Requirements on terminals and network
Telia Secure Remote User, TSRU (version 7.3 R6)
TSP-2657_1-1010

Contents
Introduction
Platform support
  Cross Platform support
    Web and file browsing
    Client-side Applets
    Secure Terminal Access
    Java Secure Application Manager (J-SAM)
    Network Connect, NC
    Junos Pulse
    Host Checker
    Cache Cleaner
  Windows only support
    Secure Application Manager (W-SAM)
    Terminal Services
    Secure Virtual Workspace
  Adaptive delivery for client applications
  Juniper Installer Service
  Mobile Devices
    Web and file browsing (SSL-VPN)
    Junos Pulse for iPhone (VPN-client)
    Host Checker
Network requirements
Required rights to run and install applications
  Secure Application Manager (WSAM)
  Secure Application Manager (JSAM)
  Network Connect
  Terminal Services Component
  Citrix Terminal Services Component
  Host Checker (includes Secure Virtual Desktop)
  Cache Cleaner
Introduction

In this document we describe the requirements on terminals that are to be used with the service Telia Secure Remote User, TSRU. The document also describes the requirements on the customer's network that must be fulfilled to use the different types of functions and clients in Telia Secure Remote User. There is also a chapter on the rights required to run and install applications on the different platforms.

Platform support

All browsers are 32-bit browsers unless otherwise specified.
Windows Vista or Vista refers to Vista Enterprise/Ultimate/Business/Home Basic/Home Premium.
Windows 7 refers to Windows 7 Enterprise/Ultimate/Business/Home Basic/Home Premium.
Windows 8 refers to Windows 8 normal edition/Pro/Enterprise/RT.

Cross Platform support

In this section we describe the technical requirements that must be met to use the different functions and client software in Telia Secure Remote User. Each function is described briefly, and at the end of the chapter you'll find a chart of the supported platforms for:
  Web and File Browsing
  Secure Client-side Applets
  Secure Terminal Access
  Java Secure Application Manager (J-SAM)
  Network Connect
  Junos Pulse
  Host Checker and Cache Cleaner

Web and file browsing

This function is SSL-VPN using your web browser: after a successful login via Telia Secure Remote User to the company's intranet, the user can access local resources on your network (no specific VPN client is needed on the terminal). The user ends up on a web portal from which different services can be reached, e.g. web applications and files.
Client-side Applets

This function lets users browse to web pages containing client-side Java applets. Telia Secure Remote User appears to the application server as a browser over SSL. It transparently handles any HTTP requests and TCP connections initiated by a Java applet, and it handles signed applets.

Secure Terminal Access

This function is used mainly to establish terminal access, e.g. VT100, and can only establish Telnet or SSH connections into the local network. The Telnet/SSH option enables users to connect to internal server hosts in the clear using the Telnet protocol, or to communicate over an encrypted Secure Shell (SSH) session, through a web-based terminal session emulation. This feature supports the following applications and protocols:
  Network protocols: Telnet and SSH.
  Terminal settings: VT100, VT320 and derivatives, and screen buffers.
  Security: web/client security using SSL, and host security (such as SSH if desired).

Java Secure Application Manager (J-SAM)

The Java version of the Secure Application Manager provides support for static TCP port client/server applications, including enhanced support for Microsoft MAPI, Lotus Notes, and Citrix NFuse. JSAM also provides NetBIOS support, which enables users to map drives to specified protected resources. JSAM works well in many network configurations but does not support dynamic-port TCP-based client/server applications, server-initiated connections, or UDP traffic.

Network Connect, NC

Network Connect is a VPN client available for Windows, Mac and Unix computers. The standard way of delivering this client in Telia Secure Remote User is automatic distribution and installation on the user's terminal the first time the user needs it (this automated provisioning requires that the user has admin rights on the terminal). The same automated mechanism is used to upgrade installed VPN clients, seamlessly for the user. As an option, the client can also be distributed separately by the IT department, or packaged together with other applications the user is to use.

Junos Pulse

Junos Pulse is the next-generation VPN client for Windows and Mac OS computers. The Pulse client is also available for mobile devices (smartphones); users of mobile devices can install the Pulse client app from the respective app stores.
Host Checker

Host Checker is an optional component in Telia Secure Remote User that you can use to perform endpoint checks on hosts that connect to Telia Secure Remote User. Host Checker checks for third-party applications, files, processes, ports, registry keys, and custom DLLs, as well as the NetBIOS name, MAC address, or certificate of the client machine, and denies or allows access based on the results of the checks. When a user's computer does not meet the requirements you specify, you can display remediation instructions so the user can bring the computer into compliance. For example, you may choose to check for virus detection before allowing a user access to any of the IVE realms, launch the software on the user's system if necessary, map the user to roles based on individual policies defined in your own DLL, and then further restrict access to individual resources based on the existence of spyware detection software.

Implementing Host Checker requires consultancy time from Telia. There is also a specific document listing the security software products that are supported and can be used; no other security software is supported by Telia. You can download this document at www.telia.se/supportsecureremoteuser.

Cache Cleaner

Cache Cleaner is a client-side agent that removes residual data, such as temporary files or application caches, left on a user's machine after the SSL-VPN session (web browser based session). For example, when a user signs in to Telia Secure Remote User from an Internet kiosk and opens a Microsoft Word document using a browser plug-in, Cache Cleaner can remove the temporary copy of the Word file stored in the browser cache when the session terminates. By removing the copy, Cache Cleaner prevents other kiosk users from finding and opening the Word document after the user concludes the session.
Cache Cleaner can also prevent Web browsers from permanently storing the usernames, passwords, and Web addresses that users enter in Web forms. By preventing browsers from improperly caching this information, Cache Cleaner keeps confidential user information from being stored on untrusted systems.
Supported platforms (cross platform functions):

Windows
  Operating systems: Windows 8 on 32-bit or 64-bit platforms; Windows 8 Enterprise on 32-bit; Windows 7 on 32-bit or 64-bit platforms; Windows 7 SP1 Enterprise on 32-bit; Windows Vista on 32-bit or 64-bit platforms; Windows XP with SP3 on 32-bit.
  Browsers and environment: Internet Explorer 10 (desktop mode only); Internet Explorer 9.0; Internet Explorer 8.0; Internet Explorer 7.0; Firefox 3.0 and above, including FF10; Oracle JRE 6 and above.

Mac
  Operating systems: Mac OS X 10.6.x, 32-bit and 64-bit; Mac OS X 10.7.x, 32-bit; Mac OS X 10.8.x, 32-bit.
  Browsers and environment: Safari 6.0 with Sun JRE 6; Safari 5.1 with Sun JRE 6; Safari 5.0 with Sun JRE 6.

Linux
  Operating systems: OpenSuse 10.x and 11.x; Ubuntu 9.10, 10.x and 11.x; Red Hat Enterprise Linux 5.
  Browsers and environment: Firefox 3.0 and above; Oracle JRE 6 and above.

Solaris (J-SAM only)
  Operating system: Solaris 10, 32-bit only.
  Browsers and environment: Mozilla 2.0 and above.

For Mac, Linux and Solaris J-SAM implementations:
  Automatic editing of the hosts file is only available for root users.
  Ports below 1024 are only available for root users.
Windows only support

In this section we describe the technical requirements for features and software that can only run on the Windows operating system. Each function is described briefly, and at the end of the chapter you'll find a chart of the supported platforms for:
  Secure Application Manager (WSAM)
  Terminal Services
  Enhanced Endpoint Security (EES)
    Note: Requires administrator privileges or Juniper Installer Service.
    Note: EES is not supported on 64-bit XP or on Windows 8.
  Secure Virtual Workspace
    Note: Secure Virtual Workspace is supported only on 32-bit operating systems and is not supported on Windows 8.

Secure Application Manager (W-SAM)

WSAM is a Windows-based solution that enables you to secure traffic to individual client/server applications such as Lotus Notes, Microsoft Outlook, Citrix, and NetBIOS file browsing, as well as to application servers. You can download and launch WSAM using an ActiveX control hosted by Telia Secure Remote User, a Java delivery mechanism, or the WSAM launcher pre-installed on the client.

Terminal Services

Use the Terminal Services feature to enable a terminal emulation session on a Windows terminal server, Citrix NFuse server, or Citrix MetaFrame server. You can also use this feature to deliver the terminal services clients through Telia Secure Remote User, eliminating the need for another web server to host the clients.

Secure Virtual Workspace

Secure Virtual Workspace makes it possible to connect securely to the company network from an unsecured computer, e.g. in an Internet café or other places with untrusted computers. A secure workspace is created on that computer, and everything done on the computer thereafter is protected and erased when the session ends. All work is encrypted and no traces are left behind (American standard 5220.M).
Supported platforms (Windows only functions):

Windows
  Operating systems: Windows 8 Enterprise 32-bit; Windows 8 on 32-bit or 64-bit platforms; Windows 7 on 32-bit or 64-bit platforms; Windows 7 SP1 Enterprise on 32-bit; Windows Vista on 32-bit or 64-bit platforms; Windows XP with SP3 on 32-bit.
  Browsers and environment: Internet Explorer 10 (desktop mode only); Internet Explorer 9.0; Internet Explorer 8.0; Internet Explorer 7.0; Firefox 3.0 and above, including FF10; Oracle JRE 6 and above.
Adaptive delivery for client applications

Adaptive delivery of client applications means that Telia Secure Remote User recognises which terminal type is trying to use a certain function and delivers the matching client, e.g. a Mac OS version of Network Connect, when the user wants to use that function for the first time. Where ActiveX is disabled or not available due to platform or privilege limitations, the client application is installed using Java. Adaptive delivery is available for Host Checker, Enhanced Endpoint Security, WSAM, Network Connect and Terminal Services. Installing Sun JRE 6 or greater may improve the user experience of adaptive delivery for the Juniper client applications.

Juniper Installer Service

Juniper Installer Service enables easy installation of client applications on computers where administrator rights are required for the installation. It also enables Telia to initiate upgrades easily when agreed with the customer. Juniper Installer Service is supported for the following client applications: Network Connect, Secure Application Manager (W-SAM), Host Checker, Cache Cleaner and Terminal Services.

Supported platforms (Juniper Installer Service):

Windows
  Operating systems: Windows 8 on 32-bit or 64-bit platforms; Windows 8 Enterprise 32-bit; Windows 7 on 32-bit or 64-bit platforms; Windows 7 SP1 Enterprise on 32-bit; Windows Vista on 32-bit or 64-bit platforms; Windows XP with SP3 on 32-bit.
  Browsers and environment: Internet Explorer 10; Internet Explorer 9.0; Internet Explorer 8.0; Internet Explorer 7.0; Firefox 3.0 and above, including FF10; Oracle JRE 6 and above.
Mobile Devices

Web and file browsing (SSL-VPN)

Supported platforms:
  Android: qualified versions 2.3, 3.1, 3.2 and 4.0; compatible versions 2.1, 2.2.
  iOS (iPhone, iPad and iPod): qualified version 5.1.1; compatible versions 4.3.1, 4.3.3, 4.3.5* and 5.0.1.
  Windows Mobile: qualified version 6.5; compatible versions 6.1 and 6.0.

Supported features for IPv4 (Android / iOS / Windows Mobile):
  VPN: Yes (ICS)** / Yes / Yes (WSAM)
  HC (Host Checker): Yes / Yes / Yes
  Secure Meeting: No / Yes / No
  ActiveSync: Yes / Yes / Yes
  Rewriting: Yes / Yes / Yes

** VPN support is available for Android ICS (version 4.0). For supported versions prior to ICS, an Android platform build should be used or VPN drivers should be installed.
WSAM supports TCP-based, client-initiated applications only.

Junos Pulse for iPhone (VPN-client)

Junos Pulse can create an authenticated Layer 3 SSL VPN session between an Apple iPhone or Apple iPod Touch and Telia Secure Remote User. Junos Pulse enables secure connectivity to corporate applications and data. Junos Pulse is available for download from the iTunes App Store. Junos Pulse for iPhone (and iPod Touch) requires Apple iOS 4.1 or higher. The Junos Pulse VPN app supports the following features:
  Full Layer 3 tunneling of packets
  UDP/ESP and NCP/SSL modes
  All types of authentication, including client certificate authentication
  Split tunneling modes:
    Split tunneling disabled, with access to the local subnet
    Split tunneling enabled

Supported platforms for Junos Pulse:
  iOS
    Qualified versions: 7.0, 6.0
    Qualified devices: iPhone 5, iPhone 4 and 4S; iPad 2, iPad 3, iPad 4, iPad Mini; iPod Touch (running iOS 6 and above)
  Android
    Qualified versions: 2.3.3, 3.0, 4.0, 4.1, 4.2, 4.3
    Qualified devices: Kindle Fire HD, HTC Thunderbolt, Samsung Galaxy S, S2, S3, 10 Tablet, Galaxy Note, Google Nexus (S), HTC Incredible S710, Motorola Atrix
    Compatible versions: 3.1, 2.3.5, 2.3.4
    Compatible devices: Various

Host Checker

Host Checker is an optional component in Telia Secure Remote User that you can use to perform endpoint checks on hosts that connect to Telia Secure Remote User. Implementing Host Checker requires consultancy time from Telia.

Note: For non-qualified mobile platforms, customers may need to provide Telia with an activated device if an issue is not reproducible on any of the qualified platforms.
Network requirements

General requirements for using and accessing the customer's internal network via Telia Secure Remote User:
  The terminal must have access to the Internet.
  The terminal must have access to a DNS server so that domain names can be translated to IP addresses.
  TCP port 443 (https) must be open in the firewall if there is a firewall between the user and the Internet.
  Network Connect optimized mode requires UDP port 4500 to be open, but Network Connect also works, with reduced performance, if only TCP port 443 is open.
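A pre-flight check for the requirements listed above, written in Python as an added example (not Telia's or Juniper's own tooling). The gateway host name is a constructed placeholder; the DNS and TCP 443 checks are direct, while the UDP 4500 probe can only distinguish a port that is actively refused from one that is open or silently filtered, which is exactly the distinction between Network Connect optimized mode and its TCP 443 fallback.

```python
"""Pre-flight check of the TSRU terminal network requirements: DNS resolution,
TCP 443 reachable, and UDP 4500 open for Network Connect optimized mode
(TCP 443 alone gives the reduced-performance fallback). Added example."""
import socket

GATEWAY = "tsru-gateway.example.invalid"  # constructed placeholder, not a real Telia host


def default_resolve(host):
    """Resolve through the terminal's configured DNS; None if resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def default_tcp_connect(ip, port, timeout=3.0):
    """True if a TCP handshake to ip:port completes, i.e. the firewall lets it out."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def default_udp_probe(ip, port, timeout=2.0):
    """Send an empty datagram and wait briefly. An ICMP port-unreachable shows
    up as ConnectionRefusedError on the recv and means the port is closed;
    silence means open or filtered, which is all a client-side check can see."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"", (ip, port))
            s.recvfrom(1)
        except ConnectionRefusedError:
            return False
        except OSError:  # timeout or other error: no rejection observed
            pass
    return True


def check_requirements(host, resolve=default_resolve,
                       tcp_connect=default_tcp_connect, udp_probe=default_udp_probe):
    """Return (verdict, details): 'fail' (no SSL-VPN), 'reduced' (TCP 443 only) or 'ok'."""
    details = {"dns": None, "tcp443": None, "udp4500": None}
    ip = resolve(host)
    details["dns"] = ip is not None
    if ip is None:
        return "fail", details
    details["tcp443"] = tcp_connect(ip, 443)
    if not details["tcp443"]:
        return "fail", details
    details["udp4500"] = udp_probe(ip, 4500)
    return ("ok" if details["udp4500"] else "reduced"), details


if __name__ == "__main__":
    verdict, info = check_requirements(GATEWAY)
    print(verdict, info)
```

The resolver, TCP and UDP checks are injectable so the decision logic can be exercised without network access.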
Required rights to run and install applications

The following tables outline the rights required to install and run the following client-side components in Telia Secure Remote User using the ActiveX, ActiveX installer service, and Java mechanisms:
  Secure Application Manager (WSAM)
  Secure Application Manager (JSAM)
  Network Connect
  Junos Pulse
  Terminal Services Component
  Citrix Terminal Services Component
  Host Checker (includes Secure Virtual Workspace)
  Cache Cleaner

Secure Application Manager (WSAM)

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux | More Information
  Install: Power User or Administrator (ActiveX); Not Applicable (Mac/Linux)
  Run: Standard User

NOTE: Restricted users can perform the initial installation of WSAM with the installer service only if they start the installation by clicking the WSAM link in the user's portal page.
The ActiveX installer requires users to reboot their systems after an installation or upgrade (Windows Mobile only).
Users must have ActiveX components or Java enabled in their browsers to use the WSAM installers.
Secure Application Manager (JSAM)

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Run: User, Power User or Administrator (Windows, see the notes below); Admin/Root (Mac/Linux)

NOTE: The client system asks for the administrator password when JSAM launches.

NOTE:
  JSAM on Windows XP/2000:
    Automatic host mapping: you must have the rights to run regedit.exe in "read-only" mode, and the rights to modify the hosts file.
    Outlook and NetBIOS applications: you must have the rights to run regedit.exe in "read/write" mode.
  JSAM on Windows Vista and 7:
    Automatic host mapping: you must have the rights to install jsamtool.exe on the system and run it.
    Outlook and NetBIOS applications: you must have the rights to install jsamtool.exe on the system and run it.
  JSAM on Mac OS X:
    Automatic host mapping: you must provide the administrator password when JSAM prompts for it at launch.
    Any applications that listen on ports below 1024: you must provide the administrator password when JSAM prompts for it at launch.
  JSAM on Linux:
    Automatic host mapping: you must be the root user.
    Any applications that listen on ports below 1024: you must be the root user.
Network Connect

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Install: Power User or Administrator (ActiveX)
  Run: Standard User (Windows); Standard User* (Mac/Linux)

* Linux also requires root rights to upgrade or downgrade Network Connect. Macintosh does not have this restriction.

NOTE: Restricted users can perform the initial installation of Network Connect with the installer service only if they start the installation by clicking the Network Connect link in the user's portal page.
(Mac only) When Network Connect is first installed (before ncinstallhelper exists on the system), you must provide the administrator password when prompted during the installation. On subsequent launches no special privileges are required.
When the installer service is running, uninstalling Network Connect as a restricted user should be done from the user's browser preferences page.

Terminal Services Component

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Install: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)
  Run: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)
Citrix Terminal Services Component

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Citrix Client Install: Power User or Administrator (all delivery mechanisms)
  Citrix Client Run: Power User or Administrator (all delivery mechanisms)

Host Checker (includes Secure Virtual Desktop)

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Install: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)
  Run: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)

NOTE: If you implement Secure Virtual Workspace (SVW) through Host Checker, note that restricted users, power users, and admins all have adequate rights to install and run SVW.

Cache Cleaner

Client/Action: ActiveX | ActiveX: Installer Service | Java | Mac/Linux
  Install: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)
  Run: Power User or Administrator (ActiveX, ActiveX Installer Service and Java)