Secure access to the ESRF network - SSL Gateway - User's Manual
The SSL gateway provides secure access to the ESRF network from home or from anywhere over an Internet connection.
Technical terms and abbreviations are explained in the Glossary.
Contents:
- Categories of users and client computers
- Email proxy
- Access modes explained
- Supported client platforms
- Troubleshooting
- Glossary
Categories of users and client computers
Need = either VPN (the user needs to make his or her computer an internal host on the network, for whatever reason) or Intranet (access to the Intranet, Pleiades, etc.). For Intranet access, the user may additionally ask for the site password to be protected (users worried about keyloggers) or not.
New: the VPN mode is now split into VPN (requires a hardware token for the one-time password feature) and NC (relies on the LDAP password, a.k.a. the site password).
| Need | Client computer | Access mode | Requirements |
| Intranet (unprotected passwords) | Any | Basic | LDAP password |
| VPN (protected passwords) | ESRF-compliant Windows PC | VPN | Token + Secret + LDAP group |
| VPN (protected passwords) | Mac or Linux | VPN | Token + Secret + LDAP group |
| VPN (unprotected passwords) | ESRF-compliant Windows PC | NC | LDAP password + Secret + LDAP group |
| VPN (unprotected passwords) | Mac or Linux | NC | LDAP password + Secret + LDAP group |
| Intranet (protected passwords) | Any | Virtual Desktop | LDAP password |
Requirements: LDAP password = the site password; Token = a hardware token (one-time password generator); Secret = a secret file stored on the client's hard disk; LDAP group = the user must belong to a given group in the LDAP directory.
Note that VPN mode from a non-ESRF-compliant Windows PC, i.e. a potentially compromised one, makes no sense: the Virtual Desktop access mode should always be used instead.
Email proxy
In addition to the access modes described below, the SSL gateway also acts as an email proxy (POPS, IMAPS and SMTPS). Configure your email client program (e.g. Thunderbird, Outlook) to use ssl.esrf.fr as the IMAP/POP server (in SSL mode) and ssl.esrf.fr as the SMTP server (also in SSL mode). When using the proxy, you will be prompted for your password once for reading email (IMAP/POP) and once for sending email (SMTP). Since the site password travels over this connection, make sure your client verifies the proxy's certificate rather than accepting any certificate.
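The following script is an added example, not part of the ESRF manual or of the gateway software. It shows how a mail client (here a small Python one built on the standard library) should talk to the email proxy: implicit TLS with certificate and hostname verification enforced, so that the site password cannot be harvested by anyone able to intercept the connection. The manual only says "SSL mode"; the port numbers 993 (IMAPS), 995 (POPS) and 465 (SMTPS) are the usual ones and are an assumption here, as are the user name and the checks performed.

```python
"""Read and send mail through the ssl.esrf.fr proxy with strict TLS checks.

Added example, not part of the ESRF manual. The proxy host comes from the
manual; the port numbers are the standard implicit-TLS ports and are an
assumption (the manual only says "SSL mode").
"""
import getpass
import imaplib
import poplib
import smtplib
import ssl

PROXY_HOST = "ssl.esrf.fr"
# Assumed implicit-TLS ports; adjust if the CS Hotline tells you otherwise.
PORTS = {"imaps": 993, "pops": 995, "smtps": 465}


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that verifies the proxy's certificate and hostname.

    A client configured to ignore certificate errors would send the site
    password to whoever answers on port 993, which defeats the purpose of
    the proxy. create_default_context() loads the system CA store and
    already verifies the peer; the settings below make that explicit.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context refuses an unverified or misnamed peer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def weak_context() -> ssl.SSLContext:
    """The setting to avoid: accepts any certificate (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def inbox_message_count(user: str, password: str) -> int:
    """Log in over IMAPS through the proxy and return the INBOX size."""
    ctx = strict_tls_context()
    with imaplib.IMAP4_SSL(PROXY_HOST, PORTS["imaps"], ssl_context=ctx) as imap:
        imap.login(user, password)
        status, data = imap.select("INBOX", readonly=True)
        if status != "OK":
            raise RuntimeError(f"INBOX select failed: {data}")
        return int(data[0])


def pop_message_count(user: str, password: str) -> int:
    """Same check over POPS, for clients that prefer POP."""
    ctx = strict_tls_context()
    pop = poplib.POP3_SSL(PROXY_HOST, PORTS["pops"], context=ctx)
    try:
        pop.user(user)
        pop.pass_(password)
        count, _size = pop.stat()
        return count
    finally:
        pop.quit()


def send_test_message(user: str, password: str, sender: str, recipient: str) -> None:
    """Send a one-line message over SMTPS; the proxy prompts separately for SMTP."""
    ctx = strict_tls_context()
    body = f"From: {sender}\r\nTo: {recipient}\r\nSubject: proxy test\r\n\r\nhello\r\n"
    with smtplib.SMTP_SSL(PROXY_HOST, PORTS["smtps"], context=ctx) as smtp:
        smtp.login(user, password)
        smtp.sendmail(sender, [recipient], body)


if __name__ == "__main__":
    # Interactive use only; nothing is contacted when the module is imported.
    login = input("ESRF login: ")
    pw = getpass.getpass("Site password (IMAP): ")
    print("INBOX messages:", inbox_message_count(login, pw))
```

If the proxy's certificate is not signed by a CA in your system store, the connection fails with an ssl.SSLCertVerificationError. That is the correct outcome: get the proper CA certificate from the CS Hotline instead of switching off verification.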
Access modes explained
Access modes are selected by appending a suffix to the URL https://ssl.esrf.fr . Each access mode gives particular privileges to the user.
The SSL gateway offers three different methods for accessing the internal resources: Basic, VPN / NC, and VD (Virtual Desktop).
- Basic Access mode (blue banner)
https://ssl.esrf.fr/esrfbasic
allows Web browsing, simple SSH access, and Windows applications.
The site password is used for authentication.
This mode should only be used from secure computers! A computer infected with malicious software (a keylogger program) could send your site password to a remote recipient. In case of doubt, prefer the Virtual Desktop mode to access the ESRF.
If you need to access the Intranet, another internal Web server, Windows file sharing or Windows remote desktop, the Basic Access mode is sufficient.
The email proxy described above lets you read and send email without even entering the Basic Access mode.
https://ssl.esrf.fr/esrfbasicprio provides the same service but with the assurance that the service will not be saturated (no "too many users" message). Of course, the user must belong to a predefined list of high-priority users.
https://ssl.esrf.fr/esrfbasicadmin provides the same service but for system administrators only.
- VPN mode (red banner)
- VPN mode with hardware token (red banner)
https://ssl.esrf.fr/esrfvpn
turns your computer into an internal host of the ESRF network.
Note that for most needs the Basic Access mode is now sufficient, even for Windows applications.
The VPN mode requires a hardware token for generating a one-time password for authentication (the token is to be requested from the CS Hotline). In addition, the SSL gateway performs various checks on your computer and lets in only ESRF-compliant Windows computers, and Mac or Linux computers with a secret file on disk.
The SSL Gateway launches a feature named Network Connect, which behaves differently depending on the client's platform:
- Windows: the client PC is transformed into an internal host, exactly as if the PC were in an ESRF office.
- Linux: only the Web browser has access to the internal resources of the ESRF network. Any other program (even a second instance of the browser) will not benefit from these connection settings.
A client computer which does not pass the checks should use the Basic Access mode instead.
Even if your computer is ESRF-compliant, it may be infected with malicious software (a keylogger program). If you prefer to avoid any risk, use the Virtual Desktop mode to access the ESRF.
- VPN mode without hardware token (red banner)
https://ssl.esrf.fr/esrfnc is the same as VPN, but with LDAP authentication (site password) instead of a hardware token.
https://ssl.esrf.fr/esrfncadmin is reserved for system administrators.
- Virtual Desktop mode (green banner)
https://ssl.esrf.fr/esrfvd
allows you to use the Basic Access mode in safe conditions: you are protected against keyloggers.
The site password is used for authentication.
With the Virtual Desktop, local files on your computer become unreachable. Note that USB storage devices cannot be used either.
Supported client platforms
- Virtual Desktop mode:
- Tested: Windows XP, Vista
- Basic mode:
- Tested: Windows XP with both Internet Explorer and Firefox
- Tested: MacOS X with both Firefox and Safari
- Not tested but should be supported: any combination, provided the Web browser has a recent version
- VPN mode:
- Tested: Windows XP with Internet Explorer and Firefox
- Tested: Windows Vista with Internet Explorer and Firefox
- Tested: MacOS X with Safari (Firefox is not supported)
Troubleshooting
- In case of failure, always close and then restart your Web browser (to clear cookies and cache).
- Always sign out of any SSL mode when leaving, and preferably close your Web browser.
- Sometimes the client Windows PC must be restarted in order to forget a previously loaded Juniper applet.
- When using the VPN mode, if Network Connect fails and a blue banner is obtained (i.e. Basic mode), this is because the user does not belong to the correct LDAP group. Please contact the CS Hotline.
Glossary
- applet: small program installed via a Web browser and executing code on your computer.
- host: a computer connected to a network, i.e. addressable on this network.
- IMAP: protocol used for reading emails on a server, while keeping the emails on the server's disk. See also: POP and SMTP.
- IMAPS: secured (encrypted) IMAP.
- Juniper: the manufacturer of this SSL Gateway.
- keylogger: program capturing what you type on your keyboard, and silently sending the data to a remote location.
- LDAP: enterprise-wide directory of users, database containing various fields such as the phone number.
- Network Connect: mode allowing the PC to become a host connected to the internal network.
- POP: protocol used for transferring emails from a server to your hard disk. See also: IMAP and SMTP.
- POPS: secured (encrypted) POP.
- proxy: device acting as if it were the target server, e.g. a Web server, and relaying all traffic to/from the target server.
- SMTP: protocol used for sending emails to a server. See also: POP and IMAP.
- SMTPS: secured (encrypted) SMTP.
- SSH: encrypted remote terminal, used to access UNIX computers at the ESRF (NICE, beamlines, etc.)
- SSL: protocol providing encrypted communication, over which the gateway tunnels other traffic.
- SSL Gateway: offers a Web server (HTTPS mode, i.e. encrypted) providing SSL tunnelling and proxying services.
- Sygate: the supplier of the Virtual Desktop. In the future, Juniper will use its own version of this feature.
- Virtual Desktop: a program building an environment in which local files are not accessible, in order to protect the target environment from the propagation of viruses. The Sygate Virtual Desktop also integrates protection against keyloggers.
- VPN: Virtual Private Network, usually used for integrating a computer into a remote network.