October 6th, 2011 08:00

SSL Secure-IT Setup

Hi guys,

I've read the manual, looked at some examples on this site but am still having problems setting up Secure-IT.

Maybe I've got the whole idea wrong but what I require is a single SSL gateway for users to connect to vWorkspace sessions from using the Web Access site, i.e. users browse to the secure https://vworkspace.domain.tld website, logon using their credentials then click the Desktop app and they are securely connected over SSL to the backend.

The requirement comes about as some of our staff use another network which *only* uses RIPE addresses, and we're on 10.x.x.x addresses, so we have NAT rules to present our environment to their network. Without using a secure GW we'd need to create a lot of NAT rules, which isn't supportable.

As a POC I've installed the Secure-IT role on a test server, internal on our 10.x.x.x network, which is the same network as the vWorkspace farm, brokers, web access etc, and tried getting the system to work on this network only.

No Joy...

Questions

How do I check the RDP session is secured via the Secure-IT server?

When I secure the vWorkspace Web Access site in IIS, the PIT files cannot be downloaded... ??

Essentially I need help...

Thought I'd ask here before logging a support ticket.

Kind regards,

Caleb

48 Posts

October 6th, 2011 10:00

Hi Caleb,

Like most things Secure-IT (Secure gateway) is really easy to set up once you've done it at least one time.

You are correct in deciding that the Secure Gateway will handle your NATing a lot more easily.

However there are some traps.

For your test scenario, the most critical thing is that you have a valid SSL certificate. Self-generated SSL certs can be a real pain unless you remember that the CA root certificate has to be installed on both the Secure Gateway server and on the client. Also the friendly name and FQDN have to match and of course the FQDN the client uses to connect to Secure Gateway has to match the FQDN of the SSL certificate.

The next piece, assuming the Secure Gateway is set up properly and has a valid certificate, is to make sure the client browser (IE etc) is configured properly. When you launch a managed app via web access and the secure gateway, you will be downloading 2 separate encrypted files (PIT files) and launching an application (vWorkspace client) from your browser. That's not going to work unless the web access site is trusted (gets worse as IE version increases), and stuff like "do not save encrypted files to disk" is disabled.

The quickest way to sort this stuff out is to have someone helping so if this doesn't help you get going, call support to get more focussed help.

regards,

Rick


October 6th, 2011 12:00

Hi David...

The Certificate isn't a problem as I've got a wildcard cert from a well-known public CA...

It's simply the configuration at the backend... which I'm looking at the suggestions you've posted as a guide

I'm sure it's simple once you've done it but seems a little weird sitting here with people breathing down my neck asking me if it's done yet

I'll take a look and report back

228 Posts

October 6th, 2011 12:00

Hi Caleb,

We have some information on how to configure the Secure-IT (SSL gateway) available on our SupportLink site. The configuration is done in 2 parts. Firstly you are required to obtain and import a certificate as per Rick's post. You then need to apply this to the Secure-IT applet in the Windows Control Panel and configure the relevant proxy services. If using web access you will want to enable the RDP Proxy and the Web Proxy, if you require AppPortal access from the Internet then add the Connection Broker Proxy as well.

The second part of the setup is within the web access Admin, where you will need to configure the Firewall/SSL VPN page with the appropriate settings.

Please follow this link to a video clip showing how to configure Secure-IT https://support.quest.com/Search/SolutionDetail.aspx?id=SOL58849&category=Solutions&SKB=1

If you are using our Secure-IT to provide SSL access then you will not need to secure web access using IIS. IIS should be left on port 80, as our Secure-IT will provide the https front end connectivity to web access.

If you have any more specific questions on the setup or configuration, let us know.

Regards

David

October 6th, 2011 12:00

Go on then..

I don't even see a listener on port 443 on the server with the Secure-IT installed...
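Added example (not part of the thread and not Quest tooling): a Python check for the two conditions raised above, namely whether anything is listening on the gateway's port 443 and whether the certificate it presents chains to a root the client trusts and covers the FQDN the client connects to, including the one-label rule for wildcard certificates. The function names `name_matches` and `check_gateway` are hypothetical, and `vworkspace.domain.tld` is the placeholder FQDN from the first post.

```python
import socket
import ssl
import sys


def name_matches(pattern: str, fqdn: str) -> bool:
    """True if a certificate name covers fqdn; '*' stands for one leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_gateway(fqdn: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Report listener, chain trust and name match as separate findings."""
    result = {"listener": False, "trusted": False, "names": [], "name_ok": False, "error": None}
    try:
        raw = socket.create_connection((fqdn, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"no listener: {exc}"
        return result
    result["listener"] = True
    ctx = ssl.create_default_context()  # chain must verify against this client's trusted roots
    ctx.check_hostname = False          # name matching is done below so it is reported separately
    try:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    except OSError as exc:              # ssl.SSLError and timeouts are OSError subclasses
        raw.close()
        result["error"] = f"TLS handshake failed: {exc}"
        return result
    result["trusted"] = True
    result["names"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    result["name_ok"] = any(name_matches(n, fqdn) for n in result["names"])
    return result


if __name__ == "__main__":
    # Constructed samples using the placeholder FQDN from the thread.
    for host in ("vworkspace.domain.tld", "a.vworkspace.domain.tld", "domain.tld"):
        print(host, name_matches("*.domain.tld", host))
    if len(sys.argv) > 1:               # pass the gateway FQDN to test a real endpoint
        print(check_gateway(sys.argv[1]))
```

Run it from a client machine, since the trust result depends on that machine's root store. It checks only the HTTPS front end and says nothing about whether the RDP session itself is being proxied.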

228 Posts

October 6th, 2011 12:00

Caleb,

If you really need to get this done then I'd be happy to jump on a webex session with you.

David

October 6th, 2011 14:00

Well that was simple in hindsight!

Well done David, best support guy ever!
