Sunray 270 Client

Ray @Home howto part 1 (quick and dirty)

This part will cover how I accomplished getting a Sun Ray to run at home over a DSL and Cable modem. This is using SRSS 3.1. (Part 2, which I will do later, is for SRSS 2.0 and 3.0.) This is a quick and dirty howto, and assumes that you already have SRSS 3.1 up and running on your local network and have some understanding of DNS, ipfilter, and Cisco access lists (or equivalent).

Here is a quick overview

1. Make sure specific ports are open to the server
2. Turn on LAN connections
3. Make sure the Sun Ray has the latest firmware for SRSS 3.1 that is available
4. Add DNS entries
5. Configure Home network
6. Enjoy Sun Ray from Home

More Detailed Instructions

Configure Network to allow Specific ports to Sun Ray Server

These are the rules I used on my Cisco router (10.10.10.101 is the public IP address of the server, just changed to hide its real IP):

access-list 16 permit tcp any host 10.10.10.101 eq 7007
access-list 16 permit tcp any host 10.10.10.101 eq 7008
access-list 16 permit tcp any host 10.10.10.101 eq 7009
access-list 16 permit udp any host 10.10.10.101 eq 7009
access-list 16 permit tcp any host 10.10.10.101 eq 7010
access-list 16 permit tcp any host 10.10.10.101 eq 7011
access-list 16 permit tcp any host 10.10.10.101 eq 7012
access-list 16 permit tcp any host 10.10.10.101 eq 7013
access-list 16 permit udp any host 10.10.10.101 eq 7013
access-list 16 permit udp any host 10.10.10.101 range 40000 42000
access-list 16 permit tcp any host 10.10.10.101 eq 80

Now that I have these ACLs set up, ANY machine/Sun Ray on the Internet can get to the Sun Ray server. So to fix this I did the following:

Set up a web server that runs on the Sun Ray server (or some place else if you wish). The purpose of this web server is to allow your users to "register" their Sun Ray to use the server. When I say "register", what I mean is this:

1. By default I have IPFilter configured (the machine is running Solaris 10) to deny all incoming traffic except for port 80.

2. The user then must go to the web server and log in with their username and password. The web page will ask them if their IP is correct; if it is not, they can update it. Once they update it, a cron job that runs in the background creates new IPFilter rules and reloads the ipfilter firewall.

3. The user can then power on their Sun Ray. They will then get the Secured Login, where they have to have a registered Java Card, or they can register their Java Card if they have a valid username and password on the box.

4. The user should now be able to log in.

The reason I did it this way was I did not want anyone in the world to be able to configure their Sun Ray to see my Sun Ray server. This way I am only allowing "known" people to get to it.

The way I store the IPs is in a MySQL db on the Sun Ray server. To reload the firewall I run this script as a cron job that runs every minute:

#!/bin/ksh
#purpose is to reload the ipfilter firewall rules for when a new sunray needs access to the server
#Runs every minute from a cron job
rm -f /root/ipf.conf.tmp
/usr/local/bin/php /root/exportipf > /root/ipf.conf.tmp

FILESIZE="`wc -l /root/ipf.conf.tmp |awk '{print $1}'`"
if [[ ${FILESIZE} -gt 0 ]]; then
        rm -f /etc/ipf/ipf.conf
        cat /etc/ipf/ipf.conf.head > /etc/ipf/ipf.conf
        cat /root/ipf.conf.tmp >> /etc/ipf/ipf.conf
        ipf -Fa -f /etc/ipf/ipf.conf
        rm -f /root/ipf.conf.tmp
fi

The contents of the ipf.conf.head file look like this:

block in log on ge0 all
pass out quick on ge0 all keep state
pass in quick on ge0 proto tcp from any to any port = 80 flags S keep state

The exportipf file is a PHP script that looks like this:

<?php
mysql_connect("localhost","root");
mysql_select_db("sunray");
$result=mysql_query("select count(*) as count from homeusers where active='N'");
$num=mysql_result($result,0,"count");
if ($num > 0) {
        //New IP address has shown up, create new set of rules
        $result=mysql_query("select ipaddress,who from homeusers order by ipaddress");
        $num=mysql_num_rows($result);
        $i=0;
        while ($i < $num) {
                $ipaddress[$i]=mysql_result($result,$i,"ipaddress");
                $who[$i]=mysql_result($result,$i,"who");
                echo "#$who[$i]\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7007 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7008 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7009 flags S keep state\n";
                echo "pass in quick on ge0 proto udp from $ipaddress[$i]/32 to any port = 7009 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7010 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7011 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7012 flags S keep state\n";
                echo "pass in quick on ge0 proto tcp from $ipaddress[$i]/32 to any port = 7013 flags S keep state\n";
                echo "pass in quick on ge0 proto udp from $ipaddress[$i]/32 to any port = 7013 flags S keep state\n";
                echo "pass in quick on ge0 proto udp from $ipaddress[$i]/32 to any port 40000 >< 42000 flags S keep state\n";
                echo "\n\n";
                mysql_query("update homeusers set active='Y' where ipaddress='$ipaddress[$i]'");
                $i++;
        }
}
?>
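The reload script runs as root and loads whatever exportipf prints, and the ipaddress and who values come from the registration web page, so it is worth checking the generated fragment before it reaches /etc/ipf/ipf.conf. The following is an added example, not part of the original post: the function names valid_ipv4, rules_ok and build_conf are hypothetical, and it assumes a sed that supports -E.

```shell
#!/bin/sh
# Added example (not the author's script): vet the rule fragment produced by
# exportipf before the cron job appends it to the live ipfilter configuration.

# Return 0 if $1 is a single dotted-quad IPv4 address, every octet 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) bad = 1 }
        END { exit (bad || NR != 1) }'
}

# Return 0 only if every line of file $1 is blank, a comment, or a pass rule
# for one /32 source on the Sun Ray ports the howto opens (7007-7013 and the
# 40000 >< 42000 range). Any other line, such as one smuggled in through a
# newline in the "who" field, makes the whole fragment fail.
rules_ok() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        ip=$(printf '%s\n' "$line" | sed -n -E \
          's#^pass in quick on ge0 proto (tcp|udp) from ([0-9.]+)/32 to any port (= 70(0[7-9]|1[0-3])|40000 >< 42000) flags S keep state$#\2#p')
        [ -n "$ip" ] && valid_ipv4 "$ip" || return 1
    done < "$1"
    return 0
}

# Assemble head ($1) + fragment ($2) into $3. Returns 2 when there is nothing
# new, 1 when the fragment is rejected; the live file is replaced only on 0.
build_conf() {
    head=$1 frag=$2 out=$3
    [ -s "$frag" ] || return 2
    rules_ok "$frag" || return 1
    cat "$head" "$frag" > "$out.new" && mv "$out.new" "$out"
}
```

In the reload script this would replace the rm/cat sequence: call build_conf with /etc/ipf/ipf.conf.head, /root/ipf.conf.tmp and /etc/ipf/ipf.conf, and run ipf -Fa -f /etc/ipf/ipf.conf only when it returns 0.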

Now that the ports are "open", we need to make sure the Sun Rays can connect. To do this we need to turn on LAN connections:

/opt/SUNWut/sbin/utadm -L on

Now, add the following entries into your DNS for the domain you want the Sun Rays to query:

sunray-config-servers   IN      A       10.10.10.101
sunray-servers          IN      A       10.10.10.101

So we would now have FQDNs of sunray-config-servers.someplace.net and sunray-servers.someplace.net.

Now it is time to take the Sun Ray home and configure your home network. I am going to assume that you have some sort of "firewall/router" device, such as a Linksys Broadband router, etc. The key thing you need to do is configure the DNS domain that is handed to your DHCP clients to be the same as the one you made your DNS host entries in. So in our case, I would configure the DNS domain to be someplace.net. Now you should be able to boot your Sun Ray and get a "login screen" or some other response codes from the server. I have noticed that sometimes the Sun Ray will stay on a 26B; if this happens, you can insert your Java Card, and a login screen should come up. I have not quite figured out what causes it.

Hopefully this will help those running SRSS 3.1. I will put the instructions for version 2 and 3.0 up later, as they are far more involved and require more hardware to do. But since 3.1 is now "free", everyone should be using it, or moving to it soon!

Some Notes about using a Sun Ray at home:

1. USB thumb drives/CD-ROMs/hard drives do not work if you are behind a NAT device
2. Depending on your connection speed, you may want to disable all background images, and any "fancy" items such as anti-aliased fonts, shadows, network connection app, etc.
3. Streaming audio will start out a little shaky, but "will" work if nothing else is happening. (This is based on trying it with a cable modem and DSL modem.)
4. I have not tried to upgrade the firmware remotely on the Sun Rays; currently I just have the users bring it back in to the office to have the firmware upgraded

http://blogs.sungeek.net/unixwiz/2006/03/22/sun-ray-home-howto-part-1/

Sun Ray 270 with Wireless VPN Access

We were challenged recently to demonstrate the capabilities of our Sun Ray 2 technology with the embedded VPN feature to several customers that required wireless networking.  So here is what was done to showcase this technology.

We had on hand a Sun Ray 270 thin client which had the latest firmware that allows configuration of the integrated VPN. We employed the help of a LinkSys Wireless-G Access Point, model number WAP54G revision 3.1 with firmware version V3.04, dated December 27, 2007. The WAP was configured via the web interface to function as an "access point client" prior to connection to the Sun Ray 270. Doing so allows a hard-wired Ethernet device to plug in and participate on a wireless network. To put the WAP in "access point client" mode, the MAC address of the remote access point is required. The LinkSys WAP web interface has the facility to conduct a site survey to determine existing access points and allows for the selection of a remote access point.

Here are the steps taken to get connected.

Ensure you have a Sun Ray 2 or 270 thin client with the latest firmware with VPN capabilities.

Get and configure a wireless access point (WAP) via another computer.

Verify connection to the wireless network with that computer.

Connect the WAP to the Sun Ray.

Power on the Sun Ray.

If previously configured to access a VPN, you will be prompted for a username and a one-time password generated via a secure ID device.

Your internal login screen will be displayed. If you have deployed smart cards, insert one at this point.

If a previous session exists, you will be shown a lock screen; enter your password.

The Sun Ray should come to life and your desktop through the VPN should be displayed with the applications you had previously started.
