Registered Web resource hosts and paths are listed on the Manage Web Resources page in the Manage Resource Access section of the StoneGate SSL VPN Administrator. You can add, edit, and delete Web resource hosts and paths.
A first Web resource, the Access Point root path, is available in the Manage Web Resources section of the system by default. The Access Point root path cannot be deleted.
In addition, a number of settings can be specified globally to apply to all Web resources as well as tunnel resources. This is configured in the Manage Global Resource Settings section of Manage Resource Access. Global resource settings cover internal proxy settings, mapped DNS names, filters, and link translation.
General Settings
Configuration of a Web resource host includes the settings described below.
Caution – The Web resource host Display Name is also used for link translation in the Access Point, that is, it becomes part of the translated (rewritten) link. Because of this, the Display Name cannot contain characters such as commas or semicolons. The supported characters in display names are A-Z, a-z, 0-9, and . (period).
HTTP Port/HTTPS Port and Alternative Hosts
HTTP Port is set to 80 by default for Web resource hosts. Either HTTP Port or HTTPS Port is mandatory. When the Web resource uses a non-default HTTP port (other than 80) or an HTTPS port other than 443, the port must be included in the registered alternative hosts.
Example: www.example.com:8080
If the default port is used, make sure the alternative host contains the server name without the port.
Example: www.example.com
The alternative host is registered as an IP address or DNS name.
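As an added illustration (not StoneGate code), the following Python helpers encode the Display Name character rule from the caution above and the alternative host rules given here and again under Alternative Hosts later on this page: a default port (80 or 443) is registered as the bare host name, any other port as host:port, and one of the two ports must be set.

```python
import re

# Supported Display Name characters (the name is embedded in rewritten links).
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9.]+$")
DEFAULT_PORTS = {"http": 80, "https": 443}

def display_name_is_valid(name):
    """True only if the Display Name uses the supported character set."""
    return bool(DISPLAY_NAME_RE.match(name))

def required_alternative_hosts(host, http_port=None, https_port=None):
    """Alternative host entries link translation needs for this Web resource host.

    host is the IP address or DNS name; a default port (80/443) is listed as the
    bare host, any other port as host:port. One of the two ports is mandatory.
    """
    if http_port is None and https_port is None:
        raise ValueError("either HTTP Port or HTTPS Port must be set")
    entries = []
    for scheme, port in (("http", http_port), ("https", https_port)):
        if port is None:
            continue
        entry = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
        if entry not in entries:
            entries.append(entry)
    return entries
```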
Single-Sign On
If you have registered Single Sign-On domains, you can enable SSO for the Web resource host. Depending on the domain types of the registered SSO domains, you can select the SSO domain type text or cookie (text is selected by default) and then select which SSO domain to use. If you select Adaptive SSO, you can also choose to create a new SSO Domain to be used for this resource; see Adaptive Single-Sign On, on page 195.
If you select domain type text and intend to use form-based SSO, additional configuration of the logon form for the resource host and of the form response message is required.
The logon form is added to the resource host to enable form-based SSO. Its configuration includes whether SSO performs a POST or a GET when triggered, the URL to which the data is sent, and the form data sent to the server.
A form response message can be used to determine whether a logon was successful. The form response message is the page that appears after the user has logged on or failed to log on. Its configuration includes the URL to which the form response is sent and a text string in the response that is used to decide whether authentication succeeded or failed.
Adaptive Single-Sign On
Adaptive SSO is a form-based SSO that does not need to be configured manually; it learns its configuration automatically. You only need to apply Adaptive SSO to a resource and choose an SSO domain to use (in the same way as with text-based SSO).
Adaptive SSO differs from form-based SSO in the following ways:
• The first time a user accesses the resource, the system learns the resource's configuration. The user never sees the standard "Additional Authentication Required" form as with the Text and Form Based types. Instead, the user sees the original HTML form as if no SSO were configured.
• The second time the same user accesses the resource, he or she does not see the login page but is forwarded directly, as if he or she had filled in the username/password and pressed Submit.
• The first time a user is timed out or presented with a relogin page, the system learns the new URL, which is likely to be a relogin page.
• The second time a user is timed out, he or she is automatically logged in.
• The detailed configuration is automatically detected as the first user accesses the resource.
• Information is collected in a file (config/FormBasedLearning.txt). With mirrored appliances, this file is synchronized between the appliances. The file is not synchronized with the Administration Service.
• If the form contains hidden state parameters, StoneGate merges those state parameters into the POST request. This is not possible with the Form Based SSO.
For example, if a user tries to access a Perldesk URL targeting a specific PD ticket, Perldesk redirects the user to a login page with a hidden parameter telling where the user was about to go before login was requested. With Adaptive SSO, this information is accounted for in the auto-generated POST request, so that the user is redirected to the requested PD ticket.
The following limitations should be considered:
• Access Point makes a best effort to find out which parameters are the username, password, and domain, and stores the automatically configured parameters. However, some HTML pages use JavaScript to copy contents from one form to another, or from a password field into a hidden field, before the actual submit. In those cases the automatic configuration is incorrect, and SSO may work for only a single user or may not work at all. Test SSO by logging in with two different accounts to ensure that the automatic configuration is correct. The FormBasedLearning.txt file can be edited manually to correct these problems. Note that if error pages are received from the server, Adaptive SSO may reset for that service, which causes the existing file to be overwritten.
• Sometimes a login form has hidden fields that are filled with client-specific information (such as screen resolution) using JavaScript. These parameters are configured according to the first user that accesses the resource, and all subsequent users are forced to use the same resolution. There is no simple workaround for this. The Form Based SSO has this limitation as well.
• If the user has an empty password at the backend system, Adaptive SSO does not store the credentials.
• The resources must be identified correctly. To solve problems caused by redirections, for example, use Adaptive SSO on the resource root rather than on the resource path.
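The learning step and the merging of hidden state parameters described above, shown as an added Python example that is not StoneGate code: the sample login page is constructed (field names and the Perldesk-style return_to parameter are assumptions), the first form containing a password field is taken as the logon form, its hidden fields are merged into the POST data, and an empty backend password is not stored.

```python
from html.parser import HTMLParser
# Constructed sample login page (not a real Perldesk page): the hidden
# "return_to" field carries the ticket the user asked for before the redirect.
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/cgi-bin/pdesk.cgi">
  <input type="hidden" name="return_to" value="/cgi-bin/pdesk.cgi?ticket=4711">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
"""

class _FormCollector(HTMLParser):
    # Records each <form> on the page together with its <input> fields.
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"method": (a.get("method") or "get").upper(),
                               "action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            a["type"] = (a.get("type") or "text").lower()  # no type means text
            self.forms[-1]["inputs"].append(a)

def learn_login_form(html):
    """Learn the logon form from the first form with a password field, else None."""
    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        passwords = [i for i in form["inputs"] if i["type"] == "password"]
        if not passwords:
            continue
        texts = [i for i in form["inputs"] if i["type"] == "text"]
        hidden = {i["name"]: i.get("value") or "" for i in form["inputs"]
                  if i["type"] == "hidden" and i.get("name")}
        return {"method": form["method"], "action": form["action"],
                "username_field": texts[0].get("name") if texts else None,
                "password_field": passwords[0].get("name"), "hidden": hidden}
    return None

def build_post_data(config, username, password):
    # Merge learned hidden parameters with the credentials; an empty password is not stored.
    if not password:
        return None
    data = dict(config["hidden"])
    data[config["username_field"]] = username
    data[config["password_field"]] = password
    return data
```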
Application Portal Settings
You can choose to make the Web resource host available in the Application Portal. You then specify an icon to represent the resource. An icon library provides a range of icons to choose from, but you can also browse to a desired image file. The icon must be of the type .gif, .jpeg, or .png and must not exceed 10 kB in size.
In addition, you enter a link text that accompanies the icon in the Application Portal. All link texts in the Application Portal are displayed alphabetically, which makes it possible to control the order in which the resources are presented.
For each Web resource specified to be displayed in the Application Portal, a corresponding Application Portal item is automatically created. The Application Portal item is displayed and can be edited or deleted on the Manage Application Portal page in the Manage Resource Access section of the StoneGate SSL VPN Administrator.
Alternative Hosts
Alternative hosts are required for link translation to function properly. You can define one or several alternative hosts for the Web resource host. The alternative host is specified as an IP address or a DNS name.
When the Web resource uses a non-default HTTP port (other than 80) or uses an HTTPS port other than 443, the port must be added as an alternative host.
Example: www.example.com:8080
If the default port is used, the alternative host must contain the server name without port.
Example: www.example.com
Settings
TABLE 12.20 General Settings
Label            Mandatory  Description
Enable resource  No         Selected by default.
Display Name     Yes        Unique name used in the system to identify the Web resource host.
Description      No         Describes the Web resource host.
Host             Yes        IP address or DNS name of the host.
HTTP Port        (Yes)      Either HTTP Port or HTTPS Port is mandatory. Set to 80 by default.
HTTPS Port       (Yes)      Either HTTP Port or HTTPS Port is mandatory.
TABLE 12.21 SSO Settings
Label                  Mandatory  Description
Enable Single Sign-On  No         Not selected by default.
Access Rules                      See Manage Access Rules, on page 241.
SSO Type               (Yes)      Available options are: Text, Cookie, Form Based, Adaptive SSO. Mandatory when Enable Single Sign-On is selected. Set to Text by default.
SSO Domain             (Yes)      Lists the registered SSO Domains in the system. Mandatory when Enable Single Sign-On is selected. If Adaptive SSO is selected, there is an additional option to create a new domain.
New SSO Domain Name    (Yes)      Name of the new SSO Domain for Adaptive SSO. Mandatory when Create new domain is selected.
TABLE 12.22 Application Portal Settings
Label                                          Mandatory  Description
Make resource available in Application Portal  No         Selected by default.
Icon                                           Yes        Path to the image file that symbolizes the Web resource host in the Application Portal. Mandatory when Make resource available in Application Portal is selected.
Link Text                                      Yes        Text that represents the Web resource host in the Application Portal. Mandatory when Make resource available in Application Portal is selected.