Configuring the properties of applications published by IAG

Applies To: Intelligent Application Gateway (IAG)

This section describes how to modify the properties of applications published by Whale Communications Intelligent Application Gateway (IAG) 2007. Settings you can configure include the following:

  • Adding or removing applications in a portal.

  • Configuring external Web site settings. For instructions about configuring external Web settings for directly published applications, see Configuring Web site settings for an application published directly by IAG. For instructions about configuring external Web settings for portals, see Configuring IAG portal Web site settings.

  • Configuring general application properties, including an application name, an inactivity period after which the application is automatically closed, and prerequisite applications for applications published in a portal.

  • Configuring server addresses and ports for Web applications and non-Web applications published in a portal.

  • Configuring authentication settings for published application servers that require users to authenticate.

  • Configuring content inspection settings for requests to published application servers.

  • Specifying how the IAG Socket Forwarding component is activated on client endpoints for client/server, legacy, and browser-embedded applications published in a portal.

  • Configure protection against HTTP request smuggling for client/server and legacy

  • Configure cookie encryption settings for Web applications and browser-embedded applications in order to hide cookie names and values.

  • Restrict access to specific parts of a public application.

  • Configure authorization settings to control user access to specific applications published in a portal.

  • Setting client endpoint policies for application access.

  • Specifying download and upload policies for an application.

  • Specifying how application links appear in a portal.

Adding and removing portal applications

To add an application to a portal

  1. In the IAG Configuration console, click the required trunk.

  2. Below the Applications list, click Add to add a new application to the portal. Then follow the instructions in the Add Application Wizard. Click the Help link to read more about the options available on the wizard pages.

  3. To delete a portal application, click the required application, and then click Remove.

Modifying general application properties

To configure general application properties

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application, and then click Edit.

  2. Configure the application properties as required.

  3. In portal trunks only, enable the required legacy applications in the Prerequisite Applications list. The number of prerequisite applications available is indicated in Number of Prerequisite Applications. IAG automatically launches prerequisite applications before starting a dependent application.

    Only client/server and legacy applications can serve as prerequisite applications. For example, if an application requires a connection to an internal share, add a Local Drive Mapping application that maps the required drive, and define it as a prerequisite application.

Notes

  • If an application inactivity period is set to 0, the application is only closed when a portal session ends.

  • Application endpoint policies are disabled if the setting Disable Component Installation and Activation is selected on the Sessions tab of the portal properties. With this setting selected, client endpoint policy compliance cannot be evaluated.

  • If there are application-specific settings for a specific application, the Application Aware Settings link is available.

Configuring published server settings

Configuring server settings for Web applications

To configure server settings for built-in services, Web applications, and browser-embedded applications published in a portal; and for directly published Web applications, do the following:

To configure server addresses and ports for applications published in a portal

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Web Servers tab.

  2. Specify the address for each server, and specify subnet information if required. To specify an IP address or hostname, select IP/Host and then for each server you want to define, double-click an empty line in the Addresses list and specify the IP address or DNS hostname. To specify an address by using a regular expression, select Regular Expression and define multiple addresses using the Regex++ syntax by entering a regular expression that defines the address range in Addresses. For example: [0-9A-Z-]+\.whale\.com.

  3. In Paths, specify the path on which the application resides. A path must start with a slash (/).

  4. In HTTP Ports and HTTPS ports, specify the application port numbers.

    If you want to use the default HTTP or HTTPS ports, type Auto.

    If you want to enable all ports, type All.

    If you want to block all ports, do not specify a value.

    Specify multiple port entries with a comma. For example 81,82,83. Define a port range with a dash (-). For example 81-83.

  5. Select Add Default Port to Host to add the default port number (80 or 443) to the host header. You should only enable this setting if required by the published application server.
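The port fields described in step 4 accept several shapes (Auto, All, an empty value, comma-separated ports and dash ranges). The following parser, added here as an example and not IAG's own code, resolves a specification to the set of permitted ports and answers "is this port allowed?"; the mapping of Auto to 80/443 follows the defaults stated in step 5, and the decision to reject malformed entries rather than ignore them is this example's choice.

```python
"""Parser for the port-specification format used in the HTTP Ports and HTTPS Ports
fields: "Auto", "All", an empty value, comma-separated ports and dash ranges.
Added example; not IAG's own code."""

from typing import Optional, Set

# Ports that "Auto" resolves to (constructed mapping based on the documented 80/443 defaults).
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_port_spec(spec: str, scheme: str) -> Optional[Set[int]]:
    """Return the set of allowed ports, or None when every port is allowed ("All").

    An empty specification means "block all ports", so it yields an empty set.
    Malformed entries raise ValueError rather than silently widening the rule.
    """
    text = spec.strip()
    if text == "":
        return set()
    if text.lower() == "all":
        return None
    if text.lower() == "auto":
        return {DEFAULT_PORTS[scheme]}

    ports: Set[int] = set()
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError(f"empty entry in port specification {spec!r}")
        if "-" in entry:
            low_text, high_text = entry.split("-", 1)
            low, high = int(low_text), int(high_text)
            if low > high:
                raise ValueError(f"inverted range {entry!r}")
            ports.update(range(low, high + 1))
        else:
            ports.add(int(entry))

    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port(s) out of range: {sorted(bad)}")
    return ports


def port_allowed(spec: str, scheme: str, port: int) -> bool:
    """True when a request to `port` is permitted by the specification `spec`."""
    allowed = parse_port_spec(spec, scheme)
    return True if allowed is None else port in allowed
```

Because an empty field blocks everything while "All" opens everything, the two must never be confused; keeping them as distinct return values (empty set versus None) makes that difference explicit to any caller.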

Configuring server settings for non-Web applications

You can configure server settings for client/server and legacy applications published in a portal. Note that the server properties you need to configure vary depending on the application. To configure server settings, do the following:

To configure server addresses and ports for non-Web applications published in a portal

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Server Settings tab.

  2. Specify the address, port and other information about the published non-Web server.

Configuring authentication to published servers

For built-in services, Web applications, and browser-embedded applications published by a portal, and directly published Web applications, you can configure authentication settings for application servers that require users to authenticate.

To configure authentication for published servers

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Web Settings tab.

  2. Select Automatically Reply to Application-Specific Authentication Requests to enable single sign-on using credentials presented by the user. With this setting enabled and after users enter credentials that are valid for the application, for example, during the portal logon, they do not have to authenticate again against the published application server. If this setting is enabled and authentication data is not validated by the application server, access is denied.

  3. Enable Select Authentication Servers to select the authentication servers against which user credentials will be evaluated for the published application server. To add an authentication server, click Add. In the Authentication and User/Group Servers dialog box, add the required servers. Click Help for more information.

  4. Select Use Kerberos Constrained Delegation to specify Kerberos constrained delegation as the single-sign on authentication method. In Application SPN, type in the service principal name (SPN) of the application. If you use Kerberos constrained delegation, you can only select the 401 Request authentication method.

    Each instance of a service that uses Kerberos constrained delegation authentication needs to have an SPN defined for it so that clients can identify that instance of the service on the network. The SPN is registered in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running. This way, the SPN is associated with the account under which the instance of the service specified by the SPN is running. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN in order to differentiate it from other services running on that computer. You can set the SPN explicitly, or you can use the wildcard *, for example: owa/*. If you choose to use a wildcard, the addresses for all the servers of this application (defined in the Web Servers tab) cannot be IP addresses and must be host names. (The wildcard is translated to each of the host names defined in Web Servers tab.)

  5. Select an authentication method. Select Both to require users to authenticate using both an HTTP 401 request and an HTML form. HTML form authentication is handled by the Form Authentication Engine.

Note

If you select to use an HTTP 401 request and you want to forward authentication using NTLM and not Basic, you must add a registry key, as follows: Click Start, and then type Regedit to open Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von. Right-click UrlFilter, click New, and then click Value. Add the string FullAuthPassthru as a DWORD value, and set it to 1.

Important

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Configuring content inspection for published applications

You can specify how content is inspected for published applications.

To configure application inspection

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Web Settings tab.

  2. Select Verify URLs to inspect URL requests from the application against the URL inspection rules configured for the application-type. Application-type settings are configured on the URL Set tab of the trunk properties.

    If you do not enable Verify URLs, URL inspection is disabled for the specific application only. Application requests are still checked against general rules, such as internal site rules. To completely disable URL inspection, you must enable Debug Mode on the General tab of the trunk properties.

  3. Select Learn Mode to specify that URL requests from the application are inspected against the URL inspection rules for this application, but that the rules are not enforced. With this setting enabled, if a request is not accepted by one of the application rules, the failure is logged in the security log, but the request is allowed.

  4. Select Allow WebDAVMethods to allow browsers to send HTTP data to the application, in requests that use WebDAV methods.

  5. Select Check XML Integrity to inspect XML integrity in HTTP data.

  6. Select Check Out-Of-The-Box-Rules to verify URLs against out-of-the-box rules configured for the application-type. Application-type settings are configured on the URL Inspection tab of the trunk properties.

  7. Select Use Variables in URLS if any of the application's URLs use variables.

  8. Select Allow POST without Content-Type to specify that HTTP POST requests without a "content-type" header are handled. If this setting is not enabled, such requests are rejected.

  9. Select Ignore Requests in Timeout Calculations to specify that for each out-of-the-box application type, IAG automatically configures a list of application-aware URLs that are ignored in the calculation of the inactive session timeout. The list can be edited on the Global URL Settings tab of the trunk properties.

Configuring client settings for client/server and legacy applications

For client/server, legacy, and browser-embedded applications published in a portal you can specify how the IAG Socket Forwarding component is activated on client endpoints, as follows:

To configure the Socket Forwarding component

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Client Settings tab.

  2. In Socket Forward Mode, click the required option. Disabled indicates that the Socket Forwarding component is not used with the application. For more information about the other modes, see the section "Socket forwarding activation modes" in About the IAG Socket Forwarding component.

  3. Select Bind Tunnel to Client Executable to restrict client endpoint access to the server IP addresses and ports of the application to the process or processes you define in the Client Executable list.

Configuring HTTP request smuggling protection

You can protect applications against HTTP request smuggling (HRS). Note that you cannot configure HRS for client/server and legacy applications.

To configure HTTP request smuggling protection

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Web Security tab.

  2. Click Activate Smuggling Protection to protect the application against HTTP request smuggling attacks by blocking requests where the following conditions apply:

    • The method is POST

    • The content-type is not listed in the content-type list

    • The length is larger than the specified maximum length

    This option should be enabled only for servers that are vulnerable to HRS attacks. If you enable this option when it is not required, applications may not behave as expected.

  3. In Content-Types, specify content-types that are allowed. POST requests of content-types that are not listed are blocked if they are larger than the size defined in Max HTTP Body Size.

  4. In Max HTTP Body Size, specify the maximum size of a POST request. Requests larger than the specified maximum are blocked.
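The rule in steps 2 to 4 is a conjunction of three conditions. The function below, added as an example and not IAG's own code, evaluates it against a request. Two details are this example's own choices rather than anything the page states: the Content-Type comparison ignores parameters such as a charset suffix, and the length test uses the larger of the declared Content-Length and the actual body size, since a disagreement between the two is the condition that smuggling exploits.

```python
"""Evaluate the documented HTTP request smuggling (HRS) protection rule:
block a request when it is a POST, its Content-Type is not in the allowed list,
and its length exceeds Max HTTP Body Size. Added example; not IAG's own code."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SmugglingPolicy:
    enabled: bool                    # "Activate Smuggling Protection"
    allowed_content_types: List[str]  # "Content-Types" list
    max_body_size: int               # "Max HTTP Body Size", in bytes


def _media_type(content_type: Optional[str]) -> str:
    """Reduce 'text/plain; charset=utf-8' to 'text/plain' (example's own normalisation)."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def _body_length(headers: Dict[str, str], body: bytes) -> int:
    """Length used for the size test.

    If Content-Length disagrees with the bytes actually received, take the larger
    value so that an inflated or deflated declaration cannot dodge the limit.
    """
    declared = headers.get("content-length")
    actual = len(body)
    if declared is not None and declared.strip().isdigit():
        return max(int(declared), actual)
    return actual


def should_block(policy: SmugglingPolicy, method: str,
                 headers: Dict[str, str], body: bytes) -> bool:
    """True when all three documented conditions hold and protection is active."""
    if not policy.enabled or method.upper() != "POST":
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    allowed = {c.strip().lower() for c in policy.allowed_content_types}
    if _media_type(lowered.get("content-type")) in allowed:
        return False
    return _body_length(lowered, body) > policy.max_body_size


if __name__ == "__main__":
    # Constructed sample policy and request, for a stand-alone run.
    policy = SmugglingPolicy(True, ["application/x-www-form-urlencoded"], 1024)
    print(should_block(policy, "POST", {"Content-Type": "text/plain"}, b"A" * 2048))
```

A POST with no Content-Type at all never matches the allowed list, so with protection enabled it is blocked once it exceeds the limit; that interacts with the separate Allow POST without Content-Type setting on the Web Settings tab, which is worth keeping in mind when an application stops working after the option is turned on.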

Configuring cookie encryption

You can encrypt Set-Cookie headers for Web applications and browser-embedded applications in order to hide cookie names and values, and thus protect them against unauthorized changes. Note that after a cookie is encrypted, it cannot be manipulated by the <HEADER_CHANGE> element of an application customizer.

To configure cookie encryption

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Cookie Encryption tab.

  2. Select Enable Cookie Encryption to turn encryption on.

    If you want to specify that all Set-Cookie headers are encrypted, except for those defined in the global and per-application cookie lists, select Exclude.

    If you want to specify that only Set-Cookie headers specified in the per-application cookie list are encrypted, select Include.

Note

Encrypted cookie names and values are decrypted by IAG when they are returned by the browser in the "Cookie" header. If the cookie encryption process encounters problems when a remote user requests a page, the "Cookie" header in the request is blocked and is not forwarded to the server. The request is processed, however, and the user experience is unaffected. In this case, a Warning message is reported in the Event Viewer.

The global list includes cookies that are excluded from the cookie encryption process of all the applications where the encryption mode is "Exclude". You can add cookies to the list as required. Do not delete any of the default cookies that appear in the list.

To edit the global exclude list:

  1. Open the following location:

    \Whale-Com\e-Gap\Von\Conf\

  2. Copy the file WhlExcludeCookie.xml into the following folder:

    \Whale-Com\e-Gap\Von\Conf\CustomUpdate

    If this folder does not exist, create it.

  3. In the WhlExcludeCookie.xml file in the CustomUpdate folder, edit the cookie list under the tag <EXCLUDE_COOKIE_LIST>. Note that cookie names are defined using regular expressions; for details, refer to IAG_Appendix B: Regex++, regular expression syntax.

  4. In addition to the cookie list, the file WhlExcludeCookie.xml stores a security prefix that is used in the encryption of cookie names and cookie values, in the tag "SECURITY_PREFIX". By default, the value of the security prefix is "ce". If required, you can change the value of the prefix in the file in the custom folder.
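The following example, added here and not IAG's own code, models the whole cookie-encryption path described in this section: the Exclude/Include decision against regular-expression cookie lists, rewriting of the Set-Cookie name and value with the "ce" security prefix, decryption of the browser's Cookie header, and the documented failure behaviour (the Cookie header is dropped and a warning is logged, while the request itself proceeds). The cipher is a constructed toy (keystream XOR plus an HMAC tag) so that the example runs offline; it is not IAG's algorithm, and the key is a placeholder.

```python
"""Model of the cookie-encryption flow: selection by Exclude/Include lists,
Set-Cookie rewriting with a security prefix, Cookie-header decryption, and
dropping the header on failure. Added example; not IAG's own code."""

import base64
import hashlib
import hmac
import logging
import re
from typing import List, Optional

log = logging.getLogger("cookie-encryption")

KEY = b"constructed-demo-key-not-for-production"  # placeholder, not IAG key material
PREFIX = "ce"  # default SECURITY_PREFIX from WhlExcludeCookie.xml


def _keystream(n: int) -> bytes:
    """Toy keystream derived from KEY; illustrative only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _toy_seal(plaintext: str) -> str:
    """Toy authenticated encryption -> URL-safe base64 token (cookie-safe characters)."""
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(len(data))))
    tag = hmac.new(KEY, ct, hashlib.sha256).digest()[:8]
    return base64.urlsafe_b64encode(tag + ct).decode("ascii").rstrip("=")


def _toy_open(token: str) -> Optional[str]:
    """Inverse of _toy_seal; None when the token is malformed or tampered with."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < 8:
        return None
    tag, ct = raw[:8], raw[8:]
    if not hmac.compare_digest(tag, hmac.new(KEY, ct, hashlib.sha256).digest()[:8]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(len(ct)))).decode("utf-8", "replace")


def _listed(name: str, patterns: List[str]) -> bool:
    return any(re.fullmatch(p, name) for p in patterns)


def should_encrypt(name: str, mode: str, global_exclude: List[str], app_list: List[str]) -> bool:
    """Exclude: encrypt everything except the global and per-application lists.
    Include: encrypt only the per-application list."""
    if mode == "Exclude":
        return not (_listed(name, global_exclude) or _listed(name, app_list))
    if mode == "Include":
        return _listed(name, app_list)
    raise ValueError(f"unknown encryption mode {mode!r}")


def encrypt_set_cookie(header: str, mode: str, global_exclude: List[str], app_list: List[str]) -> str:
    """Rewrite the name=value pair of a Set-Cookie header; attributes are kept as-is."""
    pair, sep, attrs = header.partition(";")
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not should_encrypt(name, mode, global_exclude, app_list):
        return header
    return f"{PREFIX}{_toy_seal(name)}={_toy_seal(value)}{sep}{attrs}"


def decrypt_cookie_header(cookie_header: str) -> Optional[str]:
    """Return the decrypted Cookie header, or None meaning "do not forward the header"."""
    out = []
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        if not name.startswith(PREFIX):
            out.append(item)  # not one of ours: pass through unchanged
            continue
        plain_name = _toy_open(name[len(PREFIX):])
        plain_value = _toy_open(value)
        if plain_name is None or plain_value is None:
            log.warning("cookie decryption failed for %r; Cookie header not forwarded", name)
            return None
        out.append(f"{plain_name}={plain_value}")
    return "; ".join(out)
```

In this scheme the prefix is the only thing that tells an encrypted cookie from a plain one on the way back in, so a plain cookie whose name happens to begin with the prefix would be taken for an encrypted one and cause the whole Cookie header to be dropped; that is the reason the prefix is kept short and distinctive, and why the default cookies in the global exclude list should be left in place.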

Restricting access to parts of an application

You can restrict user access to sensitive areas of an application. In addition, you can specify user authorization settings for an application.

To configure user access and authorization for an application

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Web Settings tab.

  2. Select Activate Restricted Zone to specify that only client endpoints complying with the Restricted Zone endpoint policy can access sensitive areas of the application, such as administrative areas. The restricted zone URLs of an application are configured in the Global URL Settings tab of the trunk properties.

  3. Select Authorization Key and specify the header or parameter that IAG uses to send data to the application server about the originator of the connection requests. In Format, select whether the authorization key will be sent as an HTTP header or as a parameter that is part of the URL query string. In Source IP Key, specify the name of the header or parameter that IAG uses to send the IP address of the connection request originator to the application server. In Format, specify the Source IP Key format.

Important

If a request contains a header or parameter with an identical name to a header or parameter you define here, it is blocked, because it is identified as a suspected attempt to sneak data to the application server. Therefore, make sure you assign the headers or parameters you define here unique names that will not be used for any other purpose.

Configuring authorization key value

If you have selected the Authorization Key check box in the Web Settings tab to specify that an authorization key header or parameter should be sent to the application server, you must define an authorization key value as follows:

To configure the value of authorization key

  1. Open the following folder:

    \Whale-Com\e-Gap\Von\InternalSite\inc\CustomUpdate

    If this folder does not exist, create it.

  2. Under the CustomUpdate folder, create an inc "hook" file named as follows:

    <Trunk_Name><Secure(0=no/1=yes)>PostPostValidate.inc

    For example:

    For an HTTPS trunk named "WhalePortal", create the file:

    WhalePortal1PostPostValidate.inc

    If a file by this name already exists, you can use the existing file; you do not need to create a new file in this case.

  3. In the file you defined in step 2, add the following lines:

    <%
    SetSessionResourceParam g_cookie, "<Application_ID>", "RWSAuthorization", "<Value>"
    %>

    Where:

    • Application_ID is the application's ID number, as can be copied from the General tab of the Application Properties dialog box.

    • Value is the value you wish to send to the application server.

    For example

    To send a User_group: unlimited header:

    • In the Web Settings tab, name the Authorization Key User_group and select the format "Header"

    • In WhalePortal1PostPostValidate.inc, enter the value unlimited.
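The Important note above (a request that already carries a header or parameter with the reserved name is blocked) and the User_group: unlimited example are modelled together below. This is an added example, not IAG's own code: it checks the inbound request for the reserved names in both headers and the query string, rejects a clash, and otherwise appends the authorization key and the Source IP key in the configured format. The Source IP Key name X-Orig-IP and the destination URL are constructed for the illustration.

```python
"""Guard against reserved-name collisions, then attach the Authorization Key and
Source IP Key to the request forwarded to the application server.
Added example; not IAG's own code."""

from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# (name, format) pairs as they would be set on the Web Settings tab.
AUTH_KEY = ("User_group", "Header")        # from the page's example
SOURCE_IP_KEY = ("X-Orig-IP", "Parameter")  # constructed name for illustration


class SmugglingSuspected(Exception):
    """Raised when the inbound request already uses a reserved header/parameter name."""


def forward_request(url: str, headers: Dict[str, str], client_ip: str,
                    auth_value: str = "unlimited") -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the application server, or raise SmugglingSuspected."""
    reserved = {AUTH_KEY[0].lower(), SOURCE_IP_KEY[0].lower()}
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)

    # Names already present in the request, case-insensitively, in both places
    # a key could be injected: HTTP headers and the URL query string.
    present = {k.lower() for k in headers} | {k.lower() for k, _ in query}
    clash = reserved & present
    if clash:
        raise SmugglingSuspected(f"request already contains reserved name(s): {sorted(clash)}")

    out_headers = dict(headers)
    for (name, fmt), value in ((AUTH_KEY, auth_value), (SOURCE_IP_KEY, client_ip)):
        if fmt == "Header":
            out_headers[name] = value
        elif fmt == "Parameter":
            query.append((name, value))
        else:
            raise ValueError(f"unknown format {fmt!r} for {name}")
    new_url = urlunsplit(parts._replace(query=urlencode(query)))
    return new_url, out_headers


if __name__ == "__main__":
    # Constructed sample request for a stand-alone run.
    print(forward_request("https://app.example.invalid/report?id=7",
                          {"Host": "app.example.invalid"}, "203.0.113.5"))
```

Because the application server trusts these names as coming only from IAG, the check must run before the values are appended; otherwise a client-supplied duplicate could sit beside, or be merged with, the genuine one. Checking the query string as well as the headers matters because the key format can be either.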

Configuring authorization for portal applications

You can configure granular user access to portal applications, as follows:

To configure authorization for portal applications

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Authorization tab. Using this tab, you can configure authorization settings for all applications published in the portal.

  2. If you want to specify that any user connecting to the portal can access the application, leave the default All Users Are Authorized selected.

    If you want to specify that only specific users and groups can access an application in the portal, clear the All Users Are Authorized check box. Then click Add. On the Select Users and Groups dialog box, in Look In, select the user and group repository server. In the Repository Users and Groups list, select the required user or group, and then click Add. Click OK to close the Select Users and Groups dialog box.

  3. In the Authorization tab, select the group and click the Allow, View and Deny columns to set the application authorization permission for the user or group.

  4. Click Save As Local Group to save the user or group defined on the repository server as a local group. For more information about local groups, see Configuring users and groups for application authorization in IAG.

  5. To save the authorization settings, click OK.

Configuring client endpoint policies for published applications

You can specify IAG client endpoint policies that are applied to an application.

To modify application client endpoint policies

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Endpoint Policy Settings tab.

  2. Select endpoint policies as required.

Configuring download and upload policies for published applications

You can specify the method by which IAG identifies URLs to enforce an upload and download policy for an application. It applies to built-in services, Web applications, and browser-embedded applications published by the portal. Note that if none of the options in the Download/Upload tab are activated, no uploads to or downloads from the application are blocked, regardless of the settings of the application's Upload or Download policies.

To configure a download and upload policy

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Download/Upload tab.

  2. If you want to specify that URLs should be identified by checking against the Download URL and Upload URL lists, click Identify by URLs. These lists can be viewed and modified in the Global URL Settings tab of the trunk properties.

    If you want to specify that URLs should be identified by checking file extensions, click Identify by Extensions, and then do one of the following:

    • To specify that only files whose extensions are listed here are allowed when an endpoint policy is enforced, click Exclude.

    • To specify that file extensions listed are blocked, click Include.

    Note that extensions should not include the preceding dot (.). For example, specify exe and not .exe. To allow or block uploading or downloading of files without an extension, specify no ext in the relevant extension list. Ensure that, for the extensions in the list, the association between extensions and content-types is the same on IAG and on the application server. On the IAG server, definitions of file extensions and associated content types are stored in the \Whale-Com\e-Gap\von\conf\content-types.ini file.

  3. In Unknown Content-Type, specify the unknown content type settings of an application. This is required to block downloads by extension.

  4. Click Identify by Size to specify that URLs should be identified based on the size of transfer data. Specify a size limit in kilobytes.

Note

HTTP GET requests are treated as downloads. HTTP POST and PUT requests are treated as uploads.
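The three identification methods in steps 2 to 4, the Exclude/Include semantics for extensions, the "no ext" entry, the rule that nothing is blocked when no option is active, and the note that GET is a download while POST and PUT are uploads, are all modelled in the following classifier. It is an added example, not IAG's own code; treating the Download URL and Upload URL lists as regular expressions matched against the request path is this example's assumption, and the sample policies in the test are constructed.

```python
"""Classify a request as a governed download or upload according to the
Download/Upload tab settings, then decide whether to block it for an endpoint
that does not satisfy the relevant policy. Added example; not IAG's own code."""

import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class TransferPolicy:
    identify_by_urls: bool = False
    download_urls: List[str] = field(default_factory=list)   # assumed regex patterns
    upload_urls: List[str] = field(default_factory=list)     # assumed regex patterns
    identify_by_extensions: bool = False
    extension_mode: Optional[str] = None  # "Exclude": listed allowed; "Include": listed blocked
    extensions: List[str] = field(default_factory=list)      # no leading dot; "no ext" for none
    identify_by_size: bool = False
    size_limit_kb: int = 0


def direction(method: str) -> Optional[str]:
    """GET is a download; POST and PUT are uploads; other methods are not governed."""
    m = method.upper()
    if m == "GET":
        return "download"
    if m in ("POST", "PUT"):
        return "upload"
    return None


def _extension(path: str) -> str:
    """Extension of the last path segment, lower-cased, or "no ext" when absent."""
    base = path.rsplit("/", 1)[-1]
    if "." not in base:
        return "no ext"
    return base.rsplit(".", 1)[1].lower()


def identify_transfer(policy: TransferPolicy, method: str, url: str, size_bytes: int) -> Optional[str]:
    """Return "download"/"upload" when an active option identifies the request, else None."""
    kind = direction(method)
    if kind is None:
        return None
    if not (policy.identify_by_urls or policy.identify_by_extensions or policy.identify_by_size):
        return None  # nothing activated: nothing is ever blocked, whatever the policies say
    path = urlsplit(url).path

    if policy.identify_by_urls:
        patterns = policy.download_urls if kind == "download" else policy.upload_urls
        if any(re.fullmatch(p, path) for p in patterns):
            return kind

    if policy.identify_by_extensions:
        listed = _extension(path) in {e.lower() for e in policy.extensions}
        if policy.extension_mode == "Exclude" and not listed:
            return kind  # only listed extensions are allowed
        if policy.extension_mode == "Include" and listed:
            return kind  # listed extensions are blocked

    if policy.identify_by_size and size_bytes > policy.size_limit_kb * 1024:
        return kind

    return None


def is_transfer_blocked(policy: TransferPolicy, method: str, url: str,
                        size_bytes: int, endpoint_compliant: bool) -> bool:
    """Block only when the request is identified and the endpoint fails the policy."""
    return identify_transfer(policy, method, url, size_bytes) is not None and not endpoint_compliant
```

Extension matching is only as reliable as the content-type mapping behind it, which is why the page asks for content-types.ini on IAG and the server's own associations to agree; a server that serves an executable under a neutral extension defeats an extension-based rule, and identification by URL or by size is the fallback for such cases.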

Identifying responses without content types as regular responses

By default, IAG identifies responses without content-types as downloads. You can change this default setting.

To change settings for responses without content-types

  1. Click Start, and type Regedit to open the registry editor.

  2. Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Whale\e-Gap\Von\UrlFilter

  3. Create a DWORD value named AllowResponseWithoutContentType and set it to 1.

  4. Activate the configuration, and select the Apply changes made to external configuration settings check box.

Warning

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Configuring portal link settings

You can control the link format on the portal homepage for applications published in a portal. Note that portal link settings are only applied if you use the IAG default portal homepage. For information about customizing a portal homepage, see Modifying the default IAG portal home page.

To configure portal link settings

  1. In the IAG Configuration console, click the required trunk. In the Applications list, select the required application. Click Edit, and then click the Portal Link tab.

  2. Select Add Link on Whale Portal and Toolbar to specify that a link to the application appears on the default portal homepage and toolbar.

  3. In Portal Application Name, specify the name of the application as it appears on the default homepage and toolbar.

  4. In Folder, specify a folder or subfolder on the portal homepage from which users access the application. This allows you to group a number of applications under one folder. For example, you can create a folder called DriveMappings and place all Local Drive Mapping applications under it. Only the DriveMappings folder will be visible on the portal homepage. Specify the same folder information for all applications that will reside under the folder. If there are no subfolders, specify only the folder name. For a subfolder, use the format: folder/subfolder A/subfolder B.

    The name of the root folder in the folder structure is the name of the Whale Portal application, as defined in the Portal Application Name field. The default is "Whale Portal". The folder structure is not retained in the IAG toolbar.

  5. In Application URL, specify the internal entry link URL from the portal to the application. You must specify an absolute URL. For example: https://whale.com

  6. In Icon URL, specify the location of the icon representing the application. The icon is displayed together with the application name in the portal.

  7. In Short Description and Description, specify more information about the application. The descriptions are displayed adjacent to the application name in the portal.

  8. In Startup Page, specify a page to assign to the application. Place your own page in the following location:

    Whale-Com\e-gap\von\InternalSite\inc\CustomUpdate\

    The file extension must be .inc. For example:

    Whale-Com\e-gap\von\InternalSite\Inc\CustomUpdate\MyPage.inc. Note that the startup page contains functionality you want to assign to the application in addition to the default functionality enabled by IAG. When this setting is enabled, the defined page is included by the default application startup page, and operations defined in the page are implemented at the beginning of the application startup process.

    Default application startup for all applications is set in the StartApp.asp page, located in the Whale-Com\e-gap\von\InternalSite folder. For Domino iNotes and Domain Webmail applications, the page "notes" is automatically configured. When you select the Startup Page check box, this page redirects the user to the appropriate server, according to the definitions of the repository against which the user authenticated when accessing the application. The "notes" page is located in the following location: Whale-Com\e-gap\von\InternalSite\Inc.

  9. Enable Open in New Window to specify that the application opens in a new window.

  10. In Application Supported On, select the type of device on which the link is displayed. This setting only applies to Web applications.

  11. In Portal Link on clients that do not comply with access application policy, specify whether the application link should be unavailable or not shown for these client endpoints.