HOB Remote Desktop VPN


Administration Guide
HOB Remote Desktop VPN green edition
Document Version: 1.1
Issue: September 2012

HOB GmbH & Co. KG
Schwadermühlstraße
Cadolzburg
Germany
support@hob.de

HOB, Inc.
Headquarters NY
245 Saw Mill River Road
Suite # 106
Hawthorne, NY 10532, USA
support@hobsoft.com

HOB RD VPN Software and Documentation

Disclaimer
All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOBLink RD VPN software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Trademarks
Microsoft Windows is a trademark of Microsoft Corporation. Linux is licensed under the GNU General Public License (GPL). In the United States, the name Linux is a trademark registered to Linus Torvalds. The trademark Linux is represented by the Linux Trademark Institute within the Linux Foundation. Most Linux distributions sign under the Free Software Foundation, and UNIX is a registered trademark of The Open Group. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Citrix, Citrix ICA, Citrix XenApp, Citrix Receiver for Java and other products are trademarks or registered trademarks of Citrix Systems, Inc. Mac OS and Apple are trademarks of Apple Inc., registered in the U.S. and other countries. All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Connectivity Solutions by HOB

Purpose of this Guide
This manual is designed to provide system administrators with detailed information about HOB RD VPN to help them decide where and when this product can be most effectively deployed in their enterprise network. This documentation contains descriptions of numerous possible scenarios and explains the required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions
This guide uses certain symbols and conventions to help the reader. These are explained below:
- The tip symbol indicates useful tips that can make your work easier.
- The information symbol indicates paragraphs with additional informative text.
- The warning symbol indicates an important tip or procedure that may result in major changes. Please consider carefully the consequences of any changes and settings you make here and make sure that the results correspond with your intentions.

Keys or key combinations are displayed in square brackets, for example [Space]. References to HOB RD VPN program commands and dialog boxes are printed in bold type, for example: Select the command Open. Options and push buttons that are selectable in a dialog box are printed in bold, for example: user defined. Cross-references to numbered section headings are marked in color, for example: Section 1 Introducing HOB RD VPN. Screen displays, file names, text and IP addresses to be entered by the user are displayed in the font Courier New. This input is, unless otherwise mentioned, case sensitive.

In this documentation, product names are abbreviated as follows:

Product name                                  Abbreviation
HOB Remote Desktop Virtual Private Network    HOB RD VPN
HOB WebSecureProxy                            HOB WSP


Contents

About This Documentation
1. Introducing HOB RD VPN
  Features of HOB RD VPN green edition
  Components of HOB RD VPN
2. HOB RD VPN Basic Concepts
  HOB RD VPN Navigation Screen
  HOB Administration Portal
  User Control
  HOB RD VPN Domains
  Multi-Tenancy
  Roles
  Global Administrator vs. Domain Administrator
  HOB WebSecureProxy
  Computer Cluster
3. Deployment Scenarios
  Default Deployment Configuration
  Cluster Deployment Configuration
HOB RD VPN Installation
  System Requirements for Installation
  Prerequisites for Installation - Single Node and Cluster
  Starting the HOB RD VPN Installer - Single Node and Cluster
  HOB RD VPN Installation - Single Node and Cluster
  Cluster Member Installation
  Testing the Installation
  Uninstallation
HOB RD VPN Navigation Screen
  Portlets
  User Settings
HOB RD VPN Administration
  Administration Access as a Domain Administrator
  Administration Access as a Global Administrator
Multi-Tenancy
  Default Domain Configuration after Installation
  7.2. Using an Integrated Directory Service
  Using an External Directory Service
  Using Remote Access Servers as the Authentication Service
  Using Kerberos as the Authentication Service
  Kerberos Single Sign-on
  HOB LDAP Scheme Extension
Roles and Users
  Configuring Roles and Users in HOB WebSecureProxy
  Configuring Roles and Users in HOB RD VPN Administration
  Using the Configure Button
HOB RD VPN Web Server Gate - Intranet Access
  Configuring the HOB RD VPN Web Server Gate
  Using the HOB RD VPN Web Server Gate
  HOB Single Sign-on - Auto Logon to Intranet Servers
Remote Desktop Access using ICA
  Installing HOB RD VPN for Remote Desktop Access with ICA
  Configuring Remote Desktop Access with ICA
  Implementing Single Sign-on for access using ICA
  Using ICA for Remote Desktop Access
HOB RD VPN Web File Access
  Configuring HOB RD VPN Web File Access
  Using HOB RD VPN Web File Access
Internal Network Adapter
  Installing the Internal Network Adapter / TUN Driver
  Configuring the Internal Network Adapter
Network Access using the HOB PPP Tunnel
  Installing the HOB PPP Tunnel
  Network Address Translation
  Configuring the HOB PPP Tunnel using Crosswise NAT
  Configuring the HOB PPP Tunnel using Dynamic NAT
  DNS
  Exclude DNS
  Assigning the Server List
  Creating a HOB PPP Tunnel Portlet on the Navigation Screen
  Using the HOB PPP Tunnel
14. HOB Compliance Check
  Configuring the HOB Compliance Check
  Using the HOB Compliance Check
HOB Target Filters
  Configuring Target Filters
  Using Target Filters
Security Checks
  Server Firewall Ports
  Logging
Standards, Acronyms & Frequently Asked Questions
  Standards used in HOB RD VPN green edition
  Acronyms used in HOB RD VPN green edition
  FAQ - Frequently Asked Questions
XML Configuration for HOB Web Server Gate
  Example HOB Web Server Gate Configuration
XML Configuration for the HOB WebSecureProxy
  Root Element and XML declaration
  Objects of the Root Element - the <general> element
  The <connection> element
  The <authentication-library-object> element
  The <server-list> element
  The <L2TP-gateway> element
  The <raw-packet-interface> element
  The <service> element
  The <user-group> element
  The <Kerberos-5-KDC> element
  The <radius-group> element
  The <LDAP-service> element
  The <LDAP-template> element
  The <target-filter> element
  The <cluster> element
  The <client-side-ssl> element
  The <OCSP-section> element
  The <configuration-parameters> element
  The <background-task> element
  The <server-data-hook> (SDH) element
Appendix: Examples of Server Data Hook Configurations
  The Webserver and WebServerGate SDH (xl-sdh-webserver-01)
  The Kerberos Ticket Service SDH (xl-sdh-krb5ts1-01)
  The EA to LDAP SDH (xl-sdh-ea-ldap-01)
  The Compliance Check SDH (xl-sdh-compl-check-01)
  The Dynamic NAT PPP Tunnel SDH (xl-sdh-ppp-pf-05)
  The SOCKS SDH (xl-sdh-sock5-01)
Information and Support

About This Documentation
This is a comprehensive product documentation created to describe all of the procedures involved in installing, configuring and handling the HOB RD VPN software. It does not contain descriptions of functions that are not part of the HOB RD VPN package. Information concerning functions of third-party products may be obtained from the corresponding user manuals of those products. It is assumed that you, the reader of this manual, are an experienced IT administrator, familiar with the concepts of network administration and with elementary knowledge of Java technology.

This document describes all topics of HOB RD VPN related to installation, administration and configuration. Chapters 1 and 2 give an introduction to HOB RD VPN, a description of the basic concepts, and the features and components that it contains. Following this, there are four main areas:
- The first section provides detailed, systematic guidance for the installation of the product (chapters 3 and 4).
- The second section is a reference manual that describes the administration and advanced features of HOB RD VPN (chapters 5 to 8).
- The third section provides information on establishing connections to other computers and networks and using the features of HOB RD VPN (chapters 9 to 16).
- The fourth section provides additional information on security checks (chapter 17).
There is also an FAQ section and a reference of the XML configuration parameters, with examples and an appendix (chapters 18 to 21).

This product documentation is automatically installed together with the main component of HOB RD VPN, the HOB WebSecureProxy. We recommend that you print this document on a color printer, or view it in zoom mode (150% or more), as it contains reproductions of display icons.

As the administrator of HOB RD VPN for your company, you must ensure that every user has been successfully authenticated before any action that HOB RD VPN defines as being for authenticated users only is allowed. The security functions you use must control the access of subjects or users to the resources of all Web and Remote Desktop servers on the basis of identity. The security functions must also allow you and the other administrators to specify which users or subjects are allowed to access a specific named object, and in which access mode. Please bear in mind that HOB cannot prepare a solution that is applicable to every possible system configuration or environment. For this reason HOB can certify only the components of this product, meaning that HOB cannot be held liable for situations that are outside the scope of this product, and therefore out of the control of HOB.


1. Introducing HOB RD VPN
HOB RD VPN green edition is a software solution specially designed to give you secure remote access over the Internet to the resources in your corporate network. This innovative HOB RD VPN software solution enables fast and secure access to all your business data and applications from any place in the world. It delivers your Intranet, enterprise servers or office PC to you and your employees at the push of a button, whether you are at home, in a hotel or at the airport.

Features of HOB RD VPN green edition
The following special features have been developed for HOB RD VPN green edition:

Clustering Support for 100 users
Clustering support is available for HOB RD VPN green edition. It includes both High Availability and Load Balancing across the servers of your enterprise, for up to 100 simultaneous users.

Multi-Tenancy
HOB RD VPN supports more than one authentication service and configuration storage, allowing multiple domains to be used simultaneously on the same machines.

Access and Rights
These include a Compliance Check and Role Assignment for your users. HOB RD VPN introduces a role-based concept with advanced Compliance Check functionality and a flexible concept for user authentication and configuration.

PPP Tunnel
The HOB PPP Tunnel supports dynamic mode and private IP addresses, and includes all required components. An external L2TP service is not required.

Third-party software support
HOB RD VPN supports connections to the ICA WebPortal with the Citrix Receiver for Java.

Components of HOB RD VPN
The scope of delivery of HOB RD VPN consists of a range of different complementary components and features:

HOB Integrated Components
These are the software components that are integral to the functioning of HOB RD VPN and are installed automatically.

HOB WebSecureProxy
HOB WebSecureProxy (WSP) is the server component of HOB RD VPN. It is the central configuration point for all features and functionality of HOB RD VPN.

Integrated Directory Service
This component provides the central user management. You can use this integrated directory service or your own established directory service for the storage of all configuration data and as the authentication service for all users and resources using HOB RD VPN. After installation the integrated directory service is used as the default service.

HOB Portlets
Portlets are the applications that HOB RD VPN uses to execute the required tasks. They are installed automatically.

HOB RD VPN Web Server Gate
The HOB RD VPN Web Server Gate provides secure access to the intranet servers and can be used to access any available web service.

HOB RD VPN Web File Access
This component enables remote access to file servers. HOB RD VPN Web File Access is a browser-based file manager that connects over SMB/CIFS to any available share in the internal network.

HOB PPP Tunnel
The HOB PPP Tunnel provides secure, transparent network access to the complete enterprise network.

User Settings
This portlet allows the configuration of bookmarks and other settings for the users.

Administration
This portlet allows quick and direct access to the HOB RD VPN administration interface.

HOB Integrated Features
These features are also included with the installation of HOB RD VPN and provide added functionality to complement that of the core components.

Compliance Check
This is a further security measure designed to verify the state of the connecting clients. It can be used to ensure that only clients that meet the central security requirements can connect to the internal network.

ICA Support
HOB RD VPN can be used to secure remote ICA connections. It allows the use of the Citrix WebPortal and the Citrix Receiver for Java in a secure way.

Optional Components
The following components are also delivered as part of HOB RD VPN, but are not part of the RD VPN installation. They add extended functionality and can be installed on your target server, on the client system, or separately.

Target Server Components
HOBLink Security Manager
This component utilizes the HOB Certification Authority to administer security certificates for your system (this component should not be installed on the target server).

Client System Components
Anti Split Tunneling
This extra security feature restricts systems to using only specified, known connections. It is most often used in conjunction with the HOB PPP Tunnel, where it blocks connections to destinations outside the HOB PPP Tunnel.

Additional HOB Solutions
The following are HOB solutions that are not delivered with HOB RD VPN but can be purchased additionally. They add extra functionality and usability, as set out by the needs of your enterprise, and integrate with all other components of HOB RD VPN.

HOB Secure Communication Server
HOB SCS is the proprietary operating system designed exclusively for use with HOB RD VPN. It is a stable, hardened platform that provides a simple, secure and efficient way to implement the HOB RD VPN security solution.


2. HOB RD VPN Basic Concepts
HOB RD VPN allows you to connect from a client machine over the web to an access gateway, and this gateway then permits you to access your desired target systems and servers. This process is shown graphically here:

Figure 1: HOB RD VPN Access to Target System

You can access HOB RD VPN with any standard browser (some integrated components need a Java-enabled browser).

2.1. HOB RD VPN Navigation Screen
After a successful logon, as a user you have access to the HOB RD VPN Navigation Screen. The Navigation Screen consists of different portlets, each of which enables different applications or functionalities.

Figure 2: HOB RD VPN Navigation Screen

2.2. HOB Administration Portal
The HOB Administration Portal gives you, as the Global Administrator, access to the administration interface, where you configure the whole HOB RD VPN installation. Only Global Administrators can access the Administration Portal and administer the HOB WebSecureProxy. Domain administrators have a more limited administrative access: they can administer only their own domains, not the full HOB RD VPN installation.

2.3. User Control
HOB RD VPN introduces much tighter definitions of what a user really is and what their roles should be. Each user has different tasks, objectives and responsibilities. As such, each user has different requirements of the network, and so different permissions for using resources to achieve these objectives. No enterprise can function without its users, and these users cannot function without clearly defined tasks or roles within the enterprise. HOB RD VPN not only gives you a means to manage all of these items, but also allows you to administer the elements of your network to better suit your users.

Figure 3: HOB RD VPN User Control

A modern enterprise network is made up of multiple servers, numerous workstations, and innumerable other hardware and software devices. The administration of all of these entities is a priority for any enterprise wishing to maximize efficiency. These resources, as well as the users, are administered together as domains.

2.4. HOB RD VPN Domains
A domain is the organization of which your system and the data within that system are members. The data in your system can be organized into domains according to the needs of the enterprise, and each enterprise can have multiple domains depending on what they want from their data and what they want to achieve with it. Multiple client organizations (or tenants) are served by a single instance of the HOB RD VPN software, a form of software architecture that is often referred to as multi-tenancy. In HOB RD VPN multiple users share the same application, running on the same operating system, on the same hardware, with the same data-storage mechanism. The separation between tenants is built into the application design: users of one domain cannot share or see data from another domain, as each domain works with a customized virtual application instance. Each domain in HOB RD VPN stands for an independent tenant.

Each HOB RD VPN domain consists of two elements:

Authentication Service
The authentication service defines the backend that is used to authenticate the users of a specific domain. It can use Kerberos, the integrated directory service, an external (LDAP-compliant) directory service or RADIUS servers.

Configuration Storage
The configuration storage is used to store the configuration information of the domain users. It can use the integrated directory service or an external (LDAP-compliant) directory service.

If an external directory service is used to store the HOB RD VPN configuration, you need to add the HOB Scheme Extension to that service.

This table shows the possible combinations of authentication service and configuration storage:

Authentication Service        Configuration Storage            Note
Integrated directory service  Integrated directory service     Default after installation
Kerberos                      Integrated directory service
Kerberos                      External directory service       HOB scheme extension required
External directory service    Integrated directory service
External directory service    Same external directory service  HOB scheme extension required
RADIUS                        Integrated directory service
RADIUS                        External directory service       HOB scheme extension required

Table 1: Possible Authentication Service and Configuration Storage combinations

Integrated Directory Service
A fully LDAP-compliant directory service is included in HOB RD VPN. HOB RD VPN uses it to store internally all the HOB RD VPN settings and configurations used by your network (this is done in the dc=internal,dc=root tree). The integrated directory service can also be used as the authentication service and configuration storage of a domain (see the next chapter for more information). Immediately after installation the integrated directory service is used as the authentication service and configuration storage for the users created during installation. A domain is therefore created automatically on installation to hold these users: dc=hobsoft,dc=root. The Global Administrator can add additional domains to the integrated directory service (e.g. dc=example,dc=root) or use the integrated directory service only as authentication service or only as configuration storage. If it is used as configuration storage, the domain part is created automatically. It is also possible to enable an auto-creation feature, where every successfully authenticated user is automatically created in the domain tree of the integrated directory server. This also applies to the groups the user belongs to, even when an external LDAP server is used as the authentication service.

This component handles all of the central user management and integrates the HOB software into your existing enterprise infrastructure. This dedicated directory service object management server is included as a constituent part of HOB RD VPN to make the management and administration of access rights and permissions of workstations and users much simpler.

HOB Directory Services Scheme Extension
The directory services scheme defines the attributes and classes used in your directory services. The base scheme included in the system contains a set of class definitions such as user, computer and organizationalunit, and attribute definitions such as username, telephonenumber and objectsid. The existing set of classes and attributes will be sufficient for most applications. However, the scheme is extensible, which means that you can define new classes and attributes. If the existing classes and attributes do not fit the type of data you want to store, you should extend this scheme. If an external LDAP directory service is used as the configuration storage, the scheme extension has to be applied. The HOB scheme extensions are located in: INSTALLDIR\HOB\RD VPN-\LDAP-schema-extensions. Scheme additions are permanent; you can disable classes and attributes, but you can never remove them from the scheme.

2.5. Multi-Tenancy
HOB RD VPN can be configured to use multiple domains, so it is possible to use one HOB RD VPN installation to authenticate users from different domains. In this way HOB RD VPN provides a multi-tenant capability, where each domain stands for an independent tenant. It is possible to separate these domains completely so that every domain uses its own configuration (e.g. domain 1 can only access resources assigned to domain 1, domain 2 can only access resources assigned to domain 2, and users of either domain cannot access resources assigned to the other). If required, configuration can also be shared between domains (e.g. different domains may be assigned access to the same target system). There can be many different reasons for using the multi-tenancy feature besides connecting different companies: it can also be used to support different departments within a company, or to allow customers or suppliers access to special services without needing to add them to the integrated directory service.

Multi-tenancy refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants). It is contrasted with a multi-instance architecture, where separate software instances (or hardware systems) are set up for different client organizations. With a multi-tenant architecture, a software application is designed to virtually partition its data and configuration, and each client organization works with a customized virtual application instance. Multi-tenancy is also regarded as one of the essential attributes of cloud computing.

2.6. Roles
A role is the set of tasks each user and each hardware or software item is assigned to do. As with a domain, users have different roles within the enterprise. The logon determines the roles to which each user is assigned within that domain. There are requirements for each role that must be fulfilled in order to be authenticated for the role (not just entering a username and password). These requirements might be the selected domain, user name, group membership, a positive compliance check, etc. Once authenticated for the role, having therefore fulfilled the requirements, the user is authorized to carry out certain pre-assigned functions using the resources within the system. Features that can be assigned to roles include:
- the list of portlets that each user can access
- the list of servers (Server List) that each user can access
- selection of a target filter
- session time limits before an automatic logout
- GUI scheme display, background color, title banner, etc.
- other settings such as browser caching, etc.

Each user has a role, and this role specifies their permissions and capabilities within the system. These can be configured through the User Roles configuration dialog, shown here:

Figure 4: HOB WSP Administration User Roles - Normal User

Role Priority
Users can have several roles assigned to them. Roles are prioritized from 1 to 100, with 100 being the highest priority, so that when a user logs in, HOB RD VPN tries to assign the highest-priority role to the user. If the requirements of the role with the highest priority are not fulfilled, it moves on to the role with the next highest priority.
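The role-priority rule just described, together with the per-domain separation described under Multi-Tenancy, can be written down as a small resolver. The following is an added example written for this page, not HOB code; the class names, the sample domains, groups, portlet names and target server names are all assumptions. It picks the highest-priority role whose requirements the logon fulfils (domain, group membership, compliance result), falls back to the next role when a requirement fails, refuses the logon when no role matches, and only allows targets that are on the assigned role's Server List, so a user of one domain can never reach a target assigned only to another domain.

```python
# Added example (not HOB code): role resolution by priority, plus the
# per-domain resource separation described under Multi-Tenancy.
# All class names, sample domains, groups and target names are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    priority: int                         # 1..100, 100 is the highest
    domain: str                           # DN of the domain (tenant) the role belongs to
    required_groups: FrozenSet[str] = frozenset()   # all must be present at logon
    requires_compliance: bool = False     # positive compliance check needed
    portlets: Tuple[str, ...] = ()
    server_list: Tuple[str, ...] = ()     # targets members of this role may reach
    session_timeout_min: int = 60         # automatic logout after this many minutes

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 100:
            raise ValueError(f"role {self.name}: priority must be 1..100")


@dataclass(frozen=True)
class LogonContext:
    user: str
    domain: str                           # the domain selected at logon
    groups: FrozenSet[str]                # memberships from the authentication service
    compliance_passed: bool               # result of the compliance check, if any


def role_requirements_met(role: Role, ctx: LogonContext) -> bool:
    """Every requirement of the role must hold; a role never crosses domains."""
    if role.domain != ctx.domain:
        return False
    if not role.required_groups <= ctx.groups:
        return False
    if role.requires_compliance and not ctx.compliance_passed:
        return False
    return True


def resolve_role(roles: Iterable[Role], ctx: LogonContext) -> Optional[Role]:
    """Return the highest-priority role whose requirements the logon fulfils.

    Roles are tried from priority 100 downwards; the first match wins. Roles of
    equal priority are tried in definition order (an assumption: the page does
    not say how ties are broken). None means no role applies and the logon is
    refused.
    """
    for role in sorted(roles, key=lambda r: r.priority, reverse=True):
        if role_requirements_met(role, ctx):
            return role
    return None


def may_access(role: Optional[Role], target: str) -> bool:
    """A target is reachable only if it is on the Server List of the assigned role."""
    return role is not None and target in role.server_list


# Constructed sample configuration: two tenants with separate target servers.
ROLES = (
    Role("hobsoft-admin", 90, "dc=hobsoft,dc=root",
         required_groups=frozenset({"admins"}), requires_compliance=True,
         portlets=("Administration", "WebFileAccess", "PPPTunnel"),
         server_list=("rds01.hobsoft.internal", "files.hobsoft.internal"),
         session_timeout_min=30),
    Role("hobsoft-user", 50, "dc=hobsoft,dc=root",
         portlets=("WebFileAccess",),
         server_list=("rds01.hobsoft.internal",)),
    Role("example-user", 50, "dc=example,dc=root",
         portlets=("WebFileAccess",),
         server_list=("rds01.example.internal",)),
)


def logon(user: str, domain: str, groups: Iterable[str],
          compliance_passed: bool) -> Optional[str]:
    """Return the name of the assigned role, or None if the logon is refused."""
    ctx = LogonContext(user, domain, frozenset(groups), compliance_passed)
    role = resolve_role(ROLES, ctx)
    return role.name if role else None


if __name__ == "__main__":
    # alice is in the admins group, but her device failed the compliance check:
    # she drops to the next role, and that role cannot reach the other tenant's host.
    ctx = LogonContext("alice", "dc=hobsoft,dc=root", frozenset({"admins"}), False)
    role = resolve_role(ROLES, ctx)
    print(role.name,
          may_access(role, "rds01.hobsoft.internal"),
          may_access(role, "rds01.example.internal"))
```

The point worth noting is the fall-through: a failed compliance check does not refuse the logon outright, it demotes the user to the next role whose requirements still hold, which is exactly why the lower-priority roles must carry a correspondingly smaller Server List.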

2.7. Global Administrator vs. Domain Administrator
A clear distinction must be made between the administrator of the complete system where HOB RD VPN is installed (the Global Administrator) and an administrator who has rights to administer only one domain (the Domain Administrator).

Global Administrator
During installation you have to create a global administrator. This global administrator has full access rights to the whole HOB RD VPN installation. After installation additional global administrators can be added. Global administrators are the only users that can administer and configure HOB RD VPN itself. After installation:
- Global administrators are the only users that can log on to the global administration interface.
- Global administrators can configure all resources and users in the complete system (dc=internal,dc=root) as well as users in the default domain (dc=hobsoft,dc=root).
- Global administrators cannot log on to the HOB RD VPN User Portal.

Domain Administrator
A domain administrator cannot configure the HOB RD VPN installation itself. The domain administrator can configure user settings within their own domain. If you are using the tenant functionality, the global administrator can delegate the user configuration to the domain administrators within the domains. After installation:
- Domain administrators can configure users in the default domain (dc=hobsoft,dc=root).
- Domain administrators can log on to the HOB RD VPN portal and access the Administration portlet.
- Domain administrators cannot log on to the global administration interface.

2.8. HOB WebSecureProxy
The HOB WebSecureProxy (WSP) is the integrated server component of HOB RD VPN. It is the central collection point for queries coming over the Internet from clients and is installed automatically as part of the HOB RD VPN installation process.

The HOB WSP is located in the DMZ to protect your servers effectively from direct access over the Internet and to forward the queries to the target servers. Authentication is performed over a browser with an SSL / HTTPS connection to the HOB WSP, so the authentication exchange itself is encrypted. The HOB WSP also has an integrated OCSP (Online Certificate Status Protocol) interface, enabling client SSL certificates to be checked for validity (revocation status).

The HOB WSP ensures that access is secured according to the following criteria:
- Confidentiality: the data cannot be read by anyone who is unauthorized.
- Integrity: the data cannot be manipulated by anyone who is unauthorized.
- Authenticity: before any exchange of data, each participant in the exchange must prove their identity during logon. Access is denied to anyone who is not authorized.

All communication between the HOB WSP and the client is SSL encrypted, while the WSP communicates with the server side without using SSL, so traffic on the internal leg between the WSP and the target servers is not protected by the WSP's SSL layer. Data traffic takes place over the configurable port 443, which is enabled by default in most firewalls. A connection to the HOB WSP on port 80 is automatically redirected to port 443 (these are the default ports; you may choose other ports if you wish).

Where your system consists of multiple HOB WSP servers in a cluster, these can be added to and removed from the cluster according to your needs. All internal data is distributed across the cluster with load balancing, so that when a client logs on to any HOB WSP in the network, the session is automatically registered with all HOB WSPs in the cluster, and none is overloaded.

The WebSecureProxy should be installed on a separate machine that does not allow direct access for unprivileged users and that does not host any other production services such as database servers or alternative web servers (apart from the integrated server components of the WSP). Logical access to this machine is restricted to authorized administrators.

2.9. Computer Cluster
A computer cluster is a group of linked computers working together closely to effectively form a single server. The cluster members (commonly called nodes) are connected to each other through the local area network of your enterprise.

The cluster is generally deployed to improve performance and availability over that of a single computer, while typically being much more cost-effective than a single computer of comparable speed or availability. High-availability (or failover) clusters are implemented primarily to improve the availability of the services that the cluster provides. They operate by having redundant nodes, which are used to provide service when system components fail. The most common size for a high-availability cluster is two nodes, the minimum required to provide redundancy. Load balancing is the distribution of the computing workload over a number of linked computers that function as a single virtual computer. Requests initiated by users are managed by and distributed among the standalone computers that form the cluster. This results in balanced computational work among the machines, improving the performance of the cluster. With HOB RD VPN the advantages of clustering are gained by implementing several servers that together act as WebSecureProxies, avoiding a single point of failure for the central component.

Advantages of the HOB RD VPN Cluster
The following are some of the advantages that accrue through the employment of a computer cluster:
- All nodes are members with equal status, so the cluster is reliable because there are no state switches (active/passive, master/slave).
- No additional hardware is required.
- A cluster is easy to deploy; only the DNS records and HOB RD VPN require configuration.
- A geo-cluster is possible, where the linked computers need not be in the same geographical location.
- Very fail-safe.
- Easy to add and remove cluster members.
- Very efficient load balancing.
- Small overhead for synchronization.
- Uses high-availability mechanisms that are integrated in the browser itself.


3. Deployment Scenarios

HOB RD VPN is designed to be installed in the DMZ between the Internet and the internal network. It can also be deployed in a number of different configurations to take account of differing infrastructures. The most common deployments are described here.

3.1. Default Deployment Configuration

HOB RD VPN has a default deployment that is described in the illustration below:

Figure 5: Default Deployment Configuration Scenario

Clients connect over the Internet to HOB RD VPN using a secure SSL encrypted connection (typically a browser-based HTTPS connection), with HOB RD VPN acting as a gateway for this connection. Once this (external) connection has been established, one or more internal connections are also created. This gives the client the possibility to reach their configured targets (e.g. Windows Remote Desktop Services, Web File Access).

You must deploy a server inside the DMZ where HOB RD VPN can be installed. Additionally you need to have two ports configured. One port is used for the connections from the clients and is by default port number 443 (this port is used as standard for all HTTPS connections). The second port is used for the administration interface and is the default port number. This server cannot have any other connections on the network ports 389, 4444, 8080 and

For the default scenario illustrated above you need to allow connections on port 443 from the Internet to the server where HOB RD VPN is installed. You also need to allow connections from the HOB RD VPN server to the targets inside your private network.
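The port and firewall requirements above can be verified on the DMZ server before the installer is started. The following Python script is an added example and is not part of the HOB documentation or product: it probes whether the ports the default deployment needs (443 for clients, the administration port, and 389, 4444 and 8080, which nothing else may use) are free, and whether a target inside the private network can be reached from the server. The administration port value 8443 and the target 192.0.2.10:3389 in the demo are constructed placeholders.

```python
"""Pre-installation port check for a HOB RD VPN default deployment.

Added example, not HOB's installer. It mirrors the requirements stated above:
port 443 must be free for client connections, the administration port must be
free, and nothing else may listen on ports 389, 4444 and 8080 on the server.
Run it with the privileges the installer will have, because binding ports
below 1024 without them fails and would be reported as "in use".
"""
import socket

# Ports the default deployment needs on the HOB RD VPN server (from the text
# above). The administration port is configurable and therefore a parameter.
CLIENT_PORT = 443
RESERVED_PORTS = (389, 4444, 8080)


def port_in_use(port, host="127.0.0.1"):
    """Return True if host:port already has a listener.

    A plain bind() attempt is used on purpose: SO_REUSEADDR is not set, because
    on Windows it would let the probe bind beside an existing listener and
    report the port as free.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return True
    return False


def required_ports(admin_port):
    """All local ports that must be free before the installer runs, sorted."""
    return sorted({CLIENT_PORT, admin_port, *RESERVED_PORTS})


def check_server_ports(admin_port, host="127.0.0.1"):
    """Map every required port to whether it is currently in use on the server."""
    return {p: port_in_use(p, host) for p in required_ports(admin_port)}


def conflicting_ports(admin_port, host="127.0.0.1"):
    """Ports that are already taken and therefore block the installation."""
    return sorted(p for p, used in check_server_ports(admin_port, host).items() if used)


def target_reachable(host, port, timeout=2.0):
    """Check that the RD VPN server can open a TCP connection to an internal
    target, i.e. that the firewall allows the server-to-target direction
    described above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_listener(host="127.0.0.1", port=0):
    """Open a listening TCP socket; used to demonstrate detection of a busy port
    (port 0 lets the OS pick a free one). The caller closes it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen(1)
    return listener


if __name__ == "__main__":
    ADMIN_PORT = 8443  # constructed placeholder; use the port chosen at install time
    print("ports in use:", conflicting_ports(ADMIN_PORT) or "none")
    # Demonstrate detection with a listener the script opens itself.
    demo = open_listener()
    busy = demo.getsockname()[1]
    print(f"port {busy} in use: {port_in_use(busy)}")
    demo.close()
    # Constructed target address (documentation range) and the standard RDP port.
    print("target reachable:", target_reachable("192.0.2.10", 3389, timeout=0.5))
```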

3.2. Cluster Deployment Configuration

A cluster consists of a collection of interconnected computers used to create a common resource pool of servers for the computing needs of your enterprise. To set up a cluster, install more than one HOB RD VPN server in the DMZ between the Internet and the internal network. The HOB RD VPN cluster feature supports both High Availability (HA) and Load Balancing.

Figure 6: Example Cluster Deployment Configuration Scenario

For this deployment you will need two official IP addresses for each cluster member or node: one address for the connection to the cluster (the primary connection) and one address for the user portal (the secondary connection). Once these have been created, other networks can use either of these network adapters. You have to configure the external DNS server according to this scenario.

Example of IP address assignments:

Cluster Node     Cluster DNS Name     Cluster IP Address   Cluster Node DNS Name   User Portal IP Address
cluster node 1   rdvpn.example.com                         rdvpn1.example.com
cluster node 2   rdvpn.example.com                         rdvpn2.example.com
cluster node 3   rdvpn.example.com                         rdvpn3.example.com

Table 2: Example Cluster Deployment IP Address Configuration

For best practice, at least three network interfaces should be configured: a user portal, a cluster connection and a synchronization connection. An administration connection can also be created (this administration connection may also be published on the Internet, if necessary, but only if it abides by the security conventions of your company). For the synchronization of the data, either of the two IP addresses of each node, or another address that you set aside for this purpose, can be used to synchronize the state of the HOB RD VPN nodes with each other.

Following the example cluster deployment above, the cluster uses the URL rdvpn.example.com as its location, and this URL points to the three cluster member IP addresses.

Figure 7: Example Cluster Deployment Configuration Scenario

In this diagram you can see how the components of a cluster interact with one another (three cluster components are shown for clarity). The user wishes to access the computer cluster over the Internet using the address rdvpn.example.com. This address connects to the servers present in the cluster, rdvpn1.example.com, rdvpn2.example.com and rdvpn3.example.com, all of which are located in the DMZ. The computer rdvpn1.example.com can be accessed through the cluster and also directly over the user portal from the Internet using rdvpn1.example.com as the address. There must also be a direct connection between each member of the cluster for synchronization purposes. This connection can use either the IP address of the cluster members or an IP address set aside for this purpose.

The following table shows this external example DNS configuration:

DNS Entry            IP Address Entry
rdvpn.example.com
rdvpn1.example.com
rdvpn2.example.com
rdvpn3.example.com

Table 3: Example Cluster Deployment IP Address Configuration

The process is as follows:

1. The client connects to e.g. rdvpn.example.com and receives a configured IP address for each node in the cluster. The client receives these configured IP addresses in a specific order as set by the DNS server, generally on a round robin basis.
2. HOB RD VPN now connects the client to the first of these IP addresses. If this system is unavailable, then the second IP address is tried, and so on until a connection is made. Only in the exceptional circumstance of no IP address being available, or no response being obtained, will the connection fail.
3. When a connection is successful, the HOB RD VPN cluster node redirects this client to the second IP address of that node. In our example, if the first cluster node is unavailable but the second responds, then the connection is made from rdvpn.example.com with the IP address of the responding node, which then redirects to rdvpn2.example.com and its user portal IP address, where the work is done.
4. This is the IP address that the client can now use for all following requests.

The format of the names used for the cluster is optional, depending on the requirements of the system in use. For example, according to the conventions of your company, cluster1.example.com could point to cl1.hobrdvpn.example.com, member1.example.com or another.hobrdvpn.example.com.
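The four-step sequence above can be followed in code. The following Python simulation is an added example, not HOB code: a round-robin DNS answers for rdvpn.example.com, the client works through the returned cluster addresses in order, and the first node that responds redirects the client to its own user portal name. The host names are those of the example above; the IP addresses (taken from the 192.0.2.0/24 documentation range) and the node availability are constructed for the demo.

```python
"""Simulation of the HOB RD VPN cluster connection sequence (steps 1-4 above).

Added example, not HOB code. Host names follow the example in the text; the IP
addresses (192.0.2.0/24, a documentation range) and which node is down are
constructed for this demo.
"""
from dataclasses import dataclass


@dataclass
class ClusterNode:
    """One cluster member with its two official addresses."""
    cluster_ip: str      # primary connection, published under the cluster name
    portal_name: str     # secondary connection, e.g. rdvpn1.example.com
    portal_ip: str       # user portal address the node redirects to
    available: bool = True


class RoundRobinDns:
    """External DNS as described above: the cluster name resolves to every
    node's cluster IP, and the order rotates on each query (round robin)."""

    def __init__(self, cluster_name, nodes):
        self.cluster_name = cluster_name
        self.nodes = list(nodes)
        self._rotation = 0

    def resolve(self, name):
        if name == self.cluster_name:
            ips = [n.cluster_ip for n in self.nodes]
            k = self._rotation % len(ips)
            self._rotation += 1
            return ips[k:] + ips[:k]
        for node in self.nodes:
            if node.portal_name == name:
                return [node.portal_ip]
        raise LookupError(f"unknown name {name}")


def connect_to_cluster(dns, cluster_name):
    """Step 1: resolve the cluster name; step 2: try each address in DNS order
    until one responds; step 3: the responding node redirects the client to its
    user portal address; step 4: that address serves all further requests."""
    by_cluster_ip = {n.cluster_ip: n for n in dns.nodes}
    tried = []
    for ip in dns.resolve(cluster_name):
        tried.append(ip)
        node = by_cluster_ip[ip]
        if node.available:
            return {"tried": tried, "portal": node.portal_name, "portal_ip": node.portal_ip}
    # Only when no node responds at all does the connection fail.
    raise ConnectionError(f"no node of {cluster_name} responded; tried {tried}")


def example_cluster(node1_available=False):
    """The three-node example above; node 1 is down by default to reproduce
    the failover case described in step 3."""
    return [
        ClusterNode("192.0.2.1", "rdvpn1.example.com", "192.0.2.11", node1_available),
        ClusterNode("192.0.2.2", "rdvpn2.example.com", "192.0.2.12"),
        ClusterNode("192.0.2.3", "rdvpn3.example.com", "192.0.2.13"),
    ]


if __name__ == "__main__":
    dns = RoundRobinDns("rdvpn.example.com", example_cluster())
    for _ in range(3):  # three logons show the rotating DNS order and the failover
        print(connect_to_cluster(dns, "rdvpn.example.com"))
```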

4. HOB RD VPN Installation

This section outlines the requirements that must be met before HOB RD VPN green edition can be installed, and also the installation process itself.

4.1. System Requirements for Installation

HOB RD VPN green edition is available for the following platforms:

- Microsoft Windows (x86, EM64T)

HOB RD VPN green edition is also designed to be used with other client operating systems that have a Java 1.6 or newer enabled browser (it is possible to use Java 1.5 but this is not recommended). This is the ONLY requirement on the client side.

System Requirements

- At least 512 MB RAM
- At least 1 GHz CPU
- Approximately 450 MB of hard disk space (this value is for a typical installation and depends on the operating system in use)

It is the responsibility of the server administrator to ensure that the operating system in use is adequately configured and updated with the latest patches and releases for the most efficient operation, and to minimize the risk of exploitation or attacks from external sources.

4.2. Prerequisites for Installation - Single Node and Cluster

The following prerequisites are required to install HOB RD VPN green edition on your network system:

Preparing the Base Operating System

The operating system has to have the latest available security patches applied. The internal and external firewalls have to be properly configured. The DNS system must also be configured for HOB RD VPN.

As HOB RD VPN needs certain ports to be open for communication with the connecting clients, you must ensure that these are not currently also in use on the target operating system. Additionally, some internal ports will also be opened for inter-process communication between the components of HOB RD VPN. The following table lists the required ports.

Port   Environment   Function                                    Note
       External      Administration access to Intranet           Connection to the administration portal. The port is configurable during installation.
443    External      User Portal                                 Clients from the Internet connect to this port. The port is configurable during installation.
80     External      HTTP Redirector                             If clients from the Internet connect to this port, they will be redirected to the secure Internet access port, and SSL will be used.
       External      Synchronization with integrated database    Synchronization with the integrated directory service. Required for cluster installations.
8989   External      Synchronization with integrated database    Synchronization with the integrated directory service. Required for cluster installations.
389    Internal      Integrated directory service                This port allows communication with the integrated directory service over TCP.
       Internal      Web File Access                             Inter-process communication for Web File Access.

Table 5: External and Internal Port Configuration

All ports labeled as Internal are accessible only from within the HOB RD VPN server network. Ports labeled as External are accessible over the public network.

For cluster installations, the Integrated Directory Service must run on the default port 389 for ALL cluster members.

4.3. Starting the HOB RD VPN Installer - Single Node and Cluster

The installation of HOB RD VPN is a very straightforward process that has been designed to be as simple as possible. The first steps of this process are identical for both installation types; then you simply need to select whether you are installing:

- a standalone deployment of HOB RD VPN (single installation) or the first node of a cluster installation, or
- an additional cluster member installation. If this is your desired deployment, please see section 4.5 Cluster Member Installation, page 38.

The instructions given here apply to installing HOB RD VPN on a Windows operating system only.

1. If installing from a CD/DVD, insert the HOB RD VPN DVD into the CD-ROM/DVD-ROM drive. If the DVD start image does not appear automatically, open the file start.htm in the root directory of the DVD.
2. The HOB RD VPN start page opens in the browser. Click Install Software.
3. On the next page, click Install HOB RD VPN to start the installation process.
4. In the dialog Warning - Security, click Yes or Always to accept the certificate and continue with the installation.
5. If installing from a download, select the downloaded file install.exe and follow the instructions.
6. Click Start Installer for Windows and follow the instructions onscreen.

The first steps of the installation are the same regardless of whether you are installing a single instance of HOB RD VPN or installing a cluster deployment.

4.4. HOB RD VPN Installation - Single Node and Cluster

Once the installer is running you need to follow the instructions on each screen, then click either Next to proceed to the next screen, Previous to return to the previous screen, or Cancel to end the installation process.

Figure 8: Select Installation Directory Screen

1. Here you determine the installation directory where HOB RD VPN is to be installed on your system. It is safe to use the default setting here (by default it will be installed in C:\Program Files\HOB\rdvpn), but you should install it according to the conventions of your system.

Figure 9: Select TUN Driver Installation Screen

2. On this screen you select whether to install a TUN driver, a software component necessary for the SSL Identifier to function. Due to the advantages brought by the HOB PPP Tunnel and by the SSL Identifier, it is strongly recommended that you install the TUN driver. For more information on this subject, please see Section 4.5 Cluster Member Installation on page 38.

Figure 10: Choose Installation Type Screen

3. In this screen you need to select between:
   - a single installation (standalone deployment) of HOB RD VPN or the first node of a cluster installation, or
   - an additional cluster member installation. If this is your desired deployment, please go to section 4.5 Cluster Member Installation, page 38.
   To install a standalone deployment or a first cluster node, select this option and click Next. If you have already deployed a standalone installation, you can decide at any time to upgrade to a cluster configuration.
4. If you want to install an additional cluster member, click Additional node for a Cluster Installation and refer to the cluster member installation, section 4.5 Cluster Member Installation.
5. The HOB RD VPN installer checks the availability of the required ports. Depending on your operating system and your settings you may get a warning from your firewall at this point in the installation, which can bring the following dialog on-screen:

Figure 11: Enter Default Host Name and Port Screen

6. Select the networks where you wish access to be allowed and click Allow access to let the installer perform these checks.

Figure 12: Enter Default Host Name and Port Numbers Screen

7. In this screen you need to specify the fully qualified hostname and port numbers of the connection that is to be used for Administration Access, and where the HOB RD VPN installation accesses the internal network. You can use the port number as a default value. The information entered here is used for administration and configuration tasks.
8. Here you also need to enter the hostname of the User Portal, which is also the HOB RD VPN navigation screen. This is the fully qualified hostname of the machine through which the clients on the Internet access your HOB RD VPN. You should use 443 as the port number for this.
9. A green check mark appears when these details have been entered correctly. The other details on the screen are completed automatically. Click Next when you have entered this information.

Keep in mind that this qualified hostname may differ from the name by which the system is accessible from the internal network.

Figure 13: Global Administrator Setup Screen

10. In this screen you have to create a Global Administrator. The global administrator has full administration rights for the whole HOB RD VPN installation and full access to all RD VPN related tasks.

Figure 14: User Account Setup Screen

11. In this screen you can add up to three HOB RD VPN users. These users enable you to access HOB RD VPN immediately after installation. You can choose different roles for these users from the drop down box: Domain Administrator, Power User or User (you may of course assign other roles and role names according to the conventions of your company once the installation is completed). Domain administrators set up at this stage of the install process have rights to administer only the default domain, which is named Hobsoft. After installation you can add additional users to the Hobsoft domain (all global and domain administrators can do this).
12. You also need to create a certificate of identification, which is used to establish the validity of the installation on your client. The default period of validity is 1 year; if you wish to change this, select the required duration from the drop down box. Complete the fields on this screen and click Next.

Figure 15: Create Certificate Screen

13. Once all the settings are configured you will see a screen summarizing the data required for the installation.

Figure 16: Installation Summary Screen

14. If everything is in order, click Install to proceed with the HOB RD VPN installation process. The HOB Software Product Key dialog is displayed.

Figure 17: Software Product Key Screen

15. In the Product key field you have to enter a valid Product License Key to register your edition of HOB RD VPN. You can find the key in the document HOB Software License that is delivered along with the product CD or, if purchased online, in the e-mail received once payment has been confirmed.
16. Alternatively you can choose to test it by clicking the Evaluation Version button. This will create a temporary license file that is valid for 30 days. The time remaining in the evaluation period is displayed each time you log in. Once this has expired, you must enter a valid product key to continue using the software.
17. Click OK to close this dialog box and finish the installation process.

Figure 18: Installation Complete Screen

18. Once the installation is complete you can close the installer by clicking Done. To check whether the installation was successful, please read Section 4.6 Testing the Installation on page 45.

To install the individual components, and to set up the configuration of these individual components, please see their corresponding chapters in this Administration Guide.

4.5. Cluster Member Installation

To install a cluster deployment in your system you need one installation of HOB RD VPN to hold the base settings. You can use a new server installation with an empty configuration, or use a server that is already installed and configured. If you are installing a new cluster then you must start by installing the first node of the cluster; see 4.4 HOB RD VPN Installation on page 31. If you already have a HOB RD VPN installation you can proceed with the following steps for the second and subsequent nodes.

Make sure that your base installation and your new cluster member are configured with at least two different IP addresses. See Table 5: External and Internal Port Configuration in section 4.2 Prerequisites for Installation - Single Node and Cluster on page 29 and make sure that the ports marked as External are accessible for all cluster members.

Base Configuration for a Cluster

1. To set up the base configuration for a cluster, use the installed first node (where HOB RD VPN has been installed) to log on to HOB RD VPN via a browser using the following URL:
2. This opens the Logon screen for HOB RD VPN green edition, where you enter your username and password as the global administrator.

Figure 19: HOB RD VPN Logon Screen

The HOB RD VPN Administration Portal opens once you have successfully logged on.

Figure 20: HOB RD VPN Administration Screen - System

3. Here you select EA Admin to start the HOB RD VPN Administration configuration program and select the desired resource in the database, which in this case is the HOB RD VPN central component, the HOB WebSecureProxy.

Figure 21: HOB RD VPN Administration Start Screen

4. Now use the buttons at the bottom to select HOB RD VPN > WebSecureProxy > Configure, as shown above.
5. This opens the WebSecureProxy configuration screen. Select the element WSP Servers from the list and the following screen is displayed.

Figure 22: WSP Servers Configuration Screen

6. On this opening Network Adapters tab you enter the fully qualified hostname and IP address of this server on the Internet as the User Portal Hostname and IP Address. See Section 3.2 Cluster Deployment Configuration on page 26 for more detail on the data to be entered here. The User Portal is the connection created by the users to access HOB RD VPN; it is also referred to as the navigation screen.

Figure 23: Configure WSP Servers Screen - Single Node

7. Now enter the required IP address information for the HOB RD VPN administration access. Keep in mind that the user portal and administration access must use different IP addresses, while the Network Adapter could use one of these two or a third unique address.

8. Select WSP Servers and click Add at the bottom of the hierarchy tree to add a second node to the cluster configuration. In addition to the entry fields appearing on the screen for the information for the new cluster node, two extra columns of entry fields also appear. In these fields you need to enter the Cluster Access IP Address and the Synchronization IP Address for each cluster node. This data must be entered for both nodes, as both are to be members of the cluster.
9. Under Network Adapter Name you should enter a name for the network adapter you want to use for access for each of the administration, cluster and synchronization IP addresses.

Figure 24: Configure WSP Servers Screen - Cluster

10. Select the first node you want to configure.
11. Now click the Cluster connections tab and the following is shown on screen:

Figure 25: Cluster Connections Tab

12. Enter the Port to use for the cluster synchronization connection (in this case 13290), and set the required Timeout period, in milliseconds. By default this is 1000; you may change this as desired.

13. If it is not already set, change the port for the Cluster Access information accordingly. Perform this step with the same settings for all cluster members.

Installing Cluster Members

Now that the system has been configured to accept new additions to the computer cluster, you need to install these. The installation of an HOB RD VPN cluster is a very straightforward process that has been designed to be as simple as possible. Follow these instructions for each server.

Start the HOB RD VPN installer, as shown in section 4.4 HOB RD VPN Installation on page 31. Installation up to this point is identical to that for a single node installation. From this stage of the installation process, the installation is specifically for a cluster node only.

Figure 26: Select Installation Type Screen

1. Select Additional node for a cluster installation to start the installation of a new cluster member.

Figure 27: Cluster Installation Screen

2. Click Next to start the installation process. After installation of the new cluster node, the installer needs some additional information to enable the synchronization and to synchronize the data with the already installed cluster node.

Figure 28: Cluster Global Administrator Data Screen

3. Here you enter the settings of the already installed cluster member. The new cluster member must be able to access this system over the network, to enable synchronization and synchronize the data. If more than one cluster member is already installed, you can select any of these to be the Master node. Synchronization of the cluster retrieves the data of all cluster nodes and shares it with all members.

4. Enter the Hostname or IP address of this master cluster member and enter the credentials of the Global Administrator.
5. Click Next for the installation to authenticate these credentials.

Figure 29: Cluster Connection Password Screen

6. In this screen you need to enter the cluster connection password. This is a freely selectable password to be used for the synchronization of your whole cluster. If you already have a working cluster you must choose the password that you are already using for the cluster. Make sure you remember this password!
7. Click Next for the installer to perform the synchronization. This may take some time, depending on the size of your integrated directory service.

Figure 30: Enter Product License Key Screen

8. In the Product key field you have to enter a valid Product License Key to register your edition of HOB RD VPN. You can find the key in the document HOB Software License that is delivered along with the product CD or, if purchased online, in the e-mail received once payment has been confirmed.
9. Alternatively you can choose to test it by clicking the Evaluation Version button. This will create a temporary license file that is valid for 30 days. The time remaining in the evaluation period is displayed each time you log in. Once this has expired, you must enter a valid product key to continue using the software.

The installation is now ready and you can use the cluster installation.

4.6. Testing the Installation

To test whether the installation has been successful, perform the following steps:

Testing as a Domain Administrator or User

Once the installation is done you can test it by pointing your browser to the HOB RD VPN URL (in our example this is: ). The logon screen will appear. You can now log on as a domain administrator, power user or user with any valid domain username and password that you created during the installation. If you are a member of either the administrator or power user roles you can also test the RDP connections this way. You cannot use your Global Administrator logon to test in this case.

Figure 31: HOB RD VPN Logon Screen

If the logon has been successful, as a domain administrator or user you will see the following HOB RD VPN navigation screen appear:

Figure 32: HOB RD VPN Navigation Screen

This screen shows that user1 (the user name is shown above the title banner) has logged in as Domain Administrator, so the installation has been successful.

Testing as the Global Administrator

To test the administration features you should point your browser to the administration interface URL created during installation. In our example this is:

In the Logon screen (above) enter your username and password as Global Administrator. The following screen appears:

Figure 33: HOB RD VPN Administration Access

You can now use the links on this screen to access the administration interface for testing.

4.7. Uninstallation

HOB RD VPN green edition can be uninstalled via the Windows operating system uninstallation function.

For example, on Windows operating systems: click Start > Control Panel > Software > HOB RD VPN > Change/Remove and then click Uninstall.

After carrying out the step above, you may have to restart your system to complete the uninstallation.


5. HOB RD VPN Navigation Screen

HOB RD VPN can be accessed immediately after installation by pointing your browser to the HOB RD VPN URL (in our example this is: ). You can also use the HTTP URL, which redirects your browser to a secure https connection.

You can log on to the navigation screen with the users you created during installation, but not with the Global Administrator created during installation. Depending on the role assigned to the user when their settings are configured, different portlets (links to different functionalities) will be available to them after a successful logon.

Figure 34: HOB RD VPN Domain Administrator Navigation Screen

Here you can see the navigation screen for the user user1 after a successful logon with the domain administrator role (this information is shown above the banner). Depending on the user configuration set up during installation, this user can successfully connect to RDP targets and legacy protocol targets, and use web-based applications and intranet services. The user can also access Windows shares by using Web File Access, and modify their User Settings.

Portlets

Portlets are essentially bookmarks to the features and applications within HOB RD VPN. They greatly speed up access to and the usability of these features. Instead of new websites being created to access these applications, portlets can be configured by the administrator or by the users themselves (e.g. for organization, usability and appearance). Portlets are completely configurable and customizable to suit the requirements of your company and your users.

The following table lists the possible portlets, the required HOB component for that portlet, and the functionality that the portlet provides.

Portlet                                   Component/Application   Functionality
User Configuration                        HOB EA Administration   Perform administrative tasks
Access to Web Applications and Intranet   Web Server Gate         Allows access to any kind of web server, including Outlook Web Access and Citrix Web Portal
Access to File Systems                    Web File Access         Access CIFS/SMB capable shares in your network
PPP Tunnel                                HOB PPP Tunnel          Network level access to internal resources
User Settings                                                     Modify own user settings

Table 6: Portlets in HOB RD VPN

The following table shows the portlets that are already configured according to the roles available on installation:

Portlet                      Domain Administrator   Power User   User
Administration               X
Access to Web Applications   X
Access to File Systems       X
User Settings                X

Table 7: Portlet Assignments

It is up to the domain administrator (who is assigned all portlets by default) to decide which portlets are assigned to the other users depending on their role, in accordance with the conventions of the company.

User Settings

This portlet allows domain administrators and users to personalize the look and feel of the navigation screen. There are three sets of links here:

- User Settings - here you can expand or collapse the required portlet, and arrange the portlets as desired.
- Cookies - here you can save and organize any cookies.
- Change password - here you or your users can change their access password.

User Settings - Web Server Gate Bookmarks

Here you can set any bookmarks that you want to appear on the navigation screen.

Figure 35: HOB User Settings Screen - Web Server Gate Bookmarks

Enter a Name and a URL for each bookmark you wish to add to the navigation screen. Use the green Plus symbol to add new bookmarks (or the red X symbol to delete them), and the Up and Down arrows to adjust the order in which they are displayed on the navigation screen. Click Save All to save your changes when you are satisfied with your bookmarks.

User Settings - Portlets

To change the look of the navigation screen, and to set the portlets available to your users:

Figure 36: HOB User Settings Screen - Portlets

Enable the radio buttons for each portlet that you want displayed on the navigation screen, and then use the Up and Down arrows to adjust the order in which they are displayed.

User Settings - Others

On this screen you can set the display language to be used by HOB RD VPN, and whether the Web Server Gate flyer is shown.

Figure 37: HOB User Settings Screen - Others

- Language - select from the drop down box to set the display language.
- Web Server Gate Flyer - click hide or show to have the Web Server Gate flyer displayed or not.

Cookies

This screen allows you to review your current cookie list.

Figure 38: HOB User Settings Screen - Cookies

Use the Delete button to remove any cookie from this list.

Change Password

This screen allows each user to change their password, if desired.

Figure 39: HOB User Settings Screen - Change Password

Enter your old password, then the new password. Enter your new password again to confirm, and click Change Password to make the change.

54 HOB RD VPN 54 Connectivity Solutions by HOB

6. HOB RD VPN Administration

The administration portal is the set of Graphical User Interfaces (GUIs) that the administrator of HOB RD VPN can use to manage, monitor and adapt the software to account for changes in the system. Users and resources can be added, edited or deleted, permissions set, and users and resources assigned to their respective administration groups. The administration interface is named Enterprise Access Administration (EA Admin) and is delivered as an integral part of the HOB RD VPN software solution.

HOB RD VPN Administration can be started using a browser or the Start Menu of your workstation. To start HOB RD VPN Administration from a browser, open the HOB RD VPN default page with a browser and log on, either:

As a domain administrator using:
As global administrator using:

Administration Access as a Domain Administrator

To access the administration interface from a browser:

1. The HOB Navigation Screen opens.
2. Click the User Configuration link.
3. Click Start HOB EA Administration. You will need to authenticate again when the HOB EA Administration program opens.

From the Start menu of your workstation:

4. Click on the Start Menu of your workstation.
5. Locate the application icon HOB EA Administration and click to start.
6. You will find shortcuts for this program in the following directories:
   - under Windows: Start/Program Files/HOB RD VPN/Administration
   - under Linux/Unix: /home/your_username/hob RD VPN/Administration
7. You will need to authenticate when the HOB EA Administration program opens.

Figure 40: HOB RD VPN Administration Screen - Logon

Once you have successfully logged on, the following screen is displayed. Here you can administer and configure the resources within your domain.

Figure 41: HOB RD VPN Administration Screen

The HOB RD VPN Administration screen shows the resources that are present in your organization hierarchy in the left-hand panel, and the constituent elements (users, groups, containers and objects) of the highlighted element in the right-hand panel. The name of the selected resource is always shown in the title of the right-hand panel. Select from the domain list displayed on the left the domain that you wish to administer. The elements or resources contained within each domain are shown in the panel on the right. In the example shown here there is one domain, dc=hobsoft, with two elements, ou=groups and ou=users.

Use the following buttons to manage the resources in your enterprise:

Connect - establish a connection to your resource management database
Disconnect - end the connection to the database
Add Item - add a new item (user, group, object or container) to the database
Edit Item - edit the selected item
Delete Item - delete the selected item
Configure - configure the selected part of the database
Search - search for a specific element in the database

At the bottom of the screen there are two buttons and a drop down box. These are:

Properties - use this button to display the properties of the selected resource.
Configure - use this button to open the configuration tool for the selected resource.
Drop down box - here you select the part of the database that you want to access for editing, whether User Settings, WebSecureProxy, Utilities, etc. User Settings is selected by default.

Administration Access as a Global Administrator

Once you log on to a browser using the global administrator logon, the administration portal opens directly. The following applications are available for the global administrator only; they are not available to a domain administrator and are not displayed on the domain administrator interface.

HOB RD VPN Administration Screen - System

This screen shows information about the currently installed edition of HOB WebSecureProxy.

Figure 42: HOB RD VPN Administration Screen - System

As well as the installed version of the HOB WebSecureProxy, this screen shows the process ID of the current installation and for how long the current connection has been running.

HOB RD VPN Administration Screen - Gateways

Here you can see the currently configured gateways for the current connections.

Figure 43: HOB RD VPN Administration Screen - Gateways

This screen shows details about the gateways for the administration access and for the user portal. The information shown includes the numbers of the ports they are using, their configurations and the status of the connections to the gateways.

HOB RD VPN Administration Screen - Users

Here you can display all of the users that are currently logged on to the system.

Figure 44: HOB RD VPN Administration Screen - Users

Using the fields at the top of this screen, you can choose to display users according to a set number per page, or according to user name. In the list of users you can see their roles and IP addresses, and how long they have been logged on.

Previous and Next - use these arrow buttons to navigate between users when not all can be displayed on the screen at the same time.
Display users named - insert the username into this field to bring up the required user directly.
Logout Selected Users - use this button to log out those users that you have selected from the list of current users.

HOB RD VPN Administration Screen - Connections

This dialog is used to review the currently established connections, and to disconnect those that are not in use.

Figure 45: HOB RD VPN Administration Screen - Connections

Previous and Next - use these arrow buttons to navigate between users to see their connections.
Display users named - insert the username into this field to bring up the required user directly.
Disconnect selected connections - use this button to disconnect those connections that you have selected from the list shown.

HOB RD VPN Administration Screen - Logs

This dialog displays the log of activity for the connections that were recently or are currently active.

Figure 46: HOB RD VPN Administration Screen - Logs

Previous and Next - use these arrow buttons to navigate between entries in the logfiles.
Autorefresh - click this to automatically update the logfile that is displayed. When clicked, this button performs a refresh and counts down 30 seconds until it refreshes again. This continues until you leave this screen.
Refresh - click this to update the logfile that is displayed.
Search - use this to find and display a specific logfile.
RegExp (Regular Expressions) - allows a search of the logs for known regular expressions, such as a specific application name.
Start at - use this field to enter a starting date for your search.

Global Administration Screen - Services

This dialog displays the installed plugins and allows them to be monitored. Plugins are enhancements to existing software applications, adding specific abilities. Plugins usually cannot be run independently of the main application, and in most cases can be stopped and restarted if necessary.

Figure 47: Global Administration Screen - Services

Plugin - the names of the plugins are listed in this column.
Status - the current status of each plugin is shown here.
Options - the options are either to stop (click the black X for this) or to restart (click the arrow).

The field at the bottom shows a log of the activity for the selected plugin.

Global Administration Screen - EA-Admin

There is no interface for this as part of the administration portal. Use this link instead to launch the EA Administration interface, where you can administer the domains and their resources, and also administer the HOB WebSecureProxy.

Global Administration Screen - Backup

This feature allows the data contained within the system Directory Service to be exported to a backup file location, or imported back from that backup location. For a backup, the data stored in the directory service must first be converted to LDIF (LDAP Data Interchange Format), which is a standard plain text data interchange format used for representing directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry), and one record per update request, such as Add, Modify, Delete and Rename.
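To sanity-check a backup before it is uploaded with Import LDIF, the following Python, added here as an example and not part of HOB RD VPN, parses a constructed LDIF content export of the default dc=hobsoft,dc=root tree and reports what an append import would collide with and what an overwrite import would drop; the entries and the list of DNs already on the server are constructed sample data, and DN parsing assumes no escaped commas.

```python
import base64
from typing import Dict, List

# Constructed LDIF content export of the default dc=hobsoft,dc=root tree (sample
# data, not a real HOB RD VPN backup): a comment, a base64 value ("::") and a
# folded line (continuation marked by a leading space) are included on purpose.
SAMPLE_LDIF = """\
version: 1
# exported from the integrated directory service (constructed sample)
dn: dc=hobsoft,dc=root
objectClass: domain
dc: hobsoft

dn: ou=groups,dc=hobsoft,dc=root
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=hobsoft,dc=root
objectClass: organizationalUnit
ou: users

dn: uid=admin1,ou=users,dc=hobsoft,dc=root
objectClass: inetOrgPerson
uid: admin1
cn:: SsO2cmcgTcO8bGxlcg==
description: domain administrator of the
  hobsoft tenant

dn: cn=administrators,ou=groups,dc=hobsoft,dc=root
objectClass: groupOfNames
cn: administrators
member: uid=admin1,ou=users,dc=hobsoft,dc=root
"""

# DNs assumed to exist on the server before the import (constructed; uid=tempuser
# is on the server but not in the backup).
SAMPLE_EXISTING_DNS = {
    "dc=hobsoft,dc=root",
    "ou=groups,dc=hobsoft,dc=root",
    "ou=users,dc=hobsoft,dc=root",
    "uid=admin1,ou=users,dc=hobsoft,dc=root",
    "uid=tempuser,ou=users,dc=hobsoft,dc=root",
    "cn=administrators,ou=groups,dc=hobsoft,dc=root",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into {attribute: [values]} dicts. Folded lines
    are joined, comments and the version line skipped, "::" values base64-decoded;
    change records are rejected because a backup export holds content only."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # continuation of the previous line
        else:
            logical.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:              # sentinel flushes the last record
        if line == "":
            if current:
                if "dn" not in current:
                    raise ValueError("record without dn")
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError("malformed LDIF line: %r" % line)
        if name == "changetype":
            raise ValueError("change record found; expected a content export")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return records


def parent_dn(dn: str) -> str:
    """Parent of a DN by dropping its first RDN (assumes no escaped commas)."""
    return dn.partition(",")[2]


def plan_import(existing_dns, records, mode: str, base_dn: str = "dc=root") -> Dict[str, List[str]]:
    """Dry run of the Import LDIF choice. "append" keeps the server's entries, so
    backup entries already present are conflicts; "overwrite" replaces them, so
    server entries missing from the backup are lost. In both modes an entry's
    parent must be importable before the entry itself, otherwise it is an orphan."""
    if mode not in ("append", "overwrite"):
        raise ValueError("mode must be 'append' or 'overwrite'")
    existing, backup_dns = set(existing_dns), [r["dn"][0] for r in records]
    imported, orphans = set(), []
    for dn in backup_dns:
        parent = parent_dn(dn)
        known = parent in imported or (mode == "append" and parent in existing)
        if parent and parent != base_dn and not known:
            orphans.append(dn)
        imported.add(dn)
    conflicts = [dn for dn in backup_dns if dn in existing] if mode == "append" else []
    lost = sorted(existing - set(backup_dns)) if mode == "overwrite" else []
    return {"conflicts": conflicts, "lost": lost, "orphans": orphans}
```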

Figure 48: Global Administration Screen - Backup - Export LDIF

Export LDIF - export the data in LDIF format to the backup location. This button brings the Username and Password fields on screen, where you need to authenticate. Once you have authenticated, click Export for this operation to be carried out.
Input Credentials - this shows a log of all entries into this screen.

Figure 49: Global Administration Screen - Backup - Import LDIF

Import LDIF - extract the data from the backup location to the current servers for use. This button also brings the Username and Password fields on screen (as shown above), where you need to authenticate using your HOB RD VPN credentials. Once you have authenticated, use the Browse button to locate the desired LDIF file. Once it is selected, you have to specify whether the file being imported should overwrite the existing data or be appended to it.
Upload & Import - click for this import operation to be carried out.
Input Credentials - this shows a log of all entries into this screen.

Global Administration Screen - Certificates

This feature is where the system certificates are managed. These are the security certificates that are used to authenticate each element of the system. Access is not allowed from workstations or machines that do not possess current valid certificates.

For each type of certificate the following symbols on the right-hand side have the same functions. They are active only when the mouse moves over them:

Upload - click to upload a certificate into the certificate directory.
Download - click to download a certificate from the certificate directory.
New Certificate - click to create a new certificate.

Upload Certificate

Use this screen to upload a certificate.

Figure 50: Global Administration Screen - Upload Certificate

PWD (Password) - use the Browse button to enter the path to the password certificate file here.
CFG (Configuration) - use the Browse button to enter the path to the configuration certificate file here.
CDB (Certificate database) - use the Browse button to enter the path to the certificate database file here.
Import to External Client Certificates - check this box to import the current certificate to the list of external client certificates.
Upload - click to perform the upload.

Download Certificate

Use this screen to download a certificate.

Figure 51: Global Administration Screen - Download Certificate

Download Certificate Package - click on this link to download all of the current certificates (in this example the certificates required for administrator access).

Create New Certificate

Use this screen to create a new certificate.

Figure 52: Global Administration Screen - Create New Certificate

Import to External Client Certificates - check this box to import the current certificate to the list of external client certificates.
Create - click to create the new certificate.

Global Administration Screen - Updater

This feature is where updated versions of existing files can be uploaded and installed. Backup files can also be uploaded this way.

Figure 53: Global Administration Screen - Updater

Browse - use this to locate the desired update file.
Upload & Install - click this button to perform the update.
Status - this field shows the current log of activity on this screen.
Update Packages - this list shows the recent update activity, with the current status of uploaded packages as well as their upload date.

Global Administration Screen - Extensions

This feature allows you to install the extensions available for HOB RD VPN. Extensions are extra features or functionality that are delivered with this installation of HOB RD VPN, but are optional in that they need not be activated.

Figure 54: Global Administration Screen - Extensions

See the relevant section in this documentation for more information.

Anti Split Tunnel - see Section Anti Split Tunneling.
PPP Tunnel for Unix - see Section 13 Network Access using the HOB PPP Tunnel.

7. Multi-Tenancy

HOB RD VPN can be configured to use multiple domains, so it is possible to use one HOB RD VPN installation to successfully authenticate users from different domains. Because of this, HOB RD VPN introduces a multi-tenant capability, where each domain in HOB RD VPN stands for an independent tenant. It is possible to completely separate these domains so that every domain uses different configurations (for example, domain 1 can only access resources assigned to domain 1, domain 2 can only access resources assigned to domain 2, and for users of either domain it is not possible to access resources assigned to the other domain). If required, configurations can also be used from more than one domain (e.g. different domains may be assigned access to the same target system).

There can be many different reasons for using the multi-tenancy feature besides connecting to different companies. Multi-tenancy could also be used to support different departments within a company, or it can be used to allow customers or suppliers access to special services without needing to add them to the integrated user directory service.

Multi-tenancy refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants). Multi-tenancy is contrasted with a multi-instance architecture, where separate software instances (or hardware systems) are set up for different client organizations. With a multi-tenant architecture, a software application is designed to virtually partition its data and configuration, and each client organization works with a customized virtual application instance. Multi-tenancy is also regarded as one of the essential attributes of Cloud Computing.

HOB RD VPN can be configured to use a wide range of different tenants using different domain configurations. A domain in HOB RD VPN consists of two components, an Authentication Service and a Configuration Storage.

Default Domain Configuration after Installation

After installation, HOB RD VPN uses the integrated directory service for both authentication service and configuration storage. For this, the HOB RD VPN installation creates a default domain named hobsoft. This domain resides in the directory service under dc=hobsoft,dc=root.

Figure 55: WSP Configuration - LDAP Domains

You can use the administration interface to perform additional administration tasks for this domain as the global administrator or as the domain administrator of the hobsoft domain. With the administration interface you can administer both the users and their configurations.

Using an Integrated Directory Service

After installation, HOB RD VPN uses the integrated directory service for both authentication service and configuration storage. The tree of the integrated DS contains two domain components (dc), dc=internal,dc=root and dc=hobsoft,dc=root.

Domain Component dc=internal,dc=root

Internal objects located in this component include:

The WebSecureProxy (WSP) Object - On installation there is a default random password set for this object that is unique for each installation. This object holds the configuration of the WSP and is also used as a read-only search user for the integrated directory service.

System Admin - This user is also created at installation with a freely selectable username (that must not be "System Admin" itself) and a password. This user has administrative rights to the whole integrated directory service. Additional system administrators (with the same rights) can be created later in RD VPN Administration.

Domain Component dc=hobsoft,dc=root

After installation, dc=hobsoft,dc=root is the default domain used as authentication service and configuration storage. On installation it is possible to add users and select suitable groups for them. Users in the group cn=administrators,ou=groups,dc=hobsoft,dc=root have administrative rights only to the elements below the dc=hobsoft,dc=root part of the tree.

Figure 56: Default Integrated Directory Structure

Adding another domain for authentication service and configuration storage is the equivalent of adding a copy of the initial dc=hobsoft,dc=root but with another name, e.g., dc=customer1,dc=root.

Configuring an Integrated Directory Service

1. Log in with global administrator credentials to the HOB RD VPN administration page and, in the column on the left, select EA-Admin. Now log in to EA Admin with your global administrator credentials.
2. In HOB EA Admin, select ou=servers (organizational unit=servers) in dc=internal (domain component=internal) and then click on the directory content item cn=websecureproxy. Now click the > button to the right of the Configure button and select HOB RD VPN 2.1 > WebSecureProxy. Then click Configure.
3. In the HOB WSP screen that now opens, select Domains > LDAP > LDAP Domains from the tree structure at the left (you may have to scroll down to find these items). Click Add.
4. The LDAP Domain tab opens in the pane on the right. Here you can either accept the default name of the new domain, or enter a name of your choosing.
5. Click the Add button again and the LDAP Server tab opens in the pane on the right.

Figure 57: LDAP Server tab

Here you must enter the information of the LDAP server to be used in this domain. The data fields are:

Name - A default LDAP server name appears here. You can accept this or enter a new name.
IP address - Enter here the IP address of your LDAP server.
Port - Port number 389 is set here as default. If you set the LDAP server to use SSL (see below), the port will be set to the default SSL port number 636.
LDAP template - Select here the type of LDAP server you are using. You can choose from the following: OpenDS, OpenLDAP, IBM Directory Server, Microsoft Active Directory, iPlanet Directory Server, Novell Directory Server or Siemens DirX LDAP.
Use network adapter - This is set as default to Any.
Base DN - Set here the base DN (Domain Name) for your LDAP server. Click the Browse button to select from the available base DNs.
Search administrator DN - Enter here the administrator's distinguished name (full path) for this domain. This information must be the exact path as it is in the LDAP directory.
Search administrator PW - Enter here the administrator's corresponding password.
Timeout search (sec) - Here you can set the time in seconds for the system search timeout. Default is ten seconds.
Wait connect (sec) - Here you can set the time in seconds for the system to wait for a server connection. Default is ten seconds.
Use SSL - If the LDAP server is to use SSL, this must be activated by clicking this checkbox. If activated, the LDAP server port (see above) will change from 389 to the standard SSL port 636.
Search nested group level - Here you can set the number of organizational levels (nested groups) to search through for user settings. The higher the number, the more levels will be searched. If you have a high level setting here, you may need to increase your Timeout search.
Global directory - Can only be used with Microsoft Active Directory as LDAP Template. Activate this service by clicking this checkbox. If you select to use a global directory, the server port will change to 3268 (or 3269 for an SSL connection). Then only the Microsoft Global Directory indexed entries will be used.

6. Now click the Domains item in the tree structure and click the Add button in the Domains pane on the right.

Figure 58: Add Domain dialog box

7. In the Add Domain dialog box, add the name of the domain just created to be used for Authentication Service and add the name to be used for Configuration Storage.
8. Now you have to add/assign a role to the users who are to use this domain.
9. To add a role, click Roles towards the top of the tree structure and then click the Add button at the bottom left.
10. In the Settings pane on the right that now opens, select the tab Members, then select the tab with the name of your LDAP domain (in this example LDAP Domain(1)) and then click the Add button on the right.

Figure 59: Add Domain to Roles dialog box

11. In the Select member dialog box that now opens, select the organizational unit, user or user group who are to have authorization to use the domain you just created and add this entry to the Members list by clicking Select at the lower left.

Figure 60: Add Organizational Unit to Domain Members dialog box

7.3. Using an External Directory Service

An external directory service can be used:

In conjunction with the same external directory service - In this scenario the integrated directory service is not involved. The global administrator of HOB RD VPN has to provide the necessary credentials for the domain (a directory service-based authentication service and a directory service-based configuration service) in the WSP configuration file. This can be done using the WSP configuration. Note that the authentication service and the configuration storage must be the same directory service.

In conjunction with the integrated directory service - In this scenario a new domain component under dc=root is created. The name is the same as the domain name in the WSP configuration, in this case external LDAP (see the diagram below):

Figure 61: Default External Directory Structure

The structure of the internal domain component should mirror the original directory service structure of the external directory service. To have a valid administrator user for this domain in the directory server, a randomly named administrator user is generated during the creation of this domain. The global administrator sets the password for this administrator user during creation as a "Masterpassword." Every user in a special group of the configuration storage is mapped to this randomly named user when accessing the configuration storage.

Configuring an External Directory Service

The following steps show the procedure required to use an external directory service as the authentication service and configuration storage.

1. Add the HOB scheme extension to your directory service. After installation you can find the HOB scheme extension in the HOB Scheme Extensions folder of your HOB RD VPN installation.
2. Log in with global administrator credentials to the HOB RD VPN administration page and, in the column on the left, select EA-Admin, then log in to EA Admin with global administrator credentials.
3. In HOB EA Admin, select ou=servers (organizational unit=servers) in dc=internal (domain component=internal) and then click on the directory content item cn=websecureproxy. Now click the > button to the right of the Configure button and select HOB RD VPN 2.1 > WebSecureProxy. Then click Configure.
4. In the HOB WSP screen that now opens, select Domains > LDAP > LDAP Domains from the tree structure at the left (you may have to scroll down to find these items). Click Add.
5. The LDAP Domain tab opens in the pane on the right. Here you can either accept the default name of the new domain, or enter a name of your choosing (in the example External LDAP is used).

Figure 62: WSP Administration Screen - Add External LDAP Domains

6. Once the domain has been added, a server must be added to this domain. Click Add to add at least one directory server instance.

Figure 63: WSP Administration Screen - LDAP Server configuration

Here you must enter the information of the LDAP server to be used in this domain. The fields are as follows:

Name - A default LDAP server name appears here. You can accept this or enter a new name.
IP address - Enter here the IP address of your LDAP server.
Port - Port number 389 is set here as default. If you set the LDAP server to use SSL (see below), the port will be set to the default SSL port number 636.
LDAP template - Select here the type of LDAP server you are using. You can choose from the following: OpenDS, OpenLDAP, IBM Directory Server, Microsoft Active Directory, iPlanet Directory Server, Novell Directory Server or Siemens DirX LDAP.
Use network adapter - This is set as default to Any.
Base DN - Set here the base DN (Domain Name) for your LDAP server. Click the button to select from the available base DNs.
Search administrator DN - Enter here the administrator's distinguished name (full path) for this domain. This information must be the exact path as it is in the LDAP directory.
Search administrator PW - Enter here the administrator's corresponding password.
Timeout search (sec) - Here you can set the time in seconds for the system's search timeout. Default is ten seconds.
Wait connect (sec) - Here you can set the time in seconds for the system to wait for a server connection. Default is ten seconds.
Use SSL - If the LDAP server is to use SSL, this must be activated by clicking this checkbox. If activated, the LDAP server port (see above) will change from 389 to the standard SSL port 636.
Search nested group level - Here you can set the number of organizational levels (nested groups) to search through for user settings. The higher the number, the more levels will be searched. If you have a high level setting here, you may need to increase your Timeout search.
Global directory - Can only be used with Microsoft Active Directory as LDAP Template. Activate this service by clicking this checkbox. If you select to use a global directory, the server port will change to 3268 (or 3269 for an SSL connection). Then only the Microsoft Global Directory indexed entries will be used.

7. Now click the Domains item in the tree structure and click the Add button in the Domains pane on the right.
8. In the Add Domain dialog box, add the name of the domain just created to be used for Authentication Service and for Configuration.
9. Now the users that are allowed to log on to HOB RD VPN need to have a role assigned to them.
10. To add a role, click Roles towards the top of the tree structure and then click the Add button at the bottom left.
11. In the Settings pane on the right that now opens, select the tab Members, then select the tab with the name of your LDAP domain (in this example External LDAP) and then click the Add button on the right.
12. In the Select member dialog box that now opens, select the organizational unit, user or user group who are to have authorization to use the domain you just created and add this entry to the Members list by clicking Select at the lower left.

Using Remote Access Servers as the Authentication Service

Remote Authentication Dial In User Service (RADIUS) is a standard networking protocol that provides centralized authentication, authorization, and accounting management for computers to connect and use a network service. It is often used to manage access to the Internet or internal networks, wireless networks, and integrated services.

Used in conjunction with an external directory service - In this scenario the integrated directory service is not involved. The RD VPN administrator has to provide the necessary credentials for the domain (a RADIUS-based authentication service and a directory service-based configuration service) in the WSP configuration file. This can be done in the WSP configuration.

Used in conjunction with the integrated directory service - In this scenario a new domain component under dc=root is created. The name is the same as the domain name in the WSP configuration.

Figure 64: Default Directory Structure with RADIUS

To have a valid administrator user for this domain in the directory server, a randomly named administrator user is generated during the creation of this domain. The administrator sets the password for this administrator user during creation as a "Master password." Every user in a special group of the configuration storage is mapped to this randomly named administrator user when accessing the configuration storage.

Configuring HOB RD VPN for RADIUS

To use RADIUS authentication in HOB RD VPN you have to configure a RADIUS domain and a RADIUS server in the HOB WebSecureProxy configuration. The following steps show the configuration of RADIUS in HOB RD VPN.

1. Open the HOB RD VPN WebSecureProxy configuration program.
2. Expand the Domains node of the left-hand tree and click the Radius item.
3. Click the Add button to create a new Radius domain and enter a name of your choice, for example Radius Domain.

Figure 65: Configuring a Radius Domain

4. Click the new Radius Domain item and then the Add button to create a new Radius server. Enter a name of your choice for this server, for example Radius Server 1.

Figure 66: Configuring a Radius Server

5. In the Radius Server tab, enter the values that specify this Radius server and how to connect to it.

Use Network Adapter - select the network adapter to be used for the connection with this Radius server from the drop down box.
Host IP Address - enter the IP address of the Radius server.
Port - enter the port under which the Radius server is available.
Shared Secret - the RADIUS protocol requires the use of a shared secret, a text string that is available only to the RADIUS client (HOB RD VPN in this case) and the Radius server against which it authenticates.
Use same shared secret - this checkbox is relevant only if you are configuring a cluster installation. Leave the checkbox activated if you want to use the same shared secret for all members of the cluster. If you deactivate this checkbox, a list appears where you can enter different shared secrets for each member of the HOB RD VPN cluster.
Comment - this field can be used to enter comments for this Radius server.

Using Kerberos as the Authentication Service

Kerberos is a computer network authentication protocol that works on the basis of issuing identity tickets for nodes communicating over a non-secure network, to allow them to prove their identity to one another in a secure manner.

Used in conjunction with an external directory service - In this scenario the integrated directory service is not involved. The administrator of HOB RD VPN has to provide the necessary credentials for the domain (a Kerberos-based authentication service and a directory service-based configuration service) in the WSP configuration file. This can be done in the WSP configuration.

Used in conjunction with the integrated directory service - In this scenario a new domain component under dc=root is created. The name is the same as the domain name in the WSP configuration.
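Returning to the Shared Secret field of the Radius Server settings above: the secret is what hides the User-Password attribute in the Access-Request that HOB RD VPN sends, and what lets the client check that an Access-Accept really came from the configured server. The following Python is an added example, not HOB code, implementing the RFC 2865 constructions with a constructed secret; the fixed Request Authenticator used for tracing is an assumption for the demonstration, a real client draws it from os.urandom as the code does by default.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2        # attribute types used in this example


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: the zero-padded password is XORed 16 bytes at a
    time with MD5(secret + previous block); the first block uses the Request
    Authenticator, so the same password is hidden differently per request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block            # chaining: the next mask depends on this block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. Only a
    party holding the same shared secret recovers the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(plain).rstrip(b"\x00")   # drop the zero padding


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def get_attribute(packet: bytes, attr_type: int) -> bytes:
    """Return the first attribute of the given type, validating the TLV chain."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == attr_type:
            return packet[pos + 2:pos + length]
        pos += length
    raise KeyError("attribute type %d not present" % attr_type)


def build_access_request(identifier: int, user: bytes, password: bytes,
                         secret: bytes, request_auth=None) -> bytes:
    """Client side (the role HOB RD VPN plays): Code, Identifier, Length,
    Request Authenticator, then User-Name and the hidden User-Password."""
    if request_auth is None:
        request_auth = os.urandom(16)   # fresh and unpredictable per request
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Identifier matches the request
    and its Response Authenticator was computed with the shared secret over
    this request's authenticator; a server with a different secret fails."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    req = build_access_request(7, b"alice", b"correct horse battery", secret)
    print("hidden User-Password:", get_attribute(req, USER_PASSWORD).hex())
    print("reply verified:", verify_response(build_access_accept(req, secret), req, secret))
```

Because the hiding is MD5-based and keyed only by the secret, the strength of the secret and the network path between HOB RD VPN and the RADIUS server are what protect the transmitted password.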

Figure 67: Default Directory Structure with Kerberos

To have a valid administrative user for this domain in the directory server, a randomly named administrative user is generated during the creation of this domain. The administrator sets the password for this administrative user during creation as a "Master password". Every user in a special group of the configuration storage is mapped to this randomly named user when accessing the configuration storage.

Kerberos Single Sign-on

This setting allows the use of the Kerberos Single Sign-on protocol (a standard computer network authentication protocol) to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It provides mutual authentication: both the user and the server verify each other's identity through the use of Kerberos tickets. With this feature a user logs on once to the network through an initial system login and gains access to all systems on that network without being prompted to log on again to each of them.

Additional software applications requiring authentication (e-mail clients, wikis, revision control systems, etc.) use the ticket-granting ticket to acquire service tickets that prove the identity of the user to the mail server, wiki server, etc., without prompting the user to re-enter credentials.

In a Windows environment, your logon fetches the Kerberos ticket-granting ticket (TGT). Directory-service-aware applications fetch service tickets, so the user is not prompted to re-authenticate.

In a UNIX/Linux environment, your logon via Kerberos fetches the TGT, which is stored within the HOB WSP. Kerberized client applications such as Evolution, Firefox, SVN and many others use service tickets, so the user need not re-authenticate.

The Kerberos protocol uses port 88 by default.

HOB LDAP Scheme Extension

The HOB LDAP Scheme extension allows you to expand on the attributes and classes used in your directory services. The base scheme that is included in the system contains a set of class definitions such as user, computer, and organizationalunit, and attribute definitions such as username, telephonenumber, and objectsid. The existing set of classes and attributes will be sufficient for most applications. However, the scheme is extensible, which means that you can define new classes and attributes. If the existing classes and attributes do not fit the type of data you want to store, you should extend the scheme.

If an external LDAP directory service is used, the scheme extension has to be applied. The HOB scheme extensions are located in: INSTALLDIR\HOB\RD VPN-\LDAP-schema-extensions.

Scheme additions are permanent; you can disable classes and attributes, but you can never remove them from the scheme.


8. Roles and Users

Each enterprise consists of many different resources. These must be configured to work together in the appropriate manner. HOB RD VPN organizes these resources into roles. Membership of these roles is then assigned as the individual resources are added to the system. These roles can be grouped, and the properties of the group can be inherited by all the members of that group.

System resources can only use one role at any one time, but may be configured for multiple roles or groups simultaneously. The role that governs a resource is determined by the priority that is assigned to that role.

The user management of HOB RD VPN is carried out by the directory service user database, so this directory service is used to administer the users and resources in the network. All roles and users must be configured in two places:

In the HOB WebSecureProxy, so that the system itself has a configuration that recognizes the roles and users and their properties
In the HOB RD VPN Administration, so that the administrator can set up the roles and users to be accepted by the system

Configuring Roles and Users in HOB WebSecureProxy

To configure users and their roles in the HOB WebSecureProxy you need to open the HOB RD VPN administration portal. The HOB administration portal is opened as described in the chapters above:

As a global administrator, open a browser and log on to HOB RD VPN. In the global administrator navigation screen select EA-Admin and the administration portal opens directly. You will need to authenticate again when the HOB EA Administration program opens.

Or go to the Start Menu of your workstation (e.g., a Windows 7 workstation) and click the application icon HOB EA Administration.

Now select WebSecureProxy > Configure, and once the WSP Administration portal has opened select Roles.
There are three default roles here (User, Power User and Domain Administrator) for initial use, but these may be edited as you wish. You may also define as many as you wish according to the conventions of your company. Select from the list of roles the role you wish to configure. The examples shown below are for a standard User role. Under the Settings screen there are two main tabs for this role:

Requirements
Privileges

Configuring Roles - Requirements Tab

Under HOB WSP > Requirements there are two tabs:

General

Members

Requirements - General Tab

Here you can enter the following information for this role:

Figure 68: Roles - Users - Requirements - General

Name - the name of the role is entered here.
Compliance Check - select the desired compliance check from the list of available configured compliance checks in the drop down box.
Priority - this is the priority (from 1-100) assigned to the role. The available role with the highest priority is assigned to the user on logon.

Requirements - Members Tab

Here you can enter the following membership information for this role:

Figure 69: Roles - Users - Settings - Members

Add - here you add a new membership for all users with this role.
Edit - click this to edit the selected membership.
Remove - use this button to remove the selected membership from the list.

Configuring Roles - Privileges Tab

Under the Privileges tab there are five sub-tabs:

Properties
Portlets
Server Lists
Target Filters
User Settings

Privileges Tab - Properties

Using this tab you can assign the properties to the selected role.

Figure 70: Roles - Users - Privileges - Properties

GUI Scheme - here you can decide on the color of the user portal and navigation screens, and whether the banner is shown.
Page After Login - here you set which page the user goes to directly after a successful login.
Minimum Idle Time (min) - set the amount of time in minutes the session can remain idle before it is timed out and closed. The default time is 30 minutes.
Maximum Relogin Time (min) - here you set the maximum allowable time the session can be open before the user must log in again to keep the session open. The default time is 480 minutes.
Browser caching - check to allow browser caching for this role.

Privileges Tab - Portlets

Here you can determine the portlets that are to be available to each role.
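The role selection rule from the Requirements tab (the available role with the highest priority wins, and a role is only available if its membership and compliance check are satisfied) and the two session timers above can be checked with a small model. This is an added example, not HOB code: the class and function names, the group DNs, and the treatment of a membership as a directory group are assumptions.

```python
"""Model of HOB RD VPN role selection and session timers, added as an
example (not HOB code). Assumed: a role membership is a directory group
DN, and a compliance check is identified by its configured name."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    priority: int                     # 1-100; the highest available priority wins
    members: FrozenSet[str]           # group DNs whose members hold this role
    compliance_check: Optional[str] = None   # configured check name, or none
    min_idle_minutes: int = 30        # Minimum Idle Time default from the guide
    max_relogin_minutes: int = 480    # Maximum Relogin Time default from the guide


def resolve_role(user_groups: Iterable[str], roles: Iterable[Role],
                 passed_checks: Iterable[str]) -> Optional[Role]:
    """Return the available role with the highest priority, or None.

    A role is available when the user is in at least one of its member
    groups and its compliance check (if configured) has passed. Equal
    priorities are not covered by the guide; here the alphabetically
    last name wins so the result is deterministic (an assumption).
    """
    groups = set(user_groups)
    passed = set(passed_checks)
    available = [
        r for r in roles
        if r.members & groups
        and (r.compliance_check is None or r.compliance_check in passed)
    ]
    if not available:
        return None
    return max(available, key=lambda r: (r.priority, r.name))


def session_state(role: Role, login_at: datetime, last_activity: datetime,
                  now: datetime) -> str:
    """Classify a session against the role's two timers.

    'relogin_required': open longer than Maximum Relogin Time
    'idle_timeout':     no activity for longer than Minimum Idle Time
    'active':           otherwise
    The relogin limit is checked first, so a fresh click cannot extend a
    session past its absolute lifetime.
    """
    if now - login_at > timedelta(minutes=role.max_relogin_minutes):
        return "relogin_required"
    if now - last_activity > timedelta(minutes=role.min_idle_minutes):
        return "idle_timeout"
    return "active"


# Constructed sample: the three default roles named in the guide, with
# assumed group DNs under the default dc=hobsoft,dc=root domain.
ROLES = (
    Role("User", 10, frozenset({"cn=staff,ou=groups,dc=hobsoft,dc=root"})),
    Role("Power User", 50, frozenset({"cn=it,ou=groups,dc=hobsoft,dc=root"}),
         compliance_check="Endpoint AV check"),
    Role("Domain Administrator", 90,
         frozenset({"cn=admins,ou=groups,dc=hobsoft,dc=root"}),
         compliance_check="Endpoint AV check",
         min_idle_minutes=10, max_relogin_minutes=120),
)

# Constructed user who is a member of both the staff and the IT group.
IT_USER_GROUPS = ("cn=staff,ou=groups,dc=hobsoft,dc=root",
                  "cn=it,ou=groups,dc=hobsoft,dc=root")


def sample_session_states() -> List[str]:
    """Run the 'User' role's timers over constructed timestamps."""
    t0 = datetime(2012, 9, 1, 8, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    user = ROLES[0]
    return [
        session_state(user, t0, m(20), m(40)),    # 20 min idle: active
        session_state(user, t0, m(20), m(51)),    # 31 min idle: idle_timeout
        session_state(user, t0, m(479), m(481)),  # 481 min open: relogin_required
    ]


if __name__ == "__main__":
    # Without a passed compliance check the IT user falls back to "User".
    print(resolve_role(IT_USER_GROUPS, ROLES, ()).name)
    print(resolve_role(IT_USER_GROUPS, ROLES, {"Endpoint AV check"}).name)
    print(sample_session_states())
```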

Figure 71: Roles - Users - Privileges - Portlets

Add - here you add a new portlet (enter the name and the state, whether opened or closed) for all users with this role.
Edit - click this to edit the selected portlet.
Remove - use this button to remove the selected portlet from the list.
Up, Down arrows - these allow you to set the order in which the portlets appear on the navigation screen for this role.

Privileges Tab - Server Lists

Here you set which server lists are available to the users assigned to this role.

Figure 72: Roles - Users - Privileges - Server Lists

Check All - this selects all available server lists.

Clear All - this deselects all available server lists.

Privileges Tab - Target Filters

Here the target filters that are to be assigned to the role can be selected.

Figure 73: Roles - Users - Privileges - Target Filters

Target Filter - select the target filter for this role from the drop down box, which lists the target filters that have been configured. See the section HOB Target Filters on page 143 for more information.

Privileges Tab - User Settings

Here the bookmarks and other user settings are set for the users that are to be assigned this role.

Figure 74: Roles - Users - Privileges - User Settings

Bookmarks for WebServerGate - check to activate Web Server Gate bookmarks for this role.
Bookmarks for WebFileAccess - check to activate Web File Access bookmarks for this role.
Other Settings - check to allow other settings for this role.

Configuring Roles and Users in HOB RD VPN Administration

In the HOB RD VPN administration interface you can configure each role and user individually. The properties of each domain resource, including users, can also be viewed through the HOB RD VPN administration interface using the Properties button. Go to HOB EA Administration and select a domain resource that you wish to manage.

Figure 75: HOB RD VPN Administration Start Screen

Now click the Properties button. In the dialog that is now displayed (shown below) you can see the two tabs containing the data stored for the domain resource that you have selected.

Figure 76: HOB RD VPN Administration - Properties

Account - this holds the name of the resource you wish to see.
Set the password - check to enable a password for any edits to this resource.

Click the LDAP Details button to see the directory service entry for this resource; the following dialog is displayed.

Figure 77: HOB RD VPN Administration - Properties - LDAP Details

Here you can see the Attribute Name and Attribute Value for this resource. Use the buttons at the bottom of the screen to manage the details for this resource.

The second tab allows you to manage memberships for the resources in this domain:

Figure 78: HOB RD VPN Domain Administration - Membership

Here you see each membership for this resource. Use the Add Membership and Delete Membership buttons to add your users and objects to groups, or to delete memberships that are no longer suitable for this resource.

Using the Configure Button

What you can configure depends on which elements are currently selected in your hierarchy. For example, User Settings can only be configured if an element of type User is selected, and the WebSecureProxy can only be configured if you are logged on as a Global Administrator and an element of the type Object is selected. Select the resource area you wish to configure from the drop down box (see figure below) and click Configure.

Figure 79: HOB RD VPN Administration Start Screen - Resource Areas

The resources of HOB RD VPN can be configured according to the following areas:

HOB RD VPN 2.1

Sessions
Utilities

Configuring HOB RD VPN 2.1

Under this heading, the following can be configured:

User Settings
WebSecureProxy

Configuring User Settings

Under User Settings you can create bookmarks, configure Desktop-on-Demand, create Personalized IP addresses and more. To edit a user, for example, select User Settings from the drop down box and click Configure. The following screen shows the settings that can be configured for the element of the default Hobsoft domain: ou=users,dc=hobsoft,dc=root:

Figure 80: HOB RD VPN - User Settings Administration Screen

Select the setting you wish to add and click the Add button at the bottom. This opens the specific dialog page for that element. Elements that have already been added for this user are shown in the panel on the left and can be freely selected from there for further editing or removal. Use the Save button to save your changes and continue, and the Close button to finish making changes and exit when you are finished with the User Settings dialog. These are standard buttons on each screen of this portal.

Bookmarks WebServerGate

A bookmark is a locally stored Uniform Resource Identifier (URI) for a required or requested internet location. The WebServerGate is the initial start page for all users that is displayed following a successful logon, and consists of links to the features and applications for which the user has access rights and permissions. Bookmarks can be added to the HOB WebServerGate page of the user to be accessed each time they log on.

Figure 81: HOB RD VPN - User Settings - Bookmarks WebServerGate

Name - enter a name for the bookmark here.
URL - enter the desired URL here.
Test the URL - click this to test if the URL exists. There is no guarantee that this URL can be reached by HOB RD VPN.
Up, Down - these buttons move the bookmark within the list.

Bookmarks WebFileAccess

HOB WebFileAccess provides remote access to file servers, and the path used for this access can be stored as a bookmark for ease of use.

Figure 82: HOB RD VPN - User Settings - Bookmarks - WebFileAccess

Name - enter a name for the bookmark here.

URL - enter the desired URL here.
Up, Down - these buttons move the bookmark within the list.

Personalized IP Addresses

Here you manage specific IP addresses for HOB PPP Tunnel Endpoints and the HOB SSL Identifier.

Personalized IP Addresses - Tunnel Endpoints

Figure 83: HOB RD VPN - User Settings - Personalized IP Addresses

Add - here you add the desired IP address to the list of those available.
Remove - use this to remove the desired IP address from the list.

See Section 13 Network Access using the HOB PPP Tunnel on page 121 for more information.

Messages

Under Messages you can specify any messages that you wish to be shown to the users each time they log on to the system.

Figure 84: HOB RD VPN - User Settings - Messages

Message - enter the desired message in the text field. This message will be displayed to all users with this role when they log on.

Others

There are two settings you can set on this screen for your users.

Figure 85: HOB RD VPN - User Settings - Others

Activate the flyer - check this box to enable the flyer.
Language - select the language for the interface from the drop down box.

Configuring Utilities

Here you can manage user certificates:

User Certificates

This utility allows you to manage the certificates used to authenticate your users. There are three tabs on this dialog:

X.509 Certificates
Certificate Identification
Create Certificate Identification

User Certificates - X.509 Certificates

This dialog displays the Subject and Issuer DN. This is the information contained in the X.509 certificate that you use to authenticate your users.

Figure 86: Utilities Administration Screen - X.509 Certificates

Import - use this button to import a certificate into the list of certificates used by the network.
Export - this button lets you export the selected certificate to the directory service holding the authentication service.
View - this shows the selected certificate in more detail, with version number, date of issue, and more.
Delete - this button allows you to delete the selected certificate.
Help - use this button to call up the HOB RD VPN Help on this topic.
Close - click to save any changes, close this dialog and return to the previous screen.

User Certificates - Certificate Identification

This dialog displays the Subject and Issuer DN. This is the information about the issuer of the certificate that you use to authenticate the certificate.

Figure 87: Utilities Administration Screen - Certificate Identification

Add - use this to add a new certificate to those in your network.
Edit - this allows you to update the selected certificate.
Delete - this button allows you to delete the selected certificate.
Get from X.509 Certificates - this button allows you to retrieve a certificate from those X.509 certificates that are currently used by your network.
Help - use this button to call up the HOB RD VPN Help on this topic.
Close - click to save any changes, close this dialog and return to the previous screen.

User Certificates - Create Certificate Identification

This dialog displays the details about the current configuration that you can extract to create a new authentication certificate.

Figure 88: Utilities Administration Screen - Create Certificate Identification

Include sublevels - check this box to include all sublevels of the current configuration under the current root configuration.
Extract - click to take the required information from the selected configuration file to create a new certificate.
Help - use this button to call up the HOB RD VPN Help on this topic.
Close - click to save any changes, close this dialog and return to the previous screen.


9. HOB RD VPN Web Server Gate - Intranet Access

The HOB RD VPN Web Server Gate component provides your enterprise with secure access from remote locations over the Internet to web servers and pages that are internal to the enterprise. Enterprise-internal web servers are normally protected by firewalls and therefore cannot be accessed over the Internet. The HOB RD VPN Web Server Gate enables the user to specify a server to contact. Any data then sent to this server comes first to the HOB RD VPN Web Server Gate, which then reroutes the SSL-encrypted data over the HOB WSP to the desired server. Authorized users can thus remotely access web-based services inside the corporate network from anywhere in the world. Access over the Outlook Web Access front end of the MS Exchange Server is also possible.

Figure 89: HOB RD VPN Web Server Gate - Standard Scenario

Remote access with HOB RD VPN is secured via HTTPS. Only after successfully authenticating at the HOB RD VPN Web Server Gate can a user communicate with an internal server. The scenario shows a connection to an internal web server that is set up to use the HOB RD VPN Web Server Gate. All of the browser connections are routed over the HOB RD VPN Web Server Gate and then relayed by this to the web server.

As all browser connections are rerouted through the Web Server Gate and therefore are not accessed directly from their server of origin, they violate the Same Origin Policy, a fundamental browser security policy: the browser sees content from every internal server as coming from the single origin of the Web Server Gate. In the event that one malicious server manages to establish contact with the HOB RD VPN Web Server Gate, this could affect the integrity of the HOB RD VPN Web Server Gate and of other trusted servers with which the HOB RD VPN Web Server Gate is in contact.
With this in mind, HOB strongly recommends that the following steps are implemented to resist this:

Prohibit or restrict access to external web servers through the HOB RD VPN Web Server Gate (this can be done by using a target filter, a firewall or a whitelist, for example).
Control internal web servers, making sure they are free of fraudulent

code.
Reduce the period of validity for cookies, so that a hacker has less time to abuse a captured session (this can however be inconvenient).
Close any web application with a true termination, meaning that a proper logout must be completed and not just the window closed.

Configuring the HOB RD VPN Web Server Gate

The HOB RD VPN Web Server Gate must be configured through the HOB WebSecureProxy configuration interface.

Enabling Bookmarks for the HOB Navigation Screen

To enable bookmarks to be created, open the administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen. Now select Roles and choose the individual role for which you wish to configure the HOB Web Server Gate. The Settings tab for this role is then brought onscreen. From the tabs on this dialog select Privileges > User Settings, as shown here:

Figure 90: Roles - User Settings Screen - Privileges - Web Server Gate Bookmarks

Name - this field contains the name that you assign to this particular role.

On the tab itself you can select which settings or bookmarks you wish to enable. Select Bookmarks for Web Server Gate. Close the screen, and users with this role can now set their own bookmarks, which will show permanently on the navigation screen of HOB RD VPN.
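The hyperlink translation that Section 9.2 below describes, placed behind the kind of target filter recommended above, can be shown in a small rewriter: every link on an internal page is resolved and rewritten to the gate's single origin, and any link whose host is outside the allowlist is refused instead of proxied. This is an added example, not HOB code; the gateway URL layout (https://<gate>/wsg/<scheme>/<host>/<path>), the function names and the sample page are assumptions.

```python
"""Hyperlink rewriting behind an allowlisting target filter, added as an
example (not HOB code). The gateway URL layout and all names are assumed."""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed gateway address. Every rewritten link shares this one origin,
# which is why the chapter warns about the Same Origin Policy.
GATE = "https://rdvpn.example.com/wsg"

# href / src / action attributes with a quoted value
LINK_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE)


class TargetFilter:
    """Allowlist of internal host names that may be reached through the gate."""

    def __init__(self, allowed_hosts: Iterable[str]):
        self.allowed = {h.lower() for h in allowed_hosts}

    def permits(self, hostname: str) -> bool:
        return hostname.lower() in self.allowed


def translate(url: str, page_url: str, target_filter: TargetFilter) -> Optional[str]:
    """Return the gateway form of url, url unchanged for non-web schemes,
    or None when the target host is outside the filter.

    Relative links are resolved against the page they appear on, so a link
    to another internal server (the sub-network scenario) becomes reachable
    over the gate without the browser ever contacting that server directly.
    """
    parts = urlsplit(urljoin(page_url, url))
    if parts.scheme not in ("http", "https"):
        return url                     # mailto:, tel:, ... are not proxied
    if not parts.hostname or not target_filter.permits(parts.hostname):
        return None                    # external or unknown host: refused
    rewritten = f"{GATE}/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    if parts.query:
        rewritten += "?" + parts.query
    if parts.fragment:
        rewritten += "#" + parts.fragment
    return rewritten


def rewrite_html(html: str, page_url: str,
                 target_filter: TargetFilter) -> Tuple[str, List[str]]:
    """Rewrite every link in html. Refused targets are neutralised to '#'
    and returned in a list so the administrator can log them."""
    blocked: List[str] = []

    def repl(m) -> str:
        new = translate(m.group("url"), page_url, target_filter)
        if new is None:
            blocked.append(m.group("url"))
            new = "#"
        return f"{m.group('attr')}{m.group('q')}{new}{m.group('q')}"

    return LINK_RE.sub(repl, html), blocked


# Constructed sample: an intranet portal page linking to a second internal
# server, an external site and a mail address.
SAMPLE_PAGE_URL = "http://intranet.corp.local/portal/index.html"
SAMPLE_HTML = """<a href="news/today.html">News</a>
<a href="http://wiki.corp.local/Main_Page">Wiki</a>
<a href="https://www.example.org/">Outside</a>
<a href="mailto:helpdesk@corp.local">Help</a>
<form action="/login" method="post"><input name="user"></form>"""
SAMPLE_FILTER = TargetFilter(["intranet.corp.local", "wiki.corp.local"])


if __name__ == "__main__":
    out, refused = rewrite_html(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_FILTER)
    print(out)
    print("refused:", refused)
```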

9.2. Using the HOB RD VPN Web Server Gate

Intranet Hyperlinks on HTML Pages of Internal Web Servers

A special task for the HOB RD VPN Web Server Gate is to establish connections between hyperlinks within the Intranet to other internal web servers, as illustrated in the figure below.

Figure 91: HOB RD VPN Web Server Gate - Sub-network Scenario

To make these hyperlinks also accessible for external access over the Internet, the HOB RD VPN Web Server Gate methodically examines the currently open internal HTML page for corresponding hyperlinks. The syntax is thereby translated in such a way that the linked Intranet pages can be opened when being accessed over the Internet. A wide variety of hyperlink types are used in Intranets; the number of existing formats is very large and still growing. It is therefore unlikely that all Intranet hyperlinks will be known, and as there cannot be 100% certainty that Intranet hyperlinks will always be translated as expected, some cannot be resolved.

Creating Bookmarks for the HOB Navigation Screen

There are two methods of creating permanent bookmarks (or hyperlinks) on the navigation screen for the HOB RD VPN Web Server Gate. The global administrator can create bookmarks that will appear for all users of a certain role, and the users themselves can create their own bookmarks.

Creating Bookmarks - Global Administrator

1. Open the administration interface of HOB RD VPN and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
2. Select Bookmarks > Web Server Gate and you will see this screen:

Figure 92: WSP Bookmarks - Web Server Gate

3. Now click Add to create a new bookmark. The following dialog is shown:

Figure 93: WSP Bookmarks - Web Server Gate

Name - here you enter the name you wish to use for this bookmark.
URL - enter the URL that you want associated with this name.
Test the URL - click to test that the URL has been entered correctly and that a connection to this location can be made. This does NOT establish a connection; it only checks that a connection can be made.
Up, Down - use these to arrange the order of the bookmarks on the navigation screen.

The bookmarks that have been created in this way appear on the navigation screen for all users associated with the assigned role.

Creating Bookmarks - User

1. Start the navigation screen and then select User Settings.

2. Now select the Settings bookmark. This will show the dialog below:

Figure 94: User Settings - WSG Bookmarks

3. You can use the green Plus symbol to add new bookmarks, by entering a Name and a URL for each bookmark you wish to add. To remove an unwanted bookmark, select it and use the red X symbol to delete it.
4. Use the Up and Down arrows to adjust the order in which the bookmarks are displayed on the navigation screen, as shown in the screen below.

Figure 95: HOB RD VPN - Navigation Screen

5. When you are satisfied with your bookmarks click Save All to save and return to the navigation screen.

9.3. HOB Single Sign-on - Auto Logon to Intranet Servers

HOB RD VPN Web Server Gate contains an Auto Logon function, the HOB Single Sign-on. With this function, users of HOB RD VPN Web Server Gate do not need to authenticate several times over many logon pages. Only one authentication is required: when a user initially logs on to HOB RD VPN.

When setting up the HOB Single Sign-on, certain important pieces of information must be specified. These are generally the user name, the user password, the location (normally in the form of a URL) of the site the user wishes to access, and the notification that a logon is desired (most commonly the Logon button on the logon dialog).

Single Sign-on is the name of the HOB auto logon facility and it works in the following manner:

1. The user logs in to HOB RD VPN and the HOB RD VPN Web Server Gate page is displayed.
2. The HOB RD VPN Web Server Gate recognizes whether the user is configured to use Single Sign-on.
3. The user then selects a destination to go to from the HOB RD VPN Web Server Gate.
4. When redirecting to this destination, the Single Sign-on facility forwards the user logon information provided to the destination logon page, and automatically completes the logon process without the user needing to enter any more information.

The Single Sign-on can be configured with the HOB WebSecureProxy configuration tool, as follows:

5. Open the administration interface of HOB RD VPN and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen.
6. Select Integrated Web Server > Single Sign-on and the following is shown:

Figure 96: HOB WSP Integrated Web Server - Single Sign-on

Add - add a new Single Sign-on configuration to the list. The following dialog is then displayed on screen.

Edit - edit the selected Single Sign-on configuration.
Remove - delete the selected Single Sign-on configuration from the list.

Figure 97: HOB WSP Integrated Web Server - Add Single Sign-on Page

Name - here you enter a name for this Single Sign-on configuration.
URL - here you add the URL for which these users are given an auto logon.
Components - this table lists the components you have added to this Single Sign-on. These components specify how the user authentication is passed on to the destination for automatic authentication there.
Add, Edit & Remove - these buttons allow you to add a new component, or to edit or delete a selected component, through the following dialog:

Figure 98: HOB WSP Integrated Web Server - Add Single Sign-on Component

Name - here you enter a name for the component you wish to add.
Type - here you specify from the drop down box the type of component you wish to add to the Single Sign-on: an Input (either username or password), an Action or a Form.
Value - here you select either a User Name or a User Password for this component.

The following buttons are common to both dialogs and have the same functions:

Add - add a new page or component to the list.
Add & Close - add a new page or component to the list and close this dialog, saving the changes.
Cancel - close this dialog without adding a new page or component. No changes are saved.


10. Remote Desktop Access using ICA

Independent Computing Architecture (ICA) is a proprietary protocol for an application server system that lays down a specification for passing data between server and clients, but is not bound to any one platform. The ICA protocol permits ordinary Windows applications to be run on a suitable Windows server, and any supported client to gain access to those applications. ICA is also supported on a number of Unix server platforms and can be used to deliver access to applications running on these platforms. ICA client software is also built into various thin client platforms.

Installing HOB RD VPN for Remote Desktop Access with ICA

The HOB implementation for ICA is an integrated component of HOB RD VPN, and is installed automatically. It need only be enabled in the configuration of HOB RD VPN for it to be available for use. The HOB implementation for ICA uses the Web Server Gate functionality to access the Citrix XenApp Web Interface. To make this access, the HOB implementation for ICA uses the Citrix Receiver; therefore the XenApp Web Interface must also be configured for the Citrix Receiver. The HOB Socks5 Extension is needed to route the ICA traffic over a secure SSL connection through HOB RD VPN to the target system. Additionally, the administrator or the user can create a bookmark for the HOB Web Server Gate to have easy access to the Citrix XenApp Web Interface.

Configuring Remote Desktop Access with ICA

To provide Remote Desktop Access via ICA you have to perform the following configuration steps:

Configure an Outgoing Connection for ICA
Enable ICA for a User Role
Create a WebServerGate Bookmark

These configuration steps are described in the following sections.

Configuring an Outgoing Connection for ICA

1. Start the HOB WebSecureProxy configuration program.
2. Open the Outgoing connections node in the left-hand tree and select the ICA Targets item.
3. Click the Add button to create a new server list and enter a name for this server list, for example ICA.
4. Click the new ICA server list item in the tree and click the Add button to create a new server.

5. Change the automatically created name (ICA_Server(1)) if desired.
6. In the Server configuration tab, enter the URL under which the Citrix server is available. The administrator of the Citrix server will provide this URL. Make sure to use the complete URL including the path.

Figure 99: Configuring ICA Server

Enabling ICA for a User Role

The next step is to enable ICA usage for the role or roles which are allowed to use this connection.

1. Open the HOB RD VPN WebSecureProxy configuration program if this is not already done.
2. Select a role from the Roles item in the left-hand tree, e.g. Power User.
3. Click the Privileges tab in the right pane and then, in the second level, click the Server Lists tab.
4. Activate the options Socks5 and ICA from the list of those available.

Figure 100: Configuring ICA Settings for a User Role

Create a WebServerGate Bookmark

The final step is to add a WebServerGate bookmark for the ICA connection. This bookmark will appear in the start screen of the user.

1. Open the HOB EA Administration program.
2. Right-click the desired user or user group and choose Configure > HOB RD VPN > User Settings.
3. Select Bookmarks > WebServerGate in the left-hand tree and click the Add button.
4. Enter a name for the new bookmark, e.g. ICA Web Interface.
5. Enter the URL under which the Citrix server is available.
6. Click the Test the URL button to check whether the Citrix server is available under this URL.

Figure 101: HOB RD VPN Administration - Internal User Settings

7. Click the Save button and then Close to close this dialog.

Implementing Single Sign-on for Access using ICA

You can also set up HOB RD VPN to provide Single Sign-on functionality when accessing remote desktops with ICA.

Figure 102: HOB RD VPN Administration Internal - User Settings

1. Select RD VPN Configuration > Integrated Web Server > Single Sign-on and use the Add button to enter the required settings:

Name - here you enter a name for this Single Sign-on configuration.
URL - here you add the URL for which these users are given an auto logon. The URL value that you enter must be the web page requesting the URL.
Components - this table lists the components you have added to this Single Sign-on. These components specify how the user authentication is passed on to the destination for automatic authentication there. As the component, select the component type Form from the drop down box, and enter the name of the form tag from the website.

Figure 103: HOB RD VPN Administration Internal - User Settings

Name - here you enter a name for the component you wish to add.
Type - here you specify from the drop down box the type of component you wish to add to the Single Sign-on: an Input (either username or password), an Action or a Form.

Value - here you select either a User Name or a User Password for this component.

2. For a component of type Input, add the name of the input field where the username is requested. Enter the value of the username.

Figure 104: HOB RD VPN Administration Internal - User Settings

3. For an input component where a password is required, you need to add the name of the input field where the password is requested and enter the value of the password.

Figure 105: HOB RD VPN Administration Internal - User Settings

4. For an input component where the domain name is required, add the name of the input field where the domain is requested and manually insert the domain name you are using.
5. Click Add & Close to save your changes and close this dialog, or click Cancel to close the dialog without saving any changes.

Using ICA for Remote Desktop Access

Once ICA has been successfully configured for HOB RD VPN, your users can log on to the HOB RD VPN portal and access your applications using the ICA protocol.

Figure 106: HOB RD VPN Administration User Settings

You can now access the Citrix XenApp Web Interface by entering its URL in the Web Server Gate URL field or by selecting the configured bookmark under the Access to Web Applications and Intranet bookmarks.

11. HOB RD VPN Web File Access

HOB RD VPN Web File Access is the component of HOB RD VPN that allows authorized users to access files on servers within the enterprise network over an SSL-encrypted, browser-based connection. The file system is displayed in a tree structure similar to that of Windows Explorer. HOB RD VPN Web File Access is a plug-in and can be deactivated when it is not needed.

This solution is based on a web server that uses the SMB protocol to access the corresponding file server. HOB RD VPN Web File Access is an integrated component of HOB RD VPN, and is installed automatically. It is also configurable as a portlet.

Configuring HOB RD VPN Web File Access

Take the following steps to set up and use HOB RD VPN Web File Access:

1. Log on and start HOB RD VPN Administration.
2. Having selected the ou=users element of your internal hierarchy, select an individual user (in this example User1) and then User Settings > Configure.

Figure 107: HOB RD VPN Administration Internal - User Settings

3. In the User Settings screen as shown below, select Bookmarks > Web File Access and click Add.

Figure 108: HOB RD VPN User Settings - Web File Access

Name - enter the name of the Web File Access configuration to be assigned to the selected user.
URL - enter the URL for the user to access the internal servers where they can work with the system data and applications. You can enter this URL in IP address notation or in the server name form.

4. Use the Up and Down buttons to modify the order in which the Web File Access bookmark appears on the HOB RD VPN Welcome Gate screen.
5. Click Save to save the configuration and Close to close the User Settings dialog. This user now has a HOB RD VPN Web File Access bookmark for access to the system.

Depending on the element originally selected, HOB RD VPN Web File Access can now be automatically inherited by all of its sub-elements (Users, Groups or Objects). Thus, the administrator need not configure all the user settings individually.

The administrator can also determine how the user logon is carried out:

By entering the domain, user name and password
Re-using the HOB RD VPN logon data
Storing logon data in the configuration

The administrator can additionally determine the servers to be made available for this access, which are those servers that are listed in the HOB RD VPN Web File Access tree structure.

Using HOB RD VPN Web File Access

To start HOB RD VPN Web File Access, click the Web File Access bookmark on your HOB RD VPN navigation screen and the Web File Access Logon dialog (below) appears.

Figure 109: HOB Web File Access - Logon

URL - here you enter the URL of the server share you wish to access, which opens a path to that share on the server. Enter the path according to the format shown, \\server\share.
Reconnect at Logon - check this box so that this connection is automatically created the next time you log on.
Connect with Different Credentials - by default HOB Web File Access uses your HOB RD VPN logon credentials to access your server shares. Check this box to enable you to authenticate with different credentials, most often to create access to a new share or a share on a server that is not in the specified domain.
Map Share - click this button to map a path to a shared server.
Cancel - click to exit without saving any changes.

After a successful authentication the Web File Access window below opens. The left-hand column displays the servers and directories; the right-hand column shows the files contained in the sub-directory selected in the left-hand column.

Figure 110: HOB Web File Access - File Hierarchy

When working in HOB RD VPN, you can use the following on-screen icons (in the title bar) to assist your work. They have the following functionality:

- Map Share - allows you to map a connection to a shared drive.
- Select a Share for Disconnection - allows you to disconnect an already mapped share.
- New Folder - allows you to create a new folder in a directory.
- Select One File to Rename - allows you to rename the selected file.
- Select One File to Delete - allows you to delete the selected file.
- Upload File - allows you to upload a file to your present location.
- Select One File to Download - allows you to download a file to the chosen directory.
- Download as Zip - allows you to download zipped files.
- Open a New Tab - you can open a new tab on screen with this icon.
- Close Other Tabs - this icon allows you to close all tabs other than the one on which you are currently working.
- Search - use this icon to start the search feature that will allow you to locate the files you wish to work with. This icon brings up the following dialog:

Figure 111: HOB Web File Access - Add Server

Enter your search in the Query field, enabling the check box File Contents to also search the contents of each file for the query string and the Recursive check box to apply recursion to the search.

You can now add more servers to those that you can access. Do this by using the Map Share icon in the Main Menu bar. This brings up the following dialog:

Figure 112: HOB Web File Access - Add Server

URL - here you enter the URL of the server to which you want to create a share. Use the format shown, \\server\share.
Reconnect at Logon - check this box so that this connection is automatically created the next time you log on.
Connect with Different Credentials - by default HOB Web File Access uses your HOB RD VPN logon credentials to access your server shares. Check this box to enable you to authenticate with different credentials, most often to create access to a new share or a share on a server that is not in the specified domain.
Map Share - click this button to map a path to this server.
Cancel - click to exit without saving any changes.


12. Internal Network Adapter

The Internal Network Adapter is a virtual network device inside HOB RD VPN. It is a required component if you want to use the HOB PPP Tunnel without an internal L2TP server.

Installing the Internal Network Adapter / TUN Driver

To use the Internal Network Adapter you need to install the HOB TUN Driver during the installation procedure. The installation of the HOB TUN driver is an option during the installation process of HOB RD VPN.

Currently the HOB TUN driver is in an experimental state. That means that it is delivered with HOB RD VPN for testing purposes only and should not be used in a productive environment. It will be installed only if you specifically choose this option during the installation.

Configuring the Internal Network Adapter

To use the Internal Network Adapter the following configuration steps are necessary:

1. Open the HOB RD VPN WebSecureProxy configuration program.
2. Expand the Extensions node of the left-hand tree and click the item Internal Network Adapter.
3. Enter the necessary values for the configuration. As you are using the HOB PPP Tunnel (without an internal L2TP server), you must specify values for the DNS Servers for the PPP client and the PPP Tunnel IP Address Pool Range.

Figure 113: Configuring the Internal Network Adapter

Internal Network Adapter IP Address - here you enter an IP address that identifies the Internal Network Adapter. Make sure that the IP address used is not part of the HOB RD VPN server network and is not used otherwise. The last block of this IP address can be any number except for 0 or 3 (for example ).
Use network adapter - choose Any or one of the network adapters from the list. This network adapter is used as an interface into the internal network. You can configure the adapters in the WSP Servers area of the HOB RD VPN WebSecureProxy configuration.
DNS Servers for the PPP Client - enter the IP addresses of the DNS servers that the PPP Tunnel client is to use for the DNS resolution of host names from the internal network.
PPP Tunnel IP Address Pool Range - when using the HOB PPP Tunnel, an IP address is assigned to the PPP client when it connects. With the help of the Start and End fields you can specify the range from which this IP address can come.

13. Network Access using the HOB PPP Tunnel

The HOB PPP Tunnel is a feature of HOB RD VPN that enables a remote user to connect to the enterprise network over the Internet, giving the remote user full access to all network resources via HOB RD VPN as if they were working directly on a machine within the enterprise network. The HOB PPP Tunnel gives the user complete network access to all of the resources in the central network, and all communication protocols such as TCP, UDP or ICMP also go through the HOB PPP Tunnel. This access works bi-directionally, in that a user can also access all resources on the client from the central network.

The HOB PPP Tunnel uses the PPP and L2TP protocols to transmit data through the VPN without restriction from special software requirements or firewall problems. These protocols are already integrated into the operating systems of the VPN client computer, and so no separate VPN software needs to be installed on the client. The data transferred through the HOB PPP Tunnel is compressed, making this access highly performant, and SSL encryption, supported by all network devices, together with strong authentication ensures that the access is secure.

Currently the client operating systems that support and are supported by the HOB PPP Tunnel include: Windows Vista, Windows 7, Apple Mac, Linux, FreeBSD and Solaris.

Installing the HOB PPP Tunnel

No software needs to be installed on the client in order to use the HOB PPP Tunnel, and the user need not have any administrator rights. There is also no requirement to install any special device drivers on the client.

Network Address Translation

Network Address Translation (NAT) is the process of modifying IP address information in IP packet headers that are in transit across a traffic routing device. This most often happens when a computer maps a private (unregistered) IP address within a local network to a (registered) public IP address. It is very common to use a single public IP address as a gateway to the many private IP addresses that can exist on your network. NAT allows an internal host such as a web server to have an unregistered (private) IP address and still be reachable over the Internet. A lookup table of all registered IP addresses must be maintained to ensure correct routing of communications.

NAT can also act as a firewall by preventing outside computers from connecting with the local network, unless the connection is initiated from within the local network. When queries for the database server arrive from a client, the NAT rewrites the headers of the IP packets and forwards them to the database server with the least load. The reply packets are then returned to the client, and it appears that the information came from one database server with only one IP address.

When connecting with the HOB PPP Tunnel to addresses within your computer network from outside the system, a secure connection from the client to the server is built that is not affected by NAT or Domain Name System (DNS) issues. This is also the case when you want to use the HOB PPP Tunnel to access systems that are in different sub-networks from the addressed L2TP server.

There are currently two types of NAT in HOB RD VPN:

Crosswise
Dynamic

Crosswise NAT is used when the client and server are both members of identical networks. This can happen when a company has multiple offices using the same setup for their network system, but in different locations. This should only be used for your own server network, not external networks.

Dynamic NAT is used in cases where the user would like to communicate across multiple company networks, not just the network in which they are located.

In the sample scenario depicted below the servers in subnet 1 are directly accessible from the remote client, while those in subnet 2 are not directly accessible from the client, so in this case NAT or DNS issues would normally arise.

Figure 114: Connecting Remotely to a Server in a Sub Network

As the configurations for the various networks can be stored on different servers, and you can be working across different networks, you also need to specify whether a HOB-TUN or an external L2TP server is to be used.

Configuring the HOB PPP Tunnel using Crosswise NAT

Crosswise NAT is used when the client and server are both members of identical networks (i.e. the local network of the client computer is identical to that of the company network). A problem arises when a protocol (e.g. SIP or FTP) is used that contains an internet address already in use on another network (internal or external), and so cannot be translated. NAT normally rewrites the headers of IP packets and forwards them to the server, but this cannot be done when the headers are also required for other networks.

This process works in the following manner:

The sender of a message sends the communication to the HOB WSP.
The HOB WSP translates the network element of the IP address to suit the current network, while the host element remains unchanged.
When the client initiates the communication it is the destination address that is translated; when the server initiates the communication it is the sender IP address that is translated.

When starting, the client machine informs the HOB WSP about the network where it is located. Only if this matches the intranet (server network) is Crosswise NAT performed. The network part of the IP address is translated while the host part is not translated. The following IP addresses are translated:

IP addresses in the PPP protocol
IP addresses in DNS replies
IP addresses in normal data packets, where from the client to the server the destination address is translated, while from the server to the client the sender address is translated

The first step is to enable the HOB PPP Tunnel in the configuration program of the HOB WebSecureProxy.

1. Start the HOB WebSecureProxy configuration program.
2. Open the Extensions > PPP Tunnel scheme at the left of the tree structure.
3. Click the Add button and a small list pops up, see the dialog below.

Figure 115: HOB WSP Configuration - Extensions - HOB PPP Tunnel

4. Select from this list the type of configuration that you require, either Crosswise or Dynamic NAT, with either an internal or external L2TP server configuration.

Configuring Crosswise NAT PPP Tunnel (External L2TP)

When Crosswise NAT PPP Tunnel (external L2TP) is selected you see the following screen:

Figure 116: HOB PPP Tunnel Settings - Crosswise NAT with an External L2TP Server

5. You need to enter the following information:

Name - here you enter a name you wish to use for this HOB PPP Tunnel configuration.
Mode - this connection mode will always be PPP Tunnel.
Use Network Adapter - select from the drop-down list the adapter you want to use.
ALG-SIP - check to activate the Application Level Gateway (ALG) to allow it to use the SIP protocol for the transmissions.
NAT - this is automatically selected depending on the configuration setup you have chosen.
Server Network - enter here the server network for which the HOB PPP Tunnel is to be configured. If you require flexibility and want to specify an IP block using a CIDR (Classless Inter-Domain Routing) subnet mask notation, enter the suffix in the small field on the right.

L2TP Gateway settings:

Use Internal L2TP server - check to use the internal L2TP server. This is disabled if an external L2TP configuration has been selected.
Host IP Address - here you enter the address of the machine that hosts the L2TP gateway.
Host IP Port - here you enter the port of the machine that hosts the L2TP gateway.

6. Now that the Settings have been configured, you need to set the parameters for the connection to the WSP. Select the PPP tab on this screen.

Figure 117: HOB PPP Tunnel PPP Tab

Here you have two fields:

IP Number:Port - here you can enter the IP address and port for the HOB PPP Tunnel connection to the WSP.
System Parameters - here you can see the parameters, such as user name, server name, etc. that are to be assigned to the selected HOB PPP Tunnel connection. This field contains tabs for the parameters to be used for the different operating systems (Windows, Mac, FreeBSD, Solaris and Linux). The Undo button will cancel any changes made to these parameters, while the Default button takes the default parameters from the configuration of the machine you are currently using.

7. Once these settings have also been configured, you need to set up the translation from the actual (real) addresses to their NAT (translated) addresses. To do this you need to open the NAT tab on this dialog. You then see the following:

Figure 118: HOB PPP Tunnel Settings - NAT Tab - Add NAT Entry

This screen allows you to set up the list of how the real addresses translate. Use the Add, Edit and Remove buttons to manage this list.

8. Clicking Add will bring up the Add NAT Entry dialog (as shown above), where you enter the required addresses, with the prefix for the Subnet Mask.
9. In the Real Address: field you enter the numerical IP address of the target system where this system can be reached within the network (e.g ).
10. In the Translated Address: field you enter the numerical IP address where the target computer can be reached once the HOB PPP Tunnel has been enabled (e.g ).
11. Enter a value in the Prefix: field so that the (network) prefix identifies the subnet mask used (the address range for which the address translation is done). For example, using a prefix of 24 will cause all addresses from to to be mapped to the addresses from to . These systems are thereby accessible from the client.
12. Use the Add button here to enter the address and clear the fields to enter another address, Add & Close to add this entry to the list and close this dialog, and Cancel to close this dialog without adding to the list.
13. Now that the addresses have been entered, you need to assign the networks that will use Crosswise NAT. Select the Crosswise NAT tab and the next screen appears:

Figure 119: HOB PPP Tunnel Settings - Crosswise NAT Tab

14. On this screen you enter the real network where your machines are located, with the mask, and the network to which these addresses are to be translated.

Once this is done, the required configuration of the HOB PPP Tunnel connection is complete.
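The Crosswise NAT rewriting described above (network part swapped for the translated network, host part kept; destination rewritten from client to server, sender rewritten from server to client; translation only performed when the client reports the same network as the intranet), as an added Python illustration that is not HOB code. The NAT entry mirrors the Real Address, Translated Address and Prefix fields of the Add NAT Entry dialog; all address values are constructed placeholders.

```python
"""Crosswise NAT translation as described for the HOB PPP Tunnel.

Added illustration, not HOB code. A NAT entry is the dialog's Real Address,
Translated Address and Prefix; only the network part of an address is swapped,
the host part is kept. All addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class NatEntry:
    real: ipaddress.IPv4Network        # Real Address + Prefix (server network)
    translated: ipaddress.IPv4Network  # Translated Address + Prefix (seen by client)

    @classmethod
    def from_fields(cls, real_addr: str, translated_addr: str, prefix: int) -> "NatEntry":
        """Build an entry from the three dialog fields; one prefix covers both."""
        return cls(
            ipaddress.ip_network(f"{real_addr}/{prefix}", strict=False),
            ipaddress.ip_network(f"{translated_addr}/{prefix}", strict=False),
        )


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def swap_network(addr: str, src_net: ipaddress.IPv4Network,
                 dst_net: ipaddress.IPv4Network) -> str:
    """Replace the network part of addr (in src_net) with dst_net's network part.

    The host part, i.e. the bits not covered by the prefix, is left untouched.
    Addresses outside src_net are returned unchanged.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("real and translated ranges must share one prefix")
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return addr
    host_part = int(a) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_part))


def crosswise_nat_applies(client_network: str, server_network: str) -> bool:
    """Crosswise NAT is only performed when the network the client reports at
    start-up is the same as the intranet (server network)."""
    return ipaddress.ip_network(client_network) == ipaddress.ip_network(server_network)


def translate_packet(pkt: Packet, entries: List[NatEntry], direction: str) -> Packet:
    """Apply the first matching NAT entry to one packet.

    client_to_server: the client addresses the translated range, so the
    destination is rewritten to the real address.
    server_to_client: the server replies from its real address, so the sender
    is rewritten to the translated address the client expects.
    """
    if direction == "client_to_server":
        for e in entries:
            if ipaddress.ip_address(pkt.dst) in e.translated:
                return replace(pkt, dst=swap_network(pkt.dst, e.translated, e.real))
        return pkt
    if direction == "server_to_client":
        for e in entries:
            if ipaddress.ip_address(pkt.src) in e.real:
                return replace(pkt, src=swap_network(pkt.src, e.real, e.translated))
        return pkt
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample: the client's home LAN collides with the server network
# 192.168.1.0/24, so the servers are exposed to the client as 10.10.1.0/24.
SAMPLE_ENTRIES = [NatEntry.from_fields("192.168.1.0", "10.10.1.0", 24)]
CLIENT_PPP_ADDRESS = "10.20.0.5"   # assigned from the PPP Tunnel IP Address Pool Range


if __name__ == "__main__":
    if crosswise_nat_applies("192.168.1.0/24", "192.168.1.0/24"):
        outbound = translate_packet(Packet(CLIENT_PPP_ADDRESS, "10.10.1.10"),
                                    SAMPLE_ENTRIES, "client_to_server")
        reply = translate_packet(Packet("192.168.1.10", CLIENT_PPP_ADDRESS),
                                 SAMPLE_ENTRIES, "server_to_client")
        print("to server:", outbound)   # dst becomes 192.168.1.10
        print("to client:", reply)      # src becomes 10.10.1.10
```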

Configuring Crosswise NAT PPP Tunnel (Internal L2TP)

When you use an internal L2TP server you do not need to configure an L2TP gateway. The L2TP fields are therefore disabled in the configuration screen. Once the configuration entries are complete in this screen, you will still need to complete the configuration in the PPP, NAT and Crosswise NAT tabs.

When Crosswise NAT PPP Tunnel (internal L2TP) is selected you see the following screen:

Figure 120: HOB PPP Tunnel Settings - Crosswise NAT with an Internal L2TP Server

Enter the information as required, as shown in the section above.

Configuring the HOB PPP Tunnel using Dynamic NAT

Dynamic NAT is used where a private (unregistered) IP address is mapped to a (registered) public IP address drawn from a pool of registered (public) IP addresses, when the client wishes to communicate with addresses that are not part of the corporate network but are external to the system. This pool can be used when the client is communicating with a private network consisting of a large number of both private and public workstations and IP addresses. The network could be, for example, a large hotel with an address pool, typically in the range 10.x.x.x, or a large industry convention. Dynamic NAT is used where the user would like to communicate across multiple company networks, not just the one where they are currently located.

Dynamic NAT gives access to any networks that are behind the HOB WSP and so cannot prevent an intruder accessing any of these networks that are behind the HOB WSP; for this reason it is often seen as insecure. It does help, however, to secure a network layout, as it masks the internal configuration of a private network. When the network layout is secured it makes it more difficult for someone outside the network to monitor individual usage patterns or target a specific location. Dynamic NAT also allows a private network to use private IP addresses that are invalid on the Internet but useful as internal addresses.

Configuring Dynamic NAT PPP Tunnel (External L2TP)

When Crosswise NAT cannot be used, HOB RD VPN uses Dynamic NAT instead. The main difference in the configuration is that for Dynamic NAT there is no NAT tab to configure, as there are no fixed addresses to which the private addresses can be translated; the addresses instead come from a dynamic pool of available addresses.

1. When Dynamic NAT PPP Tunnel (External L2TP) is selected you see the following screen:

Figure 121: HOB PPP Tunnel Settings - Dynamic NAT with an External L2TP Server

2. Enter the required information as shown above under Crosswise NAT (External L2TP).
3. The PPP tab must also be configured; again see above under Crosswise NAT (External L2TP) for an explanation of the data to be entered. Once this is done, click the Dynamic NAT tab.

Figure 122: HOB PPP Tunnel Settings - Dynamic NAT Tab

4. On this screen you enter into the two fields the network, along with the subnet mask, to which your IP addresses are translated.

Configuring Dynamic NAT PPP Tunnel (Internal L2TP)

The configuration of a PPP Tunnel with Dynamic NAT for an internal L2TP server is performed similarly to the configurations described above. An external L2TP server need not be configured, and individual IP addresses need not be configured for NAT.

Figure 123: HOB PPP Tunnel Settings - Dynamic NAT with an Internal L2TP Server

Here you can see that the settings for the L2TP server have been disabled. Enter the other required information as instructed in the sections above. Now go to the PPP tab and enter the required information there as described in the section above.

DNS

Domain Name System (DNS) is the naming system for computers, services, or any resource connected to the Internet or a private network. It associates domain names assigned to each of the participating entities with the various system-specific information held by the system. A Domain Name Service translates queries for domain names into IP addresses for the purpose of locating computer services and devices worldwide.

The HOB PPP Tunnel can use its own DNS, in a similar setup to NAT. When the tunnel is enabled, you can assign specific (numerical) IP addresses to stated host names. When configuring the HOB PPP Tunnel, follow these steps:

Figure 124: HOB PPP Tunnel DNS Tab

1. Click the DNS tab and then the Add button. The dialog Add a DNS entry will open.
2. Enter in the field DNS Name: a host name that is to be resolved and click Add.
3. The dialog Add an IP address opens. Enter a (numerical) IP address and then click Add & Close.
4. You can enter additional IP addresses. When one is not available, the next in the list will be used.

Exclude DNS

If certain IP addresses or host names should not be resolved by the HOB WSP once the HOB PPP Tunnel is enabled, then you should use Exclude DNS. Make sure to enter the host name of the system on which the HOB WebSecureProxy is installed. This ensures that connections will not be encrypted twice (double SSL).

Figure 125: HOB PPP Tunnel Exclude DNS Tab

1. Click the Exclude DNS tab and then the Add button. The dialog Add Excluded DNS Name will open.
2. Enter the host name or names of those that are to be excluded.
3. Click Add & Close to apply the changes.

Assigning the Server List

The final step in the configuration is to assign the HOB PPP Tunnel Server List to the WSP itself, for the WSP to use when creating connections.

1. In the WSP configuration interface select WSP Servers.
2. Select the tab Unique Access.
3. Check the server list you wish to use from the list of those already configured. If you have configured more than one list for the HOB PPP Tunnel, you may select all of these for use.

Figure 126: HOB WSP Administration - WSP Server Settings - Unique Access

4. Save the configuration and close.

Creating a HOB PPP Tunnel Portlet on the Navigation Screen

Now that the HOB PPP Tunnel has been configured, you can create the portlet on the HOB RD VPN navigation screen that will allow the user to easily enable the HOB PPP Tunnel for their sessions. To create the portlet you have to select, in the WSP configuration interface, the role to which the portlet is to be assigned. In the example shown below the User role has been selected.

1. Select the tab Privileges > Portlets.
2. Click Add to add the new portlet to the list of those already available to this role, and the Add Portlet dialog is displayed.
3. Select HOB PPP Tunnel from the drop-down list, and its State (to appear either Open (expanded) or Closed (collapsed) on the HOB RD VPN navigation screen).
4. Click Add & Close and this portlet is added to the list. This dialog also closes.

Figure 127: HOB WSP Administration - Role Settings - Privileges - Portlets

5. Save the changes to the WSP configuration and close. The new portlet for the HOB PPP Tunnel is now available.

Using the HOB PPP Tunnel

Open the HOB RD VPN start page and click the Start PPP Tunnel menu item that is displayed on this page, if it has been configured by the administrator. Once this menu item is selected the HOB PPP Tunnel starts and a tray icon appears in the Windows taskbar. Click on the tray icon to open a status dialog of the HOB PPP Tunnel, which you can also use to terminate the connection.

Other resources on the Internet can still be visited with the same browser once the HOB PPP Tunnel has started. This does not affect the HOB PPP Tunnel, nor will closing the browser disconnect or close the HOB PPP Tunnel. This is not the case if Anti Split Tunneling has been enabled.

Anti Split Tunnel

It is possible for users to still have access to other HOB RD VPN functions when using the HOB PPP Tunnel; once they are properly installed and configured in the central network, these connections can be configured for access without using the HOB PPP Tunnel. This is known as a Split Tunnel. Many companies consider that a split tunnel creates a security risk, so HOB have also developed an Anti-Split Tunnel feature to restrict the use of the Split Tunnel. Please see Section Anti Split Tunneling on page 136 for more information.

Reconnect After a Short Interruption of the Connection

If there is a temporary network interruption and the client loses its connection, the user does not need to restart the HOB PPP Tunnel. Instead, the HOB PPP Tunnel automatically resynchronizes itself with the network as soon as the interruption is remedied. In almost all cases, the applications continue running on the client without any problems. The network connection of the client can be broken when, for example, the provider temporarily interrupts the DSL line and then re-establishes the connection.

14. HOB Compliance Check

The HOB Compliance Check is an optional function that consists of a further security step carried out on each user that accesses, or tries to access, the network. The HOB Compliance Check is a more in-depth analysis of the user identity and the client configuration. This analysis is used to more precisely determine access rights to sensitive data in the network.

Configuring the HOB Compliance Check

To configure the HOB Compliance Check, you need to open the HOB WSP administration interface and select WebSecureProxy > Configure. This opens the HOB WebSecureProxy configuration screen. Now select Compliance Check from the pane on the left and you see the following:

Figure 128: WSP Configuration HOB Compliance Check

Name - here you insert a name for the Compliance Check that is being created, for example Company Compliance Check.
Mode - here you specify the connection mode to be used for this particular Compliance Check.

You use the other tabs to configure the settings for the HOB Compliance Check:

Integrity Check
Anti Split Tunneling
Rules

Integrity Check

The Integrity Check is a security measure that examines the client machine making a connection to the system. The integrity check looks at the anti-virus software currently installed on the client and the status of that software.

Figure 129: WSP Configuration HOB Compliance Check - Integrity Check

Enable - here you activate the compliance check for each authentication attempt for this user.
Name - here you assign a name to the integrity check to be added to this particular compliance check.
Antivirus - here you set which anti-virus programs are to be used with the compliance check for this user. You may select anti-virus programs for Windows, Linux and Mac OS X systems, with a tab for each. Use the two arrow buttons to move the chosen anti-virus programs to the selected list, or to remove them from this list.
Settings - here the settings are used to determine how up to date the anti-virus program needs to be for the compliance check and how often an anti-virus scan needs to be performed. These settings are not supported by all anti-virus products.

Anti Split Tunneling

The Anti Split Tunnel is a security measure that prevents a user who is connected to the system from simultaneously using another connection to the Internet. As a result there is no chance of an unauthorized user entering the system by using an already established connection to gain access.

Figure 130: WSP Configuration HOB Compliance Check - Anti Split Tunneling

Enable - check this box to activate Anti Split Tunneling.

Disable local network - check this box to disconnect this client from the local network, meaning that it can connect only to the servers of your system.

Set local DNS - check this box to set up a DNS server on the local client.

Address - enter the address of a network that this client may connect to.

Mask Bit Length - here you set the bit length of the network mask (the CIDR prefix length) for that address.

Use the Add, Edit and Remove buttons to manage the list of allowed networks to which the user may connect.

Rules

Rules determine the conditions under which a connection to the system is made and the access level granted to the user for each condition. Rules can be created for the following:

Port
File
Mac
IP
Process

Rules for Port

Here you enter the port rules that apply to this user's connection to the system.

Figure 131: WSP Configuration - Compliance Check - Rules for Port

Use the Add, Edit and Remove buttons to maintain this list. When you use these buttons to add or edit a rule, a dialog appears with the following fields:

Name - the name to be used for this port rule.

Access - the level of access to be granted over the port. The options here are Must (access must be granted) or Deny (access denied).

Port - the number of the selected port.

Rules for File

Here you specify, if required, the files that are available to this user and the conditions (hash, modification date) that they must meet.

Figure 132: WSP Configuration - Compliance Check - Rules for File

Use the Add, Edit and Remove buttons to maintain this list. When you use these buttons to add or edit a rule, a dialog appears with the following fields:

Name - the name to be used for the rule.

Access - the level of access to be granted by this rule. The options here are Must (access must be granted) or Deny (access denied), as for port rules.

File - the location of the file that the user can access. Use the Browse button to locate the desired file.

Hash - here the hash of the selected file is entered, if desired. Use the Create button to generate the hash.

Modified Date and Time - here you specify the date and time against which the file's modification time is compared.

Date condition - here you specify the allowable age of the file: whether it is to be older or newer than, or the same age as (equal to), the modified date and time.

Rules for Mac

Here you specify the rules to be applied to the MAC address of the connecting client.

Figure 133: WSP Configuration - Compliance Check - Rules for Mac

Use the Add, Edit and Remove buttons to maintain this list. When you use these buttons to add or edit a rule, a dialog appears with the following fields:

Name - the name to be used for this rule.

Access - the level of access to be granted by this rule. The options here are Must (access must be granted) or Deny (access denied), as for port rules.

Mac Address - the MAC address for the selected rule.

Rules for IP

Here you specify the IP addresses that the user can connect to and those to which access is denied.

Figure 134: WSP Configuration - Compliance Check - Rules for IP

Use the Add, Edit and Remove buttons to maintain this list. When you use these buttons to add or edit a rule, a dialog appears with the following fields:

Name - the name of the IP rule.

Access - the level of access to be granted by this rule. The options here are Must (access must be granted) or Deny (access denied), as for port rules.

IP Network - the IP network (address and subnet mask) to be used with this rule.

Rules for Process

Here you specify the processes for which rules are set for this user.

Figure 135: WSP Configuration - Compliance Check - Rules for Process

Use the Add, Edit and Remove buttons to maintain this list. When you use these buttons to add or edit a rule, a dialog appears with the following fields:

Name - the name of the process rule.

Access - the level of access to be granted by this rule. The options here are Must (access must be granted) or Deny (access denied), as for port rules.

Process Name - the name of the process used with this rule.

Using the HOB Compliance Check

The HOB Compliance Check is an extra layer of security that can be added to the authentication of the user. It is also used when authorizing a user for their role and their permissions within the system. Note that the checks are performed on the client and depend on what the client reports, so they are a control against misconfigured endpoints rather than a substitute for server-side access control.

Anti Split Tunnel

The Anti Split Tunnel restricts the client to connections that go exclusively through the PPP Tunnel; all other connections are blocked. Administrators can also, on security grounds, configure resources and functions of HOB RD VPN to use only the HOB PPP Tunnel via the Windows Firewall on the client. This is not a function of HOB RD VPN, so it must be done manually.

For access to a public network, the user must first close the connection to the corporate network. For those users who require access to a public network while working in their local network, the Anti Split Tunnel is not enabled by default; it must be enabled by the administrators.

Anti Split Tunneling is a utility that functions only with Microsoft Windows. Exceptions to Anti Split Tunneling can be configured by the administrator with regard to the local network, DNS servers and dedicated servers or hosts.

This utility runs as a service on the client PC and, if activated, is an essential condition for HOB RD VPN to work, increasing the security of your system. Before Anti Split Tunneling can be used, the Anti Split Tunnel utility must be installed on the client. If this service is not running, the user automatically receives information on how to install it when logging on to HOB RD VPN. Administration rights are required for the installation of this service on the client system.
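The Port, File, Mac, IP and Process rules above all share the same Must/Deny model: a Must rule fails when the condition it describes is absent from the client, a Deny rule fails when it is present, and the client is compliant only if no rule fails. The following evaluator is an added example written for this guide; it is not HOB's code and does not show how HOB RD VPN implements the check internally. It assumes a client-side posture report with the field names shown (listening ports, files with content and modification time, MAC and IP addresses, running process names), interprets an IP rule as "the client holds an address in that network", and uses SHA-256 for the file hash because the page does not name the algorithm. The rule set and the endpoint posture are constructed sample data.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ComplianceRule:
    """One Port, File, Mac, IP or Process rule from the Compliance Check dialogs."""
    name: str
    kind: str                              # "port", "file", "mac", "ip" or "process"
    access: str                            # "Must": condition required; "Deny": condition forbidden
    value: str                             # port number, file path, MAC address, IP network or process name
    file_hash: Optional[str] = None        # hex digest of the file; SHA-256 is an assumption
    modified: Optional[datetime] = None    # the rule's "Modified Date and Time"
    date_condition: Optional[str] = None   # "older", "newer" or "equal", relative to `modified`


@dataclass
class ClientPosture:
    """What the client-side check reports about the endpoint (field names are assumptions)."""
    listening_ports: set[int]
    files: dict[str, tuple[bytes, datetime]]   # path -> (file content, modification time)
    mac_addresses: set[str]
    ip_addresses: set[str]
    process_names: set[str]


def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return mac.strip().lower().replace("-", ":")


def file_rule_holds(rule: ComplianceRule, posture: ClientPosture) -> bool:
    """File present, hash matches if one is set, and mtime satisfies the date condition if set."""
    entry = posture.files.get(rule.value)
    if entry is None:
        return False
    content, mtime = entry
    if rule.file_hash and hashlib.sha256(content).hexdigest() != rule.file_hash.lower():
        return False
    if rule.date_condition:
        if rule.modified is None:
            raise ValueError(f"rule {rule.name!r} has a date condition but no reference date")
        if rule.date_condition == "older":
            return mtime < rule.modified
        if rule.date_condition == "newer":
            return mtime > rule.modified
        if rule.date_condition == "equal":
            return mtime == rule.modified
        raise ValueError(f"unknown date condition {rule.date_condition!r}")
    return True


def condition_present(rule: ComplianceRule, posture: ClientPosture) -> bool:
    """True when the thing the rule describes is found on the client."""
    if rule.kind == "port":
        return int(rule.value) in posture.listening_ports
    if rule.kind == "process":
        return rule.value.lower() in {p.lower() for p in posture.process_names}
    if rule.kind == "mac":
        return normalize_mac(rule.value) in {normalize_mac(m) for m in posture.mac_addresses}
    if rule.kind == "ip":
        network = ipaddress.ip_network(rule.value, strict=False)
        return any(ipaddress.ip_address(a) in network for a in posture.ip_addresses)
    if rule.kind == "file":
        return file_rule_holds(rule, posture)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: list[ComplianceRule], posture: ClientPosture) -> tuple[bool, list[str]]:
    """Compliant only if every Must condition is present and no Deny condition is present.

    Returns (compliant, names of the rules that failed) so the user can be told what to fix.
    """
    failed = []
    for rule in rules:
        if rule.access not in ("Must", "Deny"):
            raise ValueError(f"rule {rule.name!r}: access must be Must or Deny")
        present = condition_present(rule, posture)
        if (rule.access == "Must") != present:
            failed.append(rule.name)
    return not failed, failed


# Constructed sample data: a rule set and one endpoint's posture (paths and addresses are made up).
AGENT_BINARY = b"hob-compliance-agent build 2"          # stand-in for a file's contents
AGENT_PATH = r"C:\Program Files\HOB\agent.exe"

SAMPLE_RULES = [
    ComplianceRule("AV service running", "process", "Must", "avservice.exe"),
    ComplianceRule("No RDP listener", "port", "Deny", "3389"),
    ComplianceRule("Agent binary current", "file", "Must", AGENT_PATH,
                   file_hash=hashlib.sha256(AGENT_BINARY).hexdigest(),
                   modified=datetime(2012, 5, 1), date_condition="newer"),
    ComplianceRule("Corporate address range", "ip", "Must", "10.20.0.0/16"),
    ComplianceRule("Blocked adapter", "mac", "Deny", "00-11-22-33-44-55"),
]

SAMPLE_POSTURE = ClientPosture(
    listening_ports={135, 3389},
    files={AGENT_PATH: (AGENT_BINARY, datetime(2012, 6, 1))},
    mac_addresses={"00:11:22:33:44:55"},
    ip_addresses={"10.20.30.40"},
    process_names={"explorer.exe", "AVService.exe"},
)

if __name__ == "__main__":
    ok, failed = evaluate(SAMPLE_RULES, SAMPLE_POSTURE)
    print("compliant" if ok else "non-compliant, failed rules: " + ", ".join(failed))
```

Run as a script, the sample endpoint is reported non-compliant because of the RDP listener and the denied MAC address, while the agent file passes both its hash check and its "newer than" date condition. Returning the names of the failed rules rather than a bare yes/no is deliberate: the user who is refused access needs to know which condition to fix, and the administrator needs the same information in the log when tuning a rule set.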


15. HOB Target Filters

Target filters give the administrator of HOB RD VPN a flexible and granular means of access control. A target filter in HOB RD VPN is a combination of one or more Allow or Deny rules that enable you to restrict the access of users to certain connection targets in the corporate network. After configuring a target filter, you assign it to a role.

Target filters affect the following connections:

HOB Web Server Gate
HOB PPP Tunnel
SOCKS

Connections that are defined in the Outgoing Connections of HOB WebSecureProxy are not affected by target filters.

Figure 136: Using Target Filters - a Typical Scenario

Configuring Target Filters

To configure a target filter, it must first be added (created), and then the target filter must be assigned to a user role for it to take effect.

Adding a Target Filter

The following steps show you how to add a new target filter:

1. Start the HOB RD VPN WebSecureProxy configuration program.
2. Click the Target Filters item in the left-hand pane.
3. Click the Add button. A new target filter scheme called Target Filter is created.

Figure 137: Adding a New Target Filter

4. Enter a name of your choice for the new target filter in the Name field, for example Target Filter. Every new target filter already contains one default rule. The default rule denies all connections, meaning that no connection targets are accessible with this target filter until you create at least one additional rule.

5. Create a new rule by clicking the Add button in the right-hand pane. The Add rule dialog appears.

Figure 138: WSP Configuration - Adding a Rule

The Add Rule dialog consists of the following fields:

Allow/Deny - The first step in creating a rule is to decide whether you want an Allow or a Deny rule. Allow rules (symbolized by green traffic lights) make a connection to a connection target possible, specified by DNS name, IP address, protocol or port; Deny rules (symbolized by red traffic lights) prevent a connection. A combination of several Allow and Deny rules lets you create a target filter that accurately controls access to your network resources.

Whenever HOB RD VPN is requested to open a connection, the rule stack is processed beginning with the first rule. As soon as a request matches a filter rule, that rule is executed (Allow or Deny) and processing of the rule stack stops. If the rule does not match, the next rule in the stack is checked, and so on. When no rule matches, the default Deny rule at the bottom of the stack is applied. The order of the rules therefore matters: a broad Allow rule placed above a more specific Deny rule means that the Deny rule is never reached.

DNS name - In the DNS name field you can enter the DNS name, for example of a connection target. If flexibility is required and you intend to specify an IP block, leave this field empty and enter the desired data in the IP network field.

IP network - In the IP network field you can enter either a single IP address in dotted decimal notation, for example , or an IP block in IP/CIDR notation, for example /32 (enter the suffix in the small field on the right).

Protocol - The protocol drop-down list specifies the protocol to which the current rule refers. Every rule allows the setting of only one protocol. If you want to allow/deny another protocol, you have to create an additional rule.

Ports - You can create a list of ports that are allowed or denied for the connection by this rule. To add a port number to the list, enter the port number and click the Arrow button. To remove an existing port from the list, mark it and then click the Delete button. Do not restrict yourself to releasing single TCP and UDP ports; it may also be useful to allow ICMP / ICMPv6, for example so that ping and path MTU discovery work through the tunnel.

6. Click Add to add the currently edited rule to the list of target filter rules. The default rule always remains the lowest rule and is not editable.

7. If desired, change the order of the rules using the Up and Down buttons on the right side of the Target Filter panel. Note that you cannot move the default rule from the lowest position of the rule stack.

8. If desired, edit an existing rule by clicking the rule and then the Edit button.

9. To save the changes made so far in the configuration, select File > Save from the menu.

When you have added all the filter rules desired, you need to assign the new target filter to a user role (see the following section).

Using Target Filters

After you have configured a target filter, you can assign it to a user role. Note that you can assign only one target filter to each user role.
To assign a target filter:

1. Start the HOB RD VPN WebSecureProxy configuration program.
2. Double-click the Roles item in the left-hand pane to display the user schemes.
3. Click the desired role, for example User.
4. Click the Privileges tab in the right-hand pane.
5. Click the Target Filters tab.

Figure 139: Assigning a Target Filter to the User Role

6. The Target Filter drop-down list contains all target filters that you have already configured. Choose the desired target filter from this list.

7. Select File > Save from the menu to save the changes in the configuration.
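The rule-stack semantics described under Adding a Target Filter (first match wins, one protocol per rule, an optional port list, a name rule or an IP/CIDR rule, and an implicit Deny at the bottom) are easy to get wrong when rules are reordered with the Up and Down buttons. The following evaluator is an added example written for this guide, not HOB's code, and it shows the matching order as a practitioner would reason about it rather than how the WebSecureProxy implements it. It assumes that a DNS-name rule applies only to requests made by name (a request by bare IP address falls through to the IP-network rules), that an empty port list means any port, and that a rule with neither name nor network matches every target; the host names and 10.0.0.0/8 addresses in the sample filter are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TargetRule:
    """One Allow or Deny rule. Matches on DNS name or, if that is empty, on IP network."""
    allow: bool                               # True = Allow (green light), False = Deny (red light)
    dns_name: Optional[str] = None            # connection target by name
    ip_network: Optional[str] = None          # single address or CIDR block
    protocol: Optional[str] = None            # exactly one protocol per rule; None = any protocol
    ports: frozenset[int] = frozenset()       # empty = any port

    def matches(self, host: Optional[str], ip: str, protocol: str, port: Optional[int]) -> bool:
        if self.dns_name is not None:
            # Assumption: a name rule only applies when the request itself was made by name.
            if host is None or host.lower() != self.dns_name.lower():
                return False
        elif self.ip_network is not None:
            if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.ip_network, strict=False):
                return False
        if self.protocol is not None and self.protocol.lower() != protocol.lower():
            return False
        if self.ports and port not in self.ports:
            return False
        return True


@dataclass
class TargetFilter:
    """An ordered rule stack; the non-editable default Deny sits below the last rule."""
    name: str
    rules: list[TargetRule] = field(default_factory=list)

    def decide(self, host: Optional[str], ip: str, protocol: str,
               port: Optional[int] = None) -> tuple[bool, Optional[int]]:
        """First matching rule wins. Returns (allowed, index of the deciding rule; None = default Deny)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(host, ip, protocol, port):
                return rule.allow, index
        return False, None

    def trace(self, host: Optional[str], ip: str, protocol: str, port: Optional[int] = None) -> str:
        """Human-readable verdict, useful when checking a filter before assigning it to a role."""
        allowed, index = self.decide(host, ip, protocol, port)
        verdict = "Allow" if allowed else "Deny"
        decided_by = "default rule" if index is None else f"rule {index}"
        return f"{verdict} {protocol}/{port if port is not None else '*'} to {host or ip} ({decided_by})"


# Constructed sample: intranet users may reach the intranet web server by name and anything
# TCP in the 10.0.5.0/24 desktop segment, but never SSH on the jump host 10.0.5.10, and may
# ping the whole 10.0.0.0/8. Names and addresses are assumptions for this example.
RULES = [
    TargetRule(allow=False, ip_network="10.0.5.10", protocol="tcp", ports=frozenset({22})),
    TargetRule(allow=True, dns_name="intranet.example.com", protocol="tcp", ports=frozenset({80, 443})),
    TargetRule(allow=True, ip_network="10.0.5.0/24", protocol="tcp"),
    TargetRule(allow=True, ip_network="10.0.0.0/8", protocol="icmp"),
]
INTRANET_USERS = TargetFilter("Intranet users", RULES)

# The same rules with the broad segment Allow moved above the specific Deny: the Deny is never reached.
MISORDERED = TargetFilter("Misordered", [RULES[2], RULES[0], RULES[1], RULES[3]])

if __name__ == "__main__":
    for request in [("intranet.example.com", "10.0.5.20", "tcp", 443),
                    (None, "10.0.5.20", "tcp", 3389),
                    (None, "10.0.5.10", "tcp", 22),
                    (None, "10.0.5.20", "udp", 53),
                    (None, "10.0.7.1", "icmp", None)]:
        print(INTRANET_USERS.trace(*request))
    print(MISORDERED.trace(None, "10.0.5.10", "tcp", 22))
```

With the rules in the intended order, SSH to the jump host is refused by rule 0 and DNS over UDP falls through to the default Deny because no rule names that protocol. In the misordered copy the segment-wide TCP Allow is evaluated first and SSH to 10.0.5.10 is allowed, which is exactly the failure the Up and Down buttons make possible; tracing a handful of representative requests like this before assigning a filter to a role catches it.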


More information

Facility Commander Complete, Integrated Command and Control

Facility Commander Complete, Integrated Command and Control Facility Commander Complete, Integrated Command and Control 2.0 Facility Commander Complete, integrated command and control Securing your business facilities requires multiple systems, often from different

More information

Chapter. Configuring DVTEL. DVTel Latitude version 3.5. DVTel ISOC version Configuring Third-Party Programs

Chapter. Configuring DVTEL. DVTel Latitude version 3.5. DVTel ISOC version Configuring Third-Party Programs Configuring DVTEL DVTel Latitude version 3.5 DVTel ISOC version 5.3.1.15 2 Chapter Configuring Third-Party Programs SightLogix devices are used with two types of third-party programs: VMS programs, which

More information

I/A Series A 2 Software FoxAlert Alarm Manager

I/A Series A 2 Software FoxAlert Alarm Manager Product Specifications I/A Series A 2 Software FoxAlert Alarm Manager PSS 21S-2B2 B4 Current Alarms Display Most Recent Alarms Display Summary Displays By Status Alarm History Display An Extensive Collection

More information

FactoryTalk Alarms and Events. System Configuration Guide

FactoryTalk Alarms and Events. System Configuration Guide FactoryTalk Alarms and Events System Configuration Guide Important user information Read this document and the documents listed in the additional resources section about installation, configuration, and

More information

Manual# User s Manual. 200E Series. DCU 210E/208E Diesel Engine Control Unit RP 210E Remote Panel

Manual# User s Manual. 200E Series. DCU 210E/208E Diesel Engine Control Unit RP 210E Remote Panel Manual# 1006494 User s Manual 200E Series DCU 210E/208E Diesel Engine Control Unit RP 210E Remote Panel User's Manual Rev. 1.0 Marine Pro 200E Series ~~~ DCU 210E Diesel Engine Control Unit DCU 208E Diesel

More information

Alessio Fioravanti, Silvano Lutri, TWS/DWC FP IBM Corporation

Alessio Fioravanti, Silvano Lutri, TWS/DWC FP IBM Corporation Alessio Fioravanti, alessio.fioravanti@it.ibm.com Silvano Lutri, silvano_lutri@it.ibm.com TWS/DWC 9.1.0 FP1 DWC FP1 Enhancements 2 TWS / DWC 9.1 FP1 DWC 9.1 FP1 Enhancements Direct Query: Monitoring task

More information

Samsung SDS BMS Ver.2.0. Technical Specification

Samsung SDS BMS Ver.2.0. Technical Specification Samsung SDS BMS Ver.2.0 Technical Specification Technical Specifications All rights and title, including all intellectual property rights to Samsung SDS BMS" is retained by Samsung SDS Co, Ltd. ("SDS"),

More information

Dashboard for Windows V1.1.0

Dashboard for Windows V1.1.0 User manual Dashboard for Windows V1.1.0 TBS Electronics BV De Factorij 46 1689 AL Zwaag The Netherlands www.tbs-electronics.com COPYRIGHT 2009 (rev1e) - 1 - TABLE OF CONTENTS 1. INTRODUCTION......................

More information

Oracle Retail Cloud Services and Business Agility

Oracle Retail Cloud Services and Business Agility Oracle Retail Integration Cloud Service Release Notes Release 16.0 E86014-01 March 2017 This document introduces Oracle Retail Integration Cloud Service 16.0. Overview The Oracle Retail Integration Cloud

More information

Oracle Communications Performance Intelligence Center

Oracle Communications Performance Intelligence Center Oracle Communications Performance Intelligence Center System Alarms User s Guide Release 10.1 E55927 Revision 2 October 2014 Oracle Communications Performance Intelligence Center System Alarms User s Guide,

More information

MobiCall-Client PC Safety at work

MobiCall-Client PC Safety at work MobiCall-Client PC Safety at work MobiCall Client PC offers efficient personal security measures for staff members with PC workstations in threatening situations, as well as a quick alarm transmission

More information

LSM MANUAL PRINCIPLES OF LSM

LSM MANUAL PRINCIPLES OF LSM Page 1 1.0 PRINCIPLES OF LSM 1.1. SYSTEM REQUIREMENTS: LSM 3.1 SP1 OR HIGHER (SUBJECT TO CHANGE) GENERAL Local administrator rights for installation Communication: TCP/IP (NetBios active), LAN (recommended:

More information

Home center Interface Server. Technical sheet

Home center Interface Server. Technical sheet Home center Interface Server Technical sheet September 2014 About Home center Interface Server is a product by Stijnen Solutions to operate your home automation system. Connect to this device with Home

More information

SPECTRUM Web Operator

SPECTRUM Web Operator Notice Copyright Notice Copyright 2001 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions

More information

Experion LX Direct Station Specification

Experion LX Direct Station Specification Technical Information Experion LX Direct Station Specification LX03-210-110 Release 110 January 2014, Version 1 Experion LX Station Specification, LX03-210-110 Revision History Revision Date Description

More information

Universal Monitoring System. TrapServer Description

Universal Monitoring System. TrapServer Description TrapServer Description TrapServer is a centralized or distributed monitoring system used to monitor, assess and control a multi-vendor telecommunications networks. It consists of a server (rack or desk

More information

Integrated security management platform for Windows. Seamless. Effective. Efficient.

Integrated security management platform for Windows. Seamless. Effective. Efficient. Integrated security management platform for Windows Seamless. Effective. Efficient. We have 70% security personnel turnover in a year. How can we effectively train them on multiple applications when each

More information

Lighting Xpert Insight User Manual

Lighting Xpert Insight User Manual Lighting Xpert Insight User Manual Table of Contents 1 About This Document... 3 1.1 Key Terms... 3 1.2 Related Fifth Light Documentation... 3 2 Lighting Xpert Insight Overview... 4 2.1 Key Features...

More information

System 800xA Operations

System 800xA Operations System 800xA Operations System Version 5.1 Power and productivity for a better world TM System 800xA Operations System Version 5.1 NOTICE This document contains information about one or more ABB products

More information

Oracle Retail Merchandise Financial Planning

Oracle Retail Merchandise Financial Planning Oracle Retail Merchandise Financial Planning Release Notes Release 13.4 December 2012 Oracle Retail Merchandise Financial Planning (MFP) provides strategic and financial product planning functions. These

More information

Getting Started with SPECTRUM for Operators

Getting Started with SPECTRUM for Operators Getting Started with SPECTRUM Titlepae Document 1763 SPECTRUM Operation Copyright Notice Document 1763. Copyright 2001-present, Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH

More information

UD-VMS510i. Surveillance Management Center

UD-VMS510i. Surveillance Management Center Surveillance Management Center Introduction VMS510i is a flexible, scalable, high reliable and powerful central management system. Client-Server Architecture, Integrating with multiple surveillance systems.

More information

Alarm Notification Manager

Alarm Notification Manager Titlepage Alarm Notification Manager SPECTRUM Enterprise Manager Application & Gateway Summary of Changes Alarm Notification Manager Version Date Reason for Change Description of Change 9031308-00 Feb

More information

Enterprise Service Bus

Enterprise Service Bus Enterprise Service Bus Suva Uses WSO2 ESB to Manage 100-Plus Web Services Internally and Across Customers, Government Agencies, and Other Third Parties As Switzerland s leading provider of federal insurance

More information

Milestone XProtect Alarm Matrix Integration 1.0

Milestone XProtect Alarm Matrix Integration 1.0 Milestone XProtect Alarm Matrix Integration 1.0 Milestone XProtect Alarm Matrix Integration 1.0 Target Audience This document is aimed at system users and provides descriptions on how to install, configure

More information

Access Professional Edition. The flexible access control system that grows with your business.

Access Professional Edition. The flexible access control system that grows with your business. Access Professional Edition The flexible access control system that grows with your business www.boschsecurity.com Access Professional Edition: the ideal solution for easy and intuitive access management

More information

D-Link Central Management System

D-Link Central Management System D-Link Central Management System This seamless management of digital video, audio and data is a powerful solution for large scale installations The D-Link Central Management System is a powerful system

More information

Alarm module for leak detection with webserver

Alarm module for leak detection with webserver This instruction document consists of 2 parts : one part about the assembly of the components and one part about configuration and starting-up of the system. The assembly is done by the qualified installer

More information

Technical Publications. FactoryTalk Alarms and Events System Configuration Guide

Technical Publications. FactoryTalk Alarms and Events System Configuration Guide Technical Publications FactoryTalk Alarms and Events System Configuration Guide Important user information Read this document and the documents listed in the additional resources section about installation,

More information

Procidia iware AlarmWorX32. AlarmWorX32 Viewer January 2010

Procidia iware AlarmWorX32. AlarmWorX32 Viewer January 2010 Procidia iware AlarmWorX32 AlarmWorX32 Viewer Siemens Protection AG 2008. notice All / Copyright rights reserved. notice Introduction / Contents Procidia iware is an operator interface software designed

More information

Access Control for. Part 3 of 4. Brought to You by. Presented by Video Security Consultants

Access Control for. Part 3 of 4. Brought to You by. Presented by Video Security Consultants 2008 Video Security Consultants Brought to You by Presented by Part 3 of 4 A1 Part 3 of 4 Taking a Hard Look at Software The essential function of an electronic access control system (EACS) is to control

More information

Welcome to ProSeries tax software

Welcome to ProSeries tax software Welcome to ProSeries tax software For information about this topic... Look here... What s new with ProSeries tax software for 2005 Page 1 Getting Ready Computer system requirements Page 3 Getting ready

More information

1 Introduction Data transmission Compatibility IPS Analytics configuration... 3

1 Introduction Data transmission Compatibility IPS Analytics configuration... 3 Configuration Instruction Integration of IPS Video Analytics on Axis Cameras with a Milestone XProtect Video Management System Contents 1 Introduction... 1 2 Data transmission... 2 3 Compatibility... 3

More information

BIS - Overview and basic package

BIS - Overview and basic package Systems BIS - Overview and basic package BIS - Overview and basic package Complete enterprise management for efficient, integrated building and security management in a single solution Consistent use of

More information

P2000 and Metasys System Integration

P2000 and Metasys System Integration P2000 and Metasys System Integration Product Bulletin Code No. LIT-12012141 Software Release 3.14 SP1 Issued June 23, 2017 The Johnson Controls P2000 Security Management System supports the integration

More information