SonicWALL / Aventail Connect Tunnel Client Help
The SonicWALL / Aventail Connect Tunnel with Smart Tunneling is a client component of the SonicWALL / Aventail virtual private network (VPN) solution, which enables secure, authorized access to Web-based and client/server applications, and file shares. This help information describes Connect Tunnel for the Mac OS X and Linux operating systems.
Connect Tunnel on Mac and Linux platforms supports IPv6, which is preferred if both IPv4 and IPv6 are available.
With Connect Tunnel you can connect to network resources that are protected by the SonicWALL Aventail VPN and access the following types of resources:
- Client/server resources: Client/server applications, thin client applications, and terminal services.
- Web sites and applications: Web content and Web-based applications that can be accessed through a browser.
- Network shares: Shared folders and files, and mapped drives.
This client application requires a Java Virtual Machine (JVM) and is intended for use on 32-bit and 64-bit Linux computers and on Apple Macintosh PPC/IA-32 and PPC/IA-64 computers.
To access network resources through Aventail Connect, your identity must first be verified. This ensures that only authorized users can access protected network resources. The credentials used to verify your identity typically consist of a username and password or passcode.
To start Aventail Connect (Mac OS X)
- In the Finder, double-click Applications, and then double-click the Aventail Connect icon. The Aventail Connect login dialog appears.
- In the Configuration list, select a VPN configuration and click Connect. If there are no saved configurations, you must create one; see Creating a New Configuration for more information.
- If you access a network resource that uses a self-signed or invalid server certificate, Aventail Connect displays the certificate. Verify that the server certificate is from a trusted source before accepting it. Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.
- In the Login Group selection, choose your Login Group and click OK.
- In the Username box, type your username.
- In the Password or Passcode box, type your password or passcode. (Passwords may be case-sensitive: make sure the Caps Lock and Num Lock keys are not enabled.)
- Click OK. A message in the login dialog indicates the status of the VPN connection.
Notes
- In the Aventail Connect login dialog, you can initiate a connection to a different VPN or login group by choosing a different configuration from the list.
- From the Applications directory, you can drag the Aventail Connect icon to the dock for easier access.
To start Aventail Connect (Linux)
- After Aventail Connect is installed, you can run startctui from any location. You can also start Aventail Connect by double-clicking the Aventail Connect icon on the desktop. The Aventail Connect login dialog appears.
- In the Configuration list, select a VPN configuration and click Connect. If there are no saved configurations, you must create one; see Creating a New Configuration for more information.
- If you access a network resource that uses a self-signed or invalid server certificate, Aventail Connect displays the certificate. Verify that the server certificate is from a trusted source before accepting it. Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.
- In the Login Group selection, choose your Login Group and click OK.
- In the Username box, type your username.
- In the Password or Passcode box, type your password or passcode. (Passwords may be case-sensitive: make sure the Caps Lock and Num Lock keys are not enabled.)
- Click OK. A message in the login dialog indicates the status of the VPN connection.
Notes
- In the Aventail Connect login dialog, you can initiate a connection to a different VPN or login group by choosing a different configuration from the list.
Aventail Connect enables you to log in to different login groups if necessary (for example, if you alternate between logging in to the Sales and Marketing groups). You may need to provide different authentication credentials for each login group.
You must specify a login group each time you initiate a connection to your VPN. This option is available only when Aventail Connect is offline (that is, when not connected to your VPN).
To specify the login group
- In the Aventail Connect login dialog box, choose a Configuration and click Edit.
- In the Edit Configuration screen, click Forget Selection and then click Save.
- Choose the saved Configuration and click Connect.
- Select the new Login Group and click Ok.
To specify a different VPN to connect to, Aventail Connect must be offline (that is, not connected to your VPN).
To specify the host name or IP address of the VPN
- In the Aventail Connect login dialog box, click Add Configuration.
- Enter a name for the configuration in the Name box.
- In the Server box, type the host name or the IP address of the VPN you want to connect to.
- Click OK. The login dialog box appears.
When Aventail Connect is running and connected to the VPN, a connection status dialog appears. This dialog contains basic connection information, including the name of the configuration you are currently using, and the host name or IP address of the VPN you are connected to. You can minimize this dialog; on Linux systems, closing this dialog will end your network connection and close Aventail Connect.
To end your VPN session and disconnect from the remote network, click Disconnect in the Aventail Connect login dialog.
To simplify the login process you can set up one or more VPN configurations. If, for example, you sometimes connect to a different login group or a different VPN, you can save these settings under different names.
To view your settings, Aventail Connect must be offline (that is, not connected to your VPN).
- In the Aventail Connect login dialog, select the Configuration from the Configuration list.
- Click Edit.
To edit your settings, Aventail Connect must be offline (that is, not connected to your VPN).
- In the Aventail Connect login dialog, select Configuration from the Configuration list.
- Click Edit to edit the configuration.
- Edit the Name or Server box as necessary.
- Click Save to save your changes.
To create a new configuration, Aventail Connect must be offline (that is, not connected to your VPN).
- In the Aventail Connect login dialog, select Add Configuration from the Configuration list.
- Assign a name to this configuration (for example, Connect from home). This is the name that you will see in the Configuration list when you log in, so specify one that best describes its function.
- In the Server box, enter the host name or IP address for the VPN.
- Click Save to save your changes.
To delete a configuration, Aventail Connect must be offline (that is, not connected to your VPN).
- In the Aventail Connect login dialog, select the Configuration from the Configuration list and click Edit.
- Click Delete to delete the configuration.
When requests for resources or Internet access are received from clients by the appliance, they can be handled in a few different ways. Your administrator makes this configuration choice in AMC (the Aventail Management Console):
- In split tunnel mode, only traffic destined for resources that have been specified in AMC is redirected to the appliance, and all other traffic is routed as normal. In other words, your administrator sets up a list of resources that are kept secure because they are accessible only through the appliance, but you have open access to anything not spelled out in the resource list (for example, other Internet sites).
- In redirect all mode, which is the more secure (and restrictive) approach, all traffic is redirected through the appliance: you are not allowed to access anything that is not in the list of allowed resources.
- Your administrator can opt to give you access to local printers and file shares, regardless of the tunnel mode.
If you are having trouble accessing resources, your administrator may instruct you to make a change in the Advanced settings. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode for this particular VPN configuration. If you need to make a configuration change, it must be done while Connect Tunnel is disconnected.
For example, let's say you have a host resource (a Web server) with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center, and it uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Advanced settings, click Prefer local network resource access, and then click Update.
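As an added illustration (not code from SonicWALL or the Connect Tunnel client), the following Python model shows how the split tunnel, redirect all, local resource access and Prefer local network resource access settings above combine to decide where a packet for 192.168.230.1 goes; the resource list, local network and policy field names are constructed assumptions, and the model also accepts IPv6 addresses.

```python
# Added example, not SonicWALL/Aventail code: a simplified model of the
# tunnel-mode routing decision described above (all inputs are constructed).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class TunnelPolicy:
    mode: str                                      # "split" or "redirect_all" (set in AMC)
    resources: list = field(default_factory=list)  # AMC resource list: hosts or networks
    local_access: bool = False                     # admin allows local printers/file shares
    prefer_local: bool = False                     # user's "Prefer local network resource access"


def route_for(dest: str, policy: TunnelPolicy, local_nets: list) -> str:
    """Return "tunnel", "local" or "blocked" for an IPv4 or IPv6 destination.

    A resource-list address goes through the tunnel unless split mode, local
    access and "prefer local" are all on and the address also sits on a local
    network. Split mode routes everything else normally; redirect-all blocks
    everything else except permitted local printers/shares.
    """
    addr = ip_address(dest)
    in_resources = any(addr in ip_network(r, strict=False) for r in policy.resources)
    on_local = any(addr in ip_network(n, strict=False) for n in local_nets)

    if in_resources:
        if (policy.mode == "split" and policy.local_access
                and policy.prefer_local and on_local):
            return "local"   # the conference-centre printer wins the address conflict
        return "tunnel"
    if policy.mode == "split":
        return "local"       # open access to anything not in the resource list
    if policy.local_access and on_local:
        return "local"       # redirect-all, but local shares/printers are permitted
    return "blocked"


if __name__ == "__main__":
    # Constructed scenario from the help text: a Web server resource at
    # 192.168.230.1 and a conference-centre LAN that reuses that address.
    resources = ["192.168.230.1", "10.0.0.0/8"]
    conference_lan = ["192.168.230.0/24"]
    split = TunnelPolicy("split", resources, local_access=True)
    print(route_for("192.168.230.1", split, conference_lan))   # tunnel (the Web server)
    split.prefer_local = True
    print(route_for("192.168.230.1", split, conference_lan))   # local (the printer)
    strict = TunnelPolicy("redirect_all", resources)
    print(route_for("203.0.113.5", strict, conference_lan))    # blocked
```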
If your administrator has allowed the Credential Caching policy, you can enable or disable it via the Remember Credential check box on the Connect Tunnel Options dialog box. If enabled (checked) on Linux, the policy works while Connect Tunnel is running. However, on Mac OS the information is stored in the keychain and persists across reboots.
If Secure Network Detection is enabled, Connect Tunnel is put into one of three states when connecting to an appliance for the first time:
- Connected: The machine is not in a secure location and requires a VPN connection to access resources.
- Idle: The machine is in a secure network and does not need the VPN connection to access resources.
- Disconnect/Error: The connection is dropped and disconnected due to external network events (for example, a network change or a dropped Wi-Fi signal).
Some VPN configurations require that you accept a server certificate before you can gain access to a protected network resource. A server certificate is essentially a digital signature that verifies the server's identity.
If you access a network resource that uses a server certificate, Aventail Connect may display the certificate. Verify that the server certificate is from a trusted source before accepting it. Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.
For Linux users, some network resources may require traffic to pass through an Internet proxy server, which provides access from your local network to the Internet. Your administrator determines whether a proxy server is required, but you may occasionally be required to specify settings for it.
In many cases, Aventail Connect can automatically detect your Internet proxy server settings. If the settings cannot be automatically detected, however, you must manually specify them.
This section describes how to specify outbound proxy server settings. This option is available only when Aventail Connect is offline (that is, when not connected to your VPN), and only in the Linux version of the program.
To configure outbound proxy server settings (Linux)
- In the Aventail Connect login dialog, click Advanced.
- Click the Proxy tab.
- Click one of the following options:
- Direct Connection to the Internet: Enables a direct connection to the Internet, with no outbound proxy server redirection.
- Automatically detect proxy settings: Configures the client to detect and use the outbound proxy server settings as defined on your remote network.
- Manual proxy configuration: Enables you to manually specify proxy server settings. In the SSL box, type the host name or IP address of the Internet proxy server. In the Port box, type the number of the port on which the server is listening. Select the Use the same proxy server for all protocols check box to use the specified SSL server for all traffic, or specify different proxy servers and their port numbers for HTTP, FTP, or SOCKS traffic. Optionally, in the No proxy for box, you can specify host names or IP addresses that you do not want redirected through a proxy server.
- Automatic proxy configuration URL: Configures the client to retrieve a proxy auto-configuration (.pac) file that specifies proxy-server settings. In the text box, type the URL of the server that hosts the .pac file.
- Click OK. The login dialog appears.
This section describes how to troubleshoot basic Aventail Connect tunnel client problems. If you are having trouble connecting to your VPN, or accessing local or remote network resources, see if your problem is addressed by the following. If the problem persists, contact your system administrator.
Unable to Connect
Here are a few items to check if you are having trouble connecting to your VPN:
- Make sure that Aventail Connect is running and actively connected to the network. For more information, see How to Tell if Aventail Connect is Running.
- Verify in the Aventail Connect Properties dialog box that you are initiating a connection to the correct host name or IP address. For more information, see Starting Aventail Connect.
- Verify in the Aventail Connect Properties dialog box that you are initiating a connection to the correct login group. For more information, see Specifying a Login Group.
- If you use a personal firewall, you may need to configure it before you can access your VPN. To do this, configure the firewall to allow traffic to the VPN host name or IP address on port 443.
Unable to Access Resources or the Internet
Your device may have been classified into the wrong security zone:
- Your administrator may ask you to confirm the security zone into which you have been classified. If security zones have been configured, you can view your current zone by hovering the cursor over the Aventail Connect icon in the taskbar notification area.
If you are having trouble accessing resources, your administrator may instruct you to make a change in the Connect Tunnel Properties dialog box, on the Advanced tab. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode. If you need to make a configuration change, it must be done while Connect Tunnel is disconnected.
For example, you have a host resource (a Web server) with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center, and it uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Connect Tunnel Properties dialog box, click the Advanced tab, and then click Prefer local network resource access for your session.