Forum Discussion
Christian_15797
Nimbostratus
Aug 25, 2010
Rich clients access application server
Hi
We have a big problem delivering our application under FirePass. I consider our architecture as a standard enterprise application architecture.
Therefore it is surprising that there seems to be no option. It would be great if somebody could tell us how we can operate our application using the FirePass. This is not a basic question because we have tried several configurations and talked for one day with an F5 field engineer.
Our scenario:
- it is a 3-Tier application
- it has MS Windows rich clients
- the application server is MS IIS based (ASP.NET and WCF) web services (SOAP) that handle requests from the clients (using SOAP over HTTP, which is today a very common client-server communication protocol). The client communicates with two different application servers only on port 80 (or 443 if we want).
- the client is deployed either by MS ClickOnce technology or MSI
- the third tier is the database, which is not relevant here, because we only look at the communication between client and application server
- the client runs on machines in the LAN
- the client runs on machines in the WAN (internet) as well and those machines are not in the Windows domain of the application server
- the user is authenticated on the application server against the domain controller (AD) using NTLM
- the application server uses LDAP or a database to authorize client actions (this is custom code and out of scope of this post)
- in the LAN the user is in a single-sign-on scenario (this means our client application passes the NTLM token of the user logged in to the machine to the application server. This is done using the standard mechanisms that .NET and Windows provide, which is very common)
- in the WAN we have FirePass between the client and the application server
Our solutions:
1. We wanted to use static application tunneling to access the application. But FirePass seems to not support single sign-on in this scenario:
   a) the user logs in to the FirePass and starts the application tunnel
   b) then the user starts our client application
   c) our application server is not getting user credentials. Instead our client receives the request to authenticate from the application server (from the IIS).
   This can be easily reproduced by opening an intranet website that is configured using integrated Windows authentication and NTLM using a static application tunnel. I know that for this portal access has a solution, but our client cannot work with portal access because it doesn't run within Internet Explorer.
2. We tried dynamic application tunneling but this is not working because we don't want to configure a path on the client machine and because we have more than one executable running.
3. We tried to "fake Internet Explorer" from our client to log in to the FirePass, to catch the cookies and attach them to the HTTP requests our client makes: This is a hack and we can't get it to work because of the many JavaScripts running. There is now no option left and we are about to conclude that there is no way to operate that modern designed rich client application over FirePass. The only alternative is to operate it using Citrix, which is not satisfactory because our application has some advanced graphical features.
4. We can ask the client twice for credentials: once when he logs into FirePass and second when he starts the application. This is not exactly user friendly.
It would be great if somebody could help us with this issue.
Thanks in advance
Chris