
Topics - SSL VPN

- Theory
- SSL Wrapper
- Socket Forwarder
- Network Connector
- Client Prerequisites
- Whale IAG Client Activity Display and Tools
- Using Generic Templates
- Drive Mapping
- LAB: Adding Remote Desktop and TSWeb Apps
- LAB: Adding a Generic Client App

30 November 2010 2007 Celestix Networks


SSL VPN Overview

SSL VPN is used for Client/Server and Legacy applications and for Browser-embedded applications.

SSL VPN ensures secure traffic between the client machine and the IAG by encrypting the TCP traffic with SSL and sending this traffic over the already established and authenticated connection between the endpoint and the IAG server.

No new IP addresses or TCP ports are used; the encrypted traffic is sent over to the IAG Portal on port 443 (or any other configured port for the Portal trunk).



SSL VPN Theory

There are three methods by which IAG can achieve SSL VPN functionality:

SSL Wrapper: Requires dynamic changes to client applications' configuration files. This is the least intrusive method by which to achieve the tunneling of non-HTTP protocols, from the client's perspective.

Socket Forwarding (all modes): A component is dynamically installed on the client machine which hooks into the client's Winsock stack and intercepts the desired TCP traffic. This is transparent to the client applications.

Network Connector: The client machine virtually becomes a node on the Corporate network by means of a virtual NIC dynamically installed on the client computer.



SSL Wrapper

The SSL Wrapper component receives the client traffic at the endpoint, encrypts it using SSL and then tunnels it to the SSL VPN gateway (the IAG Server).

The SSL VPN gateway decrypts the traffic and forwards the payload to the application server in the internal network.

In order for the client traffic to reach the SSL Wrapper, the Wrapper performs the following actions:

- Establishes a listener on the loopback address at the client on different ports (127.0.0.nnn:yyy) depending on the client needs
- Changes the configuration of the client in order to cause its traffic to be sent to the SSL Wrapper listener. How? See next slide...



SSL Wrapper

The SSL Wrapper uses a "Host file rewrite" technique to resolve names and route TCP traffic to its listener. "Host file rewrite" is a generic term; the actual client configuration changes may be inserting an entry in the local Hosts file, or changing an .INI file, or .RDP file, or making a change in the endpoint's Windows Registry.

There are three methods by which the SSL Wrapper tunnels the client traffic, depending on the client application capabilities:

- Simple Relay
  - Listener established on a random loopback address and usually on the regular TCP port used by the application server (e.g. 127.0.0.156:3389)
- HTTP Proxy (must be supported by the client)
  - Listener established on 127.0.0.1:10081
  - This method enables access to multiple application servers
- SOCKS Proxy (must be supported by the client)
  - Listener established on 127.0.0.1:1081
  - This method enables access to multiple application servers
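To see what a Host file rewrite leaves on an endpoint, here is an added example (not code from the deck or from IAG) that parses a Windows Hosts file and lists every hostname redirected to a loopback address, so an administrator can separate the expected SSL Wrapper relay entries from stale or unexpected ones. The Hosts content and the hostnames in it are constructed for the example.

```python
# Added example (not code from the training deck or from IAG): list every
# hostname in a Windows Hosts file that is redirected to a loopback address.
# The SSL Wrapper's "Host file rewrite" leaves exactly such entries behind
# (e.g. a Terminal Server name mapped to 127.0.0.156), so an administrator
# can use this to separate expected relay entries from stale or unexpected
# ones. SAMPLE_HOSTS and its hostnames are constructed for this example.
import ipaddress
import re

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.156     ts1.corp.example      # simple relay listener on :3389
127.0.0.1       proxy.corp.example    # HTTP proxy relay on 127.0.0.1:10081
10.1.2.3        fileserver.corp.example
"""

# Names that legitimately map to loopback on any Windows machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return [(ip_address, [names])] for each usable Hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: not an address, skip it
        entries.append((addr, names))
    return entries

def loopback_redirects(text):
    """Map hostname -> loopback IP for every non-localhost loopback entry.

    A Hosts entry pointing a real server name at 127/8 or ::1 is either an
    SSL Wrapper relay listener or something that deserves a second look.
    """
    found = {}
    for addr, names in parse_hosts(text):
        if not addr.is_loopback:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                found[name.lower()] = str(addr)
    return found

if __name__ == "__main__":
    for name, ip in loopback_redirects(SAMPLE_HOSTS).items():
        print(f"{name:28} -> {ip}")
```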



Socket Forwarding

The Socket Forwarding component add-on is based on Microsoft's Layered Service Provider (LSP) and Named Service Provider (NSP) technologies.

SF transparently intercepts the client traffic by binding itself at the Winsock layer of the OS.

Usage of the SF eliminates the need to make on-the-fly changes to client application settings or to the Hosts or Registry.

SF is used to support a wider variety of applications, such as supporting applications that jump ports.



Client Computer Prerequisites

Prerequisite | ActiveX Components | Socket Forwarder (Disabled mode) - Using Java | Socket Forwarder (Basic, Extended, and VPN modes) using ActiveX SSL Wrapper | Network Connector
Operating System | Windows 98 and higher | Windows 98 and higher | Windows 98 and higher | Windows Server 2003, Windows 2000
Browser | Internet Explorer 5 - 7 | Java SSL Wrapper supported browser | Internet Explorer 6, 7 | Internet Explorer 6, 7
Browser enables running of signed ActiveX objects | Required | Not required | Required | N/A
User Privileges | Any | Power User | Administrator | Administrator
Windows DHCP Client Service | N/A | N/A | Must be running | Must be running



Supported Client Browsers

Minimum Requirements

Operating System | Supported Browsers
Microsoft Windows 2000 | Microsoft Internet Explorer 6; Mozilla family: Netscape Navigator 7.1.x, Netscape Navigator 7.2.x; Mozilla 1.7.x; Firefox 1.0.x
Windows XP, Windows Server 2003 | Internet Explorer 6, Internet Explorer 7; Mozilla family: Netscape Navigator 7.1.x, Netscape Navigator 7.2.x; Mozilla 1.7.x; Firefox 1.0.x
Windows Mobile 2003 for Pocket PC * | Pocket Internet Explorer
Mac OS X | Safari 1.2.4, Safari 1.3, and Safari 2.0; Mozilla family: Netscape Navigator 7.1.x, Netscape Navigator 7.2.x; Mozilla 1.7.x; Firefox 1.0.x; Camino 0.83
Linux (Red Hat, SUSE, Debian) | Mozilla family: Netscape Navigator 7.1.x, Netscape Navigator 7.2.x; Mozilla 1.7.x; Firefox 1.0.x

* For those users running other operating systems or other browser versions, the IAG 2007 portal home page has been reworked to present a stripped-down page for browsers that do not support the rich environment necessary for the entire range of IAG features, such as scheduled logoffs and session time-outs.
Network Connector

Topics - Network Connector

- NC Server Overview
- Installation
- Configuring the NC Server
- Configuring the NC Application
- Troubleshooting Tools and Tips
- LAB



Network Connector Overview

The Network Connector (NC) offers the ability to run and manage remote connections, as if they were part of the office network.

- No network topology / architecture prerequisites; may be installed as part of the IAG server or on a stand-alone machine
- Auto-detection and manual tuning of office networking parameters (DNS, WINS, Gateway, DNS Suffix), including support for multi-connection machines
- Two IP provisioning methods
- Internet access configuration, including Split / Non-Split tunneling, and None
- Protocol filters for IP-based protocols (exclusive blockers)
- Optional setting of additional session networks



Network Connector Client Overview

- Supports Windows 2000, Windows XP and Windows 2003 operating systems
  - Currently, administrator privileges are required on the client machine in order to use the NC client. Non-administrator client support is scheduled for the next version
- Integrated with the IAG automatic detection / installation / update modules, including an offline option
  - Installation does not require a reboot
- Session icon with statistics, and a "Disconnect" option
- Full IP-based unicast functionality, in any direction: client to server, server to client, client to client
- Troubleshooting tools include a log file, dynamic packet dumps, and a "repair" utility for extreme cases of violent application hangs



NC Server Installation

The installation process copies the following files to ...\common\bin:

- whlios.exe (server executable)
- whlvaw_srv.dll (device installer library)
- whlvaw.exe (device installer executable)
- whlioapi.dll (UI interface library)

Once the files are copied, the installer performs the following actions:

- Installs a virtual network device
- Installs a Windows manual service



NC Server - Virtual Network Device

The device name is Whale Network Connector.

The virtual network device appears like any other NIC. Therefore, you can see it in the Windows Device Manager, Network control panel, and in the Windows system tray.

Once installed, a popup balloon above the Whale Network Connector system tray icon indicates an unplugged status.

The device status changes to Connected whenever the server's service is running.



NC Server - Windows Service

Service name is Whale Network Connector Server.

Service is installed in Manual Startup mode. The service's Startup mode is changed to Automatic the first time the NC server is configured and started.

Service can be seen in the Windows Services manager, via Start -> Programs -> Administrative Tools -> Services.



NC Server Configuration

- NC Server configuration is available through the e-Gap Configuration application, under the Admin menu (settings are global, and not per trunk).
- Stand-alone installations, which do not include the e-Gap Configuration application, will have a "Network Connector Server Configuration" application, available through a Start menu shortcut (same dialog).



NC Server Configuration

The NC Server configuration consists of five tabs:

- Network Segment: used to configure the appropriate connection for multi-connection machines, and enables manual setting of various networking parameters
- IP Provisioning: used to configure the IP provisioning type, pool, and pool mask
- Access Control: used to configure WAN access and protocol blockers
- Additional Networks: used to configure additional network destinations that will be available to clients through the virtual NC connection
- Advanced: used to configure advanced options



Configuration / Network Segment

- Select from the Network Connection drop-down list if more than one is available.
- Set the Complementary Data fields if some networking parameters are missing from your connection's configuration, or if you wish to manually set specific values.
- Note: missing networking parameters yield limited NC sessions.



Configuration / Network Segment (contd.)

- Complementary Data is set by default to "Only if...", meaning: use the data below only if missing from the machine's configuration.
- If you select the non-default option "Always...", the NC server ignores the real connection's configuration whenever it conflicts with the manual complementary settings (not recommended).



Configuration / IP Provisioning

- The IP Provisioning tab is used to configure the IP pool type, address range(s), and mask.
- Currently, the pool supports only two provisioning methods:
  - A static corporate pool
  - A static private pool
- Dynamic IP provisioning is scheduled for the next major version.



Configuration / IP Provisioning (cont.)

- The Address Pool table can hold up to seven static IP address ranges.
- The Pool Mask should be configured when the pool is made of private (non-corporate) IP addresses.
- The server determines the pool's type by the values of the address pool ranges.



Configuration / IP Provisioning (cont.)

Important Notes:

The pool, as defined in this tab, determines the virtual network (IP & mask) to which remote clients are joined each session.

Therefore, using a corporate pool for remote clients will automatically grant them access to office resources, while a private pool will grant them automatic access to other remote clients only.



Configuration / IP Provisioning (cont.)

Important Notes (cont.):

If you set a private pool, and wish remote clients to have access to your corporate segment as well, use the Additional Networks configuration (as shown later).

- Note: such a configuration may require further configuration on the corporate Firewall / Gateway machines.

While running, the server will use the first available address from the address pool and assign it to itself.

- All other addresses will be assigned to remote clients, until the pool is exhausted.

Make sure that the IP address ranges do not collide with other machines!



Configuration / Access Control

- The Access Control tab is used to configure the desired WAN access level:
  - Split tunneling
  - Non-Split tunneling
  - None
- In addition, you can use this tab to enable one or more protocol filters (blockers), which drop all traffic to and from clients, according to protocol type.



Configuration / Access Control (cont.)

- In SPLIT mode, each connected client is configured to keep its original WAN routes. This means that the virtual connection will be utilized only for the virtual networks, as set in the IP Provisioning and Additional Networks tabs.
- In NON-SPLIT mode, clients are configured to pass all traffic onto the virtual connection, with the exception of local networks and the IAG portal address.



Configuration / Access Control (cont.)

- In NONE mode, clients are configured to have no WAN access, with the exception of local networks, the IAG portal address, and the networks which were configured on the Additional Networks tab.
- As for proxy clients: full Proxy support is scheduled for the next major version. For the time being, local and remote proxy clients should be able to work in most cases.
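The three WAN access modes above differ only in what happens to traffic that matches none of the session's networks. The following added example (not the deck's or IAG's code) models that client-side routing decision for the SPLIT, NON-SPLIT and NONE modes; the pool, additional network, home LAN and portal address it uses are constructed sample values.

```python
# Added example (not the deck's or the product's code): models the client-side
# routing policy described for the Access Control tab. Given the WAN access
# mode (split / non-split / none) and the networks a session knows about, it
# says whether a destination goes over the virtual NC connection, stays on the
# client's own routes, or has no route at all. All networks are constructed.
import ipaddress

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def route_for(mode, dst, virtual_nets, additional_nets, local_nets, portal_ip):
    """Return 'tunnel', 'direct' or 'blocked' for destination dst.

    mode: 'split', 'non-split' or 'none' (the three Access Control settings)
    virtual_nets: the network(s) defined by the IP Provisioning pool
    additional_nets: networks from the Additional Networks tab
    local_nets: the client's own LAN(s); portal_ip: the IAG portal address
    """
    dst = ipaddress.ip_address(dst)
    # Every mode keeps local networks and the portal address reachable
    # directly: the portal carries the SSL tunnel the NC session rides on.
    if dst == ipaddress.ip_address(portal_ip) or _in_any(dst, local_nets):
        return "direct"
    if _in_any(dst, virtual_nets) or _in_any(dst, additional_nets):
        return "tunnel"
    if mode == "split":
        return "direct"   # original WAN routes are kept
    if mode == "non-split":
        return "tunnel"   # everything else goes out via the corporate gateway
    if mode == "none":
        return "blocked"  # no WAN access at all
    raise ValueError(f"unknown access mode: {mode}")

# Constructed sample session: private pool 192.168.250.0/24, corporate
# segment 10.0.0.0/8 reachable via Additional Networks, home LAN
# 192.168.1.0/24, portal at a documentation address.
VIRTUAL = [ipaddress.ip_network("192.168.250.0/24")]
ADDITIONAL = [ipaddress.ip_network("10.0.0.0/8")]
LOCAL = [ipaddress.ip_network("192.168.1.0/24")]
PORTAL = "203.0.113.10"
TARGETS = ["10.20.30.40", "192.168.250.7", "192.168.1.1", PORTAL, "198.51.100.5"]

def sample_decisions(mode):
    """Route decision for each sample destination under the given mode."""
    return {t: route_for(mode, t, VIRTUAL, ADDITIONAL, LOCAL, PORTAL) for t in TARGETS}

if __name__ == "__main__":
    for m in ("split", "non-split", "none"):
        print(m, sample_decisions(m))
```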



Configuration / Additional Networks

- The Additional Networks tab is used to configure network destinations (up to five) that will be available to clients every session, besides the virtual network as set in the IP Provisioning tab.
- Each network destination consists of an IP, Mask, and a Conflict Handling action.



Configuration / Additional Networks (cont.)

- When working with corporate pool provisioning, this feature is used to grant clients access to various network destinations that are only available through your corporate gateway.
- If your pool is a private pool, this feature is usually used to grant remote clients access to the corporate network.



Configuration / Additional Networks (cont.)

- The Conflict Handling field determines which action should be taken if the network conflicts with a client's network:
  - Skip (network is not added)
  - Fail (client session cancelled)
  - Prompt (user is prompted to choose whether to skip/abort)
- Please note that the server does not check the integrity and sanity of the networks specified in this tab, therefore you have to be very careful when setting them.
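Because the server performs no sanity check of its own, an administrator may want to do it before saving. The added example below (not from the deck or from IAG) runs such a check against the pool and the five-entry limit, and simulates how the Skip / Fail / Prompt actions play out when a client's own network conflicts with a configured destination; all networks are constructed samples and the Prompt answer comes from a stand-in callback.

```python
# Added example (not from the deck or from IAG): simulates the Conflict
# Handling action of the Additional Networks tab when a client's own network
# overlaps a configured destination, and adds the sanity checks the slide says
# the server does not perform (overlap with the pool, duplicate entries, more
# than five networks). Networks are constructed samples; the "Prompt" action
# is answered by a callback standing in for the user's skip/abort choice.
import ipaddress

MAX_ADDITIONAL = 5  # entry limit stated on the Additional Networks slide

def sanity_check(additional, pool_net):
    """Return the problems an administrator should fix before saving."""
    problems = []
    nets = [ipaddress.ip_network(n) for n, _ in additional]
    if len(nets) > MAX_ADDITIONAL:
        problems.append(f"more than {MAX_ADDITIONAL} additional networks")
    for i, a in enumerate(nets):
        if a.overlaps(pool_net):
            problems.append(f"{a} overlaps the IP provisioning pool {pool_net}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

def apply_additional(additional, client_nets, prompt=lambda net: "skip"):
    """Return ([added network strings], session_ok) after conflict handling.

    additional: [(network, action)] with action in {"skip", "fail", "prompt"}
    client_nets: the client's local networks
    prompt: called for a conflicting 'prompt' entry, returns "skip" or "abort"
    """
    client_nets = [ipaddress.ip_network(c) for c in client_nets]
    added = []
    for net, action in additional:
        net = ipaddress.ip_network(net)
        if not any(net.overlaps(c) for c in client_nets):
            added.append(str(net))  # no conflict: route is added
            continue
        if action == "fail" or (action == "prompt" and prompt(net) == "abort"):
            return [], False        # client session cancelled
        # "skip", or prompt answered "skip": the network is simply not added
    return added, True

# Constructed sample: corporate 10.0.0.0/8 (fail on conflict) and a lab
# segment 192.168.1.0/24 (skip on conflict); pool is 192.168.250.0/24.
ADDITIONAL = [("10.0.0.0/8", "fail"), ("192.168.1.0/24", "skip")]
POOL = ipaddress.ip_network("192.168.250.0/24")

if __name__ == "__main__":
    print(sanity_check(ADDITIONAL, POOL))
    print(apply_additional(ADDITIONAL, ["192.168.1.0/24"]))  # home LAN conflict
    print(apply_additional(ADDITIONAL, ["10.5.0.0/16"]))     # corporate conflict
```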



Configuration / Advanced

- The Advanced tab is used to set the following:
  - Listener type and port
  - Logging and Dump options
  - Object resources



Configuration / Advanced (cont.)

- The Listener area allows the administrator to set the listener characteristics for the server.
- It is strongly advisable NOT to change the default listener settings.
- Changing the default Port value affects the NC application configuration, as explained later.
- The listener Type is TCP, and cannot be changed.



Configuration / Advanced (cont.)

- The Log area allows the administrator to set the desired logging policy.
- A log level of 0 (zero) produces no logs, and a log level of 5 produces the most comprehensive logs. It is strongly advised not to use a log level higher than 4.
- By default, the log file path is ..\common\bin\whlios.log. You may, however, manually set a full path name of your own.



Configuration / Advanced (cont.)

- In the Log area, you can also enable packet dumps of two kinds:
  - Low Level (traffic to and from the server's virtual device)
  - Tunnel (traffic to and from the server's connected clients)
- The low level and tunnel dumps are written in tcpdump format, and differ according to the server's filtering.
- The dump files are named as the log file, with a "low level" / "tunnel" .dmp extension.



Configuration / Advanced (cont.)

- Both log and dump files may be opened/deleted while the server is running.
- Enabling the packet dumps is not recommended! (see troubleshooting for more details)



Configuration / Advanced (cont.)

- The Server Resources area offers various options for tuning the server's performance.
- Like the packet dump options, these settings should not be changed, and are used only for advanced troubleshooting scenarios.
- For more details, see troubleshooting later.



NC Troubleshooting Tips

Invalid IP pools result in idle sessions, in which remote clients get connected with no errors, but with no access as well. Common examples include:

- Setting overlapping address ranges
- Using IP addresses that are already taken, or may be taken by other corporate machines
- Using pools consisting of both private and corporate addresses

When using a private pool, IT managers may need to configure the corporate network accordingly, if they wish to grant clients access to corporate resources / internet:

- Gateway: route traffic that is destined to the private pool network through the NC server
- Firewall: allow traffic to and from the private pool network
- NAT: add the private pool network to the NAT internal interface (non-split mode)

Using a private pool can be useful if an IT manager wishes to specify special rules for remote clients, for example dropping/allowing traffic by port.
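The three invalid-pool cases above, together with the seven-range limit and the "server takes the first address" rule from the IP Provisioning slides, can all be checked before a pool is saved. The added example below (not from the deck or from IAG) does exactly that; the corporate segment, pool ranges and in-use addresses are constructed sample values, and the pool type is derived by comparing each address against the corporate segment, which is this example's reading of "determined by the values of the address pool ranges".

```python
# Added example (not from the deck or from IAG): validates an NC address pool
# against the rules on the IP Provisioning slides and the "invalid IP pool"
# cases listed above: overlapping ranges, addresses already taken elsewhere,
# pools mixing private and corporate addresses, and the seven-range limit.
# It also derives the pool type (by where the addresses lie relative to the
# corporate segment, this example's assumption) and counts the client
# addresses left once the server takes the first one. All values constructed.
import ipaddress

MAX_RANGES = 7  # Address Pool table limit stated on the slide

def check_pool(ranges, corporate_net, in_use=()):
    """Return (pool_type, problems, client_addresses_available).

    ranges: [(first_ip, last_ip)] as strings, one tuple per table row
    corporate_net: the office segment, used to classify the pool
    in_use: addresses known to be taken by other corporate machines
    """
    corporate_net = ipaddress.ip_network(corporate_net)
    problems = []
    if len(ranges) > MAX_RANGES:
        problems.append(f"more than {MAX_RANGES} address ranges")
    spans = []
    for first, last in ranges:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if b < a:
            raise ValueError(f"range {first}-{last} is reversed")
        spans.append((a, b))
    # Pairwise interval test catches the "overlapping address ranges" mistake.
    for i, (a1, b1) in enumerate(spans):
        for a2, b2 in spans[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"ranges {a1}-{b1} and {a2}-{b2} overlap")
    addrs = {ipaddress.ip_address(n) for a, b in spans
             for n in range(int(a), int(b) + 1)}
    for x in in_use:
        if ipaddress.ip_address(x) in addrs:
            problems.append(f"{x} is already in use on the corporate network")
    kinds = {"corporate" if a in corporate_net else "private" for a in addrs}
    pool_type = "mixed" if len(kinds) > 1 else (kinds.pop() if kinds else "empty")
    if pool_type == "mixed":
        problems.append("pool mixes private and corporate addresses")
    clients = max(len(addrs) - 1, 0)  # the server assigns the first one to itself
    return pool_type, problems, clients

# Constructed samples: office segment 10.1.0.0/16, a clean private pool, and
# a pool that makes every mistake at once.
CORPORATE = "10.1.0.0/16"
GOOD_POOL = [("192.168.250.10", "192.168.250.20"), ("192.168.250.30", "192.168.250.34")]
BAD_POOL = [("10.1.1.10", "10.1.1.20"), ("10.1.1.15", "10.1.1.25"), ("203.0.113.5", "203.0.113.6")]

if __name__ == "__main__":
    print(check_pool(GOOD_POOL, CORPORATE))
    print(check_pool(BAD_POOL, CORPORATE, in_use=["10.1.1.12"]))
```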



NC Troubleshooting Tips

- Setting the server to work in Non-Split mode passes all client WAN traffic through the corporate gateway machine.
- You can set the Additional Networks tab with singular IP addresses simply by specifying network destinations with 255.255.255.255 masks.
- You cannot use sniffing applications while running an NC session (client and server).
- If, for some reason, you have to use the packet dump mechanism, be sure to disable the dumping mechanism as soon as you're done.
- The NC sessions do not have a private encryption mechanism, but utilize the existing SSL VPN tunnel. Therefore, using an HTTP portal produces an insecure virtual network.



Summary

SSL VPN

- Theory
- SSL Wrapper
- Socket Forwarder
- Network Connector
- Client Prerequisites
- Whale IAG Client Activity Display and Tools
- Using Generic Templates
- Drive Mapping



Next Topic

Monitoring and Debugging

