Sabre VPN 2.0

The Sabre VPN (SVPN) solution allows Sabre customers to connect directly to OFEP and NOFEP (HSSP) front ends over the Internet, using a secured Virtual Private Network connection. The SVPN solution provides MySabre customers with fast, persistent connections to Sabre, eliminating the slower polling methods normally used with Portal connections.

The SVPN client is a Java Web Start application and comprises the following modules:

VPN Client Module
Starts and manages all other modules associated with the SVPN solution. It can be started in any of the following ways:
o MySabre will launch the client automatically if it is not already running and will use the same credentials as the MySabre portal.
o Manually from the Sabre VPN icon located on the desktop. Requires a separate or multiple authentications from the agent when used with MySabre.
o Automatically if placed in the Startup group. Requires a separate or multiple authentications from the agent when used with MySabre.

GUI Module
Represented by the VPN icon located in the System Tray. Responsible for providing the agent with the status of the SVPN connections; also provides configuration options including Proxy Servers, Logging, and Ports for the GUI.

VPN Authentication Module
Responsible for posting the agent's credentials to the Nortel 3050 gateways. The credentials are posted using HTTPS, with the Java Secure Socket Extensions (JSSE) library handling the HTTPS communications with the VPN servers.

Port Forwarder Module
Responsible for retrieving the VPN client configuration information from the VPN servers, for setting up the TCP listeners, and for handling the TCP traffic between the client and the VPN servers.

Logging Module
Responsible for providing status to the GUI and logging information to a log file for troubleshooting purposes.

Sun JVM requirements for the SVPN solution are:

JRE 1.3.1 for Windows 95 and Italian operating systems.
o Java Secure Socket Extensions (JSSE) and Java Web Start (JWS) must be installed separately.
o Windows 9X also requires a separate registry patch supplied by Sabre.
o Windows XP SP2 requires Microsoft patch KB884020.

JRE 1.4.2_06 for Windows 98 and above. This is the Sabre-preferred JRE that is currently deployed with MySabre. JRE 5.0 has been certified by Sabre for MySabre but is not being deployed at this time.
o Windows 9X also requires a separate registry patch supplied by Sabre.
o Windows XP SP2 requires Microsoft patch KB884020.

Brief overview of operation:

The Sabre VPN (SVPN) solution is a Java Web Start application that provides a VPN tunnel to Sabre through port 443. This tunnel allows Sabre applications such as MySabre, Turbo Sabre, and the Sabre Print Module to connect to Sabre resources via a SOCKS connection on port 443.

When the agent starts the SVPN client:

Note: MySabre will start the client automatically if configured to use the Sabre Virtual Private Network protocol.

1. The client will check for updated JNLP and Jar files from the https://sabrevpn.sabre.com servers.
   Note: Both http (port 80) and https (port 443) requests are made to https://sabrevpn.sabre.com
   Note: The Jar files are maintained in the JRE cache, while the JNLP files are maintained in the Java Web Start cache.
2. The client will launch the Port Forwarder module.
3. The Port Forwarder updates the LMHOST/HOST files with the necessary information from the VPN servers to resolve Sabre resources through the Local Host addresses.
   Note: The LMHOST/HOST files map the following resources to the Local Host(s):
   o config.sea.eds.com LDAP server on port 389
   o hsspconfig.sabre.com LDAP server on port 389
   o lb1.dcs.amrcorp.com on port 12001
   o lb2.dcs.amrcorp.com on port 12002
   o res.sabre.com on ports 30030, 30031, 30032, 30051
   o access.sabre.com on ports 30030, 30031, 30032, 30051
   o ofepxx.dcs.amrorp.com (xx = 01 through 35) on ports 13001 through 13005 and 12001
   Note: All ports mentioned above are TCP and bi-directional.
4. The tunnel is created.
5. A request for a Sabre resource (LNIATA) is made from MySabre, Turbo Sabre, or the Sabre Print Module.
6. The request for either access.sabre.com or lb1.dcs.amrcorp.com is resolved at the Local Host via the LMHOST/HOST files.
7. The LMHOST/HOST files will be responsible for the name resolution of Sabre resources, and the Port Forwarder will be responsible for transmitting those requests across port 443 to the VPN servers.
8. All Sabre traffic (emulator and printing) will be managed by the Port Forwarder applet through a socket connection on port 443.
   Note: This is a SOCKS request and not an HTTPS request.
9. The SSL VPN servers will then forward the request to the resource required and return the response through the VPN tunnel on port 443 to the requesting application.

Other considerations for implementing the SSL VPN solution:

The installs.sabre.com and the sabrevpn.sabre.com web servers will perform initial installation of the SSL VPN solution.

Sun JRE 1.4.2_06 is the current JVM supported by Sabre.
o Has been tested with Sun JRE 1.5.
o Windows 95 or Italian agencies using Sun JRE 1.3.X are required to install the Java Web Start platform and will be prompted to do so.

Sabre agents will be required to have the necessary rights to the LMHOST and Host files so that the Port Forwarder applet will be able to append to those files.

The Sabre resources will use the local host addresses 127.0.0.1 and above.

Windows XP utilizing SP2 will require Windows Update KB884020 to use the addresses above 127.0.0.1.

Windows 98 will require a registry patch, found on the my.sabre.com web site installation pages, to adjust the number of TCP connections. The Windows default is 100 or 256, and the patch will add a registry key and increase it to 1536.

Sessions currently will time out after 75 minutes of inactivity.
o The VPN client will attempt to re-establish a session automatically, but if unable to do so will prompt the user for authentication.
o Subject to change based on operational needs and server(s) capacity.
o Devices configured in SPM have a heartbeat connection when configured for OFEP and will retain a tunnel for longer periods of time until the heartbeat is interrupted.

Each workstation or user should use their own Sabre sine-in for authenticating the SVPN client to the VPN servers.
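
Because the Port Forwarder appends to the LMHOST/HOST files and agents need write access to them, the resulting mappings are worth reviewing. The following added example (not Sabre's code) parses hosts-file text and reports names mapped to 127.0.0.0/8 that are not in the resource list from step 3, and listed Sabre names that point anywhere other than loopback; the function name, the allowlist structure and the sample file are assumptions made for illustration.

```python
import ipaddress
import re

# Names the page lists as mapped to local host addresses (step 3).
EXPECTED = {
    "config.sea.eds.com", "hsspconfig.sabre.com", "lb1.dcs.amrcorp.com",
    "lb2.dcs.amrcorp.com", "res.sabre.com", "access.sabre.com",
}
# ofepxx hosts, xx = 01 through 35; domain spelled as it appears on the page.
OFEP = re.compile(r"ofep(0[1-9]|[12][0-9]|3[0-5])\.dcs\.amrorp\.com")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def audit_hosts(text):
    """Return (unexpected_loopback, expected_off_loopback) findings."""
    unexpected, off_loopback = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and #PRE tags
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        is_loop = addr.version == 4 and addr in LOOPBACK
        for name in (n.lower() for n in fields[1:]):
            known = name in EXPECTED or OFEP.fullmatch(name) is not None
            if is_loop and not known and name != "localhost":
                unexpected.append((lineno, name, str(addr)))
            elif known and not is_loop:
                off_loopback.append((lineno, name, str(addr)))
    return unexpected, off_loopback


# Constructed sample, not a capture from a real workstation.
SAMPLE = """\
127.0.0.1   localhost
127.0.0.2   access.sabre.com      # added by port forwarder
127.0.0.3   lb1.dcs.amrcorp.com
127.0.0.4   ofep07.dcs.amrorp.com
127.0.0.9   updates.example.test  # not a Sabre resource
203.0.113.5 res.sabre.com         # would bypass the tunnel
"""

if __name__ == "__main__":
    kinds = ("unexpected loopback mapping", "Sabre name off loopback")
    for kind, rows in zip(kinds, audit_hosts(SAMPLE)):
        for lineno, name, addr in rows:
            print(f"line {lineno}: {kind}: {name} -> {addr}")
```

A Sabre name resolving off loopback means that application's traffic would not pass through the Port Forwarder's listener at all.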

[Diagram: request path from the application to Sabre]

Sabre VPN Client GUI

Application: The application makes a request to Sabre as normal. Example: access.sabre.com on port 30031.

WS TCP/IP Local Host: The Local Host resolves access.sabre.com to 127.0.0.1. Mappings were provided by the SSL VPN gateways to the LMHOST/HOST.

Port Forwarder: The Port Forwarder listens on the Local Host for Sabre traffic and sends it to Sabre on port 443 using a Secure Socket Layer connection. Status of the Port Forwarder is provided to the SVPN GUI located in the System Tray.

WWW: Using port 443 does not imply an HTTP connection. The Port Forwarder uses a Socket connection on port 443 to the SSL VPN gateway.

Sabre Infrastructure, SSL VPN Gateway: The SSL VPN Gateway forwards the request for access.sabre.com on port 30031 to the Sabre resource.

Sabre

Additional Notes for Proxy Servers:

Note: Sabre VPN does not work with NTLM proxy servers. Currently working with Nortel Networks on a resolution.

Since SVPN is a Java Web Start application and makes both HTTPS and SOCKS connections, there are a couple of considerations when using the SVPN with a proxy server.

The SVPN Client provides a proxy configuration utility from the VPN icon located in the System Tray. Proxy settings can also be applied in the Java Web Start application, but the SVPN settings will take precedence over these settings.

Java Web Start also offers the ability to use the browser settings, but since the SVPN also makes SOCKS connections, this would have to be used in conjunction with the SVPN Proxy Configuration settings. Sabre recommends that None be selected in the Java Web Start properties and that the proxy settings provided by the SVPN client be used.

Both the MySabre Emulator and the Sabre VPN solutions are Java-based applications, and considerations must be made to allow the Java applications, and not just Internet Explorer, to communicate through proxy or firewall servers.