Thursday, October 25, 2007

SSGD, external/peer dns names and IP-addresses

When looking at the documentation and the configuration of Sun Secure Global Desktop it can be confusing to see several references to DNS names and sometimes IP-addresses. I hope this post will bring some light on which is which and help to understand when to use which name or IP-address.

The following picture shows the naming of the different Network Interfaces. The "External" refers to the connection between the client and the SGD server and the "Peer" to the connection between the SGD server and the other SGD server within the SGD Array.


First the DNS names. There are two important DNS-entries, the Peer DNS Name and the External DNS Name. These can be the same in a simple installation, but mostly they will be different.

  • Peer DNS Name
    "A Peer DNS Name is the DNS name that the Secure Global Desktop servers in the array use to identify themselves and each other."

    This is the main DNS entry of the SGD server and is specified during installation. This DNS entry is also used for the communication with the other SSGD servers in an SSGD Array (both forward and reverse DNS entries should be available on all SSGD servers in the SSGD Array). The Peer DNS name cannot be changed after installation.

  • External DNS Name
    "An external DNS name is the DNS name that the client devices use."

    The External DNS name is used by the client, therefore the client must be able to resolve the external DNS name. This is also the name on the SSL certificate (when using secure connections). The External DNS name is not used on the SSGD server or within the SSGD Array.

    The external DNS name can be changed via the Array Manager or via the command:
    /opt/tarantella/bin/tarantella config edit \
    --server-dns-external "*:<external dns name>"


Besides the Peer DNS name and External DNS name there are also the Peer Bind IP-Address and the External Bind-IP-Address. After installing Sun Secure Global Desktop, the Peer Bind IP-Address and the External Bind-IP-Address are set to all available IP-addresses ("*") of the system. For complex installations it is advisable to change this to the IP-addresses of the different Network Interfaces.

  • Peer Bind IP-Address
    This IP-address is the IP-address of the Secure Global Desktop server. When the Peer DNS Name is resolved it should resolve to this IP-address, and vice versa. It is possible to bind the SSGD software to multiple IP-addresses; one of these addresses should resolve to the Peer DNS Name. Use the following command to change the Peer Bind IP-Address:
    /opt/tarantella/bin/tarantella config edit \
    --tarantella-config-server-bindaddresses-peer \
    <Peer Bind-IP-Address>
  • External Bind-IP-Address
    The SGD software will listen on this IP-address (or addresses) for the client connections. This IP-address can be different from the IP-address the external DNS name resolves to, since there might be a Load Balancer or SSL-offloader between the client and the SGD server. To change the External Bind-IP-Address use the following command:
    /opt/tarantella/bin/tarantella config edit \
    --tarantella-config-server-bindaddresses-external \
    <External Bind-IP-Address>
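As an added check, not part of the original post or of SGD itself: a small Python script that tests the rules above, the Peer DNS Name must resolve to one of the bound Peer Bind IP-Addresses and that address must resolve back to the name, while the External DNS Name only has to resolve for the client. The host names and IP-addresses are constructed, the expansion of "*" and "!address" is an assumption inferred from this post, and the resolvers are swappable so the check runs offline against the tables or against real DNS via the socket functions.

```python
import socket

# Constructed DNS tables standing in for a real resolver (hypothetical names/IPs).
FORWARD = {"sgd1.corp.example": "10.0.0.11", "sgd.example.com": "203.0.113.10"}
REVERSE = {"10.0.0.11": "sgd1.corp.example"}

def table_resolver(table):
    """Resolver backed by a dict; returns None when there is no entry."""
    return lambda key: table.get(key)

def system_forward(name):
    """Forward lookup through the OS resolver, for use on a real SGD host."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def system_reverse(ip):
    """Reverse lookup through the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def bound_addresses(spec, host_addrs):
    """Expand a bind-address setting. Assumed semantics (inferred from the post):
    '*' = all host addresses, '!a.b.c.d' = all except that one, else one literal."""
    if spec == "*":
        return list(host_addrs)
    if spec.startswith("!"):
        return [a for a in host_addrs if a != spec[1:]]
    return [spec]

def check_peer(peer_name, bind_spec, host_addrs, fwd, rev):
    """Findings for the Peer DNS Name / Peer Bind IP-Address pairing: the name
    must resolve to a bound address and that address must resolve back to it."""
    ip = fwd(peer_name)
    if ip is None:
        return [f"peer name {peer_name} does not resolve"]
    findings = []
    if ip not in bound_addresses(bind_spec, host_addrs):
        findings.append(f"{peer_name} -> {ip} is not a bound peer address")
    back = rev(ip)
    if back != peer_name:
        findings.append(f"reverse of {ip} is {back!r}, expected {peer_name}")
    return findings

def check_external(external_name, fwd):
    """External name need only resolve for clients; it may be a load balancer."""
    return [] if fwd(external_name) else [f"external name {external_name} does not resolve"]
```

On a real server, pass `system_forward` and `system_reverse` instead of the table resolvers and the host's interface addresses as `host_addrs`.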


When using the SGD Server in Firewall Forwarding Mode a good practice is to change the External Bind-IP-Addresses with the following command:
/opt/tarantella/bin/tarantella config edit \
--tarantella-config-server-bindaddresses-external \
"!127.0.0.1"

The SGD Web Server tries to bind to port 443 (the array-port-encrypted) on localhost as well. Excluding 127.0.0.1:443 for the SGD server removes the dependency that the web server must be started before the SGD server.

I hope this sheds some light on the different DNS names and IP-Addresses; if not, let me know :)

3 comments:

Mari said...

Hi, I cannot connect the clients, I configured the same ip for peer and external, what could it be, the error is that the address is not found in the browser with /sgd, and without /sgd I receive the welcome page for Apache.
Can you help me?
Thanks!
Marisabel.

Remold Krol said...

Without trying to make the configuration too complex, this post does not contain the configuration of the web-server.

The combination of Apache and Tomcat provide the web-pages, which include the webtop.

Mari: your problem can be resolved by correcting the httpd.conf in the directory /opt/tarantella/webserver/apache/<version>/conf
Please take a look at the Listen-directive at:
http://httpd.apache.org/docs/2.0/mod/mpm_common.html#listen

Mari said...

Hi!
But what should you add to the http.conf configuration?
Thanks!