Logon to Application Gateway:
Implemented via rule where GatewayIP2 is "logon", see schema.
To allow access control that does not depend on fixed source IP addresses, proceed as follows:
Specify the email address of the user (lowercase!) within the route table (SourceIP): List of email addresses or group tables that contain email addresses.
Email addresses may contain one or more * as wildcard, e.g. a*@x.com, *@* (matches all logged-on users)
The user must logon to ApplicGate via routing entry where GatewayIP2 is "logon" (see below).
This can be done from any web browser with a smartcard or client certificate (the email address must be stored within the certificate), with a One-Time Password (OTP or TOTP), or with one of the other logon methods described below (OAuth 2.0, FIDO2, RADIUS).
A session context is kept by ApplicGate.
Now routing entries with matching email addresses and matching IP addresses may be used.
(The source IP address of the logon session must be the same as the source address of the new session; the session context is bound to that address.)
The session must be a direct session between the client and the server. Intermediate web proxies are not allowed, because ApplicGate would then see the proxy's address instead of the client's.
If several users log on from the same source address (e.g. behind a NAT device), all of them are checked when a new session from that address is authorized, i.e. the session is accepted if any of the logged-on users matches the routing entry.
In that case the logon user is not unique and the users are listed separated by "|".
Remarks:
For logon sessions the default time to live value is 180 seconds. It can be overridden by the keyword TTL.
TINT+30 seconds before the session times out, a keep-alive message is sent by the browser (via AJAX; JavaScript must be enabled in the browser).
(If TTL has been changed, any active logon page must be refreshed manually in order to use the new TTL value.)
Because the session context is kept by ApplicGate, the browser may close the logon connection at any time. In that case the next keep-alive message is sent over a new connection.
The logon function supports favicon.ico. Details can be found here.
Optional keywords for all types of logon routing entries:
CKGRP:cookiegroup[$domain] ... cookie handling
MSG:messagegroups ... messagegroups is a list of groups (separated by | ) that contain text to be displayed in the logon window or to be transmitted to the remote system.
STATP ... allows sending of status commands via the existing logon session.
- In this case the following keywords for status routing entries are supported: GRPUPD, REFRH, REFRU and TST
Concept of Login Groups:
Email addresses specified in SourceIP can have a trailing login group e.g. mymail@comp.cc#group1.
The login group can be specified during logon (field myGroup transmitted at logon, see below).
When a user has specified a login group during logon, the following entries within the route table are accessible:
- Rules with a plain email address specified.
- Rules with email#login-group specified (for that login group).
This allows the same gateway IP address to be reused for different routes, depending on the login group in use.
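The following is an added example, not ApplicGate code: a small Python model of the logon-based authorization described above (session context bound to the source IP, lowercase email matching with * wildcards, several users behind one NAT address listed with "|", TTL expiry and keep-alive) together with the login-group rules from this section. It reads route entries in the semicolon layout of the examples on this page. Everything the page leaves open is an assumption and marked as such in the code: several email entries in SourceIP are taken to be comma-separated, an entry with #group is taken to be unusable by a user who logged on without a group, a keep-alive is taken to restart the TTL, and the GatewayIP2 values and destination hosts in the sample table are made up. Group tables, the Expiration column and the Type keywords are not modelled.

```python
# Added example (not ApplicGate code): a model of the logon-based authorization
# described above. Choices the page leaves open are marked as assumptions.
import re
from dataclasses import dataclass

FIELDS = ("SourceIP", "GatewayIP", "GatewayPort", "GatewayIP2", "DestinationIP",
          "DestinationPort", "Expiration", "Type", "UID", "Comment", "eMail")
DEFAULT_TTL = 180  # seconds, the page's default time to live for logon sessions


def parse_route_table(text):
    """Parse ';'-separated entries in the column order of the page's examples."""
    rows = (list(map(str.strip, ln.split(";"))) for ln in text.splitlines() if ln.strip())
    return [dict(zip(FIELDS, r)) for r in rows if r[0] != "SourceIP"]  # skip header


def wildcard_regex(pattern):
    """Only '*' is a wildcard in e-mail patterns; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def email_entry_matches(entry, email, group):
    """'mail' admits any matching user; 'mail#group' only a user logged on with group."""
    mail_pat, _, entry_group = entry.partition("#")
    if not wildcard_regex(mail_pat.lower()).match(email):
        return False
    return entry_group in ("", group)  # assumption: no-group logon cannot use '#group'


@dataclass
class LogonSession:
    email: str
    group: str      # "" when no login group (myGroup) was given at logon
    expires: float  # absolute time in seconds


class LogonState:  # session contexts kept by the gateway, keyed by the logon's source IP
    def __init__(self):
        self.by_ip = {}

    def logon(self, src_ip, email, now, group="", ttl=DEFAULT_TTL):
        email = email.lower()  # addresses are compared in lowercase
        others = [s for s in self.by_ip.get(src_ip, []) if s.email != email]
        self.by_ip[src_ip] = others + [LogonSession(email, group, now + ttl)]

    def keep_alive(self, src_ip, email, now, ttl=DEFAULT_TTL):  # assumed to restart the TTL
        for s in self.by_ip.get(src_ip, []):
            if s.email == email.lower():
                s.expires = now + ttl

    def live_users(self, src_ip, now):
        self.by_ip[src_ip] = live = [s for s in self.by_ip.get(src_ip, []) if s.expires > now]
        return live


def authorize(rows, state, src_ip, gateway_ip, gateway_port, now):
    """Return (row, logon_user) for the first data entry admitting a new session from
    src_ip; logon_user is None (IP entry), one e-mail, or several joined by '|' (NAT)."""
    users = state.live_users(src_ip, now)  # only sessions from the same source IP count
    for row in rows:
        if (row["GatewayIP2"] == "logon" or row["GatewayIP"] != gateway_ip
                or row["GatewayPort"] != str(gateway_port)):
            continue  # logon entries only create sessions; other listeners do not apply
        if row["SourceIP"] in ("*", src_ip):
            return row, None
        entries = [e.strip() for e in row["SourceIP"].split(",")]  # assumption: ',' list
        matched = [u.email for u in users
                   if any(email_entry_matches(e, u.email, u.group) for e in entries)]
        if matched:
            return row, "|".join(matched)
    return None, None


ROWS = parse_route_table("""\
SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type;UID;Comment;eMail
*;1.1.1.1;443;logon;*;*;*;SSL:mycert.cer,CCR;Logon;Logon by Cert;mike@x.com
*@x.com;1.1.1.1;8443;intranet;10.0.0.5;443;*;SSL:mycert.cer;App;Intranet app;mike@x.com
admin@x.com#ops;1.1.1.1;8444;mgmt;10.0.0.6;22;*;;Adm;Admin host;mike@x.com
""")  # constructed table; the GatewayIP2 values and destination hosts are made up


def demo():  # walk through the cases the text describes; returns {case: logon_user}
    st, r = LogonState(), {}
    r["no_logon"] = authorize(ROWS, st, "10.1.1.1", "1.1.1.1", 8443, now=0)[1]
    st.logon("10.1.1.1", "Alice@x.com", now=0)
    r["alice"] = authorize(ROWS, st, "10.1.1.1", "1.1.1.1", 8443, now=10)[1]
    r["other_ip"] = authorize(ROWS, st, "10.1.1.2", "1.1.1.1", 8443, now=10)[1]
    st.logon("10.1.1.1", "bob@x.com", now=10)  # second user behind the same NAT address
    r["nat"] = authorize(ROWS, st, "10.1.1.1", "1.1.1.1", 8443, now=20)[1]
    st.logon("10.2.2.2", "admin@x.com", now=0)  # logged on without a login group
    r["admin_nogroup"] = authorize(ROWS, st, "10.2.2.2", "1.1.1.1", 8444, now=5)[1]
    st.logon("10.2.2.2", "admin@x.com", now=5, group="ops")
    r["admin_ops"] = authorize(ROWS, st, "10.2.2.2", "1.1.1.1", 8444, now=10)[1]
    r["admin_plain"] = authorize(ROWS, st, "10.2.2.2", "1.1.1.1", 8443, now=10)[1]
    r["expired"] = authorize(ROWS, st, "10.2.2.2", "1.1.1.1", 8444, now=190)[1]
    st.keep_alive("10.1.1.1", "alice@x.com", now=100)
    r["kept_alive"] = authorize(ROWS, st, "10.1.1.1", "1.1.1.1", 8443, now=200)[1]
    return r
```

Running demo() shows the consequences of the rules: a request from an address with no live logon is denied, a logon from one address does not admit requests from another, two users behind the same NAT address are both reported ("alice@x.com|bob@x.com"), the admin#ops entry is reachable only after logging on with myGroup=ops while the plain *@x.com entry stays reachable with or without a group, and a session that was not kept alive within its TTL is gone.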
Logon using https with client certificates:
The keywords SSL and CCR are required.
The https request can be constructed using a "web" page with a hidden form within default.htm.
To pass a login group, the https request must have the form "GET /logon_?myGroup=Test".
To pass a logon parameter, the request must have the form "GET /logon_?myParam=param1" or "GET /logon_?myGroup=Test&myParam=param1".
- The logon parameter is used when the keyword UDDEST is specified.
Optional keywords:
ISS, ROO, RVS, RDR, CKGRP, MSG and STATP
See also Notes on certificate issuer
Example: SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;80 ;web ;* ;* ;* ;DIR:LoginWeb,TTL:5 ;* ;Web for login;mike@x.com
* ;1.1.1.1 ;443 ;logon ;* ;* ;* ;SSL:mycert.cer,CCR ;Logon;Logon by Cert;mike@x.com
Logon with One Time Password (OTP or TOTP):
The keywords SSL and OTPR are required.
Depending on the type of authentication at least one of the following keywords must be specified:
TOTPM (OTP via mail), SENDOTP (OTP via SMS), TOTP (TOTP with Authenticator)
Logon parameters and login groups are not yet supported.
Optional keywords:
OTPU, CKGRP, MSG and STATP
Example: SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,TOTPM,SENDOTP:OTP\SendOTP.bat,TOTP;OTP ;myComment ;mike@x.com
Logon with OAuth 2.0:
The keywords SSL, OA2 and OA2REDIR are required.
Logon parameters and login groups are not yet supported.
Optional keywords:
OA2U, CKGRP, MSG and STATP
Example (without OAuth provider selection by the user): SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OA2:O_MS,OA2REDIR:https://www.company.com, OA2U:*@company.com ;OAUTH;myComment ;mike@x.com
Logon with FIDO2:
The keywords SSL, OTPR and FIDO2 are required.
Logon parameters and login groups are not yet supported.
Optional keywords:
NOSM, OTPU, CKGRP, MSG and STATP
Example (with registering FIDO2 token via email or SMS): SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,TOTPM,NOSM,SENDOTP:OTP\SendOTP.bat,FIDO2:company.com!usb|nfc|internal;FIDO2;myComment ;mike@x.com
Logon with RADIUS:
The keywords SSL, OTPR and RADIUS are required.
Logon parameters and login groups are not yet supported.
Optional keywords:
OTPU, CKGRP, MSG and STATP
Example: SourceIP;GatewayIP;GatewayPort;GatewayIP2;DestinationIP;DestinationPort;Expiration;Type ;UID ;Comment ;eMail
* ;1.1.1.1 ;443 ;logon ;* ;* ; ;SSL:mycert.cer,OTPR:OTP,RADIUS:R_X, OTPU:*@company.com ;RADI;myComment ;mike@x.com
Note:
Logon with OTP, TOTP, OAuth 2.0, FIDO2 and RADIUS can be combined within one routing entry, details can be found here.