ObjectValue
Rendezvous – a DIY VPN (profiting from mobile access to the enterprise)
Rendezvous Server
AppGate
AppGate
• AppGate Network Security specialises in providing extremely secure network solutions, such as application VPNs, personal firewalls and application access control systems.
• AppGate Network Security ties together all the pieces of security technology in one easy-to-use system. AppGate solutions work in both fixed and wireless network environments, with a broad range of client systems. It scales from small organisations up to enterprise-level customers, supporting thousands of users.
• That is why AppGate Network Security has customers among the largest and most prestigious corporations in the world.
Zühlke Engineering: Genuine Breadth and Depth in IT & Technology Consultancy
Services:
• Bespoke Systems Developments
• Coaching and Mentoring
• Project Resources
• Consulting
• Training
Disciplines:
• Iterative Development Methods
• System Architecture Design & Realisation
• Enterprise Application Integration (EAI)
• Web Services
• Mobile Computing
• Information Security
• Technical Reviews
• Software Audits
• Evaluation of Methods, Tools and Components
ObjectValue Ltd.
• One-man wireless and IT consultancy
• Worked as a partner of AppGate to develop and test the Rendezvous concept
• Company still exists, but staff working full-time for Zühlke
• http://www.objectvalue.com/
The Problem
• Hypothesis: equipping knowledge workers with mobile access to enterprise applications leads to better productivity
  • E-mail
  • Scheduling
  • Contacts
  • Intranet Web servers
  • ERP
  • CRM
  • Custom applications etc.
• People need proof: a user trial lasting at least a few weeks provides the clearest evidence of Return on Investment (ROI)
• Technology trailblazers depend on expensive infrastructure upgrades to connect their mobile devices to the company network
• How can users be empowered to try the technology without having to justify the business case in advance and wait for the IT dept.?
Rendezvous concept
• Using an AppGate, companies can already give their mobile workers secure, always-on, remote access to services such as corporate email, CRM systems, etc.
• The Rendezvous concept takes a standard AppGate server and re-uses it in a new way to give smaller companies/teams the same benefits, but without the need to invest in an AppGate server themselves.
• The Rendezvous software has been developed by one of AppGate’s partners, ObjectValue Ltd., and supports the same range of platforms as the AppGate client (Windows, MacOS, Linux, etc.)
AppGate Rendezvous Server
• Hosted outside a company’s firewall, the Rendezvous Server gives individual users working outside the office secure access to chosen services within the office.
[Diagram: Remote Worker on GPRS, secured connection to the Rendezvous Server on the appGATE server, secured connection into the Protected Network containing the data and application servers]
AppGate Rendezvous Server
• Typical office user connected to office services (such as email server)
[Diagram: office user inside the Protected Network, connected to the data and application servers on service port xxxx]
AppGate Rendezvous Server
• User opens connection to AppGate using the normal client (via proxy if required), selected ports are forwarded and the Rendezvous client is started automatically
[Diagram: office user connected to the appGATE server; data and application servers on service port xxxx in the Protected Network]
AppGate Rendezvous Server
• Ports in the range 2xxxx on the client are forwarded to the same port number on the AppGate itself. This is the port number on which the Rendezvous Server listens for connections from its office client.
[Diagram: office client, Rendezvous Server on the appGATE server, data and application servers on service port xxxx in the Protected Network]
AppGate Rendezvous Server
• Rendezvous Server and client together act as a virtual firewall router, relaying connection requests from the mobile device to office services (such as the email server)
[Diagram: Rendezvous Server on the appGATE server relaying to the office client, which reaches the data and application servers on service port xxxx in the Protected Network]
AppGate Rendezvous Server
• Leaving the office client running, the user later connects to AppGate from a remote location with the same ID, and so establishes the second of a pair of connections
• Ports in the range xxxx on the client are forwarded to 1xxxx on the AppGate itself – so for sending mail via SMTP, local port 25 on the mobile device would be forwarded to port 10025 on the AppGate
[Diagram: Remote Worker on GPRS connected to the appGATE server]
AppGate Rendezvous Server
• The Rendezvous Server associates the corresponding 1xxxx and 2xxxx ports internally based on the user ID, establishing a fully secured end-to-end tunnel from the mobile user via the PC in the office to the application server.
[Diagram: Remote Worker on GPRS, local port xxxx forwarded to 1xxxx on the appGATE server; Rendezvous Server pairs it with 2xxxx from the office client; office client reaches the data and application servers on port xxxx in the Protected Network]
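The pairing described on this slide, written out as an added example (it is not AppGate's or ObjectValue's code): a small rendezvous relay that listens on a remote-side port and an office-side port, parks office-client connections, pairs each incoming remote connection with the parked connection for the same user ID, and copies bytes in both directions. It also applies the xxxx to 1xxxx / 2xxxx port scheme used on this and the following slides (25 to 10025 and 20025, 8080 to 18080 and 28080). Everything else is assumed: the class and function names, the one-line user-ID header at the start of every connection (standing in for whatever the authenticating AppGate front end supplies to the Rendezvous Server), and the short grace period a remote request waits for its office client.

```python
"""Minimal rendezvous relay modelled on the slides (added example, not AppGate's or
ObjectValue's code). An office-side client parks a connection on one listener (the
2xxxx side); a remote user's forwarded port arrives on the other (the 1xxxx side).
Assumption: every connection begins with one line carrying the user ID."""
import contextlib
import queue
import socket
import threading

def rendezvous_ports(service_port):
    """Map a service port xxxx to the (remote 1xxxx, office 2xxxx) pair from the slides."""
    if not 1 <= service_port <= 9999:
        raise ValueError("service port must be 1..9999 to fit the 1xxxx/2xxxx scheme")
    return 10000 + service_port, 20000 + service_port

def _read_user_id(conn):
    """Read the user-ID header line; over-long or unterminated headers yield None."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < 64:
        ch = conn.recv(1)
        if not ch:
            break
        buf += ch
    return buf.strip().decode("ascii", "replace") if buf.endswith(b"\n") else None

def _pipe(src, dst):
    """Copy bytes one way; tear both sockets down when either side goes away."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            with contextlib.suppress(OSError):
                s.shutdown(socket.SHUT_RDWR)
            s.close()

class RendezvousServer:
    def __init__(self, host="127.0.0.1", remote_port=0, office_port=0, grace=2.0):
        self.grace = grace        # seconds a remote request waits for a parked office client
        self._pending = {}        # user ID -> queue of parked office-side sockets
        self._lock = threading.Lock()
        self.remote_port = self._serve(host, remote_port, self._on_remote)
        self.office_port = self._serve(host, office_port, self._on_office)

    def _serve(self, host, port, handler):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind((host, port))
        listener.listen(16)
        threading.Thread(target=self._accept_loop, args=(listener, handler), daemon=True).start()
        return listener.getsockname()[1]   # port 0 lets the OS pick a free port

    def _accept_loop(self, listener, handler):
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    def _queue_for(self, user):
        with self._lock:
            return self._pending.setdefault(user, queue.Queue())

    def _on_office(self, conn):
        user = _read_user_id(conn)
        if user is None:
            conn.close()
        else:
            self._queue_for(user).put(conn)   # park until a remote request for this user arrives

    def _on_remote(self, conn):
        user = _read_user_id(conn)
        try:
            if user is None:
                raise queue.Empty
            office = self._queue_for(user).get(timeout=self.grace)
        except queue.Empty:
            conn.close()                      # no office client under this ID: fail closed
            return
        for src, dst in ((conn, office), (office, conn)):
            threading.Thread(target=_pipe, args=(src, dst), daemon=True).start()

def exchange(server, office_user, remote_user, request, reply, timeout=1.0):
    """Park an office client under office_user, then send request as remote_user. Returns
    (bytes the office side received, bytes the remote side got back); when the IDs do not
    match the relay drops the remote side and both values are b""."""
    office = socket.create_connection(("127.0.0.1", server.office_port), timeout=timeout)
    remote = socket.create_connection(("127.0.0.1", server.remote_port), timeout=timeout)
    office.sendall(office_user.encode() + b"\n")
    remote.sendall(remote_user.encode() + b"\n" + request)
    try:
        seen = office.recv(4096)   # what the office side (and so the real service) receives
        office.sendall(reply)
        got = remote.recv(4096)    # what the mobile application gets back
    except OSError:                # timed out or reset: the relay refused to pair them
        seen = got = b""
    office.close()
    remote.close()
    return seen, got
```

The relay trusts the user-ID header only because, in the arrangement on the slides, the AppGate has already authenticated both connections before they reach the Rendezvous Server; a relay exposed on its own would need its own authentication in front of that header. The remote side fails closed: a request whose user ID has no parked office client is dropped after the grace period rather than being matched to someone else's office PC.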
Demonstration
[Embedded movie demonstration]
Working at the application layer
• AppGate client opens just one secure tunnel through the firewall to the server on port 22 (normally)
• The connections for each service are multiplexed through this tunnel – by default 5 connections are allowed
• Each connection simply lets the client see a remote port on the AppGate server – the AppGate server cannot look back into the network
• The AppGate client can link only the 5 default connections to the AppGate server, e.g. 20025 to 20025, 20110 to 20110 etc.
• Using the Rendezvous client, users choose which of the default connections they need
[Diagram: application tunnelling over port 22, carrying pop3, smtp and intranet connections]
Accessing intranet Web servers
• To resolve intranet URLs, DNS lookups must be made within the office network, so a proxy server is used.
• The mobile browser is configured to use localhost:8080 as its proxy. Rendezvous relays HTTP requests to the real proxy server in the office.
[Diagram: Remote Worker on GPRS with browser proxy localhost:8080 forwarded to 18080 on the appGATE server; Rendezvous Server pairs it with 28080 from the office client, which connects to the office proxy server on 8080; the proxy reaches the Web servers on port 80 inside the Protected Network]
Sharing a Rendezvous Client
• Where it is not desirable to leave the office PC switched on, the Rendezvous Client and AppGate Client can be set up to run on an office server (e.g. NT, Linux)
• Multiple mobile users from the same office can connect to the same Rendezvous Server and hence the same Rendezvous client using the same AppGate user ID
• All will access the same set of services, but because they sign in with different network user IDs they will not receive identical information or gain unauthorised access to data
• Users sharing a single instance of the Rendezvous client can connect consecutively or at the same time without interfering with each other
Security – wherever your business needs it
AppGate Network Security AB
www.appgate.com
jamie@appgate.com