Aventail Corporation
Technical Integration Guide

Introduction:

This supplement describes how to integrate Microsoft Office Outlook with Aventail’s SSL VPN appliance and how to configure the Aventail ASAP Management Console (AMC) in order to provide users secure remote access to their respective Microsoft Exchange mailboxes.

There are four modes of accessing a Microsoft Exchange mailbox:

a) Microsoft Outlook Web Access using a Web browser

b) Microsoft Outlook using a thick client

c) Pocket Outlook on Small Form Factor devices

d) Outlook Mobile Access on Small Form Factor devices

Aventail supports all four modes. Support and configuration steps for each are discussed in this document to ease the process of integration.

Audience:

Administrator:

The administrator is assumed to be aware of Microsoft Outlook Server and Outlook Client installation.

For information on installation and configuration of Microsoft Outlook Server, refer to the installation guide of Microsoft Outlook Server.

An administrator can use this document to:

a) Configure AMC to provide access to the Microsoft Exchange mailbox.

b) Troubleshoot and resolve end-user-related access problems

Help Desk Technician:

Help desk technicians should understand the access control rules set by the administrator, and can use this document to troubleshoot and resolve end-user-related access problems.

End User:

An end user can use this document to learn how:

a) To get OWA access by logging into the WorkPlace portal

b) To use the Outlook client to connect to his mailbox

Outlook Web Access: Configuration

Compatibility and System Requirements to use Outlook Web Access

Support for various Microsoft Office Outlook Web Access versions

Aventail image version       Outlook Web Access version
ASAP 7.2 and prior           Outlook Web Access of Exchange Server 2000 (Premium and Basic)
ASAP 8.0 and later versions  Outlook Web Access of Exchange Server 2000 / 2003 (Premium and Basic)


Client System Specifications: For Outlook Web Access

Operating system: Windows XP Professional with Service Pack 2, Windows XP Home Edition with Service Pack 2, or Windows 2000 with Service Pack 4
Web browser: Microsoft Internet Explorer v6.0 with Service Pack 1, or Mozilla Firefox 1.5

Operating system: Linux (Suse, Fedora 2, Fedora 4)
Web browser: Mozilla Firefox 1.5 with Java enabled

Operating system: Macintosh OS X
Web browser: Macintosh Safari 1.2 or Mozilla Firefox 1.5 with Java enabled

Support on various Aventail ASAP Appliances

All Aventail appliances provide interoperability support for Microsoft Office Outlook. Support is given on Standalone, Dual-node cluster, and Multi-node cluster deployments, with configuration either of a single home or of a dual home.

AMC Configuration for OWA:

AMC enables users to have secure remote Web access to their respective Microsoft Exchange mailboxes in just a few easy configuration steps.

Prerequisites:

a) Confirm the Hostname or IP address of your Microsoft Outlook Server

b) Configure network and SSL settings, and import license file in AMC

c) Ensure that you can resolve and ping your Microsoft Outlook Server from the appliance

For more information on configuring network settings, refer to chapter 4 of the Aventail EX-2500 Installation and Administration Guide.

The following sections describe the configuration steps.

Configuring the appliance to provide Outlook Web access to a group

Step 1) Add a resource, using the Resources tab on the left-hand side of the AMC.

a) Fill in the Resource name (e.g., Outlook Web Access) and Description

b) Type in the IP address or URL ( , where Exchange is the start page) of your company's Outlook Server.

c) Check “Create Shortcut on Aventail WorkPlace” (the resource created will be seen as a link when users log in to the WorkPlace portal)

d) Click Save

Advanced Configuration:

Alias:

If you want to obscure the internal host name for a URL resource, supply an alias name (e.g., Outlook alias) in this box. This is a public alias that will represent the private URL (e.g., user would access of

Synonyms:

If your Outlook Server has more than one host name (or “synonym”), type those host names (or IP addresses) in this box. Separate multiple synonyms with semicolons.

e) Click on User Access -> Aventail WorkPlace on the left tab in AMC

f) Click on Advanced

g) Type in the OWA start page (Exchange) as shown below

h) Click on Save.

Step 2) Creating realms and provisioning agents

a) Click the Realms tab on the left-hand side of your AMC screen

b) Create a new realm

c) Enter the Name and Description of the realm

d) Choose an authentication server on which Outlook users will be authenticated (in the example above, Active Directory is used)

e) Click Next

f) Click Create New to create a community of users

g) Click Edit to choose a member group; this group of users will belong to this community (the default is Any)

h) Click Access Methods to choose the agents that will be provisioned on logging in to the Aventail WorkPlace portal

Refer to chapter 10 (User Access Components and Services) of the Aventail Installation and Administration Guide to understand different access methods.

Best Practices: Use Translated Web access.

Step 3) Create an access rule for the created resource.

Access to a particular resource is given through the Access Control List (ACL), a list of rules. In the above example, a group of users authenticating using the AD realm are given the access.

a) Click the Edit tabs to choose the required User Group and Resource

To create “User Groups” and “Resources” refer to chapters 5 & 6 of the Aventail Installation and Administration Guide.

Zones, realms, and authentication methods provide granular control on defining ACL.

For more information on accessing WorkPlace portal, refer to chapter 9 of the Aventail Installation and Administration Guide.

Configuring Single Sign-On (SSO) for OWA:

Aventail supports:

a) Basic SSO – when your OWA server is set up for Basic authentication

b) SSO with NTLM authentication – when your OWA server is set up for Integrated authentication

c) Form-based authentication – when your OWA server is set up for Form-based authentication

Configurations for all these methods are discussed below:

a) Single Sign-On configuration (SSO) for OWA without NTLM (Windows NT LAN Manager) authentication forwarding:

SSO is supported on username and password authentication.

Step 1) Modify the Outlook Web Access resource

a) Click Resources

b) Choose the Outlook Web Access resource

c) Choose the Web Application Profile OWA/Single Sign-On.

For users who are authenticated with username/password, the same credentials will be used to authenticate against the Microsoft Outlook Server.

b) Single Sign-On configuration (SSO) for OWA with NTLM (Windows NT LAN Manager) authentication forwarding:

SSO is supported on username and password authentication.

Step 1) Modify the Outlook Web Access resource

a) Click on Resources

b) Choose the Outlook Web Access resource

c) Choose the Web application profile OWA-SSO

Step 2) Modify the authentication server configuration to forward the NTLM domain

a) Select the authentication server on which users will authenticate to get access.

b) Click Edit and continue on to the advanced configuration

c) Type in the domain name in which the Microsoft Outlook Server exists

Or

If the authentication server name is the same as the domain name, choose the second option

The provided domain name or authentication server name will be forwarded along with the user credentials.

c) Form Based SSO configuration for OWA:

SSO is supported on username and password authentication.

Step 1) Modify the Outlook Web Access resource

a) Click Resources

b) Choose the Outlook Web Access resource. Since the authentication form is an SSL-based resource, the URL is https and not http (e.g.:

c) Choose the Web application profile OWA/Single Sign-On

Step 2) Configure the Web proxy service

a) Click on the Services tab under System Configuration

b) Click on the Configure link under Web Proxy Service

c) Click on Single Sign-On Profiles.

d) Replace EXCHANGE_SERVER in ‘Application URL’ with either the URL of the Exchange Server (outlook-server.com) or the IP address of the Outlook Server.

e) Replace EXCHANGE_SERVER in ‘destination element’ with either the URL of the Exchange Server (exchange-server.com) or the IP address of the Outlook Server.

f) Set the other parameters to your requirements. For example:

  1. Username – whether to pass the username itself or the domain name
  2. Force down level – whether Premium or Basic OWA access is required.

Step 3) If your Outlook Server is running SSL, import the Outlook Server’s CA certificate

a) Click on the SSL Settings tab under System Configuration

b) Click on Edit under the CA certificates section

c) Click on New

d) Import or paste in the contents of the Outlook Server’s CA certificate

e) Under the Usage tab, choose Web Server Connections

Client End Access:

Users who wish to have Outlook Web Access need to:

a) Log in to the WorkPlace portal of your company using a realm on which an access control rule is configured.

b) Click the Outlook Web Access resource link, seen on your WorkPlace portal.

The Outlook Web Access resource will be visible as a WorkPlace link.

In our example, users coming in a realm (Outlook Access) using AD authentication were given the access.

c) Click on Outlook Web Access.

d) Type in your credentials when prompted for username and password

On authentication, users will be directed to their respective mailboxes.

Client-Server Access: Using Microsoft Outlook Client

Compatibility and System Requirements

Support for various versions of Microsoft Outlook Servers:

Aventail image version       Outlook Web Access version
ASAP 7.2 and prior           Outlook Web Access of Exchange Server 2000
ASAP 8.0 and later versions  Outlook Web Access of Exchange Server 2000 / 2003


Client system requirements:

The Microsoft Outlook client works only on Microsoft Windows® 2000 with Service Pack 3 (SP3) or later, or Windows XP or later.

Support on various Aventail ASAP Appliances

Aventail EX-750, EX-1500, EX-1600, and EX-2500 appliances have interoperability support with Microsoft Office Outlook. Support is given on Standalone, Dual-node cluster, and Multi-node cluster, with configuration being either of a single home or a dual home.

AMC Configuration for Exchange:

AMC enables users to have secure remote Web access to their respective Microsoft Exchange Mailboxes in just a few easy configuration steps.

Prerequisites:

a) Confirm the hostname or IP address of your Microsoft Outlook Server

b) Configure network and SSL settings, and import the license file in AMC

c) Ensure that you can resolve and ping your Microsoft Outlook Server from the Aventail appliance

For more information on configuring network settings, refer to chapter 4 of the Aventail EX-2500 Installation and Administration Guide.

The following sections describe the configuration steps.

Step 1) Create a resource for the Microsoft Outlook Server

a) Type in the resource name and IP address or host name (as illustrated above)

Step 2) Creating realms and provisioning agents

a) Click the Realms tab on the left-hand side of your AMC screen

b) Create a new realm

c) Enter the Name and Description of the realm

d) Choose an authentication server on which Outlook users will be authenticated (in the example above, Local authentication is used)

e) Click Communities to create a community of users

f) Click Edit to choose a member group; this group of users will belong to this community (the default is ‘any’)

g) Click Access Methods to choose the agents that will be provisioned on logging in to the Aventail WorkPlace portal

  • Outlook client with Connect / OnDemand Tunnel:

Choose Smart tunnel access (Connect Tunnel or OnDemand tunnel)

Configure AMC to deploy the Network Tunnel Service

  • Outlook client with OnDemand proxy:

Choose Web based proxy (Connect Tunnel or OnDemand tunnel)

Refer to chapter 10 (User Access Components and Services) of the Aventail Installation and Administration Guide to understand and configure different access methods.

Step 3) Create an access rule (ACL) for the created resource.

The Access Control List (ACL), a list of rules, controls the access to a particular resource. In the above example, all users coming from the Outlook access realm can configure their Outlook clients to access their mailboxes.

a) Click the Edit tabs to choose the required User Group and Resource.

To create “User Groups” and “Resources” refer to chapters 5 & 6 of the Aventail Installation and Administration Guide.

Zones, realms, and authentication methods provide granular control on defining ACL.

For more information on accessing WorkPlace portal, refer to chapter 9 of the Aventail Installation and Administration Guide.

Client-end Access:

To run Microsoft Outlook Client:

Prerequisites:

a) To have the Outlook client installed on your machine.

b) To have one of Aventail’s User Access Components and Services installed

Or

To log into the WorkPlace portal with OD tunnel as an access agent.

For information on Aventail Connect, Connect Tunnel, OnDemand (OD) proxy and OD tunnel, refer to chapter 10 (User Access Components and Services) of the Aventail Installation and Administration Guide.

Steps to start Outlook client:

a) Launch Connect Tunnel or Aventail Connect and authenticate, or log in to the WorkPlace portal.

b) Launch the Outlook client

c) Provide the Outlook Server’s hostname or IP address (e.g., exchangeserver.yourlabdomain.com or 10.20.20.53; contact your administrator for details) while configuring the client

d) Authenticate with your credentials to gain access to your mailbox

Internationalization Support:

Aventail supports internationalization (i18n) in versions 8.5.2 and 8.6.1. Support is tested in both Japanese and South Korean languages.

a) Outlook Web Access: a browser supporting local languages can be used

b) Outlook Mobile Access: Small Form Factor devices that support internationalization can be used.

c) Microsoft Outlook Client: localized thick client versions of Outlook can be used

Upgrades:

a) If your appliance is configured to have Microsoft Outlook access, and you are planning to upgrade or roll back, then no changes are required in AMC.

b) Upgrading the Microsoft Outlook Server or client is completely transparent to Aventail appliances and requires no changes in AMC (the versions supported are only Microsoft Exchange Server 2000 and Microsoft Exchange Server 2003).

Troubleshooting:

a) Check the access control rules to be sure the required users have access permissions

The AMC logging facility can help you deduce problems (example below).

Use “IP or server name” or URL as search strings to view required logs. Resource definition (URL) could be wrong, as shown above.

b) Check if Microsoft Outlook Server is routable from appliance

c) Check if traffic is reaching the appliance; verify if Firewall is blocking it

d) Check logs on Microsoft Outlook Server
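A pre-flight check for the prerequisite and troubleshooting steps above (resolve the Outlook Server, confirm it is routable from the appliance and not blocked by a firewall). This is an added example, not Aventail's own tooling: it uses a TCP connect on the OWA ports instead of ICMP ping, because the service port is what the appliance actually needs and ICMP is often filtered; the port list (443, 80) and the hostname and address from the client section (exchangeserver.yourlabdomain.com, 10.20.20.53) are assumptions for illustration.

```python
"""Pre-flight reachability check for an Outlook Server resource.

Added example, not Aventail tooling. Run it from a host in the appliance's
network position before defining the resource in AMC, or when the
troubleshooting steps point at routing or a firewall.
"""
import socket

# Assumed ports for this example: Outlook Web Access over HTTPS and HTTP.
OWA_PORTS = (443, 80)


def resolve_host(host):
    """Return the sorted IPv4 addresses for host (an IP literal passes through)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port, timeout=3.0):
    """True when a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_resource(host, ports=OWA_PORTS, resolver=resolve_host, connector=tcp_reachable):
    """Check name resolution and TCP reachability; return a report dict.

    resolver/connector are injectable so the logic can be exercised offline.
    'ok' is True only when the name resolves and every port is reachable on
    at least one resolved address; 'hints' maps each failure to the
    troubleshooting step it corresponds to.
    """
    report = {"host": host, "addresses": [], "ports": {}, "ok": False, "hints": []}
    addrs = resolver(host)
    report["addresses"] = addrs
    if not addrs:
        report["hints"].append("name does not resolve: fix DNS in the appliance "
                               "network settings or define the resource by IP address")
        return report
    for port in ports:
        reachable = any(connector(ip, port) for ip in addrs)
        report["ports"][port] = reachable
        if not reachable:
            report["hints"].append("tcp/%d unreachable: check routing from the appliance "
                                   "and any firewall between it and the Outlook Server" % port)
    report["ok"] = all(report["ports"].values())
    return report
```

Call `check_resource("exchangeserver.yourlabdomain.com")` from the appliance-side host; a report with `ok` False tells you whether DNS, routing or a port filter is the problem before you look at the AMC logs.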

For more information on troubleshooting, refer to Appendix A of the Aventail Installation and Administration Guide.

Supported Small Form Factor Devices

Pocket Outlook and Outlook Mobile Access (OMA) are supported on following devices:

  • Audiovox
  • Blackberry
  • Danger
  • Dell
  • Ericsson
  • Hewlett-Packard
  • Motorola
  • NEC
  • Nokia
  • Palm
  • Panasonic
  • Samsung

Descriptions of some of the models are listed below:

Audiovox / Smart Phone Advanced
DOCOMO / PPC / PDA
Windows CE / iMode Phone (CHTML)
J-SH51 / iMode Phone Vodafone
J-SA51 / iMode Phone Vodafone
V601 / iMode Phone v601t/v601sh Vodafone
UP Browser / WAP Phone (V 2.0)
I-PHONE / iMode Phone (CHTML)
Blazer / PPC/PDA
Nokia / Smart Phone – Basic
UP link / WAP Phone (v 2.0)
Motorola / WAP Phone (v 2.0)
Blackberry / WAP Phone (v 2.0)
KDDI / Smart Phone
SEC / WAP Phone (v 2.0)

Non-Supported Features:

a) Firefox and Safari support for OWA is only with Extraweb translated mode.

b) Microsoft supports only Basic OWA with the Firefox browser.

©2006 Aventail Corporation. All rights reserved. Aventail, Aventail ASAP,
Aventail Connect, Aventail EX-750, Aventail EX-1500, Aventail EX-1600,
Aventail EX-2500 and Aventail OnDemand, and their respective logos are
trademarks, registered trademarks, or service marks of Aventail Corporation.
Other product and company names mentioned are the trademarks of their
respective owners.


Microsoft Office Outlook - Integration Guide

Version 1.0 – July, 2006