Secure Business Connectivity HOB RD VPN 1.4 Central Data and Applications on Demand. Flexible, Secure, Cost-Effective Edition 09/10
HOB RD VPN 1.4 Central Data and Applications on Demand. Flexible, Secure, Cost-Effective 3 Secure Remote Access Why? 3 Secure Remote Access with HOB Your Competitive Advantage! 3 HOB RD VPN: Work Where You Want, When You Want All You Need is a Browser! 3 Worldwide Flexibility! 3 Technical Excellence! 4 Excellent Cost Savings! 4 Common Criteria Certified! 4 HOB RD VPN 1.4 Key Components for Secure Remote Access 7 Advantages at a Glance 7 WTS Computing Windows Terminal Server Access 7 Web File Access File Access via Web Browser 7 HOB Web Server Gate Intranet Access 7 HOB PPP Tunnel Access to the Corporate Network 8 Universal Client Access for Remotely Installed 3rd Party Applications 8 Optional Products 8 HOB Desktop-on-Demand Remote Access to Workstation PC s 8 HOB VDI-Business Access to Virtual Windows Desktops 8 Legacy Access Dialog-Oriented/Host Application Access 9 Enhanced Terminal Services 9 True Windows 9 Enhanced Load Balancing 10 Enhanced Local Drive Mapping 10 HOB SCS Unix-based Operating System 10 HOB X11 Gate Gateway for Access to Graphical Unix/Linux Applications 10 HOB MacGate Access to Apple Mac OS X 10 Background Technology 11 HOB WebSecureProxy The Central Server Component 11 Advantages at a Glance 11 Security and Performance 11 High Performance on Standard Hardware 11 Supports Tokens for Authentication 11 Supports Client-Side SSL Certificates, e.g., on SmartCards 12 Secure E-Mail on Mobile Devices 12 Central Administration via HOB Enterprise Access Administration 12 Only One TCP Port is Required 12 Anti Split Tunneling 12 Supports IPv6 12 HOBLink JWT The Java RDP Client 12 Advantages of HOBLink JWT at a Glance 12 Virtual Channel Support for Third Party Applications 13 Immediately Online Again! 13 Universal Printer Support with EasyPrint 13 Enhanced Local Drive Mapping 14 Supports International Keyboard Layouts 14 Technical Details 14 Product Assortment 15 System Requirements 15 Things To Come 16 Company Profile 17 Contact Information 17 2
HOB Remote Desktop VPN 1.4 HOB RD VPN 1.4 Central Data and Applications on Demand. Flexible, Secure, Cost-Effective Secure Remote Access Why? Today s enterprises are facing a bigger challenge than ever before: Highest possible efficiency in all areas. In the area of IT, this is done primarily through the implementation of two measures: Centralization of the applications while at the same time de-centralizing the workstations. Especially the supplementation or even partial replacement of traditional office workplaces with home offices helps not only the enterprise, but also accommodates the workforce: According to a recent survey, around two-thirds of a country s workforce prefer to work at home on a regular basis. Managers on business trips and sales representatives or service personnel also have to work outside of the company premises. In addition to this, many enterprises want or need to integrate customers or partners into their corporate networks in order to ensure even faster and better service performance. Secure Remote Access with HOB Your Competitive Advantage! The ability to securely, economically, and reliably access all of the most widely varying enterprise resources from diverse platforms and terminals is, now and in the future, a notto-be underestimated competitive advantage. HOB RD VPN: Work Where You Want, When You Want All You Need is a Browser! Turn this challenge to your advantage with HOB RD VPN! This innovative software solution enables fast and secure access to all your business data and applications. It delivers to you and your employees at the push of a button your Intranet, enterprise servers or office PC to your house, hotel or airport. And if your computer is turned off?- No problem: This HOB software lets you start it remotely! Worldwide Flexibility! The HOB RD VPN software solution is specially designed for secure remote access over TCP/IP networks, i.e., Internet, WiFi / WLAN or UMTS, to diverse resources in enterprise networks. This is a universal software-based solution for secure remote access from the corporate network all the way through to the front end. 3
It makes absolutely no difference whether your data and applications are on a Windows Terminal Server, virtualized windows systems, Unix/Linux servers, a traditional host, or even a personal computer. Depending on the configuration and the user s authorization level, you and your staff can access and edit files, exchange them with the target system and print them. And they can do this anywhere, just as if they were sitting in the office at their company PC! With HOB RD VPN you can also secure all communication over WLAN/WiFi or within the enterprise network. Technical Excellence! HOB RD VPN can be used to replace traditional, rather inflexible hardware appliance solutions with a flexible and quickly adaptable software appliance in light of increasing virtualization, this advantage is not to be underestimated! HOB has in HOB RD VPN a first-rate technical achievement: On standard mid-sized servers this solution has been tested successfully with 10,000 concurrent sessions. Excellent Cost Savings! One unique aspect of HOB RD VPN is that it only needs to be installed once on a central server in the enterprise network. Once this is done, any authorized user can use virtually any Internet-capable client machine (PC, Laptop, etc.) to access their data an Internet browser. Printing, with remote solutions often a source of aggravation, is no problem with HOB RD VPN. Users can simply print remotely-accessed files from their local printer, and with HOB s easy-print solution there is no need to have each individual printer s driver installed on the server. High administration costs and the necessity of constantly updating clients are now a thing of the past! Common Criteria Certified! HOB has merged the advantages of conventional SSL- and IPSec-VPN s and created a solution that fulfils the highest security and compliance requirements. This is done through encrypted connections and accepted authentication methods such as tokens, SmartCards and SSL client certificates. Furthermore, HOB RD VPN can be so configured that a connection to the enterprise network is only established after it has detected that the connecting terminal has active and up-to-date antivirus software. In light of this comprehensive security design, it is no wonder that HOB RD VPN has been certified in accordance with the Common Criteria by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik BSI). 4
HOB Remote Desktop VPN 1.4 HOB Remote Desktop Virtual Private Network Clients with Internet Access SSL HOB RD VPN 1.4 Mainframe Company PC Midrange Unix/Linux Virtualized Windows Windows Terminal Server Mac Mail Server Web Server Enterprise Network File Server 5
HOB RD VPN Key Components for Remote Access WTS Computing Access to Windows Terminal Servers Web File Access For remote access to file servers Web Server Gate For access to Web applications PPP Tunnel For remote access to the complete enterprise network Universal Client Enables remote access for locally installed third party applications Optional Products Desktop on Demand For remote access to personal workstation computers VDI Business Remote access to virtual Windows machines Legacy Access For remote access to all Host-based data and applications Enhanced Terminal Services Enhanced Load Balancing Enhanced Local Drive Mapping incl. Virus scanning, True Windows HOB SCS (Secure Communication Server) Hardened operating system with HOB RD VPN as a software appliance HOB X11 Gate Gateway for remote access to graphical systems under Unix/Linux MacGate For remote access to Apple Mac OS X 6
HOB Remote Desktop VPN 1.4 HOB RD VPN 1.4 Key Components for Secure Remote Access Advantages at a Glance Browser-based solution Neither software installation nor administrator rights are needed on the client Three authentication methods: User-ID/Password, Token, Client SSL certificate High security via an integrity-check on the client Centralized solution: Updates are only installed in the computer center WTS Computing Windows Terminal Server Access HOB WTS Computing is the solution for remotely accessing MS Windows Terminal Servers via a browser and the Internet. This platform-independent solution enables you to use the full range of Windows applications on the WTS, regardless of the software on the client computer. Web File Access File Access via Web Browser Regardless from which client platform access is being made: With this functionality, files can be exchanged with the enterprise network over a Web browser. Windows networks and SAMBA shares can be accessed. HOB Web Server Gate Intranet Access With HOB WSP Web-Server-Gate internal company Web servers and Web services can be securely accessible from outside over HTTPS. The company s internal Web servers are thus protected. The company s internal Web servers are thus protected. Access to these servers can only be granted after successful authentication with HOB RD VPN. All links on the Web pages (HTML or Javascript-generated links) are converted by the HOB WSP Web-Server-Gate automatically. The target filter integrated into the HOB WSP Web-Server-Gate allows users to access only those Web servers for which they are authorized. 7
HOB PPP Tunnel Access to the Corporate Network This HOB solution combines the advantages of IPSec VPN access with the simplicity of an SSL-VPN. The new procedure (patent pending) developed by HOB on the basis of the Point-to-Point-Protocol (PPP) enables complete network access over all protocols, such as TCP, UDP, and ICMP, to all resources in the internal network. No drivers nor any additional software need be installed on the client device in order to get this access. The PPP Tunnel is currently available for clients running Microsoft Windows Vista. Versions for Linux/Unix and Mac OS X clients are under development. Universal Client Access for Remotely Installed 3rd Party Applications HOB WebSecureProxy Universal Client (HOB WSP UC) is a gateway. It enables locally installed third party applications to exchange data securely (SSL-encrypted) over the Internet. The HOB WSP UC is Web-based, requires no administrator rights and can be installed locally. It is currently available in Java,.NET and in native Windows Mobile. Optional Products HOB Desktop-on-Demand Remote Access to Workstation PC s HOB Desktop-on-Demand stands for access to Windows XP / Vista workstations over the Internet the ideal solution for remote users wanting to access data and applications in the office, whether from a home office or anywhere else with an Internet connection. A computer equipped with Windows XP Pro/Vista can be accessed even if it is shut off. To do this, the PC s Wake-on-LAN function is called into action, enabling a remote booting. HOB VDI-Business Access to Virtual Windows Desktops HOB VDI provides the user with access to a virtualized remote Windows Desktop. The user can work with all applications installed on the virtual Windows machine. With the VDI technology, single-user operating systems such as Windows XP or Windows Vista do not run on the user s workstation, but in the computer center. There, the operating systems run as virtual machines in a server. Supported VMware guest systems include Windows XP and Windows Vista. 8
HOB Remote Desktop VPN 1.4 This solution also enables you to run applications that require enormous resources or that can t run on the WTS itself, for example, CAD applications. Differently as with the WTS, the user always has 100% of the virtual machine s capacity at his/her disposal. Legacy Access Dialog-Oriented/Host Application Access HOBLink J-Term, HOB s host/legacy application client, provides SSL-encrypted remote access to host or legacy applications. It supports the following protocols: 3270, 5250, VT, HP-700, Siemens 9750, Siemens 97801, SSH. Enhanced Terminal Services The HOB Enhanced Terminal Services, in short, HOB ETS, are a software component from HOB that enhance the Microsoft Terminal Server functionality with more granular configuration possibilities and features that Microsoft does not provide. HOB ETS consists of several modules that have to be installed on the terminal server in order to obtain these functions: True Windows Enhanced Load Balancing Enhanced Local Drive Mapping True Windows True Windows enables you to completely integrate remote applications into the client machine. The user sees no difference between locally installed applications and those residing on the Windows Terminal Server. Even the user-specific tray icons are displayed on the client machine. Session-sharing is supported, which spares resources by letting several server applications run in a single session. With the True Windows Application Manager all applications in a WTS farm can be displayed and, if desired, terminated just as with the Windows Task Manager. With Application Serving, when the user logs on to the Terminal Server a specific application is started automatically, so that only this application and not the entire Windows desktop is available to the user. Application Publishing enables you to publish individual applications, i.e., make them available to all users. Hereby, each Windows Terminal Server can be configured individually. 9
Enhanced Load Balancing The load balancing function included in the standard scope of delivery distributes the load evenly to all machines in a server farm. With the Enhanced Load Balancing component, the administrator can more finely distribute the load and set criteria with which the load is calculated, e.g., CPU and network load, swap activity and memory utilization, or the number of active sessions. Enhanced Local Drive Mapping With Local Drive Mapping, Terminal Server applications can access the client s local drives. Access can be made to local drives such as hard disks, memory cards, CD ROM drives, USB storage devices, etc. To protect the remote system from being contaminated by a virus from the client, HOB RD VPN also has an interface to a virus scanner. HOB SCS Unix-based Operating System HOB SCS (Secure Communications Server) is a hardened, stabile Linux operating system that can be used as the platform for HOB RD VPN. This is an easy and efficient way to ensure secure remote access via HOB RD VPN. HOB SCS uses tried and proven Open Source Technology. When used as a software appliance in conjunction with the HOB SCS platform, HOB RD VPN benefits from real advantages in security, stability, performance and scalability. HOB X11 Gate Gateway for Access to Graphical Unix/Linux Applications Up until now, X11-based applications could only be used remotely with restricted functionality and under considerable performance limitations. The HOB X11 Gate revolutionizes remote access to graphical Linux and Unix applications. The HOB X11 Gate, in connection with the Remote Desktop Protocol (RDP), enables full Web-based access over a lean protocol with maximum performance. HOB MacGate Access to Apple Mac OS X With the HOB MacGate users can easily and securely remotely access a Mac desktop, even over the Internet. This can be done over any Java-capable browser, even when the connection is started from a Windows PC. 10
HOB Remote Desktop VPN 1.4 Background Technology HOB WebSecureProxy The Central Server Component Advantages at a Glance Highly scalable Successfully tested with 10,000 concurrent sessions Interfaces to Radius and OCSP 11 platform-specific versions Security and Performance The HOB WebSecureProxy (WSP) is the core security component of the HOB RD VPN solution. It is installed on a server in the DMZ and enables the SSL-encrypted client-queries to the servers and applications inside the corporate network. All current encryption methods are supported, including AES with up to 256-bit key lengths. The HOB WSP has an integrated Web server, which provides HTML logon pages and the access software for the client machine (e.g. HOBLink JWT, see below) as a Java applet. Authentication is already carried out before the applet is loaded, further increasing security. The HOB WSP can be deployed on many platforms, is highly scalable and thus well-suited for small and large installations. Even in very large and comprehensive IT infrastructures only a few performant servers are required. This reduces the susceptibility to failure as compared to conventional SSL appliances and is also cost-effective. High Performance on Standard Hardware High performance is guaranteed even for very large numbers of users: Tests with up to 10,000 concurrent sessions on a mid-sized server have proven this. Supports Tokens for Authentication Additional security can be achieved through the use of authentication systems, so-called tokens. A system with RADIUS interfaces are supported, e.g., RSA SecurID, SafeWord PremierAccess and Vasco Digipass. 11
Supports Client-Side SSL Certificates, e.g., on SmartCards HOB RD VPN supports the use of client certificates that are read-out during the establishment of an SSL connection. Secure E-Mail on Mobile Devices The HOB WebSecureProxy can also be used to shield an e-mail server from direct access over the Internet. Communications between the e-mail client and the HOB WSP travel over POP3S, IMAPS and/or SMTPS. Central Administration via HOB Enterprise Access Administration With HOB Enterprise Access, the central user administration program, the administrator can centrally manage all user and configuration data. HOB Enterprise Access supports LDAP or uses this interface to access directory services such as Microsoft Active Directory. Only One TCP Port is Required All communications into the enterprise network can be directed over just one TCP port; usually the standard HTTPS port 443. Anti Split Tunneling With HOB Anti Split Tunneling, you can prevent a user from accessng unauthorized networks while working with HOB RD VPN. This greatly increases system security. Supports IPv6 The HOB WebSecureProxy supports connections with the client over IPv6. HOBLink JWT The Java RDP Client Advantages of HOBLink JWT at a Glance Browser-based access to Windows applications Connection of all clients, e.g., Windows, Linux, Unix, Apple Macintosh, NC s, handheld PC s, etc. No additional server components required (in the basic configuration) No software installation on the clients 12
HOB Remote Desktop VPN 1.4 Windows applications can be used on all platforms Optimal utilization of the existing network infrastructure Scalable solution for central installation and administration Access to local drives via Enhanced Local Drive Mapping Flexible functions for printing on all network printers as well as local printers HOBLink JWT is a Java-based RDP client, which provides platform-independent remote access from anywhere to applications centrally installed on Windows Terminal Servers (WTS). HOBLink JWT is installed on the Web server integrated in HOB RD VPN. No local installation of any HOB RD VPN component on the client machine is required. The first time a client machine accesses HOB RD VPN, the client s browser downloads the Java applet and starts the application. With this Java client people can use all the advantages of server-based computing for Windows applications. This innovative solution provides enterprises, specifically their IT administration, with numerous additional advantages in installation, administration, operability and security. Virtual Channel Support for Third Party Applications Virtual Channel Support enables 3rd party applications to communicate with the WTS over the RDP connection. Additionally, specific channels can be prioritized. Immediately Online Again! Client sessions that have been disconnected e.g., by the user or due to network problems can be re-established immediately. This can also be done when accessing a server farm. The user can continue working at the place where the session was disconnected. Universal Printer Support with EasyPrint In addition to the usual Terminal Services print functionalities, HOBLink JWT with EasyPrint delivers a definite added value. Regardless whether you want to print to local or network printers, you do not need to have the specific printer driver installed, nor is a manual intervention required. Advantage: There are no performance or stability problems on the server side and administrative work is greatly simplified. 13
Enhanced Local Drive Mapping Via the HOB Local Drive Mapping files can be copied from the client to the remote PC and vice versa. The Enhanced Local Drive Mapping ensures access to local drives such as hard disks, memory cards, CD ROM drives, USB storage devices, etc. To protect the remote system from being contaminated by a virus from the client, HOB RD VPN also has an interface to a virus scanner. Supports International Keyboard Layouts In addition to supporting US English keyboards, many other keyboard layouts are supported. The following languages/keyboard layouts are supported: US English, French, Dutch, Spanish, Portuguese and as new additions, Japanese and Chinese. Under Windows HOBLink JWT has a native keyboard support, i.e., independent of Java. Technical Details No HOB software need be installed on the WTS to get the connectivity functionalities (in the basic configuration) Dual monitor support Supports the protocols RDP 4 to RDP 6 Flexible printer functions for local and network printing Supports wheelmouse use (w. non-windows clients, only from Java 1.4 up) Client-connection over LAN and WAN, Dial-up, ISDN, xdsl, UMTS, VPN possible Copy and Paste between client and server Keypad for the definition of Windows hotkeys Automatic reconnect after a disconnected session Application Serving: direct connection to an application Virtual Channel Support Automatic version control (Smart Update) Java Web Start Full Screen Mode Session Shadowing: Administrator can monitor all current client sessions Supports Microsoft encryption with key lengths of up to 256 bits SmartCard Redirection supports logging in to WTS Clients can be pre-configured with IP addresses, server names and other connection settings Configurable RAM- and hard-disk-cache XML-based storage of configuration data The following features require optional components: 14
HOB Remote Desktop VPN 1.4 Access to local drives via Enhanced Local Drive Mapping (under Windows 2000 Server or Windows Server 2003/2008) True Windows Application Publishing Enhanced Load Balancing The following features are possible under Microsoft Windows Server 2003/2008: Configurable color depth: 8-, 15-, 16-, 24- or 32-bit Streaming support Local Port Mapping: locale COM and LPT ports Product Assortment HOB RD VPN is also available ain a compact version. In HOB RD VPN Compact, HOB provides a product that is especially well-suited for smaller installations. Enterprise Access is not a part of this the configuration data and user credentials are stored in the WebSecureProxy s XML configuration file. Another product variant is HOB RD VPN NetAccess. Usually, SSL VPN solutions are much more expensive to purchase than IPsec VPNs. SSL VPNs more than compensate for this disadvantage with cost-savings in operation. HOB RD VPN 1.4 NetAccess, however, is available at a price similar to that of IPsec VPNs. Thus, companies that deploy HOB RD VPN 1.4 NetAccess profit greatly from this solution s lower total cost. HOB RD VPN 1.4 NetAccess has the full performance of IPsec VPNs, but contains no drivers and is much easier to install, maintain and use. System Requirements The HOB WebSecureProxy is available for: Windows (x86, EM64T, Itanium) Sun Solaris (Sparc, x86-em64t) IBM AIX HP-UX (Itanium) Linux (x86, EM64T, Itanium) Any Clients On the client side any browser with full Java support (1.4.2 or higher) can be used. 15
Things To Come User Roles The user receives privileges that are dependent on certain conditions. Example: If the client s virus definitions are out of date, the user can only obtain access to specific applcations. Support for Complex Networks The administrator can define realms for Kerberos/LDAP, so that complex networks,e.g., in which there are several Active Directory Domains, are supported. High Availability Through Clustering To increase fail-safety, several HOB WebSecureProxies can be grouped into a cluster. Every active session is known to each WSP, so that in the event that one should fail, smooth continued operation is still ensured. To the remote user the cluster appears as a single object. HOBPhone This Java-based SIP client enables the user to call into the enterprise telephone central using a Voice-over-IP connection. 16
HOB Remote Desktop VPN 1.4 Company Profile HOB GmbH & Co. KG is a mid-sized German software enterprise that develops and markets innovative network solutions worldwide. The core competencies of this successful company, founded in 1964, comprise serverbased computing, secure remote access as well as VoIP and virtualization solutions, which are deployed in small-, mid- and large-scale enterprises. Products are certified by the German BSI (Bundesamt für Sicherheit in der Informationstechnik = German Federal Office for Information security) in acc. w. the Common Criteria. HOB currently employs in its central offices in Cadolzburg, Germany and in its branch offices approx. 120 people, half of them in the development departments. HOB has branch offices in France, Malta, the Netherlands, the USA and Mexico. Contact Information HOB GmbH & Co. KG Schwadermuehlstr. 3 90556 Cadolzburg Phone +49 9103 715 0 Telefax +49 9103 715 271 E-mail marketing@hobsoft.com support@hobsoft.com Phone hotline +49 9103 715 161 Fax hotline +49 9103 715 299 Branch offices abroad Eindhoven, Malta, New York, Paris, Vienna Visit us on the World Wide Web: http://www.hob.de http://www.hobsoft.com HOB Inc. NY Headquarters 245 Saw Mill River Road Suite # 106 Hawthorne, NY 10532 USA E-mail sales@hobsoft.com support@hobsoft.com Phone (Toll free) (866) 914-9970 Phone (646) 465-7650 Fax (646) 437-3448 Information in this document is subject to change without notice. HOB is not liable for any omissions or errors which may be contained in this document. Product information contained herein is from Sept. 2010. Any trademarks in this document are the property of their owners. 17