14.6. VPN Support

Sun Ray Clients are able to provide a VPN solution for remote users. The IPsec capability in the Sun Ray Client firmware enables the Sun Ray Client to act as a VPN endpoint device. The most commonly used encryption, authentication, and key exchange mechanisms are supported, along with Cisco extensions that enable a Sun Ray Client to interoperate with Cisco gateways that support the Cisco EzVPN protocol. Sun Ray Clients currently support IPsec VPN concentrators from Cisco and Netscreen (Juniper).

The security model is identical to that of the Cisco software VPN client. The client uses a common group name and key for the initial IKE phase one authentication exchange, and then authenticates the user individually with the Cisco Xauth protocol, either by presenting a fixed user name and password stored in flash memory or by requiring the entry of a user name and a one-time password generated by a token card.

VPN support relies on the Configuration GUI and the following implementations are supported:

To protect the use of stored authentication information, the VPN configuration includes a PIN entry. This feature enables two-factor authentication for Sun Ray at Home VPN deployments.

Note

You can also copy VPN configuration and certificate files to the firmware by using the file copy entry in a remote configuration file. See Table 14.3, “Remote Configuration File Key Values” for details.

14.6.1. How to Configure VPN Using Cisco Hybrid Authentication

This procedure describes the steps to modify the Configuration GUI to use Cisco Hybrid authentication.

The procedure assumes that the Sun Ray Client has access to an appropriate server supplying the necessary configuration files.

  1. Press Stop-M or Ctrl-Pause-M to open the Configuration GUI.

  2. Choose Certificates > Load Certificate File.

    • Enter the URL of a file containing the root certificate in PEM format, which is used to sign the gateway certificates.

    • Exit the menu.

  3. Choose VPN Profiles > Load Profile File.

    • Load any appropriate Cisco .pcf files.

    • Exit the menu.

  4. Choose VPN Setup > Import VPN profile.

    • Cycle through the existing .pcf files by pressing Enter until the desired profile is selected. The values from this file are populated into the submenu entries, but they are not stored until the values are saved. Cycling back to the initial entry with no .pcf file selected restores the initial values.

  5. Set more values in the VPN-Setup menu.

    • Set Enable to on.

    • Set any other VPN values desired, such as Username.

    • Save the VPN settings.

  6. (Optional) Choose Advanced > Download Configuration to download the VPN settings.

    The new Auth method is specified in the configuration file as "vpn.authmethod". The valid values, which are case-insensitive, are "xauth", "preshared", and "hybrid".

  7. Press ESC from the main menu and save the Configuration GUI settings.

    The Sun Ray Client will reboot and try to make the VPN connection.
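
A pre-flight check for the files staged before this procedure, as an added example that is not part of the original documentation: it confirms that vpn.authmethod holds one of the three valid values and, for hybrid, that the root certificate file is well-formed PEM with no private key in it. The key=value file layout, the function names and the sample inputs are assumptions made for illustration.

```python
import base64
import re

VALID_AUTH_METHODS = {"xauth", "preshared", "hybrid"}  # values listed on this page
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_config(text):
    """Parse key=value lines; the format and '#' comments are assumptions."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def check_root_pem(pem_text):
    """Structural checks only: no signature, chain or validity-date verification."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append("file contains a private key; stage the certificate only")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
            continue
        if label == "CERTIFICATE" and not der.startswith(b"\x30"):
            problems.append("CERTIFICATE block does not start with a DER SEQUENCE")
    return problems

def check_vpn_config(config_text, root_pem_text=None):
    """Return a list of problems; an empty list means every check passed."""
    method = parse_config(config_text).get("vpn.authmethod", "")
    if method.lower() not in VALID_AUTH_METHODS:
        return [f"vpn.authmethod={method!r} is not xauth, preshared or hybrid"]
    if method.lower() != "hybrid":
        return []
    if root_pem_text is None:
        return ["hybrid selected but no root certificate file supplied"]
    return check_root_pem(root_pem_text)

# Constructed samples: the PEM body is DER for SEQUENCE { INTEGER 0 }, not a certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
SAMPLE_CONFIG = "vpn.authmethod=Hybrid\n"
```

Run check_vpn_config on the configuration text and the PEM text before publishing them on the server the clients load from; a full X.509 parse (issuer, validity dates, CA flag) still needs a dedicated tool.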