1.2. DNS Names

The following are the main Domain Name System (DNS) requirements for SGD:

SGD servers can have multiple DNS names. Each SGD server has one peer DNS name, and one or more external DNS names.

Note

When configuring SGD, it is best to use fully-qualified DNS names.

A peer DNS name is the DNS name that the SGD servers in the array use to identify themselves to each other. For example, boston.example.com.

An external DNS name is the DNS name that the SGD Client uses to connect to an SGD server. For example, www.example.com.

These two types of DNS names might be associated with the same network interface on the SGD host, or they might each use a different network interface. These DNS names must be fully-qualified DNS names.

When you install SGD you are prompted for a DNS name for the SGD server. This must be the peer DNS name that is used inside the firewall. This is the DNS name that the SGD web server binds to.

After installation, you can configure each SGD server with one or more external DNS names. The external DNS name is used by the SGD Client when it connects to an SGD server. By default, the peer DNS name is also used as an external DNS name.

In a network containing a firewall, you might need to make some names usable outside the firewall, for example across the Internet, and others usable inside the firewall. For example, users outside the firewall might be able to use www.example.com, but not boston.example.com. Users inside the firewall might be able to use either name.

Caution

You do not have to make all your SGD servers available outside the firewall. However, if users log in to an SGD server from both inside and outside the firewall, they might not be able to resume some applications when logging in from outside the firewall.

If you use the SGD Gateway, client devices do not connect directly to SGD; instead they connect using the DNS name of a Gateway or load balancer. External DNS names are only used for direct client connections that are not routed through the Gateway. Instructions on how to install, configure, and use the Gateway are included in the Oracle Secure Global Desktop Gateway Administration Guide for Release 4.7.

If you are using mechanisms such as an external hardware load balancer or round-robin DNS to control the SGD server that a user connects to, you must configure SGD to work with these mechanisms, see Section 7.2.1, “User Session Load Balancing”.


1.2.1. Configuring External DNS Names

When an SGD Client connects directly to an SGD server, it connects using the external DNS name provided by the SGD server. The actual DNS name used is determined using the IP address of the client.

If you use the SGD Gateway, external DNS names are only used for direct client connections that are not routed through an SGD Gateway.

You configure external DNS names by setting one or more filters that map client IP addresses to DNS names. Each filter has the format Client-IP-Pattern:DNS-Name, with the pattern and the DNS name separated by a colon.

The Client-IP-Pattern can be either of the following:

  • A regular expression matching one or more client device IP addresses, for example 192.168.10.*

  • A subnet prefix in CIDR notation (the subnet mask expressed as a number of bits), matching one or more client device IP addresses, for example 192.168.10.0/22

SGD servers can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.

Caution

If SGD is configured for firewall forwarding, you cannot use multiple external DNS names because SGD cannot determine the IP address of the client device. In this situation, you can configure a single external DNS name, for example *:www.example.com, and then use split DNS so that clients can resolve the name to different IP addresses, depending on whether they are inside or outside the firewall. See Section 1.5.2, “Firewall Traversal”.

The following is an example of external DNS names configuration:

$ tarantella config edit --server-dns-external \
"192.168.10.*:boston.example.com" "*:www.example.com"

With this configuration, the following applies:

  • Clients with IP addresses beginning 192.168.10 connect to boston.example.com.

  • All other clients connect to www.example.com.

If the order of the filters is reversed, all clients connect to www.example.com, because the * filter matches every client and the first match wins.
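To check a candidate filter list before saving it, the following bash script, added here as an example and not part of SGD, reproduces the first-match evaluation described above: a client address and a filter list go in, and the DNS name that client would be handed comes out. It evaluates the regular-expression form as an anchored POSIX ERE and masks host bits off CIDR patterns; the page does not say whether SGD's own matching differs in either respect, so treat both as assumptions. The extra 10.20.0.0/22 filter and the client addresses in the demonstration are constructed.

```bash
#!/bin/bash
# Added example, not SGD code: dry-run evaluator for --server-dns-external
# filters in the page's Client-IP-Pattern:DNS-Name format.

# Dotted quad -> 32-bit integer (octets with leading zeros are not handled).
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as a 32-bit integer.
cidr_mask() {
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# The subnet a CIDR pattern really covers once host bits are masked off:
# the page's 192.168.10.0/22 becomes 192.168.8.0/22.
effective_network() {
    local net=${1%/*} bits=${1#*/}
    echo "$(int_to_ip $(( $(ip_to_int "$net") & $(cidr_mask "$bits") )))/$bits"
}

# Is address $1 inside the CIDR prefix $2?
in_cidr() {
    local net=${2%/*} bits=${2#*/}
    local mask; mask=$(cidr_mask "$bits")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# One Client-IP-Pattern against one address. The regular-expression form is
# evaluated as an anchored POSIX ERE (assumption: the page only says
# "regular expression"). An unescaped '.' matches any character.
pattern_matches() {
    local pattern=$1 ip=$2
    case $pattern in
        '*')  return 0 ;;
        */*)  in_cidr "$ip" "$pattern" ;;
        *)    printf '%s\n' "$ip" | grep -Eq "^($pattern)\$" ;;
    esac
}

# Evaluate a filter list for one client address: the first matching filter
# wins and its DNS name is printed. Returns 1 if nothing matches, 2 on a
# malformed filter.
external_dns_name() {
    local ip=$1; shift
    local spec pattern dns_name
    for spec in "$@"; do
        pattern=${spec%:*}      # text before the last colon
        dns_name=${spec##*:}    # text after the last colon
        if [ "$pattern" = "$spec" ] || [ -z "$pattern" ] || [ -z "$dns_name" ]; then
            echo "malformed filter: $spec" >&2
            return 2
        fi
        if pattern_matches "$pattern" "$ip"; then
            printf '%s\n' "$dns_name"
            return 0
        fi
    done
    return 1
}

# Usage: ./dns-filter-check.sh CLIENT-IP FILTER...
# With no arguments, run a constructed demonstration: the page's two filters
# plus a CIDR one, against four constructed client addresses.
if [ "$#" -gt 0 ]; then
    external_dns_name "$@"
else
    for ip in 192.168.10.7 192.168.100.1 10.20.3.200 203.0.113.9; do
        printf '%-15s -> %s\n' "$ip" \
            "$(external_dns_name "$ip" '192.168.10.*:boston.example.com' \
               '10.20.0.0/22:boston.example.com' '*:www.example.com')"
    done
fi
```

Two things the dry run exposes. Because `.` is a regex metacharacter, the page's `192.168.10.*` also accepts 192.168.100.1 and the rest of 192.168.100.0 to 192.168.109.255, so a CIDR pattern is the safer way to express a subnet boundary; and `192.168.10.0/22` has host bits set, so in CIDR arithmetic it denotes 192.168.8.0 to 192.168.11.255, not only 192.168.10.x. Under firewall forwarding, where SGD sees the same address for every client, only a single `*:` filter gives predictable results, as the caution above says.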

1.2.1.1. How to Configure the External DNS Names of an SGD Server

Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.

  1. In the Administration Console, go to the SGD Servers tab and select an SGD server.

    The General tab displays.

  2. In the External DNS Names field, type one or more filters for the external DNS names.

    Each filter matches client IP addresses to DNS names.

    Press the Return key after each filter.

    The format of each filter is described in Section 1.2.1, “Configuring External DNS Names”.

    The order of the filters is important. The first match is used.

  3. Click Save.

  4. Restart the SGD server.

    You must restart the SGD server for the external DNS names to take effect.

1.2.2. Changing the Peer DNS Name of an SGD Server

You can change the peer DNS name of an SGD server without having to reinstall the software, see Section 1.2.2.1, “How to Change the Peer DNS Name of an SGD Server”.

You must detach an SGD server from an array and stop SGD before changing its peer DNS name.

After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAME.log file contains the details of the changes that were made. Your existing server security certificates are backed up in the /opt/tarantella/var/tsp.OLD.number directory.

If you use an SGD server as an application server, you must manually reconfigure the application server object by changing the DNS name for the application server and, optionally, renaming the object.

If you have installed SGD printer queues on UNIX or Linux platform application servers, you might have to remove the printer queue that uses the old DNS name of the SGD server, and configure a new printer queue that uses the new DNS name of the SGD server. See Section 5.1.4, “Configuring UNIX and Linux Platform Application Servers for Printing”.

1.2.2.1. How to Change the Peer DNS Name of an SGD Server

Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.

You can only change the peer DNS name from the command line.

  1. Log in as superuser (root) on the SGD host.

  2. Detach the SGD server from the array.

    If you are changing the peer DNS name of the primary SGD server, first make another server the primary server and then detach the server.

    # tarantella array detach --secondary serv
    

    Run the tarantella status command on the detached server to check that it is detached from the array.

  3. Stop the SGD server.

  4. Ensure that the DNS name change for the SGD host has taken effect.

    Check your DNS configuration and ensure that the other SGD servers can resolve the new DNS name. You might also have to edit the /etc/hosts and the /etc/resolv.conf files on the SGD host.

  5. Change the DNS name of the SGD server.

    Use the following command:

    # tarantella serverrename --peerdns newname [ --extdns newname ]
    

    It is best to use fully-qualified DNS names.

    Use the --extdns option to change the external DNS name of the server. This option only works if the SGD server has a single external DNS name. If the server has more than one external DNS name, you must manually update the external DNS names. See Section 1.2.1, “Configuring External DNS Names”.

    When prompted, type Y to proceed with the name change.

  6. Regenerate the certificates used for secure intra-array communication.

    # tarantella security keystoregen

    For details about secure intra-array communication, see Section 7.1.4, “Secure Intra-Array Communication”.

  7. (Optional) Replace the server SSL certificate.

    If the new peer DNS name is not included in the SSL certificate used by the SGD server you must replace the certificate, see Section 1.5.1.5, “How to Replace a Server SSL Certificate”.

  8. Restart the SGD web server and SGD server.

  9. Join the SGD server to the array.

    The clock on the server joining the array must be in synchronization with the clocks on the other servers in the array. If the time difference is more than one minute, the array join operation fails.

    # tarantella array join --primary p-serv --secondary s-serv
    
  10. (Optional) Reconfigure your SGD Gateway deployment.

    If you are using the SGD Gateway, you might need to do the following:

    • Install the SGD server SSL certificate on each SGD Gateway. This is only required if you replaced the server SSL certificate in Step 7.

    • Install the new peer Certificate Authority (CA) certificate generated in Step 6 on each SGD Gateway. This is only required when you change the peer DNS name for the primary SGD server in the array.

    For more information about reconfiguring your Gateway deployment, see Appendix D of the Oracle Secure Global Desktop Gateway Administration Guide for Release 4.7.
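The steps above can be driven from one script. The following bash wrapper is an added example, not SGD code: it puts pre-flight checks in front of the page's commands for the points the procedure warns about (a fully-qualified name, the new name resolving before serverrename runs, and clock skew under one minute before the array join), then runs the commands in the page's order. The tarantella subcommands are the ones shown in this section together with the standard stop, start and status subcommands; reading the primary's clock over ssh, and the script's argument order, are assumptions. Replacing the server SSL certificate (Step 7) and reconfiguring the Gateway (Step 10) remain manual.

```bash
#!/bin/bash
# Added example, not SGD code: drives the peer DNS rename procedure of
# Section 1.2.2.1 with pre-flight checks in front of the page's commands.
set -eu

MAX_SKEW=60   # seconds; the array join fails past one minute of clock drift

# The page advises fully-qualified names: two or more labels of hostname
# characters, no trailing dot.
is_fqdn() {
    printf '%s' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Step 4: the new name must already resolve on this host, via /etc/hosts or
# DNS, before serverrename runs.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Step 9 precondition: two clocks as epoch seconds, skew at most MAX_SKEW.
clock_skew_ok() {
    local delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( -delta )); fi
    [ "$delta" -le "$MAX_SKEW" ]
}

# Arguments: NEW-PEER-NAME PRIMARY-SERVER CURRENT-NAME-OF-THIS-SERVER
# (the argument order is this script's own convention).
rename_peer_dns() {
    local new_name=$1 primary=$2 this_server=$3

    is_fqdn "$new_name" ||
        { echo "use a fully-qualified name, not '$new_name'" >&2; return 1; }
    resolves "$new_name" ||
        { echo "'$new_name' does not resolve yet; fix DNS or /etc/hosts first" >&2; return 1; }

    # Steps 2-3. If this server was the primary, hand the primary role to
    # another server before running this script.
    tarantella array detach --secondary "$this_server"
    tarantella status
    tarantella stop

    # Step 5: serverrename asks for confirmation; answer Y at the prompt.
    # --extdns is omitted on purpose: it is only valid with one external name.
    tarantella serverrename --peerdns "$new_name"

    # Step 6: regenerate the intra-array CA and certificates for the new name.
    tarantella security keystoregen

    # Step 7 (replacing the server SSL certificate) stays manual.

    # Step 8: tarantella start brings up the SGD web server as well.
    tarantella start

    # Step 9: refuse the join if the clocks are more than a minute apart.
    # Assumption: this host can ssh to the primary to read its clock.
    local primary_now
    primary_now=$(ssh "$primary" date +%s)
    clock_skew_ok "$(date +%s)" "$primary_now" ||
        { echo "clock skew with $primary exceeds ${MAX_SKEW}s; sync NTP first" >&2; return 1; }
    tarantella array join --primary "$primary" --secondary "$new_name"

    # Step 10 (Gateway certificates) stays manual.
}

# Run as root on the server being renamed, for example:
#   ./rename-peer-dns.sh boston2.example.com p-serv.example.com boston.example.com
if [ "$#" -eq 3 ]; then
    rename_peer_dns "$@"
fi
```

The script stops at the first failing command because of set -e, which matters here: if serverrename or keystoregen fails, the server must not be joined back into the array with stale intra-array certificates.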