`AVENTAIL CONNECT 3.01/2.51 ADMINISTRATOR’S GUIDE
`
`© 1996-1999 Aventail Corporation. All rights reserved.
`808 Howell Street, Second Floor
`Seattle, WA 98101
`USA
`http://www.aventail.com/
`
`Printed in the United States of America.
`
`TRADEMARKS AND COPYRIGHTS
`
Aventail is a registered trademark of Aventail Corporation. AutoSOCKS, Internet
Policy Manager, Aventail VPN, Aventail VPN Client, Aventail ExtraNet Center, and
Aventail ExtraNet Server are trademarks of Aventail Corporation.
Socks5Toolkit is a trademark of NEC Corporation. MD4 Message-Digest Algorithm
and MD5 Message-Digest Algorithm are trademarks of RSA Data Security, Inc.
Microsoft, MS, Windows, Windows 95, Windows 98, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation. RealAudio is a
trademark of RealNetworks. SecurID, SoftID, ACE/Server, and SDTI are either
registered trademarks or trademarks of Security Dynamics Technologies, Inc.
Other product names mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are the sole property of their
respective manufacturers.
`© 1995-1996 NEC Corporation. All rights reserved.
`© 1990-1992 RSA Data Security, Inc. All rights reserved.
`© 1996 Hi/fn Inc., including one or more U.S. patents: 4701745, 5016009, 5126739,
`and 5146221, and other patents pending.
`© 1996-1997 Consensus Development Corporation. All rights reserved.
`
`Aventail Connect 3.01/2.51 Administrator’s Guide • i
`
`
`
`
Table of Contents

Trademarks and Copyrights

INTRODUCTION
  About This Document
  Document Organization
  Document Conventions
  Aventail Technical Support
  About Aventail Corporation

ADMINISTRATOR’S GUIDE
  Getting Started
    Network Security in a Nutshell
    What is Aventail Connect?
    What Does Aventail Connect Do?
    How Does Aventail Connect Work?
    Aventail Connect Platform Requirements
    Interface Features
    Installation Source Media
  Installing Aventail Connect
    Configuration Files
    Customized Configuration and Distribution
    Individual Installation
    Network Installation
    Administrative Setup
    Customizer
  Configuring Aventail Connect
    Define an Extranet (SOCKS) Server
    Define a Destination
    Enter Redirection Rules
    Define Local Name Resolution
    Manage Authentication Modules
    Advanced Tab Options
    Enable Password Protection
    Multiple Firewall Traversal
  The Certificate Wizard
  Example Network Configuration
    Configuration Using Aventail ExtraNet Server

UTILITIES REFERENCE GUIDE
  System Menu Commands
    Close
    Hide Icon
    Help
    About
    Credentials
    Configuration File
  Utilities
    Config Tool
    Logging Tool
    S5 Ping
  Secure Extranet Explorer
    How Extranet Neighborhood Works
    Installing Extranet Neighborhood
    Configuring Extranet Neighborhood
    SEE Properties

TROUBLESHOOTING
  Aventail Connect Installation Problems
  Network Connectivity Problems
  Aventail Connect Configuration Problems
  Application and TCP/IP Stack Interoperability Problems
  Aventail Connect Trace Logging
  Error Messages
  Reporting Aventail Connect Problems

GLOSSARY

INDEX
`
`Introduction
`
Welcome to the Aventail Connect 3.01/2.51 secure Windows client for 16- and
32-bit Windows applications. The client component of the Aventail ExtraNet
Center, Aventail Connect is a secure proxy client based on SOCKS 5, the IETF
standard for authenticated firewall traversal. Aventail Connect delivers enhanced
security and simplifies SOCKS deployment for users and network managers.

Aventail Connect redirects WinSock calls and reroutes them based upon a set of
routing directives (rules) assigned when Aventail Connect is configured. (For
more information about WinSock, TCP/IP, and general network communications,
see “Getting Started.”)

On larger networks, Aventail Connect can address multiple SOCKS 5 servers
based on end destination and type of service. This feature enables network
administrators to effectively monitor and direct network traffic.

Aventail Connect is a proxy client, but when used with SSL it provides the ability
to encrypt inbound or outbound information.

Features of Aventail Connect:
• Aventail Connect supports X.509 client certificates for strong authentication
  with SSL (when encryption is enabled)
• Automated Customizer utility simplifies client configuration, distribution,
  and installation
• SSL compression detects low bandwidth connections and compresses
  encrypted data (when encryption is enabled)
• Secure Extranet Explorer (via Extranet Neighborhood icon on desktop)
  allows users to securely access Windows or SMB hosts over an extranet
  connection (Windows 95, Windows 98, and Windows NT 4.0 only)
• Supports WinSock 2.0 (LSP) applications in Windows 98 and Windows NT 4.0,
  and WinSock 1.1 and WinSock 2.0 applications in Windows 95
• Supports WinSock 1.1 applications in Windows 3.1, Windows for Workgroups
  3.11, and Windows NT 3.51
• MultiProxy feature allows you to use a SOCKS server or an HTTP proxy to
  control outbound access
• Allows the use of port ranges for redirection rules
• Provides integration with SoftID™ and SecurID™ tokens
• Provides automated installation and uninstallation
• Credential cache timeout feature allows administrators to specify when
  credentials expire
• Provides optional password protection for configuration files
• Supports both SOCKS v4 and SOCKS v5 (RFC 1928 and RFC 1929) standards
• Enables network redirection through successive extranet (SOCKS) servers
• Includes a logging utility to troubleshoot problems with network connections
• Includes a Configuration wizard for simplified step-by-step creation of
  configuration files
• Allows internal network connections to pass through without interference
• Supports multiple authentication methods including SOCKS v4 identification,
  username/password, CHAP, CRAM, HTTP Basic (username/password), and SSL 3.0
`
SEE ALSO: For more information on the differences between Aventail Connect 3.01
and Aventail Connect 2.51, see “What Does Aventail Connect Do?” in the
Administrator’s Guide.
`
`NOTE: Not all versions of Aventail Connect have encryption
`enabled.
`
`ABOUT THIS DOCUMENT
`This Administrator’s Guide provides basic information about Aventail Connect. It
`includes entry-level data for non-technical users, plus installation, setup, and
`configuration information for network administrators. This information is also
`available via Aventail Connect Help and the Aventail Web site at
`http://www.aventail.com/content/products/docs/.
`
`DOCUMENT ORGANIZATION
This document is divided into three main sections: Administrator’s Guide,
Utilities Reference Guide, and Troubleshooting.

The Administrator’s Guide describes procedures for setting up, installing, and
configuring Aventail Connect for individual and multiple networked workstations.
It also describes how to create a customized Aventail Connect package for
distribution to multiple users.

The Utilities Reference Guide describes the Aventail Connect system menu
commands and utility programs. It contains detailed information about using the
S5 Ping utility and the Logging Tool, and documents the authentication/encryption
modules and settings.

The document concludes with Troubleshooting and the Glossary.

You can also use the Quick Start Card, a short document designed to help you
install Aventail Connect to an individual workstation, and the Aventail Connect
flowchart, at
http://www.aventail.com/contents/solutions/presentations/quickstart/vpnclient.pdf.
`
`DOCUMENT CONVENTIONS
`
`The following typographic conventions are used in this document. Exceptions
`may be made for online material; for instance, italics may be difficult to read
`online.
`
Convention      Usage
--------------  ------------------------------------------------------------
Courier font    Filenames, extensions, directory names, keynames, and
                pathnames.

                Command-line commands, options, and portions of syntax that
                must be typed exactly as shown.

Bold            Dialog box controls (Edit… buttons), e-mail addresses
                (support@aventail.com), URLs (www.aventail.com), and IP
                addresses (165.121.6.26).

Italic          Placeholders that represent information the user must insert.

SEE ALSO: A reference to additional useful information.

NOTE: Information the user should be aware of to increase understanding and/or
efficiency of the software.

CAUTION: An operational item that the user should be aware of to avoid a network
policy/software conflict, or lapse, which may create a MINOR security flaw.

WARNING: An operational item that the user should be aware of to avoid a network
policy/software conflict, or lapse, which may create a SERIOUS security flaw.
`
`AVENTAIL TECHNICAL SUPPORT
`
Contact Aventail Technical Support if you have questions about installation,
configuration, or general usage of Aventail Connect. Refer to the Aventail
Support Web site, at
http://www.aventail.com/index.phtml/support/online_support.phtml, or the Aventail
Knowledge Base, at http://www.aventail.com/index.phtml?page_id=03110000, for the
latest technical notes and information. Refer to the readme.txt documentation for
additional information not included in the Administrator’s Guide.
`Aventail Technical Support:
`Web site: http://www.aventail.com/index.phtml/support/index.phtml
`E-mail: support@aventail.com
`Phone: 206.215.0078
`Fax: 206.215.1120
`
`ABOUT AVENTAIL CORPORATION
`
Aventail Corporation is the leading vendor of extranet software. Its extranet
solutions allow organizations to secure their networked communications and
manage their employees’ access to the Internet. Building an extranet gives
organizations the ability to dynamically create a private communication or data
channel over the Internet. Aventail’s adherence to open security standards
simplifies extranet deployment, enables interoperability, and leverages
corporations’ existing network investments. Its extranet solutions allow
companies to extend the reach of their corporate extranets to customers,
partners, remote offices, and worldwide employees.
`
`Aventail Corporation
`808 Howell Street, Second Floor
`Seattle, WA 98101
Phone: 206.215.1111
Fax: 206.215.1120
`http://www.aventail.com/
`info@aventail.com
`
`An aventail is a piece of chainmail armor worn around the neck area. In the 14th
`century, knights wore an aventail to protect themselves while in combat. Today,
`Aventail continues the tradition of protection by allowing organizations to
`securely communicate over the Internet.
`
` Administrator’s Guide
`
This section includes procedural and background information on installing
Aventail Connect on both single and networked workstations. It includes:
• "Getting Started," with brief explanations of network security and
  communications
• Definitions of SOCKS and Aventail Connect
• Aventail Connect platform and installation requirements, with an introduction
  to WinSock 2.0 and LSP architecture
• "Installing Aventail Connect," which includes network diagrams of Aventail
  ExtraNet Center and SOCKS v4-based server configurations
• Directions on how to create and edit configuration files, and an introduction
  to the Aventail Customizer

NOTE: Aventail understands the importance of a flexible, easy-to-use
installation process. If you have feedback regarding the Aventail Connect
installation procedures, or if there are additional features you want to see
implemented, please e-mail comments to support@aventail.com. Your input is
appreciated.
`
`GETTING STARTED
`
`If you are new to Aventail Connect technology, the following section will help you
`understand what Aventail Connect is and does, and its relationship to network
`security in general.
`
`NETWORK SECURITY IN A NUTSHELL
`
Escalating security threats are forcing companies to seek ways to safeguard
their corporate networks and the information they exchange. The first response
to these concerns has been the development of security firewalls—software
barriers that control the flow of information. But firewalls are not designed to
handle complex security issues, such as monitoring network usage, providing
private communication over public networks, and enabling remote users to gain
secure access to internal network resources.

Enter SOCKS v5, an Internet Engineering Task Force (IETF)-approved security
protocol targeted at securely traversing corporate firewalls. SOCKS was
originally developed in 1990, and is now maintained by NEC. SOCKS acts as a
circuit-level proxy mechanism that manages the flow and security of data traffic
to and from your local area network (LAN) or extranet. An application whose
traffic is proxied by SOCKS is considered “socksified.” SOCKS is more than a
standard security firewall. Other features:
• Client Authentication: (SOCKS v5 only) Authentication allows network managers
  to provide selected user access to internal and external areas of a network.
• Traffic Encryption: (SOCKS v5 only) Encryption ensures that network traffic is
  private and secure.
• UDP Support: (SOCKS v5 only) User Datagram Protocol (UDP) traffic has
  traditionally been difficult to proxy, with the exception of SOCKS v5.
• Aventail Connect supports X.509 client certificates within SSL: Includes a
  Certificate wizard for generating and processing client certificate requests.
• Cross-Platform Support: Unlike many other security solutions, SOCKS can be
  used on various platforms, such as Windows NT, Windows 95, Windows 98, and
  various forms of UNIX.
`
`NOTE: Not all versions of Aventail Connect include the SSL module for
`encryption.
`
`WHAT IS AVENTAIL CONNECT?
`
Aventail Connect is the client component of the Aventail ExtraNet Center.
Aventail Connect works with the Aventail ExtraNet Server, the SOCKS 5 server
component of the Aventail ExtraNet Center. You can use Aventail Connect as a
simple proxy client for managed outbound access, and for secure inbound access.

Aventail Connect automates the “socksification” of Transmission Control
Protocol/Internet Protocol (TCP/IP) client applications, making it simple for
workstations to take advantage of the SOCKS v5 protocol. When you run Aventail
Connect on your system, it automatically routes appropriate network traffic from
a WinSock application to an extranet (SOCKS) server, or through successive
servers. (WinSock is a Windows component that connects a Windows PC to the
Internet using TCP/IP.) The SOCKS server then sends the traffic to the Internet
or the external network. Network administrators can define a set of rules that
route this traffic.

Aventail Connect is designed to run transparently on each workstation, without
adding overhead to the user’s desktop. In most cases, users will interact with
Aventail Connect only when it prompts them to enter authentication credentials
for a connection to a secure extranet (SOCKS) server. Users may also
occasionally need to start and exit Aventail Connect, although network
administrators often configure it to run automatically at startup. Aventail
Connect does not require administrators to manually establish an encrypted
tunnel; Aventail Connect can establish an encrypted tunnel automatically.

To understand Aventail Connect, you first need to understand a few basics of
TCP/IP communications.
`
`TCP/IP COMMUNICATIONS
`
Windows TCP/IP networking applications (such as telnet, e-mail, Web browsers,
and ftp) use WinSock (Windows Sockets) to gain access to networks or the
Internet. WinSock is the core component of TCP/IP under Windows, and is the
interface that most Windows applications use to communicate to TCP/IP.

WINSOCK CONNECTION TO A REMOTE HOST

Via WinSock, an application goes through the following steps to connect to a
remote host on the Internet or corporate extranet:
1. The application executes a Domain Name System (DNS) lookup to convert the
   hostname into an Internet Protocol (IP) address. If the application already
   knows the IP address, this step is skipped.
2. The application requests a connection to the specified remote host. This
   causes the underlying stack to begin the TCP handshake, when two computers
   initiate communication with each other. When the handshake is complete, the
   application is notified that the connection is established, and data can then
   be transmitted and received.
3. The application sends and receives data.
`
`WHAT DOES AVENTAIL CONNECT DO?
`
Aventail Connect slips in between WinSock and the underlying TCP/IP stack.
(See diagram below.) As an application that sits between WinSock and the TCP/IP
stack, Aventail Connect 3.01 is a Layered Service Provider (LSP). Aventail
Connect can change data (compressing it or encrypting it, for example) before
routing it to the TCP/IP stack for transport over the network. The routing is
determined by the rules described in the configuration file.
`
[Diagram: Aventail Connect (Layered Service Provider) sits between WinSock
(1.1 and 2) and the TCP/IP stack, above the physical network.]
`
`Windows TCP/IP applications and Aventail Connect have no direct contact with
`one another; instead, each of them communicates through WinSock. Multiple
`LSP applications can be installed at the LSP level.
`
`NOTE: Aventail Connect does not alter or replace WinSock or any other
`core TCP/IP components (files) provided by the operating system.
`
When the Aventail Connect LSP receives a connection request, it determines
whether or not the connection needs to be redirected (to an Aventail ExtraNet
Server) and/or encrypted (in SSL). When redirection and encryption are not
necessary, Aventail Connect simply passes the connection request, and any
subsequent transmitted data, to the TCP/IP stack.

The two most popular versions of WinSock are version 1.1 and version 2.
Aventail Connect 3.01, like all LSPs, requires WinSock 2.0; WinSock 1.1 does not
support LSPs. WinSock 2.0 includes backward-compatibility with all WinSock
1.1 applications. Not every platform supports WinSock 2.0 and its LSP structure.
• Windows 98 and Windows NT 4.0 support WinSock 2.0 natively. (Windows NT 4.0
  requires Service Pack 3 or above, available from Microsoft.)
• Windows 95 supports WinSock 1.1. Windows 95 can also support WinSock 2.0, but
  you must install a Microsoft patch to add support for WinSock 2.0.
• Windows 3.1, Windows for Workgroups 3.11, and Windows NT 3.51 do not support
  WinSock 2.0; they support only WinSock 1.1.

For those platforms that do not support WinSock 2.0 and LSP applications,
Aventail includes Aventail Connect 2.51 on the Aventail Connect 3.01/2.51 CD.
Aventail Connect 2.51 was designed for operating systems that support only
WinSock 1.1. For Windows 3.1, Windows for Workgroups 3.11, or Windows NT
3.51 operating systems, setup will install Aventail Connect 2.51. If you are
working on a Windows 95 operating system, setup will detect whether you have
installed the Microsoft Windows 95 WinSock 2.0 Update. If setup detects the
Microsoft update, which upgrades Windows 95 to support WinSock 2.0, setup
will install Aventail Connect 3.01. If setup does not detect the Microsoft
update, it will install Aventail Connect 2.51.

The Aventail Connect 2.51 user interface is identical to that of Aventail Connect
3.01; however, Aventail Connect 3.01 includes MultiProxy (see “Multiple Firewall
Traversal”). Aventail Connect 2.51 does not include MultiProxy.

In the future, more Windows applications may require WinSock 2.0.

During installation, setup determines which version of Aventail Connect to install.
On WinSock 2.0 platforms, Aventail Connect 3.01 is installed. On WinSock 1.1
platforms, Aventail Connect 2.51 is installed. The following table shows how
setup determines which version of Aventail Connect to install.
`
Operating System               WinSock Support            Aventail Connect
                                                          Version Installed
-----------------------------  -------------------------  ---------------------
Windows 98,                    WinSock 2.0                Aventail Connect 3.01
Windows NT 4.0

Windows 95                     With Microsoft patch:      Aventail Connect 3.01
                               WinSock 2.0

                               Without Microsoft patch:   Aventail Connect 2.51
                               WinSock 1.1

Windows 3.1,                   WinSock 1.1                Aventail Connect 2.51
Windows for Workgroups 3.11,
Windows NT 3.51
`
You can create custom packages that include one or both versions of Aventail
Connect (3.01 and 2.51). Setup will determine which version to install on each
workstation. (For more information, see “Customizer.”)

WINDOWS 95 AND WINSOCK

The Microsoft Windows 95 WinSock 2.0 Update upgrades WinSock 1.1 to WinSock 2.0
in Windows 95. This patch (filename w95ws2setup.exe) is available from the
Microsoft Web site, at
http://www.microsoft.com/windows/downloads/contents/Updates/W95Sockets2/default.asp.
Unless you need specific Aventail Connect 3.01 features, Aventail recommends
that you do not upgrade from WinSock 1.1 to WinSock 2.0. If you do not upgrade
to WinSock 2.0, Aventail Connect 2.51 will be installed.

If you do need to install the Microsoft Windows 95 WinSock 2.0 Update, follow
the instructions provided by Microsoft. Reboot your computer after upgrading,
prior to installing Aventail Connect.
`
`HOW DOES AVENTAIL CONNECT WORK?
`
The following three steps are identical to standard WinSock communications
steps described above; however, nested inside them are additional actions and
options introduced by Aventail Connect.

1. The application does a DNS lookup to convert the hostname to an IP address.
   If the application already knows the IP address, this entire step is skipped.
   Otherwise, Aventail Connect does the following:
   • If the hostname matches a local domain string or does not match a
     redirection rule, Aventail Connect passes the name resolution query
     through to the TCP/IP stack on the local workstation. The TCP/IP stack
     performs the lookup as if Aventail Connect were not running.
   • If the destination hostname matches a redirection rule domain name
     (i.e., the host is part of a domain we are proxying traffic to) then
     Aventail Connect creates a false DNS entry (HOSTENT) that it can recognize
     during the connection request. Aventail Connect will forward the hostname
     to the extranet (SOCKS) server in step 2 and the SOCKS server performs the
     hostname resolution.
   • If the DNS proxy option is enabled and the domain cannot be looked up
     directly, Aventail Connect creates a fake DNS entry that it can recognize
     later, and returns this to the calling application. The false entry tells
     Aventail Connect that the DNS lookup must be proxied, and that it must
     send the fully qualified hostname to the SOCKS server with the SOCKS
     connection request.

2. The application requests a connection to the remote host. This causes the
   underlying stack to begin the TCP handshake. When the handshake is complete,
   the application is notified that the connection is established and that
   data may now be transmitted and received. Aventail Connect does the following:
   a. Aventail Connect checks the connection request.
      • If the request contains a false DNS entry (from step 1), it will be
        proxied.
      • If the request contains a routable IP address, and the rules in the
        configuration file say it must be proxied, Aventail Connect will call
        WinSock to begin the TCP handshake with the server designated in the
        configuration file.
      • If the request contains a real IP address and the configuration file
        rule says that it does not need to be proxied, the request will be
        passed to WinSock and processing jumps to step 3 as if Aventail
        Connect were not running.
   b. When the connection is completed, Aventail Connect begins the SOCKS
      negotiation.
      • It sends the list of authentication methods enabled in the
        configuration file.
      • Once the server selects an authentication method, Aventail Connect
        executes the specified authentication processing.
      • It then sends the proxy request to the extranet (SOCKS) server. This
        includes either the IP address provided by the application or the DNS
        entry (hostname) provided in step 1.
   c. When the SOCKS negotiation is completed, Aventail Connect notifies the
      application. From the application’s point of view, the entire SOCKS
      negotiation, including the authentication negotiation, is merely the TCP
      handshaking.

3. The application transmits and receives data.
   If an encryption module is enabled and selected by the SOCKS server,
   Aventail Connect encrypts the data on its way to the server on behalf of the
   application. If data is being returned, Aventail Connect decrypts it so that
   the application sees cleartext data.
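
The rule-matching cases of steps 1 and 2 can be sketched in Python as follows. This is an added example, not Aventail's code: the class and function names, the sample domains and networks, and the 198.18.0.0/24 pool used for false DNS entries are all assumptions, and the DNS proxy option is not modeled. The SOCKS v5 message layouts follow RFC 1928.

```python
import ipaddress
import struct

# Constructed sample policy: names, networks and the placeholder pool are
# assumptions of this sketch, not Aventail Connect's configuration format.
LOCAL_DOMAINS = (".corp.example",)                       # always resolved locally
REDIRECT_DOMAINS = (".partner.example",)                 # resolved by the SOCKS server
REDIRECT_NETS = (ipaddress.ip_network("192.0.2.0/24"),)  # IPs that must be proxied
FAKE_POOL = ipaddress.ip_network("198.18.0.0/24")        # source of false DNS entries

METHOD_NONE, METHOD_USERPASS, METHOD_REJECTED = 0x00, 0x02, 0xFF  # RFC 1928 codes


class Redirector:
    """Client-side decisions from steps 1 and 2a."""

    def __init__(self):
        self.fake_to_host = {}
        self._pool = iter(FAKE_POOL.hosts())

    def resolve(self, hostname):
        """Step 1: return a false address for a proxied name, else None
        (None means the query goes to the local TCP/IP stack unchanged)."""
        name = hostname.lower().rstrip(".")
        if name.endswith(LOCAL_DOMAINS) or not name.endswith(REDIRECT_DOMAINS):
            return None
        for fake, host in self.fake_to_host.items():
            if host == name:
                return fake              # reuse the entry already handed out
        fake = next(self._pool, None)
        if fake is None:
            raise RuntimeError("false-entry pool exhausted")
        self.fake_to_host[str(fake)] = name
        return str(fake)

    def plan_connect(self, ip, port):
        """Step 2a: choose direct or proxied, and what the proxy request carries."""
        if ip in self.fake_to_host:
            return ("proxy", self.fake_to_host[ip], port)   # send the hostname
        addr = ipaddress.ip_address(ip)
        if addr in FAKE_POOL:
            # A false entry this client never issued must not reach the real stack.
            raise LookupError("unknown false DNS entry: " + ip)
        if any(addr in net for net in REDIRECT_NETS):
            return ("proxy", ip, port)                      # send the IP address
        return ("direct", ip, port)


def greeting(methods):
    """Step 2b: VER=5, NMETHODS, METHODS (the methods enabled in the config)."""
    return bytes([0x05, len(methods), *methods])


def parse_method_reply(reply, offered):
    """Accept only a method this client offered; anything else ends the session."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError("malformed method-selection reply")
    if reply[1] == METHOD_REJECTED or reply[1] not in offered:
        raise PermissionError("server did not select an offered method")
    return reply[1]


def connect_request(dest, port):
    """Step 2b: VER=5, CMD=CONNECT, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = bytes([0x01]) + ipaddress.IPv4Address(dest).packed   # ATYP IPv4
    except ipaddress.AddressValueError:
        name = dest.encode("ascii")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname does not fit the one-byte length field")
        addr = bytes([0x03, len(name)]) + name                      # ATYP domain
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)
```

Rejecting a server-selected method that was never offered keeps the client from being steered to an authentication method the administrator did not enable in the configuration file.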
`
`AVENTAIL CONNECT PLATFORM REQUIREMENTS
`
The following table lists the minimum system requirements for each of the
platforms that Aventail Connect supports.

Platform                  Processor             RAM    Extranet (SOCKS) Server
------------------------  --------------------  -----  -------------------------
Windows 98;               x86-based or Pentium  16 MB  Network-accessible SOCKS
Windows NT 4.0 (requires  personal computer            v4 or v5 compliant server
Microsoft Service Pack 3
or above)

Windows 95;               x86-based or Pentium  8 MB   Network-accessible SOCKS
Windows NT 3.51           personal computer            v4 or v5 compliant server

Windows 3.1;              x86-based or Pentium  4 MB   Network-accessible SOCKS
Windows for Workgroups    personal computer            v4 or v5 compliant server
3.11
`
Aventail Connect 3.01 runs on the following operating systems:
• Windows 98
• Windows NT 4.0 (with Service Pack 3 or above, available from Microsoft)
• Windows 95, with the Microsoft WinSock 2.0 update (To install Aventail
  Connect 3.01, you must upgrade Windows 95 with the Microsoft WinSock 2.0
  update prior to Aventail Connect installation and setup. If you do not
  install the Microsoft patch, Aventail Connect 2.51 will be installed. For
  more information, see “What Does Aventail Connect Do?”.)

Aventail Connect 2.51 runs on the following operating systems:
• Windows 3.1
• Windows for Workgroups 3.11
• Windows NT 3.51
• Windows 95, without the Microsoft WinSock 2.0 update (If you do not upgrade
  Windows 95 with the Microsoft WinSock 2.0 update, Aventail Connect 2.51 will
  be installed. For more information, see “What Does Aventail Connect Do?”.)

NOTE: A WinSock-compatible 16- or 32-bit TCP/IP application must be installed
and configured prior to running Aventail Connect. This can be the
Microsoft-provided TCP/IP stack or a third-party TCP/IP stack.
`
`INTERFACE FEATURES
`
`The following table lists the interface features for each platform. Each of these
`features is discussed in greater detail later in the Administrator’s Guide.
`
Platform                 Windows 95, Windows 98,       Windows 3.1, Windows for
                         Windows NT 4.0                Workgroups 3.11,
                                                       Windows NT 3.51
-----------------------  ----------------------------  ----------------------------
Start Aventail Connect   Start\Programs\Aventail       Aventail Connect icon in
                         Connect menu                  Aventail Connect program
                                                       group window

Display System Menu      Right-click Aventail Connect  Click Aventail Connect icon
                         icon in system tray           in Aventail Connect program
                                                       group window

View Program Icon        In system tray                Minimized on desktop

Hide Program Icon        Not available                 Configure during setup

Open Secure Extranet     Double-click Extranet         Not available
Explorer                 Neighborhood icon on desktop
`
`INSTALLATION SOURCE MEDIA
`
`Regardless of platform, Aventail Connect can be delivered on CD or as