aventail connect 5


Post on 12-Sep-2021


Aventail Connect 5.3 User’s Guide

©2003 Aventail Corporation. All rights reserved. Aventail, Aventail EX-1500, Aventail ExtraWeb, Aventail Anywhere VPN, Aventail Connect, Aventail ASAP WorkPlace, Aventail Web File Access, Aventail OnDemand, and their respective logos are trademarks, service marks, or registered trademarks of Aventail Corporation. Other product and company names mentioned in this publication are the trademarks of their respective owners.

Last modified 11/17/03 17:32


Table of Contents

Chapter 1 - Introduction to Aventail Connect
    What is Aventail Connect?
    What is a VPN?
        Verifying Your Identity
        Local vs. Remote Networks
        Login Groups and Servers

Chapter 2 - Connecting to Your Network Resources
    Running Aventail Connect
        How to Tell if Aventail Connect is Running
        Starting Aventail Connect
        Selecting Your Configuration File at Startup
        Manually Selecting Your Network Location at Startup
        Automatically Selecting Your Network Location at Startup
        Changing Your Network Location
        Manually Selecting Your Remote Network at Startup
        Automatically Selecting Your Remote Network at Startup
        Running Aventail Connect Automatically at Startup
        Specifying a Login Group or Server
    Updating the Aventail Connect Software
        Downloading and Installing Automatic Software Updates
        Downloading and Installing Manual Software Updates
    Remote Network Access
        Enabling Remote Network Access
        Disabling Remote Network Access
    Authentication
        Authenticating with a Username and Password
        Client Certificates
            What is a Digital Certificate?
            Authenticating with a Client Certificate
        Challenge-Response Authentication
    Server Certificates
    Quitting Aventail Connect

Chapter 3 - Configuration
    Configuration Files
        Loading a Configuration File
        Updating a Configuration File
    Startup Options
        Running Aventail Connect Automatically at Startup
        Displaying the Aventail Connect Splash Screen at Startup
        Prompting for Configuration File and Local Network at Startup
        Configuring Multiple Login Group Settings
    Internet Proxy Options
        Manually Specifying Internet Proxy Server Settings
        Automatically Detecting Internet Proxy Server Settings
            Locating Internet Proxy Settings with a Configuration Script
        Clearing Internet Proxy Server Settings
    Credential Management
        Deleting Your Credentials
        Certificate Management
            Exporting a Client Certificate
            Importing a Client Certificate

Appendix A - Aventail Connect Dialog Boxes
    System Menu Commands
    Aventail Connect Options Dialog Boxes
        Aventail Connect Options Dialog Box: General Tab
            Network Configuration Options
            Startup Options
        Aventail Connect Options Dialog Box: Network Tab
            Local Network Options
            Remote Network Options
            Remote Ping Dialog Box
        Aventail Connect Options Dialog Box: Internet Proxy Tab
        Aventail Connect Options Dialog Box: Advanced Tab
            Personal Firewall Options
            Required Application Options
    Startup Dialog Boxes
        Remote Network Access Dialog Box
        Internet Proxy Server Dialog Box
            Network Configuration Dialog Box
    Software Updating Dialog Boxes
        Connect Software Update Dialog Box
        Connect Automatic Updates Dialog Box
    Event Viewer Window
        Logging Categories Dialog Box

Appendix B - Troubleshooting
    Frequently Asked Questions
    Aventail Connect Event Viewer
        Opening the Event Viewer
        Setting the Logging Level
        Filtering Log Messages
        Saving Log Messages
        Copying Log Messages into Other Applications
        Printing Log Messages
        Finding a Specific Log Message
        Clearing the Event Viewer Window
        Closing the Event Viewer
    Running the Diagnostic Utilities

Glossary

Index


Chapter 1 - Introduction to Aventail Connect

Welcome to the Aventail Connect 5.3 User’s Guide. Aventail Connect is the client component of Aventail’s VPN solution, which enables secure, authorized access to Web-based and client/server applications.

This section introduces you to the Aventail Connect client and familiarizes you with basic virtual private network (VPN) concepts.

What is Aventail Connect?

The Aventail Connect client allows you to connect to network resources that sit behind the Aventail client/server access service on the Aventail appliance. Aventail Connect runs transparently on your desktop, intelligently identifying and securely routing application requests to the Aventail appliance. (See diagram below.) The Aventail Connect client automatically routes appropriate network traffic from an application such as an e-mail program or a Web browser to the Aventail appliance. The appliance then sends the traffic to the remote network or to the Internet. Your administrator defines routing rules for this traffic.

In most cases you will interact with the Aventail Connect client only when you are prompted to specify a network or a login group, or to enter authentication information for connections to resources secured by the Aventail appliance. You may occasionally need to start and quit the Aventail Connect client, although administrators often configure it to run automatically at startup.


What is a VPN?

Think of a VPN as an extension of your private network. A company can use a VPN to make applications and information available to only authorized users, both inside and outside the company. A VPN can provide access to Web-based applications or traditional client/server applications, and encrypts all traffic to make it unreadable to unauthorized users.

VPNs are an essential tool in managing today’s dynamic business relationships. For example, a company could put sales information on the VPN and allow only its sales department and designated customers to access the information.

Verifying Your Identity

To access your network resources, you must first verify your identity. This ensures that only authorized users can access protected network resources. The authentication credentials used to verify your identity typically consist of a username and password that you must type in an authentication dialog box. In some cases you must also authenticate with a digital certificate or a token.

Local vs. Remote Networks

When routing traffic to the VPN, the Aventail Connect client must keep track of your location. It does this by assigning a local network and a remote network. Your local network is your current location, or where you are connecting from. Your remote network is the location of the network resource that you are connecting to.

Most companies use the Aventail Connect client for inbound network access; this allows users to access their network resources from a remote location. For example, if Jane, an employee of ABC Corporation, wants to connect to the ABC corporate VPN from her laptop while traveling, her local network is the Internet (where she is connecting from) and her remote network is ABC (where she is connecting to).

[Figure: Jane’s laptop (local network: Internet) connecting across the Internet to the ABC corporate extranet (remote network: ABC Corp.)]


Some companies use the Aventail Connect client for outbound network access as well. For example, if Jane wants to connect to the Internet from her computer at ABC Corporation’s headquarters, her local network is ABC and her remote network is the Internet.

In many cases, the Aventail Connect client can automatically detect your local network location. However, Aventail Connect may prompt you to specify your local network location or the remote network that you want to connect to. Specifying the correct local and remote networks ensures that you can successfully access your network resources.

Login Groups and Servers

Aventail Connect supports multiple login groups, which enables a user to log in to different login groups or servers.

In some cases, in addition to providing credentials, you may be prompted to log in to a specific group or server (for example, “Employees” or “Partners”). This information should be provided by your system administrator.

[Figure: Jane’s desktop (local network: ABC Corp.) connecting to the Internet (remote network: Internet)]


Chapter 2 - Connecting to Your Network Resources

This section describes how to run the Aventail Connect client, select startup options, and update the Aventail Connect software.

Notes

• Depending on how your network administrator configured your Aventail Connect setup package, some user interface components and options may be disabled or removed.

• In the Aventail Connect interface, an ellipsis (...) button is a standard Browse button; you can click the ellipsis (...) button to search for files to open or save.

Running Aventail Connect

When the Aventail Connect client starts, it loads a configuration file that was created by your administrator. This file contains the rules that the Aventail Connect client uses to properly route network traffic to and from your computer.

The Aventail Connect client may prompt you at startup to select a configuration file, network location, or remote network. If you are unsure of which configuration file, network location, or remote network to select, contact your administrator.


How to Tell if Aventail Connect is Running

When the Aventail Connect client is running, its icon appears in the taskbar notification area:

Starting Aventail Connect

Administrators can set up the Aventail Connect client to run at startup, so you may never need to manually launch the Aventail Connect application. Some administrators require you to start Aventail Connect via the Start menu.

To start the Aventail Connect client

• Click the Start button, point to Programs, point to Aventail Connect, and then click Connect 5.3.

Depending on how your preferences are configured, you may be prompted to specify a configuration file, your local network location, or the remote network that you want to connect to.

The Aventail Connect icon appears in the taskbar notification area, indicating that the Aventail Connect client is running in the background.

Selecting Your Configuration File at Startup

Upon startup, the Aventail Connect client may prompt you to select a configuration file, which contains the rules that the Aventail Connect client uses to properly route network traffic to and from your individual workstation.

To select your configuration file

• In the Network Configuration dialog box, type or select the appropriate configuration file, or use the Browse (...) button to locate it, and then click OK.

Manually Selecting Your Network Location at Startup

Upon startup, the Aventail Connect client may prompt you to select your network location. Your network location is your local network, or the location that you are connecting from.

To select your network location

• In the Network Configuration dialog box, select your current network location from the Select the network location of your computer box, and then click OK.

-OR-

• In the Remote Network Access dialog box, select your current network location from the Select your local network box, and then click OK.

[Icon: Aventail Connect enabled]


Automatically Selecting Your Network Location at Startup

You can configure the Aventail Connect client to automatically detect your network location. This prevents you from having to manually specify your network location each time you start Aventail Connect. Your network location is your local network, or the location that you are connecting from.

To automatically select your network location

• In the Network Configuration dialog box, select the Automatically detect the network location of your computer check box, and then click OK.

-OR-

• In the Remote Network Access dialog box, select the Automatically detect local network check box, and then click OK.

-OR-

• On the Network tab of the Aventail Connect Options dialog box, select the Automatically detect local network check box, and then click OK or Apply.

Changing Your Network Location

At startup, the Aventail Connect client may prompt you to specify your network location. You can also manually change your network location setting at any time.

When you have the Automatically detect the network location of your computer option enabled, if you change your local network location and Windows detects a new IP address, Aventail Connect will automatically prompt you for your new remote network. If the Automatically detect the network location of your computer option is disabled, follow the procedure below to manually change your local network location.

Before changing your local network location, you must disable remote network access. For more information, see “Disabling Remote Network Access” on page 11.

To change your network location

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. On the Network tab of the Aventail Connect Options dialog box, click Change.

3. In the Change Local Network dialog box, click the appropriate network in the Select the network location of your computer box, and then click OK.

Manually Selecting Your Remote Network at Startup

Upon startup, the Aventail Connect client may prompt you to select your remote network. Your remote network is the network location that you are connecting to.

To select your remote network

• In the Remote Network Access dialog box, select the appropriate remote network from the Select the remote network box, and then click OK.


Automatically Selecting Your Remote Network at Startup

You can configure the Aventail Connect client to automatically detect your remote network location at startup. When you enable this feature, Aventail Connect associates the specified remote network with the currently specified local network. This prevents you from having to manually specify your remote network each time you start Aventail Connect from the associated local network.

To automatically select your remote network

• In the Remote Network Access dialog box, select the Default to this remote network from this local network check box, and then click OK.

To clear your default remote network setting

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. On the Network tab of the Aventail Connect Options dialog box, under Remote Network, click Clear Default Networks.

Running Aventail Connect Automatically at Startup

Your administrator may configure the Aventail Connect client to run automatically when you start your computer, or you may be required to start Aventail Connect via the Start menu. If you use Aventail Connect infrequently (for example, only when you are traveling), you might prefer to start Aventail Connect manually.

To run the Aventail Connect client automatically at startup

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. On the General tab of the Aventail Connect Options dialog box, under Startup Options, select the Run Connect automatically at Windows startup check box, and then click OK or Apply.

Specifying a Login Group or Server

In some cases, when you initiate a connection to a remote network you may be prompted to log in to a specific group or server (for example, “Employees” or “Partners”). This information should be provided by your system administrator.

To log in to a login group or server

• If you are presented with a Log in to: prompt, select the appropriate group or server from the list. If the list does not contain the appropriate name, type the group or server name in the Log in to: box.

Updating the Aventail Connect Software

Aventail Connect supports various software-updating options. Your network administrator may issue software updates when a new version of the Aventail Connect software becomes available, or when your network requirements change. Aventail Connect can check for updates at regular intervals scheduled by your network administrator, or whenever you click Connect Software Update on the Aventail Connect system menu. Your administrator can also disable the updating feature; if software updating is disabled, the Connect Software Update command is unavailable.

Downloading and Installing Automatic Software Updates

If your administrator configured Aventail Connect to automatically check for newer Aventail Connect software or setup packages at scheduled intervals, an updating icon and an alert will appear in the taskbar notification area whenever an Aventail Connect update is ready for download.

To download and install an automatic software update

1. Click the Aventail Connect updating icon in the taskbar notification area.

2. In the Connect Software Update dialog box, click Start Download. (If you want to download the update at a later time, click Remind Me Later and then, in the Connect Automatic Updates dialog box, specify when you want the reminder to appear.)

3. After the update downloads, click Install on the Connect Software Update dialog box. (If you want to install the update at a later time, click Remind Me Later and then, in the Connect Automatic Updates dialog box, specify when you want the reminder to appear.)

4. After the update installs, restart your computer to complete the update process.

Downloading and Installing Manual Software Updates

If your administrator configured Aventail Connect to run in manual-update mode, the Aventail Connect software or setup packages will be updated only when you initiate updates.

To download and install a manual software update

1. When you want to check for a newer Aventail Connect setup package, right-click the Aventail Connect icon in the taskbar notification area, and then click Connect Software Update.

• If Aventail Connect detects a new setup package, the Connect Software Update dialog box appears, and you can continue to step 2, below.

• If a new Aventail Connect setup package is not available, Aventail Connect will display a message indicating that the currently installed version of Aventail Connect is up to date. Click OK and do not proceed to step 2.

2. In the Connect Software Update dialog box, click Start Download. (If you want to download the update at a later time, click Remind Me Later and then, in the Connect Automatic Updates dialog box, specify when you want the reminder to appear.)

3. After the update downloads, click Install on the Connect Software Update dialog box. (If you want to install the update at a later time, click Remind Me Later and then, in the Connect Automatic Updates dialog box, specify when you want the reminder to appear.)

4. After the update installs, restart your computer to complete the update process.

Remote Network Access

When you access your protected network resources from a location other than within your corporate network, you are accessing your network remotely.

To enable remote network access to a different protected network, you must first disable remote access to the network to which you are currently connected. You can then enable remote access to a different network.

This section explains how to enable and disable remote network access via the Aventail Connect system menu.

When remote network access is disabled, a red circle with an X in it appears on the Aventail Connect icon in the taskbar notification area:

If you have any open connections on your computer, you may need to terminate those connections before enabling or disabling remote network access.

Enabling Remote Network Access

To enable remote network access to a different protected network, you must first disable remote access to the network to which you are currently connected. You can then enable remote access to a different network.

Depending on how your administrator has configured your remote network access settings, enabling remote network access may cause open local connections to terminate.

If you are having trouble accessing your remote network resources, ensure that remote network access is enabled.

To enable remote network access

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Enable Remote Network.

2. In the Remote Network Access dialog box, in the Select the remote network box, type or select the remote network that you want to enable access to, and then click OK.

[Icon: Aventail Connect disabled]


Disabling Remote Network Access

Before performing certain Aventail Connect tasks, you must first disable remote network access. These tasks are:

• Enabling remote access to a different network

• Changing your local network settings

• Changing Internet proxy settings

Disabling remote network access may prevent you from accessing certain network resources or applications.

Depending on how your administrator has configured your remote network access settings, disabling remote network access may cause open redirected connections to terminate.

To disable remote network access

• Right-click the Aventail Connect icon in the taskbar notification area, and then click Disable Remote Network.

When remote network access is disabled, a red circle with an X in it appears on the Aventail Connect icon in the taskbar notification area:

Authentication

Authentication is the process of verifying your identity. Most VPNs require you to supply authentication credentials before you are granted access to their resources. If you try to connect to resources through a secure server, the Aventail Connect client may prompt you to supply authentication credentials. (For some types of authentication methods, your input is not required.) Credentials can be as simple as your username and password, or as elaborate as a client certificate plus username and password. Your administrator assigns your credentials.

The Aventail Connect client supports three basic methods of authentication: username/password, SSL-based client certificates, and Challenge-Response Authentication Method (CRAM).

When you supply your credentials, the Aventail Connect client saves them in memory. This is known as memory caching. Memory caching stores the credentials for the current session only. When you restart the Aventail Connect client or Windows, the memory cache is flushed. If you reconnect to a network resource that requires authentication, you must reenter your credentials as prompted.


Authenticating with a Username and Password

If the network resource to which you are connecting requires username/password authentication, you are prompted to supply your credentials in a dialog box that looks similar to this:

Depending on how your administrator has configured the Aventail Connect client, you may be able to use your Windows logon credentials to automatically authenticate to Aventail Connect at Windows logon time in future sessions (if your Windows logon credentials are the same as your Aventail Connect credentials). This allows you to enter your logon credentials once instead of twice.

To enter authentication credentials

1. In the Username box, type your username.

2. In the Password box, type your password. (Passwords may be case-sensitive. Make sure the CAPS LOCK and NUM LOCK keys are not enabled.)

3. If the Use Windows Logon Credentials check box is displayed in the authentication dialog box, select it to use your Windows logon credentials to authenticate to Aventail Connect in future sessions, or clear it to display the Aventail Connect authentication dialog box in future sessions.

4. Click OK.

When you click OK, your credentials are sent to the Aventail appliance. If the credentials are valid, you are connected to the network resource.

If your credentials are refused by the appliance, a message appears stating that the connection could not be established. Try the transaction again, retyping your username and password. If problems persist, contact your administrator.

Client Certificates

Some VPNs are configured to authenticate users with digital client certificates. If your VPN requires authentication with client certificates, your administrator will give you instructions about how to request, install, and authenticate with a digital certificate.


What is a Digital Certificate?

Secure Sockets Layer (SSL) authentication uses certificates to identify authorized users. A digital certificate is essentially an electronic statement that verifies the integrity of a connection. Digital certificates are issued by a certificate authority (CA), such as VeriSign.

Authenticating with a Client Certificate

You may have multiple digital certificates to choose from; they can be stored on disk or in a browser, such as Microsoft Internet Explorer.

To authenticate with a client certificate

• If you are prompted to authenticate with a client certificate, select the certificate that your administrator has instructed you to use for that remote network, and then follow the on-screen prompts.

Challenge-Response Authentication

In the Aventail Connect client, the CRAM authentication module is used to support challenge-response authentication systems such as SecurID and other token-based authentication systems. CRAM authentication can also require you to enter your username and password, or other identifying information.

There are several ways to use CRAM authentication. The specific method you use is determined by your administrator. CRAM authentication generally requires you to authenticate at two separate prompts. If prompted with CRAM authentication prompts, follow the on-screen instructions or contact your administrator for more information.

Server Certificates

Some VPN configurations require that you accept a server certificate before you can gain access to a protected network resource. A server certificate is essentially a digital signature that verifies a server’s identity.

If you access a network resource that uses a server certificate, the Aventail Connect client may display the certificate. You must then verify that the server certificate is from a trusted source before accepting it.

Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.

To process a server certificate

1. When you see a trusted certificate display on-screen, verify that the certificate is associated with the correct server.

2. Accept or reject the certificate:

• If you click Reject, your connection is not established.


• If you click Accept, the certificate is accepted as valid. The Aventail Connect client may then display an Enter Username/Password dialog box for you to fill in.

Quitting Aventail Connect

You may occasionally need to quit the Aventail Connect client. However, doing so may limit access to certain network resources or prevent you from using certain applications.

To quit the Aventail Connect client

• In the taskbar notification area, right-click the Aventail Connect icon to display the Aventail system menu, and then click Exit.


Chapter 3 - Configuration

This section introduces you to Aventail Connect configuration files and describes how to configure certain Aventail Connect settings.

It is good practice to check with your administrator before making any changes to the Aventail Connect configuration.

NOTE: Depending on how your network administrator configured your Aventail Connect setup package, some user interface components and options may be disabled or removed.

Configuration Files

Administrators configure most Aventail Connect client settings before deploying the client to you. Configuration files determine how your network traffic is routed. You may occasionally need to select a configuration file or update a configuration file.

Loading a Configuration File

At startup, the Aventail Connect client may prompt you to select a configuration file. You can also manually load a different configuration file at any time.

To load a configuration file

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. Click the General tab and then, under Network Configuration, click Change.

3. In the Select Configuration File dialog box, click the configuration file that you want to load, and then click Open.

4. Click OK or Apply.

The new configuration file loads into the Aventail Connect client.


Updating a Configuration File

Your administrator may periodically ask you to manually update your configuration file. In most cases, you should manually update your configuration file(s) only when your administrator instructs you to do so.

Note that the Update Now button is disabled if the current configuration file does not contain configuration-updating information.

To manually update a configuration

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. Click the General tab and then, under Network Configuration, click Update Now. Click OK or Apply.

Startup Options

You can configure certain Aventail Connect startup options, including those that determine whether the Aventail Connect client runs automatically at startup, whether the Aventail Connect splash screen displays at startup, whether you are prompted at startup to specify a configuration file and your network location, and whether multiple login group support is enabled.

Running Aventail Connect Automatically at Startup

Your administrator may configure the Aventail Connect client to run automatically when you start your computer, or you may be required to start Aventail Connect via the Start menu. If you use Aventail Connect infrequently (for example, only when you are traveling), you might prefer to start Aventail Connect manually.

Note that if you disable the Run Connect automatically at Windows startup option, you may be preventing certain applications from working properly. For example, password expiration notifications will not work, and mapped drives will not be remapped.

To run Aventail Connect automatically at startup

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. Click the General tab and then, under Startup Options, select the Run Connect automatically at Windows startup check box. Click OK or Apply.

Displaying the Aventail Connect Splash Screen at Startup

You can configure Aventail Connect to briefly display the Connect splash screen each time Connect starts, or you can configure the splash screen to not display.

To display the Connect splash screen at startup

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.


2. Click the General tab and then, under Startup Options, select the Display the Connect splash screen check box. Click OK or Apply.

Prompting for Configuration File and Local Network at Startup

You can specify whether Aventail Connect prompts you to specify a configuration file and your local network location at startup. When you enable this feature, the Aventail Connect client prompts you for your configuration file and local network each time you start Aventail Connect.

To prompt for configuration file and local network at startup

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. Click the General tab and then, under Startup Options, select the Prompt for configuration file and local network at startup check box. Click OK or Apply.

Configuring Multiple Login Group Settings

Aventail Connect supports multiple login groups, which enables a user to log in to different login groups or servers.

If you are a member of multiple login groups and you frequently alternate between login groups each time you connect to your remote network, you need to be able to select from the available login groups each time you initiate a connection. You can configure Aventail Connect to prompt you for your login group whenever you connect to the remote network; this allows you to log in to a different login group each time. For example, if you are a member of the “Employees” login group and the “Sales” login group and you log in to both of those login groups regularly, you should enable multiple login group support so the login group prompt is displayed each time you connect to the remote network.

If, however, you always log in to the same login group, you can disable multiple login group support; this prevents the login group prompt from being displayed when you connect to the remote network. When you disable multiple login group support, the first time you connect to the remote network Aventail Connect prompts you to specify a login group; Aventail Connect caches your selection. For subsequent network connections, Aventail Connect will automatically log you in to the cached login group when you connect to the remote network; the login group prompt will not be displayed as long as the login group information is cached.

If multiple login group support is disabled and you need to switch login groups, you can clear your credential cache, which is where your login group settings are stored. After clearing your credential cache, Aventail Connect will prompt you to specify a login group the next time you connect to the remote network.

To enable multiple login group support

1. In the taskbar notification area, right-click the Aventail Connect icon, and then click Options.

2. Click the General tab and then, under Startup Options, select the Enable support for multiple login groups check box. Click OK or Apply.


Internet Proxy Options

Some network resources require traffic to pass through an Internet proxy server. An Internet proxy server provides access from your local network to the Internet. Your administrator determines whether an Internet proxy server is required, but you may also be required to specify your Internet proxy server settings occasionally.

You can manually specify Internet proxy settings or you can have the Aventail Connect client automatically detect them. You can also clear all of your existing Internet proxy settings before specifying or detecting new Internet proxy settings.

Manually Specifying Internet Proxy Server Settings

In most cases, the Aventail Connect client can automatically detect your Internet proxy server settings. For more information, see “Automatically Detecting Internet Proxy Server Settings” on page 18. However, if Aventail Connect cannot automatically detect the settings, you must manually specify your Internet proxy server settings.

Before you can manually specify your Internet proxy server settings, you must get the technical information about the server from your administrator. You must know:

• The server’s name.

• The number of the port on which the server is “listening.”

• The version of the server (HTTP, SOCKS v5, or SOCKS v4).

Before specifying Internet proxy server settings, you must disable remote network access. For more information, see “Disabling Remote Network Access” on page 11.

To specify Internet proxy server settings

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. In the Aventail Connect Options dialog box, click the Internet Proxy tab.

3. In the Server box, type the name of the Internet proxy server.

4. In the Port box, type the port number on which the server is listening.

5. In the Version box, click the proxy server type (HTTP, SOCKS v5, or SOCKS v4), and then click OK.

Automatically Detecting Internet Proxy Server Settings

In most cases, the Aventail Connect client can automatically detect your Internet proxy server settings. However, if Aventail Connect cannot automatically detect the settings, you must manually specify your Internet proxy server settings. For more information, see “Manually Specifying Internet Proxy Server Settings” on page 18.

Before detecting your Internet proxy server settings, you must disable remote network access. For more information, see “Disabling Remote Network Access” on page 11.

To detect Internet proxy server settings

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.


2. In the Aventail Connect Options dialog box, click the Internet Proxy tab.

3. Click Detect.

If the Aventail Connect client successfully detects your Internet proxy server settings, it populates the Server, Port, and Version fields on the Internet Proxy tab.

Locating Internet Proxy Settings with a Configuration Script

Depending on how your administrator has configured your Internet proxy server settings, you may be prompted with the Internet Proxy Server dialog box when you initiate a connection. In this dialog box, you can manually specify your Internet proxy server settings or you can specify a configuration script that contains information about which proxy server the Aventail Connect client should use for Internet access. If you need to use a configuration script, your administrator will tell you what its location is. For more information, see “Internet Proxy Server Dialog Box” on page 32.

Clearing Internet Proxy Server Settings

You can clear your Internet proxy server settings before detecting or specifying new Internet proxy server settings, or if you no longer need to use an Internet proxy server to access the Internet.

Before clearing your Internet proxy server settings, you must disable remote network access. For more information, see “Disabling Remote Network Access” on page 11.

To clear Internet proxy server settings

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. In the Aventail Connect Options dialog box, click the Internet Proxy tab.

3. Click Clear.

Credential Management

Credentials include the information (such as username/password or digital certificate) that you supply when connecting to a network resource that requires user authentication.

This section explains how to delete your credentials and how to manage your digital certificates.

Deleting Your Credentials

As long as your credentials are cached in memory, you can establish connections to network resources without needing to reenter your authentication information.

You might delete authentication credentials when they are no longer valid, or when you want to force a reauthentication for added security or testing purposes. After you delete your credentials, you are prompted to reenter them the next time you establish a connection.


In addition to your authentication credentials, the credential cache also contains any cached login group information. If multiple login group support is disabled and you need to switch login groups, you can clear your credential cache, which is where your login group settings are stored. After clearing your credential cache, Aventail Connect will prompt you to specify a login group the next time you connect to the remote network.

To delete your credentials

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. In the Aventail Connect Options dialog box, click the Network tab.

3. Under Remote Network, click Clear Credentials.

Certificate Management

Your VPN configuration may require you to authenticate with a certificate stored on a disk or in a Web browser, such as Microsoft Internet Explorer. Your administrator may instruct you to import or export a digital client certificate as part of the VPN enrollment process. This section explains how to import and export digital client certificates.

Exporting a Client Certificate

Your administrator may instruct you to export a digital certificate as part of the Aventail enrollment process. This section explains how to export digital certificates to a disk with Microsoft Internet Explorer 5.x, and Netscape Navigator 4.x and 6.x. To export certificates with other Web browsers, refer to your browser’s documentation or online Help.

To export a client certificate with Internet Explorer 5.x

1. On the Internet Explorer Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Content tab, and then click Certificates.

3. In the Certificate Manager dialog box, select the certificate that you want to export, and then click Export. For Aventail.Net certificates, the Issued By column contains Aventail.Net CA.

4. In the Welcome... dialog box of the Certificate Manager Export Wizard, click Next.

5. In the Export Private Key with Certificate dialog box, click Yes, export the private key, and select the Mark this key as exportable check box. Click Next.

6. In the Certificate Export File dialog box, click Personal Information Exchange - PKCS #12 (.PFX), and then select the Include all certificates in the certificate path if possible check box. Click Next.

7. In the Password Protection for the Private Key dialog box, type and then retype a password to protect the exported certificate. Click Next.

8. In the Export File Name dialog box, in the File Name box, type the path of the directory that you want to export the file to, or click Browse to locate it. Click Next.


9. In the Completing the Certificate Manager Export Wizard dialog box, click Finish.

To export a client certificate with Netscape Navigator 4.x

1. On the Netscape Navigator toolbar, click Security.

2. Under Certificates, click Yours.

3. Select the certificate that you want to export, and then click Export.

4. In the Password Entry window, type the password for your Netscape certificate store, and then click OK.

5. In the next Password Entry dialog box, type a new password to protect the exported certificate, and then click OK.

6. In the File Name to Export dialog box, select the directory that you want to export the file to, and then click Save.

To export a client certificate with Netscape Navigator 6.x

1. In the main Netscape Navigator window, click Edit.

2. In the Preferences dialog box, under Category, click to expand Privacy & Security, and then click Certificates.

3. Click Manage Certificates.

4. In the Certificate Manager dialog box, click the Your Certificates tab, and then click Backup.

5. In the File Name to Backup dialog box, select the certificate file that you want to export, and then click Save.

6. In the Choose a Certificate Backup Password dialog box, type and then retype a password to protect the exported certificate. Click OK.

Importing a Client Certificate

Your administrator may instruct you to import a digital client certificate as part of the VPN enrollment process. This section explains how to import client certificates with Microsoft Internet Explorer 5.x, and Netscape Navigator 4.x and 6.x. To import certificates with other Web browsers, refer to your browser’s documentation or online Help.

To import a client certificate with Internet Explorer 5.x

1. On the Internet Explorer Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Content tab, and then click Certificates.

3. In the Certificate Manager dialog box, click Import.

4. In the Welcome... dialog box of the Certificate Manager Import Wizard, click Next.

5. In the Select File to Import dialog box, in the File Name text box, type the path of the digital certificate that you want to import, or click Browse to locate it. Click Next.


6. In the Password Protection for Private Keys dialog box, in the Password text box, type the password that was given during the export process (if one was entered), or assign a new password. Clear the Enable strong private key encryption check box. Select the Mark private key as exportable check box. Click Next.

7. In the Select a Certificate Store dialog box, click Automatically select the certificate store based on the type of certificate, and then click Next.

8. In the Completing the Certificate Manager Import Wizard dialog box, click Finish.

The imported certificate file appears in the list of certificates in the Certificate Manager dialog box.

To import a client certificate in Netscape Navigator 4.x

1. On the Netscape Navigator toolbar, click Security.

2. Under Certificates, click Yours.

3. In the Your Certificate window, click Import a Certificate.

4. In the Setting Up Your Communicator Password window, type and then retype a password to protect the certificate. Click OK.

5. In the File Name to Import dialog box, select the certificate that you want to import, and then click Open.

6. In the Password Entry dialog box, type the password that protects the certificate, and then click OK.

The imported certificate appears in the list of certificates in the Your Certificate window.

To import a client certificate in Netscape Navigator 6.x

1. In the main Netscape Navigator window, click Edit.

2. In the Preferences dialog box, under Category, click to expand Privacy & Security, and then click Certificates.

3. Click Manage Certificates.

4. In the Certificate Manager dialog box, click the Your Certificates tab, and then click Restore.

5. In the File Name to Restore dialog box, select the certificate that you want to import, and then click Open.

6. At the software security device password prompt, type the password that protects your certificate store, and then click OK.

7. At the certificate password prompt, type the password that protects the certificate that you are importing, and then click OK.

The imported certificate appears in the list of certificates in the Your Certificates tab.


Appendix A - Aventail Connect Dialog Boxes

This section introduces you to the dialog boxes that you see when using the Aventail Connect client to connect to your protected network resources. It describes the dialog box components and provides a brief introduction to the tasks that you can perform in each dialog box. For more detailed procedural information, see “Connecting to Your Network Resources” on page 5 and “Configuration” on page 15.

NOTE: In this section, “Optional” indicates a component that may or may not be present in the Aventail Connect user interface, depending on how your network administrator configured your Aventail Connect setup package.

System Menu Commands

Although the Aventail Connect client requires little or no user interaction, its system menu contains commands that allow you to configure the software and perform troubleshooting tasks. To display the system menu, right-click the Aventail Connect icon in the taskbar notification area.

The commands on the system menu are explained below.

| Menu Command | Function |
| --- | --- |
| Help | Opens the Aventail Connect online Help. |
| About | Displays the Aventail Connect About box. |
| Connect Software Update | Checks for a new version of the Aventail Connect software; if a new version is available, Aventail Connect initiates the updating process. This command may be unavailable, depending on how your administrator configured Aventail Connect. |
| Enable Remote Network | Opens the Remote Network Access dialog box, where you can enable remote network access. |
| Disable Remote Network | Disables remote network access. |
| Options | Opens the Aventail Connect Options dialog box. |
| Event Viewer | Opens the Event Viewer window. |
| Exit | Quits the Aventail Connect client. |

Aventail Connect Options Dialog Boxes

The Aventail Connect Options dialog box is used to configure Aventail Connect startup options, change networks, and perform diagnostic tests.

Aventail Connect Options Dialog Box: General Tab

On the General tab of the Aventail Connect Options dialog box, you can change or update your configuration file and configure startup options.

Network Configuration Options

On the General tab of the Aventail Connect Options dialog box, under Network Configuration, you can load or update a configuration file.

| Field | Optional? | Description |
| --- | --- | --- |
| Network Configuration File | x | Displays the configuration file that is currently loaded. |
| Show configuration updating status | x | Displays a status bar during configuration-file updating process. |
| Change | x | Loads a new configuration file. |
| Update Now | x | Updates the current configuration file. (This button is disabled if the current configuration file does not contain configuration-updating information.) |


Startup Options

On the General tab of the Aventail Connect Options dialog box, under Startup Options, you can configure certain startup options, described in the table below.

| Option | Optional? | Description |
| --- | --- | --- |
| Run Connect automatically at Windows startup | x | Specifies whether Aventail Connect starts automatically at Windows startup. When this check box is selected, the Aventail Connect client starts automatically each time you start your computer. When this check box is cleared, you must start the Aventail Connect client manually via the Start menu. NOTE: Enabling this option on the Windows XP Professional and Windows 2000 Professional operating systems also automatically enables Windows domain logon support, which allows you to use your Windows logon credentials to automatically authenticate to Aventail Connect in future sessions (if your Windows logon credentials are the same as your Aventail Connect credentials). This requires you to enter your logon credentials only once at startup instead of twice. |
| Display the Connect splash screen | x | Specifies whether the Aventail Connect splash screen is displayed at startup. When this check box is selected, the Aventail Connect splash screen is briefly displayed during Aventail Connect startup. |
| Prompt for configuration file and local network at startup | x | Specifies whether you are prompted to specify a configuration file and local network at startup. When this check box is selected, the Aventail Connect client prompts you to specify your local network and configuration file each time you start the Aventail Connect client, regardless of whether Detect local network at startup is enabled. |
| Enable support for multiple login groups | x | Specifies whether multiple login groups support is enabled or disabled. When enabled, if you are a member of multiple login groups, Aventail Connect prompts you to specify a login group each time you connect to the remote network; this allows you to log in to a different login group each time. When disabled, if you are a member of multiple login groups, Aventail Connect automatically logs you in to the cached login group when you connect to the remote network; the login group prompt is not displayed. |


Aventail Connect Options Dialog Box: Network Tab

On the Network tab of the Aventail Connect Options dialog box, you can view, detect, or change your local network settings; view your remote network access settings; run the Remote Ping diagnostic tool; and clear your authentication credentials. You can also open the Change Local Network dialog box, which allows you to change your local network.

Local Network Options

On the Network tab of the Aventail Connect Options dialog box, under Local Network Options, you can view, detect, or change your local network settings.

| Field | Optional? | Description |
| --- | --- | --- |
| Local Network | x | Displays your current local network location. Typically, the local network is “Internet.” |
| Automatically detect local network | x | Enables or disables local network detection. When enabled (check box is selected), the Aventail Connect client automatically detects your local network location at startup. When disabled (check box is cleared), you must manually specify your local network at each startup. |
| DNS Domain, Subnet/Mask, DHCP Server, DNS Server, Gateway | x | Displays the local network’s DNS information. This information can be useful for troubleshooting purposes. |
| Detect | x | Detects your local network location. (This button is disabled when remote network access is enabled.) |
| Change | x | Changes your local network location. (This button is disabled when remote network access is enabled.) |

Remote Network Options

On the Network tab of the Aventail Connect Options dialog box, under Remote Network, you can clear your default remote network settings, run the Remote Ping diagnostic tool, and clear your cached remote network credentials.

| Field | Optional? | Description |
| --- | --- | --- |
| Remote Network | x | Displays your current remote network. |
| Remote Network Access | x | Displays your remote network access mode. See table below for more information about remote network access modes. |
| Clear Default Networks | x | Clears your default remote network settings. This will require you to specify a remote network the next time you start Aventail Connect. |
| Remote Ping | x | Runs the ping and traceroute diagnostic utilities. (This button is disabled when remote network access is disabled.) |
| Clear Credentials | x | Clears your remote network authentication credentials from memory. This will require you to re-enter your credentials the next time an application attempts to connect to the remote network. |

The Remote Network Access box displays your remote network access mode, which your administrator has configured for you. You cannot reconfigure this setting.

| Mode | Description |
| --- | --- |
| Standard: Single network with local access | Connections to remote resources are redirected to the remote network; all other connections pass through to the local network. |
| Restricted: Redirect all connections (no local access) | Redirects all network traffic to the remote network. No local network access is allowed. |
| Restricted: Refuse non-directed connections (no local access) | Connections to remote resources are redirected to the remote network; all other connections are refused. |
| Multiple networks with local network access (Connect 4.x mode) | Allows simultaneous connections to multiple networks. Conflicts between destinations are not allowed in this mode. |

Remote Ping Dialog Box

The Aventail Connect Remote Ping tool is a diagnostic utility that is used to test a remote network connection. You may never need to use Remote Ping; however, your administrator may ask you to run a ping or traceroute test if you are having trouble connecting to remote network resources.

Field | Description

Remote Network | Selects the network you are currently logged on to.

Remote Destination | Selects the host on the remote network that you want to test.

Operation | Selects Ping or Traceroute. (Your administrator will tell you which to select.)

Start/Stop | Runs/stops the ping or traceroute utility.

Clear | Clears the Remote Ping results window.

Close | Closes the Remote Ping dialog box.

Aventail Connect Options Dialog Box: Internet Proxy Tab

On the Internet Proxy tab of the Aventail Connect Options dialog box, you can view, clear, or detect your Internet proxy server settings.

The following fields are disabled when remote network access is enabled.

Field | Description

Server | Displays Internet proxy server’s name.

Port | Displays Internet proxy server’s port number.

Version | Displays Internet proxy server’s version.

Clear | Clears Internet proxy server settings.

Detect | Detects Internet proxy server settings.

Aventail Connect Options Dialog Box: Advanced Tab

Your administrator may configure Aventail Connect to require that certain applications be running in order for Aventail Connect to run. Common required applications include personal firewall software and anti-virus software. On the Advanced tab of the Aventail Connect Options dialog box, you can view the settings for and the status of any applications that are required to be running.

Depending on how your administrator configured Aventail Connect, the Advanced tab may not appear.

Personal Firewall Options

Your administrator may require that personal firewall software be running on your computer in order for Aventail Connect to establish a connection to the remote network. Depending on how your administrator configured Aventail Connect, you may be required to start a personal firewall application before connecting to your remote network through Aventail Connect. You may also be required to keep the personal firewall application running for the duration of the remote network connection.

Field | Description

Software | Displays the name of the required personal firewall application.

Vendor | Displays the name of the company that manufactures the personal firewall software (Sygate or Zone Labs).

Status | Displays the status of the personal firewall application. A green icon indicates that the personal firewall application is running. A red icon indicates that the personal firewall is not running. A gray icon indicates that Aventail Connect could not detect the state of the personal firewall application.

Required Application Options

Your administrator may require that a particular software application be running on your computer in order for Aventail Connect to establish a connection to the remote network. Depending on how your administrator configured Aventail Connect, you may be required to start an application, such as an anti-virus application, before connecting to your remote network through Aventail Connect.

Field | Description

Application | Displays the name of the required application.

Status | Displays the status of the application. A green icon indicates that the application is running. A red icon indicates that the application is not running. A gray icon indicates that Aventail Connect could not detect the state of the application.

Network | Displays the name(s) of the network(s) to which the application requirement applies.

Startup Dialog Boxes

At Aventail Connect startup, or when initiating a connection to a network resource, you are prompted in the Remote Network Access dialog box to supply information about your local network and the remote network to which you want to connect. Under certain circumstances, you may also be prompted to supply information about your Internet proxy server in the Internet Proxy Server dialog box.

Remote Network Access Dialog Box

At startup, the Aventail Connect client may prompt you to specify your local network (the network that you are connecting from) and your remote network (the network that you want to connect to). In most cases, the Remote Network Access dialog box displayed at startup looks like this:

You can manually specify a remote network at any time. You can open the Remote Network Access dialog box by clicking Enable Remote Network on the Aventail Connect system menu. This version of the Remote Network Access dialog box looks like this:

If the Aventail Connect client cannot detect a remote network, the Remote Network Access dialog box displayed at startup looks similar to the version directly above. In this case, you are prompted to specify the DNS name or IP address of the remote network access server. In most cases, you can click Cancel and proceed with your connection request. (That is, in most cases, you do not need to run the Aventail Connect client for this type of connection.)

If your administrator has enabled multiple login group support, and if you are a member of multiple login groups, the Remote Network Access dialog box may look like this:

Field | Optional? | Description

Select the remote network | x | Specifies the network that you are connecting to.

Default to this remote network | x | Enables and disables default remote network. When enabled, Aventail Connect automatically connects you to the specified remote network when you connect from the associated local network. When disabled, you must specify a remote network.

Select your local network | x | Specifies the network that you are connecting from. This field is disabled when the Automatically detect local network check box is selected.

Automatically detect local network | x | Enables and disables automatic local network detection.

Select or enter your login group | x | Specifies the login group or login server that you are connecting to.

Enter the DNS name or IP address of the network access server | x | Specifies the network access server’s DNS name or IP address. (Displayed if Aventail Connect cannot detect any possible remote networks.)

Options | x | Displays the Aventail Connect Options dialog box. This button is unavailable when Windows domain logon support is enabled and you are logging on to the operating system.

Internet Proxy Server Dialog Box

If the Aventail Connect client is unable to automatically detect your Internet proxy server settings, you are prompted with the Internet Proxy Server dialog box.

In the Internet Proxy Server dialog box, you can manually specify your Internet proxy server settings or you can specify a configuration script that contains information about the proxy server that the Aventail Connect client should use for Internet access. If you need to use a configuration script, your administrator will tell you where it is located.

Field | Description

Server | Name of proxy server you want to connect to.

Port | Port number of proxy server.

Version | Version (HTTP, SOCKS v4, or SOCKS v5) of proxy server.

Use the following configuration script to locate the Internet proxy server | Path of configuration script that contains the proxy server information.

Network Configuration Dialog Box

At startup, the Aventail Connect client may prompt you to specify your network location in the Network Configuration dialog box. This dialog box appears at startup if you are using an Aventail Connect version 4.x configuration file or if you have configured Aventail Connect to prompt you to specify a configuration file at startup.

Option | Optional? | Description

Select your network configuration file | x | Selects the network configuration file that will allow you to connect to your network resources. (In most cases, you will have just one configuration file.) Configuration files are provided by your administrator.

Select the network location of your computer | x | Selects your local network (the network that you are connecting from).

Automatically detect the network location of your computer | x | When selected (enabled), the Aventail Connect client automatically detects your local network.

Prompt for this information at startup | x | When selected (enabled), the Aventail Connect client prompts you to specify your configuration file and local network at startup.

Software Updating Dialog Boxes

Aventail Connect supports various software-updating options. Aventail Connect can check for newer versions of the Aventail Connect software at regular intervals scheduled by your network administrator, or whenever you click Connect Software Update on the Aventail Connect system menu.

Note that the software-updating feature may be unavailable, depending on how your administrator configured Aventail Connect.

Connect Software Update Dialog Box

The Connect Software Update dialog box appears when you click Connect Software Update in the Aventail Connect system menu, or when you click the Aventail Connect update-notification icon in the taskbar notification area.

Field | Description

Publisher | Displays the name of the company or department that scheduled the update.

Date | Displays the date and time that the update was issued.

Version | Displays the Aventail Connect software release version included in the update.

Priority | Displays the update priority level.

• Normal: Indicates a normal scheduled update.

• Critical: Indicates a critical update that should be installed immediately.

Size | Displays the size of the Aventail Connect setup package.

Update Notes | Displays a message about the software update from your network administrator.

Remind Me Later | Opens the Connect Automatic Updates dialog box, where you can choose when to be reminded to perform the update.

Start Download/Stop Download | Starts and stops the update download process. You must download the software update before you can install it.

Install | Installs the software update. Note that you must download the update before you can install it.

Cancel | Cancels the update download or installation.

Connect Automatic Updates Dialog Box

If you click Remind Me Later in the Connect Software Update dialog box, the Connect Automatic Updates dialog box appears. In this dialog box, you can specify when to be reminded to perform the update.

Field | Description

Please remind me in <x> minutes | Select the length of time that will elapse before Aventail Connect reminds you to download the software update.

Cancel | Closes the Connect Automatic Updates dialog box, and selects the default value of 30 minutes.

OK | Closes the Connect Automatic Updates dialog box, and selects the value that you specified in the Please remind me list.

Event Viewer Window

The Event Viewer is a diagnostic utility for tracing Aventail Connect activity. The Event Viewer, which runs in the background whenever the Aventail Connect client is running, displays connection and diagnostic messages. You can save the message list to a log file that your administrator can use in troubleshooting technical problems. Log files are also useful when running the Aventail Connect client for the first time, to ensure that network traffic is being routed properly.

For information about working with the Event Viewer, see “Aventail Connect Event Viewer” on page 42.

Field | Description

Open | Opens a saved log file.

Save | Saves a log file in binary or text format.

Pause/Run | Pauses/restarts the logging process.

Refresh | Refreshes the Event Viewer window contents.

Clear | Clears the Event Viewer window contents.

Find | Searches for log messages with key words.

Categories | Displays the Logging Categories dialog box, where you can specify the types of events to be logged.

Logging Level | Specifies the level of logging to perform.

Date | Displays the date on which the log message was generated.

Time | Displays the time of day that the log message was generated.

Category | Displays the type of event.

Context | Displays the context of the connection being made.

Event | Describes the event.

Logging Categories Dialog Box

In the Logging Categories dialog box, you can specify the default logging level and the types of events to be logged.

Field | Description

Default Logging Level | Selects the default level of Aventail Connect activity to log.

Category | Displays the available logging categories. A check mark to the left of a category indicates that the category is enabled.

Logging Level | Specifies the level at which each enabled category is being logged.

OK | Saves changes and closes the Logging Categories dialog box.

Cancel | Closes the Logging Categories dialog box without saving changes.

Select All | Enables all logging categories.

Defaults | Applies the default logging-category settings.

Appendix B - Troubleshooting

This section describes how to troubleshoot basic Aventail Connect problems, and describes how to use the Event Viewer and Remote Ping diagnostic utilities.

Frequently Asked Questions

If you are having trouble connecting to your network resources, see if your problem is addressed in the following FAQs. If the problem persists, contact your administrator.

Q: Why can’t I connect to my network resources?

If you are having trouble making a successful connection to your remote network resources, verify that:

• The Aventail Connect client icon appears in the taskbar notification area, indicating that Aventail Connect is running. For more information, see “How to Tell if Aventail Connect is Running” on page 6.

• Remote network access is enabled. (If an X is visible on the Aventail Connect icon in the taskbar notification area, remote network access is disabled.) For more information, see “Remote Network Access” on page 10.

• You have specified the correct local network location. For more information, see “Manually Selecting Your Network Location at Startup” on page 6.

• You have specified the correct remote network. For more information, see “Manually Selecting Your Remote Network at Startup” on page 7.

Q: Why are some user interface components or options disabled or missing?

Depending on how your network administrator configured your Aventail Connect setup package, some user interface components and options may be disabled or removed.

Q: What are the limitations to single sign-on with Windows credentials?

• This feature is supported only on the Windows 2000 Professional and Windows XP Professional operating systems. This feature is not supported on the Windows 98 and Windows XP Home operating systems.

• Aventail Connect supports this feature only when Windows domain logon support is enabled, and only on the initial Windows logon. If you log off, or if you shut down Aventail Connect, the cached credentials are flushed.

• You can authenticate to Aventail Connect with your Windows logon credentials only when using Username/Password authentication and only if your Windows logon credentials are the same as your Aventail Connect credentials.

Q: What are the Windows domain logon support limitations?

• Aventail Connect supports Windows domain logon functionality on the Windows 2000 Professional and Windows XP Professional operating systems. Windows domain logon functionality is not supported on the Windows XP Home Edition, Windows Me, and Windows 98 operating systems.

• To enable Windows domain logon support, no other third-party Graphical Identification and Authentication (GINA) APIs can be installed on your computer.

• When Windows domain logon support is enabled:

    • Aventail Connect does not support Internet Explorer client certificates unless the certificate is already cached.

    • You cannot switch to a different configuration file when running in multiple remote network access mode.

    • Aventail Connect cannot read Internet Explorer proxy settings.

    • The Options button is disabled in the Remote Network Access dialog box displayed at startup.

Q: Why are certain Aventail Connect options grayed out?

Some Aventail Connect options can be configured only when remote network access is disabled. These options are:

• Specifying your local network location

• Detecting Internet proxy server settings

• Clearing Internet proxy server settings

• Specifying a different remote network

To configure any of these options, first disable remote network access, and then try again. For more information, see “Disabling Remote Network Access” on page 11.

Q: I use iPass as my ISP. Why can’t I browse the corporate network?

The iPassConnect client must be configured to enable Microsoft Networking Support. This configuration is typically performed by your administrator or by iPass technical support.

Q: Why, when the Aventail Connect client automatically detects my local network, does it always detect the same local network, even when I change locations?

For Aventail Connect to automatically detect the correct local network, your computer must be configured with a valid IP address/subnet mask and a valid DNS domain. If your computer is not configured in this way, disable local network detection and manually specify your local network as prompted. For more information, see “Automatically Selecting Your Network Location at Startup” on page 7.

Q: I am using the Aventail Connect client for the first time. Why am I unable to browse the network or map a drive on the network?

During your first use of the Aventail Connect client, you may need to allow Aventail Connect to first establish a correlation between corporate domains and resources on each domain before you can browse the domains from Windows Explorer, or before you can successfully map network drives. To establish this correlation:

1. Establish an Internet connection to your Internet service provider (ISP), and then start the Aventail Connect client.

2. Double-click the Network Neighborhood icon on your desktop, and then manually browse the NT domains listed in Network Neighborhood.

By browsing these NT domains, the Aventail Connect client can “discover” the information about the domains you will be accessing. After you have completed these steps, you can browse the domains in Windows Explorer and map drives.

Q: Why do I see an error message indicating that my password is invalid?

• Passwords may be case-sensitive. Make sure the CAPS LOCK and NUM LOCK keys are not enabled, and then try typing your password again.

• Your credentials may have expired. For more information, contact your administrator.

Q: Can I reset my corporate NT domain password through Aventail?

Yes, if the domain is defined in your Aventail Connect configuration file. Just press CTRL+ALT+DEL, and then follow the prompts.

Q: I have Internet Explorer configured to use a proxy server. When I am outside my company’s network, Aventail Connect successfully detects and uses the proxy settings defined in Internet Explorer. Why, when I try to access a resource within my company’s network from Internet Explorer, does proxy detection fail?

If Internet Explorer is configured to use a proxy server, the only connection request Aventail Connect ever sees is the proxy server’s IP address. Because this proxy server is locally accessible, the Aventail Connect client does not redirect its IP address; the request is incorrectly sent by Internet Explorer out of the proxy server and to the Internet (where the resource does not exist).

To fix this problem, add rules that describe your company’s network (such as *.yourcompany.com) to the Internet Explorer Exceptions list (in Internet Explorer’s LAN Settings dialog box).
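The failure described in this answer, and the effect of the Exceptions list fix, modeled as an added example (not Aventail or Microsoft code). The proxy name, host names, and the wildcard rule format used for the client's redirection check are constructed assumptions; only the `*.yourcompany.com` exception comes from the text above.

```javascript
// Added example: simplified model of a browser proxy Exceptions list and of a
// client that redirects connections based on the destination it can observe.
// All host names and rules are constructed sample values.

// Turn one wildcard pattern such as "*.yourcompany.com" into an anchored,
// case-insensitive RegExp. Only "*" is treated as a wildcard.
function patternToRegExp(pattern) {
  const escaped = pattern
    .trim()
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                 // "*" matches any run of characters
  return new RegExp("^" + escaped + "$", "i");
}

// Parse a semicolon-separated Exceptions string into matchers,
// ignoring empty entries and surrounding whitespace.
function parseExceptions(list) {
  return list
    .split(";")
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map(patternToRegExp);
}

// The endpoint the browser actually opens a connection to for a URL host:
// the host itself if an exception matches, otherwise the proxy server.
function browserEndpoint(host, proxyHost, exceptions) {
  const bypass = exceptions.some((re) => re.test(host));
  return bypass
    ? { via: "direct", endpoint: host }
    : { via: "proxy", endpoint: proxyHost };
}

// Hypothetical redirection check: the client sees only `endpoint`, so it can
// redirect the request to the remote network only when that endpoint matches
// one of its remote-network rules (assumed here to be wildcard patterns).
function traceRequest(host, proxyHost, exceptionList, remoteRules) {
  const hop = browserEndpoint(host, proxyHost, parseExceptions(exceptionList));
  const redirected = remoteRules
    .map(patternToRegExp)
    .some((re) => re.test(hop.endpoint));
  return { host, via: hop.via, endpoint: hop.endpoint, redirected };
}

const PROXY = "proxy.isp.example";           // constructed local proxy name
const REMOTE_RULES = ["*.yourcompany.com"];  // constructed stand-in for client rules
const HOSTS = ["intranet.yourcompany.com", "www.example.org"];

// Compare behaviour with an empty Exceptions list and with the fix applied.
function compare() {
  return {
    before: HOSTS.map((h) => traceRequest(h, PROXY, "", REMOTE_RULES)),
    after: HOSTS.map((h) => traceRequest(h, PROXY, "*.yourcompany.com", REMOTE_RULES)),
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

With the empty list, the internal host is reached "via proxy" and is never redirected; with the exception in place it goes direct and matches the remote-network rule, while ordinary Internet hosts still use the proxy.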

Q: I am being prompted to specify my remote network server’s DNS name or IP address. What should I do?

Unless you are trying to connect to a network resource without a configuration file (see below), click Cancel and proceed with your connection request. For certain types of connections, you do not need to run the Aventail Connect client.

Q: Can I run the Aventail Connect client without a configuration file?

Yes. As long as you are an authorized user, you can connect to a network resource without a configuration file. Default settings are loaded and the Aventail Connect client redirects all network traffic to the Aventail appliance. This allows you to connect to network resources for which you don’t have a configuration file. (Note that you must be authorized to access the network resource for this to work.)

When prompted at startup to specify your remote network in the Remote Network Access dialog box, type the DNS name or IP address of the server in the Enter the DNS name or IP address of the network access server box.

If you used a configuration file prior to trying this feature, it may still show up in the General tab of the Aventail Connect Options dialog box, but settings in that configuration file are ignored.

Aventail Connect Event Viewer

The Aventail Connect logging utility, which traces Aventail Connect activity, runs in the background while Aventail Connect is running. The logging utility generates event logs, such as connection alerts and diagnostic messages, as they occur. The Aventail Connect Event Viewer displays those event logs. You can save the message list to a log file that your administrator can use in troubleshooting technical problems. Log files are also useful when running the Aventail Connect client for the first time, to ensure that network traffic is being routed properly.

Opening the Event Viewer

When the Aventail Connect client is running, the event logger runs in the background. To view the log messages, you must open the Event Viewer window.

To open the Event Viewer

• In the taskbar notification area, right-click the Aventail Connect icon, and then click Event Viewer.

The Event Viewer window appears.

Setting the Logging Level

The Event Viewer supports five levels of log messages. Unless your administrator instructs you to do otherwise, keep the Event Viewer log level set to the default Information level.

Log Level | Event Types Logged

Fatal | Fatal errors only.

Errors | Errors and fatal errors.

Warnings | Errors and warnings.

Information | Errors, warnings, and information.

Debug | Debugging messages. (For debugging purposes only.) Use this level only when your administrator instructs you to do so.

The Event Viewer also supports multiple logging categories, which specify the types of connections to monitor.

To set the logging level

1. In the Logging Level list, click the appropriate log level.

2. On the Event Viewer Events menu, click Categories.

3. In the Logging Categories dialog box, select the check boxes of the connection types that you want to log, and clear the check boxes of the connection types you do not want to log. To log all types of connections, click Select All. Click OK.

The Event Viewer records and displays information at the specified logging level as the Aventail Connect client generates it.

Filtering Log Messages

You can filter the contents of the log window by selecting the types of messages that you want to view. You can exclude or show only certain types of messages.

To filter log messages

1. In the Event Viewer message list, right-click in the column of an existing message that includes the type of category, context, event level, or event type that you want to include or exclude. For example, if you want to exclude all authentication messages, right-click in the Category column of any message that contains “Authentication” in its Category column.

2. Click Show Only... (for category or context) or Exclude... (for event level, category, context, or event).

• To turn off filtering and display all log messages, right-click anywhere in the message list, and then click Show All Events.

Message Element | Filtering Options

Category | Show only, exclude

Context | Show only, exclude

Event level | Exclude

Event type | Exclude

Saving Log Messages

You can save log messages in text (.txt) or binary (.lgf) format. Binary (.lgf) log files must be viewed in the Aventail Connect Event Viewer. Text-based (.txt) log files can be viewed in a text editor, such as Notepad.

To save log messages

1. Select (highlight) the log messages that you want to save. If you want to save all displayed messages, do not select any messages; if no messages are selected, the contents of the Event Viewer are saved in their entirety.

2. On the Event Viewer File menu, click Save.

3. In the Save Connect Log File dialog box, type or select a file name, select the file format (.txt or .lgf), and then click Save.

Copying Log Messages into Other Applications

You can copy Event Viewer log messages to the Windows Clipboard and then paste them into another application, such as an e-mail application or a text editor.

To copy selected log messages

• In the Event Viewer window, select (highlight) the log messages that you want to copy, and then click Copy on the Event Viewer Edit menu.

Printing Log Messages

You can print selected log messages, or you can print the Event Viewer window contents in their entirety.

To print log messages

1. Select (highlight) the log messages that you want to print. If you want to print all displayed messages, do not select any messages; if no messages are selected, the contents of the Event Viewer are printed in their entirety.

2. On the Event Viewer File menu, click Print.

Finding a Specific Log Message

You can find specific log messages or specific types of messages by performing a key word search.

To find a specific log message

1. On the Event Viewer Events menu, click Find.

2. In the Find dialog box, type one or more key words, and then click Find Next.

Clearing the Event Viewer Window

Because old log messages are automatically deleted as new ones are generated, you may never need to manually clear the Event Viewer window.

To clear the Event Viewer window

• On the Event Viewer Events menu, click Clear.

Closing the Event Viewer

Closing the Event Viewer window does not prevent the event logging utility from generating log messages. Even when the Event Viewer window is closed, the event logging utility is always running in the background whenever Aventail Connect is running.

To close the Event Viewer window

• On the Event Viewer File menu, click Exit.

Running the Diagnostic Utilities

The Aventail Connect Remote Ping tool is a diagnostic utility that checks your network connection. You may never need to use Remote Ping; however, your administrator may ask you to run a ping or traceroute test if you are having trouble connecting to your network resources.

The ping utility checks for network connectivity between two hosts and returns information about the quality of the connection. The traceroute utility checks for network connectivity by displaying information about routers between two hosts; it displays information for each hop.

The remote network server that you are testing must have ping support enabled for Remote Ping to work correctly.

To run Remote Ping

1. Right-click the Aventail Connect icon in the taskbar notification area, and then click Options.

2. On the Network tab of the Aventail Connect Options dialog box, click Remote Ping.

3. In the Remote Ping dialog box, select the remote network (the network you are currently logged on to), and then type or select the network destination (the host that you want to ping).

4. Under Operation, click Ping or Traceroute, depending on which utility you want to run, and then click Start.

The Start button becomes a Stop button. When the connection to the host is made, the information returned from the server is displayed in the results window.

To stop the ping or traceroute utility

• Click Stop.

This stops the operation and the Stop button becomes a Start button. The results of the operation remain visible in the Remote Ping dialog box.

Glossary

access control

A means of limiting access based on a user’s identity or credentials. Typically used to control user access to network resources. An access policy is the set of rules that defines the privileges of users on the system. These rules define applications or network resources that users or user groups are allowed to access.

alias

An alternative label or name for an object such as a network, host computer, or network resource. Aliases have significant meaning for the Aventail Web access service; they mask the URLs of the internal network. Because all requests are directed to the Aventail Web access service, the user sees only the incoming URL that contains the alias. The Aventail Web access service matches the alias to a list defined in the AMC, and then translates the URL.

authentication

The practice of validating a user’s identification or credentials in order to allow access to resources. Credentials are typically compared to some type of permissions list. There is a variety of authentication methods that dictate what type of credentials the user must have and when authentication should take place.

authorization

Permission granted to a user to use a system, and the data stored on it. Authorization specifies access rights after a user has authenticated.

Aventail ASAP WorkPlace

A dynamically personalized menu that provides access to Web-based resources on your network. After the user authenticates, the ASAP WorkPlace displays a list of Personal Links that provide access to all Web-based resources to which the user has access permissions. ASAP WorkPlace is accessible from any Web browser.

Aventail client/server access service

A server service providing secure, anywhere access to TCP/IP applications on your network, including enterprise client/server applications. The Aventail client/server access service is based on the SOCKS v5 protocol.

Aventail Connect

A configurable 32-bit Windows client that can connect to the Aventail appliance to provide authenticated and encrypted access to network resources. Aventail Connect is installed on the user’s computer.

Aventail OnDemand

A secure, lightweight Java applet that can connect to the Aventail appliance to provide authenticated and encrypted access to network resources. Like most Java applets, it is usually configured to download at runtime and is not permanently installed on the user’s computer. The only requirement for the user is a browser with a supported Java virtual machine.

Aventail Web access service

A server service on the Aventail appliance that provides clientless access to your Web applications and files, making secure access available from any Internet browser.

back-end

In a client/server application or system, the part of the program that runs on the server. (Note: Servers can also have front and back ends).

CA (Certificate Authority): A trusted third-party organization that issues, renews, and revokes certificates. The CA guarantees that the individual granted a unique certificate is, in fact, who that individual claims to be (according to the CA’s individual policies). A root CA typically issues certificates to intermediate CAs, which in turn issue certificates to users. Certificates are validated by following this hierarchy of trust up the certificate chain to the root.

certificate: A digital certificate that serves to verify a server’s or client’s identity and binds it to an RSA key pair that can be used to encrypt and sign digital information. A certificate is signed by a CA that vouches for the identity of the individual.

certificate chain: A sequence of certificates that includes the user's certificate (or “leaf”) at the bottom, certificates for intermediate CAs (if any) in the middle, and the “root” certificate of the primary CA at the top.

cipher: A type of cryptographic algorithm that uses a key to convert plaintext to ciphertext, and vice versa.

client: The client component of a client/server architecture. It is used to send commands to and receive information from the corresponding server component that carries out the requests.

credentials: The specific information validating a user’s permission to access a resource, such as the specific password used to authenticate or the actual information contained in a certificate.

CSR (Certificate Signing Request): An application to a CA to issue a certificate that contains the user’s name and cryptographic keys. The CSR does not contain information that allows the CA to authenticate the user; this is handled separately per the CA's due-diligence policies. The file name for a request usually ends with .req.

DES (Data Encryption Standard): A popular standardized cipher for encrypting data. A common 56-bit key is used to encrypt and decrypt the data. Because 56 bits is inadequate for modern security standards, a common variant is to use DES three times with different keys (Triple DES).

DMZ: The “demilitarized zone” situated between the Internet and a network’s firewall. Typically, the DMZ is used to host resources accessible via the Internet while maintaining security to the private network.

DN (distinguished name): A name made up of a list of attributes and corresponding values that identify a user or group. DNs are used to represent names in certificates, and to look up entries in directory servers. Aventail generally uses the RFC 2253 guidelines when representing DNs.

DNS (domain name system): The Internet utility that translates alphabetic domain names into numeric IP addresses. Each time a domain name is used, a DNS server must translate it. If one DNS server does not know how to translate a given domain name, it asks another server and so on until the domain name is correctly translated.

DNS server: A computer that answers domain name system (DNS) queries. A DNS server maintains a database of host computers and domain names, and their corresponding IP addresses. When presented with the domain name, it returns the matching IP address.

domain: A group of computers and devices on a network that are administered as a unit with common rules and procedures. Within the Internet, domains are defined by the IP address. All devices sharing a common part of the IP address are said to be in the same domain.

downstream Web server: A private server on your internal network that is secured behind the Aventail Web access service. The Aventail Web access service uses aliases to obscure the URLs on downstream servers. Because all requests are directed to the Aventail Web access service, the user sees only the incoming URL that contains the alias. The Aventail Web access service matches the alias to a list defined in AMC, and then translates the URL.

encryption: The use of a cipher to generate the ciphertext, given the plaintext and a key. Encryption protects data from eavesdropping.

Filter-ID: A RADIUS attribute used to indicate a group to which the user belongs. Through its use, authorization rules may then specify group names, rather than usernames, in setting policy.

firewall: A system that can be implemented in software or hardware and prevents unauthorized access to a network. A firewall examines each message that attempts to pass through and obstructs those that do not meet specified criteria. There are several types of firewall techniques, and it is common to use two techniques together. Firewalls are considered the first line of defense in a security-based architecture.

fully qualified: May also be referred to as "full" or "FQDN" (fully qualified domain name). Used to describe the entire name, address, or path of a computer, host, domain, or file. It refers to a listing of all the components of a hierarchical system that lead to the specific file, IP address, host, or domain. A name, address, or path that is not fully qualified may contain an alias or may be a shortened version.

gateway: A combination of hardware and software that connects two networks using different communications protocols. It converts data exchanged between the networks so that each network can read what has been received from the other.

hash: Also referred to as a “hash value.” A number generated by applying a formula to a string of text so that it is unlikely that another string could produce the same number. The hash is always much smaller than the text itself.

host: A computer connected to a TCP/IP network (which includes the Internet) that runs the server programs supplying resources and services to the Internet. Each host has a unique IP address.

host name: The non-numeric name for a specific computer that can be found via the Internet. An example of a host name is private.aventail.com. The host name refers to both the left-most portion of the name (private) and the name in its entirety (private.aventail.com). The remaining two portions are the domain name (aventail) and top-level domain (com).

HTTPS: A commonly used method of securing the HTTP protocol by layering it inside SSL.

IP (Internet Protocol): The basic data transfer protocol used for the Internet. Information such as the address of the sender and the recipient is inserted into an electronic “packet” and then transmitted. For more information, refer to RFC 791.

IP address: A unique ID number that identifies each individual computer on the Internet. Each 32-bit address is represented as four sets of 8-bit numbers, ranging from 0 to 255, separated by periods. A hierarchy from left to right represents a rough organization of the entire Internet, so that some networks can contain other networks. The last number on the right identifies the individual host computer.

key: A piece of information necessary for performing certain cryptographic operations. Keys may be generated randomly, or may be derived from user-friendly representations (such as passwords).

key length: The size of a key, generally measured in bits. When all other things are equal, a longer key length means a more secure but possibly slower algorithm.

key pair: The matching pair of public and private keys used by public-key cryptographic algorithms (for example, RSA). The public and private keys are used for opposing operations (encrypt a message with the public key; decrypt it with the private key).

LAN (local area network): A network that connects workstations, computers, and other devices within a relatively small area (usually a single building). A LAN allows users to access data on other computers and to share devices such as printers. Multiple LANs can be linked together to create a WAN.

LDAP (Lightweight Directory Access Protocol): A simplified version of the X.500 directory access protocol (DAP). For more information, refer to RFC 2251.

MD5: A specific message digest algorithm. MD5 is less secure than SHA-1 but is much faster and is often considered “secure enough.”

multi-homed: A machine that has more than one NIC (network interface card) and is attached to more than one network.

NAS (Network Access Server): A server that provides managed connectivity to a set of resources, such as a terminal server handling dial-in modems. A RADIUS client is generally called a NAS.

NAT (Network Address Translation): An Internet standard that translates internal IP addresses into one external IP address, allowing organizations to present just one IP address to the Internet. NAT hides internal addresses, and also conserves IP addresses by reducing the number of addresses an organization needs.

NIC (network interface card): A printed circuit board or card installed in clients and servers in a network that enables the computers to exchange data. Also called a network adapter.

Null: In reference to an authentication method, use of Null authentication means that no authentication is required. It is generally not a good idea to require Null (no) authentication in a production environment.

Personal Links: A dynamically generated list of all Web-based resources to which a user has access permissions. Personal Links are displayed in the Aventail ASAP WorkPlace.

ping: A diagnostic tool used to determine connectivity. To “ping” a remote host means to send ICMP ECHO_REQUEST packets and wait for a response. If there is no response, the remote host is down or unreachable; if there is a response, the time delay for the response can be used to determine the Round Trip Time (RTT) necessary for the exchange of data with that host.

plaintext: The unencrypted, readable text of a message.

ports and port numbers: In reference to TCP/IP and UDP networks, a logical channel or channel endpoint. Port numbers are assigned to application programs, and are used to link incoming data to the correct service. Well-known ports are standard port numbers commonly used for certain types of traffic. For instance, port 80 is typically used for HTTP (Web) traffic, while port 20 is typically assigned to FTP transfer.

private key: One half of a key pair used in public-key cryptographic algorithms, known to its owner and never shared. The public key is the other half of the key pair.

protocol: Rules and procedures used to exchange information between networks in computer systems.

proxy server: A firewall component that manages Internet traffic to and from a LAN, serving as a proxy or intermediary between internal resources and external requests for those resources. Proxy servers hide true network addresses (preventing IP addresses from being spoofed or mapped), and secure and manage all application communication. With a proxy server, there is never a direct connection between an outside user and an internal resource. All traffic to and from internal resources is proxied by the proxy server. The Aventail client/server access service is a SOCKS v5 proxy server service.

public key: One half of a key pair used in public-key cryptographic algorithms, known by anybody and included in the user's certificate. The private key is the other half of the key pair.

public-key encryption: A cryptographic algorithm that uses two different keys for encrypting and decrypting data (as opposed to a conventional cipher, which uses the same key for both). Such systems allow key pairs (with one half made public and one half kept private) to be generated and used for digital signatures and key exchanges. Public key systems can be extremely secure and allow communication without the exchange of keys in advance, which facilitates communication among large numbers of unrelated parties (as over the Internet). The idea was invented by Diffie and Hellman, and the most commonly used public key algorithm is RSA.

RADIUS (Remote Authentication Dial-In User Service): A protocol for communicating with a back-end authentication database. Useful for Username/Password, CHAP, and CRAM authentication mechanisms. The user sends credentials to the Network Access Server, or NAS, which then sends them to a RADIUS server. The RADIUS server performs the checking of the password, and tells the NAS whether to consider the authentication valid. For more information, refer to RFC 2138.

RSA (Rivest-Shamir-Adleman) encryption: The most widely used public-key algorithm today, RSA is named for its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman, who developed it at MIT in 1978. PGP, SSL, and S/MIME are generally used with RSA for key exchanges and digital signatures. RSA was patented in the United States, which limited use, but the patent expired in September of 2000.

SecurID: A two-factor user authentication system developed by RSA Security. The system is based on something you know (a PIN), and something you have (a hardware token). These factors are combined to form a dynamic passcode that the user types in via the authentication mechanism.

server: A networked computer that shares resources with other computers. Servers “serve up” information to clients.

SOCKS v5: A security protocol for handling TCP traffic through a proxy server. SOCKS is the IETF standard for authenticated firewall traversal and can be used with virtually any TCP application. It acts as a proxy mechanism that manages the flow and security of data traffic to and from a LAN, intranet, or extranet. SOCKS uses sockets to represent and track individual connections. There are two main versions of SOCKS: SOCKS v4 and SOCKS v5. SOCKS v5 provides an authentication mechanism, while SOCKS v4 does not. For more information, refer to RFC 1928.

SSL (Secure Sockets Layer): An authentication and encryption protocol developed by Netscape Communications to secure application protocols such as HTTP over the Internet. SSL uses a key exchange method (RSA is most common) to establish an environment in which all data exchanged is encrypted with a cipher and hashed to protect it from eavesdropping and alteration. The IETF has generated a successor of SSL, a network standard called Transport Layer Security (TLS). SSL is the most widely deployed security protocol on the Internet today. For more information, refer to RFC 2246.

subnet: A segment of a network. Networks are divided into subnets (or subnetworks) for performance and security reasons. Subnets share a common network address with other parts of the network, even though they may be physically independent. Subnets are distinguished by subnet numbers and are bridged by routers. IP networks are divided using a subnet mask.

subnet mask: The method used to divide IP networks into smaller segments, or subnets. A subnet mask identifies the subnet to which an IP address belongs. Network administrators can divide the host portion of an IP address into two or more subnets. Part of the host address is then reserved to identify the particular subnet.

syslog: The UNIX system log to which logging information can be output.

TCP/IP (Transmission Control Protocol/Internet Protocol): The basic protocol suite of the Internet, of which TCP and IP are the foundation. TCP is the transport layer of the suite and correlates to OSI Layer 4, which regulates traffic. IP is the network layer of the suite and correlates to OSI Layer 3, which handles addressing. (TCP/IP uses four layers, in contrast to the OSI networking model’s seven layers.) TCP ensures the reliable delivery of packets to their intended destinations, while IP ensures that packets are addressed properly. Other protocols in the TCP/IP suite include SNMP (Simple Network Management Protocol), PPP (Point-to-Point Protocol), SMTP (Simple Mail Transfer Protocol), and UDP (User Datagram Protocol). The TCP/IP protocol suite was developed by the Department of Defense for communications between computers. It has become the de facto standard for data transmission over networks, including the Internet. For more information, refer to RFC 793.

token: A small security device used to generate dynamic passwords. Some tokens display a number that frequently changes; the number is a password that is valid for a short period of time. Others include keypads for typing in a challenge, and compute the appropriate response that will allow successful authentication. Tokens are sometimes called “first-generation smart cards.”

trusted roots file: A list of the root certificates an administrator chooses to trust. Every certificate chain ends with a root certificate. There is no “higher” CA to validate the root, so that root must either be trusted or not (if not, the whole chain is untrusted and should be rejected).

UDP (User Datagram Protocol): A means of sending data over the Internet without guaranteed delivery. Also known as a connectionless protocol. UDP is part of the TCP/IP protocol suite and corresponds to Layer 4 in the OSI networking model (the transport layer). UDP converts data messages generated by an application into packets to be sent over an IP network, but does not guarantee that all of the packets will be delivered or will be in the proper order when they reach their destination. Unlike TCP, UDP provides no error-recovery services and is used primarily for the exchange of very small data units (datagrams) that require little message reassembly. For more information, refer to RFC 768.

virtual private network (VPN): A secure channel used to access a private network over a public network (such as the Internet). There are two main types of VPNs: remote access VPNs provide remote employees with secure access to e-mail, file servers, and other network resources, and extranet VPNs provide business partners (such as suppliers or vendors) with secure access to a variety of applications, such as supply chain management (SCM) programs.

wildcard: A special symbol that represents one or more characters. Wildcards can be used to identify files and directories, allowing users to select many files with a single specification. In the Windows operating system, for example, the asterisk is a wildcard that represents any combination of letters, so n* refers to all files that begin with n, and n*.doc refers to all files that start with n and end with .doc.

X.500: A set of standards developed by the ITU (International Telecommunication Union) and ISO (International Organization for Standardization) in the mid-1980s that defines how global directories should be structured. The X.509 system of authentication (based on public and private key pairs) and LDAP evolved from the X.500 effort.

X.509: An ITU recommendation used to define digital certificates. The standard has not been officially approved and thus is implemented in different ways by different companies. Virtually all certificates in use today (SSL, S/MIME) are X.509 certificates.
