Linux Clients


Client types

There are two types of Linux Client. For a quick overview of the differences, refer to the Client compatibility matrix.

Full

Designed for normal enterprise usage - including pre-installation as part of standard builds

Headless

For installation on unattended machines such as Servers.

Ensure the Client version is designed for use with the associated software OS version - see Download Center

Installing and running the Client

There are separate installers for full and headless.

Configuration settings

To list local firewall rules

sudo iptables -L

Look for the appgate-filter-input/output chains.

Client settings

These are found in

~/.config/appgatesdp-service

In the following file ~/.config/appgatesdp-service/user.settings find <configuration><appSettings> and:

  • to not show the data usage user acceptance screen the first time the client starts:

    <add key="userApprovalPref" value="True" />

  • to prevent device claim scripts from running. Remember that these scripts run with full admin privileges, so they present a security risk:

    <add key="scriptsDisabledPref" value="True" />

To clean all client settings

rm -rf ~/.config/appgate-ui ~/.config/appgatesdp-service ~/.local/share/appgatesdp-service

To remove a Client profile link

Open gnome-keyring (seahorse) or kwallet. Look for "AppGate (Profile:123456etc)".

Open an item and reveal the password to see the profile name.

Delete the required Profile.  

To remove all stored passwords/certificates

Open gnome-keyring (seahorse) or kwallet.

Delete all entries containing 'AppGate'

DNS configuration

The client comes with a "set_dns" script which tries to change the network configuration when connecting to AppGate ZTNA, so that the AppGate ZTNA DNS is called for AppGate ZTNA domains, while the regular DNS remains in charge of resolving everything else.

To achieve this the built-in script runs a dns resolver (dnsmasq) which is executed locally under the name "appgate-resolver". If systemd-resolved is detected to be running, then it will be used instead of dnsmasq. The script resets the network configuration when AppGate ZTNA disconnects.

The set_dns script has some requirements:

  • dnsmasq

  • dbus

  • systemd as pid 1

This was tested against network-manager and wicd.

Since the built-in script cannot cover every network configuration, it is possible to write a custom script, which must use the same command line. More information about the command line can be found by running:

/opt/appgate/linux/set_dns --help

journalctl -u appgatedriver.service | grep set_dns

Any such script must be configured in /etc/appgate.conf, and will then replace the built-in one.

Troubleshooting

If the network configuration is left in a strange state, run the following steps to restore it:

/opt/appgate/linux/set_dns --reset

chattr -i /etc/resolv.conf

mv /etc/resolv.appgate /etc/resolv.conf

Then restart your network manager.

Verifying package files

The Linux installer packages have been signed with GPG using the AppGate public key. Use the relevant tools for each distribution to verify the validity of the package. The AppGate public GPG key can be found inside the installed keyring at /opt/appgate/appgate.gpg and can be downloaded here: appgate.pub

Fingerprint

F36B 319B CE07 48F7 7930 52E6 F600 207F 0680 FA29
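
An added example, not part of the vendor documentation: a POSIX shell check that a key file (the downloaded appgate.pub, or an export from /opt/appgate/appgate.gpg) carries the fingerprint listed above before it is imported with rpmkeys or gpg. The function names and the sample listing are constructed for illustration, and gpg is assumed to be recent enough to support --show-keys.

```shell
#!/bin/sh
# Added example, not vendor code: compare the primary-key fingerprint of a key
# file with the fingerprint published on this page before importing the key.

EXPECTED_FPR="F36B 319B CE07 48F7 7930 52E6 F600 207F 0680 FA29"

# Constructed sample of `gpg --with-colons` output (one primary key, one subkey).
# Every field except the primary fingerprint is made up for illustration.
SAMPLE_LISTING='pub:-:4096:1:F600207F0680FA29:1500000000:::-:::scESC:
fpr:::::::::F36B319BCE0748F7793052E6F600207F0680FA29:
uid:-::::1500000000::::Constructed Example UID:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:'

# Remove whitespace and upper-case, so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print the fingerprint of each primary key in colon-format output on stdin.
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# $1 = colon-format listing, $2 = expected fingerprint. Succeeds only when the
# listing holds exactly one primary key and it matches: with two keys the
# normalized output is 80 hex digits and cannot equal the 40-digit expectation.
fpr_matches() {
    actual=$(printf '%s\n' "$1" | primary_fprs)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$2")" ]
}

# $1 = path to the key file. Returns 2 if gpg cannot read it.
verify_key_file() {
    listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 2
    fpr_matches "$listing" "$EXPECTED_FPR"
}

if [ "$#" -gt 0 ]; then
    verify_key_file "$1" && echo "fingerprint matches published value: $1" \
        || { echo "fingerprint mismatch or unreadable key, do not import: $1" >&2; exit 1; }
else
    fpr_matches "$SAMPLE_LISTING" "$EXPECTED_FPR" && echo "self-check on constructed sample: OK"
fi
```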

Fedora

For verification on Fedora the package rpm is needed. It is by default installed on all rpm-based distributions.

Make sure the AppGate public key has been installed.

sudo rpmkeys --import appgate.pub

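If using the keyring installed with the client, the key first needs to be exported before importing. The --no-default-keyring option limits the export to the keys in that keyring, so nothing from your personal keyring ends up in appgate.pub:

gpg --no-default-keyring --keyring /opt/appgate/appgate.gpg --export --armor > appgate.pub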

Verify the package with:

rpmkeys --checksig PACKAGENAME

Ubuntu

For verification on Ubuntu systems the package dpkg-sig is needed:

sudo apt install dpkg-sig

Make sure the AppGate public key has been installed.

gpg --import appgate.pub

or, if using the keyring installed with the client:

gpg --import /opt/appgate/appgate.gpg

Verify the package with:

dpkg-sig --verify PACKAGENAME