Exit Print View

Oracle Secure Global Desktop Administration Guide for Version 4.6

Document Information

Preface

1.  Networking and Security

Overview of Networks and Security

Connections Between Client Devices and SGD Servers

Connections Between SGD Servers and Application Servers

UNIX or Linux System Application Servers

Microsoft Windows Application Servers

Web Application Servers

Connections Between SGD Servers in an Array

DNS Names

Configuring External DNS Names

How to Configure the External DNS Names of an SGD Server

Changing the Peer DNS Name of an SGD Server

How to Change the Peer DNS Name of an SGD Server

Proxy Servers

Supported Proxy Servers

Configuring Client Proxy Settings

HTTP Connections

AIP Connections

Determining Proxy Settings From a Browser

Specifying Proxy Settings in the Client Profile

Using Proxy Server Automatic Configuration Scripts

Proxy Server Exception Lists

Proxy Server Timeouts

Configuring Server-Side Proxy Servers

How to Configure Array Routes

Firewalls

Firewalls Between Client Devices and SGD Servers

Firewalls Between SGD Servers

Firewalls Between SGD Servers and Application Servers

Other Firewalls

Secure Connections to SGD Servers

SSL Certificates

Supported Certificate Authorities

Self-Signed SSL Certificates

Using an SSL Certificate Obtained for Another Product

How to Generate a Certificate Signing Request

How to Replace a Server SSL Certificate

Firewall Traversal

The SGD Gateway

Using Firewall Forwarding

Enabling Secure Connections (Automatic Configuration)

How to Enable Secure Connections (Automatic Configuration)

Enabling Secure Connections (Manual Configuration)

How to Install a Server SSL Certificate

How to Install the CA Certificate for an Unsupported CA

How to Install a CA Certificate Chain

How to Configure Firewall Forwarding

How to Enable SGD Security Services for an SGD Server

Secure Connections and Security Warnings

Browser and Java Plugin Tool Security Warnings

SGD Server SSL Certificate Security Warnings

Untrusted Initial Connection Warnings

Using a Preconfigured hostsvisited File

Avoiding Issuer Unknown Security Warnings

Tuning Secure Connections to SGD Servers

Tuning the SSL Daemon

How to Tune SSL Daemon Processes

How to Change SSL Daemon Log Filters

How to Change SSL Daemon Maximum Restart Attempts

Using External SSL Accelerators

How to Enable External SSL Accelerator Support

Selecting a Cipher Suite for Secure Connections

How to Change the Cipher Suite for Secure Client Connections

Using Connection Definitions

How to Enable Connection Definition Processing

How to Configure Connection Definitions

2.  User Authentication

3.  Publishing Applications to Users

4.  Configuring Applications

5.  Client Device Support

6.  SGD Client and Webtop

7.  SGD Servers, Arrays, and Load Balancing

A.  Global Settings and Caches

B.  Secure Global Desktop Server Settings

C.  User Profiles, Applications, and Application Servers

D.  Commands

E.  Login Scripts

F.  Third-Party Legal Notices

Glossary

Index

Firewalls

Firewalls can be used to protect various parts of a network and must be configured to allow the connections required by SGD.

This section includes the following topics:

Firewalls Between Client Devices and SGD Servers

Client devices must be able to make HTTP and AIP connections to any SGD server in the array. This is because a user’s SGD session and a user’s application sessions can be hosted on different SGD servers.

The following table lists the ports you might need to open to allow connections between client devices and SGD servers.

Source
Destination
Port
Protocol
Purpose
Client
SGD web server
80
TCP
Standard, unencrypted HTTP requests and responses.

Used to display webtops and for web services.

Client
SGD web server
443
TCP
Secure, encrypted HTTPS requests and responses.

Used to display webtops and for web services.

Client
SGD server
3144
TCP
Standard, unencrypted AIP connections.

Used for control and application display updates.

Client
SGD server
5307
TCP
SSL-based secure, encrypted AIP connections.

Used for control and application display updates.

Transmission Control Ports (TCP) 80 and 443 are the Internet-standard ports for HTTP and HTTPS. Port 443 is only used if HTTPS is enabled on the SGD web server. You can configure the SGD web server to use any port.

In a default installation, ports 3144 and 5307 must both be open in the firewall. The SGD Client initially makes a secure connection on port 5307, but once the user has authenticated, the connection is downgraded to a standard connection on port 3144. See Firewall Traversal for how to configure SGD when these ports cannot be opened.

If you enable SGD security services and use only HTTPS, only ports 443 and 5307 must be open in the firewall.

Ports 3144 and 5307 are registered with the Internet Assigned Numbers Authority (IANA) and are reserved for use only by SGD.

Firewalls Between SGD Servers

A network might contain firewalls between the SGD servers in an array, for example if you have multiple offices each containing an SGD server. The SGD servers in an array must be able to connect to any other member of the array.

The following table lists the ports you might need to open to allow connections between SGD Servers.

Source
Destination
Port
Protocol
Purpose
SGD server
Another SGD server
515
TCP
Used when moving print jobs from one SGD server to another using the tarantella print move command.
SGD server
Another SGD server
1024 and above
TCP
Used to support audio, smart cards and serial ports for Windows applications.
SGD server
Another SGD server
5427
TCP
Used for connections between SGD servers to allow array replication, and sharing of both static and dynamic data across the array.

Port 5427 is registered with IANA and is reserved for use only by SGD.

If you enable support for audio, smart cards, or serial ports for Windows applications, your firewall must allow connections between SGD servers on TCP port 1024 and above. The protocol engines that manage these features run on the SGD server that hosts the user session and this might be a different server to the one that hosts the application session. If you do not use these features, it is best to disable support for them in SGD. See the following for more information:

Firewalls Between SGD Servers and Application Servers

An SGD server must be able to connect to an application server in order to run applications.

The ports used for connections between SGD servers and application servers depends on the application type and the connection method used to log in to the application server. Other ports are needed to provide support while using applications.

The following table lists the ports you might need to open to allow connections between SGD Servers and application servers.

Source
Destination
Port
Protocol
Purpose
SGD server
Application server
22
TCP
Used to connect to X and character applications using SSH.
SGD server
Application server
23
TCP
Used to connect to Windows, X, and character applications using Telnet.
Application server
SGD server
139
TCP
Used for UNIX and Linux platform client drive mapping services. The server binds to this port at start-up, whether or not client drive mapping services are enabled.
SGD server
Application server
512
TCP
Used to connect to X applications using rexec.
Application server
SGD server
515
TCP
Used to send print jobs from the application server to an SGD server.
SGD server
Application server
3389
TCP
Used to connect to Windows applications that use the Microsoft RDP protocol.
SGD server
Application server
3579
TCP
Used for connections between the primary SGD server and the SGD load balancing service on an application server.
Application server
SGD server
3579
UDP
Used for connections between the SGD load balancing service on an application server and the primary SGD server.
SGD server
Application server
5999
TCP
Used to connect to Windows applications, if the application is configured to use the Wincenter protocol and the connection method is Telnet. The Wincenter protocol is no longer supported but might be used by legacy Windows application objects.
Application server
SGD server
6010 and above
TCP
Used to connect X applications to the protocol engines on the SGD server.

For X applications, ports 6010 and above are only used if the connection method for X applications is Telnet or rexec. If the connection method is SSH, the connections use port 22. If you enable audio for X applications, all ports must be open between the application server and SGD. This is because the SGD audio daemon connects to the SGD server on random ports. This applies even if the connection method is SSH. See Audio for details.

Port 3579 is registered with IANA and is reserved for use only by SGD. You only need to open these ports if you are using SGD Advanced Load Management. See Application Load Balancing for details.

Other Firewalls

SGD needs to make connections to any authentication services and directory services you might be using.

The following table lists the ports you might need to open to allow connections between SGD Servers and other services.

Source
Destination
Port
Protocol
Purpose
SGD server
Windows server
88
TCP or UDP
Used to authenticate users in an Active Directory forest.
SGD server
Windows server
137
UDP
Used to authenticate users in a Microsoft Windows domain.
SGD server
Windows server
139
TCP
Used to authenticate users in a Microsoft Windows domain.
SGD server
LDAP directory server
389
TCP
Used to authenticate users, or to assign applications to users, using a Lightweight Directory Access Protocol (LDAP) directory.
SGD server
Windows server
464
TCP or UDP
Used to enable users to change their password if it has expired.
SGD server
LDAP directory server
636
TCP
Used to authenticate users, or to assign applications to users, using a secure connection (LDAPS) to an LDAP directory.
SecurID Authentication Manager
SGD server
1024 to

65535

UDP
Used to authenticate users using SecurID.
SGD server
Windows server
3268
TCP
Used to authenticate users in an Active Directory forest.
SGD server
Windows server
3269
TCP
Used to authenticate users in an Active Directory forest.
SGD server
SecurID Authentication Manager
5500
UDP
Used to authenticate users using SecurID.

Ports 88, 464, 3268, 3269 are only required if you are using Active Directory authentication. Ports 88 and 464 can use either the TCP or UDP protocol depending on the packet size and your Kerberos configuration. See Configuring SGD for Kerberos Authentication for details. Ports 3268 and 3269 are only used for SSL connections to Active Directory, see SSL Connections to Active Directory for details.

Ports 137 and 139 are only required if you are using a domain controller for authentication. See Windows Domain Authentication for details.

Ports 389 and 636 are only required if you are using an LDAP directory to establish a user’s identity or to assign applications to users. This applies to the following authentication mechanisms:

Ports 1024 to 65535 are only required if you are using SecurID Authentication. For the RSA SecurID Authentication Manager to communicate with an SGD server acting as an Agent Host, all ports from 1024 to 65535 must be open from the IP addresses of the Master and Slave Authentication Managers to the IP addresses of all Agent Hosts. See SecurID Authentication for details.

Port 5500 is only required if you are using SecurID authentication. For the RSA SecurID Authentication Manager to communicate with an SGD server acting as an Agent Host, port 5500 must be open from the IP addresses of the Host Agents to the IP addresses of the Master and Slave Authentication Managers.