Configuring a ClickOnce Application using IAG


Following the release of SP1 for UAG in December 2010, this type of publishing is no longer possible due to updates to the UAG Filter.


ClickOnce is a deployment technology that allows you to create self-updating Windows-based applications that can be installed and run with minimal user interaction. ClickOnce deployment overcomes three major issues inherent in deployment:

Difficulties in updating applications. With Microsoft Windows Installer deployment, whenever an application is updated, the user must reinstall the entire application; with ClickOnce deployment, you can provide updates automatically. Only those portions of the application that have changed are downloaded, then the full, updated application is reinstalled from a new side-by-side folder.

Impact to the user’s computer. With Windows Installer deployment, applications often rely on shared components, with the potential for versioning conflicts; with ClickOnce deployment, each application is self-contained and cannot interfere with other applications.

Security permissions. Windows Installer deployment requires administrative permissions and allows only limited user installation; ClickOnce deployment allows non-administrative users to install and grants only those Code Access Security permissions necessary for the application.

In the past, these issues sometimes caused developers to decide to create Web applications rather than Windows-based applications, sacrificing the rich user interface and responsiveness of Windows Forms for ease of installation. With applications deployed using ClickOnce, you can have the best of both technologies.

For more information about ClickOnce technology, visit this link:

Publishing a ClickOnce application using IAG is tricky, as the application uses a component of the .Net framework to launch the application, and since this component (DFSVC) runs outside the browser, the application must be tunneled to be able to run. This technique for publishing application is known as "Localhost Redirector publishing", and can also be used for several other troublesome apps, such as some JAVA-based applications. Here are the steps that must be taken to publish such an application.

1. On the IAG server, open the system hosts file with a text editor (c:\windows\system32\drivers\etc\hosts)

2. Add an entry:              localhost1

3. Open the IAG Console

4. Disable any current applications you have that are related to this server, as they might conflict with it.

5. Create a new application.

6. Under Browser-Embedded application, select Generic Browser-Embedded App and click Next

7. Type in an application name to your liking

8. In the Web Servers page, type in:

Addresses: localhost1

Paths: /

Modify port 80 for HTTP to 6001

Remove the HTTPS port 443.

Click Next

9. In the authentication type, leave the "automatically reply" settings unchanged. Click Next

10. In the Server Settings Page, type in:

Server : Type the internal name of the server that is hosting the application

Ports: 80

Click Next

11. In the Portal  Link page, type in the application URL according to the following template:

http://localhost1:6001/internalsite/redir.asp?TARGET=<internal full URL of the application>

For example, say that internal users would browse to http://somehost/somepath/publish.htm and then click a button to run it (as is typical with ClickOnce apps) to launch it, then this settings would be:


*Please note that the word TARGET is case sensitive.

Click Next

12. Activate the configuration.

13. Launch the application on the client will display a notice: "Ready to launch application". After you click OK, it will launch the IAG SSL component, visible as a two-arrow icon on the system tray on the client machine. The browser will then display the standard Publish.htm. Clicking on the RUN button in it will launch the application. It’s possible to customize the default template to not display the above message, but I’ll talk about that another time.

Comments (3)

  1. Anonymous says:

    Hi Ben. Nice post. I found that kind of application some time ago and there was another difficult point to solve. When the clickonce application is initially launched it goes to the internal servers to look for updates. If the protocol used to look for the updates is SMB/CIFS (UNC Share) there is no way to catch that traffic. Any workaround for this? (apart form the obvious 🙂 Change the protocol used to publish the application code

    // Raúl

  2. adam says:

    Hi Ben,

    The post worked really well for IAG, I wondered whether you tried this in UAG?



  3. kippapa says:

    It works in UAG also

Skip to main content