Aventail ST2 SSL VPN New Features Guide


Aventail ST2 SSL VPN New Features Guide. Summary of New Features and Functionality for the Aventail ST2 SSL VPN Platform Upgrade Release. August, 2006. 2006 Aventail Corporation. All rights reserved. Aventail, Aventail ASAP, Aventail EX-1500, Aventail EX-1600, Aventail EX-750, Aventail Connect, Aventail, Aventail WorkPlace Mobile, Aventail Unified Policy, Aventail Smart Access, Aventail Smart Tunneling, Aventail End Point Control, and Aventail OnDemand, and their respective logos are trademarks, service marks, or registered trademarks of Aventail Corporation. Other product and company names mentioned in this publication are the trademarks of their respective owners.

2 Aventail ST2 New Features Guide

Contents
Introduction ... 3
Summary of New Features ... 4
Detect: End Point Control ... 6
  Mobile Device End Point Control ... 6
  How it Works: Mobile Device End Point Control ... 6
  Device Watermarks ... 9
Protect: Aventail Unified Policy ... 10
  Quarantine and Deny Zones ... 10
  How it Works: Quarantine Zone ... 11
  How it Works: Deny Zone ... 12
  Dynamic Groups ... 14
  Chained/Stacked Authentication ... 15
  Forms-based Authentication ... 16
  CRL (Certificate Revocation List) Support ... 17
  Resource Wildcard Support ... 18
Detect: Aventail Smart Access and Smart Tunneling ... 19
  Smart Tunneling: NAT Mode ... 19
  Smart Tunneling Macintosh and Linux Support ... 20
  Smart Tunneling: Configuration Enhancements ... 21
  Smart Tunneling: Connect Tunnel Service Edition ... 22
  Session Persistence ... 22
  Native Access Modules: Enhanced Citrix Support ... 24
  Aventail WorkPlace: Multiple Server Side Certificates ... 24
  Aventail WorkPlace: Personal Bookmarks ... 26

Figures
Figure 1: Setting up a Windows Mobile Pocket PC Device Profile ... 7
Figure 2: EPC Support Summary ... 8
Figure 3: Adding a Device Certificate as a Watermark ... 9
Figure 4: Security Zone Types in ST2 ... 10
Figure 5: Defining Quarantine Zones ... 12
Figure 6: Defining Deny Zones ... 13
Figure 7: Configuring Dynamic Groups ... 15
Figure 8: Chained Authentication ... 16
Figure 9: Forms-based Authentication ... 17
Figure 10: CRL Configuration ... 18
Figure 11: Secure NAT Configuration ... 20
Figure 12: Smart Tunneling Configuration Options ... 22
Figure 13: Configuring Session Resumption ... 23
Figure 14: Adding a Citrix Server Farm ... 24
Figure 15: Configuring WorkPlace Sites ... 25
Figure 16: Adding Personal Bookmarks ... 26

Introduction

Purpose of this Document: This document provides a summary of the new features and functionality included in the Aventail ST2 release (released by Aventail in August 2006). It is intended to provide administrators of current Aventail SSL VPN deployments with a brief overview of the new features in the ST2 release, as well as a description of how to locate the new functionality within the Aventail AMC management interface.

The core focus of the Aventail ST2 release is remote access control, providing the strongest and most granular access control capabilities of any SSL VPN provider while at the same time providing the easiest-to-manage solution. The Aventail ST2 release provides significant investments that enhance overall Network Access Control (NAC) capabilities, by improving how organizations can:

1) Detect what is running on the end point device. Aventail End Point Control detects the identity and security state of each end device used for access. The ST2 release provides enhanced EPC detection functionality and extends EPC capabilities to mobile devices.

2) Protect applications with granular access control based on user identity and device integrity. Aventail Unified Policy is the enforcement engine for protecting corporate resources, ensuring that device access is controlled and users only access applications they are authorized for. Aventail ST2 focuses on additional policy control granularity combined with greater end user usability in how policy is applied.

3) Connect users easily and securely to applications across all device types. Aventail Smart Access and Smart Tunneling is the transport mechanism, making user access to all network resources easy and secure. Aventail ST2 provides expanded capabilities for Smart Tunneling, focusing on ease of administration and IPsec replacement.

[Diagram: "Remote Access Control is the Answer". Aventail's SSL-based Remote Access Controller: secure remote access for all users from all devices, allowing organizations to kick start their NAC initiative today. Three pillars: Detect what is running on the end point device; Protect applications with granular access control based on user identity and device integrity; Connect users easily and securely to applications across all device types. Remote access users (traveling employee, employee at a kiosk, day extender, employee using a wireless hotspot, employee PDA) and extranet users (customer/supplier, business partner from any browser) reach the corporate data center through Aventail Remote Access Controllers; internal users behind a firewall have internal access. Data center resources shown: user directories (LDAP, AD, RADIUS), web apps, client/server apps, file shares, databases, VoIP, applications.]

Summary of New Features

The ST2 release includes the following new or improved features:

Detect (EPC Device Interrogation)

Mobile Device EPC (New): Allows full EPC capabilities for mobile device users using Aventail Connect Mobile. Works when the user authenticates via or WorkPlace Mobile (assuming has been loaded on the device).

Device Watermarks (New): Enables the use of certificates to watermark Windows (using WorkPlace or Connect Tunnel) and Windows Mobile (using ) devices. The presence of a valid certificate watermark can then be used as a required attribute in a Security Zone (Windows and Windows Mobile device profiles only).

Protect (Aventail Unified Policy)

Quarantine Zone (New): Administrators can now configure Quarantine Zones that display admin-defined text and remediation links to users who do not match the End Point Control requirements set for access. The remediation links are not tied to the overall Aventail policy model, meaning the administrator does not have to go through the extra step of referencing the remediation resources in an access control rule.

Deny Zone (New): Allows for the creation of a security zone with an explicit condition on why access should be denied. Multiple Deny Zones can be created, each with a specific condition set by the presence of any one or more EPC variables contained within the device profile settings. The administrator can also customize a display message to WorkPlace and Connect Tunnel users who match the Deny Zone criteria, providing the opportunity to be very detailed on why access was denied.

Dynamic Groups (New): Allows administrators to define groups dynamically based on criteria that may be contained within a user object of a directory but are not represented by group memberships. When a user logs in, the repository is searched to see if the user matches any of the set criteria that would place the user in the dynamic group (supports LDAP and AD only).

Chained/Stacked Authentication (New): Allows administrators to combine two different authentication methods. Administrators can choose whether all authentication prompts are displayed on a single page or on multiple pages. Administrators can also specify whether to forward credentials from the secondary authentication prompt for SSO.

Forms-based Authentication (SSO) (Improved): Aventail supports forms-based SSO today, but outside of AMC. With the ST2 release, administrators will be able to configure forms-based SSO directly via AMC. This is useful for Web-based applications that use a form for authentication.

CRL (Certificate Revocation List) Support (Improved): Previous releases checked the validity of certificates through LDAP. The ST2 release adds CRL support, providing the ability to configure certificates as well as manage the revocation settings for certificates directly from a single page within AMC.

Resource Wildcard Support (Improved): Defining resources has been made easier in the ST2 release by allowing administrators to use wildcard characters (including * or ?) in a Host name resource or the host name portion of a URL resource.

Connect (Aventail Smart Access & Smart Tunneling)

Smart Tunneling NAT Mode (New): Configuring Smart Tunneling prior to the ST2 release required administrators to provide a pool of IP addresses so that there was at least one address available for every user (OnDemand Tunnel or Connect Tunnel). With the ST2 release, administrators have a new option called Secure NAT mode. In this mode, all users within a selected community are allocated unique, non-routable IP addresses and share a single, routable IP address for back-end resources. This limits the time required to get Smart Tunneling up and running; however, any application that requires a reverse or cross-connection is not supported (such as VoIP or FTP).

Smart Tunneling Macintosh and Linux Support (New): The Aventail ST patch introduced Connect Tunnel clients for Mac and Linux that were not configurable via AMC. The Aventail ST2 release will support configuration of these clients via AMC and will also provide an OnDemand version of both the Mac and Linux clients.

Smart Tunneling Configuration Enhancements:
Proxy Server Redirection (New): Allows Internet traffic running through the tunnel in redirect-all modes to be directed through an outbound proxy.
Connect Tunnel Auto Updating (New): Connect Tunnel (Windows only) can be configured to automatically update itself when a new version is available. Administrators can specify whether the update is performed at the user's discretion or is mandatory.
Post Connection Scripting (New): Allows administrators to specify an executable or script to run on a Windows system after a tunnel connection is established (Windows version of Connect Tunnel and OD Tunnel only).

Smart Tunneling Connect Tunnel Service Edition (New): Allows Connect Tunnel to run as a service on Windows XP and Windows 2000/2003 Server, meaning no user intervention is required to launch Connect Tunnel.

Session Persistence (New): Provides support for session resumption when a user's IP address changes, without requiring reauthentication, as long as the SSL session has not timed out.

Native Access Modules

Enhanced Citrix Support (Improved): Provides improved support for load-balanced Citrix farms. Allows users to browse to Citrix applications from a single link within WorkPlace and also supports published applications that run across a Citrix load-balanced farm.

Aventail WorkPlace

Multiple Server Side Certificates (Improved): Allows a unique URL FQDN (fully qualified domain name) for each WorkPlace site by allowing administrators to set up multiple server-side certificates. This means that WorkPlace sites no longer have to be tied to the same domain name as the appliance.

Personal Bookmarks (New): End users can now add their own bookmarks to the WorkPlace portal page. Personal bookmarks can point to internal or external/Internet resources.
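The Resource Wildcard Support item above says that * and ? may be used in a Host name resource or in the host name portion of a URL resource. The Python below is an added illustration of what such matching implies, not Aventail code and not AMC's actual matcher: it applies ordinary glob semantics (* for any run of characters, ? for exactly one) to the host name portion only, and adds an audit check an administrator would want, because a wildcard that is not anchored to a DNS label boundary (for example *example.com) also matches unintended hosts such as notexample.com. The host-name parser and the sample resource definitions are constructed for the example.

```python
"""Wildcard host-name resource matching (added illustration, not Aventail code)."""
import fnmatch


def host_of(resource: str) -> str:
    """Host name portion of a host-name resource or a URL resource.

    A deliberately small parser: it splits on '/' before anything else, so a
    '?' wildcard inside the host is not mistaken for the start of a URL query
    (urllib.parse would split 'http://intranet?.corp.example.com/' at the '?')."""
    rest = resource.split("://", 1)[1] if "://" in resource else resource
    authority = rest.split("/", 1)[0]            # drop path, query, fragment
    authority = authority.rsplit("@", 1)[-1]     # drop user info
    host = authority.rsplit(":", 1)[0] if ":" in authority else authority  # drop port
    return host.strip().lower()


def resource_matches(resource_pattern: str, requested: str) -> bool:
    """True when the requested host (or URL) falls under the wildcard resource.

    Only * and ? act as wildcards; '[' is escaped so that fnmatch's character
    classes do not silently become a third wildcard the administrator never asked for."""
    pattern = host_of(resource_pattern).replace("[", "[[]")
    return fnmatch.fnmatchcase(host_of(requested), pattern)


def wildcard_is_label_anchored(resource_pattern: str) -> bool:
    """Audit check: every * should sit on a DNS label boundary.

    '*.example.com' matches only hosts under example.com; '*example.com' also
    matches 'notexample.com', and a bare '*' matches every host."""
    host = host_of(resource_pattern)
    if host in ("", "*"):
        return False
    for i, ch in enumerate(host):
        if ch == "*":
            before = host[i - 1] if i > 0 else "."
            after = host[i + 1] if i + 1 < len(host) else "."
            if before != "." or after != ".":
                return False
    return True


def audit_resources(patterns):
    """Return the wildcard resources whose * is not anchored to a label boundary."""
    return [p for p in patterns if "*" in p and not wildcard_is_label_anchored(p)]


if __name__ == "__main__":
    # Constructed resource definitions; the hosts are documentation names.
    resources = ["*.example.com", "https://app??.example.com/", "*example.com", "*"]
    for r in resources:
        print(f"{r:32} intranet.example.com -> {resource_matches(r, 'intranet.example.com')}")
    print("over-broad wildcards:", audit_resources(resources))
```

Running the block prints which constructed resources match intranet.example.com and lists the two over-broad definitions. The audit is the part worth keeping: run it over exported resource definitions whenever a wildcard resource is added to an access control rule.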
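The Smart Tunneling NAT Mode item above contrasts the earlier per-user address pool with Secure NAT mode, and notes that applications needing a reverse or cross-connection (VoIP, FTP) do not work in NAT mode. The Python below is an added model of both address modes, written to show why that limitation follows from the design; it is not Aventail code and does not describe the appliance's actual NAT implementation. The addresses, user names and port numbers are constructed (192.0.2.0/24 is a documentation range).

```python
"""Per-user address pool versus Secure NAT mode (added illustration, not Aventail code)."""
import ipaddress
from itertools import count
from typing import Dict, Optional, Tuple


class AddressPool:
    """Pre-ST2 style: one routable address per concurrent tunnel user."""

    def __init__(self, network: str):
        self._free = iter(ipaddress.ip_network(network).hosts())
        self.leases: Dict[str, str] = {}

    def allocate(self, user: str) -> Optional[str]:
        if user in self.leases:
            return self.leases[user]
        try:
            self.leases[user] = str(next(self._free))
        except StopIteration:
            return None            # pool exhausted: this user cannot connect
        return self.leases[user]


class SecureNat:
    """Secure NAT mode: unique non-routable address per user, one shared routable address."""

    def __init__(self, inner_network: str, shared_ip: str):
        self._inner = iter(ipaddress.ip_network(inner_network).hosts())
        self.shared_ip = shared_ip
        self.users: Dict[str, str] = {}
        self._next_port = count(40000)
        self._out: Dict[Tuple[str, int, str, int], int] = {}  # flow -> translated port
        self._back: Dict[int, Tuple[str, int]] = {}            # translated port -> (inner ip, port)

    def connect_user(self, user: str) -> str:
        if user not in self.users:
            self.users[user] = str(next(self._inner))
        return self.users[user]

    def outbound(self, user: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate a user-initiated flow; the back-end resource sees the shared address."""
        flow = (self.users[user], src_port, dst_ip, dst_port)
        if flow not in self._out:
            port = next(self._next_port)
            self._out[flow] = port
            self._back[port] = (self.users[user], src_port)
        return (self.shared_ip, self._out[flow])

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """A packet arriving at the shared address is delivered only when it belongs to an
        existing outbound flow. A connection the back end initiates (an FTP active-mode
        data channel, a VoIP call-back) has no mapping, so there is no user to deliver it
        to and it is dropped. That is the reason the guide lists such applications as
        unsupported in NAT mode."""
        return self._back.get(dst_port)


def demo() -> Dict[str, object]:
    """Constructed walk-through; returns the observable results for inspection."""
    pool = AddressPool("192.0.2.0/30")           # only two usable addresses
    nat = SecureNat("10.200.0.0/24", "192.0.2.10")
    for user in ("alice", "bob"):
        nat.connect_user(user)
    return {
        "pool": [pool.allocate(u) for u in ("alice", "bob", "carol")],   # third user gets None
        "nat_addresses": dict(nat.users),
        "alice_flow": nat.outbound("alice", 51000, "10.0.0.5", 443),
        "bob_flow": nat.outbound("bob", 51000, "10.0.0.5", 443),
        "reply_to_alice": nat.inbound(40000),    # reply to an existing flow
        "server_initiated": nat.inbound(20),     # no mapping: dropped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17} {value}")
```

Two details carry the point: both users reach the same back-end server from the one shared address (distinguished only by translated port), and the pool variant refuses the third user because it has only two addresses, which is the provisioning burden NAT mode removes.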

Detect: End Point Control

Mobile Device End Point Control

New in the ST2 release is Mobile Device End Point Control, specifically for devices running the Pocket PC/PDA version of the Windows Mobile 5.0 operating system. This capability requires the agent to be present on the mobile device. For the end point interrogation to occur, the mobile device user can either launch the agent directly, or navigate to the WorkPlace portal, which will then leverage the agent for device interrogation. For information on how to provision the Aventail agent out to users, please reference the administrator's guide.

Supported access methods: Connect Tunnel; WorkPlace Portal* (* Works through the WorkPlace portal on mobile devices when the agent has been installed on the end point device.)

How it Works: Mobile Device End Point Control

Required steps:
1. Create a new security zone or edit an existing security zone to include mobile devices.
2. Create a mobile device profile.
3. Reference the security zones in access control rules.
4. Reference the security zones within communities.

1. Create a new standard zone or edit an existing security zone to include mobile devices

Note that before any policies enabled by End Point Control (EPC) can be created, EPC as a feature must be turned on. To enable End Point Control, from the main navigation menu, click End Point Control. Click the Disabled link next to End Point Control. The Configure General Appliance Options page appears. Select the Enable End Point Control check box.

To set up security zones for Windows Mobile PocketPC/PDA devices, click End Point Control on the AMC main navigation menu. This page provides an overview of the security zones. To set up a new security zone for a Windows Mobile Pocket PC device, click the + New tab, and select the Standard Zone option. This loads the page that allows administrators to specify the characteristics for a security zone, including selecting the appropriate device profile (which specifies what characteristics are required in order to classify a device into a security zone). Note that Quarantine and Deny Zones can also be created for Windows Mobile devices. Note also that a device profile for mobile devices can be added to an existing zone, allowing a zone set up for Windows, Macintosh or Linux devices to also include profiles for Windows Mobile devices.

2. Create a mobile device profile

To create a mobile device profile, click the New button in the Device Profile area of the Zone Definition page. To create a device profile for a Windows Mobile 5 Pocket PC edition device, select the Pocket PC/PDA option. Figure 1 provides an example of setting up a device profile for Windows Mobile Pocket PC/PDA devices. Within this page, select the device profile attributes that will be required for users in order to be classified against the security zone specified in step #1. Available attributes for Windows Mobile PocketPC/PDA devices include: Application, Client certificate, Directory name, File name, Windows registry entry, and Windows version.

Figure 1: Setting up a Windows Mobile Pocket PC Device Profile

Note that one of the options listed for creating a device profile is Mobile phone. Full device interrogation is supported only on the Windows Mobile PocketPC/PDA platform. Selecting the Mobile Phone option allows administrators to create a security zone for any mobile device running a mobile browser, but does not include any options for interrogating the device. This is useful where administrators want to support WorkPlace portal access from a mobile phone browser, and also want the ability to control which applications are presented to the mobile device via the WorkPlace portal. For more information, reference the mobile device support in the Aventail administrator's guide, or access the Aventail ST New Features Guide (October 2005).

A summary of the device profile attributes supported for End Point Control interrogation in the Aventail ST2 Release is provided below:

[Figure 2: EPC Support Summary. Table of device profile attributes by platform; the platform column headings are not recoverable from the transcription. Device Identification: Directory name; Windows domain membership; Any resident file; Device certificate. Device Integrity: Anti-virus; App/Process; Personal firewall; Windows registry entry; Windows O/S. Data Protection Support: Aventail Cache Control; Aventail Secure Desktop.]

3. Reference the Standard zone in access control rules

This step is the same as in previous releases of the Aventail SSL VPN. Organizations may have specific applications and resources that they want to make available only to Windows Mobile Pocket PCs/PDAs with a particular security profile. As an example, administrators may want a rule that says the CRM application is only accessible from a trusted mobile device with a valid anti-virus solution running and a valid certificate used as a device watermark. If the mobile device user had a revoked certificate or turned off their antivirus solution, then access to that application should be denied. To accomplish this, organizations can reference the standard zone created in step 2 as part of an access control rule. Standard zones are associated with Access Control rules simply by specifying the Standard zone that applies to each access control rule. Standard zones are treated like any other defined object. Access control rules are defined by specifying the users and groups that will have access, what applications/resources they will have access to, and from which security zones they will be permitted access. To set up an access control rule, click Access Control on the AMC main navigation menu, and then click the New button. To restrict access to applications based on the identity and integrity of Windows Mobile devices, reference the standard zone created in steps #1 and #2 in the access control rule.

4. Reference the security zones within Communities

This step is the same as in previous releases of the Aventail SSL VPN. The last step is to reference the defined security zones in communities. This determines the order in which zones are checked when classifying a device. It is recommended that zones are ordered from most specific, or most trusted, to least specific, or least trusted. When a user authenticates, the device is interrogated to classify it into a zone. Each zone is checked in the order it is listed in the community. For the zone classification to be applicable, the user must be a member of the community that the zone is referenced against. To order security zones in a community, click Realms on the AMC main navigation menu. Either select a predefined community by clicking the + button next to each realm and selecting a community that appears, or click the New button to go through the steps to create a new realm and community. On the End Point Control restrictions tab, choose a standard zone to display and click the Add button. Security zones can then be ordered using the Move Up and Move Down buttons.

Device Watermarks

New in the ST2 release is support for device certificates used as a watermark for Windows and Windows Mobile devices, serving as a device identifier as part of the End Point Control interrogation capabilities. This allows administrators to require the presence of a valid certificate as part of access control policy. If the device used for access is lost or stolen, revoking the certificate will quickly and easily disqualify the device against the security zones that require a valid certificate. To leverage a device certificate for this purpose, administrators can manage CA certificates as in previous releases, with an additional option to mark CA certificates for Device profiling (End Point Control). Once this step has been completed, each marked certificate is available for use within Windows and Pocket PC/PDA device profiles (see Figure 3 below). See the Mobile Device End Point Control feature listed in this guide for more information on referencing a device certificate within a security zone set up for Windows Mobile PocketPC/PDA devices.

Supported access methods: Connect Tunnel; WorkPlace Portal* ** (* Works through the WorkPlace portal on mobile devices when the agent has been installed on the end point device. ** Windows Mobile Pocket PC edition only.)

Figure 3: Adding a Device Certificate as a Watermark

Protect: Aventail Unified Policy

Quarantine and Deny Zones

New in the ST2 release are enhancements to the Aventail policy model, specifically how the results of the End Point Control interrogation interact with the Aventail SSL VPN policy model. Prior to the ST2 release, administrators could set different types of standard zones and relate them to access control rules. Users not matching any of the standard zones would automatically be placed into the default zone. The default zone offered administrators the ability to either allow limited access or deny access, but was not customizable on a per-community basis, nor did it allow much in terms of notifying users why access was restricted or denied. The ST2 release enhances this model by adding zone types that make it easier to deny access when the user's device does not meet the conditions required to gain access, and to notify the user why access was denied. Quarantine Zones provide an easy way to let users know when their device is out of compliance with the corporate security policies that set what is required in order to gain access. Deny Zones allow administrators to set very specific conditions for when access should be immediately denied based on the presence of something unwanted on the access device. For more information on each type of security zone, see Figure 4 below.

Figure 4: Security Zone types in ST2

Zone Type: Standard (Allow)
Description: Multiple standard/allow zones can be created in order to provide different levels of access for users. Administrators can segment zones by levels of trust for different types of devices used for access. Organizations can create as many standard zones as are needed to effectively segment access. As an example, fully trusted access may be matched against a standard zone that requires the most attributes in order to gain access (perhaps for an IT-managed device), but is then matched to the most permissive access control rules. Semi-trusted access may be matched against a standard zone that is less restrictive in terms of the attributes required for access (perhaps for someone working on their home machine), but is then matched to more restrictive access control rules.

Zone Type: Quarantine (New in ST2)
Description: The Quarantine Zone can be used for devices for which there is no match to a standard or deny zone. This serves as an alternative to the default zone and allows administrators to customize a message for end users, perhaps to explain what requirements are necessary in order to bring the user's device into compliance with the organization's security policies. Administrators can create Quarantine Zones that are unique for each community. Additionally, administrators can insert remediation links into the Quarantine Zone that the user can use to change the device status in an attempt to bring their device into compliance. These links are not tied to the Aventail policy model, meaning separate access control rules do not need to be set up for the remediation links.

Zone Type: Deny (New in ST2)
Description: The Deny Zone makes it easier to immediately deny access based on a device profile. Administrators can now create a Deny Zone and then associate the Deny Zone with device profiles that contain conditions for which access should be immediately denied. Multiple Deny Zones can be created, and for each Deny Zone a customized message can be created. Administrators do not need to relate Deny Zones to deny-all access control rules; the deny-all access control rule is assumed for each Deny Zone. Deny Zones are evaluated first when a user logs into the Aventail appliance; if there is a match, the user is shown the message related to the specific Deny Zone they matched and is logged out.
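The evaluation order described above (Deny Zones first, then the community's standard zones in their listed order, then the Quarantine Zone or the default zone as the fallback) and the zone-ordering recommendation from the Mobile Device End Point Control section can be modelled in a few lines. The Python below is an added illustration written for readers of this guide; it is not Aventail code and not AMC's actual policy engine. The zone names, device profile attributes and interrogation results are constructed, and profile matching is simplified to "every required attribute is present on the device".

```python
"""Zone classification in the order the guide describes (added model, not Aventail code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _attribute_present(actual, required) -> bool:
    """Set-valued EPC attributes (running processes, resident files) are satisfied when
    the required item is present; scalar attributes (OS, certificate state) must match
    exactly. This is a hypothetical simplification of real device profile matching."""
    if isinstance(actual, (set, frozenset, list, tuple)):
        return required in actual
    return actual == required


@dataclass
class DeviceProfile:
    name: str
    required: Dict[str, object]        # attribute name -> required value or item

    def matches(self, device: Dict[str, object]) -> bool:
        return all(_attribute_present(device.get(k), v) for k, v in self.required.items())


@dataclass
class Zone:
    name: str
    kind: str                          # "standard", "deny" or "quarantine"
    profiles: List[DeviceProfile] = field(default_factory=list)
    message: str = ""                  # administrator-defined text shown to the user

    def matches(self, device: Dict[str, object]) -> bool:
        return any(p.matches(device) for p in self.profiles)


@dataclass
class Community:
    name: str
    deny_zones: List[Zone]
    standard_zones: List[Zone]         # ordered most trusted -> least trusted
    fallback: Optional[Zone]           # Quarantine Zone, or None for the default zone


def classify(community: Community, device: Dict[str, object]) -> Tuple[str, str, str]:
    """Return (zone name, outcome, message) for one interrogated device."""
    for zone in community.deny_zones:              # 1. Deny Zones are evaluated first
        if zone.matches(device):
            return (zone.name, "denied", zone.message)
    for zone in community.standard_zones:          # 2. standard zones, in listed order
        if zone.matches(device):
            return (zone.name, "allowed", "")
    if community.fallback is not None:             # 3. Quarantine Zone as fallback
        return (community.fallback.name, "quarantined", community.fallback.message)
    return ("Default", "default", "")


def demo_community() -> Community:
    """Constructed example policy; zone names and attribute values are made up."""
    unwanted = Zone("Unwanted software", "deny", [
        DeviceProfile("win-unwanted", {"os": "Windows", "processes": "filesharer.exe"}),
        DeviceProfile("mac-unwanted", {"os": "Mac", "processes": "filesharer.app"}),
    ], message="Access denied: a prohibited file-sharing application is running.")
    managed = Zone("IT managed", "standard", [
        DeviceProfile("win-managed", {"os": "Windows", "antivirus": True, "device_cert": "valid"}),
    ])
    home = Zone("Home PC", "standard", [
        DeviceProfile("win-home", {"os": "Windows", "antivirus": True}),
    ])
    quarantine = Zone("Quarantine", "quarantine",
                      message="Your device does not meet policy; use the remediation links.")
    return Community("Employees", [unwanted], [managed, home], quarantine)


# Constructed end point interrogation results.
SAMPLE_DEVICES = {
    "managed_laptop": {"os": "Windows", "antivirus": True, "device_cert": "valid",
                       "processes": {"av.exe", "mail.exe"}},
    "home_pc": {"os": "Windows", "antivirus": True, "device_cert": "none",
                "processes": {"browser.exe"}},
    "lost_pda": {"os": "Windows Mobile", "device_cert": "revoked", "processes": set()},
    "managed_with_p2p": {"os": "Windows", "antivirus": True, "device_cert": "valid",
                         "processes": {"av.exe", "filesharer.exe"}},
}


def classify_all(community: Community) -> Dict[str, str]:
    """Map each sample device to the zone it lands in."""
    return {name: classify(community, dev)[0] for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, zone_name in classify_all(demo_community()).items():
        print(f"{name:17} -> {zone_name}")
```

The ordering recommendation matters because the "Home PC" profile is a subset of the "IT managed" profile: every managed laptop also satisfies it, so listing the less trusted zone first would classify managed devices into the less trusted zone. The managed_with_p2p device shows the other point: a device that would qualify for the most trusted zone is still logged out when a Deny Zone profile matches, because Deny Zones are checked before any standard zone.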

Aventail ST2 New Features Guide 11 It is worth noting that all zone classifications apply to users using the WorkPlace portal as well as users using the Connect Tunnel and agents. This allows a consistent access control policy regardless of the type of access method the user is using for access. Connect Tunnel* WorkPlace Portal ** * Note that Connect Tunnel users placed into the Quarantine Zone or the Deny Zone will actually see the same administrator customized messages that a WorkPlace user will see. ** Windows Mobile Pocket PC edition only How it Works: Quarantine Zone 1. Create a new Quarantine Zone 2. Reference the Quarantine Zones within communities 1. Create a new Quarantine Zone Note that before any policies enabled by End Point Control (EPC) can be created, EPC as a feature must be turned on. To enable End Point Control, from the main navigation menu, click End Point Control. Click the Disabled link next to End Point Control. The Configure General Appliance Options page appears. Select the Enable End Point Control check box. To set up a Quarantine Zone, click End Point Control on the AMC main navigation menu. This page provides an overview of any previously defined security zones. To set up a new Quarantine Zone, click the + New tab, and select the Quarantine Zone option. This will open the Zone Definition Quarantine Zone page. Here the administrator can customize the text that the user will see when placed into quarantine. In addition, the administrator can define remediation links pointing to either internal or external URL resources to allow users to attempt to change the status of their device. To do this, select the New button midway down the page and add in the necessary URLs. See Figure 5 for more information on defining a Quarantine Zone. **

Figure 5: Defining Quarantine Zones

2. Reference the Quarantine Zone within communities

The last step is to reference the defined Quarantine Zones from communities. With the ST2 release administrators can use either the Quarantine Zone or the Default zone as the fallback. To assign a Quarantine Zone in a community, click Realms on the AMC main navigation menu. Either select a predefined community by clicking the + button next to a realm and selecting one of the communities that appears, or click the New button to go through the steps of creating a new realm and community. On the End Point Control restrictions tab, select the appropriate Quarantine Zone under Zone fallback options. Note that only one Quarantine Zone per community is allowed, although each community can have its own unique Quarantine Zone.

How it Works: Deny Zone
1. Create a new Deny Zone
2. Create a device profile to reference within the Deny Zone
3. Reference Deny Zones within communities

1. Create a new Deny Zone

Note that before any policies enabled by End Point Control (EPC) can be created, EPC must be turned on as a feature. To enable End Point Control, click End Point Control on the main navigation menu, then click the Disabled link next to End Point Control. The Configure General Appliance Options page appears; select the Enable End Point Control check box.

To set up a Deny Zone, click End Point Control on the AMC main navigation menu. This page provides an overview of any previously defined security zones. To set up a new Deny Zone, click the + New tab and select the Deny Zone option. This opens the Zone Definition - Deny Zone page. Here the administrator can customize the message that the user will see when access is denied. See Figure 6 for more information on defining a Deny Zone.

Figure 6: Defining Deny Zones

2. Create a device profile to reference within the Deny Zone

Just as a standard zone is typically set up with the conditions under which access is allowed, conditions must also be set on the Deny Zone for when access will be denied. This is done by creating a device profile to associate with the Deny Zone. A single Deny Zone can contain multiple device profiles. This is useful if the organization wants to deny access based on the presence of a single application that may be running on a Windows desktop, a Windows Mobile PDA or a Macintosh device. Administrators in this scenario can create three different device profiles, one for each operating system, and associate each profile with the intended Deny Zone. The process of creating a device profile is unchanged in the ST2 release, except that Windows Mobile PocketPC/PDA device profiles can now be created (as mentioned elsewhere in this document). To create a new device profile, click the New button in the Device Profile area of the Zone Definition page. Keep in mind that the purpose here is to specify the applications, files, registry settings, etc., whose presence will cause access to be denied.

3. Reference the Deny Zones within communities

This step is the same as in previous releases of the Aventail SSL VPN, except that the Deny Zones are listed on the community page above the standard zones. Deny Zones are evaluated first when a user logs in to the appliance, and are checked in the order set within the community configuration. If there is no match to a Deny Zone, the standard zones are checked. If there is no match there either, the configured fallback option is applied. To order Deny Zones in a community, select Realms on the AMC main navigation menu. Either select a predefined community by clicking the + button next to a realm and selecting one of the communities that appears, or click the New button to go through the steps of creating a new realm and community. On the End Point Control restrictions tab, choose a Deny Zone to display and click the Add button. Deny Zones can then be ordered using the Move Up and Move Down buttons.

Dynamic Groups

New in the ST2 release is the ability to use a directory query to create a dynamic group for use within access control rules and community memberships. Dynamic groups are useful where an organization wants to apply policy to a group of users that is not already defined within an Active Directory or LDAP directory. This gives administrators further flexibility in narrowing group memberships down to something more manageable for access control rules. To add a dynamic group, select Users & Groups on the main AMC navigation menu, then on the Groups page select the + New tab and select Dynamic Group expression. The Add/Edit Dynamic Group Expression window opens, allowing administrators to define which LDAP/AD authentication realm to run the query against.
Figure 7 shows the Add/Edit Dynamic Group Expression page within AMC.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* WorkPlace support is not confined to Windows Mobile devices, but extends to most phones with a functional Web browser.

Figure 7: Configuring Dynamic Groups

Chained/Stacked Authentication

For increased security, organizations can require users to authenticate to the Aventail SSL VPN using two different authentication methods. For example, an organization could set up RADIUS or a digital certificate as the first authentication method, and LDAP or Active Directory as the second. To enable chained/stacked authentication, select Realms on the AMC main navigation menu. Either select a predefined authentication realm, or click the New button to create a new realm. If creating a new authentication realm, specify an Authentication Server from the drop-down list; this is used as the primary authentication server. To specify a secondary authentication server, select the Advanced option at the bottom of the page, which allows administrators to enter the details of the secondary authentication server. To make the login experience a one-step process, administrators can specify here that users should see only one set of authentication prompts on a single page. This also combines the username into a single prompt (which requires the username to be identical for both authentication methods for the single-page option to be applicable). Figure 8 shows the chained authentication options within AMC.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* WorkPlace support is not confined to Windows Mobile, but extends to most phones with a functional Web browser.

Figure 8: Chained Authentication

Forms-based Authentication

Many Web applications use forms-based authentication, in which the user enters a set of credentials into HTML form fields and a session token is stored in a browser cookie. This type of authentication is popular because it is supported on any combination of browser and Web server. The other benefit is that forms-based authentication allows the login page to be customized. The ST2 release allows administrators to use AMC to set up a single sign-on profile that forwards the credentials a user presents when authenticating to the SSL VPN to a Web application that uses forms-based authentication. It is also worth noting that administrators can set up single sign-on Web application profiles for Web applications that use Windows NTLM authentication or basic authentication. To enable a forms-based authentication single sign-on profile, select Services on the main AMC navigation menu, then select Configure under Web Proxy Service, and then select Single Sign-On Profiles. Select + New to create a new single sign-on profile. Sign-on profiles already exist on the Aventail appliance for OWA 2003, Citrix Nfuse 1.7 and Citrix MetaFrame XP. Figure 9 provides an example of configuring a single sign-on profile. Note that adding a new single sign-on profile requires a good understanding of the Web-based application that the information is being passed to.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* Forms-based authentication is supported only when using Translated Web Access.

Figure 9: Forms-based Authentication

CRL (Certificate Revocation List) Support

New in the ST2 release is support for Certificate Revocation Lists (CRLs) for checking the validity of certificates, whether used for client authentication or for the device watermark feature referenced earlier in this document. This enhances the previous functionality of checking certificates via LDAP. To configure certificate revocation checking, first select SSL Settings from the main AMC navigation menu, then select the Edit option next to CA certificates. From there administrators can either add new certificates or edit existing ones. Editing an existing certificate brings up the AMC page shown in Figure 10 below, which includes the new Certificate revocation checking option.

Supported access methods: Connect Tunnel*; WorkPlace Portal
* Certificates are supported only with Connect Tunnel and as a device watermark. Certificates used for personal authentication are not supported at this time.

Figure 10: CRL Configuration

Resource Wildcard Support

New in the ST2 release is support for using wildcards in the definition of host-based resources or in the host name portion of a URL resource. When a host name is specified, the wildcard characters * and ? can be used within an address segment (between periods). For example, the entry mail*.yourcompany.com gives the user access to anything in the yourcompany domain that begins with mail (for example, mail.yourcompany.com and mail2.yourcompany.com), but not to mail3.wemmet.yourcompany.com. The host name is not case-sensitive.

Supported access methods: Connect Tunnel; WorkPlace Portal

Detect: Aventail Smart Access and Smart Tunneling

Smart Tunneling: NAT Mode

Prior to the ST2 release, every user of a Smart Tunneling agent (Connect Tunnel or OnDemand Tunnel) required a unique address provisioned from an address pool. New in the ST2 release is Secure NAT, which uses translated address pools. The advantage of a translated address pool is that only a single back-end address is required, and all remote connections share this single address. With NAT mode, any application that requires a reverse connection or cross-connection (such as SMS, VoIP or FTP) is not supported. However, NAT mode can be enabled on a per-community basis, allowing administrators to choose which users require addresses provisioned from an IP address pool and which users share the single address from a translated address pool.

There are several ways to configure NAT mode. Selecting Services from the main AMC navigation menu and then selecting Configure under the Network tunnel service provides access to IP address pool management. Selecting + New or editing an existing address pool opens the Configure IP Address Pool page (see Figure 11 below). Selecting Translated address pool (Secure NAT) allows administrators to provide the single address required for NAT mode. Additionally, address pools can be configured per community: administrators can relate existing address pools or configure new ones on a per-community basis, which is useful for designating specific groups of users who will use NAT mode. Select Realms from the main AMC navigation menu, and then either edit an existing realm or add a new realm. This allows administrators to add new communities or manage existing ones. Within the Access Methods section of Configure Community, selecting the Configure option under Smart tunnel access (IP Protocol) allows administrators to edit IP address pools in the same way as described above.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* Relevant for OnDemand Tunnel provisioned through WorkPlace.
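The segment-bounded wildcard rule from Resource Wildcard Support above, as an added Python example that is not the appliance's own matching code. It assumes the rule generalizes so that a wildcard inside one segment never stands in for an extra label (so *.yourcompany.com covers wiki.yourcompany.com but not a.b.yourcompany.com); the resource list is constructed.

```python
import re
from typing import Iterable, Optional, Tuple


def _segment_regex(segment: str) -> str:
    """Turn one address segment of a resource pattern into a regex fragment.
    '*' matches any run of characters and '?' exactly one; neither may cross a
    period, so a wildcard can never match an additional host-name label."""
    out = []
    for ch in segment:
        if ch == "*":
            out.append("[^.]*")
        elif ch == "?":
            out.append("[^.]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def compile_host_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a host-based resource definition such as mail*.yourcompany.com.
    The pattern is split on periods and each segment is matched on its own."""
    segments = pattern.strip().rstrip(".").split(".")
    body = r"\.".join(_segment_regex(s) for s in segments)
    # Host names are not case-sensitive, so the comparison ignores case.
    return re.compile(rf"^{body}$", re.IGNORECASE)


def host_matches(pattern: str, host: str) -> bool:
    """True when `host` falls under the resource defined by `pattern`."""
    return compile_host_pattern(pattern).match(host.strip().rstrip(".")) is not None


def first_matching_resource(resources: Iterable[Tuple[str, str]], host: str) -> Optional[str]:
    """Return the name of the first resource whose host pattern covers `host`.
    `resources` is an ordered list of (resource name, host pattern) pairs, the
    way an access control rule would reference a list of defined resources."""
    for name, pattern in resources:
        if host_matches(pattern, host):
            return name
    return None


# Constructed resource list in the style of the guide's example (not from the guide).
RESOURCES = [
    ("Mail servers", "mail*.yourcompany.com"),
    ("Intranet web", "web??.yourcompany.com"),
    ("Any single label under yourcompany.com", "*.yourcompany.com"),
]
```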

Figure 11: Secure NAT Configuration

Smart Tunneling: Macintosh and Linux Support

New in the ST2 release is support for Macintosh and Linux versions of the OnDemand Tunnel and Connect Tunnel agents. To obtain the cross-platform versions of the Connect Tunnel agent, select Agent Configuration from the main AMC navigation menu, and then select the Download option next to Client installation packages. This allows administrators to download the cross-platform agents and distribute them to end users. Alternatively, users can be allowed to download and install the Connect Tunnel agents themselves through the WorkPlace portal. Setting the configuration options for the Connect Tunnel agent, or enabling the OnDemand version for use through the WorkPlace portal, is done by managing access methods within the User Access: Realms configuration section of AMC. See the Smart Tunneling: Configuration Enhancements section of this document for information on how to edit the OnDemand Tunnel and Connect Tunnel agent configuration options.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* Relevant for OnDemand Tunnel provisioned through WorkPlace.

Smart Tunneling: Configuration Enhancements

New in the ST2 release are general enhancements to the management of the Connect Tunnel and OnDemand Tunnel agents. Added in this release are:

Proxy server redirection: Allows traffic bound for the Internet to be redirected through an internal proxy server while the VPN connection is active. This is useful where an organization has an HTTP proxy server set up to control access to Internet resources. This option is only available in redirect-all mode for OnDemand Tunnel and Connect Tunnel.
Supported access methods: Connect Tunnel; WorkPlace Portal*
* Relevant for OnDemand Tunnel provisioned through WorkPlace.

Connect Tunnel auto-updating: Allows administrators to ensure that users of the Windows version of Connect Tunnel are running the most recent version of the agent. The update can be configured as mandatory, or left to the user's discretion as to when it is applied.
Supported access methods: Connect Tunnel; WorkPlace Portal

Post-connection scripting: Applies to the Windows version of the OnDemand Tunnel and Connect Tunnel agents. Allows administrators to specify an executable or script to run on a user's Windows machine after the tunnel connection is established. Note that any script referenced must already be present on the user's device before it is invoked by the OnDemand Tunnel or Connect Tunnel agent.
Supported access methods: Connect Tunnel; WorkPlace Portal*
* Relevant for OnDemand Tunnel provisioned through WorkPlace.

To see these new configuration options, select Realms from the main AMC navigation menu, and then either edit an existing realm or add a new realm. This allows administrators to add new communities or manage existing ones. Within the Access Methods section of Configure Community, selecting the Configure option under Smart tunnel access (IP Protocol) allows administrators to edit the settings for Connect Tunnel or OnDemand Tunnel. Expanding the Advanced options and Windows options reveals the new configuration options in the ST2 release, which are highlighted in Figure 12 below.

Figure 12: Smart Tunneling Configuration Options

Smart Tunneling: Connect Tunnel Service Edition

New in the ST2 release is the ability to install the Connect Tunnel agent on a Windows server. This can be used to secure access for remote applications that need to make regular connections without human intervention. The Connect Tunnel agent works with the application directly to authenticate and authorize the application traffic. Supported platforms for the Connect Tunnel Service Edition are Windows 2003 and Windows 2000 servers and Windows XP desktops. The Connect Tunnel Service Edition package can be downloaded from the Aventail Assurance Portal.

Session Persistence

A user on a mobile PDA or laptop may see the device's IP address change during the course of an SSL VPN session: the user might be on a PocketPC device roaming from one network to another, or might be behind a proxy server. The ST2 release allows users to resume their sessions when their IP address changes without having to re-authenticate the SSL VPN session. This feature is enabled as part of Aventail's End Point Control capabilities, allowing administrators to choose the devices, and the characteristics of those devices, for which this capability is enabled.

To enable this feature, select End Point Control on the AMC main navigation menu. This page provides an overview of the security zones. From the list of defined zones, select an existing standard zone to open the Zone Definition - Standard Zone page. At the bottom of the page, select the Advanced option to expand that section, then select the Allow user to resume their session from multiple IP addresses check box (see Figure 13). Note that for this feature to be tied to a specific type of device or set of devices, the appropriate device profiles must be associated with the standard zone where session persistence is turned on, and that standard zone must also be referenced from a realm/community. For more information on setting up a new security zone, or on ensuring that device profiles are set up appropriately, see the Mobile Device EPC feature in this guide for examples, or consult the Aventail AMC administrator's guide.

Supported access methods: Connect Tunnel; WorkPlace Portal

Figure 13: Configuring Session Resumption

Native Access Modules: Enhanced Citrix Support

The Aventail Native Access Modules provide access to terminal server resources (Citrix or Windows Terminal Services) using native application protocols. The ST2 release improves Citrix support by adding support for one or more load-balanced Citrix server farms. Each server farm can include up to six Citrix MetaFrame servers. Additionally, administrators can create links within the WorkPlace portal that allow users to browse to a Citrix server farm. The process for setting up the Native Access Modules (referred to as Graphical Terminal Agents) is unchanged in this release. For more information, refer to the Aventail AMC administrator's guide or the Aventail ST New Features Guide (released in October 2005). To add a Citrix server farm as a resource, click Resources on the main AMC navigation menu, then select + New and select Citrix server farm from the list. The Add/Edit Citrix Server Farm page appears (see Figure 14). On this page administrators specify the appropriate information about the Citrix server farms they want to extend access to.

Supported access methods: Connect Tunnel; WorkPlace Portal

Figure 14: Adding a Citrix Server Farm

Aventail WorkPlace: Multiple Server-Side Certificates

Prior to the ST2 release, administrators could create multiple WorkPlace sites, but all sites had to share the appliance domain name, meaning that the URL for each site was tied to the same domain. New in the ST2 release is the ability to give each WorkPlace site a truly unique fully qualified domain name (FQDN). This option requires a separate SSL certificate, and also requires adding the custom FQDN to the organization's public DNS. To add a new WorkPlace site with a unique FQDN, follow the normal process for adding WorkPlace sites: select Aventail WorkPlace from the main AMC navigation menu, select the WorkPlace Sites tab, then click + New to open the Configure WorkPlace Site page (Figure 15). Select the Custom host and domain name option to specify a unique FQDN, and provide the necessary information, including a unique SSL certificate.

Supported access methods: Connect Tunnel; WorkPlace Portal*
* This extends beyond Windows Mobile to most mobile phones with a functional browser.

Figure 15: Configuring WorkPlace Sites

Aventail WorkPlace: Personal Bookmarks

The Aventail ST2 release adds a new section to the WorkPlace portal where users can add their own personal bookmarks to URLs and other resources (such as SMB hosts). To enable users to add their own bookmarks to the WorkPlace portal, click Services on the main AMC navigation menu, then select Configure next to the Aventail WorkPlace section. On the Configure WorkPlace page, select the Enable users to create personal links check box. Leaving this box unchecked prevents the bookmark section from appearing within the WorkPlace portal. To add a bookmark to the WorkPlace portal, select the Edit link within the Bookmarks section of the portal, then select the + New button to add a bookmark (see Figure 16). When done with each bookmark, select OK. When done adding all bookmarks, click the Save button at the bottom of the page.

Supported access methods: Connect Tunnel; WorkPlace Portal

Figure 16: Adding Personal Bookmarks