HTTPS Tunneling
When providing employees or business partners remote access to host applications various network infrastructures and security policies must be considered. For example, policies may enforce that only certain applications can initiate outgoing traffic, or firewalls may allow outgoing traffic only on defined ports. The HTTPS tunneling architecture takes advantage of the SSL capabilities of client browsers and the web server to achieve secure transport with no changes to existing client-side or corporate network structures or policies.
All Crystal Point Web products (OutsideViewWEB, AppView, and AppViewXS) can use the host server's security capabilities. If your web servers support HTTPS, our software can use it to secure the communication circuit between the workstation and the web/web application server.
Web servers installed on the NonStop host that are configured as HTTPS-capable already provide a secure communications circuit from end to end.
HTTPS-capable web servers installed on intermediate platforms may require added security to provide end-to-end encryption. With this configuration, the communications segment between the end user and the web server is secure; however, traffic 'upstream' between the web server and the host is usually carried over unsecured Telnet. Therefore, if your organization requires end-to-end secure communications between the web server and the host, either a hardware security device (such as a firewall or router) or security software is necessary.
Crystal Point offers a software solution: a tunneling capability that receives the workstation data from the web server and re-encrypts it within a secure protocol for transport via either SSL or SSH2. Just as the HTTPS protocol secures the communications between the end user and the web server, the tunneling capability secures the communications between the web server and the host. This provides complete, end-to-end security.
NOTE: Host systems must be able to process encrypted traffic. This functionality can be added on NonStop systems by our NSSL or NSSH products.
If end-to-end encryption is required, the tunneling servlet can provide it via the SSL or SSH2 protocols (if the tunneling servlet is installed at a web server residing on the host system), even when Telnet is used.
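Before relying on the upstream hop being protected, a deployment engineer will want to confirm that the host-side listener the web server forwards to actually speaks TLS rather than cleartext Telnet. The following is an added example, not Crystal Point code: it probes a host and port for a TLS handshake, falls back to looking for Telnet option negotiation, and includes a constructed loopback stand-in for an unwrapped Telnet service so it can be run offline (the host, port and greeting bytes are assumptions, not values from this page).

```python
import socket
import ssl
import threading

# Telnet option negotiation a host telnetd typically opens with (IAC DO ...); constructed sample.
TELNET_GREETING = b'\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27'

def classify_upstream(host, port, timeout=3.0):
    """Classify the web-server-to-host hop: 'tls', 'telnet-cleartext', 'unknown' or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking whether TLS is spoken, not whether the cert is trusted
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return 'tls'  # handshake completed: the host listener is wrapped (e.g. an SSL proxy)
    except (ssl.SSLError, ConnectionError, socket.timeout):
        pass  # not TLS (the listener answered with non-TLS bytes); fall through to the plain probe
    except OSError:
        return 'unreachable'
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                banner = raw.recv(16)
            except OSError:
                banner = b''
    except OSError:
        return 'unreachable'
    # A Telnet server starts with IAC (0xFF) option negotiation, so this hop carries cleartext.
    return 'telnet-cleartext' if banner[:1] == b'\xff' else 'unknown'

def start_fake_telnet_listener(connections=2):
    """Constructed loopback stand-in for an unwrapped host Telnet service; returns its port."""
    srv = socket.socket()
    srv.bind(('127.0.0.1', 0))
    srv.listen(connections)
    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.sendall(TELNET_GREETING)
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # drain whatever the probe sent (e.g. a ClientHello) before closing
                except OSError:
                    pass
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `classify_upstream(host, port)` against the port the tunneling servlet or web server is configured to forward to; a result of `telnet-cleartext` means that segment still needs the SSL/SSH2 tunnel or a hardware device in front of the host.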
Some of the advantages of this technology are:
- If the user's browser can communicate with your web site via HTTPS then the host connection/tunnel will also work.
- Host access may be more easily coordinated with the security personnel. No additional ports have to be opened in the exterior firewalls or web proxies as the default HTTPS web access ports are used.
- Access is easier from the client workstation. The browser is responsible for proxy traversal and, in the case of IE, can handle proxy servers that require "NTLM" login, etc.
- Access controls for the web server can automatically be applied to further enhance security (e.g., client side certificates).
- Any infrastructure enhancements for security on the web server/client can be automatically supported (smart cards, access tokens, etc.).
Since tunneling makes heavy use of HTTPS, some web server tuning considerations may apply depending on the size of your remote population.