Thin Client SSL connection

Rich Cassell
Posts: 77
Joined: Mon Aug 24, 2009 11:22 pm
Location: Nottinghamshire, UK

Thin Client SSL connection

Postby Rich Cassell » Wed Jan 25, 2012 4:32 am

Hi,

We have a thin client user who has said that they no longer want to use VPNs on their network and need a new way to access the software. We have a web application which can be used but it's an ongoing development and does a fraction of what the thin client can do, so they're not wanting to move onto it. We've found that you can add sections into the INI files at both the client and server ends which allow an SSL connection for the thin client, however, we're having problems getting it to work.

At the moment, I'm only trying to get the very basic set up working without any emphasis being placed on certificates etc (I'm using an empty test system for this). So far, I've added the following attributes to the relevant sections in each INI file:

-- Server Side --
[JadeAppServer]
RPCEncryptionEnabled=true
RPCEncryptionHookDLL=SSL_TLS
SSLSecurePort=<portnum>
SSLCertificateFile=C:\Jade62\c_bin\server.pem *Currently using the default server.pem file in the binary directory.

-- Client Side --
[JadeThinClient]
RPCEncryptionEnabled=true
RPCEncryptionHookDLL=SSL_TLS
SSLSecurePort=<portnum>

When set up in this way, I'm getting a proxy error saying that ISA isn't allowing SSL traffic through that port - however I'm confident that it should be doing. We do use a proxy internally, but I get this same error when turning all proxy settings off... even if I remove the Windows Registry entry...!

I've read through various sections of the Jade documentation and can't see why the above set up won't work, albeit with very basic security. I understand the error appears to be un-Jade related but I can't help but think that it must be something missing from the INI files, ISA is definitely allowing SSL through that port.

If anybody has ever set up a thin client connection in this way, any help would be very appreciated.

Cheers!

Rich :)

ghosttie
Posts: 181
Joined: Sat Aug 15, 2009 1:25 am
Location: Atlanta, GA, USA

Re: Thin Client SSL connection

Postby ghosttie » Wed Jan 25, 2012 8:05 pm

There are SSLProxyHost, SSLProxyPort etc. ini settings but I haven't ever actually used them.
I have a catapult. Give me all the money or I will fling an enormous rock at your head.

Rich Cassell
Posts: 77
Joined: Mon Aug 24, 2009 11:22 pm
Location: Nottinghamshire, UK

Re: Thin Client SSL connection

Postby Rich Cassell » Wed Jan 25, 2012 9:28 pm

Hi ghosttie

Thanks for your reply.

Yeah, there are a few other parameters that I am not using which may be the problem. The Proxy ones you mentioned are the most likely to be needed as it's a proxy error I am getting. I have tried to use them in various ways but I never seem to get any different results. I imagine I'm using them wrong though to be honest...

torrie
Posts: 92
Joined: Fri Aug 14, 2009 11:24 am

Re: Thin Client SSL connection

Postby torrie » Wed Jan 25, 2012 9:37 pm

Jade should pick up the settings for the Proxy from the Windows Settings (see the SSL Security settings section in the Object Manager PDF)

We've upgraded from ISA to Forefront TMG and can no longer run the PARSYS application which uses an SSL connect to Jade. The firewall tries to inspect the traffic (as it does with HTTPS connections) but there is something that stops it working. I think it may be something to do with the names on the certificates, but I've yet to work this out.

Are you able to get this working internally without ISA server being in the mix?

Rich Cassell
Posts: 77
Joined: Mon Aug 24, 2009 11:22 pm
Location: Nottinghamshire, UK

Re: Thin Client SSL connection

Postby Rich Cassell » Wed Jan 25, 2012 11:40 pm

Hi Torrie,

No, we get the same error internally too. As you say, the proxy settings seem to be picked up automatically which is why I haven't explicitly defined them in the INI parameters. Additionally, I also forgot to point out that we're running 6.2.17... I thought I'd mention it just in case these settings are for 6.3 only... Although being as though we're getting half way there, I imagine it's not a problem.

Cheers,

torrie
Posts: 92
Joined: Fri Aug 14, 2009 11:24 am

Re: Thin Client SSL connection

Postby torrie » Thu Jan 26, 2012 6:58 am

When running internally, have you tried adding the IP address / FQDN of the Application Server to the Proxy Exceptions in IE? (see the Advanced Proxy settings in IE.) Is IE configured to ignore the proxy for local addresses?

Rich Cassell
Posts: 77
Joined: Mon Aug 24, 2009 11:22 pm
Location: Nottinghamshire, UK

Re: Thin Client SSL connection

Postby Rich Cassell » Thu Jan 26, 2012 9:36 pm

IE is already configured to bypass the proxy for local addresses. I hadn't thought about setting up a Proxy Exception for the App Server but this doesn't seem to have changed anything.

Cheers for your help so far!

Rich :)

torrie
Posts: 92
Joined: Fri Aug 14, 2009 11:24 am

Re: Thin Client SSL connection

Postby torrie » Thu Jan 26, 2012 9:46 pm

Just trying to eliminate the obvious, but is the app server on a server with a firewall e.g. Windows Server 2008? Do you need to punch a hole for the SSL port?

I often use telnet (an optional feature in Windows) to check TCP connections. If running the following results in a black screen with a cursor, then you can connect to that server on the port.

Telnet <Server Name> <Port No>

Once you get a black screen (a telnet screen), you can press Ctrl + ] to escape the telnet session and then type Exit to close telnet.

If telnet returns a connection error, then I would look for network issues.

Rich Cassell
Posts: 77
Joined: Mon Aug 24, 2009 11:22 pm
Location: Nottinghamshire, UK

Re: Thin Client SSL connection

Postby Rich Cassell » Tue Jan 31, 2012 1:27 am

Hi Torrie,

Eliminating the obvious is good! I'm sure it'll be something obvious in the end!

Our network support team have assured us that the port is open and not in use etc. Just to be sure though, I have attempted a telnet as you suggested and it connected fine.

Rich
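
Added example (not part of any post in this thread, and not JADE code): the telnet test above shows only that the TCP port is reachable, so this Python script also attempts a TLS handshake and records the certificate presented, which separates a network problem from a TLS problem or an inspecting proxy such as the TMG case torrie describes. It assumes the secure port speaks TLS from the first byte; `probe`, `verdict` and the expected-fingerprint argument are hypothetical names.

```python
import hashlib
import socket
import ssl
import sys


def probe(host, port, timeout=5.0):
    """Report how far a connection to host:port gets: TCP only, or TLS too."""
    result = {"tcp": False, "tls": False, "cert_sha256": None, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"TCP connect failed: {exc}"
        return result
    result["tcp"] = True  # this is all a telnet test establishes

    # Assumption: the port expects a TLS ClientHello straight after connect.
    # Diagnostic only: verification is off so any certificate can be recorded.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            result["tls"] = True
            result["cert_sha256"] = hashlib.sha256(der).hexdigest() if der else None
            result["detail"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        result["detail"] = f"TLS handshake failed: {exc}"
    finally:
        sock.close()
    return result


def verdict(result, expected_sha256=None):
    """Turn a probe result into the next place to look."""
    if not result["tcp"]:
        return "network: port unreachable"
    if not result["tls"]:
        return "tls: port open but handshake failed"
    if expected_sha256 and result["cert_sha256"] != expected_sha256.lower():
        return "intercepted: certificate differs from the expected one"
    return "ok"


if __name__ == "__main__":
    # usage: python probe.py <Server Name> <Port No> [expected sha256 hex]
    r = probe(sys.argv[1], int(sys.argv[2]))
    print(r, verdict(r, *sys.argv[3:4]))
```

Run it once from the application server itself and once from a client behind the proxy: a fingerprint that changes between the two runs means something in the path is re-signing the connection.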

