Aventail SSL VPN. Getting Started Guide. Version 8.6

Transcription

1 Aventail SSL VPN Getting Started Guide Version Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Tunnel, Aventail End Point Control, Aventail Management Console, Aventail Connect Mobile, Aventail OnDemand, Aventail OnDemand Tunnel, Aventail Secure Desktop, Aventail Smart Access, Aventail Smart Policy, Aventail Smart SSL VPN, Aventail Smart Tunneling, Aventail ST, Aventail Unified Policy, Aventail WorkPlace, Aventail WorkPlace Mobile, Aventail EX-750, Aventail EX-1500, Aventail EX-2500, and their respective logos are trademarks, registered trademarks, or service marks of Aventail Corporation. Other product and company names mentioned are the trademarks of their respective owners. Last modified 10/11/05 14:05 Part number

2

3 Aventail SSL VPN Getting Started Guide i Table of Contents Chapter 1 Introduction Introduction to the Aventail VPN Key VPN Concepts Resources Smart Tunneling Authentication Access Policy End Point Control Users, Groups, and Communities SSL and Encryption FIPS Clustering and High Availability Role-Based Administration Single Sign-On System Monitoring and Logging Aventail VPN Components Client Components Network Explorer Connect Tunnel Client OnDemand Tunnel Agent Connect Mobile Client Connect Proxy Client OnDemand Proxy Agent Web Proxy Access Translated Web Access End Point Control Administrator Components Chapter 2 Planning Your VPN Who Will Access Your VPN? What Types of Resources Are You Deploying? How Will Users Access Your Resources? Tunnel, Proxy, or Web: Which Access Method is Best for You? System Requirements for Client Access Agents Security Administration Defining Resources Managing Access Control with an Access Policy End Point Control System Requirements for End Point Control

4 ii Table of Contents Putting It All Together: Using Realms and Communities Chapter 3 Preparing for Installation and Deployment Installation Deployment Checklist Verifying Your Firewall Policies Installation and Configuration Overview Deployment Deploying ASAP WorkPlace Deploying the Aventail Access Methods Deploying End Point Control Agents Chapter 4 Common VPN Configurations Remote Access VPN Scenarios Providing Access to Specific Web Resources Providing Access to All Web Resources on Your Network Providing Access to Any Web Resources on a Portion of Your Network Providing Windows Users with Broad Access to Network Resources Providing Web-based File Access to Entire Networks Partner VPN Scenarios Providing Access to a Specific Web Resource and Obscuring Its Internal Host Name Providing Web-based Access to a Client/Server Application End Point Control Scenarios Deploying Aventail Cache Control to Employees on an Untrusted System Deploying Aventail Secure Desktop to Partners from Their Domain Allowing Selected Employees to Bypass Aventail Cache Control Access Policy Scenarios Forward Connections Reverse Connections Application-Specific Scenarios Providing Access to Outlook Web Access (OWA) Providing Access to Voice Over IP (VoIP) Providing Access to Windows Terminal Services or Citrix Authentication Scenarios Using Multiple Realms vs. a Single Realm Using a Single Community Using Multiple Communities Access Component Provisioning Scenarios WorkPlace Scenarios Creating Custom WorkPlace Sites Adding Shortcuts to WorkPlace

5 Aventail SSL VPN Getting Started Guide 1 Chapter 1 Introduction This chapter provides a brief overview of the features of the Aventail SSL VPN and its key components, and explains some essential virtual private networking components. For detailed information and step-by-step procedures on how to install and configure the appliance, please see the separate Installation and Administration Guide. Introduction to the Aventail VPN The Aventail SSL VPN appliance provides secure access including clientless access to Web applications, access to client/server applications, and file sharing to employees, business partners, and customers. All traffic is encrypted using Secure Sockets Layer (SSL) to protect it from unauthorized users. The Aventail appliance makes applications available from a range of access methods including a standard Web browser, Web-based ActiveX or Javabased agents, a Windows client, or a PocketPC client on a wide range of platforms and devices including Windows, Macintosh, Linux, and handheld devices. You might use the appliance to: Create a remote access VPN that enables remote employees to securely access private company applications such as over the Internet. Create a business partner VPN that provides designated suppliers with access to an internal supply chain application over the Internet. Your Aventail VPN transparently and dynamically provides the appropriate access methods to a wide range of resources, which improves employee productivity and reduces the total cost of ownership.

6 2 Chapter 1 - Introduction Key VPN Concepts Resources The appliance s granular access control enables you to define policy and control access down to the user and resource level. To increase efficiency, the appliance is managed from a Web-based management console. The Aventail ASAP Management Console (AMC) enables you to quickly and easily manage policy and configure the appliance from a standard Web browser. This section describes the essential concepts that you should become familiar with before installing, configuring, and managing the VPN. The Aventail appliance manages a wide variety of corporate resources in three main categories: Web resources, client/server resources, and Windows file shares. Web resources are applications or services that run over the HTTP or HTTPS protocols, such as Microsoft Outlook Web Access. Client/server resources are enterprise applications that run over TPC/IP such as Citrix, and Voice over Internet Protocol (VoIP) telephony applications. Windows file shares include Windows network servers or computers containing shared folders and files. When managing resources, you have some flexibility to decide which resource type to use for a given object on your network. The type you choose will vary depending on your VPN design. For example, you might define a

7 Aventail SSL VPN Getting Started Guide 3 Smart Tunneling Authentication Web application as a URL resource for use by a business partner and alias the host name for an extra measure of security. Alternatively, you could define the domain in which the Web application is located as a network resource, which is a convenient way to enable remote employee access to multiple Web resources within a domain. Aventail Smart Tunneling provides secure access for TCP and UDP traffic; bi-directional traffic, such as remote Help Desk applications; crossconnections, such as VoIP applications; and reverse connections, such as SMS. Smart Tunneling provides access using two access agents: the Aventail OnDemand tunnel agent (a browser-based, Web-activated agent) and the Aventail Connect tunnel client (a Web-installed Windows client). Each client provides network-level access to all resources, effectively making the user s computer a node on your network. The tunnel clients are managed from AMC using the Aventail network tunnel service. Configuring this service to manage TCP/IP connections from the network tunnel clients requires setting up IP address pools that are used to allocate IP addresses to the clients. Authentication is the process of verifying a user s identity to ensure that the individual really is who he or she claims to be. Authentication differs from authorization authentication verifies identity, while authorization specifies access rights. To manage user authentication with the appliance, you use AMC to define one or more external authentication servers (also known as directory servers or user stores) that contain the identification or credentials for your user population. The appliance integrates with several of the most common authentication servers. The actual management of the user information is still done on your authentication servers; the appliance simply makes use of that information to evaluate identity of your users. Depending on the size and complexity of your organization, you may have a single authentication server for all of your users, or multiple authentication servers that store different segments of your user population. Regardless of the number or type of authentication servers you have, the appliance uses a simple method for linking to them. Each authentication server is associated with an authentication realm that you set up. These realms are what users log in to on the appliance to gain access to your resources. So if your organization has one authentication server, you would create one

8 4 Chapter 1 - Introduction Access Policy authentication realm on the appliance, or if you have several authentication servers, you d create a realm for each of them. For a more granular approach to deployment and security, you can further subdivide your user population using a subset of a realm known as a community. Using AMC to set up authentication involves configuring the combination of an authentication server, an authentication method (username/password, token or smart card, or digital certificate), and other configuration items that make the authentication process unique (for example, the LDAP search base or the specific directory server). The Aventail appliance supports the following directories and authentication methods: LDAP with username/password or digital certificate Microsoft Active Directory with username/password RADIUS with username/password or token-based authentication (such as SecurID or SoftID) Netegrity SiteMinder with credentials or RSA ClearTrust with credentials Local users with username and password (used primarily for testing purposes and not recommended in a production environment) An access policy is the set of access control rules that defines the privileges of users who connect to resources through the appliance. These rules define the applications or network resources that users or user groups are allowed to access. Access control rules are stored as a list in AMC, with each rule assigned a specific order in the list. When the appliance evaluates a connection request, it begins at the top of the list and works down the list until it finds a match. When it finds a match, the action required by the rule either permit or deny is applied and no further rules are evaluated. If the appliance reaches the end of the list without finding a match, it applies an implicit deny rule to prohibit access to the user. Access to a resource can be based on several criteria. Most access rules control access based on who the user is that is, the user s name or group membership and the destination resource he or she is trying to reach. You can use other criteria in access control rules, such as the access method used to reach a resource, the user s network address, or the date and time of the connection request.

9 Aventail SSL VPN Getting Started Guide 5 End Point Control The appliance gives you wide latitude in creating access control rules, depending on whether your organization s security policy demands stringent control or is relatively permissive. For example, if your VPN is accessed only by highly trusted employees who are using computers managed by your IT department, you could create an open access policy that defines your entire network domain as a resource and grants broad access to your employees. Conversely, if you are providing access to a diverse group of users with varying degrees of access privileges, or who connect from less-secure devices such as public kiosks, you might use an access policy that defines individual resources and establishes more stringent access requirements. As your network changes over time, you will need to configure the access control rules that determine what application resources are available to your various users and groups. Before adding an access control rule, carefully examine your list of existing rules; you might find that you can modify an existing rule instead of creating a new one. To save time, you can also copy an existing rule and modify its parameters. If you decide to add a new rule, reviewing your current configuration will help you determine where the new rule should fit in the rule order. New rules are added to the top of the access control list by default; you can then move them to their proper positions in the list. Traditional VPN solutions typically provide access only from the relative safety of a corporate laptop. In that environment, the major security concern is unauthorized network access. Because an SSL VPN enables access from any Web-enabled system, it may bring additional risks from computers in untrusted environments, such as a kiosk at an airport or hotel, or an employee-owned computer. The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and ensure that your network is not compromised when accessed from computers in untrusted environments. Aventail s data protection agents Aventail Secure Desktop and Aventail Cache Control automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access. The appliance s EPC configuration options give you granular control over VPN access using device profiles and zones:

10 6 Chapter 1 - Introduction A device profile is a set of attributes that characterize the device requesting the connection. These attributes can include a Windows domain name, the presence of a software programs such as personal firewall or antivirus program, a registry entry, or other unique characteristics. A zone classifies a connection request based on the presence or absence of a device profile, and is used to control the provisioning of data protection components or determine which resources are available. When a user connects to the appliance, the appliance interrogates the user s computer, then determines if its attributes match those defined in a device profile. If the device matches the profile, the appliance classifies the computer into the appropriate End Point Control zone. For example, if the device does not have a personal firewall or antivirus program, it may be classified as untrusted, provisioned with a browser cache cleaner, and restricted to Web-based access. Users, Groups, and Communities A user is an individual who needs access to resources on your network, and a user group is a collection of users. After you ve created users or user groups on the appliance that are mapped to an external authentication server, you can reference them in an access control rule to permit or deny them access to resources. Communities are a cornerstone of the appliance s approach to deployment and security. Communities are used to aggregate users and groups for the purpose of deploying access agents to them and providing End Point Control, but can also be referenced in access control rules. You can create communities for specific types of users, such as remote employees or business partners, and you can configure more granular types of communities, such as a users in a particular department or geographic location. For example, you may want to deploy one of Aventail s network tunnel clients to certain employees who require broad access to resources and applications on your network and who use laptops managed by your IT department. You may have another group of users who require only limited access to Web resources because they re logging in from public kiosks or other non-secure locations. To provide access to these disparate user groups, you could create two separate communities, each configured to deploy the appropriate access agents, and in the case of users connecting via public kiosks, using End Point Control to prevent sensitive data from being left on the kiosk.

11 Aventail SSL VPN Getting Started Guide 7 SSL and Encryption The Aventail appliance encrypts information using the Secure Sockets Layer (SSL) protocol. SSL is an authentication and encryption protocol that uses a key exchange method to establish a secure environment in which all data exchanged is encrypted to protect it from eavesdropping and alteration. The Aventail appliance uses SSL certificates to validate the appliance s identity to connecting users, and to provide a public key to secure information that the client computer sends to the server. The appliance requires two SSL certificates: The Aventail services use a certificate to secure end-user traffic. AMC uses a certificate to secure management traffic. There are two types of certificates: self-signed and commercial certificates. With a self-signed SSL certificate, you are verifying your own identity. The associated private key data is encrypted using a password. AMC uses a selfsigned certificate. Although a self-signed SSL certificate is secure, you may want to secure enduser traffic with a certificate from a commercial certificate authority (CA). Commercial certificates are purchased from a CA (such as VeriSign) and are usually valid for one year. A commercial CA verifies your company s identity, in effect vouching for your identity by providing you with a certificate that the CA signs. A common analogy for a certificate from a commercial CA is a passport. You can present someone with an ID you create yourself, but they may be skeptical about your identity if they do not already know you. If you present someone with a passport issued to you by a trusted country, he or she may be more inclined to accept your identification as valid because a passport office has made an effort to verify your identity. For users who connect to the appliance from small form factor devices, you should configure the appliance with a certificate from a leading CA, or else import the root certificate from your CA onto your users small form factor devices. When the appliance is configured with either a self-signed certificate or a certificate from a CA that is not well known, most small form factor devices will either display a security prompt or reject the certificate. For example, Windows Mobile smartphones are configured with the roots files for only VersiSign, CyberTrust, Thawte, and Entrust. When deciding which type of certificate to use for the servers, consider who will be connecting to the appliance and how they will use resources on your network:

12 8 Chapter 1 - Introduction FIPS If business partners are connecting to Web resources through the appliance, they will likely want some assurance of your identity before performing a transaction or providing confidential information. In this case, you would probably want to obtain a certificate from a commercial CA for the appliance. On the other hand, employees connecting to Web resources may trust a self-signed certificate. Even then, you may want to obtain a third-party certificate so that end users are not prompted to accept a self-signed certificate each time they connect. For additional security, Aventail offers an appliance equipped with a FIPScompliant (Federal Information Processing Standard) SSL module for creating keys and digital certificates. FIPS is a U.S. government standard that provides a benchmark for implementing cryptographic software. FIPS specifies best practices for implementing cryptographic algorithms, handling key material and data buffers, and working with the operating system. Aventail offers a FIPS-enabled appliance that includes an internal hardware security module (HSM) to protect the private cryptographic keys that are used by the appliance, manage the smart cards used to access the HSM, and perform other operational and troubleshooting functions. The hardware security module is FIPS Level 2 compliant. Clustering and High Availability An Aventail cluster provides high availability by including either integrated load balancing or external load balancing, depending on the appliance model, as well as stateful user authentication failover, and centralized administration. A cluster is designed to prevent a single point of failure. When you deploy a cluster, you can distribute applications over more than one computer, which improves response time and avoids unnecessary downtime if a failure occurs. The cluster appears as a single system to users, applications, and the network, while providing a single point of control for administrators.

13 Aventail SSL VPN Getting Started Guide 9 Aventail offers three appliances with clustering and high-availability features: The entry-level appliance includes support for clustering two identical appliances behind one virtual IP address for up to 100 users, with integrated load balancing. The Aventail mid-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 1,000 users. The Aventail enterprise-level appliance includes support for clustering two identical appliances behind one virtual IP address, or up to eight appliances using an external load balancer, for up to 2,000 users. These cluster configurations support an active/active configuration, meaning all nodes in the cluster are actively sharing the user load at any given time. You administer all the nodes of an Aventail cluster from one master management console. After installing the software on all nodes, you log in to AMC on one of the nodes and assign it as master. From that point on, this node controls the propagation and synchronization of policy and configuration across both nodes. The slave node provides a redundant AMC, but it is not automatically assigned as master if the master node fails. Instead, you must log in to the slave node s AMC and manually assign it to be the master. When the original master node comes back online, it detects that the other node is now the master and it demotes itself to a slave node. Role-Based Administration Role-based administration restricts access for managing the appliance via AMC to authorized users based on their job functions and responsibilities. Permission to perform specific administration functions is assigned to roles defined in AMC. AMC is configured by default with one primary administrator who has full access to all AMC management features. The primary administrator can then delegate responsibility for four types of AMC management to users designated as secondary administrators. These secondary administrator roles are as follows: Security administration: controls permissions to manage access control rules, resources, users, and user groups. It also controls access to settings for WorkPlace, Aventail OnDemand, and End Point Control.

14 10 Chapter 1 - Introduction Single Sign-On System configuration: controls permissions to manage network settings, SSL settings, access and network services, general appliance settings, and authentication servers and realms. System maintenance: controls permissions to shut down or restart the appliance, update or roll back the system software, and import or export configuration data. System monitoring: controls permissions to view system logs and graphs, modify log settings, view active users, run troubleshooting tools, and terminate user sessions. For each administrator category, the primary administrator sets the permission level to allow read/write access or read-only access, or to disable access, which hides the relevant portion of the AMC user interface. The primary administrator also sets up a password-protected account for each user designated as a secondary administrator. Single sign-on (SSO) is an option that controls whether to forward user credentials to back-end Web resources. Configuring the appliance to use SSO prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource). The appliance support several types of Web-based SSO: Basic authentication forwarding is a widely supported form of authentication forwarding, but is not very secure because it sends passwords in the clear across the network. The appliance can be configured to send each user s unique authentication credentials, or static credentials (that is, the same credentials for all users). Basic authentication forwarding is configured within a Web application profile, which is assigned to a resource. NTLM authentication forwarding provides a secure method for sending Windows network credentials to a Microsoft IIS (Internet Information Services) Web server. NTLM (short for Windows NT LAN Manager ) uses a challenge/response mechanism to securely authenticate users without sending passwords in the clear across the network. NTLM authentication forwarding passes a Windows domain name along with the user s authentication credentials.

15 Aventail SSL VPN Getting Started Guide 11 Netegrity SiteMinder is a third-party product that provides a centralized mechanism for administering authentication and single signon. You can the appliance to receive user authentication credentials from a SiteMinder server and forward the credentials to any back-end Web resources it is protecting. RSA ClearTrust is a third-party product that provides a centralized mechanism for managing user authentication and single sign-on. You can the appliance to receive user authentication credentials from a ClearTrust server and forward the credentials to any back-end Web resources it is protecting. System Monitoring and Logging System monitoring and logging features permit administrators to view both real-time and historical data about the performance of the appliance and its access services, as well as user activity. The AMC home page displays a graphical summary of the current number of active users, network bandwidth, disk space usage, and CPU usage. More detailed views of this graphical data are also available in hourly, daily, and weekly increments. AMC also allows administrators to view the total number of active users at any given time and search the list of active user sessions by user name. User monitoring also lets you terminate a user s session, even if the user has multiple active connections on different services or nodes. If you have a Simple Network Management Protocol tool, you can use it to monitor the appliance as an SNMP agent. The appliance provides a variety of management data in Management Information Base (MIB) format. The AMC log viewer provides a detailed view of appliance, user access, and other activities contained in the following log files: The system message log displays server processing and diagnostic information about the access services, as well as detailed information on how access policy rules are applied. The user audit logs provide detailed information about connection activity, including a list of users accessing your network and the amount of data transferred. The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred, for the Web proxy service.

16 12 Chapter 1 - Introduction Aventail VPN Components Client Components The management console audit log records information about configuration changes made to the appliance by authorized administrators. The AMC log viewer allows you to customize the display of log message data using sorting, searching, and filtering options. If you need to perform additional analysis of the log message data, or display the data differently than how it appears in the log viewer, you can export selected data to comma-separated values (.csv) files for use by another application, such as Microsoft Excel. Your Aventail SSL VPN appliance consists of several key administrator and client components described next. The appliance includes several components that provide users with access to resources on your network. Smart Access With Smart Access the appliance automatically communicates with the end point and determines which access method is most appropriate for the user s system. When a user logs in to ASAP WorkPlace for the first time, WorkPlace automatically provisions the user with the agent that will provide the broadest range of access based on the user s access privileges, operating system, browser configuration, and any other constraints on the user s system. ASAP WorkPlace The Aventail ASAP WorkPlace portal provides your users with access to Web-based resources. After a user logs in to ASAP WorkPlace, a Web page appears that contains an administrator-defined list of shortcuts. These shortcuts point to the Web-based resources, Windows file system resources, and terminal servers to which the user has access privileges. ASAP WorkPlace is accessible from a standard Web browser. You can also create customized WorkPlace sites that employ different appearances (colors, logos, and greeting text) and unique URLs. This enables you to configure and deploy unique portals for different audiences (such as partners and employees).

17 Aventail SSL VPN Getting Started Guide 13 Web resources and file system resources can be accessed from any Web browser that supports SSL. By default, the appliance is configured to deploy a Microsoft ActiveX control (the Web proxy agent) on newer versions of Microsoft Windows systems running Internet Explorer. The Web proxy agent proxies Web content directly through the appliance. The appliance supports Web-based access to Windows Terminal Services (WTS) and Citrix hosts. These hosts are accessed by Web-based terminal agents that use native application protocols to send data to the terminal server. For users running other browsers, the appliance will automatically provide translated Web access. If you d rather not install an agent or your users systems don t support ActiveX, you can configure the appliance to provide translated Web access.

18 14 Chapter 1 - Introduction Network Explorer Network Explorer is a part of ASAP WorkPlace that provides access to any Windows file system resources that the user has permission to use. These resources can include servers, computers, workgroups, folders, and files. Connect Tunnel Client The Aventail Connect tunnel client is a Windows application with a small footprint that provides broad access to network resources. The Connect tunnel client provides access to any type of application or protocol, including non-tcp protocols such as Voice Over Internet Protocol (VoIP), ICMP, and multicast. The Connect tunnel client is initially installed from the ASAP WorkPlace portal or from a separate installer package, and is administered in AMC. OnDemand Tunnel Agent The Aventail OnDemand tunnel agent is a lightweight ActiveX or Java agent that provides the same broad access to applications and protocols as the Connect tunnel client. It is similar in all respects to the Connect tunnel client except that it is activated each time a user logs into the ASAP WorkPlace portal. Connect Mobile Client Aventail Connect Mobile client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including client/server applications, thin client applications, file servers, and Web resources. The Connect mobile client is installed using a Windows setup program that extracts the application files and then copies the files to the user s Pocket PC device through ActiveSync. Connect Proxy Client The Aventail Connect proxy client is a Windows application that provides access to a broad range of resources including traditional client/server applications, thin-client applications, file servers, and Web resources. Installed on the user s computer, the Aventail Connect proxy client can provide additional end-point security by requiring personal firewalls and antivirus applications. Aventail Connect supports Microsoft single sign-on and provides seamless access to network share resources from Network Neighborhood.

19 Aventail SSL VPN Getting Started Guide 15 OnDemand Proxy Agent Web Proxy Access The Aventail OnDemand proxy agent is a secure, lightweight Java applet that provides access to network resources. protected by the Aventail network proxy service. The OnDemand proxy agent can be downloaded from ASAP WorkPlace on demand to give users clientless VPN access ideal for partners or vendors that do not have standard VPN access to your network or for mobile employees that may need to access network resources from a non-work computer such as a public kiosk. The Aventail Web proxy agent provides access through ASAP WorkPlace to any Web resource, including Web-based applications, Web portals, and Web servers, as well as Windows network shares. Web proxy access eliminates the need for Web content translation and provides broad access to enterprise Web applications for users running Microsoft Windows XP or 2000 and Internet Explorer or Firefox with ActiveX enabled. Translated Web Access End Point Control Translated Web access is available from any Web browser supported by ASAP WorkPlace and provides access to any Web resource and Windows network shares. End Point Control components ensure that your network is not compromised when accessed from PCs in untrusted environments. The Aventail appliance includes support for several End Point Control (EPC) components designed to protect sensitive data and your network. Aventail s post-authentication data protection agents Aventail Secure Desktop and Aventail Cache Control automatically remove session data from the PC. The appliance also supports integration with third-party client integrity controls that automatically check for malware on the client system before allowing access. Administrator Components This section highlights the key components that you ll use to manage the Aventail appliance and services.

20 16 Chapter 1 - Introduction ASAP Management Console AMC is a Web-based administrative tool used to manage the appliance. It provides centralized access for managing security policies, configuring the system (including networking and certificate configuration), monitoring, troubleshooting, and administrator accounts. AMC is accessible from a Web browser. Setup Wizard Setup Wizard streamlines the initial configuration of the appliance. It guides you through the process of selecting basic network settings, configuring appliance options, defining resources, creating a basic access policy, and creating local users for testing purposes. Setup Wizard is a Web-based alternative to using the command-line Setup Tool.

21 Aventail SSL VPN Getting Started Guide 17 Aventail Access Services The appliance uses four access services to manage the access clients and agents that users employ to connect to your network resources: The Aventail network tunnel service is a network routing technology that provides secure network tunnel access to a wide range of applications and protocols, including non-tcp protocols such as Voice over IP (VoIP) and ICMP, reverse-connection protocols like SMS, and bidirectional protocols such as FTP. It works in conjunction with the Aventail Connect tunnel client and the Aventail OnDemand tunnel agent to provide authenticated and encrypted access. The Aventail Web proxy service provides users with secure access to Web-based applications, Web servers, and network file servers from a Web browser, or Web-based applications and Web servers from a Pocket PC device using the Aventail Connect Mobile client.. The Web access service contains a secure HTTP reverse proxy that brokers and encrypts access to Web-based resources. It includes user log-off capability to enhance security for users at public Web kiosks. It also manages TCP/IP connections from the Aventail OnDemand Java agent. The ASAP WorkPlace service controls access to WorkPlace resources accessed from a Web browser. The ASAP WorkPlace service communicates with Windows file servers and network shares (including Microsoft Distributed file system, or DFS, resources) using the Server Message Block (SMB) file-sharing protocol. The Aventail network proxy service provides a secure proxy for accessing standard client/server applications. It works in conjunction with the Aventail Connect proxy client to provide authenticated and encrypted access over the Internet. The network proxy service is based on the SOCKS v5 protocol. The network proxy service brokers and encrypts access to internal applications and networks. Its proxy-based architecture and use of SSL enables the network proxy service to traverse firewalls, NAT devices, and other proxy servers that can interfere with traditional VPN devices. Command-Line Tools Included on the appliance are several command-line administrative tools for performing initial setup of the appliance, backing up configuration settings, patching and upgrading the software, and restoring previous versions or configurations. These operations can also be performed using AMC s graphic user interface.

22 18 Chapter 1 - Introduction

23 Aventail SSL VPN Getting Started Guide 19 Chapter 2 Planning Your VPN Who Will Access Your VPN? To effectively design your VPN, you must identify who will access your VPN, what types of resources you will make available, and which access methods you will provide to end users so they can reach your network. A key consideration in planning your VPN is who the users are who need to access your network resources. Your user community will obviously have a major impact on how you design and administer your VPN. Most VPN users generally fall into one of two major categories: remote employees or business partners. Remote employees. When serving remote and mobile employees, you ll generally provide relatively open access to enterprise resources, such as providing domain-level access to them. Of course, you can also define a more granular access policy for specific resources that contain sensitive information (such as a payroll application). Employee computer systems under IT control provide the flexibility to install client software such as the Aventail Connect tunnel or proxy client on the desktop. The Aventail Connect clients provide direct integration with Windows Network Neighborhood for users accessing the network from a remote location. Business partners. Suppliers, vendors, contractors, and other partners generally have restricted access to resources on your network. This requires you to administer more granular resource definitions and access control rules than those typically used for a remote access VPN. For example, instead of simply defining a domain resource and granting employees open access privileges, you ll often need to define specific host resources and manage a more complex access policy. Additionally,

24 20 Chapter 2 - Planning Your VPN when defining a Web resource you may want to obscure its internal host name to maintain the privacy of your network. Because of the administrative and support issues associated with installing client software on computers outside the control of your IT organization, a Web-based access method is often best for business partners. What Types of Resources Are You Deploying? The Aventail appliance manages a wide variety of corporate resources, which fall into three categories: Resource type Examples Planning considerations Web Microsoft Outlook Web Access Web-based applications Web portals Web servers Client/server Citrix Microsoft Outlook Lotus Notes Terminal servers (such as Citrix or WTS) When specifying URLs to Web resources, include the or prefix. Use aliases to obscure host names on private networks. Identify resources by host name, IP address or IP range, subnet IP address, or domain name. Windows file shares Windows network servers Windows shared folders Defining a Windows domain gives access to all network file resources to authorized users. How Will Users Access Your Resources? End users can access VPN resources secured by the Aventail appliance using four primary methods. This gives you a range of deployment options for both managed desktops controlled by your IT department and systems outside your control, including employees home computers, partner desktops, and other systems such as kiosks or handheld devices. Standard Web browser. Web resources and file system resources can be accessed from any Web browser that supports SSL. Browser-based access is ideal for providing remote access from virtually any PC, including public kiosks, wireless networks, or small form factor devices

25 Aventail SSL VPN Getting Started Guide 21 such as smartphones or PDAs. It s also a good option for providing business partner access, because it does not require any client configuration or administration. ActiveX-enabled browser. Aventail s ActiveX agent the Aventail OnDemand network tunnel agent provides access to resources from Microsoft Internet Explorer and Firefox browsers that support ActiveX. In addition Web resources, this agent provides access to terminal services, thin-client applications, and full client/server applications. Java-enabled platform. Aventail s Java agents the Aventail OnDemand proxy agent and the Aventail OnDemand tunnel agent provide access to resources from Java-enabled Web browsers. The OnDemand tunnel agent uses Aventail s tunnel technology to provide full network access to protocols and applications for users of Windows XP or Windows The OnDemand proxy agent provides access to client/server applications and Web resources from a Java-enabled Web browser or any environment such as Macintosh or Linux systems configured with a stand-alone Java environment. The OnDemand proxy agent is a good choice for providing access to users who are connecting with a device that is not managed by IT staff, such as a home PC. Windows clients. The Aventail Connect tunnel client and the Aventail Connect proxy client are Windows clients that provide access to a broad range of resources, including traditional client/server applications, thinclient applications, file servers, and Web resources. These Connect clients offer complete integration with the Windows desktop, including support for Microsoft single sign-on and seamless access to network share resources from Network Neighborhood. The Aventail Connect clients are typically used for remote access on systems that can be readily managed by IT, such as a corporate laptop used by a traveling or remote employee. Mobile devices. The Aventail Connect mobile client is a lightweight application that runs on Pocket PC devices and provides access to a broad range of resources, including traditional client/server applications, thin client applications, file servers, and Web resources.

26 22 Chapter 2 - Planning Your VPN The following table summarizes the available access methods and the advantages of each. Access method Provides access to Advantages Aventail Connect network tunnel (Windows client) Aventail OnDemand network tunnel (ActiveX agent) Aventail Connect proxy (Windows client) Aventail Connect Mobile Aventail OnDemand proxy (Java agent) Full network access to client/server applications, Web resources, Windows network shares, and bidirectional applications such as Voice over IP, SMS, and FTP. Full network access to client/server applications, Web resources, Windows network shares, and bidirectional applications such as Voice over IP, SMS, and FTP. Client/server applications, Web resources, and Windows network shares. Client/server applications, thin client applications, file servers, and Web resources. Client/server applications and Web resources from any Java-enabled platform. Installed from ASAP WorkPlace portal or from custom installer package, with no rebooting required. Managed through AMC. Enhanced security options including split-tunneling, and redirection of all traffic or only local traffic. Local printing supported. Activated from ASAP WorkPlace portal. Enhanced security options including split-tunneling, and redirection of all or only local traffic. Local printing supported. Offers seamless integration with Windows Network Neighborhood. Security options, including splittunneling, personal firewall detection, and antivirus software detection. Auto-updating. Lightweight application that runs on Pocket PC devices. Broad cross-platform support. Lightweight Java agent is easy to administer and deploy.

27 Aventail SSL VPN Getting Started Guide 23 Access method Provides access to Advantages Web proxy mode Translated Web browser Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares. Any Web resource (including Web-based applications, Web portals, Web servers) and Windows network shares. Convenient access from any ActiveX-enabled browser. Defaults to translated mode on other browsers. Minimal client configuration or administration tasks. Users can access any network URL by typing its actual URL in the browser s address box. Broad Web-based access to enterprise applications. Single sign-on. Convenient access from virtually any PC. No client configuration or administration tasks. Supports the use of aliases to hide internal host names in the browser address bar. Single sign-on to back-end Web servers. Your choice of access methods will be based on a variety of factors, including: Technical considerations, such as the hardware platform, operating system, or Web browser in use by end users. Security requirements, such as the safeguards you want to put in place on the desktop. End-user profile, including users level of technical sophistication. Administrative resources available to manage and support a VPN. Tunnel, Proxy, or Web: Which Access Method is Best for You? Aventail s access services and clients offer a wide array of methods with different degrees of capabilities to enable your users to reach your organization s resources. Which ones are best for you? That depends on the resources you want to deploy and the computing environment of your users. Generally speaking, the two Aventail network tunnel clients provide the broadest network access and support, and greatest ease of administration. The caveat is that tunnel client users must be running either Windows 2000

28 24 Chapter 2 - Planning Your VPN or Windows XP. The Aventail Connect proxy client runs on both current and legacy versions of Windows, and has integrated End Point Control features, but must be installed and configured separately. The Aventail OnDemand proxy agent provides broad cross-platform support for Windows, Macintosh, and Linux users. Web access is clientless and requires no provisioning, but limits access to Web-based applications. System Requirements for Client Access Agents Use the following table to determine which Aventail access agents are appropriate for your users computers. Items shown in the regular font are supported platforms, while those shown in italics are compatible platforms. Client component Operating system Browser Other ASAP WorkPlace portal Windows XP Pro with Service Pack 2 Windows XP Pro with Service Pack 1 Windows XP Home with Service Pack 2 Windows XP Home with Service Pack 1 Windows 2000 Pro with Service Pack 4 Macintosh OS X v 10.4 Macintosh OS X v 10.3 Internet Explorer 6.0, Service Pack 2 Internet Explorer 6.0, Service Pack 1 Mozilla Firefox Macintosh Safari 2.0 Macintosh Safari 1.3 Mozilla Firefox Linux (Fedora Core 4) Mozilla Firefox Connect tunnel client Windows XP Pro with Service Pack 2 Windows XP Pro with Service Pack 1 Windows XP Home with Service Pack 2 Windows XP Home with Service Pack 1 Windows 2000 Pro with Service Pack 4 n/a Windows administrator rights required for installation