Aventail EX-1500 Readme - SonicWALL
Aventail README
ASAP Platform version 8.0
Part No. 0850-000010-01
October 19, 2004

This README highlights new features and provides late-breaking information about the Aventail EX-1500 and EX-750 appliances. It also lists known issues that are fixed in this release. This information supplements the printed and online documentation that accompanies the EX-1500 and EX-750. Review the README before installing and configuring the Aventail EX-1500 or EX-750 appliance.

What's New in this Release?

Version 8.0 of the Aventail ASAP platform includes the following new and enhanced features:

• Simplified access policy management: The separate access control lists for Web, client/server, and file system resources have been consolidated into a single Access Control page, resulting in fewer steps required to create, manage, and audit access policies.

• Support for a new Web proxy client access method: The new, standard Web access method for Windows 2000/XP clients running Internet Explorer 5.5 or later eliminates the need for Web content translation and provides enhanced access to enterprise Web applications.

• Enhanced End Point Control capabilities: New End Point Control (EPC) configuration options give administrators greater control over VPN access by defining zones and device profiles. EPC zones classify connection requests based on selected end-user device attributes that define the degree of trustworthiness allowed for client devices. EPC zones can also be associated with access control rules.

• Improved update and rollback functionality: The new System Maintenance page includes options to update the system configuration or roll back to a previous version of the system software. This provides an easier alternative—but not a replacement—to using the command-line tools.

• User monitoring and termination: The new Active Users page displays the current number of active user sessions, and displays a searchable list of sessions that can be sorted by username and realm. This page also includes a new End session option that temporarily terminates all VPN connections for selected users.

• Expanded authentication and user management support: The use of authentication realms has been expanded to include support for selecting which EPC zones and access methods are available to realm members.

• Group affinity checking accommodates network environments where authentication and authorization are handled by different servers. This allows you to configure a secondary authentication server (either LDAP or Microsoft Active Directory) that is queried for group affinity.

• Enhanced OnDemand configuration: The new Configure OnDemand page requires less data entry to configure port-mapped applications. The new network Redirection List shows all network resources that are automatically redirected in Dynamic Mode.

• Enhanced Simple Network Management Protocol (SNMP) configuration: The Configure SNMP page has a new option for enabling support for SNMP traps, and provides the ability to download the new Aventail Management Information Base (MIB) file, which adds ASAP-specific data to already supported MIBs.

©2004 Aventail Corporation. All rights reserved.


http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q167/7/96.asp&NoWebContent=1).
SOLUTION
Refresh the browser window for the session running the Web application.

Microsoft Outlook Web Access with single sign-on and form-based authentication not supported (26048, 25025, 26005)
DESCRIPTION
The appliance does not support Microsoft Outlook Web Access (OWA) with single sign-on and form-based authentication. If OWA is configured for single sign-on in AMC and the back-end server is configured for form-based authentication, attempting to access OWA from ASAP WorkPlace will result in script errors.
SOLUTION
The appliance supports single sign-on for OWA with basic or NTLM authentication forwarding.

With SSO enabled, back-end resources configured with NTLM authentication forwarding are sometimes inaccessible using Mozilla v1.7.2 (26228)
DESCRIPTION
With Single Sign On enabled, timing issues may prevent a Mozilla 1.7.2 user from accessing a back-end Web resource offering NTLM authentication. This occurs if that resource is configured with different credentials than those used to access the appliance, and the user enters his or her credentials before all connections are closed. This problem occurs intermittently.
SOLUTION
Instruct the user to wait a few seconds before entering his or her credentials.

Aliased URLs cannot contain query strings or file names (23913)
DESCRIPTION
When creating an aliased URL to a resource, do not end the URL with either a query string or a file name. When the Aventail Web access service receives an aliased URL ending in a query string or file name, it may not make a proper request to the back-end server because it appends a trailing slash to the URL.
SOLUTION
When creating an aliased URL, make sure that it points to a directory.

In translated Web mode, reloading a page in Mozilla v1.7.2 may cause intermittent JavaScript warnings (26127)
DESCRIPTION
When using translated Web mode and accessing a resource using JavaScript translation (as configured in the Web Application Profile), reloading a page containing JavaScript can sometimes cause Mozilla v1.7.2 to display JavaScript warnings.
SOLUTION
Instruct the user to force a page reload (that is, one that does not read the page from the browser cache) by pressing CTRL+SHIFT+R, which will address the problem.

Disabling HTTP 1.1 setting in Internet Explorer causes browser connections to fail (26286)
DESCRIPTION
If Internet Explorer is configured to disable the Use HTTP 1.1 setting on the Advanced Internet options tab, when a user logs in to a realm that provisions Aventail's standard Web agent, all browser connections will fail when the standard Web agent is activated.
SOLUTION
Ensure that the Use HTTP 1.1 option is enabled in Internet Explorer.


Microsoft OWA 2003 re-prompts for authentication using Firefox browser (26285)
DESCRIPTION
When connecting to Microsoft OWA 2003 using Firefox 1.0 via a Web shortcut in ASAP WorkPlace, users are re-prompted for basic authentication after they enter valid credentials.

Logging out of Microsoft OWA 2003 in Internet Explorer forces user to reauthenticate to the appliance (23922)
DESCRIPTION
Using Internet Explorer to log out of OWA 2003 logs users out of ASAP WorkPlace and forces them to reauthenticate to the appliance.
SOLUTION
Using the Aventail standard Web agent will resolve this issue.

ACL denies access to Citrix in OnDemand port-mapped mode (26076)
DESCRIPTION
When an access control rule denies access to a Citrix back-end server, the Aventail Web access service incorrectly translates the Citrix .ica file even when the OnDemand port-mapped configuration is not loaded. In this situation, when a user logs in to a realm via OnDemand and downloads an .ica file, attempting to connect to the Citrix host fails.

Logging out of Lotus iNotes v6.0.2 forces user to reauthenticate to the appliance if JavaScript translation is disabled (23466)
DESCRIPTION
If Lotus iNotes v6.0.2 is configured with JavaScript translation disabled, clicking the Logout button in iNotes logs the user out of ASAP WorkPlace and forces him or her to reauthenticate to the appliance.
SOLUTION
Using the Aventail standard Web agent will resolve this translation issue. Otherwise, create a Web application profile and make sure that the Translate JavaScript option is enabled. Next, apply that profile to the iNotes resource.

Errors using Microsoft OWA v5.5 with basic authentication forwarding enabled (25115)
DESCRIPTION
Users running Microsoft Outlook Web Access (OWA) v5.5 through the Aventail Web access service may encounter one or more error messages when they send an e-mail message or attach a file to an e-mail. In the case where the user's Aventail Web access service credentials match those of the OWA server, creating an e-mail triggers an error message stating that the message body is over the size limit. When the Aventail Web access service credentials don't match those of the OWA server, the user gets an error message when attempting to attach a file to an e-mail.
SOLUTION
Disable basic authentication forwarding in the OWA v5.5 server.

Platform

Do not reset system time while using evaluation license (25800)
DESCRIPTION
Setting the system time backward on your appliance while using an Aventail-provided evaluation license will disable all services on the appliance for licensing reasons.
SOLUTION
Do not move your system time backward while using an Aventail-provided evaluation license. Before importing a license file, ensure that the appliance's system date and time are configured correctly by setting them forward for your local time.


error message when the OnDemand application is saved. However, editing the other resource on the Add/Edit Resource page displays the message "The name entered is already in use by another resource."
SOLUTION
Do not assign the same name to an application configured for OnDemand and to another resource.

Group caching remains enabled when LDAP group lookup options are disabled (26130 & 26131)
DESCRIPTION
When configuring an LDAP authentication server in AMC, disabling the two Group lookup options on the Configure Authentication Server page does not disable the Cache group checking and Cache lifetime options. This may result in users who belong to an LDAP group included in an access rule being inadvertently denied access to a resource.
SOLUTION
When disabling the Group lookup options, be sure to also clear the Cache group checking check box.

Configuring OnDemand for a remote desktop connection in port-mapped mode on Windows XP SP2 (26051)
DESCRIPTION
For machines running Windows XP Service Pack 2, configuring OnDemand for a remote desktop connection in port-mapped mode will not work with the default local port setting (3389) assigned by AMC.
SOLUTION
On the Mapped Mode page for Aventail OnDemand, with Windows Terminal Server selected as the Service type, confirm that the Local host is set to 127.0.0.1 and change the Local port to any port number other than 3389 (for example, 3390).

ASAP WorkPlace

OnDemand status details not displayed for Internet Explorer 5.2.3 for the Macintosh (26141)
DESCRIPTION
When running Microsoft Internet Explorer 5.2.3 for the Macintosh, OnDemand status details are not displayed in ASAP WorkPlace.

Resources entered in the Intranet Address box in ASAP WorkPlace on a Macintosh don't open in a new browser session (26139)
DESCRIPTION
If an Apple Macintosh user running Internet Explorer enters a Web or network resource in the Intranet Address box in WorkPlace, the resource incorrectly replaces WorkPlace in the browser window instead of opening in a new browser session.
SOLUTION
WorkPlace shortcuts in AMC work correctly for Macintosh users. When Macintosh users click a shortcut in WorkPlace, the Web or network resource will open properly in a new browser session.

OnDemand fails to launch in Internet Explorer when Sun JVM 1.4.2_05 is used (26200)
DESCRIPTION
OnDemand fails to launch on Windows XP machines with Sun Java Virtual Machine (JVM) version 1.4.2_05 installed that are running Internet Explorer with an authenticating proxy defined (not a proxy with anonymous access).
SOLUTION
Reverting to version 1.4.2_04 of the Sun JVM eliminates this problem.


Disabling ActiveX in Internet Explorer causes script errors in ASAP WorkPlace with standard Web agent (26256)
DESCRIPTION
If the Run ActiveX controls and plug-ins option is disabled in Internet Explorer's Security Settings dialog box, then users attempting to log in to a realm in ASAP WorkPlace that is configured for the standard (non-translated) Web access mode will receive script error messages.
SOLUTION
In order to use the standard Web agent in ASAP WorkPlace, Internet Explorer must be configured with the Run ActiveX controls and plug-ins option enabled.

Disabling ActiveX in Internet Explorer causes WorkPlace to halt (26250)
DESCRIPTION
If the Run ActiveX controls and plug-ins option is disabled in Internet Explorer's Security Settings dialog box, when users attempt to log in to ASAP WorkPlace, the login process will stop at the "loading agents" stage.
SOLUTION
Add the URL for the appliance to the list of Trusted sites on Internet Explorer's Security tab, and then set the security level for the Trusted sites zone to Low. Note that the Low security level applies to every site in the Trusted sites zone, so keep that zone limited to the appliance's URL.

Macintosh Java plug-in v1.3.1 does not detect proxy settings (26150)
DESCRIPTION
Macintosh computers using Sun's Java plug-in v1.3.1 can't launch OnDemand because the Java plug-in is unable to detect the proxy settings.
SOLUTION
Using Sun's Java plug-in version 1.4.2 eliminates this problem.

OnDemand loads when not required by an EPC zone (25959)
DESCRIPTION
In situations where an EPC zone is created for untrusted users (which requires Aventail Secure Desktop and provides only limited access to Web resources), when users log in to ASAP WorkPlace and are placed in the zone, OnDemand is automatically loaded even though it can't be used by untrusted users. This occurs because OnDemand in dynamic mode is enabled at the realm level.

End Point Control (EPC)

Standard Web agent doesn't automatically work in an Internet Explorer session launched by Aventail Secure Desktop (26125)
DESCRIPTION
Client machines running Aventail Secure Desktop (ASD) can't automatically operate in standard Web (non-translated) mode in the ASAP WorkPlace browser launched by ASD. This happens because ASD cannot read the Internet Explorer proxy settings that are modified by the standard Web agent.
SOLUTION
Opening a new browser window within the secure desktop will correctly read the standard Web agent proxy settings and provide non-translated access to network resources. When the new browser session is ended, ASD will work as designed to remove all session-related data stored on the local hard drive.


Aventail Cache Control ignores the cache file when a Mozilla user profile name contains a space (24614)
DESCRIPTION
On Linux machines running the Mozilla browser, Aventail Cache Control (ACC) will not clean the user's cache file at the end of the session if the user profile name configured in Mozilla contains a space. ACC instead will clear the default Mozilla cache.
SOLUTION
Make sure that profile names for Mozilla users who will use ACC do not contain spaces.

EPC installation delay for Windows restricted users (25592)
DESCRIPTION
Users who have restricted user rights on Windows 2000 and XP machines running Internet Explorer will experience a delay while EPC components are downloaded. If ActiveX is disabled on the client, the EPC components are provisioned using Java.
SOLUTION
Users will need to wait approximately 20 seconds until the Java installation process completes.

HTTPS URL resources seen in WorkPlace when corresponding host resource isn't created (25893)
DESCRIPTION
Creating an HTTPS URL resource with a Web shortcut in AMC displays the shortcut in ASAP WorkPlace, but clicking the link fails to connect the user to the resource.
SOLUTION
To access a back-end HTTPS Web resource through the standard Web agent, you must take an additional step when configuring resources and access control rules. In addition to defining the back-end server as a URL resource and creating an access control rule, you must also create a host resource for the Web resource (or a domain resource containing the Web server) and include it in the access control rule.

Delayed display of "File system access error" message for unknown network resources (26010)
DESCRIPTION
Entering an unknown network resource in the ASAP WorkPlace Intranet Address box may result in a delay before the message "File system access error" is displayed in a separate WorkPlace browser window.

File downloading error in ASAP WorkPlace with permission denial (25521)
DESCRIPTION
When a user attempts to download a file in ASAP WorkPlace for which they are denied access, WorkPlace does not warn the user that there is a permission violation. Instead, WorkPlace downloads an empty file.

Sun's Java VM fails to install EPC components if Microsoft Internet Explorer is configured to automatically detect proxy settings
DESCRIPTION
If ActiveX is disabled on the client, the EPC components are provisioned using Java. If Microsoft Internet Explorer is configured to automatically detect proxy settings and the browser is configured with the Sun JVM, the browser will stop responding during the zone classification process for End Point Control.
SOLUTION
Configure Internet Explorer with a different JVM or enable ActiveX.


After disabling EPC, default zone continues to block VPN access (26239)
DESCRIPTION
When the default EPC zone is configured to block VPN access, changing the global state of EPC from enabled to disabled on the End Point Control page has no effect on the default zone, which continues to block VPN access.
SOLUTION
To prevent the default EPC zone from continuing to block VPN access after EPC has been disabled, change the access restriction setting for the default zone to Allow VPN access on the Zone Definition page.

Personal firewall prevents Aventail Secure Desktop from exiting (24981)
DESCRIPTION
If a user launches Aventail ASAP WorkPlace with Aventail Secure Desktop (ASD) enabled and has a personal firewall running within the ASD session, then logs off from ASAP WorkPlace, the ASD "padlock" icon disappears from the browser's status bar. ASD remains enabled and the personal firewall continues running, but the user cannot switch between the secure desktop and the normal desktop. If ASD reaches its timeout period, both the ASD session and the personal firewall will terminate.

Terminating Aventail Cache Control prevents Aventail Secure Desktop from exiting (25025)
DESCRIPTION
If a user terminates the Aventail Cache Control client process (cclient.exe) using Task Manager during an Aventail Secure Desktop (ASD) session, the ASD icon disappears from the secure desktop's taskbar notification area and the user is prevented from exiting ASD or switching to the normal desktop.
SOLUTION
Users should be discouraged from terminating the Aventail Cache Control client process.

Dynamic Redirection prevents resource access in OnDemand under Aventail Secure Desktop (25097)
DESCRIPTION
When a user is running OnDemand in Dynamic Redirection mode and has Aventail Secure Desktop (ASD) enabled, the user will not be able to access the destination resources.

Can't open OnDemand in a second browser window with Aventail Secure Desktop enabled (25104)
DESCRIPTION
If a user logs in to Aventail ASAP WorkPlace with Aventail Secure Desktop (ASD) enabled, launches and subsequently closes OnDemand, and then attempts to open OnDemand in a second browser window, OnDemand will stop responding.
SOLUTION
Close all browser windows to exit ASD, WorkPlace, and OnDemand.

Cluster Configuration

Imported configuration not applied to secondary node in high-availability cluster (26904)
DESCRIPTION
When two appliances are set up as a high-availability cluster, importing the configuration file from another clustered appliance into the new master node does not immediately apply the changes to the secondary (slave) node.
SOLUTION
Reboot the appliance that is set up as the secondary node, which will apply the changes from the imported configuration file.


License file is not properly synchronized on secondary node of cluster (26261)
DESCRIPTION
If the secondary node of a high-availability cluster is offline or disconnected when a license is imported into the primary (master) node, the license file will not be properly synchronized on the secondary node. When the secondary node is brought back online, the master node correctly manages the synchronization of other data, such as policy and configuration, but licensing is not synchronized.
SOLUTION
Ensure that the secondary node of the cluster is running and properly connected to the primary node when importing a license.

Issues Fixed in This Release

The following known issues from previous versions of the appliance are fixed in this release. The numbers refer to the tracking IDs used in previous versions of the README.

Web Access Service
23907 Unable to sort e-mail messages in Search window of Outlook Web Access 2003.

Platform
25121 Overlap of static route configuration prevents access to network interface.
24926 Netegrity policy server clock synchronization.
24569 Log rotation settings.

ASAP WorkPlace
25129 OnDemand fails to load without administrator rights in Windows 2000.

End Point Control
24406 Aventail Secure Desktop and OnDemand interoperability.

Documentation
25062 Online Help for Export Root Certificates page incorrectly identifies certificate format.

Security Fixes in This Release

The following security vulnerabilities are fixed in this release. Each issue is tracked using one or more of the following IDs:

• The five-digit number is an internal Aventail tracking ID.
• CVE numbers refer to the ID used on the Common Vulnerabilities and Exposures Web site (http://www.cve.mitre.org).
• DSA numbers refer to Debian Security Advisory IDs (http://www.debian.org/security/).

22949 World-writable files and directories found
25234 Policy file permissions are world-readable
25235 Server certificate and key permissions need restrictions
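The three permission fixes listed above are the kind of thing worth verifying on any appliance or host you administer, before and after an upgrade. What follows is an added example and not part of the Aventail README or Aventail's own code: a POSIX shell audit that reports world-writable files and directories (the class behind 22949) and checks that a private key and a policy file carry no group or other permission bits (the classes behind 25234 and 25235), then applies the obvious remediation. The README names no file locations, so the `server.key` and `policy.xml` paths under a temporary directory are constructed sample data.

```sh
#!/bin/sh
# Added example, not from the Aventail README: audit a tree for the three
# permission problems fixed in ASAP 8.0 (22949 world-writable files and
# directories, 25234 world-readable policy file, 25235 server certificate
# and key permissions). All paths are hypothetical sample data; the README
# does not say where the appliance keeps these files.

# List every world-writable file or directory under $1, ignoring symlinks
# (their own mode is meaningless) and sticky-bit directories such as /tmp.
# Returns 0 when nothing is found, 1 otherwise.
find_world_writable() {
    hits=$(find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Return 0 if $1 is a regular file with no group or other permission bits
# (0600 or stricter), 1 otherwise. Octal masks keep this portable to
# busybox find. Suitable for private keys and policy files.
is_owner_only() {
    [ -f "$1" ] || return 1
    loose=$(find "$1" -prune \( -perm -0040 -o -perm -0020 -o -perm -0010 \
                                -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)
    [ -z "$loose" ]
}

# Remediation: strip other-write from everything under $1 that has it, then
# clamp each secret named in the remaining arguments to owner-only.
fix_tree() {
    find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \) -exec chmod o-w {} +
    shift
    for f in "$@"; do chmod 0600 "$f"; done
}

# Constructed sample tree: a key shipped 0644, a policy file already 0600
# and a scratch file left 0666. Audit, fix, audit again.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssl" "$tmp/var/policy"
    printf 'KEY\n' > "$tmp/etc/ssl/server.key";    chmod 0644 "$tmp/etc/ssl/server.key"
    printf 'POL\n' > "$tmp/var/policy/policy.xml"; chmod 0600 "$tmp/var/policy/policy.xml"
    printf 'X\n'   > "$tmp/var/scratch.txt";       chmod 0666 "$tmp/var/scratch.txt"

    echo "== before =="
    find_world_writable "$tmp" || echo "FAIL: world-writable objects listed above"
    for f in "$tmp/etc/ssl/server.key" "$tmp/var/policy/policy.xml"; do
        is_owner_only "$f" && echo "ok   $f" || echo "FAIL $f readable by group/other"
    done

    fix_tree "$tmp" "$tmp/etc/ssl/server.key" "$tmp/var/policy/policy.xml"

    echo "== after =="
    find_world_writable "$tmp" && echo "ok   no world-writable objects"
    for f in "$tmp/etc/ssl/server.key" "$tmp/var/policy/policy.xml"; do
        is_owner_only "$f" && echo "ok   $f" || echo "FAIL $f"
    done
    rm -rf "$tmp"
}

demo
```

Run it on a real root, for example `find_world_writable /` after sourcing the functions, rather than the sample tree; the sticky-bit exclusion is what keeps `/tmp` and `/var/tmp` out of the report. Checking only the other-write bit deliberately ignores group-writable files, which are a policy question for the host rather than a defect in themselves.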
