Proponere

Ask Me Anything #3

I want to make sure my users are logging into Sun Secure Global Desktop Software securely and I've heard about a separate security pack. Do I need to install this to enable security with SGD?

Thanks,
A reader

Both a little architecture and a little history are necessary to answer this question. First, have a look at this diagram:

It's a zoomed in view of the first two tiers of last week's diagram, but turned on its side. The client tier is the machine that the user is sitting in front of and the access tier is the machine (or machines) in the data center that are acting as the Secure Global Desktop server array.

You'll notice that there are two lines connecting the two tiers, one labeled "HTTP" and the other labeled "AIP". This is because accessing an application with SGD is really made up of two very separate steps:

1. User tells server who they are and server responds with a list of applications available to them.
2. User requests an application and server starts the application and displays it on user's system. 

These two functions are handled by the two different data connections. There is more detail here, for sure, but that's the basic gist.

For the first step, the user needs to know where an SGD server "lives" in order to access it. For example, our live demo server can be reached at https://sgddemo.sun.com. Using just a web browser, the user can login to the server at that address and be given a list of applications they can run. Out of the box, that connection is a standard HTTP connection, but with just a few steps it can be modified so that the secure HTTPS protocol is used instead. This is the preferred way to access an SGD server and should be considered mandatory for most deployments.

Once a user clicks the link of an application, we're on to step two and a separate connection is established to service the user's request. But this time it's not using HTTP or HTTPS, it's using our own AIP (Adaptive Internet Protocol) protocol. This is where a lot of the value in SGD is because we can do some clever things in AIP to ensure a good application experience on all kinds of different devices and with varying amounts of available bandwidth. However, simply enabling security on the web browser does not secure this separate AIP connection.

To solve this problem, a security pack was created that sets everything up properly so both types of connections (the web connection that is normally over HTTP and the AIP connection) can be secured. In earlier versions of the product this security pack was a separate installation, but as of version 4.3 it is now included as part of the base installation. And this ability to secure the client/server connections in SGD is not licensed separately, it is included when standard licenses are purchased.

Here are some links to more in-depth information:

• Sun Secure Global Desktop Software Security Considerations white paper
• SGD 4.3 Docs: Enabling security for application sessions
• SGD 4.3 Docs: Sharing that same certificate setup with the web server to secure the web connection
• SGD 4.3 Docs: Installing X.509 certificates

And remember, send your questions in to askchrisanything at Google's mail service. By default, I'm assuming each question is anonymous, but if you'd like your name displayed please let me know!

Posted at 07:38AM Feb 09, 2007 by Chris in Ask Me Anything  |