Your Desktop to Go! Anywhere, Anytime!
HOB Desktop-on-Demand is part of the comprehensive security solution HOB RD
VPN and HOB RD VPN Compact.
With HOB Desktop-on-Demand, an authenticated user can have secure,
SSL-encrypted remote access over a standard browser to his or her workplace PC.
If the PC has been switched off, it will be turned on automatically. The user
remotely accesses, for example, his workplace PC via the integrated Java RDP
client HOBLink JWT (Java Windows Terminal), usually over the Internet, from
home, a hotel, a business partner's location or from a laptop. Access from
Internet cafés is also possible, if desired (this can be disabled).
Someone who wants to use HOB Desktop-on-Demand does not have to install
anything on the local PC, nor are administrator rights required. This
browser-based solution is platform independent, i.e., access is available from
Windows, Linux or Apple Mac machines to enterprise-internal PCs.
HOB Desktop-on-Demand: Functional Principle
HOB Desktop-on-Demand is not a third-party service; rather, the components
are installed in the enterprise network, preferably in the DMZ (Demilitarized
Zone). As opposed to third-party services, the HOB solution has the advantage that
the data are sent only once over the Internet, so performance is higher and
response times are shorter.
The core component of HOB RD VPN is the server component,
HOB WebSecureProxy. The current version of the WebSecureProxy or, in short, WSP,
is 2.2, which is available for Windows, Linux and Unix in a total of 11
different platform-specific versions. The WSP can also run in HOB SCS, the
open-source Unix-based server operating system from HOB. HOB SCS stands for
Secure Communications Server.
The WSP works with SSL encryption. HOB SSL supports all
current encryption algorithms, including AES (Advanced Encryption Standard) with
key lengths of up to 256 bits.
The HOB WSP has a built-in Web server; components of the
Java RDP client HOBLink JWT are preferably downloaded from this integrated Web
server. It is also possible to perform a Java installation from the WSP’s
built-in Web server.
For server authentication over SSL, the WSP requires an
X.509 certificate, of the kind also used by Web servers with SSL / HTTPS.
A user can be authenticated in one of three different ways,
depending on the settings made during installation:
- Token with a one-time-password, e.g., RSA SecurID,
Premier Access or VASCO DigiPass
- Certificate for client-authentication over SSL
Authentication is made over a browser with an SSL / HTTPS
connection to the WSP. Thus, the authentication itself is encrypted and secure.
The HOB WSP has an integrated RADIUS interface so that
authentication can be performed against all conventional RADIUS servers.
As of HOB RD VPN 1.3 the client can also be inspected
according to specified criteria before access to enterprise-internal data is
allowed. When desired, this is determined during installation in the corporate
After a user has successfully authenticated himself to the
WSP over a browser, and wants to (after an optional selection of the target
server) access his desktop PC, the WSP will send a Wake-on-LAN packet to the
user’s desktop PC. Wake-on-LAN is a technology that has been around since 1995
and today is integrated into almost all PCs (e.g., in the network card).
Wake-on-LAN packets have to be sent as a UDP broadcast. If the WSP sits in the
DMZ, the firewall may block broadcast packets from entering the internal
network. There is also a solution for this: the WSP can instead send IP unicast
packets, which pass through the firewall and are then converted back into
broadcast packets by a Wake-on-LAN relay. Wake-on-LAN relays are available as
platform-independent software (Java) for installation on any server in the
corporate network. This server should then be kept running all the time.
HOB also can provide a hardware solution for the Wake-on-LAN relay; this is a
small, energy-efficient embedded Linux machine.
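As an added illustration (not HOB's code, and not part of the original text), the following Python shows the Wake-on-LAN magic-packet format described above and the decision a unicast-to-broadcast relay should make before rebroadcasting: forward only well-formed magic packets, and only for MAC addresses on an allowlist. The allowlist and the function names are assumptions for this example; the page does not describe how the HOB relay filters.

```python
"""Wake-on-LAN magic packet: builder, validator and relay decision (example code)."""
import re
import socket
from typing import Optional, Set, Tuple

WOL_PORT = 9  # the conventional Wake-on-LAN destination port (UDP discard)
_MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    match = _MAC_RE.match(mac.strip())
    if not match:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(group, 16) for group in match.groups())


def build_magic_packet(mac: str) -> bytes:
    """A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def extract_target_mac(data: bytes) -> Optional[str]:
    """Return the target MAC (lower-case, colon separated) if data is a well-formed magic packet.

    Trailing bytes after the 102-byte body are tolerated (some NICs append a password).
    """
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:  # all 16 repetitions must be identical
        return None
    return ":".join(f"{byte:02x}" for byte in mac)


def relay_decision(data: bytes, allowed_macs: Set[str]) -> Tuple[bool, str]:
    """Decide whether a unicast datagram received by the relay should be rebroadcast.

    Only syntactically valid magic packets whose target MAC is allowlisted are forwarded
    (the allowlist is an assumption of this example, not a documented HOB feature).
    """
    mac = extract_target_mac(data)
    if mac is None:
        return False, "not a magic packet"
    if mac not in allowed_macs:
        return False, f"target {mac} not in allowlist"
    return True, mac


def rebroadcast(data: bytes, broadcast_addr: str = "255.255.255.255", port: int = WOL_PORT) -> None:
    """Re-form the validated unicast datagram as a LAN broadcast (needs SO_BROADCAST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(data, (broadcast_addr, port))
```

A relay loop would receive on a UDP socket, call `relay_decision` on each datagram and hand only accepted packets to `rebroadcast`, logging the rejection reason otherwise.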
When a PC is booted over Wake-on-LAN, the RDP service takes a certain
amount of time to start after the computer has booted. The
Java RDP client, HOBLink JWT, waits until the WSP has established a session to
the desktop PC. The user is kept informed of the progress.
With Windows XP it takes about 1.5 minutes until the PC
has booted, the OS has started and the RDP server component is ready. If the user
wants faster access, he does not turn the desktop PC all the way off, but
uses the Windows function SUSPEND. All applications remain active, but the PC
draws no more power. If the network card receives the Wake-on-LAN packet while
the PC is in this state, Windows switches to the RESUME state and the user can
more quickly continue working where he previously left off.
If the desktop PC was left running, the user gets a
The WSP requires some data about the desktop PC in order to
switch on the corresponding, user-specific PC and connect to it. Required are
the client's Internet address and the network card's MAC address. This data,
together with the user ID and password, is saved in either the XML file of the
WSP configuration (HOB RD VPN Compact) or in the HOB Enterprise Access
HOB Desktop-on-Demand: Typical Deployment
HOB Enterprise Access uses either an integrated database or
the data are saved to an LDAP server. HOB Enterprise Access supports all
conventional LDAP servers as well as Microsoft Active Directory. If HOB
Enterprise Access is to save data to an LDAP server, the corresponding
structures have to be created via a schema extension.
HOB Desktop-on-Demand also has an integrated
component with which the Internet address and MAC address can easily be read out
of the desktop PC; this data is then entered into the configuration.
When the user has an active connection via the HOB Java RDP
client HOBLink JWT to his desktop, he can do anything he could do at his local
workstation. Thanks to the resource-sparing RDP protocol, this remote access is
The user can copy & paste between the local client and the
desktop PC over the RDP protocol and the clipboard. The user can also print on
the local client; this is made easy via HOB EasyPrint, which works
driver-independently. Sound, i.e., audio from the desktop PC can be output on
the local client. The integrated local-drive-mapping makes it possible to
exchange data between the local client and desktop PC. HOB Desktop-on-Demand is
suited for access to desktop PCs running Windows XP Pro or Windows Vista. The
corresponding home versions are not supported, as the integrated Microsoft RDP
server on them is not completely enabled.
For access to Linux machines using HOB
Desktop-on-Demand, HOB offers the add-on component X11Gate. HOB X11Gate translates
X11 (the X Window System) into RDP.
HOB has the HOB MAC-Gate, a solution for
Apple Mac OS X, under development. If the HOB MAC-Gate component is installed on a Mac OS X PC,
then HOB Desktop-on-Demand will function with it just as described above. HOB
Desktop-on-Demand is a part of the comprehensive security solution HOB RD VPN.
HOB RD VPN is certified by the BSI (Bundesamt für Sicherheit in der
Informationstechnik) in conformance with the Common Criteria. In larger
installations, all HOB RD VPN components can be deployed redundantly in the
corporate network. This avoids a single point of failure,
helping ensure uninterrupted operations.