StoneGate SSL VPN Technical Note 2076. Setting Up Sygate On-Demand




Table of Contents

Introduction
Overview
Sygate On-Demand and StoneGate SSL VPN
Configuring Sygate On-Demand
Copying Sygate Configuration to StoneGate
Configuring StoneGate Access Point Default Page
Configuring End-Point Integrity Client Scan
Creating Customized Start Page
Configuring StoneGate SSL VPN Logout Page
Publishing Configuration
Feedback

Introduction

This technical note covers all aspects of configuring StoneGate SSL VPN and Sygate On-Demand Manager for the purpose of using Sygate On-Demand Virtual Desktop with StoneGate SSL VPN. Changes since the previous revision (SG_SVTN_2076_20070629) are marked in the left margin with a change bar.

Note: This technical note does not cover installation and general configuration of Sygate On-Demand. For information on installation and general configuration, please read the documentation provided with Sygate On-Demand.

Prerequisites

This technical note assumes a thorough understanding of StoneGate SSL VPN administration and of Sygate On-Demand. HTML proficiency is also required. Use the further reading to gain the required knowledge.

Further Reading

More information on StoneGate SSL VPN administration can be found in the StoneGate SSL VPN Administrator's Guide, the Online Help, and the Technical Note repository provided with the product. Another source of information is the Stonesoft Support site, which can be found at http://www.stonesoft.com/support/. For more information on related subjects, visit http://www.sygate.com/products/sygate-on-demand.htm.

Overview

The Sygate On-Demand application consists of two modules: the Sygate On-Demand Manager and the Sygate On-Demand Agent (SODA). All settings and configurations are specified in the Sygate On-Demand Manager. The Sygate On-Demand Agent reads the settings from the Manager and acts as the secure desktop for the client. The files and settings generated by the Sygate On-Demand Manager are saved in a file system catalog in the SODA installation directory. The files include HTML pages, applets, configurations, components, and libraries.
Sygate On-Demand and StoneGate SSL VPN

The purpose of using Sygate On-Demand in combination with StoneGate SSL VPN is to take advantage of Sygate On-Demand's secure desktop solution while maintaining the authentication and authorization functionality of StoneGate SSL VPN. The End-Point Integrity solution of StoneGate SSL VPN is enabled to ensure that the Sygate On-Demand Agent is used on the clients.

To achieve a secure integration between StoneGate SSL VPN and Sygate On-Demand, the following configuration is required:

1. Configure Sygate On-Demand. The Sygate On-Demand Agent is configured to display a customized start page when started successfully, and settings for the virtual desktop are specified.

2. Copy the Sygate On-Demand Agent files to the Administration Service. To enable all Access Points to access the Sygate On-Demand Manager configuration, the Sygate On-Demand Agent files are copied to the Administration Service.

3. Configure the StoneGate SSL VPN Access Point default page. To automatically launch the Sygate On-Demand Agent when users access the Access Point, the default page for the Access Point is set to the file that launches the Sygate On-Demand Agent.

4. Configure the End-Point Integrity client scan. A client scan is configured to verify that the Sygate On-Demand Agent is running when resources are accessed.

5. Create an authentication method access rule. An access rule is created to include the authentication methods that will be used to protect the resources.

6. Protect resources. Applicable authentication methods are applied to your resources. To eliminate the possibility of users accessing resources directly without launching the Sygate On-Demand Agent, applicable resources are also protected by the End-Point Integrity client scan.

7. Create a customized start page. A customized start page is created in order to launch the StoneGate SSL VPN Portal in the Sygate On-Demand Agent.

8. Configure the StoneGate SSL VPN logout page. The StoneGate SSL VPN logout page is configured either to close the browser or to redirect to the customized start page when users log off from the Application Portal.

With this configuration the end user has access to the configured StoneGate SSL VPN installation via the Sygate On-Demand Agent. The first contact with the system launches the Sygate On-Demand Agent. The Agent launches a browser displaying the End-Point Integrity scan page. The user clicks the scan button to initiate the client scan. Only if the client scan finds a running SODA process on the client is the authentication page displayed. The page lists the available authentication methods for the user, who then makes a selection and proceeds with authentication as usual.

Note: Due to the nature of Sygate On-Demand, it is not possible to use dynamic tunnels. Only static tunnels are supported. Please keep that in mind when setting up your system.

The steps required are detailed in the following sections.

Configuring Sygate On-Demand

Use the Sygate On-Demand Manager to configure the Sygate On-Demand Agent to display a customized start page when started successfully. This process also allows you to specify settings for the virtual desktop.

Note: Here you specify the URL for a customized start page. The start page is created later (refer to the section Creating Customized Start Page). In the examples we use the file name /soda/wa_default.html. If you use another file name, remember to enter this name when following the instructions for creating the start page.

To configure Sygate On-Demand

1. In Sygate On-Demand Manager, configure the following settings for the Virtual Desktop:
   Enable automatic switch: select the checkbox.
   Enable back and forward switch: deselect the checkbox.
   Terminate the Virtual Desktop upon closing the browser that launched the Success URL: select the checkbox if you want SODA to shut down automatically when the user closes the Application Portal. If the checkbox is deselected, SODA will still be running when the Application Portal is closed and the user must terminate SODA manually.

2. On the URL tab, enter the URL of the client scan logon page.
   Example URL: https://<Access Point host>/soda/wa_default.html

Using this configuration, the Sygate On-Demand Agent will automatically launch a browser with the start page loaded when it is started successfully.

Copying Sygate Configuration to StoneGate

To copy the files and configurations produced by the Sygate On-Demand Manager to the Administration Service

1. Create a folder called soda for the SODA files: /data/portwise/administration-service/files/access-point/custom-files/wwwroot/soda/

2. Copy the contents of the folder <Sygate installation folder>\sygate On-Demand\On-DemandAgent

3. Place the copied files in the folder you created.

When you publish the configuration in the StoneGate SSL VPN Administrator, the files and configurations captured from the Sygate On-Demand Manager are automatically published to all StoneGate SSL VPN Access Points in the network.

Configuring StoneGate Access Point Default Page

Follow the instructions below to configure the StoneGate SSL VPN Access Point default page to correspond to the file in the previously created soda folder on the StoneGate SSL VPN Administration Service. This is the file that will launch the Sygate On-Demand Agent.

To configure the Access Point default page

1. In the StoneGate SSL VPN Administrator, select Manage System in the main menu and click Access Points in the left-hand menu.
2. Click the Manage Global Access Point Settings link.
3. On the Client Access tab, enter the following in Client Access Settings:
   Default Page: <location and file name of the file that launches the Sygate On-Demand Agent>
   Example: /soda/index.htm
4. Click Save.

Using this configuration, the Sygate On-Demand Agent will automatically be launched when the user accesses the StoneGate SSL VPN Access Point.

Configuring End-Point Integrity Client Scan

You have now configured the Access Point default page to launch the Sygate On-Demand Agent. To protect all resources and authentication methods configured in the system, use a Global Access Rule defining that SODA must be running on the client. To verify that SODA is running, use a Sygate On-Demand Assessment Plug-In.
Creating End-Point Integrity Access Rule

To create an access rule defining that clients must have a running SODA process to access resources

1. In StoneGate SSL VPN Administrator, select Manage Resource Access in the main menu and click Access Rules in the left-hand menu.
2. Click the Add Access Rule link.
3. Enter a display name that describes what the End-Point Integrity scan will check.
   Example Display Name: Sygate On-Demand
4. Click the Add Rule link.
5. Select Assessment in the list and click Next.

6. Click Upload Plug-In and browse to the SygateOnDemand.jar file bundled with the installation.
7. Click Upload Plug-In.
8. Click Previous.
9. Select the Sygate On-Demand Plug-In in the list of available plug-ins and click Next.
10. If a newer version of the Sygate On-Demand client software is installed, verify the Process digest; otherwise use the supplied value.
11. Define a customized error message or use the Default Message.
12. Click Next and finish the wizard.

Creating Authentication Method Access Rule

Follow the instructions below to create an access rule that contains the authentication methods your users may employ after the client scan has been performed.

1. In StoneGate SSL VPN Administrator, select Manage Resource Access in the main menu and click Access Rules in the left-hand menu.
2. Click the Add Access Rule link.
3. Enter a display name that describes that the access rule contains the available authentication methods.
   Example Display Name: Authentication methods
4. Click the Add Rule link.
5. Select Authentication methods in the list and click Next.
6. Select the authentication methods you will use in the Available Authentication Methods list.
   Note: Do not select the authentication method Client scan.
7. Click Add. The authentication methods are added to the Selected Authentication Methods list.
8. Click Next. A confirmation page is displayed. The access rule is "Allow user access when authenticated with <selected authentication methods>".
9. Click Next. The rule "Allow user access when authenticated with <selected authentication methods>" is added to the Authentication methods access rule and displayed on the first page of the wizard.
10. Click Next. A confirmation page is displayed for the access rule Authentication methods with the rule "Allow user access when authenticated with <selected authentication methods>".
11. Click Finish Wizard. The access rule Authentication methods is displayed in the Registered Access Rules list on the Manage Access Rules page.

The next step is to protect your resources with the End-Point Integrity client scan as well as with your authentication methods using Global Access Rules.

Protecting Resources

Follow the instructions below to protect a resource with the End-Point Integrity Client Scan as well as with the applicable authentication methods.

1. In StoneGate SSL VPN Administrator, select Manage Resource Access in the main menu and click Access Rules in the left-hand menu.
2. Click the Manage Global Access Rule link.
3. Select the Sygate On-Demand rule and the Authentication methods access rule in the list of available access rules.
4. Click Add.
5. Click Save to save the Global Access Rule.

The resource is now protected by the End-Point Integrity Client Scan and the selected authentication methods.

Creating Customized Start Page

The next step is to create a customized HTML start page. When Sygate On-Demand is launched successfully, a browser is started that displays the customized start page.

To create a customized start page

1. Copy the default page wa_default.html from the folder /data/portwise/administration-service/files/access-point/built-in-files/wwwroot/
2. Paste the copied file into the newly created soda directory /data/portwise/administration-service/files/access-point/custom-files/wwwroot/soda/
3. Open the copied HTML file using your preferred HTML editor.
4. Locate this section:
   <frame src="[$x:welcomepage]" id="LoginArea" name="LoginArea" marginheight="0" marginwidth="0" frameborder="0" />
5. Replace it with this section:
   <frame src="/wa/_welcome.html" id="LoginArea" name="LoginArea" marginheight="0" marginwidth="0" frameborder="0" />
6. Save and close the file.

Configuring StoneGate SSL VPN Logout Page

The logout page can be configured in one of two ways: either to close the browser when the user logs off from the Application Portal, or to redirect the user to the customized start page.

Configure Logout Page to Close Browser

To configure the logout page to close the browser when the user logs off from the Application Portal

1. Copy the file _logoutpage.html found in the folder /data/portwise/administration-service/files/access-point/built-in-files/wwwroot/wa/
2. Paste the file in the corresponding custom-files folder, depending on your operating system: /data/portwise/administration-service/files/access-point/custom-files/wwwroot/wa/
3. Open the file _logoutpage.html in your preferred HTML editor.
4. Locate this section:
   function redirect() { window.location.href = "/"; }
5. Replace it with this section:
   function redirect() { window.opener = top; window.close(); }
6. Save and close the file.

Note: When using the line window.opener = top, the browser closes without informing the user. You can exclude the line from the code if you want a message to be displayed asking the user whether the browser should be closed or not.

Configuring Logout Page to Redirect

To configure the logout page to redirect the user to the customized start page previously configured

1. Copy the file _logoutpage.html from the folder /data/portwise/administration-service/files/access-point/custom-files/wwwroot/wa/
2. Paste the file in the corresponding custom-files folder /data/portwise/administration-service/files/access-point/custom-files/wwwroot/wa/
3. Open the file _logoutpage.html in your preferred HTML editor.
4. Locate this row:
   window.location.href = "/";
5. Replace it with this row:
   window.location.href = "/soda/wa_default.html";
6. Save and close the file.

Publishing Configuration

For the StoneGate SSL VPN Access Point and other services in the StoneGate network to receive the configuration from StoneGate SSL VPN Administrator, and to be able to access the Sygate On-Demand files copied to the StoneGate SSL VPN Administration Service, a publish is required. Publish the configuration by clicking the Publish button in the top menu of StoneGate SSL VPN Administrator. When the configuration has been successfully published, it is distributed to all StoneGate services in the network.

Note: If you make changes to the Sygate On-Demand Manager configuration in the future, you need to repeat the procedure of copying the Sygate On-Demand files to the StoneGate SSL VPN Administration Service. Remember that a Publish is required in StoneGate SSL VPN Administrator for the StoneGate SSL VPN Access Point to receive the configuration.

Feedback

Stonesoft is always interested in feedback from our users. For comments regarding Stonesoft's products, contact feedback@stonesoft.com. For comments regarding this technical note, contact documentation@stonesoft.com.
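The file-level steps of this note (creating the soda folder and copying the SODA agent files into it, creating the customized start page, and editing the logout page in either the close-browser or the redirect variant) can be scripted on the Administration Service host. The POSIX shell script below is an added example and is not part of the Stonesoft technical note; it assumes the default StoneGate paths quoted in the note, that the contents of the On-DemandAgent folder have already been transferred to a staging directory on the Administration Service host, and that the built-in pages use double-quoted attribute values exactly as shown in the note. It rehearses against a constructed copy of the two pages in a temporary directory, so it can be run and inspected without touching a real installation, and each step verifies that its edit actually took effect before reporting success.

```shell
#!/bin/sh
# Added example, not code from the Stonesoft technical note. Scripts the
# file-level steps of the note on the Administration Service host:
#   1. create custom-files/wwwroot/soda and copy the SODA agent files into it
#   2. create the customized start page soda/wa_default.html
#   3. create the customized logout page wa/_logoutpage.html (close or redirect)
# Assumptions (not stated by the note): the On-DemandAgent folder contents
# have already been transferred to a staging directory on this host, and the
# built-in pages use double-quoted attribute values as quoted in the note.
set -eu

# Installation root from the note; pass it as the first argument to the
# functions below when applying the steps for real.
AP_ROOT="${AP_ROOT:-/data/portwise/administration-service/files/access-point}"

builtin_www() { printf '%s/built-in-files/wwwroot\n' "$1"; }
custom_www()  { printf '%s/custom-files/wwwroot\n' "$1"; }

# Step: create the soda folder under custom-files and copy the staged SODA
# agent files into it. Prints the destination folder.
copy_soda_files() {
    dest="$(custom_www "$1")/soda"
    mkdir -p "$dest"
    cp -R "$2"/. "$dest"/
    printf '%s\n' "$dest"
}

# Step: copy wa_default.html into soda/ and point the LoginArea frame at
# /wa/_welcome.html, then verify the [$x:welcomepage] placeholder is gone.
create_start_page() {
    src="$(builtin_www "$1")/wa_default.html"
    dest="$(custom_www "$1")/soda/wa_default.html"
    mkdir -p "$(dirname "$dest")"
    sed 's|src="\[\$x:welcomepage]"|src="/wa/_welcome.html"|' "$src" > "$dest"
    if grep -q 'welcomepage' "$dest"; then
        echo "start page edit failed: placeholder still present" >&2
        return 1
    fi
    printf '%s\n' "$dest"
}

# Step: copy _logoutpage.html into custom-files and rewrite the body of
# redirect(). Mode "close" closes the browser; mode "redirect" sends the user
# back to the customized start page. Both variants are the ones in the note.
configure_logout_page() {
    src="$(builtin_www "$1")/wa/_logoutpage.html"
    dest="$(custom_www "$1")/wa/_logoutpage.html"
    case "$2" in
        close)    repl='window.opener = top; window.close();' ;;
        redirect) repl='window.location.href = "/soda/wa_default.html";' ;;
        *) echo "unknown logout mode: $2" >&2; return 2 ;;
    esac
    mkdir -p "$(dirname "$dest")"
    sed "s|window.location.href = \"/\";|$repl|" "$src" > "$dest"
    if ! grep -qF "$repl" "$dest"; then
        echo "logout page edit failed: original redirect not found in $src" >&2
        return 1
    fi
    printf '%s\n' "$dest"
}

# Constructed stand-in for an installation: minimal versions of the two
# built-in pages (sample content, not the real product files) plus a staging
# folder standing in for the transferred On-DemandAgent contents.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/built-in-files/wwwroot/wa" "$root/soda-staging"
    cat > "$root/built-in-files/wwwroot/wa_default.html" <<'EOF'
<html><frameset rows="*">
<frame src="[$x:welcomepage]" id="LoginArea" name="LoginArea" marginheight="0" marginwidth="0" frameborder="0" />
</frameset></html>
EOF
    cat > "$root/built-in-files/wwwroot/wa/_logoutpage.html" <<'EOF'
<html><script type="text/javascript">
function redirect() { window.location.href = "/"; }
</script></html>
EOF
    echo "constructed placeholder for the SODA launcher page" > "$root/soda-staging/index.htm"
    printf '%s\n' "$root"
}

# Rehearsal against the constructed fixture (never touches $AP_ROOT).
ROOT="$(make_fixture)"
copy_soda_files "$ROOT" "$ROOT/soda-staging"
create_start_page "$ROOT"
configure_logout_page "$ROOT" redirect
grep -n 'LoginArea' "$ROOT/custom-files/wwwroot/soda/wa_default.html"
grep -n 'function redirect' "$ROOT/custom-files/wwwroot/wa/_logoutpage.html"
```

Each function writes only under custom-files, leaving the built-in pages untouched, which is also how the note keeps the customizations separate from the product files. After running the functions against the real root, the Publish step in StoneGate SSL VPN Administrator is still required for the Access Points to receive the files.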

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. SSL VPN Powered by PortWise.

Copyright and Disclaimer

Copyright 2000-2008 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means, without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

SG_SVTN_2076_20081022
www.stonesoft.com

Stonesoft Corp., Itälahdenkatu 22a, FIN-00210 Helsinki, Finland, tel. +358 9 4767 11, fax +358 9 4767 1234
Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA, tel. +1 770 668 1125, fax +1 770 668 1131