Manual Chapter: FirePass Controller Administrator Guide: 6 - Configuring Application Access


6

Configuring Application Access


Introducing Application Access

The FirePass Applications Access features provide remote users with web-based remote access to a wide variety of network applications and resources, including email servers, intranet servers, file servers, terminal services, and legacy mainframe, IBM iSeries and AS/400, Telnet character-based terminal applications.

Application Access enables users to use an existing client to access the server application through App Tunnels, or they can have the FirePass controller supply the browser-based Legacy Hosts and Terminal Servers ActiveX components or Java client.

Application Access consists of three main types of access:

  • App Tunnel access
    Provides remote users with browser-based access to a backend server. App Tunnels provide secure, application-level TCP/IP connections from the client into a specified set of IP addresses and ports on the LAN.
  • Legacy host access
    Provides remote users with browser-based, character-driven terminal access to legacy VT100, VT320, Telnet, SSH, and IBM 3270 and IBM 5250 applications without any modifications to the applications or application servers.
  • Terminal services access
    Provides remote users with browser-based, graphical terminal interfaces for Microsoft® Terminal Servers, Citrix® MetaFrame applications, and VNC servers.

Application Access does not require any application modifications or any third-party software to enable the interaction with the application.

The connection process automatically downloads and installs all components required on the client system. You can also preinstall the components, if your company security policy prohibits ActiveX component installation by the end user.

Legacy Host access supports TN5250 and IBM iSeries and AS/400 connections through an ActiveX control for Internet Explorer®, and a self-installed plug-in for Netscape Navigator® and Mozilla® browsers on Microsoft® Windows® operating system-based client computers to interpret the terminal data stream. Legacy Host access provides support through Java for VT100/320 for UNIX, and TN3270 for mainframes.

Understanding App Tunnels

Application Tunnels, or App Tunnels, provide much the same functionality as Network Access, but they allow additional control over which application a user can access through the FirePass controller.

Using App Tunnels, you can configure secure, application-level TCP/IP connections from the client to a specific set of IP addresses and ports on the network. On the remote end, the browser loads an ActiveX control in Internet Explorer, and a self-installed plug-in for Netscape or Mozilla browsers on Windows platforms. After the process establishes a connection, the user-defined applications that use these connections can be started automatically.

Unlike a traditional IPsec VPN client that exposes the entire network, App Tunnels only create connections to the specific resources used by the configured application. You can also restrict users to the particular application they need to use.

You can configure the following applications for use with App Tunnels:

  • Applications that are accessed using HTTP or HTTPS
  • Terminal emulators, including SSH
  • Internet Mail (POP/IMAP/SMTP)
  • LDAP-enabled clients
  • Network drive mapping
  • Custom applications
Note

App Tunnels do not support UDP application traffic.

Figure 6.1 shows a comparison of the flow of application data in a traditional environment and with the FirePass controller App Tunnels.

 

Figure 6.1 Comparison of application data flow without and with the FirePass controller

Choosing a static or dynamic App Tunnel

The FirePass controller supports two types of App Tunnels: static and dynamic. The system creates static tunnels when the client clicks to run a favorite, before the application starts. The system creates dynamic tunnels in response to an application request.

Note

You can configure a combination of dynamic and static tunnels for a single App Tunnel definition.

Static App Tunnels support connections to a specific set of IP addresses and ports on the network. You can configure static App Tunnels to work without requiring the user to have administrative rights on the client system.

The following cases represent examples of when to use static App Tunnels:

  • Applications that are accessed using HTTP or HTTPS
  • Custom applications
  • Applications that do not allow more than one instance, but there might be an instance running and you do not want to halt the existing instance
  • Internet Mail (POP/IMAP/SMTP)
  • LDAP-enabled clients
  • Network drive mapping
  • Windows file sharing (because this application uses the operating system kernel to provide network communication or server, not the Windows socket API)
  • Terminal emulators, including SSH

Dynamic App Tunnels support applications that require dynamic IP addresses and ports. The following are examples of candidates for dynamic App Tunnels.

  • A web application that uses ActiveX controls or Java-based plug-ins to open a network socket directly to the application server
  • A web application that uses XML to embed a hard-coded IP address or hard-coded port number of the application server
  • A custom (nonbrowser-based) application that does not communicate using the HTTP protocol
  • Applications that do not allow more than one instance, but there might be an instance running and it is acceptable to halt the existing instance

Dynamic App Tunnels work best with applications that support multiple instances. To determine whether an application supports multiple instances, on a Windows computer, right-click the Windows Taskbar, select the Task Manager item, and click the Processes tab. Then start an application several times to see if more than one process of this application appears in the list on the Processes screen. If the application does not support multiple instances, there is always only one process in the list.

You can still use dynamic App Tunnels with these types of applications if you enable the Terminate existing option when you configure the dynamic App Tunnel favorite. When you enable this option, when the user starts an App Tunnel that would result in an additional instance being created, the system prompts the user to close the existing instance before starting the additional one.

When you use dynamic App Tunnels, the system creates a tunnel when the client application needs to communicate with the server. Therefore, dynamic App Tunnels are also a good choice in cases in which you do not want all ports created at the same time, for example, when you have a number of servers performing load balancing.

Important

Running dynamic App Tunnels requires that the user has power user rights.

You configure dynamic App Tunnels on the following screens:

  • In a specific definition on the Application Access: App Tunnels : Resources screen under the Application Tunnels tab
  • On the Application Access: App Tunnels: Master Groups Settings screen on the Dynamic Tunnels/Web Application Tunnels tab
Note

If you have legacy App Tunnels that are working for you, there is no need for reconfiguration. The system automatically uses static App Tunnels.

Defining a web application tunnel

A web application App Tunnel is a dynamic App Tunnel designed specifically for a web browser-based application. To configure a Web Application Tunnel, you use URLs to specify the location of the application. In this case, the system creates the tunnel when the user clicks a link (that is, dynamically).

Note

Although you can configure the same application using a dynamic App Tunnel, the process for configuring web application App Tunnels is simpler.

Web applications are perfect candidates for dynamic App Tunnels as long as they do not use a reverse proxy. If an application uses a reverse proxy, you can still try configuring it for dynamic App Tunnels. If the application does not work through dynamic App Tunnels, you should use Portal Access instead to configure the connection.

Web App Tunnels require a browser that supports multiple instances. Windows Internet Explorer supports multiple instances. Mozilla and Firefox support multiple processes within the same instance, but not multiple instances. Therefore, even if the user's default browser is not Internet Explorer, all dynamic App Tunnels start an instance of Internet Explorer or a custom minibrowser developed specifically to support dynamic App Tunnels.

Use of the minibrowser provides additional security in that users cannot copy text from the minibrowser window, print when the minibrowser is the active application, or drag and drop to the minibrowser window. In addition, the minibrowser does not allow the running of plug-ins or extensions.

Tip


You can configure this additional security for Internet Explorer users as well by enabling the Locked Browser option when you create a Web Application Tunnel favorite.

You configure web application App Tunnels on the following screens:

Understanding access restrictions for App Tunnels

You can configure an access control list (ACL) to restrict access for a static or dynamic App Tunnel. ACLs define locations the App Tunnel users can access from within the App Tunnel. Defining ACLs prevents users from navigating to locations outside the ones you specifically define for the App Tunnels that access your network. For procedures for defining ACLs, see Restricting access to App Tunnels .

Static and dynamic App Tunnels and web application App Tunnels share access control lists for the duration of a FirePass controller session. To change which ACLs govern a session, users must halt the connection and start it again.

You can configure ACLs in the following areas:

  • On the Application Access : App Tunnels : Master Group Settings screen under the Common tab
  • On the Application Access : App Tunnels : Resources screen under the Application Tunnels tab
  • On the Application Access : App Tunnels : Resources screen under the Web Application Tunnels tab
  • In the Allow list box specific to the App Tunnel you define on the Application Access : App Tunnels : Resources screen under the Application Tunnels tab or the Web Application Tunnels tab.

The location of the ACL definition does not matter. The system combines all ACLs to use during the session. The system combines entries in ACLs from definitions in the following locations:

  • At the master group level
  • At the resource group level
  • In the specific App Tunnel favorite definition

ACLs defined on the Master Group Settings screen cover the entire master group, but you can specify additional resource-level ACLs on the Resources screen. In addition, ACLs defined on the Resources screen cover the entire resource group, but you can specify App Tunnel-specific ACLs in the Allow list box for the App Tunnel.

Important

For dynamic App Tunnels, if you do not specifically allow access, the system disallows it.
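
The following Python sketch is an added example, not FirePass code. It models how entries from the three levels add up for a session, using the Allow List entry format that this chapter gives for favorites (host_name:ports or IP_address/mask:ports). It assumes that "combines" means a union of entries, that * matches like a shell wildcard, and that ports are a comma-separated list; the sample lists are constructed.

```python
import fnmatch
import ipaddress
from collections import namedtuple

# host is a lower-cased name pattern or None; network is an IPv4Network or None.
AllowEntry = namedtuple("AllowEntry", "level host network ports")


def parse_entry(level, text):
    """Parse 'host_name:ports' or 'IP_address/mask:ports' (ports comma-separated)."""
    target, sep, port_text = text.strip().rpartition(":")
    if not sep or not target:
        raise ValueError(f"expected target:ports, got {text!r}")
    ports = frozenset(int(p) for p in port_text.split(","))
    if not all(1 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range in {text!r}")
    if "/" in target:
        # A mask was given, so this must be a network. A bad mask raises ValueError
        # instead of silently becoming a host-name pattern that never matches.
        return AllowEntry(level, None, ipaddress.ip_network(target, strict=False), ports)
    try:
        return AllowEntry(level, None, ipaddress.ip_network(target), ports)
    except ValueError:
        return AllowEntry(level, target.lower(), None, ports)


def combine(master_group, resource_group, favorite):
    """Build the session ACL as the union of all three levels (assumed semantics)."""
    levels = (("master group", master_group),
              ("resource group", resource_group),
              ("favorite", favorite))
    return [parse_entry(level, text) for level, entries in levels for text in entries]


def granted_by(acl, host, port):
    """Return the levels whose entries permit host:port; empty means denied."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, so compare against name patterns
    levels = []
    for entry in acl:
        if port not in entry.ports:
            continue
        if addr is not None:
            hit = entry.network is not None and addr in entry.network
        else:
            hit = entry.host is not None and fnmatch.fnmatchcase(host.lower(), entry.host)
        if hit:
            levels.append(entry.level)
    return levels


def is_allowed(acl, host, port):
    """Default deny: access is permitted only when some entry matches."""
    return bool(granted_by(acl, host, port))


# Constructed sample lists. The master group and resource group entries reuse
# the example formats shown in this chapter; the favorite entries are invented.
SESSION_ACL = combine(
    master_group=["*.siterequest.com:80"],
    resource_group=["172.30.11.0/24:80,443"],
    favorite=["intranet.siterequest.com:80", "mail.siterequest.com:110,25"],
)

if __name__ == "__main__":
    for host, port in [("intranet.siterequest.com", 80), ("hr.siterequest.com", 80),
                       ("172.30.11.57", 443), ("172.30.12.57", 443)]:
        print(host, port, granted_by(SESSION_ACL, host, port) or "denied")
```

Because the levels add up, a narrow favorite-level list does not narrow what a broad master group entry already permits; here hr.siterequest.com:80 is reachable although the favorite lists only intranet.siterequest.com.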

Defining App Tunnel favorites

You can create favorites and aliases to favorites on the Resources screen. A favorite is a named and saved set of options. An alias to a favorite is a named link to an existing favorite in another resource group. Favorites and aliases to favorites appear as links on the user's webtop. When a user clicks a favorite or an alias, the system establishes the static App Tunnel and starts the application specified.

To create an App Tunnel favorite or alias

  1. In the navigation pane, click Application Access.
    The Application Access : App Tunnels : Resources screen opens.
  2. From the Resource Group list in the upper left, select the resource group you want to contain the favorite.
  3. Click the Add New Favorite link.
    The screen refreshes to reveal additional options.
  4. From the Type list, select from the following types:
    • Alias: Represents an association with an existing favorite from a different resource group. If there are no other groups available, or if you have not defined other connections, the system does not present the Alias option.
      When you select Alias, the screen refreshes to reveal additional options, as described in To complete the alias definition.

To complete the favorite definition

First, complete the procedure, To create an App Tunnel favorite or alias , preceding, selecting Favorite from the Type list in step 4.

  1. In the Name box, type the identifying label you want to use.
    The FirePass controller displays this name as a label for the App Tunnels favorite on the user's webtop.
  2. In Allow List, specify a host name or IP address and ports in the following format:
    host_name:ports or IP_address/mask:ports
    For example:
    *.siterequest.com:80 or 172.30.11.0/24:80,443

    Note: For more information about specifying ACLs, see To specify ACLs for favorites or aliases.
  3. If you want to restrict access based on a defined protected configuration, from the Endpoint protection required list, select the protected configuration. To add endpoint protection, you must first define it. For more information about protected configurations, see Creating protected configurations, in Chapter 3.
  4. Click the Add Favorite button.
    The new favorite appears in the list.
  5. To add a dynamic App Tunnel, click the Add New Dynamic App Tunnel button, and continue with the following procedure.
  6. To add a static App Tunnel, click the Add button to the left of the Static Tunnels heading, and continue with the procedure To complete the static App Tunnel definition.

To complete the dynamic App Tunnel definition

First, complete the procedure, To complete the favorite definition , preceding, electing to configure a dynamic App Tunnel.

  1. From the list of clients, select a type of application you want the client to use. You can select one of the following types of applications:
    • Custom
    • Citrix Neighborhood Agent
    • Microsoft Outlook
    • Microsoft Outlook Express
    • Microsoft Telnet client
    • Microsoft Terminal Server Client
    • PuTTY
    • SecureCRT
    • Private Shell
    For more information on each of these client options, see Table 6.1, in Chapter 6.

  2. In the accompanying Name box, specify the user-friendly name for the system to use when presenting the name to the user in a dialog box. For example, one instance in which a dialog box might be presented to the user occurs when the system detects a running instance of an application, and the system prompts the user to close it.
  3. In the Application box, specify a string that starts an application transparently for the user.
    For example:
    telnet 127.10.10.10
    putty -ssh 127.10.10.10
    "%SYSTEMROOT%/SYSTEM32/mstsc.exe"
    Note: The system searches the path for the application, so you do not have to specify the complete path if the path is already set. If you do not specify a path, the FirePass controller searches the Windows registry. If an application registers itself in the Windows registry, like Microsoft Outlook does, for example, the FirePass controller can run it.
  4. Check or clear the Terminate Existing box, if the application you are starting does not support multiple instances, or when you want the system to prompt the user for confirmation in halting the existing instance.
  5. Click the Add New Dynamic Tunnel button.
    You can modify any existing setting by changing it and clicking the Update All button.
Note

When you create a new favorite, the user must log out and log on again to have the favorite available.

When you select one of the options in the list of clients, the FirePass controller populates the associated fields with common values, as described in Table 6.1 .

Table 6.1 Values associated with each type of client (item, followed by its description)

  • Custom
    When you select Custom, you can specify the application name and path, including any environment variables in the format %envvarname%, enclosing the string in quotation marks when the path contains spaces. The variables resolve to the value representing the environment variable on the client computer. For example, to configure for the Microsoft Service Terminal client, specify the following string in Application:
    "%SystemRoot%\system32\mstsc.exe" /v: mysite
    For more information about creating custom App Tunnels, see Creating custom App Tunnels.
  • Citrix Neighborhood Agent
    When you select Citrix Neighborhood Agent, the system populates the Name field with the value Citrix Neighborhood Agent, places the value "%ProgramFiles%/Citrix/ICA Client/pnagent.exe" in the Application field, and enables the Terminate Existing box. These are default values that you can change.
  • Microsoft Outlook
    When you select Microsoft Outlook, the system populates the Name field with the value Microsoft Outlook, places the value outlook.exe in the Application field, and enables the Terminate Existing box. These are default values that you can change.
  • Microsoft Outlook Express
    When you select Microsoft Outlook Express, the system populates the Name field with the value Microsoft Outlook Express, places the value msimn.exe in the Application field, and enables the Terminate Existing box. These are default values that you can change.
  • Microsoft Telnet client
    When you select Microsoft Telnet client, the system populates the Name field with the value Microsoft Telnet client, and places the value "%SYSTEMROOT%/SYSTEM32/telnet.exe" in the Application field. These are default values that you can change.
  • Microsoft Terminal Server Client
    When you select Microsoft Terminal Server Client, the system populates the Name field with the value Microsoft Terminal Server Client, and places the value "%SYSTEMROOT%/SYSTEM32/mstsc.exe" in the Application field. These are default values that you can change.
  • PuTTY
    When you select PuTTY, the system populates the Name field with the value PuTTY, and places the value "%ProgramFiles%/PuTTY/putty.exe" in the Application field. These are default values that you can change.
  • SecureCRT
    When you select SecureCRT, the system populates the Name field with the value SecureCRT, and places the value "%ProgramFiles%/SecureCRT/SecureCRT.exe" in the Application field. These are default values that you can change.
  • Private Shell
    When you select Private Shell, the system populates the Name field with the value Private Shell, and places the value "%ProgramFiles%/Private Shell/pshell.exe" in the Application field. These are default values that you can change.

To complete the static App Tunnel definition

First, complete the procedure, To complete the favorite definition , preceding, electing to configure a static App Tunnel.

  1. From the list of clients, select a type of application you want the client to use. You can select one of the following types of applications:
    • Custom client
      For more information about creating custom App Tunnels, see Creating custom App Tunnels .
    • Exchange
    • Internet EMail (POP + SMTP)
    • Internet EMail (IMAP + SMTP)
    • LDAP
    • http
    • https
    • Telnet
    • SSH
    • VNC
    • Front Page/WebDAV
    • MS Terminal Services
    • Citrix
    • RPC port mapper
    • FTP (Passive)
    • MS File Shares
    • Exchange Client/Server Comm.
    When you select an option, the system adds fields, if necessary, and populates those fields with common settings. For more information, see Example of system response, following.

  2. In the Application box, specify a string that starts an application transparently for the user. For example:
    iexplore http://127.10.10.80/sales/automation.pl
    telnet 127.10.10.10
    putty -ssh 127.10.10.10
  3. Check or clear the Keep Alive box.
    Note: Checking Keep Alive turns on the TCP-based Keep Alive setting on both the client-to-FirePass controller connection and the FirePass controller-to-target-host connection. Checking Keep Alive does not prevent the user's session from timing out.
  4. Click the Add New Static Tunnel button.
    You can modify any existing setting by changing it and clicking the Update All button.
Note

When you create a new favorite, the user must log out and log on again to have the favorite available.

Example of system response

When you select an option in step 1 of the preceding procedure, the system adds fields, if necessary, and populates those fields with common settings. For example, when you select Internet EMail (POP and SMTP) as the application class, the FirePass controller adds a definition row and populates the two rows with common application settings. In the first row, the system places a port number of 110 in the Remote Host : Port or Range box.

The FirePass controller next generates an IP address from the 127.0.0.0/255.0.0.0 subnet, and places that generated value, along with 110, in the Local Host : Port or Range boxes. This is the IP address and port combination the client connects to when accessing the App Tunnel.

Finally, the system generates another IP address from the same subnet, and places that generated value, along with 25, in the Local Host : Port or Range boxes. This is the IP address that the system uses for SMTP exchanges. You can change these values to match those of your local network, when they differ from the defaults.

To complete the alias definition

First complete the procedure, To create an App Tunnel favorite or alias , selecting Alias from the Type list in step 4.

  1. From the Group list, select the resource group containing the existing favorite you want to use as the source for the alias.
  2. From the Favorite list, select the favorite you want to use as the source for the alias.
  3. Check Inherit Allow List to use the defined ACLs from the source, or clear the box to reveal an Allow List you can configure specifically for this alias.
  4. If you want to restrict access based on a defined protected configuration, from the Endpoint protection required list, select the protected configuration.
    To add endpoint protection, you must first define access rules.
    For more information about protected configurations, see Creating protected configurations, in Chapter 3 .
  5. Click the Add Favorite button.
    The new alias appears in the list.
    Note: The alias uses the dynamic or static application tunnel definition from the source favorite.

Creating web application App Tunnel favorites

To make dynamic web application tunnels available to users, you create favorites that access your internal web sites. When the user clicks a web application tunnel favorite, the FirePass controller starts a web browser, which opens the specified URL. The system dynamically creates all TCP tunnels required to download the page.

To create a web application App Tunnel

  1. In the navigation pane, click Application Access.
    The Resources screen opens.
  2. Click the Web Application Tunnels tab.
    The Web Application Tunnels screen opens.
  3. From the Resource Group list in the upper left, select the resource group you want to contain the web application App Tunnel.
  4. Click the Add New Favorite link.
    The screen refreshes to reveal additional options.
  5. From the Type list, select from the following types:
    • Alias: Represents an association with an existing favorite from a different resource group. If there are no other groups available, or if you have not defined other connections, the system does not present the Alias option.
      When you select Alias, the screen refreshes to reveal additional options, as described in the following procedure.

To complete the web application alias definition

First, complete the preceding procedure, To create a web application App Tunnel , selecting Alias from the Type list in step 5.

  1. From the From group list, select the resource group containing the existing favorite you want to use as the source for the alias.
  2. From the Favorite list, select the favorite you want to use as the source for the alias.
  3. Check Inherit ACL to use the defined ACLs from the source, or clear the box to enable the Local ACL box, where you can specify ACLs for this alias.
  4. Click the Add New button.
    The new alias appears in the list.
    Note: The alias uses the endpoint protection setting from the source favorite.

To complete the web application favorite definition

First, complete the preceding procedure, To create a web application App Tunnel , selecting Favorite from the Type list in step 5.

  1. In the Name box, type the identifying label you want to use.
    The FirePass controller displays this name as a label for the App Tunnels favorite on the user's webtop.
  2. In URL, type the intranet web server that serves the application. For example: http://server.siterequest.com/index.html
    Note: You can click the Add to allow list link to add the URL to Allow list automatically.
  3. In URL variables, type the arguments to be either appended to the GET request or sent as data in a POST request to the specified URL.
  4. Check Use POST for URL variables to have the system include the variables in the POST request, or clear the box to prevent sending of the variables.
  5. Check Locked Browser to prevent certain user functionality, including:
    • Typing URLs in the browser's address box.
    • Selecting text on the page.
    • Saving web pages.
    • Printing web pages.
  6. In Allow List, specify a host name or IP address in the following format:
    host_name:ports or IP_address/mask:ports
    For example:
    *.siterequest.com:80 or 172.30.11.0/24:80,443

    Note: For more information about specifying ACLs, see To specify ACLs for favorites or aliases.
  7. If you want to restrict access based on a defined protected configuration, from the Endpoint protection required list, select the protected configuration. To add endpoint protection, you must first define access rules.
    For more information about protected configurations, see Creating protected configurations, in Chapter 3.
  8. Click the Add New button.
    The new favorite appears in the list.

Once you configure a favorite, you can select one to start automatically by selecting it from the Default box, and clicking Update.

You can also define resource-group level ACLs for web application App Tunnels. For more information, see To specify a resource-group level ACL .

Configuring Remote Host and Local Host settings: important considerations

If you specify a network name (that is, a DNS name, a WINS name, or a static host name) instead of an IP address in Remote Host or Local Host, the App Tunnel or Terminal Servers connection operation changes the hosts file on the client computer during the connection. If you define the remote hosts with IP addresses, then the system does not modify the hosts file.

On Windows systems, you can find the hosts file in <drive>\<windowsdir>\system32\drivers\etc\hosts.

The temporary patch allows the App Tunnel or Terminal Server connection to override the network name settings, while preserving the existing network name settings for the applications. The App Tunnel or Terminal Server connection restores the original hosts file when it ends the session.

Important

For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow nonadministrative modification.
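
The following Python sketch is an added example, not part of the FirePass product. It shows one way to verify on a client that the temporary hosts-file change was removed when the session ended, by comparing a snapshot taken before the session with the file afterward and by listing names that resolve into the loopback range. It assumes the standard "address name" hosts-file line format; the sample file contents and host names are constructed.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return the set of (address, name) pairs in hosts-file text, ignoring comments."""
    pairs = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an 'address name ...' line
        pairs.update((str(addr), name.lower()) for name in fields[1:])
    return pairs


def loopback_overrides(text):
    """Names other than localhost that the file points at 127.0.0.0/8."""
    return sorted((addr, name) for addr, name in parse_hosts(text)
                  if ipaddress.ip_address(addr) in LOOPBACK and name not in LOCAL_NAMES)


def leftover_entries(before_text, after_text):
    """Entries present after the session that were not in the earlier snapshot."""
    return sorted(parse_hosts(after_text) - parse_hosts(before_text))


# Constructed sample: the hosts file before a session, and the same file with
# one tunnel-style override of the kind a session would add.
BEFORE = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
10.1.2.3    fileserver.siterequest.com
"""
DURING = BEFORE + "127.10.10.10  telnet.siterequest.com  # added for the session\n"

if __name__ == "__main__":
    print("overrides during session:", loopback_overrides(DURING))
    print("left behind if not restored:", leftover_entries(BEFORE, DURING))
    print("left behind after clean restore:", leftover_entries(BEFORE, BEFORE))
```

On a Windows client, the text to check would be read from the hosts file at the location given above.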

Static App Tunnels support forwarding ranges of TCP ports. To do so, specify the range in the Remote Host : Port or Range and Local Host : Port or Range boxes as port1-port2,port3,port4-port5, and so on. App Tunnels limits the maximum number of ports to 50. If you use port ranges, the ranges you specify in local and remote must match.
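
The following Python sketch is an added example, not FirePass code. It checks a Remote Host / Local Host port specification pair against the two rules in the preceding paragraph before you enter them. It assumes that "must match" means both boxes expand to the same ports whenever either one names more than a single port, and that a single port may differ between the two sides; the function names are hypothetical.

```python
MAX_TUNNEL_PORTS = 50  # limit stated in this chapter


def expand_ports(spec):
    """Expand 'port1-port2,port3,port4-port5' into an ordered list of ports."""
    ports = []
    for part in spec.split(","):
        low, dash, high = part.strip().partition("-")
        first = int(low)
        last = int(high) if dash else first
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"bad port or reversed range {part.strip()!r}")
        ports.extend(range(first, last + 1))
    if len(ports) != len(set(ports)):
        raise ValueError(f"overlapping ports in {spec!r}")
    return ports


def check_static_tunnel(remote_spec, local_spec):
    """Return a list of problems; an empty list means the pair passes both rules."""
    try:
        remote = expand_ports(remote_spec)
        local = expand_ports(local_spec)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    problems = []
    count = max(len(remote), len(local))
    if count > MAX_TUNNEL_PORTS:
        problems.append(f"limit: {count} ports exceeds the maximum of {MAX_TUNNEL_PORTS}")
    # Assumption: a single port may be remapped locally, but ranges and lists
    # must be identical on both sides.
    if (len(remote) > 1 or len(local) > 1) and remote != local:
        problems.append("mismatch: local and remote port ranges differ")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs.
    for remote, local in [("110", "110"), ("80", "8080"),
                          ("5000-5010,5020", "5000-5010,5020"),
                          ("5000-5010", "6000-6010"), ("1000-1050", "1000-1050")]:
        print(f"{remote:>16} / {local:<16}", check_static_tunnel(remote, local) or "ok")
```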

Creating custom App Tunnels

You can create a custom tunnel by specifying the values you want for the connection in the Remote Host : Port or Range and Local Host : Port or Range boxes.

In general, F5 Networks recommends that you specify the port number of the remote host, unless the client's computer is already running a service on that port. You can specify a port range containing a maximum of 50 ports. If you specify a port range, the local and remote ranges must match.

We also recommend that the IP addresses you specify be associated with the DNS name of the service the clients need in either the local hosts file or on the DNS server. For example:
telnet.siterequest.com 127.10.10.10

Important

For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow nonadministrative modification.

In custom App Tunnels, you can specify environment variables in the format %variable%. The system replaces the variable with the appropriate value when it creates the tunnel. Use quotation marks to enclose any application strings that contain spaces.

The system supports the following variables:

  • %envvarname%
    Represents the value of the environment variable on the client computer.
  • %group%
    Represents the master group name of the user who is logging on.
  • %username%
    Represents the name of the user who is logging on.
  • %firstname%
    Represents the user's first name.
  • %lastname%
    Represents the user's last name.
  • %fullname%
    Represents the combination of the user's first and last name.

The system also supports the following variables for mapping Microsoft Windows network shares.

  • %envvarname%
    Represents the value of the environment variable on the client computer.
  • %password%
    Resolves to the user's password when you enable the master group option Auto-logon to applicable AppTunnels using FirePass user logon credentials.
  • %host%
    Represents the host address, which the system resolves to the loopback host address.
  • %port%
    Indicates the loopback port.
    The %port% variable is useful when original local port changes because of conflicts with other software.

The following entries illustrate valid strings for various App Tunnels.

iexplore http://%host%:%port%/sales/automation.pl?u=%username%

telnet 127.3.54.34

%SystemRoot%\System32\mstsc.exe /v:127.107.93.167 /f

Configuring App Tunnels that open automatically

You can configure an App Tunnel to open automatically. You can have the system restrict automatic opening of App Tunnels depending on the assigned protected configuration.

To configure App Tunnel auto-open

  1. Create an App Tunnel favorite, as described in Defining App Tunnel favorites , making sure to select a defined protected configuration from the Endpoint protection required list.
  2. Check the Autolaunch based on endpoint protection check box.
    The screen changes to reveal additional options.
  3. From the endpoint list, select the endpoint protection you want to require, or select Any endpoint configuration to have the system open the App Tunnels based on any security you have configured for the clients.
  4. In the Autolaunch tunnels section, check the box to the left of each tunnel you want the system to automatically open for clients that pass the configured endpoint security requirements.
  5. Click the Apply button.

Now, when users who log on have the endpoint protection you require, the FirePass controller automatically opens the associated App Tunnel and provides the user access.

Creating static App Tunnels to network file shares

You can configure a static App Tunnel to map to network file shares. You can have the tunnel open automatically, depending on the assigned protected configuration, like other App Tunnels.

To map a network drive

  1. Create a static App Tunnel, and select MS File Shares.
    For more information about creating application tunnels, see Defining App Tunnel favorites .
  2. Retain the default value of 139 in Remote Host : Port or Range and Local Host : Port or Range.
  3. In Command Line, type a string for the process to use to mount the drive.
    You can use the following templates, substituting your network information in the appropriate places.

mount <drive_name> \\<network_computer_name>\<shared_folder_name>

mount <drive_name> \\<automatically_generated_IP_address>\<shared_folder_name>

For example, if you want to map the H drive on the client computer to the sales share, which is located on the corporate_presentations computer, type:

mount H: \\corporate_presentations\sales

mount H: \\127.31.21.233\sales

    Note: You can use the syntax specified in the second example when the client operating system is Windows NT, Windows 2000, Windows XP, or Windows Me.

For drive mapping to work, the FirePass controller must have a valid certificate signed by a Certificate Authority accepted by the client's browser. Otherwise, a security warning could prevent the drive from being mapped successfully.

Tip


When you configure App Tunnels for mapping drives, you can have clients use their FirePass controller logon credentials by selecting the option Auto-logon to applicable AppTunnels using FirePass controller user logon credentials on the Application Access : App Tunnels : Master Group Settings screen. This option applies only to App Tunnels configured to map a network drive. If you select this option, you can also provide a domain or workgroup name to be used when logging on to the mapped drive.

Restricting access to App Tunnels

Sometimes called Allow Lists, ACLs control access within App Tunnels at three levels, each level's ACLs being combined to govern the entire session. You define ACLs when you want to prevent the user from accessing locations outside the ones you specifically define for the App Tunnels that access your network. You can specify ACLs in the following locations.

  • In all App Tunnels in a specific master group
    You define master-group level ACLs on the Master Group Settings screen, available under Application Access : App Tunnels. For specific procedures, see To specify ACLs for a master group.
  • For an entire resource-group
    You define resource-group level ACLs on the Application Tunnels or Web Application Tunnels tabs, available from the Application Access : App Tunnels : Resources screen. For specific procedures, see To specify a resource-group level ACL.
  • Within specific favorites or aliases you define
    You define favorite- or alias-level ACLs in the favorite or alias directly. For specific procedures, see To specify ACLs for favorites or aliases.

One FirePass controller session for a user shares all ACLs you define for the master group that contains the resource groups, those for all static and dynamic App Tunnels and web application App Tunnels in a specific resource group, and ACLs you specify for favorites or aliases within a resource group. For a description of ACLs, see Understanding access restrictions for App Tunnels.

Important

For App Tunnels, if you do not specifically allow access, the system disallows it.

Specifying ACLs

When you specify an ACL, you use a specific format, consisting of various elements. This section describes each element of an ACL and presents specific examples of how to define an ACL entry in the list.

When you specify an ACL, use the following format:

hostname:port | :port_range

ip_address/mask:port | :port_range

Separate each entry with a return. Separate multiple ports and port ranges with a comma. If you do not specify a port or range of ports, the system allows access from every port.

  • hostname or ip_address
    Represents the host name or IP address that you want the user to have access to, for example:

    siterequest.com

    192.168.200.216:80-8080

    You can use the asterisk when specifying hostname. The asterisk matches any number of characters, for example:

    *.siterequest.com:80

    *.site*quest.com:23,80,443

    *.siterequest*:23-25

    You cannot specify a protocol or a URI in any ACL.

  • mask
    Represents the subnet mask for the IP address, specified as a number of bits or in dotted-quad notation, for example:

    172.30.11.0/24:80,443

    172.30.11.0/255.255.255.0:1-65535

  • port or port_range
    Represents one or more port numbers, ranges of ports, or a combination of individual ports and port ranges, specified in accordance with the following guidelines:
    • Every port number or range is a number from 1 through 65535.
    • The port range is represented by a dash between two ascending numbers, for example, 1-10 or 500-600.
    • Each instance of a port or port range is separated by commas.
    • No instance of a port or port range overlaps another, that is, one specified port or port range cannot be contained in another port range, so it is not valid to specify 24,22-25.
    • You must specify port numbers in ascending order, for example:
      www.siterequest.com:22-25,80,443
    • If you do not specify a port, the system substitutes a port range of 1-65535, which represents all ports.

Important

If you specify a fully qualified domain name (FQDN) as the host name in the ACL, the user must specify the FQDN to access the host.
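The format rules and the default-deny behavior described in this section, as an added Python example (not FirePass code and not part of the original guide): it validates Allow List entries, evaluates a destination against them, and flags entries that allow more than they may appear to. The function names, the purely textual host-name matching, and the sample list (constructed from this section's example entries) are assumptions of the example.

```python
import ipaddress
import re

ALL_PORTS = [(1, 65535)]


def parse_ports(spec):
    """Turn '22-25,80,443' into [(22, 25), (80, 80), (443, 443)]."""
    if spec is None:
        return list(ALL_PORTS)  # no port given: the range 1-65535 is substituted
    ranges = []
    for item in spec.split(","):
        m = re.fullmatch(r"([0-9]+)(?:-([0-9]+))?", item.strip())
        if not m:
            raise ValueError(f"bad port or port range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if min(low, high) < 1 or max(low, high) > 65535:
            raise ValueError(f"port outside 1-65535: {item!r}")
        if m.group(2) and low >= high:
            raise ValueError(f"range is not ascending: {item!r}")
        if ranges and low <= ranges[-1][1]:
            raise ValueError(f"overlapping or out-of-order ports: {item!r}")
        ranges.append((low, high))
    return ranges


def parse_entry(line):
    """Parse one Allow List line into (kind, matcher, ports, host_text)."""
    entry = line.strip()
    if "://" in entry:
        raise ValueError(f"protocols and URIs are not allowed: {entry!r}")
    host, sep, port_spec = entry.rpartition(":")
    if not sep:
        host, port_spec = entry, None
    ports = parse_ports(port_spec)
    if "/" in host or re.fullmatch(r"[0-9.]+", host):
        # The mask may be a bit count or dotted quad; no mask means one host.
        net = ipaddress.IPv4Network(host, strict=False)
        return ("net", net, ports, host)
    if not re.fullmatch(r"[A-Za-z0-9*.-]+", host):
        raise ValueError(f"bad host name: {host!r}")
    # '*' matches any number of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in host.lower().split("*"))
    return ("host", re.compile(regex), ports, host)


def is_valid(line):
    """True when the line parses under the rules above."""
    try:
        return bool(parse_entry(line))
    except ValueError:
        return False


def parse_acl(text):
    """Parse a whole Allow List box: one entry per line, blank lines skipped."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def is_allowed(acl, host, port):
    """Default deny: True only when some entry covers both host and port."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        addr = None
    for kind, matcher, ports, _ in acl:
        if kind == "net":
            hit = addr is not None and addr in matcher
        else:
            # Assumption: names are compared as typed, so a short name
            # does not match an entry written as an FQDN.
            hit = matcher.fullmatch(host.lower()) is not None
        if hit and any(low <= port <= high for low, high in ports):
            return True
    return False


def review_flags(acl):
    """List (host_text, reason) for entries broader than they may look."""
    flags = []
    for kind, _, ports, host in acl:
        if ports == ALL_PORTS:
            flags.append((host, "all ports allowed"))
        if kind == "host" and host.endswith("*"):
            flags.append((host, "trailing * also matches names in other domains"))
    return flags


# Constructed sample, built from the example entries in this section.
SAMPLE_ACL = """\
siterequest.com
192.168.200.216:80-8080
*.siterequest.com:80
*.siterequest*:23-25
172.30.11.0/24:80,443
www.siterequest.com:22-25,80,443
"""
```

Running review_flags over a list before pasting it into the Allow List box shows which entries omit a port and which host patterns end in an asterisk.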

To specify ACLs for a master group

  1. In the navigation pane, click Application Access, expand App Tunnels, and click Master Group Settings.
    The Master Group Settings screen opens with the Common tab active.
  2. From the Master Group list near the upper left of the screen, select the master group you want to affect.
    The screen changes to reveal the existing App Tunnels defined for the selected master group.
  3. In the Allow List box in the Access Control List area of the screen, type the host name or IP address you want the client to be able to access. For example:

    *.siterequest.com:80

    Separate multiple entries with a return. Separate multiple ports and port ranges with a comma. If you do not specify a port or range of ports, the system allows access from every port. For more information about ACLs, see Specifying ACLs.

  4. Click Update.

Important

Make sure you click Update to save your ACLs. If you select a different master group before you click Update, the system discards any ACLs you have specified.

You can specify ACLs on a per-resource-group basis.

To specify a resource-group level ACL

  1. In the navigation pane, click Application Access, expand App Tunnels, and click Resources.
    The App Tunnels Resources screen opens with the Application Tunnels tab active.
  2. From the Resource Group list near the upper left of the screen, select the resource group you want to affect.
    The screen changes to reveal the existing App Tunnels defined for the selected resource group.
  3. In the Allow List box in the Access Control List area of the screen, type the host name or IP address you want the client to be able to access. For example:

    *.siterequest.com:80

    Separate multiple entries with a return. Separate multiple ports and port ranges with a comma. If you do not specify a port or range of ports, the system allows access from every port. For more information about ACL elements, see Specifying ACLs.

  4. Click Update.

Important

Make sure you click Update to save your ACLs. If you select a different master group before you click Update, the system discards any ACLs you have specified.

ACLs specified at the resource-group level are combined with those set at the master-group level. You can specify additional ACLs in the favorite or alias itself.

To specify ACLs for favorites or aliases

  1. In the navigation pane, click Application Access, expand App Tunnels, and click Resources.
    The App Tunnels Resources screen opens with the Application Tunnels tab active.
  2. From the Resource Group list near the upper left of the screen, select the resource group you want to affect.
    The screen changes to reveal the existing App Tunnels defined for the selected resource group.
  3. Click the Add new favorite link to create a new favorite or alias.
    For associated procedures, see To create an App Tunnel favorite or alias.
  4. In the Allow List for the favorite or alias, specify the ACLs, for example:

    *.siterequest.com:80

    Separate multiple entries with a return. Separate multiple ports and port ranges with a comma. If you do not specify a port or range of ports, the system allows access from every port. For more information about ACL elements, see Specifying ACLs.

  5. Click Update.

Important

Make sure you click Update to save your ACLs. If you select a different master group before you click Update, the system discards any ACLs you have specified.

ACLs specified at the favorite or alias level are combined with those set at the resource-group level and the master-group level.

Configuring master group settings for App Tunnels

You can specify master-group based settings that apply whenever a user who belongs to a specific master group clicks a favorite in the App Tunnels section of the webtop. You set master group settings on the Application Access : App Tunnels : Master Group Settings screen. The screen provides two tabs: Common and Dynamic Tunnels/Web Application Tunnels.

Understanding common master group settings for all App Tunnels

General master group-based settings for App Tunnels govern the App Tunnels type of Application Access connections. You can find general master group settings on the Common tab on the Application Access : App Tunnels : Master Group Settings screen.

On the Common screen, you can specify the following master-group-based settings.

  • Show administrator-defined favorites only
    Restricts client access to App Tunnels that are defined and listed in the favorites section of the user's webtop. When you disable this option, the system removes the Direct Connect link from the user's webtop as well as prevents users from creating their own favorites.
  • Use gzip compression
    Compresses all traffic between the client and the FirePass controller, using the gzip deflate method.
  • Auto-logon to applicable AppTunnels using FirePass user logon credentials
    Allows logon using the FirePass controller logon credentials. Use this option when users' FirePass controller name and password match their Windows logon credentials. This feature permits the user to access a file share without having to log on again.
  • Access control list
    Restricts user access to host and port combinations specified. For more information about specifying ACLs for master-group-level access restriction, see To specify ACLs for a master group.

For general information about master groups, see Introducing master groups and resource groups, in Chapter 2.

Configuring Customization settings on the Master Group Settings screen

Settings in the Customization section affect all App Tunnels types of Application Access connections in the master group specified in the Master Group list at the top of the screen.

  • Present the user with a message box after successfully creating Static Tunnel
    Lets the user know that the static App Tunnel was successfully created.
  • Minimize window after successfully creating Static Tunnel
    Minimizes the user's App Tunnel control window after the App Tunnel opens.
  • Use Tray icon instead of Taskbar entry when minimized
    Minimizes the connection window as an icon in the Windows system tray. By default, when a user establishes an App Tunnel, the FirePass controller displays a connection window to users notifying them that they have successfully established a connection. When you enable this feature, the system closes the window and shows the connection as an icon in the Windows system tray at the lower right of the Taskbar. Users can use the icon in the Windows system tray to restore or maximize the connection window, or to terminate their connection.
  • Do not show remote server address in AppTunnel window
    Cleans the user's URL so that the actual server address does not appear in the browser's address field.

Configuring settings for the AppTunnels webifyer status in the group <groupname> section of the Master Group Settings screen

The final section of the Master Group Settings screen contains a message, for example:

AppTunnels is presented at the Beginner level, always visible to a user in the group <groupname>.

The User Experience screen, accessible by clicking Click to change the status and/or webifyer position on the webtop, provides some options for customizing what the user sees.

Understanding master group settings for dynamic and web application tunnels

You can use options on the Dynamic Tunnels/Web Application Tunnels tab of the Master Group Settings screen to configure split tunneling. Split tunneling of traffic provides control over exactly what traffic is sent over the App Tunnel connection to the internal network and which is not. Configuring split tunneling results in better client application performance by allowing direct routing of connections destined for the public Internet, rather than routing the request through the App Tunnel and then out to the public Internet.

You can set options on the Dynamic Tunnels/Web Application Tunnels screen for each master group. To specify the master group you want to affect, select the name from the Master Group list at the upper left of the screen.

The Dynamic Tunnels/Web Application Tunnels screen contains the following options:

  • Force all traffic through tunnel
    Sends all traffic to or from the local subnet through the dynamic and web application tunnels.
  • Use split tunneling for traffic
    Routes through dynamic and web application tunnels only the traffic that meets the specified criteria.
    When you select this feature, the screen refreshes to reveal additional options:
    • DNS address space
      Provides a list of names describing the target local network DNS addresses.
      Some applications use the FirePass controller DNS server settings for hosts in the DNS address space, and the local client DNS server for others. You can elect to use the DNS servers specified on the DNS tab, available on the Device Management : Configuration : Network Configuration screen, or you can specify which DNS server to use, in the DNS address space box. You can use spaces to separate multiple items. DNS address space supports the asterisk, which represents any number of characters. For example, type the following to help the application determine which DNS server to use for resolving a host name:
      *.sales.siterequest.com *.engineering.siterequest.com
    • LAN address space
      Provides a list of addresses or address/mask pairs describing the target LAN.
      When using split tunneling, the system passes through the configured tunnel only the traffic to these addresses and network segments, and traffic to any hosts specified in DNS address space. You can use spaces to separate multiple items. You can use the following format to configure this option:
      192.168.10.0/255.255.255.0
      192.168.10.0/24
      192.168.10.0/24 192.168.20.0/24

Important

When you finish specifying entries in DNS address space and LAN address space, make sure you click the Update button. If you make changes, and then select a different master group from the Master Group list before clicking the Update button, the system discards the changes.
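The split tunneling rules described above, modeled as an added Python example (not FirePass code and not part of the original guide) so that the set of destinations left outside the tunnel can be reviewed before the settings are applied. The class and function names, the "controller" and "client" labels, and the sample destinations are assumptions of the example; the address-space strings are the ones shown in this section.

```python
import ipaddress
import re


class SplitTunnelPolicy:
    """Model of the DNS address space and LAN address space boxes."""

    def __init__(self, dns_address_space="", lan_address_space="", force_all=False):
        self.force_all = force_all  # "Force all traffic through tunnel"
        # Items are separated by spaces; '*' stands for any number of characters.
        self.names = [
            re.compile(".*".join(re.escape(part) for part in item.split("*")))
            for item in dns_address_space.lower().split()
        ]
        # Accepts both 192.168.10.0/24 and 192.168.10.0/255.255.255.0.
        self.nets = [
            ipaddress.IPv4Network(item, strict=False)
            for item in lan_address_space.split()
        ]

    def in_dns_space(self, name):
        name = name.lower().rstrip(".")
        return any(pattern.fullmatch(name) for pattern in self.names)

    def resolver_for(self, name):
        """Under split tunneling: controller DNS settings or local client DNS."""
        return "controller" if self.in_dns_space(name) else "client"

    def path_for(self, destination):
        """Return 'tunnel' or 'direct' for a host name or an IPv4 address."""
        if self.force_all:
            return "tunnel"
        try:
            addr = ipaddress.IPv4Address(destination)
        except ValueError:
            # A name is classified by name only; pass its resolved address
            # as well to check it against the LAN address space.
            return "tunnel" if self.in_dns_space(destination) else "direct"
        return "tunnel" if any(addr in net for net in self.nets) else "direct"


def exposure_report(policy, destinations):
    """Group destinations by path so the direct (untunneled) set can be reviewed."""
    report = {"tunnel": [], "direct": []}
    for destination in destinations:
        report[policy.path_for(destination)].append(destination)
    return report


# Address-space strings as shown in this section.
DNS_SPACE = "*.sales.siterequest.com *.engineering.siterequest.com"
LAN_SPACE = "192.168.10.0/24 192.168.20.0/255.255.255.0"

# Constructed sample destinations.
SAMPLE_DESTINATIONS = [
    "crm.sales.siterequest.com",
    "intranet.siterequest.com",
    "192.168.10.40",
    "192.168.30.40",
    "www.example.org",
]
```

In the sample, intranet.siterequest.com and 192.168.30.40 fall outside both address spaces, so the model sends them direct rather than through the tunnel.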

Understanding Legacy Host connections

You can configure access to legacy, or green screen, systems on mainframes, and other traditional text consoles, using the Legacy Hosts option. To set master-group-level policies and behaviors, use the Application Access : Master Group Settings screen. For more information, see Configuring master group settings for terminal server connections.

The Application Access : Legacy Hosts feature supports the following terminal types:

  • Tn3270, 80x24 in Java
  • Tn3270, 80x32 in Java
  • Tn3270, 80x43 in Java
  • Tn3270, 132x27 in Java
  • Tn5250, 80x32 as ActiveX control
  • Tn5250, 132x27 as ActiveX control
  • Vt-100 Telnet in Java
  • Vt-100, 80x25 in Java
  • Vt-100, 80x32 in Java
  • Vt-100, 132x24 in Java
  • Vt-100, 132x32 in Java
  • Vt-220 Telnet in Java
  • Vt-220, 80x25 in Java
  • Vt-220, 80x32 in Java
  • Vt-220, 132x24 in Java
  • Vt-220, 132x32 in Java
  • Vt-320 HTML
  • Vt-320 Telnet in Java
  • Vt-320, 80x25 Telnet in Java
  • Vt-320, 80x32 Telnet in Java
  • Vt-320, 132x24 Telnet in Java
  • Vt-320, 132x32 Telnet in Java

Password-based SSH connection (v2.0) is optional. You can find additional information in the online help for the Application Access : Legacy Hosts : Resources screen.

Defining legacy host favorites

You can create favorites for legacy host connections. A favorite is a named and saved set of options. A favorite appears as a link on the user's webtop. When a user clicks the link, the system establishes a connection to the legacy host configured.

To create a Legacy Host favorite or alias

  1. In the navigation pane, click Application Access, and click Legacy Host.
    The Application Access : Legacy Hosts : Resources screen opens.
  2. From the Resource Group list in the upper left, select the resource group you want to contain the favorite.
  3. Click the Add New Favorite link.
    The screen refreshes to reveal additional options.
  4. From the Type list, select from the following types:
    • Favorite: Represents a new connection definition.
      To create a new favorite, select Favorite, and skip to step 5.
    • Alias: Represents an association with an existing favorite from a different group. If there are no other groups available, or no other connections have been defined, the Alias option is not available.
      When you select Alias, the screen refreshes to reveal additional options. Continue with these steps:
    • From the From group list, select the resource group containing the existing favorite you want to use as the source.
    • From the Favorite list, select the favorite.
    • Click the Add New button.
      The new Alias appears in the list.
  5. To continue creating a new favorite, in Name, type the identifying label you want to use.
    The FirePass controller displays this name as a label for the Legacy Host favorite in the user's web browser.
  6. In Host, type the legacy host for the connection.
  7. In Port, type the port you want the connection to use.
  8. Check the Use SSH check box to use SSH, or leave the box empty.
  9. Check Open in a separate window to have the connection open in a new instance of the browser window.
    Note: This option is always on for 5250 sessions.
  10. From the Term-type list, select the type of terminal the connection is for.
  11. In Session name, specify the name for the terminal session.
    Note: Session name is available for 5250 sessions only.
  12. Check the Keep Alive check box to prevent the session from ending, or leave the box empty to permit the session to end.
    Note: Session name is available for 5250 sessions only.
  13. From the Column separators list, select the type of column separators for 5250 terminals.
  14. From the Default charset list, select the character set to use for the session. The FirePass controller provides several choices:
    • DEC Supplemental Graphic Set
    • MS-DOS Codepage 850 (Multilingual Latin 1)
    • IBM Codepage 850
    • ISO 8859-1 (Latin-1)
    • Unicode
  15. From the 3270 language list, select the language supported by the 3270 terminal.
  16. From the Default font size list, select the default font size to use for Java-based terminals.
  17. From the Unicode encoding list, select the encoding. The FirePass controller provides several choices:
    • UTF-8
    • UTF-16 little-endian
    • UTF-16 big-endian
    • UTF-32 little-endian
    • UTF-32 big-endian
  18. If you want to restrict access based on a defined protected configuration, from the Endpoint protection required list, select the protected configuration.
    For more information about protected configurations, see Creating protected configurations, in Chapter 3.
  19. Click the Add New button.

You can change any of these settings by clicking the link representing the favorite, modifying the setting, and clicking the Update button.

Configuring legacy hosts keyboard mapping

A keyboard map contains mapping instructions for associating one keystroke or key sequence on the client, to another keystroke or key sequence. For example, you can map Esc+Shift+1 to the F1 key if the client keyboard does not have function (F) keys on it.

The FirePass controller provides default keyboard mappings for the listed terminal types. However, you can override one or all key mappings. Using keyboard mapping, you can customize legacy hosts favorites to use non-standard keyboards or other code pages, and to add custom commands and shortcuts.

The Legacy Hosts Keyboard Map section of the Legacy Hosts screen contains the table of defined keyboard mappings that becomes the default for the legacy hosts favorite you are configuring. You can debug user-side keyboard mapping issues for specific devices and sessions by specifying a keystroke in the table, and then invoking that keystroke when connected to a legacy hosts session.

To modify or add to the mapping table

  1. In the navigation pane, click Application Access, and click Legacy Hosts.
    The Legacy Hosts : Resources screen opens.
  2. From the list to the left of the Load button, select the terminal type you want to configure a keyboard map for.
  3. Click the Load button.
    The FirePass controller loads the saved mapping table into the box. If no saved table exists, the FirePass controller uses the default mapping table.
  4. Edit the table as needed to override the mappings you need to change, or to add key sequences to be translated into application commands. For more information about the structure of the mapping table, see Understanding the mapping table, following.
  5. When you specify the settings you want, click the Save button.

Understanding the mapping table

Each line in the keyboard mapping table list contains one mapping rule for a single key. You can type directly in the table to specify entries. The first column in the table contains any modifiers, which represent the Ctrl, Alt, and Shift keys on the keyboard. The second column contains the key, such as F12 or Tab. The third column contains the action command. The first and second columns must be separated only by blank spaces. At least one tab character is required between the second and third columns. You can omit content in the first and second columns to create a map for modifiers only, or for keys only.

Commands are specific to one application or terminal type. You can supply command arguments within the parentheses. A command with no arguments ends with a pair of empty parentheses.

The default keyboard mapping contains default commands for standard terminal types. You can add commands that act as application shortcuts. These shortcuts can send commonly-used strings to your host applications using the Send("String") command.

For example, if you want a specific key combination to send a text command plus a program function key whenever the user presses Ctrl and Alt and Shift and F12, the mapping rule might look like this:

Ctrl+Alt+Shift F12 Send("MY COMMAND"); PF1();

You can map the number pad keys divide ( / ), multiply ( * ), and minus ( - ) differently from the keyboard keys slash ( / ), asterisk ( * ), and hyphen ( - ). In addition, you can map the Num Lock key to a command.

You can find additional information in the online help for the Application Access : Legacy Hosts : Resources screen.

Configuring master group settings for legacy hosts connections

You can specify master-group based settings that apply whenever a user who belongs to a specific master group clicks a favorite in the Legacy Hosts section of the webtop. You set master group settings on the Application Access : Legacy Hosts : Master Group Settings screen.

Understanding general master group settings for legacy host connections

General master group-based settings for legacy host connections govern the legacy host type of Application Access connections. You can specify the following master-group-based settings.

  • Limit Legacy Hosts Access to Favorites only (for Extranets, partner and customer access, etc.)
    Removes the Direct Connect link from the user's webtop, and prohibits the user from creating custom favorites, which limits client access to Legacy Hosts that are defined and listed in the favorites section.
  • Restart the Legacy Hosts Server
    When clicked, restarts a subsystem on the FirePass controller, which can correct a problem without causing disruption to other FirePass controller users.

Configuring settings for the Legacy Hosts webifyer status in the group <groupname> section of the Master Group Settings screen

The final section of the Master Group Settings screen contains a message, for example:

Legacy Hosts is presented at the Beginner level, always visible to a user in the group <groupname>.

The User Experience screen, accessible by clicking Click to change the status and/or webifyer position on the webtop, provides some options for customizing what the user sees.

Configuring terminal server favorites

You can create favorites for terminal server connections. A favorite is a named and saved set of options. A favorite appears as a link on the user's webtop. When a user clicks the link, the system establishes a connection to the terminal server configured.

You can provide users access to internal Microsoft Terminal Servers, Windows XP® desktops, Citrix MetaFrame® servers, and VNC servers. To specify group-level settings for Terminal Servers, use the Application Access : Terminal Services : Master Group Settings screen. For more information, see Configuring master group settings for terminal server connections.

To create a Terminal Servers favorite or alias

  1. In the navigation pane, click Application Access, expand Terminal Servers, and click Resources.
    The Application Access : Terminal Servers : Resources screen opens.
  2. From the Resource Group list in the upper left, select the resource group you want to contain the favorite.
  3. Click the Add New Favorite link.
    The screen refreshes to reveal additional options.
  4. From the Type list, select from the following types.
    • Favorite: Represents a new terminal server connection.
      To create a new favorite, select Favorite, and skip to step 5.
    • Alias: Represents an association with an existing favorite from a different group. If there are no other groups available, or no other connections have been defined, the Alias option is not available.
      When you select Alias, the screen refreshes to reveal additional options. Continue with these steps:
    • From the From group list, select the resource group containing the existing favorite you want to use as the source.
    • From the Favorite list, select the favorite.
    • Click the Add New button.
      The new Alias appears in the list.
  5. To continue creating a new favorite, in Name, type the identifying label you want to use.
    The FirePass controller displays this name as a label for the favorite under Terminal Servers in the user's web browser.
  6. In Host, specify the name or IP address.
    You can enter a list here for MetaFrame and VNC hosts. The FirePass controller shuffles the entries, then tries to use the first one in the list. If connection fails, the FirePass controller tries the next one in the list, and so on, until a working server is found. You can use this simple technique for high availability solutions.
  7. In Port, type a number to use for the port.
    To automatically populate Port with the appropriate default value, select from the adjacent list. Options are:
    • Microsoft Terminal Server - default value 3389.
    • Citrix MetaFrame - default value 1494.
    • VNC - default value 5900.
    • Citrix MetaFrame Browser - default value 80.
      This option is useful for accessing Citrix server farms, and for resolving application names to IP:port.
    • Citrix MetaFrame Portal
      Populates Port with the value 80.
      This option provides functionality similar to Citrix NFuse web portal. In this case, the FirePass controller contacts the Citrix master browser using the supplied user credentials, and obtains a list of published applications configured for that specified user.
    Note: Citrix MetaFrame Browser relies on the Citrix XML Service, which must be enabled on the target server.
  8. In Select a program, type the full path to the application on the target server to limit terminal access to a single program, restricting access to the whole system.
    For Citrix, always precede the application name with a pound sign ( # ) for published applications, for example, #app_name
    This can be a path to Clarify on the Crete MS Terminal Server.
  9. In Working Dir, specify the working directory for the application you specified in the preceding step.
  10. Check the Open in new window check box to have the favorite run in a new browser window, or leave the box clear to have the favorite run in the current browser session, replacing content of the user's webtop.
  11. Check the Redirect local resources (drives, printers, COM ports) check box to have the target server's local resources available to the client after the application starts, or leave the box clear to have users retain the resources on their computers.
  12. In Encryption (Citrix-only), select the encryption level for Citrix MetaFrame connections.
    This setting specifies an internal Citrix parameter, which must match the MetaFrame server setting. Connection from the client to the FirePass controller is made using SSL, regardless of this setting. Options are:
    • Basic
      This is the default.
    • RC5 128 bit-logon only
    • RC5 40 bit
    • RC5 56 bit
    • RC5 128 bit
  13. From Color Depth, select the number of colors the display on the target server supports. Options are:
    • 16 Colors
    • 256 Colors
      This is the default.
    • High Color (16 bit)
    • True Color (24 bit)
    • True Color (32 bit)
  14. If you want to restrict access based on a defined protected configuration, from the Endpoint protection required list, select the protected configuration.
    For more information about protected configurations, see Creating protected configurations, in Chapter 3.
  15. Click the Add New button.

You can change any of these settings by clicking the link representing the favorite, modifying the setting, and clicking the Update button.

Configuring master group settings for terminal server connections

You can specify master-group based settings that apply whenever a user who belongs to a specific master group clicks a favorite in the Terminal Servers section of the webtop. You set master group settings on the Application Access : Terminal Servers : Master Group Settings screen.

When you enable master group policy routing for a particular master group, you should not allow users of the master group to create terminal server favorites for accessing servers that are not part of the VLAN defined for that master group.

Understanding general master group settings for terminal server connections

General master group-based settings for terminal server connections govern the terminal server type of Application Access connections. You can specify the following master-group-based settings.

  • Screen resolution
    Sets the initial screen resolution for Terminal Servers and Citrix MetaFrame content, which users can override. Although users can change screen resolution if they wish, you should set the initial resolution sufficiently large to accommodate the application window. For example, if you select 640x480, users cannot start Ethereal® applications because there is no access to the OK button.
  • Limit Terminal Servers Access to Favorites only (for Extranets, partner and customer access, etc.)
    Removes the Direct Connect link from the user's webtop, and prohibits the user from creating custom favorites, which limits client access to Terminal Servers that are defined and listed in the favorites section.
  • Auto-logon to applicable Terminal Services using FirePass controller user logon credentials
    Uses the user's FirePass controller user name and password to access Terminal Servers. You can also enter an optional domain or workgroup name for the FirePass controller to use when users log on to Terminal Servers. In situations in which the user's FirePass controller user name and password match the Windows Domain credentials, this feature permits the user to access a Terminal Servers connection without having to log on again.

Citrix ICA client location

The FirePass controller dynamically loads the Citrix client onto the user's system, at runtime. If your site requires a version of the Citrix Web Client that is different from what the FirePass controller provides, you can use the options described in this section to specify the location of the Citrix client to be downloaded. You can specify this setting on the Application Access : Terminal Servers : Master Group Settings screen.

  • Embedded
    If the end-user does not have a Citrix client installed, or if the installed version does not match the number displayed in the Version box, downloads and installs the Citrix client supplied on the FirePass controller.
  • Citrix web-site
    If the end-user does not have a Citrix client installed, or if the installed version does not match the number displayed in the Version box, obtains the client from the Citrix web site. You can also specify the target version number you want to download.
  • Custom URL
    If the end-user does not have a Citrix client installed, or if the installed version does not match the number displayed in the Version box, obtains the client from the location entered. You can specify the source URL and the target version number you want to download.

Configuring keyboard redirection for Microsoft Terminal Servers

The keyboard redirection setting specifies how and when to apply Windows key combinations, for example, Alt+Tab. On the Master Group Settings screen for Application Access, you can configure key combinations to be applied in one of three ways: only locally on the client computer, always, or only when the client is running in full-screen mode.

Table 6.2 presents the Microsoft Terminal Servers shortcut keys that this setting affects.

 

Table 6.2 Microsoft Terminal Servers shortcut keys

| Key combination | Description |
| --- | --- |
| Alt+Page Up | Switches between programs from left to right. |
| Alt+Page Down | Switches between programs from right to left. |
| Alt+Insert | Cycles through the programs in the order they were started. |
| Alt+Home | Displays the Start menu. |
| Ctrl+Alt+Break | Switches the client between window and full-screen mode. Ctrl+Alt+Break is F12 on NEC98. |
| Ctrl+Alt+End | Brings up the Windows Security dialog box. Ctrl+Alt+End is F15 on NEC98. |
| Alt+Delete | Displays the Windows menu. |
| Ctrl+Alt+minus ( - ) | Places a snapshot of the active window, within the client, on the Terminal Server clipboard (provides the same functionality as pressing Print Scrn on the local computer). |
| Ctrl+Alt+plus ( + ) | Places a snapshot of the entire client windows area on the Terminal Server clipboard (provides the same functionality as pressing Alt+Print Scrn on the local computer). |

 

Configuring Terminal Servers webifyer status in the group <groupname> section of the Master Group Settings screen

The final section of the Master Group Settings screen contains a message, for example:

Terminal Servers is presented at the Beginner level, always visible to a user in the group <groupname>.

The User Experience screen, accessible by clicking Click to change the status and/or webifyer position on the webtop, provides some options for customizing what the user sees.

For information on how to set User Experience options, see the online help for the User Experience tab, available on the Users : Groups : Master Groups screen.

Configuring global settings for Application Access

You can configure global settings that apply to all Application Access connections. You set global settings on the Application Access : Global Settings screen.

Handling Windows power-management events

You can select one of the following power-management settings to apply to Windows-based App Tunnels, Terminal Servers, and the ActiveX version of 5250 Legacy Hosts Access. This setting specifies what should occur when Windows enters the standby, or hibernate, mode.

  • Do nothing: Ignore power management events
  • Prevent Windows from entering standby/hibernate mode while a connection exists
  • Terminate connection if Windows enters standby/hibernate mode

Configuring client messages for Windows loopback

There is an issue introduced in Windows XP SP2 in which an error occurs when attempting to connect to IP addresses in the loopback range. You can read more about the issue by clicking the KB884020 link on the Application Access : Global Settings screen.

The FirePass controller displays a message when it encounters a computer that has not received the loopback fix. By default, the FirePass controller displays the following message:

Your computer requires an update to run this application. Click here or enter the following link into your web browser to install the required update from Microsoft (KB884020).
http://support.microsoft.com/default.aspx?kbid=884020

You can change the message by modifying the text in the box in the Customization section, and clicking the Update button. The message can contain any valid HTML.



