There can be only one (port in a firewall)

In the last blog we explored how to make the connections secure, which is essential if you want to use SGD for remote access, with users outside and apps inside the corporate network boundary. An equally important prerequisite is to play nicely with firewalls.

Many organizations have a policy that allows only ports 80 and 443 (HTTP/HTTPS) to remain open. So can SGD operate over these ports, or do we need to spend weeks convincing the security guys to open up other ports?

The answer is that SGD can work entirely over a single port, and this blog explains how.

SGD, or more precisely one component of it, is made to sit on the external port 443, as shown in the diagram: the SGD proxy listens on external-dns:443, in front of both the SGD server and the web server.

SGD can discover whether the traffic arriving on that port is AIP (Adaptive Internet Protocol, the protocol the SGD client speaks) or HTTPS without needing to decrypt it, and forwards each stream to the web server or to the SGD server accordingly. In this way only one port needs to be opened in the firewall.

Here's how to set up SGD in this way:

  1. Set up the web server to listen on localhost:443 only. Edit the web server configuration file /opt/tarantella/webserver/apache/*/conf/httpd.conf and change the port it listens on from:
    Listen 443
    to...
    Listen 127.0.0.1:443

  2. Set up SGD to listen on external-dns:443:
    # /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443

  3. Tell SGD where to send the non-AIP (HTTPS) traffic, i.e. the web server's new loopback address:
    # /opt/tarantella/bin/tarantella config edit --security-firewallurl https://127.0.0.1:443

  4. Finally, restart the web server in SSL mode (it must speak HTTPS on the loopback address given in the firewall URL) and then the SGD server:
    # /opt/tarantella/bin/tarantella webserver restart --ssl
    # /opt/tarantella/bin/tarantella restart

To confirm, netstat -an should now show the web server bound only to 127.0.0.1:443, with the SGD listener on port 443 of the external address. And now you're only using one port. Voila!
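As an added example that is not part of the original post and not the SGD product's own tooling, here is the whole procedure as a POSIX shell script. The tarantella commands are the ones listed above; the httpd.conf edit is written as a function that takes any file path, so you can rehearse it on a copy of the file first. The backup, temp-file and check logic are this script's own additions, not SGD features.

```shell
#!/bin/sh
# Added example: not code from the original post or from the SGD product.
# Scripts the single-port procedure. The httpd.conf edit is a function that
# takes any file path, so it can be rehearsed on a copy; the tarantella
# command lines are exactly the ones the post gives. Backup, temp-file and
# checking logic are this script's own assumptions.

set -eu

# Step 1: bind the SGD web server's port 443 listener to loopback only.
# Rewrites the exact line "Listen 443" to "Listen 127.0.0.1:443" and leaves
# other Listen lines (e.g. Listen 80) untouched. Keeps a .orig copy the first
# time it changes the file. Returns 0 if converted or already converted,
# 1 if the file has no "Listen 443" line to convert.
bind_webserver_to_loopback() {
    conf="$1"
    if grep -q '^Listen 127\.0\.0\.1:443$' "$conf"; then
        return 0                                   # already done: idempotent
    fi
    grep -q '^Listen 443$' "$conf" || return 1
    [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
    # sed -i is not POSIX, so write to a temp file and move it into place.
    tmp="$conf.tmp.$$"
    sed 's/^Listen 443$/Listen 127.0.0.1:443/' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Sanity check before restarting anything: port 443 must be bound to loopback
# and to no other address, otherwise Apache and SGD would both try to take
# the port on the external interface. Prints offending lines; returns 1.
check_loopback_only() {
    conf="$1"
    if ! grep -q '^Listen 127\.0\.0\.1:443$' "$conf"; then
        echo "$conf: no 'Listen 127.0.0.1:443' line" >&2
        return 1
    fi
    # Matches "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443", ...
    # but not "Listen 8443"; drop the loopback line and see what is left.
    if grep -E '^Listen (.*:)?443$' "$conf" | grep -v '^Listen 127\.0\.0\.1:443$'; then
        echo "$conf: port 443 is still bound on a non-loopback address" >&2
        return 1
    fi
    return 0
}

# Steps 2 to 4: the SGD side, as given in the post. Skipped (status 2) when
# the tarantella CLI is absent, so the file functions above can be used on a
# workstation without an SGD install.
configure_sgd_single_port() {
    tt=/opt/tarantella/bin/tarantella
    if [ ! -x "$tt" ]; then
        echo "$tt not found; skipping SGD configuration" >&2
        return 2
    fi
    "$tt" config edit --array-port-encrypted 443                      # SGD on external:443
    "$tt" config edit --security-firewallurl https://127.0.0.1:443    # non-AIP -> Apache
    "$tt" webserver restart --ssl
    "$tt" restart
}

# Usage: sh single-port.sh /opt/tarantella/webserver/apache/<version>/conf/httpd.conf
# Nothing runs unless a path is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    conf="$1"
    bind_webserver_to_loopback "$conf" || {
        echo "$conf: no 'Listen 443' line found, nothing changed" >&2
        exit 1
    }
    check_loopback_only "$conf"
    configure_sgd_single_port
fi
```

Run it against the httpd.conf under /opt/tarantella/webserver/apache/*/conf/ (pick the version directory actually in use if there is more than one). If the tarantella CLI is not on the box, the file edit and the check still happen and the script stops before the SGD steps, which makes it a safe dry run of step 1.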

-FB

Comments:

Interesting. Do you know what the open sourcing status on the Sun Global Desktop product is?

Posted by Mikael Gueck on August 20, 2007 at 03:36 AM BST #

Mikael,
Some components of SGD are constrained by license agreements which prevent them from being open sourced.
But you can expect to see other components being open sourced in the future.

-FB

Posted by Fat Bloke on August 23, 2007 at 10:06 PM BST #

Dear Fat,

I am new to SGD (setup, config and deployment). Here I have questions for you.

1) In the diagram, what is the SGD proxy? Is it a proxy server or other HW?

2) What is external dns? Is it a DMZ external DNS server? If yes, what do I need to configure on it?

Appreciate any advice.

Thanks.

Posted by Mohamed Ali on September 20, 2007 at 01:51 AM BST #

Mohamed,

1. In the diagram, the boxes representing the SGD server and SGD proxy are logical representations of different components of the system.
In practice, the SGD Server and SGD Proxy are processes that operate on the same SGD server platform.
So no new hardware needed!

2. Again, in the diagram, "external dns:443" means the DNS name of the server that is located in the DMZ, as resolved by machines outside the network.
i.e. this is what you type into your client machine's browser.

Hope that clears things up a little.

-FB

Posted by Fat Bloke on September 20, 2007 at 02:13 AM BST #

Dear Fat,

Thank you for the fast response.

Based on your blog guide, I have set up a secure connection from the SGD client to the SGD server. I have set up the SGD server to use a single FW port (443). I have also integrated it with AD.

I am setting the demo for my management to look and feel.

Here are my setup:
1) 1x SFV240 server Solaris 10

2) Installed SunRay software in Global zone.

3) Created and set up 2x SGD local zones, primary and secondary. Hostnames portal-01 & portal-02. SGD server config as per above (Secure).

Internally, user can login to SGD. Now my mgmt wants to login to SGD from outside office( Home or cafe ).

Notes:
1. My SGD servers are behind a Cisco FW.

2. I decided to use DNS round-robin to load balance both SGD servers. Basically the user types http://portal.sda.com and it's directed to either the portal-01 or portal-02 server.

3. Currently my mgmt is using a VPN to access the internal network.

Question:
1. How to allow my mgmt to access SGD from home in a secure way? Pls specify if you have more than 1 solution.

2. Based on question #1, pls let me know what I need to configure in both SGD servers?

3. Where is the best place to put the SGD servers? DMZ or Internal Network?

Thanks in advance.

Regards,
Mohamed Ali

Posted by Mohamed Ali on September 24, 2007 at 01:06 AM BST #

Mohamed,
If your mgmt use a VPN, aren't they on the internal network anyway, and so can't they reach your internal SGD servers?

-FB

Posted by Fat Bloke on September 27, 2007 at 04:47 AM BST #

Back to the diagram... Is there any way to install just the SGD Proxy on a box in the dmz? (or install all of SGD but disable all but the proxy routing part?)

Our general policy is to terminate all external connections in the DMZ and then reverse proxy (if needed) to internal resources. Putting all of SGD in the DMZ would require us to blow open so many holes through the firewall it is not even funny.

Posted by john on September 27, 2007 at 04:44 PM BST #

John,

No way of doing this today, but there's a plan ;-)

It would be good to ensure the plan met your requirements, so can we hook up directly?

Drop me a mail at thefatbloke.at.googlemail.com

Cheers,

-FB

Posted by Fat Bloke on September 28, 2007 at 02:01 AM BST #

Hi Fat Bloke,

I have a query related to the SGD security settings you provided.

I have configured SGD 4.31 on a SUSE 9 Linux machine.
Enabled SGD security in FF Mode and webserver in secure mode.

Then I started a VPN client on the SGD server, connecting it to SWAN. I received a dynamic IP address during this.

I provided this IP address to a client machine (on SWAN) in /etc/hosts and connected to the SGD server.

During this the tcc gets downloaded and shows connected, but no webtop is displayed. I see the loading screen being displayed forever. Can I get to see the webtop in any way?

Thanks,
Saju

Posted by saju on December 27, 2007 at 09:19 PM GMT #

Is there any way the current SGD works with a reverse proxy or behind a load balancer?

Posted by sanjay on June 03, 2008 at 10:21 AM BST #
