HOB RD VPN 2.1 Administration Guide
Administration Guide
HOB Remote Desktop VPN blue edition
Software version: 2.1
Issue: December 2014

HOB Software and Documentation – Legal Notice

Contact: HOB GmbH & Co. KG, Schwadermuehlstr. 3, 90556 Cadolzburg
Represented by: Klaus Brandstätter, Zoran Adamovic
Phone: + 49 9103 715 0
Fax: + 49 9103 715 271
E-mail: [email protected]
Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180
Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002
Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOB RD VPN software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible, however, from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we cannot accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for private, non-commercial use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular, any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

Trademarks

Microsoft Windows is a trademark of Microsoft Corporation. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. UNIX is a registered trademark of The Open Group (see http://www.unix.org/trademark.html). Oracle and Java are registered trademarks of Oracle and/or its affiliates. Citrix, Citrix ICA, Citrix XenApp, Citrix Receiver for Java and other products are trademarks or registered trademarks of Citrix Systems, Inc. Mac OS and Apple are trademarks of Apple Inc., registered in the U.S. and other countries. All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Issued: December 3, 2014
Security Solutions by HOB

Purpose of this Guide

This guide is designed to provide system administrators with detailed information concerning HOB RD VPN to help them decide where and when this product can be most effectively deployed in their enterprise network. This documentation contains descriptions of numerous possible scenarios, and explains the required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions

This manual uses certain symbols and conventions to help the reader. These are explained below:

This symbol indicates useful tips that can make your work easier.
This symbol indicates additional informative text.
This symbol indicates an important tip or procedure that may have far-reaching effects. Please consider carefully the consequences of any changes and settings you make here.

References to program commands, options and buttons are printed in Bold, e.g. Select the command Open….
Cross-references to section headings and figures with numbers are marked in color as follows: Chapter 39 Information and Support.
File names and text to be entered by the user are displayed in the font Courier New. This input is, unless otherwise mentioned, case sensitive.
In this documentation, HOB-specific terminology is abbreviated as follows:

HOB-specific Terminology: Abbreviation
HOB Remote Desktop Virtual Private Network: HOB RD VPN
HOB WebSecureProxy: HOB WSP
HOBLink Java Windows Terminal: HOBLink JWT
HOB WebSecureProxy Universal Client: HOB WSP UC

Other abbreviations commonly used in this documentation are as follows:

Full Name: Abbreviation
Common Criteria: CC
De-Militarized Zone (location between two firewalls): DMZ
Evaluation Assurance Level: EAL
Remote Desktop: RD
Security Target: ST

Contents

1 Introducing HOB RD VPN ..... 15
  1.1 Features of HOB RD VPN blue edition ..... 15
  1.2 Components of HOB RD VPN ..... 16
2 HOB RD VPN Basic Concepts ..... 21
  2.1 HOB RD VPN Navigation Screen ..... 21
  2.2 HOB Administration Portal ..... 23
  2.3 User Control ..... 23
  2.4 HOB RD VPN Domains ..... 24
  2.5 Multi-Tenancy ..... 26
  2.6 Roles ..... 26
  2.7 Global Administrator vs. Domain Administrator ..... 28
  2.8 HOB WebSecureProxy ..... 29
  2.9 HOB RD VPN Computer Cluster ..... 30
3 Deployment Scenarios ..... 33
  3.1 Default Deployment Configuration ..... 33
  3.2 Cluster Deployment Configuration ..... 34
4 HOB RD VPN Installation ..... 37
  4.1 System Requirements for Installation ..... 37
  4.2 Prerequisites for Installation – Single Node and Cluster ..... 38
  4.3 Starting the HOB RD VPN Installer – Single Node and Cluster ..... 40
  4.4 HOB RD VPN Installation – First Node and Cluster ..... 41
  4.5 HOB RD VPN Installation – New Cluster Member ..... 51
  4.6 Customizing HOB RD VPN User Pages ..... 60
  4.7 Testing the Installation ..... 64
5 HOB RD VPN Navigation Screen ..... 67
  5.1 Portlets ..... 68
  5.2 User Settings ..... 69
6 HOB RD VPN Administration ..... 75
  6.1 Administration Access as a Domain Administrator ..... 75
  6.2 Administration Access as a Global Administrator ..... 78
  6.3 Creating a New Global Administrator ..... 89
  6.4 Logging and Error Messages in HOB RD VPN ..... 93
7 Multi-Tenancy ..... 99
  7.1 Default Domain Configuration after Installation ..... 99
  7.2 Using the Integrated Directory Service ..... 102
  7.3 Using an External Directory Service as the Authentication Service ..... 107
  7.4 Using RADIUS Access Servers as the Authentication Service ..... 113
  7.5 Using Kerberos as the Authentication Service ..... 119
  7.6 Kerberos Single Sign-on ..... 125
  7.7 HOB LDAP Scheme Extension ..... 125
8 Roles and Users ..... 127
  8.1 Configuring Roles and Users in HOB WebSecureProxy ..... 127
  8.2 Configuring Roles and Users in HOB RD VPN Administration ..... 135
  8.3 Configuring HOB RD VPN 2.1 ..... 138
9 Defining Targets in the HOB WSP ..... 153
  9.1 Creating a Target ..... 153
  9.2 Configuring the RDP Hook ..... 163
10 Remote Desktop Computing using HOBLink J-Term/JWT ..... 167
  10.1 Configuring HOBLink J-Term/JWT to create RDP Connections ..... 167
  10.2 Configuring HOBLink JWT ..... 169
  10.3 Configuring a Scheme in HOBLink JWT ..... 174
  10.4 Configuring a Session in HOBLink JWT ..... 176
  10.5 Running Sessions ..... 177
  10.6 Load Balancing ..... 179
11 Remote Desktop Computing using HOBLink JWT Webstart ..... 183
  11.1 Configuring RD Computing using HOBLink JWT ..... 183
  11.2 The Client Configuration Provider ..... 185
  11.3 Configuring HOBLink JWT ..... 186
  11.4 Configuring a Session in HOBLink JWT Webstart ..... 188
  11.5 Configuring a Scheme in HOBLink JWT Webstart ..... 189
  11.6 Run Sessions ..... 192
12 HOB RD VPN Desktop-on-Demand ..... 193
  12.1 Configuring HOB Desktop-on-Demand ..... 193
  12.2 HOB Wake-on-LAN Relay ..... 200
13 Virtual Desktop Integration ..... 207
  13.1 HOB VDI – the Technology ..... 207
  13.2 The HOB VDI Agent ..... 208
  13.3 The HOB VDI Control ..... 208
  13.4 Requirements for HOB VDI ..... 209
  13.5 Installing HOB VDI ..... 209
  13.6 Configuring HOB VDI ..... 212
14 Remote Desktop Access using VNC ..... 215
  14.1 Configuring VNC Targets ..... 215
  14.2 Configuring a Static VNC Bridge Connection ..... 218
  14.3 Configuring a Dynamic VNC Bridge Connection ..... 220
  14.4 Using the HOB VNC Bridge ..... 221
15 Remote Desktop Access using SSH ..... 223
  15.1 SSH Targets ..... 223
  15.2 Using SSH ..... 226
16 Terminal Emulations ..... 227
  16.1 Configuring HOB RD VPN for Terminal Emulations ..... 227
  16.2 Configuring TN3270 Targets ..... 236
  16.3 Configuring TN5250 Targets ..... 237
  16.4 Configuring Telnet Targets ..... 240
17 HOB RD VPN Web Server Gate – Intranet Access ..... 245
  17.1 Configuring the HOB RD VPN Web Server Gate ..... 246
  17.2 Using the HOB RD VPN Web Server Gate ..... 247
  17.3 HOB Single Sign-on – Auto Logon to Intranet Servers ..... 250
18 Remote Desktop Access using ICA ..... 255
  18.1 Installing HOB RD VPN for Remote Desktop Access with ICA ..... 255
  18.2 Configuring Remote Desktop Access with ICA ..... 255
  18.3 Implementing Single Sign-on for Access using ICA ..... 261
  18.4 Using ICA for Remote Desktop Access ..... 263
19 HOB RD VPN Web File Access ..... 265
  19.1 Configuring HOB RD VPN Web File Access ..... 265
  19.2 Using HOB RD VPN Web File Access ..... 267
20 Remote Access to Microsoft Exchange Server ..... 271
  20.1 Configuring Remote Access to Microsoft Exchange Server ..... 271
  20.2 Configuring XML for HOB RD VPN Exchange Server Access ..... 274
  20.3 Using HOB RD VPN Microsoft Exchange Server Access ..... 275
21 Internal Network Adapter ..... 277
  21.1 Installing the Internal Network Adapter and HOB TUN Driver ..... 277
  21.2 Configuring the Internal Network Adapter ..... 278
22 Using the HOB PPP Tunnel for Network Access ..... 281
  22.1 Configuring User Settings for the HOB PPP Tunnel ..... 281
  22.2 Network Address Translation ..... 283
  22.3 Configuring the HOB PPP Tunnel ..... 285
  22.4 Configuring L2TP for the HOB PPP Tunnel ..... 288
  22.5 Configuring a Raw Packet Interface for the HOB PPP Tunnel ..... 289
  22.6 Configuring Dynamic NAT ..... 292
  22.7 Configuring the HOB TCP Tuner ..... 296
  22.8 Assigning the Server List ..... 301
  22.9 Creating a HOB PPP Tunnel Portlet on the Navigation Screen ..... 302
  22.10 Using the HOB PPP Tunnel ..... 303
23 HOBPhone ..... 305
  23.1 Configuring HOBPhone in HOB RD VPN ..... 305
  23.2 Configuring the User Accounts in HOBPhone ..... 313
  23.3 Using HOBPhone ..... 323
24 HOB WSP Universal Client ..... 333
  24.1 Configuring HOB WSP Universal Client ..... 334
  24.2 Configuring the HOB WebSecureProxy for SOCKS ..... 338
  24.3 Configuring the Client ..... 339
  24.4 Configuring the Client Application with HOB WSP ..... 339
25 HOB Compliance Check ..... 343
  25.1 Configuring the HOB Compliance Check ..... 343
  25.2 Assigning the HOB Compliance Check to a Role ..... 352
  25.3 Using the HOB Compliance Check ..... 353
26 HOB Target Filters ..... 355
  26.1 Configuring Target Filters ..... 355
  26.2 Using Target Filters ..... 358
27 SSL Identifier ..... 361
  27.1 Configuring the SSL Identifier for the User ..... 361
  27.2 Configuring the SSL Identifier for the WSP ..... 364
  27.3 Using the SSL Identifier ..... 366
28 Additional HOB Solutions ..... 367
  28.1 HOB Remote Desktop Enhanced Services ..... 367
  28.2 HOB X11Gate ..... 368
  28.3 HOB MacGate ..... 369
29 Security Checks ..... 371
  29.1 Server ..... 371
  29.2 Firewall ..... 371
  29.3 Ports ..... 372
  29.4 Logging ..... 372
30 HOB RD VPN Evaluated for Common Criteria ..... 373
  30.1 Information on Common Criteria ..... 373
  30.2 Security Objectives for the Operational Environment ..... 375
  30.3 Delivery Accuracy Check ..... 378
  30.4 Consequences of Misconfiguration ..... 381
  30.5 System Requirements ..... 383
  30.6 Configuration Tasks ..... 385
  30.7 User Workshops and Schooling ..... 387
  30.8 Achieving Trustworthy Encryption ..... 389
  30.9 Using Certificates in HOB RD VPN ..... 392
31 Flaw Remediation ..... 395
  31.1 Aspects of Flaw Remediation ..... 396
32 Frequently Asked Questions ..... 397
33 Advanced HOB WSP Configuration ..... 401
  33.1 Adding Certificates and HOBLink Security Units to the HOB WSP ..... 401
  33.2 Manually Stopping and Starting the HOB WSP ..... 403
  33.3 Configuration Changes and their Effectiveness and Impact ..... 404
34 XML Configuration for HOB Web Server Gate ..... 407
  34.1 Example HOB Web Server Gate Configuration ..... 407
35 XML Configuration for HOBLink JWT ..... 409
  35.1 Example configuration for Direct Connections ..... 409
  35.2 Example configuration for connections using the HOB WSP ..... 413
  35.3 Connection parameters ..... 415
  35.4 Display parameters ..... 420
  35.5 Logon parameters ..... 426
  35.6 Security parameters ..... 427
  35.7 Keyboard & Mouse parameters ..... 430
  35.8 Resources parameters ..... 433
  35.9 Logging parameters ..... 438
  35.10 Control parameters ..... 440
  35.11 Optimization parameters ..... 443
36 XML Configuration for the HOB WebSecureProxy ..... 449
  36.1 Configuring XML parameters for the HOB WSP ..... 450
  36.2 Root Element and XML declaration ..... 453
  36.3 The <general> element ..... 476
  36.4 The <connection> element ..... 480
  36.5 The <authentication-library-object> element ..... 484
  36.6 The <server-list> element ..... 485
  36.7 The <L2TP-gateway> element ..... 486
  36.8 The <raw-packet-interface> element ..... 487
  36.9 The <service> element ..... 488
  36.10 The <Kerberos-5-KDC> element ..... 489
  36.11 The <radius-group> element ..... 490
  36.12 The <LDAP-service> element ..... 491
  36.13 The <LDAP-template> element ..... 493
  36.14 The <target-filter> element ..... 494
  36.15 The <cluster> element ..... 495
  36.16 The <client-side-ssl> element ..... 496
  36.17 The <OCSP-section> element ..... 497
  36.18 The <configuration-parameters> element ..... 497
37 Server Data Hook Configurations ..... 499
  37.1 The Authentication Library (xl-sdh-webserver-01.dll) ..... 499
  37.2 The Web Server Gate SDH (xl-sdh-webserver-01) ..... 503
  37.3 The Kerberos Ticket Service SDH (xl-sdh-krb5ts1-01) ..... 504
  37.4 The EA to LDAP SDH (xl-sdh-ea-ldap-01) ..... 504
  37.5 The Compliance Check SDH (xl-sdh-compl-check-01) ..... 505
  37.6 The Dynamic NAT PPP Tunnel SDH (xl-sdh-ppp-pf-05) ..... 507
  37.7 The HOBPhone SDH (xl-sdh-hobphone-01) ..... 507
  37.8 The VNC Bridge SDH (xl-rdps-rfbc-1) ..... 508
  37.9 The SOCKS SDH (xl-sdh-sock5-01) ..... 511
38 HOB LDAP Scheme Extensions ..... 513
  38.1 Scheme Extension for Microsoft Active Directory ..... 513
  38.2 Scheme Extensions for OpenDJ ..... 522
  38.3 Scheme Extensions for OpenLDAP ..... 523
  38.4 Scheme Extensions for IBM SecureWAY Directory Server ..... 524
  38.5 Adding HOB Specific Object Classes ..... 525
  38.6 LDAP Attributes / Options ..... 533
39 Information and Support ..... 535

About This Documentation

This is a comprehensive product documentation created to describe all of the procedures involved in installing, configuring and handling the HOB RD VPN software. It does not contain descriptions of functions that are not part of the HOB RD VPN package. Information concerning functions of third-party products may be obtained from the corresponding user manuals of those products.

It is assumed that you, the reader of this manual, are an experienced IT administrator, familiar with the basic concepts of cryptography, and have elementary knowledge of Java technology.

This document describes all topics of HOB RD VPN that are related to installation, administration, evaluation aspects and interface descriptions. Chapters 1 and 2 give an introduction to HOB RD VPN, a description of the basic concepts, and the features and components that it contains. Following this, there are generally five main areas:

The first section provides detailed systematic guidance for the installation of the product (Chapters 3 and 4).
The second section is a reference manual that describes the administration and advanced features of HOB RD VPN (Chapters 5 to 8).
The third section provides additional information on defining connection targets and establishing connections to other computers and networks (Chapters 9 to 27).
The fourth section provides additional information on additional HOB solutions and topics, including security applications and compliance (Chapters 28 and 29).
The fifth section provides information on Common Criteria Evaluation and Flaw Remediation with useful general information, such as the XML configurations, FAQs and contact information (from Chapters 30 to 34).

This product documentation is automatically installed together with the main component of HOB RD VPN, the HOB WebSecureProxy.

We recommend that you print this document on color printers only, or view it in zoom mode (150% or more), as it contains reproductions of display icons.

The security functions of HOB RD VPN have been designed and implemented in a manner that allows you to create a trusted channel between the distributed parts of HOB RD VPN. This channel protects the user data and security data transferred over it from disclosure or undetected modification, and also prevents masquerading of the remote trusted IT system. To enable this functionality, HOB RD VPN provides the facility for you to generate encrypted security certificates and the corresponding encryption keys.

As the administrator of HOB RD VPN for your company, you must ensure that all potential users have been correctly trained to use this product and successfully authenticated before allowing any action that HOB RD VPN has defined to be for authenticated users only.

The security functions you use must control the access of subjects or users to the resources of all Web and Remote Desktop servers based on the identity of the resource. The security functions must also allow you and the other administrators to specify the users or subjects that are allowed access to a specific named object in that access mode. An access list needs to be developed, detailing where each user is allowed to access the servers, and how they are allowed to do this. This is an element of the company policies for the user management of HOB RD VPN. These user management policies are also required to qualify for EAL 4+ security certification.

Please bear in mind that HOB cannot prepare a solution that is applicable to every possible system configuration or environment. For this reason HOB can certify only the components of this product, meaning that HOB cannot be held liable for situations that are outside the scope of this product, and therefore out of the control of HOB.

Common Criteria Evaluation of HOB RD VPN

This product is designed to comply with the Common Criteria (CC) and the assurance level EAL 4+. CC compliance is achieved only for a specific scenario and configuration of HOB RD VPN. HOB Product Management can send you a copy of the Security Target document that is the core of the whole certification process. It is strongly recommended that you read this document thoroughly to gain a deeper understanding of the security functions carried out by this product. For purposes of Common Criteria Evaluation for Security, a secure connection to the directory service must be built for a user-specific configuration of the directory service to be used.

1 Introducing HOB RD VPN

HOB RD VPN blue edition is a software solution that is specially designed to give you secure remote access over the Internet to the resources in your corporate network. This innovative HOB RD VPN software solution enables fast and secure access to all your business data and applications from any place in the world. It delivers your intranet, enterprise servers or office PC to you and your users – at the push of a button – whether you are at your house, a hotel or the airport.

1.1 Features of HOB RD VPN blue edition

These special features have been developed for HOB RD VPN blue edition:

HOB Clustering Support
Clustering support is available for HOB RD VPN blue edition.
Clustering support includes both High Availability and Load Balancing across the servers of your enterprise.

Multi-Tenancy
HOB RD VPN supports more than one authentication service and configuration storage, allowing multiple domains to be used simultaneously on the same machines.

HOBPhone
This feature provides voice telephony across your network.

Access and Rights
These include a Compliance Check and Role Assignment for your users. HOB RD VPN introduces a role-based concept with advanced Compliance Check functionality and a flexible concept for user authentication and configuration.

HOB PPP Tunnel
The HOB PPP Tunnel supports dynamic mode and private IP addresses, and includes all required components. An external L2TP service is not required but may optionally be used.

User-specific Personal IP Address
The SSL Identifier feature allows you to easily identify the user of any client machine, not just the machine itself, through the use of user-specific IP addresses.

Improved Desktop-on-Demand Functionality
You can configure multiple simultaneous Desktop-on-Demand targets for a user.

Third Party Software Support
HOB RD VPN supports connections to VNC enabled servers. HOB RD VPN also supports the Citrix WebPortal and Citrix Receiver.

1.2 Components of HOB RD VPN

The scope of delivery of HOB RD VPN consists of a range of different complementary components and features:

1.2.1 HOB Integrated Components

These components are integral to the functioning of HOB RD VPN and are installed automatically.

HOB WebSecureProxy
HOB WebSecureProxy (HOB WSP) is the server component of HOB RD VPN. It is the central configuration point for all features and functionality of HOB RD VPN.

Integrated Directory Service
This component manages the central user management. You can use this integrated directory service or your own established directory service for the storage of all configuration data and as the authentication service for all users and resources using HOB RD VPN. After installation the integrated directory service is used as the default service.

1.2.2 HOB Portlets

Portlets are the applications that HOB RD VPN uses to execute the required tasks. They are installed automatically.

HOBLink JWT
HOBLink JWT is the RDP client application used for accessing any RDP capable server, including Microsoft Remote Desktop servers or Windows desktops. HOBLink JWT is also used to connect to VNC enabled services. It is delivered bundled with HOBLink J-Term, or as a stand-alone product when connections to legacy terminals are not required.

HOBLink J-Term
HOBLink J-Term is the multi-protocol-capable client application for accessing host systems via SSH, VT, TN3270, TN5250, HP700 and Siemens 9750. Additional licenses may be needed for certain protocols.

HOB RD VPN Web Server Gate
The HOB RD VPN Web Server Gate provides secure access to the intranet servers and can be used to access any available web service.

HOB RD VPN Web File Access
This component enables remote access to file servers. HOB RD VPN Web File Access is a browser based file manager that is used to connect over SMB/CIFS to any available share in the internal network.

HOB PPP Tunnel
The HOB PPP Tunnel provides secure transparent network access to the complete enterprise network.

HOBPhone
HOBPhone provides Voice over IP telephony across the machines within your network.

HOB Universal Client
HOB Universal Client enables remote access for network installed third party applications.

User Settings
This portlet allows the configuration of bookmarks and other settings for the users.

Administration
This portlet allows quick and direct access to the HOB RD VPN administration interface.

A complete list of all components and their release version numbers is included in this installation of HOB RD VPN and can be found in the file RDVPN_Component_Info.txt, included in the HOB RD VPN installation media.

1.2.3 HOB Integrated Features

These features are also included with the installation of HOB RD VPN, and provide added functionality to complement that of the core components.

Compliance Check
This is a further security measure designed to verify the state of the connecting clients; it can be used to ensure that only clients that satisfy the central security requirements can connect to the internal network.

VNC Bridge
The HOB VNC Bridge is a component that allows users to connect to any VNC enabled services (such as Intel AMT or any VNC Server). The VNC Bridge translates the VNC protocol to RDP, which results in significantly improved performance.

ICA Support
HOB RD VPN can be used to secure remote ICA connections. HOB RD VPN allows the use of the Citrix WebPortal and the Citrix Receiver in a secure way.

Desktop-on-Demand
This provides remote access to personal workstation computers running Windows. This functionality can be combined with Wake-on-LAN technology to grant this access even if the remote workstations are switched off.

HOB Virtual Desktop Interface Business
This is used for secure remote access to Windows operating systems running as virtual machines in computer centers.

HOB Remote Desktop Load Balancing
This feature allows Load Balancing within your Remote Desktop session host server farm.

1.2.4 Optional Components

The following components are also delivered as part of HOB RD VPN, but are not part of the HOB RD VPN installation. These components add extended functionality and can be installed on your target server, on the client system, or installed separately.
Software Components HOBLink Security Manager This component utilizes the HOB Certification Authority to administer security certificates for your system. This component should not be installed on the target server. For more information see the documentation provided for HOBLink Secure and the HOBLink Security Manager. HOB Remote Desktop Enhanced Services Load Balancer This component enables the use of Load Balancing for Windows Servers with Microsoft Remote Desktop session hosts. For more information see Section 10.6 Load Balancing. HOB Wake-on-LAN Relay This component enables the use of Desktop-on-Demand in different networks, please see Section 12.2 HOB Wake-on-LAN Relay for more information. HOB VDI Agent This component enables the sharing for pools of virtual or non-virtual desktops, please see Section 13.2 The HOB VDI Agent for more information. HOB Virtual Wake-on-LAN Agent This component enables Desktop-on-Demand functionality for virtual desktops, please see Section 12.2 HOB Wake-on-LAN Relay for more information. Client System Components Anti Split Tunneling This extra security feature restricts systems to using only specified, known connections. It is most often used in conjunction with the HOB PPP Tunnel, where it restricts connections to locations outside the HOB PPP Tunnel. 1.2.5 Additional HOB Solutions The following are HOB solutions that are not delivered with HOB RD VPN but can be purchased additionally. These solutions add extra functionality and usability, as set out by the needs of your enterprise. They integrate perfectly with all other components of HOB RD VPN. 18 Security Solutions by HOB HOB RD VPN Introducing HOB RD VPN HOB Remote Desktop Enhanced Services This component enables additional RDP functionality, such as HOB Local Drive Mapping, which is required for virus checking, and HOB Audio. HOB X11Gate This provides a gateway for remote access to graphical systems under UNIX or Linux. 
HOB MacGate HOB MacGate enables remote access to server machines using the Mac OS X operating system. HOB Secure Communication Server HOB SCS is the propriety operating system that is designed exclusively for use with HOB RD VPN. It is a stable, hardened platform that provides a simple, secure and efficient way to implement the HOB RD VPN security solution. Security Solutions by HOB 19 Introducing HOB RD VPN 20 HOB RD VPN Security Solutions by HOB HOB RD VPN 2 HOB RD VPN Basic Concepts HOB RD VPN Basic Concepts HOB RD VPN allows you to connect from a client machine over the web to access your desired target system and servers. HOB RD VPN serves as the access gateway into your system by sitting as the first point of contact for an incoming connection, analyzing and authenticating this connection and, if authenticated, extending this connection to the desired target server or group of servers. This process is shown graphically here, with HOB RD VPN being installed between the firewall to the Internet and the firewall to your network: Figure 1: HOB RD VPN Access to Target System You can access HOB RD VPN with any standard browser (some integrated components need a Java-enabled browser). 2.1 HOB RD VPN Navigation Screen After a successful logon as a user you have access to the HOB RD VPN Navigation Screen. The HOB RD VPN Navigation Screen consists of different portlets, each of which enables different applications or functionalities, and is described in more detail in Chapter 5 HOB RD VPN Navigation Screen. Security Solutions by HOB 21 HOB RD VPN Basic Concepts HOB RD VPN Figure 2: HOB RD VPN Navigation Screen You can use the links in the screen above to access the functionality you require from your installation of HOB RD VPN. 
In the Common Criteria evaluated configuration you will see the HOB RD VPN Navigation Screen as above, but with reduced functionality and therefore with only the following options:

Figure 3: HOB RD VPN Navigation Screen for Common Criteria Evaluation

2.2 HOB Administration Portal

The HOB Administration Portal allows you, as the Global Administrator, access to the administration interface and to configure the whole HOB RD VPN installation.

Figure 4: HOB RD VPN Administration Screen - System

Only Global Administrators can access the Administration Portal and administer the HOB WebSecureProxy. Domain administrators have more limited access to administration: they can administer only their own domains, not the full HOB RD VPN installation.

2.3 User Control

HOB RD VPN introduces much tighter definitions of what a user really is, and what their roles should be. Each user has different tasks, objectives and responsibilities. As such, each user has different requirements for the network, and so different permissions for using resources to achieve these objectives. No enterprise can function without its users, and these users cannot function without clearly defined tasks or roles within the enterprise. HOB RD VPN not only gives you a means to manage all of these items, but also allows you to administer the elements of your network to better suit your users.

Figure 5: HOB RD VPN User Control

A modern enterprise network is made up of multiple servers, numerous workstations, and innumerable other hardware and software devices. The administration of all of these entities is a priority of any enterprise wishing to maximize efficiency. These resources, as well as the users, are administered together as domains.

2.4 HOB RD VPN Domains

A domain is the main organizational unit of your system. All of your users and the machines and resources that they use are members of domains. The users and machines in your system can be organized into domains according to the needs of your enterprise, and your enterprise can have multiple domains depending on what you want from your data and what you want to achieve with that data.

Multiple client organizations (or tenants) are served by a single instance of the HOB RD VPN software, in a form of software architecture that is referred to as Multi-Tenancy. In HOB RD VPN multiple users share the same application, running on the same operating system, on the same hardware, with the same data-storage mechanism. The distinction between the users is achieved during application design, so users of one domain cannot share or see data from another domain, as each domain works with a customized virtual application instance. HOB RD VPN introduces a multi-tenant capability: each domain in HOB RD VPN stands for an independent tenant.

Each HOB RD VPN domain consists of two elements:

Authentication Service
The authentication service defines the backend which is used to authenticate the users of a specific domain. The Authentication Service can use Kerberos, the integrated directory service, an external (LDAP-compliant) directory service or RADIUS servers.

Configuration Storage
The configuration storage is used to store the configuration information of the domain users. The configuration storage can use the integrated directory service or an external (LDAP-compliant) directory service. If an external directory service is used to store the HOB RD VPN configuration you need to add the HOB Scheme Extension to the service.

This table shows the possible combinations for authentication service and configuration storage:

Authentication Service        Configuration Storage            Note
Integrated Directory Service  Integrated Directory Service     Default after installation
Kerberos                      Integrated Directory Service
Kerberos                      External directory service       HOB scheme extension required
External directory service    Integrated Directory Service
External directory service    Same external directory service  HOB scheme extension required
RADIUS                        Integrated Directory Service
RADIUS                        External directory service       HOB scheme extension required

Table 1: Possible Authentication Service and Configuration Storage Combinations

If an external authentication service is used while the integrated directory service is used as the configuration store, there is no user rights management. This means that a user with the rights to configure sessions can also configure the sessions of the other users of the same domain.

2.4.1 Integrated Directory Services

HOB RD VPN is delivered with an integrated directory service that is fully LDAP compliant. HOB RD VPN uses this directory service by default to organize and internally store all of the settings and configurations for the users and machines that are currently registered in your network (this is done in the dc=internal,dc=root tree). The integrated directory service can also be used as the authentication service and configuration storage (see Chapter 3 Deployment Scenarios for more information).

Immediately after installation the integrated directory service is used as the authentication service and configuration storage for the users created during installation. Therefore a domain is automatically created on installation where these users are stored; this is the domain dc=hobsoft,dc=root. The Global Administrator can add additional domains to the integrated directory service (e.g. dc=example,dc=root) or use the integrated directory service only as authentication service or configuration storage. If it is used as configuration storage the domain part is automatically created.

An auto-create feature can also be used, where every successfully authenticated user is automatically created in the domain tree of the integrated directory server. This is also true for the groups that belong to the user, even when an external LDAP server is being used as the authentication service.

This component handles all of the central user management and integrates the HOB software into your existing enterprise infrastructure. This dedicated directory service object management server is included as a constituent part of HOB RD VPN to make the management and administration of access rights and permissions of workstations and users much simpler.

2.4.2 HOB Directory Services Scheme Extension

Storing HOB-specific data with an element requires certain HOB object classes to be available for certain LDAP elements. The directory services scheme defines the attributes and classes used in your directory services. The existing set of classes and attributes provided by HOB is sufficient for most applications. However, the scheme is extensible, which means that you can define new classes and attributes. See Chapter 38 HOB LDAP Scheme Extensions for more information on this topic.

2.5 Multi-Tenancy

HOB RD VPN can be configured to use multiple domains, so it is possible to use one HOB RD VPN installation to successfully authenticate users from different domains. Because of this HOB RD VPN introduces a multi-tenant capability, where each domain in HOB RD VPN stands for an independent tenant. It is possible to completely separate these domains so that every domain uses different configurations (e.g. domain 1 can only access resources assigned to domain 1, domain 2 can only access resources assigned to domain 2, and for users of either domain it is not possible to access resources assigned to the other domain). If required, configurations can also be shared between domains (so that different domains may be assigned access to the same target system).

There are many different reasons for using the multi-tenancy feature besides connecting different companies. Multi-tenancy is also used to support different departments within a company, or to allow customers or suppliers access to special services without needing to add them to the integrated user directory service.

Multi-tenancy refers to a single instance of the software running on a server while serving multiple client organizations (tenants). Multi-tenancy is not the same as a multi-instance architecture, where separate software instances (or hardware systems) are set up for different client organizations. With a multi-tenant architecture, a software application such as HOB RD VPN virtually partitions its data and configuration, so that each client organization (or domain) can work with a customized virtual application instance. Multi-tenancy is also regarded as one of the essential attributes of Cloud Computing.

2.6 Roles

A role is the set of tasks each user and each hardware or software item is assigned to do. As with a domain, users have different roles within the enterprise. The logon determines the roles to which each user is assigned, within that domain. There are requirements for each role that must be fulfilled in order to be authenticated for the role (not just entering a username and password). These requirements might be the selected domain, user name, group membership or a positive compliance check, and so on.
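The role requirements just described, together with the priority rule (1 to 100, highest assignable role wins, fall through on a failed compliance check) that is explained under Role Priority later in this section, as an added example in Python. This is not HOB code: the role names, group names, portlet names and the compliance-check flag are constructed for illustration, and a user who satisfies no role is refused rather than given a default.

```python
"""Role assignment with priorities and per-role requirements.

Added example (not HOB code). Models the rule that a user may carry several
roles, each with a priority 1-100, and that at logon the highest-priority
role whose requirements are all met is the one assigned. Role names, group
names, portlet names and the compliance-check result are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class LogonContext:
    """What is known about a user at logon time (constructed attributes)."""
    domain: str
    user: str
    groups: frozenset
    compliance_ok: bool


# A requirement is a predicate over the logon context.
Requirement = Callable[[LogonContext], bool]


@dataclass(frozen=True)
class Role:
    name: str
    priority: int                      # 1..100, 100 is the highest
    requirements: tuple = ()           # all must hold
    portlets: frozenset = frozenset()  # what the role may access

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"priority out of range for {self.name}")

    def is_satisfied(self, ctx: LogonContext) -> bool:
        return all(req(ctx) for req in self.requirements)


def in_domain(name: str) -> Requirement:
    return lambda ctx: ctx.domain == name


def member_of(group: str) -> Requirement:
    return lambda ctx: group in ctx.groups


def compliance_passed() -> Requirement:
    return lambda ctx: ctx.compliance_ok


def assign_role(roles, ctx: LogonContext) -> Optional[Role]:
    """Return the highest-priority role whose requirements the user meets.

    Candidates are tried from priority 100 downwards; the first one that is
    fully satisfied wins. None means no role applies, and the caller should
    refuse the logon instead of falling back to a permissive default.
    """
    for role in sorted(roles, key=lambda r: r.priority, reverse=True):
        if role.is_satisfied(ctx):
            return role
    return None


# Constructed role set for a domain called "hobsoft".
ROLES = (
    Role("full-access", 90,
         (in_domain("hobsoft"), member_of("staff"), compliance_passed()),
         frozenset({"JWT", "J-Term", "WebFileAccess", "PPPTunnel"})),
    Role("restricted", 50,
         (in_domain("hobsoft"), member_of("staff")),
         frozenset({"JWT"})),
    Role("guest", 10,
         (in_domain("partners"),),
         frozenset({"WebServerGate"})),
)


if __name__ == "__main__":
    ok = LogonContext("hobsoft", "alice", frozenset({"staff"}), True)
    bad = LogonContext("hobsoft", "alice", frozenset({"staff"}), False)
    print(assign_role(ROLES, ok).name)   # full-access
    print(assign_role(ROLES, bad).name)  # restricted: compliance check failed
```

The point of the fall-through is visible in the second case: the same user, with the same group membership, loses the PPP Tunnel and file-access portlets as soon as the compliance check fails, because the 90-priority role is skipped and the 50-priority role is the best that still matches. Make sure the lowest-priority role you define is still one you are happy to hand to an otherwise authenticated user with a non-compliant client.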
Once authenticated for the role, having therefore fulfilled the requirements, the user is authorized to carry out certain pre-assigned functions using the resources within the system. Features that can be assigned to the roles include:

- List of portlets that each user can access
- Access to a list of servers, referred to as the server list, that each user can access
- Selection of a target filter
- Session timing limits before an automatic log out
- GUI scheme display, background color, title banner, etc.
- Other settings such as browser caching, etc.

Each user has a role, and specified under this role are their permissions and capabilities within the system. These can be configured through the User Roles configuration dialog (part of the HOB WebSecureProxy configuration) shown here:

Figure 6: HOB WSP Administration User Roles – Normal User

In the main menu bar at the top of this screen you have the following menu options:

File – this menu item contains the following commands:

Save
Click to save the current settings to the configuration storage. Changes are automatically replicated to all cluster members without a restart being required. However, it may take some minutes before the new configuration becomes active. View the WSP log for information on when the configuration has been reloaded.

Import
Click to import a configuration file in XML format from your file system into this configuration storage. You would normally do this to reload a backup of the configuration file.

Export
Click to determine where HOB RD VPN is to store the current configuration, as an XML file, and assign a specific name to it. This is normally done to back up the current configuration for safety reasons.

Exit
Click to shut down this interface, without saving any changes that you have made here.

If there is a need to change the configuration manually, you need to take extreme care with any changes that are made, as an error in the configuration could result in HOB RD VPN not starting at all. Make changes manually only with the assistance of HOB software support.

Info – this menu item contains the following command:

About
Click this to display a popup containing the name and current version number of the software release you are using.

For more information on the information and fields shown on this screen, please see Chapter 8 Roles and Users.

Role Priority

Users can have several roles assigned to them. Roles are prioritized (from 1 to 100, with 100 having the highest priority) so that when a user logs in, HOB RD VPN tries to assign the highest-priority role to the user. If it cannot assign the role with the highest priority to the user (for example because of a failed compliance check), then it moves to the role with the next highest priority.

2.7 Global Administrator vs. Domain Administrator

A clear distinction must be made between the administrator of the complete system where HOB RD VPN is installed (this is the global administrator) and an administrator who has rights to administer only one domain (the domain administrator).

2.7.1 Global Administrator

During installation you have to create a global administrator. This global administrator has full access rights to the whole HOB RD VPN installation. After installation additional global administrators can be added. Global administrators are the only users that can administer and configure HOB RD VPN itself.
After installation:

- Global administrators are the only users that can log on to the global administration interface. The Global Administration interface is accessed through a browser by entering https://rdvpn.example.com:10000 in the address field.
- Global administrators can configure all resources and users in the complete system (dc=internal,dc=root) as well as users in the default domain (dc=hobsoft,dc=root).
- Global administrators cannot log on to the HOB RD VPN User Portal.

2.7.2 Domain Administrator

A domain administrator cannot set the configuration of the HOB RD VPN installation. The domain administrator can configure user settings within their own domain. If you are using the tenant functionality the global administrator can delegate the user configuration to the domain administrators within the domains.

After installation:

- Domain administrators can configure users in the default domain (dc=hobsoft,dc=root).
- Domain administrators can log on to the HOB RD VPN portal and access the administration portlet, referred to as User Configuration on the HOB RD VPN Navigation screen.
- Domain administrators cannot log on to the global administration interface.

2.8 HOB WebSecureProxy

The HOB WebSecureProxy (HOB WSP) is the integrated server component of HOB RD VPN. It is the central collection point for queries coming over the Internet from clients such as HOBLink J-Term or HOBLink JWT, and is installed as part of the HOB RD VPN installation process. The HOB WSP is located in the DMZ to protect your servers effectively from direct access over the Internet and to forward the queries to the target server.

Authentication is performed over a browser with an SSL / HTTPS connection to the HOB WSP. This means that the authentication process itself is encrypted. HOB WSP also has an integrated OCSP (Online Certificate Status Protocol) interface, enabling client SSL certificates to be checked for validity (revocation status).

The HOB WSP ensures that access is secured taking the following criteria into account:

- Confidentiality – the data cannot be read by anyone who is unauthorized
- Integrity – the data cannot be manipulated by anyone who is unauthorized
- Authenticity – before any exchange of data, each participant in the exchange must prove their identity during logon

All communication between the HOB WSP and the client is SSL encrypted, while internally the HOB WSP communicates with the server side without encryption. The network path between the HOB WSP in the DMZ and the target servers must therefore be protected by other means, for example by firewall rules that restrict which internal hosts and ports the HOB WSP can reach. Data traffic takes place over the configurable port 443, which is enabled by default in most firewalls. A connection to the HOB WSP automatically redirects port 80 to port 443 (these are the default ports; other ports may be chosen if you wish).

Where your system consists of multiple HOB WSP servers in a cluster, these can be added to and removed from the cluster according to your needs. All internal data is distributed across the cluster with load balancing, so that when a client logs on to any HOB WSP in the network, they are automatically registered with all HOB WSPs in the network, and none is overloaded.

The HOB WebSecureProxy should be installed on a separate machine that does not allow direct access for unprivileged users and that does not host any production-relevant services such as database servers or other web servers (in addition to the integrated server components of the HOB WSP). Logical access to this machine is restricted to authorized administrators.

2.9 HOB RD VPN Computer Cluster

A computer cluster is a group of linked computers, working together closely to effectively form a single server. In HOB RD VPN, the cluster members (commonly called nodes) are connected to each other through your local area network, and generally have higher performance and availability than a single computer.

Advantages of the HOB RD VPN Computer Cluster

The following are some of the advantages that accrue through the employment of a computer cluster:

- All nodes are members with equal status, so a cluster is reliable because there are no state switches (active/passive, master/slave)
- No additional hardware is required
- A cluster is easy to deploy; only the DNS records and HOB RD VPN require configuration
- A geo-cluster is possible, where the linked computers need not be in the same geographical location
- Very fail-safe
- Easy to add and remove cluster members
- Very efficient load balancing
- Small overhead for synchronization
- Uses high availability mechanisms that are integrated in the browser itself

You can set up a high availability cluster within your network to improve the availability of the services that the cluster provides. This operates by having redundant nodes on standby to provide the service if other system components fail. The most common size for a high availability cluster is two nodes, as this is the minimum node requirement to provide redundancy.

Load balancing is the distribution of the computer workload over selected computers in your cluster that are configured to function as a single virtual computer. Requests from the user are managed and distributed among all of the computers within the cluster. This allows you to balance your computational work among different machines, thus improving the performance of the cluster systems. With HOB RD VPN the advantages obtained from clustering are gained by implementing several servers to act together as the HOB WebSecureProxy, avoiding the problem of having a single point of failure for the central component.

3 Deployment Scenarios

HOB RD VPN is designed to be installed in the DMZ (De-Militarized Zone, the area between the Internet firewall and the firewall protecting your internal network). It can also be deployed in a number of different configurations to take account of differing infrastructures. The most common deployments are described here.

3.1 Default Deployment Configuration

HOB RD VPN has a default deployment that is described in the illustration below:

Figure 1: Default Deployment Configuration Scenario

Clients connect over the Internet to HOB RD VPN using a secure SSL-encrypted connection (typically a browser-based HTTPS connection), with HOB RD VPN acting as a gateway for this connection. Once this (external) connection has been established, one or more internal connections are also created. This then gives the client the possibility to reach their configured targets (for example Windows Remote Desktop Services or HOB Web File Access).

You must deploy a server inside the DMZ where HOB RD VPN can be installed. Additionally you need to have two ports configured for communication with a client machine, which can be located outside your network. One port is used for the connections from the clients over the Internet, also referred to as the user portal, and is by default port number 443. This port is used as standard for all HTTPS connections. The second port is used for the administration interface and to manage the connections between the machines in your computer cluster; this is by default port number 10000, which also only accepts SSL connections. This server cannot have any other services listening on the network ports 389, 4444, 8080 and 8989; please see Section 4.2 Prerequisites for Installation – Single Node and Cluster for more information on this topic.
For the default scenario illustrated above you need to allow connections on port 443 from the Internet to the server where HOB RD VPN is installed. You also need to allow connections from the HOB RD VPN server to the targets inside your private network.

3.2 Cluster Deployment Configuration

A cluster consists of a collection of interconnected computers used to create a common resource pool of servers for the computing needs of your enterprise. To set up a cluster, install more than one HOB RD VPN server in the DMZ between the Internet and the internal network. The HOB RD VPN Cluster feature supports both High Availability (HA) and Load Balancing.

Figure 2: Example Cluster Deployment Configuration Scenario

For this deployment you will need two official IP addresses for each cluster member or node:

- An address for the initial connection to other machines within the cluster (the primary connection). This interface is also used for load balancing between the HOB RD VPN cluster members.
- An address for the user portal (the secondary connection). This is the address that the users will work with after the initial connection.

The external DNS server must also be configured according to this scenario.

Example of IP address assignments:

Cluster Node    Cluster DNS Name    Cluster IP Address  Cluster Node DNS Name  User Portal IP Address
cluster node 1  rdvpn.example.com   1.1.10.1            rdvpn1.example.com     1.1.10.2
cluster node 2  rdvpn.example.com   1.1.20.1            rdvpn2.example.com     1.1.20.2
cluster node 3  rdvpn.example.com   1.1.30.1            rdvpn3.example.com     1.1.30.2

Table 1: Example Cluster Deployment IP Address Configuration

For best practice, at least three network interfaces should be configured: a user portal, a cluster connection and a synchronization connection.
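A model of the DNS-based connection and failover sequence that this section (and the numbered process steps that follow) describes, as an added example in Python; it is not HOB code. The names and addresses are those of Table 1 above; which cluster addresses actually answer is a constructed input so the failover path can be exercised offline.

```python
"""DNS-based cluster connection and failover for the example cluster.

Added example (not HOB code). The DNS data matches Table 1 of this section.
Which nodes are reachable is passed in, so the failover order can be shown
without a network.
"""
from dataclasses import dataclass
from typing import Iterable

# External DNS as in the example: the cluster name resolves to the cluster
# IP of every node; each node also has its own user-portal name and IP.
CLUSTER_NAME = "rdvpn.example.com"
DNS_A = {
    "rdvpn.example.com": ["1.1.10.1", "1.1.20.1", "1.1.30.1"],
    "rdvpn1.example.com": ["1.1.10.2"],
    "rdvpn2.example.com": ["1.1.20.2"],
    "rdvpn3.example.com": ["1.1.30.2"],
}

# The user-portal name each cluster IP redirects to (one per node).
PORTAL_FOR_CLUSTER_IP = {
    "1.1.10.1": "rdvpn1.example.com",
    "1.1.20.1": "rdvpn2.example.com",
    "1.1.30.1": "rdvpn3.example.com",
}


@dataclass(frozen=True)
class ConnectResult:
    cluster_ip: str      # the cluster address that answered
    portal_name: str     # where the node redirected the client
    portal_ip: str       # the address used for all following requests
    attempts: tuple      # cluster IPs tried, in order


class ClusterUnavailable(Exception):
    """Raised only when no cluster address answers at all."""


def resolve(name: str, rotation: int = 0) -> list:
    """Return the A records for name; rotation mimics DNS round robin."""
    records = DNS_A[name]
    k = rotation % len(records)
    return records[k:] + records[:k]


def connect(reachable: Iterable[str], rotation: int = 0) -> ConnectResult:
    """Walk the cluster addresses in the order DNS returned them until one
    node answers, then follow that node's redirect to its user-portal
    address. Raises ClusterUnavailable if no node answers."""
    reachable = set(reachable)
    tried = []
    for ip in resolve(CLUSTER_NAME, rotation):
        tried.append(ip)
        if ip not in reachable:
            continue                      # node down: try the next address
        portal = PORTAL_FOR_CLUSTER_IP[ip]
        portal_ip = resolve(portal)[0]
        return ConnectResult(ip, portal, portal_ip, tuple(tried))
    raise ClusterUnavailable(f"no node of {CLUSTER_NAME} answered: {tried}")


if __name__ == "__main__":
    # Node 1 down, nodes 2 and 3 up: the client ends up on rdvpn2.example.com.
    print(connect(reachable={"1.1.20.1", "1.1.30.1"}))
```

Two things the run makes concrete. The cluster name is only used for the first hop; after the redirect every request goes to the node's own user-portal name, so each rdvpnN.example.com must be resolvable from the Internet and reachable on port 443 through the outer firewall, exactly as the section says for rdvpn1.example.com. And because DNS round robin rotates the record order, a client with all nodes up may land on any node, which is the load balancing the section refers to.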
An administration connection can also be created (this administration connection may also be published in the internet, if necessary, but only if it abides by the security conventions of your company). For the synchronization of the data, either of the two IP addresses of each node or another address that you set aside for this purpose can be used to synchronize the state of the HOB RD VPN nodes to each other. Following the example cluster deployment above, the cluster uses the URL rdvpn.example.com as its location, and this URL points to the three cluster member IP addresses 1.1.10.1, 1.1.20.1 and 1.1.30.1. Figure 3: Example Cluster Deployment Configuration Scenario In Figure 3 it can be seen how the components of a cluster interact with one another (three cluster components are shown for clarity). The user wishes to access the Security Solutions by HOB 35 Deployment Scenarios HOB RD VPN computer cluster over the internet using the address rdvpn.example.com. This address connects to the servers present in the cluster, rdvpn1.example.com, rdvpn2.example.com and rdvpn3.example.com, all of which are located in the DMZ. The computer rdvpn1.example.com can be accessed through the cluster and also directly over the user portal from the internet using rdvpn1.example.com as the address. There must also be a direct connection between each member of the cluster for synchronization purposes. This connection can use either the IP address of the cluster members or an IP address set aside for this purpose. The following table shows this external example DNS configuration: DNS Entry IP Address Entry rdvpn.example.com 1.1.10.1, 1.1.20.1, 1.1.30.1 rdvpn1.example.com 1.1.10.2 rdvpn2.example.com 1.1.20.2 rdvpn3.example.com 1.1.30.2 Table 2: Example Cluster Deployment IP Address Configuration The process is as follows: 1. The client connects to e.g. rdvpn.example.com and receives a configured IP address for each node in the cluster. 
The client receives these configured IP addresses (e.g. 1.1.10.1, 1.1.20.1, 1.1.30.1) in a specific order as set by the DNS server, generally on a round robin basis.
2. HOB RD VPN now connects the client to the first of these IP addresses. If this system is unavailable, then the second IP address is tried, and so on until a connection is made. Only in the exceptional circumstance of no IP address being available, or no response being obtained, will the connection fail.
3. When a connection is successful, the HOB RD VPN cluster node redirects this client to the second IP address of that node. Using as an example the entries in Table 1 above, if the first cluster node is unavailable but the second responds, then the connection is made from rdvpn.example.com with an IP of 1.1.20.1, which then redirects to rdvpn2.example.com with an IP of 1.1.20.2, where the work is done.
4. This is the IP address that the client can now use for all following requests.

The format of the names used for the cluster is optional, depending on the requirements of the system in use. For example, according to the conventions of your company, cluster1.example.com could point to cl1.hobrdvpn.example.com, member1.example.com or another.hobrdvpn.example.com.

4 HOB RD VPN Installation

This section outlines the requirements necessary before HOB RD VPN blue edition can be installed, and also the installation process itself.

4.1 System Requirements for Installation

HOB RD VPN blue edition is available for the following platforms:

- Microsoft Windows (x86, EM64T)
- Linux (x86, EM64T)

It is the responsibility of the server administrator to ensure that the operating system in use is adequately configured and updated with the latest patches and releases for the most efficient operation, and to minimize the risks from exploitation or attacks from external sources.
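The cluster connection sequence of Section 3.2 (round-robin DNS answer, try each cluster address in turn, redirect to that node's user portal address), worked through as an added example that is not part of HOB's software. It uses the constructed addresses from Tables 1 and 2; the DNS answer order and node availability are injected so the logic runs offline, and a small consistency check verifies that each node's portal name resolves to its portal address.

```python
"""Simulation of the HOB RD VPN cluster connection steps 1-4 (Section 3.2).

Added example, not HOB code. CLUSTER_NODES and DNS_ZONE are the constructed
example values of Tables 1 and 2 from the guide, not real addresses.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Table 1: cluster (primary) IP -> (node DNS name, user portal IP).
CLUSTER_NODES: Dict[str, Tuple[str, str]] = {
    "1.1.10.1": ("rdvpn1.example.com", "1.1.10.2"),
    "1.1.20.1": ("rdvpn2.example.com", "1.1.20.2"),
    "1.1.30.1": ("rdvpn3.example.com", "1.1.30.2"),
}

# Table 2: the external DNS zone, name -> A records.
DNS_ZONE: Dict[str, List[str]] = {
    "rdvpn.example.com": ["1.1.10.1", "1.1.20.1", "1.1.30.1"],
    "rdvpn1.example.com": ["1.1.10.2"],
    "rdvpn2.example.com": ["1.1.20.2"],
    "rdvpn3.example.com": ["1.1.30.2"],
}

CLUSTER_NAME = "rdvpn.example.com"


@dataclass
class ConnectResult:
    tried: List[str]            # cluster IPs contacted, in order
    cluster_ip: Optional[str]   # the cluster IP that answered, or None
    portal_name: Optional[str]  # node name the client is redirected to
    portal_ip: Optional[str]    # address used for all following requests


def round_robin(records: List[str], offset: int) -> List[str]:
    """Rotate the A records the way a round-robin DNS server hands them out."""
    n = len(records)
    return [records[(offset + i) % n] for i in range(n)]


def connect(cluster_name: str, is_up: Callable[[str], bool],
            dns_offset: int = 0, zone: Dict[str, List[str]] = DNS_ZONE,
            nodes: Dict[str, Tuple[str, str]] = CLUSTER_NODES) -> ConnectResult:
    """Steps 1-4: resolve, try each cluster IP in order, follow the redirect.

    is_up(ip) stands in for the real connection attempt to a cluster address.
    """
    answers = round_robin(zone[cluster_name], dns_offset)   # step 1
    tried: List[str] = []
    for ip in answers:                                      # step 2
        tried.append(ip)
        if is_up(ip):
            portal_name, portal_ip = nodes[ip]              # step 3: redirect
            return ConnectResult(tried, ip, portal_name, portal_ip)  # step 4
    # Only when no cluster address answers does the connection fail.
    return ConnectResult(tried, None, None, None)


def check_dns_consistency(zone: Dict[str, List[str]] = DNS_ZONE,
                          nodes: Dict[str, Tuple[str, str]] = CLUSTER_NODES,
                          cluster_name: str = CLUSTER_NAME) -> List[str]:
    """Report mismatches between the cluster table and the external DNS zone."""
    problems: List[str] = []
    cluster_records = set(zone.get(cluster_name, []))
    for cluster_ip, (name, portal_ip) in nodes.items():
        if cluster_ip not in cluster_records:
            problems.append(f"{cluster_ip} is not an A record of {cluster_name}")
        if zone.get(name) != [portal_ip]:
            problems.append(f"{name} should resolve only to {portal_ip}")
        if cluster_ip == portal_ip:
            problems.append(f"{name}: cluster and portal address must differ")
    return problems


if __name__ == "__main__":
    # Node 1 down, as in the worked example of step 3.
    print(connect(CLUSTER_NAME, lambda ip: ip != "1.1.10.1"))
    print("DNS problems:", check_dns_consistency())
```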
4.1.1 Installation on the Server Side

Under Windows:

To correctly install HOB RD VPN on a Windows system, the following are required:

- An Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing speed
- At least 512 MB of available RAM
- Up to 800 MB of non-volatile hard disk storage space (this value is for a typical installation and depends on the operating system in use)

Under Linux:

To correctly install HOB RD VPN on a Linux system, the following are required:

For the HOB WebSecureProxy (gateway):

- An Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing speed
- 1 GB of RAM available
- 450 – 800 MB of non-volatile storage space

Required software:

- SuSE Linux Enterprise Server 11 on Intel EM64T – required for the HOB WSP

The Web Secure Proxy is not Java software and therefore does not require a JVM.

You must ensure that all access to sensitive files or security critical data is monitored or prohibited at all times to maintain the security levels assured by Common Criteria. A Common Criteria conformant server installation requires the Linux operating system installed with SLES 11 Patch Level 2 and Kernel 3.x.x, and the processes rngd or haveged must be deactivated. Also, logging must be activated and the logfiles must be saved in the logfiles directory, see Section 30.8 Achieving Trustworthy Encryption on page 389.

4.1.2 Requirements on the Client Side

HOB RD VPN blue edition is designed to be used with different client operating systems that have a Java 1.6 or newer enabled browser (it is possible to use Java 1.5 but this is not recommended). This is the ONLY software requirement on the client side under Windows, Linux or Mac. In a Common Criteria evaluated environment you must ensure that the browser on the client machine to be used can support TLS protocol 1.1 and/or 1.2. These are the only protocols that can be used.
4.2 Prerequisites for Installation – Single Node and Cluster

The following prerequisites are required to install HOB RD VPN blue edition on your network system:

4.2.1 Preparing the Base Operating System

- The operating system must have the latest available security patches applied.
- The internal/external firewalls must be properly configured.
- The DNS system must also be configured for HOB RD VPN.

As HOB RD VPN needs certain ports to be open for communication with the connecting clients, you must ensure that these are not currently also in use on the target operating system. For a server installation that conforms to Common Criteria server requirements, all other ports are kept closed.

The following table lists the internal ports that must be configured for inter-process communication between the components of HOB RD VPN.

Port    Environment   Function                                    Note
10000   Network       Administration access to Intranet           Connection to the administration portal. The port is configurable during installation.
443     Internet      User Portal                                 Clients from the Internet connect to this port. The port is configurable during installation.
80      Internet      HTTP Redirector                             If clients from the Internet connect to this port, they will be redirected to the secure Internet access port, and SSL will be used.
4444    Network       Synchronization with integrated database    Synchronization with the integrated directory service. Required for cluster installations.
8989    Network       Synchronization with integrated database    Synchronization with the integrated directory service. Required for cluster installations.
389     Internal      Integrated directory service                This port allows communication with the integrated directory service over TCP.
8080    Internal      Web File Access                             Inter-process communication for Web File Access.

Table 1: External and Internal Port Configuration

Ports labelled as Network are accessible over the company network.
Ports labelled as Internet are accessible from the company network and should be opened in the firewall for access from the Internet. Ports labelled as Internal are accessible only from within the HOB RD VPN server network. For cluster installations, the Integrated Directory Service must run on the default port 389 for ALL cluster members.

4.3 Starting the HOB RD VPN Installer – Single Node and Cluster

The installation of HOB RD VPN is a very straightforward process that has been designed to be as simple as possible. The same installation process is followed for both Microsoft Windows and Linux; where there are any differences in the installation process depending on the operating system, these are specified at the relevant steps.

It is possible to install:

- A standalone deployment of HOB RD VPN (single installation) or the first node of a Cluster Installation, or
- An additional cluster member installation. If this is your desired deployment installation, please see 4.5 HOB RD VPN Installation – New Cluster Member.

1. If installing from a CD/DVD, insert the HOB RD VPN DVD into the DVD-ROM drive. The HOB RD VPN start page opens in the browser. If the DVD start image does not automatically appear, then open the file start.htm (under both Windows and Linux operating systems) in the root directory of the DVD. Click Download Installer for your operating system.
2. Start the installer and follow the instructions onscreen.

Only a system administrator or a user with full administrative rights on this computer can install this product. The first steps of the installation are the same regardless of whether you are installing a single instance of HOB RD VPN or installing a cluster deployment.
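Before starting the installer, the port prerequisite from Section 4.2.1 (none of the listed ports may already be in use on the target system) can be checked with a small script. This is an added example, not part of the HOB installer: it tries to bind each port from the port table, reports conflicts, treats a permission error on the low ports (80, 389, 443) as "unverified" rather than as a conflict, and lists the ports labelled Internet that belong in the external firewall rule; the probe function is injectable so the reporting logic can be tested without real sockets.

```python
"""Pre-installation port check for the HOB RD VPN port table (Section 4.2.1).

Added example, not part of the HOB installer. Run it on the machine where
HOB RD VPN is to be installed; on Linux, run it as root so that the ports
below 1024 can be probed too.
"""
import errno
import socket
from typing import Callable, Dict, List, Tuple

# The port table from Section 4.2.1: port -> (environment, function).
RDVPN_PORTS: Dict[int, Tuple[str, str]] = {
    10000: ("Network", "Administration access to Intranet"),
    443: ("Internet", "User Portal"),
    80: ("Internet", "HTTP Redirector"),
    4444: ("Network", "Synchronization with integrated database"),
    8989: ("Network", "Synchronization with integrated database"),
    389: ("Internal", "Integrated directory service"),
    8080: ("Internal", "Web File Access"),
}

FREE, IN_USE, NO_PERMISSION = "free", "in_use", "no_permission"


def probe_port(port: int, host: str = "0.0.0.0") -> str:
    """Try to bind a TCP listener to the port and classify the outcome.

    SO_REUSEADDR is deliberately not set: on Windows it would allow the bind
    even though another process is already listening, hiding the conflict.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except PermissionError:
            return NO_PERMISSION      # privileged port, not running as root
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return IN_USE
            raise
    return FREE


def check_ports(ports: Dict[int, Tuple[str, str]] = RDVPN_PORTS,
                probe: Callable[[int], str] = probe_port) -> List[Dict]:
    """Probe every port in the table and return one report entry per port."""
    report = []
    for port in sorted(ports):
        environment, function = ports[port]
        report.append({"port": port, "environment": environment,
                       "function": function, "state": probe(port)})
    return report


def conflicts(report: List[Dict]) -> List[int]:
    """Ports the installer's availability check would find occupied."""
    return [e["port"] for e in report if e["state"] == IN_USE]


def unverified(report: List[Dict]) -> List[int]:
    """Ports that could not be probed; re-run as administrator/root."""
    return [e["port"] for e in report if e["state"] == NO_PERMISSION]


def internet_facing(ports: Dict[int, Tuple[str, str]] = RDVPN_PORTS) -> List[int]:
    """Ports labelled Internet: the only ones to open for access from the Internet."""
    return sorted(p for p, (env, _) in ports.items() if env == "Internet")


def summary(report: List[Dict]) -> str:
    """Render the report as a fixed-width table."""
    return "\n".join(
        f"{e['port']:>5}  {e['environment']:<8}  {e['state']:<13}  {e['function']}"
        for e in report)


if __name__ == "__main__":
    rep = check_ports()
    print(summary(rep))
    print("conflicts:", conflicts(rep), "unverified:", unverified(rep))
    print("open in external firewall:", internet_facing())
```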
4.4 HOB RD VPN Installation – First Node and Cluster

Once the installer is running you simply follow the instructions on each screen, then click either Next to proceed to the next screen, Previous to return to the previous screen, or Cancel to end the installation process. These buttons are standard and are found on all screens of the installation process.

Figure 1: Select Installation Directory

2. Here you determine the installation directory where HOB RD VPN is to be installed on your system. It is safe to use the default setting here, but you should install it according to the conventions of your system. By default it will be installed:
   - On a Windows system in: C:\Program Files\HOB\rdvpn
   - On a Linux system in: /opt/HOB/rdvpn
   Once this information has been entered, click Next.

Figure 2: Select TUN Driver Installation

3. On this screen you select whether to install the HOB TUN Driver. This software component is necessary for the SSL Identifier and the HOB PPP Tunnel to function. Due to the advantages brought by the HOB PPP Tunnel and by the SSL Identifier, it is strongly recommended that you install the HOB TUN Driver even though it is still in the experimental phase. For more information on this subject, please see 4.5 HOB RD VPN Installation – New Cluster Member. The HOB TUN Driver is a component that is only installed on a Windows operating system; this screen can be ignored for all non-Windows installations, as a TUN driver is already installed on Linux systems.

Figure 3: Choose Installation Type

4. If this is the installation of the first machine for the company network or for a standalone network, then on this screen select the first option, Single Installation or first node for a Cluster Installation.
If this installation is to add a second or subsequent machine to an existing cluster, then select Additional Node for a Cluster Installation. Click Next once the selection has been made.

If a standalone or single node installation is already deployed, it can be upgraded at any time to a cluster configuration. In this case, simply run the installation program again and, when this step is reached, click Additional Node for a Cluster Installation to add another node to the installation, creating a cluster. See 4.5 HOB RD VPN Installation – New Cluster Member on how to install further nodes for the cluster.

5. The HOB RD VPN installer now checks the availability of the required ports. Depending on the operating system and the settings, a warning may be received at this point in the installation from the firewall.

Figure 4: Host Name and Port Security Warning

This warning can take the following form for a Windows installation (as seen in Figure 4); warnings for other systems such as Linux appear differently, or there may be no warning at this stage.

6. Select the networks where you wish access to be allowed and click Allow access to let the installer perform these checks.

Figure 5: Enter Default Host Name and Port Numbers

7. In this screen the fully qualified hostname and port numbers of the connection that is to be used for Administration Access, and where the HOB RD VPN installation accesses the internal network, are to be specified. In this example rdvpn.example.com is used, and the port number 10000 is entered by default. The information entered here is used for administration and configuration tasks.
To continue the installation and to achieve conformity with Common Criteria standards, this field must be filled with a dummy entry (for example x.x.x) and must not contain a valid server hostname (see Chapter 30 HOB RD VPN Evaluated for Common Criteria for more information), as follows:

8. Specific port numbers for access to the internal database and for access to HOB Web File Access can also be entered here, or default port numbers may be used.
9. A green check mark appears when these details have been correctly entered. The other details on the screen are completed automatically. Click Next when this information has been entered. Keep in mind that this qualified hostname may differ from the name by which the system is accessible from the internal network.

Figure 6: Define Target System – RDP Targets

10. In the Define Target Systems dialog valid connections for RDP enabled systems can be created. These connections are created immediately after installation for the Hobsoft domain (the default domain configured by the HOB RD VPN installation) and the users created for this domain. To achieve conformity with Common Criteria standards these fields must not contain valid entries for RDP targets or legacy targets and must remain empty, see Chapter 30 HOB RD VPN Evaluated for Common Criteria for more information.

Figure 7: Define Target System – Legacy Targets

11. In the Define Target Systems - Legacy Targets dialog, connections for the legacy protocols TN 3270, TN 5250 (for both protocols an additional license must be purchased) and VT Telnet (no additional license required) can be created.

Figure 8: Global Administrator Setup

12. In Figure 8 a Global Administrator must be created. The global administrator has full administration rights for the whole HOB RD VPN installation and full access to all HOB RD VPN related tasks.
Figure 9: User Account Setup

13. In this screen you can add up to three HOB RD VPN users. These users enable you to access HOB RD VPN immediately after installation. You can choose different roles for these users from the dropdown box, whether Domain Administrator, Power User or User (you may of course assign other roles and role names according to the conventions of your company once the installation is completed). The configurations that conform to Common Criteria can contain only one entry with the role Domain Administrator or Power User. An entry with the role of User should not be entered here. Domain administrators set up at this stage of the install process have rights to administer only the default domain, which has been given the name Hobsoft by default. After installation you can add additional users to this Hobsoft domain (all global and domain administrators can do this).
14. In the next screen, Figure 10, a certificate of identification is created. This certificate is used to establish the validity of the installation on the client. The default period of validity is 1 year; to change this, select the required duration from the dropdown box. Complete the fields on this screen and click Next. New certificates, necessary if the current certificates have expired, can be created in the Certificates feature of HOB RD VPN Administration, see 6.2.9 Global Administration Screen – Certificates. To achieve conformity with Common Criteria standards these fields must be filled with dummy values. Certificates created here must not be used for a Common Criteria evaluated configuration, as this configuration requires separate certificates created through the process described in Chapter 30 HOB RD VPN Evaluated for Common Criteria.
Figure 10: Create Certificate

The installer software, when combined with the underlying tool that creates the certificate (as shown in the dialog above), has certain limitations. These limitations restrict the characters that are entered into these dialog fields to the 7-bit ASCII character set. Otherwise the data that is entered may be misinterpreted and in particular the password may be changed. This could mean that when using the HOBLink Security Manager, the password that was originally entered in the dialog above may not open the HOBLink Security Units created during this installation by the certificate tool. See 33.1 Adding Certificates and HOBLink Security Units to the HOB WSP in this document and the HOBLink Secure and HOBLink Security Manager Administration Guide for more information.

15. Once all the settings are configured, the screen (see Figure 11) summarizing the data required for the installation is shown. Shown below is the screen for a Microsoft Windows installation.

Figure 11: Installation Summary for Windows

16. If everything is in order, click Install to proceed with the HOB RD VPN installation, and the Register HOB RD VPN dialog is displayed.

Figure 12: Register HOB RD VPN

17. In the Product key field you have to enter a valid product key to register this installation of HOB RD VPN. This key can be found in the HOB Software License document that is delivered along with the product CD. Alternatively, if purchased online, it can be found in the e-mail received once payment has been confirmed.
18. If there is no key available you can choose to test the installation by clicking the Evaluation Version button. This creates a temporary license file that is valid for 30 days. The time remaining in the evaluation period is displayed each time you log in.
Once this expires, you must enter a valid product key to continue using the software.
19. Click OK to close this dialog box and finish the installation process.

Figure 13: Installation Complete

20. Once the installation is complete you can close the installer by clicking Done. To check whether the installation was successful, please read Section 4.7 Testing the Installation.

To install the individual components, and to set up the configuration of these individual components, please see their corresponding chapters in this administration guide.

4.5 HOB RD VPN Installation – New Cluster Member

To install a cluster deployment in your system you need one installation of HOB RD VPN to hold the base settings. You can use a new server installation with an empty configuration, or use a server that is already installed and an already configured system. If you are installing a new cluster installation then you must first install the base node of the cluster. See 4.4 HOB RD VPN Installation – First Node and Cluster.

Make sure that your base installation for your cluster installation and your new cluster member are configured with the required different IP addresses and ports. See Figure 1 in Section 4.2.1 Preparing the Base Operating System on page 38 and make sure that the ports marked as external are accessible for all cluster members.

If you already have a base node for your HOB RD VPN installation you can proceed with the following steps for the second and subsequent nodes.

4.5.1 Base Configuration for a Cluster

1. To set up the base configuration for a cluster, use the installed first node (where HOB RD VPN has been installed) to log on to HOB RD VPN via a browser using the following URL: https://rdvpn.example.com:10000.
2. This opens the HOB RD VPN Logon screen for HOB RD VPN blue edition, where you enter your username and password as the global administrator.
Figure 14: HOB RD VPN Logon

The HOB RD VPN Administration Portal opens once you successfully log on.

Figure 15: HOB RD VPN Administration Portal

3. Here you select the link EA Admin on the left to start the HOB RD VPN Administration configuration program and select the desired resource in the database, which in this case is the HOB RD VPN central component, the HOB WebSecureProxy. The HOB WebSecureProxy is found under the path dc=root,dc=internal,ou=servers in the organization hierarchy.
4. Select this element from the organization hierarchy on the left side, and then select the WebSecureProxy element that is displayed in the panel on the right.

Figure 16: HOB RD VPN Administration

5. Now use the arrow on the dropdown box on the right to select HOB RD VPN 2.1 > WebSecureProxy blue, and then click the Configure button, as shown above.
6. This opens the HOB WebSecureProxy Configuration screen. Select the element WSP Servers from the organization hierarchy in the panel on the left and the following screen is displayed.

Figure 17: HOB WSP Configuration - Servers

7. On this opening tab select WSP Server(1) > Main Connection to set up the connection for your users to the HOB WSP and you see the following:

Figure 18: WSP Main Connection Properties

8. In the Properties tab on this screen the User portal network interface is entered in the first field. This user portal is the connection created by the users to access HOB RD VPN; it is also referred to as the Navigation Screen. The HTTP port and HTTPS port numbers to be used for the connections must also be entered in the relevant fields on this screen. See 3.2 Cluster Deployment Configuration for more detail on the data to be entered here.
9.
Now go to WSP Server(1) and enter the required network interface information (the IP address for the network interface and the alias) in the Network Interfaces tab. Use the Add button to bring up the dialog to enter this information, and then Add & Close to add this information to the network interfaces table.

Figure 19: Network Interfaces

10. You also need to enter the network interface information for the HOB RD VPN administration access in the Administration Access tab. Keep in mind that the user portal and administration access must use different IP addresses, while the network interface could use one of these two or a third unique address.

Figure 20: Administration Access

11. Once this information has been entered, you can now start to enter the relevant domain information by selecting the links under your Main Connection.
12. To add a second node to the configuration and thereby create a cluster, you need to select WSP Servers and click Add at the bottom of the hierarchy tree. A second WSP Server object appears, with a similar tree structure to that already configured. However, the opening screen for the additional WSP server (WSP Server (2)) has a different layout, see below.

Figure 21: Additional WSP Server Configuration

When adding a second WSP server, a new element appears in the tree structure, the Primary Connection. This is the connection used for one WSP server to connect to another, and is only present when more than one WSP server is configured in the network. The Main Connection is the standard connection that handles the traffic within the network.

13. Now that the Network Interfaces have been entered, this information needs to be synchronized with the rest of the cluster objects. Select the Cluster Synchronization tab.

Figure 22: Additional WSP Server Configuration – Cluster Synchronization

14.
Here you need to enter the Network Interface for this machine, the Port through which it connects to the system (in this case 13290), and the acceptable Timeout and Timeout Receive (in milliseconds) for any connection. By default this is 1000; you may change this as desired.
15. The standard port for all HTTPS connections is 443. If you wish to configure another port for the cluster access information you may enter the new port number here.
16. The cluster synchronization steps must be performed with the same settings for all cluster members.

4.5.2 Installing Cluster Members

The network system has been configured to accept new additions to the computer cluster, so these now need to be installed. The installation of a HOB RD VPN cluster is a very straightforward process that has been designed to be as simple as possible. Follow these instructions for each server.

1. Start the HOB RD VPN installer, as shown in 4.4 HOB RD VPN Installation – First Node and Cluster. Installation up to this point is identical to that for a single node installation. From this stage of the installation process the installation is specifically for a cluster node installation only.

Figure 23: Select Installation Type

2. Select Additional node for a Cluster Installation to start the installation of a new cluster member.

Figure 24: Cluster Installation

3. Click Next to start the installation process. After installation of the new cluster node, the installer needs some additional information to enable the synchronization and to synchronize the data with the already installed cluster node.

Figure 25: Cluster Global Administrator Data

4. Here you enter the settings of the already installed cluster member. The new cluster member must be able to access this system over the network, to enable synchronization and to synchronize the data.
If more than one cluster member is already installed, you can select any of these to be the master node – this node is then used for the replication of the configuration data. Synchronization of the cluster retrieves the data of all cluster nodes and shares this with all members.
5. Enter the Hostname or the IP address of this master cluster member and enter the credentials of the global administrator. Click Next for the installation to authenticate these credentials.
6. If everything is in order, Figure 26 is displayed, where you enter and confirm your cluster connection password for the installation of a cluster member or members. This is a freely selectable password to be used for the synchronization of your whole cluster. If you already have a working cluster you must choose the password that you are already using for the cluster. Make sure you remember this password!

Figure 26: Enter Cluster Password

7. Once your password is successfully confirmed, click Next for the installer to perform the synchronization. This may take some time, depending on the size of your integrated directory service. Once this is completed the Register HOB RD VPN dialog is displayed.

Figure 27: Register HOB RD VPN

8. In the Product key field you have to enter a valid product key to register this edition of HOB RD VPN. The key can be found in the document HOB Software License delivered along with the product CD or, if purchased online, in the email received once payment has been confirmed.
9. Alternatively you can choose to test it by clicking Evaluation Version. This will create a temporary license file that will be valid for 30 days. The time remaining in the evaluation period is displayed each time you log in. Once this has expired, you must enter a valid product key to continue using the software.

The installation is now ready and you can successfully use the cluster installation.
4.6 Customizing HOB RD VPN User Pages

The HOB RD VPN user pages (the login or logout pages, for example) can be customized. Among the possible changes you can make are integrating your own logo and your own banner, or adapting the text used onscreen to that of your choice or company policy.

4.6.1 Changing the GUI Schema

The schemas for the user pages are written as .xml files and are stored in a number of different locations within the installation directory (INSTALLDIR) of HOB RD VPN. Use these schemes to set the text and design of the user pages as you wish them to be seen by your users (a standard level of experience is required to edit the formatting of these .xml files). Any new schemas created for the GUIs are to be stored in the following folder: INSTALLDIR/www/public/skins.

To change the scheme currently being used for your GUI, you need to open the HOB WebSecureProxy configuration and select the role whose display is to be changed. Now select the Privileges tab and you will see the following dialog:

Figure 28: HOB WSP – Role Settings – Properties

Select from the GUI scheme dropdown list the schema that you wish to apply to your interface, as shown in the above dialog. To add new GUI schemes to the list shown in the dropdown box in this dialog, create the scheme in .xml format and add it to: INSTALLDIR/www/public/lib/hob/rdvpn/configuration/defaults/skins.xml.

This dropdown list already contains the following default GUI schemas:

- Default – this is the default setting, where the HOB RD VPN banner is displayed.
- Maroon – here the text on the login and logout screens is displayed in a maroon font.
- Green – here the text on the login and logout screens is displayed in a green font, as shown in this screenshot:

Figure 29: HOB RD VPN Navigation Screen with Text in Green Font

- Blue – here the text on the login and logout screens is displayed in a blue font.
- No Banner – with this setting the dialog is displayed without any banner, as shown here:

Figure 30: HOB RD VPN Navigation Screen Without a Banner

Save the file and close it. Log out and log in again, and you will see that the GUI scheme has changed.

4.6.2 Replacing the Banner

The screenshot below shows the banner on the login screen in the web browser. To change this, you need to replace the banner file in HOB RD VPN with your own chosen banner file. Once you have replaced the HOB RD VPN banner with your own, this becomes the banner selected as Default.

Figure 31: HOB RD VPN Login Showing the HOB RD VPN Banner

The banner file (banner_rdvpn.jpg) is stored in the following directory: INSTALLDIR\www\public\skins\$SKINNAME$\img. Replace this file with a .jpg file of your choice (the .jpg file must have a size of 871 x 98 pixels). Save the configuration (with Default selected in the Privileges tab of the role settings, as described above) and log out from HOB RD VPN. On your next login, the banner will have changed.

4.6.3 Replacing the Text "HOB RemoteDesktop VPN" on the Login Page

To change the text appearing on the HOB RD VPN login screen (shown here without the web browser), perform the following steps:

Figure 32: HOB RD VPN Login

The text contained in the HOB RD VPN login screen (INSTALLDIR\www\public\login.hsl) and the HOB RD VPN logout screen (INSTALLDIR\www\public\logout.hsl) is generated through a reference to a resources file. To change the text, only this resource file needs changing.
The following steps are necessary to make this change (in this example the text "HOB RemoteDesktop VPN"):

1. Open the login.hsl file in Notepad (or any similar text editor) to identify the reference on the page you want to edit. In this file you can find the name of the product under <xsl:value-of select="lang/products/rdvpn"/>, and this is the reference to the text you want to edit.
2. For safety, create a backup copy of the file INSTALLDIR\wsp\plugins\web_server\res.xml.
3. Now open this file in the text editor and locate the reference lang/products/rdvpn (here lang is used for the display language, currently English or German). To change the entry in English, look for the node <en>, underneath which is the node <products>, underneath which is the node <rdvpn>. This node contains the entry HOB RemoteDesktop VPN, which you can now edit. To change the German text, locate the node <de> and then follow the same path with the nodes <products> and <rdvpn>.

To make the changes effective, you need to restart HOB RD VPN.

This method is also used to edit the HOB RD VPN navigation screen, which is located under INSTALLDIR\www\protected\welcome.hsl.

4.6.4 Replacing the Text on the Logout Page

To change the text appearing on the HOB RD VPN Logout screen (shown here), perform the following steps:

Figure 33: HOB RD VPN Logout

1. Open the logout.hsl file in a text editor and locate the reference for the text to be changed.
2. Create a backup copy of the file INSTALLDIR\wsp\plugins\web_server\res.xml.
3. Open this file in the editor and locate the reference lang/products/rdvpn. Locate the node <products>, underneath which is the node <rdvpn>. This node contains the text that you can now edit.

To make the changes effective, you need to restart HOB RD VPN.
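The res.xml edit of Sections 4.6.3 and 4.6.4 (back up the file, then change the text in the <rdvpn> node under <products> for each language node) can be scripted so that the English and German entries stay consistent. This is an added example, not an HOB tool: the structure of res.xml is known only to the extent the guide describes it, so the sample file below is constructed, its root element name <res> is an assumption, and the language nodes are searched at any depth below the root.

```python
"""Change the product name in the WSP resource file (Sections 4.6.3 / 4.6.4).

Added example, not HOB software. Assumes res.xml contains, for each display
language, the node path <LANG>/<products>/<rdvpn> as described in the guide.
SAMPLE_RES_XML is a constructed stand-in; the real file has more content.
"""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Union

PathLike = Union[str, Path]

# Constructed sample with the node path the guide describes (root name assumed).
SAMPLE_RES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<res>
  <!-- constructed sample, not the shipped res.xml -->
  <en>
    <products>
      <rdvpn>HOB RemoteDesktop VPN</rdvpn>
    </products>
  </en>
  <de>
    <products>
      <rdvpn>HOB RemoteDesktop VPN</rdvpn>
    </products>
  </de>
</res>
"""


def _parse(path: PathLike) -> ET.ElementTree:
    # Keep XML comments, which ElementTree drops by default.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.parse(str(path), parser=parser)


def read_product_name(res_path: PathLike, lang: str = "en") -> Optional[str]:
    """Return the current lang/products/rdvpn text, or None if the node is missing."""
    node = _parse(res_path).getroot().find(f".//{lang}/products/rdvpn")
    return None if node is None else node.text


def set_product_name(res_path: PathLike, new_text: str,
                     languages: Sequence[str] = ("en", "de"),
                     backup: bool = True) -> List[str]:
    """Steps 2 and 3 of Section 4.6.3: back up res.xml, then edit the node.

    All requested languages are checked before anything is written, so a
    missing node leaves the file untouched. Returns the languages changed.
    """
    path = Path(res_path)
    tree = _parse(path)
    root = tree.getroot()
    nodes = {lang: root.find(f".//{lang}/products/rdvpn") for lang in languages}
    missing = [lang for lang, node in nodes.items() if node is None]
    if missing:
        raise KeyError(f"no products/rdvpn node for language(s): {missing}")
    if backup:
        shutil.copy2(path, path.with_suffix(".xml.bak"))   # step 2
    for node in nodes.values():
        node.text = new_text                               # step 3
    tree.write(str(path), encoding="UTF-8", xml_declaration=True)
    return list(nodes)


def demo(new_text: str = "Example Corp Remote Access") -> Dict[str, object]:
    """Run the edit on a temporary copy of the sample and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        res = Path(tmp) / "res.xml"
        res.write_text(SAMPLE_RES_XML, encoding="utf-8")
        before = read_product_name(res)
        changed = set_product_name(res, new_text)
        return {
            "before": before,
            "after_en": read_product_name(res, "en"),
            "after_de": read_product_name(res, "de"),
            "backup": read_product_name(res.with_suffix(".xml.bak")),
            "changed": changed,
        }


if __name__ == "__main__":
    print(demo())
```

HOB RD VPN still has to be restarted afterwards for the change to take effect, as the guide states.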
4.7 Testing the Installation

To test whether the installation has been successful, perform the following steps:

4.7.1 Testing as a Domain Administrator or User

Once the installation is done, it can be tested by pointing the browser to the HOB RD VPN URL (in this example this is https://rdvpn.example.com). The HOB RD VPN Logon screen appears. Now log on as a domain administrator, power user or user with any valid domain username and password created during the installation. The RDP connections can also be tested with the respective link on the HOB RD VPN navigation screen.

Figure 34: HOB RD VPN Logon

If the logon is successful for any of the pre-configured roles of domain administrator, power user or user, the following HOB RD VPN navigation screen appears:

Figure 35: HOB RD VPN Navigation

This screen shows that user1 (this user name is shown above the title banner) is currently logged in as Domain Administrator, so the installation has been successful. Global Administrator logon credentials cannot be used for this test.

4.7.2 Testing as the Global Administrator

To test the administration features, point your browser to the administration interface URL created during installation. In our example this is https://rdvpn.example.com:10000. In the Logon screen that appears (see Figure 34 on page 64) enter your username and password as Global Administrator. The following screen appears:

Figure 36: HOB RD VPN Administration Access

You can now use the links on this screen to access the administration interface for testing.

4.7.3 Uninstallation

HOB RD VPN can be uninstalled via the Windows operating system uninstallation function. Click Start > Control Panel > Software > HOB RD VPN > Change/Remove and then click Uninstall.
To uninstall HOB RD VPN on a Linux operating system, go to the folder INSTALLDIR\Uninstall HOB RD VPN and execute Uninstall HOB RD VPN. After carrying out the step above, you may have to restart your system to complete the uninstallation.

5 HOB RD VPN Navigation Screen

HOB RD VPN can be accessed immediately after installation by pointing your browser to the HOB RD VPN URL (in our example this is https://rdvpn.example.com). You can also use the HTTP URL http://rdvpn.example.com, which redirects your browser to a secure https connection, https://rdvpn.example.com.

You can log on to the HOB RD VPN Navigation screen with the users you have created during installation, but not with the Global Administrator created during installation. Depending on the role that is assigned to the user when their settings are configured, different portlets (links to different functionalities) will be available to them after a successful logon.

Figure 1: HOB RD VPN Navigation Screen

Here you can see the navigation screen for the user user2 after a successful logon with the power user role (this information is shown above the banner). Depending on the user configuration set up during installation, this user can connect to RDP targets and legacy protocol targets, and use Web-based applications and Intranet services. The user can also access Microsoft Windows shares by using HOB Web File Access, and modify their User Settings.

5.1 HOB RD VPN Portlets

Portlets are essentially bookmarks to the features and applications within HOB RD VPN. They greatly speed up the access and usability of these features.
Instead of new websites being created to access these applications, portlets can be configured by the administrator or by the users themselves (for example for organization, ease of use and desired appearance). Portlets are completely configurable and customizable to suit the requirements of your company and your users.

The following table lists the possible portlets, the required HOB component for that portlet, and the functionality that the portlet provides.

Portlet | Component/Application | Functionality
User Configuration | HOB EA Administration | Perform administrative tasks
Access to Desktops and Applications | HOBLink JWT | Access Target Servers using RDP on the client side
Access to Enterprise Connectivity | HOBLink J-Term | Access Target Servers using RDP or Telnet/SSH. Access target servers using TN3270, TN5250 and other legacy protocols, if licensed
Access to Web Applications and Intranet | Web Server Gate | Allows access to any kind of web server including Outlook Web Access and Citrix Web Portal
Access to File Systems | Web File Access | Access CIFS/SMB capable shares in your network
HOBPhone | HOBPhone | Access your client machine as a VoIP phone
PPP Tunnel | HOB PPP Tunnel | Network level access to internal resources
HOB WSP Universal Client | HOB WSP Universal Client | Use third party applications to access internal systems securely
User Settings | | Modify own user settings

Table 1: Portlets in HOB RD VPN

The following table shows the portlets that are already configured according to the roles available on installation:

Portlet | Domain Administrator | Power User | User
User Configuration | X | |
Access to Desktops and Applications with HOBLink JWT | X | X | X
Access to Desktops and Applications with HOBLink J-Term | X | X | X
Access to Web Applications | X | X | X
Access to File Systems | X | X |
User Settings | X | X |
HOBPhone | X | |
HOB PPP Tunnel | X | |
HOB WSP Universal Client | X | |

Table 2: Portlet Assignments

It is up to the domain administrator (who is assigned all
portlets by default) to decide which portlets are assigned to the other users depending on their role, in accordance with the conventions of the company.

5.2 User Settings

This portlet allows domain administrators and users to personalize the look and feel of the navigation screen. There are three sets of links here:

User Settings – here you can expand or collapse the required portlet, and arrange the portlets as desired.
Cookies – here you can save and organize any cookies.
Change password – here you or your users can change their access password.

5.2.1 User Settings – Web Server Gate Bookmarks

Here you can set any bookmarks that you want to appear on the navigation screen.

Figure 2: HOB User Settings – Web Server Gate Bookmarks

1. Enter a Name and a URL for each bookmark you wish to add to the navigation screen.
2. Use the green Plus symbol to add new bookmarks (or the red X symbol to delete them), and the Up and Down arrows to adjust the order in which they are displayed on the HOB RD VPN Navigation screen, see Figure 1.
3. Click Save All to save your changes when you are satisfied with your bookmarks, or Cancel to discard any changes.

5.2.2 User Settings – Desktop-on-Demand

Here you can set the connection data for the Desktop-on-Demand feature.

Figure 3: HOB User Settings – Desktop-on-Demand

Use the green Plus symbol to add new Desktop-on-Demand data (or the red X symbol to delete them), and the Up and Down arrows to adjust the order in which they are displayed on the navigation screen. You can enter the following data here:

Workstation – enter the name of the workstation you wish to be able to connect to.
IP Address – enter the IP address of the workstation to be accessed.
Port – enter the port number where the workstation listens for RDP connections. This is port number 3389 by default.
MAC Address – enter the MAC address of the workstation to be woken, if you need to use the Wake-on-LAN functionality.
Timeout – enter the amount of time in seconds to wait for a wake command to be successful. The default time here is 180 seconds.

Use the Save All button to save your changes when you are finished entering your data.

5.2.3 User Settings – Portlets

To change the look of the HOB RD VPN Navigation screen, and to set the portlets available to your users:

Figure 4: HOB User Settings - Portlets

Enable the radio buttons for each portlet that you want displayed on the HOB RD VPN Navigation screen, and then use the Up and Down arrows to adjust the order in which they are displayed.

5.2.4 User Settings – Others

On this screen you can set the display language to be used by HOB RD VPN, and whether the Web Server Gate flyer is shown.

Figure 5: HOB User Settings Screen - Others

Language – select from the dropdown box to set the display language. English and German are the only languages currently available; more languages will be available with later releases of this product.
Web Server Gate Flyer – select Show to have the Web Server Gate Flyer displayed as a floating popup on all screens, or Hide to keep it docked to the main screen.
Flyer – when activated, the flyer is displayed as a floating popup on all screens. The flyer contains the following two icons:
Home – use this to return to the Home page of HOB RD VPN, the HOB RD VPN Navigation screen.
Log Out – use this to log out of HOB RD VPN and close the program.

5.2.5 Cookies

This screen allows you to review your current cookie list.

Figure 6: HOB User Settings Screen - Cookies

Use the Delete button to remove any cookie from this list.
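Returning to the Desktop-on-Demand fields of Section 5.2.2 (IP Address, Port, MAC Address, Timeout): the following script is an added example of what those fields feed, not HOB's implementation of the feature. It assumes the wake-up is a standard Wake-on-LAN magic packet sent as a UDP broadcast, and that "successful" means the workstation's RDP port accepts a TCP connection before the timeout expires; the sample entry values are constructed.

```python
"""Wake a workstation and wait for its RDP port, the way a Desktop-on-Demand
entry describes it (Section 5.2.2).

Added example, not HOB's code. Assumes a standard WoL magic packet over
UDP broadcast and a TCP connect to the RDP port as the success check.
"""
import socket
import time

WOL_PORT = 9  # conventional discard port used for Wake-on-LAN broadcasts


def parse_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABB.CCDD.EEFF'; return 6 bytes."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 12 hex digits: {mac!r}")
    try:
        return bytes.fromhex(digits)
    except ValueError as exc:
        raise ValueError(f"MAC address is not hexadecimal: {mac!r}") from exc


def magic_packet(mac: str) -> bytes:
    """Magic packet: six 0xFF bytes followed by the MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_wake(mac: str, broadcast: str = "255.255.255.255") -> int:
    """Broadcast the magic packet on the local segment; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(magic_packet(mac), (broadcast, WOL_PORT))


def wait_for_port(ip: str, port: int, timeout: float, interval: float = 5.0,
                  clock=time.monotonic, probe=None, sleeper=time.sleep) -> bool:
    """Poll ip:port until a TCP connect succeeds or `timeout` seconds elapse.

    clock, probe and sleeper are injectable so the logic can be tested offline.
    """
    if probe is None:
        def probe(host, p):
            try:
                with socket.create_connection((host, p), timeout=2):
                    return True
            except OSError:
                return False
    deadline = clock() + timeout
    while True:
        if probe(ip, port):
            return True
        if clock() >= deadline:
            return False  # the Timeout field: give up, do not wait forever
        sleeper(min(interval, max(0.0, deadline - clock())))


def desktop_on_demand(entry: dict) -> bool:
    """Process one entry with the same fields as the User Settings screen."""
    send_wake(entry["mac"])
    return wait_for_port(entry["ip"], entry["port"], entry["timeout"])


if __name__ == "__main__":
    # Constructed sample entry; 192.0.2.0/24 is a documentation range.
    sample = {"workstation": "ws-lab-01", "ip": "192.0.2.10", "port": 3389,
              "mac": "00:11:22:33:44:55", "timeout": 180}
    print("reachable:", desktop_on_demand(sample))
```

Two practical points follow from the code: the magic packet is an unauthenticated broadcast, so the Wake-on-LAN agent must sit on the same segment as the workstation (which is why the guide ships separate agents for Windows and Unix/Linux), and the Timeout value bounds how long a user waits for a machine that never comes up.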
5.2.6 Change Password

This screen allows each user to change their password, if desired.

Figure 7: HOB User Settings Screen - Change Password

Enter your old password, then the new password. Enter your new password again to confirm, and click Change Password to make the change. The password change functionality is not supported for all configuration options.

6 HOB RD VPN Administration

The administration portal is the set of Graphical User Interfaces (GUIs) that the administrator of HOB RD VPN can use to manage, monitor and adapt the software to account for changes in the system. Users and resources can be added, edited or deleted, permissions set, and users and resources assigned to their respective administration groups. The configuration interface is named HOB Enterprise Access Administration (HOB EA Admin) and is delivered as an integral part of the HOB RD VPN software solution.

This HOB RD VPN administration interface (HOB EA Admin) can be started using a browser or the Start Menu of the workstation. To start the HOB RD VPN administration from a browser, open the HOB RD VPN default page with a browser and log on, either:

As a domain administrator using: https://rdvpn.example.com.
As global administrator using: https://rdvpn.example.com:10000 (use the port number that was selected during the installation).

6.1 Administration Access as a Domain Administrator

Type the URL given above to access the administration interface from a browser and enter your logon credentials in the HOB RD VPN Logon screen. Then:

1. Once the HOB Navigation Screen opens, click the User Configuration link.
2. The HOB EA Administration dialog is shown (see below). You will need to authenticate again on the Connect to HOB Enterprise Access dialog for the HOB EA Administration program to open.

Figure 1: HOB RD VPN Administration - Logon

3. Enter your User Name and then your Password/PIN for authentication.
If you use your user name for different roles, such as a user role and an administrator role, you can use the Change Password checkbox to bring up extra fields allowing you to set a new password to access your alternative role. To ensure compatibility with Common Criteria, the checkbox Save password must be left unchecked, as shown below.

Figure 2: HOB RD VPN Administration - Logon Compatible for Common Criteria

Once you have successfully logged on, the following screen is displayed. Here you can administer and configure the resources within your domain.

Figure 3: HOB RD VPN Administration

The HOB RD VPN Administration screen shows the resources that are present in your organization hierarchy in the left-hand panel, and the constituent elements (users, groups, containers and objects) of the highlighted element in the right-hand panel. The name of the selected resource is always shown in the title of the right-hand panel. Select from the domain list displayed on the left the domain that you wish to administer. The elements or resources contained within each domain are shown in the panel on the right. In the example shown here there is one domain, dc=hobsoft, with two elements, ou=groups and ou=users.

Use the following buttons to manage the resources in your enterprise.
Connect – establish a connection to your resource management database
Disconnect – end the connection to the database
Add Item – add a new item (user, group, object or container) to the database
Edit Item – edit the selected item
Delete Item – delete the selected item
Configure – configure the selected part of the database
Cut – cut the selected item from the database without deleting it
Paste – insert the cut item at this location in the database
Search – search for a specific element in the database
About – click to see the name and version of the software you have installed

At the bottom of the screen there are two buttons and a dropdown box. These are:

Properties – use this button to display the properties of the selected resource
Configure – use this to open the configuration tool for the selected resource
Select – in this dropdown box you use the arrow on the left to select the part of the database that you want to access for editing, whether User Settings, Utilities, the HOB WebSecureProxy, etc.

6.2 Administration Access as a Global Administrator

Once you log on in a browser using the global administrator logon, the administration portal opens directly. The following applications are available for the global administrator only; they are not available to a domain administrator and are not displayed on the domain administrator interface.

6.2.1 HOB RD VPN Administration Screen – System

This screen shows information about the edition of HOB WebSecureProxy that is currently installed on the system.

Figure 4: HOB RD VPN Administration - System

As well as the installed version of the HOB WebSecureProxy, this screen shows the process ID of the current installation and for how long it has been running.

6.2.2 HOB RD VPN Administration Screen - Gateways

Here you can see the currently configured gateways for the current connections.
Figure 5: HOB RD VPN Administration - Gateways

The Gateways screen shows details about the gateways for the administration access and for the user portal. The information shown includes the numbers of the ports being used by the gateways, their configurations and the status of the connections to the gateways.

6.2.3 HOB RD VPN Administration Screen – Users

Here you can display all of the users that are currently logged on to the system.

Figure 6: HOB RD VPN Administration - Users

Using the fields at the top of this screen, you can choose to display users according to a set number per page, or according to user name. In the list of users you can see their roles and IP addresses, and how long they have been logged on.

Previous and Next – use these arrow buttons to navigate between users when not all can be displayed on the screen at the same time.
Display users named – enter a username into this field to display the connections of the queried user or users directly.
Logout Selected Users – use this button to log out those users that you have selected from the list of current users.

6.2.4 HOB RD VPN Administration Screen - Connections

This dialog is used to review the currently established connections, and to disconnect those that are not in use.

Figure 7: HOB RD VPN Administration - Connections

Previous and Next – use these arrow buttons to navigate between users to see their connections.
Display users named – enter the username into this field to bring up the required user directly.
Disconnect selected connections – use this button to disconnect those connections that you have selected from the list shown.

6.2.5 HOB RD VPN Administration Screen – Logs

This section is covered in more detail in Section 6.4 Logging and Error Messages in HOB RD VPN on page 93.
The logging dialog (see Figure 23) displays the log of activity for the functioning of machines that were recently or are currently active, and the communication between them.

6.2.6 Global Administration Screen – Services

This dialog displays the plugins that are currently installed on the server and allows them to be monitored. Plugins are enhancements to existing software applications, adding specific abilities. Plugins usually cannot be run independently of the main application, and in most cases can be stopped and restarted if necessary. Among the plugins that come with your installation of HOB RD VPN is OpenDJ (the integrated directory service).

Figure 8: Global Administration - Services

Plugin – the names of the plugins are listed in this column.
Status – the current status of each plugin is shown here.
Options – the options are to stop (click the black X), start (click the black tick, if the plugin is already stopped) or restart (click the arrow) the selected service.

The field at the bottom shows a log of the event activity of the management screen.

6.2.7 Global Administration Screen - EA-Admin

This link launches the EA Administration interface as shown above in Section 6.1 Administration Access as a Domain Administrator on page 75. Here you can administer the domains and their resources, and also administer the HOB WebSecureProxy.

The EA Admin can also be started directly on the server where HOB RD VPN has been installed:

Under Microsoft Windows: go to the Start menu, then All Programs > HOB RD VPN 2.1 > Administration > EA Administration
Under Linux: run the program INSTALLDIR/utilities/EAAdmin

6.2.8 Global Administration Screen - Backup

This feature allows the data contained within the system Directory Service to be exported to a backup file location, or imported back from that backup location.
For a backup, the data stored in the directory service must first be converted to LDIF (LDAP Data Interchange Format), a standard plain-text data interchange format used for representing directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry), and one record per update request, such as Add, Modify, Delete and Rename.

Figure 9: Global Administration - Backup - Export LDIF

Export LDIF – export the data in LDIF format to the backup location. This button brings the Username and Password fields on screen, where you need to authenticate. Once authenticated, click Export for this operation to be carried out.
Input Credentials – this shows a log of all entries into this screen.

Figure 10: Global Administration – Backup - Import LDIF

Import LDIF – extract the data from the backup location to the current servers for use. This button also brings the Username and Password fields on screen (as shown above), where you need to authenticate using configured HOB RD VPN credentials. Once you have authenticated, use the Browse button to locate the desired LDIF file. Once it is selected, use the checkboxes to specify whether the file being imported should overwrite the existing data or be appended to it (and whether existing data should be replaced with the incoming data).
Upload & Import – click for this import operation to be carried out.
Input Credentials – this shows a log of all entries into this screen.

6.2.9 Global Administration Screen – Certificates

This feature is where the system certificates are managed. These are the security certificates that are used to authenticate each element of the system. Access is not allowed from workstations or machines that do not possess current valid certificates.
To achieve conformity with Common Criteria, this feature cannot be used to generate security certificates. Instead you must generate a set of certificates using the Auto Wizard in the HOB Security Manager (see Section 33.1 Adding Certificates and HOBLink Security Units to the HOB WSP in this document and the HOBLink Secure and HOBLink Security Manager Administration Guide for more information). The result of this process will be a set of configuration files (also known as HOBLink Security Units) for HOB WSP.

For each type of certificate, the symbols on the right-hand side have the same functions. They are active only when the mouse moves over them:

Upload – click to upload a certificate into the certificate directory
Download – click to download a certificate from the certificate directory
New Certificate – click to create a new certificate

Certificates have the following formats:

PWD (Password) – this extension signifies that this certificate file contains the password data.
CFG (Configuration) – this extension signifies that this certificate file contains the configuration data.
CDB (Certificate database) – this extension signifies that this certificate file contains the database data.

For detailed information about the files that can be uploaded here, and how to create them, see the HOBLink Secure and HOBLink Security Manager Administration documentation.

Certificates – Upload Certificate

Use this screen to upload a certificate into HOB RD VPN from your network data storage.

Figure 11: Global Administration - Upload Certificate

Administrator Access Certificates – this server certificate (and its certificate chain) is used to secure the authentication and the communication of the Global Administrator who is allowed to access the HOB RD VPN administration functions.
User Portal Certificates – this server certificate (and its certificate chain) contains the data used to secure the authentication and communication of the users authorized for access to the User Portal functions.
Cluster Access Certificates – this server certificate (and its certificate chain) contains the data used to secure the authentication and communication of the users authorized for access to the User Portal functions if a HOB RD VPN cluster is used and the user is redirected to this particular node in the cluster.
Internal Client Certificates – these certificates are used in case the HOB WSP connects to a target system using an SSL connection. These certificates must include the root certificates of all target systems that the HOB WSP is connecting to.
External Client Certificates – these certificates are used on the client side (for example by HOBLink JWT) to connect to the HOB WSP. These certificates must include the root certificates of the server certificate that is used by HOB RD VPN. If these certificates are available on the client system and are not to be downloaded from the server, you can use the Delete icon to remove existing files.
Import to External Client Certificates – check this box to import the current certificate to the list of external client certificates.
Upload – click to perform the upload.

Certificates – Download Certificate

Use this screen to download a certificate package in zipped form. Each certificate package contains a certificate file for that function (Administrator Access, User Portal, and so on).

Figure 12: Global Administration - Download Certificate

Download Certificate Package – click on this link to download all of the files required for the current function (in the example shown, the certificates required for administrator access). You are prompted to save the certificate files in zip form to a location on your system.
The Download Certificate Package procedure for other certificate types is performed in the same manner.

Certificates – Create New Certificate

Use this screen to create a new certificate for administrator access, user portal and cluster access. The process is identical for all three certificate types.

Figure 13: Global Administration - Create New Certificate

Enter the required data in each of the relevant fields, and select the validity period for this certificate from the dropdown box.

Import to External Client Certificates – check this box to import the current certificate to the list of external client certificates.
Create – click to create the new certificate. A pop-up appears to tell you that a new certificate has been successfully created, or that the creation has failed. This information is also shown in the Status field at the bottom of the screen.

6.2.10 Global Administration Screen – Updater

This feature is where updated versions of existing files can be uploaded and installed. Backup files can also be uploaded this way.

Figure 14: Global Administration - Updater

Browse – use this to locate the desired update file.
Upload & Install – click this button to perform the update.
Status – this field shows the current log of activity on this screen.
Update Packages – this list shows the recent update activity: the files and file packages that have been uploaded, the current status of uploaded file packages, and their upload date.

6.2.11 Global Administration Screen – Extensions

This feature allows you to download the install tools for the following extensions available for HOB RD VPN. Extensions are extra features or functionalities that are delivered with this installation of HOB RD VPN, but are optional in that they need not be activated.
Figure 15: Global Administration - Extensions

Click on the relevant link below to find more information on the desired extensions, and how these may be configured:

VDI WSP – see Chapter 13 Virtual Desktop Integration.
Wake-on-LAN Agent for Windows – see Chapter 12 HOB RD VPN Desktop-on-Demand.
Wake-on-LAN Agent for Unix/Linux – see Chapter 12 HOB RD VPN Desktop-on-Demand.
WTS Load Balancing – see Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT.
Security Manager for Windows – save the Windows installation file required for the HOBLink Security Manager: see the HOBLink Secure and HOBLink Security Manager documentation delivered with this product.
Security Manager for Unix/Linux – save the Unix/Linux installation file for the HOBLink Security Manager: see the HOBLink Secure and HOBLink Security Manager documentation delivered with this product.
Security Manager for Mac OS X – save the Mac OS X installation file for the HOBLink Security Manager: see the HOBLink Secure and HOBLink Security Manager documentation delivered with this product.
Anti Split Tunnel – this feature is available for use with the HOB PPP Tunnel (see Chapter 22 Using the HOB PPP Tunnel for Network Access) and the HOB Compliance Check (see Chapter 25 HOB Compliance Check).
PPP Tunnel for Unix – see Chapter 22 Using the HOB PPP Tunnel for Network Access.

6.3 Creating a New Global Administrator

When installing HOB RD VPN 2.1 you can only enter one global administrator (this is a mandatory step). Once the installation of HOB RD VPN is complete, this global administrator can create more global administrators by modifying the internal configuration system. This modification is done through the HOB EA Administration interface.
After the internal configuration system has been modified, the newly created global administrator (or administrators; there is no limit on the number of administrators) can log on to the administration portal and perform changes through the HOB WSP GUI.

The steps to modify the internal configuration system and create a new Global Administrator are as follows:

1. Open the HOB EA Administration interface and log on as the global administrator. The credentials that you use are those that you created when installing HOB RD VPN.

2. Locate the organizational unit ou=users,dc=internal,dc=root and select it as shown in this diagram:

Figure 16: HOB EA Administration – Creating New Global Administrator

3. Now right-click on this item or use the Add Item icon and choose User, as shown below. This new user will be given the full privileges of the global administrator.

Figure 17: HOB EA Administration – Adding New User

4. Enter the desired name for this second (or extra) global administrator in the Properties tab, as shown here:

Figure 18: HOB EA Administration – Properties Tab

5. Now select the Membership tab and the following screen is displayed:

Figure 19: HOB EA Administration – Membership Tab

6. Click the Add Membership button, and you will see the following screen:

Figure 20: HOB EA Administration – Selecting New Membership

7. In this screen, add cn=globalAdministrators,ou=groups,dc=internal,dc=root as the membership for this new user. Click Select to confirm this membership.

8. Once the selection has been confirmed, this screen is shown:

Figure 21: HOB EA Administration – Membership Tab

9. Click OK and a popup appears for you to create a password for this user.

Figure 22: HOB EA Administration – Enter Password to Confirm

10.
Enter a new password for this new global administrator and click OK. This saves the modifications to the internal configuration system and makes the new configuration ready for use.

The new global administrator has now been created and can be used immediately, for example to gain access to the Administration Port.

To create any new users, groups or domain administrators for the network, you use exactly this same procedure. The only difference is the membership you select for the new user or administrator, which must be the appropriate membership for the newly created user or administrator.

6.4 Logging and Error Messages in HOB RD VPN

Logging is the process of recording events that occur within HOB RD VPN. Logging is designed to provide an audit trail that can be used to understand the activity of the system and to diagnose problems, if any. If any issues are revealed, the log will report this in the form of an error message.

Logs and error messages are essential to understanding the activities of complex systems, and log file entries can also be combined from multiple sources. This, when combined with statistical analysis, can reveal correlations between events that are seemingly unrelated on different servers within your system, thus allowing you to identify and correct any issues that arise.

6.4.1 Logging in HOB RD VPN Administration

The logging dialog shown here displays the log of activity for the functioning of machines that were recently or are currently active, and the communication between them. This dialog provides you with the information you require to ensure that HOB RD VPN is functioning smoothly, and that there are no issues of communication between the machines in your system.

Figure 23: HOB RD VPN Administration - Logs

Display – use this field to determine how many log file entries are shown in the display field at any one time.
Fit to page size – click this to display the log messages in a format that fits the display field, with text wrapping.
Previous and Next – use these arrow buttons to navigate between the pages of the log file.
Autorefresh – click this to update the displayed log file automatically. When clicked, this button performs a refresh and counts down 30 seconds until it refreshes again. This continues until you leave the screen.
Search – use this to find and display a specific log file.
RegExp (Regular Expressions) – allows you to search the logs for a regular expression, for example a specific application name.
Start at – use this field to enter a starting date for your search.
Refresh – click this to update the displayed log file.

Individual log entries have the following format:

Figure 24: HOB RD VPN Administration – Logs – Individual Log Messages

Time – the time according to the system clock when the log entry was made.
Error ID – this combination of letters and digits identifies the message. For example, an Error ID of HWSPS003I signifies a HOB WSP entry with the individual message number 003. The character at the end of the ID (I in this example) signifies the category of the message (see below).
Category – the type of message being reported. It is one of three types:
I indicates an entry that gives Information
W indicates an entry that signifies a Warning
E indicates an entry that signifies an Error
Application – the application that is sending the report.
INETA (Internet Address) – the machine sending the report.
Message – text that alerts the administrator to the reason the log entry was made.

This is the standard format used by HOB RD VPN on Windows as well as on Linux and Unix systems.
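As an added example (not code from the HOB documentation), the following Python script parses messages in this format and runs two checks over them: it groups entries by category so that W and E lines can be reviewed first, and it reports when the SHA-1 fingerprint logged by HWSPM014I (the configuration file) or HWSPM017I (the WebSecureProxy itself) differs from the value logged before it, which is how a configuration change between two starts shows up. The sample lines are constructed after the Windows and Linux excerpts in Sections 6.4.2 and 6.4.3 and are not real log output; like those excerpts they carry only the Error ID and the Message, not the Time, Application and INETA columns of the dialog. The regular expressions and the script structure are assumptions of this example.

```python
"""Parse HOB WebSecureProxy log messages and run two triage checks over them.

Added example; not code from the HOB documentation. The message-ID layout
(component letters, message number, trailing I/W/E category) follows
Section 6.4.1. SAMPLE_LOG is constructed after the Windows and Linux
excerpts in Sections 6.4.2 and 6.4.3 and is not real log output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "HWSPM014I <message>": letters = component, then the message number, then
# one category character (I = Information, W = Warning, E = Error).
ID_RE = re.compile(r"^(?P<id>[A-Z][A-Za-z0-9]*?)(?P<cat>[IWE])\s+(?P<msg>.*)$")
SPLIT_RE = re.compile(r"^(?P<component>[A-Z]+)(?P<number>.*)$")
# HWSPM014I / HWSPM017I report the SHA-1 of wsp.xml and of the proxy binary.
FP_RE = re.compile(
    r"^fingerprint(?: \(SHA1\))? of (?P<what>configuration file|this HOB WebSecureProxy)"
    r" (?P<fp>(?:[0-9A-F]{4}\s?)+)\.?$"
)

SAMPLE_LOG = r"""
HWSPM001I IBIPGW08 started/Version 2.3 x86 Apr 5 2013/HOB WebSecureProxy/SSL gateway
HWSPM013I loaded configuration file C:\Program Files\HOB\RDVPN\wsp\wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file 141A CE67 0222 19C9 C610 0495 1290 E187 C568 ABD5.
HWSPM017I fingerprint of this HOB WebSecureProxy AAAA EEEE 1111 2222 5594 B1D4 E7C1 62C0 56E5.
HWSPM001I IBIPGW08 started/Version 2.3 x86 Apr 5 2013/HOB WebSecureProxy/SSL gateway
HWSPM014I fingerprint (SHA1) of configuration file AAAA CCCC 2222 1919 C610 0495 1290 E187 C568 ABD5.
HWSPM017I fingerprint of this HOB WebSecureProxy AAAA EEEE 1111 2222 5594 B1D4 E7C1 62C0 56E5.
HWSPMnnnW WSP Trace administration command but <allow-wsp-trace> not configured
HWSPXMLC01109W Error connection User Portal element "gate-in-ineta" has no child - ignored
HWSPM092I configuration display: HEALDI001I ServerDataHook: EA-LDAP V2.3.0.18 initialized
HWSPM090I create gateway Administration Access port=10000.
data received on pipe
"""


@dataclass
class LogEntry:
    component: str   # e.g. "HWSPM"
    number: str      # e.g. "014"
    category: str    # "I", "W" or "E"
    message: str
    raw: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return the parsed entry, or None if the line carries no HOB message ID."""
    m = ID_RE.match(line.strip())
    if not m:
        return None
    parts = SPLIT_RE.match(m.group("id"))
    return LogEntry(parts.group("component"), parts.group("number"),
                    m.group("cat"), m.group("msg"), line)


def parse_log(text: str):
    """Split a log into parsed entries and the lines that did not parse."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
        else:
            entries.append(entry)
    return entries, unparsed


def triage(entries):
    """Group entries by category so W and E lines can be reviewed first."""
    by_cat = {"I": [], "W": [], "E": []}
    for e in entries:
        by_cat[e.category].append(e)
    return by_cat


def fingerprint_changes(entries):
    """Report when the wsp.xml or proxy-binary fingerprint differs from the
    previously logged value: the configuration (or binary) was replaced
    between two starts and the change has to be accounted for."""
    last, changes = {}, []
    for e in entries:
        m = FP_RE.match(e.message)
        if not m:
            continue
        what, fp = m.group("what"), m.group("fp").replace(" ", "")
        if what in last and last[what] != fp:
            changes.append((what, last[what], fp))
        last[what] = fp
    return changes


def summarize(text: str) -> dict:
    entries, unparsed = parse_log(text)
    by_cat = triage(entries)
    return {
        "entries": len(entries),
        "unparsed": unparsed,
        "warnings": [e.component + e.number for e in by_cat["W"]],
        "errors": [e.component + e.number for e in by_cat["E"]],
        "fingerprint_changes": fingerprint_changes(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script lists the two W entries, no E entries, the one line without a message ID, and one configuration-file fingerprint change (the proxy fingerprint is unchanged between the two starts). Lines without an ID are kept separately rather than dropped, because a stray line in the middle of start-up output is itself worth a look.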
6.4.2 HOB RD VPN Logging in Windows Systems

The following is a typical Windows log file, identifying the machines involved, the applications running and any warnings that are generated:

HWSPM001I IBIPGW08 started/Version 2.3 x86 Apr 5 2013/HOB WebSecureProxy/SSL gateway
HWSPM013I loaded configuration file C:\Program Files\HOB\RDVPN\wsp\wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file 141A CE67 0222 19C9 C610 0495 1290 E187 C568 ABD5.
HWSPM001I IBIPGW08 started/Version 2.3 x86 Apr 5 2013/HOB WebSecureProxy/SSL gateway
HWSPM015I this ComputerName ComputerXX11 process-id 6128.
HWSPM016I WSP time started 26.04.13 10:17:51.
HWSPM017I fingerprint of this HOB WebSecureProxy AAAA EEEE 1111 2222 5594 B1D4 E7C1 62C0 56E5.
HWSPM018I processing configuration file C:\Program Files\HOB\RDVPN2.1.10\wsp\wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file AAAA CCCC 2222 1919 C610 0495 1290 E187 C568 ABD5.
HWSPIP041I Library WS2_32 loaded
HWSPM041I m_hssl_getversioninfo SSL-Version: 1, Revision=25, Release=19.0
HWSPM043I m_hssl_getversioninfo HOBLink Secure SSL Software Module, Version 01.25, Rev. 19.00, 12.03.2012
HWSPM092I configuration display: SECDRBG: Seed o.k.
HWSPM092I configuration display: HIWSI001I: HOB WebServer initialized (ServerDataHook: Web Server/2.3.0.43/x86 (CC))
HWSPM092I configuration display: HIWSI001I: HOB WebServer initialized (ServerDataHook: Web Server/2.3.0.43/x86 (CC))
HWSPM092I configuration display: HCOCI001I: ServerDataHook: Compliance Check V2.3.0.7 initialized
HWSPM092I configuration display: HEALDI001I ServerDataHook: EA-LDAP V2.3.0.18 initialized
HWSPM092I configuration display: HPHONEI000I ServerDataHook: HOBPhone V2.3.0.1 initialized
HWSPM092I configuration display: HWSPATI001I HOB Authentication Library V2.3.3.0 initialized
HWSPM090I create gateway User Portal port=443 + 80.
HWSPM092I configuration display: HWSPATI001I HOB Authentication Library V2.3.3.0 initialized
HWSPM090I create gateway Administration Access port=10000.
HWSPM083I number of CPUs online 1.
HWSPM080I max-poss-work-thread set to 32.
HWSPM081I max-active-work-thread set to 16.

6.4.3 HOB RD VPN Logging in Linux/Unix Systems

The following is a typical log file generated when HOB RD VPN is used on a Linux or Unix system:

HWSPM110I found character set UTF-8 translated to UTF-8.
HWSPM001I nbipgw20 started / Version 2.3 Rev.13 Linux EM64T Apr 17 2013 / HOB WebSecureProxy SSL-Gateway for Unix
HWSPM015I this ComputerName Computer-51 process-id 7775.
HWSPM016I WSP time started 26.04.13 10:07:50.
HWSPM017I fingerprint of this HOB WebSecureProxy 99AA CC55 3301 29A6 1F7E 0BA4 066F 4422 4BD0 0011.
HWSPM018I processing configuration file /opt/HOB/rdvpn/wsp/wsp.xml.
HWSPM014I fingerprint (SHA1) of configuration file CC77 11AA 4242 ABCD 7922 8CFE 8C07 1168 9D29 DB8A.
HWSPM041I m_hssl_getversioninfo SSL-Version: 1, Revision=26, Release=5.0
HWSPM043I m_hssl_getversioninfo HOBLink Secure SSL Software Module, Version 3.2 01.26, Rev. 05.00, 11.04.2013
HWSPMnnnW WSP Trace administration command but <allow-wsp-trace> not configured
HWSPMnnnW WSP Trace administration command but <allow-wsp-trace> not configured
HWSPMnnnW WSP Trace administration command but <allow-wsp-trace> not configured
HWSPXMLC0UUUUW Error LDAP-service rdvpn invalid node found "internal" ignored
HWSPM092I configuration display: SECDRBG: Seed o.k.
HWSPM092I configuration display: HIWSI001I: HOB WebServer initialized (ServerDataHook: Web Server/2.3.0.42/Linux em64t (CC) )
HWSPM092I configuration display: HIWSI001I: HOB WebServer initialized (ServerDataHook: Web Server/2.3.0.42/Linux em64t (CC) )
HWSPM092I configuration display: HSOCI001I: SOCKS5 Server initialized (ServerDataHook: Socks4+5/2.3.0.21/Linux em64t (CC))
HWSPM092I configuration display: HSOCI002I: Flags: 0
HWSPM092I configuration display: HCOCI001I: ServerDataHook: Compliance Check V2.3.0.6 initialized
HWSPM092I configuration display: HEALDI001I ServerDataHook: EA-LDAP V2.3.0.17 initialized
HWSPM092I configuration display: HPHONEI000I ServerDataHook: HOBPhone V2.3.0.1 initialized
HWSPXMLC01109W Error connection User Portal element "gate-in-ineta" has no child - ignored
HWSPM092I configuration display: HWSPATI001I HOB Authentication Library V2.3.3.0 initialized
HWSPM133I Listen-Gateway: nbipgw19-l01073-I connected to HOB ListenGateway for WebSecureProxy V2.1 Apr 17 2013 Protocol Version 0.0
HWSPM090I create gateway User Portal port=443 + 80.
HWSPM092I configuration display: HWSPATI001I HOB Authentication Library V2.3.3.0 initialized
HWSPM090I create gateway Administration Access port=10000.
HWSPM083I number of CPUs online 2.
HWSPM080I max-poss-work-thread set to 32.
HWSPM081I max-active-work-thread set to 16.
data received on pipe

6.4.4 Reading Error Messages in HOB RD VPN

By analyzing the log files generated by HOB RD VPN you can see clearly how the machines you are using are operating, and at what times the necessary updates and maintenance are being performed. If there are issues with the functioning of the system, these are also revealed through the logging process. For example, the HWSPM014I entry reports the SHA-1 fingerprint of the loaded wsp.xml: compare it with the fingerprint of the configuration you deployed to confirm that the proxy started with the intended configuration, and treat a value that differs between two starts as a configuration change that has to be accounted for.
Clear identification through the error messages of any issue (the machine affected, the software and applications in use, whether required data is missing or defective, for example) allows you to remedy it quickly and efficiently. The error message can be one of three types:
I indicates an entry that gives Information
W indicates an entry that signifies a Warning
E indicates an entry that signifies an Error
As an administrator it is imperative that you are familiar with the logging functionality of HOB RD VPN, as this tool can prove invaluable in day-to-day operations.

6.4.5 Error Messages in HOBLink JWT/J-Term

The HOBLink JWT and HOBLink J-Term applications each provide a GUI to the user. These GUIs display dialogs containing any error messages for the user. The user can then respond directly to the displayed error message (for example by entering required data that has not yet been entered) or forward it to the administrator. The GUI is designed to be provided in multiple languages; English and German are the only languages currently available.

7 Multi-Tenancy

Multi-tenancy is a principle in software architecture where a single instance of the software runs on a server and serves multiple client tenants (or domains). In the HOB RD VPN multi-tenant architecture, the software virtually partitions data and configuration so that each client organization works with a customized virtual application instance. HOB RD VPN can be configured to use multiple domains, so a single HOB RD VPN installation can authenticate users from many different domains; each domain in HOB RD VPN is an independent tenant.
These HOB RD VPN domains can use different configurations (for example, users of Domain 1 can only access resources assigned to Domain 1, and users of other domains cannot access resources assigned to Domain 1). A configuration can also be used from more than one domain if required (for example, different domains may be assigned access to the same target system). Multi-tenancy can be used in your HOB RD VPN installation to support different departments within your company, and to give your customers or suppliers access to specific services without adding them to your internal user directory service.

7.1 Default Domain Configuration after Installation

After installation, HOB RD VPN uses the integrated directory service for both the authentication service and configuration storage. For this, the HOB RD VPN installation creates a default domain named hobsoft. This domain resides in the directory service under dc=hobsoft,dc=root. You can use the administration interface to perform additional administration tasks for this domain as the global administrator or as the domain administrator of the hobsoft domain. With the administration interface you can administer both the users and their configurations.

Figure 1: HOB EA Administration – HOB RD VPN Domains

HOB RD VPN can be configured for a wide range of tenants using different domain configurations. A domain in HOB RD VPN consists of two components, an Authentication Service and a Configuration Storage.
The possible combinations of Authentication Service and Configuration Storage, and the settings each one requires, are shown in this table (columns: Authentication Service; Configuration Storage; RDN Base; Domain Administrators Group DN; Administrator Account / Password; Create User Automatically):

Combination 1 (default domain)
  Authentication Service: Internal LDAP (default)
  Configuration Storage: Internal LDAP (default)
  RDN Base: dc=hobsoft (grayed out)
  Domain Administrators Group DN: cn=domainAdministrators,dc=hobsoft,dc=internal,dc=root (grayed out)
  Administrator Account / Password: (grayed out)
  Create User Automatically: (grayed out)

Combination 1 (new domain)
  Authentication Service: Internal LDAP (new)
  Configuration Storage: Internal LDAP (new)
  RDN Base: (required)
  Domain Administrators Group DN: cn=domainAdministrators,<value of RDN Base>,dc=internal,dc=root (grayed out)
  Administrator Account / Password: (grayed out)
  Create User Automatically: (grayed out)

Combination 3
  Authentication Service: External LDAP
  Configuration Storage: Internal LDAP
  RDN Base: Name of LDAP (not mandatory)
  Domain Administrators Group DN: (not mandatory)
  Administrator Account / Password: (not mandatory); required for Domain Administrators Group DN or Create User Automatically
  Create User Automatically: (not mandatory)

External LDAP with External LDAP
  Authentication Service: External LDAP
  Configuration Storage: External LDAP
  RDN Base: (grayed out)
  Domain Administrators Group DN: (not mandatory)
  Administrator Account / Password: (not mandatory); required for Domain Administrators Group DN
  Create User Automatically: (grayed out)

Combination 2
  Authentication Service: Kerberos / RADIUS
  Configuration Storage: Internal LDAP
  RDN Base: Name of Kerberos / RADIUS Domain (not mandatory)
  Domain Administrators Group DN: (not mandatory)
  Administrator Account / Password: (not mandatory); required for Domain Administrators Group DN or Create User Automatically
  Create User Automatically: (not mandatory)

Combination 2 with External LDAP
  Authentication Service: Kerberos / RADIUS
  Configuration Storage: External LDAP
  RDN Base: (grayed out)
  Domain Administrators Group DN: (grayed out)
  Administrator Account / Password: (grayed out)
  Create User Automatically: (grayed out)

Table 1: Authentication Service and Configuration Storage combinations in HOB RD VPN

Note to Combination 1: The hobsoft domain is created during the installation process, and the integrated LDAP is referred to under the name rdvpn in the HOB WebSecureProxy. To integrate other domains, HOB EA Administration automatically creates ou=groups and cn=domainadministrators,ou=groups under the new domain (cn=domainadministrators,ou=groups,dc=DOMAIN,dc=root). All domains created in this way must then be created in the HOB WSP interface, entered into the domain table (with a different display name, because rdvpn is already preset) and assigned to the roles.
No additional entry should be made under Domains > LDAP > LDAP Domains. All users who are members of the domain administrators group have administration rights within this domain.

Note to Combination 2: If RADIUS or Kerberos is used together with the HOB integrated LDAP, the auto-create user function can be used. If it is not used, all objects must be created or imported manually. Here the domain name must be the same as the name of the RADIUS domain so that the mapping function can be used. The domain administrators mechanism is as described in Note 1. When auto-create users is used, successfully authenticated users are created automatically in the root of the domain. RADIUS and Kerberos are flat structures (without subnodes and without groups). Subnodes and groups can be created in the integrated LDAP, and the users can be moved into them and added to groups. At logon, the user and their configuration are then found in the subnodes and are not recreated in the root of the domain. To use the auto-create user functionality, an administrative account is required in the HOB WSP configuration. This account must have read and write rights in the domain, so it must be either the global administrator or a domain administrator of that domain. Since its credentials are stored in the WSP configuration, prefer a domain administrator of that domain over the global administrator: the domain administrator's rights end at the domain's subtree, whereas the global administrator can change the entire integrated directory service.

Note to Combination 3: As with Combination 2, when auto-create user is used, the user is created with the same subnode structure as in the original (external) LDAP. The user's groups are created in the same way, and group memberships are created as in the original LDAP. The subnodes and groups are re-checked at every login: the user is moved and/or group memberships are changed in the integrated LDAP according to the changes made in the external LDAP.
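The login-time behaviour described in Notes 2 and 3 (create the user below the domain's RDN base with the subnode path it has in the external directory, mirror its groups, and re-check both at every login), as an added Python example that is not code from HOB RD VPN. The directory is an in-memory model, and the DN suffixes, user records and group names are constructed for the example; it assumes the external user and group DNs share one base, and that the domain administrators group has the form cn=domainAdministrators,ou=groups,<RDN base> given in Note 1. Two points matter for a multi-tenant installation and are built in: every target DN is resolved and checked against the tenant's RDN base before anything is written, so a record that does not belong to the external base can never land in another tenant's subtree, and becoming a member of the domain administrators group is reported as a privilege change.

```python
"""Login-time synchronisation of an externally authenticated user into one
tenant (domain) of the integrated directory service.

Added example; not code from HOB RD VPN. It models what Notes 2 and 3
describe for Create User Automatically. The in-memory store, DN suffixes
and external-directory records are constructed; the external user and
group DNs are assumed to share one base (EXT_BASE), and the tenant's
domain administrators group is assumed to be
cn=domainAdministrators,ou=groups,<RDN base> as in Note 1.
"""
from typing import Dict, List, Set

Store = Dict[str, Set[str]]   # DN -> member DNs (empty for non-group entries)


def relative_to(dn: str, base: str) -> str:
    """'uid=a,ou=x,<base>' -> 'uid=a,ou=x'; refuses DNs outside base."""
    suffix = "," + base
    if not dn.endswith(suffix):
        raise ValueError(f"{dn} is outside {base}")
    return dn[: -len(suffix)]


def ensure_node(store: Store, dn: str, rdn_base: str) -> List[str]:
    """Create dn and any missing parents below rdn_base; return DNs created."""
    created = []
    if rdn_base not in store:
        store[rdn_base] = set()
        created.append(rdn_base)
    parts = relative_to(dn, rdn_base).split(",")   # also guards the tenant boundary
    for i in range(len(parts) - 1, -1, -1):
        node = ",".join(parts[i:]) + "," + rdn_base
        if node not in store:
            store[node] = set()
            created.append(node)
    return created


def sync_on_login(store: Store, rdn_base: str, ext_user_dn: str,
                  ext_groups: List[str], ext_base: str) -> List[str]:
    """Mirror the user and its groups into the tenant; return an audit log."""
    # Resolve every target DN first, so a DN outside the external base (which
    # could point into another tenant) fails before anything is written.
    target_dn = relative_to(ext_user_dn, ext_base) + "," + rdn_base
    wanted = {relative_to(g, ext_base) + "," + rdn_base for g in ext_groups}
    admin_group = "cn=domainAdministrators,ou=groups," + rdn_base
    user_rdn = ext_user_dn.split(",", 1)[0]
    log: List[str] = []

    # 1. The user moved to another subnode externally: move it here as well.
    stale = [d for d in store
             if d.startswith(user_rdn + ",") and d.endswith("," + rdn_base)
             and d != target_dn]
    for old in stale:
        del store[old]
        for members in store.values():
            members.discard(old)
        log.append(f"moved {old} -> {target_dn}")
    for node in ensure_node(store, target_dn, rdn_base):
        log.append(f"created {node}")

    # 2. Groups are mirrored by name below ou=groups of the tenant.
    for group in sorted(wanted):
        for node in ensure_node(store, group, rdn_base):
            log.append(f"created {node}")
        if target_dn not in store[group]:
            store[group].add(target_dn)
            log.append(f"added {target_dn} to {group}")

    # 3. Memberships dropped externally are revoked, but only in this tenant's
    #    groups; entries of other tenants are never touched.
    for group, members in store.items():
        if group.endswith("," + rdn_base) and group not in wanted and target_dn in members:
            members.discard(target_dn)
            log.append(f"removed {target_dn} from {group}")

    # 4. Gaining the domain administrators group is a privilege change: the
    #    user can now edit other users' configurations in this domain.
    if admin_group in wanted:
        log.append(f"PRIVILEGE: {target_dn} is a domain administrator of {rdn_base}")
    return log


if __name__ == "__main__":
    directory: Store = {}
    RDN_BASE, EXT_BASE = "dc=customer1,dc=root", "dc=example,dc=com"   # constructed
    for line in sync_on_login(directory, RDN_BASE, "uid=alice,ou=sales," + EXT_BASE,
                              ["cn=vpn-users,ou=groups," + EXT_BASE], EXT_BASE):
        print(line)
```

The audit log returned by sync_on_login is what you would forward to the log described in Section 6.4: a "moved", "removed" or "PRIVILEGE" line at login is exactly the kind of event an administrator wants to see, because it records an access change that was made in the external directory rather than in HOB EA Administration.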
7.2 Using the Integrated Directory Service

After installation, HOB RD VPN uses the integrated directory service for both the authentication service and configuration storage. The tree of the integrated directory service contains two domain components (dc):
dc=internal,dc=root
dc=hobsoft,dc=root

7.2.1 Domain Component dc=internal,dc=root

Internal objects located in this component include:
The WebSecureProxy (WSP) object – On installation, a random default password unique to each installation is set for this object. The object holds the configuration of the WSP and is also used as a read-only search user for the integrated directory service.
Global Administrator – This user is also created at installation, with a freely selectable username (which must not be "System Admin" itself) and a password. This user has administrative rights to the whole integrated directory service. Additional system administrators (with the same rights) can be created later in RD VPN Administration.

7.2.2 Domain Component dc=hobsoft,dc=root

After installation, dc=hobsoft,dc=root is the default domain used as authentication service and configuration storage. During installation you can add users and select suitable groups for them. Users in the group cn=Administrators,ou=groups,dc=hobsoft,dc=root have administrative rights only to the elements below dc=hobsoft,dc=root in the tree, making them domain administrators for the rdvpn domain.

Figure 2: Default Integrated Directory Structure

Adding another domain for authentication service and configuration storage is the equivalent of adding a copy of the initial dc=hobsoft,dc=root under another name, for example dc=customer1,dc=root.

7.2.3 Configuring an Integrated Directory Service

Follow these steps to create a new domain in the integrated directory service:

1. Log on to HOB EA Administration.
2. Select the resource dc=root and right-click to Add a domain, entering a name for the domain in the Account field (NewDomain in this example).
   Figure 3: Add Domain to Existing Domain
   This creates the domain dc=NewDomain. Within this domain the object ou=groups, and the cn=domainAdministrators group it contains, are created automatically. Using the checkboxes you can choose to Apply HOB product configurations from an already configured domain (a browse dialog opens automatically to let you specify the configuration). You may also select the checkbox Open the configuration dialog for HOBLink JWT when this dialog is closed, if desired. Within this domain you can now create the required users, groups and organizational units. All users who are members of the domainAdministrators group are thereby given administration rights for the newly created domain.
3. Start the WebSecureProxy GUI. To do this from the HOB EA Administration interface, select the WebSecureProxy object, open the dropdown list to the right of the Configure button, select HOB RD VPN 2.1 > WebSecureProxy blue, and click Configure.
4. Select Domains from the list on the left and, in the Domains tab, click Add on the right.
5. In the Authentication Service panel enter the service Type and the service Name (selecting both from those already configured) and a freely chosen Display Name for the service.
6. In the Configuration Storage panel select a Storage Name and enter the RDN-BASE (relative distinguished name) dc=newDomain as the base name. This is the name of the new domain entered in Figure 3. Click Add & Close to save the changes, add the domain to the list and close the dialog.
   Figure 4: Add Settings to new Domain
7. Select the Show Domain List on login dialog checkbox in the Domain List dialog if you want a dropdown list of domains to be shown when administrators log on. If you do not, a text box for entering the domain is shown in the login dialog, showing the current domain. Note that this list is presented before authentication, so it reveals the names of all configured domains to anyone who can reach the login dialog.
   Figure 5: HOB WebSecureProxy – Domain List
8. The users that are members of this domain can now be assigned to roles. Open the WebSecureProxy dialog and go to the Select Member screen.
   Figure 6: Select Member to Add to New Domain
9. Select the domain and the role within the domain, and click Select to assign this object or user to the selected domain.
   Figure 7: Check Configuration under Roles
10. Click File > Save to save your changes. Under Roles > Settings > Requirements > Members you will now see the new domain in the domain list.

7.3 Using an External Directory Service as the Authentication Service

An external directory service can be used for authentication in two ways:
- In conjunction with the same external directory service as Configuration Storage. In this scenario the integrated directory service is not involved. The global administrator of HOB RD VPN has to provide the necessary credentials for the domain (a directory-service-based authentication service and a directory-service-based configuration service) in the WSP configuration. Note that the authentication service and the configuration storage must be the same directory service.
- In conjunction with the integrated directory service as Configuration Storage. In this scenario a new domain component is created under dc=root.
7.3.1 Configuring an External Directory Service for Authentication and Configuration

The following steps show the procedure required to use an external directory service as both the authentication service and the configuration storage.

1. Add the HOB LDAP Scheme Extension to your directory service. After installation you can find the HOB scheme extension in the HOB Scheme Extensions folder of your HOB RD VPN installation; for more information see Chapter 38 HOB LDAP Scheme Extensions.
2. Log in to the HOB RD VPN administration page with global administrator credentials (see Section 6.2 Administration Access as a Global Administrator on page 78) and select EA-Admin in the column on the left. In the popup that follows, log in to HOB EA Admin with your global administrator credentials.
3. In HOB EA Admin, select ou=servers in dc=internal and then click the directory content item cn=WebSecureProxy. Click the > button to the right of the Configure button, select HOB RD VPN 2.1 > WebSecureProxy blue, and click Configure.
4. In the HOB WSP screen that opens, select Domains > LDAP > LDAP Domains from the tree on the left (scroll down to these items) and click Add at the bottom of the screen.
5. The LDAP Domain tab opens in the pane on the right. Here you can either accept the default name of the new domain or enter a name of your choice (in the example, External LDAP is used).
   Figure 8: HOB WSP Administration - LDAP Domain
6. Once the domain has been added (it now appears in the tree on the left), a server must be added to this domain. Click Add again to add at least one directory server instance.
   Figure 9: WSP Administration - Add Server to External LDAP
   Here you enter the details of the LDAP server to be used in this domain. The fields are as follows:
   Name – A default LDAP server name appears here. You can accept it or enter a new name.
   IP address – Enter the IP address of your LDAP server.
   Port – Port 389 is set as the default. If you set the LDAP server to use SSL, the port is set to the default SSL port 636.
   LDAP template – Select the type of LDAP server you are using. You can choose from OpenDJ, OpenLDAP, IBM SecureWay Directory Server or Microsoft Active Directory.
   Use network adapter – Set to Any by default.
   Base DN – Set the base DN (distinguished name) for your LDAP server. Click the … (browse) button to select from the available base DNs.
   Search administrator DN – This administrator user is used to search for the user ID during the login process. If authentication is not done with the LDAP in which the configurations are stored, and no administrator is configured for the configuration store, the search administrator is used. Its password is stored in the WSP configuration, so use a dedicated account with read-only search rights for this purpose rather than a directory administrator.
   Search administrator PW – Enter the corresponding password.
   Timeout search (sec) – The time in seconds after which a search times out. The default is ten seconds.
   Wait connect (sec) – The time in seconds to wait for a server connection. The default is ten seconds.
   Use SSL – If the LDAP server is to use SSL, activate it with this checkbox. When activated, the LDAP server port changes from 389 to the standard SSL port 636. Enable this wherever possible: without it, the binds and searches, including the search administrator's credentials, cross the network unencrypted.
   Search nested group level – The number of organizational levels (nested groups) to search through for user settings. The higher the number, the more levels are searched. If you set a high level here, you may need to increase Timeout search.
   Global directory – This can only be used with Microsoft Active Directory as the LDAP template. Activate it with this checkbox. If you select a global directory, the server port changes to 3268 (or 3269 for an SSL connection).
   Then only the entries indexed in the Microsoft Global Directory are used.
7. Click the Domains item in the tree and click Add in the Domains pane on the right.
   Figure 10: WSP Administration - Add Domain to External LDAP
8. In the Add Domain dialog, enter the name of the domain just created as both the Authentication Service and the Configuration Storage.
9. The users that are allowed to log on to HOB RD VPN now need a role assigned to them.
10. To add a role, click Roles towards the top of the tree and then click Add at the bottom left to add a new role, or use a default role, for example Power User.
11. In the Settings tab that opens, select the Members tab, then select the tab with the name of your LDAP domain. In the example shown, the domain External LDAP is used.
    Figure 11: WSP Administration - Add Member to External LDAP
12. Click Add on the right to open the Select member dialog. Select the organizational unit, user or user group that is to be authorized to use the domain you just created and add this entry to the Members list by clicking Select at the lower left. This is the same process as in the previous section; see Figure 6 on page 106.
13. Click File > Save in the main menu to save the changes made here.

7.3.2 Configuring an External Directory Service for Authentication Only

The following steps show the procedure required to use an external directory service as the authentication service only.

1. Start HOB EA Administration and open the HOB WebSecureProxy configuration dialog as shown in the previous sections of this chapter.
2. Create an external LDAP domain (Domains > LDAP > LDAP Domains, then click Add) and give the new domain a Name.
3. Create at least one LDAP server as shown (in the example, the name External LDAP Server is used).
   Figure 12: WSP Administration - LDAP Server configuration
4. Add a domain: select the Domains node in the hierarchy and click Add.
   Figure 13: WSP Administration - LDAP Domains – Add Domain
   The field Domain Administrators Group DN must be entered manually. It defines the group of domain administrators, which in this LDAP is cn=example,ou=groups,dc=externalLDAP,dc=root. The Administrative Account entry must be an element that has read and write permission; the global administrator is a typical administrative account. Use the buttons on the right (Add to save the data and clear the fields for new data, Add & Close to save the data and close the dialog, Cancel to close the dialog without saving) to manage the entries for this domain.
5. If Create User Automatically is not enabled, the administrator must create the domain, OUs and user groups manually. Each user must be created with the same name as in the external directory service.
6. If Create User Automatically is enabled, the domain, the user and the user's groups, including the directory structure, are created automatically when a user from the external LDAP logs on.
   Figure 14: HOB EA Administration – External LDAP Domain Hierarchy
7. At this stage users still get the error message No role assigned, as no roles have been assigned to them yet. Assign a role to the users and then assign them configurations.
8. If you do both of these using groups, the users in those groups can log on immediately.
9. If only groups are used in HOB EA Admin and in the roles of the HOB WSP, you can adjust a user's rights in the external LDAP later by adding the user to, or removing them from, specific groups.
10. When Create User Automatically is activated, group membership is checked not only when a user first logs on but again at every subsequent logon. Without Create User Automatically, the group memberships in the integrated LDAP are maintained by hand and are not updated from the external LDAP at logon.

7.4 Using RADIUS Access Servers as the Authentication Service

Remote Authentication Dial-In User Service (RADIUS) is a standard network protocol that provides centralized authentication, authorization and accounting for computers that connect to and use a network service. It is often used to manage access to the Internet or to internal networks, wireless networks and integrated e-mail services. RADIUS can be used with HOB RD VPN in two ways:
- In conjunction with an external directory service. In this scenario the integrated directory service is not involved. The HOB RD VPN administrator has to provide the necessary credentials for the domain (a RADIUS-based authentication service and a directory-service-based configuration service) in the WSP configuration.
- In conjunction with the integrated directory service. In this scenario a new domain component is created under dc=root. Its name is the same as the domain name in the WSP configuration.

Figure 15: Default Directory Structure with RADIUS

7.4.1 Configuring HOB RD VPN for RADIUS

To use RADIUS authentication in HOB RD VPN you have to configure a RADIUS domain and a RADIUS server in the HOB WebSecureProxy configuration. The following steps show the configuration of RADIUS in HOB RD VPN.

1. Open the HOB RD VPN WebSecureProxy configuration program as shown in Section 7.2.3 Configuring an Integrated Directory Service on page 104.
2. Expand the Domains node of the left-hand tree and click the Radius item.
   Figure 16: WSP Configuration - Adding a Radius Domain
3. Click Add at the bottom of the screen to create a new Radius domain and enter a name of your choice, for example Radius Domain.
   Figure 17: Configuring a Radius Domain
   The following fields can be found on this screen:
   Name – the name to be given to this Radius domain.
   Global Settings – this panel contains the following fields:
   Enable MS-CHAP-V2 (Microsoft Challenge Handshake Authentication Protocol Version 2) – an authentication protocol for a PPP connection between a computer with a Microsoft Windows operating system and a network access server. Check this box to use this protocol and strengthen the security of the connection; otherwise the standard protocol used by your network is used by default. Before you check this box, ensure that the RADIUS server also supports this protocol. MS-CHAP-V2 avoids sending the password itself, but it relies on DES-based challenge responses, so it is no substitute for protecting the RADIUS traffic between HOB RD VPN and the RADIUS server.
   Character set – specifies the character set used for connections with this server. There are two dropdown boxes:
   Filter name – select the alphabetical group of names containing the character set you want, or select All to choose from the complete list.
   Name – select the name of the character set to use, for example UTF-8, ANSI-819, etc.
   Timeout – the time in seconds allowed before a connection is closed if there is no reply. The default is 30 seconds.
   Retry after Error – the time in seconds to wait after an error before a reconnection may be attempted. The default is 120 seconds.
   Comment – you may enter a comment for users of this server here.
   Click File > Save in the main menu to save the data entered here.
4. Click the new Radius Domain item and then Add to create a new Radius server.
   Figure 18: Configuring a Radius Server
5. Enter the values that specify this Radius server, and how to connect to it, in the following fields:
   Name – enter a name of your choice for this server, for example Radius Server.
   Use Network Adapter – select from the dropdown box the network adapter to be used for the connection with this Radius server.
   Host IP Address – enter the IP address of the Radius server.
   Port – enter the port on which the Radius server is available.
   Use same shared secret – this checkbox is active only if you are configuring a cluster installation. When configuring a cluster, leave the checkbox enabled if you want to use the same shared secret for all members of the cluster. If you disable it, a list appears in which you can enter a different shared secret for each member of the HOB RD VPN cluster.
   Shared Secret – the RADIUS protocol requires a shared secret, a text string known only to the RADIUS client (HOB RD VPN in this case) and the RADIUS server against which it authenticates. The shared secret both hides the user password in transit and authenticates the server's replies, so use a long, random string and, where the server allows it, a different secret for each RADIUS client.
   Comment – this field can be used to enter comments for this Radius server.
   Click File > Save in the main menu to save the data entered here.

7.4.2 With External LDAP

RADIUS access servers are used only for authentication; they are not used for configuration storage. HOB RD VPN allows external LDAP servers and domains to be used for configuration storage. When RADIUS is used for authentication with HOB RD VPN, as soon as the user has been authenticated by the RADIUS server the configuration for that user is pulled from the configuration storage of the external LDAP, based on the user's unique username. In this case the configuration for the user may be created automatically based on the user's group membership, or it must be created manually for that user.
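What the shared secret actually does on the wire, as an added Python example that is not HOB code and does not contact a real RADIUS server: it builds the RFC 2865 Access-Request that a RADIUS client such as HOB RD VPN sends, hides the PAP User-Password attribute with the shared secret and the Request Authenticator, and lets an in-process simulated server answer with an Access-Accept or Access-Reject whose Response Authenticator the client verifies with its own copy of the secret. The MS-CHAP-V2 option described above is a different exchange and is not covered. The shared secret, user name, password, identifier and user table are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), showing what
the Shared Secret configured in Section 7.4.1 protects.

Added example; not HOB code. The server side is simulated in-process with
its own copy of the secret. Only the PAP User-Password attribute is covered.
The secret, user name, password and user table are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the shared secret and the
    packet recovers the clear-text password this easily."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop the NUL padding (passwords are text)


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code: int, identifier: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int, authenticator: bytes = b"") -> bytes:
    """Client side (HOB RD VPN is the RADIUS client in the guide's scenario)."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def simulated_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide the password with its copy of the secret, reply Accept/Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_attributes(request[20:])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return packet(code, identifier, response_authenticator(code, identifier, req_auth, b"", secret), b"")


def verify_response(response: bytes, request: bytes, secret: bytes) -> int:
    """Client side: accept a reply only if its Response Authenticator was computed
    with our secret over our Request Authenticator; returns the reply code."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        raise ValueError("reply does not match the request")
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code


def run_exchange(username: bytes, password: bytes, client_secret: bytes,
                 server_secret: bytes, users: dict) -> int:
    request = build_access_request(username, password, client_secret, identifier=7)
    return verify_response(simulated_server(request, server_secret, users), request, client_secret)


if __name__ == "__main__":
    USERS, SECRET = {b"alice": b"correct horse"}, b"example-shared-secret"   # constructed
    print(run_exchange(b"alice", b"correct horse", SECRET, SECRET, USERS))   # 2 = Access-Accept
```

Two things follow directly from the code. The password hiding is a keystream derived from the shared secret, so anyone who obtains the secret recovers every password from captured traffic with unhide_password; there is no additional encryption on a plain RADIUS link, which is why the secret has to be long and random. And a reply from a server that holds a different secret is rejected by verify_response even though the packet is otherwise well formed, which is the only protection the client has against a forged Access-Accept.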
7.4.3 With Integrated LDAP

When an external authentication service is used (in this case RADIUS), the HOB RD VPN integrated LDAP may be used. There are two variations:

With Create User Automatically – when this functionality is activated, on the authentication of a user by RADIUS when logging into HOB RD VPN, the user is created automatically by HOB RD VPN in the internal LDAP and can be modified later by the administrator. Configurations that are not inherited can be created after the first login of the user.

Without Create User Automatically – if this functionality is not activated, on the authentication of a user by RADIUS when logging into HOB RD VPN, the configuration for that user is pulled from those created by the administrator and stored in the integrated LDAP. The user and the configuration of this user must be configured by the administrator before the user logs in for the first time.

Figure 19: Adding a Radius Domain with Integrated LDAP

This dialog has the following fields in the Authentication Service panel:

Type – select Radius from the dropdown box.
Name – the name of this authentication service; it is given the name Radius Domain by default and cannot be edited.
Display Name – the name under which this particular domain is identified if there is more than one domain operating from the same base configuration.

This dialog has the following fields in the Configuration Storage panel:

Name – the name of this storage.
RDN Base – the base domain configuration. This cannot be edited.
Domain Administrators Group DN – this field must specify a group object (not an OU) of which all domain administrators are members. All members of this group are allowed to change the configuration of other users within the same domain.

The following are the fields in the Administrative Account panel:

DN – the DN for the administrator of this domain.
This administrator user is used in the background to change the configurations if a domain administrator uses the HOB EA Administration. It is also used when a user changes their own configuration (if the user has permission to do this).
Password – enter a password for this account here.
Create User Automatically – check this box to create users automatically. The following fields are also in this panel:
Default group – enter the default group to be used for users created automatically here.
Default tree RDN – enter the tree RDN for automatically created users here.

Click Add to save the data and clear the fields to enter new data, Add & Close to save this data and close this dialog, or Cancel to close the dialog without saving.

7.5 Using Kerberos as the Authentication Service

Kerberos is a computer network authentication protocol that works on the basis of issuing identity tickets for nodes (both client-side and server-side nodes) communicating over a non-secure network, allowing them to prove their identity to one another in a secure manner.

Used in conjunction with an external directory service: in this scenario the integrated directory service is not involved. The administrator of HOB RD VPN has to provide the necessary credentials for the domain (a Kerberos-based authentication service and a directory-service-based configuration service) in the WSP configuration file. This can be done in the WSP configuration.

Used in conjunction with the integrated directory service: in this scenario a new domain component under dc=root is created. The name is the same as the domain name in the WSP configuration.

Figure 20: Default Directory Structure with Kerberos

7.5.1 Configuring HOB RD VPN for Kerberos

To use Kerberos authentication in HOB RD VPN you have to configure a Kerberos domain and a Kerberos server in the HOB WebSecureProxy configuration.
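The integrated-LDAP dialogs (7.4.3 above, and the same panels in the Kerberos dialog of 7.5.3) require the Domain Administrators Group DN to point at a group object, not an OU, and the Administrative Account DN to exist under the domain component created under dc=root. The following Python example is added here to show that directory structure and the check an administrator can run against an LDIF export before saving the dialog; it is not part of the HOB documentation or of HOB RD VPN. The LDIF is a constructed sample using only standard object classes (the HOB-specific classes of the scheme extension are not modelled), and the parser handles plain "attribute: value" lines only, not base64 "::" values.

```python
"""Constructed example: validate the Configuration Storage and Administrative
Account settings of an integrated-LDAP domain against an LDIF export."""
import re
from typing import Dict, List

GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group", "posixgroup"}
MEMBER_ATTRS = ("member", "uniquemember")

# Constructed directory for a WSP domain named "hobsoft" (dc=hobsoft under dc=root).
SAMPLE_LDIF = """\
# constructed sample, not an export of a real HOB RD VPN installation
dn: dc=hobsoft,dc=root
objectClass: domain
dc: hobsoft

dn: ou=users,dc=hobsoft,dc=root
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=hobsoft,dc=root
objectClass: organizationalUnit
ou: groups

dn: cn=user1,ou=users,dc=hobsoft,dc=root
objectClass: inetOrgPerson
cn: user1
sn: User One

dn: cn=wspadmin,ou=users,dc=hobsoft,dc=root
objectClass: inetOrgPerson
cn: wspadmin
sn: WSP Admin

dn: cn=domainadmins,ou=groups,dc=hobsoft,dc=root
objectClass: groupOfNames
cn: domainadmins
member: cn=wspadmin,ou=users,dc=hobsoft,dc=root
"""


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim, remove spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value' per line."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:            # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = norm_dn(value)
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def check_domain_storage(entries, rdn_base: str, admins_group_dn: str, admin_dn: str) -> List[str]:
    """Return the problems with the dialog values (empty list means consistent)."""
    problems: List[str] = []
    base, group, admin = norm_dn(rdn_base), norm_dn(admins_group_dn), norm_dn(admin_dn)
    if base not in entries:
        problems.append(f"RDN Base {base} does not exist")
    for label, dn in (("Domain Administrators Group DN", group), ("Administrative Account DN", admin)):
        if dn not in entries:
            problems.append(f"{label} {dn} does not exist")
        elif not dn.endswith("," + base):
            problems.append(f"{label} {dn} lies outside RDN Base {base}")
    g = entries.get(group)
    if g is not None:
        classes = {c.lower() for c in g.get("objectclass", [])}
        if not classes & GROUP_CLASSES:          # the guide's rule: a group, not an OU
            problems.append(f"{group} is not a group object (objectClass {sorted(classes)})")
        for attr in MEMBER_ATTRS:                # dangling members cannot administer anything
            for m in g.get(attr, []):
                if norm_dn(m) not in entries:
                    problems.append(f"group member {m} does not exist")
    return problems
```

Run check_domain_storage(parse_ldif(SAMPLE_LDIF), "dc=hobsoft,dc=root", "cn=domainadmins,ou=groups,dc=hobsoft,dc=root", "cn=wspadmin,ou=users,dc=hobsoft,dc=root") to get an empty list; pointing the group DN at ou=users instead reports that the entry is not a group object, which is the misconfiguration the dialog text warns about.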
The following configuration steps show the configuration of Kerberos in HOB RD VPN.

1. Open the HOB RD VPN WebSecureProxy configuration program as shown in the earlier section, Section 7.2.3 Configuring an Integrated Directory Service on page 104.

2. Select the Domains element of the left-hand tree and select the Kerberos item.

Figure 21: WSP Administration - Adding a Kerberos Domain

3. Click the Add button to create a new Kerberos domain; the following screen is shown:

Figure 22: Configuring a Kerberos Domain

The fields on this screen are as follows:

Name – here you must enter a name to be given to this domain, for example Kerberos Domain.

These fields are in the Global Settings panel:

Comment – here you insert a comment to be seen by the users of this domain.
Default Realm – the name of the realm that is the default for this configuration.
Clock Skew – the number of seconds the clocks of the two communicating machines are allowed to diverge from each other and still be authenticated. The default is 300.
Ticket Lifetime – the length of time in seconds that a ticket is valid for authentication purposes.
Renewable Lifetime – the length of time in seconds that a ticket can be renewed to continue a single session.
Allow Initial Ticket – check this box to allow the initial Kerberos ticket to be used for subsequent connections to this server.

4. Select the new Kerberos Domain item from the Domains element of the tree and click Add to create a new Kerberos server.

Figure 23: Configuring a Kerberos Server

5. Enter the values that specify this server and how to connect to it in the tab:

Name – enter a name of your choice for this server, for example Kerberos Server.
IP Address – enter the IP address of the Kerberos server in this field.
Port – enter the port under which the Kerberos server is available. The default is port number 88.
Timeout – the time in seconds before an authentication attempt is automatically failed. The default is 60 seconds.
Retry After Error – the delay in seconds to wait before authentication can be attempted again following a failure. The default period is 120 seconds.
Maximum Ticket Size – the maximum allowable size in bytes for a Kerberos ticket. The default is 2048 bytes.
Maximum Sessions – the maximum number of concurrent sessions that can run on the Kerberos server at any one time. The default is 10 sessions.

Click File > Save in the main menu to save the data entered here.

7.5.2 With an External LDAP

Kerberos servers are used specifically for authentication; they are not used for configuration storage. HOB RD VPN allows the use of external LDAP servers and domains for configuration storage. When Kerberos is used for authentication with HOB RD VPN, as soon as the user is authenticated by the Kerberos server the configuration for that user is pulled from the configuration storage of the external LDAP, based on the unique username of that user. In this case the configuration for the user may be created automatically based on the group membership of that user, or it must be created manually for that user.

7.5.3 With an Integrated LDAP

When an external authentication service is used (in this case Kerberos), the HOB RD VPN integrated LDAP may be used. There are two variations:

With Create User Automatically – when this functionality is activated, on the authentication of a user by Kerberos when logging into HOB RD VPN, the user is created automatically by HOB RD VPN in the internal LDAP and can be modified later by the administrator. Configurations that are not inherited can be created after the first login of the user.
Without Create User Automatically – if this functionality is not activated, on the authentication of a user by Kerberos when logging into HOB RD VPN, the configuration for that user is pulled from those created by the administrator and stored in the integrated LDAP. The user and the configuration of this user must be configured by the administrator before the user logs in for the first time.

1. Open the HOB RD VPN WebSecureProxy configuration program as shown in the earlier section, Section 7.2.3 Configuring an Integrated Directory Service on page 104.

2. Select the Domains element of the left-hand tree and click Add on the right of the screen to add a new Kerberos domain.

Figure 24: Adding a Kerberos Domain

This dialog has the following fields in the Authentication Service panel:

Type – select Kerberos from the dropdown box.
Name – the name of this authentication service; it is given the name Kerberos Domain by default and cannot be edited.
Display Name – the name under which this particular domain is identified if there is more than one domain operating from the same base configuration.
Use as default – check this box to use this authentication service as the default service.

The Configuration Storage panel has the following fields:

Name – the name of this storage.
RDN Base – the base domain configuration. This cannot be edited.
Domain Administrators Group DN – this field must specify a group object (not an OU) of which all domain administrators are members. All members of this group are allowed to change the configuration of other users within the same domain.

The following are the fields in the Administrative Account panel:

DN – the DN for the administrator of this domain. This administrator user is used in the background to change the configurations if a domain administrator uses the HOB EA Administration.
It is also used when a user changes their own configuration (if the user has permission to do this).
Password – enter a password for this account here.
Create User Automatically – check this box to create users automatically. The following fields are also in this panel:
Default group – enter the default group to be used for users created automatically here.
Default tree RDN – enter the tree RDN for automatically created users here.

Click Add to save the data and clear the fields to enter new data, Add & Close to save this data and close this dialog, or Cancel to close the dialog without saving.

7.6 Kerberos Single Sign-on

This setting allows the use of the Kerberos Single Sign-on protocol (a standard computer network authentication protocol) to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It provides mutual authentication: both the user and the server verify each other's identity through the use of Kerberos tickets.

With this feature a user logs on once to the network through an initial system login and gains access to all systems on that network without being prompted to log on again to each of them. Additional software applications requiring authentication (e-mail clients, wikis, revision control systems, etc.) use the ticket-granting ticket to acquire service tickets that prove the identity of the user to the e-mail server, wiki server, etc. without prompting the user to re-enter credentials.

In a Windows environment your logon fetches the Kerberos ticket-granting ticket (TGT). Directory-service-aware applications fetch service tickets, so the user is not prompted to re-authenticate.

In a UNIX/Linux environment your logon via Kerberos fetches the TGT, which is stored within the HOB WSP. Kerberized client applications such as Evolution, Firefox, SVN and many others use service tickets, so the user need not reauthenticate.
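The Kerberos domain and server settings of 7.5.1 (Clock Skew, Ticket Lifetime, Renewable Lifetime, Maximum Ticket Size, Allow Initial Ticket) all act as acceptance limits on the tickets described in this section. The following Python example is added here to show how those limits combine when a ticket is evaluated; it is not part of the HOB documentation or of HOB RD VPN, and it does not parse real Kerberos messages. The ticket fields and the reference clock are constructed, the lifetime defaults in KerberosPolicy are assumed sample values (the guide states defaults only for Clock Skew and Maximum Ticket Size), and the reading of Allow Initial Ticket as "accept a ticket obtained with the initial credentials for a later connection" is this example's assumption.

```python
"""Constructed example: checking a ticket against the Kerberos settings of 7.5.1."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class KerberosPolicy:
    clock_skew: int = 300              # seconds, default from the guide
    ticket_lifetime: int = 36000       # seconds, assumed sample value
    renewable_lifetime: int = 604800   # seconds, assumed sample value
    max_ticket_size: int = 2048        # bytes, default from the guide
    allow_initial_ticket: bool = True


@dataclass(frozen=True)
class Ticket:
    principal: str
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]
    size_bytes: int
    initial: bool   # obtained directly with the user's credentials (assumption: the TGT)


EXPIRED = "ticket has expired"
NOW = datetime(2014, 12, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference clock


def check_ticket(t: Ticket, p: KerberosPolicy, now: datetime) -> List[str]:
    """Return the reasons a ticket is not acceptable under the policy (empty if fine)."""
    skew = timedelta(seconds=p.clock_skew)
    problems: List[str] = []
    if t.size_bytes > p.max_ticket_size:
        problems.append(f"ticket is {t.size_bytes} bytes, Maximum Ticket Size is {p.max_ticket_size}")
    # Clock Skew is applied in both directions: a ticket whose start time is
    # slightly in our future (issuer clock ahead of ours) is still accepted.
    if now < t.starttime - skew:
        problems.append("ticket start time is further ahead than Clock Skew allows")
    if now > t.endtime + skew:
        problems.append(EXPIRED)
    if t.endtime - t.starttime > timedelta(seconds=p.ticket_lifetime):
        problems.append("ticket validity exceeds Ticket Lifetime")
    if t.renew_till is not None and t.renew_till - t.starttime > timedelta(seconds=p.renewable_lifetime):
        problems.append("renew-till exceeds Renewable Lifetime")
    if t.initial and not p.allow_initial_ticket:
        problems.append("initial ticket presented but Allow Initial Ticket is off")
    return problems


def can_renew(t: Ticket, p: KerberosPolicy, now: datetime) -> bool:
    """An expired ticket may still be renewed inside its renewable window,
    provided nothing else about it violates the policy."""
    if t.renew_till is None or now > t.renew_till + timedelta(seconds=p.clock_skew):
        return False
    return not [x for x in check_ticket(t, p, now) if x != EXPIRED]


def make_ticket(start_offset_s: int, lifetime_s: int = 28800, renewable_s: int = 604800,
                size_bytes: int = 1500, initial: bool = False) -> Ticket:
    """Helper building constructed tickets relative to NOW."""
    start = NOW + timedelta(seconds=start_offset_s)
    return Ticket("user1@EXAMPLE.REALM", start, start + timedelta(seconds=lifetime_s),
                  start + timedelta(seconds=renewable_s), size_bytes, initial)
```

The skew check is the one that bites in practice: a ticket issued by a KDC whose clock is 4 minutes ahead passes with the default Clock Skew of 300 seconds, one issued 6 minutes ahead is refused, which is why an unexplained run of refusals usually points at time synchronisation rather than at credentials.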
The Kerberos protocol uses Port 88 by default.

7.7 HOB LDAP Scheme Extension

Storing HOB-specific data with an element requires certain HOB object classes to be available for certain LDAP elements. The HOB LDAP Scheme Extension allows you to define and expand on the attributes and classes used in your directory services. The existing set of classes and attributes provided by HOB is sufficient for most applications. However, the scheme is extensible, which means that you can define new classes and attributes.

As an LDAP Scheme Extension is a security-critical operation, it usually requires certain administrator rights on the server systems. You can find all necessary information on the HOB LDAP Scheme Extension in Chapter 38 HOB LDAP Scheme Extensions.

The HOB LDAP Scheme Extension can be used with the following LDAP systems:
To use the HOB LDAP Scheme Extension for Microsoft Active Directory see Section 38.1 Scheme Extension for Microsoft Active Directory
To use the HOB LDAP Scheme Extension for OpenDJ see Section 38.2 Scheme Extensions for OpenDJ
To use the HOB LDAP Scheme Extension for OpenLDAP see Section 38.3 Scheme Extensions for OpenLDAP
To use the HOB LDAP Scheme Extension for IBM SecureWay Directory Server see Section 38.4 Scheme Extensions for IBM SecureWAY Directory Server

If you have any difficulty in executing the LDAP scheme extension according to the instructions given under the above referenced links (for example due to conflicting versions), you can always insert the HOB-specific object classes manually.

8 Roles and Users

HOB RD VPN is a software solution that configures the many different resources (servers, clients, applications, etc.) of your enterprise to work together with optimum efficiency.
HOB RD VPN organizes these resources into roles (Administrator, Power User and User are the names of the three default roles preconfigured by HOB RD VPN; you can define, configure and use other roles according to the demands of your enterprise), and it is the membership of these roles that determines when and how the individual resources of the system are best employed. Roles can be placed in groups, and the properties of the group can be inherited by all the members of that group.

A Role in HOB RD VPN can be defined as the set of permissions and functions assigned to the users of HOB RD VPN.

A User in HOB RD VPN can be defined as a staff member of your enterprise or a business partner who is allowed to use the resources of your network and access your company data.

The resources in your system can be assigned to any role at any time by being configured for multiple roles or groups. The role that then governs that resource is determined by the priority that is assigned to that role.

HOB RD VPN contains an integrated directory service user database to manage the users, but any already established directory service that is used in your enterprise can easily be combined with HOB RD VPN to administer the users and resources in your network.

All roles and users must be configured:
In the HOB RD VPN Administration interface
In the HOB WebSecureProxy

It is the responsibility of the server administrator to ensure that all users have received the required instruction in the correct use of this product. Please refer to Chapter 30 HOB RD VPN Evaluated for Common Criteria for more information on this topic. To satisfy the needs of the evaluation for Common Criteria, only a role with access rights similar to those set for the default role "User" can be used as a standard for your users.

8.1 Configuring Roles and Users in HOB WebSecureProxy

To configure users and their roles in the HOB WebSecureProxy you need to open the HOB RD VPN administration portal.
The HOB administration portal is opened as described here:

As a domain administrator, open a browser and log on to HOB RD VPN. When the HOB Navigation Screen opens, click the User Configuration link. You will need to authenticate again when the HOB EA Administration program opens.

Figure 1: HOB RD VPN Navigation Screen

Alternatively, go to the Start Menu of your workstation (for example a Windows 7 workstation) and click the application button HOB EA Administration (HOB EA Administration icon).

As a global administrator, open a browser and log on to HOB RD VPN. In the global administrator navigation screen select EA-Admin (the user configuration interface) and the administration portal opens directly. You will need to authenticate again when the HOB EA Administration program opens.

Figure 2: HOB EA Administration

From this screen you can select the WebSecureProxy blue object from the right-hand panel as shown above, then click the Configure button at the bottom, as in this screen:

Figure 3: HOB EA Administration - Configure WebSecureProxy

This brings the main configuration tool for HOB RD VPN, the HOB WebSecureProxy interface, on screen, as shown here:

Figure 4: HOB WebSecureProxy Configuration

Once the WSP Administration portal has opened, select the element Roles from the organization hierarchy on the left. There are three default settings here (User, Power User and Domain Administrator) for initial use, but these may be edited as you wish. You may also define as many roles as you wish according to the conventions of your company. Use the Add and Remove buttons at the bottom of the organization hierarchy on the left to add or remove roles in the organization, or select from the list of roles the role you wish to configure. The examples shown below are for a standard User Role.
In the Settings screen (see Home below) there is the Name text field where you enter the name of the role you are configuring, and there are two tabs, as follows:
Requirements
Privileges

8.1.1 Configuring Roles – Requirements Tab

The Requirements tab holds the required settings for the role. Under HOB WSP > Requirements there is a tab field containing the following two sub-tabs:
General
Members

Requirements – General Tab

This screen shows the General tab under HOB WSP > Roles > Requirements:

Figure 5: Roles - Users - Requirements - General

Here you can enter the following information for this role:

Compliance Check – select the desired Compliance Check from the list of available configured compliance checks in the dropdown box. See Chapter 25 HOB Compliance Check for more information on this subject.
Priority – the priority from 1 (lowest importance) to 100 (highest importance) assigned to this compliance check. Each role or user can be subject to multiple compliance checks depending on the desired and allowed access settings, and each check can be assigned a specific priority value. The check with the highest priority is assigned to the user on logon.

Requirements – Members Tab

This tab shows the servers, each on a separate sub-tab, that hold the configuration of this role, making access to each server possible for those of your users with this role. In the example shown here the User role is a member of the rdvpn and Internal LDAP servers, as shown by the names of the sub-tabs below the Members tab.

Figure 6: Roles - Users - Settings – Requirements - Members

These buttons are on the Settings tab and allow you to do the following:

Add – use this button to display the following popup, where you can add a new membership for all users with this role.
Figure 7: Roles - Select Members

In this popup you use the buttons at the bottom to make your selection, and you can use the Search filter at the top right to help locate a specific attribute for a user configuration you wish to select.

Edit – click this to display a popup (identical to the Add Member popup shown above) where you can edit the selected membership.
Remove – use this button to remove the selected membership from the list.

8.1.2 Configuring Roles – Privileges Tab

The Privileges tab holds the access permissions for the user. Under this tab there are five sub-tabs:
Properties
Portlets
Server Lists
Target Filters
User Settings

Privileges Tab – Properties

Using this tab you can assign the following settings for the user when logging on to the selected role:

Figure 8: Roles - Users Privileges - Properties

GUI Scheme – here you can decide on the font color of the user portal and navigation screens, and whether the banner is shown.
Page After Login – here you set the page the user sees by default directly after a successful login.
Minimum Idle Time (min) – set the amount of time in minutes the session can remain idle before it is timed out and closed. The default time is 30 minutes.
Maximum Relogin Time (min) – here you set the maximum allowable time the session can be open before the user must log in again to keep the session open. The default time is 480 minutes.
Browser caching – check to allow browser caching for this role.
Login Cookie – check to allow the cookies for the login page to be stored.

Privileges Tab – Portlets

Here you can determine the portlets, or the links to the functionality of HOB RD VPN, that are to be available to each role. Portlets are assigned to each user according to the role that has been assigned to that user.
Figure 9: Roles - Users Privileges - Portlets

The buttons to the right of the Portlets tab allow you to do the following:

Add... – use this button to add a new portlet (enter the name and the state, whether opened or closed) for all users with this role.
Edit... – this button lets you open the selected portlet for editing.
Remove – this button allows you to remove the selected portlet from the list.
Up – allows you to set the order in which the portlets appear on the navigation screen for this role, moving the selected portlet up.
Down – allows you to set the order in which the portlets appear on the navigation screen for this role, moving the selected portlet down.

Privileges Tab – Server Lists

Here you set which server lists are available for access by the users assigned to this role. A server list is created as the target for each Outgoing Connection that you configure. The server lists shown in the panel in the following screen are all defaults created by HOB RD VPN.

Figure 10: Roles - Users - Privileges - Server Lists

The buttons on the Server List tab allow you to do the following:

Check All – selects all available server lists shown in the server list panel.
Clear All – deselects all available server lists.

Privileges Tab – Target Filters

Here the target filters that are to be assigned to the role can be selected. A Target Filter is an extra security feature that restricts the user from accessing targets that have not been configured by the administrators (e.g. unauthorized Internet sites). Target Filters are created by selecting Target Filters in the organization hierarchy and using the Add button. For more information see Chapter 26 HOB Target Filters.

Figure 11: Roles - Users - Privileges - Target Filters

Target Filter – select the target filter to be used for this role from the list of already configured target filters in the dropdown box.
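Chapter 8 states three resolution rules: a resource configured for several roles is governed by the role with the highest priority, the compliance check with the highest priority (1 to 100) is the one applied at logon, and a role placed in a group inherits the group's properties. The following Python example is added here to show those rules working together on a small role set; it is not part of the HOB documentation or of HOB RD VPN, whose internal representation of roles is not described on this page. The role names other than the defaults, the compliance check names and the group relationship are constructed; the 30-minute idle and 480-minute relogin values are the defaults the Properties sub-tab states.

```python
"""Constructed example: role priority, compliance-check selection and group
inheritance as described in chapter 8 Roles and Users."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass
class Role:
    name: str
    priority: int                           # 1 (lowest) .. 100 (highest)
    compliance_check: Optional[str] = None  # None = inherit from group
    group: Optional[str] = None             # role group this role belongs to
    idle_timeout_min: Optional[int] = None  # None = inherit from group
    relogin_min: Optional[int] = None

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"priority of {self.name} must be 1..100")


def effective_property(roles: Dict[str, Role], name: str, attr: str, default=None):
    """Walk up the group chain until some role sets the property."""
    seen: Set[str] = set()
    current: Optional[Role] = roles[name]
    while current is not None:
        if current.name in seen:
            raise ValueError(f"role group cycle at {current.name}")
        seen.add(current.name)
        value = getattr(current, attr)
        if value is not None:
            return value
        current = roles[current.group] if current.group else None
    return default


def governing_role(roles: Dict[str, Role], user_roles: Iterable[str],
                   resource_roles: Set[str]) -> Optional[str]:
    """A resource configured for several roles is governed, for this user,
    by the highest-priority role the user holds among them."""
    candidates = [roles[r] for r in user_roles if r in resource_roles]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.priority).name


def compliance_check_at_logon(roles: Dict[str, Role], user_roles: Iterable[str]) -> Optional[str]:
    """Of all checks the user's roles impose, the one with the highest priority is applied."""
    ranked = []
    for r in user_roles:
        check = effective_property(roles, r, "compliance_check")
        if check is not None:
            ranked.append((roles[r].priority, check))
    return max(ranked)[1] if ranked else None


ROLES = {  # constructed role set; "User" carries the guide's default timeouts
    "User": Role("User", priority=20, compliance_check="os-patch-level",
                 idle_timeout_min=30, relogin_min=480),
    "Power User": Role("Power User", priority=60, compliance_check="av-present",
                       idle_timeout_min=15, relogin_min=240),
    "Finance": Role("Finance", priority=80, group="Power User"),  # inherits what it leaves unset
}


def demo() -> tuple:
    """A user holding User and Finance: which role governs a shared resource,
    which check runs at logon, and which idle timeout Finance inherits."""
    user_roles = ["User", "Finance"]
    return (governing_role(ROLES, user_roles, {"User", "Finance"}),
            compliance_check_at_logon(ROLES, user_roles),
            effective_property(ROLES, "Finance", "idle_timeout_min", 30))
```

Note that the higher-priority Finance role wins both the resource and the compliance check even though it sets no check itself: it inherits av-present from its group, which is the behaviour to keep in mind when a loosely configured role is given a high priority.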
Privileges Tab – User Settings

Under this tab you can assign the bookmarks and other settings for all of the users that are to be assigned this role.

Figure 12: Roles - Users - Privileges - User Settings

Bookmarks for WebServerGate – check to activate Web Server Gate bookmarks for this role. See Chapter 17 HOB RD VPN Web Server Gate – Intranet Access for more information.
Bookmarks for WebFileAccess – check to activate Web File Access bookmarks for this role. See Chapter 19 HOB RD VPN Web File Access for more information.
Bookmarks for Sessions – check to activate bookmarks for the Sessions you wish to open for this role. See Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT for more information.
Desktop-on-Demand Configuration – check to enable the Desktop-on-Demand configuration for this role. See Chapter 12 HOB RD VPN Desktop-on-Demand for more information.
Other Settings – check to allow other settings for this role.

8.2 Configuring Roles and Users in HOB RD VPN Administration

In the HOB RD VPN administration interface you can review and manage the settings and values of each element of the configuration for each role and user individually. This can be done through the HOB RD VPN administration interface using the Properties and Configure buttons. These buttons are found at the bottom of the HOB RD VPN administration interface.
At the bottom of the HOB RD VPN administration interface you can also find the dropdown box where you select the part of the database that you want to access for editing, whether User Settings, Utilities, the HOB WebSecureProxy, and so on:

[icon] use this button to display the properties of the selected resource
[icon] use this to open the configuration tool for the selected resource
[icon] use the arrow on the left of this dropdown box to select the part of the database to be edited

Go to HOB EA Administration and select a domain resource that you wish to manage.

Figure 13: HOB EA Administration Start

Select a domain (in this example two domains, dc=hobsoft and dc=internal, are shown) and then select an object from within the selected domain. Here the object ou=users was selected. Now select an element within this object, for example cn=user1, and click the Properties button. In the dialog that appears you can see the full name of this object in the title bar. In the dialog itself there are two tabs, Properties and Membership, containing the data stored for the domain resource (for example cn=user1) that you have selected. Use this dialog to edit or update the selected resource.

Figure 14: HOB RD VPN Domain Administration - Properties

Account – the name of the resource you wish to see.
Set the password – check this so that you, as the administrator, bring up a dialog where you set the logon password that must be used by this user.

Click the LDAP Details button to see the directory service entry for this resource, and the following dialog is displayed.

Figure 15: HOB RD VPN - LDAP Attribute Details

Here you can see the Attribute Name and Attribute Value currently stored in the configuration storage for this resource, cn=user1.
[icon] use this button to add another attribute
[icon] use this button to remove a selected attribute
[icon] use this button to edit the selected attribute
[icon] use this button to close this dialog, saving any changes to this resource

The Membership tab allows you to manage the memberships that belong to the user resources in this domain:

Figure 16: HOB RD VPN Domain Administration Properties Membership

Here you see each membership for this resource. Use the Add Membership and Delete Membership buttons to add your users and objects to groups, or delete memberships that are no longer suitable for this resource. The OK button saves any changes and closes this dialog; the Cancel button closes the dialog without saving the changes.

For more information on how to create a new user, group or administrator, please see Section 6.3 Creating a New Global Administrator.

8.3 Configuring HOB RD VPN 2.1

HOB RD VPN allows you to configure many elements of the resources in your network and gives you the flexibility to adapt HOB RD VPN to your requirements and those of your company and its policies. What you can configure depends on the element currently selected in your hierarchy. For example, User Settings can only be configured if an element of type User is selected, and the WebSecureProxy can be configured only if an element of type Object is selected.

Select the resource area to configure from the dropdown box (see the following figure) and click Configure.

Figure 17: HOB EA Administration - Configure

The resources of HOB RD VPN can be configured according to the following areas:
HOB RD VPN 2.1
Sessions
Utilities

8.3.1 Configuring HOB RD VPN 2.1

Under this heading, the settings for HOB RD VPN can be configured.
The settings that can be configured here are as follows:
User Settings
HOBPhone
HOBLink JWT
WebSecureProxy blue
WSP Universal Client

Configuring User Settings

Under User Settings you can create bookmarks, configure Desktop-on-Demand, create Personalized IP addresses and more. To edit a user, for example, select User Settings from the dropdown box and click Configure. The following screen shows the settings that can be configured for the element of the default Hobsoft domain: ou=users,dc=hobsoft,dc=root.

Figure 18: HOB RD VPN - User Settings Configuration

Select the setting from the list on the left to which you wish to add and click the Add button at the bottom. This opens the specific dialog page for that element. Elements that have already been added for this user are shown in the panel on the left and can be freely selected from there for further editing or removal. Use the Save button at the bottom of the screen to save your changes and continue, and the Close button to finish making changes and exit when you are finished with the User Settings dialog. These are standard buttons on each screen of this portal.

Bookmarks – WebServerGate

A bookmark is a locally stored Uniform Resource Locator (URL) to a required or requested internet resource. Following a successful logon, the initial Welcome page contains the bookmarks within the portlets that are configured here. These bookmarks give the users access to web applications and the company intranet, using the links to the features and applications for which they have access rights and permissions. Make sure that the WebServerGate portlet is added to the specific role of the selected user.

Figure 19: HOB RD VPN - User Settings - Bookmarks

From this screen select the Bookmark element WebServerGate and click Add.
You will see the following screen:

Figure 20: HOB RD VPN - User Settings Bookmarks - Web Server Gate

Name – enter a name for the bookmark here.
URL – enter the desired URL here.
Search Network – use this button to locate the URL for any desired bookmark.
Up, Down – these buttons move the bookmark within the bookmark list on the left.

Use the Save button to save any changes to this setting; use Close to close this screen without saving any changes.

Bookmarks – WebFileAccess

HOB WebFileAccess enables remote access to file servers, and the path, a locally stored Uniform Resource Locator (URL), used for this access can be stored as a bookmark for ease of use. To configure a WebFileAccess bookmark, select the element WebFileAccess from the User Settings screen and click Add to bring up the following screen:

Figure 21: HOB RD VPN - User Settings Bookmarks - Web File Access

Name – enter a name for the bookmark here.
URL – enter the desired server name or file share name here.
Use Credentials – enable this checkbox to make users of this bookmark authenticate themselves to receive access.
Username – enter the username to be used for access with this bookmark.
Password – enter the password that matches the username entered above.
Confirm Password – enter the password again to confirm it.
Up, Down – these buttons move the bookmark within the list of configured bookmarks.

Use the Save button to save any changes to this setting; use Close to close this screen without saving any changes. Make sure that the WebFileAccess portlet is added to the specific role of the selected user.

Desktop-on-Demand

The Desktop-on-Demand feature allows you to connect not only to servers in your network, but also to user-specific workstations within your network to which you currently have access rights.
Desktop-on-Demand operates by using the Host IP address of the target workstation belonging to a specific user. The MAC address of the user workstation is required when the Wake-on-LAN feature is also to be activated. For more information about this feature see Chapter 12 HOB RD VPN Desktop-on-Demand.

To set up a Desktop-on-Demand portal, select the Desktop-on-Demand element in the list on the left of this screen and click Add. This brings up this screen:

Figure 22: HOB RD VPN - User Settings - Desktop-on-Demand

Name – here you enter the name of the Desktop-on-Demand setting.
Host IP Address – enter the IP address of the computer to be connected to in this field.
MAC Address – enter in this field the MAC address of the computer to be woken.
Search – use this search button to fetch the MAC address of the specified machine and enter it into the MAC Address field. This functions only when a valid IP address has already been entered above.
Port – this is the port to be used for the Desktop-on-Demand connection. The default port number is 3389.
Delay (sec) – enter the time allowed in seconds for the desired machine to be woken before the attempt is considered a failure.
Test the Current Settings – use this button to test that the entered settings are correct and the desired machine can be woken on demand.

Use the Save button to save any changes to this setting, use Close to close this screen without saving any changes.

Personalized IP Addresses

The User Settings screen also lets you manage specific IP addresses for HOB PPP Tunnel Endpoints and the HOB SSL Identifier.

Figure 23: HOB RD VPN - User Settings - Personalized IP Addresses

In this screen, select the element you wish to configure and click Add.

Tunnel Endpoints

When creating a secure HOB PPP Tunnel, IP addresses must be specified here as the possible endpoints for the connection.
These virtual addresses are the only ones visible inside the network where the target server resides, acting as the internal endpoint of your PPP Tunnel. These specified endpoints must be unique addresses in your network.

Figure 24: HOB RD VPN - User Settings - Personalized IP Addresses - Tunnel Endpoints

Add – use this button to add the desired IP address to the list of those available.
Remove – use this button to remove the selected IP address from the list.

Use the Save button to save any changes to this setting, use Close to close this screen without saving any changes. See Chapter 22 Using the HOB PPP Tunnel for Network Access for more information about the Personalized IP Addresses feature.

SSL Identifier

The HOB SSL Identifier is a feature developed by HOB that enables the sender of a message to be identified by a personalized IP address associated with their user logon, rather than by the IP address of the HOB WSP. You enter this specific IP address here, and the user then carries this IP address throughout their connection to the network, thus remaining permanently identifiable.

Figure 25: HOB RD VPN - User Settings - Personalized IP Addresses - SSL Identifier

Add – here you add the desired IP address to the list of SSL Identifier addresses. Each user may have multiple addresses to identify them, but each IP address can be assigned to only one user.
Remove – use this button to remove the selected IP address from the list.

Use the Save button to save any changes to this setting, use Close to close this screen without saving any changes. See Chapter 27 SSL Identifier for more information about this feature.

Messages

Under Messages you can specify any messages that you wish to be shown to the users each time they log on to the system.
Select the Messages element from the User Settings screen and click Add to display the following screen:

Figure 26: HOB RD VPN - User Settings - Messages

Message – enter the desired message in the text field. This message is displayed to the user, based on the role for which they are authenticated, when they log on to the network. The message must be entered in HTML syntax so that it can be displayed with the desired formatting. Because the HTML is rendered as entered in the browser of every user who receives it, only trusted administrators should edit this field.

Use the Save button to save any changes to this setting, use Close to close this screen without saving any changes.

Others

This screen contains additional settings you can assign to your users. There are two settings under this heading: enabling the flyer (a floating popup) and setting the display language that your users see on screen.

Figure 27: HOB RD VPN - User Settings - Others

Activate the Flyer – check this box to enable the flyer. When activated, the flyer is displayed as a floating popup on all screens. The flyer contains two icons:
Home – use this to return to the Home page of HOB RD VPN.
Log Out – use this to log out of HOB RD VPN and close the program.
Language – select the language for the interface from the language dropdown box. Currently English and German are the only languages available; more languages will be available with later releases of this product.

Use the Save button to save any changes to this setting, use Close to close this screen without saving any changes.
For more details about the following settings, see the relevant chapters:

HOBPhone – see Chapter 23 HOBPhone
HOBLink JWT (with only HOBLink JWT Stand-Alone installed) – see Chapter 11 Remote Desktop Computing using HOBLink JWT Webstart
HOB WebSecureProxy – see Section 8.1 Configuring Roles and Users in HOB WebSecureProxy
HOB WSP Universal Client – see Chapter 24 HOB WSP Universal Client

8.3.2 Configuring Sessions

The following types of sessions can be configured here:

HOBLink JWT

HOBLink JWT is the RDP client application component used by HOB RD VPN to connect client machines to any RDP-capable server, including those running Microsoft Remote Desktop Services, or to Microsoft Windows desktops. For more information see Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT.

HOBLink J-Term

HOBLink J-Term is the multi-protocol-capable client application for accessing host systems via SSH, VT, TN3270, TN5250, HP700 and Siemens 9750. The dialogs here allow you to set how these terminal sessions are connected and how they appear to the user on the client machine. For more information see Chapter 16 Terminal Emulations.

HOBLink FTP

File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet. This dialog allows you to set how your FTP session is connected and how it appears to the user on the client machine. For more information see Section 16.4 Configuring Telnet Targets.

HOBLink SSH

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between two networked computers. HOBLink SSH connects two or more machines via a secure channel over an insecure network, one machine running the SSH server and the other or others running the SSH client.
This dialog allows you to set how the SSH session is connected and how it appears to the user on the client machine. For more information see Chapter 15 Remote Desktop Access using SSH.

8.3.3 Configuring Utilities

Under Utilities you manage the transfer of a session, along with its data and settings, from one version of the application to a more current version. You can also generate and maintain the authentication certificates of your users. There are two types of utilities that can be configured here:

JWT Migration

Use this utility to migrate an older HOBLink JWT configuration to a current version of the application.

User Certificates

This utility allows you to manage the certificates used to authenticate your users: reviewing the information contained in the certificates, validating them and creating new ones. There are three tabs on this dialog:

X.509 Certificates
Certificate Identification
Create Certificate Identification

X.509 Certificates

X.509 is a security standard that specifies, amongst other things, the standard formats for public key certificates, certificate revocation lists and certification path validation. In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name, or to an alternative name such as an e-mail address or a DNS entry. This dialog displays the Subject DN and the Issuer DN. This is the information contained in the X.509 certificate that you use to authenticate your users.

Figure 28: Utilities Administration Screen - X.509 Certificates

On this screen you can use the following buttons to help manage the certificates:

Import (icon button) – use this button to import a certificate into the list of X.509 certificates required for authentication. Files for import must have one of the following formats: binary DER, Base64 encapsulated DER, PKCS#7.
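Which of the three accepted formats a file actually is can be checked before it is handed to the Import dialog. The following Python is an added example, not HOB code and not the product's own import routine: it recognizes a Base64 encapsulated (PEM-armoured) file, strips the armour, and parses the outer DER structure strictly enough to tell a bare X.509 certificate from a PKCS#7 SignedData container, rejecting BER indefinite lengths, non-minimal lengths, truncation and trailing data. The sample inputs at the bottom are constructed skeletons with the right outer structure, not real certificates.

```python
"""Added example: classify a certificate file as binary DER, Base64
encapsulated DER or PKCS#7 before import. Constructed for this guide; not HOB code."""
import base64
import re

# Contents octets of OID 1.2.840.113549.1.7.2 (pkcs7-signedData)
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
SEQUENCE, OID, INTEGER, BIT_STRING = 0x30, 0x06, 0x02, 0x03


def der_tlv(buf: bytes, off: int = 0):
    """Parse one DER tag-length-value at <off>; return (tag, value, end).
    Length handling is where certificate parsers historically went wrong,
    so every form that DER forbids is rejected explicitly."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first & 0x80:
        n = first & 0x7F
        if n > 4 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length encoding")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("length exceeds available data")
    return tag, buf[off:off + length], off + length


def classify_der(data: bytes) -> str:
    """Distinguish a bare Certificate from a PKCS#7 SignedData wrapper by the
    first element of the outer SEQUENCE: tbsCertificate (a SEQUENCE) in the
    former, the contentType OID in the latter."""
    tag, body, end = der_tlv(data)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, inner_val, _ = der_tlv(body)
    if inner_tag == OID and inner_val == PKCS7_SIGNED_DATA:
        return "PKCS#7 SignedData"
    if inner_tag == SEQUENCE:
        return "X.509 certificate (binary DER)"
    raise ValueError("unrecognized DER structure")


PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify_import_file(data: bytes) -> str:
    """Entry point: PEM armour is removed and the payload classified;
    anything else is treated as binary DER."""
    m = PEM_RE.search(data)
    if m:
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        return "Base64 encapsulated DER: " + classify_der(der)
    return classify_der(data)


# ---- constructed sample inputs (structure only, not real certificates) ----
def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


SHA256_RSA = bytes.fromhex("2a864886f70d01010b")          # 1.2.840.113549.1.1.11
SAMPLE_CERT_DER = tlv(SEQUENCE,
    tlv(SEQUENCE, tlv(INTEGER, b"\x02"))                  # stand-in tbsCertificate
    + tlv(SEQUENCE, tlv(OID, SHA256_RSA))                  # signatureAlgorithm
    + tlv(BIT_STRING, b"\x00" * 257))                      # placeholder signature, long-form length
SAMPLE_P7_DER = tlv(SEQUENCE, tlv(OID, PKCS7_SIGNED_DATA) + tlv(0xA0, tlv(SEQUENCE, b"")))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_CERT_DER)
              + b"-----END CERTIFICATE-----\n")
```

Run `classify_import_file()` over the bytes of the file you are about to import; a `ValueError` means the dialog will either reject it or, worse, accept something the parser here would not, which is worth knowing before the certificate is trusted for user authentication.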
When importing a certificate, this button brings the following dialog on screen. Here you select the certificate you wish to import and then click Open.

Figure 29: X.509 Certificates - Import

Export (icon button) – this button lets you export the selected certificate to another machine that the user, authenticated on one machine, needs to use.
Details (icon button) – this shows the selected certificate in more detail, with version number, date of issue, and more.
Delete (icon button) – this button allows you to delete the selected certificate.
Help (icon button) – use this button to call up the HOB RD VPN Help on this topic.
OK (icon button) – click to save any changes, close this dialog and return to the previous screen.

Certificate Identification

This dialog displays the Subject DN and the Issuer DN. This is the information about the issuer of the certificate that you use to authenticate the certificate.

Figure 30: Utilities Administration Screen - Certificate Identification

Add (icon button) – use this to add a new certificate to those in your network.
Update (icon button) – this allows you to update the selected certificate.
Delete (icon button) – this button allows you to delete the selected certificate.
Retrieve (icon button) – this button allows you to retrieve a certificate from the X.509 certificates.
Help (icon button) – use this button to call up the HOB RD VPN Help on this topic.
OK (icon button) – click to save any changes, close this dialog and return to the previous screen.

Create Certificate Identification

This dialog displays the details about the current configuration that you can extract to create a new authentication certificate.

Figure 31: Utilities Administration Screen - Create Certificate Identification

Include sublevels – check this box to include all sublevels of the current configuration under the current root configuration.
Create (icon button) – click to take the required information from the selected configuration file to create a new certificate.
Help (icon button) – use this button to call up the HOB RD VPN Help on this topic.
OK (icon button) – click to save any changes, close this dialog and return to the previous screen.

9 Defining Targets in the HOB WSP

In any network you connect from one computer (your client computer or desktop) to another (a target computer or a target group of computers) using RDP and other widely used protocols. Where there are multiple target computers you need servers to administer them and to facilitate the connections between them. To establish a connection to a new target you need to configure an outgoing connection from your computer to that target. This configured connection must contain a name for the connection to the desired target computer or target group of computers (the group being collected together in the form of a Server List), a type or mode of connection, the predefined protocol to be used, and other information to ensure that the connection is successful.

9.1 Creating a Target

To create a target, follow these steps:

1. Open the HOB RD VPN administration interface as described in the previous chapters.
2. Select the object WebSecureProxy from your hierarchy.
3. Select the function WebSecureProxy from the dropdown box at the bottom and click the Configure button. This opens the HOB WebSecureProxy configuration screen.
4. Under Outgoing Connections in the hierarchy panel on the left you can see the list of predefined targets. Select the target type you wish to configure (for example an RDP target) and you will see the following screen:

Figure 1: Outgoing Connection - RDP Target Configuration

This opening screen for configuring RDP Targets is used here as an example; the same procedure is used for setting up other target types.

5. Click Add to create a new target for this outgoing connection type; the Server List screen for this target is displayed. This Server List screen enables you to set up a list of servers that will be accessible to the users who have this target configured for their role.

Figure 2: Outgoing Connection - RDP Target Configuration - Server List

Name – in this field you enter the name you wish to use for this connection to the group of servers specified in the configured server list.

6. Click Add again to enter the configuration data for this target.

9.1.1 Server Configuration - RDP Target – 1:1 Proxy Gateway Mode

This dialog screen is displayed when the 1:1 Proxy Gateway connection mode is chosen (a direct connection from your workstation to the chosen server list).

Figure 3: Outgoing Connection - RDP Target Server Configuration - 1:1 Proxy Gateway Mode

The following information is common to all outgoing connection target types:

Name – enter the name to be used for this connection to the desired target.
Mode – select from the dropdown box the connection mode to be used. The five possible modes or types of connection are:
1:1 Proxy Gateway – a connection from a specific machine to another target machine over the HOB WSP
Dynamic Proxy Gateway – a connection from a machine to another target machine over the HOB WSP, the target machine being chosen dynamically and not permanently configured
WTS Load Balancing – used when you have a connection to a group of machines. To use this mode you must have a number of servers already configured for load balancing to which the connection can be made. The WTS Load Balancing module must be installed on these systems.
This module is also included in the HOB RD Selector Agent and HOB RD ES products from HOB.
VDI – a connection to virtualized desktops on a remote central server, only available when VDI is enabled on the HOB WSP
Server Data Hook – a connection that works by intercepting function calls, events or messages from servers within a network (this mode is available only when configuring Other Targets)

Each connection mode has different requirements, so the dialogs that you see change according to the mode selected.

Use Network Adapter – select from the dropdown box the network adapter to be used. The network adapter is configured as part of the HOB WSP configuration, under WSP Servers > Network Adapters. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined Protocol – select from this dropdown box the predefined protocol to be used for this connection, for example RDP Windows Terminal Server–HOB EXT-1. This is a HOB protocol created to allow the connection to be made.
Timeout (sec) – enter here the time in seconds the client waits before a connection attempt is timed out. The default setting is 600 seconds.
Protocol Plugins – in this box you select the protocol plugins to use in this configuration. Use the Add and Remove buttons on the right to manage the list of configured protocol plugins. Protocol plugins are optional software features that enhance the functionality of the HOB RD VPN connection. They are configured under the Extensions element of HOB WebSecureProxy.
For more information, see Section 9.2 Configuring the RDP Hook on page 163, Section 22.6 Configuring Dynamic NAT on page 292 and Section 22.7 Configuring the HOB TCP Tuner on page 296.

The remainder of this tab contains data fields that are specific to the connection mode that has been selected (see Mode, above). In the example screen shown above, the selected mode is 1:1 Proxy Gateway, so the panel with this title contains the following fields, where the data required to establish a 1:1 Proxy Gateway connection is entered:

Host IP Address – enter here the IP address of the machine you wish to connect to.
Host Port – enter here the port number to use for the connection. For connections using RDP this should be 3389.

On the Expert Options tab for the configuration of RDP Targets, you see the following options:

Figure 4: RDP Target Server Configuration - 1:1 Proxy Gateway Mode - Expert Options

Use raw packet interface (SSL Identifier) – enable this checkbox to use the HOB SSL Identifier feature. For more information about this feature, see Section 27 SSL Identifier on page 361.
Use client side SSL – check to use client side SSL (currently disabled).
Connect to other server – check to allow a connection to a server that is not the specified server for this configuration. This widens the set of servers reachable through the target, so leave it unchecked unless it is needed.
Connect round robin – check to use a round robin connection process.
DNS lookup before connect – check to ensure that the DNS name is resolved before the connection is made.
Nagle Algorithm – this box contains the following fields:
Overwrite default behavior – check to activate the following fields:
Disable send client – lets you disable the Nagle algorithm for data sent towards the client, so that small packets are sent immediately rather than coalesced. The dropdown box contains the options No (default), Yes and Automatic.
Disable send server – lets you disable the Nagle algorithm for data sent towards the server.
The dropdown box contains the options No (default), Yes and Automatic.

9.1.2 Server Configuration - RDP Target – Dynamic Proxy Gateway Mode

This dialog screen is displayed when Dynamic Proxy Gateway is chosen as the connection mode. This connection type is used when your system uses a dynamic method of connection and does not always connect directly to a machine with a static address, as in the 1:1 Proxy Gateway mode in Section 9.1.1 Server Configuration - RDP Target – 1:1 Proxy Gateway Mode.

Figure 5: RDP Target Configuration - Dynamic Proxy Gateway Mode

This connection type has the following fields:

Name – enter the name to be used for this connection to the desired target.
Mode – select from the dropdown box the connection mode to be used; in this case Dynamic Proxy Gateway (a connection where the target machine is chosen dynamically and not permanently configured) is selected.
Use Network Adapter – select from the dropdown box the network adapter to be used. The network adapter is configured as part of the HOB WSP configuration, under WSP Servers > Network Adapters. The default entry of Any means that the operating system decides which adapter to use.
Predefined Protocol – this option is disabled for this connection type.
Timeout (sec) – enter here the time in seconds the client waits before a connection attempt is timed out. The default is 600 seconds.
Protocol Plugins – in this box you can use the Add and Remove buttons on the right to manage the protocol plugins that you require. This is also disabled for this connection type.
On the Expert Options tab for the configuration of RDP Targets under the Dynamic Proxy Gateway mode, you see the following options:

Figure 6: RDP Target Server Configuration - Dynamic Proxy Gateway Mode - Expert Options

The options on this screen are identical to the options for 1:1 Proxy Gateway mode; for more information see the descriptions for Figure 4 on page 157.

9.1.3 Server Configuration - RDP Target – WTS Load Balancing Mode

This dialog screen is displayed when the WTS Load Balancing connection mode is chosen. Load balancing is the distribution of workload across all the computers in a server farm, operating as a cluster, to reduce the load on individual machines and to increase efficiency through resource optimization. Load balancing is described in more detail in Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT and in the documentation for the separate HOB product HOB RD ES.

Figure 7: RDP Target Configuration - WTS Load Balancing Mode & Server List Connection Type

In addition to the common data fields (see above), this tab also contains the following fields that are available only under the WTS Load Balancing connection mode:

Connection Type – select from the radio buttons the type of connection to be used, either Broadcast or Server List.
Broadcast port – if Broadcast has been selected, enter the port to be used for the broadcast here. Port 4095 is entered by default, and the same port has to be configured on the target systems in the load balancing agents (HOB RD Balancer, HOB RD Selector Agent and HOB RD ES). For more information see Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT and the documentation for these components.
Server List – this field holds the list of servers and the ports configured in the HOB VDI Agent on the system to which the connection will be directed. Use the Browse button to select from the list of answering servers, the Add button to add a server manually, the Edit button to change a server entry and the Remove button to delete a server from this list.

On the Expert Options tab for the configuration of RDP Targets under the WTS Load Balancing mode, you see the following options:

Figure 8: RDP Target Server Configuration - WTS Load Balancing Mode - Expert Options

The options on this screen are identical to the options for 1:1 Proxy Gateway mode; for more information see the descriptions for Figure 4 on page 157.

9.1.4 Server Configuration – RDP Target – VDI Mode

This dialog screen is displayed when the VDI connection mode is chosen. This connection mode provides a connection to virtualized desktops on one or more remote central servers. This mode must be activated by first configuring the element WSP Servers (you can configure this in the HOB RD VPN administration interface, see above); otherwise it will not be available for selection as outgoing connection mode. The administrator has to install and configure the HOB VDI Agent on the target virtual machines. See Chapter 13 Virtual Desktop Integration for more information.

Figure 9: RDP Target Configuration with VDI Mode and Broadcast Connection Type

In addition to the common data fields (see above), this tab also contains the following fields that are available only under the VDI-WSP connection mode:

Connection type – select from the radio buttons the type of connection to be used, either Broadcast or Server List.
Broadcast port – if Broadcast has been selected, enter the port to be used for the broadcast here.
Port 5090 is entered by default for this broadcast, and the same port has to be configured on the target systems in the HOB VDI Agent. For more information see Chapter 13 Virtual Desktop Integration.
Server List – this field holds the list of servers and the ports, as configured in the HOB VDI Agent on each system, to which the connection will be directed. Use the Browse, Add, Edit and Remove buttons to manage this list.

On the Expert Options tab for the configuration of RDP Targets under the VDI mode, you see the following options:

Figure 10: RDP Target Server Configuration - VDI Mode - Expert Options

The options on this screen are identical to the options for 1:1 Proxy Gateway mode; for more information see the descriptions for Figure 4 on page 157.

9.1.5 Server Configuration – Server Data Hook Connection Mode

This mode is used only in particular circumstances, on the recommendation of HOB. In these cases the relevant documentation will be made available.

9.2 Configuring the RDP Hook

The RDP Hook is a protocol plugin that you can use to perform extra operations on RDP communication in your network. The RDP Hook is included in the installation of HOB RD VPN as an optional feature that is part of the delivered software, but it must be separately configured for use. To configure an RDP Hook for HOB RD VPN, follow these steps:

1. Open the configuration program of the HOB WebSecureProxy.
2. Open Extensions > Protocol Plugins > RDP Hook on the left in the tree structure. The following tab screen is displayed:

Figure 11: HOB WSP Configuration - Extensions - Protocol Plugins - RDP Hook

3. Click the Add button at the bottom to create a new RDP Hook for this configuration; the following screen is displayed:

Figure 12: HOB WSP Configuration - RDP Hook Settings

The fields to be configured on this screen are as follows:

Name – here you enter the name you want to assign to this RDP Hook configuration.
Virus Scanning Service – select from the dropdown list the virus scanning service to use with this configuration.
Virus Checking Maximum File Size – enter the maximum size for files allowed in this communication, and then select from the dropdown box the unit, either KB, MB or GB.
Encryption to Client – select from the dropdown box the level of encryption to be applied to files sent to a client, either Automatic, Medium or High.
Compression to Server – select from the dropdown box the level of compression to be applied to files sent to the server, either Automatic, Yes or No.
Trace Level – enter the level of trace required for this communication.
Disable Microsoft Local Drive Mapping – check this box to disable Microsoft local drive mapping.
Disable HOB Local Drive Mapping – check this box to disable the local drive mapping feature provided by HOB.

Local drive mapping exposes the client's drives to the remote session in both directions; where files must not be copied between the session and the client, disable both variants.

4. Save the configuration (Main menu > File > Save). The RDP Hook protocol plugin is now configured and can be selected for use in the configuration of targets for HOB RD VPN.

10 Remote Desktop Computing using HOBLink J-Term/JWT

HOB RD VPN is a complete software solution with many distinct components to provide maximum functionality. This level of connectivity is provided through the HOBLink J-Term component, which is delivered with the integrated HOBLink JWT plug-in.
HOBLink JWT is the RDP client application component used by HOB RD VPN to connect client machines to any RDP-capable server, including Microsoft Remote Desktop Services or Windows desktops, while HOBLink J-Term provides connectivity to legacy terminal protocol machines. HOBLink JWT is also available as a standalone plug-in without the HOBLink J-Term component. For more information on this standalone version see Chapter 11 Remote Desktop Computing using HOBLink JWT Webstart.

RDP is a common protocol used to establish connections to computers running a Windows operating system over a network. RDP provides a graphical interface to another computer. The RDP client software must be installed on the client machine, while the RDP server must be installed on the server side.

10.1 Configuring HOBLink J-Term/JWT to create RDP Connections

To configure a remote desktop connection you need to configure both the HOB WSP and HOBLink J-Term/JWT, the remote desktop client, using the RDP protocol. Take the following steps to configure HOB RD VPN for remote desktop computing:

10.1.1 Configuring the WebSecureProxy

1. Log on and start the HOB RD VPN Administration interface.
2. Select the Servers element of your internal hierarchy, select the object WebSecureProxy and click the Configure button.
3. The WebSecureProxy configuration interface is displayed. Select Outgoing Connections > RDP Targets (this is an example; the configuration of other, non-RDP target types is essentially identical).
4. Click the Add button to add a new RDP target, which should be a list of the servers to be accessed by the connection you are configuring.
5. Click Add again to add an individual server as the target for this connection; you see the following screen:

Figure 1: HOB RD VPN WSP Configuration Screen - Outgoing Connections - RDP Targets

See Section 9.1 Creating a Target on page 153 for more detail on the information you need to enter here. Depending on the connection mode that has been selected, the panel at the bottom of the dialog screen changes.

Name – enter the name you want to use for this connection.
Mode – select from the dropdown box the connection mode to be used for the connection to the target machine. The four possible modes or types of connection are as follows:
1:1 Proxy Gateway – a direct connection from one machine to another configured machine
Dynamic Proxy Gateway – a direct connection from one machine to a dynamically selected machine in the network
WTS Load Balancing – used when you have a connection to a group of machines already configured for load balancing. The WTS Load Balancing module must be installed on these systems
VDI – a connection to virtualized desktops on a remote central server, only available when VDI is enabled on the HOB WSP
Use Network Adapter – select the network adapter to be used. The default is Any.
Predefined Protocol – select the predefined communication protocol to be used. The protocols that can be selected depend on the type of target desired.
Timeout (sec) – enter here the time in seconds the client waits before a connection attempt is timed out. The default setting is 600 seconds.

The remainder of this tab contains data fields that are specific to the connection mode that has been selected.

6. Once you have entered this information, select Roles and select the role (for example Power User) to which you want to add the desired server list.
7. Select Privileges > Server Lists and you see the following screen:

Figure 2: HOB WSP Configuration – Roles – Settings – Server Lists

8. From the server lists displayed, check the required server lists (multiple server lists may be selected) for use as the servers available to this role for a connection.

10.2 Configuring HOBLink JWT

HOBLink JWT is the remote desktop connectivity client that is an integral part of HOB RD VPN. HOBLink JWT uses the RDP protocol to connect to Windows Terminal machines, places these connections into schemes, and activates these schemes through sessions. The HOBLink JWT Administration screen (see Figure 4 on page 170) is used to manage the settings for each user session for their connections to the desired targets. These dialogs allow you to configure how the remote desktop connects to your system (sessions), and how these sessions appear to the user on the client machine (schemes). What you configure here is stored in the configuration storage of this domain.

Depending on the edition of HOB RD VPN that you are using, the options on this dialog can vary. HOBLink JWT can be provided either together with HOBLink J-Term (for connections to terminal operating systems) or separately as a stand-alone installation, without the HOBLink J-Term components. The functionality is in either case the same.

1. Log on and start the HOB RD VPN Administration interface.
2. Select the element of your internal hierarchy you want to assign this target to and select Sessions > HOBLink J-Term/JWT (or HOBLink JWT depending on your installation) > Configure, as shown here:

Figure 3: HOB RD VPN Administration – Configure – HOB RD VPN 2.1 - HOBLink JWT

The HOBLink JWT Administration start screen is then displayed.
This screen (shown here) takes the form of two panels:
Figure 4: HOBLink JWT Administration Start Screen
On the panel to the left is the list of sessions and schemes available to each particular resource. On the panel to the right is a configuration tab for each selection from the left hand side. The right hand panel changes depending on the selection made on the left.
Below these two panels, the following buttons and their functions are common to all of the tabs on the HOBLink JWT Administration screen:
New – use this button to create a new element of the category you selected in the list on the left
Delete – use this button to delete the selected item
Lookup – this button allows you to check the current status of the selected item, whether it is in use or idle
Cancel – use this button to close this dialog without saving any changes that you have made
Default – use this button to restore the default settings to the selected configuration element
Verify – use this button to confirm that the changes you have made to the session are correct and to ensure no data is missing
Close – this button saves any changes, closes this dialog and returns you to the HOB EA Admin screen
Help – use this button to call up the HOB RD VPN Help for this topic
There are three tabs on the HOBLink JWT Administration screen:
Member Rights
Sessions Manager
True Windows Applications
10.2.1 Member Rights
On this tab you enable members of the session to have the following rights:
Figure 5: HOBLink JWT Administration - Member Rights
Create JWT Sessions – check this box to allow the user to create HOBLink JWT sessions. A session is the set of communication exchanges between two machines that comprise a conversation or dialog over a configured connection.
Create Schemes – this list contains the schemes that the user may create for the current session. Schemes set the functionality available during a session as well as the physical appearance of the interface being used. Check the box beside a scheme to allow users to change the corresponding configuration. You can use the Select All and Unselect All buttons to refine your selection.
Click Close to save the changes and close this screen.
10.2.2 Sessions Manager
On this tab you manage the sessions that are available to the user.
Figure 6: Sessions Administration - HOBLink JWT Sessions Manager
Priority – here you set the priority for the session to receive a connection to the servers.
New – click to add a new session to those available to the user.
Delete – use this to remove the selected session from the list.
Rename – use this to update the name of the selected session.
Available Sessions – this shows a list of existing available sessions.
Selected Sessions – this shows those sessions already selected. Use the two arrow buttons to select or deselect a session.
Click Close to save the changes and close this screen.
10.2.3 True Windows Applications
Here you can set the applications you wish to have as True Windows applications for your users. True Windows is a feature of HOBLink JWT together with HOB RD ES that allows the user to experience the full functionality of using a Microsoft Windows installation on their client machine even though the installation is on a network machine and not on the client.
Figure 7: Sessions Administration - HOBLink JWT True Windows Applications
All applications available – check to make all applications configured on the server farm within HOB RD ES available as True Windows. This disables the Application List field
Inherit True Windows applications from parent item – check this to automatically inherit all applications currently available to the parent item of this resource
Application List – here a list of all applications currently available is shown
Browsing Port – set the port to be used for browsing for these applications
Application – enter the name of the desired application here
Browse – use this button to search through those applications that are already on the system
(icon button) – click to add the selected application to the list
(icon button) – click to delete the selected application from the list
Click Close to save the changes and close this screen.
10.3 Configuring a Scheme in HOBLink JWT
Schemes are used to set the functionality that is available to the user during a session, as well as to determine the physical appearance of the interface being used. To open the configuration for HOBLink JWT:
1. Log on and start the HOB RD VPN Administration interface.
2. Select the element of your hierarchy you want to create a connection for (user, group, object, etc.) and select Sessions > HOBLink JWT > Configure, as shown in the previous section, Section 10.2 Configuring HOBLink JWT on page 169.
3. Now select Schemes > Connection > New to open the configuration of a new connection. The following screen is displayed:
Figure 8: HOBLink JWT Administration - Schemes - Connection
Scheme Name – enter a name for this new connection.
Options for Connection Type:
Connection Type – select from the dropdown box the type of connection you want to create under this scheme.
The options are:
Direct – a direct connection from one computer to another
Load Balancing – a connection from one computer to a number of servers working as a server farm, with load balancing in operation
WebSecureProxy Direct – a direct connection from one computer to the HOB WSP
WebSecureProxy Load Balancing – a connection from one computer to the HOB WSP, which then connects to one of the members of a server farm, with load balancing in operation
WebSecureProxy Socks Mode – a direct connection from one computer to the HOB WSP using the SOCKS protocol
Options for Server:
Choose Terminal Server at Runtime – check to enable the user to select a Terminal Server to connect to; otherwise the server named in the field Terminal Server is used
Terminal Server – enter the name of the Terminal Server you wish to connect to. The Browse button may be used here. The server needs to have HOB Load Balancing installed to be listed here
Port – enter the number of the port to be used for the connection
Options for WSP Server in case of HOB RD VPN:
Prompt user when connecting – check this box to receive a prompt for the connection to the HOB WSP.
Server name – this field is active only if the Prompt User box is not selected. Here the name of the server (which has already been configured as one of the RDP Targets) to be used for the connection is shown
Options for Proxy:
Use Client Side Proxy – select from the dropdown box the type of proxy to be used on the client side. The options for this are:
None – do not use a proxy on the client side
Auto Detect – use the default proxy already configured on the client side
User Defined – use your own configured proxy on the client side
Click Close to save the changes and close this screen.
10.4 Configuring a Session in HOBLink JWT
Once the scheme for the connection has been configured, you need to create a session where it can be used and then add the connection to this session. Under Sessions you manage the connection between the users, the servers and the applications. Here you can also specify the on-screen display, the printers to be used, how files are to be transferred, and more.
Click Sessions > New and the following screen is displayed:
Figure 9: HOBLink JWT Sessions
Session Name – here you enter a name for this session, such as Test Session.
Scheme Types – this is a listing of the different types of schemes that have already been configured, such as connection schemes, and can be added to this session.
Available Schemes – this is a listing of the schemes that have been configured for each scheme type, and can be selected as the scheme of that type for this session.
10.5 Running Sessions
Once HOB RD VPN has been installed and correctly configured to suit the requirements of your firm, you can save the configuration and run sessions. A session is the use of a connection to a server where you wish to work.
1. Open the HOB RD VPN default page with a browser and log on as the newly configured user with a connection. The HOB navigation screen opens.
Figure 10: HOB RD VPN Navigation Screen
2. Under the Access to Desktops and Applications portlet you will see the bookmark Run Sessions. Click this link to start your session.
3. The Sessions screen opens, together with the session manager screen, see Figure 11 below. This shows the servers to which you can connect in this session. Your access to these servers is determined according to the role that has been assigned to you and how you are authenticated.
Figure 11: HOB RD VPN Session Manager Screen
4. Select the required server and a connection can then be made directly to that server.
5. Log on to this server over the authentication page (if required by the practice of your firm), and you can begin your work.
Mac OS X Security Issue – Unidentified Developer Application
Following the Mac OS X security update Mac Security Update 2013-002, for those machines running OS X v10.8.4 or higher it is no longer possible to start a HOBLink JWT session with Java Web Start (.jnlp). This is because all Java Web Start (.jnlp) applications downloaded from the Internet now need to have a recognized Developer ID. The Mac OS X system Gatekeeper checks downloaded Java Web Start applications for such an ID and blocks applications from launching when they are not properly recognized, i.e. unidentified. In such a case the following screen is displayed:
Figure 12: Mac OS X Security Warning – Unidentified Developer
In HOB RD VPN the .jnlp file is dynamically generated on the server side. Therefore it is not possible for HOB as the manufacturer to deliver the file with an appropriate ID. To start HOBLink JWT in this situation, the Security and Privacy Settings must be changed, with the setting Allow applications downloaded from set to Anywhere, as shown below.
Figure 13: Mac OS X Security & Privacy Settings
Close this screen for the changes to take effect and HOBLink JWT can now be started correctly and safely.
10.6 Load Balancing
Load balancing (also known as WTS Load Balancing) is the process by which sessions can be assigned across multiple servers. Load balancing enhances the performance of the servers, optimizes their use and ensures that no single server is overwhelmed.
Each server in the farm can be configured individually, which is particularly important if the various servers do not all have the same performance capabilities. For optimal performance, constant evaluation of the CPU load and other parameters on the Windows servers themselves is needed. HOB Load Balancing evaluates up to 13 different parameters over different time durations and can be custom tailored to fit your existing system for enhanced efficiency.
The great advantage is in the use of weighted server parameters instead of the “round robin” method. This means the administrator can individually configure the extent of the load on the servers within the server farm, even for very large server farms in a load-sharing setup. There is no limitation on the number of servers that can be monitored and balanced in this way.
The HOB Load Balancing solution also supports unexpectedly disconnected sessions. In this case the user is reconnected to the same server on which they were working before the session disconnected, regardless of the current load on that server, and with no loss of data. This basic functionality can also be extended by a powerful user management feature such as LDAP or Microsoft Active Directory. There are no specific prerequisites on the client side (except that the client has a Java-capable browser).
For more information on this component, see the relevant documentation for the HOB product HOB RD Selector, delivered with this optional component.
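To make the difference between weighted server parameters and plain round robin concrete, here is an added illustration (not HOB's patented Load Balancing implementation, whose formula the guide does not publish): the parameter names follow the server load information listed in this section, while the weights, the normalisation to percent and the scoring formula are assumptions made for this example, as is the sample farm.

```python
"""Illustrative weighted server selection for a load-balanced RDP farm.

Added example, not HOB's Load Balancing code: parameter names follow the
HOB RD ES load information (CPU load, memory usage, sessions, ...); the
weights, normalisation and formula are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass
class ServerLoad:
    """One sample of a server's load parameters. Loads are percent of
    capacity; session counts are absolute, with max_sessions as capacity."""
    name: str
    cpu_load: float
    memory_usage: float
    page_file_usage: float
    nic_load: float
    disk_load: float
    active_sessions: int
    disconnected_sessions: int
    max_sessions: int


# Assumed weights; an administrator would tune these per farm. Session usage
# is weighted highly because it best predicts the cost of one more session.
DEFAULT_WEIGHTS = {
    "cpu_load": 0.30,
    "memory_usage": 0.25,
    "sessions": 0.25,
    "page_file_usage": 0.10,
    "nic_load": 0.05,
    "disk_load": 0.05,
}


def load_score(s: ServerLoad, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted load on a 0..100 scale; lower is better.

    Disconnected sessions count as well: they still hold processes and
    memory on the server until the user reconnects or they are reset.
    """
    used = s.active_sessions + s.disconnected_sessions
    session_pct = 100.0 * used / max(s.max_sessions, 1)
    parts = {
        "cpu_load": s.cpu_load,
        "memory_usage": s.memory_usage,
        "sessions": session_pct,
        "page_file_usage": s.page_file_usage,
        "nic_load": s.nic_load,
        "disk_load": s.disk_load,
    }
    # Clamp each parameter to 0..100 so a bad sample cannot dominate.
    return sum(weights[k] * min(max(v, 0.0), 100.0) for k, v in parts.items())


def choose_server(farm, user, disconnected_on=None, weights=DEFAULT_WEIGHTS):
    """Pick the server for a new connection request.

    disconnected_on maps user name -> server name for sessions that were
    disconnected unexpectedly; such a user goes back to the same server
    regardless of its load, so the session can be resumed without data loss.
    Otherwise the lowest weighted load wins, skipping servers with no free
    session slots. Returns None when no server can accept the request.
    """
    by_name = {s.name: s for s in farm}
    if disconnected_on and disconnected_on.get(user) in by_name:
        return disconnected_on[user]
    candidates = [s for s in farm
                  if s.active_sessions + s.disconnected_sessions < s.max_sessions]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (load_score(s, weights), s.name)).name


# Constructed sample farm: ts1 is busy, ts2 is quiet, ts3 is full.
SAMPLE_FARM = [
    ServerLoad("ts1", 80, 70, 20, 10, 15, active_sessions=30,
               disconnected_sessions=5, max_sessions=50),
    ServerLoad("ts2", 20, 40, 5, 5, 5, active_sessions=10,
               disconnected_sessions=0, max_sessions=50),
    ServerLoad("ts3", 10, 30, 5, 5, 5, active_sessions=20,
               disconnected_sessions=0, max_sessions=20),
]

if __name__ == "__main__":
    for s in SAMPLE_FARM:
        print(f"{s.name}: weighted load {load_score(s):.2f}")
    print("new user ->", choose_server(SAMPLE_FARM, "alice"))
    print("reconnect ->", choose_server(SAMPLE_FARM, "bob", {"bob": "ts1"}))
```

Round robin would hand every third new session to the busy ts1 and try to place sessions on the full ts3; the weighted score sends new users to ts2 while a disconnected user still lands on the server holding their session.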
Figure 14: HOB RD ES - Server Load Information
The following are the parameters that can be used to calculate the load on the servers:
Page File Usage – this displays the amount of memory which is transferred to disk by the system
Paging Total, Reads, Writes – this is a combination of the Page Reads and the Page Writes used for idle applications
Page Read – this shows the number of read pages per second
Page Write – this shows the number of written pages per second
Memory Usage – this value displays the amount of memory being used
Load of NICs – this value shows the current load of the Network Interface Cards
CPU Load – this value displays how much of the Central Processing Unit is being used
Number of Processes – this value displays the number of processes in progress
Number of Threads – this value shows the number of threads involved in the processes
Load of Hard-Disks – this value displays the load on the hard-disks
Input and Output Activity – this value displays the number of requests from or to devices
Active Sessions – this value shows the number of active sessions
Disconnected Sessions – this value shows the number of disconnected sessions
There is also a Write Log File function for when you want to write a log file of the calculation. This log file is written to <RDSA path>\BM\logs and uses the .csv (comma separated values) format.
10.6.1 Configuring Load Balancing
When the connection mode WTS Load Balancing has been selected, you have the option to use either a Broadcast to connect to the servers of the server farm or a specific Server List of pre-configured servers to which the communication is sent. When creating a connection using Load Balancing over a Broadcast connection type, the following screen is shown.
For a connection using the Load Balancing mode with the Server List connection type please see Section 9.1.3 Server Configuration - RDP Target – WTS Load Balancing Mode.
Figure 15: RDP Targets - WTS Load Balancing - Broadcast Mode
Here you can see that you need only select the Broadcast radio button and enter the port to be used for the broadcast. Click File > Save to save any changes made here, and File > Close to close this screen.
11 Remote Desktop Computing using HOBLink JWT Webstart
HOBLink JWT is the RDP client application component solution for connections to computers running under a Windows operating system. This solution is delivered as part of HOB RD VPN when access to legacy protocol machines (provided by HOBLink J-Term) is not required. HOBLink JWT Webstart delivers the same functionality for connections to any RDP-capable server, including Microsoft Remote Desktop Services or Windows Desktops, as HOBLink JWT when delivered with HOBLink J-Term.
11.1 Configuring RD Computing using HOBLink JWT
To configure a remote desktop connection you need to configure both the HOB WSP and HOBLink JWT using the RDP protocol. Please proceed as follows:
11.1.1 Configuring the WebSecureProxy
1. Log on and start the HOB RD VPN Administration interface.
2. Select the Servers element of your internal hierarchy and select the object WebSecureProxy. From the dropdown box at the bottom select the function WebSecureProxy blue, and click the Configure button.
3. The WebSecureProxy configuration interface is displayed. Select Outgoing Connections > RDP Targets and click the Add button to add a new RDP target server list, which is a list of the servers to be accessed by the connection you are configuring. Here the name Windows Terminal Servers is used as an illustration.
4. Click Add again to add an individual server as the target for this connection. The name Example_RDP_Server is used in the example shown here on the following screen:
Figure 1: HOB RD VPN WSP Configuration - Outgoing Connections - RDP Targets
See Section 10.1 Configuring HOBLink J-Term/JWT to create RDP Connections on page 167 for more information on the information you need to enter here.
5. Once you have entered the information you need to create a target, click File > Save to save any changes made here.
6. Now select Roles and select the role (for example PowerUser) to which you want to add the desired server list.
7. Select Privileges > Server Lists and you can see the following screen:
Figure 2: HOB WSP Configuration – Roles – Settings – Server Lists
8. From the server lists displayed, check the server list you have newly created (Windows Terminal Servers) to use it as the list of servers available to this connection.
9. Click File > Save to save any changes made here, and then File > Close to close this screen.
11.2 The Client Configuration Provider
The Client Configuration Provider is a feature specific to HOBLink JWT. It is a server list dedicated to providing this particular configuration to all the clients that require it. It is active by default. The configuration set here is carried through for all users that are assigned to this configuration. To disable this particular client configuration provider, you need to edit the WSP server list itself.
Figure 3: HOB RD VPN WSP Configuration – WSP Servers - Unique Access
1. To edit the server list select the WSP Servers > Unique Access tab in the WebSecureProxy configuration interface, and deselect (or select) the checkbox Client Configuration Provider, as shown above.
2. Once this server list has been deselected you can still assign configurations to the individual roles; this must be done under the Roles configuration – see Chapter 8 Roles and Users for more information.
3. Click File > Save to save any changes made here.
11.3 Configuring HOBLink JWT
HOBLink JWT is configured in the same manner as HOBLink J-Term/JWT as shown in the previous chapter (please see Chapter 10 Remote Desktop Computing using HOBLink J-Term/JWT), with only a small number of differences, described here.
1. Log on and start the HOB RD VPN Administration interface. If the configuration is stored on an external LDAP server, the logon to the external LDAP must in this case be done by the Domain Administrator of the domain that includes the LDAP server you want to access.
2. Select the element of your internal hierarchy you want to assign this target to and select Sessions > HOBLink JWT Webstart, as shown here:
Figure 4: HOB RD VPN Administration – Configure – Sessions - HOBLink JWT Webstart
The HOBLink JWT Administration screen for HOBLink JWT Webstart is then displayed.
Figure 5: HOBLink JWT Webstart Administration Screen
This screen takes the form of two panels. On the panel to the left is the list of sessions and schemes available to each particular resource. On the panel to the right is a configuration tab for each selection from the left hand side. The right hand panel changes depending on the selection made on the left.
Below these two panels the following buttons and their functions are common to all of the tabs on the HOBLink JWT Webstart Administration screen:
New – use this button to create a new HOBLink JWT session
Delete – use this button to delete the selected HOBLink JWT session
OK – use this button to apply the changes and to exit the configuration mode
Apply – use this button to save any changes made and continue with the configuration
Cancel – use this button to close this dialog without saving any changes that you have made
Default – use this button to restore the default settings to the selected HOBLink JWT session
Help – use this button to call up the Help available for this topic
11.4 Configuring a Session in HOBLink JWT Webstart
The HOBLink JWT Administration screen is used to manage the settings for each user session for their connections to the desired targets. These dialogs allow you to configure how the remote desktop connects (Sessions) and how these sessions appear to the user on the client machine (Schemes). What you configure here is stored in the configuration storage of this domain.
Once the scheme for the connection has been configured, you need to create a session where it can be used and then add the scheme connection to this session. You manage the connection between the users, the servers and the applications under Sessions in the hierarchy.
1. Click Sessions > New and a popup appears where you enter a name for this session. Now click OK and the following screen is displayed:
Figure 6: HOBLink JWT Navigation Screen
Scheme Name – this shows the name you have given to this session, such as Example Session.
In the Settings tab, you have the following fields:
Active – check this to keep this session available for use when you wish to make a connection.
Session Icon – here you select the icon to be displayed in the session list when you start HOBLink JWT.
2. Under this configured session name you can now configure the schemes that are to be part of this session configuration; see the next section for more information.
3. Use the OK button to apply the changes and to exit the configuration mode.
11.5 Configuring a Scheme in HOBLink JWT Webstart
HOBLink JWT allows the user to configure schemes for the current session to set the functionality available during that session as well as the physical appearance of the interface being used. Multiple schemes can be configured, and these schemes can be assigned to the users based on their roles, managing the performance of their sessions.
To open the configuration for HOBLink JWT Webstart:
1. Log on and start the HOB RD VPN Administration interface.
2. Select the element of your hierarchy you want to create a connection for (User, Group, Object, etc.) and select Sessions > HOBLink JWT Webstart > Configure.
3. In the screen that opens, select Schemes > Connection > New to open the configuration for a new connection. Enter a name for this new connection (here Example Connection is used) in the popup that appears and click OK.
Figure 7: HOBLink JWT Webstart Connection - Direct
This dialog is the default and shows the connection type Direct selected in the first dropdown box on this tab.
Connection Type – select from this dropdown box the connection type that is to be configured
Connection to Server – this group of fields allows the configuration for this connection type to be entered
The screens that you see at this point change to reflect the type of connection selected. The lower panel of each tab in this dialog holds the options available for the selected connection configuration type.
In the following dialog the connection type WebSecureProxy Socks Mode has been selected, giving you this screen:
Figure 8: HOBLink JWT Webstart Connection Screen
The fields you see on this screen are:
Scheme Name – this is shown above the tab field and contains the name you have given to this connection scheme.
Connection Type – the dropdown box contains the types of connections currently available under this scheme. The available options are:
Direct – a direct connection from one computer to another. The connection is made directly to the given RDP Server without the use of HOB RD VPN
Load Balancing – a connection from one computer to a number of servers working as a server farm, with load balancing in operation. The connection is established using the patented HOB Load Balancing mechanism without the use of HOB RD VPN
WebSecureProxy Direct – a direct connection from one computer to the HOB WSP. With this option HOBLink JWT connects to the HOB WSP using SSL and requires a corresponding configuration of a direct connection in the WSP setup
WebSecureProxy Load Balancing – a connection from one computer to the HOB WSP, which then connects to one of the members of a server farm, with load balancing in operation. With this option HOBLink JWT connects to the HOB WSP using SSL and requires a corresponding configuration of a direct connection with Load Balancing in the HOB WSP setup (this setup is currently not configurable over the HOB WSP GUI)
WebSecureProxy Socks Mode – a direct connection from one computer to the HOB WSP using the SOCKS protocol. HOBLink JWT connects to the HOB WSP and the configuration of the HOB WSP controls the remaining establishment of the session. At least one RDP target needs to be configured
4. Server List – this field contains the list of all available HOB RD VPN servers (for example there is a server list named Test Server) and the port under which each server list can be accessed. Use the Add, Edit and Delete buttons to manage this server list. Use the OK button to apply the changes and to exit the configuration mode.
The screen that is displayed when the WebSecureProxy & Load Balancing connection type has been selected is shown below. This connection type must be selected for the WSP & Load Balancing tab to be activated, so that the following options can be configured:
Figure 9: HOBLink JWT Connection – WSP & Load Balancing
WSP Socks Server – there are two fields in this panel:
Prompt user when connecting – this brings up a prompt for the user to select a server when making a connection. This is selected by default. If no server is entered and this checkbox is not enabled, an error message appears
Socks server name – enter here the name of the SOCKS server you wish to connect to. The name you enter here is the name of the server entered as the RDP Target under Outgoing Connections in the HOB WSP configuration; see Section 11.1.1 Configuring the WebSecureProxy on page 183 for more information.
Load Balancing (this setting only applies if either the connection mode WebSecureProxy Load Balancing or WebSecureProxy Socks Mode is in use and the RDP target is configured to use Load Balancing) – this panel has two options:
Connect to server with least load – the server with the least load is chosen to accept the connection
Select from all responding servers – allow the user to select a server from a list of those available for this connection
5. Use the OK button to apply the changes and to exit the configuration mode.
11.6 Run Sessions
Once HOB RD VPN has been installed and correctly configured to suit the requirements of your firm, you can save the configuration and run your sessions.
A session is the use of a connection to a server where you wish to work.
1. Open the HOB RD VPN default page with a browser and log on as the newly configured user with a connection. The HOB navigation screen opens.
Figure 10: HOB RD VPN Navigation Screen
2. Under the Access to Desktops and Applications portlet for HOBLink JWT you can see the sessions that are configured for this user. Click these links to directly start your session. Your access to the servers through these configured sessions is determined according to the role that has been assigned to you and how you are authenticated on the HOB WSP.
3. Select the required server and a connection is made directly to that server.
4. Log on to this server over the authentication page (if required by the practice of your firm), and you can begin your work.
12 HOB RD VPN Desktop-on-Demand
HOB RD VPN Desktop-on-Demand is a function within HOB RD VPN that enables secure remote access to Windows workstations, even when the remote computer has been switched off. This access is possible both over an internal LAN and over the Internet. When there is an active connection to the workstation, the usability and functionality are as if the user were actually working at a local workstation. This means that when using HOB RD VPN Desktop-on-Demand, as well as waking up your PC remotely, you can:
Copy and paste between the local client and the workstation
Print on the local client via HOB EasyPrint
Output audio from the desktop PC onto the local client
Exchange data between the local client and desktop PC using integrated local drive-mapping
HOB RD VPN Desktop-on-Demand can be used for desktop PCs running Microsoft Windows XP, Windows Vista, Windows 7 or Windows 8. HOB RD VPN Desktop-on-Demand needs an RDP server on the target workstation, which is not contained in the Home Editions of Windows 8, 7, Vista or XP.
This server is contained only in the Professional, Business, Enterprise or Ultimate Editions of these operating systems.
To access Linux or Apple Mac machines using HOB RD VPN Desktop-on-Demand, HOB offers the add-on component HOB X11Gate, which translates the X Window protocol into RDP. To access an Apple Mac server in your network you can use the HOB MacGate feature of HOB RD VPN, which is an RDP server for machines running Mac OS X.
12.1 Configuring HOB Desktop-on-Demand
HOB RD VPN Desktop-on-Demand is part of the HOB RD VPN installation and is preferably installed in the DMZ (Demilitarized Zone). This DMZ is a special sub-network set up to offer services to users outside of the local area network, such as e-mail, web and Domain Name System (DNS) servers - the hosts most vulnerable to attack - while protecting the rest of the network behind an intervening firewall that controls the traffic between the DMZ servers and the internal network clients should an intruder attempt an attack.
Figure 1: Desktop-on-Demand Standard Deployment
The HOB RD VPN Desktop-on-Demand data is saved by HOB administration to either the integrated directory service or the external directory service your network is using. To save the data to an external directory service server, the corresponding structures have to be created via a schema extension.
12.1.1 Requirements for the Workstation PC
To integrate a workstation for HOB RD VPN Desktop-on-Demand there are 3 requirements:
1. The target workstation must be reachable using the RDP protocol. This means that any of the following are possible:
Microsoft Windows (not a Home edition) is installed as the operating system on the workstation PC
Linux is installed as the operating system with HOB X11Gate also installed
Mac is installed as the operating system with HOB MacGate also installed
2. The Wake-on-LAN function must be activated in the BIOS if you want to use the Wake-on-LAN functionality.
3. The Remote Desktop function must be activated as follows:
For Microsoft Windows 8: click the Settings charm > Change PC Settings
For Microsoft Windows 7: click Control Panel > System & Security > Allow Remote Access > Remote Desktop > Select User
For Microsoft Windows XP & Vista: click Control Panel > System > Remote tab, and check the Allow Users to Connect Remotely to This Computer checkbox
12.1.2 Firewall Settings
The second (internal) firewall that separates the DMZ from the corporate network must allow broadcasts to pass. If this requirement is not met, the information listed in Section 12.2 HOB Wake-on-LAN Relay applies.
12.1.3 Entering Desktop-on-Demand Data
To initialize the Wake-on-LAN function of a computer that has been switched off, you need to provide the HOB WebSecureProxy with the IP address of the computer, the port number (which is 3389 by default) and the MAC address of its network card. This data can, together with the username and password, be read from the desktop PC, as it is saved either in the directory service holding the configuration storage or in the XML file (wsp.xml; for more information see Chapter 36 XML Configuration for the HOB WebSecureProxy) of the HOB WSP configuration. The steps required to retrieve the data needed for an HOB RD VPN Desktop-on-Demand connection are described in Section 12.1.6 Configuring User Settings for HOB Desktop-on-Demand.
12.1.4 Configuring the Desktop-on-Demand Data
To successfully wake client PCs via the remote desktop function, you need to perform the following configuration steps:
Configuring HOB WebSecureProxy
Configuring User Settings
Configuring HOBLink JWT
These configuration procedures are described in the following sections.
12.1.5 Configuring the HOB WebSecureProxy for Desktop-on-Demand
1. Start the HOB WebSecureProxy configuration program by logging on and starting the HOB RD VPN Administration interface.
2. Select the Servers element of the internal hierarchy and select the WebSecureProxy object. From the dropdown box on the bottom left of the dialog select the function WebSecureProxy blue and click Configure.
3. The HOB WebSecureProxy configuration interface is displayed. Select Extensions in the hierarchy structure on the left and select the extension Desktop-on-Demand.
4. For Use network adapter select a network adapter from the drop-down list, or leave the default of Any.
Figure 2: Desktop-on-Demand Settings
5. Now select a Role from the Roles item of the left-hand tree, for example the role PowerUser, and you will see this screen:
Figure 3: Desktop-on-Demand Settings of the Role
6. Click the Privileges tab and in the second level the Server Lists tab.
7. Activate the Desktop-on-Demand checkbox.
8. Select File > Save from the menu to apply the changes.
12.1.6 Configuring User Settings for HOB Desktop-on-Demand
1. Start the HOB RD VPN Administration program and select the desired user in the database.
2. Select HOB RD VPN 2.1 > User Settings > Configure, and this screen is displayed:
Figure 4: HOB RD VPN Administration - Configure User Settings
3. This brings up the following screen, the start screen for HOB RD VPN administration.
Figure 5: HOB RD VPN Administration Start Screen
4. In the list on the left side select Desktop on Demand and you will see this screen:
Figure 6: HOB RD VPN Administration - Desktop-on-Demand Screen
5. Now click Add to create a new configuration for HOB RD VPN Desktop-on-Demand, which represents a target workstation.
The following screen appears: Figure 7: Desktop-on-Demand Configuring the Data for a Workstation 6. Enter a Name of your choice, for example Example Work Station. 7. Enter the Host IP address, MAC address and Port under which the workstation is accessible for RDP connections. Click this Retrieve & Apply button to obtain and enter the MAC address. This button works only when the remote desktop is already running. If it is not already running, you can enter the MAC address manually. 198 Security Solutions by HOB HOB RD VPN HOB RD VPN Desktop-on-Demand 8. In the Delay (sec) field you enter the time in seconds that HOB WSP is to wait for a positive response from the workstation while waking it up. If this time limit is exceeded, then the HOB WSP displays a connection failed message. The default for this field is 180 seconds, but this may be increased if the target computer needs more time to boot. 9. You can use the button Test the Current Settings to determine if the data entered is valid. This button does not attempt to make any connection. 10. Click Save to apply the data, store the settings in the database and close this dialog. 12.1.7 Configuring HOBLink JWT for Desktop-on-Demand 1. Start the HOB EA Administration program. 2. Select a user or user group in right-hand panel. Right-click and select Configure > Sessions > HOBLink JWT, as shown in Section 10.2 Configuring HOBLink JWT on page 169. 3. The HOBLink JWT Administration program starts. Create a new Connection scheme by clicking Schemes > Connection and clicking the New button. 4. Enter a Scheme Name of your choice and select a Connection Type from the list. Connections via HOB WebSecureProxy require either HOB WebSecureProxy SOCKS Mode or WebSecureProxy Load Balancing to be chosen as the Connection Type. Figure 8: Desktop-on-Demand - JWT Scheme Settings 5. Select the HOB WSP tab and enter Desktop-on-Demand as Server Name. 
Security Solutions by HOB 199 HOB RD VPN Desktop-on-Demand HOB RD VPN Figure 9: Desktop-on-Demand - JWT Scheme Settings 6. Click Close to apply the changes. 12.2 HOB Wake-on-LAN Relay As discussed above HOB RD VPN Desktop-on-Demand can “wake up” remote computers that are switched off. To do this, a “Wake-on-LAN packet” is sent over the network from HOB RD VPN to the workstation computer. But in many network scenarios these Wake-on-LAN packets are not able to pass the firewalls. This problem can be solved easily by using the HOB Wake-on-LAN Relay. Figure 10: Desktop-on-Demand - Standard Deployment with Wake-on-LAN Relay The HOB Wake-on-LAN Relay is a software package that has to be installed on a server in the enterprise network. The Wake-on-LAN installation program is contained in HOB RD VPN installation package/disc. Wake-on-LAN packets are sent as a broadcast using the UDP protocol, but in this standard scenario the broadcast packets may be blocked by the second, internal 200 Security Solutions by HOB HOB RD VPN HOB RD VPN Desktop-on-Demand firewall (Firewall 2) from entering further into the internal network. The HOB WSP can send IP Unicast packets to the HOB Wake-on-LAN Relay. The Unicast packets can pass the firewall without problems. When the HOB Wake-on-LAN Relay receives one of these packets it sends broadcast UDP packets into the network and thus wakes up the target workstation. The following sections describe how to get the HOB Wake-on-LAN Relay up and started. The following steps are necessary: Installing HOB Wake-on-LAN Relay Configuring HOB WebSecureProxy 12.2.1 Installing the HOB Wake-on-LAN Relay The HOB Wake-on-LAN Relay is a software package that has to be installed on a server in the corporate network. This server should be permanently running to ensure uninterrupted service. The HOB Wake-on-LAN Relay is also available as a hardware solution. This is a small, energy-efficient embedded Linux machine. 
For more information visit the HOB Web site or contact the HOB support. The HOB Wake-on-LAN Relay needs to be installed only once per network section. The following steps are required to install the HOB Wake-on-LAN Relay on a server. 1. Logon to HOB RD VPN as the global administrator. Figure 11: HOB RD VPN Administration - Extensions 2. Click the Extensions link in the left area of the window. 3. Depending on the operating system of the server click the WakeOnLan Agent for Windows or WakeOnLan Agent for Unix/Linux link - this will download the installer package. 4. Run the installer containing the setup program for HOB Wake-on-LAN Relay. Security Solutions by HOB 201 HOB RD VPN Desktop-on-Demand HOB RD VPN Figure 12: HOB Wake-on-LAN Relay Installation - Introduction 5. The setup program will guide you through the installation process. Figure 13: HOB Wake-on-LAN Relay Installation - License Agreement 202 6. In this screen, accept the terms of the license agreement and click Next. 7. Now you will be asked to enter a Listen port (the port used by the HOB Wake-on-LAN Relay to wait for data from HOB WebSecureProxy, see Section 12.2.2 Configuring the HOB WebSecureProxy on page 204) and a Send port (the port which HOB Wake-on-LAN Relay uses to send Wake-onLAN packages to the workstation). Enter the desired values here. Security Solutions by HOB HOB RD VPN HOB RD VPN Desktop-on-Demand Figure 14: HOB Wake-on-LAN Relay Installation - Configure Ports 8. Click Next and you can set the location for the installation of the HOB Wake-on-LAN Relay files. Figure 15: HOB Wake-on-LAN Relay Installation - Choose Install Folder 9. Click Install and the HOB Wake-on-LAN Relay is installed as a service. It will be started automatically whenever you start the operating system. 
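The following is an added example, not HOB code and not the actual wire protocol of the HOB Wake-on-LAN Relay. It models what Sections 12.1.3, 12.1.6 and 12.2 describe: the standard Wake-on-LAN "magic packet" built from the stored MAC address, the validation a relay should perform before it turns a unicast trigger from the listen port into a broadcast on the send port, and the Delay (sec) wait in which HOB WSP polls the workstation's RDP port until it answers or the delay expires. The assumptions are that the relay receives a raw magic packet on its listen port and that the trigger source is limited to the HOB WSP address; the source allow-list and the 192.0.2.x addresses are constructed for illustration.

```python
"""Added example, not HOB code: the Wake-on-LAN mechanics behind Sections
12.1.3 and 12.2. build_magic_packet() is the UDP payload that wakes a stored
MAC address; is_magic_packet() is the validation a relay should do before it
broadcasts; WakeOnLanRelay is a listen-port to send-port relay with a source
allow-list; wait_for_rdp() is the 'Delay (sec)' wait, polling the RDP port
until the workstation answers or the delay expires. The wire format between
HOB WSP and the real HOB relay is not documented here, so the relay assumes it
receives a raw magic packet (assumption)."""
import re
import socket
import time
from typing import Callable, Optional

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def build_magic_packet(mac: str) -> bytes:
    """Magic packet: 6 x 0xFF synchronisation bytes, then the MAC 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon form) if payload is a well-formed magic
    packet, else None. 102 bytes is the plain form; 106/108 bytes allow a
    SecureOn password trailer, which is passed through unchanged."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_broadcast(payload: bytes, port: int, addr: str = "255.255.255.255") -> None:
    """UDP broadcast on the relay's send port; broadcasts do not cross routers,
    which is why the page asks for one relay per network section."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(payload, (addr, port))


class WakeOnLanRelay:
    """Turns unicast triggers received on the listen port into broadcasts on the
    send port. Two checks sit in front of the broadcaster: the trigger must come
    from an allowed source (the HOB WSP) and must be a valid magic packet, so the
    relay cannot be used as a generic broadcast amplifier."""

    def __init__(self, allowed_sources, send_port: int,
                 broadcast: Callable[[bytes, int], None] = send_broadcast,
                 log: Callable[[str], None] = print):
        self.allowed_sources = set(allowed_sources)
        self.send_port = send_port
        self.broadcast = broadcast
        self.log = log

    def handle(self, payload: bytes, src_ip: str) -> Optional[str]:
        """Returns the MAC that was woken, or None if the trigger was dropped."""
        if src_ip not in self.allowed_sources:
            self.log(f"drop: {src_ip} is not an allowed trigger source")
            return None
        mac = is_magic_packet(payload)
        if mac is None:
            self.log(f"drop: {len(payload)}-byte payload from {src_ip} is not a magic packet")
            return None
        self.broadcast(payload, self.send_port)
        self.log(f"woke {mac} via broadcast on UDP port {self.send_port}")
        return mac


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True once the workstation accepts a TCP connection on its RDP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_rdp(host: str, port: int = 3389, delay: int = 180, interval: float = 2.0,
                 probe: Callable[[str, int], bool] = tcp_probe,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll the RDP port until it answers or 'delay' seconds have passed (HOB WSP
    then reports 'connection failed'). clock/sleep are injectable for testing."""
    deadline = clock() + delay
    while True:
        if probe(host, port):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)
```

For a dry run without touching the network, construct the relay with a stub broadcaster, for example `WakeOnLanRelay({"192.0.2.1"}, send_port=9, broadcast=lambda p, port: None).handle(build_magic_packet("00:11:22:33:44:55"), "192.0.2.1")`, which returns the MAC that would have been woken; a trigger from any other source address or with a malformed payload returns None and is logged. In real use a receive loop binds the listen port and passes each datagram and its source address to handle(), and wait_for_rdp("192.0.2.10", 3389, 180) implements the Delay (sec) behaviour with the default 180 seconds.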
12.2.2 Configuring the HOB WebSecureProxy

To use the HOB Wake-on-LAN Relay, the following configuration steps are necessary in HOB WebSecureProxy:

1. Open the HOB RD VPN WebSecureProxy configuration program.
2. Select WSP Servers and then select the Wake-on-LAN tab in the right-hand pane.

Figure 16: HOB WebSecureProxy - Wake-on-LAN Tab

3. Select the Use Wake-on-LAN Relay checkbox. This activates the Add button so that you can specify new connection data for a Wake-on-LAN Relay server.
4. Enter a value in the Common port field if you want HOB WSP to use one common port for all Wake-on-LAN Relays. This port must match the Listen port entered when installing the relay.
5. Click the Add button to open the Add Wake-on-LAN Relay dialog.

Figure 17: Add Data for Wake-on-LAN Relay

6. Enter as Host IP address the address of the server on which the HOB Wake-on-LAN Relay is installed.
7. If you do not wish to use the same port for all Wake-on-LAN Relay addresses, deactivate the Use common port checkbox and enter a different port number in the Port field for this IP address.
8. Click Add in the dialog to add these data to the list and keep the dialog open.
9. Click Add & Close to add these data to the list and close the dialog.
10. Click Cancel to abandon any changes and close this dialog.
11. Save the changed configuration by selecting File > Save in the menu.

13 Virtual Desktop Integration

HOB Virtual Desktop Integration (HOB VDI) is an enterprise-level implementation of Virtual Desktop technology. Instead of accessing real desktop computers, this technology offers access to virtualized desktops on a remote central server. HOB VDI needs a current single-user operating system (SUOS) on each virtual desktop. The operating systems Microsoft Windows 8, Windows 7, Windows Vista and Windows XP are currently supported by HOB VDI.

Figure 1: HOB VDI Standard Deployment

With HOB VDI, your client environment moves the workload from the PC and other devices to a data center server. This makes the (virtual) client easier to manage, as applications and client operating environments are hosted on servers and storage in the data center. As a user you can access your desktop from any location without being tied to a single client device; because the resources are centralized, you still reach the same client environment, applications and data while moving between work locations. As an IT administrator, you get a more centralized and efficient client environment that is easier to maintain and that responds more quickly to the changing needs of users and the business.

13.1 HOB VDI – the Technology

HOB VDI gives SSL-encrypted access to single-user operating systems. On the client side HOBLink JWT, the Java RDP client, is used to display the remote session. On the client computer neither a local software installation nor administrator rights are required.

With HOB VDI there is a pool of VDI Single-User Operating Systems (SUOS). A free SUOS is automatically assigned when a user starts an RDP client. If the connection is interrupted, the SUOS remains in the disconnected state for a certain, configurable amount of time, and the user only needs to restart the RDP client to reconnect to the session automatically.

Compared with Windows Remote Desktop Services, HOB VDI has the advantage that applications which are not Remote Desktop Services-capable can be used. Also, under HOB VDI the individual users are more strongly isolated from each other, which is often a desirable security property. With HOB VDI, however, you require considerably more hardware than with Remote Desktop Services.

13.1.1 Load Balancing Technology

HOB uses a self-developed, patented load balancing technology for Windows Remote Desktop Services that is also used for HOB VDI. The RDP client sends small UDP packets to find a server or SUOS. These UDP packets are sent either as a broadcast or, using a server list, as UDP unicast packets to all servers or SUOS (or relays, see Section 13.5 Installing HOB VDI on page 209). If a SUOS is available, or if a reconnect can be made, that SUOS responds with a corresponding UDP packet. If the RDP client receives several UDP responses to its load balancing request, it selects the best-suited server or SUOS.

13.2 The HOB VDI Agent

The HOB VDI Agent is an inherent component of the HOB VDI solution and is installed on each SUOS. The HOB VDI Agent runs as a service and knows the current status of the SUOS. It receives UDP packets for load balancing or HOB VDI administration and, when required, responds with corresponding UDP packets.

Only one person at a time can work on a SUOS. The HOB VDI Agent ensures that a second person cannot log on to an active SUOS. A SUOS is released for a new connection only if:
- no user is logged on to the SUOS (a user who is merely disconnected from the session still counts as logged on)
- no user is in the process of logging on to the SUOS
- a user logoff from this SUOS has been carried out

13.3 The HOB VDI Control

The HOB VDI Control is an administration tool implemented as an MMC (Microsoft Management Console) snap-in for the HOB VDI solution, compliant with the standard MMC version 3. With this tool an administrator can query all HOB VDI SUOS and the current state of the corresponding systems. An administrator can also use the HOB VDI Control to intervene actively in a SUOS and force a disconnection or a user logoff, or to shut down or restart one or more SUOS. The HOB VDI Control tool sends UDP packets with encrypted passwords to the HOB VDI Agent.
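The following is an added example, not HOB code, that models the agent-side behaviour described in Sections 13.1.1 to 13.3 in one place: the reply to a load-balancing probe (free SUOS, or reconnect for the user who owns a disconnected session), the release rules of Section 13.2, and the control packets of Section 13.3 with a per-SUOS password list that distinguishes query-only from control passwords, a timestamp window and nonce tracking against replays. HOB's packet layout and password encryption are not documented on the page; the marker, the field layout and the use of an HMAC-SHA256 keyed with the password in place of encryption are assumptions made for illustration, and the password values and user names are constructed.

```python
"""Added example, not HOB code: a model of the HOB VDI Agent behaviour
described in Sections 13.1.1 to 13.3 (load-balancing reply, SUOS release
rules, authenticated control packets with replay protection). The packet
layout and the use of HMAC-SHA256 keyed with the password, in place of HOB's
undocumented password encryption, are assumptions made for illustration."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

MAGIC = b"HVDI"                      # assumed packet marker
QUERY_COMMANDS = {"status"}
CONTROL_COMMANDS = {"disconnect", "logoff", "shutdown", "restart"}
TAG_LEN = 32


def build_control_packet(password: str, command: str,
                         ts: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """What HOB VDI Control would send: marker | 8-byte timestamp | 16-byte
    nonce | command, authenticated by an HMAC under the password."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(16) if nonce is None else nonce
    body = MAGIC + struct.pack(">Q", ts) + nonce + command.encode()
    return body + hmac.new(password.encode(), body, hashlib.sha256).digest()


class VdiAgent:
    """Runs on each SUOS; knows its state and answers discovery and control packets."""

    def __init__(self, passwords: dict, window: int = 30):
        self.passwords = passwords          # password -> "query" or "control"
        self.window = window                # accepted clock skew in seconds
        self.seen = {}                      # nonce -> timestamp, for replay detection
        self.logged_on_user: Optional[str] = None
        self.disconnected = False
        self.logon_in_progress = False

    def available(self) -> bool:
        """Section 13.2: released only if nobody is logged on (even disconnected)
        and nobody is in the process of logging on."""
        return self.logged_on_user is None and not self.logon_in_progress

    def handle_discovery(self, user: str) -> bool:
        """Section 13.1.1: answer the client's load-balancing probe if free, or
        if this user can reconnect to their disconnected session."""
        return self.available() or (self.logged_on_user == user and self.disconnected)

    def handle_control(self, packet: bytes, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if len(packet) < 4 + 8 + 16 + 1 + TAG_LEN or packet[:4] != MAGIC:
            return "rejected: malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        privilege = None
        for pw, priv in self.passwords.items():   # which stored password signed this?
            if hmac.compare_digest(hmac.new(pw.encode(), body, hashlib.sha256).digest(), tag):
                privilege = priv
                break
        if privilege is None:
            return "rejected: bad password"
        ts = struct.unpack(">Q", body[4:12])[0]
        nonce = body[12:28]
        command = body[28:].decode(errors="replace")
        if abs(now - ts) > self.window:           # stale or future-dated: replay/clock skew
            return "rejected: stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:                    # same packet inside the window
            return "rejected: replay"
        self.seen[nonce] = ts
        if command in QUERY_COMMANDS:
            return self.status()
        if command in CONTROL_COMMANDS:
            if privilege != "control":
                return "rejected: password allows queries only"
            return self._apply(command)
        return "rejected: unknown command"

    def status(self) -> str:
        if self.logon_in_progress:
            return "logon in progress"
        if self.logged_on_user is None:
            return "free"
        return f"{self.logged_on_user}:{'disconnected' if self.disconnected else 'active'}"

    def _apply(self, command: str) -> str:
        """Section 13.3: active intervention (disconnect/logoff/shutdown/restart)."""
        if command == "disconnect":
            self.disconnected = True
        else:                                     # logoff, shutdown, restart end the session
            self.logged_on_user, self.disconnected, self.logon_in_progress = None, False, False
        return f"ok: {command}"
```

The order of checks matters: the authenticator is verified before any field is trusted, the timestamp window bounds how long a captured packet stays usable, and the nonce cache (pruned to the same window) closes the remaining gap inside the window. A packet signed with a query-only password is accepted for status but refused for shutdown, which is the query/intervention split the page describes for the per-SUOS password list. Because the tag covers the timestamp, nonce and command, altering any of them without the password yields "rejected: bad password".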
Each SUOS has a list of valid passwords, together with information on whether a password allows only queries or also active intervention in the SUOS. Each UDP packet also carries a timestamp along with the encrypted password, so that the agent can reject stale packets; this prevents replay attacks.

13.4 Requirements for HOB VDI

Requirements for the HOB VDI Agent

As a SUOS any of the following operating systems can be used:
- Microsoft Windows 8
- Microsoft Windows 7
- Microsoft Windows Vista
- Microsoft Windows XP

The SUOS can run under any virtualization software that supports this operating system, for example products from VMware, Microsoft or Citrix. The HOB VDI Agent has to be installed on each SUOS in the SUOS pool. HOB VDI needs an RDP server on the SUOS, which is not contained in the Home Editions of Microsoft Windows 8, 7, Vista or XP. This RDP server is contained only in the Professional, Business, Enterprise or Ultimate Editions of these operating systems.

Requirements for the HOB VDI Administration Tool

The HOB VDI Administration Tool runs under any operating system that has Microsoft .NET Framework 2.5 or later installed and that offers an MMC version 3 compatible Microsoft Management Console, such as Windows Vista or newer.

13.5 Installing HOB VDI

13.5.1 Installing HOB VDI Agent

The HOB VDI Agent needs to be installed on every SUOS. The following steps are required to install the HOB VDI Agent on a SUOS.

1. Log on to HOB RD VPN as a global administrator.
2. Click the Extensions link in the left area of the window.

Figure 2: HOB RD VPN Administration - Extensions

3. Click the VDI WSP link; this downloads the installer HOB_VDI.exe.
4. Run the HOB_VDI.exe program, which is the setup program of HOB VDI. The setup program guides you through the installation process.

Figure 3: HOB VDI Installation - Introduction

5. Click Next on each page to move to the next dialog in this process.

Figure 4: HOB VDI Installation - Select Installation Type

6. In the dialog Please select a setup type choose Custom and select a location where the installation files are to be saved. Now click Next.
7. In the dialog Select Features choose HOB VDI Agent.

Figure 5: HOB VDI Installation - Select Installation Features

8. Click Next. Continue with the other dialogs and finish the installation.

After the installation this SUOS is ready to be accessed from the HOB WSP as part of HOB VDI.

13.5.2 Installing HOB VDI Control

The following steps are required to install the HOB VDI Control on a host or on a PC. The HOB VDI Control needs to be installed only once.

1. Log on to HOB RD VPN as a global administrator.
2. Click the Extensions link in the left area of the window.
3. Click the VDI WSP link; this downloads the installer HOB_VDI.exe. Continue with the process as described in Section 13.5 Installing HOB VDI on page 209.
4. In the dialog Please select a setup type choose Custom.

Figure 6: HOB VDI Installation - Select Installation Features

5. Now under Select Features make sure that you select HOB VDI Control. Click Next, and finish the installation process as before.

After the installation you can open the HOB VDI Control via the Microsoft Management Console.

13.6 Configuring HOB VDI

In order to provide access via HOB VDI for your users, you have to configure the HOB WebSecureProxy. The next step is to create an outgoing connection that uses HOB VDI.

Configuring HOB WebSecureProxy for VDI

1. Start the HOB RD VPN WebSecureProxy configuration program.
2. Click the RDP Targets item under Outgoing connections in the left-hand pane.
3. Click the Add button to create a new entry and enter the name of the new server list, such as VDI Server List.

Figure 7: HOB WSP - Server List Configuration

4. Click the Add button again to create a new scheme in this list. Enter the name of your choice in the Name field, for example Example VDI Server.
5. On the Server Configuration tab, select VDI from the Mode drop-down list. The appearance of the remainder of this tab changes depending on the mode you select here.

Figure 8: HOB WSP - Server Configuration VDI Connection Mode

Name – enter the name to be used for this HOB VDI connection.
Mode – select from the dropdown box the connection mode to be used. For a HOB VDI connection only the HOB VDI mode can be chosen.
Use Network Adapter – select from the dropdown box the network adapter to be used. The network adapters are configured as part of the HOB WSP configuration. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined Protocol – select from this dropdown box the predefined protocol to be used for this connection, for example RDP Windows Terminal Server–HOB EXT-1. This is a HOB protocol created to allow the connection to be made.
Timeout (sec) – enter here the time in seconds after which an unanswered connection attempt is timed out. The default setting is 600 seconds.

6. Under Connection type select either Broadcast or Server List. If your HOB RD VPN installation and the target servers are not in the same network (for example HOB RD VPN is in the DMZ and the servers are in the LAN), broadcasts cannot be used, so you have to use the Server List.
7. If you are using Server List, add one or more entries to the server list using the Add or Browse button. You can use the Edit and Remove buttons to further refine this list.
8. Save the settings and close the HOB WebSecureProxy configuration tool.

14 Remote Desktop Access using VNC

Virtual Network Computing (VNC) is a widely used graphical desktop sharing system that uses the RFB protocol to remotely control another computer through its graphical user interface. VNC is platform-independent: a VNC viewer on one operating system may connect to a VNC server on the same or any other operating system, and multiple clients may connect to a VNC server at the same time.

The HOB VNC Bridge component allows users to reach their VNC desktop sharing systems using HOBLink JWT. HOB RD VPN uses the HOB VNC Bridge to replace the RFB protocol with RDP on the public Internet or WAN leg of the communication, which results in significantly improved performance: RDP has been shown to be faster than RFB and needs less bandwidth. For this reason RDP is used for all communication over the public Internet or a WAN, while RFB is used only internally within the network. RFB is designed for remote access to graphical user interfaces and is applicable to all systems and applications that use windows, including X11, Microsoft Windows and Macintosh.

14.1 Configuring VNC Targets

The HOB VNC Bridge is an application that converts RDP protocol messages into the RFB protocol used by VNC servers. The VNC Bridge comes in two forms, so when you click Add to create a new target you are prompted to select either a static (1:1 Proxy Gateway) or a dynamic (Dynamic Proxy Gateway) VNC Bridge for the connection:
- Static VNC Bridge – establishes a regular, direct 1:1 proxy gateway connection from one machine to another machine belonging to the specified server list.
- Dynamic VNC Bridge – creates a proxy gateway connection between the user workstation and a server of the server list, but the server IP address is assigned dynamically only when the connection is established.

1. To create a target, open the administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen. Under Outgoing Connections you see the list of predefined targets. From this list select VNC Targets.

Figure 1: HOB WSP - Outgoing Connections - VNC Targets

2. Now click Add to begin the configuration by adding a VNC Target to the list of outgoing connections.

Figure 2: HOB WSP - Outgoing Connections - VNC Server List

3. Here you enter the Name you will use for this VNC server list. Click Add again to add a server to the server list and configure it using the Server Configuration tab.

Figure 3: HOB WSP - Outgoing Connections - VNC Server Configuration

There are two possible modes or types of VNC connection:
- 1:1 Proxy Gateway – a connection from a specific machine to another target machine over the HOB WSP
- Dynamic Proxy Gateway – a connection from a machine to another target machine over the HOB WSP, the target machine being chosen dynamically and not permanently configured

Each mode has different requirements, so the dialog changes according to the mode selected.

14.2 Configuring a Static VNC Bridge Connection

For a Static VNC Bridge connection using the 1:1 Proxy Gateway mode you also need to configure a specific VNC server.
Open the HOB RD VPN WebSecureProxy configuration; the following screen is shown:

Figure 4: Outgoing Connection - Static VNC Bridge - Server Configuration

Name – enter the name to be used for this connection to the desired target.
Mode – for Static VNC connections select the connection mode 1:1 Proxy Gateway, which gives a direct connection from one machine to another.
Use Network Adapter – select from the dropdown box the network adapter to be used. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined Protocol – this dropdown box contains the predefined protocol to be used for this connection. By default it is RDP Windows Terminal Server–HOB EXT-1, a protocol created by HOB to allow the connection to be made. This field is disabled and cannot be changed.
Timeout (sec) – enter here the time in seconds after which an unanswered connection attempt is timed out. The default setting is 600 seconds. This field is active only for a 1:1 Proxy Gateway mode VNC connection.
1:1 Proxy Gateway – this box contains the fields where you enter the data required to establish a 1:1 Proxy Gateway mode connection:
Host IP Address – enter here the IP address of the host machine that you are building a connection to.
Host Port – enter here the number of the port to be used for this connection. Port 5900 is entered by default for VNC connections.

14.2.1 Configuring the HOB WSP for Static VNC Bridge

Click the third tab, VNC Server, and you see the following dialog:

Figure 5: Outgoing Connection - Static VNC Bridge - VNC Server Configuration

Password – enter here the password that grants access to the VNC server. Note that this is a single secret stored in the HOB WSP configuration for this target, not a per-user credential, so the configuration storage must be protected accordingly.
Server maps keys – check this box to ignore the keystroke setting on the client and let the VNC server map keystrokes instead; leave it unchecked to keep the client keystroke settings.
Server maps capslock – check this box to let the server ignore the state of the Caps Lock key on the client and have the VNC Bridge send the text fully capitalized; leave it unchecked to keep the client settings.
Shared connection – check this to allow multiple VNC client connections to be used simultaneously. The VNC server can forbid this regardless of the setting here. This is checked by default.
Use local cursor – check this to let multiple users share the cursor on the server. This saves resources, as the cursor is sent only once, but a user may lose sight of its actual location if another user moves it, as the server does not constantly update the cursor position. This is checked by default.
Use clipboard – check this to allow the clipboard to be used to copy text (text only) between the local machine and the server. This is checked by default.

14.3 Configuring a Dynamic VNC Bridge Connection

When configuring a Dynamic VNC Bridge connection, a static 1:1 proxy gateway connection cannot be made (there is only a dynamic connection, and a direct 1:1 connection to a specific machine does not occur), and no specific VNC server configuration is required.

Figure 6: Outgoing Connection - Dynamic VNC Bridge - Server Configuration

Name – enter the name to be used for this connection to the desired target.
Mode – for Dynamic VNC connections select the connection mode Dynamic Proxy Gateway, which gives a direct connection from one machine to a dynamically selected, configured destination machine in the network.
Use network adapter – select from the dropdown box the network adapter to be used. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined protocol – this dropdown box contains the predefined protocol to be used for this connection. By default it is RDP Windows Terminal Server–HOB EXT-1, a protocol created by HOB to allow the connection to be made. This field is disabled and cannot be changed.
Timeout (sec) – enter here the time in seconds after which an unanswered connection attempt is timed out. The default setting is 600 seconds. This field is disabled for a dynamic VNC connection.

14.4 Using the HOB VNC Bridge

HOB RD VPN uses the HOB VNC Bridge to remotely control another computer through its graphical user interface. The HOB VNC Bridge can be used to access systems running Windows (including Home editions), Linux, Unix and Mac (in this case Apple Remote Desktop (ARD) is used) that have a VNC server installed. Once the connection to the target machine has been made, you can operate that machine as if you were sitting directly at it, seeing and using its graphical user interface.

15 Remote Desktop Access using SSH

SSH (Secure Shell) is a network protocol used for secure data communication, remote shell services or command execution and other secure network services between two networked computers. SSH connects a server (running SSH server programs) and a client (running SSH client programs) via a secure channel over an insecure network.

15.1 SSH Targets

To configure a remote desktop connection using SSH you need to configure the HOB WSP. To do so, take the following steps:

1. Log on and start the HOB RD VPN Administration interface.
2. Select the Servers element of your internal hierarchy and select WebSecureProxy > Configure.
3. The WebSecureProxy configuration interface is displayed. Select Outgoing Connections > SSH Targets.

Figure 1: HOB WSP SSH Target Configuration - Start Screen
Click Add to create a new outgoing connection that will use SSH. 5. The server list screen for this target is displayed. Enter the name for this target server list, for example SSH Server List. Security Solutions by HOB 223 Remote Desktop Access using SSH HOB RD VPN Figure 2: HOB WSP SSH Target Configuration - Server List 6. Now click Add to configure a server for this connection. This brings up the Server Configuration screen: Figure 3: HOB WSP SSH Target Server Configuration In this screen you enter the following information: 224 Name – enter the name to be used for this connection to the desired target. Mode – for SSH connections the connection mode 1:1 Proxy Gateway is the only selection that can be made, and is the default. Security Solutions by HOB HOB RD VPN Remote Desktop Access using SSH Use network adapter – select from the dropdown box the network adapter to be used. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting. Predefined protocol – this dropdown box contains the predefined protocol to be used for this connection. By default it is RDP Windows Terminal Server–HOB EXT-1, a protocol created by HOB to allow the connection to be made. This field is disabled and cannot be changed. Timeout (sec) – enter here the amount of time in seconds the client must wait before a connection is timed out. The default setting is 600 seconds. 1:1 Proxy Gateway – this box contains fields where you enter data required to establish a 1:1 Proxy Gateway mode connection. Host IP address – enter here the IP address of the host machine that you are building a connection to. Host port – enter here the number of the port to be used for this connection. The port 22 is entered by default for SSH connections. 7. Save the configuration by clicking File > Save from the main menu. 8. Now select the role to which this outgoing connection is to be assigned (in the example shown here is for the PowerUser role). 
Figure 4: HOB WSP Roles - SSH Server List 9. Go to User > Settings and select the tab Privileges > Server Lists. From this list select SSH Server List, which has just been created. 10. Save the configuration (main menu > File > Save), and the SSH target has been configured and is ready for use. Security Solutions by HOB 225 Remote Desktop Access using SSH HOB RD VPN 15.2 Using SSH HOB RD VPN uses the SSH protocol to secure connections from the system server running SSH to the target machine running SSH client programs. If the connection between the two runs over an insecure network, such as the public Internet, then SSH adds security to the connection to prevent data loss or manipulation. 226 Security Solutions by HOB HOB RD VPN Terminal Emulations 16 Terminal Emulations HOB RD VPN delivers HOBLink J-Term 3.6 as the Terminal Emulation solution for the following systems: TN 3270 TN 5250 Telnet VT HP700 Siemens 9750 (BS2000) HOBLink J-Term uses the HOB EA Administration feature for central administration and configuration. It uses HOBLink Secure for the encryption of communication data. To successfully configure HOB RD VPN for use with Terminal Emulations, two steps must be completed: 1. Configuring the HOB WebSecureProxy 2. Configuring HOBLink J-Term 16.1 Configuring HOB RD VPN for Terminal Emulations The administration portal of HOB RD VPN is known as HOB EA Administration (HOB EA Admin) and is a Java-based application. This program enables the following: The creation and administration of users, groups and containers and their settings Configuration of the HOB RD VPN applications Configuration of HOB WSP 16.1.1 Configuring the HOB WebSecureProxy 1. Log in with Global Administrator credentials to the HOB RD VPN Administration page. Security Solutions by HOB 227 Terminal Emulations HOB RD VPN Figure 1: HOB RD VPN Administration Start Screen 2. From the links column on the left, select EA-Admin, and then log in to EA Admin with your Global Administrator credentials. 
3. The HOB EA Administration dialog appears.
Figure 2: HOB EA Administration screen
4. Select the organizational unit servers (ou=servers) in the domain component internal (dc=internal) and then click the directory content item cn=WebSecureProxy.
5. Click the > (arrow) button in the dropdown box, select WebSecureProxy and click Configure.
6. The HOB WSP screen opens.
Figure 3: HOB WebSecureProxy Configuration Screen
7. In this screen select Outgoing Connections, as you want to create a connection from the HOB WebSecureProxy to a target machine.
8. Under Outgoing Connections, select the server type you wish to access. In this example a 3270 session is being configured, so select 3270 Targets and click Add to create a connection to a 3270 server.
Figure 4: HOB WSP Outgoing Connections - 3270 Targets
9. The Server List tab is now shown. Give this server list a name, such as Terminal Emulation Server List.
Figure 5: HOB WSP 3270 Targets - Server List
10. This server list now needs to be populated. Click Add.
Figure 6: HOB WSP 3270 Targets - Server Configuration
The fields on this screen that need to be completed are as follows:
Name – enter the name you want to use for this 3270 server configuration. Here Example 3270 Server is used.
Mode – select the connection mode to be used from the dropdown box. The modes available for a 3270 server connection are as follows (other modes are available for other Terminal Server connections):
- 1:1 Proxy Gateway – a direct connection from one machine to another
- WTS Load Balancing – used when you have a simultaneous connection to a group of machines.
  To use this mode you must already have configured a number of servers that the connection can be made to
- VDI-WSP – a connection to virtualized desktops on a remote central server, only available when VDI is enabled on the HOB WSP
Each connection mode has different requirements, so the dialogs that you see change according to the mode selected.
Use Network Adapter – select the network adapter to be used from the dropdown box. An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined Protocol – this dropdown box contains the predefined protocol to be used for this connection. By default it is TELNET 3270. This field is disabled and cannot be changed.
Timeout (sec) – enter the time in seconds that the client waits before a connection is timed out. The default setting is 600 seconds.
1:1 Proxy Gateway – this box contains the fields for the data required to establish a 1:1 Proxy Gateway mode connection:
Host IP Address – enter the IP address of the host machine that you are connecting to.
Host Port – enter the number of the port to be used for this connection. The port 23 is entered by default for VNC connections.
11. Save the configuration using Main menu > File > Save.
12. Select the entry Roles in the tree structure at the left and select the role for which this configuration is being made. In this example, the configuration is being made for the role User.
13. On the Settings tab select the tab Privileges and then the tab Server Lists. Check the box next to the newly configured Terminal Emulation Server List.
Figure 7: HOB WSP Roles - Privileges - Server Lists
14. Save the configuration (Main menu > File > Save) and return to the HOB EA Admin start screen.
15. Now configure the terminal emulation, in this case HOBLink J-Term, that will allow you to access this server over this connection. Select the item for which you want to configure a terminal emulation (HOBLink J-Term) session. You can select an item from the Organization Hierarchy pane, in which case the configuration applies to all subordinate units. In the example shown below in Figure 8, the item dc=hobsoft has been selected. The HOBLink J-Term session configured here will apply to all organizational units (ou) in this container. If you only want to configure the session for an individual user or user group, expand the directory container (dc) and select the user or group for which the configuration is to be made from the expanded list.

16.1.2 Configuring HOBLink J-Term
1. To configure HOBLink J-Term, open the HOB RD VPN administration interface and select the item you want to create the connection for, such as a User or a Group. From the dropdown box select Sessions > HOBLink J-Term > Configure. This opens the HOBLink J-Term administration screen.
Figure 8: HOB RD VPN Administration – Sessions - HOBLink J-Term
2. In the HOBLink J-Term Administration screen you can create and configure your HOBLink J-Term sessions.
Figure 9: HOBLink J-Term Administration - Start Screen
3. In the Member Rights tab, select the rights to be assigned to the individual user, the members of the user group or the members of the domain component that you are currently configuring.
4. Select the Sessions menu item and click the New button at the bottom of the dialog.
Figure 10: HOBLink J-Term Administration - Sessions
5. In the pop-up menu that appears, select either Display Session (used on a PC to start host applications and take advantage of all the functions of a terminal) or Printer Session (makes it possible to use a PC printer as a host printer) for the new session and click OK.
Figure 11: HOBLink J-Term Administration - Select Sessions Popup
6. For each session type, you can select the available schemes to apply to your configuration from the Scheme Type lists Connection, Display, Screen Print and Color on the Session tab.
7. Using the Schemes menu item you can create new schemes for use in the session you are configuring. The schemes created here can subsequently also be assigned to other existing or newly created sessions. To see the various schemes that can be configured with this tool, expand the Schemes list by clicking the + (plus) sign next to the menu item Schemes.
Figure 12: HOBLink J-Term Administration - Schemes
The schemes you can configure using this dialog are:
Connection – Select an existing connection scheme or create a new one to be used in the current session configuration. For terminal emulations with HOBLink J-Term you can select from the following connection types:
- TN3270E
- TN5250
- Telnet VT
- SSH
- HP700
- Siemens 97801
- Siemens 9750
Host Printer – In this scheme you can, for example, set up host printer margins, enable an Escape printer or use protocol-dependent settings.
Display – In this scheme you can set the display appearance of the relevant session, for example the font or cursor shape, as well as the clipboard options or specific protocol options.
Screen Print – Select and configure printers for the relevant session.
Color – Set or modify display and GUI colors.
Macro – Select, create or edit macros.
File Transfer – Select, create or edit file transfer schemes. You can choose from the FTP or IND$FILE (MVS/TSO, VM/CMS, or CICS/VSE) protocols.
Keyboard – Create a new or select an existing keyboard scheme for your configuration. With this setting you can assign keyboard actions such as key sequences, function keys or macros to a selected key.
Keypad – Create a new or select an existing keypad for on-screen display and use.
Mouse – Create a new or select an existing mouse scheme to define mouse-button actions for the session to which it applies.
Hotspots – Create new or select existing on-screen hotspots for various actions (for example macros or function keys).
Menu – Create new or select or edit existing menu items for use in either display or printer sessions.
Toolbar – Create new or select existing toolbar schemes, where you can for example customize toolbar icons.
Others – Customize your session windows (show/hide toolbar, menu bar, status bar), enter user-defined options, VT settings and HTTP proxy settings.
Backup Connections – Create new or select existing backup connection schemes to apply to your session. If the primary connection scheme fails for any reason, the backup connection schemes are tried in order of their priority until a connection can be established.
Conversion Table – Create a new or select an existing conversion table for use with file transfer and host printer data.
APIs – Select or create a scheme to determine the API settings for your session.
To configure a scheme, click the New button at the bottom of the screen and enter the necessary data in the fields on the tab that opens for the respective scheme.

16.2 Configuring TN3270 Targets
TN3270 is the Telnet protocol used by an IBM 3270 class terminal to communicate over a TCP/IP network. To configure a 3270 target, follow the steps outlined in the previous section, Section 16.1 Configuring HOB RD VPN for Terminal Emulations on page 227.
16.3 Configuring TN5250 Targets
TN5250 is the Telnet protocol used by an IBM 5250 class terminal to communicate over a TCP/IP network.
1. In the same manner as in the previous sections (see Section 16.1 Configuring HOB RD VPN for Terminal Emulations on page 227), select the target that you wish to configure from the Outgoing Connections list of the HOB WebSecureProxy configuration dialog.
Figure 13: HOB WSP - Outgoing Connections
2. To configure a TN5250 target, select TN5250 Targets from the Outgoing Connections list.
Figure 14: HOB WSP - Outgoing Connections 5250 Targets
3. Click Add and the server list screen for this target is displayed. Enter a name for this target server list, for example Server List 5250.
Figure 15: TN5250 Targets Server List
4. Click Add. You will see the following screen:
Figure 16: TN5250 Targets - Server Configuration
Name – enter the name to be used for this connection. In this example the name 5250_Server is used.
Mode – select the connection mode to be used from the dropdown box. The modes available for a 5250 server connection are as follows (other modes are available for other Terminal Server connections):
- 1:1 Proxy Gateway – a direct connection from one machine to another
- WTS Load Balancing – used when you have a simultaneous connection to a group of machines. To use this mode you must already have configured a number of servers that the connection can be made to
- VDI-WSP – a connection to virtualized desktops on a remote central server; this mode is available only when VDI is enabled on the HOB WSP
Each connection mode has different requirements, so the dialogs that you see change according to the mode selected.
Use network adapter – select the network adapter to be used from the dropdown box.
An entry of Any in this field means that the operating system decides which adapter to use. This is the default setting.
Predefined protocol – this dropdown box contains the predefined protocol to be used for this connection. By default it is TELNET 5250. This field is disabled and cannot be changed.
Timeout (sec) – enter the time in seconds that the client waits before a connection is timed out. The default setting is 600 seconds.
1:1 Proxy Gateway – this box contains the fields for the data required to establish a 1:1 Proxy Gateway mode connection:
Host IP Address – enter the IP address of the host machine that you are connecting to.
Host Port – enter the number of the port to be used for this connection. The port 23 is entered by default for VNC connections.
5. Save the configuration using Main menu > File > Save.
6. Select the entry Roles in the tree structure at the left (as described in the previous sections) and select the role for which this configuration is being made.
Figure 17: Roles - Server Lists
7. In this example, the configuration is being made for the role User. On the Settings tab select Privileges, then select the tab Server Lists and check the box next to Server List 5250.

16.4 Configuring Telnet Targets
Telnet is a network protocol used on the Internet or in a LAN to provide bidirectional interactive text-oriented communication using a virtual terminal connection. User data is interspersed in-band with Telnet control information in a data connection over TCP.
1. In the same manner as in the previous sections (see Section 16.1 Configuring HOB RD VPN for Terminal Emulations on page 227), start the HOB WebSecureProxy configuration dialog.
2. Select the target that you wish to configure from the Outgoing Connections list, in this case Telnet Targets.
Figure 18: HOB WSP Outgoing Connections - Telnet Targets
3. Click Add to create a server list for this target.
Figure 19: HOB WSP Server List - Telnet
4. Enter the name for this target server list and click Add. This screen is shown:
Figure 20: Outgoing Connection - Telnet Target Configuration
Name – enter the name of the connection to be used.
Mode – select the connection mode to be used from the dropdown box. The possible modes are as follows:
- 1:1 Proxy Gateway – a direct connection from one machine to another
- WTS Load Balancing – used when you have a simultaneous connection to a group of machines. To use this mode you must already have configured a number of servers that the connection can be made to
- VDI – a connection to virtualized desktops on a remote central server, only available when VDI is enabled on the HOB WSP
Each connection mode has different requirements, so the dialogs that you see change according to the mode selected.
Use network adapter – select the network adapter to be used from the dropdown box. The default is Any.
Predefined protocol – select the Telnet protocol to be used from the list.
Timeout (sec) – enter the time in seconds that the client waits before a connection is timed out. The default is 600 seconds.
The remainder of this tab contains data fields that are specific to the connection mode that has been selected.
1:1 Proxy Gateway – this box contains the fields for the data required to establish a 1:1 Proxy Gateway mode connection:
HOBCOM proxy – check this box to activate the HOBCOM Proxy server for connections to a Windows Terminal Legacy machine.
Host IP address – enter the IP address of the host machine that is to be the target of this connection.
Host port – enter the port number you wish to use for the connection to the desired target machine. The port 23 is entered by default for Telnet connections.
5. Save the configuration using Main menu > File > Save.
6. Select the entry Roles in the tree structure at the left (as described in the previous sections) and select the role for which this configuration is being made.
Figure 21: Roles - Server Lists
7. In this example, the configuration is being made for the role PowerUser. On the Settings tab select Privileges, then select the tab Server Lists and check the box next to Telnet Server List.

17 HOB RD VPN Web Server Gate – Intranet Access
The HOB RD VPN Web Server Gate component provides your enterprise with secure access from remote locations over the Internet to web servers and pages that are internal to the enterprise. Enterprise-internal web servers are normally protected by firewalls and therefore cannot be accessed over the Internet. The HOB RD VPN Web Server Gate enables the user to specify a server to contact. Any data then sent to this server comes first to the HOB RD VPN Web Server Gate, which reroutes the SSL-encrypted data over the HOB WSP to the desired server. Authorized users can thus remotely access web-based services inside the corporate network from anywhere in the world. E-mail access over the Outlook Web Access front end of the Microsoft Exchange Server is also possible.
As all browser connections are rerouted through the HOB RD VPN Web Server Gate and therefore are not accessed directly from their server of origin, they violate the Same Origin Policy, which is a fundamental policy for browser security.
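Because every page relayed by the gate is served from the gate's own origin, two things the text goes on to describe have to be done by the relay itself: deciding which servers it may contact at all (the target filter listed among the recommended measures in this chapter) and translating the hyperlinks of fetched intranet pages so that they also lead through the gate (Section 17.2). The following is an added example for this guide, not HOB's implementation: an allowlist check for the requested target and a link rewriter that reports the links it could not resolve, which is the caveat Section 17.2 makes. The host names, the gate URL prefix, the attribute list and the sample page are constructed.

```python
"""Added example (not HOB code): a target allowlist and intranet hyperlink
rewriting for a web relay such as the Web Server Gate. Hosts, the gate prefix
and the sample page are constructed for this example."""
import re
from urllib.parse import urljoin, urlsplit, quote

# Constructed allowlist: exact hosts and domain suffixes the gate may relay to.
ALLOWED_HOSTS = {"intranet.example.test", "mail.example.test"}
ALLOWED_SUFFIXES = (".corp.example.test",)
GATE_PREFIX = "https://rdvpn.example.test/wsg/"   # constructed gate entry point


def target_allowed(url: str) -> bool:
    """True if the gate may relay to this URL. The host is taken from the parsed
    URL, so 'http://intranet.example.test@external.test/' is judged by its real
    host (external.test), not by the user-info part that precedes the '@'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def gate_url(target: str) -> str:
    """Map an absolute intranet URL to the form that routes it through the gate."""
    return GATE_PREFIX + quote(target, safe="")


# Attributes that carry URLs; quoted values only, which is enough for this example.
_URL_ATTR = re.compile(r'''(?i)\b(href|src|action)\s*=\s*(["'])(.*?)\2''')


def rewrite_page(html: str, page_url: str):
    """Rewrite href/src/action attributes of an intranet page so that they go
    through the gate. Relative and root-relative links are first resolved against
    page_url. Returns (new_html, unresolved); unresolved lists the original values
    left untouched: scripted links, non-HTTP schemes and targets off the allowlist."""
    unresolved = []

    def replace(m):
        attr, quote_char, raw = m.group(1), m.group(2), m.group(3).strip()
        absolute = urljoin(page_url, raw)
        scheme = urlsplit(absolute).scheme.lower()
        if scheme in ("javascript", "mailto", "data") or not target_allowed(absolute):
            unresolved.append(raw)
            return m.group(0)
        return f"{attr}={quote_char}{gate_url(absolute)}{quote_char}"

    return _URL_ATTR.sub(replace, html), unresolved


# Constructed sample page as an internal server might deliver it.
SAMPLE_PAGE = (
    '<a href="/hr/index.html">HR</a> '
    '<a href="http://wiki.corp.example.test/Main">Wiki</a> '
    '<a href="http://external.test/">External</a> '
    '<a href="javascript:openHelp()">Help</a> '
    '<img src="logo.png">'
)
```

Links built at run time by scripts never appear as attribute values in the delivered HTML, which is why a rewriter of this kind cannot resolve them and why the manual warns that some intranet hyperlinks will not be translated.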
In the event that a malicious server manages to establish contact with the HOB RD VPN Web Server Gate, this could affect the integrity of the HOB RD VPN Web Server Gate and, through this, the other trusted servers with which the HOB RD VPN Web Server Gate is in contact. With this in mind, HOB strongly recommends that the following measures are implemented to resist this:
- Prohibit or restrict access to external web servers through the HOB RD VPN Web Server Gate (this can be done by using a target filter, a firewall or a whitewall, for example)
- Control internal web servers, making sure they are free of fraudulent code
- Reduce the period of validity for cookies, so that a threat agent has less time to abuse a captured session (this can however be inconvenient)
- Close any web application with a true termination, meaning that a proper logout must be completed and not just the window closed
Remote access with HOB RD VPN is secured via HTTPS. Only after successfully authenticating at the HOB RD VPN Web Server Gate can a user communicate with an internal server. The scenario shown below depicts a connection to an internal web server that is set up to use the HOB RD VPN Web Server Gate.
Figure 1: HOB RD VPN Web Server Gate - Standard Scenario
All of the browser connections are routed over the HOB RD VPN Web Server Gate and then relayed by it to the web server.

17.1 Configuring the HOB RD VPN Web Server Gate
The HOB RD VPN Web Server Gate is configured through the HOB WebSecureProxy configuration interface.
Enabling Bookmarks for the HOB Navigation Screen
1. To enable bookmarks to be created, open the administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
2. Select Roles and choose the individual role for which you wish to configure the HOB Web Server Gate. The Settings tab for this role is then shown on screen.
3. From the tabs on this dialog select Privileges > User Settings, as shown here:
Figure 2: Roles - User Settings Screen - Privileges - Web Server Gate Bookmarks
Name – this field contains the name that you assign to this particular role.
4. On the Privileges – User Settings tab itself you can select the settings and bookmarks you wish to enable. Select Bookmarks for Web Server Gate.
5. Close the screen. Users with this role can now set their own bookmarks, which will be shown permanently on the navigation screen of HOB RD VPN.

17.2 Using the HOB RD VPN Web Server Gate
A special task for the HOB RD VPN Web Server Gate is to establish connections between locations within the Intranet and then establish links from these locations to other internal web servers, as illustrated in the figure below.
Figure 3: HOB RD VPN Web Server Gate - Sub-network Scenario
Intranet Hyperlinks on HTML Pages of Internal Web Servers
To make these hyperlinks also accessible for external access over the Internet, the HOB RD VPN Web Server Gate methodically examines the currently open internal HTML page for corresponding hyperlinks. Their syntax is translated in such a way that the linked Intranet pages can be opened when they are accessed over the Internet. A wide variety of hyperlink types are used in Intranets; the number of existing formats is very large and still growing. It is therefore unlikely that all Intranet hyperlink formats will be known, and as there cannot be 100% certainty that Intranet hyperlinks will always be translated as expected, some cannot be resolved.

17.2.1 Creating Bookmarks for the HOB Navigation Screen
There are two methods of creating permanent bookmarks (or hyperlinks) on the navigation screen for the HOB RD VPN Web Server Gate.
The global administrator can create bookmarks that will appear for all users of a certain role, and the users themselves can create their own bookmarks.
Creating Bookmarks – Global Administrator
1. Open the administration interface of HOB RD VPN and select HOB RD VPN 2.1 > User Settings > Configure. This opens the HOB WebSecureProxy configuration screen.
2. Select Bookmarks > Web Server Gate and you will see this screen:
Figure 4: WSP Bookmarks - Web Server Gate
3. Click Add to create a new bookmark. The following dialog is shown:
Figure 5: WSP Bookmarks - Web Server Gate
Name – enter the name you wish to use for this bookmark.
URL – enter the URL that you want associated with this name. Use the Search icon to locate the required URL.
Up, Down – use these to arrange the order of the bookmarks on the navigation screen.
Use the Save and Close buttons when you have finished creating the Web Server Gate bookmarks. The bookmarks that have been created in this way appear on the navigation screen for all users associated with the assigned role.
Creating Bookmarks – User
1. Start the navigation screen of HOB RD VPN and select User Settings.
Figure 6: HOB RD VPN Navigation Screen
2. Select the Settings bookmark; this brings up the dialog below:
Figure 7: HOB RD VPN - WSG Bookmarks
There are two icons on this screen:
- Use the first icon to add a new bookmark to the list. When clicked, a field appears on the screen where the required name and URL for the bookmark can be entered.
- Use the second icon to delete a selected bookmark from the list.
3. Use the Up and Down arrows to adjust the order in which the bookmarks are displayed on the navigation screen.
Figure 8: HOB RD VPN Navigation Screen
4. When you are satisfied with your bookmarks, click Save All to save and return to the navigation screen. The example bookmarks can now be seen on this screen under Access to Web Applications and Intranet.

17.3 HOB Single Sign-on – Auto Logon to Intranet Servers
The HOB RD VPN Web Server Gate contains an auto logon feature, the HOB Single Sign-on. With this function users of the HOB RD VPN Web Server Gate do not need to authenticate several times over many logon pages. Only one authentication is required: when a user initially logs on to HOB RD VPN.
When setting up HOB Single Sign-on, certain important pieces of information must be specified. These are generally the user name, the user password, the location (normally in the form of a URL) of the site the user wishes to access, and the notification that a logon is desired (usually the Logon button on the logon dialog).
Single Sign-on is the name of the HOB auto logon facility and it works in the following manner:
1. The user logs into HOB RD VPN and the HOB RD VPN Web Server Gate page is displayed.
Figure 9: HOB RD VPN Login Screen
2. The HOB RD VPN Web Server Gate recognizes whether the user is configured to use Single Sign-on.
3. The user selects a destination to go to from the HOB RD VPN Web Server Gate.
4. When redirecting to this destination, the Single Sign-on facility forwards the user logon information provided to the destination logon page and automatically completes the logon process without the user needing to enter any more information.
Single Sign-on is configured with the HOB WebSecureProxy configuration tool, as follows:
1. Open the administration interface of HOB RD VPN and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
Select Extensions and you will see this screen:
Figure 10: HOB WSP Extensions
2. Under Extensions select Integrated Web Server, then the Single Sign-on tab, and you will see the following:
Figure 11: HOB WSP Integrated Web Server - Single Sign-on
The icons on this tab do the following:
- bring up the dialog below to allow you to add a new Single Sign-on configuration to the list
- edit the selected Single Sign-on configuration
- delete the selected Single Sign-on configuration from the list
Figure 12: HOB WSP Integrated Web Server - Add Single Sign-on Page
Name – enter a name for this Single Sign-on configuration.
URL – add the URL to which these users are given an automatic logon.
Components – this table lists the components that have been added to this Single Sign-on configuration. These components specify how the user authentication is passed on to the destination for automatic authentication there. The icons next to the table do the following:
- bring up the dialog below to allow you to add a new component to the Single Sign-on configuration
- edit the details of the selected component
- delete the selected component from the list
Figure 13: HOB WSP Integrated Web Server - Add Single Sign-on Component
Name – enter a name for the component you wish to add.
Type – specify from the dropdown box the type of component you wish to add to the Single Sign-on: an Input (either a user name or a password), a Form or an Action.
Value – select either User Name or User Password for this component.
The following buttons are common to both dialogs and have the same functions:
- add a new page or component to the list
- add a new page or component to the list and close this dialog; this saves any changes that you have made
- close this dialog without adding a new page or component; no changes are saved
Any changes to the list of Single Sign-on components or pages can now be seen in the Single Sign-on tab list and are applied at the next login of the configured users.

18 Remote Desktop Access using ICA
Independent Computing Architecture (ICA) is a proprietary protocol for application server systems that specifies how data is sent between server and clients, but is not bound to any one platform. HOB RD VPN uses the ICA protocol to allow Windows applications to be run on a suitable Windows server and accessed from any supported client. The ICA protocol is also supported on a number of Unix server platforms and can be used to access applications running on those platforms. HOB RD VPN also uses ICA client software to access thin client platforms, as ICA is often built into thin client software.

18.1 Installing HOB RD VPN for Remote Desktop Access with ICA
The HOB implementation for ICA is an integrated component of HOB RD VPN and is installed automatically. It need only be enabled in the configuration of HOB RD VPN for it to be available for use.
The HOB implementation for ICA uses the HOB Web Server Gate functionality to access the Citrix XenApp Web Interface. For this access the HOB implementation for ICA uses the Citrix Receiver, so the XenApp Web Interface must also be configured for the Citrix Receiver. The HOB Socks5 Extension is needed to route the ICA traffic over a secure SSL connection through HOB RD VPN to the target system. Additionally, the administrator or the user can create a bookmark for the HOB Web Server Gate for easy access to the Citrix XenApp Web Interface.
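The Single Sign-on configuration of Section 17.3 (the same Input, Form and Action component model is used for ICA in Section 18.3) describes what the gate must know to complete a logon on the user's behalf: which form on the destination page to submit, which input fields receive the user name, the password or a literal such as a domain, and which control triggers the logon. The following is an added example written for this guide, not HOB's implementation: it parses a constructed logon page, applies a list of components to it and produces the resulting request, carrying over the page's own hidden fields unchanged so that the automatic logon looks like a manual one. The class and function names, the sample form and the credential placeholders are this example's own.

```python
"""Added example (not HOB code): apply Single Sign-on components (Input, Form,
Action) to a destination logon page and build the logon request. The sample
page, field names and credentials are constructed placeholders."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin


@dataclass
class Component:
    name: str          # name entered in the component dialog (form or field name)
    type: str          # "Input", "Form" or "Action"
    value: str = ""    # "User Name" / "User Password" for Input; a literal otherwise


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms: List[dict] = []
        self._current: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"name": a.get("name") or a.get("id") or "",
                             "action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "button") and self._current is not None:
            self._current["inputs"].append({"name": a.get("name") or "",
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def build_logon_request(page_html: str, page_url: str,
                        components: List[Component],
                        credentials: Dict[str, str]) -> Optional[dict]:
    """Return {'method', 'url', 'fields'} for the automatic logon, or None when
    the Form component names no form on the page (nothing can be submitted)."""
    collector = FormCollector()
    collector.feed(page_html)
    form_names = {c.name for c in components if c.type == "Form"}
    form = next((f for f in collector.forms if f["name"] in form_names), None)
    if form is None:
        return None
    # Start with the page's own hidden fields (session or anti-forgery tokens)
    # so the request carries everything a browser would send.
    fields = {i["name"]: i["value"] for i in form["inputs"]
              if i["type"] == "hidden" and i["name"]}
    for c in components:
        if c.type == "Input":
            # "User Name" / "User Password" come from the credentials captured at
            # the HOB RD VPN login; any other value (e.g. a domain) is used as is.
            fields[c.name] = credentials.get(c.value, c.value)
        elif c.type == "Action":
            # The submit control: send its name/value exactly as a click would.
            control = next((i for i in form["inputs"] if i["name"] == c.name), None)
            fields[c.name] = control["value"] if control else ""
    return {"method": form["method"],
            "url": urljoin(page_url, form["action"]),
            "fields": fields}


# Constructed sample logon page and matching component list.
SAMPLE_LOGON_PAGE = """
<form name="logonForm" method="post" action="/auth/login">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="user">
  <input type="password" name="pwd">
  <input type="text" name="domain">
  <input type="submit" name="login" value="Logon">
</form>
"""
SSO_COMPONENTS = [
    Component("logonForm", "Form"),
    Component("user", "Input", "User Name"),
    Component("pwd", "Input", "User Password"),
    Component("domain", "Input", "CORP"),
    Component("login", "Action"),
]
```

The credentials dictionary stands in for the values the gate already holds from the user's HOB RD VPN login; the components never contain the secret itself, only the field name it belongs in, which is what the Value dropdown (User Name / User Password) expresses.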
18.2 Configuring Remote Desktop Access with ICA
To provide Remote Desktop Access via ICA, perform the following configuration steps:
- Configure an Outgoing Connection for ICA
- Enable ICA for a User Role
- Create a WebServerGate Bookmark
These configuration steps are described in the following sections.

18.2.1 Configuring an Outgoing Connection for ICA
1. Start the EA Administration interface by logging into HOB RD VPN. Select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
2. Open the Outgoing Connections node in the left-hand tree and select the ICA Targets item.
Figure 1: HOB WSP - Outgoing Connections ICA Targets
3. Click the Add button to create a new server list and enter a name for this server list, for example ICA Server List.
Figure 2: HOB WSP - ICA Targets Server List
4. Click this new server list item in the tree and click the Add button to create a new server.
5. The name ICA_Server(1) is created automatically. Change this name to one that better suits. In this example ICA_Server is used, as can be seen here:
Figure 3: HOB WSP ICA Targets - Server Configuration
6. In the Server configuration tab enter the URL under which the Citrix server is available. The administrator of the Citrix server will provide this URL. Make sure to use the complete URL including the path. The following fields can be configured:
Name – enter the name you wish to use for the ICA connection.
Mode – the type of connection to be set for this target. In this configuration the mode must be ICA by default.
Use network adapter – the dropdown box lists the network adapter to be used. This depends on the connection mode, so it is disabled by default.
Predefined protocol – the dropdown box lists the predefined protocol to be used. This depends on the connection mode, so it is disabled by default.
Timeout (sec) – shows the number of seconds the client waits before a connection is timed out if there is no response to the connection request. This field is disabled here by default; the timeout limit is 600 seconds.
URL – enter the desired destination for this connection in this box.

18.2.2 Enabling ICA for a User Role
The next step is to enable ICA usage for the role or roles that are allowed to use this connection.
1. Open the HOB RD VPN WebSecureProxy configuration program.
2. Select Roles and then a specific role for configuration from the organizational tree, for example Power User.
3. For this user role select the Privileges tab in the right pane and then the Server Lists tab.
Figure 4: Configuring ICA Settings for a User Role
4. Activate the server list ICA Server List from the list of those available. As ICA uses the SOCKS protocol, the server list for SOCKS 5 must also be enabled at this point.
5. Close the configuration, and the changes are saved.

18.2.3 Creating a WebServerGate Bookmark
The final step is to add a WebServerGate bookmark for the ICA connection. This bookmark will appear in the user's start screen.
1. Open the HOB EA Administration program.
2. Right-click the desired user or user group and choose Configure > HOB RD VPN > User Settings.
Figure 5: HOB EA Administration - User Settings
3. This displays the next dialog on the screen:
Figure 6: HOB RD VPN Bookmarks - Web Server Gate
4. Select Bookmarks > WebServerGate in the left-hand tree and click the Add button.
5. On this next screen, the fields to be completed are:
Figure 7: HOB RD VPN Bookmark - ICA Server
Name – enter the name you wish to use for this bookmark, for example ICA Server.
URL – enter the URL under which the Citrix server is available. Use the format: http://www.mycompany.com. Use the Search icon to locate the required URL.
Up, Down – use these to arrange the order of the bookmarks on the navigation screen.
6. Use the Save and Close buttons when you have finished creating the HOB Web Server Gate bookmarks. The bookmarks that have been created in this way appear on the navigation screen for all users associated with the assigned role.

18.3 Implementing Single Sign-on for Access using ICA
You can also set up HOB RD VPN to provide Single Sign-on functionality when accessing remote desktops with ICA.
1. From the HOB WSP Configuration select Integrated Web Server > Single Sign-on.
Figure 8: HOB WSP – Integrated Web Server – Single Sign-on for ICA
2. Use the Add button to bring up the data entry popup for this screen and enter the required settings:
Figure 9: HOB WSP Single Sign-On - Add Page Component
Name – enter a name for this Single Sign-on configuration.
URL – add the URL for which these users are given an auto logon. The URL value that you enter must be the URL of the web page that requests the logon.
Components – this table lists the components that have been added to this Single Sign-on configuration. These components specify how the user authentication is passed on to the destination for automatic authentication there.
Use the Add button to create a new component, then select the component type Form from the dropdown box and enter the name of the form tag from the website, for example ICA Component.
Figure 10: HOB WSP Single Sign-on - Add SSO Component

The fields for the Add SSO Component are as follows:

Name – enter a name for the component you wish to add.
Type – specify from the dropdown box the type of component you wish to add to the Single Sign-on: an Input (either username or password), a Form or an Action.
Value – select either User Name or User Password for this component.

3. For a component of type Input:

Where the username is requested, add the name of the input field where the username is requested and enter the value of the username.
Where a password is required, add the name of the input field where the password is requested and enter the value of the password.
Where the domain name is required, add the name of the input field where the domain is requested and manually insert the domain name you are using.

Click Add & Close to save your changes and close this dialog, or click Cancel to close the dialog without saving any changes.

18.4 Using ICA for Remote Desktop Access

Once ICA has been successfully configured for HOB RD VPN, your users can log on to the HOB RD VPN portal and access your applications using the ICA protocol.

Figure 11: HOB RD VPN Administration User Settings

You can now access the ICA Web Interface by entering its URL in the HOB Web Server Gate URL field or by selecting the configured bookmark under the Access to Web Applications and Intranet bookmarks.

19 HOB RD VPN Web File Access

HOB RD VPN Web File Access is the component of HOB RD VPN that allows authorized users to access files on servers within the enterprise network over an SSL-encrypted, browser-based connection. The file system is displayed in a tree structure similar to that of Windows Explorer.
HOB RD VPN Web File Access is a plug-in and can be deactivated when it is not needed. This solution is based on a web server that uses the SMB protocol to access the corresponding file server. HOB RD VPN Web File Access is an integrated component of HOB RD VPN and is installed automatically. It is also configurable as a portlet.

19.1 Configuring HOB RD VPN Web File Access

Follow these steps to set up and use HOB RD VPN Web File Access:

1. Log on and start HOB RD VPN Administration.

2. Having selected the ou=groups element of your Internal hierarchy (individual users can also be selected), select a group of users (in this example powerUsers is selected) and then User Settings > Configure.

Figure 1: HOB RD VPN Administration Internal - User Settings

3. In the User Settings screen, as shown here, select Bookmarks > Web File Access and click Add.

Figure 2: HOB RD VPN User Settings - Bookmarks Web Files Access

4. Now click Add to create a new Web File Access bookmark.

Figure 3: HOB RD VPN User Settings - Web File Access Configuration

In this dialog you enter the following information:

Name – enter the name of the Web File Access configuration to be assigned to the selected user, for example Web File Access Bookmark.
URL – enter the URL for the user to access the internal servers where they can work with the system data and applications. You can enter this URL in IP address notation or in the server name form, as shown above.
Use Credentials – check this so that each user must authenticate when they attempt to use this Web File Access bookmark.
Username – enter the name the user is to use to access the files.
Password – this field contains the password the user will use to access the files.
Confirm password – enter the password again to confirm the previous entry.

5. Use the Up and Down buttons to modify the order in which the Web File Access bookmark appears on the HOB RD VPN Welcome Gate.

6. Click Save to save the configuration and Close to close the User Settings dialog. This user now has a HOB RD VPN Web File Access bookmark for access to the system. Depending on the element originally selected, HOB RD VPN Web File Access can now be automatically inherited by all of its sub-elements (Users, Groups or Objects).

19.2 Using HOB RD VPN Web File Access

To start HOB RD VPN Web File Access, click the link in the Web File Access portlet on your HOB RD VPN navigation screen and the Web File Access Logon dialog (below) appears.

Figure 4: HOB Web File Access - Logon

On this logon dialog you find the following fields and buttons:

URL – enter the URL of the server you wish to access, which opens a path to a share on the server at this location. Enter the path according to the format shown, \\server\share.
Reconnect at Logon – check this box so that this connection is automatically created the next time you log on.
Connect with Different Credentials – by default HOB Web File Access uses your HOB RD VPN logon credentials to access your server shares. Check this box to enable you to authenticate with different credentials, most often to create access to a new share or a share on a server that is not in the specified domain.
Map Share – click this button to map a path to a shared server.
Cancel – click to exit without saving any changes.

After a successful authentication the Web File Access window below opens. The two columns display the servers and directories on the left, and on the right the files contained in the sub-directories selected from the left-hand column.

Figure 5: HOB Web File Access - File Hierarchy

When working in HOB RD VPN, you can use the following on-screen icons (in the title bar) to assist your work.
They have the following functionality:

Map Share – allows you to map a connection to a shared drive
Select a Share for Disconnection – allows you to disconnect an already mapped share
New Folder – allows you to create a new folder in a directory
Select One File to Rename – allows you to rename the selected file
Select One File to Delete – allows you to delete the selected file
Upload File – allows you to upload a file to your present location
Select One File to Download – allows you to download the chosen file
Download as Zip – allows you to download zipped files
Open a New Tab – you can open a new tab with this icon
Close Other Tabs – this icon allows you to close all tabs other than the one on which you are currently working
Search – use this icon to start the search feature that allows you to locate the files you wish to work with. This icon brings up the following dialog:

Figure 6: HOB Web File Access - Add Server

Enter your search in the Query field. You can enable the File Contents checkbox to search the contents of each file for the query string, and the Recursive checkbox to also search through the subfolders.

You can add more servers to those that you can currently access. Do this by using the Map Share icon in the Main Menu bar. This brings up the following dialog:

Figure 7: HOB Web File Access - Add Server

URL – enter the URL of the server to which you want to create a share. Use the format shown, \\server\share.
Reconnect at Logon – check this box so that this connection is automatically created the next time you log on.
Connect with Different Credentials – by default HOB Web File Access uses your HOB RD VPN logon credentials to access your server shares. Check this box to enable you to authenticate with different credentials, most often to create access to a new share or a share on a server that is not in the specified domain.
Map Share – click this button to map a path to this server.
Cancel – click to exit without saving any changes.

20 Remote Access to Microsoft Exchange Server

HOB RD VPN allows you to provide remote access from Microsoft Outlook to a Microsoft Exchange Server in your company. This access is provided through the Microsoft Remote Procedure Call (MS-RPC) protocol, which is used by software components distributed across several networked computers to communicate with each other. The administrative front-ends of Microsoft Exchange Server are all Microsoft RPC client/server applications.

20.1 Configuring Remote Access to Microsoft Exchange Server

Configuring HOB RD VPN Exchange Server Access is performed in the same manner as configuring a standard outgoing connection target for HOB RD VPN. Take the following steps to set up and use HOB RD VPN Exchange Server Access:

1. Log on and start the HOB RD VPN Administration interface.

2. Select the Servers element of your internal hierarchy, select the object WebSecureProxy and click the Configure button.

3. The WebSecureProxy configuration interface is displayed. Select Outgoing Connections > Other Targets.

Figure 1: HOB WSP Outgoing Connections - Other Targets

4. Click the Add button to add a new target, in this example Exchange Server List, which is the name of the Exchange Server you wish to access with this connection.

Figure 2: HOB WSP - Other Targets Server List

5. Click Add again to add an individual server as target, in this example Exchange_Server, and you can see the following screen:

Figure 3: HOB WSP – Other Targets Server Configuration

Depending on the connection mode that has been selected, the panel at the bottom of the dialog screen changes.
Name – enter the name you want to use for this connection. Here Exchange_Server is used as an example.
Mode – select from the dropdown box the connection mode to be used for the connection to the client machine. All possible modes or types of connection that your network uses can be selected:

1:1 Proxy Gateway – a direct connection from one machine to another. This is the mode that is used with HOB RD VPN Exchange Server Access.
WTS Load Balancing – this mode is used when you have a connection to a group of machines.
VDI – a connection to virtualized desktops on a remote central server, only available when VDI is enabled on the HOB WSP Server.
Data Hook – a connection that works by intercepting function calls, events or messages from servers within a network. This is a standard communication mode but cannot be used with HOB RD VPN Exchange Server Access.

Use network adapter – select from the dropdown box the network adapter (the interface card that connects the computer to the computer network) to be used. The default is Any.
Predefined protocol – select from the dropdown box the predefined communication protocol to be used. For this target type any protocol may be selected.
Timeout (sec) – enter the amount of time in seconds the client waits before a connection is timed out. The default setting is 600 seconds.

The remainder of this tab contains data fields that are specific to the connection mode that has been selected, in this case 1:1 Proxy Gateway:

Host IP address – enter the IP address of the host machine that is to be the target of this connection, in this case the Microsoft Exchange Server in your network to which you are to connect.
Host port – enter the port number you wish to use for the connection to the desired target machine.

6. Once you have entered this information, you need to make the target available to the users.
Select WSP Servers from the hierarchy on the left side and select the tab Unique Access. You see the following screen:

Figure 4: HOB WSP – WSP Servers – Unique Access

7. From the server lists displayed, check the required server list, in this case Exchange Server List.

8. Save the configuration using Main menu > File > Save. This selection makes this server list available as a target for outgoing connections to all users currently connected to the network.

20.2 Configuring XML for HOB RD VPN Exchange Server Access

Now that the configuration has been made in the GUI, there is one more step required before the target can be used: SSL must be activated for outgoing connections to the Microsoft Exchange Server. This step cannot be performed in the GUI, so you must go to the XML configuration files for the HOB WSP. Here you locate the relevant server entry and change the element <use-client-side-SSL> to Yes. Doing this enables client-side SSL on the outgoing connection. This is shown here:

<server-entry>
  <name>Exchange</name>
  <function>DIRECT</function>
  <protocol>MS-RPC</protocol>
  <serverineta>Exchange Server</serverineta>
  <serverport>443</serverport>
  <use-client-side-SSL>YES</use-client-side-SSL>
</server-entry>

Please see Chapter 36 XML Configuration for the HOB WebSecureProxy for more information.

20.3 Using HOB RD VPN Microsoft Exchange Server Access

Microsoft Outlook must now be configured so that it accesses the Microsoft Exchange Server via the HOB WSP. The steps are as follows:

1. Open the Microsoft Exchange account configuration dialog.

2. Under the Connection tab, make sure that the checkbox Connect to Microsoft Exchange using HTTP is enabled.

3. Click Exchange Proxy Settings.

4. Under Exchange Proxy Settings > Connection Settings, enter the name of the HOB WSP.

5. Under Proxy Authentication Settings select Basic Authentication.

6. Click OK.

More detailed information on the configuration of Microsoft Outlook and Microsoft Exchange Server is outside the scope of this documentation; refer to your documentation for Microsoft Outlook and Microsoft Exchange Server for more information on this topic.

21 Internal Network Adapter

The Internal Network Adapter is a virtual network device that is delivered as an integrated component of HOB RD VPN. It is a required component if you want to use the following features of HOB RD VPN:

The HOB PPP Tunnel without an internal L2TP server
The HOB SSL Identifier

21.1 Installing the Internal Network Adapter and HOB TUN Driver

To use the Internal Network Adapter you need to install the HOB TUN Driver during the installation procedure. The installation of the HOB TUN Driver is an option during the installation process of HOB RD VPN. Because of the advantages brought by the HOB PPP Tunnel and by the HOB SSL Identifier, it is strongly recommended that you install the HOB TUN Driver even though it is still in the experimental phase. As the HOB TUN Driver is currently in an experimental state, it is delivered with HOB RD VPN for testing purposes only and should not be used in a productive environment. It will be installed only if this option is specifically chosen during the installation. In the installation process of HOB RD VPN you will see the following screen:

Figure 1: Installation Screen - Select TUN Driver

Select the first option on this screen to install the HOB TUN Driver. For more information on this subject, please see Section 4.5 HOB RD VPN Installation – New Cluster Member.
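Returning to the XML step in Section 20.2: because the <use-client-side-SSL> setting is edited by hand and not visible in the GUI, it is easy to leave an MS-RPC server entry running without SSL. The following script is an added example, not code from HOB or from the product; it reads a WSP XML configuration, reports every MS-RPC server entry whose <use-client-side-SSL> element is missing or not set to YES, and can rewrite those entries. The <server-entry> structure and child element names are those shown in Section 20.2; the <wsp-config> wrapper element and the sample entries are constructed for this example.

```python
# Added example (not part of the HOB documentation or product): audits a HOB WSP
# XML configuration for MS-RPC server entries without client-side SSL and
# rewrites them. Only the <server-entry> element and its child names come from
# Section 20.2 of the guide; the <wsp-config> wrapper and the sample entries
# below are constructed for this example.
import xml.etree.ElementTree as ET

# Constructed sample: one entry as shown in the guide, one with the flag left
# at NO, and one where the element is missing entirely.
SAMPLE_CONFIG = """<wsp-config>
  <server-entry>
    <name>Exchange</name>
    <function>DIRECT</function>
    <protocol>MS-RPC</protocol>
    <serverineta>Exchange Server</serverineta>
    <serverport>443</serverport>
    <use-client-side-SSL>YES</use-client-side-SSL>
  </server-entry>
  <server-entry>
    <name>Exchange-Backup</name>
    <function>DIRECT</function>
    <protocol>MS-RPC</protocol>
    <serverineta>Exchange Server 2</serverineta>
    <serverport>443</serverport>
    <use-client-side-SSL>NO</use-client-side-SSL>
  </server-entry>
  <server-entry>
    <name>Exchange-Legacy</name>
    <function>DIRECT</function>
    <protocol>MS-RPC</protocol>
    <serverineta>Exchange Server 3</serverineta>
    <serverport>443</serverport>
  </server-entry>
</wsp-config>
"""


def _client_ssl_enabled(entry: ET.Element) -> bool:
    """True only if <use-client-side-SSL> is present and reads YES (case-insensitive)."""
    value = entry.findtext("use-client-side-SSL") or ""
    return value.strip().upper() == "YES"


def find_msrpc_entries_without_client_ssl(xml_text: str) -> list[str]:
    """Names of MS-RPC server entries whose outgoing connection would run
    without client-side SSL, i.e. the entries the guide says must be changed."""
    root = ET.fromstring(xml_text)
    missing = []
    for entry in root.iter("server-entry"):
        protocol = (entry.findtext("protocol") or "").strip().upper()
        if protocol != "MS-RPC":
            continue
        if not _client_ssl_enabled(entry):
            missing.append(entry.findtext("name") or "<unnamed>")
    return missing


def enable_client_ssl_for_msrpc(xml_text: str) -> str:
    """Return the configuration with <use-client-side-SSL>YES</use-client-side-SSL>
    set on every MS-RPC entry, adding the element where it is absent."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("server-entry"):
        if (entry.findtext("protocol") or "").strip().upper() != "MS-RPC":
            continue
        flag = entry.find("use-client-side-SSL")
        if flag is None:
            flag = ET.SubElement(entry, "use-client-side-SSL")
        flag.text = "YES"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("MS-RPC entries without client-side SSL:",
          find_msrpc_entries_without_client_ssl(SAMPLE_CONFIG))
    fixed = enable_client_ssl_for_msrpc(SAMPLE_CONFIG)
    print("after rewrite:", find_msrpc_entries_without_client_ssl(fixed))
```

Run the audit function against the real WSP XML file before and after editing; an empty list means every MS-RPC target has client-side SSL enabled. The rewrite function is deliberately limited to MS-RPC entries so that it does not touch targets of other protocols.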
The HOB TUN Driver is a component that is only installed on a Windows operating system. This screen can be ignored for all non-Windows installations, as a TUN driver is already installed on Linux systems.

21.2 Configuring the Internal Network Adapter

To use the Internal Network Adapter, a Raw Packet Interface must be configured. This interface redirects all incoming connections to the correct one of the Internal Network Adapters already configured in the system. To do so, the following configuration steps are necessary:

1. Open the HOB RD VPN WebSecureProxy configuration program.

2. Expand the WSP Servers node of the hierarchy on the left and select Raw Packet Interface.

3. Enter the necessary values for the configuration. If you are currently using the HOB SSL Identifier you need to enter values for the Raw packet interface IP Address and Use network adapter items only, see this screen:

Figure 2: Configuring the Internal Network Adapter

Raw Packet Interface IP Address – enter an IP address that identifies the Internal Network Adapter. Make sure that the IP address used is not part of the HOB RD VPN server network and is not used otherwise. The last block of this IP address can be any number except for 0 or 3 (a valid example is 100.100.10.1).
Use network adapter – choose Any or one of the network adapters from the list. This network adapter is used as an interface into the internal network. The adapters in the system can be configured in the WSP Servers area of the HOB RD VPN WebSecureProxy configuration.

For more information on this topic, see Chapter 27 SSL Identifier.

4. If you are using the HOB PPP Tunnel (without an internal L2TP server) you must also specify values for the DNS Servers For The Client and the Tunnel IP Address Pool Ranges, the fields for which are found on the Tunnel tab:

Figure 3: Internal Network Adapter - Tunnel

This tab contains the following fields:

DNS Servers For The Client – enter the IP addresses of the DNS servers that the PPP Tunnel client is to use for the DNS resolution of host names from the internal network.
Tunnel DNS 1 – enter the IP address of the first DNS server. This must be entered for each HOB WSP in your system.
Tunnel DNS 2 – enter the IP address of a second DNS server.
Tunnel NBNS 1 – enter the IP address of the NetBIOS Naming System service to be queried for the HOB PPP Tunnel.
Tunnel NBNS 2 – enter the IP address of the second NetBIOS Naming System service.
Tunnel IP Address Ranges – when using the HOB PPP Tunnel, an IP address is assigned to the PPP client when it connects. Enter here the range of IP addresses that can be used for the HOB PPP Tunnel, specifying the Start and End fields to define the range from which this IP address can come. Use the Add and Remove buttons to manage the address ranges in this list.

For more information on this topic, see Chapter 22 Using the HOB PPP Tunnel for Network Access.

Save the configuration (Main menu > File > Save), and the Internal Network Adapter has been configured and is ready for use.

22 Using the HOB PPP Tunnel for Network Access

The HOB PPP Tunnel is a feature of HOB RD VPN that enables a remote user to connect to the enterprise network over the Internet, giving the remote user full access to all network resources via HOB RD VPN as if they were working directly on a machine within the enterprise network.
The HOB PPP Tunnel gives the user complete network access to all of the resources in the central network, and all IP-based communication protocols such as TCP, UDP or ICMP also go through the HOB PPP Tunnel. This access works bi-directionally, in that a user can also access all resources on the client from the central network.

The HOB PPP Tunnel uses the PPP and L2TP protocols to transmit data through the VPN without restriction from special software requirements or firewall problems. These protocols are already integrated into the operating systems of the VPN client computers, and so no separate VPN software needs to be installed on the client. The data transferred through the HOB PPP Tunnel undergoes compression, making this access highly efficient, and SSL encryption, supported by all network devices, together with strong authentication ensures that the access is secure.

Currently the client operating systems that support and are supported by the HOB PPP Tunnel include:

Windows 8
Windows 7
Windows Vista
Apple Mac
Linux
FreeBSD
Solaris

No software needs to be installed on any Windows clients in order to use the HOB PPP Tunnel, and the user does not need to have any administrator rights on the client machine. There is also no requirement to install any special device drivers on the client.

22.1 Configuring User Settings for the HOB PPP Tunnel

To configure the HOB PPP Tunnel, you first need to specify Tunnel Endpoints. These endpoints are the specific addresses to which you want the HOB PPP Tunnel to connect. This is done through HOB RD VPN User Settings, accessed through the HOB RD VPN Administration interface.

1. Select the element that is to be configured for access to the HOB PPP Tunnel. In this example the element is in the default dc=hobsoft domain and is the user with the resource name cn=user3,ou=user,dc=hobsoft,dc=root.
Figure 1: HOB EA Administration - User Settings

2. Now select User Settings from the dropdown box and click Configure, as shown below.

Figure 2: HOB RD VPN Administration - User Settings

3. Using this dialog for the selected user you can now create your Tunnel Endpoints, which are located under the Personalized IP Addresses element.

Personalized IP Addresses

Here you manage specific IP addresses for HOB PPP Tunnel Endpoints and the HOB SSL Identifier. For more information about the HOB SSL Identifier, please see Chapter 27 SSL Identifier.

Tunnel Endpoints

To create a secure HOB PPP Tunnel, specify the IP addresses of the endpoints of the connection. This means that only certain pre-configured destinations may be selected for the secure connection: those IP addresses the clients are assigned in the company network. For more information on Tunnel Endpoints see Section 8.3.1 Configuring HOB RD VPN 2.1.

Figure 3: HOB RD VPN - User Settings - Personalized IP Addresses

Add – use this button to add the desired IP address to the list of those available to the user as Tunnel Endpoints.
Remove – use this button to remove the selected IP address from the list.

Use the Save button to save any changes to this setting; use Close to close this screen without saving any changes.

22.2 Network Address Translation

Network Address Translation (NAT) is the process of modifying IP address information in IP packet headers that are in transit across a traffic routing device. This most often happens when a computer maps a private (unregistered) IP address within a local network to a (registered) public IP address. It is very common to use a single public IP address as a gateway to the many private IP addresses that can exist on your network.
NAT allows an internal host such as a web server to have an unregistered (private) IP address and still be reachable over the Internet. A lookup table of all registered IP addresses must be maintained to ensure correct routing of communications. NAT can also act as a firewall by preventing outside computers from connecting to the local network, unless the connection is initiated from within the local network. When queries for the database server arrive from a client, the NAT rewrites the headers of the IP packets and forwards them to the database server with the least load. The reply packets are then returned to the client, and it appears that the information came from one database server and only one IP address.

When connecting with the HOB PPP Tunnel to addresses within your computer network from outside the system, a secure connection from the client to the server is built that is not affected by NAT or Domain Name System (DNS) issues. This is also the case when you want to use the HOB PPP Tunnel to access systems that are in different sub-networks from the addressed L2TP server. A dynamic form of NAT is used in cases where the user would like to communicate across multiple company networks, not just the network in which they are located. In the sample scenario depicted below the servers in subnet 1 are directly accessible from the remote client, while those in subnet 2 are not directly accessible from the client, so in this case NAT or DNS issues would normally arise.

Figure 4: Connecting Remotely to a Server in a Sub Network

As the configurations for the various networks can be stored on different servers, and you can be working across different networks, you also need to specify whether a HOB TUN or an external L2TP server is to be used.

This NAT process works in this way: the sender of a message sends the communication to the HOB WSP. The HOB WSP translates the network element of the IP address to suit the current network, while the host element remains unchanged. When the client initiates the communication it is the destination address that is translated; when the server initiates the communication it is the sender IP address that is translated.

When starting, the client machine informs the HOB WSP about the network where it is located. Only if this matches the intranet (server network) is NAT performed. The network part of the IP address is translated while the host part is not translated. The following IP addresses are translated:

IP addresses in the PPP protocol
IP addresses in DNS replies
IP addresses in normal data packets, where from the client to the server the destination address is translated, while from the server to the client the sender address is translated

22.3 Configuring the HOB PPP Tunnel

The HOB PPP Tunnel uses a dynamic process for network address translation. This dynamic form of NAT is used where a private (unregistered) IP address is mapped to a (registered) public IP address drawn from a pool of registered (public) IP addresses with which the client wishes to communicate, addresses that are not part of the corporate network but are external to the system. This pool can be used when the client is communicating with a private network consisting of a large number of both private and public workstations and IP addresses. The network could be, for example, a large hotel with an address pool, typically in the range 10.x.x.x, or a large industry convention. This dynamic NAT is very often used where the user would like to communicate across multiple company networks, not just within the network where they are currently located. Dynamic NAT gives access to any networks that are behind the HOB WSP and so does not prevent an intruder accessing any of these networks that are behind the HOB WSP.
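The translation rules of Section 22.2 (network part replaced, host part kept; destination rewritten on client-initiated traffic, sender rewritten on server-initiated traffic and in DNS replies; NAT only when the client's reported network matches the server network) are easiest to see in code. The following model is an added example and not HOB's implementation. The server network is given in the CIDR form used by the Server network field; the alternate prefix under which the client addresses the intranet (ALT_NET) and the sample addresses are assumptions of this example, and treating an overlapping prefix as a "match" is this example's reading of the guide's wording.

```python
# Added example (not HOB code): a model of the HOB PPP Tunnel address translation
# described in Section 22.2. Only the network part of an address is swapped; the
# host part is kept. Translation is performed only when the network the client
# reports matches the server network. The alternate prefix the client uses to
# reach the intranet (alt_net) and the sample addresses are assumptions made
# for this example, not values from the guide.
import ipaddress
from dataclasses import dataclass


def translate_network_part(addr: str, from_net: str, to_net: str) -> str:
    """Keep the host bits of addr and replace its network bits (from_net -> to_net)."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("both networks need the same prefix length")
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


@dataclass
class PppTunnelNat:
    server_net: str   # the intranet, as entered in the Server network field (CIDR)
    client_net: str   # the network the client reports when the tunnel starts
    alt_net: str      # assumed: prefix under which the client addresses the intranet

    @property
    def active(self) -> bool:
        # The guide says NAT is performed only if the client's network matches the
        # server network; this example treats an overlapping prefix as a match.
        return ipaddress.ip_network(self.client_net, strict=False).overlaps(
            ipaddress.ip_network(self.server_net, strict=False))

    def client_to_server(self, src: str, dst: str) -> tuple[str, str]:
        """Client-initiated packet: only the destination address is translated."""
        if not self.active:
            return src, dst
        return src, translate_network_part(dst, self.alt_net, self.server_net)

    def server_to_client(self, src: str, dst: str) -> tuple[str, str]:
        """Server-initiated packet or reply: only the sender address is translated."""
        if not self.active:
            return src, dst
        return translate_network_part(src, self.server_net, self.alt_net), dst

    def dns_reply(self, answers: list[str]) -> list[str]:
        """Addresses in DNS replies from the intranet are rewritten into the client's view."""
        if not self.active:
            return list(answers)
        return [translate_network_part(a, self.server_net, self.alt_net) for a in answers]


if __name__ == "__main__":
    # Constructed scenario: the client sits in a hotel network that uses the same
    # 10.1.0.0/16 range as the intranet, so the WSP must translate.
    nat = PppTunnelNat(server_net="10.1.0.0/16", client_net="10.1.0.0/16", alt_net="172.31.0.0/16")
    print(nat.client_to_server("10.1.250.7", "172.31.5.20"))  # destination -> 10.1.5.20
    print(nat.server_to_client("10.1.5.20", "10.1.250.7"))    # sender -> 172.31.5.20
    print(nat.dns_reply(["10.1.5.20", "10.1.5.21"]))
```

The model makes the security-relevant property visible: the intranet address space is never exposed to the client as-is, so a client on a colliding private range can still reach the server network unambiguously, and every rewrite is a pure function of the configured prefixes rather than of per-packet state.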
This has given rise to the impression that dynamic NAT is insecure. It in fact helps to secure a network layout, as it masks the internal configuration of a private network. When the network layout is secured it makes it more difficult for someone outside the network to monitor individual usage patterns or target a specific location. Dynamic NAT also allows a private network to use private IP addresses that are invalid on the Internet but are useful as internal addresses.

The first step is to enable the HOB PPP Tunnel in the configuration program of the HOB WebSecureProxy.

1. Start the HOB WebSecureProxy configuration program.

2. Open the Extensions > PPP Tunnel node at the left of the tree structure.

Figure 5: HOB WSP Configuration - HOB PPP Tunnel

3. Click the Add button and a small list pops up, see the dialog below.

Figure 6: HOB WSP Configuration - HOB PPP Tunnel Settings

The fields on this screen are as follows:

Name – enter a name you wish to use for this HOB PPP Tunnel configuration.
Mode – the connection mode is PPP Tunnel by default.
Use network adapter – this dropdown list contains the different network adapters configured for this system. This is disabled by default.
Predefined protocol – this field contains the different protocols configured for this system. This is disabled by default, as only the protocol HOB-PPPT1 can be used for the HOB PPP Tunnel.
Target filter – this dropdown list contains the different target filters configured for this system. The default is None. For more information on Target Filters, please see Chapter 26 HOB Target Filters.
Server network – enter the server network for which the HOB PPP Tunnel is to be configured. If you require flexibility and want to specify an IP block using CIDR (Classless Inter-Domain Routing) subnet mask notation, enter the suffix in the small field on the right.
Authentication method - this dropdown list contains the authentication methods available for this communication. Pass through (L2TP Gateway only) is the default if an L2TP Gateway is enabled, this is not available if a Ray Packet Interface is being used. Other options are None and Negotiate. Negotiate Authentication Methods - this list box is active only if the authentication method of Negotiate is selected. You select the type of negotiate authentication from this list, the available authentication types are EAP, MS-CHAP-V2 and PAP. Use the buttons on the side to manage this list. Security Solutions by HOB HOB RD VPN 4. Using the HOB PPP Tunnel for Network Ac- Protocol Plugins - this list contains the configured protocol plugins that are available for this communication. To add a configuration for protocol plugins to this list, please see Chapter 22.6 Configuring Dynamic NAT on page 292 or Chapter 22.7 Configuring the HOB TCP Tuner on page 296 for more information on the configuration of Dynamic NAT or the HOB TCP Tuner. Use raw packet interface - check this box to enable the raw packet interface. L2TP Gateway - this dropdown list contains the possible L2TP gateways that can be used for this communication. This is disabled if the Use Raw Packet Interface checkbox has been enabled. For more information on this topic, see Chapter 22.4 Configuring L2TP for the HOB PPP Tunnel on page 288. Once all the fields on this tab have been completed, you need to go to the second tab, Client Configuration. Figure 7: HOB WSP Configuration - HOB PPP Tunnel Client Configuration The fields to complete here are: IP number:Port - enter the connection information for the PPP Tunnel client in this field. It is important that you specify here the IP address (or the DNS name) together with the port number for the connection from the internet. If this field is left empty, the information is (in most cases) extracted from the URL in the browser, depending on the system setup. 
System Parameters - here you enter the system parameters required for this PPP Tunnel configuration for each operating system, on the relevant tab.

5. Save the configuration (Main menu > File > Save). The HOB PPP Tunnel component has now been configured and is ready for use.

22.4 Configuring L2TP for the HOB PPP Tunnel

The configuration of a PPP Tunnel with Dynamic NAT for an internal L2TP server is performed similarly to the configurations described in the previous section. An external L2TP server need not be configured, and individual IP addresses do not need to be configured for NAT. To configure an L2TP Gateway, follow these steps:

1. Open the configuration program of the HOB WebSecureProxy.
2. Open the Extensions > L2TP Gateway scheme on the left in the tree structure. The following screen is displayed:

Figure 8: HOB WSP Configuration - L2TP Configuration

The fields on this dialog are as follows:

Name - here you enter the name you wish to use for this L2TP Gateway configuration.
Use network adapter - select from the dropdown list the adapter you want to use. The default is Any.

L2TP Gateway settings:

Host IP address - here you enter the address of the machine that hosts the L2TP gateway.
Host IP port - here you enter the port of the L2TP gateway. The default is 1701, the standard L2TP port (UDP).
Authentication If Required:

Character set - select the character set to be used from the dropdown box.
User ID - enter the ID of the user who will use this PPP Tunnel configuration.
User password - enter the password for this user. These credentials are stored in the HOB WSP configuration, so restrict access to the configuration store accordingly.

Save the configuration (Main menu > File > Save). The L2TP Gateway component has now been configured and can be selected for use in the configuration of the HOB PPP Tunnel.

22.5 Configuring a Raw Packet Interface for the HOB PPP Tunnel

Each communication requires an interface through which the data, in the form of raw packets, is transmitted. A raw packet interface must therefore be configured for the HOB PPP Tunnel before it can communicate.

22.5.1 Configuring the Raw Packet Interface - Settings

To configure a raw packet interface for the HOB PPP Tunnel, follow these steps:

1. Open the configuration program of the HOB WebSecureProxy.
2. Open the WSP Servers > Raw Packet Interface scheme on the left in the tree structure. The following tab screen is displayed:

Figure 9: HOB WSP Configuration - Raw Packet Interface Settings

These are the fields on this first tab that need to be completed for the raw packet interface to be configured:

Allowed Raw Packet Interface IP Address Ranges - this list specifies the IP address ranges (address and prefix size) that the raw packet interface can process for any communication. Use the Add and Remove buttons to manage this list.
Raw packet interface IP address - enter the IP address of the raw packet interface.
Use network adapter - select from the dropdown list the network adapter to be used. If none is listed, create a network interface under WSP Servers > WSP Server(1) > Network Interfaces first and then use the Add button.
Windows driver installation strategy - select from the dropdown list the strategy to be used for the installation of the Microsoft Windows drivers. The default is no-install-or-uninstall.

22.5.2 Configuring the Raw Packet Interface - Tunnel

The second tab on this dialog is the Tunnel tab. Here you configure DNS or NBNS for the PPP Tunnel clients.

The Domain Name System (DNS) is the naming system for computers, services and other resources connected to the Internet or a private network. It associates the domain names assigned to the participating entities with system-specific information, in particular their IP addresses: a DNS server answers queries for domain names with the IP addresses needed to locate services and devices. The HOB PPP Tunnel can use its own DNS, in a setup similar to NAT: when the tunnel is enabled, you can assign specific (numerical) IP addresses to stated host names. NBNS (NetBIOS Name Service) plays a similar role for NetBIOS names and is used to locate Windows machines in the network by name.

The Tunnel tab has the following fields:

Figure 10: HOB WSP Configuration - Raw Packet Interface Tunnel

DNS Servers For The Client:

Tunnel DNS 1 - here you enter the IP address of the first DNS server to be used for the HOB PPP Tunnel. This must be entered for each HOB WSP in your system.
Tunnel DNS 2 - here you enter the IP address of the second DNS server to be used for the HOB PPP Tunnel.
Tunnel NBNS 1 - here you enter the IP address of the NetBIOS Name Service to be queried for the HOB PPP Tunnel.
Tunnel NBNS 2 - here you enter the IP address of the second NetBIOS Name Service to be queried for the HOB PPP Tunnel.
Tunnel IP Address Ranges - here you enter the ranges of IP addresses that can be assigned to clients of the HOB PPP Tunnel.

22.5.3 Configuring the Raw Packet Interface - SSL Identifier

If the SSL Identifier is required for communication over the HOB PPP Tunnel, it can also be configured here. The third tab on this dialog shows the following:

Figure 11: HOB WSP Configuration - Raw Packet Interface Tunnel with SSL Identifier

The fields on this dialog are:

TCP connection timeout (sec) - here you enter the number of seconds to wait before the connection times out. The default is 3000.
Number of TCP connection attempts - here you enter the number of attempts that can be made to establish a connection.
Use Random TCP Source port - check this to use a random TCP source port.
Allowed TCP Source Port Ranges - in this list the TCP source port ranges (from Start to End) can be entered. Use the Add and Remove buttons to manage this list.

For more information on the HOB SSL Identifier, see Chapter 27 SSL Identifier on page 361.

Save the configuration using Main menu > File > Save. The Raw Packet Interface component has now been configured and can be selected for use in the configuration of the HOB PPP Tunnel.

22.6 Configuring Dynamic NAT

With dynamic NAT, a private (unregistered) IP address is mapped to a public (registered) IP address drawn from a pool when the client starts to communicate; the pool addresses are not part of the corporate network but are the addresses seen by the systems the client talks to. Because mappings are created on demand, the pool does not need one address per client. Dynamic NAT is used when the client communicates with a private network containing a large number of workstations with both private and public IP addresses, and very often where the user needs to communicate across multiple company networks.

22.6.1 The Dynamic NAT Tab

To configure Dynamic NAT for the HOB PPP Tunnel, follow these steps:

1. Open the configuration program of the HOB WebSecureProxy.
2. Select the Extensions > Dynamic NAT scheme on the left in the tree structure. The following screen is displayed:

Figure 12: HOB WSP Configuration - Dynamic NAT

3. Now select Add to create a new Dynamic NAT configuration for the HOB PPP Tunnel. The following dialog is displayed:

Figure 13: HOB WSP Configuration - Extensions - Dynamic NAT

The fields to be completed on this first tab screen are:

Name - here you enter a name for this Dynamic NAT configuration.
Translated Network - here you enter the address of the network from which the translated IP addresses of the clients are taken for this communication.
Alternate Translated Network - here you can enter the address of an alternate or backup network from which the translated IP addresses of the clients are taken for this communication.
ALG-SIP - check this to enable the SIP Application Level Gateway (ALG), which rewrites the addresses carried inside SIP messages so that SIP sessions work through the NAT.

22.6.2 The DNS Tab

The second tab of this dialog is the DNS tab. Here you configure the pools of IP addresses that are to be used for communication under dynamic NAT.

Figure 14: HOB WSP Configuration - DNS tab

On this tab you use the Add, Edit and Remove buttons to manage the list of DNS entries. To enter a DNS onto this list, click the Add button to bring up the following dialog:

Figure 15: Add DNS Entry to DNS List

On this popup you can see the following fields:

DNS - this is the name of the pool of IP addresses that you are creating or editing.
DNS IP Addresses - here you enter the IP addresses that will be added to the DNS pool. Use the Add, Edit and Remove buttons on the right to manage this list of IP addresses, which together make up the pool available for use by this DNS.
The Add button at the bottom adds this DNS to the DNS list and keeps the dialog open, the Add & Close button adds the DNS to the DNS list and closes the dialog, and Cancel closes the dialog without saving any changes.

When you click the Add button to add a new IP address to the IP address pool, the following popup appears:

Figure 16: Add IP Address to DNS List

IP Address - here you enter the IP address that you want to add to the pool of IP addresses used by this DNS.

22.6.3 The Exclude DNS Tab

This tab matters when certain addresses must not be used in standard communication under dynamic NAT. Here you specify individual IP addresses that, for whatever reason, are not to be used.

Figure 17: HOB WSP Configuration - Exclude DNS Tab

Exclude DNS List - this list holds the individual IP addresses that are to be excluded from all DNS IP address pools. Use the Add and Remove buttons to manage this list.

Save the configuration using Main menu > File > Save. The Dynamic NAT component has now been configured and can be selected for use in the configuration of the HOB PPP Tunnel.

22.7 Configuring the HOB TCP Tuner

The HOB TCP Tuner is a protocol plugin that allows the server to transmit TCP traffic through the tunnel more efficiently. It also regulates the flow so that the retransmission and congestion-control behaviour of the tunnelled TCP connections does not interact badly with that of the TCP connection carrying the tunnel (the TCP-over-TCP problem, known as TCP meltdown, in which the two layers stall each other with retransmissions).

To configure the HOB TCP Tuner for the HOB PPP Tunnel, follow these steps:

1. Open the configuration program of the HOB WebSecureProxy.
2. Select the Extensions > TCP Tuner scheme on the left in the tree structure.
The following screen is displayed:

Figure 18: HOB WSP Configuration - Extensions - TCP Tuner

Now click the Add button at the bottom to create a new TCP Tuner configuration for the HOB PPP Tunnel.

22.7.1 HOB TCP Tuner - Dynamic NAT Tab

The first tab on the screen that is now displayed is the Dynamic NAT tab. This allows you to specify how the HOB TCP Tuner will use Dynamic NAT.

Figure 19: HOB WSP Configuration - TCP Tuner - Dynamic NAT Tab

The fields to be completed on this first tab screen are:

Name - here you enter a name for this Dynamic NAT configuration.
Translated Network - here you enter the address of the network from which the translated IP addresses of the clients are taken for this communication.
Alternate Translated Network - here you can enter the address of an alternate or backup network from which the translated IP addresses of the clients are taken for this communication.
ALG-SIP - check this to enable the SIP Application Level Gateway (ALG) for this communication.
Display NATted IP Addresses - check this to display the IP addresses that have been translated from one network to the other.
Integrated DNS Server - check this to enable the integrated DNS server.

22.7.2 HOB TCP Tuner - DNS Tab

The second tab on the HOB TCP Tuner dialog is the DNS tab. Here you configure the pools of IP addresses that are to be used for TCP communication under Dynamic NAT.

Figure 20: HOB WSP Configuration - TCP Tuner - DNS Tab

On this tab you use the Add, Edit and Remove buttons to manage the list of DNS entries.
To enter a DNS onto this list, click the Add button to bring up the following dialog:

Figure 21: Add DNS Entry to DNS List

On this popup you can see the following fields:

DNS - this is the name of the pool of IP addresses that you are creating or editing.
DNS IP Addresses - here you enter the IP addresses that will be added to the DNS pool. Use the Add, Edit and Remove buttons on the right to manage this list of IP addresses, which together make up the pool available for use by this DNS.

The Add button at the bottom adds this DNS to the DNS list and keeps the dialog open, the Add & Close button adds the DNS to the DNS list and closes the dialog, and Cancel closes the dialog without saving any changes.

When you click Add to add a new IP address to the IP address pool, the following popup appears:

Figure 22: Add IP Address to DNS List

IP Address - here you enter the IP address that you want to add to the pool of IP addresses used by this DNS.

22.7.3 HOB TCP Tuner - Exclude DNS Tab

The next tab on the screen is the Exclude DNS tab. Here you specify individual IP addresses that, for whatever reason, are not to be used in standard communication under dynamic NAT.

Figure 23: HOB WSP Configuration - TCP Tuner - Exclude DNS Tab

Exclude DNS List - this list holds the individual IP addresses that are to be excluded from all DNS IP address pools. Use the Add and Remove buttons to manage this list.

22.7.4 HOB TCP Tuner - SOCKS Servers Tab

The next tab on the screen is the SOCKS Servers tab. Here you specify the IP address or DNS name of each SOCKS server and the TCP port it uses.

Figure 24: HOB WSP Configuration - TCP Tuner - SOCKS Servers Tab

Use the Add and Remove buttons to manage this list.
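The address plan of the tunnel (Server network in 22.3; Allowed Raw Packet Interface IP Address Ranges, Tunnel IP Address Ranges and Tunnel DNS in 22.5) and the Dynamic NAT pools (Translated Network, DNS pools and Exclude DNS List in 22.6 and 22.7) are entered in separate dialogs. The following Python script is an added example, not HOB code: it models those fields as plain values and runs the consistency checks a practitioner would apply before handing the tunnel to users. The field names are the guide's; the PppTunnelPlan class, check_plan(), the sample plan and the five rules are this example's own assumptions about how the fields relate to each other, not documented HOB behaviour.

```python
"""Consistency check for a HOB PPP Tunnel address plan.

Added example (not HOB code). It models the fields named in the guide as
plain Python values; the relationships it checks between them are this
example's own assumptions, not documented HOB behaviour.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PppTunnelPlan:
    server_network: str          # "Server network" plus its CIDR prefix length
    allowed_raw_ranges: list     # "Allowed Raw Packet Interface IP Address Ranges"
    tunnel_ranges: list          # "Tunnel IP Address Ranges" handed to PPP clients
    tunnel_dns: list             # "Tunnel DNS 1" / "Tunnel DNS 2"
    translated_networks: list    # "Translated Network" / "Alternate Translated Network"
    dns_pools: dict              # DNS tab: pool name -> list of pool IP addresses
    exclude_dns: list            # "Exclude DNS List"


def _net(text):
    """Parse a CIDR string; strict=False also accepts a host address with a prefix."""
    return ipaddress.ip_network(text, strict=False)


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    server = _net(plan.server_network)
    allowed = [_net(r) for r in plan.allowed_raw_ranges]
    tunnel = [_net(r) for r in plan.tunnel_ranges]
    translated = [_net(r) for r in plan.translated_networks]

    # Assumption 1: a tunnel client range that the raw packet interface will not
    # process is useless, so every tunnel range must sit inside an allowed range.
    for t in tunnel:
        if not any(t.subnet_of(a) for a in allowed):
            findings.append(f"tunnel range {t} is not covered by any allowed raw packet interface range")

    # Assumption 2: client addresses colliding with the server network make
    # routing ambiguous; tunnel ranges must not overlap it or each other.
    for i, t in enumerate(tunnel):
        if t.overlaps(server):
            findings.append(f"tunnel range {t} overlaps the server network {server}")
        for other in tunnel[i + 1:]:
            if t.overlaps(other):
                findings.append(f"tunnel ranges {t} and {other} overlap")

    # Assumption 3: the tunnel DNS servers must be reachable from the client,
    # i.e. lie in the server network or in a tunnel range.
    for d in plan.tunnel_dns:
        ip = ipaddress.ip_address(d)
        if ip not in server and not any(ip in t for t in tunnel):
            findings.append(f"tunnel DNS {ip} lies outside the server network and all tunnel ranges")

    # Assumption 4: translated (NAT) networks must not collide with the
    # server network or with the tunnel ranges.
    for n in translated:
        if n.overlaps(server) or any(n.overlaps(t) for t in tunnel):
            findings.append(f"translated network {n} overlaps the server network or a tunnel range")

    # Assumption 5: pool addresses are drawn from a translated network, and the
    # Exclude DNS List applies to every pool; a pool with nothing left is a fault.
    excluded = {ipaddress.ip_address(x) for x in plan.exclude_dns}
    for name, addrs in plan.dns_pools.items():
        usable = 0
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if not any(ip in n for n in translated):
                findings.append(f"pool {name}: {ip} is outside every translated network")
            elif ip not in excluded:
                usable += 1
        if usable == 0:
            findings.append(f"pool {name}: no usable address remains after applying the Exclude DNS List")
    return findings


def sample_plan():
    """Constructed sample plan (values made up for this example) that passes every check."""
    return PppTunnelPlan(
        server_network="10.20.0.0/16",
        allowed_raw_ranges=["10.200.0.0/16"],
        tunnel_ranges=["10.200.1.0/24", "10.200.2.0/24"],
        tunnel_dns=["10.20.0.53"],
        translated_networks=["10.250.0.0/24", "10.251.0.0/24"],
        dns_pools={"nat-primary": ["10.250.0.10", "10.250.0.11"],
                   "nat-alternate": ["10.251.0.10"]},
        exclude_dns=["10.250.0.11"],
    )


if __name__ == "__main__":
    for line in check_plan(sample_plan()) or ["plan is consistent"]:
        print(line)
```

Run it with the values from your own configuration dialogs in place of sample_plan(); every finding it prints corresponds to a dialog field in 22.3, 22.5, 22.6 or 22.7 that needs another look. Addresses on the Exclude DNS List are silently skipped by rule 5, so a pool that consists only of excluded addresses is reported rather than accepted.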
22.7.5 HOB TCP Tuner - FTP Servers Tab

The next tab on the screen is the FTP Servers tab. Here you specify the IP address or DNS name of each FTP server and the TCP port it uses.

Figure 25: HOB WSP Configuration - TCP Tuner - FTP Servers Tab

Use the Add and Remove buttons to manage this list.

Save the configuration using Main menu > File > Save. The HOB TCP Tuner component has now been configured and can be selected for use in the configuration of the HOB PPP Tunnel.

22.8 Assigning the Server List

The final step in the configuration is to assign the HOB PPP Tunnel Server List to the HOB WSP itself, for the HOB WSP to use when creating connections.

1. In the HOB WSP configuration interface select the role for which the HOB PPP Tunnel is configured, for example User.
2. Under the Settings tab select Privileges > Server Lists.

Figure 26: HOB WSP Configuration - Roles - Server Lists

3. Check the PPP Tunnel server list among those already configured. If you have configured more than one list for the HOB PPP Tunnel, you may select all of them for use; assign only the lists this role actually needs.
4. Use the Check All or Clear All buttons to help you refine your selection.
5. Save the configuration (Main menu > File > Save). The Server List is now ready for use.

22.9 Creating a HOB PPP Tunnel Portlet on the Navigation Screen

To create the portlet that allows your users to enable the HOB PPP Tunnel for their sessions, select in the HOB WSP configuration interface the role to which the portlet is to be assigned. In the example shown in this section the User role has been selected.

1. In the HOB WSP configuration interface select the tab Privileges > Portlets. The following screen is displayed:

Figure 27: HOB WSP Administration - Role Settings - Privileges - Portlets

2. Click Add to add the new portlet to the list of those already available to this role. The Add Portlet dialog is displayed.

Figure 28: Add Portlet

3. Under Portlet select HOB PPP Tunnel from the dropdown box to add it to the portlet list.
4. Choose the State in which the portlet will appear on the HOB RD VPN navigation screen, either Open (expanded) or Closed (collapsed).
5. Click Add & Close to add this portlet to the list. This dialog also closes.
6. Save the changes to the HOB WSP configuration (Main menu > File > Save) and close the dialog. The new portlet for the HOB PPP Tunnel is now available.

22.10 Using the HOB PPP Tunnel

Open the HOB RD VPN start page and click the Start PPP Tunnel menu item displayed on this page (if the administrator has configured it). Once this menu item is selected the HOB PPP Tunnel starts and a tray icon appears in the notification area of the client computer. Click the tray icon to open a status dialog of the HOB PPP Tunnel, which you can also use to terminate the connection.

Other resources on the Internet can still be visited with the same browser once the HOB PPP Tunnel has started. This does not affect the HOB PPP Tunnel, nor does closing the browser disconnect or close the HOB PPP Tunnel. This is not the case if Anti-Split Tunneling has been enabled.

22.10.1 Anti-Split Tunnel

While using the HOB PPP Tunnel, users can still reach other HOB RD VPN functions and, once these are properly installed and configured in the central network, these connections can be configured for access without going through the HOB PPP Tunnel; likewise, traffic to the Internet can leave the client directly rather than through the tunnel. This is known as a split tunnel. Many companies consider a split tunnel a security risk, because the client is connected to the corporate network and to an untrusted network at the same time, so a compromised client can act as a bridge between the two. HOB have therefore developed an Anti-Split Tunnel feature to restrict the use of the split tunnel. Please see Section 25.1.3 Compliance Check - Anti-Split Tunnelling for more information.
22.10.2 Reconnect After a Short Interruption of the Connection

If there is a temporary network interruption and the client loses its connection, the user does not need to restart the HOB PPP Tunnel. Instead, the HOB PPP Tunnel automatically resynchronizes itself with the network as soon as the interruption is remedied. In almost all cases the applications continue running on the client without any problems. The network connection of the client can be broken when, for example, the provider temporarily interrupts the DSL line and then re-establishes the connection.

23 HOBPhone

HOBPhone is a Java-based SIP client that allows HOB RD VPN users to connect securely to the telephone system of your company over the Internet. Users are thus reachable and can make phone calls from anywhere as if they were physically within the company network. HOBPhone supports up to 5 accounts or lines, and each account can handle a virtually unlimited number of simultaneous active calls; the total number of calls is limited only by the processing power, memory and bandwidth of the client. HOBPhone can therefore also be used to connect clients on different networks in a conference.

23.1 Configuring HOBPhone in HOB RD VPN

HOBPhone is included as an integral part of the HOB RD VPN installation. The following configuration steps are necessary before the HOB RD VPN users can make their first phone call via HOBPhone:

- Configuring the HOB WSP for HOBPhone
- Activating HOBPhone for a specific user role in the HOB WSP
- Configuring a telephone system in the directory service
- Configuring the connection to the telephone system

23.1.1 Configuring the HOB WSP for HOBPhone

The first step is to configure the HOB WebSecureProxy for VoIP:

1. Log on and start the HOB RD VPN Administration interface.
2. Select the Servers element of your internal hierarchy and select WebSecureProxy > Configure. This starts the HOB WebSecureProxy configuration interface.
3. Although fully integrated into HOB RD VPN, HOBPhone is an optional feature. For this reason the configuration dialog of HOBPhone is found as an extension to HOB RD VPN. So, to configure HOBPhone, you must select the item Extensions. The following screen appears:

Figure 1: HOB RD VPN Administration - Extensions

4. Now select the item Extensions > HOBPhone. This screen appears:

Figure 2: Configuring HOBPhone - Settings Tab

The fields on this screen to be completed are:

Name - here you enter a name you wish to use for this HOBPhone configuration.
Mode - this field holds the required connection mode; it is disabled by default.
Use Network Adapter - this field holds the required network adapter information, and is disabled by default.
Predefined Protocol - this field holds the required communication protocol and is disabled by default, as the necessary protocol, HOB-VOIP-1, is already entered and cannot be changed.
VOIP server network adapter - here you select the desired network adapter from the dropdown list, or leave it as Any for the default adapter to be used. This network adapter will be used by HOB RD VPN for all VoIP connections to the telephone system.
Timeout (sec) - enter here the time in seconds the client waits before a connection attempt is timed out. The default setting is 3 seconds.
Keep alive (sec) - the time in seconds the connection waits for new HTTP requests/responses once the connection is established, before it shuts down due to inactivity. The default is 10 seconds.

5. Select the Address Book tab.

Figure 3: Configuring HOBPhone - Address Book Tab

6. In this tab you need to enter the Address book URL, the URL under which the electronic address book is available. Save the changes and the HOBPhone component is now configured in the HOB WSP.

23.1.2 Activating HOBPhone for a Specific User Role

Now that you have configured the HOB WSP for HOBPhone, it must be assigned to at least one specific Role for your users.

1. Open the HOB WebSecureProxy configuration, select the desired role (for example User, as shown here) and go to Privileges > Server Lists.

Figure 4: HOB WSP Configuration - Roles - Server Lists

2. Select the HOBPhone option from the list of configured server lists.
3. Now go to Privileges > Portlets to create a portlet for HOBPhone on the HOB RD VPN Navigation Screen.

Figure 5: HOB WSP Configuration - Roles - Portlets

4. Here use the Add button and, from the Add Portlet popup dialog, select HOBPhone from the dropdown box. You can also use this dialog to choose whether the portlet appears on the navigation screen in an Opened or a Closed state.

Figure 6: Add HOBPhone Portlet Popup

5. Click Add & Close to add this portlet to the list of those available and close the dialog.
6. Save the configuration and restart the HOB RD VPN Service.
7. Now you need to configure the UDP Gate for transmissions using the UDP protocol. This is found under the WSP Servers > WSP Server item.

Figure 7: HOB WSP Configuration - WSP Servers - UDP Access

Select the tab UDP Access. This tab contains the following fields:

Enable UDP Gate - check this to activate the UDP Gate for HOBPhone communications. The following two fields only become enabled when this box is checked:
UDP Listening Adapter - enter here the adapter you want to use to listen for HOBPhone communications.
UDP Listening Port - enter here the number of the port you want to use for UDP communications. The default is 8150.
23.1.3 Configuring a Telephone System

Each firm has different requirements, so HOB RD VPN allows you to create a telephone system as an object that can be added to your resource management hierarchy. Multiple systems can be configured as necessary. All sub-nodes under a configured system inherit its configuration.

Figure 8: HOB EA Admin - New Object - Telephone System

Select the node that will contain the new telephone system and click the New > Organizational Unit icon in the task bar. Give the new Organizational Unit a name (for example Telephone System, as shown here) and save the configuration.

23.1.4 Configuring the Connection to the Telephone System

HOB RD VPN needs some information about the telephone system(s) that will be connected. The best practice is to place the configuration on the root node, as this makes it possible for every user to use this VoIP system.

1. Select the root node of your directory service (for example dc=hobsoft, dc=root) and open the HOBPhone configuration dialog by right-clicking this node and choosing Configure > HOB RD VPN 2.1 > HOBPhone.

Figure 9: HOB EA Administration - HOBPhone

2. The following screen appears.

Figure 10: HOBPhone Configuration - Start Screen

3. Select the Telephone systems item in the left-hand tree and click the Add button. The following dialog is displayed:

Figure 11: HOBPhone Configuration - Settings

The fields on this screen are as follows:

Name - enter a name of your choice to label this telephone system configuration.
Description - here you can enter a short description for the telephone system.
Host IP Address - here you specify the IP address to be used for the VoIP connection.
Port - here you specify the port to be used for the VoIP connection (the default is 5060). This is the port number for SIP access to the VoIP system, also referred to as the PBX (Private Branch eXchange), the telephone exchange that serves a particular business or office.

The connection between the HOB WSP and the PBX requires the SIP port to be open for both incoming and outgoing data on the PBX (normally port 5060, but this can be changed), as well as any ports required for RTP (Real-time Transport Protocol) connections. RTP is used to deliver audio and video packets over IP networks. RTP ports are assigned dynamically and can be any port in the range 1024 to 65535; they can usually be restricted in the PBX settings (for example, Asterisk uses ports 10000-20000 by default). The dynamically assigned RTP ports on the HOB WSP side are taken from the ephemeral port range of the operating system the HOB WSP is running on. The defaults are 49152-65535 on Microsoft Windows Server 2008, 32768-61000 on the majority of Linux systems, and 1025-5000 on Microsoft Windows Server 2003 or older BSD systems. Check the actual range rather than relying on these defaults: on Linux, read /proc/sys/net/ipv4/ip_local_port_range; on Windows, run netsh int ipv4 show dynamicport udp. Limit the firewall rules between the HOB WSP and the PBX to exactly these ranges instead of opening 1024-65535. Other firewall rules may be required by the HOB WSP for other reasons, for example to reach the LDAP server.

The HOB WSP uses port 5060 to send SIP data if the parameter <SIPuse-UDP-port-5060> is set to YES in the configuration; otherwise a dynamic port is used.

Max Sessions - here you see the maximum number of sessions (default 500) that can be used simultaneously for this connection.
Gateway Name - here you set the name of the gateway. Set the Gateway Name to RTP-UDP. This is the default Gateway Name in HOB RD VPN and should always be used.

Now Save the changes and Close this dialog.

23.2 Configuring the User Accounts in HOBPhone

Now that HOBPhone has been configured and is ready for use, starting the application displays the main HOBPhone interface screen, shown here.
Figure 12: HOBPhone Main Interface

The functions of HOBPhone are organized as menu items and as GUI buttons, arranged as follows from the top:

- Menu (Phone, Account), used for configuring user accounts
- Information panel, displaying messages concerning the current status and activity in HOBPhone
- The Number Entry field and the Make Call and End Call icons for making calls
- Function Tabs (Call, Call History, Missed Call Log, Conference Call, Address Book) for activating the different functions of HOBPhone. Each Function Tab has its own buttons and layout
- Sound and Account Panels to manage the current call

23.2.1 HOBPhone Menu

The contents of the menu (Phone, Account), shown in the menu bar at the top, are as follows:

Menu > Phone
Device Configuration - use this option to configure the devices to use for input and output and the audio levels; see Section 23.2.3 Configuring Audio Devices on page 317 for more information.
Preferences - use this to configure the codecs that are required and to enable codec settings where applicable.
Exit - finish using the HOBPhone application and shut down this feature.

Menu > Account
Configure - use this option to configure the accounts for the users of the application. See Section 23.2.2 Configuring HOBPhone User Accounts on page 314 for more information.
Register - use this option to attempt to register the selected account with the PBX and make this number available for calls.
Unregister - use this to unregister the selected account and make this number no longer available for calls.
Register All - this option registers all configured accounts at the same time.
Unregister All - this option unregisters all configured accounts at the same time.

23.2.2 Configuring HOBPhone User Accounts

HOBPhone user accounts can be configured directly using the HOBPhone interface. The standalone HOBPhone allows configuration through the HOBPhone interface; the HOBPhone feature of HOB RD VPN uses the HOB WSP, where the user accounts are read-only, and any changes to these configurations must be made directly in the configuration storage for your system.

To enter account details or adjust the user settings, start HOBPhone and in the main interface screen either click Menu > Account > Configure or right-click the individual account icon to display the following screen:

Figure 13: HOBPhone Configuration - General Tab

Account Name - the first field is a dropdown box that holds the name of the account that you are configuring. Use the dropdown arrow to select a different account. This account list is restricted to 5 accounts.
Delete Entry - use this button to remove the configuration of the currently displayed account.

There are two tabs available on this screen, General and Advanced.
The General tab is shown by default, and the settings that can be edited here are, from top to bottom: Protocol – HOBPhone is an application based on the SIP protocol, only SIP can be selected here Full Name – this holds the full name of the user attached to the SIP messages Ident – this holds the user identity or phone number Display number – this holds the number or name to be displayed on the local interface only instead of the username (for example a dial group number) in the HOBPhone interface Registrar – here the IP address or valid DNS name of the PBX is stored Port - the port of the PBX to use (defaults to the SIP port 5060 if not set) Password - you enter your password as configured at the PBX to access features or a specific account here Outbound Proxy – this contains the address of the outbound SIP proxy – SIP requests are sent to this address Outbound Proxy Port – this field contains the outbound proxy port number, by default this is the SIP port 5060 Security Solutions by HOB 315 HOBPhone HOB RD VPN OK – store this configuration for the specified account (a popup appears you to prompt you to store it locally in a specific file location) and close this screen Revert – do not save the changes to this account configuration and return to the first account configuration Figure 14: HOBPhone Configuration - Advanced Tab The settings that can be edited on the Advanced tab are: Use SRTP – enable this button to use SRTP (Secure Real-time Transport Protocol). In direct mode SRTP must be supported by all components (the PBX and all other participants in the call) for the call data to be encrypted. When using the WSP mode, the data can be encrypted between the HOBPhone and HOB RD VPN regardless of the capabilities of the PBX or other participants. If using the UDP gate the voice audio is encrypted using the SRTP protocol, otherwise SSL is used with the communication with the HOB WSP (unless a different protocol is used in your system, then this is also used here). 
Autoregister – an attempt to register this account with the PBX is made automatically whenever the HOBPhone application is started
Sip Transport – when HOBPhone connects through the HOB WSP, all SIP data is always passed encrypted over TCP; the UDP/TCP option only applies to the standalone HOBPhone. Voice communications are always sent over UDP, except in WSP mode when no UDP Gate is being used.
Local IP – use this setting to specify which IP address on the local machine HOBPhone uses to connect to the specified registrar. The available IP addresses are listed in the dropdown box. The default setting is Auto: on start of the application HOBPhone attempts to find the best path to the registrar for each account, and if a path cannot be determined the user is prompted to choose an IP address. This behavior can be overridden by specifying the IP address to use. Note that this is only useful if the machine has multiple static IP addresses and the user wishes HOBPhone to use a particular one to connect to the registrar.
OK – store this configuration for the specified account and close this screen
Revert – discard the changes to this account configuration and return to the General tab of this account configuration
23.2.3 Configuring Audio Devices
From the main HOBPhone interface menu, select Phone > Device Configuration; a popup is displayed that lists the audio devices available to HOBPhone. Devices with audio output capability are shown with a Playback and a Ring option; recording devices are shown with a Record option. The name of the device is shown above each volume slider. There are also two virtual devices that are not always present – Primary Sound Driver and Remote Audio.
Figure 15: HOBPhone Configuration – Device Configuration
Primary Sound Driver – a default virtual device provided by Java; it automatically uses the default audio device
  Playback – check to route call audio to this device
  Ring – check to play the ring tone on this device for incoming calls
Headphones – the headphone device currently in use
  Playback – check to route call audio to this device
  Ring – check to play the ring tone on this device for incoming calls
Speakers – the name of the loudspeaker device in use
  Ring – check to play the ring tone on the loudspeaker for incoming calls
Primary Sound Capture Driver – this device records incoming sound and automatically uses the default audio device
  Playback – check to route call audio to the loudspeaker device
  Record – check to use this device for recording during calls
Microphone – the name of the microphone device in use
  Record – allows the microphone to record sound from the user
Any changes made here are applied immediately.
23.2.4 Configuring Audio Settings and Advanced Options
The Preferences option on the main HOBPhone menu allows you to configure recording and playback quality and encoding settings, as well as recorded messages and advanced settings. Audio configuration files are created automatically on first use. By default the first audio recording device found is enabled for voice input and the first audio output device found is enabled for voice output; all audio output devices on the system are enabled to ring on calls.
Codecs
This section holds options related to how audio is recorded and transmitted over the network.
Figure 16: HOBPhone Configuration – Audio Settings G.711
The audio settings of HOBPhone consist of the following:
16Khz Sampling – if this option is selected, HOBPhone samples all recorded audio at 16 kHz.
Otherwise all recorded audio is sampled at 8 kHz. Only enable this option if you plan to use a codec that supports 16 kHz sampling. Changing this option requires a restart of HOBPhone.
G.711 (Codec Configuration) – two algorithms are available for this codec, PCMA and PCMU (A-law, used mostly in Europe and worldwide, and µ-law, used mostly in North America and Japan). These are the default codecs supported by all SIP compliant devices. They provide 8 kHz sampling and require 64 kbps of bandwidth (around 85 kbps including headers).
Speex (Codec Configuration) – this codec can be configured for lower bandwidth usage (Narrowband) or better voice quality (Wideband). Five preset constant bit rates (selected from the Quality dropdown box) and a variable bit rate are available. The Quality setting only applies when VBR (Variable Bit Rate) is set to OFF.
Figure 17: HOBPhone – Audio Settings Speex Narrow Band
The bandwidth requirements for Speex are:

Audio Quality Setting    8 kHz Sampling (Narrowband)    16 kHz Sampling (Wideband)
Lowest (8 kbps)          29 kbps                        34 kbps
Low (11 kbps)            32 kbps                        42 kbps
Medium (15 kbps)         36 kbps                        48.5 kbps
High (18.2 kbps)         39 kbps                        55 kbps
Maximum (24.6 kbps)      45 kbps                        63 kbps
VBR                      23-45 kbps                     25-63 kbps

Table 1: Available bandwidths for Speex settings
The VBR (Variable Bit Rate) setting can be used with both 8 kHz and 16 kHz sampling; it reduces the bandwidth during conversation pauses or slack points and so increases the efficiency of the connection.
As not all participants in a communication will have the same settings, the band that is used is selected in the following order:
• with 16 kHz sampling ON: 1. 16 kHz, 2. 8 kHz, 3. Other Codecs
• with 16 kHz sampling OFF: 1. 8 kHz, 2. Other Codecs, 3.
16 kHz
The first preference that is also available on the receiving end is chosen.
The following screen is shown with the Speex and Wide Band settings selected:
Figure 18: HOBPhone – Audio Settings Speex Wide Band
The following screen is shown with the Speex, Wide Band and VBR (Variable Bit Rate) settings selected:
Figure 19: HOBPhone – Audio Settings Speex VBR
GSM (Codec Configuration) – this codec can be used for communication over GSM bandwidths.
GSM Full Rate – GSM requires around 35 kbps of bandwidth and gives slightly lower quality than G.711. If enabled and supported by both participants in a call, GSM is favored over G.711.
Recorded Messages
The recorded messages section allows the user to create up to three prerecorded messages that can be played to answer a call. This is useful when you receive a call during another call which you do not want to interrupt.
Figure 20: HOBPhone - Recorded Messages
If a message is enabled and no recording has been created, the caller hears a beep.
Record icon – allows the user to record a message. Recorded messages are saved locally and limited to 15 seconds in length
Delete icon – deletes a recorded message
Play icon – plays the recorded message
Advanced Options
This tab offers the following options:
Figure 21: HOBPhone Preferences - Advanced Options
AEC – enables Acoustic Echo Cancellation. This option requires considerable hardware resources.
Remove special characters from phone numbers – automatically removes characters that are not part of the number, such as brackets and spaces. This is useful for instance when copying a number with brackets from another source or when address book entries have embedded spaces.
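The selection order above, together with the bandwidth figures in Table 1, determines which codec a call ends up using and what it costs on the wire. The following Python script is an added example, not code from this guide or from HOBPhone: it builds the local preference list from the 16Khz Sampling and GSM settings, picks the first preference that the remote side also offers (or reports that no common codec exists), and estimates the IP-level bandwidth of the chosen codec. The RTP codec names, the nominal payload rates and the header arithmetic are assumptions of the example; Table 1 remains the reference for Speex.

```python
"""Codec selection and bandwidth estimate for a HOBPhone-style SIP call.

Added example; it is not code from the HOB RD VPN guide or from HOBPhone.
It models the selection order the guide gives (16 kHz sampling ON: 16 kHz,
8 kHz, other codecs; OFF: 8 kHz, other codecs, 16 kHz), places GSM ahead of
G.711 when it is enabled, and picks the first local preference the remote
side also offers. The codec names, nominal payload rates and the header
arithmetic are assumptions of this example, not HOBPhone values.
"""
from typing import List, Optional, Sequence

# Nominal payload bit rates in kbit/s (assumed; the Speex rates are the
# "Medium" and "Maximum" presets of Table 1, GSM full rate is 13 kbit/s).
PAYLOAD_KBPS = {
    "speex/16000": 24.6,  # Speex wideband
    "speex/8000": 15.0,   # Speex narrowband
    "GSM/8000": 13.0,     # GSM full rate
    "PCMA/8000": 64.0,    # G.711 A-law
    "PCMU/8000": 64.0,    # G.711 u-law
}
G711 = ["PCMA/8000", "PCMU/8000"]


def preference_order(sampling_16k: bool, gsm_enabled: bool) -> List[str]:
    """Local codec list in the order the Preferences settings imply."""
    other = (["GSM/8000"] if gsm_enabled else []) + G711
    if sampling_16k:
        return ["speex/16000", "speex/8000"] + other
    return ["speex/8000"] + other + ["speex/16000"]


def negotiate(local: Sequence[str], remote: Sequence[str]) -> Optional[str]:
    """First local preference that the remote side also offers; None when
    there is no common codec, in which case the call cannot be set up."""
    offered = {c.lower() for c in remote}
    for codec in local:
        if codec.lower() in offered:
            return codec
    return None


def ip_bandwidth_kbps(payload_kbps: float, ptime_ms: int = 20,
                      ipv6: bool = False) -> float:
    """One direction at IP level: payload plus RTP (12 bytes), UDP (8) and
    IP (20 or 40) headers for every packet. Link-layer framing is not
    counted, which is why G.711 comes out at 80 rather than the "around
    85 kbps including headers" quoted in the guide."""
    header_bytes = 12 + 8 + (40 if ipv6 else 20)
    packets_per_second = 1000 / ptime_ms
    return payload_kbps + header_bytes * 8 * packets_per_second / 1000


def plan_call(sampling_16k: bool, gsm_enabled: bool,
              remote_offer: Sequence[str]):
    """(chosen codec, estimated kbit/s per direction), or (None, 0.0)."""
    codec = negotiate(preference_order(sampling_16k, gsm_enabled), remote_offer)
    if codec is None:
        return None, 0.0
    return codec, round(ip_bandwidth_kbps(PAYLOAD_KBPS[codec]), 1)


if __name__ == "__main__":
    # Constructed remote offer: a PBX that speaks only G.711 and GSM.
    pbx_offer = ["PCMU/8000", "PCMA/8000", "GSM/8000"]
    print(plan_call(True, False, pbx_offer))         # ('PCMA/8000', 80.0)
    print(plan_call(True, True, pbx_offer))          # ('GSM/8000', 29.0)
    print(plan_call(False, False, ["speex/16000"]))  # ('speex/16000', 40.6)
    print(plan_call(True, False, ["opus/48000"]))    # (None, 0.0)
```

The last case is the failure mode worth planning for: a party that offers nothing from HOBPhone's list gets no codec at all, so a PBX that is restricted to a single codec should have that codec enabled on every HOBPhone account.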
Use replacement rules – allows the addition of custom rules that modify dialed phone numbers. To add a rule click the Add button, then complete these three fields:
Find – this text is replaced with the text entered in the Replace with field
Replace with – this text replaces the text entered in the Find field
Line – apply this rule to the specified line. You can either select a specific line or All lines to apply the rule to all accounts.
The text in the Find field can be placed in double quotes "" to specify that an exact match is required. This feature can be used to set quick-dial shortcuts. Some examples of how this can be used:
Find "1", Replace with "1234" – calls the number 1234 when exactly "1" is dialed.
Find "John", Replace with "01234567890" – dials the number 01234567890 when "John" is dialed.
A rule can also preset an external call prefix: Find + (no quotes), Replace with "900" – replaces any + in the number with 900.
When an outgoing call is made, all dialing rules are checked and applied sequentially from top to bottom. Because each rule operates on the output of the rule above it, the order of the list matters when one rule's replacement text could be matched by a later rule.
Jitter Buffer Length – sets the length of the jitter buffer for incoming audio. This improves audio quality when jitter is present on the network connection; if the buffer is too long, slight audio delays might result. The default is 60 ms.
23.3 Using HOBPhone
The HOBPhone main interface has 5 tabs providing different functionality. In addition to these tabs, the following buttons and options are common to all tabs:
Menu (Phone, Account, Call) – used for configuring user accounts
Information panel – displays messages concerning the current activity in HOBPhone
Enter Number field, Dial and End Call – use these for making calls.
Enter the number you want to connect to in the Enter Number field and click the Dial button to make the connection to the displayed destination or to answer an incoming call; the End Call button terminates the connection and ends the call.
Function Tabs (Call, Call History, Missed Call Log, Conference Call, Address Book) – use the Function Tabs to access the other functionality of HOBPhone (see below for more detail)
Sound Control – these icons allow you to place a call on loudspeaker or to turn the microphone on or off. The icon is shown in gray when turned off.
Accounts – shows the currently registered HOBPhone accounts of this user (in this example four of the possible five are configured; account number 4 is selected and so is shown as the largest)
Account Icon with Phone – the phone symbol in this icon shows that this account is currently active and connected.
Accounts shown in green are registered and can be used to make calls; accounts shown in yellow are configured but not yet registered (registration failed or has not been attempted); accounts shown in gray are not configured; accounts shown in red have been deregistered and can no longer be used to make calls. Only registered (green) accounts may make calls.
On an incoming call there is an in-GUI alert if the application is running and the GUI is open; the HOBPhone interface pops up automatically if the application is running but the GUI is collapsed; if the application is not running, the caller receives a message that you are not reachable.
23.3.1 Call Tab
This screen is accessed with the Call icon on the HOBPhone interface (see below) and is used for making or answering calls received through the HOBPhone application.
Call icon
Figure 22: HOBPhone Main Interface – Call Tab with Number Pad
Dial – click to make a call to the displayed destination or to answer an incoming call
Backspace – click to delete the previous character entered in the number entry field
Making a Call
To make an outgoing call using HOBPhone, you have two options:
1. Manually enter the number in the Number Entry field and click the Dial button, or
2. Use the Address Book button to select a number from the Address Book and click Dial (see Address Book Tab below for more details)
When entering a dial number, the following conventions are applied:
Spaces are ignored
Numbers are truncated at the @ character, if present
The + symbol is passed as is to the PBX, which may or may not recognize it depending on the settings of the PBX
Answering a Call
When you are alerted to an incoming call, answer by using the Dial button or the Call > Accept option in the main HOBPhone interface menu. The caller identity and other information are displayed in the information panel.
Using HOBPhone during an Active Call
While a call is active, the main interface of HOBPhone appears as in the following screen:
Figure 23: HOBPhone Main Interface – Active Call
On this screen all of the most recent activity of HOBPhone is displayed, with the currently active call highlighted with a green background, as shown here:
The functions that can be performed through the icons for this active call are as follows:
End Call – use this icon to finish the call and close the connection
Place on Hold – when you have an active call (incoming or outgoing) that you wish to place on hold, click this icon shown beside the currently active call.
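The dial conventions just listed and the replacement rules from Preferences > Advanced Options (Section 23.2.4) together decide what actually reaches the PBX. The following Python script is an added example and not HOBPhone's own code: it applies the entry conventions (spaces dropped, truncation at @, + passed through), optionally the Remove special characters option, and then the rule list top to bottom, treating a Find text in double quotes as an exact match of the whole number and an unquoted Find text as a substring replacement. The Rule class, the per-line matching and the character set kept by the special-character option are assumptions of the example.

```python
"""Dial-string normalization and replacement rules, HOBPhone style.

Added example, not HOBPhone code. It applies the entry conventions the guide
lists (spaces ignored, number truncated at "@", "+" passed through) and then
the replacement rules from Preferences > Advanced Options: a Find text in
double quotes must match the whole number, an unquoted Find text is replaced
wherever it occurs, and rules run top to bottom, each seeing the output of the
one before. The Rule class, the "line" matching and the characters kept by the
"Remove special characters" option are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    find: str                   # as typed in the Find field, quotes included if used
    replace_with: str           # as typed in the Replace with field
    line: Optional[int] = None  # None means "All lines"


def normalize(entry: str) -> str:
    """Apply the dial conventions: drop spaces, cut at "@", keep "+"."""
    number = entry.replace(" ", "")
    at = number.find("@")
    return number if at < 0 else number[:at]


def apply_rule(number: str, rule: Rule) -> str:
    """One rule: quoted Find = exact match of the whole number,
    unquoted Find = substring replacement everywhere it occurs."""
    find = rule.find
    if len(find) >= 2 and find[0] == '"' and find[-1] == '"':
        return rule.replace_with if number == find[1:-1] else number
    return number.replace(find, rule.replace_with) if find else number


def dial_string(entry: str, rules: List[Rule], line: int,
                strip_special: bool = False) -> str:
    """Full pipeline for a number dialed on account `line`."""
    number = normalize(entry)
    if strip_special:
        # Assumed character set: digits, letters, "+", "*" and "#" survive;
        # the guide only names brackets and spaces as what is removed.
        number = "".join(c for c in number if c.isalnum() or c in "+*#")
    for rule in rules:
        if rule.line is None or rule.line == line:
            number = apply_rule(number, rule)
    return number


# Constructed rule table: the guide's three examples plus a fourth rule that
# applies to line 2 only and shows the top-to-bottom chaining.
EXAMPLE_RULES = [
    Rule('"1"', "1234"),            # quick dial: exactly "1" -> 1234
    Rule('"John"', "01234567890"),  # name shortcut
    Rule("+", "900"),               # external prefix: every "+" -> 900
    Rule("900", "0900", line=2),    # line 2 only; it sees the 900 from above
]


if __name__ == "__main__":
    for entry in ["1", "12", "John", "+1 555 0100", "(0911) 12-34@pbx"]:
        print(f"{entry!r:22} line 1 -> {dial_string(entry, EXAMPLE_RULES, 1, True)}"
              f"   line 2 -> {dial_string(entry, EXAMPLE_RULES, 2, True)}")
```

Dialing "12" is left alone because the quoted rule for "1" requires an exact match, while "+1 555 0100" becomes 90015550100 on line 1 and 090015550100 on line 2, the second result being the chained effect of the fourth rule on the output of the third.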
Currently on Hold – click this to reactivate the call
Transfer Call – when you have an active (incoming or outgoing) call that you wish to forward, click this button shown beside the active call. Enter the number of the user who is to receive the call (or select them from the address book) and click the Dial button. This connects the active call to the destination. Currently only an unattended (blind) transfer is possible: if the intended recipient cannot accept the call, the call fails and the person who transferred it is not notified.
Add to Conference – to add an active call to a conference call, or to begin a conference call, click this icon. See Section 23.3.4 Conference Calls Tab below for more information.
23.3.2 Call History Tab
This screen is accessed by clicking the Call History icon on the tab screen (it is effectively the same screen as that displayed when a call is currently active).
Call History icon
Figure 24: HOBPhone Main Interface – Call History
All Calls – displays a list of all calls made and received using HOBPhone
Outgoing calls – displays a list of all calls that were made using HOBPhone
Incoming calls – displays a list of all calls that were received using HOBPhone
23.3.3 Missed Calls Tab
This screen is accessed by clicking the Missed Call icon on the Dial screen.
Missed Call icon
Figure 25: HOBPhone Main Interface – Missed Calls
23.3.4 Conference Calls Tab
This screen is accessed by clicking the Conference Call icon on the HOBPhone interface.
Conference Call icon
You can host a conference call with as many participants as are configured in the application. Use the buttons in the icon panel of the main interface while making or taking a call to initiate the conference call.
As more calls are made, these can be added to the conference. Note that the conference can accept participants from any account (line). The number of participants in a conference is limited only by the client hardware (bandwidth or processing power). In the example screen shown here, one call is currently active in the conference (green background), while a second participant (yellow background) is on hold.
Figure 26: HOBPhone Main Interface – Conference Calls
Hold All Participants – places all participants of the conference call on hold without breaking the connection
Split Conference Call – breaks the connection between the accounts in a conference while maintaining your own connection with each of them. This effectively splits a conference call into a number of individual calls
End Conference Call – finishes the conference and closes all connections
23.3.5 Address Book Tab
This screen is accessed by clicking the Address Book icon on the HOBPhone interface.
Address Book icon
The Address Book is an optional feature and is not included in all versions of HOBPhone.
Figure 27: HOBPhone Main Interface - Address Book
Addressbook URL – the URL of the server that acts as the exchange for HOBPhone communications. In the simplest case HOBPhone requires only this URL to make a connection.
Authentication Method – the protocol used for authentication (for example NTLM), selected from this dropdown box
Addressbook Username – the username under which your contact details are saved in this address book
Addressbook Password – the password for that username
Connect through RD VPN – check this radio button to connect through HOB RD VPN
RD VPN URL – the URL of the HOB RD VPN being accessed
RD VPN Username – the (domain) username used to access the HOB RD VPN
RD VPN Password – the password for access to the HOB RD VPN
KDC Host – by default Kerberos
KDC Username – the username for the KDC host
KDC Password – the password for the KDC host
Connect – click to connect to the KDC host
24 HOB WSP Universal Client
HOB WSP Universal Client (HOB WSP UC) enables remote access from a mobile client device to locally installed third party applications. This applies generally to those applications that the administrator has published on a server within the network. At the request of the customer, third-party applications such as Citrix ICA can also be optionally integrated into HOB RD VPN. This requires that the relevant ports and protocols are specifically configured for these applications.
Figure 1: Connection with HOB WebSecureProxy Universal Client and HOB WebSecureProxy
HOB WebSecureProxy Universal Client and HOB WebSecureProxy both function as gateways for the network. They enable locally installed third party applications to communicate over a secure channel through the Internet.
Because the SSL-encrypted communications of the HOB WSP Universal Client between the client device and the server within the enterprise network go exclusively over the HOB WSP, HOB RD VPN must be installed on the same server as the HOB WSP.
HOB WSP Universal Client is configurable as a portlet.
HOB WSP Universal Client does not support browsing in an Intranet. This is possible if the SOCKS protocol is used, but HOB RD VPN must be configured specifically for this. For more information see Chapter 17 HOB RD VPN Web Server Gate – Intranet Access.
Requirements for the PC: for the synchronization of data between the host machine and the mobile client device, one of the following programs should be available on the host:
Microsoft Windows Mobile Device Center
Microsoft ActiveSync
24.1 Configuring HOB WSP Universal Client
The administrator must first configure the HOB WSP Universal Client for the corresponding user or user group. To do this, open the Administration portal, select the desired user or user group, then select HOB RD VPN > WSP Universal Client in the dropdown list at bottom right and click Configure, as shown here:
Figure 2: WSP Administration - WSP Universal Client Configuration
The following dialog is displayed; it shows the WSP UC gateway configurations currently set up in the system.
Figure 3: HOB WSP UC Configuration
Gateway Name – the name of the gateway machine for the communication with the remote client device
Incoming port – the port on the gateway machine that receives the incoming communications
Target IP – the IP address of the target machine (if entered)
Applicat. Socks – whether the SOCKS protocol is to be used for the applications, either Yes or No
Advanced mode – whether Advanced mode is configured, either Yes or No (if No, only the General mode is used)
Inherited From – the resource from which these settings are inherited
Tracing – whether tracing of the traffic through the gateway is enabled
The buttons at the bottom have the following functions:
New – add a new gateway for the WSP Universal Client
Edit – edit an existing entry in the list
Delete – remove the selected entry from the list
Refresh – reload the information in this list
Save – save your changes and continue working here
Close – save your changes and exit from this screen
When the New button is clicked, the following dialog opens. It allows you to create and configure a new gateway for WSP Universal Client. The screen has two tabs, General and Advanced.
24.1.1 General Tab
On the General tab you set the connection details for the HOB WSP Universal Client.
Figure 4: WSP UC - New Gateway Configuration - General Tab
Incoming Connection – the fields in this first box are:
Gateway Name – enter a name for your connection here
Predefined Port – select from the dropdown box the predefined port for this connection to the server.
The SOCKS port (port 1080) is the default.
Port – enter the port number, unless the field is disabled by the selection in the previous field
Network Adapter IP – select the IP address of the desired adapter from the list of those available: Localhost (the address of the local machine), Any (the default adapter of the HOB WSP) or Specify IP Address (a specific adapter)
IP Address – enter the network adapter IP address here if Specify IP Address is selected in the previous field
Outgoing Connection – the fields in this box are:
Target IP – enter the IP address of the target here, unless the field is disabled. You can enter either the IP address or the domain name of the IMAP server; this is used only for direct connections of the WSP UC to the IMAP server, i.e. without being redirected over the WSP. Direct connections should be used only if the client application is run within the enterprise network, i.e. the connection to the target server is not made over the Internet, because such a direct connection carries neither authentication nor SSL encryption.
Use SOCKS Protocol for Application – enable this checkbox to use the SOCKS protocol for the application you wish to use
24.1.2 Advanced Tab
On the Advanced tab you can set advanced options and also tracing for the HOB WSP Universal Client configuration.
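A client application that is pointed at the gateway's incoming connection speaks SOCKS to it. The following Python script is an added example and not HOB code: it performs the SOCKS5 (RFC 1928) greeting and CONNECT exchange that a client sends to the port configured on the General tab (1080 by default), parses the gateway's replies and reports whether the connection to the target was accepted, which is a quick way to verify a new gateway entry before configuring the application itself. The guide does not state which SOCKS version or authentication method the gateway expects; SOCKS5 with the "no authentication" method, the target names and the scripted reply bytes are assumptions of the example.

```python
"""SOCKS5 CONNECT handshake against a WSP Universal Client gateway listener.

Added example; it is neither from the HOB RD VPN guide nor HOB code. The
guide gives the SOCKS port 1080 as the gateway's default incoming port; this
builds the SOCKS5 (RFC 1928) greeting and CONNECT a client application sends
there, parses the gateway's replies and reports whether the CONNECT to the
target was accepted. Target names, the "no authentication" method and the
ScriptedSocket double with its constructed reply bytes are assumptions.
"""
import ipaddress
import struct
from typing import Tuple

VER, NO_AUTH, NO_ACCEPTABLE, CMD_CONNECT = 0x05, 0x00, 0xFF, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03  # IPv6 (0x04) is left out for brevity
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """VER NMETHODS METHODS: offer only 'no authentication required'."""
    return bytes([VER, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT to host:port."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:  # not an IPv4 literal: send as a name
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("gateway closed the connection early")
        buf += chunk
    return buf


def read_reply(sock) -> Tuple[int, str, int]:
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; returns (REP, addr, port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != VER:
        raise ValueError(f"not a SOCKS5 reply (version byte {ver:#04x})")
    if atyp == ATYP_IPV4:
        bnd = str(ipaddress.IPv4Address(recv_exact(sock, 4)))
    elif atyp == ATYP_DOMAIN:
        bnd = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unsupported address type {atyp:#04x}")
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    return rep, bnd, port


def socks5_connect(sock, target_host: str, target_port: int) -> Tuple[int, str]:
    """Run the handshake on an open socket; returns (REP code, description).
    0xFF means method negotiation failed and no CONNECT was sent."""
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != VER or method == NO_ACCEPTABLE:
        return NO_ACCEPTABLE, "gateway refused the offered authentication method"
    if method != NO_AUTH:
        return NO_ACCEPTABLE, f"gateway insists on auth method {method:#04x}"
    sock.sendall(build_connect(target_host, target_port))
    rep, bnd, port = read_reply(sock)
    return rep, f"{REPLY_TEXT.get(rep, 'unknown reply')} (bound to {bnd}:{port})"


class ScriptedSocket:
    """Test double that plays back constructed gateway replies offline."""
    def __init__(self, script: bytes):
        self.script, self.sent = bytearray(script), b""

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk, self.script = bytes(self.script[:n]), self.script[n:]
        return chunk


# Constructed replies: 'no auth' accepted, then CONNECT succeeded with the
# gateway bound to 10.0.0.1:1080.
ACCEPTED = b"\x05\x00" + b"\x05\x00\x00\x01\x0a\x00\x00\x01\x04\x38"

if __name__ == "__main__":
    print(socks5_connect(ScriptedSocket(ACCEPTED), "imap.example.net", 143))
```

Against a real gateway, pass the result of `socket.create_connection(("gateway.example.net", 1080), timeout=5)` to `socks5_connect` instead of the ScriptedSocket. A reply code of 2 (connection not allowed by ruleset) is the one to expect when the target is not among the configured server lists, and a 0xFF from method negotiation means the gateway wants an authentication method this example does not implement.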
Figure 5: WSP UC - New Gateway Configuration - Advanced Tab
Advanced Options – here you can enter more advanced configuration options for the WSP Universal Client gateway
Enable Advanced Mode – click to activate the following options on the gateway
Protocol Name – use the arrow icon at the end of the field to select the desired protocol from the protocol list
Use Following Server Name – click to use the HOB WSP as the server for the gateway
SOCKS Server Name – enter the name of the SOCKS server if one is used for the gateway
Enable Client Data Hook – click to enable the Client Data Hook. This allows extra functionality (in the form of applications or libraries) to be added to the client communication running the SOCKS protocol
Class Name (incl. package) – the fully qualified name of the class to which the data intercepted by the client data hook is passed
Redirect MS Outlook Connection – check to redirect the Microsoft Outlook connection to the WSP Universal Client gateway
Tracing – use the fields in this panel to set up a trace of the data traveling over the HOB WSP Universal Client gateway.
Enable Trace – check to enable tracing of the gateway traffic. The trace data is stored on the HOB WSP for the administration staff to monitor performance. Because the trace records the application traffic passing through the gateway, enable it only for as long as troubleshooting requires and restrict access to the trace file.
File Name (without path) – enter the name of the file in which the trace data is to be stored
Use the OK button at the bottom to save any edits and close this dialog, the Cancel button to close the dialog without saving, and the Help button if you need more information.
24.2 Configuring the HOB WebSecureProxy for SOCKS
In the HOB WebSecureProxy a SOCKS connection must be configured over which the HOB WSP Universal Client can connect. To do so, follow these steps:
1. Start the HOB WSP administration and click WebSecureProxy > Configure.
2. Select Extensions > SOCKS to display the SOCKS Settings tab.
Here you can configure the SOCKS server for the HOB WSP Universal Client connection.
Figure 6: WSP UC - SOCKS Settings
3. Enter a Name to be used for this SOCKS connection.
4. Select a Network Adapter for this SOCKS connection from the dropdown box. The other fields on this screen are disabled by default.
5. When done, go to the main menu > File > Save to save this configuration.
24.3 Configuring the Client
The applications to which access is to be granted through the HOB WSP Universal Client must be installed locally on the client machine. When the HOB WSP Universal Client is started as a Java applet, no configuration of the client is required.
24.4 Configuring the Client Application with HOB WSP
Once HOB WebSecureProxy Universal Client is configured on your system, you can configure the client applications for communication with the HOB WSP. In the following example an e-mail program is configured. Two independent configurations (one for sending, one for receiving) have to be made.
To Configure a Client Application
1. Open the HOB WebSecureProxy configuration dialog by starting the HOB WSP administration and clicking WebSecureProxy > Configure.
2. Open the scheme Other Targets in the tree structure at the left.
Figure 7: HOB WSP Configuration - Other Targets
3. Open the desired scheme or click Add to create a new scheme, as shown here:
Figure 8: HOB WSP Configuration - Other Targets Server List
4. Enter a Name for the server list that you wish to configure for the WSP Universal Client.
5. Click Add again to bring up the following dialog:
Figure 9: Socks Server Lists Scheme: Socks Server Configuration for IMAP
6. Enter the configuration name in this tab, for example Universal Server IMAP (for receiving e-mail).
7. For Predefined protocol select the setting Mail IMAP.
8.
For Host IP Address enter the IP address or domain name of your IMAP server.
9. Click Add again to set up a new server configuration for sending e-mail.
Figure 10: Socks Server Lists Scheme: Socks Server Configuration for SMTP
10. Enter a name for this new configuration, for example Universal Client SMTP (for sending e-mail).
11. For Predefined protocol select the setting Mail SEND.
12. For Host IP Address enter the IP address or the domain name of the sending e-mail server.
13. Save the configuration using Main menu > File > Save and close the HOB WebSecureProxy configuration dialog.
The connection must also be configured in the application, so that the communication from the HOB WSP is accepted on the client side. This configuration is outside the scope of this documentation; please see the documentation of the relevant application for more information. For example, Microsoft Outlook and Microsoft Exchange Server are standard e-mail applications that must be configured on the client side to communicate with HOB RD VPN.
25 HOB Compliance Check
The HOB Compliance Check is an optional function that adds a further security step for each user that accesses, or tries to access, the network. It is a more in-depth analysis of the user identity and the client configuration, used to determine more precisely the access rights to sensitive data in the network. A compliance check is applied to the user according to the role under which they are authenticated.
Each user can have multiple roles and be authenticated differently according to the data they are accessing or the machines they are using; therefore each user can undergo multiple different compliance checks each time they log on, depending on their role.
25.1 Configuring the HOB Compliance Check
To configure the HOB Compliance Check, follow these steps:
1. Open the HOB WSP administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
2. Select Compliance Check from the pane on the left. You see the following:
Figure 1: HOB WSP Configuration – HOB Compliance Check
3. Fill in the fields:
Name – a name for the Compliance Check being created.
Mode – the connection mode to be used for this particular Compliance Check.
Now click Add to create the compliance check and open the configuration interface, where you use the following tabs to configure it:
Settings
Integrity Check
Anti-Split Tunnel
Rules
25.1.1 Compliance Check - Settings
The only setting required here is a name for this particular compliance check configuration.
Figure 2: HOB WSP Configuration – HOB Compliance Check - Settings
Name – enter a name for this particular HOB Compliance Check.
25.1.2 Compliance Check - Integrity Check
The Integrity Check is a security measure that examines the client machine making a connection to the system. It looks at the anti-virus software currently installed on the client and the status of that software.
Figure 3: HOB WSP Configuration – HOB Compliance Check - Integrity Check
Enable – check this box to run the integrity check on each authentication attempt for this user.
Name – assign a name to the integrity check to be added to this compliance check; in the example the name Compliance Check Policy is used.
Antivirus/AntiSpyware/Firewall – in this tab sheet you decide which anti-virus software, which anti-spyware software and which firewalls are accepted for this communication configuration. You may select programs for Windows, Linux and Mac OS X systems, with a tab for each. Use the two arrow buttons to move the chosen programs to the selected list, or to remove them from it.
Settings – these settings determine how up to date the anti-virus or anti-spyware program needs to be for the compliance check, and how long ago the last anti-virus or anti-spyware scan may have been performed. The default is 24 hours in both cases, although these settings are not supported by all anti-virus products.
Save the configuration using Main menu > File > Save.
25.1.3 Compliance Check - Anti-Split Tunnelling
The Anti-Split Tunnel from HOB is a security measure that prevents a user connected to the system through the HOB PPP Tunnel from simultaneously using another connection from the same client machine to the Internet. This closes the path by which an unauthorized party could reach the system through the client's already established tunnel.
Figure 4: HOB WSP Configuration – HOB Compliance Check - Anti Split Tunnelling
Enable – check this box to activate Anti-Split Tunneling.
Disable local network – check this box to disconnect the client from its local network, so that it can connect only to the servers of your system.
Set local DNS – check this box to set up a DNS server on the local client.
Allowed Networks – here you set which networks may be reached through the Anti-Split Tunnel. Use the Add and Remove buttons to manage the list of allowed networks to which the user may connect.
When you click Add, an entry field appears in this list. For each entry, enter the address of the network that this client may connect to and the prefix size of its network mask.

Save the configuration by using Main menu > File > Save.

25.1.4 Compliance Check - Rules

Rules are used to determine the connection to the system and the access levels to be granted to the users for these rules. The rules must be assigned to the users according to their roles. Rules can be created for the following:

Port
File
Mac
IP
Process

Use the Add, Edit and Remove buttons to maintain the rules lists.

Rules for Port

Here you manage the compliance check rules for the ports being used for the connection to the system.

Figure 5: HOB Compliance Check - Rules for Port

To enter a port rule, click the Add button on the right. The following dialog is displayed:

Figure 6: HOB Compliance Check - Add a Rule for Port

Name – the name to be used for this port rule.
Access – the level of access to be granted over the port (Must Be Open – access is granted if this rule is satisfied, or Must Not be Open – access is denied if this rule is satisfied).
Port – enter the number of the selected port.

Use the Add button to add this rule to the list and leave this dialog open, Add & Close to add this rule to the list and close this dialog, and Cancel to close the dialog without saving the changes.

Save the configuration by using Main menu > File > Save.

Rules for File

Here you specify how a user can connect to the files that are available to this user, if required.

Figure 7: HOB Compliance Check - Rules for File

Use the Add, Edit and Remove buttons to maintain this list. To enter a file rule, click the Add button on the right. The following dialog is displayed:

Figure 8: HOB Compliance Check - Add a Rule for File

Name – the name to be used for the rule.
Access – the level of access to be granted over the port. The options here are Must Exist (access must be granted) or Must Not Exist (access denied).
File – the location of the file that the user can access. Use the Browse (…) button to locate the desired file.
Hash – here the hash of the selected file is entered, if desired. Use the Create button to enter the hash.
Modified Date and Time – here you specify the date and time to assign to the File rule.
Date condition – here you specify the allowable age for the file: whether it must be older than, newer than or the same age as (equal to) the modified date and time for access to be granted.

Use the Add button to add this rule to the list and leave this dialog open, Add & Close to add this rule to the list and close this dialog, and Cancel to close the dialog without saving the changes.

Save the configuration by using Main menu > File > Save.

Rules for Mac

Here you specify the rules to be used when connecting to a machine via a Mac address.

Figure 9: HOB Compliance Check - Rules for Mac

Use the Add, Edit and Remove buttons to maintain this list. To enter a Mac rule, click the Add button on the right. The following dialog is displayed:

Figure 10: HOB Compliance Check - Add a Rule for Mac

In this dialog the fields to be completed are:

Name – the name to be used for this rule.
Access – the level of access to be granted over the port. The options here are Must Not Be Valid (access must be granted) or Must be Valid (access denied).
Mac Address – enter the Mac address for the selected rule.

Use the Add button to add this rule to the list and leave this dialog open, Add & Close to add this rule to the list and close this dialog, and Cancel to close the dialog without saving the changes.

Save the configuration by using Main menu > File > Save.
Rules for IP

In this tab you specify the IP addresses that the user can connect to and those to which access is denied.

Figure 11: HOB Compliance Check - Rules for IP

Use the Add, Edit and Remove buttons to maintain this list. To enter an IP rule, click the Add button on the right. The following dialog is displayed:

Figure 12: HOB Compliance Check - Add a Rule for IP

In this dialog the fields to be completed are:

Name – the name of the IP rule to be used.
Access – the level of access to be granted over the port. The options here are Must be Valid (access must be granted) or Must not be Valid (access denied).
IP Network – enter the IP network and the subnet mask to be used with this rule.

Use the Add button to add this rule to the list and leave this dialog open, Add & Close to add this rule to the list and close this dialog, and Cancel to close the dialog without saving the changes.

Save the configuration by using Main menu > File > Save.

Rules for Process

Here you can specify the process rules that apply to this user.

Figure 13: HOB Compliance Check - Rules for Process

Use the Add, Edit and Remove buttons to maintain this list. To enter a process rule, click the Add button on the right. The following dialog is displayed:

Figure 14: HOB Compliance Check - Add a Rule for Process

Name – the name to be used for this process rule.
Access – the level of access to be granted over the port. The options here are Must be Run (access must be granted) or Must Not be Run (access denied).
Process Name – enter the name of the process used with this rule.

Use the Add button to add this rule to the list and leave this dialog open, Add & Close to add this rule to the list and close this dialog, and Cancel to close the dialog without saving the changes.

Save the configuration by using Main menu > File > Save.
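The five rule kinds above, evaluated against a snapshot of a client's state, as an added example in Python (this is not HOB's code, and the guide does not describe how the client collects this data). The Posture class, the rule dictionaries, SHA-256 as the file hash and all sample values are assumptions of this example; every "Must Not ..." option is treated uniformly as the negation of its "Must ..." counterpart, and all rules must pass.

```python
"""Added example, not HOB's code: evaluate compliance check rules of the
kinds described in Section 25.1.4 against a snapshot of the client state.

Assumed semantics: a "Must ..." option passes when the rule's condition
holds on the client, a "Must Not ..." option passes when it does not, and
every rule of the compliance check must pass. The Posture class, the rule
dictionaries, SHA-256 as the file hash and all sample values are
constructed for this example."""
import hashlib
import ipaddress
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Posture:
    """Constructed snapshot of the client machine being checked."""
    open_ports: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    mac: str = ""
    ip: str = ""


def file_condition(rule: dict) -> bool:
    """File rule: the file exists and the optional hash and date condition hold."""
    path = rule["file"]
    if not os.path.isfile(path):
        return False
    if rule.get("hash"):  # hash entered in the dialog, compared to the file on disk
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != rule["hash"].lower():
                return False
    cond = rule.get("date_condition")  # "older", "newer" or "equal"
    if cond:
        mtime = datetime.fromtimestamp(os.path.getmtime(path)).replace(microsecond=0)
        ref = rule["modified"].replace(microsecond=0)
        outcome = {"older": mtime < ref, "newer": mtime > ref, "equal": mtime == ref}
        if not outcome[cond]:
            return False
    return True


def condition_holds(rule: dict, posture: Posture) -> bool:
    """Whether the rule's raw condition is true on the client, ignoring Access."""
    kind = rule["kind"]
    if kind == "port":
        return rule["port"] in posture.open_ports
    if kind == "file":
        return file_condition(rule)
    if kind == "mac":
        return posture.mac.lower() == rule["mac"].lower()
    if kind == "ip":  # IP network plus mask, e.g. "10.0.0.0/8"
        return ipaddress.ip_address(posture.ip) in ipaddress.ip_network(
            rule["network"], strict=False)
    if kind == "process":
        return rule["process"].lower() in {p.lower() for p in posture.processes}
    raise ValueError(f"unknown rule kind {kind!r}")


def rule_passes(rule: dict, posture: Posture) -> bool:
    """Apply the Access option: a "Must Not ..." option inverts the condition."""
    negated = rule["access"].lower().startswith("must not")
    return condition_holds(rule, posture) != negated


def evaluate(rules: list, posture: Posture) -> tuple:
    """Return (all rules passed, names of the rules that failed)."""
    failed = [r["name"] for r in rules if not rule_passes(r, posture)]
    return (not failed, failed)


def demo() -> tuple:
    """Constructed scenario: a client with RDP listening locally fails one rule."""
    content = b"constructed client configuration\n"
    with tempfile.NamedTemporaryFile("wb", suffix=".cfg", delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        posture = Posture(open_ports={443, 3389}, processes={"av_agent.exe"},
                          mac="00:11:22:33:44:55", ip="10.1.2.3")
        rules = [
            {"kind": "port", "name": "RDP listener closed",
             "access": "Must Not be Open", "port": 3389},
            {"kind": "file", "name": "Config present", "access": "Must Exist",
             "file": path, "hash": hashlib.sha256(content).hexdigest(),
             "date_condition": "newer", "modified": datetime(2014, 12, 1)},
            {"kind": "ip", "name": "Corporate address", "access": "Must be Valid",
             "network": "10.0.0.0/8"},
            {"kind": "process", "name": "AV agent running",
             "access": "Must be Run", "process": "AV_Agent.exe"},
            {"kind": "mac", "name": "Known adapter", "access": "Must be Valid",
             "mac": "00:11:22:33:44:55"},
        ]
        return evaluate(rules, posture)
    finally:
        os.unlink(path)
```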
25.2 Assigning the HOB Compliance Check to a Role

Now that the HOB Compliance Check is configured, it needs to be assigned to the users as part of their roles. To do this, in the HOB WSP configuration interface select the desired role from the hierarchy on the left. In this example, the role User has been selected. Now on the Requirements > General tab you can see the following:

Figure 15: HOB WSP Configuration - Compliance Check – Assigning to User Roles

On this tab are the following fields:

Compliance Check – select the configured Compliance Check (here Compliance Check has been selected) from the dropdown box.
Priority – assign the required priority (from 1, the lowest, to 100, the highest) to this compliance check. If multiple compliance checks apply to a role, the checks are carried out in order of priority, the highest first.
High Entropy – checked by default, this enables the use of high entropy for greater security when running the compliance check.

25.3 Using the HOB Compliance Check

The HOB Compliance Check is intended to be an extra layer of security that can be added to the authentication of the user. It is also used when authorizing a user to their role and their permissions within the system.

Anti Split Tunnel

The Anti Split Tunnel restricts systems to using connections that go exclusively through the PPP Tunnel; all other connections are blocked. Administrators can also configure resources and functions of HOB RD VPN on security grounds to use only the HOB PPP Tunnel, via the Windows Firewall on the client. This is not a function of HOB RD VPN, so it must be done manually.

For access to a public network, the user must first close the connection to the corporate network.
For those users who require access to a public network while working in their local network, the Anti Split Tunnel is not enabled by default. It must be enabled by the administrators.

Anti Split Tunneling is a utility that functions only with Microsoft Windows systems. Exceptions to Anti Split Tunneling can be configured by the administrator with regard to the local network, DNS servers and dedicated servers or hosts. This utility runs as a service on your PC and, if activated, is an essential condition for HOB RD VPN to work, increasing the security of your system.

Before Anti Split Tunneling can be used, the Anti Split Tunnel utility must be installed on the client. If this service is not running, the user automatically receives information on how to install it when logging on to HOB RD VPN. Administration rights are required for the installation of this service on the client system.

26 HOB Target Filters

Target filters give the administrator of HOB RD VPN a flexible and granular means of access control. A target filter in HOB RD VPN is a combination of one or more “Allow” or “Deny” rules that enable you to restrict the access of the users to certain connection targets in the corporate network. After configuring a target filter you can assign it to a role.

Target filters have an effect on the following connections:

Web Server Gate
PPP Tunnel
SOCKS

Any connections that are defined in the Outgoing Connections of the HOB WebSecureProxy are not affected by the Target Filters.

Figure 1: Using Target Filters - a Typical Scenario

26.1 Configuring Target Filters

To activate a target filter, you have to perform the following configuration steps:

Adding a target filter
Editing filter rules

The target filter must then be applied to a user role for it to be used.
26.1.1 Adding a Target Filter

The following steps show you how to add a new target filter:

1. Start the HOB RD VPN WebSecureProxy configuration program.

2. Click the Target Filters item in the left-hand pane. This screen is displayed:

Figure 2: HOB WSP Configuration - Target Filters

3. Click the Add button at the bottom of this screen. A new target filter scheme called Target Filter(1) is created (you may change this default name as you require).

Figure 3: HOB WSP Configuration - Target Filter Settings

4. Enter a name of your choice for the new target filter in the Name field, such as Example Target Filter. Every new target filter already contains one default rule, shown highlighted in the example dialog above. The default rule denies all connections, meaning that no connection targets are currently accessible with this target filter. Now create at least one additional rule; use the Add button to do so.

5. When you click the Add button, the Add Rule dialog appears.

Figure 4: WSP Configuration - Adding a Rule

The Add Rule dialog consists of the following fields:

Action – check either Allow or Deny.
Allow - makes the connection to a connection target possible
Deny - prevents a connection being made

A combination of several Allow and Deny rules allows you to create a target filter that accurately controls access to your network resources. Whenever HOB RD VPN is requested to open a connection, the rule stack is processed beginning with the first rule. As soon as a request matches a filter rule, the rule is executed (Allow or Deny) and the processing of the rule stack stops. If the rule does not match, the next rule in the stack is checked, and so on. When no rule matches, the default Deny rule at the bottom of the stack is performed.
DNS name – In the DNS name field you can enter the DNS name of a connection target, for example www.mycompany.example.com. If flexibility is required and you intend to specify an IP block, leave this field empty and enter the desired data in the IP network field.
IP network – In the IP network field you can enter either a single IP address in dotted decimal notation, such as 100.100.10.1, or an IP block in IP/CIDR notation, such as 100.100.10.1/30 (enter the suffix in the small field on the right).
Protocol – The Protocol dropdown list specifies the protocol to which the current filter refers. Every rule allows the setting of only one protocol. If you want to allow or deny another protocol, you have to create an additional rule (the Custom Protocol entry field is active only if Other has been selected as the protocol).
Ports – You can create a list of ports that are allowed or denied for the connection by this rule.
Arrow - use this to add a port number to the list of allowed ports
Delete - remove an existing port from the list

It is recommended that not only TCP and UDP ports are released. You may also allow ICMP / ICMPv6 to ensure the immediate assignment of the IPv6 address of the HOB PPP Adapter. When using IPv6, there can be problems when the ICMPv6 (0x3a) protocol is disabled; this can delay the assignment of the IPv6 address of the PPP adapter. With the activation of the ICMPv6 protocol, the IPv6 address of the PPP adapter is assigned immediately.

6. Click Add to add the currently edited rule to the list of target filter rules. The default rule always remains the lowest rule and is not editable.

7. If desired, you can change the order of the rules by using the Up or Down buttons on the right side of the Target Filter panel. Note that you cannot move the default rule from the lowest position of the filter rule stack.
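The first-match processing of the rule stack described in step 5, including the effect of the rule order set in step 7, as an added example in Python (not HOB's code): the Rule and Request classes, the field names and the sample filter are assumptions of this example.

```python
"""Added example, not HOB's code: first-match evaluation of a target filter
rule stack as described in Section 26.1.1.

Each rule carries an Action (Allow/Deny), exactly one protocol, an optional
port list (empty means any port) and either a DNS name or an IP network in
IP/CIDR notation (neither means any target). The stack is processed from
the top; the first matching rule decides and the built-in Deny rule at the
bottom applies when nothing matches. The Rule/Request classes, field names
and the sample filter are assumptions of this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "Allow" or "Deny"
    protocol: str                     # "TCP", "UDP", "ICMPv6", ...
    dns_name: Optional[str] = None    # connection target by DNS name
    ip_network: Optional[str] = None  # single address or IP/CIDR block
    ports: List[int] = field(default_factory=list)  # empty: any port


@dataclass
class Request:
    """A connection request as seen by the filter (constructed)."""
    protocol: str
    port: Optional[int]               # None for port-less protocols (ICMPv6)
    dns_name: Optional[str] = None
    ip: Optional[str] = None


def rule_matches(rule: Rule, req: Request) -> bool:
    """Protocol and port must agree; then the target field, if set, must match."""
    if rule.protocol.lower() != req.protocol.lower():
        return False
    if rule.ports and req.port not in rule.ports:
        return False
    if rule.dns_name is not None:
        return req.dns_name is not None and req.dns_name.lower() == rule.dns_name.lower()
    if rule.ip_network is not None:
        if req.ip is None:
            return False
        net = ipaddress.ip_network(rule.ip_network, strict=False)
        return ipaddress.ip_address(req.ip) in net
    return True  # no target restriction: applies to every target of that protocol


def decide(stack: List[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); (Deny, None) is the default rule."""
    for idx, rule in enumerate(stack):
        if rule_matches(rule, req):
            return rule.action, idx
    return "Deny", None


# Constructed filter: a web server by name, an RDP host block, ICMPv6 as the
# guide recommends, and an explicit Deny for the rest of the /24.
EXAMPLE_FILTER = [
    Rule("Allow", "TCP", dns_name="www.mycompany.example.com", ports=[443]),
    Rule("Allow", "TCP", ip_network="100.100.10.1/30", ports=[3389]),
    Rule("Allow", "ICMPv6"),
    Rule("Deny", "TCP", ip_network="100.100.10.0/24"),
]


if __name__ == "__main__":
    for req in (Request("TCP", 3389, ip="100.100.10.2"),
                Request("TCP", 3389, ip="100.100.10.9"),
                Request("UDP", 53, ip="100.100.10.2")):
        print(req, "->", decide(EXAMPLE_FILTER, req))
```

Moving the Deny rule above the Allow rules with the Up button changes the outcome for the RDP host, which is why the order in the panel matters.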
8. If desired, you can change an existing rule by selecting the rule and then the Edit… button.

9. To save the changes made so far in the configuration, select File > Save from the menu.

When you have added all the filter rules desired, you need to assign the new target filter to a user role (see the next section for more information).

26.2 Using Target Filters

After you have configured a target filter, you can assign it to a user role. Note that you can assign only one target filter to one user role. To assign a target filter:

1. Go to the HOB RD VPN WebSecureProxy configuration program and select the Roles item in the left-hand pane to display the user schemes.

2. Click the desired role, for example Power User.

3. Click the Privileges tab in the right-hand pane and then select the Target Filters tab.

Figure 5: Assigning a Target Filter to the User Role

4. The Target Filter dropdown list contains all target filters that you have already configured. Choose the desired target filter (in this case Company Target Filter) from this list.

5. Select File > Save from the menu to save the changes in the configuration.

27 SSL Identifier

The SSL Identifier is a feature of HOB RD VPN that allows you to accurately identify the initiator of all communications within the system, as well as of all communications that enter the system from outside. In the standard process of communication, an incoming communication arrives at the SSL gateway, the web server responsible for the messages. This web server, the HOB WebSecureProxy, analyses the IP address of the intended destination. It then terminates the external message and initiates a new message from the gateway to the destination. This means that the source of the message received by the destination is the SSL VPN gateway, not the original external source.
As such, the intended final destination cannot always determine the original sender of a message, only that the message came from the gateway.

Figure 1: Standard Deployment - SSL VPN

To counteract this issue, HOB developed the SSL Identifier, which attaches an identification of the sending user to the message; this identification is carried through the gateway into the internal network. This means that the source of each message can be completely and properly identified at all times.

27.1 Configuring the SSL Identifier for the User

The SSL Identifier identifies the source of a communication by user name to the destination target of that communication. To do this, the IP address of that user must be entered under that user's logon and authentication data.

1. Open the HOB RD VPN administration interface and select the user to be assigned the SSL Identifier (in this example User3).

Figure 2: HOB EA Administration - User Settings

2. Use the dropdown box on the right to select User Settings. Click Configure and the following screen is displayed:

Figure 3: HOB RD VPN Administration - Start Screen

3. Now select Personalized IP Addresses > SSL Identifier from the organizational hierarchy on the left, and this screen is displayed:

Figure 4: SSL Identifier - Enter IP Addresses

4. Click Add to enter the IP address with which this user name is to be associated. Multiple IP addresses may be added for each user. These IP addresses are assigned to the user by the system for each transaction in the system, replacing the IP address of the machine that originates these transactions. Use Remove to delete any selected entries from this list.

5. Click Save or Close when finished entering your data.
27.2 Configuring the SSL Identifier for the WSP

Now that the SSL Identifier has been set up, it must be activated and assigned to the users according to their roles through the HOB WSP.

1. To activate the SSL Identifier, open the HOB RD VPN administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.

Figure 5: HOB WSP Configuration - Server Configuration

1. Select the server list for the Outgoing Connection that is to use the SSL Identifier. In the example shown above, the RDP Targets > Windows Terminal Servers server list has been selected.

2. Now select the individual server (or add a new server if needed), in this case Example_RDP_Server.

3. Select the Expert Options tab for this server. The following screen is displayed:

Figure 6: HOB WSP Configuration - Expert Options

4. Check the Use Raw Packet Interface (SSL Identifier) checkbox to activate the SSL Identifier.

5. Now that the SSL Identifier is active for this server, it needs to be assigned to a role.

6. Select the role of those users that are to use the SSL Identifier, in the example below the role PowerUser, and the following screen is shown:

Figure 7: HOB WSP Configuration - Server List for Role

7. In the Settings tab select Privileges > Server Lists and select the server list for this role, in this example the Windows Terminal Servers list.

8. Save the configuration. The SSL Identifier is now active for all communication with the selected server for users with the chosen role.

27.3 Using the SSL Identifier

Each user receives a dedicated, user-specific personal IP address through which they can be traced throughout the system. These personalized IP addresses for the user are stored in a directory service, and can be accessed by the WSP whenever the user logs onto the system.
When a user is created or edited, they can be given an SSL Identifier by the administrator in accordance with the procedure outlined above. The IP addresses that are assigned to the users are created and stored in the directory service for the domain of which the users are members. Individual users may of course be members of multiple domains, so they would need to have multiple SSL Identifier IP addresses assigned to them.

28 Additional HOB Solutions

The following solutions have been developed by HOB but are not delivered with HOB RD VPN. These solutions can be purchased additionally to complement HOB RD VPN, as they add extra functionality and usability according to the needs of your enterprise. They fit seamlessly with all other components of HOB RD VPN.

HOB Remote Desktop Enhanced Services
Enables additional RDP functionality, such as HOB Local Drive Mapping, HOB Audio, etc. HOB Local Drive Mapping is an essential requirement for certain forms of virus checking procedures.

HOB X11Gate
HOB X11Gate 2 provides access to applications residing on UNIX/Linux servers from a Windows Terminal Server Client (TSC) such as HOBLink JWT, running on any platform. Using this solution, both UNIX servers and Windows Terminal Servers (WTS) can be accessed with just one client software.

HOB MacGate
HOB MacGate gives you Remote Desktop access to your Mac computer over a network, either a LAN or the Internet.

28.1 HOB Remote Desktop Enhanced Services

The HOB Remote Desktop Enhanced Services (HOB RD ES) solution comprises a set of features that provide Windows Servers with additional functionality that is not provided by Microsoft.
Features at a Glance:

Optional expansion for HOB RD VPN and HOBLink JWT
Expanded Load Balancing, including large server farms
Enhanced access via HOB Local Drive Mapping
Greater program accessibility with HOB Application Publishing
More usable interface interaction with HOB True Windows
Optimized printer solutions with HOB Printer Port Mapping
Integration of scanners

HOB RD Enhanced Services features are a set of additional functions that can be used with HOB RD VPN for secure remote access to the applications and data in your enterprise network, to make your daily work easier and more efficient.

HOB RD ES consists of several modules that must be installed on the Windows servers in order to obtain this functionality. HOB RD ES provides a snap-in for the Microsoft Management Console (MMC), with which these features can be configured. The snap-in can be installed either on a Windows Server or locally on the administrator workstation. The modules are not all installed automatically, so you can choose which modules you wish to install. There is also an easy-to-use modularized program for when you are planning to install HOB RD ES.

28.2 HOB X11Gate

The HOB X11Gate is a purely software based solution and can be installed centrally on a Linux/Unix server. As HOB X11Gate is as individual a solution as your company itself, it fits perfectly to your individual company IT infrastructure, and no additional hardware is required. HOB X11Gate can be used via an RDP client on any platform (Microsoft Windows, Mac OS, Linux, thin client etc.) for SSL secured, Web based access to company Linux/Unix servers. HOB X11Gate also enables access for multiple users simultaneously.

HOB has developed HOB X11Gate as the solution for access to Linux machines using HOB Desktop-on-Demand. This solution translates the X11 (X Window System) protocol into RDP, which is required for Desktop-on-Demand.
HOB recommends using the HOB RDP clients HOBLink JWT or HOBLink iWT, or the standard Microsoft Windows RDP client. HOB X11Gate provides 128 bit RDP encryption for highly secure connections.

Features at a Glance:

Performant connections at very low bandwidth
Multi-session capability: simultaneous access for multiple users and multiple connections
Support of multiple keyboard layouts
Web based administration portal
Reconnection of disconnected sessions
Support of OpenGL applications on Linux/Unix servers using emulation
IPv4 and IPv6 capability
RDP encryption up to 128 bit
Enhanced security features in combination with HOB RD VPN

28.2.1 System Requirements for HOB X11Gate

There are a number of components required for the installation of HOB X11Gate. These are as follows:

X11 Server System

The server side must have one of the following supported 64 bit Linux/Unix distributions as the operating system:

SUSE Linux Enterprise Server 11
CentOS Release 6.5
Ubuntu 12.04 LTS
Red Hat Enterprise Linux Server 6.5

Installation with a Java Virtual Machine: JVM Version 1.7 (or later)

Hardware requirements:

Processor with minimum 1 GHz
At least 1 GB RAM
250 MB free hard disk space

Client System

The following RDP clients are supported:

HOBLink JWT
HOBLink iWT
MS Remote Desktop Connection

28.3 HOB MacGate

HOB MacGate gives you Remote Desktop access to your Mac computer over a network, either a LAN or the Internet. This access is possible from every client platform: Windows PC, Linux PC, thin client or even another Mac. All components and elements of the Mac user interface, such as the menu list, dock, icons and the program windows, are fully functional in the Remote Desktop session. Many users work on a Windows PC as well as a Mac, so HOB MacGate fully integrates both of these systems.
HOB MacGate delivers access from the client side via an RDP client, achieving high-performance connections across all Java-compatible platforms. The Remote Desktop Connection client application from Windows can also be used. HOB MacGate is the secure solution for remote access to a Mac computer over the Internet. It requires only HOB RD VPN and the HOB WebSecureProxy, and because the window with the Remote Desktop is launched through a browser, you do not need to install any software on the client computer.

Features at a Glance:

Remote Desktop access using RDP protocols
Open the desired Mac applications remotely while working in your PC environment
Access by RDP client (for example Microsoft Remote Desktop Connection or HOBLink JWT)
IP port configurable for each access
Support of the RDP security procedures
Logging of HOB MacGate messages
Synchronization of remote and local screen resolutions
Copy and paste of text in both directions
Support of multiple country-specific keyboards

28.3.1 Installation

For the installation of HOB MacGate on a Mac there is an easy-to-use installation program. HOB MacGate installs itself on the Mac as an application that runs in the background (as a daemon) and waits for access from a client. A simple icon in the system control panel means that HOB MacGate can be configured by using a standard dialog.
28.3.2 System Requirements for HOB MacGate

There are a number of components that are required for the installation of HOB MacGate:

Mac Server System

The operating system Mac OS X 10.4 or later
A processor with a minimum of 1 GHz
A minimum of 256 MB RAM is recommended

Client System

Supported RDP clients running on each system
An RDP client, either HOBLink JWT or Microsoft Remote Desktop Connection (MSTSC), must be installed and configured

29 Security Checks

29.1 Server

Secure Web servers are a very important requirement for web-based applications such as HOB RD VPN. A protected Web server configuration plays a decisive role in your network security. Poorly configured virtual directories or careless mistakes can facilitate unauthorized access. A forgotten authorization can become a welcome backdoor for an attacker, or an overlooked port can enable direct access from outside. Neglected user accounts enable attackers to surreptitiously circumvent your security measures.

To make your server secure, you must first determine the level of security needed. Once this has been determined, you can proceed to configuring the desired security level. This section will help you to approach this problem systematically. Follow the steps below to secure your server:

Restrict user rights
Access to the computer settings and those of its directories must be restricted to administrators alone.

When using the HOB WSP Web Server
Deactivate or terminate any other installed Web Server.
Deactivate or terminate any other remote access, e.g. FTP.
Protect the HOB RD VPN directories
The following sub-directories containing configuration data have to be protected from unauthorized access:

Sub-Directory   Contents
/portal.db      Enterprise Access database configuration data
/sslsettings    SSL certificate (HOB Certificate files)
/sslpublic      SSL certificate (HOB Certificate files – for optional client authentication)
/wsp            HOB WSP configuration data

Table 1: Sub-Directory Contents

Secure TCP/IP connections
- Firewall
- Ports
- SSL

29.2 Firewall

A firewall is used, for example, to block unused ports and to allow data traffic to pass only over authorized ports. To do this, it must be able to monitor incoming queries in order to protect the Web server from known attack types. A firewall is a useful tool to detect and defend against attacks, and to discover their source.

29.3 Ports

Services that are executed on the server use specific ports to listen for incoming queries. Close all unneeded ports and check regularly whether any new ports in listening status are detected. These could indicate unauthorized access and a security risk. To determine which ports are listening, i.e. are currently open, run the following command in the command line:

netstat -n -a

This displays a list of all ports with their accompanying addresses and current status. Make sure that you know every service listening at a port, and determine whether these services are necessary. While doing this, limit the number of Internet-side ports (for further information, see the following section) and encrypt or restrict your data traffic.

29.3.1 Restrict Internet-Side Ports to TCP 80 and 443

Restrict incoming data traffic for HTTP to port 80. For HTTPS (SSL), restrict incoming data traffic to port 443. For outgoing (internet side) Network Interface Cards (NIC), you should use only TCP filters.
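The regular listening-port check recommended above, as an added example in Python (not part of the guide): it parses constructed netstat -n -a output in Windows layout and reports every listening socket whose port is outside the Internet-side set of TCP 80 and 443; the sample output, the INTERNET_ALLOWED set and the parser's assumptions about the output layout are this example's own.

```python
"""Added example, not part of the guide: parse "netstat -n -a" output and
flag listening ports outside the Internet-side set recommended in Section
29.3.1 (TCP 80 and 443). The sample output below is constructed in the
Windows layout of netstat; the INTERNET_ALLOWED set and the parser's
assumptions about that layout are this example's own."""
import re
from typing import List, Set, Tuple

INTERNET_ALLOWED = {80, 443}

# Constructed sample of "netstat -n -a" on a Windows host (not real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         198.51.100.7:51022     ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:1812           *:*
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output: str) -> Set[Tuple[str, int]]:
    """Return {(proto, port)} for TCP sockets in LISTENING state and all bound UDP sockets."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or time-wait rows are not listeners
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:80 and [::]:443
        found.add((proto, port))
    return found


def unexpected_ports(netstat_output: str, allowed=INTERNET_ALLOWED) -> List[Tuple[str, int]]:
    """Listening sockets whose port is not in the allowed set, sorted for reporting."""
    return sorted(p for p in listening_ports(netstat_output) if p[1] not in allowed)


if __name__ == "__main__":
    for proto, port in unexpected_ports(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")
```

Run against the real command output on the server, the report is the list to reconcile with the services you know about; for an intranet-facing interface, pass the intranet port set as allowed instead.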
29.3.2 Overview of Port Assignments for Internet/Intranet

This table contains a list of the ports currently assigned by default to specific servers.

Network    Port Number   Port Function
Internet   443           HTTPS
           80            HTTP/HOB HTTP Redirector
Intranet   3389          Remote Desktop Server
           23            Host (3270, 5250, VT etc.)
           1812          RADIUS Server
           389           LDAP Server
           636           LDAP Server (SSL)
           13282         HOB WSP Agent

Table 2: Port Assignments

29.4 Logging

HOB RD VPN has a monitoring function in the form of a Logbook that records, for example, faulty logons, error messages that were displayed, timed out logon attempts, etc. It can also be configured so that it automatically informs the responsible administrator of any events via e-mail.

30 HOB RD VPN Evaluated for Common Criteria

30.1 Information on Common Criteria

This chapter describes the different aspects of the CC / EAL4 evaluation of HOB RD VPN. It describes tasks and requirements that must be fulfilled to satisfy the HOB RD VPN Security Assurance Requirements and to operate HOB RD VPN in compliance with the evaluation requirements. A Common Criteria compliant use of HOB RD VPN is ensured only if you fully read, understand and follow the procedures laid out in the following sections.

The following instructions provide you with an installation quick guide according to the CC evaluation of HOB RD VPN (EAL 4). This chapter takes precedence over any other chapter in case there is a conflict. More information can be found in the corresponding chapters describing each item. Please make sure to strictly follow the instructions, and do not hesitate to contact HOB if there is a doubt about any of these steps.

Related to the Common Criteria Certification, HOB has developed a process to perform Flaw Remediation. This is a set of activities that is defined and operated to ensure the identification, categorization and correction of any security flaw.
For more information on this topic, please see Chapter 31 Flaw Remediation.

The CC evaluated installation includes the following 3 components:
- HOB WebSecureProxy
- HOBLink JWT (including Webstart Module)
- HOBLink Security Manager

All 3 components include the HOBLink Secure SSL Software Module. The HOB WebSecureProxy uses the following 2 ServerDataHooks:
- ServerDataHook: WebServer (including Web Server Gate)
- ServerDataHook: Client Configuration

A complete list of all components and their release version numbers is included in this installation of HOB RD VPN and can be found in the file RDVPN_Component_Info.txt, included in the HOB RD VPN installation media. Version details of the current evaluated releases of HOB RD VPN and their components can be found on the HOB website. The URL of the relevant website is included together with the license information that is delivered as part of the HOB RD VPN installation upon purchase.

This table lays out the steps that are to be followed to conform to the EAL4 evaluation for Common Criteria security:

1. Read about the product and how it is to be used. For more information please see Chapter 1 Introducing HOB RD VPN.
2. Read the license agreement. If you do not accept the license agreement, you are not allowed to install or run HOB software.
3. Make sure that the assumptions specified in Section 30.2 Security Objectives for the Operational Environment are valid.
4. Check the integrity of your installation media using the mechanism described in Section 30.3 Delivery Accuracy Check.
5. Refer to Section 30.4 Consequences of Misconfiguration if you have any issues while following these instructions.
6. Make sure you have a valid environment for the installation, see Section 30.5 System Requirements for more information.
7. Install HOB RD VPN on the server machine, see Chapter 4 HOB RD VPN Installation. The HOB WebSecureProxy (HOB WSP) is installed automatically as part of the HOB RD VPN installation. Please note that the installation of HOB RD VPN is processed differently in two installation dialogs for CC and for non-CC conformity (see Chapter 4 HOB RD VPN Installation). The standard non-CC conforming access for the HOB WSP and the targets known to the HOB WSP must not be entered during the installation process, but instead entered only after a manual configuration. See step 10, Configure HOB RD VPN and the HOB WebSecureProxy, below in this table for more information.
8. The HOB WSP must be stopped manually, see Section 33.2 Manually Stopping and Starting the HOB WSP.
9. Install the HOBLink Security Manager on a dedicated machine without any network connection. See the HOBLink Secure Administration Guide for more information on this topic.
10. Configure HOB RD VPN and the HOB WebSecureProxy. See Section 30.8 Achieving Trustworthy Encryption to obtain a valid Common Criteria configuration. See Chapter 36 XML Configuration for the HOB WebSecureProxy for more information on this topic. See Section 4.2 Prerequisites for Installation – Single Node and Cluster for the valid port numbers to be made visible from the internet.
11. Generate a set of certificates using the Auto Wizard in the HOB Security Manager. See Section 30.9.1 Using HOBLink Security Manager for more information. The result of this process is a set of configuration files (also known as HOBLink Security Units) for HOB WSP that conforms to CC requirements. Important: The procedure described in Section 6.2.9 Global Administration Screen – Certificates must not be used.
12. Select whether TLS protocol 1.1 and/or 1.2 is to be used on the client machines and ensure the browsers to be used can support these protocols. These are the only protocols that can be used in an evaluated environment.
13. Copy the newly generated HOBLink Security Units to the destination folders within the HOB RD VPN installation according to Section 33.1 Adding Certificates and HOBLink Security Units to the HOB WSP.
14. Perform the Scheme Extensions for the external LDAP system that hosts your HOBLink JWT and user-specific HOB Web Server Gate configurations. See Section 10.2 Configuring HOBLink JWT for more information. Concerning the use of LDAP as the Authentication Service, see Section 30.6.3 Notes on Certified Components.
15. Configure HOBLink JWT. See Chapter 35 XML Configuration for HOBLink JWT for more information.
16. The HOB WSP must now be started manually, see Section 33.2 Manually Stopping and Starting the HOB WSP.
17. Inform the users about their necessary cooperation; please see Section 30.7 User Workshops and Schooling.

Table 1: Steps for Certification

Creating and modifying any configuration with the GUI tools, such as the HOB RD VPN WebSecureProxy configuration program, is not part of the CC certification, although the GUI tools may also be used. In the case of the HOB WSP configuration the administrator is strongly recommended to manually check whether the configuration has the correct contents before the server is put into production. To do this, use the parameter list of the wsp.xml file (see Chapter 36 XML Configuration for the HOB WebSecureProxy for this information) as a reference. You can also check that the HOBLink JWT and HOB Web Server Gate configurations for your users are correctly defined by using an LDAP browser. Please contact HOB software support if you have any problems or questions regarding these procedures.

30.2 Security Objectives for the Operational Environment

As the competent and trained administrator of HOB RD VPN within your company, you are responsible for the operational environment of your company.
You and your administrator colleagues need to be competent and trustworthy individuals capable of managing HOB RD VPN and the security of the information it contains. You cannot be careless, willfully negligent, or hostile, and must be able to follow and abide by the instructions provided in this Administration Guide. Similarly you should ensure that the users of your system are also not careless, willfully negligent or hostile and that they abide by and follow the instructions given by you, the administrators.

You are also responsible that remote trusted IT systems providing the functions required by HOB RD VPN are sufficiently protected from any attack that may cause those functions to provide false results. In addition you must ensure that these systems, which should also include intrusion and denial-of-service detection systems, are installed and configured as specified in this document.

As the competent and trained administrator of HOB RD VPN you must establish and implement procedures to ensure that information is protected in an appropriate manner. In particular you need to ensure that:

- All of your network and peripheral cabling is suitable for the transmission of the most sensitive data held by the system, and that these physical links are adequately protected against threats to the confidentiality and integrity of the data transmitted.
- Your users are authorized to access those parts of the data managed by HOB RD VPN, receiving the necessary authorization and access information (username and password) from the administration department, and are trained to use HOB RD VPN in a secure manner in a benign environment, cooperating fully with their fellow users and administration staff. With this last point in mind, you should ensure that the following Section Important Information for Remote Users is printed out and distributed to each of the authorized users of your company.
- Any connection between untrusted users of your system and the protected resources of your web servers and Remote Desktop servers is established via the HOB WSP. You must ensure that only authorized users can access the resources protected by HOB RD VPN.
- The procedures you use to ensure that the hardware, software and firmware components of the system are distributed, installed and configured in a secure manner supporting the security mechanisms provided by HOB RD VPN are properly established and implemented.
- You protect those parts of HOB RD VPN critical to the enforcement of the security policy from any physical attack that might compromise IT security objectives. This protection must be commensurate with the value of the IT assets protected by HOB RD VPN.
- You destroy the RSA keys that are maintained with the HOBLink Security Units as soon as they are no longer needed. See the HOBLink Secure Administration Guide, Chapter Certificate Management for more information on this topic.
- You must ensure that all security updates for the software involved (operating system, Java, application software, etc.) are regularly checked and kept as up to date as possible.
- The server components must be installed on a physical, true hard disk to avoid the depletion of the system device file /dev/random and to ensure that this system file has sufficient data.
- You install the Security Manager tool on a separate machine that is not physically connected to any network, and that the HOBLink Security Units generated by this tool are transferred securely to the HOB WSP. Ensure that the operation of the HOBLink Security Manager, as well as the system and the operating system where it is installed, is adequately protected in terms of restricted physical access and disabled network access.
- You must be aware that the secure operation of HOB RD VPN strongly relies on the integrity of the certificates and the cryptographic keys that are generated by the HOBLink Security Manager.
- You install and configure the operating system, the Java Virtual Machine, and the web browser in accordance with this HOB RD VPN Administration Guide and that these mechanisms operate as specified. Also make sure that only the software specified here is used as the underlying platform to ensure that the correct date and time information is available.
- The HOB WebSecureProxy is installed on a separate machine without unprivileged users having local access and that does not host any productive relevant services, such as database servers or alternative web servers, in addition to the software that is provided through the HOB product installation. The logical access to this machine is restricted to authorized administrators.
- The LDAP server must implement all required functionality, in particular correctly performing the Identification & Authorization of a user who is attempting to make a connection to your network. This decision is resolved through a request by the WSP via an LDAP-bind operation to the LDAP server. The LDAP server must be under the same management control with the same security policy constraints and the same level of physical security as the HOB WSP.
- Any connection between an untrusted network and the protected resources of web and Remote Desktop servers must be established via the HOB WSP over the appropriate architecture.
- Those responsible for the HOB WSP must ensure that those parts of the HOB WSP responsible for security policy enforcement are protected from physical attack, a protection commensurate with the value of the IT assets protected.
- You must ensure that the LDAP server storing the user credentials used by the HOB WSP to authenticate users effectively protects user credentials against brute force attacks. The following measures are effective and should serve as guidelines:
  o The password used by each user for access to their user accounts must have a complex structure and be of sufficient length to ensure a sufficiently high level of security for the user accounts. The use of uppercase and lowercase letters, numbers and special characters in passwords is imperative. The password length must be a minimum of 10 characters, but 12 or more characters is recommended. The password for the global administrator must, in particular, satisfy these very high standards. The details of what constitutes a valid password must explicitly be made known to the users. This information must be communicated to the users by referring to the item covering their Logon information in Section Important Information for Remote Users.
  o Furthermore, the LDAP system with which the user authentication is implemented must be capable of recognizing consecutive failed login attempts and preventing any further login attempts once a fixed number of attempt failures has been reached. The number of unsuccessful login attempts (with wrong passwords) before the user is locked out should be between approximately 5 to 15 consecutive attempt failures. If a locking of the account is to be performed, the LDAP server could generally perform the following actions:
    1. A complete lock of the account, so that only the Global Administrator can free it again;
    2. An enforced delay on authentication of several seconds after each failed login, with a greater number of attempts allowed before the account is completely locked;
    3. An enforced delay on authentication of several minutes (up to 1 hour or more) after the account is locked until it is freed automatically.
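The password structure and lockout guidelines above, modelled as an added example (not HOB code and not part of any LDAP server): a password check with the stated minimum length and character classes, and a lockout tracker that implements the three account-locking options. The threshold, per-failure delay and auto-unlock period are assumptions chosen inside the ranges the guideline gives, so an administrator can test a proposed policy offline.

```python
"""Added example, not HOB code: models the LDAP-side password and lockout
guidelines of Section 30.2 so an administrator can test a proposed policy
offline. Threshold, delay and auto-unlock values are assumptions chosen
within the ranges the guideline gives."""
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_LENGTH = 10                   # guide: minimum password length
RECOMMENDED_LENGTH = 12           # guide: recommended length
LOCKOUT_MIN, LOCKOUT_MAX = 5, 15  # guide: lock out after roughly 5 to 15 failures


def password_violations(pw: str) -> list:
    """Hard rules from the guide: length and all four character classes.
    Returns an empty list when the password satisfies them."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    required = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "special": lambda c: c in string.punctuation,
    }
    for name, test in required.items():
        if not any(test(c) for c in pw):
            findings.append("no %s character" % name)
    return findings


def password_meets_recommendation(pw: str) -> bool:
    """True when the password has no violations and also reaches the
    recommended 12 characters."""
    return not password_violations(pw) and len(pw) >= RECOMMENDED_LENGTH


@dataclass
class LockoutPolicy:
    """The three locking behaviours listed in the guide:
    'lock'  - option 1: locked until the Global Administrator frees it
    'delay' - option 2: growing delay after each failure, then a full lock
    'timed' - option 3: locked, then freed automatically after unlock_after"""
    threshold: int = 10            # assumption, inside the 5..15 guideline
    mode: str = "lock"
    delay_seconds: float = 2.0     # assumption: per-failure delay ('delay' mode)
    unlock_after: float = 3600.0   # assumption: auto-unlock period ('timed' mode)

    def __post_init__(self):
        if not LOCKOUT_MIN <= self.threshold <= LOCKOUT_MAX:
            raise ValueError("threshold must be between 5 and 15 failures")
        if self.mode not in ("lock", "delay", "timed"):
            raise ValueError("mode must be 'lock', 'delay' or 'timed'")


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None   # time of lock-out, None when not locked


class LockoutTracker:
    """Counts consecutive failed logons per user and applies the policy.
    Times are passed in explicitly so behaviour is reproducible."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def check(self, user: str, now: float) -> Tuple[str, float]:
        """Decision before an attempt: ('allow', 0.0), ('delay', seconds) or
        ('locked', seconds until automatic release, -1.0 if admin only)."""
        st = self._state(user)
        if st.locked_at is not None:
            if self.policy.mode == "timed":
                remaining = st.locked_at + self.policy.unlock_after - now
                if remaining > 0:
                    return ("locked", remaining)
                self.accounts[user] = AccountState()     # freed automatically
                return ("allow", 0.0)
            return ("locked", -1.0)
        if self.policy.mode == "delay" and st.failures > 0:
            return ("delay", self.policy.delay_seconds * st.failures)
        return ("allow", 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Register a wrong password; True when this failure locks the account."""
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.policy.threshold and st.locked_at is None:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str) -> None:
        self.accounts[user] = AccountState()      # a good logon resets the count

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()      # Global Administrator frees it
```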
In this case, HOB recommends that a reasonable balance is found based on the different measures that are already installed and already widely accepted and used by the users.

These objectives are designed to counter and eliminate the threats faced by security issues, and also to complement the policies developed to ensure a safe and secure environment for the data contained within the system.

30.3 Delivery Accuracy Check

To enable a secure delivery from HOB to the customers, HOB uses a private third party parcel service to deliver the HOB software. This avoids the chance of the delivery being delayed or intercepted. Nevertheless, in spite of the efforts made to choose reliable parcel services for software delivery, HOB actually has no influence on the software once it has left the company premises.

30.3.1 HOB Software Distribution Check

To ensure that you receive the product in exactly the same condition in which it was shipped, the HOB Software Distribution Checker (a small Java tool) has been placed on the HOB website. It calculates a hash value of the CD contents and compares it with a reference value for the CD that is known to the tool on the HOB web server. The tool can be found on the HOB website, under this link: http://www.hobsoft.com/support/support.jsp, and then follow the link to the HOB Software Distribution Checker itself. The address for this link is: https://ftp.hob.de/tools/distribcheck/auto.html. A Java version of JRE 1.4 or higher must be installed in your browser to run this tool.

It is a good security measure to always check that a valid certificate for this website is used. This can be done as follows:

1. Launch your chosen internet browser and click the HTTPS secure icon in the address bar of the site you wish to enter, which should resemble this symbol (the exact appearance of this symbol depends on the browser used): [HTTPS secure icon]
   This launches the validity check that is performed automatically by the browser in the background for each website you attempt to access. This validity check examines the name of the destination server and confirms that the site being accessed is approved by the certificate authority.
2. The browser will then display a dialog (the actual dialog is dependent on the browser being used; the one shown here is from Microsoft Internet Explorer) that indicates whether the certificate has been accepted as valid or rejected. This dialog is for a valid certificate:
   Figure 1: Website Validity Check – Valid Result
   If the site is rejected as invalid because the name is wrong or the site is not trusted, you will see something like this (the screenshot below is from an Opera browser):
   Figure 2: Website Validity Check – Invalid Result

If everything is secure, then you can proceed with the HOB Software Distribution Check. If the certificate is not shown to be secure, in general you should not use it. In this case, when using the HOB Software Distribution Checker you should verify whether the list of trusted certificates in your browser is up to date.

Any HotFix that you wish to install also needs to be checked with the HOB Software Distribution Checker. Extract the Zip files for any HotFix into an empty directory and then run the HOB Software Distribution Check on this directory.

30.3.2 Perform a HOB Software Distribution Check

To perform the software distribution check you will need an up-to-date browser with the Java plugin. Point your browser to the specified internet site containing this Java tool, namely: https://ftp.hob.de/tools/distribcheck/auto.html. The software checker prompts you to specify the root node of the CD or DVD to be checked. The HOB Software Distribution Checker GUI dialogs that you will see are shown here, as follows:

Figure 3: Software Distribution Check – Start

Click the Select Folder button to specify the folder where the HOB software is stored. The HOB Software Distribution Checker then reads the complete structure below the node and computes a hash value of the complete content. In this way every single file, file name and file location within the structure is taken into consideration. The software checker uses the information provided by this file to find the reference hash value in its database.

Figure 4: Software Distribution Check – Result

The result of the comparison is shown along with the identified software name and version as well as the calculated hash value (in hex and bubble babble code). The possible results are either Successful, in which case the following text is displayed:

   The checked HOB Software (software name entered here) has proven to be a legitimate version.

In this case you can be sure that the obtained software 100% matches the software produced by HOB and has not been manipulated. Or the result is Erroneous, when this text is displayed:

   The result of checking the HOB Software (software name entered here) did not verify its data integrity (see Help)!

In this case you have obtained software that has errors. These errors may be simply errors of the storage media (if software is provided on CD) or errors that have occurred during the data transfer (if the software is downloaded). In severe cases, however, the data may have been manipulated by a third party.
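An added example, not the HOB Software Distribution Checker itself (HOB's hashing scheme and reference database are not reproduced here): a stand-in check that hashes every file, file name and location below a root node into one digest, compares it with a reference value, and reports the digest in hex and in bubble babble as the checker does. The tree hashing scheme, the sample tree and the tamper step are constructed for this example.

```python
"""Added example, not the HOB Software Distribution Checker: a stand-in
integrity check with the properties Section 30.3.2 describes (every file, file
name and location below the root node feeds one hash; the digest is shown in
hex and bubble babble). The hashing scheme and the sample tree are constructed
here; HOB's own scheme and reference database are not reproduced."""
import hashlib
import os
import tempfile

# Bubble Babble alphabet (Huima's encoding, as used for SSH key fingerprints)
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode bytes in Bubble Babble, the second form in which the checker
    displays a hash value. Implements the full encoding with its running seed."""
    seed = 1
    out = ["x"]
    pairs = len(data) // 2
    for i in range(pairs + 1):
        if i < pairs or len(data) % 2:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i < pairs:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # even length: the final tuple carries only the seed
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def tree_digest(root: str) -> bytes:
    """SHA-256 over all regular files below root in sorted order: each entry is
    the relative path plus length-prefixed content, so adding, removing, moving,
    renaming or altering any file changes the digest (constructed scheme)."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                        # deterministic traversal
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").encode()
            with open(full, "rb") as f:
                data = f.read()
            h.update(b"%d:%s\0%d:" % (len(rel), rel, len(data)))
            h.update(data)
    return h.digest()


def check_distribution(root: str, reference_hex: str) -> dict:
    """Compare the computed digest with the reference and report it the way the
    checker does: Successful or Erroneous, with hex and bubble babble forms."""
    digest = tree_digest(root)
    return {
        "hex": digest.hex(),
        "bubble_babble": bubble_babble(digest),
        "result": "Successful" if digest.hex() == reference_hex.lower() else "Erroneous",
    }


def build_sample_tree() -> str:
    """Constructed sample installation folder (not HOB's media layout)."""
    root = tempfile.mkdtemp(prefix="distribcheck_")
    os.makedirs(os.path.join(root, "wsp", "conf"))
    files = [("RDVPN_Component_Info.txt", b"sample component list\n"),
             ("wsp/conf/wsp.xml", b"<roles/>\n")]
    for rel, content in files:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


def tamper_sample_tree(root: str) -> None:
    """Simulate a transfer error or manipulation: append bytes to one file."""
    with open(os.path.join(root, "wsp", "conf", "wsp.xml"), "ab") as f:
        f.write(b"<!-- altered -->\n")


if __name__ == "__main__":
    root = build_sample_tree()
    reference = tree_digest(root).hex()   # in practice the vendor's reference value
    print(check_distribution(root, reference))
    tamper_sample_tree(root)
    print(check_distribution(root, reference)["result"])
```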
If you receive an Erroneous result from the HOB Software Distribution Check, there is a security issue with an element of your HOB RD VPN installation and you must report it as soon as possible to HOB. The issue can then be evaluated by the HOB development department.

HOB RD VPN requires you to conduct an integrity check to verify the proper condition of the product. HOB has no influence on the actual actions of the delivery service or any of the customers once the product has been shipped, however, so it is the responsibility of you as the administrator to perform the required integrity check.

30.4 Consequences of Misconfiguration

HOB RD VPN was designed to prevent configuration errors from compromising security. It may be, however, that certain errors arise not from misconfiguration but from the environment in which the system is operating. If this is the case, you will need to contact HOB directly to solve any problems caused by these environmental hazards. HOB WebSecureProxy, the core component of HOB RD VPN, in particular fails to operate if a configuration file contains logical errors. In such cases the appropriate error codes are provided either on the console or in the system log file.

In greater detail, improper configuration can have the following consequences as shown in this table:

Component: Security Manager
Configuration Error: Workstation for Security Manager has incorrect real time clock settings
Consequence: Certificates may be unusable
Detection / Correction: Recreate and redistribute HOBLink Security Units.

Component: Security Manager
Configuration Error: Weak cryptographic settings (cipher suites) were chosen for the SSL sessions.
Consequence: The overall security of the solution can be compromised
Detection / Correction: This can only be detected by manually checking the settings in the HOBLink Security Units

Component: Security Manager
Configuration Error: Workstation for Security Manager is not isolated from the productive environment (for example from the LAN)
Consequence: The overall security of the solution can be compromised, in particular the server HOBLink Security Units can be revealed by attackers
Detection / Correction: Check the network configuration

Component: WebSecureProxy
Configuration Error: There is a mistake in the XML configuration file structure
Consequence: The HOB WSP fails to operate
Detection / Correction: Appropriate error codes are provided in the system log file – Identification of the problem is of the highest importance

Component: WebSecureProxy
Configuration Error: Server has accessible maintenance hooks such as telnet or RDP capability
Consequence: The overall security of the solution can be compromised
Detection / Correction: This can only be detected by manually checking the settings of the server OS. All ports except the listen ports of HOB RD VPN should be closed and the machine operated only through the console.

Component: WebSecureProxy
Configuration Error: Certificates suspected to be broken or to have been abused will not be replaced
Consequence: The overall security of the solution can be compromised or a man-in-the-middle attack can be launched
Detection / Correction: A process for the reporting of certificate abuse must be installed, and users must be instructed in the use of this process. Certificates and HL Security Units must be replaced immediately if abuse is suspected.

Table 2: Consequences of Misconfiguration

30.5 System Requirements

The following are the system requirements necessary to conform to the Common Criteria EAL4 evaluation.
30.5.1 Requirements for HOB RD VPN Server

A fresh installation of the supported operating system is necessary for a valid Common Criteria installation of HOB RD VPN. The supported operating system for the Common Criteria evaluation is:
- SUSE Linux Enterprise Server 11 on Intel EM64T with Service Patch Level 2 (including Kernel 3.x.x)

To install the HOB WebSecureProxy (gateway) the following hardware is required:
- An Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing speed
- 1 GB of RAM available
- 450 – 800 MB of non-volatile storage space

For other valid hardware requirements, see Hardware Requirements in Section 4.1 System Requirements for Installation. You must ensure that you install the operating system in a safe and secure manner. Refer to the SUSE documentation to achieve this. Finally, you need to ensure that no other service accepts connections from the network.

30.5.2 Requirements for HOBLink Security Manager

The following are the requirements for the installation of HOBLink Security Manager:
- Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing speed
- 256 Mbytes of RAM available
- 160 Mbytes of non-volatile storage space

One of the following operating systems must be installed:
- Microsoft Windows 7 (any edition) SP1, 32-bit or 64-bit
- Microsoft Windows 8
- Apple Mac OS 10.8 Intel 64-bit
- openSUSE Linux 12.2 (with a graphical subsystem installed)

You also need to make sure the Security Manager system has no network connection. The installation of the HOBLink Security Manager on Mac OS X requires a preinstalled Java virtual machine. Apple Java 1.6.0 update 65 or higher (64-bit) has to be used. For Microsoft Windows and Linux operating systems the HOBLink Security Installer includes its own independent Java virtual machine, Sun Java 1.6.0 update 26 (32-bit).

30.5.3 Requirements on the client side

The following are the requirements for the installation of a Common Criteria qualified evaluation of HOB RD VPN on the client side:
- Intel Pentium Processor 1 GHz or CPU with equivalent or higher processing speed
- 256 Mbytes of RAM available

One of the following operating systems must be installed:
- Microsoft Windows 7 (any edition) SP1, 32-bit or 64-bit
- Microsoft Windows 8 (any edition), 32-bit or 64-bit
- Apple Mac OS 10.8 Intel 64-bit
- Linux openSUSE 12.2 (with a graphical subsystem installed)

One of the following browsers is also required:

Operating System                 Browser                       Minimum Version
Microsoft Windows 7, Windows 8   Microsoft Internet Explorer   IE 9
                                 Opera                         12.12
                                 Firefox                       29 (version 24 only TLS 1.1)
                                 Chrome                        (not defined for CC evaluation)
Linux openSUSE                   Opera                         12.12
                                 Firefox                       29 (version 24 only TLS 1.1)
                                 Chrome                        (not defined for CC evaluation)
Apple MacOS X                    Opera                         12.12
                                 Safari                        (not defined for CC evaluation)
                                 Firefox                       (not defined for CC evaluation)

Table 3: Requirements for the Internet Browser employed

A Java Virtual Machine is also required, with the following versions of Java:
- Windows: Oracle Java 1.7.0 update 45 or higher (32-bit)
- Mac OS X: Oracle Java 1.7.0 update 45 or higher (64-bit)
- Linux: Oracle Java 1.7.0 update 45 or higher (32-bit)

Note that for the JVMs as well as for both Internet Explorer and Opera, TLS v1.1 and TLS v1.2 must be explicitly activated, as these protocols are (or may be) disabled by default. The Java settings can be found in the Java Control Panel.

Browsers other than those already mentioned here can be used with these client side systems, but only if these alternative browsers fully support TLS v1.1 and TLS v1.2.

To satisfy the needs of the evaluation for Common Criteria, only a role with access rights similar to those set for the default role User can be used as a standard for your users.

30.6 Configuration Tasks

This section identifies the Configuration Tasks for HOB RD VPN and for the HOB RD VPN environment that are required to obtain a valid Common Criteria certification. An installation of HOB RD VPN includes functions and components that can be extended according to the selection of features by the user. Certain of these functions or components may not be subject to the Common Criteria evaluation. This means that these additional features provided by HOB RD VPN should not be used in a configuration subject to a Common Criteria validated operation. As these additional features were not included in the testing for the evaluation for Common Criteria, the use of these features might result in operating the HOB RD VPN installation in a way that is not compliant with the evaluated configuration.
30.6.1 Certified Components of HOB RD VPN

Component: HOB WebSecureProxy
Comments: This component must be configured in a secure manner, see Section 30.6.3 Notes on Certified Components below. This also contains the additional module HOB RD VPN Web Server (including HOB Web Server Gate), which must be configured in a secure manner, see Section 30.6.3 Notes on Certified Components. Target Filters must be configured to restrict access to HOB RD VPN Web Server Gate, see Section 30.6.3 Notes on Certified Components.

Component: HOBLink JWT
Comments: Must be configured in a secure manner, see Notes below.

Component: HOBLink Security Manager
Comments: The description of HOBLink Secure and the HOBLink Security Manager is provided in the HOBLink Secure Administration Guide documentation.

Table 4: Certified Components for Configuration

All of the above components also contain the additional module HOBLink Secure, the description of which is provided in the HOBLink Secure Administration Guide documentation.

30.6.2 Uncertified Components of HOB RD VPN

Component: Integrated Directory Service
Comments: To make it possible to use any third party directory server, only the LDAP interface is certified. HOB ensures that the Integrated Directory server is implemented as securely as possible.

Component: HOBLink J-Term
Comments: To keep the certification status, HOBLink J-Term must be configured as described in the Notes below.

Component: HOB RD VPN Web File Access
Comments: Using HOB RD VPN Web File Access does not influence the certification in any way, see Notes below.

Component: HOB PPP Tunnel
Comments: Using HOB PPP tunnel does not influence the certification in any way, see Notes below.

Component: HOBPhone
Comments: Using HOBPhone does not influence the certification in any way, see Notes below.

Component: Administration
Comments: As all administration tools are outside the scope of the certification, this allows the administrator to use the integrated tools and/or any third party tool to configure HOB RD VPN in a valid CC installation.

Component: User Settings
Comments: Using User Settings does not influence a valid certified installation, as long as the restrictions described in the Notes below are fulfilled.

Component: HOB Universal Client
Comments: Using HOB Universal Client does not influence the certification, as long as the configuration is performed as described in the Notes below.

Component: Compliance Check
Comments: Using Compliance Check does not influence the certification in any way, but enhances security.

Component: Desktop-on-Demand
Comments: If you use Desktop-on-Demand the RDP targets are part of the LDAP configuration of the user or group. As this is outside the HOB WebSecureProxy configuration, this violates the certification requirements. In a certified environment HOB Desktop-on-Demand cannot be used, see Notes below.

Component: SSL Identifier
Comments: Using the SSL Identifier does not influence the certification in any way, see Notes below.

Component: Kerberos Authentication
Comments: Using Kerberos as the Authentication Service is not certified. In a certified environment Kerberos cannot be used, see Notes below.

Component: Radius Authentication
Comments: Using Radius as the Authentication Service is not certified. In a certified environment Radius cannot be used, see Notes below.

Table 5: Uncertified Components for Configuration

30.6.3 Notes on Certified Components

HOB WebSecureProxy:
- Only LDAP is allowed as the Authentication Service.
- The LDAP protocol version that is allowed must be Version 3 or later.
- A target filter rule that allows only the needed connections must be applied to all roles. This is especially required to deny all unwanted HTTP and HTTPS access.
- Desktop-on-Demand must not be activated in any role, as it could be used to bypass the HOB WebSecureProxy configuration for RDP connections.
- The user role must be set to “User” or to an equivalent role that you use according to the policies of your company, see Chapter 8 Roles and Users.

HOBLink JWT:
- HOBLink JWT configurations should not be configured with preconfigured usernames and passwords.

HOBLink J-Term:
- RDP connections over HOBLink J-Term are not allowed in an evaluated environment. All other HOBLink J-Term connections are possible, but are outside of the evaluation.

HOB Web File Access:
- HOB Web File Access can be used, but is not part of the evaluation.

PPP Tunnel:
- HOB PPP Tunnel can be used, but is not part of the evaluation.

HOBPhone:
- HOBPhone can be used, but is not part of the evaluation.

HOB Universal Client:
- HOB Universal Client can be used, but is not part of the evaluation. There is one restriction, in that HOB Universal Client must not have configurations for RDP connections.

30.7 User Workshops and Schooling

It is strongly recommended that all users are comprehensively schooled in the use of HOB RD VPN. Only those users that are sufficiently schooled in the use of the product can ensure that the required procedures are properly followed and that all measures to guarantee diligence in maintaining the appropriate levels of security for the system and data are taken.
Important Information for Remote Users

This section is deliberately placed onto a single page for ease of use, as it is intended for you to print out and distribute to each of those end users authorized to use HOB RD VPN.

ALL POTENTIAL REMOTE USERS MUST READ THIS SECTION CAREFULLY!

Dear Remote User,

Your computer uses a HOB software product that offers you secure communication and protected data transfer. The user or client part of the HOB RD VPN software uses the HOBLink Secure encryption module as a part of the HOBLink JWT component. This add-on provides high-performance cryptography based on the industry standard SSL protocol and requires no manual intervention or configuration from your side.

You should run an RDP session for a maximum of no more than one working day. At the end of each working day, you should perform a complete Logoff from the Terminal Server that you were using.

You must manually enter your login information. This explicitly excludes robots and keyboard macro recorders from being used for this purpose, and the original native keyboard and mouse drivers need not be replaced. You must not use Macro Recorders for keyboard or mouse to play back data and execute the log on process.

Protect your workstation when you leave it unattended. To this end a “locking the workstation” policy should be in operation within your company and all users must be familiar with it.

Remember also that the security of your communication depends on the accuracy of the system clock of your computer. Make sure (and check periodically) that your computer uses the correct (real) date and time.

If you suspect that an unauthorized person has gained access to these files do not hesitate to inform your IT department. Please remember that the origin of every single file can be tracked down to you.

Do not communicate any details concerning the log on information for HOBLink JWT or HOB Web Server Gate. Keep your user credentials secret and handle passwords according to your company or IT department policy and rules. To this end, a “Keep your passwords confidential” note should be effective and you should be familiar with it.

If you feel that you need further help to avoid unauthorized access to your computer or to set the system clock of your computer, contact your IT department.

30.8 Achieving Trustworthy Encryption

In order to achieve trustworthy encryption, a number of steps must be considered on both the server side and the client side of any communication.

30.8.1 Achieving trustworthy encryption on the server side

The areas to consider here are as follows:

- Log Files are used to record all important activities made by your users and other administrators. To use log files, the following steps must be in operation:
  1. The logging tool must be activated.
  2. A log file must be periodically written at specific time intervals (for example every hour) according to the security policy of your company. This can be done automatically.
  3. This log file must be written to the /var folder. This is a default folder that holds all the log files of the system. You must store the log files in the /var folder for a reasonable amount of time before they are deleted, the recommended minimum period being one week. The contents of the /var folder and all of its subfolders are used to occasionally increase the quality of random number generation.
- There are some less obvious requirements that must be achieved to ensure optimum performance of the system device file /dev/random on Linux systems: to reach the required performance level it is required that the system be installed on a true hard disk.
Solid state disks (SSDs) are optionally possible but cannot be used exclusively; see also Section 30.2 Security Objectives for the Operational Environment. To feed the system device file /dev/random with suitable data, the files of the /var folder must be stored on this true hard disk. As information is periodically written to this hard disk, depletion of the system device file /dev/random on the server is avoided.

Processes such as haveged or rngd must not be active on the server system, as these tools weaken the random number generation within the OS and are not allowed in a CC-compliant server system; see Section 4.1.1 Installation on the Server Side concerning these processes.

Standard Linux/UNIX systems have a so-called clock source or time source that is used by the kernel and can usually be configured. When HOB RD VPN is running on a Linux/UNIX system, a sufficiently precise clock source must be set to allow HOB RD VPN to function properly. Suitable and accurate clock sources include HPET (High Precision Event Timer) and TSC (Time Stamp Counter). HOB RD VPN may not work correctly if an inaccurate clock source such as "Jiffies" (as used by some CentOS systems, for example) is the only clock source available.

To increase the entropy available for trustworthy encryption on the client side, and therefore the security, the HOB WSP configuration parameter <high-entropy> must be set to YES, as shown here:

    <roles>
      <role>
        <name>User</name>
        <high-entropy>YES</high-entropy>
      </role>
      ...
    </roles>

See Section 37.1 The Authentication Library (xl-sdh-webserver-01.dll) for more information.

30.8.2 CPU support for the AES cryptographic function

Intel® CPUs that include the Intel® AES New Instructions set partly support the processing of the AES algorithm within the CPU. The CPU-based support of the AES algorithm is not part of the Common Criteria evaluation.
If CPU support is desired and activated, the Common Criteria evaluation for all certified components and algorithms holds, with the exception of the calculations performed by the CPU itself. Be aware that HOB RD VPN is not running in a configuration compliant with the Common Criteria evaluation if the server component or one of the client components is operating with activated CPU support for the AES algorithm. See Section 4.1.7.3 CPU Support When AES is Used (if available) of the HOBLink Secure Administration Guide and HOBLink Security Manager.

30.8.3 Achieving trustworthy encryption on the client side

You must ensure that all systems used on the client side of any communication are installed and configured in accordance with the company security policies and rules, and with the instructions contained in this document.

HOB strongly recommends that your users run an RDP session for no longer than one working day. You should ensure that users always close and properly log off from their terminal sessions at the end of the working day in accordance with the User Guide that you distribute to each of your users. Not closing a session will lead to a lack of random numbers (used for authentication and the safeguarding of data) available to HOBLink JWT.

Ensure that when a user closes a terminal session the connection is properly closed and that the JVM is shut down. You (as administrator) should use a test client system to ensure that the shutdown process is correctly completed.

HOB RD VPN does not require hardware-based encryption tools or random generator boards to be installed on the computer systems involved. Instead, a random number generator is implemented that gains randomness from user interaction with their input devices to perform a qualified initialization.
Creating valuable random numbers guarantees that non-guessable session keys are chosen to encrypt and safeguard the communication data.

Users must follow the login rule that they enter their credentials themselves every time they fill in the sign-on dialog. Macro replay tools or a simple copy & paste operation cannot be used to repeat a recorded keyboard input whenever needed, and a robot that operates the keyboard (and mouse) also cannot be used.

In addition to other sources supplied by the system, the user interaction through a dialog is used to create unpredictable initialization values for the random number generator. As long as this dialog is displayed and has focus, every key stroke and every mouse move in certain areas of the dialog is used to increase the quality of the random initialization values. The following image displays the dialog shown when HOBLink JWT starts, before any keyboard or mouse events have occurred:

Figure 5: HOBLink JWT Security Dialog – Insufficient Information

Random information can be gathered by keyboard input or mouse cursor movement within the dialog. The best results require both keyboard and mouse events. The mouse must be moved slowly! When the collected data are judged sufficient, the dialog shows the following text:

Figure 6: HOBLink JWT Security Dialog – Initialize Random Number Generator

When the OK button on this dialog is clicked, HOBLink JWT has received a sufficient level of input and the program starts.

30.9 Using Certificates in HOB RD VPN

This section contains only a very short description of how security certificates should be used in HOB RD VPN. For a full explanation of the process, please see the HOBLink Secure and HOBLink Security Manager Administration Guide.
The HOBLink Security Manager uses the Auto Wizard tool to generate 3 server files (server.cdg, server.cdb and server.pwd) and 3 client files (client.cdg, client.cdb and client.pwd). These files must be securely transferred to the HOB RD VPN server and placed in special directories in the HOB RD VPN installation; see Section 33.1 Adding Certificates and HOBLink Security Units to the HOB WSP. The wsp.xml configuration must be adjusted accordingly; see Chapter 36 XML Configuration for the HOB WebSecureProxy.

With the help of the Auto Wizard of the HOBLink Security Manager, an independently created PKI is established. As part of the certification, no OCSP or certificate revocation is supported. The administrator is responsible for managing the certificates themselves. In a suspected case of loss of integrity of a certificate or the key data it contains, new certificates and HL Security Units need to be created, and the HL Security Units must be promptly replaced on the server system.

30.9.1 Using HOBLink Security Manager

To create HOBLink Security Units that conform to Common Criteria requirements, the Auto Wizard function of HOBLink Security Manager must be used. This Auto Wizard is fully described in Chapter 3.5 of the HOBLink Secure and HOBLink Security Manager Administration Guide. For a configuration that fully conforms to Common Criteria requirements, please note that in the first dialog of the Auto Wizard (see Point 4 in the above-mentioned chapter) the option "do not use client authentication" must be selected.

All fields must be completed in the next Auto Wizard dialog. In the entry field for Server Certificate Common Name, the URL of the server where the HOB RD VPN server component is installed must be entered. Please note that with the selection of a 1536-bit asymmetric key size, only a security strength of less than 100-bit encryption security is ensured.
31 Flaw Remediation

HOB has developed and runs Flaw Remediation, a set of activities that are used to achieve Common Criteria standards in the security of HOB RD VPN blue edition. The Flaw Remediation process serves to identify and correct any potential security flaw that may occur in your system.

This Flaw Remediation process mainly covers four aspects of interaction between a customer (you, as the administrator) and HOB as the product manufacturer:

- You can report problems that you interpret as security-critical problems.
- All customers are informed by HOB in the event that a problem is rated to be a security flaw.
- Any customer can ask HOB about the state of a security flaw and its correction.
- All customers are informed about the correction of a security flaw and receive an updated and corrected version of the product from HOB under the terms of the maintenance contract.

In more detail, for HOB RD VPN blue edition this means the following:

To obtain the Common Criteria Certification standard for security, it is mandatory to sign a maintenance agreement so that HOB can contact you. This maintenance agreement (either a Software Maintenance Agreement Certificate or a Software Maintenance Contract) guarantees you full support in the correction of problems or software bugs, and access to new updates that correct the problem.

In addition to the reporting of a problem, you can also contact HOB directly if you suspect a security flaw. As a customer with a maintenance agreement, you can contact HOB at any time to report a problem. Once informed of any potential problem, HOB will immediately analyze and rate the problem.
You should always run the HOB Software Distribution Check (see Section 30.3.1 HOB Software Distribution Check) to check the validity and integrity of the product when you purchase or download a new product or product version.

On reporting a suspected security flaw, the information that HOB sends you contains a description of the characteristics of the security flaw, its consequences and, if any, a possible workaround or instructions to be followed until the problem is solved. This could be, for example, a temporary change in the firewall settings, a modification of the active services or the activation of additional monitoring functions. HOB requests all customers, in their own interest, to treat information on security flaws as confidential.

For all software issues, HOB runs an internal ticket system to record any problem, task, or the information required when contacting a customer. In the event of a security flaw, the customer receives the ID of the corresponding ticket in addition to the general information, as a reference. This ID should always be used when contacting HOB for information on a problem.

When a problem is solved, HOB delivers a new, corrected version of the product with an explanation of the security flaw and how it was solved. You can then download the new version using the address of the download web server and the access credentials given to you under the maintenance agreement. The download must be verified and the software installed to use and run the corrected version. Keep in mind that the Common Criteria certification becomes invalid if the maintenance agreement is cancelled or allowed to expire.

31.1 Aspects of Flaw Remediation

Flaw Remediation is a process that consists of the following procedures:

1. The first step is to make sure it is a problem.
   If you suspect that there is a security issue with any element of your HOB RD VPN installation, you must report it as soon as possible to HOB. The potential problem is then evaluated by the HOB development department, and a priority is assigned to the issue according to the evaluated severity of the problem.
2. Every reported problem is assigned an HOB reference number or ticket, and this ticket is passed on to you as the customer concerned. This ticket number should be used in all dealings with HOB about this security flaw.
3. Once the potential problem has been solved, a corrected version of the product is created and made available to you and to any other customers that have potentially been affected by this flaw. You receive this corrected version from HOB on CD/DVD or as a downloaded packed zip file from the HOB Web server. When you receive or download a new product version, you should always verify the successful download using the HOB Software Distribution Check (see Section 30.3.1 HOB Software Distribution Check).
4. Once you have performed the HOB Software Distribution Check on this updated version of the product to assure its integrity, and the Check proves that your software is in order, you may install the new version, solving your security issue.

Any HotFix that you wish to install also needs to be checked with the HOB Software Distribution Check. Extract the zip files for any HotFix into an empty directory and then run the HOB Software Distribution Check on this directory.

32 Frequently Asked Questions

The following are some questions that are often asked about HOB RD VPN blue edition and its workings:

Q: What information is cached on the client?
A: No information from any session is cached on the client; all data stays securely stored in the network. Once the connection to the servers is ended when the session is closed, there is no data remaining on the client.
Q: I don't want to have to re-enter all my data. Which directories work with HOB RD VPN?
A: The following directory services for authentication work with HOB RD VPN:
- Microsoft Active Directory
- IBM Directory Server
- Novell eDirectory
- Siemens DirX Directory
- Oracle Directory Server Enterprise Edition
- OpenLDAP
- User Management

Q: Which authentication methods does HOB RD VPN support?
A: User authentication in HOB RD VPN is performed using:
- SSL client certificates
- RADIUS
- Kerberos
- Single Sign-on (SSO)
- LDAP
To check the user certificates, the Online Certificate Status Protocol (OCSP) is also supported.

Q: Single Sign-On is very important for me. Does HOB RD VPN support this?
A: For true single sign-on (SSO) HOB recommends the use of Kerberos. Kerberos SSO is fully supported by HOB RD VPN. Authentication with one-time passwords is also supported. All major manufacturers support the RADIUS protocol used for this.

Q: Can I customize parts of HOB RD VPN (company logos, slogans, and so on)?
A: Using the XML configuration files, HOB RD VPN can be configured for both ease of use and look and feel, as required. The HOB RD VPN GUI allows you to pull any required graphics or slogans from your data storage and apply them on screen.

Q: How difficult and cumbersome is it to update the software or to apply Hotfixes?
A: All customers with maintenance contracts can easily download and install the necessary updates, which HOB notifies them of when such updates are made available.

Q: How do I apply the JWT Trace?
A: The JWT Trace allows you to apply a trace when using HOBLink JWT so that you can follow the exact path used during the connection. To employ the trace, go to the screen where you would normally configure a HOBLink JWT session (HOB RD VPN Administration > HOB RD VPN 2.1 > HOBLink JWT > Configure) and select the scheme Others from the list.
Figure 1: HOBLink JWT Administration – Scheme Others

Under Others, add a scheme with the DOTRACE parameter set to YES. Make sure this is given in the session the user is having problems with:

Figure 2: HOBLink JWT Administration – Session Others

The encrypted trace file will then be found on the client machine in the hob_jportal folder in the user's folder.

Q: Where do I find the HOB RD VPN version and release information?
A: This information is found:
- at the bottom of the HOB RD VPN Navigation screen,
- under the About icon in the task bar of the HOB Administration interface (see Section 6.1 Administration Access as a Domain Administrator on page 75), or
- under the Info menu in the task bar of the HOB WSP interface (see Section 2.6 Roles on page 26).

Q: How do I save my configurations in HOB RD VPN?
A: There is a save function built into each GUI for HOB RD VPN, HOBLink JWT and the HOB WSP. When any changes to the configurations have been made, simply use these save functions and the edited configuration will be saved. To save the complete configuration in another location, during an update for example, follow these steps:
1. Log into the HOB RD VPN 2.1 Global Administrator web page and use the links on the left-hand side to go to the Backup page.
2. Click on Export LDIF and export the file to the location of your choice. You can then import this file into your next updated release of HOB RD VPN 2.1.

33 Advanced HOB WSP Configuration

This chapter contains the information needed to allow you to make the required changes to the configuration of the HOB WSP.
33.1 Adding Certificates and HOBLink Security Units to the HOB WSP

If the security settings of the SSL connection are to be configured more precisely, this cannot be done via the Global Administrator interface, as it is accessed via a web browser. The HOBLink Security Manager tool must be available as a standalone tool or accessible from within the EA administration tool, depending on the installed version of HOB RD VPN.

The HOBLink Security Manager creates files both for the server side and for the client side. The files it creates must be placed in defined directories in the installation. In this section the directories on the HOB RD VPN server and the corresponding entries in the WSP configuration for the relevant files are shown and described for both the server and the client sides.

33.1.1 Server Side Security Units in HOB RD VPN

User Portal (Port 443):

WSP configuration:

    <connection>
      <name>User Portal</name>
      ....
      <SSL-config-file>INSTALLDIR/sslsettings/corporate/hserver.cfg</SSL-config-file>
      <SSL-certdb-file>INSTALLDIR/sslsettings/corporate/hserver.cdb</SSL-certdb-file>
      <SSL-password-file>INSTALLDIR/sslsettings/corporate/hserver.pwd</SSL-password-file>
      ....
    </connection>

Administration Portal (Port 10000):

WSP configuration:

    <connection>
      <name>Administration Access</name>
      ....
      <SSL-config-file>INSTALLDIR/sslsettings/admin/hserver.cfg</SSL-config-file>
      <SSL-certdb-file>INSTALLDIR/sslsettings/admin/hserver.cdb</SSL-certdb-file>
      <SSL-password-file>INSTALLDIR/sslsettings/admin/hserver.pwd</SSL-password-file>
      ....
    </connection>

Cluster Settings:

    INSTALLDIR/sslsettings/cluster/sslsettings

Using SSL to connect from the WSP to a server in the corporate network (for example HTTPS in Web Server Gate):

WSP configuration:

    <client-side-SSL>
      <SSL-config-file>INSTALLDIR/sslsettings/hclient.cfg</SSL-config-file>
      <SSL-certdb-file>INSTALLDIR/sslsettings/hclient.cdb</SSL-certdb-file>
      <SSL-password-file>INSTALLDIR/sslsettings/hclient.pwd</SSL-password-file>
      ....
    </client-side-SSL>

In this case, the HOB WSP takes the role of the client to the destination server.

33.1.2 Client Side Security Units in HOB RD VPN

Using SSL for HOBLink JWT on the client side:

    INSTALLDIR/www/public/lib/sslpublic

Using SSL for Web browsers on the client side:

The root certificate of the server must be available to the browser as a trusted root certificate. The majority of the public CA root certificates are included in the standard browser. If the root certificate is not available, the browser displays a warning alert at the start of the connection. To avoid receiving this alert, the root certificate must be imported into the browser. This is mandatory for the CC evaluation.

If the root certificate of the server is available to the HL Security Unit on the server side, the public part of the root certificate must be exported with the help of HOBLink Security Manager; see the HOBLink Secure Administration Guide for more information. The root certificate must be distributed by the administrator in a secure manner to the client (user), as the safety of the correct connection to the target server is explicitly assured by this root certificate. HOB recommends that the administrator pre-installs the exported root certificate on all client systems. If this is not possible, the root certificate must be delivered securely and verified by comparing its fingerprint hash values with the public values generated separately by the administrator.
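As an added example that is not part of this guide or of HOB's software, the following Python script performs three administrator-side checks drawn from Sections 30.8.1 and 33.1: it reports WSP connection blocks that do not name all three security-unit files, roles whose high-entropy setting is not YES, and it verifies a root certificate fingerprint against the value published out of band. It assumes wsp.xml is well-formed XML with the elements laid out as shown above (the position of the roles element is an assumption), and all function names and sample data are ours.

```python
"""Added example (not HOB's code): checks a wsp.xml fragment for the three
security-unit file entries of Section 33.1.1, for roles without
<high-entropy>YES</high-entropy> (Section 30.8.1), and verifies a root
certificate fingerprint out of band as Section 33.1.2 requires.
All sample data is constructed; where <roles> sits in wsp.xml is assumed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SSL_FILE_TAGS = ("SSL-config-file", "SSL-certdb-file", "SSL-password-file")

# Constructed fragment: the administration portal lacks its password file
# and the Admin role is not configured for high entropy.
SAMPLE_WSP_XML = """<wsp>
  <connection>
    <name>User Portal</name>
    <SSL-config-file>INSTALLDIR/sslsettings/corporate/hserver.cfg</SSL-config-file>
    <SSL-certdb-file>INSTALLDIR/sslsettings/corporate/hserver.cdb</SSL-certdb-file>
    <SSL-password-file>INSTALLDIR/sslsettings/corporate/hserver.pwd</SSL-password-file>
  </connection>
  <connection>
    <name>Administration Access</name>
    <SSL-config-file>INSTALLDIR/sslsettings/admin/hserver.cfg</SSL-config-file>
    <SSL-certdb-file>INSTALLDIR/sslsettings/admin/hserver.cdb</SSL-certdb-file>
  </connection>
  <client-side-SSL>
    <SSL-config-file>INSTALLDIR/sslsettings/hclient.cfg</SSL-config-file>
    <SSL-certdb-file>INSTALLDIR/sslsettings/hclient.cdb</SSL-certdb-file>
    <SSL-password-file>INSTALLDIR/sslsettings/hclient.pwd</SSL-password-file>
  </client-side-SSL>
  <roles>
    <role><name>User</name><high-entropy>YES</high-entropy></role>
    <role><name>Admin</name><high-entropy>NO</high-entropy></role>
  </roles>
</wsp>"""

# Constructed placeholder bytes standing in for a DER-encoded root certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def missing_ssl_files(wsp_xml):
    """Map each <connection> or <client-side-SSL> block that does not name all
    three security-unit files to the list of missing tags."""
    root = ET.fromstring(wsp_xml)
    problems = {}
    for block in root.iter():
        if block.tag not in ("connection", "client-side-SSL"):
            continue
        label = (block.findtext("name") or block.tag).strip()
        missing = [t for t in SSL_FILE_TAGS if not (block.findtext(t) or "").strip()]
        if missing:
            problems[label] = missing
    return problems


def roles_without_high_entropy(wsp_xml):
    """Names of <role> elements whose <high-entropy> is not YES."""
    root = ET.fromstring(wsp_xml)
    return [(r.findtext("name") or "?").strip() for r in root.iter("role")
            if (r.findtext("high-entropy") or "").strip().upper() != "YES"]


def cert_fingerprint(pem_text):
    """SHA-256 fingerprint over the DER bytes of a PEM certificate, in the
    colon-separated upper-case hex form browsers display."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text, expected):
    """Compare the computed fingerprint with the value the administrator
    published out of band; separators and case are ignored and the
    comparison is constant-time."""
    def norm(s):
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    return hmac.compare_digest(norm(cert_fingerprint(pem_text)), norm(expected))


if __name__ == "__main__":
    print("missing security-unit files:", missing_ssl_files(SAMPLE_WSP_XML))
    print("roles without high entropy:", roles_without_high_entropy(SAMPLE_WSP_XML))
    print("root certificate fingerprint:", cert_fingerprint(SAMPLE_PEM))
```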
The delivery can, for example, be made by means of encrypted media sent by a secure postal service. The user on the client side must not use the root certificate for other purposes or pass the certificate on to third parties. The provision of root certificates for other client-side software offered by HOB is described in the documentation of the respective software.

The Java Runtime Environment (JRE) installed on the client system must be set up so that trusted root certificates are drawn from the browser certificate store. Otherwise, the root certificate must be separately imported into the trusted root certificate store of the JRE.

33.2 Manually Stopping and Starting the HOB WSP

HOB RD VPN will automatically accept any changes that you make to the configuration of the system; however, for certain changes you must stop and then restart the HOB WSP for these changes to become effective. To stop and start the HOB WSP, follow the steps described below for the operating system you use.

33.2.1 Stopping the HOB WSP under Windows

HOB RD VPN is installed as a Windows Service and as such can be started and stopped through the Windows Services Management Console.

1. From the main start menu on your machine, select Start > Control Panel > Administrative Tools > Services.
2. In the dialog that is now displayed, scroll down until you locate the HOB RD VPN service, as shown here, and select it.

Figure 1: Microsoft Windows Administration – Services

3. Now stop the service using either the command on the left of this panel or the Stop icon in the menu bar.

Stop icon - this stops the service

33.2.2 Starting the HOB WSP under Windows

After the installation on a Windows system, HOB RD VPN starts automatically. The service is configured so that it will start automatically after each restart. To change these settings, see the Windows Help for the Services Management Console.

1. Follow the first two steps outlined above to stop the service.
2. Now, either using the Start icon in the menu bar or the command on the left of this panel, start (or restart) the service.

Start icon - this starts the service

33.2.3 Stopping the HOB WSP under Linux

Open a console window and change to the directory INSTALLDIR/management (using the command cd INSTALLDIR/management). Run the script:

    ./stop-mgmt-service.sh

33.2.4 Starting the HOB WSP under Linux

Open a console window and change to the directory INSTALLDIR/management (using the command cd INSTALLDIR/management). Now run the script:

    ./start-mgmt-service.sh

Once the HOB WSP has been stopped and restarted, any changes made to the configuration will be in effect. This procedure is necessary for any changes made to the manual.xml file that are required for conformity to Common Criteria evaluation standards.

33.2.5 Starting the HOB WSP automatically under Linux

Once the installation has been successfully completed, HOB RD VPN starts automatically as the final step of the installation process. If you perform a complete system restart after installation, under Linux HOB RD VPN is not started automatically. If you want to register the script ./start-mgmt-service.sh for an automatic start of HOB RD VPN along with that of your system, consult the Linux documentation for your distribution.

33.3 Configuration Changes and their Effectiveness and Impact

In standard cases the HOB WSP reads the file wsp.xml containing the configuration for the HOB WSP. This file is automatically updated by the management service from the internal LDAP server that is included in the HOB RD VPN server installation. If the configuration is changed by the HOB WSP administration tool, the HOB WSP loads the new configuration and uses it for new connections (this may however take some time). Existing connections are not affected.

If the HOB WSP fails to interpret the configuration (i.e. the wsp.xml file) properly, or fails for any other reason during the start-up phase, a fail-safe configuration with a minimum of entries is used to start the HOB WSP. This configuration only enables administrator access to the HOB WSP to check and correct a possibly erroneous configuration or to examine the start-up failure. A message about this state of the HOB WSP is written to the system log. Normal user connections are no longer possible in such cases.

If more sophisticated control of the configuration is required, a manually edited configuration file manual.xml can be used. Details are found in Chapter 36 XML Configuration for the HOB WebSecureProxy. For changes in manual.xml to take effect, the HOB WSP must be manually stopped and started again (see the section above). This causes existing connections to be interrupted when the HOB WSP is stopped. If there are errors in the manual.xml configuration, the HOB WSP cannot be started manually until the configuration is corrected.

34 XML Configuration for HOB Web Server Gate

This section contains the user-defined parameters used in the configuration of the HOB Web Server Gate. The bookmarks that are used for each user in the HOB Web Server Gate are stored in the directory storage system for that user under the attribute hobrdvpnbmwsg. The bookmarks are stored either in the user object, in the tree of the user object or in the groups of which the user is a member.
34.1 Example HOB Web Server Gate Configuration

    <WSG-bookmarks>
      <version>1</version>
      <bookmark>
        <url>http://www.MyCompany.com</url>
        <name>My Company</name>
      </bookmark>
      <bookmark>
        <url>http://www.AnotherCompany.com</url>
        <name>Partner1</name>
      </bookmark>
    </WSG-bookmarks>

Explanation of the illustrated elements:

<WSG-bookmarks>  This is the root element. In the example shown above, <WSG-bookmarks> has one child element for the current version, shown here as having the value 1.
<bookmark>  This is another child element; the element <bookmark> can be added as many times as desired. The element <bookmark> has two child elements, <url> and <name>:
<url>  The value of this child element is the location to which the HOB Web Server Gate should connect.
<name>  The value of this child element is the name that is displayed in the Navigation screen.

35 XML Configuration for HOBLink JWT

This section contains the user-defined parameters used in the configuration of HOBLink JWT 3.3. Some parameters disappear when the configuration is saved and reopened. These are the options that can be configured on other panels in the configuration.

The following Section 35.1 Example configuration for Direct Connections is an example HOBLink JWT XML configuration file. This example uses direct connections between HOBLink JWT and the RDP targets. It is included here to help you create your own XML configuration or configurations, and shows how such a file should be constructed. The second example, in Section 35.2 Example configuration for connections using the HOB WSP, shows how to set up the configuration for connections from HOBLink JWT to the RDP target via the HOB WSP.
35.1 Example configuration for Direct Connections

This is an example for direct connections between HOBLink JWT and RDP targets:

    <?xml version="1.0" encoding="UTF-8"?>
    <jwt-configuration>
      <session-list>
        <session-entry>
          <name>session1</name>
          <iconname>BIG_JWTICON</iconname>
          <activate>yes</activate>
          <connection>
            <name>Connection1</name>
          </connection>
          <logon>
            <name>logon1</name>
          </logon>
          <display>
            <name>display1</name>
          </display>
          <keyboard>
            <name>keyboard1</name>
          </keyboard>
          <printer></printer>
          <ldm></ldm>
          <portredirection></portredirection>
          <otherdevices></otherdevices>
          <expert></expert>
        </session-entry>
        <session-entry>
          <name>session2</name>
          <iconname>BIG_JWTICON</iconname>
          <activate>yes</activate>
          <connection>
            <name>Connection2</name>
          </connection>
          <logon></logon>
          <display>
            <name>display2</name>
          </display>
          <keyboard>
            <name>keyboard1</name>
          </keyboard>
          <printer></printer>
          <ldm></ldm>
          <portredirection></portredirection>
          <otherdevices></otherdevices>
          <expert></expert>
        </session-entry>
      </session-list>
      <schemes>
        <connection-list>
          <connection-entry>
            <name>Connection1</name>
            <conntype>direct</conntype>
            <autocon>yes</autocon>
            <ipaddress>rdpserver1</ipaddress>
            <ipport>3389</ipport>
            <macaddress></macaddress>
            <usewakeonlan>no</usewakeonlan>
            <wakeonlantimeout>90</wakeonlantimeout>
            <wakeonlanmode>broadcast</wakeonlanmode>
            <wakeonlanport>9</wakeonlanport>
            <wakeonlanrelaylist></wakeonlanrelaylist>
            <broadcast>yes</broadcast>
            <lbselection>reconnect</lbselection>
            <gateport>4095</gateport>
            <serverlist></serverlist>
            <wsplist></wsplist>
            <startupmode>desktop</startupmode>
            <proxymode>auto</proxymode>
            <servercertificates>no</servercertificates>
            <sslfile></sslfile>
            <ssldir></ssldir>
            <compression>yes</compression>
            <queue_events>no</queue_events>
            <harddiskcachesize>0</harddiskcachesize>
            <memorycachesize>8000</memorycachesize>
          </connection-entry>
          <connection-entry>
            <name>Connection2</name>
            <conntype>direct</conntype>
            <autocon>yes</autocon>
            <ipaddress>rdpserver2</ipaddress>
            <ipport>3389</ipport>
            <macaddress></macaddress>
            <usewakeonlan>no</usewakeonlan>
            <wakeonlantimeout>90</wakeonlantimeout>
            <wakeonlanmode>broadcast</wakeonlanmode>
            <wakeonlanport>9</wakeonlanport>
            <wakeonlanrelaylist></wakeonlanrelaylist>
            <broadcast>yes</broadcast>
            <lbselection>reconnect</lbselection>
            <gateport>4095</gateport>
            <serverlist></serverlist>
            <wsplist></wsplist>
            <startupmode>desktop</startupmode>
            <proxymode>auto</proxymode>
            <servercertificates>no</servercertificates>
            <sslfile></sslfile>
            <ssldir></ssldir>
            <compression>yes</compression>
            <queue_events>no</queue_events>
            <harddiskcachesize>0</harddiskcachesize>
            <memorycachesize>8000</memorycachesize>
          </connection-entry>
        </connection-list>
        <logon-list>
          <logon-entry>
            <name>logon1</name>
            <userid>user1</userid>
            <domain>domain1</domain>
            <autologon>no</autologon>
            <password>^+</password>
          </logon-entry>
        </logon-list>
        <display-list>
          <display-entry>
            <name>display1</name>
            <window>frame</window>
            <sessionwidth>800</sessionwidth>
            <sessionheight>600</sessionheight>
            <screenratiox>0</screenratiox>
            <screenratioy>0</screenratioy>
            <screen>1</screen>
            <colordepth>0</colordepth>
            <connbar>yes</connbar>
            <allowbackground>no</allowbackground>
            <allowshowcontent>yes</allowshowcontent>
            <allowmenuanim>yes</allowmenuanim>
            <allowthemes>yes</allowthemes>
            <allowcursorshadow>no</allowcursorshadow>
            <allowcursorblinking>yes</allowcursorblinking>
            <allowfontsmoothing>no</allowfontsmoothing>
          </display-entry>
          <display-entry>
            <name>display2</name>
            <window>fullscreen</window>
            <sessionwidth>1920</sessionwidth>
            <sessionheight>1120</sessionheight>
            <screenratiox>0</screenratiox>
            <screenratioy>0</screenratioy>
            <screen>1</screen>
            <colordepth>0</colordepth>
            <connbar>yes</connbar>
            <allowbackground>no</allowbackground>
            <allowshowcontent>yes</allowshowcontent>
            <allowmenuanim>yes</allowmenuanim>
            <allowthemes>yes</allowthemes>
            <allowcursorshadow>no</allowcursorshadow>
            <allowcursorblinking>yes</allowcursorblinking>
            <allowfontsmoothing>no</allowfontsmoothing>
          </display-entry>
        </display-list>
        <keyboard-list>
          <keyboard-entry>
            <name>keyboard1</name>
            <clipboard>2</clipboard>
            <keyboardlayout>us</keyboardlayout>
            <keycombinations>8,24,a,23,8,21,8,22,8,9b,8,7f,a,6d,a,6b,8,23,a,25,a,4b,a,49,a,42,a,28</keycombinations>
            <enablekeypad>yes</enablekeypad>
            <keyboardhook>3</keyboardhook>
          </keyboard-entry>
        </keyboard-list>
        <printer-list></printer-list>
        <ldm-list></ldm-list>
        <portredirection-list></portredirection-list>
        <otherdevices-list></otherdevices-list>
        <expert-list></expert-list>
      </schemes>
      <inheritedsessions></inheritedsessions>
    </jwt-configuration>

35.2 Example configuration for connections using the HOB WSP

This is an example for connections between HOBLink JWT and RDP targets via the HOB WSP:

    <?xml version="1.0" encoding="UTF-8"?>
    <jwt-configuration>
      <session-list>
        <session-entry>
          <name>JWT-Session</name>
          <iconname>BIG_JWTICON</iconname>
          <activate>yes</activate>
          <connection>
            <name>Select</name>
          </connection>
          <logon/>
          <display/>
          <keyboard/>
          <printer/>
          <ldm/>
          <portredirection/>
          <otherdevices/>
          <expert/>
        </session-entry>
      </session-list>
      <schemes>
        <connection-list>
          <connection-entry>
            <name>Select</name>
            <conntype>wspsocks</conntype>
            <autocon>no</autocon>
            <ipaddress/>
            <ipport>3389</ipport>
            <macaddress/>
            <usewakeonlan>no</usewakeonlan>
            <wakeonlantimeout>90</wakeonlantimeout>
            <wakeonlanmode>broadcast</wakeonlanmode>
            <wakeonlanport>9</wakeonlanport>
            <wakeonlanrelaylist/>
            <broadcast>yes</broadcast>
            <lbselection>reconnect</lbselection>
            <gateport>4095</gateport>
            <serverlist/>
            <wsplist>
              <server>
                <ip>x.x.x</ip>
                <port>443</port>
              </server>
            </wsplist>
            <startupmode>desktop</startupmode>
            <proxymode>auto</proxymode>
            <servercertificates>no</servercertificates>
            <sslfile/>
            <ssldir/>
            <compression>yes</compression>
            <queue_events>no</queue_events>
            <harddiskcachesize>0</harddiskcachesize>
            <memorycachesize>8000</memorycachesize>
          </connection-entry>
        </connection-list>
        <logon-list/>
        <display-list/>
        <keyboard-list/>
        <printer-list/>
        <ldm-list/>
        <portredirection-list/>
        <otherdevices-list/>
        <expert-list/>
      </schemes>
      <inheritedsessions/>
    </jwt-configuration>

35.3 Connection parameters

The following are the HOBLink JWT XML configuration parameters used for Connections settings. For each parameter, its description, the permitted values/syntax, the default value and the requirements/limitations are listed.

IPADDRESS
  Description: Name or IP address of the Windows Terminal Server
  Requirements/Limitations: CONNTYPE = direct

IPPORT
  Description: IP port of the Windows Terminal Server
  Values/Syntax: [0 ... 65535] - An integer that specifies the IP port
  Default value: 3389
  Requirements/Limitations: CONNTYPE = direct

MACADDRESS
  Description: MAC address of the Windows Terminal Server
  Requirements/Limitations: CONNTYPE = direct

USEWAKEONLAN
  Description: Allows a Wake-On-LAN request to boot the server to be sent
  Values/Syntax: yes - Sends a Wake-On-LAN request to boot the server; no - Does nothing
  Default value: no
  Requirements/Limitations: CONNTYPE = direct, MACADDRESS

WAKEONLANTIMEOUT
  Description: The maximum time to wait for connection accepts.
  Values/Syntax: [10 ... 600] - An integer that specifies the timeout in seconds.
  Default value: 90
  Requirements/Limitations: USEWAKEONLAN = yes

WAKEONLANMODE
  Description: Controls the method of how Wake-On-LAN requests are transmitted.
  Values/Syntax: broadcast - Broadcasts the Wake-On-LAN request; relay - Sends the Wake-On-LAN request to the configured relays
  Default value: broadcast
  Requirements/Limitations: USEWAKEONLAN = yes

WAKEONLANPORT
  Description: Destination port for Wake-On-LAN broadcasts.
  Values/Syntax: [0 ... 65535] - An integer that specifies the IP port
  Default value: 9
  Requirements/Limitations: WAKEONLANMODE = broadcast

WAKEONLANRELAYLIST
  Description: List of Wake-On-LAN Relays.
  Values/Syntax: A comma separated list of servers.
WAKEONLANMO DE = relay Syntax: PORT = 9 RELAY = IP[:PORT] WAKEONLANRELA YLIST = [RELAY[,WAKEONL ANRELAYLIST]] Example: relay1.hob.de:9, relay2.hob.de:9 AUTOCON Allows the WTS to yes - Connects to the no be chosen at server immediately runtime in a GUI. no - Shows a GUI to choose the server address CONNTYPE = direct APPNAME Path of application to start instead of Desktop (Application Serving) STARTUPMODE = app Security Solutions by HOB 415 XML Configuration for HOBLink JWT 416 HOB RD VPN WORKINGDIR Working directory for application used in Application Serving. STARTUPMODE = app BROADCAST Type of broadcast yes - Use broadcast (Load Balancing). no - Use server list LBSELECTION Server selection show - Select from all reconnect procedure for Load responding servers Balancing. reconnect - Connect to the server with the least load CONNTYPE = loadbalancing / wsplb / wspsocks SERVERLIST List of servers used for server list (Load Balancing). A comma separated list of servers. Syntax: SERVER = IP[:PORT] SERVERLIST = [SERVER[,SERVER LIST]] Example: wts1.hob.de:4095, wts2.hob.de:4095 CONNTYPE = loadbalancing / wsplb / wspsocks BROADCAST = no LBOVERALLTIME Maximum overall OUT timeout for Load Balancing. [0 ... MAXINT] - An 20000 integer that specifies a timeout in milliseconds CONNTYPE = loadbalancing / wsplb / wspsocks LBACTIVITYTIME Activity timeout for OUT Load Balancing. This specifies the maximum time to wait after the last response packet has been received 0 - An infinite timeout 4000 [1 ... MAXINT] - An integer that specifies a timeout in milliseconds CONNTYPE = loadbalancing / wsplb / wspsocks LBSELECTION = reconnect LBRESENDTIMEO Resend request UT timeout for Load Balancing. This specifies the timeout to resend the Load Balancing requests. In case of BROADCAST= no the requests are only resent to all unacknowledged servers. 0 - An infinite timeout 2000 [1 ... 
MAXINT] - An integer that specifies a timeout in milliseconds CONNTYPE = loadbalancing / wsplb / wspsocks COMPRESSION Use Microsoft Point-To-PointCompression Protocol (MPPC) for data exchange. yes - Enables data compression no - Disables data compression PUBAPPNAME Name of published application to connect to (Published Application / True Windows). yes CONNTYPE = loadbalancing / wsplb / wspsocks yes STARTUPMODE = pubapp / seamless Security Solutions by HOB HOB RD VPN XML Configuration for HOBLink JWT GATEPORT The port used for [0 ... 65535] - An 4095 UDP load integer that specifies balancing if the IP port broadcast is used. CONNTYPE Type of connection. direct - Use a direct direct connection to the WTS loadbalancing - Use HOB Load Balancing to choose a WTS wspdirect Establishes a WSP direct connection wsplb - WSP connection with HOB Load Balancing wspsocks - WSP connection with the WSP SOCKS authentication protocol WSPLIST List of WSPs. A comma separated list of servers. Syntax: WSP = IP[:PORT] WSPLIST = [WSP[,WSPLIST]] Example: wsp1.hob.de:4095, wsp2.hob.de:4095 PROXYMODE Determines the Proxy mode. auto - Automatic auto detection no - Disable proxies socks - Use SOCKS proxy protocol socks4 - Use SOCKS V4 proxy protocol http - Use HTTP proxy protocol PROXYLIST List of SOCKS or HTTP Proxies. A comma separated list of servers. Syntax: SERVER = IP[:PORT] PROXYLIST = [SERVER[,PROXYLI ST]] Example: httpproxy1.hob.de:80 80, httpproxy2.hob.de:80 80 PROXYUSER User ID for the proxy authentication. PROXYMODE PROXYPASSWO RD Password for the proxy authentication. PROXYMODE Security Solutions by HOB CONNTYPE = wspdirect / wsplb / wspsocks PORT=1080 - If PROXYMODE = PROXYMODE = socks / socks4 / socks / socks4 http PORT=8080 - If PROXYMODE = http 417 XML Configuration for HOBLink JWT TIMEOUT Time to wait for answer from WTS while building the connection. RECEIVEBUFFER Sets the TCP SIZE receive buffer size for the RDP connection in bytes. 
CONSOLESESSI ON HOB RD VPN 0 - An infinite timeout 90000 [1 ... MAXINT] - An integer that specifies a timeout in milliseconds 0 - System default 8192 [1 ... MAXINT] - An integer that specifies the size in bytes The minimum and maximum buffer sizes are system dependent Connect to the yes - Connects to the no console session of console session the WTS. no - Does not request a specific session WSP_SELECTION Preselect server for WSP SOCKS mode. WSPAUTH = yes TWSINGLESERV Name of the Load ERCONF Balancing configuration for TrueWindows Single Server. This is the configuration name in the registry on the server WSPOLD Indicates that JWT connects to an old WSP that does not know the protocol extension HOBRDP-EXT1 STARTUPMODE = seamless no CONNTYPE = wspsocks KEEPALIVEINTER Specifies an VAL interval used to keep the connection alive. JWT sends keepalive packets from client to server to avoid having network devices cut due to inactivity. 0 - Disables this 0 option [1 ... MAXINT] - An integer that specifies the interval in seconds WSPUSETLS yes - Allows a TLS yes connection to the WTS through a WSP tunnel no - Allows only common RDP encryption Specifies whether to use an RDP or TLS mode in the WSP connection. DISCONNECTTIM Specifies the EOUT maximum time used to wait for a disconnect response from the WTS. 418 yes - Uses the raw RDP protocol no - Uses the HOBRDP-EXT1 protocol "default" CONNTYPE = wspdirect / wsplb 0 - Infinite timeout 10 [1 ... MAXINT] - An integer that specifies the timeout in seconds Security Solutions by HOB HOB RD VPN XML Configuration for HOBLink JWT HOBXPERTTIME OUT Specifies the maximum time used to wait for a reply from the HOB RD ES Service. 0 - Infinite timeout 10 [1 ... MAXINT] - An integer that specifies the timeout in seconds STARTUPMODE Specifies the startup mode. 
desktop - Shows the desktop entire remote desktop pubapp - Starts a published application in a single session window app - Starts an application in a single session window seamless - Embeds a published application in the local window management RDPTARGETNAM Defines an E alternate target name for the destination WTS. This parameter is only used for WSP direct connections to WTS with CredSSP Automatically if possible WSPDYNIP Specifies the IP address for WSP dynamic connect. CONNTYPE = wspsocks WSPDYNPORT Specifies the IP port for WSP dynamic connect CONNTYPE = wspsocks WSPDYNVNCSSL Specifies the use of SSL for VNC with WSP dynamic connect yes - Enables SSL no for the VNC connection no - Disables SSL for the VNC connection CONNTYPE = wspsocks WSPDYNVNCSHA Specifies the RED shared option for VNC with WSP dynamic connect. yes - Enables the VNC shared option no - Disables the VNC shared option CONNTYPE = wspsocks Security Solutions by HOB no 419 XML Configuration for HOBLink JWT HOB RD VPN 35.4 Display parameters The following are the HOBLink JWT XML configuration parameters used for Display settings. 
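The session and scheme structure of the profiles in 35.1 and 35.2 and the connection parameters listed in 35.3 can be checked mechanically before a profile is rolled out. The following Python script is an added example (it is not part of the guide or of HOBLink JWT): it resolves each active session-entry's named connection and logon schemes and reports an undefined scheme reference, a WSP connection type without a WSP, WSPUSETLS = no (only common RDP encryption inside the WSP tunnel) and an AUTOLOGON logon scheme that stores a password in the profile. It assumes that every 35.3 parameter is written as a lowercase element inside connection-entry, as the examples show for conntype, proxymode and wsplist; the sample profile is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile in the layout of sections 35.1/35.2: session1 is
# a WSP direct connection with TLS inside the tunnel disabled and a stored
# logon password; session2 refers to a connection scheme that is not defined;
# session3 is inactive and therefore ignored by the audit.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<jwt-configuration>
  <session-list>
    <session-entry>
      <name>session1</name><activate>yes</activate>
      <connection><name>Connection1</name></connection>
      <logon><name>logon1</name></logon>
    </session-entry>
    <session-entry>
      <name>session2</name><activate>yes</activate>
      <connection><name>ConnectionMissing</name></connection>
      <logon></logon>
    </session-entry>
    <session-entry>
      <name>session3</name><activate>no</activate>
      <connection><name>ConnectionMissing</name></connection>
    </session-entry>
  </session-list>
  <schemes>
    <connection-list>
      <connection-entry>
        <name>Connection1</name>
        <conntype>wspdirect</conntype>
        <ipaddress>rdpserver1</ipaddress><ipport>3389</ipport>
        <wsplist><server><ip>x.x.x</ip><port>443</port></server></wsplist>
        <wspusetls>no</wspusetls>
        <proxymode>auto</proxymode>
      </connection-entry>
    </connection-list>
    <logon-list>
      <logon-entry>
        <name>logon1</name><userid>user1</userid><domain>domain1</domain>
        <autologon>yes</autologon><password>constructed-secret</password>
      </logon-entry>
    </logon-list>
  </schemes>
</jwt-configuration>
"""

WSP_TYPES = {"wspdirect", "wsplb", "wspsocks"}
PROXY_MODES = {"auto", "no", "socks", "socks4", "http"}  # PROXYMODE values in 35.3


def child_text(elem, tag, default=""):
    """Stripped text of child <tag>; default when elem or the child is missing/empty."""
    if elem is None:
        return default
    child = elem.find(tag)
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def scheme_map(root, list_tag, entry_tag):
    """Index one <schemes> sub-list by the <name> that session entries refer to."""
    return {child_text(e, "name"): e
            for e in root.iterfind(f"schemes/{list_tag}/{entry_tag}")}


def audit_profile(xml_text):
    """Return (session, parameter, finding) tuples for the active sessions."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    connections = scheme_map(root, "connection-list", "connection-entry")
    logons = scheme_map(root, "logon-list", "logon-entry")
    findings = []
    for sess in root.iterfind("session-list/session-entry"):
        sname = child_text(sess, "name")
        if child_text(sess, "activate", "no") != "yes":
            continue  # ACTIVATE=no: this session is never started
        cname = child_text(sess.find("connection"), "name")
        conn = connections.get(cname)
        if conn is None:
            findings.append((sname, "CONNECTION", f"undefined scheme '{cname}'"))
            continue
        ctype = child_text(conn, "conntype", "direct")  # default per 35.3
        if ctype == "direct" and not child_text(conn, "ipaddress"):
            findings.append((sname, "IPADDRESS", "direct connection without target"))
        if ctype in WSP_TYPES and conn.find("wsplist/server") is None:
            findings.append((sname, "WSPLIST", f"{ctype} without any WSP"))
        # WSPUSETLS defaults to yes; 'no' leaves only common RDP encryption.
        if ctype in ("wspdirect", "wsplb") and child_text(conn, "wspusetls", "yes") == "no":
            findings.append((sname, "WSPUSETLS", "TLS through the WSP tunnel disabled"))
        if child_text(conn, "proxymode", "auto") not in PROXY_MODES:
            findings.append((sname, "PROXYMODE", "unknown proxy mode"))
        logon = logons.get(child_text(sess.find("logon"), "name"))
        if logon is not None and child_text(logon, "autologon") == "yes" \
                and child_text(logon, "password"):
            findings.append((sname, "PASSWORD", "autologon with password stored in profile"))
    return findings


if __name__ == "__main__":
    for session, param, note in audit_profile(SAMPLE_PROFILE):
        print(f"{session}: {param}: {note}")
```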
WIDTH
  Description: Width of applet area in HTML page

HEIGHT
  Description: Height of applet area in HTML page

WINDOW
  Description: Type of session window
  Values/Syntax:
    frame - Displays the session top-level window with a title and a border
    fullscreen - Displays the session in a fullscreen window
    maximized - Displays the session in a maximized top-level window with a title and a border
    applet - Displays the session in the WEB page of the browser containing the applet (deprecated)
    seamless - Use STARTUPMODE=seamless instead
  Default Value: frame
  Requirements/Limitations: STARTUPMODE = desktop / app / pubapp or TWPUREJAVA = yes

NOWARNING
  Description: Suppress warning messages such as "certificate file cannot be written"
  Values/Syntax:
    yes - Suppresses warning messages
    no - Does not suppress warning messages
  Default Value: no

GEOMX
  Description: Specifies the external X position of the session window in frame mode (can also be negative) and the internal position of the session panel in fullscreen or applet mode
  Values/Syntax:
    [MIN_INT...MAX_INT] - Position in pixels relative to the screen
    [0...100]% - Position in percent (0% is left justified, 100% is right justified)
    auto - Window is automatically adjusted
  Default Value:
    0 - If WINDOW=frame
    auto - If WINDOW=fullscreen or WINDOW=applet
  Requirements/Limitations: WINDOW = frame / fullscreen / applet

GEOMY
  Description: Specifies the external Y position of the session window in frame mode (can also be negative) and the internal position of the session panel in fullscreen or applet mode.
  Values/Syntax:
    [MIN_INT...MAX_INT] - Position in pixels relative to the screen
    [0...100]% - Position in percent (0% is top justified, 100% is bottom justified)
    auto - Window is automatically adjusted
  Default Value:
    0 - If WINDOW=frame
    auto - If WINDOW=fullscreen or WINDOW=applet
  Requirements/Limitations: WINDOW = frame / fullscreen / applet

SCREENRATIOX
  Description: Horizontal ratio of screen to be used for a session
  Values/Syntax: [10 ... 400] - An integer that specifies the ratio in percent
  Requirements/Limitations: WINDOW = frame

SCREENRATIOY
  Description: Vertical ratio of screen to be used for a session
  Values/Syntax: [10 ... 400] - An integer that specifies the ratio in percent
  Requirements/Limitations: WINDOW = frame

TITLE
  Description: String that will be assigned to title of a JWT window

SESSIONWIDTH
  Description: Width of an RDP session
  Values/Syntax: [300 ... 32767] - An integer that specifies the width in pixels
  Default Value: 800

SESSIONHEIGHT
  Description: Height of an RDP session
  Values/Syntax: [200 ... 32767] - An integer that specifies the height in pixels
  Default Value: 600

COLORDEPTH
  Description: Color depth of RDP session in bits per pixel
  Values/Syntax:
    0 - Automatic detection (uses the local depth)
    8 - Mode with 256 colors
    15 - Mode with 32768 colors
    16 - Mode with 65536 colors
    24 - Mode with 16777216 colors
    32 - Mode with 16777216 colors (including alpha)
  Default Value: 0

DISPLAYIP
  Description: Display WTS name or address in title bar of the session window
  Values/Syntax:
    yes - Displays the IP address
    no - Hides the IP address
  Default Value: yes

DISPLAYNAME
  Description: Specifies the name displayed instead of an IP address

DISPLAYEDNAME
  Description: String that contains the displayed configuration name

HIDETASKBAR
  Description: Hide the local taskbar in full screen mode
  Values/Syntax:
    yes - Hides the local taskbar to display the entire session window
    no - Does not control the local taskbar
  Default Value: no
  Requirements/Limitations: Windows OS only with native extension (JNI)

CONNBAR
  Description: Display the connection bar in fullscreen mode
  Values/Syntax:
    yes - Displays the connection bar
    no - Does not display the connection bar
  Default Value: yes
  Requirements/Limitations: WINDOW = frame / applet

ALLOWTHEMES
  Description: Allow the user to change themes in a JWT session
  Values/Syntax:
    yes - Enables themes in RDP
    no - Disables themes to reduce the bandwidth
  Default Value: yes

ALLOWBACKGROUND
  Description: Allow the user to change the wallpaper in a JWT session
  Values/Syntax:
    yes - Enables wallpaper in RDP
    no - Disables wallpaper to reduce the bandwidth
  Default Value: no

ALLOWMENUANIM
  Description: Allow the user to change menu animation in a JWT session
  Values/Syntax:
    yes - Enables menu animation in RDP
    no - Disables menu animation to reduce the bandwidth
  Default Value: yes

ALLOWSHOWCONTENT
  Description: Allow the user to change windows to "show content while dragging" in a JWT session
  Values/Syntax:
    yes - Enables the window dragging option in RDP
    no - Disables the window dragging option to reduce the bandwidth
  Default Value: yes

ALLOWCURSORSHADOW
  Description: Allow the user to use cursors with shadows in a JWT session
  Values/Syntax:
    yes - Enables cursor shadows in RDP
    no - Disables cursor shadows to reduce the bandwidth
  Default Value: no

ALLOWCURSORBLINKING
  Description: Allow the user to use blinking text cursors in a JWT session
  Values/Syntax:
    yes - Enables text cursor blinking in RDP
    no - Disables text cursor blinking to reduce the bandwidth
  Default Value: yes

ALLOWFONTSMOOTHING
  Description: Allow the user to use font smoothing in a JWT session
  Values/Syntax:
    yes - Enables font smoothing in RDP
    no - Disables font smoothing to reduce the bandwidth
  Default Value: no

ALLOWDESKTOPCOMPOSITION
  Description: Allow the user to enable desktop composition
  Requirements/Limitations: This feature is under development

NOERRDLG
  Description: Do not show an error dialog (e.g. if you use PowerFuse and log off, PF disconnects you at once and logs you off in the background).
  Values/Syntax:
    yes - Avoids RDP errors being displayed
    no - Shows every error
  Default Value: no

SHOWDISCREASON
  Description: Specifies if the disconnect reason message is displayed (e.g. if PowerFuse=no then disconnects immediately and logs off in the background)
  Values/Syntax:
    yes - Displays all disconnect reasons
    no - Hides disconnect reasons
  Default Value: yes

SCREEN
  Description: The screen where the JWT window is displayed
  Values/Syntax:
    -1 - Displays session on the current screen
    0 - Displays session on both screens
    1 - Displays session on main screen
    2 - Displays session on second screen
  Default Value: -1

X11RDPUI
  Description: Controls the use of the RDP graphics extension for X11 based systems
  Values/Syntax:
    yes - Use the native extension
    no - Use the platform independent implementation
  Default Value: yes
  Requirements/Limitations: X11 based OS with native extension (JNI)

WINRDPUI
  Description: Controls the use of the RDP graphics extension for Windows OS systems
  Values/Syntax:
    yes - Use the native extension
    no - Use the platform independent implementation
  Default Value:
    yes - If BETATEST = yes
    no - Otherwise
  Requirements/Limitations: X11 based OS with native extension (JNI)

MACMENUBARMODE
  Description: Controls the behavior of the menu bar for Mac OS X in a fullscreen session
  Values/Syntax:
    below - Places the fullscreen window below the menubar
    hidden - Hides the menubar
    auto - Hides and shows the menubar automatically
  Default Value: hidden
  Requirements/Limitations: WINDOW = fullscreen; Mac OS only with native extension (JNI)

TRYOUTINFO
  Description: Indicates whether to show the tryout box within the tryout period
  Values/Syntax:
    yes - Shows the tryout info box
    no - Hides the tryout info box
  Default Value: yes

TWPUREJAVA
  Description: Controls the use of TrueWindows PureJava if native support is available
  Values/Syntax:
    yes - Use TrueWindows Pure Java instead of a native extension
    no - Use the native extension if available
  Default Value: no

RDPUSEMONITORLAYOUT
  Description: Enables support that advertises a local monitor layout to the WTS
  Values/Syntax:
    yes - Transmits the local monitor layout to the WTS
    no - Uses the single monitor layout mode on the WTS
  Default Value: yes

STARTDIALOGX
  Description: Controls the X position of the startup dialog (can also be negative)
  Values/Syntax:
    [MIN_INT...MAX_INT] - Position in pixels relative to the screen
    [0...100]% - Position in percent (0% is adjusted left, 100% is adjusted right)
    auto - Window automatically adjusted
  Default Value: auto
  Requirements/Limitations: STARTUPMODE = seamless

STARTDIALOGY
  Description: Controls the Y position of the startup dialog (can also be negative)
  Values/Syntax:
    [MIN_INT...MAX_INT] - Position in pixels relative to the screen
    [0...100]% - Position in percent (0% is adjusted top, 100% is adjusted bottom)
    auto - Window automatically adjusted
  Default Value: auto

STARTDIALOGBANNER
  Description: Specifies an alternative banner (image) in the start dialog
  Values/Syntax:
    Syntax:
      PARAM = KEY=VALUE
      STARTDIALOGBANNER = [STARTDIALOGBANNER[,PARAM]]
    Values:
      url - The URL of the image (supported formats are GIF, JPG and PNG)
      scale - Scale mode (no or ninegrid)
      ng.top - Upper part of the ninegrid transformation in pixels
      ng.left - Left part of the ninegrid transformation in pixels
      ng.bottom - Lower part of the ninegrid transformation in pixels
      ng.right - Right part of the ninegrid transformation in pixels
      bgcolor - RGB background color value in the form "0xRRGGBB"
      min.width - Minimum width of the image in pixels
      min.height - Minimum height in pixels
      align.h - Horizontal alignment (left|center|right)
      align.v - Vertical alignment (top|center|bottom)
    Example: url=http://domain.example/banner.jpg, min.width=600, bgcolor=0xffffff

STARTDIALOGPOPUPTIME
  Description: Maximum time to wait until the startup dialog is shown while the connection is being established
  Values/Syntax:
    -1 - An infinite timeout
    0 - Shows the dialog immediately
    [1...MAXINT] - An integer that specifies a timeout in milliseconds
  Default Value: 1000

DISABLEDSESSIONDISPLAYMODE
  Description: Controls the display mode of a disabled session
  Values/Syntax:
    grayscale - Displays a grayscaled image of the current session screen
    black - Displays a black background
  Default Value: grayscale

35.5 Logon parameters

The following are the HOBLink JWT XML configuration parameters used for Logon settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

USERID
  Description: User name on WTS

PASSWORD
  Description: Password on WTS

DOMAIN
  Description: Domain for user on WTS

AUTOLOGON
  Description: Login automatically to the WTS
  Values/Syntax:
    yes - Enables automatic login
    no - Disables automatic login
  Default Value: no

SINGLESIGNON
  Description: Use HOB Single-sign-on
  Values/Syntax:
    yes - Uses Single-sign-on credentials
    no - Uses credentials of the profile
  Default Value: no

WSP_USERID
  Description: User ID for login to WSP
  Requirements/Limitations: WSPAUTH = yes

WSP_PASSWORD
  Description: Password for login to WSP
  Requirements/Limitations: WSPAUTH = yes

USE_WSP_ACCOUNT
  Description: Inherit User ID/Password from login to WSP for TS
  Values/Syntax:
    yes - Uses WSP credentials for TS login
    no - Does not change TS login settings
  Default Value: no
  Requirements/Limitations: WSPAUTH = yes

SSO_TOKEN
  Description: Password token for login to WSP
  Requirements/Limitations: WSPAUTH = yes

CERTFILE
  Description: Controls if the TS license is saved in the local registry
  Values/Syntax:
    yes - Saves an incoming TS license in the registry
    no - Never save such licenses
  Default Value: yes

TIMEZONEOFFSET
  Description: Specifies the raw offset from GMT in minutes. The offset is automatically detected if not specified.
  Values/Syntax: [-720 ... +720] - An integer that specifies the raw offset from GMT in minutes

LBQUERYUSER
  Description: Controls if the user is asked for credentials for load balancing if no user name is configured
  Values/Syntax:
    yes - Asks the user for their credentials
    no - Does not ask the user for credentials
  Default Value: yes
  Requirements/Limitations: CONNTYPE = loadbalancing; USERID and PASSWORD

WSPDYNVNCPASSWORD
  Description: Specifies the VNC password for WSP dynamic connect
  Requirements/Limitations: CONNTYPE = wspsocks

35.6 Security parameters

The following are the HOBLink JWT XML configuration parameters used for Security settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

SECPROFILEURL
  Description: Specifies the URL to request the XML configuration
  Values/Syntax:
    An absolute URL or a path relative to the applet code base.
    Example: https://domain.example/requesthandler.sync?id=profile001 or ../requesthandler.sync?id=profile001
  Requirements/Limitations: HTML Applet tag parameter. Web mode of JWT only (Applet). SECPROFILEPARAMS

SECPROFILEPARAMS
  Description: Specifies the security parameters to request the XML configuration
  Values/Syntax:
    Syntax:
      CSS = cs[:CSS]
      CMS = cm[:CMS]
      PARAM = CSS | mod | exp | rand | CMS
      SECPROFILEPARAMS = [PARAM[,SECPROFILEPARAMS]]
    Values:
      cs - The cipher suites supported by the server ("AES-128", "AES-256", "RC4-128", "RC4-256"). The delimiter is ":"
      mod - RSA modulus in hexadecimal format
      exp - RSA public exponent in hexadecimal format
      rand - A random number generated by the server (should equal the generated key)
      cm - (Optional) The compression algorithms supported by the server ("raw", "gzip", "zlib"). The delimiter is ":"
    Example: "cs=AES-128, mod=0xcf...11, exp=0x010001, rand=0x9d...af"
  Requirements/Limitations: HTML Applet tag parameter. Web mode of JWT only (Applet). SECPROFILEURL

SERVERCERTIFICATES
  Description: Indicates if the SSL files shall be downloaded from the web server
  Values/Syntax:
    yes - Loads SSL files from server from location "$CODEBASE$/$SSLFILE$.[cfg | cdb | pwd]"
    no - Loads SSL files from local system from location "$SSLDIR$/$SSLFILE$.[cfg | cdb | pwd]"
  Default Value: yes
  Requirements/Limitations: Web mode of JWT only (Applet)

SSLDIR
  Description: The directory of the SSL files
  Default Value: "$USERHOME$/hob/jwt"

SSLFILE
  Description: The name of the SSL files (certificate database, configuration and password)
  Default Value: "hclient"

SSLFILERDP
  Description: SSL file pattern for RDP-TLS (certificate database, configuration and password)
  Default Value: "hclient"

SSLDUMMY
  Description: Runs a WSP connection without SSL encryption
  Values/Syntax:
    yes - Uses an unencrypted connection
    no - Uses an encrypted connection
  Default Value: no

RDPSECURITYMODE
  Description: Allows a fixed security layer to be used without negotiation
  Values/Syntax:
    negotiate - Negotiates the best RDP security between client and server
    rdp - Forces the client to use the standard RDP security layer only
    tls - Forces the client to use the TLS security layer only
    credssp - Forces the client to use the CredSSP security layer only
  Default Value: negotiate

RDPSECURITYLAYER
  Description: Controls and limits the used and allowed RDP Security Layers. It allows an order and combination of such layers to be specified.
  Values/Syntax:
    Syntax:
      LAYER = [rdp or tls or credssp]
      LAYERS = LAYER[+LAYERS]
      RDPSECURITYLAYER = LAYERS[,RDPSECURITYLAYER]
    Values:
      rdp - Uses the standard RDP security layer
      tls - Uses the TLS security layer
      credssp - Uses the CredSSP security layer with preceding authentication
    Example:
      "credssp" - Allows CredSSP connections only
      "rdp,tls+credssp" - Tries RDP Security as first and TLS or CredSSP as second
  Default Value:
    "credssp,rdp+tls" - If SINGLESIGNON = yes
    "rdp+credssp,tls" - If VERIFYLOGIN = yes
    "rdp,tls+credssp" - Otherwise
  Requirements/Limitations: RDPSECURITYMODE = negotiate

35.7 Keyboard & Mouse parameters

The following are the HOBLink JWT XML configuration parameters used for Keyboard & Mouse settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

DISABLEALTGR
  Description: Send CTRL+ALT rather than AltGr (input assistance for handicapped users).
  Values/Syntax:
    yes - Sends CTRL+ALT to the WTS if the user presses AltGr
    no - Sends AltGr to the WTS
  Default Value: no

ACTIVATENUMLOCK
  Description: Switch on NumLock at connection start
  Values/Syntax:
    yes - Activates NumLock
    no - Deactivates NumLock
  Default Value: Does not change the NumLock state

KEYBOARDLAYOUT
  Description: Name of the requested keyboard layout
  Values/Syntax: default, arabicegypt, bulgarian, canadian, chinese, croatian, czech, danish, dutch, australian, uk, us, finnish, flemish, french, belgian, frenchcanadian, frenchcanadianstandard, swissfrench, german, swissgerman, greek, hebrew, hungarian, icelandic, italian, japanese, japanese_ime, korean, norwegian, polish, polish214, portuguese, brazil, romanian, russian, slovak, slovenian, spanish, spanishlatin, swedish, thai, turkishf, turkishq, ukrainian
  Default Value: default

LOCKMODE
  Description: Workaround for keyboard problems with locking keys (Caps-, Scroll- and NumLock) with some Java VMs
  Values/Syntax:
    yes - Enables workaround to correct wrong key events
    no - Disables workaround
  Default Value: no

SWAPMOUSEBUTTONS
  Description: Swap left and right mouse buttons (if you have a left-handed profile both on local OS and WTS)
  Values/Syntax:
    yes - Swaps left and right mouse buttons
    no - Does not change the mouse buttons
    auto - Swaps the mouse buttons depending on the local system settings
  Default Value: no
  Requirements/Limitations: Automatic detection is not yet available on all platforms

ENABLEKEYPAD
  Description: Controls if keypad can be launched via CTRL+ALT+K (or a self-defined hotkey)
  Values/Syntax:
    yes - Allows the user to open the keypad
    no - Prevents the user from opening the keypad
  Default Value: no

KEYBOARDHOOK
  Description: Specifies how to redirect Windows key combinations
  Values/Syntax:
    0 - Disables Windows Keyboard hook
    1 - Uses Keyboard hook without redirecting Windows key combinations
    2 - Uses Keyboard hook and redirects all Windows key combinations
    3 - Uses Keyboard hook and redirects all Windows key combinations in full screen mode
  Default Value: 3
  Requirements/Limitations: Windows OS only with native extension (JNI)

KEYCOMBINATIONS
  Description: Comma separated values for hotkeys
  Values/Syntax:
    Syntax:
      HOTKEY = MODIFIERS,VIRTUALKEY
      KEYCOMBINATIONS = [HOTKEY[,KEYCOMBINATIONS]]

DRAGANDDROP
  Description: Controls if drag & drop is enabled
  Values/Syntax:
    yes - Enables drag & drop between TrueWindows and local applications
    no - Disables drag & drop
  Default Value: yes
  Requirements/Limitations: STARTUPMODE = seamless. This feature is under development

DIRECTKEYMAPPING
  Description: Enables non-client keyboard mode
  Values/Syntax:
    yes - Sends keys directly to WTS and ignores the local keyboard layout
    no - Translates keys from the local keyboard layout to the server layout
  Default Value: no

USEUNICODEINPUT
  Description: Enables support for Unicode input events. This allows for the support of local keyboard characters not supported by the Windows keyboard layout.
  Values/Syntax:
    yes - Sends the unicode character output of the local key combination if the character is not supported by the Windows layout
    no - Sends the scancodes of the local key combination if the character is not supported by the Windows layout
  Default Value: no
  Requirements/Limitations: DIRECTKEYMAPPING = no

MACONEBUTTONMOUSE
  Description: Enable right mouse button emulation on a Mac. A combination of a control key and mouse click can be used to emulate a right mouse button.
  Values/Syntax:
    yes - Enables this option
    no - Disables this option
  Default Value:
    yes - If the current mouse is a single button mouse
    no - Otherwise
  Requirements/Limitations: Mac OS only

MACCONTROLKEYMAPPING
  Description: Mapping of the Mac OS specific ControlKey
  Values/Syntax:
    ctrl - Maps this key to Control (left and right)
    winkey - Maps this key to Windows keys (left and right)
    auto - Maps to Control if a One-Button-Mouse is used, otherwise the Windows key is used
  Default Value: auto
  Requirements/Limitations: Mac OS only

35.8 Resources parameters

The following are the HOBLink JWT XML configuration parameters used for Resources settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

COMPUTERNAME
  Description: Overrides the local computer name (used for TS licensing). This parameter affects the TS licensing protocol and is the name of the subject in the TS license.
  Default Value: The local computer name

CLIENTNAME
  Description: Specifies the name of the client. This parameter affects the client name displayed in the Task Manager and the location name of redirected devices, e.g. printers.
  Default Value: Value of COMPUTERNAME

AUTOMAPPRT
  Description: Map printers automatically
  Values/Syntax:
    all - Includes all local printers
    default - Includes local default printer
    no - Uses configured printers only
  Default Value: all
  Requirements/Limitations: Windows OS only with native extension (JNI)

AUTOMAPPRTPATTERN
  Description: A pattern for printer names of automatically mapped printers
  Values/Syntax:
    Syntax:
      TEXT = any string (system properties are possible)
      KEY = "<NAME>"
      PATTERN = [TEXT]KEY[:PATTERN]
    Example: "<NAME> (%USERNAME%@%USERDNSDOMAIN%)"
  Default Value: "<NAME>"
  Requirements/Limitations: AUTOMAPPRT = all / default

DEFAULTPRINTER
  Description: Name of printer to be the default in a WTS session. It can be either the name of a preconfigured printer or a system printer.
  Requirements/Limitations: For system printer - AUTOMAPPRT = all / default

HOBPPMHIDESESSIONID
  Description: Specifies if the session ID should be a part of the printer name
  Values/Syntax:
    yes - Hides the session ID to keep the printer name constant
    no - Assigns the session ID to the printer name in the session
  Default Value: no

EASYPRINTIMPL
  Description: Specifies the default Easy Print implementation
  Values/Syntax:
    auto - Uses automatic detection for the implementation used
    native - Uses the native implementation (if supported)
    java2d - Uses the standard Java printing API
    java2d_img - Uses the standard Java printing API with complete images (slow and high memory usage)
  Default Value: auto

CLIPBOARD
  Description: Enables clipboard support
  Values/Syntax:
    0 - Disabled
    1 - Text only
    2 - Full support (Windows only)
  Default Value: 1
  Requirements/Limitations: Full support on Windows OS only with native extension (JNI)

NATIVECLIPBOARD
  Description: Use native clipboard (for complete format support)
  Values/Syntax:
    yes - Uses the native clipboard extension
    no - Uses the Java clipboard
  Default Value: yes
  Requirements/Limitations: Windows OS only with native extension (JNI)

CLIPBOARDAUTOMAPDRIVE
  Description: Specifies if the dynamic mapping of a local drive for file clipping support is allowed
  Values/Syntax:
    never - Never allows a dynamic drive to be mapped
    always - Maps all dynamic drives without prompting
  Default Value:
    never - If AUTOLDM = no
    always - If AUTOLDM = yes

TWAUTOMAPDRIVE
  Description: Specifies if the dynamic mapping of a local drive (in a running session) is allowed
  Values/Syntax:
    never - Never allows a dynamic drive to be mapped
    ask - Asks the user to map a dynamic drive
    always - Maps all dynamic drives without prompting
  Default Value:
    never - If AUTOLDM = no
    ask - If AUTOLDM = yes

LDMREDIRECTOR
  Description: Specifies the default redirector for local drive mapping
  Values/Syntax:
    hob - HOB Enhanced Local Drive Mapping
    ms - Standard Local Drive Mapping
  Default Value: ms

PRTREDIRECTOR
  Description: Specifies the default redirector for printer port mapping
  Values/Syntax:
    hob - HOB Printer Port Mapping
    ms - Standard Printer Port Mapping
  Default Value: ms

PRINTDLGMODE
  Description: Specifies the default print dialog for Easy Print
  Values/Syntax:
    system - Uses the system default print dialog
    limited - Uses a limited print dialog
  Default Value: limited

AUTOLDM
  Description: Automatically map local drives
  Values/Syntax:
    yes - Maps all drives with the redirector specified in LDMREDIRECTOR
    ms - Maps all drives via Standard Local Drive Mapping
    hob - Maps all drives via HOB Enhanced Local Drive Mapping
    no - Does not map any drives
  Default Value: no

LDMSTRICTCASESENSITIVITY
  Description: Use strict case-sensitivity on case-sensitive file systems in Local Drive Mapping
  Values/Syntax:
    yes - Enables strict case-sensitivity (some server applications may have problems)
    no - Uses an eased case-sensitivity
  Default Value: no
  Requirements/Limitations: Unix based OS only (includes Mac OS)

TWAIN
  Description: Enables the TWAIN redirection to support scanners
  Values/Syntax:
    yes - Enables TWAIN
    no - Disables TWAIN
  Default Value: no
  Requirements/Limitations: Windows OS only with native extension (JNI). HOB Enhanced Terminal Services on WTS

SANEIP
  Description: The IP address of the SANE daemon
  Default Value: "localhost"
  Requirements/Limitations: TWAIN = yes

SANEPORT
  Description: The IP port of the SANE daemon
  Values/Syntax: [0 ... 65535] - An integer that specifies the IP port
  Default Value: 6566
  Requirements/Limitations: TWAIN = yes

SMARTCARD
  Description: Enables the Smartcard redirection
  Values/Syntax:
    yes - Enables access to local Smartcards
    no - Disables access to local Smartcards
  Default Value: no
  Requirements/Limitations: Windows OS only with native extension (JNI)

DEVICELIST
  Description: A definition of redirected devices (printers, drives and ports)
  Values/Syntax:
    Syntax:
      DEVTYPE = "[prt]" | "[com]" | "[lpr]" | "[pcl]" | "[ipp]" | "[drv]" | "[par]"
      DEVPARAM = KEY=VALUE
      DEVPARAMLIST = [DEVPARAM[,DEVPARAMLIST]]
      DEVICELIST = DEVTYPE[DEVPARAMLIST][DEVICELIST]
    Example: "[drv]localpath=C: [pcl]name=SamplePrinter, driver="HP DeskJet 1120C", printer=default"

AUDIODEVOUT
  Description: Specifies the audio output system (playback)
  Values/Syntax:
    rdpsound - Uses the standard RDP audio
    hobaudio - Uses HOB audio
    no - Disables audio
  Default Value: rdpsound

AUDIODEVIN
  Description: Specifies the audio input system (recording)
  Values/Syntax:
    rdpsound - Uses the standard RDP audio
    hobaudio - Uses HOB audio
    no - Disables audio
  Default Value: no

RDPSOUNDCHANNEL
  Description: Specifies if audio data are sent with UDP or as a virtual channel over a normal RDP connection
  Values/Syntax:
    udp - Uses UDP to transport the audio data
    vc - Uses a channel within the RDP connection to transport the audio data
  Default Value: udp
  Requirements/Limitations: AUDIODEVOUT = rdpsound

VCFILENAMES
  Description: A comma-separated list of DLLs and Java Classes supporting either the MS Virtual Channel interface or the HOB Java Virtual Channel interface
  Values/Syntax:
    Syntax:
      FILENAME = DLLFILE|CLASSFILE
      VCFILENAMES = [FILENAME[,VCFILENAMES]]
    Example: C:\Virtual Channels\vc.dll, com.company.product.vc.VC.class
  Requirements/Limitations: MS Virtual Channels on Windows OS only with native extension (JNI). Java Virtual Channels must be accessible by class path

VCWEBLIBS
  Description: A comma-separated list of virtual channel key names for the WEB mode
  Values/Syntax:
    Syntax: VCWEBLIBS = [KEYNAME[,VCWEBLIBS]]
    Example: hob.hltc.vc.speechmike
  Requirements/Limitations: Web mode of JWT only. MS Virtual Channels on Windows OS only with native extension (JNI). Java Virtual Channels must be accessible by class path

VCREADREG
  Description: Tells if the registry should be read to retrieve virtual channels
  Values/Syntax:
    yes - Loads MS Virtual Channels registered in the Windows registry
    no - Does not load such channels
  Default Value: no
  Requirements/Limitations: Windows OS only with native extension (JNI)

VCOPT
  Description: A parameter used as a prefix for a virtual channel option
  Values/Syntax: Syntax: VCOPT.<channel>.<option>=<value>

JARFILEFILTER
  Description: A list of filename filters to specify the resources that should be loaded via a JAR file
  Values/Syntax:
    Syntax:
      FILEPATTERN = A file name or a pattern.
      JARFILEFILTER = [FILEPATTERN[;JARFILEFILTER]]
    Example: "*.jpg; *.xml"
  Requirements/Limitations: HTML Applet tag parameter. Web mode of JWT only (Applet)

LOOKANDFEEL
  Description: Specifies the used Swing Look & Feel
  Values/Syntax: Example: "javax.swing.plaf.metal.MetalLookAndFeel"
  Requirements/Limitations: HTML Applet tag parameter. Web mode of JWT only (Applet). Swing Look & Feel must be available in Java runtime

35.9 Logging parameters

The following are the HOBLink JWT XML configuration parameters used for Logging settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

DOTRACE
  Description: Creates an encrypted trace file with all connection data
  Values/Syntax:
    yes - Writes a trace file to "$USERHOME$/hob/jwt/jwt_$PROFILE$.log.hcrypt"
    no - Disables tracing
  Default Value: no

TRACEFILE
  Description: Specifies the pathname of the trace file
  Values/Syntax:
    The file can be an absolute or relative pathname. It is possible to insert patterns for environment variables.
    Example: "%TEMP%/jwt_trace.log.hcrypt"
  Default Value: "$USERHOME$/hob/jwt/jwt_$PROFILE$.log.hcrypt"
  Requirements/Limitations: DOTRACE = yes

METERINGIP
  Description: Name or IP address of metering server

METERINGPORT
  Description: IP port of metering server
  Values/Syntax: [0 ... 65535] - An integer that specifies the IP port
  Default Value: 13270
  Requirements/Limitations: METERINGIP

METERINGTYPE
  Description: The type of the metering protocol
  Values/Syntax:
    tcp - Uses TCP based protocol
    udp - Uses UDP based protocol
    both - Uses TCP and UDP
  Default Value: udp

TRACELEVEL
  Description: Trace level used in debug versions and for audio
  Values/Syntax: [0 ... 10] - A higher value increases the traced amount of data
  Default Value: 0

TRACEKEYBOARD
  Description: Enables the keyboard trace. The output messages are directed to the session trace file.
  Values/Syntax:
    yes - Enables keyboard trace messages
    no - Disables keyboard trace messages
  Default Value: no
  Requirements/Limitations: DOTRACE = yes

DEBUGHOBAUDIO
  Description: Enables debugging for HOB audio
  Values/Syntax:
    yes - Enables debugging options
    no - Disables debugging options
  Default Value: no

DEBUGKEYBOARD
  Description: Enables keyboard debugging
  Values/Syntax:
    yes - Enables debugging options
    no - Disables debugging options
  Default Value: no

TRACEKEYBOARDFILE
  Description: Traces the downloaded keyboard file. The output messages are directed to the session trace file.
  Values/Syntax:
    yes - Enables trace option
    no - Disables trace option
  Default Value: no
  Requirements/Limitations: DOTRACE = yes

MEASURETRAFFIC
  Description: Specifies whether to write a CSV file with information about bytes sent and received
  Values/Syntax:
    yes - Writes a file containing statistical information to "$USERHOME$/hob/jwt/jwt_$PROFILE$.csv"
    no - Does nothing
  Default Value: no

MEASURETRAFFICTIME
  Description: Specifies an interval in seconds to create a further entry in the CSV file
  Values/Syntax: [1 ... MAXINT] - An integer that specifies the interval in seconds
  Default Value: 60
  Requirements/Limitations: MEASURETRAFFIC = yes

35.10 Control parameters

The following are the HOBLink JWT XML configuration parameters used for Control settings. Each entry lists the Name, Description, Values/Syntax, Default Value and Requirements/Limitations.

ADJUSTMENT
  Description: Limits the parameters that can be changed by the user
  Values/Syntax:
    all - All options enabled
    minimal - Enables the options KEYBOARD, KEYBOARDHOOK, SESSIONWIDTH, SESSIONHEIGHT, SCREENRATIO, SCREENRATIOX and SCREENRATIOY.
  Default Value: all
no - No options enabled ADJUSTMENTOP A commaTIONS separated list of parameters that can be adjusted by the user. It can be used in combination with the parameter ADJUSTMENT. 440 Default Value Requirements/ Limitations These prefixes can be used to control a single option: "+": enables adjustment "-": disables adjustment "!": enables adjustment without caching "*": enables an open editable choice These postfixes can be used to control a single option: "[VALUE,...]" Syntax: VARIABLE = [+||!|*]KEY[VALUE,...] ADJUSTMENTOPTI ONS = [VARIABLE[,ADJUS TMENTOPTIONS]] Example: "+KEYBOARD, COLORDEPTH, !WINDOW, USERID[Administrat or, Demo1, User2], *DOMAIN[DOM1, DOM2]" Security Solutions by HOB HOB RD VPN XML Configuration for HOBLink JWT SHUTDOWN Executes a system shutdown after the last session has been finished and exits the current process HOMEDIR Name of home directory (which is the default path for SSL files, traces, DLLs, etc.) PROFILEBASE Alternative URL of the profile base directory yes - Executes the no shutdown command after session end no - Does nothing Administrative privileges for shutdown are required Windows OS (NT based) - executes 'shutdown.exe /L / Y /T:0' or 'shutdown.exe /s /f /t 0' Windows OS (9x) executes 'RUNDLL32 SHELL32.DLL,SH ExitWindowsEx 5' Unix - executes 'shutdown -h' The codebase of HTML Applet tag the applet parameter. Web mode of JWT only (Applet) EXECUTEAFTERJ Controls the use of WT the JavaScript function ExecuteAfterJWT no yes - Executes function "ExecuteAfterJWT" after all sessions are closed no - Does nothing HTML Applet tag parameter. Web mode of JWT only (Applet) JAVASCRIPTEVE Controls the use of NTHANDLER the JavaScript function EventHandlerJWT yes - Passes JWT no events to the function "EventHandlerJWT" no - Does nothing HTML Applet tag parameter. 
Web mode of JWT only (Applet) DISKCACHEPATH Directory of the persistent bitmap cache EXPERTS "$USERHOME$/ hob/jwt" Allows all parameters to be set in a single string ALLOWCLOSEWI Controls if closing yes - Allows the user yes N of the session to disconnect the window is allowed session no - Prevents the user disconnecting the session to force a session logoff RDPAUTORECON Controls the ask - Asks the user to ask NECT automatic reconnect reconnect function no - Disables automatic reconnect Security Solutions by HOB 441 XML Configuration for HOBLink JWT 442 HOB RD VPN ENVMENTVARIAB Comma separated LES commands to set environments values if not yet existing. Optionally a "+" to append a value, "-" to delete a value and "!" to overwrite an existing value can be assigned Syntax: VARIABLE = [+||!]KEY[=VALUE] ENVMENTVARIABL ES = [VARIABLE[,ENVME NTVARIABLES]] RDPOPTIONS Enables the UI panel to change RDP specific options yes - Allows the user to change some RDP options no - Disables this UI VERIFYLOGIN Verifies that the login credentials specified for an automatic login are correct yes - Aborts the RDP no session if the login fails no - Uses the default behavior Windows OS only with native extension (JNI) yes - if CONNTYPE = direct and AUTOCON = no no - Otherwise Requires SP1 for Windows Server 2003. Requires CredSSP support for Windows Server 2008. AUTOLOGON = yes SSLDIR, SSLFILE, SSLFILERDP Security Solutions by HOB HOB RD VPN XML Configuration for HOBLink JWT 35.11 Optimization parameters The following are the HOBLink JWT XML configuration parameters used for Optimization settings. 
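Before the optimization parameters, an added worked example (not HOB code) for the ADJUSTMENTOPTIONS grammar given in the control parameters of Section 35.10 above: it splits the option string, applies the "+", "-", "!" and "*" prefixes and the "[VALUE,...]" postfix, and combines the result with the ADJUSTMENT base set (all, minimal, no), so an administrator can check which settings a user of a given JWT profile can actually change and which ones ("*") accept an arbitrary typed value. Two assumptions the manual does not state, marked in the code as well: a key without a prefix behaves like "+", and an explicit ADJUSTMENTOPTIONS entry overrides the ADJUSTMENT base set.

```python
"""Parse and evaluate HOBLink JWT ADJUSTMENT / ADJUSTMENTOPTIONS settings.

Added example, not HOB code. Implements the grammar from the control
parameter table:
    VARIABLE = [+|-|!|*]KEY[VALUE,...]
    ADJUSTMENTOPTIONS = [VARIABLE[,ADJUSTMENTOPTIONS]]
Assumptions (not stated by the manual): a KEY without a prefix is treated
like "+", and an explicit entry overrides the ADJUSTMENT base set.
"""

PREFIXES = {"+": "adjustable", "-": "fixed",
            "!": "adjustable-nocache", "*": "open-choice"}

# Options enabled by ADJUSTMENT = minimal, as listed in the table.
MINIMAL_SET = frozenset({"KEYBOARD", "KEYBOARDHOOK", "SESSIONWIDTH",
                         "SESSIONHEIGHT", "SCREENRATIO", "SCREENRATIOX",
                         "SCREENRATIOY"})


def split_top_level(spec):
    """Split on commas that are not inside a [VALUE,...] postfix."""
    items, buf, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth = max(0, depth - 1)
        if ch == "," and depth == 0:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_adjustment_options(spec):
    """Return {KEY: (mode, [values])} for an ADJUSTMENTOPTIONS string."""
    spec = spec.strip().strip('"')          # the manual quotes the whole string
    rules = {}
    for item in split_top_level(spec):
        prefix = "+"                          # assumption: no prefix means "+"
        if item[0] in PREFIXES:
            prefix, item = item[0], item[1:]
        values = []
        if "[" in item:
            if not item.endswith("]"):
                raise ValueError("unterminated value list in %r" % item)
            item, raw = item[:-1].split("[", 1)
            values = [v.strip() for v in raw.split(",") if v.strip()]
        key = item.strip().upper()
        if not key:
            raise ValueError("empty key in ADJUSTMENTOPTIONS")
        rules[key] = (PREFIXES[prefix], values)
    return rules


def is_adjustable(key, adjustment, rules):
    """Can the user change KEY, given ADJUSTMENT and the parsed ADJUSTMENTOPTIONS?"""
    key = key.upper()
    if key in rules:                          # assumption: explicit entry wins
        return rules[key][0] != "fixed"
    if adjustment == "all":
        return True
    if adjustment == "minimal":
        return key in MINIMAL_SET
    if adjustment == "no":
        return False
    raise ValueError("unknown ADJUSTMENT value %r" % adjustment)


def free_text_options(rules):
    """Keys the user may set to any value ("*" prefix): review these in a hardened profile."""
    return sorted(k for k, (mode, _) in rules.items() if mode == "open-choice")


if __name__ == "__main__":
    example = ('"+KEYBOARD, COLORDEPTH, !WINDOW, USERID[Administrator, Demo1, User2], '
               '*DOMAIN[DOM1, DOM2]"')
    parsed = parse_adjustment_options(example)
    for k, (mode, vals) in parsed.items():
        print(k, mode, vals)
    print("free-text options:", free_text_options(parsed))
```

Run against the manual's own example string, the parser reports USERID as a fixed choice list (Administrator, Demo1, User2) but DOMAIN as an open choice, which is exactly the entry a reviewer wants to notice when the profile is meant to pin users to a known set of domains.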
QUEUE_EVENTS
  Description: Queues mouse and keyboard events rather than sending each in a separate block.
  Values/Syntax: yes - Collects up to 10 input events within a time window of 50 milliseconds; no - Disables the event queue
  Default: no

MOUSEMOVES
  Description: Sends mouse motion events to the WTS.
  Values/Syntax: yes - Sends all mouse events to the server; no - Sends only mouse click events to the server
  Default: yes

REFRESHRATE
  Description: Specifies the time within which at least one screen update will be made.
  Values/Syntax: [0 ... 10000] - An integer that specifies the time in milliseconds
  Default: 150

HARDDISKCACHESIZE
  Description: Size of the persistent bitmap cache.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the maximum size in KBytes
  Default: 0

CACHE0SIZE
  Description: Number of entries in memory cache 0 (up to 16x16 pixels).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the cache size in elements

CACHE1SIZE
  Description: Number of entries in memory cache 1 (up to 32x32 pixels).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the cache size in elements

CACHE2SIZE
  Description: Number of entries in memory cache 2 (up to 64x64 pixels).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the cache size in elements

NOSHAREDEVIATION
  Description: The threshold that specifies when to use session sharing and when to start a new Windows session.
  Values/Syntax: [0 ... 100] - An integer that specifies a threshold in percent
  Default: 0
  Requirements/Limitations: CONNTYPE = loadbalancing / wsplb / wspsocks

HOBPPMCOMPRESSION
  Description: Enables compression for the HOB Printer Port Mapping.
  Values/Syntax: yes - Enables ZLIB compression; no - Disables compression
  Default: yes

MEMORYCACHESIZE
  Description: Specifies the size of the RDP bitmap cache.
  Values/Syntax: 0 - Uses default settings; [1 ... MAXINT] - An integer that specifies the size in KBytes
  Default: 8000

OFFSCREENCACHESIZE
  Description: Specifies the size of the RDP offscreen bitmap cache.
  Values/Syntax: 0 - Uses default settings; [1 ... MAXINT] - An integer that specifies the size in KBytes
  Default: 2560

NINEGRIDCACHESIZE
  Description: Specifies the size of the RDP ninegrid bitmap cache.
  Values/Syntax: 0 - Uses default settings; [1 ... MAXINT] - An integer that specifies the size in KBytes
  Default: 2560

CONFIGVERSION
  Description: Integer containing the configuration version number.

HOBAUDIORATEOUT
  Description: Specifies the bandwidth available to HOB audio for data transmission from server to client.
  Values/Syntax: 0 - Automatic detection; [1 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: 0
  Requirements/Limitations: AUDIODEVOUT = hobaudio

HOBAUDIORATEOUTMIN
  Description: Specifies the minimum bandwidth available to HOB audio for data transmission from server to client.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: 0
  Requirements/Limitations: HOBAUDIORATEOUT = 0

HOBAUDIORATEOUTMAX
  Description: Specifies the maximum bandwidth available to HOB audio for data transmission from server to client.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: MAXINT
  Requirements/Limitations: HOBAUDIORATEOUT = 0

HOBAUDIORATEIN
  Description: Specifies the bandwidth available to HOB audio for data transmission from client to server.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: Automatic detection
  Requirements/Limitations: AUDIODEVIN = hobaudio

HOBAUDIORATEINMIN
  Description: Specifies the minimum bandwidth available to HOB audio for data transmission from client to server.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: 0
  Requirements/Limitations: HOBAUDIORATEIN = 0

HOBAUDIORATEINMAX
  Description: Specifies the maximum bandwidth available to HOB audio for data transmission from client to server.
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the bandwidth in bytes per second
  Default: MAXINT
  Requirements/Limitations: HOBAUDIORATEIN = 0

VCFREELIBRARY
  Description: Specifies whether a virtual channel library should be unloaded after a session disconnect. Some third-party channels are not designed to be unloaded.
  Values/Syntax: yes - Unloads the channel from the JWT process; no - Does not unload the library
  Default: yes
  Requirements/Limitations: Native MS Virtual Channel support

VCSENDPRIORITY
  Description: Specifies the thread priority of the thread used in a virtual channel extension to send data to the WTS.
  Values/Syntax: 0 - System default; 1 - Lowest; 2 - Below normal; 3 - Normal; 4 - Above normal; 5 - Highest
  Default: 0
  Requirements/Limitations: Native MS Virtual Channel support

CACHEIMMEDIATELY
  Description: Controls immediate bitmap caching in RDP.
  Values/Syntax: yes - Enables immediate bitmap caching; no - Caches bitmaps only if used more than once
  Default: no

RESETBITMAPCACHE
  Description: Resets the bitmap cache after each capability exchange. Such capability exchanges occur between the logon session and the user session or when session shadowing takes place. This option solves some caching problems when connecting to Windows XP Professional that typically show up as a flashing black rectangle.
  Values/Syntax: yes - Resets the bitmap cache; no - The bitmap cache remains unaffected
  Default: no

BETATEST
  Description: Controls the beta features to be tested.
  Values/Syntax: yes - Enables new features that have not yet been released; no - Uses only released features
  Default: no

COLORREDUCTION
  Description: Controls dynamic color fidelity.
  Values/Syntax: yes - Uses color space conversion to reduce the bandwidth; no - Does not change the colors
  Default: no

COLORSUBSAMPLING
  Description: Controls color sub-sampling if dynamic color fidelity is enabled. The color values of bitmaps are reduced to half the resolution.
  Values/Syntax: yes - Uses color sub-sampling to reduce the bandwidth; no - Does not change the resolution
  Default: no
  Requirements/Limitations: COLORREDUCTION = yes

RDPNINEGRID
  Description: Controls the redirection of NineGrid bitmaps. An enabled redirection results in bandwidth reduction, but increases client CPU/GPU requirements.
  Values/Syntax: yes - Enables RDP NineGrid bitmaps; no - Disables RDP NineGrid bitmaps
  Default: yes
  Requirements/Limitations: NineGrid bitmaps can cause problems when used in a remote control session on Windows Server 2003 (Error 7025).

RDPFRAMEMARKER
  Description: Controls the redirection of RDP frame markers. An enabled redirection may reduce flickering and results in a better look and feel.
  Values/Syntax: yes - Enables RDP frame markers; no - Disables RDP frame markers
  Default: yes - if BETATEST = yes; no - Otherwise
  Requirements/Limitations: Requires Windows Server 2008 or higher

RDPNETWORKCONNTYPE
  Description: Specifies the type of network connection used by the client.
  Values/Syntax: 0 - unspecified; 1 - modem; 2 - broadband low; 3 - satellite; 4 - broadband high; 5 - WAN; 6 - LAN
  Default: 0

AUDIOQUALITYOUT
  Description: The audio output quality (playback).
  Values/Syntax: max - Uses the audio format with the highest bandwidth; high - Enables audio formats greater than 22050 bytes/s; medium - Enables audio formats between 8000 and 22050 bytes/s; low - Enables audio formats of less than 8001 bytes/s; min - Uses the audio format with the lowest bandwidth; auto - Enables all audio formats
  Default: auto
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

AUDIOQUALITYIN
  Description: The audio input quality (recording).
  Values/Syntax: max - Uses the audio format with the highest bandwidth; high - Enables audio formats greater than 22050 bytes/s; medium - Enables audio formats between 8000 and 22050 bytes/s; low - Enables audio formats of less than 8001 bytes/s; min - Uses the audio format with the lowest bandwidth; auto - Enables all audio formats
  Default: auto
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

AUDIOQUALITYOUTMIN
  Description: Value of the minimum bandwidth for supported audio formats (playback).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the average number of bytes per second
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

AUDIOQUALITYOUTMAX
  Description: Value of the maximum bandwidth for supported audio formats (playback).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the average number of bytes per second
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

AUDIOQUALITYINMIN
  Description: Value of the minimum bandwidth for supported audio formats (recording).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the average number of bytes per second
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

AUDIOQUALITYINMAX
  Description: Value of the maximum bandwidth for supported audio formats (recording).
  Values/Syntax: [0 ... MAXINT] - An integer that specifies the average number of bytes per second
  Requirements/Limitations: AUDIODEVIN = rdpsound / hobaudio

36 XML Configuration for the HOB WebSecureProxy

HOB WebSecureProxy is the heart of HOB RD VPN. The configuration of the HOB WSP, and therefore also of HOB RD VPN, is done with XML, a markup language that defines a set of rules for encoding documents in a format that is both human readable and machine readable. The design goals of XML emphasize simplicity, generality, and usability.

The HOB WebSecureProxy can be configured by changing the settings in one of two XML files, wsp.xml and manual.xml. When the HOB WSP starts, it reads the configuration by default from a file called wsp.xml. HOB RD VPN by default gives manual.xml a higher priority than wsp.xml, so once you start using manual.xml for your configuration, wsp.xml will not be referenced again, and all future changes to the configuration settings must be made manually.

The file wsp.xml is generated automatically by HOB RD VPN itself; all entries in this file are made through the HOB WSP GUI. Every time the configuration settings are saved (by clicking Save on the main menu), wsp.xml is overwritten with the current settings. As a result, the HOB WSP configuration in your configuration storage is changed automatically.

The file manual.xml is the configuration file that you generate manually using any standard XML editor. Using a manual configuration rather than the HOB WSP GUI gives you more control over each parameter of the configuration. The manual.xml file must be manually reviewed and maintained for any possible changes to the configuration.
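Because manual.xml has to be reviewed by hand before every restart, the mechanical part of that review can be scripted. The following Python check is an added example, not part of HOB RD VPN or its documentation: it confirms the candidate file is well-formed, lists the listeners (the `connection` elements with their `gateport` and `conn-type`), reports every populated `admin-password` or `password` element (this chapter notes that the file carries such secrets in clear), and summarizes the roles' `session-time-limits` and `allow-browser-caching` settings. The element names follow the wsp.xml example later in this chapter; SAMPLE_XML is a constructed excerpt with placeholder values, and BROKEN_XML is the same excerpt with one mismatched closing tag, the kind of slip a hand-edited file picks up.

```python
"""Pre-restart review of a HOB WSP manual.xml candidate.

Added example, not HOB code or documentation. It uses element names from
the wsp.xml example in this chapter (connection, gateport, conn-type,
domain, role, session-time-limits, admin-password, password) on the
constructed excerpt SAMPLE_XML; a real review reads the exported file.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like the chapter's wsp.xml example; placeholder values only.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<sslgate-configuration>
  <connection>
    <name>User Portal</name>
    <gateport>443</gateport>
    <conn-type>secondary</conn-type>
    <authentication-library>
      <configuration-section>
        <domains>
          <domain>
            <name>OpenLDAP</name>
            <admin-password>password</admin-password>
          </domain>
        </domains>
        <roles>
          <role>
            <name>User</name>
            <session-time-limits>
              <idle-period>1800</idle-period>
              <maximal-period>28800</maximal-period>
            </session-time-limits>
            <allow-browser-caching>YES</allow-browser-caching>
          </role>
          <role>
            <name>DomainAdministrator</name>
          </role>
        </roles>
      </configuration-section>
    </authentication-library>
  </connection>
  <connection>
    <name>Administration Access</name>
    <gateport>10000</gateport>
    <conn-type>admin</conn-type>
  </connection>
  <LDAP-service>
    <LDAP-entry>
      <name>OpenDS</name>
      <password>S3cr3t-placeholder</password>
    </LDAP-entry>
  </LDAP-service>
</sslgate-configuration>
"""
# Same excerpt with a closing tag that no longer matches its opening tag.
BROKEN_XML = SAMPLE_XML.replace("</conn-type>", "</conntype>", 1)

SECRET_TAGS = {"admin-password", "password"}
PLACEHOLDER_VALUES = {"password", "secret", "changeme"}


def parse_config(text):
    """Return (root, None) for well-formed XML, else (None, parser message)."""
    try:
        return ET.fromstring(text), None
    except ET.ParseError as exc:
        return None, str(exc)


def _name_of(elem):
    """Text of the element's <name> child, or "?" if it has none."""
    return (elem.findtext("name") or "?").strip()


def list_connections(root):
    """Listener inventory: which ports are open and which one is the admin access."""
    return [{"name": _name_of(c),
             "gateport": int(c.findtext("gateport", "0")),
             "conn-type": c.findtext("conn-type", "")}
            for c in root.findall("connection")]


def find_cleartext_secrets(root):
    """(owner name, tag, is_placeholder) for every populated secret element."""
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for elem in root.iter():
        if elem.tag in SECRET_TAGS and (elem.text or "").strip():
            value = elem.text.strip()
            found.append((_name_of(parent[elem]), elem.tag,
                          value.lower() in PLACEHOLDER_VALUES))
    return found


def review_roles(root):
    """Per role: session limits (None when the element is missing) and browser caching."""
    out = []
    for role in root.iter("role"):
        limits = role.find("session-time-limits")
        out.append({
            "name": _name_of(role),
            "idle-period": int(limits.findtext("idle-period", "0")) if limits is not None else None,
            "maximal-period": int(limits.findtext("maximal-period", "0")) if limits is not None else None,
            "browser-caching": role.findtext("allow-browser-caching", "NO").upper() == "YES",
        })
    return out
```

Run on the exported file instead of SAMPLE_XML, the three report functions give the reviewer a short checklist: unexpected listeners, secrets still set to a placeholder from a template, and roles without session limits. A parse error from `parse_config` means the file must not be installed as manual.xml, since the WSP would otherwise be restarted against a configuration it cannot read.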
Please note that the configuration file of the HOB WebSecureProxy contains sensitive, security-relevant data such as passwords or shared secrets.

For a Common Criteria compliant configuration, the manual.xml file must be used. The current configuration must always be available as the XML configuration file manual.xml. If changes to the configuration are made through the HOB WSP GUI, the resulting configuration needs to be exported from the integrated directory service. The configuration file or the changes must then be transferred to manual.xml, which must then be reviewed manually. For a description of the effects of a change to the HOB WSP configuration, see Section 33.3 Configuration Changes and their Effectiveness and Impact. If this configuration is identified as valid and correct in this review, it can be used as the new configuration for the HOB WSP.

To enable this newly updated manual.xml, the HOB WSP must be stopped and restarted. This stopping and restarting may, however, lead to the loss of some or all of the current user connections. For information on how to manually stop and restart the HOB WSP, see Section 33.2 Manually Stopping and Starting the HOB WSP.

This chapter now describes the syntax, parameters and valid values for the configuration file of the HOB WSP, and how these parameters are used.

36.1 Configuring XML parameters for the HOB WSP

To configure the XML parameters for the HOB WSP, follow these steps:

1. Open the HOB EA Administration interface.
2. Select the HOB WebSecureProxy object from the network structure.
3. Click the Properties button on the bottom left.

Figure 1: HOB EA Administration Interface

You will now see the following dialog:

Figure 2: HOB RD VPN Administration - Properties

4. Click the LDAP details button and you will see the following dialog:

Figure 3: HOB RD VPN Administration – Properties – LDAP Details

5. Select the attribute you wish to edit, in this case the HOB WSP (here referred to as hobgwwsp for HOB Gateway WSP).
6. Click the Edit button at the bottom and you will see the following dialog:

Figure 4: HOB RD VPN Administration – Properties – LDAP Attributes

This displays the XML parameters for the selected attribute, the HOB WSP. You can use the buttons at the bottom of the dialog for editing:

Import – click this button to bring up another dialog allowing you to import a selected parameter into this attribute.
Export – click this button to bring up another dialog allowing you to export the selected parameters to another attribute.
Save – saves any changes but does not close the dialog.
Close – closes the dialog without saving any changes.
Help – accesses the help available for this topic.

36.2 Root Element and XML declaration

The HOB WSP configuration file starts with an XML declaration as a prolog with the following content:

<?xml version="1.0" encoding="UTF-8"?>

The configuration itself starts with the <sslgate-configuration> root element. This generic tag in the WSP configuration file represents the root of the configuration tree. It appears only once, opening at the beginning and closing at the end of the configuration. All other parameters are found between these tags:

<sslgate-configuration>
… All configuration parameters
</sslgate-configuration>

All of the base objects explained here (general, connection, authentication-library, server-list, etc.) are objects of the root element.

The following is an example HOB RD VPN wsp.xml configuration file.
It is included here to help you create your own XML configuration or configurations, by showing how such a file should be constructed: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <sslgate-configuration> <general> <max-poss-work-thread>32</max-poss-work-thread> <max-active-work-thread>16</max-active-work-thread> <report-intv>1200</report-intv> <time-cache-disk-file>5</time-cache-disk-file> <time-reload-disk-file>5</time-reload-disk-file> <network-statistic-level>4</network-statistic-level> <clear-used-memory>NO</clear-used-memory> <memory-log-size>4194304</memory-log-size> <suppress-warning-LDAP-template-not-referenced>YES</suppress-warning-LDAPtemplate-not-referenced> <prot-syslog>YES</prot-syslog> </general> <connection> <name>User Portal</name> <language>en</language> <function>SELECT-SOCKS5-HTTP</function> <gateport>443</gateport> <conn-type>secondary</conn-type> Security Solutions by HOB 453 XML Configuration for the HOB WebSecureProxy HOB RD VPN <permanently-moved-from-port>80</permanently-moved-from-port> <permanently-moved-to-port>443</permanently-moved-to-port> <permanently-moved-URL>rdvpn.exsample.local</permanently-moved-URL> <gate-in-ineta>100.100.100.1</gate-in-ineta> <SSL-config-file>../sslsettings/corporate/hserver.cfg</SSL-config-file> <SSL-certdb-file>../sslsettings/corporate/hserver.cdb</SSL-certdb-file> <SSL-password-file>../sslsettings/corporate/hserver.pwd </SSL-passwordfile> <max-session>1000</max-session> <do-not-close-by-load-balancing>YES</do-not-close-by-load-balancing> <select-server> <server-list-name>Compliance Check</server-list-name> <server-list-name>HOBWebServer</server-list-name> <server-list-name>EA-LDAP</server-list-name> <server-list-name>KerberosTicketService</server-list-name> </select-server> <authentication-library> <library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</libraryfile-name> <configuration-section> <allow-multiple-login>YES</allow-multiple-login> 
<close-sessions-at-logout>YES</close-sessions-at-logout> <check-client-ineta>NO</check-client-ineta> <domains> <show-list>YES</show-list> <domain> <name>LDAP 1</name> <type>LDAP</type> <corresponding-LDAP-service>LDAP 1</corresponding-LDAP-service> <auto-user-create>NO</auto-user-create> </domain> <domain> <name>rdvpn</name> <type>LDAP</type> <corresponding-LDAP-service>rdvpn</corresponding-LDAPservice> <base>dc=hobsoft</base> <admin-group>cn=domainAdministrators,dc=hobsoft, dc=internal,dc=root</admin-group> 454 Security Solutions by HOB HOB RD VPN XML Configuration for the <auto-user-create>NO</auto-user-create> </domain> <domain> <name>OpenLDAP</name> <type>LDAP</type> <display-name>test</display-name> <corresponding-LDAP-service>rdvpn</corresponding-LDAPservice> <base>dc=OpenLDAP</base> <admin-dn>cn=admin,ou=users,dc=internal,dc=root</admin-dn> <admin-password>password</admin-password> <auto-user-create>YES</auto-user-create> </domain> <domain> <name>LDAP 1</name> <type>LDAP</type> <display-name>LDAP Service</display-name> <corresponding-LDAP-service>rdvpn</corresponding-LDAPservice> <base>dc=LDAP 1</base> <admin-dn>cn=admin,ou=users,dc=internal,dc=root</admin-dn> <admin-password>password</admin-password> <auto-user-create>YES</auto-user-create> </domain> <domain> <name>Kerberos Domain 1</name> <type>Kerberos</type> <corresponding-LDAP-service>rdvpn</corresponding-LDAPservice> <base>dc=Kerberos Domain 1</base> <auto-user-create>NO</auto-user-create> </domain> </domains> <roles> <role> <name>User</name> <priority>1</priority> <high-entropy>YES</high-entropy> <session-time-limits> <idle-period>1800</idle-period> Security Solutions by HOB 455 XML Configuration for the HOB WebSecureProxy HOB RD VPN <maximal-period>28800</maximal-period> </session-time-limits> <site-after-auth/> <compliancecheck>Compliance Check 1</compliancecheck> <target-filter>Target Filter 1</target-filter> <portlets> <portlet> <name>jterm</name> <open>YES</open> </portlet> <portlet> 
<name>wsg</name> <open>YES</open> </portlet> </portlets> <allow-browser-caching>YES</allow-browser-caching> <allow-configuration> <wsg-bookmarks>YES</wsg-bookmarks> <wfa-bookmarks>YES</wfa-bookmarks> <desktop-on-demand>NO</desktop-on-demand> <others>YES</others> </allow-configuration> <gui-skin>default</gui-skin> <members> <member> <type>ou</type> <dn>dc=hobsoft,dc=root</dn> </member> </members> <select-server> <server-list-name>PPPTunnel</server-list-name> */(crosswiseNAT internal L2TP) <server-list-name>Socks5</server-list-name> <server-list-name>Desktop-On-Demand</server-list-name> <server-list-name>Windows Terminal Servers</server-list-name> <server-list-name>Windows Terminal Server 2</server-list-name> </select-server> </role> <role> 456 Security Solutions by HOB HOB RD VPN XML Configuration for the <name>PowerUser</name> <priority>50</priority> <session-time-limits> <idle-period>1800</idle-period> <maximal-period>28800</maximal-period> </session-time-limits> <site-after-auth/> <compliancecheck/> <portlets> <portlet> <name>jterm</name> <open>YES</open> </portlet> <portlet> <name>wsg</name> <open>YES</open> </portlet> <portlet> <name>wfa</name> <open>YES</open> </portlet> <portlet> <name>settings</name> <open>YES</open> </portlet> </portlets> <allow-browser-caching>YES</allow-browser-caching> <allow-configuration> <wsg-bookmarks>YES</wsg-bookmarks> <wfa-bookmarks>YES</wfa-bookmarks> <desktop-on-demand>NO</desktop-on-demand> <others>YES</others> </allow-configuration> <gui-skin>default</gui-skin> <members> <member> <type>ou</type> <dn>CN=Users,dc=example,dc=local</dn> </member> Security Solutions by HOB 457 XML Configuration for the HOB WebSecureProxy HOB RD VPN <member> <type>ou</type> <dn>OU=external,DC=example,DC=local</dn> </member> <member> <type>ou</type> <dn>dc=hobsoft,dc=root</dn> </member> <member> <type>ou</type> <dn>dc=root</dn> </member> </members> <select-server> <server-list-name>PPPTunnel </server-list-name> */(crosswiseNAT internal L2TP) 
<server-list-name>Socks5</server-list-name> <server-list-name>Windows Terminal Servers</server-list-name> </select-server> </role> <role> <name>DomainAdministrator</name> <priority>100</priority> <session-time-limits> <idle-period>1800</idle-period> <maximal-period>28800</maximal-period> </session-time-limits> <site-after-auth/> <compliancecheck/> <portlets> <portlet> <name>admin</name> <open>YES</open> </portlet> <portlet> <name>jterm</name> <open>YES</open> </portlet> <portlet> 458 Security Solutions by HOB HOB RD VPN XML Configuration for the <name>wsg</name> <open>YES</open> </portlet> <portlet> <name>wfa</name> <open>YES</open> </portlet> <portlet> <name>settings</name> <open>YES</open> </portlet> </portlets> <allow-browser-caching>YES</allow-browser-caching> <allow-configuration> <wsg-bookmarks>YES</wsg-bookmarks> <wfa-bookmarks>YES</wfa-bookmarks> <desktop-on-demand>YES</desktop-on-demand> <others>YES</others> </allow-configuration> <gui-skin>default</gui-skin> <members> <member> <type>ou</type> <dn>dc=hobsoft,dc=root</dn> </member> </members> <select-server> <server-list-name>Windows Terminal Servers</server-list-name> </select-server> </role> </roles> </configuration-section> </authentication-library> <dynamic-LDAP>YES</dynamic-LDAP> <dynamic-Kerberos-5-KDC>YES</dynamic-Kerberos-5-KDC> </connection> <connection> <name>Administration Access</name> <language>en</language> Security Solutions by HOB 459 XML Configuration for the HOB WebSecureProxy HOB RD VPN <function>SELECT-SOCKS5-HTTP</function> <gateport>10000</gateport> <conn-type>admin</conn-type> <gate-in-ineta>100.100.100.1</gate-in-ineta> <SSL-config-file>../sslsettings/admin/hserver.cfg</SSL-config-file> <SSL-certdb-file>../sslsettings/admin/hserver.cdb</SSL-certdb-file> <SSL-password-file>../sslsettings/admin/hserver.pwd</SSL-passwordfile> <max-session>100</max-session> <do-not-close-by-load-balancing>YES</do-not-close-by-load-balancing> <select-server> 
<server-list-name>AdminWebServer</server-list-name> <server-list-name>EA-LDAP</server-list-name> </select-server> <authentication-library> <library-file-name>plugins/web_server/xl-sdh-webserver-01.dll </libraryfile-name> <configuration-section> <allow-multiple-login>YES</allow-multiple-login> <close-sessions-at-logout>YES</close-sessions-at-logout> <check-client-ineta>NO</check-client-ineta> <domains> <show-list>NO</show-list> <domain> <type>ldap</type> <name>rdvpn</name> <display-name>AdminAccess</display-name> <corresponding-LDAP-service>rdvpn</corresponding-LDAP-service> <base>dc=internal</base> <auto-user-create>NO</auto-user-create> </domain> </domains> <roles> <role> <name>Global Administrator</name> <priority>1</priority> <portlets> <portlet> <name>globaladmin</name> 460 Security Solutions by HOB HOB RD VPN XML Configuration for the <open>YES</open> </portlet> <portlet> <name>wsg</name> <open>YES</open> </portlet> </portlets> <session-time-limits> <idle-period>1800</idle-period> <maximal-period>28800</maximal-period> </session-time-limits> <allow-browser-caching>NO</allow-browser-caching> <allow-configuration> <wsg-bookmarks>YES</wsg-bookmarks> <wfa-bookmarks>YES</wfa-bookmarks> <desktop-on-demand>YES</desktop-on-demand> <others>YES</others> </allow-configuration> <gui-skin>No-banner</gui-skin> <members> <member> <type>group</type> <dn>cn=globalAdministrators,ou=groups,dc=internal,dc=root</dn> </member> </members> <select-server> <server-list-name>Windows Terminal Servers</server-list-name> </select-server> </role> </roles> </configuration-section> </authentication-library> <dynamic-LDAP>YES</dynamic-LDAP> </connection> <LDAP-service> <name>rdvpn</name> <internal>YES</internal> <trace-level>0</trace-level> <LDAP-entry> Security Solutions by HOB 461 XML Configuration for the HOB WebSecureProxy HOB RD VPN <name>OpenDS</name> <comment>OpenDS</comment> <LDAP-template>OpenDS</LDAP-template> <serverineta>127.0.0.1</serverineta> <serverport>389</serverport> 
<wait-connect>20</wait-connect> <timeout-search>20</timeout-search> <search-result-buffer-size>2048</search-result-buffer-size> <max-session>10</max-session> <base-dn>dc=root</base-dn> <dn>cn=websecureproxy,ou=servers,dc=internal,dc=root</dn> <password>password</password> </LDAP-entry> </LDAP-service> <LDAP-template> <editable>NO</editable> <name>OpenDS</name> <user-attribute>person</user-attribute> <group-attribute>groupofuniquenames</group-attribute> <member-attribute>uniqueMember</member-attribute> <user-prefix>cn</user-prefix> <search-default-attribute>cn</search-default-attribute> </LDAP-template> <LDAP-template> <editable>NO</editable> <name>OpenLDAP</name> <user-attribute>person</user-attribute> <group-attribute>posixGroup</group-attribute> <member-attribute>memberUid</member-attribute> <user-prefix>uid</user-prefix> <search-default-attribute>uid</search-default-attribute> </LDAP-template> <LDAP-template> <editable>NO</editable> <name>IBM Directory Server</name> <user-attribute>person</user-attribute> <group-attribute>groupOfNames</group-attribute> <member-attribute>member</member-attribute> <user-prefix>cn</user-prefix> 462 Security Solutions by HOB HOB RD VPN XML Configuration for the <search-default-attribute>uid</search-default-attribute> </LDAP-template> <LDAP-template> <editable>NO</editable> <name>Microsoft Active Directory</name> <user-attribute>person</user-attribute> <group-attribute>group</group-attribute> <member-attribute>member</member-attribute> <membership-attribute>memberOf</membership-attribute> <user-prefix>cn</user-prefix> <search-default-attribute>samAccountName</search-default-attribute> </LDAP-template> <LDAP-template> <editable>NO</editable> <name>iPlanet Directory Server</name> <user-attribute>person</user-attribute> <group-attribute>groupofuniquenames</group-attribute> <member-attribute>uniquemember</member-attribute> <user-prefix>cn</user-prefix> <search-default-attribute>uid</search-default-attribute> </LDAP-template> 
  <LDAP-template>
    <editable>NO</editable>
    <name>Novell Directory Server</name>
    <user-attribute>person</user-attribute>
    <group-attribute>groupOfUniqueNames</group-attribute>
    <member-attribute>member</member-attribute>
    <membership-attribute>groupMembership</membership-attribute>
    <user-prefix>cn</user-prefix>
    <search-default-attribute>uid</search-default-attribute>
  </LDAP-template>
  <LDAP-template>
    <editable>NO</editable>
    <name>Siemens DirX LDAP</name>
    <user-attribute>person</user-attribute>
    <group-attribute>groupofuniquenames</group-attribute>
    <member-attribute>uniquemember</member-attribute>
    <user-prefix>cn</user-prefix>
    <search-default-attribute>cn</search-default-attribute>
  </LDAP-template>
  <server-list>
    <name>HOBWebServer</name>
    <server-entry>
      <name>Integrated Web Server</name>
      <protocol>HTTP</protocol>
      <option-connect-other-server>YES</option-connect-other-server>
      <server-data-hook>
        <library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</library-file-name>
        <configuration-section>
          <root-dir>../www</root-dir>
          <http-hostname>rdvpn.exsample.local</http-hostname>
          <settings>0</settings>
          <flags>0</flags>
          <compression>NO</compression>
          <site-after-auth>/protected/welcome.hsl</site-after-auth>
          <show-site-after-auth-checkbox>NO</show-site-after-auth-checkbox>
          <gui-skin>Default</gui-skin>
          <virtual-link>
            <alias>/WebFileAccess</alias>
            <url>/http://100.0.0.1:8080/WebFileAccess</url>
          </virtual-link>
          <HOB-PPP-Tunnel>
            <enabled>YES</enabled>
            <server-entry-name>crosswiseNAT PPPTunnel</server-entry-name> <!-- (internal L2TP) -->
            <address/>
            <localhost>100.0.0.2</localhost>
            <system-parameters>
              <windows>rasdial HOB-L2TP-01 %TEXT:wsp_userid; %TEXT:wsp_password; /PHONEBOOK:HOB-PPP-T1-01.pbk</windows>
              <mac>-detach refuse-chap lock passive : ipcp-accept-local ipcp-accept-remote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru 1410 debug dump connect-delay 5000 nodefaultroute call hobppptunnel ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid; password %TEXT:wsp_password;</mac>
              <freebsd>-detach refuse-chap lock passive : ipcp-accept-local ipcp-accept-remote crtscts noccp novj idle 1800 mtu 1410 mru 1410 debug nodefaultroute call hobppptunnel ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid;</freebsd>
              <solaris>-detach refuse-chap lock passive : ipcp-accept-local ipcp-accept-remote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru 1410 debug dump connect-delay 5000 nodefaultroute call hobppptunnel ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid; password %TEXT:wsp_password;</solaris>
              <linux>-detach refuse-chap refuse-eap lock passive : ipcp-accept-local ipcp-accept-remote crtscts usepeerdns noccp novj idle 1800 mtu 1410 mru 1410 debug dump connect-delay 5000 nodefaultroute call hobppptunnel ipparam hob-%%TEXT:snw_ineta;-%%text:snw_mask; user %TEXT:wsp_userid; password %TEXT:wsp_password;</linux>
            </system-parameters>
          </HOB-PPP-Tunnel>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>AdminWebServer</name>
    <server-entry>
      <name>Integrated Web Server</name>
      <protocol>HTTP</protocol>
      <option-connect-other-server>YES</option-connect-other-server>
      <server-data-hook>
        <library-file-name>plugins/web_server/xl-sdh-webserver-01.dll</library-file-name>
        <configuration-section>
          <root-dir>../www</root-dir>
          <http-hostname>rdvpn.exsample.local</http-hostname>
          <settings>0</settings>
          <flags>0</flags>
          <compression>NO</compression>
          <virtual-link>
            <alias>/RDVPNCertificateManager</alias>
            <url>/http://100.0.0.1:8080/RDVPNCertificateManager</url>
          </virtual-link>
          <virtual-link>
            <alias>/RDVPNDirectoryServices</alias>
            <url>/http://100.0.0.1:8080/RDVPNDirectoryServices</url>
          </virtual-link>
          <virtual-link>
            <alias>/RDVPNPluginManager</alias>
            <url>/http://100.0.0.1:8080/RDVPNPluginManager</url>
          </virtual-link>
          <virtual-link>
            <alias>/RDVPNUpdater</alias>
            <url>/http://100.0.0.1:8080/RDVPNUpdater</url>
          </virtual-link>
          <site-after-auth>/protected/portlets/globaladmin/status.hsl</site-after-auth>
          <show-site-after-auth-checkbox>NO</show-site-after-auth-checkbox>
          <gui-skin>Default</gui-skin>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>Socks5</name>
    <server-entry>
      <name>SOCKS</name>
      <protocol>SOCKS</protocol>
      <option-connect-other-server>YES</option-connect-other-server>
      <server-data-hook>
        <library-file-name>plugins/socks5/xl-sdh-sock5-01.dll</library-file-name>
        <configuration-section>
          <settings>0</settings>
          <flags>0</flags>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>Compliance Check</name>
    <server-entry>
      <name>Compliance Check</name>
      <protocol>COMPL_CHECK</protocol>
      <server-data-hook>
        <library-file-name>plugins/compliance-check/xl-sdh-compl-check-01.dll</library-file-name>
        <configuration-section>
          <compliancelist>
            <compliancecheck>
              <name>Compliance Check 1</name>
              <integrity-check>
                <version>3</version>
                <enable>YES</enable>
                <policy>
                  <name>Policy(1)</name>
                  <age-def-file>24</age-def-file>
                  <last-scan>24</last-scan>
                  <antivirus>
                    <win>
                      <vendor>
                        <product>
                          <name>Simulacrum Internet Security 2008</name>
                          <version>12.x</version>
                        </product>
                        <product>
                          <name>Simulacrum Internet Security 2009</name>
                          <version>14.x</version>
                        </product>
                        <product>
                          <name>Simulacrum Internet Security 2010</name>
                          <version>15.x</version>
                        </product>
                        <product>
                          <name>Simulacrum Internet Security 2011</name>
                          <version>16.x</version>
                        </product>
                      </vendor>
                    </win>
                    <linux>
                      <vendor>
                        <name>Panda Software</name>
                        <product>
                          <name>Panda Antivirus</name>
                          <version>9.x</version>
                        </product>
                        <product>
                          <name>Simulacrum Security for Linux</name>
                          <version>1.x</version>
                        </product>
                      </vendor>
                    </linux>
                    <mac>
                      <vendor>
                        <name>Simulacrum Security</name>
                        <product>
                          <name>Simulacrum Antivirus</name>
                          <version>1.x</version>
                        </product>
                      </vendor>
                    </mac>
                  </antivirus>
                </policy>
              </integrity-check>
              <anti-split-tunnel>
                <enable>NO</enable>
                <command>
                  <type/>
                  <mode/>
                  <success>YES</success>
                  <result_string/>
                </command>
                <parameters>
                  <wsp/>
                  <disable-local-networks>NO</disable-local-networks>
                  <set-local-dns>YES</set-local-dns>
                  <interval-wsp>60</interval-wsp>
                  <interval-ast>10</interval-ast>
                </parameters>
                <allow/>
              </anti-split-tunnel>
              <rules/>
            </compliancecheck>
          </compliancelist>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>EA-LDAP</name>
    <server-entry>
      <name>EA-LDAP</name>
      <protocol>HOBEA</protocol>
      <option-connect-other-server>YES</option-connect-other-server>
      <server-data-hook>
        <library-file-name>plugins/ea_ldap/xl-sdh-ea-ldap-01.dll</library-file-name>
        <configuration-section>
          <reload-path>../management/plugins/wsp_admin_plugin.port</reload-path>
          <domainadministrator-group>
            <rdn>cn=domainAdministrators,ou=groups</rdn>
            <autocreate>YES</autocreate>
          </domainadministrator-group>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>KerberosTicketService</name>
    <server-entry>
      <name>Kerberos-5-Ticket-Services</name>
      <protocol>HOB-KRB5TS1</protocol>
      <server-data-hook>
        <library-file-name>plugins/krb5ts/xl-sdh-krb5ts1-01.dll</library-file-name>
        <configuration-section>
          <trace-krb5-api>NO</trace-krb5-api>
          <trace-network>NO</trace-network>
        </configuration-section>
      </server-data-hook>
    </server-entry>
  </server-list>
  <server-list>
    <name>Desktop-On-Demand</name>
    <server-entry>
      <name>Desktop-On-Demand</name>
      <function>PASS-THRU-TO-DESKTOP</function>
      <protocol>HOB-RDP-EXT1</protocol>
    </server-entry>
  </server-list>
  <client-side-SSL>
    <SSL-config-file>../sslsettings/hclient.cfg</SSL-config-file>
    <SSL-certdb-file>../sslsettings/hclient.cdb</SSL-certdb-file>
    <SSL-password-file>../sslsettings/hclient.pwd</SSL-password-file>
    <usage-DN>NOTHING</usage-DN>
  </client-side-SSL>
  <server-list>
    <name>Windows Terminal Servers</name>
    <server-entry>
      <name>RDP Server 1a</name>
      <function>DIRECT</function>
      <protocol>HOB-RDP-EXT1</protocol>
      <serverineta>rdp1a.example.local</serverineta>
      <serverport>3389</serverport>
    </server-entry>
    <server-entry>
      <name>RDP Server 1b</name>
      <function>DIRECT</function>
      <protocol>HOB-RDP-EXT1</protocol>
      <serverineta>rdp1b.example.local</serverineta>
      <serverport>3389</serverport>
    </server-entry>
  </server-list>
  <LDAP-service>
    <LDAP-entry>
      <name>LDAP Server(1)</name>
      <serverineta>100.100.102.10</serverineta>
      <serverport>389</serverport>
      <LDAP-template>Microsoft Active Directory</LDAP-template>
      <base-dn>DC=example,DC=local</base-dn>
      <dn>cn=Administrator,cn=Users,DC=example,DC=local</dn>
      <password>password</password>
      <timeout-search>10</timeout-search>
      <wait-connect>10</wait-connect>
    </LDAP-entry>
    <name>LDAP 1</name>
    <trace-level>3</trace-level>
  </LDAP-service>
  <LDAP-template>
    <name>LDAP Template(1)</name>
    <user-attribute>person</user-attribute>
    <group-attribute>group</group-attribute>
    <member-attribute>member</member-attribute>
    <user-prefix>cn</user-prefix>
    <search-default-attribute>SamAccountName</search-default-attribute>
    <membership-attribute>memberOf</membership-attribute>
  </LDAP-template>
  <raw-packet-interface>
    <TUN-adapter-ineta>100.100.200.1</TUN-adapter-ineta>
    <TUN-adapter-use-interface-ineta>100.100.100.1</TUN-adapter-use-interface-ineta>
    <PPP-server>
      <DNS-ineta-IPV4-1>100.100.12.1</DNS-ineta-IPV4-1>
      <DNS-ineta-IPV4-2>100.100.12.2</DNS-ineta-IPV4-2>
    </PPP-server>
    <PPP-ineta-pool>
      <ineta-start>100.100.50.100</ineta-start>
      <ineta-end>100.100.50.150</ineta-end>
    </PPP-ineta-pool>
  </raw-packet-interface>
  <server-list>
    <name>PPPTunnel</name> <!-- crosswiseNAT - internal L2TP -->
    <server-entry>
      <name>crosswiseNAT PPPTunnel (internal L2TP)</name>
      <function>HOB-PPP-T1</function>
      <PPP-authentication-method>none</PPP-authentication-method>
      <server-data-hook>
        <library-file-name>plugins/tunnel/xl-sdh-ppp-pf-04.dll</library-file-name>
        <configuration-section>
          <ALG-SIP>YES</ALG-SIP>
          <crosswise-NAT>
            <real-network-ineta/>
            <translated-network-ineta/>
            <prefix/>
          </crosswise-NAT>
        </configuration-section>
      </server-data-hook>
      <server-network>100.100.10.0/24</server-network>
    </server-entry>
  </server-list>
  <LDAP-service>
    <LDAP-entry>
      <name>OpenLDAP Server</name>
      <serverineta>openldap.example.locale</serverineta>
      <serverport>389</serverport>
      <LDAP-template>OpenLDAP</LDAP-template>
      <base-dn>dc=openldap,dc=local</base-dn>
      <dn>cn=admin,dc=openldap,dc=local</dn>
      <password>password</password>
      <timeout-search>10</timeout-search>
      <wait-connect>10</wait-connect>
    </LDAP-entry>
    <name>OpenLDAP</name>
  </LDAP-service>
  <target-filter>
    <name>Target Filter 1</name>
    <deny>
      <DNS-name>private.example.com</DNS-name>
      <protocol>TCP</protocol>
      <TCP-port>80</TCP-port>
      <TCP-port>443</TCP-port>
    </deny>
    <deny>
      <DNS-name>secret.example.com</DNS-name>
      <protocol>TCP</protocol>
      <TCP-port>80</TCP-port>
      <TCP-port>443</TCP-port>
    </deny>
    <allow>
      <protocol>TCP</protocol>
      <TCP-port>80</TCP-port>
      <TCP-port>443</TCP-port>
    </allow>
  </target-filter>
  <target-filter>
    <name>Target Filter 2</name>
    <allow>
      <ineta>100.100.10.1</ineta>
    </allow>
    <allow>
      <ineta>100.100.11.0/24</ineta>
    </allow>
  </target-filter>
  <Kerberos-5-KDC>
    <server-entry>
      <name>Kerberos Server 1</name>
      <serverineta>100.100.10.1</serverineta>
      <serverport>88</serverport>
      <timeout>60</timeout>
      <retry-after-error>120</retry-after-error>
      <max-ticketsize>2048</max-ticketsize>
      <max-session>10</max-session>
    </server-entry>
    <server-entry>
      <name>Kerberos Server 2</name>
      <serverineta>100.100.1.2</serverineta>
      <serverport>88</serverport>
      <timeout>60</timeout>
      <retry-after-error>120</retry-after-error>
      <max-ticketsize>2048</max-ticketsize>
      <max-session>10</max-session>
    </server-entry>
    <name>Kerberos Domain 1</name>
    <comment/>
    <default-realm>EXAMPLE.LOC</default-realm>
    <clockskew>300</clockskew>
    <ticket-lifetime>36000</ticket-lifetime>
    <renewable-lifetime>36000</renewable-lifetime>
    <allow-initial-ticket>YES</allow-initial-ticket>
  </Kerberos-5-KDC>
  <server-list>
    <server-entry>
      <name>RDP Server 2</name>
      <function>DIRECT</function>
      <protocol>HOB-RDP-EXT1</protocol>
      <serverineta>rdp2.example.local</serverineta>
      <serverport>3389</serverport>
    </server-entry>
    <name>Windows Terminal Server 2</name>
  </server-list>
</sslgate-configuration>

<!-- Additional server-entry example (HOBPhone), shown separately from the configuration above -->
<server-entry>
  <name>HOBVOIP1</name>
  <protocol>HOB-VOIP-1</protocol>
  <server-data-hook>
    <library-file-name>plugins/hobphone/xl-sdh-hobphone-01.dll</library-file-name>
    <configuration-section>
      <use-UDP-gw-name>RTP-UDP</use-UDP-gw-name>
      <UDP-gate-timeout-ms>3000</UDP-gate-timeout-ms>
      <UDP-gate-keepalive-sec>10</UDP-gate-keepalive-sec>
      <addressbook>
        <name>addressbook1</name>
        <type>msexchange</type>
        <url>https://hobphoneexample.company.com/ews/exchange.asmx</url>
        <connection-mode>WSG</connection-mode>
        <gate-url>https://hobphoneexample.company.com:54321</gate-url>
        <domain>local</domain>
      </addressbook>
      <addressbook>
        <name>default</name>
        <type>msexchange</type>
        <url>https://addressbookexample.company.com/ews/exchange.asmx</url>
        <connection-mode>WSG</connection-mode>
        <gate-url>https://addressbookexample.company.com:54321</gate-url>
      </addressbook>
      <addressbook>
        <name>addressbook2</name>
        <type>msexchange</type>
        <url>https://addressbookexample2.company.com/ews/exchange.asmx</url>
        <connection-mode>WSG</connection-mode>
        <gate-url>https://addressbookexample2.company.com:54321</gate-url>
        <domain>hobc02p</domain>
      </addressbook>
    </configuration-section>
  </server-data-hook>
</server-entry>

36.3 The <general> element

The <general> element encloses configuration parameters that apply to the basic workflow of the HOB WSP. The <general> tag is optional but is used in most configurations, and it may appear only once in the configuration file. It holds different elements for the Windows and the Unix/Linux versions of the HOB WSP.

36.3.1 Common (Windows and Linux/Unix) elements

alert-subsystem-configuration
    SNMP; for future use.
allow-wsp-trace
    Allows the WSP tracing functionality. Valid values: YES/NO, default NO.
clear-used-memory
    Clears memory before releasing it to the operating system. Valid values: YES/NO, default NO.
disk-file-size-max
    Maximum size of one single file. Valid values: X KB, X MB, X GB; default 0.
disk-file-storage
    Maximum size of the cache. Valid values: X KB, X MB, X GB; default 0.
enable-sign-on-nopassword
    User login without password. Valid values: YES/NO, default NO. Leave this at NO unless another mechanism in front of the WSP authenticates every client.
ignore-PTTD-connect-error-host-unreachable
    Ignore the "host unreachable" message for Desktop-On-Demand (DOD). Valid values: YES/NO, default NO.
max-poss-work-thread
    Maximum number of work threads. Valid values: 4-1024. The default is not set (calculated from the CPU cores found).
max-active-work-thread
    Maximum number of active work threads. Valid values: 4 up to the value set in max-poss-work-thread. The default is not set (calculated from the CPU cores found).
memory-log-size
    Memory size for internal logging. Valid values: X KB, X MB, X GB; default 0.
memory-threshold
    SNMP; for future use.
network-statistic-level
    Reports statistics of network usage; the higher the value, the more information is reported. Valid values: 0-9.
prio-work-thread
    Optional. Priority of the work threads; higher values have higher priority. Valid values: 1-5, default 3.
prio-process
    Optional. Priority of the process; higher values have higher priority. Valid values: 1-5, default 3.
reload-configuration
    If enabled, the WSP checks the configuration file for modifications and reloads the configuration if needed. On Linux/Unix this starts another WSP process. Valid values: YES/NO, default NO.
report-intv
    Optional. Interval in seconds at which statistics on the use of threads, memory, connections, etc. are reported. Valid values: seconds.
SIP-local-ineta
    Internal IP address used to communicate with the SIP gateway. Valid values: own IP address.
SIP-use-UDP-port-5060
    Opens port 5060 for SIP communication. Valid values: YES/NO, default NO.
suppress-warning-LDAP-template-not-referenced
    Suppresses the warning issued when available LDAP templates are not referenced. Valid values: YES/NO, default NO.
SNMP-configuration
    Has only child elements for SNMP configuration:
    trap-send-level
        SNMP; for future use.
    trap-target
        Child elements gate-out-ineta, target-ineta, target-port and comment: SNMP; for future use.
TCP-sndbuf
    Optional. Send buffer for all sessions; a socket option for optimization. Valid values: X KB, X MB, X GB.
TCP-rcvbuf
    Optional. Receive buffer for all sessions; a socket option for optimization. Valid values: X KB, X MB, X GB.
time-cache-disk-file
    Time in seconds a file remains in the cache. Valid values: seconds, default 900.
time-reload-disk-file
    Time in seconds between checks for modifications of files in the cache. Valid values: seconds, default 300.
time-repeat-delay-alert
    SNMP; for future use.
UDP-gate
    Child elements:
    gate-ineta
        Internal IP address. Valid values: IP address.
    UDP-port
        Port. Valid values: port number.
UDP-gw-ineta
    Child elements:
    gate-ineta
        Internal IP address for communication with the SIP gateway. Valid values: IP address.
    name
        Name of this UDP-gw-ineta. Valid values: string.
VDI-sign-on-time
    The amount of time the VDI target is locked while waiting for the login procedure. Default is 10 seconds.
wake-on-lan-port
    Optional. Port of the WOL relay agent, if not given in wake-on-lan-relay-ineta. Valid values: a port number, default 65535.
wake-on-lan-relay-ineta
    Optional. May be used multiple times. Wake-on-LAN relay agent. Valid values: IP address, FQDN, IP address:port, FQDN:port.

36.3.2 Windows-specific elements

event-server-name
    Optional. Name of the server to send the event log to. If not set, the local machine is used. Valid values: IP or FQDN.
event-source-name
    Optional. Source name for event log events. If not set, logs are written to the application event log. Names used here have to be registered in Windows beforehand.
prot-event-log
    Optional. Instructs the WSP to log to the Windows Event Log. Valid values: YES/NO.
windows-core-dump
    Child elements:
    diskdirfd
        Disk directory for core dumps. Valid values: directory.
    ineta-mgw
        Optional. Mail gateway to use for sending dumps. Valid values: IP or FQDN.
    email-rcpt
        Optional. E-mail recipient of the core dumps. Valid values: e-mail address.
    email-sender
        Optional. E-mail sender of the core dump e-mail. Valid values: e-mail address.
    password
        Optional. Password for encrypting the core dump file.

36.3.3 Unix/Linux-specific elements

listen-error
    Action performed on a listen error. Valid values: WAIT (the WSP tries to open the port over and over again), IGNORE (the WSP ignores the error), ABEND (the WSP stops).
pid-file
    Name of the file to write the PID (process ID) to. Valid values: filename.
prot-syslog
    Optional. Sets whether the WSP logs to syslog. Valid values: YES/NO.
listen-gateway
    Configure the child elements, or enable the listen gateway with default values. The listen gateway is used, for example, to open ports when the WSP is not started with root rights. Valid values: YES/NO, default NO.
    domain-socket-name
        Name of the FIFO used for communication with the listen gateway.
    shared-secret
        Shared secret for communication with the listen gateway.

36.4 The <connection> element

The <connection> tag configures the ports that are opened to listen for connections. Without a <connection> tag the HOB WSP does not listen for incoming connections. The HOB WSP handles two half-sessions: one from the client to the HOB WSP and one from the HOB WSP to the target server. <connection> tags can configure both half-sessions, but only the half-session from the client requires a <connection>; the half-session to the target server is in general configured within a <server-entry> tag.

36.4.1 Client to WSP half-session

name
    Internal name of the connection. Mandatory.
function
    Special keyword describing the functional behavior of the connection. In general, when a <connection> forwards to server-lists, its <function> is SELECT-SOCKS5-HTTP. Valid values: DIRECT, RDP, ICA, WTSGATE, VDI-WSPGATE, PASS-THRU-TO-DESKTOP, SELECT-SOCKS5-HTTP, HOB-PPP-T1, SSTP, L2TP. RDP and ICA are not valid in a Unix environment. Default is DIRECT.
language
    Language used in the authentication dialogue. Valid values: English, German only; Spanish, French, Italian and Dutch are to be supported.
gateport
    Mandatory. Listen port for incoming connections. The default configuration uses 443.
gate-in-ineta
    IP address on which the listen port is opened. Used on multi-homed systems and in cluster configurations. Valid values: IP address.
serverineta
    IP address of the server to which the connection is made. May only be used with function DIRECT.
serverport
    Port of the server to which the connection is made. May only be used with function DIRECT.
backlog
    Number of connection requests queued by the OS/TCP stack when they cannot be accepted immediately. Valid values: number of connections, default 10.
timeout
    May be specified in the connection and/or in the server-list, i.e. for both half-sessions. Specifies the timeout in seconds of inactivity after which the connection is ended. If it is also defined in the server-list, the lower value is chosen.
conn-type
    Used to identify the connection. Valid values: primary, secondary, admin.
permanently-moved-from-port
    Configuration of the HTTP redirector: listens for incoming connections and redirects them to permanently-moved-to-port.
permanently-moved-to-port
    Specifies the port to redirect to.
permanently-moved-URL
    Specifies the URL to redirect to.
SSL-config-file
    Mandatory. Specifies the configuration file of the HOB Security Units. Valid values: path and filename.
SSL-certdb-file
    Mandatory. Specifies the database file of the HOB Security Units. Valid values: path and filename.
SSL-password-file
    Mandatory. Specifies the password file of the HOB Security Units. Valid values: path and filename.
max-session
    Maximum number of concurrently open connections. Valid values: any number; by default there is no limit.
do-not-close-by-loadbalancing
    Used in cluster configurations: this session should stay open. Valid values: YES/NO, default NO.
select-server
    Holds the child entries for valid server-lists:
    server-list-name
        Name of a server-list (see the server-list section).
authentication-library
    Holds the child elements for the authentication library; see the section on the <authentication-library> element. Either <authentication-library> or <authentication-library-object> may be used as the child of a connection.
authentication-library-object
    References a valid <authentication-library-object> element; see the section on that element. Either <authentication-library> or <authentication-library-object> may be used as the child of a connection. Valid values: the name of a valid <authentication-library-object>.
dynamic-radius
    All RADIUS domains are valid. Valid values: YES/NO.
dynamic-Kerberos-5-KDC
    All Kerberos domains are valid. Valid values: YES/NO.
dynamic-LDAP
    All LDAP domains are valid. Valid values: YES/NO.
DNS-lookup-before-connect
    DNS lookup before each connect. Valid values: YES/NO, default NO.
library-file-name
    Filename of the authentication library, e.g. xl-sdh-webserver-01.dll.
disable-naegle-send-client
    Disables the Nagle algorithm for every connection to the client. Valid values: Automatic, YES, NO; default Automatic.
disable-naegle-send-server
    Disables the Nagle algorithm for every connection to the server. Valid values: Automatic, YES, NO; default Automatic.
authentication-radius
    Holds the child objects for valid RADIUS servers:
    radius-name
        Name of a RADIUS server entry. Valid values: the configured name of a valid RADIUS server entry.
user-list
    Holds the child elements for the user groups valid for authentication:
    user-group-name
        Name of a valid user group.

36.4.2 WSP to target server half-session

function
    Special keyword describing the functional behavior of the connection. Valid values: DIRECT, RDP, ICA, WTSGATE, VDI-WSPGATE, PASS-THRU-TO-DESKTOP, SELECT-SOCKS5-HTTP, HOB-PPP-T1, SSTP, L2TP. RDP and ICA are not valid in a Unix environment. Default is DIRECT.
use-ineta-appl
    Use the SSL Identifier. Valid values: YES/NO.
connect-round-robin
    If a DNS lookup returns multiple targets, connect to them in random order. Valid values: YES/NO. The default is sequential, starting from the first.
protocol
    Protocol of this server; optional or mandatory depending on the function.
serverineta
    IP address or FQDN of the target.
serverport
    Port of the target.
gate-out-ineta
    Used for multi-homed configurations.
server-data-hook
    Server data hook to use, if any. See the server data hook section for details:
    library-file-name
        Filename of the server data hook.
option-connect-other-server
    Allows target servers other than the one configured in serverineta to be used. Valid values: YES/NO, default NO.

36.5 The <authentication-library-object> element

The <authentication-library-object> tag is used to configure an <authentication-library> section once so that it can be used in more than one <connection> tag. It has the following elements:

name
    The name of the <authentication-library-object>. A connection references it by giving this name in its <authentication-library-object> tag; that is, the <authentication-library> settings are configured once in an <authentication-library-object> and referenced by name from any number of <connection> tags.
authentication-library
    The <authentication-library> element is normally a child element of the <connection> tag. To use the same <authentication-library> settings in more than one connection, place it in an <authentication-library-object> instead.
library-file-name
    Path and name of the WSP-AT3 library used. Valid values: path and filename.

For all valid configuration parameters, see the description of the <authentication-library> element above.

36.6 The <server-list> element

This element holds the details of the servers that are made available to the current connection.

name
    Internal name of the server list. Mandatory.
server-entry
    Holds the child elements of one server entry:
    name
        Name of the server entry. Mandatory.
    function
        Function of this server entry.
    protocol
        Protocol of this server entry.
    serverineta
        IP address or DNS name of the target system.
    serverport
        Port of the target system.
    option-connect-other-server
        Determines whether this server entry is allowed to change the target dynamically.
    use-ineta-appl
        Use the SSL Identifier for this server entry.
    L2TP-gateway
        Name of the L2TP server entry.
    server-data-hook
        Server data hook (SDH) library; holds only the following child elements:
        library-file-name
            Filename of the server data hook.
        configuration-section
            Configuration section for this server data hook; see Chapter 37, Server Data Hook Configurations, for the valid configuration section of the chosen server data hook.

36.7 The <L2TP-gateway> element

This element holds the configuration of the gateway for the L2TP server that controls the connection.

name
    Internal name of this L2TP gateway. Mandatory.
serverineta
    IP address or DNS name of the L2TP gateway.
serverport
    Port of the L2TP gateway.
gate-ineta
    IP address of the outgoing interface.
authenticate-use-userid
    User ID, if authentication is required.
authenticate-use-password-plain
    Password in plain text, if authentication is required.
authenticate-use-password-encrypted
    Password in encrypted, base64-encoded form, if authentication is required. Prefer this to the plain variant.
PPP-charset
    Character set used for communication with the L2TP gateway. Valid values: ASCII-850, ANSI-819, UTF-8.

36.8 The <raw-packet-interface> element

The <raw-packet-interface> element is required for communication with the TUN adapter and is needed for the SSL Identifier and for PPP tunnels with an internal tunnel endpoint.

TUN-adapter-ineta
    IP address (INETA) of the TUN adapter. Also required for the SSL Identifier configuration. Valid values: any unused IP address, to be used for the TUN adapter.
TUN-adapter-use-interface-ineta
    Real interface to use with the TUN adapter. Also required for the SSL Identifier configuration. Valid values: IP address of the network interface card.
Appl-use-random-tcp-source-port
    Required for the SSL Identifier configuration only. Valid values: YES/NO.
PPP-server
    Has only child elements for the PPP tunnel configuration:
    DNS-ineta-IPV4-1
        IP address of the first DNS server.
    DNS-ineta-IPV4-2
        IP address of the second DNS server.
PPP-ineta-pool
    Has only the following child elements:
    ineta-start
        Start IP address of the address pool for PPP tunnel clients. Values must be from the network that contains the IP address of the network interface card.
    ineta-end
        End IP address of the address pool for PPP tunnel clients. Values must be from the network that contains the IP address of the network interface card.

36.9 The <service> element

This element holds the details of the services used in creating the connection.
488 Element Description Valid Values name Name of the service entry type Supported Service Type name server-group Holds only sub elements Child Elements of server-group Description name Name of the server-group element server-entry Holds only the following child elements Child Elements of server-entry Description name Internal server name vendor Virus Checking vendor serverineta IP address of this ICAP server serverport Port of the ICAP service Virus-Checking-ICAPHTTP Valid Values Valid Values c-icap Security Solutions by HOB HOB RD VPN XML Configuration for the 36.10 The <Kerberos-5-KDC> element This element is used to hold the configuration details for the Kerberos server for this connection. Element Description name Internal name, mandatory comment Comment if any is needed default-realm Name of the REALM clockskew Allowed clock differences ticket-lifetime Kerberos settings renewable-lifetime Kerberos settings allow-initial-ticket Kerberos settings server-entry Holds only the following child elements Child Elements of Server-entry Description name Internal name serverineta IP or DNS of KDC serverport Port for KDC timeout Connection timeout retry-after-error Specifies when to connect again after an error max-ticketsize Maximum size of tickets that can be sent max-session Maximum number of simultaneous connections to Server Security Solutions by HOB Valid Values Valid Values 489 XML Configuration for the HOB WebSecureProxy HOB RD VPN 36.11 The <radius-group> element The <radius-group> element holds the necessary data for a specific RADIUS domain for authentication. The <radius-group> element is optional and can be configured multiple times if you have more than one radius domain for authentication. 490 Element Description Valid Values name Name of the radius domain, used as reference option Enable additional radius options, at the moment only MS-CHAP-V2 is supported. 
  charset: Character set used to communicate with the RADIUS server. Valid values: UTF-8.
  timeout: How long the HOB WSP waits for an answer from the RADIUS server. Valid values: seconds.
  retry-after-error: When the HOB WSP is to communicate with this RADIUS domain again after an error. Valid values: seconds.
  comment: Any comment the administrator wants to add.
  radius-server: Holds only child elements for the configuration of a RADIUS server. Can be configured multiple times.
    Child elements of radius-server:
      name: Unique name of the RADIUS server. Valid values: text.
      radius-ineta: IP address or FQHN of the RADIUS server. Valid values: IP address or FQHN.
      UDP-port: Port for communication with the RADIUS server.
      shared-secret-plain: Shared secret of the RADIUS server.
      shared-secret-encrypted: Shared secret of the RADIUS server, encrypted and encoded in base64.
      comment: Comment for this RADIUS server.
      gate-ineta: Interface for communication with the RADIUS server. Optional.

36.12 The <LDAP-service> element

The <LDAP-service> element holds the data for a specific LDAP domain used for authentication. The element is optional and can be configured multiple times if you have more than one LDAP domain for authentication.

Element, description and valid values:
  name: Unique name of the LDAP domain.
  LDAP-entry: Holds only child entries for the configuration of an LDAP server.
    Child elements of LDAP-entry:
      name: Unique name of the LDAP server.
      serverineta: IP address or FQHN of the LDAP server. Valid values: IP address or FQHN.
      serverport: Port for access to the LDAP server. Valid values: port number.
      LDAP-template: Reference to an LDAP template, from which the required LDAP settings are taken.
      base-dn: Base distinguished name (DN) of the LDAP server.
      dn: Distinguished name (DN) of the LDAP user used for search requests.
      password: Password of the LDAP user used for search requests.
      timeout-search: Timeout for access to the LDAP server.
      wait-connect: How long to wait for a successful connect. Valid values: seconds.
      retry-after-error: When to connect again after an error. Valid values: seconds.
      max-session: Maximum number of simultaneous connections to the server.
      comment: Any comment, if required.
      gate-out-ineta: WSP network interface used for communication with the LDAP server.
      global-directory: Check to see whether the LDAP server is a Microsoft Global Catalog (global directory) server.
      search-nested-groups-level: For future use.
      search-default-attribute: Attribute name used for LDAP searches.
      SSL-config-file: Configuration file of the HOB Security Units for LDAPS.
      SSL-certdb-file: Database file of the HOB Security Units for LDAPS.
      SSL-password-file: Password file of the HOB Security Units for LDAPS.

36.13 The <LDAP-template> element

This element holds the configuration of an LDAP template. It is optional and can be added multiple times.

Element, description and valid values:
  editable: Specifies whether this template is editable within the GUI. Valid values: YES/NO.
  name: Name of the template, for reference.
  user-attribute: Name of the user attribute.
  group-attribute: Name of the group attribute.
  member-attribute: Name of the member attribute.
  membership-attribute: Name of the membership attribute.
  user-prefix: User prefix used in LDAP, for example cn.
  search-default-attribute: Attribute to search for, for example uid.

36.14 The <target-filter> element

This element holds the data for the HOB Target Filter. It is optional, and multiple target filters may be configured.
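The following is an added example, not code from HOB or from this guide, showing how the <allow> and <deny> child elements of a <target-filter> (<DNS-name>, <ineta> with CIDR notation, <protocol> as a name or hexadecimal number, <TCP-port>, <UDP-port>) can be evaluated against a connection target. The guide does not state how the WSP combines these criteria; the example assumes that every <allow> or <deny> element is one rule whose criteria must all match, that deny rules are checked before allow rules, that a target matching no rule is denied, and that a rule without criteria is a misconfiguration. The filter in SAMPLE_FILTER is constructed for this example.

```python
"""Evaluate HOB WSP <target-filter> rules against connection targets.

Added example (not HOB code). Assumptions not stated by the guide:
  - each <allow>/<deny> element is one rule; all criteria inside it must match;
  - <deny> rules are evaluated before <allow> rules; default is deny;
  - an <allow> or <deny> without criteria is rejected, not "match everything".
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

PROTOCOL_NAMES = {"TCP": 6, "UDP": 17, "ICMP": 1}


@dataclass(frozen=True)
class Target:
    """A connection the client asks the WSP to open."""
    ineta: str                      # destination IP address (v4 or v6)
    protocol: int                   # IP protocol number, e.g. 6 for TCP
    port: Optional[int] = None      # TCP/UDP destination port, if any
    dns_name: Optional[str] = None  # name the client used, if it used one


def parse_protocol(text: str) -> int:
    """TCP, UDP, ICMP or a hexadecimal protocol number such as 0x3a (IPv6 ICMP)."""
    value = text.strip()
    if value.upper() in PROTOCOL_NAMES:
        return PROTOCOL_NAMES[value.upper()]
    if value.lower().startswith("0x"):
        return int(value, 16)
    raise ValueError(f"protocol must be TCP, UDP, ICMP or a 0x.. number, got {text!r}")


def _criterion_matches(tag: str, value: str, target: Target) -> bool:
    if tag == "ineta":
        network = ipaddress.ip_network(value, strict=False)  # "10.1.1.5" or "10.1.1.0/24"
        return ipaddress.ip_address(target.ineta) in network  # False on v4/v6 mismatch
    if tag == "protocol":
        return parse_protocol(value) == target.protocol
    if tag == "TCP-port":
        return target.protocol == 6 and target.port == int(value)
    if tag == "UDP-port":
        return target.protocol == 17 and target.port == int(value)
    if tag == "DNS-name":
        # Only matches when the client addressed the target by that name; a
        # client that connects to the IP address directly never hits this criterion.
        return target.dns_name is not None and target.dns_name.lower() == value.lower()
    raise ValueError(f"unknown target-filter criterion <{tag}>")


def _rule_matches(rule: ET.Element, target: Target) -> bool:
    criteria = [(child.tag, (child.text or "").strip()) for child in rule]
    if not criteria:
        raise ValueError(f"<{rule.tag}> without criteria would match every target")
    return all(_criterion_matches(tag, value, target) for tag, value in criteria)


def is_allowed(filter_xml: str, target: Target) -> bool:
    """Deny rules win; otherwise any matching allow rule permits the target."""
    root = ET.fromstring(filter_xml)
    if any(_rule_matches(deny, target) for deny in root.iter("deny")):
        return False
    return any(_rule_matches(allow, target) for allow in root.iter("allow"))


# Constructed sample filter: HTTPS and ICMP to one subnet, HTTP to one host
# addressed by name, minus a single excluded address and all IPv6 ICMP.
SAMPLE_FILTER = """<target-filter>
  <name>intranet-web</name>
  <allow><ineta>10.1.1.0/24</ineta><protocol>TCP</protocol><TCP-port>443</TCP-port></allow>
  <allow><ineta>10.1.1.0/24</ineta><protocol>ICMP</protocol></allow>
  <allow><DNS-name>intranet.example.com</DNS-name><protocol>TCP</protocol><TCP-port>80</TCP-port></allow>
  <deny><ineta>10.1.1.5</ineta></deny>
  <deny><protocol>0x3a</protocol></deny>
</target-filter>"""

if __name__ == "__main__":
    for t in (Target("10.1.1.10", 6, 443), Target("10.1.1.5", 6, 443),
              Target("10.1.1.10", 17, 443), Target("10.1.2.7", 6, 80, "intranet.example.com")):
        print(t, "->", "allow" if is_allowed(SAMPLE_FILTER, t) else "deny")
```

The DNS-name case is the one to watch when writing deny rules: a <deny> that names a host by DNS name does not stop a client that connects to the host's IP address directly, so pair it with an <ineta> deny for the same address.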
Element, description and valid values:
  name: Name of the target filter, for reference.
  allow: Holds child elements that allow connections.
  deny: Holds child elements that deny connections.

The <allow> and <deny> elements take the same child elements:
  DNS-name: The DNS name of the connection target. Valid values: DNS name.
  ineta: The IP address or IP network of the connection target. Valid values: IP address, or network in CIDR notation (e.g. 10.1.1.0/24).
  protocol: The IP protocol used for the connection. Valid values: TCP, UDP, ICMP, or a valid protocol number in hexadecimal notation (e.g. 0x3a for IPv6 ICMP).
  TCP-port: The TCP port used for the connection.
  UDP-port: The UDP port used for the connection.

36.15 The <cluster> element

This element holds the data required to configure a cluster in your network.
Element, description and valid values:
  load-balancing-diff: Difference of the calculated load used for load balancing. Valid values: 1-10000.
  load-balancing-formula: Formula used to calculate the current load of a cluster node.
  interval-load-balancing-probe: How often the current load is measured. Valid values: seconds.
  time-retry-connect: Retry the connect if the connection is not established. Valid values: seconds.
  cluster-entry: Contains child objects that represent the cluster members.
    Child elements of cluster-entry:
      name: Name used in messages.
      type: Describes the position of this <cluster-entry>. Valid values: LOCAL or REMOTE.
      TCP-port: Type=LOCAL: port used for listening. Type=REMOTE: port used for connecting.
      gate-ineta: Type=LOCAL: IP address used. Valid values: IP address.
      remote-ineta: Type=REMOTE: used for the connection to the cluster node.
      timeout-millisec: Type=REMOTE: timeout if the cluster node is not available. Valid values: milliseconds.

36.16 The <client-side-ssl> element

This element configures the HOBLink Security Units for client-side SSL, used when the HOB WSP acts as the client of an SSL-enabled connection.

Element, description and valid values:
  SSL-config-file: Full path to the HOBLink Security Unit configuration file for client-side SSL.
  SSL-certdb-file: Full path to the HOBLink Security Unit database file for client-side SSL.
  SSL-password-file: Full path to the HOBLink Security Unit password file for client-side SSL.
  usage-DN: Optional; parameter to check the distinguished name from the certificate. Valid values: NOTHING/CHECK-URL.

36.17 The <OCSP-section> element

This section holds the configuration of the Online Certificate Status Protocol (OCSP). Use of OCSP is optional.

Element, description and valid values:
  OCSP-responder: This element has only child elements, for the configuration of an OCSP responder. An OCSP responder can be configured multiple times.
    Child elements of OCSP-responder:
      gate-ineta: Optional; assigns the outgoing network adapter. Valid values: IP address.
      OCSP-URL: URL of the OCSP responder. Valid values: URL.
      OCSP-ineta: Overrides the IP address or FQHN of the OCSP responder. Valid values: IP address or FQHN.
      OCSP-port: Overrides the port of the OCSP responder. Valid values: port number.
      timeout: Timeout for the connection to the OCSP responder. Valid values: seconds.
      wait-retry: Time to wait before retrying a failed OCSP responder. Valid values: seconds.

36.18 The <configuration-parameters> element

This section holds parameters for the WSP Configuration GUI only. It is ignored by the HOB WebSecureProxy.

37 Server Data Hook Configurations

The functionality of the HOB WebSecureProxy is extended by Server Data Hooks (SDH), configured through the <server-data-hook> element. If an SDH is referenced in the HOB WebSecureProxy configuration file, the HOB WebSecureProxy loads the corresponding library and can use its additional functionality. HOB RD VPN includes many such SDHs for different purposes. Each SDH can have its own settings, which are configured in its own <configuration-section> within the WebSecureProxy configuration file. This chapter gives a short overview of the included SDHs, their functionality and the settings in their <configuration-section>.

37.1 The Authentication Library (xl-sdh-webserver-01.dll)

The Authentication Library SDH is a basic SDH and is needed in almost every configuration. It is responsible for authenticating users, checking their requirements and privileges, and assigning each user to a specific role.
The Authentication Library is a special SDH and is therefore not referenced inside a <server-data-hook> element, but inside an <authentication-library-object> or <authentication-library> element. The following configuration settings are possible.

Element, description and valid values:
  allow-multiple-login: Indicates whether a user may log on multiple times. Valid values: YES/NO.
  close-sessions-at-logout: Indicates whether all sessions should be terminated when a user logs out. Valid values: YES/NO.
  domains: Configuration of the domain mappings. Has only child elements.
    Child elements of domains:
      show-list: Determines whether a drop-down list of the configured domains is shown; if it is not shown, the user has to enter the domain. Valid values: YES/NO.
      domain: Inside the <domain> element a valid domain is described. <domain> can occur multiple times inside <domains>.
        Child elements of domain:
          type: The authentication service type for this domain. Valid values: Kerberos, Radius or LDAP.
          name: The reference name of the configured domain in <Kerberos-5-KDC>, <radius-group> or <LDAP-service>, depending on the <type> element.
          corresponding-LDAP-service: The reference name of the <LDAP-service> used as configuration storage.
          base: Not mandatory. Relative distinguished name (RDN), relative to the base DN of the <LDAP-service> definition.
          auto-user-create: Determines whether a successfully authenticated user is automatically created in the configuration storage. Not available for all domain configurations. Valid values: YES/NO.
          admin-dn: Administrative account for access to LDAP, if a different authentication service is used for write access to LDAP, for example for a user's own settings (if allowed) or for domain administrator access.
          admin-password: Password of the <admin-dn> account.
          admin-group: Group of domain administrators. All members of this group are valid domain administrators.
  roles: The roles are configured inside the <roles> element.
    Child elements of roles:
      role: The <role> element configures one role. <role> can occur multiple times inside <roles>.
        Child elements of role:
          name: Name of the role.
          priority: The priority of the role. If the requirements of more than one role are fulfilled for a user, the role with the highest priority is chosen. Valid values: 1-100.
          session-time-limits: The time limits for which a session is valid.
            idle-period: After this time an idle session becomes invalid. Valid values: seconds.
            maximal-period: After this time a valid session has to use new security settings. Valid values: seconds.
          site-after-auth: Overrides the default login page from the web server configuration.
          compliancecheck: Reference name of a compliance check, if one is used.
          allow-browser-caching: Sets whether browser caching is allowed. Valid values: YES/NO.
          target-filter: Reference name of a target filter, if one is used.
          high-entropy: "YES" means that before the encrypted connections of the JWT stand-alone can be made, an additional dialog is shown that processes the user's input in order to strengthen the entropy of the random number generator, which is used by all cryptographic functions. For a configuration compliant with the CC, this value may not be set to "NO". Valid values: YES/NO, default is YES.
          portlets: Configuration of the portlets valid for this role.
            Child elements of portlets:
              portlet: Configuration of an available portlet; can occur multiple times.
                Child elements of portlet:
                  name: Name of the portlet. Valid values: Admin, jterm, wsg, wfa, settings, hobphone, ppptunnel, wspuc.
                  open: Indicates whether this portlet is open or closed by default. Valid values: YES/NO.
                  allow-configuration: Holds child nodes for user-controlled configuration settings.
                    Child elements of allow-configuration:
                      wsg-bookmarks: Sets whether the user is allowed to save Web Server Gate bookmarks. Valid values: YES/NO.
                      wfa-bookmarks: Sets whether the user is allowed to save Web File Access bookmarks. Valid values: YES/NO.
                      desktop-on-demand: Sets whether the user is allowed to save Desktop on Demand bookmarks. Valid values: YES/NO.
                      others: Sets whether the user is allowed to change other settings (for example language settings). Valid values: YES/NO.
          gui-skin: Sets the GUI skin to be used. Valid values: Default, dark-blue, green, maroon, no-banner.
          members: Holds child elements for the configuration of the valid users this role can be assigned to.
            Child elements of members:
              member: The <member> element configures a valid member of this role. Can occur multiple times inside <members>.
                Child elements of member:
                  type: Type of the LDAP object. Valid values: Group, User, OU.
                  dn: DN of these valid members.
          select-server: Displays the valid server lists.
            server-list-name: Name of a valid server list that should be accessible to this role.

37.2 The Web Server Gate SDH (xl-sdh-webserver-01)

The parameters for the web server and Web Server Gate SDH are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-webserver-01.

Element, description and valid values:
  root-dir: Sets the root directory of the integrated web server.
    This should point to: ../www.
  http-hostname: The HTTP Host header name for which this web server is responsible.
  settings: Must be set to: 0 0
  flags: Must be set to: 0 0
  compression: Sets whether compression is on or off. Valid values: YES/NO.
  virtual-link: Use the virtual link entry to create virtual links inside the web server.
    alias: The web server listens for this name and forwards the request to the URL given in the url element.
    url: The URL belonging to the virtual link.
  site-after-auth: The web site that is displayed after a successful authentication.
  gui-skin: The default GUI skin of the web server.
  show-site-after-auth-checkbox: Checkbox to force the redirect to the <site-after-auth>.

37.3 The Kerberos Ticket Service SDH (xl-sdh-krb5ts1-01)

The parameters for the Kerberos Ticket Service are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-krb5ts1-01.

Element, description and valid values:
  trace-krb5-api: Used only for debugging; should always be set to NO. Valid values: YES/NO, default is NO.
  trace-network: Used only for debugging; should always be set to NO. Valid values: YES/NO, default is NO.

37.4 The EA to LDAP SDH (xl-sdh-ea-ldap-01)

The parameters for the EA to LDAP SDH are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-ea-ldap-01.

Element, description and valid values:
  reload-path: Path to a file containing the random port of the administration interface.

37.5 The Compliance Check SDH (xl-sdh-compl-check-01)

The parameters for the Compliance Check SDH are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-compl-check-01.

Element, description and valid values:
  compliancelist: Holds all compliance check sub-entries.
  compliancecheck: Holds the values of one compliance check.
    Child elements of compliancecheck:
      name: Name of the compliance check, for reference.
      integrity-check: Holds only compliance check sub-nodes.
        version: Compliance check version; currently version 3.
        enable: Sets whether the compliance check is enabled. Valid values: YES/NO.
        policy: Sub-nodes with the settings of the compliance check.

The following is an example of a possible configuration of the Compliance Check SDH (xl-sdh-compl-check-01) using the parameters shown above:

  <configuration-section>
    <compliancelist>
      <compliancecheck>
        <name>ExampleComplianceCheck</name>
        <integrity-check>
          <version>3</version>
          <enable>YES</enable>
          <policy>
            <name>ExamplePolicy</name>
            <age-def-file>24</age-def-file>
            <last-scan>24</last-scan>
            <antivirus>
              <win>
                <vendor>
                  <name>24-7Safe.com</name>
                  <product>
                    <name>24-7Antivirus</name>
                    <version>1.x</version>
                  </product>
                </vendor>
              </win>
            </antivirus>
          </policy>
        </integrity-check>
        <anti-split-tunnel>
          <enable>NO</enable>
          <command>
            <type/>
            <mode/>
            <success>YES</success>
            <result_string/>
          </command>
          <parameters>
            <wsp/>
            <disable-local-networks>NO</disable-local-networks>
            <set-local-dns>YES</set-local-dns>
            <interval-wsp>60</interval-wsp>
            <interval-ast>10</interval-ast>
          </parameters>
        </anti-split-tunnel>
      </compliancecheck>
    </compliancelist>
  </configuration-section>

37.6 The Dynamic NAT PPP Tunnel SDH (xl-sdh-ppp-pf05)

The parameters for the Dynamic NAT PPP Tunnel SDH are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-ppp-pf-01.
Element, description and valid values:
  ALG-SIP: Determines whether the SIP Application Level Gateway is enabled. Valid values: YES/NO.
  NAT-control: Contains only sub-nodes.
    ineta-use-1: First private IP address range for dynamic NAT.
    ineta-use-2: Second private IP address range for dynamic NAT, used if a collision is detected for the first range.
  DNS-name: Holds sub-nodes for the DNS servers.
    ineta: IP address of a DNS server.

37.7 The HOBPhone SDH (xl-sdh-hobphone-01)

The parameters for the HOBPhone SDH are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-hobphone-01.

Element, description and valid values:
  use-UDP-gw-name: Name of the configured UDP gateway, if any.
  UDP-gate-timeout-ms: Timeout for the configured UDP gateway, if any. Valid values: a value in milliseconds.
  UDP-gate-keepalive-sec: Keepalive duration of the configured UDP gateway, if any. Valid values: a value in seconds.

37.8 The VNC Bridge SDH (xl-rdps-rfbc-1)

The parameters for the VNC Bridge SDH (also known as xl-sdh-rfbc-1) are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-rdps-rfbc-1.

Element, description and valid values:
  vnc-shared-flag: Sets the VNC shared flag. If the shared flag is set, more than one VNC client can connect to the same session. Note: sharing a session may not work, because it can be forbidden in the settings of the VNC server. Valid values: YES/NO, default is NO.
  vnc-password-plain: Sets the VNC password. Not required if authentication works without a password. Dynamic VNC sessions set the password in JWT.
  vnc-password-encrypted: Same as <vnc-password-plain>, but the password is coded in base64.
  vnc-version: Sets the maximum VNC protocol version used. Valid values: protocol version, e.g. 3.3.
  host-user: Sets the VNC user, if authentication works with user/password.
  host-password-plain: Sets the password, if authentication works with user/password.
  host-password-encrypted: Sets the password coded in base64, if authentication works with user/password.
  encryption: Sets the encryption level, similar to RealVNC. Valid values: prefer-off, prefer-on, always-on, always-maximum, let-vnc-server-choose.
  use-local-cursor: YES: the server sends the cursor only once, in the Cursor pseudo-encoding, if it is able to do so; the screen is therefore not updated each time the cursor is moved. The user cannot see where the cursor is if another user moves it. NO: the cursor is painted by the server all the time and sent as part of the screen. If more than one user is connected to the session, all of them can see the actual position of the cursor, but the server cannot send the position of the cursor if another user moves it, as in RDP. Valid values: YES/NO, default is YES.
  server-maps-keys: NO: the VNC Bridge maps the keys to the keyboard layout set on the client side (can also be set to the system standard). Note: for best results, set the server keyboard to the one set on the client, because some characters may not be displayable if a different keyboard is set (for example, with a German keyboard on the client side and an English keyboard on the server side, é may not be displayable, depending on the system). YES: only needed for some VNC servers that map the keys on their own. The client keyboard setting is then ignored, because the keys are mapped to the keyboard set on the server. Whether this is needed can only be found out by trial and error, unless there is an option on the VNC server. Try this option if characters specific to your local keyboard, such as öäüéß on a German keyboard, cannot be displayed. Valid values: YES/NO, default is NO.
  server-maps-capslock: NO: as specified in the RFB protocol, the server ignores the Caps Lock key; instead the VNC Bridge sends capitalized characters while Caps Lock is active. YES: only needed for servers that do not ignore Caps Lock; the Caps Lock on the client side is then ignored. You can tell whether this setting is needed if the wrong behavior is seen when Caps Lock is pressed; this can only be found out by trial and error, unless there is an option on the VNC server. If there is such an option, the best results are obtained when the server ignores Caps Lock and <server-maps-capslock> is set to NO. Valid values: YES/NO, default is NO.
  use-clipboard: YES: the clipboard is used. Note: VNC only allows text to be copied. NO: the clipboard is turned off. Valid values: YES/NO, default is YES.
  max-cut-text: The maximum size (in kB) of the text that can be copied. Note: VNC works differently from RDP. In VNC every text that is copied on the server is sent to the VNC client, regardless of whether it is used on the VNC client or the copy-and-paste operation is only happening on the server side. The text is then stored in the VNC Bridge until the RDP client requests it. Valid values: 0-256, default is 256.
  authentication: Decides where the authentication credentials are taken from. If RD-VPN-credentials is set, the settings <vnc-password>, <host-password> and <host-user> are ignored. If the server requires a VNC password and RD-VPN-credentials is set, the user's password is taken as the VNC password. Valid values: WSP-configuration, RD-VPN-credentials; default is WSP-configuration.
  show-splash-screen: Used only for debugging. Waits the given number of seconds after the initialization phase, so that the user can read the messages on the splash screen. Valid values: ON/OFF, default is OFF.
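Several of the elements described in chapters 36 and 37 have a form that should not appear in a production configuration: the clear-text variants <authenticate-use-password-plain>, <shared-secret-plain>, <vnc-password-plain> and <host-password-plain> where a base64/encrypted variant exists, the debugging switches <trace-krb5-api>, <trace-network> and <show-splash-screen>, and <high-entropy> set to NO in a role (not permitted for a CC-compliant configuration). The following is an added example, not HOB code, of a small audit that walks a WSP configuration file and reports these settings. The root element <wsp-configuration>, the rule that a -plain element has a matching -encrypted element, the treatment of a role without <target-filter> as a review item, and the sample configuration are assumptions made for this example.

```python
"""Audit a HOB WSP XML configuration for weak or debug-only settings.

Added example, not HOB code. Element names are those documented in the guide;
the <wsp-configuration> root and SAMPLE_CONFIG are constructed here.
"""
import base64
import xml.etree.ElementTree as ET
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str   # HIGH, MEDIUM or INFO
    path: str       # element path, with <name> values in brackets
    message: str


# Clear-text secrets for which the guide documents a base64/encrypted variant.
PLAIN_SECRETS = {
    "authenticate-use-password-plain": "L2TP gateway password",
    "shared-secret-plain": "RADIUS shared secret",
    "vnc-password-plain": "VNC password",
    "host-password-plain": "VNC host password",
}
# Debugging switches and the value that turns them on.
DEBUG_FLAGS = {"trace-krb5-api": "YES", "trace-network": "YES", "show-splash-screen": "ON"}


def _is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(value)


def _path(elem: ET.Element, parents: dict) -> str:
    """wsp-configuration/radius-group[corp-radius]/radius-server[rad1]/shared-secret-plain"""
    parts = []
    while elem is not None:
        name = elem.find("name")
        label = elem.tag
        if name is not None and name.text and name.text.strip():
            label += f"[{name.text.strip()}]"
        parts.append(label)
        elem = parents.get(elem)
    return "/".join(reversed(parts))


def audit(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings: List[Finding] = []

    def report(severity: str, elem: ET.Element, message: str) -> None:
        findings.append(Finding(severity, _path(elem, parents), message))

    for elem in root.iter():
        text = (elem.text or "").strip()
        if elem.tag in PLAIN_SECRETS:
            encrypted = elem.tag[: -len("-plain")] + "-encrypted"
            report("HIGH", elem, f"{PLAIN_SECRETS[elem.tag]} stored in clear text; use <{encrypted}>")
        elif elem.tag.endswith("-encrypted") and not _is_base64(text):
            report("MEDIUM", elem, "value is not valid base64; the WSP cannot decode it")
        elif elem.tag in DEBUG_FLAGS and text.upper() == DEBUG_FLAGS[elem.tag]:
            report("HIGH", elem, "debugging switch enabled; the guide says it should always be off")
        elif elem.tag == "allow-multiple-login" and text.upper() == "YES":
            report("INFO", elem, "users may hold several concurrent logins")

    for role in root.iter("role"):
        entropy = role.find("high-entropy")
        if entropy is not None and (entropy.text or "").strip().upper() == "NO":
            report("HIGH", entropy, "high-entropy NO is not permitted for a CC-compliant configuration")
        if role.find("target-filter") is None:  # optional per the guide; flagged for review here
            report("MEDIUM", role, "role references no <target-filter>; review which targets it may reach")
    return findings


# Constructed sample: one weak and one broken RADIUS secret beside a well-formed
# one, a debug trace left on, and one role without entropy dialog or target filter.
SAMPLE_CONFIG = """<wsp-configuration>
  <radius-group><name>corp-radius</name>
    <radius-server><name>rad1</name><radius-ineta>10.0.0.10</radius-ineta><UDP-port>1812</UDP-port>
      <shared-secret-plain>s3cret</shared-secret-plain></radius-server>
    <radius-server><name>rad2</name><radius-ineta>10.0.0.11</radius-ineta><UDP-port>1812</UDP-port>
      <shared-secret-encrypted>not base64!</shared-secret-encrypted></radius-server>
    <radius-server><name>rad3</name><radius-ineta>10.0.0.12</radius-ineta><UDP-port>1812</UDP-port>
      <shared-secret-encrypted>U29tZVNlY3JldA==</shared-secret-encrypted></radius-server>
  </radius-group>
  <server-data-hook><library-file-name>xl-sdh-krb5ts1-01</library-file-name>
    <configuration-section><trace-krb5-api>YES</trace-krb5-api><trace-network>NO</trace-network></configuration-section>
  </server-data-hook>
  <authentication-library>
    <allow-multiple-login>YES</allow-multiple-login>
    <roles>
      <role><name>contractors</name><priority>10</priority><high-entropy>NO</high-entropy></role>
      <role><name>staff</name><priority>50</priority><high-entropy>YES</high-entropy>
        <target-filter>intranet-web</target-filter></role>
    </roles>
  </authentication-library>
</wsp-configuration>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding.severity:6} {finding.path}: {finding.message}")
```

The base64 check only proves that the <...-encrypted> value can be decoded, not that it was produced by the WSP configuration tool; the LDAP bind <password> and <admin-password> elements have no encrypted variant in the guide, so for those the control is file permissions on the configuration file rather than a different element.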
37.9 The SOCKS SDH (xl-sdh-sock5-01)

The parameters for the SOCKS SDH (also known as xl-sdh-socks-01) are set inside the <configuration-section> of a <server-data-hook> entry whose <library-file-name> is xl-sdh-sock5-01.

Element, description and valid values:
  settings: Must be set to: 0 0
  flags: Must be set to: 0 0

38 HOB LDAP Scheme Extensions

The HOB LDAP Scheme Extension allows you to define and expand the attributes and classes used in your directory service. The base scheme included in the system contains a set of class definitions, such as user, computer and organizationalUnit, and attribute definitions, such as userName, telephoneNumber and objectSid. The existing set of classes and attributes provided by HOB is sufficient for most applications. However, the scheme is extensible, which means that you can define new classes and attributes. If the existing classes and attributes do not fit the type of data you want to store, you need to extend the scheme, using the HOB LDAP Scheme Extension to add attributes and object classes to the scheme of your existing LDAP system.

By means of the object classes, data can be linked to a user object. The attributes represent references to the respective data set, which are linked to a user object within the object class. If an external directory service is used, the scheme extension has to be applied. The HOB scheme extensions are located in \INSTALLDIR\LDAP-schema-extensions.

As an LDAP scheme extension is a security-critical operation, it usually requires certain administrator rights on the server systems. This chapter contains the information needed to make a scheme extension. Scheme additions are permanent: you can disable classes and attributes, but you can never remove them from the scheme.
In the course of the LDAP scheme extension, attributes and object classes are added to the scheme of an existing LDAP system. Scheme extensions are available for the following directory services:
  Microsoft Active Directory
  OpenDJ
  OpenLDAP
  IBM SecureWay Directory Server

38.1 Scheme Extension for Microsoft Active Directory

To run the LDAP schema extension for Microsoft Active Directory, Windows Server 2008 or Windows Server 2003 must be completely installed, including all extensions for the Active Directory Services. To use all software tools required to operate Active Directory Services, you may have to additionally install the relevant Windows Administration Tools from the Windows Server 2008 or Windows Server 2003 installation (from the delivered file ADMINPAK.MSI). Windows Server 2008 R2 and Windows Server 2012 usually do not require any additional installation.

The schema extension must always be run on the server where Microsoft Active Directory is installed; it cannot be run over a "remote" connection. You must be logged on to the relevant Microsoft Windows Server as an administrator with full rights for data access and for Microsoft Active Directory. The administrator account used for your current logon must be a member of the Schema Admins group. If this requires a modification of the user account, you must log on again or reboot the system. Microsoft says the following about these operations: "To modify the schema, you must use an account that is a member of the Schema Admins group and has the necessary rights.
By default, the only member in that security group is the Administrator account in the root domain of the enterprise. If you want to add other accounts, you have to add them explicitly. Membership in the Schema Admins group must be highly restricted to prevent unauthorized access to the schema because modifying the schema improperly can have serious consequences."

38.1.1 General issues with Microsoft Active Directory on Windows Servers

To avoid unexpected problems with the schema extension, read and follow the instructions below. Because changing the Microsoft Active Directory schema is a serious intervention in the system, Microsoft has put certain safeguards in place that must be dealt with before the schema can be extended with the HOB entries.

The scheme extension must be executed on the primary Microsoft Active Directory server first. If the Microsoft Active Directory installation is distributed over several servers, one of them is the "primary" Microsoft Active Directory server (the domain controller holding the Schema Master role, see below).

The actions described below must be performed manually; HOB provides a batch file to simplify the task. In the directory \INSTALLDIR\LDAP-schema-extensions\MS-ActiveDirectory you will find the batch file prepare.bat, which carries out the following two actions:
1. A registration call is made so that the Active Directory Schema can be displayed in the Microsoft Management Console. To do this, the DLL Schmmgmt.dll is registered in your system with the Windows program Regsvr32.exe.
2. Authorization for a schema extension must be activated in the Active Directory Schema console, which is opened in a Microsoft Management Console (MMC). Here, as administrator, you may have to manually activate schema changes in the Operations Master dialog of the Active Directory Schema console.
To perform these actions proceed as follows:
1. Copy the batch file prepare.bat from \INSTALLDIR\LDAP-schema-extensions\MS-ActiveDirectory to a directory on the Microsoft Active Directory server.
2. Open a console window for command-line entry and change to that directory on the Microsoft Active Directory server.
3. Start the batch file by entering the following in the console window: prepare [ENTER]
4. The DLL registration has completed when the following message appears: DllRegisterServer in Schmmgmt.dll succeeded.
5. Click OK.
6. Start the Microsoft Management Console (MMC) by entering the following in the console window: mmc [ENTER]
7. The MMC starts. Select Add/Remove Snap-in... from the File menu of the MMC window.
8. Select Active Directory Schema from the list of available snap-ins and add it to the selected snap-ins.
9. Click OK.
10. Select the entry Active Directory Schema in the Console Root pane of the MMC window.
11. Right-click Active Directory Schema and select Operations Master... from the displayed menu.
Figure 1: MS Active Directory MMC - Active Directory Schema options menu
12. The Change Schema Master dialog opens. Verify that modifying and extending the Microsoft Active Directory schema is allowed on this domain controller, and activate schema changes if they are not already activated.
13. Click OK to close the dialog.
14. In the main menu select Console > Save to save the changes. You can use the Active Directory Schema MMC later to verify the schema extension.
15. Close the Microsoft Management Console.
This procedure needs to be done only once.

38.1.2 Running the LDAP Scheme Extension
1. To run the LDAP scheme extension, copy all files from the sub-directory \INSTALLDIR\LDAP-schema-extensions\MS-ActiveDirectory to a directory on the Microsoft Active Directory server.
2.
From this directory run the tool HOB_AD_Util.exe.
3. In the dialog window that is displayed, click the button Extend Schema for HOB EA.
Figure 2: HOB EA Utility for MS Active Directory
4. The Select HOB EA Objectclasses dialog is displayed:
Figure 3: Select HOB EA Objectclasses
5. In this dialog select HOB EA Scheme Extension and click OK.
6. After a successful LDAP scheme extension the dialog below is displayed:
Figure 4: Result of the HOB LDAP Scheme Extension
7. Click OK to close this screen and return to the Select HOB EA Objectclasses dialog, where you can now select the HOB scheme extension for any other extension you want to make, for example HOBPhone.
8. Close the window of the HOB LDAP Scheme Extension tool.

38.1.3 Verifying the LDAP Scheme Extension

You can use the Active Directory Schema MMC window, as explained in Section 38.1.1 General issues with Microsoft Active Directory on Windows Servers, to verify the schema extension.
1. Open the MMC window again and expand the hierarchy tree in the Console Root pane.
2. If you select Classes or Attributes in the Console Root pane, the object classes or attributes in the schema are displayed in the center pane of the window.
3. You will find HOB-specific entries in the list of object classes or attributes, depending on the selected item. The list of HOB-specific attributes can be found in Section 38.5 Adding HOB Specific Object Classes.
Figure 5: Microsoft Active Directory MMC - Active Directory Schema Attributes

38.1.4 Assigning HOB Specific Attributes to Microsoft Active Directory Objects

After the scheme extension has been performed in Microsoft Active Directory, the Microsoft Active Directory objects that are to hold HOB-specific configurations must be given the necessary authorization.
This way a HOB specific configuration can be saved in a HOB specific attribute of a Microsoft Active Directory object. For more information on this topic, see Section 38.5 Adding HOB Specific Object Classes.

The HOB-specific attributes (from the schema extension) are mandatory for configuring some HOB products. This assignment must be performed manually. Decide carefully to which Microsoft Active Directory objects (Users, Groups, Containers, for example) this assignment is to be added. The figures in the following section show a group item that is used as an example.

1. Open the snap-in Active Directory Users and Computers in a Microsoft Management Console (MMC) window.

Figure 6: Microsoft Active Directory Users and Computers

2. Activate the Advanced Features item from the View menu.
3. Select an item from the available Microsoft Active Directory objects (User, Group, Container) and open the corresponding context menu.

Figure 7: Microsoft Active Directory Users and Computers - Object context menu

4. Open the Properties dialog of the selected item from the context menu.

Figure 8: Microsoft Active Directory Users and Computers - Group properties

5. In the resulting dialog (above), select the tab Attribute Editor; the following dialog is displayed.
6. Scroll down, select the attribute objectClass from the list of attributes and click the Edit button to edit this attribute.

Figure 9: Microsoft Active Directory Users and Computers Properties - Attribute Editor 'objectClass'

7. In the Edit Attribute dialog (below), add the HOB specific object class hoboc to the selected attribute objectClass by entering it in the Value to Add field.

Figure 10: Microsoft Active Directory Attribute Editor - Add hoboc in Edit dialog

8. Click Add to add this value to the objectClass attribute.

Figure 11: Microsoft Active Directory Attribute Editor - hoboc Added to ObjectClass

9. Now that the object class hoboc has been added to the attribute objectClass of the selected object, HOB-specific configuration data can be stored in any attribute belonging to the object class hoboc for this object (a group object is used in this example).

Figure 12: Microsoft Active Directory - Properties Dialog after Assignment

These steps must be repeated for all objects that are to be configured for HOB products.

38.2 Scheme Extensions for OpenDJ

To make the HOB LDAP Scheme Extension for OpenDJ you must copy a single .ldif file into the relevant directory. This file, 90-hobschema.ldif, is located in the following directory of the server installation:

INSTALLDIR\LDAP-schema-extensions\openDS

Locate this file and copy it to the following target directory on the external directory server:

INSTALLDIR_of_OpenDJ\config\schema

When the file has been copied, restart OpenDJ. The scheme extension is then complete. The new entries in the LDAP scheme only take effect once the LDAP Server has been restarted.

38.3 Scheme Extensions for OpenLDAP

The OpenLDAP Server can be deployed on any of the following UNIX systems:

Apple MACOS X
Be BeOS
FreeBSD
Hewlett Packard HP-UX
Hewlett Packard Tru64 UNIX
IBM AIX
Linux
OpenBSD
Silicon Graphics IRIX
Sun Microsystems Solaris
Sun Microsystems SunOS

A recommended and competent point of reference, providing comprehensive knowledge and assistance for OpenLDAP, is the web site www.openldap.org. This site contains detailed information about installing OpenLDAP and also provides a detailed FAQ section that can answer many questions.
38.3.1 Make the HOB LDAP scheme extension available to the Server

To make the HOB LDAP Scheme Extension for OpenLDAP you must copy the file hob.schema into the relevant directory. This file is located in the following directory of the server installation:

INSTALLDIR\LDAP-schema-extensions\openLDAP

Locate this file and copy it to the relevant target directory on the external directory server.

38.3.2 Set Include path of the HOB scheme extension

After the installation of OpenLDAP (depending on the individual installation parameters) the following file can be found in the configuration directory of OpenLDAP:

/etc/openldap/slapd.conf

This file contains the include directives. These provide additional configuration information and can be used to improve the structure of your configuration file. In this file set the include path to the HOB scheme extension, as follows:

include /etc/openldap/schema/hob.schema

The new entries in the LDAP scheme only take effect once the LDAP server has been restarted.

38.4 Scheme Extensions for IBM SecureWay Directory Server

To make the HOB LDAP Scheme Extension for IBM SecureWay Directory Server you must copy the following files into the relevant directory:

V3.ibmhob.at (contains HOB specific attributes)
V3.ibmhob.oc (contains HOB specific object classes)

These files are located in the following directory of the server installation:

INSTALLDIR\LDAP-schema-extensions\IBM-DirectoryServer

If you are the authorized system administrator you must now customize the LDAP configuration file. On the AS400 you will find a sub-directory named DirSrv. This directory holds the files describing the attributes and object classes of the LDAP Directory Service. This is the destination directory into which you need to copy the files V3.ibmhob.at and V3.ibmhob.oc from the directory referenced above.

Locate these files and copy them to the following target directory on the external directory server:

/QIBM/UserData/OS400/DirSrv/

The sub-directory DirSrv also contains the file slapd.conf. This file includes a list of all attribute and object class files that are available to the LDAP server. All files must be included in the LDAP system using the keyword includeSchema. Use this keyword to add the file names V3.ibmhob.at and V3.ibmhob.oc to the slapd.conf file along with their complete paths. The lines added might look as follows:

includeSchema /QIBM/UserData/OS400/DirSrv/V3.ibmhob.at
includeSchema /QIBM/UserData/OS400/DirSrv/V3.ibmhob.oc

Add the entry for the attribute file V3.ibmhob.at before the entry for the object class file V3.ibmhob.oc, as the attributes must be known to the system before any object classes that use them can be included. Usually the file slapd.conf is already sorted into attribute files and object class files; place each of the files referenced above on a new line after the last file of the respective type. The new entries in the LDAP scheme only take effect once the LDAP Server has been restarted.

38.5 Adding HOB Specific Object Classes

To perform the HOB LDAP Scheme Extension on other LDAP systems, you must manually register the relevant HOB object classes:

For HOB RD VPN the applicable object class is hoboc.
For HOBPhone the applicable object class is hobphone.
For HOBCOM the applicable object class is hobcom.
For versions of the HOB WebSecureProxy in previous versions of HOB RD VPN and certain versions of HOBLink VPN the applicable object class is hobgateway.

Adding the object class hoboc is mandatory, whereas the object class hobphone is only needed for HOBPhone and hobcom is needed only for HOBCOM. The object class hobgateway is listed here but is not required for this edition of HOB RD VPN.
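Registering the HOB object classes by hand, as this section requires for other LDAP systems, and the hob.schema file used with the OpenLDAP include directive of Section 38.3 both come down to the same thing: one attribute type definition per row of the tables in Sections 38.5.1 to 38.5.4 (name, OID, syntax, single- or multi-valued), followed by one object class definition per row of Table 6 that may carry those attributes. The following added example is not HOB's own tool and does not reproduce the contents of HOB's schema files; it generates such definitions in the OpenLDAP slapd.conf schema syntax from a subset of the names and OIDs in Tables 1 and 3. Two mappings are assumptions: the syntax BINARY of Table 5 is mapped to the standard LDAP Octet String syntax (1.3.6.1.4.1.1466.115.121.1.40, with octetStringMatch as equality rule), and the HOB classes are declared as AUXILIARY classes of top, which matches the way hoboc is added to existing group objects in Section 38.1.4. Whether a given directory accepts the definitions unchanged depends on the LDAP system in use.

```python
"""Generate OpenLDAP-style schema definitions for the HOB object classes.

Added example, not HOB's tool. Attribute names and OIDs are copied from
Tables 1 and 3 of the guide; the BINARY -> Octet String mapping and the
AUXILIARY class kind are assumptions (see the text above).
"""
from dataclasses import dataclass

# LDAP syntax OIDs from RFC 4517. IA5String is the one given in Table 5;
# "BINARY" in Table 5 is mapped to Octet String here (assumption).
SYNTAX_OIDS = {
    "BINARY": ("1.3.6.1.4.1.1466.115.121.1.40", "octetStringMatch"),
    "IA5String": ("1.3.6.1.4.1.1466.115.121.1.26", "caseIgnoreIA5Match"),
}


@dataclass(frozen=True)
class HobAttribute:
    name: str
    oid: str
    desc: str
    multi_valued: bool = False   # rows marked (*) in the tables


@dataclass(frozen=True)
class HobObjectClass:
    name: str
    oid: str
    syntax: str                  # key into SYNTAX_OIDS, per Table 5
    attributes: tuple


# A subset of Table 1 (object class hoboc) and Table 3 (hobcom), taken from
# the guide; the remaining rows would be entered the same way.
HOBOC = HobObjectClass("hoboc", "1.3.6.1.4.1.6275.1", "BINARY", (
    HobAttribute("hobhlserver", "1.3.6.1.4.1.6275.2", "HOB Enterprise Access Settings"),
    HobAttribute("hobcert", "1.3.6.1.4.1.6275.32", "HOB Certificate Identification", True),
    HobAttribute("hobrdvpnuser", "1.3.6.1.4.1.6275.35", "HOB RD VPN User Settings"),
    HobAttribute("hobsid", "1.3.6.1.4.1.6275.56", "HOB RD VPN External Security Identifier"),
))
HOBCOM = HobObjectClass("hobcom", "1.3.6.1.4.1.1636.1", "IA5String", (
    HobAttribute("hcName", "1.3.6.1.4.1.1636.15", "HOBCOM user name"),
    HobAttribute("hcPassword", "1.3.6.1.4.1.1636.17", "HOBCOM user password"),
    HobAttribute("hcSessMan", "1.3.6.1.4.1.1636.21", "HOBCOM session manager entries", True),
))


def validate_oid(oid: str) -> None:
    """Reject anything that is not a dotted sequence of decimal arcs."""
    arcs = oid.split(".")
    if len(arcs) < 2 or not all(a.isdigit() for a in arcs):
        raise ValueError(f"malformed OID: {oid!r}")


def attribute_definition(attr: HobAttribute, syntax: str) -> str:
    """One 'attributetype' definition; SINGLE-VALUE unless the row is marked (*)."""
    validate_oid(attr.oid)
    syntax_oid, equality = SYNTAX_OIDS[syntax]
    lines = [
        f"attributetype ( {attr.oid} NAME '{attr.name}'",
        f"    DESC '{attr.desc}'",
        f"    EQUALITY {equality}",
        f"    SYNTAX {syntax_oid}",
    ]
    if not attr.multi_valued:
        lines.append("    SINGLE-VALUE")
    lines[-1] += " )"
    return "\n".join(lines)


def objectclass_definition(oc: HobObjectClass) -> str:
    """One 'objectclass' definition listing every attribute of the class as MAY."""
    validate_oid(oc.oid)
    may = " $ ".join(a.name for a in oc.attributes)
    return (f"objectclass ( {oc.oid} NAME '{oc.name}'\n"
            f"    DESC 'HOB schema extension: {oc.name}'\n"
            f"    SUP top AUXILIARY\n"
            f"    MAY ( {may} ) )")


def render_schema(classes) -> str:
    """All attribute types first, then the object classes that reference them."""
    parts = [attribute_definition(a, oc.syntax) for oc in classes for a in oc.attributes]
    parts += [objectclass_definition(oc) for oc in classes]
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    print(render_schema([HOBOC, HOBCOM]))
```

Attribute types are always emitted before the object class that references them, for the same reason Section 38.4 requires V3.ibmhob.at to be included before V3.ibmhob.oc: a directory rejects an object class whose MAY attributes are not yet known. Rows marked (*) in the tables are emitted without SINGLE-VALUE, and every OID is checked for shape before it is written, so a typo in a transcribed OID fails at generation time rather than at server start.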
For the registration of the object classes use the Scheme Management tool that is provided by the LDAP system. The IDs used in the HOB Scheme Extension are officially registered and can be found under: http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers

HOB specific attributes

Attributes can be generated by indicating the attribute name and its ASN.1 ID (OID number) according to the following tables.

38.5.1 Attributes for the HOB Object Class hoboc

Attribute Name        OID Number             Description                                              Objectclass
hobhlserver           1.3.6.1.4.1.6275.2     HOB Enterprise Access Settings                           hoboc
hobhobte              1.3.6.1.4.1.6275.3     HOB EA Terminal Emulation Settings                       hoboc
hobvpn                1.3.6.1.4.1.6275.4     HOBLink VPN Settings                                     hoboc
hobmonitor            1.3.6.1.4.1.6275.5     HOB EA Monitoring Settings                               hoboc
hobproxy              1.3.6.1.4.1.6275.6     HOB EA Proxy Settings                                    hoboc
hobjwt                1.3.6.1.4.1.6275.7     HOB EA JWT Settings                                      hoboc
hobalias              1.3.6.1.4.1.6275.9     HOB EA Alias Name Settings                               hoboc
hobx11                1.3.6.1.4.1.6275.11    HOB X11 Settings                                         hoboc
hobb                  1.3.6.1.4.1.6275.12    HOBLink VPN BM Settings                                  hoboc
hobc                  1.3.6.1.4.1.6275.13    HOBLink VPN NAT Settings                                 hoboc
hobd                  1.3.6.1.4.1.6275.14    HOBLink VPN Management Settings                          hoboc
hobe                  1.3.6.1.4.1.6275.15    HOBLink SSH Configuration (not a hxml file) as property file   hoboc
hobf                  1.3.6.1.4.1.6275.16    HOBLink SSH Known Hosts (not a hxml file)                hoboc
hobg                  1.3.6.1.4.1.6275.17    HOB LogView Settings                                     hoboc
hobh                  1.3.6.1.4.1.6275.18    FTP Browser                                              hoboc
hobi                  1.3.6.1.4.1.6275.19    HOBLink VPN NameSpaceProvider Settings                   hoboc
hobj                  1.3.6.1.4.1.6275.20    WSP Desktop-On-Demand                                    hoboc
hobk                  1.3.6.1.4.1.6275.21    HOB WSP UC Settings                                      hoboc
hobl                  1.3.6.1.4.1.6275.22    WSP WebServer                                            hoboc
hobm                  1.3.6.1.4.1.6275.23    HOB EA Integrity Check                                   hoboc
hobn                  1.3.6.1.4.1.6275.24    HOB EA reserve n Settings                                hoboc
hobo                  1.3.6.1.4.1.6275.25    HOB EA reserve o Settings                                hoboc
hobp                  1.3.6.1.4.1.6275.26    HOB-Track                                                hoboc
hobq                  1.3.6.1.4.1.6275.27    HOB Workplace Settings                                   hoboc
hobr                  1.3.6.1.4.1.6275.28    Telnet Resource Manager (not a hxml file)                hoboc
hobs                  1.3.6.1.4.1.6275.29    HOB HOBLink Secure Settings (SSL)                        hoboc
hobt                  1.3.6.1.4.1.6275.30    HOBLink VPN Startup Rules                                hoboc
hobvpnprop            1.3.6.1.4.1.6275.31    HOBLink VPN Property Settings                            hoboc
hobcert (*)           1.3.6.1.4.1.6275.32    HOB Certificate Identification                           hoboc
hobcookies            1.3.6.1.4.1.6275.33    HOB RD VPN User Cookies                                  hoboc
hobverification (*)   1.3.6.1.4.1.6275.34    HOB RD VPN Verification IDs                              hoboc
hobrdvpnuser          1.3.6.1.4.1.6275.35    HOB RD VPN User Settings                                 hoboc
hobrdvpnlog           1.3.6.1.4.1.6275.36    HOB RD VPN Log Settings                                  hoboc
hobreservec           1.3.6.1.4.1.6275.37    HOB reserve c Settings                                   hoboc
hobreserved           1.3.6.1.4.1.6275.38    HOB reserve d Settings                                   hoboc
hobreservee           1.3.6.1.4.1.6275.39    HOB reserve e Settings                                   hoboc
hobreservef           1.3.6.1.4.1.6275.40    HOB reserve f Settings                                   hoboc
hobreserveg           1.3.6.1.4.1.6275.41    HOB reserve g Settings                                   hoboc
hobreserveh           1.3.6.1.4.1.6275.42    HOB reserve j Settings                                   hoboc
hobreservei           1.3.6.1.4.1.6275.43    HOB reserve j Settings                                   hoboc
hobreservej           1.3.6.1.4.1.6275.44    HOB reserve j Settings                                   hoboc

Extensions:

hobrdvpnbmwfa         1.3.6.1.4.1.6275.45    HOB RD VPN User Bookmarks WFA                            hoboc
hobrdvpnbmwsg         1.3.6.1.4.1.6275.46    HOB RD VPN User Bookmarks WSG                            hoboc
hobrdvpnbmsess        1.3.6.1.4.1.6275.47    HOB RD VPN User Bookmarks Session                        hoboc
hobrdvpndod           1.3.6.1.4.1.6275.48    HOB RD VPN Desktop-On-Demand Settings                    hoboc
hobrdvpnpi            1.3.6.1.4.1.6275.49    HOB RD VPN Personal IPs                                  hoboc
hobrdvpnmsg           1.3.6.1.4.1.6275.50    HOB RD VPN User Messages                                 hoboc
hobuserhistory (*)    1.3.6.1.4.1.6275.51    HOB RD VPN User History                                  hoboc
racfid                1.3.6.1.4.1.6275.52    IBM RACF ID (used by W&W, IBM Tivoli only)               hoboc
racfpassticket        1.3.6.1.4.1.6275.53    RACF Passticket (IBM Tivoli only)                        hoboc
hobica                1.3.6.1.4.1.6275.54    HOB RD VPN Citrix ICA Settings                           hoboc
hobmstsc              1.3.6.1.4.1.6275.55    HOB RD VPN MS RDP Settings                               hoboc
hobsid                1.3.6.1.4.1.6275.56    HOB RD VPN External Security Identifier                  hoboc
hobjwtsa              1.3.6.1.4.1.6275.57    HOB HL JWT Standalone Webstart Configuration             hoboc

Table 1: Attributes for the HOB Object Class hoboc

All attributes are single-valued, except for those marked (*), which are multi-valued.

38.5.2 Attributes for the HOB Object Class hobphone

Attribute Name        OID Number             Description                     Objectclass
hobphoneconfig        1.3.6.1.4.1.1636.201   HOBPhone Configuration          hobphone
hobphonelog           1.3.6.1.4.1.1636.202   HOBPhone Logs                   hobphone
hobphonepbx           1.3.6.1.4.1.1636.203   HOBPhone PBX Configuration      hobphone
hobphonereserva       1.3.6.1.4.1.1636.204   HOBPhone Reserved A             hobphone
hobphonereservb       1.3.6.1.4.1.1636.205   HOBPhone Reserved B             hobphone
hobphonereservc       1.3.6.1.4.1.1636.206   HOBPhone Reserved C             hobphone
hobphonereservd       1.3.6.1.4.1.1636.207   HOBPhone Reserved D             hobphone
hobphonereserve       1.3.6.1.4.1.1636.208   HOBPhone Reserved E             hobphone
hobphonereservf       1.3.6.1.4.1.1636.209   HOBPhone Reserved F             hobphone
hobphonereservg       1.3.6.1.4.1.1636.210   HOBPhone Reserved G             hobphone

Table 2: Attributes for the HOB Object Class hobphone

38.5.3 Attributes for the HOB Object Class hobcom

Attribute Name        OID Number             Description                                      Objectclass
hcCoMask              1.3.6.1.4.1.1636.10    HOBCOM authorization mask                        hobcom
hcEnFull              1.3.6.1.4.1.1636.11    HOBCOM encryption range                          hobcom
hcEnKey               1.3.6.1.4.1.1636.12    HOBCOM encryption key                            hobcom
hcEnKeyHex            1.3.6.1.4.1.1636.13    HOBCOM encryption hex key                        hobcom
hcGroup               1.3.6.1.4.1.1636.14    HOBCOM group number                              hobcom
hcName                1.3.6.1.4.1.1636.15    HOBCOM user name                                 hobcom
hcNo                  1.3.6.1.4.1.1636.16    HOBCOM personal number                           hobcom
hcPassword            1.3.6.1.4.1.1636.17    HOBCOM user password                             hobcom
hcTegro               1.3.6.1.4.1.1636.18    HOBCOM terminal group name                       hobcom
hcType                1.3.6.1.4.1.1636.19    HOBCOM entry type (user / printer)               hobcom
hcUserID              1.3.6.1.4.1.1636.20    HOBCOM RACF UserID                               hobcom
hcSessMan (*)         1.3.6.1.4.1.1636.21    HOBCOM session manager entries                   hobcom
hcSession             1.3.6.1.4.1.1636.22    HOBCOM session count                             hobcom
hcBtList (*)          1.3.6.1.4.1.1636.23    HOBCOM batch task list entries as property file  hobcom
hcUserList (*)        1.3.6.1.4.1.1636.24    HOBCOM sub user entries as property file         hobcom

Table 3: Attributes for the HOB Object Class hobcom

All attributes are single-valued, except for those marked (*), which are multi-valued.

38.5.4 Attributes for the HOB Object Class hobgateway

Attribute Name        OID Number             Description                                      Objectclass
hobgwwsp              1.3.6.1.4.1.6275.101   HOB Gateway Attributes Web Secure Proxy          hobgateway
hobgwa                1.3.6.1.4.1.6275.102   HOB Gateway Attributes 1 Settings                hobgateway
hobgwb                1.3.6.1.4.1.6275.103   HOB Gateway Attributes 2 Settings                hobgateway
hobgwc                1.3.6.1.4.1.6275.104   HOB Gateway Attributes 3 Settings                hobgateway
hobgwd                1.3.6.1.4.1.6275.105   HOB Gateway Attributes 4 Settings                hobgateway
hobgwe                1.3.6.1.4.1.6275.106   HOB Gateway Attributes 5 Settings                hobgateway
hobgwf                1.3.6.1.4.1.6275.107   HOB Gateway Attributes 6 Settings                hobgateway
hobgwg                1.3.6.1.4.1.6275.108   HOB Gateway Attributes 7 Settings                hobgateway
hobgwh                1.3.6.1.4.1.6275.109   HOB Gateway Attributes 8 Settings                hobgateway
hobgwi                1.3.6.1.4.1.6275.110   HOB Gateway Attributes 9 Settings                hobgateway
hobgwcert (*)         1.3.6.1.4.1.6275.111   HOB Gateway Certificate                          hobgateway

Table 4: Attributes for the HOB Object Class hobgateway

All attributes are single-valued, except for those marked (*), which are multi-valued.

38.5.5 Applicable Attribute Syntax

Select the applicable attribute syntax according to the following table.

Object class    Attribute Syntax
hoboc           For all attributes from the Attribute Name column of Table 1 that use the object class hoboc. All attributes are of type binary octets and use the attribute syntax BINARY. They are single-valued except where stated otherwise.
hobphone        For all attributes from the Attribute Name column of Table 2 that use the object class hobphone. All attributes are of type binary octets and use the attribute syntax BINARY. They are single-valued.
hobcom          For all attributes from the Attribute Name column of Table 3 that use the object class hobcom. All attributes are of type IA5String (1.3.6.1.4.1.1466.115.121.1.26). They are single-valued except where stated otherwise.
hobgateway      For all attributes from the Attribute Name column of Table 4 that use the object class hobgateway. All attributes are of type binary octets and use the attribute syntax BINARY. They are single-valued except where stated otherwise.

Table 5: Attribute types for the HOB Object Classes

38.5.6 Object Classes

Generate the object class names and ASN.1 IDs (OID numbers) according to the following table:

Object Class    ASN.1-ID
hoboc           1.3.6.1.4.1.6275.1
hobphone        1.3.6.1.4.1.1636.200
hobcom          1.3.6.1.4.1.1636.1
hobgateway      1.3.6.1.4.1.6275.100

Table 6: HOB Object Class ID numbers

To the object class names you now add the MAY attributes required for the respective LDAP system (see Tables 1 to 4 above). You can also add MUST attributes if they are required by the LDAP system. These are dependent on the LDAP system in use.

38.6 LDAP Attributes / Options

LDAP-related key terms for the selected LDAP server system are displayed here. If you have specified LDAP Server System: Generic, you can make valid entries for your LDAP server. The applicable LDAP attributes are:

User (object name) – this attribute name identifies the object as a user.
Group (object name) – this attribute name identifies the object as a group.
Member (membership attribute) – the group attribute is part of the group properties and identifies users as members of groups.
Attribute Value of Member – enter in this field the name of the attribute (for example uid) whose value is stored in the attribute that determines group membership (for example member). When a user logs on, HOB RD VPN determines which groups this user is a member of. If the membership information is not stored with the user, all groups have to be examined to see whether the user logging on is configured as a member of the group. To do this, the group attribute is normally checked to see whether it contains the DN (distinguished name) of the user. In this case, as with most LDAP systems, leave the Attribute Value of Member field empty. However, if your LDAP system is configured in such a way that the group attribute does not hold a DN but a different attribute (uid, for example) is used to characterize group membership, this check by DN is not possible. In this case enter the name of that attribute (uid) in the Attribute Value of Member field.
Membership (User attribute) – membership is part of the properties of the user. This user attribute indicates the membership of users in groups.
Timeout (in sec) – this determines the time limit in seconds for the LDAP server to respond. If there is no response within the specified period, an error message occurs.
User prefix – determines the keyword required for the LDAP Server. Depending on the LDAP Server System configured on the Connection tab, this field contains a pre-defined value, such as cn= for IBM Tivoli Directory Server. For more information refer to the user guide of your LDAP Server System.

LDAP System Type

The type of LDAP system is configured under the attribute <LDAP-template> in the <LDAP-service> element in the HOB WebSecureProxy configuration. Timeout can be configured under the attribute <timeout-search> in the <LDAP-service> element in the HOB WebSecureProxy configuration. For more information see Section 36.12 The <LDAP-service> element.
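How the Member, Attribute Value of Member and Membership options interact is easiest to see in code. The following added example is not part of HOB RD VPN or of its configuration; it resolves a user's groups over a small constructed in-memory directory in the way the text above describes. If a user attribute such as memberOf is configured, it is used directly and no groups are scanned; otherwise every group object is examined and its member attribute is compared either against the user's DN (Attribute Value of Member left empty) or against the user's value of the named attribute (for example uid). The option field names, the object class and attribute names of the sample entries, and the minimal DN normalization are all assumptions chosen for the example.

```python
"""Resolve a user's group membership as described for the LDAP options.

Added example, not HOB code. Entries below are constructed sample data;
the option names mirror the fields on the page (Member, Attribute Value
of Member, Membership).
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)   # attribute name -> list of values

    def values(self, name: str) -> list:
        # Attribute names are case-insensitive in LDAP.
        for key, vals in self.attrs.items():
            if key.lower() == name.lower():
                return list(vals)
        return []


@dataclass
class LdapOptions:
    user_class: str = "inetOrgPerson"    # "User (object name)"
    group_class: str = "groupOfNames"    # "Group (object name)"
    member_attr: str = "member"          # "Member (membership attribute)"
    member_value_attr: str = ""          # "Attribute Value of Member": empty = compare DNs
    membership_attr: str = ""            # "Membership (User attribute)", e.g. memberOf


def normalize_dn(dn: str) -> str:
    """Minimal DN normalization: lower-case, strip blanks around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def groups_of(user: Entry, directory: list, opts: LdapOptions) -> list:
    """Return the (normalized) DNs of the groups the user belongs to."""
    if opts.user_class.lower() not in (c.lower() for c in user.values("objectClass")):
        raise ValueError(f"{user.dn} is not a {opts.user_class} object")

    # Fast path: membership stored with the user, so no group scan is needed.
    if opts.membership_attr:
        stored = user.values(opts.membership_attr)
        if stored:
            return sorted(normalize_dn(g) for g in stored)

    # Otherwise compare every group's member attribute against the user.
    if opts.member_value_attr:
        wanted = {v.lower() for v in user.values(opts.member_value_attr)}

        def matches(value: str) -> bool:
            return value.lower() in wanted
    else:
        wanted_dn = normalize_dn(user.dn)

        def matches(value: str) -> bool:
            # Whole-DN equality only; never a prefix or substring match.
            return normalize_dn(value) == wanted_dn

    result = []
    for entry in directory:
        if opts.group_class.lower() not in (c.lower() for c in entry.values("objectClass")):
            continue
        if any(matches(v) for v in entry.values(opts.member_attr)):
            result.append(normalize_dn(entry.dn))
    return sorted(result)


# Constructed sample directory.
ALICE = Entry("uid=alice,ou=people,dc=example,dc=com",
              {"objectClass": ["inetOrgPerson"], "uid": ["alice"]})
DIRECTORY = [
    ALICE,
    Entry("uid=bob,ou=people,dc=example,dc=com",
          {"objectClass": ["inetOrgPerson"], "uid": ["bob"]}),
    # Group whose member attribute holds full DNs (the usual case).
    Entry("cn=vpn-users,ou=groups,dc=example,dc=com",
          {"objectClass": ["groupOfNames"],
           "member": ["UID=alice, OU=people, DC=example, DC=com",
                      "uid=bob,ou=people,dc=example,dc=com"]}),
    # Group whose membership is expressed by uid rather than DN.
    Entry("cn=admins,ou=groups,dc=example,dc=com",
          {"objectClass": ["posixGroup"], "memberUid": ["alice"]}),
    # Group that lists only bob; must never match alice.
    Entry("cn=auditors,ou=groups,dc=example,dc=com",
          {"objectClass": ["groupOfNames"],
           "member": ["uid=bob,ou=people,dc=example,dc=com"]}),
]

if __name__ == "__main__":
    print(groups_of(ALICE, DIRECTORY, LdapOptions()))
    print(groups_of(ALICE, DIRECTORY, LdapOptions(
        group_class="posixGroup", member_attr="memberUid", member_value_attr="uid")))
```

With Attribute Value of Member left empty, the DN stored in the group is compared as a whole against the user's DN, so a user whose DN merely starts with the same RDN is not matched. With Attribute Value of Member set to uid while the groups actually store DNs, the function returns an empty list: a mismatched setting fails closed instead of matching the wrong entries, which is the symptom to look for when group-based configuration does not apply after logon.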
Other LDAP Attributes

The other LDAP attributes defined above can be configured under the <LDAP-template> element in the HOB WebSecureProxy configuration. For more information see Section 36.13 The <LDAP-template> element.

39 Information and Support

If you would like further information about HOB RD VPN or other products from HOB, HOB Inc., HOB GmbH & Co. KG, or if you need product support, please contact us through the following numbers and addresses:

U.S.A. and Canada
General Enquiries:
Phone: + 1 866 914 9970
Fax: + 49 9103 715 3299
E-mail: [email protected]
Web: www.hobsoft.com
Technical Support:
Phone: + 1 866 914 9970
Fax: + 49 9103 715 3299
E-mail: [email protected]

Germany
General Enquiries:
Phone: + 49 9103 715 0
Fax: + 49 9103 715 3271
E-mail: [email protected]
Web: www.hob.de
Technical Support:
Phone: + 49 9103 715 3161
Fax: + 49 9103 715 3299
E-mail: [email protected]

Other Countries
General Enquiries:
Phone: + 49 9103 715 3103
Fax: + 49 9103 715 3299
E-mail: [email protected]
Web: www.hobsoft.com
Technical Support:
Phone: + 49 9103 715 3103
Fax: + 49 9103 715 3299
E-mail: [email protected]