How does it work?
Headless Clients run in the background without a UI. They enable unattended systems such as servers or container instances to connect to the Appgate SDP system. Standalone headless Clients are available for Windows, macOS and Linux; these are also embedded by AppGate into the Windows SSO Client, always-on Clients, Kubernetes Injector and Connector.
Once a profile and credentials have been applied to the headless Client, on boot-up the Client will immediately try to sign in to the Controller(s) (and continue to retry if it fails). For this reason it is STRONGLY ADVISED to always have a valid Policy for headless Clients, otherwise the retries will effectively become a DoS attack on the Controllers and consume large amounts of disk space with log warning messages.
Once signed in, the headless Client will get its own Entitlements (based on its Policy) to access any permitted resources protected by Appgate SDP and will automatically (try to) establish secure connections with the Gateways. If the headless Client has been installed on a remote server then the Entitlements might include down rules so that users of the Appgate SDP system can access it.
Background information
System limitations
Device on-boarding has to be done from the Appgate SDP headless Client for a user on a specific computer. If this device is already registered (using the normal Appgate SDP Client) the headless Client will fail.
Authentication options are limited - support is provided only for methods which work with no user present.
MFA at sign-in is not supported on Appgate SDP headless Client.
The Windows headless Client uses standard executables:
Appgate SDP Service - will run as SYSTEM (in the background).
Appgate SDP.exe - is not required.
Service Configurator - is included to configure the headless Client. Requires that the Appgate SDP Service is running.
Once a configuration is applied, the headless Client will try to sign in using it and will continue to retry if it fails. You can apply the configuration at any time to force the headless Client to try connecting.
NOTE
Custom scripted device Claims (formerly on-demand device claims) are not supported on Headless Clients.
Installation and uninstallation
How to install
To install the Client, the installer needs to be run with the switch /E (/HEADLESS). It is recommended to run it using the /S (silent installation) switch as well. An existing Appgate SDP full Client installation can be upgraded to run as a headless Client by simply running the installer with /E. Any existing configuration set for the full Client will not be transferred to the headless Client. Refer to Windows Clients for a full explanation of all the installation switch options. So to install the Windows headless Client in silent mode, type:
start "" /WAIT "Appgate-SDP-x.y.z-Installer.exe" /E /S /P="appgate://url.com"
PowerShell requires slightly different syntax:
start "Appgate-SDP-x.y.z-Installer.exe" -ArgumentList ' /E /S /P="appgate://url.com" '
NOTE
The profile link included after the /P switch can be obtained from the Client Profiles UI.
Use services.msc to make sure that both Appgate SDP Client Service (appgateservice) and Appgate SDP Driver Control (cxdriver) exist as services and that both are running.
NOTE
Write access to "TrustedCertificatePath" is recommended when using the headless Client.
NOTE
Always provide the /E flag every time the Client is installed, upgraded or reinstalled to continue to run it as the headless Client.
Once installed, there will be an Appgate SDP folder in the start menu of Windows which contains a number of items, including a shortcut to the headless Client's Configurator tool.
Installing with the /P option will have set a profile for the Windows headless Client; however, some credentials will also be required before it can sign in to the Controller. These should be set using the Configurator tool.
The Configurator tool can be used at any time to change the profile or credentials used by the headless Client as well as to check the status of the Windows headless Client, such as checking it has signed in correctly. Profile links can be obtained from the Client Profiles UI.
How to uninstall
To uninstall the Windows headless Client, simply run the uninstaller from the Start menu shortcut or from Windows `Add or Remove Programs`. Note that the headless Client's configuration is not removed on uninstall, only the headless Client binaries.
Log files
There are two log files for the headless Client; these are %programdata%\AppGate\driver.log and %programdata%\AppGate\service.log
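A scripted version of the services.msc check, extended to the two log files, so that a missing service or the runaway log growth caused by endless sign-in retries shows up on an unattended host. This is an added example, not part of Appgate's documentation or tooling; the service names and log paths are the ones given on this page, and the 100 MB threshold is an assumed value.

```powershell
# Post-install health check for the Windows headless Client (added example).
# Service names and log paths are taken from this page.
$ServiceNames = 'appgateservice', 'cxdriver'
$LogFiles     = 'driver.log', 'service.log' |
    ForEach-Object { Join-Path $env:ProgramData "AppGate\$_" }
$MaxLogSizeMB = 100   # assumption: tune for your environment

$problems = @()

# Both services must exist and be running.
foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "Service '$name' is not installed"
    } elseif ($svc.Status -ne 'Running') {
        $problems += "Service '$name' is $($svc.Status), expected Running"
    }
}

# Report log size and last write time; a log that keeps growing quickly
# can indicate sign-in retries against a Controller with no valid Policy.
foreach ($path in $LogFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        $problems += "Log file missing: $path"
        continue
    }
    $log    = Get-Item -LiteralPath $path
    $sizeMB = [math]::Round($log.Length / 1MB, 1)
    "{0}: {1} MB, last written {2:u}" -f $path, $sizeMB, $log.LastWriteTime
    if ($sizeMB -gt $MaxLogSizeMB) {
        $problems += "$path is $sizeMB MB; check that the headless Client has a valid Policy"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Headless Client services are running and log sizes are within the threshold.'
```

The script exits with code 1 when any check fails, so it can be run from a scheduled task or monitoring agent.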