Download HOB RD VPN Admin. Guide - HOB, Inc. PDF

814 Pages·2017·29.25 MB·English

Preview Download HOB RD VPN Admin. Guide - HOB, Inc.

Administration Guide
HOB RD VPN blue edition
Software version: 2.2
Issue: February 2017

HOB RD VPN Software and Documentation - Legal Notice

Contact:
HOB GmbH & Co. KG
Schwadermuehlstr. 3
90556 Cadolzburg
Germany
Represented by: Klaus Brandstätter, Zoran Adamovic
Phone: + 49 9103 715 0
Fax: + 49 9103 715 271
E-mail: [email protected]

Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180
Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002
Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg, Germany.

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOB RD VPN software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All of the information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we cannot accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for the intended use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

Trademarks

Microsoft Windows is a trademark of Microsoft Corporation. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is a registered trademark of The Open Group. Mac, OS X and Apple are trademarks of Apple Inc., registered in the U.S. and other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Citrix, Citrix ICA, Citrix XenApp, Citrix Receiver for Java and other products are trademarks or registered trademarks of Citrix Systems, Inc. VMware Horizon® View™ is a registered trademark in the United States and certain other countries. All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Issued: December 8, 2016

Purpose of this Guide

This guide is designed to provide system administrators with detailed information concerning HOB RD VPN and to help them decide where and when this product can be most effectively deployed in their enterprise network. This documentation contains descriptions of numerous possible scenarios and explains required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions

This guide uses certain conventions and abbreviations which are explained here:

This symbol indicates additional informative and otherwise helpful text.

This symbol indicates an important tip, procedure or warning. This may have far-reaching effects, so please consider carefully the consequences of any changes and settings made here.

Instructions, options and button names are printed in Bold, for example: select the command Open.

Cross-references to section headings and figures with numbers are marked in color as follows: Chapter 1 Introducing HOB RD VPN on page 15.

Filenames and text to be entered by the user are printed in Courier New. This input is – unless otherwise mentioned – case sensitive.

Keys or key combinations are displayed in square brackets, e.g. [Space].

In this documentation, HOB-specific terminology is abbreviated as follows:

HOB-specific Terminology                        Abbreviation
HOB WebSecureProxy                              HOB WSP
HOBLink Java Windows Terminal                   HOBLink JWT
HOB Remote Desktop Virtual Private Network      HOB RD VPN
HOB WebSecureProxy Universal Client             HOB WSP UC

Other abbreviations commonly used in this documentation are as follows:

Full Name                                               Abbreviation
Common Criteria                                         CC
Demilitarized Zone (location between two firewalls)     DMZ
Evaluation Assurance Level                              EAL
Remote Desktop                                          RD
Security Target                                         ST

Contents

About This Documentation
Common Criteria Evaluation of HOB RD VPN

1. Introducing HOB RD VPN
  1.1. Features
  1.2. Components

2. Basic Concepts
  2.1. HOB RD VPN Navigation Screen
  2.2. HOB Administration Portal
  2.3. User Control
  2.4. HOB RD VPN Domains
  2.5. Multi-Tenancy
  2.6. Roles
  2.7. Global Administrator vs. Domain Administrator
  2.8. HOB WebSecureProxy
  2.9. HOB RD VPN Computer Cluster

3. Deployment Scenarios
  3.1. Default Deployment Configuration
  3.2. Cluster Deployment Configuration

4. Installing HOB RD VPN
  4.1. System Requirements
  4.2. Prerequisites for Installing
  4.3. Starting the HOB RD VPN Installer
  4.4. Installing the First Node
  4.5. Installing a New Cluster Member
  4.6. Customizing HOB RD VPN User Pages
  4.7. Testing the Installation
  4.8. Uninstalling HOB RD VPN

5. Navigating in HOB RD VPN
  5.1. Portlets
  5.2. User Settings

6. Administering HOB RD VPN
  6.1. Administration Access as a Domain Administrator
  6.2. Administration Access as a Global Administrator
  6.3. Creating a New Global Administrator
  6.4. Logging and Error Messages

7. Multi-Tenancy
  7.1. Default Domain Configuration
  7.2. Using the Integrated Directory Service as the Authentication Service
  7.3. Using an External Directory Service as the Authentication Service
  7.4. Using Kerberos as the Authentication Service
  7.5. Using RADIUS Access Servers as the Authentication Service
  7.6. HOB LDAP Scheme Extension

8. Roles and Users
  8.1. Configuring Roles in the HOB WebSecureProxy
  8.2. Configuring Roles in HOB RDVPN Administration
  8.3. Configuring Resources
  8.4. Configuring Sessions
  8.5. Configuring Utilities

9. Administering the HOB WebSecureProxy
  9.1. Configuring HOB WSP Servers
  9.2. Configuring Individual HOB WSP Servers
  9.3. Main Connection
  9.4. Primary Connection
  9.5. Direct Connections
  9.6. Raw Packet Interface
  9.7. WSP Servers in Other Locations

10. Defining Targets in the HOB WSP
  10.1. Configuring an RDP Target
  10.2. Configuring Other Targets
  10.3. Assigning Targets to Roles
  10.4. Configuring the RDP Hook

11. Remote Desktop Access Using HOBLink J-Term / JWT
  11.1. Configuring Connections in HOBLink J-Term/JWT
  11.2. Configuring HOBLink JWT
  11.3. Configuring Schemes
  11.4. Configuring Sessions
  11.5. Running Sessions
  11.6. Load Balancing

12. Remote Desktop Access Using HOBLink JWT Webstart
  12.1. Configuring the HOB WebSecureProxy
  12.2. Client Configuration Provider
  12.3. Configuring HOBLink JWT Webstart
  12.4. Configuring a Session
  12.5. Configuring a Scheme
  12.6. Mac OS X Security Issue – Unidentified Developer Application
  12.7. Run Sessions

13. Remote Desktop Access Using HOBLink WebTerm
  13.1. Configuring HOBLink WebTerm in the HOB WSP
  13.2. Using HOBLink WebTerm

14. Remote Desktop Access Using HOB RD VPN Desktop-on-Demand
  14.1. Configuring HOB Desktop-on-Demand
  14.2. HOB Wake-on-LAN Relay

15. Remote Desktop Access Using Virtual Desktop Integration
  15.1. HOB VDI
  15.2. The HOB VDI Agent
  15.3. The HOB VDI Control
  15.4. Requirements for HOB VDI
  15.5. Installing HOB VDI
  15.6. Configuring HOB VDI
  15.7. Adding HOB VDI to a Role

16. Remote Desktop Access Using VNC
  16.1. Configuring VNC Targets
  16.2. Configuring a Dynamic VNC Bridge Connection
  16.3. Configuring a Static VNC Bridge Connection
  16.4. Adding HOB VNC to a Role
  16.5. Using the HOB VNC Bridge

17. Remote Desktop Access Using Terminal Emulations
  17.1. Configuring the HOB WebSecureProxy
  17.2. Assigning the Terminal Emulation Configuration to a Role
  17.3. Configuring HOBLink J-Term
  17.4. Configuring TN3270 Targets
  17.5. Configuring TN5250 Targets
  17.6. Configuring Telnet Targets

18. Remote Desktop Access Using SSH
  18.1. SSH Targets
  18.2. Adding SSH Targets to a Role
  18.3. Using SSH

19. Remote Intranet Access Using HOB RD VPN Web Server Gate
  19.1. Configuring the HOB RD VPN Web Server Gate
  19.2. Single Sign-on

20. Remote Desktop Access Using ICA
  20.1. Installing Remote Desktop Access Using ICA
  20.2. Configuring Remote Desktop Access Using ICA
  20.3. Configuring Single Sign-on for Access
  20.4. Using Remote Desktop Access with ICA

21. Remote Access to Files Using HOB RDVPN Web File Access
  21.1. Configuring HOB RD VPN Web File Access
  21.2. Using HOB RD VPN Web File Access

22. Remote Data Sharing Using HOBLink DASH
  22.1. Installing HOBLink DASH Components
  22.2. Configuring HOBLink DASH Components
  22.3. Configuring HOBLink DASH in the HOB WSP
  22.4. Using HOBLink DASH
  22.5. Rules in HOBLink DASH
  22.6. Configuring Rules in HOBLink DASH
  22.7. Processing Rules in HOBLink DASH
  22.8. Using HOBLink DASH Rules - Examples
  22.9. Using Regular Expressions
  22.10. Creating Profile Files

23. Remote Access Using Virus Scanning
  23.1. Installing Virus Scanning
  23.2. Configuring Virus Scanning in the HOB WSP
  23.3. RDP Hook

24. Remote Access to Microsoft Exchange Server
  24.1. Configuring Remote Access to Microsoft Exchange Server
  24.2. Configuring Microsoft Exchange Server

25. Remote Desktop Access Using the Internal Network Adapter
  25.1. Installing the Internal Network Adapter and HOB TUN Driver
  25.2. Configuring the Internal Network Adapter

26. Network Access Using the HOB PPP Tunnel
  26.1. Network Address Translation
  26.2. Configuring User Settings
  26.3. Configuring the HOB PPP Tunnel
  26.4. Configuring an L2TP Gateway
  26.5. Configuring a Raw Packet Interface
  26.6. Configuring the HOB PPP Tunnel in the HOB WSP
  26.7. Configuring Dynamic NAT
  26.8. Configuring the HOB TCP Tuner
  26.9. Configuring the HOB TCP Tuner II
  26.10. Assigning the Server List
  26.11. Creating a HOB PPP Tunnel Portlet
  26.12. Using the HOB PPP Tunnel

27. Network Access Using Microsoft SSTP Clients
  27.1. Configuring Targets for SSTP

28. HOBPhone
  28.1. Configuring HOBPhone in HOB RD VPN
  28.2. Configuring the HOB WSP for HOBPhone
  28.3. Configuring the User Accounts in HOBPhone
  28.4. Using HOBPhone

29. HOB WSP Universal Client
  29.1. Configuring HOB WSP Universal Client
  29.2. Configuring the HOB WSP for SOCKS
  29.3. Configuring the Client Application

30. HOB Compliance Check
  30.1. Configuring the HOB Compliance Check
  30.2. Assigning the HOB Compliance Check to a Role
  30.3. Using the HOB Compliance Check

31. HOB Target Filters
  31.1. Configuring HOB Target Filters
  31.2. Assigning HOB Target Filters to a Role

32. SSL Identifier
  32.1. Configuring the SSL Identifier for the User
  32.2. Configuring the SSL Identifier for the HOB WSP
  32.3. Using the SSL Identifier

33. Configuring Extensions
  33.1. Integrated Web Server
  33.2. HOB PPP Tunnel
  33.3. SSTP
  33.4. Protocol Plugins
  33.5. Dynamic NAT
  33.6. TCP Tuner
  33.7. TCP Tuner II
  33.8. RDP Hook
  33.9. L2TP Gateways
  33.10. SOCKS
  33.11. HOBPhone
  33.12. Desktop-on-Demand

34. Additional HOB Solutions
  34.1. HOB Remote Desktop Enhanced Services
  34.2. HOB X11Gate
  34.3. HOB MacGate

35. Security Checks
  35.1. Web Server
  35.2. Firewall
  35.3. Ports
  35.4. Logging

36. HOB RD VPN Evaluated for Common Criteria
  36.1. Information on Common Criteria
  36.2. Security Objectives for the Operational Environment
  36.3. Delivery Accuracy Check
  36.4. Consequences of Misconfiguration
  36.5. System Requirements
  36.6. Configuration Tasks
  36.7. User Workshops and Schooling
  36.8. Achieving Trustworthy Encryption
  36.9. Using Certificates in HOB RD VPN

37. Flaw Remediation
  37.1. Aspects of Flaw Remediation

Description:
The trademark Linux is represented by Linux Trademark Institute Citrix, Citrix ICA, Citrix XenApp, Citrix Receiver for Java and other products are trademarks or