Administrator's Guide

- Always show me suspect certificates: Aventail Connect will display suspect certificates each time they are received. The Certificate dialog box will appear for each new connection to the server(s) sending a suspect certificate. (This option allows you to continue the connection despite the fact that the certificate is questionable.) The SSL module authenticates the server's certificate based on the following questions:

  - Is the certificate valid?
  - Did a trusted certificate authority (CA) issue the certificate?
  - Is the name established by the certificate the same as the name of the server for this connection?

  If a certificate does not pass all three tests, it is considered a suspect certificate.

- Show me the same certificate once: Aventail Connect will display a suspect certificate the first time that it is received. If you choose to maintain the connection, the questionable certificate will not be displayed again during the current session.

- Show me the certificate, but reject the connection: Aventail Connect will reject a connection if the certificate is suspect. It will display the certificate to allow you to view it.

4. Click Advanced in the dialog box to show the acceptable cipher (a cryptographic algorithm used to encrypt the data stream) options.

Aventail Connect 3.01/2.51 Administrator's Guide - 49

Petitioner Apple Inc. — Exhibit 1022, p. 150

Allow RC4: Offer the RC4 cipher to the server.

Allow DES: Offer the DES cipher to the server.

Allow NULL Encryption: Do not encrypt using SSL. SSL will be used to authenticate only.

Allow Diffie-Hellman Anonymous: Do not authenticate the server; only do encryption.

Enable Compression: Use SSL compression to improve performance when slower connections are detected.

Trusted Roots: Select a certificate file that specifies trusted certificate chain roots, and specify the maximum allowable certificate-chain length.
NOTE: The trusted root file MUST be placed in the same directory as the Aventail Connect configuration file.
Select the specific file.

Client Certificate: Select a client certificate file.
NOTE: The client certificate MUST be placed in the same directory that Aventail Connect was installed to.
Select the specific file.

During the initial SSL connection, the client and the server negotiate which cipher to use. Checking a particular cipher in the dialog box does not mean that it will be used. Instead, each checked cipher is offered to the server, but the server determines which cipher to use. If the server requires a cipher that is not selected in this dialog box, the authentication will fail.

Any or all of the acceptable cipher options can be selected:

- Allow RC4: Aventail Connect encrypts the information using the RC4 cipher.

- Allow DES: Aventail Connect encrypts the information using the DES cipher.

- Allow NULL Encryption: Aventail Connect allows the server to select no encryption. Message integrity is still assured, but the data will be sent in cleartext.

- Allow Diffie-Hellman Anonymous: Aventail Connect will be able to communicate with the extranet (SOCKS) server without requiring a server certificate. The client and server will not exchange certificates, so there will be no authentication. The encryption will still be negotiated, and the data stream will still be encrypted (unless NULL encryption is chosen by the server).

- Enable Compression: To speed the encryption process and enhance overall performance, Aventail Connect will automatically compress encryption when a narrow bandwidth and/or slow modem are detected.

5. If necessary, add (or delete) a trusted root (*.rot) to (or from) the list of trusted roots by clicking Browse. Only the filename of the roots file loads via the Browse button, and not the pathname.

CAUTION: The trusted root file must be in the same directory as the Aventail Connect configuration file.

If Aventail Connect sends a client certificate to the server during the initial authentication exchange, it sends the certificate identified in the Client Certificate window. To load the client certificate, press Browse and then select the client certificate (*.cer) from the Aventail Connect directory. Only the filename of the certificate file loads via the Browse button, and not the pathname.

CAUTION: The client certificate file must be placed in the Aventail Connect directory.

When Aventail Connect receives a certificate from a server, it looks at the root of the certificate chain and matches it against the Aventail Connect list of trusted roots.

You can specify the maximum number of certificates in a certificate chain. The default maximum length is two certificates. In most instances, Aventail recommends allowing no more than two certificates to form a chain, although you can specify up to ten. The longer the certificate chain, the less secure the chain is.

CAUTION: In most instances, Aventail recommends allowing no more than two certificates in a certificate chain. Allowing more than two certificates can compromise security.

6. After making appropriate selections, click OK.

The dialog box closes and the Config Tool reappears.

ADVANCED TAB OPTIONS

The Advanced tab in the Config Tool contains three advanced options. In the Advanced tab, you can allow SOCKS tunneling through successive extranet (SOCKS) servers, secure selected applications, and set credential cache timeouts.

[Screenshot: Config Tool, Advanced tab, with the Applications to Secure options (Secure all applications; Secure all applications except listed; Secure only applications listed; Modify List) and the Credential Timeouts options (Never time out cached credentials; Time out credentials from time first entered; Time out credentials from time last used).]

ALLOW SOCKS TUNNELING THROUGH SUCCESSIVE EXTRANET SERVERS

Once servers and destinations are defined, you can direct SOCKS traffic through successive extranet (SOCKS) servers.

On the Advanced tab in the Config Tool, select the Enable redirection... box to allow credential information to forward to successive extranet servers.

SECURE SELECTED APPLICATIONS

This option allows you to:

- secure all applications except those listed,
- secure only the applications that are listed,
- or secure all applications, enabling neither exclusion nor inclusion.

NOTE: You can exclude and include only 32-bit applications. You cannot exclude and include 16-bit applications.

You can exclude or include specified applications in the Exclusion/Inclusion List. With the Exclusion/Inclusion List, you can secure all applications except those on the list, or you can secure only those applications on the list. The default setting is to secure (hook) all network applications.

Excluding Applications

You can exclude specific applications through the Exclusion/Inclusion List. When you enable the “Secure all applications except listed” option, Aventail Connect will not proxy any applications that are on the Exclusion/Inclusion List.

To exclude an application

1. Under “Applications to Secure,” select Secure all applications except listed and click Modify List.

The Edit List dialog box appears.

2. Click Add....

The Specify Application dialog box appears.

[Screenshot: Specify Application dialog box]

3. Highlight the application(s) to add to the Exclusion/Inclusion List, and then click Open.

The Specify Application dialog box disappears and the applications are now in the Edit List dialog box.

4. In the Edit List dialog box, select All occurrences or Only this occurrence.

NOTE: You may have more than one path (instance) of a specified filename (e.g., ftp.exe). You can choose to exclude one specified application, with a fully qualified pathname (e.g., C:\windows\Sys32\ftp.exe), or all instances of a specified filename (e.g., all instances of ftp.exe).

- Only this occurrence: Selecting this option excludes only the specified application.

- All occurrences: Selecting this option excludes all applications with the specified filename.

To undo application exclusion

1. Under “Applications to secure,” select Secure all applications except listed, and then click Modify List.

The Edit List dialog box appears.

2. Highlight the application you want to remove from the Exclusion/Inclusion List, and then click Remove.

The application is removed from the Exclusion/Inclusion List.

Including Applications

You can include specific applications through the Exclusion/Inclusion List. When you enable the “Secure only applications listed” option, Aventail Connect will hook only those applications that are on the Exclusion/Inclusion List.

To include an application

1. Under “Applications to secure,” select Secure only applications listed, and then click Modify List.

The Edit List dialog box appears.

2. Click Add.

The Specify Application dialog box appears.

3. Highlight the application(s) to add to the Exclusion/Inclusion List, and then click Open.

The Specify Application dialog box disappears and the applications are now in the Edit List dialog box.

4. In the Edit List dialog box, select All occurrences or Only this occurrence.

NOTE: You may have more than one instance of a specified application (e.g., ftp.exe). You can choose to include one specified application, with a fully qualified pathname (e.g., C:\Windows\Sys32\ftp.exe), or all instances of a specified application (e.g., all instances of ftp.exe).

- Only this occurrence: Selecting this option excludes only the specified application.

- All occurrences: Selecting this option excludes all applications with the specified filename.

To undo application inclusion

1. Under “Applications to secure,” select Secure only applications listed, and then click Modify List.

The Edit List dialog box appears.

2. Highlight the application you want to remove from the Exclusion/Inclusion List, and then click Remove.

The application is removed from the Exclusion/Inclusion List.

Securing all Applications

You can secure all applications, enabling neither exclusion nor inclusion. When you secure all applications, Aventail Connect ignores any applications on the Exclusion/Inclusion List.

To secure all applications

- On the Advanced tab, under “Applications to Secure,” select Secure all applications.

NOTE: Aventail Connect secures all applications by default. Unless you need to exclude or include specific applications, Aventail recommends that you use the default Secure all applications setting.

CAUTION: Microsoft Internet server products (including Microsoft Internet Information Server (IIS) and Microsoft Peer Web Server) include inetinfo.exe, which conflicts with Aventail Connect 3.01. To eliminate this conflict, exclude inetinfo.exe through the Application Exclusion/Inclusion List in the Config Tool.

CREDENTIAL CACHE TIMEOUTS

With the credential cache timeout feature, you can control when credentials expire (time out). If a user has not made a connection to the extranet (SOCKS) server for a certain length of time (determined by the administrator), then the credentials will automatically be deleted from the credential cache. If a credential times out, the user must reauthenticate by entering the proper credentials before regaining access to the extranet. This feature can help to prevent unauthorized users from gaining access to secured areas.

[Screenshot: Config Tool, Advanced tab, showing the Enable redirection through successive SOCKS servers check box, the Applications to Secure options, and the Credential Timeouts options.]

There are three credential cache timeout options.

- Never time out cached credentials: Credentials never time out.

- Time out credentials from time first entered: Credentials time out x minutes after the user first entered the credentials (where “x” is the number of minutes you enter in the Min. box).
- Time out credentials from time last used: Credentials time out x minutes after the user last connected through the extranet server (where “x” is the number of minutes you enter in the Min. box).

CAUTION: If your mail program is configured to check for e-mail at regular intervals, the mail-checking frequency must be longer than the credential cache timeout. For example, if your mail program is configured to check for mail every ten minutes, you should set the credential cache to less than ten minutes.
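
The interaction behind this caution, as an added example that is not part of the guide or of Aventail's code: a small model of the three timeout options driven by a mail program that polls in the background. The class, function and policy names are assumptions of this example, as is treating a credential as expired at exactly x minutes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy labels made up for this example; they mirror the three options
# offered under Credential Timeouts on the Advanced tab.
NEVER = "never"
FROM_FIRST_ENTERED = "first_entered"
FROM_LAST_USED = "last_used"


@dataclass
class CachedCredential:
    entered_at: int  # minute at which the user typed the credential
    last_used: int   # minute of the most recent connection that used it


class CredentialCache:
    """Toy model of one cached credential under a given timeout policy."""

    def __init__(self, policy: str, timeout_min: Optional[int] = None):
        if policy not in (NEVER, FROM_FIRST_ENTERED, FROM_LAST_USED):
            raise ValueError(f"unknown policy: {policy}")
        if policy != NEVER and (timeout_min is None or timeout_min <= 0):
            raise ValueError("this policy needs a positive timeout in minutes")
        self.policy = policy
        self.timeout_min = timeout_min
        self._cred: Optional[CachedCredential] = None

    def is_expired(self, now: int) -> bool:
        cred = self._cred
        if cred is None:
            return True
        if self.policy == NEVER:
            return False
        # The two timed policies differ only in which timestamp starts the clock.
        start = cred.entered_at if self.policy == FROM_FIRST_ENTERED else cred.last_used
        return now - start >= self.timeout_min

    def connect(self, now: int) -> bool:
        """Record a connection at minute `now`; True means the user was prompted."""
        if self.is_expired(now):
            self._cred = CachedCredential(entered_at=now, last_used=now)
            return True
        self._cred.last_used = now  # every connection refreshes "last used"
        return False


def prompts_during(policy: str, timeout_min: Optional[int],
                   poll_every: int, duration: int) -> List[int]:
    """Minutes at which a client that connects every `poll_every` minutes is prompted."""
    cache = CredentialCache(policy, timeout_min)
    return [t for t in range(0, duration + 1, poll_every) if cache.connect(t)]


def first_reauth(policy: str, timeout_min: Optional[int],
                 poll_every: int, horizon: int) -> Optional[int]:
    """First minute after the initial login at which background polling finds the
    credential expired, or None if that never happens within `horizon` minutes."""
    later = [t for t in prompts_during(policy, timeout_min, poll_every, horizon) if t > 0]
    return later[0] if later else None


if __name__ == "__main__":
    # Constructed scenario: a mail program checks for mail every 10 minutes
    # for an 8-hour day while the user is away from the desk.
    for policy, timeout in [(FROM_LAST_USED, 15), (FROM_LAST_USED, 5),
                            (FROM_FIRST_ENTERED, 25), (NEVER, None)]:
        print(policy, timeout, "->", first_reauth(policy, timeout, 10, 480))
```

With "from time last used" and a timeout longer than the polling interval, every mail check refreshes the credential, so it is never deleted while the mail program keeps running.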

ENABLE PASSWORD PROTECTION

You can enable password protection for a configuration file. If you enable password protection, users will not be able to view or modify the configuration file without the assigned password. A password is not required to use the configuration file with Aventail Connect.

To enable password protection

1. From any tab of the Config Tool, select File | Set Password.

[Screenshot: Config Tool]

The Configuration File Password dialog box will appear.

2. Enter the desired password.

3. Reenter the password to confirm, and then click OK.

To disable password protection

1. From any tab of the Config Tool, select File | Set Password.

The Configuration File Password dialog box will appear.

2. Clear the password from both boxes, and then click OK.

NOTE: If you save an existing configuration file using the Save As command, Aventail Connect will prompt you to enter the correct password for the configuration file.

MULTIPLE FIREWALL TRAVERSAL

To gain access to your extranet, users may need to traverse multiple firewalls. In the simplest case, this involves an employee at a partner company gaining access to the Internet via an outbound proxy server at the partner company, and having an authenticated, encrypted, and controlled connection to your internal network via an Aventail ExtraNet Server. This capability is provided in Aventail Connect 3.01 by the Aventail MultiProxy feature. Aventail Connect can open connections through SOCKS servers, through HTTP proxies, or through proxy chaining.

- MultiProxy with SOCKS Server: Uses a SOCKS server to control outbound access.

- MultiProxy with HTTP Proxy: Uses an HTTP proxy to control outbound access.

- Proxy Chaining: Uses two Aventail ExtraNet Servers, where one Aventail ExtraNet Server acts as a client to another Aventail ExtraNet Server.

AVENTAIL MULTIPROXY

The Aventail MultiProxy feature allows Aventail Connect to traverse multiple firewalls by making connections through successive proxy servers. Aventail Connect makes a connection with each proxy server individually. Each proxy server forms a link in a chain that connects Aventail Connect to the final destination.

Any or all of the proxy servers can apply authentication and access control rules. Proxies can be Aventail ExtraNet Servers, other SOCKS 5 servers, SOCKS 4 servers, or HTTP proxies.

Using an HTTP proxy server to control outbound traffic eliminates the need to install a separate SOCKS server. This HTTP proxy can filter outbound connection requests and route those requests to the specified servers. MultiProxy supports RFC 2068 HTTP Basic (username/password) authentication. If your proxy uses HTTP Basic (username/password) authentication, Aventail Connect will store the username and password information in the credential cache, as it does with SOCKS servers.

NOTE: The MultiProxy feature supports the use of HTTP proxies in Aventail Connect 3.01 only. HTTP proxies cannot be used in Aventail Connect 2.51.

The steps for making a connection using MultiProxy are:

1. The client application requests access to the destination server.

2. Aventail Connect establishes a connection with the outbound server (SOCKS server or HTTP proxy). Aventail Connect then sends the access request to the outbound server, specifying the Aventail ExtraNet Server as the destination. The user authenticates with the outbound server, if necessary.

3. Aventail Connect instructs the outbound server to establish a connection with the Aventail ExtraNet Server on the specified port. The user authenticates with the Aventail ExtraNet Server, if necessary.

4. Aventail Connect instructs the Aventail ExtraNet Server to proxy its connection to the final destination.

5. Once the connection between the client and the Aventail ExtraNet Server is established, the outbound server simply relays the data.

The following example illustrates the connections made during a MultiProxy connection through three proxy servers.

[Diagram: MultiProxy connection from the application and Aventail Connect through three proxy servers, showing connections #1 through #4.]

In the following diagram, the Aventail ExtraNet Server acts as both a destination and a server. It is a destination because a proxy server routes traffic to it. It is a server because it routes traffic to the final destination.

[Diagram: outbound proxy server, Aventail ExtraNet Center server, final destination]

CAUTION: If using an HTTP proxy, you must configure your HTTP proxy and firewall to allow HTTPS/SSL connections to port 1080, OR you must run the Aventail ExtraNet Server on port 443 or port 563.
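
The MultiProxy steps above, with an HTTP proxy as the outbound server, written out as the standard protocol messages (HTTP CONNECT with Basic authentication, then SOCKS 5 as defined in RFC 1928). This is an added example, not Aventail code: the host names, credentials and function names are constructed, and the SSL layer and the ExtraNet server's own authentication exchange are left out.

```python
import base64
import ipaddress
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
AUTH_NONE, AUTH_USERPASS, AUTH_REJECTED = 0x00, 0x02, 0xFF

# Ports the guide names as usable without reconfiguring the HTTP proxy.
DEFAULT_CONNECT_PORTS = (443, 563)


def tunnel_port_allowed(port, proxy_connect_ports=DEFAULT_CONNECT_PORTS) -> bool:
    """Would a proxy restricted to these CONNECT ports open a tunnel to `port`?"""
    return port in proxy_connect_ports


def http_connect_request(host, port, username=None, password=None) -> bytes:
    """Step 2: ask the outbound HTTP proxy for a tunnel to the ExtraNet server."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        # HTTP Basic is base64 encoding, not encryption: this header is readable
        # on the path between the client and the outbound proxy.
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def http_tunnel_established(response: bytes) -> bool:
    """True when the proxy answered CONNECT with a 2xx status line."""
    parts = response.split(b"\r\n", 1)[0].split()
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and len(parts[1]) == 3 and parts[1].isdigit() and parts[1][:1] == b"2")


def socks5_greeting(methods=(AUTH_NONE, AUTH_USERPASS)) -> bytes:
    """Step 3: version byte, method count, then the offered method identifiers."""
    return bytes([SOCKS5, len(methods), *methods])


def socks5_selected_method(reply: bytes) -> int:
    """Parse the server's two-byte method selection."""
    if len(reply) != 2 or reply[0] != SOCKS5:
        raise ValueError("malformed SOCKS 5 method-selection reply")
    if reply[1] == AUTH_REJECTED:
        raise PermissionError("server accepted none of the offered methods")
    return reply[1]


def socks5_connect_request(host: str, port: int) -> bytes:
    """Step 4: ask the ExtraNet server to proxy to the final destination."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        name = host.encode("ascii")
        if not 0 < len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def socks5_connect_succeeded(reply: bytes) -> bool:
    """REP (second byte) is 0x00 on success."""
    return len(reply) >= 4 and reply[0] == SOCKS5 and reply[1] == 0x00


def multiproxy_messages(extranet, destination, proxy_user=None, proxy_password=None,
                        proxy_connect_ports=DEFAULT_CONNECT_PORTS):
    """Ordered (hop, bytes) pairs the client sends for a two-hop chain."""
    ext_host, ext_port = extranet
    if not tunnel_port_allowed(ext_port, proxy_connect_ports):
        raise ValueError(f"HTTP proxy does not allow CONNECT to port {ext_port}")
    dst_host, dst_port = destination
    return [
        ("to outbound HTTP proxy",
         http_connect_request(ext_host, ext_port, proxy_user, proxy_password)),
        ("to ExtraNet server, through the tunnel", socks5_greeting()),
        ("to ExtraNet server, through the tunnel",
         socks5_connect_request(dst_host, dst_port)),
    ]


if __name__ == "__main__":
    # Constructed hosts and credentials; the proxy here has been configured
    # to allow CONNECT to port 1080 as the caution requires.
    for hop, msg in multiproxy_messages(("extranet.example", 1080), ("10.1.2.3", 21),
                                        "alice", "s3cret", (443, 563, 1080)):
        print(f"{hop}: {msg!r}")
```

After the last message succeeds, the outbound proxy only relays bytes, which is step 5 in the list above.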

Configuring Aventail MultiProxy

You have two options for configuring MultiProxy. You can configure Aventail Connect 3.01 to redirect all Internet traffic (including extranet traffic) through your outbound proxy, or you can configure Aventail Connect 3.01 to redirect only extranet traffic through your outbound proxy.

To configure Aventail MultiProxy

1. Create a destination (“Final destination”).

2. Create a server (“Extranet server”).

3. To redirect only extranet traffic: Create a destination (“Extranet server”), using the same information from step 2, above.

   -OR-

   To redirect all Internet traffic (including extranet traffic): Create a destination (“Local network,” the network local to Aventail Connect).

   NOTE: If you have multiple domains or subnets, you may need to create multiple destinations.

4. Create a server (“Outbound proxy”). This can be a SOCKS 5, SOCKS 4, or HTTP proxy server.

5. Create a redirection rule (Redirect “Final destination” through “Extranet server”).

6. To redirect only extranet traffic: Create a redirection rule (Redirect “Extranet server” through “Outbound proxy”). Do not redirect “(everything else).”

   -OR-

   To redirect all Internet traffic (including extranet traffic): Create a redirection rule (Do not redirect “Local network”). Redirect “(everything else)” through the outbound proxy. (NOTE: Your outbound proxy must belong to “Local network.”)

[Diagram: the two redirection configurations]

Redirect only the extranet traffic through the outbound proxy. Leave all other traffic alone.

Redirect all Internet traffic through the outbound proxy. Leave only “Local network” traffic alone.

PROXY CHAINING

Proxy chaining is an Aventail ExtraNet Server feature. With proxy chaining, Aventail ExtraNet Servers forward connections for certain destinations to other proxy servers.

The following diagram and table illustrate the differences between MultiProxy and proxy chaining. In many cases, MultiProxy is the preferred method for traversing multiple firewalls. With MultiProxy, each proxy server can provide authentication, access control, and encryption.

[Diagram: PROXY CHAINING: Server1 appears as a user to server2. Shown: Aventail Connect client, server1 (outbound), server2 (Aventail ExtraNet Server), destination server.]

[Diagram: MULTIPROXY: The user authenticates with server2 directly. Shown: Aventail Connect client, server1 (outbound), Aventail ExtraNet Server, destination server. Legend: authenticated and encrypted tunnel. In MultiProxy, an authenticated and encrypted tunnel exists between the client and the Aventail ExtraNet Server.]

Server 1
  MultiProxy: Can be Aventail ExtraNet Server, other SOCKS 5 server, SOCKS 4 server, or HTTP proxy.
  Proxy Chaining: Must be Aventail ExtraNet Server.

Server 2
  MultiProxy: Must be Aventail ExtraNet Server.
  Proxy Chaining: Must be Aventail ExtraNet Server.

Authentication to Server 1
  MultiProxy: User authenticates (if necessary).
  Proxy Chaining: User authenticates.

Authentication to Server 2
  MultiProxy: User authenticates.
  Proxy Chaining: Server 1 authenticates automatically.

Trust model for Server 2
  MultiProxy: Not inherited. Each user must individually authenticate with Server 2.
  Proxy Chaining: Inherited from Server 1. Server 2 trusts everyone who authenticates to Server 1 equally.

Access control rules
  MultiProxy: Can be for specific users.
  Proxy Chaining: Treats everyone who authenticates to Server 1 equally.

Client configuration redirection rules
  [Screenshots of the redirection rules for each method]

Advantages
  MultiProxy:
  - Server 1 can be an Aventail ExtraNet Server, other SOCKS 5 server, SOCKS 4 server, or HTTP proxy.
  - Most secure, because no security policy is inherited from Server 1.
  Proxy Chaining:
  - Client is aware of Server 1 only.
  - User authenticates only once, to Server 1.

Disadvantages
  MultiProxy:
  - User may need to authenticate more than once.
  - Client must be aware of Server 1 and Server 2.
  Proxy Chaining:
  - All users connecting through Server 1 appear as a single user to Server 2.

HTTP PROXIES AND WEB BROWSERS

Extranets often include Web pages that must be viewed with a Web browser. When a Web browser uses an HTTP proxy server, Aventail Connect sees connections being made to the HTTP proxy rather than to the final destination. Therefore, Aventail Connect cannot redirect the connections to the Aventail ExtraNet Server or provide authentication and encryption. For Aventail Connect to function properly, the Web browser cannot use the HTTP proxy to connect with sites protected in the extranet; this is because Aventail Connect must redirect and encrypt connections. The Web browser can still use the HTTP proxy to connect to sites that are not protected in the extranet.

If access to Web pages behind the Aventail ExtraNet Server requires users to connect through a Web browser (e.g., Microsoft Internet Explorer or Netscape Navigator), you must configure the Web browser to not use the HTTP proxy in the Web browser for those sites protected in the extranet.

When users need to access Web pages behind an Aventail ExtraNet Server, you must properly configure the Web browser.

Configuring Aventail Connect and the Web Browser

There are two approaches to configuring Aventail Connect for use with a Web browser.

- Configure the Web browser to not use the HTTP proxy for any traffic. (Aventail Connect redirects all connections through the outbound proxy.)

  -OR-

- Configure the Web browser to not use the HTTP proxy for only those sites that are protected in the secure extranet. (Aventail Connect redirects only extranet connections through the outbound proxy.)

To use either approach, you must first configure Aventail Connect. The Aventail Connect configuration is the same for both approaches, whether you are configuring your browser to not use the HTTP proxy for all traffic or for protected sites only.

To configure Aventail Connect for use with a Web browser

1. In the Servers tab of the Config Tool, add the HTTP proxy as a server.

2. In the Destinations tab of the Config Tool, add the HTTP proxy as a destination.

3. In the Redirection Rules tab of the Config Tool, edit the “(everything else)” rule to redirect all traffic to the HTTP proxy server.

4. In the Redirection Rules tab, select the HTTP proxy and select the Do not redirect option.

CAUTION: Make sure you do not redirect the outbound proxy. Redirecting the outbound server or proxy will instruct the outbound proxy to redirect traffic to itself, causing Aventail Connect to behave unpredictably.

To configure the Web browser to not use the HTTP proxy for all traffic

After you have configured Aventail Connect by following the instructions above, configure the Web browser by using one of the following procedures.

- Microsoft Internet Explorer

  a. On the View menu, click Internet Options.
  b. Click the Connection tab.
  c. Click to clear the Access the Internet using a proxy server check box.

- Netscape Navigator

  a. On the Edit menu, click Preferences.
  b. Under “Category,” click to expand Advanced, and then click Proxies.
  c. Select Direct Connection to the Internet, and then click OK.

To configure the Web browser to not use the HTTP proxy for protected sites only

After you have configured Aventail Connect, configure the Web browser by using one of the following procedures.

- Microsoft Internet Explorer

  a. On the View menu, click Internet Options.
  b. Click the Connection tab.
  c. Under “Proxy Server,” click Advanced.
  d. In the Exceptions box, type the URL of each site that is in the protected extranet.

- Netscape Navigator

  a. On the Edit menu, click Preferences.
  b. Under “Category,” click to expand Advanced, and then click Proxies.
  c. Select Manual Proxy Configuration, and then click View.
  d. In the Exceptions box, type the URL of each site that is in the protected extranet.

CONFIGURING THE HTTP PROXY

To allow SSL connections to destination ports other than 443 (https) and 563 (snews), you may need to configure your HTTP proxy. Typically, if you plan to connect to a SOCKS server on port 1080 using an HTTP proxy, you must change the HTTP proxy configuration.

To avoid changing the HTTP proxy configuration, you must run the destination Aventail ExtraNet Server on port 443 or port 563, and configure Aventail Connect accordingly.

Most HTTP proxies can allow connections to port 1080. The following instructions describe how to configure the Microsoft Proxy Server, Netscape Proxy Server, or Apache Web Server to allow port 1080 connections.

- Microsoft Proxy Server 2.0: Follow the Microsoft instructions at http://support.microsoft.com/support/kb/articles/q184/0/28.asp. You must modify a registry setting with regedt32.exe. (regedit.exe will not work; you must use regedt32.exe.)

- Netscape Proxy Server 3.5: Add the following to your obj.conf file (all ports):

    <Object ppath="connect://*">
    Service fn="connect" method="CONNECT"
    </Object>

  To specify a particular port, add the following to your obj.conf file:

    <Object ppath="connect://*:1080">

- Apache Web Server 1.3.2 (Linux) with Proxy Support: The following two lines must be included in the httpd.conf file:

    ProxyRequests On
    AllowCONNECT <port list>

  (NOTE: This feature is available only on version 1.3.2 and greater.)

THE CERTIFICATE WIZARD

Aventail Connect supports client certificates and provides you with a certificate wizard to help generate and process a certificate. You start the certificate wizard through the Aventail Connect program group (via the Start button or Program Manager).

The Certificate wizard can create certificates for clients and servers. In this case, you are only interested in creating a client certificate. However, whether for client or server, you will need to run this wizard twice: Once to generate a Certificate Signing Request (CSR) to submit to your Certificate Authority (CA); the second time, to process the certificate file. If this is your first time in generating a certificate request, Aventail recommends that you complete the second step immediately after the first.

To generate the client key pair and Certificate Signing Request (CSR)

1. Select the certificate wizard from the Aventail Connect program group.
`
`2. In the Certificate Type dialog box, select the client certificate option, and
`then click Next.
`
`[Screenshot: Certificate Type dialog box]
`
`3. Provide the requested information by following the prompts in the subsequent
`dialog boxes.
`
`4. In the Key Length dialog box, select the size of your key.
`
`NOTE: Not all CAs accept keys larger than 512 bits. It is prudent to know
`which key lengths your CA accepts prior to generating your key
`pair. For testing purposes use 512 bits.
`
`What size/strength of keys would you like to generate?
`
`The key size or length directly impacts the strength of encryption
`used. The larger the key size the stronger the encryption.
`However, stronger encryption requires more processing power.
`
`- 512 bits, low
`- 768 bits, medium
`- 1024 bits, high
`
`5. Once you have generated the random data, continue through the screen
`prompts until the Congratulations! screen, where you will see the name and
`path to the new certificate request.
`
`Congratulations!
`
`The certificate request and keys for v are now ready to be sent to
`your certifying authority for processing. Your certificate authority
`will contact d@b for additional information if needed.
`
`
`
`The certificate request has been saved in:
`
`C:\F'FtU[iFlr5rl'v‘l FILES‘.-5rVENT:t-JLWPNE:L|El~lT'~.Socks5EI1.req
`
`Once you
