Pulse Connect Secure, Summaries of Engineering

Pulse Connect Secure Description

Typology: Summaries

2016/2017

Uploaded on 09/14/2017

ntinos-kanellopoulos

© 2015 by Pulse Secure, LLC. All rights reserved
Pulse Connect Secure
CIE Best Practices Guide
Product Release 8.2
Document Revision 1.0
Published: 2015-12-21

Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose, CA 95134 http://www.pulsesecure.net © 2015 by Pulse Secure, LLC. All rights reserved

Pulse Secure and the Pulse Secure logo are trademarks of Pulse Secure, LLC in the United States. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Pulse Secure, LLC assumes no responsibility for any inaccuracies in this document. Pulse Secure, LLC reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Pulse Secure product that is the subject of this technical documentation consists of (or is intended for use with) Pulse Secure software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.pulsesecure.net/support/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

  • List of Tables
  • About This Guide
    • Document Conventions
    • Requesting Technical Support
    • Self-Help Online Tools and Resources
    • Opening a Case with PSGSC
  • PART 1 Creating CIE-Compatible Web Applications
  • CHAPTER 1 Creating CIE-Compatible Web Applications
    • CIE Overview
      • Content Types Supported Through the CIE
    • HTML Support Through the CIE
      • Use Well-Formed HTML
      • Use Standard HTML
      • Specify the Correct Content Type
      • Construct URLs Using RFC Standards
      • Use a Supported HTTP header
      • Set Character Encoding Through META Tags
      • Avoid Browser-Specific Code
      • Do Not Use Multiple BASE Tags
      • Do Not Embed an “

About This Guide

  • Document Conventions
  • Requesting Technical Support

Document Conventions

Table 1 defines notice icons used in this guide.

Table 1: Notice Icons

| Meaning | Description |
|---|---|
| Informational note | Indicates important features or instructions. |
| Caution | Indicates a situation that might result in loss of data or hardware damage. |
| Warning | Alerts you to the risk of personal injury or death. |
| Laser warning | Alerts you to the risk of personal injury from a laser. |
| Tip | Indicates helpful information. |
| Best practice | Alerts you to a recommended use or implementation. |

Requesting Technical Support

Technical product support is available through the Pulse Secure Global Support Center (PSGSC). If you have a support contract, then file a ticket with PSGSC.

  • Product warranties—For product warranty information, visit http://www.pulsesecure.net.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Pulse Secure, LLC has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

  • Find CSC offerings: http://www.pulsesecure.net/support
  • Search for known bugs: http://www.pulsesecure.net/support
  • Find product documentation: http://www.pulsesecure.net/techpubs/
  • Find solutions and answer questions using our Knowledge Base: http://www.pulsesecure.net/support
  • Download the latest versions of software and review release notes: http://www.pulsesecure.net/support
  • Search technical bulletins for relevant hardware and software notifications: http://www.pulsesecure.net/support
  • Open a case online in the CSC Case Management tool: http://www.pulsesecure.net/support
  • To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: http://www.pulsesecure.net/support

Opening a Case with PSGSC

You can open a case with PSGSC on the Web or by telephone.

  • Use the Case Management tool in the PSGSC at http://www.pulsesecure.net/support.
  • Call 1-844 751 7629 (Toll Free, US). For international or direct-dial options in countries without toll-free numbers, see http://www.pulsesecure.net/support.

CHAPTER 1 Creating CIE-Compatible Web Applications

  • CIE Overview
  • HTML Support Through the CIE
  • JavaScript Support Through the CIE
  • Framed Toolbar Support Through the CIE
  • CSS Support Through the CIE
  • Java Support Through the CIE
  • Microsoft Silverlight Support
  • VBScript Support Through the CIE
  • ActiveX Support Through the CIE
  • Flash Support Through the CIE
  • XML Support Through the CIE
  • PDF Support Through the CIE
  • Content Types Supported Through Pass-Through Proxy
  • Determining When to Use the CIE vs. Pass-Through Proxy

CIE Overview

One of the core technologies that Pulse Connect Secure offers is the Content Intermediation Engine (CIE), a highly advanced parser and rewriter. The CIE retrieves Web-based content from internal Web servers and changes URL references and Java socket calls so that all network references point to Pulse Connect Secure.

For instance, when an authenticated user clicks a link, the request goes to Pulse Connect Secure. Pulse Connect Secure performs intermediation by parsing the incoming link to determine the internal destination server and then forwarding the request to that internal server on behalf of the end-user. In other words, Pulse Connect Secure acts as the internal server to the end-user and acts as an end-user to the internal server. This intermediation process provides protection and clear separation between end-users and internal resources.

In order to successfully intermediate Web applications, the CIE must successfully locate all links within a page and rewrite them accurately. The CIE guide provides guidelines to Web application developers and user interface designers for creating Web applications that the CIE can successfully intermediate. The document provides general recommendations, lists the content-types that Pulse Connect Secure supports, the level of support that Pulse Connect Secure provides for each of the content types, and the language constructs to avoid.

NOTE: The Content Intermediation Engine does not intermediate all types of links. For instance, it does not intermediate ftp, rtsp, mms, and mailto links.

Content Types Supported Through the CIE

The Content Intermediation Engine fully supports Web applications written in standard HTML, JavaScript, VBscript, and Java. There are a few corner cases, however, in which these content types are sensitive to intermediation and parsing. If this document does not contain information about a content type, the Content Intermediation Engine does not officially support it, but the content type may still work through Pulse Connect Secure.

Related Documentation

  • CIE Best Practices Guide

HTML Support Through the CIE

The Content Intermediation Engine fully supports native HTML 4.0. When creating HTML content, however, please adhere to the guidelines in the following sections.

Use Well-Formed HTML

We recommend that you run your HTML through an HTML syntax checker to ensure that the HTML is well-formed. This process eliminates the possibility of poorly formed HTML with missing information such as end tags and right brackets. Although the Content Intermediation Engine is powerful enough to successfully intermediate invalid HTML, it is safer to write valid and well-structured HTML.

Use Standard HTML

We recommend that you use standard HTML in your Web pages. For example, use the standard format: Click Here

instead of the more rare format: Click Here

Specify the Correct Content Type

The Content-Type header in your Web page should match the actual content of the document. For example, do not send a content type of text/html if the content is XML.

Construct URLs Using RFC Standards

Follow the URL specification available at http://www.faqs.org/rfcs/rfc1738.html when constructing URLs in HTML pages. Avoid using HTML escape codes in the URLs. Use forward slashes ('/') in URLs instead of backward slashes ('\').

Do Not Embed an “label

link\”)’”);

Instead, use variables as shown in this example: document.write(“

For complete and up to date product support, see the Pulse Connect Secure Supported Platforms Guide located on the Pulse Secure website.

Support for both audio and video multimedia traffic is available without the need for any additional plug-ins. HTML5 support can scale to thousands of users, which remains on par with the standard support for rewriter sessions. Remote Desktop Protocol (RDP) access in Pulse Connect Secure can be delivered over HTML5, via third-party RDP, through a WebSockets translator.

JavaScript Support Through the CIE

The Content Intermediation Engine handles complex uses of JavaScript, including menu animation, field validation, pop-up windows, frame manipulation, and calendar functions. In addition, the Content Intermediation Engine also supports standard and advanced JavaScript functions such as setTimeout, setInterval, and insertAdjacentHTML. When creating JavaScript content, however, please adhere to the guidelines in the following sections.

Use Straightforward JavaScript

Even though the Content Intermediation Engine is sophisticated enough to handle complex constructs in JavaScript, it may have trouble processing code whose purpose is obscured by multiple levels of indirection. We recommend that you write your code in a straightforward fashion in order to enable the Content Intermediation Engine to capture all the URL references.

Usage of document.write

The Content Intermediation Engine supports the use of document.write. We recommend the following guidelines when using document.write:

  • Do not use base href’s in document.write.
  • Avoid writing nested script tags in document.write. If you must write nested script tags in a document.write, break the string “

Avoid Complicated Constructs in the eval() Function

The server cannot intermediate JavaScript code that dynamically generates and executes on the browser such as the eval() function. Instead, Pulse Connect Secure inserts a client-side JavaScript parser into the rewritten page in order to parse and rewrite the dynamically generated code. However, the client-side parser is not as sophisticated as the server-side intermediation engine. As a result, Pulse Connect Secure sometimes accurately rewrites code inside a

properly rewrite more complicated statements such as nested with statements since it is difficult to distinguish local variable references from property references on an object.

For example: foo = 1;

is a local variable but: with (obj) { foo = 1; }

In this example, it is difficult to determine if foo is a local variable or a property of obj. Pulse Connect Secure uses heuristics to trap the common combinations of objects and properties but this practice obviously does not translate to a general solution. For that reason, we recommend that you avoid the use of with.
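The ambiguity described above can be observed at run time. This is an added example, not code from the guide: `runWith`, `whereDidTheWriteGo` and the intranet.example URLs are constructed for illustration, and the body is compiled with the Function constructor because `with` is rejected in strict-mode and module code.

```javascript
// The statement text `location = url` is identical in every call below;
// only the runtime shape of `obj` decides what it writes to.
const runWith = new Function("obj", "url", `
  var location = "local-default";   // local variable of this function
  with (obj) { location = url; }    // property of obj, or the local?
  return location;                  // value of the local afterwards
`);

// Report where the assignment inside `with` actually landed.
function whereDidTheWriteGo(obj, url) {
  const localAfter = runWith(obj, url);
  return {
    wroteToObject: obj.location === url,
    wroteToLocal: localAfter === url,
  };
}

// Constructed inputs: one object that has a `location` property, one that
// does not, and one that only inherits it from its prototype.
const NEW_URL = "http://intranet.example/new";
const withProperty = whereDidTheWriteGo({ location: "http://intranet.example/old" }, NEW_URL);
const withoutProperty = whereDidTheWriteGo({}, NEW_URL);
const inheritedProperty = whereDidTheWriteGo(
  Object.create({ location: "http://intranet.example/old" }), NEW_URL);

console.log({ withProperty, withoutProperty, inheritedProperty });
```

A rewriter that sees only the source text has no way to know which of the three cases applies, which is why the guide falls back on heuristics here.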

IFRAME Objects Must Contain an src Attribute

IFRAME objects must contain an src attribute to avoid the secure/non-secure warning. For example, the rendering of the following IFRAME results in a secure/non-secure warning.

    var ifrm = document.createElement("IFRAME");
    ifrm.id = foo;
    ifrm.height = 100;
    ifrm.width = 100;
    document.body.insertAdjacentElement("bar",ifrm);

Use frames.length Instead of frames[0]

When checking for the existence of frames in a document that may not contain any frames, use frames.length instead of frames[0].

Setting a Cookie and Accessing the Cookie Through JavaScript

A cookie is not available through JavaScript unless the HTML body exists in the response to the page where the cookie was set. That is, if you are setting a cookie in an HTML response and want that cookie to be available in JavaScript, the response body must contain some HTML content.

For example, the following web page will not work:

1. Set a cookie, myURL, on a 302 response.

2. The 302 response does not contain any HTML but contains JavaScript.

3. In the onunload function in the JavaScript, access the myURL cookie.

4. The cookie is not accessible.

Understand the Number of Cookies You Can Set

Most browsers have an upper bound on the number of cookies that you can set on the client-side through the use of document.cookie. You cannot use the maximum number of cookies allowed by the browser, however, since Pulse Connect Secure sets cookies as well.

In most deployments, Pulse Connect Secure manages configuration information by setting up to four cookies. (Depending on the options chosen by the Pulse Connect Secure administrator, this number might be smaller.) Therefore, your Web application can set the maximum number of cookies allowed by the browser minus four. Deployments that use the eTrust SiteMinder server, however, must set fewer cookies, since Pulse Connect Secure sends cookies to the Web browser to enable single sign-on between SiteMinder and Pulse Connect Secure.

Use ASCII Characters

To render pages through the CIE engine correctly, avoid non-ASCII characters such as ` and ñ in JavaScript.

Selective Rewriting Resource Policy for a POST URL

If the ACTION URL for a FORM POST is being generated on the client-side in JavaScript, a selective rewriting resource policy for the ACTION URL may not work.

To work around this issue:

1. Change the web application so that the ACTION URL is in static HTML. For example,

2. Change the POST to a GET.

Comments in Assignment Statements

Comments inserted in the middle of the right-hand side of an assignment statement in JavaScript are not supported. For example, the following statement is not supported through the CIE engine: foo = foo.replace(/class=/,''). //replace(/

]

>/,'

'). replace(/ style=""/,'');

Mixing JavaScript and Static Content

Pages where the OBJECT tag or the APPLET tag is partly written in JavaScript and partly as static content do not function well within the engine. To ensure correct functionality, write the complete tag through static text or through JavaScript.

Miscellaneous

In addition to the issues outlined in the previous sections, also keep the following guidelines in mind when creating JavaScript content:

  • Avoid using variables that indirectly assign URL references to native JavaScript objects using the array format rather than the regular dot format. For example:

        document["location"] = "http://www.yahoo.com";

    and

        var d = document;
        var l = "location";
        d[l] = "http://www.yahoo.com";

    Instead, use:

A document with BASE with a specific target

...beginning of the document...

  • The parent variable—You can use the parent variable from within a frame set (see exception that follows), but do not use the parent variable if your Web page does not include a frame set. Also, do not use the parent variable from a JavaScript function within your topmost frame set. If you do, the application does not behave as you intend. Instead, when Pulse Connect Secure intermediates the page, the variable references the Pulse Connect Secure frame set instead of your intended document.
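A pre-deployment check for several constructs the JavaScript guidelines above advise against. This is an added example, not part of the Pulse Secure guide or product; `lintForCie`, the rule names and the sample script are constructed for illustration.

```javascript
// Heuristic line-based lint. It is a regex scan, not a parser, so it can flag
// text inside strings or comments and cannot see fully indirect forms such
// as d[l] = url.
const CIE_RULES = [
  { id: "with-statement", re: /\bwith\s*\(/,
    advice: "avoid with; local and property references become ambiguous" },
  { id: "eval-call", re: /\beval\s*\(/,
    advice: "avoid complicated constructs in eval()" },
  { id: "bracket-location", re: /\[\s*["']location["']\s*\]\s*=(?!=)/,
    advice: "assign URLs with the regular dot format" },
  { id: "frames-index", re: /\bframes\s*\[\s*0\s*\]/,
    advice: "test frames.length instead of frames[0]" },
  { id: "base-in-document-write",
    re: /document\.write(ln)?\s*\(.*<base\b[^>]*\bhref/i,
    advice: "do not use base href in document.write" },
  { id: "non-ascii", re: /[^\x00-\x7F]/,
    advice: "use ASCII characters in JavaScript" },
];

// Return one finding per (line, rule) match, with 1-based line numbers.
function lintForCie(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of CIE_RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: i + 1, rule: rule.id, advice: rule.advice });
      }
    }
  });
  return findings;
}

// Constructed sample script (not from the guide).
const SAMPLE_SCRIPT = [
  'var target = "http://intranet.example/home";',
  'document["location"] = target;',
  'with (document) { title = "x"; }',
  'if (frames[0]) { init(); }',
  'eval("go(\'" + target + "\')");',
  'var name = "señor";',
  'document.write("<base href=\'/app/\'>");',
  'if (frames.length > 0) { document.location = target; }',
].join("\n");

// Compact "line:rule" view of the findings for the sample.
function lintSample() {
  return lintForCie(SAMPLE_SCRIPT).map((f) => f.line + ":" + f.rule);
}

console.log(lintSample());
```

The variable-indexed form `d[l] = ...` passes this scan unflagged, so code review still has to catch it.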

CSS Support Through the CIE

The Content Intermediation Engine supports cascading style sheets. When using cascading style sheets, make sure to set their content types to text/css. If you set an incorrect content type, errors could occur through the Content Intermediation Engine. Note that Pulse Connect Secure does not support JavaScript in cascading style sheets.

Java Support Through the CIE

Java class files contain compiled Java byte-code, which the Java Virtual Machine interprets and executes. When Pulse Connect Secure encounters this byte-code, it rewrites the compiled Java without decompiling it. The rewritten byte-code redirects all HTTP(S) and socket-based network communication to an intermediate proxy server via secure HTTPS tunneling. This approach provides a secure and portable proxy mechanism for Web-based client/server applications that utilize client Java applets. The Java rewriting technology is available on the Sun JVM (version 1.4.1+) and MS JVM platform.

NOTE: The process of rewriting Java code may affect performance. To improve the performance of Java applications, we recommend using the Enable Java instrumentation caching option in the Maintenance > System > Options page of the Pulse Connect Secure Web console. For more information, see Templates Feature Guide.

Supported Java Classes and Methods

Pulse Connect Secure supports most network related classes and methods through the Java rewriting engine. In general, as long as the Java applet uses TCP and the network traffic is initiated from the client, Pulse Connect Secure supports the applet. The following table lists Java classes and corresponding methods that are supported through the Content Intermediation Engine.

Table 2: Supported Java Classes and Methods

| Supported Java class | Corresponding methods |
|---|---|
| java.applet.Applet | All methods |
| java.applet.AppletContext | showDocument |
| javax.swing.JApplet | All methods |
| java.net.Socket | All methods |
| java.net.URL | getHost, getPort, getFile, getProtocol, openStream, openConnection, toString |
| java.net.HttpURLConnection | setRequestProperty |
| java.net.URLConnection | setRequestProperty |
| java.net.InetAddress | All methods |
| java.lang.reflect.Method | Invoke |
| java.lang.Class | getResource |
| java.lang.ClassLoader | getResource, getResourceAsStream |
| netscape.javascript.JSObject | eval, call, removeMember, setSlot, setMember |
| msxml3.IXMLHttpRequest | Open |
| javax.net.ssl.SSLSocketFactory | createSocket |
| javax.swing.JEditorPane | setPage |
| com.ms.lang.RegKey | getStringValue, getIntValue, getBinaryValue |
| java.util.ResourceBundle | getBundle |

Unsupported Java Functionality

Listed below are Java features that are not supported through the Content Intermediation Engine.

  • Pulse Connect Secure may not support class files written in a proprietary format. To prevent Java intermediation problems with Pulse Connect Secure, ensure that all network-related classes conform to the Sun Java specification. If the class files do not contain standard byte code then Pulse Connect Secure cannot intermediate the content.
  • Pulse Connect Secure does not support Java applets that include a checksum validation verifying that the applet is unaltered. (Pulse Connect Secure cannot support this type of validation since it alters the applet’s byte code during intermediation.) Instead, you should use the standard code-signing procedures to secure the applet.
  • Pulse Connect Secure does not support Java applet connections that initiate from the server. If the applet contains server-initiated connections through the use of the ServerSocket class, then the applet does not work through Pulse Connect Secure.
  • Pulse Connect Secure does not support Java applets that make UDP connections.
  • Pulse Connect Secure does not support Java applets that use Java Remote Method Invocation (RMI) Technology.