VII. Corente Services SSL Client

Transcription

1 VII. Corente Services SSL Client Corente Release 9.1 Manual Copyright 2014, Oracle and/or its affiliates. All rights reserved.

2 Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements... 7 On the LAN of the Corente Virtual Services Gateway... 7 On Each User s Computer... 7 Chapter 2. Pre-Configured SSL Services Desktop Access (VNC Applet) File Browsing Local Web Browsing (HTTP) Protocols (IMAP, POP3, and SMTP) Telnet Secure Shell (SSH) Partner Access Additional Services II. Configuring the SSL Client Chapter 1. SSL Client Settings in App Net Manager Chapter 2. SSL Services Configuring Custom SSL Services Adding a New Custom Service Modifying an SSL Service Deleting an SSL Service Chapter 3. Creating SSL Client Accounts for Users External Server Authentication (RADIUS and LDAP) Local Authentication Adding a New SSL Client Account in App Net Manager Viewing or Modifying an SSL Client Account Configuration Deleting an SSL Client Account Chapter 4. SSL Client Groups Adding a New SSL Client Group Modifying an SSL Client Group Deleting an SSL Client Group Chapter 5. Configuring SSL Client Access to a LAN Chapter 6. SSL Services Chapter 7. System Homepage and Bookmarks Specify an SSL Client Homepage Create Bookmarks for Intranet Browsing Chapter 8. SSL Authorized Groups Copyright 2014, Oracle and/or its affiliates. 2 Corente Services SSL Client

3 Chapter 9. External Authentication (RADIUS or LDAP) RADIUS Authentication LDAP Authentication Chapter 10. Configuring SSL Client Access to Partners Allow SSL Client Access III. Configuring Corente Virtual Services Gateways for Use with the SSL Client SSL Admin Chapter 1. SSL Certificate SSL Certificate Obtaining an SSL Certificate Signed by a CA Install an SSL Certificate on Your Location Gateway Create a Self-Signed Certificate SSL Chain Certificate CA Client Certificate Chapter 2. SSL Log Chapter 3. SSL User Report IV. Using the SSL Client Chapter 1. Supply Users with Login Information Chapter 2. Logging In Homepage Session Expiration Chapter 3. Browse Web Pages Accessing Web Sites System Bookmarks Pages That Cannot Be Accessed Applets and Plug-Ins on Web Pages Chapter 4. Browse File Corente Network Access Permissions Logging Into Servers Browsing Servers Downloading Files Uploading Files Creating New Folders Deleting Files and Folders Chapter 5. Browse File Shortcuts Adding Shortcuts Accessing Shortcuts Deleting Shortcuts Chapter 6. Services Viewing the Services Using the Services Host Properties Dialog Box Copyright 2014, Oracle and/or its affiliates. 3 Corente Services SSL Client

4 Command Line Strings for Specific Programs Accessing via the SSL Client Chapter 7. User Preferences Changing a Password Bookmarks Creating New Personal Bookmarks V. Configuring Programs for use with the SSL Client Chapter 1. Setting up Outlook 2003 for use with the SSL Client Chapter 2. Setting up Outlook 2007 for Use With the SSL Client Chapter 3. Setting up Outlook Express for use with the SSL Client VI. Appendix: Template for to New Users Template Index Additional Support Oracle Legal Notices Copyright 2014, Oracle and/or its affiliates. 4 Corente Services SSL Client

5 Preface This manual provides a detailed, step-by-step explanation of the administration procedures that are performed to provide remote users with secure web access to Corente Virtual Services Gateways (also known as Locations ) via SSL. The purpose of this manual is to provide all the necessary information to partners or customers who want to configure and use the Corente SSL Client. Conventions All hyperlinks are shown in blue, underlined text. They can be used to navigate through the guide or the procedures related to an overall activity, or to jump to a cross-referenced topic or Internet URL. Systems supported This guide supports Corente, version 9.1. Technical Support For technical support to assist you with any problems or to answer any questions pertaining to function, installation, and management of the Corente Services, please go to Related reading Corente provides several additional manuals: I. Corente Services Planning II A. Corente Virtual Services Gateway Hardware Preparation and Deployment II B. Corente Services Policy Definition and Provisioning III. Corente Services Administration IV. Corente Services Troubleshooting Guide V. Corente Virtual Services Gateway Virtual Edition VI. Corente Services Client VIII. Corente Services Mobile User To obtain these manuals, please visit the Corente web site at Copyright 2014, Oracle and/or its affiliates. 5 Corente Services SSL Client

6 I. Introduction The Corente SSL Client provides a secure method for remote users to access the corporate network using a web browser and a connection to the Internet. Corente offers two basic types of Corente network access for remote users: the SSL Client and the software-based IPSec Corente Client. The SSL Client provides more limited access than the Corente Client, but the SSL Client does not require specialized software to be installed on users computers. While the Corente Client can handle all types of traffic between remote users and computers at a central site, the SSL Client allows users to use only the services that have been specifically enabled or disabled per Location and per user group by the network administrator. Services include the ability to retrieve and send via your company s IMAP, POP3, and/or SMTP mail servers, browse secure intranet web sites, download and upload files onto SMB servers, use VNC for remote desktop access, and use telnet or SSH for text-based server access (see Chapter 2. Pre-Configured SSL Services, p. 10, for more detailed descriptions of these services). In most cases, these flexible services provide sufficient access for remote users. Corente Client SSL Client X X File Share X X Web (HTTP) X X Desktop Access (VNC) X X Telnet X X SSH X X Client-Server X X* Databases Terminal X X *Only TCP-based applications that employ single connection protocols and do not use imbedded IP addresses. For more information on how these remote access solutions compare, please refer to the document entitled Choosing a Corente Remote Access Solution. This document can be requested from Corente Customer Care. Copyright 2014, Oracle and/or its affiliates. 6 Corente Services SSL Client

7 Chapter 1. Requirements The SSL Client may require simple configuration to be performed on the Corente Virtual Services Gateway, on the LAN of the Corente Virtual Services Gateway, and on the user s computer that will be used to access the network. The following are the requirements for operating the SSL Client. On the Corente Virtual Services Gateway: In App Net Manager, complete the configuration for SSL Clients on the User Remote Access tab of the Location form. This form can be accessed for a Location by using the Edit function to edit the personality file for that Location. An SSL certificate must be installed via the SSL Certificate page in Gateway Viewer (see Chapter 1. SSL Certificate, p. 44) On the LAN of the Corente Virtual Services Gateway In addition to the standard mandatory firewall rules, Corente requires the following rules be implemented on any firewall that protects the Location gateway when SSL Clients are in use: Inbound Rules Permit TCP Source Port from ANY IP address to TCP Destination Port 443* of Corente Virtual Services Gateway IP address. * 443 is the default SSL Port that remote computers will use to connect to the login for the SSL Client. If a different port is going to be used for the SSL Port, then the inbound firewall rule must reflect the appropriate port (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26, for more information about the SSL Port). On Each User s Computer The SSL Client is compatible with the following Java-enabled web browsers: Internet Explorer 9 or later Firefox 25.0 or later Chrome 34.0 or later Safari 7.0 or later Important: SSL Client users must be using Sun Microsystem's JVM. Furthermore, make sure version 1.5.0_10 or later of the Sun Java Runtime Environment (JRE) is installed on the user s computer. Note that version of the JRE may not be compatible with older versions of Linux. If a user s OS does not support or does not appear to be compatible, the user must manually download an earlier version (1.5.0_10 or 1.5.0_11). If you are using Internet Explorer, the URL of the SSL Client must be added as a trusted site in your web browser in order for you to access it. To add the URL: Copyright 2014, Oracle and/or its affiliates. 7 Corente Services SSL Client

8 1. In Internet Explorer, open the Tools menu and select Internet Options. 2. Select the Security tab. 3. Select Trusted Sites. 4. Select Sites to open the trusted websites interface. 5. Enter the URL of the SSL Client and select Add. 6. Select Close to close the interface, then select OK to save your changes to the Security tab. The SSL Client will be added to the Trusted Websites list. When using Internet Explorer, the highest browser security setting supported is Medium. The security setting of the browser can be changed by accessing the Tools menu, selecting Internet Options, and clicking on the Security tab. If users connect to the Internet via a proxy server, this proxy server must be a web proxy or they will not be able to connect to the SSL Client. The IP address and port number of this proxy must be specified in the browser and not automatically detected. If users connect using Internet Explorer, the entry for the Secure proxy server must be the same as HTTP. To ensure that this is true: 1. On the Tools menu of Internet Explorer, access Internet Options. 2. Click the Connections tab. 3. Click the LAN Settings button. 4. If the Use a Proxy Server selection box is selected, then either: Entries should appear in the Address and Port fields underneath this option. If these fields are gray, click the Advanced button. On the Proxy Settings screen, under the Servers section, HTTP and Secure must have the same entries for Proxy address to use and Port. Note: Users that access the Internet via a proxy server will not be able to connect to the SSL Client when the Require Client Certificate option is selected for two-way authentication (for more information, see Chapter 5. Configuring SSL Client Access to a LAN, p. 26). To retrieve from an SMTP, IMAP, and/or POP3 mail server on the remote network using SSL, there are several requirements: The Corente Virtual Services Gateway must be accessed using the Visible DNS Name of the Location (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26, for more information). If the DNS name will not be available via a public DNS server, you should add Copyright 2014, Oracle and/or its affiliates. 8 Corente Services SSL Client

9 this name to the DNS server at each remote user's location or add an entry to the hosts file of each user's computer so that this name can be resolved. JAVA must be enabled on the user's web browser. The user must leave the browser window open to an active SSL Client session when accessing , so that the request is correctly routed via SSL. The user's program must be configured to access via: Protocol: either POP, IMAP, and/or SMTP IP Address: localhost Port Number: the port number that you will specify for the particular mail server on the SSL Client Settings interface in App Net Manager (see Chapter 6. Services, p. 68, for important exceptions) Note: The protocol and port number information is provided to users on the Services interface of the SSL Client. Copyright 2014, Oracle and/or its affiliates. 9 Corente Services SSL Client

10 Chapter 2. Pre-Configured SSL Services If you would like, the SSL Client can provide users with the pre-configured services described in this section. For information on enabling these services, refer to Chapter 3. Creating SSL Client Accounts for Users (p. 19) and Chapter 6. SSL Services (p. 31). Information on using these services with the SSL Client interface is available in IV. Using the SSL (p. 53). Desktop Access (VNC Applet) SSL Client users can use Virtual Network Computing (VNC) to connect securely to remote computers. VNC is a remote display system that allows you to view a remote computer's desktop environment on your own computer, from anywhere on the Internet. To access a remote computer's desktop with VNC, the VNC server software must be running on that remote computer. By default, the SSL Client automatically downloads VNC viewer software onto users' systems the first time that they use the VNC service. They will use this software each subsequent session for desktop access. However, if they do not want to use this software, they can provide their own VNC viewer software. Due to performance issues, Corente requires VNC version or later for PCs for both the viewer and server software. For more information and to obtain copies of the free VNC software, refer to this website: File Browsing Users can browse share resources and access files on servers with the Browse File interface (see Chapter 4. Browse File, p. 60). Depending on the configuration of each server, users may have to provide a username and password to login to each server before they are granted access. After login, access permission is based on the privileges configured for that username on that server (i.e., the user's ability to download, upload, and delete files). Tip: If File Browsing is enabled, users can use the Browse File interface to view the DNS/WINS names or IP addresses of the computers that can be accessed with any service provided by the SSL Client. Local Web Browsing (HTTP) Users can browse private web pages located within your intranet (see Chapter 3. Browse Web Pages, p. 57). By default, this option is enabled on each Location when the SSL Client is enabled. A local DNS server must be in place on this Corente Virtual Services Gateway's LAN to provide name resolution for these intranet web pages. The server's IP address must be specified as the Copyright 2014, Oracle and/or its affiliates. 10 Corente Services SSL Client

11 Primary DNS Server (this can be modified on the Network tab of the Location s Location form, with the Network Interfaces section). The server itself should be configured to forward lookups to a public DNS server. Protocols (IMAP, POP3, and SMTP) Users can send or retrieve from an Internet Message Access Protocol (IMAP), Post Office Protocol 3 (POP3), and/or Simple Mail Transfer Protocol (SMTP) mail server in a Location s LAN via the SSL Client (see Accessing via the SSL Client, p. 71). Telnet Users can connect to remote servers with telnet. Telnet is a program that allows you to log into another computer over a network or the Internet and execute commands on the remote computer using a textbased interface. The remote computer must be running a telnet server in order for an SSL Client user to connect to it. By default, the SSL Client automatically downloads telnet software onto users' systems the first time that they use this service. You will use this software for each subsequent telnet session. If you do not want to use this software, you can use the built-in telnet program for Windows (only available if you are using Internet Explorer on a Windows computer) or download and install another type of telnet software on your computer. There are many popular terminal emulation programs for telnet that are available on the Internet. Corente recommends TeraTerm, a free telnet client program, which is available at After download, instruct users to unzip the file and run the setup.exe file to install. Secure Shell (SSH) In addition to telnet, users can connect to servers on the LAN with Secure Shell (SSH). SSH is a program that allows you to log into another computer over a network or the Internet and execute commands on the remote computer using a text-based interface. It is similar to telnet, but provides encryption on both ends to secure the connection between computers. The host computer must be running an SSH server in order for an SSL Client user to connect to it. To connect to a remote computer with SSH, an SSH server must be running on the remote computer. By default, the SSL Client automatically downloads SSH software onto users' systems the first time that they use the SSH service. They will use this software each subsequent session for desktop access. However, if they do not want to use this software, they can provide their own SSH software. Corente recommends TeraTerm, a free telnet client program, to connect to remote computers using SSH. However, to use TeraTerm with SSH, users must also install a special SSH package on their computers. TeraTerm is available at After download, instruct users to unzip the file and run the setup.exe file to install. Copyright 2014, Oracle and/or its affiliates. 11 Corente Services SSL Client

12 An SSH package for TeraTerm is available at After download, unzip the file into the location of the TeraTerm program directory (c:\program files\ttermpro). Partner Access To access the SSL Client, users log into a single Corente Virtual Services Gateway. This Location functions as the host Location and provides access to all servers on the LAN in a User Group. When Partner Access is enabled, users can use any service that is enabled for them to connect to the partners of the host Location. Users can connect to both Location and Corente Client partners of this Corente Virtual Services Gateway. The Location partners must explicitly allow SSL Client users of this Location to connect to them (see Chapter 10. Configuring SSL Client Access to Partners, p. 40, for more information). SSL Client users will have access to machines that are in the Default User Group of the partner. Additional Services You can define custom services for users with the SSL Services feature in App Net Manager. This tool is described in Configuring Custom SSL Services (p. 16). Copyright 2014, Oracle and/or its affiliates. 12 Corente Services SSL Client

13 II. Configuring the SSL Client After ordering the SSL Client service, you must configure this service on your Corente application network by completing the activities outlined in this section. This section explains step by step how to create SSL Client accounts and how to administer SSL Client permissions on each Corente Virtual Services Gateway. Copyright 2014, Oracle and/or its affiliates. 13 Corente Services SSL Client

14 Chapter 1. SSL Client Settings in App Net Manager In App Net Manager, you must begin by configuring domain-wide SSL Client settings that will be used for controlling SSL Client access to each Corente Virtual Services Gateway in your domain. These settings are accessed in the domain directory, by opening the Global Intranet Settings category, then opening the User Remote Access subcategory, and then opening the SSL Administration subcategory. Figure 1: SSL Administration Category in the Domain Directory When the SSL Administration branch in the domain directory is opened, the following features are displayed: SSL Services SSL Clients SSL Client Groups Copyright 2014, Oracle and/or its affiliates. 14 Corente Services SSL Client

15 Chapter 2. SSL Services When you enable access by SSL Clients to a Corente Virtual Services Gateway, you can identify specific programs and services that each SSL Client user has permission to use with machines on the Location s LAN. The permissions for these programs and services can be set per Location (for all users that access this Location) as well as per user group (for all Locations that the user group accesses), to provide finegrained access control. (Permissions for SSL Services can only be defined per user group when Local Authentication is used for the SSL Client. For more information, refer to Chapter 3. Creating SSL Client Accounts for Users, p. 19). By default, App Net Manager provides several pre-defined SSL services that can be enabled or disabled when establishing SSL Client permissions. (For more information about each of these Default SSL Services, refer to Chapter 2. Pre-Configured SSL Services, p. 10). These services are read-only and cannot be deleted. If you would like to define additional services, select the SSL Services tool from the SSL Administration category of the domain directory. The SSL Services that are currently defined in your domain will be displayed in the table on the right side of the App Net Manager interface. Figure 2: SSL Services Copyright 2014, Oracle and/or its affiliates. 15 Corente Services SSL Client

16 Configuring Custom SSL Services When SSL Client access is enabled on a Corente Virtual Services Gateway, the Location gateway will act as an application layer gateway that intermediates access between SSL Client users on the public Internet and resources on internal corporate servers. All requests to the Location gateway for access to internal servers are secured using SSL. These requests are secured using SSL in one of two ways: by the browser or by the Corente SSL Applet. The browser encrypts all requests via the File Browsing or Local Web Browsing (HTTP) services, while the Corente SSL Applet secures all other requests. The browser or applet forwards packets on behalf of the end user to the SSL port on the Location gateway, while the Location gateway does the actual connection to the server and pretends to be the end user. The SSL Client works with user applications in the following manner: 1. Upon user authentication, the Corente SSL Applet opens an HTTPS/SSL connection across the Internet to the Corente Virtual Services Gateway. 2. The application (for example, telnet) makes a TCP connection to the applet using the loopback address of (e.g., localhost). 3. The applet notifies the Location gateway to open a TCP connection to the server to which the application wishes to connect. 4. The applet then takes the data portion of all packets from the application and sends the data to the Location gateway via the previously established SSL connection. 5. The Location gateway passes the data inside a new packet to the server through the TCP connection that was established on the application s behalf. If a user uses an application with the SSL Client, keep in mind that traffic to and from the application must be routed through the Corente SSL Applet so that it is encrypted by SSL. This means that the application (including any applets or plug-ins on web pages that users may access with the SSL Client) must be configured to route traffic to localhost and the port number that the application uses to contact the server. You must create a custom SSL service (described in the next section) that informs the Location gateway of the appropriate IP address and port number of the server that must be contacted for this application. When choosing applications to use with the SSL Client, ensure that they meet the following criteria: The application must use TCP (not UDP). The application must employ single connection protocols. The application must not utilize protocols containing imbedded IP addresses (for example, FTP). Such programs will not work with the SSL Client. The application must be able to be configured to route to localhost. Copyright 2014, Oracle and/or its affiliates. 16 Corente Services SSL Client

17 Remember that the SSL Client does not secure all traffic between the user s computer and the LAN of the Corente Virtual Services Gateway. Rather, it acts as an application proxy that encrypts only certain traffic in SSL to the Location gateway. All applications that connect to the Corente SSL Applet will have their traffic sent over the Internet encrypted with SSL, regardless of the insecurities of the protocol in use. Adding a New Custom Service To create a new SSL Service to use with the SSL Client, make sure SSL Services is selected in the domain directory and: Select the New button in the tool bar. From the File menu, select Add SSL Service. Right-click SSL Services in the domain directory and select Add SSL Service. You will be taken to a blank Add SSL Service window. Figure 3: Add SSL Service Complete the following steps: 1. Complete the following fields and options: Name: Enter a name for your new SSL Service in this field. This is the name that will be used to identify this service in App Net Manager, and for the users on the SSL Client interface. The name may contain up to 30 characters. Protocol: Select the name of the protocol that will be used by this service. If the protocol is not listed on this pull-down menu, select Custom. Default Port: Enter the default port number to be used by this service. This is the port number that a Corente Virtual Services Gateway will use to contact the appropriate server(s) when a user attempts to use this service over the secure SSL connection. This will be the default port, but if necessary, it can be modified on the Location form for each Location that has enabled SSL Client access. Copyright 2014, Oracle and/or its affiliates. 17 Corente Services SSL Client

18 Specify Server IP address or DNS Name: If this service is associated with a specific server, select this checkbox. It will be associated with a single server on the LAN of each Location gateway that has this service enabled. This means that when you enable this service on the Location form for a Location, you must also specify the IP address or DNS name of the server providing this service. Users will only be able to use the service with that server. When this option is not selected, this service is not associated with a single server. Users can use this service to connect to any computer that you have permitted them to contact. When using this service, users will be required to supply the DNS name, WINS name, or IP address of the computer to which they would like to connect. 2. After you have completed these fields, click OK to add the new SSL Service to your SSL Services list. Use the Save button to save your changes. 3. Once you have saved your new SSL Service, you can enable the new service for an SSL Client Group (see Chapter 4. SSL Client Groups, p. 23) and/or on a Location (see Chapter 6. SSL Services, p. 31). Until it is specifically enabled for the appropriate Location(s), the new service is not active. You may return to this screen at any time to define new custom services. Modifying an SSL Service To modify an existing SSL Service, select the service and use the Edit feature. After you have made your changes to the SSL Service, click OK to store your additions or Cancel to close the window without storing any of your changes. Once Saved, your changes will be downloaded automatically by the Location gateways where the service is in use and will go into effect immediately. You cannot modify a default SSL Service. Deleting an SSL Service To delete an SSL Service, select the service and use the Delete feature. If you delete an SSL Service that is currently enabled on any of your Locations, the Locations will no longer support this service. Once Saved, your changes will be downloaded automatically by the Location gateways and will go into effect immediately. You cannot delete a default SSL Service. Copyright 2014, Oracle and/or its affiliates. 18 Corente Services SSL Client

19 Chapter 3. Creating SSL Client Accounts for Users Each user must have a user account to log into the SSL Client. Depending on how you would like to authenticate users, user account creation will vary. Corente recommends the use of a RADIUS or LDAP server for authentication, but can also provide its own local authentication for users via a username and password combination. When local authentication is used, the SSL Client provides several additional permission controls: Access on the Location gateway s LAN can be limited to a specific group of machines (i.e., a User Group ) for each group of users. SSL services and features can be limited for each group of users. A user can change his/her own password. External Server Authentication (RADIUS and LDAP) When you use a RADIUS or LDAP server to authenticate remote users to a Location, you must configure user names and passwords for users on the RADIUS or LDAP server itself. Refer to the documentation for RADIUS or LDAP to determine how to create the accounts on your server. After creating the accounts, you will capture information in the Location form regarding your server and the RADIUS/LDAP implementation on your network. This allows the Location gateway to query the server correctly when a user attempts to log into the SSL Client. For information about these screens, refer to Chapter 9. External Authentication (RADIUS or LDAP) (p. 37). When external authentication is used, configuration of user accounts in App Net Manager is not required. Move to the next section, Chapter 5. Configuring SSL Client Access to a LAN (p. 26). Local Authentication If you are not going to use an external server for user authentication, you must use App Net Manager to create an account for each SSL Client user. This is accomplished with the SSL Clients feature, selectable in the domain directory of App Net Manager. User account information will be stored in the Corente Virtual Services Gateway database. To create and manage SSL Client accounts, open the SSL Clients category in the domain directory. Copyright 2014, Oracle and/or its affiliates. 19 Corente Services SSL Client

20 Figure 4: SSL Clients You can create, modify, and delete SSL Client accounts with this feature. Adding a New SSL Client Account in App Net Manager To add a new SSL Client account to your domain, make sure SSL Clients is selected in the domain directory and: Select the New button in the tool bar. From the File menu, select Add SSL Client. Right-click SSL Clients in the domain directory and select Add SSL Client. You will be taken to a blank Add SSL Client window. Copyright 2014, Oracle and/or its affiliates. 20 Corente Services SSL Client

21 Figure 5: Add SSL Client 2. On this screen, complete the following fields and selections: SSL Client Name: Enter the alphanumeric identifier for the SSL Client account that you are creating. You may use up to 15 alphanumeric characters. Do not use tabs, spaces, or punctuation marks when creating this name. (If you have created a Corente Client account for this user, the User Names for both accounts can be the same. For more information about Corente Clients, refer to the VI. Corente Services Client manual.) Password: Create an alphanumeric password for this SSL Client account. (The minimum and maximum number of characters for this password is set with the Domain Preferences tool in App Net Manager.) For security purposes, Corente requires that this password contain one each of the following: An upper-case character A lower-case character A numeric character Confirm Password: Re-enter the password you created in the Password field to avoid any mistakes. 3. SSL Client accounts are combined into groups to make administration easier. All SSL Client Groups that have been configured for this domain will be displayed in the SSL Client Group Membership of SSL Client list. Select the checkbox beside each group that you would like this SSL Client to join. You may add an SSL Client to as many groups as you would like. To create a new group, use the Chapter 4. SSL Client Groups feature (p. 23). Copyright 2014, Oracle and/or its affiliates. 21 Corente Services SSL Client

22 4. When you have completed this form, click OK to store your changes or Cancel to close the window and discard your changes. You must also Save your changes in App Net Manager in order for them to take effect. The new SSL Client name will now appear in your SSL Client list. You should repeat this process to add other SSL Client accounts to your domain. 5. After you have added SSL Client accounts, you must remember to supply the users with their user names and passwords. Additionally, if you have not associated SSL Client Groups with any Location, you should partner them via the User Remote Access tab in the appropriate Location s Location form. Viewing or Modifying an SSL Client Account Configuration If you would like to modify the configuration of an existing SSL Client, you can use the Edit feature. After you have made your changes to the SSL Client, click OK to store your additions or Cancel to close the window and discard your changes. Once Saved, your changes will go into effect immediately. Deleting an SSL Client Account If you would like to delete an SSL Client from your domain, you can use the Delete feature. This command will remove the SSL Client from App Net Manager, remove it from any SSL Client Groups it was associated with, and destroy any current connections between it and a Location. The user will no longer be able to access your Location(s) unless you add a new SSL Client account for the user. Once Saved, your changes will go into effect immediately. Copyright 2014, Oracle and/or its affiliates. 22 Corente Services SSL Client

23 Chapter 4. SSL Client Groups SSL Clients are combined into groups to make partner and permissions administration easier. The SSL Client Groups feature allows you to assign partners and SSL Service permissions to an entire group of SSL Clients at once. Figure 6: SSL Client Groups Adding a New SSL Client Group To create a new SSL Client Group, make sure SSL Client Groups is selected in the domain directory and: Select the New button in the tool bar. From the File menu, select Add SSL Client Group. Right-click SSL Client Groups in the domain directory and select Add SSL Client Group. You will be taken to a blank Add SSL Client Group window. Copyright 2014, Oracle and/or its affiliates. 23 Corente Services SSL Client

24 MyCompany : Add SSL Client Group Fill out this window as follows: Figure 7: Add SSL Client Group Name: Enter a new group name. SSL Services Permitted for Group Members: You can limit the services that are available to members of this SSL Client Group. Choose from the following options: Specified SSL Services Permitted: Select this option to choose the services that this group will be allowed to use. In the list below this option, you must select the checkboxes of the permitted SSL Services for this group. For more information about the default SSL Services that appear in the list, refer to Chapter 2. Pre-Configured SSL Services (p. 10) All SSL Services Permitted: Select this option to allow members of this group to use any SSL Service that has been enabled for use on a Location to which the group is partnered. No Services Permitted: Select this option to prevent members of this group from using any SSL Service. Copyright 2014, Oracle and/or its affiliates. 24 Corente Services SSL Client

25 When you have completed this form, click OK to store your changes or Cancel to close the window and discard your changes. Once Saved, your new SSL Client Group will appear in the list of SSL Client Groups. To add members to a group, select that group while configuring an SSL Client with the SSL Clients feature (Chapter 3. Creating SSL Client Accounts for Users, p. 19). Note: The ability for an SSL Client user to use an SSL Service through a Location gateway depends on both (a) the SSL Service being permitted in the SSL Client s group and (b) the SSL Service being permitted by the Location. When you enable SSL Services for a Location (Chapter 6. SSL Services, p. 31), make sure the permissions for that Location and for the SSL Client Group partnered with the Location allow the correct SSL Services to be used. Modifying an SSL Client Group If you would like to modify the configuration of an existing SSL Client Group, you can use the Edit feature. If the SSL Client Group contains any members, these SSL Clients will be listed in the Group Members of SSL Client Group list. After you have made your changes to the SSL Client Group, click OK to store your additions or Cancel to close the window and discard your changes. Once Saved, your changes will go into effect immediately. Deleting an SSL Client Group To delete an SSL Client Group, you can use the Delete feature. Once Saved, the SSL Client Group will be removed from your domain. Copyright 2014, Oracle and/or its affiliates. 25 Corente Services SSL Client

26 Chapter 5. Configuring SSL Client Access to a LAN After creating accounts for SSL Client users, you must enable SSL Client access on at least one of your Corente Virtual Services Gateways and configure the access permissions that users will be given on the Location gateway s LAN. To enable and configure SSL Client access to a Location, complete the following steps: 1. Access the Location form for the Location in App Net Manager: Right-click on the Location icon in the map or domain directory and select Edit. Double-click the Location name in the domain directory Select the Location name in the domain directory and then select the Edit option from the tool bar or the Edit menu. When the Location form is displayed, select the User Remote Access tab. Copyright 2014, Oracle and/or its affiliates. 26 Corente Services SSL Client

27 Figure 8: User Remote Access tab 2. Select the option labeled Allow SSL Client Access to the Network. Until this checkbox is selected, SSL Client access through the Location gateway to local LAN is disabled, even if you have ordered the service and it has been provisioned (turned on) by Corente. 3. Select the Require Client Certificate option if you are supplying digital certificates on SSL clients and you have installed a CA Certificate for this Location gateway on the SSL Certificate page of Gateway Viewer (for more information, see Chapter 1. SSL Certificate, p. 44). This feature provides two-factor authentication. Note: Users that access the Internet via a proxy server will not be able to connect to the SSL Client when this option is selected. 4. Fill out the settings as follows to control the behavior of SSL Client sessions: Copyright 2014, Oracle and/or its affiliates. 27 Corente Services SSL Client

28 Inactive Session Timeout (min): Enter the amount of time in minutes that an SSL Client session will remain connected to the Location if the SSL Client is left idle by the user. The default timeout is 15 minutes. WARNING: The session timeout period may conflict with users programs when they have been set to check automatically for new messages from the mail server. Remind users to configure their programs so that the length of time between message checks is more frequent than the session timeout period. This will prevent the users from having to re-login to the SSL Client each time their program attempts to look for new messages. Failed Login Attempts: Enter the number of login attempts that a user will be allowed before the user is locked out of the SSL Client for the amount of time that you specify in the Lockout Time field (see below). The user will be unable to login successfully (even with a correct username and password) until the Lockout Time period has completed. The default number of attempts is 5. Lockout Time (minutes): Enter the number of minutes that a user will be locked out of the SSL Client after exceeding the total number of Failed Login Attempts that you have specified (see above). After this time period has completed, the user will have the number of Login Attempts that you have specified above until the user is locked out again for the period that you specify in this field. The default lockout time is 1 minute. SSL Port: Enter the port number on the Corente Virtual Services Gateway that remote computers will use to access the SSL Client login. The default port is 443, but should be changed if this port number is already being used. If you change the port number, SSL Client users must connect directly to that port number. (For example, if the Visible DNS Name of Location is chicago.acme.com and the SSL Port is 999, to access the SSL Client interface for this Location, users would type Important: This port number must be opened in any firewalls shielding this Corente Virtual Services Gateway. 5. In the Visible DNS Name of Location field, enter the DNS name that SSL Client users will use to access this Corente Virtual Services Gateway from the WAN. This name should be formed using three levels, i.e. chicago.acme.com (where acme.com is the domain name that has been registered by your company). Users will enter and this name in the location bar of their web browser to access the SSL Client interface ( Note: If this DNS name will not be available via a public DNS server, you should add this name to the DNS server at each remote user's location or add an entry to the hosts file of each user's computer so that this name can be resolved. 6. Click the Configure button adjacent to SSL Services. The SSL Services screen will be displayed. Complete this screen to identify the services that will be available on the LAN for SSL Client users. This screen is described in Chapter 6. SSL Services (p. 31) Copyright 2014, Oracle and/or its affiliates. 28 Corente Services SSL Client

29 7. Click the Configure button adjacent to System Homepage and Bookmarks. The Homepage Bookmarks screen will be displayed. This screen allows you to enter URLs and bookmark names that all users will be able to access from the SSL Client interface for this Location. This screen is described in Chapter 7. System Homepage and Bookmarks (p. 33). 8. Click the Configure button adjacent to SSL Authorized Groups. The SSL Authorized Groups screen will be displayed. Complete this screen to identify the SSL Client Groups that will be allowed to connect to this Location. You only need to fill out this screen if you are using Local Authentication (see Step 9). This screen is described in Chapter 8. SSL Authorized Groups (p. 35). 9. The Authentication Type section allows you to specify how SSL Client users will be authenticated to the Location. If you are using an External Authentication method, you must capture configuration information about the RADIUS or LDAP server (see Step 10). Local Authentication (Password): Select this option to authenticate users to the Corente Virtual Services Gateway via the standard login interface (user name and password). When this option is selected, you must use the SSL Client feature to set up SSL Client accounts for each user (see Chapter 3. Creating SSL Client Accounts for Users, p. 19). Then, you must select the SSL Client Groups that will be allowed to access this Corente Virtual Services Gateway and specify the User Group that they will be permitted to access in the Authorized SSL Client Groups section (see Step 8). External Authentication (RADIUS): Select this option if you would like to use a RADIUS server on your LAN to authenticate SSL Client users to the Corente Virtual Services Gateway. This option will be selectable when you have enabled a RADIUS server in the SSL Client Authentication section of this screen and configured its settings. If you use a RADIUS server for authentication, you must configure SSL Client accounts for users on the RADIUS server. External Authentication (LDAP): Select this option if you would like to use an LDAP server on your LAN to authenticate SSL Client users to the Corente Virtual Services Gateway. This option will be selectable when you have enabled an LDAP server in the SSL Client Authentication section and configured its settings. If you use an LDAP server for authentication, you must configure SSL Client accounts for users on the LDAP server. 10. The External Authentication Servers section allows you to specify the methods of authentication that are available on your LAN for use by remote access clients. (The settings that you capture for RADIUS and LDAP servers will apply for both Corente Clients and SSL Client users.) Enable RADIUS Server: Select this option to enable RADIUS server authentication for SSL Client users. When this option is selected, you must click the Configure button to configure the RADIUS server authentication settings. The RADIUS Server Authentication screen is described in RADIUS Authentication (p. 37). In order to use this server to authenticate SSL Client users, you must select External Authentication (RADIUS) in the Authentication Method section of this screen. Copyright 2014, Oracle and/or its affiliates. 29 Corente Services SSL Client

30 Enable LDAP Server: Select this option to enable LDAP server authentication for SSL Client users. When this option is selected, you must click the Configure button to configure the RADIUS server authentication settings. The LDAP Server Authentication screen is described in LDAP Authentication (p. 38). In order to use this server to authenticate SSL Client users, you must select External Authentication (LDAP) in the Authentication Method section of this screen. 11. After configuration on this screen is complete, click OK to close the Location form. Select the Save feature from the File menu or the toolbar to save your changes. Copyright 2014, Oracle and/or its affiliates. 30 Corente Services SSL Client

31 Chapter 6. SSL Services This screen allows you to select the services that the Location will allow all of its SSL Clients to use on the Location s LAN. Note: When Local Authentication is being used, you can enable or disable SSL Services for groups of SSL Client users with the SSL Client Groups feature (see Chapter 4. SSL Client Groups, p. 23). This means that different SSL Client Groups that are authorized to communicate with this Location can have different permissions on the Location's LAN. Of course, for a group to use a permitted service on this LAN, the service must also be enabled on this screen. Figure 9: SSL Services screen This screen lists all the SSL Services that you have already enabled for SSL Client users that communicate with this Location. You can Edit any of these services to modify how SSL Clients can use it or you can Delete a service to prohibit SSL Clients from using it. To enable a new service, click the Add button. The Edit SSL Service screen will be displayed. Copyright 2014, Oracle and/or its affiliates. 31 Corente Services SSL Client

32 Figure 10: Edit SSL Service Fill out this screen as follows: SSL Service: Select the SSL Service that you would like to enable from this pull-down menu. This screen lists all the SSL Services (both default and custom defined) that have been defined for your domain. You can define custom services with the SSL Services feature (see Chapter 2. SSL Services, p. 15). Protocol: If applicable, select the protocol that this service will use from the pull-down menu. Port: If applicable, enter a port number that this Location gateway will use to contact the server providing the service. The standard default ports for each service will be displayed in this field when a service is selected. Specify Server IP Address or DNS Name: If applicable, use this section to associate a specific server with this service. SSL Clients of this Location can use the service to connect to this specified server only. Select either Server IP Address (and specify the IP address of the server) or Server DNS Name (and specify the DNS name of the server) Note: The IP address of the server must be included in the Default User Group of the Location. Click OK to save your changes to this addition. Click OK again to close the SSL Services window. For more information on the services available to enable or disable on this screen, refer to Chapter 2. Pre-Configured SSL Services (p. 10) and Configuring Custom SSL Services (p. 16). Copyright 2014, Oracle and/or its affiliates. 32 Corente Services SSL Client

33 Chapter 7. System Homepage and Bookmarks The System Homepage and Bookmarks screen allows you to choose a homepage that will display when users log into the SSL Client for this Location. You can also use this screen to create bookmarks for intranet web browsing that will appear as System Bookmarks in the Bookmarks list on the user interface. Users will also be able to create their own bookmarks on their personal SSL Client interface. Figure 11: System homepage and Bookmarks You can edit or delete any bookmark in this list. You will not be able to delete the System Homepage entry. Specify an SSL Client Homepage To specify a homepage that will appear when users log into the SSL Client for this Location, select the System Homepage entry and click the Edit button. Figure 12: System Homepage Choose http or https and enter the URL of the intranet web page that will display when users first log into the SSL Client. Click OK. Copyright 2014, Oracle and/or its affiliates. 33 Corente Services SSL Client

34 Create Bookmarks for Intranet Browsing To create a bookmark that will be available for SSL Client users of this Location, click the Add button. Complete the fields as follows: Figure 13: Add Bookmark Bookmark Name: Enter the name that will be displayed to users as the name of the bookmark. URL: Choose http or https and enter the URL of the bookmark. Click OK. Copyright 2014, Oracle and/or its affiliates. 34 Corente Services SSL Client

35 Chapter 8. SSL Authorized Groups This screen allows you to authorize certain SSL Client Groups to connect to this Location (when Local Authentication is being used). SSL Client Groups are groups of SSL Client accounts and are created with the SSL Client Groups feature (see Chapter 4. SSL Client Groups, p. 23). Figure 14: SSL Authorized Groups This screen displays the SSL Client Groups in your domain that have been authorized to access this Location, the local User Group to which the SSL Group can connect, a summary of the permissions that this group has been assigned, and the number of SSL Services that members of this group can use. You can Edit or Delete any of the existing entries on this screen. To authorize an SSL Client Group to communicate with this Location, click the Add button. The Add SSL Authorized Group screen will be displayed. Copyright 2014, Oracle and/or its affiliates. 35 Corente Services SSL Client

36 Figure 15: Add SSL Authorized Group Fill out the fields as follows: Name: Select the SSL Client Group that you are allowing to access this Location. (Note that an SSL Client Group can be associated with multiple Locations.) User Group: Select the local User Group of this Location that the selected SSL Client Group will be allowed to communicate with. User Groups are groups of IP addresses on the Location s LAN and are created on the User Groups tab of the Location form. This screen also displays the permissions that the selected SSL Client Group has been assigned. You cannot change these permissions on this screen, but you can modify them for the group with the SSL Client Groups feature. When you have finished, click the OK button to store your changes or the Cancel button to discard your changes. Copyright 2014, Oracle and/or its affiliates. 36 Corente Services SSL Client

37 Chapter 9. External Authentication (RADIUS or LDAP) If you are going to use an external server (either RADIUS or LDAP) for authentication of SSL Client users, you must enter information about this server into a screen in the Location form. Complete this configuration after you have created user accounts on the server. On the User Remote Access page, click the Configure button for either RADIUS or LDAP in the External Authentication Servers section to display the appropriate External Authentication screen. Note: You can capture only one set of information per Location for a RADIUS server and one set of information for an LDAP server. RADIUS Authentication When you click the Configure button to configure a RADIUS Server, the Edit RADIUS Server screen will appear. Use this screen to capture the settings that the Corente Virtual Services Gateway will use to contact the RADIUS server on your LAN for authentication of SSL Client users. Figure 16: RADIUS Server Authentication Settings RADIUS is an authentication protocol commonly used to provide secure authentication for users. It is often used to provide centralized authentication, authorization, and accounting. Copyright 2014, Oracle and/or its affiliates. 37 Corente Services SSL Client

38 To configure your Corente Virtual Services Gateway to contact the RADIUS server, complete the following options and fields: Enable RADIUS Server: Select this option to enable the RADIUS server. IP Address: Enter the IP address of the RADIUS server on your LAN. This address must be included in the Default User Group of this Corente Virtual Services Gateway. Port: Enter the port number on the RADIUS server that the Corente Virtual Services Gateway will contact to authenticate remote users. The default port number used will be 1831, but this number can be changed if the port is already in use. Secret: Enter the secret that the Corente Virtual Services Gateway will use to authenticate itself with the RADIUS server. Confirm Secret: Re-enter the secret you entered in the Secret field to avoid any mistakes. Timeout: Select the timeout interval for how long the Corente Virtual Services Gateway will wait for the RADIUS server to respond to its request to authenticate a remote user. You may select any interval between 1 and 30 seconds. The default interval is 4 seconds. Retries: Select how many retries the Corente Virtual Services Gateway will attempt in order to contact the RADIUS server for an authentication. For each attempt, the Corente Virtual Services Gateway will wait for the interval you have selected with the Timeout option. You may select between 1 and 10 retries. The default number of retries is 2. Login Prompt: Enter the login prompt for users. Password Prompt: Enter the password prompt for users. Click OK once you have provided the appropriate information. LDAP Authentication When you click the Configure button to configure LDAP Server settings, the Edit LDAP Server screen will be displayed. Use this interface to specify the settings that the Corente Virtual Services Gateway will use to authenticate remote access users with the Lightweight Directory Access Protocol (LDAP) server on your LAN. Copyright 2014, Oracle and/or its affiliates. 38 Corente Services SSL Client

39 Figure 17: LDAP Access LDAP is an open-standard protocol for accessing X.500 directory services. A directory is a specialized database optimized for reading, browsing and searching. LDAP is used to authenticate users based on entries in the directory. Corente uses the standard implementation of Open LDAP. To configure your Corente Virtual Services Gateway to contact the LDAP server, complete the following fields: Enable LDAP Server: Select this option to enable the LDAP server. LDAP Server IP Address or DNS Name: Select the appropriate option and enter either the IP address or DNS name of the LDAP server on your LAN. This address must be included in the Default User Group of this Corente Virtual Services Gateway. LDAP Server Port: Enter the port number on the LDAP server that the Corente Virtual Services Gateway will contact to authenticate remote users. The default port number used will be 389, but this number can be changed if the port is already in use. Backup LDAP Server IP Address or DNS Name: (optional) Select the appropriate option and enter either the IP address or DNS name of the backup LDAP server on your LAN. This address must be included in the Default User Group of this Corente Virtual Services Gateway. Backup LDAP Server Port: (optional) Enter the port number on the backup LDAP server that the Corente Virtual Services Gateway will contact to authenticate remote users. User Name: Enter the username that this Corente Virtual Services Gateway will use to log into the LDAP server in order to authenticate remote users. Copyright 2014, Oracle and/or its affiliates. 39 Corente Services SSL Client

40 Password: Enter the password that this Corente Virtual Services Gateway will use to log into the LDAP server in order to authenticate remote users. Timeout: Select the timeout interval for how long the Corente Virtual Services Gateway will wait for the LDAP server to respond to its request to authenticate a remote user. You may select any interval between 1 and 30 seconds. The default interval is 4 seconds. Base: Enter the user name at which to start the directory search. This setting provides controls on how a query to the LDAP server is performed. Scope: Select the integer that will indicate the scope of the directory search. Options available in the pull-down menu are LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, and LDAP_SCOPE_SUBTREE. This setting provides controls on how a query to the LDAP server is performed. Filter: Enter a filter string for the search. This setting provides controls on how a query to the LDAP server is performed. Attributes: Enter the sub-fields that you would like retrieved from the database. Each entry in this field should be space-separated. This setting provides controls on how a query to the LDAP server is performed. Click OK once you have provided the appropriate information. For more information about any of the fields or options on this screen, refer to the LDAP documentation. Copyright 2014, Oracle and/or its affiliates. 40 Corente Services SSL Client

41 Chapter 10. Configuring SSL Client Access to Partners By default, SSL Client users are able to access computers on the LAN of the Corente Virtual Services Gateway that they log into. If you have enabled Partner Access on the SSL Services page for the Location (see Partner Access, p. 12, and Chapter 6. SSL Services, p. 31), you can allow the SSL Client users of that Location to connect to the Location s partners. SSL Client users will automatically be able to connect to the Corente Client partners of the Location. However, each of the Location s Location partners must explicitly allow the Location s SSL Client users to access computers within the Default User Group. Allow SSL Client Access To allow SSL Client access to partners, perform the following steps. 1. Enable Partner Access on the SSL Services window (via the User Remote Access tab) of the Location providing the SSL Client interface. This Location is known as the SSL host Location. 2. Click OK to save changes on the Location form for the SSL host Location. 3. Now, choose the SSL host Location s partner that you would like users to be allowed to access. Open this Location s Location form. 4. Access the Partners tab in the Location form, and Edit the partner entry for the SSL Host Location. Figure 18: Partners Tab Copyright 2014, Oracle and/or its affiliates. 41 Corente Services SSL Client

42 6. The Add Partner window is displayed. In the Connection Settings section, select Allow Partner SSL Clients access to LAN. Figure 19: Add Partner 7. Click the OK button to save your changes to the Location form, and save your changes with the Save button in the App Net Manager tool bar. SSL Client users of the SSL host Location will now be able to access computers within the Default User Group of the Location partner. The NAT settings that were enabled for the SSL host Location on the partner s Partner tab will also apply to the SSL Client users. For security reasons, you cannot use this option to allow SSL Client users of an Extranet Location to connect to this Location. Copyright 2014, Oracle and/or its affiliates. 42 Corente Services SSL Client

43 III. Configuring Corente Virtual Services Gateways for Use with the SSL Client Once you have enabled the Allow SSL Client access to the Network option on a Corente Virtual Services Gateway and configured the other appropriate settings on the Location form, the Gateway Viewer application must be accessed for that Location in order to install a signed digital certificate. This certificate will encrypt each user s session with SSL. Even if you decide not to provide two-way authentication with client-side certificates and a Location gateway-side CA certificate, you must install an SSL certificate on the Location gateway. The Gateway Viewer also includes two interfaces that allow you to view current and historical SSL Client user activity. SSL Admin When you access Gateway Viewer, all of the options for SSL are located in the SSL Admin menu. SSL Admin: This button contains three options. All of these options are password-protected. SSL Certificate allows you to upload or define a new certificate that will be used to encrypt users' sessions with SSL. SSL Log allows you to view the history of logins and logouts to this Corente Virtual Services Gateway via the SSL Client. SSL User Report lists all active SSL Client sessions to this Corente Virtual Services Gateway. Copyright 2014, Oracle and/or its affiliates. 43 Corente Services SSL Client

44 Chapter 1. SSL Certificate Note: This page will be unavailable until SSL Client access has been enabled to this Corente Virtual Services Gateway in App Net Manager. The Corente Gateway SSL Certificate Administration page is used to define and/or upload the necessary SSL certificates that will be used to encrypt each user s session with SSL. Figure 20: SSL Certificate Administration This screen can be used to access information for three different types of certificates. SSL Certificate: This certificate is required for the SSL Client. It is the certificate that is used to encrypt each user s session with SSL. On this interface, you can generate a Certificate Signing Request (CSR) to obtain a signed certificate from a trusted Certificate Authority (CA), install a signed certificate, or create a self-signed certificate. SSL Certificate Chain: If you have obtained your SSL Certificate from a CA, an intermediate certificate may need to be installed on the Location gateway when you install the SSL Certificate. Your CA will inform you if this extra certificate is needed. CA Client Certificate: If you would like to provide users with two-way authentication for SSL, you can install a CA certificate on your Location gateway and personal certificates on each user s computer. The installation status of each certificate on your Location gateway will be indicated in the table. To upload, delete, or change any of these listed certificates, click the Modify button for the appropriate certificate. When you click the hyperlink labeled Status at the top of the page, the Corente Gateway SSL Certificate Administration: Manage Certificate Status screen will be displayed. This screen displays the last recorded status of the SSL certificates that are installed on your Location gateway. You can use this screen to determine if a new SSL certificate has been installed correctly on the Location gateway. Copyright 2014, Oracle and/or its affiliates. 44 Corente Services SSL Client

45 Figure 21: SSL Certificate Status SSL Certificate The SSL Certificate page is used to define the certificate and private key that will be used to encrypt each SSL Client session with SSL. The certificate authenticates the Corente Virtual Services Gateway with each connecting SSL Client. You can create a CSR to send to a trusted CA, upload the digitallysigned SSL certificate that you have obtained from a CA, or create a new, self-signed certificate. Until a certificate is installed, the SSL Client will be inaccessible at this Location. Figure 22: SSL Certificate Administration It is strongly recommended that you generate a CSR and import the SSL certificate that you obtain from a trusted CA (such as VeriSign). When obtaining your SSL certificates, it may be useful to note that the Corente Virtual Services Gateway runs an Apache server with mod_ssl and open_ssl on Linux. If an SSL certificate is already in use, the information for that certificate will be displayed in the Installed SSL Certificate Information section on this interface. Copyright 2014, Oracle and/or its affiliates. 45 Corente Services SSL Client

46 All certificate and private key files used by the Corente Virtual Services Gateway are BASE64 encoded X.509 format. This format is also called Privacy Enhanced Mail (PEM) format. If the Corente Virtual Services Gateway Visible DNS Name is changed in App Net Manager, you must import or create a new certificate for this Location gateway. Obtaining an SSL Certificate Signed by a CA To obtain a signed SSL certificate from a trusted CA (such as VeriSign), you will need to generate a Certificate Signing Request (CSR). Complete the following steps: 1. To generate a CSR for the Location, click the Generate a Certificate Signing Request (CSR) button. On the Generate Certificate Signing Request (CSR) page that is displayed, fill out any of the following optional fields: Valid for: Enter the number of days that this certificate will be valid. When the certificate expires, you must create or import a new certificate. Users sessions can still be encrypted with SSL after certificate expiration, but they will be notified that the certificate has expired and may not be trustworthy. Country Name: Enter the two-letter abbreviation for the country in which this certificate is originating. State or Province Name: Enter the name of the state or province in which this certificate is originating. Locality Name: Enter the name of the city or town in which this certificate is originating. Organization Name: Enter the name of your company or organization. Organizational Unit Name: Enter the name of the department of your company or organization that is providing this certificate. Address: Enter the address for users to contact about this certificate. Pass Phrase: Enter a pass phrase that will be used to encrypt the private key for this certificate. Pass Phrase (again): Re-enter the pass phrase to avoid mistakes. 2. Click the Generate button. A ZIP file will be downloaded to your browser. This ZIP file contains two files: a Certificate Signing Request (CSR) and the corresponding Private Key (KEY). 3. Unzip this file and send the CSR to a trusted CA such as VeriSign to be digitally signed. 4. When you receive the signed certificate, use the Import SSL Certificate option to upload the certificate and private key. Copyright 2014, Oracle and/or its affiliates. 46 Corente Services SSL Client

47 If your CA requires that you install an Intermediate Certificate on this Location gateway as well, use the SSL Chain Certificate page (see SSL Chain Certificate, p. 48). Install an SSL Certificate on Your Location Gateway Once you have obtained a signed SSL certificate from a trusted CA (such as VeriSign), install this certificate on your Location gateway. Complete the following steps: 1. To import an SSL certificate and/or SSL private key file that were signed by a trusted CA (such as VeriSign), click the Import SSL Certificate button. On the Import SSL Certificate page that is displayed, enter the following information: Pathname to SSL certificate file: Enter the complete path and file name of the SSL certificate that is stored on your system or use the Browse button to locate this certificate. Pathname to SSL private key file: If a private key is not included in your SSL certificate file, specify the key file in this field. Enter the complete path and file name of the SSL private key that is stored on your system or use the Browse button to locate this file. Pass phrase: If the private key that you are importing is encoded with a pass phrase, enter this phrase in the field provided. 2. Click Install to save this certificate to the Location gateway. The Location gateway will restart, and will now encrypt each SSL Client user's session with this certificate and the private key. Create a Self-Signed Certificate If you do not want to obtain a signed SSL certificate from a trusted CA, you can create a self-signed certificate on this interface and use it for SSL encryption. Complete the following steps: 1. To create a new, self-signed SSL certificate, click the Create a self-signed SSL Certificate button. On the Create a Self-Signed SSL Certificate page that is displayed, you can fill out the following optional fields: Valid for: Enter the number of days that this certificate will be valid. When the certificate expires, you must create or import a new certificate. Users sessions can still be encrypted with SSL after certificate expiration, but they will be notified that the certificate has expired and may not be trustworthy. Country Name: Enter the two-letter abbreviation for the country in which this certificate is originating. State or Province Name: Enter the name of the state or province in which this certificate is originating. Locality Name: Enter the name of the city or town in which this certificate is originating. Copyright 2014, Oracle and/or its affiliates. 47 Corente Services SSL Client

48 Organization Name: Enter the name of your company or organization. Organizational Unit Name: Enter the name of the department of your company or organization that is providing this certificate. Address: Enter the address for users to contact about this certificate. All of these fields are optional. The information that you enter here will be presented to SSL Client users when they are asked to accept the certificate to encrypt their session with SSL. 2. When you have entered information in the fields of your choice, click Install to save this certificate to the Location gateway. The Location gateway will restart, and will now encrypt each user's SSL Client session with this certificate and a private key. No validation of this information is performed. Note: If you create a certificate and an SSL Client user immediately attempts to connect to the Location, the certificate may appear to be expired. This occurs because the time on the user's computer may be slightly earlier than the time on the Corente Virtual Services Gateway where the certificate was created and installed. The certificate will appear valid once the time on the user's computer has passed the time of the certificate's creation. SSL Chain Certificate If your CA requires that you install an SSL Chain Certificate (Intermediate Certificate) in addition to the SSL certificate that the CA has digitally signed, the SSL Certificate Chain page allows you to install this certificate on your Corente Virtual Services Gateway. Figure 23: SSL Chain Certificate Administration Your CA may distribute an SSL Chain Certificate to you along with the signed SSL Certificate. Installing both of these certificates creates a hierarchical SSL certificate chain for validation. The purpose of this chain is to provide a replacement for the CA s root certificate. Certain CAs do not want to distribute their root certificate to you. SSL validation through the chain is accomplished first by validating the SSL Certificate through the SSL Chain Certificate, and then through the corresponding root certificate that is owned by the CA (and not installed on your Location gateway). Copyright 2014, Oracle and/or its affiliates. 48 Corente Services SSL Client

49 Remember that your CA will inform you if an SSL Chain Certificate is needed. To install the certificate, complete the following steps: 1. Click the IMPORT SSL Chain Certificate button to install the SSL Chain Certificate. On the Import SSL Chain Certificate page that is displayed, enter the complete path and file name of the SSL Chain certificate that is stored on your system or use the Browse button to locate this certificate. 2. Click the Install button. The SSL Services provided by this Location gateway will be momentarily disrupted while the server is restarted. To delete this certificate in so that you can install a new one, click the Delete button on the main SSL Chain Certificate page. CA Client Certificate If you are providing two-way digital certificate authentication between the Corente Virtual Services Gateway and its SSL Client users, you must install a CA certificate on this Corente Virtual Services Gateway in addition to the SSL certificate. This CA Certificate can be self-signed or obtained from a trusted CA such as VeriSign (recommended). Figure 24: CA Client Certificate Administration The CA Client Certificate page allows you to install a CA Certificate on your Location gateway. To install a CA Client Certificate, complete the following steps: 1. Click the IMPORT CA Client Certificate button to install the CA Client Certificate. On the Import CA Client Certificate page that is displayed, enter the complete path and file name of the CA Client Certificate that is stored on your system or use the Browse button to locate this certificate. 2. Click the Install button. The SSL Services provided by this Location will be momentarily disrupted while the server is restarted. Copyright 2014, Oracle and/or its affiliates. 49 Corente Services SSL Client

50 Only one CA certificate may be installed on a Location gateway at a time. Information about this certificate will appear on the CA Client Certificate page. To delete this certificate in so that you can install a new one, click the Delete button on the main CA Client Certificate page. Two-way authentication also requires personal certificates to be imported into the browser of each SSL client. (These certificates can also be obtained from a trusted CA). The certificates imported into the client browsers may be in different formats than the Location certificates (i.e., PKCS12). Additionally, the Require Client Certificate option must be selected on the User Remote Access tab of the Location form for this Corente Virtual Services Gateway. For more information about enabling this option, refer to Chapter 5. Configuring SSL Client Access to a LAN (p. 26). Copyright 2014, Oracle and/or its affiliates. 50 Corente Services SSL Client

51 Chapter 2. SSL Log Note: This page will be unavailable until SSL Client access has been enabled to this Corente Virtual Services Gateway in App Net Manager. The Corente Gateway SSL Log page allows you to view the history (up to five days) of logins and logouts to this Corente Virtual Services Gateway via the SSL Client. Figure 25: SSL Log Each entry in this log will present the date and time, the user name that was entered, the IP address of the computer, and one of the following potential statuses: Authenticate: The user successfully logged into the SSL Client. timed out: The SSL Client was left idle by the user and the session expired. session terminated: The user successfully logged out of the SSL Client. authentication failure: The login attempt failed due to incorrect user name or password. Copyright 2014, Oracle and/or its affiliates. 51 Corente Services SSL Client

52 Chapter 3. SSL User Report Note: This page will be unavailable until SSL Client access has been enabled to this Corente Virtual Services Gateway in App Net Manager. The Corente Gateway SSL User Report page lists all active SSL Client sessions to this Corente Virtual Services Gateway. This interface is useful for keeping track of the users that are currently accessing the Corente Virtual Services Gateway. Figure 26: SSL User Report Each entry provides the following information: User ID: The user name of the SSL Client user. Source Address: The IP address of the computer connecting via the SSL Client. Session Duration (HH:MM:SS): The total duration of the current SSL Client session. Additionally, the total number of current users is displayed at the top of the Active SSL Users section. Copyright 2014, Oracle and/or its affiliates. 52 Corente Services SSL Client

53 IV. Using the SSL Client This chapter contains information that details how to use the SSL Client. Similar information is provided to users in the help file that is accessible in this interface. Copyright 2014, Oracle and/or its affiliates. 53 Corente Services SSL Client

54 Chapter 1. Supply Users with Login Information After you have enabled the SSL Client on a Corente Virtual Services Gateway, granted permissions to SSL Client users of this Location, and installed an SSL Certificate on this Location gateway, you must supply each of the users with the following: the login information that you have created for that user (username/password, RADIUS, or LDAP login information) the Visible DNS Name that you have chosen for the Location(s) and the port number (if applicable) that they will access the appropriate permissions for the usernames and passwords on the servers that they will access on the LAN instructions for configuring their program to access and send messages over SSL Additionally, you should make sure that each remote user can connect to the SSL Client with the Visible DNS Name of Location. If this DNS name will not be available via a public DNS server, you should add this name to the DNS server at each remote user's location or add an entry to the hosts file of each user's computer so that this name can be resolved. For an template that can be used to supply users with this necessary information, refer to VI. Appendix: Template for to New Users (p. 95). Copyright 2014, Oracle and/or its affiliates. 54 Corente Services SSL Client

55 Chapter 2. Logging In The SSL Client uses SSL encryption for secure access to the Corente Virtual Services Gateway. When a user opens the SSL Client by typing and the Visible DNS Name of the Location into their web browsers (and the SSL Port number, if applicable see Chapter 5. Configuring SSL Client Access to a LAN, p. 26), the user may be asked to accept a certificate if the browser does not recognize the certificate s source. This certificate has been provided by you via the SSL Certificate interface in the Gateway Viewer application (see Chapter 1. SSL Certificate, p. 44). The user should confirm the information that is presented about this certificate and accept it to provide SSL encryption to the Location gateway. Additionally, users will be asked to validate a signed applet from Corente during the initial login if you have enabled certain services for them on the SSL Client Services page (see Chapter 6. SSL Services, p. 31). Corente provides the ability to certain services via this JAVA applet. The user should verify the information that is presented and accept the applet. Note: If the user is using Internet Explorer 7.0 or later, the user will be alerted that the certificate does not appear to be valid. The user should select Continue Anyway to access the SSL Client. Homepage By default, the SSL Client displays a blank homepage upon login. If you have configured another homepage for users on the Location form, this homepage will be displayed instead (see Chapter 7. System Homepage and Bookmarks, p. 33, for more information). Figure 27: SSL Client Default Homepage Other areas in the application are accessible via buttons displayed across the top of the browser window. Copyright 2014, Oracle and/or its affiliates. 55 Corente Services SSL Client

56 Session Expiration The session will expire if the users leave the SSL Client window idle, depending on the session timeout that you have specified (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26). If the session expires, the user should simply re-login to continue using the SSL Client. Copyright 2014, Oracle and/or its affiliates. 56 Corente Services SSL Client

57 Chapter 3. Browse Web Pages The SSL Client can be used for secure access to websites within your corporate intranet. Accessing Web Sites There are two methods to access a web site via the SSL Client: In the field labeled Browse, type the URL of the web site. Click Go. Figure 28: Browse field While still logged into the SSL Client, the user can type an address directly in the address bar of the web browser. However, to access the web site, the address must be constructed in the following way so that the request is routed through the Corente Virtual Services Gateway: + Location DNS name + /t/ website address Therefore, if a user is accessing via a Corente Virtual Services Gateway with the DNS name of miami.acme.com: System Bookmarks If you have configured special bookmarks for users on the System Homepage and Bookmarks screen in the Location form (see Chapter 7. System Homepage and Bookmarks, p. 33), these bookmarks will appear in the Bookmarks pull-down menu for each SSL Client user. To access the URL of a bookmark, users must simply select the appropriate bookmark from the menu. Figure 29: Select a Bookmark Users can also create their own personal bookmarks that will appear in this menu. For more information, refer to Creating New Personal Bookmarks (p. 74). Copyright 2014, Oracle and/or its affiliates. 57 Corente Services SSL Client

58 Pages That Cannot Be Accessed To provide secure browsing of intranet websites, the SSL Client identifies any non-secure URLs that the user accesses and rewrites them into secure URLs. The Corente SSL Rewrite Engine looks at each return page and rewrites the URLs on the page to the URL of the secure SSL host. This occurs for private URLs as well as public URLs. (Note that while it is possible to access public web pages via the SSL Client, users are recommended to open a new browser window that is not logged in and access public web pages outside of thessl Client.) There are certain cases when the rewrite engine cannot rewrite a page. Users may not be able to access pages via the SSL Client that use the following: Ill-formed HTML pages If there are mistakes in the HTML of the web page, the rewrite engine may fail to rewrite the URL. This may result in: Pop-up windows warning that the browser is switching to a non-secure site The page is displayed as broken, with missing icons or text Client-side scripts This includes such scripts as Visual Basic Script (VBScript), Java applets, and certain JavaScripts. Attempting to access a site that uses these scripts may result in: Pop-up windows warning that the browser is switching to a non-secure site The page is displayed as broken, with missing icons or text Plug-ins (Shockwave, Flash, etc.) If the user inputs a URL via a plug-in such as Shockwave or Flash, the rewrite engine will have no knowledge these URL parameters and therefore will not try to rewrite them when the URL loads. The plug-in objects will try to access the file outside of the SSL Client. This may cause the browser to seem like it never finished rendering the page or loading the file. Client-side cookies Extended Stylesheet Translation Language (XSTL) Pages that are larger than 150,000 bytes Due to memory constraints, files that are larger than 150,000 bytes will be loaded into the user s browser without SSL encryption. Generally, if the user is attempting to load an intranet web page that contains any of these, the page will be inaccessible from a remote location. If the user is attempting to load a public web page, the page will be sent to the browser outside of the SSL Client. Additionally, if there is a problem (such as a script error) caused by the SSL Client tool bar that displays in a frame across the top of the window, the user can display pages without the frame by typing the modified SSL URL directly in the address bar of the web browser (see Accessing Web Sites, p. 57) for information on how to form this URL). The user can also try displaying the page in another type of browser (such as Netscape) to see if the browser was causing the errors. Copyright 2014, Oracle and/or its affiliates. 58 Corente Services SSL Client

59 Applets and Plug-Ins on Web Pages Even though a user s browser is able to access an intranet web page over SSL, this does not guarantee that any applets or plug-ins on the web page will be routed through SSL correctly. If you would like any applets or plug-ins on pages that SSL Client users will access to be routed correctly over SSL, you must make sure that the applets are configured to route to localhost. This will ensure that requests made to the applet or plug-in will be routed via the Corente Virtual Services Gateway and then proxied to the correct server on the Location gateway s LAN. For more information on how the SSL Client routes traffic to the Corente Virtual Services Gateway, refer to Configuring Custom SSL Services (p. 16). Copyright 2014, Oracle and/or its affiliates. 59 Corente Services SSL Client

60 Chapter 4. Browse File The Browse File interface allows the user to browse the contents of remote networks via a web browser. If you have not enabled File Browsing for the SSL Client on this Location or for a user group, users will receive an error message when they attempt to access this page (see Chapter 6. SSL Services, p. 31, for information on enabling services for users). Note: The SSL Client does not support file browsing on Windows Vista servers. Corente Network Access Permissions The initial Browse File page that is displayed will vary for users depending on whether or not you have enabled Partner Access for them (see Partner Access, p. 12, and Chapter 10. Configuring SSL Client Access to Partners, p. 41). The Partner Access service allows the SSL Client users to access the partners of their host Location. If you have enabled Partner Access for users, the initial Browse File page will display for them as shown below. The users will have access to their host Location s partners. Figure 30: Browse File (Partner Access) All Corente Virtual Services Gateways and Corente Clients that the user has been given permission to access will appear on this interface. The Corente Virtual Services Gateway to which the user has connected will be highlighted in gray. Click on the link for a Location ( ). The computers that are accessible to the user on the Location s network will be displayed on a new screen. For an example of how each Location s network is displayed, see Figure 22. Click on the link for a client ( ) to browse its shared resources. If you have not enabled Partner Access for users, the initial Browse File page will display for them as shown in Figure 22. The users will only be able to access computers on their host Location s LAN. Copyright 2014, Oracle and/or its affiliates. 60 Corente Services SSL Client

61 Figure 34: Browse File (no Partner Access) Windows servers and non-windows machines running as SMB servers (e.g., Samba) within the remote network will be displayed with hyperlinks. Computers with hyperlinks will be listed before the computers without hyperlinks. A machine whose name is not known, e.g., it does not register in DNS, will be listed by its IP address at the end of the list. Browse File can only be used to browse files on servers that are listed with hyperlinks. Logging Into Servers The user s web browser will serve as the client that sends all requests to the remote server. This means that authentication to remote servers will be independent of the user s SSL Client login or the login that the user uses to access the local machine. Depending on each server's configuration, the user may be requested to log in when trying to access a server or a share resource on the server. After login, access permission to shared folders and files is based on the privileges that the user has been permitted on that server. Figure 35: Login Request for Server Copyright 2014, Oracle and/or its affiliates. 61 Corente Services SSL Client

62 Login to the remote servers is persistent. It will be valid for multiple SSL Client sessions, as long as the server's configuration does not change. As long as the user successfully logs into a server once, the user can repeatedly connect to the same server without having to log in again, even after logging out of this SSL Client session and starting a new session. Some servers allow a user to make connection without a login (i.e., you can connect as an anonymous user). Nevertheless, an anonymous user may have very limited access permission. The Login button can be used to explicitly login to such a server as a valid user. This button is available in the upper right corner of the page that lists the share resources on a server. Additionally, the user can use the Login button at any time to change the existing login that is currently being used for a server. If the second login is successful, the new username and password will be used to connect to the server thereafter, until the user requests to login again. Browsing Servers To browse the contents of a server, the user will simply click the hyperlink of the server and login (if required). The share resources on this server will be listed in the browser window. The user can click on a share to view its contents. Figure 36: Shared Folders on Remote Server If the user clicks on a folder, the contents of the folder will be listed and the folder will become the current directory. Figure 37: Contents of Remote Share Copyright 2014, Oracle and/or its affiliates. 62 Corente Services SSL Client

63 By default, the list of files and folders in a directory will be sorted alphabetically by Name, but the user can click on any of the headings to sort the list by Size, Type, or Date Modified. Folders will always be listed before files. The name of the current directory is always displayed as the title of the page at top of the browser window. To return to a previous directory, the user can click on that directory's name in the current title. The user can also use the Back folder icon at the top of the page to return to the directory that is immediately previous to the current directory. To select a new server to explore, click Browse File again to return to the main Browse File interface. Figure 38: Returning to a Previous Directory Note: Computers that have been disconnected from the network will not be removed from the server list for 30 to 45 minutes. If the user attempts to connect a server that has just disconnected, the user may receive an error message indicating that the computer is not available. If this occurs, the user can simply try to connect to the server at a later time. Downloading Files The user can open a file within a folder by clicking a file name. Depending on the browser and file type, the browser may automatically open the file using the appropriate application (e.g., Acrobat Reader for a.pdf file), or the user may be prompted for further action. If the user right-clicks the file name, other actions for use with the file will be presented, such as opening the file in a new window or saving the file to the local disk. Notes: If a user clicks a file name and the file does not open, the user should try opening the file in a new window. If the user opens a file in the browser window and receives a Security Alert indicating that the Certificate Issuer for the site is untrusted or unknown, the user should view the certificate to verify its information and accept it in order to proceed. To avoid the alert in the future, the user can install the certificate in the browser and add it to the root store. If the user opens a file in the browser window, the user s session may expire while the user is reading the file. This occurs because the SSL Client interface has been left idle. The session timeout value that you have set controls how long the interface can be left idle before the user is automatically logged out. If this occurs, the user should simply re-login to the SSL Client to continue using it. Copyright 2014, Oracle and/or its affiliates. 63 Corente Services SSL Client

64 Uploading Files To upload a file onto the server, browse to the directory on the server where the file should be uploaded. Click the Upload button on the upper right corner of the window. A new interface will be displayed for uploading files. Type the path and name of the file that is being uploaded in the field labeled File Name or use the Browse button to browse for the file on the system. Then, in the field labeled Save As, type the name to save this file as on the server. Click the Submit button. If the user has the appropriate permissions on the server and the operation is successful, the contents of the current directory (including the new uploaded file) will be displayed. Otherwise, an error message describing the problem will be displayed. The user can click the Reset button to delete any text that has been entered in the fields on this interface. Note: If the user is uploading a file and it is taking a long time (e.g., the user is uploading a large file via a slow connection), the user s session may expire after the file transfer has been completed. This depends on the session timeout value set that you have set on the User Remote Access tab of the Location form for this Location. If this occurs, the user should simply re-login to the SSL Client to continue using it. The file should have been successfully uploaded. Creating New Folders To create a new folder on the server, browse to the directory where the new folder should be added. Click the New button on the upper right corner of the window. On the interface that is displayed, type a name for the folder that is being creating in the field labeled New Folder. Click Submit. If the user has the appropriate permissions on the server and the operation is successful, the contents of the current directory (including the new folder) will be displayed. Otherwise, an error message describing the problem will be displayed. The user can click the Reset button to delete any text that has been entered in the field on this interface. Deleting Files and Folders To delete a folder or file, browse to the directory on the server where the folder/file that should be deleted is located. Click the Delete button on the upper right corner of the window. A new interface will be displayed that presents a checkbox beside each folder and file name located within this directory. Select the checkbox of the item(s) that are being deleted and click the Submit button. If the user has the appropriate permissions on the server and the operation is successful, the contents of the current directory will be updated. Otherwise, an error message describing the problem will be displayed. Copyright 2014, Oracle and/or its affiliates. 64 Corente Services SSL Client

65 While choosing items to delete, the user can click the Reset button to deselect the items that have been chosen. Copyright 2014, Oracle and/or its affiliates. 65 Corente Services SSL Client

66 Chapter 5. Browse File Shortcuts If there are shared folders on servers within your company's Corente network that a user accesses often, the user can save these shares on the Shortcuts page. Shortcuts displays a users favorite shares on a single page to save time each time that the user needs to access these shares. Figure 39: Shortcuts Adding Shortcuts To add a shared folder to a Shortcuts page, browse to the server where the shared folder is located. Click the Add button in the upper right corner of the window. A new page will be displayed that presents a checkbox beside each shared folder name that is located on this server. Figure 40: Add Shortcuts Select the checkbox of the shared folders to add and click the Submit button. The Reset button will clear any checkboxes that have been selected. The Cancel button will return to the previous page without saving any selections. A list of Shortcuts is persistent and valid across multiple SSL sessions. It is stored centrally, and is therefore available from any computer that used by a user to log into the SSL Client. A share will stay in the Shortcuts list until it is explicitly deleted. Accessing Shortcuts To access the Shortcuts page, a Shortcuts link is available on the main page of Browse File as well as on the subsequent pages that list the servers on each local Corente network. When the link for a server Copyright 2014, Oracle and/or its affiliates. 66 Corente Services SSL Client

67 is clicked, a Shortcuts button will be displayed on the server page that will also open the Shortcuts page. The Shortcuts page displays all of the shared files that have been saved as Shortcuts by a user. Because different servers can have the same shared folder names, the name of the server that provides the share is listed in the Comment field. The list is sorted alphabetically by server name. Click on the link for any Shortcut to display a page that lists the shared resources in that shared folder. Deleting Shortcuts To remove a shared folder from the Shortcuts page, click the Delete button on the upper right corner of the Shortcuts page. A new page will be displayed that presents a checkbox beside each shared folder name that was added to the Shortcuts page. To avoid confusion, as shares on different servers can have the same name, each shared folder will also list the server on which it is located. Select the checkbox of the shared folder(s) to remove from the Shortcuts page and click the Submit button. The Reset button will clear any checkboxes that have been selected. The Cancel button will return to the previous page without deleting any selections. Copyright 2014, Oracle and/or its affiliates. 67 Corente Services SSL Client

68 Chapter 6. Services The SSL Services interface allows users to view the services that you have enabled for them on the SSL Services window of the Location form for this Location (see Chapter 6. SSL Services, p. 31). When accessing any of these services using another program, the user should leave the browser window open so that requests are correctly routed via the Corente Applet and SSL. If the session expires, the user should re-login and repeat the request with the program. Tip: If File Browsing is enabled, users can use the Browse File interface to view the DNS/WINS names or IP addresses of the computers that can be accessed with any service provided by the SSL Client. Figure 41: SSL Services Viewing the Services The SSL Services interface displays the services that are currently enabled for the user. Service Name: This is the name of the service. Service Status: This indicates whether or not the service has been enabled for you by your network administrator. Listening Port: If the service is enabled for the user, this is the port number on the server providing this service that will handle requests from the user. The port number will be shown only if it applies for this service (for example, a port number does not apply for the Local Web Browsing (HTTP) or File Browsing services.) Using the Services Each default service available via the Services screen is described in Chapter 2. Pre-Configured SSL Services (p. 10). If you create custom services for users (see Configuring Custom SSL Services, p. 16), Copyright 2014, Oracle and/or its affiliates. 68 Corente Services SSL Client

69 they will be listed on this screen as well. You must inform your users how to use custom services and provide software for the particular service (if necessary). To use a service listed on this interface, the user must sign into the SSL Client (leaving the browser window open) and launch the program that uses this service from the desktop. To route requests from this program via the SSL Client, the user must initially connect to localhost and the Listening Port number that is specified for this service on the Services page. By connecting to localhost, the user connects first to the Corente Applet, which connects to the Corente Virtual Services Gateway at the remote site, which will in turn route all of the requests from the program to the appropriate server on its LAN. This method must be used if there is no hyperlink available for this service. When a hyperlink is available, the user can use the Host Properties dialog box to launch a program. Host Properties Dialog Box When a hyperlink is provided for a service, users can launch this service directly from the SSL Client interface by clicking the hyperlink. A Host Properties dialog box will be displayed that allows the user to connect to a specified IP address or DNS name. When connecting to a remote machine by its DNS name, remind users to type "//" before the DNS name. Figure 42: Host Properties Dialog Box If the user would like to connect to a machine to which he has connected previously, a history of the last 10 machines that have been used to access the particular service can be displayed by clicking the History button. The user can simply select a machine from this list and click Open. If a user would like to configure the Host Properties dialog box to connect using software other than the default software for a service, click the Advanced button. Figure 43: Host Properties Dialog Box Advanced Copyright 2014, Oracle and/or its affiliates. 69 Corente Services SSL Client

70 The Advanced preferences allows the user to choose the program that will be launched when he enters a WINS/DNS name or IP address and clicks Open to access a remote computer with the service. Select the Use Custom Application option to specify the new program. In the field below this option, enter a command line string that will open the program for this service. The text that is entered in this field is persistent and will be saved over multiple SSL Client sessions, until it is changed again by the user. Figure 44: Host Properties Dialog Box Advanced Use Custom Application To create a command line string to open a program, follow these steps: 1. Start with the full pathname to the executable (for example, if opening the TeraTerm SSH program when it is stored in the Program Files folder on C:, c:\program files\ttermpro\ttssh). 2. Include any options that the command requires (for example, -ssh hostname.domain:22, where -ssh instructs the TeraTerm program to use SSH to secure the connection and hostname.domain:22 instructs the program to access the remote machine by using a specific hostname and domain, on port 22). Note that the command line string must always explicitly supply the hostname/ip and port address. 3. Replace the hostname/ip with #HOST# and the port number with #PORT# (for example, c:\program files\ttermpro\ttssh -ssh hostname.domain:22 becomes c:\program files\ttermpro\ttssh - ssh #HOST#:#PORT#, where #HOST#:#PORT# informs the program that input is needed for certain variables (it will use the port number settings that your administrator has set for VNC, and the IP address that is entered in the Open a connection to field). The SSL Client can supply the value for the following variables in the command line string: #HOST#, PORT#, #REMOTE_HOST#, and #REMOTE_PORT#. All variables must be surrounded by the pound sign (#). If you specify another variable in the string, you will be prompted to input the value for this variable as the connection is made. 4. Surround the command line string in quotation marks (") if any directories or files within the pathname contain space(s) (for example, because the program is stored in the Program Files folder, you would enter "c:\program files\ttermpro\ttssh -ssh #HOST#:#PORT#"). Note: If the command is incorrect or the program not found, when the user clicks Open to open the program, the user will be re-prompted with the Host Properties dialog box and must click the Advanced button again to correct the command line string. Copyright 2014, Oracle and/or its affiliates. 70 Corente Services SSL Client

71 Remember that the command line string placed in the Use Custom Application field will be run on the system with the permissions that are granted to the local system login. Make sure the user understands the command line string that is created and the program that is being launched, so that the proper outcome will be produced. In general, if the user does not understand how to form the string, the user should not use the Advanced preferences to open the program. Corente provides default software for VNC, telnet, and SSH. When using a custom service, the Use Custom Application option will be selected by default and cannot be unselected. The user must supply a command line string if he would like to open the program directly from the SSL Client interface. Command Line Strings for Specific Programs The following are examples of command line strings for default services provided by the SSL Client. In general, it is a good idea to install the software that will be used with the SSL Client in the Program Files folder of the system so that the command line strings are simple to form. VNC Viewer software for Desktop Access: If the user downloads the VNC viewer software only (and not the server software), there is no installation process to load it onto the system. The user may want to move the program to c:\program files\realvnc\vncviewer.exe, so that the following example command line string can be used to open the program: "c:\program files\realvnc\vncviewer" #HOST#:#PORT#. TeraTerm software for Telnet: If the user uses TeraTerm for telnet and installs the program in the Program Files folder, an example of the command line string used to open the program would be: "c:\program files\ttermpro\ttermpro" #HOST#:#PORT#. TeraTerm software for SSH: If the user uses TeraTerm for SSH and installs both the program and the SSH component in the Program Files folder, an example of a string that can be entered in this field is: "c:\program files\ttermpro\ttssh" -ssh #HOST#:#PORT#. Accessing via the SSL Client The SSL Client can be used to retrieve from an SMTP, IMAP, and/or POP3 mail server on the remote network. The chapter titled V. Configuring Programs for use with the SSL Client (p. 76) contains step-by-step procedures for configuring three popular programs for use with the SSL Client. When accessing with an program, the user should leave the browser window open so that requests are correctly routed via SSL. If the session expires, the user should re-login and repeat the request. If users configure their programs to automatically check for new messages from the mail server, they should make sure that the interval for checking for messages is less than the session timeout period that you have administered for the SSL Client (see Chapter 5. Configuring SSL Client Access to a LAN, p. 26). In general, users programs should be configured to retrieve via: Copyright 2014, Oracle and/or its affiliates. 71 Corente Services SSL Client

72 Protocol: either IMAP, POP3, and/or SMTP IP Address: localhost Port Number: the Listening Port number of the protocol The programs should be configured to send via: Protocol: SMTP IP Address: localhost Port Number: the SMTP Listening Port number Copyright 2014, Oracle and/or its affiliates. 72 Corente Services SSL Client

73 Chapter 7. User Preferences The User Preferences interface allows users to create their own intranet web site bookmarks for facilitated browsing and (if applicable) change their SSL Client password. Figure 45: User Preferences Changing a Password If you have enabled Local Authentication for users (see Chapter 3. Creating SSL Client Accounts for Users, p. 19), the Change Password page will be available. Users will not be able to change their password via the SSL Client when External Authentication is used. If you have configured both a Corente Client account and an SSL Client account for this user using the same username and password, this interface will change the password for the SSL Client account only. Figure 46: Change Password The Change Password page allows the user to change the password for his/her SSL Client account. Old Password: For verification purposes, type the current password in this field. New Password: Type a new password in this field. The required length of the password will vary depending how certain settings have been configured by your administrator, but it must contain at least one each of the following: one numeric character one uppercase letter Copyright 2014, Oracle and/or its affiliates. 73 Corente Services SSL Client

74 one lowercase letter Confirm New Password: To avoid mistakes, type the new password again in this field. Click Change to save changes to the password. The Reset button will clear any text that has been entered into the fields on this page. Bookmarks The Bookmarks page will display all of the intranet web page bookmarks that have been saved for an account. Figure 47: Bookmarks The Personal Bookmarks section displays all of the bookmarks that have been created by that user. For more information on how users can create new bookmarks, refer to the Creating New Personal Bookmarks section below. If you have configured bookmarks for users (see Chapter 7. System Homepage and Bookmarks, p. 33), these bookmarks will appear in the System Bookmarks section. Users can access any of the bookmarks on this screen by clicking the appropriate bookmark's link. These bookmarks are also available on the Bookmarks pull-down menu that is available on all pages of the SSL Client. Creating New Personal Bookmarks If users access the same intranet web sites repeatedly via the SSL Client that you have not saved for them as System Bookmarks, they can create their own bookmarks on this interface and save them for future use. To define a new bookmark, complete the following steps: Copyright 2014, Oracle and/or its affiliates. 74 Corente Services SSL Client

75 1. Click the link labeled Enter New Bookmark. The Bookmark Entry interface will be displayed. Figure 48: Enter New Bookmark 2. Enter a name for the new bookmark in the field labeled Bookmark Name and an http address in the field labeled URL. 3. Click Submit. The new bookmark will now appear in the Personal Bookmarks section of the Bookmarks page. Simply click the bookmark link to be taken to the web page. The bookmark will also appear in the Bookmarks pull-down menu. To delete an existing personal bookmark, click the link labeled (delete) that appears next to it in the SSL Web Bookmarks section. Copyright 2014, Oracle and/or its affiliates. 75 Corente Services SSL Client

76 V. Configuring Programs for use with the SSL Client The information in this section can be used to walk users step-by-step through setting up several programs for use with the SSL Client. Instructions are provided for the following programs: Outlook 2003 Outlook 2007 Outlook Express Copyright 2014, Oracle and/or its affiliates. 76 Corente Services SSL Client

77 Chapter 1. Setting up Outlook 2003 for use with the SSL Client To use Microsoft Outlook 2003 with the SSL Client, users will need to set up a new account that will access their on the remote server. You should provide users with an account name and password (if they will be accessing a new account). Instruct the user to complete the following: 1. Open Outlook. Under the Tools menu, select Accounts. 2. On the interface that is displayed, select the Add button. On the menu that appears, select Mail. 3. On the first screen, enter your name and click Next. Figure 49: Your Name Copyright 2014, Oracle and/or its affiliates. 77 Corente Services SSL Client

78 4. Enter the address that will be seen by others as your reply-to address and click Next. Figure 50: Internet Address Copyright 2014, Oracle and/or its affiliates. 78 Corente Services SSL Client

79 5. Select the protocol that your company uses for incoming mail. If you are not certain which is used, ask your administrator. In the field labeled Incoming mail (POP3 or IMAP), enter localhost. In the field labeled Outgoing mail (SMTP) server, enter localhost. Click Next. Figure 51: Server Names 6. In the field labeled Account name, enter the login name for your account. In the field labeled Password, enter the password for your account. Select whether or not you would like Outlook to remember this information. Leave Log on using Secure Password Authentication unchecked, unless it is required by your local ISP. Click Next. Copyright 2014, Oracle and/or its affiliates. 79 Corente Services SSL Client

80 Figure 52: Internet Mail Logon 7. Select the method that you are using to connect to the Internet and click Next. Figure 53: Internet Connection 8. Click Finish. Copyright 2014, Oracle and/or its affiliates. 80 Corente Services SSL Client

81 Figure 54: Finish 9. You will now see an entry on the Internet Accounts screen for your new account. Figure 55: New Account Note: If your network administrator has informed you that your company s mail server is using a nonstandard port number to listen for requests, complete the following configuration to your new account: 10. Select the account that you just created and click the Properties button. Then select the Advanced tab. Copyright 2014, Oracle and/or its affiliates. 81 Corente Services SSL Client

82 11. In the section labeled Server Port Numbers, enter the new port number in either the Outgoing mail field (for SMTP) or the Incoming mail field (for POP3 or IMAP). 12. Click OK. Figure 56: Changing Port Numbers Copyright 2014, Oracle and/or its affiliates. 82 Corente Services SSL Client

83 Chapter 2. Setting up Outlook 2007 for Use With the SSL Client To use Microsoft Outlook 2007 with the SSL Client, users will need to set up a new account that will access their on the remote server. You should provide users with an account name and password (if they will be accessing a new account). Instruct the user to complete the following: 1. Open Outlook Under the Tools menu, select Account Settings. 2. Under the tab on the interface that is displayed, select the New button. 3. On the first screen, make sure Microsoft Exchange, POP3, IMAP, or HTTP is chosen. Click Next. Figure 57: Choose Service 4. Select Manually configure server settings or additional server types and click Next. Copyright 2014, Oracle and/or its affiliates. 83 Corente Services SSL Client

84 Figure 58: Auto Account Setup Copyright 2014, Oracle and/or its affiliates. 84 Corente Services SSL Client

85 5. Make sure Internet is selected and click Next. Figure 59: Choose Service 6. On the next screen, fill out the fields as follows: Your Name: Enter your name. Address: Enter the address that will be seen by others as your reply-to address. Account Type: Select the protocol that your company uses for incoming mail. If you are not certain which is used, ask your administrator. Incoming mail server: Enter localhost. Outgoing mail server (SMTP): Enter localhost. User Name: Enter the login name for your account. Password: Enter the password for your account. Select whether or not you would like Outlook to remember this password. Require logon using Secure Password Authentication (SPA): Leave unchecked, unless it is required by your local ISP. Click Next. Copyright 2014, Oracle and/or its affiliates. 85 Corente Services SSL Client

86 Figure 60: Internet Settings 7. Click Finish. Figure 61: Finish Copyright 2014, Oracle and/or its affiliates. 86 Corente Services SSL Client

87 8. You will now see an entry on the Internet Accounts screen for your new account. Figure 62: New Account Note: If your network administrator has informed you that your company s mail server is using a nonstandard port number to listen for requests, complete the following configuration to your new account: 9. Select the account that you just created and click the Change button. Then select the More Settings button. On the window that is displayed, select the Advanced tab. 10. In the section labeled Server Port Numbers, enter the new port number in either the Incoming mail field (for POP3 or IMAP) or the Outgoing mail field (for SMTP). Copyright 2014, Oracle and/or its affiliates. 87 Corente Services SSL Client

88 Figure 63: Internet Settings 11. Click OK. Copyright 2014, Oracle and/or its affiliates. 88 Corente Services SSL Client

89 Chapter 3. Setting up Outlook Express for use with the SSL Client To use Microsoft Outlook Express with the SSL Client, users will need to set up a new account that will access their on the remote server. You should provide users with an account name and password (if they will be accessing a new account). Instruct the user to complete the following: 1. Open Outlook. Under the Tools menu, select Accounts. 2. On the interface that is displayed, select the Add button. On the menu that appears, select Mail. 3. On the first screen, enter your name and click Next. Figure 64: Your Name Copyright 2014, Oracle and/or its affiliates. 89 Corente Services SSL Client

90 4. Select the first option. Enter the address that will be seen by others as your reply-to address and click Next. Figure 65: Internet Address Copyright 2014, Oracle and/or its affiliates. 90 Corente Services SSL Client

91 5. Select the protocol that your company uses for incoming mail. If you are not certain which is used, ask your administrator. In the field labeled Incoming mail (POP3, IMAP, or HTTP), enter localhost. In the field labeled Outgoing mail (SMTP) server, enter localhost. Click Next. Figure 66: Server Names Copyright 2014, Oracle and/or its affiliates. 91 Corente Services SSL Client

92 6. In the field labeled Account name, enter the login name for your account. In the field labeled Password, enter the password for your account. Select whether or not you would like Outlook to remember this information. Leave Log on using Secure Password Authentication unchecked, unless it is required by your local ISP. Click Next. Figure 67: Internet Mail Logon 7. Click Finish. Copyright 2014, Oracle and/or its affiliates. 92 Corente Services SSL Client

93 Figure 68: Finish 8. You will now see an entry on the Internet Accounts screen for your new account. Figure 69: New Account Note: If your network administrator has informed you that your company s mail server is using a nonstandard port number to listen for requests, complete the following configuration to your new account: Copyright 2014, Oracle and/or its affiliates. 93 Corente Services SSL Client