When the AppGate client is started, it reads its configuration from several sources, depending on which client is used.
Each user will have his own copy of the current configuration
settings. On Windows systems these settings are located in the file
agclient.properties in the subdirectory
appgate\8.2.3 in the user's profile directory.
On Unix systems
agclient.properties is located in a directory called
.appgate/8.2.3 in the user's home directory.
When starting the installed versions of the client
it will first check whether the user has a personal configuration file,
if not it will try to read a preinstalled configuration file. On
Windows the preinstalled configuration file is typically located
in the directory
C:\Program Files\AppGate\preinstalled\.
On Unix it is typically in /opt/APPGclnt/etc.
The installed client may also use preinstalled hostkeys. This is useful
to gain some security and avoid the user being prompted to accept
a new host key at the very first connection.
On Windows any preinstalled hostkey file should typically go
into the directory
C:\Program Files\AppGate\preinstalled\hostkeys.
When the installed client has successfully connected to an AppGate server,
the client downloads the system-wide configuration settings from the
AppGate server, which are normally located in the server file
/var/opt/appgate/conf/agclient.properties, and
merges these
settings with the user's current settings.
The Web Start clients first read the user's configuration, then
the configuration file from the AppGate server that provides the
Web Start
client, and merges these settings with the user's current settings.
The Web Start client configuration file is normally located in the file
/var/opt/appgate/webroot.local/webstart/agclient.properties.
The configuration file is a plain text file, and consists of statements in the form of:
key = value
Lines starting with '#' are interpreted as comments and ignored.
The key part actually consists of three parts:
server.option.type
where server and type might be
optional,
depending on the context.
server is the name of the AppGate server, for instance
"demo.appgate.com".
In system-wide configuration files,
the server part should
not be specified (since the setting is for a specific system), but in the
user's local configuration file the server part must be
specified to
differentiate settings between different servers.
option is the name of the option to set, for instance
'ag_authmethod'.
type can be empty, 'locked' or 'local'. 'local' is used
by the
AppGate clients to indicate that the user has changed this value locally.
By using
'locked' it indicates that the value can not be changed by the user, so
if one for instance uses
ag_authmethod.locked = password
in a system-wide configuration file, the user will always have the authentication method 'Password' selected by default, regardless of whether or not the user changes it temporarily.
On the other hand, if type is not used, the client
treats the option from the server as a suggestion. For instance,
ag_authmethod = password
will set the authentication method to 'Password' only if the user
does not already have any setting for ag_authmethod.
When the client merges the configurations from different sources, it is using these rules:
The options' values can be changed by substitution of environment
variables. For example, on a Windows client machine, this line
entrust_inifile=${USERPROFILE}\\appgate\\entrust.ini
will be substituted to entrust_inifile=C\:\\Documents and
Settings\\User Name\\appgate\\entrust.ini by an AppGate
client. If the environment variable doesn't exists, the expression
will be substituted with an empty string,
entrust_inifile=\\appgate\\entrust.ini.
Table 3.5. Client configuration options
| Option | Default value | Description |
|---|---|---|
| ag_atendbaseport | 48624 | Base port number for atend callbacks. |
| ag_attributes | (null) | Static attributes to send |
| ag_authmethod | password | The selected authentication method, see gui_authmethods for a list of selectables. |
| ag_clientid | "" | The client identifier sent to the server to receive the appropriate local configuration. |
| ag_debuglevel | 0 | Debug level |
| ag_hostkeyhandling | simple | Specifies how host keys should be handled by the client. Valid options are: 'accept' - accept all host keys, 'simple' - the user is notified when connecting to a new host, 'verify' - the user is requested to decide whether a new host key should be accepted or not, and 'refuse' - refuse all new host keys. |
| ag_hostsdirpath | "" | (Windows only) The path of the directory where the hosts and lmhosts files are located. If not set the files are located through the registry. |
| ag_language | "" | The language sent to the server to receive the appropriate local configuration. If nothing is specified the server will choose the default language. |
| ag_locallistenaddress | 127.0.0.1 | (Windows & Linux only) The IP address to open local listeners on. |
| ag_modifyieproxy | no | (Windows only) The client adds itself as a proxy for Internet Explorer. |
| ag_osname | (null) | The operating system identifier sent to the server to receive the appropriate local configuration. If nothing is specified the client will autodetect the operating system used. |
| ag_platform | (null) | The platform identifier sent to the server to receive the appropriate local configuration. If nothing is specified the client will autodetect the platform used. |
| ag_startupportcheck | (null) | List of port numbers to try to connect to while starting up, to see if they are used by another application |
| ag_reusepassforshares | yes | Set to 'yes' to reuse the password entered by the user when mapping shares. |
| ag_runclientchecks | yes | When set to 'no', disables the running of any client checks - this option can not be overridden once set to 'no' |
| ag_saveusername | yes | If set to 'no' the user name won't be saved in configuration file. |
| ag_servername | (null) | Use this server name instead of the one implied by the URL when downloading the properties file. This os only valid for applet and webstart clients. |
| ag_useident | no | Set to 'yes' to make the AppGate client query the IDENT daemon each time a connection to an IP access is made. If the user of the AppGate client does not match that of the connecting application the connection will be denied. |
| ag_username | "" | The specified user name. |
| ag_useuniqueips | yes | (Windows & Linux only) If set to 'yes' the client uses a new unique localhost IP address for each remote host, allowing for multiple IP access components listening on the same port. |
| ag_webbrowser | (null) | Command to run to start web browser on other platforms than Windows and MacOS X. |
| ag_writetohostsfile | yes | (Windows only) Tells the AppGate client whether it should write to the hosts file or not. If set to 'no' all client applications must be manually configured to connect to 'localhost'. |
| ag_share_diagnostics | yes | (Windows only) If set to 'yes' the client runs some diagnostic checks to see if it is able to mount netbios shares. If set to 'no' these checks are disabled. |
| ca_securid | no | If set to 'yes' the client use the SecurID customization for CA |
| entrust_inifile | (null) | The path to Entrust init file. May also be an http URL. |
| entrust_ldaphost | localhost | The LDAP host name that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_ldapport | 389 | The LDAP local port that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_mgmthost | localhost | The management host name that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_mgmtport | 709 | The management local port that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_authhost | localhost | The Authority host name that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_authport | 829 | The Authority local port that should be used for the Entrust IP access if 'AppGate' has been selected as the Entrust access method. |
| entrust_offline | no | Set to 'yes' to use Entrust in offline mode. |
| entrust_profile | (null) | The path to the Entrust profile. |
| entrust_thruappgate | yes | If set to 'yes' the Entrust mode is set to 'AppGate', i.e. the Entrust server is accessed via the AppGate server. |
| entrust_inirewrite | yes | If set to 'yes' and the client isn't able to write to the hostsfile, then the AppGate client will always rewrite the entrust.ini file when using Entrust through AppGate. |
| fwdproxy_port | 0 | If set to non-zero this enables ans set the local port number for the TCP forwarding proxy. |
| fwdproxy_prompt | (null) | Prompt to present to client connecting to the TCP forwarding proxy. |
| gui_accessdetails | no | If set to 'yes' the IP access details tab will be shown. |
| gui_authmethods | (null) | Comma separated list of authentication methods allowed by the server, allowed values are: password,certificate,securid,radius,entrust,cryptocard (Deprecated, should only be used for backwards compability with old clients. New clients should use 'gui_authmethod_names' instead.) |
| gui_authmethod_names | (null) | Comma separated list of authentication methods allowed by the server. Each entry is of the type '<name>:<desc>' where <name> is the type of authentication and <desc> is a description of the name. Allowed values for <name> are: password,certificate,securid,radius,entrust,cryptocard. |
| gui_changepassword | yes | Set to 'no' to disable the 'Change password' checkbox. |
| gui_ciphers | (null) | List of cipher methods allowed by the server. |
| gui_clientstrings | (null) | Client string resources. |
| gui_detailsopen | no | (Applet/Connect only) If set to 'yes' the details tab will be opened after a connection has been successfully made. |
| gui_expertmode | no | If set to 'yes', a minimum of confirmation dialogs will be shown. |
| gui_extraprompts | (null) | Set this to have the client ask for additional information in the login dialog - this informations is transferred as attributes to the AppGate server upon a successful login. The format is attr1,prompt1,echo1,attr2,prompt2,echo2... where 'attr' is the attribute to set, 'prompt' is the value to prompt for, and 'echo' is whether the valued should be echoed ('yes') or not ('no'). |
| gui_fillwindow | no | (Applet/Connect only) Is set to 'yes' the services panel will fill up the window and not use a scrollbar. |
| gui_helpurl | (null) | If set this URL will be used when accessing the built-in help in the AppGate client. |
| gui_hiddenservices | no | If set to 'yes' those services marked as invisible will be shown as well. |
| gui_hideabout | no | Set to 'yes' to hide the About/Help button in the login dialog window. |
| gui_hideafterconnect | no | Set to 'yes' to hide the entire window after a connection has been successfully made. |
| gui_hidechangepassword | no | Set to 'yes' to hide/disable the Change password checkbox/menu alternative. |
| gui_hideconnect | no | Set to 'yes' to hide the Connect/Ok button in the login dialog window. |
| gui_hidedebug | no | (Applet/Connect only) Set to 'yes' to hide the Debug button. |
| gui_hidedetails | no | (Applet/Connect only) Set to 'yes' to hide the Details button. |
| gui_hideexit | no | Set to 'yes' to hide the Exit/Cancel button in the login dialog window. |
| gui_hideinfo | no | (Applet/Connect only) Set to 'yes' to hide the Info button. |
| gui_hidemainwindow | no | (Full Client and on Windows only) Set to 'yes' to hide main window when starting up |
| gui_hidemethod | no | Set to 'yes' to hide the Method selection box in the login dialog window. |
| gui_hidemenuhelpabout | no | (Full Client only) Set to 'yes' to hide Help --> About menu |
| gui_hidemenuhelpcontents | no | (Full Client only) Set to 'yes' to hide Help --> Contents menu |
| gui_hidemenuopen | no | (Full Client only) Set to 'yes' to hide Connection --> Open connection... menu |
| gui_hidemenuresume | no | (Full Client only) Set to 'yes' to hide Connection --> Resume connection menu |
| gui_hidemenususpend | no | (Full Client only) Set to 'yes' to hide Connection --> Suspend connection menu |
| gui_hidemenuclose | no | (Full Client only) Set to 'yes' to hide Connection --> Close connection menu |
| gui_hidemenurecently | no | (Full Client only) Set to 'yes' to hide Connection --> Recently connected servers menu |
| gui_hidemenupreferences | no | (Full Client only) Set to 'yes' to hide Connection --> Preferences... menu |
| gui_hidemenuexit | no | (Full Client only) Set to 'yes' to hide Connection --> Exit menu |
| gui_hidemenutabsuspend | no | (Full Client only) Set to 'yes' to hide Tab right click --> Suspend menu |
| gui_hidemenutabresume | no | (Full Client only) Set to 'yes' to hide Tab right click --> Resume menu |
| gui_hidemenutabchangepassword | no | (Full Client only) Set to 'yes' to hide Tab right click --> Change password menu |
| gui_hidemenutabinfo | no | (Full Client only) Set to 'yes' to hide Tab right click --> Info menu |
| gui_hidemenutabclose | no | (Full Client only) Set to 'yes' to hide Tab right click --> Close menu |
| gui_hidemenurightrun | no | (Full Client only) Set to 'yes' to hide service/folder right click --> Run menu |
| gui_hidemenurightstop | no | (Full Client only) Set to 'yes' to hide service/folder right click --> Stop menu |
| gui_hidemenurightenable | no | (Full Client only) Set to 'yes' to hide service/folder right click --> Enable traffic... menu |
| gui_hidemenurightauto | no | (Full Client only) Set to 'yes' to hide service/folder right click --> Autostart menu |
| gui_hidemenurightprops | no | (Full Client only) Set to 'yes' to hide service/folder right click --> Properties... menu |
| gui_hidepassword | no | Set to 'yes' to hide the Password field in the login dialog window. |
| gui_hideproperties | no | Set to 'yes' to hide the Properties button in the login dialog window. |
| gui_hideroaming | no | (Applet/Connect only) Set to 'yes' to hide the Resume/Suspend button. |
| gui_hideserver | no | Set to 'yes' to hide the Server selection box in the login dialog window. |
| gui_hidesplash | no | (Full Client only) Set to 'yes' to hide the Splash window. |
| gui_hideusername | no | Set to 'yes' to hide the User name field in the login dialog window. |
| gui_hidesharemap | no | If set to 'yes', no info dialog will be shown when a windows share is mapped |
| gui_hideshareunmap | no | If set to 'yes', no info dialog will be shown when a windows share is unmapped |
| gui_hidesharediagnostics | no | If set to 'yes', no warning dialog will be shown when netbios share diagnositc tests fail. |
| gui_hideinstallappgatefwd | no | If set to 'yes', the client will not suggest to install appgatefwd. |
| gui_locale | (null) | locale, by default it gets the locale from the environment. |
| gui_lookandfeel | (null) | Look & Feel of GUI |
| gui_mainwintitle | (null) | (Applet/Connect only) The title displayed in the title bar of the client window. |
| gui_minimizetosystemtray | true | Whether we should play hide & seek in system tray if possible |
| gui_opendebug | no | Set to 'yes' to automatically open the debug window on startup |
| gui_position | "0 0 500 400" | The desktop location and size (x y w h) of the client login window. The size information is ignored by the AppGate Applet/Connect. |
| gui_radiuspassword | yes | Set to 'yes' to allow the user to enter the RADIUS password directly. |
| gui_savesettings | yes | If set to 'no' the client will not save any settings on the local machine. |
| gui_securid_maxpinlength | -1 | For SecurID, sets the maximum length of the Pin field. |
| gui_securid_separatepinprompt | yes | Whether the SecurID pin should be prompted for separately or not. |
| gui_securid_password | yes | Set to 'yes' to allow the user to enter the SecurID password directly. |
| gui_serviceview | icon | Controls how services are presented to the user. It can be either the default view of 'icon', or the tree-based view of 'tree'. |
| gui_showcryptocard | no | Set to 'yes' to show the CryptoCard authentication method. |
| gui_showproxy | no | (Applet/Connect only) Set to 'yes' to show the Proxy button in the connection dialog. |
| gui_splashdelay | -1 | (Full Client only) How long splash should be displayed. |
| gui_terminalsettings | (null) | Terminal settings. |
| gui_unavailservices | no | If set to 'yes' those services listed as unavailable will be shown as well. |
| gui_unavailroles | no | If set to 'yes' those roles listed as unavailable will be shown as well. |
| gui_usesplash | (null) | (Full Client only) Resource to use instead of normal splash screen. |
| gui_winbgcolor | (null) | (Applet/Connect only) RGB value (#rrggbb) of the background color for the client. |
| gui_winfgcolor | (null) | (Applet/Connect only) RGB value (#rrggbb) of the foreground color for the client. |
| hostcert_cadevice | (null) | Device where to look for CA host certificates. |
| hostcert_cafiles | (null) | List of files containing CA root certificates. Used for host certificate authentication. |
| hostcert_crldistpoints | (null) | List of URIs (http:// or file://) for CRL retrievals. Used to verify host certificates. |
| hostcert_crlproxyhost | (null) | Proxy host to use for CRL retrieval. |
| hostcert_crlproxyport | 0 | Proxy port to use for CRL retrieval. |
| hostcert_subcafiles | (null) | List of files containing sub CA certificates. Used for host certificate authentication. |
| ipt_baseport | 48524 | Base port number for IP tunneling callbacks. |
| ipt_enable | yes | Set to 'no' to disable use of IP tunneling. |
| ipt_port | 7270 | The port number to contact IP tunneling daemon on. |
| krb5_kdc | (null) | The KDC to use for Kerberos authentication. |
| krb5_realm | (null) | The realm to use for Kerberos authentication. |
| merge_combinable_roles | yes | Present all the combinable roles as one pseudo-role in the role selection dialog<indexterm><primary>Roles</primary><secondary>Combinable</secondary></indexterm> |
| last_selected_roles | (null) | Roles selected the last time the user manually selected shareable roles |
| mud_port | 7893 | The port number to contact agmud on. |
| pfw_enable | yes | Set to 'no' disable use of Personal Firewall. |
| pfw_pollinterval | 30 | How often (seconds) to poll the Personal Firewall for changes. 0 means don't poll. |
| pfw_port | 7271 | The port number to contact Personal Firewall on. |
| pki_certid | (null) | Identifies the certicate used for authenticating. The format is 'certsrc,certid,certfriendlyname'. |
| pki_certsources | (null) | List of certificate sources. |
| pki_checkforcard | yes | If set to 'yes' the client will continously check if the certificate used for authentication is valid, and disconnect the client if not. |
| pki_filename | (null) | Name of PKCS#12 file containing certificate. |
| pki_pkcs11lib | (null) | The name of the third party PKCS#11 library to load for generic PKCS#11 PKI support. |
| pki_usingfile | no | Is set to 'yes', fetch certificate from PKCS#12 file. |
| print_autoprint | no | Set to 'yes' to print document automatically when they are received. |
| print_commands | (null) | List of available printer commands. |
| print_defaultcommand | (null) | Default printer command. |
| print_defaultdevice | (null) | Default printer device. |
| print_defaultprinter | (null) | Default printer. |
| print_devices | (null) | List of available printer devices. |
| print_pollint | 0 | Poll interval (seconds) for printing. |
| proxy_authdata | "" | Proxy authentication password. |
| proxy_id | "" | Proxy identity |
| proxy_authuser | "" | Proxy authentication username. |
| proxy_port | 0 | Proxy server port number. |
| proxy_server | "" | Proxy server name. |
| proxy_type | auto | Proxy server type, one of 'none', 'auto', 'http', 'socks4' or 'socks5'. |
| rdp_usejavardp | no | Always use the built-in java RDP client, and don't bother to look for a native one |
| rdp_experience | 2 | Set the level of RDP protocol optimizations for different bandwidhts. '0' and '1' is for GPRS and modem types of connection, '2' is for Cable Modem and ADSL connections and '2' is for LANor High-speed DSL. |
| rdp_redirect_disks | no | Redirect local disks to the remote computer |
| rdp_redirect_printers | no | Redirect local disks to the remote computer |
| rdp_redirect_sound | off | Control how sounds should be played. Set to 'off' for no sound, 'local' to play on the local computer and 'remote' for playing the sound at the server. |
| rdp_colour_depth | 16 | The colour depth that should be used for RDP connections. Set it to either '8', '16' or '24'. |
| roaming_autosuspendtimeout | 60 | The timeout in seconds for the auto suspend feature. |
| roaming_enableautosuspend | no | Set to 'yes' to enable the auto suspend feature. |
| roaming_inhibit | no | Set to 'yes' to inhibit the client roaming feature. |
| roaming_inhibitautoresume | no | Set to 'yes' to inhibit auto resume. |
| roaming_reconnect_interval | 0 | Always try to reconnect periodically. If the connection is lost then we try to reconnect with this many seconds between the attempts. A value of 0 inhibits this behavior and is the default value. |
| ssh_altports | 22 | List of alternative ports for server. |
| ssh_altservers | "" | Lists all servers in a cluster, along with their load balancing weight, if load balancing is used. Syntax is weight:[ip-address|fqdn]:ssh-port[, ....]. Note that this entry is generated automatically by the client from data specified in the console Load balancing panel. |
| ssh_cipher | AES-128 | The selected cipher method. |
| ssh_compression | no | Set to 'yes' to enabled compression. |
| ssh_keepalive | 0 | Set to non-zero to enable the ssh keep-alive option. |
| ssh_privatekey | (null) | The file containing the private key for public-key authentication. |
| ssh_serverport | 22 | The server port. |
| ssh_x11 | no | Controls whether X11 forwarding will be set up or not. |
| starturl_frame | (null) | (Applet only) Open the 'starturl' web page from in this frame. |
| starturl_url | (null) | (Applet only) Open this web page when connected. |
| tcp_keepalive | -1 | Controls the TCP keep-alive option. Set to '1' to enable. |
| tcp_nodelay | -1 | Controls the TCP no-delay option. Set to '1' to enable. On Windows the default os to enable TCP no-delay, on other platforms it is disabled. |
| tcp_recvbufsize | -1 | Controls the TCP receive buffer size. |
| tcp_sendbufsize | -1 | Controls the TCP send buffer size. |
| tcp_solinger | -1 | Controls the socket 'linger on close' timeout (in seconds). |
| tcp_sotimeout | -1 | Controls the socket timeout (in milliseconds). |
| autoclose_ports | (null) | List of ports to watch. When the last connection over these ports is closed then the autoclose dialog is shown |
| autoclose_delay | 30 | How many seconds to show the autoclose dialog before the application is closed anyway. 0 means foreever and -1 means close without showing the dialog |
Using unique local IP addresses is useful if there is more
than one server for a certain protocol on the inside which needs
to be accessed by the client at the same time. The problem is
that every IP access normally listens on 127.0.0.1 for its local
port. This implies that only one port forwarding for each port
number can be active at a time. However, on Windows and Linux,
it is possible to listen on other IP-numbers than 127.0.0.1.
These are
127.0.0.2, 127.0.0.3 and so on. This feature is only
available on Windows and Linux, and clients will use it by
default if available.
It is possible to turn this off by setting the option
ag_useuniqueips to 'no'.
For this to be useful, the client must be able to write to the hosts file. The client checks this automatically and will not use the feature if it can not write to the hosts file.
The client can be configured to automatically close when the last port forward on a given set of ports is closed. This can be used to automatically close the client when the user for example closes the Citrix client.
Normally when this triggers the client shows a dialog that it is about to close and lets the user have a chance to not close the client. The dialog will time out after a configurable number of seconds and the client will close if the user did not make any choice. It is also possible to configure this so that the dialog is not shown or that the dialog has no timeout.
This feature only works if IP-tunneling is not used. This is because the client does not keep track of the users connections when using IP-tunneling. The feature is also poorly suited to applications which make many short connections to the server, like web browsers. To be useful this feature needs to watch a service where the TCP tunnel is open all the time, like Citrix.
This feature is configured by a couple of client
configuration options. The first
autoclose_ports is a list of local port
numbers to watch. The feature will trigger when the last open
connection over any of these ports is closed. That is if there
are no more open connections on any of the watched ports. The
second option autoclose_delay controls the
timeout. Positive values give the timeout in seconds. A value of
0 means that the dialog will never time
out. And a negative value makes the feature disconnect
immediately without showing the dialog at all.
AppGate Applet is designed to be loaded from the web server integrated with the AppGate server. The applet is also designed to download its configuration file and any hostkeys from the same web server. Therefore, a properly configured HTML page must be on the AppGate system containing the appropriate HTML tags to load the applet with the required parameters.
AppGate Applet is designed to be self-caching. This means that the first time the applet is accessed by a user, the applet is downloaded from the AppGate server and then stored in the local file system. The next time the applet is accessed, the copy in the local file system is used, thus eliminating the time it takes to download the applet. AppGate uses a special applet called 'agappletloader' to handle the caching of the applet and to ensure that the cached copy of the applet is up to date. Therefore, when the appropriate web page is accessed, 'agappletloader' is loaded first. It determines whether there is an up-to-date cached copy of 'agapplet' on the local file system. If not, it downloads a fresh copy 'agapplet' to the local file system and loads it.
AppGate provides a default HTML page for loading the
applet, and some customers might want to customize this page. The
default HTML page resides in the
/var/opt/appgate/webroot.local/applet
subdirectory. By default, 'agappletloader' expects the files
agapplet.jar.zip,
agappletnative_linux.jar.zip,
agappletnative_sunos_sparc.jar.zip,
agappletnative_sunos_i386.jar.zip,
agappletnative_win32.jar.zip,
agappletloader.jar and
agappletloader.cab to be in the applet
subdirectory.
The basic required HTML to load the applet is as follows:
<P ALIGN="CENTER">
<APPLET CODE="se.appgate.appletloader.Loader"
ARCHIVE="agappletloader.jar" WIDTH=300 HEIGHT=100>
<PARAM NAME="boxbgcolor" VALUE="255,255,204">
<PARAM NAME="boxfgcolor" VALUE="0,0,0">
<PARAM NAME="background" VALUE="FFFFCCC">
<PARAM NAME="foreground" VALUE="000000">
<PARAM NAME="cabinets" VALUE="agappletloader.cab">
<PARAM NAME="configurl" VALUE="../applet.properties">
<PARAM NAME="hostkeybase" VALUE="hostkeys">
</APPLET>
</P>
The first line specifies the applet loader with
settings for height and width. The boxbgcolor,
boxfgcolor, background, and
foreground variables set the color attributes for
the applet loader. Color attributes for
AppGate Applet itself are set in the applet.properties
file, see next section. The cabinets parameter is
required to support Internet Explorer, and to indicate that
Internet Explorer must load the corresponding .cab file instead of
the default .jar file specified in the first line. The
configurl parameter points to the file
applet.properties.
The last parameter, hostkeybase,
specifies the path to the directory where the SSH server hostkeys
are stored. Hostkeys should be stored as .pub files in the
specified directory.
When AppGate Applet runs, it pops up its own window but it actually resides in the page in the browser that launched it (the page with the <APPLET> section). This web page must remain 'active' and viewed in the browser for the duration of the AppGate session. If the user changes this page to browse to another page, like pressing the Back button or go to another URL, the applet will immediately be killed by the Java engine of the browser.
To avoid having this web page occupy a seemingly unused browser window, the applet can be embedded into a frame within a frameset. The frameset can then contain two frames: one which is used to view the protected web pages, and one very small where the applet runs.
To accomplish this, the option starturl_frame
specifying the name of the frame in which the web page specified by
starturl_url will be opened, must be added to the
file applet.properties.
Note that the applet will terminate if a web page is
opened in the same frame in which the applet is running. The main
applet may also be configured to hide itself by adding the
gui_hideafterconnect option to the
applet.properties file.
One very important link in the AppGate security mechanism is the hostkey system. Hostkeys are used by the AppGate server to prove its identity to the client. This is needed so that the client knows that it is communicating with the correct server, not an imposter. That the hostkeys must be stored on the client machine is a vulnerability. Normally, we recommend that the server hostkeys are included in the client installation packages. However, that does not apply to AppGate Applet, since it has no installation package.
Instead, AppGate Applet has been made so that it can download the needed hostkeys from the server. This method still leaves the problem of trusting the hostkeys it downloaded from the server, since there could be an imposter waging a man-in-the-middle attack during the download. The solution to this is to use HTTPS with a server certificate. Unfortunately, it is not enough to be able to talk HTTPS to the web server. One must also be able to verify the identity of the web server. The only way to do this is for the web browser to trust the root Certificate Authority (CA), which has issued the certificate of the web server.
There are two ways of obtaining a certificate for the web server in the AppGate server. One is to build your own with a toolkit such as OpenSSL. The problem with this approach is that you have to sign it yourself and import that signing certificate manually in all web browsers accessing your site. The other solution is to buy a commercial web server certificate from a publicly recognized CA, such as Verisign, which already has its CA-key in the browsers. In this case, the browser already has the root CA certificate and can verify that the server is who it claims to be.
It is important to consider that web pages may be cached on the local computer by the web browser. This means that sensitive information may be left in the browser cache. This applies for all web-based services (e.g web mail). This is of even higher importance when sensitive information is accessed by using AppGate Applet on a public computer.
It is possible to configure AppGate Applet to clear the Internet Explorer cache on Windows when the AppGate session ends. This is done by creating a client command which uses the agstart special command with command line 'agstart atend clearcache'.
The applet will run as long as the web page that launched it is visible. What happens when the user leaves the web page depends on the browser. Most browsers will terminate the applet immediately, others may wait a little while. The web pages installed by default on the AppGate server display a warning about this. The administrator may choose to use these pages as a template.
Using the starturl_url configuration option in the
applet
configuration file, the applet may be forced to open a new
browser window with a specified URL as soon as the connection
to the AppGate server has been established.
Once the AppGate IP tunneling driver has been installed, it should
normally not be necessary to configure it. However, there is a number of
windows registry keys that may be useful to change in rare cases.
These keys are found under the
HKEY_LOCAL_MACHINE\Software\AppGate\AppGate IP Tunneling
Driver key:
The level of verbosity of debug messages from the IP tunneling driver. Default is '0' and means that no debug messages are written.
The file where debug messages are written to. Defaults
to C:\Program Files\AppGate\AppGate IP Tunneling
Driver\debug.log.
If a WINS server should be set on the AppGate IP Tunneling Driver virtual interface. A WINS server is only set if it also has been specified on the AppGate server. Default is '1' (enabled).
The file to write host entries to. If not
specified the file hosts in the folder
specified by the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
is used.
The file to write lmhost entries to (used for
NetBIOS shares). If not specified the file
lmhosts in the folder specified by the
registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
is used.
Note that hosts and lmhosts should normally not refer to the same file. If they do then it is important that the file names match exactly, including capitalization.