lcfd and Aventail

[saggaf]

Hi,

lcfd does not work when coexist with Aventail v4.x !!! I tried to add lcfd into the exclude list of Aventail but it did not work (it worked for Aventail v3.2x only)! The problem get fixed only after uninstalling Aventail ! but this is not a solution as I need to use Aventail badly.

Does any body has any workaround for this problem ?

Thanks.
Sheikh

 

[jrsimmo]

There is a solution for this on the Tivoli Database:
Bottom line, order of installation is significant - ie, the Tivoli product should be installed first. The problem is that Aventail intercepts the packets that Tivoli sends to its Gateways, and it's incompatible with us. Aventail claims all the ports, unless you modify Aventail to exclude the "lcfd.exe" process. So,
*if* you're running Aventail, install Tivoli products first, then install Aventail, and modify Aventail to exclude the Tivoli processes (leaving the ports free for us). It would probably be a good idea to exclude all files that open TCP/IP connections.

To get lcfd and Aventail to work together:
1. Upgrade Aventail Connect from 3.01s (or whatever it is) to 3.21s
2. Change the "Modify List" of the Aventail configuration file to add
"lcfd.exe" to the list of apps to EXCLUDE from interception.
Then they should be able to coexist.

One more tip to get it to work.

IBM SecureWay Firewall: How to setup SOCKS in debug level logging.
Problem Desc: How to setup SOCKS in debug level logging.

The socks implementation on Firewall version 4.1 (both platforms) drastically changes the debug logging behavior.

Aventail natively provides logging at a fairly useful debug level, so one easy thing to do is to enable the debug logging that they provide as a documented part of their product. To enable this logging, edit the &quot;s5.conf&quot; file in the &quot;<firewall root>/config&quot; directory on Windows NT or in the &quot;/etc/security&quot; directory on AIX.
Find a stanza which starts like following:

installation &quot;Converted&quot;
{
<lots of indented directives>
}

Any place inside of those two braces, add the following six directives:

secout = LOGFILE;
sysout = LOGFILE;
miscout = LOGFILE;
seclevel = DEBUG3;
syslevel = DEBUG3;
misclevel = DEBUG3;

These directives will redirect all of Aventail's log facilities (&quot;security&quot;, &quot;system&quot;, &quot;miscellaneous&quot to their respective hardcoded files, at the highest debug priorities. The files are &quot;security.log&quot;, &quot;system.log&quot;, and &quot;misc.log&quot;. These files will show up in &quot;c:\&quot; on Windows NT and in &quot;/etc/security/socks&quot; directory on AIX. In addition, ask for verbose output to the screen, but only if running in a console window (as opposed to as a Windows NT Service).

On Windows NT, use the following command:

fwsocks5 -d -c &quot;c:\program files\ibm\firewall\config\s5.conf&quot; -V

On AIX, use the following command:

/usr/sbin/fwSocks5 -d -V3

Thanks,
Jim Simmons
Technical User

 

[KDorner]

This is the closest I've seen to a fix for this. I am using Aventail Connect 5.0.1.76, and I have the Aventail Connect Config. Tool 5.30 to edit config. files. But I see absolutely nowhere to put any exceptions or an application list in a config file in any level of network or subnet, or anywhere else in the config. file. The closest I see in this config. utility is a "required applications list" (applications such as antivirus that must be running to allow connection.)

Can anyone indicate where one can put application exclusions in the Aventail config. file so I can exclude lcfd.exe? The config. file is gibberish without the editor; it can't be edited manually. Thanks.