
The AppGate system includes a number of different client modules. When deploying an AppGate system, one of the decisions which must be made is which modules to use and how to deploy them. There are mainly three aspects to consider:
Type of user interface. What type of user interface is desired? There are three AppGate clients available: "AppGate Client", "AppGate Connect" and "AppGate Mobile Client". The main difference between the first two clients is the graphical user interface. AppGate Client has a fuller interface where the user may browse the services easily, while AppGate Connect is more geared towards the simple case where all needed services are auto-started. The mobile client is for mobile units like smartphones and PDAs.
Types of applications to use. What type of functionality, in terms of applications and protocols, should be available to the users? This determines if any additional modules, like IP tunneling and Device Firewall, need to be installed.
How to deploy the clients. There are different ways to deploy the clients. They can be installed locally, be managed with Java Web Start or run as an applet (AppGate Connect only). Note that the IP tunneling (IPTD) and Device Firewall modules only support direct installation on the user's machine.
Table 3.1. Feature support matrix
| Feature | Client | Client + IPTD | Connect (applet) | Connect (applet) + IPTD | Mobile | Console |
|---|---|---|---|---|---|---|
| Admin access | n/a | n/a | n/a | n/a | n/a | Yes |
| Client command | Yes | Yes | Yes | Yes | Yes[4] | No |
| FTP proxy | Yes[1] | Yes[2] | Yes[1] | Yes[2] | No | No |
| ICMP access | No | Yes | No | Yes | No | No |
| IP access | Yes[1] | Yes | Yes[1] | Yes | Yes | No |
| Log access | n/a | n/a | n/a | n/a | n/a | Yes |
| Message component | Yes | Yes | Yes | Yes | No | No |
| Reverse IP access | No | Yes | No | Yes | No | No |
| Server command | Yes | Yes | Yes | Yes | No | Yes |
| Share access | Yes[3] | Yes[2,3] | Yes[3] | Yes[2,3] | No | No |
| Web access | Yes[1] | Yes[2] | Yes[1] | Yes[2] | Yes | No |
[1] To be able to use host names, the client must be able to write to the hosts file.
[2] Does not use IP tunneling.
[3] Requires that the client can update lmhosts.
[4] A limited subset of built-in client commands.
AppGate Client is the name of the most complete and most widely used of the different clients. AppGate Client is written mostly in Java, with some native code components. These native code components handle interfacing with the local operating system, PKI authentication, fast encryption and compression. AppGate Client is the standard and recommended client.

Full graphical user interface. Icon-based portal style view of the available services, as well as a more technical view of ports, IP-numbers and such. It has many user-configurable options.
It can be used to connect to multiple AppGate servers simultaneously.
It can be deployed as an installed client or using Java Web Start. As an installed client it is possible to repackage it with different default configurations, host keys etc. The Java Web Start version will automatically download all needed settings from the AppGate server.
Note that the AppGate Connect client and applet are deprecated and will disappear in a future version of AppGate. There will be a new applet based on the full AppGate client.
AppGate Connect is the name of the simpler client. It is, just like AppGate Client, written mostly in Java and with some native code components. These native code components handle interfacing with the local operating system, PKI authentication, fast encryption and compression.
The main differences between AppGate Client and AppGate Connect are the GUI and the fact that AppGate Connect is also available as a Java applet. The AppGate Applet client is just AppGate Connect started as an applet.

AppGate Connect is a simpler and more compact version of AppGate Client. It is best suited for users who need only run one or two applications, normally auto-started. AppGate Connect does not provide an interface for the user to modify the local IP access port numbers. Once Connect has established a connection to the AppGate server, it automatically shrinks itself to a smaller window, thus becoming less apparent to the user.
AppGate Connect is capable of almost all functionality, except for simultaneous connections to more than one AppGate server.
It is possible to run the Connect client as an applet, to install it, or to deploy it using Java Web Start. As an applet or Java Web Start client it requires no installation on the user's system. The applet is cached locally on the client machine and is automatically updated when the applet program on the server is updated.
The AppGate Mobile Client is a client specifically geared towards mobile devices. Currently it supports Windows Mobile, Sony Ericsson UIQ3 based phones and Nokia S60 3rd edition devices.
The Citrix and Terminal server clients are special versions of AppGate Client and AppGate Connect. These are meant to be used when the user's computer is a Citrix or Terminal Server client. That is, the user runs the AppGate client on a Citrix or Terminal server system to access a remote AppGate server. These clients have nothing to do with accessing Citrix or terminal servers behind an AppGate server.
These clients use a special program, called agmud, to handle IP access components. This program runs as administrator and is able to differentiate between users, so that each user utilizes the right AppGate connection. That is, this program manages the separation between the users on the Citrix or Terminal server. For instance, say that users A and B, running on the same Citrix or Terminal server, have both launched AppGate clients. The agmud program makes sure that only user A may access the services provided by user A's AppGate client; that is, user B or C may not access the opened ports. agmud will also manage port conflicts so that both A and B can start the same IP access but the traffic from user A ends up in the tunnel opened by A and vice versa.
These clients must be installed by an administrator on the Citrix or Terminal server. To the users the clients will look and behave like the ordinary AppGate clients.
Note that IP tunneling and Device Firewall integration are not available on Citrix and Terminal server.
The AppGate clients (Client and Connect) have been tested on Windows 2000/XP/2003/Vista, Linux, Mac OS X and Solaris. The clients should work on any OS which has a proper Java implementation. The mobile client should work on any Windows Mobile device as well as Nokia S60 3rd edition and Sony Ericsson UIQ3 devices.
The AppGate IP Tunneling Driver (IPTD) is complementary software and will work with both Client and Connect, regardless of how they are deployed. When any of the AppGate clients starts, it will detect whether the IP Tunneling Driver is installed, and use it.
The AppGate IP Tunneling Driver consists of a service and a virtual network adapter which will tunnel IP traffic to and from the AppGate server over the SSH connection. The AppGate IP Tunneling Driver is optional, but must be installed if any of the following functionality is needed:
UDP traffic
Applications where clients need to connect directly to each other.
Applications that use dynamic port assignment such as DCOM RPCs (e.g. Outlook to Exchange communication).
Applications where servers behind the AppGate server need to initiate connections to the client computer.
When the AppGate IP Tunneling Driver is installed, it will also handle hosts file writing and forward DNS queries to DNS servers behind the AppGate server. Installing the tunneling driver requires administrative privileges. However, when the driver is installed, any user starting an AppGate client will take advantage of the driver.
The AppGate IP Tunneling Driver is currently supported on Windows 2000, Windows XP, 32-bit Windows Vista, Mac OS X, Linux and Solaris.
The AppGate Hosts File Writer (aghostsd) is complementary software for Windows 2000, XP, Vista, Linux and Mac OS X. It works with both Client and Connect, regardless of how they are deployed. When any of the AppGate clients starts, it will detect whether the Hosts File Writer is installed, and use it.
The Java Web Start versions of the Linux and Mac OS X clients include the hosts file writer and will ask the user for the superuser password in order to be able to install it if needed.
The hosts file writer adds and removes entries in the Windows hosts file and the lmhosts file on behalf of the AppGate client. The hosts file writer runs as a Windows service with administrator rights and may thus be used when it isn't possible or desirable to let ordinary users write to the hosts file or the lmhosts file.
On the Windows platform it is possible to integrate the AppGate clients with the AppGate Device Firewall (DFW). The DFW has the unique feature of a near zero user interface, which makes it ideal when rule sets are to be enforced on sensitive VPN connections.
The DFW is a separate product, but if installed, the AppGate clients will detect it and may dynamically load rules into it. The rules will be fetched from the AppGate Security Server and be in effect during an AppGate session.
The AppGate clients will report the status of the DFW back to the AppGate Security Server, so that access rules can take this into account.
There are three different ways of deploying the AppGate Java based clients. They can be deployed using Java Web Start, installed on the user's PC or launched as applets. This section explains those methods and the issues surrounding them. Deployment of mobile clients is discussed in Section 3.2.9, “Over the air provisioning of mobile clients”.
Java Web Start (JWS) is a way to deploy applications over the web. It has been included in Sun Java since version 1.3. To launch a JWS application, the user clicks on a link on a webpage. The link leads to a .jnlp file which defines the application. JWS will parse this file and download all needed files before launching the application. The application files are cached on the user's PC to speed up future starts. JWS may also optionally, controlled by the user, place an icon on the desktop so that the application is easy to launch in the future. The JWS system will check that the application files are up to date each time the application is started, and it will update them if new versions are available. All files downloaded through JWS are signed by AppGate Network Security AB and users may get a security question the first time the application is launched.
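To see what a .jnlp file hands to Java Web Start before anyone clicks the link, the following added example (not AppGate's own code or descriptor) parses a descriptor and lists the files it pulls, the permissions it requests and any resources fetched over cleartext HTTP or from a host other than the codebase. The sample descriptor is constructed for illustration; its host names, jar names and main class are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor: host names, jar names and main class are made up.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://vpn.example.com/client/" href="client.jnlp">
  <information>
    <title>Example client</title>
    <vendor>Example vendor</vendor>
    <shortcut><desktop/></shortcut>
  </information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="client.jar" main="true"/>
    <jar href="lib/crypto.jar"/>
    <nativelib href="https://cdn.example.net/native-win32.jar"/>
  </resources>
  <application-desc main-class="com.example.Client"/>
</jnlp>
"""


def inspect_jnlp(text):
    """Summarise what a JNLP descriptor asks Java Web Start to fetch and allow."""
    # For descriptors from untrusted sources, use a hardened XML parser instead.
    root = ET.fromstring(text)
    codebase = root.get("codebase", "")
    # jar and nativelib hrefs are resolved relative to the codebase attribute.
    resources = [urljoin(codebase, el.get("href"))
                 for el in root.findall("resources/*")
                 if el.tag in ("jar", "nativelib") and el.get("href")]
    base_host = urlparse(codebase).netloc
    return {
        "codebase": codebase,
        "resources": resources,
        # True when the application asks to run outside the sandbox.
        "all_permissions": root.find("security/all-permissions") is not None,
        "desktop_shortcut": root.find("information/shortcut/desktop") is not None,
        # Anything not fetched over HTTPS relies on jar signing alone for integrity.
        "cleartext": [u for u in [codebase] + resources
                      if urlparse(u).scheme != "https"],
        "off_codebase": [u for u in resources if urlparse(u).netloc != base_host],
    }


if __name__ == "__main__":
    for key, value in inspect_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```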
Installation packages are available for Windows, Mac OS X and Solaris. Linux clients are available as compressed tar files. The Linux files can also be used to install on other operating systems. The Windows install packages include a complete Java environment while the others assume that Java is already available on the user's PC. All the installation packages can be downloaded from the web server which is built into the AppGate server. The installation packages are also included on the CD distributed with the AppGate server.
AppGate Connect is also available as an applet. An applet is a Java program which is run inside the browser. The main difference between using an applet and JWS is that the applet works with older Java versions and that only the AppGate Connect client is available as an applet. Also, the applet is run inside the browser, which means that it will be killed whenever the browser window holding it is closed or when the user goes somewhere else. The AppGate applet is divided into two parts: one loader which is downloaded each time the applet is launched, and one part which is cached on the client PC.
Both Java Web Start and applet will make sure that the local client is always up to date. That is, any updates done on the AppGate server are automatically downloaded. The installed client has no auto-update feature.
Both Java Web Start and the installed client are able to place an icon on the desktop automatically. The JWS client can also be started by clicking on a link on a webpage.
The clients have the ability to update the hosts file with names of servers reachable through the AppGate server. The hosts file may be updated in either of the following two ways:
If the Hosts File Writer or IP tunnel driver has been installed on the client computer, the client requests that it updates the hosts file.
The client itself writes directly to the hosts file. For this to work the client must have write permission to the hosts file. This is no problem if the user runs with administrator privileges, but often the user does not. Therefore the installation packages have the option of changing the permissions to the hosts file so that anybody may update it. This is an optional step during the installation and requires administrator privileges. The AppGate clients will check whether hosts file writing is possible when they are launched. A warning dialog will pop up if hosts file writing is disabled and the Hosts File Writer isn't running. This warning dialog has a button which lets the user fix the permissions if the user has access to the administrator password.
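Opening the hosts file to all users means any local process can redirect host names, so it is worth checking which of the two update methods a machine actually ended up with. The following added example (not part of the AppGate software) reports who besides the owner may write a hosts file and which non-loopback names it currently overrides. It assumes a POSIX host where mode bits govern access, and the sample entries are constructed.

```python
import os
import stat
import tempfile

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample content: addresses and names are made up.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "10.0.0.5 intranet.example.com intranet  # constructed entry\n"
    "10.0.0.6 files.example.com\n"
)


def audit_hosts_file(path):
    """Return who besides the owner may write `path` and which names it overrides."""
    mode = os.stat(path).st_mode
    writable_by = [label for bit, label in
                   ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other")) if mode & bit]
    overrides = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
            if len(fields) < 2 or fields[0] in LOOPBACK:
                continue
            for name in fields[1:]:
                overrides.setdefault(name.lower(), []).append(fields[0])
    return {"mode": oct(stat.S_IMODE(mode)),
            "writable_by": writable_by,
            "overrides": overrides}


def demo(mode):
    """Write the constructed sample to a temp file with `mode` and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".hosts", delete=False) as fh:
        fh.write(SAMPLE_HOSTS)
    try:
        os.chmod(fh.name, mode)
        return audit_hosts_file(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    print("permissions opened up:", demo(0o666))
    print("default permissions:  ", demo(0o644))
```

On a real machine, call `audit_hosts_file("/etc/hosts")`; on Windows the same question is answered from the file's ACL rather than mode bits.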
On Unix systems the client may not listen to ports under 1024 (unless running as root). The Mac and Linux installation packages include a small port mover program which is installed setuid root and which allows the client to listen on low ports. This port mover also handles writing to the hosts file. The Java Web Start clients also include the port mover and will ask the user if they wish to install it if needed. The user will have to enter the superuser password in order to be able to install it.