Richard Butland
Sat, 31 Oct 2009 10:42:34 -0700
I guess I'm a little confused about what your situation is - as I understand it, you have two servers:
1. intranet.domain.com - running SSL, etc - I take it this is a reverse-proxy device, also capable for port-forwarding?
2. sgdserver.domain.com - not running security

It's possible to use the same certificate for two different "destinations", using wildcard certificates (e.g. "*.domain.com") or SubjectAltName certificates (e.g. "CN=intranet.domain.com, SubjectAltName=sgdserver.domain.com") - it's possible your CA could re-issue your existing server certificate with a new SubjectAltName without any additional expense. That way, when a user enters https://intranet.domain.com:port and gets port-forwarded to sgdserver.domain.com:port, with the server certificate allowing either name, there won't be any complaints about server name mismatches.
http://docs.sun.com/source/820-6689/chapter1.html#Z400003e1299821

Port-forwarding port 443 (or another port) with firewall traversal enabled will work fine, except, perhaps, for the SSL server name issue. If an external user enters https://intranet.domain.com, but the connection is port-forwarded to the actual server name, sgd.domain.com, then SSL will complain to the user. It might be possible for the CA to re-issue the certificate with a SubjectAltName.
So, basically, the SSL certificate will be installed on your SGD server, the edge device 'intranet.domain.com' will port-forward any SGD-destined traffic to the sgdserver. You'd configure firewall traversal to de-multiplex the HTTPS+AIPS packet stream. If possible, I'd use 443 for this, but I gather you have other SSL destinations, so this may not be possible. If you only have a single SGD server, it's possible to use a reverse-proxy server if it also has a SOCKS proxy capability for the AIP stream: http://docs.sun.com/source/820-6689/chapter1.html#Z400003e1303435
Jonathan C. Bailey wrote:

I don't know about a gateway... I don't have any machines running RHEL (or OpenSolaris) exposed to the outside world.. I also wanted to re-use my SSL certificate. I just had another thought... What about port forwarding a single non-standard encrypted port and using the firewall traversal options (so HTTPS and AIP are on the same port). Would there be an issue with the server answering as intranet.domain.com rather than sgdserver.domain.com? Any way to run a different SSL certificate internally (maybe even on the standard SSL port)?

-Jon

----- Original Message -----
From: "Richard Butland" <richard.butl...@sun.com>
To: "Sun Secure Global Desktop Users mailing list" <sgd-users@filibeto.org>
Sent: Friday, October 30, 2009 6:30:21 PM GMT -05:00 Colombia
Subject: Re: [SGD-Users] Proxy web/AIP data via another server

Have you looked at the Secure Gateway? Basically, that's what it's built to do - proxy both the http(s) traffic, and the AIP(s) traffic.

If you want to do it yourself, well, you *can* put up a reverse proxy, and the AIP traffic can be routed through a SOCKS proxy, but I really can't recommend it. For internal connections, you simply connect to sgdserver.domain.com - you don't *have* to go through the gateway.

The Secure Gateway isn't separately priced, and this is what it was designed for, so this is what I'd recommend.

http://docs.sun.com/source/820-6691/index.html

hth,
Rick

Jonathan C. Bailey wrote:

I'm a bit of an SGD newbie, implementing it as part of our VDI3 install. Anyway, we have an existing intranet server (intranet.domain.com). The server provides HTTP/HTTPS access to intranet resources. We also have a SGD server at sgdserver.domain.com (running HTTP only, not public). We'd like to proxy requests to /sgd/ via intranet.domain.com with Apache (using ProxyPass and ProxyPassReverse), and port forward the secure AIP port to the internal SGD server (the port forward being the easy part). Anyway, is what I'm looking for possible? Anything specific I should be looking at in the manual? Also, we'd like to keep HTTP/unencrypted AIP communications for internal access to SGD... Thanks!

-Jon

_______________________________________________
SGD-Users mailing list
SGD-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sgd-users
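As an added illustration of the certificate point discussed in this thread (example code, not from the thread, from Sun, or from SGD), the following Python checks whether a server certificate, in the dict form Python's ssl.getpeercert() returns, covers a hostname under the rules TLS clients apply: SubjectAltName dNSName entries are matched when present and the CN is then ignored, and a wildcard covers exactly one leftmost label. The certificate dicts are constructed to mirror the thread's options (a SubjectAltName re-issue, a wildcard, and the original single-name certificate), so the hostnames are the thread's placeholders, not real hosts.

```python
# Added example: hostname matching against a certificate dict shaped like
# ssl.SSLSocket.getpeercert(). Pure stdlib, no network access.

def _dns_names(cert):
    """Names a client may match: SAN dNSName entries if any, else the subject CN.
    Clients that find a SAN ignore the CN (RFC 6125), so a re-issued certificate
    must list BOTH intranet.domain.com and sgdserver.domain.com in the SAN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]

def _name_match(pattern, hostname):
    """One certificate name vs one hostname; '*' only as the whole leftmost
    label, matching exactly one label (so *.domain.com != domain.com)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert, hostname):
    """True when a browser would accept `cert` for `hostname` (name check only)."""
    return any(_name_match(p, hostname) for p in _dns_names(cert))

def check_forwarding(cert, entered, forwarded_to):
    """Both the name the user types and the name the port-forward lands on
    must be covered, or the user sees a server-name mismatch warning."""
    return {name: cert_matches_host(cert, name) for name in (entered, forwarded_to)}

# Constructed certificates mirroring the thread (hostnames are placeholders).
SAN_CERT = {  # CA re-issue with both names in the SubjectAltName
    "subject": ((("commonName", "intranet.domain.com"),),),
    "subjectAltName": (("DNS", "intranet.domain.com"), ("DNS", "sgdserver.domain.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
}
PLAIN_CERT = {  # the existing single-name certificate: the mismatch case
    "subject": ((("commonName", "intranet.domain.com"),),),
    "subjectAltName": (("DNS", "intranet.domain.com"),),
}

if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT), ("plain", PLAIN_CERT)):
        print(label, check_forwarding(cert, "intranet.domain.com", "sgdserver.domain.com"))
```

A SAN that lists only sgdserver.domain.com (the literal form quoted in the thread) would leave intranet.domain.com uncovered for clients that ignore the CN, which the check above reports as a mismatch.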