Archive for SGD

SGD on home server – set up to traverse a firewall.

I guess most employers will have a pretty robust firewall setup. Since by default SGD uses a number of non-standard ports, a corporate firewall will not allow you to run the client at work and access your SGD server at home. There are two options: 1) open holes in the firewall, or 2) modify the SGD installation to confine all the traffic to a single standard port so that it will traverse a corporate firewall.

A nice post on the subject can be found at http://macrae.wordpress.com/2008/07/02/sun-secure-global-desktop-firewall-friendly/. It gives the background to the problem, but its instructions are out of date for SGD version 4.5.

There is now a whole section in the manual that provides the information needed to set up an SGD server to perform firewall traversal: http://docs.sun.com/source/820-6689/chapter1.html#Z400003e1312957.

I’ve reproduced the steps here (in case I need to do it again).

1. Create a self-signed certificate

shs$ pfexec /opt/tarantella/bin/tarantella security certrequest --country UK --state war --orgname "Nobody Puts Baby in a corner"
shs$ pfexec /opt/tarantella/bin/tarantella security selfsign

2. Enable security on the SGD server

shs$ pfexec /opt/tarantella/bin/tarantella security start

3. Edit the Apache httpd.conf file

shs$ pfexec vi /opt/tarantella/webserver/apache/2.2.10_openssl-0.9.8i_jk1.2.27/conf/httpd.conf

Replace the SSL Listen directive in the section

<IfDefine SSL>
Listen 443

with

<IfDefine SSL>
Listen 127.0.0.1:443

so that the Apache SSL listener is bound to loopback only and the SGD server itself can take port 443 on the external interface.

4. Configure the SGD server to use port 443

shs$ pfexec /opt/tarantella/bin/tarantella config edit --array-port-encrypted 443
shs$ pfexec /opt/tarantella/bin/tarantella config edit --array --security-firewallurl https://127.0.0.1:443

5. Restart the SGD server
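
As an added example (not from the original post or the SGD manual), here is the step 3 edit done non-interactively on a copy of httpd.conf, with a check that the SSL listener inside <IfDefine SSL> is bound to loopback only, which is what frees port 443 on the external interface for the SGD server in step 4. The function names and the sample config are my own constructions.

```sh
#!/bin/sh
# Added example, not from the original post or the SGD manual. Performs the
# step 3 edit on a copy of httpd.conf without vi, and checks the outcome.
# Function names and the sample config below are my own constructions.
set -eu

# Print the Listen directives found inside <IfDefine SSL> ... </IfDefine>.
ssl_listeners() {
    awk '
        /^[[:space:]]*<IfDefine[[:space:]]+SSL>/ { in_ssl = 1; next }
        /^[[:space:]]*<\/IfDefine>/              { in_ssl = 0; next }
        in_ssl && /^[[:space:]]*Listen[[:space:]]/ { print $2 }
    ' "$1"
}

# Rewrite "Listen 443" to "Listen 127.0.0.1:443" only inside the SSL block;
# other Listen lines (e.g. the plain HTTP port) are left untouched.
bind_ssl_to_loopback() {
    conf=$1
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*<IfDefine[[:space:]]+SSL>/ { in_ssl = 1 }
        /^[[:space:]]*<\/IfDefine>/              { in_ssl = 0 }
        in_ssl && /^[[:space:]]*Listen[[:space:]]+443[[:space:]]*$/ {
            sub(/443[[:space:]]*$/, "127.0.0.1:443")
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeed only if every SSL listener is bound to 127.0.0.1:443, which leaves
# port 443 on the external interface free for the SGD server (step 4).
check_ssl_loopback() {
    listeners=$(ssl_listeners "$1")
    [ -n "$listeners" ] || return 1
    for l in $listeners; do
        [ "$l" = "127.0.0.1:443" ] || return 1
    done
}

# Constructed sample mirroring the section edited in step 3 (not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Listen 80
<IfDefine SSL>
Listen 443
</IfDefine>
EOF
```

On Solaris the default /usr/bin/awk does not understand POSIX character classes, so run this with /usr/xpg4/bin/awk or nawk. Point it at a copy of the httpd.conf from step 3 rather than the sample file.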

I followed these instructions and when I first accessed it, it asked me to confirm the use of the temporary certificate. Straight away I can access my (Unix) desktop straight out of the box. More work seems to be needed to access a Windows desktop using rdesktop or uttsc (the Sun Ray Windows connector), but I guess it must be relatively straightforward (right?).

What the instructions in the manual about enabling firewall traversal don’t do is set up the server to be accessed by https rather than plain old http – I guess this is a security hole but I decided to stop while
