ClickOnce publishing redux!

A topic of concern for some customers has been publishing ClickOnce applications. ClickOnce is a deployment technology that allows you to create self-updating Windows-based applications that can be installed and run with minimal user interaction.

The way ClickOnce applications operate is simple: the user launches a website, and clicks a button or a link. The server sends the applications’ binary to the client computer, and runs it. Onscreen, this looks like this:


While technically, ClickOnce is touted as a web application, from UAG’s perspective, it is not, and this makes it a challenge to publish. Back in April 2009, I discussed this topic, and suggested a technique that allows one to publish it, but later on, with the release of Service Pack for UAG, this method was blocked for security reasons. Recently, though, I’ve found another way to do this.

One challenge with ClickOnce applications is that they require an SSL-VPN tunnel to operate. This is rather simple to address, as UAG has several compatible application templates that could tunnel the traffic. The second challenge, though, is launching the application itself. Since the app is launched via a web page, the user needs to visit that page after the tunnel is established. If you are thinking of the “browser embedded application” template, your reasoning is good, but wrong. With the B.E.A template, you can specify a URL, but UAG will HAT it. When the ClickOnce application launches from the HAT URL, it will fail, so that solution won’t do.

For ClickOnce to work, the requirement is that the user visits the internal URL of the application…as if he was connecting to the server inside the corporate network. The SSL-VPN tunnel allows this, but we don’t want to force our users to have to manually type in the URL. The solution? Use the “Enhanced Generic Client Application”. This template allows you to specify an executable and parameters to launch following the establishment of the tunnel. Here are the steps:

1. Check your application’s properties – what Servers and Ports it communicates on. Many ClickOnce apps only require port 80 and a single server, but some require additional ports like 443*.

2. On the UAG console, add a new application.

3. From the Client/Server and Legacy group, select “Enhanced Generic Client Application(multiple servers)

4. Configure the application’s name and endpoint policy.

5. On step 4, type in the server or servers, and port or ports you discovered in step 1. To specify multiple ports, use commas to separate the numbers.

6. In the executable field, type in iexplore

7. In the argument field, type in the full URL of the internal application

8. Click OK and activate your configuration


The way this application template works is by establishing the SSL-VPN tunnel. That tunnel is configured so that it will only forward traffic to the specified servers, and on the specified ports. After finishing launching the tunnel, UAG will launch the specified executable (Internet Explorer), with the parameter specified as the URL. This last bit is the trick that causes UAG to launch an internal, unsigned URL.

In fact, one can specify additional arguments for IE, such as the –K option, that launches IE in a Kiosk-mode window. Additional arguments are listed here.

One more critical thing that you need to know about is that 64 bit clients may not be able to use this. The SSL-VPN tunnel that UAG creates is only suitable for 32 bit applications, even on 64 bit systems. Since the .Net framework that runs the ClickOnce app is part of the system, it will be 64 bit, which will prevent it from communicating over the tunnel. Unfortunately, there’s no solution for that at this point.

* Having the right server names and ports is critical – one missing server would cause it to fail, and it will probably not even tell you the real cause, as ClickOnce applications rarely have a friendly logging or tracing available. Ideally, the application vendor will provide you with this info. If not, an alternative is to use Netmon to capture the application’s communication process, and gaher the details from there. For example:


This shows that this specific ClickOnce application uses ports 1946 and 5005, so the tunnel will need to include those as well.

Props to Allen and Bill for their help with this!

Comments (0)

Skip to main content