
WIDE AREA NETWORK ACCESS

In document INUVIKA TECHNICAL GUIDE (Page 35-41)

This chapter presents an overview of how to access Inuvika OVD securely from outside the network. The Inuvika Enterprise Secure Gateway (ESG) provides secure access to Inuvika OVD using SSL tunneling technology and is required when accessing OVD from an Enterprise Client or using the Java Applet within the browser via the Internet. It may also be used with the HTML5 client but is not required, since the OWA may be configured to provide access via SSL. In this example, the ESG will be configured to work with the HTML5 client.

The ESG is specifically tailored to provide secure access to an OVD server farm and offers a secure entry point to OVD from outside the firewall. The ESG requires only port 443, and firewalls will normally have TCP port 443 open, so no further firewall configuration is required.

The Inuvika Enterprise Secure Gateway (ESG) requires a dedicated Linux server (physical or virtual). In this guide, we will use an Ubuntu 14.04.x Linux server to deploy the ESG.

Figure 28: Evaluation Platform

5.1 PRE-REQUISITES

The Enterprise Secure Gateway is a component to be installed on a new separate Linux instance.

1. Download the server ISO from Ubuntu, available at http://www.ubuntu.com/download/server. Inuvika OVD 1.x is supported on Ubuntu 14.04.x LTS.

2. Set up an incoming TCP rule on your firewall. This rule must allow incoming TCP 443 traffic and forward the traffic to the ESG server. Inuvika OVD requires TCP 443 to be open on the firewall. Consult your system administrator to enable/activate this rule.

5.2 VIRTUAL MACHINE SETUP

The ESG server will be installed on an Ubuntu 14.04.x server. Assuming your evaluation is on Virtual Box, please follow the steps laid out in section 5.2.1. Adjust the steps to match your virtual host environment (e.g. VMware Workstation/ESXi).

Note: If you prefer using RHEL/CentOS, contact your sales representative at Inuvika.

5.2.1 CREATE A VIRTUAL BOX VM

From the Virtual Box GUI, create a new virtual machine.

1. Name and Operating System

Name: ESG or any name you prefer

• Accept the default (create a virtual hard drive now with 8GB)

• Select “VDI” as the hard drive type (or your preferred one)

• Select “dynamically allocated”

• File location and size: accept the default

4. Select the newly created VM and click the settings button

• “Storage”:

o Select the CD/DVD icon from the left Storage tree

o Click the CD/DVD icon from the “Attributes” menu and browse for the Ubuntu ISO

• “Network”: Set the “Adapter 1” to “Bridged Adapter” (“NAT” by default)

5.2.2 INSTALLING AN UBUNTU SERVER

Follow the steps below to install the Ubuntu server.

1. Select the ESG VM then click Start from the Virtual Box GUI

2. Select your preferred language then press “enter”

3. Select “Install Ubuntu Server”

4. Select the installation language

5. Select the location

6. Skip keyboard detection unless you need it

7. Select the appropriate keyboard from the list

8. Configure the network settings

• Enter the hostname. We will use esg in our example

• Enter a username for your account. We will use inuvika in our example

• Enter a password. We will use inuvika in our example

• Accept weak password: Select yes unless you set a strong password

• Encrypt your home directory: Select no

• Accept the time zone

9. Partition the disks

• Accept the default (guided – use entire disk and set up LVM)

• Press enter for the disk partition that is displayed

• “Write changes to the disks and configure LVM?”: Select yes (use TAB key) and press enter

• For the partition size, accept the default and press ENTER.

• “Write changes to disks”: Select yes (using the TAB key) then press ENTER

10. Configure package manager

• HTTP proxy: Put in relevant configuration if required and select continue using the TAB key

• Automatic updates: Accept the default no automatic updates and press ENTER

• Software selection: Check OpenSSH server only (using the SPACE bar) and use the TAB key to select continue

• Install “GRUB” boot manager: Default yes, press ENTER

• Finish Installation

The server will be rebooted automatically.

5.2.3 CONFIGURING THE UBUNTU SERVER

By default, the Ubuntu server is configured to use an IP address from the DHCP server (if available). If this IP address is acceptable, continue to the next section.

1. Login to the Ubuntu server console

Login: inuvika

Password: inuvika

2. Run the following command:

sudo edit /etc/network/interfaces

Enter the password inuvika when requested

3. Change:

# The primary network interface
auto eth0
iface eth0 inet dhcp

To:

# The primary network interface
auto eth0

Your configuration will be different; change your network settings accordingly.

4. Reboot the server for changes to take effect by entering the following command:

5.3 INSTALLING THE ENTERPRISE SECURE GATEWAY ROLE

1. Login to the Ubuntu server console:

Login: inuvika

Password: inuvika

2. Edit/create the repository file:

sudo nano /etc/apt/sources.list.d/ovd.list

Enter the password inuvika when requested.

3. Add the following repository:

4. Save the edits and exit the editor

5. Install the keyring for the OVD packages:

wget -O- "http://archive.inuvika.com/ovd/1.2/keyring" | sudo apt-key add -

Enter the password inuvika if requested

6. Update the package database:

sudo apt-get update

7. Install the ESG server role

sudo apt-get install inuvika-ovd-slaveserver-role-gateway

8. Enter the Session Manager FQDN or IP address. In this example we are using 10.9.0.157.

The ESG Gateway is now installed but does not have a link to the OWA.

5.3.1 CONFIGURING ESG FOR USE WITH INUVIKA OWA

This section describes the configuration required for using the OWA through the ESG.

1. Edit the gateway configuration file

sudo nano /etc/ovd/slaveserver/slaveserver.conf

2. In the Gateway section, add the lines below where http://10.1.1.110 is the address of the OWA server. Replace this address with the address in your environment. This is the IP of the OVD Demo Appliance.

[Gateway]

# web_client = http[s]://ip[:port]/

web_client = http://10.1.1.110/

3. Save the changes and exit the editor.

4. Restart the ESG service

sudo /etc/init.d/ovd-slaveserver restart

Enter your password if requested

Note: The Inuvika ESG runs with an auto-generated SSL certificate. In a production environment, a signed certificate should be installed.
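
The check below is an added example, not part of the Inuvika guide or product: it reads a slaveserver.conf file, extracts the active web_client value from the [Gateway] section, and reports whether the ESG reaches the OWA over https or over cleartext http as in the setting above. The [Other] section in the sample, the function names and the exit-status convention are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit web_client in the [Gateway] section of slaveserver.conf.

# Print the last uncommented web_client value inside [Gateway], if any.
gateway_web_client() {
    awk '
        /^[ \t]*\[/ {                          # a section header line
            in_gw = ($0 ~ /^[ \t]*\[Gateway\][ \t]*$/)
            next
        }
        in_gw && /^[ \t]*web_client[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # drop "web_client ="
            sub(/[ \t\r]+$/, "")               # drop trailing blanks / CR
            val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# Exit status: 0 = https, 1 = cleartext http, 2 = not set, 3 = malformed.
audit_web_client() {
    url=$(gateway_web_client "$1")
    case "$url" in
        "")         echo "MISSING: no web_client in [Gateway]"; return 2 ;;
        https://?*) echo "OK: $url"; return 0 ;;
        http://?*)  echo "WARN: ESG-to-OWA traffic is cleartext HTTP: $url"; return 1 ;;
        *)          echo "INVALID: $url"; return 3 ;;
    esac
}

# Constructed sample: the guide's [Gateway] lines plus a hypothetical
# [Other] section that must be ignored.
write_sample() {
    cat > "$1" <<'EOF'
[Other]
web_client = https://ignored.example/

[Gateway]
# web_client = http[s]://ip[:port]/
web_client = http://10.1.1.110/
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_web_client "$sample" || true    # the guide's value yields WARN
rm -f "$sample"
```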

5.4 CONNECTING TO THE INUVIKA OVD ENVIRONMENT VIA THE INTERNET

Inuvika OVD access from the Internet requires that the ESG server be accessible through TCP 443. OVD clients (Web Access, Enterprise client, tablet clients…) will connect to the FQDN/Public IP address of the ESG server over HTTPS.

Web Access portal: https://fqdn_or_Public-IP/ovd

Enterprise Client & Tablet Clients: In the server field, enter the public IP address or FQDN of the ESG server.

Note: For user convenience, it is best to associate the public IP address with a properly registered fully qualified domain name (FQDN).

Note: Users will have a certificate warning similar to the one below, as the certificate is not signed by a public certification authority (a self-signed certificate).

Figure 29: Untrusted Connection
