November 3rd, 2011 15:00

Secure-IT SSL Gateway backdoor

Hello,

We are running a pilot with Quest vWorkspace and two-factor authentication. We don't use Quest Webaccess for two-factor authentication; we have Novell Access Manager for this.

This works fine for everybody.

We also use the RDP Proxy functionality in the Quest Secure-IT SSL Gateway. At first I noticed that the RDP Proxy doesn't have a list of allowed RDP servers or anything like that, but I resolved that with firewall rules.

The only problem with the RDP Proxy is that when I use the Quest Remote Desktop Connection client, I can configure the SSL Secure Gateway and then log in to the Terminal Server with only a username and password, without two-factor authentication.

Is it possible to force our users through the Quest Webaccess web page before they can connect to a terminal server? Is there a GPO for terminal servers for this, or something else?

We don't have TMG and don't want to use SSL VPN.

Thanks.

Floris

November 3rd, 2011 19:00

Hello Floris,

In the next release of vWorkspace, version 7.5, we will be introducing support for two-factor authentication directly from the client device without the need to go via Web Access, as mentioned in this blog post: http://en.community.dell.com/techcenter/virtualization/vworkspace/b/vworkspace-blog/archive/2011/10/18/what-39-s-next-for-vworkspace-part-2-project-hadron

Regards

David

November 3rd, 2011 20:00

Hello David,

That's a good step towards better support on iPad and Android devices and support for two-factor authentication on the broker.

The only reason we are not using Quest Webaccess two-factor authentication is that we are using SMS one-time passwords. With Novell Access Manager you must fill in your username and password, and after that a one-time password is sent to your mobile. In a second form you fill in this one-time password code and then you are logged in. Quest Webaccess only provides a login screen with username/password and two-factor code in one HTML form. That works fine with RSA dongles but not with SMS OTP.

Regards,

Floris

November 7th, 2011 09:00

I found the following for Citrix and VMware:

Citrix:

http://forums.citrix.com/message.jspa?messageID=409496#409496

VMware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006042

Is this possible with Quest vWorkspace? I don't want users to be able to make a direct RDP connection through the SSL gateway.

I want to force them to use the vWorkspace webaccess to run published applications or desktops.

November 7th, 2011 10:00

Hello,

If I understand you correctly, you don't want your users to be able to use PNTSC to launch a connection through the SSL Gateway to the Terminal Servers.

When connecting via Web Access, do you publish a full desktop to your users or just seamless apps?

I think "backdoor" isn't really fair, as it is by design an alternative way of connecting users to desktops/apps. So, as it was designed to allow this, one of the best options at the moment would be obscurity.

E.g., how are your users going to know the SSL Gateway name/port for the RDP over SSL connection? Instead of matching this to your website, you could have an alternate SSL Gateway so they wouldn't be able to guess the name.

And/or you could change the port that your RDP proxy listens on so that this isn't the standard 443.

All of this wouldn't close the door, but it would make it a backdoor instead of a neon-lit entranceway.

Thanks, Andrew.

November 7th, 2011 11:00

Hello,

The problem is that Web Access launches the PIT file via PNTSC; it just gives you a prettier interface, so we can't simply block the use of PNTSC.

I don't understand the full details yet. E.g., why are students and employees using the same machine? Surely the student machines should be locked down so they can't install tools, and they shouldn't have the vWorkspace client installed.

Can any student add their machine to your network?

Are you talking about public areas full of thin clients that are used to access vWorkspace?

Maybe if you could give us some more background, we could come up with a way to make this more secure.

Hmm, thinking about this:

The 100% way of getting what you're asking for right now is to not install the Web Connector on any machines and instead use the Java Connector. The Java Connector does not come with the user interface that you see with PNTSC, so the only way to use it is via Web Access, which should allow you to force the use of an OTP.

Thanks, Andrew

November 7th, 2011 11:00

Hi Andrew,

I indeed don't want users to be able to use PNTSC to launch a connection through the SSL Gateway to the Terminal Servers. I publish a full desktop via Web Access.

Obscurity is not an option. I have a separate URL for the SSL Gateway. But if you turn on the debug log for the Quest vWorkspace client, you will get a pop-up with the SSL Gateway DNS address and port number. Or you can use "netstat -n".

This is too easy for the IT students at our university. I really want our employees to have to log in with username, password and OTP, so that when a username and password is known to students, they still can't log in directly to the RDS server through the SSL gateway.

Thanks,

Floris

November 7th, 2011 12:00

Hi Floris,

Yeah, if this isn't in a locked down, internal only environment, I agree the Java Connector won't help.

Raising a support case could be a good idea because, at the least, they could raise an enhancement request for you. Let me know the case id and I'll keep an eye on it.

I think two farms, with separate web servers and SSL Gateways, would be the way forward. This way, the students won't know any way of getting the SSL Gateway details for the staff farm and, even if they log into the student farm with staff details, you can make sure the student farm/gateway doesn't have access to the staff RDS servers.

The two separate farms will also be helpful for when 7.5 comes along and brings the feature David mentioned above.

Thanks, Andrew.
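Two points in this thread translate directly into firewall policy: Floris noted that the RDP Proxy has no allow-list of its own and compensated with firewall rules, and Andrew's two-farm proposal only works if the student gateway genuinely cannot reach the staff RDS servers. The following is an added example, not code from the thread or from Quest/Dell, that models a first-match, default-deny egress policy for the gateways and checks both properties. The addresses, network names and rule names are constructed for illustration and are not taken from the thread.

```python
"""Model of the egress policy a network firewall enforces between the SSL
Gateways and the RDS segments. The RDP proxy itself will forward to any host,
so the firewall is where the allow-list lives. All addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (implicit default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def host(addr: str) -> IPv4Network:
    return ip_network(addr + "/32")


# Constructed two-farm topology (assumption, not from the thread).
GATEWAYS = ip_network("192.0.2.0/24")   # DMZ segment holding both gateways
STUDENT_GW = "192.0.2.10"
STAFF_GW = "192.0.2.20"
STUDENT_RDS = ip_network("10.10.0.0/24")
STAFF_RDS = ip_network("10.20.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Segmented policy: each gateway may proxy RDP only into its own farm.
POLICY = [
    Rule("student-gw-to-student-rds", host(STUDENT_GW), STUDENT_RDS, RDP_PORT, "allow"),
    Rule("staff-gw-to-staff-rds", host(STAFF_GW), STAFF_RDS, RDP_PORT, "allow"),
    Rule("deny-other-rdp-from-gateways", GATEWAYS, ANY, RDP_PORT, "deny"),
]

# The situation before an allow-list existed: the gateway segment may proxy RDP anywhere.
WEAK_POLICY = [
    Rule("gateways-proxy-anywhere", GATEWAYS, ANY, RDP_PORT, "allow"),
]


def find_open_rdp_proxies(rules: List[Rule]) -> List[str]:
    """Names of allow rules that let a gateway reach RDP on any destination at all."""
    return [r.name for r in rules
            if r.action == "allow" and r.dport in (None, RDP_PORT) and r.dst.prefixlen == 0]


def check_segmentation(rules: List[Rule]) -> List[str]:
    """Return violations of the two-farm design; an empty list means it holds."""
    cases = [
        (STUDENT_GW, "10.10.0.5", "allow"),  # student gateway to student RDS
        (STUDENT_GW, "10.20.0.5", "deny"),   # student gateway must not reach staff RDS
        (STAFF_GW, "10.20.0.5", "allow"),    # staff gateway to staff RDS
        (STAFF_GW, "10.10.0.5", "deny"),     # staff gateway stays out of the student farm
        (STUDENT_GW, "10.30.0.7", "deny"),   # host in neither farm: no allow-list entry
    ]
    violations = []
    for src, dst, expected in cases:
        action, rule = evaluate(rules, src, dst, RDP_PORT)
        if action != expected:
            violations.append(f"{src}->{dst}:{RDP_PORT} got {action} via {rule}, expected {expected}")
    return violations


if __name__ == "__main__":
    print("open proxies in weak policy:", find_open_rdp_proxies(WEAK_POLICY))
    print("segmentation violations in weak policy:", check_segmentation(WEAK_POLICY))
    print("segmentation violations in segmented policy:", check_segmentation(POLICY))
```

Two caveats for anyone reproducing this on real equipment. First, the first-match ordering modelled here is how most network firewalls behave; Windows Firewall with Advanced Security instead lets block rules override allow rules, so an allow-list on the gateway host itself needs the profile's default outbound action set to block rather than a broad block rule placed "after" the allows. Second, as the thread makes clear, restricting where the proxy can reach does not bring back the OTP requirement; a valid staff username and password still gets a student through the staff gateway. That is why the allow-list only helps once the farms have separate gateways and the student gateway has no path to the staff RDS servers.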

November 7th, 2011 12:00

Hi Andrew,

We want all our students and employees to be able to use RDS desktop sessions from home (DSL/cable) or on campus (WiFi). Only our employees must log in to Web Access with an OTP. We have solved that with Novell Access Manager. So at this time students only have to use their username and password. Our employees use username, password and OTP.

We provide two Managed Applications: one RDS desktop for employees and one RDS desktop for students. Both are almost the same, but for students we have multiple RDS servers on a different network segment from the RDS servers the employees are using. On the RDS servers for students you are not able to connect to business-critical systems (financial, HRM, etc.).

But for students and employees we use the same Quest SSL Gateway. Yes, sure, we can create another Quest SSL Gateway for employees with a bogus DNS name and a non-standard port number. But I prefer that when I use OTP in my environment, it isn't possible to bypass the web-based OTP solution we have.

Your last idea is possible. But it is not so hard to get a vWorkspace client for Windows, Mac OS X and Linux :-). And the Java client isn't as good as the native Windows client.

I can make a support call for this. Is it possible that they have a solution for this?

November 7th, 2011 13:00

Hi Andrew,

I opened a case. ID: 973675

Thanks!

Floris