Aventail SSL VPN - SonicWallsoftware.sonicwall.com/Aventail/Documentation/860/ST_v8_6_Getting... ·...


Aventail® SSL VPN Getting Started Guide

Version 8.6

© 1996-2005 Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Tunnel, Aventail End Point Control, Aventail Management Console, Aventail Connect Mobile, Aventail OnDemand, Aventail OnDemand Tunnel, Aventail Secure Desktop, Aventail Smart Access, Aventail Smart Policy, Aventail Smart SSL VPN, Aventail Smart Tunneling, Aventail ST, Aventail Unified Policy, Aventail WorkPlace, Aventail WorkPlace Mobile, Aventail EX-750, Aventail EX-1500, Aventail EX-2500, and their respective logos are trademarks, registered trademarks, or service marks of Aventail Corporation. Other product and company names mentioned are the trademarks of their respective owners.

Last modified 10/11/05 14:05

Part number 0850-000015-01


Aventail SSL VPN Getting Started Guide | i

Table of Contents

Chapter 1 Introduction
    Introduction to the Aventail VPN
    Key VPN Concepts
        Resources
        Smart Tunneling
        Authentication
        Access Policy
        End Point Control
        Users, Groups, and Communities
        SSL and Encryption
        FIPS
        Clustering and High Availability
        Role-Based Administration
        Single Sign-On
        System Monitoring and Logging
    Aventail VPN Components
        Client Components
        Network Explorer
        Connect Tunnel Client
        OnDemand Tunnel Agent
        Connect Mobile Client
        Connect Proxy Client
        OnDemand Proxy Agent
        Web Proxy Access
        Translated Web Access
        End Point Control
        Administrator Components

Chapter 2 Planning Your VPN
    Who Will Access Your VPN?
    What Types of Resources Are You Deploying?
    How Will Users Access Your Resources?
        Tunnel, Proxy, or Web: Which Access Method is Best for You?
        System Requirements for Client Access Agents
    Security Administration
        Defining Resources
        Managing Access Control with an Access Policy
    End Point Control
        System Requirements for End Point Control
    Putting It All Together: Using Realms and Communities

Chapter 3 Preparing for Installation and Deployment
    Installation
        Deployment Checklist
        Verifying Your Firewall Policies
        Installation and Configuration Overview
    Deployment
        Deploying ASAP WorkPlace
        Deploying the Aventail Access Methods
        Deploying End Point Control Agents

Chapter 4 Common VPN Configurations
    Remote Access VPN Scenarios
        Providing Access to Specific Web Resources
        Providing Access to All Web Resources on Your Network
        Providing Access to Any Web Resources on a Portion of Your Network
        Providing Windows Users with Broad Access to Network Resources
        Providing Web-based File Access to Entire Networks
    Partner VPN Scenarios
        Providing Access to a Specific Web Resource and Obscuring Its Internal Host Name
        Providing Web-based Access to a Client/Server Application
    End Point Control Scenarios
        Deploying Aventail Cache Control to Employees on an Untrusted System
        Deploying Aventail Secure Desktop to Partners from Their Domain
        Allowing Selected Employees to Bypass Aventail Cache Control
    Access Policy Scenarios
        Forward Connections
        Reverse Connections
    Application-Specific Scenarios
        Providing Access to Outlook Web Access (OWA)
        Providing Access to Voice Over IP (VoIP)
        Providing Access to Windows Terminal Services or Citrix
    Authentication Scenarios
        Using Multiple Realms vs. a Single Realm
        Using a Single Community
        Using Multiple Communities
    Access Component Provisioning Scenarios
    WorkPlace Scenarios
        Creating Custom WorkPlace Sites
        Adding Shortcuts to WorkPlace


Chapter 1 Introduction

This chapter provides a brief overview of the features of the Aventail SSL VPN and its key components, and explains some essential virtual private networking components. For detailed information and step-by-step procedures on how to install and configure the appliance, please see the separate Installation and Administration Guide.

Introduction to the Aventail VPN

The Aventail SSL VPN appliance provides secure access—including clientless access to Web applications, access to client/server applications, and file sharing—to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users.

The Aventail appliance makes applications available from a range of access methods—including a standard Web browser, Web-based ActiveX or Java-based agents, a Windows client, or a PocketPC client—on a wide range of platforms and devices including Windows, Macintosh, Linux, and handheld devices. You might use the appliance to:

• Create a remote access VPN that enables remote employees to securely access private company applications such as e-mail over the Internet.

• Create a business partner VPN that provides designated suppliers with access to an internal supply chain application over the Internet.

Your Aventail VPN transparently and dynamically provides the appropriate access methods to a wide range of resources, which improves employee productivity and reduces the total cost of ownership.


The appliance’s granular access control enables you to define policy and control access down to the user and resource level. To increase efficiency, the appliance is managed from a Web-based management console. The Aventail® ASAP Management Console (AMC) enables you to quickly and easily manage policy and configure the appliance from a standard Web browser.

Key VPN Concepts

This section describes the essential concepts that you should become familiar with before installing, configuring, and managing the VPN.

Resources

The Aventail appliance manages a wide variety of corporate resources in three main categories: Web resources, client/server resources, and Windows file shares. Web resources are applications or services that run over the HTTP or HTTPS protocols, such as Microsoft Outlook Web Access. Client/server resources are enterprise applications that run over TCP/IP, such as Citrix and Voice over Internet Protocol (VoIP) telephony applications. Windows file shares include Windows network servers or computers containing shared folders and files.

When managing resources, you have some flexibility to decide which resource type to use for a given object on your network. The type you choose will vary depending on your VPN design. For example, you might define a Web application as a URL resource for use by a business partner and “alias” the host name for an extra measure of security. Alternatively, you could define the domain in which the Web application is located as a network resource, which is a convenient way to enable remote employee access to multiple Web resources within a domain.

Smart Tunneling

Aventail Smart Tunneling™ provides secure access for TCP and UDP traffic; bi-directional traffic, such as remote Help Desk applications; cross-connections, such as VoIP applications; and reverse connections, such as SMS. Smart Tunneling provides access using two access agents: the Aventail® OnDemand™ tunnel agent (a browser-based, Web-activated agent) and the Aventail Connect tunnel client (a Web-installed Windows client). Each client provides network-level access to all resources, effectively making the user’s computer a node on your network.

The tunnel clients are managed from AMC using the Aventail network tunnel service. Configuring this service to manage TCP/IP connections from the network tunnel clients requires setting up IP address pools that are used to allocate IP addresses to the clients.

Authentication

Authentication is the process of verifying a user’s identity to ensure that the individual really is who he or she claims to be. Authentication differs from authorization—authentication verifies identity, while authorization specifies access rights.

To manage user authentication with the appliance, you use AMC to define one or more external authentication servers (also known as directory servers or user stores) that contain the identification or credentials for your user population. The appliance integrates with several of the most common authentication servers. The actual management of the user information is still done on your authentication servers; the appliance simply makes use of that information to evaluate identity of your users.

Depending on the size and complexity of your organization, you may have a single authentication server for all of your users, or multiple authentication servers that store different segments of your user population. Regardless of the number or type of authentication servers you have, the appliance uses a simple method for linking to them. Each authentication server is associated with an authentication realm that you set up. These realms are what users log in to on the appliance to gain access to your resources. So if your organization has one authentication server, you would create one authentication realm on the appliance, or if you have several authentication servers, you’d create a realm for each of them. For a more granular approach to deployment and security, you can further subdivide your user population using a subset of a realm known as a community.

Using AMC to set up authentication involves configuring the combination of an authentication server, an authentication method (username/password, token or smart card, or digital certificate), and other configuration items that make the authentication process unique (for example, the LDAP search base or the specific directory server).

The Aventail appliance supports the following directories and authentication methods:

• LDAP with username/password or digital certificate

• Microsoft Active Directory with username/password

• RADIUS with username/password or token-based authentication (such as SecurID or SoftID)

• Netegrity SiteMinder with credentials or RSA ClearTrust with credentials

• Local users with username and password (used primarily for testing purposes and not recommended in a production environment)

Access Policy

An access policy is the set of access control rules that defines the privileges of users who connect to resources through the appliance. These rules define the applications or network resources that users or user groups are allowed to access.

Access control rules are stored as a list in AMC, with each rule assigned a specific order in the list. When the appliance evaluates a connection request, it begins at the top of the list and works down the list until it finds a match. When it finds a match, the action required by the rule—either “permit” or “deny”—is applied and no further rules are evaluated. If the appliance reaches the end of the list without finding a match, it applies an implicit “deny” rule to prohibit access to the user.

Access to a resource can be based on several criteria. Most access rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource he or she is trying to reach. You can use other criteria in access control rules, such as the access method used to reach a resource, the user’s network address, or the date and time of the connection request.


The appliance gives you wide latitude in creating access control rules, depending on whether your organization’s security policy demands stringent control or is relatively permissive. For example, if your VPN is accessed only by highly trusted employees who are using computers managed by your IT department, you could create an open access policy that defines your entire network domain as a resource and grants broad access to your employees. Conversely, if you are providing access to a diverse group of users with varying degrees of access privileges, or who connect from less-secure devices such as public kiosks, you might use an access policy that defines individual resources and establishes more stringent access requirements.

As your network changes over time, you will need to configure the access control rules that determine what application resources are available to your various users and groups. Before adding an access control rule, carefully examine your list of existing rules; you might find that you can modify an existing rule instead of creating a new one. To save time, you can also copy an existing rule and modify its parameters.

If you decide to add a new rule, reviewing your current configuration will help you determine where the new rule should fit in the rule order. New rules are added to the top of the access control list by default; you can then move them to their proper positions in the list.
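The top-down, first-match evaluation with an implicit deny at the end of the list, as an added example that is not part of this guide or of Aventail's software: a small Python model of an ordered access control list whose rules can test the user, group membership, destination resource, access method, source network, and time of day. The rule names, the policy, and the request values are constructed sample data, and the criterion set is an assumption chosen to mirror the criteria the text lists.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    """One connection request as the appliance would see it (constructed fields)."""
    user: str
    groups: Set[str]
    resource: str          # destination resource, by the name defined in the policy
    access_method: str     # how the user reached it: "web", "proxy", or "tunnel"
    source_ip: str
    when: datetime


@dataclass
class Rule:
    """One access control rule; a criterion left as None means 'any'."""
    name: str
    action: str                                  # "permit" or "deny"
    users: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    resources: Optional[Set[str]] = None
    access_methods: Optional[Set[str]] = None
    source_networks: Optional[List[str]] = None  # CIDR blocks
    hours: Optional[Tuple[int, int]] = None      # (start, end) on a 24-hour clock

    def matches(self, req: Request) -> bool:
        if self.users is not None and req.user not in self.users:
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        if self.resources is not None and req.resource not in self.resources:
            return False
        if self.access_methods is not None and req.access_method not in self.access_methods:
            return False
        if self.source_networks is not None:
            addr = ip_address(req.source_ip)
            if not any(addr in ip_network(net) for net in self.source_networks):
                return False
        if self.hours is not None:
            start, end = self.hours
            if not start <= req.when.hour < end:
                return False
        return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the list top-down; the first match decides, and no match is an implicit deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "<implicit deny>"


# Constructed policy (sample data, not from the guide). The deny rule for contractors
# sits above the broad permit for employees, so a user in both groups is denied.
POLICY = [
    Rule("no-contractor-file-shares", "deny",
         groups={"contractors"}, resources={"file-shares"}),
    Rule("employees-broad", "permit", groups={"employees"},
         resources={"owa", "file-shares"}, access_methods={"web", "tunnel"}),
    Rule("contractors-owa-office-hours", "permit", groups={"contractors"},
         resources={"owa"}, access_methods={"web"},
         source_networks=["203.0.113.0/24"], hours=(8, 18)),
]


def decide(user, groups, resource, method, source_ip, hour, rules=POLICY):
    """Build a request for a fixed sample date and evaluate it against a rule list."""
    req = Request(user, set(groups), resource, method, source_ip,
                  datetime(2005, 10, 11, hour))
    return evaluate(rules, req)


if __name__ == "__main__":
    print(decide("alice", ["employees"], "file-shares", "tunnel", "10.0.0.5", 10))
    print(decide("bob", ["contractors"], "file-shares", "web", "203.0.113.7", 10))
    print(decide("bob", ["contractors"], "owa", "web", "203.0.113.7", 20))
    print(decide("carol", ["employees", "contractors"], "file-shares", "tunnel", "10.0.0.9", 10))
    # Same rules, reversed order: carol is now permitted, which is why a rule added at
    # the top of the list by default must be moved to its proper position.
    print(decide("carol", ["employees", "contractors"], "file-shares", "tunnel", "10.0.0.9", 10,
                 rules=list(reversed(POLICY))))
```

The last two calls make the ordering point concrete: the same three rules give opposite answers for a user who is in both groups depending only on which rule the appliance reaches first, and a request that matches no rule at all (the contractor connecting outside office hours) falls through to the implicit deny rather than to any default permit.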

End Point Control

Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring additional risks from computers in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer.

The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and ensure that your network is not compromised when accessed from computers in untrusted environments. Aventail’s data protection agents—Aventail Secure Desktop and Aventail Cache Control—automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access.

The appliance’s EPC configuration options give you granular control over VPN access using device profiles and zones:


• A device profile is a set of attributes that characterize the device requesting the connection. These attributes can include a Windows domain name, the presence of software programs such as a personal firewall or antivirus program, a registry entry, or other unique characteristics.

• A zone classifies a connection request based on the presence or absence of a device profile, and is used to control the provisioning of data protection components or determine which resources are available.

When a user connects to the appliance, the appliance interrogates the user’s computer, then determines if its attributes match those defined in a device profile. If the device matches the profile, the appliance classifies the computer into the appropriate End Point Control zone. For example, if the device does not have a personal firewall or antivirus program, it may be classified as “untrusted,” provisioned with a browser cache cleaner, and restricted to Web-based e-mail access.
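The profile-to-zone classification described above, as an added example that is not part of this guide or of Aventail's software: a Python model in which a device profile is a set of required attributes, zones are checked in order of trust, and a device that matches no profile falls into an untrusted zone that is provisioned with a cache cleaner and limited to Web-based e-mail. The zone names other than "untrusted", the attribute names, and the device records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class DeviceProfile:
    """Attributes a connecting device must exhibit to match this profile (constructed)."""
    name: str
    windows_domain: Optional[str] = None               # required domain membership, if any
    required_software: FrozenSet[str] = frozenset()    # e.g. personal firewall, antivirus
    required_registry_keys: FrozenSet[str] = frozenset()

    def matches(self, device: Dict) -> bool:
        """Every listed attribute must be present; one missing attribute fails the profile."""
        if self.windows_domain is not None and device.get("windows_domain") != self.windows_domain:
            return False
        if not self.required_software <= frozenset(device.get("software", ())):
            return False
        if not self.required_registry_keys <= frozenset(device.get("registry_keys", ())):
            return False
        return True


@dataclass(frozen=True)
class Zone:
    """What a device classified into this zone is provisioned with and may reach."""
    name: str
    profiles: Tuple[DeviceProfile, ...]   # any one matching profile places the device here
    data_protection: Tuple[str, ...]      # data protection agents pushed to the endpoint
    allowed_resources: FrozenSet[str]


# Constructed zones (sample data, not from the guide), ordered from most to least trusted.
ZONES = (
    Zone("trusted",
         (DeviceProfile("it-managed", windows_domain="CORP",
                        required_software=frozenset({"personal_firewall", "antivirus"})),),
         data_protection=(),
         allowed_resources=frozenset({"web", "client-server", "file-shares"})),
    Zone("home",
         (DeviceProfile("home-pc", required_software=frozenset({"antivirus"})),),
         data_protection=("Cache Control",),
         allowed_resources=frozenset({"web", "web-email"})),
)

# Fallback when no profile matches: treat the endpoint as untrusted, clean the browser
# cache at the end of the session, and allow only Web-based e-mail.
UNTRUSTED = Zone("untrusted", (), data_protection=("Cache Control",),
                 allowed_resources=frozenset({"web-email"}))


def classify(device: Dict, zones=ZONES, fallback=UNTRUSTED) -> Zone:
    """Place an interrogated device in the first zone with a matching profile."""
    for zone in zones:
        if any(profile.matches(device) for profile in zone.profiles):
            return zone
    return fallback


def may_access(device: Dict, resource_kind: str) -> bool:
    """Whether the zone the device lands in makes this kind of resource available."""
    return resource_kind in classify(device).allowed_resources


if __name__ == "__main__":
    # Constructed device records as the interrogation might report them.
    corp_laptop = {"windows_domain": "CORP", "software": ["antivirus", "personal_firewall", "browser"]}
    kiosk = {"software": ["browser"]}
    domain_pc_no_firewall = {"windows_domain": "CORP", "software": ["antivirus"]}
    for label, dev in [("corp laptop", corp_laptop), ("kiosk", kiosk),
                       ("domain PC without firewall", domain_pc_no_firewall)]:
        z = classify(dev)
        print(f"{label}: zone={z.name} provision={z.data_protection} allowed={sorted(z.allowed_resources)}")
```

The third sample device is the case worth noticing: it is domain-joined but lacks the personal firewall, so it fails the "it-managed" profile entirely rather than partially matching it, and drops to the next zone that its remaining attributes satisfy.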

Users, Groups, and Communities

A user is an individual who needs access to resources on your network, and a user group is a collection of users. After you’ve created users or user groups on the appliance that are mapped to an external authentication server, you can reference them in an access control rule to permit or deny them access to resources.

Communities are a cornerstone of the appliance’s approach to deployment and security. Communities are used to aggregate users and groups for the purpose of deploying access agents to them and providing End Point Control, but can also be referenced in access control rules.

You can create communities for specific types of users, such as remote employees or business partners, and you can configure more granular types of communities, such as users in a particular department or geographic location.

For example, you may want to deploy one of Aventail’s network tunnel clients to certain employees who require broad access to resources and applications on your network and who use laptops managed by your IT department. You may have another group of users who require only limited access to Web resources because they’re logging in from public kiosks or other non-secure locations. To provide access to these disparate user groups, you could create two separate communities, each configured to deploy the appropriate access agents, and in the case of users connecting via public kiosks, using End Point Control to prevent sensitive data from being left on the kiosk.


SSL and Encryption

The Aventail appliance encrypts information using the Secure Sockets Layer (SSL) protocol. SSL is an authentication and encryption protocol that uses a key exchange method to establish a secure environment in which all data exchanged is encrypted to protect it from eavesdropping and alteration.

The Aventail appliance uses SSL certificates to validate the appliance’s identity to connecting users, and to provide a public key to secure information that the client computer sends to the server. The appliance requires two SSL certificates:

• The Aventail services use a certificate to secure end-user traffic.

• AMC uses a certificate to secure management traffic.

There are two types of certificates: self-signed and commercial certificates. With a self-signed SSL certificate, you are verifying your own identity. The associated private key data is encrypted using a password. AMC uses a self-signed certificate.

Although a self-signed SSL certificate is secure, you may want to secure end-user traffic with a certificate from a commercial certificate authority (CA). Commercial certificates are purchased from a CA (such as VeriSign) and are usually valid for one year.

A commercial CA verifies your company’s identity, in effect vouching for your identity by providing you with a certificate that the CA signs. A common analogy for a certificate from a commercial CA is a passport. You can present someone with an ID you create yourself, but they may be skeptical about your identity if they do not already know you. If you present someone with a passport issued to you by a trusted country, he or she may be more inclined to accept your identification as valid because a passport office has made an effort to verify your identity.

For users who connect to the appliance from small form factor devices, you should configure the appliance with a certificate from a leading CA, or else import the root certificate from your CA onto your users’ small form factor devices. When the appliance is configured with either a self-signed certificate or a certificate from a CA that is not well known, most small form factor devices will either display a security prompt or reject the certificate. For example, Windows Mobile smartphones are configured with the root files for only VeriSign, CyberTrust, Thawte, and Entrust.

When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance and how they will use resources on your network:


• If business partners are connecting to Web resources through the appliance, they will likely want some assurance of your identity before performing a transaction or providing confidential information. In this case, you would probably want to obtain a certificate from a commercial CA for the appliance.

• On the other hand, employees connecting to Web resources may trust a self-signed certificate. Even then, you may want to obtain a third-party certificate so that end users are not prompted to accept a self-signed certificate each time they connect.

For additional security, Aventail offers an appliance equipped with a Federal Information Processing Standard (FIPS)-compliant SSL module for creating keys and digital certificates.

FIPS

FIPS is a U.S. government standard that provides a benchmark for implementing cryptographic software. FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.

Aventail offers a FIPS-enabled appliance that includes an internal hardware security module (HSM) to protect the private cryptographic keys that are used by the appliance, manage the smart cards used to access the HSM, and perform other operational and troubleshooting functions. The hardware security module is FIPS 140-2 Level 2 compliant.

Clustering and High Availability

An Aventail cluster provides high availability by including either integrated load balancing or external load balancing, depending on the appliance model, as well as stateful user authentication failover, and centralized administration.

A cluster is designed to prevent a single point of failure. When you deploy a cluster, you can distribute applications over more than one computer, which improves response time and avoids unnecessary downtime if a failure occurs. The cluster appears as a single system to users, applications, and the network, while providing a single point of control for administrators.


Aventail offers three appliances with clustering and high-availability features:

• The entry-level appliance includes support for clustering two identical appliances behind one virtual IP address for up to 100 users, with integrated load balancing.

• The Aventail mid-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 1,000 users.

• The Aventail enterprise-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 2,000 users.

These cluster configurations support an active/active configuration, meaning all nodes in the cluster are actively sharing the user load at any given time.

You administer all the nodes of an Aventail cluster from one master management console. After installing the software on all nodes, you log in to AMC on one of the nodes and assign it as master. From that point on, this node controls the propagation and synchronization of policy and configuration across both nodes.

The slave node provides a redundant AMC, but it is not automatically assigned as master if the master node fails. Instead, you must log in to the slave node’s AMC and manually assign it to be the master. When the original master node comes back online, it detects that the other node is now the master and it demotes itself to a slave node.

Role-Based Administration

Role-based administration restricts access for managing the appliance via AMC to authorized users based on their job functions and responsibilities. Permission to perform specific administration functions is assigned to roles defined in AMC.

AMC is configured by default with one primary administrator who has full access to all AMC management features. The primary administrator can then delegate responsibility for four types of AMC management to users designated as secondary administrators. These secondary administrator roles are as follows:

• Security administration: controls permissions to manage access control rules, resources, users, and user groups. It also controls access to settings for WorkPlace, Aventail OnDemand, and End Point Control.

• System configuration: controls permissions to manage network settings, SSL settings, access and network services, general appliance settings, and authentication servers and realms.

• System maintenance: controls permissions to shut down or restart the appliance, update or roll back the system software, and import or export configuration data.

• System monitoring: controls permissions to view system logs and graphs, modify log settings, view active users, run troubleshooting tools, and terminate user sessions.

For each administrator category, the primary administrator sets the permission level to allow read/write access or read-only access, or to disable access, which hides the relevant portion of the AMC user interface. The primary administrator also sets up a password-protected account for each user designated as a secondary administrator.
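The delegation model described above (one primary administrator, four secondary categories, each set to read/write, read-only or disabled) as an added illustration written for this page; it is not Aventail's AMC code. The category and action names are taken from the text; the split of actions into "view" and state-changing ones is an assumption of the example.

```python
"""Model of AMC-style role-based administration (example code, not Aventail's)."""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    READ_WRITE = "read/write"
    READ_ONLY = "read-only"
    DISABLED = "disabled"   # hides that portion of the AMC user interface


# The four areas the primary administrator can delegate (from the guide).
CATEGORIES = ("security", "system_configuration",
              "system_maintenance", "system_monitoring")

# Assumed classification: anything that changes state needs read/write,
# viewing needs at least read-only.
WRITE_ACTIONS = {"modify", "delete", "restart", "update", "rollback",
                 "import", "export", "terminate_session"}
READ_ACTIONS = {"view"}


@dataclass
class Administrator:
    name: str
    primary: bool = False
    # category -> Level; only meaningful for secondary administrators
    grants: dict = field(default_factory=dict)


def effective_level(admin, category):
    """Primary admin has full access; secondaries default to disabled."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    if admin.primary:
        return Level.READ_WRITE
    return admin.grants.get(category, Level.DISABLED)   # default deny


def authorize(admin, category, action):
    """True when `admin` may perform `action` within `category`."""
    level = effective_level(admin, category)
    if action in WRITE_ACTIONS:
        return level is Level.READ_WRITE
    if action in READ_ACTIONS:
        return level in (Level.READ_WRITE, Level.READ_ONLY)
    raise ValueError(f"unknown action: {action}")


def visible_sections(admin):
    """Categories whose AMC pages are shown; disabled ones are hidden."""
    return [c for c in CATEGORIES if effective_level(admin, c) is not Level.DISABLED]


def delegate(granting_admin, secondary, category, level):
    """Only the primary administrator may assign a role to a secondary one."""
    if not granting_admin.primary:
        raise PermissionError("only the primary administrator can delegate")
    if secondary.primary:
        raise ValueError("the primary administrator already has full access")
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    secondary.grants[category] = level


if __name__ == "__main__":
    root = Administrator("admin", primary=True)
    ops = Administrator("ops")
    delegate(root, ops, "system_monitoring", Level.READ_WRITE)
    delegate(root, ops, "security", Level.READ_ONLY)
    print(visible_sections(ops))                        # security, system_monitoring
    print(authorize(ops, "security", "modify"))         # False: read-only
    print(authorize(ops, "system_monitoring", "terminate_session"))  # True
```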

Single Sign-On

Single sign-on (SSO) is an option that controls whether to forward user credentials to back-end Web resources. Configuring the appliance to use SSO prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource).

The appliance supports several types of Web-based SSO:

• Basic authentication forwarding is a widely supported form of authentication forwarding, but is not very secure because it sends passwords in the clear across the network. The appliance can be configured to send each user’s unique authentication credentials, or “static” credentials (that is, the same credentials for all users). Basic authentication forwarding is configured within a Web application profile, which is assigned to a resource.

• NTLM authentication forwarding provides a secure method for sending Windows network credentials to a Microsoft IIS (Internet Information Services) Web server. NTLM (short for “Windows NT LAN Manager”) uses a challenge/response mechanism to securely authenticate users without sending passwords in the clear across the network. NTLM authentication forwarding passes a Windows domain name along with the user’s authentication credentials.

• Netegrity SiteMinder is a third-party product that provides a centralized mechanism for administering authentication and single sign-on. You can configure the appliance to receive user authentication credentials from a SiteMinder server and forward the credentials to any back-end Web resources it is protecting.

• RSA ClearTrust is a third-party product that provides a centralized mechanism for managing user authentication and single sign-on. You can configure the appliance to receive user authentication credentials from a ClearTrust server and forward the credentials to any back-end Web resources it is protecting.

System Monitoring and Logging

System monitoring and logging features permit administrators to view both real-time and historical data about the performance of the appliance and its access services, as well as user activity.

The AMC home page displays a graphical summary of the current number of active users, network bandwidth, disk space usage, and CPU usage. More detailed views of this graphical data are also available in hourly, daily, and weekly increments.

AMC also allows administrators to view the total number of active users at any given time and search the list of active user sessions by user name. User monitoring also lets you terminate a user’s session, even if the user has multiple active connections on different services or nodes.

If you have a Simple Network Management Protocol tool, you can use it to monitor the appliance as an SNMP agent. The appliance provides a variety of management data in Management Information Base (MIB) format.

The AMC log viewer provides a detailed view of appliance, user access, and other activities contained in the following log files:

• The system message log displays server processing and diagnostic information about the access services, as well as detailed information on how access policy rules are applied.

• The user audit logs provide detailed information about connection activity, including a list of users accessing your network and the amount of data transferred.

• The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred, for the Web proxy service.

• The management console audit log records information about configuration changes made to the appliance by authorized administrators.

The AMC log viewer allows you to customize the display of log message data using sorting, searching, and filtering options. If you need to perform additional analysis of the log message data, or display the data differently than how it appears in the log viewer, you can export selected data to comma-separated values (.csv) files for use by another application, such as Microsoft Excel.

Aventail VPN Components

Your Aventail SSL VPN appliance consists of several key administrator and client components described next.

Client Components

The appliance includes several components that provide users with access to resources on your network.

Smart Access

With Smart Access™ the appliance automatically communicates with the end point and determines which access method is most appropriate for the user’s system. When a user logs in to ASAP WorkPlace for the first time, WorkPlace automatically provisions the user with the agent that will provide the broadest range of access based on the user’s access privileges, operating system, browser configuration, and any other constraints on the user’s system.

ASAP WorkPlace

The Aventail® ASAP™ WorkPlace portal provides your users with access to Web-based resources. After a user logs in to ASAP WorkPlace, a Web page appears that contains an administrator-defined list of shortcuts. These shortcuts point to the Web-based resources, Windows file system resources, and terminal servers to which the user has access privileges. ASAP WorkPlace is accessible from a standard Web browser.

You can also create customized WorkPlace sites that employ different appearances (colors, logos, and greeting text) and unique URLs. This enables you to configure and deploy unique portals for different audiences (such as partners and employees).

Web resources and file system resources can be accessed from any Web browser that supports SSL. By default, the appliance is configured to deploy a Microsoft ActiveX control (the Web proxy agent) on newer versions of Microsoft Windows systems running Internet Explorer. The Web proxy agent proxies Web content directly through the appliance. The appliance supports Web-based access to Windows Terminal Services (WTS) and Citrix hosts. These hosts are accessed by Web-based terminal agents that use native application protocols to send data to the terminal server.

For users running other browsers, the appliance will automatically provide translated Web access. If you’d rather not install an agent or your users’ systems don’t support ActiveX, you can configure the appliance to provide translated Web access.

Network Explorer

Network Explorer is a part of ASAP WorkPlace that provides access to any Windows file system resources that the user has permission to use. These resources can include servers, computers, workgroups, folders, and files.

Connect Tunnel Client

The Aventail® Connect™ tunnel client is a Windows application with a small footprint that provides broad access to network resources. The Connect tunnel client provides access to any type of application or protocol, including non-TCP protocols such as Voice Over Internet Protocol (VoIP), ICMP, and multicast. The Connect tunnel client is initially installed from the ASAP WorkPlace portal or from a separate installer package, and is administered in AMC.

OnDemand Tunnel Agent

The Aventail® OnDemand™ tunnel agent is a lightweight ActiveX or Java agent that provides the same broad access to applications and protocols as the Connect tunnel client. It is similar in all respects to the Connect tunnel client except that it is activated each time a user logs into the ASAP WorkPlace portal.

Connect Mobile Client

Aventail® Connect Mobile™ client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including client/server applications, thin client applications, file servers, and Web resources. The Connect mobile client is installed using a Windows setup program that extracts the application files and then copies the files to the user’s Pocket PC device through ActiveSync.

Connect Proxy Client

The Aventail® Connect™ proxy client is a Windows application that provides access to a broad range of resources including traditional client/server applications, thin-client applications, file servers, and Web resources. Installed on the user’s computer, the Aventail Connect proxy client can provide additional end-point security by requiring personal firewalls and antivirus applications. Aventail Connect supports Microsoft single sign-on and provides seamless access to network share resources from Network Neighborhood.

OnDemand Proxy Agent

The Aventail® OnDemand™ proxy agent is a secure, lightweight Java applet that provides access to network resources protected by the Aventail network proxy service. The OnDemand proxy agent can be downloaded from ASAP WorkPlace “on demand” to give users clientless VPN access—ideal for partners or vendors that do not have standard VPN access to your network or for mobile employees that may need to access network resources from a non-work computer such as a public kiosk.

Web Proxy Access

The Aventail Web proxy agent provides access through ASAP WorkPlace to any Web resource, including Web-based applications, Web portals, and Web servers, as well as Windows network shares. Web proxy access eliminates the need for Web content translation and provides broad access to enterprise Web applications for users running Microsoft Windows XP or 2000 and Internet Explorer or Firefox with ActiveX enabled.

Translated Web Access

Translated Web access is available from any Web browser supported by ASAP WorkPlace and provides access to any Web resource and Windows network shares.

End Point Control

End Point Control components ensure that your network is not compromised when accessed from PCs in untrusted environments. The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and your network. Aventail’s post-authentication data protection agents—Aventail Secure Desktop and Aventail Cache Control—automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access.

Administrator Components

This section highlights the key components that you’ll use to manage the Aventail appliance and services.

ASAP Management Console

AMC is a Web-based administrative tool used to manage the appliance. It provides centralized access for managing security policies, configuring the system (including networking and certificate configuration), monitoring, troubleshooting, and administrator accounts. AMC is accessible from a Web browser.

Setup Wizard

Setup Wizard streamlines the initial configuration of the appliance. It guides you through the process of selecting basic network settings, configuring appliance options, defining resources, creating a basic access policy, and creating local users for testing purposes. Setup Wizard is a Web-based alternative to using the command-line Setup Tool.

Aventail Access Services

The appliance uses four access services to manage the access clients and agents that users employ to connect to your network resources:

• The Aventail network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of applications and protocols, including non-TCP protocols such as Voice over IP (VoIP) and ICMP, reverse-connection protocols like SMS, and bi-directional protocols such as FTP. It works in conjunction with the Aventail Connect tunnel client and the Aventail OnDemand tunnel agent to provide authenticated and encrypted access.

• The Aventail Web proxy service provides users with secure access to Web-based applications, Web servers, and network file servers from a Web browser, or Web-based applications and Web servers from a Pocket PC device using the Aventail Connect Mobile client. The Web proxy service contains a secure HTTP reverse proxy that brokers and encrypts access to Web-based resources. It includes user log-off capability to enhance security for users at public Web kiosks. It also manages TCP/IP connections from the Aventail OnDemand Java agent.

• The ASAP WorkPlace service controls access to WorkPlace resources accessed from a Web browser. The ASAP WorkPlace service communicates with Windows file servers and network shares (including Microsoft Distributed file system, or DFS, resources) using the Server Message Block (SMB) file-sharing protocol.

• The Aventail network proxy service provides a secure proxy for accessing standard client/server applications. It works in conjunction with the Aventail Connect proxy client to provide authenticated and encrypted access over the Internet. The network proxy service is based on the SOCKS v5 protocol. The network proxy service brokers and encrypts access to internal applications and networks. Its proxy-based architecture and use of SSL enables the network proxy service to traverse firewalls, NAT devices, and other proxy servers that can interfere with traditional VPN devices.

Command-Line Tools

Included on the appliance are several command-line administrative tools for performing initial setup of the appliance, backing up configuration settings, patching and upgrading the software, and restoring previous versions or configurations. These operations can also be performed using AMC’s graphic user interface.

Chapter 2 - Planning Your VPN

To effectively design your VPN, you must identify who will access your VPN, what types of resources you will make available, and which access methods you will provide to end users so they can reach your network.

Who Will Access Your VPN?

A key consideration in planning your VPN is identifying which users need to access your network resources.

Your user community will obviously have a major impact on how you design and administer your VPN. Most VPN users generally fall into one of two major categories: remote employees or business partners.

• Remote employees. When serving remote and mobile employees, you’ll generally provide relatively open access to enterprise resources, such as providing domain-level access to them. Of course, you can also define a more granular access policy for specific resources that contain sensitive information (such as a payroll application).

Employee computer systems under IT control provide the flexibility to install client software—such as the Aventail Connect tunnel or proxy client—on the desktop. The Aventail Connect clients provide direct integration with Windows Network Neighborhood for users accessing the network from a remote location.

• Business partners. Suppliers, vendors, contractors, and other partners generally have restricted access to resources on your network. This requires you to administer more granular resource definitions and access control rules than those typically used for a remote access VPN.

For example, instead of simply defining a domain resource and granting employees open access privileges, you’ll often need to define specific host resources and manage a more complex access policy. Additionally, when defining a Web resource you may want to obscure its internal host name to maintain the privacy of your network.

Because of the administrative and support issues associated with installing client software on computers outside the control of your IT organization, a Web-based access method is often best for business partners.

What Types of Resources Are You Deploying?

The Aventail appliance manages a wide variety of corporate resources, which fall into three categories:

Resource type: Web
Examples:
• Microsoft Outlook Web Access
• Web-based applications
• Web portals
• Web servers
Planning considerations:
• When specifying URLs to Web resources, include the http:// or https:// prefix.
• Use aliases to obscure host names on private networks.

Resource type: Client/server
Examples:
• Citrix
• Microsoft Outlook
• Lotus Notes
• Terminal servers (such as Citrix or WTS)
Planning considerations:
• Identify resources by host name, IP address or IP range, subnet IP address, or domain name.

Resource type: Windows file shares
Examples:
• Windows network servers
• Windows shared folders
Planning considerations:
• Defining a Windows domain gives access to all network file resources to authorized users.

How Will Users Access Your Resources?

End users can access VPN resources secured by the Aventail appliance using four primary methods. This gives you a range of deployment options for both “managed” desktops controlled by your IT department and systems outside your control, including employees’ home computers, partner desktops, and other systems such as kiosks or handheld devices.

• Standard Web browser. Web resources and file system resources can be accessed from any Web browser that supports SSL. Browser-based access is ideal for providing remote access from virtually any PC, including public kiosks, wireless networks, or small form factor devices such as smartphones or PDAs. It’s also a good option for providing business partner access, because it does not require any client configuration or administration.

• ActiveX-enabled browser. Aventail’s ActiveX agent—the Aventail OnDemand network tunnel agent—provides access to resources from Microsoft Internet Explorer and Firefox browsers that support ActiveX. In addition to Web resources, this agent provides access to terminal services, thin-client applications, and full client/server applications.

• Java-enabled platform. Aventail’s Java agents—the Aventail OnDemand proxy agent and the Aventail OnDemand tunnel agent—provide access to resources from Java-enabled Web browsers.

• The OnDemand tunnel agent uses Aventail’s tunnel technology to provide full network access to protocols and applications for users of Windows XP or Windows 2000.

• The OnDemand proxy agent provides access to client/server applications and Web resources from a Java-enabled Web browser or any environment—such as Macintosh or Linux systems—configured with a stand-alone Java environment.

The OnDemand proxy agent is a good choice for providing access to users who are connecting with a device that is not managed by IT staff, such as a home PC.

• Windows clients. The Aventail Connect tunnel client and the Aventail Connect proxy client are Windows clients that provide access to a broad range of resources, including traditional client/server applications, thin-client applications, file servers, and Web resources. These Connect clients offer complete integration with the Windows desktop, including support for Microsoft single sign-on and seamless access to network share resources from Network Neighborhood. The Aventail Connect clients are typically used for remote access on systems that can be readily managed by IT, such as a corporate laptop used by a traveling or remote employee.

• Mobile devices. The Aventail Connect mobile client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including traditional client/server applications, thin client applications, file servers, and Web resources.

Page 26: Aventail SSL VPN - SonicWallsoftware.sonicwall.com/Aventail/Documentation/860/ST_v8_6_Getting... · Aventail® SSL VPN Getting Started Guide ... Point Control, Aventail Management

22 | Chapter 2 - Planning Your VPN

The following table summarizes the available access methods and the advantages of each.

Access method: Aventail Connect network tunnel (Windows client)
Provides access to: Full network access to client/server applications, Web resources, Windows network shares, and bi-directional applications such as Voice over IP, SMS, and FTP.
Advantages:
• Installed from ASAP WorkPlace portal or from custom installer package, with no rebooting required.
• Managed through AMC.
• Enhanced security options including split-tunneling, and redirection of all traffic or only local traffic.
• Local printing supported.

Access method: Aventail OnDemand network tunnel (ActiveX agent)
Provides access to: Full network access to client/server applications, Web resources, Windows network shares, and bi-directional applications such as Voice over IP, SMS, and FTP.
Advantages:
• Activated from ASAP WorkPlace portal.
• Enhanced security options including split-tunneling, and redirection of all or only local traffic.
• Local printing supported.

Access method: Aventail Connect proxy (Windows client)
Provides access to: Client/server applications, Web resources, and Windows network shares.
Advantages:
• Offers seamless integration with Windows Network Neighborhood.
• Security options, including split-tunneling, personal firewall detection, and antivirus software detection.
• Auto-updating.

Access method: Aventail Connect Mobile
Provides access to: Client/server applications, thin client applications, file servers, and Web resources.
Advantages:
• Lightweight application that runs on Pocket PC devices.

Access method: Aventail OnDemand proxy (Java agent)
Provides access to: Client/server applications and Web resources from any Java-enabled platform.
Advantages:
• Broad cross-platform support.
• Lightweight Java agent is easy to administer and deploy.

Access method: Web proxy mode
Provides access to: Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares.
Advantages:
• Convenient access from any ActiveX-enabled browser.
• Defaults to “translated mode” on other browsers.
• Minimal client configuration or administration tasks.
• Users can access any network URL by typing its actual URL in the browser’s address box.
• Broad Web-based access to enterprise applications.
• Single sign-on.

Access method: Translated Web browser
Provides access to: Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares.
Advantages:
• Convenient access from virtually any PC.
• No client configuration or administration tasks.
• Supports the use of aliases to hide internal host names in the browser address bar.
• Single sign-on to back-end Web servers.

Your choice of access methods will be based on a variety of factors, including:

• Technical considerations, such as the hardware platform, operating system, or Web browser in use by end users.

• Security requirements, such as the safeguards you want to put in place on the desktop.

• End-user profile, including users’ level of technical sophistication.

• Administrative resources available to manage and support a VPN.

Tunnel, Proxy, or Web: Which Access Method is Best for You?

Aventail’s access services and clients offer a wide array of methods with different degrees of capabilities to enable your users to reach your organization’s resources. Which ones are best for you? That depends on the resources you want to deploy and the computing environment of your users.

Generally speaking, the two Aventail network tunnel clients provide the broadest network access and support, and greatest ease of administration. The caveat is that tunnel client users must be running either Windows 2000 or Windows XP. The Aventail Connect proxy client runs on both current and legacy versions of Windows, and has integrated End Point Control features, but must be installed and configured separately. The Aventail OnDemand proxy agent provides broad cross-platform support for Windows, Macintosh, and Linux users. Web access is clientless and requires no provisioning, but limits access to Web-based applications.

System Requirements for Client Access Agents

Use the following table to determine which Aventail access agents are appropriate for your users’ computers. Items shown in the regular font are supported platforms, while those shown in italics are compatible platforms.

Client component: ASAP WorkPlace portal
Windows:
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: Internet Explorer 6.0 with Service Pack 2 or 1, Mozilla Firefox 1.0.6
Macintosh:
• Operating system: Macintosh OS X v 10.4, Macintosh OS X v 10.3
• Browser: Macintosh Safari 2.0, Macintosh Safari 1.3, Mozilla Firefox 1.0.7
Linux:
• Operating system: Linux (Fedora Core 4)
• Browser: Mozilla Firefox 1.0.7

Client component: Connect tunnel client
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: n/a
• Other: Windows administrator rights required for installation

Client component: OnDemand tunnel agent
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: Internet Explorer 6.0 with Service Pack 2 or 1, Mozilla Firefox 1.0.6
• Other: Sun JVM 1.5.1 or ActiveX; Sun JVM 1.4.2 plug-in; Windows administrator rights required for installation

Client component: Connect proxy client
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: n/a
• Other: Windows administrator rights required for installation

Client component: OnDemand proxy agent
Windows:
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: Internet Explorer 6.0 with Service Pack 2 or 1, Mozilla Firefox 1.0.6
• Other: Sun JVM 1.5.1 or ActiveX; Sun JVM 1.4.2 plug-in; Windows administrator rights required for dynamic redirection mode
Macintosh:
• Operating system: Macintosh OS X v 10.4, Macintosh OS X v 10.3
• Browser: Macintosh Safari 2.0, Macintosh Safari 1.3
• Other: Sun JVM 1.4.2 plug-in
Linux:
• Operating system: Linux
• Browser: Mozilla Firefox 1.0.7
• Other: Sun JVM 1.4.2 plug-in

Client component: Connect Mobile client
• Operating system: Windows Pocket PC 4.2.1, Windows Pocket PC 4.2
• Browser: Pocket Internet Explorer 4.01

Client component: Web proxy agent
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: Internet Explorer 6.0 with Service Pack 2 or 1
• Other: ActiveX

Client component: Translated Web Access
Windows:
• Operating system: Windows XP Pro with Service Pack 2 or 1, Windows XP Home with Service Pack 2 or 1, Windows 2000 Pro with Service Pack 4
• Browser: Internet Explorer 6.0 with Service Pack 2 or 1, Mozilla Firefox 1.0.6
Macintosh:
• Operating system: Macintosh OS X v 10.4, Macintosh OS X v 10.3
• Browser: Macintosh Safari 2.0, Macintosh Safari 1.3, Mozilla Firefox 1.0.7
Linux:
• Operating system: Linux
• Browser: Mozilla Firefox 1.0.7
• Other: Sun JVM 1.4.2 plug-in

Security Administration

Administering your security policy involves defining resources and then creating access control rules that determine the availability of those resources.

Defining Resources

When managing resources, you have some flexibility to decide which resource type to use for a given object on your network. The type you choose will vary depending on your VPN design. For example, you might define a Web application as a URL resource for use by a business partner and “alias” the host name for an extra measure of security. Alternatively, you could define the domain in which the Web application is located as a network resource, which is a convenient way to enable remote employee access to multiple Web resources within a domain.

Web Resources

Any Web resource—such as a Web application, a Web portal, or a Web server—can be defined as a URL resource; they are specified in AMC using the standard http:// or https:// URL syntax. Examples include Microsoft Outlook Web Access and other Web-based e-mail programs, Web portals, corporate intranets, and standard Web servers.

Defining a Web resource as a URL provides several advantages:

• You can create a Web shortcut on ASAP WorkPlace to make it simple for users to quickly access the URL.

• You can define very specific access rules to control which users can access the URL.

• You have the option of obscuring (or “aliasing”) the internal host name so it is not publicly exposed. When a user accesses an alias in translated mode, the Aventail Web access service proxies the request to the downstream Web resource and translates its private URL using an alias name you define. The user sees only the public (or “aliased”) URL.

Web traffic is proxied through the Aventail Web proxy service, a secure gateway through which users can access private Web resources from the Internet.
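The aliasing described above for translated mode can be pictured as a two-way URL map: outbound responses have private URLs rewritten to aliases, and inbound requests on an alias are resolved back to the downstream resource. The following is an added example, not Aventail code: the appliance name vpn.example.com, the alias names, the internal host names and the HTML snippet are all constructed for illustration.

```python
# Added example (not Aventail code): host name aliasing for translated Web access.
# Alias table, appliance name, internal hosts and sample HTML are constructed.
import re
from urllib.parse import urlsplit

# Public alias that users see  ->  private downstream URL it stands for.
ALIASES = {
    "webmail": "https://owa.corp.internal",           # constructed internal host
    "portal": "http://intranet.corp.internal:8080",   # constructed internal host
}
PUBLIC_HOST = "https://vpn.example.com"                # constructed appliance FQDN


def to_public(private_url: str) -> str:
    """Rewrite a private URL into its aliased public form; unknown hosts are left as they are."""
    for alias, private_base in ALIASES.items():
        if private_url == private_base or private_url.startswith(private_base + "/"):
            return f"{PUBLIC_HOST}/{alias}" + private_url[len(private_base):]
    return private_url


def to_private(public_url: str):
    """Resolve an aliased request to the downstream resource, or None when no alias matches."""
    prefix = PUBLIC_HOST + "/"
    if not public_url.startswith(prefix):
        return None
    alias, _, rest = public_url[len(prefix):].partition("/")
    private_base = ALIASES.get(alias)
    if private_base is None:
        return None
    return private_base + ("/" + rest if rest else "")


# href/src/action attribute values in a response body (a deliberately simple matcher).
_LINK_RE = re.compile(r"""(href|src|action)=(["'])(.*?)\2""", re.IGNORECASE)


def rewrite_links(html: str) -> str:
    """Translate private URLs in link attributes so that only aliases reach the user."""
    return _LINK_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{to_public(m.group(3))}{m.group(2)}", html)


def leaked_hosts(html: str):
    """Defensive check: private host names that survived translation in a body."""
    privates = {urlsplit(base).hostname for base in ALIASES.values()}
    return sorted(h for h in privates if h in html)


# Constructed response body from the downstream server.
SAMPLE_BODY = ('<a href="https://owa.corp.internal/exchange/inbox">Mail</a> '
               '<img src="http://intranet.corp.internal:8080/logo.png"> '
               '<a href="https://www.example.org/">External</a>')
```

A production translator also has to cover relative links, URLs built by scripts, redirect headers and cookie domains; the point shown here is only that every private host name is mapped before the body leaves the appliance, and that a check for leaked host names is cheap to run on the translated output.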


Network Resources

As the name implies, “network resources” are flexible enough to encompass virtually anything on your network, including applications, file servers, or multiple Web resources. Network resources are specified in AMC using either a domain, subnet, IP range, host name, or IP address.

Here are some examples of network resources:

• Client/server applications include “traditional” applications developed for a particular operating system, or thin-client applications designed to be run over the Web. Users access client/server applications using either the Aventail Connect or Aventail OnDemand tunnel or proxy clients, or the Connect Mobile client.

• Network shares include Windows file servers or file shares. When defined as a network resource, network shares are accessible using either Aventail Connect or Aventail OnDemand. (To access a network share using a Web browser, you must instead define it as a file system resource.)

• Source networks are referenced in an access rule to permit or deny a connection to a destination resource based upon the location from which the request originates. This provides you with even greater security. For example, you might permit connections from only a particular domain, or even from an individual IP address.

• Terminal server hosts provide the graphical user interface (GUI) of an application to user terminals that don't have this capability themselves. Windows Terminal Services and Citrix agents can be managed directly from the Aventail appliance.

• Multiple Web resources on your network—whether in a domain, subnet, or IP range—can be defined as a network resource. This approach provides a convenient way for you to administer multiple Web servers from a single object in AMC. For example, if you specify a domain (and create the appropriate access rule) users will be able to access any Web resources contained within that domain from their Web browsers (or from Aventail OnDemand or Aventail Connect).

On the downside, however, your users cannot access those resources from a link on ASAP WorkPlace; instead, they must know the internal host name of the resource. If the Web proxy agent is running, they can enter any URL directly into their browser. However, in translated mode, users must manually type URLs in the Intranet Address box in WorkPlace.


With such a wide scope of resource definitions—from broad resources such as a domain or subnet down to a single host or IP address—you may wonder how best to define your network resource definitions. Broad resource definitions simplify your job as network administrator, and are typically used when managing a remote access VPN with an open access policy. For example, you could define your internal DNS namespace as a domain and create a single policy rule granting employees access privileges.

On the other hand, a more restrictive security policy will require you to define network resources more narrowly. This approach is typically used when administering a partner VPN. For example, to provide an external supplier with access to an inventory application, you might specify its host name as a resource and create a policy rule specifically granting the supplier access privileges.

File System Resources

File system resources include Windows network servers or computers containing shared folders and files that users can access through ASAP WorkPlace.

For a file system resource, you can define a specific resource by typing a UNC path or you can define an entire Windows domain.

• Defining an entire Windows domain gives authorized users access to all the network file resources within the domain.

• A specific file system resource can be an entire server, a shared folder, or a network folder.

• A file system resource can also reference a user’s personal folder on the network. This feature allows you to create a single shortcut on ASAP WorkPlace that dynamically references a personal folder for the current user.

The various options for defining a file system resource provide you with the flexibility to create an open policy that provides access to an entire domain, or to create a more granular policy that controls access at the server, share, or folder level.


Managing Access Control with an Access Policy

After you’ve defined your VPN resources, you control which resources are available to users by creating an access policy.

After a user successfully authenticates (that is, verifies his or her identity), the appliance evaluates the access rules to control authorization to specific resources. Rules appear on the Access Control page:

Access control rules are stored as a list, with each rule assigned a specific order. When the appliance evaluates a connection request, it begins at the top of the list and works down the list (that is, in ascending numeric order) until it finds a match. When it finds a match, the action required by the rule—either “permit” or “deny”—is applied and no further rules are evaluated. If the appliance reaches the end of the list without finding a match, it applies an implicit “deny” rule to prohibit access.

Access to a resource can be based on several criteria. Most access rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource he or she is trying to reach. (If you don’t restrict access to a particular user or destination resource, the word “Any” appears in the access control list.)

Additionally, you can control access based on several other criteria:

• The End Point Control zone from which the connection request originates. Suppose you want to require users accessing a sensitive financial application to run a cache cleaner after each session. If so, you could configure a rule restricting access to systems in a “trusted” zone running Aventail Secure Desktop.

• The user’s network address from which the connection request originates. You might want to control access to a resource based on the names of any source networks you want evaluated in the rule.


• The access method used to reach the resource. You might want to enable broad access to resources within an internal domain from the network tunnel or proxy agents, but prevent browser-based access to Web servers within the domain.

• The encryption strength of the connection. You might require connections to a particularly sensitive resource to use strong 128-bit encryption.

• The day and/or time of the request. For example, you might allow business partners to access a particular application only from 9:00 A.M. to 5:00 P.M. on weekdays.

To summarize the authorization process:

1. A user initiates a connection.

2. The appliance analyzes the connection request to identify its attributes (including user and group information, the destination being requested, source network from which the request originates, and the day or time of the request).

3. The appliance reads the first rule in the access control list and compares it to the request criteria:

• If a match is found, the action (“permit” or “deny”) specified in the rule is applied. After this occurs, no further rules are evaluated.

• If no match is found, the appliance evaluates the next rule in the list to see if it matches the request.

4. If the appliance processes all of the rules without finding a match, it applies an implicit end rule to deny access.

Access Control for Bi-Directional Connections

VPN connections typically involve what are called forward connections—these are initiated by a user to a network resource. However, if you deploy Aventail’s network tunnel clients (Connect tunnel or OnDemand tunnel) to your users, then bi-directional connections are enabled.

Within the Aventail VPN, bi-directional connections encompass the following:

• Forward connections from a VPN user to a network resource.

• Reverse connections from a network resource to a VPN user. An example of a reverse connection is an SMS server that “pushes” a software update to a user’s machine.


• Cross-connections refer specifically to Voice over Internet Protocol (VoIP) applications that enable one VPN user to telephone another VPN user. Cross-connections require a pair of access control rules: one for the forward connection and one for the reverse connection.

• Other examples of bi-directional connections include an FTP server that downloads files to or uploads files from a VPN user, and remote Help Desk applications.

Design Guidelines for Access Rules

Because the appliance processes your access control rules sequentially, the order in which you organize them has great significance in terms of whether access is permitted or denied. Carefully review your security policy settings to avoid inadvertently placing rules in the wrong order.

• Put your most specific rules at the top of the list. As a general rule, it is usually best to put your most specific rules at the top of the list. Putting the least restrictive rules at the top of the list may cause the appliance to find a match before it has a chance to process your more restrictive rules.

• Be careful with “Any” rules. If you create a rule that does not restrict access to a particular user or destination resource, the word “any” appears in the access control list. Carefully consider the impact of “any” in your policy rules. For a “permit” rule, too many “any” criteria could expose a security hole. On the other hand, too many “any” criteria in a “deny” rule could unnecessarily restrict network access.

• Optimizing performance. Because the appliance evaluates rules in sequential order, you can optimize performance by placing the network resources that are accessed most frequently at the top of the list.

• Avoid resource and access method incompatibilities. In some very specific cases, certain combinations of resource types and access methods can create problems with your access policy. AMC validates your rule and notifies you of potential problems when you save it. See the “Security Administration” chapter of the Aventail Installation and Administration Guide for details on resolving incompatibility issues.
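The ordering rules above (first match wins, implicit deny at the end, most specific rules first, caution with “Any”) are easy to get wrong in a long list. The following is an added example, not Aventail code: it models the evaluation the guide describes and adds a conservative check for rules that a broader earlier rule makes unreachable. The rule attributes, host names, zone names and the sample policies are constructed for illustration.

```python
# Added example (not Aventail code): first-match access control list evaluation.
# Attribute names, host names and the sample policies are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # unrestricted criterion; AMC shows it as "Any"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    destination: str        # host name of the resource being reached
    zone: str               # End Point Control zone of the client device
    source_ip: str
    access_method: str      # "tunnel", "proxy" or "web"
    cipher_bits: int        # negotiated encryption strength
    when: datetime


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "permit" or "deny"
    users: Optional[frozenset] = ANY         # user or group names
    destinations: Optional[frozenset] = ANY  # resource host names
    zones: Optional[frozenset] = ANY
    source_networks: Optional[tuple] = ANY   # CIDR strings
    access_methods: Optional[frozenset] = ANY
    min_cipher_bits: Optional[int] = ANY
    weekdays_only: bool = False
    hours: Optional[tuple] = ANY             # (start, end) hour, 24h clock

    def matches(self, r: Request) -> bool:
        if self.users is not ANY and r.user not in self.users and not (r.groups & self.users):
            return False
        if self.destinations is not ANY and r.destination not in self.destinations:
            return False
        if self.zones is not ANY and r.zone not in self.zones:
            return False
        if self.source_networks is not ANY and not any(
                ip_address(r.source_ip) in ip_network(n) for n in self.source_networks):
            return False
        if self.access_methods is not ANY and r.access_method not in self.access_methods:
            return False
        if self.min_cipher_bits is not ANY and r.cipher_bits < self.min_cipher_bits:
            return False
        if self.weekdays_only and r.when.weekday() > 4:
            return False
        if self.hours is not ANY and not (self.hours[0] <= r.when.hour < self.hours[1]):
            return False
        return True


def evaluate(rules, request):
    """Walk the list in ascending order; the first match decides; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda x: x.number):
        if rule.matches(request):
            return rule.action, rule.number
    return "deny", None


def _covers_set(outer, inner):
    return outer is ANY or (inner is not ANY and inner <= outer)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every request matching `inner` also matches `outer`. Conservative: user and
    group names are compared as plain sets, so group membership is not expanded."""
    nets_ok = outer.source_networks is ANY or (inner.source_networks is not ANY and all(
        any(ip_network(i).subnet_of(ip_network(o)) for o in outer.source_networks)
        for i in inner.source_networks))
    cipher_ok = outer.min_cipher_bits is ANY or (
        inner.min_cipher_bits is not ANY and outer.min_cipher_bits <= inner.min_cipher_bits)
    hours_ok = outer.hours is ANY or (
        inner.hours is not ANY and outer.hours[0] <= inner.hours[0] <= inner.hours[1] <= outer.hours[1])
    return (_covers_set(outer.users, inner.users) and _covers_set(outer.destinations, inner.destinations)
            and _covers_set(outer.zones, inner.zones)
            and _covers_set(outer.access_methods, inner.access_methods)
            and nets_ok and cipher_ok and (not outer.weekdays_only or inner.weekdays_only) and hours_ok)


def find_shadowed(rules):
    """Numbers of rules that can never fire because an earlier rule already covers them."""
    ordered = sorted(rules, key=lambda x: x.number)
    return [later.number for i, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:i])]


# Constructed policy: a finance application reachable only from a trusted zone, from the
# internal address space, over a strong cipher, on weekdays 9-5, and never from a browser.
FINANCE = frozenset({"finance.corp.example"})
EMPLOYEES = frozenset({"employees"})
LOOSE = [  # broad permit first: employees never reach the deny below it
    Rule(1, "permit", users=EMPLOYEES),
    Rule(2, "deny", destinations=FINANCE, access_methods=frozenset({"web"})),
]
STRICT = [  # most specific rules first, broad permit last
    Rule(1, "deny", destinations=FINANCE, access_methods=frozenset({"web"})),
    Rule(2, "permit", destinations=FINANCE, zones=frozenset({"trusted"}),
         source_networks=("10.0.0.0/8",), min_cipher_bits=128, weekdays_only=True, hours=(9, 17)),
    Rule(3, "deny", destinations=FINANCE),
    Rule(4, "permit", users=EMPLOYEES),
]
ANY_FIRST = [Rule(1, "permit"), Rule(2, "deny", destinations=FINANCE)]  # rule 2 is unreachable
WEDNESDAY_10AM = datetime(2005, 10, 12, 10, 0)
SATURDAY_10AM = datetime(2005, 10, 15, 10, 0)


def sample_request(**overrides) -> Request:
    """An employee on a trusted device using the tunnel client; override fields to vary it."""
    base = dict(user="alice", groups=EMPLOYEES, destination="finance.corp.example", zone="trusted",
                source_ip="10.1.2.3", access_method="tunnel", cipher_bits=128, when=WEDNESDAY_10AM)
    base.update(overrides)
    return Request(**base)
```

`evaluate(LOOSE, sample_request(access_method="web"))` returns a permit from rule 1, while the same request against `STRICT` is denied by rule 1; `find_shadowed(ANY_FIRST)` reports rule 2, the “Any” permit problem the guideline warns about. The shadowing check only reports a rule when it is certain it can never fire, so an empty result does not prove the ordering is right; `LOOSE` passes the check yet still grants the browser access the policy meant to refuse.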


End Point Control

Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring additional risks from PCs in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer.

The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and ensure that your network is not compromised when accessed from PCs in untrusted environments. Aventail’s data protection agents—Aventail Secure Desktop and Aventail Cache Control—automatically remove session data from the PC.

The appliance also supports integration with third-party client integrity agents that automatically check for malware on the client system before allowing access. These client integrity agents apply globally to all connections during pre-authentication.

The appliance’s EPC configuration options give you granular control over VPN access using device profiles and zones:

• A device profile is a set of attributes that characterize the type of device requesting the connection. Examples of these attributes include an application or file name, the presence of a personal firewall or antivirus program, a registry entry, or other distinguishing characteristics used to identify a client computer.

• A zone classifies a connection request based on the presence or absence of a device profile, and is used to provision data protection components or determine which resources are available.

When a user connects to the appliance, the appliance interrogates the user’s computer, then determines if its attributes match those defined in the zone’s device profile. If the device matches the profile, the appliance classifies the computer into the zone.


The following diagram illustrates the End Point Control evaluation process performed by the appliance when a user connects to the appliance:

Your Aventail VPN is provided with some default EPC zones and device profiles for several common access scenarios.

The preconfigured EPC zones include:

• Antivirus and cache control required: This zone applies to Windows XP/2000 computers and Apple Macintosh computers and requires them to have either Norton or McAfee antivirus software installed and enables Aventail Cache Cleaner to clean the browser cache after each user session. It references the preconfigured Windows Antivirus and Macintosh Antivirus device profiles.

• Windows firewall enabled: This zone requires Windows XP or 2000 computers to have a personal firewall program from Sygate, Microsoft or Zone Labs installed. It uses the preconfigured Windows firewall device profile.

• Default: This zone can serve as a global fail-safe to either allow or block VPN access in situations where connection requests don’t match the criteria for any other zones.

The preconfigured device profiles include:

• Windows Antivirus: This device profile is configured to detect whether both an antivirus program and a personal firewall program are present on computers running Windows XP or 2000.


• Macintosh Antivirus: This device profile is configured to detect whether both an antivirus program and a personal firewall program are present on Apple Macintosh computers.

• Windows firewall: This device profile is configured to detect whether a personal firewall is installed on computers running Microsoft Windows XP or 2000.

• Macintosh computer: This device profile is configured to identify computers running the Macintosh operating system.

If the preconfigured device profiles don’t address your specific security needs or computing environment, you can create additional profiles that the appliance will use to detect the presence of specified attributes on users’ devices.

Device profile attribute | Description

Antivirus program
• Looks for either Norton or McAfee antivirus software.
• Supported on Microsoft Windows XP/2000, and Apple Macintosh.

Application
• Looks for an application process running on the client device.
• Supports * and ? wildcards.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

Directory name
• Looks for a directory on a device’s hard drive.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

File name
• Looks for a file name and extension on a device.
• Optionally can include file size, absolute or relative modification date.
• Optionally validates file integrity on Windows devices.
• Supports * and ? wildcards.
• Supports comparison operators.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

Personal firewall program
• Looks for Sygate, Microsoft, or ZoneLabs personal firewalls.
• Supported on Microsoft Windows XP/2000.

Windows domain
• Determines if a user belongs to a domain.
• Supported on Microsoft Windows XP/2000.

Windows registry entry
• Looks for a Windows registry entry key name.
• Optionally looks for a value name and data.
• Supports * and ? wildcards.
• Supports comparison operators.
• Supported on Microsoft Windows XP/2000.

Windows version
• Looks for major version numbers on Microsoft Windows XP & 2000.
• Optionally looks for minor version numbers and build numbers.

Device name & description
• Supported on pocket PC/PDA, and on mobile phones.

To configure EPC, you first create one or more device profiles that identify the client attributes you want to look for. Next, you define an EPC zone and reference the device profiles required for a device to be classified into that zone. The zone is in turn referenced in a community; this determines which users can be classified into the specified zone and which data protection agents are deployed to those users. Optionally, you can reference a zone in an access control rule to determine which resources are available to users in that zone.
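The device profile attributes in the table and the zone classification described earlier in this section fit together as a small rule engine: each attribute is a check on what the interrogator found, a profile requires all of its checks to pass, and a zone is entered when any of its referenced profiles matches, with the Default zone as the fail-safe. The following is an added example, not Aventail code, and it does not reproduce how the real agents detect antivirus or firewall products: the process names, file path, registry key, domain name and device snapshots are constructed, and evaluating zones in list order is this example’s assumption.

```python
# Added example (not Aventail code): End Point Control classification of a client
# into a zone. Attribute names follow the guide's table; process names, paths,
# registry keys, domain names and device snapshots are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class DeviceInfo:
    """What the interrogator learned about the client (constructed snapshot)."""
    os: str                                       # "windows", "macintosh" or "linux"
    windows_version: tuple = ()                   # (major, minor, build) on Windows
    processes: frozenset = frozenset()            # running application names
    files: dict = field(default_factory=dict)     # absolute path -> size in bytes
    registry: dict = field(default_factory=dict)  # key -> {value name: data}
    domain: Optional[str] = None


# Stand-ins for the antivirus and personal firewall products the guide names;
# these process names are made up for this example.
ANTIVIRUS_PROCESSES = ("av-guard.exe", "av-shield.exe", "AvGuardDaemon")
FIREWALL_PROCESSES = ("fw-agent.exe", "pf-service.exe", "PfDaemon")


# Each attribute check is a predicate over DeviceInfo.
def application(pattern):
    """Application attribute: a running process name matches a * / ? pattern."""
    return lambda d: any(fnmatchcase(p, pattern) for p in d.processes)


def any_application(*patterns):
    return lambda d: any(application(p)(d) for p in patterns)


def file_name(pattern, min_size=0):
    """File name attribute with an optional size comparison (here: size >= min_size)."""
    return lambda d: any(fnmatchcase(path, pattern) and size >= min_size
                         for path, size in d.files.items())


def registry_entry(key, value_name=None, data_pattern=None):
    """Windows registry attribute: the key must exist; value name and data are optional."""
    def check(d):
        values = d.registry.get(key)
        if values is None:
            return False
        if value_name is None:
            return True
        if value_name not in values:
            return False
        return data_pattern is None or fnmatchcase(str(values[value_name]), data_pattern)
    return check


def windows_version(major, minor=None):
    """Windows version attribute: major and optionally minor version numbers."""
    return lambda d: (d.os == "windows" and d.windows_version[:1] == (major,)
                      and (minor is None or d.windows_version[1:2] == (minor,)))


def windows_domain(name):
    return lambda d: d.os == "windows" and (d.domain or "").lower() == name.lower()


@dataclass
class DeviceProfile:
    name: str
    platforms: frozenset   # operating systems the profile applies to
    checks: list           # every check must pass

    def matches(self, d: DeviceInfo) -> bool:
        return d.os in self.platforms and all(check(d) for check in self.checks)


@dataclass
class Zone:
    name: str
    profiles: list         # matching any referenced profile classifies the device


def classify(zones, device, default="Default"):
    """Try zones in list order (this example's assumption); the first zone with a
    matching profile wins, otherwise the Default zone acts as the fail-safe."""
    for zone in zones:
        if any(p.matches(device) for p in zone.profiles):
            return zone.name
    return default


# Profiles mirroring the guide's preconfigured ones (Windows XP and 2000 are major version 5).
WINDOWS_ANTIVIRUS = DeviceProfile("Windows Antivirus", frozenset({"windows"}),
    [any_application(*ANTIVIRUS_PROCESSES), any_application(*FIREWALL_PROCESSES), windows_version(5)])
MACINTOSH_ANTIVIRUS = DeviceProfile("Macintosh Antivirus", frozenset({"macintosh"}),
    [any_application(*ANTIVIRUS_PROCESSES), any_application(*FIREWALL_PROCESSES)])
WINDOWS_FIREWALL = DeviceProfile("Windows firewall", frozenset({"windows"}),
    [any_application(*FIREWALL_PROCESSES), windows_version(5)])
# A custom profile of the kind the guide says you can add (constructed identifiers).
CORPORATE_BUILD = DeviceProfile("Corporate build", frozenset({"windows"}),
    [windows_domain("CORP"), registry_entry(r"HKLM\SOFTWARE\Example\Build", "Tag", "corp-*"),
     file_name(r"C:\Program Files\Example\agent.exe", min_size=1)])

ZONES = [
    Zone("Antivirus and cache control required", [WINDOWS_ANTIVIRUS, MACINTOSH_ANTIVIRUS]),
    Zone("Windows firewall enabled", [WINDOWS_FIREWALL]),
]

# Constructed device snapshots.
MANAGED_LAPTOP = DeviceInfo("windows", (5, 1, 2600), frozenset({"explorer.exe", "av-guard.exe", "fw-agent.exe"}),
                            {r"C:\Program Files\Example\agent.exe": 40960},
                            {r"HKLM\SOFTWARE\Example\Build": {"Tag": "corp-2005"}}, "CORP")
HOME_PC = DeviceInfo("windows", (5, 1, 2600), frozenset({"explorer.exe", "fw-agent.exe"}))
KIOSK = DeviceInfo("windows", (5, 1, 2600), frozenset({"explorer.exe"}))
MANAGED_MAC = DeviceInfo("macintosh", processes=frozenset({"AvGuardDaemon", "PfDaemon"}))
```

`classify(ZONES, MANAGED_LAPTOP)` lands in the antivirus zone, `HOME_PC` (firewall but no antivirus) in the firewall zone, and the kiosk falls through to Default, where a community can provision Secure Desktop or Cache Control. Because a zone is entered on the first profile match, a Default zone that permits access is only as safe as the checks in the zones above it; pairing the custom `CORPORATE_BUILD` profile with a zone that grants broad access is the pattern for distinguishing managed from unmanaged Windows devices.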


System Requirements for End Point Control

Use the following table to determine whether your users’ devices meet the system requirements for using End Point Control:

Client component | Operating system | Browser | Other

End Point Control (interrogator & installer)
Operating system:
• Windows XP Pro with Service Pack 2
• Windows XP Pro with Service Pack 1
• Windows XP Home with Service Pack 2
• Windows XP Home with Service Pack 1
• Windows 2000 Pro with Service Pack 4
Browser:
• Internet Explorer 6.0, Service Pack 2
• Internet Explorer 6.0, Service Pack 1
• Mozilla Firefox 1.0.6
Other:
• Sun JVM 1.5.1 or ActiveX
• Sun JVM 1.4.2 plug-in

Operating system:
• Macintosh OS X v 10.4
• Macintosh OS X v 10.3
Browser:
• Macintosh Safari 2.0
• Macintosh Safari 1.3
Other:
• Sun JVM 1.4.2 plug-in

Operating system:
• Linux
Browser:
• Mozilla Firefox 1.0.7
Other:
• Sun JVM 1.4.2 plug-in

Aventail Cache Control
Operating system:
• Windows XP Pro with Service Pack 2
• Windows XP Pro with Service Pack 1
• Windows XP Home with Service Pack 2
• Windows XP Home with Service Pack 1
• Windows 2000 Pro with Service Pack 4
Browser:
• Internet Explorer 6.0, Service Pack 2
• Internet Explorer 6.0, Service Pack 1
• Mozilla Firefox 1.0.6
Other:
• Sun JVM 1.5.1
• Sun JVM 1.4.2 plug-in

Operating system:
• Macintosh OS X v 10.4
• Macintosh OS X v 10.3
Browser:
• Macintosh Safari 2.0
• Macintosh Safari 1.3
Other:
• Sun JVM 1.4.2 plug-in

Operating system:
• Linux
Browser:
• Mozilla Firefox 1.0.7
Other:
• Sun JVM 1.4.2 plug-in

Aventail Secure Desktop
Operating system:
• Windows XP Pro with Service Pack 1 or 2
• Windows XP Home with Service Pack 1 or 2
• Windows 2000 Pro with Service Pack 4
Browser:
• Internet Explorer 6.0, Service Pack 2
• Internet Explorer 6.0, Service Pack 1
• Mozilla Firefox 1.0.7
Other:
• Sun JVM 1.5.1
• Sun JVM 1.4.2 plug-in

Putting It All Together: Using Realms and Communities

Realms are the top-level objects that tie together and streamline authentication, user management, access agent provisioning, and End Point Control restrictions.

A realm references an authentication server such as Microsoft Active Directory, LDAP, or RADIUS. To manage user authentication, you must define an authentication server in AMC, which is then referenced by a realm you set up for users to log in to the appliance.

After users log in to the appliance, they are assigned to a community, which is a user population with similar access and security requirements. A community determines which access methods are provided to its member users, and whether any restrictions are placed on their end point devices.


The following illustration shows how a realm authenticates users, assigns them to communities to provision access agents and, with End Point Control enabled, assigns community members to different zones based on the trustworthiness of their computers.

If your network uses only one authentication server to store user information, you’ll probably need to create only one realm in AMC. However, if your network uses multiple authentication servers, you’ll need to create at least one realm for each server.

Using only one realm doesn’t limit your ability to configure more granular levels of user access and End Point Control. AMC allows you to create subsets of users based on their access needs or other security considerations. A community can consist of all the users in a realm, or only selected users or groups.

In the simplest scenario, you could have one realm mapped to a single authentication server. That realm could then reference the global community that is configured by default in AMC. This would be useful if you have a homogenous user population with identical access requirements.

Depending on the complexity of your organization and your user population, you might need multiple communities. For instance, you might have two distinct groups of users requiring VPN access: employees who connect from trusted computing environments (such as laptops provided by your IT department) and require broad access to your network resources, and business partners who connect through unsecured computing environments and who require access only to specific, limited resources. You could, for example, configure the employee community to deploy a tunnel client to the employees, enabling them to access Web, network, and file share resources. You could then provide your business partners with more limited Web-only access.

If End Point Control is enabled, communities can also be used to assign members to specific “zones of trust.” Continuing the example of using separate communities for employees and for business partners, you could use EPC to detect whether employees’ computers are running an antivirus program and firewall before placing them in a trusted zone. Business partners, or employees connecting from computers without the requisite security programs, could be assigned to a less-trusted zone where they would be provisioned with Aventail Secure Desktop or Aventail Cache Control.


Chapter 3

Preparing for Installation and Deployment

This chapter provides an overview of the basic steps involved and information required to install and configure your Aventail appliance and deploy resources to users.

Installation

You have two options for installing your Aventail VPN appliance. You can either use a Web browser to run Setup Wizard and let it guide you step-by-step through the process of configuring basic network settings and other options, or you can establish a serial connection to the appliance and run Setup Tool from the command line. Setup Wizard will probably be easier for first-time administrators of the appliance, while the command-line method will be more familiar to administrators with Linux experience.

In addition to configuring the appliance’s basic networks settings, Setup Wizard also lets you import your license file, configure an SSL certificate required to proxy traffic, and set the date and time. Setup Wizard also enables you to create test users on the appliance and create some basic resources and access control rules to assist you in testing the appliance when you’re done setting it up.

Deployment Checklist

Before configuring the appliance, you’ll need to gather the following information. You’ll provide some of this information when running Setup Wizard or Setup Tool, but most of it will be used when configuring the appliance in AMC.

• The root password you’ll use to administer the appliance.

• Internal IP address and, optionally, an external IP address.

• The default gateway address.


• Name resolution information including domain name servers and search domains.

• Interface speeds for one or both network adapters. (Interface speeds should be specifically set in AMC rather than allowing network devices to auto-negotiate them.)

• The name for the appliance. (Because this name will be used only in log files, you don’t need to add it to DNS.)

• If you’re installing a cluster, you’ll need several pieces of additional information. See the Installation and Administration Guide for more details.

Certificate information

Several pieces of information will be used to generate the server and AMC certificates:

• Fully qualified domain name (FQDN) for the appliance. You’ll need to add this name to your public DNS, and it will be visible to users when they connect to Web-based resources.

• FQDN for the ASAP Management Console (AMC). You’ll use this name to access AMC, which is used to administer the appliance.

Name lookup information

• Internal DNS domain name of the network to which the appliance will be connected.

• Primary internal DNS server address (additional DNS servers are optional).

• The IP address for an internal WINS server and the name of your Windows domain (these are required to browse files on a Windows network using Aventail ASAP WorkPlace, but otherwise optional).

Authentication information

• Server name and login information for your authentication servers (LDAP, Microsoft Active Directory, Netegrity SiteMinder, RSA ClearTrust, and/or RADIUS).

Routing information

• Default gateway address. If the computer from which you’ll access AMC is on a different network than the appliance, you’ll need to specify a gateway when you run Setup Tool. In AMC, you’ll supply the default gateway to the Internet.


• Routing information to any internal resources, which may include static and/or dynamic routes. To use dynamic routing, your site must support the Routing Information Protocol (RIP).

Virtual address pool information

• If you are planning to deploy either network tunnel client (Connect tunnel or OnDemand tunnel) you’ll need to either allocate IP addresses for one or more address pools, or use a DHCP server (which can be specified explicitly or located automatically).

Optional configuration information

• To enable SSH access from a remote machine, you’ll need the remote host’s IP address.

• To synchronize with an NTP server, you’ll need the IP addresses for one or more NTP servers.

• To send data to a syslog server, you’ll need the IP address and port number for one or more syslog servers.

Verifying Your Firewall Policies

For the appliance to function correctly, you must open ports on your external (Internet-facing) and internal firewalls.

External firewall

For secure access to the appliance from a Web browser, Aventail Connect, or Aventail OnDemand, you must make sure that ports 80 and 443 are open on firewalls at your site. Opening your firewall to permit SSH access is optional, but can be useful for performing administrative tasks from a remote system.

Traffic type | Port/protocol | Usage | Required?

• HTTP | 80/tcp | Unencrypted network access | Required

• HTTPS | 443/tcp | Encrypted network access | Required

• SSH | 22/tcp | Administrative access to the appliance | Optional


Internal firewall

If you have a firewall on the internal network, you may need to adjust its policy to open ports for back-end applications with which the appliance must communicate. In addition to opening ports for standard network services such as DNS and e-mail, you may need to modify your firewall policy in order for the appliance to access the following services.

Traffic type | Port/protocol | Usage

• Microsoft networking | 138/tcp and 138/udp; 137/tcp and 137/udp; 139/udp; 162/snmp; 445/smb | Used by ASAP WorkPlace to perform WINS name resolution, browse requests, and access file shares

• LDAP (unencrypted) | 389/tcp | Communicate with an LDAP directory or Microsoft Active Directory

• LDAP over SSL (encrypted) | 636/tcp | Communicate with an LDAP directory or Microsoft Active Directory over SSL

• RADIUS | 1645/udp or 1812/udp | Communicate with a RADIUS authentication server

• NTP | 123/udp | Synchronize the appliance clock with an NTP server

• Syslog | 514/tcp | Send system log information to a syslog server

• SNMP | 161/udp | Monitor the appliance from an SNMP management tool

Installation and Configuration Overview

The installation process is composed of several basic steps that are outlined here. For detailed information, please see the Installation and Administration Guide.

1. Rack mount the appliance and connect the cables.

2. Enter the static URL for Setup Wizard (192.168.0.10) in the Web browser’s address bar.

3. Run Setup Wizard to configure the basic network settings, and optionally set up some basic resources, access rules, and test users. (You can alternately run Setup Tool from the command line.)

4. Log in to AMC to complete the network configuration.

5. Configure a server certificate (either a self-signed certificate using AMC or one obtained from a commercial certificate authority).

6. Define one or more authentication servers.

7. Define a realm containing one or more communities to deploy access agents and optionally provision End Point Control tools.

8. Define application resources.

9. Define users and groups.

10. Create access control rules.

11. Configure Web, network, and graphical terminal shortcuts for ASAP WorkPlace.

12. Apply your changes.

13. Test system accessibility.

Deployment

After you’ve defined your resources and access policy, it’s time to make those resources available to users. Web resources, Windows file shares, and terminal servers can be easily deployed using ASAP WorkPlace. The Aventail OnDemand tunnel and proxy agents, and Connect Mobile, offer access to client/server applications, and the Aventail Connect tunnel and proxy clients provide Windows users with broad access to resources throughout your network.

Deploying ASAP WorkPlace

ASAP WorkPlace, a Web portal that provides users with dynamically personalized access to your network, makes it easy to deploy resources directly from the appliance. WorkPlace provides access to the major components of your VPN:

• Web shortcuts provide your users with quick access to Web resources. Network shortcuts provide your users with access to file system resources. Graphical terminal shortcuts provide your users with Web-based access to resources that are available through Windows Terminal Services or Citrix hosts.

• The Network Explorer page provides Web-based access to Windows file shares. Its Windows Explorer-like interface supports most common file management tasks, such as opening, uploading, downloading, and copying files. The appliance’s file system access policy is used to control each user’s access privileges. You can also disable file uploads from ASAP WorkPlace, or disable access to file shares entirely.

• The Intranet Address box enables users to type URLs and/or UNC path names to access resources for which you haven’t created specific links. For example, a user could type the host name of a Web server, or a specific folder on a Windows share.

You can also create multiple WorkPlace sites for different user populations. Each site can have a unique appearance (including logo, heading, greeting text, and a unique external URL).

WorkPlace also provides support for a variety of small form factor devices, including PDAs, Pocket PCs, smartphones, WAP-compatible phones, and iMode phones. When a user logs into WorkPlace from a small form factor device, WorkPlace detects the device type and automatically transforms to best match the capabilities of the client device.

For complete information on configuring ASAP WorkPlace, see the Aventail Installation and Administration Guide.

Deploying the Aventail Access Methods

Following is a brief description of how the Aventail access clients and agents are deployed to users. For detailed information, see the Aventail Installation and Administration Guide.

Access client or agent            Deployment options

Aventail Connect tunnel client

• Users can download and install the Windows client by clicking a link on ASAP WorkPlace’s provisioning page.

• Administrators can create a custom installer package of the Connect tunnel client components and make it available for users to install from another network location without requiring them to log in to ASAP WorkPlace.

Aventail OnDemand tunnel agent

• The agent is automatically activated each time a user logs in to ASAP WorkPlace and authenticates using a Web browser.

Aventail OnDemand proxy agent

• In embedded mode, OnDemand automatically starts when a user connects to ASAP WorkPlace.

• In stand-alone mode, the user manually starts OnDemand by clicking a link on WorkPlace. OnDemand appears in a separate browser window.

Aventail Connect proxy client

• Client is configured using a separate Windows program called the Aventail Connect Configuration Tool.

• You can customize Connect setup packages using the Aventail Connect Customizer tool.

Aventail Connect Mobile client

• Client is installed using a Windows setup program that extracts the application files and then copies the files to the user’s Pocket PC device.

Web proxy agent

• The agent is automatically activated each time a user logs in to ASAP WorkPlace and authenticates using a Web browser.

Translated Web agent

• The translated Web agent provides access through the ASAP WorkPlace portal as a fallback for systems that do not support the Web proxy agent.

Deploying End Point Control Agents

Following is a brief description of how End Point Control components are deployed to users. Both the Aventail and third-party EPC tools are configured starting from the Agent Configuration page in AMC. For detailed information, see the Installation and Administration Guide.

EPC component                     Deployment steps

Aventail Secure Desktop

• Upload Aventail Secure Desktop license to the appliance from the Manage License page.

• Enabled and configured on the Configure Data Protection page.

• EPC must also be enabled on the End Point Control page.

• Deployed on a per-realm basis.

Aventail Cache Control

• Enabled and configured on the Configure Data Protection page.

• EPC must also be enabled on the End Point Control page.

• Used as a fallback if Aventail Secure Desktop isn’t supported on a client device.

• Deployed on a per-realm basis.

Sygate On-Demand

• Requires a separate purchase and upload.

• Enabled on the Configure Data Protection page.

• Deployed globally.

ZoneLabs Integrity Clientless Security

• Requires a separate purchase and upload.

• Enabled on the Configure Client Integrity page.

• Deployed globally.

WholeSecurity Confidence Online

• Requires a separate purchase.

• The URL pointing to where the WholeSecurity agent is located is configured on the Configure Client Integrity page.

• Deployed globally.

Chapter 4 - Common VPN Configurations

This chapter provides some practical examples of common scenarios for configuring and deploying VPN access for your users. Unless otherwise noted, the configuration steps described here are performed using AMC.

Remote Access VPN Scenarios

To better understand how to deploy a remote access VPN, here are some common scenarios.

Providing Access to Specific Web Resources

To provide user access to a specific Web application or other Web resource:

1. Define a URL resource on the Add/Edit Resource page.

2. Create an access control rule referencing the URL on the Add/Edit Access Rule page.

3. Add a Web shortcut to WorkPlace on the WorkPlace Shortcuts page.

Providing Access to All Web Resources on Your Network

To provide user access to all the Web resources on your network:

1. Define a network resource (such as a domain or subnet) for all internal DNS domains on the Add/Edit Resource page.

2. Create a rule referencing the network object on the Add/Edit Access Rule page.

3. Instruct users to type the host name or URL for any Web resources in the Intranet Address box on WorkPlace.

Providing Access to Any Web Resources on a Portion of Your Network

To provide user access to any Web resource limited to a specific portion of your network:

1. Define a network resource (such as a domain or subnet) for the portion of the network containing the Web resources on the Add/Edit Resource page.

2. Create a rule referencing the network object on the Add/Edit Access Rule page.

3. Instruct your users to type the host name or URL for any Web resources in the Intranet Address box on WorkPlace.

Providing Windows Users with Broad Access to Network Resources

To provide Windows users with comprehensive access to your network resources:

1. Define a resource referencing your DNS domain on the Add/Edit Resource page.

2. Create a rule referencing the domain on the Add/Edit Access Rule page.

3. Configure and distribute either of the network tunnel clients, or the Connect proxy client, to your users.

Providing Web-based File Access to Entire Networks

To provide Web-based access to file system resources across your network:

1. Define a resource referencing your Windows domain on the Add/Edit Resource page.

2. Create a rule referencing the domain on the Add/Edit Access Rule page.

3. Add a network shortcut referencing the domain on the WorkPlace Shortcuts page.

4. Make sure WorkPlace’s Network Explorer tab is enabled (this is the default state).

5. Instruct your users to click the appropriate link to the file system resource in Network Explorer.

Partner VPN Scenarios

Here are examples of common steps for deploying a VPN to business partners. These scenarios could also be useful in providing VPN access to contractors or other third-party users who require access to your network resources.

Providing Access to a Specific Web Resource and Obscuring Its Internal Host Name

To provide access to a specific Web resource that uses an alias to prevent users from seeing its internal host name:

1. Define a URL resource on the Add/Edit Resource page, and then in the page’s Advanced section specify an alias for the resource.

2. Create a rule referencing the URL on the Add/Edit Access Rule page.

3. Add a Web shortcut to WorkPlace on the WorkPlace Shortcuts page.

Providing Web-based Access to a Client/Server Application

To provide Web access to a client/server application:

1. Define a network resource on the Add/Edit Resource page, referencing the application’s host name or IP address.

2. Create a rule on the Add/Edit Access Rule page referencing the network resource.

3. Configure the OnDemand proxy agent (if accessing a thin client, you can optionally configure OnDemand to automatically start the application).

4. Add a Web shortcut to WorkPlace on the WorkPlace Shortcuts page.

End Point Control Scenarios

Here are some basic examples of how to deploy End Point Control to protect sensitive data and ensure that your network is not compromised when accessed from devices in untrusted environments.

Deploying Aventail Cache Control to Employees on an Untrusted System

Follow these configuration steps to deploy Aventail Cache Control to employees who are connecting from untrusted environments. This configuration uses the global default EPC zone as a fail-safe for employees who are connecting from devices that don’t match your device profiles.

1. Define a device profile with attributes identifying a trusted system (such as a Windows registry key, the name of a corporate application, or your Windows domain name).

2. Reference the device profile in a zone, and configure the zone to require no data protection tools.

3. Reference the zone in any communities used by your employees.

4. Configure the global Default zone to require Aventail Cache Control.

Connection requests from devices that don’t match the trusted profile are automatically assigned to the default zone, and Aventail Cache Control removes history, temporary files, passwords, and cookies from users’ systems after each Web session.

Deploying Aventail Secure Desktop to Partners from Their Domain

To deploy Aventail Secure Desktop to business partners who are connecting from their company domain:

1. Define a device profile with an attribute referencing the partner’s Windows domain name.

2. Reference the device profile in a zone, and configure the zone to require Aventail Secure Desktop.

3. Reference the zone in the community used by your partners.

4. Configure the Default zone to block VPN access (this will prevent unknown systems from accessing the network).

Allowing Selected Employees to Bypass Aventail Cache Control

Follow these configuration steps to permit employees using home computers to bypass Aventail Cache Control (ACC) when connecting to your network, but deploying ACC to everyone else:

1. Define a device profile on the Device Profile Definition page with an attribute referencing an application or other attribute that is unique to your organization.

2. Reference the device profile in a zone on the Zone Definition page, and configure the zone to require no EPC.

3. Reference the zone in the community used by your employees.

4. Configure the Default zone to require Aventail Cache Control.
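To make the zone logic shared by the three End Point Control scenarios above concrete, here is a small Python model. It is an added example, not code from Aventail or the appliance: it reproduces what the guide describes (a device is compared against the device profiles referenced by the zones in the user’s community, and a device that matches no profile falls into the global Default zone) and nothing more. That the first zone with a matching profile wins, the attribute names (windows_domain, application), and the domain and application values are all constructed assumptions.

```python
"""End Point Control zone assignment as described in the EPC scenarios.

Added example, not Aventail code. Profile attribute names, zone names and the
"first matching zone wins" order are assumptions; all scenario data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Device = Dict[str, str]   # attributes reported by the client, e.g. {"windows_domain": "CORP"}


@dataclass
class DeviceProfile:
    name: str
    attributes: Dict[str, str]          # every listed attribute must match the device

    def matches(self, device: Device) -> bool:
        return all(device.get(key) == value for key, value in self.attributes.items())


@dataclass
class Zone:
    name: str
    profiles: List[DeviceProfile] = field(default_factory=list)
    data_protection: Optional[str] = None   # tool the zone requires, None for no EPC
    block_access: bool = False              # a Default zone configured to block VPN access


@dataclass
class Community:
    name: str
    zones: List[Zone]                       # zones referenced by the community, in order


def assign_zone(device: Device, community: Community, default_zone: Zone) -> Zone:
    """First community zone with a matching device profile, otherwise the Default zone."""
    for zone in community.zones:
        if any(profile.matches(device) for profile in zone.profiles):
            return zone
    return default_zone


def decide(device: Device, community: Community, default_zone: Zone) -> Tuple[str, str, Optional[str]]:
    """(verdict, zone name, required data-protection tool) for one connection request."""
    zone = assign_zone(device, community, default_zone)
    if zone.block_access:
        return ("blocked", zone.name, None)
    return ("allowed", zone.name, zone.data_protection)


# Scenarios 1 and 3: trusted corporate systems and home PCs carrying a corporate
# application need no tools; every other device gets Aventail Cache Control.
TRUSTED = Zone("Trusted system", [DeviceProfile("Corporate PC", {"windows_domain": "CORP"})])
HOME_BYPASS = Zone("Employee home PC",
                   [DeviceProfile("Has corporate application", {"application": "corp-vpn-helper"})])
EMPLOYEES = Community("Employees", [TRUSTED, HOME_BYPASS])
DEFAULT_CACHE_CONTROL = Zone("Default", data_protection="Aventail Cache Control")

# Scenario 2: partners from their own domain get Secure Desktop; unknown systems are blocked.
PARTNER_ZONE = Zone("Partner domain",
                    [DeviceProfile("Partner PC", {"windows_domain": "PARTNERCO"})],
                    data_protection="Aventail Secure Desktop")
PARTNERS = Community("Partners", [PARTNER_ZONE])
DEFAULT_BLOCK = Zone("Default", block_access=True)


if __name__ == "__main__":
    for device in ({"windows_domain": "CORP"}, {"application": "corp-vpn-helper"}, {"windows_domain": "HOME"}):
        print("employee", device, "->", decide(device, EMPLOYEES, DEFAULT_CACHE_CONTROL))
    for device in ({"windows_domain": "PARTNERCO"}, {}):
        print("partner", device, "->", decide(device, PARTNERS, DEFAULT_BLOCK))
```

The Default zone is the fail-safe in both directions: in the employee scenarios an unrecognised device still gets in but with Cache Control enforced, while in the partner scenario it is turned away, which is why the guide has you configure that zone deliberately rather than leave it at whatever it was.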

Access Policy Scenarios

Access control rules determine what resources are available to users or groups. Rules can be defined broadly to provide access from any Aventail access method, or defined narrowly so that only a specific access method is permitted.

VPN connections typically involve what are called forward connections—these are initiated by a user to a network resource. All Aventail access methods support forward connections. However, if you are running the Aventail network tunnel service and deploy Aventail’s network tunnel clients to your users, you can also create access control rules for bi-directional connections.

For the Aventail VPN, bi-directional connections encompass:

• Reverse connections from a network resource to a VPN user, such as an SMS server that “pushes” a software update to users’ computers.

• Cross-connections using Voice over Internet Protocol (VoIP) applications that enable one VPN user to telephone another VPN user. Cross-connections require a pair of access control rules: one for the forward connection and one for the reverse connection. For information on VoIP scenarios, see “Providing Access to Voice Over IP (VoIP)” on page 55.

• Other types of bi-directional connections include FTP servers that download files to or upload files from a VPN user, and remote Help Desk applications.

Forward Connections

To create an access control rule for a forward connection:

1. Define the resource that will be controlled by the access control rule on the Add/Edit Resource page.

2. Create the rule on the Add/Edit Access Rule page.

3. Configure the rule so that the From box specifies the users to whom the rule will apply, and the To box specifies the destination resource the users will be permitted to access.

4. Specify the access methods that users must use in order to connect to the resource.

Reverse Connections

To create an access control rule for a reverse connection from a resource to VPN users:

1. Ensure that the network tunnel service is running on the appliance, through the AMC home page or the Services page.

2. Create an IP address pool for the network tunnel clients (Connect tunnel and/or OnDemand tunnel) on the Configure Network Tunnel Service page.

3. Ensure that the users who will access the VoIP application belong to a community that is configured to deploy one of the network tunnel clients to their computers, on the Access Methods page.

4. Define the resource that will be controlled by the access control rule on the Add/Edit Resource page.

5. Configure the rule so that the From box specifies the resource to which the rule will apply, and the To box specifies the users to whom the resource will be permitted access.

6. Specify the access methods that users must use in order to connect to the resource.

Application-Specific Scenarios

Here are some examples of how to configure the appliance to permit remote users to access some commonly used applications such as Microsoft Outlook Web Access and Citrix.

Providing Access to Outlook Web Access (OWA)

For convenience, AMC includes a pre-configured Web application profile for Microsoft Outlook Web Access (OWA). To provide user access to OWA:

1. Define a URL resource for the Outlook Web Access server on the Add/Edit Resource page.

2. Select OWA/Single Sign-On as the Web application profile on the Add/Edit Resource page. This automatically configures single sign-on and content translation for OWA.

3. Create an access control rule referencing the OWA server resource on the Add/Edit Access Rule page.

4. Add a Web shortcut to OWA for ASAP WorkPlace users on the Add/Edit Web Shortcut page.

5. Use the Start page box on the Add/Edit Web Shortcut page to append more specific information to the URL for OWA. For example, if you want the link to point to a directory or file other than the root, type a relative path in the Start page box since OWA stores content in a location other than the root. If the selected URL for Outlook Web Access points to mail.example.com, you could set the start page to /exchange/root.asp. The resulting URL would be https://mail.example.com/exchange/root.asp.

Providing Access to Voice Over IP (VoIP)

To permit users running an Aventail network tunnel client to call each other using a Voice over IP (VoIP) telephony application:

1. Ensure that the network tunnel service is running on the appliance, on the AMC Home page or Services page.

2. Create an IP address pool for the network tunnel clients (Connect tunnel and/or OnDemand tunnel) on the Configure Network Tunnel Service page.

3. Define a network resource using an IP range or subnet that corresponds to the IP address pool on the Add/Edit Resource page.

4. Ensure that the users who will access the VoIP application belong to a community that is configured to deploy one of the network tunnel clients to their computers, on the Access Methods section of the Configure Community page.

5. Create an access control rule from the VoIP users to the address pool that will be used for the VoIP application on the Add/Edit Access Rule page.

6. Create a second access control rule from the address pool for the VoIP application to the VoIP users on the Add/Edit Access Rule page.
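The following Python model is an added example, not Aventail code; it covers both the forward and reverse rule directions introduced under Access Policy Scenarios and the pair of rules this VoIP procedure creates. It reproduces only the From/To semantics the guide states (a forward rule pairs users in From with a resource in To, a reverse rule the other way round, and an access method the rule permits). Treating a cross-connection as two independent rule look-ups, one per leg, is an assumption about how the guide’s “pair of rules” is applied, and the user names, the address pool and the SMS server address are constructed.

```python
"""Forward, reverse and cross-connection access rules.

Added example, not Aventail code. Models the From/To semantics the guide
describes; the two-leg treatment of a VoIP call, the group names, the address
pool and the SMS server address are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

Party = Dict[str, str]   # {"user": name} for a VPN user, {"ip": address} for a network host


@dataclass(frozen=True)
class UserGroup:
    """Users or a group, as placed in a rule's From or To box."""
    name: str
    members: FrozenSet[str]


@dataclass(frozen=True)
class NetworkResource:
    """A network resource defined as an IP range or subnet."""
    name: str
    network: ipaddress.IPv4Network


Endpoint = Union[UserGroup, NetworkResource]


@dataclass(frozen=True)
class Rule:
    name: str
    src: Endpoint                    # the From box
    dst: Endpoint                    # the To box
    access_methods: FrozenSet[str]   # access methods the rule permits

    def direction(self) -> str:
        if isinstance(self.src, UserGroup) and isinstance(self.dst, NetworkResource):
            return "forward"
        if isinstance(self.src, NetworkResource) and isinstance(self.dst, UserGroup):
            return "reverse"
        raise ValueError(f"rule {self.name!r} must pair a user endpoint with a network resource")


def _matches(endpoint: Endpoint, party: Party) -> bool:
    if isinstance(endpoint, UserGroup):
        return party.get("user") in endpoint.members
    ip = party.get("ip")
    return ip is not None and ipaddress.ip_address(ip) in endpoint.network


def permitted(rules: List[Rule], initiator: Party, target: Party, method: str) -> bool:
    """True if some rule's From matches the initiator, its To matches the target,
    and the access method in use is one the rule allows."""
    return any(_matches(r.src, initiator) and _matches(r.dst, target) and method in r.access_methods
               for r in rules)


def voip_call_permitted(rules: List[Rule], caller: Party, callee: Party, method: str) -> bool:
    """Cross-connection: the caller's forward leg to the callee's pool address and the
    reverse leg from the caller's pool address to the callee must both be allowed."""
    forward_leg = permitted(rules, {"user": caller["user"]}, {"ip": callee["ip"]}, method)
    reverse_leg = permitted(rules, {"ip": caller["ip"]}, {"user": callee["user"]}, method)
    return forward_leg and reverse_leg


# Constructed sample policy
TUNNEL_CLIENTS = frozenset({"Connect tunnel", "OnDemand tunnel"})
VOIP_USERS = UserGroup("VoIP users", frozenset({"alice", "bob"}))
POOL = NetworkResource("Tunnel address pool", ipaddress.ip_network("10.10.0.0/24"))
SMS_SERVER = NetworkResource("SMS server", ipaddress.ip_network("192.0.2.10/32"))

FORWARD_RULE = Rule("VoIP users to pool", VOIP_USERS, POOL, TUNNEL_CLIENTS)   # step 5
REVERSE_RULE = Rule("Pool to VoIP users", POOL, VOIP_USERS, TUNNEL_CLIENTS)   # step 6
SMS_PUSH_RULE = Rule("SMS push to users", SMS_SERVER, VOIP_USERS, TUNNEL_CLIENTS)

ALICE: Party = {"user": "alice", "ip": "10.10.0.5"}   # pool address assigned at login
BOB: Party = {"user": "bob", "ip": "10.10.0.9"}


if __name__ == "__main__":
    print("forward rule only:", voip_call_permitted([FORWARD_RULE], ALICE, BOB, "Connect tunnel"))
    print("both rules:", voip_call_permitted([FORWARD_RULE, REVERSE_RULE], ALICE, BOB, "Connect tunnel"))
    print("SMS push:", permitted([SMS_PUSH_RULE], {"ip": "192.0.2.10"}, {"user": "alice"}, "Connect tunnel"))
```

With only the step 5 rule in place the call fails on its reverse leg, which is the symptom to look for when a VoIP deployment connects but never rings through; the same check shows why a push from a server such as SMS needs a rule whose From box is the server resource.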

Providing Access to Windows Terminal Services or Citrix

To allow users to access a Windows Terminal Services or Citrix host:

1. Configure the appropriate agent file or URL for the Windows Terminal Services agent or the Citrix agent on the Configure Graphical Terminal Agents page.

2. Define a network resource on the Add/Edit Resource page for the Windows Terminal Services or Citrix host.

3. Create a rule on the Add/Edit Access Rule page referencing the network resource.

4. Create a WorkPlace link for accessing the Windows Terminal Services or Citrix host on the Add/Edit Terminal Shortcut page.

Authentication Scenarios

Realms are used by the appliance for the following key purposes:

• Referencing external authentication servers.

• Provisioning access agents to VPN users, based on their community membership.

• Determining which End Point Control restrictions are imposed on users’ devices.

• Controlling the user’s login experience at a WorkPlace portal.

Using Multiple Realms vs. a Single Realm

If your organization uses only one authentication server, you’ll probably need to configure only one realm in AMC. However, if your users are stored in multiple authentication repositories, you will need to create a separate realm for each repository. For instance, if your employees are stored on an LDAP server, while your business partners are stored on an Active Directory server, you would create a separate realm to reference each server.

Another scenario in which you may want to create separate authentication realms on the appliance would be if you need to provide a unique look and feel for different users, whether you use only one external authentication server or multiple servers. Each realm would be associated with a custom WorkPlace site with its own unique colors, logos, and greeting text, and would have a custom URL.

The configuration steps involved in creating multiple realms are as follows:

1. Create a separate realm for each external authentication server on the General section of the Configure Realm page.

2. Associate one or more communities with each realm on the Communities section of the Configure Realm page.

3. Configure each community to define which realm members belong to it, select which access agents are deployed, and specify any End Point Control restrictions.

4. Determine whether users in each realm will log in by selecting their realm from a list in a main WorkPlace portal, or by going directly to a custom WorkPlace portal.

Using a Single Community

When you create an authentication realm in AMC, a default community associated with the realm is also automatically created. This single community may be sufficient if you have a homogenous group of users whose resource needs and access methods are identical. However, if you have a diverse group of remote users, you’ll probably want to create multiple communities, as described in the next topic.

The configuration steps involved in creating a single community are as follows:

1. Create a realm on the General section of the Configure Realm page that references an external authentication server. AMC automatically creates a default community that is referenced by the realm. The default community settings are global and apply to any realms that reference it.

2. Configure the community by selecting the users or groups who belong to it, the access methods they’ll use to connect to the VPN, and optionally any End Point Control options.

Using Multiple Communities

Multiple communities give you the flexibility to provision different access agents to different populations of users, and to similarly deploy different End Point Control configurations. This scenario is useful when all your users are stored on a single external authentication server, but you want to segment them, whether by their role in your organization, by the type of resources they need to access, or for other security reasons.

For example, you may want to create a community for those employees who use IT-managed laptops for remote access, and provision them with the Connect tunnel client to allow them extensive access to your network resources. For your business partners, you may want to create a community that restricts them to Web access and assigns them to an End Point Control zone that provisions a data protection tool to remove all session data after they log off.

The configuration steps involved in creating multiple communities are as follows:

1. Create a realm that references an external authentication server on the Configure Realm page.

2. Create two or more communities whose membership includes your selected users or groups.

3. Configure the access agents available to each community.

4. Optionally configure an End Point Control zone and device profile to deploy pre- or post-authentication data integrity tools.

5. Attach the EPC zone to the community.

Access Component Provisioning Scenarios

All of the Aventail user access components are provisioned or activated through the ASAP WorkPlace portal with the exception of the Aventail Connect proxy client and the Connect Mobile client, which are deployed separately.

Optionally, you can make the Aventail Connect tunnel client components available for users to download and install from another network location (such as a Web server, FTP server, or file server) without requiring them to log in to ASAP WorkPlace.

User access agents are deployed on a per-community basis. When configuring a user community, you can specify which access methods will be available to community members to connect to resources on your network.

Multiple agents can be active simultaneously. For example, the OnDemand proxy agent in dynamic mode and the Web proxy agent might be active at the same time; OnDemand in dynamic mode would provide users with access to TCP/IP resources, and the Web proxy agent would provide users with access to Web resources.

When a user logs in to ASAP WorkPlace for the first time, WorkPlace automatically provisions and installs the appropriate user access agent based on the user’s community settings. The agent that is deployed will be installed on the user’s computer; on subsequent connections from the same computer with the same Web browser, that same agent will automatically be deployed.

WorkPlace Scenarios

Here are some examples of how to use WorkPlace to create a customized portal for your users to access your network resources.

Creating Custom WorkPlace Sites

You can create multiple WorkPlace sites for different user populations. Each custom WorkPlace site can have its own unique external URL and appearance.

To create custom WorkPlace sites:

1. Create a WorkPlace site on the Configure WorkPlace Site page.

• Enter a name for the site and its fully qualified domain name in the General section, and specify the realm users will log in to.

• Customize the font, color scheme, logo, and other visual attributes of the site in the Appearance section.

• Specify a fully qualified domain for the WorkPlace site. Users will type this name, prefixed with http://, to access WorkPlace. Note that you must communicate this external FQDN to users so they know how to access WorkPlace. You must also add this FQDN to your public DNS.

2. Define the resources you want the users to be able to access on the Add/Edit Resource page.

3. Create the appropriate shortcuts to the resources on the WorkPlace Shortcuts page.

Adding Shortcuts to WorkPlace

If you don’t want to create customized WorkPlace sites, you can make modifications to the preconfigured default WorkPlace site. Shortcuts, which appear on the WorkPlace Home page, provide your users with quick access to Web, network file system, and other resources, and do not require that users know specific URLs, hosts, or file system paths.

To configure shortcuts in WorkPlace:

1. Define the resources (Web, network, or graphical terminal) you want the users to be able to access on the Add/Edit Resource page.

2. Select the type of shortcut you want to create on the WorkPlace Shortcuts page.

3. Configure the relevant shortcut options.