Secure Gateway

From Frog Knowledge Base

Secure Gateway provides remote access to applications. It allows users at home to log in to a PC inside the school by making standard Remote Desktop services available from outside.

Over Remote Desktop, a user outside the school uses a PC inside the school as if they were sitting in front of it. Users log in with their normal Windows username and password and use the software installed on that machine exactly as they would at school.

Users and Access

Although Secure Gateway was built to provide remote access to applications, it also allows users outside the school to be given access to almost any internal service, easily and with per-service access control. The only requirement is that the service runs over a plain TCP connection; Remote Desktop is simply one example of a normal TCP service published through Secure Gateway.

Once a user has requested access over Secure Gateway, the Frog server acts as a simple relay for that user, passing traffic between the user and the internal service. Because Frog does not inspect or modify the traffic, it can publish almost any service. The flip side is that Frog adds no encryption or authentication of its own to the relayed connection: the remote user gets exactly what the published protocol provides. Remote Desktop traffic is protected by RDP's own encryption and logon, whereas a plain-text protocol published this way stays plain text across the Internet.

Every published service has its own list of users who are permitted to use it, so services can be appropriately restricted.
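The relay model described above, written out as an added example so its behaviour is concrete. This is not Frog's own code: it is a minimal TCP relay keyed on the client's source address, which is how this page describes Secure Gateway working (see also Secure Gateway Requirements below). The listen port, target host and the pre-authorised address are constructed placeholders.

```powershell
# Added example (not Frog's code): a one-connection-at-a-time TCP relay keyed on source IP.
# Bytes are copied untouched in both directions, so the relay neither adds nor removes any
# encryption or authentication: the published protocol is all the remote user gets.
$ListenPort   = 2001                  # the externally forwarded port (assumed)
$TargetHost   = 'ws01.school.local'   # the published internal service (assumed)
$TargetPort   = 3389                  # Remote Desktop
$GrantSeconds = 60

# Source IPs that have requested the gateway, with expiry. In Frog this entry would be created
# when an authorised user opens the gateway; here it is a constructed sample.
$Granted = @{ '203.0.113.10' = (Get-Date).AddSeconds($GrantSeconds) }

function Test-Authorised([string] $Ip) {
    $until = $Granted[$Ip]            # $null when the address never requested access
    return ($null -ne $until) -and ((Get-Date) -lt $until)
}

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $ListenPort)
$listener.Start()
try {
    while ($true) {
        $client = $listener.AcceptTcpClient()
        $srcIp  = ([System.Net.IPEndPoint]$client.Client.RemoteEndPoint).Address.ToString()

        if (-not (Test-Authorised $srcIp)) {
            Write-Warning "Refused $srcIp (no active grant)"
            $client.Close()
            continue
        }

        # Note the limit of the design: anyone else behind the same public IP is indistinguishable
        # from the user who requested access, so only the target's own logon keeps them out.
        Write-Host "Relaying $srcIp -> ${TargetHost}:$TargetPort"
        $target = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)

        $up   = $client.GetStream().CopyToAsync($target.GetStream())
        $down = $target.GetStream().CopyToAsync($client.GetStream())
        # Block until either side closes, then tear down both halves.
        [void][System.Threading.Tasks.Task]::WaitAny([System.Threading.Tasks.Task[]]@($up, $down))
        $client.Close()
        $target.Close()
    }
} finally {
    $listener.Stop()
}
```

Run it on any host with .NET 4.5 or later, point a Remote Desktop client at that host on port 2001 from the granted address, and you land on the target exactly as if you had connected to it directly; connect from an address without a grant and the socket is simply closed. The example handles one session at a time, which is enough to show the model; a production relay would accept concurrently and would expire grants as sessions end.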

Secure Gateway Pools

When a user requests a connection to a Secure Gateway Pool, Frog dynamically finds the first PC in the Pool that is available and has no one already logged on. This allows ordinary Windows XP, Vista and 7 PCs to act like a Terminal Server without needing specific Terminal Server licences. Because a Windows client edition permits only one interactive session at a time, a pool member that already has someone logged on (at the keyboard or over a disconnected remote session) cannot be handed to a second user, which is why the free/busy check matters.

Configuring and Using Secure Gateway

Configuring the Frog Server

Secure Gateway must be configured in several places. First, the Frog server settings must be specified in the toolkit under Admin > Server Configuration > Secure Gateway.

ServerConfig.png

The options in this dialog are as follows:

Secure Gateway Configuration Fields:
External Host – The Internet-facing IP address of the Frog server, i.e. the address to which the external port is forwarded and which remote users connect to.
Internal Host – The internal IP address of the Frog server.
External Port – The port used for Secure Gateway traffic between the user and the Frog server in both directions (typically 2001; see TCP Port Forward below).

Once the Frog server is configured, a network must be configured for use with Secure Gateway. If you have more than one network, Secure Gateway can be configured to work over both. Networks are configured through the Windows Application section.

Windows Application:
For Secure Gateway machine pools to work with Windows 7, the WMI Query service must be installed so that Secure Gateway can determine whether or not a PC is in use. For ANY gateway to function, single or pool, at least one network must be configured. The WMI Query service can be downloaded by clicking here.

Windows Application fields:

Name* – The name of the network being used (this distinguishes split networks if you are using Secure Gateway over two physical networks).

Mapped Gateway IP* – The IP address of the gateway used to reach the network. For a single network this is the internal IP address of the Frog server.

WMI Port – The port the WMI Query service listens on, 8888 by default.

WMI Host – The IP address or hostname of the server running the WMI Query service.

Use WMI* – Whether the WMI Query service is used for this network.

Default – Whether this is the default network.

  • Fields marked with an asterisk (*) are the minimum that must be configured for Secure Gateway to function.

The FrogTrade WMI Query Service

What is in the installer?

The installer contains a setup.exe, an MSI and a readme file. The MSI file is the one that is needed for installation purposes.

What is the WMI Query service?

Secure Gateway was originally designed to be used in conjunction with a physical room of PCs or rooms of PCs that a user could access from home. As a result, the Secure Gateway system needed a way to determine whether or not a PC was in use. Originally this could be determined using the Messenger Service - this service allowed the Secure Gateway system to perform lookups on PCs and work out whether a user was logged in or out. With the release of Windows Vista (and then 7), the Messenger Service was removed from the Windows OS and this meant a new mechanism was required to determine whether or not PCs are in use. The WMI Query Service is this new mechanism.

So how does it work?

The service itself must be installed on a server that can contact every PC or server that users will reach through Secure Gateway; this is usually a Domain Controller. The service also needs the username and password of an account that can run remote WMI queries against those machines. By default Windows only accepts remote WMI (DCOM) queries from members of the local Administrators group on the queried PC, so in practice this account has administrator rights on every pool member. Treat the credential accordingly: use a dedicated account rather than a shared domain admin, give it no more rights than the query needs, and remember that it is stored on the server running the service.

When a user triggers a pool gateway, the Frog server asks the WMI Query service for information on the PCs in the pool; the service returns that information to Frog, which then directs the user to a free machine. The result is cached for up to a minute so that, if the same or another user opens the same pool again, WMI queries are kept to a minimum. Because of this cache, the status Frog acts on can be up to a minute old.

By default the query service listens on port 8888; this can be changed if another service on your server already uses that port.

The Frogtrade WMI Query Service can be downloaded from here.
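As an added example of the check the service is described as performing, the following script finds the first free PC in a pool with one remote WMI query per member and a one-minute result cache. It is not the FrogTrade WMI Query Service's own code; the pool member names and the query account are constructed placeholders. It uses Get-WmiObject, which queries over DCOM, the transport Windows XP/Vista/7 targets accept without further configuration, and it deliberately counts a disconnected (not logged-off) session as "in use", which is the situation described under Launching a Secure Gateway Session.

```powershell
# Added example (not the FrogTrade service's code): first-free-PC selection with a 60 s cache.
# Run in Windows PowerShell on a machine that can reach the pool members (not against itself,
# since Get-WmiObject refuses -Credential for the local computer).
$PoolMembers  = @('ws01.school.local', 'ws02.school.local', 'ws03.school.local')  # constructed sample pool
$CacheSeconds = 60
$QueryCred    = Get-Credential -Message 'Account allowed to run remote WMI queries on the pool PCs'
$script:Cache = @{}   # hostname -> @{ Users = [string[]]; Checked = [datetime] }

function Get-InteractiveUsers {
    # Returns the accounts with an interactive session on $ComputerName. Each desktop session runs
    # its own explorer.exe, so a session that was merely disconnected still shows up here,
    # whereas Win32_ComputerSystem.UserName would only report who is at the console.
    param([string] $ComputerName)

    $entry = $script:Cache[$ComputerName]
    if ($entry -and ((Get-Date) - $entry.Checked).TotalSeconds -lt $CacheSeconds) {
        return $entry.Users
    }
    try {
        $procs = Get-WmiObject -Class Win32_Process -Filter "Name='explorer.exe'" `
                    -ComputerName $ComputerName -Credential $QueryCred -ErrorAction Stop
        $users = @($procs | ForEach-Object {
                    $owner = $_.GetOwner()
                    "$($owner.Domain)\$($owner.User)"
                  } | Sort-Object -Unique)
    } catch {
        # A PC we cannot query is treated as busy, never as free.
        Write-Warning "$ComputerName unreachable: $($_.Exception.Message)"
        $users = @('<unreachable>')
    }
    $script:Cache[$ComputerName] = @{ Users = $users; Checked = Get-Date }
    return $users
}

function Select-FreePoolMember {
    [CmdletBinding()] param()
    foreach ($pc in $PoolMembers) {
        $users = @(Get-InteractiveUsers -ComputerName $pc)
        if ($users.Count -eq 0) { return $pc }
        Write-Verbose "$pc in use by $($users -join ', ')"
    }
    return $null
}

$free = Select-FreePoolMember -Verbose
if ($free) { "Direct the user to $free" } else { 'No free PC in this pool' }
```

Calling Select-FreePoolMember twice within a minute issues no second round of WMI queries, which is the behaviour the page attributes to the service; it also means a PC taken in the meantime still looks free until the cache entry expires.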

Configuring Gateways

Gateways themselves are configured through a Frog brick by administrators of the Frog platform. The Secure Gateway brick is permission-aware: it shows configuration options to administrators but not to normal users.

The Secure Gateway Frog brick can be found under the Admin tab of the page editor. If you can't see the Secure Gateway Frog brick in this section, please contact the technical support team on 01422 395939 or by sending an email to servicedesk@frogtrade.com.

Administrators will see the following menu above the gateway listing when viewing the brick in a live page:

AdminMenu.png

The gateway listing appears as follows:

GatewayList.png

New gateways are created by selecting the New Single Gateway or New Pool Gateway option, each of which presents the following dialog:

Single Gateways require:

SingleGateway.png

Description – The text that will appear in the Gateway Listing.
Target Machine Name/IP Address – The hostname or IP address of the target machine.
Type – The type of gateway connection.
Port – The port to connect to the machine on. This will be preset based on the gateway connection type.
Mapped IP Address – The network to use as configured in the toolkit.


Pool Gateways require:

PoolConfig.png

Description – The text that will appear in the Gateway Listing.
Network name – The network to use as configured in the toolkit.
Windows Machine names of Pool Members – The FQDNs of the machines in the pool. With split networks, IP addresses may need to be used for the secondary network (for example 192.168.0.34 rather than workstation.network.local).

Once a single or pool gateway has been configured it can be edited from the Gateway Listing, and its access list can be configured to control who may use it. By default a gateway is visible to administrators only; it can be assigned to profiles, groups or individual users. Gateway access only decides who can open the relay: who can actually log on to the target machine is still decided by Windows on that machine.


Launching a Secure Gateway Session AFTER BUILD 13_10_03

To launch a Secure Gateway session, a user should log into Frog as normal and browse to a page containing a Secure Gateway Frog brick. Double-clicking a gateway opens the launch window.

The user will then see a Windows-style prompt similar to the following:

SGprompt.png

The user must enter their network credentials into this prompt to be authenticated and logged into the target machine. PLEASE NOTE that it may be necessary to prefix the username with the domain, i.e. MYDOMAIN\Username rather than just Username.

This change was introduced with the release of Windows 8. Windows 8 cannot use the previous method of pre-authentication, so the user has to enter their credentials before the connection is established.

Once the user selects OK they may see a further prompt similar to the following:

SGprompt1.png

This prompt appears because MSTSC checks the certificate presented by the target machine's Remote Desktop listener and finds that it is not trusted; by default a PC presents a self-signed certificate that it generated itself. The certificate on the target PCs is normally issued by the school's own domain Certificate Authority, typically through Group Policy and auto-enrolment. It is not related to the SSL certificate on the Frog server, and the Frog server cannot influence it.

If a trusted certificate cannot be deployed to the machine through the network set-up, we recommend that users select "Don't ask me again for connections to this computer" and click OK. As the Frog server only relays Secure Gateway connections, this message cannot be suppressed by Frog. Be aware of what the option does: it makes the client remember that particular certificate for that computer name. With a pool gateway the computer name is always the Frog server's external address while the certificate differs for each pool member, so the prompt may reappear whenever a different PC is selected. Note also that MSTSC compares the name in the certificate with the name the client connected to, which here is the Frog server's external address, so a name mismatch warning can remain even once the issuer is trusted. Deploying a CA-issued certificate is still the better fix where it is possible, because it lets users distinguish the real target from anything else answering on that port.
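An added example (not Frog code) of the check an administrator can run on a target PC: it shows which certificate the Remote Desktop listener currently presents and, if a certificate issued by the domain CA for this machine exists in the local machine store, binds it to the listener so that the untrusted-issuer warning stops. The CA name is an assumed placeholder.

```powershell
# Added example (not Frog code): inspect and, if possible, replace the RDP listener certificate.
# Run in an elevated Windows PowerShell on the target PC (Vista/7 or later).
$IssuerMatch = 'CN=School-CA'   # assumption: a fragment of your domain CA's distinguished name

# Win32_TSGeneralSetting in root\cimv2\TerminalServices holds the listener's certificate thumbprint.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"
"RDP-Tcp currently presents thumbprint: $($listener.SSLCertificateSHA1Hash)"

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a machine certificate that a client could actually trust: issued by our CA (not self-signed),
# for this host's name, with a private key, unexpired, and carrying the Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -ne $_.Subject -and                    # excludes the auto-generated self-signed RDP cert
        $_.Issuer -like "*$IssuerMatch*" -and
        $_.Subject -like "CN=$fqdn*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No CA-issued server certificate for $fqdn in LocalMachine\My; the self-signed certificate stays and users will keep seeing the warning."
    return
}
if ($listener.SSLCertificateSHA1Hash -eq $cert.Thumbprint) {
    "Listener already bound to $($cert.Thumbprint) ($($cert.Subject))"
    return
}

# Bind it; Terminal Services uses the new certificate for subsequent connections.
Set-WmiInstance -InputObject $listener -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null
"Bound $($cert.Subject) (expires $($cert.NotAfter)) to the RDP-Tcp listener"
```

The listener runs as NETWORK SERVICE, which must be able to read the certificate's private key; certificates auto-enrolled from a Remote Desktop template already allow this, whereas a certificate imported by hand may need that permission granted before the binding works. Binding a CA certificate removes the untrusted-issuer warning; it does not remove a name mismatch caused by connecting to the Frog server's address rather than the target's own name.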

Launching a Secure Gateway Session PRE-13_10_03

To launch a Secure Gateway session, a user should log in and browse to a page containing a Secure Gateway Frog brick. Double-clicking a gateway opens the launch window. If the user is accessing the platform with Internet Explorer, an ActiveX plug-in launches MSTSC and connects the user to the gateway.

If the user is not using Internet Explorer, or is connecting to a service other than Remote Desktop, they should select the option "If you are not using Internet Explorer, please click here for instructions on connecting manually" to initialise the gateway connection. The user will need a Remote Desktop client that can connect to Microsoft Terminal Services, or the appropriate client for the service they are connecting to.

Once a user has connected through the gateway, the permissions they have are those granted by the service or network they have connected to; Secure Gateway neither adds nor removes any.

In the case of Remote Desktop on a pool gateway, users should choose Log Off on the workstation when they have finished, rather than simply closing or disconnecting the session. If a user does not log off, the workstation keeps their session (unless the network is configured to log off inactive users), and the PC is reported as in use, preventing other users in the pool from reaching it.

Secure Gateway Requirements

For Secure Gateway to work, Frog must be able to determine the user's real IP address. If Frog is behind a reverse proxy, or is published through a Microsoft ISA Server, Secure Gateway is unlikely to function, because those servers replace the user's source address with their own and Frog never sees it.

TCP Port Forward

Secure Gateway requires a port to be forwarded from an Internet-facing IP address to the Frog server. Port 2001 is typically used, though almost any port will do. Forward only this port; the internal services themselves should not be reachable from the Internet directly, since the whole point is that the Frog server decides who may reach them.

Secure Gateway uses the user's source IP address as the identifier for a requested session. Source-based NAT, or any proxy that rewrites the source address, breaks this because the address reaching the Frog server is no longer the user's. The same design means that while a gateway is open for an address, every device sharing that public address (for example other devices behind the same home router) can reach the forwarded port; the logon on the target machine is what keeps them out.

Remote Desktop

Remote Desktop connections through Secure Gateway use the standard Microsoft Terminal Services functionality. The PC the user logs into must support Remote Desktop and be configured to allow remote logons: Remote Desktop must be enabled, and the user must be an Administrator or a member of the local Remote Desktop Users group. If Windows Firewall is enabled, there must be an exception allowing Remote Desktop connections (TCP port 3389).

Windows XP Professional, and the Business, Professional, Ultimate and Enterprise editions of Vista and Windows 7, support incoming Remote Desktop connections as standard; the Home editions do not.

If you have any queries regarding the security or use of Microsoft Terminal Services, please see the Microsoft TechNet and support articles for Remote Desktop and Terminal Services.
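As an added example, not Frog's code, the following script prepares a Windows Vista/7 pool member to meet the requirements above: it enables Remote Desktop, requires Network Level Authentication (which is what the credential prompt on Windows 8 clients corresponds to), enables the predefined firewall rule group instead of opening port 3389 by hand, and grants remote logon to one AD group only. The group name is an assumed placeholder; Windows XP targets cannot require NLA, so the script is not for them.

```powershell
# Added example (not Frog code): configure and verify a Remote Desktop target for Secure Gateway.
# Run in an elevated Windows PowerShell on the target PC (Vista/7 or later).
$AllowedGroup = 'SCHOOL\SecureGateway-Users'   # assumption: the AD group that may log on remotely

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0   # 0 = allow Remote Desktop connections
Set-ItemProperty -Path $rdp -Name UserAuthentication  -Value 1   # 1 = require NLA: client authenticates before a session exists
Set-ItemProperty -Path $rdp -Name SecurityLayer       -Value 2   # 2 = TLS; this is the listener whose certificate MSTSC checks

# Windows Firewall: enable the built-in "Remote Desktop" rule group (present on Windows 7 and later).
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null

# Least privilege: only Administrators and members of Remote Desktop Users can log on remotely,
# so add the one group that should use the gateway rather than, say, Domain Users.
# (Error 1378 "already a member" is harmless and is suppressed here.)
net localgroup "Remote Desktop Users" $AllowedGroup /add 2>&1 | Out-Null

# Verify the end state; the registry values apply to new connections without a reboot.
New-Object PSObject -Property @{
    RemoteDesktopEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired          = (Get-ItemProperty $rdp).UserAuthentication -eq 1
    TlsSecurityLayer     = (Get-ItemProperty $rdp).SecurityLayer -eq 2
    ListeningOn3389      = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
}
```

Requiring NLA is the setting worth keeping even where the rest is already in place: it makes the target refuse to build a desktop session for an unauthenticated client, which matters here because, as described under Secure Gateway Requirements, anything sharing the remote user's public IP address can reach the forwarded port while a gateway is open.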


Secure Gateway Troubleshooter

Which web browser are you using?

Internet Explorer

In the bottom right hand corner of your VLE window, what "zone" is it using?

  • Internet

The VLE must be added to your 'Trusted sites' zone for Remote Desktop to load automatically.

On the top menu bar of Internet Explorer, click 'Tools' and then 'Internet Options'. Choose the 'Security' tab, select 'Trusted sites' and click the 'Sites' button. In the top input box, type the address of your VLE, e.g. http://vle.frogteacher.com/, then click 'Add'. If your VLE address begins with http://, ensure the 'Require server verification (https:) for all sites in this zone' option is unticked; if the VLE is served over https:// it can stay ticked. Then click 'OK' and 'OK' again.

You should then reopen the Secure Gateway connection.

  • Local Intranet

Unfortunately you have reached the limits of this troubleshooter.

See below for instructions on loading your connection manually.

  • Trusted Sites

Unfortunately you have reached the limits of this troubleshooter.

See below for instructions on loading your connection manually.

  • Restricted Sites

The VLE must be removed from the 'Restricted sites' zone to load Remote Desktop automatically.

On the top menubar of Internet Explorer, please click 'Tools' and 'Internet Options'. Choose the 'Security' tab along the top, then select 'Restricted sites'. Click the 'Sites' button. In the list of sites find the one referencing your VLE, select it, and then click 'Remove'. Then click 'OK' and 'OK' again.

You should then reopen the Secure Gateway connection.

Not Internet Explorer

The Remote Desktop client can only load automatically using Internet Explorer.

Please either retry using Internet Explorer, or see below for instructions on loading your connection manually.

Manual Connection

Are you running Windows XP or later?

Yes:

You can connect manually by clicking Start, choosing 'Run' and entering 'mstsc'. This launches the Remote Desktop client.

Enter EXTERNALHOST:EXTERNALPORT as the computer and click 'Connect'. EXTERNALHOST is your Frog server's external IP address, which you can find by pinging your external URL from a workstation; the port is usually 2001. The manual connection only succeeds after you have opened the gateway from the Secure Gateway brick, because that request is what authorises your IP address on the Frog server.

No:

You will need to ensure you have the Microsoft Remote Desktop Client installed on your system to connect to the remote computer.

Microsoft also provides a Remote Desktop client for the Mac. It is installed as part of a full installation of Office for Mac, or can be downloaded here: http://www.microsoft.com/mac/remote-desktop-client

Once this has been downloaded and installed, follow the manual instructions above.

FAQ

Q: Why does the WMI Query need to go on a domain controller?

A: It does not always have to. We recommend installing the service on a Domain Controller because one is always able to talk to both the machines on the network AND the Frog server. The service can instead be installed on a member server, but that server must be able to reach both the machines you set up as pools AND the Frog server.

Q: What do I need to run?

A: The zip file contains a setup.exe and an MSI file. Run the MSI file and follow the steps it presents.


Q: What does the MSI actually do?

A: The MSI installs the service on the server in question and sets it to start automatically and run in the background.


Q: What effect does it have on the system? Will I notice slowdowns?

A: No slowdown should be noticed. The service contacts the clients in a machine pool only when requested; although some calls and responses may occur outside those times, the resulting traffic is minimal and has no noticeable effect.


Q: Is Secure Gateway on Windows 8 supported?

A: At present we do not officially support connecting to Windows 8 machines via Secure Gateway. Our development team are aware of this and we will update this knowledge base article as soon as we have further information. Windows 8 machines can, however, use Secure Gateway to connect to Windows 7 or XP machines by enabling Compatibility View in the desktop version of IE10.