Wednesday Dec 19, 2012

Oracle Secure Global Desktop - Business Continuity During Snowstorm!

Capgemini, one of the world's largest management consulting, outsourcing and professional services companies, is an Oracle Secure Global Desktop customer and uses it to provide secure, remote access to 1) corporate applications centralized in the datacenter and 2) desktops hosted on Oracle Virtual Desktop Infrastructure.

Earlier this month, one of Capgemini's government customers in Holland was advised to avoid traveling to work, due to a heavy snowstorm. This resulted in a lot of employees working from home. Thankfully, due to their deployment of the Oracle Secure Global Desktop gateway, employees were able to easily access their corporate applications and desktops from home and anywhere outside of their office. Capgemini reports that during the days of the snowstorm, a record number of users leveraged Oracle Secure Global Desktop (servers and gateway). Despite this record usage, Oracle Secure Global Desktop remained perfectly stable and allowed users to seamlessly access their applications and desktops.

This is a great example of how Oracle Secure Global Desktop allows employee productivity and business continuity even during severe weather conditions such as snowstorms. We are delighted to have enabled business continuity for Capgemini's customers, and look forward to our continued relationship with Capgemini.

This blog has been approved for posting by Capgemini.

Friday Dec 14, 2012

Friday Tips #6, Part 1

We have a two-parter this week, with this post focusing on desktop virtualization and the next one on server virtualization.


Question:
Why would I use the Oracle Secure Global Desktop Secure Gateway?

Answer by Rick Butland, Principal Sales Consultant, Oracle Desktop Virtualization:
Well, for the benefit of those who might not be familiar with client connections in Oracle Secure Global Desktop (SGD), let me back up and briefly explain. An SGD client connects to an SGD server using two distinct protocols, which, by default, require two distinct TCP ports. The first is the HTTP protocol, used by the web browser to connect to the SGD webserver on TCP port 80, or if secure connections are enabled (SSL/TLS), then TCP port 443, commonly identified as the "HTTPS" port, that is, "SSL encrypted HTTP." The second protocol from the client to the server is the Adaptive Internet Protocol, or AIP, which is used for displaying applications, transferring drive mapping data, print jobs, and so on. By default, AIP uses the TCP port 3104, or port 5307 when SSL is enabled.

When SGD clients need to access SGD over a firewall, the ports that AIP requires are typically "closed", and most administrators are reluctant, to put it mildly, to change their firewall configurations to allow AIP traffic on 3144/5307.

To avoid this problem, SGD introduced "Firewall Forwarding", a technique where, in effect, both http and AIP traffic are "multiplexed" onto a single "well-known" TCP port, that is port 443, the https port. This is also known as single-port firewall traversal. This technique takes advantage of the fact that, as a "well-known service", port 443 is usually "open", allowing (encrypted) traffic to pass. At the target SGD server, the two protocols are de-multiplexed and routed appropriately.

The Secure Gateway was developed in response to requirements from customers for SGD to support multi-stage DMZs, and to avoid exposing SGD servers and the information they contain directly to connections from the Internet. The Secure Gateway acts as a reverse proxy in the first tier of the DMZ, accepting, authenticating, and terminating incoming client connections, and then re-encrypting the connections, and proxying them, routing them on to SGD servers, deeper in the network. The client no longer needs to know the name/IP address of the SGD servers in their network; they connect to the gateway only. The gateway takes care of those internal network details.

The Secure Gateway supports the same "single-port firewall" capability as does "Firewall Forwarding", but offers the additional advantage of load-balancing incoming client connections amongst SGD array members, which could be cumbersome without a forward-deployed secure gateway. Load-balancing weights and policies can be monitored and tuned using the "Balancer Manager" application, and Apache mod_proxy_balancer directives.  

Going forward, our architects recommend the use of the Secure Gateway over "Firewall Forwarding" for single-port firewall traversal, due to its architectural advantages, its greater flexibility and enhanced features. 

Finally, it should be noted that the Secure Gateway is not separately priced; any licensed SGD customer may use the Secure Gateway component at no additional cost.  

For more information, see the "Secure Gateway Administrator's Guide".
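
As an added illustration of the single-port technique described in the answer above (not Oracle's code and not part of the original post), this sketch shows how a listener behind TLS termination on port 443 can tell HTTP from a second protocol by peeking at the first decrypted bytes, including the case where TCP delivers too few bytes to decide. The AIP wire format is not given on the page, so anything that cannot be an HTTP request line is assumed to be AIP; the backend labels and sample streams are hypothetical.

```python
# Added illustration of single-port demultiplexing behind TLS termination.
# Assumption: the page does not describe the AIP wire format, so any stream
# that cannot be an HTTP request line is handed to the AIP side.

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")

# Hypothetical backend labels, named after the two gateway components.
BACKENDS = {"http": "reverse-proxy", "aip": "routing-proxy"}


def classify(prefix: bytes) -> str:
    """Classify the first decrypted bytes: 'http', 'aip' or 'need-more'."""
    for method in HTTP_METHODS:
        token = method + b" "
        if prefix.startswith(token):
            return "http"
        # Too short to decide, but still consistent with this method.
        if len(prefix) < len(token) and token.startswith(prefix):
            return "need-more"
    return "aip"


def route(chunks):
    """Buffer chunks from one connection until the protocol is known.

    Returns (backend, buffered_bytes); the buffered bytes must be replayed
    to the chosen backend. backend is None if the peer closed too early.
    """
    buf = b""
    for chunk in chunks:
        buf += chunk
        kind = classify(buf)
        if kind != "need-more":
            return BACKENDS[kind], buf
    return None, buf


if __name__ == "__main__":
    # Constructed sample streams, split the way TCP might deliver them.
    print(route([b"GE", b"T / HTTP/1.1\r\n"]))
    print(route([b"\x00\x10\x01binary"]))
    print(route([b"PO"]))
```
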

Thursday Aug 09, 2012

Oracle Secure Global Desktop Gateway Enables 'Anywhere Access'

A few weeks back, I wrote a blog post on how Catholic Education South Australia leverages Oracle Secure Global Desktop to provide services anytime, anywhere. One of the questions I get asked is what enables Oracle Secure Global Desktop to allow access to applications or services 'anywhere'. The answer lies in one of Oracle Secure Global Desktop's most popular features - the Oracle Secure Global Desktop Gateway (SGD Gateway).

The SGD Gateway comes included (at no additional cost) with purchase of Oracle Secure Global Desktop. The SGD Gateway is a proxy server designed to be deployed in a demilitarized zone (DMZ), which in turn connects to an array of Oracle Secure Global Desktop servers located on the internal network of an organization. Additionally, all connections can be authenticated in the DMZ before any connections are made to the Oracle Secure Global Desktop servers in the array. Connections between client devices and SGD Gateway use port 443. Hence, this does not require administrators to obtain additional approvals for use of non-standard ports in the DMZ. 

The SGD Gateway consists of the following components:

  • Routing proxy: A Java technology-based application that routes Adaptive Internet Protocol (AIP) data connections to an Oracle Secure Global Desktop server. Keystores in the routing proxy contain the certificates and private keys used to secure connections for the SGD Gateway. The routing proxy uses routing tokens to manage AIP connections. A routing token is a signed, encrypted message that identifies the origin and destination Oracle Secure Global Desktop server for a route.
  • Reverse proxy: An Apache web server, configured to operate in reverse proxy mode. The reverse proxy also performs load balancing of HTTP connections.


To learn more about the SGD Gateway, please refer to the Oracle Secure Global Desktop Gateway Administration Guide.