SSL VPN is used for Client/Server and Legacy applications and for
Browser-embedded applications
SSL VPN ensures secure traffic between the client machine and the IAG
by encrypting the TCP traffic with SSL and sending this traffic over the
already established and authenticated connection between the endpoint
and the IAG server
No new IP addresses or TCP ports are used; the encrypted traffic is sent
to the IAG Portal on port 443 (or any other port configured for the
Portal trunk)
Socket Forwarding
SSL Wrapper Network Connector
(all modes)
The SSL VPN gateway decrypts the traffic and forwards the payload to the
application server in the internal network
In order for the client traffic to reach the SSL Wrapper, the Wrapper
performs the following actions:
There are three methods by which the SSL Wrapper tunnels the client traffic, depending on the
client application capabilities:
Simple Relay
Listener established on a random loopback address and usually on the regular TCP port
used by the application server (e.g. 127.0.0.156:3389)
HTTP Proxy (must be supported by the client)
Listener established on 127.0.0.1:10081
This method enables access to multiple application servers
SOCKS Proxy (must be supported by the client)
Listener established on 127.0.0.1:1081
This method enables access to multiple application servers
Operating System: Windows 98 and higher | Windows 98 and higher | Windows 98 and higher | Windows Server 2003, Windows 2000
Browser: Internet Explorer 5 - 7 | Java SSL Wrapper supported browser | Internet Explorer 6, 7 | Internet Explorer 6, 7
Troubleshooting tools include a log file; dynamic packet dumps; and a "repair"
utility for extreme cases of the application's violent hangs.
The installation process copies the following files to ...\common\bin:
whlios.exe (server executable)
whlvaw_srv.dll (device installer library)
whlvaw.exe (device installer executable)
whlioapi.dll (UI interface library)
o Stand-alone installations, which do not include the e-Gap Configuration
application, will have a "Network Connector Server Configuration" application,
available through a Start menu shortcut (same dialog).
o Dynamic IP provisioning is scheduled for the next major version.
Important Notes:
While running, the server will use the first available address
from the address pool and assign it to itself.
All other addresses will be assigned to remote clients, until the pool is
exhausted.
Invalid IP pools result in idle sessions, in which remote clients get connected
with no errors, but with no access as well. Common examples include:
Setting overlapping address ranges
Using IP addresses that are already taken, or may be taken by other corporate machines
Using pools consisting of both private and corporate addresses
When using a private pool, IT managers may need to configure the corporate
network accordingly, if they wish to grant clients access to corporate resources/
internet:
Gateway: route traffic that is destined to the private pool network through the NC server
Firewall: allow traffic to and from the private pool network
NAT: add the private pool network to the NAT internal interface (non-split mode)
Setting the server to work in Non-Split mode passes all client WAN traffic through the
corporate gateway machine
You can set the Additional Networks tab with singular IP addresses simply by
specifying network destinations with 255.255.255.255 masks
You cannot use sniffing applications while running an NC session (client and server)
If, for some reason, you have to use the packet dump mechanism, be sure to disable
the dumping mechanism as soon as you're done
The NC sessions do not have a private encryption mechanism, but utilize the existing
SSLVPN tunnel. Therefore, using an http portal produces an insecure virtual network
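Added example (not IAG's own code): a small Python check for the Network Connector address-pool pitfalls listed in the notes above, namely overlapping ranges, addresses already in use on the LAN, pools mixing private and corporate addresses, and the server taking the first address for itself. The pools, corporate subnet and in-use host list are constructed sample values, and "private" is assumed here to mean any address outside the listed corporate subnets.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample values, not from any real IAG deployment.
CORPORATE_NETS = [ipaddress.ip_network("192.168.10.0/24")]
TAKEN_HOSTS: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("10.200.0.5")}
POOLS: List[Tuple[str, str]] = [
    ("10.200.0.1", "10.200.0.20"),      # fine on its own
    ("10.200.0.15", "10.200.0.30"),     # overlaps the first pool
    ("192.168.9.254", "192.168.10.2"),  # straddles the corporate subnet
]

def _bounds(pool: Tuple[str, str]) -> Tuple[int, int]:
    """Inclusive start/end of a pool as integers; rejects reversed ranges."""
    s, e = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    if e < s:
        raise ValueError(f"pool end {e} precedes start {s}")
    return int(s), int(e)

def check_pools(pools, corporate_nets=CORPORATE_NETS,
                taken_hosts=TAKEN_HOSTS) -> Dict[str, object]:
    """Report the misconfigurations the notes warn about and the number of
    addresses left for clients once the server has taken the first one."""
    findings: List[str] = []
    bounds = [_bounds(p) for p in pools]
    # Overlapping ranges: two sessions could be handed the same address.
    for i in range(len(bounds)):
        for j in range(i + 1, len(bounds)):
            if max(bounds[i][0], bounds[j][0]) <= min(bounds[i][1], bounds[j][1]):
                findings.append(f"overlap between pool {i} and pool {j}")
    addresses = set()
    for idx, (s, e) in enumerate(bounds):
        members = [ipaddress.ip_address(n) for n in range(s, e + 1)]
        addresses.update(members)
        # Address already in use on the LAN: client connects, gets no access.
        for a in members:
            if a in taken_hosts:
                findings.append(f"pool {idx}: {a} is already taken on the LAN")
        # A pool must be all private or all corporate, never a mix of both.
        kinds = {any(a in net for net in corporate_nets) for a in members}
        if len(kinds) > 1:
            findings.append(f"pool {idx} mixes private and corporate addresses")
    # The server keeps the first available address; the rest go to clients.
    client_capacity = max(len(addresses) - 1, 0)
    return {"findings": findings, "client_capacity": client_capacity}

if __name__ == "__main__":
    for line in check_pools(POOLS)["findings"]:
        print(line)
```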
SSL VPN
Theory
SSL Wrapper
Socket Forwarder
Network Connector
Client Prerequisites
Whale IAG Client Activity Display and Tools
Using Generic Templates
Drive Mapping