Secure Global Desktop 4.40 Administration Guide > Security > Securing Connections Between Client Devices and SGD Servers
When securing connections between client devices and SGD servers, the following connections must be considered:
How you secure these connections is described in the following sections.
When SGD is first installed, the initial connection between an SGD Client and an SGD server is secure. However, after the user has logged in, the connection is downgraded to a standard connection. To be able to use secure connections permanently, you must enable SGD security services. You do this as follows:
An X.509 certificate allows an SGD server to identify itself to an SGD Client.
Note There are important security considerations regarding the types of X.509 certificate you can use.
Use the following command:
# tarantella security start
Secure connections between an SGD Client and an SGD server use a different port to standard connections. Secure connections use TCP port 5307 by default, but the port is configurable. You might have to configure your firewall to allow network traffic on this port. Alternatively, you can configure SGD for firewall forwarding, so that all connections to an SGD server use a single port, usually TCP port 443.
SGD security services only secure the connections between an SGD Client and an SGD server. To secure the connections between a web browser and the web server on the SGD host, HTTPS connections must be enabled in the web server. This connection is used for the webtop and for authentication to SGD (when the SGD Client is operating in Webtop mode). By default, the SGD Web Server is configured to be a secure web server and use the same security certificate as the SGD server.
To enable secure connections to the SGD Web Server:
Note You can use a separate X.509 certificate for the SGD Web Server if you prefer.
Use the following command:
# tarantella webserver restart --ssl
Every web server in an array of SGD servers must use the same HTTP or HTTPS port. You must not mix HTTP and HTTPS web servers in the same SGD array.
Once you enable secure connections to a web server, the URL in the client profile must be re-configured to an HTTPS URL.
Connection definitions are used to decide whether a secure connection or a standard connection is used between an SGD Client and an SGD server. The connection type can depend on the following factors:
Note If SGD security services are not enabled on a server, secure connections to that server are not available regardless of the user's connection definitions.
By default, the processing of connection definitions is enabled. If it is disabled, you enable it as follows:
Alternatively, use the following command:
$ tarantella config edit --security-applyconnections 1
If the processing of connection definitions is enabled, you can configure the connection definitions to determine which users receive standard or secure connections. You can configure connection definitions for organization objects, organizational unit objects, or user profile objects. The connection definitions for an organization can be overridden by the definitions for an organizational unit, and the definitions for an organizational unit can be overridden by the definitions for a user profile. By default, all users can receive secure connections if Secure Global Desktop security services are enabled.
You define connection definitions as follows:
The Connection Definitions table shows the definitions that are inherited from parent objects in the organizational hierarchy. It is best to create connection definitions for organization and organizational unit objects as this configures connections for many users at once and makes administration easier.
The order of the connection definitions is important. The first matching entry is used. Make sure the most specific definitions appear before more general ones.
On the command line, use the following command to configure connection definitions:
$ tarantella object edit --name obj --conntype type_spec...
Replace type_spec with a connection type specification of the form client:server:type, for example 192.168.5.*:*:STD. Use STD or SSL to configure a standard or secure connection. Separate each type_spec with the "pipe" character, "|".
Note Connection definitions can include the * or ? wildcards to match more than one DNS name or IP address.
The user profile object for Mulan Rouge has the following connection definitions:
| Client Device Address | SGD Server Address | Connection Type |
|---|---|---|
| *.indigo-insurance.com | * | Standard |
| * | * | Secure |
If Mulan logs in to SGD from her usual client device, fez.indigo-insurance.com, the first connection definition in the list matches and Mulan receives a standard connection.
If Mulan logs in to SGD from a client device that is not part of indigo-insurance.com, the second connection definition in the list matches and Mulan receives a secure connection.
If Mulan had no connection definitions, the connection type would be determined by the connection definitions of a parent object in the organizational hierarchy.
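The following Python model is an added illustration of how the type_spec format, the first-match rule and the organization/organizational unit/user profile fallback described above fit together; it is not SGD code and does not call the tarantella command. It assumes that `*` and `?` behave like shell-style wildcards, that DNS names are compared case-insensitively, and that the most specific object in the hierarchy that has any definitions at all supplies the list that is evaluated. The addresses and the `unreachable_definitions` check are constructed for the example; the guide only says that the first matching entry is used and that specific definitions should appear before general ones.

```python
"""Model of SGD connection-definition resolution (added illustration, not SGD code).

Assumptions (not stated by the guide): wildcards use fnmatch semantics,
DNS names compare case-insensitively, and the first object walking up from
the user profile that has any definitions supplies the list to evaluate.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

VALID_TYPES = {"STD", "SSL"}


@dataclass(frozen=True)
class ConnectionDefinition:
    client: str      # pattern for the client device address (DNS name or IP)
    server: str      # pattern for the SGD server address
    conn_type: str   # "STD" (standard) or "SSL" (secure)


def parse_conntype(spec: str) -> List[ConnectionDefinition]:
    """Parse a --conntype value such as '*.indigo-insurance.com:*:STD|*:*:SSL'."""
    definitions = []
    for entry in spec.split("|"):
        parts = entry.split(":")
        if len(parts) != 3:
            raise ValueError(f"bad type_spec {entry!r}: expected client:server:type")
        client, server, conn_type = (p.strip() for p in parts)
        conn_type = conn_type.upper()
        if conn_type not in VALID_TYPES:
            raise ValueError(f"bad connection type {conn_type!r}: use STD or SSL")
        if not client or not server:
            raise ValueError(f"empty address pattern in {entry!r}")
        definitions.append(ConnectionDefinition(client, server, conn_type))
    return definitions


def _matches(pattern: str, address: str) -> bool:
    # Assumption: DNS names are case-insensitive, so compare in lower case.
    return fnmatchcase(address.lower(), pattern.lower())


def first_match(definitions, client_addr, server_addr) -> Optional[ConnectionDefinition]:
    """Return the first definition matching both addresses (order matters)."""
    for d in definitions:
        if _matches(d.client, client_addr) and _matches(d.server, server_addr):
            return d
    return None


def resolve_connection_type(hierarchy, client_addr, server_addr) -> Optional[str]:
    """hierarchy: definition lists from most specific object to least specific
    (user profile, organizational unit, organization). The first object that
    has any definitions supplies them; its first matching entry decides.
    Returns None when nothing matches; the guide does not say what SGD does then."""
    for definitions in hierarchy:
        if definitions:
            d = first_match(definitions, client_addr, server_addr)
            return d.conn_type if d else None
    return None


def unreachable_definitions(definitions) -> List[int]:
    """Indexes of entries that can never match because an earlier entry is a
    catch-all ('*') or identical on both addresses. This is a sound but
    incomplete check: it flags only the obvious orderings, never a false one."""
    unreachable = []
    for i, later in enumerate(definitions):
        for earlier in definitions[:i]:
            client_covered = earlier.client == "*" or earlier.client == later.client
            server_covered = earlier.server == "*" or earlier.server == later.server
            if client_covered and server_covered:
                unreachable.append(i)
                break
    return unreachable


if __name__ == "__main__":
    # Constructed sample: Mulan Rouge's user profile definitions from the guide's table.
    mulan = parse_conntype("*.indigo-insurance.com:*:STD|*:*:SSL")
    server = "sgd1.indigo-insurance.com"          # constructed server address
    for client in ("fez.indigo-insurance.com", "laptop.example.net"):
        print(client, "->", first_match(mulan, client, server).conn_type)
    # Reversed order: the catch-all shadows the specific entry.
    print(unreachable_definitions(parse_conntype("*:*:SSL|*.indigo-insurance.com:*:STD")))
```

Running the script shows Mulan's usual client resolving to STD and any other client to SSL, and reports index 1 as unreachable when the catch-all entry is placed first, which is the ordering mistake the guide warns about.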
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.