Oracle Secure Global Desktop Administration Guide for Version 4.6

DNS Names

The following are the main Domain Name System (DNS) requirements for SGD:

SGD servers can have multiple DNS names. Each SGD server has one peer DNS name, and one or more external DNS names.


Note - When configuring SGD, it is best to use fully-qualified DNS names.


A peer DNS name is the DNS name that the SGD servers in the array use to identify themselves to each other. For example, boston.example.com.

An external DNS name is the DNS name that the SGD Client uses to connect to an SGD server. For example, www.example.com.

These two types of DNS names might be associated with the same network interface on the SGD host, or they might each use a different network interface. These DNS names must be fully-qualified DNS names.

When you install SGD you are prompted for a DNS name for the SGD server. This must be the peer DNS name that is used inside the firewall. This is the DNS name that the SGD web server binds to.

After installation, you can configure each SGD server with one or more external DNS names. The external DNS name is used by the SGD Client when it connects to an SGD server. By default, the peer DNS name is also used as an external DNS name.

In a network containing a firewall, you might need to make some names usable outside the firewall, for example across the Internet, and others usable inside the firewall. For example, users outside the firewall might be able to use www.example.com, but not boston.example.com. Users inside the firewall might be able to use either name.


Caution - You do not have to make all your SGD servers available outside the firewall. However, if users log in to an SGD server from both inside and outside the firewall, they might not be able to resume some applications when logging in from outside the firewall.


If you use the SGD Gateway, client devices do not connect directly to SGD servers. Instead, they connect using the DNS name of a Gateway or load balancer. External DNS names are only used for direct client connections that are not routed through the Gateway. Instructions on how to install, configure, and use the Gateway are included in the Oracle Secure Global Desktop 4.6 Gateway Administration Guide.

If you are using mechanisms such as an external hardware load balancer or round-robin DNS to control the SGD server that a user connects to, you must configure SGD to work with these mechanisms, see User Session Load Balancing.

This section includes the following topics:

Configuring External DNS Names

Changing the Peer DNS Name of an SGD Server

Configuring External DNS Names

When an SGD Client connects directly to an SGD server, it connects using the external DNS name provided by the SGD server. The actual DNS name used is determined using the Internet Protocol (IP) address of the client.

If you use the SGD Gateway, external DNS names are only used for direct client connections that are not routed through an SGD Gateway.

You configure external DNS names by setting one or more filters that match client IP addresses to DNS names. Each filter has the format Client-IP-Pattern:DNS-Name.

The Client-IP-Pattern can be either of the following:

A full IP address, which matches a single client device.

A partial IP address that uses the * wildcard, for example 192.168.10.* to match every client on that subnet. The pattern * on its own matches any client.

SGD servers can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.


Caution - If SGD is configured for firewall forwarding, you cannot use multiple external DNS names because SGD cannot determine the IP address of the client device. In this situation, you can configure a single external DNS name, for example *:www.example.com, and then use split DNS so that clients can resolve the name to different IP addresses, depending on whether they are inside or outside the firewall. See Firewall Traversal.


The following is an example of external DNS names configuration:

"192.168.10.*:boston.example.com,*:www.example.com"

With this configuration, the following applies:

Clients with an IP address in the 192.168.10.* range connect to the SGD server using the DNS name boston.example.com.

All other clients connect using the DNS name www.example.com.

If the order of the filters is reversed, the * pattern matches every client first, so all clients connect to www.example.com.
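The first-match rule is easy to get wrong when editing a filter list, and the result is only visible once clients connect. The following POSIX shell script is an added example, not part of the SGD documentation or product: it models how a filter list of the form shown above is evaluated for a given client IP address, so a proposed list can be checked before it is saved. The matching rule it applies is an assumption: a * in a pattern stands for one whole octet (or, at the end of a pattern, for the rest of the address), so that 192.168.10.* matches 192.168.10.42 but not 192.168.100.42. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not SGD code): evaluate an External DNS Names filter list
# the way the documentation describes it: the first matching filter wins.

# ip_matches_pattern PATTERN IP
# Returns 0 when the client IP matches the Client-IP-Pattern.
# Assumption: PATTERN is a full IPv4 address, or a partial one in which '*'
# stands for a whole octet. A trailing '*' (or '*' alone) matches the rest of
# the address. Octets are compared one by one so that 192.168.10.* does not
# match 192.168.100.42, which a plain string glob would accept.
ip_matches_pattern() {
    pattern=$1
    ip=$2
    while [ -n "$pattern" ]; do
        p=${pattern%%.*}
        i=${ip%%.*}
        if [ "$p" = '*' ]; then
            case $pattern in
                *.*) ;;            # wildcard octet in the middle: keep going
                *)   return 0 ;;   # trailing wildcard: rest of address matches
            esac
        elif [ "$p" != "$i" ]; then
            return 1
        fi
        case $pattern in *.*) pattern=${pattern#*.} ;; *) pattern= ;; esac
        case $ip      in *.*) ip=${ip#*.} ;;           *) ip= ;;      esac
    done
    # Full pattern consumed: it matches only if the address has no octets left.
    [ -z "$ip" ]
}

# external_dns_for FILTER_LIST CLIENT_IP
# Prints the external DNS name the client would be given, using the
# comma-separated "Pattern:Name,Pattern:Name" form shown in the documentation.
# Returns 1 if no filter matches.
external_dns_for() {
    filters=$1
    client=$2
    while [ -n "$filters" ]; do
        filter=${filters%%,*}
        case $filters in *,*) filters=${filters#*,} ;; *) filters= ;; esac
        pat=${filter%%:*}
        name=${filter#*:}
        if ip_matches_pattern "$pat" "$client"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# The documented example, and the same two filters in reversed order.
FILTERS='192.168.10.*:boston.example.com,*:www.example.com'
REVERSED='*:www.example.com,192.168.10.*:boston.example.com'

external_dns_for "$FILTERS"  192.168.10.42    # boston.example.com
external_dns_for "$FILTERS"  192.168.100.42   # www.example.com
external_dns_for "$REVERSED" 192.168.10.42    # www.example.com: * matched first
```

The third call shows the ordering problem described above: with * first, the subnet-specific filter is never reached. The Administration Console takes one filter per line rather than the comma-separated form, but the first-match evaluation is the same.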

How to Configure the External DNS Names of an SGD Server

Before You Begin

Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.

  1. In the Administration Console, go to the SGD Servers tab and select an SGD server.

    The General tab displays.

  2. In the External DNS Names field, type one or more filters for the external DNS names.

    Each filter matches client IP addresses to DNS names.

    Press the Return key after each filter.

    The format of each filter is described in Configuring External DNS Names.

    The order of the filters is important. The first match is used.

  3. Click Save.
  4. Restart the SGD server.

    You must restart the SGD server for the external DNS names to take effect.

Changing the Peer DNS Name of an SGD Server

You can change the peer DNS name of an SGD server without having to reinstall the software, see How to Change the Peer DNS Name of an SGD Server.

You must detach an SGD server from an array and stop SGD before changing its peer DNS name.

After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAME.log file contains the details of the changes that were made. Your existing server security certificates are backed up in the /opt/tarantella/var/tsp.OLD.number directory.

If you use an SGD server as an application server, you must manually reconfigure the application server object by changing the DNS name for the application server and, optionally, renaming the object.

If you have installed SGD printer queues on UNIX or Linux platform application servers, you might have to remove the printer queue that uses the old DNS name of the SGD server, and configure a new printer queue that uses the new DNS name of the SGD server. See Configuring UNIX and Linux Platform Application Servers for Printing.

How to Change the Peer DNS Name of an SGD Server

Before You Begin

Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.

You can only change the peer DNS name from the command line.

  1. Log in as superuser (root) on the SGD host.
  2. Detach the SGD server from the array.

    If you are changing the peer DNS name of the primary SGD server, first make another server the primary server and then detach the server.

    # tarantella array detach --secondary serv

    Run the tarantella status command on the detached server to check that it is detached from the array.

  3. Stop the SGD server.
  4. Ensure that the DNS name change for the SGD host has taken effect.

    Check your DNS configuration and ensure that the other SGD servers can resolve the new DNS name. You might also have to edit the /etc/hosts and /etc/resolv.conf files on the SGD host.

  5. Change the DNS name of the SGD server.

    Use the following command:

    # tarantella serverrename --peerdns newname [ --extdns newname ]

    It is best to use fully-qualified DNS names.

    Use the --extdns option to change the external DNS name of the server. This option only works if the SGD server has a single external DNS name. If the server has more than one external DNS name, you must manually update the external DNS names. See Configuring External DNS Names.

    When prompted, type Y to proceed with the name change.

  6. Regenerate the certificates used for secure intra-array communication.

    # tarantella security keystoregen

    For details about secure intra-array communication, see Secure Intra-Array Communication.

    If you are using the SGD Gateway, you must install the new peer Certificate Authority (CA) certificate on each SGD Gateway.

  7. (Optional) Replace the server SSL certificate.

    If the new peer DNS name is not included in the SSL certificate used by the SGD server, you must replace the certificate, see How to Replace a Server SSL Certificate.

    If you are using the SGD Gateway, you must install the new server SSL certificate on each SGD Gateway.

  8. Restart the SGD web server and SGD server.
  9. Join the SGD server to the array.

    The clock on the server joining the array must be in synchronization with the clocks on the other servers in the array. If the time difference is more than one minute, the array join operation fails.

    # tarantella array join --primary p-serv --secondary s-serv
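Steps 4 and 9 each have a precondition that is usually only discovered when the command fails: the new name must resolve, and the server's clock must be within one minute of the other array members or the array join is refused. The following POSIX shell script is an added example, not part of SGD or its documentation: it runs those preflight checks on the SGD host before you start the procedure above. It assumes that root can ssh to the primary server to read its clock, and the function names and the 60-second tolerance (taken from the one-minute limit stated above) are the example's own. It does not run any tarantella command itself.

```shell
#!/bin/sh
# Added example (not SGD code): preflight checks for changing a peer DNS name.
# Run as root on the SGD host before detaching it:
#   sh preflight.sh NEW_PEER_NAME PRIMARY_SERVER

# is_fqdn NAME: 0 if NAME looks fully qualified (at least one dot, no empty
# labels, no leading or trailing dot, hostname characters only).
is_fqdn() {
    case $1 in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# clock_skew_ok LOCAL_EPOCH REMOTE_EPOCH: 0 if the two clocks are within the
# one-minute tolerance that tarantella array join enforces.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( 0 - diff ))
    fi
    [ "$diff" -le 60 ]
}

# preflight_rename NEW_PEER_NAME PRIMARY_SERVER
# Checks the preconditions of steps 4 and 9. Prints every failure and returns 1
# if any check failed, so DNS or time can be fixed before the server is detached.
preflight_rename() {
    new_peer=$1
    primary=$2
    rc=0
    if ! is_fqdn "$new_peer"; then
        echo "FAIL: $new_peer is not a fully-qualified DNS name" >&2; rc=1
    fi
    # Step 4: the new name must resolve on this host. Check the other array
    # members the same way (over ssh) before continuing.
    if ! getent hosts "$new_peer" >/dev/null 2>&1; then
        echo "FAIL: $new_peer does not resolve on this host" >&2; rc=1
    fi
    # Step 9: the array join fails if clocks differ by more than one minute.
    # Assumption: root can ssh to the primary server to read its clock.
    if remote_t=$(ssh -o BatchMode=yes "$primary" date +%s 2>/dev/null); then
        if ! clock_skew_ok "$(date +%s)" "$remote_t"; then
            echo "FAIL: clock differs from $primary by more than one minute" >&2; rc=1
        fi
    else
        echo "FAIL: could not read the clock on $primary over ssh" >&2; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then
    preflight_rename "$1" "$2" && echo "preflight OK: proceed with the documented procedure"
fi
```

All checks are run and reported together rather than stopping at the first failure, because a DNS fix and a time fix are typically handled by different people and it is better to know about both before taking the server out of the array.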