How it works
Topology design
The ABC-DP Web Distribution Point works as a proxy: it can get/put ABC-Deploy data on behalf of a client, and it is available both to clients on the LAN and to clients on the Internet.
On the LAN side are the resource servers that ABC-Deploy uses to store its data. These servers are the first choice for the client computers when they request data or deliver data back. If the resource servers are not directly reachable, the clients contact the ABC-DP Web Distribution Point and ask it to get/put the data on their behalf.
About security
All communication with the ABC-DP is SSL encrypted.
Security of the system is based on the use of digital certificates for authentication.
Client certificates are automatically distributed to the clients when they first access the ABC-DP from the private interface (LAN), and the clients use the certificates to identify themselves when they later access the public interface from the Internet.
How certificates are distributed
When an ABC-Deploy agent starts on a client, it checks whether it has a ROOT certificate from the ABC-DP and whether it has a valid client certificate issued by the ABC-DP.
If either is missing, the missing certificates are requested and delivered to the client.
Obtaining a ROOT certificate to trust the ABC-DP
1) Client starts on the LAN.
2) Client checks whether it has a valid ROOT certificate from the ABC-DP.
3) If a valid ROOT certificate is not present, it is requested from the private interface.
4) Client authenticates against Windows AD using its machine account when it connects.
5) If authentication is OK, the request is evaluated by the ABC-DP and the ROOT certificate is delivered.
6) Client installs the received certificate into the Computer/Trusted Roots certificate store.
Obtaining a client certificate to authenticate to the ABC-DP
1) Client starts on the LAN.
2) Client checks whether it has a valid client certificate issued by the ABC-DP.
3) If a valid client certificate is not present:
a. Client generates a long password.
b. Client requests the certificate and provides the password in an SSL-encrypted request to the private interface.
4) Client authenticates against Windows AD using its machine account when it connects.
5) If authentication is OK, the request is evaluated by the server; if the client asks for a certificate subject that matches the name it used for authentication, the ABC-DP creates a client certificate with a private key and a subject equal to the requesting machine's X.500 name.
6) The client certificate is password protected with the password received from the client and sent back to the requesting client machine.
7) The requesting client unpacks the certificate and installs it into the Computer/MY certificate store.
The certificate only lives encrypted in memory and is never written to the file system. The private key is not exportable, meaning that the client certificate is bound to the physical machine and cannot be copied.
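The check in step 5 is the one that keeps a LAN machine from enrolling a certificate in another machine's name, so it is worth seeing what it has to cover. The Python below is an added illustration, not ABC-Deploy's code: it assumes Windows authentication resolves the connecting machine account to its computer object's distinguishedName, and the function names and sample names are mine. The parser also handles escaped commas and case differences, which a naive string comparison would get wrong.

```python
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute type, value) RDNs.

    Backslash escapes are honoured, so 'OU=Sales\\, EMEA' stays one RDN.
    Attribute types are upper-cased; values keep their case for now.
    """
    rdns, key, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == "," and key is not None:
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if key is None or not buf:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((key, "".join(buf).strip()))
    return rdns


def normalized_dn(dn: str) -> tuple[tuple[str, str], ...]:
    """Canonical form for comparison; AD name matching is case-insensitive."""
    return tuple((t, v.casefold()) for t, v in parse_dn(dn))


def evaluate_request(authenticated_dn: str, requested_subject: str) -> tuple[bool, str]:
    """Decide whether to issue. authenticated_dn is assumed (hypothetical) to be
    the distinguishedName of the computer object that the connecting machine
    account resolved to after Windows authentication on the private
    interface; requested_subject is the subject the client asked for."""
    try:
        wanted, actual = normalized_dn(requested_subject), normalized_dn(authenticated_dn)
    except ValueError as exc:
        return False, str(exc)
    if wanted == actual:
        return True, "subject matches the authenticated machine account"
    # Distinguish the two failure modes so they can be logged and alerted on.
    if wanted[0] != actual[0]:
        return False, f"subject names {wanted[0][1]!r}, but {actual[0][1]!r} authenticated"
    return False, "subject container does not match the authenticated machine's DN"
```

A refusal with the second reason string is the event a defender wants in the ABC-DP activity log, since a correctly behaving agent never asks for a name other than its own.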
How access from the Internet is controlled
Public interface, port 443
SSL encryption with mutual authentication.
A valid client certificate issued and trusted by the ABC-DP is required to allow a connection.
All other connection attempts are discarded.
Used by Internet-based clients to get/put data.
How access from the LAN is controlled
Private interface, port 443
SSL encryption with mutual authentication.
A valid client certificate issued and trusted by the ABC-DP itself is required to allow a connection.
All other connection attempts are discarded.
Used by LAN-based clients to get/put data.
Private interface, port 4444
SSL encryption with mutual authentication.
Windows authentication is required, meaning only trusted users and computers from the AD forest can connect.
Used by LAN-based clients for:
- Certificate distribution to clients.
- Management interface and activity monitoring.