2.1. Desktop Access Layer

2.1.1. Sun Ray Clients
2.1.2. RDP Clients and the Oracle VDI RDP Broker
2.1.3. Web Services Clients
2.1.4. Oracle Secure Global Desktop

This section describes security properties of the methods used to access Oracle VDI desktops. For further details on aspects of desktop access that are not directly related to security, see Desktop Access in the Oracle Virtual Desktop Infrastructure Administrator's Guide.

2.1.1. Sun Ray Clients

Oracle VDI embeds and configures Sun Ray Software, including the Sun Ray Windows connector, to enable the use of Sun Ray Clients and the Oracle Virtual Desktop Client for access to virtual desktops. Oracle VDI does not increase Sun Ray connection security requirements beyond the Sun Ray Software defaults.

2.1.1.1. Client Connection

Sun Ray Clients use the Appliance Link Protocol (ALP) to connect to a Sun Ray server running on an Oracle VDI host. ALP provides some limited security features, which can be administered at the Sun Ray server level. For example, ALP can encrypt keystroke and display traffic between the Sun Ray Client and the Sun Ray server, but it does not encrypt USB device traffic. For information on enabling and disabling USB devices, see How to Enable or Disable USB Device Services in the Sun Ray Software Administration Guide.

After the Client is authenticated and connected to the Sun Ray Server via ALP, the Sun Ray Windows connector provides access to the virtual desktop via RDP. The RDP connection can and should occur entirely within the data center.

Sun Ray Clients can be located anywhere. If they are located outside the corporate network, their built-in VPN capabilities make it more difficult for network traffic to be intercepted. For more information, see
 VPN Support in the Sun Ray Software Administration Guide.

The OVDC does not have built-in VPN capabilities. Use of OVDC in a configuration that requires VPN for remote access requires that VPN client software be installed on the host operating system (OS).

2.1.1.2. Kiosk Mode

Sun Ray Software kiosk mode bypasses traditional UNIX user authentication, typically to provide controlled access to a Windows session hosted on a Remote Desktop Services Host without requiring extra login steps for users. Oracle VDI uses kiosk mode to provide access to virtual desktops from traditional Sun Ray Clients, with or without smart cards, and from Oracle Virtual Desktop Client clients.

The Oracle VDI kiosk session runs under an anonymous UNIX account. It authenticates users against the configured User Directory rather than the local UNIX passwd name service, presenting the user with an Oracle VDI login screen instead of a Sun Ray login screen.

Once authenticated to Oracle VDI, users can access their assigned virtual desktops. User credentials are retained in memory for the duration of the kiosk session so that credentials can be passed between processes, when needed, via UNIX pipes; however, credentials are never stored in a database, on a disk, or in any other persistent fashion.

If client-side authentication is disabled in Oracle VDI, no authentication is performed on the Oracle VDI host, and login is deferred to the virtual desktop.

Kiosk mode and sessions are described more fully in Kiosk Mode in the Sun Ray Software Administration Guide.

2.1.1.3. Desktop Selector

Before gaining access to any desktop, each user normally goes through some kind of authentication mechanism. Oracle VDI comes with its own Desktop Login screen, which enforces a simple user name/password authentication against a configured user directory. Upon successful authentication, the user is presented with a Desktop Selector screen. The Desktop Selector displays a list of the desired desktops on the Sun Ray Client or Oracle Virtual Desktop Client. The desktop selection step can be skipped if the user is not assigned multiple desktops.

You can fine-tune and modify the behavior of the Desktop Selector two ways: by using the Oracle VDI command-line interface to modify global configuration settings or by using the Sun Ray Administration tool (Admin GUI) to modify arguments and parameters for the Oracle VDI kiosk session. Several of these settings also affect system security, as described below.

You can switch Oracle VDI authentication off completely, for instance, to support some other authentication mechanism or to hide the Oracle VDI Desktop Login and Desktop Selector screens. In such a scenario, it is highly recommended that you make sure authentication is enforced on the desktop operating system (OS) itself. For example, the desktop should be configured to bring up its own standard login screen before allowing access to any sensitive data.

When the Desktop Selector is used and authentication is enabled, desktops are typically configured for single sign-on (auto login). In this scenario, after successfully passing the initial Oracle VDI login screen, the user can access all assigned desktops without having to pass through any other login screens that might otherwise be presented by the desktop OS.

Oracle VDI automatically forwards any initially entered user name/password information to the selected desktop. This is convenient for the user, but it also implies a potential security risk. If the user leaves the Sun Ray session open without logging out explicitly, a different user could sit down at the Sun Ray Client and access all of the previous user's desktops without passing any kind of authentication. To minimize this risk:

  • Instruct users either to log out explicitly before leaving a Sun Ray Client or to bring up the Oracle VDI screen lock (see Section 2.1.1.4, “Screen Locks” in the Oracle Virtual Desktop Infrastructure Administrator's Guide).

  • Configure a reasonably short session idle timeout interval, so that a user who does not select a desktop within a given amount of time is automatically logged out by the system (see How to Change the Admin GUI Timeout in the Sun Ray Software Administration Guide).

2.1.1.4. Screen Locks

Most desktop operating systems provide their own screen locking mechanism, which automatically locks the screen after a certain period of inactivity. Automatic screen locking, however, may give Oracle VDI users a false feeling of security. For instance, it is easy to use the Sun Ray Windows connector menu to disconnect from a desktop that displays a locked screen while remaining logged in to the Oracle VDI system and able access assigned desktops. To avoid this possibility, you can enforce a logout always policy, so that the user is logged out of Oracle VDI completely when any displayed desktop is disconnected (see About the Oracle VDI Sun Ray Kiosk Session in the Oracle Virtual Desktop Infrastructure Administrator's Guide).

The drawback of this policy is that it prevents users from switching between multiple desktops without having to re-enter a user name/password pair. You can disable this default logout behavior in order to improve user experience but should consider the security implications before doing so.

Oracle VDI also provides its own built-in screen locking mechanism, which is disabled by default. Once you switch it on explicitly (see Enabling a Desktop Screen Lock for Sun Ray Clients in the Oracle Virtual Desktop Infrastructure Administrator's Guide), the screen locks whenever a Sun Ray session is disconnected, such as when a user removes a smart card. The user must then re-enter a password to access the selected/displayed desktop.

2.1.1.5. Smart Cards

Oracle VDI supports smart cards, which associate a Sun Ray session with a user by means of a token (see Tokens in the Sun Ray Software Administration Guide). It is possible to restrict the system access to registered tokens, and tokens can be registered for specific users. The Desktop Login screen implementation takes this information into account and presents the user name in the Desktop Login screen. The user name is read-only by default, so that when a smart card is inserted, a user cannot assume a different identity by changing the user name on the Desktop Login screen. The default behavior is recommended.

2.1.2. RDP Clients and the Oracle VDI RDP Broker

The Oracle VDI RDP Broker is bundled with Oracle VDI to provide access to RDP-based Oracle VDI desktops for generic RDP clients (see About the Oracle VDI RDP Broker in the Oracle Virtual Desktop Infrastructure Administrator's Guide). It first submits client requests and user credentials to the Oracle VDI Service for authentication, after which the Oracle VDI Service locates and starts the requested desktop. It then redirects the RDP client to connect directly either to the desktop host or to the Oracle VDI RDP Proxy service.

The Oracle VDI RDP Broker communicates over secure RDP connections.

The Oracle VDI RDP Broker supports Standard RDP Security at the Client-Compatible Encryption Level. This means that it uses bidirectional RC4 encryption with a key-size of up to 128 bits (see Encryption Levels). It cannot use FIPS-compliant encryption.

RDP clients cannot use Enhanced RDP Security (TLS/SSL or CredSSP/NLA) when accessing the Oracle VDI RDP Broker.

2.1.2.1. Oracle VM VirtualBox VRDP

The Oracle VM VirtualBox Remote Display Protocol (VRDP) is a backward-compatible extension to RDP that supports the use of any standard RDP client to control remote virtual desktops. When an RDP client accesses VirtualBox desktops through VRDP, the client remains connected to the Oracle VDI RDP Proxy service, which is part of the Oracle VDI RDP Broker. The Oracle VDI RDP Proxy then relays RDP messages to the Oracle VDI desktop based on routing information contained in the routing token.

The routing token is sent to the RDP Proxy unencrypted. RDP connection security for connections through the Oracle VDI RDP Proxy is negotiated directly between the client and the virtual machine. VirtualBox supports Standard RDP Security at the Client-Compatible Encryption Level.

Although enhanced RDP security (TLS/SSL) is supported for direct access to VirtualBox VRDP, it cannot be used for connections through the Oracle VDI RDP Proxy.

2.1.2.2. Microsoft RDP

When an RDP client accesses Windows desktops through Microsoft RDP, the Oracle VDI RDP Broker redirects it to the Remote Desktop Services (RDS) server farm or to the individual desktop, which requires direct access from the client PC to the desktop host.

RDP connection security for these connections is negotiated directly between the client and the desktop host. The exact combination of RDP encryption and security options for connections depends on the configuration of the virtual machine or RDS server and client capabilities.

2.1.3. Web Services Clients

The Oracle VDI web service API enables the creation of custom clients. It uses the same web server as the Oracle VDI Manager and shares the same certificates.

The web service API also enables queries of desktop access information for a given Oracle VDI user and control of that user's desktop. Any such user must be registered in the User Directory and must present authentication credentials in order for a client to connect to the web service API. Web service API connections use secure HTTPS connections. Web services clients must be set up to accept the server certificates, which by default are self-signed.

To access the desktops managed through the web services API, web services clients require direct RDP access to the desktop host.

2.1.4. Oracle Secure Global Desktop

Oracle Secure Global Desktop (SGD) provides access to Oracle VDI desktops from the SGD webtop. Access methods have evolved over time, and are described in the following paragraphs. All use the Adaptive Internet Protocol (AIP) for access from the client PC to SGD and are described in Desktop Access Using Oracle Secure Global Desktop in the Oracle Virtual Desktop Infrastructure Administrator's Guide. See SGD documentation for more information about AIP security and configuration.

SGD 4.6 includes a Virtual Server Broker that acts as an Oracle VDI client. If Oracle VDI and SGD are installed on the same host, the Virtual Server Broker can establish a connection from the SGD RDP client to the user's Oracle VDI desktop.

SGD 4.7 also includes an add-on Virtual Server Broker, which uses the web services API. With SGD 4.7, SGD and Oracle VDI do not need to be co-located.

The web service security properties described in Section 2.1.3, “Web Services Clients” apply between the SGD server and the Oracle VDI and desktop hosts.

You may choose to set up a SGD Windows Object to access Oracle VDI through the Oracle VDI RDP Broker. In this case, the RDP client security properties described in Section 2.1.2, “RDP Clients and the Oracle VDI RDP Broker” apply between the SGD server and the Oracle VDI and desktop hosts.

SGD supports the encryption levels listed under Section 2.1.2, “RDP Clients and the Oracle VDI RDP Broker”. SGD does not support:

  • Federal Information Processing Standards (FIPS) encryption level

  • Transport Layer Security (TLS) for server authentication

  • Terminal Server communication encryption