Propalms OneGate comes with a brand new user interface. This interface is both modern and light on the web browser.
Users can log in to the OneGate web portal in kiosk mode from a locked-down machine. This release adds application proxy support that does not require local administrator rights. Supported applications are Terminal Services (RDP), VNC, File Share, My Desktop & Files, Telnet, SSH and Web applications (limited).
In previous versions of VPN, access controls were based only on application groups, allowing application group access to user groups. OneGate’s new, improved access control management interface allows creating access controls with added access control methods.
Newly added access control Methods are:
The Administrator can now specify certain client configuration settings for the OneGate client and also optionally control deployment of Propalms TSE client for integration and capability for users to launch applications published on Propalms TSE Server.
VPN Client Settings:
TSE Client Settings:
Propalms OneGate now supports inbound connection load balancing. The OneGate server can be made accessible through multiple Internet service providers configured in the management console. When an end user connects to the OneGate server, it checks the load on the links and sends login requests to the less loaded ISP. This feature is helpful if customers have multiple internet connections and want incoming users to be distributed equally across them.
In the new OneGate server, the administrator can publish multiple IP addresses or a range of network IP addresses with single or multiple port access. This feature will allow enabling a set of ports or network access to security user group/s in a single click.
In Access Management > Applications create an application with type as Network and select from the following:
New search capability has been added to the management console in the Users, Applications and Access Controls pages.
In previous versions, Propalms VPN had an option for sending the passphrase to users' email IDs. This feature has now been enhanced with support for SMTP authentication.
The administrator can select applications to start automatically when the end user logs in (only applications which support portal-based access). Auto launching of applications can be enabled from OneGate Management Console > Access Management > Applications > Add / Modify Application.
OneGate client can access multiple gateways and will automatically connect to alternate gateways if primary gateway is not available.
End users can save their user name and password by selecting Remember Me and Remember Password options from Propalms OneGate Desktop Client.
In the latest OneGate Desktop Client users can change the following preferences:
OneGate administrators can configure multiple VPN Domains for user authentication.
Administrator can add, modify and delete VPN Domain. When adding a new VPN Domain, administrators can configure different authentication servers and turn endpoint security on or off.
Administrator can configure SMS gateway details in OneGate server so that users can get their passphrase via SMS during successful user creation or if administrator resets the passphrase. Administrator can also modify the contents of SMS message.
NTP settings can be administered under Host Configuration > Global Settings. Administrator can start or stop NTP server, verify status and check for last update time from this page. Primary and Secondary NTP Servers can be configured.
PROID is a two-factor authentication solution that provides one-time passwords delivered via multiple mechanisms including hard tokens, soft tokens, email, SMS, PKI tokens and web tokens. OneGate can authenticate users with the PROID server by calling its authentication API running over HTTPS rather than using the plain-text, UDP-based RADIUS protocol.
The administrator can enable single sign-on for NTLM-enabled web-based applications, e.g. MS OWA and SharePoint. This option is available only for web-based applications. SSO options are available when you add specific web-based applications in the console.
Cipher settings can be administered under Host Configuration > Global Settings. Cipher support has been improved. The administrator can now select any cipher, but the OneGate server must be in configuration state to change the cipher setting.
The OneGate client can run when the user's proxy setting specifies the proxy server by hostname. We have also added support for PAC files and SOCKS 4 and 5 proxies. In these proxy environments the user is able to log in to the OneGate client and access the hosted applications.
This release supports compression for the http application type. It will improve the http application access time.
A new application type, My Desktop and Files, has been added. As well as Personal Desktop access, the administrator can now create one file share application in which each user is mapped to a specific file share location. A single application can handle up to 300 entries.
In desktop client, Administrator can change the text message for user and label of user name/password. This can be configured when you configure AD as Authentication Server under User Interface Configuration.
The security officer gets an email notification when a device registration is pending. If the auto approve check box is unchecked when a device ID access control is created, the security officer gets the email notification.
A single sign-on option (form and NTLM based) has been added for the http/https application type.
Now administrator can generate SSL certificate CSR with three different key length options (1024, 2048, and 4096).
Administrator can edit the email templates from OneGate management console under Host Configuration > Global Settings. The different email templates can be edited under Email Formats.
Multiple port support has been added for every application type. The administrator can now publish a maximum of 5 ports in a single application.
When setting an Application Rule, if there is no application group configured in OneGate, the admin can create an application group from the application page itself. Clicking on add application to application group gives the option to add an application group.
On the user creation page an additional 2 options have been added for sending information about user creation/reset passphrase/change password to user specified email address or user mobile number.
Add Virtual Server to use OneGate server as HTTPS reverse proxy server. Admin can create a unique DNS name and then create a virtual server for this DNS name. This will not require user to download the VPN java client modules.
For more information go to http://www.propalms.com/products/propalms_onegate.php
The new TSE Desktop Client (TSE-DC) offers users a browser-less way to access, manage and configure TSE published applications. The TSE-DC removes browser dependency but offers a user experience and capability similar to that of the TSE Launchpad web portal. TSE-DC is included with the standard v7 TSE Client installation and requires Microsoft .NET 4.0 client profile framework installed on the client machine. TSE v7 client installation will verify if .NET 4.0 is available on the client machine, if not it will prompt for approval and also install .NET 4.0 client profile framework. The installation package for .NET 4.0 is downloadable from the TSE Launchpad portal – Download client page and can be installed manually. Alternately the TSE v7 client will prompt the user for a download from MS download site if it does not detect .NET v4 client profile framework installed. This needs internet connection.
The TSE installation experience has been improved to make the install on Windows 2008, 2008 R2 and 2012 a smooth and easy procedure. The new installation will auto install the required Windows components for TSE like IIS, ASP, ASP.NET, COM+ , DTC and RDS as part of the TSE installation routine. This will make installing and configuring a TSE server a hassle free install.
Administrators won’t have to worry about getting the required Windows pre-requisites installed before starting the TSE installation. The pre-requisite auto install will also work for all subsequent servers added in TSE team, either using the Join Team option or the ADD Server option from TSE Management Console. In short, administrators can take a freshly installed Windows server and run the v7 TSE installer to make it a fully functional TSE WEB with Windows IIS, TSE APP with RDS and TSE Load Balancer server with a single installation.
TSE v7 Server is fully compatible and functional on Windows Server 2012. All TSE features are supported on Windows Server 2012 along with backwards compatibility for previous Windows Server versions including Windows 2003, 2008 and 2008 R2.
Active Directory 2012 is supported, as is SQL 2012 running on Windows 2012. The TSE v7 installation supports auto install of Windows pre-requisites (IIS, RDS, COM, DTC, .NET) on Windows 2012, making it easier to build a TSE v7 2012 server and add it to an existing team of 2008, 2008 R2 and 2003 servers for evaluation and migration purposes.
Windows 8 as a client OS is supported for TSE v7 client and all client side features are supported. IE10 browser which is default on Windows 8 is supported as well for TSEv7 Launchpad and Console portal.
TSE v7 introduces the TSE Notification feature that allows TSE Administrators to enable Email Notification Alerts based on certain TSE System Events. An email notification will be sent to the specified Email accounts, notifying the occurrence of certain TSE System Events.
TSE Notifications can be enabled and configured in TSE Management Console, under Options – TSE Notifications page.
Notifications are part of the TSE WEB server configuration. If there is more than one TSE WEB server in the team, only one TSE WEB server is responsible for sending TSE notifications. In the event of a Web server going down, another TSE WEB server takes up the Notifications job. If there is only one TSE WEB configured in the team, notifications will not be sent if the only TSE WEB server goes offline. TSE checks the status of its system and components every 5 minutes. If a TSE system or component changes state and reverts to its original state between two of these checks, the change can go undetected by the TSE Notification System. This is likely when TSE Services are restarted, which usually takes less than a minute.
TSE v7 has the provision to export its TSE Team Objects and Settings (Applications, Connection Settings, Groups/OUs, and Lockdown Policies) in an XML format. This XML can then be imported to either create or restore a TSE team with the same Objects and Settings.
This will help in easy duplication of Application list, Connection Settings, Lockdown settings and Group/OU across multiple TSE teams. Group/OUs are tied to the Active directory. Hence they should only be imported if the TSE team belongs to the same AD as the original TSE team.
In TSE v7, TSE admin can create a list of Network printers that are available on the network where TSE is installed and assign these network printers to AD groups, OUs and client groups in TSE. This eliminates the headache for admins to create custom login scripts that map network print queues to a user’s terminal server profile at logon. Network printers can be assigned based on AD Group and OU membership and also client groups based on IP address, hostname and other criteria. Wherever possible, it is recommended to have all printing done through Network printers mapped directly to users TSE App session running on TSE App server. It eliminates re-direction of client side printers on server, saving server resources, print driver management efforts and network bandwidth as all print jobs go directly to the network print queue instead of TSE client machine.
In previous TSE releases, a Propalms Server lockdown policy could only be linked to TSE App servers, with one Propalms lockdown policy set per App server. In v7, Propalms lockdown policies can now be linked directly to an AD Group or AD OU added in TSE. This allows better control and allocation of lockdown based on end user AD membership. If a TSE user is a member of multiple AD groups or OUs which have different Lockdown settings, TSE calculates the cumulative, most restrictive lockdown settings for the TSE user and enforces them on the TSE user's app session. Note that TSE lockdown policy does not overwrite or block AD Group Policies.
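The cumulative, most-restrictive calculation described above can be modelled as follows. This is an added example, not Propalms code: the setting names, their value scales and the group and OU names are all constructed, since the page does not list TSE's actual policy keys.

```python
# Hypothetical lockdown settings; names and scales are constructed for this
# example and are not TSE's real policy keys.
# Boolean settings: True means the restriction is enforced.
BOOLEAN_SETTINGS = ("hide_run_menu", "block_command_prompt", "block_registry_tools")
# Ordered settings: later entries in the tuple are more restrictive.
ORDERED_LEVELS = {
    "drive_access": ("all_drives", "home_drive_only", "no_drives"),
}


def unrestricted():
    """Baseline for a user with no linked policy: nothing is locked down."""
    base = {name: False for name in BOOLEAN_SETTINGS}
    base.update({name: levels[0] for name, levels in ORDERED_LEVELS.items()})
    return base


def most_restrictive(setting, current, candidate):
    """Return whichever of two values locks the session down further."""
    if setting in ORDERED_LEVELS:
        levels = ORDERED_LEVELS[setting]
        # levels.index raises ValueError on a value outside the known scale
        return max(current, candidate, key=levels.index)
    return bool(current) or bool(candidate)


def effective_lockdown(memberships, linked_policies):
    """Merge the policies linked to every group/OU the user belongs to.

    Returns (effective settings, list of groups/OUs whose policy applied).
    A permissive policy in one group can never loosen a restriction that
    another group imposes, and the result does not depend on group order.
    """
    effective = unrestricted()
    applied = []
    for container in memberships:
        policy = linked_policies.get(container)
        if policy is None:
            continue  # group/OU without a linked policy adds no restriction
        applied.append(container)
        for setting, value in policy.items():
            if setting not in effective:
                raise KeyError(f"unknown lockdown setting {setting!r} for {container}")
            effective[setting] = most_restrictive(setting, effective[setting], value)
    return effective, applied


# Constructed sample data: three policies linked to AD groups/OUs.
LINKED_POLICIES = {
    "CN=Helpdesk": {"hide_run_menu": False, "drive_access": "all_drives"},
    "CN=Finance": {"hide_run_menu": True, "drive_access": "home_drive_only"},
    "OU=Contractors": {
        "block_command_prompt": True,
        "block_registry_tools": True,
        "drive_access": "no_drives",
    },
}

if __name__ == "__main__":
    user_groups = ["CN=Helpdesk", "CN=Finance", "CN=AllStaff"]
    settings, applied = effective_lockdown(user_groups, LINKED_POLICIES)
    print("policies applied:", applied)
    for name, value in sorted(settings.items()):
        print(f"  {name} = {value}")
```
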
In TSE v7, Connection settings template has been re-organized for better management and usability. Connection parameters pertaining to different aspects of TSE and RDP have been grouped together. Also connection parameters that are of specific interest to end users are grouped together as client settings. These settings are now also configurable by TSE users through the TSE Desktop Client or TSE Launchpad Client settings page.
In TSE Connection Settings, there is a new option “User Choice” added in drop down for settings that can be set by a TSE end user/client. TSE admin should keep the required setting to “User Choice” if the TSE admin wants the client choice for the specific setting to take effect. This is particularly helpful for printer and local drive redirection as keeping them ON always forces re-direction of client side resources even if the user does not intend to use them for the particular session. This will save server resources, faster app launch time and avoid potential problems with printer and drive redirection.
MS introduced support for Seamless via RemoteApp in Windows 2008 server and has made some significant performance improvements with it in 2008 R2 & Server 2012. In TSE v7, TSE Seamless leverages the native seamless available on Windows 2008 & above to give better performance and usability of applications in seamless mode. It utilizes native RDP enhancements like RemoteFx and True MultiMonitor support.
When publishing applications on TSE for load balancing, it is required that the application install directory and path be the same on all the TSE App servers for it to work.
There is a common problem of publishing x32 applications on TSE x32 and x64 App servers, where the install path for x32 apps on x64 server is …\program files(x86)\… whereas on x32 server it is …\Program Files\… In TSE v7, publishing the same app on x32 and x64 is possible without worrying about %program files(x86)% directory for x64 servers. The application is loaded from the correct program files directory based on the server being x32 or x64.
In some instances, Applications are installed on different drives or the default system drive letter is different. To accommodate such scenarios, TSE Admin can use the new Application Host Drive option in v7.
There are 3 options available:
The TSE Monitor Load-Balancer page has been enhanced for better viewing and displays additional information pertaining to Load Balancing:
Monitor Connections page shows if the connection is over SPR, DMZ SPR or TSE App server.
TSE Management Console and Launchpad have been given a makeover with new color scheme, clearer and bigger fonts, giving it a contemporary look and feel.
The Action item menus on the LHS of the pages have been made collapsible to better utilize the screen area. Simply mouse-over the arrow icon to expand the Action Menu.
In TSE v7 the app launch user experience has been improved. Users now see a consistent launch experience with the launch dialog showing a progress animation, name and icon of the application being launched. The animation progress logo changes depending on whether it is direct App launch or over SPR/DMZ-SPR.
A number of end user notifications have been added to the TSE Client to show the current activity or status change by TSE client.
With v7, the Propalms logo, Banner text and footer images for TSE Launchpad and Console Portals can be changed. This allows some level of customization and re-branding of TSE portal and the new TSE Desktop client.
TSE published applications can be launched over MS TS Gateway server. TS Gateway server information can be configured in TSE Console > Options > TS Gateway page and TS Gateway feature should be enabled in the relevant TSE Connection Settings for the application. TS Gateway works for TSE Launch and also the Native launch (clientless).
If using the Windows TSE Native client (On Launchpad Download client page, use the Native Client option), TSE Apps published on Windows 2008 and above can be launched in Seamless mode. The minimum RDP client version required is RDC 6.1 for this to work.
For more information go to http://www.propalms.com/products/propalms_tse.php
The new VPN runs on CentOS based Linux distribution. CentOS is the most commonly used free distribution derived from RHEL distributions. The new 3.7 VPN ISO contains the new hardened OS with an improved graphical installer.
The new VPN ISO based on CentOS is available for both 32bit as well as 64bit hardware platforms. There are two different ISOs available and the customer must install the correct ISO on their specific hardware. The ISO for 32bit hardware can be installed on 64bit hardware though. With support for 64bit platform a large amount of RAM and CPU power can be made available to VPN gateway for scalable deployments.
Propalms VPN 3.7 gets a new portal for clientless access. Users can use a browser to login into VPN and access the applications listed on the portal. The following types of applications are listed on the portal:
New application templates are added on management console to help administrator create standard applications as well as define additional parameters. The following new templates are added:
Kiosk mode is a new mode on the VPN portal in which users can access applications without installing the VPN client, an installation that requires the user to have admin rights the first time.
Kiosk mode supports the following types of applications published over the VPN Portal:
The MyDesktop feature provides direct access to your office PC via Propalms VPN. The administrator can create a ‘MyDesktop’ application type and upload a list of usernames along with their desktop hostnames/IP addresses. When users log in to the VPN, an application with the name ‘MyDesktop’ is displayed on the VPN Portal. Users can access their desktop by simply clicking the icon in the VPN Portal or Application Launcher.
Propalms VPN works in conjunction with Propalms TSE solution to deliver a highly efficient application delivery solution to enterprises. Propalms TSE provides presentation virtualization and VPN provides secure remote access. Propalms VPN enables single sign-on, Web Portal & Desktop integration features for Propalms TSE enabled applications.
Propalms VPN integrates with Propalms VDI to deliver a seamless access mode to VDI managed virtual desktops. VPN administrator can publish the Propalms VDI setup for roaming users by simply creating an application with a target as the Propalms VDI connection broker. Propalms VPN talks to the Propalms VDI connection broker and publishes user’s allocated virtual desktop on the Propalms VPN portal.
The remote meetings feature offers authorized VPN users the ability to hold remote web meetings for the purpose of sharing presentations, text chat, file transfer or just for use as a helpdesk facility. The remote meeting feature is available in both the VPN Portal and the VPN desktop client. A user can select “give support” to connect to another VPN user, or “get support” to request support from another VPN user.
The Application launcher of VPN Client is improved to add more applications with a better user interface. After login, the Application Launcher is shown to the user with the list of applications the user has access to. Following applications are shown to the user:
A new online license activation service is added in this release. Now license acquisition is a real time, secure automated system.
With the VPN software image/virtual appliance, the customer will get a Serial Key which will be used to retrieve the actual license. Before the administrator can use the Serial Key to get a new license, the administrator must register himself/herself and the organization with Propalms License Server. After registration is successful, administrator can click on “Retrieve License” to retrieve the license details from Propalms License Server.
For more information go to http://www.propalms.com/products/propalms_vpn.php
New Load Balancer ranking scheme – % Utilization based
Currently Propalms Load Balancer computes a rank for each online App server based on the available resources (by default only CPU and memory.) The new LB design will not assign a rank to each server merely based on the available resources it has; it will assign rank based on the % utilization of resources available on it. Therefore at any time the % of available resources utilized on each server, will be the same. This scheme should be used when App servers are of different Memory and CPU specs. It will help in even distribution of sessions across servers.
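The difference between the two ranking schemes on App servers of unequal size can be seen in a small simulation. This is an added example, not Propalms code: it models one abstract capacity figure per server instead of separate CPU and memory counters, assumes every session costs one unit, and assumes the older scheme prefers the server with the most free capacity; the server names and sizes are constructed.

```python
from fractions import Fraction


def rank_by_free(server):
    """Older scheme (as assumed here): more free capacity ranks higher."""
    return server["capacity"] - server["used"]


def rank_by_utilization(server):
    """New scheme: a lower fraction of capacity in use ranks higher."""
    return -Fraction(server["used"], server["capacity"])


def place_sessions(capacities, sessions, rank, cost=1):
    """Send each new session to the best-ranked server that still has room.

    capacities maps server name -> capacity units; returns name -> units used.
    Ties go to the server listed first.
    """
    servers = [{"name": n, "capacity": c, "used": 0} for n, c in capacities.items()]
    for _ in range(sessions):
        candidates = [s for s in servers if s["used"] + cost <= s["capacity"]]
        if not candidates:
            raise RuntimeError("no App server has capacity left")
        best = max(candidates, key=rank)
        best["used"] += cost
    return {s["name"]: s["used"] for s in servers}


def utilization(capacities, placed):
    """Fraction of each server's capacity that is in use."""
    return {n: Fraction(placed[n], capacities[n]) for n in capacities}


# Constructed team: one large and one small App server.
CAPACITIES = {"app-large": 64, "app-small": 16}

if __name__ == "__main__":
    for label, rank in (("free capacity", rank_by_free),
                        ("% utilization", rank_by_utilization)):
        placed = place_sessions(CAPACITIES, 40, rank)
        shares = {n: f"{float(u):.1%}" for n, u in utilization(CAPACITIES, placed).items()}
        print(f"{label:>14}: sessions={placed} utilization={shares}")
```

With 40 sessions, ranking by free capacity leaves the small server idle while the large one carries everything; ranking by % utilization brings both servers to the same load.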
TSE Web, TSE SPR and TSE DMZ-SPR redundancy using auto failover feature in Propalms client
A new feature in TSE, where Propalms TSE Client will automatically switch over communication to other WEB, SPR or DMZ-SPR servers in the TSE team in the event of a failure in communication with an existing Web, SPR or DMZ-SPR server. This will facilitate redundancy, fault tolerance and fall back mechanism of the WEB, SPR and DMZ-SPR server roles.
Browser less access to applications using Propalms client
Configurable Launchpad address and application launch from System Tray. A user may configure Propalms Launchpad settings and retrieve and launch applications without having to go to the Launchpad Web page. The user can also set the primary and secondary web server to use, based on site location.
Publish multiple applications simultaneously
Allow publishing multiple applications simultaneously with identical settings. Up to 6 applications can be configured at a time and published to users saving Administrative effort.
Publish Common Applications with single click
Predefined single click publishing of common applications such as Microsoft Office, Windows Explorer, Control Panel Applets etc… An editable xml file on the Web server is read to populate the Common application list. This file can be re-used at multiple TSE locations to quickly add common set of applications.
Allow Single instance of App per User
The administrator can limit a user to launching a single instance of a published Application.
Disallow simultaneous logon from multiple clients with same user name
Prevent simultaneous logins from multiple client devices with same user name.
Set maximum TSE Session limit on TSE App servers to prevent session overload
TSE Admin can set a maximum limit of TSE sessions supported for each TSE App server. Once the maximum session limit is reached, Load Balancing will direct app launch to the other available servers.
Enable/Disable HyperPrint Printer for users from Connection setting
TSE Admin can prevent user access to HyperPrint printer in user session by enabling/disabling this option in Connection setting.
Force HyperPrint Printer as default printer for users from Connection settings
TSE Admin can force the Propalms HyperPrint printer as the default printer for TSE user session.
Ability to Save, Save & Print or just Print, HyperPrint PDF files on TSE App server
Useful for thin client printing, print to file option, or saving a copy of printed document. The pdf files are saved in Users profile My Documents\App Data\PdfFiles folder.
Support for more PDF readers with HyperPrint
Alternative Pdf readers such as Foxit, nitroPDF are supported along with Acrobat Reader.
HyperPrint client side print options
Return Internal or External IP to connect
Force client to connect on Internal or External IP address of App server through Connection settings.
Hide App server IP address during App launch
This feature shows Application name in connection box instead of IP address of connecting server.
TSE Client Upgrade, forced or optional when a newer client version is available
This option allows the administrator to update the Console with a new client version and have clients auto-upgrade when they connect. The user is alerted via the System tray icon and a notification on Launchpad, or the administrator forces the upgrade.
Removal of User Lockdown when Server Lockdown is removed for TSE APP server
Clean-up of User profile lockdown after Server lockdown has been disabled for the App server. The clean-up can be enabled/disabled from Connection settings.
Monitor – Connection page enhancement
Additional field shows the idle time for Active/Disconnected session state.
Direct RDP to server from Console-Manage-Server page
Admins can connect to TSE servers via RDP from Console-Server page.
Logoff option added on Launchpad and Console Web page
Launchpad: When the user or administrator performs this action then the web session and any applications open will be logged off.
Console: When the administrator logs off, all of the web session data will be deleted and there will be no cached logons.
Added support for .pdf in Content Redirection
With this enabled, Pdf files in TSE sessions will be opened using local client PDF reader.
New Windows Explorer and TS policies in Propalms Server lockdown
New Windows Explorer and TS Policies have been added to existing Propalms Server Lockdown Policy templates.
Use of better quality images for Application Desktop and Start Menu shortcuts
Sharper and better quality images will be extracted for creating application shortcuts for desktop and Start Menu.
New Console UI, Color scheme and Style
There is a new look and feel to the Console and Launchpad portal for better readability and ease of access.
Easy navigation between Console Dashboard and Console Summary page
Hyperlink button is available to switch between the graphical and statistical representation of TSE system info.
TSE Admin can set the Console Home Page
TSE admin can set the home page for the Console site on Logon. Can be set to Dashboard, Summary, Server, Connection or LoadBalancer page.
TSE Console-Home-About page will show the Hotfix version
Admin can enter the hot fix version applied to Propalms Web server in Console-Admin page. This will be shown in the Home-About page.
Smaller and larger values available for Disconnected, Session time out and Console page refresh rate
In connection settings, for Idle and Disconnect session timeout more values are made available for refined control. Similarly for the Console page refresh rate.
New TSE Clients
New TSE client packages will be available for Windows, Mac OS and Linux. Any enhanced RDP (rdesktop) features available at time of development will be included.
After an intense development cycle over the last few months, we are pleased to announce that we have just released the latest version of our VPN solution, Propalms VPN 3.5.
This release sees the end of the free 10 user give-away, however you are getting some great enterprise features within the VPN product at a very attractive price. Contact us at firstname.lastname@example.org for more information on pricing.
The VPN management console GUI is simplified and improved now. The left navigation tree has a new organization with more logical grouping of configuration screens.
Context sensitive help is added to management console to facilitate quick reference to configuration options.
A new graphical dashboard is added to management console showing live users, license usage, resource usage and important VPN information.
It is now possible to add and use more than one external authentication server. There is a new authentication server management screen where multiple servers can be configured. These servers can then be configured in cascading mode. This means that if the user cannot be found in the highest priority server, the user will also be searched for in the lower priority servers.
In case the authentication server cannot provide role/group information for an incoming user, a separate authorization server can be specified which will be used to provide user role information. Authentication servers like OTP tokens or RSA SecurID servers may not provide role information to the VPN gateway. The VPN gateway requires the user’s role to assign applications to the user. With such servers an additional external authentication server or native groups can be used to decide the role of the user.
The authentication is done with the external authentication server and then the username is searched in the configured external authorization server.
A new screen is added to management console to define the authentication and authorization scheme for the VPN, termed as VPN domain. In future versions, it will be possible to add multiple VPN domains each with own AAA scheme. The global authentication scheme includes the authentication servers to be used for authentication, any external authentication server(s) and group list which needs to be denied login to VPN.
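The cascade, the separate authorization lookup and the denied-group list described above can be modelled as follows. This is an added example, not Propalms code: the Directory class, the vpn_login function and all accounts are constructed, and two behaviours are assumptions the page does not state (a failed password on a server that knows the user ends the cascade, and a user with no resolvable role is denied).

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed stand-in for an external authentication/authorization server."""
    name: str
    passwords: dict = field(default_factory=dict)  # username -> secret (sample data)
    groups: dict = field(default_factory=dict)     # username -> list of roles/groups

    def knows(self, user):
        return user in self.passwords

    def verify(self, user, password):
        # Constant-time comparison of the stored and supplied secret.
        return hmac.compare_digest(self.passwords[user].encode(), password.encode())

    def groups_of(self, user):
        return list(self.groups.get(user, []))


@dataclass
class Decision:
    allowed: bool
    reason: str
    auth_server: str = ""
    role_source: str = ""
    groups: tuple = ()


def vpn_login(user, password, auth_servers, authz_server, denied_groups):
    """auth_servers is ordered from highest to lowest priority."""
    for server in auth_servers:
        if not server.knows(user):
            continue  # cascade only when the user is not found on this server
        if not server.verify(user, password):
            # Assumption: do not retry the password against lower-priority servers.
            return Decision(False, "bad credentials", auth_server=server.name)
        groups, source = server.groups_of(user), server.name
        if not groups and authz_server is not None:
            # OTP-style servers return no roles: ask the authorization server.
            groups, source = authz_server.groups_of(user), authz_server.name
        if not groups:
            # Assumption: without a role no applications can be assigned, so deny.
            return Decision(False, "no role information", auth_server=server.name)
        if set(groups) & set(denied_groups):
            return Decision(False, "member of a denied group", server.name, source,
                            tuple(sorted(groups)))
        return Decision(True, "ok", server.name, source, tuple(sorted(groups)))
    return Decision(False, "user not found on any authentication server")


# Constructed sample domain: an OTP server (no roles) ahead of a directory server.
OTP = Directory("otp", passwords={"alice": "493817", "dave": "220011"})
AD = Directory(
    "ad",
    passwords={"alice": "alice-ad-pw", "bob": "bob-ad-pw", "carol": "carol-ad-pw"},
    groups={"alice": ["staff"], "bob": ["staff", "finance"], "carol": ["contractors"]},
)
AUTH_ORDER = [OTP, AD]
DENIED_GROUPS = {"contractors"}


def demo_login(user, password):
    return vpn_login(user, password, AUTH_ORDER, AD, DENIED_GROUPS)


if __name__ == "__main__":
    for user, secret in [("alice", "493817"), ("alice", "alice-ad-pw"),
                         ("bob", "bob-ad-pw"), ("carol", "carol-ad-pw"),
                         ("dave", "220011"), ("mallory", "guess")]:
        print(user, demo_login(user, secret))
```
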
The licensing mechanism is improved to include a system default license, endpoint security feature control based on license as well as making the license key tied to a particular hardware.
VPN gateway can run in 3 license states:
1. System default (5 users for 30 day evaluation)
2. Evaluation license (time bound)
3. Production license
A newly installed VPN gateway can be started in system default license which is valid for 5 concurrent users for 30 days. Alternatively administrator can choose to put a license key at the time of pre-boot stage.
A license key can be added from management console after the VPN is configured.
To get a license key, administrator must send the “product key” displayed on management console to email@example.com. The new license key will be valid only for the hardware from which product key was taken.
The new license can enable endpoint security feature on the appliance.
The VPN gateway will send notification emails to all registered security officers and administrators 5 days and 2 days before expiry of the license. The VPN gateway will send a last notification email 24 hours before expiry of the license.
With v3.5, administrators can back up the configuration and restore the same in case of a disaster.
The backup file is stored on administrator’s desktop which can be uploaded back to gateway for restoration.
There are two backup options available: User settings backup or full system backup.
This backup will export the settings configured by administrator to the desktop.
This backup enables administrators to regularly back up the settings and use them in case the administrator needs to revert back to old state or the old system has to be replicated to a new one.
The backup includes following settings:
This backup does not include any certificate or system information and is therefore portable across VPN gateways located at different locations.
This backup exports everything including the certificates related configuration. This backup is useful to rebuild a whole system by reinstalling the firmware and then restoring it to the last backed-up state again.
This backup includes the following information:
It is important to make sure the hostname of the system is set to the same value it had when the backup was taken. If the hostname is different, an error is shown to the administrator, along with the expected hostname.
This backup type can be used to restore a whole system. In both cases, VPN must be in configuration state and the VPN services will restart after restore process is over.
All administration changes are logged and viewable through the management console. The logs are archived on the gateway, with capacity to store more than 200,000 log entries.
An option is added to the VPN console to reset a security officer's or administrator’s account. The feature resets the administrator’s certificate on the VPN management console and sends a new passphrase to the registered email ID of the administrator. This feature can be used in case the administrator’s certificate is lost or the administrator forgets her password.
A new option is added to the management console so that IP address, DNS and host file modifications can be done from management console. Administrators can change IP address related settings as well as configure the DNS options. It is also possible to create host file entries on VPN gateway to resolve the names.
A new option is added to the management console so static route configuration can be done from within the console itself.
A new option is added to the management console providing the capability to reboot and shutdown the appliance.
When creating local user accounts, the administrator can set a date on which the account will automatically expire. After the given date the user account is set to “disabled”. This option is applicable only for basic authentication and certificate users. This option is not applicable to security officers and administrators.
While creating new applications, it is common to set a hostname for the Application server or the URL which is not resolvable from the VPN gateway. This can happen because the hostname typed is not correct, the DNS server is not configured correctly, or there is no DNS server at all. In v3.5, when creating applications, the VPN checks whether the hostname specified as Application Server hostname and the hostname/domain name in the Web URL are resolvable from the VPN gateway. An error is displayed if a name cannot be resolved. The Administrator can fix the hostname or create a host file entry for the hostname.
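The resolvability check described above can be reproduced when auditing application definitions before they are published. The following is an added example, not Propalms code: the field names `server` and `web_url`, the sample hostnames, the stub DNS table and the lookup order (IP literal, then host file entry, then DNS) are all assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data: host file entries and a stub DNS table (not from the product).
HOSTS_ENTRIES = {"tse-web1.corp.example": "10.0.0.21"}
STUB_DNS = {"files.corp.example": "10.0.0.30"}

def stub_dns(name, port):
    """Offline stand-in for socket.getaddrinfo, backed by STUB_DNS."""
    if name not in STUB_DNS:
        raise socket.gaierror("name not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (STUB_DNS[name], 0))]

def resolve(name, hosts_entries, dns_lookup=socket.getaddrinfo):
    """Return addresses for name: IP literal, then host file entry, then DNS."""
    try:
        return [str(ipaddress.ip_address(name))]  # a literal IP needs no lookup
    except ValueError:
        pass
    key = name.rstrip(".").lower()  # ignore case and a trailing root dot
    if key in hosts_entries:
        return [hosts_entries[key]]
    try:
        return sorted({info[4][0] for info in dns_lookup(key, None)})
    except (socket.gaierror, UnicodeError):
        return []

def check_application(app, hosts_entries, dns_lookup=socket.getaddrinfo):
    """Return error strings for names that do not resolve; empty list means OK."""
    names = {"Application Server hostname": app.get("server")}
    if app.get("web_url"):
        # urlsplit only finds a host when the URL carries a scheme (http://...).
        names["Web URL host"] = urlsplit(app["web_url"]).hostname
    errors = []
    for label, name in names.items():
        if not name:
            errors.append(f"{label}: missing or unparsable")
        elif not resolve(name, hosts_entries, dns_lookup):
            errors.append(f"{label}: '{name}' cannot be resolved")
    return errors

if __name__ == "__main__":
    app = {"server": "tse-web1.corp.example",
           "web_url": "https://portal.corp.example/launchpad"}
    for err in check_application(app, HOSTS_ENTRIES, stub_dns):
        print(err)
```

Run on the machine whose resolver configuration matters and leave `dns_lookup` at its default to use the system resolver instead of the stub.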
VPN Clients for Linux and Mac OS X are now available for download from the VPN portal. Users can choose to download the correct VPN client for their platform.
Until version 3.4, SSO for Propalms TSE was supported only for basic authentication users. In v3.5, SSO is also supported for users authenticating with a certificate. The username is fetched from the client certificate’s ‘issued to’ field. The user must have the same username and password on the Propalms TSE server as well.
In v3.5, when using the Propalms OS Console menu, the user needs to authenticate to the console using a built-in account. The account name is ‘consoleadmin’. The password for the account is ‘adminconsole’.
The Administrator has the option to change the password for ‘consoleadmin’ user.
Root access to Propalms OS is blocked completely.
For more information go to http://www.propalms.com/products/propalms_vpn.php
Finally the new homepage is live now! And more importantly, the new VDI product is also up on the website.
Quoting the virtualizationinfo.com guys, “Yes we also want a piece of the VDI pie”.
You may ask what is new this time. With Propalms TSE 6.0, released early 2008, we delivered an integrated VDI solution for VMware Server 2.0. And it may not surprise you that not many people have implemented our VDI solution. We were anyway busy migrating customers to TSE 6.0 and adding a lot more new customers for TSE 6.0.
We started working on a new VDI solution by the end of 2008, where the new product takes the lead to deliver virtual desktops and then deliver applications to virtual desktops. The new solution was supposed to be more flexible, to add support for new virtualization platforms quickly, with an easy and simple management interface. We chose Parallels Virtuozzo Container technology as our first virtualization platform to host virtual desktops.
We chose Parallels because it's an excellent platform for hosting virtual desktops:
Propalms VDI v1.1 includes
I agree with Brian Madden that it will be year 2010 for VDI, so we are preparing for it. We do not intend to develop all the pieces from scratch. But we plan to bring together technologies existing today and currently in development, marry them through our management framework and deliver a practically affordable VDI solution.
If you want to try the product, please register or send an email to us at firstname.lastname@example.org.
We listed some of the interesting features of Propalms VPN in the last post. This post is focused on why TSE users should look into implementing Propalms VPN into their network.
Propalms VPN is a new addition to the Propalms Team of products. It is a complete enterprise-ready SSL based secure remote access product that not only makes remote access seamless to any type of application from any device but also makes sure that the endpoints connecting to the corporate network are healthy.
Listed below are some of the new functionalities Propalms VPN brings to the table for Propalms TSE users.
1. Highly scalable SSL Gateway
The TSE product has a built-in SSL server known as “DMZ SPR”. It's an out-of-the-box solution for securing access to the TSE portal and TSE published applications. The DMZ SPR has been very effective in supporting SMB customers of TSE where the number of concurrent users doesn’t go beyond 50 or so. But over time customers have been coming back to us reporting some of the issues mentioned below:
1. DMZ SPR needs a persistent connection with Propalms Web server. If the web server goes offline or there is a network connectivity loss, it brings the DMZ SPR down. To fix this, DMZ services need to be restarted.
2. There is no automatic failover between DMZ SPR servers. Customers need to depend on external load balancing schemes.
3. DMZ SPR does not support/integrate with multi-factor authentication solutions like RSA, CryptoCard, etc.
4. Implementing DMZ SPR creates some administration overhead in TSE, like enabling DMZ SPR in the connection settings, filtering clients using Client groups, etc.
With Propalms VPN, all these issues are gone.
Propalms VPN is a highly scalable SSL gateway running on a hardened Linux platform. It can support thousands of users on a single hardware device and tens of thousands when configured as a cluster. Propalms VPN can be deployed in front of the Propalms TSE server team with no additional configuration required on the Propalms TSE servers. Propalms VPN supports active-active HA clustering out of the box. It provides built-in client certificate based and biometric multi-factor authentication, and it also supports OTP token based solutions. Like DMZ SPR, Propalms VPN supports SSO for the TSE launchpad and published applications.
2. Web server load balancing
Propalms VPN natively supports load balancing for applications published over VPN. Imagine you have multiple TSE web servers and you want to distribute the load equally across them. You can now do that using Propalms VPN by publishing one web application on the VPN and pointing it to all of your web servers. The Propalms VPN gateway then distributes the user requests to the web servers in a round robin method. It can tag the session so that a user is always redirected to the same web server during a particular session.
3. Stronger authentication
Currently Propalms TSE supports only authentication methods which are based on domain logins. With Propalms VPN, you can implement stronger multi-factor authentication solutions like client certificate based or any OTP token solution.
4. Simple TSE deployment and configuration
In a distributed users scenario, where some users are on the LAN and some users are on the WAN, Propalms TSE needs to be configured to know both the local LAN IP address and the WAN published IP address. This is no problem unless you start using DMZ SPR, which will require you to do some more DMZ SPR specific configuration. When deployed with Propalms VPN, the Propalms TSE deployment becomes much simpler. In this case, Propalms TSE needs to be configured for local LAN access only. No special configuration needs to be done on Propalms TSE for remote users to connect via Propalms VPN. Since it's an SSL based VPN, it acts as a single port relay by default.
5. Seamless access to TSE as well as non-TSE applications
Since Propalms VPN can support any TCP/IP application, you now have a choice to move some applications, especially browser based applications, out of your TSE team and publish them directly over Propalms VPN. This will enhance the overall performance of the applications, and you no longer need to depend on two or more remote access methods. Propalms VPN will become the single point of entry into the corporate network for both TSE applications and non-TSE applications.
6. Endpoint Security
If you are familiar with the Citrix feature “Smart Access”, Propalms VPN will provide similar features for just any application. When a user connects to the corporate data center to access any application, her machine is scanned for valid, updated and active AntiVirus, Firewall and Anti-spyware products. If the machine is not found compliant with the endpoint security policies, the end user machine can be remediated automatically. A user’s access to specified VPN applications can be allowed or denied based on the set of endpoint security policies that the user has passed. We will soon be integrating TSE connection policies with VPN policies so that much more granular control can be applied to users’ TSE sessions, like disabling drive sharing if the user fails the antivirus policies.
This is the one question everyone asks when you go and try to sell something on top of existing infrastructure. Although getting a new server seems to be an additional cost, if you analyze further, it is going to pay for itself very fast.
a) Since DMZ SPR runs over Windows, you need Microsoft CAL licenses for the number of users going to connect to TSE. You don’t need any CALs for Propalms VPN as it runs over customized Linux.
b) You do not need to worry about Antivirus, firewall for Propalms VPN. You can save on annual subscription for the same.
c) Propalms VPN does not require regular patching and updates like any Windows based server.
d) Propalms VPN is available as both Software VPN and Hardware VPN. You can use the same hardware running DMZ SPR, install Propalms VPN over it, and get a better, faster and scalable SSL gateway.
e) Two factor authentication is built into Propalms VPN, so you do not invest more for strong authentication. It comes with a built-in CA and hence there is no need to buy costly certificates for implementing client certificate based authentication.
Lastly, Propalms VPN comes with very attractive pricing for existing and new TSE customers.
The long wait for Propalms VPN has come to an end now. The good old vFortress VPN technology is now available with new features matching the current secure remote access demands. Propalms VPN is currently available as a software VPN with version number 3.4. It can be downloaded from http://www.propalms.com/freevpn, which is a free VPN instance for up to 10 users. By the end of next month, Propalms VPN will be available on proprietary hardware platforms for SMB as well as Enterprise customers. Till then you can run Propalms VPN on any x86 based hardware or virtualize it.
Just to give some background, Propalms VPN (earlier vFortress VPN) was first released in 2004. vFortress VPN was well accepted in India when it was first released, and there are still more than 30 customers using the vFortress VPN even though they did not have any support for 3 years after vFortress had to close down operations in 2006. The largest installation for vFortress VPN was 30,000 concurrent users. Currently the largest installation of Propalms VPN has 4000 concurrent users.
Propalms VPN is an SSL based clientless (agent based) as well as client based VPN solution. Although all the features are generic for any type of TCP/IP application, we made sure that VPN integration is simple for Propalms TSE customers. Propalms VPN provides SSO for the Propalms TSE launchpad portal, which means users need to authenticate only one time to the VPN gateway. The VPN then takes care of authenticating the user with Propalms TSE. This will enable customers to enable stronger multi-factor authentication policies for the Propalms TSE server and just any other application published over TSE or directly over VPN.
It should be interesting to know that Propalms VPN has a built-in client certificate based two factor authentication solution that supports automatic provisioning and revocation of digital certificates for users. Here is an article from NetworkWorld (http://www.networkworld.com/community/node/31124) that explains in detail why a client certificate based two factor solution is the most secure two factor authentication solution and in fact is the only solution that can thwart MITM attacks. Propalms VPN has had this feature tightly integrated in the solution since 2005. And if you go through the comments on the Network World article (http://www.networkworld.com/community/node/31124), Propalms VPN client certificate authentication has it all to make it completely secure: it does not send keys over the network, it generates the key pair on the end user machine, a lost laptop can be denied access by revoking the certificate from the VPN console in a single click, it has a built-in CA, etc. Just like client certificate based authentication, Propalms VPN has built-in biometric authentication support, which will enable customers to implement a third factor of authentication.
Endpoint security is a core element of a remote access solution, and so it is for Propalms VPN. We have integrated best-in-class endpoint security features which are on par with the likes of Juniper, Cisco or Aventail (now SonicWall).
The unique thing about Propalms VPN is that it is an “application” access gateway rather than a “network” extension VPN. Even though there is a client involved, it does not bridge the end user network with the corporate network, while still supporting any type of TCP and UDP based application. There are obvious threats involved which need a more detailed explanation, which will require another article. Propalms VPN delivers traffic only for a configured application from the end user machine to the corporate network. That gives administrators the much needed control and visibility to make sure authorized users access only “authorized” applications. It might involve a bit more administration, but it is worth taking the effort to publish individual applications rather than simply publishing a whole subnet or generally the whole corporate network.
There are more features, like application load balancing, Active-Active high availability, fake private network IP addresses and multiple ISP failover, which will interest customers of all sizes, verticals and markets.
I am sure Propalms TSE customers will be the first to try Propalms VPN, as they would like to get a faster and scalable SSL encryption platform compared to the Windows based DMZ SPR.
For more information go to http://www.propalms.com/products/propalms_vpn.php