
Intelligent Application Gateway User Guide


Contents

1. ...remote users' access to Novell NetWare Servers is enabled.

Changing the Date Format of Files and Folders

The date format of the files and folders that remote users see in their browsers is determined by the IAG on which the File Access application is installed, not by the user's local computer. By default the format is M/d/yyyy. You can change it to d/M/yyyy as described in this section.

To change the date format of files and folders:
1. At the IAG where the File Access application is installed, use the Registry Editor to open the following key: HKEY_USERS\.DEFAULT\Control Panel\International
2. Change the value data of sShortDate to d/M/yyyy.
[Figure: Registry Editor at HKEY_USERS\.DEFAULT\Control Panel\International, showing sShortDate (REG_SZ) set to d/M/yyyy alongside sLanguage, sLongDate, sTime and the other locale values]
3. Restart the I
2. ...
- Files were not modified through CustomUpdate folders.
- Files were modified through CustomUpdate folders, but the configuration settings are wrong.
- File incompatibility during a system upgrade.
Resolution: Verify that all modifications to the module's default settings are performed according to the instructions provided in the IAG's documentation set.

Warning 31: Global Out Of The Box Rules

Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL is blocked by the application's Out Of The Box Security Rules."

Cause: The requested URL contains an illegal character according to the definition of the trunk's global out-of-the-box security configuration.

Resolution: If you wish to cancel the enforcement of the global out-of-the-box security rules for this trunk, take the following steps in the Configuration program:
1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.
2. In the Out Of The Box Security Configuration area, uncheck the option Check Global Out Of The Box Rules.
Note: This option is global and affects all the applications in the trunk; unchecking it removes the illegal-character check for every one of them, so confirm that the blocked character is genuinely required by the application before doing so. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, URL Inspection Tab, Out
3. For information about privileged sessions, refer to the Intelligent Application Gateway Advanced Configuration guide, Default and Privileged Session Settings, on page 137. The lead user is the user who initiated the session.

The Applications tab lists all the applications for which the session users are authorized and, for each application, whether users are allowed to access it or only view it, and whether or not it has been launched.

The Endpoint Information tab provides information about the endpoint computer from which the session was initiated, including:
- Whale Client Components that are installed on the computer. For information about the Whale Client Components, refer to Whale Client Components on page 147.
- Other software installed on the computer that is related to the computer's interaction with the IAG, such as anti-virus software or the browser version.
- The IP address and domain of the endpoint computer, and whether it is an IAG Certified Endpoint. For information about Certified Endpoints, refer to Certified Endpoints on page 118.
Tip: The information provided in the Endpoint Information tab is similar to the information provided to the end user on the endpoint computer in the System Information window.

The Parameters tab lists all the session parameters, including the type and value of each parameter. You can view a li
4. Table 36: User's Application Access Statistics Parameters

Parameter           Description
Session ID          Unique session ID. Clicking the plus sign next to the session ID, or clicking the ID itself, displays a list of all the applications the user accessed during the query period, with the user's access details for each application. The expand-all and collapse-all buttons expand and collapse the display for all sessions respectively. Once a session's view is expanded, clicking an application name, or the plus sign next to it, displays details of all of the user's accesses to that application during the session.
Session Start Date  Date and time when the session was started.
Session End Date    Date and time when the session ended. For sessions that are currently active, "Active" is displayed.
Duration            Duration of the session, from the time it was started until the time the query was generated.

Event Viewer

Using the event logs in the Event Viewer, you can view system, session, security and application events and gather information about user and system activities. The Event Viewer window presents a constantly updating snapshot of recent events that occurred on the IAG you are monitoring.

Figure 59: Sample Event Viewer [Event Viewer, All Events; server time 03/21/2006 16:55]
5. [Figure: Endpoint Policies area of the Session tab; Privileged Endpoint Policy: Default Privileged Endpoint; Install Socket Forwarding Component Policy: Always; Edit Policies; Prompt User when Retrieving Information from Endpoint]

Note: The selection and editing of endpoint policies, both in the Create New Trunk Wizard and in the Session tab of the Advanced Trunk Configuration window, is disabled when the option Disable Component Installation and Activation, in the Session Configuration area of the Session tab, is activated.

In addition, you can use the Endpoint Policies area to do the following:
- Change the selected Install Socket Forwarding Component Policy. This policy is only relevant for Portal trunks; it defines the conditions under which the Socket Forwarding client component can be installed on the endpoint computer, in order to enable the use of the Socket Forwarding component for SSL Wrapper applications. For details, refer to Chapter 6, SSL Wrapper.
Note: If you activate the option Uninstall Socket Forwarding Component, in the Endpoint Settings area of the Session tab, any Socket Forwarding Client Components that are installed on endpoint computers are removed the next time users access the site. While this option is activated, the Socket Forwarding component is not installed on endpoint computers, regardless of a computer's conformity to the Install S
6. - SMTP server information, including IP address or host name, port and, if required, user credentials.
- Mail details, including the fields of the email messages issued by the mail reporter and the list of recipients for the messages.

The way in which you enable and configure the mail reporter is described in Enabling the Mail Reporter to Send Messages on page 246. By default, even when the mail reporter is activated, none of the messages handled by the Event Logging mechanism are sent to this reporter, since it should only be used to report specific urgent or extremely important IAG-related events. You therefore have to decide which of the messages should be sent by email and configure them manually, as described in Configuring which Messages are Sent by the Mail Reporter on page 247.

Enabling the Mail Reporter to Send Messages

This section describes how you enable the mail reporter to send event messages via the SMTP server.
Note: Even when the mail reporter is enabled and configured, the SMTP server will not send event-related messages until you define which messages are sent to the mail reporter, as described in Configuring which Messages are Sent by the Mail Reporter on page 247.

To enable the mail reporter to send messages:
1. In the Configuration program, on the Admin menu, click Event Logging. The Event Logging dialog box is displayed.
2. Select
7. Session Monitor: Active Sessions

The Session Monitor Active Sessions window provides a detailed snapshot of the currently open sessions for each trunk. Use it for online user-access tracking and troubleshooting. You select which trunk to display at the top left corner of the window. The parameters provided for each session are listed in Table 28, Parameters of the Session Monitor Active Sessions, on page 269.

By default the window refreshes its data every five minutes. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, Customizing the Web Monitor Windows, on page 72.

Figure 43: Sample Session Monitor Active Sessions Window [server time 03/14/2006 16:57; current trunk: portal; columns: Session ID, Lead User, Repository, Started At, Duration, Authenticated, Events, Terminate Session; five sample sessions started between 16:29 and 16:33 are listed]
8. This installation mode is suitable for end users who have ActiveX download rights in an Internet Explorer browser and are logged in with Power User or Administrator privileges. In this mode, as soon as users try to access the site, before the Login stage, the IAG downloads the Whale Component Manager onto their computer. Once the Component Manager is installed on the endpoint computer, it determines which of the remaining components need to be installed each time the user accesses the site, and installs them as follows:

By default, the following components are installed automatically:
- Attachment Wiper
- Client Trace utility
- Endpoint Detection
If required, you can configure other components to be installed automatically, as described in Configuring the List of Automatically Installed Components on page 152.

The rest of the components are installed as required. For example, when the user accesses a non-web application for the first time, the Component Manager installs the SSL Wrapper component.

Configuring the List of Automatically Installed Components

This section describes how you add components to the default list of components that the Component Manager installs automatically on the endpoint computer.

To add components to the list of automatically installed components:
1. At the IAG, access the following custom folder; if it does not exist, create it: Whale-Com\e-Gap\von\InternalSite\inc\Cus
9. Tip: For a description of the Advanced tab, refer to Advanced Tab on page 199. If you do change the default server resources settings, then once you are through troubleshooting the server, click Restore Defaults in the Server Resources section of the Advanced tab.

Network Traffic Logs

This section describes how you enable the logging of network traffic on the Network Connector server.
Caution: Use network traffic logs for advanced troubleshooting purposes only, since they create large, accumulating dump files. The files are not deleted automatically and may reduce server performance considerably. Because the dumps contain the remote clients' traffic, restrict access to them, delete them when you are done, and remove the value again so that capture does not continue.
Tip: The dump files can be written, read and deleted while the Network Connector is in session.

To enable logging of network traffic on the Network Connector server:
1. On the computer where the Network Connector server is installed, access the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\RemoteAccess
2. Under the key you accessed in step 1, create a new Registry key: NetworkConnector
3. Under the key you created in step 2, create a DWORD value named log_sniff and set its value data to one of the following:
   1 enables logging of low-level network traffic to and from remote clients.
   2 enables logging of tunneled network traffic to and from remote clients.
   3 enables logging of both low-level
10. Tip: If a file by this name already exists, use the existing file; you do not need to create a new one.
3. In the file you defined in step 2, add the following lines:

   <% SetSessionResourceParam g_cookie, "<Application_ID>RWSAuthorization", "<Value>" %>

   Where Application_ID is the application's ID number, which you can copy from the General tab of the Application Properties dialog box, and Value is the value you wish to send to the application server.
   For example, to send a "User_group: unlimited" header: in the Web Settings tab, name the Authorization Key User_group and select the format Header; in WhalePortalPostPostValidate.inc, enter the value unlimited.

Web Server Security Tab

Note: This tab is not applicable to Client/Server and Legacy applications.

Use this tab to protect the application against HTTP Request Smuggling (HRS) attacks.

Figure 11: Application Properties, Web Server Security Tab [Application Properties for "Webtop Documentum"; tabs: Web Servers, Web Settings, Web Server Security; Content Types: application/x-www-form-urlencoded, multipart/form-data; Max HTTP Body Size: 49152 bytes]

Table 12: Web Server Security Tab Parameters
Parameter                        Description
Activate Smuggling Protection    Acti
Content Types
Max HTTP Body Size
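The Web Server Security tab names three inputs (Activate Smuggling Protection, Content Types, Max HTTP Body Size) but the excerpt does not describe what the gateway does with them. The following is an added example, not IAG code, of the checks a reverse proxy performs with those inputs: it refuses ambiguous framing (the Content-Length/Transfer-Encoding conflict that CL.TE and TE.CL smuggling rely on), enforces the body-size limit on both declared and chunk-decoded bodies, and restricts request bodies to the configured content types. The sample requests, host name and default limit are constructed for the example.

```python
"""HTTP Request Smuggling (HRS) checks of the kind the Web Server Security
tab configures. Added example, not IAG code: the page names the tab's
parameters (Activate Smuggling Protection, Content Types, Max HTTP Body
Size, 49152 bytes in the screenshot) but not the gateway's internal logic.
This shows how a reverse proxy enforces those inputs together with the
conflicting-framing check every HRS defence needs. Requests are constructed.
"""
import re
from typing import List, Tuple

ALLOWED_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")
MAX_BODY_SIZE = 49152  # bytes


def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw request into (request line, headers, body); headers are a
    list so duplicate names survive for inspection."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # obs-fold, space before the colon and junk lines are desync tricks
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Strict chunked decoder: hex sizes, CRLF after each chunk, no trailers,
    nothing after the terminating chunk."""
    out, rest = b"", body
    while True:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            raise ValueError("truncated chunk-size line")
        size_field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            if rest != b"\r\n":
                raise ValueError("data after the terminating chunk")
            return out
        if len(rest) < size + 2 or rest[size:size + 2] != b"\r\n":
            raise ValueError("chunk shorter than its declared size")
        out, rest = out + rest[:size], rest[size + 2:]


def check_request(raw: bytes, allowed_types=ALLOWED_CONTENT_TYPES,
                  max_body=MAX_BODY_SIZE) -> Tuple[bool, str]:
    """Return (accepted, reason); rejected requests never reach the server."""
    try:
        _, headers, body = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    ct = [v for n, v in headers if n == "content-type"]
    # Ambiguous framing is what CL.TE / TE.CL smuggling exploits: accept one
    # framing header with one value, nothing else.
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1 or len(te) > 1:
        return False, "duplicate framing header"
    if te and te[0].lower() != "chunked":
        return False, f"unsupported Transfer-Encoding {te[0]!r}"
    if cl:
        if not re.fullmatch(r"\d+", cl[0]):
            return False, f"non-numeric Content-Length {cl[0]!r}"
        declared = int(cl[0])
        if declared > max_body:
            return False, f"Content-Length {declared} exceeds {max_body} bytes"
        if declared != len(body):  # short = truncated; long = hidden request
            return False, "Content-Length does not match the bytes received"
    if te:
        try:
            body = decode_chunked(body)
        except ValueError as exc:
            return False, f"bad chunked body: {exc}"
        if len(body) > max_body:
            return False, f"decoded body exceeds {max_body} bytes"
    if body and not (cl or te):
        return False, "body without a framing header"
    if body:
        if len(ct) != 1:
            return False, "body must carry exactly one Content-Type"
        media_type = ct[0].split(";", 1)[0].strip().lower()
        if media_type not in allowed_types:
            return False, f"Content-Type {media_type!r} not permitted"
    return True, "ok"


# Constructed sample requests, not captured traffic
HOST = b"Host: portal.example.com\r\n"
LEGIT_FORM = (b"POST /app/login HTTP/1.1\r\n" + HOST +
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 7\r\n\r\na=1&b=2")
CL_TE_SMUGGLE = (b"POST /app HTTP/1.1\r\n" + HOST +
                 b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
OVERSIZED = (b"POST /app HTTP/1.1\r\n" + HOST +
             b"Content-Type: multipart/form-data; boundary=x\r\n"
             b"Content-Length: 100000\r\n\r\n")
JSON_BODY = (b"POST /app HTTP/1.1\r\n" + HOST +
             b"Content-Type: application/json\r\nContent-Length: 2\r\n\r\n{}")
CHUNKED_OK = (b"POST /app HTTP/1.1\r\n" + HOST +
              b"Content-Type: multipart/form-data; boundary=x\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
```

Run `check_request(CL_TE_SMUGGLE)` to see the classic smuggling prefix rejected before any body parsing, and `check_request(JSON_BODY)` to see a body type outside the configured list refused even though its framing is clean. Treating a Content-Length shorter than the received bytes as an error also refuses HTTP/1.1 pipelining; a gateway that must support pipelining would instead hand the remainder back as the next request rather than accept it silently.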
11. To cancel the disabling of the "Do not save encrypted pages to disk" setting on the endpoint computer:
1. At the IAG, use the Registry Editor to access the following location: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\common\GUI
2. Create a new DWORD value named Change_NoSSLCache_Setting and set its value to 0.
[Figure: Registry Editor at HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\common\GUI, showing Change_NoSSLCache_Setting (REG_DWORD) = 0x00000000 (0)]
3. Open the Configuration program. Click the Activate button, select the option Apply changes made to external configuration settings, and click Activate.
Once the configuration is activated, the "Do not save encrypted pages to disk" setting is no longer changed on the endpoint computer.

Certified Endpoints

A Certified Endpoint is a computer that has been certified by the organization using a client certificate.
Tip: You can set a policy whereby users can only access a site or an application if their computer is a Certified Endpoint. For details, refer to Endpoint Policies on page 93.
The Certified Endpoint feature relies on PKI infrastruct
12. [Figure: Session tab of the Advanced Trunk Configuration window. Session Configuration: Error Message URL (/InternalSite/InternalError.asp), Disable Component Installation and Activation, Disable Scripting Before Application Start, Use Endpoint Certification, Verify User Name Against Certificate, Concurrent Sessions Threshold, Max Concurrent Unauthenticated Sessions, Concurrent Unauthenticated Sessions Threshold, Attachment Wiper Cleans Application-Specific Temporary Files, Use DNS Suffix. Endpoint Policies: Session Access Policy (Default Session Access), Privileged Endpoint Policy (Default Privileged Endpoint), Install Socket Forwarding Component Policy (Always), Edit Policies, Prompt User when Retrieving Information from Endpoint. Default Session Settings: Inactive Session Timeout 300 seconds, Automatic Scheduled Logoff after 60 minutes, Nullify Cookies on Logoff, Avoid Browser-Side Caching, Activate Attachment Wiper ActiveX, Prompt User to Disconnect Channel when Portal is Closed without Logoff, Re-open Portal if User Selects to Keep Channel Open. Privileged Session Settings: Inactive Session Timeout 1800 seconds, Automatic Scheduled Logoff after 1440 minutes, Nullify Cookies on Logoff, Avoid Browser-Side Caching, Activate Attachment Wiper ActiveX, Prompt User to Disconnect Channel when Portal is Closed wit]
13. - Configuring the Attachment Wiper, on page 112.
- Cleanup of items that are saved outside the cache, described in Cleanup of Items That Are Saved Outside the Cache, on page 113.
- Scheduled cleanup, which triggers a cleanup after a pre-configured timeout period, described in Configuring a Scheduled Cleanup, on page 115.

The code that triggers the Attachment Wiper to clean the browser's cache on the client is embedded in the Logoff Message page supplied with the IAG. If, however, the trunk is configured to use a custom Logoff page, you need to add the code to the custom page. This option is described in Enabling the Attachment Wiper on a Custom Logoff Message Page, on page 116.

To cancel the disabling of the "Do not save encrypted pages to disk" setting on an endpoint computer running Internet Explorer, refer to When Encrypted Pages Are Saved to a Location Other Than Temp Files, on page 117.

Configuring the Attachment Wiper

You configure the Attachment Wiper in the Session tab of the Advanced Trunk Configuration window.

Figure 20: Configuration of the Attachment Wiper [callout: Select whether to activate the Attachment Wiper for default sessions; Advanced Trunk Configuration for "Application Access Portal", tabs General, Authentication, Session; Session Configuration: Max Concurrent Sessions 10000; Session Notifications Timeout 60
14. Copy the file you accessed in step 1 into the following custom folder; if the folder does not exist, create it: Whale-Com\e-Gap\von\conf\CustomUpdate. If such a file already exists there, use the existing file.

In the file under the CustomUpdate folder, edit the cookie list under the tag <EXCLUDE_COOKIE_LIST>. Note that cookie names are defined using regular expressions, so a pattern that is broader than the cookie you mean to exclude (an unanchored fragment, or a bare wildcard) exempts every cookie it matches from encryption; for details, refer to the Intelligent Application Gateway Advanced Configuration guide, Appendix B, Regex (Regular Expression) Syntax.

In addition to the cookie list, the file WhlExcludeCookie.xml stores, in the tag SECURITY_PREFIX, a security prefix that is used in the encryption of cookie names and cookie values. By default the value of the security prefix is "ce". If required, you can change the value of the prefix in the file in the custom folder.

Download/Upload Tab

This tab is applicable in Portal trunks for Built-In Services, Web Applications and Browser-Embedded Applications, and in Basic trunks. It defines the method by which the IAG identifies URLs in order to enforce the application's Upload and Download policies.
Note: If none of the options in the Download/Upload tab are activated, no uploads or downloads to and from the application are blocked, regardless of the settings of the application's Upload or Download policies. The application's policies are defined in the General tab, described in General Tab
15. DoNotRemoveProfile MyDomain\Admin
You can configure an unlimited number of profiles to be left out of the deletion process by configuring one DoNotRemoveProfile parameter for each profile.

Note: This section is only relevant if the network includes Novell NetWare Services and you wish to enable remote access to NetWare Servers. The settings you configure here are not related to the Novell Directory server, which you can use for authentication and authorization.

In the following procedure you determine the logon credentials that are used while configuring users' access to the Novell NetWare Servers. Note that during the configuration of the NetWare Servers, only the servers and shares that are enabled for the user with which you log on will be available in the File Access window.
Tip: The actual configuration of remote users' access to the NetWare Servers is described in Configuring Access to Domains, Servers and Shares, on page 229.

To configure Novell logon settings:
1. Access the File Access window as described in Accessing the File Access Window, on page 222.
2. In the left pane of the File Access window, under General, click Novell. The Novell Logon settings are displayed in the right pane.
[Figure: Novell Logon pane with Reset and Save buttons; Logon To Novell NetWare: Using Windows User Name / Using Followi
16. In the domain, create a group of all File Access users and grant the group local logon permissions on the IAG, regardless of each user's privileges. Because "Allow log on locally" is a sensitive right on the gateway host, keep this group limited to the accounts that actually need File Access.

Installing a Client for Microsoft Networks

This section describes how you install a Client for Microsoft Networks on the IAG during the domain setup.
Note: You might be required to provide the Windows Server 2003 installation CD during this procedure.

To install a Client for Microsoft Networks:
1. At the IAG, on the Windows desktop, click Start, then select Settings > Network Connections.
2. In the list of connections, select the Local Area Connection that is used to access the File Access resources. The Local Area Connection Status dialog box is displayed.
3. Click Properties.
[Figure: Local Area Connection Properties dialog, General tab; Connect using: Intel(R) PRO/100 S Desktop Adapter; items: Client for Microsoft Networks, Network Load Balancing, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP); Install, Uninstall and Properties buttons]
4. Under t
17. Note: If the installation detects that Whale Client Components are already installed on the computer, it upgrades any components of older versions, even if their installation is not enabled in the current installation configuration.

When the Whale toolbar is used, the Network Connector component-only installer is always downloaded on browsers other than Internet Explorer, such as Netscape Navigator or Mozilla Firefox, so that the Network Connector client can run via the SSL Wrapper Java applet.

Installing the Whale Client Components via the Installer

Once you configure the Whale Client Components Installer, as described in Configuring the Whale Client Components Installer on page 154, users can download the installer onto their computer using the installer button or link on the portal homepage.

To install the Whale Client Components via the Installer:
1. At the portal homepage, click the installer button on the Whale toolbar or, if the Whale toolbar is not used, click the link to the installer. The file that was defined during the configuration of the button or link is downloaded onto the computer. When prompted, select to save the file.
2. Log out of the portal using the site's logout mechanism and close all the browser windows that were opened through the portal. For example, in sites that use the Whale toolbar, click the logout button to log out of the portal.
3. Run the
18. List of trusted sites (mandatory)
  Data: Define a site as follows. Schema: HTTPS or HTTP. Host: FQDN or IP address. Port: port number, optional for the default ports 443 and 80. The identity of trusted HTTP sites is not verified, since they do not use a server certificate.

End date of pilot mode (optional)
  Description: While in this mode, the identity of the sites on the Trusted Sites list you defined here is not verified. Caution: Use this option for a very limited time, and not during system up-time.
  Data: A date in the format mm/dd/yyyy. By default no pilot period is configured.

Prompt value
  Data: 1: users are prompted and can select whether or not to add the site to the Trusted Sites list. 0: users are not prompted, and access to the site is denied. If this value is not defined, users are prompted.

Restoring the Whale Client Components Defaults

End users can restore the Whale Client Components settings on their computer to the default values in one of two ways:
- In the System Information window, which they access from the portal homepage, by clicking the button Restore Whale Client Components defaults.
[Figure: System Information window in Microsoft Internet Explorer; Whale Communications Intelligent Application Gateway; Whale Client Comp
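The trusted-sites rules above have two edge cases worth checking in code: an entry written without a port must still match a URL that spells out 443 or 80, and the identity check is skipped both for HTTP entries and for every listed site while the pilot period runs. The following is an added example, not the Whale Client Components' own code; the excerpt does not say how the components normalise or compare entries, so the canonical (schema, host, port) form, the class name and the sample sites are this example's assumptions.

```python
"""Trusted Sites list handling for the Whale Client Components.

Added example, not IAG's code. The page gives the entry format (schema
HTTPS or HTTP, host FQDN or IP, port optional for the defaults 443 and 80),
says HTTP sites are never identity-verified because they carry no server
certificate, that a pilot-mode end date (mm/dd/yyyy) suspends verification
for listed sites, and that the prompt value 1/0/undefined controls what
happens to an unlisted site. How the components normalise and compare
entries is not on the page; the canonical form below is this example's.
"""
from datetime import date, datetime
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_site(site: str) -> Tuple[str, str, int]:
    """'scheme://host[:port]' (any path is ignored) into a canonical
    (scheme, host, port), so a bare https host and host:443 compare equal."""
    parts = urlsplit(site.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"schema must be HTTPS or HTTP: {site!r}")
    if not parts.hostname:
        raise ValueError(f"host missing: {site!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port  # urlsplit lower-cases the host


def parse_mdy(value: Optional[str]) -> Optional[date]:
    """Parse the mm/dd/yyyy format the page requires for the pilot end date."""
    return datetime.strptime(value, "%m/%d/%Y").date() if value else None


class TrustedSites:
    def __init__(self, sites: Iterable[str], pilot_end: Optional[str] = None,
                 prompt_user: Optional[int] = None):
        self.sites = {normalize_site(s) for s in sites}
        self.pilot_end = parse_mdy(pilot_end)
        # page: 1 = prompt, 0 = deny, value not defined = prompt
        self.prompt_user = True if prompt_user is None else prompt_user == 1

    def pilot_active(self, today: date) -> bool:
        return self.pilot_end is not None and today <= self.pilot_end

    def decide(self, url: str, today: str) -> Tuple[str, bool]:
        """Return (action, verify_identity). action is 'allow' for a listed
        site, otherwise 'prompt' or 'deny' per the prompt value;
        verify_identity is False for HTTP and while pilot mode is active."""
        key = normalize_site(url)
        if key not in self.sites:
            return ("prompt" if self.prompt_user else "deny"), False
        verify = key[0] == "https" and not self.pilot_active(parse_mdy(today))
        return "allow", verify
```

Note that `decide` reports `verify_identity=False` for a listed HTTPS site on any day up to and including the pilot end date; that is exactly the window the page's caution is about, which is why the pilot date should be set no further ahead than the rollout needs.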
19. Description: Message severity. Must be one of the following:
- Information: an informative message denoting a normal event that might be of interest, such as a user logging in or out.
- Notice: a normal but significant condition, such as a user changing their password.
- Warning: an event that might be problematic but does not result in a malfunction, for example an unauthorized access attempt.
- Error: a significant problem, such as a failure to read the configuration.
Usage: One and only one <Severity> element must be nested under <Message>.
Child Elements: None.

<Message> > <Type>
Description: Message type. Must be one of the following:
- System: system events, such as service startup and shutdown and changes to the configuration.
- Security: security events, including login success or failure, security policy violation or change, and password change.
- Session: session events, including session start or stop, number of sessions and other session-related events.
Tip: In the IAG Event Manager, in the Event Viewer and the Event Report, this parameter is displayed in the Category column.
Usage: One and only one <Type> element must be nested under <Message>.
Child Elements: None.

<Message> > <Name>
Description: Message name. Must contain only alphanumeric characters.
Usage: One an
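The element rules above are simple enough to enforce mechanically before a message definition file is deployed, which catches the mistakes the Event Logging mechanism would otherwise surface only at run time. The following validator is an added example and not IAG's own code: it checks only the constraints quoted above for <Severity>, <Type> and <Name>. The enclosing document structure is not in the excerpt, so the <Messages> root element and the sample definitions are constructed, and because the usage line for <Name> is cut off, "exactly one" is assumed for it as well.

```python
"""Validator for IAG event-message definitions.

Added example, not IAG's own code. It enforces only the rules the page
states for the <Severity>, <Type> and <Name> children of <Message>:
exactly one Severity from Information/Notice/Warning/Error, exactly one
Type from System/Security/Session, neither with child elements, and a Name
of alphanumeric characters only. The page's usage line for <Name> is cut
off, so "exactly one" is assumed for it too; the <Messages> root and the
sample definitions below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SEVERITIES = {"Information", "Notice", "Warning", "Error"}
TYPES = {"System", "Security", "Session"}


def validate_message(msg: ET.Element) -> List[str]:
    """Return the rule violations of one <Message>; an empty list means valid."""
    errors = []
    for tag, allowed in (("Severity", SEVERITIES), ("Type", TYPES)):
        found = msg.findall(tag)
        if len(found) != 1:
            errors.append(f"{tag}: expected exactly one element, found {len(found)}")
            continue
        if len(found[0]):  # an Element's length is its number of children
            errors.append(f"{tag}: must not contain child elements")
        value = (found[0].text or "").strip()
        if value not in allowed:
            errors.append(f"{tag}: {value!r} is not one of {sorted(allowed)}")
    names = msg.findall("Name")
    if len(names) != 1:
        errors.append(f"Name: expected exactly one element, found {len(names)}")
    else:
        value = (names[0].text or "").strip()
        # str.isalnum() alone accepts accented letters and digits from other
        # scripts; the page says alphanumeric, so restrict to ASCII as well
        if not (value and value.isascii() and value.isalnum()):
            errors.append(f"Name: {value!r} must contain only alphanumeric characters")
    return errors


def validate_definitions(xml_text: str) -> Dict[str, List[str]]:
    """Validate every <Message> in a definitions document, keyed by its Name
    (or by position when the Name is missing)."""
    root = ET.fromstring(xml_text)
    report = {}
    for index, msg in enumerate(root.iter("Message")):
        key = (msg.findtext("Name") or f"#{index}").strip()
        report[key] = validate_message(msg)
    return report


# Constructed sample definitions: one valid, one breaking three rules
SAMPLE_DEFINITIONS = """<Messages>
  <Message>
    <Severity>Information</Severity>
    <Type>Session</Type>
    <Name>UserLoggedIn</Name>
  </Message>
  <Message>
    <Severity>Critical</Severity>
    <Severity>Error</Severity>
    <Type>Audit</Type>
    <Name>Bad-Name 1</Name>
  </Message>
</Messages>"""
```

`validate_definitions(SAMPLE_DEFINITIONS)` returns an empty violation list for UserLoggedIn and three violations for the second message: two Severity elements, a Type outside the allowed set, and a Name containing a hyphen and a space. Running this over a CustomUpdate copy of a definitions file before activation is cheaper than discovering the problem in the Event Viewer.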
20. ...on page 19.

Resolution: Take the following steps:
- Verify that the correct authentication server is used to reply to the login request:
  1. In the Configuration program, access the application and open the Application Properties dialog box.
  2. Access the Web Settings tab. Verify that the authentication server selected for the option Automatically Reply to Application-Specific Authentication Requests holds the user credentials required by the application. For details, refer to Application Authentication, on page 74.
- Verify the configuration of the Form Authentication Engine for this application. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Appendix C, Form Authentication Engine.

Warning 24: Application Authentication Failed

Symptoms: A remote user attempts to access an application. The attempt fails and the following message is displayed: "You do not have permissions to view this directory or page using the credentials you supplied."

Cause: The application is configured to automatically reply to the application's authentication request (an HTTP 401 response), and the credentials supplied by the authentication server are not accepted by the application.

Resolution: In the Configuration program, verify the configuration of the authentication server for this application:
1. Open the Application Prop
21. Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected.

Cause: A cookie encryption violation was detected. The cookie name is encrypted although the cookie is listed in one or more of the cookie encryption exclude lists.

Resolution: To allow the browser to send this cookie in encrypted form, you need to remove it from the list of cookies that are excluded from the cookie encryption process, as follows:
1. Use the IAG's trace mechanism to resolve the original name of the encrypted cookie:
   a. At the IAG, access the trace configuration file: Whale-Com\e-Gap\common\conf\trace.ini
   b. Add the following lines to the file, then save it:

      [Trace WhlFilter]
      WHLFILTSECUREREMOTE=xheavy

   c. Use a browser to request the URL that caused the Warning message, as detailed in the Description field of the event in the Web Monitor's Event Viewer.
   d. At the IAG, access the trace log file in the following location: Whale-Com\e-Gap\logs. The file is named <Server_Name>_WhlFilter_default_<Time_Stamp>.log. Resolve the original name of the blocked cookie using the EncryptedName and OrigName parameters in the log file; the encrypted cookie name is given in the Description field of the event in the Event Viewer.
   Remove the trace lines again once you have the name: the xheavy level records the filter's full traffic and the log grows quickly.
2. To exclude the cookie from the cookie encryption process
22. - For Webmail or Basic trunks: in the Application Server area of the Configuration pane.
- Verify that the application server is running.
- Verify that the application server is reachable from the IAG. If it is not, check the following:
  - The network connections.
  - The configuration of the ISA firewall rule that enables the connection from the IAG to the application server. For details, examine the ISA logs and alerts and, if necessary, consult ISA troubleshooting.

Warning 81: User Failed to Change Password

Symptoms: A remote user attempts to change their password. The attempt fails and one of the following messages is displayed in the browser window: "Failed to change password", or "The new password you entered cannot be used since it does not comply with the password policy set by your administrator".

Cause: The message "Failed to change password" indicates one of the following:
- The user entered the wrong password in the Old password field.
- The settings of the Configuration program or of the authentication server that are required to let users change their passwords are not configured correctly.
The message "The new password you entered cannot be used since it does not comply with the password policy set by your administrator" indicates that the user attempted to use a password that does not comply with the authentication
23. ...Handle or Ignore, so that parameters are not rejected. Note that if you set the value of Parameters to Handle, you also have to define the parameters for this URL; Handle keeps the parameters under inspection, whereas Ignore does not. For details about the configuration of rulesets, refer to the Intelligent Application Gateway Advanced Configuration guide, Configuring a Ruleset in the URL Set Tab, on page 164.

Warning 57: Unrecognized Application

Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "You are not authorized to access this application. For assistance, please contact your system administrator."

Cause: Wrong configuration of the application in the Configuration program.

Resolution: Take the following steps in the Configuration program:
1. Use the Application Properties dialog box to locate the application according to the server configuration in the Web Servers tab.
2. Verify the configuration of the server's addresses, paths and ports for this application. For details, refer to Web Servers Tab, on page 71.

Warning 58: Unresolved Request

Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "The requested URL is not associated with any configured application."

Cause: The requested URL contains a signature that cannot be resolved to identi
24. To prevent unauthorized access to the IAG, the IAG's configuration files are encrypted. You generate an encryption key when you first access the IAG, and this key is used to encrypt and decrypt the IAG configuration data. This process is described in the Intelligent Application Gateway Advanced Configuration guide, Creating Encryption Keys, on page 20.

In setups where more than one IAG server is used, the IAG servers have to be configured with an identical encryption key in order to:
- Export and import configuration files between IAG servers.
- Export and import URL inspection and File Access rulesets.
- Use High Availability arrays.
Tip: If you need to encrypt and decrypt any of the IAG files, use the Editor. For details, refer to the IAG Advanced Configuration guide, Editor, on page 40.

Encryption Passphrase

Once the encryption key has been generated, every time you carry out an operation that writes to disk, such as saving or activating configuration files, or when you import a configuration file or a set of rules into the IAG, the IAG prompts you for the encryption passphrase. You must always enter a valid passphrase; this ensures that only users who know the passphrase can write to or import the IAG's configuration files.
Tip: To change the passphrase at any time after the initial installation, run the following command in a Command prompt
25. on page 68. Configuration of the actual policies is described in Application Endpoint Policies on page 99.

Chapter 4: Application Settings, Editing Application Properties
The parameters of the Download/Upload tab are described in Table 14 on page 84.
[Figure 13: Application Properties, Download/Upload Tab. The Downloads and Uploads areas each offer Identify by URLs, Identify by Extensions (with Exclude/Include and an Extension List), Unknown Content Type, and Identify by Size (1024 KB and above).]
Tip: By default, the IAG identifies responses without a content type as downloads. If you wish downloads without a content type to be considered regular responses and not downloads, create the following registry key on the IAG:
Location: WhaleCom\e-Gap\Von\UrlFilter
DWORD value name: AllowResponseWithoutContentType
DWORD value data: 1
After you create the key, access the Configuration program, activate the configuration, and select the option Apply changes made to external configuration settings.

Table 14: Download/Upload Tab Parameters
Parameter: Identify by URL
26. remove it from the exclude list where it is defined. Two lists define the exclusion of cookies from the process; both are configured at the IAG:
- Per-application list: The cookies that are listed here are excluded from the process for this application only. To edit this list, in the Configuration program open the Application Properties dialog box for this application, access the Cookie Encryption tab, and remove the cookie from the Cookies list. For details, refer to Cookie Encryption Tab on page 80.
- Global list: The cookies that are listed here are excluded from the process for all applications. To edit this list, access the following file: Whale-Com\e-Gap\Von\Conf\WhlExcludeCookie.xml. Copy the file into a CustomUpdate subfolder and remove the cookie from the list under the tag <EXCLUDE_COOKIE_LIST>. Note that cookie names are defined using regular expressions. For details, refer to Global Exclude List on page 82.

Warning 97: Cookie Encryption Mismatch
Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected. However, a Cookie header in the request is blocked and is not forwarded to the server.
Cause: A cookie encryption violation was detected: the cookie name is encrypted while the cookie value is unencrypted.
Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is pro
27. Alternate IP/Host: IP address or hostname of the alternate RADIUS Accounting server.
Alternate Port: Port number of the alternate RADIUS Accounting server.
Secret Key: Secret key that will be used to encrypt and decrypt the user password.
4. Click OK. IAG-related events are saved to the RADIUS Accounting server you defined here.

Configuring the Syslog Reporter
The Syslog reporter enables you to export system and security information from the IAG to an external, industry-standard Syslog server, thus providing a greater level of network integration.
To configure the Syslog reporter:
1. In the Configuration program, on the Admin menu, click Event Logging. The Event Logging dialog box is displayed.
2. Select the Syslog tab and check the Enable option.
[Event Logging dialog box, Syslog tab: Enable, IP/Host, Port 514]
3. Define the Syslog settings as follows:
Table 26: Syslog Tab Parameters
IP/Host: IP address or hostname of the Syslog server.
Port: Port number of the Syslog server.
4. Click OK. IAG-related events are saved to the Syslog server you defined here.

Configuring the Mail Reporter
The mail reporter enables you to send email messages about selected events via an SMTP server. In order to configure the mail reporter, you have to take the following steps: Enable the reporter and configure the following
28. [System Information window, as displayed in the browser: Attachment Wiper 3 7 0 12, Anti-virus eTrust 7 1 (updated 12 5 2006 10 09 02 PM), Personal Firewall XPSP2 (version N/A), Operating System Windows XP Professional 5 01 2600 Service Pack 2, Browser Version Internet Explorer 6, User Agent Mozilla 4 0 compatible MSIE 6 0 Windows NT 5 1 SV1 NET CLR 2 0 50727 NET CLR 1 1 4322, Sun JRE Version N/A, Domain WHALECOM, Certified Endpoint, Privileged Endpoint. "This site is protected by the Whale Communications Intelligent Application Gateway. To refresh this page, please log out, then log in again."]
4. Access and run an application that requires the Socket Forwarding component, for example the application you tried to run when the conflict was detected. The Socket Forwarding component is installed on the computer.
Note: The installation of the component may require a restart of the browser or of the computer. Users are notified accordingly.

Supported Applications
The SSL Wrapper supports two types of applications:
- Client/server and legacy applications, also known as native applications. These applications are initiated by the SSL Wrapper. The application's configuration data is usually stored locally on the endpoint computer. Examples: Telnet, Citrix Program Neighborhood applications, Microsoft Windows XP and Windows 2000 Terminal Services Clients, and more.
- Browser-embedded applications are
29. (Cont'd)
Button: View Menu. Description: Enables you to filter the view in the Repository Users and Groups list.
- Show all: displays all users and groups in the selected folder. If the option Include Subfolders is activated for the selected server, subfolders are also displayed.
- Show users only: displays all users in the selected folder.
- Show groups only: displays all groups in the selected folder.
- Show users & groups: displays all users and groups in the selected folder. Subfolders are not displayed.
- Show users & groups including subfolders: displays all users and groups in the selected folder. If the option Include Subfolders is activated for the selected server, subfolders are also displayed, as well as all users and groups in all subfolders.

In certain cases you may want to configure additional parameters, such as:
- Define the global Host Address Translation (HAT) parameters, which are applied to all the trunks configured in the IAG. For details, refer to Configuring Global Host Address Translation on page 46.
- Restrict the applications in the SSL VPN Portal so that only servers within the defined subnets are enabled, as described in Configuring Application Subnets on page 48.

Configuring Global Host Address Translation
This section describes the optional configuration of HAT parameters. The parameters you configure here are global and are used during link manipulation
30. If you backed up the configuration in a Command line, you should restore it using a Command line; you cannot restore it using the Configuration interface. Before you restore the backup, make sure that the IAG that was backed up and the IAG to which you are restoring the configuration settings are compatible, as follows:
- Both IAG servers use the same passphrase.
- The same application shuttles are installed on both servers.

Restoring the Configuration in the Configuration Program
To restore the configuration in the Configuration program:
1. In the Configuration program, on the Admin menu, click Restore from Backup.
2. Click the Activate icon to activate the configuration. The IAG configuration settings are restored from the backup file, as defined in the file whlbackup.ini.

Running the Restore Utility as a Console Application
You can run the Restore utility as a Console application in a Command line.
To run the Restore utility as a Console application:
1. At the IAG, open a Command line and type: whlbackup.exe r
2. Still at the IAG, activate the configuration by clicking the Activate icon in the Configuration program. The IAG configuration settings are restored from the backup file, as defined in the file whlbackup.ini.

Error Logging and Process Tracing
The error logging and tracing mechanisms are used for error logging and for tracing of a variety of IAG processes. The error serve
31. "Please press the <Activate> button to begin."
Click Activate.
Note: We recommend that you activate the option Back up configuration after activation, so that the configuration settings are backed up. For more details, refer to Backup & Restore Utility on page 303.
Once the configuration is activated, the following message is displayed: "IAG configuration activated successfully." The trunk is operational. All authenticated users will be able to access the applications enabled through the portal. If you wish to configure authorization for any of the applications you enable through the trunk, proceed to Users Setup on page 32.
Note: You can duplicate a trunk, including all application definitions, changing only the name and the external website's IP address and port numbers. Right-click the trunk you wish to duplicate and select Duplicate. Delete a trunk by right-clicking the trunk name and selecting Delete.

Users Setup
Users setup determines which users are authorized to view and access each of the applications enabled through the portal. When you set an application up, by default all authenticated users are allowed to view and access the application. If required, you can change the default settings and determine which users can view and access the application. Users setup affects the following: Authorizati
32. [Add or Remove Programs window: Whale Communications Client Components 3 5 0 is listed under Currently installed programs, with the text "To change this program or remove it from your computer, click Change/Remove."]
Users can view the Whale Component Manager in the Downloaded Program Files folder. From this location, users are able to uninstall all versions of installed components as one unit.
[Explorer window, C:\WINDOWS\Downloaded Program Files: columns Program File, Status, Total Size, Creation Date; entries include Java Runtime Environment 1 4 2, Whale Microsoft RDP Client Control (redist), and Whale Client Components (Component Manager).]
From the portal homepage, users can access the System Information window by clicking the System Information icon, where they can select to uninstall all the components, uninstall t
33. To enable logs and packet dumps on the Network Connector client:
1. On the endpoint computer, access the following Registry key: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\Client
2. Under the key you accessed in step 1, create a new Registry key: NetworkConnector
3. Under the key you created in step 2, create one or both of the following values:
- In order to enable logging, create a DWORD value named log and set the value data according to the required log level. The log level can be 1-4, where 4 is the most detailed log level. The log file is created in the same location where the client executable resides, as follows: C:\Program Files\Whale Communications\Client Components\3.1.0\whlioc.log
Tip: Set the log value to 0 to disable logging when you finish troubleshooting the client.
- In order to enable dumping of network packets, create a DWORD value named log sniff and set the value data to one of the following:
1 enables logging of low-level network traffic to and from the virtual network.
2 enables logging of tunneled network traffic to and from the virtual network.
3 enables logging of both low-level and tunneled network traffic to and from the virtual network.
The low-level and tunneled traffic dumps consist of similar information, but are not necessarily the same, since not all low-level traffic is tunneled and vice versa. The dump files are created in the same location where the client execut
34. and the Endpoint Detection component is not activated on their computer, this could result in limited functionality of the site.

Application Endpoint Policies
Application endpoint policies include the following:
- Access policy: controls access to the application.
- For Web and Browser-Embedded applications:
  - Download policy: helps prevent the spreading of sensitive data to undesired endpoints.
  - Upload policy: helps prevent undesired endpoints from sending malicious data, such as viruses, malicious macros, and more, into the internal network.
  - Restricted Zone policy: restricts users' access to sensitive areas of the application, such as administrative areas.
Tip: The method by which the IAG enforces the selected Download and Upload policies is defined in the Application Properties dialog box, in the Download/Upload tab. For details, refer to Download/Upload Tab on page 82. The Restricted Zone option is activated in the Application Properties dialog box, in the Web Settings tab. For details, refer to Web Settings Tab on page 73.
This section describes how Endpoint policies are defined for the trunk, as described in Defining Application Endpoint Policies on page 99. You edit existing application endpoint policies as described in Editing Application Policies on page 100.

Defining Application Endpoint Policies
When you add an appli
35. in Web Monitor Layout on page 264.
- Provides you with helpful tips for using the Web Monitor, in Tips for Using the Web Monitor on page 265.
- Provides detailed explanations of the Web Monitor windows and views, and operations you can perform in the Web Monitor, as follows:
  - Session Monitor: Current Status on page 266
  - Session Monitor: Active Sessions on page 268
  - Session Monitor: Statistics on page 271
  - Application Monitor: Current Status on page 275
  - Application Monitor: Active Sessions on page 278
  - Application Monitor: Statistics on page 279
  - User Monitor: Current Status on page 285
  - User Monitor: Active Sessions on page 287
  - User Monitor: Statistics on page 288
  - Event Viewer on page 293
  - Event Query on page 295
- Support for sites running an IAG High Availability Array, in Web Monitor High Availability Support on page 298.

Accessing the Web Monitor
You can access the Web Monitor from the web browsers listed in Web Monitor Browser Support on page 264, as follows:
- From the IAG: In the Configuration program, click the Web Monitor icon on the toolbar, or on the Admin menu click Web Monitor. Or, in the Windows desktop, click Start, then point to Programs > Whale Communications IAG > Additional Tools > Web Monitor.
- From any computer that is on the sa
36. including the prerequisites for running it on the endpoint computer, is described in Chapter 6, SSL Wrapper.
Note: You can disable component installation in the Session tab of the Advanced Trunk Configuration window, as follows:
- Activating the option Disable Component Installation and Activation disables the installation and activation of all the Whale Client Components on endpoint computers, including the SSL Wrapper Java applet, thus disabling all the features that are enabled by those components. It also disables the Certified Endpoints feature. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Session Configuration, on page 133.
- Activating the option Uninstall Socket Forwarding Component disables the installation of the Socket Forwarding component on endpoint computers and removes this component from all endpoint computers when users next access the site. For details, refer to Endpoint Settings on page 108.
This section describes:
- The conditions under which the components are installed and run, and the available installation modes, in Installing and Running the Components on Endpoint Computers on page 150.
- How to configure users' Trusted Sites lists so that the Whale Client Components can verify that the site is trusted, in IAG Trusted Sites on page 160.
- How users can reset the Whale C
37. <Param> element you copy into the new file.

<Message>
Description: Defines an Event Logging message.
Usage: An unlimited number of <Message> elements can be nested under the root <Messages> element.
Child Elements: <Message> must contain one each of the following elements:
- <Id>, described on page 251
- <Severity>, described on page 252
- <Type>, described on page 252
- <Name>, described on page 253
- <Desc>, described on page 253
- <DynamicDesc>, described on page 253
In addition, <Message> can contain one each of the following optional elements:
- <Params>, described on page 254
- <Reporters>, described on page 256
Note: If no reporters are defined for a message, the message is not sent to any of the Event Logging reporters. It is only sent to the Web Monitor, where it can be viewed in the Event Viewer but cannot be queried in the Event Query window.

<Message> > <Id>
Description: Unique message ID.
- For the default messages, do not change the message ID.
- For custom messages, use ID 10000 and up.
Usage: One and only one <Id> element must be nested under <Message>.
Child Elements: None.

<Message> > <Severity>
Description:
38. - Sample Chart: the number of concurrent sessions is sampled at the end of each interval.
- Peak Chart: the number of concurrent sessions reported is the highest number of sessions that were open during the interval period.
Select the application or applications for which to generate the query. By default, you can view query results for up to 15 applications. If required, you can change this value as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72.
Once you submit the query, the results are displayed in the window, as described in Application Monitor Statistics Window: Query Results View on page 281.
[Figure 50: Application Monitor Statistics Window, Query Form. Fields: Server time, Period (Week, Month, Quarter, Year, Today, Last 24 Hours, Yesterday), Start date, End date, Interval, Query type (Sample Chart, Peak Chart), Applications list, Submit, Reset.]
After you submit a query, when you return to the query form from the query results view, you can clic
39. [Session Monitor Active Sessions table (continued): rows listing session ID, lead user, repository, start time, duration, and authentication status for users in the whalecom repository.]
Table 28: Parameters of the Session Monitor Active Sessions
- Session ID: Unique session ID. Clicking the session ID opens the Session Details window, described in Session Details on page 270.
- Lead User: User who initiated the session.
- Repository: Authentication repository of the user who initiated the session.
- Started At: Date and time when the session was started.
- Duration: Duration of the session.
- Authenticated: Indicates whether the session is authenticated or unauthenticated. A session is unauthenticated when:
  - The user's identity is unknown, such as prior to the completion of the login process.
  - The session is suspended before it is closed.
The following example describes a sample life cycle of a session in a trunk where the Automatic Scheduled Logoff option is activated and the Logoff Scheme is triggered every 60 minutes. As soon as a user accesses the site, an unauthenticated session is established. Once the user is authenticated, the session's status changes to authenticated. 60 minutes l
40. 47 46 log

Error Log Files
The error log files are created under Whale-Com\e-Gap\Logs\<Server_Name>\ as whlerrsrv error <Time_Stamp>.log, where <Time_Stamp> represents the time and date when the file is created. For example, the name of an error log file created on September 25, 2005 at 20:28:08 is whlerrsrv error 25 09 05 20 28 08.log.

Size and Quantity of Files
Trace Files
The error server writes the reported events into the trace log file until the log file reaches the maximum file size allowed. The error server then creates a new trace log file and logs events in the new file. The maximum file size can be defined as follows:
- The default maximum file size is set in the general Trace section of the trace configuration file, as described in General Trace Configuration Section on page 310.
- You can set a maximum file size for individual traces, which overrides the default maximum file size, as described in Individual Trace Sections on page 308.
If the maximum file size is configured in both the individual traces and the general Trace section, the individual settings take precedence. In order to preserve disk space, the trace log files are periodically cleaned up, as described in Log File Cleanup on page 313.
Tip: The trace log of a process is not deleted when a process is stopped.
Error Log Files Entri
41. [Log File Cleanup area of the Advanced Trunk Configuration window: total size of files 50 MB, Number of Undeleted Files, OK, Cancel]
In the Log File Cleanup area, change one or more of the default values as required, as described in Table 40, Log File Cleanup Parameters, on page 314.
Click OK. The Advanced Trunk Configuration window closes.
In the main window of the Configuration program, click the toolbar icon to save and activate the configuration. The log file cleanup process will start and stop at the defined total-size-of-files values, and the error log server will retain the defined number of log files.

Excluding IIS Log Files from the Log File Cleanup Process
If you do not want the IIS logs to be calculated in the computation of the space allocated for log files, and do not want IIS log files to be deleted during the log file cleanup process, proceed as described below.
To exclude the IIS log files from the log file cleanup process:
1. At the IAG, use the Registry Editor to access the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\whlerrsrv\Parameters
Tip: If the Parameters Registry key does not exist under whlerrsrv, you must create it.
2. Create a new DWORD value: NoIISLogClean
3. Change the Value data of NoIISLogClean to 1, as shown in the example below.
[Registry Editor window showing the whlerrsrv key]
42. Optional Pre-configuration of the Services
To pre-configure the services:
1. At the IAG, click Start and then point to Programs > Whale Communications IAG > Additional Tools > Service Policy Manager.
2. In the List pane of the Service Policy Manager, click the + sign next to Built-In Services and then select the service you wish to configure: HTTP Connections or HTTPS Connections. The Configuration pane displays the parameters of the selected service.
[Figure 3: Service Policy Manager Configuration Pane. The service name (HTTPS Connections) is displayed in the title bar. The External Website and Application Server areas each contain Available IP Addresses (Add, Remove, Set As Default), Available HTTP Port Numbers (80), Available HTTPS Port Numbers (443), Default IP Address, Default HTTP Port Number 80, and Default HTTPS Port Number 443.]
3. Edit the parameters in the Configuration pane, as described in Table 3 on page 54.
When you finish configuring the services in the Service Policy Manager, click the Save and Activate icon to save and act
43. - Authentication, described in Chapter 4, Access Control.
- Session settings, such as the maximum number of sessions that can be concurrently open through the trunk, and how you define default and privileged sessions, described in Chapter 5, Session Settings.
- Content Inspection, described in Chapter 6, Content Inspection.
- Application Customization, described in Chapter 7, Application Customizers.
- Optimizing and troubleshooting portal performance, as described in Chapter 8, Optimizing Portal Performance.
- Configuring a High Availability array, as described in Chapter 9, Configuring the High Availability Array.
- Configuring the Form Authentication engine. The engine handles HTML login and change-password forms sent by the application, as described in Appendix C, Form Authentication Engine.

Chapter 3: Single Application Sites
In addition to Portal trunks, you can use the Intelligent Application Gateway (IAG) to create two different types of single application trunks: Webmail and Basic Trunks. Webmail trunks are dedicated trunks for a single Webmail application and are automatically created with authentication, application customization, and URL inspection rules that are optimized for the specific Webmail application you are running on this trunk. Basic trunks enable you to establish a one-to-one connection, where one IP address routes t
44. [Figure 54: User Monitor Over Time, Trunk portal (S). Chart of Authenticated Sessions and Authenticated Unique Users over time, sampled from 4:23:27 PM to 4:33:27 PM.]

User Monitor: Active Sessions
This window provides a detailed snapshot of the currently open sessions for each user. Use it for online user access tracking and troubleshooting. You select which trunk to display at the top part of the window. The parameters that are provided for each session are listed in Table 34, Window Parameters of the User Monitor Active Sessions, on page 287. By default, the window refreshes the data every five minutes. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72.
[Figure 55: Sample User Monitor Active Sessions Window. Server time 03 21 2006 16 29, Trunk portal (S). Columns: Lead User, Session ID, Repository, Started At, Duration, Events, Terminate; first row lists user whalecom\rachel with session ID 9D8Z8F4A 3F69 49
45. Configuration window and access the Global URL Settings tab.
2. In the Upload URLs list, access the corresponding rule and do one of the following:
- If required, click Edit and use the Edit Upload URLs dialog box to change the URL or the method, as applicable.
- If you wish this URL to be considered an upload only if it contains attachments, in the Edit Upload URLs dialog box activate the option Check for Attachments in Content.
- If the URL failed on parameters, in the Edit Upload URLs dialog box either configure the rule so that parameters are not checked, or change the method that is used to check parameters, as applicable.
- If you wish the URL to always be considered a regular request and not an upload, remove it from the Upload URLs list.
For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Upload URLs, on page 155.
If you wish to cancel the identification of uploads by URLs for this application, take the following steps:
1. Open the Application Properties dialog box and access the Download/Upload tab.
2. In the Uploads area, uncheck the option Identify by URLs.
Note: If none of the options in the Uploads area are activated, no uploads to the application are blocked, regardless of the settings of the application's Upload policy.
If you wish to enable uploads from the submitting endpoint to the application, edit the application's Upload
46. - Connection's connectivity option: SOCKS or Relay.
- Date and time when the connection was established.
When you double-click a connection, you can see the number of bytes sent.
[Figure 27: Sample Portal Activity Window, Additional Connection Details. Active Connections: https://www.portal.com, SOCKS session to c108:1533, Started 04 30 05 18 24 01, Client > Server 3138 bytes, Server > Client 1149 bytes.]

Applications Area
The Applications area of the Portal Activity window displays a list of the applications that were launched since the SSL Wrapper client was started.
[Figure 28: Sample Portal Activity Window, Applications Area. Launched Applications: citrix to gamma, MS Excel, Power Point, tn to cachalot.]
When you double-click an application, you can see the following details regarding the application:
- Application name
- Date and time when the application was launched
- For client/server and legacy applications, the application command line. For browser-embedded applications, the text "Web Application" is displayed.
[Figure 29: Sample Portal Activity Window, Sample Application Details. Launched Applications: tn to cachalot; citrix to gamma, Started 04 30 05 18 55 28, Web Application.]
Portal Ac
47. Explorer. No preparation is required for other browsers. Before you activate the Certified Endpoint option, make sure that end users who are using Microsoft Internet Explorer prepare their endpoint computers as follows:
- The browser needs to be configured to enable the download and launching of signed ActiveX objects.
- For Windows 2000 and Windows XP systems, power user access level is required for the current user, like any other downloaded program on Windows 2000 and Windows XP.
- Users need to install the Microsoft Security Patch Q323172 on their computer. This patch resolves the "Flaw in Digital Certificate Enrollment Component Allows Certificate Deletion" security vulnerability.
The Q323172 security patch can be found at the following locations, depending on the operating system end users are using. Instruct your end users to follow the instructions on the web site to download and install the appropriate security patch:
- Microsoft Windows 2000: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41568
- Microsoft Windows XP: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41598
- Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41594

Adding Certified Endpoint Enrollment to the Trunk (Local CA Only)
This section describes how you add the Certified Endpoint Enrollment application to the list of appli
48. [Figure 32: Sample Access Control Tab of the Network Connector Server]

Additional Networks Tab
In this tab, you can define network destinations that will be available to Network Connector clients in addition to the IP pool that you define in the IP Provisioning tab, as described in IP Provisioning Tab on page 193. For example, if in the IP Provisioning tab you enable access to the corporate head office, use the Additional Networks tab to enable access to additional offices throughout the world, which are connected to the corporate head office via the corporate gateway.
Note: The Additional Networks option cannot be used if the Internet access level defined in the Access Control tab is non-split, since in this access mode all network traffic is tunneled over the virtual connection. Use the Additional Networks option if the IP pool that is defined in the IP Provisioning tab is a private pool and the Internet access level defined in the Access Control tab is split or none. If you do not define the corporate network as an additional network in this setup, remote clients are granted access to other clients only and cannot access the corporate network.
For each of the networks you define here, you select how to handle conflicts in case the definitions you enter here conflict with the endpoint computer's local network definitions:
- Fail the connection a
49. [Figure 48: Application Monitor Over Time (line chart of the Web Monitor and Whale Portal applications; time axis from 5:08:48 PM to 5:18:48 PM)] Application Monitor Active Sessions. This window provides a detailed snapshot of the currently open sessions for each application. Use it for online user access tracking and troubleshooting. You select which trunk and application to display at the top part of the window. The parameters that are provided for each session are listed in Table 31, "Parameters of Application Monitor Active Sessions Window", on page 279. By default, the window refreshes the data every five minutes. If required, you can customize the refresh rate, as described in the Intelligent Application Gateway Advanced Configuration guide, in "Customizing the Web Monitor Windows" on page 72. [Figure 49: Sample Application Monitor Active Sessions Window (server time 03/21/2006 16:00, trunk "portal", application "Whale Portal"; columns: Session ID, Lead User, Repository, Application Started At, Application Duration, Events, Current)]
50. Tip: You can quickly access the Local Users and Groups Manager via the Configuration program: select Admin > Event Logging, and in the Event Logging dialog box, in the General tab, click the link Configure Monitor Users. 2. In the Local Users and Groups Manager, from the tree in the left pane, under Local Users and Groups, select Users. Note that in the right pane the IAG Administrator user is disabled, as indicated by a red X next to the user's name. [Screenshot: Local Users and Groups console; the IAG Administrator account is disabled. Description: "Local administrators to manage the Intelligent Ap..."] 3. In the right pane of the Local Users and Groups Manager, right-click the IAG Administrator user and select Properties. The IAG Administrator Properties dialog box is displayed. [Screenshot: IAG Administrator Properties dialog box (tabs: General, Member Of, Profile, Environment, Sessions, Remote control, Terminal Services Profile, Dial-in); Full name: IAG Administrator; Description: Local administrators to manage the Intelli
51. IAG; thus the ISA Server blocks traffic from the remote LDAP server. Resolution: At the IAG, do the following: 1. Add all remote sites to the ISA Server Internal Networks. For details, refer to the ISA Server help system. 2. Add routing entries to the Route Table to route all traffic that is sent to the remote sites to the appropriate gateway.
52. Search; Anti-Spyware / Anti-Virus / Personal Firewall build number; Date/time (double): use VBScript `DateDiff("d", AS AV_ _LastUpdate, Now) < 7` to check the last update; Name of domain; Lower-case full string of the user agent; OS Service Pack number, for example 4.0; Name of Windows OS; logged-on user name. This section describes how you can optimize endpoint computer settings which might affect the experience of the remote user when working with the portal. Endpoint settings are defined in the Session tab of the Advanced Trunk Configuration window, in the Endpoint Settings area. [Screenshot: Endpoint Settings area with the options "Uninstall Socket Forwarding Component" and "Add Site to Pop-Up Blocker's Allowed Sites"] Endpoint settings that you can optimize include the following options: Uninstall Socket Forwarding Component: once this option is activated, the Socket Forwarding client component is uninstalled from each endpoint computer when the user next accesses the site. If more than one Socket Forwarding component is installed on a computer, activating this option deletes only the component of the current IAG software version. For details on the Socket Forwarding component, which can be used with the SSL Wrapper, refer to Chapter 6, SSL Wrapper. While this option is activated, the Socket Forwarding component is not installed on endpoint computers regardless of a computer's confo
53. [Select Network Client dialog box: "... Service for NetWare"; "This driver is digitally signed"; "Tell me why driver signing is important"; Cancel] 7. Verify that Client for Microsoft Networks is selected in the list and click OK. If prompted, insert the Windows Server 2003 installation CD. The Select Network Client dialog box closes. In the Local Area Connection Properties dialog box, Client for Microsoft Networks is listed. 8. Make sure that the box next to Client for Microsoft Networks is checked and click to close the dialog box. The installation of the Client for Microsoft Networks is complete. 9. Reset the IAG as prompted. Novell NetWare Settings. In order to share Novell NetWare Server resources through the File Access application, you need to install a Novell client on the IAG, as described in this section. Note: While remote users interact with Novell NetWare Servers through the File Access interface, temporary virtual users may be created on the IAG with the following name format: whnwu_<hexadecimal_value>. Those users are deleted as soon as the real user closes the File Access interface. To set up the IAG to enable File Access to Novell NetWare Servers: 1. Install a Novell client on the IAG using a Typical installation mode. 2. When prompted, restart the IAG. Access to Novell NetWare Servers can be enabled on the IAG. Configuring F
54. The following is required in order for the SSL Wrapper Java applet to run on the endpoint computer, and for the applications to be accessed via the applet, when the SSL Wrapper ActiveX component cannot be installed or run on the computer: JRE version 1.4 and higher must be installed on the computer. Java trace level 5, which can be configured in the Java Console window, is not recommended and may cause the Java applet to go into an infinite loop. For details, see the following Sun Developer Network page: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5097873. The following browsers on Mac OS X require the installation of JEP (Java Embedding Plugin for Mac OS X): Mozilla, Mozilla Firefox, Mozilla Camino. For details, see http://plugindoc.mozdev.org/OSX.html#Java. On Windows 2000 Professional operating systems, in Internet Explorer, the option "Script ActiveX controls marked safe for scripting" must be enabled in the Security Settings of the Internet Options. In order for an application to be accessed via the SSL Wrapper Java applet, in the Configuration program the application's Access policy should be configured with the option "Enforce Policy Only when Endpoint Detection is Enabled". You activate this option in the Policy Editor, described in "Basic Policy Configuration" on page 103, in the General Policy Settings screen. Tip:
55. access the System Information window in order to verify your certified endpoint status. There should be a checkmark next to Certified Endpoint. Viewing and Processing Certificate Requests (Local CA Only). After a certificate is requested, depending on your Certificate Authority policy, you can perform one of the following actions for the certificate request: Issue a certificate for the pending request; Deny a certificate for the pending request. You can view requests for Certificate Authorities in the Certification Authority window. To view certificate information: 1. In the Windows desktop, click Start and select Programs > Administrative Tools > Certification Authority. The Certification Authority window is displayed. 2. Select the Certification Authority and double-click one of the following folders: Revoked Certificates, Issued Certificates, Pending Requests, Failed Requests. The information in the selected folder is displayed in the right pane of the Certification Authority window. In the example below, the Pending Requests folder was selected and all pending requests are displayed. [Screenshot: Certification Authority window for "Local Whale Certificate Server" with the Pending Requests folder selected; columns: Request Submission Date, Requester Name, Taken Under Submission]
56. and tunneled network traffic to and from remote clients. The low-level and tunneled traffic dumps consist of similar information but are not necessarily the same, since not all low-level traffic is tunneled and vice versa. The dump files are created in the same location where the log files are created, as described in "Server Logs" on page 204, with the following file names: Low-level network traffic: <log_file_name>.lowlevel.dmp; Tunneled network traffic: <log_file_name>.tunnel.dmp. Tip: The log sniff registry value is polled by the server executable while running and may be updated while the Network Connector is in session. Set the log sniff value to 0 to disable packet dumps when you finish troubleshooting the server. The dump files are written in TCPDUMP format. Troubleshooting the Network Connector Client. This section describes how you configure the Network Connector client to create logs and packet dumps for troubleshooting purposes. Tip: Both log and dump files can be written, read, and deleted while the Network Connector is in session. Caution: It is recommended you do not enable dumps. They should be used for advanced troubleshooting purposes only, since they create heavy accumulative dump files. The files are not deleted automatically and may reduce the server performance considerably.
57. are visible in the various fields of the Configuration program. This section describes the parameters that are visible and can be edited in two places: The main window of the Configuration program, as described in "Editing in the Configuration Pane" on page 59; The General tab of the Advanced Trunk Configuration window, as described in "Editing in the General Tab" on page 61. Editing in the Configuration Pane. Note: This section applies to Webmail and Basic trunks only. Portal trunks are described in Chapter 2, SSL VPN Portals. This section describes the parameters that you can edit in the main pane of the Configuration program, as illustrated in Figure 4 on page 60. The fields are identical in both Basic and Webmail trunks, as described in Table 4 on page 60. Note: Once you finish editing the required parameters, click to save and activate the configuration. [Figure 4: Configuration Pane of an Outlook Web Access Webmail Trunk (fields include External Website, Application Server IP Address, HTTPS Port, HTTP Port, Public Hostname, Initial Path, Maximum Connections, and the Security & Networking area with Advanced Trunk Configuration and High Availability)]
58. as many users as required. Web Monitor Browser Support. You can access the Web Monitor using the following browsers: Windows 2000: Internet Explorer 6.0; Mozilla family: Netscape Navigator 7.1.x, 7.2.x; Mozilla 1.7.x; Firefox 1.0.x and higher. Windows XP/2003: Internet Explorer 6.0, 7.0; Mozilla family: Netscape Navigator 7.1.x, 7.2.x; Mozilla 1.7.x; Firefox 1.0.x and higher. Mac OS X: Mozilla family: Netscape Navigator 7.1.x, 7.2.x; Mozilla 1.7.x; Firefox 1.0.x and higher; Camino 0.83 and higher. On computers running Mac OS X you cannot access the Web Monitor directly from the portal homepage. Access is possible from any computer that is on the same network as the IAG, via port 50002 on the IAG, as described in "Accessing the Web Monitor" on page 260. Web Monitor Layout. The Web Monitor is displayed in a web browser. The browser window is divided into two panes. In the menu on the left, a list of links enables you to select the Web Monitor window that you wish to view. The links are grouped as follows: Session Monitor, including Current Status, Active Sessions, and Statistics; Application Monitor, including Current Status, Active Sessions, and Statistics; User Monitor, including Current Status, Active Sessions, and Statistics; Event Viewer; Event Query; High Availability Array, in sites that deploy an
59. at MB value. Figure 63 describes the flow of the log file cleanup mechanism. [Figure 63: Log File Cleanup Mechanism (flow chart: cleanup starts when the number of files exceeds the hard-coded limit or the size of files exceeds "Start Cleanup at MB"; the oldest files are deleted until "Stop Cleanup at MB" is reached, with the "Number of Undeleted Files" not considered for deletion)] Configuring Log File Cleanup Parameters. You can change the default values of the log file cleanup parameters, including: The minimum and maximum amount of disk space allocated to the log files, including IAG event, error, and trace log files and IIS log files; The number of files you wish to retain. Note: You can exclude IIS log files from the cleanup process, as described on page 318. To configure log file cleanup parameters: 1. In the Configuration program, on the Admin menu, click Advanced Configuration. The Advanced Configuration window is displayed. [Screenshot: Advanced Configuration window (areas: Host Address Translation, Default Web Site Ports, Log File Cleanup with Start Cleanup at 100 MB and Stop Cleanup at
60. can also monitor user behavior over time for a selected trunk or for all active trunks. In the table at the bottom of the window, click the icon next to the trunk you wish to monitor, or next to All Trunks, respectively. The User Monitor Over Time window is displayed, as described in "User Monitor Over Time" on page 286. [Figure 53: Sample User Monitor Current Status Window (server time 03/21/2006 16:19; columns: Trunk Name, Authenticated Sessions, Authenticated Unique Users; rows: portal, All Trunks)] User Monitor Over Time. The User Monitor Over Time window is displayed when you click the icon in the User Monitor Current Status window. Use it to monitor user behavior over time for a selected trunk or for all active trunks. User behavior is displayed in a line chart showing both authenticated sessions and authenticated unique users at pre-defined intervals. By default, the window refreshes the data at 10-second intervals. If required, you can customize the refresh rate, as described in the Intelligent Application Gateway Advanced Configuration guide, in "Customizing the Web Monitor Windows" on page 72. Use the paging controls to scroll to the period of time you wish to monitor.
61. changepassphrase. The Passphrase prompt is shown below. [Passphrase dialog box: "Please type your passphrase"; OK, Cancel] When prompted, enter the passphrase and click OK. You can then securely carry on the operation you have started. In sites where a number of IAG servers use the same encryption keys, such as a High Availability array, the same encryption passphrase is used for all the IAG servers at the site. Tip: When using the Configuration program, the encryption passphrase you enter is valid for 10 minutes. That is, during the 10 minutes following an operation that requires access to the configuration files, you can access the files again without having to re-enter the passphrase. High Availability Array. For high-traffic sites with applications supporting a large number of simultaneous connections, the IAG provides a powerful performance enhancement and traffic control solution: the High Availability array. Implementing central management and supporting a variety of load balancing tools, the High Availability array enables you to run a server array consisting of two or more IAG servers while controlling high traffic volumes through the system. The High Availability array is configured to route traffic so that it maximizes resource utilization and supports uptime. For a detailed description of the High Availability array, including step-by-step instructions on how to configure
62. communicate through this tunnel. HTTP Proxy and SOCKS Proxy relays open a port on the endpoint computer. This port acts as either an HTTP or SOCKS proxy server and tunnels the HTTP or SOCKS traffic to and from the application server. Using this type of relay, the application on the endpoint computer can communicate through the locally opened port with multiple servers and ports. The SSL Wrapper makes changes, such as changes to the application settings, Registry, or hosts file, in order for the application to communicate through this tunnel. This type of relay enables the SSL VPN proxy to request more than one server, thus enabling the support of dynamic ports. Note: In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP/SOCKS proxy ports. Users cannot launch applications that use HTTP Proxy and SOCKS Proxy relays from additional portals. For a description of when the Java applet is used, refer to "Enabling Access to SSL Wrapper Applications" on page 175. Transparent relay automatically creates a relay between the endpoint computer and the application server for every application on the client that wants to communicate with the internal network. This type of relay is only supported by the Socket Forwarding component and does not require any changes on the endpoint computer. Network Connector suppor
63. configure which domains, servers, and shares are enabled for remote access. If the network includes Novell NetWare Services and you wish to enable remote access to NetWare Servers, refer to "Novell Logon Settings" on page 227 before you proceed. Tip: You can configure the File Access option so that users can only view the shares for which they have access permissions. For details, refer to "Configuring Home Directory, Mapped Drives and Share Permissions" on page 223. To configure access to domains, servers, and shares: 1. Access the File Access window, as described in "Accessing the File Access Window" on page 222. [Screenshot: File Access window, Domains view (tree: Network Sharing > Domains, Servers; domains listed include AUSTRALIA, AFRICA, ASIA, EUROPE, Novell, SOUTH AMERICA, NORTH AMERICA)] Tip: If you need to refresh the display at any time, for instance if there have been changes in the domain structure since the last time you used the File Access window, click Refresh. 2. In the right pane of the File Access window, select the domains which will be accessible to remote users through File Access and click Apply. Note: If the network includes Novell NetWare Services, the following services are available for selection in the Domains window: Novell Directory Services; NetWare Servers. You can use the File Acce
64. described in "Prerequisites for Installing the Whale Client Components" on page 151. After the initial installation of the Socket Forwarding client, users are required to restart their browser and might be required to restart the computer. Once the client is installed, however, users do not require any privileges in order to use the application. Tip: When users are required to restart their browser, the following message is displayed: [Whale Client Components message box: "In order to complete the update of Whale Client Components your browser must be restarted. This will close all open browser windows." with the check box "Don't show me this message again"] If a user selects the option "Don't show me this message again", this message will not be displayed again, even when a restart is required. In order to receive the message when applicable, instruct the user to restore the default settings of the Whale Component Manager, as described in "Restoring the Whale Client Components Defaults" on page 165. During the installation of the Socket Forwarding component, the Whale Component Manager checks whether the Socket Forwarding LSP module conflicts with other LSP modules that are installed on the endpoint computer. For details, refer to "LSP Conflict Detection" on page 179. If the Socket Forwarding component is not installed on the computer but the SSL Wrapper componen
65. enables you to provide employees and partners with browser-based remote access to multiple corporate applications and file systems. In order to create an SSL VPN Portal, you go through the following stages: Portal session setup, which includes the lifecycle of a session, such as access IP, authentication, access endpoint policies, and more; Application setup, where you set up the applications you enable through the trunk. Once you set up the portal and applications, the SSL VPN Portal is operational: remote users can access the portal and the applications that are enabled through it. Portal session setup and initial application setup are described in "Creating an SSL VPN Portal" on page 28. Users setup (optional), to determine which users are authorized to view and access each of the applications enabled through the portal. By default, all authenticated users are allowed access to all applications. You can, however, configure a more granular setup and determine which users can view and access each of the applications you enable through the portal, as described in "Users Setup" on page 32. Additional portal configuration options you may require are described in "Optional Configuration" on page 46, including: "Configuring Global Host Address Translation" on page 46; "Configuring Application Subnets" on page 48; "Changing the Application Access Portal Port Number" on page 49. If you need to make adjustments
66. file you downloaded in step 1. The Whale Client Components Installation Wizard starts. 4. Follow the instructions on the screen to complete the Wizard and install the components on the computer. Offline Whale Client Components Installation. This installation mode is suitable for end users who don't have ActiveX download rights on an Internet Explorer browser and are non-privileged guest users. In this setup, the administrator has to log in to the endpoint computer with power user or Administrator privileges and install the components before the user accesses the site. In order to enable offline component installation, take the following steps: Configure the settings of the offline component installation, as described in "Configuring Offline Component Installation" on page 157. Deploy the component library to end users, as described in "Deploying Offline Component Installation" on page 158. Note: Inform users that during component installation they should not access the portal homepage or any other location within the site. If the installation detects that Whale Client Components are already installed on the computer, it upgrades any of the components that are of older versions, even if their installation is not enabled in the current installation configuration. Configuring Offline Component Installation. You can configure the following aspects of the of
67. for all the Portal trunks configured in the IAG. Note: Link manipulation is described in the Intelligent Application Gateway Advanced Configuration guide, in Chapter 8, Optimizing Portal Performance. If you do not configure HAT parameters here, the IAG automatically assigns the required parameters the first time you configure a Portal trunk. You can change the configuration settings any time after the initial configuration. To configure global HAT parameters: 1. In the Configuration program, on the Admin menu, click Advanced Configuration. The Advanced Configuration window is displayed. [Screenshot: Advanced Configuration window (areas: Host Address Translation with Unique Identifier and Whale Encryption Key; Default Web Site Ports with HTTP Port and HTTPS Port; Log File Cleanup with Start Cleanup at 100 MB, Stop Cleanup at 50 MB, Number of Undeleted Files)] 2. In the Host Address Translation area, enter the following: Unique Identifier: a sign that will be added to manipulated links in responses, and by which the IAG will recognize the URL in the request. Note: The unique identifier must contain only alphanumeric values. Make sure the identifier is not a string that is contained within one of the server names in your organization. For example, if one of the servers in your organization is named appserver, do no
68. from any device or location. Highly granular access and security policy enforced at the session, application, and functionality levels. Comprehensive basic and form-based authentication through Active Directory, RADIUS, LDAP, and SecurID. Customizable identity-based web portal with single sign-on (SSO). Handles embedded browser applications. Connectivity and control for client/server and legacy applications. Protect Assets: Integrated application protection helps ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks. Application layer firewall blocks non-conformant requests, such as buffer overflow or SQL injection, on application protocols. Comprehensive protocol validation and deep content inspection with both positive and negative logic rulesets. URL cloaking and full functionality for remote users through dynamic URL rewrite and HTTP parameter filtering. Application Optimizers provide out-of-the-box protection for high-value applications such as SharePoint Server, Microsoft Outlook Web Access, SAP, and WebSphere. Comprehensive monitoring and reporting integrates with third-party risk and policy management platforms. Extensible infrastructure and tools for custom application publishing and scripting. Safeguard Information: Comprehensive policy enforcement helps drive compliance with l
69. general settings, as described in Table 24, "General Tab Parameters", on page 241. Table 24: General Tab Parameters (Parameter: Description). Queue Size: Number of events that are displayed in the Event Viewer window of the Web Monitor, as follows: Number of events that are displayed each time a user opens the Event Viewer window; Maximal number of events that are added to the message list between refreshes. For example, if the queue size is 50 and the refresh rate is 15 seconds, after a refresh no more than 50 events are added to the event list in the 15 seconds that elapse until the next refresh. If in this setup 60 events are received between refreshes, only the last 50 will be displayed in the event list. For a description of the Event Viewer window, refer to "Event Viewer" on page 293. Max Report Results: Maximal number of events that can be fully displayed in the Web Monitor when you generate a query, as follows: Session Monitor Statistics window: if the number of query results exceeds the number defined here, Duration is not displayed; Application Monitor Statistics window: if the number of query results exceeds the number defined here, Duration and Total Accesses are not displayed; User Monitor Statistics window: if the number of query results exceeds the number defined here, the results are not displayed. The user is notifie
70. is Collected from the End User's Computer 97; Application Endpoint Policies 99; Defining Application Endpoint Policies 99; Editing Application Policies 100; Default Policies 101; Basic Policy Configuration 103; Advanced Policy Configuration 104; Advanced Configuration Overview 105; Configuration in the Advanced Policy Editor 106; Variable Formats 107; Endpoint Settings 108; Attachment Wiper 110; Configuring the Attachment Wiper 112; Cleanup of Items That Are Saved Outside the Cache
71. is described on page 234 of the guide. Once you enable cookie encryption for an application, the IAG applies the encryption of Set-Cookie headers in one of two modes: Exclude mode: all Set-Cookie headers are encrypted except for the cookies that are listed in the cookie lists, including both global and per-application lists; Include mode: only headers that are listed in the cookie list are encrypted. The list is applied per application only. Encrypted cookie names and values are decrypted by the IAG when they are returned by the browser in the Cookie header. If the cookie encryption process encounters problems when a remote user requests a page, the Cookie header in the request is blocked and is not forwarded to the server. The request is processed, however, and the user experience is unaffected. In this case, a Warning message is reported in the Web Monitor, in the Event Viewer. Tip: Click the ID number of a message to view troubleshooting information. You can also access this information in Appendix A, Troubleshooting Event Logging Messages, messages 94-101. You enable cookie encryption, select the encryption mode, and configure the per-application cookie list in the Cookie Encryption tab, as described in Table 13 on page 81. For a description of the global exclude list, see "Global Exclude List" on page 82. Figure 12 Appl
72. is set to Automatic Startup mode. Tip: A dedicated network icon in the Windows System tray indicates that the Whale Network Connector Server service is started. Network Segment Tab. Use this tab to: Select the relevant corporate connection that the server should use. This is normally the connection defined for the internal IP interface of the IAG. Once you select a connection, the fields in the Network Connection area are automatically populated with the connection information. Optionally, configure complementary networking data, as described in "Complementary Data" on page 192. [Figure 30: Sample Network Segment Tab (Network Connector Server; tabs: Network Segment, IP Provisioning, Access Control, Additional Networks, Advanced; fields: Use the Following Connection, Network Connection (IP Address, Subnet Mask, DNS Primary, DNS Secondary, DNS Suffix, WINS Primary, WINS Secondary, Gateway) and Complementary Data, with the options "Use the Following Data Only if Network Configuration is Missing" and "Always Overriding Existing Network Configuration of This Server")] Complementary Data. In this
73. it, refer to the Intelligent Application Gateway Advanced Configuration guide, Chapter 9, Configuring the High Availability Array. About This Guide. This Guide is intended for the system administrator of the IAG. It provides you with in-depth information about the IAG's functionality and how you can best use its various components and options. It includes step-by-step instructions on how to configure, maintain, monitor, and control any number of IAG servers, either locally or over the network. This Guide provides information on the following topics: Chapter 2, SSL VPN Portals, explains how you use the Create New Trunk and Add Application Wizards to create SSL VPN portals to secure access to multiple applications from remote locations, anywhere, anytime. Chapter 3, Single Application Sites, describes how you can use the Service Policy Manager to pre-configure the HTTP and HTTPS Connections services, how you create Webmail and Basic trunks, and how you use the Configuration program to edit trunks once they are created. Chapter 4, Application Settings, describes application-specific settings you can edit and control after you add the application to the trunk or create a Webmail trunk, such as the application's web and non-web servers, application authentication, and more. Chapter 5, Endpoint Security, describes features that help to protect your internal network against access from non-secure endpo
74. ...lines: <script language="JavaScript"> var whaleCacheClean = GetCacheCleanInstance(); whaleCacheClean.ActivateCacheCleanDontSurf(); </script> Attachment Wiper When Encrypted Pages Are Saved to a Location Other Than Temp Files. Normally, Internet Explorer browsers save encrypted SSL pages to the temp files folder. However, end users can enable the Do not save encrypted pages to disk setting in Internet Explorer (Tools > Internet Options > Advanced tab) and prevent the browser from saving SSL pages to the default temp files folder. In this case, when users download an SSL page, they are prompted to provide an alternative location where it should be saved. In this setup, when a session ends, the Attachment Wiper clears the temp files folder but cannot identify the location to which the encrypted pages were saved. In order to prevent these pages from remaining on the endpoint computer, at the beginning of each session the Attachment Wiper automatically disables the Do not save encrypted pages to disk setting, if enabled, so that encrypted pages are saved to the temp files folder. At the end of the session, after the Attachment Wiper stops monitoring all open sessions, the Do not save encrypted pages to disk setting is reverted to its original status. You can cancel the disabling of the Do not save encrypted pages to disk setting as described below.
75. ...link to the application from the portal homepage, as described in Table 16 on page 88. Note: The parameters you define in the Portal Link tab apply only if you use the Whale Portal, that is, the default portal homepage supplied with the IAG, or the Whale toolbar. In order to add the link on a custom homepage, refer to the Intelligent Application Gateway Advanced Configuration guide, Using a Custom Portal Homepage on page 61. For the File Access application, you can also use this tab to hide the folder tree (left pane) in the remote user interface. This will prevent users from browsing to any folders other than the one defined as the application URL, or its subfolders. For details, refer to Hiding the Folder Tree in the End User Interface on page 234. [Figure 16: Application Properties, Portal Link Tab. Application Properties dialog box for the Webtop (Documentum) application, showing the Download/Upload, Portal Link and Authorization tabs and the fields Add Link on Portal and Toolbar, Portal Application Name, Folder, Application URL, Icon URL, Short Description, Description, Startup Page, Open in New Window and Application Supported On (PCs and Handhelds, PCs Only, Handhelds Only).] Table 16: Portal Link Tab Para... (Parameter: Add Link on Whale Portal and Toolbar; Portal Application Name; ...)
76. [Screenshot residue: Local Security Policy window, Security Options, listing the current settings of the policies Interactive logon: Display user information when the session is locked (Not Defined); Interactive logon: Do not display last user name (Disabled); Interactive logon: Do not require CTRL+ALT+DEL (Disabled); Interactive logon: Message text for users attempting to log on; Interactive logon: Message title for users attempting to log on (Not Defined); Interactive logon: Number of previous logons to cache (10 logons); Interactive logon: Prompt user to change password before expiration (14 days); Interactive logon: Require Domain Controller authentication to unlock (Disabled); Interactive logon: Require smart card (Disabled); Interactive logon: Smart card removal behavior (No Action); Microsoft network client: Digitally sign communications (always) (Disabled); Microsoft network client: Digitally sign communications (if server agrees) (Not Defined); Microsoft network client: Send unencrypted password to third-party SMB servers (Not Defined); Microsoft network server: Amount of idle time required before suspending session (15 minutes); Microsoft network server: Digitally sign communications (always) (Disabled); Microsoft network server: Digitally sign communications (if client agrees) (Disabled).] 3. In the right Policy pane, set the Local Security Policy settings of the policies listed in Table 22. Tip: To edit a policy, double-click it; in the Local Security Policy Setting dialog box, select the required setting and click OK. Tabl...
77. ...mail to the recipients you configured in Enabling the Mail Reporter to Send Messages on page 246. Note: Message configuration is implemented in an XML file. In order to edit it, you need to have a working knowledge of XML technology. To configure the messages that will be sent by mail: 1. Create a custom message definitions file, as described in Configuring Event Messages in the Message Definitions File on page 249. If such a file already exists, use the existing file. 2. For each message that you wish to send to the SMTP server, under the <Reporters> element add a new <Reporter> element with the value mail, as follows: <Reporter>mail</Reporter>. For details regarding the reporting elements, refer to <Reporters> on page 256. For the full syntax of the message definitions file, refer to Event Logging Message Definitions File on page 250. For example: To send an email message each time the number of concurrent authenticated sessions that can be opened through a trunk is exceeded, access the message Number of Max Concurrent Sessions Exceeded and add the Mail reporter, as shown in the example that follows. Note that, for the clarity of the example, some of the event parameters were removed from the sample code: <Message> <Id>15</Id> <Severity>Warning</Severity> <Type>Session</Type> <Nam...
78. ...more information about adding applications to a trunk, refer to Creating an SSL VPN Portal on page 28. Adding the CA to the Certificate Trust List (All CAs). Note: If you are using a remote CA, import your server certificate into the local computer's Trusted Root Certification Authorities certificate store before proceeding. For details, contact technical support. The Certificate Trust List (CTL) is a signed list of CA certificates that have been judged reputable by the administrator. In order to use a CA, you have to notify the IAG that you trust the CA by adding it to the CTL for the portal. To add a CA to the CTL: 1. In the Windows desktop, click the Start button and select Programs > Administrative Tools > Internet Information Services. The Internet Information Services (IIS) Manager window is displayed. 2. Right-click on the portal and select Properties. The portal Properties dialog box is displayed. 3. Click the Directory Security tab. [Screenshot: portal Properties dialog box with the Web Site, Performance, ISAPI Filters, Home Directory, Documents, Directory Security, HTTP Headers and Custom Errors tabs; the Directory Security tab shows the Authentication and access control area (enable anonymous access and edit the authentication methods for this resource; Edit) and the IP address and domain name restrictions area (grant or deny access to this resource using IP addresses or Internet domain names; Edit).] ...
79. ...of automatically installed components: Response.write "<Component Name=""SSL Wrapper"" ID=""1"" Install=""1"">" The following line adds the Network Connector component to the list: Response.write "<Component Name=""Network Connector"" ID=""7"" Install=""1"">" The following line adds the Socket Forwarding component to the list: Response.write "<Component Name=""Socket Forwarding"" ID=""8"" Install=""1"">" In addition, the following lines enable the Socket Forwarding activation modes. Basic mode: Response.write "<Component Name=""Socket Forwarding activation Basic"" ID=""33"" Install=""1"">" Extended mode: Response.write "<Component Name=""Socket Forwarding activation Extended"" ID=""65"" Install=""1"">" VPN mode: Response.write "<Component Name=""Socket Forwarding activation VPN"" ID=""129"" Install=""1"">" Make sure the required Socket Forwarding activation mode is enabled; if the component is used by multiple applications in various activation modes, make sure all the applicable modes are enabled. When users next access the site, the automatic component installation includes the additional components you defined here. Whale Client Components Installer. This installation mode is suitable for end users who do not have ActiveX download rights on an I...
80. ...on page 59. Editing the server settings in Webmail trunks that enable Domino iNotes Single Server and Domino iNotes Multiple Servers applications, as described in Editing Webmail Trunk Server Settings on page 64. Options that are described in other chapters of this Guide include: Editing any of the application's properties in the Application Properties dialog box, as described in Editing Application Properties on page 67. Changing the event logging definitions, as described in Event Logging on page 237. Enabling access to the Web Monitor, as described in Enabling Web Monitor Access from Computers Other Than the IAG on page 261. Additional options are described in the Intelligent Application Gateway Advanced Configuration guide, including: Customizing the look and feel and other aspects of the HTML pages the user interacts with, for example changing the company logo and the color scheme, described in Chapter 3, Customizing Web Pages. Authentication, Server Name Translation and Initial Host Selection, described in Chapter 4, Access Control. Session settings, such as the maximum number of sessions that can be concurrently open through the trunk and how you define default and privileged sessions, described in Chapter 5, Session Settings. Content Inspection, described in Chapter 6, Content Inspection. Application Customization, described in Chapter 7, Application Customi...
81. ...original name of the cookie that was blocked, using the EncryptedName and OrigName parameters in the log file; the encrypted name is indicated in the Description field of the event in the Web Monitor's Event Viewer. Still at the IAG, in the Configuration program, open the Application Properties dialog box for this application and access the Cookie Encryption tab. Add the cookie that was blocked to the Cookies list. For details, refer to Cookie Encryption Tab on page 80. Warning 101: Cookie Size Too Big. Symptoms: None. Cause: A cookie encryption violation was detected. The size of the encrypted Set-Cookie header exceeds the 4 KB limit. Resolution: In order to exclude this cookie from the cookie encryption process, take the following steps: 1. Use the IAG's trace mechanism to resolve the original name of the encrypted cookie: a. At the IAG, access the trace configuration file ...\Whale-Com\e-Gap\Common\Conf\trace.ini. b. Add the following lines to the file (as printed in the guide): Trace / Wh1Filter WHLFILTSECUREREMOTE xheavy. Save the file. c. Use a browser to request the URL that caused the Warning message, as detailed in the Description field of the event in the Web Monitor's Event Viewer. d. At the IAG, access the trace log file in the following location: ...\Whale-Com\e-Gap\logs. The file is na...
82. ...policies is disabled when the option Disable Component Installation and Activation, in the Session tab of the Advanced Trunk Configuration window, is activated. Click Help for detailed information on the parameters in this tab. Default Policies. The IAG supplies you with pre-defined default policies for all the session and application policies. These are optimized for smooth running of the IAG while still applying security restrictions. For example, when you create a trunk, the following policies are selected by default: For Session Access Policy: Default Session Access. The default value of this policy is True, allowing all endpoints access. For Privileged Endpoint Policy: Default Privileged Endpoint. The default value of this policy is False, meaning that no endpoints will be considered privileged unless you edit this policy and set the criteria that will render an endpoint a privileged endpoint. Note: The Install Socket Forwarding Component Policy is set to Always by default. You can view the values of the default policies and edit their definitions, as well as create new policies, using one of the Policy Editors, as follows: The Policy Editor is an easy-to-use basic editor you can use to create simple policies without the need for defining variables and entering complex Boolean expressions. The basic editor can check the e...
83. ...policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99. Warning 42: Upload Policy Size Violation. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Upload policy, the requested upload is not allowed. Cause: The request failed since the size of the transfer data renders it an upload, and the application's Upload policy forbids uploads from the submitting endpoint. Resolution: In the Configuration program, do one of the following: If you wish requests of this size to be considered regular requests and not uploads, increase the size of data above which a request from this application is considered an upload: 1. Open the Application Properties dialog box and access the Download/Upload tab. In the Uploads area, increase the size defined in Identify by Size. For details, refer to Download/Upload Tab on page 82. If you wish to cancel the identification of uploads by size for this application, uncheck the optio...
84. ...'s parameters. In the following sample screen, a Webmail trunk was created for the application Microsoft Outlook Web Access 2007. [Screenshot: OWA2007 (Microsoft Outlook Web Access 2007) trunk; External Website area (IP Address, HTTPS Port, Public Hostname MyHost, Initial Path owa); Application Server area (IP Address 192.168.0.119, HTTP Port 80, Is SSL); Security & Networking area with Application Properties, Advanced Trunk Configuration and High Availability Configure buttons and Maximum Connections 500.] 5. In the Configuration program, click the Activate icon to save and activate the configuration. The following is displayed: [Screenshot: Activate Configuration dialog box.] We recommend that you back up the configuration settings directly after the initial configuration. Following the initial backup, make sure to back up the configuration settings each time you modify them, in order to ensure that the backup is updated at all times. Back up configuration after activation. If you have made manual changes to any of the external configuration settings, such as changes to XML files or to Registry settings, select this option to apply the changes before activation. Selecting this option will reload the configuration for all trunks. Apply changes made to external configuration settings. Please press the Act...
85. ...that are currently open via all the trunks of the IAG you are monitoring. At the top part of the window, a column chart displays each trunk in a separate column and shows the total number of sessions that are currently open through the trunk, that is, both authenticated and unauthenticated sessions. At the bottom part of the window, active trunks and open sessions are listed in a tabular format, including the number of authenticated and unauthenticated sessions. Clicking the number of total sessions opens the trunk's Session Monitor Active Sessions window, described in Session Monitor Active Sessions on page 268. By default, the window refreshes the data every 15 seconds. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. You can also monitor session behavior over time, for a selected trunk or for all active trunks. In the table at the bottom of the window, click the chart icon next to the trunk you wish to monitor, or next to All Trunks, respectively. The Session Monitor Over Time window is displayed, as described in Session Monitor Over Time on page 267. You can use the different displays to compare activity between trunks and analyze trends and variations over time. [Figure 41: Sample Session Monitor Current Status Window] ...
86. ...the IAG and the application server. At the IAG, the following file holds the definitions of file extensions and the associated content types: ...\Whale-Com\e-Gap\von\conf\content-types.ini. Applicable for downloads only, when the option Identify by Extensions is activated. The value you enter here should be identical to the application's unknown content type settings. Identify downloads or uploads based on the size of the transfer data. Note: GET requests are treated as downloads; POST and PUT requests are treated as uploads. Server Settings Tab. This tab is applicable in Portal trunks only, for Client/Server and Legacy Applications and Browser Embedded Applications. It contains the configuration of the application's non-web server or servers. The parameters available in this tab vary according to the application you are editing. Tip: In order to see a description of the parameters that are relevant to the current application, click Help. For SSL Wrapper applications, the Help also provides a list of operating systems on which the application is supported. To edit server settings for Domino iNotes non-web servers in Webmail trunks, see Editing Webmail Trunk Server Settings. [Figure 14: Application Properties, Sample Server Settings Tab. Application Properties dialog box for Citrix NFuse FR2 (Direct), showing the Download/Upload and Server Settings tabs.] ...
87. ...the application prompts them to restart the computer. In order to run this setup, users must be logged in with Administrator privileges to enable changes to the Registry. Note: This setup may decrease SMB performance (no direct hosting) and may impact applications that rely on SMB over TCP/IP. We recommend that you set this application up as follows: In the Server Settings tab of the Add Application Wizard, do not enable the option Launch Automatically on Start; else users will be prompted to restart their computer each time they access the site. In the next step, Portal Link, activate the option Add Link on Whale Portal and Toolbar and define the link settings so that the setup can be accessed via the portal homepage or the Whale toolbar. Use the Description field to add a note telling users of Windows XP/2003 that they need only run this application once in order to enable access to mapped drives. Do not define this application as a prerequisite application to a Local Drive Mapping application; else users will be prompted to restart their computer each time they access the mapped drive. File Access. File Access is a web application that enables authorized remote users to access, view and download files from the organization's Windows Network and Novell NetWare file servers from any location, and to upload files to the servers, using a browser. Via the portal, File Access presents remote users with an Explorer...
88. ...the window displays information on each of the trunks that were queried, as described in Table 29, Session Monitor Statistics Window Query Results, on page 274. You can view the data that is displayed in the chart in a tabular format by clicking the table icon. Use the paging and zooming controls to focus the view on the period of time you wish to monitor. When you zoom out to the smallest view, the window displays the entire period that is queried, up to the pre-defined interval limit. When you zoom in to the largest view, the window displays 10 intervals; to view additional intervals, use the paging controls. To return to the query form, click Show query form. [Figure 46: Session Monitor Statistics Window, Query Results. Server time 03/14/2006 17:27; Query Details: Period 03/14/2006 00:00:00 to 03/14/2006 18:00:00, Interval Hour, Query type Sample Chart; statistics available up to 03/14/2006 17:24:54; chart of concurrent sessions over Time (03/14 00:00 to 03/14 20:00) for the trunk "portal"; results table with columns Trunk, Concurrent Sessions (Max, Min, Average), Duration (Max), Concurrent Sessions Settings (Threshold, Limit), View.] Table 29: Session Monit...
89. ...to Windows file servers. Novell NetWare Settings on page 220 describes the steps you need to take in order to enable access to Novell NetWare servers. Note: If you wish to enable access to both types of servers, follow the instructions provided in both sections. Windows Domain Settings. Note: In order to configure the domain settings described here, you need to have a working knowledge of Windows networking. This section describes the Windows domain setup required in order to share Windows Network resources through the File Access application, and the trust relationships between the domains in a multiple-domain environment. You can set up the IAG Windows domain using one of two options: Define the IAG as a domain controller for a new Active Directory domain, as described in Setting Up the IAG as a Domain Controller on page 213. Join the IAG to an existing Windows domain; for this setup, refer to Joining the IAG to an Existing Domain on page 215. Setting Up the IAG as a Domain Controller. In this setup, you configure the IAG as the domain controller for a new Active Directory (Windows 2003) domain, in a new domain tree, in a new forest. Follow the guidelines provided below for this type of configuration. During the installation of the Active Directory on the IAG, make sure to select the following options: Domain Controller for New Dom...
90. ...to be considered a restricted zone only if it contains attachments, click Edit and, in the Edit Forbidden URLs dialog box, activate the option Check for Attachments in Content. If you wish the URL not to be part of the restricted zone, remove it from the Restricted Zone URLs list. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Restricted Zone URLs on page 158. If you wish to disable the Restricted Zone feature for this application, take the following steps: 1. Open the Application Properties dialog box and access the Web Settings tab. 2. Uncheck the option Activate Restricted Zone. If you wish to enable access to the restricted zone from the submitting endpoint, edit the application's Restricted Zone policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99. Warning 108: Unable to Retrieve Information from LDAP Server. Symptoms: A remote user logs in to the site. The login process is slower than usual. Cause: The site-to-site VPN is not configured in the ISA Server on the...
91. ...unsupported environment variables in the users' logon scripts, the remote user will not be able to access the mapped drives as expected. In order to examine which environment variables are supported for a typical user, take the following steps at the IAG: Open a Command prompt and impersonate the user by entering this command: runas /user:<username> cmd.exe, where <username> is the username as entered by the user during login. In the secondary command window that opens, representing the user you defined, run the set command. The environment variables that are displayed are the variables that are supported by the IAG for this user. Deleting User Profiles When Using Mapped Drives. Each time a remote user accesses mapped drives via File Access, the File Access engine runs the user's logon script. For each new user, the operating system of the IAG creates and saves a user profile. By default, user profiles are not deleted from the server, including old profiles that are no longer used. This consumes disk space unnecessarily. In addition, in environments where a large number of users access mapped drives, if a 10,000 profile limit is reached, new profiles cannot be created and new users cannot access the drives. This section describes how you can configure the IAG to delete user profiles from the IAG when required. Note the following: Only profiles of domain users are del...
92. ...web initiated. The application's configuration data is usually downloaded from the network at runtime. For example: Citrix NFuse FR2 and FR3 applications, IBM Host On-Demand, Terminal Services Web Client, and more. Tip: For a list of operating systems on which an application is supported, click Help in the Server Settings tab of the Add Application Wizard or the Application Properties dialog box. The SSL Wrapper open architecture enables the addition of other applications, if required. For details, contact technical support. Generic Applications. This group includes the enhanced generic client applications and the generic Carbonized applications. Enhanced generic client applications are non-web applications that run in a console environment. Generic Mac OS X Carbon Applications are non-web Mac OS X applications that run in a Carbon application framework. For each of those application types, you can select between the following options, depending on the requirements of the application you are configuring: hosts required: running the application requires the Java applet to make changes to the hosts file on the endpoint computer. If changes cannot be made to the file, for example due to insufficient user privileges, the application is not launched and the relay that was opened for the application is closed. hosts optional: when the application attempts t...
93. ...you need to change the permissions you assign to users and groups in this repository correspondingly. Figure 1 on page 39 illustrates the process of configuring users' authorization permissions for an application. [Figure 1: Flow of Configuring Application Authorization. Application Properties dialog box: All Users Are Authorized? If not, Select Users or Groups dialog box: choose users/groups in the repository; then Application Properties dialog box: assign access permissions to the chosen users/groups; result: authorized users can access the application.] To assign authorization for an application: 1. In the Configuration program, from the List pane, select the trunk that enables the application you wish to edit. In the Configuration pane, in the Applications area, select the application and click Edit, or double-click the application. The Application Properties dialog box is displayed. Select the Authorization tab. In the Authorization tab, the option All Users Are Authorized is checked. [Screenshot: Application Properties dialog box for Citrix NFuse FR2 (Direct), Authorization tab, with the option All Users Are Authorized checked, a Users/Groups list with View and Deny columns, and the Save As Local Group and Cancel buttons.] 4. Uncheck the option All Users Are Authorized and click Add. Th...
94. [Screenshot residue: User Monitor Active Sessions window listing sessions with columns Lead User, Session ID, Repository, Started At, Duration, Events and Terminate.] Table 34: Parameters of the User Monitor Active Sessions Window. Parameter: Lead User. Description: User who initiated the session. Parameter: Session ID. Description: Unique session ID. Clicking the session ID opens the Session Details window, described in Session Details on page 270. Parameter: Repository. Description: Authentication repository of the user who initiated the session. Parameter: Started At. Description: Date and time when the session was started. Parameter: Duration. Description: Duration of the session. Parameter: Events. Description: Clicking the events icon generates a report of events related to the session. The report is displayed in the Event Reports window, described in Event Report on page 297. Parameter: Terminate. Description: Clic...
95. [Screenshot residue: Application Monitor Active Sessions window listing sessions with columns Session ID, Lead User, Repository, Application Started At, Application Duration and Events.] Table 31: Parameters of the Application Monitor Active Sessions Window. Parameter: Session ID. Description: Unique session ID. Clicking the session ID opens the Session Details window, described in Session Details on page 270. Parameter: Lead User. Description: User who initiated the session. Parameter: Repository. Description: Authentication repository of the user who initiated the session. Parameter: Application Started At. Description: Date and time when the application was launched. Parameter: Application Duration. Description: Length of time during which the application was active. Parameter: Events. Description: Clicking the events icon generates a report of the session's application-related events. The report is displayed in the Event Reports window, described in Event Report on page 297. Application Monitor Statistics. This window enables you to view and analyze both the history and the current status of a selected application, or of any number of applications, such as the number of concurrent accesses to the application. Use the query form to submit a query, as d...
96. Warning 36: Download Policy Violation, No Content Type. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Download policy, the requested download is not allowed. Cause: The response header does not contain a content type. Responses without a content type are rendered a download, and the application's Download policy forbids downloads to the requesting endpoint. Resolution: At the IAG, do one of the following: If you wish downloads without a content type to be considered regular responses and not downloads, create the following Registry key: Location: ...\Whale-Com\e-Gap\Von\UrlFilter; DWORD Value name: AllowResponseWithoutContentType; DWORD Value data: 1. After you create the key, access the Configuration program, activate the configuration, and select the option Apply changes made to external configuration settings. If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy in the Configuration program. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, ref...
97. ...A to the Certificate Trust List (All CAs) on page 136. Backing Up the Certificate Settings (All CAs) on page 140. Installing a Microsoft Certificate Authority (Local CA Only). This section describes how you install the Microsoft Certificate Authority on the IAG in order to provide users with the required certificates in a local CA setup. If you use a CA installed on a remote computer, you have to use other means in order to provide users with the certificates. To install Microsoft Certificate Authority: 1. In the Windows desktop, click the Start button and select Settings > Control Panel > Add/Remove Programs. The Add/Remove Programs Properties dialog box is displayed. 2. Click Add/Remove Windows Components. The Windows Components Wizard is displayed. [Screenshot: Windows Components Wizard, Windows Components page. You can add or remove components of Windows; to add or remove a component, click the checkbox; a shaded box means that only part of the component will be installed; to see what's included in a component, click Details. Components listed: Accessories and Utilities, Application Server, Certificate Services (checked), E-mail Services (1.1 MB), Fax Services. Description: Installs a certification authority (CA) to issue certificates for use with public key security programs. Total disk space required: 5.1 MB; space available on disk: 4692.9 MB.] ...
98. AG. When remote users view files and folders, the date format is the one you set here.
Hiding the Folder Tree in the End User Interface
By default, the end users' File Access interface presents users with a folder tree in the left pane. The folder tree contains all the folders you enable in the File Access administration window, as described in File Access Administration Settings on page 221. If you wish to restrict users' access to a specific folder, you can define the path of the folder as the application URL and disable the view of the folder tree. Users can then access only the path that is defined as the application URL, including all subfolders.
This procedure describes how you hide the folder tree if the trunk you are configuring uses the default portal homepage supplied with the IAG. If you use a custom homepage, refer to the Intelligent Application Gateway Advanced Configuration guide, Adding Links to IAG Features on a Custom Homepage on page 66.
234 Chapter 8 Providing Access to Internal File Systems: File Access
To hide the folder tree in the end user interface:
1. In the Configuration program's configuration pane, double-click the File Access application. The Application Properties dialog box is displayed.
2. Select the Portal Link tab.
[Screenshot: Application Properties dialog box, Portal Link tab, with "Add Link on Portal and Toolbar" checked, Portal Application Name "File Access", and the Application URL field]
99. [Screenshot residue: Advanced tab, Log Path fields "Alternative Path" and "Full Name"]
Tip: For a description of the Advanced tab, refer to Advanced Tab on page 199.
Logging parameters include:
- Log Level: can be 1-5, where 5 is the most detailed log level. Tip: Set the log level to 0 to disable logging when you finish troubleshooting the server.
- Log Path: defines the location where the log file is created.
  Server Executable Path: the log file is created in the same location where the server executable resides, as follows: Whale-Com\e-Gap\common\bin\whlios.log
  Alternative Path: the log file is created in the location you specify here. Make sure to enter the full file path.
Tip: The log files can be written, read and deleted while the Network Connector is in session.
204 Chapter 7 Network Connector: Network Connector Troubleshooting
Server Resources
The Server Resources area of the Advanced tab of the Network Connector Server window defines the server's resource usage. It is recommended you do not change the default settings; they are only used for advanced troubleshooting purposes, for example to perform server optimizations by fine-tuning its threads and memory usage.
Figure 36: Advanced Tab, Server Resources Area
[Screenshot: Server Resources area with the fields Number of Threads (per CPU), Device Timeout (20000 milliseconds), Tunnel Buffer Size (KB), Service Timeout (20000 milliseconds), Device Buffer Size (KB), and a Restore Defaults button]
100. Apache is a service mark, trademark or registered trademark of The Apache Software Foundation or its subsidiaries in the United States and other countries, or both. Terminal Services is a service mark, trademark or registered trademark of The Regents of the University of California or its subsidiaries in the United States and other countries, or both. Unix is a service mark, trademark or registered trademark of The Open Group or its subsidiaries in the United States and other countries, or both. XCompress is a service mark, trademark or registered trademark of XCache Technologies Inc. or its subsidiaries in the United States and other countries, or both. All other trademarks, copyrights, product and/or service marks mentioned in this manual, whether claimed or registered, are the exclusive property of their respective owners.
DISCLAIMER: The Company has reviewed this manual thoroughly. All statements, technical information and recommendations in this manual and in any guides or related documents are believed reliable, but the accuracy and completeness thereof are not guaranteed or warranted, and they are not intended to be, nor should they be understood to be, representations or warranties concerning the products described. Further, the Company reserves the right to make changes to the information described in this manual at any time without notice and without obligation to notify any person of such changes.
LIMITATION OF LIABILITY: Neither t
101. Applications ... 182
Configuration Overview ... 183
Remote User Interaction with the SSL Wrapper ... 183
Portal Activity Window ... 184
Connections Area ... 186
Applications Area ... 187
Portal Activity Window Buttons ... 188
Chapter 7 Network Connector ... 189
Network Connector Technology Highlights ... 189
Configuring the Network Connector ... 190
Configuring the Network Connector Server ... 190
Network Segment Tab ... 192
IP Provisioning Tab ... 193
Access Control Tab ...
102. Certification Policy
This procedure describes how you change the pending timeout interval of the Manual certification policy.
To set the pending timeout interval:
1. At the IAG, open the following file: Whale-Com\e-Gap\Von\WhaleSEP\inc\certdat.inc
   Note: This file is only available on the IAG after you install the CA on the server, as described in Installing a Microsoft Certificate Authority (Local CA Only) on page 124.
2. Change the value of nPendingTimeoutDays. For example: nPendingTimeoutDays = 25
3. Save the file. The pending timeout interval is updated to the new value specified. It will be applied to all new requests; the pending timeout interval for existing requests is the interval that prevailed when the request was entered.
Customizing User Information Properties
This section describes how you change the properties of the fields that are displayed to users requesting certificates in the Certified Endpoint Certificate User Information window. The default properties are determined during the installation of the CA on the IAG, in the CA Identifying Information window.
Figure 23: Properties That Can Be Edited in the User Information Window
[Screenshot: Certified Endpoint User Information page in Microsoft Internet Explorer ("Please enter the following"), with the Name and E-Mail fields and further fields cut off]
103. Click Help for detailed information on the parameters of the screen.
You select an application's Access policy in the Add Application Wizard, in the Application Setup step. Once you add an application to the trunk, you can change the selected Access policy in the General tab of the Application Properties dialog box.
In order to run an application where network aliases have to be created, users have to be logged on to the endpoint computer with sudo privileges for the ifconfig utility. In order to run an application where changes to the hosts file have to be made, users have to be logged on to the endpoint computer with sudo privileges for the hosts file. For a description of when changes to the hosts file might be required, refer to Technology Overview on page 172. For information about sudo privileges, see http://www.linuxhelp.ca/guides/sudo.
On Linux operating systems, console-based applications might require that the xterm application is installed on the endpoint computer. If xterm is not installed on the computer, users can manually run the application by opening a terminal and connecting to the relay that was opened for the application.
Tip: To display an application's relay, select the application in the Portal Activity window and click Show Relay. For details refer to Portal Activity Window on page 184.
On Mac OS X and Linux operating systems, when running a Telnet application that the opera
104. [Screenshot residue: Server Settings tab with Citrix Farm Servers (192.168.78...) and Citrix Farm Port (494)]
Intelligent Application Gateway 85 User Guide
Client Settings Tab
This tab is applicable in Portal trunks only, for Client/Server and Legacy Applications and Browser-Embedded Applications. It determines the activation of the Socket Forwarding component on endpoint computers for the application you are configuring.
Figure 15: Application Properties, Client Settings Tab
[Screenshot: Application Properties dialog box for "Citrix NFuse FR2 Direct", Client Settings tab: Socket Forwarding Mode (Disabled / Basic / Extended / VPN), "Bind Tunnel to Client Executable" checked, Client Executable Signature for NFuse2_D.exe, Help and Cancel buttons]
Table 15: Client Settings Tab Parameters
Parameter: Socket Forwarding Mode
Description: Select whether to use the SSL Wrapper's Socket Forwarding component with this application, and in which activation mode. For details on this component, including prerequisites for running it on endpoint computers, refer to Chapter 6, SSL Wrapper.
- Disabled: the Socket Forwarding component is not used with the application.
- Basic, Extended and VPN activation modes are described in Socket Forwarding Activation Modes on page 174.
86 Chapter 4 Application Settings: Editing Application Properties
105. Complete and Cached Passwords. The Attachment Wiper deletes these items only when it quits, and not at the end of each session.
Note: All items are deleted according to the DOD 5220.22-M standard.
If the user closes the browser without first logging out of the site, the Attachment Wiper does not quit immediately; in this case it quits only on the next scheduled logoff or scheduled cleanup.
The Attachment Wiper utility includes a built-in crash recovery mechanism that ensures that all items are wiped even under extreme circumstances, such as a power shutdown. If, under those circumstances, the utility is terminated without deleting all the required items, the utility automatically runs when the computer is next started and cleans up any remaining items.
Chapter 5 Endpoint Security: Attachment Wiper
The Attachment Wiper is an ActiveX component and is part of the Whale Client Components, which users are prompted to download when they try to access a site, prior to the Login stage. It will only function if the required Whale Client Components are successfully installed on the endpoint computer. For details refer to Whale Client Components on page 147.
Tip: You can set a policy whereby users can only access a site or an application if the Attachment Wiper is running on their computer. For details refer to Endpoint Policies on page 93.
This section describes the following:
- How you configure the utility in
106. Concurrent Sessions field, increase the number of sessions that can be open through the site simultaneously.
Warning 16: Number of Max Concurrent Unauthenticated Sessions Exceeded
Symptoms: A remote user attempts to access the site. Access is denied and the following message is displayed in the browser window: "There are too many users on the web site at the moment. Please try to access the site again in a few minutes."
Cause: The maximal number of unauthenticated sessions that can be open through the site at the same time was reached.
Resolution: If this event occurs on a regular basis, increase the number of unauthenticated sessions that can be open through the site:
1. In the Configuration program, open the Advanced Trunk Configuration window of the relevant trunk and access the Session tab.
2. In the Max Concurrent Unauthenticated Sessions field, increase the number of unauthenticated sessions that can be open through the site simultaneously.
Warning 17: Request Too Long
Symptoms: A remote user requests a page. The request is denied and a message is displayed in the browser window informing the user what part of the request is too long: URL, method, HTTP version or Header section.
Cause: The request is invalid since part of it is too long, as indicated in the message. The allowed lengths are:
- URL: 2,083 bytes
- Method: 32 bytes
- HTTP version: 16
107. [Registry Editor screenshot residue: the whlerrsrv key and its Parameters subkey, with a DWORD value data of 0x00000001 (1); neighbouring keys include WinMgmt and Winsock]
4. Restart the Whale Log Server service as follows: in the Windows Control Panel, double-click Settings > Control Panel > Administrative Tools, then double-click Services. Right-click the Whale Log Server and select Restart. The Restart Other Services dialog box is displayed.
Chapter 10 Troubleshooting: Log File Cleanup
[Dialog box: Restart Other Services. "When Whale Log Server restarts, these other services will also restart: Whale File Sharing Service, World Wide Web Publishing Service, Whale SessionMgr, Whale UserMgr, Whale MonitorMgr. Do you want to restart these services?"]
Tip: When you stop the Whale Log Server service, a number of other dependent services are also stopped. When you use the Restart command, the Whale Log Server service is automatically stopped and restarted, as are all the dependent services. For this reason it is recommended that you use the Restart command and not the Stop command. If you do stop the service with the Stop command, make sure to manually start it and all the dependent services that were stopped.
5. Click Yes to restart all listed services. The Whale Log Server service and all other services in the list are stopped and are then restarted automatically.
ITS log files will not be computed in the calculation of space defined in
108. [Screenshot residue: users and groups list from the whalecom domain, including Domain Admins, Domain Computers, Domain Guests, Domain Users, Enterprise Admins, ERPusers, Exchange Domain Servers and Exchange Enterprise Servers]
Tip: You can save your selection of users and groups as a local group using the Save As Local Group button. For details on local groups, refer to Local Groups on page 35.
7. For each user or group, click the appropriate boxes to select one of the access permission levels:
- Allow: users can view and access the application via the portal homepage.
- View: the link is displayed on the portal homepage. However, when users click the link, they are prompted to enter additional credentials in order to access the application.
- Deny: the effect of this option depends on the type of portal homepage used with the site. In sites that use the default portal homepage supplied with the IAG, the link is not displayed on the portal homepage and users cannot access the application. In sites that use a custom portal homepage, the link is displayed on the portal homepage; however, when users click the link, access to the application is denied. In both types of portal homepages, if users attempt to access the application either directly or via a different link, they are denied access.
Chapter 2 SSL VPN Portals: Users Setup
Click OK. The Application Properties dialog box c
109. [Screenshot residue: System Information page listing .NET CLR 1.1.4322 and .NET CLR 2.0.50727, domain WHALECOM, and the footer "This site is protected by the Whale Communications Intelligent Application Gateway. To refresh this page, please log out, then log in again."]
Installing and Running the Components on Endpoint Computers
This section describes how users can install and run the Whale Client Components on their computer, including:
- Prerequisites for Installing the Whale Client Components on page 151
- The available installation modes, including Online Whale Client Components Installation on page 152, Whale Client Components Installer on page 154, and Offline Whale Client Components Installation on page 157
- Prerequisites for Running the Whale Client Components on page 159
Once the Client Components are installed on the endpoint computer, the Whale Component Manager updates installed components as updates become available.
Note: The installation and removal of the components may require a restart of the browser or of the computer. Users are notified accordingly. If removal of the components is not complete because a user selected not to restart the browser or computer, no updates will be installed.
Chapter 5 Endpoint Security: Whale Client Components
Prerequisites for Installing the Whale Client Components
Table 18 on page 151 lists the prerequisites on the e
110. [Screenshot residue: "Limit the Applications to the Following Subnets" area, with a Subnet List (Subnet Address, Subnet Mask) and Add and Edit buttons]
The Add subnet dialog box is displayed.
Chapter 2 SSL VPN Portals: Optional Configuration
[Dialog box: Add subnet, with Subnet Address and Subnet Mask fields, OK and Cancel buttons]
2. Enter the subnet address and mask, then click OK. The Add subnet dialog box closes. The subnet you configured is added to the Subnet list.
[Screenshot: Subnet list containing the entry 192.168.1.1 / 255.255.0.0]
3. Repeat steps 1-2 to define additional subnets. The applications will be restricted to the defined subnets.
Changing the Application Access Portal Port Number
The port number that is assigned to the Application Access Portal when you create the trunk in the Create New Trunk Wizard is the port number of the external website. In setups where remote users access a machine other than the IAG, such as a load balancer, enter the port number of the actual machine that is accessible to the users at the top left side of the Configuration pane, in the Application Access Portal area.
[Screenshot: Application Access Portal area, Public Hostname/IP Address "myportal.com", Port 443]
Where To Go From Here
Once the SSL VPN Portal is created, you can edit it using the Configuration program. You can configure any of the following:
- Optio
111. Enabling Certified Endpoint Using Microsoft CA Locally
To enable the Certified Endpoint feature using Microsoft CA installed locally on the IAG, perform the following steps:
- Install Microsoft CA on the IAG. For details refer to Installing a Microsoft Certificate Authority (Local CA Only) on page 124.
- Optionally, define a policy for issuing the CA certificates. By default, a Manual policy is defined for the CA. You can change the policy to either Automatic or Automatic with Delay. For details refer to Defining a Certification Authority Policy (Local CA Only) on page 128.
- Optionally, edit some of the default configuration settings. Refer to Editing the Default Configuration (Local CA Only) on page 131.
- Before you activate the Certified Endpoint feature, make sure that end users who are using Microsoft Internet Explorer prepare their endpoint computers as described in Preparing Endpoint Computers that Use Internet Explorer (Local CA Only) on page 134.
- Enable the Certified Endpoint feature in the Configuration program: in the Session tab of the Advanced Trunk Configuration window, activate the option Use Endpoint Certificate. For details refer to the Intelligent Application Gateway Advanced Configuration guide, Session Configuration on page 133.
- Add the Certified Endpoint Enrollment application to the trunk. Refer to Adding Certified Endpoint Enrollment to the Trunk (Local CA Only) on pa
112. Configuring Home Directory, Mapped Drives and Share Permissions
This section describes how you use the File Access Configuration window to configure the following access and view permissions for remote users as they use the File Access interface:
- Home Directory: remote users' access to their Home Directory.
- Mapped Drives: remote users' access to their mapped drives. Mapped drives are defined by the user's logon script, which is located in the organization's Domain Controller, in the NETLOGON directory. File Access automatically supports batch files (.bat, .exe). For any other scripts, such as JavaScript (.js) or Visual Basic (.vbs), you can do one of the following:
  - Wrap each script within a separate batch file.
  - During the configuration of users' access to mapped drives, specify the script engine that will be used to run the user's logon script, as detailed in the configuration procedure.
  Note: Before you configure the Mapped Drives option, see the following sections: Limitations of Mapped Drives on page 225; Deleting User Profiles When Using Mapped Drives on page 226.
- Share Permissions: users' permissions to view configured shares, that is, whether users will view all the shares that are configured for File Access, or only the shares for which they have access permissions.
  Note: Share Per
113. IAG High Availability Array. The windows are described in detail in the sections that follow.
264 Chapter 9 Monitoring and Control: Web Monitor
Tip: The selected view is highlighted.
- Click Troubleshooting for troubleshooting guidelines and instructions for Warning and Error messages.
In the right pane, the Web Monitor window that you selected in the left pane is displayed.
Figure 40: Sample Web Monitor Window
[Screenshot: Web Monitor Current Status window (Server time 03/14/2006 16:37) with the left-pane navigation (Current Status, Active Sessions, Statistics, System Security, Session, Application) and a Total Sessions table listing Trunk Name, Authenticated Sessions and Unauthenticated Sessions for the "portal" trunk and for All Trunks]
Tips for Using the Web Monitor
- Where times are displayed, such as in the Statistics windows, it is the time on the IAG, not the remote user's computer. The current time on the IAG is displayed at the top right corner of the screen, for example: Server time 02/23/2006 17:40.
- To generate reports in Microsoft Excel format, click the Excel icon. You can then use Excel to manipulate the data according to your needs, for example, calculate the number of users that were concurrently logged ont
114. In order for users to run SSL Wrapper applications, the IAG site has to be trusted. When a user launches an SSL Wrapper application, the SSL Wrapper Client Component verifies the identity of the IAG site against the site's server certificate and checks whether the site is on the user's Trusted Sites list; only if the site is trusted will the application launch.
Tip: For information on how the IAG site can be added to the user's Trusted Sites list, refer to IAG Trusted Sites on page 160.
This chapter describes:
- The technology used by the SSL Wrapper, in Technology Overview on page 172
- The conditions under which access to SSL Wrapper applications is enabled in endpoint computers, in Enabling Access to SSL Wrapper Applications on page 175
- The types of applications supported by the SSL Wrapper, in Supported Applications on page 181
- Steps you take in order to configure SSL Wrapper applications, in Configuration Overview on page 183
- Remote users' interaction with the SSL Wrapper, on page 183
Tip: Application-specific settings required for some of the SSL Wrapper applications are described in the Intelligent Application Gateway Application Aware Settings guide.
If you are running XCompress on the IAG, you need to set the streaming optimization to Low latency. You can automate the process by copying the file Xcompre
115. Intelligent Application Gateway User Guide, December 2006, Version 3.7. Copyright 2006 Whale Communications, a Microsoft subsidiary. All rights reserved.
This manual and the information contained herein are confidential and proprietary to Whale Communications, a Microsoft subsidiary, its affiliates and subsidiaries (hereinafter "the Company"). All intellectual property rights, including without limitation copyrights, trade secrets, trademarks, etc., evidenced by or embodied in and/or attached, connected or related to this manual, the information contained herein and the Product, is and shall be owned solely by the Company. The Company does not convey to you an interest in or to this manual, the information contained herein and the Product, but only a limited right of use. Any unauthorized use, disclosure or reproduction is a violation of the licenses and/or the Company's proprietary rights and will be prosecuted to the full extent of the Law.
TRADEMARKS: Application Aware and Attachment Wiper are service marks, trademarks or registered trademarks of Whale Communications or its subsidiaries in the United States and other countries, or both. Netscape and Netscape Navigator are service marks, trademarks or registered trademarks of America Online Inc. or its subsidiaries in the United States and other countries, or both. Carbon, Macintosh, Mac OS and Safari are service marks, trademarks or registered trademarks of Apple Computer Inc. or its subsidiarie
116. Of The Box Security Configuration on page 147.
Warning 33: Invalid Request
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "The page cannot be displayed."
Cause: The request is invalid, possibly since it contains too many headers. This could be caused by an IIS bug on the requesting client.
Resolution: Check the browser used to request the page.
Warning 34: Download Policy Size Violation
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "According to your organization's Download policy, the requested download is not allowed."
Cause: The response failed since the size of the transfer data renders it a download, and the application's Download policy forbids downloads to the requesting endpoint.
Resolution: In the Configuration program, do one of the following:
- If, for this application, you wish responses of this size to be considered regular responses and not downloads, increase the size of data above which a response is considered a download, as follows:
  1. Open the Application Properties dialog box and access the Download/Upload tab.
  2. In the Downloads area, increase the size defined in Identify by Size. For details refer to Download/Upload Tab on page 82.
- If you wish to cance
117. Operating System: Supported Browsers
- Mac OS X: Safari 1.2.4, 1.3 and 2.0; Mozilla family: Netscape Navigator 7.1.x, 7.2.x; Mozilla 1.7.x; Firefox 1.0.x and higher; Camino 0.83 and higher.
- Linux (Red Hat, SUSE, Debian): Mozilla family: Netscape Navigator 7.1.x, 7.2.x; Mozilla 1.7.x; Firefox 1.0.x and higher.
Supports mobile Internet connectivity.
Although other browsers might also be functional, for optimal performance Whale Communications extends support to these versions only.
Note: Some of the Whale Client Components are supported only on Windows operating systems running Internet Explorer. For details refer to Whale Client Components on page 147.
For those users running other operating systems or other browser versions, our portal homepage has been reworked to present a stripped-down page for browsers that do not support the rich environment necessary to support the entire range of IAG features, such as scheduled logoffs and session timeouts. The limited portal presents users with a page containing links to all applications; when a user clicks a link, the application opens in a new window. The limited portal does not, however, include the Whale toolbar, which enables additional IAG features such as credentials management and system information.
Security Management Tools
The IAG provides you with security management tools that ensure strict security administration and enforcement. The Service Pol
118. [Screenshot residue: System Information page showing Personal Firewall (XP SP2, version N/A), Operating System (Windows XP Professional 5.01.2600 Service Pack 2), Browser Version (Internet Explorer 6), User Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)", Sun JRE Version N/A, Domain WHALECOM, Certified Endpoint and Privileged Endpoint status, and the footer "This site is protected by the Whale Communications Intelligent Application Gateway. To refresh this page, please log out, then log in again."]
Remote Configuration of Users' Trusted Sites Lists
This section describes how the domain administrator can remotely manage end users' Trusted Sites list, so that users are not prompted when the Whale Client Components verify that the IAG site is trusted. You control the configuration of the Trusted Sites list using a Registry key that you add to the user's endpoint, which you can deploy as you do any other managed configuration, for example via the Windows Logon Script or as part of your Group Policy. You can also use this key to control which other sites users can add on demand to their IAG Trusted Sites list.
To configure the Trusted Sites list:
1. At the IAG, access the following folder: Whale-Com\e-Gap\von\InternalSite\samples
2. From the samples folder, copy the following files to an external location; make sure they reside in the same folder: CheckSite ba
119. ... 59
Editing in the Configuration Pane ... 59
Editing in the General Tab ... 61
Editing Webmail Trunk Server Settings ... 64
Domino iNotes Single Server ... 65
Domino iNotes Multiple Servers ... 66
Chapter 4 Application Settings ... 67
Editing Application Properties ... 67
Accessing the Application Properties Dialog Box ... 68
General Tab ... 68
VALESTI ... 71
Web Settings Tab ... 73
Application Authentication ... 74
General Web Settings ... 75
User Authorization Data ...
120. RL: "The URL you are trying to access contains an illegal parameter."
Cause: The URL query string or the POST data parameters of the requested URL are illegal, due to one of the following reasons:
- They contain an illegal character, according to the definition of the application's Out Of The Box Security Configuration.
- The IAG filter failed to construct a legal parameter list from the URL query string or from the POST data parameters, for example, a parameter that contains only a value with no name.
Resolution: Use the Configuration program to determine whether the failure was caused by an illegal character or by an illegal parameter list:
1. Open the Application Properties dialog box and access the Web Settings tab.
2. Uncheck the option Check Out Of The Box Rules. For details refer to Web Settings Tab on page 73.
3. Request the URL again and observe whether the request is accepted or not:
   - If the request does not fail this time, it is an indication that the failure was caused by an illegal character.
   - If the request fails again, it is an indication that the failure is caused by the filter failing to construct a legal parameter list from the URL query string or from the POST data parameters.
According to the reason of the failure, take the steps listed below to resolve the problem. Before you do so, in the Web Settings tab, check the option Check Out Of The Box Rules so that it is activated again. If t
121. SA firewall rule that enables the connection from the IAG to the application server. For details, examine the ISA logs and alerts and, if necessary, consult ISA troubleshooting.
Warning 26: URL Changed
Symptoms: During URL verification, the IAG filter changes the URL. The remote user's experience is not affected.
Cause: The requested URL contains an illegal sequence of characters, for example, multiple slashes.
Resolution: Take the following steps in the Configuration program:
1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.
2. In the Out Of The Box Security Configuration area, edit the application's Legal Characters list to include the character that caused the error, as reported in the message in the Reason field. For details refer to the Intelligent Application Gateway Advanced Configuration guide, URL Inspection Tab: Out Of The Box Security Configuration on page 147.
Error 29: Failed to Read Configuration
Symptoms: The message is logged after you activate the Configuration program. The IAG is not functioning as expected, or is not functioning at all. Remote users might experience problems while working with the site, or might not be able to access the site at all.
Cause: Problem with the configuration files of the module that failed. This might be caused by one or more of the following:
122. Secure communications: Require secure communications and enable client certificates when this resource is accessed. In the Secure communications area, click Edit. The Secure Communications dialog box is displayed. Check the option Enable certificate trust list and click New. The Welcome to the Certificate Trust List Wizard screen is displayed. Click Next.
   7. The Certificates in the CTL screen of the Certificate Trust List Wizard is displayed.
   8. Click Add from Store. The Select Certificate dialog box
123. High Availability Array link enables access to all IAG servers in the Array.
   Troubleshooting: If you cannot access an IAG server that is part of the Array via the applicable link, verify the following: the server is up and running; the server is accessible from the server where you are using the Web Monitor; you assigned the same users to the IAG Monitor Users group on all the IAG servers that are part of the Array. For details, refer to Enabling Web Monitor Access from Computers Other Than the IAG on page 261.
   Tip: If access to the IAG fails while you are accessing the Web Monitor remotely via the SSL VPN portal, and the failure is due to user authentication problems, the following message is displayed in the Event Viewer: Login On The Fly Failed.
   Analyzing History Reports Once an IAG Server is Removed from the Array: Once you remove an IAG server from the High Availability Array, you are no longer able to query reports of events that were recorded on the server while it was still part of the Array. You can, however, copy the required logs onto one of the IAG servers which are part of the Array and query the reports there using the Event Query. To query reports of a
124. Table 4: Configuration Pane Parameters, Webmail and Basic Trunks.
   IP Addresses, External Website: IP address of the external website.
   IP Addresses, Application Server: IP address of the application server.
   Ports, External Website: Port number of the external website. The type of port (HTTP or HTTPS) that is displayed, and that can be edited here, depends on the connection type. Note: The other port of the external website can be edited in the General tab of the Advanced Trunk Configuration window. For example, for an HTTP Connections trunk, the HTTP port is displayed and can be edited here, while the HTTPS port is displayed and can be edited only in the General tab of the Advanced Trunk Configuration window.
   Ports, Application Server: HTTP port of the application server.
   Table 4: Configuration Pane Parameters, Webmail and Basic Trunks (Cont'd).
   Public Hostname: Optional, applicable only if the application is accessed via a hostname. The host through which remote users access the application enabled in this trunk (external website). You can enter either a domain name (effective hostname) or an IP address.
   Maximum Connections: Maximal number of simultaneous connections that are permitted for this trunk. Default: 500.
   Initial Path: Path of the application on the application server, as follows: Basic trunks: required onl
125. Verify that the process inetinfo.exe, which runs the IIS, is listed in the Image Name column of the Windows Task Manager Processes tab. This is an indication that the IIS is still running. Back in the Command prompt, type kill w3wp and press <Enter>. The following message is displayed in the Command prompt:
   C:\Documents and Settings\Administrator>kill w3wp.exe
   SUCCESS: Sent termination signal to the process w3wp.exe with PID 2756
   C:\Documents and Settings\Administrator>
126. Ware Servers, described in Novell Logon Settings on page 227. The domains, servers and shares which are exposed to remote users using File Access, as described in Configuring Access to Domains, Servers and Shares on page 229. Once you configure the administration settings in the File Access window, the next time you open the window the settings remain intact. Note: In order to configure File Access administration settings, you must be a member of the Administrators group of the IAG.
   Accessing the File Access Window: This section describes how you access the File Access window in order to configure the global File Access administration settings. To access the File Access window:
   1. In the Configuration program, on the Admin menu, click File Access. The Windows Enter Network Password dialog box is displayed.
   2. Enter User Name and Password, then click OK. The network is browsed and the File Access window is displayed, showing all the domains in the network which are accessible from the File Access host. Depending on the complexity of the network, this may take a few seconds.
   Figure 39: Sample File Access Administration Window (File Access Admin: Network Sharing, with Domains, Servers and Shares tabs, and General Configuration).
127. XML Integrity Verification. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: The page cannot be displayed. The request failed the XML Integrity verification. Cause: The request failed the inspection of XML integrity in HTTP data. Resolution: If you wish to cancel the inspection of XML integrity in HTTP data for this application, take the following steps in the Configuration program:
   1. Open the Application Properties dialog box for this application and select the Web Settings tab.
   2. Uncheck the option Check XML Integrity. For details, refer to Web Settings Tab on page 73.
   Warning 55: Parameters not Allowed with URL. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter. Cause: According to the configuration of the application's ruleset, the requested URL is not allowed to contain parameters. Resolution: Take the following steps in the Configuration program:
   1. Open the Advanced Trunk Configuration window and select the URL Set tab.
   2. In the URL List, access the rule that caused the failure, according to the details provided in the message. In the Parameters column, select either
128. able 10 on page 75.
   Table 10: Web Settings Tab, General Web Settings.
   Verify URLs: When this option is activated, URL requests from the application are inspected against the URL Inspection rules of this application type, as defined in the URL Set tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Configuring a Ruleset in the URL Set Tab, on page 164. Note: Disabling this option disables URL inspection at the application level and affects this application only. Also, requests from this application will still be checked against the general rules, such as the Internal Site rules. If you wish to disable URL inspection altogether, you need to set the IAG to Debug mode in the General tab of the Advanced Trunk Configuration window.
   Learn Mode: When this option is activated, URL requests from the application are inspected against the URL Inspection rules of this application type, but the rules are not enforced. That is, if a request is not accepted by one of the application rules, the failure is logged in the Security log and the request is allowed.
   Allow WebDAV Methods: Allow browsers to send HTTP data to the application in requests that use WebDAV methods.
   Check XML Integrity: Inspect XML integrity in HTTP data.
   Check Out Of The Box Rules: Check URLs against the application's Out Of The Box Rules as
129. able resides, as follows: C:\Program Files\Whale Communications\Client Components\3.1.0\whlioc.dmp. Tip: The log sniff registry value is polled by the client executable while running, and may be updated while the Network Connector is in session. Set the log sniff value to 0 to disable packet dumps when you finish troubleshooting the client. The dump files are written in TCPDUMP format.
   Chapter 8: Providing Access to Internal File Systems. The Intelligent Application Gateway (IAG) provides two applications that enable remote users to access file systems on the internal network: The Local Drive Mapping application provides access to Windows shared network folders, as described in Local Drive Mapping on page 209. The File Access application provides access to Windows Network and Novell NetWare file servers, as described in File Access on page 211.
   Local Drive Mapping: The Local Drive Mapping application enables you to map internal Windows shared network folders (shares) to network drives on remote users' local computers. Users can then connect to the shares directly from the remote computer and, depending on policy configuration, download and upload files to and from those drives. Local Drive Mapping is supported on endpoint computers that run Windows XP, Windows 2008 and Windows 2000 opera
130. absolute URL, for example https://whale.com. URL of the icon representing the application, displayed in the portal to the left of the application name. Short description of the application, displayed in the portal directly under the application name. Additional description, displayed in the portal under the short description.
   Table 16: Portal Link Tab Parameters (Cont'd). Parameters: Startup Page, Open in New Window, Application Supported On.
   Startup Page: A page containing startup functionality you wish to assign to this application, in addition to the default functionality that is enabled by the IAG. When this option is activated, the page you define here is included by the default application startup page, and the operations you define in your page are implemented at the beginning of the application startup process. Default application startup for all applications is determined in the page StartApp.asp, located under ...\Whale-Com\e-Gap\von\InternalSite. If you activate the Startup Page option, take the following steps: Place your own page in the following location: ...\Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate. Note: File extension must be .inc. Enter the name of the page, including its location under the inc folder, in the Startup Page text field. For example: Startup Page: CustomUpdate\startup.inc. Tip: The page notes
131. ackup utility and the Restore utility. During backup, the IAG Backup & Restore utility uses the Windows makecab.exe utility to archive the necessary files and Registry values in a .cab file. It uses the Windows extract.exe utility to restore them. We recommend that you create backups as follows: Run the Backup utility directly after the initial IAG configuration to back up the IAG's configuration settings. Following the initial backup, make sure to run the utility each time you modify the configuration settings, in order to ensure that the backup is updated at all times. Copy the backup file to a separate location whenever you make major changes to the configuration. By default, the backup is created under the IAG installation path: ...\Whale-Com\e-Gap\Backup. Tip: If you do not see the backup file in this location, the default path may have been changed. Contact technical support for assistance in identifying the current path. The name of the backup file that is created in the defined backup folder is whlbackup<host_name>.cab, where host_name is the name of the IAG. Instructions for using the Backup & Restore utility are provided in Backing up the Configuration on page 304 and Restoring the Configuration on page 305. Tip: Each time you run the Backup & Restore utility, a log is created in this file: ...\Whale-Com\e-Gap\Logs
132. age. The request is denied and the following message is displayed in the browser window: The page cannot be displayed. Ruleset configuration invalid. Cause: The URL Inspection rule defined for this URL does not specify a method. Resolution: Take the following steps in the Configuration program:
   1. Open the Advanced Trunk Configuration window and access the URL Set tab.
   2. In the URL List, access the rule that caused the request to fail and, in the Methods column, assign a method or methods for this URL. For details about the configuration of rulesets, refer to the Intelligent Application Gateway Advanced Configuration guide, Configuring a Ruleset in the URL Set Tab, on page 164.
   Warning 51: Invalid Method. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: You have attempted to access a restricted URL. You are trying to access the URL using an illegal method. Cause: According to the configuration of the application's URL Inspection ruleset, the method used to send the request is not valid for the requested URL. Resolution: Take the following steps in the Configuration program:
   1. Open the Advanced Trunk Configuration window and access the URL Set tab.
   2. In the URL List, access the rule that caused the request to fail and, in the Methods column, assign the appropriate method for this URL. For details about the conf
133. ain, New Domain Tree, New Forest. At the IAG, verify that for the following Windows services, Startup Type is set to Automatic: Computer Browser (optional, for performance enhancement); Distributed Transaction Coordinator; Workstation. Still at the IAG, on the Local Area Connection that is used to access File Access resources, verify that a Client for Microsoft Networks is installed and activated. For instructions, refer to Installing a Client for Microsoft Networks on page 217. Establish domain trust relationships between the IAG and every domain (one or more) that holds File Access users. Users can be part of a user domain or a resource domain. The File Access domain must trust the domain or domains that hold the users, whereas the trusted domains may not trust the File Access domain. Grant local logon permissions on the IAG to all File Access users, regardless of their privileges. Best Practice: Create a group that will contain all File Access users from various domains. Figure 37 on page 214 illustrates a sample File Access environment with three domain types: File Access domain, consisting of the IAG; User domain, holding all File Access users (although it is recommended that one domain holds all the File Access users, there can be multiple user domains in this setup; users can also be part of a resource domain); Resource domains, holding the shared r
134. ake sure you assign it a unique name that will not be used for any other purpose. If the header or parameter name is unique, when it is used in a request it is an indication that this is a malicious request that should be blocked. To define the Source IP key header or parameter for this application, take the following steps in the Configuration program:
   1. Open the Application Properties dialog box for this application and access the Web Settings tab.
   2. Under the option Source IP key, assign a unique header or parameter name. For details, refer to Web Settings Tab on page 73.
   Warning 20: Attempt to Sneak Negotiate Header. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: An attempt to sneak authorization info was detected. Cause: The request contains a negotiate authorization header. Resolution: If you wish to cancel the blocking of negotiate authorization headers, take the following steps in the Configuration program:
   1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab.
   2. Uncheck the option Block Negotiate Authorization Header. Note: A negotiate authorization header sent by clients may contain malformed code which could cause denial of service and browser crashes. This vulnerability was an
135. al Group dialog box to exclude the three users from the local group.
   8. Click OK to close the Add Local Group dialog box.
   9. Repeat steps 2 to 8 to define additional groups, as required. Tip: You can use the button in the Local Groups dialog box to duplicate an existing local group.
   You can now use the groups you created to define application authorization, as described in Defining Authorization for Portal Applications on page 38. You can also use the local groups as building blocks when defining additional local groups.
   Defining Authorization for Portal Applications: You can define authorization for any of the applications enabled through an SSL VPN Portal. To define authorization for an application, take the following steps: Assign users and groups to the application. In this step you select the users and user groups from any of the defined authorization repositories and assign them to the application. By default, the users and groups you select here have Allow and View permissions for the application. Assign authorization permissions to the users and groups you selected for the application. For each user or group, you can assign Allow, View or Deny authorization permissions. Note: If at any time after the initial configuration there are changes in the authorization repository, such as a user being removed from or added to the repository, or user permissions being changed,
136. alidate.inc. Name the file as follows: <Trunk_Name><Secure: 0=no, 1=yes><Hook_Name>. For example, for an HTTPS trunk named WhalePortal, to create a PrePostValidate hook, create the file WhalePortal1PrePostValidate.inc. If such a file already exists, use the existing file. In the file you defined in step 2, add the following lines:
   <% SetSessionParam g_cookie, "ATTACHMENT_WIPER_CLEAR_HISTORY_PARAM", <flag> %>
   Where flag may be any combination of the following:
   1: Clear History.
   2: Clear Web Address AutoComplete and IntelliForms.
   4: Clear Cached Passwords in Forms AutoComplete and Wininet's cached passwords (replies to application-specific authentication requests).
   8: Clear all fields that are saved by Forms AutoComplete, except for Cached Passwords, which are cleared by flag 4.
   For example, in order to clear the browser's History, Web Address AutoComplete and IntelliForms, without clearing any of the other items, add the lines:
   <% SetSessionParam g_cookie, "ATTACHMENT_WIPER_CLEAR_HISTORY_PARAM", 3 %>
   Note: For the cleanup of the Forms AutoComplete data, it is recommended to use flags 4 and 8 together (12). It is not recommended to use flag 8 on its own.
   Configuring a Scheduled Cleanup: In addition to the automatic cleanup that is triggered at the end of a session or when a use
137. an IAG Server is Removed from the Array 300
   Monitoring 301
   Chapter 10 Troubleshooting 303
   Backup & Restore Utility 303
   Backing up the Configuration 304
   Backing up the Configuration in the Configuration Program 304
   Running the Backup Utility as a Console Application 305
   Restoring the Configuration 305
   Restoring the Configuration in the Configuration Program 306
   Running the Restore Utility as a Console Application 306
   Error Logging and Process Tracing 307
   Error Server and Trace Configuration File 307
   Individual Trace Sections 308
   General Trace Configuration Section
138. andling tab, select one of the following actions: For manual mode, select the option Set the certificate request status to pending. The administrator must explicitly issue the certificate. For automatic mode, select the option Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.
   6. Click OK. The default action is set. It will be applied to all new requests. Existing requests are treated according to the policy that prevails when the request was entered.
   Setting the Certification Policy to Automatic with Delay: In addition to the policies you can select via the Certification Authority interface, the IAG enables you to specify an Automatic with Delay policy. This policy automatically issues the certificate, but only after a defined delay interval. To define an Automatic with Delay policy:
   1. At the IAG, access the following file: ...\Whale-Com\e-Gap\Von\WhaleSEP\inc\info.inc.
   2. Copy the file you accessed in step 1 to the following custom folder (if the folde
139. 160
   Remote Configuration of Users' Trusted Sites Lists 162
   Restoring the Whale Client Components Defaults 165
   Uninstalling the Whale Client Components 167
   Chapter 6 SSL Wrapper
   Technology Overview 172
   Socket Forwarding Activation Modes 174
   Enabling Access to SSL Wrapper Applications 175
   SSL Wrapper Java Applet Prerequisites 176
   Uninstalling the SSL Wrapper Java Applet 178
   Socket Forwarding Component Installation 178
   LSP Conflict Detection 179
   Supported Applications 181
   Generic
140. as unless their computer meets the requirements of the Restricted Zone endpoint policy. Once you activate this option, make sure you also: Define the required Restricted Zone policy for the application. For details, refer to Application Endpoint Policies on page 99. Define the application's Restricted Zone URLs in the Global URL Settings tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Global URL Settings Tab: URL Settings, on page 152.
   User Authorization Data: Use the User Authorization Data area of the Web Settings tab to configure the IAG to send data regarding the originator of the connection request to the application server. User Authorization Data parameters are described in Table 11 on page 77.
   Table 11: Web Settings Tab, User Authorization Data. Parameters: Authorization Key, Format, Source IP Key, Format.
   Authorization Key: Name of the header or parameter that the IAG uses to send the data to the application server. If you activate this option, you also have to configure the value of the Authorization Key header or parameter which will be sent to the application server. For details, refer to Configuring Authorization Key Value on page 78.
   Format: Select the format in which the IAG will send the Authorization Key to the application server: Hea
141. as follows:
   1. Open the Application Properties dialog box and access the Download/Upload tab.
   2. In the Uploads area, edit the Extension List accordingly. For details, refer to Download/Upload Tab on page 82.
   If you wish to cancel the identification of uploads by extensions for this application, take the following steps:
   1. Open the Application Properties dialog box and access the Download/Upload tab.
   2. In the Uploads area, uncheck the option Identify by Extensions.
   Note: If none of the options in the Uploads area are activated, no uploads to the application are blocked, regardless of the settings of the application's Upload policy. If you wish to enable uploads from the submitting endpoint to the application, edit the application's Upload policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99.
   Warning 44: Failed to Create Parameter List. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: You have attempted to access a restricted U
142. ater, the Scheduled Logoff is triggered: the session's status changes to unauthenticated and the user is prompted to re-authenticate. The user re-authenticates within the required timeframe and the session is authenticated again. When the user finishes working with the site and logs off, the status of the session changes to unauthenticated. After a pre-defined period of time, the session closes. It is no longer displayed in the Session Monitor Active Sessions window.
   Table 28: Parameters of the Session Monitor Active Sessions (Cont'd).
   Events: Clicking the Events icon generates a report of events related to the session. The report is displayed in the Event Reports window, described in Event Report on page 297.
   Terminate: Clicking the Terminate icon terminates the session. A message prompts you to verify the termination; once you do, the status of the session changes to unauthenticated. Note: You cannot terminate the current session or unauthenticated sessions.
   Session Details: The Session Details window is displayed when you click a session's ID in any of the Web Monitor's Active Sessions windows. It provides in-depth session information, divided into the following tabs: The General tab provides general information about the session and about the users that are currently logged in to the session. Note the following
143. ating policies in Script mode, refer to Configuration in the Advanced Policy Editor on page 106. To configure policies and expressions in Basic mode:
   1. In an area where you assign policies, click Edit Policies (for example, in the Session tab of the Advanced Trunk Configuration window). The Policies dialog box is displayed. Figure 18: Policies Dialog Box (list of policies with Edit, Remove and Close buttons). Tip: For a description of where you can access the Policies dialog box, refer to Session Endpoint Policies on page 95 and Application Endpoint Policies on page 99.
   2. Do one of the following: To edit an existing policy that was previously created and edited in Basic mode, select the policy and click Edit. To edit an existing expression, click the sign to expand the Expressions group, sele
144. ation. Tip: To return to the query form, click Show query form.
   Table 35: User Monitor Statistics Window, Query Results.
   Lead User: User who initiated the session. Clicking the sign next to the user name, or clicking the name itself, displays a list of all the applications that the user accessed during the query period. For each application, user access details are provided. Clicking the respective buttons expands and collapses the display for all users. Once a user's view is expanded, clicking an application name, or clicking the sign next to the application name, displays details regarding all of the user's accesses to the specific application.
   Average Session Duration: Average duration of the user's sessions during the query period.
   Total Session Duration: Total duration of the user's sessions during the query period.
   Accesses: Number of times the user accessed the site du
145. ation Authority. Refer to Viewing and Processing Certificate Requests (Local CA Only) on page 146. Figure 21 on page 121 illustrates the following: Steps that the administrator has to perform to enable the Certified Endpoint feature when using a locally installed Microsoft CA. Steps that the end user must perform in order to be recognized as a Certified Endpoint (depicted in the shaded areas).
   Figure 21: Sample Flow for Enabling Certified Endpoint Using a Local CA. Flowchart boxes, in order of appearance: Install Microsoft CA on IAG; Edit default configuration (optional); Define policy (optional); Inform end users to prepare client computers (if using IE); Install Security Patch and prepare client computer; Enable Certified Endpoint in Configuration program; Add Certified Endpoint Enrollment application to trunk; If using custom portal home page, add link; Update CTL with new CA; Back up certificate settings; Submit request for Certified Endpoint status; Check request status; Request granted? (Pending / In Progress / Yes / No); Install Certificate; Certificate Issued; Certificate Denied: Speak to Administrator; User's computer is a Certified Endpoint. Legend: Performed by end user.
ation Settings: Duplicating an Application

Chapter 5: Endpoint Security

The Intelligent Application Gateway (IAG) provides a number of features that help protect your internal network against access from non-secure endpoint computers. This chapter describes the following:
- Endpoint security policies are used to create tiers of access by determining whether or not endpoint computers are allowed to access internal sites and applications, depending on their security settings. This feature is described in Endpoint Policies on page 93.
- Endpoint settings help you optimize endpoint computer settings that affect the functionality of some of the IAG features, as described in Endpoint Settings on page 108.
- The Attachment Wiper is a virtual shredder that wipes out sensitive information recorded by a web browser during an SSL VPN session, such as files, cookies, credentials and more. For details, refer to Attachment Wiper on page 110.
- The Certified Endpoint option enables you to certify endpoint computers using client certificates. This feature is described in Certified Endpoints on page 118.
- Whale Client Components are described in Whale Client Components on page 147.

Endpoint Policies

SSL VPNs are accessed from clients of differing natures: company-owned laptops, home computers, public Internet kiosks, etc. The IAG is equipped with technology that identifies the security level of the endpoint c
b Monitor on one of the IAG servers that are part of the Array, the Monitor automatically maps itself to all the IAG servers in the Array.

Tip: The list of IAG servers that are part of the Array is defined in the Configuration program, in the High Availability dialog box. (Screenshot: High Availability dialog box, with an "Enter station name" field, the station list, and Remove, OK and Cancel buttons.) For a full description, refer to the Intelligent Application Gateway High Availability Configuration guide.

Accessing IAG Servers in the Array

In sites that deploy a High Availability Array, when you first access the Web Monitor application, the High Availability Array window is displayed, listing the Intelligent Application Gateway servers. (Screenshot: Web Monitor High Availability Array window, "Please select one of the following e-Gap servers", listing SR2-INT and SR3-INT.) Clicking the server you wish to monitor opens the main window of the Web Monitor. Once the main window of the Web Monitor is displayed, access to the IAG servers that are part of the Array is enabled via a High Availability Array link on the menu of the Web Monitor browser window; clicking the link displays the High Availability Array window again.

(Screenshot: Web Monitor menu, showing Session Monitor, Current Status, Active Sessions, Statistics, Application Monitor, Current
bytes; Header section: 2,048 bytes.
Resolution: Check the browser that was used to request the page.

Warning 18: Invalid Request Version
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "Invalid HTTP request version".
Cause: The browser on the remote computer sent the request using an invalid HTTP protocol version.
Resolution: Verify that the browser that was used to request the page is configured to use HTTP version 1.1 or 1.0. For example, in Internet Explorer 6.0, take the following steps:
1. On the Tools menu, click Internet Options.
2. In the Internet Options dialog box, select the Advanced tab.
3. Under HTTP 1.1 Settings, verify that the option Use HTTP 1.1 is selected.

Warning 19: Attempt to Sneak Source IP Data
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "An attempt to sneak source IP was detected".
Cause: The request contains a header or parameter that is identical to the header or parameter that is configured as the Source IP key header or parameter for this application. This could be an attempt to sneak data to the application server using this header or parameter.
Resolution: In order to avoid a situation where the header or parameter is used in legal requests, m
cation Gateway Advanced Configuration guide, to Configuring a Ruleset in the URL Set Tab on page 164.

Warning 46: Mandatory Parameter Missing from URL
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter."
Cause: The requested URL was rejected by a URL Inspection rule, since a mandatory parameter is missing from the URL.
Resolution: Take the following steps in the Configuration program:
1. Open the Advanced Trunk Configuration window and select the URL Set tab.
2. In the URL List, select the rule that caused the failure, according to the details provided in the message.
3. In the Parameter List, select the rule of the parameter that caused the error.
4. In the Existence column, select Optional, so that the missing parameter is optional, not mandatory.
For details about the configuration of rulesets, refer to the Intelligent Application Gateway Advanced Configuration guide, to Configuring a Ruleset in the URL Set Tab on page 164.

Warning 47: POST without Content Type not Allowed
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "The upload is blocked since the request does not contain a Content Type
cation name displays the Application Access Details window, described in Application Access Details on page 283.
Trunk through which the application is enabled.
Minimal and maximal number of concurrent accesses to the application during the query period.

Table 32: Application Monitor Statistics Window, Query Results (Cont'd)

Duration: The average and maximal duration of accesses to the application during the query period. Note: If the number of results exceeds the number of Max Report Results, as defined in the Configuration program in the General tab of the Event Logging dialog box (described in Configuring General Settings on page 240), Duration is not reported.

Total Accesses: Total number of accesses to the application during the query period. Note: If the number of results exceeds the number of Max Report Results, the number of total accesses is not reported.

Application Access Details

The Application Access Details window is displayed when you click an application name in the Application Monitor Statistics window, in the Query Results view. It provides information on the application usage, as listed in Table 33, Application Access Details Parameters, on page 284.

Figure 52: Sample Application Access Details Window (screenshot: Application Access Details for https://www.myweb.com
cation to a trunk, or define a Webmail or Basic trunk, the IAG automatically assigns the applicable default application endpoint policies, as follows:
- When defining Webmail and Basic trunks, and when adding an application from the Built-In Services group to a Portal trunk, the default application policies are selected automatically when you configure the trunk.
- When you add an application to a Portal trunk, the default application policies relevant for that application type are automatically selected in the Application Setup step of the Add Application Wizard. You can also select other application policies in this step, and edit the policies by clicking Edit Policies to access the Policies dialog box.

(Screenshot: Add Application Wizard, Step 2, Application Setup. Application Name: Microsoft CRM 3.0; Application Type; All Users Are Authorized; Access Policy: Default Web Application Access; Download Policy: Default Web Application Download; Upload Policy: Default Web Application Upload; Restricted Zone: Default Web Application Restricted Zone Access; Edit Policies; Back, Cancel.)

The selection and editing of endpoint policies is disabled when the option Disable Component Installation and Activation, in the Session tab of the Advanced Trunk Configuration window, is activated. For all trunk and application types, you can later change and
cations that are enabled through the trunk. Once you add the application and activate the trunk, a "Make this computer certified" link is automatically added to the default portal homepage, enabling users to request a certificate and make their computer a Certified Endpoint.

Note:
- The ability to add a Certified Endpoint is automatically available on the portal homepage only if you use the default portal homepage supplied with the IAG. If you use a custom homepage, you can add this functionality to your page as described in the Intelligent Application Gateway Advanced Configuration guide, in Adding Links to IAG Features on a Custom Homepage on page 66.
- The Certified Endpoint Enrollment application is not supported on Camino browsers on Mac OS X, since the underlying Microsoft application is not supported on those browsers.

To add the Certified Endpoint Enrollment application to the trunk:
1. In the Configuration program, from the List pane, select the trunk for which you enabled the Certified Endpoint feature.
2. In the Applications area, under the Application List, click Add or double-click an empty line. Or: in the List pane, right-click the trunk and select Add Application. The Add Application Wizard is displayed.
3. Select Built-in Services and, from the drop-down list, select Certified Endpoint Enrollment.
4. Click Finish.

Note: For
ccess the portal homepage or site. The request is denied and the following message is displayed in the browser window: "Your computer does not meet the security policy requirements of this site".
Cause: The requesting endpoint does not comply with the requirements of the trunk's Session Access Policy.
Resolution: Instruct the user what steps have to be taken in order for the endpoint to comply with the policy. You can view the definitions of the policy in the Configuration program, in the Policy Editors. To access the Policy Editors, take the following steps in the Configuration program:
1. Open the Application Properties dialog box and select the General tab.
2. In the Endpoint Policies area, click Edit Policies.
3. In the Policies dialog box, select the applicable policy and click Edit.
For more details, refer to Endpoint Policies on page 93.

Warning 66: Attempt to Sneak Authorization Data
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "An attempt to sneak authorization info was detected".
Cause: The request contains a header or parameter that is identical to the header or parameter that is configured as the Authorization key header or parameter for this application. This could be an attempt to sneak data to the application server using this header or parameter.
... 18
Trunks: the IAG Transfer Channels 19
Supported Browsers 19
Security Management Tools 20
Monitoring and Control Tools and Interfaces 21
... 21
Encryption ... 22
High Availability Array 23
About This Guide 23
Conventions Used in This Guide 25
Chapter 2: SSL VPN Portals 27
Creating an SSL VPN Portal 28
Users Setup 32
Defining Authorization Repositories
ce its content type renders it a download, and the application's Download policy forbids downloads to the requesting endpoint.
Resolution: At the IAG, do one of the following:
- If you wish responses with this content type to be considered regular responses and not downloads, take the following steps:
1. Access the file that holds the definitions of file extensions and the associated content types: the content types .ini file under Whale-Com\e-Gap\von\conf.
2. In this file, identify the extension associated with this content type. If the file does not contain this content type, add the appropriate extension/content type pair to the file.
3. In the Configuration program, edit the application's downloads Extension List so that the extension associated with this content type is not considered a download. The list is defined in the Application Properties dialog box, in the Download/Upload tab, in the Downloads area. For details, refer to Download/Upload Tab on page 82.
- If you wish to cancel the identification of downloads by extensions for this application, uncheck the option Identify by Extensions in the Downloads area of the Download/Upload tab.
Note: If none of the options in the Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy.
- If you wish to enable downloads
ch file, enter the full path of the script engine in the Script Engine field.

Note:
- Before you configure the Mapped Drives option, see Limitations of Mapped Drives on page 225 and Deleting User Profiles When Using Mapped Drives on page 226.
- You can only specify one script engine type in the Script Engine field.

By default, users view all the shares that you configure for File Access. If you wish users to view only the configured shares for which they have access permissions, check the option Show only the shares a user is permitted to access.

When you finish configuring users' access to the Home Directory and mapped drives, at the top right of the File Access window, click Apply. In order to configure remote users' access to domains, servers and shares, refer to Configuring Access to Domains, Servers and Shares on page 229. When you finish configuring administration settings, click the button at the bottom of the File Access window. Once you activate the configuration, remote users' ability to access their Home Directory and mapped drives, and the shares configured for File Access, is determined according to the definitions you configured here.

Limitations of Mapped Drives

When defining mapped drives, please note the following:
- File Access supports the mapping of drives G and up.
- Due to a Windows API limitation, not all environment variables are supported by the File Access option. If you use
(Screenshot: Whale Client Components update prompt comparing the installed file version with the actual disk version, 3.1.0503.7: "Would you like to update the files?", with a "Don't show me this message again" checkbox and a No button.)

The browser has to be restarted after the installation of the Socket Forwarding component of the Whale Client Components. (Screenshot: Whale Client Components message: "In order to complete the update of Whale Client Components, your browser must be restarted. This will close all open browser windows.", with a "Don't show me this message again" checkbox.)

Tip: For details on the Socket Forwarding component, which can be used with the SSL Wrapper, refer to Chapter 6, SSL Wrapper.

Uninstalling the Whale Client Components

Note:
- Uninstalling the Client Components restores the Whale Component Manager settings on the endpoint computer to the default values, as described in Restoring the Whale Client Components Defaults on page 165.
- For Windows 2000, Windows XP and Windows 2003 systems, power user access level is required for the current user.

Once the Client Components are installed on the endpoint computer, they can be uninstalled as follows:
1. On the Windows desktop, open Settings > Control Panel > Add/Remove Programs (or Add or Remove Programs).
2. Locate the version of the Whale Client Components you wish to remove, click Change/Remove, and follow the instructions on the screen to remove the components.
(Screenshot: Add or Remove Programs window.)
ck Add, or double-click an empty line. The Add Application Wizard is displayed.
5. Follow the instructions on the screen to complete the wizard; for details, click Help. When you complete the wizard, click Finish. The Add Application Wizard closes and the application you defined appears in the Applications list. Once you activate the configuration, the application will be accessible to remote users.

(Screenshot: Applications area, listing Application Name and Application Type, for example Whale Portal / Whale Portal and File Access / File Access, with Sort alphabetically, Add and Edit controls, and a "Limit the Applications to the Following Subnets" list of Subnet Address / Subnet Mask.)

Note: Some applications require additional setup. For those applications, when you finish adding the application to the trunk, a help screen pops up, informing you of the application-specific requirements and providing step-by-step setup instructions where applicable. The help is also available to you any time thereafter, in the General tab of the Application Properties dialog box, via the Application Aware Settings link. You can find a description of all the IAG application-specific requirements in the Intelligent Application Gateway Application Aware Settings guide.

6. Repeat steps 4-5 to add more applications to the SSL VPN Portal.
You can also quickly add a new application to the trunk based on the definitio
... 136
Backing Up the Certificate Settings (All CAs) 140
End User Interaction (Local CA Only) 140
Requesting Certified Endpoint Status 142
Checking the Certified Endpoint Request Status 144
Installing the Certificate and Logging In as a Certified Endpoint User 144
Viewing and Processing Certificate Requests (Local CA Only) 146
Whale Client Components 147
Installing and Running the Components on Endpoint Computers 150
Prerequisites for Installing the Whale Client Components 151
Online Whale Client Components Installation 152
Whale Client Components Installer 154
Offline Whale Client Components Installation 157
Prerequisites for Running the Whale Client Components 159
IAG Trusted Sites
... 310
TRACE Activation 311
Error Server Trace and Log Files 311
File Location and Naming 311
Size and Quantity of Files 312
Log File Cleanup 313
Log File Cleanup Parameters 314
How the Log File Cleanup Process Works 314
Configuring Log File Cleanup Parameters 317
Excluding IIS Log Files from the Log File Cleanup Process 318
Support Utilities 319
Running Support Utilities Tests 320
Running the Data Collection Utility
ct Users or Groups Dialog Box

(Screenshot: Select Users or Groups dialog box, with a "Look in" drop-down list (<Select repository>), a Repository Users and Groups list with Users, Groups and In Folder columns, a Selected Users and Groups list with Users and Groups columns, and Help, OK and Cancel buttons.)

To use the Select Users or Groups dialog box:
1. In the Look in drop-down list, select the repository you wish to use. You can select from two types of user/group repositories:
- Repositories of users and user groups, based on the definition of a third-party user/group server, described in User/Group Servers on page 33. All the users and user groups in the selected repository are listed in the Repository Users and Groups list.
- Local groups, described in Local Groups on page 35. All the defined local groups are listed in the Local Groups list.
2. To add users and groups to the Selected Users and Groups list, double-click a user or a group in the Repository Users and Groups list or the Local Groups list, respectively, or select one or more users and groups and click Add.
For Active Directory and LDAP servers, the Repository Users and Groups list contains groups and individual users; groups are listed first, then users. If the option Include Subfolders is activated for this user/group server when you configure the server in the Add Server dialog box, subfolders are listed as well; the path of the selec
ct the expression you wish to edit, then click Edit. To create a new policy or expression, click Add.
4. The basic Policy Editor is displayed.

(Screenshot: Policy Editor, with a tree of variable groups on the left: General Policy Settings, Anti-virus, Browser, Desktop Search, IAG Components, Operating System, Personal Firewall, Software Components, User, VPN Client; and the General Policy Settings screen with Policy Name, Category, "Enforce Policy Only when Endpoint Detection is Enabled", "Explanatory Text Added to Access Denied Message", Create As Script, OK and Cancel.)

Enter general information about the policy or expression in the General Policy Settings screen. Once general information is defined, use the tree on the left to select and configure groups of pre-defined variables which will compose the policy or expression. You can select as many groups and group items as required in order to define the policy or expression.
Tip: Click Help for detailed information on the parameters of each screen.
5. When you finish editing the policy, click OK to close the Policy Editor, then close the Policies dialog box.

Advanced Policy Configuration

This section describes:
- The components of which policies are created, in Advanced Configuration Overview on page 105.
- Policy configuration in the Advanced Policy Ed
cted Zone: If you wish to enable access to the restricted zone from the submitting endpoint, edit the application's Restricted Zone policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99.

Warning 107: Restricted Zone Policy Upload File Violation
Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "According to your organization's Restricted Zone policy, the requested URL is not allowed".
Cause: The request failed since this URL is defined as a restricted zone URL for this application type, and the application's Restricted Zone policy forbids access to the zone from this endpoint.
Resolution: In the Configuration program, do one of the following:
- In order for this URL not to be part of the restricted zone for this application type, take the following steps:
1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.
2. In the Restricted Zone URLs list, select the corresponding rule and do one of the following:
- If you wish this URL
ctor. Double-clicking the icon opens the Portal Activity window. When an application is tunneled via the Network Connector, it is not listed in the Active Connections area. The connection of an SSL Wrapper application via the Network Connector is reported next to the application name in the Launched Applications area.

(Screenshot: Portal Activity window. Active Connections: https://www.portal.com:443, Disconnect, "Network Connector started 11:03:08", Homepage. Launched Applications: Network Connector; telnet to MyServer via Network Connector; Drive Mapping; music via Network Connector (applications tunneled via the Network Connector). Exit.)

Tip: For a detailed description of the Portal Activity window, refer to Portal Activity Window on page 184.

Interaction on Computers Running the SSL Wrapper Java Applet

On computers that run the SSL Wrapper Java applet, the Network Connector application behaves like any other SSL Wrapper application.

Remote User Interaction with the Network Connector

Once the Network Connector client is running, some of the non-web application traffic is tunneled through the Network Connector, as follows:
- Internal applications, that is, applications that are part of the corporate network, which are launched directly and not via the portal homepage, are tunneled through the Network Connector.
- SSL Wrapper applications that are la
d accordingly.
Event Report window: if the number of query results exceeds the number defined here, the number of results defined here is displayed. For details, refer to Web Monitor on page 258.
Configure Monitor: Opens the computer's Windows Local Users and Groups (Users) Manager and enables you to configure additional Web Monitor users. For details, refer to Enabling Web Monitor Access from Computers Other Than the IAG on page 261.

Configuring the Built-In Reporter

The built-in reporter enables you to save events into a log file. You can then use the Web Monitor to query the event log and to filter events according to type, time and other parameters. For more information, see Event Query on page 295. A new event log file is saved every day. Event log files are periodically deleted from the IAG as part of the log file cleanup, described in Log File Cleanup on page 313.

By default, the built-in reporter is activated and log files are saved to the Logs\Events folder under the IAG installation path. You can use the Built-In tab of the Event Logging dialog box to change the default settings.

To configure the built-in reporter:
1. In the Configuration program, on the Admin menu, click Event Logging. The Event Logging dialog box is displayed.
(Screenshot: Event Logging dialog box, with tabs General, Built-in, RADIUS, Syslog and Mail; an Enable checkbox; Location: C:\Whale-Com\e-Gap\Logs\Even
d Server.
3. Use the Add Server dialog box to define the server. For details regarding each server type, click Help.
4. Repeat steps 2-3 to define all the required servers.
You can now use the servers you defined in order to:
- Define local groups, as described in Local Groups on page 35.
- Define application authorization, as described in Defining Authorization for Portal Applications on page 38.

Local Groups

A local group is a repository of users that you define once and can then reuse as many times as required when defining authorization for portal applications. A local group can contain users and groups from various user/group servers; it can also contain other local groups. An include/exclude mechanism enables you to select individual users and groups that will be included in or excluded from the local group. For example, you can create a local group that includes selected users from three different user/group servers, then use this group repeatedly to define authorization for all the portal's non-web applications.

You can use the Configuration program to define local groups in one of two ways:
- Via the Local Groups menu item, as described in this section.
- Via the Authorization tab of the Application Properties dialog box, as described in Defining Authorization for Portal Applications on page 38.

To define a local group via the
d access to enterprise applications to unmanaged endpoints without creating risks to network integrity; it avoids having to resort to tunneling at the network layer and jeopardizing back-end resources. In addition, the gateway's underlying application intelligence provides the ability for administrators to create granular access control policies, to cordon off even parts of an application or network files, based on user profile. The gateway incorporates a native host checker engine that can be customized to detect third-party anti-virus software or personal firewalls, and supports integration with third-party inspection tools. This engine can also extend far further into the client side and detect virtually any metric or watermark used by an organization to tag an asset.

Broad Set of Connectivity Options

In order to support a wide variety of applications, the gateway supports the following connectivity options:
- Web proxy, for the support of web applications. The gateway's content translation engine removes the need for a client component, enabling pure browser access.
- The SSL Wrapper and the inherent Socket Forwarding component enable access to non-web applications such as Native Outlook, Citrix and Telnet, based on specific application knowledge. It utilizes ActiveX and Java applet controls for SSL tunneling.
- The Network Connector turns remote clients into part of the corporate network, supporting full connectivity over a v
d by the server itself. You can use the Additional Networks option to define additional network destinations, which will be available to clients when connecting via the Network Connector, as described in Additional Networks Tab on page 197.

The Network Connector server supports static IP provisioning using either of the following types of IP pools:
- Corporate IP pool, consisting of corporate IP addresses, that is, IP addresses that belong to the corporate network as defined in the Network Segment tab.
- Private IP pool, consisting of private IP addresses, that is, IP addresses that belong to a network segment that doesn't overlap with the network segment which is defined in the Network Segment tab.
For example, if the corporate segment is configured to 192.168.0.0 / 255.255.248.0, an example of a corporate pool would be 192.168.6.2 to 192.168.6.200, and an example of a private pool would be 10.16.16.2 to 10.16.16.200.

Caution: If the IP pool is a corporate pool, make sure to exclude the IP range you define here from your organization's DHCP server, to avoid IP conflict with Network Connector clients. IP conflicts between corporate computers and endpoint computers will result in idle sessions, in which remote clients launch the Network Connector application with no errors but have no access to the Network Connector server or to the resources that shou
d only one <Name> element must be nested under <Message>.
Child Elements: None.

<Message> > <Desc>
<Desc>
Description: Short description of the message. Must contain only alphanumeric characters and spaces.
Tip: In the IAG Event Manager, in the Event Viewer and the Event Report, the short description is displayed in the Type column.
Usage: One and only one <Desc> element must be nested under <Message>.
Child Elements: None.

<Message> > <DynamicDesc>
<DynamicDesc>
Description: Long description of the message. This description must be encoded using Base64 encoding, and must not contain the CR/LF (carriage return/line feed) character.
Tip: To view encoded text, or to encode text that you enter in this element, open the file in the Editor program. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, to Editor on page 40.
You can include one or more parameters in the long description, as follows:
- Define a parameter using a <Param> element. For details, refer to <Params> on page 254.
- Include a parameter in the message using the following format: <parameter_name>, where <parameter_name> is the name assigned to the parameter in the <Name> sub-element of <Param>. For example, to add a User Name para
170. d other countries, or both. Novell, Novell Directory Services, Novell NetWare, and SUSE are service marks, trademarks, or registered trademarks of Novell, Inc. or its subsidiaries in the United States and other countries, or both. PGP is a service mark, trademark, or registered trademark of PGP Corporation or its subsidiaries in the United States and other countries, or both. Red Hat is a service mark, trademark, or registered trademark of Red Hat, Inc. or its subsidiaries in the United States and other countries, or both. Resonate is a registered trademark of Resonate Inc. The Resonate logo and Resonate Central Dispatch are trademarks of Resonate Inc. Resonate Central Dispatch contains technology protected under U.S. Patent 5,774,660. ACE, SecurID, RC4, and RSA SecurID are service marks, trademarks, or registered trademarks of RSA Security Inc. or its subsidiaries in the United States and other countries, or both. SAP is a service mark, trademark, or registered trademark of SAP AG or its subsidiaries in the United States and other countries, or both. Java, JavaScript, JRE, and Sun are service marks, trademarks, or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other countries, or both. Enhanced HAT is owned by Sun Microsystems, Inc. Norton and Symantec are service marks, trademarks, or registered trademarks of Symantec Corporation or its subsidiaries in the United States and other countries, or both.
171. defined in the URL Inspection tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Configuration in the URL Inspection Tab, on page 143. Table 10: Web Settings Tab, General Web Settings (cont'd). Parameter / Description: Use Variables in URLs: Activate this option if any of the application's URLs use variables. For a description of how you use variables in URLs, refer to the Intelligent Application Gateway Advanced Configuration guide, Using Variables in URLs, on page 173. Allow POST without Content-Type: Indicates whether POST requests without a Content-Type header are handled or rejected. Ignore Requests in Timeout Calculations: For each out-of-the-box application type, the IAG automatically configures a list of Application-Aware URLs that are ignored in the calculation of the Inactive Session Timeout when this option is activated. You can access and edit the list via the Global URL Settings tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Ignoring URL Requests in Inactive Session Timeout Calculations, on page 162. Activate Restricted Zone: Activate this option if you wish to restrict users' access to sensitive areas of the application, such as administrative are
172. der as an HTTP header; Parameter: as part of the URL query string. Name of the header or parameter that the IAG uses to send the IP address of the originator of the connection request to the application server. Select the format in which the IAG will send the Source IP Key to the application server: Header: as an HTTP header; Parameter: as part of the URL query string. Tip: If a request contains a header or parameter with an identical name to a header or parameter you define here, it is blocked, since it is identified as a suspected attempt to sneak data to the application server. Therefore, make sure you assign the headers or parameters you define here unique names that will not be used for any other purpose. Configuring Authorization Key Value. This section describes how you configure the value of the Authorization Key header or parameter, which will be sent to the application server when you activate the option Authorization Key in the Web Settings tab. To configure the value of Authorization Key: 1. Access the following custom folder; if it does not exist, create it: \Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate. 2. Under the CustomUpdate folder, create an .inc hook as follows: <Trunk_Name><Secure (0=no, 1=yes)>PostPostValidate.inc. For example, for an HTTPS trunk named WhalePortal, create the file WhalePortal1PostPostValidate.inc.
173. displayed when the event occurs. Troubleshooting instructions are provided in Appendix A, Troubleshooting Event Logging Messages. Overview: The IAG Event Logging mechanism logs and records IAG-related events to a variety of tools and output formats. Using the event logs, you can gather information about system usage, monitor user activities, be alerted about security risks, troubleshoot the IAG, and assist remote users if they encounter problems while accessing the internal resources protected by the IAG. Event Categories: IAG-related events recorded by the Event Logging mechanism are categorized as follows: System events, including service startup and shutdown and changes to the configuration. Security events, including login success or failure, security policy violation or change, and password change. Session events, including the number of sessions that are open through a trunk, session start or stop, and other session-related items. Event Logging Reporters: The events logged by the Event Logging mechanism can be used by various reporters. The built-in reporter enables you to log the events in a format that can be used by the Web Monitor. In the Web Monitor, you can use the Event Query window to query the events logged by the reporter and to filter events according to type, time, and more. Tip: For a description of the Event Query window of the Web Monitor
174. (Figure: IP Address Pool area, with From/To, Add, Edit, Remove, Pool Subnet, and Activate Network Connector controls.) Using a Private Pool: Additional Configuration. This section describes additional steps you should take if you select to use a private IP pool, that is, an IP provisioning pool that consists of private IP addresses. In this setup, do the following: Configure your corporate gateway to route the private pool's subnet from the gateway's internal network card to the IP address of the Network Connector server. If your corporate firewall filters traffic on its internal interface, configure the firewall to allow bi-directional traffic between the private pool subnet and the corporate subnet, as defined in the Network Segment tab. In order to enable access to the WAN (Internet), configure the firewall to allow bi-directional traffic between the private pool subnet and the WAN, and define the private pool permissions. If you are using Network Address Translation (NAT), in order to enable access to the WAN (Internet), define the subnet of the private pool as an additional internal interface. Access Control Tab: Use this tab to define the Internet access level for endpoint computers connecting via the Network Connector: Split Tunneling: Internet traffic on the endpoint computer is routed through the computer's original Internet connection. Non-Split Tunnel
175. e 22: Local Security Policy Settings. Parameter / Description: Domain member: Digitally encrypt or sign secure channel data (always): Disabled. Domain member: Require strong (Windows 2000 or later) session key: Disabled. Microsoft network client: Digitally sign communications (always): Disabled. Microsoft network server: Digitally sign communications (always): Disabled. Microsoft network server: Digitally sign communications (if client agrees): Disabled. Network Security: LAN Manager Authentication Level: Send LM & NTLM responses. Note: If you change any of the Local Security Policy settings, you need to restart the IAG in order for the change to go into effect. Steps you need to take for all File Access installations when joining a domain: 1. At the IAG, verify that for the following Windows services, Startup Type is set to Automatic: Computer Browser (optional, for performance enhancement); Distributed Transaction Coordinator; Workstation. 2. Still at the IAG, on the Local Area Connection that is used to access File Access resources, install a Client for Microsoft Networks. For detailed instructions, refer to Installing a Client for Microsoft Networks on page 217. 3. Join the IAG to the domain that holds the File Access users and shared resources. 4. Grant local logon permissions on the IAG to all File Access users, regardless of their privileges. Best Practice
176. e 57. Note: When using the Whale toolbar, the button is only visible on endpoint computers running a Windows operating system. If you use a custom homepage that does not include the Whale toolbar, add a link to the file on the custom page. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Adding Links to IAG Features on a Custom Homepage, on page 66. Tip: For detailed information on the customization of the portal homepage and the Whale toolbar, refer to the Intelligent Application Gateway Advanced Configuration guide, Portal Homepage Configuration, on page 54. The following table lists the files that can be used for the installation of the Client Components, including which components are installed on the endpoint computer by each file. Table 19: Whale Client Components Installer, Installation Options. File / Installs the following components: WhlClientSetup-Basic.exe: Basic components (Attachment Wiper, Client Trace Utility, Endpoint Detection, SSL Wrapper ActiveX component). WhlClientSetup-NetworkConnector.exe: Basic components, Network Connector component. WhlClientSetup-SocketForwarder.exe: Basic components, Socket Forwarding component. WhlClientSetup-All.exe: Basic components, Network Connector component, Socket Forwarding component. WhlClientSetup-NetworkConnectorOnly.exe: Network Connector component only, without the basic components.
177. e IAG HTTP Connections and HTTPS Connections services, as described in Optional Pre-configuration of the Services on page 52. In the Configuration program, set up the portal session using the Create New Trunk Wizard. The wizard facilitates a quick auto-completion of the initial portal session setup, including basic portal settings, session authentication, setup of the website that is created on the IAG, and session endpoint policies that control access to the site. In the trunk you defined, use the Add Application Wizard to set up the applications that will be enabled to remote users through the portal, including basic application attributes such as application servers, application authentication, endpoint policies, portal page links, and more. The IAG Application-Aware approach ensures that, for the supported applications, out-of-the-box settings such as replying to application authentication requests, URL inspection rulesets, and more are automatically applied. To create an SSL VPN Portal: 1. In the Windows desktop of the IAG, click Start, then point to Programs > Whale Communications IAG and click Configuration. Enter your password as required. 2. In the Configuration program, in the List pane, select and right-click HTTP Connections or HTTPS Connections, then select New Trunk. The Create New Trunk Wizard is displayed. 3. Follow the instructions on the screen to compl
178. e Select Users or Groups dialog box is displayed. Note: If the option All Users Are Authorized is unchecked and you do not define the users and groups that are authorized to access and view the application, as described in the steps that follow, all users are blocked from using the application. (Figure: Select Users or Groups dialog box, with Look in, Repository, Users, Groups, Search, and Selected Users and Groups areas.) Use the Select Users or Groups dialog box to select the users and groups to which you wish to define authorization permissions for the application. For a description of how you use the Select Users or Groups dialog box, refer to Selecting Users and Groups on page 43. Once you select the users and groups you wish to assign to the application, close the Select Users or Groups dialog box. The users and groups you selected are added to the Users/Groups list in the Authorization tab of the Application Properties dialog box. (Figure: Application Properties dialog box for File Access, Authorization tab, showing the All Users Are Authorized option, Save As Local Group, and the Users/Groups list.)
179. e Settings guide. Cleanup of Items That Are Saved Outside the Cache: This section describes how you configure the Attachment Wiper to: Clear the browser's History pane and empty the History folder. History is cleared browser-wide. Clear the Web Address AutoComplete list, so that no addresses are displayed in the browser's Address drop-down list, and clear the IntelliForms entries. These items are cleared browser-wide. Clear Cached Passwords in Forms AutoComplete and Wininet's cached passwords (replies to application-specific authentication requests). These items are only cleared for the specific domains that were accessed via the IAG. Clear all additional fields that are saved by Forms AutoComplete. These items are cleared browser-wide. To configure cleanup of items that are saved outside the cache: Tip: This procedure involves the customization of authentication pages. For a full description of the pages and the customization options available to you, refer to the Intelligent Application Gateway Advanced Configuration guide, Authentication Pages, on page 96. Access the following custom folder; if it does not exist, create it: \Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate. Under the CustomUpdate folder, create an .inc hook, which will be activated before PostValidate.asp reaches the client side: PrePostValidate.inc or PostPostV
180. e defined interval limit. When you zoom in to the largest view, the window displays 10 intervals; to view additional intervals, use the paging controls. To return to the query form, click Show query form. Figure 51: Application Monitor Statistics Window, Query Results View. (Figure residue: Application Monitor Statistics, server time 03/21/2006 16:14; Query Details: Period 03/21/2006 00:00:00 to 03/21/2006 17:00:00, Interval: Hour, Query type: Sample Chart; statistics available up to 03/21/2006 16:11:23; chart of accesses per application and trunk over time, followed by a table of Application, Trunk, Concurrent Accesses, Duration, and Total Accesses.) Table 32: Application Monitor Statistics Window, Query Results. Parameter / Description: Application: Application name. Clicking the appli
181. e><Name>AuthenticatedMaxExceeded</Name>
<Desc>Number of Max Concurrent Sessions Exceeded</Desc>
<DynamicDesc>VGh1IG1lheG1tYWwgbnVtYmVy1IG9</DynamicDesc>
<Params>
<Param>
<Name>MaxValue</Name>
</Param>
</Params>
<Reporters>
<Reporter>mail</Reporter>
<Reporter>syslog</Reporter>
<Reporter>builtin-log</Reporter>
</Reporters>
</Message>
3. When you finish editing the file, still at the IAG, access the Configuration program. Click the activate icon to activate the configuration, select the option Apply changes made to external configuration settings, and click Activate. Once the configuration is activated, the messages you configured here are reported to the SMTP server and sent to the recipients you configured in Enabling the Mail Reporter to Send Messages on page 246. Event Logging Message Configuration. Note: Message configuration is implemented in an XML file. In order to edit it, you need to have a working knowledge of XML technology. This section describes the following: How you edit the default message definitions file in order to change the default event messages or to create additional custom messages, in Configuring Event Messages in the Message Definitions File on page 249. The syntax of the definitions file, in Event Logging Message Definiti
182. e of the following: Update the IP address/port number manually in the relevant Redirect trunk. Delete the existing Redirect trunk and create a new one. Redirect trunks are not monitored by the Web Monitor. Sessions in Redirect trunks are not calculated in the session count of the IAG. When an HTTP session is redirected to HTTPS via a Redirect trunk, it is only counted as one HTTPS session. To create a Redirect trunk: 1. In the List pane of the Configuration program, select and right-click HTTP Connections, and then select New Trunk. The Create New Trunk Wizard is displayed. 2. Select Redirect HTTP to HTTPS Trunk and click Next. All HTTPS trunks for which no Redirect trunk exists are listed. 3. Select the HTTPS trunk to which you wish to redirect HTTP requests, and then click Finish. Tip: For additional details, click Help in any of the wizard screens. A new trunk with the same name as the HTTPS trunk you selected is created in the List pane. (Figure: List pane showing Services, HTTP Connections, and HTTPS Connections with the trunks MyPortal and owa2007.) HTTP requests that arrive at the external website that is defined for this trunk are redirected to the HTTPS trunk you selected in the wizard. Editing Trunks: Once you create a trunk with the Create New Trunk Wizard, the trunk values you defined in the wizard and other IAG default values
183. 209
Mapping Shares 210
Windows 2003/XP Support 210
File Access 211
How File Access Works 212
Enabling Remote Access to the File Access Application 212
Windows Domain Settings 212
Novell NetWare Settings 220
Configuring File Access in the Configuration Program: Overview 220
File Access Administration Settings 221
Accessing the File Access Window 222
Configuring Home Directory, Mapped Drives, and Share Permissions 223
Novell Logon Settings 227
Configuring Access to Domains, Servers, and Shares
184. ecurity Configuration on page 147. 7. When you are finished with the tracing, de-activate the trace you activated in step 1 by deleting or commenting out the trace definition. If the failure was caused by an illegal parameter list, take the following steps: 1. At the Web Monitor, look at the description of the Warning message. In the Parameter List field, check whether all parameters are legal, that is, each parameter consists of a parameter name/parameter value pair. 2. If one or more of the parameters are illegal, check the requesting browser. Warning 45: Bad Parameter in URL. Symptoms: A remote user requests a page. The request is denied, and the following message is displayed in the browser window: You have attempted to access a restricted URL. The URL you are trying to access contains an illegal parameter. Cause: The requested URL was rejected by a URL Inspection rule, since one of its parameters renders the request invalid. Resolution: Take the following steps in the Configuration program: 1. Open the Advanced Trunk Configuration window and select the URL Set tab. 2. In the URL List, select the rule that caused the failure, according to the details provided in the message. 3. In the Parameter List, edit the rule of the parameter that caused the error. For details about the configuration of rulesets, refer to the Intelligent Appli
185. ed by one of the following: When you generate a report in the Event Query window, as described in Event Query on page 295. When you click in one of the Active Sessions windows. The Event Report window is divided into two main areas. The top part of the window displays the following: Period for which the query was generated. Where applicable, filtering criteria such as Categories. Trunk or trunks for which the query was generated. Number of events that were found for the selected criteria. When the report is generated from within one of the Active Sessions windows, it is filtered by session ID. Advanced options, when used. The main part of the window displays a list of reported events. The parameters that are reported for each event are identical to the parameters of the Event Viewer and are described in Table 37, Event Parameters, on page 294. The maximal number of results that are displayed in the window is determined in the Configuration program, in the General tab of the Event Logging dialog box, in Max Report Results. For details, refer to Configuring General Settings on page 240. Figure 62: Sample Event Report. (Figure residue: Event Report window in Microsoft Internet Explorer; Query Details: Period 03/21/2006 00:00:00 to 03/21/2006 16:59:00; Click the ID number; Trunk: portal.)
186. edit the policies as described in Editing Application Policies on page 100. Editing Application Policies: You edit Application Policies in the General tab of the Application Properties dialog box. For Portal trunks in sites that use the default portal homepage supplied with the IAG, you can also use the General tab to determine the display of the application's link on the portal homepage when the endpoint does not comply with the application's Access policy. Tip: For sites that use the default portal homepage supplied with the IAG, this option determines the display of the application's link on the portal page when an endpoint does not comply with the application's Access policy. (Figure: Application Properties dialog box for the Webtop (Documentum) application, General tab, showing Application Name, Application ID, Prerequisite Applications, Inactivity Period (30 minutes), Endpoint Policies (Access, Portal Link on Non-Complying Clients: Grayed/Invisible, Download, Upload, Restricted Zone), Edit Policies, and Application-Aware Settings.) The selection and editing of endpoint
187. 321
Restarting the Web Service in the IIS 321
Appendix A: Troubleshooting Event Logging Messages 325
Chapter 1: Introduction. Overview: The Whale Communications Intelligent Application Gateway (IAG) is a Secure Socket Layer Virtual Private Network (SSL VPN) that provides employees and partners with policy-based secure access to applications and data from any PC or device and any location. The IAG secure access solution enables remote access from diverse endpoints through a single point of entry to almost any business application and file share, while enforcing user authentication and authorization over a policy-defined, application-layer connection. Endpoint security management enables granular access control, deep content inspection, and application protection. Running over Microsoft Internet Security and Acceleration (ISA) Server 2006, the IAG enables users to access line-of-business intranet and client/server resources from a broad range of devices and locations, while providing infrastructure protection and information safeguards for corporate applications and data. Control Access: Secure web-based access to business-critical applications and data. Differentiated and policy-driven access to network, server, and data resources. Flexible, application-intelligent SSL VPN
188. egal and business guidelines that require information usage criteria to limit exposure and liability when accessing sensitive corporate data. Ensures network integrity by restricting client access based on endpoint security profile. Strong endpoint security management and verification helps ensure endpoint health, compliance, and session control. Enforces policy controls over actions within an application. Cache cleanup tailored to specific applications removes downloaded files and pages, URLs, custom caches, cookies, history, and user credentials. Detects endpoint security state. Intelligent Application Gateway Architecture: The IAG consists of four elements: SSL VPN platform; Endpoint security; Application security; Unified policy management framework. The IAG integrated approach rests on an architecture that functions across the client, proxy, and appliance tiers and is managed through a single policy engine. The gateway functions at the application layer, terminating both inbound and outbound communications and parsing traffic through full inspection at the application layer. The ability to understand traffic flows within the context of specific applications is the foundation for the IAG application-specific optimizers, and underpins the gateway's ability to enforce endpoint policy at the browser. This application intelligence allows the gateway to exten
189. elected during trunk configuration (HTTPS trunks only); you can use the drop-down list to select any of the certificates listed in the Certificate store installed on the IIS on the default website. Certificate Hash (HTTPS trunks only): Unique ID of the selected Server Certificate, displayed automatically. This parameter is defined during the creation of the trunk with the Create New Trunk Wizard. Editing Webmail Trunk Server Settings. Note: This section is only applicable for Webmail trunks that enable access to Domino iNotes Single Server and Domino iNotes Multiple Servers applications. You initially configure the server settings for Domino iNotes applications when you create the trunk in the Create New Trunk Wizard. In Webmail trunks, any time after the initial configuration, you can edit these settings in the Advanced Trunk Configuration window, in the Server Settings tab. The Server Settings tab of the Domino iNotes Single Server application is described on page 65. The Server Settings tab of the Domino iNotes Multiple Servers application is described on page 66. Domino iNotes Single Server. Figure 6: Server Settings Tab, Domino iNotes Single Server. (Figure residue: Advanced Trunk Configuration window for the WebmailDominoiNotesSingle trunk, with General, Authentication, Session, Application Customization, Health Monitor, and Serv
190. ent. When working via the SSL Wrapper ActiveX component, one Portal Activity window is used to monitor all the IAG sites that are accessed from the computer. When working via the SSL Wrapper Java applet, a separate Portal Activity window opens for each IAG site that is accessed from the computer. Figure 24: Portal Activity Window, SSL Wrapper ActiveX Component. (Figure residue: Portal Activity window with an Active Connections area, listing connections such as 192.168.1.186:1494 via SOCKS and 192.168.1.189:23 via relay, and a Launched Applications area listing Citrix, MS Excel, and PowerPoint entries, with Hide and Disconnect controls.) Tip: For a description of the Portal Activity window when the Network Connector is running on the computer, refer to Interaction on Computers Running the SSL Wrapper ActiveX Component on page 201. Figure 25: Portal Activity Window, SSL Wrapper Java Applet. (Figure residue: Whale SSL Wrapper Java Client window with an Applications area and a Connections area; the message "Closing this window will close all listed applications" is displayed.) Launched A
191. ent to client. The Network Connector server provides the following features: Auto-detection and manual tuning of corporate networking parameters (DNS, WINS, gateway, and domain name), including support for multi-connection machines. Two IP provisioning methods. Internet access configuration, including split tunneling, non-split tunneling, and none. Protocol filters for IP-based protocols. Enabling access to additional networks. Configuring the Network Connector: In order to enable users to connect to the corporate network via the Network Connector, take the following steps: Configure the Network Connector server, as described in Configuring the Network Connector Server on page 190. Note: The Windows DHCP Client service must be running on the IAG server. In the Configuration program, use the Add Application Wizard to add the Network Connector application to the portal homepage. The application is an SSL Wrapper application and is part of the Client/Server and Legacy Applications group in the Wizard. Once you complete these steps, end users can install the Network Connector client on their computer. The client is part of the Whale Client Components, described in Whale Client Components on page 147. Note: You cannot install the Network Connector client on the same computer where the Network Connector server is installed. Configuring the Netwo
192. er to Application Endpoint Policies on page 99. Warning 37: Download Policy, Content Type and Extension Violation. Symptoms: A remote user requests a page. The request is denied, and the following message is displayed in the browser window: According to your organization's Download policy, the requested download is not allowed. Cause: The response failed since its content type and extension render it a download, and the application's Download policy forbids downloads to the requesting endpoint. Resolution: At the IAG, do one of the following: If you wish responses with this content type to be considered regular responses and not downloads, take the following steps: 1. Access the file that holds the definitions of file extensions and the associated content types: \Whale-Com\e-Gap\von\conf\content_types.ini. In this file, identify the extension associated with this content type. If the file does not contain this content type, add the appropriate extension/content type pair to the file. 2. In the Configuration program, edit the application's downloads Extension List so that the extension associated with this content type is not considered a download. The list is defined in the Application Properties dialog box, in the Download/Upload tab, in the Downloads area. For details, refer to Download/Upload Tab on page 82. If you wish responses with
193. erName Translation, URL Inspection, Global URL Settings, URL Set, and Server Settings tabs; Server Settings shows Enable Domino iNotes Single Server, iNotes DOLS Server 192.168.1.62, Port 1352, and Launch Automatically on Start.) Table 6: Server Settings Parameters, Domino iNotes Single Server. Parameter / Description: Enable Domino iNotes Single Server: Enables offline access to Domino iNotes. iNotes DOLS Server: Hostname or IP address of the DOLS server. We recommend that you use a hostname. Note: If you use a hostname to define the application, use the effective hostname as defined in the Domain Name System (DNS). Port: Port number of the DOLS server. Launch Automatically on Start: Automatically launches the SSL Wrapper to enable the operation of the Lotus iNotes Sync Manager on the computer. For details, refer to Chapter 6, SSL Wrapper. Domino iNotes Multiple Servers. Figure 7: Server Settings Tab, Domino iNotes Multiple Servers. (Figure residue: Advanced Trunk Configuration window with General, Authentication, Session, Application Customization, Server Name Translation, URL Inspection, Global URL Settings, URL Set, and Server Settings tabs; Server Settings shows Enable Domino iNotes Multi Servers, iNotes DOLS Servers 192.168.1.73, 192.168.1.63, and 192.168.1.53, Port 1352, and Launch Automatically on Start.) Table 7: Server Settings Parameters, Domino iNotes Multiple Servers. Parameter / Descripti
194. …ereafter is tunneled through the Network Connector. This includes:
- SSL Wrapper applications that are launched via the portal homepage.
- Internal applications, that is, applications that are part of the corporate network, which are launched directly and not via the portal homepage. For example, users can launch Microsoft Outlook on their computer directly, without a link on the portal homepage, and connect to the corporate Exchange server.

In addition, while end users are connected via the Network Connector, they can launch any web application directly (not via the portal), including applications that are not defined as portal applications and applications that are not supported by the IAG. Portal web applications can still be launched from the portal as usual.

Note: Disconnecting the Network Connector client disconnects all the applications that are tunneled through it. It does not, however, disconnect applications that are not tunneled through the Network Connector.

When the Network Connector client is running in this setup, a Network Connector icon replaces the SSL Wrapper icon in the Windows System tray, to the right of the Windows taskbar. [Icons: SSL Wrapper Icon, Network Connector Icon] Hovering over the Network Connector icon displays the statistics of the traffic that is tunneled through the Network Connector. Right-clicking the icon enables you to disconnect the Network Conne…
195. …erties dialog box and access the Web Settings tab.
2. Under the option Automatically Reply to Application-Specific Authentication Requests, verify that the selected authentication server is valid for this application. For details refer to Web Settings Tab on page 73.

Warning 25: Failed to Send Message

Symptoms: The IAG's Event Logging mechanism failed to send a message to a reporter, even though in the Message Definitions file the message is configured to be sent to this reporter, and the reporter is activated in the Configuration program. Tip: For a description of the Message Definitions file, refer to Event Logging Message Definitions File on page 250.

Cause:
- Reporter is not configured correctly in the Configuration program.
- Reporter's server is not running.
- Reporter's server is not reachable from the IAG.

Resolution:
- Verify the configuration of the reporter in the Configuration program: on the Admin menu click Event Logging and, in the relevant tab, check the values of the reporter's parameters, such as the server's address or user credentials. For details refer to Optional Event Logging Configuration Steps on page 239.
- Verify that the reporter's server is running.
- Verify that the reporter's server is reachable from the IAG. If not, check the following: Network connections. Verify the configuration of the I…
196. …ertification requests. Requests that were entered prior to the change will be treated according to the policy that prevails when the request was entered.

Selecting Between Manual and Automatic Certification Policies

This procedure describes how you select between the Manual and Automatic certification policies.

To select a certification policy:
1. In the Windows desktop, click Start and select Programs > Administrative Tools > Certification Authority. The Certification Authority window is displayed.

Chapter 5 Endpoint Security: Certified Endpoints

[Screenshot: Certification Authority window showing the CA's home folder with the Revoked Certificates, Issued Certificates, Pending Requests and Failed Requests folders]

2. Right-click the home folder of the CA and select Properties. The CA's Properties dialog box is displayed.
3. Select the Policy Module tab.
[Screenshot: Whale Certificate Server Properties dialog box, Policy Module tab (other tabs: General, Exit Module, Extensions, Storage, Auditing, Security). Description of active policy module: Name: Windows default; Description: Specifies how to handle certificate requests for Enterprise and Stand-alone CAs; Version: 5.2.3790.1830; Copyright Microsoft Corporation, All rights reserved]
4. Click Properties. The Properties dialog box is displayed.
5. In the Request H…
197. …es ... 113
Configuring a Scheduled Cleanup ... 115
Enabling the Attachment Wiper on a Custom Logoff Message Page ... 116
When Encrypted Pages Are Saved to a Location Other Than Temp Files ... 117
Certified Endpoints ... 118
Certified Endpoint Configuration Overview ... 118
Enabling Certified Endpoint Using Microsoft CA Locally ... 119
Enabling Certified Endpoints Using a Remote CA ... 122
Certified Endpoint Configuration Steps ... 123
Installing a Microsoft Certificate Authority (Local CA Only) ... 124
Defining a Certification Authority Policy (Local CA Only) ... 128
Editing the Default Configuration (Local CA Only) ... 131
Preparing Endpoint Computers that Use Internet Explorer (Local CA Only) ... 134
Adding Certified Endpoint Enrollment to the Trunk (Local CA Only) ... 135
Adding the CA to the Certificate Trust List (All CAs) ...
198. …es are written into the error log file until the file reaches the maximum file size allowed. The error server then creates a new log file and logs errors in the new file. The maximum file size is defined in the general Trace section of the trace configuration file, as described in General Trace Configuration Section on page 310. In order to preserve disk space, the error log files are periodically cleaned up, as described in Log File Cleanup on page 313.

Log File Cleanup

The cleanup of log files prevents a buildup of old log files that can, in time, fill up the available disk space on the IAG. During cleanup, old log files of the following types are deleted:
- IAG log files, including Event logs, Error logs and Trace logs.
- IIS log files. Note: IIS log files can be excluded from the log file cleanup process, as described on page 318.

This section provides the following:
- A list of the configurable log file cleanup parameters, which control when a cleanup starts and stops (page 314).
- A description of how the log file cleanup process works and of how the cleanup parameters are implemented (page 314).
- Instructions for configuring the cleanup parameters (page 317).
- Instructions for excluding IIS log files from the log file cleanup process (page 318).

Log File Cleanup Parameters

The following log file cleanup parameters can be configured in the Confi…
199. …es dialog box is displayed. It is described in the following sections.
- In Webmail or Basic trunks: In the main window of the Configuration program, in the Application Server area, click the button next to Application Properties. The Application Properties dialog box is displayed. It is described in the following sections.

General Tab

In the General tab you can:
- Change the application name.
- Copy the Application ID number.
- In portal trunks only, select prerequisite applications, that is, one or more applications that must be active in order for the application you are configuring here to run. For example, if the application you define here requires a connection to an internal share, add a Local Drive Mapping application that will map the required drive, and define it to be a prerequisite application to the application you are configuring here. Only applications of the type Client/Server and Legacy Applications can serve as prerequisite applications. All applications of this type that are defined in the portal's Applications list are available for selection in the Prerequisite Applications list.

Chapter 4 Application Settings: Editing Application Properties

Tip: The number of applications that are defined as prerequisites to the current application is indicated below the application list, in the Number of Prerequisite Applications field. To define an application as a prerequisite, enable it in the Pre…
200. … ... 196
Additional Networks Tab ... 197
Advanced Tab ... 199
Remote User Interaction with the Network Connector ... 200
Interaction on Computers Running the SSL Wrapper ActiveX Component ... 201
Interaction on Computers Running the SSL Wrapper Java Applet ... 202
Network Connector Troubleshooting ... 203
Troubleshooting the Network Connector Server ... 203
Server Logs ... 204
Server Resources ... 205
Network Traffic Logs ... 205
Troubleshooting the Network Connector Client ... 206
Chapter 8 Providing Access to Internal File Systems ... 209
Local Drive Mapping ...
201. …escribed in Application Monitor Statistics Window: Query Form on page 279. The window then displays the query results, as described in Application Monitor Statistics Window: Query Results View on page 281.

Application Monitor Statistics Window: Query Form

When you first access the Application Monitor Statistics window, the query form is displayed. Use this form to define the query:
- Define the period of time for which to generate the query. Select a pre-defined period, such as Today or Last Month, at the top of the Period area. Or: Define start and end dates at the bottom of the Period area.
- Define the interval at which data is sampled, at the bottom right of the Period area. The intervals that are available for selection depend on the selected period. For example, if the selected period is a day, only an Hour interval can be defined; for a period of a week, you can select an interval of either an hour or a day. By default, the maximal number of intervals that can be queried is 1,500. If required, you can change this value as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. Note, however, that a value of over 1,500 intervals is not recommended and may slow down the monitor's performance considerably.
- Select the query type…
202. … ... 244
Configuring the Mail Reporter ... 245
Enabling the Mail Reporter to Send Messages ... 246
Configuring which Messages are Sent by the Mail Reporter ... 247
Message Configuration ... 249
Configuring Event Messages in the Message Definitions File ... 249
Event Logging Message Definitions File ... 250
Event Messages Application Interface ... 257
Disabling Event Logging and Reporting ... 258
Web Monitor ... 258
Accessing the Web Monitor ... 260
Enabling Web Monitor Access from Computers Other Than the IAG ... 261
Web Monitor Browser Support ... 264
Web Monitor Layout ... 264
Tips for Using the Web Monitor ...
203. …eshold accordingly. You define those settings at the IAG, in the Configuration program, as follows:
1. Open the Advanced Trunk Configuration window of the relevant trunk and access the Session tab.
2. Modify the required settings in the Concurrent Unauthenticated Sessions Threshold and Max Concurrent Unauthenticated Sessions fields, respectively.

Warning 14: User Login Failed

Symptoms: A remote user attempts to access the site. Access is denied and the following message is displayed in the browser window: "Failed to authenticate."

Cause: The failure can be caused by:
- Wrong credentials entered by the remote user, such as a wrong user name or password, the user selecting the wrong Directory (authentication server) in the login page, and more.
- Authentication server is not configured correctly in the Configuration program. For example: invalid IP/host value or invalid port; server access credentials are not strong enough; the groups/users search in the authentication server is defined inaccurately, thus the IAG cannot find a unique instance of the user name.
- Authentication server is not running.
- Authentication server is not reachable from the IAG.
The cause of the login failure is reported in the message, in the Error field.

Resolution: Depending on the type of error, do one or more of the following: At the IAG, verify the configurat…
204. …esources that are enabled via the File Access application. Note the trust relationships between the domains in this setup.

Figure 37: Sample Environment with IAG as New Domain
[Diagram: a File Access Domain containing the Intelligent Application Gateway (external IP interface, internal IP interface, File Access Application) and a Domain Controller; a User Domain containing the File Access Users; trust relationships from the File Access Domain to two Resource Domains]

Chapter 8 Providing Access to Internal File Systems: File Access (page 214)

Joining the IAG to an Existing Domain

In this setup you join the IAG to an existing Windows domain which holds all File Access users and resources. The following sections describe the steps you need to take in order to set up the IAG for this type of environment. If you are joining the IAG to a domain that is not a native Active Directory domain, that is, a Windows NT 4.0 domain or an Active Directory Mixed Mode domain, you need to go through both sets of steps described below. If you are joining the IAG to a native Active Directory domain, that is, a Windows 2000 or Windows 2003 domain, skip the first set of steps and take the steps described in Steps you need to take for all File Access installations when joining a domain on page 217. Figure 38 illus…
205. …ess, the error server activates it. If any of the parameters in this trace were changed since the last refresh, the process applies the new parameters to the trace.
- max_size: Maximum size of the trace log file, in bytes.
- report_errors: Select whether to report errors, which are reported in the error log, in the trace log as well. This parameter can be defined in individual traces as well as in the general Trace section. If it is not defined here, the value in the general Trace section applies.

Trace Templates

Following are sample templates you can use in order to create a trace, as defined in the trace.ini configuration file. These are samples only, and therefore appear in the file as comments, preceded by the number sign (#).

Chapter 10 Troubleshooting: Error Logging and Process Tracing (page 308)

The last sample section, Trace, lists additional parameters that can either be applied to the individual trace section or, if a parameter is not configured for the trace, be applied from the general Trace section of the file, as described in General Trace Configuration Section on page 310.

Trace <process name> <instance name> <reporter name> <trace level> <class name> <trace level>
Trace <process name> <reporter name> <trace level> <class name> <trace level>
Trace <process name> <trace level> <instance name> <t…
206. …essages.

Resolution: In order to avoid a situation where the header or parameter is used in legal requests, make sure you assign it a unique name that will not be used for any other purpose. If the header or parameter name is unique, its use in a request is an indication that this is a malicious request that should be blocked. To define the Authorization key header or parameter for this application, take the following steps in the Configuration program:
1. Open the Application Properties dialog box for this application and access the Web Settings tab.
2. Under the option Authorization key, assign a unique header or parameter name. For details refer to Web Settings Tab on page 73.

Warning 67: URL Path not Allowed

Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL you are trying to access contains an illegal path."

Cause: The path of the requested URL was rejected by the URL Inspection engine.

Resolution: Take the following steps in the Configuration program:
1. Open the Advanced Trunk Configuration window and select the URL Set tab.
2. Do one of the following, depending on the rule that caused the failure, as specified in the Description field of the message: If the rule that caused the failure is Default rule, use the URL List to add a n…
207. …ession Monitor Current Status
[Screenshot: Session Monitor Current Status window, server time 03/14/2006 16:37, with a Total Sessions chart and a table listing Authenticated Sessions, Unauthenticated Sessions and Total Sessions per trunk and for All Trunks]

Session Monitor Over Time

The Session Monitor Over Time window is displayed when you click the Over Time icon in the Session Monitor Current Status window. Use it to monitor session behavior over time, for a selected trunk or for all active trunks. Session behavior is displayed in a line chart showing both authenticated and unauthenticated sessions, and the total number of sessions, at pre-defined intervals. By default, the window refreshes the data at 10-second intervals. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. Use the paging controls to scroll to the period of time you wish to monitor.

Figure 42: Session Monitor Over Time
[Screenshot: Session Monitor Over Time, All Trunks, in Microsoft Internet Explorer; line chart of Total Sessions, Authenticated and Unauthenticated sessions against Time]
208. …ests, Failed Requests.

To issue a certificate from a pending request:
1. Right-click the pending request in the Certification Authority window and select All Tasks > Issue. The certificate is issued. The pending request is moved from the Pending Requests folder to the Issued Certificates folder.

To deny a pending request for a certificate:
1. Right-click the pending request in the Certification Authority window and select All Tasks > Deny. The pending request is denied and is placed in the Failed Requests folder. When the end user checks the status of the Certified Endpoint request, a screen is displayed informing the end user that the request was denied.

Whale Client Components

Whale Client Components are installed on the endpoint computer in order to enable some of the IAG features. The components include the following:
- Whale Component Manager: ActiveX object which downloads, installs, manages and removes all the Whale Client Components.
- Attachment Wiper: ActiveX component. For details refer to Attachment Wiper on page 110.
- Client Trace: utility used for support purposes.
- Endpoint Detection: ActiveX component. For details refer to Endpoint Policies on page 98.
- Non-web tunneling components, including: SSL Wrapper ActiveX component (for details refer to Chapter 6, SSL Wrapper); Socket Forwarding compone…
209. …ete the wizard; for details, click Help. When you complete the wizard, click Finish. The wizard closes. The new Portal trunk you created now appears in the List pane, and the Configuration pane displays the trunk's parameters.

[Screenshot: Whale Communications Intelligent Application Gateway 2007 Configuration program; List pane with HTTPS Connections and HTTP Connections, trunk MyPortal selected; Configuration pane showing Application Access Portal settings: Public Hostname, IP Address and Port, External Website IP Address and HTTPS Port, Initial Internal Application (Whale Portal), Use Toolbar, the Applications list (Application Name, Application Type) with Add/Edit/Remove and Sort alphabetically, Limit the Applications to the Following Subnets (Subnet Address, Subnet Mask), and Security and Networking (Maximum Connections, Advanced Trunk Configuration, High Availability)]

Note: By default, the Initial Internal Application is the Whale Portal application, used in conjunction with the Whale toolbar. If you wish to use a different portal homepage, refer to the Intelligent Application Gateway Advanced Configuration guide, to Using a Custom Portal Homepage on page 61.

In the List pane, right-click the trunk and select Add. Or: In the Applications area of the Configuration pane, under the Application List, cli…
210. …eted. Profiles of local users are not deleted. Least recently used profiles are deleted first. Profiles of users who are currently connected to one or more mapped drives are not deleted.

To delete user profiles from the IAG:
1. Access the following CustomUpdate folder; if it does not exist, create it: \Whale-Com\e-Gap\von\conf\CustomUpdate
2. Copy the file userProfiles.ini from this folder: \Whale-Com\e-Gap\von\conf. Place it in the CustomUpdate folder you accessed in step 1. If such a file already exists in the custom folder, use the existing file.
3. Configure the parameters in the file in the custom folder.

Table 23: Deleting User Profiles, Configuration Parameters
- EnableProfileDeletion: Determines whether user profiles are deleted from the IAG or not.
- HighWaterMark: Number of profiles above which the deletion process starts. Must be equal to or greater than the LowWaterMark parameter.
- LowWaterMark: Number of profiles that are kept on the IAG once the deletion process is complete. A minimum number of 50 profiles must remain undeleted.
- SleepPeriod: After the number of minutes defined here, the process checks whether the HighWaterMark has been reached and deletes excessive profiles as required.
- DoNotRemoveProfile: Defines a user profile that is not deleted. For example…
- Novell Logon Settings
211. …ew rule, or edit one of the existing rules so that the requested URL is allowed. If the failure was caused by an existing rule, and the name of the rule is specified in the message's Description field, access the rule in the URL List. In the URL column, edit the path of the URL. For details about the configuration of rulesets, refer to the Intelligent Application Gateway Advanced Configuration guide, to Configuring a Ruleset in the URL Set Tab on page 164.

Error 73: Connection to Non-Web Application Failed

Symptoms: A remote user attempts to launch an SSL Wrapper application, either via the portal homepage or by logging into a site that automatically launches the application. The application is launched but fails to connect to the server.

Cause: The IAG cannot establish a connection with the application server. The failure can be caused by one of the following:
- Application server is not configured correctly in the Configuration program, for example an invalid IP address, port or path.
- Application server is not running.
- Application server is not reachable from the IAG.
The cause of the login failure is reported in the message, in the Error field.

Resolution: Verify the configuration of the application server in the Configuration program, in the Application Properties dialog box, in the Server Settings tab. For details refer to Ser…
212. …f various sensitive tests.

Running the Data Collection Utility

The Data Collection utility can be configured to collect any files required, as well as to automatically run any or all of the Support Utilities tests. If required, you will be instructed by technical support on how to do so.

To run the Data Collection utility:
1. On the IAG, open a Command prompt and type whlcollect.
2. Press <Enter>. The utility is run and an archive file is created. This may take a few minutes. The resulting file is named <hostname> whlcollect.cab. It is stored in \Whale-Com\e-Gap\Backup.
3. Encrypt the file created by the Data Collection utility, using an encryption utility such as PGP.
4. Send the encrypted file to technical support.

Note: For security reasons, it is recommended that you delete the original and encrypted data collection files after viewing them, including deletion from the Windows Recycle Bin.

Restarting the Web Service in the IIS

The following procedures describe how you stop the Internet Information Server (IIS) on the IAG, then restart the Web service in order to reload the Web filters, filter extensions and filter libraries, as required during some of the procedures described in this Guide.

Note: During this procedure you stop the IIS, then re-start the Web service. If any other services on the IAG, such as FTP or SMTP, are using the IIS, you have to start them as well.

Intell…
213. …finitions.
3. Verify that the association of extensions and content types is consistent for both files. If you find discrepancies between the files, edit the file on the IAG to match the application server's file.
4. At the IAG, in the Configuration program, verify that the application's Downloads Extension List is configured so that the extension used here is not considered a download. The list is defined in the Application Properties dialog box, in the Download/Upload tab, in the Downloads area. For details refer to Download/Upload Tab on page 82.

If you wish to cancel the identification of downloads by extensions for this application, uncheck the option Identify by Extensions in the Downloads area of the Download/Upload tab. Note: If none of the options in the Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy.

If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy in the Configuration program. The application's policies are selected in the Application Properties dialog box, in the General tab. For details refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Pro…
214. …fline component installation:
- Determine which components users will be able to install. For example, you can select to enable the SSL Wrapper component but not the Socket Forwarding component.
- Replace the graphic that appears in the installation screens.
- Enable or disable Custom installation mode, where users can select which of the enabled components to install. If Custom mode is disabled, the installation will run in Typical mode, where all enabled components are installed. Note: Custom mode is only applicable when you deploy the components installation in Interactive mode, as described in Deploying Offline Component Installation on page 158.

To configure offline component installation:
1. Copy the file ComponentsConfig.xml from this location: \Whale-Com\e-Gap\utils\OfflineClientSetup to: \Whale-Com\e-Gap\utils\OfflineClientSetup\CustomUpdate
2. In the file you copied in step 1, determine whether to enable the installation of each component or not, whereas Install="1" means install and Install="0" means don't install. For example, the following line enables the installation of the Network Connector component: <Component Name="Network Connector" ID="17" Install="1">
3. Still in the file you copied in step 1, determine whether to enable Custom installation mode, whereas <CustomSetup Enable="1"> enables Custom in…
215. …following:
- Request Certified Endpoint status on a remote PC. Note that the certificate must be created with the option to export the private key.
- Once the request has been approved, install the certificate on the remote PC.
- Export the certificate to the handheld device. Make sure that you also export the private key.

Tip: The endpoint enrollment pages shown in the procedures that follow are the default pages supplied with the IAG. For instructions on how you can customize the look and feel of the pages, refer to the Intelligent Application Gateway Advanced Configuration guide, to Customizing Certified Endpoint Enrollment Pages on page 67.

Requesting Certified Endpoint Status

To submit a request to make a computer a Certified Endpoint:
1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint User Information window is displayed.
[Screenshot: Whale Communications (A Microsoft Subsidiary) Certified Endpoint User Information window, with the fields Name, E-Mail, Company, Department, City, State, Country/Region, and a Submit button]
2. Enter the required user information in the text box or boxes. Note: The fields available in this window may vary according to the settings defined during the configuration of the Certified Endpoint feature, as described in Cus…
216. …for each application individually.

Supported Applications

The SSL VPN portal supports the following groups of applications:
- Built-in Services are services that are supplied with the IAG, such as File Access or Web Monitor.
- Web Applications are applications that use HTTP/HTTPS and a web interface, such as Microsoft Office SharePoint Server 2007 and Outlook Web Access.
- Client/Server and Legacy Applications are applications that use non-HTTP/HTTPS protocols and are handled by the SSL Wrapper. Examples of client/server and legacy applications include Telnet, Citrix MetaFrame Program Neighborhood applications, Microsoft Windows Terminal Services Clients, Microsoft Outlook and more.
- Browser-Embedded Applications are web-initiated applications that use a web-based interface to create a non-HTTP/HTTPS connection and are handled by the SSL Wrapper. These include Citrix NFuse, IBM WebSphere Host On-Demand, Lotus SameTime, Terminal Services Web Client and others.

Chapter 1 Introduction: Intelligent Application Gateway Architecture (page 18)

In addition to the applications that are supported out of the box, you can define your own generic applications, such as a generic web application, where you define all the application settings, rulesets and definitions according to the application's requirements.

Trunks: the IAG Transfer Channels

Data is transferred through the gateway via transfer channels, or trunks, where each tr…
217. …from their computers:
1. At the IAG Configuration program, open the Advanced Trunk Configuration window and access the Session tab.
2. In the Endpoint Policies area, activate the option Prompt User when Retrieving Information from Endpoint.

When users access the site, if endpoint detection is enabled on their computer, they are prompted with the following page:

[Screenshot: Whale Communications (A Microsoft Subsidiary) prompt page] "This site is protected by the Intelligent Application Gateway. In order to ensure full functionality of the site, it will retrieve information from this computer, including some information that may be of a personal nature. If you do not enable this option, you will be able to access the site and use it with limited functionality only. Do you wish to enable this option? [Enable and continue with full functionality] [Don't show] [Continue with limited functionality] [Continue]. This site is intended only for authorized users. If you encounter any problems with this site, please contact your system administrator at administrator@server.com."

- By selecting Enable and continue with full functionality, users give their consent for the collection of information from their computers. They can then continue working with the site, using all the functionality that is enabled by the Whale Client Components.
- For users who select Continue with limited functionality, information is not collected from their computers…
218. from the application to the requesting endpoint, edit the application's Download policy in the Configuration program. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99. Warning 39: Download Policy Violation, File Extension Unmatched. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "According to your organization's Download policy, the requested download is not allowed." Cause: The response failed since its content type does not match the file extension. This was discovered while checking whether the response is a download according to its file extension, since the application's Download policy forbids downloads to the requesting endpoint. Resolution: Do one of the following. If you wish this extension/content-type pair to be considered a match, take the following steps: 1. At the IAG, access the file that holds the definitions of file extensions and the associated content types: \Whale-Com\e-Gap\von\conf\content-types.ini. 2. At the application server, access the file that holds the extension/content-type de
219. fy the requested application server. Resolution: Contact technical support. Warning 59: Invalid Reroute Destination. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "The requested URL is not associated with any configured application." Cause: The URL that the user requested was rerouted according to a Manual URL Replacement rule, and the destination server is not recognized by the IAG filter. Resolution: Take the following steps in the Configuration program: 1. Open the Advanced Trunk Configuration window and select the Application Access Portal tab. 2. In the Manual URL Replacement area, edit the applicable rule. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Manual URL Replacement on page 272. Warning 62: Unauthorized Access Attempt. Symptoms: A remote user attempts to access an application from the portal homepage. The request is denied and the following message is displayed in the browser window: "You are not authorized to access the application." Cause: The user is not authorized to view or access the requested application. Resolution: Change the authorization settings for this application. If you are using the default portal homepage that is supplied with the IAG, you can personalize the application so that
220. g. Enter the user name using the following syntax: <domain_name>\<user_name>. You can use the asterisk (*) wildcard at the end of the search string to define a group of users. For example, to enter a query for all users of a domain named ActiveDirectory, enter the following in the Lead User text box: ActiveDirectory\*. The search is case sensitive. Once you submit the query, the results are displayed in the window, as described in User Monitor Statistics Window: Query Results View on page 290. [Figure 56: User Monitor Statistics Window, Query Form. The form contains Trunks; a Period area with the options Week, Month, Quarter, Year, Today, Last 24 Hours, and Yesterday; Start date 03/21/2006 00:00:00; End date 03/21/2006 13:04:41; a Lead User box with the tip "You can use the asterisk wildcard at the end of the string"; and the buttons Submit, Show last results, and Reset.] Tip: After you submit a query, when you return to the query form from the query results view, you can click Show last results to display the results of the last query submitted, regardless of any changes you might have made in the query form. User Monitor Statistics Window: Query Results View. Query results are displayed in the User Monitor Statistics wind
221. ge 135. Note the following: If you use the default portal homepage supplied with the IAG, adding the Certified Endpoint Enrollment application to the trunk automatically adds the required links to the end user's portal. If you use a custom homepage, you can manually add this functionality to your page, as described in the Intelligent Application Gateway Advanced Configuration guide, in Adding Links to IAG Features on a Custom Homepage on page 66. The Certified Endpoint Enrollment application is not supported on Camino browsers on Mac OS X, since the underlying Microsoft application is not supported on those browsers. Update the Certificate Trust List (CTL) with the new CA. Refer to Adding the CA to the Certificate Trust List (All CAs) on page 136. Back up the certificate settings, as described in Backing Up the Certificate Settings (All CAs) on page 140. Note: After the initial backup, make sure to back up the certificate settings from time to time, especially before any IAG software upgrade or installation, or any other changes to system settings. At this point the Certified Endpoint feature is enabled. End users can obtain a certificate and turn their computers into Certified Endpoints. For details, refer to End User Interaction (Local CA Only) on page 140. Once end users request certificates, you can view and manage the requests using the Certific
222. ge from where you wish to send the message, add the following function: SetMessage <Message_ID>, <Optional_param_list>. Where <Message_ID> is the unique message ID defined in the message definitions file, in the <Id> element described on page 251, and <Optional_param_list> holds the definition of the message parameters, as follows: if no parameters are defined in the message, null; if the message contains one or more parameters, Array(<message_param>, <message_param>), where <message_param> is the parameter you define in the message definitions file, in the <Param> element described on page 255. 2. If the message contains one or more parameters, for each parameter you need to create an object in the file, where the name of the parameter is identical to the name you use in the function you define in step 1. Tip: You can see a sample function call in the following page: \Whale-Com\e-Gap\von\InternalSite\samples\set_message.asp. 3. If you are adding the function to your own page, such as your own login page, you need to include the following file in the page: \Whale-Com\e-Gap\von\InternalSite\inc\MonitorMgr.inc. Disabling Event Logging and Reporting: This section describes how to disable and re-enable event logging and reporting. Note: Disable event logging and reporting for advanced troubleshooting purposes
223. gent Applic [Screenshot: user properties dialog box with the options User must change password at next logon, User cannot change password, Password never expires, Account is disabled (checked), and Account is locked out, and the buttons OK, Cancel, and Apply.] 4. Uncheck the option Account is disabled, then click OK to close the dialog box. In the right pane of the Local Users and Groups Manager, the IAG Administrator user is now enabled. [Screenshot: Local Users and Groups console (Console Root > Local Users and Groups > Users), listing the built-in administrator and guest accounts and the Intelligent Application Gateway Administrator account, described as "Local administrators to manage the Intelligent ...", which is now enabled.] 5. Assign a password for the IAG Administrator user: in the right pane of the Local Users and Groups Manager, right-click the IAG Administrator user and select Set Password. The Set Password dialog box is displayed. 6. Use the Set Password dialog box to assign a password. The IAG Administrator user can now access the Web Monitor using the password you assigned here. Tip: In order to enable access to the Web Monitor by additional users, access the Web Monitor Users group under Users and define
224. guration is applied and whether the computer's Trusted Sites list is managed remotely or not. Data: 1, managed; 0, unmanaged. Note: Any number other than 1 is considered a zero.
Optional. Determines whether the user can add other sites to the Trusted Sites list on demand. Data: 1, users can add sites to the list; 0, users cannot add sites to the list. If this value is not defined, users cannot add sites to the list.
Optional. Determines whether the user can add HTTP sites to the list on demand. Applicable only when the value of CanAddSites is 1. Data: 1, users can add HTTP sites to the Trusted Sites list; 0, users cannot add HTTP sites to the Trusted Sites list. If this value is not defined, users cannot add HTTP sites to the list.
Optional. Determines behavior when a trusted site's certificate is invalid. Data: 1, users are prompted and can select whether to add the site to the Trusted Sites list or not; 0, users are not prompted and access to the site is denied. If this value is not defined, users are not prompted.
Table 21: Values of CheckSite.reg (continued). The remaining values are PromptInvalidCertUntrusted (Type: DWORD), TrustedSite (Type: String), and PilotExpirationTime (Type: String). Values are case insensitive. PromptInvalidCertUntrusted: Optional. Determines whether users are prompted when an untrusted site's certificate is invalid
225. guration program. Table 40: Log File Cleanup Parameters.
Start Cleanup at (MB): Total size, in megabytes, of IAG and IIS log files that can be kept on the disk before the IAG starts a log file cleanup process. Tip: Set this value according to the disk space you can allocate for this purpose.
Stop Cleanup at (MB): Total size, in megabytes, of IAG and IIS log files that are kept on the disk after the log file cleanup process.
Number of Undeleted Files: Optimal number of files retained after the log file cleanup process, as follows. Event, trace, and IIS log files: the number of files retained for each individual trace. Error log files: the number of files retained is twice the number configured here. Tip: The ratio between undeleted error log files and other log files is hardcoded and cannot be changed.
The deletion of IIS log files can be excluded from the log file cleanup process altogether, as described on page 29. How the Log File Cleanup Process Works: The log file cleanup process starts when one of the following occurs: the number of log files, including IAG event, error, and trace log files and IIS log files, exceeds 2,048 (this parameter is hard-coded and cannot be changed); or the total size of all the IAG event, error, and trace log files and IIS log files exceeds the Start Cleanup at (MB) value. Note: The log f
226. h of the following are added to the page so that users can request Certified Endpoint status: The Whale toolbar, where the Certified Endpoint button is automatically added. For a description of how you can use the Whale toolbar with a custom homepage, refer to the Intelligent Application Gateway Advanced Configuration guide, the section Using a Custom Portal Homepage, step 4 on page 62. A Certified Endpoint link, which can be added as described in the Intelligent Application Gateway Advanced Configuration guide, in Adding Application Links on a Custom Portal Homepage on page 68. In order for an endpoint computer to be granted Certified Endpoint status, end users have to take the following steps: Submit a request for a certificate to be issued, as described in Requesting Certified Endpoint Status on page 142. If so defined in the certification authority policy, check whether the request for Certified Endpoint status has been approved, as described in Checking the Certified Endpoint Request Status on page 144. Once the Certified Endpoint status has been approved, install the certificate, as described in Installing the Certificate and Logging In as a Certified Endpoint User on page 144. Note: The Certified Endpoint button is not displayed on handheld devices. In order to grant Certified Endpoint status to a handheld device, do the
227. he Company nor any of its worldwide subsidiaries or distributors, or management or employees, grants any warranties in respect to any damages or deficiencies resulting from accident, alteration, modification, foreign attachments, misuse, tampering, negligence, improper maintenance, abuse, or failure to implement any updates furnished. The Products must be used and maintained in strict compliance with the instructions and safety precautions of the Company contained herein, in all supplements thereto, or in any other written documents of the Company. The products must not be altered without prior written consent of the Company. The Company grants no warranties with respect to the Products, either express or implied, including any implied warranties of merchantability or fitness for a particular purpose. The Company will have no liability for any damages whatsoever arising out of or in connection with the delivery, installation, use, or performance of the product. In no event shall the Company be liable, under any legal theory, including but not limited to contract, negligence, misrepresentation, strict liability in tort, or warranty of any kind, for any indirect, special, incidental, or consequential damages, including but not limited to loss of profits, even if the Company has notice of the possibility of damages. Without limiting the effect of the preceding clauses, the Company's maximum liability, if any, for damages, including but not limited to liability arising
228. he Socket Forwarding component only, or enable and disable the Socket Forwarding component. [Screenshot: the Whale Client Components System Information page (https://mportal.microsoft.com, Microsoft Internet Explorer). It lists each component with its version: Whale Component Manager 3.7.0.12, Endpoint Detection 3.7.0.12, SSL Wrapper 3.7.0.12, SSL Wrapper Java Applet N/A, Socket Forwarder LSP 3.7.0.12 and NSP 3.7.0.12, Network Connector Client 3.7.0.12 and Driver 3.7.0.12 (Not Running), Attachment Wiper 3.7.0.12; the detected Anti-virus (eTrust 7.1, updated 12/5/2006 10:09:02 PM), Personal Firewall (XP SP2, version N/A), Operating System (Windows XP Professional 5.01.2600 Service Pack 2), Browser Version (Internet Explorer 6) and User Agent, Sun JRE Version N/A, Domain WHALECOM, and the Certified Endpoint and Privileged Endpoint status. Callouts mark the controls to uninstall all Whale Client Components, to uninstall the Socket Forwarding component, and to enable or disable the Socket Forwarding component. The page footer reads: "This site is protected by the Whale Communications Intelligent Application Gateway. To refresh this page, please log out, then log in again."] You can enforce the removal of the Socket Forwarding client component f
229. he component list "This connection uses the following items", check whether Client for Microsoft Networks is listed, and do one of the following: If Client for Microsoft Networks is listed and the box next to it is checked, you do not need to take any further steps. Click OK to close the dialog box. If Client for Microsoft Networks is listed and the box next to it is unchecked, check the box, then click OK. You do not need to take any further steps. If Client for Microsoft Networks is not listed in the Local Area Connection Properties dialog box, continue with the following steps. 5. In the Local Area Connection Properties dialog box, under the component list, click Install. The Select Network Component Type dialog box is displayed. [Screenshot: Select Network Component Type dialog box. "Click the type of network component you want to install": Client, Service, Protocol, with the description "A client provides access to computers and files on the network you are connecting to."] 6. Verify that Client is selected in the list and click Add. The Select Network Client dialog box is displayed. [Screenshot: Select Network Client dialog box. "Click the Network Client that you want to install, then click OK. If you have an installation disk for this component, click Have Disk." The Network Client list shows Client for Microsoft Networks.] By Client
230. he failure was caused by an illegal character, take the following steps: 1. On the IAG, activate a trace that will record the IAG filter activities: a. Access the following file: \Whale-Com\e-Gap\common\conf\trace.ini. b. Add the following section to the file:
[Trace WhlFilter]
WHLFILTRULESET=xheavy
Save the file. 2. Use a browser to request the URL again. 3. Locate the log file of the trace you activated in the following location: \Whale-Com\e-Gap\logs. The log file is named as follows: WhlFilter default <Time_Stamp>.log. 4. In the trace log file, find the following warning message: "WARN CanonicalizeEscapeChar: Check allowed characters after escape list in Param String <FailedString> failed", where <FailedString> is a parameter that contains one or more illegal characters, which caused the failure. Tip: For more information on the tracing process, see Error Logging and Process Tracing on page 307. 5. At the Configuration program, open the Advanced Trunk Configuration window and access the URL Inspection tab. 6. In the Out-Of-The-Box Security Configuration area, edit the application's rule so that the list of Legal Characters includes all the characters found in the parameter that caused the error. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, URL Inspection Tab: Out-Of-The-Box S
231. he query. Select a pre-defined period, such as Today or Last Month, at the top of the Period area. Or: Define start and end dates at the bottom of the Period area. Define the interval at which data is sampled, at the bottom right of the Period area. The intervals that are available for selection depend on the selected period. For example, if the selected period is a day, only an Hour interval can be defined; for a period of a week, you can select an interval of either an hour or a day. By default, the maximal number of intervals that can be queried is 1,500. If required, you can change this value, as well as the number of intervals that are displayed on a single page in the default view, as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. Note, however, that a value of over 1,500 intervals is not recommended and may slow down the monitor's performance considerably. Select the query type: Sample Chart, where the number of concurrent sessions is sampled at the end of each interval; or Peak Chart, where the number of concurrent sessions reported is the highest number of sessions that were open during the interval period. Once you submit the query, the results are displayed in the window, as described in Session Monitor Statistics Window: Query Results on page 273.
232. he server. Cause: A cookie encryption violation was detected. The cookie name is not encrypted and is not listed in the cookie encryption exclude lists. Resolution: In order to enable the browser to send this cookie in an unencrypted form, you need to add it to the list of cookies that are excluded from the cookie encryption process. Take the following steps in the Configuration program: 1. Open the Application Properties dialog box for this application and access the Cookie Encryption tab. 2. Add the cookie that was blocked to the Cookies list. The name of the cookie is provided in the Description field of the event in the Web Monitor's Event Viewer. For details, refer to Cookie Encryption Tab on page 80. Warning 95: Cookie Name Cannot Be Decrypted. Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected. However, a Cookie header in the request is blocked and is not forwarded to the server. Cause: A cookie encryption violation was detected. An encrypted cookie name could not be decrypted since it contains an invalid security digest. Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is provided in the Description field of the event in the Event Viewer. Warning 96: Name of Excluded Cookie Is Encrypted. Symptoms:
233. header. Cause: The request does not contain a Content-Type header, and the method used in the request is POST. According to the configuration of the IAG, POST without a Content-Type header is not allowed. Resolution: In order to allow POST requests without a Content-Type header for this application, take the following steps in the Configuration program: 1. Open the Application Properties dialog box for this application and select the Web Settings tab. 2. Check the option Allow POST without Content-Type. For details, refer to Web Settings Tab on page 73. Warning 48: Application Out-Of-The-Box Rule. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "You have attempted to access a restricted URL. The URL is blocked by the application's Out-Of-The-Box Security Rules." Cause: The requested URL contains an illegal character according to the definition of the application's out-of-the-box security configuration. Resolution: In the Configuration program, do one of the following. If you wish the character that caused the error to be considered a legal character for this application, take the following steps: 1. Open the Advanced Trunk Configuration window of the relevant trunk and access the URL Inspection tab. 2. In the Out-Of-The-Box Security Configuration area, ed
234. hentication and User Group Servers. In the Authentication and User Group Servers dialog box, select the relevant server and click Edit. For details on each of the parameters in the Edit Server dialog box, click Help. Verify that the authentication server is running. Verify that the authentication server is reachable from the IAG. If not, check the following: Network connections. Verify the configuration of the ISA firewall rule that enables the connection from the IAG to the application server. For details, examine the ISA logs and alerts and, if necessary, consult ISA troubleshooting. Warning 23: Application Form Authentication Failed. Symptoms: A remote user attempts to access an application. The attempt fails. Cause: Despite the fact that in the Configuration program the application is configured to automatically reply to the application server's authentication request (HTML form), the login attempt failed. This can be caused by one of the following: The credentials that were used for the authentication were not accepted by the application. This can be due to one of the following reasons: The authentication server used for the login does not contain the user credentials that are required by the application; or incorrect configuration of the Form Authentication Engine for this application. The browser used by the remote user is not supported by the IAG; for a list of supported browsers, refer to Supported Browsers
235. his CA. [Screenshot: CA Identifying Information page of the Windows Components Wizard, showing the Distinguished name suffix DC=whale,DC=biz, a Preview of distinguished name, the Validity period in Years, and the Expiration date 9/27/2010 1:45 PM.] Enter the Common name for this Certificate Authority and click Next >. A cryptographic key is generated, and the Certificate Database Settings window of the Windows Components Wizard is displayed. [Screenshot: Certificate Database Settings page ("Enter locations for the certificate database, database log, and configuration information"): Certificate database C:\WINNT\system32\CertLog; Certificate database log C:\WINNT\system32\CertLog; Store configuration information in a shared folder (checked), Shared folder C:\CAConfig; Preserve existing certificate database.] 10. Do not change the default values displayed in the Certificate Database Settings window. Click Next >. 11. If the IIS is running, you are prompted to stop the IIS. Confirm the prompt to stop the IIS on your computer. A progress bar appears and the Microsoft Certificate Authority is installed. Click Finish to exit the Windows Components Wizard. To verify that the Certificate Authority is installed and working on your computer, in the Windows desktop click Start and select Programs > Administrative Tools > Certification Aut
236. hority. The Certification Authority window, with the Certificate Authority you just installed, is displayed. [Screenshot: Certification Authority console showing Certification Authority (Local) with the folders Revoked Certificates, Issued Certificates, Pending Requests, and Failed Requests.] Defining a Certification Authority Policy (Local CA Only): The Microsoft CA provides two policies for issuing certificates. Manual: the user's request is defined as pending until the administrator manually issues the certificate. Automatic: the certificate is automatically issued after the request is received. When the CA is installed, the default certification policy is Manual. You can change this policy at any time, as described in Selecting Between Manual and Automatic Certification Policies on page 128. If you select the Automatic certification policy, by default the certificate is issued immediately after the certification request is received. If you wish, you can change the policy to Automatic with Delay, whereby the certificate is issued only after the specified delay period. To configure this policy, refer to Setting the Certification Policy to Automatic with Delay on page 130. Note: When you change the certification policy, the change only affects new c
237. hout Logoff. [Screenshot fragment: the options Re-open Portal if User Selects to Keep Channel Open, and, under Endpoint Settings, Uninstall Socket Forwarding Component and Add Site to Pop-Up Blocker's Allowed Sites (checked).] Select whether to delete application-specific temporary files for all sessions where the Attachment Wiper is activated. Select whether to activate the Attachment Wiper for privileged sessions. When you create a trunk, the Attachment Wiper is automatically configured as follows: The option Activate Attachment Wiper is activated for default sessions and disabled for privileged sessions. To learn more about these types of sessions, refer to the Intelligent Application Gateway Advanced Configuration guide, Default and Privileged Session Settings on page 137. The option Attachment Wiper Cleans Application-Specific Temporary Files is activated. This option applies to all the sessions where the Attachment Wiper is activated. It determines whether or not the Attachment Wiper deletes application-specific temporary files for the relevant applications. For a list of applications for which the Attachment Wiper deletes application-specific temporary files, as well as a description of the locations where the Attachment Wiper deletes files for each of these applications and what types of files are deleted, refer to the Intelligent Application Gateway Application Awar
238. [Screenshot fragment of the application dialog box: Application URL http://localhost/Auto/whalefilesharing; Icon URL /images/AppIcons/FileAccess.gif; Short Description "Explore Your Files"; Description; Startup Page; Open in New Window.] 3. In the Application URL field, enter the following: http://localhost/Auto/WhaleFileSharing?Path=<path>&ShowFolders=False, where <path> is the full path of the folder users will access. For example: http://localhost/Auto/WhaleFileSharing?Path=EUROPE\NORWAY\Bergen&ShowFolders=False. Note: Parameter names and values are case sensitive. 4. Click OK. Once you activate the configuration, end users will not be presented with a folder tree in the File Access interface. In this example, when users access the File Access application they will be presented with the Bergen folder and will be able to browse only this folder and its subfolders. Tip: The parameter ShowFolders can also be used with a Home Directory definition. That is, users will be directly presented with their Home Directory and will be able to browse only the Home Directory and its subfolders. Chapter 9: Monitoring and Control. This chapter describes the monitoring and control tools that are supplied and supported by the Intelligent Application Gateway (IAG). Event Logging is used to log IAG-related events E
239. ibed in Editing Application Properties on page 67. It also describes how you can quickly create a new application based on an existing application, in Duplicating an Application on page 91. Editing Application Properties: This section describes how you can edit application properties in the Application Properties dialog box, including: Accessing the Application Properties Dialog Box on page 68; General Tab on page 68; Web Servers Tab on page 71; Web Settings Tab on page 73; Web Server Security Tab on page 78; Cookie Encryption Tab on page 80; Download/Upload Tab on page 82; Server Settings Tab on page 85; Client Settings Tab on page 86; Portal Link Tab on page 87; Authorization Tab on page 91. Note: The tabs and parameters that are available in the dialog box vary according to the application type. Accessing the Application Properties Dialog Box: This section describes how you access the Application Properties dialog box after you add an application to the portal or create a Webmail or Basic trunk. To access the Application Properties dialog box, in Portal trunks: In the main window of the Configuration program, in the Applications area, select and double-click the application whose properties you wish to edit. Or: Select the application and click the edit button below the Application list. The Application Properti
240. ication Properties: Cookie Encryption Tab. [Screenshot: Application Properties dialog box for a Generic Browser-Embedded App, Cookie Encryption tab, with Enable Cookie Encryption checked, Encryption Mode set to Include (Exclude also available), and the cookie googletalk_jid in the Cookies list.] Table 13: Cookie Encryption Tab Parameters.
Enable Cookie Encryption: Enables the Cookie Encryption option for the application.
Encryption Mode: Exclude, all cookies are encrypted except for those listed in the per-application cookie list and the global exclude list; Include, only cookies that are listed in the per-application cookie list are included in the encryption process.
Cookies (cookie list): In an Exclude encryption mode, the per-application list of cookies that are excluded from the encryption process. In an Include encryption mode, the per-application list of cookies that are included in the encryption process.
Global Exclude List: The global list includes cookies that are excluded from the cookie encryption process of all the applications where the encryption mode is Exclude. You can add cookies to the list as required. Caution: Do not delete any of the cookies that are configured in the list by default. To edit the global exclude list: 1. Access the following file: \Whale-Com\e-Gap\Von\Conf\WhlExcludeCookie.xml
241. icy Manager is where you can optionally pre-configure security policies to which the configuration settings are enforced to conform. The Configuration program enables robust, granular configuration of all aspects of the gateway, including network management, content management, and application control. From within the Configuration program, the Create New Trunk Wizard streamlines trunk creation and configuration. Application-sensitive predefined rulesets and out-of-the-box dangerous character definitions are automatically applied to the filtering mechanism as part of the configuration process. The Editor enables you to easily edit, sort, and convert any text file, including encrypted files and base64-encoded text. All the tools are described in detail in the Intelligent Application Gateway Advanced Configuration guide, in Chapter 2, Security Management Tools. Monitoring and Control Tools and Interfaces: The IAG monitoring and control tools enable network management and auditing at both the network and application levels. The Event Logging mechanism logs IAG-related events to a variety of tools and output formats, including information about usage, user activities, and potential security risks. The Web Monitor is a monitoring and reporting web application that enables anywhere, anytime snapshot viewing of events, as well as event filtering and analyzing. Encryption
242. ide. Enabling Certified Endpoints Using a Remote CA (page 122). A remote CA is any CA that is installed on a computer other than the IAG; you can use Microsoft CA or any other CA. When using a remote CA, you have to provide end users with the necessary certificate to use the Certified Endpoint feature. Note: the Certified Endpoint feature is only supported on HTTPS trunks. The steps below describe how you enable Certified Endpoints for an existing trunk. To enable the Certified Endpoint feature using a remote CA, perform the following steps: 1. Install the certificates from the remote CA to the Trusted Root Certification Authorities certificate store on the IAG. If you require assistance with this installation, contact technical support. 2. Enable the Certified Endpoint feature in the Configuration program, in the Session tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Session Configuration on page 138. 3. Update the Certificate Trust List (CTL) with the new CA; refer to Adding the CA to the Certificate Trust List (All CAs) on page 136. 4. Back up the certificate settings, as described in Backing Up the Certificate Settings (All CAs) on page 140. Note: after the initial backup, make sure to back up the certificate settings from time to time, especially before any IAG software upgrade or installation, or any other changes to system setti
243. Stopping the IIS. This procedure describes how you stop the IIS, as well as what steps to take in case the standard procedure does not stop it. To stop the IIS: on the IAG, open a Command prompt, type net stop iisadmin /y and press <Enter>. The following messages are displayed in the Command prompt:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>net stop iisadmin /y
The following services are dependent on the IIS Admin Service service.
Stopping the IIS Admin Service service will also stop these services.
   Whale File Sharing Service
   World Wide Web Publishing Service
   HTTP SSL
Whale File Sharing Service service is stopping.
Whale File Sharing Service service was stopped successfully.
World Wide Web Publishing Service service is stopping.
World Wide Web Publishing Service service was stopped successfully.
HTTP SSL service is stopping.
HTTP SSL service was stopped successfully.
IIS Admin Service service is stopping.
IIS Admin Service service was stopped successfully.
C:\Documents and Settings\Administrator>
The IIS is stopped. You now have to restart the Web service, as described in Starting the Web Service in the IIS on page 823. If the IIS does not stop, take the following steps: 1. Still on the IAG, open the Windows Task Manager and select the Processes tab. 2.
244. iguration of rulesets, refer to the Intelligent Application Gateway Advanced Configuration guide, Configuring a Ruleset in the URL Set Tab on page 164. (page 354, Appendix A Troubleshooting, Event Logging Messages) Warning 52, Data not Allowed with Method. Symptoms: a remote user requests a page. The request is denied and the following message is displayed in the browser window: You have attempted to access a restricted URL. WebDAV methods are not allowed. Cause: the request uses a WebDAV method while attempting to send data to the application; according to the configuration of the application, such requests are not allowed. Resolution: take the following steps in the Configuration program: 1. Open the Application Properties dialog box for this application and select the Web Settings tab. 2. Activate the option Allow WebDAV Methods. For details, refer to Web Settings Tab on page 73. Warning 53, File Upload Forbidden. Symptoms: a remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Upload policy, the requested upload is not allowed. Cause: the request failed since, when it contains attachments, it is considered an upload URL, and the application's Upload policy forbids uploads from the submitting endpoint. Resolution: in the Configuration program, do one of the following: In order for this reque
245. File Access in the Configuration Program, Overview (page 220). The following sections describe the configuration of the File Access option in the Configuration program. Note: the File Access application can only be configured and used via a Portal trunk. In order to configure the option, you go through the following stages: You configure the File Access administration settings, including: remote users' access to their Home folder and mapped drives, and share permissions; settings that determine how you log on to Novell Directories in order to gain access to Novell NetWare Servers; access permissions to Domains, Servers and Shares. Administration settings are described in File Access Administration Settings on page 221. These settings apply to all trunks where File Access is enabled. If the network includes Novell NetWare Services and you wish to enable remote access to NetWare Servers, you need to set up authentication with the Novell Directory Service (NDS). For details, refer to Configuring Authentication with the Novell Directory Service on page 231. Add the File Access application to the trunk, as described in Creating an SSL VPN Portal on page 28. If the trunk uses the default portal homepage supplied with the IAG, a link to the File Access application is automatically added to the page. When using a custom homepage, you have to manual
246. file cleanup process is started only under one of the two conditions described above. Cleanup does not start when there is a disk overflow: if there is no more space on the disk, the error server stops writing error and trace logs onto the disk, without notification. It is therefore important to configure the Start Cleanup at MB parameter according to the disk's capacity. IIS log files can be excluded from the log file cleanup process, as described on page 29. Once the log file cleanup starts, the log files are deleted starting with the oldest files, according to the file modification time, not according to the file's timestamp. Files are deleted until the total size of the files left on the disk reaches the value defined in Stop Cleanup at MB. For each type of file, the cleanup process leaves a number of files undeleted, as determined by the value defined in Number of Undeleted Files. If, by deleting the files as described above, the total size of undeleted files is down to the value defined in Stop Cleanup at MB, the log file cleanup is complete. If, however, after leaving the number of files defined in Number of Undeleted Files the size still exceeds the Stop Cleanup at MB parameter, the cleanup process ignores the Number of Undeleted Files value and deletes more files, starting with the oldest file, until the total size of the log files in the IAG is reduced to the Stop Cleanup
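The cleanup rules above combine three parameters, and the order in which they are applied matters. The following Python simulation, added here as an example and not code from the IAG product or its documentation, runs the two passes (first honouring Number of Undeleted Files, then ignoring it) over constructed sample files. The LogFile class, the plan_cleanup function and the sample file names are assumptions; the second cleanup trigger condition is on a page not included here and is not modelled, and excluded file types (such as IIS logs) are assumed to count neither toward deletion nor toward the size thresholds.

```python
# Added example (not code from the IAG product or its documentation): a
# simulation of the log file cleanup policy described above, so the interaction
# of Start Cleanup at MB, Stop Cleanup at MB and Number of Undeleted Files can
# be tried on sample data. Class and function names are assumptions; the other
# cleanup trigger condition is not on this page and is not modelled.
from dataclasses import dataclass


@dataclass
class LogFile:
    name: str
    kind: str        # file type, e.g. "error", "trace", "iis"
    mtime: int       # modification time; lower means older (constructed values)
    size_mb: float


def plan_cleanup(files, start_mb, stop_mb, keep_per_type, excluded_kinds=()):
    """Return the names of the files the cleanup would delete, in deletion order.

    Assumption: file types in `excluded_kinds` (e.g. IIS logs) are neither
    deleted nor counted toward the size thresholds.
    """
    managed = [f for f in files if f.kind not in excluded_kinds]
    total = sum(f.size_mb for f in managed)
    if total < start_mb:
        return []                      # the size trigger has not been reached

    remaining = sorted(managed, key=lambda f: f.mtime)   # oldest first, by mtime
    per_type = {}
    for f in managed:
        per_type[f.kind] = per_type.get(f.kind, 0) + 1

    deleted = []
    # Pass 1: delete oldest first, but leave Number of Undeleted Files per type.
    for f in list(remaining):
        if total <= stop_mb:
            break
        if per_type[f.kind] <= keep_per_type:
            continue                   # this type is down to its protected count
        remaining.remove(f)
        per_type[f.kind] -= 1
        total -= f.size_mb
        deleted.append(f.name)

    # Pass 2: still above Stop Cleanup at MB, so the protected count is ignored.
    for f in list(remaining):
        if total <= stop_mb:
            break
        remaining.remove(f)
        total -= f.size_mb
        deleted.append(f.name)
    return deleted


SAMPLE_FILES = [  # constructed sample: four 30 MB logs plus one excluded IIS log
    LogFile("err1.log", "error", 1, 30),
    LogFile("trc1.log", "trace", 2, 30),
    LogFile("err2.log", "error", 3, 30),
    LogFile("trc2.log", "trace", 4, 30),
    LogFile("iis1.log", "iis", 5, 50),
]

if __name__ == "__main__":
    print(plan_cleanup(SAMPLE_FILES, 100, 70, 1, excluded_kinds=("iis",)))
    # ['err1.log', 'trc1.log']
    print(plan_cleanup(SAMPLE_FILES, 100, 20, 1, excluded_kinds=("iis",)))
    # ['err1.log', 'trc1.log', 'err2.log', 'trc2.log']
```

The second call shows the failure mode the text warns about: with Stop Cleanup at MB set far below what the protected files occupy, the protected count is overridden and every managed log is removed, so the three values need to be chosen together against the disk's capacity.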
247. ing Internet traffic on the endpoint computer is routed through the gateway of the corporate network. You can also select to disable local area access in this mode. Note: when using non-split tunneling, note the following: The Additional Networks option is not applicable in this access mode, since all network traffic passes through the Network Connector tunnel in this mode. For details, refer to Additional Networks Tab on page 197. If the Network Connector session on the endpoint computer is ended ungracefully, for example when the computer disconnects from the Internet, users are prompted to re-enable their Internet connection. No Internet Access: endpoint computers cannot access the Internet. You can also select to disable local area access in this mode. Note: in this mode, endpoint computers can only access their local network, the network defined in the IP Provisioning tab and any other networks defined in the Additional Network tab. Determine the IP Spoofing policy. By default, the option Disable Spoofed Traffic is selected: the Network Connector server checks and validates the source IP address of each packet and tunnels only traffic from connected Network Connector clients. If you wish to enable the tunnelling of other traffic, uncheck this option. Apply filtering of any of the following IP-based protocols: TCP, UDP, ICMP.
248. int computers, including the definition of endpoint security policies and the Attachment Wiper and Certified Endpoint options. Chapter 6, SSL Wrapper, describes how you can provide users with secured SSL connectivity via the portal homepage to various TCP/IP client/server applications, such as native messaging applications, standard email applications, collaboration tools, connectivity products and more. It also describes how you provide users with secured SSL connectivity to Domino iNotes servers via a Webmail trunk. Chapter 7, Network Connector, describes the Network Connector feature, which enables you to install, run and manage remote connections as if they were part of the corporate network, supporting full connectivity over a virtual and secure transparent connection. Chapter 8, Providing Access to Internal File Systems, describes how you can provide remote users with access to the organization's internal file systems, including: Local Drive Mapping, which provides access to Windows shared network folders; File Access, which provides web access to the internal Windows Network and Novell NetWare file servers. Chapter 9, Monitoring and Control, familiarizes you with the IAG's monitoring and control tools and interfaces and provides detailed instructions on how to access and use them. Chapter 10, Troubleshooting, describes how you u
249. ion belongs. This field is optional and is not displayed by default. You can enable the display of this field in the file that controls the Web Monitor preferences, in the parameter showAppID. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Customizing the Web Monitor Windows on page 72. Application ID, as displayed in the Configuration program in the General tab of the Application Properties dialog box. Number of users currently accessing the application. Clicking the number of accesses displays the trunk's Application Session Monitor Active Sessions window, described in Application Monitor Active Sessions on page 278. Application Monitor Over Time: the Application Monitor Over Time window is displayed when you click [toolbar icon] in the Application Monitor Current Status window. Use it to monitor application behavior over time for any selected number of applications. Application behavior is displayed in a line chart showing the number of accesses for each selected application. By default, the window refreshes the data at 10-second intervals. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. Use the paging controls to scroll to the period of time you wish to monitor.
250. ion data, described in User Authorization Data on page 77. Figure 10, Application Properties, Web Settings Tab. [Figure: Application Properties dialog box (Webtop Documentum), Web Settings tab, showing the application authentication options (Automatically Reply to Application Specific Authentication Requests, Select Authentication Servers, 401 Request / HTML Form / Both), the application's general web settings (Verify URLs, Learn Mode, Allow WebDAV Methods, Check XML Integrity, Check Out Of The Box Rules, Use Variables in URLs, Allow POST without Content Type, Ignore Requests in Timeout Calculations, Activate Restricted Zone) and the user authorization data (Authorization Key Format Header/Parameter, Source IP Key Format Header/Parameter).] Application Authentication (page 74). This portion of the Web Settings tab is only relevant for applications that request users to authenticate. It defines how to authenticate against the application server, as described in Table 9 on page 74. Table 9, Web Settings Tab, Application Authentication. Parameters: Automatically Reply to Application Specific Authentication Requests; Select Authentication Servers; 401 Request / HTML Form / Both. Description of Automatically Reply to Application Specific Authentication Requests: reply to the application authentication requests with user credentials. Whe
251. ion of the authentication server: 1. In the Configuration program, on the Admin menu, click Authentication and User Groups Servers. 2. In the Authentication and User Group Servers dialog box, select the relevant server and click Edit. For details on each of the parameters in the Edit Server dialog box, click Help. Verify that the authentication server is running. Verify that the authentication server is reachable from the IAG. If not, check the following: Network connections. Verify the configuration of the ISA firewall rule that enables the connection from the IAG to the application server; for details, examine the ISA logs and alerts and, if necessary, consult ISA troubleshooting. Warning 15, Number of Max Concurrent Sessions Exceeded. Symptoms: a remote user attempts to log in to the site. Access is denied and the following message is displayed in the browser window: There are too many users on the web site at the moment. Please try to access the site again in a few minutes. Cause: the maximal number of authenticated sessions that can be open through the site at the same time was reached. Resolution: if this event occurs on a regular basis, increase the number of sessions that can be open through the site: 1. In the Configuration program, open the Advanced Trunk Configuration window of the relevant trunk and access the Session tab. 2. In the Max
252. ions of the new application are derived from the application from which it is copied, with the following exceptions: Application Name, which you assign when you create the new application; Application ID, a unique ID that is assigned to the new application by the system; Portal Application Name, which is the name of the new application. Custom definitions of the application, customizers and application access portal SRA templates, are not applied to the new application. Note: you cannot duplicate the following applications: any of the applications in the Built-In Services group; SharePoint Portal 5 02 in the Web Applications group. To duplicate an application: 1. In the Configuration program, in the Applications area, select and right-click the application you wish to duplicate. From the drop-down menu, select Duplicate. The Application Duplicate Wizard is displayed. 2. In the Wizard screen, assign a unique name to the application, then click Finish. The new application is added to the trunk in the Applications area. 3. Access the Application Properties dialog box of the new application and change the application's server definitions: for Web Applications, in the Web Servers tab; for Client/Server and Legacy Applications, in the Server Settings tab; for Browser Embedded Applications, in both the Web Servers and Server Settings tabs.
253. irtual and secure transparent connection. It enables the gateway to support split tunneling configurations and afford greater network reliability and performance. Integrated Application Firewall: the gateway's deep application-level filtering, assessed through application behavior knowledge, prevents exploits that cause unexpected application responses. It blocks potentially malicious traffic using positive and negative logic rules that identify errant commands and syntax, and reduces the immediacy of server software patches by providing protection from zero-day attacks. Application Aware: because the IAG is application aware, it can address application-specific issues, including security concerns and functionality requirements. This ability enables organizations to customize the behavior of specific applications when accessed remotely. The IAG provides out-of-the-box support for key applications to allow for rapid optimization of the most popular applications in use today. Out-of-the-box application support is optimized for each application type, including features such as URL Inspection rulesets and character definitions, wiping out sensitive information possibly recorded by a web browser during an SSL VPN session, and more. In addition, the application-aware approach provides administrators with tools and interfaces that enable them to define features which are not supported out of the box.
254. is determined when the user first accesses the site. If some of the settings on the endpoint computer are changed after the login, in order for the changes to affect the computer's compliance with the endpoint policies, users need to log out of the site and log in again. For example, if an anti-virus program is installed on the computer but is not running when the user logs in, the computer does not comply with a policy that requires a running anti-virus. If the user then runs the anti-virus program without re-logging in to the site, the computer is still not considered as complying with this requirement until the user logs out of the site and logs in again. This section describes the following: Endpoint Detection on page 95; Session Endpoint Policies on page 95; Application Endpoint Policies on page 99; Default Policies on page 101. Policy configuration options are described in: Basic Policy Configuration on page 103; Advanced Policy Configuration on page 104. Endpoint Detection: in order to be able to determine whether an endpoint complies with the endpoint policies, the IAG attempts to determine which security components are installed and running on the endpoint computer as soon as the user attempts to access the site. This is done by the Endpoint Detection ActiveX component of the Whale Client Components, which is installed on the e
255. 3. In the Components list, check Certificate Services and click Next >. The CA Type window of the Windows Components Wizard is displayed. [Figure: Windows Components Wizard, CA Type: Select the type of CA you want to set up.] Select Stand-alone root CA, check Use custom settings to generate the key pair and CA certificate, and click Next >. The Public and Private Key Pair window of the Windows Components Wizard is displayed. [Figure: Windows Components Wizard, Public and Private Key Pair: Select a cryptographic service provider (CSP), hash algorithm and settings for the key pair; the CSP list includes Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Exchange Cryptographic Provider v1.0, Microsoft Strong Cryptographic Provider and Schlumberger Cryptographic Service Provider.] Select the following: in the CSP list, select Microsoft Enhanced Cryptographic Provider v1.0; in the Hash algorithm list, select SHA-1; in the Key length drop-down list, select 2048. Click Next >. The CA Identifying Information window of the Windows Components Wizard is displayed. [Figure: CA Identifying Information: Enter information to identify this CA.] Common name for t
256. is automatically configured here for Domino iNotes and Domino Webmail applications. When you activate the Startup Page option, this page redirects the user to the appropriate server, according to the definitions of the repository against which the user authenticated when accessing the application. The notes page is located in the following location: Whale-Com\e-Gap\von\InternalSite\ine. Determines whether the application opens in a new window or not; applicable for Web Applications only. Determines the type or types of computers on which the link is displayed: PCs, handheld devices or both. Authorization Tab: this tab is applicable in Portal trunks only, for all application types. You can use it to configure portal homepage authorization and personalization; you can also use it to define local groups. For details, refer to Users Setup on page 32. Figure 17, Application Properties, Authorization Tab. [Figure: Application Properties dialog box (Citrix NFuse FR2 Direct), Authorization tab, showing the All Users Are Authorized option, the Users/Groups list with View and Deny columns, and the Save As Local Group button.] Duplicating an Application: duplicating an application enables you to quickly add a new application to the trunk based on the definitions of an existing application. When you duplicate an application, most of the definit
257. is displayed. [Figure: Select Certificate dialog box listing the available certificates, such as Symantec Root CA, Class 3 Public Primary Certification Authority (VeriSign), Class 2 Public Primary Certification Authority (VeriSign), a test CA and Trusted Endpoint CA, with OK, Cancel and View Certificate buttons.] Select the certificate you wish to use and click OK. The Certificates in the CTL screen of the Certificate Trust List Wizard is displayed, with the certificate you selected. 9. Click Next >. The Name and Description screen of the Certificate Trust List Wizard is displayed. [Figure: Certificate Trust List Wizard, Name and Description, with the sample name New IIS CTL and the description "This CTL is to be used as the list of trusted roots for IIS virtual web sites".] 10. Enter a name and description for the new Certificate Trust List and click Next >. The Completing the Certificate Trust List Wizard screen of the Certificate Trust List Wizard, with a summary of your settings, is displayed. 11. Click Finish. The Certificate Authority is added to the Certificate Trust List. The configuration process is complete. End
258. is required, as described in Windows 2003/XP Support on page 210. To map a share to a local network drive: 1. Using the Add Application Wizard, from the Client/Server and Legacy Applications drop-down list, add the applicable Local Drive Mapping application to the trunk. Tip: for details, refer to Creating an SSL VPN Portal on page 28. 2. Define mapping parameters in the step Server Settings. For details, click Help. Once you add the application to the trunk and activate the configuration, the share is accessible to remote users as soon as they log into the portal homepage. The share is accessible either via Windows Explorer or as a link on the portal homepage, depending on the configuration of the IAG. Windows 2003/XP Support: Local Drive Mapping is supported on endpoint computers that run Windows XP, Windows 2003 and Windows 2000 operating systems. However, in order to enable Local Drive Mapping on Windows XP/2003, you must also add the application Local Drive Mapping Setup (Windows XP/2003) to the site via the Add Application Wizard and run it once from the endpoint computer prior to launching the Local Drive Mapping application. This setup disables SMB over TCP/IP. In order to enable Local Drive Mapping on Windows XP/2003, users are required to run the setup application only once, at the end of which
259. is synchronized with that of the Application Monitor window. Monitor an application or any number of selected applications over time: select the application or applications you wish to monitor and click [toolbar icon] on the toolbar at the top of the window. The Application Monitor Over Time window is displayed, as described in Application Monitor Over Time on page 277. Figure 47, Sample Application Monitor Current Status Window. [Figure: Application Monitor Current Status window (server time 03/14/2006 18:04) listing applications such as Whale Portal, Web Monitor, FTP (Passive Mode), Outlook (Corporate/Workgroup Mode), Telnet, a web application and Microsoft Outlook Web Access 2003 SP1/SP2, with their Type, Group and Accesses columns.] Table 30, Parameters of Application Monitor Current Status Window. Name: application name as defined in the Configuration program in the General tab of the Application Properties dialog box, and the icon representing the application. Note: applications are listed under the trunk where they are configured. Type: internal application type. Group: the group to which the applicat
260. istry settings, select this option to apply the changes before activation. Selecting this option will reload the configuration for all trunks. [Option: Apply changes made to external configuration settings.] Please press the <Activate> button to begin. 2. Select the option Back up configuration after activation, then click Activate >. The IAG configuration is activated and backed up. Running the Backup Utility as a Console Application: you can run the Backup utility as a Console application in a Command line. Note: if you back up the configuration in a Command line, you will only be able to restore it using a Command line, and not via the Configuration interface. To run the Backup utility as a Console application: at the IAG, open a Command line and type whlbackup.exe /b. The IAG configuration is backed up. Restoring the Configuration: once you back up the IAG configuration using the Backup utility, you can use the Restore utility to restore the configuration settings into an installed IAG. You can restore the configuration using one of the following methods: from within the Configuration interface, as described in Restoring the Configuration in the Configuration Program on page 306; by running a Console application in a Command line, as described in Running the Restore Utility as a Console Application on page 306. Note
261. it the application's Legal Characters list to include the character that caused the error, as reported in the message in the Reason field. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, URL Inspection Tab, Out Of The Box Security Configuration on page 147. If you wish to cancel out-of-the-box security checks for this application, take the following steps: 1. Open the Application Properties dialog box and access the Web Settings tab. 2. Uncheck the option Check Out Of The Box Rules. For details, refer to Web Settings Tab on page 73. Warning 49, Unknown Application. Symptoms: a remote user requests a page. The request is denied and the following message is displayed in the browser window: You are not authorized to access this application. For assistance, please contact your system administrator. Cause: wrong configuration of the application in the Configuration program. Resolution: take the following steps in the Configuration program: 1. Use the Application Properties dialog box to locate the application according to the server configuration in the Web Servers tab. 2. Verify the configuration of the server's addresses, paths and ports for this application. For details, refer to Web Servers Tab on page 71. Warning 50, Method not Defined. Symptoms: a remote user requests a p
262. itor using Script mode, in Configuration in the Advanced Policy Editor on page 106. The format of variables that can be used to create policies and expressions using the Advanced Policy Editor, in Variable Formats on page 107. Advanced Configuration Overview: an endpoint policy is made of one or more components. A policy component can be: A variable. Variables are pre-defined basic endpoint detection parameters; you cannot edit variables. For example, the variable Anti-Virus > Symantec > Norton > Running checks whether the Norton anti-virus is running on the endpoint computer. Tip: for a description of variable formats, refer to Variable Formats on page 107. An expression. Expressions are built from variables, free VBScript text, or a combination of both. You can use built-in expressions as is, edit them, or create your own expressions. For example, change the expression Corporate Machine from the default False to a condition that actually defines what a corporate machine is, such as Network > Domains > NetBIOS Domain = "OurDomain". Tip: use expressions to define multiple conditions once and apply them across several policies. VBScript text. Combine VBScript syntax (free text) with expressions and variables to parse and manipulate them in order to define a condition. For example, an expression that checks that the vir
263. ivate > button to begin. Click Activate >. Note: we recommend that you activate the option Back up configuration after activation, so that the configuration settings are backed up. For more details, refer to Backup & Restore Utility on page 303. Once the configuration is activated, the following message is displayed: IAG configuration activated successfully. HTTP or HTTPS protocols that arrive at the port defined in the trunk will be transferred to and from the application server specified in the configuration. In addition, the Create New Trunk Wizard automatically creates an external website on the Internet Information Services (IIS), in the following location: Whale-Com\e-Gap\Von\Conf\WebSites\<site_name>, where <site_name> is the trunk name defined in the Setting the Trunk step in the Create New Trunk Wizard. The website's root folder, root, is created under this folder. Where To Go From Here: once a trunk is created, you can edit it in the Configuration program. The items you can edit and configure are as follows. Options that are described in this chapter include: for HTTPS Connections trunks, creating a Redirect trunk in order to redirect HTTP requests, as described in Creating a Redirect Trunk on page 58; editing general trunk parameters, as described in Editing Trunks
264. ivate the Service Policy Manager configuration file. The parameters you defined here are available for selection during trunk creation and configuration in the Configuration program. When the Configuration program is started, it reflects the parameters in the last activated Service Policy Manager configuration file. If the Configuration program is already running when you activate the Service Policy Manager configuration file, then when you return to the Configuration program the IAG prompts you to apply the new parameters. Table 3, Pre-configuration Trunk Parameters. Available IP Addresses: create lists of these IP addresses: External Website, Application Server. Tip: if you want to restrict the list of IP addresses to those entered in the Service Policy Manager, delete the wildcard value. Available Port Numbers: create lists of these port numbers: External Website (HTTP and HTTPS), Application Server. Tip: you can add a single port or a range of ports. Default IP Address: select the IP addresses that will be displayed by default in the Configuration program. Default Port Numbers: select the port numbers that will be displayed by default in the Configuration program. Creating a Webmail or a Basic Trunk (page 54): you create a Webmail or a Basic trunk using the Create New Trunk Wizard in the Configuration program. The trunk can be created unde
265. k activities when they detect that the application within which they run is on their block list. When disabled in this manner, the LSP and NSP modules do not enable access from this application to the corporate network. Tip: when access to an application in the corporate network is blocked because it is included in the block list, users may still gain access to other application servers that reside on the local intranet or the Internet. The LSP/NSP modules contain two inherent application lists: A block list, containing applications that are known to be problematic. Access to these applications from within the corporate network is always blocked, regardless of the selected Socket Forwarding activation mode. An allow list, containing applications for which the LSP/NSP will always be active, regardless of the selected Socket Forwarding activation mode. Blocking of additional applications depends on the Socket Forwarding activation mode defined during application configuration: Basic: in this mode, none of the applications that load the LSP/NSP modules are enabled access to configured corporate resources unless the SSL Wrapper is running and at least one tunnel is open. Windows services (non-interactive applications) are not allowed access to configured corporate resources in this mode, regardless of whether the SSL Wrapper is running or not. Extended: this mode is identical to the Basic m
266. k to display the results of the last query submitted, regardless of any changes you might have made in the query form. Application Monitor Statistics Window: Query Results View. Query results are displayed in the Application Monitor Statistics window after you submit a query in the query form, as described in Application Monitor Statistics Window Query Form on page 279. At the top of the window, query details are displayed, including period, interval, and query type, as you defined in the query form. If query results are available only for a part of the defined period, this is also indicated under the Period field. Query results are displayed in two views: A line chart displays the number of concurrent accesses to each of the applications in the query. The color that represents each application on the chart is indicated in the legend, to the left of the application name and icon. The table at the bottom of the window displays information on each of the applications that were queried, as described in Table 32 Application Monitor Statistics Window Query Results on page 282. You can view the data that is displayed in the chart in a tabular format by clicking the corresponding toolbar button. Use the paging and zooming controls to focus the view on the period of time you wish to monitor. Tip: When you zoom out to the smallest view, the window displays the entire period that is queried, up to the pr
267. king the terminate button terminates the session; the session is no longer displayed in the User Session List. Tip: Once you terminate a session, the status of the session in the Session Monitor Active Sessions window changes to unauthenticated. For details refer to Session Monitor Active Sessions on page 268. Note: You cannot terminate the current session. This window enables you to view and analyze both the history and the current status of the users of the IAG, such as the average session duration for each user, or the currently active sessions. Use the query form to submit a query, as described in User Monitor Statistics Window Query Form on page 289. The User Monitor Statistics window then displays the query results, as described in User Monitor Statistics Window Query Results View on page 290. User Monitor Statistics Window Query Form: When you first access the User Monitor Statistics window, the query form is displayed. Use this form to define the query: Select the trunk for which to generate the query. Define the period of time for which to generate the query: select a pre-defined period, such as Today or Last Month, at the top of the Period area, or define start and end dates at the bottom of the Period area. Define the lead user or users for which to generate the query. Note the followin
268. l Web Monitor. Figure 45: Session Monitor Statistics Window Query Form (screenshot of the query form, showing the Trunks, Period, Interval, and Query type fields with Sample Chart and Peak Chart options, and the Submit and Reset buttons). After you submit a query, when you return to the query form from the query results view, you can click the corresponding button to display the results of the last query submitted, regardless of any changes you might have made in the query form. Session Monitor Statistics Window Query Results: Query results are displayed in the Session Monitor Statistics window after you submit a query in the query form, as described in Session Monitor Statistics Window Query Form on page 272. At the top of the window, query details are displayed, including period, interval, and query type, as you defined in the query form. If query results are available only for a part of the defined period, this is also indicated under the Period field. Query results are displayed in two views: A line chart displays the number of concurrent sessions for each of the trunks in the query. The color that represents each trunk on the chart is indicated in the legend, to the left of the trunk name. The table at the bottom of
269. l the identification of downloads by size for this application, take the following steps: 1. Open the Application Properties dialog box and access the Download/Upload tab. 2. In the Downloads area, uncheck the option Identify by Size. Note: If none of the options in the Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy. If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details refer to Application Endpoint Policies on page 99. Warning 35: Download Policy File Extension Violation. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Download policy, the requested download is not allowed. Cause: The response failed since its extension renders it a download, and the application's Download policy forbids downloads to the requesting endpoint. Resolution: In the Co
270. ld be enabled to them via the server. If the IP pool is a private pool and the Internet access level defined in the Access Control tab is split or none, then in order to enable access to the corporate network you must use the Additional Networks option to add the corporate network. In this setup, if you do not add the corporate network, remote clients are granted access to other clients only and cannot access the corporate network. For details refer to Additional Networks Tab on page 197. To define the IP pool: 1. In the Pool Type area, select the type of IP pool you wish to define. If you select Private IP Addresses, additional configuration is required, as described in Using a Private Pool Additional Configuration on page 195. 2. In the Address Pool area, define the range or ranges of IP addresses that can be assigned to remote clients. Note the following: You can enter up to 10 ranges of IP addresses. All the addresses you define here use the same subnet mask; you cannot define both corporate IPs and private IPs. The subnet for the IP ranges you defined is displayed in Pool Subnet. Figure 31: Sample IP Provisioning Tab (screenshot of the Network Connector Server window, IP Provisioning tab, with Pool Type set to Private IP Addresses).
271. lid application process is applicable for Portal trunks only. It indicates that the executable that runs the application on the client and attempted to access the application server is not authorized to access this application. In this case, in the Configuration program, in the Application Properties dialog box, in the Client Settings tab, verify the configuration of the option Bind Tunnel to Client Executable (Client Executable and Signature). For details refer to Client Settings Tab on page 86. Error 79: Connection to Web Application Failed. Symptoms: A remote user attempts to access an application from the portal homepage. The request is denied and the following message is displayed in the browser window: The page cannot be displayed. Cause: The IAG cannot establish a connection with the application server. The failure can be caused by one of the following: The application server is not configured correctly in the Configuration program, for example an invalid IP address, port, or path. The application server is not running. The application server is not reachable from the IAG. The cause of the login failure is reported in the message, in the Error field. Resolution: Verify the configuration of the application server in the Configuration program as follows: For Portal trunks, in the Application Properties dialog box, in the Web Servers tab. For details refer to Web Servers Tab on page 71
272. like view from which all permitted file folders can be accessed. This section describes: How File Access works, on page 212. How you enable remote access to the File Access application, on page 212. Configuration of the File Access option in the Configuration program, on page 220. How File Access Works: The File Access application enables you to define the domains, servers, and shares which will be accessible to authorized remote users over the Internet. The existing network resource definitions are used as the basis for the File Access definitions, including: Domains; Servers; Shares; Individual user permissions. After you define the enabled File Access resources, remote users are able to view only the specific folders for which they already have access permissions within the organization. These will invariably be a subset of the cross-organization domains, servers, and shares defined for File Access. However, if the remote user has permission to access a certain domain, server, or share which was not defined as part of File Access, these locations will not be accessible, regardless of such permission. Enabling Remote Access to the File Access Application: This section describes how you set up the IAG to enable remote access to the File Access application. Windows Domain Settings on page 212 describes the steps you need to take in order to enable access
273. loses. Once the trunk is activated, the application is accessible to users according to the authorization permissions you defined in this procedure. If you use the default portal homepage, the portal is personalized according to each user's access permissions. Selecting Users and Groups: This section describes how you use the Select Users or Groups dialog box to select users and groups of users when you: Define local groups, as described in Local Groups on page 35. Define authorization for an application, as described in Defining Authorization for Portal Applications on page 38. The dialog box is divided into two main areas: The Repository Users and Groups area changes according to the type of item selected in the Look in drop-down list: If a users/groups server is selected in the Look in drop-down list, all the users and groups in the selected repository are listed in the Repository Users and Groups area. If Local Groups is selected in the Look in drop-down list, all the defined local groups are listed in the Repository Users and Groups area. The Selected Users and Groups area lists the users and groups that you selected in the Repository Users and Groups area. These are the users and groups that will be added to the local group or to the application's Authorization tab, as applicable. Figure 2 Sample Sele
274. ly add the link to the page. For details refer to the Intelligent Application Gateway Advanced Configuration guide, to Using a Custom Portal Homepage on page 61. Optionally, you can change the date format of files and folders as they will be viewed on remote users' browsers, as described in Changing the Date Format of Files and Folders on page 234. You can also configure the File Access application so that users are not presented, in the end-user interface, with a folder tree on the left pane. This prevents users from browsing to any folders other than the one defined as the application URL or its subfolders. For details refer to Hiding the Folder Tree in the End User Interface on page 234. Tip: You can customize the language definitions of the end-user pages, as described in the Intelligent Application Gateway Advanced Configuration guide, in Changing File Access Language Definitions on page 71. File Access Administration Settings: You configure the File Access administration settings once, for all the trunks where the File Access option is activated. Administration settings include: Configuring remote users' access to their Home folder and to mapped drives, and users' view permissions to configured shares, described in Configuring Home Directory, Mapped Drives, and Share Permissions on page 223. The settings that determine how you log on to Novell Directories in order to gain access to Novell Net
275. m is running on this computer. Session Endpoint Policies: When you create a trunk, you assign it two session policies: Session Access Policy defines access permissions to the site. Only endpoints that comply with the selected policy are allowed access. Privileged Endpoint Policy defines the conditions that render an endpoint a privileged endpoint, which can enjoy session privileges. For information about privileged session settings, refer to the Intelligent Application Gateway Advanced Configuration guide, to Default and Privileged Session Settings on page 137. You select those policies in the Endpoint Policies step of the Create New Trunk Wizard (screenshot: Step 7, Endpoint Policies, where Session Access Policy controls access to the trunk depending on endpoint policies, set to Default Session Access, and Privileged Endpoint Policy defines a policy for endpoints that enjoy session privileges, set to Default Privileged Endpoint; an Edit Policies button is also shown). Note: The number of the step where you define endpoint policies for the session may vary, depending on the type of trunk you are configuring. Once the trunk is created, you can change the selection of policies in the Session tab of the Advanced Trunk Configuration window, in the Endpoint Policies area (screenshot: Endpoint Policies area, Session Access Policy set to Default Session Access).
276. m> must contain one each of the following elements: <Name>, described on page 255; <Binary>, described on page 255. <Message> > <Params> > <Param> > <Name>: Description: Child element of <Param>. Defines the parameter name. Usage: One and only one <Name> element must be nested under <Param>. Child Elements: None. <Message> > <Params> > <Param> > <Binary>: Description: Child element of <Param>. Determines whether the parameter value is binary or not, where 1 means the value is binary and 0 means the value is non-binary. Usage: One and only one <Binary> element must be nested under <Param>. Child Elements: None. <Message> > <Reporters>: Description: Defines the reporter or reporters to which the message is sent. You can define any of the following reporters: builtin log: the IAG's built-in reporter, described in Configuring the Built-In Reporter on page 242. radius accounting: reporting to a RADIUS Accounting server, as described in Configuring the RADIUS Reporter on page 243. Note: Only the messages that are configured by default to report to the RADIUS reporter can be sent to the RADIUS Accounting server. No other messages can be sent to the RADIUS server regardle
277. me network as the IAG. The Web Monitor application can be accessed via port 50002 on the IAG. For example, if the IP address of the IAG is 192.168.1.45, enter the following URL in the browser's Address bar: http://192.168.1.45:50002. Remotely, via the IAG SSL VPN portal: To enable remote access via the portal, in the Configuration program use the Add Application Wizard to add the Web Monitor application to the trunk; the application is part of the Built-In Services group. Once you add the application to the trunk, access the Authorization tab of the Application Properties dialog box and define the users that are authorized to access the application. By default, no users are authorized to access the application. For details refer to Defining Authorization for Portal Applications on page 38. In order to enable access to the Web Monitor from computers other than the IAG, you need to configure the user or users that are allowed to access it, as described in Enabling Web Monitor Access from Computers Other Than the IAG on page 261. Enabling Web Monitor Access from Computers Other Than the IAG: Note: This section describes how you enable access to the Web Monitor application from computers other than the IAG; this configuration procedure is required for users who access this application both locally, from within the organization, and remotely, via the portal homepage. In additio
278. med <Server_Name> Wh1lFilter default <Time_Stamp> log. Resolve the original cookie name using the EncryptedName and OrigName parameters in the log file; the encrypted name is indicated in the Description field of the event in the Event Viewer. Still at the IAG, in the Configuration program, open the Application Properties dialog box for this application and access the Cookie Encryption tab. In order to exclude the cookie from the cookie encryption process, do one of the following: If the encryption mode is Include, remove the cookie that was blocked from the Cookies list. If the encryption mode is Exclude, add the cookie that was blocked to the Cookies list. For details refer to Cookie Encryption Tab on page 80. Warning 105: Restricted Zone Policy URL Violation. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Restricted Zone policy, the requested URL is not allowed. Cause: The request failed since this URL is defined as a restricted zone URL for this application type, and the application's Restricted Zone policy forbids access to the zone from this endpoint. Resolution: In the Configuration program, do one of the following: In order for this URL not to be part of the restricted zone for this applicatio
279. menu bar. 1. In the Configuration program, on the Admin menu, click Local Groups. The Local Groups dialog box is displayed. 2. In the Local Groups dialog box, click Add. The Name Local Group dialog box is displayed. 3. Name the group, then click OK. The Add Local Group dialog box is displayed. The name you assigned to the group is displayed in the title bar and in the left pane of the dialog box (screenshot: Add Local Group dialog box for a group named AppGroup, with Add, Include/Exclude, Remove, and Help buttons). 4. In the Add Local Group dialog box, click Add. The Select Users or Groups dialog box is displayed (screenshot: Select Users or Groups dialog box, with a Look in repository selector, a Repository Users and Groups area with Users, Groups, and Search controls, and a Selected Users and Groups area with Add, Remove, OK, Cancel, and Help buttons). Use the Select Users or Groups dialog box to select the users and groups that will be included in the local group. If other local groups are already defined, they can also be selected as part of the current group. For a description of how you use the Select Users or Groups dialog box, refer to Selecting Users and Groups on page 43. Once you select the users and groups you wish to assign to the local group, cl
280. message they receive if their computer does not comply with the policy and access is denied. Note: Some of the default policies come with explanatory text which is tailored to the functionality of the policy. If you change the policy, make sure you also change the explanatory text so that it reflects the new or revised functionality. When you finish editing the policy, click the button that closes the Advanced Policy Editor, then click the button that closes the Policies dialog box. Variable Formats: This section describes the format of the variables you can use when creating policies and expressions. Table 17: Policy Variable Formats. Variable / Data Type / Comments: APP/AS/AV/PFW_ _Version_Product / String / Desktop Search, Anti-Spyware, Anti-Virus, or Personal Firewall product version. APP/AS/AV/PFW_ _Version_Engine / String / Desktop Search, Anti-Spyware, Anti-Virus, or Personal Firewall engine version. APP/AS/AV/PFW_ _Version_Dat / String / Desktop Search, Anti-Spyware, Anti-Virus, or Personal Firewall IDS definitions version. Table 17: Policy Variable Formats (Cont'd). Variable / Data Type / Comments: APP/AS/AV/PFW_ _Version_Build / String / Desktop (remainder of the comments column not recovered). APP/AS/AV/PFW_ _LastUpdate / Double. Network_Domains_ / String. System_Browser / String. System_OS_WinNTServicePackVersion / String. System_WindowsLoggedOnUser_UserName / String. All other variables / Boolean. Endpoint Settings
281. meter to the description of a successful login message, define a parameter named UserName and include it in the message as follows: User UserName logged in successfully. Usage: One and only one <DynamicDesc> element must be nested under <Message>. Child Elements: None. <Message> > <Params>: Description: Defines optional parameters that can be used as follows: As part of the long description of the message, in the <DynamicDesc> element. For details see <DynamicDesc> on page 253. In the Web Monitor, in the Event Query window, to query events by trunk name and session ID. For information on querying events in the Web Monitor, refer to Event Query on page 295. Note: You cannot use custom parameters as query parameters in the Event Query. Usage: One and only one <Params> element can optionally be nested under <Message>. Child Elements: <Params> can contain an unlimited number of <Param> elements, described on page 255. <Message> > <Params> > <Param>: Description: Child element of <Params>. Defines a single parameter. For a description of parameter usage, refer to <Params> on page 254. Usage: An unlimited number of <Param> elements can be nested under <Params>. Child Elements: <Para
282. meters. Description: Adds a link to this application on the Whale Portal (the default portal homepage supplied with the IAG) and the Whale toolbar. Name of the application on the portal homepage and in the Whale toolbar. Table 16: Portal Link Tab Parameters (Cont'd). Parameter / Description: Folder: A folder or subfolder on the portal homepage via which users access the application. Enables you to group a number of applications on the portal homepage together under one link. For example, you may want to create a folder called DriveMappings and to place all Local Drive Mapping applications under it. Only the DriveMappings folder will be visible on the portal homepage. In order to place a number of applications under one folder, enter the same folder information for all the applications that will reside in the same folder. For a folder with no subfolders, enter only the folder name. For a subfolder, use this format: folder subfolder A subfolder B. Note: The name of the root folder in the folder structure is the name of the Whale Portal application, as defined in the Portal Application Name field (by default, Whale Portal). The folder structure is not retained in the Whale toolbar. Application URL: Internal entry link (URL) from the portal to the application. Note: The URL must be an
283. missions settings affect the Share level only; they do not affect the way users view folders in a share. To configure Home Directory, mapped drives, and share permissions: 1. Access the File Access window, as described in Accessing the File Access Window on page 222. 2. In the left pane of the File Access window, under General, click Configuration. The Configuration settings are displayed in the right pane (screenshot: Secure File Access Administration page in the browser, Configuration view, showing the Home Directory Configuration options Don't Define Users' Home Directories, Use Domain Controller Settings for Home Directories, Use the Following Template for Home Directories, and User's Home Directory Will be Displayed Every Time File Access is Loaded; the Mapped Drives option Show Mapped Drives; and the Share Permissions option Show only the shares a user is permitted to access). 3. To configure access to the Home Directory, select one of the following options: Don't Define User's H
284. mit to the chart; clicking the remove button removes the display from the chart. Application Monitor Current Status: This window provides a view of all the applications that are enabled for access via the IAG, in all trunks. The parameters that are provided for each application are described in Table 30, Parameters of Application Monitor Current Status Window, on page 277. You can select whether to display applications in a folder view or not by clicking the folder view or list view button at the top of the window, respectively. If no folders are defined, the button is disabled. By default, the window refreshes the data every 15 seconds. If required, you can customize the refresh rate, as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. You can also use the Application Monitor to: View the status of an application or any number of selected applications. Select the application or applications you wish to view and click the status button on the toolbar at the top of the window. A column chart is displayed, showing the current status of the selected applications. By default, you can view the status of up to 15 applications. If required, you can change this value, as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. The refresh rate of the window
285. mp (screenshot: Event Query results, with the columns Severity, Time, ID, Type, Category, Trunk, and Description, showing sample Information events of the types User Removed from Session, Session Stopped, and Web Monitor Logout, and sample Warning events of the type User Login Failed with the error Invalid Credentials; callout: Click the ID number to view troubleshooting information for this message, applicable for Warning and Error messages). By default the wind
286. mponent installation in Interactive mode: 1. Deploy the following folder, including all files and subfolders: Whale Com e Gap utils OfflineClientSetup. 2. Advise users to double-click the file Setup.exe, located under this folder. The Whale Client Components Installation wizard starts. Users can follow the instructions on the screen to complete the wizard and install the components on their computer. Prerequisites for Running the Whale Client Components: Table 20 on page 159 lists the prerequisites on the endpoint computer for running the Whale Client Components once they are installed on the computer, including: Prerequisites for running the ActiveX components: the Attachment Wiper, Endpoint Detection, and SSL Wrapper components. Prerequisites for running the Socket Forwarding component. Prerequisites for running the Network Connector component, both via the SSL Wrapper ActiveX component and via the SSL Wrapper Java applet. There are no special prerequisites for running the Client Trace and Socket Forwarding Helper utilities. Table 20: Prerequisites for Running the Client Components. Prerequisite / ActiveX Components / Socket Forwarder / Network Connector via ActiveX SSL Wrapper / Network Connector via Java SSL Wrapper: Operating system / Windows 2000 or higher / Windows 2000 or higher / Windows 2000 or higher / Windows 2000 or higher. Table 20: Prerequisites for Running the Client Compone
287. n Identify by Size in the Uploads area of the Download/Upload tab. Note: If none of the options in the Uploads area are activated, no uploads to the application are blocked, regardless of the settings of the application's Upload policy. If you wish to enable uploads from the requesting endpoint, edit the application's Upload policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details refer to Application Endpoint Policies on page 99. Warning 43: Upload Policy File Extension Violation. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Upload policy, the requested upload is not allowed. Cause: The request failed since its extension renders it an upload, and the application's Upload policy forbids uploads from the submitting endpoint. Resolution: In the Configuration program, do one of the following: If, for this application, you wish requests with this extension to be considered regular requests and not uploads, edit the application's uploads Extension List
288. n, in order to enable remote access to the Web Monitor application via the portal homepage, you must also configure authorization for this application, as described in Defining Authorization for Portal Applications on page 38. The Web Monitor application is protected by the Windows Local Users and Groups management tool. During the installation of the IAG, a dedicated group is created in the Windows Local Users and Groups Manager on the IAG. This group is used for authentication against the Web Monitor application. The group's default settings are: Group name: Web Monitor Users. One user is defined as a member of this group: IAG Administrator. By default, this user is disabled. In order to enable access by this user to the Web Monitor, you need to enable the user's account and assign a password, as described in the procedure that follows. You can also use the Local Users and Groups Manager to add other users, from other groups and other domains, as members of the Web Monitor Users group, who are then allowed to access the application. Note: In an IAG High Availability Array, you must assign the same users to the Web Monitor Users group on all the IAG servers that are part of the Array. For details refer to Web Monitor High Availability Support on page 298. To grant the IAG Administrator user access to the Web Monitor: 1. In the Configuration program, access the Local Users and Groups Manager.
289. n 10 days, using the same browser you used to request to become a Certified Endpoint. Close: Close the Certified Endpoint window. Your computer is not yet certified. You can continue to use the available portal options as before. Within the period of time specified on the Certified Endpoint window, you must use the same browser to check the status of your request, as described in Checking the Certified Endpoint Request Status on page 144. Checking the Certified Endpoint Request Status: The administrator needs to approve your request for Certified Endpoint status and issue a certificate accordingly. You must periodically check the status of the request and install the certificate within the period of time specified in the Certified Endpoint window. Note: If you do not install the certificate within the specified time period, you must re-initiate the request process. To check whether the request for Certified Endpoint status has been approved: 1. Access the portal and click the Certified Endpoint button or link. One of the following is displayed in the Certified Endpoint window. Message / Do This: Certificate Issued / Proceed to Installing the Certificate and Logging In as a Certified Endpoint User on page 144. Certified Endpoint Request in Progress / Check again within the period of time specified on the Certified Endpoint window, described on page 144, using the same b
...IAG server that is removed from the Array:
1. At the IAG server whose reports you wish to query, access the location where the logs of the Built-In reporter are saved. The location is defined in the Built-In tab of the Event Logging dialog box, as described in Configuring the Built-In Reporter on page 242. By default, the logs are saved in the following location: Whale-Com\e-Gap\logs\Events. Log files are saved under this folder in the following format: <computer_name> BuiltinLog default <time_stamp>.log. For example, on a computer named comp1, a log file that was created on November 24, 2005 at 09:06:19 is named: comp1 BuiltinLog default 24 11 05 09 06 19.log
2. Copy the relevant file or files to one of the IAG servers that are part of the Array, placing them in the location where the logs of the Built-In reporter are saved on that computer, and rename the files so that <computer_name> is the name of the computer where you are placing the file. For example, if you are placing the file described in step 1 on a computer named comp2, rename the file as follows: comp2 BuiltinLog default 24 11 05 09 06 19.log. If such a file already exists, change the time stamp as well.

You can now query the events logged in the file or files you copied, on the IAG server where you copied the files, in the Event Query.

SSL Event Monitoring

You can set the Registry settings of the IAG so that SSL connec...
...for the selected application. For information about other relevant applications, see the Intelligent Application Gateway Application Aware Settings guide.

[Figure 8: Application Properties, Sample General Tab. The screenshot shows the General tab of the Application Properties dialog box for a Webtop (Documentum) application, with the following callouts: Select prerequisite applications (portal trunks only); Select application Endpoint Policies; Application Type is displayed in the title bar (portal trunks only); Application Name: Webtop; Application ID: 87F596957EEA412D80665EFC2CCD28 F (Tip: for Web and Browser-Embedded Applications, you can copy the application ID here; portal trunks only); Number of Prerequisite Applications: 0; Inactivity Period (Minutes); Endpoint Policies: Access (Default Web Application Access), Portal Link on Non-Complying Clients (Grayed / Invisible), Download (Default Web Application Download), Upload (Default Web Application Upload), Restricted Zone (Default Session Access), Edit Policies (click to open the Policy Editor); Application-Aware Settings (additional application-specific information is available when applicable).]

The method by which the IAG identifies URLs in order to enforce the application's Upload and Download policies is defined in the Do...
...settings, click the button at the bottom of the File Access window. Once you activate the configuration, remote users are able to access the selected domains, servers, and shares through the File Access interface, depending on their access permissions within the organization.

Configuring Authentication with the Novell Directory Service

Note: This section is only relevant if the network includes Novell NetWare Services and you wish to enable remote access to NetWare Servers.

This section describes the steps you need to take in order to enable remote access to NetWare Servers, including:
- Configure a Novell Directory authentication server.
- Assign the Novell Directory authentication server as one of the trunk's session authentication servers.

To enable remote access to NetWare Servers:
1. In the Configuration program, on the Admin menu, click Authentication and User Group Servers. The Authentication and User Group Servers dialog box is displayed.
2. In the Authentication and User Group Servers dialog box, click Add. The Add Server dialog box is displayed.
3. From the Type drop-down list, select Novell Directory and define the server. For details, click Help.
4. When you finish defining the server, click OK to close the Add Server dialog box. In the A...
...this option is activated, once users enter a set of credentials that is valid for the application (for example, during the initial login), they do not have to authenticate again against the application server. If the authentication data is not received by the application server, the session is deemed unauthenticated and access is denied.
- Select a server, or a number of servers, that will be used for authentication against the application when users access the application.
- Select this option if the application requires users to authenticate using HTTP 401 requests.
- Select this option if the application requires users to authenticate using an HTML form.
- Select this option if the application might require users to authenticate using both HTTP 401 requests and HTML forms. The Form Authentication Engine handles HTML authentication forms. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Appendix C, Form Authentication Engine.

To add a server to the list of authentication servers:
1. Double-click anywhere in the Select Authentication Servers list, or click Add. The Authentication and User Group Servers dialog box is displayed.
2. For instructions on how to use the Authentication and User Group Servers dialog box, click Help.

General Web Settings

General web settings of the application are described in T...
...type, take the following steps:
1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab.
2. In the Restricted Zone URLs list, select the corresponding rule and do one of the following:
   - Click Edit and use the Edit Restricted Zone URLs dialog box to change the URL or the method, as applicable.
   - If you wish the URL not to be part of the restricted zone, remove it from the Restricted Zone URLs list.
   For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Restricted Zone URLs on page 158.

If you wish to disable the Restricted Zone feature for this application, take the following steps:
1. Open the Application Properties dialog box and access the Web Settings tab.
2. Uncheck the option Activate Restricted Zone.

If you wish to enable access to the restricted zone from the submitting endpoint, edit the application's Restricted Zone policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99.

Warning 106: Restricted Zone Policy Parameters Violation

Symptoms: A...
...endpoint computer.

Note: For information on the Whale Client Components, refer to Whale Client Components on page 147.

When the option Disable Component Installation and Activation, in the Session tab of the Advanced Trunk Configuration window, is activated, the Endpoint Detection component is not installed or activated on endpoint computers.

The Endpoint Detection component verifies the identity of the IAG site against the site's server certificate and checks whether the site is on the user's Trusted Sites list; only if the site is trusted will the component run on the endpoint computer and collect the data that identifies which security components are installed and running on the computer.

Tip: For information on how the IAG site can be added to the user's Trusted Sites list, refer to IAG Trusted Sites on page 160.

If the Endpoint Detection component is not running on the endpoint computer (for example, on computers where the Whale Client Components are not enabled, or when using a browser other than Internet Explorer), compliance with policies is not detected. When detection is not functional on an endpoint computer, access may be denied even though the computer does comply with the requirements of the policy. For example, if an application's policy requires a running anti-virus program, and such a program is running on the computer, access to the application is still denied, since the IAG cannot detect that the progra...
...endpoint computer for the installation of the Whale Client Components, including prerequisites for each of the available installation modes.

Table 18: Prerequisites for Installing the Whale Client Components

Prerequisite | Online Installation | Component Installer | Offline Installation
Operating system: Windows 2000 or higher | S | S | S
Browser: Internet Explorer 6.0 or higher | S | S | X
Browser enables download of signed ActiveX objects | S | X | X
Browser enables running of signed ActiveX objects | S | X | X
On Windows 2000, XP, and 2003: power user privileges | S | S | S

For the Socket Forwarding component, the endpoint computer must meet the Install Socket Forwarding Component Policy set in the Session tab, in the Endpoint Policies area. For details, refer to Endpoint Policies on page 93.
For the Network Connector component: any browser supported by the IAG. For a list of supported browsers, see Supported Browsers on page 19.
For the Socket Forwarding and Network Connector components: Administrator privileges.

Online Whale Client Components Installation

Note: The Whale Client Components are only installed on the endpoint computer in online installation mode if component installation is enabled for the trunk, that is, the option Disable Component Installation and Activation is not selected in the Session tab of the Advanced Trunk Configuration window.
...Panel, double-click Administrative Tools, then double-click Services.
2. Select and right-click the applicable service, then select Start.

Warning 8: IAG Configuration Login Failed

Symptoms: When attempting to log in to the Configuration program, the login fails and the following message is displayed: Incorrect Password.
Cause: Incorrect password used.
Resolution: Log in using the correct password. If you forgot the password, you can assign a new password for the Configuration program as follows:
1. At the IAG, access the Service Policy Manager.
2. In the Service Policy Manager, on the Admin menu, click Change Passwords.
3. In the Change Password dialog box, activate the option Use same password for all applications, then enter the passphrase and the new password, and click the button to apply the change.

Note: The password must contain at least six digits. Changing the password in this manner is global and affects the Service Policy Manager as well.

Warning 11: Concurrent Sessions Threshold Reached

Symptoms: None.
Cause: This is a warning that the threshold of the number of sessions that can be open through the site at the same time was reached. When the threshold is reached, this message is logged whenever a new session is established, until the number goes below the threshold again. Once the maximal number of sessions that can be open through the site at the same time is reached,
...new sessions can no longer be established.
Resolution: If this event occurs on a regular basis, do one of the following:
- Verify that the defined threshold is not too low.
- Increase the number of sessions that can be open through the site and raise the threshold accordingly.
You define those settings at the IAG, in the Configuration program, as follows:
1. Open the Advanced Trunk Configuration window of the relevant trunk and access the Session tab.
2. Modify the required settings in the Concurrent Sessions Threshold and Max Concurrent Sessions fields, respectively.

Warning 12: Concurrent Unauthenticated Sessions Threshold Reached

Symptoms: None.
Cause: This is a warning that the threshold of the number of unauthenticated sessions that can be open through the site at the same time was reached. When the threshold is reached, this message is logged whenever a new unauthenticated session is established, until the number goes below the threshold again. Once the maximal number of unauthenticated sessions that can be open through the site at the same time is reached, additional unauthenticated sessions cannot be established.
Resolution: If this event occurs on a regular basis, do one of the following:
- Verify that the defined threshold is not too low.
- Increase the number of unauthenticated sessions that can be open through the site and raise the thr...
...Configuration program, do one of the following:
- If, for this application, you wish responses with this extension to be considered regular responses and not downloads, edit the application's Downloads Extension List as follows:
  1. Open the Application Properties dialog box and access the Download/Upload tab.
  2. In the Downloads area, edit the Extension List accordingly. For details, refer to Download/Upload Tab on page 82.
- If you wish to cancel the identification of downloads by extensions for this application, take the following steps:
  1. Open the Application Properties dialog box and access the Download/Upload tab.
  2. In the Downloads area, uncheck the option Identify by Extensions.
  Note: If none of the options in the Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy.
- If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99.
...ng User Name and Password (Username, Password, Close).
3. Select one of the following options:
   - Using Windows User Name: use the same credentials you used when you logged onto the File Access window, as described in Accessing the File Access Window on page 222.
   - Using the Following User Name and Password: enter credentials with which to log on.
   Tip: Make sure the credentials you assign here enable you to view all the NetWare Servers to which you wish to configure access, such as the credentials of a Novell administrator.
4. Click Save, then click Logon. The system logs you on to the Novell NetWare Services. When you configure Novell NetWare Servers, the servers and shares that are enabled to the user you define here are displayed in the File Access window.
5. Go on to configure remote users' access to domains, servers, and shares, as described in the procedure that follows.

Note: In order to log on to a different tree, enter the applicable credentials and click Logon. Only one set of credentials can be saved in the Novell Logon window. Any time after the initial configuration, in order to modify the configuration of remote users' access to the NetWare Servers, you need to log on to the Novell NetWare Services using the Novell Logon window.

Configuring Access to Domains, Servers, and Shares

This section describes how you...
...ngs. Figure 22 on page 123 illustrates the following:
- Steps that the administrator has to perform to enable the Certified Endpoint feature when using a remote CA.
- Steps that the end user must perform in order to be recognized as a Certified Endpoint (depicted in the shaded areas).

[Figure 22: Sample Flow for Enabling Certified Endpoint Using a Remote CA. Legend: shaded steps are performed by the end user. Flow: Install CA certificate to Certificate Store on IAG; Enable Certified Endpoint in Configuration program; Update CTL with new CA; Back up certificate settings; Install certificate as directed by the administrator (end user); User's computer is a Certified Endpoint.]

Certified Endpoint Configuration Steps

Depending on the way you set up the Certified Endpoint feature (refer to Certified Endpoint Configuration Overview on page 118), the following procedures are available for configuring the Certified Endpoint feature:
- Installing a Microsoft Certificate Authority (Local CA Only), on page 124
- Defining a Certification Authority Policy (Local CA Only), on page 128
- Editing the Default Configuration (Local CA Only), on page 131
- Preparing Endpoint Computers that Use Internet Explorer (Local CA Only), on page 134
- Adding Certified Endpoint Enrollment to the Trunk (Local CA Only), on page 135
- Adding the C...
...Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy.
- If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99.

Warning 41: Upload Policy URL Violation

Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Upload policy, the requested upload is not allowed.
Cause: The request failed since this URL is defined as an upload URL for this application type, and the application's Upload policy forbids uploads from the submitting endpoint.
Tip: The portion of the URL that caused the failure is indicated in the message, in the URL parameter.
Resolution: In the Configuration program, do one of the following:
- In order for this request not to be considered an upload for this application type, take the following steps:
  1. Open the Advanced Trunk...
...announced in Microsoft's Security Bulletin MS04-011 as ASN.1 Double Free Vulnerability (CAN-2004-0123).

Warning 22: Login On The Fly Failed

Symptoms: A remote user attempts to add authentication credentials on the fly, for example in order to access an application that requires different credentials than those used to access the site. The attempt fails and the following message is displayed in the browser window: Failed to authenticate.
Cause: The failure can be caused by:
- Wrong credentials entered by the remote user, such as a wrong user name or password, the user selecting the wrong Directory authentication server in the login page, and more.
- Authentication server is not configured correctly in the Configuration program. For example: invalid IP/host value or invalid port; server access credentials are not strong enough; groups/users search in the authentication server is defined inaccurately, so the IAG cannot find a unique instance of the user name.
- Authentication server is not running.
- Authentication server is not reachable from the IAG.
The cause of the login failure is reported in the message, in the Error field.
Resolution: Depending on the type of error, do one or more of the following:
- Verify the configuration of the authentication server on the IAG:
  1. Access the Configuration program and, on the Admin menu, click Aut...
...ns of an existing application, as described in Duplicating an Application on page 91.
7. Determine in what order you wish the applications to be displayed on the portal page, as follows:
   - If you want the applications to be displayed in alphabetical order, activate the option Sort alphabetically.
   - If you want to arrange the applications in any other order, leave the Sort alphabetically option unchecked and use the up/down arrows to arrange the order of the applications in the list. They will be displayed on the portal page in the order by which they are arranged in the list of applications.
In the main window of the Configuration program, click the button to save and activate the configuration. The following is displayed:

[Activate Configuration dialog box]
We recommend that you back up the configuration settings directly after the initial configuration. Following the initial backup, make sure to back up the configuration settings each time you modify them, in order to ensure that the backup is updated at all times.
[ ] Back up configuration after activation
If you have made manual changes to any of the external configuration settings, such as changes to XML files or to Registry settings, select this option to apply the changes before activation. Selecting this option will reload the configuration for all trunks.
[ ] Apply changes made to external configuration settings
...ns that are described in this Guide include:
- Editing any of the application's properties in the Application Properties dialog box, as described in Editing Application Properties on page 67.
  Tip: For information on the Network Connector application, see Chapter 7, Network Connector. For information on the Local Drive Mapping and File Access applications, see Chapter 8, Providing Access to Internal File Systems.
- For HTTPS Connections trunks: creating a Redirect trunk in order to redirect HTTP requests, as described in Creating a Redirect Trunk on page 58.
- Editing general trunk parameters, as described in Editing in the General Tab on page 61.
- Changing the event logging definitions, as described in Event Logging on page 237.
- Enabling access to the Web Monitor, as described in Enabling Web Monitor Access from Computers Other Than the IAG on page 261.

Additional advanced options, described in the Intelligent Application Gateway Advanced Configuration guide, include:
- Customizing the look and feel and other aspects of the HTML pages the user interacts with, for example changing the company logo and the color scheme, described in Chapter 3, Customizing Web Pages. This chapter also describes how you can use your own custom portal homepage if you do not wish to use the default page supplied with the IAG.
... 265
Session Monitor Current Status ... 266
Session Monitor Over Time ... 267
Session Monitor Active Sessions ... 268
Session Details ... 270
Session Monitor Statistics ... 271
Session Monitor Statistics Window Query Form ... 272
Session Monitor Statistics Window Query Results ... 273
Application Monitor Current Status ... 275
Application Monitor Over Time ... 277
Application Monitor Active Sessions ... 278
Application Monitor Statistics ... 279
Application Monitor Statistics Window Query Form ...
... 33
User Group ... 33
Local Groups ... 35
Defining Authorization for Portal Applications ... 38
Selecting Users and Groups ... 43
Optional Configuration ... 46
Configuring Global Host Address Translation ... 46
Configuring Application Subnets ... 48
Changing the Application Access Portal Port Number ... 49
Where To Go From Here ... 49
Chapter 3: Single Application Sites ... 51
Optional Pre-configuration of the Services ... 52
Creating a Webmail or a Basic Trunk ... 54
Where To Go From Here ... 57
Creating a Redirect Trunk ... 58
Editing Trunks ...
...nt (Cont'd)

Component | Browser | Browser enables running of signed ActiveX objects | User privileges | Windows DHCP Client service
ActiveX Components | Internet Explorer 6.0 or higher | Required | Any | N/A
Socket Forwarder | Internet Explorer 6.0 or higher | Required | Any (**) | N/A
Network Connector via ActiveX SSL Wrapper | Internet Explorer 6.0 or higher | Required | Administrator | Must be running
Network Connector via Java SSL Wrapper | Java SSL Wrapper supported browser (*) | N/A | Administrator | Must be running

(*) The Java applet is supported on the browsers that are supported by the IAG, as listed in Supported Browsers on page 19.
(**) Some applications might require Administrator privileges. For details, see Technology Overview on page 172.

IAG Trusted Sites

This section describes how to configure the end user's Trusted Sites list. The list should contain each of the IAG sites the user needs to access, so that the Whale Client Components can verify it is trusted.

Tip: For a description of when the Whale Client Components verify that the IAG site is trusted, refer to Endpoint Detection on page 95 and SSL Wrapper on page 171.

An IAG site can be added to the user's Trusted Sites list on the endpoint in one of two ways:
- The domain administrator can remotely add the site, or a number of sites,...
...nt; for details, refer to Technology Overview on page 172.
- Socket Forwarding Helper: utility used for support purposes.
- Network Connector component; for details, refer to Chapter 7, Network Connector.

Since the Whale Client Components provide a wide range of options and features, when a user first accesses the site, the IAG detects whether it can install the components on the endpoint computer, according to the prerequisites described in Prerequisites for Installing the Whale Client Components on page 151. On endpoint computers that meet those prerequisites, the Whale Component Manager installs the Client Components as required. On endpoint computers that do not meet these prerequisites, such as computers running non-Windows operating systems, or an Internet Explorer browser where the download and launching of signed ActiveX objects is disabled, the Client Components are not installed.

In cases where the SSL Wrapper ActiveX component is not installed on the computer, when the user attempts to access a non-web application, the SSL Wrapper Java applet runs on the endpoint computer in order to enable access to the application. The Java applet provides only SSL Wrapper functionality and does not enable any of the other features that are enabled by the Whale Client Components, such as endpoint policies or the Attachment Wiper. The descriptions in this section do not apply to the SSL Wrapper Java applet. The applet...
...Internet Explorer browser and are logged in with power user or Administrator privileges. It can also be used on browsers other than Internet Explorer, by end users who are logged in with Administrator privileges, to install the Network Connector component. In this mode, users can download an auto-install file onto their computer, using either an installer toolbar button or a link on the portal homepage. They can then log out of the site and use this file to install the components in an offline mode.

In order to install the Whale Client Components in this mode, the following steps have to be taken:
- You need to configure the installer, as described in Configuring the Whale Client Components Installer on page 154.
- End users need to install the components on their computer, as described in Installing the Whale Client Components via the Installer on page 156.

Configuring the Whale Client Components Installer

In order for end users to be able to use the Whale Client Components Installer, you need to add a link to the auto-install file on the portal homepage:
- If you use the Whale toolbar with the portal homepage, enable the Whale Client Components Installer button and define which installation file is used. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Content Changes in the Default Portal Homepage on pag...
...ny: Whale Communications; Department: Engineering; City: Tel Aviv; State: NA; Country/Region: IL; Submit.

Tip: For information about customizing the look and feel of the Certified Endpoint Enrollment pages, refer to the Intelligent Application Gateway Advanced Configuration guide, Customizing Certified Endpoint Enrollment Pages on page 67.

To edit the properties of the data fields in the User Information window:
1. At the IAG, access the following file: Whale-Com\e-Gap\Von\WhaleSEP\inc\info.inc
2. Copy the file you accessed in step 1 to the following custom folder (if the folder does not exist, create it): Whale-Com\e-Gap\Von\WhaleSEP\inc\CustomUpdate. If such a file already exists, use the existing file. The file contains the definitions of the User Information data fields.
3. In the file under the CustomUpdate folder, change the properties of the data fields as required. For each field, you can assign a status as follows:
   - FIELD_READONLY (read only): a read-only field is displayed in the User Information window, but users cannot edit its value.
   - FIELD_EDITABLE (read/write): a read/write field is displayed in the User Information window with a text box, enabling users to enter a value.
   - FIELD_HIDDEN (hides the field): a hidden field is not displayed in the User Information window.

Note: The content of all fields except the edi...
...to a single application server. Each trunk is created with a combination of the parameters you enter in the Create New Trunk Wizard and of default IAG parameters and settings. Once you create a trunk, you can use the Configuration program to edit the trunk.

You configure a Webmail or Basic trunk in the following stages:
- You can optionally use the Service Policy Manager to pre-configure the IAG HTTP Connections and HTTPS Connections services, as described in Optional Pre-configuration of the Services on page 52.
- In the Configuration program, you use the Create New Trunk Wizard to create a trunk under either the HTTP Connections or the HTTPS Connections service, as described in Creating a Webmail or a Basic Trunk on page 54.
- Options you can configure once the trunk is created are described in Where To Go From Here on page 57.

Note: The first time you access either the Configuration program or the Service Policy Manager, you are required to create an encryption key and passphrase for the IAG. The key and passphrase serve both IAG applications, so this action is only required once; when you subsequently access either application, you use the same passphrase. Additional information is available as follows:
- For an overview of the encryption mechanism, see Encryption on page 21.
- For details on how to create the encryption keys and passphrase, refer to the In...
...to a trunk at peak time, or create charts that will present comparisons, patterns, and trends of system usage.
- In the Current Status, Active Sessions, and Event Viewer windows, you can instantly refresh the data by clicking the refresh button.
- A lead user is the user who accessed the site. For example, when a user logs in to the site using one set of credentials and is then required to enter different credentials when accessing a specific application, the lead user is the user who logged in to the site. In unauthenticated trunks, the lead user is the first user added during the session with the site.
- A user name is always displayed using the following syntax: <domain_name> <user_name>
- In tables, you can specify a sort order by clicking the column heading by which you want to sort the data.
- In line charts, used in the Statistics and monitor-over-time windows, you can highlight a line in the chart by clicking it in the legend. For example, clicking a trunk name highlights the chart line representing that trunk.
- Some of the Web Monitor defaults, such as refresh rates, the display of graphics, and the appearance of charts, are customizable. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Customizing the Web Monitor Windows on page 72.

Session Monitor Current Status

This window provides online display of all the sessions...
314. o launch the Java applet, attempts to make changes to the hosts file on the endpoint computer. If changes cannot be made to the file, the application is not launched; however, the relay that was opened for the application is left open. Users are presented with a message showing the open relay, so that they can manually run the application. Hosts disabled: the Java applet does not have to make changes to the hosts file in order to run the application. Chapter 6 SSL Wrapper, Supported Applications. Configuration Overview: You enable any of the SSL Wrapper applications to remote users via a Portal trunk. You can enable an unlimited number of applications via a single portal. For operating instructions on how to create a Portal trunk and add applications, refer to "Creating an SSL VPN Portal" on page 28. For out-of-the-box applications where the Socket Forwarding component is required, Socket Forwarding is enabled by default. In order to enable the Socket Forwarding component for other applications, once you add the application to the trunk, select the required Socket Forwarding Mode in the Application Properties dialog box, in the Client Settings tab. For a description of the available activation modes, refer to "Socket Forwarding Activation Modes" on page 174. For a description of the Client Settings tab, refer to "Client Settings Tab" on page 86. If you do not use the default portal homepage supplied with the IAG, yo
315. ocket Forwarding Component Policy. For details, refer to "Endpoint Settings" on page 108. Notify users prior to retrieving information from their computer, and receive their consent for the retrieval of such information. For details, refer to "What Information is Collected from the End User's Computer" on page 97. What Information is Collected from the End User's Computer: While working with the IAG site, if endpoint detection is enabled on the end user's computer, the following information is collected by the Endpoint Detection component: Network domains (DNS and NetBIOS); User information (user name and user type); Certificates in the "My" certificate store (certificate issuer and certificate subject). This includes all client certificates on the endpoint computer, not only the IAG certificate. If required, for example in order to comply with legal or corporate guidelines, you can configure the gateway so that users are notified before the information is retrieved from their computer and are prompted to give their consent for the site to collect such information. On endpoints where users do not give their consent, detection is not performed and the functionality of the Whale Client Components is disabled. Tip: For information on the Whale Client Components, refer to "Whale Client Components" on page 147. To notify and prompt users before the retrieval of information
316. ode, except that Windows services are enabled access to configured corporate resources. VPN: in this mode, the LSP/NSP modules are always active in all applications; that is, access is enabled to configured corporate resources, except for the applications listed in the block list. Basic mode will enable most applications to work via the IAG and is the recommended Socket Forwarding mode. For some applications, however, Extended mode or VPN mode is required. You select the Socket Forwarding activation mode for an application when you configure the application, as described in "Configuration Overview" on page 183. Enabling Access to SSL Wrapper Applications: In order for users to be able to access SSL Wrapper applications, one of the following SSL Wrapper Client Components must run on their computer: SSL Wrapper ActiveX component: this is the recommended mode of operation. The component is part of the Whale Client Components; for a description of the installation and running of the components, see "Installing and Running the Components on Endpoint Computers" on page 150. In addition, some SSL Wrapper applications require users to be logged on with Administrator privileges in order to use the application, in cases where changes to the hosts file or the Registry have to be made. For details, refer to "Technology Overview" on page 172. The SSL Wrapper ActiveX component is installed on the endpoint computer the first time a user at
317. ome Directories: when this option is selected, the Home Directory is not accessible to remote users. The My Home Directory button and tree item are not displayed in the browser. Use Domain Controller Settings for Home Directories: the Home Directory is accessible to remote users through a My Home Directory button and tree item. Home Directory path information is taken from the domain controller. Use the Following Template for Home Directories: the Home Directory is accessible to remote users through a My Home Directory button and tree item. Home Directory path information is taken from the template you define in the text field. You can define the path to the template using one of two methods: Valid UNC path, for example \\server\share\dir1\dir2; Valid DFS path, for example \\domain\server\share\dir1\dir2. In either of those path types, you can use one or both of the following variables: $domain and $username. For example: \\$domain\users\$username. Determine whether the browser will display the listing of the Home Directory each time a remote user accesses File Access. This is controlled by the option "User's Home Directory Will be Displayed Every Time File Access is Loaded". To configure access to mapped drives, check the option "Show Mapped Drives". If the user's logon script is not a batch file (.bat, .exe), or is not wrapped within a .bat
318. omponent Manager settings on their computer to the default values, in "Restoring the Whale Client Components Defaults" on page 165. How users can remove the components from their computer, and how you can enforce the removal of the Socket Forwarding component from remote computers, in "Uninstalling the Whale Client Components" on page 167. Tip: Users can check whether the Whale Client Components are installed on their computer in the portal's System Information window. [Figure: portal System Information window (Whale Communications Intelligent Application Gateway), listing the Whale Client Components (Whale Component Manager, Endpoint Detection, SSL Wrapper, SSL Wrapper Java Applet, Socket Forwarder LSP/NSP, Network Connector Client/Driver, Attachment Wiper) with their version (3.7.0.12) and status, followed by Anti-virus, Personal Firewall, Operating System, Browser Version, User Agent, Sun JRE Version, Domain, Certified Endpoint and Privileged Endpoint.] N
319. omputer, and can allow or deny access accordingly. You can use endpoint security policies to create tiers of access, by determining whether or not endpoint computers are allowed to access internal sites and applications, depending on their security settings. For example, you can set up your endpoint policies so that access to internal applications is allowed as follows: From corporate laptops, all applications are allowed. From home computers, all web applications are allowed. From an Internet kiosk, only Webmail applications are allowed. When you define an endpoint policy, you determine which security components must be installed on the endpoint computer in order for it to comply with the policy. Security components include options such as whether a compliant anti-virus program or a personal firewall is installed on the computer, whether the Attachment Wiper is launched on it, and more. You use endpoint policies to control: Access to the site, for both default and privileged sessions, at the trunk level. Access to each application that is accessible through the site and, for web applications, upload and download to and from the application and access to the application's restricted zone. You can use the IAG's pre-defined policies, or define as many additional policies as you wish. Note: Endpoint compliancy with all the policies, including application policies
320. on Enable Domino iNotes: Enables offline access to Domino iNotes. Multi Servers: iNotes DOLS Servers: Hostnames or IP addresses of the DOLS servers. We recommend that you use hostnames. Note: If you use a hostname to define an application, use the effective hostname as defined in the DNS. Port: Port of the DOLS servers. Launch Automatically on Start: Automatically launches the SSL Wrapper to enable the operation of the Lotus iNotes Sync Manager on the computer. For details, refer to Chapter 6, SSL Wrapper. Chapter 4 Application Settings: The settings of an application depend on the following: Application type: The Application Aware approach of the Intelligent Application Gateway (IAG) provides application-specific, out-of-the-box optimization for the supported applications, including features such as URL Inspection rulesets and character definitions, deleting application-specific folders and cookies, and more. Application properties: You select some of the application properties while configuring the application for access via the SSL VPN portal, or while creating a Webmail or Basic trunk, whereas others are automatically applied by the IAG. You can change application properties for each of your applications individually, via the Application Properties dialog box. This chapter describes how you can later edit the application properties, as descr
321. on: the process by which authenticated users are given access to the portal applications. Personalization: the process by which different users view different application links on the same portal homepage, depending on their authorization permissions. Note: Personalization only works when you use the default portal homepage supplied with the IAG. However, even if you are using a custom portal homepage, authorization works, enabling users to access only those applications for which they have access permissions. When you add an application to a Portal trunk using the Add Application Wizard, the option "All Users Are Authorized" in the Application Setup step is enabled by default. You can disable this option while adding the application to the trunk, or at any time after the initial application configuration, in the Application Properties dialog box, in the Authorization tab. If you disable the "All Users Are Authorized" option for an application, you must configure authorization in order to enable access to the application through the portal. Using authorization, you can grant access permissions to an application to selected users and user groups, while blocking access from users that should not be accessing the application. In order to configure authorization, you take the following steps: Define the users and groups of users to which you can grant authorization permissions, as described in "Defining Authorization Repo
322. on page 310. Warning: Edit only the individual and general trace sections of the configuration file. Do not make changes to any other sections of the file. The manner in which the changes you make to the trace configuration file are activated is described in "Trace Activation" on page 311. Individual Trace Sections: In order to create a trace, you configure a Trace section in the trace.ini configuration file. Each individual trace section can hold one or more of the parameters described in the following table, depending on the trace level and individual trace parameters.
Table 38: trace.ini file, Individual Trace Parameters (Parameter: Description)
Trace: Defines the elements that will be traced. Traces can be defined at different levels of granularity, including processes, instances, reporters and classes. The parameters you need to define will be provided by technical support.
trace level: Determines whether the trace is active, as well as the trace's log level. The level none indicates that the trace is not active. Any level other than none indicates that the trace is active, and determines the log level. Available log levels are light, medium, heavy and xheavy.
refresh: Refresh period of the trace, in seconds. After each refresh period, the process checks for changes in the configuration file. If a new trace was added, or an inactive trace activated for this proc
323. onents [Figure: portal System Information window, listing the Whale Client Components (Whale Component Manager, Endpoint Detection, SSL Wrapper, SSL Wrapper Java Applet, Socket Forwarder LSP/NSP, Network Connector Client/Driver, Attachment Wiper) with version 3.7.0.12 and status, followed by Anti-virus (eTrust 7.1), Personal Firewall (XPSP2), Operating System (Windows XP Professional Service Pack 2), Browser Version (Internet Explorer 6), User Agent, Sun JRE Version (N/A), Domain (WHALECOM), Certified Endpoint and Privileged Endpoint; the window footer reads "This site is protected by the Whale Communications Intelligent Application Gateway. To refresh this page, please log out, then log in again."] By uninstalling the Whale Client Components from their computers, as described in "Uninstalling the Whale Client Components" on page 167. Restoring the Whale Client Components defaults enables users to receive the following notifications, even in cases where the user previously selected the option "Don't show me this message again" when the message was displayed. Once the defaults are restored, whenever applicable, the user receives notifications that are displayed when: It is necessary to add the site to the user's Trus
324. only, and be sure to re-enable it as soon as you finish troubleshooting the system. To disable event logging and reporting: At the IAG, run the following command: \Whale-Com\e-Gap\utils\MonitorMgr\MonitorMgrUtil.exe sms 0. Events are no longer logged to the Event Logging mechanism, and event messages are not sent to any of the configured reporters. To re-enable event logging and reporting: At the IAG, run the following command: \Whale-Com\e-Gap\utils\MonitorMgr\MonitorMgrUtil.exe sms 1. Events are logged to the Event Logging mechanism, and event messages are sent to the configured reporters. Web Monitor: The Web Monitor is a monitoring and reporting web application that enables you to view IAG-related events, both from within the organization and from remote locations, using a web browser. Access from remote locations is fully secured by the IAG Application Aware security mechanisms, such as URL Inspection positive-logic rulesets, out-of-the-box character definitions, policy compliance and session timeouts. In sites where an IAG High Availability Array is deployed, you can monitor each of the IAG servers within the array from a single Web Monitor. A constantly updating snapshot of system, administrative and remote user activities can be used to assist users online and to troubleshoot any problems they may encounter while accessing the internal network via the IAG. You can zoom into a user's session in real time and pinpoin
325. ons File" on page 250. In order to send a custom event message, or in order to send event messages from custom interfaces, you need to configure the page from where you wish to send the message. For details, refer to "Event Messages Application Interface" on page 257. Configuring Event Messages in the Message Definitions File: This procedure describes how you configure the message definitions file, which holds the definitions of all event messages. To configure messages in the message definitions file: 1. Access the following CustomUpdate folder; if it does not exist, create it: \Whale-Com\e-Gap\von\conf\CustomUpdate. 2. Copy the file MessageDefinition.xml from this folder: \Whale-Com\e-Gap\von\conf. Place it in the CustomUpdate folder you accessed in step 1. If such a file already exists in the custom folder, use the existing file. 3. In the MessageDefinition.xml file, change the existing messages or configure additional messages, as required. For a description of this file, refer to "Event Logging Message Definitions File" on page 250. Note: If you add new messages to the file, or if you wish to send messages from custom scripts, you also need to configure the functions that will send the messages, as described in "Event Messages Application Interface" on page 257. 4. When you finish editing the file, still at the IAG, access the Configuration program. Click P
326. or Statistics Window Query Results (Parameter: Description)
Trunk: Trunk name.
Concurrent Sessions: Minimal and maximal number of sessions that were concurrently open through the trunk during the query period.
Table 29: Session Monitor Statistics Window Query Results (Cont'd)
Duration: The average and maximal duration of the sessions that were open through the trunk during the query period. Note: If the number of results exceeds the number of Max Report Results, as defined in the Configuration program, in the General tab of the Event Logging dialog box, described in "Configuring General Settings" on page 240, Duration is not reported.
Concurrent Sessions Settings View: Settings that are defined for the trunk in the Configuration program, in the Session tab of the Advanced Trunk Configuration window: Threshold: the threshold above which each new session that opens generates a report, as defined in the Concurrent Sessions Threshold field of the Session tab. Limit: maximal number of sessions that can be open through the trunk at the same time, as defined in the Max Concurrent Sessions field of the Session tab. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, "Session Configuration" on page 133. Clicking All adds the display of concurrent sessions threshold and li
327. or technology, which is part of the Intelligent Application Gateway (IAG), enables you to install, run and manage remote connections as if they were part of the corporate network, supporting full connectivity over a virtual and secure transparent connection. During a Network Connector session, remote endpoint computers are part of the corporate network. Depending on the Network Connector server configuration, they are able to: Communicate with all the computers in the network; that is, access and be accessed by all other network computers. Access corporate servers and complex systems, such as mail, SMB, FTP, databases and VoIP applications. Communicate with other remote Network Connector endpoint computers. For example, the system administrator can connect to endpoint computers in order to install software updates, configure existing applications, or help users troubleshoot their systems. This chapter describes the following: "Network Connector Technology Highlights" on page 189; "Configuring the Network Connector" on page 190; "Remote User Interaction with the Network Connector" on page 200; "Network Connector Troubleshooting" on page 203. Network Connector Technology Highlights: The Network Connector implements a client-server architecture and is integrated into the IAG's secure SSL tunnel. It supports all types of IP-based unicast traffic in any direction: client to server, server to client, and cli
328. ort you define here must be identical to the port number of the Network Connector application. If you change the default port defined here (6003), take the following steps in the Configuration program: When you add the Network Connector application to the trunk, change the port number in the Add Application Wizard, in the Server Settings step, accordingly. If the Network Connector application is already configured in the trunk, change the port number in the Application Properties dialog box, in the Server Settings tab. The Log and Server Resources areas are used for troubleshooting the Network Connector server. For details, refer to "Troubleshooting the Network Connector Server" on page 203. Note: Be sure to read the information provided in the server troubleshooting section before you change any of the settings in the Log and Server Resources areas. Figure 34: Sample Advanced Tab. [Figure: Network Connector Server dialog box (tabs: Network Segment, IP Provisioning & Access Control, Additional Networks, Advanced), Advanced tab, showing the Listener area (Type, Port 6003), the Log area (Log Level, Log Path), the Server Executable Path area (Alternative Path, Full Name) and the Server Resources area (Number of Threads per CPU, Device Timeout 20000 milliseconds, Tunnel Buffer Size in KB, Service Timeout 20000 milliseconds, Device Buffer Size in KB).] Res
329. ose the Select Users or Groups dialog box. The selected users and groups are added in the Add Local Group dialog box. [Figure: Add Local Group dialog box for the local group SW_R&D, listing the selected users and groups with their Include/Exclude status.] Tip: If the local group you created includes other local groups, the nested local groups are displayed in the left pane of the Add Local Group dialog box. [Figure: Add Local Group dialog box in which the AppGroup local group is nested under SW_R&D.] 7. If required, use the Include/Exclude column to refine the definition. By default, when you add a user or group to the local group, their status is Include; double-clicking an entry in the Include/Exclude column toggles the status of the user or group. For example, if you wish to include most of the users of an Active Directory user group in the local group, but exclude three individual users from that group, take the following steps: a. Use the Select Users or Groups dialog box to select from the Active Directory repository both the Authenticated Users group and the three users you wish to exclude from the local group. b. Use the Add Loc
330. out of contract, negligence, misrepresentation, strict liability in tort or warranty of any kind, shall not exceed the consideration paid to the Company for the product. The Company shall under no circumstances be liable for damages arising out of any claim, including but not limited to a claim for personal injury or property damage, made by any third person or party. Document Name: Intelligent Application Gateway User Guide. Document Revision: 3.7. Date: December 2006. Software Version No.: 3.7.
Contents
Chapter 1 Introduction 15
[entry title illegible] 15
Control Access 15
Protect Assets 16
Safeguard Information 16
Intelligent Application Gateway Architecture 16
Broad Set of Connectivity Options 17
Integrated Application Firewall 18
Application Aware(TM) 18
Supported Applications
331. ow after you submit a query in the query form, as described in "User Monitor Statistics Window Query Form" on page 289. At the top of the window, query details are displayed, including the query period, lead user or users, and trunk or trunks, as you defined them in the query form. If query results are available only for a part of the defined period, this is also indicated, under the Period field. Query results are displayed in a table. The information that is provided for each user is described in "Table 35: User Monitor Statistics Window Query Results" on page 291. The number of results that can be displayed in the window is determined in the Configuration program, in the General tab of the Event Logging dialog box, in Max Report Results, described in "Configuring General Settings" on page 240. If the number of results exceeds the number of Max Report Results, no results are displayed. Figure 57: User Monitor Statistics Window, Query Results View. [Figure: User Monitor Statistics window showing Server time, Query Details (Period, Lead User, Trunk), a "Show query form" link, and a results table with the columns Lead User, Average Session Duration, Total Session Duration and Accesses.] Applic
332. ow refreshes the data every 15 seconds. If required, you can customize the refresh rate, as described in the Intelligent Application Gateway Advanced Configuration guide, in "Customizing the Web Monitor Windows" on page 72. The number of events that are displayed each time you open the Event Viewer window, and the maximal number of events that are added to the event list between refreshes, is determined in the Configuration program, in the General tab of the Event Logging dialog box, in Queue Size. For details, refer to "Configuring General Settings" on page 240. To view all events, in the left pane of the Web Monitor window, from the Event Viewer group, click All. To view only the events that are related to a single category (system, security, session or application), click the corresponding link from the Event Viewer group. For example, to display only session-related events, click Session. Figure 60: Selecting Which Events to View. [Figure: the Event Viewer group in the left pane, with an "All" link to view all the events and Security, System, Session and Application links to view a single category.]
Table 37: Event Parameters (Parameters: Severity, Time, Type, Category)
Severity: Event severity can be one of the following: Information: informative message denoting a normal event that might be of interest, such as user login or log-out. Notice: normal b
333. perties dialog box. For details, refer to "Application Endpoint Policies" on page 99. Warning 40: Download Policy URL Violation. Symptoms: A remote user requests a page. The request is denied, and the following message is displayed in the browser window: "According to your organization's Download policy, the requested download is not allowed." Cause: The response failed, since this URL is defined as a download URL for this application type, and the application's Download policy forbids downloads to the requesting endpoint. Resolution: In the Configuration program, do one of the following: In order for this request not to be considered a download for this application type, take the following steps: 1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab. 2. In the URL Settings area, click the button next to Download URLs. 3. In the Download URLs Settings dialog box, remove the corresponding rule. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, "Download URLs" on page 153. If you wish to cancel the identification of downloads by URLs for this application, take the following steps: 1. Open the Application Properties dialog box and access the Download/Upload tab. 2. In the Downloads area, uncheck the option "Identify by URLs". Note: If none of the options in the Dow
334. pplication and access the Cookie Encryption tab. 2. Remove the cookie that was blocked from the Cookies list. The name of the cookie is provided in the Description field of the event, in the Web Monitor's Event Viewer. For details, refer to "Cookie Encryption Tab" on page 80. Warning 100: Encrypted Cookie Name. Symptoms: A remote user requests a page. The request is processed, and the user experience is unaffected. Cause: A cookie encryption violation was detected. The cookie name is encrypted, but is not listed in the cookie encryption include list. Resolution: In order to enable the browser to send this cookie in an encrypted form, you need to add it to the list of cookies that are included in the cookie encryption process, as follows: 1. Use the IAG's trace mechanism to resolve the original name of the encrypted cookie: a. At the IAG, access the trace configuration file: \Whale-Com\e-Gap\Common\Conf\trace.ini. b. Add the following lines to the file:
Trace
WhlFilter WHLFILTSECUREREMOTE xheavy
c. Save the file. d. Use a browser to request the URL that caused the Warning message, as detailed in the Description field of the event in the Event Viewer. 2. At the IAG, access the trace log file, in the following location: \Whale-Com\e-Gap\logs. The file is named <Server_Name> WhlFilter default <Time_Stamp>.log. 3. Resolve the
335. pplications: Telnet, http proxy, sametime. [Figure: SSL Wrapper Java applet window, with Disconnect, Show Relay and Homepage buttons, listing Active Connections such as http://talentula.il.whale.biz:80 and 192.168.1.7:23 via Simple Relay.] Note: Closing the window disconnects all the applications that are tunneled through the SSL Wrapper Java applet. The Portal Activity window is divided into two main areas: Connections Area, described on page 186; Applications Area, described on page 187. The Portal Activity window buttons are described on page 188. Connections Area: The Connections area of the Portal Activity window displays: Active channel or channels between the client and the trunk or trunks to which the client is connected, one channel per portal or trunk. Under each channel, the connection or connections that are currently open through the channel. Figure 26: Sample Portal Activity Window, Connections Area. [Figure: Portal Activity window showing the channels https://www.portal.com and https://www.shai.com and, under each channel, its open connections, for example 192.168.1.186:1494 via SOCKS and 192.168.1.189:23 via relay; callouts label the Channel and Connections entries.] When you hover over a connection, you can see the following details regarding the connection: Address: IP address and port number
336. r either of the services (HTTP or HTTPS). Tip: You can pre-configure lists of IP addresses and port numbers that you will be able to assign to the services when creating and editing trunks, as described in "Optional Pre-configuration of the Services" on page 52. If you create an HTTPS trunk, you can later add a Redirect trunk to automatically direct HTTP requests to that trunk, as described in "Creating a Redirect Trunk" on page 58. The Create New Trunk Wizard is also used to create Portal trunks. For a description of Portal trunks, refer to Chapter 2, SSL VPN Portals. Creating a Webmail or a Basic Trunk. To create a Webmail or a Basic trunk: 1. At the IAG, in the Windows desktop, click Start, and then point to Programs > Whale Communications IAG > Configuration. 2. In the List pane, select and right-click HTTP Connections or HTTPS Connections, and then select New Trunk. The Create New Trunk Wizard is displayed. 3. Depending on the type of trunk you are creating, select Webmail Trunk or Basic Trunk. Follow the instructions on the screen to complete the wizard; for details, click Help. Note: When creating Webmail trunks, we recommend that you use the HTTPS Connections service. 4. When you complete the wizard, click Finish. The Create New Trunk Wizard closes. The trunk you created now appears in the List pane, and the Configuration pane displays the trunk
337. r, which controls the centralized logging and tracing mechanisms, serves two purposes: Tracing: the error server can trace the activities of each process that is defined to report to it, and create a trace log file which can be used for debugging purposes. When required, and depending on the aspects of the IAG you need to examine, technical support will instruct you to run a trace, including details of the processes you need to include in it. The manner in which you define traces is described in "Error Server and Trace Configuration File" on page 307. The trace log file is described in "Error Server Trace and Log Files" on page 311. Error logging: the error server receives error reports from the processes that are connected to it, and logs them, as well as its own errors, in error logs. The log files are described in "Error Server Trace and Log Files" on page 311. Error Server and Trace Configuration File: The behavior of the trace mechanism, and of the error and trace log files, is controlled by the configuration file trace.ini, located under \Whale-Com\e-Gap\Common\Conf. This file contains the following configurable parameters of the error server mechanism, which can be edited as required: Individual traces that the error server logs, as described in "Individual Trace Sections" on page 308. General trace and error log file parameters, as described in "General Trace Configuration Section
338. r application, either via the portal homepage or by logging into a site that automatically launches the application. The request is denied and the following message is displayed: Access to the requested resource denied. Cause: The requested server is not defined as an application in the Configuration program, or the client executable is not authorized to access the server. Resolution: The resolution depends on the error that is displayed in the long description of the message, in the Error field. The message Access denied: unknown server indicates that the user requested a server that is not defined as an application server in the Configuration program. In this case, do one of the following: In the Configuration program, verify the configuration of the application servers: for Portal trunks, in the Application Properties dialog box, in the Server Settings tab (for details, refer to Server Settings Tab on page 85); for Webmail trunks, in the Advanced Trunk Configuration window, in the Server Settings tab. If the user attempted to connect to the application by manually entering the server address, verify that the user tried to connect to the correct server. On the endpoint computer, verify the configuration of the server settings in the client application. The message Inva
339. r does not exist, create it. Chapter 5, Endpoint Security: Certified Endpoints. \Whale-Com\e-Gap\Von\WhaleSEP\inc\CustomUpdate. If such a file already exists, use the existing file. In the file under the CustomUpdate folder, locate the line nAutoModeDelayInMinutes=0. Replace the value 0 with the required delay interval value. Save the file. The default policy is set to Automatic with Delay. Note: If at a later time you change the policy to either Automatic or Manual, you need to manually reset the value of nAutoModeDelayInMinutes back to 0: nAutoModeDelayInMinutes=0. Editing the Default Configuration (Local CA Only): The following Certified Endpoint configuration settings may be modified after installing the Microsoft CA: Pending timeout interval for the Manual certification policy. This setting defines the interval between the time users request a certificate and the time they can receive it. After the specified interval, the end user can no longer request the pending certificate and must begin the certificate request process again. The default pending timeout interval is 10 days. To change this value, refer to Setting Pending Timeout for Manual Certification Policy on page 131. The fields that are displayed to users requesting certificates in the Certified Endpoint Certificate User Information window, as described in Customizing User Information Properties on page 132. Setting Pending Timeout for Manual
340. r each server. Note: If you define an address using a hostname, use the effective hostname as defined in the DNS. Define multiple addresses using a subnet by entering the subnet address and subnet mask in the respective fields. Define multiple addresses using the Regex (regular expression) syntax by entering a regular expression that defines the address range in the Addresses field, for example [0-9A-Z]*.whale.com. Define one or more paths on which the application resides by double-clicking an empty line and entering a path. Note: A path must start with a slash. HTTP and HTTPS port or ports. Note: Enter Auto to use the default port. Enter All to enable all ports. Leave the field empty to block all ports. Multiple port entries are comma-separated: 81,82,85,86. Define a range of ports with a dash: 81-86. Include the default port number (80 or 443) in the host header. Activate this option only if it is required by the server. Chapter 4, Application Settings: Editing Application Properties. Web Settings Tab: This tab is applicable in Portal trunks for Built-In Services, Web Applications and Browser-Embedded Applications, and in Webmail and Basic trunks. It contains the application's web settings, as follows: Application authentication, described in Application Authentication on page 74. General web settings of the application, described in General Web Settings on page 75. User authorizat
341. r is logged out, you can configure a scheduled cleanup, whereby the Attachment Wiper utility automatically triggers a cleanup after the timeout period you configure. You can configure the scheduled cleanup to be triggered by any of the pages that users access while browsing the applications enabled through the trunk. If you configure a cleanup trigger in more than one page, the timeout defined in the page that was last accessed sets the trigger. For example, if you configure a 900-second timeout in one of your pages, once a user receives the page the timeout is set to 900 seconds. However, if you also configure a 300-second timeout in another page, once a user accesses it the timeout is set to 300 seconds, regardless of the time that elapsed since the user accessed the previous page. In this example, 300 seconds after the user accesses the second page, the Attachment Wiper utility triggers the cleanup. Caution: Do not edit the pages that are supplied with the IAG. Configure the cleanup in your own pages, such as the application pages. To configure a scheduled cleanup: 1. In the page from where you wish to trigger the cleanup, add the following line. For Portal trunks: <script language="JavaScript" src="http://localhost:6001/InternalSite/scripts/CacheClean.js"></script>. For Webmail and Basic trunks: <script language="JavaScript" src="/InternalSite/scripts/CacheClean.js"></script>. 2. S
342. race level>
    refresh=<refresh time in seconds>
    max_size=<max trace file size in bytes>
    report_errors=<yes/no>
    [Trace]
    refresh=<refresh time in seconds>
    max_size=<max trace file size in bytes>
    report_errors=<yes/no>
    Sample Individual Trace: The following example shows a trace that is configured for the Whale Manager Service process, with an extra-heavy trace level and a refresh rate of two seconds. The maximum file size is 10 MB, and the trace is configured to log error reports in the error log:
    [Trace whlegapd]
    xheavy
    refresh=2
    max_size=10000000
    report_errors=yes
    General Trace Configuration Section: The general configuration section, [Trace], at the end of the trace.ini configuration file holds general parameters that apply to all the configured individual traces, unless these trace parameters are configured in the individual trace sections. Some of the parameters also apply to the error log files. The general parameters are described in the following table. Table 39: trace.ini File, General Configuration Parameters (columns: Parameter, Description, Affected Files; parameters: refresh, max_size, high_water, low_water, instances_kept, report_errors). refresh: Refresh period, in seconds (affected file: trace.ini). After each refresh period, the process checks for changes in the configuration file. If any new traces relevant to this process were added or ac
343. re related to the Web Monitor are described in Configuring General Settings on page 240. Configuration of the built-in reporter is described in Configuring the Built-In Reporter on page 242. Configuration of the RADIUS reporter is described in Configuring the RADIUS Reporter on page 243. Configuration of the Syslog reporter is described in Configuring the Syslog Reporter on page 244. Configuration of the mail reporter is described in Configuring the Mail Reporter on page 245. Note: The built-in reporter is activated and configured by default. In order to use any of the other reporters, you have to activate and configure them as described in the corresponding sections. Editing the default messages that are recorded by the Event Logging mechanism, defining additional messages, and sending messages from your own interfaces, such as custom authentication pages, are described in Message Configuration on page 249. Configuring General Settings: This section describes how you configure general Event Logging settings. To configure general event logging settings: 1. In the Configuration program, on the Admin menu, click Event Logging. The Event Logging dialog box is displayed. (Screenshot: Event Logging dialog box with the tabs General, Built-In, RADIUS, Syslog and Mail; the General tab shows Queue Size 50, Max Report Results 2000 and a Configure Monitor Users option.) 2. Use the General tab to configure
344. remote user requests a page. The request is denied and the following message is displayed in the browser window: According to your organization's Restricted Zone policy, the requested URL is not allowed. Cause: The request failed since this URL is defined as a restricted zone URL for this application type, and the application's Restricted Zone policy forbids access to the zone from this endpoint. Resolution: In the Configuration program, do one of the following: In order for this URL not to be part of the restricted zone for this application type, take the following steps: 1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab. 2. In the Restricted Zone URLs list, select the corresponding rule and do one of the following: Click Edit, and in the Edit Restricted Zone URLs dialog box either configure the rule so that parameters are not checked, or change the method that is used to check parameters, as applicable. If you wish the URL not to be part of the restricted zone, remove it from the Restricted Zone URLs list. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Restricted Zone URLs on page 158. If you wish to disable the Restricted Zone feature for this application, take the following steps: 1. Open the Application Properties dialog box and access the Web Settings tab. 2. Uncheck the option Activate Restri
345. reporter, you cannot generate Event Query reports. Use this window to define and submit a query, as follows: Select the trunk or trunks for which to generate the query. Define the period of time for which to generate the query: select a pre-defined period, such as Today or Last Month, at the top of the Period area, or define start and end dates at the bottom of the Period area. You can filter the query by one or more of the following event parameters: category, severity and type. For a description of the parameters, refer to Table 37, Event Parameters, on page 294. When you narrow the query to a specific parameter, only the related items are listed for the other parameters. For example, if in the Category list you select Security, only security-related severities and message types are displayed in the other lists. At the bottom part of the Event Query window you can expand the Advanced Options area and use it to filter the query by the following: Session ID: a specific session. Lead User: according to user name. You can use the asterisk wildcard at the end of the search string to define a group of users. For example, to enter a query for all users of a domain named ActiveDirectory, enter the following in the User text box: ActiveDirectory\*. Old Trunks: define a query on old trunks, that is, trunk
346. requisite Applications list. If an application that is defined as a prerequisite application is not launched when the user attempts to access the application you define here, the IAG automatically launches the prerequisite application prior to launching this application. Define the application's inactivity period in order to monitor the actual usage of the application. When a user does not use the application for the period of time defined here, an Application Exited message is sent to the Web Monitor. When the user resumes using the application, an Application Accessed message is sent to the Web Monitor. The user experience, however, is unaffected. If the Inactivity Period field is set to zero, the inactivity period is unlimited, that is, the application is only exited when the user's session with the portal ends. Change the selection of the application Endpoint Policies and access the Policy Editor. For details, refer to Application Endpoint Policies on page 99. Note: The Endpoint Policies area is disabled when the option Disable Component Installation and Activation, in the Session tab of the Advanced Trunk Configuration window, is activated, since endpoint computers' compliance to the policies cannot be detected. Access additional application-specific settings or information. Note: The Application Aware Settings link appears when there are application-specific settings or informatio
347. results were found. (Screenshot: Event Report window with the columns Severity, Time, Type, Category, Trunk and Description, listing Application Exited, User Removed from Session and User Login Failed events for trunk portal (S); a callout reads: To view troubleshooting information for this message, click the icon next to it; applicable for Warning and Error messages.) Web Monitor High Availability Support: In sites where an IAG High Availability Array is deployed, you can monitor all the IAG servers that are part of the array from a single Web Monitor, whether you access the Monitor from within the organization or remotely. When you access the We
348. ring the query period. Clicking the number of accesses displays the User's Application Access Statistics window, described in User's Application Access Statistics on page 291. User's Application Access Statistics: The User's Application Access Statistics window is displayed when you click a number of accesses in the Accesses column in the User Monitor Statistics Query Results window. It provides information on the application usage, as listed in Table 36, User's Application Access Statistics Parameters, on page 292. Figure 58: Sample User's Application Access Statistics Window. (Screenshot: window at https://www.myweb.com showing Lead User, Trunk, Start Date and End Date, and a table with the columns Session ID, Session Start Date, Session End Date and Duration; the current session is highlighted, and sessions that are still open show Active instead of an end date.)
349. rk Connector Server. This section describes how you configure the Network Connector server. To configure the Network Connector server: 1. In the Configuration program, on the Admin menu, click Network Connector Server. Chapter 7, Network Connector: Configuring the Network Connector. 2. At the bottom left corner of the Network Connector Server window, check the option Activate Network Connector. Note: Unchecking the option Activate Network Connector once the Network Connector is activated disables this feature. 3. Use the Network Connector Server window to configure the server. For details, refer to: Network Segment Tab on page 192; IP Provisioning Tab on page 193; Access Control Tab on page 196; Additional Networks Tab on page 197; Advanced Tab on page 199. Note: Configuration in the IP Provisioning tab is mandatory. Configuration in the other tabs is optional and depends on your network settings and your requirements. 4. Once you complete the configuration of the server, click the icon in the Network Connector Server window in order to activate the Network Connector. 5. In the Configuration program, click the icon to save and activate the configuration, then click the icon in the Activate Configuration screen. The configuration settings you have defined are applied to the Network Connector server. The Network Connector Windows service, Whale Network Connector Server, is started and
350. rmity to the Install Socket Forwarding Component policy. For details on this policy, refer to Session Endpoint Policies on page 95. Add Site to Pop-Up Blocker's Allowed Sites: this option is applicable for Internet Explorer browsers running on Windows which feature a pop-up blocker, such as Internet Explorer on Windows XP SP2. It adds the site to the list of allowed sites in Internet Explorer's pop-up blocker, so that pop-ups from the site are not blocked and users can continue to receive messages and notifications, such as Inactive Session Timeout and Scheduled Logoff notifications. The site is removed from the pop-up blocker's allowed sites when the Whale Client Components are uninstalled, as described in Uninstalling the Whale Client Components on page 167. Tip: When the site is added to Internet Explorer's pop-up blocker's allowed sites, the user is notified by a message and is prompted to confirm the change. (Screenshot: Whale Client Components dialog box reading: To ensure complete functionality with this site, it is necessary to add the site to the pop-up blocker's allowed sites of the browser. Would you like to implement the required changes? with a Don't show me this message again check box.) If a user selects the option Don't show me this message again, the notification will not be displayed again when users access this site. In order to receive the notification when applicable, instruct the user to restore the default setting
351. rom all endpoint computers that access the site by activating the option Uninstall Socket Forwarding Component in the Session tab of the Advanced Trunk Configuration window. For details, refer to Endpoint Settings on page 108. Chapter 5, Endpoint Security: Whale Client Components. Chapter 6: SSL Wrapper. Note: The SSL Wrapper components are part of the Whale Client Components. For details, refer to Whale Client Components on page 147. When working with SSL Wrapper applications via an HTTP trunk, tunneled traffic is not encrypted. The SSL Wrapper provides secure SSL connectivity for non-web protocols, such as those used by client/server and legacy applications, from the Internet to the internal network, thus enabling users of the Intelligent Application Gateway (IAG) to safely access back-end applications. Via the portal homepage, remote users can access a range of applications, such as native messaging applications, standard email applications, collaboration tools, connectivity products and more. The SSL Wrapper allows granular per-user and per-server configurations and can be used in conjunction with the IAG endpoint security policies, providing for a secure SSL VPN experience. Multi-platform application support ensures that users can access their applications from computers running Windows, Mac OS X and Linux operating systems, using a wide range of browsers
352. rowser. Certified Endpoint: Request Denied. Speak to your administrator before requesting Certified Endpoint status again. Installing the Certificate and Logging In as a Certified Endpoint User: Once your Certified Endpoint status has been approved and a certificate issued, you must install the certificate on your computer in order to complete the Certified Endpoint process. To install the certificate and log in as a Certified Endpoint user: 1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint Certificate Issued window is displayed. (Screenshot: Certified Endpoint window in Microsoft Internet Explorer, Whale Communications, A Microsoft Subsidiary, with an Install this certificate link.) 2. Click Install this certificate to add the certificate to your computer. If you are using Microsoft Internet Explorer, the certificate is installed on your computer; proceed to step 4 of this procedure. If you are using a different browser, a certificate download dialog box is displayed; in this example, the Downloading Certificate dialog box displayed by Netscape Navigator. (Screenshot: Downloading Certificate dialog box reading: You have been asked to trust a new Certificate Authority (CA). Do you want to trust Trusted Endpoint CA for the following purposes? Trust this CA to identify web sites. Trust this CA to identify email users. Trust this CA
353. rus. (Screenshot: Policy Editor. The Components list shows, among others, Any Personal Firewall, Corporate Machine, Disable Citrix Client Printer Mapping, Enable Domino Web Access Forward, Enable SharePoint Integration with Office, Endpoint Detection is Disabled, Privileged Endpoint, Sygate Virtual Desktop Not Required and Symantec Norton Antivirus Up To Date, followed by a Variables list. The Name field reads Default Privileged Endpoint, the Category field reads Policies, the AND, OR and NOT operators are shown, the Rules area contains Privileged_Endpoint, and the Explanatory Text Added to Access Denied Message field is at the bottom.) 3. For new policies and expressions: In the Name field at the top right, assign a name. In the Category field, select Policies or Expressions, accordingly. Chapter 5, Endpoint Security: Endpoint Policies. You do not need to edit those fields for existing policies and expressions. Define the rules of the policy or expression: From the Components list at the left of the Policy Editor, select a component to add it to the Rules area on the right. Use the AND, OR, NOT and parenthesis operators to create a combination of as many components as you require, or to combine VBScript syntax (free text) with expressions and variables. The Rules area is a free text area; you can edit and delete rules and rule components in this area as required. At the bottom right of the Advanced Policy Editor, you can enter text that will be displayed to users in the
354. s; Identify by Extensions; Unknown Content Type; Identify by Size. Description: Identify URLs and methods by checking against the list of Download URLs or Upload URLs, respectively. You can access and edit the Download URLs and Upload URLs lists via the Global URL Settings tab of the Advanced Trunk Configuration window. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Global URL Settings Tab: URL Settings on page 152. Identify URLs by file extensions, which you define in the Extension List. If the option Exclude is selected, when an endpoint policy is enforced only files whose extensions are listed here are allowed. If the option Include is selected, when an endpoint policy is enforced files whose extensions are listed here are blocked. Note: Extensions in the Extension List should not include the preceding dot; for example, exe and not .exe. You can define that downloading or uploading of files without an extension is allowed or blocked by adding a no_ext entry in the relevant Extension List. GET requests are treated as downloads; POST and PUT requests are treated as uploads. In order to enable download blocking by extension, you need to also define the application's unknown content type in the field Unknown Content Type, below. For the extensions in the list, verify that the association of extensions and content types is identical between
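The Exclude/Include semantics, the no_ext entry and the GET/POST/PUT mapping described above, worked through as an added Python example (not code from the IAG guide or product). The extension lists and request URLs are constructed samples; the Unknown Content Type setting the guide also requires for download blocking is outside this example.

```python
"""Added example: decide whether a file transfer through an IAG trunk is
allowed under the Identify by Extensions rule. Not part of the IAG product."""
from urllib.parse import urlsplit

# Constructed sample Extension Lists; entries carry no leading dot, as the guide requires.
EXCLUDE_LIST = ["doc", "pdf"]     # Exclude mode: only these extensions are allowed
INCLUDE_LIST = ["exe", "no_ext"]  # Include mode: these extensions (and no-extension files) are blocked


def transfer_direction(method):
    """GET requests are downloads; POST and PUT requests are uploads."""
    m = method.upper()
    if m == "GET":
        return "download"
    if m in ("POST", "PUT"):
        return "upload"
    return None  # other methods are not treated as file transfers here


def url_extension(url):
    """Return the extension of the request path without its dot, or 'no_ext'.

    The query string is ignored so that '/a/b.exe?x=1' is still an exe."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in name or name.endswith("."):
        return "no_ext"
    return name.rsplit(".", 1)[1].lower()


def transfer_decision(method, url, extension_list, mode):
    """Return (direction, verdict) for one request.

    mode is 'Exclude' (listed extensions are the only ones allowed) or
    'Include' (listed extensions are blocked), as the guide defines them."""
    direction = transfer_direction(method)
    if direction is None:
        return (None, "not a file transfer")
    listed = url_extension(url) in {e.lower() for e in extension_list}
    if mode == "Exclude":
        verdict = "allowed" if listed else "blocked"
    elif mode == "Include":
        verdict = "blocked" if listed else "allowed"
    else:
        raise ValueError("mode must be 'Exclude' or 'Include'")
    return (direction, verdict)


if __name__ == "__main__":
    for method, url, lst, mode in [
        ("GET", "/files/report.PDF?x=1", EXCLUDE_LIST, "Exclude"),
        ("GET", "/files/tool.exe", EXCLUDE_LIST, "Exclude"),
        ("GET", "/download/README", INCLUDE_LIST, "Include"),
        ("POST", "/upload/photo.jpg", INCLUDE_LIST, "Include"),
    ]:
        print(method, url, mode, "->", transfer_decision(method, url, lst, mode))
```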
355. s. (Screenshot: Application Access Details window in Microsoft Internet Explorer for application Whale Portal, trunk portal (S), period 03/21/2006 00:00:00 to 03/21/2006 13:00:00, interval Hour, listing lead users of the whalecom domain with the columns Accesses, Last Accessed and Duration (Average, Max, Min, Total).) Table 33: Application Access Details Parameters. Lead User: User who initiated the session from where the application was accessed. Clicking the expand sign next to the Lead User name, or clicking the name itself, expands the display and lists all of the user's accesses to the application during the query period, where the user name is the name used to access the application. Clicking the expand-all or collapse-all icons expands and collapses the display for all users, respectively. Accesses: Number of times the user acces
356. s in the United States and other countries, or both. Citrix, Citrix NFuse, Citrix Presentation Server, Citrix MetaFrame, Citrix SecureGateway and ICA are service marks, trademarks or registered trademarks of Citrix Systems, Inc. or its subsidiaries in the United States and other countries, or both. Debian is a service mark, trademark or registered trademark of Software in the Public Interest, Inc. or its subsidiaries in the United States and other countries, or both. GNU and GZip are service marks, trademarks or registered trademarks of Free Software Foundation, Inc. or its subsidiaries in the United States and other countries, or both. Domino, Lotus, IBM Lotus iNotes, Lotus iNotes, Lotus Domino, Notes, Sametime and WebSphere are service marks, trademarks or registered trademarks of IBM Corporation or its subsidiaries in the United States and other countries, or both. Linux is a service mark, trademark or registered trademark of Linus Torvalds or its subsidiaries in the United States and other countries, or both. Active Directory, ActiveSync, ActiveX, Excel, Microsoft, Outlook, SharePoint, Visual Basic, Windows Mobile, Windows NT and Windows Server are service marks, trademarks or registered trademarks of Microsoft Corporation or its subsidiaries in the United States and other countries, or both. Camino, Firefox and Mozilla are service marks, trademarks or registered trademarks of Mozilla Foundation or its subsidiaries in the United States an
357. s of the Whale Component Manager, as described in Restoring the Whale Client Components Defaults on page 165. Attachment Wiper: The Attachment Wiper utility deletes persistent browser data that is downloaded to the browser from the sites protected by the IAG, or created by the browser, whenever the following occurs: The session ends, for example when the user closes the browser. When the user logs out using the site's Logoff mechanism. During a scheduled logoff or scheduled cleanup. The Attachment Wiper utility deletes items that are saved in the browser's cache during the session, such as web pages, cookies and files, including application-specific cached files. The Attachment Wiper also deletes items that are saved in the browser's offline folder. These include files that were opened from within the browser for editing by an external application, such as an Office application; for example, a document that was opened via the browser for editing in Microsoft Word. The offline folder is cleaned only when all the IAG sessions on the computer end. Only items that were written to the offline folder since the Attachment Wiper was first activated, during the initial login, are deleted. Optionally, you can also configure the Attachment Wiper to delete items that are saved outside the cache, including the browser's History, Web Address AutoComplete, IntelliForms (Forms Auto
358. s that are no longer defined in the Configuration program. Trunk names are comma-separated; HTTPS trunks are denoted by (S). For example: MyTrunk, MyTrunk (S). You can select whether the query includes the trunks that are selected in the Trunks list by enabling or disabling the option Include trunks selected in the Trunks list above, respectively. Note: Generating Event Query reports uses system resources and might affect system performance. Depending on the size of the logs and on the query you define, report generation may take up to a few minutes. It is therefore important that you fine-tune the query as much as possible, especially the date range. Once you submit the query, the results are displayed in the Event Report window, described in Event Report on page 297. Figure 61: Event Query. (Screenshot: Event Query window showing server time 03/23/2006 19:58, a Trunks list containing portal (S), a Period area with Today, Last 24 Hours, Yesterday, Week, Month, Quarter, Year and Start date and End date fields, a Message Filter area with Category, Severity and Type lists, an Advanced Options area and a Reset button.) Chapter 9, Monitoring and Control: Web Monitor. Event Report: The Event Report window is displayed when a report is generat
359. ... 229
    Configuring Authentication with the Novell Directory Service ... 231
    Changing the Date Format of Files and Folders ... 234
    Hiding the Folder Tree in the End User Interface ... 234
    Chapter 9 Monitoring and Control ... 237
    Event Logging ... 237
    Overview ... 238
    Event Categories ... 238
    Event Logging Reporters ... 238
    Event Logging Messages ... 239
    Optional Event Logging Configuration Steps ... 239
    Configuring General Settings ... 240
    Configuring the Built-In Reporter ... 242
    Configuring the RADIUS Reporter ... 243
    Configuring the Syslog Reporter ...
360. se the Backup & Restore utility and how you use various diagnostics tools, such as support utilities, tests, and error and trace logs. It also provides information on how log files are cleaned up and how to restart the Web service in the Windows Server IIS (Internet Information Server). Appendix A, Troubleshooting Event Logging Messages, provides troubleshooting guidelines and instructions for Warning and Error messages that are reported by the Event Logging mechanism. Tip: For a description of additional advanced features and configuration settings, refer to the Intelligent Application Gateway Advanced Configuration guide. Chapter 1, Introduction: About This Guide. Conventions Used in This Guide: This section explains the conventions used throughout this Guide. Menu Item: Menu names and menu items. Buttons that you select with the mouse. Icons that you select with the mouse are represented graphically. Procedure: Title of an operating procedure. Computer text: System files and information that you type in. Caution: A note advising you that failure to take or avoid a specific action could result in loss of data. Note: Important information you should note. Tip: Helpful tips for working with the e-Gap Appliance. Chapter 2: SSL VPN Portals. An Intelligent Application Gateway (IAG) SSL VPN Portal
361. section of the Network Segment tab, you can configure alternative network parameters and select when they are used: Only if Network Configuration is Missing: data you enter in the Complementary Data area will be used only if no data is configured for the same item in the Network Connection area. Always, Overriding Existing Network Configuration of This Server: the data in the Complementary Data area will always be used, regardless of the configuration of the selected connection. Fields that are left empty are ignored. Note: If one or more of the fields are left empty in both the Network Connection and Complementary Data areas, it might result in a limited client session. For example, if no DNS is defined, no DNS services will be available for users connecting via the Network Connector. IP Provisioning Tab: Use this tab to define the IP pool from which clients are assigned IP addresses when connecting via the Network Connector. Note: Make sure that your pool is sufficient for your needs and consists of enough IP addresses for your remote clients. Note that IP addresses ending with zero or 255 are not used for IP assignment. For example, if you define the pool 192.168.0.0-192.168.0.9, the Network Connector server will be able to support up to 8 concurrent clients, since 192.168.0.0 will not be used and 192.168.0.1 will be use
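The pool arithmetic in the note above, carried through as an added Python example that is not from the IAG guide or product; it also generalizes to pools that cross a /24 boundary, where both a .255 and a .0 address are skipped. The assumption that the first eligible address (192.168.0.1 in the guide's example) is reserved rather than handed to clients is inferred from the guide's own count of 8 and is marked as such in the code.

```python
"""Added example: count the client addresses an IAG IP Provisioning pool can hand out.
Not part of the IAG product; the reservation rule below is an inference."""
import ipaddress


def assignable_addresses(first, last):
    """Return every address in first..last (inclusive) that the guide says is
    eligible for assignment: addresses whose last octet is 0 or 255 are skipped."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if end < start:
        raise ValueError("pool end precedes pool start")
    eligible = []
    for n in range(start, end + 1):
        addr = ipaddress.IPv4Address(n)
        if addr.packed[-1] in (0, 255):   # last octet is 0 or 255: never assigned
            continue
        eligible.append(str(addr))
    return eligible


def max_concurrent_clients(first, last):
    """Number of remote clients the pool can serve at once.

    Assumption (inferred from the guide's example, where 192.168.0.0-192.168.0.9
    supports 8 clients): the first eligible address is reserved by the Network
    Connector server itself and is not handed to clients."""
    eligible = assignable_addresses(first, last)
    return max(len(eligible) - 1, 0)


if __name__ == "__main__":
    # The guide's own example pool, plus a constructed pool spanning a /24 boundary.
    for first, last in [("192.168.0.0", "192.168.0.9"), ("192.168.0.250", "192.168.1.5")]:
        print(first, "-", last, "->", max_concurrent_clients(first, last), "clients")
```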
362. sed the application during the query period. Time when the application was last accessed by the user during the query period. Table 33 Application Access Details Parameters (Parameter: Description). Duration: duration of accesses to the application by the user, including average, maximal and minimal duration, and the total access time. User Monitor Current Status: The User Monitor Current Status window provides an online display of all the users that are currently connected to the IAG you are monitoring. At the top part of the window a column chart is displayed. For each trunk, two columns represent the following: the number of authenticated sessions that are currently open through the trunk, and the number of authenticated unique users currently using the trunk. For example, if a user opens two concurrent sessions with the trunk, two sessions are counted but only one unique user. At the bottom part of the window the information is presented in a tabular format. Clicking the number of authenticated sessions opens the trunk's User Monitor Active Sessions window, described in User Monitor Active Sessions on page 287. By default, the window refreshes the data every 15 seconds. If required, you can customize the refresh rate as described in the Intelligent Application Gateway Advanced Configuration guide, in Customizing the Web Monitor Windows on page 72. You
363. see Event Query on page 295. The RADIUS reporter reports events to a RADIUS Accounting server, either any external RADIUS Accounting server or a Windows RADIUS Accounting server installed on the IAG. The Syslog reporter reports events to an external industry-standard Syslog server. The mail reporter sends email messages regarding specific events via an SMTP server. Note: The built-in reporter is activated and configured by default. In order to use any of the other reporters, you have to activate and configure them as described in the corresponding sections. Event Logging Messages: Event logging messages are defined in a message definitions file. All the applicable IAG interfaces are configured to send the relevant message when required. For example: a message is sent each time the configuration is changed in the Configuration program; a message is sent whenever a user logs into the IAG site. Tip: Use the messages to troubleshoot warnings and errors. For details, refer to Appendix A, Troubleshooting Event Logging Messages. If required, you can edit the default messages, define additional messages, or send messages from your own interfaces, such as custom authentication pages. Optional Event Logging Configuration Steps: The following Event Logging configuration options are available to you if required: General event logging parameters, which a
364. (Contents, continued) 77; Web Server Security Tab 78; Cookie Encryption Tab 80; Global Exclude List 82; Download Upload Tab 82; Server Settings Tab 85; Client Settings Tab 86; [entry unreadable] 87; Authorization Tab 91; Duplicating an Application 91; Chapter 5 Endpoint Security 93; Endpoint Policies 93; Endpoint Detection 95; Session Endpoint Policies 95; What Information
365. server's password policy, such as password length, complexity, or history. Resolution: Depending on the message the user receives and the error indicated in the message, do one of the following: Take the steps required in order to enable users to change their passwords, as detailed in the Intelligent Application Gateway Advanced Configuration guide, in Change Password Requirements on page 93. Advise the user of the relevant password policy. Warning 82 Unauthorized Access Attempt. Symptoms: A remote user attempts to launch an SSL Wrapper application, either via the portal homepage or by logging into a site that automatically launches the application. The request is denied and the following message is displayed: "Access to the requested resource denied." Cause: Internal error. Resolution: If this event occurs on a regular basis, contact technical support. Warning 83 Form Login Response Failed. Symptoms: A remote user attempts to access an application. The attempt might fail. Cause: The application is configured so that the Form Authentication Engine automatically replies to the application's authentication requests. The evaluation of the login attempt result failed. Resolution: Verify the configuration of the Form Authentication evaluator for this application. For a description of the Form Authentication Engine, refer to the Intelligent Applica
366. Repositories on page 33. Define authorization and personalization per application, as described in Defining Authorization for Portal Applications on page 38. Defining Authorization Repositories: Repositories are databases containing user and group information; a user can be defined as an individual unit or associated with a group. This section describes how you define repositories of users and user groups, which you can then use in order to define authorization for portal applications, including: User Group Servers on page 33; optional configuration of local groups, described in Local Groups on page 35. User Group Servers: This section describes how you define a third-party user group server. The servers are used as user group repositories for application authorization and can also be used to define local groups. Note: User group servers are also used for session authentication, as described in the Intelligent Application Gateway Advanced Configuration guide, in Authentication on page 81. To define a user group server: 1. In the Configuration program, on the Admin menu, click Authentication and User Group Servers. The Authentication and User Group Servers dialog box is displayed. 2. In the Authentication and User Group Servers dialog box, click Add. The Add Server dialog box is displayed. Ad
367. ss.js from Whale-Com\e-Gap\von\samples\CustomHooks to Whale-Com\e-Gap\common\bin\CustomHooks. Open the file you copied and follow the instructions in the file to configure it for your system. Technology Overview: When supporting non-web applications over an SSL connection, the SSL Wrapper causes the application traffic at the endpoint to be tunneled through SSL to the SSL VPN gateway, that is, the e-Gap Internal Server. The SSL VPN gateway decrypts the traffic and sends the payload to the application server in the internal network. The Socket Forwarding component add-on, which is based on Microsoft's Layered Service Provider (LSP) and Named Service Provider (NSP) technologies, can be used to support a wider variety of applications, such as applications that jump ports, without needing to make on-the-fly changes to the operating system. Application traffic can be tunneled through SSL using one of the following relay types: Simple relay opens a port on the endpoint computer and tunnels the TCP traffic to and from a specific port on the application server. Using this type of relay, in order to communicate with the application server, the application on the endpoint computer needs to communicate through the locally opened port. The SSL Wrapper makes changes, such as changes to the application settings, Registry, or hosts file, in order for the application to
368. regardless of the configuration of this reporter; syslog: reporting to a Syslog server, as described in Configuring the Syslog Reporter on page 244; mail: sending an email message about the event, as described in Configuring the Mail Reporter on page 245. Usage: One and only one <Reporters> element can be nested under <Message>. Child Elements: <Reporters> can contain up to four <Reporter> elements, described on page 255, one for each reporter. <Message> > <Reporters> > <Reporter>. <Reporter>: Description: Child element of <Reporters>. Defines a single reporter to which the message is sent. For a description of the reporters you can configure here, refer to <Reporters> on page 256. Usage: Up to four <Reporter> elements can be nested under <Reporters>, one for each reporter. Child Elements: None. Event Messages Application Interface: By default, all the applicable IAG interfaces are configured to send the relevant event message when required. If, however, you configure custom messages in the message definitions file, or if you wish to send messages from custom interfaces, such as a custom Login script, then in order to send the message you need to configure the page from which you wish to send the message, as described in this section. To configure the message interface: 1. In the pa
369. File Access window to enable access to NetWare Servers only; you cannot enable access to Novell Directory Services through the File Access option. 3. In the left pane of the File Access window, click Servers. The network is browsed. In the File Access window, all the servers in the domains you selected are displayed, arranged under their respective domains. 4. In the right pane of the File Access window, select the servers which will be accessible to remote users through File Access, and click Apply. 5. In the left pane of the File Access window, click Shares. The network is browsed. In the File Access window, all the shares that are enabled on the selected servers are displayed, arranged under their respective servers. Note: If you have previously configured shares in this screen to be accessible to remote users, and have since clicked Apply in either the Domains or the Servers screen, all the shares in this screen appear unselected, including shares that are accessible to remote users. In order to refresh the view, click Reset, then click Refresh. 6. In the right pane of the File Access window, select the shares which will be accessible to remote users through File Access, and click Apply. Tip: If there are no shares in a selected server, the text "No shares on this server" appears under that server name. When you finish configuring administratio
370. (Contents, continued) 279; Application Monitor Statistics Window Query Results View 281; Application Access Details 283; User Monitor Current Status 285; User Monitor Over Time 286; User Monitor Active Sessions 287; [entry unreadable] 288; User Monitor Statistics Window Query Form 289; User Monitor Statistics Window Query Results View 290; User's Application Access Statistics 291; [entry unreadable] 293; Event Query 295; Event Report 297; Web Monitor High Availability Support 298; Accessing IAG Servers in the Array 299. Analyzing History Reports: Once
371. st not to be considered an upload for this application type, take the following steps: 1. Open the Advanced Trunk Configuration window and access the Global URL Settings tab. 2. In the URL Settings area, click the button next to Upload URLs. 3. In the Upload URLs Settings dialog box, remove the corresponding rule. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, to Upload URLs on page 155. If you wish to cancel the identification of uploads by URLs for this application, take the following steps: 1. Open the Application Properties dialog box and access the Download Upload tab. 2. In the Uploads area, uncheck the option Identify by URLs. Note: If none of the options in the Uploads area are activated, no uploads to the application are blocked, regardless of the settings of the application's Upload policy. If you wish to enable uploads from the submitting endpoint to the application, edit the application's Upload policy. The application's policies are selected in the Application Properties dialog box, in the General tab. For details, refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details, refer to Application Endpoint Policies on page 99. Warning 54 Failed
372. list of all the session's parameters, or only parameters of a selected type. Figure 44 Sample Session Details Window. [Screenshot of the Session Details window (https://www.myweb.com): Lead User whalecom\rachel; Session ID 78335EE9-3BBB-4DCB-B830-96600736452A; tabs Applications, Endpoint Information, Parameters; General Session Details: Session Started At 14/03/2006 16:17:44, Session Duration 00:56:46, Session Authenticated, Privileged Session, User Repository whalecom.] Session Monitor Statistics: This window enables you to view and analyze both the history and the current status of the IAG sessions, such as the number of concurrent sessions in a trunk, and compare them to the trunk's limitations as defined by the Concurrent Sessions settings. Use the query form to submit a query, as described in Session Monitor Statistics Window Query Form on page 272. The window then displays the query results, as described in Session Monitor Statistics Window Query Results on page 273. Session Monitor Statistics Window Query Form: When you first access the Session Monitor Statistics window, the query form is displayed. Use this form to define the query: Select the trunk or trunks for which to generate the query. Define the period of time for which to generate t
373. installation; <CustomSetup Enable="0"> disables Custom installation. 4. In order to replace the graphic that appears in the installation screens, place your graphic in the following location: Whale-Com\e-Gap\utils\OfflineClientSetup\CustomUpdate. The replacement graphic must be: a Bitmap (.bmp) format graphic; file name logo.bmp; the size of the graphic must be the same as the original graphic, width 118 x height 238 pixels. Deploying Offline Component Installation: Once you configure the installation settings as required, deploy the installation to end users. You can deploy the installation in one of two modes: Silent mode, where no user intervention is required (note that when you use this deployment method, Custom installation is not applicable); Interactive mode, where an installation wizard guides the user through the installation. Both deployment methods are described in this section. To deploy the offline component installation in Silent mode: 1. Use the following command line to execute component installation in Silent mode: Whale-Com\e-Gap\utils\OfflineClientSetup\Setup.exe /s. For example, use a batch file to run this command from the offline client setup location. Once this command is run on an endpoint computer, the Whale Client Components are installed on the computer with no user intervention. To deploy the offline co
374. t. The IIS is stopped. You now have to restart it, as described in the following procedure. Starting the Web Service in the IIS. To start the Web service in the IIS: In the Command prompt on the IAG, type net start w3svc and press <Enter>. The following messages are displayed in the Command prompt: [Command prompt window, WINDOWS\system32\cmd.exe] Microsoft Windows [Version 5.2.3796] (C) Copyright 1985-2003 Microsoft Corp. / C:\Documents and Settings\Administrator>net start w3svc / The World Wide Web Publishing Service service is starting. / The World Wide Web Publishing Service service was started successfully. / C:\Documents and Settings\Administrator> The Web service in the IIS is started and the filters are reloaded. Appendix A Troubleshooting Event Logging Messages: This appendix describes how you troubleshoot events that are reported by the Intelligent Application Gateway (IAG) Event Logging mechanism, according to the message that is displayed when the event occurs. Troubleshooting instructions are provided for Error and Warning messages. Warning 4 Service Shutdown. Symptoms: A Windows service running on the IAG was stopped. Cause: A Windows service that is required in order to run the IAG is not started. Resolution: Start the relevant service on the IAG: 1. In the Windows Control Pa
375. t CheckSite.reg. 3. At the location where you copied the files, edit the file CheckSite.reg, as described in Table 21 on page 163. The file provides a sample configuration which adds the following sites to users' Trusted Sites lists: https://www.microsoft.com and https://www.myPortal.com. Note the following in the sample configuration: users can add sites to the Trusted Sites list on demand; they cannot, however, add HTTP sites to the list. Users will not be prompted if a trusted site's certificate is invalid; in this case, detection will not be performed. Users will be prompted if an untrusted site's certificate is invalid, and will be able to add it to the Trusted Sites list on demand. 4. Deploy the CheckSite.bat file to the end users whose Trusted Sites list you wish to configure. Note: Make sure the file CheckSite.reg resides in the same folder as the file CheckSite.bat. At the endpoints where you deployed the configuration, the following Registry key is added or updated according to your definitions: HKEY_CURRENT_USER\Software\WhaleCom\Client\CheckSite. The Trusted Sites configuration is applied on the endpoint with the settings you defined here. Table 21 Values of CheckSite.reg (Value, Type: Description). Managed, DWORD: Mandatory. Determines whether this confi... CanAddSites, DWORD. CanAddHttpSites, DWORD. PromptInvalidCertTrusted, DWORD.
376. t errors and situations that hinder usability. Remote access via the SSL VPN portal provides you with secure anytime, anywhere monitoring of system and user activities, and enables you to render users assistance while away from the office. Logs and queries are used to analyze usability variations and trends over time. For example, a user notifies you that they cannot log into an application. When you zoom into the user's session, you find that the application's Access policy requires that the Attachment Wiper is installed on the endpoint computer, but the user's computer does not comply with this policy. You can instruct the user to download and install the Whale Client Components when they next access the site. Thereafter, they are able to access the application smoothly. Note: The Web Monitor application is protected by the Windows Local Users and Groups management tool. By default, access to the application is disabled, and you need to configure the user or users that are allowed to access it, as described in Enabling Web Monitor Access from Computers Other Than the IAG on page 261. This section: describes how you access the Web Monitor, including the configuration steps required in order to enable access from computers other than the IAG, and the list of supported browsers, in Accessing the Web Monitor on page 260; describes the general layout of the Web Monitor screen
377. that is, applications that are configured to work in Socket Forwarding Mode will still function. However, the additional capabilities enabled by the Socket Forwarding component, as described in Technology Overview on page 172, will not apply to the application in this setup. LSP Conflict Detection: If, during the installation of the Socket Forwarding component on the endpoint computer, the Whale Component Manager detects a conflict between the Socket Forwarding LSP module and other LSP modules installed on the computer, it removes the Socket Forwarding component. In this case, the user is notified as follows: [Whale Client Components message box] "The Component Manager detected a conflict between the Whale SSL VPN Socket Forwarding component and other networking components installed on your computer. The Whale SSL VPN Socket Forwarding component will be removed from your computer." Note: The removal of the component may require a restart of the browser or of the computer. Users are notified accordingly. The following procedure describes how you can re-enable the installation of the Socket Forwarding component on the endpoint computer after a conflict is detected. To re-enable the installation of the Socket Forwarding component: 1. Determine which components conflict with the Socket Forwarding component. In the message box that is displayed when the conflict is detected, click to display
378. t use the string app or ser as the unique identifier. Encryption Key: a key that will be used for internal encryption. Click OK. The Advanced Configuration window closes. 3. In the Configuration program, click the toolbar icon to save and activate the configuration. The IAG will use the unique identifier and encryption key you entered here during link manipulation for all Portal trunks. Configuring Application Subnets: You can restrict any of the applications in your SSL VPN Portal so that only servers within the defined subnets are enabled. Once the trunk is operative, when a user requests a URL, the filter first checks the URL against the Application List; if the application is listed here, the filter goes on to check the URL against the Subnet List. Only URLs that pass both checks are enabled to the user. Note: For each application you add, make sure that the application is listed in the IAG's DNS or Hosts file. You configure subnets in the main window of the Configuration program, in the Applications area, as described in this procedure. To configure application subnets: 1. In the Applications area, under the Subnets list, click Add. [Screenshot of the Applications area: Application List with columns Application Name and Application Type, listing Whale Portal (Whale Portal), iNotes (Domino iNotes) and FTP (FTP Passive Mode); Sort alphabetically option; Add button.]
379. editEmail field is automatically filled in based on the certificate; therefore, it is recommended that these fields retain their default READONLY status. A sample of how this code is implemented is provided in Sample Code: info.inc on page 134. For more information, refer to the Intelligent Application Gateway Advanced Configuration guide, to Customizing Certified Endpoint Enrollment Pages on page 67. 3. Save the file. When users next request a certificate, the data fields in the User Information window will display according to the properties you set here. Sample Code: info.inc (ASP/VBScript):
<%@ CODEPAGE=65001 %>
<%
' info.inc: if a custom info.inc has been registered in the session, include it;
' otherwise apply the defaults below.
if Session("INFO_INC") <> FILE_NOT_EXIST then
    include Session("INFO_INC")
else
    ' Delay between certificate request and certificate issue in automatic mode.
    ' Default value should be 0.
    nAutoModeDelayInMinutes = 0
    ' Default data fields edit status: FIELD_READONLY, FIELD_EDITABLE, FIELD_HIDDEN
    editCommonName = FIELD_READONLY
    editEmail = FIELD_EDITABLE
    editCompany = FIELD_READONLY
    editDepartment = FIELD_READONLY
    editLocalCity = FIELD_READONLY
    editState = FIELD_READONLY
    editCountry = FIELD_READONLY
end if
%>
Preparing Endpoint Computers that Use Internet Explorer (Local CA Only). Note: This section is only relevant for endpoint computers using Microsoft Internet
380. Trusted Sites list. [Security Alert dialog] "The following site is about to launch one or more applications on your computer or retrieve security information from your computer: https://mportal.microsoft.com. Trust this site: Temporarily, until disconnect from this site / For a limited period of [n] days." Note: Restoring the defaults deletes only sites that the user added to the Trusted Sites list; it does not delete the administrator-configured sites from the list. For details on adding sites to the list, refer to IAG Trusted Sites on page 160. It is necessary to add the site to the browser's pop-up blocker's allowed sites: [Whale Client Components dialog] "To ensure complete functionality with this site, it is necessary to add the site to the pop-up blocker's allowed sites of the browser. Would you like to implement the required changes? [ ] Don't show me this message again." Tip: For details regarding this option, refer to Endpoint Settings on page 108. The Whale Component Manager detects problems with some of the Whale Client Components files on the computer: [Whale Client Components dialog] "Whale Component Manager detected problems with some of the Whale Client Components files on your computer. Files are missing or their file version is wrong, as follows: File TcpDumper.dll is missing on disk. File WhiCa
381. selected folder is shown above the Users/Groups list. In order to facilitate the search for a user or a group, use any of the buttons described in Table 2 on page 45. Tip: To add all the users and groups in a users/groups server, select Authenticated Users. When you add a local group, all the users and groups that are part of the local group are selected. The selected users and groups are moved to the Selected Users and Groups list. 3. Repeat steps 1-2 to add users and groups from other repositories, if required. 4. Click the button at the bottom of the Select Users or Groups dialog box. The dialog box closes. The users and groups you selected are added to the local group or to the application's Authorization tab, as applicable. Table 2 Select Users or Groups: User/Group Search Buttons (Button: Description). Search: Enter a string in the Search text box, then click the Search button. The search is affected by the selected View setting, described in View Menu below. Tip: You can also select an entry in the list, then start typing the user/group string; the display automatically moves to the relevant letter or string. Up One Level: Moves the display one level up in the folder tree. Home: Returns the display to the top-level folder. Optional Configuration. Table 2 Select Users or Groups: User/Group Search Buttons (continued)
382. Intelligent Application Gateway Advanced Configuration guide, to Creating Encryption Keys on page 20. This chapter also describes how you: create a Redirect trunk that will automatically redirect HTTP requests to an HTTPS trunk, as described in Creating a Redirect Trunk on page 58; edit an existing trunk, as described in Editing Trunks on page 59. Optional Pre-configuration of the Services: This section describes how you can optionally pre-configure the HTTP Connections and HTTPS Connections services in the Service Policy Manager. During pre-configuration you define lists of external websites and application servers that can be used in the configuration of the service; you can pre-configure only one of the services, or both service types. Subsequently, these are available for selection during trunk creation in the Create New Trunk Wizard, and when editing the trunk in the Configuration program. The parameters you can define include: IP addresses and port numbers of the IAG external websites; IP addresses and port numbers of the application servers that will be accessed via the IAG. You pre-configure these parameters separately for the HTTP Connections and the HTTPS Connections services. Note: A detailed description of the Service Policy Manager, including detailed procedures, is available in the chapter titled Security Management Tools in the Intelligent Application Gateway Advanced Configuration guide.
383. attempts to access an SSL Wrapper application. If an application is configured to operate in Socket Forwarding Mode, and provided that the endpoint computer meets the Socket Forwarding component installation requirements, the Socket Forwarding component is installed as well. For details, refer to Socket Forwarding Component Installation on page 178. SSL Wrapper Java applet: used as a fallback for endpoint computers where the SSL Wrapper ActiveX component cannot be installed or run, such as computers running Mac OS X or Linux operating systems, or an Internet Explorer browser on Windows where the download and launching of ActiveX components is disabled. The Java applet is supported on the browsers that are supported by the IAG, as listed in Supported Browsers on page 19. In order for the Java applet to run on the endpoint computer, the computer must meet the requirements described in SSL Wrapper Java Applet Prerequisites on page 176. Tip: If a personal firewall is installed on the endpoint computer, the following has to be added to the firewall's trusted applications list: when working via the SSL Wrapper ActiveX component, the client executable whlclnt3.exe; when working via the SSL Wrapper Java applet, the browser's executable. For example, when browsing with Firefox, add the executable firefox.exe to the list. SSL Wrapper Java Applet Prerequisites
384. Parameter: Bind Tunnel to Client Executable. Description: Applicable only when Socket Forwarding Mode is enabled for the application. Activating this option restricts access to the resources of this application (server IPs and ports) on endpoint computers to the process or processes you define here. For example, when you configure a Telnet application, the SSL Wrapper tunnels all communications to and from the servers and port you define for this application, regardless of the process that initiates the communication. Using the Bind Tunnel to Client Executable option, you can restrict the tunneling to communications initiated by the Telnet process only, by defining the Telnet process as the client executable for this application. You can define multiple processes for an application. For each process you can define the following: Client Executable: name of the executable that runs the application on the endpoint computer. Use the Add button to add an executable, either by browsing and selecting a file or by manually entering the executable name in the File name field. Signature (optional): MD5 checksum of the executable. We recommend that you do not define a signature for applications whose checksum might change frequently, such as Internet Explorer and other Microsoft applications. Portal Link Tab: This tab is applicable in Portal trunks only, for all application types. You can use it to control the appearance of the
385. parameters defined in the Configuration program are implemented at this time. Thereafter, the processes examine the configuration file and activate any relevant changes at the defined refresh intervals. Error Server Trace and Log Files: This section describes the trace and log files that are created by the Error Server, including: the file location and naming conventions, on page 311; the file size and the number of files retained on the server, on page 312. File Location and Naming. Note: The file timestamps, as well as the timing of the events inside the files, are derived from the local computer's clock. Trace Files: For every active trace, the error server creates a trace log file under Whale-Com\e-Gap\Logs, in the following format: <Server_Name>-<Process_Name>-<Instance_Name>-<Time_Stamp>.log, where <Server_Name> represents the name of the server from which the log file originated; <Process_Name> represents the name of the reporting process (process names as defined by the IAG); <Instance_Name> represents the name of the reporting instance; <Timestamp> represents the log file creation time and date. For example, the name of a trace file created by the server whlsrv, by the service instance of the Whale Manager Service, on October 1, 2005 at 12:47:46 is whlsrv-whlegapd-service-01-10-05-12
386. the HTTPS port here, and you edit the HTTP port in the main Configuration window. Note: Both HTTP and HTTPS ports are displayed in the General tab, since you can use the same IP address for two trunks sharing the same site name, one for HTTP sessions and the other for HTTPS sessions. Sites with the same IP address must have matching site names; sites with different IP addresses must have unique site names. Name of the external website folder, determined by the trunk name as defined in the Create New Trunk Wizard. Enable this option if you wish the IIS to record a log of the transactions through the trunk, including the source IP addresses. The log is created in the location that is defined in the Microsoft Management Console (MMC), in the filter site Properties dialog box, under the Web Site tab. Select whether to add the username which the user enters during login to the IIS log you enabled in Enable Web Server Logging above. This option disables all of the trunk's security features. Caution: This mode is intended for use only when so instructed by technical support. Whenever you use this option, be sure to disable it when you finish debugging the trunk. Table 5 Advanced Trunk Configuration General Tab (Cont'd), Parameter / Description. Server Certificate: Server certificate used for the external website (HTTPS connections). The certificate that is displayed here is s
387. the Mail tab and check the Enable option. [Screenshot: Event Logging dialog box, Mail tab, with the IP Host, Port, From, To, Subject, User, Password and Confirm Password fields.] 3. Define the following settings. Table 27 Mail Tab Parameters: IP Host: IP address or hostname of the SMTP server. Port: Port number of the SMTP server. From: email address that appears in the email From field. To: email addresses to which you wish to send event logging email messages. Subject: Text that appears in the email Subject field. User: User name used to log into the SMTP server, if required. Password: Password used to log into the SMTP server, if required. Confirm Password: Confirmation of the password used to log into the SMTP server, if required. 4. Click OK. 5. Go on to configure which of the IAG-related events will be sent to the recipients you configured here, as described in Configuring which Messages are Sent by the Mail Reporter on page 247. Configuring which Messages are Sent by the Mail Reporter: By default, the mail server does not send any messages to the email recipients, even if this option is enabled in the Event Logging dialog box, so that the recipients are not flooded with all of the event logging messages. This procedure describes how you configure the messages that will be sent by
388. the link to the application is not displayed on the homepage of users that are not authorized to access the application. Authorization and personalization of an application are defined in the Configuration program, in the Authorization tab of the Application Properties dialog box. For details refer to Users Setup on page 32. Warning 64: Application Access Policy Violation. Symptoms: A remote user attempts to access an application from the portal homepage. The request is denied and the following message is displayed in the browser window: "Your computer does not meet the security policy requirements of this application." Cause: The requesting endpoint does not comply with the requirements of the application's Access policy. Resolution: Instruct the user what steps have to be taken in order for the endpoint to comply with the policy. You can view the definitions of the policy in the Configuration program, in the Policy Editors. To access the Policy Editors, take the following steps in the Configuration program: 1. Open the Application Properties dialog box and select the General tab. 2. In the Endpoint Policies area, click Edit Policies. 3. In the Policies dialog box, select the applicable policy and click Edit. For more details refer to Endpoint Policies on page 93. Warning 65: Session Access Policy Violation. Symptoms: A remote user attempts to a
389. the list of conflicting components. [Whale Client Components message:] "The Component Manager detected a conflict between the Whale SSL VPN Socket Forwarding component and other networking components installed on your computer. The Whale SSL VPN Socket Forwarding component will be removed from your computer. The following Winsock Layered Service Providers (LSPs) are installed over TCP: NL LSP (C:\Program Files\NetLimiter\nl_lsp.dll); Whale SSL VPN (C PROGRA 1 WHALEC 1 SCLIENT 1431 265D 1 O WhIL ...). Encountered Winsock error 5." Or: Access the following file: %temp%\SFConflictInfo.txt. 2. In order to remove conflicting components, contact technical support. 3. Once the conflicting components are removed, use the System Information window, which you access from the Whale toolbar on the portal homepage, to re-enable the installation of the Socket Forwarding component. [Screenshot: System Information window at https://mportal.microsoft.com listing the Whale Client Components (Whale Component Manager, Endpoint Detection, SSL Wrapper, SSL Wrapper Java Applet, Socket Forwarder LSP/NSP with "Installation disabled" and an Enable Socket Forwarding button, Network Connector Client and Driver).]
390. the trace.ini configuration file, and will not be deleted by the log file cleanup process on the IAG. Support Utilities: The Support Utilities are a set of command-line utilities designed for diagnostics purposes, which technical support may ask you to run in order to help diagnose problems. The utilities include: Pre-defined Support Utilities tests, which you can run to examine the system configuration, IAG functionality and other data in order to enhance diagnosing problems. For instructions on how to run these tests, see Running Support Utilities Tests on page 320. The Data Collection utility, which collects and packs files of different types to be sent to technical support for offline diagnostics purposes. For instructions on how to run the Data Collection Utility, see Running the Data Collection Utility on page 321. Running Support Utilities Tests: Before running the tests, note the following: For some of the tests you may need to stop the Web service of the IIS, as described in Restarting the Web Service in the IIS on page 321. For information on the available tests and commands, you can use the following commands from the Command prompt: Type whltest list for a list of the available tests. Type whltest h for a list of the command options. If you used the N or n command options, alarms and warnings are displayed as pop-up messages d
391. this extension to be considered regular responses for this application and not downloads, edit the application's downloads Extension List accordingly, as described in step 2 above. If you wish to cancel the identification of downloads by extensions for this application, uncheck the option Identify by Extensions in the Downloads area of the Download/Upload tab. Note: If none of the options in the Downloads area are activated, no downloads from the application are blocked, regardless of the settings of the application's Download policy. If you wish to enable downloads from the application to the requesting endpoint, edit the application's Download policy in the Configuration program. The application's policies are selected in the Application Properties dialog box, in the General tab. For details refer to General Tab on page 68. Configuration of the endpoint policies is via the Policy Editors, which you can access via the General tab of the Application Properties dialog box. For details refer to Application Endpoint Policies on page 99. Warning 38: Download Policy Content Type Violation. Symptoms: A remote user requests a page. The request is denied and the following message is displayed in the browser window: "According to your organization's Download policy, the requested download is not allowed." Cause: The response failed sin
392. ties of the applications as follows: On computers where the SSL Wrapper ActiveX component is used, a Portal Activity icon is added to the Windows System tray, to the right of the Windows taskbar. Double-clicking this icon opens the Portal Activity window. When the Network Connector is activated, the icon changes. For details refer to Remote User Interaction with the Network Connector on page 200. On computers where the SSL Wrapper Java applet is used, the Portal Activity (SSL Wrapper Java Client) window opens as soon as an SSL Wrapper application is launched on the computer. Webmail trunk: when an SSL Wrapper application runs on a client, a Portal Activity icon is added to the Windows System tray, to the right of the Windows taskbar. Double-clicking this icon opens the Portal Activity window. Clicking the Portal Activity icon on the Whale toolbar brings the Portal Activity window to the front of the screen. Note: If the endpoint browser or the client Java Plugin are set to connect to the web via a proxy, the SSL Wrapper Java applet will attempt to connect to the IAG site via the same proxy, using the applicable setting, except for Firefox browsers when the browser is set to connect to the web via proxy and the Java Plugin is set to use the browser settings. Portal Activity Window: The Portal Activity window monitors the activity of the applications that are run by the SSL Wrapper cli
393. till in the same page, add the following lines: <script language="JavaScript"> var whaleCacheClean = GetCacheCleanInstance(); SetTimeoutForCacheClean(Timeout); </script>, where Timeout is defined in seconds. For example, in order to trigger a cleanup 600 seconds after the user accessed the page, enter the line SetTimeoutForCacheClean(600). Note: If you set the timeout to zero, the cleanup is triggered as soon as the user accesses the page. Enabling the Attachment Wiper on a Custom Logoff Message Page: This section describes the code you need to embed in the Logoff Message page used with the trunk, if you do not use the default page supplied with the IAG. The code triggers the Attachment Wiper to initiate the cleanup of the browser's cache. Tip: You select the Logoff Message page used with the trunk in the Authentication tab of the Advanced Trunk Configuration window, in Logoff Message. For details refer to the Intelligent Application Gateway Advanced Configuration guide, Configuration in the Authentication Tab on page 82. You can find sample code in the Logoff Message page supplied with the IAG: ...\Whale-Com\e-Gap\von\InternalSite\LogoffMsg.asp. To configure a non-default Logoff Message page to trigger the Attachment Wiper: 1. In your Logoff Message page, add the following line: 2. Still in the same page, add the following
394. ting system, opened in a Terminal application (Mac OS X) or in xterm (Linux), the user needs to configure the Telnet application to work in Character mode by entering mode character in the Telnet window. For more information, consult the Telnet manual pages. Uninstalling the SSL Wrapper Java Applet. Note: Do not uninstall the Java applet while it is running on the computer. Once the SSL Wrapper Java applet runs on the endpoint computer, users can remove it from their computer as follows: 1. Clean the following applet from the Java plug-in applets cache: sslvpnclient.jar. 2. Delete the following folder: Windows operating systems: %userprofile%\whalesslwrapper. Mac OS X operating systems: <username>/whalesslwrapper or /var/root/whalesslwrapper. Linux operating systems: <username>/whalesslwrapper or /root/whalesslwrapper. Note: If the folder whalesslwrapper contains the file backupdata.map, this file might contain changes that were made to the system by the SSL Wrapper Java applet and were not restored when the applet stopped running, for example entries added to the hosts file. In this case, don't delete the folder before backing it up. In order to restore the settings, contact technical support. Socket Forwarding Component Installation: The conditions for the installation of the Socket Forwarding client component on the endpoint computer are
395. ting systems. Note: We recommend that you enable this feature only for endpoints that comply with your corporate endpoint policy; for example, only endpoints where the latest update of the corporate anti-virus program is running are allowed access to internal shares. For details on how you determine endpoint policies for an application, refer to Endpoint Policies on page 93. You can enable access to multiple shares by adding multiple Local Drive Mapping applications to the trunk, one for each share. For each share you can decide how it will be accessible to remote users: as soon as users log into the portal homepage, the share is automatically added to the Windows Explorer shares on the endpoint computer (default option); or via a link on the portal homepage. Note: Once the drive is mapped on the endpoint computer, it is displayed in Windows Explorer with the IP address of the local listener that is used as the relay to the application server. If you define a share as a prerequisite application to another application, the IAG automatically connects to the share prior to launching this application. For details regarding prerequisite applications, refer to General Tab on page 68. Mapping Shares: This section describes how you map one share; repeat the procedure to map multiple shares. In order to enable Local Drive Mapping on Windows XP 2008, additional configuration
396. tion attempts are reported in the Windows Event Viewer. You can select to view errors, warning, informational and success events, or any combination of these event types. For details and instructions, see the following Microsoft article: http://support.microsoft.com/kb/260729/EN-US. Note: Make sure to restart the IAG after you make changes to the Registry. Chapter 10: Troubleshooting. This chapter describes the following troubleshooting procedures: Backup & Restore Utility on page 303 provides instructions on how to back up and restore the configuration settings of the Intelligent Application Gateway (IAG). Error Logging and Process Tracing on page 307 describes how you run the IAG centralized logging and tracing mechanisms. Log File Cleanup on page 313 describes the log file cleanup for IAG and IIS log files and the manner in which they are implemented; this section also provides instructions for configuring the log file cleanup process and for excluding IIS log files from the cleanup process. Support Utilities on page 319 describes how you run support utilities tests. Restarting the Web Service in the IIS on page 321 is required during some of the procedures relating to the IAG filter. Backup & Restore Utility: The Backup & Restore utility is comprised of the B
397. tion Gateway Advanced Configuration guide, Appendix C, Form Authentication Engine. The evaluator is defined in the <LOGIN_EVALUATOR> element. The failure is most likely caused by the <HEADER> sub-element. Warning 87: Service Policy Manager Login Failed. Symptoms: When attempting to log in to the Service Policy Manager program, the login fails and the following message is displayed: "Incorrect Password". Cause: Incorrect password used. Resolution: Log in using the correct password. If you forgot the password, you can assign a new password for the Service Policy Manager program as follows: At the IAG, delete the following file: ...\Whale-Com\e-Gap\common\conf\auth.sec. When you next access the Service Policy Manager, you are prompted to assign a new password. Note: The password must contain at least six digits. Changing the password in this manner is global and affects the Configuration program as well. Warning 91: Passphrase Entry Failed. Symptoms: The IAG administrator is prompted to enter a passphrase while working with the IAG, for example when activating the configuration. After submitting the passphrase, a message informs the administrator that the passphrase is incorrect. Cause: Incorrect passphrase used. Resolution: Enter the correct passphrase. Warning 93: HTTP Request Smuggling (HRS) Attempt. Symptoms: A remote
398. tivated since the file was last checked, the process starts tracing them. If any of the parameters in the existing traces were changed since the last refresh, the process applies the new parameters. Maximum file size, in bytes (error log files; trace log files). Log file cleanup parameters: N/A. Note: These parameters are defined in the Configuration program and should not be changed in the configuration file. For instructions on configuring these parameters, see Configuring Log File Cleanup Parameters on page 317. Select whether to report errors, which are reported in the error log, in the trace log files as well. If this parameter is configured in both the individual and the general Trace sections, the individual settings take precedence. Sample trace.ini General Configuration Section:
[Trace]
refresh=60
max_size=1468006
high_water=100
low_water=50
instances_kept=3
report_errors=yes
Note: The high_water, low_water and instances_kept parameters are derived from Configuration program definitions. Trace Activation: When the IAG processes are activated, each of the processes examines the trace configuration file. At this time, any changes in the file relevant to that process, such as new traces or changes to existing traces, are activated. In addition, the general parameters and the log file cleanup parame
399. tivity Window Buttons: The following table describes the buttons of the Portal Activity window. (Java applet only) Disconnects the item that is currently selected in the Connections area. If you select a channel, this button disconnects the channel, including all the connections that are open through the channel. If you select a single connection, this button disconnects it. Note: Disconnecting a connection does not always completely disconnect the application. For applications that support reconnection, the tunnel listener remains open to allow reconnection, if required. Displays the open relay of the currently selected application. Takes you to the portal homepage of the selected channel or connection, without closing the Portal Activity window. Closes all open channels and connections and exits the Portal Activity window. When using the ActiveX component, the Portal Activity icon is no longer displayed in the Windows System tray. Hides the Portal Activity window. To show the window again: when using the ActiveX component, either double-click the Portal Activity icon or right-click it and select Show Status; you can also click the Portal Activity icon on the portal homepage. When using the Java applet, click the Portal Activity icon on the portal homepage. Chapter 7: Network Connector. The Network Connect
400. to the user's Trusted Sites list with no user intervention. For details refer to Remote Configuration of Users' Trusted Sites Lists on page 162. Users can add the IAG site to their Trusted Sites list on demand, as shown in the sample prompt below. Security Alert: "The following site is about to launch one or more applications on your computer or retrieve security information from your computer: https://mportal.microsoft.com. Trust this site: Temporarily, until disconnect from this site / For a limited period of ... days." Once users add a site or a number of sites to the list, they can remove them from the list via the System Information window, by clicking the button Delete user-defined Trusted Sites list; this removes all the user-defined sites from the list. [Screenshot: System Information window at https://mportal.microsoft.com listing the Whale Client Components (Whale Component Manager, Endpoint Detection, SSL Wrapper, SSL Wrapper Java Applet, Socket Forwarder LSP/NSP, Network Connector Client and Driver, Attachment Wiper, Anti-virus) and the Delete user-defined Trusted Sites list button.]
401. to activate the configuration, select the option Apply changes made to external configuration settings and click Activate. Once the configuration is activated, the messages you configured here are reported to the applicable reporter or reporters. Event Logging Message Definitions File. Note: This section describes the message definitions file. For instructions on the steps you need to take in order to edit the file, refer to Configuring Event Messages in the Message Definitions File on page 249. Do not make changes to the default file supplied with the IAG. The message definitions file, MessageDefinition.xml, holds the definitions of all event messages under the root <Messages> element. Each message is defined in a dedicated <Message> sub-element. You can edit existing messages or define new messages according to the description and guidelines in <Message> on page 250. Caution: Element names are case-sensitive. Be sure to follow the guidelines provided here; message definitions that do not follow these guidelines may result in wrong or missing reports. In version 2 of the file, introduced in version 3.5, a new element was added under each <Param> element: <Binary>, described on page 255. If you are editing a version 2 file and you copy into it custom elements which were originally created or edited in a version 1 file, be sure to add one <Binary> element under each
402. to identify software developers. Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). [Examine CA certificate] 3. Click OK. The certificate is installed on the computer. Once the certificate is installed, the Certified Endpoint window indicates that this computer is now certified: "This computer is now Certified. Your new certificate has been successfully installed. In order for your changes to take effect, please close all browser windows." 4. Click Close to close the Certified Endpoint window. Your computer is now granted Certified Endpoint privileges, as set by the administrator. 5. Close all open browser windows, then re-access the portal and log in. The Client Authentication dialog box is displayed: "Identification: The Web site you want to view requests identification. Select the certificate to use when connecting." 6. Select a certificate from the list and click OK. The login process is complete and you are logged on as a Certified Endpoint. The Certified Endpoint button or link is no longer available. Tip: If your portal homepage includes the Whale toolbar, you can click to
403. to the look and feel of the portal homepage, refer to the Intelligent Application Gateway Advanced Configuration guide, Portal Homepage Configuration on page 54. Some of the applications you can enable through the portal require additional configuration. For details refer to the Intelligent Application Gateway Application Aware Settings guide. Additional advanced configuration options, which are not covered in this chapter, are described in Where To Go From Here on page 49. Creating an SSL VPN Portal. Note: Before you start the configuration process, log on to Windows with full administrator privileges. The first time you access either the Configuration program or the Service Policy Manager, you are required to create an encryption key and passphrase for the IAG. The key and passphrase serve both IAG applications, so that this action is only required once; when you subsequently access either application, you use the same passphrase. Additional information is available as follows: For an overview of the encryption mechanism, see Encryption on page 21. For details on how to create the encryption keys and passphrase, refer to the Intelligent Application Gateway Advanced Configuration guide, Creating Encryption Keys on page 20. You create an SSL VPN Portal in these stages: You can optionally use the Service Policy Manager to pre-configure th
404. tomUpdate. 2. Under the folder you accessed in step 1, create the following file: If you wish the changes you make to affect all trunks, create the file InstallXml.inc. If you wish the changes you make to be applied to a specific trunk, create the following file: <Trunk_Name><Secure (0=no, 1=yes)>InstallXml.inc. For example, for an HTTPS trunk named MyTrunk, create the file mytrunk1InstallXml.inc. If such a file already exists, use the existing file. 3. Copy the following lines into the file you created in step 2:
<%
Response.write "<Component Name=""SSL Wrapper"" ID=""1"" Install=""1""/>"
Response.write "<Component Name=""Network Connector"" ID=""17"" Install=""1""/>"
if uninstall_lln = 0 and remove_lln = 0 then
    Response.write "<Component Name=""Socket Forwarding"" ID=""8"" Install=""1""/>"
    Response.write "<Component Name=""Socket Forwarding activation Basic"" ID=""33"" Install=""1""/>"
    Response.write "<Component Name=""Socket Forwarding activation Extended"" ID=""65"" Install=""1""/>"
    Response.write "<Component Name=""Socket Forwarding activation VPN"" ID=""129"" Install=""1""/>"
end if
%>
4. Comment out the lines that are not applicable by adding a comment mark at the beginning of the line, where: The following line adds the SSL Wrapper component to the list
405. tomizing User Information Properties on page 132. 3. At the bottom right corner of the screen, click Submit. A message is displayed, prompting you to confirm the request for a certificate. 4. Click to request a certificate. Depending on your organization's certification policy, one of the following is displayed: If the certificate is issued immediately, you are notified in the Certified Endpoint window that the certificate has been issued ("Certificate Issued") and are prompted to install the certificate on your computer. Refer to Installing the Certificate and Logging In as a Certified Endpoint User on page 144 for further details. If the certificate is not issued immediately, the Certified Endpoint window indicates that the Certified Endpoint request is in progress: "Certified Endpoint Request in Progress. Your request for making this computer certified has been received. You must now wait for an administrator to issue the certificate. In the meanwhile, you can continue using all available portal options. Your Request Id is 13. Please check the status of your request in a day or two, using the Check your Certified Endpoint request status link on the Portal Homepage. Note: you must access the link withi
406. tore Defaults / Activate Network Connector / Cancel [controls of the Network Connector Server dialog box]. Remote User Interaction with the Network Connector: Remote users launch the Network Connector client via the Network Connector application link on the portal homepage. Note: Only one Network Connector client can run on a computer at a time. It is recommended that, while the Network Connector is active, you do not access other IAG portal sites. Once the application is launched, users are connected to the internal network. They can access and be accessed by other network computers. They can run additional internal applications without having to launch the application from the portal homepage. Users' interaction with the Network Connector depends on the SSL Wrapper client component that is installed on their computer, as described in Interaction on Computers Running the SSL Wrapper ActiveX Component on page 201 and Interaction on Computers Running the SSL Wrapper Java Applet on page 202. Tip: For a description of when a computer runs each of the SSL Wrapper clients, refer to Whale Client Components on page 147. Interaction on Computers Running the SSL Wrapper ActiveX Component: On computers that run the SSL Wrapper ActiveX client component, once the Network Connector client is running, the traffic of all non-web applications that are launched th
407. trates a sample File Access environment where the IAG joins an existing domain. Figure 38: Sample Environment with IAG as Part of Domain [diagram: File Access users inside the domain, the Intelligent Application Gateway with its external IP interface and internal IP interface, and the File Access resource running the File Access application]. Steps you need to take if you are joining the IAG to a Windows NT 4.0 domain or an Active Directory Mixed Mode domain: 1. At the IAG, in the Windows desktop, click Start, then select Programs > Administrative Tools > Local Security Policy. The Local Security Settings window is displayed. 2. In the Tree pane, select Local Policies > Security Options. [Screenshot: Local Security Settings window, Security Options, showing the Domain member policies: Digitally encrypt secure channel data (when possible), Digitally sign secure channel data (when possible), Disable machine account password changes, Maximum machine account password age, Require strong (Windows 2000 or later) session key.]
408. ts full connectivity over a virtual transparent connection, and enables you to install, run and manage remote connections as if they were part of the corporate network. For details refer to Chapter 7, Network Connector. Tip: For a description of how the SSL Wrapper is used to handle unsigned HTTP requests generated by both web applications and non-web application components, refer to the Intelligent Application Gateway Advanced Configuration guide, HAT via Proxy on page 338. Socket Forwarding Activation Modes: The Socket Forwarding component comprises two modules: Winsock2 Layered Service Provider (LSP) and Name Service Provider (NSP). When an application uses Winsock, Windows will load either the NSP module (when the application performs a name resolution) and/or the LSP module (when the application uses sockets to connect to a remote server). The NSP and LSP modules intercept every networking activity performed by the application. Though this interception should not pose any problem and is completely transparent to the application, there is a slight possibility that the application will not function correctly because of the NSP/LSP interception. To minimize the risk of potential problems, certain applications are included in the LSP/NSP modules' block list. Based on this list, the NSP and LSP modules can completely disable themselves and stop intercepting networ
409. ts. 2. Use the Built In tab to configure the settings of the built-in reporter. Note: If you disable the built-in reporter, you will not be able to query logs in the Web Monitor. It is recommended that the location where the log files are saved is on the IAG. Configuring the RADIUS Reporter: The RADIUS reporter logs event information to a RADIUS Accounting server. This information can then be exported in a format that any standard reporting utility can read, and visual statistics about the users and applications can be generated. Tip: You can install a Windows RADIUS Accounting server on the IAG and log the information there. To configure the RADIUS reporter: 1. In the Configuration program, on the Admin menu, click Event Logging. The Event Logging dialog box is displayed. 2. Select the RADIUS tab and check the Enable option. [Screenshot: Event Logging dialog box, RADIUS tab, with the IP Host, Port (1813), Alternate IP Host, Alternate Port (1813) and Secret Key fields.] 3. Define the RADIUS Accounting settings as follows. Table 25 RADIUS Tab Parameters: IP Host: IP address or hostname of the RADIUS Accounting server. Port: Port number of the RADIUS Accounting server. Table 25 RADIUS Tab Parameters (Cont'd), Parameter / Description:
410. ttempt fails and the computer is not connected via the Network Connector. Prompt: the user is prompted to select whether to fail the connection attempt or to skip this network and connect to the other networks via the Network Connector. Skip: the connection to this network is skipped; the computer is connected to all the other networks via the Network Connector.

To configure additional networks:

1. In the Additional Networks tab, activate the option Enable Access to the Following Additional Networks.

2. Click Add and use the Add Network dialog box to define the network, including IP address, mask and conflict handling.

Note: Make sure that the network's IP address and mask are valid and do not overlap with the network that is defined in the IP Provisioning tab; invalid parameters may cause errors when remote users attempt to connect via the Network Connector.

3. Repeat step 2 to configure additional networks. You can add up to seven networks here.

Figure 33 Sample Additional Networks Tab (screenshot of the Network Connector Server window: Network Segment, IP Provisioning, Access Control, Additional Networks, Advanced, Conflict Handling, Activate Network Connector).

Advanced Tab

Use this tab to configure advanced server settings. The Listener area defines the listener of the Network Connector server.

Note: The p
411. u need to add links to the applications on your custom homepage, as described in the Intelligent Application Gateway Advanced Configuration guide, in Adding Application Links on a Custom Portal Homepage on page 63. Some of the applications require additional setup. For details, refer to the Intelligent Application Gateway Application Aware Settings guide.

Remote User Interaction with the SSL Wrapper

Note: In the Session tab of the Advanced Trunk Configuration window, you determine the behavior of SSL Wrapper applications when the portal window closes without the user having logged off the site, such as when the browser crashes or when the user accesses a non-portal page from within the portal. This is configured in the following options: Prompt User to Disconnect Channel when Portal Closed without Logoff; Re-open Portal if User Selects to Keep Channel Open. You can configure different settings for default and privileged sessions. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Default and Privileged Session Settings on page 137.

Remote users access SSL Wrapper applications via the portal homepage. You access the Portal Activity Window, described in Portal Activity Window on page 184, as follows. Portal trunk: when one or more SSL Wrapper applications run on a client, users can view the status and activi
412. unched via the portal homepage are not tunneled through the Network Connector client in this setup. In addition, while end users are connected via the Network Connector, they can launch any web application directly (not via the portal), including applications that are not defined as portal applications and applications that are not supported by the IAG. Portal web applications can still be launched from the portal as usual.

Note: Disconnecting the Network Connector client disconnects all the applications that are tunneled through it. It does not, however, disconnect applications that were not tunneled through the Network Connector.

Network Connector Troubleshooting

This section describes the Network Connector troubleshooting options, including: Troubleshooting the Network Connector Server on page 203; Troubleshooting the Network Connector Client on page 206.

Troubleshooting the Network Connector Server

This section describes how you can troubleshoot the Network Connector Server, as follows: Server Logs on page 204; Server Resources on page 205; Network Traffic Logs on page 205.

Server Logs

The Log section of the Advanced tab of the Network Connector Server window defines the Network Connector server's logging parameters.

Figure 35 Advanced Tab, Log Area (screenshot with the fields Log Level, Log Path and Server Executable Path).
413. unk is related to the type of data being transferred: HTTP or HTTPS. Each trunk is divided into two channels, one incoming and one outgoing, allowing for bi-directional data flow. You can configure three types of trunks:

- Portal trunk: a forked, one-to-many connection where the same IP address is used to access multiple applications. Use it to enable access to any number of web and non-web applications, for both out-of-the-box and generic applications.
- Webmail trunk: a one-to-one connection enabling access to a single Webmail application. A Webmail trunk is automatically created with authentication, application customization and URL inspection rules that are optimized for the Webmail application you are running.
- Basic trunk: a one-to-one straight line where one IP address routes to a single web server, enabling access to any generic web application.

Supported Browsers

On endpoint computers, the following browsers are supported:

Table 1 Supported Browsers
Operating System - Supported Browsers
Windows 2000 - Internet Explorer 6.0; Mozilla family: Netscape Navigator 7.1.x, 7.2.x, Mozilla 1.7.x, Firefox 1.0.x and higher.
Windows XP/2003 - Internet Explorer 6.0, 7.0; Mozilla family: Netscape Navigator 7.1.x, 7.2.x, Mozilla 1.7.x, Firefox 1.0.x and higher.
Windows Mobile 2003 - Pocket Internet Explorer for Pocket PC.
414. ure digital certificates and Certificate Authorities. In order to register a computer as a Certified Endpoint, end users need to install a unique certificate, provided by the organization, on their computers. To provide users with the required certificate, this feature may make use of any Certificate Authority (CA) installed on a remote computer (any computer other than the IAG). In addition, for Portal trunks, the IAG provides built-in support for a Microsoft CA installed locally on the IAG.

Note:
- The Certified Endpoint feature is only supported on HTTPS trunks.
- Activating the option Disable Component Installation and Activation in the Session tab of the Advanced Trunk Configuration window disables the Certified Endpoints feature. For details, refer to the Intelligent Application Gateway Advanced Configuration guide, Session Configuration on page 133.

Certified Endpoint Configuration Overview

There are two ways of setting up the Certified Endpoint feature, depending on where the CA is installed:

- Using a Microsoft CA installed on the IAG. This setup is only applicable for Portal trunks and is described in Enabling Certified Endpoint Using Microsoft CA Locally on page 119.
- Using any CA installed on a remote computer. This setup can be used with any HTTPS trunk and is described in Enabling Certified Endpoints Using a Remote CA on page 122.
415. uring tests. In the message box, the alarm icon indicates an alarm. Alarms should be handled immediately, as they indicate serious IAG problems. The warning icon indicates a warning. Warnings contain information you may need to take into consideration, but which does not necessarily have an immediate effect on the operation of the IAG. After viewing the message box, click in the message box to continue running the tests.

To run a Support Utilities test:

1. On the IAG, open a Command prompt and enter the command string in this format:

whltest <option> <option> <name> <name>

where <option> indicates a required test option and <name> contains the name of the test you wish to run. For example, whltest n system, where one test (system) is run with one option (n).

2. Press <Enter>. The test is run according to the parameters you entered in the command line.

A log file is created whenever a test is run, containing any alarms or warnings as well as general information gathered during the tests. The log file is named according to the IAG trace mechanism log file conventions, described in File Location and Naming on page 311.

Note: For security reasons, it is recommended that you delete the Support Utilities log files after viewing them, including deletion from the Windows Recycle Bin, since they are not encrypted and contain the results o
416. us definitions of the Norton anti-virus were updated within the last seven days can be defined as follows:

DateDiff("d", Components_AV_Norton_LastUpdate, Now) < 7

Tip: To see a sample expression, in the Policies dialog box select the expression Symantec Norton Anti-Virus Up To Date Sample and click Edit. For details, refer to Configuration in the Advanced Policy Editor on page 106.

Configuration in the Advanced Policy Editor

This section describes how you use the Advanced Policy Editor to edit and create policies and expressions in Script mode. For details on creating policies in Basic mode, refer to Basic Policy Configuration on page 103.

To configure policies and expressions in Script mode:

1. Access the Policies dialog box, as described in Basic Policy Configuration on page 103.

2. Do one of the following:
- To edit an existing policy, select the policy and click Edit.
- To edit an existing expression, click the + sign to expand the Expressions group, select the expression you wish to edit, then click Edit.
- To create a new policy or expression, click Add. In this case the basic Policy Editor is displayed; to access the Advanced Policy Editor, click Create As Script.

The Advanced Policy Editor is displayed.

Figure 19 Sample Policy Editor (screenshot of the Advanced Policy Editor with the Components and Expressions groups).
417. user attempts to access an application from the portal homepage. The request is denied and the following message is displayed in the browser window: HTTP Request Smuggling (HRS) attempt detected.

Cause: The request is suspected of being an HRS attack, as indicated by its method, content type and length.

Resolution: To define this request as legal for this application, take the following steps in the Configuration program:

1. Open the Application Properties dialog box for this application and access the Web Server Security tab.

2. If the option Activate Smuggling Protection is not already activated, activate it.

Caution: Activate this option only for servers that are vulnerable to HRS attacks, such as IIS 5.0-based servers. Activating this option unnecessarily or configuring it inaccurately might result in application malfunction.

3. Configure the option to enable the request by doing one or both of the following: add the request's content type to the Content Types list; define the Max HTTP Body Size option to be equal to or larger than the size of the request. For details, refer to Web Server Security Tab on page 78.

Warning 94 Unencrypted Cookie Name

Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected. However, a Cookie header in the request is blocked and is not forwarded to t
418. users can proceed to make their computers Certified Endpoints in one of the following ways:

- Local CA installation, as described in End User Interaction (Local CA Only) on page 140.
- Remote CA installation: end users need to request a certificate by means determined by the administrator.

Backing Up the Certificate Settings (All CAs)

Make sure that you have a backup of the private key. If not, create backup files via the certificate store. After the initial backup, make sure to back up the certificate settings from time to time, especially before any IAG software upgrade or installation, or any other changes to system settings.

Tip: For instructions on how to back up the certificate, see http://www.thawte.com/ssl digital certificates hni iis6 html

End User Interaction (Local CA Only)

Note: This section is applicable only if the CA is installed locally on the IAG.

Once the Certified Endpoint Enrollment application is added to the trunk, the appropriate tools need to be added to the end user pages. The available tools depend on whether you are using the default portal homepage or your own custom page, as follows:

- If you use the default portal homepage, the following happens automatically: the Certified Endpoint button is added to the Whale toolbar, and a Certified Endpoint link, Make this computer certified, is added to the portal homepage.
- If you use a custom page, you must ensure that one or bot
419. ut significant condition, such as users changing their password. Warning: events that might be problematic but don't result in malfunction, for example an unauthorized access attempt. Error: a significant problem, such as a failure to read the configuration.

Time - When the event occurred.

Message ID - Tip: For Warning and Error messages, click the ID number to view troubleshooting information for the message.

Short description of the event. Events are categorized as follows: System events, such as service startup and shutdown and changes to the configuration; Security events, including login success or failure, security policy violation or change, and password change; Session events, including session start or stop, number of sessions and other session-related events; Application events, such as access to the application.

Table 37 Event Parameters (Cont'd)
Parameter - Description
Trunk - Name of the trunk where the event was generated.
Description - Long description of the event.

Event Query

In the Event Query window, you can query events that are recorded by the built-in reporter of the Event Logging mechanism. For a description of the Event Logging mechanism, see Event Logging on page 237. For a description of the built-in reporter, including configuration instructions, see Configuring the Built In Reporter on page 242.

Note: If you disable the built-in
420. uthentication and User Group Servers dialog box, the Novell Directory server you defined is added to the list of authentication servers. (Screenshot: Authentication and User Group Servers dialog box, Novell Directory Server added to the list.)

Close the Authentication and User Group Servers dialog box.

In the main window of the Configuration program, next to Advanced Trunk Configuration, click the button to open the Advanced Trunk Configuration window.

Select the Authentication tab.

In the Authentication tab, in the top left area, click the button to the right of the Select Authentication Servers list. (Screenshot: Authenticate User on Session Login; Select Authentication Servers.)

The Authentication and User Group Servers dialog box is displayed.

In the Authentication and User Group Servers dialog box, select the server you defined in step 3, then click Select. The Authentication and User Group Servers dialog box closes. In the Authentication tab, the Novell Directory server you defined is added to the list of servers. (Screenshot: Authentication tab, Novell Directory Server added to the list.)
421. vating this option protects the application against HTTP Request Smuggling attacks by blocking requests where the following conditions prevail: the method is POST, and either the content type is not listed in the content type list, or the length is larger than the size defined here, or both.

Caution: Activate this option only for servers that are vulnerable to HRS attacks, such as IIS 5.0-based servers. Activating this option unnecessarily or configuring it inaccurately might result in application malfunction.

POST requests of a content type other than the types listed here are blocked if they are larger than the size defined in Max HTTP Body Size. POST requests of a size larger than defined here are blocked if they are not listed in the Content Types list.

Cookie Encryption Tab

This tab is applicable in Portal trunks only, for Web Applications and Browser Embedded Applications. You can use it to encrypt the application server's Set-Cookie headers in order to hide cookie names and values and protect them against unauthorized changes.

Note: Once a cookie is encrypted, it cannot be manipulated by the application customizer's <HEADER_CHANGE> element. For details, refer to the Intelligent Application Gateway Advanced Configuration guide; application customizers are described in Chapter 7, Application Customizers. The <HEADER_CHANGE> element
422. vents can be logged by several reporters, including both IAG tools and third-party network reporting solutions, as described in Event Logging on page 237. The Web Monitor enables anywhere, anytime snapshot viewing of IAG events, as well as event filtering and analysis. Where an IAG High Availability Array is deployed, you can use the Web Monitor to monitor all the IAG servers that are part of the Array. For details, refer to Web Monitor on page 258. You can monitor SSL connection attempts in the Windows Event Viewer, as described in SSL Event Monitoring on page 301.

Event Logging

This section describes the IAG Event Logging, as follows. The Event Logging mechanism is described in Overview on page 238. Although by default no configuration is required in order for Event Logging to work, and IAG-related events are logged and reported with no user intervention, several configuration options are available to you if you wish to adapt message reporting to your needs. Those are listed in Optional Event Logging Configuration Steps on page 239 and are described in detail in the subsequent sections. For advanced troubleshooting purposes, you can temporarily disable the Event Logging mechanism altogether, as described in Disabling Event Logging and Reporting on page 258.

Tip: You can troubleshoot warnings and errors that are reported by the Event Logging mechanism according to the message that is
423. ver Certificate (screenshot: Server Certificate area showing the certificate name and its Certificate Hash). The Server Certificate parameters are applicable in HTTPS Connections trunks only; they do not appear in this tab in HTTP Connections trunks.

3. Edit the parameters in the General tab as required, as described in Advanced Trunk Configuration General Tab on page 63.

4. When you complete editing all the required options for the filter, click OK. The Advanced Trunk Configuration window closes and you are returned to the main window of the Configuration program.

5. In the main window of the Configuration program, click the save button to save and activate the configuration. The trunk will function according to the configured settings.

Table 5 Advanced Trunk Configuration General Tab
The parameters in this tab are: IP Address; HTTP/HTTPS Ports; Site Name; Enable Web Server Logging; Include Username in Log; Debug Mode.
Parameter - Description
IP Address - Read-only IP address of the external website on the IAG. Tip: You can edit the IP address of the external website in the main Configuration window.
HTTP/HTTPS Ports - HTTP and HTTPS ports of the external website. Note: The port that corresponds with the Connections type of this trunk cannot be edited here; you edit it in the main Configuration window. For example, for an HTTP Connections trunk you edit
424. ver Settings Tab on page 85.
- Verify that the application server is running.
- Verify that the application server is reachable from the IAG. If not, check the following: the network connections; the configuration of the ISA firewall rule that enables the connection from the IAG to the application server. For details, examine the ISA logs and alerts and, if necessary, consult ISA troubleshooting.

Warning 76 Failed to Start Application

Symptoms: A remote user attempts to launch an SSL Wrapper application, either via the portal homepage or by logging into a site that automatically launches the application. The request is denied and a message is displayed informing the user that the server failed to execute the application.

Cause: The IAG failed to load and initialize the application profile from the Configuration program. The cause of the error is reported in the message, in the Error field. It can be due to incorrect configuration of the application server in the Configuration program, for example an invalid IP address, port or path.

Resolution: Verify the configuration of the application server in the Configuration program, in the Application Properties dialog box, in the Server Settings tab. For details, refer to Server Settings Tab on page 85.

Warning 77 Unauthorized Access Attempt

Symptoms: A remote user attempts to launch an SSL Wrappe
425. vided in the Description field of the event in the Web Monitor's Event Viewer.

Warning 98 Cookie Value Cannot be Decrypted

Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected. However, a Cookie header in the request is blocked and is not forwarded to the server.

Cause: A cookie encryption violation was detected. An encrypted cookie value could not be decrypted, since it contains an invalid security digest.

Resolution: In the browser that was used to request the page, delete the cookie that was blocked. The name of the cookie is provided in the Description field of the event in the Web Monitor's Event Viewer.

Warning 99 Name of Included Cookie not Encrypted

Symptoms: A remote user requests a page. The request is processed and the user experience is unaffected. However, a Cookie header in the request is blocked and is not forwarded to the server.

Cause: A cookie encryption violation was detected. The cookie name is not encrypted, although it is listed in the cookie encryption include list.

Resolution: In order to enable the browser to send this cookie in an unencrypted form, you need to remove it from the list of cookies that are included in the cookie encryption process. Take the following steps in the Configuration program:

1. Open the Application Properties dialog box for this a
426. whlbackup.log

Backing up the Configuration

You can back up the configuration using one of the following methods:
- From within the Configuration interface, as described in Backing up the Configuration in the Configuration Program on page 304.
- By running a Console application from a Command line, as described in Running the Backup Utility as a Console Application on page 305.

Note: The BackUp utility can be run as is, using the default settings, or can be configured. If you need to configure the utility, contact technical support for further details.

Backing up the Configuration in the Configuration Program

You can select to back up the configuration settings each time you activate the configuration in the Configuration program.

To back up the configuration in the Configuration program:

1. In the Configuration program, when you click the activate button to activate the configuration, the following is displayed (screenshot: Activate Configuration dialog box): We recommend that you back up the configuration settings directly after the initial configuration. Following the initial backup, make sure to back up the configuration settings each time you modify them, in order to ensure that the backup is updated at all times. Back up configuration after activation. If you have made manual changes to any of the external configuration settings, such as changes to XML files or to Reg
427. wnload/Upload tab, described on page 82. The Restricted Zone option is activated in the Web Settings tab, described on page 73.

Web Servers Tab

This tab is available in Portal trunks only, for Built In Services, Web Applications and Browser Embedded Applications. It contains the configuration of the application's web server or servers. The parameters of this tab are described in Table 8 on page 71.

Figure 9 Application Properties, Web Servers Tab (screenshot with the fields Address Type (IP/Host, Subnet, Regular Expression), Addresses, Paths, HTTP Ports, HTTPS Ports and Add Default Port to Host).

Table 8 Web Servers Tab Parameters
The parameters in this tab are: Address Type; IP/Host; Subnet; Regular Expression; Paths; HTTP Ports; HTTPS Ports; Add Default Port to Host.
Parameter - Description
Address Type - Select a method by which to define the address of the application server: IP/Host, Subnet or Regular Expression.
IP/Host - Define an address or multiple addresses, using IP addresses or hostnames, by double-clicking an empty line in the Addresses list and entering an IP address or hostname fo
428. xistence of the most commonly used endpoint security tools, such as anti-virus and personal firewall, as well as client configuration settings, such as Whale Client Components, operating system and user privilege level. For configuration instructions, refer to Basic Policy Configuration on page 103.

Use the Advanced Policy Editor for more complex policies or attributes that are not presented in the basic editor. Once you edit a policy in the Advanced Policy Editor, you will only be able to open it for further editing in the Advanced Policy Editor; you will not be able to revert to editing in the basic Policy Editor. For detailed configuration instructions, refer to Advanced Policy Configuration on page 104.

Note: When you edit a policy, the changes you make affect all the Whale Client Components that use this policy. For example, if the policy is used to control both session access and application access, changes you make to the policy will affect both session and application access. In order to apply changes to a specific component only, create a dedicated policy and use it with the applicable component. All default policies can only be edited in the Advanced Policy Editor, since they contain complex expressions.

Basic Policy Configuration

This section describes how you use the Policy Editor to edit and create policies and expressions in Basic mode. For details on cre
429. y if the application is not located in the root folder. For example, if the application is located under a subfolder named MyApplication, enter MyApplication in this field. Webmail trunks: by default, the default installation path of the application, for example exchange for Microsoft Outlook Web Access applications. If the application resides under a different path, change this field accordingly. This parameter is defined during the creation of the trunk with the Create New Trunk Wizard.

Editing in the General Tab

This section describes the parameters that you can edit in the General tab of the Advanced Configuration window, as illustrated in Figure 5 on page 62.

To edit parameters in the General tab:

1. In the Configuration program, select the trunk in the List pane.

2. In the Security & Networking area, next to Advanced Trunk Configuration, click Configure. The Advanced Trunk Configuration window is displayed.

Figure 5 Advanced Trunk Configuration General Tab (screenshot: tabs Server Name Translation, URL Inspection, Global URL Settings, URL Set, General, Authentication, Session, Application Customization; areas External Website (IP Address, HTTP Port, HTTPS Port), Website Logging (Enable Web Server Logging, Include Username in Log), Debugging (Site Name, Debug Mode), Ser
430. zers. Configuring a High Availability array, as described in Chapter 9, Configuring the High Availability Array. Configuring the Form Authentication engine: the engine handles HTML login and change password forms sent by the application, as described in Appendix C, Form Authentication Engine.

Note: You can delete a trunk in the Configuration program by selecting the trunk in the List pane and selecting Delete from the right-click menu.

Creating a Redirect Trunk

When you create an HTTPS trunk, only HTTPS requests that arrive at the IAG are handled by the trunk. If you want the IAG to automatically redirect HTTP requests to the HTTPS trunk, you can create an additional Redirect trunk, as described in the following procedure. Before you create a Redirect trunk, please note the following:

- Make sure that you have already created the HTTPS trunk to which you wish to redirect HTTP requests. For Webmail and Basic trunks, see Creating a Webmail or a Basic Trunk on page 54. For Portal trunks, refer to Chapter 2, SSL VPN Portals.
- Make sure to complete the definition of all the parameters of the HTTPS Connections trunk before you create the Redirect trunk, including definitions you make in the Configuration program after completing the New Trunk Wizard. If at a later stage you change the IP address or port number of the HTTPS Connections trunk, do on
