By: HOB, 09-12-2011
Keywords: Remote Access, vpn, Comprehensive Security Solution

HOB Desktop-on-Demand

Your Desktop to Go! Anywhere, Anytime!

HOB Desktop-on-Demand is part of the comprehensive security solution HOB RD VPN and HOB RD VPN Compact.

With HOB Desktop-on-Demand, an authenticated user can have secure, SSL-encrypted remote access over a standard browser to his or her workplace PC. If the PC has been switched off, it is turned on automatically. The user accesses his or her workplace PC remotely via the integrated Java RDP client HOBLink JWT (Java Windows Terminal), usually over the Internet, from home, a hotel, a business partner's location or from a laptop. Access from Internet cafes is also possible if desired (it can be disabled).

Anyone who wants to use HOB Desktop-on-Demand does not have to install anything on the local PC, nor are administrator rights required. This browser-based solution is platform independent, i.e., access is available from Windows, Linux or Apple Mac machines to enterprise-internal PCs.

HOB Desktop-on-Demand: Functional Principle

HOB Desktop-on-Demand is not a third-party service; rather, the components are installed in the enterprise network, preferably in the DMZ (Demilitarized Zone). As opposed to third-party services, the HOB solution has the advantage that the data are sent only once over the Internet, so performance is higher and response times are shorter.

The core component of HOB RD VPN is the server component, HOB WebSecureProxy. The current version of the WebSecureProxy or, in short, WSP, is 2.2, which is available for Windows, Linux and Unix in a total of 11 different platform-specific versions. The WSP can also run in HOB SCS, the open-source Unix-based server operating system from HOB. HOB SCS stands for Secure Communications Server.

The WSP works with SSL encryption. HOB SSL supports all current encryption algorithms, including AES (Advanced Encryption Standard) with key lengths of up to 256 bits.

The HOB WSP has a built-in Web server; components of the Java RDP client HOBLink JWT are preferably downloaded from this integrated Web server. It is also possible to perform a Java installation from the WSP’s built-in Web server.

For server authentication over SSL, the WSP requires an X.509 certificate, of the same kind that is used, for example, by Web servers with SSL / HTTPS.

A user can be authenticated in one of three different ways, depending on the settings made during installation:

  • Token with a one-time password, e.g., RSA SecurID, Premier Access or VASCO DigiPass
  • Certificate for client-authentication over SSL

Authentication is made over a browser with an SSL / HTTPS connection to the WSP. Thus, the authentication itself is encrypted and secure.

The HOB WSP has an integrated RADIUS interface, so that authentication can be performed against all conventional RADIUS servers.

As of HOB RD VPN 1.3, the client can also be inspected according to specified criteria before access to enterprise-internal data is allowed. If desired, this is configured during installation in the corporate network.

After a user has successfully authenticated to the WSP over a browser and wants to access his desktop PC (after an optional selection of the target server), the WSP sends a Wake-on-LAN packet to the user's desktop PC. Wake-on-LAN is a technology that has been around since 1995 and is today integrated into almost all PCs (e.g., in the network card). Wake-on-LAN packets have to be sent as a UDP broadcast. If the WSP is in the DMZ, the firewall may block broadcast packets from entering the internal network. There is also a solution for this: the WSP can instead send IP unicast packets, which easily pass the firewall and are then converted back into broadcast packets by a Wake-on-LAN relay. Wake-on-LAN relays are available as platform-independent software (Java) for installation on any server in the corporate network; this server should then be kept running all the time. HOB can also provide a hardware solution for the Wake-on-LAN relay: a small, energy-efficient embedded Linux machine.
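The relay step described above, shown as an added Python example (a hypothetical illustration written for this page, not HOB's Wake-on-LAN relay software): a Wake-on-LAN "magic packet" is six 0xFF bytes followed by the target MAC address repeated sixteen times, carried in a UDP datagram; the WSP in the DMZ can send it as unicast to a relay host in the internal network, and the relay re-emits it as a subnet broadcast so the sleeping PC's network card sees it. All function and class names, the allow-list policy, the sample MAC address 00:11:22:33:44:55 and the broadcast address are constructed assumptions. From the relay operator's side, the check worth having is that only a well-formed magic packet for a known machine is ever rebroadcast, which is what `decide` enforces.

```python
"""Wake-on-LAN magic packet and unicast-to-broadcast relay check.

Added illustration, not HOB's relay code. The packet layout (6 x 0xFF, then the
target MAC 16 times, 102 bytes, conventionally on UDP port 9) is the standard
magic-packet format; the allow-list policy and all names are constructed.
"""
import socket
from typing import Iterable, Optional

MAGIC_SYNC = b"\xff" * 6   # synchronisation stream that opens every magic packet
MAGIC_LEN = 6 + 6 * 16     # 102 bytes in total
WOL_PORT = 9               # UDP port conventionally used for Wake-on-LAN


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet = sync stream + target MAC repeated 16 times."""
    return MAGIC_SYNC + parse_mac(mac) * 16


def extract_target_mac(payload: bytes) -> Optional[bytes]:
    """Return the MAC a well-formed magic packet addresses, or None.

    Only an exact 102-byte packet whose 16 MAC copies are identical is accepted,
    so truncated or random datagrams reaching the relay are never rebroadcast.
    """
    if len(payload) != MAGIC_LEN or payload[:6] != MAGIC_SYNC:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:
        return None
    return mac


class WakeOnLanRelay:
    """Models the relay inside the corporate network.

    The WSP in the DMZ sends the magic packet as a unicast UDP datagram to the
    relay (the firewall passes unicast but not broadcast); the relay re-emits
    it as a subnet broadcast so the sleeping PC's network card can see it.
    """

    def __init__(self, allowed_macs: Iterable[str],
                 broadcast_addr: str = "255.255.255.255", port: int = WOL_PORT):
        # Allow-list of MACs the relay is willing to wake (constructed policy).
        self.allowed = {parse_mac(m) for m in allowed_macs}
        self.broadcast_addr = broadcast_addr
        self.port = port

    def decide(self, payload: bytes) -> str:
        """Classify an incoming unicast datagram; only 'broadcast' is re-emitted."""
        mac = extract_target_mac(payload)
        if mac is None:
            return "drop: malformed magic packet"
        if mac not in self.allowed:
            return "drop: MAC not on allow-list"
        return "broadcast"

    def relay(self, payload: bytes, sock=None) -> bool:
        """Rebroadcast an accepted payload; returns True if it was sent."""
        if self.decide(payload) != "broadcast":
            return False
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(payload, (self.broadcast_addr, self.port))
        return True


def serve(relay: WakeOnLanRelay, listen_addr: str = "0.0.0.0",
          port: int = WOL_PORT) -> None:
    """Blocking loop a relay host would run: receive unicast, rebroadcast if accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((listen_addr, port))
        while True:
            payload, src = sock.recvfrom(512)
            print(f"{src[0]}: {relay.decide(payload)}")
            relay.relay(payload)


if __name__ == "__main__":
    # Constructed sample MAC for the desktop PC the WSP wants to wake.
    relay = WakeOnLanRelay(allowed_macs=["00:11:22:33:44:55"])
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), relay.decide(pkt))                             # 102 broadcast
    print(relay.decide(build_magic_packet("66:77:88:99:aa:bb")))   # drop: MAC not on allow-list
    print(relay.decide(pkt[:-1]))                                  # drop: malformed magic packet
```

The `serve` loop is what a real relay host would run continuously; `decide` is kept separate from the socket code so the acceptance rule can be tested without sending anything on the network.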

When a PC is booted via Wake-on-LAN, it takes a certain amount of time after the computer has booted for the RDP services to start up. The Java RDP client, HOBLink JWT, waits until the WSP has established a session to the desktop PC. The user is kept informed of the progress.

With Windows XP it takes about 1.5 minutes until the PC has booted, the OS has started up and the RDP server component is ready. If the user wants faster access, he does not turn the desktop PC all the way off, but uses the Windows function SUSPEND. All applications remain active, but the PC no longer draws any current. When the network card receives the Wake-on-LAN packet in this state, Windows switches to the RESUME state and the user can more quickly resume working where he previously left off.

If the desktop PC was left running, the user gets a session immediately.

The WSP requires some data about the desktop PC in order to switch on the corresponding, user-specific PC and connect to it. Required are the client's Internet address and the network card's MAC address. These data, together with the user ID and password, are saved either in the XML file of the WSP configuration (HOB RD VPN Compact) or in the HOB Enterprise Access component.

HOB Desktop-on-Demand: Typical Deployment Scenario

HOB Enterprise Access uses either an integrated database, or the data are saved to an LDAP server. HOB Enterprise Access supports all conventional LDAP servers as well as Microsoft Active Directory. If HOB Enterprise Access is to save data to an LDAP server, the corresponding structures have to be created via a schema extension.

HOB Desktop-on-Demand also includes an integrated component with which the Internet address and MAC address can easily be read from the desktop PC; these data are then entered into the configuration.

When the user has an active connection via the HOB Java RDP client HOBLink JWT to his desktop, he can do anything he could do at his local workstation. Thanks to the resource-sparing RDP protocol, this remote access performs very well.

The user can copy & paste between the local client and the desktop PC over the RDP protocol and the clipboard. The user can also print on the local client; this is made easy via HOB EasyPrint, which works driver-independently. Sound, i.e., audio from the desktop PC can be output on the local client. The integrated local-drive-mapping makes it possible to exchange data between the local client and desktop PC. HOB Desktop-on-Demand is suited for access to desktop PCs running Windows XP Pro or Windows Vista. The corresponding home versions are not supported, as the integrated Microsoft RDP server on them is not completely enabled.

To access Linux machines using HOB Desktop-on-Demand, HOB offers the add-on component X11Gate. HOB X11Gate translates X11 (the X Window System) into RDP.

HOB is developing HOB MAC-Gate, a solution for Apple Mac OS X. If the HOB MAC-Gate component is installed on a Mac OS X PC, HOB Desktop-on-Demand works with it just as described above. HOB Desktop-on-Demand is part of the comprehensive security solution HOB RD VPN. HOB RD VPN is certified by the BSI (Bundesamt für Sicherheit in der Informationstechnik) in conformance with the Common Criteria. In larger installations, all HOB RD VPN components can be laid out redundantly in the corporate network. This avoids a single point of failure and helps ensure uninterrupted operations.

JR 01.07.11


Other products and services from HOB

HOB MacGate

All components and elements of the Mac user interface such as the menu list, dock, icons and the program windows are fully functional in the Remote Desktop session. It requires only the HOB remote access solution HOB RD VPN (Remote Desktop Virtual Private Network) and the HOB WebSecureProxy. This access is possible from every client platform: Windows PC, Linux PC, Thin-Client or even from another Mac.

HOB RD VPN can be used to replace traditional, rather inflexible hardware appliance solutions with a flexible and quickly adaptable "software appliance" - in light of increasing virtualization, this advantage is not to be underestimated. It makes absolutely no difference whether your data and applications are on a Windows Terminal Server, virtualized Windows systems, Unix/Linux servers, a traditional host, or even a personal computer.

HOB PPP Tunnel

HOB RD VPN NetAccess is part of the comprehensive security solution HOB RD VPN and uses the HOB PPP Tunnel to provide complete network access to all resources in the central corporate network. This access is also bi-directional. The HOB WSP has a built-in Web server, and the HOB PPP Tunnel components are downloaded from this Web server. Approximately 300 kilobytes are downloaded.

Kerberos Authentication 3270

Unlike other "Single Sign-On" solutions, in which passwords are stored locally and, when desired, entered automatically without user intervention, with Kerberos no passwords are stored locally. The IBM mainframe, in many enterprises still an indispensable pillar of the IT infrastructure, can now be integrated with its 3270 applications into a Kerberos environment.