Configuring client endpoints to trust IAG sites

Applies To: Intelligent Application Gateway (IAG)

When installing Whale Communications Intelligent Application Gateway (IAG) 2007 client endpoint components, the IAG Endpoint Detection component verifies the identify of the IAG site against the server certificate for the site, and checks that the site is on the Trusted Sites list of the client endpoint. The Endpoint Detection component only runs if the site is trusted.

This topic describes how to configure the end-user’s Trusted Sites list. The list should contain each of the IAG sites the user needs to access, so that the IAG Endpoint Detection component can verify that it is trusted.

An IAG site can be added to the user’s Trusted Sites list on the client endpoint in one of two ways:

• The domain administrator can remotely add the site or a number of sites to the user’s Trusted Sites list with no user intervention. For details, see the procedure below.

• Users can add the IAG site to their Trusted Sites list on demand.

  After users add a site or a number of sites to the list, users connecting to a portal can remove them from the list by clicking Delete user-defined Trusted Sites list in the System Information window. This removes all the user-defined sites from the list.

The following procedure describes how the domain administrator can remotely manage end-users’ Trusted Sites list, so that users are not prompted when the Endpoint Detection component verifies that the IAG site is trusted.

Configuring the Trusted Sites list

You control the configuration of the Trusted Sites list by using a registry key that you add to the user’s endpoint, which you can deploy as you do any other managed configuration, for example via the Windows Logon Script or as part of your Group Policy. You can also use this key to control which other sites users can add on demand to their IAG Trusted Sites list.

To configure the Trusted Sites list

1. On the IAG server, access the following folder:

   …\Whale-Com\e-Gap\von\InternalSite\samples

2. From the samples folder, copy the following files to an external location; make sure they reside in the same folder:

   CheckSite.bat

   CheckSite.reg

3. At the location where you copied the files, edit the file CheckSite.reg, as described in the table below.

   The file provides a sample configuration, which adds the following sites to users’ Trusted Sites lists:

   • https://www.microsoft.com

   • https://www.myPortal.com

   Note the following in the sample configuration:

   • Users can add sites to the Trusted Sites list on demand; they cannot, however, add HTTP sites to the list.

   • Users will not be prompted if a trusted site’s certificate is invalid. In this case, detection will not be performed.

   • Users will be prompted if an untrusted site’s certificate is invalid, and will be able to add it to the Trusted Sites list on demand.

4. Deploy the CheckSite.bat file to the end-users whose Trusted Sites list you wish to configure.

   Note

   Make sure the file CheckSite.reg resides in the same folder as the file CheckSite.bat.

   At the endpoints where you deployed the configuration, the following Registry key is added or updated according to your definitions:

   HKEY_CURRENT_USER\Software\WhaleCom\Client\CheckSite

   The Trusted Sites configuration is applied on the endpoint, with the settings you defined here.

Values of CheckSite.reg

Value	Type	Description	Data
Managed	DWORD	Mandatory. Determines whether this configuration is applied and whether the computer’s Trusted Sites list is managed remotely or not.	1: managed. 0: unmanaged. Note Any number other than 1 is considered a zero.
CanAddSites	DWORD	Optional. Determines whether the user can add other sites to the Trusted Sites list on demand.	1: users can add sites to list. 0: users cannot add sites to list. If this value is not defined, users cannot add sites to the list.
CanAddHttpSites	DWORD	Optional. Determines whether the user can add HTTP sites to the list on demand. Applicable only when the value of “CanAddSites” is 1.	1: users can add HTTP sites to Trusted Sites list. 0: users cannot add HTTP sites to Trusted Sites list. If this value is not defined, users cannot add HTTP sites to the list.
PromptInvalidCertTrusted	DWORD	Optional. Determines behavior when a trusted site’s certificate is invalid.	1: users are prompted and can select whether to add the site to the Trusted Sites list or not. 0: users are not prompted; access to the site is denied. If this value is not defined, users are not prompted.
PromptInvalidCertUntrusted	DWORD	Optional. Determines whether users are prompted when an untrusted site’s certificate is invalid.	1: users are prompted and can select whether to add the site to the Trusted Sites list or not. 0: users are not prompted; access to the site is denied. If this value is not defined, users are prompted.
TrustedSite<#>	String	Mandatory. List of trusted sites.	Define a site as follows: * Schema: HTTPS or HTTP** Host: FQDN or IP Port number; optional for default ports (443 and 80).
PilotExpirationTime	String	Optional. End date of “pilot” mode. While in this mode, the identity of sites on the Trusted Sites list you defined here is not verified. Warning Use this option for a very limited time and not while the system is in production.	Date, using the following format: mm/dd/yyyy By default, no pilot period is configured.

* Values are case-insensitive.

** The identity of trusted HTTP sites will not be verified, since they do not use a server certificate.