Posted 19-Dec-2015

Rendezvous – a DIY VPN (profiting from mobile access to the enterprise)

Rendezvous Server

ObjectValue

04/18/23 2

AppGate

AppGate Network Security specialises in providing extremely secure network solutions, such as application VPNs, personal firewalls and application access control systems.

AppGate Network Security ties together all the pieces of security technology in one easy-to-use system. AppGate solutions work in both fixed and wireless network environments, with a broad range of client systems. It scales from small organisations up to enterprise-level customers, supporting thousands of users.

That is why AppGate Network Security has customers among the largest and most prestigious corporations in the world.


Zühlke Engineering – Genuine Breadth and Depth in IT & Technology Consultancy

Services

• Bespoke Systems Developments

• Coaching and Mentoring

• Project Resources

• Consulting

• Training

Disciplines

• Iterative Development Methods

• System Architecture Design & Realisation

• Enterprise Application Integration (EAI)

• Web Services

• Mobile Computing

• Information Security

• Technical Reviews

• Software Audits

• Evaluation of Methods, Tools and Components


ObjectValue Ltd.

• One-man wireless and IT consultancy

• Worked as a partner of AppGate to develop and test the Rendezvous concept

• Company still exists, but its staff are working full-time for Zühlke

• http://www.objectvalue.com/


The Problem

• Hypothesis: equipping knowledge workers with mobile access to enterprise applications leads to better productivity

  E-mail, Scheduling, Contacts, Intranet Web servers, ERP, CRM, Custom applications, etc.

• People need proof: a user trial lasting at least a few weeks provides the clearest evidence of Return on Investment (ROI)

• Technology trailblazers depend on expensive infrastructure upgrades to connect their mobile devices to the company network

• How can users be empowered to try the technology without having to justify the business case in advance and wait for the IT dept.?


Rendezvous concept

Using an AppGate, companies can already give their mobile workers secure, always-on, remote access to services such as corporate email, CRM systems, etc.

The Rendezvous concept takes a standard AppGate server and re-uses it in a new way to give smaller companies/teams the same benefits, but without the need to invest in an AppGate server themselves.

The Rendezvous software has been developed by one of AppGate’s partners, ObjectValue Ltd., and supports the same range of platforms as the AppGate client (Windows, MacOS, Linux, etc.).


AppGate Rendezvous Server

Hosted outside a company’s firewall, the Rendezvous Server gives individual users working outside the office secure access to chosen services within the office.

[Diagram: Remote Worker over GPRS, secured connection to the appGATE server hosting the Rendezvous Server, secured connection on to the Protected Network with its application servers and data]


AppGate Rendezvous Server

Typical office user connected to office services (such as email server)

[Diagram: office user (xxxx) inside the Protected Network connected directly to the application servers and data]


AppGate Rendezvous Server

User opens connection to AppGate using the normal client (via proxy if required), selected ports are forwarded and the Rendezvous client is started automatically.

[Diagram: office PC (xxxx) in the Protected Network opens an AppGate client connection to the appGATE server; the application servers and data stay inside the Protected Network]


AppGate Rendezvous Server

Ports in the range 2xxxx on the client are forwarded to the same port number on the AppGate itself. This is the port number on which the Rendezvous Server listens for connections from its office client.

[Diagram: office PC (xxxx) in the Protected Network with its 2xxxx ports forwarded to the appGATE server, where the Rendezvous Server listens; application servers and data inside the Protected Network]


AppGate Rendezvous Server

Rendezvous Server and client together act as a virtual firewall router, relaying connection requests from the mobile device to office services (such as the email server).

[Diagram: Rendezvous Server on the appGATE server and the office Rendezvous client (xxxx) relaying to the application servers and data in the Protected Network]


AppGate Rendezvous Server

Leaving the office client running, the user later connects to AppGate from a remote location with the same ID, and so establishes the second of a pair of connections

Ports in the range xxxx on the client are forwarded to 1xxxx on the AppGate itself – so for sending mail via SMTP, local port 25 on the mobile device would be forwarded to port 10025 on the AppGate

[Diagram: Remote Worker over GPRS connected to the appGATE server]


AppGate Rendezvous Server

The Rendezvous Server associates the corresponding 1xxxx and 2xxxx ports internally based on the user ID, establishing a fully secured end-to-end tunnel from the mobile user via the PC in the office to the application server.

[Diagram: Remote Worker (GPRS) -> 1xxxx on the appGATE server, where the Rendezvous Server pairs it with 2xxxx -> office PC (xxxx) in the Protected Network -> application servers and data]


Demonstration

[Embedded QuickTime demonstration video; not available in this transcript]


Working at the application layer

AppGate client opens just one secure tunnel through the firewall to the server on port 22 (normally)

The connections for each service are multiplexed through this tunnel – by default 5 connections are allowed

Each connection simply lets the client see a remote port on the AppGate server; the AppGate server cannot look back into the network.

The AppGate client can link only the 5 default connections to the AppGate server, e.g. 20025 to 20025, 20110 to 20110 etc.

Using the Rendezvous client, users choose which of the default connections they need

[Diagram: application tunneling, with the pop3, smtp and intranet connections multiplexed through the single port 22 tunnel]


Accessing intranet Web servers

To resolve intranet URLs, DNS lookups must be made within the office network, so a proxy server is used. The mobile browser is configured to use localhost:8080 as its proxy.

Rendezvous relays HTTP requests to the real proxy server in the office.

[Diagram: Remote Worker browser (proxy localhost:8080) over GPRS -> 18080 on the appGATE server / Rendezvous Server -> 28080 -> office proxy server (8080) in the Protected Network -> web servers (80)]
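The slides describe the 1xxxx/2xxxx pairing, the per-service multiplexing and the proxy case in pictures. The following is an added example written for this page, not code from AppGate or ObjectValue: a toy rendezvous relay in Python that listens on a 1xxxx/2xxxx port pair per service, pairs each arriving mobile connection with an office-side connection that is already waiting, and copies bytes both ways. The relay is the same whether the service is SMTP on 25 or the intranet proxy on 8080; only the port pair changes. The bases 10000/20000, the service names, the idea that the office client parks connections in advance (which is what lets several mobile users share one office client, as the next slide describes), and the refuse-after-timeout behaviour when no office client is present are all assumptions of this example; the deck does not say how the product does this.

```python
import contextlib
import queue
import socket
import threading

# Offsets inferred from the deck's SMTP example (25 -> 10025 mobile side, 20025 office side);
# treating them as fixed bases for every service is an assumption of this example.
REMOTE_BASE, OFFICE_BASE = 10000, 20000          # 1xxxx and 2xxxx ports on the AppGate
DEFAULT_SERVICES = {"smtp": 25, "pop3": 110, "intranet-proxy": 8080}   # names are ours

def appgate_ports(service_port):
    """(remote 1xxxx, office 2xxxx) port pair on the AppGate for one service port."""
    return REMOTE_BASE + service_port, OFFICE_BASE + service_port

class RendezvousRelay:
    """Pairs each arriving mobile (1xxxx) connection with one parked office (2xxxx) connection
    for the same service and copies bytes both ways. Assumption: the office client pre-opens
    connections, one per expected session, which lets several mobile users share it."""

    def __init__(self, host, services, wait=5.0):
        # services: {name: (remote_listen_port, office_listen_port)}; port 0 = OS-assigned (tests)
        self.host, self.wait = host, wait
        self.waiting = {n: queue.Queue() for n in services}
        self.listeners = {n: (self._listen(r), self._listen(o)) for n, (r, o) in services.items()}
        self.ports = {n: (r.getsockname()[1], o.getsockname()[1]) for n, (r, o) in self.listeners.items()}
        self._stop = threading.Event()

    def _listen(self, port):
        sock = socket.socket()
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((self.host, port))
        sock.listen(16)
        sock.settimeout(0.2)                      # accept loops re-check stop() every 200 ms
        return sock

    def start(self):
        for name, (rsock, osock) in self.listeners.items():
            threading.Thread(target=self._accept, args=(name, osock, True), daemon=True).start()
            threading.Thread(target=self._accept, args=(name, rsock, False), daemon=True).start()

    def stop(self):
        self._stop.set()
        for sock in sum(self.listeners.values(), ()):
            sock.close()

    def _accept(self, name, lsock, is_office):
        while not self._stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            except OSError:                       # listener closed by stop()
                return
            if is_office:                         # idle office connection: park it for this service
                self.waiting[name].put(conn)
                continue
            try:                                  # mobile side: claim one parked office connection
                office = self.waiting[name].get(timeout=self.wait)
            except queue.Empty:                   # no office client running: refuse rather than hang
                conn.close()
                continue
            for src, dst in ((conn, office), (office, conn)):
                threading.Thread(target=self._pump, args=(src, dst), daemon=True).start()

    @staticmethod
    def _pump(src, dst):
        with contextlib.suppress(OSError):        # copy src -> dst until src closes or errors
            while data := src.recv(4096):
                dst.sendall(data)
        for sock in (src, dst):                   # either side ending the session tears down both
            with contextlib.suppress(OSError):
                sock.shutdown(socket.SHUT_RDWR)

def demo_exchange(relay, name, request=b"EHLO mobile\r\n", reply=b"250 OK\r\n"):
    """Constructed exchange: office client parks one connection, mobile client sends a request,
    office side answers (what it would relay from the real server). Returns what each side saw."""
    rport, oport = relay.ports[name]
    office = socket.create_connection((relay.host, oport))
    remote = socket.create_connection((relay.host, rport))
    remote.sendall(request)
    seen_request = office.recv(4096)
    office.sendall(reply)
    seen_reply = remote.recv(4096)
    for sock in (office, remote):
        sock.close()
    return seen_request, seen_reply

def probe_without_office(relay, name):
    """Mobile connection with no office client parked: the relay closes it, so recv yields b''."""
    with socket.create_connection((relay.host, relay.ports[name][0]), timeout=relay.wait + 5) as remote:
        return remote.recv(16)

if __name__ == "__main__":                        # stand-alone run on loopback with the deck's ports
    relay = RendezvousRelay("127.0.0.1", {n: appgate_ports(p) for n, p in DEFAULT_SERVICES.items()})
    relay.start()
    print(demo_exchange(relay, "smtp"))
    relay.stop()
```

Run directly, it binds 10025/20025, 10110/20110 and 18080/28080 on loopback and shows one SMTP-flavoured request and reply crossing the relay. Note the property the deck relies on: the relay never opens a connection into the office network itself; it only joins two connections that were both opened outbound to it, which is the concrete meaning of "the AppGate server cannot look back into the network".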


Sharing a Rendezvous Client

Where it is not desirable to leave the office PC switched on, the Rendezvous Client and AppGate Client can be set up to run on an office server (e.g. NT, Linux).

Multiple mobile users from the same office can connect to the same Rendezvous Server, and hence the same Rendezvous client, using the same AppGate user ID.

All will access the same set of services, but because they sign in with different network user IDs they will not receive identical information or gain unauthorised access to data.

Users sharing a single instance of the Rendezvous client can connect consecutively or at the same time without interfering with each other.

Security – wherever your business needs it

AppGate Network Security AB

www.appgate.com

[email protected]
