Skip past navigation linksSecure Global Desktop 4.40 Administration Guide > Getting Started > Users and Trusted SGD Servers

Users and Trusted SGD Servers

Read This Topic to...
  • Understand the security implications of connecting to an SGD server
  • Understand how to use the hostsvisited file for additional security

When SGD is first installed, the initial connection between an SGD Client and an SGD server is secured with SSL. However, after the user has logged in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.

In addition to using SSL, SGD also requires users to authorize their connections to SGD so that they only connect to trusted servers. The first time a user connects to an SGD server, they see an Untrusted Initial Connection message advising that they are connecting to a server for the first time.

Screen capture of Untrusted Initial Connection dialog

Note If there is a problem with the server's security certificate, a security warning displays before the Untrusted Initial Connection message.

Users must check these details before clicking Yes. Show users how to check the details as follows:

  1. Check that the name of the server displayed in the message matches the name of the server to which the user is connecting.
  2. Check that the certificate is correct. Click View Certificate. The Certificate Details dialog displays.

    Screen capture of Certificate Details dialog

  3. Check that the Validity and Subject details are correct.
  4. Click Close.

If the details are correct, users can click Yes to agree to the connection.

Once a user has agreed to the connection, the host name and the fingerprint of the certificate are added to the hostsvisited file on the client device. The hostsvisited file is stored in the same location as the user's client profile cache.

The user is not prompted again about the connection unless there is a problem.

If there is a problem with the connection, for example because the fingerprint of the server certificate has changed, a Potentially Unsafe Connection message displays.

Screen capture of the Potentially Unsafe Connection message

To ensure that users only connect to SGD servers that are trusted, Secure Global Desktop Administrators can do the following:

Using the hostsvisited File for Additional Security

You can use use a pre-configured hostsvisited file to restrict the SGD servers that the Sun Secure Global Desktop Client can connect to. To do this you need to install the pre-configured hostsvisited file on the client device. The easiest way to create a pre-configured hostsvisited file is to copy and edit an existing hostsvisited file. You also have to add a <allowhostoverride> line manually to the hostsvisited file, as shown in the following example:

Skip past preformatted text<?xml version="1.0" encoding="UTF-8" ?>
  <server peername="">

If you omit <allowhostoverride> line, this only stops users from being prompted when they connect to any of the SGD servers listed in the hostsvisited file. It does not prevent the SGD Client from connecting to other servers.

Related Topics