A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013
Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously known as Propalms VPN Server).
1. New User Interface Propalms OneGate comes with a brand new user interface. This interface is both modern and light on the web browser.
Desktop Client
2. Kiosk Mode in OneGate Portal Users can log in to the OneGate web portal using kiosk mode from a locked-down machine. Application proxy support without requiring local administrator rights is added in this release. Supported applications are Terminal Services (RDP), VNC, File Share, My Desktop & Files, Telnet, SSH and Web applications (limited).
3. New Access Control Management In previous versions of VPN, access controls were only based on application groups – allowing application group access to user groups. OneGate’s new improved access control management interface will allow creating access controls with added access control methods. Newly added access control methods are:
a. Device ID fingerprinting based access control to user groups – Device ID access controls will restrict access to the VPN gateway for user groups based on matched criteria of the end user machine’s device fingerprint.
b. Endpoint Connectivity based access controls to user groups – Based on this policy, the administrator can control Internet access, and close all active connections if users are connected to the VPN gateway.
Device ID based Fingerprinting The Device ID based fingerprinting feature added in this release will capture the necessary details from the client machine running the OneGate client software. The Device ID is a unique set of numbers and letters generated and allotted by hardware manufacturers for identifying their device. Administrators can create access controls for user groups based on Device ID fingerprinting. Parameters covered under the device fingerprint:
OS type – Client Operating System details
Mother Board ID - ID of Mother board
CPU ID - ID of CPU
MAC ID - MAC Address of LAN card
Hard disk ID - ID of Hard disk
IMEI number - IMEI Number of the device (for Android and iOS based devices)
Received WAN IP Address – WAN IP address received on the server as sent by the client. This can differ from the original IP address if the client browser is configured to use a proxy. This option can be disabled using a preference on the server side.
Detected WAN IP address – WAN IP address detected by the server where WAN packets are terminating at the firewall or router. This is the WAN IP address the SSL VPN client is receiving from the SSL connection.
Region - Client machine regional settings
Time zone – Time zone of the end user machine
Locale – Language set on the client machine
Default gateway – Default gateway address of Client machine
Network Card Manufacturer – Name of NIC card manufacturer
Device ID Based Access Controls Administrators can create Device ID based access controls from Propalms OneGate Management Console > Access Management > Access controls > Create access controls > Select access control type as Device ID. When a user logs in to the OneGate server for the first time, the OneGate client will scan the device fingerprint and send it to the server. The administrator can select single or multiple Device ID parameters for creating an access control. The administrator can also specify the number of device ID signatures per user. For instance, if the administrator selected 3 device ID signatures, the user can log in to the OneGate server from a maximum of three different end user machines / devices. Automatically approve devices: the administrator can allow device access either manually or automatically. All scanned Device ID details are stored in the database and administrators can allow or deny access. Captured Device ID details can be found under Management console > End point Protection > Device Management.
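To make the policy logic described above concrete, here is an added example (not Propalms code) of how a server could evaluate a Device ID access control: the selected fingerprint parameters form the device signature, the per-user signature limit is enforced before a new device is stored, and unapproved devices wait for the administrator. The field names, the `DeviceStore` class and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Fingerprint parameters named in the guide; the sample values used with this
# code are constructed, not captured from a real machine.
FINGERPRINT_FIELDS = (
    "os_type", "motherboard_id", "cpu_id", "mac_id", "hard_disk_id",
    "received_wan_ip", "detected_wan_ip", "region", "time_zone", "locale",
    "default_gateway", "nic_manufacturer",
)

@dataclass
class DeviceIdPolicy:
    match_fields: tuple        # parameters the administrator selected
    max_devices_per_user: int  # per-user device ID signatures, e.g. 3
    auto_approve: bool         # "Automatically approve devices"

@dataclass
class DeviceStore:
    # user -> list of [fingerprint, approved] records (hypothetical store)
    registered: dict = field(default_factory=dict)

    def approve(self, user: str, index: int) -> None:
        """Manual approval by the administrator in Device Management."""
        self.registered[user][index][1] = True

def signature(fp: dict, fields: tuple) -> tuple:
    """Reduce a full fingerprint to the parameters the policy compares on."""
    unknown = set(fields) - set(FINGERPRINT_FIELDS)
    if unknown:
        raise ValueError(f"unknown fingerprint fields: {sorted(unknown)}")
    return tuple(fp.get(f) for f in fields)

def evaluate(user: str, fp: dict, policy: DeviceIdPolicy, store: DeviceStore) -> str:
    """Return 'allow', 'pending' (awaiting approval) or 'deny' for this login."""
    devices = store.registered.setdefault(user, [])
    sig = signature(fp, policy.match_fields)
    for known, approved in devices:
        if signature(known, policy.match_fields) == sig:
            return "allow" if approved else "pending"
    # Unknown device: the per-user signature limit is checked before it is stored,
    # so a user cannot register more machines than the policy allows.
    if len(devices) >= policy.max_devices_per_user:
        return "deny"
    devices.append([dict(fp), policy.auto_approve])
    return "allow" if policy.auto_approve else "pending"
```

Note that a device matched only on volatile parameters (WAN IP, locale) is weak; selecting hardware identifiers such as motherboard, CPU and MAC gives a signature that does not change when the user roams.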
Endpoint Protection Based Access Controls With endpoint protection based access controls, the administrator will have more control over client network traffic through the OneGate VPN client. The administrator can disable Internet access, deny VPN access if a proxy is enabled, or disconnect all active connections once the client is connected to the OneGate server.
For creating Endpoint Protection based access control, go to Propalms OneGate management console > Access control management and create an Access control type as Endpoint Protection.
Close all Existing connections and Keep VPN Session Safe In access control management, create an access control of type Endpoint Protection. If close existing connections is enabled, the external connections that were open before the user logged in will be disconnected at login. If continue to block all external connections other than VPN is also turned ON, then no external connections are allowed: the OneGate VPN client will keep checking for applications that are connected to external servers and will kill those applications.
Disable Internet for end users In access control management, create an access control with the Endpoint Protection policy type. If Block Internet is enabled for the user, Internet access will be disabled for the user after login.
Do not allow login through internet proxies If a proxy is enabled in the client machine’s browser, the end user will not be allowed to log in to the OneGate VPN Gateway.
4. Client Settings Configuration The Administrator can now specify certain client configuration settings for the OneGate client and also optionally control deployment of Propalms TSE client for integration and capability for users to launch applications published on Propalms TSE Server. These client settings can be accessed from the OneGate management console under Host Configuration > Client Settings.
VPN Client Settings
Option for users ability to save username and password on OneGate desktop client
Specify whether OneGate client checks for valid SSL certificate
Set OneGate desktop client to automatically start on Windows logon
Override default name resolution via OneGate and use local client side
Disable user login if user is connecting through a proxy
Enable collection of device fingerprint details
Enable detection of real WAN IP address if user is behind a proxy
Edit comma separated list of alternate gateways that client can connect to
If using Alternate Gateways feature, you can specify that client randomly picks gateway from specified list
Enable upgrade notification for users when a new OneGate client version is available
Enable OneGate client upgrade when version is equal to or below specified version
TSE Client Settings
Administrator can choose to leave the TSE Client upgrade process to TSE Client rather than OneGate client
Enable TSE client upgrade when version is equal to or below specified version
TSE client installation can be forced without user confirmation
Specify the version of TSE client you wish to deploy
Specify the URL from where TSE client will be downloaded on demand
5. ISP Load Balancing Propalms OneGate now supports inbound connection load balancing. The OneGate server can be accessible from multiple Internet service providers configured in the management console. When an end user connects to the OneGate server it will check the load on the links and send the login request to the less loaded ISP. This feature is helpful if customers have multiple internet connections and want incoming users to be distributed equally across them. The ISP Load balancing feature can be configured under Host Configuration > ISP Management > Add:
Enter ISP IP address in IP Address field.
Add weight of server.
Click to Enable
For example, if we specify a weight of 2 on the first ISP and a weight of 3 on the second ISP, the load balancing ratio is 2:3, i.e. for every two connections sent to the first ISP, three connections will be sent to the second ISP. The total sum of the weights should not exceed 20. In other words, a maximum of 20 ISPs can be configured, with a weight value of 1 for each ISP.
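As an added example (not Propalms code), the following shows what the 2:3 weighting above produces when logins are spread with a smooth weighted round robin, together with the two configuration checks the guide implies (each ISP enabled with a weight of at least 1, total weight at most 20). The guide does not document the product's actual selection algorithm, so the round robin and the `IspBalancer` class are assumptions.

```python
from collections import Counter

MAX_TOTAL_WEIGHT = 20  # limit stated in the guide

def validate_isps(isps: dict) -> dict:
    """isps maps ISP IP address -> (weight, enabled). Returns {ip: weight} of enabled ISPs."""
    enabled = {ip: w for ip, (w, on) in isps.items() if on}
    if any(w < 1 for w in enabled.values()):
        raise ValueError("each ISP weight must be at least 1")
    if sum(enabled.values()) > MAX_TOTAL_WEIGHT:
        raise ValueError(f"total ISP weight exceeds {MAX_TOTAL_WEIGHT}")
    if not enabled:
        raise ValueError("no enabled ISP configured")
    return enabled

class IspBalancer:
    """Smooth weighted round robin: every link gets exactly its weight's share
    of each (sum of weights) consecutive logins."""
    def __init__(self, isps: dict):
        self.weights = validate_isps(isps)
        self.current = {ip: 0 for ip in self.weights}

    def next_isp(self) -> str:
        total = sum(self.weights.values())
        for ip, w in self.weights.items():
            self.current[ip] += w
        chosen = max(self.current, key=self.current.get)  # least loaded link
        self.current[chosen] -= total
        return chosen

def distribute(isps: dict, logins: int) -> Counter:
    """Count how many of `logins` successive logins each ISP receives."""
    balancer = IspBalancer(isps)
    return Counter(balancer.next_isp() for _ in range(logins))
```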
6. Log File Settings The newly added Log file settings allow more flexibility in creating log files. OneGate administrators can select the log archiving frequency on a daily, weekly or monthly basis. They can also set the size of log files and the maximum number of archived log files. These options are available under Monitoring and Reporting > Log Settings. Administrators can download archived log files from the Log file settings page.
7. Publish Network/Subnet or IP range In the new OneGate server, the administrator can publish multiple IP addresses or a range of network IP addresses with single or multiple port access. This feature will allow enabling a set of ports or network access to security user group/s in a single click. In Access Management > Applications create an application with type as Network and select from the following:
Multiple IP Addresses - administrator can allow specific port /ports access to set of devices by adding IP addresses to IP address field with comma separator.
IP Address Range - administrator can select network IP range by entering starting and ending IP address details and assign specific port / ports access.
Subnet Number – administrator can specify network address and subnet number and assign specific port/ports access.
To allow full access to the network or the selected network IP addresses, add the port number range 1-65000 under the Application Port field.
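The three publishing forms above map naturally onto address sets plus port ranges. The following is an added example (not Propalms code) of a matcher that parses each form and decides whether a destination host and port is covered by a published Network application; the `NetworkApp` class and the sample addresses are assumptions for illustration.

```python
import ipaddress

FULL_ACCESS_PORTS = "1-65000"  # range the guide recommends for full access

def parse_ports(spec: str) -> list:
    """'22,3389' or '1-65000' -> list of (low, high) port ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {part.strip()}")
        ranges.append((lo, hi))
    return ranges

def parse_hosts(kind: str, value: str) -> list:
    """Return the ipaddress networks covering the published addresses."""
    if kind == "multiple":   # comma separated list, e.g. "10.0.0.5, 10.0.0.9"
        return [ipaddress.ip_network(v.strip()) for v in value.split(",")]
    if kind == "range":      # starting and ending address, e.g. "10.0.0.10-10.0.0.20"
        start, end = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    if kind == "subnet":     # network address and prefix, e.g. "10.0.1.0/24"
        return [ipaddress.ip_network(value.strip(), strict=False)]
    raise ValueError(f"unknown application form: {kind}")

class NetworkApp:
    def __init__(self, kind: str, hosts: str, ports: str):
        self.nets = parse_hosts(kind, hosts)
        self.ports = parse_ports(ports)

    def permits(self, ip: str, port: int) -> bool:
        """True if the destination is inside the published addresses and ports."""
        addr = ipaddress.ip_address(ip)
        return (any(addr in net for net in self.nets)
                and any(lo <= port <= hi for lo, hi in self.ports))
```

One consequence worth knowing: the recommended 1-65000 range leaves ports 65001-65535 unpublished, which the last subnet check in the test makes visible.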
8. New Search Filters New search capability has been added to the management console in the following screens:
Users Administrators can filter user details by selecting User ID, Email, Role, Class and Disabled users.
Applications More filters have been added for searching applications, such as Application Name, Application Address, Ports and Application type.
Access Controls Access Controls can be searched by filter types: Access Control name, Authentication server, User group and Type of Policy.
9. SMTP Authentication In previous versions, Propalms VPN had an option for sending the passphrase to users' Email IDs. This feature has now been enhanced with support for SMTP Authentication. SMTP Authentication details can be changed from Management Console > Host Configuration > SMTP Server.
10. Auto-Launch Applications Administrator can select applications to start automatically (only applications which supports portal based access) when end user logs in. Auto launching of applications can be enabled from OneGate Management Console > Access Management > Applications > Add / Modify Application
11. Desktop Client - Alternate Gateways OneGate client can access multiple gateways and will automatically connect to alternate gateways if primary gateway is not available. The settings can be enabled in the management console under Host Configuration > Client Settings
The list of alternate gateways can be viewed on the desktop client by clicking Actions > Preferences before logging in or Options > Preferences after login.
12. Desktop Client – Save Username and Password End users can save their user name and password by selecting Remember Me and Remember Password options from Propalms OneGate Desktop Client.
13. Desktop Client – User Preferences In the latest OneGate Desktop Client users can change the following preferences from Action > Preferences
Enable SSL Certificate Warning Dialog – If this option enabled and OneGate is not using signed SSL Certificate, trusted authority warning dialog box will be displayed
Start on windows Logon – OneGate client will automatically start with windows login
Login automatically (if Password is saved) – Basic Authentication users can save user name and password and login automatically with windows login
Keep always ON - Client will keep on trying to reconnect server if network connectivity is interrupted and automatically connect when connectivity is available
Do not launch applications automatically on logon - if any applications are configured to auto-launch and users want to disable this option, they can choose it from here
Use hosts file for name resolution – client will use local hosts for name resolution
Do not use load balanced VPN host received from VPN gateway - If load balancing is enabled on OneGate servers and user wants to disable this option, they can do this from here
Do not connect alternate gateways - users can disable searching for alternate gateways which are configured on server
Clear Alternate Gateway List – removes list of alternate gateways received from OneGate server
14. Multiple VPN Domain Configuration OneGate administrators can configure multiple VPN Domains for user authentication. Administrator can add, modify and delete VPN Domain. When adding a new VPN Domain, administrators can configure different authentication servers and turn endpoint security on or off.
If multiple VPN domains are configured on OneGate server then at the time of login a new option will be shown to choose VPN domain in desktop client and web portal.
15. SMS Gateway Integration for Passphrase Delivery Administrator can configure SMS gateway details in OneGate server so that users can get their passphrase via SMS during successful user creation or if administrator resets the passphrase. Administrator can also modify the contents of SMS message. You configure SMS settings in OneGate Management Console > Host Configuration > Global Settings > Configure SMS Settings
16. NTP Support Improved NTP settings can be administered under Host Configuration > Global Settings. Administrator can start or stop NTP server, verify status and check for last update time from this page. Primary and Secondary NTP Servers can be configured.
17. Integrated ProID based Two Factor Authentication ProID provides an integrated end-user 2-factor authentication option for customers who would like users to login using their domain credentials as well provide another dynamic credential for greater security. For e.g. customer would expect users to enter their domain credentials and an OTP generated by SMS, Email, Hardware token or Software token. ProID requires a separate server to be provisioned for this feature.
18. NTLM Application SSO Administrator can enable single sign on for NTLM enabled web based applications, for e.g. MS OWA, SharePoint. This option is available only for web based applications. SSO options are available when you add specific web based applications in the console.
19. Cipher Support Improved Cipher settings can be administered under Host Configuration > Global Settings. Cipher support has been improved: the administrator can now select any cipher, but to change the cipher setting the OneGate server must be in configuration state.
20. Proxy Support Improved The OneGate Client can run if the user has set the proxy setting with the hostname of the proxy server. We have also added support for PAC files and SOCKS 4 and 5 proxies. In these proxy environments the user is able to log in to the OneGate client and access the hosted applications.
21. Compression Support for HTTP Application This release supports compression for the http application type. It will improve the http application access time.
22. New Application Template – My Desktop and Files A new application type, My Desktop and Files, has been added. Now the administrator can create one file share application in which one user can be mapped to a specific file share location. A single application can handle up to 300 entries.
23. Customizable UI for User Authentication In desktop client, Administrator can change the text message for user and label of user name/password. This can be configured when you configure AD as Authentication Server under User Interface Configuration.
24. Email notification for Device ID Registration Security officer will get the email notification when device registration is pending. At the time device id access control creation if auto approve check box is unchecked then Security officer will get the email notification.
25. Form Based SSO for http and https Applications A single sign on option (form and NTLM based) for the http/https application type has been added.
26. CSR Key Length Increased Now administrator can generate SSL certificate CSR with three different key length options (1024, 2048, and 4096).
27. Edit Email Templates Administrator can edit the email templates from OneGate management console under Host Configuration > Global Settings. The different email templates can be edited under Email Formats.
28. Multiple Ports Support for Single App Multiple ports support has been added for every application type. Now the administrator can publish a maximum of 5 ports in a single application.
29. Create App Group from App Creation Page When setting an Application Rule, if there is no application group configured in OneGate, Admin can create application group from application page itself. Admin should click on add application to application group then they will get the option to add application group.
30. New Search Options for Logs Search option added in Admin, Activity, User and EPS logs.
31. Two New Options for Sending User Information On the user creation page an additional 2 options have been added for sending information about user creation/reset passphrase/change password to user specified email address or user mobile number.
Send details via email
Send details on mobile
32. New Virtual Server Option Add Virtual Server to use OneGate server as HTTPS reverse proxy server. Admin can create a unique DNS name and then create a virtual server for this DNS name. This will not require user to download the VPN java client modules.
33. Compression available for all Application Types Now administrator can enable or disable compression for every application type. If compression is enabled for specific application then application access will become faster.
34. Extended Radius Configuration Options The Radius server configuration now includes a user interface configuration option, so the administrator can configure the user interface: the message shown to the user, the user name label and the password label.
35. Licensing Changes Existing Propalms VPN 3.7 keys are not reusable for Propalms OneGate 4.0. If the administrator wants to license OneGate 4.0 they should contact Propalms for a new serial key for OneGate 4.0. Customers with valid maintenance will be entitled to an upgrade from Propalms 3.7 to OneGate version 4.0. If the administrator applies the upgrade patch for OneGate 4.0 to a Propalms VPN 3.7 gateway, then after the upgrade the existing license is reset and a default evaluation license is applied. Customers need to enter a valid OneGate 4.0 license to reactivate their system.
Propalms Ltd is a global provider of application delivery and secure remote access solutions for Remote Desktop Services and Virtual Desktop Infrastructures. Delivering to Enterprises of all sizes we offer reliable, scalable and affordable solutions that simply work. Our belief is that application delivery solutions should be flexible, dynamic and above all, simple to use. © 2013 Propalms Ltd. All Rights Reserved. Microsoft®, Windows® are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.