Chapter 1 Introduction to Sun ONE Portal Server, Secure Remote Access

This chapter describes the Sun™ ONE Portal Server, Secure Remote Access product and the relationship between the Sun™ ONE Portal Server product and Secure Remote Access components. It also provides information on administering and configuring Secure Remote Access.

Overview of Secure Remote Access

Secure Remote Access enables remote users to securely access their organization’s network and its services over the Internet. Additionally, it gives your organization a secure internet portal, providing access to content, applications, and data to any targeted audience—employees, business partners, or the general public.

Secure Remote Access offers browser-based secure remote access to portal content and services from any remote device. It is a cost-effective, secure access solution that is accessible to users from any device with a Java technology-enabled browser, eliminating the need for client software. Integration with the Sun™ ONE Portal Server software ensures that users receive secure encrypted access to the content and services that they have permission to access.

Secure Remote Access is targeted towards enterprises deploying highly secure remote access portals. These portals emphasize security, protection, and privacy of intranet resources. The Secure Remote Access architecture is well suited to these types of portals. The Gateway, NetFile, and Netlet components of Secure Remote Access enable users to securely access intranet resources through the Internet without exposing these resources to the Internet.

The Gateway, residing in the Demilitarized Zone (DMZ), provides a single secure access point to all intranet URLs, file systems and applications. All other non-Secure Remote Access services such as Session, Authentication, and the PortalDesktop reside behind the DMZ in the secured intranet. Communication from the client browser to the Gateway is encrypted using HTTPS. Communication from the Gateway to the server and intranet resources can be either HTTP or HTTPS.

The Netlet and NetFile applets are downloaded to the client machine, while the support files may reside either on the Gateway or on the Portal Server host.

Open Mode

Secure Mode

Open Mode

In open mode, Portal Server is installed without Secure Remote Access. Although HTTPS communication is possible in this mode, secure remote access is not possible. This means that users cannot access secure remote file systems and applications.

The main difference between an open portal and a secure portal is that the services presented by the open portal typically reside within the demilitarized zone (DMZ) and not within the secured intranet. A DMZ is a small protected network between the public Internet and a private intranet, usually demarcated with firewalls on both ends.

If the portal does not contain sensitive information (deploying public information and allowing access to free applications), then responses to access requests by a large number of users is faster than using secure mode.

Figure 1-1 shows the Portal Server in open mode. Here, the Portal Server is installed on a single server behind the firewall. Multiple clients access the Portal Server across the Internet through the single firewall.

Secure Mode

Secure mode provides users with secure remote access to required intranet file systems and applications.

The Gateway resides in the demilitarized zone (DMZ). The Gateway provides a single secure access point to all intranet URLs and applications, thus reducing the number of ports to be opened in the firewall. All other Portal Server services such as Session, Authentication, and the Portal Desktop reside behind the DMZ in the secured intranet. Communication from the client browser to the Gateway is encrypted using HTTP over Secure Sockets Layer (SSL). Communication from the Gateway to the server and intranet resources can be either HTTP or HTTPS.

Figure 1-2 shows the Portal Server with Secure Remote Access. SSL is used to encrypt the connection between the client and the Portal Server gateway over the Internet. SSL can also be used to encrypt the connection between the gateway and the server. The presence of a gateway between the intranet and the Internet extends the secure path between the client and the Portal Server.

Additional servers and gateways can be added for site expansion. The components of Secure Remote Access can be configured in various ways based on the business requirement.

Secure Remote Access Components

The Gateway

The Secure Remote Access Gateway provides the interface and security barrier between remote user sessions originating from the Internet and your corporate intranet. The Gateway presents content securely from internal web servers and application servers through a single interface to a remote user.

The web servers use web-based resources such as HTML, JavaScript and XML to communicate between the client and the Gateway. The Rewriter is the Gateway component used to make web content available.

The application servers use binary protocol such as telnet and FTP to communicate between the client and the Gateway. The Netlet which resides on the Gateway is used for this purpose. See Chapter 2, "The Gateway" for more detail.

The Rewriter

The Rewriter enables end-users to browse the intranet and makes links and other URL references on those pages operate correctly. The Rewriter prepends the Gateway URL in the location field of the web browser, thereby redirecting content requests through the Gateway. See Chapter 3, "The Rewriter" for details.

The NetFile

The NetFile is a file manager application that allows remote access and operation of file systems and directories. The NetFile includes NetFile Java™, a Java-based user interface. This is available for Java 1 and Java 2. See Chapter 4, "The NetFile" for details.

The Netlet

The Netlet facilitates the running of popular or company-specific applications on remote desktops in a secure manner. After you implement Netlet at your site, users can securely run common TCP/IP services, such as Telnet and SMTP, and HTTP-based applications such as pcANYWHERE or Lotus Notes. See Chapter 5, "The Netlet" for details.

Administering Secure Remote Access

Sun™ ONE Identity Server administration console

the command-line

Most administration tasks are performed through the web-based Sun™ ONE Identity Server administration console. The administration console can be accessed locally or remotely from a web browser. However, tasks such as file modification must be administered through the UNIX command-line interface.

Configuring Secure Remote Access Attributes

You can configure attributes related to Secure Remote Access at the organization, role, and user levels, with the following exceptions:

Conflict Resolution Level cannot be set at the user level. It is also not available from the Service Configuration tab. See "Setting Conflict Resolution".

MIME-types Configuration File Location attribute can be set only at the organization level. See "Specify the MIME-types Configuration File Location".

Values set at the organization level are inherited by all roles and users under that organization. Values set at the user level override the values set at the organization or role levels.

Most attributes can be set from either the Identity Server tab or the Service Configuration tab on the Identity Server. The attributes set at the Service Configuration level serve as a template. Any new organization or user that is created inherits these values by default.

You can make changes to the attribute values at the Service Configuration level. These new values are reflected only when new organizations are added. Changes in the attribute values at the Service Configuration tab do not affect existing organizations or users. See the Sun ONE Identity Server Administration Guide for details.

You configure Secure Remote Access attributes on the Identity Server administration console under SRA Configuration using the following services:

Access List

This service allows you to allow or restrict access to specific URLs and to manage the single sign-on feature. See Chapter 8, "Configuring URL Access Control" for more information.

Gateway

This service allows you to configure all Gateway related attributes such as proxy management, cookie management, logging, rewriter management, and ciphers. See Chapter 9, "Configuring the Gateway" for more information.

NetFile

This service allows you to configure all NetFile related attributes such as common hosts, MIME-types, and access to different types of hosts. See Chapter 10, "Configuring the NetFile" for more information.

Netlet

This service allows you to configure all Netlet related attributes such as Netlet rules, access to required rules, organizations and hosts, and the default algorithm. See Chapter 11, "Configuring the Netlet" for more information.



Caution	Gateway does not receive notifications for attribute changes that are made while Gateway is running. Restart Gateway to ensure that updated profile attributes (belonging to Gateway or any other service) are used by the Gateway. See "Using Authentication Chaining".

Setting Conflict Resolution

To Set the Conflict Resolution Level

Select the Identity Management tab.

Select Organizations from the View drop-down list.

Click the required organization name. The selected organization name is reflected as the location in the top left corner of the administration console.

Select Services from the View drop-down list.

Click the arrow next to appropriate service (Access List, NetFile, or Netlet) under SRA Configuration.

Select the required level from the Conflict Resolution Level field drop-down list.

Click Save at the top or bottom of the NetFile page to record the change.