I guess I'm a little confused about what your situation is - as I
understand it, you have two servers:
1. intranet.domain.com - running SSL, etc - I take it this is a
reverse-proxy device, also capable for port-forwarding?
2. sgdserver.domain.com - not running security
It's possible to use the same certificate for two different
"destinations", using wildcard certificates (e.g. "*.domain.com") or
SubjectAltName certificates (e.g. "CN=intranet.domain.com,
SubjectAltName=sgdserver.domain.com") - it's possible your CA could
re-issue your existing server certificate with a new SubjectAltName
without any additional expense.
That way, when a user enters https://intranet.domain.com:port and gets
port-forwarded to sgdserver.domain.com:port, with the server certificate
allowing either name, there won't be any complaints about server name
mismatches.
http://docs.sun.com/source/820-6689/chapter1.html#Z400003e1299821
Port-forwarding port 443 (or another port) with firewall traversal
enabled will work fine, except, perhaps, for the SSL server name
issue. If an external user enters https://intranet.domain.com, but the
connection is port-forwarded to the actual server, whose name is sgd.domain.com,
then SSL will complain to the user. It might be possible for the CA to
re-issue the certificate with a SubjAltName.
So, basically, the SSL certificate will be installed on your SGD server,
the edge device 'intranet.domain.com' will port-forward any SGD-destined
traffic to the sgdserver. You'd configure firewall traversal to
de-multiplex the HTTPS+AIPS packet stream. If possible, I'd use 443 for
this, but I gather you have other SSL destinations, so this may not be
possible.
If you only have a single SGD server, it's possible to use a
reverse-proxy server if it also has a SOCKS proxy capability for the
AIP stream:
http://docs.sun.com/source/820-6689/chapter1.html#Z400003e1303435
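The name-mismatch question above comes down to how a client matches the host it was given against the names in the server certificate. The following is an added illustration, not code from this thread or from SGD: a simplified implementation of the RFC 6125 DNS-name matching rules (exact match, or a single leftmost-label wildcard), run against three constructed certificates that mirror the options Rick lists. One caveat the check makes visible: when a certificate carries any SubjectAltName DNS entries, clients ignore the CN entirely, so a re-issued certificate has to list intranet.domain.com as well as sgdserver.domain.com in the SAN, not only the new name.

```python
"""Does a server certificate cover the hostname the client typed?

Added example for the SGD port-forwarding discussion. The certificate
objects below are constructed for illustration; the matching rules are a
simplified reading of RFC 6125 section 6.4, not SGD's or any library's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ServerCert:
    """Just the identity-bearing fields of an X.509 server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)

    def dns_names(self) -> List[str]:
        # RFC 6125: if the SAN has any dNSName entries, the CN is not consulted.
        # A cert with SAN=[sgdserver.domain.com] alone therefore does NOT
        # cover intranet.domain.com, even if that is its CN.
        return list(self.san_dns) if self.san_dns else [self.common_name]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly '*.x.y') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, appear only once, and
    # sit under at least two fixed labels ('*.com' is not acceptable).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' matches exactly one non-empty label: '*.domain.com' covers
    # sgdserver.domain.com but neither domain.com nor a.sgdserver.domain.com.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: ServerCert, hostname: str) -> bool:
    """True if any applicable name in the certificate matches the host typed."""
    return any(dns_name_matches(name, hostname) for name in cert.dns_names())


# Constructed certificates mirroring the thread's options (not real certs).
CN_ONLY = ServerCert(common_name="intranet.domain.com")
WILDCARD = ServerCert(common_name="*.domain.com")
SAN_CERT = ServerCert(
    common_name="intranet.domain.com",
    san_dns=["intranet.domain.com", "sgdserver.domain.com"],
)
# The pitfall: SAN present but listing only the new name.
SAN_NEW_NAME_ONLY = ServerCert(
    common_name="intranet.domain.com", san_dns=["sgdserver.domain.com"]
)

HOSTS = ["intranet.domain.com", "sgdserver.domain.com"]


def check_thread_scenarios() -> Dict[str, Dict[str, bool]]:
    """For each certificate, which of the two hostnames would pass the check."""
    certs = {
        "cn_only": CN_ONLY,
        "wildcard": WILDCARD,
        "san_both": SAN_CERT,
        "san_new_only": SAN_NEW_NAME_ONLY,
    }
    return {label: {h: cert_covers_host(c, h) for h in HOSTS} for label, c in certs.items()}


if __name__ == "__main__":
    for label, result in check_thread_scenarios().items():
        print(f"{label:14s} {result}")
```

Running it shows that only the wildcard certificate and the SAN certificate listing both names pass for both hostnames; the CN-only certificate fails for sgdserver.domain.com, and the SAN certificate that names only sgdserver.domain.com fails for intranet.domain.com, which is the case to watch for when asking a CA to re-issue.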
Jonathan C. Bailey wrote:
I don't know about a gateway... I don't have any machines running RHEL (or
OpenSolaris) exposed to the outside world.. I also wanted to re-use my SSL
certificate.
I just had another thought... What about port forwarding a single non-standard
encrypted port and using the firewall traversal options (so HTTPS and AIP are
on the same port). Would there be an issue with the server answering as
intranet.domain.com rather than sgdserver.domain.com? Any way to run a
different SSL certificate internally (maybe even on the standard SSL port)?
-Jon
----- Original Message -----
From: "Richard Butland" <richard.butl...@sun.com>
To: "Sun Secure Global Desktop Users mailing list" <sgd-users@filibeto.org>
Sent: Friday, October 30, 2009 6:30:21 PM GMT -05:00 Colombia
Subject: Re: [SGD-Users] Proxy web/AIP data via another server
Have you looked at the Secure Gateway? Basically, that's what it's
built to do - proxy both the http(s) traffic, and the AIP(s) traffic.
If you want to do it yourself, well, you *can* put up a reverse proxy,
and the AIP traffic can be routed through a SOCKS proxy, but I really
can't recommend it.
For internal connections, you simply connect to sgdserver.domain.com -
you don't *have* to go through the gateway.
The Secure Gateway isn't separately priced, and this is what it was
designed for, so this is what I'd recommend.
http://docs.sun.com/source/820-6691/index.html
hth,
Rick
Jonathan C. Bailey wrote:
I'm a bit of an SGD newbie, implementing it as part of our VDI3 install.
Anyway, we have an existing intranet server (intranet.domain.com). The server
provides HTTP/HTTPS access to intranet resources. We also have a SGD server at
sgdserver.domain.com (running HTTP only, not public). We'd like to proxy
requests to /sgd/ via intranet.domain.com with Apache (using ProxyPass and
ProxyPassReverse), and port forward the secure AIP port to the internal SGD
server (the port forward being the easy part).
Anyway, is what I'm looking for possible? Anything specific I should be looking
at in the manual?
Also, we'd like to keep HTTP/unencrypted AIP communications for internal access
to SGD...
Thanks!
-Jon
_______________________________________________
SGD-Users mailing list
SGD-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sgd-users