AppGate Security Server

Before a session can be initiated, the user must first launch an AppGate client. The user may then be presented with a connection dialog and asked to give the name of the AppGate Security Server he/she wishes to connect to. For the Java Web start version of the client all the configuration data is filled in automatically.

It is also possible to connect to the AppGate server using a standard SSH2 client, but the functionality available will be limited to port forwards and server commands.

The AppGate client establishes an encrypted communication channel to the AppGate server. All traffic between the client and the AppGate server is sent through this encrypted channel. The traffic may also be compressed if desired. This channel consists of a single TCP connection which normally runs on port 22 (SSH), other ports can also be used if needed.

The session establishment is done using the standard SSH2 protocol. It involves a Diffie-Hellman key exchange to negotiate session encryption keys. If the client has previously connected to the server or if it has been pre-configured with its public SSH keys it will verify that the keys match to protect against man-in-the-middle attacks. If the keys are not known to the client then the user will have to confirm that it is the first connection to the server.

The AppGate Security Sever consults its user account sources to find out whether the user has an account. The two most common account databases are LDAP (Active Directory) and the local AppGate server database. It is possible to use multiple account sources.

If an account is found, the system will proceed to authentication. As part of the connection dialog, the user chooses authentication method. The AppGate server checks with the account information whether that authentication method is available.

Several methods may be available at the same time for the same user. The user may already have given the credentials or will now be prompted to do so. The AppGate Security Server will use the credentials and consult the appropriate subsystem to authenticate the user.

When logging on, the AppGate client sets a number of attributes, for instance the IP address of the client, and which AppGate client is used. These attributes can later be used in access rules or client commands. See Section 11.3, “Attributes” for details.

If the user is authenticated, the AppGate server will now instruct the AppGate client to perform all defined Client Checks and ask whether an AppGate Device Firewall is available.

The results of all Client Checks and DFW presence checks are fed back to the AppGate server. Client Check result strings are set as attribute values. Access rules can later on use those attribute values to control which services the user should have access to during this session.

The AppGate server will now perform the authorization decision. Authorization is done by evaluating all applicable Access rules which are defined for the user.

All Access rules will evaluate to either true or false. Access rules can be attached to Roles and to references to Services and will govern whether those Roles and Services shall be allowed for this session.

If the user has access to only one role or if all the roles are combinable then, by default, the role selection will happen automatically without user intervention.

If not all of the roles the user has access to are combinable or if combinable merging has been turned off then the user must manually select which role/roles the session should use. The role selection can not be changed during a session. If no roles are available, for example due to access rule restrictions, then the session is terminated.

Along with the Role there may be an AppGate Device Firewall rule set defined. If so, that rule set is transferred to the client and activated.

As soon as the roles have been selected, the AppGate server will inform the AppGate client of all the Services which are part of the roles.

The different Services are presented to the user. Depending on which AppGate client the user is running and how it is configured, the Services will be presented in different ways. Perhaps the most common, and very user friendly, is the portal-like icon view of the AppGate Client.

When using a web browser for client-less access using SSL, web services will be immediately available and the discussion below will not be applicable.

In the icon view, the user can start a Service by double-clicking on its icon.

When a Service is started, all its Components are activated. The most common Component type is the IP access rule. An IP access rule enables access to the specified IP addresses / host names and port numbers.

When the client activates an IP access rule, it asks the AppGate server to prepare to handle traffic. The client will also make the necessary preparation on the client computer to make sure that the relevant application protocols and data traffic will flow through the AppGate system - this is called traffic capture.

There are two methods that can be used for traffic capture: Port Forward and IP tunneling.

There are a number of other components that all can be combined into a Service, Client commands, Server commands, proxies etc.

When the user closes the connection to the AppGate server the session is terminated, all traffic flows are stopped and the user is logged out.

If the Roaming feature is used, the session may be temporarily Suspended but still active. Later on it may be Resumed. This is very useful for mobile applications. See Section 3.3.5, “Roaming (Suspend/Resume)” for details.

When setting up an AppGate system, the most common problem is to get any surrounding firewalls to allow the necessary traffic.

All application traffic from the client to the AppGate server will go through the SSH tunnel. On the AppGate server it will be decrypted and travel onwards as clear text.

Allow traffic to the AppGate server

The AppGate Security Server is by default using port 22 for incoming connections for SSH2. This port number can be changed and other ports can be added using the AppGate Console.

The AppGate Security Server also acts as a web server to allow for downloading of the various clients, the AppGate Applet and the Java Web Start files. The web server listens on port 80 by default. This can be changed from the configuration files. The web server can also be configured for HTTPS/SSL and will then normally listen on port 443.

If the AppGate server is connected on a DMZ, the firewall rules must allow for the clients to reach the SSH port (22) and for the web server port 80 and/or port 443 (SSL).

Allow traffic from the AppGate server

From the AppGate server to the application servers the traffic will be using the normal application port numbers and protocols. Therefore, any firewall in between must allow for the application data to flow accordingly.

When the Port Forward method is used, the source IP address of the traffic to the application server will be the IP address of the AppGate server.

If IP tunneling is used, the source IP address of traffic going to the application servers will be an address from the configured IP tunneling address pool.

The AppGate Security Server can use one or more Ethernet interfaces. The AppGate server can have one or more IP addresses on each interface. It will normally not forward traffic between interfaces. In terms of routing, the following should be considered.

Default route

If one of the interfaces is connected to the Internet, or possibly any large routed internal network with many IP networks, it is probably a good idea to use the default route for that interface. It is only possible to define one default route for the whole AppGate server.

Additional routes may be added as static routes for any interface.

It is possible to use the AppGate server as a simple firewall and let it forward normal non-encrypted traffic between interfaces. This can be useful to allow for traffic from a protected application server to reach the outside. In this case, static routing entries are probably needed on the application server and on the hosts it is communicating with. Those static routes should point to the AppGate server as the gateway.

IP tunneling address pool

There are two approaches when defining an IP tunneling address pool.

AppGate Client is the name of the most complete and most widely used of the different clients. AppGate Client is written mostly in Java, with some native code components. These native code components handle interfacing with the local operating system, PKI authentication, fast encryption and compression. AppGate Client is the standard and recommended client.

Note that the AppGate Connect client and applet are deprecated and will dissappear in a future version of AppGate. There will be a new applet based on the full AppGate client.

AppGate Connect is the name of the simpler client. It is, just like AppGate Client, written mostly in Java and with some native code components. These native code components handle interfacing with the local operating system, PKI authentication, fast encryption and compression.

The main differences between AppGate Client and AppGate Connect is the GUI and the fact that AppGate Connect is also available as a java applet. The AppGate Applet client is just AppGate Connect started as an applet.

The AppGate Mobile Client is a client specifically geared towards mobile devices. Currently it supports Windows Mobile, Sony Ericsson UIQ3 based phones and Nokia S60 3rd edition devices.

The Citrix and Terminal server clients are special versions of AppGate Client and AppGate Connect. These are meant to be used when the user's computer is a Citrix or Terminal Server client. That is; the user runs the AppGate client on a Citrix or Terminal server system to access a remote AppGate server. These clients have nothing to do with accessing Citrix or terminal servers behind an AppGate server.

These clients use a special program, called agmud, to handle IP access components. This program runs as administrator and is able to differentiate between users, so that each user utilizes the right AppGate connection. That is; this program manages the separation between the users on the Citrix or Terminal server. For instance, say that users A and B, running on the same Citrix or Terminal server, have both launched AppGate clients. The agmud program makes sure that only user A may access the services provided by user A's AppGate client, that is; user B or C may not access the opened ports. agmud will also manage port conflicts so that both A and B can start the same IP access but the traffic from user A ends up in the tunnel opened by A and vice versa.

These clients must be installed by an administrator on the Citrix or Terminal server. To the users the clients will look and behave like the ordinary AppGate clients.

Note that IP tunneling and Device Firewall integration is not available on Citrix and Terminal server.

The AppGate clients (Client and Connect) have been tested on Windows 2000/XP/2003/Vista, Linux, Mac OS X and Solaris. The clients should work on any OS which has a proper Java implementation. The mobile client should work on any Windows Mobile device as well as Nokia S60 3rd edition and Sony Ericsson UIQ3 devices.

The AppGate IP Tunneling Driver (IPTD) is complementary software and will work with both Client and Connect, regardless of how they are deployed. When any of the AppGate clients starts, it will detect whether the IP Tunneling Driver is installed, and use it.

The AppGate IP Tunneling Driver consists of a service and a virtual network adapter which will tunnel IP traffic to and from the AppGate server over the SSH connection. The AppGate IP Tunneling Driver is optional, but must be installed if any of the following functionality is needed:

When the AppGate IP Tunneling Driver is installed, it will also handle hosts file writing and forward DNS queries to DNS servers behind the AppGate server. Installing the tunneling driver requires administrative privileges. However, when the driver is installed, any user starting an AppGate client will take advantage of the driver.

The AppGate IP Tunneling Driver is currently supported on Windows 2000, Windows XP, 32-bit Windows Vista, Mac OS X, Linux and Solaris.

The AppGate Hosts File Writer (aghostsd) is complementary software for Windows 2000, XP, Vista, Linux and Mac OS X. It works with both Client and Connect, regardless of how they are deployed. When any of the AppGate clients starts, it will detect whether the Hosts File Writer is installed, and use it.

The Java Web Start versions of the Linux and Mac OS X clients includes the hosts file writer and will ask the user for the superuser password in order to be able to install it if needed.

The hosts file writer adds and removes entries in the windows hosts file and the lmhosts file on behalf of the AppGate client. The hosts file writer runs as a windows service with administrator rights and may thus be used when it isn't possible or desirable to let ordinary users write to the hosts file or the lmhosts file.

On the Windows platform it is possible to integrate the AppGate clients with the AppGate Device Firewall (DFW). The DFW has the unique feature of a near zero user interface, which makes it ideal when rule sets are to be enforced on sensitive VPN connections.

The DFW is a separate product, but if installed, the AppGate clients will detect it and may dynamically load rules into it. The rules will be fetched from the AppGate Security Server and be in effect during an AppGate session.

The AppGate clients will report the status of the DFW back to the AppGate Security Server, so that access rules can take this into account.

There are three different ways of deploying the AppGate Java based clients. They can be deployed using Java Web Start, installed on the user's PC or launched as applets. This section explains those methods and the issues surrounding them. Deployment of mobile clients is discussed in Section 3.2.9, “Over the air provisioning of mobile clients”.

Both Java Web Start and applet will make sure that the local client is always up to date. That is any updates done on the AppGate server are automatically downloaded. The installed client has no auto-update feature.

Both Java Web Start and the installed client are able to place an icon on the desktop automatically. The JWS client can also be started by clicking on a link on a webpage.

The clients have the ability to update the hosts file with names of servers reachable through the AppGate server. The hosts file may be updated in either of the following two ways:

On Unix systems the client may not listen to ports under 1024 (unless running as root). The Mac and Linux installation packages includes a small port mover program which is installed setuid root which allows the client to listen on low ports. This port mover also handles writing to the hosts file. The Java Web Start clients also includes the port mover and will ask the user if they wish to install it if needed. The user will have to enter the superuser password in order to be able to install it.

The AppGate clients for Mac OS X are distributed as disk images. To install one, open the disk image and install the meta package in the top level directory. This will install the client and the AppGate Local Forwarder. The default installation path for the client is the system-wide Applications directory, but it is possible to select another path during installation.

Administrator privileges are required to install the meta packages, since they include the AppGate Local Forwarder. If the AppGate Local Forwarder should not be installed, it is possible to install the client package from the 'packages' directory. This does not require administrator privileges, but automatic hosts file writing and forwarding of privileged ports will not be available.

All AppGate clients require that Java is installed on the client machine to be able to run.

The client software for the Solaris platform is found on the USB in the AppGate/client/SunOS directory. The directory contains several packages with manual pages and executables. For instance, to install the AppGate Client package, run

 cd /usb_mountpoint/appgate/AppGate/client/SunOS/`uname -p`
 cp APPGclnt.pkg.gz /tmp
 cd /tmp
 gunzip APPGclnt.pkg.gz
 pkgadd -d APPGclnt.pkg APPGclnt
    

Installing the client places the files of this package in /opt/APPGclnt. A bin directory and a man directory will be created to hold the executables and the manual pages. Start the AppGate Client by executing /opt/APPGclnt/bin/agclient.

No further configuration of this package should be necessary.

All AppGate clients require that Java is installed on the client machine to be able to run.

The client software for the Linux platform is found on the USB in the AppGate/client/Linux directory. The AppGate Client can be extracted/installed by executing the following command:

 bzip2 -cd /path_to/agclient.i386.tar.bz2 | tar xf - 

A subdirectory structure called opt/APPGclnt will then be created in the current directory. Start the AppGate Client by executing the file opt/APPGclnt/bin/agclient

The AppGate client may be distributed to users through the AppGate web server. If this method is used, each user needs to connect to the AppGate server with a web browser. Once connected, the user will be presented with a screen similar to the following.

The user may then click on the platform they are installing on. A File Download dialog box will then appear asking whether the user would like to run agclient.exe from its current location or save the file to disk. The user must select one of the two options and click OK for the download and installation to begin.

If the user chooses to run agclient.exe from its current location, the executable will automatically self-extract the package and begin the installation. If the user saves the file to disk, he must double-click on agclient.exe after it has finished downloading in order for the extraction and installation to begin.

From that point onward, the installation will behave identically to a generic USB installation (or a distributed installation package with no pre-configuration).

The AppGate IP Tunneling Driver can only be installed on computers running Windows XP or later, Linux, Mac OS X or Solaris. Administrator privileges are required for the installation.

If the AppGate IP tunneling driver should be upgraded, the previous version has to be uninstalled first.

The AppGate Hosts File Writer can only be installed on computers running Windows 2000, Windows XP or Windows 2003. Administrator privileges are required for the installation. The installation file is named aghostsd.exe.

It is possible to wrap the AppGate clients for Windows into a new installation package. This is usually done to achieve one of the following goals:

Please refer to the AppGate Support Web for detailed instructions regarding the necessary components.

Over the air provisioning is a way to install and configure the AppGate client on a mobile phone over the air. The administrator can make the AppGate server send SMSes to the mobile phone. The first SMS contains a link to the client installation package and once installed the client will use the second SMS to configure itself. It is also possible to automatically setup email accounts on the phone.

The net effect is making it easy for the mobile phone user to get started. They just need to press Ok a couple of times and enter their password before they are set up and can read their email. The whole goal of this is to make it as easy as possible for users to get started using Appgate to access their email from a mobile phone.

    mailaccount [-domain MAILDOMAIN] [-launch]

    browse http://appgate_server_addr/agmobile?asclient

    syncaccount [-domain MAILDOMAIN] [-launch]

As soon as the AppGate client is started, it looks for a configuration file, and, if one exists, reads it. The Java Web Start client will also download configuration from the server, which allows the administrator to configure the first screens as well. The client will then display the Open connection dialog.

To open a connection to an AppGate server:

It is also possible to open the Connection properties dialog by pressing the 'Properties...' button. There is normally no need to do this.

When the AppGate client connects to an AppGate server for the first time, and the installation software has not installed a server host key, a dialog box may be shown.

This box asks the user to acknowledge that he is connecting to a new server. Pressing the details button will show the key fingerprint for the server. The key fingerprint will be the same for any user who connects to the same server. Therefore, the user may check the fingerprint against another installation to verify its validity before accepting it. This provides additional protection against man-in-the-middle attacks. The user must click OK in order to accept the host key and continue with the connection.

It is possible to view the host key for a server which the client is connected to. This is done by right-clicking on the server name and selecting 'Properties...' in the menu.

If the received server key does not match the stored key, the connection will fail. This is usually due to one of two events: the server software has been reinstalled and a new server key has been created, or someone is pretending to be the AppGate server (i.e. someone tries to act as a man in the middle that relays and controls the traffic to the server). Under both circumstances, please contact a system administrator to make sure nothing suspicious is going on! If there are absolutely no doubts that the server key has changed, the locally stored key can be deleted. The host keys can be found in the following directories:

The first step when connecting is to authenticate the server. Depending on the configuration, the client may present the server host key to the user for verification at the first connection (see Section 3.3.3, “First time connection”).

The server authentication process is followed by user authentication. Depending on the selected authentication method, additional dialog boxes asking for authentication information may be displayed.

When a user logs on to an AppGate server, the server checks the status of the account. If the user is already logged in, a message saying "You are already logged in" may be displayed (see Section 4.9.3, “Connection Settings” for details on how to enable/disable this message).

When the user has been successfully authenticated, information about accessible Roles, Services and server configuration parameters is downloaded.

Access to each service and role on the protected network is given, based on the evaluation of Access Rules. In other words, the services a user is granted access to during a specific session depends on the access rules that have been configured for each protected service/role and which of these rules are matched by the user at that time. The services/roles accessible to the user may therefore vary from session to session.

Roaming is a feature which allows clients to suspend the connection to the AppGate server and later to resume it again. The user does not need to re-authenticate when reconnecting. Indeed, the entire process can be completely automated and nearly invisible to the user. All established connections will remain alive while roaming. This feature is intended for mobile users who move around much in the network.

The user may change network location while roaming. The only requirement is that the user can reconnect to the AppGate server using the same name when resuming. For instance, a salesman may begin the day by logging on from his home network over a DSL connection. Then he suspends the connection and goes to the day's first customer, where he reconnects using a public wireless hot-spot. Later in the day, he may reconnect using a 3G card in his laptop. Another example is a user using the mobile client on his smartphone. Since coverage may be spotty, the phone loses network connectivity often, but roaming hides this from the user. In both cases, it is a great convenience for the users to not have to re-authenticate each time they want to resume the session.

Technically, roaming is accomplished by closing the TCP tunnel when the connection is suspended. When resuming, a new TCP connection is made to the server and the SSH data stream is redirected to this new connection. The user does not need to authenticate again, instead the client authenticates to the server, without user interaction, with the help of a random password which was made up when the user authenticated at the start of the session. In addition to knowing this password, the client must also know the encryption keys and encryption state to be able to reconnect. It is therefore impossible for a third party to break in and take over a suspended session.

To be able to use roaming, the user must have access to the roaming capability. That is, one service which the user has access to must include the roaming capability. It is also up to the administrator to set how long time a roaming user may be roaming.

Roaming can be more or less automatic. The exact level of automation is controlled by the client. The client will automatically enter the suspended state if the connection to the server is lost, assuming roaming is available. Also, the Windows client will do a suspend/resume cycle whenever the machines network configuration changes. The client may also be configured to automatically suspend the connection if no data has been sent for 60 seconds. Resuming can be manual or happen automatically when new data is sent by the client. Note that it is only the client which may resume a session. Automatic suspend/resume can be configured in the Connection properties dialog.

The maximum roaming time can be configured from AppGate Console, see Section 4.9.3, “Connection Settings”.

After the client connects to the AppGate server and the user is authenticated, the