An access rule defines a restriction, or under what circumstances a service or role should be granted.
An access rule may be thoroughly customized using boolean operators.
The 'Access rule' interface provides a series of buttons for use when
writing a rule (and,
or, not,
(, ),
true and
false). Using these buttons, one can for
instance define a service which is only available to two specific clients
connecting to one specific server, only during office hours or on
holidays, and only to users authenticated with smart cards.
When access rules are saved, a sanity check is done on the expression. If the expression is not valid, the access rule will not be saved to the database, and a detailed error report will be shown to the administrator.
Access rules consist of the following types of statements:
- Boolean operators and primitives
Boolean operators (
and,or,not,(and)) are used to group other checks together. The boolean primitives (trueandfalse) can be used to create short access rules which are always true or false.The operator
andhas precedence overor, so thatA and B or C and Dis the same as(A and B) or (C and D).- Attribute
Attributes are key/value pairs which are set from either the client machines or from an LDAP server, such as Microsoft Active Directory. An Attribute statement looks at the attribute value and matches it against another value. The match can be made as a regular expression match (=) or as normal relational operators (<, >, <=, >= or !=). The match is done numerically if both values are numbers (decimal numbers are accepted) otherwise string comparison is used.
This allows the AppGate server to restrict access based on information from outside the server. More information about regular expressions can be found at Section 12.11, “Regular Expressions Reference”.
- Predefined attributes
A number of predefined attributes are set automatically when the user logs on. This includes information about the session, the client and other environment variables.
Table 4.1. Predefined attributes
Attribute name Description client.firewall "true" if the client is using AppGate's DFW, "false" otherwise client.identd "true" if the client is using an identd daemon, "false" otherwise client.iptunneling "true" if the client is using AppGate's IP tunneling driver, "false" otherwise client.java The version of the user's JRE. client.hosts "true" if the client can write to the hosts file, "false" otherwise. client.lmhosts "true" if the client can write to the LMHOSTS file, "false" otherwise. On platforms other than Windows, this attribute is always "false". client.platform A string with three parts: platform,os,id client.shares "true" if the client can use the share component, "false" otherwise. On platforms other than Windows, this attribute is not set. client.type What kind of client the user used when connecting to the AppGate Server. Possible values are "full", "connect", "applet", "ssl", "console", "generic ssh" and "mobile". client.user_agent The User-Agent string from the user's browser, when connecting through the SSL module. client.version This version is the "offical" version number of the connecting client. Values are "8.1", "7.1.5" etc client.webstart "true" if the client was started as an Java Web Start application, "false" otherwise. iptunneling.ip The client's IP tunneling address, set only if IP tunneling is used. iptunneling.user_ip The user's static IP tunneling address, set only if it exists. iptunneling.no_pool Set to "true" if the server failed to allocate an IP tunneling address for the client because there was no suitable address pool, otherwise not set. iptunneling.pool_busy Set to "true" if the server failed to allocate an IP tunneling address for the client because all suitable address pools were busy, otherwise not set. iptunneling.arpd_error Set to "true" if the server failed to allocate an IP tunneling address for the client because of an error at the ARP daemon, otherwise not set. login.account_source The name of the account source that this user was found in. login.authentication The name of the used authentication method. login.client_ip The user's IP address as seen by the AppGate Server. login.client_name The user's fully qualified host name. login.crypto The name of the cipher which encrypts the connection. login.date The date at which the user logged in, in YYYYMMDD format. login.forward_name Normally the same as the "login.username" attribute, but it can be changed to facilitate Single Sign On. login.protocol_version This version number is used in the protocol between the AppGate Client and Server. This attribute can be used to select different services depending on the version of the AppGate Client. login.role The name of the selected role, or a comma-separated list of selected combinable roles. login.search_name The user name found in the account source when this user logged in, this is normally the same as the "login.username" attribute. login.server_ip The IP address of the AppGate Server's incoming interface login.server_name The fully qualified host name of the AppGate Server's incoming interface. login.time The time at which the user logged in, in 24-hour HHMMSS format. login.username The login name the user typed in or the distinguished name from a certificate login.weekday The weekday at which the user logged in, one of "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", and "Saturday". - Attributes from clients
The value of the attribute is set by the client by executing a 'client check' command at the start of the session. This may for instance be used to run a small program that checks whether an anti virus software is running on the client computer and restrict access based on this information. Another way to set attributes from the client is to use the
gui_extrapromptsconfiguration option. See the section called “User-provided credentials” for an example of this.- Attributes from LDAP/AD servers
When an LDAP user database is used, it is possible to map attributes in the LDAP database to attributes that the AppGate server can use (see Section 4.2.2, “LDAP/AD” for details). This can be used to , for instance, enable access to a Microsoft Exchange server only if the user has an e-mail address defined in Active Directory.
- Time
Defines a time period. The choices are 'All days', 'Work days', and 'Weekends' (may specify times of day for any of these. For instance, "Work days 8.00-17.00" or "All days at any time".
- From
This statement can be used to detect from where the client is connecting. It is expressed as an IP address, or as a whole range of addresses, or as a subnet or supernet. For instance,
from{*.appgate.com}matches any user connecting from a client whose fully qualified host name ends with appgate.com. Another example;from{10.42.23.0/24}matches users whose clients are located on the 10.42.23.* subnet.- Platform
This statement is used to detect what platform the user is running. This statement should not be used for strong security, since it is possible to fake the platform reported by the client. However, it may well be used for presenting the relevant services on different platforms.
- IP tunneling
This statement (really an Attribute statement) is used to detect that the client is using IP tunneling as its traffic capturing mechanism.
- Firewall
This statement (really an Attribute statement) is used to detect that an AppGate Device Firewall is running on the client computer.
- identd
This statement (really an Attribute statement) is used to verify that an identd daemon is answering on the connecting client computer. This is normally only interesting if the client is a Unix computer.
- Authentication
Defines valid authentication methods for the services. Using this as part of an access rule, it is possible to restrict access to a service based on the authentication method used for the connection. The drop down box displays all the authentication methods that has been defined for the AppGate server.
It is possible to differ between different instances of radius authentication, if multiple radius authentication methods has been defined.
- Crypto
Defines valid cryptography methods for the services. Using this as part of an access rule, it is possible to restrict access to a service based on the cryptography method used for the connection.
- Access rule
This is a drop-down box containing all access rules that have already been defined. Using this option, access rules may be "nested" inside of other access rules to produce an easily customized rule.
For instance, nested rules are used when you want an access rule to encompass everything one rule does, plus additional restrictions.
There is no need to define a negating role, as there are "negate" buttons everywhere where access rules are used.
- Server
Defines an AppGate server where this rule should evaluate to 'true'. This is only relevant in multi-machine AppGate clusters.
NOTE: If an access rule is defined using an expression which allows access only to a certain AppGate Server and load balancing is used, the access rule applies to the server one is actually connected to, but this is not always the same server the user tried to connect to. Therefore, it is not recommended to define this type of access rule while using load balancing.
In a situation where a single Service is "Attached .." multiple times into Folders or directly in a Role it becomes a bit more complex and perhaps not entirely intuitive what is actually shown as icons to the user.
The way it works is that all the potentially visible objects, meaning non transparent Folders and Services, are built up with an initial state of not to be shown.
The Role tree (or directed graph in this case) is then traversed from root to leaves. Any Access rule evaluating to false will stop further traversal into that branch of the tree (graph). If the traversal reaches an object that is potentially going to be visible it is marked to really become visible.
A potentially confusing effect of this is that some Services may become visible icons in more than one position.
The AppGate server cannot verify that the attributes set from the clients are accurate. It is, for instance, possible for a cunning hacker to tell the AppGate server that the client machine is using anti-virus software. Attributes from the clients should be used to select different services depending on the configuration of the machine, not to grant access to sensitive information.
An access rule called
secure_from_internet
which gives 'true' if the connection comes from a host outside of the
company network and uses a certificate for authentication.
(not from(*.appgate.com)) and auth(certificate)
An access rule called
secure_from_intranet
which is true if the connection comes from a host on the company
network and the user uses a certificate or password for authentication.
from(*.appgate.com) and (auth(certificate) or auth(password))
These two rules can be used as building blocks to create another
access rule called secure_connection.
secure_from_intranet or secure_from_internet
The 'Client Check Setup' section of the console allows the administrator to upload and define Client Check Commands.
Client Check Commands are commands which are run on the client machine when the client connects to an AppGate server. The output from these commands is used to set attributes which can be used in Access rules. The commands are stored on the AppGate server and downloaded to the client machine (if they have not already been downloaded when connecting at an earlier time).
The command may be any form of file that may be executed on the designated client platform (e.g a native Win32 binary for Windows, a .bat file for Windows or a Bourne-shell script for Unix). It must return exit code zero if the attribute should be set. The attribute is then set to the last line of output on stdout.
To upload a new command executable, click on the
'Upload...' button and select the file that should be
uploaded. By default, the AppGate server has the executable
called check.exe already uploaded and ready
for use.
To add a new Client Check Command, click on the 'Add...' button and specify which attribute that should be set, which platform the Client Check Command applies to, which executable will be run, and which arguments will be given to the executable.
To edit an existing Client Check Command, either double-click on the Client Check Command or select one from the list and click on the 'Edit...' button.
To remove an existing Client Check Command, select one from the list and click on the 'Delete' button.
Binary commands that have not been assigned an attribute are listed without an attribute and can not be edited, but they can be deleted by selecting them and clicking on the 'Delete' button.
A program called check.exe is pre-installed
on every AppGate server. It can perform a great number of checks
on a Windows client machine, such as reading a registry entry, see
if a certain program is running or calculate a checksum of a file.
Because check.exe is such a versatile program,
it has a lot of options:
-fileexistsfile-filesizeisfilesize-filesizelargerfilesize-filesizesmallerfilesize-fileversionfile-productversionfile-md5sumfile-sha1sumfile-regexistsrootkeyvalue-regprintrootkeyvalue-getprivateprofilestringappnamekeydeffile-fsecureavversion print |max age in days-sophosmaxagertimewherertimeis of the form nn['d'|'h'|'m'] -processname-execcommand...-isadmin -issvcrunningname-querysvcname-isportbusyport-matchoutputcommandneedle1...-isnetbtenabled -canmountagshares -isunitmounteddriveletter-downloadtourl[-hashhash]filehashis of the form {md5,sha1}:XXXXX... -downloadandrunurl[hash]hashis of the form {md5,sha1}:XXXXX... -downloadandrunasargurl[-hashhash]cmdhashis of the form {md5,sha1}:XXXXX...cmdmay contain #f which will be expanded to the file name of the downloaded copy of the file to which the url points. -downloadanddourlop[hash] whereopis one of: edit, explore, find, open or print andhashis of the form {md5,sha1}:XXXXX... -afiledateisfiledate-afiledatenewerfiledate-afiledateolderfiledatewheredateis of the form yyyymmdd[hh[mm[ss]]]. -rfiledatenewerfilertime-rfiledateolderfilertimewherertimeis of the form nn['d'|'h'|'m']
Here are some examples of check.exe commands:
-fileexists %windir%/notepad.exe
-regexists HKEY_LOCAL_MACHINE "Software/Microsoft/Internet Explorer" Build
-regprint HKLM "Software/Microsoft/Internet Explorer" Build
-process mstask.exe
-afiledateis c:/windows/notepad.exe 20040401
-afiledatenewer c:/windows/notepad.exe 200404012359
-afiledateolder %windir%/notepad.exe 20040401235959
-rfiledatenewer c:/windows/notepad.exe 10d
-rfiledateolder #REG[HKLM,Software/ACME Software,SomeValue] 10h
It is possible to add your own server-defined attributes by writing a small script that the server will run for each user at login. Attributes created this way must be prefixed with "script."
The script is a standalone program, it can be written as a shell script, in perl or be a compiled binary. Existing attributes are available to the script as environment variables. Each attribute is stored in an environment variable with the same name as the attribute except that dots are replaced with underscores. The new attributes should be written to stdout in a space separated form. A newline should follow after each pair. E.g:
script.test1 value_1
script.test2 An other value
To add the script to the login process, transfer it to the appgate
server and run
ag_cfggetset -s agsh.client_attributes_script /path/to/your_script
A net group is a way to define a group of destination hosts for use in multiple components, such as IP Access components and others.
As an example assume a group of servers, named h1, h2 and h3. Access to those servers may be defined in a number of different Services. It means that the list h1,h2,h3 is used as "Destination hosts(s)" in a number of different places. If another host h4 is needed, it is then necessary to modify all occurrences of h1,h2,h3 and make it into h1,h2,h3,h4. This can be tedious and error prone and the use of net groups can help.
As an example, a net group, called $OURSERVERS can be defined, initially with the Hosts value set to h1,h2,h3. In all the Services and their IP Access components, or other components with a Destination hosts(s) field, it is then possible to refer to the net group by typing in $OURSERVERS instead of the actual host list. If it later on is necessary to add the fourth host, h4, it can just be add it to the definition of $OURSERVERS in the net groups panel and it will affect all components referring $OURSERVERS.
Net groups work much like a variable, it is a pure text substitution that is done on the Destination hosts(s) field of a component before it go into action. This means that it is not limited to only a list of hosts, it can be networks ranges and IP-numbers following the same syntax as for the component where it is referenced.
The name of a net group must be begin with a "$", both in the definition and when it is referenced. It is recommended, though not required, to write them in all uppercase letters.