Configuring certified IAG client endpoints

Applies To: Intelligent Application Gateway (IAG)

A Whale Communications Intelligent Application Gateway (IAG) 2007 certified endpoint is a client endpoint that has been certified by the IAG server by using a client certificate. You can deploy client certificates to client endpoints as follows:

  • For portal trunks, from a certification authority (CA) installed locally on the IAG server

  • By setting up a remote CA

Note that the certified endpoint feature is only supported on HTTPS trunks.

Setting up certified endpoints requires actions on both the IAG server and on the client endpoint. To configure a certified endpoint do the following:

  1. Prepare a CA. If you do not have a CA in your organization, install and configure a local or remote CA to issue client certificates. For more information, see Setting up a CA on the IAG server and Setting up a remote CA for IAG.

  2. Prepare client endpoints running Windows Internet Explorer. Before activating the certified endpoint feature, ensure that end users who use Internet Explorer have prepared their endpoint computers as described in Preparing client endpoints that use Internet Explorer.

  3. Add the Certified Endpoint Enrollment application to the trunk publishing the portal or single application.

  4. Enable the certified endpoints for a portal or application session.

  5. End users submit a request to make a client endpoint certified. If the organization's policy does not issue certificates immediately, users should check the certified endpoint status periodically. After a certificate is issued, client endpoints can install the certificate and log on as a certified endpoint user.

Preparing client endpoints that use Internet Explorer

This section is only relevant for client endpoints using Internet Explorer. No preparation is required for other browsers. Before you activate the certified endpoint option, make sure that end users who are using Internet Explorer prepare their endpoints as follows.

To prepare Internet Explorer browsers for client endpoint certification

  1. Configure the browser to enable downloading and launching of signed ActiveX objects.

  2. For computers running Windows 2000 Server or Windows XP, power-user permissions are required for the current user (this applies to all programs downloaded on the computer running Windows 2000 Server or Windows XP).

  3. Install Microsoft security update 323172. This patch resolves the “Flaw in Digital Certificate Enrollment Component Allows Certificate Deletion” security vulnerability. The update can be downloaded from the following locations:
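Step 1 of this procedure depends on the Internet Explorer security-zone settings for signed ActiveX controls. The following PowerShell script is an added example, not part of the IAG documentation: it reads the per-user zone settings that govern downloading and running signed ActiveX controls, reports whether each zone permits them, and can map the portal host into the Trusted sites zone so that the setting only needs to be relaxed for the portal rather than for the whole Internet zone. The registry key and value names are the documented Internet Explorer zone settings; the host name portal.example.com is a constructed placeholder.

```powershell
# Added example, not part of the IAG documentation: audit the Internet Explorer
# security-zone settings that govern signed ActiveX downloads on this endpoint,
# and optionally place the IAG portal host in the Trusted sites zone.
# Registry facts used (per-user zone settings):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   n: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
#   value 1001 = Download signed ActiveX controls
#   value 1200 = Run ActiveX controls and plug-ins
#   data: 0 = Enable, 1 = Prompt, 3 = Disable
# Machine-wide or Group Policy settings can override these per-user values.

$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Actions   = @{ '1001' = 'Download signed ActiveX controls'; '1200' = 'Run ActiveX controls and plug-ins' }
$Settings  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeActiveXZoneSetting {
    # Returns one object per zone/action pair with the per-user setting.
    param([int[]]$Zones = @(1, 2, 3, 4))
    foreach ($z in $Zones) {
        $path = Join-Path $ZoneRoot "Zones\$z"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($valueName in $Actions.Keys) {
            $raw = $props.$valueName
            $label = if ($null -eq $raw) { 'Not set' } elseif ($Settings.ContainsKey([int]$raw)) { $Settings[[int]$raw] } else { "Unknown ($raw)" }
            [pscustomobject]@{
                Zone    = $ZoneNames[$z]
                Action  = $Actions[$valueName]
                Setting = $label
                Allowed = ($raw -eq 0 -or $raw -eq 1)   # Enable or Prompt lets the control load
            }
        }
    }
}

function Test-IeZoneReadyForEnrollment {
    # True when both ActiveX actions are Enable or Prompt in the given zone.
    param([int]$Zone = 2)
    $rows = @(Get-IeActiveXZoneSetting -Zones $Zone)
    ($rows.Count -eq $Actions.Count) -and (-not ($rows | Where-Object { -not $_.Allowed }))
}

function Add-IeTrustedSite {
    # Maps https://<host> to the Trusted sites zone (2) for the current user via
    # the ZoneMap. A host "portal.example.com" is written as Domains\example.com\portal.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $key = Join-Path $ZoneRoot "ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) { $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.') }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

# Constructed example host; replace with your portal's public name before use.
# Add-IeTrustedSite -HostName 'portal.example.com'
Get-IeActiveXZoneSetting | Format-Table -AutoSize
"Trusted sites zone ready for enrollment: $(Test-IeZoneReadyForEnrollment -Zone 2)"
```

Run the script in the end user's own session, since the values are per user. The check for the Internet zone (zone 3) is informative only: the recommended approach is to leave that zone at its default and add the portal host to Trusted sites, so that signed ActiveX controls are permitted from the portal alone.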

Adding certificate endpoint applications to a portal or single published application

This section describes how you add the Certified Endpoint Enrollment application to the list of applications that are enabled through the trunk. Once you add the application and activate the trunk, a “Make this computer certified” link is automatically added to the default portal homepage, enabling users to request a certificate and make their computer a Certified Endpoint.

To add the Certified Endpoint Enrollment application to the trunk

  1. In the Configuration program, from the List pane, select the trunk for which you enabled the Certified Endpoint feature.

  2. Do one of the following:

    • In the “Applications” area, under the Application List, click Add, or double-click an empty line.

    • In the List pane, right-click the trunk, and select Add Application.

    The Add Application Wizard is displayed.

  3. Select “Built-in Services” and, from the drop-down list, select Certified Endpoint Enrollment.

  4. Click Finish.

    Note

    For more information about adding applications to a trunk, refer to Creating an SSL VPN Portal.

Notes

  • If you use the default portal homepage supplied with IAG, adding the Certified Endpoint Enrollment application to the trunk automatically adds the required links to the end-user’s portal. If you use a custom homepage, you can manually add this functionality to your page, as described in "Adding Links to IAG Features on a Custom Homepage" in Using a Custom Portal Homepage.

  • The “Certified Endpoint Enrollment” application is not supported on Camino browsers on Mac OS X, because the underlying Microsoft application is not supported on those browsers.

Enabling certified endpoints

Enable certified endpoints for a portal or application session as follows:

To enable certified endpoints for a session

  1. In the IAG Configuration console, click the published portal or application node in the console tree.

  2. On the properties page, click Configure in Advanced Trunk Configuration.

  3. On the Session tab, select Use Endpoint Certificate.

Note

If the option Disable Component Installation and Activation is selected on the Session tab, certified endpoints are disabled.

Submitting a request to make an endpoint certified

Submit a request as follows:

To submit a request to make a computer a Certified Endpoint

  1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint - User Information window is displayed.

  2. Enter the required user information in the text box or boxes.

    Note

    The fields available in this window may vary, according to the settings defined during the configuration of the Certified Endpoint feature, as described in Customizing User Information Properties.

  3. At the bottom right corner, click Submit. A message is displayed, prompting you to confirm the request. If your organization’s certification policy is set to issue certificates immediately, you will be notified that the certificate has been issued and be prompted to install it. Otherwise, you will be notified that the request is in progress. In this case, close the Certified Endpoint dialog box and continue to use the same portal options as before, until your request is verified.

Checking the certified endpoint request status

The administrator needs to approve your request for Certified Endpoint status and issue a certificate accordingly. You must periodically check the status of the request and install the certificate within the period of time specified in the Certified Endpoint window. Do this as follows:

To check whether the request for Certified Endpoint status has been approved

  1. Access the portal and click the Certified Endpoint button or link.

  2. The status of your request will be displayed. If the request is still in progress, check again within the time period specified in the Certified Endpoint dialog box by using the same browser. If the request is denied, contact the certificates administrator. If the certificate has been issued, you can install the certificate and log in as a certified endpoint user.

Installing the client certificate and logging in as a certified endpoint user

After your certified endpoint status has been approved and a certificate has been issued, you must install the certificate on your computer in order to complete the process.

To install the certificate and log in as a Certified Endpoint user

  1. Access the portal and click the Certified Endpoint button or link. The Certified Endpoint - Certificate Issued window is displayed.

  2. Click “Install this certificate” to add the certificate to your computer.

    If you are using Internet Explorer, the certificate is installed on your computer. Proceed to step 4 of this procedure.

    If you are using a different browser, a certificate download dialog box is displayed (for example, the Downloading Certificate dialog box in Netscape Navigator). After the certificate is installed, a message confirms that the client endpoint is now certified. Click Close to close the Certified Endpoint dialog box. The client endpoint is now granted certified endpoint privileges in accordance with the privilege settings.

  3. Close all open browsers, then re-access the portal and log in.

  4. In the Client Authentication dialog box, select the required certificate from the list, and then click OK. This completes the certified endpoint logon process. Your computer is now granted Certified Endpoint privileges, as set by the administrator.

  5. Close all open browser windows, then re-access the portal and log in.

    The Client Authentication dialog box is displayed.

  6. Select a certificate from the list and click OK. The login process is complete, and you are logged on as a Certified Endpoint. The Certified Endpoint button or link is no longer available.

    Tip

    If your portal homepage includes the IAG toolbar, you can click the System Information button to access the System Information window, in order to verify your certified endpoint status. There should be a checkmark next to “Certified Endpoint”.
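Besides the System Information window, the installed certificate itself can be inspected from the endpoint. The following PowerShell script is an added example, not part of the IAG documentation: it lists the certificates in the current user's personal store that the browser could offer for client authentication and reports, for each one, whether it has its private key, is within its validity period, chains to a trusted root and was issued by the expected CA. The issuer name pattern is an assumed placeholder to be replaced with the name of the CA set up for IAG.

```powershell
# Added example, not part of the IAG documentation: find the client
# authentication certificate that the certified endpoint enrolment installed in
# the current user's personal store and report whether it is usable right now.
# The issuer pattern is an assumed placeholder; replace it with the name of the
# CA you set up for IAG.
$ExpectedIssuerPattern = 'IAG Certified Endpoint CA'   # assumed placeholder
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                   # id-kp-clientAuth

function Get-CertifiedEndpointCertificate {
    param([string]$IssuerPattern = $ExpectedIssuerPattern)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        # A certificate with no EKU extension is valid for any purpose; one with
        # an EKU must list id-kp-clientAuth to be offered by the browser.
        $clientAuthOk = if ($null -eq $ekuExt) { $true } else {
            @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthEku
        }
        if (-not $clientAuthOk) { continue }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainTrusted  = $cert.Verify()   # chain build, trust and revocation per system policy
            IssuerMatches = ($cert.Issuer -match [regex]::Escape($IssuerPattern))
        }
    }
}

function Test-CertifiedEndpointReady {
    # True when at least one certificate passes every check above.
    param([string]$IssuerPattern = $ExpectedIssuerPattern)
    $ready = Get-CertifiedEndpointCertificate -IssuerPattern $IssuerPattern |
        Where-Object { $_.HasPrivateKey -and $_.InValidity -and $_.ChainTrusted -and $_.IssuerMatches }
    [bool]$ready
}

Get-CertifiedEndpointCertificate |
    Format-Table Subject, Issuer, DaysLeft, HasPrivateKey, InValidity, ChainTrusted, IssuerMatches -AutoSize
"Endpoint ready for certified logon: $(Test-CertifiedEndpointReady)"
```

Run the script as the same user who uses the browser, because the browser only offers certificates from that user's personal store. HasPrivateKey being False usually means the enrolment did not complete on this computer; ChainTrusted being False usually means the issuing CA's root certificate is not in the user's or machine's Trusted Root Certification Authorities store; a small DaysLeft value means the certificate is about to expire and a new request will be needed.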