Reach Gateway Security
See also: Goverlan Security
The Goverlan solution has been embraced by the Enterprise for its secure implementation. The Goverlan Reach Gateway Services now extends Goverlan to the outside, therefore security is a priority in its design. The following section lists a short set of primary security validation points implemented within Goverlan Reach Gateway Services. If you need further information, contact our Support Team.
Server Identity Verification
To guarantee the identity of the Reach Authority and prevent domain name high-jacking and service rerouting, a TLS handshake can be enforced between the client and the server.
To enable a TLS handshake, you must bind a Public Certificate issued by a Trusted Root Authority to the Reach public facing FQDN.
For assistance configuring a TLS certificate for the server, see Goverlan Reach Gateway and TLS.
This is done in the Reach Settings of the Goverlan Reach Server options:
If TLS identity verification is enabled, client machines will reject any connection to a Reach server that fails validation.
Encrypted communications
All client/server communications are encrypted using the strong AES 256bit cipher specification.
Authenticated and approved actions
Reach clients are manageable via the Goverlan Services, however, Reach does not automatically grant privileges to a machine. Goverlan uses native Windows security to authenticate the Reach Operator and requires appropriate credentials to perform any action on the local machine. If an Operator doesn’t hold explicit privileges to perform an action, then they will be prompted to provide appropriate credentials.
By default, a Reach Operator must hold Local Administrative privileges on a machine in order to remote control it. Other management actions are approved based on the required privilege of the action as configured within Windows.
Goverlan automatically authenticates operators using Microsoft’s SSPI technology (Security Service Provider Interface). Microsoft’s SSPI technology allows clients and servers to establish and maintain a secure channel, provide confidentiality, integrity, and authentication. Using SSPI, Goverlan guarantees the identification of the Operator to the client and impersonates the administrator’s credentials locally to authorize the request.
This security model does not apply during On-Demand Reach support assistance session. In such sessions, the privilege level acquired is set by the client user who initiated the session.
Auditing
Goverlan audits all remote system accesses and reports it locally in the system’s event log as well as centrally to the Goverlan Reach Server. Additionally, during On-Demand Remote Support session, the end user can review support actions performed on their system at any time.
No outside Operators Allowed
As an additional security measure, Goverlan Operators are not authorized to use Goverlan Reach Gateway Services if they are outside of the organization. A Goverlan Operator can only request Reach Services if they are within the private network where the Reach Server is installed.