Oracle Secure Global Desktop Administration Guide for Version 4.6

Proxy Servers

To be able to connect to SGD through a proxy server, client devices might need to be configured with the address and port number of the proxy servers. You might also need to configure SGD to give clients information about server-side proxy servers.

This section includes the following topics:

Supported Proxy Servers

The supported proxy servers are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

Configuring Client Proxy Settings

To configure client proxy settings, you must configure proxy settings for both the HTTP connections and the AIP connections. How you do this is described in the following sections.

HTTP Connections

HTTP connections are the connections between the user’s browser and the SGD web server, for example to display a webtop. These connections always use the proxy settings configured for the browser.

AIP Connections

AIP connections are the connections between the SGD Client and the SGD server used to display applications. For these connections, the settings in the client profile control whether the SGD Client determines the proxy settings from a browser or from the client profile itself.

The SGD Client always stores the last proxy settings it used in the client profile cache. See About the Profile Cache for details.


Note - You can only configure a SOCKS proxy for the AIP connection by specifying an array route. See Configuring Server-Side Proxy Servers for details.


Determining Proxy Settings From a Browser

If the Use Default Web Browser Settings check box is selected in the client profile, the proxy server settings are determined from the user’s default browser. The SGD Client stores the proxy settings in the profile cache on the client device and uses these settings when it next starts.

If Establish Proxy Settings on Session Start is selected in the client profile, the SGD Client obtains the proxy settings from the browser every time it starts. The stored proxy settings are not used. If Automatic Client Login is selected in the client profile, the Establish Proxy Settings on Session Start setting is disabled.

If the SGD Client is in Integrated mode, and there are no proxy settings in the profile cache, the SGD Client attempts to make a direct connection.

To be able to determine the proxy settings from a browser, the browser must have Java technology enabled. If Java technology is not available, or it is disabled in the browser, the proxy settings must be manually specified in the client profile.


Note - If proxy server settings are defined in the Java Control Panel for the Sun Java Plugin tool, these settings are used instead of the browser settings.


Specifying Proxy Settings in the Client Profile

If the Manual Proxy Settings check box is selected in the client profile, you can specify either an HTTP or an SSL proxy server in the client profile itself.

Using Proxy Server Automatic Configuration Scripts

Whenever client proxy server configuration is determined from a browser, you can use an automatic configuration script to automatically configure the proxy settings.

You specify the Uniform Resource Locator (URL) of the configuration script in the connection settings for the browser. The automatic configuration script must be written in the JavaScript programming language and have either a .pac file extension or no file extension. See Proxy Auto-Config File for details.


Note - Use this format for all browsers supported by SGD.


Proxy Server Exception Lists

You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a browser. You cannot configure exception lists in the client profile. The exception list can be configured in the browser or Sun Java Plugin tool.

An exception list is a list of DNS host names. For Internet Explorer, the list is a semicolon-separated list. For Mozilla-based browsers, the list is a comma-separated list. Exception lists can include the * wildcard.

There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of *.example.com, connections to chicago.example.com and detroit.example.com do not use a proxy server, but connections that use the IP addresses for these hosts do use a proxy server.

Exception lists must always include the following entries:

localhost; 127.0.0.1
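The following sketch models the exception-list rules above so that a list can be checked before it is rolled out to client devices. It is an added example, not code from SGD or any browser; the function names, the sample list, and the address 192.0.2.10 are constructed, and the wildcard handling (`*` matches any run of characters) is a simplifying assumption.

```javascript
// Added example. Function names and sample data are constructed.
// Assumption: * matches any run of characters, compared case-insensitively.
function entryToRegExp(entry) {
  const escaped = entry.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Internet Explorer lists are semicolon-separated, Mozilla-based lists comma-separated.
function parseExceptionList(list, browser) {
  const separator = browser === "ie" ? ";" : ",";
  return list.split(separator).map((e) => e.trim()).filter((e) => e !== "");
}

// The target is compared exactly as the client addresses it. No DNS lookup is
// done, so a host name entry never covers the same host reached by IP address.
function bypassesProxy(target, entries) {
  return entries.some((entry) => entryToRegExp(entry).test(target));
}

// Entries that every exception list must contain but this one lacks.
function missingRequiredEntries(entries) {
  const present = entries.map((e) => e.toLowerCase());
  return ["localhost", "127.0.0.1"].filter((req) => !present.includes(req));
}

// Audit a list against the targets that clients actually connect to.
function auditExceptionList(list, browser, targets) {
  const entries = parseExceptionList(list, browser);
  return {
    missing: missingRequiredEntries(entries),
    proxied: targets.filter((t) => !bypassesProxy(t, entries)),
  };
}

// Constructed input: 192.0.2.10 stands for the IP address of chicago.example.com.
const report = auditExceptionList(
  "*.example.com; localhost",
  "ie",
  ["chicago.example.com", "detroit.example.com", "192.0.2.10"]
);
console.log(report);
```

The `proxied` result lists the targets that still go through the proxy server, which is how a connection made by IP address shows up even though its host name is covered by the list.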

Proxy Server Timeouts

Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends AIP keepalive packets every 100 seconds to keep the connection open.

If you find that applications disappear after a short while, you might have to increase the frequency at which AIP keepalive packets are sent.

In the Administration Console, go to the Global Settings -> Communication tab and decrease the AIP Keepalive Frequency, which is the interval in seconds between keepalive packets. Alternatively, use the following command:

$ tarantella config edit --sessions-aipkeepalive secs

Note - You must restart every SGD server in the array for changes to this attribute to take effect.


Configuring Server-Side Proxy Servers

SGD can be configured so that the SGD Client connects through a server-side SOCKS version 5 proxy server. The actual proxy server used is determined using the IP address of the client. This is known as an array route.

If you use the SGD Gateway, array routes are only used for client connections that are not routed through an SGD Gateway.

You configure array routes by setting one or more filters that match client IP addresses to server-side proxy servers. Each filter has the format Client-IP-Pattern:type:host:port.

The Client-IP-Pattern can be either of the following:

The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.

The host and port are the DNS name or IP address and port of the proxy server to use for the connection.

SGD can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.

If you use an external SSL accelerator instead of SGD to handle SSL processing, append :ssl to the array route, as shown in the following example. This instructs the SGD Client to use SSL on that connection before continuing with the SOCKS connection. See Using External SSL Accelerators for details.


Caution - If SGD is configured for firewall forwarding, you cannot use multiple array routes because SGD cannot determine the IP address of the client device. You can configure a single array route, for example *:CTSOCKS:taurus.example.com:8080. See Firewall Traversal.


The following is an example of array routes configuration:

192.168.5.*:CTDIRECT: \
192.168.10.*.*:CTSOCKS:taurus.example.com:8080 \
*:CTSOCKS:draco.example.com:8080:ssl

With this configuration, the following applies:

How to Configure Array Routes

Before You Begin

You can only configure array routes from the command line.

Ensure that no users are logged in to the SGD servers in the array, and that there are no running application sessions, including suspended application sessions.

  1. Configure the filters for array routes.

    Use the following command:

    $ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes routes

    Enclose routes in quotes and separate each filter with a comma, for example "filter1,filter2,filter3".

    The format of each filter is described in Configuring Server-Side Proxy Servers.

    The order of the filters is important. The first match is used.

  2. Restart every SGD server in the array.

    You must restart every server in the array for array routes to take effect.
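Because the first matching filter wins and a change needs a restart of every server in the array, it helps to check a routes string before applying it. The following is an added example, not part of SGD; the function names and sample routes are constructed, and it assumes IPv4 addresses or DNS names and that `*` in Client-IP-Pattern matches any run of characters.

```javascript
// Added example. Names and sample routes are constructed for illustration.
// Assumption: * in a Client-IP-Pattern matches any run of characters.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Parse one filter of the form Client-IP-Pattern:type:host:port[:ssl].
function parseFilter(filter) {
  const [pattern, type, host = "", port = "", flag = ""] = filter.trim().split(":");
  if (!pattern) throw new Error("missing Client-IP-Pattern: " + filter);
  if (type !== "CTSOCKS" && type !== "CTDIRECT") throw new Error("unknown type: " + filter);
  if (type === "CTSOCKS" && (!host || !/^\d+$/.test(port))) {
    throw new Error("CTSOCKS needs host and port: " + filter);
  }
  if (flag && flag !== "ssl") throw new Error("unknown suffix: " + filter);
  return { pattern, type, host, port: port ? Number(port) : null, ssl: flag === "ssl" };
}

// The routes value is a comma-separated list of filters.
function parseRoutes(routes) {
  return routes.split(",").map(parseFilter);
}

// First match wins: return the first filter matching the client IP, or null.
function routeFor(clientIp, filters) {
  return filters.find((f) => patternToRegExp(f.pattern).test(clientIp)) || null;
}

// A filter is unreachable when an earlier pattern already covers its pattern.
function shadowedFilters(filters) {
  return filters.filter((f, i) =>
    filters.slice(0, i).some((earlier) => patternToRegExp(earlier.pattern).test(f.pattern)));
}

// Report ordering problems and the single-route limit under firewall forwarding.
function lintRoutes(routes, firewallForwarding) {
  const filters = parseRoutes(routes);
  const findings = shadowedFilters(filters).map((f) => "unreachable: " + f.pattern);
  if (firewallForwarding && filters.length !== 1) {
    findings.push("firewall forwarding allows a single array route");
  }
  return findings;
}

// Constructed routes: the second string puts the catch-all first by mistake.
const GOOD = "192.168.5.*:CTDIRECT:,192.168.10.*:CTSOCKS:taurus.example.com:8080,*:CTSOCKS:draco.example.com:8080:ssl";
const MISORDERED = "*:CTSOCKS:draco.example.com:8080:ssl,192.168.5.*:CTDIRECT:";
console.log(routeFor("192.168.5.20", parseRoutes(GOOD)), lintRoutes(MISORDERED, false));
```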