Aventail® ST2+ SSL VPN New Features Guide

Summary of New Features and Functionality for the Aventail ST2+ SSL VPN Platform Upgrade Release

November, 2006

©2006 Aventail Corporation. All rights reserved. Aventail, Aventail ASAP, Aventail EX-1500, Aventail EX-1600, Aventail EX-750, Aventail Connect, Aventail Connect Mobile, Aventail WorkPlace Mobile, Aventail Unified Policy, Aventail Smart Access, Aventail Smart Tunneling, Aventail End Point Control, Aventail Advanced EPC, Aventail Advanced Reporting, and Aventail OnDemand, and their respective logos are trademarks, service marks, or registered trademarks of Aventail Corporation. Other product and company names mentioned in this publication are the trademarks of their respective owners.



Contents

Introduction

Summary of New Features

Detect: End Point Control
• Advanced EPC
• Device Watermarks Based on Machine Certificates

Protect: Aventail Unified Policy
• Virtual Keyboard
• Nested Groups – Active Directory/LDAP
• Connect Tunnel Authentication Improvements
• Aventail Advanced Reporting
• User Initiated Password Change
• Static Routes Improvements
• Discard Pending Changes
• Policy Audit Log Improvements

Connect: Aventail Smart Access and Smart Tunneling
• Enhanced Agent Provisioning
• WorkPlace Shortcut Smart Access
• Connect Tunnel Service Edition AMC Download

Figures

Figure 1 Advanced End Point Control attributes
Figure 2 Virtual Keyboard Settings
Figure 3 Active Directory Configuration
Figure 4 Enable user initiated password changes


Introduction

Purpose of this Document: This document provides a summary of the new features and functionality included in the Aventail® ST2+ release (released by Aventail in November 2006). It is intended to provide administrators of current Aventail SSL VPN deployments with a brief overview of the new features in the ST2+ release, as well as a description of how to locate the new functionality within the Aventail® Management Console™ (AMC) interface.

The core focus of the Aventail ST2+ release is continuing the enhancements previously added in the Aventail® ST2 release for remote access control. The ST2+ release adds more ease of control and ease of use to Aventail’s ST2 remote access control platform. The Aventail ST2+ release advances Aventail’s remote access control platform by adding advanced features and functionality in the following three areas:

1) Detect what is running on the end point device. Aventail® End Point Control™ detects the identity and security state of each end device used for access.

The ST2+ release provides Aventail® Advanced EPC™ capabilities for adding granularity to EPC device interrogation.

2) Protect applications with granular access control based on user identity and device integrity. Aventail® Unified Policy™ is the enforcement engine for protecting corporate resources, ensuring that device access is controlled and users only access the applications for which they are authorized.

Aventail ST2+ provides enhanced authentication capabilities, expanding the number of use cases the ST platform supports.

Aventail ST2+ provides Aventail® Advanced Reporting™ capabilities, allowing organizations to track and audit user access and behavior.

3) Connect users easily and securely to applications across all device types. Aventail® Smart Access™ and Smart Tunneling™ is the transport mechanism, making user access to all network resources easy and secure.

Aventail ST2+ focuses on the reliability and usability of agent provisioning as part of the Aventail® WorkPlace™ portal, ensuring users can reliably gain access to any application via the WorkPlace.

[Figure: "Remote Access Control is the Answer." Aventail's SSL-based Remote Access Controller: secure, remote access for all users from all devices, allowing organizations to kick start their NAC initiative today. The diagram shows remote access, extranet access and internal access users connecting through Aventail Remote Access Controllers (Detect, Protect, Connect) to the applications and directories in the corporate data center.]


Summary of New Features

The ST2+ release includes the following new or improved features:

Detect (EPC Device Interrogation)

Advanced EPC:

• New: This simplifies the setup and maintenance of device profiles by providing a pre-defined list of antivirus, personal firewall and anti-spyware solutions (supported for Windows platforms). Administrators can select the specific vendor and product name for each category, and in addition can also specify what product version to verify (e.g. must be version 7, or must be equal to or greater than version 6.x, or must NOT be version 5). Administrators have additional granularity that includes being able to specify a date range for which the product had its signature file updated (e.g. only allow access if the signature file was updated in the last 15 days).

Device Watermarks—Machine Certificates:

• Improved: Enhances the Device Watermarks feature (new in ST2) by allowing machine certificates to be used in addition to user certificates as a Device Watermark.

Protect (Aventail Unified Policy)

Aventail Advanced Reporting:

• New: Provides an Aventail branded report generation solution that addresses the specific reporting need of showing “who accessed what from where and when” (i.e., user Joe accessed e-mail servers via tunnel during the following dates and times). Aventail Advanced Reporting leverages the Sawmill reporting solution but with support only for Aventail log formats.

Virtual Keyboard:

• New: Provides additional protection for untrusted environments by allowing authentication credentials to be entered via a virtual keyboard. Administrators can enable this capability on a per WorkPlace site/realm basis, and make this available as an option at logon or a requirement in order to logon.

Nested Groups:

• New: Allows administrators to specify levels of group nesting for user authentication via AD and LDAP. Administrators can easily browse out to their AD or LDAP directories and now can browse within the nested groups to select groups for inclusion in access control policy.

User-Initiated Password Change:

• Improved: Enhances the current password change functionality by allowing users to change their password at any time when logging into WorkPlace. Previously, users could only change their password when the Aventail appliance notified them of the event that their password was about to change.

Connect Tunnel Authentication Improvements:

• Improved: Provides support for certificate authentication via Connect Tunnel.

Connect Mobile Authentication Improvements:

• Improved: Provides support for both token authentication and certificate authentication via Connect Mobile.

Static Routes Improvements:

• Improved: Allow for easier management of large lists of static routes by adding support for reordering static routes and for importing and exporting static route lists.

Discard Pending Changes:

• New: Allows the AMC administrator to discard pending changes.

Logging Improvements:

• Improved: Policy audit logging has been streamlined to make access policy information easier to read.

Connect (Aventail Smart Access & Smart Tunneling)

Enhanced Agent Provisioning:

• New: This new infrastructure is designed to make the Aventail® Smart Access experience easier to use and more reliable for Windows environments by changing how Aventail installs and provisions agents to users using the WorkPlace portal. By standardizing and streamlining the process for installation of agents (vs. using several different installation mechanisms before for different agents and different browser capabilities), Aventail has made the process of first-time WorkPlace usage on a Windows device faster with better detection of device capabilities for agent support/activation and better troubleshooting in the event of any issues with agent provisioning.

• In addition, administrators can set up provisioning in such a way where users can opt out of provisioning any agents, getting limited Web-application-only access or quarantine access depending on how the administrator has configured access.

Microsoft IE7 Support:

• New: Support for WorkPlace and all WorkPlace agents for Microsoft Internet Explorer version 7.

WorkPlace Shortcut Smart Access:

• New: Ties display of WorkPlace shortcut to the successful provisioning of any required agents. When the user first accesses WorkPlace, shortcuts will be grayed out until agents are successfully activated. Assists in situations where users quickly select a link that requires an agent before the agent has completed activation.

Connect Tunnel Service Edition AMC Download:

• New: Allows administrators to download the Aventail® Connect Tunnel Service Edition™ agent directly from the appliance via the AMC portal, instead of the previous method of having to go to the Assurance portal in order to obtain the service edition tunnel agent.


Detect: End Point Control

Advanced EPC

New in the ST2+ release, Aventail® Advanced EPC™ is a significant enhancement to Aventail® End Point Control™ (EPC™) through the integration of OPSWAT, allowing for much greater granularity and control over anti-virus, anti-spyware, and Personal Firewall solutions.

This simplifies the setup and maintenance of device profiles by providing a pre-defined list of antivirus, personal firewall and anti-spyware solutions. Administrators can select the specific vendor and product name for each category, and in addition can also specify what product version to verify (e.g., must be version 7, or must be equal to or greater than version 6.x, or must NOT be version 5).

This capability is included on the EX-2500, but does require a separate license on the EX-750 and EX-1600/1500. Advanced End Point Control will now be licensed with the Aventail Secure Desktop (ASD) add-on. Existing customers with an ASD license will be allowed this capability at no additional charge.

Currently, support for Advanced EPC is available only on Windows.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal

Connect Mobile

How it Works: Advanced End Point Control

Required steps:

1. Create a new security zone or edit an existing security zone to include mobile devices.

2. Create a mobile device profile.

3. Reference the security zones in access control rules.

4. Reference the security zones within communities.

1. Create a new standard zone or edit an existing security zone to include an AEPC device profile

Note that before any policies enabled by EPC can be created, EPC as a feature must be turned on. To enable EPC, from the main navigation menu, click End Point Control. Click the Disabled link next to End Point Control. The Configure General Appliance Options page appears. Select the Enable End Point Control check box.

To set up security zones for Windows Mobile/PocketPC/PDA devices, click End Point Control on the AMC main navigation menu. This page provides an overview of the security zones. To set up a new security zone for a Windows Mobile/PocketPC/PDA device, click the + New tab, and select the Standard Zone… option. This loads the page that allows administrators to specify the characteristics for a security zone, including selecting the appropriate device profile (which specifies what characteristics are required in order to classify a device into a security zone).

2. Create a device profile that encompasses additional EPC control

To create a new device profile, click the New button in the Device Profile area of the Zone Definition page, or edit a current profile by clicking on the name of a profile. You may also create a new device profile by selecting Device Profiles from the End Point Control page. Figure 1 provides an example of the additional antivirus attributes that are available to select. Within this page, select the antivirus, anti-spyware, and personal firewall attributes that will be required for users in order to be classified against the security zone specified in Step 1 above.

Figure 1 Advanced End Point Control attributes

Note that the available options are much greater with more granular selection: there are more antivirus, anti-spyware, and personal firewall vendor options available with much more selection over software packages and version. In addition, there is more control over signatures where, for example, the requirement is that a signature must be less than 7 days old in order to classify.

3. Reference the Standard Zone in access control rules

This step is the same as in previous releases of the Aventail SSL VPN.

Organizations may have specific applications and resources that they want to make accessible only to devices with a particular security profile. As an example, administrators may want to have a rule that says the CRM application is only accessible from a trusted PC device with a valid antivirus solution running and a valid certificate used as a Device Watermark. If the trusted PC device user had a revoked certificate or had not recently updated their antivirus signature, then access to that application should be denied. To accomplish this, organizations can reference the Standard Zone created in Step 2 above as part of an access control rule.

Standard Zones are associated with access control rules simply by specifying the Standard Zone that applies to each access control rule. Standard Zones are treated like any other object that is defined. Access control rules are defined by specifying the users and groups that will have access, what application/resources they will have access to, and from which security zones they will be permitted access. To set up an access control rule, click Access Control on the AMC main navigation menu, and then click the New button. To restrict access to applications based on the identity and integrity of Windows Mobile devices, reference the Standard Zone created in Steps 1 and 2 in the access control rule.

Note that you may also reference a Deny Zone. This would be useful, for example, in a case where it is required to deny access where an antivirus signature was out of date. Refer to the ST2 New Features Guide for more information on Deny Zones.

4. Reference the security zones within Communities

This step is the same as in previous releases of the Aventail SSL VPN.

The last step is to reference the defined security zones to communities. This determines the ordering that zones are checked against when classifying a device. It is recommended that zones are ordered from most specific, or most trusted, to least specific, or least trusted. When a user authenticates, the device is then interrogated to classify the device to a zone. Each zone is checked in the order it is listed in the community. For the zone classification to be applicable, the user must be a member of the community against which that zone is referenced.

To order security zones in a community, click Realms on the AMC main navigation menu. Either select a predefined community by selecting the '+' button next to each realm and selecting a community that appears, or click the New button to go through the steps to create a new realm and community. On the End Point Control restrictions tab, choose a Standard Zone to display and click the Add button. Security zones can then be ordered using the Move Up and Move Down buttons.
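The effect of zone order on classification, as an added example (not Aventail code): a first-match walk over the zones in community order, using the kinds of Advanced EPC attributes described above (product, minimum version, signature age, certificate). The class and field names, the product name ExampleAV and the sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class Device:
    """Interrogation result for one end point (field names are hypothetical)."""
    av_product: Optional[str]
    av_version: Tuple[int, ...]
    signature_date: Optional[date]
    has_valid_cert: bool


@dataclass
class Zone:
    """A zone together with the device-profile attributes it requires."""
    name: str
    av_product: Optional[str] = None          # None: no antivirus requirement
    min_version: Optional[Tuple[int, ...]] = None   # "equal to or greater than"
    max_signature_age_days: Optional[int] = None
    require_cert: bool = False                # certificate as Device Watermark

    def matches(self, dev: Device, today: date) -> bool:
        if self.require_cert and not dev.has_valid_cert:
            return False
        if self.av_product is None:
            return True
        if dev.av_product != self.av_product:
            return False
        if self.min_version is not None and dev.av_version < self.min_version:
            return False
        if self.max_signature_age_days is not None:
            if dev.signature_date is None:
                return False
            age = (today - dev.signature_date).days
            # A signature dated in the future is treated as a failed check.
            if age < 0 or age > self.max_signature_age_days:
                return False
        return True


def classify(dev, zones, today, default="Default Zone"):
    """Return the first zone, in community order, whose profile matches."""
    for zone in zones:
        if zone.matches(dev, today):
            return zone.name
    return default


# Constructed sample data.
TODAY = date(2006, 11, 24)
TRUSTED = Zone("Trusted PC", "ExampleAV", (6, 0), 7, require_cert=True)
BASIC = Zone("Basic AV", "ExampleAV")

COMPLIANT = Device("ExampleAV", (7, 0), date(2006, 11, 21), True)
STALE = Device("ExampleAV", (7, 0), date(2006, 11, 4), True)
NO_AV = Device(None, (), None, False)

if __name__ == "__main__":
    for label, order in (("specific first", [TRUSTED, BASIC]),
                         ("generic first", [BASIC, TRUSTED])):
        print(label, "->", classify(COMPLIANT, order, TODAY))
```

With the generic zone listed first, the fully compliant device never reaches the trusted zone, which is why the most specific zone belongs at the top of the list.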

Device Watermarks based on machine certificates

New in the ST2+ release is an enhancement to the Device Watermarks support added in ST2. Now, machine certificates can be used in addition to user certificates as a Device Watermark. This allows administrators to require the presence of a valid certificate as part of access control policy. If the device used for access was lost or stolen, revoking the certificate will quickly and easily disqualify the device against the security zones that require a valid certificate. To leverage a device certificate for this purpose, administrators can manage CA certificates as in previous releases, with an additional option to mark CA certificates for Device profiling (End Point Control). Once this step has been completed, each marked certificate is now available for use within Windows Mobile/Pocket PC/PDA device profiles (See Figure 3 below). See the Mobile Device End Point Control feature listed in this guide for more information on referencing a device certificate within a security zone set up for Windows Mobile/PocketPC/PDA devices.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal*

Connect Mobile**

* Works through the WorkPlace portal on mobile devices when the Connect Mobile agent has been installed on the end point device.

** Windows Mobile Pocket PC edition only

Protect: Aventail Unified Policy

Virtual Keyboard

For extra protection against security threats such as keyboard sniffers on kiosk-based computers, the Virtual Keyboard is a feature in which login credentials can be entered on a Virtual Keyboard that appears on screen and is used through the display, bypassing the physical keyboard.

The Virtual Keyboard can be enabled as an option, in which the end user has the option of selecting to use the Virtual Keyboard when logging in to the WorkPlace, or it can be enabled as required, where the end user is presented with the Virtual Keyboard as the only option in which to enter login credentials.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal

Connect Mobile

How it Works: Virtual Keyboard

Required steps:

1. Enable Virtual Keyboard

2. Select whether or not to make the Virtual Keyboard the required means by which to enter login data

1. Enable Virtual Keyboard

The Virtual Keyboard is enabled at the Agent Configuration page. Select Edit next to Client Integrity. Click Enable virtual keyboard.

2. Require Virtual Keyboard

Make use of the Virtual Keyboard required by selecting Require use of keyboard. Requiring data entry via the virtual keyboard will adjust the WorkPlace login page such that data entry will not be allowed directly into the username and password fields, and will only be allowed through the virtual keyboard. In this case, the virtual keyboard will be displayed by default.

Figure 2 Virtual Keyboard Settings

Nested Groups – Active Directory/LDAP

New in the ST2+ release is the ability to leverage the group nesting capabilities of Active Directory.

This feature allows administrators to specify the number of sub-groups to traverse in evaluating group membership. To specify that sub-groups are checked for user membership, select Authentication servers on the main AMC navigation menu, then New to specify a new authentication server or Edit next to a current Active Directory server configuration. Under Nested group lookup, enter the number of sub-groups to include when evaluating group membership of a user. For LDAP servers, check the “Look in static groups for user members” box, and then enter the number of sub-groups to include.

Figure 3 Active Directory Configuration

Connect Tunnel Authentication Improvements

Certificate authentication in Aventail® Connect Tunnel™ provides for a long needed additional

When the tunnel is issued a challenge as part of SSL negotiation, it will now be able to respond with a client certificate. If multiple certificates are available and it is not apparent which should be used, the client will prompt the user to select a certificate from the list of available certificates. When the user selects one, the client responds to the challenge with the selected certificate. If the selected certificate is accepted, then the Connect Tunnel will continue to use that certificate by default as the client certificate. If the certificate fails, the user is presented with an error and the option to select another certificate. If the default certificate is removed from the system, the user will be presented with an error and will again be prompted to select a certificate.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal

Connect Mobile

Aventail Advanced Reporting

Available as an add-on product that runs on a separate host machine, Aventail Advanced Reporting adds powerful and robust reporting capabilities about connection activity to Aventail SSL VPN appliances. This feature delivers up-to-date reporting of who accessed what resources, at what time, from which remote location, and more.

Aventail Advanced Reporting is available for Windows or Linux host platforms and report data can be accessed and viewed from any browser.

A limited 14 day free trial of Aventail Advanced Reporting is available for evaluation. Purchase Aventail Advanced Reporting through your Aventail sales representative or reseller.

To get Aventail Advanced Reporting

1. Log on to Aventail Assurance

2. Navigate to Downloads, and select the Aventail Advanced Reporting link

3. Download the setup program for either Linux or Windows versions.

4. Download the Install Instructions; this will make it much easier to get up and running with Aventail Advanced Reporting.

User Initiated Password Change

New in ST2+ is the ability for users to initiate AD and LDAP password changes from within the WorkPlace. Prior to ST2+, users could only change their password when the Aventail appliance notified them of the event that their password was about to change.

How it Works:

1. First, the administrator must enable this capability

2. User initiates password change

1. Enable user initiated password change

User initiated password change is enabled by selecting Authentication Servers from the main navigation menu. To edit a server configuration to allow user initiated password change, select Edit next to a configuration. Make sure that the connection between the appliance and the Active Directory server is secured by selecting the arrow to the right of Active Directory over SSL, and checking Use SSL to secure Active Directory connection. Finally, select the arrow to the right of Advanced and check Enable user-initiated password change. Click Save to save your changes.

Figure 4 Enable user initiated password changes

2. User initiates password change

When user initiated password change is enabled on the server and a user wishes to change a password, a Change password checkbox will appear at the WorkPlace login page. When this box is checked, the user will be instructed to first log in, and then will be presented with the Change password page. At this page the user will be required to enter their old password, then enter a new password twice to assure correctness. If the new passwords match, clicking Save saves the new user password and takes the user to the WorkPlace. If the passwords do not match, the user is given an error.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal

Connect Mobile

Static Routes Improvements

ST2+ adds support for better ordering of large lists of static routes and adds importing and exporting of lists of static routes.

How it Works:

1. Note sorting of static routes list

2. Export a list of static routes

3. Import a list of static routes


1. Static routes ordering

Static routes are configured at the Network Settings page. Select Edit next to Routing. Note under Static routes that the list of static routes is ordered as follows:

• Primary key: net mask, largest to smallest (descending order)

• Secondary key: IP address, smallest to largest (ascending order)

2. Export a list of static routes

On the Network Settings page under Static routes, select Export to save the list to the default filename routes.csv.

3. Import a list of static routes

On the Network Settings page under Static routes, select Import. Click Browse, and select a comma-separated value file (.csv file) that contains a list of static routes.

The file must contain one entry per line, each containing three fields for IP address, Net mask, and Gateway. Each field must be separated by a comma.

Select Import to import the file. When you have imported your list, all existing static routes information will be overwritten with the new information contained in the .csv file.
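Because an import overwrites every existing static route, it is worth checking the file before uploading it. The following added example (not part of the Aventail product) validates a routes file in the three-field layout described above and sorts it in the documented display order. It assumes dotted-quad net masks and no header row, and it treats host bits set in the destination as an error, which is a strictness choice of this example; the sample rows are constructed.

```python
import csv
import io
import ipaddress


def mask_to_prefix(text):
    """Convert a dotted-quad net mask to a prefix length; reject gaps."""
    mask = int(ipaddress.IPv4Address(text))
    inverted = mask ^ 0xFFFFFFFF
    # A contiguous mask inverts to 0b000...0111...1, so inverted + 1 shares
    # no bits with it. This also rejects host masks such as 0.0.0.255.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous net mask {text!r}")
    return 32 - inverted.bit_length()


def check_row(fields):
    """Validate one entry; return (ip, mask, gateway) or raise ValueError."""
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, found {len(fields)}")
    ip, mask, gateway = fields
    dest = int(ipaddress.IPv4Address(ip))
    prefix = mask_to_prefix(mask)
    ipaddress.IPv4Address(gateway)            # raises on a malformed gateway
    if dest & ((1 << (32 - prefix)) - 1):
        raise ValueError(f"{ip} has host bits set for mask {mask}")
    return ip, mask, gateway


def validate_routes(csv_text):
    """Return (routes, errors); errors is a list of (line number, message)."""
    routes, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        try:
            routes.append(check_row([field.strip() for field in row]))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return routes, errors


def sort_documented_order(routes):
    """Net mask largest to smallest, then IP address smallest to largest."""
    return sorted(
        routes,
        key=lambda r: (-mask_to_prefix(r[1]), int(ipaddress.IPv4Address(r[0]))),
    )


# Constructed sample files.
GOOD_CSV = (
    "10.0.0.0,255.0.0.0,192.168.1.1\n"
    "10.20.30.0,255.255.255.0,192.168.1.254\n"
    "10.20.0.0,255.255.0.0,192.168.1.1\n"
    "10.20.40.0,255.255.255.0,192.168.1.254\n"
)
BAD_CSV = (
    "10.1.2.3,255.255.255.0,192.168.1.1\n"    # host bits set
    "10.2.0.0,255.0.255.0,192.168.1.1\n"      # non-contiguous mask
    "10.3.0.0,255.255.0.0\n"                  # missing gateway field
    "10.4.0.0,255.255.0.0,gw.example\n"       # gateway is not an IP address
)

if __name__ == "__main__":
    routes, errors = validate_routes(GOOD_CSV)
    for route in sort_documented_order(routes):
        print(",".join(route))
    for lineno, message in validate_routes(BAD_CSV)[1]:
        print(f"line {lineno}: {message}")
```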

Discard Pending Changes

The AMC administrator now has the ability to discard all configuration changes that have been made since the last time changes were applied.

When at Apply Changes, select Discard to return to the last used configuration.

Policy Audit Log Improvements

Prior to ST2+, all policy audit log entries were made up of two messages for each matching rule: the first one indicating that a match was found, the second describing the policy action that was taken (permit or deny). Now, when a permit or deny rule is matched, a single message will be logged describing the system information (time, date, etc.), connection details, and the policy action taken. An example log message:

Info 11/24/06 17:11:50.226 Policy 00000003 User '(jsmith)@(local)' connecting from '192.168.11.111:0' matched access rule #1, access to 'server.test3.com:80' is denied.
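A single-line entry is straightforward to parse for review or alerting. The following added example (not Aventail code) parses lines shaped like the message above and lists users who were denied access to several distinct destinations. The regular expression is derived from that one sample line only; the meaning of the 00000003 field is not explained in this guide, the "permitted" wording is an assumption, and every sample line other than the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern derived from the single example message in this guide.
POLICY_LINE = re.compile(
    r"^(?P<level>\S+) (?P<date>\d{2}/\d{2}/\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"Policy (?P<field4>\S+) "               # meaning not stated in the guide
    r"User '\((?P<user>[^)]*)\)@\((?P<realm>[^)]*)\)' "
    r"connecting from '(?P<src>[^']+):(?P<sport>\d+)' "
    r"matched access rule #(?P<rule>\d+), "
    r"access to '(?P<dst>[^']+)' is (?P<action>\w+)\.$"
)


def parse_line(line):
    """Return a dict of fields, or None when the line has another shape."""
    match = POLICY_LINE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    stamp = f"{rec.pop('date')} {rec.pop('time')}"
    rec["when"] = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S.%f")
    rec["rule"] = int(rec["rule"])
    return rec


def denied_destinations(lines, threshold=2):
    """Group denied destinations by (user, realm, source address).

    Returns (flagged, unparsed): flagged holds the entries with at least
    `threshold` distinct denied destinations; unparsed holds lines that did
    not match, so older or unexpected formats are not silently dropped.
    """
    per_user = defaultdict(set)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["action"] == "denied":
            per_user[(rec["user"], rec["realm"], rec["src"])].add(rec["dst"])
    flagged = {key: sorted(dsts) for key, dsts in per_user.items()
               if len(dsts) >= threshold}
    return flagged, unparsed


SAMPLE = [
    # The example message from this guide.
    "Info 11/24/06 17:11:50.226 Policy 00000003 User '(jsmith)@(local)' "
    "connecting from '192.168.11.111:0' matched access rule #1, "
    "access to 'server.test3.com:80' is denied.",
    # Constructed lines follow.
    "Info 11/24/06 17:12:02.101 Policy 00000003 User '(jsmith)@(local)' "
    "connecting from '192.168.11.111:0' matched access rule #1, "
    "access to 'files.example.test:445' is denied.",
    # "permitted" is an assumed wording; the guide shows only the denied form.
    "Info 11/24/06 17:12:40.007 Policy 00000003 User '(adoe)@(local)' "
    "connecting from '192.168.11.112:0' matched access rule #2, "
    "access to 'server.test3.com:80' is permitted.",
    "Info 11/24/06 17:13:00.000 Policy 00000003 unrelated message text",
]

if __name__ == "__main__":
    flagged, unparsed = denied_destinations(SAMPLE)
    for (user, realm, src), dsts in flagged.items():
        print(f"{user}@{realm} from {src} denied: {', '.join(dsts)}")
    print(f"{len(unparsed)} line(s) not parsed")
```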

Connect: Aventail Smart Access and Smart Tunneling

Enhanced Agent Provisioning

Due to major security enhancements in Windows XP Service Pack 2, Internet Explorer 7, and the upcoming Vista, it has become much more difficult to propagate malware to computers by way of the browser. This is good, but it does have an impact on legitimate agent based software that may rely on installation of software from within the browser.

In addition, installation of access agents has become less dependable and harder to troubleshoot and remediate in the context of the “hardened” browsers.

The new provisioning capabilities leverage the built-in installation capabilities of Windows, making installation and uninstallation of access agents more secure and more dependable, and more consistent with current-day Windows applications. Now, installation will require that the user run an installer program that is provisioned by WorkPlace, and will see an installation more consistent with Windows applications. This installation is usually a one time occurrence.


These changes primarily impact those access agents which require logging in to the WorkPlace portal.

Users will have the ability to opt out of and bypass agent installation. In addition, the administrator will have the option of requiring agent installation.

Troubleshooting is another area that has been upgraded. As of this release, when an access agent installation does fail, the installer program can capture and upload a record of the installation process to the Aventail appliance, making troubleshooting information available. Most of the changes to provisioning impact the end user. While there are not many major new features to the administrative part of these capabilities, in the case where a user opts to not move forward with an install, the administrator can deploy an option which will allow the user limited portal access.

How it Works:

1. Require an agent installation for network access

1. Require an agent installation

The new provisioning features are configured within each Community. To require a successful agent installation for access, go to Realms and select the Realm you wish to edit. Select Communities. Under Access Methods for each community, or for the community you wish to change, select Edit. Check “Require agent in order to access network” (at the very bottom of the page), then OK.

Requiring agent installation is disabled by default.

Administrator Note: Be aware that agent installation is required in order for End Point Control to work. Because users can permanently or temporarily opt out of agent installation, you may see an increase in the number of users classified into Quarantine Zones or the Default Zone (if you require end point control interrogation as part of your security policy). If this is the case, you should consider requiring agent installation.

Supported Agents/Platforms: Windows Macintosh Linux Windows Mobile

Connect Tunnel

WorkPlace Portal *

Connect Mobile

*relates to OnDemand agents

WorkPlace Shortcut Smart Access

Prior to ST2+, all WorkPlace shortcuts would show as available, even before the access agents had loaded. This would cause confusion for end users who selected a link: because the agent had not yet loaded, they would not be able to actually access the site specified in the link.

Now, links do not show as available until the access agent has loaded.

Connect Tunnel Service Edition AMC Download

The Connect Tunnel Service Edition is now available to download directly from the appliance. Prior to ST2+, it was necessary to go to the Aventail Assurance portal in order to obtain this agent.

To download the Connect Tunnel Service Edition, select Agent Configuration from the main menu. At the Agent Configuration page, select Download next to Client Installation Packages. Click Windows Service under Connect tunnel service to download the installer.