
The AppGate USB client is designed to be used on personal computers when connecting to an AppGate Security Server. It is a client that does not rely on, or use, the ordinary operating system on the machine. It will execute in a secure and trusted environment regardless of the configuration of the original operating system on the computer. In addition, it does not access or store any data on the local hard disks on the PC and will therefore not leave any traces or residues when the session to the AppGate server is closed.
The AppGate USB client has a small encrypted area where local configuration data is stored. This includes things like which AppGate server to connect to and different network configurations. The user must unlock this area with a password before the stick can be used.
The AppGate USB client is available as a separate product.
The USB client is built on Ubuntu Linux. The USB client contains everything needed to boot Linux and run the AppGate client. The other storage devices in the computer are not accessed. They will not be used to store any data and it will not be possible to read any data from them.
The Linux version running on the USB stick has been stripped so that only the most necessary daemons are started. The USB client also includes a firewall for extra protection.
Most of the USB stick is mounted read-only [1]. The only persistent storage is the user's home directory, which is stored in an encrypted part of the file system. The first time the stick is used it will ask for a new password, which is used to protect the encrypted home directory stored on the stick. This password must then be entered each time the stick is booted.
There is no way of recovering the user password if it is lost. But it is possible to remove the encrypted portion which will cause the stick to ask for a new password the next time it is started. All files which were located in the encrypted area will disappear as part of this process.
The encrypted area can easily be cleared from any Linux machine. The USB stick contains two partitions, and the second partition (named 'home-rw') contains the encrypted area. All the encrypted files are stored in /ubuntu.enc. Removing this directory and its content will cause the stick to ask for a new password the next time it is booted.
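The reset procedure above, written out as a small shell helper. This is an added example, not AppGate's own tooling: the partition label 'home-rw' and the /ubuntu.enc directory come from this page, while the mount point and the way the partition is located are assumptions. The helper refuses to act unless the directory is actually present, which guards against running it against the wrong partition.

```shell
#!/bin/sh
# Added example (not AppGate's own code): clear the encrypted area of an
# AppGate USB client whose password has been lost, so the stick asks for a
# new password on the next boot. Everything under ubuntu.enc is lost.
#
# From the page: second partition labelled 'home-rw', files in /ubuntu.enc.
# Assumed: the mount point used below and 'mount -L' to find the partition.

# clear_encrypted_area MOUNTPOINT
#   Removes MOUNTPOINT/ubuntu.enc after checking that it really exists.
#   Returns 0 on success, 1 when the directory is absent (most likely the
#   'home-rw' partition is not mounted at MOUNTPOINT).
clear_encrypted_area() {
    mnt="$1"
    if [ ! -d "$mnt/ubuntu.enc" ]; then
        echo "no ubuntu.enc under $mnt; is the 'home-rw' partition mounted there?" >&2
        return 1
    fi
    rm -rf "$mnt/ubuntu.enc"
    echo "encrypted area removed; the stick will ask for a new password on next boot"
    return 0
}

# Typical use on a Linux machine (placeholder mount point, not run here):
#   mkdir -p /mnt/agusb
#   mount -L home-rw /mnt/agusb     # second partition of the stick, by label
#   clear_encrypted_area /mnt/agusb
#   umount /mnt/agusb
```

Mounting by label rather than by device name (/dev/sdb2 and the like) avoids touching the wrong disk when several removable devices are plugged in.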
The AppGate USB client sets the id field of the platform triplet to agusb. This means that it can be recognized with an access rule which looks like this:
attribute{platform="^unix\.linux\.agusb"}
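To see what the regular expression in that rule does and does not match, here is an added example (not AppGate's own code) that evaluates it against a few constructed platform strings with grep -E. The regex is the one from the rule above; that the rule engine matches it like an extended regular expression, and the platform values other than agusb, are assumptions. The second function shows why the dots are escaped: without the backslashes, a dot matches any character and the rule becomes looser than intended.

```shell
#!/bin/sh
# Added example (not AppGate's own code): evaluate the platform-triplet
# access rule from this page. The regex below is the page's own; the
# sample platform strings are constructed and grep -E matching is an
# assumption about how the rule is evaluated.

RULE_PLATFORM_REGEX='^unix\.linux\.agusb'     # as written in the access rule
LOOSE_PLATFORM_REGEX='^unix.linux.agusb'      # same rule with unescaped dots

# platform_matches PLATFORM -> 0 if the page's rule matches, 1 otherwise
platform_matches() {
    printf '%s\n' "$1" | grep -Eq "$RULE_PLATFORM_REGEX"
}

# platform_matches_unescaped PLATFORM -> 0 if the loose variant matches
platform_matches_unescaped() {
    printf '%s\n' "$1" | grep -Eq "$LOOSE_PLATFORM_REGEX"
}

# Constructed sample triplets (os.flavour.id); only the first one is the
# value this page documents for the USB client.
for p in unix.linux.agusb unix.linux.ubuntu windows.xp.native unix.linuxXagusb; do
    if platform_matches "$p"; then
        echo "$p: matches the access rule"
    else
        echo "$p: no match"
    fi
    if platform_matches_unescaped "$p" && ! platform_matches "$p"; then
        echo "$p: would match only the unescaped variant"
    fi
done
```

The anchored `^` and the escaped dots mean the rule selects exactly platforms whose triplet starts with unix.linux.agusb, which is what an administrator wants when granting the USB client its own set of components.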
The AppGate USB client version 1.5 includes the following applications:
Table 3.7. Included applications
| Application name | Description | Version |
|---|---|---|
| agclient | AppGate client | 8.0.3++ |
| ag_iptd | AppGate IP-tunneling driver | 8.0.3++ |
| firefox | The Firefox web browser | 3.0.8 |
| rdesktop | A Microsoft Terminal Server client | 1.6.0 |
| thunderbird | The Thunderbird email client | 2.0.0.21 |
| acroread | Adobe PDF document reader | 9.1.0 |
| openoffice | The OpenOffice office suite | 3.0.1 |
| x3270 | IBM 3270 terminal emulator | 3.3.7p1 |
| tn5250 | IBM 5250 terminal emulator | 0.17.3 |
| xvnc4viewer | Virtual network computing client software | 4.1.1 |
These are started automatically when the USB stick is booted. The AppGate client will store its settings in the encrypted home directory so it will remember the server it connected to the last time.
There are three ways to start the Firefox web browser:
By launching a web-access component. The AppGate client will launch Firefox and open the provided start URL (if any).
By having a client command which launches /ag/firefox. It is of course possible to append a URL to this command as well.
Manually by the user from the start menu.
Rdesktop can be used to connect to Terminal Servers and to other shared Windows desktops. The way to use it is to let the AppGate client start it automatically with an RDP access component.
Thunderbird is a full-featured email client. It can be started by having a client command run /ag/thunderbird.
The Adobe Acrobat Reader is not something which usually needs to be started manually. It is normally used either to render PDF documents in the web browser or to view PDF attachments from the mail client.
The OpenOffice suite can be used to read office documents locally. These are typically either downloaded from the web or received as attachments. It is possible to just start openoffice by having a client command start /ag/openoffice.
This is a fairly accurate representation of an IBM 3278 and 3279 terminal. It runs over a telnet connection. If the client gets an IP address and thus uses IP-tunneling, it can go directly to the server. Otherwise it has to go through an IP-access component. Note that the local port of such an IP-access component should be larger than 1024.
A typical way to use this would be to create an IP-access component which uses local port 2001. Then a client command could launch /ag/x3270 localhost:2001.
There are many options which can be given to this terminal emulator. They are documented at the emulator's home page (under the Documentation link) at http://x3270.bgp.nu/.
This is a terminal emulator which emulates an IBM 5250 terminal. It works very much like the x3270 terminal emulator. It also uses a telnet connection. The relevant client command could be something like: /ag/xt5250 localhost:2001.
There are many options which can be given to this terminal emulator. These, as well as a HOWTO document, are referenced from the emulator's home page at http://tn5250.sourceforge.net/.
This is a client for the VNC protocol which makes it possible to see the 'desktop' of a remote machine running a VNC server. There are VNC servers available for a number of different environments. The relevant client command could be something like: /ag/vncviewer localhost. This command will make a connection to localhost on port 5900, so there must be a matching IP-access component active.
[1] The root file system looks writable but all writes go to a memory file system and will disappear when the computer is shut down.