Organizations were looking to utilize the global connectivity aspects of the internet to provide access to corporate resources. It started with customers and, of course, employees traveling to do business between national or international sites, as the productivity gains were both obvious and immediate.

There were few technologies that could provide this functionality.

The first to arrive was dial-up access, which was rather costly. Dial-up is sometimes the only choice available for most rural or remote areas where broadband provision is unlikely due to low population and demand. Low access speeds mean that users have a limited remote access experience connected to the corporate servers.

Next, there was a wave of reverse proxies, publishing Web-based applications to the outside world. An example of this would be the ISA Firewall’s Web Publishing feature set. This delivered value but was limited to Web-based applications. However, it did add an additional layer of defense and encryption compared to previous remote access solutions.

There followed a wave of IP security (IPsec) VPN solutions that transitioned from the normal site to site solution to an encrypted client/server VPN. Employees got complete access to the company network, as they had when sitting in front of their corporate desktops. When connected over a faster Internet connection (for example, an ISDN 128 Kbps line), the connected experience was immensely superior to dial-up modem connections. End user experiences improved again when high-speed Internet connections (broadband, cable Internet, leased lines) from 1 Mbps upwards became available from home, hotels, and conference centers across the world.

The IPsec VPN solutions had its limitations; for one, it lacked security. The other significant problem was that the IPsec VPN client required to connect to the VPN became large and difficult to roll out. This was due to its requirement for client firewalls and antivirus inspection in order to make up for the lack in security. IPsec VPNs, while widely implemented, rarely gets used for end-to-end protection of application protocols. It is mainly used today as an “all or nothing” protection for a VPN.

One of the things that SSL VPN brings to the table is taking all of these current solutions and consolidating them into one platform. SSL VPN means access for:

The current wave is focused on application intelligence; this is what is needed to ensure access for any user from any location to any application stays secure without the very large IPSEC VPN client tool. This has led to the current generation of SSL VPN features that are present in every SSL gateway. All these features are implemented at both the client and gateway:

The IAG Configuration page is where most of the SSL VPN creation and configuration takes place. This is also where application access and endpoint policies are configured. From this configuration window, portals can be created, applications added, and necessary security changes made (see Figure 8.2).

Figure 8.2. Intelligent Application Gateway Configuration Screen

This page and all configuration changes made on this page are secured by a passphrase, which is set up during the initial IAG configuration procedures.

From here, additional changes can be made. For example, you can create a highly available IAG portal when expanding an existing SSL VPN implementation and make the necessary advanced trunk configuration changes when security policies need to be altered. Examples of changes to security policies include changing the Web server certificate, making authentication changes, changing session settings, tweaking URL inspection, and customizing an application.

From here, the portal backup can also be run, procedures restored, and IAG user access completely monitored.

Application Access Portal

End users will connect to a privately developed and owned, closed-system architecture, a Web-based application access portal to a variety of centralized resources, ranging from traditional client/server applications to Web and intranet applications by using the following URL based on Figure 8.3: https://syngress.local.

Figure 8.3. Application Access Portal

All transmissions between IAG and the local machine are encrypted using SSL (secure socket layer) technology, while site authenticity is assured through built-in digital certificate support. End users will only be able to see and log in to this page based on endpoint policies defined on the Web portal or application. The port defined here is the port number of the external Web site.

External Web Site

Figure 8.4 shows the external Web site where the open port and the IP address are configured and changed to connect to the Web portal. This is typically the external network cards IP address of IAG appliance. This IP address is configured during the portal trunk configuration.

Figure 8.4. External Website

A list of IP addresses and port numbers can be created by using the Service Policy Manager to control the IP addresses and port numbers that are used to access the internal network This step is needed to enforce the selection of predefined IP addresses and port numbers during trunk configuration.

Note

For details of the Intelligent Application Gateway Service Policy Manager, refer to the section at the end of this chapter titled “Intelligent Application Gateway Service Policy Manager.”

Initial Internal Application

Figure 8.5 shows the initial internal application section on the configuration page. This is where the internal application to be displayed on the Web portal can be specified after the user has successfully logged on. The default setting is “Web Portal,” which will display a list of available applications published by the organization.

Figure 8.5. Initial Internal Application

However, any of the applications published can be selected to be the initial internal application; when choosing anything other than the default, the Use Toolbar tick box will become available. In the scenario where the administrator selects OWA to be the initial internal application and to the Use Toolbar option, the end user would have the following toolbar when logged on to the Web portal (see Figure 8.6).

Figure 8.6. Web Portal

The result would be that when an end user logs on to the Web portal, the first thing to be loaded will be the end user’s OWA. To continue the user can choose from any of the available published applications on the toolbar.

This will be the only way that the user will be able to navigate around the Web portal. The “Whale Portal” will no longer be available. In this scenario, when clicking on the IAG homepage icon on the toolbar, OWA will open as it is in the initial internal application.

Security and Networking

Figure 8.7 shows the Security and Networking section on the configuration page, where advanced trunk configuration and high availability can be modified. More high availability servers can be added to the configuration by navigating to the Admin High availability servers menu in the menu bar of the IAG Configuration page.

Figure 8.7. Security and Networking

The advanced trunk configuration section allows the SSL VPN administrator to configure options otherwise left unconfigured by default. These options include:

• Server Certificate. Certificate issued to the external site.

• Website Logging. Enable detailed Web portal logging.

• Authenticate User on Session Login. What type of authentication used.

• Logoff Scheme. Logoff URL, message, and session termination.

• Session Configuration. Session limits and attachment wiper.

• Endpoint Policies. Web portal endpoint policies.

• Application Customization. Allows IAG to customize published applications.

• Application Access Portal. The intelligent application portal.

• URL Inspection. See host address translation (HAT).

The major technical challenge SSL VPN administrators face regarding providing access to internal applications across the Internet is within the applications internal references. IAG 2007’s host address translation (HAT) engine encrypts and translates any number of internal host names to a single external host name. End users will never have the ability to launch attacks based on what they see in the Web portal. In other words, http://internalservername:80/application will become https://external.hostname/whalecom/whalecom0/application.

IAG 2007 delivers data over a standard browser for end users to securely access sensitive information by overlaying industry-standard 128-bit encryption SSL. This prevents hackers intercepting and reading data. Only one-time authentication or one certificate is necessary, despite the user accessing a number of different published applications and server resources.

To prevent logon credentials or any other information from being cached on managed or unmanaged devices, IAG 2007 utilizes patent-pending Secure Logoff technology. This proprietary and innovative mechanism eliminates the possibility of malicious users reinstating user sessions.

Applications

Publishing internal applications is in the center of the new application intelligence wave of SSL VPNs. Microsoft’s IAG 2007, together with ISA 2006, has made publishing an internal application one of the easiest processes.

Exercise: Adding a published application to the Web portal.

1. In the Application section in the IAG portal click Add, which will bring up the Add Application Wizard (Figure 8.8), giving you the choice of what kind of application you want to publish.

   

   Figure 8.8. Add Application

2. In this example we are going to add Microsoft Outlook Web Access 2007 Web Application. Click Next. In the wizard (Figure 8.9), name the application “OWA 2007”. You can specify whether all users are authorized and you can set endpoint policies. Click Next.

   

   Figure 8.9. Application Setup

3. Add the name of the internal exchange server, choose port numbers (Figure 8.10).

   

   Figure 8.10. Web Servers

4. Choose the Authentication Servers (Figure 8.11).

   

   Figure 8.11. Authentication

5. Add the link to the portal and toolbar and click Finish (see Figure 8.12).

   

   Figure 8.12. Portal Link

Figure 8.13 shows a typical list of Web portal published applications. From this window the SSL VPN administrator can add or remove applications. This window is also where the sort order for applications listed on the Web portal can be chosen.

Figure 8.13. List of Published Applications

Limiting Applications on Subnets

Figure 8.14 shows where the SSL VPN administrator can restrict any of the applications made available on the SSL VPN Web portal so that only servers within the defined subnets are enabled for use from the Web portal. Once the trunk is activated and an end user requests a URL from the Web portal, the filter will first check the URL against the application list. If the application is listed, then the filter will check on the URL against the subnet list. Only if the URL passes both checks will the application be enabled to the user.

Figure 8.14. Subnets

Note

For each application added, make sure that the application is listed in the IAGs DNS or HOSTS file.

Subnets are configured in the main window of the Configuration program, in the “Applications” area.

When a new trunk gets created, the Configuration program activates the Create New Trunk Wizard (see Figure 8.15). This enables the administrator quick auto-complete of the initial trunk setup, external Web site, authentication, application customization, and URL inspection rules. A trunk can be made under the HTTP and the HTTPS services.

Figure 8.15. Create New Trunk Wizard

Redirect HTTP to HTTPS Truck

It is very easy for an end user to use HTTP instead of HTTPS by accident. The SSL VPN administrator has to make sure that HTTP requests made to the Web portal are redirected to HTTPS by the organization and not by a third party with malicious intentions. When an HTTPS request is made to the Web portal, the request will be handled by the HTTPS trunk. If the requirement is there to redirect HTTP requests to the HTTPS trunk, it can be done by creating an additional redirect trunk.

The redirect HTTP to HTTPS Trunk option in Figure 8.16 will only become available if you select to create a new trunk by right-clicking on HTTP connections.

Figure 8.16. Activate Configuration

Note

A trunk can be deleted in the Configuration program by selecting the trunk in the list pane, and then selecting DELETE from the right-click menu.

Configuration changes on the IAG need to be implemented in various scenarios. Starting with when IAG is being set up in the initial stages of SSL VPN rollout. In the scenario where large organizational security policy changes or a small configuration change to the IAG configuration needs to be implemented, the configuration needs to be activated.

Saving and activating an IAG configuration enable the changes in the Web portal. This step also provides you with the option to back up the configuration and to apply the changes to external configuration settings (see Figure 8.16).

Backing up the IAG configuration can be done from this window so that configuration settings are backed up and changes are activated in one step. During a backup procedure, the IAG will make use of the Windows makeab.exe utility to archive the necessary files and Registry values in a .cab file. By default, the backup is created under the IAG installation path: ...whale-Come-GapBackup.

The name of the backup file that is created in the defined backup folder is whlbackup.<host_name>.cab, where host_name is the name of the IAG.

Restore from Backup in the IAG Configuration program from uses the Windows extract.exe utility to restore the files.

To restore the configuration in the configuration program:

Once the configuration is activated, the following message is displayed: IAG configuration activated successfully.

The trunk is now operational. All users who authenticate to the Web portal will be able to access the applications published through it.

With the IAG and ISA server so closely joined together, Microsoft has made creating a portal with published applications and the related firewall changes in ISA server into one process. When the IAG configuration is changed and the configuration activated, IAG will update the related firewall rules in ISA.

The first thirteen rules allowed in ISA were created during the installation of IAG. Figure 8.13 shows the list of firewall rules created in ISA server by the IAG after the configuration was activated. For example, rule 11 shows protocol UDP on port 53 is allowed to enter the firewall and go through to an internal server for all users.

The portal trunk configuration “allow” rules were created when the portal trunk was activated. After portal trunk activation, testing can start and the portal Web page can be used.

The second of the two allow rules is the Whale::Auth#001 rule (see Figure 8.18). This is the rule that allows connection to the Domain Controller, which in turn allows the Active Directory to authenticate the session. This rule is also the rule that will be used for whatever authentication setup during the configuration of the portal.

Figure 8.18. ISA Server

A Web portal provides a service to end users. These services are made available depending on the Web portal needs of the organization. This opens up more possibilities of problems that can arise from the use of the Web portal. These services could be a list of defined applications made available to employees on the road, and even customers. The SSL VPN administrator could use the Web portal in order to resolve a number of problems.

The end user experience on the IAG Web portal can be improved. Some tools are made available to the end user to utilize during an active session on the Web portal. The main goal of these tools is to eliminate a large portion of support calls that can potentially be made to a support desk.

System Information

The system information window can be accessed from the Web portal by the end user. The information on the page will give the end user a better idea of what has been installed on the managed or unmanaged device (see Figure 8.19).

Figure 8.19. System Information

If the end user is experiencing difficulty doing something in particular on the Web portal, the system information will aid the SSL VPN administrator when supporting the end user and the certified endpoint status determination.

End users can check whether the Whale client components are installed on their system. They can also:

• Uninstall Whale client components. 

• Restore component defaults. End users can restore the Whale client components settings on their computer to the default values.

• Delete the user-defined trusted sites list. Once users add a site or a number of sites to the list, they can remove them from the list via the System Information window.

If wanting to encrypt or decrypt any of the IAG files that are encrypted during day-to-day operation, the editor is the interface to use (see Figure 8.20). It enables easy editing, sorting, and conversion of any text file, including encrypted files and Base 64–encoded text. The editor can be opened by navigating to Start | All Programs | Whale Communications IAG | Additional Tools | Editor.

Figure 8.20. Editor

Using the Editor program, it is possible to:

A list of IP addresses and port numbers can be created by using the Service Policy Manager. This is done to preconfigure the IP addresses and port numbers for HTTP and HTTPS connection services, which are used to access the internal network. This is needed to enforce the selection of preconfigured IP address and port number during trunk configuration.

The Service Policy Manager can be opened by navigating to Start | All Programs | Whale Communications IAG | Additional Tools | Service Policy Manager (see Figure 8.21).

Figure 8.21. Service Policy Manager

The Web Monitor is a complete solution for the SSL VPN administrator to monitor all user session events (see Figure 8.22). It is integrated within the system as a SSL VPN–supported application with its own Intelligent Application Optimizer. It allows the administrator to zoom into a user’s Web portal session in real-time. Users with application access problems will be easily identified and solved with IAG working at the application level. The Web Monitor is essential in the administrators day-to-day support functionalities. The Web Monitor also gives the administrator event filtering and analyzing capabilities.

Figure 8.22. Web Monitor

The Web Monitor can be opened by navigating to Start | All Programs | Whale Communications IAG | Additional Tools | Web Monitor.

If an IAG high availability array is deployed in an organization, one can make use of the Web Monitor to monitor all the IAG servers that are part of the array.

Redirect trunks are not monitored by the Web Monitor.

Microsoft’s Intelligent Application Gateway 2007 (IAG) is a hardware appliance that integrates technology purchased from Whale Communications in the summer of 2006 and the vendor’s own Internet Security and Acceleration (ISA) Server.

IAG 2007 is ideal for IT managers, network administrators, and information security professionals who are concerned about the security, performance, manageability, and cost of network operations.

IAG 2007 combines an SSL VPN with endpoint security checks and firewall features, enabling the creation of policy-based remote access controls to a network and its individual applications. This “access portal” features three levels of policy-based traffic filtering at both the packet and application layers. End users access the platform through their Web browsers with communications being protected via SSL encryption; and policies can be defined specifying which users and/or machines are enabled access to which network resources.

Access to the IAG appliance from remote locations is accomplished with any Web browser. Microsoft lists multiple browsers as compatible; however, Internet Explorer has components that enable specific features of the gateway that are available only as ActiveX controls. Therefore, full functionality requires a Windows and Internet Explorer based endpoint.

The IAG 2007 provides a means to create an access portal to corporate network applications, accessible by a Web browser, which allows end users to authenticate their credentials and access only those applications and features that their administrators’ defined policies allow. IAG 2007 supports an unlimited number of users, and up to 64 IAG nodes can be combined in a high-availability configuration, thus meeting corporate needs.

Access to corporate applications is assisted through the use of specialized “application optimizers,” which are available from several Microsoft and third-party software offerings, including Microsoft Exchange server and Microsoft SharePoint portal server. These application optimizers consist of integrated software modules with preconfigured settings designed to allow access to the target applications through the IAG portal. Features provided by the optimizers to the target applications include single-sign-on support with the ability to apply certain granular rights assignments per user policy, and support for “attachment wiper,” which removes and scrubs temporary session data from the client, including browser history files and pages, auto complete form contents, temp files, cookies, history, browser closure, and system shutdowns such as logoff and browser failure. Last but not least, the optimizers also even blocking file uploads if an approved virus scanner is not present on the endpoint machine. For example, the systems administrator could define a policy that if a remote user does not have the latest version of the corporate anti-virus solution, the user(s) will not be allowed to upload any attachment to their mailboxes.

IAG Server simply eliminates the risk of network attacks and operating system vulnerabilities as it only provides a means to access specific applications (or some of the features only) to approved users from approved machines.

Another notable feature includes the capability to have individual client tools that can be downloaded to the endpoint, enabling additional features of the portal. (Again, many of these features require a Windows-based endpoint and browser.)

Some of these features include:

Together these technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations, including kiosks, PCs, and mobile devices anywhere the road warrior or remote user is based.