Basic principles and requirements

The Secure Shadowing option can be enabled subject to the following requirements being met:

Basic technical principles:

Unlike with "normal" shadowing, the connection between the VNC viewer and the VNC server (on the client) is not established directly during secure shadowing. Instead, it runs via two proxies – one for the UMS console and one for the VNC server on the client. These proxies communicate via a TLS/SSL-encrypted channel, while the local communication, e.g. between the VNC viewer application and the UMS proxy, takes place in the conventional unencrypted manner. As a result, a secure connection can also be established with external VNC programs that do not support TLS/SSL connections.

The two proxies (UMS console and client) communicate with TLS/SSL encryption via the same port as the "normal" VNC connection: 5900. As a result, no special rules for firewalls need to be configured in order to perform secure shadowing.

If secure shadowing is active for a client under Setup > System > Shadowing > Secure Shadowing), the cliet generates a certificate in accordance with the X.509 standard and transfers it to the UMS Server when the system is next started. The UMS server checks subsequent requests for a secure VNC connection using the certificate. The certificate in PEM format can be found in the /wfs/ca-certs/tc_ca.crt directory on the client. The validity of the certificate can be checked on the (Linux) client using the command: x11vnc -sslCertInfo /wfs/ca-certs/tc_ca.crt

Thin client certificate for secure shadowing

If a UMS administrator calls up the Shadowing function in the UMS Console for the client, the console receives a signed request from the UMS Server which is then passed on to the client to be shadowed. This in turn passes on the request to the UMS server which checks the validity of the request using the original certificate. If this check is successful, the console reports that the channel for the connection between the proxies can be established. The UMS proxy on the console connects to the server proxy on the client, and the server proxy in turn establishes on the client the connection to its VNC server.

Only when these connections have been established does the console call up the VNC viewer which then connects to the console proxy. The VNC client and VNC server are now connected via the two proxies which transfer data with TLS/SSL encryption.

lock2

 

Secure shadowing can be enforced independently of the client configuration for all clients that support this function: UMS Administration > Global Configuration > Remote Access > Activate Global Secure VNC.