Getting Started Guide
Version 8.6
© 1996-2005 Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Tunnel, Aventail End Point Control, Aventail Management Console, Aventail Connect Mobile, Aventail OnDemand, Aventail OnDemand Tunnel, Aventail Secure Desktop, Aventail Smart Access, Aventail Smart Policy, Aventail Smart SSL VPN, Aventail Smart Tunneling, Aventail ST, Aventail Unified Policy, Aventail WorkPlace, Aventail WorkPlace Mobile, Aventail EX-750, Aventail EX-1500, Aventail EX-2500, and their respective logos are trademarks, registered trademarks, or service marks of Aventail Corporation. Other product and company names mentioned are the trademarks of their respective owners.
Last modified 10/11/05 14:05 Part number 0850-000015-01
Table of Contents
Chapter 1 Introduction
Introduction to the Aventail VPN
Key VPN Concepts
Resources
Smart Tunneling
Authentication
Access Policy
End Point Control
Users, Groups, and Communities
SSL and Encryption
FIPS
Clustering and High Availability
Role-Based Administration
Single Sign-On
System Monitoring and Logging
Aventail VPN Components
Client Components
Network Explorer
Connect Tunnel Client
OnDemand Tunnel Agent
Connect Mobile Client
Connect Proxy Client
OnDemand Proxy Agent
Web Proxy Access
Translated Web Access
End Point Control
Administrator Components
Chapter 2 Planning Your VPN
Who Will Access Your VPN?
What Types of Resources Are You Deploying?
How Will Users Access Your Resources?
Tunnel, Proxy, or Web: Which Access Method is Best for You?
System Requirements for Client Access Agents
Security Administration
Defining Resources
Managing Access Control with an Access Policy
End Point Control
Putting It All Together: Using Realms and Communities
Chapter 3 Preparing for Installation and Deployment
Installation
Deployment Checklist
Verifying Your Firewall Policies
Installation and Configuration Overview
Deployment
Deploying ASAP WorkPlace
Deploying the Aventail Access Methods
Deploying End Point Control Agents
Chapter 4 Common VPN Configurations
Remote Access VPN Scenarios
Providing Access to Specific Web Resources
Providing Access to All Web Resources on Your Network
Providing Access to Any Web Resources on a Portion of Your Network
Providing Windows Users with Broad Access to Network Resources
Providing Web-based File Access to Entire Networks
Partner VPN Scenarios
Providing Access to a Specific Web Resource and Obscuring Its Internal Host Name
Providing Web-based Access to a Client/Server Application
End Point Control Scenarios
Deploying Aventail Cache Control to Employees on an Untrusted System
Deploying Aventail Secure Desktop to Partners from Their Domain
Allowing Selected Employees to Bypass Aventail Cache Control
Access Policy Scenarios
Forward Connections
Reverse Connections
Application-Specific Scenarios
Providing Access to Outlook Web Access (OWA)
Providing Access to Voice Over IP (VoIP)
Providing Access to Windows Terminal Services or Citrix
Authentication Scenarios
Using Multiple Realms vs. a Single Realm
Using a Single Community
Using Multiple Communities
Access Component Provisioning Scenarios
WorkPlace Scenarios
Creating Custom WorkPlace Sites
Chapter 1
Introduction
This chapter provides a brief overview of the features of the Aventail SSL VPN and its key components, and explains some essential virtual private networking components. For detailed information and step-by-step procedures on how to install and configure the appliance, please see the separate Installation and Administration Guide.
Introduction to the Aventail VPN
The Aventail SSL VPN appliance provides secure access—including clientless access to Web applications, access to client/server applications, and file sharing—to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users.
The Aventail appliance makes applications available from a range of access methods—including a standard Web browser, Web-based ActiveX or Java-based agents, a Windows client, or a PocketPC client—on a wide range of platforms and devices including Windows, Macintosh, Linux, and handheld devices. You might use the appliance to:
• Create a remote access VPN that enables remote employees to securely access private company applications such as e-mail over the Internet.
• Create a business partner VPN that provides designated suppliers with access to an internal supply chain application over the Internet.
Your Aventail VPN transparently and dynamically provides the appropriate access methods to a wide range of resources, which improves employee productivity and reduces the total cost of ownership.
The appliance’s granular access control enables you to define policy and control access down to the user and resource level. To increase efficiency, the appliance is managed from a Web-based management console. The Aventail® ASAP Management Console (AMC) enables you to quickly and easily manage policy and configure the appliance from a standard Web browser.
Key VPN Concepts
This section describes the essential concepts that you should become familiar with before installing, configuring, and managing the VPN.
Resources
The Aventail appliance manages a wide variety of corporate resources in three main categories: Web resources, client/server resources, and Windows file shares. Web resources are applications or services that run over the HTTP or HTTPS protocols, such as Microsoft Outlook Web Access. Client/server resources are enterprise applications that run over TCP/IP, such as Citrix and Voice over Internet Protocol (VoIP) telephony applications. Windows file shares include Windows network servers or computers containing shared folders and files.
When managing resources, you have some flexibility to decide which resource type to use for a given object on your network. The type you choose will vary depending on your VPN design. For example, you might define a Web application as a URL resource for use by a business partner and “alias” the host name for an extra measure of security. Alternatively, you could define the domain in which the Web application is located as a network resource, which is a convenient way to enable remote employee access to multiple Web resources within a domain.
Smart Tunneling
Aventail Smart Tunneling™ provides secure access for TCP and UDP traffic; bi-directional traffic, such as remote Help Desk applications; cross-connections, such as VoIP applications; and reverse cross-connections, such as SMS. Smart Tunneling provides access using two access agents: the Aventail® OnDemand™ tunnel agent (a browser-based, Web-activated agent) and the Aventail Connect tunnel client (a Web-installed Windows client). Each client provides network-level access to all resources, effectively making the user’s computer a node on your network.
The tunnel clients are managed from AMC using the Aventail network tunnel service. Configuring this service to manage TCP/IP connections from the network tunnel clients requires setting up IP address pools that are used to allocate IP addresses to the clients.
Authentication
Authentication is the process of verifying a user’s identity to ensure that the individual really is who he or she claims to be. Authentication differs from authorization—authentication verifies identity, while authorization specifies access rights.
To manage user authentication with the appliance, you use AMC to define one or more external authentication servers (also known as directory servers or user stores) that contain the identification or credentials for your user population. The appliance integrates with several of the most common authentication servers. The actual management of the user information is still done on your authentication servers; the appliance simply makes use of that information to evaluate identity of your users.
Depending on the size and complexity of your organization, you may have a single authentication server for all of your users, or multiple authentication servers that store different segments of your user population. Regardless of the number or type of authentication servers you have, the appliance uses a simple method for linking to them. Each authentication server is associated with an authentication realm that you set up. These realms are what users log in to on the appliance to gain access to your resources. So if your organization has one authentication server, you would create one authentication realm on the appliance, or if you have several authentication servers, you’d create a realm for each of them. For a more granular approach to deployment and security, you can further subdivide your user population using a subset of a realm known as a community.
Using AMC to set up authentication involves configuring the combination of an authentication server, an authentication method (username/password, token or smart card, or digital certificate), and other configuration items that make the authentication process unique (for example, the LDAP search base or the specific directory server).
The Aventail appliance supports the following directories and authentication methods:
• LDAP with username/password or digital certificate
• Microsoft Active Directory with username/password
• RADIUS with username/password or token-based authentication (such as SecurID or SoftID)
• Netegrity SiteMinder with credentials or RSA ClearTrust with credentials
• Local users with username and password (used primarily for testing purposes and not recommended in a production environment)
Access Policy
An access policy is the set of access control rules that defines the privileges of users who connect to resources through the appliance. These rules define the applications or network resources that users or user groups are allowed to access.
Access control rules are stored as a list in AMC, with each rule assigned a specific order in the list. When the appliance evaluates a connection request, it begins at the top of the list and works down the list until it finds a match. When it finds a match, the action required by the rule—either “permit” or “deny”—is applied and no further rules are evaluated. If the appliance reaches the end of the list without finding a match, it applies an implicit “deny” rule to prohibit access to the user.
Access to a resource can be based on several criteria. Most access rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource he or she is trying to reach. You can use other criteria in access control rules, such as the access method used to reach a resource, the user’s network address, or the date and time of the connection request.
The appliance gives you wide latitude in creating access control rules, depending on whether your organization’s security policy demands stringent control or is relatively permissive. For example, if your VPN is accessed only by highly trusted employees who are using computers managed by your IT department, you could create an open access policy that defines your entire network domain as a resource and grants broad access to your employees. Conversely, if you are providing access to a diverse group of users with varying degrees of access privileges, or who connect from less-secure devices such as public kiosks, you might use an access policy that defines individual resources and establishes more stringent access requirements. As your network changes over time, you will need to configure the access control rules that determine what application resources are available to your various users and groups. Before adding an access control rule, carefully examine your list of existing rules; you might find that you can modify an existing rule instead of creating a new one. To save time, you can also copy an existing rule and modify its parameters.
If you decide to add a new rule, reviewing your current configuration will help you determine where the new rule should fit in the rule order. New rules are added to the top of the access control list by default; you can then move them to their proper positions in the list.
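The ordered, first-match evaluation with an implicit deny described above is easy to get wrong when rules are reordered. The following Python is an added example written for this guide, not Aventail code: it models a request with the criteria the text names (user and group, destination resource, access method, source address, time of day), walks a constructed rule list top-down, stops at the first match, and falls through to an implicit deny. The rule and request names, the group names, and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Request:
    """A connection request as the policy engine sees it (hypothetical model)."""
    user: str
    groups: Set[str]
    resource: str          # destination host the user is trying to reach
    access_method: str     # "tunnel", "proxy" or "web"
    source_ip: str
    when: datetime


@dataclass
class Rule:
    """One access control rule; None for a criterion means 'any'."""
    name: str
    action: str                                   # "permit" or "deny"
    users: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    resources: Optional[Set[str]] = None
    access_methods: Optional[Set[str]] = None
    source_networks: Optional[List[str]] = None   # CIDR strings
    hours: Optional[Tuple[int, int]] = None       # (start, end) hour of day, end exclusive

    def matches(self, req: Request) -> bool:
        """Every criterion the rule specifies must hold; unspecified ones match anything."""
        if self.users is not None and req.user not in self.users:
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        if self.resources is not None and req.resource not in self.resources:
            return False
        if self.access_methods is not None and req.access_method not in self.access_methods:
            return False
        if self.source_networks is not None and not any(
            ip_address(req.source_ip) in ip_network(net) for net in self.source_networks
        ):
            return False
        if self.hours is not None and not (self.hours[0] <= req.when.hour < self.hours[1]):
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the list from the top; the first matching rule decides and nothing
    below it is consulted. Reaching the end of the list is an implicit deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "<implicit deny>"


def add_rule(rules: List[Rule], rule: Rule) -> None:
    """New rules land at the top of the list by default; the administrator then
    moves them to the right position."""
    rules.insert(0, rule)


# Constructed sample policy (not a real configuration).
POLICY: List[Rule] = [
    Rule("partners: supply chain app", "permit", groups={"Partners"},
         resources={"supply.example.com"}),
    Rule("partners: nothing else", "deny", groups={"Partners"}),
    Rule("employees: tunnel from managed subnet", "permit", groups={"Employees"},
         access_methods={"tunnel"}, source_networks=["192.0.2.0/24"]),
    Rule("employees: web during business hours", "permit", groups={"Employees"},
         access_methods={"web"}, hours=(8, 18)),
]

# Constructed requests.
PARTNER_APP = Request("bob", {"Partners"}, "supply.example.com", "web",
                      "203.0.113.5", datetime(2005, 10, 11, 10, 0))
PARTNER_INTRANET = Request("bob", {"Partners"}, "intranet.example.com", "web",
                           "203.0.113.5", datetime(2005, 10, 11, 10, 0))
EMPLOYEE_TUNNEL = Request("alice", {"Employees"}, "intranet.example.com", "tunnel",
                          "192.0.2.7", datetime(2005, 10, 11, 22, 0))
EMPLOYEE_WEB_LATE = Request("alice", {"Employees"}, "intranet.example.com", "web",
                            "203.0.113.9", datetime(2005, 10, 11, 22, 0))
CONTRACTOR = Request("carol", set(), "intranet.example.com", "web",
                     "203.0.113.9", datetime(2005, 10, 11, 10, 0))


def lockout_effect() -> Tuple[str, str]:
    """Why order matters: a deny for Partners added at the top shadows the
    permit beneath it, so even the supply chain app is refused."""
    rules = list(POLICY)
    add_rule(rules, Rule("partners: temporary lockout", "deny", groups={"Partners"}))
    return evaluate(rules, PARTNER_APP)


if __name__ == "__main__":
    for req in (PARTNER_APP, PARTNER_INTRANET, EMPLOYEE_TUNNEL, EMPLOYEE_WEB_LATE, CONTRACTOR):
        print(req.user, req.resource, req.access_method, "->", evaluate(POLICY, req))
    print("with lockout rule at top:", lockout_effect())
```

Two things to notice when reading the output: the employee connecting by Web at 22:00 is refused by the implicit deny, not by any rule the administrator wrote, and the temporary lockout rule inserted at the top makes the partner's permit unreachable, which is exactly why the text advises reviewing rule order after adding a rule.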
End Point Control
Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring additional risks from computers in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer.
The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and ensure that your network is not compromised when accessed from computers in untrusted environments. Aventail’s data protection agents—Aventail Secure Desktop and Aventail Cache Control—automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access.
The appliance’s EPC configuration options give you granular control over VPN access using device profiles and zones:
• A device profile is a set of attributes that characterize the device requesting the connection. These attributes can include a Windows domain name, the presence of software programs such as a personal firewall or antivirus program, a registry entry, or other unique characteristics.
• A zone classifies a connection request based on the presence or absence of a device profile, and is used to control the provisioning of data protection components or determine which resources are available. When a user connects to the appliance, the appliance interrogates the user’s computer, then determines if its attributes match those defined in a device profile. If the device matches the profile, the appliance classifies the computer into the appropriate End Point Control zone. For example, if the device does not have a personal firewall or antivirus program, it may be classified as “untrusted,” provisioned with a browser cache cleaner, and restricted to Web-based e-mail access.
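As an added example (not Aventail code), the following Python models the device profile and zone mechanism just described: the result of interrogating the endpoint is represented as a dictionary of attributes, a profile is a set of attributes that must all match, and each zone is defined by the presence or absence of a profile together with the data protection agents it provisions and the resources it may reach. Zones are checked in order with a fallback zone at the end. The zone names, attribute names, and endpoint samples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Attributes = Dict[str, object]   # interrogation result: attribute name -> observed value


@dataclass
class DeviceProfile:
    """Attributes that characterize a device: Windows domain, personal firewall,
    antivirus, a registry entry, and so on. All required attributes must match."""
    name: str
    required: Attributes

    def matches(self, attrs: Attributes) -> bool:
        return all(attrs.get(key) == value for key, value in self.required.items())


@dataclass
class Zone:
    """Classifies a request by the presence (present=True) or absence
    (present=False) of a device profile, and says what to provision and
    which resources the zone may reach."""
    name: str
    profile: Optional[DeviceProfile]          # None only for the fallback zone
    present: bool = True
    provision: Tuple[str, ...] = ()           # data protection agents pushed to the client
    resources: FrozenSet[str] = frozenset()   # resource names reachable from this zone

    def classifies(self, attrs: Attributes) -> bool:
        if self.profile is None:
            return True                       # fallback zone catches everything
        return self.profile.matches(attrs) == self.present


# Constructed profiles.
MANAGED_LAPTOP = DeviceProfile("managed laptop", {
    "domain": "CORP", "personal_firewall": True, "antivirus": True, "managed_registry_key": True,
})
PROTECTED = DeviceProfile("firewall and antivirus present", {
    "personal_firewall": True, "antivirus": True,
})

# Constructed zones, evaluated in order; the last one is the fallback.
ZONES: List[Zone] = [
    Zone("trusted", MANAGED_LAPTOP,
         resources=frozenset({"owa", "intranet", "file-shares"})),
    # Absence of PROTECTED: no firewall or no antivirus -> cache cleaner, webmail only.
    Zone("untrusted", PROTECTED, present=False,
         provision=("cache-control",), resources=frozenset({"owa"})),
    Zone("standard", None,
         provision=("cache-control",), resources=frozenset({"owa", "intranet"})),
]


def classify(attrs: Attributes, zones: List[Zone] = ZONES) -> Zone:
    """Return the first zone whose profile condition holds for this device."""
    for zone in zones:
        if zone.classifies(attrs):
            return zone
    raise ValueError("zone list must end with a fallback zone")


def can_access(attrs: Attributes, resource: str) -> bool:
    return resource in classify(attrs).resources


# Constructed interrogation results.
CORP_LAPTOP: Attributes = {"domain": "CORP", "personal_firewall": True,
                           "antivirus": True, "managed_registry_key": True}
HOME_PC: Attributes = {"domain": None, "personal_firewall": True, "antivirus": True}
KIOSK: Attributes = {"domain": None, "personal_firewall": False, "antivirus": False}


if __name__ == "__main__":
    for label, attrs in (("corporate laptop", CORP_LAPTOP), ("home PC", HOME_PC), ("kiosk", KIOSK)):
        zone = classify(attrs)
        print(f"{label}: zone={zone.name} provision={zone.provision} resources={sorted(zone.resources)}")
```

The kiosk, lacking both a firewall and antivirus, lands in the untrusted zone, is provisioned with the cache cleaner and can reach only Web mail, matching the scenario in the text; the home PC with both protections but no domain membership falls through to the standard zone; only the fully managed laptop reaches file shares.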
Users, Groups, and Communities
A user is an individual who needs access to resources on your network, and a user group is a collection of users. After you’ve created users or user groups on the appliance that are mapped to an external authentication server, you can reference them in an access control rule to permit or deny them access to resources.
Communities are a cornerstone of the appliance’s approach to deployment and security. Communities are used to aggregate users and groups for the purpose of deploying access agents to them and providing End Point Control, but can also be referenced in access control rules.
You can create communities for specific types of users, such as remote employees or business partners, and you can configure more granular types of communities, such as users in a particular department or geographic location.
For example, you may want to deploy one of Aventail’s network tunnel clients to certain employees who require broad access to resources and applications on your network and who use laptops managed by your IT department. You may have another group of users who require only limited access to Web resources because they’re logging in from public kiosks or other non-secure locations. To provide access to these disparate user groups, you could create two separate communities, each configured to deploy the appropriate access agents, and in the case of users connecting via public kiosks, using End Point Control to prevent sensitive data from being left on the kiosk.
SSL and Encryption
The Aventail appliance encrypts information using the Secure Sockets Layer (SSL) protocol. SSL is an authentication and encryption protocol that uses a key exchange method to establish a secure environment in which all data exchanged is encrypted to protect it from eavesdropping and alteration. The Aventail appliance uses SSL certificates to validate the appliance’s identity to connecting users, and to provide a public key to secure information that the client computer sends to the server. The appliance requires two SSL certificates:
• The Aventail services use a certificate to secure end-user traffic.
• AMC uses a certificate to secure management traffic.
There are two types of certificates: self-signed and commercial certificates. With a self-signed SSL certificate, you are verifying your own identity. The associated private key data is encrypted using a password. AMC uses a self-signed certificate.
Although a self-signed SSL certificate is secure, you may want to secure end-user traffic with a certificate from a commercial certificate authority (CA). Commercial certificates are purchased from a CA (such as VeriSign) and are usually valid for one year.
A commercial CA verifies your company’s identity, in effect vouching for your identity by providing you with a certificate that the CA signs. A common analogy for a certificate from a commercial CA is a passport. You can present someone with an ID you create yourself, but they may be skeptical about your identity if they do not already know you. If you present someone with a passport issued to you by a trusted country, he or she may be more inclined to accept your identification as valid because a passport office has made an effort to verify your identity.
For users who connect to the appliance from small form factor devices, you should configure the appliance with a certificate from a leading CA, or else import the root certificate from your CA onto your users’ small form factor devices. When the appliance is configured with either a self-signed certificate or a certificate from a CA that is not well known, most small form factor devices will either display a security prompt or reject the certificate. For example, Windows Mobile smartphones are configured with the root certificates for only VeriSign, CyberTrust, Thawte, and Entrust.
When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance and how they will use resources on your network:
• If business partners are connecting to Web resources through the appliance, they will likely want some assurance of your identity before performing a transaction or providing confidential information. In this case, you would probably want to obtain a certificate from a commercial CA for the appliance.
• On the other hand, employees connecting to Web resources may trust a self-signed certificate. Even then, you may want to obtain a third-party certificate so that end users are not prompted to accept a self-signed certificate each time they connect.
For additional security, Aventail offers an appliance equipped with a FIPS-compliant (Federal Information Processing Standard) SSL module for creating keys and digital certificates.
FIPS
FIPS is a U.S. government standard that provides a benchmark for implementing cryptographic software. FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system.
Aventail offers a FIPS-enabled appliance that includes an internal hardware security module (HSM) to protect the private cryptographic keys that are used by the appliance, manage the smart cards used to access the HSM, and perform other operational and troubleshooting functions. The hardware security module is FIPS 140-2 Level 2 compliant.
Clustering and High Availability
An Aventail cluster provides high availability by including either integrated load balancing or external load balancing, depending on the appliance model, as well as stateful user authentication failover, and centralized administration.
A cluster is designed to prevent a single point of failure. When you deploy a cluster, you can distribute applications over more than one computer, which improves response time and avoids unnecessary downtime if a failure occurs. The cluster appears as a single system to users, applications, and the network, while providing a single point of control for administrators.
Aventail offers three appliances with clustering and high-availability features:
• The entry-level appliance includes support for clustering two identical appliances behind one virtual IP address for up to 100 users, with integrated load balancing.
• The Aventail mid-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 1,000 users.
• The Aventail enterprise-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 2,000 users.
These cluster configurations support an active/active configuration, meaning all nodes in the cluster are actively sharing the user load at any given time. You administer all the nodes of an Aventail cluster from one master management console. After installing the software on all nodes, you log in to AMC on one of the nodes and assign it as master. From that point on, this node controls the propagation and synchronization of policy and configuration across both nodes.
The slave node provides a redundant AMC, but it is not automatically assigned as master if the master node fails. Instead, you must log in to the slave node’s AMC and manually assign it to be the master. When the original master node comes back online, it detects that the other node is now the master and it demotes itself to a slave node.
Role-Based Administration
Role-based administration restricts access for managing the appliance via AMC to authorized users based on their job functions and responsibilities. Permission to perform specific administration functions is assigned to roles defined in AMC.
AMC is configured by default with one primary administrator who has full access to all AMC management features. The primary administrator can then delegate responsibility for four types of AMC management to users designated as secondary administrators. These secondary administrator roles are as follows:
• Security administration: controls permissions to manage access control rules, resources, users, and user groups. It also controls access to settings for WorkPlace, Aventail OnDemand, and End Point Control.
• System configuration: controls permissions to manage network settings, SSL settings, access and network services, general appliance settings, and authentication servers and realms.
• System maintenance: controls permissions to shut down or restart the appliance, update or roll back the system software, and import or export configuration data.
• System monitoring: controls permissions to view system logs and graphs, modify log settings, view active users, run troubleshooting tools, and terminate user sessions.
For each administrator category, the primary administrator sets the permission level to allow read/write access or read-only access, or to disable access, which hides the relevant portion of the AMC user interface. The primary administrator also sets up a password-protected account for each user designated as a secondary administrator.
Single Sign-On
Single sign-on (SSO) is an option that controls whether to forward user credentials to back-end Web resources. Configuring the appliance to use SSO prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource).
The appliance supports several types of Web-based SSO:
• Basic authentication forwarding is a widely supported form of authentication forwarding, but is not very secure because it sends passwords in the clear across the network. The appliance can be configured to send each user’s unique authentication credentials, or “static” credentials (that is, the same credentials for all users). Basic authentication forwarding is configured within a Web application profile, which is assigned to a resource.
• NTLM authentication forwarding provides a secure method for sending Windows network credentials to a Microsoft IIS (Internet Information Services) Web server. NTLM (short for “Windows NT LAN Manager”) uses a challenge/response mechanism to securely authenticate users without sending passwords in the clear across the network. NTLM authentication forwarding passes a Windows domain name along with the user’s authentication credentials.
• Netegrity SiteMinder is a third-party product that provides a centralized mechanism for administering authentication and single sign-on. You can configure the appliance to receive user authentication credentials from a SiteMinder server and forward the credentials to any back-end Web resources it is protecting.
• RSA ClearTrust is a third-party product that provides a centralized mechanism for managing user authentication and single sign-on. You can configure the appliance to receive user authentication credentials from a ClearTrust server and forward the credentials to any back-end Web resources it is protecting.
System Monitoring and Logging
System monitoring and logging features permit administrators to view both real-time and historical data about the performance of the appliance and its access services, as well as user activity.
The AMC home page displays a graphical summary of the current number of active users, network bandwidth, disk space usage, and CPU usage. More detailed views of this graphical data are also available in hourly, daily, and weekly increments.
AMC also allows administrators to view the total number of active users at any given time and search the list of active user sessions by user name. User monitoring also lets you terminate a user’s session, even if the user has multiple active connections on different services or nodes.
If you have a Simple Network Management Protocol tool, you can use it to monitor the appliance as an SNMP agent. The appliance provides a variety of management data in Management Information Base (MIB) format.
The AMC log viewer provides a detailed view of appliance, user access, and other activities contained in the following log files:
• The system message log displays server processing and diagnostic information about the access services, as well as detailed information on how access policy rules are applied.
• The user audit logs provide detailed information about connection activity, including a list of users accessing your network and the amount of data transferred.
• The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred, for the Web proxy service.
• The management console audit log records information about configuration changes made to the appliance by authorized administrators.
The AMC log viewer allows you to customize the display of log message data using sorting, searching, and filtering options. If you need to perform additional analysis of the log message data, or display the data differently than how it appears in the log viewer, you can export selected data to comma-separated values (.csv) files for use by another application, such as Microsoft Excel.
Aventail VPN Components
Your Aventail SSL VPN appliance consists of several key administrator and client components described next.
Client Components
The appliance includes several components that provide users with access to resources on your network.
Smart Access
With Smart Access™ the appliance automatically communicates with the end point and determines which access method is most appropriate for the user’s system. When a user logs in to ASAP WorkPlace for the first time, WorkPlace automatically provisions the user with the agent that will provide the broadest range of access based on the user’s access privileges, operating system, browser configuration, and any other constraints on the user’s system.
ASAP WorkPlace
The Aventail® ASAP™ WorkPlace portal provides your users with access to Web-based resources. After a user logs in to ASAP WorkPlace, a Web page appears that contains an administrator-defined list of shortcuts. These shortcuts point to the Web-based resources, Windows file system resources, and terminal servers to which the user has access privileges. ASAP WorkPlace is accessible from a standard Web browser.
You can also create customized WorkPlace sites that employ different appearances (colors, logos, and greeting text) and unique URLs. This enables you to configure and deploy unique portals for different audiences (such as partners and employees).
Web resources and file system resources can be accessed from any Web browser that supports SSL. By default, the appliance is configured to deploy a Microsoft ActiveX control (the Web proxy agent) on newer versions of Microsoft Windows systems running Internet Explorer. The Web proxy agent proxies Web content directly through the appliance. The appliance supports Web-based access to Windows Terminal Services (WTS) and Citrix hosts. These hosts are accessed by Web-based terminal agents that use native application protocols to send data to the terminal server.
For users running other browsers, the appliance will automatically provide translated Web access. If you’d rather not install an agent or your users’ systems don’t support ActiveX, you can configure the appliance to provide translated Web access.
Network Explorer
Network Explorer is a part of ASAP WorkPlace that provides access to any Windows file system resources that the user has permission to use. These resources can include servers, computers, workgroups, folders, and files.
Connect Tunnel Client
The Aventail® Connect™ tunnel client is a Windows application with a small footprint that provides broad access to network resources. The Connect tunnel client provides access to any type of application or protocol, including non-TCP protocols such as Voice Over Internet Protocol (VoIP), ICMP, and multicast. The Connect tunnel client is initially installed from the ASAP WorkPlace portal or from a separate installer package, and is administered in AMC.
OnDemand Tunnel Agent
The Aventail® OnDemand™ tunnel agent is a lightweight ActiveX or Java agent that provides the same broad access to applications and protocols as the Connect tunnel client. It is similar in all respects to the Connect tunnel client except that it is activated each time a user logs into the ASAP WorkPlace portal.
Connect Mobile Client
Aventail® Connect Mobile™ client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including client/server applications, thin client applications, file servers, and Web resources. The Connect mobile client is installed using a Windows setup program that extracts the application files and then copies the files to the user’s Pocket PC device through ActiveSync.
Connect Proxy Client
The Aventail® Connect™ proxy client is a Windows application that provides access to a broad range of resources including traditional client/server applications, thin-client applications, file servers, and Web resources. Installed on the user’s computer, the Aventail Connect proxy client can provide additional end-point security by requiring personal firewalls and antivirus applications. Aventail Connect supports Microsoft single sign-on and provides seamless access to network share resources from Network Neighborhood.
OnDemand Proxy Agent
The Aventail® OnDemand™ proxy agent is a secure, lightweight Java applet that provides access to network resources protected by the Aventail network proxy service. The OnDemand proxy agent can be downloaded from ASAP WorkPlace “on demand” to give users clientless VPN access—ideal for partners or vendors that do not have standard VPN access to your network or for mobile employees that may need to access network resources from a non-work computer such as a public kiosk.
Web Proxy Access
The Aventail Web proxy agent provides access through ASAP WorkPlace to any Web resource, including Web-based applications, Web portals, and Web servers, as well as Windows network shares. Web proxy access eliminates the need for Web content translation and provides broad access to enterprise Web applications for users running Microsoft Windows XP or 2000 and Internet Explorer or Firefox with ActiveX enabled.
Translated Web Access
Translated Web access is available from any Web browser supported by ASAP WorkPlace and provides access to any Web resource and Windows network shares.
End Point Control
End Point Control components ensure that your network is not compromised when accessed from PCs in untrusted environments. The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and your network. Aventail’s post-authentication data protection agents—Aventail Secure Desktop and Aventail Cache Control— automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access.
Administrator Components
This section highlights the key components that you’ll use to manage the Aventail appliance and services.
ASAP Management Console
AMC is a Web-based administrative tool used to manage the appliance. It provides centralized access for managing security policies, configuring the system (including networking and certificate configuration), monitoring, troubleshooting, and administrator accounts. AMC is accessible from a Web browser.
Setup Wizard
Setup Wizard streamlines the initial configuration of the appliance. It guides you through the process of selecting basic network settings, configuring appliance options, defining resources, creating a basic access policy, and creating local users for testing purposes. Setup Wizard is a Web-based alternative to using the command-line Setup Tool.
Aventail Access Services
The appliance uses four access services to manage the access clients and agents that users employ to connect to your network resources:
• The Aventail network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of applications and protocols, including non-TCP protocols such as Voice over IP (VoIP) and ICMP, reverse-connection protocols like SMS, and bi-directional protocols such as FTP. It works in conjunction with the Aventail Connect tunnel client and the Aventail OnDemand tunnel agent to provide authenticated and encrypted access.
• The Aventail Web proxy service provides users with secure access to Web-based applications, Web servers, and network file servers from a Web browser, or to Web-based applications and Web servers from a Pocket PC device using the Aventail Connect Mobile client. The Web proxy service contains a secure HTTP reverse proxy that brokers and encrypts access to Web-based resources. It includes user log-off capability to enhance security for users at public Web kiosks. It also manages TCP/IP connections from the Aventail OnDemand Java agent.
• The ASAP WorkPlace service controls access to WorkPlace resources accessed from a Web browser. The ASAP WorkPlace service communicates with Windows file servers and network shares (including Microsoft Distributed File System, or DFS, resources) using the Server Message Block (SMB) file-sharing protocol.
• The Aventail network proxy service provides a secure proxy for accessing standard client/server applications. It works in conjunction with the Aventail Connect proxy client to provide authenticated and encrypted access over the Internet. The network proxy service is based on the SOCKS v5 protocol. The network proxy service brokers and encrypts access to internal applications and networks. Its proxy-based architecture and use of SSL enables the network proxy service to traverse firewalls, NAT devices, and other proxy servers that can interfere with traditional VPN devices.
Command-Line Tools
Included on the appliance are several command-line administrative tools for performing initial setup of the appliance, backing up configuration settings, patching and upgrading the software, and restoring previous versions or configurations. These operations can also be performed using AMC’s graphic user interface.
Chapter 2
Planning Your VPN
To effectively design your VPN, you must identify who will access your VPN, what types of resources you will make available, and which access methods you will provide to end users so they can reach your network.
Who Will Access Your VPN?
A key consideration in planning your VPN is identifying the users who need to access your network resources.
Your user community will obviously have a major impact on how you design and administer your VPN. Most VPN users generally fall into one of two major categories: remote employees or business partners.
• Remote employees. When serving remote and mobile employees, you’ll generally provide relatively open access to enterprise resources, such as providing domain-level access to them. Of course, you can also define a more granular access policy for specific resources that contain sensitive information (such as a payroll application).
Employee computer systems under IT control provide the flexibility to install client software—such as the Aventail Connect tunnel or proxy client—on the desktop. The Aventail Connect clients provide direct integration with Windows Network Neighborhood for users accessing the network from a remote location.
• Business partners. Suppliers, vendors, contractors, and other partners generally have restricted access to resources on your network. This requires you to administer more granular resource definitions and access control rules than those typically used for a remote access VPN. For example, instead of simply defining a domain resource and granting employees open access privileges, you’ll often need to define specific host resources and manage a more complex access policy. Additionally, when defining a Web resource you may want to obscure its internal host name to maintain the privacy of your network.
Because of the administrative and support issues associated with installing client software on computers outside the control of your IT organization, a Web-based access method is often best for business partners.
What Types of Resources Are You Deploying?
The Aventail appliance manages a wide variety of corporate resources, which fall into three categories:

Resource type: Web
• Examples: Microsoft Outlook Web Access; Web-based applications; Web portals; Web servers.
• Planning considerations: When specifying URLs to Web resources, include the http:// or https:// prefix. Use aliases to obscure host names on private networks.

Resource type: Client/server
• Examples: Citrix; Microsoft Outlook; Lotus Notes; terminal servers (such as Citrix or WTS).
• Planning considerations: Identify resources by host name, IP address or IP range, subnet IP address, or domain name.

Resource type: Windows file shares
• Examples: Windows network servers; Windows shared folders.
• Planning considerations: Defining a Windows domain gives access to all network file resources to authorized users.

How Will Users Access Your Resources?
End users can access VPN resources secured by the Aventail appliance using four primary methods. This gives you a range of deployment options for both “managed” desktops controlled by your IT department and systems outside your control, including employees’ home computers, partner desktops, and other systems such as kiosks or handheld devices.
• Standard Web browser. Web resources and file system resources can be accessed from any Web browser that supports SSL. Browser-based access is ideal for providing remote access from virtually any PC, including public kiosks, wireless networks, or small form factor devices such as smartphones or PDAs. It’s also a good option for providing business partner access, because it does not require any client configuration or administration.
• ActiveX-enabled browser. Aventail’s ActiveX agent—the Aventail OnDemand network tunnel agent—provides access to resources from Microsoft Internet Explorer and Firefox browsers that support ActiveX. In addition to Web resources, this agent provides access to terminal services, thin-client applications, and full client/server applications.
• Java-enabled platform. Aventail’s Java agents—the Aventail OnDemand proxy agent and the Aventail OnDemand tunnel agent—provide access to resources from Java-enabled Web browsers.
• The OnDemand tunnel agent uses Aventail’s tunnel technology to provide full network access to protocols and applications for users of Windows XP or Windows 2000.
• The OnDemand proxy agent provides access to client/server applications and Web resources from a Java-enabled Web browser or any environment—such as Macintosh or Linux systems— configured with a stand-alone Java environment.
The OnDemand proxy agent is a good choice for providing access to users who are connecting with a device that is not managed by IT staff, such as a home PC.
• Windows clients. The Aventail Connect tunnel client and the Aventail Connect proxy client are Windows clients that provide access to a broad range of resources, including traditional client/server applications, thin-client applications, file servers, and Web resources. These Connect clients offer complete integration with the Windows desktop, including support for Microsoft single sign-on and seamless access to network share resources from Network Neighborhood. The Aventail Connect clients are typically used for remote access on systems that can be readily managed by IT, such as a corporate laptop used by a traveling or remote employee.
• Mobile devices. The Aventail Connect mobile client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including traditional client/server applications, thin client applications, file servers, and Web resources.
The following table summarizes the available access methods and the advantages of each.

Access method: Aventail Connect network tunnel (Windows client)
Provides access to: Full network access to client/server applications, Web resources, Windows network shares, and bi-directional applications such as Voice over IP, SMS, and FTP.
Advantages:
• Installed from ASAP WorkPlace portal or from custom installer package, with no rebooting required.
• Managed through AMC.
• Enhanced security options including split-tunneling, and redirection of all traffic or only local traffic.
• Local printing supported.

Access method: Aventail OnDemand network tunnel (ActiveX agent)
Provides access to: Full network access to client/server applications, Web resources, Windows network shares, and bi-directional applications such as Voice over IP, SMS, and FTP.
Advantages:
• Activated from ASAP WorkPlace portal.
• Enhanced security options including split-tunneling, and redirection of all or only local traffic.
• Local printing supported.

Access method: Aventail Connect proxy (Windows client)
Provides access to: Client/server applications, Web resources, and Windows network shares.
Advantages:
• Offers seamless integration with Windows Network Neighborhood.
• Security options, including split-tunneling, personal firewall detection, and antivirus software detection.
• Auto-updating.

Access method: Aventail Connect Mobile
Provides access to: Client/server applications, thin client applications, file servers, and Web resources.
Advantages:
• Lightweight application that runs on Pocket PC devices.

Access method: Aventail OnDemand proxy (Java agent)
Provides access to: Client/server applications and Web resources from any Java-enabled platform.
Advantages:
• Broad cross-platform support.
• Lightweight Java agent is easy to

Access method: Web proxy mode
Provides access to: Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares.
Advantages:
• Convenient access from any ActiveX-enabled browser.
• Defaults to “translated mode” on other browsers.
• Minimal client configuration or administration tasks.
• Users can access any network URL by typing its actual URL in the browser’s address box.
• Broad Web-based access to enterprise applications.
• Single sign-on.

Access method: Translated Web browser
Provides access to: Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares.
Advantages:
• Convenient access from virtually any PC.
• No client configuration or administration tasks.
• Supports the use of aliases to hide internal host names in the browser address bar.
• Single sign-on to back-end Web servers.

Your choice of access methods will be based on a variety of factors, including:
• Technical considerations, such as the hardware platform, operating system, or Web browser in use by end users.
• Security requirements, such as the safeguards you want to put in place on the desktop.
• End-user profile, including users’ level of technical sophistication.
• Administrative resources available to manage and support a VPN.

Tunnel, Proxy, or Web: Which Access Method is Best for You?
Aventail’s access services and clients offer a wide array of methods with different degrees of capabilities to enable your users to reach your organization’s resources. Which ones are best for you? That depends on the resources you want to deploy and the computing environment of your users. Generally speaking, the two Aventail network tunnel clients provide the broadest network access and support, and greatest ease of administration. The caveat is that tunnel client users must be running either Windows 2000 or Windows XP. The Aventail Connect proxy client runs on both current and legacy versions of Windows, and has integrated End Point Control features, but must be installed and configured separately. The Aventail OnDemand proxy agent provides broad cross-platform support for Windows, Macintosh, and Linux users. Web access is clientless and requires no provisioning, but limits access to Web-based applications.
System Requirements for Client Access Agents
Use the following table to determine which Aventail access agents are appropriate for your users’ computers. Items shown in the regular font are supported platforms, while those shown in italics are compatible platforms.

Client component: ASAP WorkPlace portal
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: Internet Explorer 6.0, Service Pack 2; Internet Explorer 6.0, Service Pack 1; Mozilla Firefox 1.0.6
• Operating system: Macintosh OS X v 10.4; Macintosh OS X v 10.3
  Browser: Macintosh Safari 2.0; Macintosh Safari 1.3; Mozilla Firefox 1.0.7
• Operating system: Linux (Fedora Core 4)
  Browser: Mozilla Firefox 1.0.7

Client component: Connect tunnel client
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: n/a
  Other: Windows administrator rights required for installation

Client component: OnDemand tunnel agent
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: Internet Explorer 6.0, Service Pack 2; Internet Explorer 6.0, Service Pack 1; Mozilla Firefox 1.0.6
  Other: Sun JVM 1.5.1 or ActiveX; Sun JVM 1.4.2 plug-in; Windows administrator rights required for installation

Client component: Connect proxy client
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: n/a
  Other: Windows administrator rights required for installation

Client component: OnDemand proxy agent
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: Internet Explorer 6.0, Service Pack 2; Internet Explorer 6.0, Service Pack 1; Mozilla Firefox 1.0.6
  Other: Sun JVM 1.5.1 or ActiveX; Sun JVM 1.4.2 plug-in; Windows administrator rights required for dynamic redirection mode
• Operating system: Macintosh OS X v 10.4; Macintosh OS X v 10.3
  Browser: Macintosh Safari 2.0; Macintosh Safari 1.3
  Other: Sun JVM 1.4.2 plug-in
• Operating system: Linux
  Browser: Mozilla Firefox 1.0.7
  Other: Sun JVM 1.4.2 plug-in

Client component: Connect Mobile client
• Operating system: Windows Pocket PC 4.2.1; Windows Pocket PC 4.2
  Browser: Pocket Internet Explorer 4.01

Client component: Web proxy agent
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: Internet Explorer 6.0, Service Pack 2; Internet Explorer 6.0, Service Pack 1
  Other: ActiveX

Client component: Translated Web Access
• Operating system: Windows XP Pro with Service Pack 2; Windows XP Pro with Service Pack 1; Windows XP Home with Service Pack 2; Windows XP Home with Service Pack 1; Windows 2000 Pro with Service Pack 4
  Browser: Internet Explorer 6.0, Service Pack 2; Internet Explorer 6.0, Service Pack 1; Mozilla Firefox 1.0.6
• Operating system: Macintosh OS X v 10.4; Macintosh OS X v 10.3
  Browser: Macintosh Safari 2.0; Macintosh Safari 1.3; Mozilla Firefox 1.0.7
• Operating system: Linux
  Browser: Mozilla Firefox 1.0.7
  Other: Sun JVM 1.4.2 plug-in
Security Administration
Administering your security policy involves defining resources and then creating access control rules that determine the availability of those resources.
Defining Resources
When managing resources, you have some flexibility to decide which resource type to use for a given object on your network. The type you choose will vary depending on your VPN design. For example, you might define a Web application as a URL resource for use by a business partner and “alias” the host name for an extra measure of security. Alternatively, you could define the domain in which the Web application is located as a network resource, which is a convenient way to enable remote employee access to multiple Web resources within a domain.
Web Resources
Any Web resource—such as a Web application, a Web portal, or a Web server—can be defined as a URL resource; they are specified in AMC using the standard http:// or https:// URL syntax. Examples include Microsoft Outlook Web Access and other Web-based e-mail programs, Web portals, corporate intranets, and standard Web servers.
Defining a Web resource as a URL provides several advantages:
• You can create a Web shortcut on ASAP WorkPlace to make it simple for users to quickly access the URL.
• You can define very specific access rules to control which users can access the URL.
• You have the option of obscuring (or “aliasing”) the internal host name so it is not publicly exposed. When a user accesses an alias in translated mode, the Aventail Web access service proxies the request to the downstream Web resource and translates its private URL using an alias name you define. The user sees only the public (or “aliased”) URL. Web traffic is proxied through the Aventail Web proxy service, a secure gateway through which users can access private Web resources from the Internet.
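The aliasing behavior described above, modelled in Python as an added example that is not part of the Aventail documentation or product: a generic translating reverse proxy that maps a public alias path to the private URL on the way in and rewrites links to aliased private hosts on the way out. The public host name vpn.example.com, the alias table, the .corp.internal suffix and the sample HTML are constructed assumptions. The check at the end shows the caveat a practitioner should keep in mind: a link to an internal host that has no alias is passed through unchanged and exposes that host name to the user.

```python
"""Host-name aliasing in a translating Web proxy (generic model, not Aventail code)."""
import re
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "vpn.example.com"   # assumed public name of the appliance

# Alias name -> private URL of the Web resource (constructed; the administrator
# would define the real ones in AMC).
ALIASES = {
    "hr": "https://payroll-srv01.corp.internal:8443",
    "wiki": "http://intranet.corp.internal",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def inbound(public_path: str):
    """Map /<alias>/rest on the public host to the private URL; None if no alias matches."""
    alias, _, rest = public_path.lstrip("/").partition("/")
    target = ALIASES.get(alias)
    return None if target is None else f"{target}/{rest}"


def outbound(html: str) -> str:
    """Rewrite absolute links to aliased private hosts into public alias URLs."""
    def rewrite(match):
        url = urlsplit(match.group(0))
        for alias, target in ALIASES.items():
            private = urlsplit(target)
            if (url.scheme, url.netloc) == (private.scheme, private.netloc):
                return urlunsplit(("https", PUBLIC_HOST, f"/{alias}{url.path}",
                                   url.query, url.fragment))
        return match.group(0)          # no alias covers this host: passed through untouched
    return URL_RE.sub(rewrite, html)


def leaked_hosts(html: str, private_suffix: str = ".corp.internal"):
    """Private host names still visible in a page after translation."""
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(html)}
    return sorted(h for h in hosts if h and h.endswith(private_suffix))


# Constructed page fragment, as a back-end Web server might return it.
SAMPLE_HTML = (
    '<a href="https://payroll-srv01.corp.internal:8443/timesheets?week=41">Timesheets</a> '
    '<a href="http://intranet.corp.internal/policies">Policies</a> '
    '<a href="http://build-srv.corp.internal/logs/">Build logs</a>'
)
```

Running outbound(SAMPLE_HTML) rewrites the first two links to https://vpn.example.com/hr/... and https://vpn.example.com/wiki/...; the third link has no alias, so leaked_hosts on the translated page still reports build-srv.corp.internal. That is the check to run against a translated application before handing it to partners: every internal host the page links to needs either an alias or a deliberate decision that exposing its name is acceptable.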
Network Resources
As the name implies, “network resources” are flexible enough to encompass virtually anything on your network, including applications, file servers, or multiple Web resources. Network resources are specified in AMC using either a domain, subnet, IP range, host name, or IP address.
Here are some examples of network resources:
• Client/server applications include “traditional” applications developed for a particular operating system, or thin-client applications designed to be run over the Web. Users access client/server applications using either the Aventail Connect or Aventail OnDemand tunnel or proxy clients, or the Connect Mobile client.
• Network shares include Windows file servers or file shares. When defined as a network resource, network shares are accessible using either Aventail Connect or Aventail OnDemand. (To access a network share using a Web browser, you must instead define it as a file system resource.)
• Source networks are referenced in an access rule to permit or deny a connection to a destination resource based upon the location from which the request originates. This provides you with even greater security. For example, you might permit connections from only a particular domain, or even from an individual IP address.
• Terminal server hosts provide the graphical user interface (GUI) of an application to user terminals that don't have this capability themselves. Windows Terminal Services and Citrix agents can be managed directly from the Aventail appliance.
• Multiple Web resources on your network—whether in a domain, subnet, or IP range—can be defined as a network resource. This approach provides a convenient way for you to administer multiple Web servers from a single object in AMC. For example, if you specify a domain (and create the appropriate access rule) users will be able to access any Web resources contained within that domain from their Web browsers (or from Aventail OnDemand or Aventail Connect).
On the downside, however, your users cannot access those resources from a link on ASAP WorkPlace; instead, they must know the internal host name of the resource. If the Web proxy agent is running, they can enter any URL directly into their browser. However, in translated mode, users must manually type URLs in the Intranet Address box in WorkPlace.
With such a wide scope of resource definitions—from broad resources such as a domain or subnet down to a single host or IP address—you may wonder how best to define your network resource definitions. Broad resource definitions simplify your job as network administrator, and are typically used when managing a remote access VPN with an open access policy. For example, you could define your internal DNS namespace as a domain and create a single policy rule granting employees access privileges.
On the other hand, a more restrictive security policy will require you to define network resources more narrowly. This approach is typically used when administering a partner VPN. For example, to provide an external supplier with access to an inventory application, you might specify its host name as a resource and create a policy rule specifically granting the supplier access privileges.
File System Resources
File system resources include Windows network servers or computers containing shared folders and files that users can access through ASAP WorkPlace.
For a file system resource, you can define a specific resource by typing a UNC path or you can define an entire Windows domain.
• Defining an entire Windows domain gives authorized users access to all the network file resources within the domain.
• A specific file system resource can be an entire server, a shared folder, or a network folder.
• A file system resource can also reference a user’s personal folder on the network. This feature allows you to create a single shortcut on ASAP WorkPlace that dynamically references a personal folder for the current user.
The various options for defining a file system resource provide you with the flexibility to create an open policy that provides access to an entire domain, or to create a more granular policy that controls access at the server, share, or folder level.
Managing Access Control with an Access Policy
After you’ve defined your VPN resources, you control which resources are available to users by creating an access policy.
After a user successfully authenticates (that is, verifies his or her identity), the appliance evaluates the access rules to control authorization to specific resources. Rules appear on the Access Control page in AMC.
Access control rules are stored as a list, with each rule assigned a specific order. When the appliance evaluates a connection request, it begins at the top of the list and works down the list (that is, in ascending numeric order) until it finds a match. When it finds a match, the action required by the rule— either “permit” or “deny”—is applied and no further rules are evaluated. If the appliance reaches the end of the list without finding a match, it applies an implicit “deny” rule to prohibit access.
Access to a resource can be based on several criteria. Most access rules control access based on who the user is—that is, the user’s name or group membership—and the destination resource he or she is trying to reach. (If you don’t restrict access to a particular user or destination resource, the word “Any” appears in the access control list.)
Additionally, you can control access based on several other criteria:
• The End Point Control zone from which the connection request originates. Suppose you want to require users accessing a sensitive financial application to run a cache cleaner after each session. If so, you could configure a rule restricting access to systems in a “trusted” zone running Aventail Secure Desktop.
• The user’s network address from which the connection request originates. You might want to control access to a resource based on the names of any source networks you want evaluated in the rule.
• The access method used to reach the resource. You might want to enable broad access to resources within an internal domain from the network tunnel or proxy agents, but prevent browser-based access to Web servers within the domain.
• The encryption strength of the connection. You might require connections to a particularly sensitive resource to use strong 128-bit encryption.
• The day and/or time of the request. For example, you might allow business partners to access a particular application only from 9:00 A.M. to 5:00 P.M. on weekdays.
To summarize the authorization process:
1. A user initiates a connection.
2. The appliance analyzes the connection request to identify its attributes (including user and group information, the destination being requested, source network from which the request originates, and the day or time of the request).
3. The appliance reads the first rule in the access control list and compares it to the request criteria:
• If a match is found, the action (“permit” or “deny”) specified in the rule is applied. After this occurs, no further rules are evaluated.
• If no match is found, the appliance evaluates the next rule in the list to see if it matches the request.
4. If the appliance processes all of the rules without finding a match, it applies an implicit end rule to deny access.
Access Control for Bi-Directional Connections
VPN connections typically involve what are called forward connections—these are initiated by a user to a network resource. However, if you deploy Aventail’s network tunnel clients (Connect tunnel or OnDemand tunnel) to your users, then bi-directional connections are enabled.
Within the Aventail VPN, bi-directional connections encompass the following:
• Forward connections from a VPN user to a network resource.
• Reverse connections from a network resource to a VPN user. An example of a reverse connection is an SMS server that “pushes” a software update to a user’s machine.
• Cross-connections refer specifically to Voice over Internet Protocol (VoIP) applications that enable one VPN user to telephone another VPN user. Cross-connections require a pair of access control rules: one for the forward connection and one for the reverse connection.
• Other examples of bi-directional connections include an FTP server that downloads files to or uploads files from a VPN user, and remote Help Desk applications.
Design Guidelines for Access Rules
Because the appliance processes your access control rules sequentially, the order in which you organize them has great significance in terms of whether access is permitted or denied. Carefully review your security policy settings to avoid inadvertently placing rules in the wrong order.
• Put your most specific rules at the top of the list. As a general rule, it is usually best to put your most specific rules at the top of the list. Putting the least restrictive rules at the top of the list may cause the appliance to find a match before it has a chance to process your more restrictive rules.
• Be careful with “Any” rules. If you create a rule that does not restrict access to a particular user or destination resource, the word “any” appears in the access control list. Carefully consider the impact of “any” in your policy rules. For a “permit” rule, too many “any” criteria could expose a security hole. On the other hand, too many “any” criteria in a “deny” rule could unnecessarily restrict network access.
• Optimizing performance. Because the appliance evaluates rules in sequential order, you can optimize performance by placing the network resources that are accessed most frequently at the top of the list.
• Avoid resource and access method incompatibilities. In some very specific cases, certain combinations of resource types and access methods can create problems with your access policy. AMC validates your rule and notifies you of potential problems when you save it. See the “Security Administration” chapter of the Aventail Installation and Administration Guide for details on resolving incompatibility issues.
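The rule evaluation described in this section, modelled in Python as an added example: the ordered list with first match wins and an implicit deny at the end, the additional criteria (End Point Control zone, source network, access method, encryption strength, day and time), the forward/reverse rule pair that a cross-connection needs, and the ordering pitfall from the design guidelines. This is not Aventail code and does not reproduce the appliance’s rule syntax; the rule fields, user and group names, host names, zone names, the 10.99.0.0/16 VPN client address pool and the dates are assumptions made for illustration.

```python
"""First-match access control list with an implicit deny at the end (added example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Set

ANY = None  # an unrestricted criterion; AMC shows it as "Any"


@dataclass
class Request:
    user: str
    groups: Set[str]
    destination: str            # host name or IP address being requested
    source_ip: str
    zone: str                   # End Point Control zone the device was classified into
    method: str                 # "tunnel", "proxy" or "web"
    cipher_bits: int            # strength of the SSL session
    when: datetime
    direction: str = "forward"  # "reverse" exists only for the tunnel clients


@dataclass
class Rule:
    name: str
    action: str                                 # "permit" or "deny"
    users: Optional[Set[str]] = ANY             # user or group names
    destinations: Optional[Set[str]] = ANY      # host name, domain suffix or CIDR block
    zones: Optional[Set[str]] = ANY
    source_networks: Optional[Set[str]] = ANY   # CIDR blocks
    methods: Optional[Set[str]] = ANY
    min_cipher_bits: int = 0
    weekday_hours: Optional[tuple] = ANY        # (start, end) hour, Monday to Friday only
    direction: str = "forward"

    def matches(self, r: Request) -> bool:
        if self.direction != r.direction:
            return False
        if self.users is not ANY and not self.users & ({r.user} | r.groups):
            return False
        if self.destinations is not ANY and not any(
                dest_match(d, r.destination) for d in self.destinations):
            return False
        if self.zones is not ANY and r.zone not in self.zones:
            return False
        if self.source_networks is not ANY and not any(
                ip_address(r.source_ip) in ip_network(n) for n in self.source_networks):
            return False
        if self.methods is not ANY and r.method not in self.methods:
            return False
        if r.cipher_bits < self.min_cipher_bits:
            return False
        if self.weekday_hours is not ANY:
            start, end = self.weekday_hours
            if r.when.weekday() > 4 or not start <= r.when.hour < end:
                return False
        return True


def dest_match(pattern: str, destination: str) -> bool:
    """A destination criterion is a host name, a domain suffix, or a CIDR block."""
    if "/" in pattern:
        try:
            return ip_address(destination) in ip_network(pattern)
        except ValueError:
            return False  # a host name never matches a subnet criterion
    return destination == pattern or destination.endswith("." + pattern)


def evaluate(rules, request):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for position, rule in enumerate(rules, start=1):
        if rule.matches(request):
            return rule.action, f"rule {position}: {rule.name}"
    return "deny", "implicit deny (end of list)"


# Constructed policy; the names, addresses and the 10.99.0.0/16 client pool are assumptions.
RULES = [
    Rule("partners: payroll off-limits", "deny", users={"partners"},
         destinations={"payroll.corp.example"}),
    Rule("partners: inventory app, office hours, supplier network only", "permit",
         users={"partners"}, destinations={"inventory.corp.example"},
         source_networks={"203.0.113.0/24"}, weekday_hours=(9, 17)),
    Rule("employees: corp domain from a trusted device at 128-bit", "permit",
         users={"employees"}, destinations={"corp.example"}, zones={"trusted"},
         min_cipher_bits=128),
    Rule("employees: VoIP to other VPN clients (forward)", "permit",
         users={"employees"}, destinations={"10.99.0.0/16"}, methods={"tunnel"}),
    Rule("employees: VoIP from other VPN clients (reverse)", "permit",
         users={"employees"}, destinations={"10.99.0.0/16"}, methods={"tunnel"},
         direction="reverse"),
]
TUESDAY = datetime(2005, 10, 11, 10, 30)
SATURDAY = datetime(2005, 10, 15, 10, 30)
PARTNER = dict(user="acme-buyer", groups={"partners"}, source_ip="203.0.113.7",
               zone="default", method="web", cipher_bits=128, when=TUESDAY)
EMPLOYEE = dict(user="jdoe", groups={"employees"}, source_ip="198.51.100.9",
                zone="trusted", method="tunnel", cipher_bits=128, when=TUESDAY)


def decide(profile: dict, rules=RULES, **overrides) -> str:
    """Action for a request built from a profile dict plus per-call overrides."""
    return evaluate(rules, Request(**{**profile, **overrides}))[0]


def shadowed_deny() -> str:
    """A broad permit-Any rule on top hides the specific partner deny beneath it."""
    sloppy = [Rule("anyone: corp domain", "permit", destinations={"corp.example"})] + RULES
    return decide(PARTNER, sloppy, destination="payroll.corp.example")
```

decide(PARTNER, destination="inventory.corp.example") is permitted by rule 2, but the same request on SATURDAY, or from an address outside 203.0.113.0/24, falls through every rule and lands on the implicit deny. decide(EMPLOYEE, destination="payroll.corp.example") is permitted by the domain rule, and is denied again if cipher_bits drops to 40 or the zone is not "trusted". A reverse connection to 10.99.0.5 is permitted only because rule 5 exists; with RULES[:4] it is implicitly denied, which is the cross-connection pairing the guide requires. shadowed_deny() returns "permit" for the partner reaching payroll: the least restrictive rule placed first matches before the deny is ever read.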
End Point Control
Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring additional risks from PCs in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer.
The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and ensure that your network is not compromised when accessed from PCs in untrusted environments. Aventail’s data protection agents—Aventail Secure Desktop and Aventail Cache Control—automatically remove session data from the PC. The appliance also supports integration with third-party client integrity agents that automatically check for malware on the client system before allowing access. These client integrity agents apply globally to all connections during pre-authentication.
The appliance’s EPC configuration options give you granular control over VPN access using device profiles and zones:
• A device profile is a set of attributes that characterize the type of device requesting the connection. Examples of these attributes include an application or file name, the presence of a personal firewall or antivirus program, a registry entry, or other distinguishing characteristics used to identify a client computer.
• A zone classifies a connection request based on the presence or absence of a device profile, and is used to provision data protection components or determine which resources are available.
When a user connects to the appliance, the appliance interrogates the user’s computer, then determines if its attributes match those defined in the zone’s device profile. If the device matches the profile, the appliance classifies the computer into the zone.
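The profile-and-zone classification described above, modelled in Python as an added example that is not part of the Aventail documentation or product. The attribute checks follow the device profile attribute table later in this section (antivirus program, application process with * and ? wildcards, directory name, file name with a size comparison, registry entry); the shape of the interrogation report, the vendor lists, the custom “Corporate build” profile, the assumption that zones are tried in list order with Default as the fail-safe, and the sample devices are all constructed for illustration.

```python
"""End Point Control: match device profiles, then place the device in a zone (added example)."""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DeviceReport:
    """What the appliance learned by interrogating the client (constructed shape)."""
    platform: str                    # "windows", "macintosh" or "linux"
    antivirus: Optional[str] = None  # vendor reported on the client, or None
    firewall: Optional[str] = None
    processes: List[str] = field(default_factory=list)
    directories: List[str] = field(default_factory=list)
    files: Dict[str, int] = field(default_factory=dict)    # path -> size in bytes
    registry: Dict[str, str] = field(default_factory=dict)


@dataclass
class DeviceProfile:
    """Every (attribute, expected) check must hold for the profile to match."""
    name: str
    platforms: Set[str]
    checks: List[Tuple[str, object]]


@dataclass
class Zone:
    """Any one matching profile places the device in the zone."""
    name: str
    profiles: List[DeviceProfile]
    data_protection: List[str] = field(default_factory=list)


def attribute_present(report: DeviceReport, attribute: str, expected) -> bool:
    """One device profile attribute, following the attribute table in the guide."""
    if attribute == "antivirus":                # expected: set of accepted vendors
        return report.antivirus in expected
    if attribute == "firewall":
        return report.firewall in expected
    if attribute == "application":              # expected: process name; * and ? allowed
        return any(fnmatch.fnmatchcase(p.lower(), expected.lower()) for p in report.processes)
    if attribute == "directory":
        return expected.lower() in (d.lower() for d in report.directories)
    if attribute == "file":                     # expected: (name pattern, minimum size)
        pattern, min_size = expected
        return any(fnmatch.fnmatchcase(path.lower(), pattern.lower()) and size >= min_size
                   for path, size in report.files.items())
    if attribute == "registry":                 # expected: (key, value)
        key, value = expected
        return report.registry.get(key) == value
    raise ValueError(f"unknown device profile attribute: {attribute}")


def profile_matches(profile: DeviceProfile, report: DeviceReport) -> bool:
    return report.platform in profile.platforms and all(
        attribute_present(report, attr, expected) for attr, expected in profile.checks)


def classify(zones: List[Zone], default: Zone, report: DeviceReport) -> Zone:
    """Zones are tried in list order (an assumption); Default is the fail-safe."""
    for zone in zones:
        if any(profile_matches(p, report) for p in zone.profiles):
            return zone
    return default


# Constructed profiles and zones, modelled on the preconfigured ones described in the guide.
WIN_FIREWALLS = {"sygate", "microsoft", "zonelabs"}
WINDOWS_AV = DeviceProfile("Windows Antivirus", {"windows"},
                           [("antivirus", {"norton", "mcafee"}), ("firewall", WIN_FIREWALLS)])
MAC_AV = DeviceProfile("Macintosh Antivirus", {"macintosh"},
                       [("antivirus", {"norton", "mcafee"}), ("firewall", {"apple"})])
WINDOWS_FW = DeviceProfile("Windows firewall", {"windows"}, [("firewall", WIN_FIREWALLS)])
CORP_BUILD = DeviceProfile("Corporate build", {"windows"}, [   # custom profile: IT-imaged laptops
    ("directory", r"C:\Program Files\CorpAgent"),
    ("file", (r"C:\Program Files\CorpAgent\agent-*.exe", 100_000)),
    ("registry", (r"HKLM\SOFTWARE\Corp\Build", "2005.3")),
])
ZONES = [
    Zone("Corporate managed", [CORP_BUILD]),
    Zone("Antivirus and cache control required", [WINDOWS_AV, MAC_AV], ["Cache Control"]),
    Zone("Windows firewall enabled", [WINDOWS_FW]),
]
DEFAULT = Zone("Default", [])

# Constructed device reports.
MANAGED_LAPTOP = DeviceReport("windows", antivirus="mcafee", firewall="sygate",
                              processes=["agent.exe"],
                              directories=[r"C:\Program Files\CorpAgent"],
                              files={r"C:\Program Files\CorpAgent\agent-8.6.exe": 412_000},
                              registry={r"HKLM\SOFTWARE\Corp\Build": "2005.3"})
HOME_PC = DeviceReport("windows", firewall="microsoft")
MAC_WITH_AV = DeviceReport("macintosh", antivirus="norton", firewall="apple")
KIOSK = DeviceReport("windows", processes=["iexplore.exe"])
```

classify(ZONES, DEFAULT, MANAGED_LAPTOP) lands in “Corporate managed” even though the laptop would also satisfy the antivirus profile, because the more specific zone is listed first; HOME_PC (firewall only) lands in “Windows firewall enabled”, MAC_WITH_AV in the antivirus zone that provisions Cache Control, and KIOSK, which matches nothing, in Default. Note that every check is a presence test reported by the client: a device that lies about its antivirus vendor passes, which is why the file integrity option on Windows and pairing zones with a restrictive access policy matter more than the number of attributes checked.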
The following diagram illustrates the End Point Control evaluation process performed by the appliance when a user connects to the appliance:
Your Aventail VPN is provided with some default EPC zones and device profiles for several common access scenarios.
The preconfigured EPC zones include:
• Antivirus and cache control required: This zone applies to Windows XP/2000 computers and Apple Macintosh computers and requires them to have either Norton or McAfee antivirus software installed and enables Aventail Cache Cleaner to clean the browser cache after each user session. It references the preconfigured Windows Antivirus and Macintosh Antivirus device profiles.
• Windows firewall enabled: This zone requires Windows XP or 2000 computers to have a personal firewall program from Sygate, Microsoft or Zone Labs installed. It uses the preconfigured Windows firewall device profile.
• Default: This zone can serve as a global fail-safe to either allow or block VPN access in situations where connection requests don’t match the criteria for any other zones.
The preconfigured device profiles include:
• Windows Antivirus: This device profile is configured to detect whether both an antivirus program and a personal firewall program are present on computers running Windows XP or 2000.
• Macintosh Antivirus: This device profile is configured to detect whether both an antivirus program and a personal firewall program are present on Apple Macintosh computers.
• Windows firewall: This device profile is configured to detect whether a personal firewall is installed on computers running Microsoft Windows XP or 2000.
• Macintosh computer: This device profile is configured to identify computers running the Macintosh operating system.
If the preconfigured device profiles don’t address your specific security needs or computing environment, you can create additional profiles that the appliance will use to detect the presence of specified attributes on users’ devices.
Device profile attribute / Description

Antivirus program
• Looks for either Norton or McAfee antivirus software.
• Supported on Microsoft Windows XP/2000, and Apple Macintosh.

Application
• Looks for an application process running on the client device.
• Supports * and ? wildcards.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

Directory name
• Looks for a directory on a device’s hard drive.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

File name
• Looks for a file name and extension on a device.
• Optionally can include file size, absolute or relative modification date.
• Optionally validates file integrity on Windows devices.
• Supports * and ? wildcards.
• Supports comparison operators.
• Supported on Microsoft Windows XP/2000, Apple Macintosh, and Linux.

Personal firewall program
• Looks for Sygate, Microsoft, or Zone Labs personal firewalls.
• Supported on Microsoft Windows XP/2000.

Windows domain
• Determines if a user belongs to a domain.
• Supported on Microsoft Windows XP/2000.

Windows registry entry
• Looks for a Windows registry entry key name.
• Optionally looks for a value name and data.
• Supports * and ? wildcards.
• Supports comparison operators.
• Supported on Microsoft Windows XP/2000.

Windows version
• Looks for major version numbers on Microsoft Windows XP & 2000.
• Optionally looks for minor version numbers and build numbers.

Device name & description
• Supported on pocket PC/PDA, and on mobile phones.

To configure EPC, you first create one or more device profiles that identify the client attributes you want to look for. Next, you define an EPC zone and reference the device profiles required for a device to be classified into that zone. The zone is in turn referenced in a community; this determines which users can be classified into the specified zone and which data protection agents are deployed to those users. Optionally, you can reference a zone in an access control rule to determine which resources are available to users in that zone.
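The configuration sequence described in this section (device profiles, then zones that reference them, then the agents and access rules tied to each zone) can be modelled as a small classifier. The following Python is an added illustration, not code from the Aventail guide or appliance: the inventory keys reported for each endpoint, the custom "Corporate image" profile with its registry key and file name, and the resource names are all constructed for the example; the real appliance gathers these attributes through its own client agents. It goes slightly beyond the preconfigured profiles by adding one custom profile of the kind the text says you can create, and shows the Default zone acting as the fail-safe.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Vendor lists follow the guide's description of the preconfigured checks.
ANTIVIRUS_VENDORS = {"Norton", "McAfee"}
FIREWALL_VENDORS = {"Sygate", "Microsoft", "Zone Labs"}

Inventory = Dict[str, object]        # what the client agent reports (hypothetical keys)
Check = Callable[[Inventory], bool]  # one device profile attribute

def antivirus_present() -> Check:
    # "Antivirus program" attribute: either Norton or McAfee.
    return lambda inv: bool(ANTIVIRUS_VENDORS & set(inv.get("antivirus", [])))

def firewall_present() -> Check:
    # "Personal firewall program" attribute.
    return lambda inv: bool(FIREWALL_VENDORS & set(inv.get("firewalls", [])))

def file_present(pattern: str, min_size: int = 0) -> Check:
    # "File name" attribute: * and ? wildcards plus a size comparison operator.
    return lambda inv: any(fnmatch.fnmatch(n, pattern) and s >= min_size
                           for n, s in inv.get("files", {}).items())

def registry_entry(key: str, name: Optional[str] = None, data: Optional[str] = None) -> Check:
    # "Windows registry entry" attribute: key name, optionally value name and data.
    def check(inv: Inventory) -> bool:
        values = inv.get("registry", {}).get(key)
        if values is None:
            return False
        return name is None or (name in values and
                                (data is None or fnmatch.fnmatch(str(values[name]), data)))
    return check

@dataclass
class DeviceProfile:
    name: str
    platforms: set
    checks: List[Check]

    def matches(self, inv: Inventory) -> bool:
        # Every listed attribute must be present, on a platform the profile supports.
        return inv.get("os") in self.platforms and all(c(inv) for c in self.checks)

@dataclass
class Zone:
    name: str
    profiles: List[DeviceProfile] = field(default_factory=list)  # any one match suffices
    agents: List[str] = field(default_factory=list)              # data protection agents

def classify(inv: Inventory, zones: List[Zone], default: Zone) -> Zone:
    # Zones are tried in order; the Default zone is the global fail-safe.
    for zone in zones:
        if any(p.matches(inv) for p in zone.profiles):
            return zone
    return default

# Profiles modelled on the guide's preconfigured ones, plus one custom profile.
WIN = {"Windows XP", "Windows 2000"}
WINDOWS_AV = DeviceProfile("Windows Antivirus", WIN, [antivirus_present(), firewall_present()])
MAC_AV = DeviceProfile("Macintosh Antivirus", {"Mac OS"}, [antivirus_present(), firewall_present()])
WINDOWS_FW = DeviceProfile("Windows firewall", WIN, [firewall_present()])
CORP_IMAGE = DeviceProfile("Corporate image", WIN, [  # custom profile; key and file are hypothetical
    antivirus_present(), firewall_present(),
    registry_entry(r"HKLM\SOFTWARE\ExampleCorp", "Build", "2005-*"),
    file_present("inventory*.exe", min_size=1024),
])

ZONES = [  # most restrictive profile first; a device lands in the first zone it satisfies
    Zone("Corporate managed", [CORP_IMAGE], ["Secure Desktop"]),
    Zone("Antivirus and cache control required", [WINDOWS_AV, MAC_AV], ["Cache Control"]),
    Zone("Windows firewall enabled", [WINDOWS_FW]),
]
DEFAULT_ZONE = Zone("Default")

# Access control rules keyed by zone (constructed resource names).
RESOURCES_BY_ZONE = {
    "Corporate managed": ["intranet", "file-shares", "webmail"],
    "Antivirus and cache control required": ["intranet", "webmail"],
    "Windows firewall enabled": ["webmail"],
    "Default": [],
}

def evaluate(inv: Inventory):
    """Return (zone name, agents to deploy, resources available) for one endpoint."""
    zone = classify(inv, ZONES, DEFAULT_ZONE)
    return zone.name, zone.agents, RESOURCES_BY_ZONE[zone.name]

# Constructed endpoint inventories.
CORP_LAPTOP = {"os": "Windows XP", "antivirus": ["Norton"], "firewalls": ["Sygate"],
               "registry": {r"HKLM\SOFTWARE\ExampleCorp": {"Build": "2005-09"}},
               "files": {"inventory_agent.exe": 40960}}
HOME_PC = {"os": "Windows XP", "firewalls": ["Microsoft"]}
MAC = {"os": "Mac OS", "antivirus": ["McAfee"], "firewalls": ["Zone Labs"]}
KIOSK = {"os": "Linux"}

if __name__ == "__main__":
    for label, inv in [("corp laptop", CORP_LAPTOP), ("home PC", HOME_PC), ("mac", MAC), ("kiosk", KIOSK)]:
        print(f"{label}: {evaluate(inv)}")
```

The ordering of ZONES matters: a home PC with only a Microsoft firewall fails both the custom and the antivirus profiles and falls through to the firewall zone, while the Linux kiosk matches no profile at all and is caught by the Default zone, which here grants no resources. Evaluating the strictest zone first is what keeps a fully compliant device from being classified into a looser zone it also happens to satisfy.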