Planning for IAG client endpoint policies
Applies To: Intelligent Application Gateway (IAG)
Whale Communication Intelligent Application Gateway (IAG) 2007 client endpoint policies make it possible for you to create tiers of access by determining whether or not client endpoint devices are allowed to access internal sites and applications or perform certain operations on the application servers, depending on the security settings of the endpoint devices.
For example, you can set up your endpoint policies so that access to internal applications is allowed as follows:
From corporate laptops—All applications are accessible.
From home computers—All Web applications are accessible.
From an Internet kiosk—Only Microsoft Office Outlook Web Access is accessible.
You use endpoint policies to control the following:
Access to IAG sites for default and privileged sessions. For more information, see Managing client endpoints during an IAG session, and Applying endpoint policies for an IAG session.
Access to specific applications. For more information, see the section "Configuring application client endpoint policies", in Configuring the properties of applications published by IAG.
When you publish a portal or Web application, an IAG trunk is created. When you add an application to a trunk, you assign the trunk or application the relevant endpoint policies. An endpoint policy encompasses the conditions that apply to all endpoint devices and is interpreted according to the operating system that the computer runs, such as Windows or Linux operating systems; different conditions can apply to different platforms, according to the policies that you define.
An endpoint policy can be made up of either of the following:
Platform-specific policies—Platform-specific policies are enforced according to the platform of the endpoint device from which the user accesses the IAG site. The available choices are Windows, Mac OS, Linux, or any other platform.
Expressions—Expressions are conditions that are made up of variables, free VBScript text, or a combination of both. Each expression encompasses platform-specific expressions, which are enforced according to the platform of the endpoint device from which the user accesses the IAG site. Use expressions in order to define an endpoint policy in deployments where you don't have to address platform-specific issues. You can also use expressions, including platform-specific expressions, in order to define multiple conditions once and then use them in several policies.
You can use the endpoint policies and expressions that are provided with IAG, edit the provided policies and expressions, or define additional policies and expressions, as required. You can use endpoint policies to define multiple conditions once and apply them to the IAG site and across several applications.
Note
It is recommended that you tailor the default endpoint policies to your organization's security needs. For example, edit all platform-specific Default Web Application Access policies in order to check for the antivirus software that your corporate endpoint computers are running.
For more information about creating, editing, and removing policies and expressions, see Managing IAG client endpoint policies.
Session endpoint policies
When you create a trunk, you assign it both of the following session policies:
Session Access Policy defines access permissions to the site. Only endpoints that comply with the selected policy are allowed access.
Privileged Endpoint Policy defines the conditions that render an endpoint a privileged endpoint, which can enjoy session privileges.
You first select the session policies when you create a trunk. The following are the two locations where one can access the endpoint policies:
To access the policy from the Create Trunk Wizard, on the EndpointPolicies page, select the corresponding policy.
To access the policy from the Configuration console, next to Advanced Trunk Configuration, click Configure, and then on the Advanced Trunk Configuration dialog box, click the Session tab.
Application endpoint policies
Application endpoint policies include the following:
Access policy to control access to an application
Download policy to help prevent the spreading of sensitive data to undesirable endpoints (For Web applications and browser-embedded applications only)
Upload policy to help prevent undesirable endpoints from sending malicious data, such a viruses, into the internal network (For Web applications and browser-embedded applications only)
Restricted zone policy to restrict user access to sensitive areas of an application (for Web applications and browser-embedded applications only)
The initial selection of application endpoint policies depends on the type of trunk that you configure, as follows:
For portal trunks, you first select the application endpoint policies when you add the application to the trunk. In the Add Application Wizard, on the Endpoint Policies page, select the relevant policy.
For basic and Web mail trunks, you first select the application endpoint policies when you create a trunk. In the Create Trunk Wizard, on the EndpointPolicies page, select the relevant policy.
For all trunk types, you can then change the selection in the Configuration console, on the Application Properties dialog box, on the Endpoint Policies tab.
Endpoint detection
To assess the compliance of an endpoint computer to the IAG endpoint policies, IAG attempts to determine which security components are installed and running on the endpoint computer, as soon as the user attempts to access the site. This is done by the Endpoint Detection ActiveX component of the IAG Client Components, which is installed on the endpoint computer. The Endpoint Detection component verifies the identity of the IAG site against the site’s server certificate and checks whether the site is on the user’s Trusted Sites list; only if the site is trusted will the component run on the endpoint computer and collect the data that identifies which security components are installed and running on the computer. When detection is not functional on an endpoint computer, access may be denied even though it does comply with the requirements of the policy. For example, if an application’s policy requires a running antivirus program and such a program is running on the computer, access to the application is still denied, because IAG can not detect that the program is running on this computer.
IAG provides a default endpoint detection script (WhaleDetection.vbs). You can also create customized detection scripts. For instructions, see Customizing the IAG Client Endpoint Detection component.
Compliance with IAG endpoint policies is determined when a client endpoint computer first accesses the site. If client computer's settings that affect compliance are changed after the login, users need to log in again to apply the changes.
Information collected from client endpoints
While working with the IAG site, if endpoint detection is enabled on the client computer, the following information is collected by the Endpoint Detection component:
Network domains: Domain Name System (DNS) and NetBIOS.
User information: user name and user type.
Certificates in “My certificate store”: certificate issuer and certificate subject. This includes all client certificates on the endpoint computer, not only the IAG certificate.
If required (for example, in order to comply with legal or corporate guidelines), you can configure the gateway so that users are notified before the information is retrieved from their computer and users are prompted to give their consent for the site to collect such information. On endpoints where users do not give their consent, detection is not performed, and the functionality of the Whale Client Components is disabled.
For instructions about notifying client endpoints before information is retrieved, see Managing client endpoints during an IAG session.