AppGate Security Server

Version 10.0.1

AppGate and MindTerm are trademarks of Cryptzone AB. Other brands and product names may be trademarks of their respective companies or organizations.

The contents of this document are subject to revision and can be changed without notice. Cryptzone Group AB shall have no liability for any error or damage resulting from the usage of this document.


Table of Contents

1. About this guide
1.1. Who Should Use This Guide
2. Functional Overview
2.1. Introduction
2.2. An AppGate Session
2.2.1. Starting a client
2.2.2. Session establishment
2.2.3. Account establishment
2.2.4. Authentication
2.2.5. Attributes
2.2.6. Client Check
2.2.7. Authorization
2.2.8. Role selection
2.2.9. Service presentation
2.2.10. Service activation
2.2.11. Session termination
2.3. Features
2.4. Satellites
2.5. FIPS mode
2.6. Integration with the network infrastructure
2.6.1. Firewall considerations
2.6.2. Routing considerations
2.7. Alarms
3. Clients
3.1. Client Overview
3.1.1. AppGate Client
3.1.2. AppGate Connect client
3.1.3. AppGate Mobile Client
3.1.4. Clients for Citrix and Terminal Servers
3.1.5. Operating System support of AppGate clients
3.1.6. AppGate IP Tunneling Driver
3.1.7. AppGate Hosts File Writer
3.1.8. AppGate Device Firewall
3.1.9. Deployment of AppGate client
3.2. Client Installation
3.2.1. Installation on Windows
3.2.2. Installation on Mac OS X
3.2.3. Installation on Solaris
3.2.4. Installation on Linux
3.2.5. Installation From the Web Server
3.2.6. AppGate IP Tunneling Driver Installation
3.2.7. AppGate Hosts File Writer Installation
3.2.8. Repackaging the AppGate clients
3.2.9. Over the air provisioning of mobile clients
3.3. Client Usage
3.3.1. Launching clients
3.3.2. Open connection dialog
3.3.3. First time connection
3.3.4. The connection process
3.3.5. Roaming (Suspend/Resume)
3.3.6. Selecting a role
3.3.7. Starting services
3.3.8. Disconnecting
3.3.9. File access
3.3.10. Advanced features
3.3.11. Local print
3.3.12. TCP forwarding proxy
3.3.13. Host certificate considerations
3.3.14. Using certificate authentication
3.3.15. Integrating with screen locker on Linux thin clients
3.3.16. Share access considerations
3.4. Client configuration
3.4.1. Configuration files
3.4.2. Notes on some advanced configuration options
3.4.3. Configuring AppGate Applet
3.4.4. IP Tunneling configuration
3.5. Using other clients
3.5.1. Starting a server command automatically
3.6. AppGate USB client
3.6.1. How it works
3.6.2. How to clear the encrypted area
3.6.3. How to recognize
3.6.4. Included applications
4. Administration
4.1. Using AppGate Console
4.1.1. Database issues
4.1.2. General System/Cluster Status
4.1.3. Run commands
4.2. User accounts
4.2.1. Local accounts
4.2.2. LDAP/AD
4.2.3. Virtual User Accounts
4.3. Authentication Methods
4.3.1. Certificate
4.3.2. Password
4.3.3. Radius
4.3.4. SecurID
4.3.5. Public Key
4.3.6. Kerberos
4.3.7. Chained
4.3.8. Cryptzone OTP
4.4. Access rules
4.4.1. Access rules
4.4.2. Client checks
4.4.3. Setting attributes with a server-side script
4.4.4. Net groups
4.5. Roles, folders and services
4.5.1. Roles
4.5.2. Searching
4.5.3. Folders
4.5.4. Services
4.6. Components
4.6.1. Administration access
4.6.2. Client command
4.6.3. FTP proxy
4.6.4. ICMP access
4.6.5. IP access
4.6.6. Log access
4.6.7. Reverse IP access
4.6.8. Server command
4.6.9. Share access
4.6.10. File access
4.6.11. User Message
4.6.12. Web access
4.6.13. RDP access
4.6.14. Capabilities
4.7. Satellites
4.7.1. How satellites work
4.7.2. The AppGate Satellite hardware
4.7.3. Virtual AppGate Satellites
4.7.4. Deployment
4.7.5. Network Address Translation
4.7.6. Name resolution
4.7.7. Direct access rules
4.7.8. Other routing issues
4.7.9. Troubleshooting
4.7.10. Managing satellites
4.7.11. Satellite status
4.8. Monitor and Status
4.8.1. Active Sessions
4.8.2. System status screen
4.8.3. Notifications
4.8.4. Actions
4.8.5. Monitoring conditions
4.9. Client Configuration
4.9.1. Configuration file
4.9.2. Device Firewall rules
4.9.3. Mobile Client Configuration
4.10. System Maintenance
4.10.1. Firewall
4.10.2. Backup & Restore
4.10.3. Connection Settings
4.10.4. File transfer
4.10.5. L2TP/IPsec Access
4.10.6. License Management
4.10.7. Local Print
4.10.8. Logging
4.10.9. Daemons
4.10.10. File System Manager
4.10.11. File System Manager (conversion mode)
4.10.12. Software Update
4.10.13. SSL Access
4.10.14. Time Synchronization
4.11. Network/Cluster Management
4.11.1. Destinations
4.11.2. Systems
4.11.3. IP Tunneling pools
4.11.4. Load balancing
4.11.5. Clustering
4.12. Command line administration
4.12.1. File locations
4.12.2. Updating the database with ag_visdb
4.12.3. Using sdb_query to examine database
4.12.4. Using licadmin to manage licenses
4.12.5. The nano editor
5. Customization
6. Traffic Capture
6.1. Introduction
6.2. Port Forward
6.2.1. TCP socket basics
6.2.2. Port forward and TCP sockets
6.2.3. Port forward and 127.0.0.x
6.3. Web Access
6.4. IP Tunneling
6.4.1. IP Networks used for IP tunneling
6.4.2. Name resolution
6.4.3. Performance Considerations
6.4.4. Connecting to multiple AppGate servers
6.5. Hostname resolution
7. AppGate Logging
7.1. Background
7.1.1. Time zone issues
7.1.2. Log severities
7.1.3. Log files
7.1.4. Log rotation
7.2. Graphical interface to logs
7.2.1. Logs information panel
7.2.2. Log panels
7.2.3. Live panel
7.2.4. Events selection panel
7.2.5. Event list panel
7.2.6. Sessions selection panel
7.2.7. Session list panel
7.2.8. User selection panel
7.2.9. User report panel
7.2.10. Roles/services report selection panel
7.2.11. Roles/services list panel
7.2.12. Role and service report panel
7.2.13. Graph selection panel
7.2.14. Graphs panel
7.3. Exporting logs and reports as CSV-files
7.4. Command line tools
7.4.1. logcat
7.4.2. loggen
7.4.3. ag_log_snarf
8. AppGate Licensing
8.1. License Management
8.2. licadmin
9. Single Sign On features
9.1. HTTP based authentication
9.2. Web Agents Overview
9.3. Web agents details
9.3.1. Example
10. Local Print
10.1. How it works
10.2. Configuration
10.2.1. Printing PDF-files and other document types
10.2.2. Case sensitive user names
10.2.3. Maximum number of connections
11. Server side configuration for iPhone and Android clients
12. Troubleshooting and System Recovery
12.1. Troubleshooting an unresponsive system
12.1.1. Baseline testing
12.2. Reset the system to Factory defaults
12.2.1. The GRUB menu
12.2.2. Factory default shell
12.3. Howtos
12.3.1. Getting debug files from the web proxy or SSL gateway
12.3.2. Provide a siteinfo
12.3.3. Capture debug output from the AppGate Client
12.3.4. Getting debug files from the RDP proxy
13. Reference
13.1. Web access
13.1.1. How to filter URLs
13.1.2. How Web Access works
13.1.3. AGUSER header
13.1.4. Technical Details
13.1.5. Benefits of the web proxy
13.2. Programs and daemons
13.2.1. Programs
13.2.2. Daemons
13.2.3. Configuration files
13.3. The Database
13.3.1. Defining Components
13.3.2. sdbmeta.db
13.4. Attributes
13.4.1. Attributes set by the AppGate client
13.4.2. Attributes set by the AppGate server
13.5. IP Filter
13.5.1. IP Filter configuration
13.5.2. IP traffic logging
13.5.3. NAT configuration
13.5.4. For further information...
13.6. SNMP Traps
13.7. IP filter reference
13.7.1. IP Filter grammar in BNF
13.7.2. IP Filter tools
13.8. Logcat reference
13.9. Loggen reference
13.10. ag_cfggetset reference
13.10.1. Synopsis
13.10.2. Description
13.10.3. Options
13.10.4. BNF
13.10.5. Examples
13.11. Ag_dbadmin reference
13.11.1. Synopsis
13.11.2. Description
13.11.3. Formal DTD
13.12. Regular Expressions Reference
13.13. Device Firewall rule syntax
13.13.1. Version
13.13.2. Summary of High-Level Rules
13.13.3. Macros
13.13.4. Low-Level Rule Syntax
13.13.5. High-Level Rule Expansion
13.13.6. "opt" settings
13.13.7. ICMP types and codes
13.14. IP Tunneling - Additional configuration
13.15. Hardware Platforms
13.15.1. AppGate A1 and A2 - The Sun V100 based servers.
13.15.2. AppGate A4 - The Sun V210 based servers.
13.15.3. Connecting to the Serial Console on the A1, A2 & A4
13.15.4. AppGate Ax1 and Ax2 on Sun x2100 based servers.
13.15.5. AppGate Ax1 and Ax2 on Sun x2100m2 based servers.
13.15.6. AppGate Ax1 on Dell PowerEdge R210 based servers.
13.15.7. AppGate Ax2 on Dell PowerEdge R410 based servers.
13.15.8. AppGate Ax4 on Sun X4100 and x4100m2 based servers.
13.15.9. AppGate Ax4 on Sun X4140 and x4240 based servers.
13.15.10. AppGate Ax4 on Dell PowerEdge R610 based servers.
13.15.11. Disk mirroring
14. Copyright Notices
14.1. CrystalSVG icons from KDE
14.2. curl
14.3. GLIB
14.4. ipfilter
14.5. javahelp
14.6. jgraph
14.7. Java 2 SE Runtime Environment
14.8. Java Service Wrapper
14.9. libident
14.10. OpenLDAP
14.11. OpenSSH
14.12. OpenSSL
14.13. prngd
14.14. Swing
14.15. tun
14.16. UCD-SNMP
14.17. zlib
14.18. ProperJavaRDP
14.19. Log4j
14.20. GNU Getopt for Java
14.21. GNU Lesser General Public License
14.22. GNU General Public License
14.23. Apache License, Version 2.0
Index

List of Figures

2.1. An AppGate session
4.1. Tree structure in database
4.2. Firewall example network
6.1. TCP connections involved in a Port forward
6.2. TCP connections involved in a web access
6.3. Proxy ARP example
6.4. Routed example
10.1. Local print data flow
13.1. The Back Panel of the V100
13.2. The Back Panel of the V210
13.3. The Back Panel of the x2100
13.4. The Back Panel of the x2100m2
13.5. The Back Panel of the R210
13.6. The Back Panel of the R410
13.7. The Back Panel of the x4100 and x4100m2
13.8. The Back Panel of the x4140
13.9. The Back Panel of the x4240
13.10. The Back Panel of the R610

List of Tables

3.1. Feature support matrix
3.2. Authentication methods supported on each operating system
3.3. Client features vs deployment method
3.4. Supported operations
3.5. Rules for merging configuration options of an AppGate client
3.6. Client configuration options
3.7. Included applications
4.1. Predefined attributes
4.2. RDP Client Selection
4.3. Mobile client provisioning parameters
6.1. Hostname resolution with port forwarding
6.2. Hostname resolution with IP Tunneling
7.1. Log event CSV definition
7.2. Sessions list CSV definition
7.3. Roles/Services report CSV definition
7.4. Role/Service report CSV definition
11.1. Firewall configuration
13.1. The correct values for all settings in this window are as shown below.