ApplicGate

ApplicGate

(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)

List of keywords within Type field (Caution: Not all combinations are allowed!):

Remarks:
- All keywords are upper case (case sensitive). These strings must not be part of values of keywords such as webroot or login-groups. Otherwise unexpected behaviour may occur!
- Keywords must be separated by comma (,). If keyword values contain commas, the whole keyword value must be surrounded by quotation marks (").
- If a keyword value surrounded by quotation marks should contain quotation marks: The quotation marks must be doubled.
- Keyword values must not contain semicolons (;).
- If a keyword has a leading # it is treated as comment and not processed, but the syntax check by chktyp will be done.

Examples:
KEYW1:abc, KEYW2:"a,b,c", KEYW3:abc"def, KEYW4:"abc""def" , KEYW5:"a b c ", KEYW6:a b c , KEYW7

Keywords in group "Settings":
- These keywords are valid only in routing entries where GatewayIP2=manage.
- They should be specified only once (except keyword PROXY) and they are valid system-wide.
- They are processed independent of state (PRM, BCK, BCS, BCA), except keyword PROXY.
- The keyword PROXY is processed only if the routing entry is active.

Number of keywords: x

ACT ... if this routing entry has been expired, it may be activated for 5 minutes by clients that have DestinationIP as address, allow incoming connections to themselves (mails will not be sent upon expiration of this rule)
ADDH:param ... add http response headers.
AGMQ:loc1|loc2...~rem1|rem2... ... ApplicGate Message Queue, send messages and files asynchronously
APATH:apath ... Absolute paths for http and https sessions must start with one of the strings specified (list separated by | ), case sensitive, keyword RDRA is supported
APPC:appcookie ... optional for OTPR, appcookie is the name of the cookie used by the application.
AUTOH to generate http headers for function SIGNRQ
BACKLOG:number ... only if GatewayIP2=manage: Set the maximum length of the pending connections queue in Socket.Listen method (default is 10).
BCA ... entry for backup active only, see also Backup configuration
BCK ... entry for backup only (active and standby mode), see also Backup configuration
BCKUPD ... allow update of backup (hot standby) configuration via web interface for manage connections when not accessed via loopback address.
BCS ... entry for backup standby only, see also Backup configuration
BPRI:priority ... only if GatewayIP2=manage: Set BasePriority of process, valid values of priority: BelowNormal, Normal, AboveNormal, High ... all other values will be ignored
C$SSLCC:certfile[/parameter] ... same function as the keyword SSLCC ... provide a client certificate for autologon clients
C$SSLCC2:parameter ... same function as the keyword SSLCC2 ... alternative authentication for autologon clients
C$SSLTARGET:targetHost ... same function as the keyword SSLTARGET ... initiate TLS connection for autologon clients
C$UDP:IN same function as the keyword UDP:IN ... UDP tunneling for autologon clients
CCNRQ ... Client Cerificate Not ReQuired, in combination with keyword CCR: session continues even if client does not offer a certificate (mainly for test purposes), if client sends a certificate normal checks will be made
CCR:EmailAddresses ... Client Certificate Required, optional for TLS connection, EmailAddresses (optional) is a list of email addresses that are allowed.
CCRBLK:EmailAddresses ... block list (only in combination with keyword CCR): Email addresses to be blocked.
CCR2:parameter ... on server used for alternative (or additional) authentication
CCRE:EmailAddresses ... to check email forwarded in http header Email by FWCC
CCRF:EmailAddresses ... to check a client certificate forwarded by FWCC
CCRI:EmailAddresses ... to check authentication at incoming routing entries.
CERTMATCH:type ... check logon to Exchange (match certificate with Exchange user) or check NTLM logon
CHK+x ... accept link only if a link with routing ID "thisID+x" is active with same SourceIP, x={1,2,3,4,5}
CHK-x ... accept link only if a link with routing ID "thisID-x" is active with same SourceIP, x={1,2,3,4,5}
rCHK ... in combination with rPort: accept link for opposite direction only if primary direction is active
CHKCC ... when looking for reverselogon entries during forward processing, email names must be specified and must match (this is the default).
CHKEUID:uid ... experimental feature for routing entries loaded to autologon clients: link with specified UID must be active and email must match
CHKFROM:whitelist ... Subkeyword of SMTP, check if mail domain in FROM command is valid.
CIFS ... optional information for autologon client rules: do not ignore CIFS (port 445)
CKGRP:cookiegroup[$domain] ... to configure cookie handling for OTP, TOTP and OAuth 2.0
CNT:ss ... Connect Timeout in seconds, for SAPR specify 9 to allow gateway to timeout earlier than SAP-GUI, Windows default is 20 seconds
CONNECT:address:port ... sends connect phrase after link to target address has been established (implements source routing)
DBGLG ... only if GatewayIP2=manage: Write log data to console also (only for debugging!)
DEFCMD:url ... url is the default command, if no path is given when accessing manage or status rules, e.g "uidall" to get "UID List (all users)" as default, only if GatewayIP2=manage, status or web
DELETE:EmailAddresses ... Email adresses who are allowed to delete files e.g. for file synchronization.
DELLOG:numberofdays ... only if GatewayIP2=manage: automatic deletion of old log files
DHEL:domainlist ... optional for SMTP: domain of HELO/EHLO must be in domainlist (names separated by | , each name my contain one or more * as wildcard and can be prefixed with ! for negation).
DIR:"webroot" ... webroot is the root directory when acting as web server (optional).
DIRLIST:parameter ...Support of directory listing when acting as web server, with optional deletion of files.
DISABLED ... to disable autologon entries at table load, entries can be enabled via Listening entry within route table.
DOCURL:url ... only if GatewayIP2=manage: link to documentation
EAS:mode[:OUlist][!OUposition[!ou1name[!ou2name]]] ... monitor Exchange Active Sync (EAS) connections (user and device information)
EASACL:grouplist ... to define access for managing EAS users and devices
EASBLK:grouplist ... to define EAS DeviceTypes to be blocked
EASMDD:numberOfDays ... minumum number of days to allow mass delete
EASNDA:NumberofDevicesAllowed ... sets the initial number of devices allowed (default is 1).
ECHO:data ... for echo function
EHLO:exts ... Subkeyword of SMTP, exts is optional. Supported extensions are: SIZE,ENHANCEDSTATUSCODES,DSN,8BITMIME.
EPMAP:type ... special processing for RPC endpoint mapper (port 135 or 134)
FAX:dom ... Subkeyword of SMTP. Translates recipients to Exchange fax syntax.
FIDO2:RelyingPartyID[![transport][!userVerification]] ... Web Authentication (WebAuthn), FIDO2.
FIRSTE ... in combination with keyword SSL and CCR: For a new link a client certificate will not be requested, if there is an existing link with same rule ID, source IP and validated client certificate/email. The keywort FIRSTE is especially useful for connections to SharePoint when checking out files. If FIRSTE is not specified: At checkout additional prompts for certificates will occur.
FIRSTO ... in combination with keyword SSL and OTPR: match on SessionID also based on SourceIP.
FIRSTT ... in combination with keyword SSL and CCR: For the first link from a specific source IP to this rule a client certificate will be requested and a session object (SessionID) will be created. This session object has the same TTL as the link. If another link from the same source IP to this rule is established, no client certificate will be requested if a matching SessionID has been found. This keyword overrides the keyword FIRSTE.
FIXED:fill ... when acting as web server (optional), returns default.htm (if it exists) independent of requested path. Within default.htm the string %Request% will be replaced by requested path. The optional fill string will be inserted into the replaced data.
FLG:state ... only if GatewayIP2=manage: state may be: nolog ... logging disabled, true ... logging with autoflash enabled, all other values: logging with autoflush disabled (default).
FTP ... FTP active (server opens data connections)
FTP:data ... FTP honeypot (for echo function)
FWCC to forward a client certificate (Base64 encoded CER) in http header SSL_CLIENT_CERT.
FWD:htmlfile ... optional for OTPR, file for response after successful authentication
GENINC:destination ... for autologon routing entries to generate incoming routing entries automatically.
GETMON ... retrieve performance data via manage and status links.
GRPUPD ... enables creation and update of group table entries via web interface for manage and status connections.
HELO:domain ... Subkeyword of SMTP. Replace domain (fully-qualified domain name of the SMTP client) within HELO and EHLO commands.
HLP ... for status: only help is accessible (independent of URL specified)
HOST:newhost ... replace Host in http requests by newhost, useful if host addressed by web explorer is not the real target
HSTS:param ... set "Strict Transport Security Policy".
HTTP:data ... accept HTTP requests (for echo function)
IGNORE:method ... sub-switch for SIP processing
IPMAP:sourceIP>email ... used to provide email based on SourceIP.
IPSTART:IPv4address ... only if GatewayIP2=manage: Start address for new routes generated by RSP wizard.
ISS:"issuer" ... List of Names of issuers (separated by | ) of the certificate to check for keyword CCR: Name of the root of the certificate must start with one of the specified names ("CN=" at start of string is optional), optional, e.g "MyCompany Root-CA V1". See also Notes on certificate issuer
ISSI:"issuer" ... to check authentication at incoming routing entries.
ISSLG:"issuer" ... List of Names of issuers (separated by | ), when email is specified within SourceIP: Issuer of certificate of logged on user must match an issuer specified in this keyword, name of the issuer of the certificate must start with one of the specified names ("CN=" at start of string is optional), optional, e.g "mycompany Issuing CA EE Auth". See also Notes on certificate issuer
KEEPALIVE:time!interval ... KeepAliveTime and KeepAliveInterval in seconds.
KILLS ... for autologon routing entries: If an autologon client session terminates, the dependent sessions will be terminated.
LDAC:mode ... mode may be yes, no or *. Specifies loading of rules to autologon clients. For forward entries the default is yes, for all others the default is no.
LDB ... load balancing if secondary destination address is specified.
LDLD:filter!email!template ... log downloaded files, filter is a list of filenames separated by |, * as wildcard is supported. email and template are optional and used for notification
LGC:v ... for SIP to log phone call duration, v is optional and may be 0,1,2 or 3 (default is 0), details see here.
LGD ... Start data logging automatically when route table is loaded.
LGS ... only if GatewayIP2=manage: log some data on session termination to file yyyy-mm-dd_hhmmss_Sessions.csv, only for routing entries where UID is specified
LGU:true ... only if GatewayIP2=manage: log incoming UDP traffic, values other than true: no logging (default)
LISTEN ... Listening for this rule (overrides NOFWDLISTEN, NOLISTEN and STOPLISTEN).
LLP ... sub-switch for SIP processing
LOCATEIP:url ... only if GatewayIP2=manage: url to forward to site to display location of IP
LOG:v ... log to general logfile, v may be 0-4: 0 ... no logging, 1 ... minimum logging, ..., 4 ... maximum loging
MAXBS:bytes ... only if GatewayIP2=manage: Maximum buffer size (byte) for configuration data upload in manage sessions (optional, default is 500000).
MAXS:maxsessions ... only if GatewayIP2=manage: Maximum number of sessions allowed (optional, default is 500).
MIM:parameter ... man-in-the-middle for proxy sessions (keyword PRX).
MIMCA:certfile[/parameter] ... only if GatewayIP2=manage: define CA certificate for certificate generation.
MSG:messagegroups ... only if GatewayIP2=logon or GatewayIP2=reverselogon: To display messages in logon windows or to transmit messages to the remote ApplicGate systems.
NALT ... sub-switch for SIP processing
NOCHECK to disable certificate check to destination when using the keyword MIM.
NOCHKCC ... when looking for reverselogon entries during forward processing, email names will not be checked.
NODE:nodelist ... rule will be activated only if COMPUTERNAME is listed in nodelist (names separated by | , each name my contain one or more * as wildcard and can be prefixed with ! for negation).
NODELAY ... only if GatewayIP2=manage: Disables the Nagle algorithm on all TCP connections.
NOECHO ... for echo function
NOFWDLISTEN ... only if GatewayIP2=manage: do not listen at "forward" rules.
NOLISTEN ... No listening for this rule.
NOMON ... in combination with PERFMON: do not count traffic of this rule
NONEG ... remove "WWW-Authenticate: Negotiate" from "HTTP/1.1 401 Unauthorized" responses to force NTLM authentication (if offered by server)
NOSENC ... remove "a=crypto" in SDP section of SIP command INVITE to server
NOSM ... do not show SMS or email selection at initial logon window (otp.htm).
NOTIFYS:email ... to send notification when link starts (for forward and incoming entries).
NOTIFYT:email ... to send notification when link terminates (for forward and incoming entries) and when devices are blocked (for entries with keyword EAS).
NOUMON ... to disable recording of last usage of a routing entry within the UID list
NRR ... sub-switch for SIP processing
OA2:grouplist ... authentication by OAuth 2.0
OA2:provider ... autologon authentication by OAuth 2.0 (for autologon)
OA2REDIR:uri ... redirect uri for OAuth 2.0 authentication
OA2U:EmailAddresses ... Users who may use OAuth 2.0 authentication (optional), same as OTPU.
ORA ... allows Oracle connections
OTPF:filename ... optional, select start web page for OTP, TOTP and OAuth 2.0.
OTPR:otprdir ... One Time Password Request, otprdir is the directory where the necessary files must be stored
OTPU:EmailAddresses ... Users who may use One Time Password (optional), same as OA2U.
OTPUPD ... enables creation and update of OTP entries via web interface for manage and status connections.
PASSR:password ... Password to read from web server, also for ApplicGate Message Queue (optional).
PASSW:password ... ApplicGate Message Queue: Password on receiver side (optional).
PASV ... FTP passive (client opens data connections)
PERFMON:"minutes,AppGWname,LOGdir,MRTGdir,Workdir" ... only if GatewayIP2=manage: write performance monitoring file
POST:string ... only if GatewayIP2=echo and keyword HTTP (log POST data) or if GatewayIP2=web
POSTR:filename ... specify html file to be returned after successful post
PRJSET:UIDprefixes!remoteEmail!MCHKvalue ... settings for the RSP wizard.
PRJUPD:grouplist ... to define access to the RSP wizard.
PRM ... entry for primary only, see also Backup configuration
PROXY:address:port ... only if GatewayIP2=manage: proxy to be used when loading OAuth 2.0 keys
PRTG... PRTG monitoring via HTTP (for echo function)
PRTP ... sub-switch for SIP processing
PRX ... acts as forward or reverse web proxy: CONNECT phrase (for https tunneling) and http requests are implemented, allowed target nodes and node mapping: see field DestinationIP in the routing table
RDPD:drives ... for manage entries: modify drive redirection for RDP shortcuts
RDR:filename ... for TLS connection with CCR, sends filename (must be html coded) if client is not authenticated accordingly, the string %ClientCertError% will be replaced by an error message. If filenname is not specified the default template will be used.
RDRA:filename[|fill] ... sends file (must be html coded) if absolute path is not allowed (see keyword APATH), the string %APATHError% will be replaced by the requested path. fill is optional: The string fill will be inserted between all characters of the shown path. If filenname is not specified: The default template will be used.
RDRF:filename ... only if GatewayIP2=forward: sends filename (must be html coded) if an active DestinationIP could not be found, the string %ClientCertError% will be replaced by an error message. If filenname is not specified the default template will be used.
RDRW:filename ... only if GatewayIP2=web: sends filename (must be html coded) if the requested file could not be found. An example for redirection can be found here.
RDRX:filename[|fill] ... sends file (must be html coded) if reverse proxy destination could not be mapped (see keyword PRX), the string %Error% will be replaced by an error message. The optional fill string will be inserted into the echoed data. If filenname is not specified the default template will be used.
RADIUS:grouplist ... RADIUS authentication, grouplist is a list of RADIUS groups (names must start with "R_") separated by |
REFRH:seconds ... only if GatewayIP2=manage or status, parameter seconds is optional. Refresh home page every specified number of seconds (data will be transmitted via AJAX). If seconds are not specified: refresh every TINT interval.
REFRU:seconds ... only if GatewayIP2=manage or status, parameter seconds is optional. Refresh uidall and uidlog every specified number of seconds (data will be transmitted via AJAX). If seconds are not specified: refresh every TINT interval.
REFRQ:seconds ... only if GatewayIP2=manage or status, parameter seconds is optional. Refresh agmqsa every specified number of seconds (data will be transmitted via AJAX). If seconds are not specified: refresh every TINT interval.
REPM ... replace URL specified by keyword REPU only if client is a mobile device
REPR:ReplaceRecipient ... Subkeyword of SMTP. List of entries OldRecipient>NewRecipient[,NewRecipient2] (separated by | ).
REPS:ReplaceSender ... Subkeyword of SMTP. List of entries OldSender>NewSender (separated by | ).
REPU:URLreplace ... List of entries string1>string2 (separated by | ), if first part of URL in GET or POST command matches string1, it will be replaced by string2.
RETRY:timespan ... interval in minutes or seconds to retry autologon sessions in case of error.
REVPR ... reverse proxy for http(s) links (shortcuts) within UID.
RGS ... for status: output of list of registered SIP users only
ROO:"root" ... List of Names of roots (separated by | ) of the certificate to check for keyword CCR: Name of the root of the certificate must start with one of the specified names ("CN=" at start of string is optional), optional, e.g "MyCompany Root-CA V1" (not valid for incoming entries)
RSL ... switch for SIP processing
RTG:rtglist ... used to restrict display of routing entries.
RTUPD ... enables creation and update of routing table entries via web interface for manage connections.
RULENET:ipnet ... used to construct local IP addresses for autologon client rules. If keyword is not specified: default for ipnet is "127.0"
RVM2:X509RevocationMode ... specifies type of CRL checking for Alternative Authentication, optional, valid values: NoCheck, Offline, Online (default)
RVS ... check client certificate revocation when SSL and CCR are specified (default: no check)
SAPR ... implements a SAP router
SCSH ... for autologon routing entries: use documentation and shortcuts via file shares (if available)
SCST ... for manage and status entries: when clicking a shortcut ApplicGate starts the file (.bat, .rdp., .vnc) directly (no more a web link)
SELACC ... forces account selection during OAuth 2.0 authentication
SENDOTP:processfile ... processfile is the path for the process to start to send one time password
SESAM:comx ... raw access to se.SAM
SETPWD:domaincontroller[:port] ... for web page to set the domain password of a user
SHORTCUT:"store,link" ... optional information for autologon client rules to store automatically generated shortcuts
SIGNRQ:respOk|respErr and SIGNRESP... request and check user certificates via TLS sessions. Helper for web sites to request client certificates.
SIP ... acts as stateless SIP proxy
SIZE:size ... sub-switch for SIP processing
SMTP:server ... SMTP honeypot (for echo function).
SMTP:smtpcommands ... SMTP Processing, subkeywords are CHKFROM, DHEL, EHLO, FAX, HELO, REPR, REPS, SPAM and SPAMR.
SPAM:block ... Spam processing for SMTP.
SPAMR ... Spam processing for recipients, prerequisite is keyword SPAM.
SRVM:EmailAddresses ... grants manage rights for autologon clients
SRVS:EmailAddresses ... grants status rights for autologon clients
SSL:certfile[/parameter] ... path to server certificate, thumbprint of certificate etc. for TLS for connection to source (TLS server). See also certificate loading.
SSLCC:certfile[/parameter] ... path to client certificate, thumbprint of certificate etc. for TLS client authentication when connecting to TLS server, used for SSLTARGET. See also certificate loading.
SSLCC2:parameter ... on client used for alternative (or additional) authentication
SSLTARGET:targetHost[!issuer[!clientcert[/parameter]]] ... use TLS for connection to destination (as client), CONNECT keywords may be mixed with SSLTARGET keywords and they are processed from left to right.
SSRP:response ... SQL Server Resolution Protocol (for echo function)
START:filename[!M]... for echo function with keyword SMTP: start process (filename) after completion of mail storage.
START:filename[!M] ... for web entries with keyword POST: start process (filename) after completion of file upload.
STARTG:parameterlist ... implements a Common Gateway Interface (CGI) for GET
STARTLISTEN ... restart listening when it has been stopped by keyword STOPLISTEN
STARTP:parameterlist ... implements a Common Gateway Interface (CGI) for POST
STATP ... only with logon: Allows sending of status commands via the existing logon session
STICKY ... sticky menu, no scroll bars within table windows, scroll bars of the browser window are used. For manage and status connections.
STO:time .... time (specified in seconds) is the interval to wait for send completion on TCP sessions. On timeout the session will be terminated.
STOPLISTEN ... This rule and all following rules will not listen.
STYLE:style ... only if GatewayIP2=manage: style to display the web interface of Application Gateway using different colors, may be 0, 1, 2, 3 (default) or higher.
TELNET:data ... Telnet honeypot (for echo function)
TINT:interval ... only if GatewayIP2=manage: internal timer interval for processing time based functions
TLS:protocols ... When acting as server: list of supported encryption protocols : TLS10, TLS11, TLS12 or TLS13 (separated by | ). If not specified: TLS 1.2 or TLS 1.3 will be used.
TLSC:protocols ... When acting as client: list of supported encryption protocols : TLS10, TLS11, TLS12 or TLS13 (separated by | ). If not specified: TLS 1.2 or TLS 1.3 will be used.
TOTP ... optional for OTPR, to select authentication by Authenticator (TOTP)
TOTP:[email][!SecurityID] ... for autologon and reverselogon routing entries to support TOTP authentication.
TOTPC:certfile[/parameter] ... only if GatewayIP2=manage: path to certificate file or thumbprint of certificate used to encrypt/decrypt the TOTP shared secret (optional)
TOTPM:filename Filename of template to send OTP via internal mail thread (optional), if filename is not specified the default template will be used.
TST ... allows testing of connections. For status routing entries.
TTL:ttl ... specific maximum idle time, Time To Live (TTL) of link in minutes or seconds.
TTLDEF:ttldef ... only if GatewayIP2=manage: Default maximum idle time (TTL) of any link in minutes, if not set: TTLDEF is 60.
UDDEST ... User Defined DESTination
UIDN:uidname!AuthorizedUsers!linkToDocumentation!ManagementLocation ... used to build UID lists
UDP:option ... implements UDP routing and tunneling
UPDATE:version ... for autologon entries to update the Application Gateway to the newest version.
UPRF:uidprefix ... optional prefix for autologon client rules to guarantee unique UIDs for received routing entries
VID:n ... sub-switch for SIP processing, n specifies the size of the receive buffer to be used for the RTP video stream, n is optional, 8000 <= n <= 100000, default is 32000.
WIDTH:width ... sub-switch for SIP processing
X11 ... allows backward X11 connection (Port 6000)

reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com