ApplicGate
(v12.0.9102.38162 started 2024-12-02 20:28:25 on VM2)

Autologon routing table entries (necessary for VPN Clients):
Rules with SourceIP=autologon and GatewayIP=client
Remark: The autologon client feature can be mixed with the autologon server feature, e.g. GatewayIP=R1|R2|client
ClickOnce Support for VPN Clients see here.
Local deployment of VPN Clients see here.

Hints to configure the authentication options can be found here.

There are two possible options to use the "Remote Service Platform (RSP)" functionality:
- Logon to Application Gateway via web browser, normally available only via Intranet:
... The central Application Gateway listens to a separate IP address / port combination for each connection.
... Normally these IP addresses are reachable out of the Intranet only.
- Local installation of Application Gateway with Autologon Client routing table entries (RSP functionality also available via Internet).
... The local Application Gateway listens to local addresses (usually out of the address space 127.0.0.0/8)
... and forwards connections via encrypted connections to the central Application Gateway.
... The local Application Gateway creates shortcuts for various protocols, now using local addresses.

Autologon Client rules have to identify/logon at the server using a client certificate.
Afterwards the server sends back all rules and UID names where the logged on user has access rights.
Also all active server autologon links will be reported so that the state of the links can be displayed.
The Application Gateway at the client side will insert the rules into the routing table,
ID of the new rules have the ID of the autologon rules as prefix.
The first two octets of the GatewayIP of these new rules will be replaced by "127.0" (can be overridden by keyword RULENET).
If the received GatewayIP is *, a local address will be generated starting with 127.0.100.100 (can be overridden by keyword RULENET)
UID List will be constructed accordingly.

Management of central server via autologon see here.

Shortcuts for http links, RDP, VNC, WebDAV and CIFS will be created. See keyword SHORTCUT below.
File type RDP: In order not to interfere with the local RDP service the local port will be changed from 3389 to 3390.
... See template for locally generated files.
File type VNC: In order not to interfere with the local VNC service the local port will be changed from 5900 to 5901.
... VNC files are generated for UltraVNC. See template for locally generated files.
... If the VNC file should be generated for RealVNC: The name of the shortcut must end with "-R.VNC". See template for locally generated files.
File names ending with "webdav.bat": BAT file for WebDav will be created.
... See template for locally generated files.
File names ending with ".bat": BAT file for Common Internet File System (CIFS) will be created.
... See template for locally generated files.
After initial creation of an RDP, VNC, WebDAV or CIFS shortcut: Username/password and other parameters can be changed and saved to these files.
At table load existing shortcuts will not be overwritten except the local address/port is incorrect.

Further options for shortcut definition with "cmd:", "cmdb:", "share:", "file:", "http://" and "https://" are described here.

At termination the of the autologon link the generated rules and UID entries are removed (shortcut files will remain).
Before each route table load the autologon link will be terminated.
Route table, UID list and status will be updated according to the TTL setting.

Here you can find help to install a redundant configuration for autologon clients.

Optional keywords for Autologon Client routing table entries:

Keyword CIFS ... optional information for autologon client rules: do not ignore rules with CIFS (IP port 445)
Normally rules with destination port 445 are not loaded to autologon clients because port 445 is used by the local Server service.
To use CIFS links from the client the local Server service must be disabled and the machine must be restarted to free TCP port 445.
Only for Windows:
For Lanman Server service support see here.
When rules with CIFS are loaded and the Server service is running, the Server service startup type is set to "Disabled" automatically. Then a restart of the computer is nesessary.
At table load the local IP address will be added with a PowerShell command (if it is not defined already), e.g.:
New-NetIPAddress 127.1.x.y -InterfaceIndex 1 -AddressFamily IPv4 -PrefixLength 8 -SkipAsSource $True -PolicyStore ActiveStore
All PowerShell commands that need administrative rights (e.g. New-NetIPAddress and commands to change the state of the Server service) are executed by ApplicGateHelper.exe.
If it does not run as administrator the User Account Control (UAC) prompt will be shown. Prerequisite is that ApplicGate can interact with the desktop.
Remark: If the IP address is defined by New-NetIPAddress, an RDP session to this address is no more possible. Therefore for CIFS the next subnet will be used, e.g. 127.1 instead of 127.0 !
If the local Server service is needed: Use WebDAV instead. On Windows machines WebDAV can be activated by IIS at server side.
Please also consider the browser settings.

Keyword RULENET:ipnet ... ipnet my be a B or C network (e.g. 127.12, 127.12.33), used to construct first part of local IP addresses for autologon client rules. If keyword is not specified: default for ipnet is "127.0"

Keyword SCSH ... ShortCutSHare, use shortcuts from share, if path is defined (do not generate local shortcuts).
Especially useful in combination with keyword SCST:
In this case the address within .RDP, .VNC and .BAT files will be corrected before starting the file.

Keyword SHORTCUT:"store,link" ... optional information for autologon client rules to store automatically generated shortcuts
store ... directory path where the shortcuts will by stored by the Application Gateway, if path does not start with "\" or drive letter this is a subdirectory of the default directory where AppGW is running
link ... used by Application Gateway to construct the link, e.g.
default value is "Shortcuts,http://127.0.0.2" ... Shortcuts are stored in the subdirectory "Shortcuts" of the default directory and retrieved via the link "http://127.0.0.2"

Keyword UPRF:uidprefix ... optional prefix for autologon client rules to guarantee unique UIDs for received routing entries.

For http links a web server has to be defined within the Application Gateway. See following rule using default settings of keyword SHORTCUT (see also example below):
SourceIP=*;GatewayIP=127.0.0.2;GatewayPort=80;GatewayIP2=web;Type=DIR:Shortcuts,DIRLIST,DEFCMD:*
link can also start with "file:" ... in that case the web browser accesses the file system directly, but very often local access is blocked by the web browser.

Optional keywords for routing table entries:

Keyword LDAC:mode ... mode may be yes, no or *. Specifies loading of rules to autologon clients.
For forward entries the default is yes, for all others the default is no.
To load a rule clients must be authorized via email.
Except if * is specified: The rule is loaded even if the autologon client has no email address. SourceIP must be * in that case!


For Autlogon clients the keyword SCST ... ShortCutSTart (defined in manage and status entries) is useful for shortcuts: ApplicGate starts the file (.bat, .rdp., .vnc) directly (no more a web link)


Example for Routing Table at Application Gateway at client:
SourceIP ;GatewayIP ;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                  ;UID;Comment                   ;eMail
* ;127.0.0.1 ;80 ;manage ; ; ; ;DEFCMD:uidall,FLG:true ; ;Access Application Gateway;
* ;127.0.0.2 ;80 ;web ; ; ; ;DIR:Shortcuts,DIRLIST,DEFCMD:* ; ;Web for shortcuts ;
autologon;client ; ;* ;111.11.1.4 ;443 ; ;TTL:6,SSLTARGET:NoCheck,SSLCC:user@rsp.com.cer,RETRY:2; ;Logon to RSP ;
In the example above the autologon link will be automatically started, the user is requested to enter the PIN for the smartcard or certificate (in case a PIN/password is requested),
the client rules will be loaded and the shortcuts will be created.
The user can access the "UID List (all users)" by entering the link http://127.0.0.1 into the web browser.

ApplicGate Logo  reinhold.leitner@applicgate.com (C) December 2024
www.applicgate.com