HOB, Inc.
245 Saw Mill River Road, Suite # 106
Hawthorne, NY 10532
USA
E-mail: support@hobsoft.com
Internet: http://www.hobsoft.com
This symbol indicates an important tip or procedure that may have far-reaching effects. Please consider carefully the consequences of any
settings or changes you make here.
Abbreviation
WSP: HOB WebSecureProxy
WSP UC
EA: HOB Enterprise Access
Table of Contents
Symbols and Conventions ......................................................................................................................... 3
Purpose of This Manual ............................................................................................................................. 4
1. Introduction
2. Installation ......................................................................................................................... 13
2.6. Uninstallation........................................................................................................................... 26
3.7. Authentication ......................................................................................................................... 35
8. Application Scenarios ................................................................................................................ 71
9.2. Requirements ......................................................................................................................... 90
10.2. Requirements ......................................................................................................................... 98
14.2. Firewall.................................................................................................................................. 116
15. Trouble-Shooting ..................................................................................................................... 119
19. Index ....................................................................................................................................... 151
1. Introduction
1.1. Advantages of HOB RD VPN
With HOB RD VPN (Remote Desktop Virtual Private Network), you have a
performant solution for secure remote access to the applications and data in
your enterprise network. The user has the advantage of not having to install any
software on a client. Any Internet connection point can be used to achieve this
access. The user sees the Windows desktop of the remote system on their client
computer, and can work with this as if it were locally installed on the PC.
HOB WTS Computing with the Java client HOBLink JWT for secure remote
access to Microsoft Windows Terminal Servers
HOB VDI Business for secure remote access to Windows operating systems
running as virtual machines in computer centers
HOB Terminal Emulations with HOBLink J-Term for secure remote access to
host systems
1.2.2.1.
This component provides SSL encrypted access to Web servers in the enterprise
network over the Internet.
For further information, please see Section 6.1 HOB RD VPN Web
Server Gate, page 65
1.2.2.2.
The HOB HTTP Redirector causes all HTTP queries coming from the browser
(over port 80) to be redirected automatically to the HTTPS port 443, at which the
HOB Web Server is listening.
This component is installed as an EA Server plugin (in HOB EA Administration:
menu EA Server > Configure, tab Server plugins).
Please refer to the online help for further information on the
configuration and use of the HOB HTTP Redirector.
2. Installation
2.1. System Requirements
2.1.1. Server System
Windows
supports all Microsoft Windows operating systems from Windows 2000 or
later
LINUX
supports LINUX 32 Bit for x86 processors and LINUX 64 Bit for
AMD64/Itanium processors
On LINUX, the kernel version 2.6.5-7 (or higher) ensures a stable
operation of HOB WebSecureProxy. The use of older kernel versions is
to be avoided, as limited functionality can result.
Solaris
HOB RD VPN can only be installed on 64 Bit machines (AMD64/SPARC
processors or better) with the Solaris 64 bit operating system installed, and
that have the 64 Bit version of Java 1.6 as a minimum.
Firefox
Microsoft Internet Explorer
Safari
start image does not automatically appear then open the file start.htm in
the root directory of the DVD.
2. The HOB RD VPN start page opens in the browser. Click Install Software
(the link Product Information links you to data sheets on the HOB products
involved in RD VPN).
3. On the next page, click Install HOB RD VPN to start the installation process.
4. In the dialog Warning Security, click Yes or Always to accept the
certificate and continue with the installation.
5. Click Start Installer for Windows and follow the instructions onscreen.
Preparations for the installation are carried out automatically.
6. In the dialog HOB Software Product Key you have two options:
A. One is to Enter a valid key. You can find the key in the document
HOB Software License delivered along with the product CD or, if
purchased online, in the e-mail received once payment has been
confirmed.
B. Alternatively you can click Evaluation Version. This allows you to run
the software for 30 days. The time remaining in the evaluation period is
displayed. Once this has expired, you must enter a valid product key
to continue using the software.
Click OK to close this dialog box.
Read the HTML document First Steps, which opens immediately once the
installation process has been completed.
2. If it does not already exist, create a container with the name rdvpn one
level below the root element firm (click firm with the right mouse button >
Add item).
3. In the newly created container rdvpn, create an object with the name
websecureproxy. The objects and/or containers can be freely chosen.
When you create an object, you will be prompted to assign a
user as object manager. Select for example the user
Administrator (administrator,users,firm) as object manager.
4. Start the Startup Options Manager by clicking Utilities > Startup
options and open the file
<INSTALL_DIR>\easerver\WspAssistStartup.xml
If this file does not yet exist, create it now.
If you are making this configuration remotely (e.g. if HOB RD
VPN has been installed on a system without a GUI), proceed
as follows:
9. Save the file (File > Save) and close the Startup Options Manager.
10. Returning to EA Administration, right click the object websecureproxy to
open the WSP configuration program and then click
Configure > HOB RD VPN > WebSecureProxy. You will see the following
screen:
15. If the server plugin HOB WebSecureProxy Agent has already been
created, skip to step 24.
If the server plugin HOB WebSecureProxy Agent has not already been
created, proceed with steps 16-23.
16. Close the dialog box and EA Administration.
17. Under Windows open the Windows program Services.
(Start > Control Panel > Administrative Tools > Services)
<wsp_assistant>
<name>HOB WebSecureProxy Agent</name>
<run>Y</run>
<classname>hob.wsp.assist.wsp_assistant</classname>
</wsp_assistant>
23. Save the file hlserver.xml, start EA Server and re-open the dialog Server
Plugins in EA Administration (see step 14 above).
24. Activate the Start server plugin checkbox for the HOB WebSecureProxy
Agent.
25. Close the dialog. You will be asked when the new settings are to take
effect.
If Now is selected, the EA Server and the WebSecureProxy are restarted
automatically with the new settings. If After Restart is selected the EA
Server can be restarted manually at a later time.
26. Rename the following file:
<INSTALL_DIR>\portal.db\local.xml
to:
<INSTALL_DIR>\portal.db\remote.xml
<install_dir>/www/login/i
<install_dir>/www/i
Replace these files with a .jpg file of your choice (the .jpg file must have a size of
871 x 98 pixels).
2.6. Uninstallation
HOB RD VPN can be uninstalled via the Windows operating system uninstallation
function.
Folder/File                 Content
.\easerver
.\portal.db
.\sslsettings               SSL-Server certificate
.\wsp\wsp.xml
.\www\lib\sslpublic         SSL-Client certificate
.\www\lib\hob\props
.\www\
Central configuration
Central administration
Central management
Inheritance of schemes and user settings
The configuration files for HOB RD VPN users can be stored locally in the HOB
Enterprise Access database, or in the LDAP database. This data is then
accessible over either the HOB Enterprise Access Server (EA Server) or the LDAP
server. HOB Enterprise Access uses a tree structure; the elements it contains
pass their properties to lower-level elements in the tree.
All user settings are placed in a database on the EA Server. As soon as you start
HOB RD VPN or HOB EA Administration (the central administration tool of HOB
RD VPN 1.4), you are connected to the EA Server.
The EA Server is installed as a Windows service that starts
automatically (Start > Control Panel > Administrative Tools > Services).
In this scenario, HOB RD VPN goes over the EA Server to access the user data
on the LDAP server. As default, the EA Server communicates with the LDAP
server over port 389.
For further information on the configuration of connection models,
please see the online help of the Startup Options Manager from HOB
EA Administration (Utilities > Startup options...).
Local configuration
where the administrator works only on the local system
Remote configuration
where the administrator works remotely over the network
With a browser, open the HOB RD VPN initial page and log in as an
administrator.
Click the link Administration Tools.
Click Start HOB EA Administration or Start HOB EA Administration from
Intranet.
If you work over the Internet, use the link Start HOB EA Administration. In
this case some configuration options are not available, e.g. shutting down
HOB WebSecureProxy. If you work in the same network, use the link
Start HOB EA Administration from Intranet. In this case a direct
connection to the EA Server (port 13270) must be available.
Security Solutions by HOB
Once the security queries have been satisfied for these configuration methods,
HOB EA Administration will open and you will see the following screen:
Configure the HOB EA Server, which administrates the user settings in the
database.
Create and administer the database elements e.g. users, groups and
containers, and their properties.
Configure the HOB EA applications.
Determine the startup options that contain the basic settings for logging onto
the database and for the connection to the EA Server.
Configure the user rights and inheritance methods.
database. It takes the first position in the tree structure; all other elements are
on sublevels.
Container
Containers are abstract elements. They are meant to be organizational units that
make it possible to keep the database clearly structured. Therefore do not use
containers to represent real persons. Containers can be expanded. They can
contain other elements on sublevels, which in turn may be either groups or other
containers.
Object
Objects are abstract elements. Do not use objects to represent real persons.
Practical examples for using objects are to define gateways or proxies. Objects
represent the lowest level of the tree. Objects cannot be expanded or enhanced.
Therefore, they cannot accommodate other elements on sublevels the way
containers do.
Group
Use this element to represent departments in your enterprise. Groups cannot be
expanded or enhanced. Therefore, they cannot accommodate other elements on
sublevels the way containers do. However, you can assign existing users in the
tree to groups as members and thus bundle them. This is not achieved by
physically adding elements to them, but simply by configuring either the group or
user properties accordingly.
User
Use this element to represent real persons. Users represent the most basic
element of the tree. Users cannot be expanded or enhanced. Therefore, they
cannot accommodate other elements on sublevels the way containers do.
You can, however, organize existing users into groups. This is not achieved by
physically adding elements to them, but simply by configuring either the user or
group properties accordingly.
1. Open the HOB RD VPN initial page with a browser and log in as an
administrator.
2. Click the link Administration Tools.
3. Click the link Start HOB EA Administration and enter your credentials.
4. HOB EA Administration will open. In the menu select
Utilities > Remote Management.
5. The Remote Management Dialog will appear:
in the database.
4. Right-click the desired element and select Configure > HOB RD VPN > User
settings. In the diagram below the settings for a user, in this example named
guest, are shown.
The startup options determine the settings that are used when executing the
HOB Connectivity Clients as well as the connection model used for this.
The startup options can be used to configure a wide range of authorization
models for user logon, from very restrictive to very free. For example, the user
can be logged on without having to enter logon credentials by setting the HOB
Connectivity Client to start automatically. Or you could give experienced users
more room for personal decisions by allowing them to log on with various user
names and alternative logon options.
Start > All Programs > HOB RD VPN > Administration > Startup Options
Manager
Or alternatively:
Start > HOB EA Administration > Utilities > Startup Options Manager
3.7. Authentication
The process of verifying a person's identity on the basis of specific
characteristics is known as authentication. User names and passwords, tokens
and SmartCards, for example, are often used for authentication. With HOB RD
VPN, authentication can be carried out in various ways:
Local configuration
Remote configuration
The GUI window is divided into two panes (see the diagram below):
1. The tree structure on the left, in which the configuration is divided into logical
units. At the top left of the window the name of the currently selected WSP
configuration file (XML-format), including its path in the application directory,
is displayed.
On the tabs that are included on this GUI you can access all the settings that can
be made for the WSP. For example the Outgoing Connection tab (which
appears when you click on a connection defined in the Connections scheme)
allows you to choose and configure one of the various connection modes that
can be configured for the WSP:
1:1 Gateway
In this mode there are various connection protocols available to you (e.g.
Telnet and RDP) for connections to 3270 hosts or Windows Terminal Servers.
WSP on WTS
This mode is required for connections when the HOB WebSecureProxy is
installed on a Windows Terminal Server.
VDI (This option is only available if Support VDI mode is selected on the VDI
Desktop on Demand
This mode is designed for connections to remote workstations running
Windows operating systems and remote-desktop-support.
For further information, see Section 9, HOB RD VPN Desktop-on-Demand,
page 89.
Server Lists
This mode is designed exclusively for connections to the HOB Connectivity
Clients HOBLink J-Term and HOBLink JWT. By creating so-called Server
Lists, which determine the protocol as well as the terminal of a connection,
users are automatically assigned and connected to the sessions that are best
suited for their needs. These are configured on the Server configuration tab
(which appears when you click on one of the servers defined in Server Lists)
where you can choose and configure one of the above-listed connection
modes. However, under this mode, the mode WSP on WTS cannot be
selected, but instead you have the possibility to select the Integrated Web
Server mode.
For more information, see the online help for this tool.
Restart server to stop and then start the server again, to reload the data
Refresh to reload the data on the server, without stopping the server from
running.
4. Another dialog box will appear in which you select the EA Object class.
Select the entry HOB Gateway Schema Extension and click OK.
5. When the schema extension is carried out successfully, a confirmation
message will appear.
6. In LDAP, create a gateway for the WSP. To do this, start the program
Active Directory-Users and Computers and create a suitable structure.
7. In this description, a sample structure will be used, in which the
organizational unit HOB will contain the organizational unit Gateways,
which contains the object wspserver1:
- HOB
  - Gateways
    - wspserver1
The object wspserver1 represents the HOB WebSecureProxy. If several
WebSecureProxies are being used, it is recommended to name the
gateway accordingly, e.g. with the name of the server on which the WSP
is running. The gateway is created via Right mouse click > New >
hobgateway. If there is no hobgateway, the HOB gateway schema
extension was not correctly carried out.
8. Now it is possible to access LDAP with EA Administration. All of the
following steps can be made via remote logon to HOB EA Administration.
In HOB EA Administration start the Startup Options Manager
(Utilities > Startup options).
9. Select the item EA Administration startup options file and click Open. The
Startup Options Manager will open. On the Connection model tab select
Connect to database via LDAP, as shown below.
10. Select the Connection tab (see diagram below) and enter the values for
the connection to the LDAP server.
11. In HOB EA Administration connect to the LDAP server (menu File >
Connect) and log on.
21. On the LDAP connection tab, enter the values for the LDAP server being
used and click OK.
22. Now you need to create an Administrator/Search user logon. On this next
screen, enter the relevant data and click OK to save the data and close
the dialog.
23. Click OK in the EA Server configuration window to save your settings and
close the window.
24. You will see a message stating the default password is still active. You
should create a new password for the EA Server administrator.
25. Click the Now button to apply the new settings immediately.
26. Now connect to the EA Server using HOB EA Administration. You must
use the LDAP administrator login information.
b. The WSP Agent accesses LDAP over the EA Server. Use this method
when the LDAP server cannot be accessed directly.
=> Follow steps 36 to 41.
29. In HOB EA Administration, open the Startup Options Manager (Utilities >
Startup options).
30. Select the connection model via EA Server and, in the installation
directory, go to the sub-directory easerver and open the file
WspAssistStartup.xml.
31. In the Startup Options Manager, on the Connection model tab, select
the connection model via LDAP.
32. On the Logon tab enter the logon information. The user entered must
have authorization to modify the attributes hobgwwsp and hobmonitor
in the WSP object (Recommendation: In the WSP object only authorized
administrators should have read and write authorization).
In the field Object name/Context: the context should be entered with the
base (e.g. DC=firm,DC=local).
33. On the Options tab, activate the setting Use AutoLogon (if it is not already
activated).
34. On the Connection tab, enter the connection data for the LDAP server.
35. Save the file (File > Save) and close the Startup Options Manager.
Now continue from step 42.
36. If the WSP Agent is to access LDAP over the EA Server, open the Startup
Options Manager in HOB EA Administration (Utilities > Startup options).
37. Select the option local file and open the file WspAssistStartup.xml in the
directory easerver.
38. In the Startup Options Manager select the option Connect to database >
via EA Server on the Connection model tab.
40. On the Connection tab enter the data for the connection to the EA Server.
41. Save the file (File > Save) and close the Startup Options Manager.
42. In the Windows Control Panel restart the service HOB EA Server.
43. The configuration should now function. To test this, log in again to HOB
Enterprise Access.
Windows Vista
Windows 7
Linux
Solaris
FreeBSD
Mac OS
When you start the HOB PPP Tunnel under Linux, Solaris, FreeBSD or
Mac OS for the first time, you must download and execute a utility that
lets you reconfigure your client system. For this procedure you need
administration rights on the client. This utility guides you through the
configuration process of HOB PPP Tunnel on your client system. For a
description of the configuration please see the following section.
The diagram below shows how the HOB PPP Tunnel works:
The only requirement on the client side is that it has one of the above listed
operating systems with a Java-capable browser. The server side requires three
components: HOB WebSecureProxy, HOB PPPT Gateway and a functioning
L2TP server (e.g. Microsoft RAS Server, Linux L2TPF, Linux XL2TPD or Cisco).
The program files must be copied manually onto the PC. They are located at:
install_dir\tools\ppptgate
Also included is a Readme file that includes full installation instructions.
4. In the area PPP Tunnel Gateway enter the Host IP address and Host port of
the server on which you have installed the PPPT Gateway. This is the IP port
at which the HOB PPPT Gateway listens for data coming from the
WebSecureProxy. The default setting is 5556.
To make these settings use the tabs NAT, DNS, and Exclude DNS in the
Extensions feature PPP TUNNEL.
Using NAT
On the NAT tab you can map specific IP addresses from other subnets (in the
example, Subnet 2) in the L2TP server subnet (in the example, Subnet 1). In the
L2TP server subnet you have to reserve the IP addresses used exclusively for
this purpose.
1. Click the NAT tab and then the Add button. The dialog Add NAT Entry will
open.
2. Enter in the Real Address: field the numerical IP address of the target
system where this system can be reached within the network (e.g.
170.55.22.1).
3. Enter in the Translated Address: field the numerical IP address where the
target computer can be reached once the HOB PPP Tunnel has been
enabled (e.g. 172.50.22.1).
4. Enter a value in the field Prefix: The (network) prefix identifies the subnet
mask used, or the address range for which the address translation is
done.
Example:
Real Address: 172.25.22.0
Translated Address: 172.22.70.0
Prefix 24
This will cause all addresses from 172.25.70.0 to 172.25.70.255 to be
mapped to the addresses from 172.22.70.0 to 172.22.20.255. These
systems are thereby accessible from the client.
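As an added illustration (not part of the HOB manual), the following Python mirrors what one NAT entry of the PPP Tunnel expresses: the Real Address, Translated Address and Prefix fields define two ranges of equal size, and an address in the real range keeps its host bits when it is mapped into the translated range. The sample table values are constructed for this example, and the overlap check is an assumption that follows from the manual's requirement that the reserved addresses in the L2TP server subnet are used exclusively for this purpose.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatEntry:
    """One row of the PPP Tunnel NAT tab: Real Address, Translated Address, Prefix."""
    real: str
    translated: str
    prefix: int

    @property
    def real_net(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits set in the entered base address
        return ipaddress.ip_network(f"{self.real}/{self.prefix}", strict=False)

    @property
    def translated_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.translated}/{self.prefix}", strict=False)


def translate(entries: List[NatEntry], address: str) -> Optional[str]:
    """Map an address inside a Real range to its Translated counterpart.

    The host part (the bits beyond the prefix) is carried over unchanged, so
    with a /24 entry real 172.25.70.17 becomes translated 172.22.70.17.
    Returns None when no entry covers the address (it is then not translated).
    """
    addr = ipaddress.ip_address(address)
    for entry in entries:
        if addr in entry.real_net:
            host_offset = int(addr) - int(entry.real_net.network_address)
            return str(entry.translated_net.network_address + host_offset)
    return None


def overlapping_translated_ranges(entries: List[NatEntry]) -> List[Tuple[NatEntry, NatEntry]]:
    """Configuration check: translated ranges live in the L2TP server subnet and
    must be reserved exclusively, so two entries may not share translated addresses."""
    problems = []
    for i, first in enumerate(entries):
        for second in entries[i + 1:]:
            if first.translated_net.overlaps(second.translated_net):
                problems.append((first, second))
    return problems


# Constructed sample table (values invented for this example, not from the manual)
SAMPLE_ENTRIES = [
    NatEntry(real="172.25.70.0", translated="172.22.70.0", prefix=24),
    NatEntry(real="10.9.0.0", translated="172.22.71.0", prefix=24),
]

if __name__ == "__main__":
    for probe in ("172.25.70.17", "10.9.0.200", "192.168.1.1"):
        print(probe, "->", translate(SAMPLE_ENTRIES, probe))
    print("overlapping translated ranges:", overlapping_translated_ranges(SAMPLE_ENTRIES))
```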
Using DNS
The HOB PPP Tunnel can use its own DNS, in a similar setup to NAT. When the
tunnel is enabled, then the stated host names are assigned specific (numerical)
IP addresses.
1. Click the DNS tab and then the Add button. The dialog Add a DNS entry
will open.
2. Enter in the field DNS Name: a host name that is to be resolved and click
Add.
3. The dialog Add an IP address opens. Enter a (numerical) IP address and
then click Add & Close.
4. You can enter additional IP addresses. When one is not available the next
in the list will be used.
Exclude DNS
If certain host names should not be resolved by the HOB WebSecureProxy once
the PPP Tunnel is enabled, then enter these in the tab Exclude DNS. These
addresses will then be resolved by the DNS server in the L2TP server network.
Make sure to enter the host name of the system on which the HOB
WebSecureProxy is installed. This ensures that connections will not be
encrypted twice (double SSL).
1. Click the Exclude DNS tab and then the Add button. The dialog Add an
excluded DNS name will open.
2. Enter a host name and click Add and close to apply the changes.
3. In the tree structure at the left, select the entry Properties and select the
database element to be configured (e.g. guest,users,firm).
4. Change the entry in the field Initial page to:
/home/welcomeGate.html
5. Click Close for the changes to be accepted.
6. With the next login the initial page (the HOB Welcome Gate) will now have
a link in the Connectivity panel to start the PPP Tunnel (see 6.2 Using the
HOB Web Server Gate, page 66).
The settings that you make here will be inherited by the lower level database
elements, if they have no such configuration of their own. For example, the
element user1,users,firm will inherit the settings from users,firm.
To enhance the performance of Web File Access, you should use the
Bypass Feature from Web Server Gate for the Web File Access Server.
This is the default setting and should be retained.
Access to Enterprise-Internal Web Servers: HOB Web Server Gate
Because all browser connections are rerouted through the Web Server Gate,
pages are no longer fetched directly from their server of origin. This
violates a fundamental browser security policy, the Same Origin
Policy. If a malicious server manages to establish contact with the
Web Server Gate, it could affect the integrity of the Web Server Gate
and of the other trusted servers with which the Web Server Gate is in
contact.
With this in mind, HOB strongly recommends that the following steps are
implemented to resist this:
Enter the target server URL in the input field of the Web Server Gate. This can
also be a non-public server address (i.e. from a private IP address range) that
corresponds to the systems in the enterprise Intranet. Connection requests are
then redirected over HOB WSP, which establishes an https (SSL-encrypted)
connection to the desired Web server.
To make these hyperlinks accessible also for external accesses over the Internet,
the HOB RD VPN Web Server Gate methodically examines the currently open
internal HTML page for corresponding hyperlinks. The syntax is thereby
translated in such a way that the linked Intranet pages can be opened when
being accessed over the Internet.
A very wide variety of hyperlink types are used in Intranets; the number
of existing formats is very large and still growing. It is therefore
unlikely that all Intranet hyperlink formats will be known, and there can
be no 100% certainty that every Intranet hyperlink will be translated as
expected; a link that is not translated cannot be resolved over the Internet.
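The following Python is an added example, not HOB's code, of the two points made in this section: a hyperlink translator of the kind the Web Server Gate applies to internal HTML pages, and the Same Origin Policy caveat from the beginning of the chapter, which becomes visible once the translated links are compared. The gate address, the intranet host allow-list and the "/gate/<percent-encoded target>" link syntax are assumptions of this example; the manual does not state how the Web Server Gate forms its URLs. Links the translator does not recognize (external sites, javascript: links) are reported rather than silently rewritten, which is the practical form of the caveat above.

```python
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import quote, urljoin, urlsplit

# Hypothetical values constructed for this example (not from the manual)
GATE_ORIGIN = "https://rdvpn.example.com"                              # where the gate is reached
INTRANET_HOSTS = {"wiki.intranet.local", "portal.intranet.local"}      # hosts the gate may proxy


def rewrite_url(url: str, page_url: str) -> Optional[str]:
    """Return the gate form of an intranet hyperlink, or None to leave it untouched.

    Relative links are first resolved against the page they appear on. Only
    http(s) links to allow-listed intranet hosts are translated; anything else
    (external sites, javascript: or other schemes) is left exactly as it is.
    """
    absolute = urljoin(page_url, url)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTRANET_HOSTS:
        return None
    return f"{GATE_ORIGIN}/gate/{quote(absolute, safe='')}"


class LinkRewriter(HTMLParser):
    """Re-emits an HTML page with href/src/action attributes translated.
    Links that could not be translated are collected in `unchanged`."""

    LINK_ATTRS = ("href", "src", "action")

    def __init__(self, page_url: str):
        super().__init__(convert_charrefs=False)   # keep entities as written
        self.page_url = page_url
        self.out: List[str] = []
        self.rewritten: List[str] = []
        self.unchanged: List[str] = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        pieces = [tag]
        for name, value in attrs:
            if name in self.LINK_ATTRS and value:
                new_value = rewrite_url(value, self.page_url)
                if new_value is None:
                    self.unchanged.append(value)
                else:
                    self.rewritten.append(new_value)
                    value = new_value
            pieces.append(f'{name}="{value}"' if value is not None else name)
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def rewrite_page(html: str, page_url: str) -> Tuple[str, List[str], List[str]]:
    """Translate a page fetched from page_url; returns (html, rewritten, unchanged)."""
    parser = LinkRewriter(page_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rewritten, parser.unchanged


def origins(urls) -> Set[str]:
    """The scheme://host[:port] origins the browser's Same Origin Policy sees.
    Every translated intranet link collapses into the single gate origin, which
    is why one hostile server reachable through the gate is a risk to the others."""
    return {f"{urlsplit(u).scheme}://{urlsplit(u).netloc}" for u in urls}


# Constructed sample page, as an intranet wiki might serve it
SAMPLE_PAGE_URL = "http://wiki.intranet.local/start/index.html"
SAMPLE_HTML = (
    '<a href="/docs/a.html">Docs</a> '
    '<a href="http://portal.intranet.local/x?id=1">Portal</a> '
    '<a href="https://www.example.org/">External</a> '
    '<img src="images/logo.png" alt="logo" /> '
    '<a href="javascript:openWin()">Popup</a>'
)

if __name__ == "__main__":
    html, done, left = rewrite_page(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print(html)
    print("origins after translation:", origins(done))
    print("not translated:", left)
```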
the user wishes to access, and the notification that a logon is desired (most
normally the Logon button on the logon dialog).
Single Sign-On is the name of the HOB auto logon facility and it works in the
following manner:
1. The user logs into HOB RD VPN and the Web Server Gate page is displayed.
2. The Web Server Gate recognizes whether the user is configured to use Single
Sign-On.
3. The user then selects a destination to go to from the Web Server Gate.
4. When redirecting to this destination, the Single Sign-On facility forwards the
user logon information provided to the destination logon page, and
automatically completes the logon process without the user needing to enter
any more information.
The Single Sign-On can be configured with the HOB WebSecureProxy
configuration tool (see the section Integrated Web Server).
More detailed information can be found in the online help of HOB
WebSecureProxy.
To activate Anti Split Tunneling you must check the box Enable at the top of this
tab.
The Name (Anti_Split_Tunnelling) and Mode (the mode is 1:1 Gateway as the Anti
Split Tunnel is used when a direct connection using certain protocols (such as
RDP or Telnet) is made) of this extension cannot be changed, but you can select
a user defined or default Network adapter to use from a drop down list.
Exceptions to Anti Split Tunneling can be configured by the administrator with
regard to the local network, DNS servers and dedicated servers or hosts. This
utility runs as a service on your PC and if activated is an essential condition for
HOB RD VPN to work, increasing the security of your system.
Before Anti Split Tunneling can be used, the Anti Split Tunnel utility
must be installed on the client. If this service is not running, the user
automatically receives information on how to install it when logging on
to HOB RD VPN. Administration rights are required for the installation
of this service on the client system.
8. Application Scenarios
8.1. Scenario: Default Configuration
Once HOB RD VPN has been installed, you have a default configuration that
provides you with the access as described in the illustration below:
In this scenario the WSP is the central instance for communications coming from
outside. All communications go over the (configurable) port 443.
The WSP provides you with an integrated Web Server. For the first connection
after installation the user must log on to the WSP over this Web Server via a
secure HTTPS connection. The URL required for this is contained in an HTML
document that can be found by clicking Start > All Programs > HOB RD VPN >
Info Center > First Steps After Installation. This URL uniquely identifies the port
and IP address of the Web Server.
The first time a user calls the WSP Web Server default HTML page, they must be
authenticated (see the 4-step communication model above, Step 1).
As a default, the following user names and passwords are configured:
User name: administrator
Password: adminpw
Alternative:
User name: guest
Password: guest
For security reasons, we recommend immediately changing the
password for the existing user administrator with which you have just
logged on.
How to change the password for the administrator (& other users)
After successfully logging on, users are forwarded to the HOB Welcome Gate
from where HOBLink J-Term or HOBLink JWT can be started by clicking the
corresponding link (see the 4-step communication model Step 2, page 71).
Click the Run Sessions link to open the Session Manager. This allows you to
select a session with which you want to work.
Using this facility, as soon as the user settings have been read by the system
(the required reading of the user settings by the EA Server is carried out in the
background and is not seen by the user - see the 4-step communication model
Step 3, page 71), you can launch the desired HOBLink J-Term/JWT sessions to
communicate with a host or Windows Terminal Server (see the 4-step
communication model Step 4, page 71).
When running HOBLink J-Term (not HOBLink JWT) as an RD VPN
applet, all sessions will be SSL encrypted and rerouted to the WSP,
even if this is not explicitly configured in the session configuration
(JWT Administration > Connection > Security > none). For the
connection, the settings that are configured in the HOB EA
Administration Startup Options Manager (see 3.6 Startup Options
Manager, page 34) are used (e.g. connection model, HOBLink J-Term
options, etc).
The advantage of this is that internal and external connections can use
the same session configuration. For internal communications, the data
are not encrypted; the connection is direct, without any redirection
over the WSP. External communications are automatically SSL-encrypted and redirected over the WSP.
For more detailed information on this dialog box, see the online help.
The diagram below illustrates this scenario, in which the applet is downloaded
from a WSP-independent Web server to the browser and the user settings are
read from the EA Server.
8.2.1.1.
3. Enter a valid server name and the port that it will make available to the WSP.
We recommend using the HTTPS port 443, which is usually enabled
on Web servers.
8.2.2.1.
1. The diagram below shows the settings that have to be made on the HOB
WSP tab. Depending on which HOB Connectivity Client is being used, the
tab you see may differ slightly from the one shown here.
2. Click the Add button to configure a WSP over which the connection is to be
established.
3. In the dialog box Add server, enter a valid server name and the port that it
will make available to the WSP (see Scenario above).
We recommend using the HTTPS port 443, which is usually enabled
on Web servers.
4. Click Add & Close to apply the settings.
8.2.3.1.
1. The dialog in the previous section shows the required settings for the HOB
WSP tab for HOBLink JWT. Depending on which HOB Connectivity Client is
being used, the tab you see may differ slightly from the one shown here.
2. Click Add to configure a WSP over which the connection is to be established.
3. In the dialog box Add enter a valid server name and the port that it will make
available to the WSP.
Download of the applet (HOBLink J-Term/JWT) from the WSP Web Server
Loading the user settings from the EA Server
The connection model via EA Server is used. To set this connection model,
open HOB EA Administration and click the menu Utilities > Startup options....
The Open file dialog box opens. Select the startup.hxml file where the
relevant user settings are stored, and then click via EA Server on the
Connection model tab).
8.2.4.1.
Passticket technology
When users logon for the first time in the work-session, the authentication to the
RADIUS server is carried out in the usual manner. The EA Server notes the
successful authentication and generates a so-called Passticket. For each
subsequent connection this user makes, this ticket confirms the authentication
that was already made and spares the user from having to make repeated
authentications to the RADIUS server. Thus a connection can be established
more quickly and conveniently.
For reasons of security, a Passticket has a limited validity period. The length of
time a Passticket is valid can be set to your individual needs.
8.2.4.2.
Open the WSP/HTTP Proxies tab in the Startup Options Manager and select the
checkbox Inherit WSP configuration from browser URL (see the diagram on page
77).
8.2.4.3.
Download of the applet (HOBLink J-Term/JWT) from the WSP Web Server
User management via LDAP
The connection model via EA Server is used. To set this connection model,
open HOB EA Administration and click the menu Utilities > Startup options....
The Open file dialog box opens. Select the startup.hxml file where the
relevant user settings are stored, and then click via EA Server on the
Connection model tab.
8.2.5.1.
Open the WSP/HTTP Proxies tab in the Startup Options Manager and select the
checkbox Inherit WSP Configuration from browser URL.
8.2.5.2.
3. Open the LDAP connection tab and configure your LDAP settings.
For more detailed information on these dialog boxes, see the online
help.
Download of the applet (HOBLink J-Term/JWT) from the WSP Web Server
Authentication to MS RADIUS, the integrated Internet Authentication Server
(IAS) from MS Active Directory
User management via MS Active Directory over the EA Server from HOB
Enterprise Access
8.2.6.1.
Open the WSP/HTTP Proxies tab in the Startup Options Manager and select the
checkbox Inherit WSP Configuration from browser URL.
8.2.6.2.
Communications over the Internet with the HOB WebSecureProxy are SSL
encrypted.
To initialize the WOL function of a computer that has been switched off, the HOB
WebSecureProxy must be provided with the IP address of the computer in the
network and the MAC address of its network card (in the following these two
pieces of information are referred to as the Desktop-on-Demand data). This
procedure is described in detail in Section 9.3.2 Retrieve Desktop-on-Demand
Data, page 91.
9.2. Requirements
The following requirements must be fulfilled in order to remotely access a PC:
Remote Desktop
1. Microsoft Windows as operating system
This feature is designed with a corporate network in mind, so is not
available with the MS Windows XP Home, Vista Home or 7 Home
editions.
2. Activation of the Wake-on-LAN function in the BIOS
3. Activation of the remote desktop function is performed as follows:
For MS Windows XP & Vista: click Control Panel > System > Remote
tab > Allow Users to Connect Remotely To This Computer checkbox,
And for Windows 7:
click Control Panel > System & Security > Allow Remote Access >
Remote Desktop > Select User.
Enter Desktop-on-Demand Data
The steps required to retrieve the data needed for an HOB Desktop-on-Demand
connection are described in the Section 9.3.2 Retrieve Desktop-on-Demand
Data, page 91.
Firewall 2 Must Allow Broadcasts
Firewall 2 (see the diagram on the previous page) must allow broadcasts to pass
into the Intranet in order for the Wake-on-LAN function to work properly. If this
requirement is not met, the information listed in the Section 9.4 Wake-on-LAN
Relay, page 95 applies.
HOB WebSecureProxy
HOB Desktop-on-Demand
HOBLink JWT
The configuration procedures for these solutions are described in the following
Sections.
2. Open the template Server List in the tree structure on the left.
3. Open the desired template in the tree structure to the left or click the Add...
button to create a new template.
4. Click Add... to add a server.
5. On the Server configuration tab at the right, enter a name for the session
under Name, e.g. Desktop-on-Demand-Session.
6. Select Desktop-on-Demand as mode.
7. Select RDP Windows Terminal Server HOB EXT-1 as the default protocol.
How to retrieve the data using the client by downloading the administration
tool HOB Desktop-on-Demand Configuration
5. In this dialog click the button Apply local values. This displays the IP and
MAC addresses, the port and the waiting time allowed for the workstation to
respond.
6. Click OK to apply the data and close the administration tool.
4. On the HOB WSP tab enter the name of the Desktop-on-Demand session that you
have defined as under item 5 in Section 9.3.1 How to Configure the HOB
WebSecureProxy, page 90, as the name of the server for connection, or
alternatively you can check the box Prompt user when connecting.
5. Click the Close button to apply the changes and close the configuration.
9.4.1.1.
3. Activate the checkbox Use Wake-on-LAN Relay and enter valid values for
Host IP Address and Port.
4. Close the configuration program and apply the changes.
10.2. Requirements
Each SUOS in the SUOS pool must have the HOB VDI Agent installed.
The SUOS must have one of MS Windows Professional, Enterprise, Business or
Ultimate installed as the operating system, as HOB VDI is not available with the
MS Windows XP Home, Vista Home or 7 Home editions.
Parameter
Description
-e Executablename
Parameter
Description
-f Monitorfilename
-s Signal
-r Rtime
-p Ptime
-h
-d
-t
-b
-- executable params
Parameter
Description
path name of the executable.
This parameter is optional.
The return value of nbipgw13 is either 0 (for a success) or an error message. This
error message is output in the terminal or logged to the syslog when running in
daemon mode.
Example 1
HOB WSP (NBIPGW08) is started in daemon mode with the Monitorfilename
parameter set to wsp.xml. Executable monitoring is switched on with a polling interval of 60 seconds. nbipgw13 runs as a normal process.
nbipgw13 -e NBIPGW08 -f wsp.xml -r 60 -d -- wsp.xml
Example 2
As in Example 1, but with stdout/stderr forwarding switched off.
nbipgw13 -e NBIPGW08 -f wsp.xml -r 60 -d -t -- wsp.xml
Example 3
As in Example 1, but in daemon mode
nbipgw13 -e NBIPGW08 -f wsp.xml -r 60 -b -- wsp.xml
Parameter
Description
-nXXXX
-sXXXX
-l
-v
provided by HOB EA Administration lets you create HOB Certificate files (SSL
client and server certificates previously known as HL Security Units) and
configure basic SSL settings.
Use the HOB SSL Security Manager to create your own certificate management
and generate SSL certificates. This HOB software is included in the scope of
delivery of HOB RD VPN.
hserver.cfg or hclient.cfg
This file holds the configuration data.
hserver.cdb or hclient.cdb
.cdb stands for certificate data base. This file contains the
certificate properties.
Alternatively, the Java HOB Connectivity clients (HOBLink J-Term, JWT, etc) can
also use the certificate databases of Java and the browser, see section 13.5
Selecting an SSL Provider, page 113.
used for verifying the Client Certificate, and the Server Certificate with the private
key.
To open the SSL Security Manager, click Start > Programs > HOB RD VPN >
Administration > HOB EA Administration and, in the Utilities menu, select SSL
Security Manager.
For instructions on creating different types of certificates, please see
the SSL Security Manager online help How to . items.
Use the SSL Security Manager to create and manage the HOB Server Keystore
files. From the main window of the SSL Security Manager, you may either:
Select AutoWizard. The Autowizard will show the screen displayed below
following the entry of a password, that begins the certificate generation
process:
Alternatively from the screen menu select File > New. You will see this
screen:
Create these files and then copy these to the following directory:
C:\Program Files\HOB\rdvpn\sslsettings
If generating Server Certificate files automatically using the AutoWizard, then the
files will automatically be written to this location. This directory contains the HOB
Certificate files for the server hserver.* and, as default, is used by both the EA
Server and HOB WSP.
For HOB WSP, this directory can be configured individually. Select the directory
for the server files by clicking Start > Programs > HOB RD VPN > Administration
> Configure HOB WebSecureProxy. You then click the Settings scheme in the
tree on the left and select the desired files on the Security tab (see the diagram
below for details).
For the EA Server, the directory used to store the HOB Server Certificate files
must be the default directory.
For more information on this subject see the Online help of HOBLink
Secure.
Select AutoWizard. The Autowizard will show the screen displayed here
following the entry of a password,
Alternatively from the screen menu select File > New. You will see this
screen:
These files can be used either for EA Server and the HOB WSP (if the servers
connect as a client to another SSL Server), or they can be used for the HOB
Connectivity Clients (HOBLink J-Term or HOBLink JWT), but the certificates
must match the Server Certificates of the server hosting the program to which
the connection is being made.
13.4.2.1.
The Client Keystore files must first be copied to the following directory:
<install_dir>\www\lib\sslpublic
This is a public directory and therefore should hold only public keys,
not private keys.
SSL Certificates are downloaded from the Web. For security reasons
we strongly recommend the download be performed only over an
https connection.
HOB Keystore files are loaded in the following order once downloaded from the
Web server:
1. In the URL <HOB RD VPN-URL>/www/lib/sslpublic,
where <HOB RD VPN-URL>/is the URL from where the HOB
connectivity clients are downloaded.
2. On the local computer in the sub-directory hob_jportal of the
<Java User Home> directory.
3. If the Keystore files are not found in the above directories, a dialog
box opens in which the user can enter a directory. This directory then
becomes the default directory for the future loading of the Keystore
files.
This directory name is saved in the file:
<Java User Home>/hob_jportal/userset.html and can be
edited or deleted there.
13.4.2.2.
When each client machine is to have its own HOB SSL Keystore files, these have
to be stored locally on the client machine. There are two ways of doing this.
1. Use the service Install HOBLink Secure certificates found in the directory
<install_dir>\tools\CertInst\InstallCertificates.html.
2. Copy the HOB SSL Keystore files to each client in the sub-directory
/hob_jportal of the User Home directory (for example to
C:/Users/username/hob_jportal, when using Windows 7).
If you do not copy the password file hclient.pwd, the user will be
prompted to enter the password for the certificate when a
connection is established.
HOB SSL Keystore files are loaded from specific directories. If these files are not
found in the first location, then the loading is continued from the next location.
1. When stored on the local computer the Keystore files are loaded first
from the directory <Java User Home>/hob_jportal.
Under Windows the <Java User Home> directory is
by default: C:\Documents and Settings
\your_user_name, for users of Windows 7 it is
C:\Users\username, while for users of Linux it is the
directory /home/your_user_name.
2. If the HOB SSL Keystore files are not found in the above directories, a
dialog box opens in which the user can enter a directory. This
directory then becomes the default directory for the future loading of
the Keystore files.
This directory name is saved in the file:
<Java User Home>/hob_jportal/userset.html
and can be edited or deleted there.
3. If the HOB SSL Keystore files are not found in any of the above
directories, then they can be obtained from the
<install_dir>\www\lib\sslpublic directory.
When the Java SSL provider is selected, you can choose which keystore is
used for authentication: your company's own user certificates, PKCS#11, or
the MS (Microsoft) keystore that is delivered with Microsoft Windows.
With the choice of HOB SSL Provider, you use the HOB SSL keystore of
approved certificates. This has the advantage that data compression can be
used in the communication.
Using the Java SSL Provider gives the advantages that you can use Java and
almost all Java tools or applications. Also, all certificates that have been
accepted are automatically added to the keystore, and are therefore available to
be used again. The Java keystore also uses the RSA Public Key Cryptography
Standard PKCS#11, which defines a platform-independent API to cryptographic
tokens such as Hardware Security Modules (HSM) and smart cards.
If you use the PKCS#11 User Keystore with a generic PKCS#11 library
a dialog box appears where you must enter the file path. This file path
cannot contain any spaces or brackets.
When using the Java SSL Provider with Microsoft CAPI (the check box
Trust MS Keystore), this option is available only on 32-bit machines; it
does not run on 64-bit systems. A Java Virtual Machine of version 1.5 or
higher is also required for this option.
14.1. Server
Secure Web servers are a very important requirement for web-based
applications such as HOB RD VPN. A protected Web server configuration plays a
decisive role in your network security. Poorly configured virtual directories or
careless mistakes can facilitate unauthorized access. A forgotten authorization
can become a welcome backdoor for an attacker, or an overlooked port can
enable direct access from outside. Neglected user accounts enable attackers to
surreptitiously circumvent your security measures.
To make your server secure, you must first determine the level of security
needed. Once this has been determined, you can proceed to configuring the
desired security level. This section will help you to approach this problem
systematically. Follow the steps below to secure your server:
14.2. Firewall
A firewall is used, for example, to block unused ports and to allow data traffic
only over authorized ports. To do this, it must be able to monitor incoming
requests in order to protect the Web Server from known attack types. A firewall is
a useful tool to detect and defend against attacks, and to discover their source.
14.3. Ports
Services that are executed on the server use special ports to listen for incoming
queries. Close all unneeded ports and check regularly whether any new ports in
listening status are detected. These could indicate an unauthorized access and a
security risk.
To determine which ports are listening, i.e. are currently open, run the following
command in the command line:
netstat -n -a
This displays a list of all ports with their accompanying addresses and current
status. Make sure that you know every service listening at a port, and determine
whether these services are necessary.
While doing this, limit the number of Internet-side ports (for further information,
see the following section) and encrypt or restrict your data traffic.
14.3.1.1.
Internet:
443 HTTPS
80 HTTP/HOB HTTP Redirector
Intranet:
3389
23
1812
389
636
13270
13282
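As an added example (not from the HOB manual), the following Python script parses the output of netstat -n -a and reports every listening TCP port that does not appear in the port table above; the netstat output it works on is constructed sample data.

```python
"""Compare the ports a host is actually listening on with the port list from the
HOB RD VPN security-check section.  Added example, not part of the HOB
documentation; the netstat output below is constructed sample data."""
import re

# Ports the manual lists for an HOB RD VPN installation.  Anything else found
# in LISTENING state is reported for the administrator to attribute or close.
INTERNET_PORTS = {443: "HTTPS", 80: "HTTP/HOB HTTP Redirector"}
INTRANET_PORTS = {3389, 23, 1812, 389, 636, 13270, 13282}
EXPECTED_PORTS = set(INTERNET_PORTS) | INTRANET_PORTS

# Constructed sample of `netstat -n -a` output in the Windows column layout
# (Proto, Local Address, Foreign Address, State); UDP lines carry no state.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           203.0.113.7:51234      ESTABLISHED
  TCP    [::]:13270             [::]:0                 LISTENING
  TCP    127.0.0.1:4444         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1812           *:*
"""

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output):
    """Map each TCP port in LISTENING state to the set of local addresses bound."""
    result = {}
    for line in netstat_output.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        # rpartition keeps IPv6 literals such as "[::]:13270" intact
        addr, _, port = m.group(2).rpartition(":")
        result.setdefault(int(port), set()).add(addr)
    return result


def unexpected_ports(netstat_output, expected=EXPECTED_PORTS):
    """Sorted listening ports that are not in the manual's port list."""
    return sorted(p for p in listening_ports(netstat_output) if p not in expected)


def report(netstat_output):
    """One line per listening port: port, bound addresses, role from the manual."""
    lines = []
    for port, addrs in sorted(listening_ports(netstat_output).items()):
        role = INTERNET_PORTS.get(port) or (
            "intranet" if port in INTRANET_PORTS else "UNKNOWN - check")
        lines.append(f"{port:>6}  {', '.join(sorted(addrs)):<20} {role}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print("ports to investigate:", unexpected_ports(SAMPLE_NETSTAT))
```

A port from the intranet list that is not listening is not a finding, since not every HOB component runs on every host; only ports outside the list need to be attributed to a known service.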
14.4. Logging
HOB RD VPN has a monitoring function in the form of a Logbook that records,
for example, faulty logins, error messages that were displayed, timed out login
attempts, etc. It can also be configured so that it can automatically inform the
administrator responsible via e-mail of any events.
To open and/or configure the logbook, click Start > All Programs > HOB RD VPN
> Administration > HOB EA Administration and then select in the menu EA
Server > View logbook....
15. Trouble-Shooting
This section contains helpful information on trouble-shooting HOB WSP. The
following tips can help you to resolve minor problems with the WSP yourself,
without having to call HOB Support.
Various procedures that can help you with fault analysis and trouble-shooting are
described in the Sections below.
15.1.1. Prerequisite
The WSP logbook function has to be active. This function is active as default.
1. Start the HOB WebSecureProxy configuration program: Start > All Programs
> HOB RD VPN > Administration > Configure HOB WebSecureProxy.
2. Open the Settings tab in the left-hand pane.
3. Open the Properties tab in the right-hand pane and select Enable logging.
15.2.1. Prerequisite
The Windows Dump function in the WSP has to be active. This is active as
default. Follow the steps outlined below if this is not the case.
1. Start the HOB WebSecureProxy configuration program: Start > All Programs
> HOB RD VPN > Administration > Configure HOB WebSecureProxy.
2. Open the Settings tab in the left-hand pane.
3. Open the Windows Dump tab in the right-hand pane and select Enable
Windows Dump.
4. Optionally you can configure the Windows Dump to be sent as an automatic
e-mail to an address of your choice.
15.3.1. Prerequisite
1. Terminate the service HOB WebSecureProxy in Control panel >
Administrative Tools > Services.
2. In the program files folder \rdvpn\wsp run the batch file runwsp.bat to
display the console messages.
3. Restart the service HOB WebSecureProxy when you have finished consulting
the Console messages.
Web: http://www.hobsoft.com
Email: info@hobsoft.com
Telephone: (866) 914-9970, (646) 465-7650
Fax: (646) 437-3448
If you have any technical questions, or need technical support, then please
contact us through:
Web: http://www.hobsoft.com/feedb.jsp
Support: support@hobsoft.com
Telephone: (866) 914-9970, +1 (646) 225-7260
HOB RD VPN - Appendix 1 - HOB WSP Universal Client and Citrix Neighborhood
Diagram 1 Connection with HOB WebSecureProxy Universal Client and HOB WebSecureProxy
Now click the Firewalls... button at the bottom to display the Firewall Settings
dialog.
In this dialog select SOCKS as the proxy type and enter a proxy address and a
port of your choice, in this example localhost as the address and 1081 as the
port. Click OK to finish and close the dialog.
To configure HOB WebSecureProxy UC on the client, click Start > All Programs
> HOB WebSecureProxy UC > Administration > Startup Options Manager.
In the Startup Options Manager, enter the IP address of the port at which HOB
WebSecureProxy can be reached. In the HOB WSP a connection must be
configured that listens for data at this port (see Section 17.4. Configure HOB
WebSecureProxy, page 126).
In the Logon options pane you can enter a user name and password. These data
are required for authentication with HOB WSP. Verification of the logon data is
carried out by HOB Enterprise Access (see Diagram 1, page 123). Further
information can be found in the HOB Enterprise Access online help.
When the option Use AutoLogon is selected, the logon data are saved to the
local client PC. If it is not selected then the data must be entered each time you
logon.
Enter a name of your choice as Gateway Name. For the Predefined port, enter
the proxy port defined as the client in Citrix Neighborhood (see Section 17.2.1
Configure Citrix Program Neighborhood, page 124). In the Outgoing Connection
field, the option Use SOCKS protocol of application must be activated.
1. Start HOB WSP administration by clicking Start > Programs > HOB RD
VPN > Administration > Configure HOB WebSecureProxy.
2. Select Extensions > SOCKS to display the SOCKS settings tab. Here you
can configure the SOCKS server for the HOB WSP UC connection.
The check box Enable must be selected in order to configure this
server for the SOCKS connection. The default is that this checkbox is
NOT selected.
You can now start Citrix Program Neighborhood and select one of the published
applications from the list.
</general>
<connection>
</connection>
<blade-control>
</blade-control>
</sslgate-configuration>
In the following you will find a description of the parameters and their possible
settings.
The <general> tag is allowed to appear only once. The <general> tag section
may contain the following parameters:
Parameter
Description
<prot-event-log>
<prot-syslog-log>
<reloadconfiguration>
<max-poss-workthread>
<max-active-workthread>
<prio-work-thread>
<prio-process>
<report-intv>
<wake-on-lan-relay-ineta>
<wake-on-lan-port>
Parameter
Description
This parameter may be used multiple times in
conjunction with multiple entries for the parameter
<wake-on-lan-relay-ineta>.
Default: 65535
<time-cache-diskfile>
<time-reload-diskfile>
<disk-file-size-max>
Specifies the maximum size for any single file. This can
be either in KB, MB or GB.
Default: Off
<disk-file-storage>
<network-statisticlevel>
<clear-used-memory>
<event-server-name>
<event-source-name>
Parameter
Description
of its own for HOB WSP in the Windows Event Log,
which stores the messages generated by HOB WSP.
The same name must also be defined in the Window
Registry, otherwise the messages cannot be written to
the defined event. To do this you must run
bcrtlog.exe, which is in the scope of delivery.
If this parameter is not specified the log is written to the
application protocol of the Windows Event Log as
usual.
<pid-file>
<listen-error>
<listen-gateway>
Parameter
Description
Enable the LGW.
NO (this is the default value):
Disable the LGW.
<usage-dn>
Description
<windows-core-dump>
<diskdirfd>
<ineta-mgw>
<email-rcpt>
<email-sender>
<password>
18.3. Connection
This tag defines the properties of one connection (where a connection is defined
by the listening TCP/IP port number) and the behavior of the WSP.
There may be one or several <connection> sections. The HOB WSP has a one-to-one relationship between a connection with a client (half-session) and a
connection with a corresponding server (the other half-session). The design of the
HOB WSP does not allow one half-session with a client and multiple half-sessions
with one or many servers.
The section <connection> may contain all the necessary configuration data for
both half-sessions. But it is also possible that a half-session with a client is
described (and started), but the client wants to select one of many servers; these
servers would then be defined in a <server-list>. A <server-list>
contains one or many <server-entries>, each <server-entry> describing
a possible server to which the client can connect.
Thus, all parameters for a client half-session are described in <connection>,
the parameters for the server half-session may either be described in
<connection> directly, or in <server-entry> in a <server-list>, if there
is to be more than one server to which the client should be able to connect.
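As an added illustration of the <connection> and <server-list> rules just described (example code, not part of HOB RD VPN), the following Python script checks a WSP configuration for a single <general> section, a unique listening port per <connection>, and a server half-session that is defined either directly or through a <select-server> reference to an existing <server-list>; both configurations it checks are constructed samples built only from element names used in this manual.

```python
"""Structural checks for a HOB WSP <sslgate-configuration> file, following the
rules the manual states for <general>, <connection> and <server-list>.
Added example, not HOB code; both sample configurations are constructed and
use only element names that appear in the manual."""
import xml.etree.ElementTree as ET

GOOD_CONFIG = """<sslgate-configuration>
  <general><wake-on-lan-port>65535</wake-on-lan-port></general>
  <connection>
    <name>DIRECT-RDP</name>
    <gateport>443</gateport>
    <serverineta>wts.mycompany.com</serverineta>
    <serverport>3389</serverport>
  </connection>
  <connection>
    <name>SELECT-WEB</name>
    <gateport>8443</gateport>
    <select-server><server-list-name>SERVERLIST1</server-list-name></select-server>
  </connection>
  <server-list>
    <name>SERVERLIST1</name>
    <server-entry><name>Integrated Web Server</name><protocol>HTTP</protocol></server-entry>
  </server-list>
</sslgate-configuration>"""

# Same layout with four deliberate mistakes: a second <general>, a duplicate
# gateport, a connection without any server half-session, and a reference to
# a server list that is not defined.
BAD_CONFIG = """<sslgate-configuration>
  <general></general>
  <general></general>
  <connection>
    <name>A</name><gateport>443</gateport>
    <serverineta>wts.mycompany.com</serverineta><serverport>3389</serverport>
  </connection>
  <connection><name>B</name><gateport>443</gateport></connection>
  <connection>
    <name>C</name><gateport>8443</gateport>
    <select-server><server-list-name>MISSING</server-list-name></select-server>
  </connection>
  <server-list><name>EMPTY</name></server-list>
</sslgate-configuration>"""


def _text(elem, tag):
    """Stripped text of the first child <tag>, or None if absent or empty."""
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def check_wsp_config(xml_text):
    """Return a list of findings; an empty list means the structure is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "sslgate-configuration":
        findings.append("root element must be <sslgate-configuration>")
    if len(root.findall("general")) != 1:
        findings.append("<general> must appear exactly once")

    # Every <server-list> needs a <name> and one or more <server-entry>.
    lists = {}
    for sl in root.findall("server-list"):
        name = _text(sl, "name")
        if not name:
            findings.append("<server-list> without <name>")
            continue
        lists[name] = sl.findall("server-entry")
        if not lists[name]:
            findings.append(f"server list {name} has no <server-entry>")

    # A connection is identified by its listening port (<gateport>); its server
    # half-session is given either directly or through <select-server>.
    seen_ports = {}
    for conn in root.findall("connection"):
        cname = _text(conn, "name") or "<unnamed>"
        port = _text(conn, "gateport")
        if port is None:
            findings.append(f"connection {cname}: no <gateport>")
        elif port in seen_ports:
            findings.append(f"connection {cname}: gateport {port} already used by {seen_ports[port]}")
        else:
            seen_ports[port] = cname
        direct = _text(conn, "serverineta") and _text(conn, "serverport")
        sel = conn.find("select-server")
        if direct and sel is not None:
            findings.append(f"connection {cname}: both direct server and <select-server> given")
        elif sel is not None:
            ref = _text(sel, "server-list-name")
            if ref not in lists:
                findings.append(f"connection {cname}: unknown server list {ref}")
        elif not direct:
            findings.append(f"connection {cname}: no server half-session defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_wsp_config(cfg) or "OK")
```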
Parameter
Description
<name>
<function>
<gateport>
<backlog>
Parameter
Description
be accepted.
This is an optional parameter.
Default value: 10
<gate-in-ineta>
IP address for input to the gateway (only for use on multi-homed systems, i.e. systems having more than one
network board). This parameter is optional. If you are
using dynamic DNS, do not enter this parameter, because
the TCP/IP stack will then only receive incoming
connections at this <connection> if they arrive over
the INETA that was active at the start of the HOB WSP.
If this parameter is set, connection requests will be
rejected when the INETA changes, as the definition
requires.
<serverineta>
<serverport>
<authenticationradius>
<radius-name>
This is a sub-entry of the <authenticationradius> parameter. This specifies the name of the
RADIUS server definition
<configurationdesktop>
This is a sub-entry of the <authenticationradius> parameter. This specifies the location of the
desktop definition.
Possible values:
attribute-vendor-specific-1
attribute-116
This parameter can only be used for the functions
PASS-THRU-TO-DESKTOP or SELECT-SOCKS5HTTP.
<send-certificate>
<select-server>
Parameter
Description
only the sub-entry <server-list-name> (see
below).
<server-list-name>
This is the sub-entry of the parameter <select-server>. The name of the server list to be used for
the <connection> in which <select-server> is a
sub-entry is specified here. Please see <server-list> below for more information.
<user-list>
<language>
<max-session>
<SSL-config-file>
<SSL-certdb-file>
<SSL-password-file>
Parameter
Description
<function>
Parameter
Description
<protocol>
<serverineta>
<serverport>
<gate-out-ineta>
<wts-server-list>
<wts-server-url>
<wts-br-port>
<wts-check-name>
Parameter
Description
<blade-server-list>
<blade-server-url>
This parameter is a sub-entry of <blade-server-list>. Enter the URL of the blade server here.
Example:
<blade-server-url> 123.123.123.123:4095
</blade-server-url>
<blade-br-port>
<blade-check-name>
<hcproxauth>
<server-data-hook>
<library-file-name>
Parameter
Description
<configurationSection>
<timeout>
Parameter
Description
<server-list>
Parameter
Description
to select one of several servers for the connection. The
following parameters are defined in it.
<name>
<server-entry>
<protocol>
<serverineta>
<serverport>
<timeout>
18.3.3.1.
The following section describes the parameters of the HOB WSP Web Server
configuration:
<server-list>
<name>SERVERLIST1</name>
<server-entry>
<name>Integrated Web Server</name>
<protocol>HTTP</protocol>
<server-data-hook>
<library-file-name>
C:\EA\wsp\plugins\web_server\wsp_webserv.dll
</library-file-name>
<configuration-Section>
<root-dir>C:\EA\www</root-dir>
<http.hostname>wts.mycompany.com</http.hostname>
<site-after-auth>
/hob_login/welcome.html
</site-after-auth>
<dll-path>C:\EA\wsp\plugins\web-server</dll-path>
<settings>0</settings>
<virtual-dir>
<alias>/inetpub1</alias>
<path>
C:\Documents and Settings\username\My Documents
</path>
</virtual-dir>
</configuration-Section>
</server-data-hook>
</server-entry>
Parameter
Description
<server-entry>
<protocol>
<server-data-hook>
<library-file-name>
Parameter
Description
the full path and name of the DLL to be loaded here.
The library file for the WSP Web Server must be placed
in the following directory:
<installdir>\wsp\plugins\web_server\wsp_webserv.dll
<root-dir>
<http-hostname>
<site-after-auth>
<dll-path>
<settings>
<virtual-dir>
<alias>
<path>
18.3.3.2.
The following section describes the parameters of the WSP Socks Server
configuration:
<server-list>
<name>SERVERLIST1</name>
<server-entry>
<name>Socks Server</name>
<protocol>SOCKS</protocol>
<server-data-hook>
<library-file-name>
C:\EA\wsp\plugins\socks5\sdh_socks5.dll
</library-file-name>
<configuration-Section>
<settings>0</settings>
</configuration-Section>
</server-data-hook>
</server-entry>
Parameter
Description
<server-entry>
<protocol>
<server-data-hook>
<library-file-name>
<dll-path>
<settings>
18.3.3.3.
The following section describes the parameters of the HOB WSP authentication
library:
<authentication-library>
<library-file-name>
C:\EA\wsp\plugins\wspauth\sdh-auth.dll
</library-file-name>
<configuration-Section>
<settings>0</settings>
</configuration-Section>
</authentication-library>
Parameter
Description
<library-file-name>
<settings>
Parameter
Description
<sign-on-time>
<trimming-in-ineta>
<trimming-in-port>
<trimming-twin-list>
<trimming-twin-url>
Parameter
Description
<user>
<name>
<password>
<privileges-mask>
<desktop-ineta>
<desktop-port>
<gate-out-ineta>
Parameter
Description
parameter is optional.
<mac-address>
<wait-connect>
<name>
<select-server>
<server-list-name>
This is the sub-entry of the parameter <select-server> (see above). The name of the server list to be
used for the <connection> in which <select-server> is a sub-entry is specified here. Please see
the <server-list> entry for more information.
18.6. RADIUS
For RADIUS authentication, the radius server definitions are in the section
<radius-server>. Below is a sample configuration of the section <radius-server>, and following that is a table explaining the parameters that can be
specified for this section.
<radius-server>
<name>RADIUS1</name>
<gate-ineta>adapter2.mycompany.com</gate-ineta>
<radius-ineta>RADIUS.mycompany.com</radius-ineta>
<radius-port>1812</radius-port>
<timeout>5</timeout>
<shared-secret>shared_secret</shared-secret>
</radius-server>
Description
<name>
<gate-ineta>
<radius-ineta>
Parameter
Description
<radius-port>
<timeout>
<shared-secret>
Parameter
Description
<ocsp-responder>
<OCSP-URL>
URL of OCSP-responder
<gate-ineta>
<OCSP-ineta>
<OCSP-port>
<timeout>
<wait-retry>
Parameter
Description
<SSL-config-file>
<SSL-certdb-file>
<SSL-password-file>
<usage-DN>
This is an optional parameter. You can enter CHECKURL if you want to check the distinguished name of a
certificate.
</allow>
</target-filter>
Parameter
Description
<name>
<allow>
<deny>
<DNS-name>
<ineta>
<port>
19. Index
A
Authentication
Definition 35
EA Server 36
LDAP 35
MS Active Directory 85
RADIUS Server 35
Token 35, 82
via Token 82
C
Change password 72
Client System Requirements see Installation
Configuration program
WSP see WSP
Configuration Program
HOB EA Administration see HOB EA
Administration
Connection Models
EA Server (Standard) 27
Connection modes
WebProfile 80
Console Messages see Trouble-Shooting
Container see HOB EA Administration
D
Database Elements see HOB EA Administration
G
Group see HOB EA Administration
H
hclient.pwd see SSL
HOB Desktop-on-Demand 9, 38
IP Address 96
Port 96
Remote Desktop see HOB Desktop-on-Demand
Wake-on-LAN 90
Wake-on-LAN Relay 95
HOB Desktop-on-Demand 89
HOB EA Administration
Configuration Program 28
Database Elements
Container 30
Group 30
Object 30
Database Elements 29
Firm 29
start 106
HOB Enterprise Access see User Management
HOB RD VPN
Installing see Installing
Security Check
SSL Security 105
Security-Check 115
Firewall 116
Logging 117
Ports 116
Server 115
Uninstallation see Uninstallation
EA Server 33
close 33
Service 38
start 33
EA-Server
Service 33
HOB VDI 9, 37
HOB VDI Agent 98
I
F
Firewall see HOB RD VPN
Firm see HOB EA Administration
Inheritance
User Settings 27
Installation
System Requirements
Client System 14
Installing
HOB RD VPN 15
IP Address for Wake-on-LAN see HOB Desktop-on-Demand
L
LDAP 33, 34
User management see User management
with MS Active Directory see Authentication
Logging see HOB RD VPN
M
MS Active Directory see Authentication
O
Object see HOB EA Administration
P
Change password 72
Port for Wake-on-LAN see HOB Desktop-on-Demand
Ports see HOB RD VPN
PPP 51
PPP-Tunnel 51
R
RADIUS Server see Authentication
Server
hserver.* 108
See
Client
hclient.pwd 112
SSL-Security see HOB RD VPN
start
WSP see WSP
Startup Options Manager 34
SUOS see Single-user operating system
T
Token see Authentication
Trouble-Shooting
Console Messages 120
Trouble-Shooting 119
Event Log 119
Windows Dump 119
U
Uninstallation
HOB RD VPN 26
User management
LDAP 34
User Management
HOB Enterprise Access 27
User Settings
Inheritance 27
W
Wake-on-LAN see HOB Desktop-on-Demand
S
Security-Check see HOB RD VPN
Server see HOB RD VPN
Service
EA Server 33, 38
WebSecureProxy 39
Windows Dump see Trouble-Shooting
Windows Service
EA Server 33
EA-Server 38
WSP
Configuration 36
start 36, 38, 39
stop 38, 39