Policy

The Policy tab (under the Advanced tab) enables the definition of high-level access rules either for users with smart cards or for users without smart cards (the latter automatically take advantage of pseudo-tokens; see the Tokens help page). For example, you can allow only users with registered smart cards (tokens) to access Sun Ray sessions. You can also choose whether or not users are allowed to self-register their tokens.

You may also allow session access from Sun Desktop Access Clients in addition to Sun Ray DTUs. Such access, if allowed at all, is still subject to all policies that apply to DTUs.

Some check boxes or radio buttons in the Admin GUI are enabled or disabled, based on your selections, to prevent invalid policies from being specified.

Additional settings that may be offered, depending on your operating system and Sun Ray Server Software configuration, include:

When Client Authentication is enabled in the Security tab, a DTU whose key has not been confirmed as valid for that DTU is still allowed access to Sun Ray sessions by default, unless there is a conflict because the DTU identifier (the MAC address) has been used with multiple keys. If you want to deny access to all DTUs whose key has not been explicitly confirmed as valid, you must set the Client Key Confirmation Required option. Once this option is checked, any new DTU is denied a regular session when first used. To allow session access, you must first inspect the submitted key and confirm it as valid. When you set the Client Key Confirmation Required option, you should also set the Client Authentication Security Mode to 'hard' in the security configuration, so that clients that do not participate in client authentication at all are rejected as well.
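The interaction of these settings is easiest to see as a decision function. The Python model below is an added illustration, not Sun Ray code or part of the original help page; it covers only the client key check described above. The type and function names, the client names, the "soft" mode value, and the behaviour when Client Authentication is disabled are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    CONFIRMED = "confirmed"      # an administrator confirmed the key for this DTU
    UNCONFIRMED = "unconfirmed"  # key submitted, not yet inspected
    CONFLICT = "conflict"        # unconfirmed, and the MAC address was seen with several keys


@dataclass(frozen=True)
class Policy:
    client_auth_enabled: bool        # Client Authentication (Security tab)
    key_confirmation_required: bool  # Client Key Confirmation Required
    security_mode: str               # Client Authentication Security Mode: "soft" or "hard"


def key_check_passes(policy: Policy, key_state: Optional[KeyState]) -> bool:
    """Model of the client key check only; token policies still apply afterwards.
    key_state is None for a client that does not take part in client authentication."""
    if not policy.client_auth_enabled:
        return True  # assumption: no key check when the feature is off
    if key_state is None:
        return policy.security_mode != "hard"  # assumption: "soft" admits such clients
    if key_state is KeyState.CONFIRMED:
        return True
    if key_state is KeyState.CONFLICT:
        return False
    return not policy.key_confirmation_required  # UNCONFIRMED key


def admitted(policy: Policy, fleet: dict) -> list:
    """Return the sorted names of the clients in `fleet` that pass the key check."""
    return sorted(n for n, state in fleet.items() if key_check_passes(policy, state))


# Constructed sample fleet: hypothetical client names mapped to their key state.
FLEET = {
    "dtu-confirmed": KeyState.CONFIRMED,
    "dtu-new": KeyState.UNCONFIRMED,
    "dtu-conflict": KeyState.CONFLICT,
    "client-no-auth": None,
}

if __name__ == "__main__":
    for label, pol in [("no confirmation, soft", Policy(True, False, "soft")),
                       ("confirmation, soft", Policy(True, True, "soft")),
                       ("confirmation, hard", Policy(True, True, "hard"))]:
        print(f"{label:22} -> {admitted(pol, FLEET)}")
```

With confirmation required but the mode left at "soft", the model still admits the client that presents no key at all, which is the gap the 'hard' setting closes.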

By default, all users must pass an authentication dialog when hotdesking, i.e., upon reconnection to an existing session using any DTU on their network. After successful authentication, the Sun Ray DTU is connected directly to the user's session. This security policy feature, called remote hotdesk authentication (RHA), can be turned off if desired. Turning it off bypasses the Sun Ray authentication and enables direct session access, but may weaken system security.


Note – Changes to system policy require a Cold Restart of Sun Ray services.