Manuals / Brands / Computer Equipment / Server / Sun Microsystems / Computer Equipment / Server

Sun Microsystems 2005Q1 Netlet and Application Integration, Split Tunneling

1 192

Download 192 pages, 1.3 Mb

Netlet

Chapter 2 Portal Server Secure Remote Access Architecture 43

Netlet and Application Integration

Netlet works with many third parties such as Graphon, Citrix, and pcAnywhere.

Each of these products provides secure access to the user’s Portal Desktop from a

remote machine using Netlet.

Split Tunneling

Split tunneling allows a VPN client to connect to both secure sites and non-secure

sites, without having to connect or disconnect the VPN—in this case, the

Netlet—connection. The client determines whether to send the information over

the encrypted path, or to send it by using the non-encrypted path. The concern

over split tunneling is that you could have a direct connection from the non-secure

Internet to your VPN-secured network, via the client. Turning off split tunneling

(not allowing both connections simultaneously) reduces the vulnerability of the

VPN (or in the case of Netlet) connection to Internet intrusion.

Though Portal Server does not prohibit nor shut down multiple network

connections while attached to the portal site, it does prevent unauthorized users

from “piggybacking” on other users’s sessions in the following ways:

• Netlet is an application specific VPN and not a general purpose IP router.

Netlet only forwards packets that have been defined by a Netlet rule. This

differs from the standard VPN approach that gives you complete LAN access

once you’ve connected to the network.

• Only an authenticated portal user can run the Netlet. No portal application can

be run until the user has been successfully authenticated, and no new

connections can be made if an authenticated session does not exist.

• All access controls in place on the application side are still in effect so that an

attacker would also have to break in to the back-end application.

• Every Netlet connection results in a dialog box posted by the Netlet (running

in the authenticated user’s JVM™) to the authenticated user’s display. The

dialog box asks for verification and acknowledgement to permit the new

connection. For attackers to be able to utilize a Netlet connection, attackers

would need to know that the Netlet was running, the port number it was

listening on, how to break the back-end application, and convince the user to

approve the connection.

Contents

Main Page Contents Page Page Page Page Page List of Figures Page List of Tables Page Preface Before You Read This Book Who Should Read This Book How This Book Is Organized Conventions Used in This Book Typographic Conventions Related Documentation Books in This Documentation Set Other Portal Server Documentation Other Server Documentation Accessing Sun Resources Online Contacting Sun Technical Support Related Third-Party Web Site References Sun Welcomes Your Comments Page Chapter 1 Portal Server Architecture What is a Portal? Types of Portals Collaborative Portals Business Intelligence Portals Portal Server Capabilities Sun Java System Portal Server Secure Remote Access Portal Sever in Open Mode Portal Server in Secure Mode Portal Server Applications Security, Encryption, and Authentication Portal Server Deployment Components Portal Server Architecture Identity Management Portal Server Software Deployment Software Packaging Software Categories Compatibility With Java Software A Typical Portal Server Installation Page Page Page Chapter 2 Portal Server Secure Remote Access Architecture SRA Gateway Multiple Gateway Instances Multiple Portal Server Instances Proxy Configuration Gateway and HTTP Basic Authentication Gateway and SSL Support Gateway Access Control Gateway Logging Using Accelerators with the Gateway Netlet Static and Dynamic Port Applications Page Netlet and Application Integration Split Tunneling Netlet Proxy NetFile Components Initialization Validating Credentials Access Control Security Special Operations NetFile and Multithreading Rewriter Rewriter Proxy Proxylet Page Chapter 3 Identifying and Evaluating Your Business and Technical Requirements Business Objectives Page Technical Goals Mapping Portal Server Features to Your Business Needs Identity Management Table 3 -1 Identity Management Features and Benefits (Continued) SRA Table 3 -2 SRA Features and Benefits Search Engine Table 3 -3 Search Features and Benefits Personalization Aggregation and Integration Table 3 -4 Personalization Features and Benefits Table 3 -3 Search Features and Benefits (Continued) Table 3-5 shows the aggregation and integration features and their benefits. Understanding User Behaviors and Patterns Table 3 -5 Aggregation Features and Benefits Page Chapter 4 Pre-Deployment Considerations Determine Your Tuning Goals Portal Sizing Tips Establish Performance Methodology Portal Sizing Establish Baseline Sizing Figures Peak Numbers Average Time Between Page Requests Concurrent Users Average Session Time Search Engine Factors Portal Desktop Configuration Hardware and Applications Back-End Servers Transaction Time Workload Conditions Customize the Baseline Sizing Figures LDAP Transaction Numbers Application Server Requirements Validate Baseline Sizing Figures Refine Baseline Sizing Figures Validate Your Final Figures SRA Sizing Identifying Gateway Key Performance Requirements Session Characteristics Netlet Usage Characteristics Advanced Gateway Settings Page Configuration Scalability Secure Portal Pilot Measured Numbers SRA Gateway and SSL Hardware Accelerators SRA and Sun Enterprise Midframe Line Page Chapter 5 Creating Your Portal Design Portal Design Approach Overview of High-Level Portal Design Overview of Low-Level Portal Design Logical Portal Architecture Page Portal Server and Scalability Vertical Scaling Horizontal Scaling Portal Server and High Availability System Availability Degrees of High Availability Achieving High Availability for Portal Server Portal Server System Communication Links Page Page Working with Portal Server Building Modules Building Modules and High Availability Scenarios Page Best Effort No Single Point of Failure Page Page Transparent Failover Building Module Constraints Deploying Your Building Module Solution Deployment Guidelines Directory Server Requirements Search Engine Structure Designing Portal Use Case Scenarios Elements of Portal Use Cases Example Use Case: Authenticate Portal User Table 5-2 describes a use case for a portal user to authenticate with the portal. Table 5 -2 Use Case: Authenticate Portal User Designing Portal Security Strategies Securing the Operating Environment Using Platform Security UNIX User Installation Limiting Access Control Using a Demilitarized Zone (DMZ) Portal Server and Access Manager on Different Nodes Page Page Page Page Page Designing SRA Deployment Scenarios Basic SRA Configuration Disable Netlet NetFile Proxylet Multiple Gateway Instances Netlet and Rewriter Proxies NetFile Rewriter Proxy Rewriter Proxy Netlet and Rewriter Proxies on Separate Nodes Using Two Gateways and Netlet Proxy Client NetFile Netlet Using an Accelerator Netlet with 3rd Party Proxy Application Web Server Application Reverse Proxy DMZ Designing for Localization Content and Design Implementation Placement of Static Portal Content Integration Design Creating a Custom Access Manager Service Integrating Applications Independent Software Vendors Integrating Microsoft Exchange Identity and Directory Structure Design Implementing Single Sign-On Portal Desktop Design Choosing and Implementing the Correct Aggregration Strategy Working with Providers Page Client Support Page Chapter 6 The Production Environment Moving to a Production Environment Monitoring and Tuning Documenting the Portal Monitoring Portal Server Memory Consumption and Garbage Collection CPU Utilization Access Manager Cache and Sessions Thread Usage Portal Usage Information Appendix A Installed Product Layout Directories Installed for Portal Server Directories Installed for SRA Configuration Files Page Appendix B Analysis Tools mpstat Output Page iostat Output netstat netstat -I hme0 10 netstat -sP tcp Output Considerations: Consider the following: Tuning Parameters for /etc/system Page Page Appendix C Portal Server and Application Servers Introduction to Application Server Support in Portal Server Portal Server on an Application Server Cluster Overview of Application Server Enterprise Edition Overview of BEA WebLogic Server Clusters Page Overview of IBM WebSphere Application Server Page Appendix D Troubleshooting Your Portal Deployment Troubleshooting Portal Server UNIX Processes Log Files Recovering the Search Database Working with the Display Profile High CPU Utilization for Portal Server Instance Configuring a Sun Java System Portal Server Instance to Use an HTTP Proxy Troubleshooting SRA Debugging the Gateway Introduction to shooter Using shooter shooter.sh gctool.pl memfoot.sh SRA Log Files Page Appendix E Portal Deployment Worksheets Portal Assessment Worksheets Table E -2 Organizational Questions Table E -1 General Questions Table E -3 Business Service-level Expectations Questions Table E -4 Content Management Questions Table E -5 User Management and Security Questions Table E -6 Business Intelligence Questions Table E -7 Architecture Questions Portal Design Task List 2. Design Table E -8 Design Task List (2 of 7) 3. Develop and Integrate Java System Table E -8 Design Task List (3 of 7) Sun Java System Portal Server, Sun Java System Table E -8 Design Task List (4 of 7) Table E -8 Design Task List (5 of 7) 4. Deployment Production Table E -8 Design Task List (6 of 7) Table E -8 Design Task List (7 of 7) Page Appendix F Portal Server on the Linux Platform Limitations Using Linux Comparison of Solaris and Linux Path Names Page Page Page Index SYMBOLS A B C D E F G H I J L M N O P Q R S T U V