Aventail ExtraNet Server v3.0 Administrator's Guide (UNIX and Windows NT)

Petitioner Apple Inc. - Ex. 1011, Cover
`
`
`
Table of Contents

AVENTAIL EXTRANET CENTER QUICK START GUIDE
Aventail ExtraNet Server Quick Start Guide . . . . 5
    Aventail ExtraNet Center Components . . . . 5
    Aventail ExtraNet Server Installation . . . . 6
        Windows NT . . . . 6
        UNIX . . . . 6
    Client Installation . . . . 7
    Essential Concepts for Aventail ExtraNet Server Policies . . . . 9
        Access Control Rules . . . . 9
        Authentication Rules . . . . 9
        Filter Rules . . . . 10
        Proxy Chaining Rules . . . . 10
        Objects Used to Build Aventail ExtraNet Server Policies . . . . 10

POLICY CONSOLE
Policy Console . . . . 12
    Introduction . . . . 12
    Running the Policy Console . . . . 12
    Server Settings . . . . 12
        Server Options . . . . 12
            General . . . . 12
            Logging and Auditing . . . . 13
        Log Viewer . . . . 16
            Opening the Log Viewer . . . . 16
        Configuring Services . . . . 17
            Configuring server services . . . . 17
            Viewing available services . . . . 17
            Starting a service . . . . 17
            Changing startup properties . . . . 17
            Reconfiguring a service . . . . 18
            Viewing server status . . . . 18
        Connect to Remote . . . . 18
            Connecting to a remote server . . . . 18
    Access Control . . . . 19
        Access Control Tab . . . . 19
            Column headings (definitions) . . . . 19
            Changing rule order . . . . 20
            Adding rules . . . . 20
            Editing rules . . . . 20
            Deleting rules . . . . 20
        Access Control Builder . . . . 21
            Creating access control rules . . . . 21
            Assigning a "permit" or "deny" status to a rule . . . . 21
            Making a rule active or inactive . . . . 21
            Source networks . . . . 22
            Destination networks . . . . 24
            Users and Groups . . . . 29
            Advanced . . . . 32
    Authentication . . . . 36
            Changing rule order . . . . 36
            Adding authentication rules . . . . 37
            Editing authentication rules . . . . 37
            Deleting authentication rules . . . . 37
        Authentication Builder . . . . 38
            Source Networks . . . . 38
            Authentication Methods . . . . 40
            Authentication Modules . . . . 43
    Filtering . . . . 48
            HTTP Content Filter . . . . 48
            HTTP Authentication Forwarding filter . . . . 48
            Adding Filtering Rules . . . . 49
            Editing Filtering Rules . . . . 49
            Removing Filtering Rules . . . . 49
        Filter Builder . . . . 49
            HTTP Content Filter . . . . 51
    Proxy Chaining . . . . 53
        Adding a Proxy . . . . 53
            Editing a Proxy . . . . 53
            Deleting a Proxy . . . . 53
        Proxy Chain Builder . . . . 53
            Adding a primary/fallback host and port . . . . 54
            Editing a primary/fallback host and port . . . . 54
            Determining SOCKS version . . . . 54
            Active/disabled (checkbox) . . . . 54
    Network Setup . . . . 55
        Routing Rules . . . . 55
            Adding a route . . . . 56
            Editing a route . . . . 56
            Deleting a route . . . . 56
            Adding a routing rule . . . . 56
            Editing a routing rule . . . . 56
            Deleting a routing rule . . . . 57

CONFIGURATION FILE FORMAT
    Introduction . . . . 58
    General Syntax . . . . 58
    Data Types . . . . 58
        Tokens . . . . 59
        Booleans . . . . 59
        Integers . . . . 59
        Simple Strings . . . . 59
        Strings . . . . 59
    Common Attributes . . . . 59
    Order of Objects . . . . 60
    Modules . . . . 60
        Loading a Module . . . . 60
        Including a Module in an Installation . . . . 61
        Referencing a Module in a Rule . . . . 61
    Defining Users and Groups . . . . 62
    Defining Networks . . . . 63
    Defining SOCKS Servers . . . . 64
    Rules . . . . 64
        Common Attributes of Rules . . . . 65
        Authentication . . . . 66
        Access Control . . . . 66
        Filters . . . . 67
        Routing Entries . . . . 68
        Proxy Chaining . . . . 68
    Installation . . . . 68
    Policy . . . . 71
    Logging . . . . 72
        Log Methods . . . . 72
        Log Levels . . . . 72
        Log Output Options . . . . 73
        Auditing . . . . 73
        Information Types . . . . 73
        Output Formats . . . . 74

Aventail ExtraNet Server v3.0 Administrator’s Guide (UNIX and Windows NT) • i
`
Aventail ExtraNet Server Quick Start Guide

Welcome to the Aventail ExtraNet Server Quick Start Guide.
Aventail ExtraNet Server is the server component of the Aventail ExtraNet Center, a
client/server solution for managing sophisticated extranets. Setting up the Aventail
ExtraNet Center requires installation on both a server and multiple client machines.
Setup of the Aventail ExtraNet Server consists of installing several components.
`
AVENTAIL EXTRANET CENTER COMPONENTS
The following are the components of the Aventail ExtraNet Center.
• Aventail ExtraNet Server: The primary component of Aventail ExtraNet Center is the ExtraNet Server. This is a SOCKS v5 proxy server that manages the authentication of users and processes all of the connection requests. Aventail ExtraNet Server can manage both incoming (external users attempting to reach internal network resources) and outgoing (internal users attempting to reach external network resources) network traffic.
• Aventail Policy Console: The Aventail Policy Console is the graphical administrative tool for creating, viewing and managing the policies for your extranet. It can also be used for starting and stopping the ExtraNet Server as well as viewing log and license files.

  The Policy Console provides a graphical front-end for the configuration file that the Aventail ExtraNet Server uses. The Policy Console can be run locally on the machine that the ExtraNet Server is installed on, or remotely to manage a server that resides on another machine. When the Policy Console is run remotely, it establishes a secure LAN, WAN or Internet connection via the Management Server (see below). A remote Policy Console running on a Windows NT machine can configure a UNIX Aventail ExtraNet Server and vice versa.
• Aventail Management Server: The Aventail Management Server is an optional service that allows administrators to remotely manage an ExtraNet Server. The Management Server and Policy Console communicate via a secure, encrypted connection.

  The Management Server must be installed on the same machine as the ExtraNet Server.
• Aventail Management Server Config Tool: The Aventail Management Server Config Tool is the administrative utility that establishes a policy specific to the Management Server. This policy determines which administrators can manage the ExtraNet Server, how they must authenticate and which network interfaces the server will accept traffic from. The policy also defines the specific directories that can be browsed remotely.
• Aventail Connect: Aventail Connect is the client component of the Aventail ExtraNet Center solution.
`
AVENTAIL EXTRANET SERVER INSTALLATION
The following instructions will get the Aventail ExtraNet Server up and running in a very
basic configuration.

Windows NT
The general Aventail ExtraNet Server configuration will require encrypted sessions only
and force all users to authenticate against the accounts in the Windows NT Server
username/password database. This configuration provides unrestricted access for both
outbound and inbound traffic. A sample X.509 certificate is supplied and configured
during installation and should be used for non-secure testing purposes only.
Instructions on tightening access controls, configuration as a dual-homed server,
obtaining “real” digital certificates, configuring the Aventail Management Server, and
changing other parameters may be found in the “Aventail ExtraNet Center Administration
Guide” located in the “\docs” directory.
1. Installation: Run setup.exe from the Aventail ExtraNet Center directory of the CD-ROM or run the downloaded distribution file.
2. License File: Copy the aventail.alf license file into the C:\Aventail\etc directory. (The license file is obtained automatically via email after downloading or provided on diskette following purchase.)
3. Run the Policy Console: Start | Programs | Aventail ExtraNet Center | Policy Console.
4. Modify Default Configuration File: From the Access Control tab, click on the red box to the left of the Action column to change the rule from Deny to Permit. The box color will turn green and the text under the Action column will change to Permit.
5. Start the Aventail ExtraNet Server:
• From the Policy Console menu bar, select File | Save.
• Select Services | Configure.
• Select “Aventail ExtraNet Server.”
• Click “Start.”
`
UNIX
The general configuration will require encrypted sessions only and force all users to
authenticate against the accounts in the UNIX “/etc/passwd” file. This configuration
provides unrestricted access for both outbound and inbound traffic. A sample X.509
certificate is supplied and configured during installation and should be used for
non-secure testing purposes only.
Instructions on tightening access controls, configuration as a dual-homed server,
obtaining “real” digital certificates, configuring the Aventail Management Server, and
changing other parameters may be found in the “Aventail ExtraNet Center Administrator’s
Guide” located in the “/docs” directory.
1. Installation: Run the install.sh script from the Aventail ExtraNet Center directory of the CD-ROM or install the downloaded distribution file.
`
NOTE: This will install into the default directory, /usr/local/aventail. To install into a different location, run the install.sh script with the --prefix switch. For example:
install.sh --prefix=/<install directory>/
where <install directory> is the location to install.

2. License File: Copy the aventail.alf license file into the /etc directory of the installation root. The default is /usr/local/aventail/etc. (The license file is obtained automatically via email after downloading or provided on diskette following purchase.)
3. Run the Policy Console: At the command line, type:
<install directory>/bin/apc
4. Modify Default Configuration File: From the Access Control tab, click on the red box to the left of the Action column to change the rule from Deny to Permit. The box color will turn green and the text under the Action column will change to Permit.
5. Start the Aventail ExtraNet Server:
• From the Policy Console menu bar, select File | Save.
• Select Services | Configure.
• Select “Aventail ExtraNet Server.”
• Click “Start.”

- OR -
From the command line, type:
<install directory>/bin/socks5
Options: -s logs to stderr; -p <port> listens on a port other than the default 1080.
`
CLIENT INSTALLATION
These installation steps will get the client component of Aventail ExtraNet Center,
Aventail Connect, up and running in a basic configuration. Instructions covering advanced
configuration options, public certificates, and troubleshooting may be found in the
“Aventail Connect Administrator’s Guide” and in the online Help.

NOTE: Leave all settings not described below as DEFAULTS.

1. Installation: Run setup.exe from the Aventail Connect directory of the CD-ROM or run the downloaded distribution file.
2. License File: Copy the aventail.alf license file into the C:\Program Files\Aventail\Connect directory. (The license file is obtained automatically via email after downloading or provided on diskette following purchase.)
3. Create a Configuration File:
• Select Programs | Aventail Connect | Configuration Tool.
• Select File | New.
`
4. Add Server Definition:
• From the Servers tab, click Add.
• Type in Alias name = “Aventail ExtraNet Server.”
• Hostname or IP address = public DNS hostname or IP address of the machine with Aventail ExtraNet Server installed and running. This host must be reachable by TCP/IP (i.e., ping test).
• Click OK.
5. Define Destinations:
• From the Destinations tab, click Add.
• Type in Alias name = “Private Network.”
• Select “Network.”
• Domain Name = <internal DNS Domain name for private network>.
• Select “Subnet.”
• Enter network IP Address/Subnet mask.
• Click OK.
6. Specify Redirection Rules:
• From the Redirection Rules tab, click Add.
• Select Destination “Private Network.”
• Select Redirect via “Aventail ExtraNet Server.”
• Click OK.
• Click Add.
• Select Destination “Everything Else.”
• Do not Redirect.
• Click OK.
7. Save Client Configuration File:
• From the Config Tool menu bar, select File | Save.
• Type aventail.cfg.
• Click OK.
• Select File | Make Active.
• Select File.
• Select Exit.
8. Start Aventail Connect:
• Start | Programs | Aventail Connect | Connect.
• Point to new configuration file aventail.cfg.
• Select OK.
• Start any TCP application to initiate the connection. The ExtraNet Server or other SOCKS proxy server must be running.
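The redirection decision that steps 4 through 6 encode (one destination "Private Network" defined by a domain name and a subnet, redirected via the "Aventail ExtraNet Server" entry, with "Everything Else" sent directly) can be expressed as a small ordered rule table. The following is an added illustration, not Aventail Connect's own code: the server name extranet.example.com, the domain corp.example and the subnet 10.0.0.0/8 are placeholders, and the first-match order and the direct fall-through when nothing matches are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed placeholder for the "Aventail ExtraNet Server" server definition.
EXTRANET_SERVER = ("extranet.example.com", 1080)


@dataclass
class Destination:
    """A client-side destination definition: an alias plus domain and/or subnet entries."""
    alias: str
    domains: List[str] = field(default_factory=list)   # e.g. "corp.example"
    subnets: List[str] = field(default_factory=list)   # e.g. "10.0.0.0/8"

    def matches(self, target: str) -> bool:
        # A literal IP address is matched against the subnets; anything else is a
        # hostname and is matched against the domain list.
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            name = target.lower().rstrip(".")
            # Require a label boundary so "evilcorp.example" does not match "corp.example".
            return any(name == d or name.endswith("." + d) for d in self.domains)
        return any(addr in ipaddress.ip_network(s, strict=False) for s in self.subnets)


@dataclass
class RedirectionRule:
    """One row of the Redirection Rules tab.

    destination=None stands for "Everything Else"; via=None means "Do not Redirect".
    """
    destination: Optional[Destination]
    via: Optional[Tuple[str, int]]


# Constructed "Private Network" destination (placeholder domain and subnet).
PRIVATE_NETWORK = Destination("Private Network",
                              domains=["corp.example"],
                              subnets=["10.0.0.0/8"])

# Assumed: rules are consulted top to bottom and the first match wins.
RULES = [
    RedirectionRule(PRIVATE_NETWORK, EXTRANET_SERVER),
    RedirectionRule(None, None),
]


def resolve_route(target: str, rules: List[RedirectionRule] = RULES) -> Tuple:
    """Return ("socks", host, port) or ("direct",) for a connection target."""
    for rule in rules:
        if rule.destination is None or rule.destination.matches(target):
            if rule.via is None:
                return ("direct",)
            return ("socks", rule.via[0], rule.via[1])
    # Assumed fall-through when no rule matches: connect directly.
    return ("direct",)


if __name__ == "__main__":
    for target in ["10.1.2.3", "intranet.corp.example", "evilcorp.example", "192.0.2.7"]:
        print(target, "->", resolve_route(target))
```

Note that the ExtraNet Server's own public hostname must not fall inside the "Private Network" definition: the client has to reach the proxy directly before it can redirect anything through it, which is why the guide asks for a ping test against that host.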
`
ESSENTIAL CONCEPTS FOR AVENTAIL EXTRANET SERVER POLICIES
It is important to understand the primary components of the Aventail Policy Manager that
are used to build an extranet policy. There are four types of rules that can be used to build
an Aventail ExtraNet Server policy:

Access Control Rules
Access control rules define the network resources and services that are accessible to
users and groups based on where they are coming from, what day or time it is, how they
authenticated, and what their encryption strength is.
The following are the parameters that make up an access control rule:
• Active/Inactive: Temporarily disables a rule without having to delete it.
• Permit/Deny: Defines whether the rule will permit or deny access based on the criteria selected.
• Source Networks: Defines the originating source of the connection for the rule to be applicable.
• Source Ports: Defines the originating ports (services) of the connection for the rule to be applicable.
• Destination Networks: Defines which network resource(s) the rule will permit or deny access to.
• Destination Ports: Defines which services on the Destination Networks can be used by the rule.
• Users and Groups: Defines which users and groups the rule applies to.
• Times: Defines the times or days the rule is active.
• Authentication Matching: Defines the authentication methods to be used for the rule to be applicable.
• Key Length: Specifies the encryption strength required for the rule to be applicable.
• Commands: Defines the commands that can be used on the specified Destination Networks.
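To show how the parameters above combine into a decision, here is an added worked example of an ordered access-control evaluator; it is an illustration written for this guide, not the ExtraNet Server's own implementation. Every parameter left unset means "any", an inactive rule is skipped, the first rule whose parameters all match decides, and a request matching no rule is denied (that default-deny fall-through, the weekday numbering, the hour window and all names, addresses and ports in the sample policy are assumptions).

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

PortRange = Tuple[int, int]


@dataclass
class Request:
    """What the server knows about one SOCKS request once the user has authenticated."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    user: str
    groups: Set[str]
    auth_method: str   # e.g. "ssl", "chap", "cram"
    key_bits: int      # negotiated cipher strength; 0 for a cleartext session
    command: str       # "connect", "bind", "udp", "ping" or "traceroute"
    when: datetime


@dataclass
class AccessRule:
    """One access control rule. A parameter left as None places no restriction."""
    name: str
    permit: bool
    active: bool = True
    src_nets: Optional[List[str]] = None
    src_ports: Optional[List[PortRange]] = None
    dst_nets: Optional[List[str]] = None
    dst_ports: Optional[List[PortRange]] = None
    principals: Optional[Set[str]] = None    # user or group names
    days: Optional[Set[int]] = None          # assumed 0 = Monday ... 6 = Sunday
    hours: Optional[Tuple[int, int]] = None  # active from hours[0] up to, not including, hours[1]
    auth_methods: Optional[Set[str]] = None
    min_key_bits: int = 0                    # 0 = any; otherwise 40, 56 or 128
    commands: Optional[Set[str]] = None


def _in_nets(ip: str, nets: Optional[List[str]]) -> bool:
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _in_ports(port: int, ranges: Optional[List[PortRange]]) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule: AccessRule, req: Request) -> bool:
    """True when the rule is active and every one of its parameters is satisfied."""
    if not rule.active:
        return False
    return all([
        _in_nets(req.src_ip, rule.src_nets),
        _in_ports(req.src_port, rule.src_ports),
        _in_nets(req.dst_ip, rule.dst_nets),
        _in_ports(req.dst_port, rule.dst_ports),
        rule.principals is None or bool(({req.user} | req.groups) & rule.principals),
        rule.days is None or req.when.weekday() in rule.days,
        rule.hours is None or rule.hours[0] <= req.when.hour < rule.hours[1],
        rule.auth_methods is None or req.auth_method in rule.auth_methods,
        req.key_bits >= rule.min_key_bits,
        rule.commands is None or req.command in rule.commands,
    ])


def evaluate(rules: List[AccessRule], req: Request) -> Tuple[str, Optional[str]]:
    """Walk the ordered rule list; the first matching rule decides.
    Assumed: a request that matches no rule is denied."""
    for rule in rules:
        if rule_matches(rule, req):
            return ("permit" if rule.permit else "deny", rule.name)
    return ("deny", None)


# Constructed sample policy (placeholder names and addresses): partner users on one
# external subnet may reach internal web servers on 80/443 on weekdays during business
# hours over 128-bit SSL; UDP relaying is refused for everyone.
POLICY = [
    AccessRule("no-udp", permit=False, commands={"udp"}),
    AccessRule("partners-web", permit=True,
               src_nets=["198.51.100.0/24"], dst_nets=["10.10.0.0/16"],
               dst_ports=[(80, 80), (443, 443)], principals={"partners"},
               days={0, 1, 2, 3, 4}, hours=(8, 18),
               auth_methods={"ssl"}, min_key_bits=128, commands={"connect"}),
]

WEDNESDAY = datetime(2024, 1, 10, 10, 0)
SATURDAY = datetime(2024, 1, 13, 10, 0)


def sample_request(**overrides) -> Request:
    """A constructed request that satisfies "partners-web"; overrides vary single fields."""
    values = dict(src_ip="198.51.100.7", src_port=40000, dst_ip="10.10.5.20", dst_port=443,
                  user="alice", groups={"partners"}, auth_method="ssl", key_bits=128,
                  command="connect", when=WEDNESDAY)
    values.update(overrides)
    return Request(**values)


if __name__ == "__main__":
    print(evaluate(POLICY, sample_request()))
    print(evaluate(POLICY, sample_request(key_bits=56)))
    print(evaluate(POLICY, sample_request(when=SATURDAY)))
    print(evaluate(POLICY, sample_request(command="udp")))
```

The order of the list matters in the same way the Access Control tab's rule order does: because "no-udp" sits first, a UDP request from a partner is refused by that rule before "partners-web" is ever considered, and a session negotiated at 56 bits falls through every rule and is denied by default rather than by an explicit rule.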
`
Authentication Rules
Authentication rules define the authentication options available to users or groups based
on where they are coming from.
The following are the parameters that make up an authentication rule:
• Source Networks: Defines the originating source of the connection for the rule to be applicable.
• Authentication: Defines the authentication methods available.
`
Filter Rules
Filters can be applied to network traffic based on the same parameters as an access
control rule. This means that you can apply filters on a very granular level, such as only
applying them to specific users, to traffic between two locations, or during certain times.
• Filter Type: Defines which of the loaded (and configured) filters should be used for the rule.
• All other components used for access control rules except permit and deny.

Proxy Chaining Rules
Proxy chaining rules define the methods for accessing network destinations located behind
other ExtraNet Servers.
• Destination Networks: Specifies which network resources the rule will permit or deny access to.
• Proxy Server: Specifies the IP address or hostname of the ExtraNet Server that secures the intended network destination.

NOTE: In order to use proxy chaining, server-to-server authentication
methods must be loaded first. Please reference the Aventail
ExtraNet Center Administrator’s Guide for more information.
`
Objects Used to Build Aventail ExtraNet Server Policies
• Groups: These can be made up from six different types of user databases: Windows NT, Novell NDS, UNIX passwd, Host, SSL User (X.509), and Single User. Only SSL Users and Single Users can be created and deleted by the administrator. Administrators can select any combination of these six types of users and groups and apply them to rules. Administrators can also select any combination of users and groups and place them in a folder for easy re-use in multiple rules.
• Source or Destination Networks and Ports: Network resources can be a host, domain, IP range or subnet. Administrators can select any combination of network resources they have created to use in rules. Administrators can also select any combination of network resources and place them in a folder for easy re-use in multiple rules. Combinations of single ports and port ranges can be applied to source and destination networks to restrict the available services a user can access.
• Time: Days of the week and hours during those days, or a date range, for which a rule is applicable.
• Authentication method: Available methods include SSL, which can use any of the following methods to sub-authenticate users. These methods can also be used individually but will not provide encryption unless used with SSL for sub-authentication. Client certificates can be used in conjunction as well.
  • Username/Password back-ended to Windows NT, NetWare bindery/NDS, RADIUS, File, Crypt file, UNIX passwd file.
  • CRAM back-ended to RADIUS or ACE/Server.
  • CHAP back-ended to RADIUS or file.
• Key length requirements: Can be set to any, 40-bit or higher, 56-bit or higher, or 128-bit or higher.
• Filters: Available filters include an HTTP filter and an authentication forwarder filter.
• Commands: Available commands include any, traceroute, ping, UDP, connect and bind.
`
Policy Console

Introduction
The Aventail Policy Console is the graphical administrative tool for creating, viewing, and
managing the policies for your extranet. You can also use the Policy Console to start and
stop the Aventail ExtraNet Server, or to view log files and license files. The Policy
Console provides a graphical front-end for the configuration file that the Aventail ExtraNet
Server uses to handle connection requests. There are no major differences between the
Windows NT and UNIX Policy Consoles.
The first section of this chapter covers the server settings. These are server-level settings
that specify, among other settings, which port to run on, logging, and starting and
stopping the Aventail ExtraNet Server. The next section covers the policy part of the
server. These rules consist of access-control rules, authentication rules, filter
rules, proxy-chaining rules, and network rules. The Policy Console Tools are covered at
the end of this chapter.
For more information on using the Policy Console to manage a remote Aventail ExtraNet
Server, refer to the “Management Server” chapter.

Running the Policy Console
On Windows NT:
Start | Programs | Aventail ExtraNet Center | Policy Console
On UNIX:
At the command line, type <install directory>/bin/apc

Server Settings
(Add some introductory content here)

SERVER OPTIONS
(Add some introductory content here)

General
The Aventail ExtraNet Server requires basic licensing and connection settings before a
specific network policy is configured: how to handle UDP, connection timeouts, concurrent
connections, and so on.
To open the Server Options dialog box, from the Policy Console menu select View | Server
Options.
`
SOCKS PORT
This is the port on which the server will listen for incoming connections. The default
is 1080.

USE THE CLIENT'S UDP PORT
Checking this enables support for unknown UDP connections. If enabled, the Aventail
ExtraNet Server relays packets from hosts to which it has not previously sent data.

SETTING THE CONNECTION TIMEOUT
Controls the duration of client connections. If there is no activity for the specified period,
the client connection will time out. You can set a timeout interval ranging from seconds to
weeks.

CONFIGURING THE LICENSE ALERT
The license alert writes a log entry at predetermined intervals noting that you are at
"X" percent of your license limit. For example, if you have an Aventail license for
1,000 users and you set a threshold of 80%, an alert is sent to your log at the
intervals you determine every time concurrent connections exceed 800.

Logging and Auditing
Logging is an essential part of diagnosing and maintaining server function. With logging
you can track user activity, diagnose failed connections, repair system failures, and
configure the logging output for Aventail or WebTrends formats.
`
LOGGING
You can select one of three logging methods, one of eight levels of information, and three
output options.
LOG METHODS
• Security: Security information consists of failed authentication attempts and methods. Select the logging level from the drop-down menu and check the desired output option. The default filename is security.log.
• System: System information points out network problems as they affect the Aventail ExtraNet Server; i.e., low memory, timing out, a SOCKS server crashing, etc. Select the logging level from the drop-down menu and check the desired output option. The default filename is system.log.
• Miscellaneous: Miscellaneous information consists of everything else not covered by the two prior methods. Select the logging level from the drop-down menu and check the desired output option. The default filename is misc.log.
LOG LEVELS

NOTE: Processing a large amount of information may impact the server's
performance for brief periods of time.
`
• Fatal: Fatal error information only.
• Error: Critical error information only.
• Warning: Non-critical warning information, as well as Error level information.
• Information: Detailed logging information, including all previous level data.
• Verbose: All previous level data, but less data than Debug 1.
• Debug 1, Debug 2, and Debug 3: Debugging levels of increasing detail. This can be a large amount of data, and should be used only when troubleshooting.
OUTPUT OPTIONS
• Event Viewer: Logging information will output to the Windows NT Event Viewer's Application Log. Note that the server will always log startup information to the Event Viewer, regardless of settings at the Logging tab.
• (S5) Logging Tool (Windows only): The (S5) Logging Tool is the dynamic logging tool for all (Windows) Aventail ExtraNet Server activity. Start the (S5) Logging Tool via the Tools | Logging Tool menu of the Policy Console.
• Plain-text file: Aventail ExtraNet Server activity information will output to the default logging file, server.log, in the Aventail ExtraNet Server installation directory.

AUDITING
Enabling this option will direct exportable logging information to the audit log.
OUTPUT FORMATS
• Aventail: Outputs information in the Aventail format.
• WebTrends: Outputs audit log information in the WebTrends format. For more information on WebTrends, see http://www.webtrends.com.

Tips:
- To debug the server, use the (S5) Logging Tool (Windows only), and set the Debug level to 3.
- For normal operations, either log to the system log, or log to file.
- To archive traffic through the server, and process reports on it, use the audit log. There are no maximum log settings. However, log-
g