The following are the main Domain Name System (DNS) requirements for SGD:
Hosts must have DNS entries that can be resolved by all clients.
DNS lookups and reverse lookups for a host must always succeed.
All client devices must use DNS.
SGD servers can have multiple DNS names. Each SGD server has one peer DNS name, and one or more external DNS names.
When configuring SGD, it is best to use fully qualified domain names.
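The requirements above (every SGD host name is fully qualified, resolves, and reverse-resolves back to the same name) are easy to check before installation or before a rename. The following script is an added example and is not part of the Oracle SGD documentation or product. It uses the system resolver by default; the resolver functions are injectable, and the zone data at the bottom is constructed so that the script can run offline and show both a clean host and the two failure modes (a stale PTR record and a missing PTR record).

```python
"""Forward/reverse DNS consistency check for SGD host names.

Added example, not Oracle SGD code. Resolver functions are injectable so the
logic can be exercised offline; by default the system resolver is used.
"""
import socket
from typing import Callable, Dict, Iterable, List


def system_forward(name: str) -> List[str]:
    """Resolve a host name to its addresses with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(addr: str) -> List[str]:
    """Reverse-resolve an address to its primary name plus aliases."""
    primary, aliases, _ = socket.gethostbyaddr(addr)
    return [primary, *aliases]


def check_dns_name(name: str,
                   forward: Callable[[str], List[str]] = system_forward,
                   reverse: Callable[[str], List[str]] = system_reverse) -> List[str]:
    """Return the problems found for one SGD host name (empty list means OK).

    Checks that the name is fully qualified, that the forward lookup succeeds,
    and that every returned address reverse-resolves to the same name.
    """
    problems: List[str] = []
    if "." not in name.strip("."):
        problems.append(f"{name}: not a fully qualified domain name")
    try:
        addrs = forward(name)
    except OSError as exc:
        return problems + [f"{name}: forward lookup failed ({exc})"]
    if not addrs:
        return problems + [f"{name}: forward lookup returned no addresses"]
    wanted = name.lower().rstrip(".")
    for addr in addrs:
        try:
            names = reverse(addr)
        except OSError as exc:
            problems.append(f"{addr}: reverse lookup failed ({exc})")
            continue
        if wanted not in {n.lower().rstrip(".") for n in names}:
            problems.append(f"{addr}: reverse lookup gives {names}, not {name}")
    return problems


def check_array(names: Iterable[str],
                forward: Callable[[str], List[str]] = system_forward,
                reverse: Callable[[str], List[str]] = system_reverse) -> Dict[str, List[str]]:
    """Run check_dns_name over every SGD server in an array."""
    return {n: check_dns_name(n, forward, reverse) for n in names}


# Constructed zone data so the example runs offline; these are not real hosts.
FAKE_ZONE = {
    "boston.example.com": ["192.0.2.10"],
    "newyork.example.com": ["192.0.2.11"],
    "paris.example.com": ["192.0.2.12"],
}
FAKE_REVERSE = {
    "192.0.2.10": ["boston.example.com"],
    "192.0.2.11": ["nyc-old.example.com"],  # stale PTR record: name mismatch
    # 192.0.2.12 deliberately has no PTR record at all
}


def fake_forward(name: str) -> List[str]:
    """Offline stand-in for system_forward using the constructed zone."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"no such host: {name}")


def fake_reverse(addr: str) -> List[str]:
    """Offline stand-in for system_reverse using the constructed PTR data."""
    try:
        return FAKE_REVERSE[addr]
    except KeyError:
        raise socket.herror(f"no PTR record for {addr}")


if __name__ == "__main__":
    for host, probs in check_array(FAKE_ZONE, fake_forward, fake_reverse).items():
        print(host, "OK" if not probs else probs)
```

Against a real array, call check_array with the peer DNS names of all servers and leave the default resolvers in place; run it from each SGD host in turn, because the requirement is that every host (and every client) can resolve the names, not only the one you happen to be logged in to.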
A peer DNS name is the DNS name that the SGD servers in the array use to identify themselves to each other. For example, boston.example.com.
An external DNS name is the DNS name that the SGD Client uses to connect to an SGD server. For example, www.example.com.
These two types of DNS names might be associated with the same network interface on the SGD host, or they might each use a different network interface. These DNS names must be fully qualified DNS names.
When you install SGD you are prompted for a DNS name for the SGD server. This must be the peer DNS name that is used inside the firewall. This is the DNS name that the SGD web server binds to.
After installation, you can configure each SGD server with one or more external DNS names. The external DNS name is used by the SGD Client when it connects to an SGD server. By default, the peer DNS name is also used as an external DNS name.
In a network containing a firewall, you might need to make some names usable outside the firewall, for example across the Internet, and others usable inside the firewall. For example, users outside the firewall might be able to use www.example.com, but not boston.example.com. Users inside the firewall might be able to use either name.
You do not have to make all your SGD servers available outside the firewall. However, if users log in to an SGD server from both inside and outside the firewall, they might not be able to resume some applications when logging in from outside the firewall.
If you use the SGD Gateway, client devices do not connect directly to SGD, instead they connect using the DNS name of a Gateway or load balancer. External DNS names are only used for direct client connections that are not routed through the Gateway. Instructions on how to install, configure, and use the Gateway are included in the Oracle Secure Global Desktop Gateway Administration Guide.
If you are using mechanisms such as an external hardware load balancer or round-robin DNS to control the SGD server that a user connects to, you must configure SGD to work with these mechanisms, see Section 7.2.1, “User Session Load Balancing”.
For a standard installation, the external DNS name of an SGD server is the same as the peer DNS name of the server. You are prompted to enter the peer DNS name when you install SGD.
You can change the external DNS name of an SGD server without having to reinstall the software, see Section 1.2.1.1, “How to Change the External DNS Name of an SGD Server”.
You must detach an SGD server from an array and stop SGD before changing its external DNS name.
After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAMED.log file contains the details of the changes that were made. Your existing server security certificates are backed up in the /opt/tarantella/var/info/certs/external.OLD.number directory.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
You can only change the external DNS name from the command line.
Log in as superuser (root) on the SGD host.
Detach the SGD server from the array.
If you are changing the external DNS name of the primary SGD server, first make another server the primary server and then detach the server.
# tarantella array detach --secondary serv
Run the tarantella status command on the detached server to check that it is detached from the array.
Stop the SGD server.
Ensure that the DNS name change for the SGD host has taken effect.
Check your DNS configuration and ensure that the other SGD servers can resolve the new DNS name. You might also have to edit the /etc/hosts and /etc/resolv.conf files on the SGD host.
Change the external DNS name of the SGD server.
Use the following command:
# tarantella serverrename --extdns newname
It is best to use a fully qualified DNS name.
The --extdns option only works if the SGD server has a single external DNS name. If the server has more than one external DNS name, you must manually update the external DNS names. See Section 1.2.3, “Configuring External DNS Name Connection Filters”.
When prompted, enter Y to proceed with the name change.
SGD regenerates the following SSL certificates:
Certificates used for secure intra-array communication.
For details about secure intra-array communication, see Section 7.1.4, “Secure Intra-Array Communication”.
The SSL certificate for the SGD server.
Because the new DNS name is not included in the SSL certificate used by the SGD server, a new server SSL certificate is regenerated.
Restart the SGD web server and SGD server.
Join the SGD server to the array.
The clock on the server joining the array must be in synchronization with the clocks on the other servers in the array. If the time difference is more than one minute, the array join operation fails.
# tarantella array join --primary p-serv --secondary s-serv
(Optional) Reconfigure your SGD Gateway deployment.
If you are using the SGD Gateway, you might need to do the following:
Install the SGD server SSL certificate on each SGD Gateway. This is required because you regenerated the server SSL certificate in Step 5.
Install the new peer Certificate Authority (CA) certificate generated in Step 5 on each SGD Gateway. This is only required when you change the peer DNS name for the primary SGD server in the array.
For more information about reconfiguring your Gateway deployment, see the Oracle Secure Global Desktop Gateway Administration Guide.
You can change the peer DNS name of an SGD server without having to reinstall the software, see Section 1.2.2.1, “How to Change the Peer DNS Name of an SGD Server”.
You must detach an SGD server from an array and stop SGD before changing its peer DNS name.
After changing the DNS name, the /opt/tarantella/var/log/SERVER_RENAMED.log file contains the details of the changes that were made. Your existing server security certificates are backed up in the /opt/tarantella/var/info/certs/external.OLD.number directory.
If you have installed SGD printer queues on UNIX or Linux platform application servers, you might have to remove the printer queue that uses the old DNS name of the SGD server, and configure a new printer queue that uses the new DNS name of the SGD server. See Section 5.1.4, “Configuring UNIX and Linux Platform Application Servers for Printing”.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
You can only change the peer DNS name from the command line.
Log in as superuser (root) on the SGD host.
Detach the SGD server from the array.
If you are changing the peer DNS name of the primary SGD server, first make another server the primary server and then detach the server.
# tarantella array detach --secondary serv
Run the tarantella status command on the detached server to check that it is detached from the array.
Stop the SGD server.
Ensure that the DNS name change for the SGD host has taken effect.
Check your DNS configuration and ensure that the other SGD servers can resolve the new DNS name. You might also have to edit the /etc/hosts and /etc/resolv.conf files on the SGD host.
Change the peer DNS name of the SGD server.
Use the following command:
# tarantella serverrename --peerdns newname
It is best to use a fully qualified DNS name.
When prompted, enter Y to proceed with the name change.
If you use the SGD server as an application server, enter Y when prompted to rename default objects. This means the application server object is reconfigured automatically to use the new DNS name.
SGD regenerates the following SSL certificates:
Certificates used for secure intra-array communication.
For details about secure intra-array communication, see Section 7.1.4, “Secure Intra-Array Communication”.
The SSL certificate for the SGD server.
Because the new DNS name is not included in the SSL certificate used by the SGD server, a new server SSL certificate is regenerated.
Restart the SGD web server and SGD server.
Join the SGD server to the array.
The clock on the server joining the array must be in synchronization with the clocks on the other servers in the array. If the time difference is more than one minute, the array join operation fails.
# tarantella array join --primary p-serv --secondary s-serv
(Optional) Reconfigure your SGD Gateway deployment.
If you are using the SGD Gateway, you might need to do the following:
Install the SGD server SSL certificate on each SGD Gateway. This is required because you regenerated the server SSL certificate in Step 5.
Install the new peer Certificate Authority (CA) certificate generated in Step 5 on each SGD Gateway. This is only required when you change the peer DNS name for the primary SGD server in the array.
For more information about reconfiguring your Gateway deployment, see Changing the Peer DNS Name of an SGD Server in the Oracle Secure Global Desktop Gateway Administration Guide.
When an SGD Client connects directly to an SGD server, it connects using the external DNS name provided by the SGD server. The actual DNS name used is determined using the IP address of the client.
If you use the SGD Gateway, external DNS names are only used for direct client connections that are not routed through an SGD Gateway.
You configure external DNS names by setting one or more filters that match client IP addresses to DNS names. Each filter has the format Client-IP-Pattern:DNS-Name
The Client-IP-Pattern can be either of the following:
A regular expression matching one or more client device IP addresses, for example 192.168.10.*
A subnet mask expressed in the number of bits to match one or more client device IP addresses, for example 192.168.10.0/22
SGD servers can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.
If SGD is configured for firewall forwarding, you cannot use multiple external DNS names because SGD cannot determine the IP address of the client device. In this situation, you can configure a single external DNS name, for example *:www.example.com, and then use split DNS so that clients can resolve the name to different IP addresses, depending on whether they are inside or outside the firewall. See Section 1.5.2, “Firewall Traversal”.
The following is an example of external DNS name connection filter configuration:
$ tarantella config edit --server-dns-external \
"192.168.10.*:boston.example.com" "*:www.example.com"
With this configuration, the following applies:
Clients with IP addresses beginning 192.168.10 connect to boston.example.com.
All other clients connect to www.example.com.
If the order of the filters is reversed, all clients connect to www.example.com.
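The first-match rule is easy to get wrong when a catch-all filter is listed first, so it helps to model the selection before saving a filter list. The following script is an added example and is not Oracle SGD code; the page only says that a pattern is a regular expression or a subnet mask in bits, so this model makes three assumptions about evaluation: a bare * matches every client, a pattern containing / is treated as a CIDR prefix, and any other pattern is a regular expression that must match the whole client address. It replays the page's two-filter example, the reversed order, and a CIDR filter, and flags filters that can never be selected because a * precedes them.

```python
"""Model of SGD external DNS name connection filter selection.

Added example, not Oracle SGD code. Assumptions: "*" matches every client,
a pattern containing "/" is a CIDR prefix, anything else is a regular
expression matched against the whole client IP address. First match wins.
"""
import ipaddress
import re
from typing import List, Optional, Tuple


def parse_filters(filters: List[str]) -> List[Tuple[str, str]]:
    """Split each 'Client-IP-Pattern:DNS-Name' filter into its two parts.

    rpartition is used because DNS names contain no ':' while patterns may.
    """
    parsed = []
    for f in filters:
        pattern, sep, dns_name = f.rpartition(":")
        if not sep or not pattern or not dns_name:
            raise ValueError(f"malformed filter: {f!r}")
        parsed.append((pattern, dns_name))
    return parsed


def pattern_matches(pattern: str, client_ip: str) -> bool:
    """Decide whether one Client-IP-Pattern matches a client address."""
    if pattern == "*":                      # assumption: bare * is a catch-all
        return True
    if "/" in pattern:                      # assumption: subnet-mask-in-bits form
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    # assumption: regular expression, anchored to the whole address
    return re.fullmatch(pattern, client_ip) is not None


def external_dns_name(filters: List[str], client_ip: str) -> Optional[str]:
    """Return the external DNS name a client would be given, or None if no filter matches."""
    for pattern, dns_name in parse_filters(filters):
        if pattern_matches(pattern, client_ip):
            return dns_name
    return None


def unreachable_filters(filters: List[str]) -> List[str]:
    """Filters that can never be selected because a bare '*' is listed before them."""
    for i, (pattern, _) in enumerate(parse_filters(filters)):
        if pattern == "*":
            return filters[i + 1:]
    return []


# The filter list from the page's example, in the documented order.
PAGE_FILTERS = ["192.168.10.*:boston.example.com", "*:www.example.com"]

if __name__ == "__main__":
    for ip in ("192.168.10.25", "10.0.0.5"):
        print(ip, "->", external_dns_name(PAGE_FILTERS, ip))
    reversed_filters = list(reversed(PAGE_FILTERS))
    print("reversed:", external_dns_name(reversed_filters, "192.168.10.25"))
    print("never selected:", unreachable_filters(reversed_filters))
```

One caveat that follows from the regular-expression reading: under that reading 192.168.10.* also matches addresses such as 192.168.100.5, because the unescaped dots match any character. When the intent is a specific subnet, the subnet-mask form (192.168.10.0/22 in the page's example, or 192.168.10.0/24 for one class C) says exactly what is meant.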
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
In the Administration Console, go to the SGD Servers tab and select an SGD server.
The General tab displays.
In the External DNS Names field, type one or more filters for the external DNS names.
Each filter matches client IP addresses to DNS names.
Press the Return key after each filter.
The format of each filter is described in Section 1.2.3, “Configuring External DNS Name Connection Filters”.
The order of the filters is important. The first match is used.
Click Save.
Restart the SGD server.
You must restart the SGD server for the external DNS names to take effect.