Vector PC-Duo Installation Guide download pdf (Page 30)

PC-Duo Gateway Server Guide

Shared secret password: In the case that the Host does not share a domain

relationship with the PC-Duo Gateway, or if the Host is outside of the network and cannot

contact its domain controller, Windows authentication will not usually be available. Behind

the scenes, the PC-Duo Gateway and the Host will exchange a 16-byte secret password

that only they will know. As a result, in all subsequent connections, the PC-Duo Gateway

and Host will have some measure of authentication when they are not in the same

domain. If the Host belongs to the same domain as the PC-Duo Gateway, and the Host is

able to reach a domain controller, the Host will prefer to do Windows authentication

instead of shared secret password.

Endpoint Authentication

In general, this operation answers the following security question: How does the client

know it is connected to the right server? Identity authentication doesn't prohibit the client

from being fooled into connecting to a different server. In order to guarantee that

information and services are coming from the expected server, PC-Duo supports

endpoint authentication using Secure Sockets Layer (SSL).

SSL certificate authentication (PC-Duo Gateway only): PC-Duo has implemented

server endpoint authentication using SSL, which means the client will request and

validate a certificate from the server before providing requested information or services.

This ensures the client has connected to the right server. The following list describes

where SSL authentication can and cannot be used:

Peer-to-peer connections: SSL authentication is not available for peer-to-peer

connections. This would require each Host (acting as server) to carry its own

certificate, which would be unwieldy and costly to manage.

Gateway-managed connections (Host is in same domain as Gateway): SSL

authentication is available between Master (acting as client) and Gateway (acting

as server). Before connecting, the Master will request and validate a certificate

from the Gateway. In general, SSL between Master and Gateway would be most

useful when the Master is outside the LAN and/or coming in through a corporate

firewall to access the Gateway.

NOTE: SSL authentication is not available between the Gateway (acting as client) and the

Host (acting as server). As in peer-to-peer connections, this would require each Host to

carry its own certificate. SSL connections to the Host are generally not required because

the Host can be configured to use a reverse connection to the Gateway, which can use

SSL.

Gateway-managed connections (Host is not in same domain as Gateway):

When the Host is outside the LAN and/or behind a firewall or NAT-device, the Host

is the client and has responsibility to contact the Gateway. SSL authentication is

supported and would be appropriate to ensure that the Host is connecting to the

right Gateway. The Host will validate the Gateway Server certificate before

accepting the connection, ensuring that the Host is communicating with the correct

Gateway Server.

In summary, SSL can be used by the Master to authenticate a Gateway, and by a Host to

authenticate a Gateway when the Host is outside the domain:

Connection

Client

Server

SSL

Supported

Peer-to-peer

Master

Host

1 2 ... 25 26 27 28 29 30 31 32 33 34 35 ... 160 161

Comments to this Manuals

No comments

Vector PC-Duo Installation Guide Page 30

Comments to this Manuals

Related products and manuals for Servers Vector PC-Duo