Proof of Concept Guide
Version 4.0
Published: OCT-2013
Updated:

2005-2013 Propalms Ltd. All rights reserved.

The information contained in this document represents the current view of Propalms Ltd. on the issues discussed as of the date of publication. Because Propalms Ltd. must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Propalms Ltd., and Propalms Ltd. cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. PROPALMS LTD. MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Propalms Ltd.

Contact Propalms Ltd.
Email: info@propalms.com
Call: +44 (0)1904 567760

CONTENTS

OneGate Components
  OneGate Gateway
  OneGate Management Console
  OneGate OS Console
  OneGate Access Modes
Preparing for Proof of Concept
  OneGate Availability
  Deployment
  Physical / Virtual Hardware Requirements
  Evaluation License Requirements
Integration Requirement
  Directory Services Integration
  Firewall Changes
Proof of Concept Checklist
Propalms OneGate Technical Specifications

ONEGATE COMPONENTS

ONEGATE GATEWAY

This is the core gateway component of the solution. The OneGate gateway is built of a web server, SSL engine, session manager, policy manager and policy database. The OneGate gateway is developed as a high-performance, scalable service written in C and C++ and runs on a hardened Linux-based OS. The components of the OneGate gateway are:

- Propalms OneGate core server: proprietary OneGate server engine developed by Propalms
- Propalms OS: CentOS 5.0 Linux distribution (hardened), kernel 2.6
- Apache web server: serves the management pages and the portal
- Propalms configuration database: configuration database
- OpenSSL: the SSL engine of Propalms OneGate is based on the open source OpenSSL library

ONEGATE MANAGEMENT CONSOLE

Propalms OneGate provides a built-in, web-based management console. Through the management console, a OneGate administrator can perform complete OneGate system management and maintenance. The OneGate management console is available only to certificate-based logins of the security officer and administrators.

ONEGATE OS CONSOLE

The OneGate OS Console is the Linux menu-driven interface developed by Propalms for low-level maintenance of the OneGate appliance. This console is visible when a console is connected to the OneGate appliance. Using the OS Console interface, administrators can set networking parameters, reinstall the firmware and get access to the full CLI mode of Propalms OS.

ONEGATE ACCESS MODES

OneGate's access modes are the different ways that users can log in to Propalms OneGate and access corporate network resources. These modes are:

1. OneGate Portal: Propalms OneGate comes as a web portal for remote users. Users can use any browser of their choice to log in to Propalms OneGate and access network resources. The portal is enabled with a Java-based plug-in that provides enhanced security to users as well as enabling access to client-server based applications. Users logging in to the web portal can access web-based applications as well as client-server based applications. Along with this, the web portal is enabled with Java-based terminal emulators that provide a set of ready-to-use applications to mobile users, such as FTP, SSH, Telnet, RDP, VNC and file share.

2. OneGate Desktop Client: Propalms OneGate comes with a desktop client that a user can install on their Windows PC, Linux or Mac OS desktop, removing the need to go to the browser every time. The desktop client gives much faster connectivity to the user and is very helpful for users who stay connected to OneGate for longer periods. The desktop client has an application launcher that lists all the applications the user has access to. This enhances the user experience and reduces the time needed to train users to access resources over OneGate.

3. OneGate Mobile Clients: Propalms provides mobile clients for smartphones and tablets. The mobile client is called Propalms Universal Client and is currently available for iPad, iPhone and Android-based devices. Propalms Universal Client is a single client that can connect to different Propalms solutions and delivers applications, desktops and network services. Currently only Propalms TSE, Propalms Pano VDI and RDP-based applications are supported over Propalms Universal Client.

Shown below is a comparison of the different access modes:

Platform supported
  Web Portal: Windows (Linux/Mac support by Q1 2013)
  Desktop Client: Windows; Mac OS X Lion / Snow Leopard; Linux: all flavors
  Mobile Client: iPad 4.0/5.0; iPhone; Android 2.2 and higher
Browser supported
  Web Portal: Internet Explorer 7.0 and higher, Firefox, Chrome
  Desktop Client: -
  Mobile Client: -
Applications supported
  Web Portal: Web, thin applications, client-server, any TCP/UDP application
  Desktop Client: Web, thin applications, client-server, any TCP/UDP application
  Mobile Client: Propalms TSE, Propalms Pano VDI, RDP
Advantage
  Web Portal: Seamless access; ease of use; zero training involved
  Desktop Client: Seamless access; ease of use; power users love it
  Mobile Client: Access over tablets and smartphones
Java requirement
  Web Portal: Requires Java
  Desktop Client: -
  Mobile Client: -
Admin rights requirements
  Web Portal: Requires admin rights on first use only
  Desktop Client: Requires admin rights on first use only
  Mobile Client: -
Upgrades
  Web Portal: Self-upgrades
  Desktop Client: Self-upgrades
  Mobile Client: Via AppStore/Market

PREPARING FOR PROOF OF CONCEPT

ONEGATE AVAILABILITY

Propalms OneGate is available as a software installer ISO image. This single-click integrated ISO image installs both Propalms OS and Propalms OneGate on any custom hardware. The installer ISO can be downloaded from the Propalms website (http://www.propalms.com).

Propalms OneGate is also available in Open Virtualization Format (OVF), an open standard for packaging and distributing virtual appliances to be run in virtual machines. The Propalms OneGate Virtual Appliance has been verified with VMware ESXi. The Virtual Appliance is downloadable from the Propalms website (http://www.propalms.com). Simply extract the image file and import it directly into your VMware environment and you are ready to go.

Propalms OS is a CentOS-based platform, hence any hardware that supports that Linux distribution is supported by Propalms OS. Propalms OS is available in both 32-bit and 64-bit versions. The functionality of the OneGate platform is the same irrespective of the underlying platform.

DEPLOYMENT

For a Proof of Concept (PoC), we suggest a close-to-real-life deployment as shown in the diagram. Propalms OneGate can be set up in the DMZ network or connected to a LAN switch. Only one of the interfaces of the OneGate gateway needs to be connected. This is the simplest deployment and is recommended for production deployment also.

[Diagram: OneGate in DMZ or LAN. Remote users on the Internet reach the firewall, which creates a NAT for port 443 to the DMZ/LAN IP address of the OneGate server; behind the firewall a switch connects OneGate, Active Directory and the application servers.]

PHYSICAL / VIRTUAL HARDWARE REQUIREMENTS

Shown below are some example server hardware requirements and the approximate number of concurrent users supported.

Up to 50 users
  CPU: any CPU, 2.0 GHz
  RAM: 2 GB
  Hard disk space: 4 GB minimum
  Network card: 100 Mbps
100 users
  CPU: any standard dual-core CPU, 2.0 GHz
  RAM: 2 GB
  Hard disk space: 4 GB minimum
  Network card: 100 Mbps
250 users
  CPU: any standard dual-core CPU, 2.0 GHz
  RAM: 4 GB
  Hard disk space: 50 GB minimum
  Network card: 2 x 1 Gbps
500 users
  CPU: Xeon quad-core entry-level processor, 2.0 GHz
  RAM: 8 GB
  Hard disk space: 100 GB minimum
  Network card: 2 x 1 Gbps
1000 users
  CPU: Xeon quad-core processor, 2.4 GHz
  RAM: 16 GB
  Hard disk space: 160 GB minimum
  Network card: 2 x 1 Gbps

EVALUATION LICENSE REQUIREMENTS

When Propalms OneGate is freshly configured, a 5-user evaluation license valid for 30 days is available by default. To test more users or to extend the evaluation period, simply ask for an evaluation license key by emailing info@propalms.com.

INTEGRATION REQUIREMENT

DIRECTORY SERVICES INTEGRATION

Propalms OneGate can integrate with an existing Active Directory infrastructure to apply authentication and authorization to existing users. The following details are needed to integrate Active Directory with OneGate:

1. IP address/hostname of the domain controller
2. Distinguished Name (DN) of a domain user who is a member of the Account Managers group, i.e. the user should have account management rights
3. Password of this user
4. Search base in the domain controller
5. Whether SSL is enabled on Active Directory or not
6. If users must be able to change their domain password via OneGate, SSL MUST be enabled on Active Directory.

FIREWALL CHANGES

Propalms OneGate must be available to users on a public IP address so that users outside the office network can access the OneGate services. The following configuration changes are required on the firewall for accessing Propalms OneGate over the Internet:

- A NAT rule needs to be created on the firewall to allow HTTPS traffic (port 443) from the outside world to the Propalms OneGate gateway's internal IP address.
- In case Propalms OneGate is deployed in the DMZ, the necessary firewall configuration should be created so that traffic coming from the Propalms OneGate gateway IP address is allowed to reach the application servers deployed in other network segments (such as the LAN). Traffic coming from Propalms OneGate for the internal application servers and network segments must be permitted on the firewall's DMZ port.

IMPORTANT: It is recommended to refer to the Propalms OneGate Quick Start Guide and Propalms OneGate Administration Guide for detailed information. Download the latest Propalms OneGate documents from http://www.propalms.com/download/documentation.php#onegate
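Before the PoC, it is worth checking the integration inputs above on paper, since a missing DMZ rule or a password-change requirement without SSL on Active Directory only shows up as a failed login later. The following script is an added example, not Propalms code: it validates the six directory-service inputs for consistency (DN syntax, the item 6 rule that password change requires SSL) and checks a proposed firewall rule set for the two flows the guide requires. The hostnames, IP addresses, rule model and sample rules are constructed for the example; adapt the rule model to whatever firewall you export from.

```python
"""Pre-flight check of the OneGate AD and firewall prerequisites (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AdIntegration:
    domain_controller: str        # 1. IP address/hostname of the domain controller
    bind_dn: str                  # 2. DN of the account-management user
    bind_password: str            # 3. its password
    search_base: str              # 4. search base
    ssl_enabled: bool             # 5. SSL enabled on Active Directory?
    allow_password_change: bool   # 6. users may change their domain password via OneGate?


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; escaped commas are not handled."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.upper(), value))
    return pairs


def check_ad(cfg: AdIntegration) -> list[str]:
    """Return the problems found; an empty list means the inputs are consistent."""
    problems = []
    if not cfg.domain_controller.strip():
        problems.append("domain controller hostname/IP is empty")
    for label, dn in (("bind DN", cfg.bind_dn), ("search base", cfg.search_base)):
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if not cfg.bind_password:
        problems.append("bind password is empty")
    # Guide, item 6: password change via OneGate needs SSL on Active Directory.
    if cfg.allow_password_change and not cfg.ssl_enabled:
        problems.append("password change via OneGate requires SSL on Active Directory")
    return problems


def ldap_port(cfg: AdIntegration) -> int:
    """Port to permit towards the DC: 636 with SSL, 389 without (standard LDAP ports)."""
    return 636 if cfg.ssl_enabled else 389


@dataclass(frozen=True)
class Rule:
    action: str                       # "nat" or "allow" (constructed rule model)
    src: str                          # "any" or CIDR
    dst: str                          # "any" or CIDR; for nat, the public address
    dport: int | None = None
    proto: str = "tcp"
    translate_to: str | None = None   # nat only: internal address the flow is sent to


def _matches(net: str, host: str) -> bool:
    return net == "any" or ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False)


def check_firewall(rules: list[Rule], gateway_ip: str, app_servers: list[str],
                   in_dmz: bool) -> list[str]:
    """Check the guide's two firewall requirements against a rule set."""
    problems = []
    # Requirement 1: NAT inbound HTTPS (TCP/443) to the gateway's internal IP.
    if not any(r.action == "nat" and r.proto == "tcp" and r.dport == 443
               and r.translate_to == gateway_ip for r in rules):
        problems.append(f"no NAT rule forwarding TCP/443 to gateway {gateway_ip}")
    # Requirement 2 (DMZ deployments): the gateway must be allowed to reach the
    # application servers in the other segments (such as the LAN).
    if in_dmz:
        for server in app_servers:
            if not any(r.action == "allow" and _matches(r.src, gateway_ip)
                       and _matches(r.dst, server) for r in rules):
                problems.append(f"gateway {gateway_ip} is not allowed to reach "
                                f"application server {server}")
    return problems


# Constructed sample inputs.
AD_OK = AdIntegration("dc01.corp.example", "CN=svc-onegate,OU=Service Accounts,DC=corp,DC=example",
                      "secret", "DC=corp,DC=example", ssl_enabled=True, allow_password_change=True)
AD_NO_SSL = AdIntegration("dc01.corp.example", "CN=svc-onegate,DC=corp,DC=example",
                          "secret", "DC=corp,DC=example", ssl_enabled=False, allow_password_change=True)
GATEWAY_IP = "10.10.1.20"                        # OneGate interface in the DMZ
APP_SERVERS = ["192.168.1.10", "192.168.1.11"]   # application servers in the LAN
RULES_COMPLETE = [
    Rule("nat", "any", "203.0.113.5", 443, "tcp", translate_to=GATEWAY_IP),
    Rule("allow", "10.10.1.20/32", "192.168.1.0/24"),
]
RULES_MISSING_DMZ_ALLOW = RULES_COMPLETE[:1]     # forgot the DMZ-to-LAN allow rule


if __name__ == "__main__":
    print("AD (SSL on):", check_ad(AD_OK) or "ok", "- LDAP port", ldap_port(AD_OK))
    print("AD (SSL off):", check_ad(AD_NO_SSL))
    print("Firewall complete:", check_firewall(RULES_COMPLETE, GATEWAY_IP, APP_SERVERS, in_dmz=True) or "ok")
    print("Firewall incomplete:", check_firewall(RULES_MISSING_DMZ_ALLOW, GATEWAY_IP, APP_SERVERS, in_dmz=True))
```

The NAT check keys on the translated internal address rather than the public one, because it is the gateway's internal IP that the guide says the rule must deliver traffic to; the DMZ check is per application server so that a rule covering only part of the LAN is reported rather than masked.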

PROOF OF CONCEPT CHECKLIST

Use this list as a brief checklist to track and record your PoC of Propalms OneGate. Not all steps are mandatory.

- Propalms OneGate OS installed on hardware
- LAN IP address assigned to Propalms OneGate
- Propalms OneGate bootstrap process run
- First security officer registered
- First security officer enrolled
- Logged into OneGate management console
- Moved OneGate from Configuration mode to Run mode
- Created another security officer account as backup
- Integrated with external authentication server (AD/RADIUS)
- Applications created on OneGate
- Application groups created on OneGate
- Access control for application access created on OneGate
- Tested login to OneGate via web portal
- Tested login to OneGate via desktop client
- iPad/Android client tested
- Configured SMTP settings
- Tested application access for:
  - HTTP based application
  - HTTPS based application
  - RDP server
  - VNC server
  - Email access
  - Microsoft Exchange Server
  - File share
  - Any other applications
- Configured certificate based authentication for local database users
- Tested endpoint security for checking for AV/FW/AS
- Tested Device ID authentication
- Tested endpoint control policy by blocking Internet, etc.
- Tested user settings backup and restore
- Tested remote meeting feature
- Tested client preference control feature
- Tested one-time password authentication
- Tested network information hiding feature

PROPALMS ONEGATE TECHNICAL SPECIFICATIONS

MANAGEMENT
- Web based management console
- Dashboard with graphical reporting
- Menu driven console interface for system configuration
- Wizard driven installation procedure
- Self-signed certificate generation
- CLI
- Delegated administration
- Certificate based strong authentication for administrators
- Auto checking for configuration errors
- Online license service
- Inline help

APPLICATION SUPPORT
- All web based, TCP and UDP based client-server applications
- Windows file shares and drive mapping
- Dynamic port based applications
- Publish subnet or IP range for network access
- Special support for RDP virtual channels
- Application server load balancing
- Session caching for load balanced applications
- Per application compression switch
- My Desktop and Files for direct personal desktop and file access
- Propalms TSE hosted applications
- Propalms VDI hosted desktops

AUTHENTICATION FEATURES
- Authentication based on user identity, endpoint identity and endpoint trust level
- Multiple user authentication options: static passwords, client certificates, external two factor authentication solutions
- Local database with full customization per user, password policies and password reset support
- Fully integrated client-certificate based two factor authentication server with automatic CA and certificate provisioning
- Email based user provisioning
- Authentication method based application access control
- Integrates with AD/LDAP/RADIUS
- Automatic fetching of group information from AD/LDAP/RADIUS
- Support for multiple authentication servers with cascading mode
- Support for external authorization servers
- Integrated OTP based two factor authentication solution based on SMS/Email/Hardware/Voice/PKI tokens

AUTHORIZATION FEATURES
- Publish applications rather than subnet or network
- Simple access control mechanism
- Access control based on:
  o Device identity and profile
  o User authentication method
  o User role
- Dynamic policy evaluation based on run time information about device, authentication method and user role
- Display of allowed applications and availability of the application server to users
- Time based restriction policies
- Auto-detection of applications running in the corporate network
- Scheduled account expiry
- Block specific groups

AUDITING FEATURES
- Complete reporting of user logons and activity
- Information logged includes:
  o Time of access
  o Username
  o MAC address of endpoint
  o IP address of endpoint
  o Application accessed
  o Device profile
- Detailed logging of endpoint security scan results
- Extract logs in CSV format for feeding to third party report generation
- Search logs
- Auto-archiving of logs
- Monitor and disconnect live users

ENDPOINT MANAGEMENT
- Support for checking for antivirus, firewall and antispyware products
- Real time status check for:
  o Last update time
  o Real time protection check
- Support for checking for MAC ID and IP address
- Application control based on device profile
- Mandatory profile for non-avoidable policy checks on all endpoints
- Quarantine profile for devices that fail all other profiles
- Option to block endpoints that fail to comply with required policies, or to allow them to log in by putting them in the quarantine profile
- Login control based on device signature
- Kill existing TCP connections on user machine
- Block Internet and restrict incoming connection policy
- Block access via proxy server policy

DEPLOYMENT SCALABILITY
- Scalable to thousands of users
- Active-Active N+1 cluster
- VPN connection load balancing, multiple algorithms
- Application connection load balancing can distribute the connections for a specific application across multiple app servers in the LAN based on a round robin function
- Session persistence: users do not need to re-authenticate
- ISP load balancing for incoming connections
- Client side failover using alternate gateways
- 64-bit hardware support

ACCESS MODES
- Multiple access modes:
  o VPN portal with Java applications
  o Full access client for desktops
- Kiosk based access mode for non-admin access
- No configuration required on end user machines
- Client platforms supported:
  o Windows 98/XP/Vista/Windows 7/Windows 8
  o Windows Server 2003/2008/2012
  o Linux OS
  o Mac OS X PPC/Intel 10.4 and above
  o iPad / Android access
- Site to site access

ACCESS SECURITY FEATURES
- SSL 3.0 and TLS 1.0
- Encryption: strongest available: DES, 3DES, AES(256), RC4
- Authentication: MD-5, SHA-1, RSA 1024, RSA 2048
- 4096 bit RSA key CA certificate support
- Internet network masking and IP address/hostname mangling
- Application level gateway and not layer 2 bridging
- Hardened gateway operating system

GATEWAY FEATURES
- Runs on hardened Linux based platform
- Menu driven console interface for easy configuration
- Can run on any standard or custom hardware
- Virtual server for using VPN as HTTPS proxy
- Runs on virtualization platforms from VMware, XenServer, Hyper-V

Propalms Ltd is a global provider of application delivery and secure remote access solutions for Remote Desktop Services and Virtual Desktop Infrastructures. Delivering to enterprises of all sizes, we offer reliable, scalable and affordable solutions that simply work. Our belief is that application delivery solutions should be flexible, dynamic and, above all, simple to use.

2013 Propalms Ltd. All Rights Reserved. Microsoft, Windows are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.