VII. Corente Services SSL Client - docs.oracle.com€¦ · SSL Certificate.....44 SSL Certificate...

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

VII. Corente Services SSL Client Corente Release 9.1

Manual 9.1.1

Copyright © 2014, Oracle and/or its affiliates. 2 Corente Services SSL Client

Table of Contents

Preface .................................................................................................... 5

I. Introduction ............................................................................................ 6

Chapter 1. Requirements ....................................................................................... 7 On the LAN of the Corente Virtual Services Gateway .................................................. 7 On Each User’s Computer .................................................................................. 7

Chapter 2. Pre-Configured SSL Services ................................................................. 10 Desktop Access (VNC Applet) ............................................................................ 10 File Browsing ................................................................................................ 10 Local Web Browsing (HTTP) .............................................................................. 10 Email Protocols (IMAP, POP3, and SMTP)............................................................. 11 Telnet ......................................................................................................... 11 Secure Shell (SSH) ......................................................................................... 11 Partner Access .............................................................................................. 12 Additional Services ......................................................................................... 12

II. Configuring the SSL Client ...................................................................... 13

Chapter 1. SSL Client Settings in App Net Manager ................................................... 14

Chapter 2. SSL Services ...................................................................................... 15 Configuring Custom SSL Services ....................................................................... 16 Adding a New Custom Service ........................................................................... 17 Modifying an SSL Service ................................................................................. 18 Deleting an SSL Service ................................................................................... 18

Chapter 3. Creating SSL Client Accounts for Users ................................................... 19 External Server Authentication (RADIUS and LDAP) ................................................. 19 Local Authentication ........................................................................................ 19 Adding a New SSL Client Account in App Net Manager ............................................. 20 Viewing or Modifying an SSL Client Account Configuration ......................................... 22 Deleting an SSL Client Account .......................................................................... 22

Chapter 4. SSL Client Groups ............................................................................... 23 Adding a New SSL Client Group ......................................................................... 23 Modifying an SSL Client Group ........................................................................... 25 Deleting an SSL Client Group ............................................................................ 25

Chapter 5. Configuring SSL Client Access to a LAN .................................................. 26

Chapter 6. SSL Services ...................................................................................... 31

Chapter 7. System Homepage and Bookmarks ......................................................... 33 Specify an SSL Client Homepage ........................................................................ 33 Create Bookmarks for Intranet Browsing ............................................................... 34

Chapter 8. SSL Authorized Groups ........................................................................ 35


Chapter 9. External Authentication (RADIUS or LDAP) ............................................... 37 RADIUS Authentication .................................................................................... 37 LDAP Authentication ....................................................................................... 38

Chapter 10. Configuring SSL Client Access to Partners.............................................. 41 Allow SSL Client Access................................................................................... 41

III. Configuring Corente Virtual Services Gateways for Use with the SSL Client ...... 43

SSL Admin ................................................................................................... 43

Chapter 1. SSL Certificate .................................................................................... 44 SSL Certificate .............................................................................................. 45 Obtaining an SSL Certificate Signed by a CA .......................................................... 46 Install an SSL Certificate on Your Location Gateway ................................................. 47 Create a Self-Signed Certificate .......................................................................... 47 SSL Chain Certificate ...................................................................................... 48 CA Client Certificate ........................................................................................ 49

Chapter 2. SSL Log ............................................................................................ 51

Chapter 3. SSL User Report ................................................................................. 52

IV. Using the SSL Client ............................................................................. 53

Chapter 1. Supply Users with Login Information ....................................................... 54

Chapter 2. Logging In ......................................................................................... 55 Homepage ................................................................................................... 55 Session Expiration .......................................................................................... 56

Chapter 3. Browse Web Pages .............................................................................. 57 Accessing Web Sites ....................................................................................... 57 System Bookmarks ......................................................................................... 57 Pages That Cannot Be Accessed ........................................................................ 58 Applets and Plug-Ins on Web Pages .................................................................... 59

Chapter 4. Browse File ........................................................................................ 60 Corente Network Access Permissions .................................................................. 60 Logging Into Servers ....................................................................................... 61 Browsing Servers ........................................................................................... 62 Downloading Files .......................................................................................... 63 Uploading Files .............................................................................................. 64 Creating New Folders ...................................................................................... 64 Deleting Files and Folders................................................................................. 64

Chapter 5. Browse File – Shortcuts ........................................................................ 66 Adding Shortcuts ............................................................................................ 66 Accessing Shortcuts ........................................................................................ 66 Deleting Shortcuts .......................................................................................... 67

Chapter 6. Services ............................................................................................ 68 Viewing the Services ....................................................................................... 68 Using the Services .......................................................................................... 68 Host Properties Dialog Box................................................................................ 69


Command Line Strings for Specific Programs ......................................................... 71 Accessing Email via the SSL Client ...................................................................... 71

Chapter 7. User Preferences................................................................................. 73 Changing a Password ...................................................................................... 73 Bookmarks ................................................................................................... 74 Creating New Personal Bookmarks ...................................................................... 74

V. Configuring Email Programs for use with the SSL Client ............................... 76

Chapter 1. Setting up Outlook 2003 for use with the SSL Client .................................... 77

Chapter 2. Setting up Outlook 2007 for Use With the SSL Client ................................... 83

Chapter 3. Setting up Outlook Express for use with the SSL Client ............................... 89

VI. Appendix: Template for Email to New Users ........................................................ 95 Email Template.............................................................................................. 95

Index ..................................................................................................... 96

Additional Support ................................................................................... 98

Oracle Legal Notices ................................................................................. 99


Preface

This manual provides a detailed, step-by-step explanation of the administration procedures that are

performed to provide remote users with secure web access to Corente Virtual Services Gateways (also

known as ―Locations‖) via SSL. The purpose of this manual is to provide all the necessary information to

partners or customers who want to configure and use the Corente SSL Client.

Conventions

All hyperlinks are shown in blue, underlined text. They can be used to navigate through the guide or the

procedures related to an overall activity, or to jump to a cross-referenced topic or Internet URL.

Systems supported

This guide supports Corente, version 9.1.

Technical Support

For technical support to assist you with any problems or to answer any questions pertaining to function,

installation, and management of the Corente Services, please go to http://www.oracle.com/support.

Related reading

Corente provides several additional manuals:

I. Corente Services Planning

II A. Corente Virtual Services Gateway Hardware Preparation and Deployment

II B. Corente Services Policy Definition and Provisioning

III. Corente Services Administration

IV. Corente Services Troubleshooting Guide

V. Corente Virtual Services Gateway – Virtual Edition

VI. Corente Services Client

VIII. Corente Services Mobile User

To obtain these manuals, please visit the Corente web site at http://www.corente.com/documentation.

http://www.oracle.com/support

http://www.corente.com/documentation


I. Introduction

The Corente SSL Client provides a secure method for remote users to access the corporate network

using a web browser and a connection to the Internet.

Corente offers two basic types of Corente network access for remote users: the SSL Client and the

software-based IPSec Corente Client. The SSL Client provides more limited access than the Corente

Client, but the SSL Client does not require specialized software to be installed on users’ computers.

While the Corente Client can handle all types of traffic between remote users and computers at a central

site, the SSL Client allows users to use only the services that have been specifically enabled or disabled

per Location and per user group by the network administrator. Services include the ability to retrieve and

send email via your company’s IMAP, POP3, and/or SMTP mail servers, browse secure intranet web

sites, download and upload files onto SMB servers, use VNC for remote desktop access, and use telnet

or SSH for text-based server access (see Chapter 2. Pre-Configured SSL Services, p. 10, for more

detailed descriptions of these services). In most cases, these flexible services provide sufficient access

for remote users.

Corente Client SSL Client

E-mail X X

File Share X X

Web (HTTP) X X

Desktop Access (VNC) X X

Telnet X X

SSH X X

Client-Server X X*

Databases X

Terminal X

*Only TCP-based applications that employ single connection protocols and do not use imbedded IP

addresses.

For more information on how these remote access solutions compare, please refer to the document

entitled Choosing a Corente Remote Access Solution. This document can be requested from Corente

Customer Care.


Chapter 1. Requirements

The SSL Client may require simple configuration to be performed on the Corente Virtual Services

Gateway, on the LAN of the Corente Virtual Services Gateway, and on the user’s computer that will be

used to access the network. The following are the requirements for operating the SSL Client.

On the Corente Virtual Services Gateway:

In App Net Manager, complete the configuration for SSL Clients on the User Remote Access

tab of the Location form. This form can be accessed for a Location by using the Edit function to

edit the personality file for that Location.

An SSL certificate must be installed via the SSL Certificate page in Gateway Viewer (see

Chapter 1. SSL Certificate, p. 44)

On the LAN of the Corente Virtual Services Gateway

In addition to the standard mandatory firewall rules, Corente requires the following rules be implemented

on any firewall that protects the Location gateway when SSL Clients are in use:

Inbound Rules

Permit TCP Source Port 1025 – 65535 from ANY IP address to TCP Destination Port 443* of

Corente Virtual Services Gateway IP address.

* 443 is the default SSL Port that remote computers will use to connect to the login for the SSL Client. If

a different port is going to be used for the SSL Port, then the inbound firewall rule must reflect the

appropriate port (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26, for more information

about the SSL Port).

On Each User’s Computer

The SSL Client is compatible with the following Java-enabled web browsers:

Internet Explorer 9 or later

Firefox 25.0 or later

Chrome 34.0 or later

Safari 7.0 or later

Important: SSL Client users must be using Sun Microsystem's® JVM. Furthermore, make sure

version 1.5.0_10 or later of the Sun Java Runtime Environment (JRE) is installed on the user’s

computer. Note that version 1.6.0 of the JRE may not be compatible with older versions of Linux.

If a user’s OS does not support 1.6.0 or does not appear to be compatible, the user must

manually download an earlier version (1.5.0_10 or 1.5.0_11).

If you are using Internet Explorer, the URL of the SSL Client must be added as a trusted site in

your web browser in order for you to access it. To add the URL:


1. In Internet Explorer, open the Tools menu and select Internet Options.

2. Select the Security tab.

3. Select Trusted Sites.

4. Select Sites to open the trusted websites interface.

5. Enter the URL of the SSL Client and select Add.

6. Select Close to close the interface, then select OK to save your changes to the Security

tab. The SSL Client will be added to the Trusted Websites list.

When using Internet Explorer, the highest browser security setting supported is Medium. The

security setting of the browser can be changed by accessing the Tools menu, selecting Internet

Options, and clicking on the Security tab.

If users connect to the Internet via a proxy server, this proxy server must be a web proxy or they

will not be able to connect to the SSL Client. The IP address and port number of this proxy must

be specified in the browser and not automatically detected.

If users connect using Internet Explorer, the entry for the Secure proxy server must be the same

as HTTP. To ensure that this is true:

1. On the Tools menu of Internet Explorer, access Internet Options.

2. Click the Connections tab.

3. Click the LAN Settings button.

4. If the Use a Proxy Server selection box is selected, then either:

Entries should appear in the Address and Port fields underneath this option.

If these fields are gray, click the Advanced button. On the Proxy Settings screen,

under the Servers section, HTTP and Secure must have the same entries for Proxy

address to use and Port.

Note: Users that access the Internet via a proxy server will not be able to connect to the SSL

Client when the Require Client Certificate option is selected for two-way authentication

(for more information, see Chapter 5. Configuring SSL Client Access to a LAN, p. 26).

To retrieve email from an SMTP, IMAP, and/or POP3 mail server on the remote network using

SSL, there are several requirements:

The Corente Virtual Services Gateway must be accessed using the Visible DNS Name of

the Location (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26, for more

information). If the DNS name will not be available via a public DNS server, you should add


this name to the DNS server at each remote user's location or add an entry to the hosts file

of each user's computer so that this name can be resolved.

JAVA must be enabled on the user's web browser.

The user must leave the browser window open to an active SSL Client session when

accessing email, so that the request is correctly routed via SSL.

The user's email program must be configured to access email via:

Protocol: either POP, IMAP, and/or SMTP

IP Address: localhost

Port Number: the port number that you will specify for the particular mail server on the

SSL Client Settings interface in App Net Manager (see Chapter 6. Services, p. 68, for

important exceptions)

Note: The protocol and port number information is provided to users on the Services interface of the

SSL Client.


Chapter 2. Pre-Configured SSL Services

If you would like, the SSL Client can provide users with the pre-configured services described in this

section.

For information on enabling these services, refer to Chapter 3. Creating SSL Client Accounts for Users

(p. 19) and Chapter 6. SSL Services (p. 31).

Information on using these services with the SSL Client interface is available in IV. Using the SSL (p. 53).

Desktop Access (VNC Applet)

SSL Client users can use Virtual Network Computing (VNC) to connect securely to remote computers.

VNC is a remote display system that allows you to view a remote computer's desktop environment on

your own computer, from anywhere on the Internet. To access a remote computer's desktop with VNC,

the VNC server software must be running on that remote computer.

By default, the SSL Client automatically downloads VNC viewer software onto users' systems the first

time that they use the VNC service. They will use this software each subsequent session for desktop

access. However, if they do not want to use this software, they can provide their own VNC viewer

software.

Due to performance issues, Corente requires VNC version 3.3.5 or later for PCs for both the viewer and server software.

For more information and to obtain copies of the free VNC software, refer to this website: http://www.realvnc.com/download.html.

File Browsing

Users can browse share resources and access files on servers with the Browse File interface (see

Chapter 4. Browse File, p. 60). Depending on the configuration of each server, users may have to

provide a username and password to login to each server before they are granted access. After login,

access permission is based on the privileges configured for that username on that server (i.e., the user's

ability to download, upload, and delete files).

Tip: If File Browsing is enabled, users can use the Browse File interface to view the DNS/WINS

names or IP addresses of the computers that can be accessed with any service provided by the

SSL Client.

Local Web Browsing (HTTP)

Users can browse private web pages located within your intranet (see Chapter 3. Browse Web Pages,

p. 57). By default, this option is enabled on each Location when the SSL Client is enabled.

A local DNS server must be in place on this Corente Virtual Services Gateway's LAN to provide name resolution for these intranet web pages. The server's IP address must be specified as the

http://www.realvnc.com/download.html


Primary DNS Server (this can be modified on the Network tab of the Location’s Location form, with the Network Interfaces section). The server itself should be configured to forward lookups to a public DNS server.

Email Protocols (IMAP, POP3, and SMTP)

Users can send or retrieve email from an Internet Message Access Protocol (IMAP), Post Office Protocol

3 (POP3), and/or Simple Mail Transfer Protocol (SMTP) mail server in a Location’s LAN via the SSL

Client (see Accessing Email via the SSL Client, p. 71).

Telnet

Users can connect to remote servers with telnet. Telnet is a program that allows you to log into another

computer over a network or the Internet and execute commands on the remote computer using a text-

based interface. The remote computer must be running a telnet server in order for an SSL Client user to

connect to it.

By default, the SSL Client automatically downloads telnet software onto users' systems the first time that

they use this service. You will use this software for each subsequent telnet session. If you do not want to

use this software, you can use the built-in telnet program for Windows (only available if you are using

Internet Explorer on a Windows computer) or download and install another type of telnet software on your

computer.

There are many popular terminal emulation programs for telnet that are available on the Internet. Corente

recommends TeraTerm, a free telnet client program, which is available at

http://hp.vector.co.jp/authors/VA002416/ttermp23.zip. After download, instruct users to unzip the file and

run the setup.exe file to install.

Secure Shell (SSH)

In addition to telnet, users can connect to servers on the LAN with Secure Shell (SSH). SSH is a program

that allows you to log into another computer over a network or the Internet and execute commands on

the remote computer using a text-based interface. It is similar to telnet, but provides encryption on both

ends to secure the connection between computers. The host computer must be running an SSH server in

order for an SSL Client user to connect to it. To connect to a remote computer with SSH, an SSH server

must be running on the remote computer.

By default, the SSL Client automatically downloads SSH software onto users' systems the first time that

they use the SSH service. They will use this software each subsequent session for desktop access.

However, if they do not want to use this software, they can provide their own SSH software.

Corente recommends TeraTerm, a free telnet client program, to connect to remote computers using

SSH. However, to use TeraTerm with SSH, users must also install a special SSH package on their

computers. TeraTerm is available at http://hp.vector.co.jp/authors/VA002416/ttermp23.zip. After

download, instruct users to unzip the file and run the setup.exe file to install.

http://hp.vector.co.jp/authors/VA002416/ttermp23.zip



An SSH package for TeraTerm is available at http://www.cs.cmu.edu/~roc/ttssh154.zip. After download,

unzip the file into the location of the TeraTerm program directory (c:\program files\ttermpro).

Partner Access

To access the SSL Client, users log into a single Corente Virtual Services Gateway. This Location

functions as the host Location and provides access to all servers on the LAN in a User Group.

When Partner Access is enabled, users can use any service that is enabled for them to connect to the

partners of the host Location. Users can connect to both Location and Corente Client partners of this

Corente Virtual Services Gateway.

The Location partners must explicitly allow SSL Client users of this Location to connect to them (see

Chapter 10. Configuring SSL Client Access to Partners, p. 40, for more information). SSL Client users will

have access to machines that are in the Default User Group of the partner.

Additional Services

You can define custom services for users with the SSL Services feature in App Net Manager. This tool is

described in Configuring Custom SSL Services (p. 16).



II. Configuring the SSL Client

After ordering the SSL Client service, you must configure this service on your Corente application

network by completing the activities outlined in this section. This section explains step by step how to

create SSL Client accounts and how to administer SSL Client permissions on each Corente Virtual

Services Gateway.


Chapter 1. SSL Client Settings in App Net Manager

In App Net Manager, you must begin by configuring domain-wide SSL Client settings that will be used for

controlling SSL Client access to each Corente Virtual Services Gateway in your domain.

These settings are accessed in the domain directory, by opening the Global Intranet Settings category,

then opening the User Remote Access subcategory, and then opening the SSL Administration

subcategory.

Figure 1: SSL Administration Category in the Domain Directory

When the SSL Administration branch in the domain directory is opened, the following features are

displayed:

SSL Services

SSL Clients

SSL Client Groups


Chapter 2. SSL Services

When you enable access by SSL Clients to a Corente Virtual Services Gateway, you can identify specific

programs and services that each SSL Client user has permission to use with machines on the Location’s

LAN. The permissions for these programs and services can be set per Location (for all users that access

this Location) as well as per user group (for all Locations that the user group accesses), to provide fine-

grained access control. (Permissions for SSL Services can only be defined per user group when Local

Authentication is used for the SSL Client. For more information, refer to Chapter 3. Creating SSL Client

Accounts for Users, p. 19).

By default, App Net Manager provides several pre-defined SSL services that can be enabled or disabled

when establishing SSL Client permissions. (For more information about each of these Default SSL

Services, refer to Chapter 2. Pre-Configured SSL Services, p. 10). These services are read-only and

cannot be deleted.

If you would like to define additional services, select the SSL Services tool from the SSL Administration

category of the domain directory. The SSL Services that are currently defined in your domain will be

displayed in the table on the right side of the App Net Manager interface.

Figure 2: SSL Services


Configuring Custom SSL Services

When SSL Client access is enabled on a Corente Virtual Services Gateway, the Location gateway will

act as an application layer gateway that intermediates access between SSL Client users on the public

Internet and resources on internal corporate servers. All requests to the Location gateway for access to

internal servers are secured using SSL.

These requests are secured using SSL in one of two ways: by the browser or by the Corente SSL

Applet. The browser encrypts all requests via the File Browsing or Local Web Browsing (HTTP)

services, while the Corente SSL Applet secures all other requests. The browser or applet forwards

packets on behalf of the end user to the SSL port on the Location gateway, while the Location gateway

does the actual connection to the server and pretends to be the end user.

The SSL Client works with user applications in the following manner:

1. Upon user authentication, the Corente SSL Applet opens an HTTPS/SSL connection across the

Internet to the Corente Virtual Services Gateway.

2. The application (for example, telnet) makes a TCP connection to the applet using the loopback

address of 127.0.0.1 (e.g., localhost).

3. The applet notifies the Location gateway to open a TCP connection to the server to which the

application wishes to connect.

4. The applet then takes the data portion of all packets from the application and sends the data to

the Location gateway via the previously established SSL connection.

5. The Location gateway passes the data inside a new packet to the server through the TCP

connection that was established on the application’s behalf.

If a user uses an application with the SSL Client, keep in mind that traffic to and from the application must

be routed through the Corente SSL Applet so that it is encrypted by SSL. This means that the application

(including any applets or plug-ins on web pages that users may access with the SSL Client) must be

configured to route traffic to localhost and the port number that the application uses to contact the server.

You must create a custom SSL service (described in the next section) that informs the Location gateway

of the appropriate IP address and port number of the server that must be contacted for this application.

When choosing applications to use with the SSL Client, ensure that they meet the following criteria:

The application must use TCP (not UDP).

The application must employ single connection protocols.

The application must not utilize protocols containing imbedded IP addresses (for example, FTP).

Such programs will not work with the SSL Client.

The application must be able to be configured to route to localhost.


Remember that the SSL Client does not secure all traffic between the user’s computer and the LAN of

the Corente Virtual Services Gateway. Rather, it acts as an application proxy that encrypts only certain

traffic in SSL to the Location gateway. All applications that connect to the Corente SSL Applet will have

their traffic sent over the Internet encrypted with SSL, regardless of the ―insecurities‖ of the protocol in

use.

Adding a New Custom Service

To create a new SSL Service to use with the SSL Client, make sure SSL Services is selected in the

domain directory and:

Select the New button in the tool bar.

From the File menu, select Add SSL Service.

Right-click SSL Services in the domain directory and select Add SSL Service.

You will be taken to a blank Add SSL Service window.

Figure 3: Add SSL Service

Complete the following steps:

1. Complete the following fields and options:

Name: Enter a name for your new SSL Service in this field. This is the name that will be used

to identify this service in App Net Manager, and for the users on the SSL Client interface. The

name may contain up to 30 characters.

Protocol: Select the name of the protocol that will be used by this service. If the protocol is not

listed on this pull-down menu, select Custom.

Default Port: Enter the default port number to be used by this service. This is the port number

that a Corente Virtual Services Gateway will use to contact the appropriate server(s) when a

user attempts to use this service over the secure SSL connection. This will be the default port,

but if necessary, it can be modified on the Location form for each Location that has enabled

SSL Client access.


Specify Server IP address or DNS Name: If this service is associated with a specific server,

select this checkbox. It will be associated with a single server on the LAN of each Location

gateway that has this service enabled. This means that when you enable this service on the

Location form for a Location, you must also specify the IP address or DNS name of the server

providing this service. Users will only be able to use the service with that server.

When this option is not selected, this service is not associated with a single server. Users can

use this service to connect to any computer that you have permitted them to contact. When

using this service, users will be required to supply the DNS name, WINS name, or IP address

of the computer to which they would like to connect.

2. After you have completed these fields, click OK to add the new SSL Service to your SSL Services

list. Use the Save button to save your changes.

3. Once you have saved your new SSL Service, you can enable the new service for an SSL Client

Group (see Chapter 4. SSL Client Groups, p. 23) and/or on a Location (see Chapter 6. SSL

Services, p. 31). Until it is specifically enabled for the appropriate Location(s), the new service is

not active.

You may return to this screen at any time to define new custom services.

Modifying an SSL Service

To modify an existing SSL Service, select the service and use the Edit feature.

After you have made your changes to the SSL Service, click OK to store your additions or Cancel to

close the window without storing any of your changes. Once Saved, your changes will be downloaded

automatically by the Location gateways where the service is in use and will go into effect immediately.

You cannot modify a default SSL Service.

Deleting an SSL Service

To delete an SSL Service, select the service and use the Delete feature.

If you delete an SSL Service that is currently enabled on any of your Locations, the Locations will no

longer support this service. Once Saved, your changes will be downloaded automatically by the Location

gateways and will go into effect immediately. You cannot delete a default SSL Service.


Chapter 3. Creating SSL Client Accounts for Users

Each user must have a user account to log into the SSL Client. Depending on how you would like to

authenticate users, user account creation will vary.

Corente recommends the use of a RADIUS or LDAP server for authentication, but can also provide its

own local authentication for users via a username and password combination. When local authentication

is used, the SSL Client provides several additional permission controls:

Access on the Location gateway’s LAN can be limited to a specific group of machines (i.e., a

―User Group‖) for each group of users.

SSL services and features can be limited for each group of users.

A user can change his/her own password.

External Server Authentication (RADIUS and LDAP)

When you use a RADIUS or LDAP server to authenticate remote users to a Location, you must configure

user names and passwords for users on the RADIUS or LDAP server itself. Refer to the documentation

for RADIUS or LDAP to determine how to create the accounts on your server.

After creating the accounts, you will capture information in the Location form regarding your server and

the RADIUS/LDAP implementation on your network. This allows the Location gateway to query the

server correctly when a user attempts to log into the SSL Client. For information about these screens,

refer to Chapter 9. External Authentication (RADIUS or LDAP) (p. 37).

When external authentication is used, configuration of user accounts in App Net Manager is not required.

Move to the next section, Chapter 5. Configuring SSL Client Access to a LAN (p. 26).

Local Authentication

If you are not going to use an external server for user authentication, you must use App Net Manager to

create an account for each SSL Client user. This is accomplished with the SSL Clients feature,

selectable in the domain directory of App Net Manager. User account information will be stored in the

Corente Virtual Services Gateway database.

To create and manage SSL Client accounts, open the SSL Clients category in the domain directory.


Figure 4: SSL Clients

You can create, modify, and delete SSL Client accounts with this feature.

Adding a New SSL Client Account in App Net Manager

To add a new SSL Client account to your domain, make sure SSL Clients is selected in the domain

directory and:


From the File menu, select Add SSL Client.

Right-click SSL Clients in the domain directory and select Add SSL Client.

You will be taken to a blank Add SSL Client window.


Figure 5: Add SSL Client

2. On this screen, complete the following fields and selections:

SSL Client Name: Enter the alphanumeric identifier for the SSL Client account that you are

creating. You may use up to 15 alphanumeric characters. Do not use tabs, spaces, or

punctuation marks when creating this name. (If you have created a Corente Client account

for this user, the User Names for both accounts can be the same. For more information

about Corente Clients, refer to the VI. Corente Services Client manual.)

Password: Create an alphanumeric password for this SSL Client account. (The minimum

and maximum number of characters for this password is set with the Domain Preferences

tool in App Net Manager.)

For security purposes, Corente requires that this password contain one each of the following:

An upper-case character

A lower-case character

A numeric character

Confirm Password: Re-enter the password you created in the Password field to avoid any

mistakes.

3. SSL Client accounts are combined into groups to make administration easier. All SSL Client

Groups that have been configured for this domain will be displayed in the SSL Client Group

Membership of SSL Client list. Select the checkbox beside each group that you would like this

SSL Client to join. You may add an SSL Client to as many groups as you would like.

To create a new group, use the Chapter 4. SSL Client Groups feature (p. 23).


4. When you have completed this form, click OK to store your changes or Cancel to close the

window and discard your changes. You must also Save your changes in App Net Manager in order

for them to take effect.

The new SSL Client name will now appear in your SSL Client list. You should repeat this process

to add other SSL Client accounts to your domain.

5. After you have added SSL Client accounts, you must remember to supply the users with their user

names and passwords. Additionally, if you have not associated SSL Client Groups with any

Location, you should partner them via the User Remote Access tab in the appropriate Location ’s

Location form.

Viewing or Modifying an SSL Client Account Configuration

If you would like to modify the configuration of an existing SSL Client, you can use the Edit feature.

After you have made your changes to the SSL Client, click OK to store your additions or Cancel to close

the window and discard your changes. Once Saved, your changes will go into effect immediately.

Deleting an SSL Client Account

If you would like to delete an SSL Client from your domain, you can use the Delete feature.

This command will remove the SSL Client from App Net Manager, remove it from any SSL Client Groups

it was associated with, and destroy any current connections between it and a Location. The user will no

longer be able to access your Location(s) unless you add a new SSL Client account for the user.

Once Saved, your changes will go into effect immediately.


Chapter 4. SSL Client Groups

SSL Clients are combined into groups to make partner and permissions administration easier. The SSL

Client Groups feature allows you to assign partners and SSL Service permissions to an entire group of

SSL Clients at once.

Figure 6: SSL Client Groups

Adding a New SSL Client Group

To create a new SSL Client Group, make sure SSL Client Groups is selected in the domain directory

and:


From the File menu, select Add SSL Client Group.

Right-click SSL Client Groups in the domain directory and select Add SSL Client Group.

You will be taken to a blank Add SSL Client Group window.


Figure 7: Add SSL Client Group

Fill out this window as follows:

Name: Enter a new group name.

SSL Services Permitted for Group Members: You can limit the services that are available to

members of this SSL Client Group. Choose from the following options:

▪ Specified SSL Services Permitted: Select this option to choose the services that this

group will be allowed to use. In the list below this option, you must select the checkboxes

of the permitted SSL Services for this group. For more information about the default SSL

Services that appear in the list, refer to Chapter 2. Pre-Configured SSL Services (p. 10)

▪ All SSL Services Permitted: Select this option to allow members of this group to use

any SSL Service that has been enabled for use on a Location to which the group is

partnered.

▪ No Services Permitted: Select this option to prevent members of this group from using

any SSL Service.

MyCompany : Add SSL Client Group


When you have completed this form, click OK to store your changes or Cancel to close the window and

discard your changes. Once Saved, your new SSL Client Group will appear in the list of SSL Client

Groups.

To add members to a group, select that group while configuring an SSL Client with the SSL Clients

feature (Chapter 3. Creating SSL Client Accounts for Users, p. 19).

Note: The ability for an SSL Client user to use an SSL Service through a Location gateway depends

on both (a) the SSL Service being permitted in the SSL Client’s group and (b) the SSL Service being

permitted by the Location. When you enable SSL Services for a Location (Chapter 6. SSL Services,

p. 31), make sure the permissions for that Location and for the SSL Client Group partnered with the

Location allow the correct SSL Services to be used.

Modifying an SSL Client Group

If you would like to modify the configuration of an existing SSL Client Group, you can use the Edit

feature.

If the SSL Client Group contains any members, these SSL Clients will be listed in the Group Members

of SSL Client Group list.

After you have made your changes to the SSL Client Group, click OK to store your additions or Cancel to

close the window and discard your changes. Once Saved, your changes will go into effect immediately.

Deleting an SSL Client Group

To delete an SSL Client Group, you can use the Delete feature.

Once Saved, the SSL Client Group will be removed from your domain.


Chapter 5. Configuring SSL Client Access to a LAN

After creating accounts for SSL Client users, you must enable SSL Client access on at least one of your

Corente Virtual Services Gateways and configure the access permissions that users will be given on the

Location gateway’s LAN.

To enable and configure SSL Client access to a Location, complete the following steps:

1. Access the Location form for the Location in App Net Manager:

Right-click on the Location icon in the map or domain directory and select Edit.

Double-click the Location name in the domain directory

Select the Location name in the domain directory and then select the Edit option from the

tool bar or the Edit menu.

When the Location form is displayed, select the User Remote Access tab.


Figure 8: User Remote Access tab

2. Select the option labeled Allow SSL Client Access to the Network. Until this checkbox is

selected, SSL Client access through the Location gateway to local LAN is disabled, even if you

have ordered the service and it has been provisioned (turned on) by Corente.

3. Select the Require Client Certificate option if you are supplying digital certificates on SSL clients

and you have installed a CA Certificate for this Location gateway on the SSL Certificate page of

Gateway Viewer (for more information, see Chapter 1. SSL Certificate, p. 44). This feature

provides two-factor authentication.

Note: Users that access the Internet via a proxy server will not be able to connect to the

SSL Client when this option is selected.

4. Fill out the settings as follows to control the behavior of SSL Client sessions:


Inactive Session Timeout (min): Enter the amount of time in minutes that an SSL Client

session will remain connected to the Location if the SSL Client is left idle by the user. The

default timeout is 15 minutes.

WARNING: The session timeout period may conflict with users’ email programs when

they have been set to check automatically for new messages from the mail

server. Remind users to configure their email programs so that the length of

time between message checks is more frequent than the session timeout

period. This will prevent the users from having to re-login to the SSL Client

each time their email program attempts to look for new messages.

Failed Login Attempts: Enter the number of login attempts that a user will be allowed

before the user is locked out of the SSL Client for the amount of time that you specify in the

Lockout Time field (see below). The user will be unable to login successfully (even with a

correct username and password) until the Lockout Time period has completed. The default

number of attempts is 5.

Lockout Time (minutes): Enter the number of minutes that a user will be locked out of the

SSL Client after exceeding the total number of Failed Login Attempts that you have

specified (see above). After this time period has completed, the user will have the number of

Login Attempts that you have specified above until the user is locked out again for the

period that you specify in this field. The default lockout time is 1 minute.

SSL Port: Enter the port number on the Corente Virtual Services Gateway that remote

computers will use to access the SSL Client login. The default port is 443, but should be

changed if this port number is already being used. If you change the port number, SSL

Client users must connect directly to that port number. (For example, if the Visible DNS

Name of Location is chicago.acme.com and the SSL Port is 999, to access the SSL Client

interface for this Location, users would type https://chicago.acme.com:999).

Important: This port number must be opened in any firewalls shielding this Corente Virtual

Services Gateway.

5. In the Visible DNS Name of Location field, enter the DNS name that SSL Client users will use to

access this Corente Virtual Services Gateway from the WAN. This name should be formed using

three levels, i.e. chicago.acme.com (where acme.com is the domain name that has been

registered by your company). Users will enter https:// and this name in the location bar of their web

browser to access the SSL Client interface (https://chicago.acme.com).

Note: If this DNS name will not be available via a public DNS server, you should add this

name to the DNS server at each remote user's location or add an entry to the hosts

file of each user's computer so that this name can be resolved.

6. Click the Configure button adjacent to SSL Services. The SSL Services screen will be displayed.

Complete this screen to identify the services that will be available on the LAN for SSL Client users.

This screen is described in Chapter 6. SSL Services (p. 31)


7. Click the Configure button adjacent to System Homepage and Bookmarks. The Homepage

Bookmarks screen will be displayed. This screen allows you to enter URLs and bookmark names

that all users will be able to access from the SSL Client interface for this Location. This screen is

described in Chapter 7. System Homepage and Bookmarks (p. 33).

8. Click the Configure button adjacent to SSL Authorized Groups. The SSL Authorized Groups

screen will be displayed. Complete this screen to identify the SSL Client Groups that will be

allowed to connect to this Location. You only need to fill out this screen if you are using Local

Authentication (see Step 9). This screen is described in Chapter 8. SSL Authorized Groups (p.

35).

9. The Authentication Type section allows you to specify how SSL Client users will be authenticated

to the Location. If you are using an External Authentication method, you must capture configuration

information about the RADIUS or LDAP server (see Step 10).

Local Authentication (Password): Select this option to authenticate users to the Corente

Virtual Services Gateway via the standard login interface (user name and password). When

this option is selected, you must use the SSL Client feature to set up SSL Client accounts

for each user (see Chapter 3. Creating SSL Client Accounts for Users, p. 19). Then, you

must select the SSL Client Groups that will be allowed to access this Corente Virtual

Services Gateway and specify the User Group that they will be permitted to access in the

Authorized SSL Client Groups section (see Step 8).

External Authentication (RADIUS): Select this option if you would like to use a RADIUS

server on your LAN to authenticate SSL Client users to the Corente Virtual Services

Gateway. This option will be selectable when you have enabled a RADIUS server in the SSL

Client Authentication section of this screen and configured its settings. If you use a

RADIUS server for authentication, you must configure SSL Client accounts for users on the

RADIUS server.

External Authentication (LDAP): Select this option if you would like to use an LDAP server

on your LAN to authenticate SSL Client users to the Corente Virtual Services Gateway. This

option will be selectable when you have enabled an LDAP server in the SSL Client

Authentication section and configured its settings. If you use an LDAP server for

authentication, you must configure SSL Client accounts for users on the LDAP server.

10. The External Authentication Servers section allows you to specify the methods of authentication

that are available on your LAN for use by remote access clients. (The settings that you capture for

RADIUS and LDAP servers will apply for both Corente Clients and SSL Client users.)

Enable RADIUS Server: Select this option to enable RADIUS server authentication for SSL

Client users. When this option is selected, you must click the Configure button to configure

the RADIUS server authentication settings. The RADIUS Server Authentication screen is

described in RADIUS Authentication (p. 37).

In order to use this server to authenticate SSL Client users, you must select External

Authentication (RADIUS) in the Authentication Method section of this screen.


Enable LDAP Server: Select this option to enable LDAP server authentication for SSL

Client users. When this option is selected, you must click the Configure button to configure

the RADIUS server authentication settings. The LDAP Server Authentication screen is

described in LDAP Authentication (p. 38).

In order to use this server to authenticate SSL Client users, you must select External

Authentication (LDAP) in the Authentication Method section of this screen.

11. After configuration on this screen is complete, click OK to close the Location form. Select the Save

feature from the File menu or the toolbar to save your changes.


Chapter 6. SSL Services

This screen allows you to select the services that the Location will allow all of its SSL Clients to use on

the Location’s LAN.

Note: When Local Authentication is being used, you can enable or disable SSL Services for

groups of SSL Client users with the SSL Client Groups feature (see Chapter 4. SSL Client Groups,

p. 23). This means that different SSL Client Groups that are authorized to communicate with this

Location can have different permissions on the Location's LAN. Of course, for a group to use a

permitted service on this LAN, the service must also be enabled on this screen.

Figure 9: SSL Services screen

This screen lists all the SSL Services that you have already enabled for SSL Client users that

communicate with this Location. You can Edit any of these services to modify how SSL Clients can use it

or you can Delete a service to prohibit SSL Clients from using it.

To enable a new service, click the Add button. The Edit SSL Service screen will be displayed.


Figure 10: Edit SSL Service

Fill out this screen as follows:

SSL Service: Select the SSL Service that you would like to enable from this pull-down menu.

This screen lists all the SSL Services (both default and custom defined) that have been defined

for your domain. You can define custom services with the SSL Services feature (see Chapter 2.

SSL Services, p. 15).

Protocol: If applicable, select the protocol that this service will use from the pull-down menu.

Port: If applicable, enter a port number that this Location gateway will use to contact the server

providing the service. The standard default ports for each service will be displayed in this field

when a service is selected.

Specify Server IP Address or DNS Name: If applicable, use this section to associate a specific

server with this service. SSL Clients of this Location can use the service to connect to this

specified server only. Select either Server IP Address (and specify the IP address of the

server) or Server DNS Name (and specify the DNS name of the server)

Note: The IP address of the server must be included in the Default User Group of the

Location.

Click OK to save your changes to this addition. Click OK again to close the SSL Services window.

For more information on the services available to enable or disable on this screen, refer to Chapter 2.

Pre-Configured SSL Services (p. 10) and Configuring Custom SSL Services (p. 16).


Chapter 7. System Homepage and Bookmarks

The System Homepage and Bookmarks screen allows you to choose a homepage that will display

when users log into the SSL Client for this Location. You can also use this screen to create bookmarks

for intranet web browsing that will appear as System Bookmarks in the Bookmarks list on the user

interface. Users will also be able to create their own bookmarks on their personal SSL Client interface.

Figure 11: System homepage and Bookmarks

You can edit or delete any bookmark in this list. You will not be able to delete the System Homepage

entry.

Specify an SSL Client Homepage

To specify a homepage that will appear when users log into the SSL Client for this Location, select the

System Homepage entry and click the Edit button.

Figure 12: System Homepage

Choose http or https and enter the URL of the intranet web page that will display when users first log

into the SSL Client. Click OK.


Create Bookmarks for Intranet Browsing

To create a bookmark that will be available for SSL Client users of this Location, click the Add button.

Figure 13: Add Bookmark

Complete the fields as follows:

Bookmark Name: Enter the name that will be displayed to users as the name of the bookmark.

URL: Choose http or https and enter the URL of the bookmark.

Click OK.


Chapter 8. SSL Authorized Groups

This screen allows you to authorize certain SSL Client Groups to connect to this Location (when Local

Authentication is being used). SSL Client Groups are groups of SSL Client accounts and are created

with the SSL Client Groups feature (see Chapter 4. SSL Client Groups, p. 23).

Figure 14: SSL Authorized Groups

This screen displays the SSL Client Groups in your domain that have been authorized to access this

Location, the local User Group to which the SSL Group can connect, a summary of the permissions that

this group has been assigned, and the number of SSL Services that members of this group can use. You

can Edit or Delete any of the existing entries on this screen.

To authorize an SSL Client Group to communicate with this Location, click the Add button. The Add SSL

Authorized Group screen will be displayed.


Figure 15: Add SSL Authorized Group

Fill out the fields as follows:

Name: Select the SSL Client Group that you are allowing to access this Location. (Note that an

SSL Client Group can be associated with multiple Locations.)

User Group: Select the local User Group of this Location that the selected SSL Client Group will

be allowed to communicate with. User Groups are groups of IP addresses on the Location’s LAN

and are created on the User Groups tab of the Location form.

This screen also displays the permissions that the selected SSL Client Group has been assigned. You

cannot change these permissions on this screen, but you can modify them for the group with the SSL

Client Groups feature.

When you have finished, click the OK button to store your changes or the Cancel button to discard your

changes.


Chapter 9. External Authentication (RADIUS or LDAP)

If you are going to use an external server (either RADIUS or LDAP) for authentication of SSL Client

users, you must enter information about this server into a screen in the Location form. Complete this

configuration after you have created user accounts on the server.

On the User Remote Access page, click the Configure button for either RADIUS or LDAP in the

External Authentication Servers section to display the appropriate External Authentication screen.

Note: You can capture only one set of information per Location for a RADIUS server and one set of

information for an LDAP server.

RADIUS Authentication

When you click the Configure button to configure a RADIUS Server, the Edit RADIUS Server screen

will appear. Use this screen to capture the settings that the Corente Virtual Services Gateway will use to

contact the RADIUS server on your LAN for authentication of SSL Client users.

Figure 16: RADIUS Server Authentication Settings

RADIUS is an authentication protocol commonly used to provide secure authentication for users. It is

often used to provide centralized authentication, authorization, and accounting.


To configure your Corente Virtual Services Gateway to contact the RADIUS server, complete the

following options and fields:

Enable RADIUS Server: Select this option to enable the RADIUS server.

IP Address: Enter the IP address of the RADIUS server on your LAN. This address must be

included in the Default User Group of this Corente Virtual Services Gateway.

Port: Enter the port number on the RADIUS server that the Corente Virtual Services Gateway

will contact to authenticate remote users. The default port number used will be 1831, but this

number can be changed if the port is already in use.

Secret: Enter the secret that the Corente Virtual Services Gateway will use to authenticate itself

with the RADIUS server.

Confirm Secret: Re-enter the secret you entered in the Secret field to avoid any mistakes.

Timeout: Select the timeout interval for how long the Corente Virtual Services Gateway will wait

for the RADIUS server to respond to its request to authenticate a remote user. You may select

any interval between 1 and 30 seconds. The default interval is 4 seconds.

Retries: Select how many retries the Corente Virtual Services Gateway will attempt in order to

contact the RADIUS server for an authentication. For each attempt, the Corente Virtual Services

Gateway will wait for the interval you have selected with the Timeout option. You may select

between 1 and 10 retries. The default number of retries is 2.

Login Prompt: Enter the login prompt for users.

Password Prompt: Enter the password prompt for users.

Click OK once you have provided the appropriate information.

LDAP Authentication

When you click the Configure button to configure LDAP Server settings, the Edit LDAP Server screen

will be displayed. Use this interface to specify the settings that the Corente Virtual Services Gateway will

use to authenticate remote access users with the Lightweight Directory Access Protocol (LDAP) server

on your LAN.


Figure 17: LDAP Access

LDAP is an open-standard protocol for accessing X.500 directory services. A directory is a specialized

database optimized for reading, browsing and searching. LDAP is used to authenticate users based on

entries in the directory. Corente uses the standard implementation of Open LDAP.

To configure your Corente Virtual Services Gateway to contact the LDAP server, complete the following

fields:

Enable LDAP Server: Select this option to enable the LDAP server.

LDAP Server IP Address or DNS Name: Select the appropriate option and enter either the IP

address or DNS name of the LDAP server on your LAN. This address must be included in the

Default User Group of this Corente Virtual Services Gateway.

LDAP Server Port: Enter the port number on the LDAP server that the Corente Virtual Services

Gateway will contact to authenticate remote users. The default port number used will be 389, but

this number can be changed if the port is already in use.

Backup LDAP Server IP Address or DNS Name: (optional) Select the appropriate option and

enter either the IP address or DNS name of the backup LDAP server on your LAN. This address

must be included in the Default User Group of this Corente Virtual Services Gateway.

Backup LDAP Server Port: (optional) Enter the port number on the backup LDAP server that

the Corente Virtual Services Gateway will contact to authenticate remote users.

User Name: Enter the username that this Corente Virtual Services Gateway will use to log into

the LDAP server in order to authenticate remote users.


Password: Enter the password that this Corente Virtual Services Gateway will use to log into the

LDAP server in order to authenticate remote users.

Timeout: Select the timeout interval for how long the Corente Virtual Services Gateway will wait

for the LDAP server to respond to its request to authenticate a remote user. You may select any

interval between 1 and 30 seconds. The default interval is 4 seconds.

Base: Enter the user name at which to start the directory search. This setting provides controls

on how a query to the LDAP server is performed.

Scope: Select the integer that will indicate the scope of the directory search. Options available in

the pull-down menu are LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, and

LDAP_SCOPE_SUBTREE. This setting provides controls on how a query to the LDAP server is

performed.

Filter: Enter a filter string for the search. This setting provides controls on how a query to the

LDAP server is performed.

Attributes: Enter the sub-fields that you would like retrieved from the database. Each entry in

this field should be space-separated. This setting provides controls on how a query to the LDAP

server is performed.

Click OK once you have provided the appropriate information.

For more information about any of the fields or options on this screen, refer to the LDAP documentation.


Chapter 10. Configuring SSL Client Access to Partners

By default, SSL Client users are able to access computers on the LAN of the Corente Virtual Services

Gateway that they log into. If you have enabled Partner Access on the SSL Services page for the

Location (see Partner Access, p. 12, and Chapter 6. SSL Services, p. 31), you can allow the SSL Client

users of that Location to connect to the Location’s partners.

SSL Client users will automatically be able to connect to the Corente Client partners of the Location.

However, each of the Location’s Location partners must explicitly allow the Location’s SSL Client users to

access computers within the Default User Group.

Allow SSL Client Access

To allow SSL Client access to partners, perform the following steps.

1. Enable Partner Access on the SSL Services window (via the User Remote Access tab) of the

Location providing the SSL Client interface. This Location is known as the SSL host Location.

2. Click OK to save changes on the Location form for the SSL host Location.

3. Now, choose the SSL host Location’s partner that you would like users to be allowed to access.

Open this Location’s Location form.

4. Access the Partners tab in the Location form, and Edit the partner entry for the SSL Host

Location.

Figure 18: Partners Tab


6. The Add Partner window is displayed. In the Connection Settings section, select Allow Partner

SSL Clients access to LAN.

Figure 19: Add Partner

7. Click the OK button to save your changes to the Location form, and save your changes with the

Save button in the App Net Manager tool bar.

SSL Client users of the SSL host Location will now be able to access computers within the Default User

Group of the Location partner. The NAT settings that were enabled for the SSL host Location on the

partner’s Partner tab will also apply to the SSL Client users.

For security reasons, you cannot use this option to allow SSL Client users of an Extranet Location to

connect to this Location.


III. Configuring Corente Virtual Services Gateways for Use with the SSL Client

Once you have enabled the Allow SSL Client access to the Network option on a Corente Virtual

Services Gateway and configured the other appropriate settings on the Location form, the Gateway

Viewer application must be accessed for that Location in order to install a signed digital certificate. This

certificate will encrypt each user’s session with SSL.

Even if you decide not to provide two-way authentication with client-side certificates and a Location

gateway-side CA certificate, you must install an SSL certificate on the Location gateway. The Gateway

Viewer also includes two interfaces that allow you to view current and historical SSL Client user activity.

SSL Admin

When you access Gateway Viewer, all of the options for SSL are located in the SSL Admin menu.

SSL Admin: This button contains three options. All of these options are password-protected.

SSL Certificate allows you to upload or define a new certificate that will be used to encrypt users' sessions with SSL.

SSL Log allows you to view the history of logins and logouts to this Corente Virtual Services Gateway via the SSL Client.

SSL User Report lists all active SSL Client sessions to this Corente Virtual Services Gateway.


Chapter 1. SSL Certificate

Note: This page will be unavailable until SSL Client access has been enabled to this Corente

Virtual Services Gateway in App Net Manager.

The Corente Gateway SSL Certificate Administration page is used to define and/or upload the

necessary SSL certificates that will be used to encrypt each user’s session with SSL.

Figure 20: SSL Certificate Administration

This screen can be used to access information for three different types of certificates.

SSL Certificate: This certificate is required for the SSL Client. It is the certificate that is used to

encrypt each user’s session with SSL. On this interface, you can generate a Certificate Signing

Request (CSR) to obtain a signed certificate from a trusted Certificate Authority (CA), install a

signed certificate, or create a self-signed certificate.

SSL Certificate Chain: If you have obtained your SSL Certificate from a CA, an intermediate

certificate may need to be installed on the Location gateway when you install the SSL Certificate.

Your CA will inform you if this extra certificate is needed.

CA Client Certificate: If you would like to provide users with two-way authentication for SSL,

you can install a CA certificate on your Location gateway and personal certificates on each user’s

computer.

The installation status of each certificate on your Location gateway will be indicated in the table. To

upload, delete, or change any of these listed certificates, click the Modify button for the appropriate

certificate.

When you click the hyperlink labeled Status at the top of the page, the Corente Gateway SSL

Certificate Administration: Manage Certificate Status screen will be displayed. This screen displays

the last recorded status of the SSL certificates that are installed on your Location gateway. You can use

this screen to determine if a new SSL certificate has been installed correctly on the Location gateway.


Figure 21: SSL Certificate Status

SSL Certificate

The SSL Certificate page is used to define the certificate and private key that will be used to encrypt

each SSL Client session with SSL. The certificate authenticates the Corente Virtual Services Gateway

with each connecting SSL Client. You can create a CSR to send to a trusted CA, upload the digitally-

signed SSL certificate that you have obtained from a CA, or create a new, self-signed certificate. Until a

certificate is installed, the SSL Client will be inaccessible at this Location.

Figure 22: SSL Certificate Administration

It is strongly recommended that you generate a CSR and import the SSL certificate that you obtain

from a trusted CA (such as VeriSign). When obtaining your SSL certificates, it may be useful to note that

the Corente Virtual Services Gateway runs an Apache server with mod_ssl and open_ssl on Linux.

If an SSL certificate is already in use, the information for that certificate will be displayed in the Installed

SSL Certificate Information section on this interface.


All certificate and private key files used by the Corente Virtual Services Gateway are BASE64 encoded

X.509 format. This format is also called Privacy Enhanced Mail (PEM) format.

If the Corente Virtual Services Gateway Visible DNS Name is changed in App Net Manager, you must

import or create a new certificate for this Location gateway.

Obtaining an SSL Certificate Signed by a CA

To obtain a signed SSL certificate from a trusted CA (such as VeriSign), you will need to generate a

Certificate Signing Request (CSR). Complete the following steps:

1. To generate a CSR for the Location, click the Generate a Certificate Signing Request (CSR)

button. On the Generate Certificate Signing Request (CSR) page that is displayed, fill out any of

the following optional fields:

Valid for: Enter the number of days that this certificate will be valid. When the certificate

expires, you must create or import a new certificate. Users sessions can still be encrypted

with SSL after certificate expiration, but they will be notified that the certificate has expired

and may not be trustworthy.

Country Name: Enter the two-letter abbreviation for the country in which this certificate is

originating.

State or Province Name: Enter the name of the state or province in which this certificate is

originating.

Locality Name: Enter the name of the city or town in which this certificate is originating.

Organization Name: Enter the name of your company or organization.

Organizational Unit Name: Enter the name of the department of your company or

organization that is providing this certificate.

E-mail Address: Enter the e-mail address for users to contact about this certificate.

Pass Phrase: Enter a pass phrase that will be used to encrypt the private key for this

certificate.

Pass Phrase (again): Re-enter the pass phrase to avoid mistakes.

2. Click the Generate button. A ZIP file will be downloaded to your browser. This ZIP file contains two

files: a Certificate Signing Request (CSR) and the corresponding Private Key (KEY).

3. Unzip this file and send the CSR to a trusted CA such as VeriSign to be digitally signed.

4. When you receive the signed certificate, use the Import SSL Certificate option to upload the

certificate and private key.


If your CA requires that you install an Intermediate Certificate on this Location gateway as well,

use the SSL Chain Certificate page (see SSL Chain Certificate, p. 48).

Install an SSL Certificate on Your Location Gateway

Once you have obtained a signed SSL certificate from a trusted CA (such as VeriSign), install this

certificate on your Location gateway. Complete the following steps:

1. To import an SSL certificate and/or SSL private key file that were signed by a trusted CA (such as

VeriSign), click the Import SSL Certificate button. On the Import SSL Certificate page that is

displayed, enter the following information:

Pathname to SSL certificate file: Enter the complete path and file name of the SSL

certificate that is stored on your system or use the Browse button to locate this certificate.

Pathname to SSL private key file: If a private key is not included in your SSL certificate

file, specify the key file in this field. Enter the complete path and file name of the SSL private

key that is stored on your system or use the Browse button to locate this file.

Pass phrase: If the private key that you are importing is encoded with a pass phrase, enter

this phrase in the field provided.

2. Click Install to save this certificate to the Location gateway. The Location gateway will restart, and

will now encrypt each SSL Client user's session with this certificate and the private key.

Create a Self-Signed Certificate

If you do not want to obtain a signed SSL certificate from a trusted CA, you can create a self-signed

certificate on this interface and use it for SSL encryption. Complete the following steps:

1. To create a new, self-signed SSL certificate, click the Create a self-signed SSL Certificate

button. On the Create a Self-Signed SSL Certificate page that is displayed, you can fill out the

following optional fields:

Valid for: Enter the number of days that this certificate will be valid. When the certificate

expires, you must create or import a new certificate. Users sessions can still be encrypted

with SSL after certificate expiration, but they will be notified that the certificate has expired

and may not be trustworthy.

Country Name: Enter the two-letter abbreviation for the country in which this certificate is

originating.

State or Province Name: Enter the name of the state or province in which this certificate is

originating.

Locality Name: Enter the name of the city or town in which this certificate is originating.


Organization Name: Enter the name of your company or organization.

Organizational Unit Name: Enter the name of the department of your company or

organization that is providing this certificate.

E-mail Address: Enter the e-mail address for users to contact about this certificate.

All of these fields are optional. The information that you enter here will be presented to SSL Client

users when they are asked to accept the certificate to encrypt their session with SSL.

2. When you have entered information in the fields of your choice, click Install to save this certificate

to the Location gateway. The Location gateway will restart, and will now encrypt each user's SSL

Client session with this certificate and a private key. No validation of this information is performed.

Note: If you create a certificate and an SSL Client user immediately attempts to connect to the

Location, the certificate may appear to be expired. This occurs because the time on the

user's computer may be slightly earlier than the time on the Corente Virtual Services

Gateway where the certificate was created and installed. The certificate will appear valid

once the time on the user's computer has passed the time of the certificate's creation.‖

SSL Chain Certificate

If your CA requires that you install an SSL Chain Certificate (Intermediate Certificate) in addition to the

SSL certificate that the CA has digitally signed, the SSL Certificate Chain page allows you to install this

certificate on your Corente Virtual Services Gateway.

Figure 23: SSL Chain Certificate Administration

Your CA may distribute an SSL Chain Certificate to you along with the signed SSL Certificate. Installing

both of these certificates creates a hierarchical SSL certificate chain for validation.

The purpose of this chain is to provide a replacement for the CA’s root certificate. Certain CAs do not

want to distribute their root certificate to you. SSL validation through the chain is accomplished first by

validating the SSL Certificate through the SSL Chain Certificate, and then through the corresponding root

certificate that is owned by the CA (and not installed on your Location gateway).


Remember that your CA will inform you if an SSL Chain Certificate is needed. To install the certificate,

complete the following steps:

1. Click the IMPORT SSL Chain Certificate button to install the SSL Chain Certificate. On the

Import SSL Chain Certificate page that is displayed, enter the complete path and file name of the

SSL Chain certificate that is stored on your system or use the Browse button to locate this

certificate.

2. Click the Install button. The SSL Services provided by this Location gateway will be momentarily

disrupted while the server is restarted.

To delete this certificate in so that you can install a new one, click the Delete button on the main SSL

Chain Certificate page.

CA Client Certificate

If you are providing two-way digital certificate authentication between the Corente Virtual Services

Gateway and its SSL Client users, you must install a CA certificate on this Corente Virtual Services

Gateway in addition to the SSL certificate. This CA Certificate can be self-signed or obtained from a

trusted CA such as VeriSign (recommended).

Figure 24: CA Client Certificate Administration

The CA Client Certificate page allows you to install a CA Certificate on your Location gateway.

To install a CA Client Certificate, complete the following steps:

1. Click the IMPORT CA Client Certificate button to install the CA Client Certificate. On the Import

CA Client Certificate page that is displayed, enter the complete path and file name of the CA

Client Certificate that is stored on your system or use the Browse button to locate this certificate.

2. Click the Install button. The SSL Services provided by this Location will be momentarily disrupted

while the server is restarted.


Only one CA certificate may be installed on a Location gateway at a time. Information about this

certificate will appear on the CA Client Certificate page.

To delete this certificate in so that you can install a new one, click the Delete button on the main CA

Client Certificate page.

Two-way authentication also requires personal certificates to be imported into the browser of each SSL

client. (These certificates can also be obtained from a trusted CA). The certificates imported into the

client browsers may be in different formats than the Location certificates (i.e., PKCS12).

Additionally, the Require Client Certificate option must be selected on the User Remote Access tab of

the Location form for this Corente Virtual Services Gateway. For more information about enabling this

option, refer to Chapter 5. Configuring SSL Client Access to a LAN (p. 26).


Chapter 2. SSL Log



The Corente Gateway SSL Log page allows you to view the history (up to five days) of logins and

logouts to this Corente Virtual Services Gateway via the SSL Client.

Figure 25: SSL Log

Each entry in this log will present the date and time, the user name that was entered, the IP address of

the computer, and one of the following potential statuses:

Authenticate: The user successfully logged into the SSL Client.

timed out: The SSL Client was left idle by the user and the session expired.

session terminated: The user successfully logged out of the SSL Client.

authentication failure: The login attempt failed due to incorrect user name or password.


Chapter 3. SSL User Report



The Corente Gateway SSL User Report page lists all active SSL Client sessions to this Corente Virtual

Services Gateway. This interface is useful for keeping track of the users that are currently accessing the

Corente Virtual Services Gateway.

Figure 26: SSL User Report

Each entry provides the following information:

User ID: The user name of the SSL Client user.

Source Address: The IP address of the computer connecting via the SSL Client.

Session Duration (HH:MM:SS): The total duration of the current SSL Client session.

Additionally, the total number of current users is displayed at the top of the Active SSL Users section.


IV. Using the SSL Client

This chapter contains information that details how to use the SSL Client. Similar information is provided

to users in the help file that is accessible in this interface.


Chapter 1. Supply Users with Login Information

After you have enabled the SSL Client on a Corente Virtual Services Gateway, granted permissions to

SSL Client users of this Location, and installed an SSL Certificate on this Location gateway, you must

supply each of the users with the following:

the login information that you have created for that user (username/password, RADIUS, or LDAP

login information)

the Visible DNS Name that you have chosen for the Location(s) and the port number (if

applicable) that they will access

the appropriate permissions for the usernames and passwords on the servers that they will

access on the LAN

instructions for configuring their email program to access and send messages over SSL

Additionally, you should make sure that each remote user can connect to the SSL Client with the Visible

DNS Name of Location. If this DNS name will not be available via a public DNS server, you should add

this name to the DNS server at each remote user's location or add an entry to the hosts file of each

user's computer so that this name can be resolved.

For an email template that can be used to supply users with this necessary information, refer to VI.

Appendix: Template for Email to New Users (p. 95).


Chapter 2. Logging In

The SSL Client uses SSL encryption for secure access to the Corente Virtual Services Gateway. When a

user opens the SSL Client by typing https:// and the Visible DNS Name of the Location into their web

browsers (and the SSL Port number, if applicable—see Chapter 5. Configuring SSL Client Access to a

LAN, p. 26), the user may be asked to accept a certificate if the browser does not recognize the

certificate’s source. This certificate has been provided by you via the SSL Certificate interface in the

Gateway Viewer application (see Chapter 1. SSL Certificate, p. 44). The user should confirm the

information that is presented about this certificate and accept it to provide SSL encryption to the Location

gateway.

Additionally, users will be asked to validate a signed applet from Corente during the initial login if you

have enabled certain services for them on the SSL Client Services page (see Chapter 6. SSL Services,

p. 31). Corente provides the ability to certain services via this JAVA applet. The user should verify the

information that is presented and accept the applet.

Note: If the user is using Internet Explorer 7.0 or later, the user will be alerted that the certificate

does not appear to be valid. The user should select Continue Anyway to access the SSL Client.

Homepage

By default, the SSL Client displays a blank homepage upon login. If you have configured another

homepage for users on the Location form, this homepage will be displayed instead (see Chapter 7.

System Homepage and Bookmarks, p. 33, for more information).

Figure 27: SSL Client Default Homepage

Other areas in the application are accessible via buttons displayed across the top of the browser window.


Session Expiration

The session will expire if the users leave the SSL Client window idle, depending on the session timeout

that you have specified (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26). If the session

expires, the user should simply re-login to continue using the SSL Client.


Chapter 3. Browse Web Pages

The SSL Client can be used for secure access to websites within your corporate intranet.

Accessing Web Sites

There are two methods to access a web site via the SSL Client:

In the field labeled Browse, type the URL of the web site. Click Go.

Figure 28: Browse field

While still logged into the SSL Client, the user can type an address directly in the address bar of

the web browser. However, to access the web site, the address must be constructed in the

following way so that the request is routed through the Corente Virtual Services Gateway:

https:// + Location DNS name + /t/ + http:// + website address

Therefore, if a user is accessing http://finances.miami.com via a Corente Virtual Services

Gateway with the DNS name of miami.acme.com:

https://miami.acme.com/t/http://finances.acme.com

System Bookmarks

If you have configured special bookmarks for users on the System Homepage and Bookmarks screen

in the Location form (see Chapter 7. System Homepage and Bookmarks, p. 33), these bookmarks will

appear in the Bookmarks pull-down menu for each SSL Client user. To access the URL of a bookmark,

users must simply select the appropriate bookmark from the menu.

Figure 29: Select a Bookmark

Users can also create their own personal bookmarks that will appear in this menu. For more information,

refer to Creating New Personal Bookmarks (p. 74).


Pages That Cannot Be Accessed

To provide secure browsing of intranet websites, the SSL Client identifies any non-secure URLs that the

user accesses and rewrites them into secure URLs. The Corente SSL Rewrite Engine looks at each

return page and rewrites the URLs on the page to the URL of the secure SSL host. This occurs for

private URLs as well as public URLs. (Note that while it is possible to access public web pages via the

SSL Client, users are recommended to open a new browser window that is not logged in and access

public web pages outside of theSSL Client.)

There are certain cases when the rewrite engine cannot rewrite a page. Users may not be able to access

pages via the SSL Client that use the following:

Ill-formed HTML pages

If there are mistakes in the HTML of the web page, the rewrite engine may fail to rewrite the

URL. This may result in:

Pop-up windows warning that the browser is switching to a non-secure site

The page is displayed as broken, with missing icons or text

Client-side scripts

This includes such scripts as Visual Basic Script (VBScript), Java applets, and certain

JavaScripts. Attempting to access a site that uses these scripts may result in:

Pop-up windows warning that the browser is switching to a non-secure site

The page is displayed as broken, with missing icons or text

Plug-ins (Shockwave, Flash, etc.)

If the user inputs a URL via a plug-in such as Shockwave or Flash, the rewrite engine will have

no knowledge these URL parameters and therefore will not try to rewrite them when the URL

loads. The plug-in objects will try to access the file outside of the SSL Client. This may cause the

browser to seem like it never finished rendering the page or loading the file.

Client-side cookies

Extended Stylesheet Translation Language (XSTL)

Pages that are larger than 150,000 bytes

Due to memory constraints, files that are larger than 150,000 bytes will be loaded into the user’s

browser without SSL encryption.

Generally, if the user is attempting to load an intranet web page that contains any of these, the page will

be inaccessible from a remote location. If the user is attempting to load a public web page, the page will

be sent to the browser outside of the SSL Client.

Additionally, if there is a problem (such as a script error) caused by the SSL Client tool bar that displays

in a frame across the top of the window, the user can display pages without the frame by typing the

modified SSL URL directly in the address bar of the web browser (see Accessing Web Sites, p. 57) for

information on how to form this URL). The user can also try displaying the page in another type of

browser (such as Netscape) to see if the browser was causing the errors.


Applets and Plug-Ins on Web Pages

Even though a user’s browser is able to access an intranet web page over SSL, this does not guarantee

that any applets or plug-ins on the web page will be routed through SSL correctly. If you would like any

applets or plug-ins on pages that SSL Client users will access to be routed correctly over SSL, you must

make sure that the applets are configured to route to localhost. This will ensure that requests made to the

applet or plug-in will be routed via the Corente Virtual Services Gateway and then proxied to the correct

server on the Location gateway’s LAN. For more information on how the SSL Client routes traffic to the

Corente Virtual Services Gateway, refer to Configuring Custom SSL Services (p. 16).


Chapter 4. Browse File

The Browse File interface allows the user to browse the contents of remote networks via a web browser.

If you have not enabled File Browsing for the SSL Client on this Location or for a user group, users will

receive an error message when they attempt to access this page (see Chapter 6. SSL Services, p. 31, for

information on enabling services for users).

Note: The SSL Client does not support file browsing on Windows Vista servers.

Corente Network Access Permissions

The initial Browse File page that is displayed will vary for users depending on whether or not you have

enabled Partner Access for them (see Partner Access, p. 12, and Chapter 10. Configuring SSL Client

Access to Partners, p. 41). The Partner Access service allows the SSL Client users to access the

partners of their host Location.

If you have enabled Partner Access for users, the initial Browse File page will display for them

as shown below. The users will have access to their host Location’s partners.

Figure 30: Browse File (Partner Access)

All Corente Virtual Services Gateways and Corente Clients that the user has been given

permission to access will appear on this interface. The Corente Virtual Services Gateway to

which the user has connected will be highlighted in gray.

Click on the link for a Location ( ). The computers that are accessible to the user on

the Location’s network will be displayed on a new screen. For an example of how each

Location’s network is displayed, see Figure 22.

Click on the link for a client ( ) to browse its shared resources.

If you have not enabled Partner Access for users, the initial Browse File page will display for

them as shown in Figure 22. The users will only be able to access computers on their host

Location’s LAN.


Figure 34: Browse File (no Partner Access)

Windows servers and non-Windows machines running as SMB servers (e.g., Samba) within the

remote network will be displayed with hyperlinks. Computers with hyperlinks will be listed before

the computers without hyperlinks. A machine whose name is not known, e.g., it does not register

in DNS, will be listed by its IP address at the end of the list.

Browse File can only be used to browse files on servers that are listed with hyperlinks.

Logging Into Servers

The user’s web browser will serve as the client that sends all requests to the remote server. This means

that authentication to remote servers will be independent of the user’s SSL Client login or the login that

the user uses to access the local machine.

Depending on each server's configuration, the user may be requested to log in when trying to access a

server or a share resource on the server. After login, access permission to shared folders and files is

based on the privileges that the user has been permitted on that server.

Figure 35: Login Request for Server


Login to the remote servers is persistent. It will be valid for multiple SSL Client sessions, as long as the

server's configuration does not change. As long as the user successfully logs into a server once, the user

can repeatedly connect to the same server without having to log in again, even after logging out of this

SSL Client session and starting a new session.

Some servers allow a user to make connection without a login (i.e., you can connect as an anonymous

user). Nevertheless, an anonymous user may have very limited access permission. The Login button

can be used to explicitly login to such a server as a valid user. This button is available in the upper right

corner of the page that lists the share resources on a server. Additionally, the user can use the Login

button at any time to change the existing login that is currently being used for a server. If the second login

is successful, the new username and password will be used to connect to the server thereafter, until the

user requests to login again.

Browsing Servers

To browse the contents of a server, the user will simply click the hyperlink of the server and login (if

required). The share resources on this server will be listed in the browser window. The user can click on

a share to view its contents.

Figure 36: Shared Folders on Remote Server

If the user clicks on a folder, the contents of the folder will be listed and the folder will become the current

directory.

Figure 37: Contents of Remote Share


By default, the list of files and folders in a directory will be sorted alphabetically by Name, but the user

can click on any of the headings to sort the list by Size, Type, or Date Modified. Folders will always be

listed before files.

The name of the current directory is always displayed as the title of the page at top of the browser

window. To return to a previous directory, the user can click on that directory's name in the current title.

The user can also use the Back folder icon at the top of the page to return to the directory that is

immediately previous to the current directory. To select a new server to explore, click Browse File again

to return to the main Browse File interface.

Figure 38: Returning to a Previous Directory

Note: Computers that have been disconnected from the network will not be removed from the

server list for 30 to 45 minutes. If the user attempts to connect a server that has just

disconnected, the user may receive an error message indicating that the computer is not

available. If this occurs, the user can simply try to connect to the server at a later time.

Downloading Files

The user can open a file within a folder by clicking a file name. Depending on the browser and file type,

the browser may automatically open the file using the appropriate application (e.g., Acrobat Reader for a

.pdf file), or the user may be prompted for further action.

If the user right-clicks the file name, other actions for use with the file will be presented, such as opening

the file in a new window or saving the file to the local disk.

Notes:

If a user clicks a file name and the file does not open, the user should try opening the file in a

new window.

If the user opens a file in the browser window and receives a Security Alert indicating that

the Certificate Issuer for the site is untrusted or unknown, the user should view the certificate

to verify its information and accept it in order to proceed. To avoid the alert in the future, the

user can install the certificate in the browser and add it to the root store.

If the user opens a file in the browser window, the user’s session may expire while the user

is reading the file. This occurs because the SSL Client interface has been left idle. The

session timeout value that you have set controls how long the interface can be left idle

before the user is automatically logged out. If this occurs, the user should simply re-login to

the SSL Client to continue using it.


Uploading Files

To upload a file onto the server, browse to the directory on the server where the file should be uploaded.

Click the Upload button on the upper right corner of the window. A new interface will be displayed for

uploading files.

Type the path and name of the file that is being uploaded in the field labeled File Name or use the

Browse button to browse for the file on the system. Then, in the field labeled Save As, type the name to

save this file as on the server. Click the Submit button.

If the user has the appropriate permissions on the server and the operation is successful, the contents of

the current directory (including the new uploaded file) will be displayed. Otherwise, an error message

describing the problem will be displayed.

The user can click the Reset button to delete any text that has been entered in the fields on this

interface.

Note: If the user is uploading a file and it is taking a long time (e.g., the user is uploading a large

file via a slow connection), the user’s session may expire after the file transfer has been

completed. This depends on the session timeout value set that you have set on the User

Remote Access tab of the Location form for this Location.

If this occurs, the user should simply re-login to the SSL Client to continue using it. The file

should have been successfully uploaded.

Creating New Folders

To create a new folder on the server, browse to the directory where the new folder should be added.

Click the New button on the upper right corner of the window. On the interface that is displayed, type a

name for the folder that is being creating in the field labeled New Folder. Click Submit.


the current directory (including the new folder) will be displayed. Otherwise, an error message describing

the problem will be displayed.

The user can click the Reset button to delete any text that has been entered in the field on this interface.

Deleting Files and Folders

To delete a folder or file, browse to the directory on the server where the folder/file that should be deleted

is located. Click the Delete button on the upper right corner of the window. A new interface will be

displayed that presents a checkbox beside each folder and file name located within this directory. Select

the checkbox of the item(s) that are being deleted and click the Submit button.


the current directory will be updated. Otherwise, an error message describing the problem will be

displayed.


While choosing items to delete, the user can click the Reset button to deselect the items that have been

chosen.


Chapter 5. Browse File – Shortcuts

If there are shared folders on servers within your company's Corente network that a user accesses often,

the user can save these shares on the Shortcuts page. Shortcuts displays a users’ favorite shares on a

single page to save time each time that the user needs to access these shares.

Figure 39: Shortcuts

Adding Shortcuts

To add a shared folder to a Shortcuts page, browse to the server where the shared folder is located.

Click the Add button in the upper right corner of the window. A new page will be displayed that presents

a checkbox beside each shared folder name that is located on this server.

Figure 40: Add Shortcuts

Select the checkbox of the shared folders to add and click the Submit button.

The Reset button will clear any checkboxes that have been selected. The Cancel button will return to the

previous page without saving any selections.

A list of Shortcuts is persistent and valid across multiple SSL sessions. It is stored centrally, and is

therefore available from any computer that used by a user to log into the SSL Client. A share will stay in

the Shortcuts list until it is explicitly deleted.

Accessing Shortcuts

To access the Shortcuts page, a Shortcuts link is available on the main page of Browse File as well as

on the subsequent pages that list the servers on each local Corente network. When the link for a server


is clicked, a Shortcuts button will be displayed on the server page that will also open the Shortcuts

page.

The Shortcuts page displays all of the shared files that have been saved as Shortcuts by a user.

Because different servers can have the same shared folder names, the name of the server that provides

the share is listed in the Comment field. The list is sorted alphabetically by server name.

Click on the link for any Shortcut to display a page that lists the shared resources in that shared folder.

Deleting Shortcuts

To remove a shared folder from the Shortcuts page, click the Delete button on the upper right corner of

the Shortcuts page. A new page will be displayed that presents a checkbox beside each shared folder

name that was added to the Shortcuts page. To avoid confusion, as shares on different servers can

have the same name, each shared folder will also list the server on which it is located. Select the

checkbox of the shared folder(s) to remove from the Shortcuts page and click the Submit button.

The Reset button will clear any checkboxes that have been selected. The Cancel button will return to the

previous page without deleting any selections.


Chapter 6. Services

The SSL Services interface allows users to view the services that you have enabled for them on the SSL

Services window of the Location form for this Location (see Chapter 6. SSL Services, p. 31).

When accessing any of these services using another program, the user should leave the browser window

open so that requests are correctly routed via the Corente Applet and SSL. If the session expires, the

user should re-login and repeat the request with the program.

Tip: If File Browsing is enabled, users can use the Browse File interface to view the DNS/WINS

names or IP addresses of the computers that can be accessed with any service provided by

the SSL Client.

Figure 41: SSL Services

Viewing the Services

The SSL Services interface displays the services that are currently enabled for the user.

Service Name: This is the name of the service.

Service Status: This indicates whether or not the service has been enabled for you by your

network administrator.

Listening Port: If the service is enabled for the user, this is the port number on the server

providing this service that will handle requests from the user. The port number will be shown only

if it applies for this service (for example, a port number does not apply for the Local Web

Browsing (HTTP) or File Browsing services.)

Using the Services

Each default service available via the Services screen is described in Chapter 2. Pre-Configured SSL

Services (p. 10). If you create custom services for users (see Configuring Custom SSL Services, p. 16),


they will be listed on this screen as well. You must inform your users how to use custom services and

provide software for the particular service (if necessary).

To use a service listed on this interface, the user must sign into the SSL Client (leaving the browser

window open) and launch the program that uses this service from the desktop. To route requests from

this program via the SSL Client, the user must initially connect to localhost and the Listening Port

number that is specified for this service on the Services page. By connecting to localhost, the user

connects first to the Corente Applet, which connects to the Corente Virtual Services Gateway at the

remote site, which will in turn route all of the requests from the program to the appropriate server on its

LAN.

This method must be used if there is no hyperlink available for this service. When a hyperlink is available,

the user can use the Host Properties dialog box to launch a program.

Host Properties Dialog Box

When a hyperlink is provided for a service, users can launch this service directly from the SSL Client

interface by clicking the hyperlink. A Host Properties dialog box will be displayed that allows the user to

connect to a specified IP address or DNS name. When connecting to a remote machine by its DNS

name, remind users to type "//" before the DNS name.

Figure 42: Host Properties Dialog Box

If the user would like to connect to a machine to which he has connected previously, a history of the last

10 machines that have been used to access the particular service can be displayed by clicking the

History button. The user can simply select a machine from this list and click Open.

If a user would like to configure the Host Properties dialog box to connect using software other than the

default software for a service, click the Advanced button.

Figure 43: Host Properties Dialog Box – Advanced


The Advanced preferences allows the user to choose the program that will be launched when he enters

a WINS/DNS name or IP address and clicks Open to access a remote computer with the service. Select

the Use Custom Application option to specify the new program.

In the field below this option, enter a command line string that will open the program for this service. The

text that is entered in this field is persistent and will be saved over multiple SSL Client sessions, until it is

changed again by the user.

Figure 44: Host Properties Dialog Box – Advanced – Use Custom Application

To create a command line string to open a program, follow these steps:

1. Start with the full pathname to the executable (for example, if opening the TeraTerm SSH program

when it is stored in the Program Files folder on C:, c:\program files\ttermpro\ttssh).

2. Include any options that the command requires (for example, -ssh hostname.domain:22, where

-ssh instructs the TeraTerm program to use SSH to secure the connection and

hostname.domain:22 instructs the program to access the remote machine by using a specific

hostname and domain, on port 22). Note that the command line string must always explicitly

supply the hostname/IP and port address.

3. Replace the hostname/IP with #HOST# and the port number with #PORT# (for example,

c:\program files\ttermpro\ttssh -ssh hostname.domain:22 becomes c:\program files\ttermpro\ttssh -

ssh #HOST#:#PORT#, where #HOST#:#PORT# informs the program that input is needed for

certain variables (it will use the port number settings that your administrator has set for VNC, and

the IP address that is entered in the Open a connection to field).

The SSL Client can supply the value for the following variables in the command line string:

#HOST#, PORT#, #REMOTE_HOST#, and #REMOTE_PORT#. All variables must be surrounded

by the pound sign (#). If you specify another variable in the string, you will be prompted to input the

value for this variable as the connection is made.

4. Surround the command line string in quotation marks (") if any directories or files within the

pathname contain space(s) (for example, because the program is stored in the Program Files

folder, you would enter "c:\program files\ttermpro\ttssh -ssh #HOST#:#PORT#").

Note: If the command is incorrect or the program not found, when the user clicks Open to open the

program, the user will be re-prompted with the Host Properties dialog box and must click the

Advanced button again to correct the command line string.


Remember that the command line string placed in the Use Custom Application field will be run on the

system with the permissions that are granted to the local system login. Make sure the user understands

the command line string that is created and the program that is being launched, so that the proper

outcome will be produced. In general, if the user does not understand how to form the string, the user

should not use the Advanced preferences to open the program.

Corente provides default software for VNC, telnet, and SSH. When using a custom service, the Use

Custom Application option will be selected by default and cannot be unselected. The user must supply

a command line string if he would like to open the program directly from the SSL Client interface.

Command Line Strings for Specific Programs

The following are examples of command line strings for default services provided by the SSL Client. In

general, it is a good idea to install the software that will be used with the SSL Client in the Program Files

folder of the system so that the command line strings are simple to form.

VNC Viewer software for Desktop Access: If the user downloads the VNC viewer software

only (and not the server software), there is no installation process to load it onto the system. The

user may want to move the program to c:\program files\realvnc\vncviewer.exe, so that the

following example command line string can be used to open the program: "c:\program

files\realvnc\vncviewer" #HOST#:#PORT#.

TeraTerm software for Telnet: If the user uses TeraTerm for telnet and installs the program in

the Program Files folder, an example of the command line string used to open the program

would be: "c:\program files\ttermpro\ttermpro" #HOST#:#PORT#.

TeraTerm software for SSH: If the user uses TeraTerm for SSH and installs both the program

and the SSH component in the Program Files folder, an example of a string that can be entered

in this field is: "c:\program files\ttermpro\ttssh" -ssh #HOST#:#PORT#.

Accessing Email via the SSL Client

The SSL Client can be used to retrieve email from an SMTP, IMAP, and/or POP3 mail server on the

remote network. The chapter titled V. Configuring Email Programs for use with the SSL Client (p. 76)

contains step-by-step procedures for configuring three popular email programs for use with the SSL

Client.

When accessing email with an email program, the user should leave the browser window open so that

email requests are correctly routed via SSL. If the session expires, the user should re-login and repeat

the email request.

If users configure their email programs to automatically check for new messages from the mail server,

they should make sure that the interval for checking for messages is less than the session timeout period

that you have administered for the SSL Client (see Chapter 5. Configuring SSL Client Access to a LAN,

p. 26).

In general, users’ email programs should be configured to retrieve email via:


Protocol: either IMAP, POP3, and/or SMTP


Port Number: the Listening Port number of the protocol

The email programs should be configured to send email via:

Protocol: SMTP


Port Number: the SMTP Listening Port number


Chapter 7. User Preferences

The User Preferences interface allows users to create their own intranet web site bookmarks for

facilitated browsing and (if applicable) change their SSL Client password.

Figure 45: User Preferences

Changing a Password

If you have enabled Local Authentication for users (see Chapter 3. Creating SSL Client Accounts for

Users, p. 19), the Change Password page will be available. Users will not be able to change their

password via the SSL Client when External Authentication is used. If you have configured both a

Corente Client account and an SSL Client account for this user using the same username and password,

this interface will change the password for the SSL Client account only.

Figure 46: Change Password

The Change Password page allows the user to change the password for his/her SSL Client account.

Old Password: For verification purposes, type the current password in this field.

New Password: Type a new password in this field. The required length of the password will vary

depending how certain settings have been configured by your administrator, but it must contain

at least one each of the following:

one numeric character

one uppercase letter


one lowercase letter

Confirm New Password: To avoid mistakes, type the new password again in this field.

Click Change to save changes to the password. The Reset button will clear any text that has been

entered into the fields on this page.

Bookmarks

The Bookmarks page will display all of the intranet web page bookmarks that have been saved for an

account.

Figure 47: Bookmarks

The Personal Bookmarks section displays all of the bookmarks that have been created by that user. For

more information on how users can create new bookmarks, refer to the Creating New Personal

Bookmarks section below.

If you have configured bookmarks for users (see Chapter 7. System Homepage and Bookmarks, p. 33),

these bookmarks will appear in the System Bookmarks section.

Users can access any of the bookmarks on this screen by clicking the appropriate bookmark's link.

These bookmarks are also available on the Bookmarks pull-down menu that is available on all pages of

the SSL Client.

Creating New Personal Bookmarks

If users access the same intranet web sites repeatedly via the SSL Client that you have not saved for

them as System Bookmarks, they can create their own bookmarks on this interface and save them for

future use.

To define a new bookmark, complete the following steps:


1. Click the link labeled Enter New Bookmark. The Bookmark Entry interface will be displayed.

Figure 48: Enter New Bookmark

2. Enter a name for the new bookmark in the field labeled Bookmark Name and an http address in

the field labeled URL.

3. Click Submit.

The new bookmark will now appear in the Personal Bookmarks section of the Bookmarks page.

Simply click the bookmark link to be taken to the web page. The bookmark will also appear in the

Bookmarks pull-down menu.

To delete an existing personal bookmark, click the link labeled (delete) that appears next to it in the SSL

Web Bookmarks section.


V. Configuring Email Programs for use with the SSL Client

The information in this section can be used to walk users step-by-step through setting up several email

programs for use with the SSL Client. Instructions are provided for the following programs:

Outlook 2003

Outlook 2007

Outlook Express


Chapter 1. Setting up Outlook 2003 for use with the SSL Client

To use Microsoft Outlook 2003 with the SSL Client, users will need to set up a new account that will

access their email on the remote server. You should provide users with an account name and password

(if they will be accessing a new account).

Instruct the user to complete the following:

1. Open Outlook. Under the Tools menu, select Accounts.

2. On the interface that is displayed, select the Add button. On the menu that appears, select Mail.

3. On the first screen, enter your name and click Next.

Figure 49: Your Name


4. Enter the email address that will be seen by others as your reply-to address and click Next.

Figure 50: Internet E-mail Address


5. Select the protocol that your company uses for incoming mail. If you are not certain which is

used, ask your administrator.

In the field labeled Incoming mail (POP3 or IMAP), enter localhost.

In the field labeled Outgoing mail (SMTP) server, enter localhost.

Click Next.

Figure 51: E-mail Server Names

6. In the field labeled Account name, enter the login name for your email account.

In the field labeled Password, enter the password for your email account.

Select whether or not you would like Outlook to remember this information.

Leave Log on using Secure Password Authentication unchecked, unless it is required by

your local ISP.

Click Next.


Figure 52: Internet Mail Logon

7. Select the method that you are using to connect to the Internet and click Next.

Figure 53: Internet Connection

8. Click Finish.


Figure 54: Finish

9. You will now see an entry on the Internet Accounts screen for your new account.

Figure 55: New Account

Note: If your network administrator has informed you that your company’s mail server is using a non-

standard port number to listen for email requests, complete the following configuration to your

new email account:

10. Select the account that you just created and click the Properties button. Then select the

Advanced tab.


11. In the section labeled Server Port Numbers, enter the new port number in either the Outgoing

mail field (for SMTP) or the Incoming mail field (for POP3 or IMAP).

12. Click OK.

Figure 56: Changing Port Numbers


Chapter 2. Setting up Outlook 2007 for Use With the SSL Client

To use Microsoft Outlook 2007 with the SSL Client, users will need to set up a new account that will




1. Open Outlook 2007. Under the Tools menu, select Account Settings.

2. Under the Email tab on the interface that is displayed, select the New button.

3. On the first screen, make sure Microsoft Exchange, POP3, IMAP, or HTTP is chosen. Click

Next.

Figure 57: Choose Email Service

4. Select Manually configure server settings or additional server types and click Next.


Figure 58: Auto Account Setup


5. Make sure Internet E-mail is selected and click Next.

Figure 59: Choose E-mail Service

6. On the next screen, fill out the fields as follows:

Your Name: Enter your name.

E-mail Address: Enter the email address that will be seen by others as your reply-to

address.

Account Type: Select the protocol that your company uses for incoming mail. If you are not

certain which is used, ask your administrator.

Incoming mail server: Enter localhost.

Outgoing mail server (SMTP): Enter localhost.

User Name: Enter the login name for your email account.

Password: Enter the password for your email account. Select whether or not you would like

Outlook to remember this password.

Require logon using Secure Password Authentication (SPA): Leave unchecked, unless

it is required by your local ISP.

Click Next.


Figure 60: Internet E-mail Settings

7. Click Finish.

Figure 61: Finish






new email account:

9. Select the account that you just created and click the Change… button. Then select the More

Settings button. On the window that is displayed, select the Advanced tab.

10. In the section labeled Server Port Numbers, enter the new port number in either the Incoming

mail field (for POP3 or IMAP) or the Outgoing mail field (for SMTP).


Figure 63: Internet Email Settings

11. Click OK.


Chapter 3. Setting up Outlook Express for use with the SSL

Client

To use Microsoft Outlook Express with the SSL Client, users will need to set up a new account that will




1. Open Outlook. Under the Tools menu, select Accounts.

2. On the interface that is displayed, select the Add button. On the menu that appears, select Mail.

3. On the first screen, enter your name and click Next.

Figure 64: Your Name


4. Select the first option. Enter the email address that will be seen by others as your reply-to

address and click Next.

Figure 65: Internet E-mail Address


5. Select the protocol that your company uses for incoming mail. If you are not certain which is

used, ask your administrator.

In the field labeled Incoming mail (POP3, IMAP, or HTTP), enter localhost.

In the field labeled Outgoing mail (SMTP) server, enter localhost.

Click Next.

Figure 66: E-mail Server Names


6. In the field labeled Account name, enter the login name for your email account.

In the field labeled Password, enter the password for your email account.

Select whether or not you would like Outlook to remember this information.

Leave Log on using Secure Password Authentication unchecked, unless it is required by

your local ISP.

Click Next.

Figure 67: Internet Mail Logon

7. Click Finish.


Figure 68: Finish





new email account:


9. Select the account that you just created and click the Properties button. Then select the

Advanced tab.

10. In the section labeled Server Port Numbers, enter the new port number in either the Outgoing

mail field (for SMTP) or the Incoming mail field (for POP3 or IMAP).

11. Click OK.

Figure 70: Changing Port Numbers


VI. Appendix: Template for Email to New Users

Corente recommends that you send emails to new users that notify them when you have created SSL

Client accounts for them. This email should contain all the necessary information that will allow them to

connect via the SSL Client and use the services on the LAN that you have enabled for them.

An email template is provided below that can be used for new user notification. In addition, you can cut

and paste the instructions from the chapter of this titled V. Configuring Email Programs for use with the

SSL Client (p. 76) if you would like to provide users with detailed information on how to configure their

email program(s) to access email via the SSL Client.

Email Template

Greetings! Your network administrator has created an SSL Client account for you. This account can

allow you to browse the contents of servers, access your corporate desktop, connect to intranet websites,

and access your corporate email using a secure SSL connection to the Corente Virtual Services Gateway

located on your office network. All you will need is a web browser with JAVA enabled and a connection to

the Internet.

1. To access the LAN to which you have been granted permission, type the following in the address bar

of your web browser:

https://

2. You may be asked to accept a certificate in order to proceed to the SSL-encrypted SSL Client

interface. Verify the information for this certificate and accept it in order to login.

3. When the login interface appears, enter the following information:

Your Username:

Your Password:

4. If your administrator has enabled access to certain services for you, you may be asked to accept an

applet upon login to the SSL Client. Please accept the applet in order to access the services that have

been enabled for you via the SSL Client.

5. Once you have logged in, click the Services button to learn what services your administrator has

allowed you to use with the SSL Client. Click the Help button to learn how to use these services. The

help file also provides instructions on how to configure your email program to access your email via SSL.

6. If you have any problems, contact your administrator.


Index

App Net Manager, 7, 14 Location form. See Location form

applications how the SSL Client works with user applications,

16

authentication configuring, 29–30, 40 LDAP, 29, 38–40 local, 29, 31 RADIUS, 29, 37–38

bookmarks, 33–34, 57 Browse File. See file browsing Browse Web. See local web browsing CA certificates, 27 CA client certificates, 49–50 Corente Client, 6 Corente Services Gateway

enabling SSL Client access to, 26–30 Corente SSL applet, 16, 55 custom SSL services, 15–18

deleting, 18 modifying, 18 requirements, 16

email, 11 enabling SSL Client access, 26–30 failed login attempts, 28 file browsing, 10, 60–65

browsing servers, 62–63 creating new folders, 64 deleting files and folders, 64 downloading files, 63 logging into servers, 61–62 shortcuts, 66–67 uploading files, 64

firewalls, third-party, 28 Gateway Viewer, 43

SSL Certificates, 44–50 SSL Log, 51 SSL User Report, 52

homepage, 33–34, 55 Internet Explorer 7.0, 55 Java, 7 LDAP authentication, 29

configuring, 38–40

local authentication, 29, 31 local web browsing, 10–11, 57–59

applets and plugins, 59 pages that cannot be accessed, 58

Location form User Remote Access tab, 41

log of active SSL Client connections to the gateway, 52

log of SSL Client connections, 51 Partner access, 12, 41–42, 60 partners

configuring SSL Client access to partners, 41–42 proxy server, 8 RADIUS authentication, 29

configuring, 37–38

requirements, 7–9 mail servers, 8 on the LAN of the Location gateway, 7 on user's computer, 9

session timeout, 28, 56 shortcuts, 66–67 SSH, 11 SSL authorized groups, 35–36 SSL certificates, 7, 44–50, 55

chain certificates, 48–49 creating a self-signed certificate, 47–48 generating a CSR, 46 installing CA client certificates, 49–50 installing on the gateway, 44–50 obtaining a CA-signed certificate, 46

SSL Client homepage, 33–34, 55 logging in, 55 requirements, 7–9

SSL client groups, 21, 23–25 creating, modifying, and deleting, 23–25

SSL Log, 51 SSL Services, 10–12, 15–18, 28

configuring permissions for on a Location, 31–32 creating, modifying, and deleting custom services,

15–18 email, 11 file browsing, 10, 60–65 local web browsing, 10–11, 57–59

applets and plugins, 59 pages that cannot be accessed, 58

Partner access, 12 screen on SSL Client interface, 68–72 SSH, 11 telnet, 11 VNC, 10

SSL User Report, 52 System Homepage and Bookmarks, 29, 33–34 telnet, 11 TeraTerm, 11 user accounts, 19–22 User Remote Access tab, 41


Visible DNS Name of Location, 8, 28, 46, 54 VNC, 10

Windows Vista, 60


Additional Support

For additional support for Corente:

Access the Corente Documentation webpage Go to http://www.corente.com/documentation to download any of the Corente manuals for the current release.

Contact Corente Customer Operations Go to http://www.oracle.com/support for information about ways to obtain support for Corente

Services in your area.

http://www.corente.com/documentation

http://www.oracle.com/support


Oracle Legal Notices

Copyright Notice

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.


Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management appl ications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice Disclaimer

If this document is in preproduction status: This documentation is in preproduction status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

www.corente.com

http://www.corente.com/

VII. Corente Services SSL Client - docs.oracle.com€¦ · SSL Certificate.....44 SSL Certificate...

Documents

Transcript of VII. Corente Services SSL Client - docs.oracle.com€¦ · SSL Certificate.....44 SSL Certificate...