ApplicGate
(v12.0.9111.30500 started 2024-12-11 16:09:49 on VM2)

Logon to Application Gateway:


Implemented via rule where GatewayIP2 is "logon", see schema.
In order to allow access control independent of fixed source IP addresses proceed as follows:
Specify the email address of the user (lowercase!) within the route table (SourceIP): List of email addresses or group tables that contain email addresses.
Email addresses may contain one or more * as wildcard, e.g. a*@x.com, *@* (means all logged on users)
The user must logon to ApplicGate via routing entry where GatewayIP2 is "logon" (see below).
This can be done using any web browser using his/her smartcard or client certificate (email address must be stored within the certificate) or One-Time Password (OTP or TOTP).
A session context is kept by ApplicGate
Now routing entries with matching email addresses and matching IP addresses may be used.
(Source IP address of the logon session must be the same as the source address of the new session.)
The session must be a direct session between the client and the server, intermediate web proxies are not allowed!
If different users log on using the same source address (e.g. via a NAT device): all users will be checked/authorized
In that case the logon user is not unique and the users are listed separated by "|".

Remarks:
For logon sessions the default time to live value is 180 seconds. It can be overwritten by the keyword TTL.
TINT+30 seconds before the session times out a keep alive messsage will be sent by the browser (via AJAX, JavaScript must be enabled at the browser!).
(If TTL has been changed: Any active logon page must be refreshed manually in order to use the new TTL value.)
As a session context is kept by ApplicGate the browser may terminate the logon session at any time. In that case the keep alive message will be sent via a new session.
The logon function supports favicon.ico. Details can be found here.

Optional keywords for all types of logon routing entries:
CKGRP:cookiegroup[$domain] ... cookie handling
MSG:messagegroups ... messagegroups is a list of groups (separated by | ) that contain text to be displayed in the logon window or to be transmitted to the remote system.
STATP ... allows sending of status commands via the existing logon session.
- In this case following keywords for status routing entries are supported: GRPUPD, REFRH, REFRU and TST

Concept of Login Groups:
Email addresses specified in SourceIP can have a trailing login group e.g. mymail@comp.cc#group1.
The login group can be specified during logon (field myGroup transmitted at logon, see below).
When a user has specified a login-group during logon, following entries within the route table are accessible:
- Rules with email specified.
- Rules with email#login-group specified.
This allows reuse of gateway IP addresses dependent of actual login-group.

Logon using https with client certificates:

The keywords SSL and CCR are required.
The https request can be constructed using a "web" page with a hidden form within default.htm.
To support login-groups, https requests must be e.g. "GET /logon_?myGroup=Test"
To support a logon parameter, the request must be e.g. "GET /logon_?myParam=param1" or "GET /logon_?myGroup=Test&myParam=param1"
- The logon parameter is used when the keyword UDDEST is specified.
Optional keywords:
ISS, ROO, RVS, RDR, CKGRP, MSG and STATP

See also Notes on certificate issuer

Example:
 SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type               ;UID  ;Comment      ;eMail
* ;1.1.1.1 ;80 ;web ;* ;* ;* ;DIR:LoginWeb,TTL:5 ;* ;Web for login;mike@x.com
* ;1.1.1.1 ;443 ;logon ;* ;* ;* ;SSL:mycert.cer,CCR ;Logon;Logon by Cert;mike@x.com

Logon with One Time Password (OTP or TOTP):

The keywords SSL and OTPR are required.
Depending on the type of authentication at least one of the following keywords must be specified:
TOTPM (OTP via mail), SENDOTP (OTP via SMS), TOTP (TOTP with Authenticator)
Logon parameter and login groups are not supported so far.
Optional keywords:
OTPU, CKGRP, MSG and STATP

Example:
 SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                      ;UID ;Comment   ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,TOTPM,SENDOTP:OTP\SendOTP.bat,TOTP;OTP ;myComment ;mike@x.com

Logon with OAuth 2.0:

The keywords SSL, OA2 and OA2REDIR are required.
Logon parameter and login groups are not supported so far.
Optional keywords:
OA2U, CKGRP, MSG and STATP

Example (without OAuth provider selection by the user):
 SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                                         ;UID  ;Comment   ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OA2:O_MS,OA2REDIR:https://www.company.com, OA2U:*@company.com ;OAUTH;myComment ;mike@x.com

Logon with FIDO2:

The keywords SSL, OTPR and FIDO2 are required.
Logon parameter and login groups are not supported so far.
Optional keywords:
NOSM, OTPU, CKGRP, MSG and STATP

Example (with registering FIDO2 token via email or SMS):
 SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                                                         ;UID  ;Comment   ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,TOTPM,NOSM,SENDOTP:OTP\SendOTP.bat,FIDO2:company.com!usb|nfc|internal;FIDO2;myComment ;mike@x.com

Logon with RADIUS:

The keywords SSL, OTPR and RADIUS are required.
Logon parameter and login groups are not supported so far.
Optional keywords:
OTPU, CKGRP, MSG and STATP

Example:
 SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type                                                   ;UID ;Comment   ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,RADIUS:R_X, OTPU:*@company.com ;RADI;myComment ;mike@x.com
Note:
Logon with OTP, TOTP, OAuth 2.0, FIDO2 and RADIUS can be combined within one routing entry, details can be found here.

ApplicGate Logo  reinhold.leitner@applicgate.com (C) December 2024
www.applicgate.com