APPX Desktop Client Encryption
Effective with Release 5.0.0, the APPX Desktop Client includes an option to enable SSL encryption for "Remote" APPX Desktop Client sessions.
Overview
Release 5.0.0 or higher of the APPX Desktop Client allows SSL encryption to optionally be enabled for "Remote" APPX Desktop Client sessions when connecting to APPX Server 5.0.0 or higher. The APPX Desktop Client SSL encryption feature encrypts all data transmitted between the APPX Desktop Client and the APPX Server including login ID, password, all session data, all reports printed by the client, and all files transferred between the client and the server. The APPX Desktop Client can only establish an encrypted SSL connection with an APPX Server that has an
APPX Login Manager that supports and that has been properly configured to accept SSL connection requests from the various types of APPX clients. The APPX Login Manager on the APPX Server may be configured to either require that an APPX Desktop Client that is requesting a connection must use SSL encryption, to only use SSL encryption if so requested by the APPX Desktop Client that is requesting a connection, or to only accept "clear text" connections from an APPX Desktop Client that is requesting a connection. If an SSL session is initiated, the APPX Login Manager may further require that the APPX Desktop Client identify itself by providing an acceptable SSL certificate [Note: This feature is not yet implemented by the APPX Desktop Client].
APPX Desktop Client Handshake
When an APPX Desktop Client connects with an APPX Login Manager to establish a client session with an APPX Server, the first step is to complete a "handshake". The handshake exchanges version and configuration information between the APPX Desktop Client and the APPX Login Manager. This information is used to determine whether the connection should use enable SSL encryption or use "clear text".
APPX Desktop Client versions prior to 5.0 are not able to connect using SSL. If you want to use SSL, you must upgrade your APPX Desktop Client to version 5.0 or higher. You must also upgrade your server to APPX Server version 5.0 or higher. The following chart shows the types of connections that are technically possible for the various combinations of versions of the APPX Desktop Client and APPX Server. Please note that while it is technically possible for an APPX Desktop Client version prior to 5.0 to connect to an APPX Server version of 5.0 or higher, this combination is not recommended or supported since upward compatibility of old APPX Desktop Client versions with newer APPX Server versions is not assured. The APPX Desktop Client version should always be the same or higher than the APPX Server version with which a session is to be established.
APPX Desktop Client Preferences - SSL
The APPX Desktop Client provides five preferences (parameters) relating to configuring the APPX Desktop Client to use SSL encryption.
- APPX Desktop Client Preferences - SSL:
The SSLMode preference is used to identify the type of connection that the APPX Desktop Client should attempt to establish - either SSL or "clear text". Depending on the value specified for
SSLMode, the other SSL preferences may not always be relevant.
- Required - This option is used to "Require" that the APPX Desktop Client establish an SSL connection with the APPX Login Manager on the APPX Server. In the event that the APPX Login Manager is an older version that does not support SSL connections or if the APPX Login Manager is not configured to allow SSL connections, the client will display an error dialog informing the user that an SSL connection with the requested APPX server is not available. The value of SSLMismatchAllowed will determine if the user is provided with an option to continue with a "clear text" connection.
- Optional - This option is similar to the Required option. However, in the event that the APPX Server does not support or is not configured to support an SSL connection, the client will automatically establish a "clear text" connection without notifying the user. The SSLMismatchAllowed preference is not relevant when this option is specified. Note that not all pre 5.0 servers support this option. If you have trouble connecting and you are connecting to a pre 5.0 sever, you should use the 'Disabled' option below. Most pre 5.0 Windows servers (appxdsvc) do not support this option.
- Disabled - This option is used to "Disable" the APPX Desktop Client's ability to establish an SSL connection. In other words, this option is used to "require" that the APPX Desktop Client establish a "clear text" connection with the APPX Login Manager on the APPX Server. In the event that the APPX Login Manager is not configured to allow a "clear text" connection, the client will display an error dialog informing the user that a "clear text" connection with the requested APPX Server is not allowed. The value of SSLMismatchAllowed will determine if the user if provided with an option to continue with an SSL connection. You may also have to use this option when connecting with pre 5.0 servers if the client hangs when attempting the connection.
SSLAnonAllowed
This preference determines whether or not the APPX Desktop Client is allowed to connect to an APPX Server that does not have an SSL certificate signed by a trusted authority such as Verisign or Thawte.
- True - An SSL connection is allowed whether or not the server has a signed certificate.
- False - An SSL connection is only allowed if the server has a signed certificate.
This preference determines whether or not the user is provided with an option to continue in the event that the required connection type is not available. If set to False, the user will be presented with an Error Dialog Window in the event that the requested type of connection cannot be established. True, the user is given the option of continuing with a different type of connection or cancelling. For example, if
SSLMode is set to Required but the server does not allow SSL connections:
- True - If the requested type of connection, either SSL or "clear text", is not available, the user is provided an option to continue with the type of connection that is available.
- False - If the requested type of connection, either SSL or "clear text", is not available, the connection attempt fails.
SSLSelfSignedAllowed
This preference determines whether or not the APPX Desktop Client is allowed to establish an SSL connection with an APPX Server that has a self-signed SSL certificate.
- True - The connection is allowed
- False - The connection is not allowed
SSLHandshakeTimeout
This preference specifies the length of time in seconds that the client is to wait after attempting to establish an SSL connection with the APPX Login Manager. If the specified amount of time passes without establishing an SSL connection, then the connect request will fail. This option is not relevant when the value of
SSLMode is "disabled".
- An integer 0 through 10, with the default being 3.
APPX Login Manager Parameters - SSL
Please refer to the
APPX Login Manager on the Release 5 features page for information relating to SSL server configuration options.
Limitations:
- The APPX Desktop Client has not yet implemented the feature that will allow a certificate on the client to be provided to the APPX Server.
Enhancement Suggestions:
None yet.
Comments:
Read what other users have said about this page or add your own comments.
SSLMode - The option value should be changed from Pre43 to be NoSSL or PreSSL
--
SteveFrizzell - 19 Sep 2008
--
AlKalter - 04 Apr 2008