Opencloud DaaS - External Access
Enterprise Desktop Clients
To give Enterprise Desktop Client (EDC) users access to the DaaS farm from the internet, forward TCP port 443 (HTTPS) from your internet-facing firewall to the Enterprise Security Gateway (ESG). No other port needs to be exposed.
Important
You may also forward port 80 (HTTP), but this is not advisable from a security standpoint: plain HTTP is not encrypted, so credentials and session traffic would cross the internet in clear text.
Web Access
In US Signal-provisioned deployments, the Session Manager also has the web access server role installed. To reach it through the same port forward, configure the web_client parameter on the ESG as described under OVD Web Access Configuration below.
Enterprise Security Gateway
The following flows must be allowed on the internal network for connectivity through the Enterprise Security Gateway to work. All of them are between the ESG and the farm; none of them needs to be exposed to the internet (only TCP 443 to the ESG, as above):
| Source | Destination | Dest. Port | Type |
|---|---|---|---|
| ESG | Application Servers | 3389 | TCP/RDP |
| ESG | Session Manager | 443 | TCP/HTTPS |
| Session Manager | ESG | 1112 | TCP/HTTP |
| ESG | Session Manager | 1111 | TCP/HTTP |
| ESG | File Server | 1113 | TCP/HTTP |
TLS/SSL Server Certificate
The ESG requires an X.509 certificate for secure communication.
A self-signed certificate is generated during installation, but it is only intended for evaluation. Self-signed certificates are not for production use.
Without a certificate from a trusted issuer, all users receive a certificate warning in their browser or client, which prevents them from using the service.
Warning
Before switching your OVD service to production or even deploying to a significant number of users, you **must** replace the self-signed certificate with a signed certificate obtained from a **Certificate issuer**.
Identify the service access point
The certificate issuer will ask for a Common Name (CN). Get this right: a certificate issued for the wrong name is unusable.
For an OVD environment the CN of the certificate is the ESG service access point, that is, its fully qualified domain name (FQDN). For example, if your ESG service is available at ovd.example.com and you expect all your users to use this name to access OVD, this is the FQDN you must provide as the certificate CN.
Warning
In digital certificates **a CN cannot be an IP address - it must be a DNS name**. Additional access points, whether further DNS names or IP addresses, are configured through the **Subject Alternative Name (SAN)** extension. Note that current browsers (Chrome since version 58, for example) ignore the CN entirely and match the hostname against the SAN only, so the FQDN you give as CN must also appear as a DNS entry in the SAN; most public issuers add it automatically, but check the issued certificate.
For multiple service access points or more complex configurations, please contact your certificate issuer.
Install the issued certificate
Once your certificate issuer has processed your request, you receive the server certificate together with the intermediate CA certificates of your provider. The private key is not something the issuer gives you: it is the key you generated locally when creating the certificate signing request (CSR), and it must never leave your systems. Download all the X.509 certificates in PEM representation.
Once you have all the files, they must be concatenated into a single PEM file in a specific order. Use a text editor (or cat) to create a file named ovd-esg-issued.pem containing the content of each file in this exact order:
- Private key
- Server certificate
- Intermediate CA certificate +1 (the one that signed the server certificate)
- Intermediate CA certificate +x (each further intermediate, up the chain)
The root CA certificate does not belong in the bundle; clients already trust it.
Once this is done you may install the certificate on the ESG:
- Copy the ovd-esg-issued.pem file to the ESG host. Because the file contains the private key, make sure it is readable only by the account the service runs as (for example chmod 600).
- Create a copy of the self-signed PEM file as a backup:
  cp /etc/ovd/slaveserver/gateway.pem /etc/ovd/slaveserver/gateway.pem.orig
- Copy the file containing the new certificate over the gateway certificate file:
  cp ovd-esg-issued.pem /etc/ovd/slaveserver/gateway.pem
- Reload the ESG service to activate the new TLS certificate:
  systemctl reload ovd-slaveserver
Use a web browser to open your ESG service access point over HTTPS (in our example: https://ovd.example.com/) and verify that the connection is reported as secure and that the certificate presented is the one you received from your issuer: check the issuer name and the fingerprint, not only the padlock.
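The procedure above as a script, added here as an example rather than code from the OVD documentation or product: it generates the key and CSR, assembles ovd-esg-issued.pem in the documented order, checks the bundle offline, and, after the reload, compares the certificate served on port 443 with the bundle. The FQDN ovd.example.com is the page's placeholder; the functions that call openssl assume OpenSSL 1.1.1 or later (for -addext and -ext), and the placeholder PEM blocks used by the demo are constructed, not real key material.

```shell
#!/bin/sh
# Added example, not part of the OVD documentation or product: build and check
# the gateway.pem bundle. ovd.example.com is the page's placeholder FQDN; the
# openssl-based steps assume OpenSSL 1.1.1+ (for -addext and -ext).

# Print one token per PEM block in file order: KEY, ENCKEY, CERT or OTHER.
pem_block_order() {
    awk '/^-----BEGIN /{
            if ($0 ~ /ENCRYPTED PRIVATE KEY-----$/) print "ENCKEY"
            else if ($0 ~ /PRIVATE KEY-----$/) print "KEY"
            else if ($0 ~ /^-----BEGIN CERTIFICATE-----$/) print "CERT"
            else print "OTHER"
        }
        /^Proc-Type: 4,ENCRYPTED/ { print "ENCKEY" }' "$1"
}

# Succeed only if the bundle is: one private key, the server certificate,
# then zero or more intermediates. A passphrase-protected key is rejected:
# a service restarted by systemd has nobody to type the passphrase.
check_gateway_pem() {
    order=$(pem_block_order "$1" | tr '\n' ' ')
    printf '%s\n' "$order" | grep -Eq '^KEY( CERT)+ $' && return 0
    case $order in *ENCKEY*) echo "$1: private key is passphrase-protected" >&2 ;; esac
    echo "bad block order in $1: ${order:-no PEM blocks found}" >&2
    return 1
}

# Before contacting the issuer: key plus CSR with the FQDN as CN and as a
# DNS SAN (browsers match the SAN). Send only the .csr; the .key stays here.
make_csr() {
    fqdn=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$fqdn.key" -out "$fqdn.csr" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
}

# Concatenate key, server cert, intermediates (in that order) into a file
# readable only by its owner, since it contains the private key.
assemble_bundle() {
    out=$1; shift
    (umask 077; cat "$@" > "$out") && chmod 600 "$out"
}

# Offline checks: block order, key/cert match, DNS SAN present, and the chain
# verifiable against the system trust store using the bundled intermediates.
verify_bundle() {
    bundle=$1; fqdn=$2
    check_gateway_pem "$bundle" || return 1
    keypub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    [ "$keypub" = "$certpub" ] || { echo "certificate does not match key" >&2; return 1; }
    openssl x509 -in "$bundle" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$fqdn" \
        || echo "warning: $fqdn is not a DNS SAN; browsers will reject this certificate" >&2
    leaf=$(mktemp)
    openssl x509 -in "$bundle" -out "$leaf"          # first certificate = server cert
    openssl verify -untrusted "$bundle" "$leaf"; rc=$?
    rm -f "$leaf"
    return $rc
}

# After the reload: the listener on 443 must present the bundled certificate
# (compared by SHA-256 fingerprint, not by looking at the padlock).
check_live_endpoint() {
    fqdn=$1; bundle=$2
    want=$(openssl x509 -in "$bundle" -noout -fingerprint -sha256)
    got=$(openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed placeholder bundles (no real key material) so the order check
# can run offline. MODE is "good" (key, cert, CA) or "bad" (certs first).
write_constructed_bundle() {
    out=$1; mode=$2
    key='-----BEGIN PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----'
    cert='-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-CERT
-----END CERTIFICATE-----'
    ca='-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CA
-----END CERTIFICATE-----'
    case $mode in
        good) printf '%s\n%s\n%s\n' "$key" "$cert" "$ca" > "$out" ;;
        bad)  printf '%s\n%s\n%s\n' "$cert" "$ca" "$key" > "$out" ;;
    esac
}

if [ "${1:-}" = "demo" ]; then            # sh bundle.sh demo
    d=$(mktemp -d)
    write_constructed_bundle "$d/good.pem" good
    write_constructed_bundle "$d/bad.pem" bad
    check_gateway_pem "$d/good.pem" && echo "good.pem: block order OK"
    check_gateway_pem "$d/bad.pem" || echo "bad.pem: rejected, as expected"
    rm -rf "$d"
fi
```

Run `sh bundle.sh demo` for the offline block-order check. On the real host, call make_csr before contacting the issuer, then assemble_bundle and verify_bundle on the returned files before copying the result over /etc/ovd/slaveserver/gateway.pem, and check_live_endpoint after the reload. The order check deliberately refuses a passphrase-protected key, since the service is restarted unattended.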
OVD Web Access Configuration
The ESG is not configured to allow communication to the OVD Web Access (OWA) by default. Enabling it lets you provide a single secure (TLS) connection point for all clients (EDC, EMC, OWA).
Note
The OWA itself may be configured to provide access to users outside the LAN through a third-party network component such as a reverse proxy and/or a firewall (NAT redirection). In that case the ESG is not mandatory for WAN access, but this holds only for the OWA: an ESG **is required** for WAN access from EDC / EMC.
To enable OWA access in the ESG:
- Edit the configuration file /etc/ovd/slaveserver/slaveserver.conf and locate the line:
  # web_client = http[s]://ip[:port]/
- Uncomment the variable and set the value to the URL of your OWA as it is resolvable by your ESG. For example:
  web_client = http://webaccess.test.demo/
  This is the URL the ESG itself uses to reach the OWA on the internal network; clients on the internet only ever talk TLS to the ESG.
- Save the file and restart the slaveserver service:
  systemctl restart ovd-slaveserver
Advanced Configuration Settings
The ESG configuration is stored in the file /etc/ovd/slaveserver/slaveserver.conf. Adjust it by editing the Gateway section of the file, whose settings are:
- address: 0.0.0.0 (default). The IP address of the network interface on which the ESG binds. By default the ESG binds on all network interfaces.
- port: 443 (default). The TCP port to listen on.
- max_process: 10 (default). The maximum number of processes to run on the ESG server.
- max_connection: 100 (default). The maximum number of connections that can be opened on the ESG server.
- process_timeout: 60 (default). The timeout in seconds per process.
- connection_timeout: 10 (default). The timeout in seconds per connection.
- admin_redirection: true or false (default). Allows access to the OVD Administration Console through the ESG. Deprecated since OVD 2.9; replaced by admin_host.
- admin_host: hostname, IP address or URL. Allows access to the OVD Administration Console through the ESG. It replaces the admin_redirection parameter. Exposing the Administration Console on the internet-facing gateway widens the attack surface; leave this unset unless you need it, and restrict who can reach it at the firewall.
- web_client: hostname, IP address or URL. Allows access to the OVD Web Access through the ESG.
- root_redirection: The root path for the Gateway. For example, the value /ovd automatically redirects a request for https://gw.demo to https://gw.demo/ovd.
- http_keep_alive: true (default) or false. Enables or disables HTTP keep-alive.
- certificate_path: gateway.pem (default). Location of the TLS/SSL server certificate file used by the ESG.
Important
Don't forget to restart the slaveserver service after any configuration change.
sudo systemctl restart ovd-slaveserver
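For both the OWA procedure (uncomment the web_client template line and set it) and the Gateway settings listed above, the following script is an added example, not code from the OVD documentation or product: it changes one key in the [Gateway] section idempotently, uncommenting a "# key = ..." template line when present, appending the key when absent, and leaving a same-named key in another section alone. It assumes the section header is literally [Gateway]; the sample configuration it writes is constructed for the demonstration and is not a real slaveserver.conf.

```shell
#!/bin/sh
# Added example, not part of the OVD documentation or product: set a key in
# the [Gateway] section of slaveserver.conf the way the manual steps do.
# Assumption: the section header is literally "[Gateway]".

# set_gateway_option FILE KEY VALUE
set_gateway_option() {
    conf=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        function emit() { print key " = " value; done = 1 }
        /^\[/ { if (in_gw && !done) emit()        # leaving [Gateway] without a hit: append
                sec = $0; sub(/[ \t\r]+$/, "", sec); in_gw = (sec == "[Gateway]") }
        in_gw && !done {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)   # strip a "# " template marker
            if (line ~ ("^" key "[ \t]*=")) { emit(); next }
        }
        { print }
        END { if (in_gw && !done) emit() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat, not mv: keep owner and mode
    rm -f "$tmp"
}

# get_gateway_option FILE KEY -> prints the effective (uncommented) value
get_gateway_option() {
    awk -v key="$2" '
        /^\[/ { sec = $0; sub(/[ \t\r]+$/, "", sec); in_gw = (sec == "[Gateway]") }
        in_gw && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# web_client and admin_host must be URLs the ESG can reach: http[s]://host[:port]/
is_http_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/.*)?$'
}

# Constructed sample configuration: two sections, so a same-named key outside
# [Gateway] can be shown to be left alone. Not a real slaveserver.conf.
write_constructed_conf() {
    cat > "$1" <<'EOF'
[main]
server = sm.example.internal
port = 1111

[Gateway]
address = 0.0.0.0
port = 443
# web_client = http[s]://ip[:port]/
http_keep_alive = true
EOF
}

# enable_owa FILE URL: validate, then set web_client. On the real ESG, follow
# with: systemctl restart ovd-slaveserver
enable_owa() {
    conf=$1; url=$2
    is_http_url "$url" || { echo "web_client must be http[s]://host[:port]/, got: $url" >&2; return 1; }
    set_gateway_option "$conf" web_client "$url"
}

if [ "${1:-}" = "demo" ]; then            # sh gateway-conf.sh demo
    d=$(mktemp -d)
    write_constructed_conf "$d/slaveserver.conf"
    enable_owa "$d/slaveserver.conf" http://webaccess.test.demo/
    set_gateway_option "$d/slaveserver.conf" root_redirection /ovd
    cat "$d/slaveserver.conf"
    rm -rf "$d"
fi
```

Run `sh gateway-conf.sh demo` to see the template line replaced and root_redirection appended inside [Gateway] while the port in [main] is untouched. On a real host, point the functions at /etc/ovd/slaveserver/slaveserver.conf and restart the service afterwards, as the note above says.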