Article ID: 955100 - Last Review: July 11, 2008 - Revision: 1.1
Frequently asked questions about the IAG SSL VPN component features
INTRODUCTION
This article describes some frequently asked questions about the Microsoft Intelligent Application Gateway (IAG) Secure Socket Layer (SSL) virtual private network (VPN) component features.
MORE INFORMATION
Q1: How do I determine whether to configure an application to use Socket Forwarder or SSL Wrapper?
A1: The choice of whether to use Socket Forwarder or SSL Wrapper is based on the requirements of the application. Each has unique advantages and disadvantages.
Socket Forwarder
Advantages:
- Administrator credentials are not required every time that the user tries to access an application.
- Multiple traffic routes that have more than one host name and port are allowed per application.
Disadvantages:
- A conflict may occur between the Layered Service Provider (LSP) and the Namespace Provider (NSP).
- Socket Forwarder is available only when you use the ActiveX components and Internet Explorer.
SSL Wrapper
Advantages:
- SSL Wrapper works with ActiveX components in Internet Explorer and with Java components in other browsers.
- SSL Wrapper does not require the installation of LSP and NSP.
Disadvantages:
- Administrator credentials are required for ActiveX components and Java components.
- SSL Wrapper only supports a single server and a single port per application.
A2: Both SSL Wrapper and Socket Forwarder let you tunnel TCP data from a client to the IAG internal network through an SSL tunnel. There are differences in how SSL Wrapper and Socket Forwarder perform this tunneling, and each tunneling implementation has different limitations. In the IAG Configuration console, you can configure the usage of Socket Forwarder or SSL Wrapper on the Client Settings tab of a tunneled application. If you select Disabled for Socket Forwarding Mode, SSL Wrapper is used. If you select Basic, Extended, or VPN for Socket Forwarding Mode, Socket Forwarder is used.
SSL Wrapper characteristics:
- SSL Wrapper works with both ActiveX components and Java SSL Wrapper components. SSL Wrapper can work across a range of browsers and platforms.
- SSL Wrapper is a simple relay that establishes a local listener on the client system.
- When SSL Wrapper runs, it dynamically modifies the hosts file of the client. Host names are mapped to local loopback addresses.
- SSL Wrapper requires administrator credentials to run because only an administrator can modify the hosts file.
Socket Forwarder characteristics:
- Socket Forwarder only works with ActiveX components in Internet Explorer.
- Socket Forwarder can tunnel traffic in a wider range of scenarios than SSL Wrapper.
- Socket Forwarder does not require administrative credentials.
- Socket Forwarder is implemented by LSP and NSP Winsock components that operate transparently on the TCP stack.
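The hosts-file behaviour described for SSL Wrapper can be checked on a client. This added Python example, which is not part of the original article or of IAG, lists the host names that a hosts file maps to loopback addresses and flags any that are not in an expected list. The sample file contents and host names are constructed.

```python
import ipaddress

# Constructed sample: a client hosts file as it might look while a tunneled
# application is active. Host names and addresses are made up for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.2       ts01.corp.example   ts01   # relay entry
127.0.0.3       mail.corp.example
10.1.2.3        fileserver.corp.example
not-an-ip       broken.example
"""

# Names that normally point at loopback and are not worth reporting.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def loopback_mappings(hosts_text):
    """Return {host_name: loopback_address} for every name, other than the
    expected ones, that the hosts file maps to a loopback address."""
    found = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, skip it
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            name = name.lower()
            if name not in EXPECTED_LOOPBACK_NAMES:
                found.setdefault(name, str(addr))  # keep first mapping seen
    return found


def unexpected(hosts_text, allowed_names):
    """Names mapped to loopback that are not in allowed_names, the list of
    tunneled application servers the administrator expects (an assumption)."""
    allowed = {n.lower() for n in allowed_names}
    return sorted(n for n in loopback_mappings(hosts_text) if n not in allowed)


if __name__ == "__main__":
    for name, addr in sorted(loopback_mappings(SAMPLE_HOSTS).items()):
        print(f"{addr:<12} {name}")
    print("unexpected:", unexpected(SAMPLE_HOSTS, ["ts01.corp.example", "ts01"]))
```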
A3: To set the IP address of the SSL VPN destination server dynamically, follow these steps.
Note These steps are performed per user session at run time.
- Open the IAG Configuration console, locate the SSL VPN application that you want to configure, and then open Application Properties.
- Click the Server Settings tab, set 254.254.254.254 as the server's IP address, and then click OK.
- Set up a session parameter in Session Manager to indicate to which IP address a specific session should be connected. The most convenient script to use is the Validate script.
The syntax of the SetSessionParam command is as follows.
Note The cookie placeholder is the cookie of the user session. The port placeholder is the port that is defined for this SSL VPN application on the Server Settings tab. The IP/Host placeholder is the destination IP address or the host name of the server that will receive all SSL VPN traffic for this application. The destination IP address or the host name of the server is also for the specific user session.
SetSessionParam cookie, "PortRelayport", "IP/Host"
Sample configuration
For example, if you are configuring an application whose type is "Terminal Services Web Client," follow these steps:
- Open the IAG Configuration console, locate the SSL VPN application that you want to configure, and then open Application Properties.
- Click the Server Settings tab, set 254.254.254.254 for the server's IP address, leave the "3389" default value for the port, and then click OK.
- In the Validate script, locate the configuration part of the user session, and then add script lines that resemble the following.
Note The <IPaddress> placeholder represents the IP address or the host name of the Terminal Services server. For example, the IP address may be 192.168.10.10.
' Get the cookie that identifies the current user session.
strCookie = GetSessionCookie()
' Destination Terminal Services server for this session.
strTSServer = "<IPaddress>"
' Bind the session to that destination for the application's port (3389).
SetSessionParam strCookie, "RelayPort3389", strTSServer
A4: The SSL VPN tunnel closes when the destination computer has the Fast User Switching feature enabled. Using RDP to access a destination computer that has the Fast User Switching feature enabled is currently not supported.
Q5: Can a Socket Forwarder application be configured to perform Single Sign-On (SSO)?
A5: A Socket Forwarder application cannot be configured to perform SSO. Socket Forwarding mode tunnels traffic at the network level. Socket Forwarder tunneled data is not processed by the IAG filter, and the data cannot be accessed by the IAG filter features, such as SSO, URL Inspection, Host Address Translation, and Application Customization Templates.
Note: This article is from Microsoft Knowledge Base

