Deployment
G/On makes it easier to manage secure access to applications for both employees and external partners.
The G/On Server is a small footprint Windows server application. It is typically installed on a dedicated server behind the main perimeter firewall together with the network’s application servers. Its primary tasks are to:
The G/On Server includes a comprehensive set of tools for connecting to different applications, and for defining precisely how each user can access those applications based on different parameters.
G/On Server Configuration
Configuring the G/On Server involves using the G/On Admin module to:
Application Enablement
G/On is used to connect users to applications including:
Click here for more information on how G/On adds value to specific applications. (Note: Configuring the G/On Server to access applications will typically require the services of a Giritech Certified Partner.)
The G/On Clients
There are two G/On Clients: the Desktop Client and the USB Client. From the administrator's point of view they are basically the same and can be treated as such when it comes to deploying applications and menus.

G/On USB offers maximum mobility: it can be used from virtually any Windows PC that meets the basic technical specifications and has a port open to the internet. The key can carry its own versions of the needed application clients and is made to autolaunch when inserted, making it very user-friendly.

G/On Desktop is installed on the PC hard drive as a normal application and places an icon on the desktop for users to activate when they want to access a remote application. It is an economical alternative for users who always connect from the same PC, because the PC itself effectively becomes the unique "token" needed for authentication, so no G/On USB key is required.
Deploying the Clients
The G/On USB keys can be distributed by post or in person. G/On Desktop clients can be sent by email or pre-installed on corporate PCs. The first time a user logs on, the IT administrator must confirm the connection and register that the hardware device on which the G/On client is installed is now part of the system. This one-time "adoption" process is what ties a specific physical device to the user, and it is essential for the validity of G/On's two-factor user authentication: a client that has not been adopted is not trusted, whatever credentials are presented.
The G/On Connection Process
The G/On Server has one TCP port open for incoming connections and forwards the relevant parts of each connection to the applications on the network that it is configured to use. Forwarding only begins once a connection has been established after authentication of both the client and the user.

The G/On Server first authenticates the G/On client, either G/On USB or G/On Desktop, based on the unique USB serial number or on various unique identifiers of the PC on which the G/On Desktop client is installed. It then evaluates its connection rules, allowing or denying access to that client. Only if it can confirm that the G/On client belongs to its "family" does the G/On Server go on to authenticate the user, based on the user's network username and password, either against Microsoft Active Directory (AD) or, if AD is not used, against G/On's own internal user directory (called EDMS). AD is not queried until the G/On Server has verified that the user exists in the EDMS. AD is never exposed to the client, and passwords are never stored outside AD.

Depending on the AD groups the user belongs to and the zone that the connection matches, specific menus with applications and/or gateways are presented to the user. The administrator can also make menu items auto-launch when the connection is established.
Upgrading the G/On Client
Upgrading the client software involves using the G/Update client, deployed as part of the G/On client package. G/Update implements remote updating of all client software, so the IT administrator manages all user software centrally. The G/On Server can be configured to "force" an update, i.e. the user is not allowed to connect until they have received the latest software. Alternatively, the G/On client can be allowed to check for updates and download them when convenient.
Dynamic Menus
Changes to users' rights and privileges are typically enforced within 60 seconds of being made in G/On Admin or of synchronization with Active Directory. This means new applications can be made available, or removed, on the fly with no user intervention, even during a session.
G/On Zones
G/On uses Zones to regulate which applications users can access, and at what level of access, based on where they are logging in from (i.e. their IP address) and on details of the PC hosting the connection. For example, when people connect from "trusted" networks and/or PCs it makes sense to give them full access. If they log on from an Internet cafe, i.e. an "unknown" zone, you can configure the G/On Server to let them do no more than read their email in a terminal session. There is no limit to the number of Zones that can be defined, or to the number of rules used to define them.
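The connection process and the zone model above are a policy pipeline: authenticate the device, check the user exists locally, only then consult the directory, then derive the menu from zone and group membership. The following is an added illustrative model of that ordering written for this page; it is not Giritech code and does not reflect G/On's internal data formats. The device registry, EDMS user table, the stand-in for Active Directory, the CIDR-based zone rules and the menu table are all constructed sample data, and the AD query counter exists only to show when the directory is (and is not) consulted.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# --- Constructed sample data (not from the page) -------------------------

# Devices that have completed the one-time adoption step. The key is the
# identifier the client presents: a USB serial number for the USB client
# or a PC fingerprint for the Desktop client. Un-adopted devices are absent.
ADOPTED_DEVICES = {"USB-SN-00A1", "PC-FP-7F3C"}

# EDMS-style local directory: known users and the AD groups they belong to.
EDMS_USERS = {"alice": {"Sales", "Staff"}, "bob": {"Staff"}}

# Stand-in for Active Directory. The model only ever asks it yes/no and
# counts the calls, so the tests can show AD is untouched for unknown
# devices and unknown users.
_AD_SECRETS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}
AD_QUERIES = {"count": 0}


def ad_authenticate(user, password):
    """Hypothetical AD check; constant-time compare avoids a timing oracle."""
    AD_QUERIES["count"] += 1
    expected = _AD_SECRETS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple            # source IP must fall inside one of these
    device_prefixes: tuple = ()  # if set, device id must start with one


# First matching zone wins; anything unmatched lands in "unknown".
ZONES = (
    Zone("trusted",
         (ipaddress.ip_network("10.0.0.0/8"),
          ipaddress.ip_network("192.168.10.0/24")),
         device_prefixes=("PC-",)),          # corporate desktops only
    Zone("home", (ipaddress.ip_network("203.0.113.0/24"),)),
)
UNKNOWN_ZONE = "unknown"

# Menu items keyed by (zone, AD group); the unknown zone gets only a
# terminal-session mail client, as the page's Internet-cafe example suggests.
MENUS = {
    ("trusted", "Staff"): ["Email (Outlook)", "File shares"],
    ("trusted", "Sales"): ["CRM client"],
    ("home", "Staff"): ["Email (Outlook)"],
    (UNKNOWN_ZONE, "Staff"): ["Email (terminal session)"],
}


def match_zone(source_ip, device_id):
    """Return the first zone whose IP range and device rule both match."""
    ip = ipaddress.ip_address(source_ip)
    for zone in ZONES:
        in_range = any(ip in net for net in zone.networks)
        device_ok = not zone.device_prefixes or device_id.startswith(zone.device_prefixes)
        if in_range and device_ok:
            return zone.name
    return UNKNOWN_ZONE


def connect(device_id, user, password, source_ip):
    """Model the server-side decision; returns (granted, zone_or_reason, menu)."""
    # 1. Authenticate the client device before looking at any user data.
    if device_id not in ADOPTED_DEVICES:
        return False, "device not adopted", []
    # 2. The user must exist in EDMS before AD is queried at all.
    groups = EDMS_USERS.get(user)
    if groups is None:
        return False, "user not in EDMS", []
    # 3. Only now is AD asked to verify the password.
    if not ad_authenticate(user, password):
        return False, "AD rejected credentials", []
    # 4. Zone from source IP plus device; menu is the union over the user's groups.
    zone = match_zone(source_ip, device_id)
    menu = sorted({item for g in groups for item in MENUS.get((zone, g), [])})
    return True, zone, menu


if __name__ == "__main__":
    print(connect("PC-FP-7F3C", "alice", "s3cret-alice", "10.1.2.3"))
    print(connect("USB-SN-00A1", "alice", "s3cret-alice", "10.1.2.3"))
```

Note the order of the early returns: a stranger's USB key or an unknown username is rejected without the directory ever being contacted, so the AD counter only moves once both the device and the EDMS lookup have passed. The same adopted user gets a full menu from a corporate desktop on the internal range but only the terminal-session mail item when the USB key is plugged into an unrecognised PC, which is the zone behaviour the page describes.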
Logon Security Features
To enhance the security of the authentication process, the G/On Server can also be configured to enforce different features designed to hinder scripted logon attacks. These include: