
HOB RD VPN Security Powered by HOB


Presentation on the topic "HOB RD VPN Security Powered by HOB". Presentation transcript:

1 HOB RD VPN Security Powered by HOB
The Leading Remote Access Solution Comprehensive and Highly Secure Speaker: Name Job title

2 About HOB Founded: 1964 Industry: Software Development, ISV
About HOB Founded: 1964 Industry: Software Development, ISV Employees: 160 worldwide Branches: USA, Malta Customers: more than 2,000 Headquarters: Cadolzburg, Germany

3 IT-Security made in Germany
Several federal and industry agencies confirm the security of HOB software. Among them the German Federal Office for Information Security and the IT Security Association Germany. The Common Criteria EAL 4+ Certification confirms that our software products are “methodically designed, tested, and reviewed”.

4 11/26/2019 HOB Awards

5 Product Range

6 Satisfied Customers

7 HOB RD VPN Remote Desktop Virtual Private Network
HOB RD VPN Remote Desktop Virtual Private Network HOB presents to you a new dimension of remote access solutions for all companies that would like to link their sales representatives, branch offices, home offices, business travelers, partners, suppliers, customers and private devices to your company network: worldwide, flexible, multifunctional, uncomplicated and secure.

8 HOB RD VPN Disaster Recovery HOB helps you in case of a catastrophe
HOB RD VPN Disaster Recovery HOB helps you in case of a catastrophe Your employees can not come to work? Free temporary license expansion Home office keeps employees productive cut off employees are supplied with free temporary client licenses

9 HOB RD VPN Why Remote Access? More and more users are going mobile
HOB RD VPN Why Remote Access? More and more users are going mobile Globalization of employees and partners Flexibility ensures competitiveness Applications can be published in a private cloud Fast responsiveness to market changes IT must be able to react with appropriate concepts

10 HOB RD VPN is a software-based solution for secure remote access
The Solution HOB RD VPN offers you flexible, comfortable and secure remote access. HOB RD VPN is a software-based solution for secure remote access with any device (desktop, laptop, tablet, smartphone) anytime. anywhere.

11 HOB RD VPN Idea All employees should be able to work with every device from anywhere in the world as securely and efficiently as if they were sitting at their workstation.

12 HOB RD VPN Flexible Benefits Individual configuration
Optimized for web and cloud services Centralized installation and administration Easy to use: Fast user acceptance Direct access to files and programs, independent of your devices Browser = Thin-Client

13 HOB RD VPN Overview Connection Targets

14 HOB RD VPN Main Components (1)
HOB RD VPN Main Components (1) HOB WebSecureProxy – central security component HOBPhone – integrated VoIP client Remote Desktop Services – access to Windows and Citrix server HOB Desktop on Demand – access to workstations (also virtual) HOB VDI – virtual desktops HOB PPP Tunnel – full network access HOBLink DASH – synchronized Data Sharing HOB Web File Access – data access

15 HOB RD VPN Main Components (2)
HOB RD VPN Main Components (2) HOB WebTerm RDP – purely HTML5 based RDP access HOB Web Server Gate – connection to internal web servers HOB WSP Universal Client – access to individual applications HOB MacGate – access to Mac OS X machines HOB X11Gate – access to Linux machines HOB Legacy Access with HOBLink J-Term – optional terminal emulations HOB SCS – optional software appliance

16 HOB RD VPN HOB Technology HOB SSL TCP Tuner RDP Accelerator
HOB RD VPN HOB Technology HOB SSL TCP Tuner RDP Accelerator SSL Identifier VNC-Bridge Cluster Multi-tenant capability Roles and Rights End-to-End Flow Control Security Authentication Kerberos SSO

17 HOB RD VPN Specifications
HOB RD VPN Specifications Available for the following platforms (server side): Microsoft Windows (x86, EM64T) Linux (x86, EM64T) HOB SCS* Available for the following platforms (client side): Microsoft Windows Apple Mac OS Linux FreeBSD Solaris Planned. Tablets are also supported with WFA and WSG. Available in various editions *in preparation

18 HOB RD VPN Connection Targets
Easy linking to your internal server structure Access to various server types Windows server Desktops in the office (Windows/Mac/Linux) Virtual desktops Unix server Web server Legacy server/mainframes (e.g., 3270, 5250, VT) File server Wake-on-LAN-functionality Start and access your desktop via internet

19 HOB RD VPN Summary Pure software solution
Highly scalable and performant – tested and working with over 100,000 simultaneous RDP sessions on a single server Responsive controls → increased productivity. Work anywhere, at any time, with any device. Sensitive data stay on the company’s servers Up-to-date security mechanisms – complete SSL support and strong authentication Optimized for client access without administration rights nor installation. No setup on client-side required

20 HOB RD VPN HOB WSP (1) The HOB WebSecureProxy (WSP) – the central component – as an access gateway guarantees for highest security. It enables an SSL-encrypted communication of client-inquiries to applications and servers. No matter how much the requirements differ, with HOB WebSecureProxy they are met. Encryption and integrity of data Protection of application server/web-services High performance High reliability HOB WebSecureProxy

21 HOB RD VPN HOB WSP (2) Core component of HOB RD VPN
HOB RD VPN HOB WSP (2) Core component of HOB RD VPN Available for Windows, Linux, Unix and for many other platforms HOB WebSecureProxy uses SSL encryption for the whole communication SSL-support with all common encryption algorithms Authentication, for example: Username and password Token, one-time password User certificates

22 HOB RD VPN HOB WSP (3) – Admin Page

23 HOB RD VPN HOB SSL (1) HOB SSL is based on HOB’s own development and implementation in accordance with existing RFCs. HOB SSL uses no Open Source components. HOB SSL supports modern algorithms and authentication methods (e.g. AES 256, Perfect Forward Secrecy PFS). HOB Security Manager is available for certificate creation and management. Easy creation, import and export of certificates with HOB Security Manager. To confirm the required security, this SSL implementation has been tested and certified in accordance with CC EAL 4+ (BSI-DSZ-CC ).

24 HOB RD VPN HOB SSL (2) HOB SSL uses higher entropy for the random number generation than any other SSL product. HOB SSL surpasses many requirements that are found in relevant norms or demanded by certification authorities. HOB only implements SSL mechanisms that have been proven to be secure. Thus HOB had no Heartbleed errors, as this function is not supported. There can be no BEAST Attack nor an RC4 attack, as HOB supports the CBC mode with AES under TLS v1.1 and v1.2.
- Among other things, HOB SSL is distinguished by sufficiently high entropy in random number generation, which is also verified by tests and is not implemented in this form in other products.
- HOB SSL in part meets higher requirements (e.g. random number generator) than those demanded in certain standards or by certification bodies (e.g. FIPS 140-2).
- HOB refrains from implementing vulnerable SSL mechanisms, or implements them only once their security has been proven. Thus there was no Heartbleed bug, since this function is not supported. There is no BEAST attack and no RC4 attack, since HOB supports CBC mode with AES under TLS v1.1 and v1.2.
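An added example, not HOB code: a Python check that takes negotiated protocol/cipher-suite pairs and tests them against the properties the two HOB SSL slides name (no RC4, CBC only under TLS v1.1/v1.2, PFS, AES 256). The endpoint names and handshake records are constructed, and the input format (IANA suite names as reported by a scanner or packet capture) is an assumption.

```python
import re

# SSL 3.0 and TLS 1.0 chain the CBC IV from the previous record, which is what
# BEAST relies on; TLS 1.1 and 1.2 use an explicit per-record IV instead.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1.0"}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}

# TLS_<key exchange>_WITH_<cipher>_<hash>; TLS 1.3 names omit the first part.
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>[A-Z0-9_]+?)_WITH_)?(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$"
)


def parse_suite(name):
    """Split an IANA cipher suite name into (key exchange, cipher parts, hash)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not an IANA TLS cipher suite name: {name!r}")
    return m.group("kx"), m.group("enc").split("_"), m.group("mac")


def assess(protocol, suite):
    """Report the properties of one negotiated (protocol, suite) pair."""
    kx, enc, _mac = parse_suite(suite)
    if kx is None:
        # TLS 1.3 suite names carry no key exchange; certificate-authenticated
        # TLS 1.3 handshakes always use ephemeral (EC)DHE.
        pfs = protocol == "TLSv1.3"
    else:
        pfs = kx.split("_")[0] in FORWARD_SECRET_KX
    return {
        "rc4": "RC4" in enc,
        "beast_exposed": "CBC" in enc and protocol in CHAINED_IV_PROTOCOLS,
        "pfs": pfs,
        "aes256": enc[:2] == ["AES", "256"],
    }


def audit(records):
    """Return {endpoint: [reasons]} for records that contradict the claims."""
    failures = {}
    for endpoint, protocol, suite in records:
        a = assess(protocol, suite)
        reasons = []
        if a["rc4"]:
            reasons.append("RC4 stream cipher negotiated")
        if a["beast_exposed"]:
            reasons.append(f"CBC under {protocol} (chained IV)")
        if not a["pfs"]:
            reasons.append("no forward secrecy")
        if reasons:
            failures[endpoint] = reasons
    return failures


# Constructed handshake observations (endpoint, protocol, suite), not real data.
SAMPLE_RECORDS = [
    ("gw-a.example", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    ("gw-b.example", "TLSv1.0", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ("gw-c.example", "TLSv1.1", "TLS_RSA_WITH_RC4_128_SHA"),
    ("gw-d.example", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for endpoint, reasons in audit(SAMPLE_RECORDS).items():
        print(endpoint, "->", "; ".join(reasons))
```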

25 HOB RD VPN HOBLink JWT Flexible Java client No installation required
HOB RD VPN HOBLink JWT Flexible Java client No installation required Always up-to-date Remote printing Fast reconnect Compatible with VMWare Horizon View

26 HOB RD VPN HOBPhone (1) HOBPhone is the integrated VoIP client of HOB RD VPN Make secure calls with Voice-over-IP over the Internet No client installation needed, solely web-based (on PC) No administration rights and no configuration needed on the client-side Connect using your company’s SIP telephone system Use of MS Exchange phonebook Supports Windows, Mac, Linux, iOS, Android

27 HOB RD VPN HOBPhone (2) Call, hold, forward, conference, disconnect calls Call lists Echo reduction SRTP or SSL encryption SIP 2.0 compatible No local configuration 5 accounts can be configured 5 accounts: e.g. 5 telephone numbers or different telephone systems

28 HOB RD VPN HOB Remote Desktop Connections (1)
HOB RD VPN HOB Remote Desktop Connections (1) Connect to your remote desktop targets via web Use the integrated HOB Remote Desktop Client in Java (HOBLink JWT) Work fast and highly performant over the Internet Start your remote desktop session without any local installations, solely using any desired, HTML5-capable browser. Use the HOB Load Balancing function for your remote desktop server HOB supports the Citrix Receiver in Java

29 HOB RD VPN HOB Remote Desktop Connections (2)
HOB RD VPN HOB Remote Desktop Connections (2) Connecting to Windows servers with HOB Load Balancing: Microsoft Windows Remote Desktop Services 80% Load HOB WebSecureProxy load balancing not only by CPU load measurement HOBLink JWT 55% Load LDAP / Active Directory Database 70% Load

30 HOB RD VPN HOB Remote Desktop Connections (3) HOBLink WebTerm
HOB RD VPN HOB Remote Desktop Connections (3) HOBLink WebTerm HTML5 RDP Client for HOB RD VPN Only 1 requirement: HTML5 capable browser Regarding browser compatibility, I have tested HOBLink Webterm on the following browsers and confirmed it works as expected: Latest version of Chrome (version 45) Latest version of Firefox (version 40) Latest version of Opera (version 32) Internet Explorer 11 Microsoft Edge (latest Microsoft Browser) version 12 Safari 8 iOS Safari 7.1 and 8 In theory however, HOBLink Webterm will work on any browser supporting Websockets except Internet Explorer 10 ( there is an issue with a particular data structure used during drawing ). You can find the complete list of browsers supporting Websockets here:

31 HOB RD VPN HOB Remote Desktop Connections (4)
HOB RD VPN HOB Remote Desktop Connections (4) Strong performance with RDP powerful many features low latency superior to all other protocols e.g. VNC (with RFB): needs the 7-fold data volume of RDP HOB concludes: RDP is the best protocol strong performance with RDP → HOB uses it

32 Citrix XenApp Citrix Xen Desktop LDAP / Active Directory Database
HOB RD VPN Citrix Connectivity Connecting to Windows servers with Citrix XenApp or XenDesktop: Citrix XenApp Citrix Xen Desktop HOB WebSecureProxy Citrix Receiver LDAP / Active Directory Database

33 HOB RD VPN HOB Desktop-on-Demand (1)
An authorized user can access – SSL-encrypted – their own PC in the company The access is even possible when the PC is completely turned off (Wake-on-LAN) The user can access various other PCs as well No client-side installation needed Desktop PC RDP HOB WebSecureProxy SSL/HTTPS Desktop PC HOBLink JWT Desktop PC

34 HOB RD VPN HOB Desktop-on-Demand (2) Benefits of HOB Desktop-on-Demand
HOB RD VPN HOB Desktop-on-Demand (2) Benefits of HOB Desktop-on-Demand You can access your own windows workstation flexibly and cost-effectively A secure connection is guaranteed Use the integrated Wake-on-LAN-function Reach even multiple work stations Save energy due to switching off workstations Maintain control of security (no external provider)

35 HOB RD VPN HOB VDI WSP (1) Reach your virtual desktop infrastructure (VDI) via the Internet Ideal for your private or public cloud Cost-effective due to an effective, integrated solution in HOB RD VPN You can design your secure remote VDI solution flexibly, easily and quickly

36 as SSL-Proxy/Connection Broker
HOB RD VPN HOB VDI WSP (2) – Architecture HOB VDI agents report the status to the WSP If a new client logs on, it is connected to a free virtual machine automatically Easy administration due to HOB VDI control Windows virtualized VDI Agent 1: busy HOB VDI agents (installed on every virtual desktop) report their status to the WSP. When a new client logs on to the WSP, it is automatically connected to a free virtual machine. Every user has their own desktop. HOB WebSecureProxy as SSL-Proxy/Connection Broker VDI Agent 2: free HOBLink JWT VDI Agent 3: busy

37 HOB RD VPN HOB VDI WSP (3) – Desktop-on-Demand
HOB RD VPN HOB VDI WSP (3) – Desktop-on-Demand Via VMware VIX API, virtual desktops are switched on Individual, virtual desktop structure Windows virtualized Virtual desktops are switched on via the VMware VIX API. This makes individual virtual desktop structures possible. DoD HOBLink JWT HOB WebSecureProxy as SSL-Proxy/Connection Broker with user assignment function Switch on guest HOBLink JWT

38 HOB RD VPN HOB PPP Tunnel (1) - Idea
Easy provision of full network access for your users – if needed! Unique concept No administration rights needed on client side No installation needed on client side No additional drivers needed Target filter available Configurable access to network addresses Definable for groups, users or roles

39 HOB RD VPN HOB PPP Tunnel (2) – Previous Solutions
HOB RD VPN HOB PPP Tunnel (2) – Previous Solutions With VPN solutions so far: Critical driver installation on client-side needed Administration rights on client-side needed Configuration has to take place on client-side and needs to be saved there Tied to network adapter Specified end-device – not flexible High costs due to role complexity Updates and upgrades need to be installed on client-side – great administrative costs Transparent network access should work regardless of the network connection; difficulties arise with certain hotspots and other networks in which IPsec is prohibited (e.g. IPsec over a hotel hotspot)

40 HOB RD VPN HOB PPP Tunnel (3) - Requirements
HOB RD VPN HOB PPP Tunnel (3) - Requirements “Virtual Private Network” requirements: Secure Site-to-Site or Site-to-End connection Strong authentication Low costs Easy rollout Easy, central administration No matter which network connection, the network access needs to work

41 Full company network access
HOB RD VPN HOB PPP Tunnel (4) – The solution Fully access your company network via Windows (Vista and later), Mac OS X, Linux, FreeBSD and Solaris devices! Cost-effective, since without software installation and without administration rights You receive a flexible connection in both directions: Client Company You receive extremely performant access due to efficient compression Network access with all protocols such as TCP, UDP and ICMP
- HOB's statement: thanks to the TCP Tuner, the HOB PPP Tunnel is as fast as IPsec, and thanks to better compression even faster. All of this without the disadvantages of IPsec.
Download of the PPP Tunnel components from the WebSecureProxy. The configuration is initialized on the client. The SSL-secured PPP Tunnel to the HOB WebSecureProxy is established. The HOB WebSecureProxy forwards the decrypted PPP data to a HOB gateway (xbipgw16), which converts the PPP data from TCP to UDP/L2TP. These L2TP packets then go to a hardware/software component that feeds the packets into the network (Microsoft Windows RRAS, Linux with an L2TP server such as OpenSwan, a router with an integrated L2TP server, HOB SCS), or directly via the TUN driver.
SSL HOB WebSecureProxy HOB RD VPN PPP-Tunnel Full company network access The US Patent Office has granted a patent for HOB PPP T1, the patent number is US B2.

42 HOB RD VPN HOB PPP Tunnel (5) - Practice
The HOB WSP version 2.2 has no special functions for the PPP Tunnel; the PPP Tunnel data are only encrypted and decrypted. The HOB program xbipgw16 runs in the company network; it splits up the TCP connection to the client and converts it to L2TP over UDP. These L2TP packets then go to a hardware/software component that is not supplied by HOB and that feeds the packets into the network. This L2TP functionality is an industry standard and is accordingly built into many components. Such components can be, for example: Microsoft Windows RRAS, Linux with an L2TP server such as OpenSwan, or a router with an integrated L2TP server. It can be advantageous to feed the network packets from the PPP Tunnel directly into the company network rather than into the DMZ. With this solution, security is still terminated in the DMZ. The client receives an IP address via PPP and routes packets from this address range through the PPP Tunnel. If the client receives an IP address from the DMZ, it can reach all devices in the DMZ, but devices in the actual company network only via optional NAT (Network Address Translation). If, however, the client receives an IP address from the company network, all devices can be reached directly. Part of the HOB PPP Tunnel is a component that performs NAT in the IP header and in DNS UDP packets. This allows several separate networks (subnets) in the company network to be reached with the PPP Tunnel. This component is xl-sdh-ppp-pf-01, which runs as an add-on (Server-Data-Hook) in the WebSecureProxy. Optionally, this component also serves as a DNS server; certain URLs can be resolved via this integrated DNS server, which overrides the addresses from the DNS server in the company network.
The reason for this DNS server is that certain URLs which have both an address on the public Internet and a (different) address in the company network are resolved in such a way that other components of HOB RD VPN do not establish their connection through the PPP Tunnel but continue to connect directly over the public Internet.

43 HOB RD VPN HOB PPP Tunnel (6) - Practice

44 HOB RD VPN HOB PPP Tunnel (7) - Security
HOB RD VPN HOB PPP Tunnel (7) - Security Transparent network access secured via SSL (256-bit AES) Client security due to Compliance Check Target Filter Anti Split Tunneling Assignment of private, internal IP addresses for every single user Strong authentication User ID and password Token with one-time password Certificate for client authentication via SSL (e.g. stored on a smart-card)
TUN driver: The WebSecureProxy now optionally uses TUN drivers for various functions. Put simply, TUN drivers provide a virtual network adapter.
Internal IP address: With HOB RD VPN, every user can now be assigned a personal internal IP address.
New HOB PPP Tunnel configurations: The HOB PPP Tunnel can be terminated in different ways. Configurable are connections to an external RAS server over UDP/L2TP, or with TCP/L2TP via a HOB gateway (xbipgw16) to an external RAS server, and/or directly in the WebSecureProxy via the TUN driver.
HOB RD VPN PPP Tunnel as a desktop application: The HOB PPP Tunnel can be run as a local application. Logging in to the RD VPN website and downloading from it are no longer required. Java Web Start technology is used for this.
Target filter: Destination addresses that can be reached with the HOB PPP Tunnel can be defined, so the user can access only the targets permitted for them.

45 HOB RD VPN HOB PPP Tunnel (8) - Benefits
HOB RD VPN HOB PPP Tunnel (8) - Benefits Little roll-out effort, since no installation is needed on the client side extremely flexible fields of application save time Configure all settings centrally and reduce administrative efforts Quickly connect to your company’s network via a standard TCP port and enjoy the freedom to work from home, at a hotel or using public hotspots New releases or updates are installed centrally, which is very cost effective as the administrative effort is reduced
- HOB's statement: thanks to the TCP Tuner, the HOB PPP Tunnel is as fast as IPsec, and thanks to better compression even faster. All of this without the disadvantages of IPsec.
Internal IP address: With HOB RD VPN, every user can now be assigned a personal internal IP address. A TUN driver is used for this function.
The US Patent Office has granted a patent for HOB PPP T1, the patent number is US B2.

46 HOB RD VPN HOBLink DASH (1) – Data Sharing HOBLink DASH – Features
Data transmission with SSL encryption Configurable file compression Configurable synchronization direction Configurable synchronization rules Secure connection to Windows file servers (SMB2 protocol) Virus scanning Detailed settings via file control Client available for Windows and iOS

47 HOB RD VPN HOBLink DASH (2) – How It Works
Synchronize, rename, edit, copy, delete files Determine the synchronization direction (both/single direction) Configure which files are to be compressed before transfer Smartphone SMB2 HOBLink JWT HOB RD VPN SSL Laptop File server Desktop PC

48 HOB RD VPN HOB Web File Access
HOB RD VPN HOB Web File Access Securely and flexibly access your data via browser-based access to the file system Store your data on various servers on the company network Data must only be stored on volatile storage

49 HOB RD VPN HOB Web Server Gate (1)
Secure access to web applications and the intranet Your benefit: websites that are not encrypted will be encrypted dynamically Reduction of administrative expense Your internal web server can be securely integrated into the LAN

50 HOB RD VPN HOB Web Server Gate (2)
Access to web server (HTTP + HTTPS), target filter to access own intranet (example) Web server HOB WebSecureProxy SSL Browser client Web applications e.g.: – OWA – ERP/ SAP Netweaver – Network management tool

51 HOB RD VPN HOB WSP Universal Client
Universal Client – Access via locally installed “3rd party applications” The HOB WebSecureProxy Universal Client (HOB WSP UC) is a client gateway Your locally installed “3rd party applications” (e.g. SAP-GUI) can be accessed via a secure, SSL encrypted data access over the internet

52 HOB RD VPN Option HOB MacGate (1)
Access your Mac via remote desktop access over the network, just like LAN or the internet – anytime, anywhere Your access is possible via any client platform, such as Windows, Linux, Thin-clients and other Macs – great flexibility The desktop contents of your Mac are hidden when accessing it (hidden screen) – protection from eavesdropping Guaranteed high-resolution desktop view Configure access rights for your Mac

53 HOB RD VPN Option HOB MacGate (2) - View
Copy and paste of text, graphics and rich text formats Keyboard assignment Flexible printing option without additional drivers

54 HOB RD VPN Option HOB X11Gate
Enjoy extraordinary performance when accessing Linux and Unix desktops You receive fast, SSL-encrypted and web-based access to X Windows applications of Linux/Unix systems – anytime and anywhere Feel the increase in speed when using the remote desktop protocol You do not need an X Windows terminal for access over the Internet – cost-effective

55 LDAP / Active Directory Database
HOB RD VPN Legacy Access – HOBLink J-Term IBM System z (S/390) IBM System I (AS/400) ASCII Host SINIX RM/400/600 HP3000/9000 BS2000 TN3270 TN5250 VT525 SINIX97801 HP700 Siemens 9750 HOB WebSecureProxy HOBLink J-Term LDAP / Active Directory Database

56 HOB RD VPN Software + Virtual SSL VPN Appliance Option HOB SCS
The HOB Secure Communications Server (HOB SCS) broadens the comprehensive security solution HOB RD VPN and adds a stable, hardened operating system. Easy to install and administer Universally usable Even as a virtual appliance for VMware Infrastructure 3.5 or higher Software + Virtual SSL VPN Appliance HOB SCS HOB RD VPN

57 HOB RD VPN Technology: TCP Tuner
HOB RD VPN Technology: TCP Tuner Unique: Prevents the TCP meltdown effect Increased performance for the HOB PPP Tunnel Dynamic NAT now optionally configurable Enables SSTP connections over the HOB WebSecureProxy without TCP meltdown effect A patent application has been filed for this technology Patent application for this technology with the title: A communication system for transmitting data under a tunnel protocol between at least two computers via a wide area network and a method for running such a communication system

58 HOB RD VPN Technology: RDP Hook Administrated by WSP
HOB RD VPN Technology: RDP Hook Administrated by WSP Special functionality for local drive mapping (enable/disable) Virus scan can lock local drive mapping RDP Accelerator edits all RDP packages Decrypts RDP Data Decompresses data Scans data for viruses Compresses and encrypts data again RDP Hook Windows Terminal Server Virus scan

59 HOB RD VPN Technology: SSL Identifier (1)
HOB RD VPN Technology: SSL Identifier (1) Users of HOB RD VPN receive a preconfigured, personal IP address Instead of the IP address of the SSL gateway, the personal IP address in the company’s network is used When executing netstat on a server on the company network, the personal IP address is displayed → user can be identified The usage of a fixedly assigned IP address is sometimes needed for license management or 3rd party products shared user account, with different user rights

60 HOB RD VPN Technology: SSL Identifier (2) IP 223.1.1.1 HOB RD VPN
Assigned virtual IP: IP HOBLink JWT HOB RD VPN HOB RD VPN IP: Assigned virtual IP: IP Desktop PC

61 HOB RD VPN Technology: VNC-Bridge (1)
HOB RD VPN Technology: VNC-Bridge (1) Employ the VNC-Bridge for flexible, clientless access to VNC targets: No matter which client you want to use for your access (Mac, Windows, Linux), you can securely reach your systems over encrypted connections Totally flexible and easy access via a Java-capable browsers – saves time and increases productivity

62 HOB RD VPN Technology: VNC-Bridge (2)
VNC-Bridge is a component of HOB RD VPN: VNC-Bridge translates the internally used VNC-protocol into RDP For access to VNC server-targets, the same client as the one for RDP-access is used Due to the application of the RDP protocol via the Internet, the downsides of slow VNC-connections via the Internet are eliminated Connection to Macs, Intel Active Management Technology (AMT) or any desired systems via VNC-Server e.g. production machines Computers with Windows, Linux, Mac OS, etc.

63 HOB RD VPN Technology: Cluster (1)
Specific Demands on HOB RD VPN Clustering: Interconnecting multiple HOB RD VPNs to a single cluster Goal of clustering: Increased performance and higher availability Evenly distributed loads through load balancing Cluster nodes can be added or deleted at any time

64 HOB RD VPN Technology: Cluster (2) - Differences
No additional other middleware, hardware or load balancer needed Cluster nodes can stand in different data centers or sub networks Better utilization of hardware than with active/passive or hot/cold-standby cluster No single point of failure, as is possible in master/slave architectures No failures, as is possible when switching in an active/passive cluster (for example, if an off-beat cluster node becomes active again)

65 HOB RD VPN Technology: Cluster (3) - Schema Load Balancing
HOB RD VPN Technology: Cluster (3) - Schema Load Balancing Synchronization of internal data If a client logs in at a WebSecureProxy, it is automatically logged into all WSPs WSP Cluster

66 HOB RD VPN Technology: Cluster (4) - Features
Clustering with HOB offers: High availability and load balancing Works without additional hardware All cluster-nodes (cluster members) have equal rights Always active/active Synchronization of cluster nodes Cluster nodes can be added while system is running Cluster function is implemented in HOB RD VPN by default

67 HOB RD VPN Technology: Cluster (5) - Functionality
Clustering with HOB works as described below: Every HOB RD VPN cluster node has two IP addresses One IP address of every cluster node is needed for the DNS entry, under which the whole cluster is accessible Selection of cluster nodes takes place with help of the DNS entry Connection to a cluster node is determined via the first IP address of the DNS entry The connection is then redirected to the second IP address Advantage: When the server is fully occupied, no additional connection is accepted from the first IP address Users can carry on working via the connection of the second IP address

68 HOB RD VPN Technology: Cluster (6)
The cluster nodes constantly synchronize the parameterized server loads and the connection details. If one server is fully occupied, no more connections are accepted and this is reported to the other cluster nodes. Maintenance and removal of a cluster node is possible even while the system is running. For the flexible set-up of geo-clusters, synchronization across firewalls is possible. If a cluster node is fully occupied, another HOB RD VPN in the cluster accepts the connection.

69 HOB RD VPN Technology: Cluster (7) - Functionality
[Diagram labels: Client enters URL; Cluster-Node 1: rdvpn1.example.com, HOB WebSecureProxy; Cluster-Node 2: rdvpn2.example.com, HOB WebSecureProxy; Node 1: rdvpn.example.com; Node 2: ; HOBLink JWT]
How HOB RD VPN Cluster works
In HOB RD VPN, every cluster member needs at least 2 configured IP addresses. The first IP address is for the initial connect of the client. It shares the same official DNS name with the other cluster nodes. After the initial connect, the client is redirected to the second IP address of the cluster node, where the work is done.
Example scenario:
Cluster Node | Common DNS Name | IP 1 | Own DNS Name | IP 2
Node 1 | rdvpn.example.com | | rdvpn1.example.com |
Node 2 | rdvpn.example.com | | rdvpn2.example.com |
One of the two IP addresses above, or a third one, is used to synchronize the state of the HOB RD VPN cluster nodes with each other.
The client connects to rdvpn.example.com and gets from the DNS server the three configured IP addresses ( , ). The order is calculated by the DNS server and is generally based on round robin (so the next query will get , ,). The client now tries to connect to the first IP address in the response. If this system is unavailable, the client tries the second one, and so on until it gets a response or has tried all configured IP addresses (in this case the connection will fail). After a successful connect to one of the IP addresses, the HOB RD VPN cluster node redirects the client to its second IP address ( in the case of Node 1). The client now uses this IP address for all following requests. This functionality implements high availability and load balancing for the first connect.
The following problems can now occur:
Since round robin knows neither which workload the client generates nor how long the client stays connected to HOB RD VPN, one of the cluster nodes may have a low workload while others have a high workload. Since the nodes synchronize their state, the high-workload node stops listening on its initial IP address, which means that new clients can no longer connect to this node; they connect to other nodes with a low workload.
The same difference in workload can occur if a node is new in the cluster (new node, reboot, ...). The same mechanism applies, meaning that the other nodes may stop listening on their initial IP address if they have a high workload.
A cluster node stops working while some clients are connected. In this scenario the client no longer gets responses from the cluster node. The client should now try to connect to another cluster node without any intervention by the user (failover).
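The connect, redirect and failover behaviour described on this slide, as an added Python simulation (not HOB code): the `Node` and `Cluster` names, the session capacities and the RFC 5737 documentation addresses are assumptions made for illustration. It also shows the sizing consequence of failover: when one node stops, the remaining nodes need enough free sessions to take over its clients.

```python
from collections import deque

class Node:
    """One cluster node: entry IP behind the shared DNS name, own work IP."""
    def __init__(self, name, entry_ip, work_ip, capacity):
        self.name, self.entry_ip, self.work_ip = name, entry_ip, work_ip
        self.capacity, self.sessions, self.alive = capacity, 0, True  # capacity is assumed

    def listening(self):
        # A fully occupied node stops accepting on its entry IP;
        # sessions already redirected to the work IP are not affected.
        return self.alive and self.sessions < self.capacity

class Cluster:
    def __init__(self, nodes):
        self.by_entry = {n.entry_ip: n for n in nodes}
        self.rr = deque(n.entry_ip for n in nodes)  # current DNS answer order

    def resolve(self):
        """Round-robin DNS: return all entry IPs, then rotate for the next query."""
        answer = list(self.rr)
        self.rr.rotate(-1)
        return answer

    def connect(self):
        """Client side: try entry IPs in answer order, then follow the redirect."""
        for ip in self.resolve():
            node = self.by_entry[ip]
            if node.listening():
                node.sessions += 1
                return node.work_ip   # used for all following requests
        return None                   # every entry IP refused: the connect fails

    def fail(self, name):
        """A node stops working; its clients reconnect via the shared name."""
        node = next(n for n in self.by_entry.values() if n.name == name)
        orphans, node.sessions, node.alive = node.sessions, 0, False
        return [self.connect() for _ in range(orphans)]

def demo():
    # Constructed sample cluster: two nodes with different session limits.
    c = Cluster([Node("node1", "192.0.2.1", "198.51.100.1", capacity=2),
                 Node("node2", "192.0.2.2", "198.51.100.2", capacity=4)])
    placed = [c.connect() for _ in range(5)]  # fifth client finds node1 full
    moved = c.fail("node1")                   # two orphaned clients fail over
    overflow = c.connect()                    # a new client after the failure
    return placed, moved, overflow

if __name__ == "__main__":
    print(demo())
```

In the sample run, only one of the two orphaned clients finds a free session on the surviving node, which is why the free capacity across the cluster has to cover the loss of the largest node.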

70 HOB RD VPN Technology: Cluster (8) - Benefits
Higher productivity and great availability due to the equality of cluster nodes when the system is running. Easy to do and highly time-saving due to simple configuration and setup of the cluster with HOB RD VPN. Optimized maintenance intervals guaranteed due to easy adding of new cluster nodes. Increased productivity and security due to performant synchronization between the cluster nodes.

71 HOB RD VPN Technology: Cluster (9) - Summary
With the HOB RD VPN cluster concept you obtain a highly available solution that guarantees great reliability and increased productivity. With HOB RD VPN clustering you are on the safe side when demands increase. With HOB RD VPN clustering you do not need any additional licenses.

72 HOB RD VPN Technology: Multi-Tenancy (1) Multi-Tenancy
Multi-Tenancy: You can employ different groups of users, domain members or various customers in a single HOB RD VPN installation at the same time. Configure individual roles and rights for your clients. Data and applications of one user cannot be seen by another user.

73 HOB RD VPN Technology: Multi-Tenancy (2)
Where should the user be logged on? [Diagram labels: Branch A, Branch B, Branch C, HOB WebSecureProxy]

74 HOB RD VPN Technology: Multi-Tenancy (3)
Domain, Groups, Users, Roles, Rights, Targets

75 HOB RD VPN Technology: Multi-Tenancy (4) - Types Kerberos RADIUS LDAP
Types. Kerberos: for example, Microsoft Domain Controller. RADIUS: often used for one-time password solutions. LDAP: for example, Microsoft Active Directory. Standard LDAP is the directory integrated in HOB RD VPN.

76 HOB RD VPN Technology: Roles and Rights
A role is a configuration package of “conditions” and “privileges”. Roles are assigned to users, groups or LDAP tree elements. Condition roles: multi-tenancy, compliance check, anti split tunneling, virus scan, workstation check.

77 HOB RD VPN Technology: Roles - Compliance Check
The compliance check denies access if the virus scanner on the client side is not up to date. Over 50 supported virus scanners. Verification: current version of virus signature, date of last scan.

78 HOB RD VPN Technology: Roles – Privileges
Setting of assigned portlets and functionalities: Remote Desktop, WebFileAccess. Configuration of various server lists: connection targets, server farms, parts of network. Assignment of target filters: allowed or denied services, IP address. More settings: configuration of session timing limits, browser caching etc. Specification of GUI: background color, title banner etc.

79 HOB RD VPN Technology: End-to-End Flow Control
End-to-end flow control optimizes your network connection between client, HOB RD VPN and the internal network. Significant increase in performance by controlling and adapting the IP packets to the speed of your connection. Enables you to work effectively, even if the Internet connection is slow. The HOB RD VPN installation is stable and therefore more productive. End-to-end flow control is a fundamental component of HOB RD VPN. [Diagram labels: Internet, LAN, TCP/IP, TCP/IP]

80 HOB RD VPN Technology: Security User log-in to HOB RD VPN
User log-in to HOB RD VPN. Support of various authentication methods. Compliance check → assignment of roles. Individual configuration of security settings enables an adaptation to your company’s guidelines. Support of secure single sign-on (SSO) with Kerberos.

81 HOB RD VPN Technology: Authentication LDAP RADIUS Kerberos
LDAP, RADIUS, Kerberos. HOB RD VPN supports different domains and connection to different KDCs. Single sign-on options for specific functions. KDC: Key Distribution Center.

82 HOB RD VPN Technology: Kerberos Single Sign-on
Example: Kerberos single sign-on to Outlook Web Access. [Diagram labels: Authentication; Kerberos Key Distribution Center; Authentication granted with ticket; Give me ticket for exchange; Exchange Outlook Web Access; Authentication with service ticket]

83 HOB RD VPN Editions – Names Following editions are available:
The following editions are available: HOB RD VPN blue edition, HOB RD VPN red edition, HOB RD VPN green edition, HOB RD VPN NetAccess, HOB RD VPN Express*. * in preparation

84 HOB RD VPN Contents of Editions – NetAccess Complete network access
Complete network access. Contains only the PPP Tunnel functionality. Main benefit: clientless, no installations needed on the client side, communicates via SSL (port 443). No drivers needed on the client side. Cost-effective. Easier to install, maintain and use than IPsec VPNs. Multi-tenant-capable, roles and rights, compliance check. Target filter.
Formerly SSL Edition; cluster from 100 licenses. HOB RD VPN NetAccess is the lightweight and agile edition and is based on the regular HOB RD VPN components. Smallest version in the series: HOB RD VPN NetAccess, HOB RD VPN green edition, HOB RD VPN red edition, HOB RD VPN blue edition.
Another product variant is HOB RD VPN NetAccess. Normally, SSL VPN solutions are considerably more expensive to purchase than IPsec VPNs. SSL VPNs more than compensate for this disadvantage through savings in operation. HOB RD VPN NetAccess, by contrast, is available at a price similar to that of IPsec VPNs. Companies that use HOB RD VPN NetAccess therefore have a great advantage thanks to the lower total cost of the solution. HOB RD VPN NetAccess offers the full functional scope of IPsec VPNs, but contains no drivers and is considerably easier to install, maintain and use.

85 HOB RD VPN Contents of Editions – green edition
Slim solution for customers who need classic SSL VPN functionalities. Contains Web Server Gate, WebFileAccess, WSP Universal Client and support for ICA, PPP Tunnel. Does not contain HOB’s proprietary connectivity solutions HOBLink JWT and HOBLink J-Term. Formerly SSL Edition; cluster from 100 licenses.

86 HOB RD VPN Contents of Editions – red edition
Universal solution that allows customers full remote access support. Combines all functions and benefits of HOB RD VPN NetAccess and HOB RD VPN green edition. Additionally contains the HOB connectivity clients HOBLink JWT, WebTerm and HOBLink J-Term. Formerly “Standard”; cluster from 100 licenses.

87 HOB RD VPN Contents of Editions – blue edition
HOB RD VPN blue edition offers all functionalities of HOB RD VPN, including: HOBPhone, cluster support, virus scan for local drive mapping of HOBLink JWT, SSL identifier. Formerly Enterprise Edition.

88 HOB RD VPN Contents of Editions – Comparison (1)
HOB RD VPN Portlets NetAccess green edition red blue HOBLink JWT/J-Term HOBLink WebTerm Web Server Gate HOB Web File Access HOB PPP Tunnel HOB Phone HOB Universal Client User Settings Administration [1] Needs additional license

89 HOB RD VPN Contents of Editions – Comparison (2)
HOB Access Clients NetAccess green edition red blue HOBLink JWT Desktop on Demand HOBLink WebTerm HOBLink J-Term - Telnet 3270 •² - Telnet 5250 - Telnet VT - SSH - FTP/SFTP - HP 700 - Siemens 9750 - Siemens 97801 HOBLink DASH ² Needs additional licence

90 HOB RD VPN Contents of Editions – Comparison (3) Other Access Clients
NetAccess green edition red blue VNC Bridge Citrix Receiver support User Administration NetAccess green edition red blue Multi Tenant LDAP HOB LDAP Scheme Extension Kerberos Radius Integrated User Configuration

91 HOB RD VPN Contents of Editions – Comparison (4)
Integrated Features NetAccess green edition red blue Virus Scanning² Cluster Support •⁴ Socks SSL Identifier ³ Compliance Check TCP Tuner Other Client Software NetAccess green edition red blue Anti Split Tunnel Other Server Software NetAccess green edition red blue HOBlink Security Manager HOB Remote Desktop Services Load Balancing HOB Wake On LAN Relay HOB VDI Agent (VDI-WSP) HOB Virtual WOL Agent ² Local drive mapping with HOBLink JWT & HOBLink DASH ³ Private IP address Note: PPP Tunnel Private IP Address is always included ⁴ Included for more than 100 users

92 HOB RD VPN Questions? More information at

93 Contact Information HOB GmbH & Co. KG Schwadermuehlstraße 3 90556 Cadolzburg GERMANY

94 Legal Notice HOB GmbH & Co. KG Schwadermuehlstr. 3
90556 Cadolzburg Represented by: Klaus Brandstätter, Zoran Adamovic Contact: Phone: Fax: Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180 Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, Cadolzburg References for all images and graphics used: All pictures and images included in this publication to which HOB does not hold the copyright must be credited to the current copyright holders. See section Picture Sources Disclaimer: Liability for content The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately. Liability for links This publication may contain links to external websites over which we have no control. Therefore we can not accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. 
At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately. Copyright The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for private, non-commercial use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

