, and is disabled by default.
Predefined Protocol – this field holds the required communication protocol and
is disabled by default, as the necessary protocol, HOB-VOIP-1, is already entered and cannot be changed.
HOB RD VPN



5.
HOBPhone
VOIP server network adapter – here you select your network desired adapter
from the dropdown list, or leave as Any for the default adapter to be used. This
network adapter will be used by HOB RD VPN for all VoIP connections to the
telephone system.
Keep alive (sec) - the amount of time in seconds the connection waits for new
HTTP requests/responses to be made once the connection is established, before it shuts down due to inactivity. The default is 10 seconds.
Select the Address Book tab.
Figure 3: Configuring HOBPhone – Address Book Tab
6.
In this tab you need to enter the Address book URL – the URL under which
the electronic address book is available.
Save the changes and the HOBPhone component is now configured in the
HOB WSP.
23.1.2 Activating HOBPhone for a Specific User Role
Now that you have configured the HOB WSP for HOBPhone, it must now be
assigned to at least one specific Role for your users.
1.
Open the HOB WebSecureProxy configuration, select the desired role (for
example User, as shown here) and go to Privileges > Server Lists.
307
HOBPhone
HOB RD VPN
Figure 4: HOB WSP Configuration- Roles - Server Lists
2.
Select the HOBPhone option from the list of configured server lists.
3.
Now go to Privileges > Portlets to create a portlet for HOBPhone on the
HOB RD VPN Navigation Screen.
Figure 5: HOB WSP Configuration - Roles - Portlets
4.
308
Here use the Add button and, from the Add Portlet popup dialog, select
HOBPhone from the dropdown box. You can also use this dialog to choose to
have the portlet appear in either an Opened state on the navigation screen, or
Closed.
HOB RD VPN
HOBPhone
Figure 6: Add HOBPhone Portlet Popup
5.
Click Add & Close to add this portlet to the list of those available and close the
dialog.
6.
Save the configuration and restart the HOB RD VPN Service.
7.
Now you need to configure the UDP Gate for transmissions using the UDP
protocol. This is found under the WSP Servers > WSP Server item.
Figure 7: HOB WSP Configuration - WSP Servers - UDP Access
Select the tab UDP Access. This tab contains the following fields:



Enable UDP Gate - check this to activate the UDP Gate for HOBPhone communications. The following two fields only become enabled when this box is
checked:
UDP Listening Adapter - enter here the adapter you want to use to listen to
HOBPhone communications.
UDP Listening Port - enter here the number of the port you want to use for UDP
communications. The default is 8150.
23.1.3 Configuring a Telephone System
Each firm has different requirements, so HOB RD VPN allows you to create a
telephone system as an object that can be added to your resource management
hierarchy. There can be multiple systems configured as necessary. For each
system that is configured, all sub nodes under this configuration inherit this
configuration.
309
HOBPhone
HOB RD VPN
Figure 8: HOB EA Admin – New Object – Telephone System
Select the node that will contain the new telephone system and click the New >
Organizational Unit icon in the task bar. Give the new Organizational Unit a name
(for example Telephone System, as shown here) and save the configuration.
23.1.4 Configuring the connection to the Telephone System
HOB RD VPN needs some information about the telephone system(s) that will be
connected. The best practice for this is to place the configuration on the root node,
as this then makes it possible for every user to use this VoIP system.
1.
310
Select the root node of your directory service (for example dc=hobsoft,
dc=root) and open the HOBPhone configuration dialog by right-clicking this
node and choosing Configure > HOB RD VPN 2.1 > HOBPhone.
HOB RD VPN
HOBPhone
Figure 9: HOB EA Administration - HOBPhone
2.
The following screen appears.
Figure 10: HOBPhone Configuration - Start Screen
3.
Select the Telephone systems item in the left-hand tree and click the Add
button.
311
HOBPhone
HOB RD VPN
The following dialog is displayed:
Figure 11: HOBPhone Configuration - Settings

Name – enter a name of your choice to label this telephone system configuration.

Description – here you can enter a short description for the telephone system.


Host IP Address – here you specify the IP address to be used for the VoIP connection.
Port – here you specify the port to be used for the VoIP connection (the default
is 5060). This is the port number for the SIP access to the VoIP system (also referred to as the PBX (Private Branch eXchange) - a telephone exchange that
serves a particular business or office).
The connection between the HOB WSP and the PBX requires the SIP port
to be open for both incoming and outgoing data on the PBX (normally the
SIP port 5060 by default but this can be changed), as well as any ports
required for RTP (Real-time Transport Protocol) connections. RTP is used
to deliver audio and video packets over IP networks. RTP ports are
assigned dynamically and can be any port in the number range 1024 to
65535. These can usually be restricted via the PBX settings (for example,
asterisk uses ports 10000-20000 by default) on the PBX side.
The dynamically assigned RTP ports on the HOB WSP side should
correspond to the ports provided by the operating system the HOB WSP is
running on. Defaults are: 49152 – 65535 for Microsoft Windows Server
2008 systems, 32768 – 61000 on the majority of Linux systems, and 1025
– 5000 on Microsoft Windows Server 2003 or older BSD systems.
Other firewall rules may be required by the HOB WSP for other reasons,
for example to reach the LDAP server.
312
HOB RD VPN
HOBPhone
The HOB WSP uses port 5060 to send SIP data if the parameter <SIPuse-UDP-port-5060> is set to YES in the configuration, otherwise a
dynamic port is used.


Max Sessions – here you see the maximum number of sessions (default is 500)
that can be used simultaneously for this connection.
Gateway Name – here you set the name of the gateway. Set the Gateway Name
to RTP-UDP. This is the default Gateway Name in HOB RD VPN and should always be used.
Now Save the changes and Close this dialog.
23.2 Configuring the User Accounts in HOBPhone
Now that HOBPhone has been configured and is ready for use, starting the
application displays the main HOBPhone interface screen, shown here.
Figure 12: HOBPhone Main Interface
The functions of HOBPhone are organized as menu items and as GUI buttons.
These GUI menu items and buttons are organized as follows, from the top:



Menu (Phone, Account), used for configuring user accounts
Information panel, displaying messages concerning the current status and activity in HOBPhone
The Number Entry field, Make Call and End Call icons for making calls
313
HOBPhone


HOB RD VPN
Function Tabs (Call, Call History, Missed Call Log, Conference Call, Address Book) for activating the different functions of HOBPhone. Each of these
Function Tabs have their own individual buttons and layouts
Sound and Account Panels to manage the current call
23.2.1 HOBPhone Menu
The contents of the menu (Phone, Account), shown in the menu bar at the top, are
as follows:

Menu > Phone




Device Configuration – use this option to configure the devices to use for
input and output and audio levels, see Section 23.2.3 Configuring Audio Devices on page 317 for more information.
Preferences – use this to configure the codecs that are required and to enable codec settings where applicable
Exit – finish using the HOBPhone application and shut down this feature
Menu > Account





Configure – use this option to configure the accounts for the users of the
application. See Section 23.2.2 Configuring HOBPhone User Accounts on
page 314 for more information.
Register – use this option to attempt to register the selected account and
enable this number to be used for calls
Unregister – use to unregister the selected account and make this number
no longer available for calls
Register All – this option enables you to register all configured accounts at
the same time
Unregister All – this option enables you to unregister all configured accounts at the same time
23.2.2 Configuring HOBPhone User Accounts
HOBPhone User accounts can be configured directly using the HOBPhone
interface.
The standalone HOBPhone feature allows configuration through the
HOBPhone interface, the HOBPhone feature of HOB RD VPN uses the
HOB WSP, where the user accounts are read only, and any changes to
these configurations must be made directly in the configuration storage for
your system.
To enter account details or adjust the user settings, start HOBPhone and in the
main interface screen you can either click Menu > Account > Configure or you can
right click on the individual account icon to display the following screen:
314
HOB RD VPN
HOBPhone
Figure 13: HOBPhone Configuration - General Tab




Account Name – the first field is a dropdown box that holds the name of the account that you are configuring. Use the dropdown arrow to select a different account. This account list is restricted to 5 accounts.
Delete Entry – use this button to remove the configuration of the currently displayed account.
There are two tabs that are available on this screen, General and Advanced.
The General tab is shown by default, and the settings that can be edited here
are, from top to bottom:
Protocol – HOBPhone is an application based on the SIP protocol, only SIP can
be selected here

Full Name – this holds the full name of the user attached to the SIP messages

Ident – this holds the user identity or phone number

Display number – this holds the number or name to be displayed on the local
interface only instead of the username (for example a dial group number) in the
HOBPhone interface

Registrar – here the IP address or valid DNS name of the PBX is stored

Port - the port of the PBX to use (defaults to the SIP port 5060 if not set)



Password - you enter your password as configured at the PBX to access features or a specific account here
Outbound Proxy – this contains the address of the outbound SIP proxy – SIP
requests are sent to this address
Outbound Proxy Port – this field contains the outbound proxy port number, by
default this is the SIP port 5060
315
HOBPhone
HOB RD VPN
OK – store this configuration for the specified account (a popup appears you to
prompt you to store it locally in a specific file location) and close this screen
Revert – do not save the changes to this account configuration and return to the
first account configuration
Figure 14: HOBPhone Configuration - Advanced Tab
The settings that can be edited on the Advanced tab are:

Use SRTP – enable this button to use SRTP (Secure Real-time Transport Protocol). In direct mode SRTP must be supported by all components (the PBX and
all other participants in the call) for the call data to be encrypted.
When using the WSP mode, the data can be encrypted between the
HOBPhone and HOB RD VPN regardless of the capabilities of the PBX or
other participants. If using the UDP gate the voice audio is encrypted using
the SRTP protocol, otherwise SSL is used with the communication with the
HOB WSP (unless a different protocol is used in your system, then this is
also used here).


Autoregister – an attempt to register this account with the PBX will be made automatically whenever the HOBPhone application is started
Sip Transport – when using HOBPhone to connect to the HOB WSP, all SIP
data is always passed encrypted via the TCP protocol. The UDP/TCP option only
applies to the standalone HOBPhone. Voice communications are always sent
over UDP except when in WSP mode without a UDP Gate.
Voice communications are always sent over UDP except when in WSP
mode and a UDP Gate is not being used.
316
HOB RD VPN

HOBPhone
Local IP - this setting is used when the user wishes to specify which IP address
on the local machine HOBPhone is to use to connect to the specified registrar.
The list of available IP addresses is shown is the dropdown box list. The default
setting is Auto.
On start of the application, HOBPhone attempts to find the best path to the
registrar for each account. If a path cannot be determined then the user is
prompted to choose an IP account.
This behavior can be overridden by specifying an IP address to use. Note
that this is only useful if the machine has multiple static IP addresses and
the user wishes HOBPhone to use a particular IP address to connect to the
registrar.
OK – store this configuration for the specified account and close this screen
Revert – do not save the changes to this account configuration and return to the
General tab of this account configuration
23.2.3 Configuring Audio Devices
From the main HOBPhone interface menu, select Phone > Device Configuration
and a popup is displayed. This pop up shows the list of audio devices available to
HOBPhone. Devices with audio output capability are shown with a Playback and
Ring option. Recording devices are shown with a Record option. The name of the
device is shown above each volume slider. There are also two virtual devices that
are not always present – Primary Sound Driver and Remote Audio.
Figure 15: HOBPhone Configuration – Device Configuration


Primary Sound Driver – this is a default virtual device provided by Java and
uses the default audio device automatically

Playback – check this button to activate call audio over this device

Ring – check to activate the ring audio device on incoming calls
Headphones – this shows the headphone device currently in use

Playback – check this button to activate call audio over this device

Ring – check to activate the ring audio device on incoming calls
317
HOBPhone

HOB RD VPN
Speakers – this shows the name of the loudspeaker device in use



Ring – check to activate the ring function on the loudspeaker device for incoming calls
Primary Sound Capture Driver – this device is used to record incoming sounds
and automatically uses the default audio device


Playback – check this button to activate call audio over the loudspeaker device
Record – check to activate the record device on incoming calls
Microphone - this shows the name of the microphone device in use

Record - this allows the microphone to record sounds from the user
Any changes made here are automatically implemented.
23.2.4 Configuring Audio Settings and Advanced Options
This Preferences option on the main HOBPhone menu allows you to configure the
record and playback quality and encoding settings, as well as recorded messages
and advanced settings.
Audio configuration files are created automatically on first use. By default the first
audio recording device found is enabled for voice input and the first audio output
device found is enabled for voice output. All audio output devices on the system are
enabled to ring on calls.
Codecs
This section holds options related to how audio is recorded and transmitted over the
network.
Figure 16: HOBPhone Configuration – Audio Settings G.711
Audio settings of HOBPhone consist of the following:

318
16Khz Sampling – if this option is selected HOBPhone will sample all recorded
audio at 16Khz. Otherwise all recorded audio is sampled at 8Khz. Only enable
this option if you plan to use a codec that supports 16Khz sampling. Changing
this option requires a restart of the HOBPhone.
HOB RD VPN


HOBPhone
G.711 (Codec Configuration) – there are two algorithms used for this codec,
PCMA and PCMU (also known as A-law, used mostly in Europe and worldwide,
and µ-law algorithm, used mostly in North America and Japan). These are the
default codecs supported by all SIP compliant devices. The codecs provide 8Khz
sampling and a bandwidth requirement of 64kbps (around 85kbps including
headers).
Speex (Codec Configuration) – this configuration can be used for less bandwidth
usage (when Narrowband is selected) or better voice quality (when Wideband
is selected).
There are five preset constant bit rates (select from the Quality dropdown box) and
a variable bit rate available.
The Quality setting only applies when the VBR (Variable Bit Rate) setting
is set to OFF.
Figure 17: HOBPhone – Audio Settings Speex Narrow Band
The following are the bandwidth requirements for Speex:
Audio Quality Setting
8Khz Sampling
(Narrowband)
16Khz Sampling
(Wideband)
Lowest (8Kbps)
29Kbps
34Kbps
Low (11Kbps)
32Kbps
42Kbps
Medium (15Kbps)
36Kbps
48.5Kbps
High (18.2Kbps)
39Kbps
55Kbps
Maximum (24.6Kbps)
45Kbps
63Kbps
VBR
23-45Kbps
25-63Kbps
Table 1: Available bandwidths for Speex settings
319
HOBPhone
HOB RD VPN
The VBR (Variable Bit Rate) setting can be used with both 8 kHz and 16 kHz, giving
full usability and also by reducing the bandwidth during conversation pauses or
slack points, increasing the efficiency of the connection.
As not all participants in a communication will have the same settings, the
band that is used is selected in the following order:
• with 16 kHz sampling ON: 1. 16 kHz, 2. 8 kHz, 3. Other Codecs
• with 16 kHz sampling OFF: 1. 8 kHz, 2. Other Codecs, 3. 16 kHz
The first preference that is also available on the receiving end is also
chosen
The following screen is shown with the Speex and Wide Band settings selected:
Figure 18: HOBPhone – Audio Settings Speex Wide Band
The following screen is shown with the Speex, Wide Band and VBR (Variable Bit
Rate) settings selected:
Figure 19: HOBPhone – Audio Settings Speex VBR
The VBR (Variable Bit Rate) setting can be used with both 8 kHz and 16 kHz, giving
full usability and also by reducing the bandwidth during conversation pauses or
slack points, increasing the efficiency of the connection.
320
HOB RD VPN

HOBPhone
GSM (Codec Configuration) – this configuration can be used for communication
over the GSM bandwidths.
GSM Full Rate – GSM requires around 35kpbs bandwidth and is of slightly lower
quality than G711. If enabled and supported by both participants in a call GSM is
favored over G711.
Recorded Messages
The recorded messages section allows the user to create up to three prerecorded
messages that can be played to answer a call. This is useful when you receive a
call during another call which you do not want to interrupt.
Figure 20: HOBPhone - Recorded Messages
If a message is enabled and no recording has been created the caller will hear a
beep.
allows the user to record a message. Recorded messages are saved
locally and limited to 15 seconds in length
deletes a recorded message
plays the recorded message
321
HOBPhone
HOB RD VPN
Advanced Options
This tab allows you the following options:
Figure 21: HOBPhone Preferences - Advanced Options



AEC – This option enables Acoustic Echo Cancellation. This option requires
considerable hardware resources.
Remove special characters from phone numbers - this option automatically
removes all non-letter characters from phone numbers. This option can be useful
for instance when copying a number with brackets from another source or when
address book entries have embedded spaces.
Use replacement rules – This option allows the addition of custom rules that
modify dialed phone numbers.
To add a rule click the Add button, then complete these three fields:

Find - this text will be replaced with the text entered in the Replace with field

Replace with - this text will replace the text entered in the Find field

Line - apply this rule to the specified line. You can either select a specific line or
All lines to apply the rule to all accounts.
The text in the Find field can be placed in double quotes "" to specify that an exact
match is required. This feature can be used to set quick-dial shortcuts.
Some examples how this can be used:
Find "1", Replace with "1234" will call the number 1234 when "1" is
dialed.
Text can also be similarly used:
Find "John", Replace with "01234567890" will dial the number
01234567890 when "John" is dialed.
This can also be used to preset an external call prefix:
Find + (no quotes), Replace with "900" will replace any + in the number
with 900
322
HOB RD VPN
HOBPhone
When an outgoing call is made all dialing rules are checked and applied
sequentially from top-to-bottom.
Jitter Buffer Length – this sets the length of the jitter buffer for incoming audio.
This improves audio quality when jitter is present on the network connection. If a
buffer is too long, slight audio delays might result. The default is set to 60ms.
23.3 Using HOBPhone
The HOBPhone main interface has 5 tabs providing different functionality. In
addition to these tabs, the following buttons and options are common to all tabs:


Menu (Phone, Account, Call) – used for configuring user accounts
Information panel – displaying messages concerning the current activity in
HOBPhone
Enter Number field, Dial and End Call – use these for
making calls. Enter the account number you want to make
a connection to in the Enter Number field, click the Dial
button to make the connection to the displayed destination
or to answer an incoming call, while the End Call button
terminates a connection and ends the call.
Function Tabs (Call, Call History, Missed Call Log,
Conference Call, Address Book) – use the Function Tabs
to access the other functionality of HOBPhone (see below
for more detail)
Sound Control – these icons allow you to place a call on
loudspeaker or to turn the microphone on or off. The icon
is shown in gray when turned off.
Accounts – this shows the currently registered
HOBPhone accounts of this user (in this example four of
the possible five are configured, account number 4 is
selected and so is shown as the largest)
Account Icon with Phone – the phone symbol in this icon
shows that this account is currently active and is
connected.
Accounts shown in Green are registered and can be used to make calls,
accounts shown in Yellow are configured but not yet registered (could not
register or no attempt has been made), accounts shown in Gray are not
configured and accounts shown in Red have been deregistered and can no
longer be used to make calls. Only registered (green) accounts may make
calls.
On receiving an incoming call, there is an in-GUI alert (if the application is running
and the GUI is open), the HOBPhone interface automatically pops up (if the
application is running but the GUI is collapsed), or the person attempting to initiate
a HOBPhone call with you receives a message that you are not reachable (if the
application not running).
323
HOBPhone
HOB RD VPN
23.3.1 Call Tab
This screen can be accessed by using the Call icon on the HOBPhone interface
(see below) and is used for making or answering calls received through the
HOBPhone application.
Call icon
Figure 22: HOBPhone Main Interface – Call Tab with Number Pad
Dial – click to make a call to the displayed destination or to answer
an incoming call
Backspace – click to delete the previous character entered in the
number entry field

Making a Call
To make an outgoing call using the HOBPhone, you have the following two options:
324
1.
Manually enter the number in the Number Entry field and click the Dial button,
or:
2.
Use the Address Book button to select a number from the Address Book and
click Dial – see Address Book Tab below for more details
HOB RD VPN
HOBPhone
When entering a dial number, the following conventions are applied:

Spaces are ignored

Numbers are truncated at the @ character, if present
The + symbol is passed as is to the PBX, which may or may not recognize
it depending on the settings of the PBX

Answering a Call
When you are alerted to an incoming call, answer by using the Dial button or by
using the Call > Accept option in the main HOBPhone interface menu. The caller
identity and other information are displayed in the information panel.

Using HOBPhone during an Active call
While a call is active, the main interface of HOBPhone will take appear as the
following screen:
Figure 23: HOBPhone Main Interface – Active Call
On this screen, all of the most recent activity of HOBPhone is displayed, with the
currently active call highlighted with a green background, as shown here:
325
HOBPhone
HOB RD VPN
The available functions that can be performed through the icons for this active call
are as follows:
End Call – use this icon to finish the call and close the connection
Place on Hold – when you have an active call (incoming or outgoing) that
you wish to place on hold, click this icon shown beside the currently active
call.
Currently on Hold - click this to reactivate the call
Transfer Call – when you have an active (incoming or outgoing) call you
wish to forward, click this button shown beside each currently active call.
Enter the number of the user to receive this call (or select them from the
address book) and click the Dial button to connect. This then connects the
active call to the destination (currently only an unattended transfer is
possible, in which case if the intended recipient of the transferred call is not
able to accept the call then the call fails and the person who transfers the
call is not notified of this).
Add to Conference – to add an active call to a conference call, or to begin
a conference call, click this icon. See Section 23.3.4 Conference Calls Tab
below for more information.
326
HOB RD VPN
HOBPhone
23.3.2 Call History Tab
This screen can be accessed by clicking the Call History icon on the tab screen
(this is effectively the same screen as that displayed when a call is currently active).
Call History icon
Figure 24: HOBPhone Main Interface – Call History
All Calls – click this button to display a list of all calls made and
received using HOBPhone
Outgoing calls – click this to display a list of all calls that were made
using HOBPhone
Incoming calls – click this to display a list of all calls that were
received using HOBPhone
327
HOBPhone
HOB RD VPN
23.3.3 Missed Calls Tab
This screen can be accessed by clicking the Missed Call icon on the Dial screen.
Missed Call icon
Figure 25: HOBPhone Main Interface – Missed Calls
23.3.4 Conference Calls Tab
This screen can be accessed by clicking the Conference Call on the HOBPhone
interface.
Conference Call icon
You can host a conference call with as many participants as are configured in the
application. Use the buttons in the icon panel of the main interface while making or
taking a call to initiate the conference call. As more calls are made, these can be
added to a conference. Note that the conference can accept participants from any
account (line). The number of participants in a conference is limited only by the
client hardware (bandwidth or processing power).
In the screen shown here as an example, there is one call currently active in the
conference call (shown with a green background), while a second participant in the
conference call (shown with a yellow background) is on hold.
328
HOB RD VPN
HOBPhone
Figure 26: HOBPhone Main Interface – Conference Calls
Hold All Participants – use this button to place all participants of the
conference call on hold, without breaking the connection
Split Conference Call – click this button to break a connection
between accounts in a conference, while maintaining your own
connection with each of those accounts. This effectively splits a
conference call into a number of more individual calls
End Conference Call – click to finish the conference and close all
connections
329
HOBPhone
HOB RD VPN
23.3.5 Address Book Tab
This screen can be accessed by clicking the Address Book icon on the HOBPhone
interface.
Address Book icon
The Address Book is an optional feature, and is not included in all versions
of HOBPhone.
Figure 27: HOBPhone Main Interface - Address Book






330
Addressbook URL – this is the URL of the server that is the exchange for HOBPhone communications. In the simplest case HOBPhone requires only this URL
to make a connection.
Authentication Method – the protocol used for authentication (for example
NTLM) is selected from this dropdown box
Addressbook Username – this is the username under which your contact details are saved in this address book
Addressbook Password – this is the password you are using
Connect through RD VPN – check this radio button to enable the connection
through HOB RD VPN
RD VPN URL – this is the URL of the HOB RD VPN to which access is being
made
HOB RD VPN

HOBPhone
RD VPN Username – this is the (domain) username that you use to access the
HOB RD VPN

RD VPN Password – this is the password for access the HOB RD VPN

KDC Host – this is by default Kerberos

KDC Username – here you enter the username of the KDC host

KDC Password – this is the password of the KDC host

Connect – click this to connect to the KDC host
331
HOBPhone
332
HOB RD VPN
HOB RD VPN
24 HOB WSP Universal Client
HOB WSP Universal Client (HOB WSP UC) enables remote access from a mobile
client device to locally installed third party applications. This applies generally to
those applications that the administrator has published on a server within the
network.
At the request of the customer, third-party applications such as Citrix ICA can also
be optionally integrated into HOB RD VPN. This requires that the relevant ports and
protocols are specifically configured for these applications.
Figure 1: Connection with HOB WebSecureProxy Universal Client and HOB WebSecureProxy
HOB WebSecureProxy Universal Client and HOB WebSecureProxy both function
as gateways for the network. They enable locally installed third party applications to
communicate over a secure channel through the Internet.
As the SSL-encrypted communications of the HOB WSP Universal Client between
the client device and the server within the enterprise network all go exclusively over
the HOB WSP, HOB RD VPN must be installed on the same server as the
HOB WSP.
HOB WSP Universal Client is configurable as a portlet.
HOB WSP Universal Client does not support browsing in an Intranet. This
is possible if the SOCKS protocol is used, but HOB RD VPN must be
configured specifically for this. For more information see Chapter 17
HOB RD VPN Web Server Gate – Intranet Access.
Requirements for the PC: For the synchronization of data between the host
machine and the mobile client device one of the following programs should be
available on the host:

Microsoft Windows Mobile Device Center

Microsoft ActiveSync
333
HOB RD VPN
24.1 Configuring HOB WSP Universal Client
The administrator must first configure the HOB WSP Universal Client for the
corresponding user or user group. To do this, open the Administration portal, select
the desired user or user group and then select HOB RD VPN > WSP Universal
Client in the dropdown list at bottom right and click Configure, as shown here:
Figure 2: WSP Administration - WSP Universal Client Configuration
The following dialog is displayed that shows the WSP UC gateway configurations
that are currently set up in the system.
Figure 3: HOB WSP UC Configuration

334
Gateway Name – here the name of the gateway machine for the communication
with the remote client device is shown.
HOB RD VPN






Incoming port – here the port on the gateway machine receiving the incoming
communications is listed.
Target IP – here the IP address of the target machine (if entered) is shown.
Applicat. Socks – this shows if the SOCKS protocol is to be used for the applications, either Yes or No.
Advanced mode – this shows if the Advanced mode is currently configured, either Yes or No (in this case only the General mode is used).
Inherited From – this shows the resource from where these settings are inherited.
Tracing – this box shows if tracing of the traffic through the gateway is enabled.
The buttons at the bottom have the following functions:
New – click to add a new gateway for the WSP Universal Client
Edit – click to edit an existing entry in the list
Delete – click to remove the selected entry from the list
Refresh – this allows you to reload the information in this list
Save – use this to save your changes and continue working here
Close – use this to save your changes and exit from this screen
When the New button is clicked, the following dialog opens. It allows you to create
and configure a new gateway for WSP Universal Client. This screen is displayed
with two tabs, the General and Advanced tabs.
335
HOB RD VPN
24.1.1 General Tab
On the General tab you set the connection details for the HOB WSP Universal
Client.
Figure 4: WSP UC - New Gateway Configuration - General Tab

Incoming Connection - in this first box the fields are:






Gateway Name – enter a desired name for your connection here
Predefined Port – select from the dropdown box the predefined port for this
connection to the server. The SOCKS port (port 1080) is the default port
Port – enter the port number, if not disabled due to the selection in the previous field
Network Adapter IP – select the IP address of the desired adapter from the
list of those available: Localhost (use that of the local machine), Any (use the
default adapter of the HOB WSP) or Specify IP Address (use a specific
adapter) that are available for the IP of the network adapter
IP Address – enter the network adapter IP address in this field, if Specify IP
Address is selected in the previous field
Outgoing Connection - in this box the fields to be completed are:

Target IP – enter the IP of the target client here, if not disabled. Under Target IP, you can enter either the IP address or domain name of the IMAP
server that is being used only for direct connections of the WSP UC to the
IMAP server, i.e. without being redirected over the WSP
Direct connections should be used only if the client application is being run
within the enterprise network, i.e. the connection to the target server is not
being made over the Internet. In such a case, this connection does not
require either authentication or SSL encryption.
336
HOB RD VPN

Use SOCKS Protocol for Application – enable this checkbox to use the
SOCKS protocol belonging to the application you wish to use
24.1.2 Advanced Tab
On the Advanced tab you can set advanced options and also tracing for the
HOB WSP Universal Client configuration.
Figure 5: WSP UC - New Gateway Configuration - Advanced Tab

Advanced Options – here you can enter more advanced configuration options
for the WSP Universal Client gateway








Enable Advanced Mode – click to activate the following options on the
gateway
Protocol Name – use the arrow icon at the end of the field to select the desired protocol from the protocol list
Use Following Server Name – click to use the HOB WSP as the server for
the gateway
SOCKS Server Name –enter the name of the SOCKS server if this is being
used for the gateway
Enable Client Data Hook – click to enable the Client Data Hook. This allows extra functionality (in the form of applications or libraries) to be added
to the client communication running the SOCKS protocol
Class Name (incl. package) – insert the name of the class to where the
data intercepted by the client data hook is to be stored
Redirect MS Outlook Connection – check to redirect the Microsoft Outlook
connection to the WSP Universal Client gateway
Tracing – use the fields in this panel to set up a trace of the data traveling over
the HOB WSP Universal Client gateway.
337


HOB RD VPN
Enable Trace – check to enable tracing of the gateway traffic. The trace
data is stored in the HOB WSP for the administration staff to monitor performance
File Name (without path) – enter the name of the file where the trace data
is to be stored
Use the OK button at the bottom to save any edits and close this dialog, the Cancel
button to close the dialog without saving, and the Help button if you need more
information.
24.2 Configuring the HOB WebSecureProxy for SOCKS
In the HOB WebSecureProxy a SOCKS connection must be configured over which
the HOB WSP Universal Client can connect. To do so, follow these steps:
1.
Start the HOB WSP administration and click WebSecureProxy > Configure.
2.
Select Extensions > SOCKS to display the SOCKS Settings tab. Here you
can configure the SOCKS server for the HOB WSP Universal Client
connection.
Figure 6: WSP UC - SOCKS Settings
338
3.
Enter a Name to be used for this SOCKS connection.
4.
Select a Network Adapter for this SOCKS connection from the dropdown box.
The other fields on this screen are disabled by default.
5.
When done, go to the main menu > File > Save to save this configuration.
HOB RD VPN
24.3 Configuring the Client
The applications to which access is to be granted through the HOB WSP Universal
Client must be installed locally on the client machine. When the HOB WSP
Universal Client is started as a Java applet, no configuration of the client is required.
24.4 Configuring the Client Application with HOB WSP
Once HOB WebSecureProxy Universal Client is configured on your system, you
can configure the client applications for communication with the HOB WSP. In the
following example, an e-mail program is configured. Two independent
configurations (one for sending, one for receiving) have to be made.
To Configure a Client Application
1.
Open the HOB WebSecureProxy configuration dialog by starting the
HOB WSP administration and clicking WebSecureProxy > Configure.
2.
Open the scheme Other Targets in the tree structure at the left.
Figure 7: HOB WSP Configuration - Other Targets
3.
Open the desired scheme or click Add to create a new scheme, as shown here:
339
HOB RD VPN
Figure 8: HOB WSP Configuration - Other Targets Server List
4.
Enter a Name for this server list that you wish to configure for the WSP
Universal Client.
5.
Click Add again to bring up the following dialog:
Figure 9: Socks Server Lists Scheme: Socks Server Configuration for IMAP
340
6.
Enter the configuration name in this tab, for example Universal Server IMAP
(for receiving e-mail).
7.
For Predefined protocol select the setting Mail IMAP.
8.
For Host IP Address enter the IP address or domain name of your IMAP
server.
HOB RD VPN
9.
Now click Add again to set up a new server configuration for sending e-mail.
Figure 10: Socks Server Lists Scheme: Socks Server Configuration for SMTP
10. Now enter a name for this new configuration here, for example Universal
Client SMTP (for sending e-mail).
11. For the Predefined protocol select the setting Mail SEND.
12. For Host IP Address enter the IP address or the domain name of the sending
e-mail server.
13. Save the configuration by using Main menu > File > Save and close the
The connection must also be configured in the application, so that the
communication from the HOB WSP is accepted on the client side. This
configuration is outside the scope of this documentation, please see the
documentation available for the relevant application for more information
on this topic.
For example Microsoft Outlook and Microsoft Exchange Server are
standard e-mail applications that must be configured on the client side to
communicate with HOB RD VPN.
341
342
HOB RD VPN
HOB RD VPN
HOB Compliance Check
25 HOB Compliance Check
The HOB Compliance Check is an optional function that consists of a further
security step carried out on each user that accesses, or tries to access the network.
The HOB Compliance Check is a more in depth analysis of the user identity and the
client configuration. This analysis is used to more precisely determine access rights
to sensitive data in the network.
A compliance check is applied to the user according to the role under which they
are authenticated. Each user can have multiple roles, and be authenticated
differently according to the data they are accessing or machines they are using,
therefore each user can undergo multiple different compliance checks each time
they log on, depending on their role.
25.1 Configuring the HOB Compliance Check
To configure the HOB Compliance Check, just follow these simple steps:
1.
Open the HOB WSP administration interface and select WebSecureProxy >
Configure. This opens the HOB WebSecureProxy configuration screen.
2.
Now select Compliance Check from the pane on the left and you see the
following:
Figure 1: HOB WSP Configuration – HOB Compliance Check


3.
Name – here you insert a name for the Compliance Check that is being created.
Mode – here you specify the connection mode to be used for this particular Compliance Check.
Now click Add to create this compliance check and open the configuration
interface, where you use the following tabs to configure the HOB Compliance
Check:
343

Settings

Integrity Check

Anti-Split Tunnel

Rules
HOB RD VPN
25.1.1 Compliance Check - Settings
The only setting required here is the entry of a name for this particular compliance
check configuration.
Figure 2: HOB WSP Configuration – HOB Compliance Check - Settings

Name – here you enter a name for this particular HOB Compliance Check.
25.1.2 Compliance Check - Integrity Check
The Integrity Check is a security measure that examines the client machine making
a connection to the system. The integrity check looks at the anti virus software
currently installed on the client and the status of that software.
344
HOB RD VPN
Figure 3: HOB WSP Configuration – HOB Compliance Check - Integrity Check




Enable – activate the compliance check for each authentication attempt for this
user by checking this box.
Name – here you assign a name to the integrity check to be added to this particular compliance check, for example the name Compliance Check Policy
is used here.
Antivirus/AntiSpyware/Firewall – in this tab sheet you decide which anti virus
software, which anti spyware software and which firewalls are to be used for this
communication configuration. You may select anti virus programs for Windows,
Linux and Mac OS X systems, with a tab for each. Use the two arrow buttons to
move the chosen anti virus programs to the selected list, or to remove them from
this list.
Settings – here the settings are used to determine how up to date the anti virus
or anti spyware program needs to be for the compliance check and how long
since an anti virus or spyware scan has been performed. The default length is 24
hours in both cases, although these settings are not supported by all anti virus
products.
25.1.3 Compliance Check - Anti-Split Tunnelling
The Anti-Split Tunnel from HOB is a security measure that prevents a user that is
connected to the system through the HOB PPP Tunnel from simultaneously using
another connection from the same client machine to the Internet. As a result there
is no chance of an unauthorized user entering the system through an already
established connection.
345
HOB RD VPN
Figure 4: HOB WSP Configuration – HOB Compliance Check - Anti Split Tunnelling




Enable – check this box to activate Anti-Split Tunneling.
Disable local network – check this box to disconnect this client from the local
network, meaning they can connect only to the servers of your system.
Set local DNS – check this box to set up a DNS on the local client.
Allowed Networks – here you set the permission to allow access to networks
through the Anti-Split Tunnel. Use the Add and Remove buttons to manage the
list of allowed networks to which the user may connect. When you click Add, an
entry field appears in this list. Each entry requires that you enter the address of
the networks that this client may connect to and the prefix size of mask of the
client.
25.1.4 Compliance Check - Rules
Rules are used to determine the connection to the system and the access levels to
be granted to the users for these rules. The rules must be assigned to the users
according to their roles. Rules can be created for the following:

Port

File

Mac

IP

Process
Use the Add, Edit and Remove buttons to maintain the rules lists.
346
HOB RD VPN

Rules for Port
Here you manage the compliance check rules for the ports being used for the
connection to the system.
Figure 5: HOB Compliance Check - Rules for Port
To enter a port rule click the Add button on the right. The following dialog is
displayed:
Figure 6: HOB Compliance Check - Add a Rule for Port



Name – the name to be used for this port rule.
Access – the level of access to be granted over the port (Must Be Open– access is granted if this rule is satisfied, or Must Not be Open – access is denied
if this rule is satisfied).
Port – enter the number of the selected port.
Use the Add button to add this rule to the list and leave this dialog open, Add &
Close to add this rule to the list and close this dialog and Cancel to close the dialog
without saving the changes.
347

HOB RD VPN
Rules for File
Here you specify how a user can connect to the files that available to this user, if
required.
Figure 7: HOB Compliance Check - Rules for File
Use the Add, Edit and Remove buttons to maintain this list.
To enter a file rule click the Add button on the right. The following dialog is
displayed:
Figure 8: HOB Compliance Check - Add a Rule for File




348
Name – the name to be used for the rule.
Access – the level of access to be granted over the port. The options here are
Must Exist (access must be granted) or Must Not Exist (access denied).
File – the location of the file that the user can access. Use the Browse (…) button
to locate the desired file.
Hash – here the hash of the selected file is entered, if desired. Use the Create
button to enter the hash.
HOB RD VPN


Modified Date and Time – here you specify the date and time to assign to the
File rule.
Date condition – here you specify the allowable age for the file, if it is to be older,
newer or the same age (equal) than the modified date and time for access to be
granted.

Rules for Mac
Here you specify the rules to be used when connecting to a machine via a Mac
address.
Figure 9: HOB Compliance Check - Rules for Mac
Use the Add, Edit and Remove buttons to maintain this list.
To enter a file rule click the Add button on the right. The following dialog is
displayed:
Figure 10: HOB Compliance Check - Add a Rule for Mac
In this dialog the fields to be completed are:


Name – the name to be used for this rule.
Must Not Be Valid (access must be granted) or Must be Valid (access denied).
349

HOB RD VPN
Mac Address – enter the Mac address for the selected rule.

Rules for IP
In this tab you specify the IP addresses that the user can connect to and those to
which access is denied.
Figure 11: HOB Compliance Check - Rules for IP
Use the Add, Edit and Remove buttons to maintain this list. To enter a file rule click
the Add button on the right. The following dialog is displayed:
Figure 12: HOB Compliance Check - Add a Rule for IP
In this dialog the fields to be completed are:



Name – the name of the IP rule to be used.
Must be Valid (access must be granted) or Must not be Valid (access denied).
IP Network – enter the IP network and the subnet mask to be used with this rule.
350
HOB RD VPN

Rules for Process
Here you can specify the processes that can be set for this user.
Figure 13: HOB Compliance Check - Rules for Process
Use the Add, Edit and Remove buttons to maintain this list. To enter a process rule
click the Add button on the right. The following dialog is displayed:
Figure 14: HOB Compliance Check - Add a Rule for Process



Name – the name of the process to be used.
Must be Run (access must be granted) or Must Not be Run (access denied).
Process Name – enter the name of the process used with this rule.
351
HOB RD VPN
25.2 Assigning the HOB Compliance Check to a Role
Now that the HOB Compliance Check is configured, it needs to be assigned to the
users as part of their roles. To do this, in the HOB WSP configuration interface
select the desired role from the hierarchy on the left. in this example, the role User
has been selected. Now on the Requirements > General tab you can see the
following:
Figure 15: HOB WSP Configuration - Compliance Check – Assigning to User Roles
On this tab are the following fields:



352
Compliance Check – select the configured Compliance Check (here Compliance Check has been selected) from the dropdown box
Priority – assign the priority (from 1 - the lowest to 100 – the highest) required
to this compliance check. In the case of multiple compliance checks applying to
a role, the checks are carried out according to the order of the priority, the greatest first.
High Entropy - checked by default, this enables that high entropy is used for
greater security when running the compliance check.
HOB RD VPN
25.3 Using the HOB Compliance Check
The HOB Compliance Check is intended to be an extra layer of security that can be
added to the authentication of the user. It is also used when authorizing a user to
their role and their permissions within the system.
Anti Split Tunnel
The Anti Split Tunnel restricts systems to using connections that go exclusively
through the PPP Tunnel, all other connections being blocked from access.
Administrators can also configure resources and functions of HOB RD VPN on
security grounds to use only the HOB PPP Tunnel, via the Windows Firewall on the
client. This is not a function of HOB RD VPN, so this must be done manually
For access to a public network, the user must first close the connection to the
corporate network. For those users who require access to a public network while
working in their local network, the Anti Split Tunnel is not enabled by default. This
must be enabled by the administrators.
Anti Split Tunneling is a utility that functions only with Microsoft Windows
systems.
Exceptions to Anti Split Tunneling can be configured by the administrator with
regard to the local network, DNS servers and dedicated servers or hosts. This utility
runs as a service on your PC and if activated is an essential condition for
HOB RD VPN to work, increasing the security of your system.
Before Anti Split Tunneling can be used, the Anti Split Tunnel utility must
be installed on the client. If this service is not running, the user
automatically receives information on how to install it when logging on to
HOB RD VPN. Administration rights are required for the installation of this
service on the client system.
353
354
HOB RD VPN
HOB RD VPN
HOB Target Filters
26 HOB Target Filters
Target filters give the administrator of HOB RD VPN a flexible and granular means
of access control. A target filter in HOB RD VPN is a combination of one or more
“Allow” or “Deny” rules that enable you to restrict the access of the users to certain
connection targets in the corporate network. After configuring a target filter you can
assign the target filter to a role.
Target filters have an effect on the following connections:

Web Server Gate

PPP Tunnel

SOCKS
Any connections that are defined in the Outgoing Connections of the
HOB WebSecureProxy are not affected by the Target Filters.
Figure 1: Using Target Filters - a Typical Scenario
26.1 Configuring Target Filters
To activate a target filter, you have to perform the following configuration steps:

Adding a target filter

Editing filter rules
The target must then be applied to a user role for it to be used.
26.1.1 Adding a Target Filter
The following steps show you how to add a new target filter:
1.
Start the HOB RD VPN WebSecureProxy configuration program.
2.
Click the Target Filters item in the left-hand pane. This screen is displayed:
355
HOB Target Filters
HOB RD VPN
Figure 2: HOB WSP Configuration - Target Filters
3.
Click the Add button at the bottom of this screen. A new target filter scheme
called Target Filter(1) is created (you may change this default name as you
require).
Figure 3: HOB WSP Configuration - Target Filter Settings
356
4.
Enter a name of your choice for the new target filter in the Name field, such as
Example Target Filter. Every new target filter already contains one default
rule, shown highlighted in the example dialog above. The default rule denies all
connections, meaning that no connection targets are currently accessible with
this target filter. Now create at least one additional rule, use the Add button to
do so.
5.
When you click the Add button the Add rule dialog appears.
HOB RD VPN
HOB Target Filters
Figure 4: WSP Configuration - Adding a Rule
The Add Rule dialog consists of the following fields:
Action – check either Allow or Deny.
Allow - makes the connection to a connection target possible
Deny - prevents a connection being made
A combination of several Allow and Deny rules allows you to create a target filter
that accurately controls access to your network resources. Whenever
HOB RD VPN is requested to open a connection, the rules stack is processed
beginning with the first rule. As soon as a request matches a filter rule, the rule is
executed (Allow or Deny) and the execution of the rule stack stops. If the rule does
not match, the next rule in the stack is checked and so on. When no rule matches,
the default Deny rule at the bottom of the stack is performed.
DNS name – In the DNS name field you can enter the DNS name, for example
www.mycompany.example.com, of a connection target. If flexibility is required and it
is intended to specify an IP block, leave this edit field empty and enter the desired
data in the IP network field.
IP network – In the IP network field you can enter either a single IP address in
dotted decimal notation, such as 100.100.10.1, or an IP block in IP/CIDR notation,
such as 100.100.10.1/30 (enter the suffix in the small field on the right).
Protocol – The protocol dropdown list specifies the protocol to which the current
filter refers. Every rule allows the setting of only one protocol. If you want to allow/
deny another protocol you have to create an additional rule (the Custom Protocol
entry field is active only if Other has been selected as the protocol).
Ports – You can create a list of ports that are allowed or denied for the connection
by this rule .
Arrow - use this to add a port number to the list of allowed ports
Delete - remove an existing port from the list
357
HOB Target Filters
HOB RD VPN
It is recommended that not only TCP and UDP ports are released. You may
also allow ICMP / ICMPv6 to ensure the immediate assignment of the IPv6
address of the HOB PPP Adapter. This is because when using IPv6, there
can be problems when the ICMPv6 (0x3a) protocol is disabled. This can
delay the assignment of the IPv6 address of the PPP adapter. With the
activation of the ICMPv6 protocol, the IPv6 address of the PPP adapter is
assigned immediately.
6.
Click Add to add the currently edited rule to the list of Target filter rules. The
default rule always remains the lowest rule and is not editable.
7.
If desired, you can change the order of the rules by using the Up or Down
buttons on the right side of the Target Filter panel. Note that you cannot move
the default rule from the lowest position of the filter rule stack.
8.
If desired, you can change an existing rule by selecting the rule and then the
Edit… button.
9.
To save the changes made so far in the configuration, select File > Save from
the menu. When you have added all the filter rules desired, you need to assign
the new target filter to a user role (see next section for more information).
26.2 Using Target Filters
After you have configured a target filter you can assign it to a user role. Note that
you can assign only one target filter to one user role. To assign a target filter:
1.
Go to the HOB RD VPN WebSecureProxy configuration program and select
the Roles item in the left-hand pane to display the user schemes.
2.
Click the desired role, for example Power User.
3.
Click the Privileges tab in the right-hand pane and then select the Target
Filters tab.
Figure 5: Assigning a Target Filter to the User Role
358
HOB RD VPN
HOB Target Filters
4.
The Target Filter dropdown list contains all target filters that you have already
configured. Choose the desired target filter (in this case Company Target
Filter) from this list.
5.
Select File > Save from the menu to save the changes in the configuration.
359
HOB Target Filters
360
HOB RD VPN
HOB RD VPN
SSL Identifier
27 SSL Identifier
The SSL Identifier is a feature of HOB RD VPN that allows you to accurately identify
the initiator of all communications within the system as well as all those
communications that enter the system from outside.
The standard process of communication is that an incoming communication comes
to the SSL gateway, the web server responsible for the messages. This web server,
the HOB WebSecureProxy, analyses the IP address of the intended destination. It
then terminates the external message and initiates a new message, from the
gateway to the destination. This means that the source of the message received by
the destination is the SSL VPN gateway, not the original external source. As such
the intended final destination cannot always determine the original sender of any
messages, only that the message came from the gateway.
Figure 1: Standard Deployment - SSL VPN
To counteract this issue, HOB developed the SSL Identifier to attach an
identification of the user sending the message to the message, and this
identification is carried through the gateway into the internal network. This means
that the source of each message can be completely and properly identified at all
times.
27.1 Configuring the SSL Identifier for the User
The SSL Identifier identifies the source of a communication by user name to the
destination target of that communication. To do this the IP address of that user must
be entered under that users logon and authentication data.
1.
Open the HOB RD VPN administration interface and select the user to be
assigned the SSL Identifier (in this example User3).
361
SSL Identifier
HOB RD VPN
2.
Use the dropdown box on the right to select User Settings. Click Configure
and the following screen is displayed:
Figure 3: HOB RD VPN Administration - Start Screen
3.
362
Now select Personalized IP Addresses > SSL Identifier from the
organizational hierarchy on the left, and this screen is displayed:
HOB RD VPN
SSL Identifier
Figure 4: SSL Identifier - Enter IP Addresses
4.
Click Add to enter the IP address with which this user name is to be associated.
Multiple IP addresses may be added for each user. These IP addresses are
assigned to the user by the system for each transaction in the system, replacing
the IP address of the machine that originates these transactions. Use Remove
to delete any selected entries from this list.
5.
Click Save or Close when finished entering your data.
363
SSL Identifier
HOB RD VPN
27.2 Configuring the SSL Identifier for the WSP
Now that the HOBPhone has been set up, it must be activated and assigned to the
users according to their roles through the HOB WSP.
1.
To activate the SSL Identifier, open the HOB RD VPN administration interface
and select WebSecureProxy > Configure. This opens the
HOB WebSecureProxy configuration screen.
Figure 5: HOB WSP Configuration - Server Configuration
364
1.
Select the server list for the Outgoing Connection that is to use the SSL
Identifier. In this example shown above the RDP Targets > Windows
Terminal Servers server list has been selected.
2.
Now select the individual server (or add a new server if needed), in this case
Example_RDP_Server.
3.
Select the Expert Options tab for this server, the following screen is displayed:
HOB RD VPN
SSL Identifier
Figure 6: HOB WSP Configuration - Expert Options
4.
Check the Use Raw Packet Interface (SSL Identifier) checkbox to activate
the SSL Identifier.
5.
Now that the SSL Identifier is active for this server it needs to be assigned to a
role.
6.
Select the role of those users that are to use the SSL Identifier, in this example
below the role PowerUser, and the following screen is shown:
Figure 7: HOB WSP Configuration - Server List for Role
7.
In the Settings tab select Privileges > Server Lists and select the server list
for this role, in this example the Windows Terminal Servers list.
365
SSL Identifier
8.
HOB RD VPN
Save the configuration and the SSL Identifier is now active for all
communication with the selected server for users with the chosen role.
27.3 Using the SSL Identifier
Each user receives a dedicated user specific personal IP address through which
they can be traced throughout the system. These personalized IP addresses for the
user are stored in a directory service form, and can be accessed by the WSP
whenever the user logs onto the system.
When a user is created, or edited, they can be given an SSL Identifier by the
administrator in accordance with the procedure outlined above.
The IP addresses that are assigned to the users are created and stored in the
directory service for the domain of which the users are members. Individual users
may of course be members of multiple domains, so they would need to have
multiple SSL Identifier IP addresses assigned to them.
366
HOB RD VPN
Additional HOB Solutions
28 Additional HOB Solutions
The following solutions have been developed by HOB but are not delivered with
HOB RD VPN. These solutions can be purchased additionally to complement
HOB RD VPN, as they add extra functionality and usability, as set out by the needs
of your enterprise. They fit seamlessly with all other components of HOB RD VPN.
HOB Remote Desktop Enhanced Services
Enables additional RDP functionality, such as HOB Local Drive Mapping,
HOB Audio, etc. HOB Local Drive Mapping is an essential requirement for certain
forms of virus checking procedures.
HOB X11Gate
HOB X11Gate 2 provides access to applications residing on UNIX/Linux servers
from a Windows Terminal Server Client (TSC) such as HOBLink JWT, running on
any platform. Using this solution both UNIX servers and Windows Terminal Servers
(WTS) can be accessed with just one client software
HOB MacGate
HOB MacGate gives you Remote Desktop access to your Mac computer over a
network, either a LAN or the Internet.
28.1 HOB Remote Desktop Enhanced Services
The HOB Remote Desktop Enhanced Services (HOB RD ES) solution comprises a
set of features that provides Windows Servers with additional functionality that is not
provided by Microsoft.
Features at a Glance:

Optional expansion for HOB RD VPN and HOBLink JWT

Expanded Load Balancing, including large server farms

Enhanced access via HOB Local Drive Mapping

Greater program accessibility with HOB Application Publishing

More usable interface interaction with HOB True Windows

Optimized printer solutions with HOB Printer Port Mapping

Integration of scanners
HOB RD Enhanced Services features are a set of additional functions that can be
used with HOB RD VPN for secure remote access to the applications and data in
your enterprise network to make your daily work easier and more efficient.
HOB RD ES consists of several modules that must be installed on the Windows
servers in order to obtain this functionality. HOB RD ES provides a snap-in for the
Microsoft Management Console (MMC), with which these features can be
configured. The snap-in can be installed either on a Windows Server or locally on
the administrator workstation. The modules are not all installed automatically, so
you have the choice of which modules you wish to install.
367
HOB RD VPN
There is also an easy-to-use modularized program for when you are planning to
install HOB RD ES.
28.2 HOB X11Gate
The HOB X11Gate is a purely software based solution and can be installed centrally
on a Linux/Unix server. As HOB X11Gate is as individual a solution as your
company itself, it fits perfectly to your individual company IT infrastructure, and no
additional hardware is required.
HOB X11Gate can be used via an RDP client on any platform (Microsoft Windows,
Mac OS, Linux, thin client etc.) for SSL secured, Web based access to company
Linux/Unix servers. HOB X11 Gate also enables access for multiple users
simultaneously.
HOB has developed HOB X11Gate as the solution for access to Linux machines
using HOB Desktop-on-Demand. This solution translates X11 or X-Windows
protocols into RDP, which is required for Desktop-on-Demand.
HOB recommends using the HOB RDP clients HOBLink JWT or HOBLink iWT, or
the standard Microsoft Windows RDP client. HOB X11 Gate provides 128 bit RDP
encryption for highly secure connections.


Performant connections at very low bandwidth
Multi-session capability: simultaneous access for multiple users and multiple
connections

Support of multiple keyboard layouts

Web based administration portal

Reconnection of disconnected sessions

Support of OpenGL applications on Linux/Unix server using emulation

IPv4 and IPv6 capability

RDP encryption up to 128 bit

Enhanced security features in combination with HOB RD VPN
28.2.1 System Requirements for HOB X11Gate
There are a number of components required for the installation of HOB X11Gate.
These are as follows:
X11 Server System
The server side must have one of the following supported 64 bit Linux/Unix
distributions as the operating system:
368

SUSE Linux Enterprise Server 11

CentOS Release 6.5

Ubuntu 12.04 LTS

Red Hat Enterprise Linux Server 6.5
HOB RD VPN
Installation with a Java Virtual Machine:

JVM Version 1.7 (or later)
Hardware requirements:

Processor with minimum 1 GHz

At least 1 GB RAM

250 MB free hard disk memory
Client System
The following RDP clients are supported:

HOBLink JWT

HOBLink iWT

MS Remote Desktop Connection
28.3 HOB MacGate
HOB MacGate gives you Remote Desktop access to your Mac computer over a
network, either a LAN or the internet. This access is possible from every client
platform: Windows PC, Linux PC, thin client or even from another Mac.




All components and elements of the Mac user interface such as the menu list,
dock, icons and the program windows are fully functional in the Remote Desktop
session.
Many users work on a Windows PC as well as a Mac, so HOB MacGate fully integrates both of these systems.
HOB MacGate delivers access to the RDP client is from the client side, achieving
high performance connections across all Java-compatible platforms. The client
Remote Desktop connection application from Windows can also be used.
HOB MacGate is the secure solution for remote access to a Mac computer over
the Internet. It requires only HOB RD VPN and the HOB WebSecureProxy, and
because the window with the Remote Desktop is launched through a browser
you do not install any software on the client computer.



Remote Desktop access using RDP protocols
Open the desired Mac applications remotely while working in your PC environment
Access by RDP client (for example Microsoft Remote Desktop Connection or
HOBLink JWT)

IP Port configurable for each access

Support of the RDP security procedures

Logging of HOB MacGate messages

Synchronization from remote and local screen resolutions
369

Copy and paste of text in both directions

Support of multiple country-specific keyboards
HOB RD VPN
28.3.1 Installation
For the installation of HOB MacGate on a Mac there is an easy-to-use installation
program. HOB MacGate installs itself on the Mac as an application that runs in the
background (as a Daemon) and waits for access to a client. A simple icon in the
system control panel means that HOB MacGate can be configured by using a
standard dialog.
28.3.2 System Requirements for HOB MacGate
There are a number of components that are required for the installation of HOB
MacGate:
Mac Server System

The operating system Mac OS X 10.4 or later

A processor with a minimum of 1GHz

A minimum of 256 MB RAM is recommended
Client System


370
Supported RDP clients running on each system
An RDP client: either HOBLink JWT or Microsoft Remote Desktop Connection
(MSTSC) must be installed and configured
HOB RD VPN
Security Checks
29 Security Checks
29.1 Server
Secure Web servers are a very important requirement for web-based applications
such as HOB RD VPN. A protected Web server configuration plays a decisive role
in your network security. Poorly configured virtual directories or careless mistakes
can facilitate unauthorized access. A forgotten authorization can become a
welcome backdoor for an attacker, or an overlooked port can enable direct access
from outside. Neglected user accounts enable attackers to surreptitiously
circumvent your security measures.
To make your server secure, you must first determine the level of security needed.
Once this has been determined, you can proceed to configuring the desired security
level. This section will help you to approach this problem systematically. Follow the
steps below to secure your server:


Restrict user rights
Access to the computer settings and those of its directories must be restricted to
administrators alone.
When using the HOB WSP Web Server
Deactivate or terminate any other installed Web Server.

Deactivate or terminate any other remote access, e.g. FTP.

Protect the HOB RD VPN directories:
The following sub-directories containing configuration data have to be protected
from unauthorized access:
Sub-Directory
Contents
/portal.db
Enterprise Access database configuration data
/sslsettings
SSL certificate (HOB Certificate files)
/sslpublic
SSL certificate (HOB Certificate files – for optional
client authentication)
/wsp
HOB WSP configuration data
Table 1: Sub-Directory Contents

Secure TCP/IP connections
- Firewall
- Ports
- SSL
29.2 Firewall
A firewall is used to block unused ports and only allow data traffic to pass over
authorized ports, for example. To do this, it must be able to monitor incoming
queries in order to protect the Web server from known attack types. A firewall is a
useful tool to detect and defend against attacks, and discover their source.
371
Security Checks
HOB RD VPN
29.3 Ports
Services that are executed on the server use special ports to listen for incoming
queries. Close all unneeded ports and check regularly whether any new ports in
listening status are detected. These could indicate an unauthorized access and a
security risk.
To determine which ports are listening, i.e. are currently open, run the following
command in the command line:
netstat -n -a
This displays a list of all ports with their accompanying addresses and current
status. Make sure that you know every service listening at a port, and determine
whether these services are necessary.
While doing this, limit the number of Internet-side ports (for further information, see
the following section) and encrypt or restrict your data traffic.
29.3.1 Restrict Internet-Side Ports to TCP 80 and 443
Restrict incoming data traffic for HTTP to Port 80. For HTTPS (SSL), restrict
incoming data traffic to Port 443.
For outgoing (internet side) Network Interface Cards (NIC), you should use only
TCP filters.
29.3.2 Overview of Port assignments for Intranet/Intranet
This table contains a list of the ports currently assigned by default to specific
servers.
Network
Port Number
Port Function
Internet
443
HTTPS
80
HTTP/HOB HTTP Redirector
3389
Remote Desktop Server
23
Host (3270, 5250, VT etc.)
1812
RADIUS Server
389
LDAP Server
636
LDAP Server (SSL)
13282
HOB WSP Agent
Intranet
Table 2: Port Assignments
29.4 Logging
HOB RD VPN has a monitoring function in the form of a Logbook that records, for
example, faulty logons, error messages that were displayed, timed out logon
attempts, etc. It can also be configured so that it can automatically inform the
administrator responsible via e-mail of any events.
372
HOB RD VPN
HOB RD VPN Evaluated for Common Criteria
30 HOB RD VPN Evaluated for
Common Criteria
30.1 Information on Common Criteria
This chapter describes the different aspects of the CC / EAL4 evaluation of
HOB RD VPN. It describes tasks and requirements that must be fulfilled to satisfy
the HOB RD VPN Security Assurance Requirements and to operate HOB RD VPN
in compliance with the evaluation requirements. A Common Criteria compliant use
of HOB RD VPN is ensured only if you fully read, understand and follow the
procedures laid out in the following sections.
The following instructions provide you with an installation quick guide according to
the CC evaluation of HOB RD VPN (EAL 4). This chapter takes precedence over
any other chapter in case there is a conflict. More information can be found in the
corresponding chapters describing each item. Please make sure to strictly follow
the instructions and do not hesitate to contact HOB if there is a doubt about any of
these steps.
Related to the Common Criteria Certification, HOB has developed a process to
perform Flaw Remediation. This is a set of activities that is defined and operated
to ensure the identification, categorization and correction of any security flaw. For
more information on this topic, please see Chapter 31 Flaw Remediation.
The CC evaluated installation includes the following 3 components:

HOB WebSecureProxy

HOBLink JWT (including Webstart Module)

HOBLink Security Manager
All 3 components include the HOBLink Secure SSL Software Module.
The HOB WebSecureProxy uses the following 2 ServerDataHooks:

ServerDataHook: WebServer (including Web Server Gate)

ServerDataHook: Client Configuration
A complete list of all components and their release version numbers is
included in this installation of HOB RD VPN and can be found in the file
RDVPN_Component_Info.txt, included in the HOB RD VPN installation
media.
Version details of the current evaluated releases of HOB RD VPN and their
components can be found on the HOB website. The URL of the relevant
website is included together with the license information that is delivered
as part of the HOB RD VPN installation upon purchase.
373
HOB RD VPN
This table lays out the steps that are to be followed to conform to the EAL4
evaluation for Common Criteria security:
Steps Comment
1.
Read about the product and how it is to be used. For more information
please see Chapter 1 Introducing HOB RD VPN
2.
Read the license agreement. If you do not accept the license agreement,
you are not allowed to install or run HOB software.
3.
Make sure that the assumptions specified in Section 30.2 Security
Objectives for the Operational Environment are valid.
4.
Check the integrity of your installation media using the mechanism
described in Section 30.3 Delivery Accuracy Check.
5.
Refer to Section 30.4 Consequences of Misconfiguration if you have any
issues while following these instructions.
6.
Make sure you have a valid environment for the installation, see Section
30.5 System Requirements for more information.
7.
Install HOB RD VPN on the server machine, see Chapter 4 HOB RD VPN
Installation. The HOB WebSecureProxy (HOB WSP) is installed
automatically as part of the HOB RD VPN installation.
Please note that the installation of HOB RD VPN is processed differently in
two installation dialogs for CC and for non-CC conformity (see Chapter 4
HOB RD VPN Installation). The standard non-CC conforming access for
the HOB WSP and the targets known to the HOB WSP must not be
entered during the installation process, but instead entered only after a
manual configuration. See Point 10, Configure HOB RD VPN and the
HOB WebSecureProxy, in this table below for more information.
8.
The HOB WSP must be stopped manually, see Section 33.2 Manually
Stopping and Starting the HOB WSP.
9.
Install the HOBLink Security Manager on a dedicated machine without any
network connection. See the HOBLink Secure Administration Guide for
more information on this topic.
10.
Configure HOB RD VPN and the HOB WebSecureProxy.
See Section 30.8 Achieving Trustworthy Encryption to obtain a valid
Common Criteria configuration.
See Chapter 36 XML Configuration for the HOB WebSecureProxy for
more information on this topic.
See Section 4.2 Prerequisites for Installation – Single Node and Cluster for
valid port numbers to be visible from the internet.
11.
Generate a set of certificates using the Auto Wizard in the HOB Security
Manager. See Section 30.9.1 Using HOBLink Security Manager for more
information. The result of this process is a set of configuration files (also
known as HOBLink Security Units) for HOB WSP that conforms to CC
requirements.
Important: The procedure described in Section 6.2.9 Global
Administration Screen – Certificates must not be used.
374
HOB RD VPN
12.
Select whether TLS protocol 1.1 and/or 1.2 is to be used on the client
machines and ensure the browsers to be used can support these
protocols. These are the only protocols that can be used in an evaluated
environment.
13.
Copy the newly generated HOBLink Security Units to the destination
folders within the HOB RD VPN installation according to Section 33.1
Adding Certificates and HOBLink Security Units to the HOB WSP.
14.
Perform the Scheme Extensions for the external LDAP system that hosts
your HOBLink JWT and user-specific HOB Web Server Gate
configurations. See Section 10.2 Configuring HOBLink JWT for more
information. Concerning the use of LDAP as the Authentication Service,
see Section 30.6.3 Notes on Certified Components.
15.
Configure HOBLink JWT. See Chapter 35 XML Configuration for
HOBLink JWT for more information.
16.
The HOB WSP must be now be started manually, see Section 33.2
Manually Stopping and Starting the HOB WSP.
17.
Inform the users about their necessary cooperation; please see Section
30.7 User Workshops and Schooling.
Table 1: Steps for Certification
Creating and modifying any configuration with the GUI tools, such as the
HOB RD VPN WebSecureProxy configuration program, is not part of the
CC certification, although the GUI tools may also be used.
In the case of the HOB WSP configuration the administrator is strongly
recommended to manually check whether the configuration has the correct
contents before the server is put into production. To do this, use the
parameter list of the wsp.xml file (see Chapter 36 XML Configuration for
the HOB WebSecureProxy for this information) as a reference. You can
also check that HOBLink JWT and HOB Web Server Gate configurations
for your users are correctly defined by using an LDAP browser.
Please contact HOB software support if you have any problems or questions
regarding these procedures.
30.2 Security Objectives for the Operational Environment
As the competent and trained administrator of HOB RD VPN within your company,
you are responsible for the operational environment of your company. You and your
administrator colleagues need to be competent and trustworthy individuals capable
of managing HOB RD VPN and the security of the information it contains. You
cannot be careless, willfully negligent, or hostile, and must be able to follow and
abide by the instructions provided in this Administration Guide. Similarly you should
ensure that the users of your system are also not careless, willfully negligent or
hostile and that they abide by and follow the instructions given by you, the
administrators.
You are also responsible that remote trusted IT systems providing the functions
required by HOB RD VPN are sufficiently protected from any attack that may cause
those functions to provide false results. In addition you must ensure that these
375
HOB RD VPN
systems, which should also include intrusion and denial-of-service detection
systems, are installed and configured in accordance as specified in this document.
As the competent and trained administrator of HOB RD VPN you must establish
and implement procedures to ensure that information is protected in an appropriate
manner. In particular you need to ensure that:











376
All of your network and peripheral cabling is suitable for the transmission of the
most sensitive data held by the system, and that these physical links are adequately protected against threats to the confidentiality and integrity of the data
transmitted.
Your users are authorized to access those parts of the data managed by
HOB RD VPN, receiving the necessary authorization and access information
(username and password) from the administration department, and are trained
to use HOB RD VPN in a secure manner in a benign environment, cooperating
fully with their fellow users and administration staff.
With this last point in mind, you should ensure that the following Section Important Information for Remote Users is printed out and distributed to each of the authorized users of your company.
Any connection between untrusted users of your system and the protected resources of your web servers and Remote Desktop servers is established via the
HOB WSP. You must ensure that only authorized users to access the resources
protected by HOB RD VPN.
The procedures you use to ensure that the hardware, software and firmware
components of the system are distributed, installed and configured in a secure
manner supporting the security mechanisms provided by HOB RD VPN are
properly established and implemented.
You protect those parts of HOB RD VPN critical to the enforcement of the security policy from any physical attack that might compromise IT security objectives.
This protection must be commensurate with the value of the IT assets protected
by HOB RD VPN.
You destroy the RSA keys that are maintained with the HOBLink Security Units
as soon as they are no longer needed. See the HOBLink Secure Administration
Guide, Chapter Certificate Management for more information on this topic.
You must ensure that all security updates for the software involved (operating
system, Java, application software, etc.) are regularly checked and kept as up to
date as possible.
The server components must be installed on a physical, true hard disk to avoid
the depletion of the system device file dev/random and ensure that this system
file has sufficient data.
You install the Security Manager tool on a separate machine that is not physically
connected to any network and that the HOBLink Security Units generated by this
tool are transferred securely to the HOB WSP.
Ensure that the operation of the HOBLink Security Manager, as well as the system and the operating system where it is installed, is adequately protected in
terms of restricted physical access and disabled network access. You must be
aware that the secure operation of HOB RD VPN strongly relies on the integrity
HOB RD VPN
of the certificates and the cryptographic keys that are generated by the HOBLink
Security Manager.







You install and configure the operating system, the Java Virtual Machine, and
the web browser in accordance with this HOB RD VPN Administration Guide and
that these mechanisms operate as specified. Also make sure that only the software specified here is used as the underlying platform to ensure that the correct
date and time information is available.
The HOB WebSecureProxy is installed on a separate machine without unprivileged users having local access and that does not host any productive relevant
services, such as database servers or alternative web servers, in addition to the
software that is provided through the HOB product installation. The logical access to this machine is restricted to authorized administrators.
The LDAP server must implement all required functionality, in particular correctly
performing the Identification & Authorization of a user who is attempting to make
a connection to your network. This decision is resolved through a request by the
WSP via an LDAP-bind operation to the LDAP server.
The LDAP server must be under the same management control with the same
security policy constraints and the same level of physical security as the
HOB WSP.
Any connection between an untrusted network and the protected resources of
web and Remote Desktop servers must be established via the HOB WSP over
the appropriate architecture.
Those responsible for the HOB WSP must ensure that those parts of the
HOB WSP responsible for security policy enforcement are protected from physical attack, a protection commensurate with the value of the IT assets protected.
You must ensure that the LDAP server storing the user credentials used by the
HOB WSP to authenticate users effectively protects user credentials against
brute force attacks. The following measures are effective and should serve as
guidelines:
o
The password used by each user for access to their user accounts must
have a complex structure and be of sufficient length to ensure a sufficiently
high level of security for the user accounts. The use of uppercase and
lowercase letters and numbers and special characters in passwords is
imperative. The password length must be a minimum of 10 characters, but
12 or more characters is recommended. The password for the global
administrator must, in particular, satisfy these very high standards. The
details of what constitutes a valid password must explicitly be made known
to the users. This information must be communicated to the users through
referring to the item covering their Logon information in Section Important
Information for Remote Users.
o
Furthermore, the LDAP system with which the user authentication is
implemented must be capable of recognizing consecutive failed login
attempts and preventing any further login attempts once a fixed number of
attempt failures has been reached. The number of unsuccessful login
attempts (with wrong passwords) before the user is locked out should be
between approximately 5 to 15 consecutive attempt failures. If a locking of
the account is to performed, the LDAP server could generally perform the
377
HOB RD VPN
following actions:
1. A complete lock of the account, so that only the Global Administrator can
free it again;
2. An enforced delay on authentication of several seconds after each failed
login with a greater number of attempts before the account is completely
locked;
3. An enforced delay on authentication of several minutes (up to 1 hour or
more) after the account is locked until it is freed automatically. In this case,
HOB recommends that a reasonable balance is found based on the
different measures that are already installed and already widely accepted
and used by the users.
These objectives are designed to counter and eliminate the threats faced by
security issues, and also to complement the policies developed to ensure a safe
and secure environment for the data contained within the system.
30.3 Delivery Accuracy Check
To enable a secure delivery from HOB to the customers, HOB uses a private third
party parcel service to deliver the HOB software. This avoids the chance of the
delivery being delayed or intercepted. Nevertheless, in spite of the efforts made to
choose reliable parcel services for software delivery, HOB actually has no influence
on the software once it has left the company premises.
30.3.1 HOB Software Distribution Check
To ensure that you receive the product in exactly the same condition in which it was
shipped, the HOB Software Distribution Checker (a small Java tool) has been
placed on the HOB website that calculates a hash value of the CD contents and
compares it with a reference value for the CD that is known to the tool on the HOB
web server.
The tool can be found on the HOB website, under this link:
http://www.hobsoft.com/support/support.jsp, and then follow the link to the
HOB Software Distribution Checker itself. The address for this link is:
https://ftp.hob.de/tools/distribcheck/auto.html.
A Java version of JRE 1.4 or higher is required to be installed on your browser to
run this tool.
It is a good security measure to always check that a valid certificate for this website
is used. This can be done as follows:
1.
Launch your chosen internet browser and click the HTTPS secure icon in the
address bar of the site you wish to enter, which should resemble this symbol
(the exact appearance of this symbol depends on the browser used):
HTTPS secure icon
This launches the validity check that is performed automatically by the browser in
the background for each website you attempt to access. This validity check
378
HOB RD VPN
examines the name of the destination server and the site being accessed is
approved by the certificate authority.
2.
The browser will then display a dialog (the actual dialog is dependent on the
browser being used, the one shown here is from Microsoft Internet Explorer)
that indicates if the certificate has been accepted as valid or rejected. This
dialog is for a valid certificate:
Figure 1: Website Validity Check – Valid Result
If the site is rejected as invalid because the name is wrong or the site is not trusted,
you will see something like this (the screenshot below is from an Opera browser):
Figure 2: Website Validity Check – Invalid Result
If everything is secure, then you can proceed with the HOB Software Distribution
Check. If the certificate is not shown to be secure, in general you should not use it.
In this case, when using the HOB Software Distribution Checker you should verify
whether your list of trusted certificates in your browser is up to date.
Any HotFix that you wish to install also needs to be checked with the HOB
Software Distribution Checker. Extract the Zip files for any HotFix into an
empty directory and then run the HOB Software Distribution Check on this
directory.
379
HOB RD VPN
30.3.2 Perform a HOB Software Distribution Check
To perform the software distribution check you will need an up-to-date browser with
the Java plugin. Point your browser to the specified internet site containing this Java
tool, namely: https://ftp.hob.de/tools/distribcheck/auto.html.
The software checker prompts you to specify the root node of the CD or DVD to be
checked. The HOB Software Distribution Checker GUI dialogs that you will see are
shown here, as follows:
Figure 3: Software Distribution Check – Start
Click the Select Folder button to specify the folder where the HOB software is
stored. The HOB Software Distribution Checker then reads the complete structure
below the node and computes a hash value of the complete content. In this way
every single file, file name and file location within the structure is taken into
consideration. The software checker uses the information provided by this file to find
the reference hash value in its database.
Figure 4: Software Distribution Check – Result
380
HOB RD VPN
The result of the comparison is shown along with the identified software name and
version as well as the calculated hash value (in hex and bubble babble code). The
possible results are either Successful (in which case the following text is
displayed):

The checked HOB Software (software name entered here) has proven to be a
legitimate version.
In this case you can be sure that obtained software 100% matches the software
produced by HOB and has not been manipulated.
Or the result is Erroneous, when this text is displayed:

The result of checking the HOB Software (software name entered here) did not
verify its data integrity (see Help)!
In this case you have obtained software that has errors. These errors may be simply
errors of the storage media (if software is provided on CD) or errors that have
occurred during the data transfer (if the software is downloaded). In severe cases,
however, the data may have been manipulated by a third party.
If you receive an Erroneous result from the HOB Software Distribution
Check, there is a security issue with an element of your HOB RD VPN
installation and you must report it as soon as possible to HOB. The issue
can then be evaluated by the HOB development department.
HOB RD VPN requires you to conduct an integrity check to verify the proper
condition of the product. HOB has no influence on the actual actions of the delivery
service or any of the customers once the product has been shipped, however, so it
is the responsibility of you as the administrator to perform the required integrity
check.
30.4 Consequences of Misconfiguration
HOB RD VPN was designed to prevent configuration errors from compromising
security. It may be that, however, certain errors arise not from misconfiguration but
from the environment in which the system is operating. If this is the case, you will
need to contact HOB directly to solve any problems caused by these environmental
hazards.
HOB WebSecureProxy, the core component of HOB RD VPN, in particular fails to
operate if a configuration file contains logical errors. In such cases the appropriate
error codes are provided either on the console or in the system log file.
381
HOB RD VPN
In greater detail, improper configuration can have the following consequences as
shown in this table:
Component
Configuration
Error
Consequence
Detection /
Correction
Security Manager
Certificates may be
Workstation for
Security Manager has unusable
incorrect real time
clock settings
Recreate and redistribute HOBLink
Security Units.
Security Manager
Weak cryptographic The overall security of
the solution can be
settings (cipher
suites) were chosen compromised
for the SSL sessions.
This can only be
detected by manually
checking the settings
in the HOBLink
Security Units
Security Manager
Workstation for
Security Manager is
not isolated from the
productive
environment (for
example from the
LAN)
WebSecureProxy
There is a mistake in The HOB WSP fails
the XML configuration to operate
file structure
Appropriate error
codes are provided in
the system log file –
Identification of the
problem is of the
highest importance
WebSecureProxy
The overall security of
Server has
the solution can be
accessible
maintenance hooks compromised
such as telnet or RDP
capability
This can only be
detected by manually
checking the settings
of the server OS. All
ports except the listen
ports of
HOB RD VPN should
be closed and the
machine operated
only through the
console.
WebSecureProxy
Certificates
suspected to be
broken or to have
been abused will not
be replaced
The overall security of
the solution can be
compromised or a
man-in-the-middle
attack can be
launched
A process for the
reporting of certificate
abuse must be
installed, and users
must be instructed in
the use of this
process. Certificates
and HL Security Units
must be replaced
immediately if abuse
is suspected.
The overall security of Check the network
configuration
the solution can be
compromised, in
particular the server
HOBLink Security
Units can be revealed
by attackers
Table 2: Consequences of Misconfiguration
382
HOB RD VPN
30.5 System Requirements
The following are the system requirements necessary to conform to the Common
Criteria EAL4 evaluation.
30.5.1 Requirements for HOB RD VPN Server
A fresh installation of the supported operating system is necessary for a valid
Common Criteria installation of HOB RD VPN
The supported operating system for the Common Criteria evaluation is:

SUSE Linux Enterprise Server 11 on Intel EM64T with Service Patch Level 2 (including Kernel 3.x.x)
To install the HOB WebSecureProxy (gateway) the following hardware is required:

speed

1 GB of RAM available

450 – 800 MB of non-volatile storage space
For other valid hardware requirements, see Hardware Requirements in Section 4.1
System Requirements for Installation. You must ensure that you install the
operating system in a safe and secure manner. Refer to the SUSE documentation
to achieve this. Finally, you need to ensure that no other service accepts
connections from the network.
30.5.2 Requirements for HOBLink Security Manager
The following are the requirements for the installation of HOBLink Security
Manager:

Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing
speed

256 Mbytes of RAM available

160 Mbytes of non-volatile storage space
One of the following operating systems must be installed:

Microsoft Windows 7 (any edition) SP1, 32-bit or 64-bit

Microsoft Windows 8

Apple Mac OS 10.8 Intel 64-bit

openSUSE Linux 12.2 (with a graphical subsystem installed)
You also need to make sure the Security Manager system has no network
connection.
The installation of the HOBLink Security Manager on Mac OS X requires a preinstalled Java virtual machine. Apple Java 1.6.0 update 65 or higher (64-bit) has to
be used. For Microsoft Windows and Linux operating systems the HOBLink
Security Installer includes its own independent Java virtual machine, Sun Java
1.6.0 update 26 (32-bit).
383
HOB RD VPN
30.5.3 Requirements on the client side
The following are the requirements for the installation of a Common Criteria
qualified evaluation of HOB RD VPN on the client side:


Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing
speed
256 Mbytes of RAM available
One of the following operating systems must be installed:

Microsoft Windows 7 (any edition) SP1, 32-bit or 64-bit

Microsoft Windows 8 (any edition), 32-bit or 64-bit

Apple Mac OS 10.8 Intel 64-bit

Linux openSUSE 12.2 (with a graphical subsystem installed)
One of the following browsers is also required:
Operating System
Browser
Microsoft Windows 7,
Windows 8
Microsoft Internet Explorer IE 9
Opera
Minimum Version
12.12
29 (version 24 only TLS
Firefox (not defined for CC 1.1)
evaluation)
Chrome
Linux openSUSE
Opera
12.12
29 (version 24 only TLS
Firefox (not defined for CC 1.1)
evaluation)
Chrome
Apple MacOS X
Opera
12.12
Safari (not defined for CC
evaluation)
Firefox (not defined for CC
evaluation)
Table 3: Requirements for the Internet Browser employed
A Java Virtual Machine is also required, with the following versions of Java:

Windows: Oracle Java 1.7.0 update 45 or higher (32-bit)

Mac OS X: Oracle Java 1.7.0 update 45 or higher (64-bit)

Linux: Oracle Java 1.7.0 update 45 or higher (32-bit)
Note that for the JVMs as well as for both Internet Explorer and Opera TLS
v1.1 and TLS v1.2 must be explicitly activated as these protocols are (or
may be) disabled per default.
The Java settings can be found in the Java Control Panel.
384
HOB RD VPN
Browsers other than those already mentioned here can be used with these
client side systems, but only if these alternative browsers fully support TLS
v1.1 and TLS v1.2
To satisfy the needs of the evaluation for Common Criteria, only a role with
similar access rights as set for the default role User can be used as a
standard for your users.
30.6 Configuration Tasks
This section identifies the Configuration Tasks for HOB RD VPN and for the
HOB RD VPN environment that are required to obtain a valid Common Criteria
certification.
An installation of HOB RD VPN includes functions and components that can be
extended according to the selection of features by the user. Certain of these
functions or components may not be subject to the common criteria evaluation. This
means that these additional features provided by HOB RD VPN should not be used
in a configuration subject to a Common Criteria validated operation. As these
additional features were not included in the testing for the evaluation for Common
Criteria, the use of these features might result in operating the HOB RD VPN
installation in a way that is not compliant with the evaluated configuration.
30.6.1 Certified Components of HOB RD VPN:
Component
Comments
HOB
WebSecureProxy
This component must be configured in a secure manner,
see Notes on Certified Components below
This also contains the additional module HOB RD VPN
Web Server (including HOB Web Server Gate), which
must be configured in a secure manner, see Section
30.6.3 Notes on Certified Components
Target Filters must be configured to restrict access to
HOB RD VPN Web Server Gate, see Section 30.6.3 Notes
on Certified Components
HOBLink JWT
Must be configured in a secure manner, see Notes below
HOBLink Security
Manager
The description of HOBLink Secure and the HOBLink
Security Manager is provided in the HOBLink Secure
Administration Guide documentation
Table 4: Certified Components for Configuration
All of the above components also contain the additional module
HOBLink Secure, the description of which is provided in the
HOBLink Secure Administration Guide documentation.
385
HOB RD VPN
30.6.2 Uncertified Components of HOB RD VPN:
Component
Comments
Integrated Directory
Service
To make it possible to use any third party directory
server, only the LDAP interface is certified. HOB
ensures that the Integrated Directory server is
implemented as securely as possible.
HOBLink J-Term
To keep the certification status, HOBLink J-Term must
be configured as described in the Notes below
HOB RD VPN Web File
Access
Using HOB RD VPN Web File Access does not
influence the certification in any way, see Notes below
HOB PPP Tunnel
Using HOB PPP tunnel does not influence the
certification in any way, see Notes below
HOBPhone
Using HOBPhone does not influence the certification in
any way, see Notes below
Administration
As all administration tools are outside the scope of the
certification, this allows the administrator to use the
integrated tools and/or any third party tool to configure
HOB RD VPN in a valid CC installation
User Settings
Using User Settings does not influence a valid certified
installation, as long as the restrictions described in the
Notes below are fulfilled
HOB Universal client
Using HOB Universal Client does not influence the
certification, as long as the configuration is performed
as described in the Notes below
Compliance Check
Using Compliance Check does not influence the
certification in any way, but enhances security.
Desktop-on-Demand
If you use Desktop-on-Demand the RDP targets are
part of the LDAP configuration of the user or group. As
this is outside the HOB WebSecureProxy configuration,
this violates the certification requirements. In a certified
environment HOB Desktop-on-Demand cannot be
used, see Notes below
SSL Identifier
Using the SSL Identifier does not influence the
certification in any way, see Notes below
Kerberos Authentication Using Kerberos as the Authentication Service is not
certified. In a certified environment Kerberos cannot be
Radius Authentication
Using Radius as the Authentication Service is not
certified. In a certified environment Radius cannot be
Table 5: Uncertified Components for Configuration
386
HOB RD VPN
30.6.3 Notes on Certified Components

HOB WebSecureProxy:
– Only LDAP is allowed as the Authentication Service
– The LDAP protocol version that is allowed must be Version 3 or later
– A target filter rule that allows only the needed connections must be applied to all
roles. This is especially required to deny all unwanted HTTP and HTTPS access.
– Desktop-on-Demand must not be activated in any role, as it could be used to
bypass the HOB WebSecureProxy configuration for RDP connections.
– The user role must be set to “User” or to an equivalent role that you use according
to the policies of your company, see Chapter 8 Roles and Users.



HOBLink JWT - HOBLink JWT configurations should not be configured with preconfigured usernames and passwords.
HOBLink J-Term - RDP connections over HOBLink J-Term are not allowed in
an evaluated environment. All other HOBLink J-Term connections are possible,
but are outside of the evaluation.
HOB Web File Access - HOB Web File Access can be used, but is not part of
the evaluation.

PPP Tunnel - HOB PPP Tunnel can be used, but is not part of the evaluation.

HOBPhone - HOBPhone can be used, but is not part of the evaluation.

HOB Universal Client - HOB Universal Client can be used, but is not part of the
evaluation. There is one restriction, in that HOB Universal Client must not have
configurations for RDP connections.
30.7 User Workshops and Schooling
It is strongly recommended that all users are comprehensively schooled in the use
of HOB RD VPN. Only those users that are sufficiently schooled in the use of the
product can ensure that the required procedures are properly followed and that all
measures to guarantee diligence in maintaining the appropriate levels of security for
the system and data are taken.
Important Information for Remote Users
This section is deliberately placed onto a single page for ease of use, as it is
intended for you to print out and distribute to each of those end users authorized to
use HOB RD VPN.
387
HOB RD VPN
ALL POTENTIAL REMOTE USERS MUST READ THIS
SECTION CAREFULLY!
Dear Remote User,
Your computer uses a HOB software product that offers you secure communication
and protected data transfer. The user or client part of the HOB RD VPN software
uses the HOBLink Secure encryption module as a part of the HOBLink JWT
component. This add-on provides highly performance cryptography based on the
industry standard SSL protocol and requires no manual intervention or
configuration from your side.
You should run an RDP session for a maximum of no more than one
working day. At the end of each working day, you should perform a
complete Logoff from the Terminal Server that you were using.
You must manually enter your login information. This explicitly
excludes robots and keyboard macro recorders from being used for this
purpose, and the original native keyboard and mouse drivers need not be
replaced. You must not use Macro Recorders for keyboard or mouse to
playback data and execute the log on process.
Protect your workstation when you leave it unattended. To this end a
“locking the workstation” policy should be in operation within your company
and all users must be familiar with it.
Remember also that the security of your communication depends on
the accuracy of the system clock of your computer. Make sure (and
check periodically) that your computer uses the correct (real) date and
time.
If you suspect that an unauthorized person has gained access to
these files do not hesitate to inform your IT department. Please
remember that the origin of every single file can be tracked down to you.
Do not communicate any details concerning the log on information
for HOBLink JWT or HOB Web Server Gate. Keep your user credentials
secret and handle passwords according to your company or IT department
policy and rules. To this end, a “Keep your passwords confidential” note
should be effective and you should be familiar with it.
If you feel that you need further help to avoid unauthorized access to your computer
or to set the system clock of your computer, contact your IT department.
388
HOB RD VPN
30.8 Achieving Trustworthy Encryption
In order to achieve trustworthy encryption, a number of steps must be considered
on both the server side and on the client side of any communication.
30.8.1 Achieving trustworthy encryption on the server side
The areas to consider here are as follows:
Log Files are used to record all important activities made by your users and other
administrators. To use log files, the following steps must be in operation:
1.
The logging tool must be activated.
2.
A log file must be periodically written at specific time intervals (for example
every hour) according to the security policy of your company. This can be done
automatically.
3.
This log file must be written to the /var folder. This is a default folder that holds
all the log files of the system.
You must store the log files in the /var folder for a reasonable amount of time
before being deleted, the recommended minimum period being one week. The
contents of the /var folder and all of its subfolders are used to occasionally
increase the quality of random number generation.
There are some less obvious requirements that must be achieved to ensure
optimum performance of the system device file /dev/random on Linux systems:



To reach the required performance level it is required that the system be installed
on a true hard disk. Solid state disks (SSDs) are optionally possible, but cannot
be exclusively used, see also Section 30.2 Security Objectives for the Operational Environment. To feed the system device file /dev/random with suitable data
it is required to store the files of the /var folder on this true hard disk. As information is periodically written to this hard disk the depletion of the system device
file /dev/random on the server is then avoided.
Processes such as haveged or rngd must not be active on the server system, as
these tools weaken the random generation within the OS and are not allowed in
a CC compliant server system, see Section 4.1.1 Installation on the Server Side
concerning these processes.
Standard Linux/UNIX systems have a so-called clock source or time source that
is used by the kernel and can usually be configured. When HOB RD VPN is running on a Linux/UNIX system a sufficiently precise clock source must be set to
allow HOB RD VPN to function properly. Suitable and accurate clock sources include HPET (High Precision Event Timer) and TSC (Time Stamp Counter).
HOB RD VPN may not work correctly if an inaccurate clock source such as "Jiffies" (as used by some CentOS systems, for example) is the only clock source
available.
389
HOB RD VPN
To increase the entropy available for trustworthy encryption on the client
side, and therefore the security, the HOB WSP configuration parameter
<high-entropy>) must be set to YES, as shown here:
<roles>
<role>
<name>User</name>
<high-entropy>YES</high-entropy>
</role>
.
</roles>
See Section 37.1 The Authentication Library (xl-sdh-webserver-01.dll) for
more information.
30.8.2 CPU support for the AES cryptographic function
Intel ® CPUs that include the Intel ® AES New Instructions set partly support the
processing of the AES protocol within the CPU. The CPU-based support of the AES
algorithm is not part of the Common Criteria evaluation. If the CPU support is
desired and activated, the Common Criteria evaluation for all certified components
and algorithms holds, with the exception of the calculations performed by the CPU
itself.
You must be aware that HOB RD VPN is not running in a configuration compliant to
the Common Criteria evaluation if the server component or one of the client
components is operating with activated CPU support for the AES algorithm.
See Section 4.1.7.3 CPU Support When AES is Used (if available) of the
HOBLink Secure Administration Guide and HOBLink Security Manager.
30.8.3 Achieving trustworthy encryption on the client side
You must ensure that all systems used on the client side of any communication are
installed and configured in accordance with the company security policies and
rules, and with the instructions contained in this document.
HOB strongly recommends that your users should run an RDP session for
a maximum of not more than one working day. You should ensure that the
users always close and log properly off from their terminal sessions at the
end of the working day in accordance with the User Guide that you
distribute to each of your users.
Not closing a session will lead to a lack of random numbers (used for authentication
and the safeguarding of data) available to HOBLink JWT. Ensure that when a user
closes a terminal session the connection is properly closed and that the JVM is shut
down. You (as administrator) should use a test client system to ensure that the shut
down process is correctly completed.
HOB RD VPN does not require hardware-based encryption tools or random
generator boards to be installed on the computer systems involved. Instead a
random number generator is implemented that gains randomness from user
interaction with their input devices to perform a qualified initialization. Creating
390
HOB RD VPN
valuable random numbers guarantees that non-guessable session keys are chosen
to encrypt and safeguard the communication data.
The users must follow the login rule that they must perform the input of their
credentials themselves every time they fill in the sign on dialog. Macroreplay tools or a simple copy & paste operation cannot be used to repeat a
recorded keyboard input whenever needed, and a robot that operates the
keyboard (and mouse) also cannot be used.
In addition to other sources supplied by the system, the user interaction through a
dialog is used to create unpredictable initialization values for the random number
generator. As long as this dialog is displayed and has focus, every key stroke and
every mouse move in certain areas of the dialog are used to increase the quality of
the random initialization values.
The following image displays the dialog shown when HOBLink JWT starts, before
any keyboard or mouse events have been made:
Figure 5: HOBLink JWT Security Dialog – Insufficient Information
Random information can be achieved by keyboard input or mouse cursor
movement within the dialog. The best and fairest results require both keyboard and
mouse events. The mouse must be moved slowly!
When the collected data are judged as sufficient the following dialog shows the
displayed text:
391
HOB RD VPN
Figure 6: HOBLink JWT Security Dialog - Initialize Random Number Generator
When the OK button on this dialog is clicked, HOBLink JWT has received a
sufficient level of input and the program starts.
30.9 Using Certificates in HOB RD VPN
This section contains only a very short description of how security certificates
should be used in HOB RD VPN. For a full explanation of the process, please see
the HOBLink Secure and HOBLink Security Manager Administration Guide.
The HOBLink Security Manager uses the Auto Wizard tool to generate 3 server files
(server.cdg, server.cdb and server.pwd) and 3 client files (client.cdg,
client.cdb and client.pwd). These files must be securely transferred to the
HOB RD VPN server must be placed in special directories in the HOB RD VPN
installation, see Section 33.1 Adding Certificates and HOBLink Security Units to the
HOB WSP.
The wsp.xml configuration must be adjusted accordingly, see Chapter 36 XML
Configuration for the HOB WebSecureProxy.
With the help of the Auto Wizard of the HOBLink Security Manager an
independently created PKI is established. As part of the certification no OCSP or
Certificate Revoke is supported.
The administrator is responsible for managing the certificates themselves. In a
suspected case of loss of the integrity of a new certificate or the key data it contains,
new certificates and HL Security Units need to be created and the HL Security Units
will be promptly replaced on the server system.
30.9.1 Using HOBLink Security Manager
To create HOBLink Security Units that conform to Common Criteria requirements,
the Auto Wizard function of HOBLink Security Manager must be used.
This Auto Wizard is fully described in Chapter 3.5 of the HOBLink Secure and
HOBLink Security Manager Administration Guide. For a configuration that fully
conforms to Common Criteria requirements, please note that in the first dialog of the
Auto Wizard (see Point 4 in the above mentioned chapter) the option do not use
client authentication must be selected.
392
HOB RD VPN
All fields must be completed in the next Auto Wizard dialog. In the entry field for
Server Certificate Common Name the URL of the server where the HOB RD VPN
server component is installed must be entered.
Please note that with the selection of a 1536 bit asymmetric key size, only
a security strength of less than 100-bit encryption security is ensured.
393
394
HOB RD VPN
HOB RD VPN
Flaw Remediation
31 Flaw Remediation
HOB has developed and runs Flaw Remediation, a set of activities that are used to
achieve Common Criteria standards in security of HOB RD VPN blue edition. The
Flaw Remediation process serves to identify and correct any potential security flaw
that may occur in your system.
This Flaw Remediation process mainly covers four aspects of interaction between
a customer (you, as the administrator) and HOB as the product manufacturer:




You can report problems that you interpret as security-critical problems
All customers are informed by HOB in the event that a problem is rated to be a
security flaw
Any customer can ask HOB about the state of a security flaw and its correction
All customers are informed about the correction of a security flaw and receive an
updated and corrected version of the product from HOB under the terms of the
maintenance contract
In more detail, for HOB RD VPN blue edition this means the following:
To obtain the Common Criteria Certification standard for security, it is mandatory
to sign a maintenance agreement so that HOB can contact you. This
maintenance agreement (either a Software Maintenance Agreement Certificate or
a Software Maintenance Contract) guarantees you full support in the correction of
problems or software bugs, and access to new updates that correct the problem.
In addition to the reporting of a problem, you can also contact HOB directly if you
suspect a security flaw. As a customer with a maintenance agreement, you can
contact HOB at any time to report a problem. Once informed of any potential
problem, HOB will immediately analyze and rate the problem.
You should always run the HOB Software Distribution Check (see Section
30.3.1 HOB Software Distribution Check) in any case to check the validity
and integrity of the product when you purchase or download a new product
or new product version.
On reporting a suspected security flaw, the information that HOB sends you
contains a description of the characteristics of the security flaw, its consequences
and a possible work-around, if any, of instructions to be followed until the problem
is solved. This could be, for example, a temporary change in the firewall settings, a
modification of the active services or the activation of additional monitoring
functions.
HOB requests all customers, in your own interest, to treat information on security
flaws as confidential.
For all software issues, HOB runs an internal ticket system to record any problem,
task, or the information required when contacting a customer. In the event of a
security flaw, the customer receives the ID of the corresponding ticket in addition to
the general information, as a reference. This ID should always be used when
contacting HOB for information on a problem.
395
Flaw Remediation
HOB RD VPN
When a problem is solved, HOB delivers a new, corrected version of the product
with an explanation of the security flaw and how it was solved. You can then
download the new version using the address of the download web server and the
access credentials given to you under the maintenance agreement. This must be
verified and the downloaded software installed to use and run the corrected version.
Keep in mind that the Common Criteria certification becomes invalid if the
maintenance agreement is cancelled or allowed to expire.
31.1 Aspects of Flaw Remediation
Flaw Remediation is a process that consists of the following procedures:
1.
The first step is to make sure it is a problem. If you suspect that there is a
security issue with any element of your HOB RD VPN installation, you must
report it as soon as possible to HOB. The potential problem is then evaluated
by the HOB development department and a priority is assigned to that issue
according to the evaluated severity of the problem.
2.
Every reported problem is assigned an HOB reference number or ticket, and
this ticket is passed onto you as the customer concerned. This ticket number
should be used in all dealings with HOB about this security flaw.
3.
Once the potential problem has been solved, a corrected version of the product
is created and made available to you and to any other customers that have
been potentially affected by this flaw. This corrected version you receive from
HOB as CD/DVD or as a downloaded packed zip file from the HOB Web server.
When you receive or download a new product version, you should always
verify the successful download using the HOB Software Distribution Check
(see Section 30.3.1 HOB Software Distribution Check).
4.
Once you have performed the HOB Software Distribution Check on this
updated version of the product to assure its integrity and the Check proves that
your software is in order, you may install the new version, solving your security
issue.
Any HotFix that you wish to install also needs to be checked with the HOB
Software Distribution Check. Extract the zip files for any HotFix into an
empty directory and then run the HOB Software Distribution Check on this
directory.
396
HOB RD VPN
Frequently Asked Questions
32 Frequently Asked Questions
The following are some questions that are often asked about HOB RD VPN blue
edition and its workings:
Q: What information is cached on the client?
A: No information from any session is cached on the client, all data stays securely
stored in the network. Once the connection to the servers is ended when the
session is closed, there is no data remaining on the client.
Q: I don´t want to have to re-enter all my data, which directories work with
HOB RD VPN?
A: The following directory services for authentication work with HOB RD VPN:

Microsoft Active Directory

IBM Directory Server

Novell eDirectory

Siemens DirX Directory

Oracle Directory Server Enterprise Edition

OpenLDAP

User Management
Q: Which authentication methods does HOB RD VPN support?
A: User authentication in HOB RD VPN is performed using:

SSL client certificates

RADIUS

Kerberos Single Sign-on (SSO)

LDAP

To check the user certificates, the Online Certificate Status Protocol (OCSP) is
also supported.
Q: Single Sign-On is very important for me. Does HOB RD VPN support this?
A: For true single sign-on (SSO) HOB recommends the use of Kerberos. Kerberos
SSO is fully supported by HOB RD VPN.
Authentication with one-time passwords is also supported. All major manufacturers
can support the RADIUS protocol used for this.
Q: Can I customize parts of HOB RD VPN (company logos, slogans, and so
on)?
A: Using the XML configuration files, HOB RD VPN can be configured for both
ease-of-use as well as look-and-feel, as required. The HOB RD VPN GUI allows
you to pull any required graphics on slogans from your data storage and apply them
on screen.
397
HOB RD VPN
Q: How difficult and cumbersome is it to update the software or to apply Hotfixes?
A: All customers with maintenance contracts can easily download and install the
necessary updates that will be notified to them by HOB, when such updates are
made available.
Q: How do I apply the JWT Trace?
A: The JWT Trace allows you to apply a trace when using HOBLink JWT so that you
can follow the exact path used during the connection. To employ the trace, go to the
screen where you would normally configure a HOBLink JWT session
(HOB RD VPN Administration > HOB RD VPN 2.1 > HOBLink JWT >
Configure) and select the scheme Others from the list.
Figure 1: HOBLink JWT Administration – Scheme Others
Under Others add a scheme with the DOTRACE parameter set to YES. Make sure
this is given in the session the user is having problems with:
398
HOB RD VPN
Figure 2: HOBLink JWT Administration – Session Others
The encrypted trace file will then be found on the client machine in the hob_jportal
folder found in the users folder.
Q: Where do I find the HOB RD VPN version and release information?
A: This information is found: at the bottom of the HOB RD VPN Navigation screen,
under the About icon in the task bar of the HOB Administration interface (see
Section 6.1 Administration Access as a Domain Administrator on page 75), or under
the Info menu in the task bar of the HOB WSP interface (see Section 2.6 Roles on
page 26).
Q: How do I save my configurations in HOB RD VPN?
A: There is a save function built into each GUI for HOB RD VPN, HOBLink JWT and
the HOB WSP. When any changes to the configurations have been made, simply
use these save functions and the edited configuration will be saved.
To save the complete configuration in another location during an update, for
example, follow these easy steps:
1.
Log into the HOB RD VPN 2.1 Global Administrator web page and use the links
on the left hand side to go to the Backup page.
2.
Click on Export LDIF and export the file to the location of your choice. You can
then import this file into your next updated release of HOB RD VPN 2.1.
399
400
HOB RD VPN
HOB RD VPN
Advanced HOB WSP Configuration
33 Advanced HOB WSP Configuration
This chapter contains the information needed to allow you to make the required
changes to the configuration of the HOB WSP.
33.1 Adding Certificates and HOBLink Security Units to
the HOB WSP
If the security setting of the SSL connection is to be more precisely configured, it
cannot be made via the Global Administrator interface, as this is accessed via a web
browser. It is necessary that the HOBLink Security Manager tool is available as a
standalone or is accessible from within the EA administration tool, depending on the
installed version of HOB RD VPN.
The HOBLink Security Manager creates files both for the server side and for the
client side. The files it creates must be placed in defined directories in the
installation. In this section the directories on the HOB RD VPN server and the
corresponding entries to the WSP configuration for the relevant files are shown and
described for both the server and the client sides.
33.1.1 Server Side Security Units in HOB RD VPN

User-Portal (Port 443):
WSP-Configuration:
<connection>
<name>User Portal</name>
....
<SSL-config-file>INSTALLDIR/sslsettings/corporate/hserver.cfg</
SSL-config-file>
<SSL-certdb-file>INSTALLDIR/sslsettings/corporate/hserver.cdb</
SSL-certdb-file>
<SSL-password-file>INSTALLDIR/sslsettings/corporate/
hserver.pwd</SSL-password-file>
....
</connection>

Administration Portal (Port 10000):
WSP-Configuration:
<connection>
<name>Administration Access</name>
....
<SSL-config-file>INSTALLDIR/sslsettings/admin/hserver.cfg</SSLconfig-file>
<SSL-certdb-file>INSTALLDIR/sslsettings/admin/hserver.cdb</SSLcertdb-file>
401
HOB RD VPN
<SSL-password-file>INSTALLDIR/sslsettings/admin/hserver.pwd</
SSL-password-file>
....
</connection>

Cluster Settings:
INSTALLDIR/sslsettings/cluster/sslsettings

Using SSL to connect from the WSP to a server in the corporate network
(for example HTTPS in Web Server Gate):
WSP-Configuration:
<client-side-SSL>
<SSL-config-file>INSTALLDIR/sslsettings/hclient.cfg</SSLconfig-file>
<SSL-certdb-file>INSTALLDIR/sslsettings/hclient.cdb</SSLcertdb-file>
<SSL-password-file>INSTALLDIR/sslsettings/hclient.pwd</SSLpassword-file>
....
</client-side-SSL>
In this case, the HOB WSP takes the role of the client to the destination server.
33.1.2 Client Side Security Units in HOB RD VPN

Using SSL for HOBLink JWT on the client side:
INSTALLDIR/www/public/lib/sslpublic

Using SSL for Web browsers on the client side:
The root certificate of the server must be available to the browser as a trusted root
certificate. The majority of the public CA root certificates are included in the
standard browser. If the root certificate is not available, the browser displays a
warning alert at the start of the connection. To avoid receiving this alert, the root
certificate must be imported into the browser. This is mandatory for the CC
evaluation.
If the root certificate of the server is available to the HL Security Unit on the server
side, the public part of the root certificate must be exported with the help of HOBLink
Security Manager, see the HOBLink Secure Administration Guide for more
information.
The root certificate must be distributed by the administrator in a secure manner to
the client (user) as the safety of the correct connection to the target server is
explicitly assured by this root certificate. HOB recommends that the administrator
pre-installs the exported root certificate on all client systems.
If this is not possible, the root certificate must be delivered securely and verified by
comparison of the fingerprint hash values with public values alternatively generated
402
HOB RD VPN
by the administrator. The delivery can for example be made by means of encrypted
media by a secure postal service.
The user on the client side must not use the root certificate for other purposes or
pass the certificate on to third parties. The provision of root certificates for other
client side software offered by HOB is described in the documentation of the
respective software.
The Java Runtime Environment (JRE) installed on the client system must be set up
so that trusted root certificates are drawn from the browser certificate store.
Otherwise, the root certificate must be separately imported into the trusted root
certificate store of the JRE.
33.2 Manually Stopping and Starting the HOB WSP
HOB RD VPN will automatically accept any changes that you make to the
configuration of the system, however, for certain changes it is required that you stop
and then restart the HOB WSP in order for these changes to become effective. To
stop and start the HOB WSP, follow these steps as described below for the
operating system you use.
33.2.1 Stopping the HOB WSP under Windows
HOB RD VPN is created as a Windows Service and as such can be launched and
stopped through the Windows Services Management Console.
1.
From the main start menu on your machine, select Start > Control Panel >
Administrative Tools > Services
2.
In the dialog that is now displayed, scroll down until you locate the
HOB RD VPN service, as shown here, and select it.
Figure 1: Microsoft Windows Administration – Services
3.
Now stop the service using either the command on the left of this panel or using
the Stop icon in the menu bar.
Stop icon - this stops the service
403
HOB RD VPN
33.2.2 Starting the HOB WSP under Windows:
After the installation on a Windows system HOB RD VPN starts automatically. The
service is configured so that it will start automatically after each restart. To change
these settings, see the Windows Help for the Services Management Console.
1.
Follow the first two steps outlined above to stop the service.
2.
Now, either using the Start icon in the menu bar or using the command on the
left of this panel, start (or restart) the service.
Start icon - this starts the service
33.2.3 Stopping the HOB WSP under Linux:
Open a console window and change to the directory INSTALLDIR/management
(using the command cd INSTALLDIR/management).
Run the script: ./stop-mgmt-service.sh.
33.2.4 Starting the HOB WSP under Linux:
Open a console window and change to the directory INSTALLDIR/management
(using the command cd INSTALLDIR/management).
Now run the script: ./start-mgmt-service.sh.
Once the HOB WSP has been stopped and restarted, any changes made to the
configuration will be in effect.
This procedure is necessary for any changes made to the manual.xml file
that are required for conformity to Common Criteria evaluation standards.
33.2.5 Starting the HOB WSP automatically under Linux
Once the installation has been successfully completed, HOB RD VPN starts
automatically as the final step of the installation process. If you perform a complete
system restart after installation, under Linux HOB RD VPN is not started
automatically. If you want to register the script ./start-mgmt-service.sh for an
automatic start of HOB RD VPN along with that of your system, consult the Linux
documentation for your distribution.
33.3 Configuration Changes and their Effectiveness and
Impact
In standard cases the HOB WSP reads the file wsp.xml containing the
configuration for the HOB WSP. This file is automatically updated by the
management service from the internal LDAP server that is included in the
HOB RD VPN server installation. If the configuration is changed by the HOB WSP
administration tool, the HOB WSP loads the new configuration and uses it for new
connections (this may however take some time). Existing connections are not
affected.
If the HOB WSP fails to interpret the configuration (i.e. the wsp.xml file) properly,
or fails for any other reason during the start-up phase, a fail-safe configuration with
404
HOB RD VPN
a minimum of entries is used to start the HOB WSP. This configuration only enables
the administrator access to the HOB WSP to check and correct a possibly
erroneous configuration or to examine the start-up failure. A message about this
state of the HOB WSP is written to the system log. Normal user connections are no
longer possible in such cases.
If a more sophisticated control of the configuration is required, a manually edited
configuration file manual.xml can be used. Details are found in Chapter 36 XML
Configuration for the HOB WebSecureProxy.
To have the changes in the manual.xml take effect, the HOB WSP must be
manually stopped and started again (see section above). This causes the existing
connections to be interrupted when the HOB WSP is stopped. If there are errors in
the manual.xml configuration then the HOB WSP cannot be started manually until
the configuration is corrected.
405
406
HOB RD VPN
HOB RD VPN
XML Configuration for HOB Web Server Gate
34 XML Configuration for
HOB Web Server Gate
This section contains the user defined parameters used in the configuration of the
HOB Web Server Gate. The bookmarks that are used for each user in the
HOB Web Server Gate are stored in the directory storage system for that user
under the attribute hobrdvpnbmwsg. The bookmarks are stored either in the user
object, in the tree of the user object or in the groups of which the user is a member.
34.1 Example HOB Web Server Gate Configuration
<WSG-bookmarks>
<version>1</version>
<bookmark>
<url>http://www.MyCompany.com</url>
<name>My Company</name>
</bookmark>
<bookmark>
<url>http://www.AnotherCompany.com</url>
<name>Partner1</name>
</bookmark>
</WSG-bookmarks>
Explanation of the illustrated elements:
This is the root element. In the example shown above, <WSG<WSG-bookmarks> bookmarks> has one child element for the current version,
shown here as having the value of 1.
<bookmark>
This is another child element where the element <bookmark>
can be added as many times as desired.
The element <bookmark> has two child elements, <url> and <name>:
<url>
The value of this child element is the location to where the
HOB Web Server Gate should connect.
<name>
The value of this child element is the name that is displayed
in the Navigation screen.
407
XML Configuration for HOB Web Server Gate
408
HOB RD VPN
HOB RD VPN
XML Configuration for HOBLink JWT
35 XML Configuration for
HOBLink JWT
This section contains the user defined parameters used in the configuration of
HOBLink JWT 3.3.
Some parameters disappear when the configuration is saved and reopened. These are the options that can be configured over other panels in
the configuration.
The following Section 35.1 Example configuration for Direct Connections is an
example HOBLink JWT XML configuration file. This example uses direct
connections between HOBLink JWT and the RDP Targets. It is included here to
help you create your own XML configuration or configurations, and shows how such
a file should be constructed.
The second example in Section 35.2 Example configuration for connections using
the HOB WSP shows how to set up the configuration for connections from
HOBLink JWT to the RDP Target via the HOB WSP.
35.1 Example configuration for Direct Connections
This is an example for direct connections between HOBLink JWT and RDP Targets:
<?xml version="1.0" encoding="UTF-8"?>
<jwt-configuration>
<session-list>
<session-entry>
<name>session1</name>
<iconname>BIG_JWTICON</iconname>
<activate>yes</activate>
<connection>
<name>Connection1</name>
</connection>
<logon>
<name>logon1</name>
</logon>
<display>
<name>display1</name>
</display>
<keyboard>
<name>keyboard1</name>
</keyboard>
<printer></printer>
<ldm></ldm>
<portredirection></portredirection>
<otherdevices></otherdevices>
<expert></expert>
</session-entry>
<session-entry>
409
HOB RD VPN
<name>session2</name>
<connection>
</connection>
<logon></logon>
<display>
</display>
<keyboard>
</keyboard>
<printer></printer>
<ldm></ldm>
<portredirection></portredirection>
<otherdevices></otherdevices>
<expert></expert>
</session-entry>
</session-list>
<schemes>
<connection-list>
<connection-entry>
<conntype>direct</conntype>
<autocon>yes</autocon>
<ipaddress>rdpserver1</ipaddress>
<ipport>3389</ipport>
<macaddress></macaddress>
<usewakeonlan>no</usewakeonlan>
<wakeonlantimeout>90</wakeonlantimeout>
<wakeonlanmode>broadcast</wakeonlanmode>
<wakeonlanport>9</wakeonlanport>
<wakeonlanrelaylist></wakeonlanrelaylist>
<broadcast>yes</broadcast>
<lbselection>reconnect</lbselection>
<gateport>4095</gateport>
<serverlist></serverlist>
<wsplist></wsplist>
<startupmode>desktop</startupmode>
<proxymode>auto</proxymode>
<servercertificates>no</servercertificates>
<sslfile></sslfile>
<ssldir></ssldir>
<compression>yes</compression>
<queue_events>no</queue_events>
<harddiskcachesize>0</harddiskcachesize>
<memorycachesize>8000</memorycachesize>
410
HOB RD VPN
</connection-entry>
<connection-entry>
<conntype>direct</conntype>
<autocon>yes</autocon>
<ipaddress>rdpserver2</ipaddress>
<macaddress></macaddress>
<wakeonlanrelaylist></wakeonlanrelaylist>
<serverlist></serverlist>
<wsplist></wsplist>
<sslfile></sslfile>
<ssldir></ssldir>
</connection-entry>
</connection-list>
<logon-list>
<logon-entry>
<name>logon1</name>
<userid>user1</userid>
<domain>domain1</domain>
<autologon>no</autologon>
<password>^+</password>
</logon-entry>
</logon-list>
<display-list>
<display-entry>
<window>frame</window>
<sessionwidth>800</sessionwidth>
<sessionheight>600</sessionheight>
<screenratiox>0</screenratiox>
<screenratioy>0</screenratioy>
<screen>1</screen>
<colordepth>0</colordepth>
<connbar>yes</connbar>
411
HOB RD VPN
<allowbackground>no</allowbackground>
<allowshowcontent>yes</allowshowcontent>
<allowmenuanim>yes</allowmenuanim>
<allowthemes>yes</allowthemes>
<allowcursorshadow>no</allowcursorshadow>
<allowcursorblinking>yes</allowcursorblinking>
<allowfontsmoothing>no</allowfontsmoothing>
</display-entry>
<display-entry>
<window>fullscreen</window>
<sessionwidth>1920</sessionwidth>
<sessionheight>1120</sessionheight>
<screenratiox>0</screenratiox>
<screenratioy>0</screenratioy>
<screen>1</screen>
<colordepth>0</colordepth>
<connbar>yes</connbar>
<allowbackground>no</allowbackground>
<allowshowcontent>yes</allowshowcontent>
<allowmenuanim>yes</allowmenuanim>
<allowthemes>yes</allowthemes>
<allowcursorshadow>no</allowcursorshadow>
<allowcursorblinking>yes</allowcursorblinking>
<allowfontsmoothing>no</allowfontsmoothing>
</display-entry>
</display-list>
<keyboard-list>
<keyboard-entry>
<clipboard>2</clipboard>
<keyboardlayout>us</keyboardlayout>
<keycombinations>8,24,a,23,8,21,8,22,
8,9b,8,7f,a,6d,a,6b,8,23,a,25,a,4b,a,49,a,
42,a,28</keycombinations>
<enablekeypad>yes</enablekeypad>
<keyboardhook>3</keyboardhook>
</keyboard-entry>
</keyboard-list>
<printer-list></printer-list>
<ldm-list></ldm-list>
<portredirection-list></portredirection-list>
<otherdevices-list></otherdevices-list>
<expert-list></expert-list>
</schemes>
<inheritedsessions></inheritedsessions>
</jwt-configuration>
412
HOB RD VPN
35.2 Example configuration for connections using the
HOB WSP
This is an example for connections between HOBLink JWT and RDP Targets via
the HOB WSP:
<jwt-configuration>
<session-list>
<session-entry>
<name>JWT-Session</name>
<connection>
<name>Select</name>
</connection>
<logon/>
<display/>
<keyboard/>
<printer/>
<ldm/>
<portredirection/>
<otherdevices/>
<expert/>
</session-entry>
</session-list>
<schemes>
<connection-list>
<connection-entry>
<name>Select</name>
<conntype>wspsocks</conntype>
<autocon>no</autocon>
<ipaddress/>
<macaddress/>
<wakeonlanrelaylist/>
<serverlist/>
<wsplist>
<server>
<ip>x.x.x</ip>
<port>443</port>
</server>
413
HOB RD VPN
</wsplist>
<sslfile/>
<ssldir/>
</connection-entry>
</connection-list>
<logon-list/>
<display-list/>
<keyboard-list/>
<printer-list/>
<ldm-list/>
<portredirection-list/>
<otherdevices-list/>
<expert-list/>
</schemes>
<inheritedsessions/>
</jwt-configuration>
414
HOB RD VPN
35.3 Connection parameters
The following are the HOBLink JWT XML configuration parameters used for
Connections settings.
Name
Description
Values/Syntax
Default
Value
Requirement
s/ Limitations
IPADDRESS
Name or IP
address of
Windows Terminal
Server
CONNTYPE =
direct
IPPORT
IP port of the
[0 ... 65535] - An
3389
Windows Terminal integer that specifies
Server
the IP port
CONNTYPE =
direct
MACADDRESS
MAC address of
the Windows
Terminal Server
CONNTYPE =
direct
USEWAKEONLAN Allows a Wake-OnLAN request to
boot the server to
be sent
yes - Sends a Wake- no
On-LAN request to
boot the server
no - Does nothing
CONNTYPE =
direct
MACADDRESS
WAKEONLANTIM The maximum time
EOUT
to wait for
connection
accepts.
[10 ... 600] - An
90
integer that specifies
the timeout in
seconds.
USEWAKEONLAN
= yes
WAKEONLANMO Controls the
DE
method of how
Wake-On-LAN
requests are
transmitted.
broadcast Broadcasts the
Wake-On-LAN
request
relay - Sends the
Wake-On-LAN
request to the
configured relays
USEWAKEONLAN
= yes
broadcast
WAKEONLANPOR Destination port for [0 ... 65535] - An
9
T
Wake-On-LAN
broadcasts.
the IP port
WAKEONLANMO
DE = broadcast
WAKEONLANREL List of Wake-OnAYLIST
LAN Relays.
A comma
separated list of
servers.
WAKEONLANMO
DE = relay
Syntax:
PORT = 9
RELAY = IP[:PORT]
WAKEONLANRELA
YLIST =
[RELAY[,WAKEONL
ANRELAYLIST]]
Example:
relay1.hob.de:9,
relay2.hob.de:9
AUTOCON
Allows the WTS to yes - Connects to the no
be chosen at
server immediately
runtime in a GUI. no - Shows a GUI to
choose the server
address
CONNTYPE =
direct
APPNAME
Path of application
to start instead of
Desktop
(Application
Serving)
STARTUPMODE =
app
415
416
HOB RD VPN
WORKINGDIR
Working directory
for application
used in Application
Serving.
STARTUPMODE =
app
BROADCAST
Type of broadcast yes - Use broadcast
(Load Balancing). no - Use server list
LBSELECTION
Server selection
show - Select from all reconnect
procedure for Load responding servers
Balancing.
reconnect - Connect
to the server with the
least load
CONNTYPE =
loadbalancing /
wsplb / wspsocks
SERVERLIST
List of servers
used for server list
(Load Balancing).
A comma
separated list of
servers.
Syntax:
SERVER =
IP[:PORT]
SERVERLIST =
[SERVER[,SERVER
LIST]]
Example:
wts1.hob.de:4095,
wts2.hob.de:4095
CONNTYPE =
loadbalancing /
wsplb / wspsocks
BROADCAST = no
LBOVERALLTIME Maximum overall
OUT
timeout for Load
Balancing.
[0 ... MAXINT] - An
20000
a timeout in
milliseconds
CONNTYPE =
loadbalancing /
wsplb / wspsocks
LBACTIVITYTIME Activity timeout for
OUT
Load Balancing.
This specifies the
maximum time to
wait after the last
response packet
has been received
0 - An infinite timeout 4000
[1 ... MAXINT] - An
a timeout in
milliseconds
CONNTYPE =
loadbalancing /
wsplb / wspsocks
LBSELECTION =
reconnect
LBRESENDTIMEO Resend request
UT
timeout for Load
Balancing. This
specifies the
timeout to resend
the Load Balancing
requests. In case
of BROADCAST=
no the requests are
only resent to all
unacknowledged
servers.
[1 ... MAXINT] - An
a timeout in
milliseconds
CONNTYPE =
loadbalancing /
wsplb / wspsocks
COMPRESSION
Use Microsoft
Point-To-PointCompression
Protocol (MPPC)
for data exchange.
yes - Enables data
compression
no - Disables data
compression
PUBAPPNAME
Name of published
application to
connect to
(Published
Application / True
Windows).
yes
CONNTYPE =
loadbalancing /
wsplb / wspsocks
yes
STARTUPMODE =
pubapp / seamless
HOB RD VPN
GATEPORT
The port used for [0 ... 65535] - An
4095
UDP load
balancing if
the IP port
broadcast is used.
CONNTYPE
Type of
connection.
direct - Use a direct direct
connection to the
WTS
loadbalancing - Use
HOB Load Balancing
to choose a WTS
wspdirect Establishes a WSP
direct connection
wsplb - WSP
connection with HOB
Load Balancing
wspsocks - WSP
connection with the
WSP SOCKS
authentication
protocol
WSPLIST
List of WSPs.
A comma
separated list of
servers.
Syntax:
WSP = IP[:PORT]
WSPLIST =
[WSP[,WSPLIST]]
Example:
wsp1.hob.de:4095,
wsp2.hob.de:4095
PROXYMODE
Determines the
Proxy mode.
auto - Automatic
auto
detection
no - Disable proxies
socks - Use SOCKS
proxy protocol
socks4 - Use SOCKS
V4 proxy protocol
http - Use HTTP
proxy protocol
PROXYLIST
List of SOCKS or
HTTP Proxies.
A comma
separated list of
servers.
Syntax:
SERVER =
IP[:PORT]
PROXYLIST =
[SERVER[,PROXYLI
ST]]
Example:
httpproxy1.hob.de:80
80,
httpproxy2.hob.de:80
80
PROXYUSER
User ID for the
proxy
authentication.
PROXYMODE
PROXYPASSWO
RD
Password for the
proxy
authentication.
PROXYMODE
CONNTYPE =
wspdirect / wsplb /
wspsocks
PORT=1080 - If PROXYMODE =
PROXYMODE = socks / socks4 /
socks / socks4 http
PORT=8080 - If
PROXYMODE =
http
417
TIMEOUT
Time to wait for
answer from WTS
while building the
connection.
RECEIVEBUFFER Sets the TCP
SIZE
receive buffer size
for the RDP
connection in
bytes.
CONSOLESESSI
ON
HOB RD VPN
[1 ... MAXINT] - An
a timeout in
milliseconds
0 - System default
8192
[1 ... MAXINT] - An
the size in bytes
The minimum and
maximum buffer
sizes are system
dependent
Connect to the
yes - Connects to the no
console session of console session
the WTS.
no - Does not request
a specific session
WSP_SELECTION Preselect server
for WSP SOCKS
mode.
WSPAUTH = yes
TWSINGLESERV Name of the Load
ERCONF
Balancing
configuration for
TrueWindows
Single Server.
This is the
configuration name
in the registry on
the server
WSPOLD
Indicates that JWT
connects to an old
WSP that does not
know the protocol
extension HOBRDP-EXT1
STARTUPMODE =
seamless
no
CONNTYPE =
wspsocks
KEEPALIVEINTER Specifies an
VAL
interval used to
keep the
connection alive.
JWT sends keepalive packets from
client to server to
avoid having
network devices
cut due to
inactivity.
0 - Disables this
0
option
[1 ... MAXINT] - An
the interval in
seconds
WSPUSETLS
yes - Allows a TLS
yes
connection to the
WTS through a WSP
tunnel
no - Allows only
common RDP
encryption
Specifies whether
to use an RDP or
TLS mode in the
WSP connection.
DISCONNECTTIM Specifies the
EOUT
maximum time
used to wait for a
disconnect
response from the
WTS.
418
yes - Uses the raw
RDP protocol
no - Uses the HOBRDP-EXT1 protocol
"default"
CONNTYPE =
wspdirect / wsplb
0 - Infinite timeout
10
[1 ... MAXINT] - An
the timeout in
seconds
HOB RD VPN
HOBXPERTTIME
OUT
Specifies the
maximum time
used to wait for a
reply from the HOB
RD ES Service.
0 - Infinite timeout
10
[1 ... MAXINT] - An
the timeout in
seconds
STARTUPMODE
Specifies the
startup mode.
desktop - Shows the desktop
entire remote
desktop
pubapp - Starts a
published application
in a single session
window
app - Starts an
application in a single
session window
seamless - Embeds a
published application
in the local window
management
RDPTARGETNAM Defines an
E
alternate target
name for the
destination WTS.
This parameter is
only used for WSP
direct connections
to WTS with
CredSSP
Automatically if
possible
WSPDYNIP
Specifies the IP
address for WSP
dynamic connect.
CONNTYPE =
wspsocks
WSPDYNPORT
Specifies the IP
port for WSP
dynamic connect
CONNTYPE =
wspsocks
WSPDYNVNCSSL Specifies the use
of SSL for VNC
with WSP dynamic
connect
yes - Enables SSL
no
for the VNC
connection
no - Disables SSL for
the VNC connection
CONNTYPE =
wspsocks
WSPDYNVNCSHA Specifies the
RED
shared option for
VNC with WSP
dynamic connect.
yes - Enables the
VNC shared option
no - Disables the
VNC shared option
CONNTYPE =
wspsocks
no
419
HOB RD VPN
35.4 Display parameters
The following are the HOBLink JWT XML configuration parameters used for Display
settings.
420
Name
Description
Values/Syntax
Default Value Requirements/
Limitations
WIDTH
Width of applet
area in HTML page
HEIGHT
Height of applet
area in HTML page
WINDOW
Type of session
window
frame - Displays the frame
session top-level
window with a title
and a border
fullscreen - Displays
the session in a
fullscreen window
maximized - Displays
the session in a
maximized top-level
window with a title
and a border
applet - Displays the
session in the WEB
page of the browser
containing the applet
(deprecated)
seamless - Use
STARTUPMODE=se
amless instead
NOWARNING
Suppress warning
messages such as
"certificate file
cannot be written"
yes - Suppresses
warning messages
no – Does not
suppress warning
messages
no
GEOMX
Specifies the
external X position
of the session
window in frame
mode (can also be
negative) and the
internal position of
the session panel
in fullscreen or
applet mode
[MIN_INT...MAX_INT
] - Position in pixels
relative to the screen
[0...100]% - Position
in percent (0% is left
justified, 100% is
right justified)
auto - Window is
automatically
adjusted
0WINDOW = frame/
If WINDOW=fra fullscreen/applet
me
auto If WINDOW=full
screen or
WINDOW=apple
t
GEOMY
Specifies the
external Y position
of the session
window in frame
mode (can also be
negative) and the
internal position of
the session panel
in fullscreen or
applet mode.
[MIN_INT...MAX_INT
[0...100]% - Position
in percent (0% is top
justified, 100% is
bottom justified)
auto - Window is
automatically
adjusted
0 – if
WINDOW = frame/
WINDOW=frame fullscreen/applet
auto If WINDOW=full
screen or
WINDOW=apple
t
STARTUPMODE =
desktop / app /
pubapp
or
TWPUREJAVA =
yes
HOB RD VPN
SCREENRATIOX
Horizontal ratio of [10 ... 400] - An
screen to be used integer that specifies
for a session
the ratio in percent
WINDOW = frame
SCREENRATIOY
Vertical ratio of
[10 ... 400] - An
screen to be used integer that specifies
for a session
the ratio in percent
WINDOW = frame
TITLE
String that will be
assigned to title of
a JWT window
SESSIONWIDTH
Width of N RDP
session
[300 ... 32767] - An 800
the width in pixels
SESSIONHEIGHT Height of an RDP
session
[200 ... 32767] - An 600
the height in pixels
COLORDEPTH
Color depth of
RDP session in
bits per pixel
0 - Automatic
0
detection (uses the
local depth)
8 - Mode with 256
colors
15 - Mode with 32768
colors
16 - Mode with 65536
colors
24 - Mode with
16777216 colors
32 - Mode with
16777216 colors
(including alpha)
DISPLAYIP
Display WTS name
or address in title
bar of the session
window
yes - Displays the IP yes
address
no - Hides the IP
address
DISPLAYNAME
Specifies the name
displayed instead
of an IP address
DISPLAYEDNAME String that contains
the displayed
configuration name
HIDETASKBAR
Hide the local
taskbar in full
screen mode
yes - Hides the local no
taskbar to display the
entire session
window
no - Does not control
the local taskbar
Windows OS only
with native
extension (JNI)
CONNBAR
Display the
connection bar in
fullscreen mode
yes - Displays the
yes
connection bar
no - Does not display
the connection bar
WINDOW = frame
/ applet
ALLOWTHEMES
Allow the user to
change themes in
a JWT session
yes - Enables themes yes
in RDP
no - Disables themes
to reduce the
bandwidth
421
HOB RD VPN
ALLOWBACKGRO Allow the user to
UND
change the
wallpaper in a JWT
session
yes - Enables
wallpaper in RDP
no - Disables
wallpaper to reduce
the bandwidth
no
ALLOWMENUANI Allow the user to
M
change menu
animation in a JWT
session
yes - Enables menu
animation in RDP
no - Disables menu
animation to reduce
the bandwidth
yes
ALLOWSHOWCO Allow the user to
NTENT
change windows to
"show content
while dragging" in
a JWT session
yes - Enables the
yes
window dragging
option in RDP
no - Disables window
dragging option to
reduce the bandwidth
ALLOWCURSORS Allow the user to
HADOW
use cursors with
shadows in a JWT
session
yes - Enables cursor no
shadows in RDP
no - Disables cursor
shadows to reduce
the bandwidth
ALLOWCURSORB Allow the user to
LINKING
use blinking text
cursors in a JWT
session
yes
yes - Enables text
cursor blinking in
RDP
no - Disables text
cursor blinking to
ALLOWFONTSMO Allow the user to
yes - Enables font
no
OTHING
use font smoothing smoothing in RDP
in a JWT session no - Disables font
smoothing to reduce
the bandwidth
ALLOWDESKTOP Allow the user to
COMPOSITION
enable desktop
composition
NOERRDLG
Do not show an
error dialog (e.g. if
you use
PowerFuse and
logoff, PF
disconnects you at
once and logs you
off in the
background).
SHOWDISCREAS Specifies if the
ON
disconnect reason
message is
displayed (e.g. if
PowerFuse=no
then disconnects
immediately and
logs off in the
background)
422
This feature is
under development
yes - Avoids RDP
errors being
displayed
no - Shows every
error
no
yes - Displays all
yes
disconnect reasons
no - Hides disconnect
reasons
HOB RD VPN
SCREEN
The screen where -1 - Displays session -1
the JWT window is on the current screen
displayed
0 - Displays session
on both screens
on main screen
on second screen
X11RDPUI
Controls the use of
the RDP graphics
extension for X11
based systems
yes - Use the native yes
extension
no - Use the platform
independent
implementation
X11 based OS with
native extension
(JNI)
WINRDPUI
Controls the use of
the RDP graphics
extension for
Windows OS
systems
yes - Use the native
extension
no - Use the platform
independent
implementation
yes - If
BETATEST =
yes
no - Otherwise
X11 based OS with
native extension
(JNI)
MACMENUBARM Controls the
ODE
behavior of the
menu bar for Mac
OS X in a
fullscreen session
below - Places the
fullscreen window
below the menubar
hidden - Hides the
menubar
auto - Hides and
shows the menubar
automatically
hidden
WINDOW =
fullscreen
Mac OS only with
native extension
(JNI)
TRYOUTINFO
Indicates whether
to show the tryout
box within the
tryout period
yes - Shows the
yes
tryout info box
no - Hides the tryout
info box
TWPUREJAVA
Controls the use of
TrueWindows
PureJava if native
support is available
yes - Use
no
TrueWindows Pure
Java instead of a
native extension
no - Use the native
extension if available
RDPUSEMONITO Enables support
RLAYOUT
that advertises a
local monitor layout
to the WTS
yes - Transmits the yes
local monitor layout
to the WTS
no - Uses the single
monitor layout mode
on the WTS
STARTDIALOGX
[MIN_INT...MAX_INT auto
[0...100]% - Position
in percent (0% is
adjusted left, 100% is
adjusted right)
auto - Window
automatically
adjusted
Controls the X
position of the
startup dialog (can
also be negative)
STARTUPMODE =
seamless
423
STARTDIALOGY
Controls the Y
position of the
startup dialog (can
also be negative)
STARTDIALOGBA Specifies an
NNER
alternative banner
(image) in the start
dialog
HOB RD VPN
[MIN_INT...MAX_INT auto
[0...100]% - Position
in percent (0% is
adjusted top, 100% is
adjusted bottom)
auto - Window
automatically
adjusted
Syntax: PARAM =
KEY=VALUE
STARTDIALOGBAN
NER =
[STARTDIALOGBAN
NER[,PARAM]]
Values: url - The URL
of the image
(supported formats
are GIF, JPG and
PNG)
scale - Scale mode
(no or ninegrid)
ng.top - Upper part of
the ninegrid
transformation in
pixels
ng.left - Left part of
the ninegrid
transformation in
pixels
ng.bottom - Lower
part of the ninegrid
transformation in
pixels
ng.right - Right part
of the ninegrid
transformation in
pixels
bgcolor - RGB
background color
value in the form
"0xRRGGBB"
min.width - Minimum
width of the image in
pixels
min.height - Minimum
height in pixels
align.h - Horizontal
alignment
(left|center|right)
align.v - Vertical
alignment
(top|center|bottom)
Example: url=http://
domain.example/
banner.jpg,
min.width=600,
bgcolor=0xffffff
424
HOB RD VPN
STARTDIALOGPO Maximum time to
PUPTIME
wait until the
startup dialog is
shown while the
connection is being
established
-1 - An infinite
1000
timeout
0 - Shows the dialog
immediately
[1...MAXINT] - An
a timeout in
milliseconds
DISABLEDSESSI Controls the
ONDISPLAYMOD display mode of a
E
disabled session
grayscale - Displays grayscale
a grayscaled image
of the current session
screen
black - Displays a
black background
425
HOB RD VPN
35.5 Logon parameters
The following are the HOBLink JWT XML configuration parameters used for Logon
settings.
Name
Description
USERID
User name on
WTS
PASSWORD
Password on WTS
DOMAIN
Domain for user on
WTS
AUTOLOGON
Login automatically yes - Enables
to the WTS
automatic login
no - Disables
automatic login
SINGLESIGNON
Use HOB Singlesign-on
WSP_USERID
User ID for login to
WSP
WSPAUTH = yes
WSP_PASSWOR Password for login
D
to WSP
WSPAUTH = yes
USE_WSP_ACCO Inherit User ID/
UNT
Password from
login to WSP for
TS
Default Value Requirements/
Limitations
no
yes - Uses WSP
no
credentials for TS
login
no - Does not change
TS login settings
Password token for
login to WSP
CERTFILE
Controls if the TS yes - Saves an
yes
license is saved in incoming TS license
the local registry
in the registry
no - Never save such
licenses
WSPAUTH = yes
WSPAUTH = yes
TIMEZONEOFFSE Specifies the raw
T
offset from GMT in
minutes. The offset
is automatically
detected if not
specified
[-720 ... +720] - An
the raw offset from
GMT in minutes
LBQUERYUSER
yes - Asks the user yes
for their credentials
no - Does not ask the
user for credentials
Controls if the user
is asked for
credentials for load
balancing if no
user name is
configured
USERID and PAS
SWORD
yes - Uses Singleno
sign-on credentials
no - Uses credentials
of the profile
SSO_TOKEN
WSPDYNVNCPAS Specifies the VNC
SWORD
password for WSP
dynamic connect
426
Values/Syntax
CONNTYPE =
loadbalancing
CONNTYPE =
wspsocks
HOB RD VPN
35.6 Security parameters
Security settings.
Name
Description
Values/Syntax
Default
Value
Requirements/
Limitations
SECPROFILEURL Specifies the URL An absolute URL or a
to request the XML path relative to the
configuration
applet code base.
Example: https://
domain.example/
requesthandler.sync
?id=profile001../
requesthandler.sync
?id=profile001"
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
SECPROFILEPAR
AMS
SECPROFILEPAR Specifies the
AMS
security
parameters to
request the XML
configuration
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
SECPROFILEURL
Syntax:CSS =
cs[:CSS]
CMS = cm[:CMS]
PARAM =
CSS | mod | exp | ran
d | CMS
SECPROFILEPARA
MS =
[PARAM[,SECPROFI
LEPARAMS]]
Values: cs - The
cipher suites
supported by the
server ("AES-128",
"AES-256", "RC4128", "RC4-256").
The delimiter is ":"
mod - RSA modulus
in hexadecimal
format
exp - RSA public
exponent in
hexadecimal format
rand - A random
number generated by
the server (should
equal the generated
key)
cm - (Optional) The
compression
algorithms supported
by the server ("raw",
"gzip", "zlib"). The
delimiter is ":"
Example: "cs=AES128, mod=0xcf...11,
exp=0x010001,
rand=0x9d...af"
427
SERVERCERTIFI Indicates if the SSL
CATES
files shall be
downloaded from
the web server
yes - Loads SSL files yes
from server from
location
"$CODEBASE$/
$SSLFILE$.[cfg | cdb
| pwd]"
no - Loads SSL files
from local system
from location
"$SSLDIR$/
$SSLFILE$.[cfg | cdb
| pwd]"
Web mode of JWT
only (Applet)
SSLDIR
The directory of the
SSL files
"$USERHOME$/
hob/jwt"
SSLFILE
The name of the
SSL files
(certificate
database,
configuration and
password)
"hclient"
SSLFILERDP
SSL file pattern for
RDP-TLS
(certificate
database,
configuration and
password)
"hclient"
SSLDUMMY
Runs a WSP
yes - Uses an
no
connection without unencrypted
SSL encryption
connection
no - Uses an
encrypted connection
RDPSECURITYM Allows a fixed
ODE
security layer to be
used without
negotiation
428
HOB RD VPN
negotiate negotiate
Negotiates the best
RDP security
between client and
server
rdp - Forces the
client to use the
standard RDP
security layer only
tls - Forces the client
to use the TLS
security layer only
credssp - Forces the
client to use the
CredSSP security
layer only
HOB RD VPN
RDPSECURITYLA Controls and limits
YER
the used and
allowed RDP
Security Layers. It
allows an order
and combination of
such layers to be
specified
Syntax:
LAYER = [rdp or tls
or credssp]
LAYERS =
LAYER[+LAYERS]
RDPSECURITYLAY
ER =
LAYERS[,RDPSECU
RITYLAYER]
Values:
rdp - Uses the
standard RDP
security layer
tls - Uses the TLS
security layer
credssp - Uses the
CredSSP security
layer with preceding
authentication
Example:
"credssp" - Allows
CredSSP
connections only
"rdp,tls+credssp" Tries RDP Security
as first and TLS or
CredSSP as second
"credssp,rdp+tls" RDPSECURITYM
- If
ODE = negotiate
SINGLESIGNO
N = yes
"rdp+credssp,tls"
- If
VERIFYLOGIN
= yes
"rdp,tls+credssp"
- Otherwise
429
HOB RD VPN
35.7 Keyboard & Mouse parameters
Keyboard & Mouse settings.
Name
Description
Values/Syntax
DISABLEALTGR
Send CTRL+ALT
rather than AltGr
(input assistance
for handicapped
users).
yes - Sends
no
CTRL+ALT to the
WTS if the user
presses AltGr
no - Send AltGr to the
WTS
ACTIVATENUMLO Switch on
CK
NumLock at
connection start
yes - Activates
NumLock
no - Deactivates
NumLock
KEYBOARDLAYO Name of the
UT
requested
keyboard layout
default, arabicegypt, default
bulgarian, canadian,
chinese, croatian,
czech, danish, dutch,
australian, uk, us,
finnish, flemish,
french, belgian,
frenchcanadian,
frenchcanadianstand
ard, swissfrench,
german,
swissgerman, greek,
hebrew, hungarian,
icelandic, italian,
japanese,
japanese_ime,
korean, norwegian,
polish, polish214,
portuguese, brazil,
romanian, russian,
slovak, slovenian,
spanish, spanishlatin,
swedish, thai,
turkishf, turkishq,
ukrainian
LOCKMODE
yes - Enables
workaround to
correct wrong key
events
no - Disables
workaround
Workaround for
keyboard problems
with locking keys
(Caps-, Scroll- and
NumLock) with
some Java VMs
SWAPMOUSEBU Swap left and right
TTONS
mouse buttons (if
you have lefthanded profile both
on local OS and
WTS)
430
Default
Value
Requirements/
Limitations
Does not change
the NumLock
state
no
yes - Swaps left and no
right mouse buttons
the mouse buttons
auto - Swaps the
mouse buttons
depending on the
local system settings
Automatic
detection is not yet
available on all
platforms
HOB RD VPN
ENABLEKEYPAD Controls if keypad
can be launched
via CTRL+ALT+K
(or a self-defined
hotkey)
yes - Allows the user no
to open the keypad
no - Prevents the
user from opening
the keypad
KEYBOARDHOOK Specifies how to
redirect Windows
key combinations
0 - Disables Windows 3
Keyboard hook
1 - Uses Keyboard
hook without
redirecting Windows
key combinations
2 - Uses Keyboard
hook and redirects all
Windows key
combinations
3 - Uses Keyboard
hook and redirects all
Windows key
combinations in full
screen mode
Windows OS only
with native
extension (JNI)
KEYCOMBINATIO Comma separated Syntax:
NS
values for hotkeys HOTKEY =
MODIFIERS,VIRTUA
LKEY
KEYCOMBINATION
S=
[HOTKEY[,KEYCOM
BINATIONS]]
DRAGANDDROP
Controls if drag &
drop is enabled
yes - Enables drag & yes
drop between
TrueWindows and
local applications
no - Disables drag &
drop
STARTUPMODE =
seamless
This feature is
under development
DIRECTKEYMAPP Enables non-client yes - Sends keys
no
ING
keyboard mode
directly to WTS and
ignores the local
keyboard layout
no - Translates keys
from the local
keyboard layout to
the server layout
USEUNICODEINP Enables support
UT
for Unicode input
events. This allows
for the support of
local keyboard
characters not
supported by the
Windows keyboard
layout
yes - Sends the
no
unicode character
output of the local
key combination if
the character is not
supported by the
Windows layout
no - Sends the
scancodes of the
local key combination
if the character is not
supported by the
Windows layout
DIRECTKEYMAPP
ING = no
431
432
HOB RD VPN
MACONEBUTTON Enable right mouse
MOUSE
button emulation
on a Mac. A
combination of a
control key and
mouse click can be
used to emulate a
right mouse button
yes - Enables this
option
no - Disables this
option
MACCONTROLKE Mapping of the
YMAPPING
Mac OS specific
ControlKey
ctrl - Maps this key to auto
Control (left and
right)
winkey - Maps this
key to Windows keys
(left and right)
auto - Maps to
Control if a OneButton-Mouse is
used, otherwise the
Windows key is used
yes - If the
Mac OS only
current mouse is
a single button
mouse
no - otherwise
Mac OS only
HOB RD VPN
35.8 Resources parameters
Resources settings.
Name
Description
Values/Syntax
Default
Value
COMPUTERNAM Overrides the local
E
computer name
(used for TS
licensing).
This parameter
affects the TS
licensing protocol
and is the name of
the subject in the
TS license
The local
computer name
CLIENTNAME
Specifies the name
of the client. This
parameter affects
the client name
displayed in the
Task Manager and
the location name
of redirected
devices, e.g.
printers.
Value
of COMPUTER
NAME
AUTOMAPPRT
Map printers
automatically
AUTOMAPPRTPA A pattern for printer
TTERN
names of
automatically
mapped printers
DEFAULTPRINTE Name of printer to
R
be the default in a
WTS session. It
can be either the
name of a preconfigured printer
or a system printer
Requirements/
Limitations
all - Includes all local all
printers
default - Includes
local default printer
no - Uses configured
printers only
Windows OS only
with native
extension (JNI)
Syntax:
"<NAME>"
TEXT = any string
(system properties
are possible)
KEY = "<NAME>"
PATTERN =
[TEXT]KEY[:PATTE
RN]
Example:
"<NAME>
(%USERNAME%@
%USERDNSDOMAI
N%)"
AUTOMAPPRT =
all / default
For system printer
-AUTOMAPPRT =
all / default
433
HOBPPMHIDESE Specifies if the
SSIONID
session ID should
be a part of the
printer name
yes - Hides the
session ID to keep
the printer name
constant
no - Assigns the
session ID to the
printer name in the
session
EASYPRINTIMPL Specifies the
default Easy print
implementation
auto - Uses
auto
automatic detection
for the
implementation used
native - Uses the
native
implementation (if
supported)
java2d - Uses the
standard Java
printing API
java2d_img - Uses
the standard Java
printing API with
complete images
(slow and high
memory usage)
CLIPBOARD
434
HOB RD VPN
Enables clipboard 0 - Disabled
support
1 - Text only
2 - Full support
(Windows only)
no
1
Full support on
Windows OS only
with native
extension (JNI)
NATIVECLIPBOA Use native
RD
clipboard (for
complete format
support)
yes - Uses the native yes
clipboard extension
no - Uses the Java
clipboard
Windows OS only
with native
extension (JNI)
CLIPBOARDAUTO Specifies if the
MAPDRIVE
dynamic mapping
of a local drive for
file clipping support
is allowed
never - Never allows
a dynamic drive to be
mapped
always - Maps all
dynamic drives
without prompting
never - if
AUTOLDM = no
always - if
AUTOLDM = yes
TWAUTOMAPDRI Specifies if the
VE
dynamic mapping
of a local drive (in a
running session) is
allowed
never - Never allows
a dynamic drive to be
mapped
ask - Asks the user to
map a dynamic drive
always - Maps all
dynamic drives
without prompting
never - if
AUTOLDM = no
ask - if
AUTOLDM = yes
LDMREDIRECTO Specifies the
R
default redirector
for local drive
mapping
hob - HOB Enhanced ms
Local Drive Mapping
ms - Standard Local
Drive Mapping
PRTREDIRECTO Specifies the
R
default redirector
for printer port
mapping
ms
hob - HOB Printer
Port Mapping
ms - Standard Printer
Port Mapping
HOB RD VPN
PRINTDLGMODE Specifies the
system - Uses the
default print dialog system default print
for Easy Print
dialog
limited - Uses a
limited print dialog
AUTOLDM
limited
Automatically map yes - Maps all drives no
local drives
with the redirector
specified in
LDMREDIRECTOR
ms - Maps all drives
via Standard Local
Drive Mapping
hob - Maps all drives
via HOB Enhanced
Local Drive Mapping
no – Does not map
any drives
LDMSTRICTCASE Use strict caseSENSITIVITY
sensitivity on casesensitive file
systems in Local
Drive Mapping
yes - Enables strict
case-sensitivity
(some server
applications may
have problems)
no - Use an eased
case-sensitivity
no
Unix based OS
only (includes Mac
OS)
TWAIN
yes - Enables TWAIN no
Enables the
TWAIN redirection no - Disables TWAIN
to support
scanners
Windows OS only
with native
extension (JNI).
HOB Enhanced
Terminal Services
on WTS
SANEIP
The IP address of
the SANE daemon
TWAINT = yes
SANEPORT
The IP port of the
SANE daemon
[0 ... 65535] - An
6566
the IP port
TWAINT = yes
SMARTCARD
Enables the
Smartcard
redirection
yes - Enables access no
to local Smartcards
no - Disables access
to local Smartcards
Windows OS only
with native
extension (JNI)
"localhost"
435
436
HOB RD VPN
DEVICELIST
A definition of
redirected devices
(printers, drives
and ports)
Syntax:
DEVTYPE =
"[prt]" | "[com]" | "[lpr]
" | "[pcl]" | "[ipp]" |"[dr
v]" | "[par]"
DEVPARAM =
KEY=VALUE
DEVPARAMLIST =
[DEVPARAM[,DEVP
ARAMLIST]]
DEVICELIST =
DEVTYPE[DEVPAR
AMLIST][DEVICELIS
T]
Example:
"[drv]localpath=C:
[pcl]name=SamplePri
nter, driver="HP
DeskJet 1120C",
printer=default"
AUDIODEVOUT
Specifies the audio rdpsound - Uses the rdpsound
output system
standard RDP audio
(playback)
hobaudio - Uses
HOB audio
no - Disables audio
AUDIODEVIN
no
Specifies the audio rdpsound - Uses
input system
standard RDP audio
(recording)
hobaudio - Uses
HOB audio
no - Disables audio
RDPSOUNDCHAN Specifies if audio
NEL
data are sent with
UDP or as a virtual
channel over a
normal RDP
connection
udp - Uses UDP to
transport the audio
data
vc - Uses a channel
within the RDP
connection to
transport the audio
data
VCFILENAMES
Syntax:
FILENAME =
DLLFILE|CLASSFIL
E
VCFILENAMES =
[FILENAME[,VCFILE
NAMES]]
Example:
C:\Virtual
Channels\vc.dll,
com.company.produc
t.vc.VC.class
A commaseparated list of
DLLs and Java
Classes supporting
either the MS
Virtual Channel
interface or the
HOB Java Virtual
Channel interface
udp
AUDIODEVOUT =
rdpsound
MS Virtual
Channels on
Windows OS only
with native
extension (JNI).
Java Virtual
Channels must be
accessible by class
path
HOB RD VPN
VCWEBLIBS
A commaseparated list of
virtual channel key
names for the
WEB mode
Syntax:
VCWEBLIBS =
[KEYNAME[,VCWEB
LIBS]]
Example:
hob.hltc.vc.speechmi
ke
VCREADREG
Tells if registry
should be read to
retrieve virtual
channels
yes - Loads MS
Virtual Channels
registered in the
Windows registry
no - Does not load
such channels
VCOPT
A parameter used Syntax:
as a prefix for a
VCOPT.<channel>.<
virtual channel
option>=<value>
option
JARFILEFILTER
A list of filename
filters to specify the
resources that
should be loaded
via a JAR file
Syntax:
FILEPATTERN = A
file name or a
pattern.
JARFILEFILTER =
[FILEPATTERN[;JAR
FILEFILTER]]
Example:
"*.jpg; *.xml"
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
LOOKANDFEEL
Specifies the used Example:
Swing Look & Feel "javax.swing.plaf.met
al.MetalLookAndFeel
"
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
Web mode of JWT
only.
MS Virtual
Channels on
Windows OS only
with native
extension (JNI).
Java Virtual
Channels must be
accessible by class
path
no
Windows OS only
with native
extension (JNI)
Swing Look & Feel
must be available
in Java runtime
437
HOB RD VPN
35.9 Logging parameters
Logging settings.
Name
Description
Values/Syntax
Default
Value
DOTRACE
Creates an
encrypted trace file
with all connection
data
yes - Writes a trace no
file to
"$USERHOME$/hob/
jwt/
jwt_$PROFILE$.log.
hcrypt"
no - Disables tracing
TRACEFILE
Specifies the
pathname of the
trace file
The file can be an
absolute or relative
pathname. It is
possible to insert
patterns for
environment
variables.
Example:
"%TEMP%/
jwt_trace.log.hcrypt"
METERINGIP
Name or IP
address of
metering server
Requirements/
Limitations
"$USERHOME$/ DOTRACE=yes
hob/jwt/
jwt_$PROFILE$.
log.hcrypt"
13270
METERINGPORT IP port of metering [0 ... 65535] - An
server
the IP port
METERINGTYPE
The type of the
metering protocol
tcp - Uses TCP
udp
based protocol
udp - Uses UDP
based protocol
both - Uses TCP and
UDP
TRACELEVEL
Trace level used in [0 ... 10] - A higher
debug versions
value increases the
and for audio
traced amount of
data
no
TRACEKEYBOAR Enables the
D
keyboard trace.
The output
messages are
directed to the
session trace file
no
DEBUGHOBAUDI Enables debugging yes - Enables
O
for HOB audio
debugging options
no - Disables
debugging options
438
0
DEBUGKEYBOAR Enables keyboard yes - Enables
D
debugging
debugging options
no - Disables
debugging options
yes - Enables
keyboard trace
messages
no - Disables
keyboard trace
messages
METERINGIP
DOTRACE = yes
no
HOB RD VPN
TRACEKEYBOAR Traces the
DFILE
downloaded
keyboard file. The
output messages
are directed to the
session trace file
yes - Enables trace
option
no - Disables trace
option
MEASURETRAFFI Specifies whether
C
to write a CSV file
with information
about bytes sent
and received
yes - Writes a file
no
containing statistical
information to
"$USERHOME$/hob/
jwt/
jwt_$PROFILE$.csv"
no - Does nothing
MEASURETRAFFI Specifies an
CTIME
interval in seconds
to create a further
entry in the CSV
file
[1 ... MAXINT] - An
60
the interval in
seconds
no
DOTRACE = yes
MEASURETRAFFI
C = yes
439
HOB RD VPN
35.10 Control parameters
The following are the HOBLink JWT XML configuration parameters used for Control
settings.
Name
Description
Values/Syntax
ADJUSTMENT
Limits the
parameters that
can be changed by
the user
all - All options
all
enabled
minimal - Enables the
options KEYBOARD,
KEYBOARDHOOK,
SESSIONWIDTH,
SESSIONHEIGHT,
SCREENRATIO,
SCREENRATIOX
and
SCREENRATIOY.
no - No options
enabled
ADJUSTMENTOP A commaTIONS
separated list of
parameters that
can be adjusted by
the user. It can be
used in
combination with
the parameter
ADJUSTMENT.
440
Default
Value
Requirements/
Limitations
These prefixes can
be used to control a
single option:
"+": enables
adjustment
"-": disables
adjustment
"!": enables
adjustment without
caching
"*": enables an open
editable choice
These postfixes can
be used to control a
single option:
"[VALUE,...]" Syntax:
VARIABLE = [+||!|*]KEY[VALUE,...]
ADJUSTMENTOPTI
ONS =
[VARIABLE[,ADJUS
TMENTOPTIONS]]
Example:
"+KEYBOARD, COLORDEPTH,
!WINDOW,
USERID[Administrat
or, Demo1, User2],
*DOMAIN[DOM1,
DOM2]"
HOB RD VPN
SHUTDOWN
Executes a system
shutdown after the
last session has
been finished and
exits the current
process
HOMEDIR
Name of home
directory (which is
the default path for
SSL files, traces,
DLLs, etc.)
PROFILEBASE
Alternative URL of
the profile base
directory
yes - Executes the
no
shutdown command
after session end
no - Does nothing
Administrative
privileges for
shutdown are
required
Windows OS (NT
based) - executes
'shutdown.exe /L /
Y /T:0' or
'shutdown.exe /s /f
/t 0'
Windows OS (9x) executes
'RUNDLL32
SHELL32.DLL,SH
ExitWindowsEx 5'
Unix - executes
'shutdown -h'
The codebase of HTML Applet tag
the applet
parameter.
Web mode of JWT
only (Applet)
EXECUTEAFTERJ Controls the use of
WT
the JavaScript
function
ExecuteAfterJWT
no
yes - Executes
function
"ExecuteAfterJWT"
after all sessions are
closed
no - Does nothing
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
JAVASCRIPTEVE Controls the use of
NTHANDLER
the JavaScript
function
EventHandlerJWT
yes - Passes JWT
no
events to the function
"EventHandlerJWT"
no - Does nothing
HTML Applet tag
parameter.
Web mode of JWT
only (Applet)
DISKCACHEPATH Directory of the
persistent bitmap
cache
EXPERTS
"$USERHOME$/
hob/jwt"
Allows all
parameters to be
set in a single
string
ALLOWCLOSEWI Controls if closing yes - Allows the user yes
N
of the session
to disconnect the
window is allowed session
no - Prevents the
user disconnecting
the session to force a
session logoff
RDPAUTORECON Controls the
ask - Asks the user to ask
NECT
automatic
reconnect
reconnect function no - Disables
automatic reconnect
441
442
HOB RD VPN
ENVMENTVARIAB Comma separated
LES
commands to set
environments
values if not yet
existing. Optionally
a "+" to append a
value, "-" to delete
a value and "!" to
overwrite an
existing value can
be assigned
Syntax:
VARIABLE = [+||!]KEY[=VALUE]
ENVMENTVARIABL
ES =
[VARIABLE[,ENVME
NTVARIABLES]]
RDPOPTIONS
Enables the UI
panel to change
RDP specific
options
yes - Allows the user
to change some RDP
options
no - Disables this UI
VERIFYLOGIN
Verifies that the
login credentials
specified for an
automatic login are
correct
yes - Aborts the RDP no
session if the login
fails
no - Uses the default
behavior
Windows OS only
with native
extension (JNI)
yes - if
CONNTYPE =
direct and
AUTOCON = no
no - Otherwise
Requires SP1 for
Windows Server
2003.
Requires CredSSP
support for
Windows Server
2008.
AUTOLOGON =
yes
SSLDIR, SSLFILE,
SSLFILERDP
HOB RD VPN
35.11 Optimization parameters
Optimization settings.
Name
Description
Values/Syntax
Default
Value
QUEUE_EVENTS Queue mouse and
keyboard events
rather than sending
each in a separate
block
yes - Collects up to no
10 input events within
a time window of 50
milliseconds
no - Disables event
queue
MOUSEMOVES
Send mouse
motion events to
the WTS
yes - Sends all
yes
mouse events to the
server
no - Sends only
mouse click events to
the server
REFRESHRATE
Specifies the time
in which at least
one screen update
will be made
[0 ... 10000] - An
150
the time in
milliseconds
HARDDISKCACH Size of the
ESIZE
persistent bitmap
cache
[0 ... MAXINT] - An
0
the maximum size in
KBytes
CACHE0SIZE
Number of entries
in memory 0 cache
(up to 16x16
pixels)
[0 ... MAXINT] - An
the cache size in
elements
CACHE1SIZE
Number of entries
in memory 1 cache
(up to 32x32
pixels)
[0 ... MAXINT] - An
the cache size in
elements
CACHE2SIZE
Number of entries
in memory 2 cache
(up to 64x64
pixels)
[0 ... MAXINT] - An
the cache size in
elements
NOSHAREDEVIAT The threshold that [0 ... 100] - An integer 0
ION
specifies when to that specifies a
threshold in percent
use session
sharing or when to
start a new true
windows session
HOBPPMCOMPR Enables
ESSION
compression for
the HOB Printer
Port Mapping
yes - Enables ZLIB
compression
no - Disables
compression
Requirements/
Limitations
CONNTYPE =
loadbalancing /
wsplb / wspsocks
yes
MEMORYCACHE Specifies the size 0 - Uses default
8000
SIZE
of the RDP bitmap settings
cache
[1 ... MAXINT] - An
the size in KBytes
443
HOB RD VPN
OFFSCREENCAC Specifies the size
HESIZE
of the RDP
offscreen bitmap
cache
0 - Uses default
2560
settings
[1 ... MAXINT] - An
the size in KBytes
NINEGRIDCACHE Specifies the size
SIZE
of the RDP
ninegrid bitmap
cache
0 - Uses default
2560
settings
[1 ... MAXINT] - An
the size in KBytes
CONFIGVERSION Integer containing
the configuration
version number
444
HOBAUDIORATE Specifies the
OUT
bandwidth
available for HOB
audio for data
transmission from
server to client
0 - Automatic
0
detection
[1 ... MAXINT] - An
the bandwidth in
bytes per second
AUDIODEVOUT =
hobaudio
OUTMIN
minimum
bandwidth
available for HOB
audio for data
transmission from
server to client
[0 ... MAXINT] - An
0
the bandwidth in
bytes per second
HOBAUDIORATE
OUT = 0
OUTMAX
maximum
bandwidth
available for HOB
audio for data
transmission from
server to client.
[0 ... MAXINT] - An
MAXINT
the bandwidth in
bytes per second
HOBAUDIORATE
OUT = 0
HOBAUDIORATEI Specifies the
N
bandwidth
available for HOB
audio for data
transmission from
client to server
[0 ... MAXINT] - An
Automatic
integer that specifies detection
the bandwidth in
bytes per second
AUDIODEVIN =
hobaudio
NMIN
minimum
bandwidth
available for HOB
audio for data
transmission from
client to server
[0 ... MAXINT] - An
0
the bandwidth in
bytes per second
HOBAUDIORATEI
N=0
NMAX
maximum
bandwidth
available for HOB
audio for data
transmission from
client to server
[0 ... MAXINT] - An
MAXINT
the bandwidth in
bytes per second
HOBAUDIORATEI
N=0
HOB RD VPN
VCFREELIBRARY Specifies whether
a virtual channel
library should be
unloaded after a
session
disconnect. Some
third-party
channels are not
designed to be
unloaded
yes - Unloads the
yes
channel from the
JWT process
no - Does not unload
the library
Native MS Virtual
Channel support
VCSENDPRIORIT Specifies the
Y
thread priority of
the thread used in
a virtual channel
extension to send
data to the WTS
0 - System default
1 - Lowest
2 - Below normal
3 - Normal
4 - Above normal
5 - Highest
0
Native MS Virtual
Channel support
CACHEIMMEDIAT Controls
ELY
immediate bitmap
caching in RDP
yes - Enables
immediate bitmap
caching
no - Cache bitmaps
only if used more
than once
no
RESETBITMAPCA Resets the bitmap
CHE
cache after each
capability
exchange. Such
capability
exchanges occur
between logon
session and user
session or when
session shadowing
takes place. This
option solves some
caching problems
when connecting to
Windows XP
Professional that
are typically shown
in the form of a
flashing black
rectangle.
yes - Resets the
bitmap cache
no - Bitmap cache
remains unaffected
no
BETATEST
Controls the beta
features to be
tested
yes - Enables new
no
features that are not
released until now.
no - Uses only
released features
COLORREDUCTI Controls dynamic
ON
color fidelity
yes - Uses color
no
space conversion to
the colors
445
446
HOB RD VPN
COLORSUBSAMP Controls color subLING
sampling if
dynamic color
fidelity is enabled.
The color values of
bitmaps are
reduced to half the
resolution
yes - Uses color sub- no
sampling to reduce
the bandwidth
the resolution
COLORREDUCTI
ON = yes
RDPNINEGRID
yes - Enables RDP
NineGrid bitmaps
no - Disables RDP
NineGrid bitmaps
yes
Ninegrid bitmaps
can cause
problems when
used in a remote
control session on
Windows Server
2003 (Error 7025)
RDPFRAMEMARK Controls the
ER
redirection of RDP
frame markers. An
enabled redirection
may reduce
flickering and
results in a better
look and feel
yes - Enables RDP
frame markers
no - Disables RDP
frame markers
yes - If
BETATEST =
yes
no - Otherwise
Requires Windows
Server 2008 or
higher
RDPNETWORKC Specifies the type
ONNTYPE
of network
connection used by
the client
0 - unspecified
1 - modem
2 - broadband low
3 - satellite
4 - broadband high
5 - WAN
6 - LAN
0
AUDIOQUALITYO The audio output
UT
quality (playback)
max - Uses the audio auto
format with the
highest bandwidth
high - Enables audio
formats greater than
22050 bytes/s
medium - Enables
audio formats
between 8000 and
22050 bytes/s
low - Enables audio
formats of less than
8001 bytes/s
min - Uses the audio
format with the
lowest bandwidth
auto - Enables all
audio formats
Controls the
redirection of
NineGrid bitmaps.
An enabled
redirection results
in bandwidth
reduction, but
increases client
CPU/GPU
requirements
AUDIODEVIN =
rdpsound /
hobaudio
HOB RD VPN
AUDIOQUALITYIN The audio input
max - Uses the audio auto
quality (recording) format with the
highest bandwidth
high - Enables audio
formats greater than
22050 bytes/s
medium - Enables
audio formats
between 8000 and
22050 bytes/s
low - Enables audio
formats of less than
8001 bytes/s
min - Uses the audio
format with the
lowest bandwidth
auto - Enables all
audio formats
AUDIODEVIN =
rdpsound /
hobaudio
AUDIOQUALITYO Value of the
UTMIN
minimum
bandwidth for
supported audio
formats (playback)
[0 ... MAXINT] - An
the average number
of bytes per second
AUDIODEVIN =
rdpsound /
hobaudio
AUDIOQUALITYO Value of the
UTMAX
maximum
bandwidth for
supported audio
formats (playback)
[0 ... MAXINT] - An
the average number
of bytes per second
AUDIODEVIN =
rdpsound /
hobaudio
AUDIOQUALITYIN Value of the
MIN
minimum
bandwidth for
supported audio
formats (recording)
[0 ... MAXINT] - An
the average number
of bytes per second
AUDIODEVIN =
rdpsound /
hobaudio
AUDIOQUALITYIN Value of the
MAX
maximum
bandwidth for
supported audio
formats (recording)
[0 ... MAXINT] - An
the average number
of bytes per second
AUDIODEVIN =
rdpsound /
hobaudio
447
448
HOB RD VPN
HOB RD VPN
XML Configuration for the
36 XML Configuration for the
HOB WebSecureProxy
HOB WebSecureProxy is the heart of HOB RD VPN. The configuration of the
HOB WSP, and therefore also HOB RD VPN, is done with XML, a markup language
that defines a set of rules for encoding documents in a format that is both human
readable and machine readable. The design goals of XML emphasize simplicity,
generality, and usability.
The HOB WebSecureProxy can be configured by changing the settings in one of
two XML files, wsp.xml and manual.xml. When the HOB WSP starts it reads by
default the configuration from a file called wsp.xml.
HOB RD VPN by default sets a higher priority for manual.xml than wsp.xml, so
once you start using manual.xml for your configuration the wsp.xml will not be
referenced again, and all future changes to the configuration settings must be done
manually.
The file wsp.xml is automatically generated by HOB RD VPN itself, all entries to
this file are made through the HOB WSP GUI. Every time the configuration settings
are saved (through clicking Save on the main menu), the wsp.xml is overwritten
with the current settings. This results in the HOB WSP configuration automatically
being changed in your configuration storage.
The file manual.xml is the configuration file that you manually generate using any
standard XML editor. Using a manual configuration rather than the HOB WSP GUI
allows you more control of each parameter of the configuration. The manual.xml
file must be manually reviewed and maintained for any possible changes to the
configuration.
Please note that the configuration file of the HOB WebSecureProxy
contains sensitive security relevant data such as passwords or shared
secrets.
For a Common Criteria compliant configuration, it is necessary that the manual.xml
file be used.
The current configuration must always be available as the XML configuration file
manual.xml. If changes to the configuration are made through the HOB WSP GUI,
the resulting configuration needs to be exported from the integrated directory
service. The configuration file or the changes must then be transferred to the
manual.xml, which must now be reviewed manually. For a description of the effects
of a change to the HOB WSP configuration, see Section 33.3 Configuration
Changes and their Effectiveness and Impact.
If this configuration is identified as valid and correct in this review, then it can be
used as the new configuration for the HOB WSP. To enable this newly updated
manual.xml, the HOB WSP must be stopped and restarted. This stopping and
restarting process may however lead to the loss of some or all of the current user
connections. For information on how to manually stop and restart the HOB WSP
see Section 33.2 Manually Stopping and Starting the HOB WSP.
449
XML Configuration for the HOB WebSecureProxy
HOB RD VPN
This chapter now describes the syntax, parameters and valid values for the
configuration file for HOB WSP, and how these parameters are used.
36.1 Configuring XML parameters for the HOB WSP
To configure the XML parameters for the HOB WSP, follow these steps:
1.
Open the HOB EA Administration interface.
2.
Select the HOB WebSecureProxy object from the network structure.
3.
Click the Properties button on the bottom left.
Figure 1: HOB EA Administration Interface
You will now see the following dialog:
450
HOB RD VPN
Figure 2: HOB RD VPN Administration - Properties
4.
Click the LDAP details button and you will see the following dialog:
Figure 3: HOB RD VPN Administration – Properties – LDAP Details
5.
Select the attribute you wish to edit, in this case the HOB WSP (here referred
to as hobgwwsp for HOB Gateway WSP).
6.
Click the Edit button at the bottom and you will see the following dialog:
451
HOB RD VPN
Figure 4: HOB RD VPN Administration – Properties – LDAP Attributes
This displays the XML parameters for the selected attribute, the HOB WSP. You
can use the buttons at the bottom of the dialog for editing.


452
Import – click this button to bring up another dialog allowing you to import a selected parameter to this attribute.
Export – click this button to bring up another dialog allowing you to export the
selected parameters to another attribute.

Save – save any changes but do not close the dialog.

Close – close the dialog without saving any changes.

Help – access the help available for this topic.
HOB RD VPN
36.2 Root Element and XML declaration
The HOB WSP configuration file starts with a XML declaration as a prolog with the
following content:
The configuration itself starts with the <sslgate-configuration> Root Element.
This generic tag in the WSP configuration file represents the root of the
configuration tree. This tag appears only once and opens at the beginning and
closes at the end of the configuration. All other parameters are found in between
these tags:
<sslgate-configuration>
… All configuration parameters
</sslgate-configuration>
All of the following base objects: general, connection, authenticationlibrary, server-list, etc. explained here are objects of the root element.
The following is an example HOB RD VPN wsp.xml configuration file. It is included
here to help you create your own XML configuration or configurations, by showing
how such a file should be constructed:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sslgate-configuration>
<general>
<max-poss-work-thread>32</max-poss-work-thread>
<max-active-work-thread>16</max-active-work-thread>
<report-intv>1200</report-intv>
<time-cache-disk-file>5</time-cache-disk-file>
<time-reload-disk-file>5</time-reload-disk-file>
<network-statistic-level>4</network-statistic-level>
<clear-used-memory>NO</clear-used-memory>
<memory-log-size>4194304</memory-log-size>
<suppress-warning-LDAP-template-not-referenced>YES</suppress-warning-LDAPtemplate-not-referenced>
<prot-syslog>YES</prot-syslog>
</general>
<connection>
<name>User Portal</name>
<language>en</language>
<function>SELECT-SOCKS5-HTTP</function>
<conn-type>secondary</conn-type>
453
HOB RD VPN
<permanently-moved-from-port>80</permanently-moved-from-port>
<permanently-moved-to-port>443</permanently-moved-to-port>
<permanently-moved-URL>rdvpn.exsample.local</permanently-moved-URL>
<gate-in-ineta>100.100.100.1</gate-in-ineta>
<SSL-config-file>../sslsettings/corporate/hserver.cfg</SSL-config-file>
<SSL-certdb-file>../sslsettings/corporate/hserver.cdb</SSL-certdb-file>
<SSL-password-file>../sslsettings/corporate/hserver.pwd </SSL-passwordfile>
<max-session>1000</max-session>
<do-not-close-by-load-balancing>YES</do-not-close-by-load-balancing>
<select-server>
<server-list-name>Compliance Check</server-list-name>
<server-list-name>HOBWebServer</server-list-name>
<server-list-name>EA-LDAP</server-list-name>
<server-list-name>KerberosTicketService</server-list-name>
</select-server>
<authentication-library>
<library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</libraryfile-name>
<configuration-section>
<allow-multiple-login>YES</allow-multiple-login>
<close-sessions-at-logout>YES</close-sessions-at-logout>
<check-client-ineta>NO</check-client-ineta>
<domains>
<show-list>YES</show-list>
<domain>
<name>LDAP 1</name>
<type>LDAP</type>
<corresponding-LDAP-service>LDAP 1</corresponding-LDAP-service>
<auto-user-create>NO</auto-user-create>
</domain>
<domain>
<name>rdvpn</name>
<type>LDAP</type>
<corresponding-LDAP-service>rdvpn</corresponding-LDAPservice>
<base>dc=hobsoft</base>
<admin-group>cn=domainAdministrators,dc=hobsoft,
dc=internal,dc=root</admin-group>
454
HOB RD VPN
</domain>
<domain>
<name>OpenLDAP</name>
<type>LDAP</type>
<display-name>test</display-name>
<base>dc=OpenLDAP</base>
<admin-dn>cn=admin,ou=users,dc=internal,dc=root</admin-dn>
<admin-password>password</admin-password>
<auto-user-create>YES</auto-user-create>
</domain>
<domain>
<name>LDAP 1</name>
<type>LDAP</type>
<display-name>LDAP Service</display-name>
<base>dc=LDAP 1</base>
<admin-dn>cn=admin,ou=users,dc=internal,dc=root</admin-dn>
<admin-password>password</admin-password>
<auto-user-create>YES</auto-user-create>
</domain>
<domain>
<name>Kerberos Domain 1</name>
<type>Kerberos</type>
<base>dc=Kerberos Domain 1</base>
</domain>
</domains>
<roles>
<role>
<name>User</name>
<priority>1</priority>
<high-entropy>YES</high-entropy>
<session-time-limits>
<idle-period>1800</idle-period>
455
HOB RD VPN
<maximal-period>28800</maximal-period>
</session-time-limits>
<site-after-auth/>
<compliancecheck>Compliance Check 1</compliancecheck>
<target-filter>Target Filter 1</target-filter>
<portlets>
<portlet>
<name>jterm</name>
<open>YES</open>
</portlet>
<portlet>
<name>wsg</name>
<open>YES</open>
</portlet>
</portlets>
<allow-browser-caching>YES</allow-browser-caching>
<allow-configuration>
<wsg-bookmarks>YES</wsg-bookmarks>
<wfa-bookmarks>YES</wfa-bookmarks>
<desktop-on-demand>NO</desktop-on-demand>
<others>YES</others>
</allow-configuration>
<gui-skin>default</gui-skin>
<members>
<member>
<type>ou</type>
<dn>dc=hobsoft,dc=root</dn>
</member>
</members>
<select-server>
<server-list-name>PPPTunnel</server-list-name> */(crosswiseNAT internal L2TP)
<server-list-name>Socks5</server-list-name>
<server-list-name>Desktop-On-Demand</server-list-name>
<server-list-name>Windows Terminal Servers</server-list-name>
<server-list-name>Windows Terminal Server 2</server-list-name>
</select-server>
</role>
<role>
456
HOB RD VPN
<name>PowerUser</name>
<site-after-auth/>
<compliancecheck/>
<portlets>
<portlet>
<name>jterm</name>
<open>YES</open>
</portlet>
<portlet>
<name>wsg</name>
<open>YES</open>
</portlet>
<portlet>
<name>wfa</name>
<open>YES</open>
</portlet>
<portlet>
<name>settings</name>
<open>YES</open>
</portlet>
</portlets>
<desktop-on-demand>NO</desktop-on-demand>
<members>
<member>
<type>ou</type>
<dn>CN=Users,dc=example,dc=local</dn>
</member>
457
HOB RD VPN
<member>
<type>ou</type>
<dn>OU=external,DC=example,DC=local</dn>
</member>
<member>
<type>ou</type>
</member>
<member>
<type>ou</type>
<dn>dc=root</dn>
</member>
</members>
<select-server>
<server-list-name>PPPTunnel </server-list-name> */(crosswiseNAT internal L2TP)
<server-list-name>Socks5</server-list-name>
</select-server>
</role>
<role>
<name>DomainAdministrator</name>
<site-after-auth/>
<compliancecheck/>
<portlets>
<portlet>
<name>admin</name>
<open>YES</open>
</portlet>
<portlet>
<name>jterm</name>
<open>YES</open>
</portlet>
<portlet>
458
HOB RD VPN
<name>wsg</name>
<open>YES</open>
</portlet>
<portlet>
<name>wfa</name>
<open>YES</open>
</portlet>
<portlet>
<name>settings</name>
<open>YES</open>
</portlet>
</portlets>
<desktop-on-demand>YES</desktop-on-demand>
<members>
<member>
<type>ou</type>
</member>
</members>
<select-server>
</select-server>
</role>
</roles>
</configuration-section>
</authentication-library>
<dynamic-LDAP>YES</dynamic-LDAP>
<dynamic-Kerberos-5-KDC>YES</dynamic-Kerberos-5-KDC>
</connection>
<connection>
<name>Administration Access</name>
<language>en</language>
459
HOB RD VPN
<function>SELECT-SOCKS5-HTTP</function>
<conn-type>admin</conn-type>
<gate-in-ineta>100.100.100.1</gate-in-ineta>
<SSL-config-file>../sslsettings/admin/hserver.cfg</SSL-config-file>
<SSL-certdb-file>../sslsettings/admin/hserver.cdb</SSL-certdb-file>
<SSL-password-file>../sslsettings/admin/hserver.pwd</SSL-passwordfile>
<do-not-close-by-load-balancing>YES</do-not-close-by-load-balancing>
<select-server>
<server-list-name>AdminWebServer</server-list-name>
<server-list-name>EA-LDAP</server-list-name>
</select-server>
<library-file-name>plugins/web_server/xl-sdh-webserver-01.dll </libraryfile-name>
<allow-multiple-login>YES</allow-multiple-login>
<close-sessions-at-logout>YES</close-sessions-at-logout>
<check-client-ineta>NO</check-client-ineta>
<domains>
<show-list>NO</show-list>
<domain>
<type>ldap</type>
<name>rdvpn</name>
<display-name>AdminAccess</display-name>
<corresponding-LDAP-service>rdvpn</corresponding-LDAP-service>
<base>dc=internal</base>
</domain>
</domains>
<roles>
<role>
<name>Global Administrator</name>
<portlets>
<portlet>
<name>globaladmin</name>
460
HOB RD VPN
<open>YES</open>
</portlet>
<portlet>
<name>wsg</name>
<open>YES</open>
</portlet>
</portlets>
<allow-browser-caching>NO</allow-browser-caching>
<desktop-on-demand>YES</desktop-on-demand>
<gui-skin>No-banner</gui-skin>
<members>
<member>
<type>group</type>
<dn>cn=globalAdministrators,ou=groups,dc=internal,dc=root</dn>
</member>
</members>
<select-server>
</select-server>
</role>
</roles>
</authentication-library>
<dynamic-LDAP>YES</dynamic-LDAP>
</connection>
<LDAP-service>
<name>rdvpn</name>
<internal>YES</internal>
<trace-level>0</trace-level>
<LDAP-entry>
461
HOB RD VPN
<name>OpenDS</name>
<comment>OpenDS</comment>
<LDAP-template>OpenDS</LDAP-template>
<serverineta>127.0.0.1</serverineta>
<wait-connect>20</wait-connect>
<timeout-search>20</timeout-search>
<search-result-buffer-size>2048</search-result-buffer-size>
<base-dn>dc=root</base-dn>
<dn>cn=websecureproxy,ou=servers,dc=internal,dc=root</dn>
<password>password</password>
</LDAP-entry>
</LDAP-service>
<LDAP-template>
<editable>NO</editable>
<name>OpenDS</name>
<user-attribute>person</user-attribute>
<group-attribute>groupofuniquenames</group-attribute>
<member-attribute>uniqueMember</member-attribute>
<user-prefix>cn</user-prefix>
<search-default-attribute>cn</search-default-attribute>
</LDAP-template>
<LDAP-template>
<group-attribute>posixGroup</group-attribute>
<member-attribute>memberUid</member-attribute>
<user-prefix>uid</user-prefix>
<search-default-attribute>uid</search-default-attribute>
</LDAP-template>
<LDAP-template>
<name>IBM Directory Server</name>
<group-attribute>groupOfNames</group-attribute>
<member-attribute>member</member-attribute>
462
HOB RD VPN
</LDAP-template>
<LDAP-template>
<name>Microsoft Active Directory</name>
<group-attribute>group</group-attribute>
<membership-attribute>memberOf</membership-attribute>
<search-default-attribute>samAccountName</search-default-attribute>
</LDAP-template>
<LDAP-template>
<name>iPlanet Directory Server</name>
<member-attribute>uniquemember</member-attribute>
</LDAP-template>
<LDAP-template>
<name>Novell Directory Server</name>
<group-attribute>groupOfUniqueNames</group-attribute>
<membership-attribute>groupMembership</membership-attribute>
</LDAP-template>
<LDAP-template>
<name>Siemens DirX LDAP</name>
<member-attribute>uniquemember</member-attribute>
<search-default-attribute>cn</search-default-attribute>
463
HOB RD VPN
</LDAP-template>
<server-list>
<name>HOBWebServer</name>
<server-entry>
<name>Integrated Web Server</name>
<protocol>HTTP</protocol>
<option-connect-other-server>YES</option-connect-other-server>
<server-data-hook>
<library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</
library-file-name>
<root-dir>../www</root-dir>
<http-hostname>rdvpn.exsample.local</http-hostname>
<settings>0</settings>
<flags>0</flags>
<compression>NO</compression>
<site-after-auth>/protected/welcome.hsl</site-after-auth>
<show-site-after-auth-checkbox>NO</show-site-after-auth-checkbox>
<gui-skin>Default</gui-skin>
<virtual-link>
<alias>/WebFileAccess</alias>
<url>/http://100.0.0.1:8080/WebFileAccess</url>
</virtual-link>
<HOB-PPP-Tunnel>
<enabled>YES</enabled>
<server-entry-name>crosswiseNAT PPPTunnel</server-entry-name> */
(internal L2TP)
<address/>
<localhost>100.0.0.2</localhost>
<system-parameters>
<windows>rasdial HOB-L2TP-01 %TEXT:wsp_userid; %TEXT:wsp_password; /
PHONEBOOK:HOB-PPP-T1-01.pbk</windows>
<mac>-detach refuse-chap lock passive : ipcp-accept-local ipcp-acceptremote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru 1410 debug dump
connect-delay 5000 nodefaultroute call hobppptunnel ipparam hob%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid; password
%TEXT:wsp_password;</mac>
<freebsd>-detach refuse-chap lock passive : ipcp-accept-local ipcp-acceptremote crtscts noccp novj idle 1800 mtu 1410 mru 1410 debug nodefaultroute
call hobppptunnel ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user
%TEXT:wsp_userid;</freebsd>
464
HOB RD VPN
<solaris>-detach refuse-chap lock passive : ipcp-accept-local ipcp-acceptremote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru 1410 debug dump
connect-delay 5000 nodefaultroute call hobppptunnel ipparam hob%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid; password
%TEXT:wsp_password;</solaris>
<linux>-detach refuse-chap refuse-eap lock passive : ipcp-accept-local
ipcp-accept-remote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru
1410 debug dump connect-delay 5000 nodefaultroute call hobppptunnel
ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid;
password %TEXT:wsp_password;</linux>
</system-parameters>
</HOB-PPP-Tunnel>
</server-data-hook>
</server-entry>
</server-list>
<server-list>
<name>AdminWebServer</name>
<server-entry>
<name>Integrated Web Server</name>
<protocol>HTTP</protocol>
<server-data-hook>
<library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</
library-file-name>
<root-dir>../www</root-dir>
<http-hostname>rdvpn.exsample.local</http-hostname>
<flags>0</flags>
<compression>NO</compression>
<virtual-link>
<alias>/RDVPNCertificateManager</alias>
<url>/http://100.0.0.1:8080/RDVPNCertificateManager</url>
</virtual-link>
<virtual-link>
<alias>/RDVPNDirectoryServices</alias>
<url>/http://100.0.0.1:8080/RDVPNDirectoryServices</url>
</virtual-link>
<virtual-link>
<alias>/RDVPNPluginManager</alias>
<url>/http://100.0.0.1:8080/RDVPNPluginManager</url>
465
HOB RD VPN
</virtual-link>
<virtual-link>
<alias>/RDVPNUpdater</alias>
<url>/http://100.0.0.1:8080/RDVPNUpdater</url>
</virtual-link>
<site-after-auth>/protected/portlets/globaladmin/status.hsl </
site-after-auth>
<show-site-after-auth-checkbox>NO</show-site-after-auth-checkbox>
<gui-skin>Default</gui-skin>
</server-data-hook>
</server-entry>
</server-list>
<server-list>
<name>Socks5</name>
<server-entry>
<name>SOCKS</name>
<protocol>SOCKS</protocol>
<server-data-hook>
<library-file-name>plugins/socks5/xl-sdh-sock5-01.dll</libraryfile-name>
<flags>0</flags>
</server-data-hook>
</server-entry>
</server-list>
<server-list>
<name>Compliance Check</name>
<server-entry>
<name>Compliance Check</name>
<protocol>COMPL_CHECK</protocol>
<server-data-hook>
<library-file-name>plugins/compliance-check/xl-sdh-compl-check01.dll</library-file-name>
<compliancelist>
466
HOB RD VPN
<compliancecheck>
<name>Compliance Check 1</name>
<integrity-check>
<enable>YES</enable>
<policy>
<name>Policy(1)</name>
<age-def-file>24</age-def-file>
<last-scan>24</last-scan>
<antivirus>
<win>
<vendor>
<product>
<name>Simulacrum Internet Security 2008</name>
<version>12.x</version>
</product>
<product>
</product>
<product>
</product>
<product>
</product>
</vendor>
</win>
<linux>
<vendor>
<name>Panda Software</name>
<product>
<name>Panda Antivirus</name>
</product>
<product>
<name>Simulacrum Security for Linux</name>
467
HOB RD VPN
</product>
</vendor>
</linux>
<mac>
<vendor>
<name>Simulacrum Security</name>
<product>
<name>Simulacrum Antivirus</name>
</product>
</vendor>
</mac>
</antivirus>
</policy>
</integrity-check>
<anti-split-tunnel>
<enable>NO</enable>
<command>
<type/>
<mode/>
<success>YES</success>
<result_string/>
</command>
<parameters>
<wsp/>
<disable-local-networks>NO</disable-local-networks>
<set-local-dns>YES</set-local-dns>
<interval-wsp>60</interval-wsp>
<interval-ast>10</interval-ast>
</parameters>
<allow/>
</anti-split-tunnel>
<rules/>
</compliancecheck>
</compliancelist>
</server-data-hook>
</server-entry>
468
HOB RD VPN
</server-list>
<server-list>
<name>EA-LDAP</name>
<server-entry>
<name>EA-LDAP</name>
<protocol>HOBEA</protocol>
<server-data-hook>
<library-file-name>plugins/ea_ldap/xl-sdh-ea-ldap-01.dll</libraryfile-name>
<reload-path>../management/plugins/wsp_admin_plugin.port </reloadpath>
<domainadministrator-group>
<rdn>cn=domainAdministrators,ou=groups</rdn>
<autocreate>YES</autocreate>
</domainadministrator-group>
</server-data-hook>
</server-entry>
</server-list>
<server-list>
<name>KerberosTicketService</name>
<server-entry>
<name>Kerberos-5-Ticket-Services</name>
<protocol>HOB-KRB5TS1</protocol>
<server-data-hook>
<library-file-name>plugins/krb5ts/xl-sdh-krb5ts1-01.dll </library-filename>
<trace-krb5-api>NO</trace-krb5-api>
<trace-network>NO</trace-network>
</server-data-hook>
</server-entry>
</server-list>
<server-list>
<name>Desktop-On-Demand</name>
<server-entry>
<name>Desktop-On-Demand</name>
469
HOB RD VPN
<function>PASS-THRU-TO-DESKTOP</function>
<protocol>HOB-RDP-EXT1</protocol>
</server-entry>
</server-list>
<client-side-SSL>
<SSL-config-file>../sslsettings/hclient.cfg</SSL-config-file>
<SSL-certdb-file>../sslsettings/hclient.cdb</SSL-certdb-file>
<SSL-password-file>../sslsettings/hclient.pwd</SSL-password-file>
<usage-DN>NOTHING</usage-DN>
</client-side-SSL>
<server-list>
<name>Windows Terminal Servers</name>
<server-entry>
<name>RDP Server 1a</name>
<serverineta>rdp1a.example.local</serverineta>
</server-entry>
<server-entry>
<name>RDP Server 1b</name>
<serverineta>rdp1b.example.local</serverineta>
</server-entry>
</server-list>
<LDAP-service>
<LDAP-entry>
<name>LDAP Server(1)</name>
<LDAP-template>Microsoft Active Directory</LDAP-template>
<base-dn>DC=example,DC=local</base-dn>
<dn>cn=Administrator,cn=Users,DC=example,DC=local</dn>
</LDAP-entry>
470
HOB RD VPN
<name>LDAP 1</name>
<trace-level>3</trace-level>
</LDAP-service>
<LDAP-template>
<name>LDAP Template(1)</name>
<group-attribute>group</group-attribute>
<search-default-attribute>SamAccountName</search-default-attribute>
<membership-attribute>memberOf</membership-attribute>
</LDAP-template>
<raw-packet-interface>
<TUN-adapter-ineta>100.100.200.1</TUN-adapter-ineta>
<TUN-adapter-use-interface-ineta>100.100.100.1</TUN-adapter-use-interfaceineta>
<PPP-server>
<DNS-ineta-IPV4-1>100.100.12.1</DNS-ineta-IPV4-1>
<DNS-ineta-IPV4-2>100.100.12.2</DNS-ineta-IPV4-2>
</PPP-server>
<PPP-ineta-pool>
<ineta-start>100.100.50.100</ineta-start>
<ineta-end>100.100.50.150</ineta-end>
</PPP-ineta-pool>
</raw-packet-interface>
<server-list>
<name>PPPTunnel</name>
*/(crosswiseNAT - internal L2TP)
<server-entry>
<name>crosswiseNAT PPPTunnel (internal L2TP)</name>
<function>HOB-PPP-T1</function>
<PPP-authentication-method>none</PPP-authentication-method>
<server-data-hook>
<library-file-name>plugins/tunnel/xl-sdh-ppp-pf-04.dll</libraryfile-name>
<ALG-SIP>YES</ALG-SIP>
<crosswise-NAT>
<real-network-ineta/>
<translated-network-ineta/>
<prefix/>
471
HOB RD VPN
</crosswise-NAT>
</server-data-hook>
<server-network>100.100.10.0/24</server-network>
</server-entry>
</server-list>
<LDAP-service>
<LDAP-entry>
<name>OpenLDAP Server</name>
<serverineta>openldap.example.locale</serverineta>
<LDAP-template>OpenLDAP</LDAP-template>
<base-dn>dc=openldap,dc=local</base-dn>
<dn>cn=admin,dc=openldap,dc=local</dn>
</LDAP-entry>
</LDAP-service>
<target-filter>
<name>Target Filter 1</name>
<deny>
<DNS-name>private.example.com</DNS-name>
<protocol>TCP</protocol>
<TCP-port>80</TCP-port>
</deny>
<deny>
<DNS-name>secret.example.com</DNS-name>
</deny>
<allow>
</allow>
472
HOB RD VPN
</target-filter>
<target-filter>
<name>Target Filter 2</name>
<allow>
<ineta>100.100.10.1</ineta>
</allow>
<allow>
<ineta>100.100.11.0/24</ineta>
</allow>
</target-filter>
<Kerberos-5-KDC>
<server-entry>
<name>Kerberos Server 1</name>
<timeout>60</timeout>
<retry-after-error>120</retry-after-error>
<max-ticketsize>2048</max-ticketsize>
</server-entry>
<server-entry>
<name>Kerberos Server 2</name>
<timeout>60</timeout>
<retry-after-error>120</retry-after-error>
<max-ticketsize>2048</max-ticketsize>
</server-entry>
<name>Kerberos Domain 1</name>
<comment/>
<default-realm>EXAMPLE.LOC</default-realm>
<clockskew>300</clockskew>
<ticket-lifetime>36000</ticket-lifetime>
<renewable-lifetime>36000</renewable-lifetime>
<allow-initial-ticket>YES</allow-initial-ticket>
</Kerberos-5-KDC>
<server-list>
<server-entry>
473
HOB RD VPN
<name>RDP Server 2</name>
<serverineta>rdp2.example.local</serverineta>
</server-entry>
<name>Windows Terminal Server 2</name>
</server-list>
</sslgate-configuration>
<server-entry>
<name>HOBVOIP1</name>
<protocol>HOB-VOIP-1</protocol>
<server-data-hook>
<library-file-name>plugins/hobphone/xl-sdh-hobphone-01.dll</
library-file-name>
<use-UDP-gw-name>RTP-UDP</use-UDP-gw-name>
<UDP-gate-timeout-ms>3000</UDP-gate-timeout-ms>
<UDP-gate-keepalive-sec>10</UDP-gate-keepalive-sec>
<addressbook>
<name> addressbook1</name>
<type>msexchange</type>
<url>https://hobphoneexample.company.com/ews/exchange.asmx</
url>
<connection-mode>WSG</connection-mode>
<gate-url>https://hobphoneexample.company.com:54321</gate-url>
<domain>local</domain>
</addressbook>
<addressbook>
<name>default</name>
<url>https://addressbookexample.company.com/ews/
exchange.asmx</url>
<gate-url> https://addressbookexample.company.com:54321</gateurl>
</addressbook>
<addressbook>
<name>addressbook2</name>
474
HOB RD VPN
<url>https://addressbookexample2.company.com/ews/
exchange.asmx</url>
<gate-url>https://addressbookexample2.company.com:54321</gateurl>
<domain>hobc02p</domain>
</addressbook>
</server-data-hook>
</server-entry>
475
HOB RD VPN
36.3 The <general> element
The <general> element encloses configuration parameters that are valid for the
basic workflow of the HOB WSP. The <general> tag is optional, but it is mostly
used. The <general> element can appear only once in the configuration file.
The <general> tag holds different elements for Windows and Unix/Linux versions
of the HOB WSP
36.3.1 Common (Windows and Linux/Unix) elements:
Element
Description
Valid Values
alert-subsystemconfiguration
SNMP for future use
allow-wsp-trace
Allows the WSP Tracing
functionality
clear-used-memory
This parameter clears the YES/NO, default is NO
memory before releasing it
to the operating system
disk-file-size-max
Maximum size of one
single file
X KB, X MB, X GB, default
is 0
disk-file-storage
Maximum size of cache
is 0
enable-sign-on-nopassword
User login without
password
YES/NO, default is NO
ignore-PTTD-connecterror-host-unreachable
Ignore host unreachable
message for DOD
max-poss-work-thread
Maximum number of work 4 – 1024
threads
The default is not set
(calculated based on CPU
Cores found)
max-active-work-thread
Maximum number of
active work threads
4 – the value set in maxposs-work-thread
The default is not set
(calculated based on CPU
Cores found)
476
memory-log-size
Memory size for internal
logging
is 0
memory-threshold
SNMP for future use
network-statistic-level
Reports statistics of
0-9
network usage. The higher
the values the more
information will be
reported
prio-work-thread
Optional. Priority of work
threads. Higher values
have higher priority.
1-5, default is 3
HOB RD VPN
prio-process
Optional. Priority of
process. Higher values
have higher priority.
1-5, default is 3
reload-configuration
If enabled then the WSP YES/NO, default is NO
checks the configuration
file for modifications and
reloads the configuration if
needed. For Linux/Unix
this will start another WSP
process.
report-intv
Optional. Interval in
Seconds
seconds to report statistics
for use of threats, memory,
connections, etc.
SIP-local-ineta
Internal IP Address to
communicate with SIP
Gateway
Own IP address
SIP-use-UDP-port-5060
Opens Port 5060 for SIP
communications
suppress-warning-LDAP- Suppress warning if
template-not-referenced available LDAP templates
are not referenced
SNMP-configuration
Has only child elements
for SNMP configuration
trap-send-level
SNMP for future use
trap-target
Contains the following child elements
Child Elements of traptarget
Description
gate-out-ineta
SNMP for future use
target-ineta
SNMP for future use
target-port
SNMP for future use
comment
SNMP for future use
TCP-sndbuf
Optional. Sendbuffer for all X KB, X MB, X GB
sessions, a socket option
for optimization.
TCP-rcvbuf
Optional. Receive buffer
for all sessions, a socket
option for optimization.
X KB, X MB, X GB
time-cache-disk-file
Time in seconds a file
remains in cache
Seconds, default is 900
time-reload-disk-file
Time in seconds to check Seconds, default is 300
for modifications of files in
cache
time-repeat-delay-alert
SNMP for future use
Valid Values
UDP-gate
477
HOB RD VPN
Child Element of UDPgate
Description
Valid Values
gate-ineta
Internal IP Address
IP Address
UDP-port
Port
Port number
UDP-gw-ineta
Child Elements of UDP- Description
gw-ineta
Valid Values
gate-ineta
Internal IP Address for
communication with SIP
Gateway
IP Address
name
Name of this UDP-gwineta
String
VDI-sign-on-time
The amount of time the
Default is 10 seconds
VDI target is locked while
waiting for the login
procedure
wake-on-lan-port
Optional. Port of WOL
Relay Agent, if not in
wake-on-lan-relay-ineta
A Port number. Default is
65535
wake-on-lan-relay-ineta
Optional. May be used
multiple times. Wake-onLAN relay agent
IP Address, FQDN, IP
Address:Port, FQDN:Port
36.3.2 Windows specific elements:
Element
Description
Valid Values
event-server-name
Optional. Server Name of IP or FQDN
the server to send the
event log. If not set, the
local machine is used
event-source-name
Optional. Source Name for
event log events. If not set,
logs are written to the
application event log.
Used names have to be
registered previously in
Windows
prot-event-log
Optional. Commands
WSP to create log to
Windows Event Log
YES/NO
Child Elements of
windows-core-dump
Description
Valid Values
diskdirfd
Disk-directory for core
dumps
Directory
windows-core-dump
478
HOB RD VPN
ineta-mgw
Optional. Mail-gateway, to IP or FQDN
use for sending dumps
email-rcpt
Optional. E-mail recipient E-mail address
for sending core dumps
email-sender
Optional. E-mail sender of E-mail address
the core dump email
password
Optional. Password for
encrypting the core dump
file
36.3.3 Unix/Linux specific elements:
Element
Description
listen-error
Actions performed for a
WAIT, IGNORE, ABEND
listen error. WAIT WSP
tries to open the Port over
and over again. IGNORE
WSP ignores the error and
ABEND stops WSP
pid-file
Name of file to write PID
(process Id) to
prot-syslog
Optional. Sets if WSP is to YES/NO
log to syslog
listen-gateway
Configure child objects or YES/NO, default is NO
enable the listen-gateway
with default values. The
listen gateway is used for
example to open ports if
the WSP is not started
with root rights
Child elements of listen- Description
gateway
domain-socket-name
Name of FIFO for
listen gateway
shared-secret
Shared secret for
listen gateway
Valid Values
Filename
Valid Values
479
HOB RD VPN
36.4 The <connection> element
The <connection> tag is responsible for the configuration of the opened ports that
are listening for connections. Without a <connection> tag the HOB WSP is not
listening for incoming connections.
The HOB WSP handles two half-sessions, one from the client to the HOB WSP and
one from the HOB WSP to the target server. The <connection> tags can be used
to configure both half-sessions, but for the half session from the client
<connection> is required. The half session to the target server is in general
configured within a <server-entry> tag.
36.4.1 Client to WSP half-session:
480
Element
Description
Valid Values
name
Internal Name of the
connection. Mandatory
function
Special keyword to
describe the functional
behavior of the
connection. In general if
you use the <function> tag
in the <connection> tag to
forward to server-lists,
then SELECT-SOCKS5HTTP is always used in
connection tag.
DIRECT, RDP, ICA,
WTSGATE, VDI-WSPGATE, PASS-THRU-TODESKTOP, SELECTSOCKS5-HTTP, HOBPPP-T1, SSTP, L2TP.
language
Language used in
authentication dialogue
English, German only.
Spanish, French, Italian
and Dutch to be
supported.
gateport
Mandatory. Listen port for The default configuration:
incoming connections
is 443
gate-in-ineta
IP address for the listen
IP Address
port to open. Used on
multi-homed systems and
also cluster configurations.
serverineta
IP Address of the server to
which the connection is
made, may only be used
when the function
DIRECT/function is used
serverport
Port of the server to which
the connection is made,
may only used when
function DIRECT/function
is used
RDP and ICA are not valid
in a Unix environment
Default is DIRECT
HOB RD VPN
backlog
Number of connections
requests that are queued
by OS/TCP-Stack, when
they cannot be accepted
immediately.
timeout
May be specified in
connection and/or serverlist for both half-sessions.
Specifies the timeout in
seconds of inactivity, after
which the connection is
ended. If defined also in
server-list the lower value
is chosen
conn-type
Used to identify the
connection
Number of connections,
default is 10
Primary, secondary, admin
permanently-moved-from- Configuration of the HTTP
port
Redirector, listens on
incoming connections and
redirects to: permanentlymoved-to-port
permanently-moved-toport
Specifies the Port to
redirect to
permanently-moved-URL Specifies the URL to
redirect to
SSL-config-file
Mandatory. Specifies the
configuration file of the
HOB Security Units
Path and filename
SSL-certdb-file
database file of the HOB
Security Units
Path and filename
SSL-password-file
password file of the HOB
Security Units
Path and filename
max-session
Maximum number of
concurrently open
connections
Any number, by default
there is No limit
do-not-close-by-loadbalancing
Used in cluster
configuration, this session
should stay open
select-server
Holds the child entries for
valid server-lists
server-list-name (see
section server-list)
Name of server-list
481
HOB RD VPN
authentication-library
Holds the child elements
for the authentication
library, see section the
element. It is possible to
use authentication-library
or authentication-libraryobject as child object of a
connection, see
authentication-libraryobject
authentication-libraryobject
References a valid
The name of a valid
authentication library, see authentication-librarysection The
object
authentication-libraryobject element. It is
possible to use
authentication-library or
authentication-libraryobject as child object of a
connection, see
dynamic-radius
All radius domains are
valid
YES/NO
dynamic-Kerberos-5-KDC All Kerberos domains are YES/NO
valid
482
dynamic-LDAP
All LDAP domains are
valid
YES/NO
DNS-lookup-beforeconnect
DNS lookup before each
connect
library-file-name
Filename for the
authentication library
xl-sdh-webserver-01.dll
disable-naegle-send-client Disable the naegle
algorithms for any
connection to the client
Automatic, YES, NO
disable-naegle-sendserver
Disable the naegle
algorithms for any
connection to the server
Automatic, YES, NO
Default is Automatic
authentication-radius
Holds child objects for valid radius servers
Child Element of
authentication-radius
Description
Valid Values
radius-name
Name of Radius server
entry
configured name of a valid
radius server entry
user-list
Holds child elements for valid user groups for
authentication
Default is Automatic
HOB RD VPN
Child Element of userlist
Description
user-group-name
Name of valid user group
Valid Values
36.4.2 WSP to Target Server half-session:
Element
Description
Valid Values
function
Special keyword to
describe the functional
behavior of the
connection.
DIRECT, RDP, ICA,
WTSGATE, VDI-WSPGATE, PASS-THRU-TODESKTOP, SELECTSOCKS5-HTTP, HOBPPP-T1, SSTP, L2TP.
RDP and ICA are not valid
in a Unix environment
Default is DIRECT
use-ineta-appl
Use SSL Identifier
connect-round-robin
If there are multiple targets YES/NO. The default is
for DNS-lookup, do the
Sequential, starting from
connect in random order first
protocol
Protocol of this server,
optional or mandatory
serverineta
IP or FQDN of Target
serverport
Port of Target
gate-out-ineta
Used for multihomed
configurations
server-data-hook
Used server data hook, if
any. See server data hook
section for more details
library-file-name
Filename of server data
hook
option-connect-otherserver
Allows target servers other YES/NO, default is NO
than those configured on
server ineta to be used
YES/NO
483
HOB RD VPN
36.5 The <authentication-library-object> element
The <authentication-library-object> tag is used to configure an
<authentication-library> section. This <authentication-library>
configuration could then be used in more than one <connection> tag.
This tag is used with the following elements:
Element
Description
name
The name of the
<authentication-libraryobject. This name could be
referenced in the
<authentication-libraryobject> tag of a
connection. This means
one could configure
settings in a
<authentication-libraryobject> and use the
<name tag to reference it
in any <connection> tag
The <authenticationlibrary> element is a child
element of the
<connection> tag. To use
the same <authenticationlibrary> settings in more
than one connection, the
<authentication-libraryobject> tag can be used
library-file-name
Path and name to the
used WSP-AT3 Library.
Valid Values
Path and Filename
For all valid configuration parameters, see the <authentication-library>
element description in the list above.
484
HOB RD VPN
36.6 The <server-list> element
This element is used to hold the details of the servers to be made available to the
current connection.
Element
Description
name
Internal name of the server
list. Mandatory.
server-entry
Holds the child elements of one server entry.
Child Elements of
server-entry
Description
name
Name of the server entry.
Mandatory.
function
Function of this server
entry
protocol
Protocol of this server
entry
serverineta
IP address or DNS name
of the target system
serverport
Port of the target system
option-connect-otherserver
Determines whether this
server entry is allowed to
dynamically change the
target
use-ineta-appl
Use the SSL Identifier for
this server entry
L2TP-gateway
Name of the L2TP Server
entry
server-data-hook
SDH library filename, holds only the following child
elements
Child Elements of
server-data-hook
Description
library-file-name
Filename of the server
data hook
configuration-section
Configuration section for
this server data hook, see
Chapter 37 Server Data
Hook Configurations for
the valid configuration
section of the chosen
server data hook
Valid Values
Valid Values
Valid Values
485
HOB RD VPN
36.7 The <L2TP-gateway> element
This element is used to hold the configuration of the gateway for the L2TP server
that controls the connection.
486
Element
Description
Valid Values
name
Internal name for this
L2TP Gateway. Mandatory
serverineta
IP address or DNS name
of the L2TP gateway
serverport
Port of the L2TP Gateway
gate-ineta
IP address of the outgoing
interface
authenticate-use-userid
User ID if authentication is
required
authenticate-usepassword-plain
Password if authentication
is required
authenticate-usepassword-encrypted
Password in base64 if
authentication is required
PPP-charset
Character set used for
ASCII-850, ANSI-819,
communication with L2TP UTF-8
Gateway
HOB RD VPN
36.8 The <raw-packet-interface> element
The <raw-packet-interface> is required for the communication with the TUN
Adapter and is needed for SSL Identifier and PPP Tunnels with an internal Tunnel
Endpoint.
Element
Description
Valid Values
TUN-adapter-ineta
INETA for TUN Adapter.
Required also for SSL
Identifier configuration
Any unused IP Address for
use for the TUN Adapter
TUN-adapter-useinterface-ineta
Use real interface with the IP Address of the network
TUN Adapter. Required
interface card
also for SSL Identifier
configuration
Appl-use-random-tcpsource-port
Required for SSL Identifier YES/NO
configuration only
PPP-server
Has only child elements for PPP Tunnel configuration
Child Elements of PPPServer
Description
DNS-ineta-IPV4-1
IP Address of first DNS
server
DNS-ineta-IPV4-2
IP Address of second DNS
server
PPP-ineta-pool
Has only child elements for PPP-ineta-pool
Child Elements of PPPineta-pool
Description
Valid Values
ineta-start
Start IP address of IP
address pool for PPP
Tunnel clients
Values must be from the
same network containing
the IP Address of the
network interface card
ineta-end
End IP address of IP
address pool for PPP
Tunnel clients
Values must be from the
same network containing
the IP Address of the
network interface card
Valid Values
487
HOB RD VPN
36.9 The <service> element
This element is used to hold the details of the services used in creating the
connection.
488
Element
Description
Valid Values
name
Name of the service entry
type
Supported Service Type
name
server-group
Holds only sub elements
Child Elements of
server-group
Description
name
Name of the server-group
element
server-entry
Holds only the following child elements
Child Elements of
server-entry
Description
name
Internal server name
vendor
Virus Checking vendor
serverineta
IP address of this ICAP
server
serverport
Port of the ICAP service
Virus-Checking-ICAPHTTP
Valid Values
Valid Values
c-icap
HOB RD VPN
36.10 The <Kerberos-5-KDC> element
This element is used to hold the configuration details for the Kerberos server for this
connection.
Element
Description
name
Internal name, mandatory
comment
Comment if any is needed
default-realm
Name of the REALM
clockskew
Allowed clock differences
ticket-lifetime
Kerberos settings
renewable-lifetime
Kerberos settings
allow-initial-ticket
Kerberos settings
server-entry
Holds only the following child elements
Child Elements of
Server-entry
Description
name
Internal name
serverineta
IP or DNS of KDC
serverport
Port for KDC
timeout
Connection timeout
retry-after-error
Specifies when to connect
again after an error
max-ticketsize
Maximum size of tickets
that can be sent
max-session
Maximum number of
simultaneous connections
to Server
Valid Values
Valid Values
489
HOB RD VPN
36.11 The <radius-group> element
The <radius-group> element holds the necessary data for a specific RADIUS
domain for authentication. The <radius-group> element is optional and can be
configured multiple times if you have more than one radius domain for
authentication.
490
Element
Description
Valid Values
name
Name of the radius
domain, used as reference
option
Enable additional radius
options, at the moment
only MS-CHAP-V2 is
supported.
charset
Describes the charset
UTF-8
used to communicate with
the radius server
timeout
Specifies how long the
HOB WSP waits for an
answer from the radius
server
retry-after-error
Specifies when HOB WSP seconds
is to communicate with this
radius domain again
comment
Any comment the
administrator wants to add
radius-server
Holds only child elements for the configuration of a
radius server. Can be configured multiple times
Child Elements of
radius-server
Description
Valid Values
name
Unique name of the
Radius server
Text
radius-ineta
IP Address or FQHN of the IP Address or FQHN
Radius Server
UDP-port
Port for communication
with the Radius server
shared-secret-plain
Shared secret of the
Radius server
shared-secret-encrypted
Shared secret of the
Radius server encrypted in
base64
comment
Comment for this Radius
server
gate-ineta
Interface for
radius server. Optional
MS-CHAP-V2
seconds
HOB RD VPN
36.12 The <LDAP-service> element
The <LDAP-service> element holds the necessary data for a specific LDAP
domain for authentication. The <LDAP-service> element is optional and can be
configured multiple times if you have more than one LDAP domain for
authentication.
Element
Description
name
Unique Name of LDAP
domain
LDAP-entry
Holds only Child entries for the configuration of an
LDAP Server
Child Elements of LDAP- Description
entry
Valid Values
Valid Values
name
unique Name of LDAP
Server
serverineta
IP Address or FQHN of
LDAP server
IP Address or FQHN
serverport
Port for Access to LDAP
Server
Portnumber
LDAP-template
Reference to LDAP
Template. To get the
required LDAP settings.
base-dn
Base Distinguished Name
(DN) of LDAP Server
dn
Distinguished Name (DN)
of LDAP User for search
requests
password
Password of LDAP User
for search requests
timeout-search
Timeout for access to
LDAP Server
wait-connect
Specifies how long to wait seconds
for a successful connect
retry-after-error
Specifies when to connect
again after an error
max-session
Max number of
simultaneous connections
to server
comment
Any comment if required
gate-out-ineta
WSP Network Interface for
communication with LDAP
Server
global-directory
Check to see if the LDAP
Server a Microsoft Global
directory
seconds
491
492
search-nested-groupslevel
For future use
search-default-attribute
Attribute name, used for
LDAP search
SSL-config-file
Configuration file of HOB
Security units for LDAPS
SSL-certdb-file
Database file of HOB
SSL-password-file
Password file of HOB
HOB RD VPN
HOB RD VPN
36.13 The <LDAP-template> element
This element is used to hold the configuration for the LDAP Template. This is
optional and can be added multiple times.
Element
Description
editable
Specifies if this template is YES/NO
editable within the GUI
name
Name of template for
reference
user-attribute
Name of user attribute
group-attribute
Name of group attribute
member-attribute
Name of member attribute
membership-attribute
Name of membership
attribute
user-prefix
User-prefix used in LDAP,
for example cn
search-default-attribute
Attribute to search for, for
example uid
Valid Values
493
HOB RD VPN
36.14 The <target-filter> element
This element is used to hold the necessary data for the HOB Target Filter. This is
optional, and multiple target filters may be configured.
494
Element
Description
name
Name of target filter, for
reference
allow
Holds child elements that
allow connections
deny
Holds child elements that
deny connections
Valid Values
Child Elements of Allow Description
Valid Values
DNS-name
Specifies the connection
target DNS Name
DNS Name
ineta
Specifies the IP Address
or IP Network of the
connection target
IP Address Network in
CIDR notation (e.g.
10.1.1.0/24)
protocol
Specifies the IP Protocol
used for the connection
TCP, UDP, ICMP or valid
protocol numbers in
hexadecimal notation (e.g.
0x3a for IPv6 ICMP)
TCP-port
Specifies the TCP Port
UDP-port
Specifies the UDP Port
Child Elements of Deny Description
Valid Values
DNS-name
Specifies the connection
target DNS Name
DNS Name
ineta
Specifies the IP Address
or IP Network of the
connection target
IP Address Network in
CIDR notation (e.g.
10.1.1.0/24)
protocol
Specifies the IP Protocol
TCP, UDP, ICMP or valid
protocol numbers in
hexadecimal notation
((e.g. 0x3a for IPv6 ICMP)
TCP-port
Specifies the TCP Port
UDP-port
Specifies the UDP Port
HOB RD VPN
36.15 The <cluster> element
This element is used to hold the required data for you to configure a cluster in your
network.
Element
Description
Valid Values
load-balancing-diff
Difference of the
calculated load for load
balancing
1-10000
load-balancing-formula
Formula to calculate the
current load of a cluster
node
interval-load-balancingprobe
Interval how often the
current load is measured
seconds
time-retry-connect
Retry connect if
connection is not
established
seconds
cluster-entry
Contains child objects,
which represents the
cluster members
name
Name used in messages
type
Describes the position of
the <cluster-entry>
TCP-port
Type=LOCAL: used for
listen
LOCAL or REMOTE
Type=REMOTE: used for
connect
gate-ineta
Type=LOCAL: used IP
Address
remote-ineta
Type=REMOTE: used for
connection to cluster node
timeout-millisec
Type=REMOTE: timeout if milliseconds
cluster node is not
available
495
HOB RD VPN
36.16 The <client-side-ssl> element
This element configures HOBLink Security Units for use by client side SSL if the
HOB WSP acts as the client for an SSL-enabled connection.
496
Element
Description
Valid Values
SSL-config-file
Full Path to HOBLink
Security Unit configuration
file for client side SSL
SSL-certdb-file
Security Unit database file
for client side SSL
SSL-password-file
Security Unit password file
for client side SSL
usage-DN
optional, parameter to
NOTHING/CHECK-URL
check distinguished name
from certificate
HOB RD VPN
36.17 The <OCSP-section> element
This section is used for setting the configuration of the Online Certificate Status
Protocol (OCSP). Use of the OCSP is optional.
Element
Description
Valid Values
OCSP-responder
This element has only child elements for the
configuration of an OCSP responder. An OCSPresponder can be configured multiple times.
Child Elements of OCSP- Description
responder
Valid Values
gate-ineta
Optional, used to assign
the outgoing network
adapter
IP Address
OCSP-URL
URL of the OCSPresponder
URL
OCSP-ineta
Used to overwrite the IP
Address or FQHN of
OCSP-responder
IP Address or FQHN
OCSP-port
Overwrite the OCSPresponder Port
Port Number
timeout
Timeout for the connection seconds
to the OCSP responder
wait-retry
Timeout in seconds to
retry a male OCSresponder
seconds
36.18 The <configuration-parameters> element
This section is used only to hold parameters for the WSP Configuration GUI. It is
ignored by the HOB WebSecureProxy.
497
498
HOB RD VPN
HOB RD VPN
Server Data Hook Configurations
37 Server Data Hook Configurations
The HOB WebSecureProxy functionality is easily extended by using Server Data
Hooks (SDH), configured through the use of the <server-data-hook> (SDH)
element. A SDH can be referenced in the HOB WebSecureProxy configuration. If a
SDH is referenced in the HOB WebSecureProxy configuration file, the
HOB WebSecureProxy can call the libraries and use their additional functionality.
HOB RD VPN includes many such SDHs for different functionalities. Any of these
SDHs can use their own settings, which are configured in their own
<configuration-section> within the WebSecureProxy configuration file. This
section gives a short overview of the included SDHs, their functionality and their
configuration settings in their <configuration-section>.
37.1 The Authentication Library (xl-sdh-webserver-01.dll)
The Authentication Library SDH is a basic SDH, and is needed in almost any
configuration. It is responsible for authenticating the users, checking their
requirements and privileges and assigning the users to each specific role.
The Authentication Library is a special SDH and is therefore not referenced
inside a <server-data-hook> element, but is referenced inside a
<authentication-library-object> or the <authenticationlibrary>.
The following configuration settings are possible.
Element
Description
Valid Values
allow-multiple-login
Indicates if a user could
logon multiple times
YES/NO
close-sessions-at-logout
Indicates if all sessions
YES/NO
should be terminated, if a
user logs out
domains
Configuration of domain mappings. Has only child
elements
Child Elements of
domains
Description
show-list
Determines if a dropdown YES/NO
list of the configured
domains is to be shown; if
not shown then the user
has to insert the domain.
domain
Inside the <domain> tag a valid domain is described.
Domain could occur multiple times inside the
<domains> tag.
Child Elements of
domain
Description
Valid Values
Valid Values
499
500
HOB RD VPN
type
Describes the
Type for this domain
Kerberos, Radius or LDAP
name
The reference name for
the configured domain in
<Kerberos-5-KDC>,
<radius-group> or <LDAPservice>, depending on
the <type> tag.
corresponding-LDAPservice
The reference name of the
used configuration storage
in <LDAP-service>
base
Not mandatory. Relative
Distinguished Name
(RDN) to the base DN of
the <LDAP-service>
Definition.
auto-user-create
Determines whether a
YES/NO
successfully authenticated
user should be
automatically created in
the configuration storage
or not. Not available for all
domain configurations.
admin-dn
Administrative Account for
access to LDAP, if a
different Authentication
Service is used for write
access to LDAP, for
example own user settings
(if allowed) or domain
administrator access.
admin-password
Password of the <admindn> account
admin-group
Group of domain
administrators. All
members of this group are
valid domain
administrators.
roles
The configuration of the roles take place inside the
<roles> tag
Child Element of roles
Description
role
The <role> tag configures a role. The <role> tag can
occur multiple times inside the <roles> tag
Child Elements of role
Description
name
Name of the role
Valid Values
Valid Values
HOB RD VPN
priority
Sets the roles priority. The 1-100
role with the highest
priority is chosen for a
user if the requirements for
more than one role are
fulfilled.
session-time-limits
Sets the time limitations
that a session is valid
idle-period
After this time an idle
session is invalid
Seconds
maximal-period
After this time a valid
session has to use new
security settings
Seconds
site-after-auth
Overwrite the default login
page from the webserver
configuration
compliancecheck
Referenced name of a
compliance check, if any is
used
allow-browser-caching
Sets if browser caching is YES/NO
allowed or not
target-filter
Referenced name of a
target-filter, if any is used
high-entropy
YES/NO, default is YES
The entry ”Yes“ means
that before the encrypted
connections of the JWT
stand-alone can be made,
an additional dialog is
shown that processes the
user input in order to
strengthen the entropy of
the random generator. The
random generator is used
by all cryptographic
functions.
For a configuration
compliant with the CC, this
value may not be set to
“NO”.
portlets
Configuration of the valid portlets for this role
Child Elements of
portlets
Description
portlet
Configuration of the available portlet, can occur
multiple times
Child Elements of portlet Description
Valid Values
Valid Values
501
HOB RD VPN
name
Name of the portlet
open
Indicates if this portlet
YES/NO
should be open or closed
as default
allow-configuration
Holds child notes for user
controlled configuration
settings
Child Elements of allow- Description
configuration
502
Admin, jterm, wsg, wfa,
settings, hobphone,
ppptunnel, wspuc
Valid Values
wsg-bookmarks
Sets if the user is allowed YES/NO
to save Web Server Gate
Bookmarks or not
wfa-bookmarks
to save Web File Access
Bookmarks or not
desktop-on-demand
to save Desktop on
Demand Bookmarks or not
others
Sets if the user allowed to YES/NO
change other settings (for
example language
settings) or not
gui-skin
Sets the GUI skin to be
used
Members
Holds child elements for the configuration of the valid
users this role could be assigned to
Child Elements of
members
Description
member
The <member> tag configures a valid member for this
role. Can occur multiple times inside the <members>
tag
Child Elements of
member
Description
Valid Values
type
Type of the LDAP object
Group, User, OU
dn
DN for these valid
members
select-server
Displays the valid server
lists
server-list-name
Name of a valid server list
that should be accessible
to this role
Default, dark-blue, green,
maroon, no-banner
Valid Values
HOB RD VPN
37.2 The Web Server Gate SDH (xl-sdh-webserver-01)
The parameters for the Web server and Web Server Gate SDH are set inside the
<configuration-section> of a <server-data-hook> entry with the xl-sdhwebserver-01 <library-file-name>.
Element
Description
root-dir
Sets the root directory of
the integrated webserver.
This should point to: ../
www.
http-hostname
The http host header
name for which this
webserver is responsible
settings
Must be set to: 0
0
flags
Must be set to: 0
0
compression
This sets if compression is YES/NO
On or Off
virtual-link
Use the virtual link entry to
create virtual links inside
the webserver
alias
The webserver listens for
this name and forwards
the request to the URL tag
url
The URL belonging to the
virtual link
site-after-auth
The website that is
displayed after a
successful authentication
gui-skin
The default GUI skin of the
webserver
show-site-after-authcheckbox
Checkbox to force the
redirect to the <site-afterauth>
Valid Values
503
HOB RD VPN
37.3 The Kerberos Ticket Service SDH (xl-sdh-krb5ts1-01)
The parameters for the Kerberos Ticket Service are set inside the
<configuration-section> of a <server-data-hook> entry that has the xl-sdhkrb5ts1-01 <library-file-name>.
Element
Description
Valid Values
trace-krb5-api
Used only for debugging, YES/NO, default is NO
should be always set to no
trace-network
Used only for debugging, YES/NO, default is NO
should be always set to no
37.4 The EA to LDAP SDH (xl-sdh-ea-ldap-01)
The parameters for the EA to LDAP SDH are set inside the <configurationsection> of a <server-data-hook> entry with the xl-sdh-ea-ldap-01
<library-file-name>.
504
Element
Description
reload-path
Gives the path to a file with
the random port for the
administration interface
Valid Values
HOB RD VPN
37.5 The Compliance Check SDH (xl-sdh-compl-check-01)
The parameters for the Compliance Check SDH are set inside the
<configuration-section> of a <server-data-hook> entry with the xl-sdhcompl-check-01 <library-file-name>.
Element
Description
compliancelist
Holds all compliance
check sub entries
compliancecheck
Holds values of a
dedicated compliance
check.
name
Name of the compliance
check, for reference
integrity-check
Only compliance check
sub-nodes are held here
version
Compliance check
version, currently version
3
enable
Sets if the compliance
check is enabled or not
policy
Sub-nodes with settings
for the compliance check
Valid Values
Yes/No
The following is an example of a possible configuration of the Compliance Check
SDH, also known as xl-sdh-compl-check-01, using the parameters shown above.
<compliancelist>
<compliancecheck>
<name>ExampleComplianceCheck</name>
<integrity-check>
<enable>YES</enable>
<policy>
<name>ExamplePolicy</name>
<age-def-file>24</age-def-file>
<last-scan>24</last-scan>
<antivirus>
<win>
<vendor>
<name>24-7Safe.com</name>
<product>
505
HOB RD VPN
<name>24-7Antivirus</name>
</product>
</vendor>
</win>
</antivirus>
</policy>
</integrity-check>
<anti-split-tunnel>
<enable>NO</enable>
<command>
<type/>
<mode/>
<success>YES</success>
<result_string/>
</command>
<parameters>
<wsp/>
<disable-local-networks>NO</disable-localnetworks>
<set-local-dns>YES</set-local-dns>
<interval-wsp>60</interval-wsp>
<interval-ast>10</interval-ast>
</parameters>
</anti-split-tunnel>
</compliancecheck>
</compliancelist>
506
HOB RD VPN
37.6 The Dynamic NAT PPP Tunnel SDH (xl-sdh-ppp-pf05)
The parameters for the Dynamic NAT PPP Tunnel SDH are set inside the
<configuration-section> of a <server-data-hook> entry with the xl-sdhppp-pf-01 <library-file-name>.
Element
Description
Valid Values
ALG-SIP
This determines whether
the SIP Application Level
Gateway should be
enabled or not
YES/NO
NAT-control
Contains only sub-nodes
ineta-use-1
First private IP address
range for dynamic NAT
ineta-use-2
Second private IP address
range for dynamic NAT, if
a collision is detected for
the first range
DNS-name
Holds sub-nodes for the
DNS Servers
ineta
IP Address of the DNS
Servers
37.7 The HOBPhone SDH (xl-sdh-hobphone-01)
This is an example of a possible configuration of the HOBPhone SDH, also known
as xl-sdh-hobphone-01.
The parameters for HOBPhone are set inside the configuration section of a
<server-data-hook> entry with the xl-sdh-hobphone <library-file-name>.
Element
Description
use-UDP-gw-name
Name of the configured
UDP Gateway, if any
UDP-gate-timeout-ms
Timeout for the configured Enter a value in
UDP Gateway, if any
milliseconds
UDP-gate-keepalive-sec
Keepalive duration of the Enter a value in seconds
configured UDP Gateway,
if any
Valid Values
507
HOB RD VPN
37.8 The VNC Bridge SDH (xl-rdps-rfbc-1)
This is an example of a possible configuration of the VNC Bridge SDH, also known
as xl-sdh-rfbc-1.
The parameters for the VNC Bridge are set inside the configuration section of a
<server-data-hook> entry with the xl-rdps-rfbc-1 <library-file-name>.
Element
Description
Valid Values
vnc-shared-flag
Sets the VNC-shared-flag. If YES/NO, default is NO
the VNC-shared flag is set,
more VNC-clients can
connect to the same
session.
Note: Sharing a session
might not work, because it is
forbidden in the settings of
the VNC-server.
vnc-password-plain
Sets the VNC-password.
Not required if
authentication works without
password. Dynamic VNC
sessions set the password
in JWT.
vnc-password-encrypted
Same as <vnc-passwordplain> but password is
coded in base64.
vnc-version
Sets the maximum used
VNC-version. Protocol
Version e.g. 3.3.
host-user
Sets the VNC user if
authentication works with
user/password.
host-password-plain
Sets the password if
authentication works with
user/password.
host-password-encrypted Sets the password coded in
base64 if authentication
works with user/password.
encryption
508
This sets the encryptionlevel, similar to real-vnc.
prefer-off, prefer-on,
always-on, alwaysmaximum, let-vncserver-choose.
HOB RD VPN
use-local-cursor
YES: The server sends the YES/NO, default is YES
cursor only once in the
Cursor pseudo-encoding if
able to do so, thus the
screen is not updated each
the time the cursor is
moved. The user cannot see
where the cursor is if
another user moves it.
NO: The cursor is painted by
the server all the time and
sent as part of the screen. If
more users are connected to
the session, all can see the
actual position of the cursor,
but the server cannot send
the position of the cursor if
another user moves it, as in
RDP.
server-maps-keys
NO: The VNC Bridge maps YES/NO, default is NO
the keys to the keyboard set
on the client side (can also
be set to system standard).
Note: For best results, set
the server keyboard to that
set on the client, as it can be
that some characters are not
displayable if there is a
different keyboard set. For
example: if there is a
German keyboard on the
client side, and an English
keyboard on server side: é
may not be displayable,
depending on the system)
YES: Is only needed for
some VNC servers that map
the keys on their own. Now
the client keyboard setting is
ignored as the keys are
mapped to the keyboard set
on the server. A need for
this is only found out by trial
and error, unless there is an
option on the VNC server.
Try this option if characters
specific to your local
keyboard, such as öäüéß on
a German keyboard, cannot
be displayed.
509
server-maps-capslock
HOB RD VPN
NO: As specified in the
RFB-Protocol, the server
ignores the pressing of the
Capslock key. Instead the
VNC-Bridge sends
capitalized characters if
capslock is pressed.
YES: This setting is only
needed for servers that do
not ignore capslock. The
capslock on the client side is
ignored in this case. You
can determine if this setting
is needed if the wrong
behavior is seen when
capslock is pressed. The
need of this setting can only
be found out by trial and
error, except when there is
an option on the VNCserver. If there is an option
on the server, the best
results are when the server
ignores capslock and
<server-maps-capslock> is
set to NO.
use-clipboard
YES: The clipboard is used. YES/NO, default is YES
Note: VNC only allows text
to be copied.
NO: The clipboard is turned
off
max-cut-text
510
The maximum size (in kb) of 0-256, default is 256
the text that can be copied.
Note: VNC works differently
to RDP. In VNC every text
that is copied on the server
is sent to the VNC-client,
regardless of if it is used on
the VNC-client, or the copyand-paste-operation is just
happening on the serverside. The text is than stored
in the VNC-bridge, until the
RDP-client requests it.
HOB RD VPN
authentication
show-splash-screen
This decides where the
authentication credentials
are taken from. If RD-VPNcredentials is set, the
settings <vnc-password>,
<hostpassword> and <hostuser> are ignored. In case
the server requires a VNCPassword and RD-VPNcredentials is set, the userpassword is taken as the
VNC-Password.
WSP-configuration, RDVPN-credentials
Default is WSPconfiguration
Used only for debugON/OFF, default is OFF
reasons. Waits the given
amount of seconds after the
initialization-phase, so that
the user can read the
messages on the splashscreen.
37.9 The SOCKS SDH (xl-sdh-sock5-01)
This is an example of a possible configuration of the SOCKS SDH, also known as
xl-sdh-socks-01. The parameters for the SOCKS SDH are set inside the
<configuration-section> of a <server-data-hook> entry with the xl-sdhsock5-01 <library-file-name>.
Element
Description
Valid Values
settings
Must be set to: 0
0
flags
Must be set to: 0
0
511
512
HOB RD VPN
HOB RD VPN
HOB LDAP Scheme Extensions
38 HOB LDAP Scheme Extensions
The HOB LDAP Scheme Extension allows you to define and expand on the
attributes and classes used in your directory services. The base scheme that is
included the system contains a set of class definitions such as user, computer, and
organizationalUnit, and attribute definitions such as userName,
telephoneNumber, and objectSid. The existing set of classes and attributes
provided by HOB is sufficient for most applications. However, the scheme is
extensible, which means that you can define new classes and attributes.
If the existing classes and attributes do not fit with the type of data you want to store,
you need to extend the scheme, using the HOB LDAP Scheme Extension to add
attributes and object classes to the scheme of your existing LDAP system. By
means of the object classes, data can be linked to a user object. The attributes
represent references to the respective data set, which are linked to a user object
within the object class.
If an external directory service is used the scheme extension has to be applied. The
HOB scheme extensions are located in: \INSTALLDIR\LDAP-schemaextensions.
As an LDAP Scheme Extension is a security critical operation, it usually
requires certain administrator rights on the server systems.
This chapter contains the necessary information for making a scheme extension.
Scheme additions are permanent; you can disable classes and attributes,
but you can never remove them from the scheme.
In the course of the LDAP Scheme Extension attributes and object classes are
added to the scheme of an existing LDAP system. By means of the object classes,
data can be linked to a user object. The attributes represent references to the
respective data set, which are linked to a user object within the object class.
Scheme extensions are available for the following directory services:

Microsoft Active Directory

OpenDJ

OpenLDAP

IBM SecureWay Directory Server
38.1 Scheme Extension for Microsoft Active Directory
To run the LDAP schema extension for Microsoft Active Directory, Windows 2008
Server or Windows Server 2003 must be completely installed, including all
extensions for the Active Directory Services.
To use all software tools required to operate Active Directory Services, you may be
required to additionally install the relevant Windows Administration Tools from
the Windows 2008 Server or Windows Server 2003 installation (from the delivered
513
HOB RD VPN
file ADMINPAK.MSI). Windows 2008 R2 Server and Windows 2012 Server usually
do not require any additional subsequent installations.
The schema extension must always be run on the server where Microsoft Active
Directory is installed. The schema extension cannot be run using a "remote"
connection. You must be logged on as an administrator to the relevant Microsoft
Windows Server with full rights for data access and for Microsoft Active Directory.
This administrator, whose account you have used for your current logon, must be a
group member of the Schema administrators. If this requires a modification of the
user account, you must log on again or reboot the system.
Microsoft themselves say the following concerning these operations:
“To modify the schema, you must use an account that is a member of the
Schema Admins group and has the necessary rights. By default, the only
member in that security group is the Administrator account in the root
domain of the enterprise. If you want to add other accounts, you have to
add them explicitly. Membership in the Schema Admins group must be
highly restricted to prevent unauthorized access to the schema because
modifying the schema improperly can have serious consequences.”
38.1.1 General issues with Microsoft Active Directory on Windows Servers
To avoid unexpected problems with the schema extensions, please read and follow
the instructions below.
Due to the gravity of the system intervention when changing the Microsoft
Active Directory schema, Microsoft has implemented certain security
barriers which must be overcome or taken into consideration before
extending the schema with the HOB entries.
The scheme extension must be executed on the primary Microsoft Active
Directory server first. If the Microsoft Active Directory installation is
distributed over a server cluster, one of these servers will be the "primary"
Microsoft Active Directory Server.
The actions described in the section below must be performed manually; however,
HOB has written a batch file to simplify this task.
In the \INSTALLDIR\LDAP-schema-extensions\MS-ActiveDirectory directory
you will find the batch file prepare.bat. In this batch file, the 2 actions described
below are carried out:


514
A registration call is carried out to display the Active Directory schema in the Microsoft Management Console. To do this the DLL file Schmmgmt.dll is registered in your system via the program Regsvr32.exe, contained in Windows.
Authorization for a schema extension must be activated in the Active Directory
Schema Console. The Active Directory Schema Console is opened in a Microsoft Management Console (MMC). Here, as administrator, you may have to
manually activate the schema change in the Operations Master of the Active Directory Schema Console.
HOB RD VPN
To perform these actions proceed as follows:
1.
Copy the prepare.bat batch file from \INSTALLDIR\LDAP-schemaextensions\MS-ActiveDirectory to a directory on the Microsoft Active
Directory Server.
2.
Open a console window for command line entry and go to the directory on the
Microsoft Active Directory Server.
3.
Start the batch file with the following entry in the console window: prepare
[ENTER].
4.
The DLL registration is terminated when the following message appears:
DLLRegistryServer in Schmmgmt.dll succeeded.
5.
Click OK.
6.
Start the Microsoft Management Console (MMC) window with the following
entry in the console window: mmc [ENTER].
7.
The MMC starts. Select Add/Remove Snap-in... from the File menu of the
MMC window.
8.
Now select Active Directory Schema from the list of Available snap-ins and
add it to the Selected snap-ins.
9.
Click OK.
10. Select the entry Active Directory Schema in the Console Root pane of the
MMC window.
11. Right-click the text Active Directory Schema, and in the displayed menu
select Operations Master....
Figure 1: MS Active Directory MMC - Active Directory Schema options menu
12. The Change Schema Master dialog opens. Verify that it is allowed to modify
and extend the Microsoft Active Directory Schema and to activate schema
changes to be made on this Domain Controller if it is not already activated.
13. Click OK to close the dialog.
515
HOB RD VPN
14. In the main menu select Console > Save to save the changes.
You can use the Active Directory Schema MMC later to verify the schema
extension.
15. Close the Microsoft Management Console.
This procedure must be done only once.
38.1.2 Running LDAP Scheme extensions
1.
To run the LDAP scheme extension copy all files from the sub-directory
\INSTALLDIR\LDAP-schema-extensions\MS-ActiveDirectory to a
directory on the Microsoft Active Directory Server.
2.
From this directory run the tool HOB_AD_Util.exe.
3.
Click the button Extend Schema for HOB EA in the dialog program window
that is displayed.
Figure 2: HOB EA Utility for MS Active Directory
4.
This shows the Select HOB EA Objectclasses dialog:
Figure 3: Select HOB EA Objectclasses
516
5.
From this dialog select HOB EA Scheme Extension and click OK.
6.
Following a successful LDAP scheme extension the dialog below is displayed:
HOB RD VPN
Figure 4: Result of the HOB LDAP Scheme Extension
7.
Click OK to close this screen and return to the Select HOB EA Objectclasses
dialog, where you can now select the HOB Scheme Extension for any other
extension that you want to make, for example HOBPhone.
8.
Close the window of the HOB LDAP Scheme Extension tool.
38.1.3 Verifying the LDAP Scheme extension
You can use the Active Directory Schema MMC window as explained in Section
38.1.1 General issues with Microsoft Active Directory on Windows Servers to verify
the schema extension.
1.
Open the MMC window again and expand the hierarchy tree in the Console
Root pane of this window.
2.
If you select Classes or Attributes in the Console Root pane, the object
classes and attributes in the schema are displayed in the center pane of the
window.
3.
You can find HOB specific entries in each list of available object classes or
attributes depending on the selected item. The list of HOB specific attributes
can be found in Section 38.5 Adding HOB Specific Object Classes.
517
HOB RD VPN
Figure 5: Microsoft Active Directory MMC - Active Directory Schema Attributes
38.1.4 Assigning HOB Specific Attributes to Microsoft Active Directory Objects
After the scheme extension in Microsoft Active Directory is performed, it is
necessary to give the necessary authorization to the Microsoft Active Directory
objects created for the HOB specific configurations. This way it is possible to save
a HOB specific configuration using a HOB specific attribute for an Microsoft Active
Directory object. For more information on this topic, see Section 38.5 Adding HOB
Specific Object Classes.
The HOB-specific attributes (from the schema extension) are mandatory
for configuring some HOB products.
This assignment must be performed manually. You need to carefully decide to
which Microsoft Active Directory objects (Users, Groups, Containers, for example)
this assignment is to be added. In the following section the figures refer to a group
item that is used as an example.
1.
518
Open the snap-in Active Directory Users and Computers in a Microsoft
Management Console (MMC) window.
HOB RD VPN
Figure 6: Microsoft Active Directory Users and Computers
2.
Activate the Advanced Features item from the View menu.
3.
Select an item from the available Microsoft Active Directory objects (User,
Group, Container) and open the corresponding context menu.
Figure 7: Microsoft Active Directory Users and Computers - Object context menu
4.
Open the Properties dialog of the selected item from the context menu.
519
HOB RD VPN
Figure 8: Microsoft Active Directory Users and Computers - Group properties
5.
From the resulting dialog (above), select the tab Attribute Editor and the
following dialog is displayed:
6.
Scroll down and select the attribute objectClass from the list of attributes and
click the Edit button to edit this selected attribute.
Figure 9: Microsoft Active Directory Users and Computers Properties - Attribute Editor 'objectClass'
7.
520
In the Edit Attribute dialog (below) enter the HOB specific object class hoboc
to the selected attribute objectClass by entering it in the Value to Add field.
HOB RD VPN
Figure 10: Microsoft Active Directory Attribute Editor - Add hoboc in Edit dialog
8.
Click Add to add this value to the objectClass attribute.
Figure 11: Microsoft Active Directory Attribute Editor - hoboc Added to ObjectClass
9.
Now that the object class hoboc has been added to the attribute objectClass
for the selected object, HOB-specific configuration data can be stored in an
attribute that belongs to the object class hoboc for this object (a group object
is used in this example).
521
HOB RD VPN
Figure 12: Microsoft Active Directory - Properties Dialog after Assignment
These steps must be repeated for all objects that are to be configured for
HOB products.
38.2 Scheme Extensions for OpenDJ
To make the HOB LDAP Scheme Extension for OpenDJ you must copy a single
specific .ldif file across into the relevant directory.
This file, 90-hobschema.ldif is currently located in the directories of the server
installation:
INSTALLDIR\LDAP-schema-extensions\openDS
Locate this file and copy it to the following target directory on the external directory
server:
INSTALLDIR_of_OpenDJ\config\schema.
When the file has been copied to the directory restart OpenDJ. At this point the
scheme extension is completed.
The new entries in the LDAP scheme will only take effect once the LDAP
Server has been restarted.
522
HOB RD VPN
38.3 Scheme Extensions for OpenLDAP
The OpenLDAP Server can be deployed on any of the following UNIX systems:

Apple MACOS X

Be BeOS

FreeBSD

Hewlett Packard HP-UX

Hewlett Packard Tru64 UNIX

IBM AIX

Linux

OpenBSD

Silicon Graphics IRIX

Sun Microsystems Solaris

Sun Microsystems SunOS
A recommended and competent point of reference providing comprehensive
knowledge and assistance for OpenLDAP is provided by the web site
www.openldap.org. This site contains detailed information about installing
OpenLDAP and also provides a detailed FAQ section that can answer many
questions.
38.3.1 Make the HOB LDAP scheme extension available to the Server
To make the HOB LDAP Scheme Extension for OpenLDAP you must copy the file
hob.schema across into the relevant directory.
This file hob.schema is currently located in the directories of the server installation:
INSTALLDIR\LDAP-schema-extensions\openLDAP
Locate this file and copy it to the relevant target directory on the external directory
server.
38.3.2 Set Include path of the HOB scheme extension
After the installation of OpenLDAP (depending on the individual installation
parameters) the following file can be found in the configuration directory of
OpenLDAP:
/etc/openldap/slapd.conf
This file includes the Include directives. These provide additional configuration
information and can be used to improve the structure of your configuration file.
In the referenced file set the include path to the HOB scheme extension, as follows:
include /etc/openldap/schema/hob.schema.
server has been restarted.
523
HOB RD VPN
38.4 Scheme Extensions for IBM SecureWAY Directory
Server
To make the HOB LDAP Scheme Extension for IBM SecureWay Directory Server
you must copy the following files across into the relevant directory:

V3.ibmhob.at (contains HOB specific attributes)

V3.ibmhob.oc (contains HOB specific object classes)
These files are currently located in the directories of the server installation:
INSTALLDIR\LDAP-schema-extensions\IBM-DirectoryServer.
If you are the authorized system administrator you must now customize the LDAP
configuration file.
On the AS400 you will find a sub-directory name DirSrv. This directory holds files
describing attributes and object classes of the LDAP Directory Service. This is the
destination directory where you need to paste the files V3.ibmhob.at and
V3.ibmhob.oc from the directory referenced above. Locate these files and copy
them to the following target directory on the external directory server:
/QIBM/UserData/OS400/DirSrv/.
The sub directory DirSrv also contains the file slapd.conf. This file includes a list
of all attributes and object classes files that are available to the LDAP. All files must
be included in the LDAP system using the key word includeSchema. Use this key
word to add the file names V3.ibmhob.at and V3.ibmhob.oc to the slapd.conf
file along with their complete paths. The lines added might look as follows:
includeSchema /QIBM/UserData/OS400/DirSrv/V3.ibmhob.at
includeSchema /QIBM/UserData/OS400/DirSrv/V3.ibmhob.oc
Add the entry of the attribute file V3.ibmhob.at before you add the object
class file V3.ibmhob.oc, as the attributes must be known to the system
before any object classes can be included.
Usually the file slapd.conf is already sorted by attribute files and object class files.
The above referenced files should be placed on a new line after the last file of the
respective type.
Server has been restarted.
524
HOB RD VPN
38.5 Adding HOB Specific Object Classes
To conduct the HOB LDAP Scheme Extension on other LDAP systems, you must
manually register the relevant HOB object classes.
For HOB RD VPN the applicable object class is hoboc
For HOBPhone the applicable object class is hobphone
For HOBCOM the applicable object class is hobcom
For versions of the HOB WebSecureProxy in previous versions of
HOB RD VPN and certain versions of HOBLink VPN the applicable object
class is hobgateway.
Adding the object class hoboc is mandatory, whereas the object classes
hobphone is only needed for HOBPhone and hobcom is needed only for
HOBCOM.
The object class hobgateway is contained here but is not required for this
edition of HOB RD VPN.
For the registration of the object classes use the Scheme Management tool that is
provided by the LDAP system.
The IDs used in the HOB Scheme Extension are officially registered and can be
found under:
http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers.
HOB specific attributes
Attributes can be generated by indicating the attribute name and its ASN1-ID (OID
number) according to the following tables:
525
HOB RD VPN
38.5.1 Attributes for the HOB Object Class hoboc:
526
Attribute Name
OID Number
Description
Objectclass
hobhlserver
1.3.6.1.4.1.6275.2
HOB Enterprise
Access Settings
hoboc
hobhobte
1.3.6.1.4.1.6275.3
HOB EA Terminal hoboc
Emulation Settings
hobvpn
1.3.6.1.4.1.6275.4
HOBLink VPN
Settings
hobmonitor
1.3.6.1.4.1.6275.5
HOB EA Monitoring hoboc
Settings
hobproxy
1.3.6.1.4.1.6275.6
HOB EA Proxy
Settings
hoboc
hobjwt
1.3.6.1.4.1.6275.7
HOB EA JWT
Settings
hoboc
hobalias
1.3.6.1.4.1.6275.9
HOB EA Alias
Name Settings
hoboc
hobx11
1.3.6.1.4.1.6275.11 HOB X11 Settings hoboc
hobb
1.3.6.1.4.1.6275.12 HOBLink VPN BM hoboc
Settings
hobc
1.3.6.1.4.1.6275.13 HOBLink VPN NAT hoboc
Settings
hobd
1.3.6.1.4.1.6275.14 HOBLink VPN
Management
Settings
hobe
1.3.6.1.4.1.6275.15 HOBLink SSH
hoboc
Configuration (not a
hxml file) as
property file
hobf
1.3.6.1.4.1.6275.16 HOBLink SSH hoboc
Known Hosts (not a
hxml file)
hobg
1.3.6.1.4.1.6275.17 HOB LogView
Settings
hoboc
hobh
1.3.6.1.4.1.6275.18 FTP Browser
hoboc
hobi
1.3.6.1.4.1.6275.19 HOBLink VPN
hoboc
NameSpaceProvid
er Settings
hobj
1.3.6.1.4.1.6275.20 WSP Desktop-On- hoboc
Demand
hobk
1.3.6.1.4.1.6275.21 HOB WSP UC
Settings
hoboc
hobl
1.3.6.1.4.1.6275.22 WSP WebServer
hoboc
hobm
1.3.6.1.4.1.6275.23 HOB EA Integrity
Check
hoboc
hoboc
hoboc
HOB RD VPN
hobn
1.3.6.1.4.1.6275.24 HOB EA reserve n hoboc
Settings
hobo
1.3.6.1.4.1.6275.25 HOB EA reserve o hoboc
Settings
hobp
1.3.6.1.4.1.6275.26 HOB-Track
hoboc
hobq
1.3.6.1.4.1.6275.27 HOB Workplace
Settings
hoboc
hobr
1.3.6.1.4.1.6275.28 Telnet Resource
Manager (not a
hxml file)
hoboc
hobs
1.3.6.1.4.1.6275.29 HOB HOBLink
Secure Settings
(SSL)
hoboc
hobt
1.3.6.1.4.1.6275.30 HOBLink VPN
Startup Rules
hoboc
hobvpnprop
1.3.6.1.4.1.6275.31 HOBLink VPN
Property Settings
hoboc
hobcert (*)
1.3.6.1.4.1.6275.32 HOB Certificate
Identification
hoboc
hobcookies
1.3.6.1.4.1.6275.33 HOB RD VPN User hoboc
Cookies
hobverification (*)
1.3.6.1.4.1.6275.34 HOB RD VPN
Verification IDs
hobrdvpnuser
Settings
hobrdvpnlog
1.3.6.1.4.1.6275.36 HOB RD VPN Log hoboc
Settings
hobreservec
1.3.6.1.4.1.6275.37 HOB reserve c
Settings
hoboc
hobreserved
1.3.6.1.4.1.6275.38 HOB reserve d
Settings
hoboc
hobreservee
1.3.6.1.4.1.6275.39 HOB reserve e
Settings
hoboc
hobreservef
1.3.6.1.4.1.6275.40 HOB reserve f
Settings
hoboc
hobreserveg
1.3.6.1.4.1.6275.41 HOB reserve g
Settings
hoboc
hobreserveh
1.3.6.1.4.1.6275.42 HOB reserve j
Settings
hoboc
hobreservei
1.3.6.1.4.1.6275.43 HOB reserve j
Settings
hoboc
hobreservej
1.3.6.1.4.1.6275.44 HOB reserve j
Settings
hoboc
Extensions:
hoboc
527
HOB RD VPN
hobrdvpnbmwfa
Bookmarks WFA
hobrdvpnbmwsg
Bookmarks WSG
hobrdvpnbmsess
Bookmarks Session
hobrdvpndod
1.3.6.1.4.1.6275.48 HOB RD VPN
Desktop-OnDemand Settings
hoboc
hobrdvpnpi
1.3.6.1.4.1.6275.49 HOB RD VPN
Personal IPs
hoboc
hobrdvpnmsg
Messages
hobuserhistory (*)
History
racfid
1.3.6.1.4.1.6275.52 IBM RACF ID (used hoboc
by W&W, IBM Tivoli
only)
racfpassticket
1.3.6.1.4.1.6275.53 RACF Passticket
(IBM Tivoli only)
hobica
1.3.6.1.4.1.6275.54 HOB RD VPN Citrix hoboc
ICA Settings
hobmstsc
1.3.6.1.4.1.6275.55 HOB RD VPN MS
RDP Settings
hoboc
hobsid
1.3.6.1.4.1.6275.56 HOB RD VPN
External Security
Identifier
hoboc
hobjwtsa
1.3.6.1.4.1.6275.57 HOB HL JWT
Standalone
Webstart
Configuration
hoboc
hoboc
Table 1: Attributes for the HOB Object Class hoboc
All attributes are single-valued, except for those marked (*), which are multi-valued.
528
HOB RD VPN
38.5.2 Attributes for the HOB Object Class hobphone:
Attribute Name
OID Number
Description
Objectclass
hobphoneconfig
1.3.6.1.4.1.1636.201 HOBPhone
Configuration
hobphone
hobphonelog
1.3.6.1.4.1.1636.202 HOBPhone Logs
hobphone
hobphonepbx
1.3.6.1.4.1.1636.203 HOBPhone PBX
Configuration
hobphone
hobphonereserva
1.3.6.1.4.1.1636.204 HOBPhone
Reserved A
hobphone
hobphonereservb
1.3.6.1.4.1.1636.205 HOBPhone
Reserved B
hobphone
hobphonereservc
1.3.6.1.4.1.1636.206 HOBPhone
Reserved C
hobphone
hobphonereservd
1.3.6.1.4.1.1636.207 HOBPhone
Reserved D
hobphone
hobphonereserve
1.3.6.1.4.1.1636.208 HOBPhone
Reserved E
hobphone
hobphonereservf
1.3.6.1.4.1.1636.209 HOBPhone
Reserved F
hobphone
hobphonereservg
1.3.6.1.4.1.1636.210 HOBPhone
Reserved G
hobphone
Table 2: Attributes for the HOB Object Class hobphone
529
HOB RD VPN
38.5.3 Attributes for the HOB Object Class hobcom:
Attribute Name
OID Number
Description
Objectclass
hcCoMask
1.3.6.1.4.1.1636.10 HOBCOM
hobcom
authorization mask
hcEnFull
1.3.6.1.4.1.1636.11 HOBCOM
encryption range
hobcom
hcEnKey
1.3.6.1.4.1.1636.12 HOBCOM
encryption key
hobcom
hcEnKeyHex
1.3.6.1.4.1.1636.13 HOBCOM
hobcom
encryption hex key
hcGroup
1.3.6.1.4.1.1636.14 HOBCOM group
number
hobcom
hcName
1.3.6.1.4.1.1636.15 HOBCOM user
name
hobcom
hcNo
1.3.6.1.4.1.1636.16 HOBCOM personal hobcom
number
hcPassword
1.3.6.1.4.1.1636.17 HOBCOM user
password
hcTegro
1.3.6.1.4.1.1636.18 HOBCOM terminal hobcom
group name
hcType
1.3.6.1.4.1.1636.19 HOBCOM entry
hobcom
type (user / printer)
hcUserID
1.3.6.1.4.1.1636.20 HOBCOM RACF
UserID
hcSessMan (*)(*)
1.3.6.1.4.1.1636.21 HOBCOM session hobcom
manager entries
hcSession
1.3.6.1.4.1.1636.22 HOBCOM session hobcom
count
hcBtList (*)
1.3.6.1.4.1.1636.23 HOBCOM batch
task list entries as
property file
hcUserList (*) (*)
1.3.6.1.4.1.1636.24 HOBCOM sub user hobcom
entries as property
file
hobcom
hobcom
hobcom
Table 3: Attributes for the HOB Object Class hobcom
530
HOB RD VPN
38.5.4 Attributes for the HOB Object Class hobgateway:
Attribute Name
OID Number
Description
Objectclass
hobgwwsp
1.3.6.1.4.1.6275.101 HOB Gateway
Attributes Web
Secure Proxy
hobgateway
hobgwa
1.3.6.1.4.1.6275.102 HOB Gateway
Attributes 1
Settings
hobgateway
hobgwb
1.3.6.1.4.1.6275.103 HOB Gateway
Attributes 2
Settings
hobgateway
hobgwc
1.3.6.1.4.1.6275.104 HOB Gateway
Attributes 3
Settings
hobgateway
hobgwd
1.3.6.1.4.1.6275.105 HOB Gateway
Attributes 4
Settings
hobgateway
hobgwe
1.3.6.1.4.1.6275.106 HOB Gateway
Attributes 5
Settings
hobgateway
hobgwf
1.3.6.1.4.1.6275.107 HOB Gateway
Attributes 6
Settings
hobgateway
hobgwg
1.3.6.1.4.1.6275.108 HOB Gateway
Attributes 7
Settings
hobgateway
hobgwh
1.3.6.1.4.1.6275.109 HOB Gateway
Attributes 8
Settings
hobgateway
hobgwi
1.3.6.1.4.1.6275.110 HOB Gateway
Attributes 9
Settings
hobgateway
hobgwcert (*)
1.3.6.1.4.1.6275.111 HOB Gateway
Certificate
hobgateway
Table 4: Attributes for the HOB Object Class hobgateway
531
HOB RD VPN
38.5.5 Applicable Attribute Syntax
Select the applicable attribute syntax according to the following table.
Object class
Attribute
Syntax
hoboc
For all attributes from the
Attribute names column
of Table 1, and that use the
object class hoboc.
All attributes are of type binary
octets and use the attribute
syntax BINARY. They are of
type single value except where
stated otherwise.
hobphone
object class hobphone.
type single value.
hobcom
object class hobcom.
All attributes are of type
IA5String
(1.3.6.1.4.1.1466.115.121.1.26)
They are of type single value
except where stated otherwise.
hobgateway
object class hobgateway.
type single value except where
stated otherwise.
Table 5: Attribute types for the HOB Object Classes
38.5.6 Object Classes
Generate object class names and ASN1-ID (OID number) according to the following
table:
Object Class
ASN.1-ID
hoboc
1.3.6.1.4.1.6275.1
hobphone
1.3.6.1.4.1.1636.200
hobcom
1.3.6.1.4.1.1636.1
hobgateway
1.3.6.1.4.1.6275.100
Table 6: HOB Object Class ID numbers
To the object class names you now add the MAY attributes to the object class
required for the respective LDAP system (see Tables 1- 4 above).
You can also add MUST attributes if they are required by the LDAP system. These
are dependent on the LDAP system in use.
532
HOB RD VPN
38.6 LDAP Attributes / Options
LDAP-related key terms for the selected LDAP server system are displayed here. If
you have specified LDAP Server System: Generic, you can make valid entries for
your LDAP server.
Applicable LDAP Attributes are:

User (object name) – this attribute name identifies the object as a user.

Group (object name) – this attribute name identifies the object as a group.


Member (membership attribute) – the group attribute is part of the group properties and identifies users as members of groups.
Attribute Value of Member – Enter an attribute name (for example uid) in this
field that characterizes the value of the attribute that settles the group membership (for example member).
When a user logs on, HOB RD VPN determines which groups this user is a member
of. If the membership information is not stored with the user, all groups have to be
examined to see whether the user logging on is configured as a member of the
group.
To do this, the group attribute is normally checked to see if it contains the DN
(distinguished name) of the user. In this case, as is the same with most LDAP
systems, leave the value of the Attribute Value of Member field empty.
However, if your LDAP system is configured in such a manner that the group
attribute is not a DN, but instead a different attribute (uid, for example) is used for
characterizing the group membership, this is not possible. In this case enter the
name of this attribute (uid) in the Attribute Value of Member field.



Membership (User attribute) – membership is part of the properties of the user.
The user attribute indicates the membership of users in groups.
Timeout (in sec) – this determines the time limit in seconds for the LDAP server
to respond. If there is no response within the specified period, an error message
occurs.
User prefix – determines the key word required for the LDAP Server. Depending
on the LDAP Server System that has been configured on the Connection tab,
this field will contain a pre-defined value, such as cn= for IBM Tivoli Directory
Server.
For more information refer to the user guide of your LDAP Server System.
LDAP System Type
The type of LDAP system is configured under the attribute <LDAP-template> in the
<LDAP-service> element in the HOB WebSecureProxy configuration.
Timeout can be configured under the attribute <timeout-search> in the <LDAPservice> element in the HOB WebSecureProxy configuration.
For more information see Section 36.12 The <LDAP-service> element.
533
HOB RD VPN
Other LDAP Attributes
The other LDAP attributes defined above can be configured under the <LDAPtemplate> element in the HOB WebSecureProxy configuration.
For more information see Section 36.13 The <LDAP-template> element.
534
HOB RD VPN
39 Information and Support
If you would like further information about HOB RD VPN, other products from HOB,
HOB Inc, HOB GmbH & Co. KG, or if you need product support, please contact us
through the following numbers and addresses:
U.S.A. and Canada
General Enquiries:
Phone:
+ 1 866 914 9970
Fax:
+ 49 9103 715 3299
E-mail:
[email protected]
Web:
www.hobsoft.com
Technical Support:
Phone:
+ 1 866 914 9970
Fax:
+ 49 9103 715 3299
E-mail:
[email protected]
Germany
General Enquiries:
Phone:
+ 49 9103 715 0
Fax:
+ 49 9103 715 3271
E-mail:
[email protected]
Web:
www.hob.de
Technical Support:
Phone:
+ 49 9103 715 3161
Fax:
+ 49 9103 715 3299
E-mail:
[email protected]
Other Countries
General Enquiries:
Phone:
+ 49 9103 715 3103
Fax:
+ 49 9103 715 3299
E-mail:
[email protected]
Web:
www.hobsoft.com
Technical Support:
Phone:
+ 49 9103 715 3103
Fax:
+ 49 9103 715 3299
E-mail:
[email protected]
535
HOB RD VPN
536

HOB RD VPN 2.1 Administration Guide

Transcription

Similar documents

Home Office

HOB Remote Desktop VPN

HOBLink JWT-Benutzerhandbuch

Von 3D-Modellen zu Objekten im FS9

Innominate mGuard smart - Phoenix Contact Cyber Security Bietet