Secure Business Connectivity
HOB RD VPN 1.4 Central Data and Applications on Demand Flexible, Secure, Cost-Effective
Edition 10/11
HOB RD VPN 1.4 – Central Data and Applications on Demand Flexible, Secure, Cost-Effective
  Secure Remote Access – Why?
  Secure Remote Access with HOB – Your Competitive Advantage!
  HOB RD VPN: Work Where You Want, When You Want – All You Need is a Browser!
  Worldwide Flexibility!
  Technical Excellence!
  Excellent Cost Savings!
  Common Criteria Certified!
HOB RD VPN 1.4 – Key Components for Secure Remote Access
  Advantages at a Glance
  WTS Computing – Windows Terminal Server Access
  Web File Access – File Access via Web Browser
  HOB Web Server Gate – Intranet Access
  HOB PPP Tunnel – Access to the Corporate Network
  Universal Client – Access for Remotely Installed 3rd Party Applications
Optional Products
  HOB Desktop-on-Demand – Remote Access to Workstation PC’s
  HOB VDI-Business – Access to Virtual Windows Desktops
  Legacy Access – Dialog-Oriented/Host Application Access
  Enhanced Terminal Services
  True Windows
  Enhanced Load Balancing
  Enhanced Local Drive Mapping
  HOB SCS – Unix-based Operating System
  HOB X11 Gate – Gateway for Access to Graphical Unix/Linux Applications
  HOB MacGate – Access to Apple Mac OS X
Background Technology
  HOB WebSecureProxy – The Central Server Component
    Advantages at a Glance
    Security and Performance
    High Performance on Standard Hardware
    Supports Tokens for Authentication
    Supports Client-Side SSL Certificates, e.g., on SmartCards
    Secure E-Mail on Mobile Devices
    Central Administration via HOB Enterprise Access Administration
    Only One TCP Port is Required
    Anti Split Tunneling
    Supports IPv6
  HOBLink JWT – The Java RDP Client
    Advantages of HOBLink JWT at a Glance
    Virtual Channel Support for Third Party Applications
    Immediately Online Again!
    Universal Printer Support with EasyPrint
    Enhanced Local Drive Mapping
    Supports International Keyboard Layouts
    Technical Details
  Product Assortment
  System Requirements
  Things To Come
Company Profile
Contact Information
HOB Remote Desktop VPN 1.4
HOB RD VPN 1.4 – Central Data and Applications on Demand Flexible, Secure, Cost-Effective
Secure Remote Access – Why?
Today’s enterprises are facing a bigger challenge than ever before: Highest possible efficiency in all areas. In the area of IT, this is done primarily through the implementation of two measures: Centralization of the applications while at the same time de-centralizing the workstations. Especially the supplementation or even partial replacement of traditional office workplaces with home offices helps not only the enterprise, but also accommodates the workforce: According to a recent survey, around two-thirds of a country’s workforce prefer to work at home on a regular basis. Managers on business trips and sales representatives or service personnel also have to work outside of the company premises. In addition to this, many enterprises want or need to integrate customers or partners into their corporate networks in order to ensure even faster and better service performance.
Secure Remote Access with HOB – Your Competitive Advantage!
The ability to securely, economically, and reliably access all of the most widely varying enterprise resources from diverse platforms and terminals is, now and in the future, a not-to-be-underestimated competitive advantage.
HOB RD VPN: Work Where You Want, When You Want – All You Need is a Browser!
Turn this challenge to your advantage – with HOB RD VPN! This innovative software solution enables fast and secure access to all your business data and applications. It delivers to you and your employees – at the push of a button – your Intranet, enterprise servers or office PC to your house, hotel or airport. And if your computer is turned off? No problem: This HOB software lets you start it remotely!
Worldwide Flexibility!
The HOB RD VPN software solution is specially designed for secure remote access over TCP/IP networks, i.e., Internet, WiFi / WLAN or UMTS, to diverse resources in enterprise networks. This is a universal software-based solution for secure remote access from the corporate network all the way through to the front end. It makes absolutely no difference whether your data and applications are on a Windows Terminal Server, virtualized Windows systems, Unix/Linux servers, a traditional host, or even a personal computer. Depending on the configuration and the user’s authorization level, you and your staff can access and edit files, exchange them with the target system and print them. And they can do this anywhere, just as if they were sitting in the office at their company PC! With HOB RD VPN you can also secure all communication over WLAN/WiFi or within the enterprise network.
Technical Excellence!
HOB RD VPN can be used to replace traditional, rather inflexible hardware appliance solutions with a flexible and quickly adaptable “software appliance” – in light of increasing virtualization, this advantage is not to be underestimated! HOB has in HOB RD VPN a first-rate technical achievement: On standard mid-sized servers this solution has been tested successfully with 10,000 concurrent sessions.
Excellent Cost Savings!
One unique aspect of HOB RD VPN is that it only needs to be installed once on a central server in the enterprise network. Once this is done, any authorized user can use virtually any Internet-capable client machine (PC, Laptop, etc.) to access their data via an Internet browser. Printing, with remote solutions often a source of aggravation, is no problem with HOB RD VPN. Users can simply print remotely-accessed files from their local printer. There is no need to have each individual printer’s driver installed on the server. High administration costs and the necessity of constantly updating clients are now a thing of the past!
Common Criteria Certified!
HOB has merged the advantages of conventional SSL- and IPSec-VPN’s and created a solution that fulfils the highest security and compliance requirements. This is done through encrypted connections and accepted authentication methods such as tokens, SmartCards (also via PKCS#11) and SSL client certificates. Furthermore, HOB RD VPN can be so configured that a connection to the enterprise network is only established after it has detected that the connecting terminal has active and up-to-date antivirus software. In light of this comprehensive security design, it is no wonder that HOB RD VPN has been certified in accordance with the Common Criteria by the German Federal Office for Information Security (BSI Certificate BSI-DSZ-CC-0260-2004).
HOB RD VPN – Key Components for Remote Access
• WTS Computing: Access to Windows Terminal Servers
• Web File Access: For remote access to file servers
• Web Server Gate: For access to Web applications
• PPP Tunnel: For remote access to the complete enterprise network
• Universal Client: Enables remote access for locally installed “third party applications”
[Figure: HOB Remote Desktop Virtual Private Network. Labels: Clients with Internet Access; SSL; HOB RD VPN 1.4; Enterprise Network (Mainframe, Company PC, Midrange, Unix/Linux, Virtualized Windows, Windows Terminal Server, Mac, Mail Server, Web Server, File Server)]
Optional Products
• Desktop on Demand: For remote access to personal workstation computers
• VDI Business: Remote access to virtual Windows machines
• Legacy Access: For remote access to all Host-based data and applications
• Enhanced Terminal Services: Enhanced Load Balancing, Enhanced Local Drive Mapping incl. virus scanning, True Windows
• HOB SCS (Secure Communication Server): Hardened operating system with HOB RD VPN as a software appliance
• HOB X11 Gate: Gateway for remote access to graphical systems under Unix/Linux
• MacGate: For remote access to Apple Mac OS X
HOB RD VPN 1.4 – Key Components for Secure Remote Access
Advantages at a Glance
• Browser-based solution
• Neither software installation nor administrator rights are needed on the client
• Three authentication methods: User-ID/Password, Token, Client SSL certificate
• High security via an integrity-check on the client
• Centralized solution: Updates are only installed in the computer center
WTS Computing – Windows Terminal Server Access
HOB WTS Computing is the solution for remotely accessing Microsoft Remote Desktop Services (RDS) via a browser and the Internet. This platform-independent solution enables you to use the full range of Windows applications on the RDS server, regardless of the software on the client computer.
Web File Access – File Access via Web Browser
Regardless of the client platform from which access is made, this functionality lets files be exchanged with the enterprise network over a Web browser. Windows networks and SAMBA shares can be accessed.
HOB Web Server Gate – Intranet Access
With HOB Web-Server-Gate (WSG), internal company Web servers and Web services can be made securely accessible from outside over HTTPS. The company’s internal Web servers are thus protected. Access to these servers can only be granted after successful authentication with HOB RD VPN. All links on the Web pages (HTML or JavaScript-generated links) are converted by the HOB WSP Web-Server-Gate automatically. The target filter integrated into the HOB WSP Web-Server-Gate allows users to access only those Web servers for which they are authorized. To increase security, caching data in the browser cache can be blocked.
HOB PPP Tunnel – Access to the Corporate Network
This HOB solution combines the advantages of IPSec VPN access with the simplicity of an SSL-VPN. The new procedure (patent pending) developed by HOB on the basis of the Point-to-Point-Protocol (PPP) enables complete network access over all protocols, such as TCP, UDP, and ICMP, to all resources in the internal network. No drivers nor any additional software need be installed on the client device in order to get this access. The PPP Tunnel is currently available for clients running Microsoft Windows Vista, Windows 7, Linux/Unix, Mac OS X, FreeBSD and Solaris.
Universal Client – Access for Remotely Installed 3rd Party Applications
HOB WebSecureProxy Universal Client (HOB WSP UC) is a gateway. It enables locally installed third party applications, e.g., SAP-GUI, to exchange data securely (SSL-encrypted) over the Internet. It is currently available in Java and .NET technology.
Optional Products
HOB Desktop-on-Demand – Remote Access to Workstation PC’s
HOB Desktop-on-Demand stands for access to Windows XP/Vista/Windows 7 workstations over the Internet – the ideal solution for remote users wanting to access data and applications in the office, whether from a home office or anywhere else with an Internet connection. A computer can even be accessed if it is shut off. To do this, the Windows PC’s “Wake-on-LAN” function is called into action, enabling a remote booting.
HOB VDI-Business – Access to Virtual Windows Desktops
HOB VDI provides the user with access to a virtualized remote Windows Desktop. The user can work with all applications installed on the virtual Windows machine. If a connection is inadvertently interrupted, the OS remains for a specified time in a “disconnected” state and when the connection is re-established, the user is returned to the same session. Supported VMware guest systems include Windows XP, Windows Vista and Windows 7. This solution also enables you to run applications that require enormous resources or that can’t run on the WTS itself, for example, CAD applications. Unlike with the WTS, the user always has 100% of the virtual machine’s capacity at his/her disposal.
Legacy Access – Dialog-Oriented/Host Application Access
As an option, HOB RD VPN 1.4 provides SSL-encrypted remote access to host or “legacy” applications. It supports the following protocols: 3270, 5250, VT, HP-700, Siemens 9750, Siemens 97801, SSH.
Enhanced Terminal Services
The HOB Enhanced Terminal Services, in short, HOB ETS, are a software component from HOB that enhances the Microsoft Terminal Server functionality with more granular configuration possibilities and features that Microsoft does not provide. HOB ETS consists of several modules that have to be installed on the terminal server in order to obtain these functions:
• True Windows
• Enhanced Load Balancing
• Enhanced Local Drive Mapping
True Windows
True Windows enables you to completely integrate remote applications into the client machine. The user sees no difference between locally installed applications and those residing on the Windows Terminal Server. Even the user-specific tray icons are displayed on the client machine. Session-sharing is supported, which spares resources by letting several server applications run in a single session. With the True Windows Application Manager all applications in a WTS farm can be displayed and, if desired, terminated – just as with the Windows Task Manager. With Application Serving, when the user logs on to the Terminal Server a specific application is started automatically, so that only this application and not the entire Windows desktop is available to the user. Application Publishing enables you to “publish” individual applications, i.e., make them available to all users. Hereby, each Windows Terminal Server can be configured individually.
Enhanced Load Balancing
The load balancing function included in the standard scope of delivery distributes the load evenly to all machines in a server farm. With the “Enhanced Load Balancing” component, the administrator can more finely distribute the load and set criteria with which the load is calculated, e.g., CPU and network load, swap activity and memory utilization, or the number of active sessions.
Enhanced Local Drive Mapping
With Local Drive Mapping, Terminal Server applications can access the client’s local drives. Access can be made to local drives such as hard disks, memory cards, CD ROM drives, USB storage devices, etc. To protect the remote system from being contaminated by a virus from the client, HOB RD VPN also has an interface to a virus scanner.
HOB SCS – Unix-based Operating System
HOB SCS (Secure Communications Server) is a hardened, stable Unix-based operating system using tried and proven Open Source Technology. When used as the platform for HOB RD VPN, HOB SCS is a full-fledged software appliance. Installation, maintenance and administration are minimal. When used as a software appliance in conjunction with the HOB SCS platform, HOB RD VPN benefits from real advantages in security, stability, performance and scalability.
HOB X11 Gate – Gateway for Access to Graphical Unix/Linux Applications
Up until now, X11-based applications could only be used remotely with restricted functionality and under considerable performance limitations. The HOB X11 Gate revolutionizes remote access to graphical Linux and Unix applications. The HOB X11 Gate, in connection with the Remote Desktop Protocol (RDP), enables full Web-based access over a lean protocol with maximum performance.
HOB MacGate – Access to Apple Mac OS X
With the HOB MacGate users can easily and securely remotely access a Mac desktop, even over the Internet. This can be done over any Java-capable browser, even when the connection is started from a Windows PC.
Background Technology
HOB WebSecureProxy – The Central Server Component
Advantages at a Glance
• Highly scalable
• Successfully tested with 10,000 concurrent sessions
• Interfaces to RADIUS and OCSP
• 10 platform-specific versions
Security and Performance
The HOB WebSecureProxy (WSP) is the core security component of the HOB RD VPN solution. It is installed on a server in the DMZ and enables SSL-encrypted client queries to the servers and applications inside the corporate network. All current encryption methods are supported, including AES with up to 256-bit key lengths. The HOB WSP has an integrated Web server, which provides HTML logon pages and the access software for the client machine (e.g. HOBLink JWT, see below) as a Java applet. Authentication is already carried out before the applet is loaded, further increasing security. The HOB WSP can be deployed on many platforms, is highly scalable and thus well-suited for small and large installations. Even in very large and comprehensive IT infrastructures only a few high-performance servers are required. This reduces the susceptibility to failure as compared to conventional SSL appliances and is also cost-effective.
High Performance on Standard Hardware
High performance is guaranteed even for very large numbers of users: Tests with up to 10,000 concurrent sessions on a mid-sized server have proven this.
Supports Tokens for Authentication
Additional security can be achieved through the use of authentication systems, so-called tokens. Systems with RADIUS interfaces are supported, e.g., RSA SecurID, SafeWord PremierAccess and Vasco Digipass.
Supports Client-Side SSL Certificates, e.g., on SmartCards
HOB RD VPN supports the use of client certificates that are read out during the establishment of an SSL connection.
Secure E-Mail on Mobile Devices
The HOB WebSecureProxy can also be used to shield an e-mail server from direct access over the Internet. Communications between the e-mail client and the HOB WSP travel over POP3S, IMAPS and/or SMTPS.
Central Administration via HOB Enterprise Access Administration
With HOB Enterprise Access, the central user administration program, the administrator can centrally manage all user and configuration data. HOB Enterprise Access supports LDAP or uses this interface to access directory services such as Microsoft Active Directory or OpenDS.
Only One TCP Port is Required
All communications into the enterprise network can be directed over just one TCP port; usually the standard HTTPS port 443.
Anti Split Tunneling
With HOB Anti Split Tunneling, you can prevent a user from accessing unauthorized networks while working with HOB RD VPN. This greatly increases system security.
Supports IPv6
The HOB WebSecureProxy supports connections with the client over IPv6.
HOBLink JWT – The Java RDP Client
Advantages of HOBLink JWT at a Glance
• Browser-based access to Windows applications
• Connection of all clients, e.g., Windows, Linux, Unix, Apple Macintosh, NC’s, handheld PC’s, etc.
• No additional server components required (in the basic configuration)
• No software installation on the clients
• Windows applications can be used on all platforms
• Optimal utilization of the existing network infrastructure
• Scalable solution for central installation and administration
• Access to local drives via Enhanced Local Drive Mapping
• Flexible functions for printing on all network printers as well as local printers

HOBLink JWT is a Java-based RDP client, which provides platform-independent remote access from anywhere to applications via Remote Desktop Services. HOBLink JWT is installed on the Web server integrated in HOB RD VPN. No local installation of any HOB remote client system on the client machine is required. The first time a client machine makes access, the client’s browser downloads the Java applet and starts the application. With this RDP client people can use all the advantages of server-based computing for Windows applications. This innovative solution provides enterprises, specifically their IT administration, with numerous additional advantages in installation, administration, operability and security.
Virtual Channel Support for Third Party Applications
Virtual Channel Support enables 3rd party applications to communicate with the WTS over the RDP connection. Additionally, specific channels can be prioritized.
Immediately Online Again!
Client sessions that have been disconnected – e.g., by the user or due to network problems – can be re-established immediately. This can also be done when accessing a server farm. The user can continue working at the place where the session was disconnected.
Universal Printer Support with EasyPrint
In addition to the usual Terminal Services print functionalities, HOBLink JWT with EasyPrint delivers a definite added value. Regardless of whether you want to print to local or network printers, you do not need to have the specific printer driver installed, nor is a manual intervention required. Advantage: There are no performance or stability problems on the server side and administrative work is greatly simplified.
Enhanced Local Drive Mapping
Via the HOB Local Drive Mapping the WTS can access files on the client. The “Enhanced Local Drive Mapping” ensures access to local drives such as hard disks, memory cards, CD ROM drives, USB storage devices, etc. To protect the remote system from being contaminated by a virus from the client, HOB RD VPN also has an interface to a virus scanner.
Supports International Keyboard Layouts
In addition to supporting US English keyboards, many other keyboard layouts are supported. The following languages/keyboard layouts are supported: US English, French, Dutch, Spanish, Portuguese and as new additions, Japanese and Chinese. Under Windows HOBLink JWT has native keyboard support, i.e., independent of Java.
Strong Performance with RDP
RDP is the leading industry standard for the transmission of graphical user interfaces. RDP is very powerful and offers a multitude of useful functions. In a large-scale benchmark test, none of the many other protocols being tested against the latest version of RDP were superior or even comparable in functionality or performance. In realistic benchmark tests between RDP and VNC protocol (RFB – Remote Framebuffer Protocol), VNC exchanged seven times the amount of data. Also the comparison of RDP to the proven X-Protocol (X11, MIT) delivered results of a similar magnitude. The comparison of the exchanged data volume corresponds approximately to the ratio of the response times, i.e., the amount of time the user waits, e.g., for the image to be refreshed.
Technical Details
• No HOB software need be installed on the WTS to get the connectivity functionalities (in the basic configuration)
• Dual monitor support
• Supports the protocols RDP 4 to RDP 7
• Flexible printer functions for local and network printing
• Supports wheelmouse use (with non-Windows clients, only from Java 1.4 up)
• Client-connection over LAN and WAN, Dial-up, ISDN, xDSL, UMTS, VPN possible
• “Copy and Paste” between client and server
• Keypad for the definition of Windows hotkeys
• Access to locally connected devices (e.g., scanners) via TWAIN ports
• Automatic reconnect after a disconnected session
• Application Serving: direct connection to an application
• Virtual Channel Support
• Automatic version control (Smart Update)
• Java Web Start
• Full Screen Mode
• Session Shadowing: Administrator can monitor all current client sessions
• Supports Microsoft encryption with key lengths of up to 128 bits
• SmartCard Redirection supports logging in to WTS
• Clients can be pre-configured with IP addresses, server names and other connection settings
• Configurable RAM- and hard-disk-cache
• XML-based storage of configuration data

The following features require optional components:
• Access to local drives via “Enhanced Local Drive Mapping” (under Windows 2000 Server or Windows Server 2003/2008/2008 R2)
• True Windows
• Application Publishing
• Enhanced Load Balancing

The following features are possible under Microsoft Windows Server 2003/2008/2008 R2:
• Configurable color depth: 8-, 15-, 16-, 24- or 32-bit
• Streaming support
• Local Port Mapping: local COM and LPT ports
Product Assortment
HOB RD VPN is also available in a compact version. In HOB RD VPN Compact, HOB provides a product that is especially well-suited for smaller installations. Enterprise Access is not a part of this – the configuration data and user credentials are stored in the WebSecureProxy’s XML configuration file.
Another product variant is HOB RD VPN NetAccess. Usually, SSL VPN solutions are much more expensive to purchase than IPsec VPNs. SSL VPNs more than compensate for this disadvantage with cost-savings in operation. HOB RD VPN 1.4 NetAccess, however, is available at a price similar to that of IPsec VPNs. Thus, companies that deploy HOB RD VPN 1.4 NetAccess profit greatly from this solution’s lower total cost. HOB RD VPN 1.4 NetAccess has the full performance of IPsec VPNs, but contains no drivers and is much easier to install, maintain and use.
System Requirements
The HOB WebSecureProxy is available for:
• Windows (x86, EM64T, Itanium)
• Sun Solaris (Sparc, x86-EM64T)
• IBM AIX
• HP-UX (Itanium)
• Linux (x86, EM64T, Itanium)
Any Clients
On the client side any browser with full Java support (1.4.2 or higher) can be used.
Things To Come
User Roles
The user receives privileges that are dependent on certain conditions. Example: If the client’s virus definitions are out of date, the user can only obtain access to specific applications.
Support for Complex Networks
The administrator can define realms for Kerberos/LDAP, so that complex networks, e.g., in which there are several Active Directory Domains, are supported.
High Availability Through Clustering
To increase fail-safety, several HOB WebSecureProxies can be grouped into a cluster. Every active session is known to each WSP, so that in the event that one should fail, smooth continued operation is still ensured. To the remote user the cluster appears as a single object.
HOBPhone
This Java-based SIP client enables the user to call into the enterprise telephone central using a Voice-over-IP connection.
Company Profile
HOB GmbH & Co. KG is a German medium-sized company, developing innovative software solutions that are marketed worldwide. The core competencies of HOB, founded in 1964, comprise server-based computing, secure remote access, VoIP and virtualization. HOB products are deployed in small, midsized and large enterprises. HOB remote access solutions received the quality mark “IT Security Made in Germany” from the German Federation for IT Security “TeleTrust.” HOB currently employs about 120 employees in its headquarters in Cadolzburg and its branch offices. More than half of these employees work in the development department. HOB has branch offices in Malta and the USA as well as a partner company in Mexico. HOB, Inc. is a fully owned subsidiary of HOB GmbH & Co. KG. It was founded in New Jersey in April 2000 and is currently headquartered in Hawthorne, NY.
Contact Information

HOB GmbH & Co. KG
Schwadermuehlstr. 3, 90556 Cadolzburg
Phone +49 9103 715 0
Telefax +49 9103 715 271
E-mail: [email protected] [email protected]
Phone hotline +49 9103 715 3161
Fax hotline +49 9103 715 299

HOB Inc.
NY Headquarters, 245 Saw Mill River Road, Suite # 106, Hawthorne, NY 10532, USA
E-mail: [email protected] [email protected]
Phone (Toll free) (866) 914-9970
Phone (646) 465-7650
Fax (646) 437-3448

Branch offices abroad: Malta, New York

Visit us on the World Wide Web: http://www.hob.de http://www.hobsoft.com
Information in this document is subject to change without notice. HOB is not liable for any omissions or errors which may be contained in this document. Product information contained herein is from Sept. 2010. Any trademarks in this document are the property of their owners.