user manual...1.2.5 trusted network detection (tnd) if enabled in your permissions, sina workstation...

Workstation

Version 3.3.2

User manual

Release 1

S40.037

secunet Security Networks AG

Copyright © 2015 by secunet Security Networks AG

All rights reserved. These operating instructions are for the sole use of the principal. Information contained in this user manual is protected by copyright. secunet Security Networks AG has made every effort to ensure that all information in this user manu-al is correct and complete. However, we will accept no liability for errors or missing information, insofar as this is permitted by law. The content of this user manual may not be copied or published, except with the prior written consent of secunet Security Networks AG. All information and specifications contained in this user manual may be changed by secunet Security Networks AG without any prior notification.

2 Release 1

Workstation 3.3.2 Contents

Contents

Preface .................................................................................................................................. 7

1 About SINA Workstation ................................................................................................ 8

1.1 SINA environment .................................................................................................. 8

1.2 Operation of SINA Workstation .............................................................................. 9

1.2.1 The SINA OS operating system .................................................................... 9

1.2.2 Workplaces ................................................................................................... 9

1.2.3 Secure network connections ........................................................................10

1.2.4 Quarantine mode .........................................................................................10

1.2.5 Trusted Network Detection (TND) ................................................................10

1.2.6 Accessing terminal servers ..........................................................................11

1.2.7 Security domains .........................................................................................11

1.3 Use of mobile devices and touch displays .............................................................13

2 Working with SINA Workstation ....................................................................................15

2.1 Starting SINA Workstation ....................................................................................15

2.2 Shutting down SINA Workstation ..........................................................................16

3 Understanding the user interface ..................................................................................17

3.1 Modules ................................................................................................................18

3.2 Status area ...........................................................................................................19

3.3 Menu area of the status area ................................................................................21

4 The "Lobby" module .....................................................................................................23

5 The "Quickstart" module ...............................................................................................25

Release 1 3

Contents Workstation 3.3.2

6 The "Workplaces" module .............................................................................................27

6.1 Managing workplaces ...........................................................................................28

6.2 Using Thin Client workplaces ................................................................................29

6.2.1 Starting Thin Client workplace type ..............................................................29

6.2.2 Closing Thin Client workplaces ....................................................................30

6.3 Using virtual machines ..........................................................................................31

6.3.1 Creating a virtual machine ...........................................................................31

6.3.2 Managing virtual machines ..........................................................................34

6.3.3 Starting a virtual machine ............................................................................34

6.3.4 Closing virtual machines ..............................................................................34

6.3.5 Using the Host key .......................................................................................35

6.4 Using media workplaces .......................................................................................36

6.4.1 User interface of the media workplace .........................................................36

6.4.2 Starting media workplaces ...........................................................................37

6.4.3 Using media workplaces ..............................................................................37

6.4.4 Managing bookmarks ...................................................................................38

6.4.5 Closing media workplaces ...........................................................................39

6.5 Using VoIP workplaces .........................................................................................39

6.5.1 Starting VoIP workplaces .............................................................................39

6.5.2 Closing VoIP workplaces .............................................................................40

6.5.3 User interface of the VoIP workplace ...........................................................40

6.5.4 Using the VoIP telephone ............................................................................41

6.5.5 Managing VoIP workplaces..........................................................................42

6.6 Using SINA Workstation as a mobile user .............................................................46

6.6.1 Setting up a mobile network connection .......................................................46

6.6.2 Starting an unrestricted workplace ...............................................................47

6.6.3 Starting a secure workplace .........................................................................47

4 Release 1

Workstation 3.3.2 Contents

6.7 Allocating hotplug devices manually .....................................................................48

6.7.1 Using USB devices in SINA Workstation......................................................48

6.7.2 Assigning a USB device to a workplace .......................................................48

7 The "Network" module ..................................................................................................50

7.1 Managing network profiles ....................................................................................50

7.2 Setting up a network connection ...........................................................................51

7.3 Terminating a network connection ........................................................................52

7.4 Setting up a wireless network profile .....................................................................53

7.4.1 WWAN connection data ...............................................................................53

7.4.2 WLAN connection options ............................................................................54

7.5 Setting up certificate-based authentication ............................................................55

8 The "Administration" area .............................................................................................57

8.1 Volumes ................................................................................................................57

8.2 Backup ..................................................................................................................57

8.2.1 Backing up a crypto file system ....................................................................58

8.2.2 Restoring a crypto file system ......................................................................59

8.3 Hotplug .................................................................................................................60

8.4 Devices .................................................................................................................62

8.5 Security .................................................................................................................63

8.5.1 Updating signature certificates .....................................................................64

8.5.2 Updating encryption certificates ...................................................................64

8.6 System ..................................................................................................................65

8.6.1 Mixer ............................................................................................................65

8.6.2 Language .....................................................................................................66

8.6.3 Configuration Update ...................................................................................66

8.6.4 Screen .........................................................................................................67

8.6.5 Input devices ...............................................................................................67

Release 1 5

Contents Workstation 3.3.2

8.6.6 Misc settings ................................................................................................68

8.6.7 Import/Export ...............................................................................................69

8.6.8 Time ............................................................................................................70

8.6.9 Restore default settings ...............................................................................70

9 Locking and suspending SINA Workstation ..................................................................71

9.1 Locking SINA Workstation ....................................................................................71

9.2 Suspending SINA Workstation in memory ............................................................72

10 Updating software .........................................................................................................73

Appendix ..............................................................................................................................74

List of figures ................................................................................................................74

Glossary .......................................................................................................................76

Useful key combinations ...............................................................................................77

FAQs ............................................................................................................................78

6 Release 1

Workstation 3.3.2 Preface

Preface

Who should read this document?

This manual is intended for users of SINA Workstation.

Required prior knowledge

This manual assumes that you have a basic working knowledge of the interfaces of operating systems and other software.

Conventions

This manual uses the following conventions:

User interface terms are shown bold.

Command lines and code examples use Courier New.

Warnings are marked with .

Notes are marked with .

References

For further information about SINA Workstation, see:

SINA Workstation – Administrator manual

SINA Management – User Manual

www.secunet.de

Release 1 7

About SINA Workstation Workstation 3.3.2

1 About SINA Workstation

SINA Workstation is an application component of the SINA environment1. Through the use of advanced virtualisation technology, SINA Workstation provides a secure working environment within protected work areas.

1.1 SINA environment

SINA is a concept used to protect IP-based networks using cryptographic security mechanisms. Using an IT security architecture developed by the Federal Office for Information Security (BSI) as its basis, SINA supports the protected processing and controlled exchange of data in non-secure infrastructures.

The SINA concept differentiates between two types of networks:

Secure networks that are protected against unauthorised access by third parties

Non-secure networks that are not protected or are only partially protected and are therefore classified as untrustworthy

SINA Box is a cryptographic gateway that enables mobile and stationary users in non-secure networks (for example, over the Internet) to access secure network are-as.

Figure 1: Communication with SINA

1 Secure Inter-Network Architecture

Secure network

SINA L3 Box

SINA Workstation

Non-secure network (Internet)

8 Release 1

Workstation 3.3.2 About SINA Workstation

1.2 Operation of SINA Workstation

Depending on the network environment, SINA Workstation provides different func-tions for operation in secure and non-secure networks.

1.2.1 The SINA OS operating system

SINA Workstation is based on the highly secure SINA OS operating system that has been modified by secunet so that classified data can be processed and saved local-ly. The security philosophy implemented in SINA Workstation is based on the total isolation of all components that come into contact with confidential data.

The virtualisation technology of SINA Workstation enables the secure operation of virtual machines to which local crypto file systems are assigned within an isolated operating environment. This enables users to work with a familiar operating system and to process confidential data locally. If a computer is lost or stolen, data saved locally cannot be read by a third party.

All virtual workplaces are configured individually and can be classified with different levels of confidentiality.

1.2.2 Workplaces

Virtual workplaces provide users with several working environments, depending on the users' authorisation:

Thin Clients allow accessing terminal servers in a secure network.

Virtual machines enable you to run a guest operating system in a virtual working environment and to use local crypto file systems. In this way, data can be processed and saved offline without compromising security. External storage media and peripheral devices can also be used while user access to resources can be controlled specifically by the system administration.

For accessing media data and network-based telephony, you can use media and VoIP workplaces.

SINA Workstation enables you to run different types of virtual workplaces in parallel without compromising security.

Release 1 9


1.2.3 Secure network connections

To access external networks, SINA OS established a secure connection to a SINA Box component over a virtual private network (VPN). Secure networks can be ac-cessed over wired or wireless connections such as GPRS, UMTS or WLAN.

Figure 2: Secure network connections that use SINA Workstation

1.2.4 Quarantine mode

For non-persistent data processing, virtual machines can be run in quarantine mode. This means that non-secure or unknown data, such as data on an available mass storage device, can be accessed without compromising the security of the work-place. After closing the workplace, the workplace is restored to its original state.

1.2.5 Trusted Network Detection (TND)

If enabled in your permissions, SINA Workstation automatically recognizes when you are located within a predefined secure network (trusted network). You then have direct, unrestricted access to the network over a network bridge. This function is on-ly supported for access over Ethernet (LAN) and is automatically ended when the connection to the TND server is lost.

VPN 2

Secure network 2

SINA L3 Box

SINA Linux

Secure network 1

SINA L3 Box VPN 1

Workplace 1

Workplace 2

10 Release 1


1.2.6 Accessing terminal servers

Using Thin Client workplaces, SINA Workstation allows you to set up connections to external terminal servers in the secure network.

Figure 3: Access to the application server

1.2.7 Security domains

Security domains define secure (red) network areas, each with its designated secu-rity level. Each security domain is identified by an internal name.

Within the SINA architecture, all data is assigned to security domains:

The security domain of secure networks is determined by the red interface of the assigned SINA L3 Boxes

The security domain of crypto file systems are defined by the ACLs of the associated user

Classified data with the security level RESTRICTED or VS - VERTRAULICH is only allowed to be processed offline in SINA Workstation 3.3.2. Classified data with higher security levels is not allowed to be processed in SINA Workstation 3.3.2.

Secure network

SINA L3 Box

Terminal server

SINA OS VPN

Thin client workplace

Terminal servers

Release 1 11


1.2.7.1 Overview of security levels

Security level

German classification English equivalent

OFFEN UNCLASSIFIED

VS - NUR FÜR DEN DIENSTGEBRAUCH RESTRICTED

VS - VERTRAULICH CONFIDENTIAL

GEHEIM SECRET

STRENG GEHEIM TOP SECRET

1.2.7.2 Colour allocation

Each security domain has two colour allocations:

The primary colour is used for identifying the allocated security level:

(Black) UNCLASSIFIED

(Yellow) RESTRICTED

(Blue) CONFIDENTIAL

(Red) SECRET

(Green) TOP SECRET

The secondary colour is used for internal identification, and can be selected by the system administration as required. As a result, security domains with different security levels can be distinguished from one another visually.

12 Release 1


1.3 Use of mobile devices and touch displays

Using mobile devices

Often, mobile devices have a very high screen resolution because they are opti-mised for close-up viewing. The display of the status area can be adapted accordingly in the system settings (see chapter 8.6.6).

Additionally, it is possible to assign various functions to the on/off button (power but-ton) in the system settings. To trigger the allocated function, it is necessary to press the button for a few seconds on most devices.

Use of touch displays

From version 3.3.2, SINA Workstation supports the use of devices with touch dis-plays.

These devices allow entries to be made by touching screen elements using your fin-gers or by using a suitable stylus (a type of pen). Styluses are practical above all with very small screen elements or high-resolution screens, as a way of facilitating operation.

It is recommended to use Windows 8.1 when using devices with a touch display. Windows 8 is not supported by SINA Workstation.

Gestures In addition to normal touching, which is the equivalent to clicking with the mouse, touch displays also recognise gestures; this involves making a swiping movement with your fingers while touching the screen. SINA Workstation supports the following gestures in addition to those recognised by the guest operating system:

Two fingers in the direction of the upper edge of the screen

Hides the status area in overlapping dis-play (see chapter 3.2, only in running workplaces)

Two fingers from the top edge of the screen downwards

Shows the status area again in overlap-ping display

Release 1 13


Overview of some frequently used gestures in Windows 8.1:

1. Shut down opened app

2. Show the side bar for changing between opened apps

3. Display the app running in the background in parallel to the currently opened app

4. Display overview of all installed apps

5. Show charms bar for controlling system functions

Start

1

2

4

5

3

14 Release 1

Workstation 3.3.2 Working with SINA Workstation

2 Working with SINA Workstation

To use SINA Workstation, authenticate yourself with your SINA ID token (smartcard or USB token). This contains all the permissions and configuration data allocated by the network management, and regulates which networks you have access to.

2.1 Starting SINA Workstation

Keep your SINA ID token ready for starting SINA Workstation. If you have any ques-tions relating to authentication, installation or configuration, contact the system administration.

SINA Workstation automatically starts when the computer is switched on.

If there are other operating systems on the computer, select SINA-VW_3.3.2 in the option menu of the boot loader.

If your SINA ID token is configured with a device PIN, the text message Please enter Device PIN prompts you to enter the device PIN during the boot procedure.

Connect your SINA ID token. SINA Workstation starts and you are asked to authenticate yourself.

Enter your user PIN and click Confirm or press ENTER.

Figure 4: Entering user PIN

Release 1 15

Working with SINA Workstation Workstation 3.3.2

To prevent your user PIN from being recorded in a hidden log, enter your user PIN on the number pad in the window by using the mouse.

2.2 Shutting down SINA Workstation

Virtual machines that are still running are automatically suspended when SINA Workstation is shut down. Thin Client workplaces are quit and, depending on the configuration of the application server, can be continued later if this is supported by the work environment.

To shut down SINA Workstation:

In the status area, right-click the SINA menu.

Select Shutdown.

Figure 5: Shutting down SINA Workstation

16 Release 1

Workstation 3.3.2 Understanding the user interface

3 Understanding the user interface

The user interface of SINA Workstation is divided into the following areas:

1. Modules (see chapter 3.1) By default, those modules that are used most frequently are displayed. Click Administration to display further SINA Workstation management modules.

2. Display and input area Depending on module, here you see information or input options.

3. Status area (see chapter 3.2) The status area is the central control element of SINA Workstation.

4. Menu area of the status area (see chapter 3.3) From this menu area, you can see an overview of running workplaces and network connections, and you can quickly access frequently used features.

Figure 6: SINA Workstation user interface

Release 1 17

Understanding the user interface Workstation 3.3.2

3.1 Modules

The available modules are shown in the left area of the window:

Lobby This module displays system messages and information about current activities (see chapter 4)

Quickstart In this module, you manage quickstart profiles (see chapter 5).

Workplaces In this module, you manage virtual workplaces (see chapter 6).

Network In this module, you manage network profiles (see chapter 7).

Modules of the Administration area:

Volumes In this module, you manage crypto file systems (see Administrator Manual).

Backup / Restore In this module, you back up or restore file systems (see chapter 8.2).

Hotplug

In this module, you configure rules for using USB devices (see chapter 8.3).

Devices In this module, information about the computer's hardware is displayed (see chapter 8.4).

Credentials In this module, you can change PINs and update certificates if required (see chapter 8.5).

System

In this module, you can configure system settings (see chapter 8.6).

18 Release 1


Click a module to open it. If you see a list (for example in the Workplaces module), click an item in the window to edit it.

Input options are then shown at the item's right side. If the input area is higher than the screen, this is indicated by darkened scroll bars.

To scroll up or down, move the mouse over a scroll bar.

Figure 7: Working in input areas

3.2 Status area

In running workplaces, the status area displays the name as well as the primary and secondary colours of the security domain (see chapter 1.2.7.2).

Contact the system administration if the security domain is displayed as Unknown in the status area.

You can adjust the display mode of the status area in the system settings (see chap-ter 8.6.4). The status area can be shown or hidden in workplaces by clicking the mouse or using the CTRL + ALT + O keyboard shortcut, and on touch displays by means of gestures (see chapter 1.3).

Release 1 19


The following features are on the left of the status area:

Screen resolution Move the mouse over the icon to displays the resolutions of the connected screens.

By clicking, you can open a menu for changing the display mode for a second externally connected monitor:

Primary only (only use built-in screen) Secondary only (only use external screen) Clone primary (duplicate built-in screen) Clone secondary (duplicate external screen)

Changes only take effect if an external monitor has been detected by the sys-tem. The selected setting is stored separately for each workplace.

Connection status

(Grey) Network is not connected

(Red) No active connection

(Green) At least one active connection

(Blue) Open networking (unsecured network access)

(Yellow) Trusted network (only for virtual machines)

(Red/blue) Inactive open networking because of currently active trusted network

When you move the mouse over the icon, your current IP address and active VPN connections are displayed:

In workplaces, only the connections used in the particular workplace in question are displayed

The SINA Workstation user interface displays all connections.

Drive size is increased automatically

The warning message is displayed if there is insufficient free storage space (see administrator manual).

20 Release 1


3.3 Menu area of the status area

In the status area, several features and displays are accessible; some icons display a menu by right-clicking it or by left-clicking it for approximately a second.

Active workplaces Currently running workplaces are indicated as icons (see chapter 6). For each workplace, its type is displayed and, for virtual machines, additionally the crypto file system. You can switch between workplaces by clicking their icons.

Workplace profiles Right-click to start a workplace profile (see chapter 6). Only workplace profiles that can currently be started are dis-played.

Split clipboard If you have sufficient permissions, this function enables data to be transferred between virtual machines. Right-click and select the workplace from which the clip-board should be copied; then you can paste the content from the clipboard in the guest operating system in the usual way. Texts (UTF8 and ANSI) up to a size of 1 MB and bitmap graphics can be copied in this way.

Battery status The icon colour indicates the current battery status (green/yellow/red). When you move the mouse over the icon, the battery status and remaining charging time are displayed.

Sound volume A mouse click switches the loudspeaker and any other selected audio devices on or off; using the right mouse button, you can adjust the global audio controller and any other audio controllers (see chapter 8.6.1).

Release 1 21


Network connection

Connections can be established and dropped by clicking the right mouse button. Only network profiles that can be started are displayed (see chapter 7).

SINA menu If you have a workplace open, you can switch back to the SINA Workstation user interface by clicking the menu icon. Right-click the menu icon to open the SINA menu:

Lock SINA workstation (see chapter 9.1)

Suspend to RAM

Reboot

Shut down

System messages The number of unread system messages, if there are any, is displayed on the SINA logo. Right-click the menu icon to display the messages or open the Lobby module (see chapter 4).

Software updates If any software updates are available, they are also dis-played in the SINA menu (see chapter 10).

Virtual keyboard Shows a virtual keyboard for entering texts on devices with a touch display.

If open networks are available and it is permitted for them to be used in the work-place then they are displayed in the status area. To connect an open WLAN, click this icon and select the WLAN from the list that opens. It is automatically created as a network profile (see chapter 7).

22 Release 1

Workstation 3.3.2 The "Lobby" module

4 The "Lobby" module

This module displays current system information.

Figure 8: The "Lobby" module

Network status of the workstation In this area, you can check the status of the components involved if there are connection problems:

Network adapter of the device Remote terminal (router) Connection to the public network Target system in the secure network

Running activities Activities not yet completed by the system appear in processing order. This includes for example:

Creating or changing crypto file systems Backup and restore Rekeying and checking file systems

Release 1 23

The "Lobby" module Workstation 3.3.2

Running sessions This area shows an overview of the status displays of the workplaces. The colour display corresponds to the display in the status area (see chapter 3.2).

Notifications

Click the icon to delete notifications. Notifications about mounted devices disappear automatically as soon as you access the devices.

You can export notifications that are displayed in the Lobby into log files (see chapter 8.6.7), for example, to send them to an administrator for troubleshooting purposes.

24 Release 1

Workstation 3.3.2 The "Quickstart" module

5 The "Quickstart" module In quickstart profiles, you combine network connections and workplaces which can then be either started automatically at system start or started manually by clicking the Workplaces icon in the status area.

Figure 9: The "Quickstart" module To create a quickstart profile:

Click + Add item.

Enter a name for the quickstart profile.

Select a network connection or alternatively Don’t change network for the profile to start without a network; in this case, SINA Workstation may start a network profile (see chapter 7).

If a network connection was selected for the quickstart profile and automatically starting network profiles have been configured as well, precedence is given to starting the network connection of the quickstart profile.

If automatically starting network profiles should be used for the network connection, select the Do not change network option when configuring the quickstart profile.

Release 1 25

The "Quickstart" module Workstation 3.3.2

Select one or more workplaces.

If you assign several workplaces to a quickstart profile, the check whether parallel operation is possible without conflicts.

Click Create.

To automatically start quickstart profiles after the next SINA Workstation start, you drag the profiles into the automatic area.

If there are several profiles, they are started in the displayed order during system start. SINA Workstation checks whether the necessary resources are available (for example, a network connection) and starts the first executable profile.

If there are problems during the start of quickstart profiles (for example, due to not available network connections or missing workplace resources), corresponding messages are displayed in the respective workplace or network profile (see chapters 6 and 7).

26 Release 1

Workstation 3.3.2 The "Workplaces" module

6 The "Workplaces" module

With SINA Workstation, you can use up to six different workplaces simultaneously. Which types of workplaces are available depends on your permissions.

Thin Client workplaces

NX protocol

RD protocol

ICA protocol

X11 protocol

Virtual machine

Guest operating system in a virtual work environment

Media workplace

Media playback

VoIP workplace

Communication using Voice-over-IP (VoIP)

SINA app

Non-persistent workplace (for example when logging onto public hotspots with the browser), must be set up on your device in advance by the system administra-tion (see Administrator Manual)

You can switch between running workplaces at any time using the assigned host keys.

If you use several screens, you can switch between them by using the status area (see chapter 3.3), by pressing the Windows key + P, and, for Lenovo devices, by pressing Fn+F7.

Release 1 27

The "Workplaces" module Workstation 3.3.2

6.1 Managing workplaces

The Workplaces module displays the available workplaces. Active workplaces are highlighted yellow.

Figure 10: Managing workplaces

You have the following options:

You can rearrange the displayed order by drag-and-drop. Drag a workplace to the wanted position.

To start a workplace, select it and click Start. Alternatively, you can start workplaces using the status area. To do so, click the corresponding icon.

To switch between running workplaces, click their icon in the status area or press their key combination.

You can see the key combination of a workplace when you move the mouse over its icon in the status area. To display further options, right-click the icon of a running workplace in the status area (see chapter 4).

28 Release 1


To assign connected peripheral devices to a workplace, right-click the workplace icon and select the needed device.

Figure 11: Assigning peripheral devices

All hotplug devices are assigned to one workplace exclusively. Access cannot be shared; for example, multiple Thin Clients cannot access a single chip card reader at the same time.

6.2 Using Thin Client workplaces SINA Workstation supports different transfer protocols for Thin Client workplaces. Available workplaces and assigned terminal servers have been pre-configured on your SINA ID token by the system administration.

6.2.1 Starting Thin Client workplace type

In the Workplaces module, select a Thin Client workplace. You have the following options:

Display layout If you use multiple screens, you can choose the layout.

Session hotkey For quick access, you can assign a key combination to the workplace.

Create hotplug rules for frequently used smartcard readers (see chapter 8.3) so that they can be detected by the system and used for logging on.

Release 1 29


Click Launch. Depending on workplace type, an additional login to the terminal server may be necessary.

Figure 12: Login dialog of an NX workplace

6.2.2 Closing Thin Client workplaces

To prevent data loss always shut down the applications running in a Thin Client workplace before you quit the workplace or lock SINA Workstation.

To quit the workplace, log off from the terminal server.

To force a workplace to exit without logging off:

In the status area, right-click the workplace icon.

Click Exit.

Confirm the security query.

Alternatively, you can close workplaces by using the SINA Workstation user inter-face:

In the Workplaces module, select a workplace.

Click Stop.

Confirm the security query.

30 Release 1


6.3 Using virtual machines

Unlike Thin Clients workplaces, virtual machines are not preconfigured in your SINA ID token's user data; they are created locally in SINA Workstation. Depending on your permissions, you can configure virtual machines yourself or you can use work-places that have been created for you by the device's administrator.

For creating a virtual machine workplace, a crypto file system (CFS) must have been created previously in which a guest operating system is installed.

You can install multiple virtual machine workplaces with different settings on one guest operating system. This means that you can use the guest operating system in different working environments. For example, you can create two virtual machines, one with and one without audio devices assigned, so you can use a VoIP workplace and a virtual machine at the same time.

6.3.1 Creating a virtual machine

Proceed as follows:

In the Workplaces module, click the + Add item button. The input fields are displayed. Mandatory fields are indicated by red legends.

Enter a name for the virtual machine.

Select the required guest operating system. The displayed parameters vary according to the chosen operating system. Common values are preselected. Check these values.

Adjust the workplace settings. The available options depend on your permissions. Discuss these permissions with the responsible administrator, if necessary.

Release 1 31



Quarantine After shutting down the workplace, the workplace is restored to its original state (see chapter 1.2.4). This option is only available if the file system has been pre-pared for it by the administrator.

Network mode

- No network (offline) - Secure network (see chapter 7) - Open network for using a public network

(see chapter 6.6)

Display layout. If you use multiple screens, you can choose the layout.

Session hotkey. Assign a keyboard shortcut for quick ac-cess.

Audio mode Choose whether audio playback and/or re-cording is enabled.

Boot order Defines the order in which the guest operat-ing system boots from different media. These media may have to be allowed as boot media in your permissions.

IP / MAC to claim The IP and MAC addresses, if necessary.

OS type Choose the operating system type. By se-lecting the operating system type, the detailed settings (see below) are preconfig-ured accordingly. For Windows operating systems that have been created with previous SINA Work-station versions, select SINA Legacy.

32 Release 1


Enable Detailed settings to assign any further system resources to the workplace:

Memory Define the amount of RAM available to the guest operating system. The necessary size is based on the requirements of the guest operating system and the applications. A red note indicates that more memory is assigned than is actually available

Network device Audio device Storage device Select the appropriate system devices for the workplace,

IO APIC. Enable this function only after consulting your administrator. IO APIC is needed, for example, to assign multiple CPU cores or to make the workplace compatible with certain guest operating systems. For Windows XP guest operating systems that were started once with the IO APIC op-tion, this option must remain permanently enabled to avoid malfunctions.

Number of CPUs Set the CUP core number for the workplace according to performance requirements. For this, the CPU of the host system must sup-port virtualisation functions (for example VT-x for Intel CPUs) and these must also be enabled in the BIOS. For stability reasons it is recommended to assign one CPU only.

Video memory Set the video memory for the workplace ac-cording to graphics requirements.

Release 1 33


6.3.2 Managing virtual machines

You can also adjust the settings of the configured virtual machines to your require-ments later.

In the Workplaces module, select a workplace.

Click Settings. Which parameters you can change depends on the workplace type.

Guest operating systems should neither be opened (status active) nor suspended when you want to change their profile.

6.3.3 Starting a virtual machine

To start a virtual machine:

Open the Workplaces module.

Click an available virtual machine.

Click Launch.

6.3.4 Closing virtual machines

Closing a virtual machine by using the SINA Workstation user interface can lead to data loss. Therefore, always shut down the guest operating system in the regular way.

If you cannot shut down the guest operating system, you can perform a forced shut-down:

In the status area, right-click the workplace icon and select Exit. Confirm the security query.

Alternatively, you can shut down the workplace in the Workplaces module (see chapter 6.3.2).

34 Release 1


6.3.5 Using the Host key

By using the Host key, which you can define individually (see chapter 8.6.6), you can use the following functions in a running workplace:

Host key + H: Shut down guest operating system This function is only available if the guest operating system supports it. For this, Windows 7 guest operating systems must be configured for the processing of ACPI events; contact your administrator.

Host key + R: Reset guest operating system, for example, when an optical drive has been detected too late by the system

Release 1 35


6.4 Using media workplaces

In a media workplace you can access media files such as videos. These are availa-ble on servers in the secure network or – if released – on local resources (for example USB or CD). Available media workplaces and available terminal servers have been pre-configured on your SINA ID token by the system administration.

6.4.1 User interface of the media workplace

1. Media display

2. Bookmark management

3. Control elements

4. Progress bar

5. Single frame function

6. Volume control

Figure 13: User interface of the media workplace

You can adjust the size of the display area by holding the mouse button.

36 Release 1


6.4.2 Starting media workplaces

Proceed as follows:


Select a media workplace and click Launch.

In the status area, an icon for this workplace is displayed after the start; it provides access to further options.

6.4.3 Using media workplaces


Opens a media file.

In the media directory, you can see all mounted drives:

Files in the network are displayed in the network directory. Files on storage devices are displayed in the integrated directories,

for example sdb1.

Figure 14: Open medium

Release 1 37


Closes the media file.

Starts or pauses the media file.

Ends playback.

Saves a snap shot of the current frame as a PNG file. If you have the required write-permissions, you can save the snap shot to one of the assigned drives.

You can navigate to certain passages of the media file by using the scrubber. The single frame function displays the next and previous frames of the media file. The availability of this function depends on the file format.

6.4.4 Managing bookmarks

By using bookmarks, you can highlight specific positions of the media file to find them more easily later or to pass them on to other employees.

Inserts a bookmark of the current position in the media file. To name this bookmark, right-click next to the time display and enter a name.

Figure 15: Creating a bookmark

38 Release 1


If you select one or more bookmarks in the bookmark list, you have the following op-tions:

Removes the selected bookmarks.

Exports the selected bookmarks to one of the assigned drives if you have the required write-permissions. The bookmarks are saved in ASCII format in a file with the extension BKM.

Imports bookmarks from a file. Search for and open a media file with the ex-tension BKM.

6.4.5 Closing media workplaces

To close a media workplace, click Quit in the bottom-right corner of the screen.

6.5 Using VoIP workplaces

By using a VoIP workplace, you can use network-based telecommunication over the Session Initiation Protocol (SIP). You need to be logged in to SIP telecommunica-tions equipment (SIP Registry) to do this.

The VoIP workplace can save data and user settings optionally in a crypto file sys-tem if the system has been configured by the administrator. Call lists, local telephone books and configuration, and user settings are saved in the workplace. In addition, if set up, a global LDAP-based telephone book is available.

6.5.1 Starting VoIP workplaces

To use network-based telecommunication, a network connection must be available (see chapter 7). The workplace itself, however, can be started without a network.


Click a VoiP workplace.

Click Launch.

In the status area, an icon for this workplace is displayed after the start; it provides access to further options (see chapter 3.2).

Release 1 39


Additionally, the icon displays the state of the VoIP workplace and, for incoming and current calls, information about the conversation partner:

Registered / Incoming call

Ongoing call

No VoIP connection

When multiple workplaces with audio are used, ensure that no audio information can be transmitted between the workplaces.

6.5.2 Closing VoIP workplaces

To close the VoIP workplace, click the icon in the toolbar.

6.5.3 User interface of the VoIP workplace

The user interface of the VoIP workplace is divided into the following areas:

1. Toolbar (hold mouse button to move)

2. Status line (displays the version status of the application)

3. Virtual telephone

4. Function area (see chapter 6.5.5); hold the mouse button to adjust the width

You can adjust the volume in the status area.

40 Release 1


Figure 16: VoIP workplace user interface

6.5.4 Using the VoIP telephone

Using the keypad, you operate the telephone as you would a normal telephone:

- Dialling numbers - Answering and hanging up - Putting calls on hold or resume calls - Turning the telephone to silent mode

You can see the status of the telephone in the display:

- Login status to the SIP registry (ready is displayed when successful; otherwise, an error message is displayed)

- Call mode: Call active, call on hold ( icon) - Number and name of conversation partner (if saved in the phone book) - Call duration - If you click the icon, without having previously entered a

number, the call list for redialling appears.

Release 1 41


6.5.5 Managing VoIP workplaces

The function area is divided into the phone book, calls, settings and configura-tion tabs.

6.5.5.1 Phone Book tab On this tab, you manage the local phone book and, if available, the settings of the global LDAP-based phone book.

The system administration manages the global phone book.

In the local phone book, you can save your entries or copy those from the LDAP phone book.

Entries from the local phone book are indicated with the icon.

Figure 17: Phone book

42 Release 1



To display only entries with a specific letter sequence in the name, enter this letter sequence in the Search field.

Next to the Search box click the icon to reset the search filter and display all entries.

To dial a number, right-click a telephone entry and, in the context menu, select dial.

To copy an entry from the global phone book to the local phone book, right-click the entry and select add to local phone book.

To remove an entry from the local phone book, right-click it and select delete from local phone book.

6.5.5.2 Calls tab A list of the previous calls is displayed on this tab with the time, number and name. Answered, dialled and missed calls are displayed.

Figure 18: Call list

Release 1 43


To dial a number, right-click the entry and select dial.

6.5.5.3 Settings tab On the Settings tab, you can adjust the virtual phone to the available bandwidth. This setting influences the selection of voice-codecs when a voice connection is es-tablished.

The Live search option means participants are not just searched for in the local phone book but also automatically in the LDAP phone book.

Figure 19: Selecting bandwidth

6.5.5.4 Configuration tab On this tab, you can configure the login to the SIP registrar and access to the LDAP phone book.

Change the configuration only after consulting your administrator.

44 Release 1


SIP login Enter the identity and password for the login. The Registrar field cannot be changed; it is pre-configured by the administrator.

LDAP phone book Configure the search base and, optionally (depending on the configuration of the LDAP server), user identification and password. The Server field cannot be changed; it is pre-configured by the administrator.

To save the configuration, click OK.

To delete your entries, click Reset. This deletes the contents of the text boxes, or assigns the default settings stored for the text boxes on your SINA ID token, if appropriate.

Figure 20: Configuring VoIP workplaces

Release 1 45


6.6 Using SINA Workstation as a mobile user

To use SINA Workstation over a public WLAN (for example, at an airport), first start a virtual machine with the OPEN security level. This means you can log on using the provider's authentication portal; next, start a second virtual machine in which you es-tablish a connection to a secure network.

Figure 21: Using a public network

The following prerequisites must be met:

You have the permissions required for mobile use.

The system administration must have already installed the required crypto file system and the guest operating system.

If you have any questions, contact the system administration.

Some of the following settings only need to be configured once. To simplify later use, you can store both virtual machines in a common quickstart profile (see chapter 5).

6.6.1 Setting up a mobile network connection

Set up a connection to the public network:

Open the Network module.

Click + Add item and select the WLAN network type.

SINA L3 Box

VPN

WLAN portal

Authentication

Secure network SINA OS

Virtual ma-chine

(secure)

Virtual ma-chine (open)

46 Release 1


Select the network that should be connected (see chapter 7.4.2).

If the network is encrypted, enter the login data which you have received from the provider.

6.6.2 Starting an unrestricted workplace

To log in to a portal of the public network, start an unrestricted workplace.

For security reasons, the unrestricted workplace cannot be used with the Trusted Network Detection function (see chapter 1.2.5).

If there is no appropriately configured virtual machine, add a new one or adjust an existing virtual machine (see chapter 6.3.1):

Choose a guest operating system with the security domain 1.

Set the network mode to the Open Networking option.

Click Launch.

You can now log on to the guest operating system by using the authentication por-tal. You get the logon data from the provider (for example, local providers at airports or in hotels).

6.6.3 Starting a secure workplace

A network connection is created after you have entered the authentication data over the unrestricted workplace. You can now start a secure workplace as usual (see chapter 6).

Release 1 47


6.7 Allocating hotplug devices manually

If use of the USB interface is included in your permissions, hotplug devices are de-tected automatically during operation, unless their use is prohibited by the hotplug rules (see chapter 8.3).

When you plug in a hotplug device, a system message is displayed in the status ar-ea which shows information on the manufacturer, product name and USB port. This message disappears as soon as you assign the hotplug device to a workplace or use it in SINA Workstation.

In guest operating systems only USB 2.0 standard is supported. For SINA Workstation management (for example, backup), USB 3.0-devices are supported as well.

USB 3.0 devices can be used at USB 2.0 ports and in guest operating systems. Depending on the devices, installing appropriate drivers in the guest operating system may be required. USB 3.0 devices cannot be used at USB 3.0 ports.

6.7.1 Using USB devices in SINA Workstation

If connected USB devices are not assigned to a workplace, they are available for use in SINA Workstation. If you start an action using the USB device, the USB de-vice becomes available for workplace assignment only when the action has been terminated.

6.7.2 Assigning a USB device to a workplace

You can assign a USB device to a workplace, if it is not already being used by an-other workplace or by SINA Workstation. Assignment means exclusive access rights to this device.

Whether you can assign a USB device depends on your permissions.

In the status area, right-click the workplace icon

All detected and available peripheral devices are displayed.

Select a device.

Figure 22: Assigning a USB device to a workplace

48 Release 1


USB devices in use are highlighted grey and a tooltip informs about the current use.

To stop using a USB device, you deactivate it in the list.

Note that this can lead to data loss if the USB device is still being used by the assigned workplace.

Release 1 49

The "Network" module Workstation 3.3.2

7 The "Network" module

In the Network module you create and configure network connections.

7.1 Managing network profiles

Profiles for wired networks are pre-configured in the user data of your SINA ID to-ken; however, profiles for wireless networks you must configure yourself before you using them for the first time (see chapter 7.2).

Depending on your permissions, the following network profiles are available:

LAN You connect to a wired network by using a LAN profile.

WWAN

You connect to an available radio network by using a WWAN profile. SINA Workstation supports UMTS, GPRS and LTE. In the Administration - Security module, enter the PIN of your SIM card (see chapter 8.5).

WLAN

You connect to an available wireless network by using a WLAN profile. It may be necessary to enter a network key. Either a static IP address is used or the IP address is obtained over DHCP. SINA Workstation supports open, WPA/WPA2 encrypted LAN connections.

If they have been configured (see chapter 7.5), LAN and WLAN profiles will also be available for certificate-based authentication. These are indicated visually by an addi-tional symbol.

50 Release 1

Workstation 3.3.2 The "Network" module

7.2 Setting up a network connection

Note: An established network connection is disconnected on establishing a new connection.

To use a pre-configured network connection, select it and click Connect.

To configure a new network connection:

Click + Add item and select the network type.

Depending on network type, you must enter additional login data.

Click Connect to save the settings.

The connected network profile has a coloured background. You can check the cur-rent status of the network connection in the status area (see chapter 3.2).

Figure 23: Connected network profile

To automatically start network profiles after the system start or when leaving the suspension status, click and drag the profiles into the automatic area.

Release 1 51


If several profiles are stored in the automatic area, SINA Workstation starts the first runnable profile according to defined priorities:

1. LAN profile 2. WLAN profiles in the specified order 3. WWAN profile

Only a single LAN profile can be moved to the automatic area.

7.3 Terminating a network connection

First, quit running Thin Clients to avoid data loss (see chapter 6.2.2).

Next to the active network profile, click Disconnect.

52 Release 1


7.4 Setting up a wireless network profile

Proceed as follows:

In the Network module, click + Add item.

Select a connection type. Depending on your selection, some input fields are filled with known values or completed. For example, the profile name for WLAN connections is determined according to the chosen WLAN access point.

Fill in the connection data.

7.4.1 WWAN connection data

Select network automatically Activates the automatic connection when the network is available. Otherwise, click the network profile and select Net-work search to carry out the connection manually.

Login / Passphrase Login data of the radio network provider.

APN Access point (Access Point Name, APN) When the SIM card is changed (for example, change of provider), the access point must be changed ac-cordingly.

Start sequence The start command of the modem (for example, AT)

MTU Determines the maximum packet size (Maximum Transmission Unit).

Allow roaming If there is no network connection, automatically switches to another available network.

Release 1 53


7.4.2 WLAN connection options

Select from available access points Displays a list of currently available wireless networks. If you disable this option, you can man-ually enter a network name. Thus, you can configure a network which is cur-rently not reachable or is hidden.

WLAN access point Choose a wireless network for the con-nection. If the searched-for network has not yet been found, you can update the display by clicking Rescan.

Authentication method Displays the network's encryption meth-od. SINA Workstation supports open networks and networks with WPA/WPA2 encryption, as well as certificate-based logon (see chapter 7.5).

Passphrase Enter the password required for en-crypted networks.

MTU Determines the maximum packet size (Maximum Transmission Unit).

If there are network problems, a new connection is established within a configurable time period when the WLAN is accessible once again (see chapter 8.6.6).

54 Release 1


7.5 Setting up certificate-based authentication

As an option, SINA Workstation supports certificate-based authentication for LAN and WLAN network profiles using the Extensible Authentication Protocol (EAP).

In the System module, open the Import/Export area and click Import certificates.

In the Source drive field, select the drive from which you want to import. The certificates found on the drive are displayed.

Select the certificate to be imported and enter the corresponding password if necessary.

Click Import.

This imports the certificate. To check the characteristics of the certificate and its cer-tificate string, click User certificate in the Administration area of the Credentials module. In this dialog box, you can also delete imported certificates if required.

Figure 24: Displaying properties of an imported certificate

Release 1 55


Then create a network connection (see chapter 7.2 or 7.4):

In the Network module, click + Add item.

Select the connection type (WLAN or LAN).

Select the certificate-based authentication according to the network type:

- Select the WPA EAP TLS authentication method with a WLAN con-nection.

- Activate the Use authentication option with a LAN connection.

Now define the displayed authentication settings:

EAP identify The user's identity for logging onto the network.

Certificate Select which certificate to use from the imported certifi-cates.

Network profiles with certificate-based authentication are indicated in the Network module by a modified icon (see chapter 7.1).

56 Release 1

Workstation 3.3.2 The "Administration" area

8 The "Administration" area

In this area you find modules for SINA Workstation management. Some tasks you can execute only with corresponding permissions.

Prerequisites for creating a virtual machine are an existing virtual drive and an im-ported guest operating system. The Administration Manual describes how to manage volumes.

8.1 Volumes

In this area you create and manage file systems. For more information about this topic, see the Administrator Manual.

8.2 Backup

In this area, you back up and restore crypto file systems. To the left you see current-ly existing tasks, if such have been started.

Before backing up, quit all running workplaces that use the crypto file system that you want to back up.

Figure 25: "Administration" module, "Backup" tab

Release 1 57

The "Administration" area Workstation 3.3.2

8.2.1 Backing up a crypto file system

Proceed as follows:

In the Administration module, click Backup.

Click + Add item.

Click Backup.

The following options are displayed:

Name Name of the backup task.

Virtual drive Select the file system you want to back up.

Select backup type You have the following options:

Local Select a storage device from the Device list. The Postpone device selection option al-lows you to select the device at the task start.

Remote Under Destination file enter the desti-nation address. The following transfer protocols are supported:

ftp:// and ftps:// http:// and https://

For this, you need a network connection and appropriate security associations configured on your SINA ID token.

The backup task is created and can be started at any time. The crypto file system is backed up as image with the extension .backup.

58 Release 1


8.2.2 Restoring a crypto file system

Proceed as follows:

In the Administration module, click Backup.

Click + Add item.

Click Restore.

The following options are displayed:

Select restore type


Local backup Select a connected storage device and one of the available images on the de-vice.

Remote backup In the Backup file field, enter the ad-dress from which to load the image.

For this, you need a network connection and appropriate security associations configured on your SINA ID token.

Target memory area Select a target partition. If a file system of the same name already exists on the selected partition, you are asked for confirmation.

Unlike a backup task, the restore task starts immediately; it is not necessary to start it manually.

Release 1 59


8.3 Hotplug

In this area, you manage rules for controlling the availability of USB devices in workplaces. These rules are used after the system start or when leaving the sus-pension status.

Hotplug rules can relate to individual devices or device classes, in which case de-vice rules take precedence over device class rules. A device can only be covered by one device rule.

Figure 26: "Administration" module, "Hotplug" tab

Click + Add item to create a new rule.

The detected USB devices are displayed; choose the required device or choose a device class.

Click Hide to prevent the use of the device or device class. This means devices are no longer displayed in the status area, and cannot be manually assigned to a workplace any longer either.

Click Assign to assign the device or device class to a workplace. A list of workplaces is displayed in which using is possible. Select the required workplace.

60 Release 1


- Use the Assign exclusively option to prevent the USB device from subsequently being displayed for use in other workplaces.

- Click Create.

Note:

An exclusive assignment takes effect as soon as the hotplug rule is created. Manually removing and reconnecting devices causes immediate assignment to the configured workplace

In a normal assignment, on the other hand, a hotplug rule exclusively takes effect when workplaces are started or continued. Manually removing and reconnecting devices does not cause immediate assignment to the configured workplace. As a result, connected USB devices can also be used in other workplaces in spite of being assigned using a hotplug rule; this is done by removing them manually and reassigning them using the Hotplug menu in the status area.

Hotplug rules simplify the use of frequently used USB devices if they are always needed in the same workplace.

To do this, create rules for persistent assignment as well as quickstart profiles for automatically starting the workplaces (see chapter 5); if the user connects the required USB devices before the system starts, they will automatically be assigned to the started workplaces.

Release 1 61


8.4 Devices

Here you find information about system hardware.

Figure 27: "Administration" module, "Devices" tab

USB devices For each connected USB device, the name, type and num-ber of the port to which the device is connected are displayed.

Mass storage Here you see physical hard disks, CD drives and virtual volume groups holding your CFS and ISO volumes. The name, the size and the used disk space is shown depend-ing on the device type.

CPU For each CPU core, the current clock frequency and free computing capacity is displayed.

RAM Here you see the memory size, usable by the system, and the percentage of currently used RAM.

Battery The charge state of the system battery. You find further in-formation in the tooltip of the battery icon in the status area.

Workstation Here you see the overall used memory. The entry sinavw shows the space available on the volume group of the in-ternal disk and how much of it is being used.

62 Release 1


8.5 Security

Here you manage PINs and certificates.

Note: To change a PIN, the current PIN must be entered as well. If you enter a wrong PIN, the system is locked.

Figure 28: "Administration" module, "Security" tab

You can manage the following PINs and passwords:

Device PIN You can define a device PIN to protect the device configuration that is stored on your SINA ID token. Device PINs are used only in special cases. If you are using a device PIN, you must also enter the device PIN during the authentication procedure.

User PIN You can change your user PIN at any time. This consists of a string of numbers that you select; however, the system administration can put restrictions on the PIN format.

Release 1 63


WPA password The WPA password is needed for the secured WLAN connection (see chapter 7.2) and can be changed here, if necessary.

SIM PIN This PIN unlocks the SIM card of a UMTS network card. If a UMTS network profile is set and WWAN has not been deactivated, SINA Workstation checks the connection to the UMTS modem after the system start and displays the signal strength. The last used PIN is used automatically for establishing the connection.

If you got another SIM card or if an error occurred concerning the PIN, click Unlock and enter a valid PIN.

8.5.1 Updating signature certificates

Signature certificates are used for both network traffic encryption and authentication in the network. If the current certificate is valid for less than 30 days, a message is displayed (see chapter 4).

Click the certificate to display the validity period.

If applicable, click Initiate update to renew the certificate manually. Signature certificates are usually updated automatically. A manual update is only necessary in special cases.

8.5.2 Updating encryption certificates

Encryption certificate are used to encrypt file systems. You can update these certifi-cates only manually. If the current certificate is valid for less than 30 days, a message is displayed (see chapter 4).

Click Initiate update to renew the certificate.

When an encryption certificate has been updated, SINA Workstation automatically rekeys the header data in all available file systems to ensure their further usability.

It is recommended that data should be backed up after the encryption certificate has been updated (see chapter 8.1).

64 Release 1


8.6 System

You can adapt system settings in this area.

Figure 29: "Administration" module, "System" tab

8.6.1 Mixer

Depending on your audio hardware, in the Mixer you can choose capture and play-back devices and set the volume levels.

On virtual machines, recordings must be made from line-in devices, even if you are using a microphone. In virtual machines, you cannot swap recording devices.


To display the volume slider of an audio device in the status area, enable Show in panel.

Using the Switch on/off by clicking applet function, you can mute audio devices by clicking the audio icon in the status area.

To activate individual channels, click on them.

Release 1 65


In Mixer test, you can test the recording and/or the playback level.

Due to security reasons, audio recording can only be used in one workplace at a time.

8.6.2 Language

Here you set the language for user interface and keyboard layout.

Under Language, select the user interface language.

Under Keyboard, select the language for the keyboard layout. To test the settings, enter a test text in the Test current keymap field.

8.6.3 Configuration Update

If prepared by the system administration, you can update the media ACL stored on your SINA ID token over the network.

The updated media ACL is then stored permanently on the user's system CFS, if available. Otherwise, the update is stored temporarily only and downloaded automatically anew after restart.

Ensure that a network connection is established.

Click Configuration update. The version of your current configuration (media ACL) and available updates are displayed.

Figure 30: "Administration" module, "Configuration" tab

If SINA Workstation has not detected a new update, click Force check to start a new search. When detected, the update is done automatically.

66 Release 1


8.6.4 Screen

Under Screen saver mode you set the screen behaviour after a certain time of inactivity:

None (no screen saver) Blank Lock Lock and blank

Under Timeout you set the time after which the screen saver is on. The maximum time you can set may be limited in your permissions.

Status area mode Defines the position of the status area:

Fixed The status area is outside the display area; its size is reduced accord-ingly.

Overlapping The status area overlaps running programs.

Automatic Automatic selection depending on the screen size.

Status area size The status area can be shown in two different sizes for display on screens with different resolutions. In addition, you can select the Automatic option to have to choice made automatically depending on the screen size.

8.6.5 Input devices

Touchpad The touchpad of the device can be activated or deactivated as required. This does not affect the touchpad's mouse buttons.

Unknown USB input devices With this setting, you control the use of HIDs (Human Interface Devices) that were not already connected on the same port after the system start or when leaving the suspension status.

Release 1 67


This can be used for safeguarding against attacks from USB devices that identify themselves as HID devices and can compromise system security.


Block Connected HID devices are not active; to do this, start the system again or suspend it briefly.

Notify A warning message is displayed when HID devices are connected; the connected devices are active.

Allow access HID devices are active when connected, no warning is displayed.

8.6.6 Misc settings

Here you configure system-related settings:

Action on exit of last workplace Depending on the setting, the system shuts down automatically or reboots after you have exited the last workplace.

Action on lid close SINA Workstation can automatically lock or suspend when you close the laptop lid.

Action for power button Assigns one of the following functions to the on/off button of mobile devices:

No action Lock Suspend Shut down

Host key Defines keys that can be used to return control of the mouse to the host system if the mouse pointer is used by a guest operating system. (see chapter 6.3.5).

Time limit for automatic connection to WLAN Defines the time period within which a new network connection to a WLAN network is established automatically if there are network problems.

68 Release 1


USB video Adjust the settings for connected webcams if necessary:

Frames per second (FPS) Buffer size

Audible PIN input signal Specifies whether an audible signal sounds before entering a PIN or after PIN verification.

Visibility of external system CFS By default, the management of file systems only displays their own system CFS; activate this setting if required so as to display other users' system CFS as well.

Reset Resets the MAC address to the original device MAC address. Only use this function following consultation.

8.6.7 Import/Export

Export logfiles To make troubleshooting easier for administrators, you can export the system logs for analysis:

In the Target device field, choose the storage medium for saving your log files.

Click Start export.

All log files are deleted automatically at system restart.

Import certificates Imports certificates for certificate-based authentication (see chapter 7.5).

Import app configuration Imports SINA apps (see Administrator Manual).

In all import functions, files are searched for in all the subfolders of the selected source drive.

Only VFAT, ext2, ext3 and ext4 file systems are supported.

Release 1 69


8.6.8 Time

You can adapt system time in this area. The time is displayed in Universal Time Co-ordinated (UTC) format. Clicking the selection arrow next to the date display shows a calendar for selection.

8.6.9 Restore default settings

This function resets all system settings to factory settings.

70 Release 1

Workstation 3.3.2 Locking and suspending SINA Workstation

9 Locking and suspending SINA Workstation

9.1 Locking SINA Workstation

Locking the system can result in an interruption of the network connection. For running Thin Client workplaces, this can lead to data loss.

To lock the system, you have the following options:

In the status area, right-click the SINA menu and choose Lock workstation.

Crypto file systems are still available and running workplaces stay active. As long as the SINA ID token is inserted, the existing security associations are valid.

You use this function for example, when you take a short break without tak-ing the SINA ID token with you (low security).

In the status area, right-click the SINA menu and choose Lock workstation. Then remove the SINA ID token.

The secure network connection is maintained for a limited time. Virtual ma-chines are paused and crypto file systems are locked. Access is not granted by inserting another SINA ID token.

You use this function when you take a short break and you do take the SINA ID token with you (high security).

Remove your SINA ID token without prior locking.

The secure network connection ends, the crypto file system is locked and the virtual machines are suspended.

Use this function when no Thin Client workplace is in use (very high securi-ty).

Release 1 71

Locking and suspending SINA Workstation Workstation 3.3.2

9.2 Suspending SINA Workstation in memory

This function suspends SINA Workstation temporarily and allows the user to take a short break without leaving the workplace. Active virtual machines are temporarily saved in the main memory and are available for reuse when you resume work.

The network connections are ended for security reasons and must be restored.

In the status area, right-click the SINA menu and choose Suspend to RAM.

When in the suspended state, power consumption is reduced but not eliminated. If the battery runs empty when in the suspended state, this may lead to data loss. We therefore recommend that you save your data in the virtual workplaces prior to extended periods of suspension.

72 Release 1

Workstation 3.3.2 Updating software

10 Updating software

Available software updates are indicated in the SINA menu, if this has been config-ured by the system administration for your client. SINA Workstation checks the availability of software updates when a network connection is started and then every 60 minutes, as long as the network is connected.

Figure 31: Indication of an available software update


To download a software update, click .

While the downloading the data, you can continue to work in SINA Workstation. The download progress is shown in the Lobby module and the SINA menu.

To stop the download, click . You can continue it later.

To cancel the download, click .

When the download is finished, you can install the update:

Close all workplaces.

Connect the device to the power supply.

In the SINA menu, click .

Release 1 73

Appendix Workstation 3.3.2

Appendix

List of figures

Figure 1: Communication with SINA ...................................................................................... 8

Figure 2: Secure network connections that use SINA Workstation .......................................10

Figure 3: Access to the application server ............................................................................11

Figure 4: Entering user PIN ..................................................................................................15

Figure 5: Shutting down SINA Workstation ...........................................................................16

Figure 6: SINA Workstation user interface ............................................................................17

Figure 7: Working in input areas ...........................................................................................19

Figure 8: The "Lobby" module ..............................................................................................23

Figure 9: The "Quickstart" module ........................................................................................25

Figure 10: Managing workplaces ..........................................................................................28

Figure 11: Assigning peripheral devices ...............................................................................29

Figure 12: Login dialog of an NX workplace .........................................................................30

Figure 13: User interface of the media workplace .................................................................36

Figure 14: Open medium ......................................................................................................37

Figure 15: Creating a bookmark ...........................................................................................38

Figure 16: VoIP workplace user interface .............................................................................41

Figure 17: Phone book .........................................................................................................42

Figure 18: Call list .................................................................................................................43

Figure 19: Selecting bandwidth ............................................................................................44

Figure 20: Configuring VoIP workplaces ...............................................................................45

Figure 21: Using a public network ........................................................................................46

Figure 22: Assigning a USB device to a workplace ...............................................................48

Figure 23: Connected network profile ...................................................................................51

Figure 24: Displaying properties of an imported certificate ...................................................55

Figure 25: "Administration" module, "Backup" tab ................................................................57

Figure 26: "Administration" module, "Hotplug" tab ................................................................60

Figure 27: "Administration" module, "Devices" tab ................................................................62

Figure 28: "Administration" module, "Security" tab ...............................................................63

Figure 29: "Administration" module, "System" tab ................................................................65

Figure 30: "Administration" module, "Configuration" tab .......................................................66

74 Release 1

Workstation 3.3.2 Appendix

Figure 31: Indication of an available software update ...........................................................73 List of abbreviations APN Access Point Name

BSI Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)

DHCP Dynamic Host Configuration Protocol

ICA Independent Computing Architecture

IP Internet Protocol

IPsec Internet Protocol Security

IT Information Technology

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

MTU Maximum Transmission Unit

PIN Personal Identity Number

SINA Secure Inter-Network Architecture

TCP Transmission Control Protocol

UMTS Universal Mobile Telecommunications System

URL Uniform Resource Locator

USB Universal Serial Bus

VPN Virtual Private Network

WLAN Wireless Local Area Network

WPA Wi-Fi Protected Access

Release 1 75


Glossary

Workplace Work environment (Thin Client workplace, virtual machine, media workplace or VoIP workplace)

SINA ID token contains configuration and related security settings as well as encryption methods for the respective user; credit card-sized smart card or USB token with integrated smart card; created by the system administration using SINA Management

User PIN part of the authentication process; consists of a multi-digit code

Client program that communicates with a server

Ethernet cable network technology for local data networks

Guest operating system Operating system that runs on a virtual machine

Device PIN Multi-digit code used for additional protection against unau-thorised use of a SINA ID token

IP address numerical address that uniquely identifies nodes on a network

IPsec Functions for encrypting packets that are to be transferred via IP networks; ensures secure communication between sub-nets, hosts and clients

Status area status display showing the security domain and other infor-mation about virtual workplaces

tcpdump Program for monitoring and evaluating network traffic; through access to routers and gateways, monitors communication be-tween different network participants

wi-fi most commonly used WLAN standard

WPA encryption method used for a WLAN

76 Release 1


Useful key combinations

If SINA Workstation was provided as a hardware bundle when you purchased a Lenovo ThinkPad notebook, you can use key combinations to access many functions.

Some examples (these may vary for different devices):

CTRL + Alt + L Locking SINA Workstation

CTRL + Alt + O Shows or hides the status area (see chapter 3.2).

Fn + 4 Suspending SINA Workstation (on older devices Fn + F4)

Fn + F5 Activate/deactivate WLAN

Fn + F7, Windows + P

Switch screen settings

Fn + volume Pressing Fn together with the notebook's volume key enables the volume of the master controller to be changed using the + and - keys.

Fn + speaker mute Mute loudspeaker

Fn + mike mute Mute microphone

CTRL+ Alt + F1 Switch to the first workplace (if active)

CTRL + Alt + F2 Switch to the second workplace (if active)

CTRL + Alt + F3 Switch to the third workplace (if active)

CTRL + Alt + F4 Switch to the fourth workplace (if active)

CTRL + Alt + F5 Switch to the fifth workplace (if active)

CTRL + Alt + F6 Switch to the sixth workplace (if active)

CTRL + Alt + F8 Open card reader menu

CTRL + Alt + F9 Return to the SINA Workstation user interface

CTRL+ALT+F11 Open Admin menu (see Administrator Manual)

CTRL+ALT+F12 Display log messages (see Administrator Manual)

Release 1 77


FAQs

Question Cause Solution

Why do some applications running on one virtual ma-chine stop running when I work on another virtual machine?

For security reasons, the virtual machine is suspend-ed according to the defined security classification when you change to another virtu-al machine.

Close applications in the workplace that is running.

Which factor determines the number of workplaces that can be used simulta-neously?

The number of workplaces that can be used at the same time depends on the available disk space and the configuration of the internal subnet (see SINA Manage-ment user manual).

The subnet can be configured with the following subnet masks:

/28 for up to six workplaces

/29 for up to five workplaces

If Ipv6 is used, this corre-sponds to the subnet masks /124 and / 125.

Why is the VPN status displayed as active (green) although the network sta-tus is displayed as disconnected?

As soon as a VPN connec-tion has been established, SINA Workstation checks its availability regularly. The network status display reacts to changes immediately (for example, if you move out of range of a wireless network), while the connection status display might have a de-layed reaction to changes.

Reconnect to the network (see chapter 7.2).

78 Release 1


Why am I unable to con-nect to a non-secure network (Internet) even though the Open Net-working function is enabled and the workplace is classified as unrestrict-ed?

The Open Networking func-tion connects the virtual machine without using en-cryption to the network. The IP configuration in the virtual machine is only made par-tially available by SINA Workstation.

Contact your system administrator.

WINS servers might require manual configuration.

Release 1 79

user manual...1.2.5 trusted network detection (tnd) if enabled in your permissions, sina workstation...

Documents