About Intelligent Application Gateway 2007

Applies To: Intelligent Application Gateway (IAG)

Whale Communications Intelligent Application Gateway (IAG) 2007 provides remote access to applications, networks, and internal resources from diverse client endpoints. You can allow access to multiple internal applications through a single IAG portal, or to a single Web application. Endpoint security management enables policy-based access control, user authentication, and portal application authorization.

IAG provides content inspection and deep application-level filtering. It blocks potentially malicious traffic with positive-logic and negative-logic rules that identify errant commands and syntax, and it reduces the urgency of server software updates by providing protection from zero-day attacks.

Because IAG is application aware, it can address application-specific issues, including security concerns and functionality requirements. This ability enables organizations to customize the behavior of specific applications when they are accessed remotely. IAG provides out-of-the-box support for key applications. This support is optimized for each application type and includes features such as URL inspection and the wiping of sensitive information that Web browsers might record when connecting to an IAG server. In addition, the application-aware approach provides tools and interfaces that allow you to define, for each application individually, settings that are not supported out of the box.

Access control

IAG provides secure, Web-based access to internal applications and data, including the following:

  • Differentiated and policy-driven access to network, server, and data resources.

  • Flexible application-intelligent SSL VPN connections from many devices and locations.

  • Highly granular access and security policy enforced at the session, application, and functionality levels.

  • Comprehensive user authentication.

  • Customizable, identity-based Web portal with single sign-on.

  • Handling of embedded browser applications.

  • Connectivity and control for client/server and legacy applications.

Asset protection

Integrated application protection helps ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks, as follows:

  • An application-layer firewall blocks non-conformant requests on application protocols, such as buffer overflow or SQL injection attempts.

  • Comprehensive protocol validation and deep content inspection with both positive and negative logic rule sets.

  • URL cloaking and full functionality for remote users through dynamic URL rewrite and HTTP parameter filtering.

  • Application optimizers provide out-of-the-box protection for a wide range of applications.

  • Comprehensive monitoring and reporting integrates with third-party platforms.

  • Extensible infrastructure and tools for custom application publishing and scripting.

Safeguard information

Comprehensive policy enforcement helps drive compliance with legal and business guidelines that require information usage criteria to limit exposure and liability when accessing sensitive corporate data:

  • Helps ensure network integrity by restricting client access based on endpoint security profiles.

  • Strong endpoint security management and verification helps ensure endpoint health compliance and session control.

  • Helps enforce policy controls over actions within an application.

  • Cache-cleanup tailored to specific applications removes downloaded files and pages, URLs, custom caches, cookies, history, and user credentials.

  • Detects endpoint security state.

IAG architecture

IAG architecture consists of the following four elements:

  • SSL VPN platform

  • Endpoint security

  • Application security

  • Unified policy management framework

The IAG integrated approach rests on an architecture that functions across the client, proxy, and the IAG server, and it is managed through a single policy engine. The gateway functions at the application layer, terminating both inbound and outbound communications and parsing traffic through full inspection at the application layer. The ability to understand traffic flows within the context of specific applications is the foundation for the IAG application-specific optimizers, and underpins the ability of IAG to enforce endpoint policy at the browser. This application intelligence allows IAG to extend enterprise application access to unmanaged endpoints without creating risks to network integrity; it avoids having to resort to tunneling at the network layer and jeopardizing back-end resources. In addition, the underlying application intelligence of IAG provides the ability for administrators to create granular access control policies in order to cordon off parts of an application or network files, based on user profiles.

IAG incorporates a native host-checker engine that can be customized to detect third-party antivirus software or personal firewalls, and to support integration with third-party inspection tools. This engine can also extend further into the client-side and detect virtually any metric or watermark used by an organization in order to tag an asset.

Connectivity options

In order to support a wide variety of applications, IAG supports the following connectivity options:

  • Web proxy, for the support of Web applications. The content translation engine removes the need for a client component, enabling pure browser access.

  • The IAG SSL Wrapper component and the inherent IAG Socket Forwarding component enable access to non-Web applications, such as Citrix and Telnet, based on specific application knowledge. It utilizes ActiveX and Java applet controls for SSL tunneling.

  • IAG Network Connector turns remote clients into part of the corporate network, supporting full connectivity to the internal network over a virtual transparent connection. It enables IAG to support split tunneling configurations and affords greater network reliability and performance.