About the IAG SSL Wrapper component

Applies To: Intelligent Application Gateway (IAG)

This topic provides reference information about the Whale Communications Intelligent Application Gateway (IAG) Secure Sockets Layer (SSL) Wrapper component.

The SSL Wrapper component is one of the IAG client endpoint components. SSL Wrapper provides secure SSL connectivity for non-Web protocols, such as those used by client/server and legacy applications, from the Internet to the internal network, thus enabling IAG users to safely access back-end applications. Via the portal homepage, remote users can access a range of applications, such as native messaging applications, standard e-mail applications, collaboration tools, connectivity products, and more. The SSL Wrapper component allows granular, per-user and per-server configurations and can be used in conjunction with IAG endpoint security policies, providing for an SSL VPN experience. Multi-platform application support ensures that users can access their applications from computers running Windows, Mac OS X, and Linux operating systems by using a wide range of browsers.

In order for users to run SSL Wrapper applications, the IAG site has to be trusted by the client endpoint. When a user launches an SSL Wrapper application, the SSL Wrapper component verifies the identity of the IAG site against the site's server certificate, and it checks whether the site is on the user's Trusted Sites list; only if the site is trusted will the application launch.

Note that when working with SSL Wrapper applications via an HTTP trunk, tunneled traffic is not encrypted.

Technology overview

When supporting non-Web applications over an SSL connection, SSL Wrapper causes the application traffic at the client endpoint to be tunneled through SSL to the SSL VPN gateway, that is, IAG. The SSL VPN gateway decrypts the traffic and sends the payload to the application server in the internal network. The IAG Socket Forwarding component add-on, which is based on Layered Service Provider and Named Service Provider technologies, can be used to support a wider variety of applications, such as supporting applications that jump ports, without needing to make on-the-fly changes to the operating system.

Application traffic can be tunneled through SSL by using one of the following relay types:

  • Simple relay—Opens a port on the client endpoint and tunnels the Transmission Control Protocol (TCP) traffic to and from a specific port on the application server. Using this type of relay, in order to communicate with the application server, the application on the endpoint computer needs to communicate through the locally opened port. The SSL Wrapper component makes changes, such as changes to the application settings, registry, or hosts file, in order for the application to communicate through this tunnel.

  • HTTP Proxy and SOCKS Proxy relays—Opens a port on the client endpoint. This port acts as either an HTTP or SOCKS proxy server, and it tunnels the HTTP or SOCKS traffic to and from the application server. Using this type of relay, the application on the client endpoint can communicate through the locally opened port with multiple servers and ports. The SSL Wrapper component makes changes, such as changes to the application settings, registry, or hosts file, in order for the application to communicate through this tunnel. This type of relay enables the SSL VPN proxy to request more than one server, thus enabling the support of dynamic ports.

Note

In browsers where the Java applet is used, when multiple portals are open concurrently, only applications that are launched from the portal that was accessed first can listen on HTTP or SOCKS proxy ports. Users cannot launch applications that use HTTP proxy and SOCKS proxy relays from additional portals.

  • Transparent relay—Automatically creates a relay between the client endpoint and the application server, for every application on the client endpoint that wants to communicate with the internal network. This type of relay is only supported by the IAG Socket Forwarding component and does not require any changes on the endpoint computer.

  • Network Connector—Supports full connectivity over a virtual transparent connection, and enables you to install, run, and manage remote connections, as if they were part of the corporate network. For more information, see About VPN access to the internal network with IAG.
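The following Python script is an added illustration of the simple-relay path described above; it is example code written for this topic, not code from the IAG client or from Whale Communications. It stands up, on loopback, a stand-in application server, a gateway that terminates the tunnel and forwards the payload upstream, and a local relay port that an application on the endpoint would connect to. Every function name, the placeholder gateway name gateway.example, and the use of Python's ssl module to wrap the tunnel (with hostname and certificate verification, as the topic describes for the IAG site) are this example's own assumptions. When no ssl.SSLContext is supplied, the tunnel is plain TCP, which is the unencrypted case the topic notes for HTTP trunks.

```python
import socket
import ssl
import threading

# Added example (not IAG code): models endpoint relay -> gateway -> app server.
# All names and the gateway hostname below are assumptions for this example.


def gateway_client_context(ca_file):
    """TLS context the relay uses to verify the gateway's certificate and
    hostname before any application byte is sent (the 'trusted site' step)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True              # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _pump(src, dst):
    """Copy bytes src -> dst until src reports EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(a, b):
    """Full-duplex copy between two sockets; returns once both directions end."""
    threads = [threading.Thread(target=_pump, args=p, daemon=True) for p in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def serve(handler):
    """Listen on an ephemeral loopback port; returns (port, stop_event)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)                    # lets the accept loop notice stop
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def app_server_handler(conn):
    """Stand-in internal application server: tags and echoes what it receives."""
    with conn:
        conn.sendall(b"APP:" + conn.recv(4096))


def make_gateway_handler(app_addr, server_ctx=None):
    """Gateway side: terminate the tunnel (TLS if server_ctx is given) and
    forward the decrypted payload to the application server."""
    def handler(conn):
        try:
            if server_ctx is not None:
                conn = server_ctx.wrap_socket(conn, server_side=True)
            upstream = socket.create_connection(app_addr)
        except OSError:
            conn.close()
            return
        _bridge(conn, upstream)
    return handler


def make_relay_handler(gateway_addr, gateway_name, client_ctx=None):
    """Endpoint side (simple relay): one tunnel per local connection; with
    client_ctx the gateway identity is verified during the TLS handshake."""
    def handler(conn):
        try:
            tunnel = socket.create_connection(gateway_addr)
            if client_ctx is not None:
                tunnel = client_ctx.wrap_socket(tunnel, server_hostname=gateway_name)
        except OSError:
            conn.close()
            return
        _bridge(conn, tunnel)
    return handler


def run_through_relay(payload, client_ctx=None, server_ctx=None):
    """Bring up all three parts, send payload via the relay port as the
    application would, and return the application server's reply."""
    app_port, stop_app = serve(app_server_handler)
    gw_port, stop_gw = serve(make_gateway_handler(("127.0.0.1", app_port), server_ctx))
    relay_port, stop_relay = serve(
        make_relay_handler(("127.0.0.1", gw_port), "gateway.example", client_ctx))
    try:
        with socket.create_connection(("127.0.0.1", relay_port)) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)      # application finished sending
            chunks = []
            while True:
                data = app.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        for stop in (stop_app, stop_gw, stop_relay):
            stop.set()
```

Calling run_through_relay(b"hello") returns b"APP:hello", showing the bytes crossed the relay port, the tunnel and the gateway hop. To exercise the TLS case, pass gateway_client_context(ca_file) together with a server-side ssl.SSLContext loaded with the gateway's certificate and key; the relay then refuses the tunnel (and closes the application's local connection) when the certificate does not verify or the name does not match gateway.example, which is the behaviour the topic describes for an untrusted site.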

Note that if you are running XCompress on IAG, you need to set the streaming optimization to "Low latency". You can automate the process by copying the file XCompress.js from the following location:

...\Whale-Com\e-Gap\von\samples\CustomHooks

To the following location:

...\Whale-Com\e-Gap\common\bin\CustomHooks

Open the file you copied, and follow the instructions in the file to configure it for your system.

Enabling access to SSL wrapper applications

In order for users to be able to access SSL Wrapper applications, one of the following SSL Wrapper components must run on their computer:

  • SSL Wrapper ActiveX component—This is the recommended mode of operation. Note that some SSL Wrapper applications require users to be logged on with administrator privileges in order to use the application, in cases where changes to the hosts file or the registry have to be made.

    The SSL Wrapper ActiveX component is installed on a client endpoint the first time a user attempts to access an SSL Wrapper application. If an application is configured to operate in Socket Forwarding Mode and the client endpoint meets the Socket Forwarding component installation requirements, the Socket Forwarding component is installed as well. For details, see About the IAG Socket Forwarding component.

  • SSL Wrapper Java applet—Used as a fallback for client endpoints where the SSL Wrapper ActiveX component cannot be installed or run, such as computers running Mac OS X or Linux operating systems, or Windows Internet Explorer where the download and launching of ActiveX components is disabled.

    • The Java applet is supported on the browsers that are supported by IAG, as listed in IAG client endpoint system requirements.

    • In order for the Java applet to run on the endpoint computer, the computer must meet the requirements described in SSL wrapper Java applet prerequisites.

Note that if a personal firewall is installed on the endpoint computer, the following has to be added to the firewall’s trusted applications list:

  • When working via the SSL Wrapper ActiveX component—The client executable whlclnt3.exe.

  • When working via the SSL Wrapper Java applet—The browser’s executable. For example, when browsing with Firefox, add the executable firefox.exe to the list.

SSL wrapper Java applet prerequisites

The following is required in order for the SSL Wrapper Java applet to run on a client endpoint, and for the applications to be accessed via the applet, when the SSL Wrapper ActiveX component cannot be installed or run on the computer:

  • Java Runtime Environment (JRE) version 1.4 and higher must be installed on the computer.

    Java trace level 5 (can be configured in the Java Console window) is not recommended and may cause the Java applet to go into an infinite loop. For more information, see Bug ID: 5097873 at the Sun Developer Network bug database.

  • The following browsers on Mac OS X require the installation of Java Embedding Plugin for Mac OS X:

    • Mozilla

    • Mozilla Firefox

    • Mozilla Camino

    For more information, see Mozilla PlugIn Support on Mac OS X, at the mozdev.org Web site.

  • On the Windows 2000 Server operating system, in Internet Explorer, the Script ActiveX controls marked safe for scripting check box must be selected in the Security Settings of Internet Options.

  • In order for an application to be accessed via the SSL Wrapper Java applet, in the IAG Configuration console, the application's access policy should be configured with the option Enforce Policy Only when Endpoint Detection is Enabled.

    • You activate this option in the Policy Editor. For more information, see Managing IAG client endpoint policies.

    • You select an application's access policy in the Application Setup page of the Add Application Wizard. Once you add an application to the trunk, you can change the selected access policy in the General tab of the Application Properties dialog box.

  • In order to run an application where network aliases have to be created, users have to be logged on to the endpoint computer with sudo privileges for the ifconfig utility.

  • In order to run an application where changes to the hosts file have to be made, users have to be logged on to the endpoint computer with sudo privileges for the hosts file. For information about sudo privileges, see Linux Help - Sudo setup guide at the linux help Web site.

  • On Linux operating systems, console-based applications might require that the xterm application is installed on the client endpoint. If xterm is not installed on the computer, users can manually run the application by opening a terminal and connecting to the relay that was opened for the application. To display an application's relay, select the application in the Portal Activity window, and click Show Relay.

  • On Mac OS X and Linux operating systems, when running a Telnet application that the operating system opened in a Terminal application (Mac OS X) or in xterm (Linux), the user needs to configure the Telnet application to work in Character mode, by entering mode character in the Telnet window. For more information, consult the Telnet manual pages.

Monitoring the activity of applications that the SSL wrapper component runs

The Portal Activity window monitors the activity of applications that the SSL Wrapper component runs. When working with the SSL Wrapper ActiveX component, one window is used to monitor all the IAG sites that are accessed from the computer. When working with the SSL Wrapper Java applet, a separate window opens for each IAG site that is accessed from the computer.

Supported applications

The SSL Wrapper component supports two types of applications:

  • Client/server and legacy applications, also known as "native" applications. These applications are initiated by the SSL Wrapper component, and their configuration data is usually stored locally, on the endpoint computer. For example: Telnet, Citrix Program Neighborhood applications, Microsoft Windows XP and Windows 2000 Terminal Services Clients, and more.

  • Browser-embedded applications are Web initiated. The application's configuration data is usually downloaded from the network at runtime. For example: Citrix NFuse, IBM Websphere Host-On-Demand, Terminal Services Web Client, and more.

Tip

  • For a list of operating systems on which an application is supported, click Help in the Server Settings tab of the Add Application Wizard or the Application Properties dialog box.

Generic applications

This group includes the enhanced generic client applications and the generic carbonized applications:

  • Enhanced generic client applications are non-web applications that run in a console environment.

  • Generic Mac OS X Carbon® Applications are non-web Mac OS X applications that run in a carbon application framework.

For each of these application types, you can select one of the following options, depending on the requirements of the application you are configuring:

  • hosts required: running the application requires the Java applet to make changes to the hosts file on the client endpoint. If changes cannot be made to the file, for example due to insufficient user privileges, the application is not launched, and the relay that was opened for the application is closed.

  • hosts optional: when the application attempts to launch, the Java applet attempts to make changes to the hosts file on the client endpoint. If changes cannot be made to the file, the application is not launched. However, the relay that was opened for the application is left open. Users are presented with a message showing the open relay, so that they can manually run the application.

  • hosts disabled: the Java applet does not have to make changes to the hosts file in order to run the application.
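The three hosts options above, together with the hosts-file change a relay needs (pointing the application's server name at the local relay port), are illustrated by the following added Python example. It is example code written for this topic, not the IAG Java applet's implementation; the function names, the "# iag-relay" marker used to tag and later remove entries, and the returned outcome fields are this example's own assumptions. Any OSError while writing the file (a PermissionError from insufficient privileges, or a missing file) is treated as "changes cannot be made".

```python
import os
import tempfile

# Added example (not IAG code): applies the page's hosts required / optional /
# disabled semantics around a real hosts-file edit. Names are assumptions.

MARKER = "# iag-relay"          # assumed tag so our own lines can be removed later


def add_hosts_entry(hosts_path, hostname, address):
    """Append 'address hostname <marker>' to the hosts file. Raises OSError
    when the file cannot be written (for example, insufficient privileges)."""
    with open(hosts_path, "a", encoding="utf-8") as f:
        f.write(f"{address}\t{hostname}\t{MARKER}\n")


def remove_hosts_entries(hosts_path):
    """Remove every line this tool added; returns how many were removed.
    Meant to run when the application's relay is closed."""
    with open(hosts_path, "r", encoding="utf-8") as f:
        lines = f.readlines()
    kept = [line for line in lines if MARKER not in line]
    with open(hosts_path, "w", encoding="utf-8") as f:
        f.writelines(kept)
    return len(lines) - len(kept)


def launch_with_hosts_mode(mode, hosts_path, hostname, relay_address):
    """Decide whether the application launches and whether its relay stays
    open, following the page's description of each option.

    Returns a dict with keys: launch, relay_open, hosts_changed, message."""
    if mode == "hosts disabled":
        # No hosts-file change needed; relay and application both proceed.
        return {"launch": True, "relay_open": True, "hosts_changed": False, "message": ""}
    if mode not in ("hosts required", "hosts optional"):
        raise ValueError(f"unknown hosts mode: {mode!r}")
    try:
        add_hosts_entry(hosts_path, hostname, relay_address)
    except OSError as exc:
        if mode == "hosts required":
            # Change failed: do not launch, and close the relay that was opened.
            return {"launch": False, "relay_open": False, "hosts_changed": False,
                    "message": f"cannot update {hosts_path}: {exc}; relay closed"}
        # hosts optional: do not launch, but leave the relay open and tell the
        # user where it is so the application can be started manually.
        return {"launch": False, "relay_open": True, "hosts_changed": False,
                "message": f"cannot update {hosts_path}: {exc}; "
                           f"relay left open at {relay_address}, run the application manually"}
    return {"launch": True, "relay_open": True, "hosts_changed": True, "message": ""}


def demo():
    """Run all three modes against a writable temp file and an unwritable
    path (a file inside a directory that does not exist); returns results."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        with open(hosts, "w", encoding="utf-8") as f:
            f.write("127.0.0.1\tlocalhost\n")        # constructed starting content
        missing = os.path.join(tmp, "no-such-dir", "hosts")
        results = {
            "required_ok": launch_with_hosts_mode("hosts required", hosts, "app.corp.example", "127.0.0.2"),
            "required_fail": launch_with_hosts_mode("hosts required", missing, "app.corp.example", "127.0.0.2"),
            "optional_fail": launch_with_hosts_mode("hosts optional", missing, "app.corp.example", "127.0.0.2"),
            "disabled": launch_with_hosts_mode("hosts disabled", missing, "app.corp.example", "127.0.0.2"),
        }
        results["removed"] = remove_hosts_entries(hosts)
        with open(hosts, encoding="utf-8") as f:
            results["restored"] = f.read() == "127.0.0.1\tlocalhost\n"
        return results
```

demo() shows the four outcomes side by side: hosts required succeeds only when the write works and otherwise reports the relay closed; hosts optional fails to launch but keeps the relay open and names it in the message; hosts disabled never touches the file. The marker-based removal restores the file exactly when the relay is torn down, which is the cleanup a defender should expect from any tool that edits the hosts file.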

Configuration overview

You enable remote access to SSL Wrapper applications via a portal. You can enable an unlimited number of applications with a single portal.

  • For information about creating a portal, see Publishing applications in an IAG portal.

  • For out-of-the-box applications where the Socket Forwarding component is required, socket forwarding is enabled by default. In order to enable the Socket Forwarding component for other applications, once you add the application to the trunk, select the required Socket Forwarding Mode in the Application Properties dialog box, in the Client Settings tab. For more information, see About the IAG Socket Forwarding component.

  • If you do not use the default portal homepage supplied with IAG, you need to add links to the applications on your custom homepage. For more information, see Creating a custom IAG portal home page.

  • Some of the applications require additional setup. For details, refer to IAG Application Aware Help.

Remote user interaction

Note

In the Session tab of the Advanced Trunk Configuration window, you determine the behavior of SSL Wrapper applications when the portal window closes without the user having logged off the site, such as when the browser crashes, or when the user accesses a non-portal page from within the portal. This is configured in the following options:

  • Prompt User to Disconnect Channel when Portal Closed without Logoff

  • Re-open Portal if User Selects to Keep Channel Open

    You can configure different settings for default and privileged sessions. For more information, see Managing client endpoints during an IAG session.

Remote users access SSL Wrapper applications via the portal homepage. You access the Portal Activity window as follows:

  • Portal trunk: when one or more SSL Wrapper applications run on a client, users can view the status and activities of the applications as follows:

    • On computers where the SSL Wrapper ActiveX component is used, a Portal Activity icon is added to the Windows System tray (to the right of the Windows taskbar). Double-clicking this icon opens the Portal Activity window.

      When the Network Connector is activated, the icon changes. For more information, see About VPN access to the internal network with IAG.

    • On computers where the SSL Wrapper Java applet is used, the Portal Activity - SSL Wrapper Java Client window opens as soon as an SSL Wrapper application is launched on the computer.

  • Webmail trunk: when an SSL Wrapper application runs on a client, a Portal Activity icon is added to the Windows System tray (to the right of the Windows taskbar). Double-clicking this icon opens the Portal Activity window.

Clicking the Portal Activity icon, on the portal toolbar, brings the Portal Activity window to the front of the screen.

Note

If the endpoint browser or the client Java Plugin is set to connect to the Web via a proxy, the SSL Wrapper Java applet attempts to connect to the IAG site via the same proxy, using the applicable setting (except for Firefox browsers, when the browser is set to connect to the Web via a proxy and the Java Plugin is set to use the browser settings).

Portal activity window

The Portal Activity window monitors the activity of the applications that are run by the SSL Wrapper client.

  • When working via the SSL Wrapper ActiveX component, one Portal Activity window is used to monitor all IAG sites that are accessed from the computer.

  • When working via the SSL Wrapper Java applet, a separate Portal Activity window opens for each IAG site that is accessed from the computer.

Tip

For a description of the Portal Activity window when the Network Connector is running on the computer, refer to Interaction on Computers Running the SSL Wrapper ActiveX Component.

Note

Closing the window disconnects all the applications that are tunneled through the SSL Wrapper Java applet.

The Portal Activity window is divided into two main areas:

  • Connections Area

  • Applications Area

Connections area

The Connections area of the Portal Activity window displays:

  • Active channel or channels between the client and the trunk or trunks to which the client is connected (one channel per portal or trunk).

  • Under each channel, the connection or connections that are currently open through the channel.

When you hover over a connection, you can see the following details regarding the connection:

  • Address: IP address and port number

  • Connection's connectivity option: SOCKS or Relay

  • Date and time when the connection was established

When you double-click a connection, you can see the number of bytes sent.

Applications area

The Applications area of the Portal Activity window displays a list of the applications that were launched since the SSL Wrapper client was started.

When you double-click an application, you can see the following details regarding the application:

  • Application name

  • Date and time when the application was launched

  • For client/server and legacy applications, the application command line.

  • For browser-embedded applications, the text "Web Application" is displayed.

Portal Activity window buttons

The following table describes the buttons of the Portal Activity window.

Button Description

Disconnect

Disconnects the item that is currently selected in the Connections area:

  • If you select a channel, this button disconnects the channel, including all the connections that are open through the channel.

  • If you select a single connection, this button disconnects it.

    Note

    Disconnecting a connection does not always completely disconnect the application. For applications that support reconnection, the tunnel listener remains open to allow reconnection if required.

Show Relay

(Java applet only)

Displays the open relay of the currently selected application.

Homepage

Takes you to the portal homepage of the selected channel or connection, without closing the Portal Activity window.

Exit

Closes all open channels and connections and exits the Portal Activity window. When using the ActiveX component, the Portal Activity icon is no longer displayed in the Windows System tray.

Hide

Hides the Portal Activity window. To show the window again:

  • When using the ActiveX component: either double-click the Portal Activity icon or right-click it and select Show Status. You can also click the Portal Activity icon on the portal homepage.

  • When using the Java applet: click the Portal Activity icon on the portal homepage.