A.1 Overview

Sun Ray Software supports Internet Protocol security (IPsec) to provide high quality, cryptographically-based security between Sun Ray Clients and Sun Ray servers. The security services offered with IPsec include access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and upper-layer protocols.

The Sun Ray Software implementation of IPsec is incorporated into the Sun Ray Client firmware and is derived from an open source implementation provided at http://ipsec-tools.sourceforge.net. No IPsec implementation changes are needed on the Sun Ray server, but the Sun Ray server requires the same general capabilities to configure IPsec, such as an IKE implementation and a tool to manage the security policy. The IPsec implementation is composed of three parts: the network stack implementation of IPsec itself, which provides the security of the actual traffic; the Internet Key Exchange (IKE) implementation, which manages the dynamic generation of keying material and the authentication of the endpoints; and the policy management, through the Security Policy Database (SPD), which specifies which traffic should be protected and how.

After configuring and enabling IPsec on the Sun Ray server and the Sun Ray Client, the Sun Ray Client negotiates a secure end-to-end IPsec tunnel with the Sun Ray server before interacting with Sun Ray services on the server. The Sun Ray Client is always the initiator of the connection, so it does not have to respond to inbound connection requests. This negotiation is similar to the existing IPsec VPN behavior, where IPsec is established with a VPN gateway before Sun Ray services are invoked. However, the two IPsec deployments require different configurations.
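To illustrate the policy-management part described above, the following is an added example of a server-side SPD policy in setkey(8) syntax from ipsec-tools; it is not taken from the Sun Ray documentation or product, and the addresses are placeholders (198.51.100.20 for the Sun Ray server, 192.0.2.45 for a Sun Ray Client). It requires ESP in tunnel mode for all traffic between the two hosts; the SAs themselves are generated dynamically by IKE once the client initiates, so none are entered statically here.

```text
# Illustrative SPD policy for a Sun Ray server (setkey -f syntax).
# Placeholder addresses, not from the documentation:
#   198.51.100.20  = Sun Ray server
#   192.0.2.45     = Sun Ray Client
# Flush any existing policy, then require ESP in tunnel mode in both directions.
spdflush;

# Inbound traffic from the client must arrive inside an ESP tunnel.
spdadd 192.0.2.45/32 198.51.100.20/32 any -P in ipsec
        esp/tunnel/192.0.2.45-198.51.100.20/require;

# Outbound traffic to the client must be sent inside an ESP tunnel.
spdadd 198.51.100.20/32 192.0.2.45/32 any -P out ipsec
        esp/tunnel/198.51.100.20-192.0.2.45/require;
```

With the `require` level, traffic matching these selectors is dropped rather than sent in the clear if no SA exists, which is the check a practitioner should make after loading the policy (for example by confirming with `setkey -DP` that both entries are present).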