You can get what you desire by requiring registered mode for non-card access and *not* allowing self registration. The users can open a support request with their client ID and the administrator can register it for them, and capture all the real details of who/what/where that OVDC is running.
A good compromise, especially if you take physical Sun Ray security so seriously. Otherwise a "liberal" use policy that would allow access from almost any type of client when the same isn't allowed for arguably far more secure physical Sun Rays doesn't make sense.

On Jul 6, 2011, at 8:18 AM, James Kissler <[email protected]> wrote:

> Aaron, I can understand where you are coming from. I have a good
> number of Sunrays deployed. We require the use of smartcard and pin
> for authentication on both PCs and Sunrays (used for terminal
> services). This is a hard requirement for all users, with the
> exception of admin personnel, the only people to use OVDC. It would
> be nice to be able to enforce smartcard authentication for physical
> clients while allowing a more liberal access policy for OVDC
> connections.
>
> On Wed, Jul 6, 2011 at 7:51 AM, Aaron Wilson <[email protected]>
> wrote:
>> DTU requires cards.
>> OVDC doesn't require a card.
>>
>> Be nice to be able to log into our Sun Ray servers in our other
>> office remotely.
>>
>> On Fri, Jul 1, 2011 at 4:51 AM, Jörg Barfurth <[email protected]> wrote:
>>> Aaron Wilson wrote:
>>>>
>>>> Our default setup requires smart cards to get a login prompt on a
>>>> DTU.
>>>> We want to keep that the way it is.
>>>> I'd like to make it so OVDC connections don't require a smart card.
>>>> Which options need to be enabled/setup in the Admin GUI to do this?
>>>>
>>>
>>> This is not supported by Sun Ray Server software.
>>>
>>> There is a global policy controlling session access with or
>>> without cards.
>>>
>>> If session access is allowed by that policy you can separately
>>> decide whether OVDC access is allowed or not. This was implemented,
>>> because some customers feel that a software client is less secure.
>>>
>>>> Currently we have the Card Users section setup with "Users with
>>>> Registered Tokens" and "Self-Registration Allowed" checked.
>>>>
>>>
>>> From a security perspective it seems to make little sense to
>>> restrict access to users with cards on one kind of client, if
>>> anyone can use a laptop with OVDC to get access without a card.
>>>
>>> Can you explain what you want to achieve with your desired policy?
>>>
>>> Best Regards
>>>
>>> --
>>> Jörg Barfurth http://blogs.oracle.com/joergb
>>>
>>> Disclaimer: I am employed by Oracle. The statements and opinions
>>> expressed here are my own and do not necessarily represent those
>>> of Oracle Corporation.
>>> _______________________________________________
>>> SunRay-Users mailing list
>>> [email protected]
>>> http://www.filibeto.org/mailman/listinfo/sunray-users
