Keon Ready Implementation Guide - RSA

1. Partner Information 

Keon Ready Implementation Guide 


Last Modified 6/16/00 

Partner Name Aventail 

Web Site http://www.aventail.com 

Product Name Aventail Extranet Center & Aventail Connect 

Version & Platform V3.21 

Product Description Aventail ExtraNet Center (AEC) is a management and 

security platform that allows you to collaborate over the 

Internet with your partners, suppliers, customers, and 

contractors—without losing control over privacy or 

ownership. With AEC, all external access to your 

internal resources is tightly controlled, so you can 

ensure that the right people access the right 

information. 

Aventail Connect is the secure client for 32-bit 

Windows applications. Aventail Connect, the client 

component of Aventail ExtraNet Center, is a secure 

proxy client based on SOCKS v5, the Internet 

Engineering Task Force (IETF) standard for 

authenticated firewall traversal. Aventail Connect 

delivers enhanced security and simplifies SOCKS 

deployment for users and network managers. 

Interaction with Keon Keon Certificate Server, Keon Desktop 

Product Category VPN 

2. Contact Information 

Pre-Sales Post-Sales 

Name Scott Stanton David Freedel 

E-mail sstanton@aventail.com dfreedel@aventail.com 

Phone 206-215-0061 206-215-0032 

Web http://www.aventail.com http://www.aventail.com/ 

1


3. Product Requirements 

Browser-Based Access: 

•= Any browser that supports SSL v.3.0 like Microsoft Internet 

Explorer 3.0+ or Netscape Navigator 3.0+, etc. 

Client/Server-Based Access 

•= Microsoft Windows NT 4.0 SP 4 or later 

•= Microsoft Windows 95, 98 

•= Windows 2000 (Client only) 

•= Any Winsock 1.1 or 2.0-compliant application (Winsock 2 

preferred) 

4. Product Configuration 

4.1 Aventail Extranet Server 

First step to getting your SSL certificate into the Aventail Server is to use the Key Wizard utility. 

You are greeted with an information screen explaining some of the things you need. 

2


In the subsequent screen you must fill in the Organization & Organizational Unit information that 

corresponds to you particular installation of Keon Certificate Server. 

The locality attribute is optional for Aventail, but required for Keon. Please make sure you fill out 

this screen completely. 

3 

7


The next few screens need to be filled in with your specific choices. 

4


For key length, Keon Supports keys up to 1024 bits: 

Follow the remaining screens to generate your private key. You’ll then be shown where the 

certificate request is being saved. Note the locations of these files since you will need this 

information when enrolling for your server (SSL) certificate with Keon. 

5


An example of the contents of the certificate signing request: 

Use this CSR to enroll for a server certificate with the Keon Certificate Server. 

After you enroll for a certificate and the Keon Certificate Administrator has approved the 

certificate, you must re-run the key wizard. This time it will recognize that you have already 

generated a request. Click on the ‘yes’ button. 

Next select the request that corresponds with your server name and enter the password. After 

entering your password cut & paste the Keon e-mail response. Remember to only get the text 

between the BEGIN CERTIFICATE and END CERTIFICATE tags: 

6


You will also need to have the Keon Certificate Server root certificate available in a file. This 

screen tells the Extranet Server where to find it. 

7


Please note the location presented here. You will need this when configuring your SSL module in 

the Extranet Server. 

8


To setup your Extranet Server with your new certificate see the Aventail Administration Guide for 

configuring the SSL module & authentication policies. Note that the Extranet Server does not 

support CRL checking. The LDAP section is for setting up finding user certificates for 

authentication, an example is below. 

9

4.2 Aventail Connect Client 


SSL authentication, originally developed for secure Web communications, uses authentication 

certificates to identify authorized users. A certificate is essentially an electronic “statement” 

that verifies the integrity of a connection. Certificates can be stored in the PKCS #11compatible 

Keon Desktop. 

Aventail Connect will prompt for certificate information only when Aventail ExtraNet Server 

requests authentication from a client certificate. In such a case, Aventail Connect will 

automatically prompt you to select a client certificate to authenticate with. Choose Use a 

client certificate stored on a smartcard. 

Once you have chosen your certificate, you will be prompted for the pathname to the Keon 

Desktop DLL in which your certificate resides. Typically, this will be c:\Program Files\RSA 

Security\RSA Keon Desktop\system\domestic\sdpkcs11.dll. 

If you haven’t yet logged on to the Keon Desktop, you will be greeted with the following screen 

asking you to log in: 

10


Finally, Aventail Connect will ask you which certificate you would like to use from the Keon 

Desktop. 

The certificate will then be sent to the Aventail server to authenticate the user and establish 

the VPN tunnel. 

11

5. Certification Checklist 


Version Tested: _Keon Desktop_v5.20__________ Date: _6/1/00________ 

Test Case Personal Server IPSec ______ 

PKCS#10 Enrollment via CSR: 

Generate PKCS#10 Request P 

Process PKCS#10 Request P 

Manual Enrollment: 

Request Certificate P 

Process Certificate Request P 

Import Certificate 

Import PKCS#7 Certificate 

Import via cut & paste P 

View & verify Certificate P P 

Install trusted root Certificate P P 

Certificate Usage 

Use certificate for authentication P P 

Use certificate for encryption P N/A 

Keon Desktop Support 

(if applicable) 

Import certificate via PKCS#12 

Access certificates via MS CSP N/A 

Access certificates via PKCS#11 P 

Revoked certificates enforced N/A 

LDAP Support (if applicable) 

Name lookup & certificate retrieval N/A P 

Revocation recognized via CRL N/A N/A 

� � �� P=Pass X=Fail N/A=Non-available function 

12

6. Known Problems 


There is an incompatibility between the Aventail Connect client and Keon 

Desktop, when the KDT is configured in non-standalone mode and Keon 

Agent support is enabled. Keon Desktop does not support third party 

Layered Service Providers (LSPs). It is however possible, but unsupported, 

to configure the Desktop to co-exist with third-party LSPs. You can use the 

Keon Desktop utility ‘sockinst.exe’. To create a new LSP Chain: 

1.) Double click on ‘MW.w95.spi.tcp” 

2.) Double click on “AutoSocks LSP Dummy Entry” 

3.) Double click on “SDTSF” 

4.) Press on the button “Save Chain” 

5.) Move the newly created entry (chain) “SDTDF+AutoSocks LSP Dummy Entry On: 

MS.w95.spi..tcp” to the top of the list with the “Move UP” button. 

Repeat the above steps for UDP. (I.e. choose MS.w95.SPI.udp instead of MS.w95.spi.tcp) 

13

Keon Ready Implementation Guide - RSA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?