Date posted: 19-Dec-2015
Rendezvous – a DIY VPN (profiting from mobile access to the enterprise)
Rendezvous Server
04/18/23 2
AppGate
AppGate Network Security specialises in providing extremely secure network solutions, such as application VPNs, personal firewalls and application access control systems.
AppGate Network Security ties together all the pieces of security technology in one easy-to-use system. AppGate solutions work in both fixed and wireless network environments, with a broad range of client systems. It scales from small organisations up to enterprise-level customers, supporting thousands of users.
That is why AppGate Network Security has customers among the largest and most prestigious corporations in the world.
Zühlke Engineering Genuine Breadth and Depth in IT & Technology Consultancy
Bespoke Systems Developments Coaching and Mentoring Project Resources Consulting Training
Iterative Development Methods System Architecture Design & Realisation Enterprise Application Integration (EAI) Web Services Mobile Computing Information Security Technical Reviews Software Audits Evaluation of Methods, Tools and Components
Disciplines
Services
ObjectValue Ltd.
• One-man wireless and IT consultancy
• Worked as a partner of AppGate to develop and test the Rendezvous concept
• Company still exists, but staff working full-time for Zühlke
• http://www.objectvalue.com/
The Problem
• Hypothesis: equipping knowledge workers with mobile access to enterprise applications leads to better productivity
E-mail Scheduling Contacts Intranet Web servers ERP CRM Custom applications etc.
• People need proof: a user trial lasting at least a few weeks provides the clearest evidence of Return on Investment (ROI)
• Technology trailblazers depend on expensive infrastructure upgrades to connect their mobile devices to the company network
• How can users be empowered to try the technology without having to justify the business case in advance and wait for the IT dept.?
Rendezvous concept
Using an AppGate, companies can already give their mobile workers secure, always-on, remote access to services such as corporate email, CRM systems, etc.
The Rendezvous concept takes a standard AppGate server and re-uses it in a new way to give smaller companies/teams the same benefits, but without the need to invest in an AppGate server themselves.
The rendezvous software has been developed by one of AppGate’s partners, ObjectValue Ltd., and supports the same range of platforms as the AppGate client (Windows, MacOS, Linux, etc.)
AppGate Rendezvous Server
Hosted outside a company’s firewall, the Rendezvous Server gives individual users working outside the office secure access to chosen services within the office.
[Diagram labels: Remote Worker, GPRS, Secured connection (twice), appGATE server, Rendezvous Server, Protected Network, Application servers, Data]
AppGate Rendezvous Server
Typical office user connected to office services (such as email server)
[Diagram labels: Protected Network, Application servers, Data, port xxxx]
AppGate Rendezvous Server
User opens a connection to AppGate using the normal client (via proxy if required); selected ports are forwarded and the Rendezvous client is started automatically
[Diagram labels: Protected Network, appGATE server, Application servers, Data, port xxxx]
AppGate Rendezvous Server
Ports in the range 2xxxx on the client are forwarded to the same port number on the AppGate itself. This is the port number on which the Rendezvous Server listens for connections from its office client.
[Diagram labels: Protected Network, appGATE server, Rendezvous Server, Application servers, Data, port xxxx]
AppGate Rendezvous Server
Rendezvous Server and client together act as a virtual firewall router, relaying connection requests from the mobile device to office services (such as the email server)
[Diagram labels: Protected Network, appGATE server, Rendezvous Server, Application servers, Data, port xxxx]
AppGate Rendezvous Server
Leaving the office client running, the user later connects to AppGate from a remote location with the same ID, and so establishes the second of a pair of connections
Ports in the range xxxx on the client are forwarded to 1xxxx on the AppGate itself – so for sending mail via SMTP, local port 25 on the mobile device would be forwarded to port 10025 on the AppGate
[Diagram labels: Remote Worker, GPRS, appGATE server]
AppGate Rendezvous Server
The Rendezvous Server associates the corresponding 1xxxx and 2xxxx ports internally based on the user ID, establishing a fully secured end-to-end tunnel from the mobile user via the PC in the office to the application server.
[Diagram labels: Remote Worker, GPRS, port 1xxxx, appGATE server, Rendezvous Server, port 2xxxx, Protected Network, Application servers, Data, ports xxxx]
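The port association described on the preceding slides, modelled as an added Python example (not AppGate or ObjectValue code). The class name, method names and the sample users are hypothetical; it assumes 1xxxx and 2xxxx mean 10000 and 20000 plus the service port, as in the slides' 25 to 10025 example.

```python
# Added illustration, not AppGate/ObjectValue code: models only the port
# pairing described on the slides. No sockets, no encryption.
MOBILE_BASE = 10000  # mobile side: local port xxxx is forwarded to 1xxxx
OFFICE_BASE = 20000  # office side: the Rendezvous Server listens on 2xxxx


def mobile_port(service_port):
    """Port on the AppGate that a mobile client's local service port maps to."""
    return MOBILE_BASE + service_port


def office_port(service_port):
    """Port on the AppGate where the office client's connection is attached."""
    return OFFICE_BASE + service_port


class RendezvousTable:
    """Hypothetical pairing table keyed on (user ID, service port)."""

    def __init__(self):
        self._office = {}  # (user_id, service_port) -> 2xxxx port

    def register_office(self, user_id, service_ports):
        """The office client connects first and offers a set of services."""
        for sp in service_ports:
            if not 0 < sp < 10000:  # xxxx is a four-digit placeholder
                raise ValueError(f"service port out of range: {sp}")
            self._office[(user_id, sp)] = office_port(sp)

    def unregister_office(self, user_id):
        """Office client disconnected: drop every pairing it offered."""
        for key in [k for k in self._office if k[0] == user_id]:
            del self._office[key]

    def pair(self, user_id, incoming_port):
        """Mobile side arrives on 1xxxx; return the matching 2xxxx port.

        Returns None when no office client with the same user ID offers
        that service, so the connection has nowhere to go.
        """
        return self._office.get((user_id, incoming_port - MOBILE_BASE))


if __name__ == "__main__":
    table = RendezvousTable()  # constructed sample users and services
    table.register_office("alice", [25, 110, 8080])
    print(table.pair("alice", mobile_port(25)))    # same ID, offered service
    print(table.pair("bob", mobile_port(25)))      # different ID
    print(table.pair("alice", mobile_port(143)))   # service not offered
```

Because the lookup key includes the user ID, separation between users of one hosted server rests entirely on that ID being authenticated before the pairing is made.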
Demonstration
[Embedded demonstration movie]
Working at the application layer
AppGate client opens just one secure tunnel through the firewall to the server on port 22 (normally)
The connections for each service are multiplexed through this tunnel – by default 5 connections are allowed
Each connection simply lets the client see a remote port on the AppGate server – the AppGate server cannot look back into the network
The AppGate client can link only the 5 default connections to the AppGate server, e.g. 20025 to 20025, 20110 to 20110 etc.
Using the Rendezvous client, users choose which of the default connections they need
[Diagram labels: pop3, smtp, intranet, Application tunneling, Port 22]
Accessing intranet Web servers
To resolve intranet URLs, DNS lookups must be made within the office network, so a proxy server is used. The mobile browser is configured to use localhost:8080 as its proxy.
Rendezvous relays HTTP requests to the real proxy server in the office.
[Diagram labels: Remote Worker, GPRS, appGATE server, Rendezvous Server, Protected Network, Proxy server, Web servers; ports 8080, 18080, 28080, 8080, 80]
Sharing a Rendezvous Client
Where it is not desirable to leave the office PC switched on, the Rendezvous Client and AppGate Client can be set up to run on an office server (e.g. NT, Linux)
Multiple mobile users from the same office can connect to the same Rendezvous Server and hence Rendezvous client using the same AppGate user ID
All will access the same set of services, but because they will sign in with different network user IDs they will not receive identical information or gain unauthorised access to data
Users sharing a single instance of the Rendezvous client can connect consecutively or at the same time without interfering with each other
Security – wherever your business needs it
AppGate Network Security AB
www.appgate.com