Enterprise Secure Gateway Guide

Preface

The purpose of this document is to describe how to install the Inuvika Enterprise Secure Gateway (ESG) on each of the operating systems supported by Inuvika OVD.

History

Version   Date         Comments
1.6       2017-10-30   Update for OVD 2.5; add Ubuntu 16.04 support; CentOS/RHEL 7 only
1.5       2017-07-18   Update for OVD 2.4; reformatting
1.4       2016-01-20   Update paths for OVD
1.3.1     2015-10-11   Update paths for OVD 1.3
1.3       2015-08-10   Corrections and clarifications
1.2       2015-08-13   Documentation for OVD 1.2

Introduction

The purpose of this document is to describe how to install the Inuvika Enterprise Secure Gateway (ESG) on each of the operating systems supported by Inuvika OVD.

Pre-Requisites

The Enterprise Secure Gateway must be installed on a dedicated server system without any other OVD software or other systems on that server. The server must have access to the Internet. A valid Subscription Key is required to use the ESG.

Firewall and Ports

Ensure that the following ports are open on the ESG:

  • 1112 (HTTP): for communication with the OVD Session Manager
  • 443 (HTTPS): for communication with an end user's browser
  • 3389 (RDP): for communication with an OVD Application Server

Installation

The following sections describe the installation of the ESG on each supported OS. Later chapters describe further configuration details.

Ubuntu LTS

Sudo

On an Ubuntu system, each command must be prefixed with sudo, or you may log in as root. To open a root shell, enter the following command:

$ sudo -s

Configure the Repository

Ubuntu is a Debian-based system which uses the same packaging system and tools as Debian. Before starting the installation, add the Inuvika Debian repository to the ESG system.

  • Create the file /etc/apt/sources.list.d/ovd.list containing the following line:

    • For Ubuntu 16.04 LTS (Xenial Xerus):

      deb http://archive.inuvika.com/ovd/latest/ubuntu xenial main
    • For Ubuntu 14.04 LTS (Trusty Tahr):

      deb http://archive.inuvika.com/ovd/latest/ubuntu trusty main
  • Next, import the Inuvika signing key so that apt can verify packages from the repository:

    # wget -O- "https://archive.inuvika.com/ovd/latest/keyring" | apt-key add -
  • Update the package database:

    # apt-get update

ESG Package Installation

  • Install the ESG package using the following command. Enter the host/IP address of the OVD Session Manager (OSM) when prompted:

    # apt-get install inuvika-ovd-slaveserver-role-gateway

The installation of the ESG is now complete. The installation process automatically starts the ovd-slaveserver service and the ESG server will appear in the Unregistered Servers page in the Administration Console. If the server is not listed but the installation was successful, then there may be a firewall issue.

RHEL and CentOS 7

SELinux

Inuvika OVD is not compatible with SELinux. If SELinux is installed and enabled on your system, perform the following steps to disable it.

  • Edit the file /etc/selinux/config and set the SELINUX variable to disabled as follows.

    SELINUX=disabled
  • Reboot the system

    # reboot
  • Check that SELinux is now disabled:

    # sestatus
    SELinux status: disabled

Configure the Repository

RHEL and CentOS use the RPM packaging system. Before starting the installation, configure yum to enable the Inuvika RPM repository on the ESG system.

  • Create the file /etc/yum.repos.d/ovd.repo with the following content (the baseurl below is for RHEL/CentOS 7, the only supported release):
    [ovd]
    name=Inuvika OVD
    baseurl=http://archive.inuvika.com/ovd/latest/rhel/7/
    enabled=1
    gpgcheck=1
    gpgkey=http://archive.inuvika.com/ovd/latest/keyring

ESG Package Installation

  • Install the ESG package using the following command:

    # yum install inuvika-ovd-slaveserver-role-gateway
  • Launch the configuration tool to enter the host/IP address of the OVD Session Manager:

    # ovd-slaveserver-config --sm-address sm.test.demo
  • Enable the ovd-slaveserver service at boot and start it:

    # chkconfig ovd-slaveserver on
    # service ovd-slaveserver restart

The installation of the ESG is now complete. The ovd-slaveserver service has been started and the ESG server will appear in the Unregistered Servers page in the Administration Console. If the server is not listed but the installation was successful, then there may be a firewall issue.

SSL Certificate

During the ESG installation process, an auto-generated, self-signed SSL certificate (not issued by any CA) is created and installed. For production use, this certificate should be replaced with a commercial SSL certificate issued by a trusted CA to avoid security prompts in end users' browsers and clients. Follow the steps below to install the SSL certificate:

  • The file containing the certificate must be a base64-encoded PEM file. Typically, this file will have the extension .pem or .crt.
  • The PEM file must contain the following items, in this order:
    • Private key
    • Server certificate
    • Intermediate CA certificate +1
    • Intermediate CA certificate +x
    • Root CA
  • Create a copy of the PEM file used during the installation process as a backup:

    # cp /etc/ovd/slaveserver/gateway.pem /etc/ovd/slaveserver/gateway.pem.orig
  • Copy the file containing the new certificate to /etc/ovd/slaveserver/gateway.pem. Because this file contains the private key, keep it readable only by root and the ovd-slaveserver service.

  • Restart the ESG service to activate the new SSL certificate:

    # /etc/init.d/ovd-slaveserver restart
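The PEM layout above is easy to get wrong by hand (certificate before key, a second key pasted in, missing trailing newline, an encrypted key that the service cannot unlock at boot). The following helper, an added example and not part of Inuvika's own tooling, assembles gateway.pem in the required order, takes the .orig backup described above if one does not exist yet, and checks the block order before you restart the service. It assumes the path /etc/ovd/slaveserver/gateway.pem from this guide and that at least three blocks are present (key, server certificate, at least one CA certificate); the openssl-based key/certificate match is a separate, optional check.

```shell
#!/bin/sh
# Added example (not Inuvika's code): build and sanity-check the ESG gateway.pem.

GATEWAY_PEM=${GATEWAY_PEM:-/etc/ovd/slaveserver/gateway.pem}

# assemble_gateway_pem OUT KEY SERVER_CERT [INTERMEDIATE ...] ROOT
# Concatenates the inputs in argument order (key first, root CA last),
# backs up an existing OUT to OUT.orig as the guide recommends, and creates
# the result with mode 0600 because it contains the private key.
assemble_gateway_pem() {
  out=$1; shift
  [ $# -ge 2 ] || { echo "need at least a private key and a certificate" >&2; return 1; }
  if [ -e "$out" ] && [ ! -e "$out.orig" ]; then cp -p "$out" "$out.orig" || return 1; fi
  (umask 077; : > "$out") || return 1
  for f in "$@"; do
    cat "$f" >> "$out" || return 1
    # If a part lacks a trailing newline, add one so END/BEGIN markers never share a line.
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
  done
  chmod 600 "$out"
}

# check_gateway_pem FILE
# Structural check of the block order required by the guide: exactly one
# unencrypted private key first, then only CERTIFICATE blocks, at least
# three blocks in total. Reports every problem found and returns 1 on any.
check_gateway_pem() {
  pem=$1
  types=$(grep -o -- '-----BEGIN [A-Z0-9 ]*-----' "$pem" | sed 's/-----BEGIN \(.*\)-----/\1/')
  [ -n "$types" ] || { echo "$pem: no PEM blocks found" >&2; return 1; }
  old_ifs=$IFS; IFS='
'; set -- $types; IFS=$old_ifs
  i=0; rc=0
  for t in "$@"; do
    i=$((i + 1))
    case "$i:$t" in
      1:"ENCRYPTED PRIVATE KEY")
        echo "block 1 is an encrypted key; an unattended service cannot unlock it" >&2; rc=1 ;;
      1:*"PRIVATE KEY") ;;                       # expected: key comes first
      1:*) echo "block 1 is '$t'; the private key must come first" >&2; rc=1 ;;
      *:CERTIFICATE) ;;                          # server cert, intermediates, root
      *:*"PRIVATE KEY") echo "block $i is a second private key" >&2; rc=1 ;;
      *:*) echo "block $i is '$t'; only certificates may follow the key" >&2; rc=1 ;;
    esac
  done
  [ "$i" -ge 3 ] || { echo "expected key + server cert + CA cert(s), found $i block(s)" >&2; rc=1; }
  return $rc
}

# check_gateway_keypair FILE
# Optional cryptographic check (needs openssl): the private key must match
# the first certificate in the file, and that certificate must not be expired.
check_gateway_keypair() {
  pem=$1
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping key/cert match" >&2; return 0; }
  k=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || { echo "cannot read private key" >&2; return 1; }
  c=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || { echo "cannot read server certificate" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "private key does not match the server certificate" >&2; return 1; }
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo "server certificate is expired" >&2; return 1; }
}

# Usage (only when run with explicit arguments, so sourcing the file is harmless):
#   sh gateway-pem.sh install KEY SERVER_CERT [INTERMEDIATE ...] ROOT
if [ "${1:-}" = "install" ]; then
  shift
  assemble_gateway_pem "$GATEWAY_PEM" "$@" &&
  check_gateway_pem "$GATEWAY_PEM" &&
  check_gateway_keypair "$GATEWAY_PEM" &&
  echo "gateway.pem ready; restart ovd-slaveserver to activate it"
fi
```

Run the structural check before touching the service: a rejected file leaves the previous gateway.pem (and its .orig backup) in place, so the ESG keeps serving on 443 while you fix the chain.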

OVD Web Access Configuration

For security reasons, the ESG is not configured to allow communication to the OVD Web Access (OWA) by default. The configuration can be changed to allow this access, which lets you provide a single secure (SSL) connection point for all clients (EDC, EMC, OWA).

Note

The OWA itself may be configured to provide secure access to users outside the LAN. This requires a third-party network component, such as a reverse proxy and/or a firewall (NAT redirection).

In such cases the ESG is not mandatory for WAN access, but this applies only to the OWA: an ESG is still required for WAN access from EDC / EMC.

To enable the OWA access in the ESG:

  • Edit the configuration file /etc/ovd/slaveserver/slaveserver.conf and locate the line:

    # web_client = http[s]://ip[:port]/
  • Uncomment the variable and set the value to the URL of your OWA. For example:

    web_client = http://webaccess.test.demo/
  • Save the file and restart the slaveserver service.

    # /etc/init.d/ovd-slaveserver restart

Advanced Configuration Settings

The ESG configuration is stored in the file /etc/ovd/slaveserver/slaveserver.conf. The configuration may be adjusted by editing the file and changing the contents of the Gateway section as described below:

  • address: 0.0.0.0 (default). Defines the IP address of the network interface on which the ESG should bind. By default, the ESG binds on all network interfaces.
  • port: 443 (default). Defines the port to listen on.
  • max_process: 10 (default). Defines the maximum number of processes to run on the ESG server.
  • max_connection: 100 (default). Defines the maximum number of connections that can be opened on the ESG server.
  • process_timeout: 60 (default). Defines the timeout in seconds per process.
  • connection_timeout: 10 (default). Defines the timeout in seconds per connection.
  • admin_redirection: true or false (default false). Set to true to allow access to the OVD Administration Console through the ESG.
  • root_redirection: Defines the root path for the Gateway. For example, enter the value /ovd to automatically redirect a connection request for https://gw.demo to https://gw.demo/ovd.
  • http_keep_alive: true (default) or false. Enables or disables HTTP keep-alive.
  • disable_sslv2: true or false (default false). Set to true to disable SSLv2 support; with the default value SSLv2 remains enabled.
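Both the OWA step above (uncommenting web_client) and the Gateway settings in this section are edits to the same file, and doing them by hand tends to leave duplicate or still-commented lines. The script below is an added example, not part of the Inuvika product: it edits the Gateway section of slaveserver.conf idempotently, enables OWA access the way the guide describes, and applies the two settings a defender would change given the defaults listed above (disable_sslv2 = true, admin_redirection = false). It assumes the Gateway section is introduced by an INI-style "[Gateway]" header and that settings are written as "key = value" with unset ones commented out with #; check that against your own file first.

```shell
#!/bin/sh
# Added example (not Inuvika's code): section-aware edits to slaveserver.conf.

CONF=${CONF:-/etc/ovd/slaveserver/slaveserver.conf}

# set_gateway_option FILE KEY VALUE
# Inside [Gateway] (assumed header), replaces the first "key = ..." line,
# commented or not, with "key = VALUE"; if the key is absent, appends it at
# the end of the section. Other sections are copied through unchanged.
set_gateway_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    function emit() { print key " = " value; have = 1 }
    /^\[[^]]*\]/ {                      # any section header
      if (in_sec && !have) emit()      # leaving [Gateway] without the key: append it
      in_sec = ($0 == "[Gateway]")
    }
    in_sec && !have && $0 ~ ("^[#[:space:]]*" key "[[:space:]]*=") { emit(); next }
    { print }
    END {
      if (in_sec && !have) emit()      # [Gateway] was the last section
      if (!have) { print "[Gateway]"; emit() }   # no [Gateway] section at all
    }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# get_gateway_option FILE KEY
# Prints the effective (uncommented) value of KEY in [Gateway], or nothing.
get_gateway_option() {
  awk -v key="$2" '
    /^\[[^]]*\]/ { in_sec = ($0 == "[Gateway]"); next }
    in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", ""); print; exit
    }
  ' "$1"
}

# enable_owa FILE URL
# The "OVD Web Access Configuration" step: set web_client to the OWA URL.
enable_owa() {
  case $2 in
    http://*|https://*) ;;
    *) echo "web_client must be an http[s] URL, got: $2" >&2; return 1 ;;
  esac
  set_gateway_option "$1" web_client "$2"
}

# harden_gateway FILE
# Turn off SSLv2 (left enabled by the documented default) and keep the
# Administration Console off the Internet-facing gateway.
harden_gateway() {
  set_gateway_option "$1" disable_sslv2 true &&
  set_gateway_option "$1" admin_redirection false
}

# Usage: sh esg-conf.sh apply http://webaccess.test.demo/
# (only acts when invoked with "apply", so sourcing this file changes nothing)
if [ "${1:-}" = "apply" ]; then
  enable_owa "$CONF" "$2" && harden_gateway "$CONF" &&
  echo "updated $CONF; run: /etc/init.d/ovd-slaveserver restart"
fi
```

After applying, confirm the result with get_gateway_option before restarting, and remember that the file is rewritten in place: keep a copy of the original alongside it, as the guide does for gateway.pem.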