The G/On Server is the key component in the G/On virtual access solution. To provide an overview, it acts as an integrated:

- Network access controller. Unlike a VPN tunnel, the G/On Server is closed to all traffic by default. It only accepts connection and authentication attempts from known devices, and every connection is continuously re-checked for device and user authentication as well as data integrity.
- Authentication and application-level firewall. In addition to device and user authentication, connectivity is only accepted for individually authorized applications, and only for those specifically launched by the user or by the G/On Server itself.
- Security policy enforcer. It is the role of an organization's security policy to decide who is allowed access to what, and under what circumstances. G/On lets organizations not only specify these rules but also implement them directly. G/On Zones let you include properties and characteristics of the remote PC and its environment in the application authorization decision. G/On's integrated authentication of users and devices, together with the authorization of applications, enforces the rules and produces detailed logging for compliance audits.
- Application access and user identity manager. Integrating G/On with a user directory such as Microsoft Active Directory gives G/On the user's domain credentials and allows single sign-on to a number of applications. After a successful login, G/On presents the user with a menu of the applications authorized as the result of the entire end-to-end connectivity, authentication, and authorization process.
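The following is an added example of the kind of decision the "security policy enforcer" and "application access manager" roles describe: the application menu a user sees is computed from directory group membership, whether the device was adopted, and properties of the remote PC's zone, with one audit record per decision. It is not G/On's own rule format or code; the users, groups, device IDs, zone properties and application names are hypothetical, and the rule shape (required groups plus required zone properties) is an assumption chosen for illustration.

```python
"""Zone-aware application authorization with an audit trail (constructed example,
not G/On's rule format or code; users, groups, devices, zones and apps are hypothetical)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Context:
    """What the policy may inspect for one login: directory data, device state, zone."""
    user: str
    groups: frozenset        # group memberships read from the user directory
    device_id: str
    device_adopted: bool     # device has been adopted (enrolled) with the server
    zone: dict               # observed properties of the remote PC and its environment

@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset                            # user needs at least one of these
    zone: dict = field(default_factory=dict)     # every required property must match

RULES = [
    Rule("intranet",  frozenset({"staff"})),
    Rule("email",     frozenset({"staff"})),
    Rule("finance",   frozenset({"finance"}),   {"managed_pc": True, "av_current": True}),
    Rule("rdp-admin", frozenset({"it-admins"}), {"managed_pc": True, "network": "office"}),
]

def zone_matches(required, observed):
    """Fail closed: a property the client did not report never satisfies a requirement."""
    return all(observed.get(k) == v for k, v in required.items())

def authorize(ctx, rules=RULES, audit=None):
    """Return the application menu for ctx (sorted app names) and append audit records."""
    log = audit if audit is not None else []
    if not ctx.device_adopted:                   # no adopted device: empty menu, one record
        log.append(f"DENY user={ctx.user} device={ctx.device_id} reason=device-not-adopted")
        return []
    menu = []
    for r in rules:
        if not (ctx.groups & r.groups):
            reason = "no-group"
        elif not zone_matches(r.zone, ctx.zone):
            reason = "zone-mismatch"
        else:
            reason = "ok"
            menu.append(r.app)
        verdict = "ALLOW" if reason == "ok" else "DENY"
        log.append(f"{verdict} user={ctx.user} device={ctx.device_id} app={r.app} reason={reason}")
    return sorted(menu)

def demo():
    """Same user and adopted device from two zones, plus a device the server never adopted."""
    audit = []
    groups = frozenset({"staff", "finance"})
    home = Context("alice", groups, "laptop-42", True,
                   {"managed_pc": False, "av_current": True, "network": "home"})
    office = Context("alice", groups, "laptop-42", True,
                     {"managed_pc": True, "av_current": True, "network": "office"})
    unknown = Context("mallory", frozenset({"staff"}), "unknown-pc", False, {})
    return {"home": authorize(home, audit=audit), "office": authorize(office, audit=audit),
            "unknown": authorize(unknown, audit=audit), "audit": audit}
```

The check worth copying is in `zone_matches`: a zone property the client never reported compares as `None`, so a rule that requires it fails. That keeps the policy fail-closed when a client omits or cannot collect a property, which is what you want when the remote PC is the party describing itself.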
The G/On Server runs as a service on a Windows server. Depending on the number of users and the workload in general, it is recommended to install the service on a dedicated machine. For large-scale implementations, multiple servers can be installed and configured for load balancing and failover. The G/On Server is installed behind the main perimeter firewall, with access to the user directory for authentication and to the relevant application servers.
All G/On communication goes through a single port. Consequently, only a single port needs to be open in the firewall for remote access via G/On. All communication through this port goes to the G/On Server, and the G/On Server ignores any connection attempt that does not come from an adopted and approved device.
From a networking standpoint, the G/On solution operates as a distributed port-forwarding proxy. The application client's connection is forwarded to the local loopback interface on the remote PC, where the G/On Client wraps it in an encrypted data stream and sends it to the G/On Server via the single port. This encrypted connection from the G/On Client terminates on the G/On Server, which recreates the original application connections and forwards them to the application servers. This approach effectively isolates the remote PC from the company network: there is no direct communication between the network and the PC or any application on the PC.
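The two paragraphs above describe a single-port, device-gated port-forwarding proxy. The following is an added example showing that shape in working code; it is not G/On's code, wire format or key material. The application client connects to a loopback port, the client side wraps that traffic as frames on one tunnel connection, and the server authenticates the device before doing anything else, opens the real connection to the application server only for an authorized application, and relays the reply. Device IDs, keys, application names and the frame layout are all hypothetical; TLS on the tunnel socket is left out so the example runs with the standard library alone, and the server issues a challenge before deciding, so unlike the description above it is not entirely silent toward an unknown device, it just never answers one again.

```python
"""Single-port, device-gated port-forwarding tunnel (constructed example, not G/On code)."""
import hashlib, hmac, os, socket, struct, threading

DEVICE_KEYS = {"laptop-42": b"demo-shared-secret-laptop-42"}  # adopted devices (hypothetical)
AUTHORIZED = {"laptop-42": {"intranet"}}                       # device -> apps it may reach
APP_BACKENDS = {}                                              # app -> (host, port) of its server

def recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)  # blocks until n bytes arrive or the peer closes
    if len(buf) < n:
        raise ConnectionError("peer closed")
    return buf

def send_msg(sock, payload):  # every tunnel message is length-prefixed
    sock.sendall(struct.pack(">I", len(payload)) + payload)
def recv_msg(sock):
    return recv_exact(sock, struct.unpack(">I", recv_exact(sock, 4))[0])

def serve_forever(handler):
    """Listen on an ephemeral loopback port; one thread per accepted connection."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen()
    def loop():
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()

def echo_backend(conn):
    """Stand-in application server behind the tunnel server: echoes its input."""
    with conn:
        while (data := conn.recv(4096)):
            conn.sendall(b"echo:" + data)

def handle_tunnel(conn):
    """Server side: authenticate the device first, then relay frames per channel."""
    backends = {}  # channel id -> socket to the application server
    try:
        with conn:
            nonce = os.urandom(16)
            send_msg(conn, nonce)
            device, _, mac = recv_msg(conn).partition(b"|")
            key = DEVICE_KEYS.get(device.decode(errors="replace"))
            if not key or not hmac.compare_digest(mac, hmac.new(key, nonce, hashlib.sha256).hexdigest().encode()):
                return  # not an adopted device: answer nothing more, drop the connection
            allowed = AUTHORIZED.get(device.decode(), set())
            while True:
                frame = recv_msg(conn)  # chan(2) | app_len(1) | app name | application data
                chan, app_len = struct.unpack(">HB", frame[:3])
                app, data = frame[3:3 + app_len].decode(), frame[3 + app_len:]
                if app not in allowed:
                    send_msg(conn, struct.pack(">HB", chan, 1) + b"denied")
                    continue
                if chan not in backends:  # first frame on a channel opens the real app connection
                    backends[chan] = socket.create_connection(APP_BACKENDS[app])
                backends[chan].sendall(data)
                send_msg(conn, struct.pack(">HB", chan, 0) + backends[chan].recv(4096))
    except (OSError, struct.error, UnicodeDecodeError):
        pass

class TunnelClient:
    """Client side on the remote PC: authenticate once, then carry app traffic as frames."""
    def __init__(self, server, device_id, key):
        self.sock = socket.create_connection(server)
        nonce = recv_msg(self.sock)
        send_msg(self.sock, device_id.encode() + b"|" + hmac.new(key, nonce, hashlib.sha256).hexdigest().encode())
        self.lock, self.next_chan = threading.Lock(), 0

    def request(self, app, data):
        """One request for `app` on a fresh channel; returns (status, reply bytes)."""
        with self.lock:
            chan, self.next_chan = self.next_chan, self.next_chan + 1
            send_msg(self.sock, struct.pack(">HB", chan, len(app)) + app.encode() + data)
            reply = recv_msg(self.sock)
        return reply[2], reply[3:]

    def listen_loopback(self, app):  # loopback port an unmodified application client connects to
        def relay(conn):
            with conn:
                status, reply = self.request(app, conn.recv(4096))
                conn.sendall(reply if status == 0 else b"")
        return serve_forever(relay)[1]

def demo():
    APP_BACKENDS["intranet"] = serve_forever(echo_backend)
    server = serve_forever(handle_tunnel)
    client = TunnelClient(server, "laptop-42", DEVICE_KEYS["laptop-42"])
    with socket.create_connection(("127.0.0.1", client.listen_loopback("intranet"))) as app:
        app.sendall(b"GET /")
        via_loopback = app.recv(4096)
    denied_status, _ = client.request("payroll", b"x")  # not authorized for this device
    try:
        TunnelClient(server, "stranger", b"wrong-key").request("intranet", b"x")
        stranger = "answered"
    except ConnectionError:
        stranger = "dropped"
    return {"intranet": via_loopback, "payroll_status": denied_status, "stranger": stranger}
```

Calling `demo()` brings an echo "application server", the tunnel server and a client up on ephemeral loopback ports and returns `{'intranet': b'echo:GET /', 'payroll_status': 1, 'stranger': 'dropped'}`: the application client only ever talked to 127.0.0.1, the server opened the backend connection itself, the unauthorized application was refused before any backend connection existed, and the unknown device got nothing back. The ordering in `handle_tunnel` is the point to keep: the device check runs before any frame is parsed, and the authorization check runs before `create_connection`, so neither unauthenticated bytes nor an unauthorized application name ever reaches the internal network.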
The G/On Server has a number of configuration options that allow for the specification of application client and application server connectivity, integration into the network infrastructure, and scaling and failover.
The G/On configuration, the data about adopted hardware authentication devices, and the application access rules are stored in a central database. G/On offers its own proprietary database for single-server deployments, whereas multi-server deployments require an external database such as Microsoft SQL Server.