
Secure Entry Client


Contents

1. Info text for the ToolTip of the project logo. For each line in the info text a ToolTip entry with a consecutive number (ToolTipx) must be created, e.g. ToolTip1 = the info text for the project logo, ToolTip2 = second line, ToolTip3 = third line, ToolTip4 = fourth line. HtmlLocal: HTML file that will be displayed if there is a mouse click on the project logo. The file must be available locally on the computer. If a path is not specified, then the file is searched in the current directory of the Secure Client. E.g. HtmlLocal = C:\programs\ncp\SecureClient\MyProjectInfo.html. 3 Client Monitor: Once you have installed the Client, the Monitor should appear automatically on the PC's screen. To manually display the Monitor, click on Start / Programs / NCP Secure Client / Secure Entry Client Monitor. The Client Monitor will be loaded and displayed on the screen or in the task bar. Note: When the monitor is loaded, it will either be displayed on the screen as well as in the taskbar or, if it is loaded but not displayed, it appears only in the taskbar. [Screenshot: NCP Secure Entry Client monitor window with the menus Connection, Configuration, Log, Window, Help; the profile selector (Outside Line, Headquarters); the WLAN signal display; and the Statistics panel with Time online, Timeout (sec), Data Tx/Rx in Byte, Direction and Link Type]
2. [Contents of the Services appendix: CONNMAN A46; CMP A47; RADIUS; Log; Syslog; Console; 2.2.5 Update of the Update Client A50; 3 ncpbudgt.exe Budget Manager (Connection Management Statistics) A51; 4 rwscmd.exe Command Line Interface A52; 4.1 Transferring Commands to the NCP Secure Client A52; 4.2 Prerequisite for Program Use A53; 4.3 Description of the Commands A53; 5 … A56; connect.bat; disconnect.bat A58] Appendix: Secure Client Services. Services and Applications of the Secure Client: The services ncpsec.exe, ncprwsnt.exe and rwrsu.exe can be called from the Windows system service overview, accessed via the Windows start menu under Control Panel / Administrative Tools / Services; the NCP services are highlighted in the figure below. [Screenshot: Windows Services console with the NCP services highlighted]
3. Appendix: Mobile Computing via GPRS/UMTS. Static key (Preshared Key): Common secret for data encryption. If certificates are not used, a common key is needed for data encryption; it then needs to be configured identically on both sides (VPN client and VPN gateway). [Screenshot: Static key dialog] Link Firewall: Select and enable different firewall features. Activate the desired firewall options. Enabling Stateful Inspection will discard packets from other hosts. Options: Enable Stateful Inspection; Only communication within the tunnel permitted; Microsoft Dial-Up Networking (if Microsoft's dialer is in use, only communication within the tunnel is permitted). [Screenshot: Available Destinations list with Destination Name, Phone Number and Link Type; buttons New Entry, Duplicate, Delete, Help, Cancel] Do not change the static key setting for the test connection. Click on Next. It is not necessary to set the Link Firewall for the test connection. Click on Next. This concludes the configuration with the assistant. Now click on Configuration and complete the configuration in the telephone book. 2.2 Configuration in the Phonebook: For the test
4. [Contents: ISDN 131; Modem 131; LAN over IP 132; xDSL (PPPoE) 132; xDSL (AVM, PPP over CAPI) 132; GPRS/UMTS 133; PPTP 133; WLAN 133; Ext. Dialer 134; Automatic media detection 134; Use this profile after every system reboot 135; Use this phonebook entry after every system reboot 135; Use Microsoft RAS Dialer 135; 5.1.2 Dial-Up Network 136; Username 137; Password 137; Save Password 137; Destination phone number 137; Alternate destination phone numbers 138; RAS script file 138; 5.1.3 HTTP Logon 139; Username (HTTP Logon) 140; Password (HTTP Logon) 140; Save Password (HTTP Logon) 140; HTTP Authentication Script (HTTP Logon) 140; 5.1.4 Modem 141; Modem 142; COM Ports 142; Baud Rates 142; Release Com Port 142; Modem Init St
5. 3.1.5 Status Displays: The graphic field of the Client Monitor displays different icons depending on the configuration; these icons can take on different status settings depending on the phases of the connection setup. Tooltips provide brief comments on the function when you move the cursor over one of the icons. The status displays are described below in the sequence in which they are shown in the illustration, from left to right. [Illustration: Status Displays: PIN Status, Firewall, Headquarters, Chip Card Reader, Corporate Network, EAP Authentication] EAP Authentication: If an extended authentication via the Extensible Authentication Protocol (EAP) has been activated in the EAP options, then this will be displayed via the EAP icon. The color yellow indicates the EAP negotiation phase, red indicates unsuccessful authentication, green indicates successful authentication with EAP. Double-click on the EAP icon to reset the EAP; a new EAP negotiation will then be executed automatically. If the Client is successfully authenticated relative to a network component, the opposite side will indicate which protocol was used; this information is always displayed with a green icon and the designation MD5 or TLS. If an EAP icon is displayed in red and the connection has been set up nonetheless, this means that EAP has been configured in the Cl
6. [Screenshot: Setup wizard, Select Program Folder: "Setup will add program icons to the Program Folder listed below. You may type a new folder name or select one from the existing folders list. Click Next to continue." Existing Folders: NCP Management, NCP Management Server] Installation: The default directory for installation is Programs\ncp\SecureClient. Independently of a Typical or Custom installation, you can select any folder for the software installation by clicking on Browse. This is particularly important if the user should have no rights on the system root directory. If you select Typical in this window, the installation will continue automatically and the setup is finished. Selecting the Custom installation, you can define settings according to your requirements. In the following window of the Custom installation you define the program folder for the client software (default setting: NCP Secure Client). Moreover, you can have the Program Icon of the NCP Secure Entry Client displayed on the Desktop. [Screenshot: DHCP settings] NCP SECURE
7. 4.4.4 Show WLAN Status: Independently of the connection medium of the current link profile, in the Monitor menu Window under Show WLAN status you can open or close a separate field for the graphic display of WLAN field strength, provided a WLAN configuration has been activated in the Monitor menu Configuration under WLAN settings. If a multifunction card has been configured, then the menu item WLAN panel is not active. 4.4.5 Always on top: When Always on Top is activated, the monitor will always be displayed in the foreground of your desktop, regardless of which application is currently active. 4.4.6 Autostart: This menu item allows you to set the monitor to be started after booting. Use this menu item to set the following options: no Autostart after booting (do not start the monitor automatically); minimize start after booting (start the monitor and minimize the display); maximize start after booting (start the monitor and display it in its normal size). If you use the IPSec client often and need the information displayed on the monitor, you should select the Autostart option maximize start. It is, however, not mandatory to start the monitor in order to communicate with the destination. 4.4.7 Minimize when closing: If the monitor is closed during an existing connection via the close button (x) in the upper righ
8. Clicking this button will open a window where you can enter the name and path of the file to be created for the log feature to write records to (default name ncptrace.log). [Screenshot: file selection dialog in the installation directory] All communication transactions (but not the data) will then be written to the file until the Close File command is initiated. Creating a log file will enable you to make a more detailed review or analysis of your communication transactions over a longer period of time. Close File: Clicking on the Close button will close the file that was established with Create File. Once the file has been closed, it can then be used to make a detailed review or analysis of the communication transactions that have been stored. Clear Screen: Clicking this button will delete the contents of the log screen and empty the buffers. Close Logbook: When you click on Close, the logbook closes and returns to the monitor. Any recorded data remains unchanged. 4.4 Window: This feature lets you influence the way in which the monitor is displayed on your screen. 4.4.1 Show Pro
9. AuthCodeDisableRest = 0: With configuration downloads the authentication code is reset (0) or not reset (1). CONNMAN: In this section the parameters are set for the automatic update of the foreign phonebook for T-Online. URL = http://www.t-update.de/securevpn/phb.zip: Phonebook file URL of the Connection Manager; check this entry in the configuration file. Interval = 800000: Time interval in which a new foreign Phonebook should be downloaded from T-Online. The time starts running after a Client requests a T-Online Phonebook for the first time. ProxyHost = XXX.XXX.XXX.XXX: IP address of the HTTP Proxy Server (if necessary). ProxyPort = 80: Port of the Proxy Server. ProxyAuthName: User ID for the Proxy Server. ProxyAuthPwd: Password for the Proxy Server. CMP: CmpPort = 829: CMP Listen Port (0 = CMP Server disabled). CmpPollTime = 15: CMP polling interval in seconds. LogLevel = 0: CMP Log Level, possible values 0 to 9; the value determines the depth of the analysis level for the log file. RADIUS: Enabled = 1: The integrated RADIUS Server of the Management System is activated with 1 and deactivated with 0. AuthPort = 1812: Authentication Port (standard 1812, should not be changed). AccPort = 1813: Accounting Port (standard 1813, should not be changed). LogLevel = 0: RADIUS
10. Module name: The name of the DLL must be entered as the PKCS#11 DLL. The associated slot index is manufacturer-dependent (standard 0). [Fields: Module name = xyz; PKCS#11 DLL = name of the DLL; Slot index] After a boot process, the Module name you entered appears in the monitor menu if the file NCPPKI.CONF for the drivers has been set to visible (visible = 1). You can use an assistant to search for installed PKCS#11 modules and then select the desired module with the associated slot; for this, click the button PKCS#11 Module. Do not disconnect when Smart Card is removed: The connection is not necessarily broken off when the Smart Card is removed. Whether Do not disconnect when Smart Card is removed applies is set via the main menu of the monitor under the menu item Configuration / Certificates. PIN request at each manual connect: Default: If this function is not used, the PIN request is displayed only for the first connect of the VPN/PKI Client. If this function is activated, the PIN will be requested at each connect. Important: If the monitor has not been started, then no PIN dialog will take place; in this case, with an automatic connection establishment, the connection will be established without renewed PIN entry. PIN Policy: You can specify
11. NCP Secure Entry Client, WIN32/64, Version 9.0, February 2007. With Appendix about Mobile Computing, Domain Logon and NCP Services. Disclaimer: Considerable care has been taken in the preparation and publication of this manual; errors in content, typographical or otherwise, may occur. If you have any comments or recommendations concerning the accuracy, then please contact NCP as desired. NCP makes no representations or warranties with respect to the contents or use of this manual and explicitly disclaims all expressed or implied warranties of merchantability or use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the content at any time without obligation to notify any person or entity of such revisions and changes. Copyright: This manual is the sole property of NCP and may not be copied for resale, commercial distribution or translated to another language without the express written permission of NCP engineering GmbH, Dombühler Str. 2, D-90449 Nürnberg, Germany. Trademarks: All trademarks or registered trademarks appearing in this manual belong to their respective owners. © 2007 NCP engineering GmbH. All rights reserved. Total production of this manual: Michael Lösel, Documentation/Publication (e-mail: ml service t online de), Pirckheimerstraße 47, D-90408 Nürnberg, Germ
12. [Contents: 4.4 Window 107; 4.4.1 Show Profiles 107; 4.4.2 Show Buttons 108; 4.4.3 Show Statistics 108; 4.4.4 Show WLAN Status 108; 4.4.5 Always on top 109; 4.4.6 Autostart 109; 4.4.7 Minimize when closing 109; 4.4.8 Minimize when connected 110; 4.4.9 Language 110; 4.5 Help 111; 4.5.1 License Data and Activation 111; 4.5.2 Search new Updates 112; 4.5.3 Info; 4.6 Licensing; 4.6.1 Test Version Validity Period; 4.6.2 Software Activation 115; Online Variant 116; Offline Variant 118; 4.7 Updates 118; 4.7.1 Software Updates; 5 Configuration Parameters 127; 5.1 Profile Settings 128; 5.1.1 Basic Settings 130; Profile name 131; Connection type 131; VPN to IPSec … 131; Internet connection without VPN 131; Communication medium
13. [Contents: … 22; Local System 22; ISDN adapter (ISDN) 22; Analog Modem (Modem) 22; LAN adapter (LAN over IP) 23; xDSL Broadband Device (PPPoE) 23; xDSL (AVM, PPP over CAPI) 23; Multifunction Card (GPRS/UMTS) 23; WLAN adapter (WLAN) 24; Automatic Media Detection 24; Prerequisites for Strong Security 25; TCP/IP 25; Smart Card Reader 25; Smart Card Reader (CT-API conform) 25; Smart Cards 26; Soft Certificates (PKCS#12) 26; Smart Cards or Token (PKCS#11) 26; 2.2 Installing the Client Software 27; Installation and Licensing 27; Installing from CD 27; 2.2.1 Default Installation 28; 2.3 Initial Configuration Assistant; 2.4 Updating and Uninstalling; 2.5 Upgrade to the Secure Enterprise Client; 2.6 Project Logo 37; 3 Client Monitor 39; 3.1 The Client Monitor User Interface 40; 3.1.1 Operating and Display Field
14. [Screenshot: Firewall Settings rule list, e.g. rules for mozilla.exe and wget.exe with their state and network] …selected networks for which the respective rule can be defined, and whether this rule will be valid regardless of application: Unknown networks, Friendly networks, VPN networks; Rules with applications, without applications. These selection fields for the display of rules are only for overview purposes and have no effect on the application of a filter rule. The most important characteristics are displayed for each defined rule: Name, State, Networks, Application. Clicking on these characteristic buttons sorts the displayed rules. Creating a firewall rule: Use the buttons underneath the display line to generate or edit the rules. To create a firewall rule, click on New. A filter rule is created via four configuration areas or tabs. General: In this configuration field you specify the network and the protocol for which the rule will apply. Local: Enter the values of the local ports and IP addresses in this configuration field. Remote: Enter the port and address values of the other side in the remote field. Applications: In this configuration field the rule can be assigned to one or more applications. [Screenshot: Firewall rule, General tab]
15. …on to the ISP are transferred from the available profile entries in a manner that is transparent for the user. Please note the description Destination System / Link Type. Prerequisites for Strong Security: If you are using the Client Software with certificates (X.509), then the following prerequisites must be fulfilled. TCP/IP: The protocol TCP/IP must be installed on your PC. Smart Card Reader: The Client Software supports all Smart Card readers that are PC/SC conform. Such readers will only be entered in the Client Software Smart Card reader list after the Smart Card reader, including the associated driver software, has been installed on the PC. The Client Software detects the Smart Card reader automatically after the PC has been booted. The Smart Card reader can then be selected as described above and used accordingly. In order to use the features of the Smart Card, configure the Smart Card by selecting Configuration / Certificates in the pull-down menu of the Client Software Monitor. When you insert your Smart Card in the Smart Card reader, you can enter your PIN. Smart Card Reader (CT-API conform): Please note the following instructions when using a Smart Card reader that is CT-API conform. The current software includes drivers for the Smart Card readers SCM Swapsmart and SCM 1x0 PIN Pad reader. These Smart
16. …3.2.3 Configuration, you are ready for dialing up to the selected destination. The profile can be selected in two ways: either from the pull-down menu or from the pop-up menu invoked by clicking on the right mouse button (see illustration). [Screenshot: Client Monitor with the menus Connection, Configuration, Log, Window, Help, the profile list (Outside Line, Headquarters), and the pop-up menu with Connect and Exit] In order to establish a connection it is therefore not necessary to start the client monitor itself or to dial up manually. The only software that must be started is the desired application software (e-mail, browser, terminal emulation, etc.). The connection will then be established automatically (see Line Management, Connection Mode automatically). It is also possible to manually establish the connection to a selected destination by selecting Connection in the main menu and clicking on Connect. Alternatively, you can click on the connect button in the tool bar. When the connection is established (see illustration above), the monitor displays a thick green bar from the Client to the Server, under which the text Connection is established is displayed. At the
17. DHCP server: the IP address has been assigned by the DHCP server that has the IP address specified here. DHCP MAC address: if this DHCP server has the MAC address specified here. This option can only be used if the DHCP server is located in the same IP subnet as the DHCP client. The more of these conditions that are fulfilled, the more precise the verification that a known network is involved. The allocation of an adapter to an unknown or known network is automatically logged in the log window of the Client Monitor and in the log file of the firewall (see Logging). Activate automatic friendly network detection: For automatic friendly network detection, please refer to the parameter field on the following page. Automatic detection of Friendly Nets: The administrator centrally specifies what constitutes a Friendly Net. A Friendly Net is indicated in the monitor by the Firewall icon, which is green as soon as the Client has dialed in to a Friendly Net. IP address of the Friendly Net detection service: A Friendly Net Detection Server (FNDS) is required; this is an NCP software component that must be installed in a network that is defined as a Friendly Net. This Friendly Net Detection Server must be reachable via IP and its IP address must be entered here. To increase redundancy, the IP address of a second FND serv
18. DRAFT draft-dukes-ike-mode-cfg-02 (IKECFG); DRAFT draft-ietf-ipsec-dpd-01 (DPD); DRAFT draft-ietf-ipsec-nat-t-ike-01 (NAT-T); DRAFT draft-ietf-ipsec-nat-t-ike-02 (NAT-T); DRAFT draft-ietf-ipsec-nat-t-ike-03 (NAT-T); DRAFT draft-ietf-ipsec-nat-t-ike-05 (NAT-T); DRAFT draft-ietf-ipsec-udp-encaps-06 (UDP-ENCAP). Implemented Algorithms for Phase 1 and 2: Supported authentication methods for phase 1 (IKE policy): RSA signature, PSK (Pre-shared Key). Supported symmetric encryption algorithms (phase 1 & 2): DES, 3DES, AES-128, AES-192, AES-256. Supported asymmetric encryption algorithms (phase 1 & 2): DH 1, 2, 5 (Diffie-Hellman), RSA. Supported hash algorithms: MD5, SHA-1. Additional phase 2 support: PFS (Perfect Forward Secrecy), IPCOMP (LZS), seamless re-keying. When a profile entry with IPSec tunneling is defined, some defaults will be set automatically. These defaults are: IKE phase 1 policies: Automatic Mode; IKE phase 2 policies: Automatic Mode; IKE phase 1 mode (RSA): Main Mode; IKE phase 1 mode (PSK): Aggressive Mode. These policies and negotiation modes are set automatically, but alternatively they can be configured manually in the Phonebook. They can therefore be modified if necessary for other requirements.
19. LogTraceLifetime = 2: Number of days until the log entries are deleted. LogLevel = 9: possible values 0 to 9; the value determines the depth of the analysis level for the log file. LogFile = ncprsu: The file name of the log file (ncprsu.log). LogPath = log: The directory underneath the installation directory where the log file is located (<Installationdirectory>\log\ncprsu.log). LogFileSize = 2000000: This parameter entry is optional. If the size of the log file entered here in bytes (standard 2000000) is reached, then the current log file is renamed to <name>.old; a previous <name>.old is deleted. UseDefaultPhonebook = 0: This switch for the Phonebook selection can be used to specify whether the Management Server will make a uniform Phonebook available to all users or whether it will make an individual phonebook available to each user. UseDefaultPhonebook = 0: each user gets his individual phonebook. UseDefaultPhonebook = 1: each user gets the same phonebook. InitUserId = inituser: This is where you enter the user ID for initial logon on the Management Server. This initial user ID for the rollout is the same for all Clients; consequently, the parameter Allow multiple users must be activated on the Secure Server for this user ID. If the Client dials in with this ID, then the Management Server will send the request for entry of the personal VPN user ID
20. This Distinguished Name (DN) indicates where the configuration for the administrator is located on the LDAP Server. Corresponds to the parameter Administrator DN in the server manual. LdapPassword = XXX: The administrator password that enables access to the LDAP Server. Corresponds to the parameter Administrator Password in the server manual. LdapBaseDN = CN=XXX,O=XXX,C=XX: LDAP search path; the user-specific configurations of the link profiles for the Clients can be found on the LDAP Server below this search path. These Clients access the Management Server via the associated VPN Gateway (see above). The username is searched as Common Name (cn) under the LdapBaseDN. LdapAuthAttribute = ncpUserAuthenticationCode: If the user ID is found, then the value entered in this attribute is allocated to this user ID as the authentication code. ClientAuthentication: AuthCodeMinLen = 6: The minimum length of the authentication code (standard 6). AuthCodeValidDays = 14: This is used to specify the validity period of the authentication code in days after it has been generated. AuthCodeMaxErrCnt = 10: This number determines how often the authentication code can be entered incorrectly. If the entered error number is reached, then the client can no longer dial in. It is only possible to cancel the disable via the Management Console.
21. [Diagram, IKE Main Mode with Preshared Keys, continued: Message 4: Header, Key Exchange, Nonce; Message 5: Header, ID, Hash (encrypted); Message 6: Header, ID, Hash (encrypted)] If the pre-shared key method is used in Main Mode, then the client on the VPN Gateway must be clearly identifiable by his IP address. This is because the pre-shared key will be introduced into the symmetric key calculation and encrypted before the transfer of any other information that could identify the client. However, a client dialing in to the provider is not identifiable by an IP address because he receives a new one with each dial-in. This means that in Main Mode only the same pre-shared key can be given out, which weakens the authentication. IKE Aggressive Mode with Preshared Keys (Initiator / Destination): Message 1: Header, SA, Key Exchange, Nonce, ID; Message 2: Header, SA, Key Exchange, Nonce, ID, Hash (unencrypted; Hash over the Diffie-Hellman Group); Message 3: Header, Hash. One possibility to avoid a general pre-shared key would be to use the Aggressive Mode (see graphic above); however, in this case the client ID is not encrypted. IKE Main Mode (Identity Protection Mode) with RSA Signatures (Initiator / Destination): Message 1: Header, Security Association; Message 2: Header, Security Association (unencrypted); Message 3: Header, Key Exchange, Nonce; Message 4: Header, Key Exchange, Nonce, Diffie-He
22. [Contents: 3.1.2 The Appearance of the Monitor 41; Modification of the Interface 41; 3.1.3 Dialing up and selecting the Profile 42; 3.1.4 Symbols of the Monitor 43; 3.1.5 Status Displays 44; EAP Authentication 44; Smart Card Readers 44; PIN Status 44; Firewall; 3.1.6 Connection Setup Symbols 46; Symbols of the NAS Dial-in 46; Symbols of the VPN Dial-in 46; 4 Using the Client Monitor 48; 4.1 Connection; 4.1.1 Connect; 4.1.2 Disconnect 50; 4.1.3 HotSpot Logon; 4.1.4 Multifunction Card 51; Network Search 51; Activate GPRS/UMTS; Enter SIM PIN; Change SIM PIN; PUK Entry; 4.1.5 Connection Info 53; Time Online 54; Timeout 54; Direction 54; Speed 54; Multilink
23. [End of index] Appendix to the NCP Secure Enterprise Client and NCP Secure Entry Client: Mobile Computing via GPRS/UMTS and Domain Login via NCP Gina. NCP (Network Communications Products) engineering GmbH, Germany. Headquarters: Dombühler Str. 2, D-90449 Nürnberg; Tel. +49 911 9968-0; Fax +49 911 9968-299; Internet: http://www.ncp.de; E-mail: info@ncp.de. Contents: 1 Mobile Computing via GPRS/UMTS A5; 1.1 Installation A6; 1.2 Driver Installation A6; 2 Configuring a Destination System (Profiles) A8; 2.1 Configuring with a Wizard A8; 2.2 Configuration in the Phonebook A12; 3 The Monitor A14; 4 Domain Login via NCP Gina A17; 4.1 Logon Options A19; 5 Log Files A21. 1 Mobile Computing via GPRS
24. [Index: Multilink Threshold 146; NAT Traversal 161; NAT-T (NAT Traversal) 194; Incoming certificate's subject 165; … 26; NetBIOS over IP 170; Allow NetBIOS over IP 170; NetKey 26; Network addresses 163; Network Search 51; Offline Activation 118; Online Activation 116; Outside Line Prefix Settings 89; Password 137, 159, 173; PFS (Perfect Forward Secrecy) 191; PFS group 150; PIN 61; PIN Handling 62; PIN Policy 95; PIN request 94; PIN State Symbol 62; PIN change 63; PIN reset 62; … 26; PKCS#11 Module 91, 93; PKCS#12 26; PKCS#12 File 91, 93; Policy editor 151; Policy lifetimes 151; Policy Name 153, 154; PPP Multilink 22, 146; …
25. [Example 1, binary description, truncated: IP addresses 135.96.7.23 and 135.96.4.190 compared under the net mask 255.255.255.0 (11111111 11111111 11111111 00000000) and under the net mask 255.255.248.0 (11111111 11111111 11111000 00000000); the network/subnet boundary falls after the 21st bit in the latter case] If the net mask did not have a standard value of 255.255.255.0 in the example shown above, but rather 255.255.248.0, then the IP addresses would be located in the same subnet and routing would not take place. Example 2: Two IP addresses, 160.149.115.8 and 160.149.117.201, with the subnet mask 255.255.252.0 are located in the same network but belong to different subnets. Binary description: 160.149.115.8 = 10100000 10010101 011100|11 00001000; 160.149.117.201 = 10100000 10010101 011101|01 11001001; 255.255.252.0 = 11111111 11111111 111111|00 00000000 (the bar marks the network/subnet boundary). The choice of a suitable subnet mask depends on the network class, the quality of the possible subnets, their quantity and their growth potential. For planning purposes, please refer to the standard tables or to a subnet calculator. Subnet table, class C (Subnet bits | Host bits | Netmask | Subnets | Hosts): 2 | 6 | 255.255.255.192 | 2 | 62; 3 | 5 | 255.255.255.224 | 6 | 30; 4 | 4 | 255.255.255.240 | 14 | 14; 5 | 3 | 255.255.255.248 | 30 | 6; 6 | 2 | 255.255.255.252 | 62 | 2. Calculation: 2 to the power of n minus 2 = quantity of subnets or computers, where n is th
26. AVM Fritz DSL card
Networks: Broadband, e.g. ADSL
Remote destination: Access Router in the xDSL
GPRS/UMTS: If a mobile (cellular) telephone is to be used (GPRS), then this communication medium may be selected. Note the description under Installation Prerequisites for the analog modem.
PPTP (Microsoft Point-to-Point Tunnel Protocol):
Hardware: Ethernet Adapter, xDSL Modem
Networks: xDSL
Remote destinations: Access Router in the xDSL
WLAN:
Hardware: WLAN adapter
Networks: WLAN
Other side: Access Point
Under Windows 2000/XP/Vista the WLAN adapter can be operated with the connection type WLAN. In the Monitor menu the special WLAN Settings menu option is displayed, where the access data for the wireless network can be saved in a profile. If this WLAN configuration is activated, then the management tool of the WLAN card must be deactivated. Alternatively, the management tool of the WLAN card can also be used; in this case the WLAN configuration in the Monitor menu must be deactivated. If the connection type WLAN is set for the destination system in the phonebook, then under the graphic field of the Client Monitor an additional area is shown where field strength and the WLAN network are displayed (see > WLAN Settings).
Ext. Dialer: If this connection type is set, then a pre-configured EX
27. CLIENT MONITOR
After this menu option has been selected, different connection messages will be displayed on the screen. If the user is already connected to the Internet, he will be connected with the start page http://www.ncp.de. A window with the following message will appear: "You are already connected to the Internet. Hotspot logon is not necessary or has already been executed." This text can be changed by the administrator by entering the address of a different HTML start page in the form http://www.mycompagnie.de/error.html, and the text of error.html is changed accordingly. If the user is not yet logged on, then a window will be displayed requesting the user to enter user ID and password for logon to the hotspot operator. If the user has not reached a website, then the Microsoft error message "not found" will be displayed.
4.1.4 Multifunction Card
This menu item is displayed after a multifunction card has been installed (see the Appendix in this manual). In addition, the field with the display for UMTS/GPRS will be displayed in the Monitor and the WLAN panel will be hidden (see Monitor icons above).
Network Search: After the Monitor starts, the installed multifunction card automatically searches for a wireless network and displays it with the appropriate field strength as soon as it is found (T-Online in the Fig. below). Another network search can be triggered by selecting the menu i
28. COMMUNICATIONS
IP address definition dialog (Network settings, NCP Secure Communications): "Specify an IP address". You can now enter any IP address properties that are to be used by the NCP Secure Entry Client LAN Emulation: Default Gateway, IP Address, Subnet Mask, DNS Address.
Please contact your system administrator or your Internet service provider for additional information about your communication gateway. Communication with DHCP (Dynamic Host Control Protocol) means that a temporary IP address will be assigned automatically for each communication session. If required, click on "Obtain an IP Address from DHCP Server". If you "Specify an IP Address", enter the IP address in this window.
Default Gateway: If a network adapter with a Default Gateway is already installed, you will have to delete this Default Gateway address. It is not possible to have more than one network adapter with a Default Gateway.
DNS Address: You should only enter a DNS Address if you have been assigned one from your system administrator or ISP.
End of User-defined Installation > continue next page
Thereafter you can define Windows logon options: whether a logon to a remote domain should occur after entering passwords and PIN
29. Card readers can be set in the Monitor under Configuration > Certificates. If, however, the Smart Card reader does not work with the drivers which are included in the software, or a Smart Card reader is to be used which does not show up in the configuration selection of supported readers, then ask the supplier or producer of the Smart Card reader or the respective website for the current hardware driver and install it. In this case the client software requires some modifications. Use an ASCII editor to edit the NCPPKI.CONF file; you find this file in the installation directory. Enter the name of the connected Smart Card reader as ReaderName = xyz and the name of the installed driver as DLLWIN95 or DLLWINNT respectively. For operating systems based on Windows NT, like Windows 2000 and Windows XP, the module name DLLWINNT has to be used. The default name for CT-API conform drivers is CT32.DLL.
Important: Only those drivers that have been appropriately set with visible = 1 will be displayed in the list.
    Modulname = SCM Swapsmart (CT-API)  ->  xyz
    DLLWIN95  = sem20098.dll             ->  ct32.dll
    DLLWINNT  = sem200nt.dll             ->  ct32.dll
After rebooting the PC, the new ReaderName is displayed in the Monitor under Configuration > Certificates > Smart Card reader. Now you select that Smart Card reader.
Smart Cards: Currently the following
30. ...     ...  ...        DH2    SECONDS  28800  128
AES_CBC  MD5  RSA        DH2    SECONDS  28800  128
DES3     SHA  XAUTH_RSA  DH5    SECONDS  28800  0
DES3     MD5  XAUTH_RSA  DH5    SECONDS  28800  0
DES3     SHA  RSA        DH5    SECONDS  28800  0
DES3     MD5  RSA        DH5    SECONDS  28800  0
DES3     SHA  XAUTH_RSA  DH2    SECONDS  28800  0
DES3     MD5  XAUTH_RSA  DH2    SECONDS  28800  0
DES3     SHA  RSA        DH2    SECONDS  28800  0
DES3     MD5  RSA        DH2    SECONDS  28800  0
If a specific IKE proposal is entered in the IPSec configuration of the profile settings, the same proposal will automatically be generated with Extended Authentication and sent.
2. If a string is entered in the Preshared Key field, the following proposals for the IKE policy will be sent to the destination by default, and no certificate will be used for authentication.
EA       HASH  AUTH       GROUP  LT       LS     KL
AES_CBC  SHA   XAUTH_PSK  DH5    SECONDS  28800  256
AES_CBC  MD5   XAUTH_PSK  DH5    SECONDS  28800  256
AES_CBC  SHA   PSK        DH5    SECONDS  28800  256
AES_CBC  MD5   PSK        DH5    SECONDS  28800  256
AES_CBC  SHA   XAUTH_PSK  DH2    SECONDS  28800  256
AES_CBC  MD5   XAUTH_PSK  DH2    SECONDS  28800  256
AES_CBC  SHA   PSK        DH2    SECONDS  28800  256
AES_CBC  MD5   PSK        DH2    SECONDS  28800  256
AES_CBC  SHA   XAUTH_PSK  DH5    SECONDS  28800  192
AES_CBC  MD5   XAUTH_PSK  DH5    SECONDS  28800  192
AES_CBC  SHA   PSK        DH5    SECONDS  28800  192
AES_CBC  MD5   PSK        DH5    SECONDS  28800  192
AES_CBC  SHA   XAUTH_PSK  DH5    SECONDS  28800  128
AES_CBC  MD5   XAUTH_PSK  DH5    SECONDS  28800  128
AES_CBC  SHA
31. E ricas  132
Pre-shared Key  149, 158, 193
Profile Import  103
Profile Name  131
Profile Settings  67, 128
Profile Settings Backup  104
Protocol (Firewall)  75
Protocol (IPSec Policy)  154
Proxy Configuration  50
PUK Entry  53
R
RAS script file  138
Release Com Port  142
RSA Signature  149
SRA Hwee Medes  55
S
SA Negotiation  186
Seamless re-keying  191
Search new Updates  112
Security  183
Serial Number  56
Serial Number (Certificate)  56, 57
SHA (Secure Hash Algorithm)  153
SHA  191
SHA-1 fingerprint  166
SIgntS  26
SIM PIN  143
LOUNGE KS  26
Smart Card  26, 91
Smart Card Reader  25, 92
ic 6 oka ke as  56, 90
Soft Certificate  26
Software Activation  115
SPEE sind F
32. g  Givenname
t  Title
o  Organisation
ou  Organization Unit
c  Country
st  State (Province)
l  Location (City)
email  E-mail
Example: cn=VPNGW*, o=ABC, c=de
The common name of the security server is verified here only until the wildcard; all following positions can be as desired, like 1-5 as numbering. The organizational unit must always be ABC in this case, and Germany must be the country.
Incoming certificate's Issuer: All attributes of the user, to the extent known (even with wildcards), can be used as user certificate entries of the other side (server). In this regard, compare the entries that are always listed under users for Display Incoming Certificates. Use the attribute name abbreviations for this. The attribute type abbreviations for certificate entries have the following meaning:
cn  Common Name / Name
s  Surname
g  Givenname
t  Title
o  Organisation
ou  Organization Unit
c  Country
st  State (Province)
l  Location (City)
email  E-mail
Example: cn=ABC GmbH
Only the common name of the issuer is verified here.
Issuer's certificate fingerprint: To prevent an unauthorized person that imitates a trusted CA from using a counterfeited
33. Header, RFC 2402.
Analog Interface: This is an interface for connecting analog devices, e.g. modems, facsimile (group 3) machines, analog telephones etc. The current international standard connector for analog devices is RJ11.
Asymmetric Encryption (Public Key Process): In an asymmetric encryption each participant has two keys, a secret private key and a public key. Both keys stand in a mathematically defined relationship to each other (2-key service). The participant's private key is strictly secret; the public key is available to anyone. Key management is straightforward even with large numbers of participants. For example: two keys per participant generate a total of 2000 keys to enable secure communication for 1000 participants in all sender/recipient combinations. RSA is the best known asymmetric encryption process. The disadvantage of the asymmetric encryption process is that it is calculation intensive and thus comparatively slow.
Basic Connection: A type of ISDN connection with S0 interface. S0 (BRI, Basic Rate Interface) stands for subscriber interface (user interface). It consists of a D channel (bandwidth 16 kbit/s) for controlling and two B channels (bandwidth 64 kbit/s each) for data transmission.
Basic Rate Interface (BRI): An ISDN subscriber service that uses 2 B channels (64 Kbps) and 1 D channel (16 Kbps) to
34. ISP can be maintained.
Logon/Logoff (Ext. Applications, Options): Options when a Windows logon is executed. "Disconnect when user logs off": The connection can be terminated when the user ends the Windows session (logs off). This permits a change of Windows users on the computer without having to disconnect the VPN connection.
External applications: Use this configuration field to start applications or batch files depending on the Client Monitor (no Windows programs). "Execute external applications or batch files": The external applications are added as described on the next page. The call sequence from top to bottom can be changed with the green arrow keys.
    Application / Batch file        Start options
    C:\WINNT\ncple\RWSCMD.EXE       postcon   All
    C:\WINNT\ncple\RWSRSU.EXE       postcon   All
Application: After you have selected the function "Start external applications or batch file", you can select an application or batch file from the computer (see previous page); this application or batch file is then loaded depending on the start option:
Execute before a connection has been established (precon)
Execute after a connection has been established (postcon)
Execute after a connection has been established (post
35. Install button: Install Program From Floppy Disk or CD-ROM. Insert the product's first installation floppy disk or CD-ROM and then click Next when the window appears which requests the installation CD.
Run Installation Program: When the following window appears, click on Browse to search for the installation program. If this is the correct installation program, click Finish. To start the automatic search again, click Back. To manually select the EXE file (NCP_EntryCl_Win32_900_028.exe), click Browse, then Open and Finish.
Choose Setup Language: A window appears where you can select the language to be used for the installation; select the language for the installation and then click OK. > continue next page
InstallShield Wizard: NCP Secure Entry Client Setup is preparing the InstallShield Wizard which will guide you through the rest of the setup process. Please wait.
NCP Secure Entry Client 9.00 Build 7 Setup: The InstallShield Wizard will install NCP Secure Entry Client on your computer. To continue, click Next.
ATTENTION: Important
36. Internet protocol. It was defined to also provide application processes with the direct possibility to send datagrams. UDP delivers, over and above the capabilities of TCP/IP, simply a port number and a checksum of the data. Due to the lack of overhead such as receipts and security mechanisms, it is particularly fast and efficient.
UMTS: Universal Mobile Telecommunications Service. Future standard for fast mobile phone communication.
VPN: Virtual Private Network. A VPN can be implemented as a virtual network over all IP carrier networks, that means the Internet as well. Two specifications have crystallized for the realization of a VPN: L2F (Layer 2 Tunneling) and L2TP (Layer 2 Tunneling Protocol). Both processes serve to establish a tunnel that can be considered a virtual leased line. In addition to IP frames, also IPX data, SNA data and NetBIOS data are transparently transmitted over such a logical connection. At the end of the tunnel the data packets must be interpreted and transformed into a data stream on the basis of the protocol used.
WAN: Abbreviation for Wide Area Network, which is a communications network that connects networks that are separated geographically, normally LANs (Local Area Network). WANs are normally provided by PTTs or carriers and, generally speaking, offer high speed connections (64 Kbps, 2 Mbps or higher).
WAP: W
37. Message will be displayed in the Monitor. Any further communication is denied until the Call Control Reset is activated (see > Connection pull-down menu in the Monitor).
4.2.7 EAP Settings
You can specify whether EAP authentication will only be executed via WLAN cards, LAN cards, or via all network cards in the EAP Options of the Monitor menu. The setting made here applies globally for all phonebook entries. In an activation box the EAP authentication can be set as follows: For all network interfaces: Deactivated; For all network cards; Only for WLAN cards; Only for LAN cards.
This protocol can then be used if a switch, a hub or an access point is used which supports 802.1x and the according Authentication Mode for the access to the wireless LAN. You can prevent unauthorized users from getting into the LAN via the hardware interface with the Extended Authentication Protocol (EAP-MD5). You can use either Username with Password from the configuration field Identity, or your own EAP User ID with an EAP Password. Certificate content can be automatically transferred if, in the Phonebook under Tunnel parameters, VPN User ID and VPN Password are transferred from the certificate and if "Use VPN User ID and VPN Password" is activated in the EAP options.
38. Microsoft tool must be deactivated. Alternatively, the management tool of the WLAN card or the Microsoft tool can be used as well. If the link type WLAN is set for the destination system in the phonebook, then under the graphic field of the Client Monitor an additional area is shown where the field strength and the WLAN network are displayed. Please read the description of the parameter Link Type in the section Configuration Parameters / Profile Settings.
Automatic Media Detection: If various link types could be used, the client detects automatically which link type actually can be used and selects the fastest one. On the basis of a pre-configured destination system, those link types that are currently available for the Client PC are detected and implemented, and if multiple alternative transmission paths are available, the fastest will be selected automatically. The link type priority is specified in the following sequence in a search routine:
1. LAN
2. WLAN
3. DSL
4. UMTS/GPRS
5. ISDN
6. MODEM
The configuration is executed in the phonebook with the link type "Automatic media detection" under Destination system. If desired, all destination systems for the VPN gateway that are pre-configured for this Client PC can be assigned to this automatic media detection. This renders manual selection of a medium (WLAN, UMTS, LAN, DSL, ISDN, MODEM) from the profile entries superfluous. Input data for the connecti
39. Mobile Computing via GPRS/UMTS  A 13  SECURE ENTERPRISE ENTRY CLIENT
3. The Monitor
Monitor window (Connection, Configuration, Log, Window, Help; Destination: Outside Line, L2Sec Test; Connect, Disconnect; Statistics: Time online 00:00:00, Timeout (sec) 0, Data Tx in Byte 0, Direction, Data Rx in Byte 0, Link Type GPRS/UMTS, Speed (KByte/s) 0.000, Encryption).
If the field strength is not displayed, then an error message will appear which refers to a modem error. In this case proceed as described under 1.1 Driver installation.
Start the Monitor: The Monitor of the VPN/PKI client (Enterprise Client) must look like the adjacent illustration (L2Sec Test Client, Signal 46, GPRS, T-Mobile D); the Entry Client Monitor is essentially the same. The field strength of the wireless network must be displayed between the graphic field and the toolbar. After the Monitor starts, the card will automatically search for a wireless network and displays it with the corresponding field strength once a wireless network has been found (T-Mobile D in the Fig. to the left). If the network is displayed, then another network search can be triggered by clicking on the button.
After searching for an alternative
40. ...     ...   PSK        DH5  SECONDS  28800  128
AES_CBC  MD5   PSK        DH5  SECONDS  28800  128
AES_CBC  SHA   XAUTH_PSK  DH2  SECONDS  28800  128
AES_CBC  MD5   XAUTH_PSK  DH2  SECONDS  28800  128
AES_CBC  SHA   PSK        DH2  SECONDS  28800  128
AES_CBC  MD5   PSK        DH2  SECONDS  28800  128
DES3     SHA   XAUTH_PSK  DH5  SECONDS  28800  0
DES3     MD5   XAUTH_PSK  DH5  SECONDS  28800  0
DES3     SHA   PSK        DH5  SECONDS  28800  0
DES3     MD5   PSK        DH5  SECONDS  28800  0
DES3     SHA   XAUTH_PSK  DH2  SECONDS  28800  0
DES3     MD5   XAUTH_PSK  DH2  SECONDS  28800  0
DES3     SHA   PSK        DH2  SECONDS  28800  0
DES3     MD5   PSK        DH2  SECONDS  28800  0
The client sends the following IPSec phase 2 default proposals.
Notation: PROTO = Protocol; TRANS = Transform (Transformation ESP); LT = Life Type; LS = Life Seconds; KL = Key Length; COMP = IP Compression (Transformation Comp).
PROTO  TRANS  AUTH  LT       LS     KL   COMP  LZS
ESP    AES    MD5   SECONDS  28800  128  Yes   Yes
ESP    AES    SHA   SECONDS  28800  128  Yes   Yes
ESP    AES    MD5   SECONDS  28800  128  No    No
ESP    AES    SHA   SECONDS  28800  128  No    No
ESP    AES    MD5   SECONDS  28800  192  Yes   Yes
ESP    AES    SHA   SECONDS  28800  192  Yes   Yes
ESP    AES    MD5   SECONDS  28800  192  No    No
ESP    AES    SHA   SECONDS  28800  192  No    No
ESP    AES    MD5   SECONDS  28800  256  Yes   Yes
ESP    AES    SHA   SECONDS  28800  256  Yes   Yes
ESP    AES    MD5   SECONDS  28800  256  No    No
ESP    AES    SHA   SECONDS  28800  256  No    No
ESP    DES3   MD5   SECONDS  28800  0    Yes   Yes
ESP    DES3   MD5   SECONDS  28800  0    No    No
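As an added example (not NCP code and not part of the manual), the following Python models the two phase 1 behaviours described on this and the preceding page: a configured proposal is also generated with Extended Authentication and sent, and the default lists mix AES/SHA/DH5 rows with legacy DES3/MD5/DH2 rows. The row format follows the manual's columns EA HASH AUTH GROUP LT LS KL; the function names and the review rules are this example's own.

```python
"""IKE phase 1 proposal handling as the manual describes it: a proposal
configured in the profile's IPSec settings is also generated with Extended
Authentication (XAUTH) and sent, and the default proposal lists combine
AES/SHA/DH5 rows with legacy DES3/MD5/DH2 rows. Column order follows the
manual: EA HASH AUTH GROUP LT LS KL. Added example, not NCP code."""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class IkeProposal:
    ea: str         # encryption algorithm (AES_CBC, DES3)
    hash_alg: str   # MD5 or SHA
    auth: str       # PSK, RSA, XAUTH_PSK or XAUTH_RSA
    group: str      # Diffie-Hellman group (DH2, DH5)
    life_type: str  # SECONDS
    life: int       # lifetime; 28800 in every default row
    key_len: int    # AES key length in bits; 0 = fixed by the algorithm (DES3)


def parse_proposal(row: str) -> IkeProposal:
    """Parse one row written in the manual's column order."""
    fields = row.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {row!r}")
    ea, hash_alg, auth, group, life_type, life, key_len = fields
    return IkeProposal(ea, hash_alg, auth, group, life_type, int(life), int(key_len))


def format_proposal(p: IkeProposal) -> str:
    """Render a proposal back into the manual's row format."""
    return f"{p.ea} {p.hash_alg} {p.auth} {p.group} {p.life_type} {p.life} {p.key_len}"


def with_xauth(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """For every configured proposal, add the same proposal with Extended
    Authentication; the XAUTH row is listed before the plain row, as the
    default tables do. Rows that already carry XAUTH pass through unchanged."""
    result: List[IkeProposal] = []
    for p in proposals:
        if not p.auth.startswith("XAUTH_"):
            result.append(replace(p, auth="XAUTH_" + p.auth))
        result.append(p)
    return result


def review_proposal(p: IkeProposal) -> List[str]:
    """Defender's review of one proposal: legacy primitives that a gateway
    policy should not accept even though the client offers them by default."""
    findings: List[str] = []
    if p.ea == "DES3":
        findings.append("DES3: 64-bit block cipher, deprecated")
    if p.hash_alg == "MD5":
        findings.append("MD5: deprecated hash/PRF")
    if p.group == "DH2":
        findings.append("DH2: 1024-bit MODP group, below current minimum strength")
    if p.ea == "AES_CBC" and p.key_len < 128:
        findings.append(f"AES key length {p.key_len} too short")
    return findings


def acceptable(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """Subset of a proposal list that raises no findings."""
    return [p for p in proposals if not review_proposal(p)]


# Constructed subset of the default pre-shared-key list shown on this page.
DEFAULT_PSK_ROWS = [
    "AES_CBC SHA XAUTH_PSK DH5 SECONDS 28800 256",
    "AES_CBC MD5 XAUTH_PSK DH5 SECONDS 28800 256",
    "AES_CBC SHA PSK DH2 SECONDS 28800 256",
    "AES_CBC SHA PSK DH5 SECONDS 28800 128",
    "DES3 SHA PSK DH5 SECONDS 28800 0",
    "DES3 MD5 PSK DH2 SECONDS 28800 0",
]


if __name__ == "__main__":
    configured = [parse_proposal("AES_CBC SHA PSK DH5 SECONDS 28800 256")]
    print("sent for one configured proposal:")
    for p in with_xauth(configured):
        print("  ", format_proposal(p))
    print("review of the default PSK rows:")
    for row in DEFAULT_PSK_ROWS:
        print("  ", row, "->", "; ".join(review_proposal(parse_proposal(row))) or "ok")
```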
41. Services window (Administration, Tree: Services (Local)): the Services window must be opened in the Windows Start menu. The IPsec policy agent is highlighted in this window; the service stops and the startup type is set to Manual.
42. Symbols of the VPN Dial-in
After NAS dial-in is concluded, the VPN dial-in to the corporate gateway can take place. In this process the dial-in connection will be symbolized with a thick yellow line. If the dial-in is concluded and the connection to the VPN Gateway is successfully established, then the thin connection line will be displayed in green.
The colors of the VPN dial-in icons change concurrently with the start of the connection setup to the gateway. Dial-in and authentication on the VPN gateway are displayed in precisely the same manner as they are displayed for NAS dial-in. In addition there are icons for key negotiation (keys) and compression (pliers), if configuration of these icons is prescribed from the gateway side.
Figure: Symbols of the VPN Dial-in (VPN Dial-in, Dial-in GW, Compression GW, VPN Tunnel to the Gateway, Headquarters, Encryption GW, Corporate Network, Authentication GW).
The colors of the icons change from gray to black, then flash green and finally are displayed as constant green to indicate successful connection setup. In this regard the dial-in and authentication processes on the gateway must always be executed; encryption and compression are optional. From left to right the VPN dial-in icons are:
Dial-in on the VPN Gateway: The target address of the VPN gateway is specified in the
43. The created rule is always executed as an exception to the basic setting (see > Basic Settings).
Firewall Rule Entry (Enabled, Bidirectional):
Rule name: The rule appears under this name in the display list.
State: The rule will only be applied to data packets if the status is active.
Direction: With the direction you specify whether this rule will apply for incoming or outgoing data packets. According to the Stateful Inspection principle, data packets are received that come in from a destination to which data packets may be sent, and vice versa. However, Stateful Inspection is only used for TCP/IP protocols (UDP, TCP). You can switch to incoming, for instance, if a connection will be set up from the remote side, e.g. for incoming calls or administrator accesses. The bi-directional setting is only practical if Stateful Inspection is not available, e.g. for the ICMP protocol (for a ping).
Apply rule to following networks: When creating a rule, at first do not assign it to any network. A rule can only be saved if the desired allocation has been made and if a name has been assigned. Unknown networks are all networks (IP network interfaces) that can be allocated neither to a known network nor to a VPN. These include, for example, connections via the Microsoft remote data transmission network, or also direct or unencrypted connections with the integrated dialer of the client, as well as Hotspot/WLAN connec
44. WLAN; Speed (KByte/s) 0.000; Encryption.
The Client Monitor serves 4 important purposes:
- to display the current communications status
- for selection of the communication medium
- for definition of call control parameters
- for definition of profiles and associated destination and security parameters
3.1 The Client Monitor User Interface
3.1.1 Operating and Display Field
The Client Monitor consists of:
- a title header indicating the security version of the client
- the main menu bar
- a display of the selected Profile and a window for Outside Line Prefix
- the graphic status field displaying the communication status; the field that displays signal strength only opens for the connection types UMTS/GPRS and WLAN
- the button bar with Connect and Disconnect
- and the statistics field
Monitor window (NCP Secure Entry Client: Connection, Configuration, Log, Window, Help; Profile: Headquarters; Outside Line; Signal 0, LAN, Very Poor .. Excellent, SUPPORT_TEHOTSPOT; Statistics: Time online 00:00:00, Timeout (sec), Data Tx in Byte 0, Data Rx in Byte, Direction, Link Type WLAN, Encryption, Speed (KByte/s)).
The user interface conforms to Windows standards, and operation is similar to that of other Windows applications. The Monitor can
45. While the Endpoint Security Policies are output from the Enterprise Management system, download of the security policies which the Management Server prescribes must be activated on the VPN Gateway.
Appendix Secure Client Services  A 29  SECURE ENTERPRISE ENTRY CLIENT SERVICES
This is done on the Secure Server Manager in the configuration branch Client Policy Enforcement. If endpoint security is activated, then the current policies are compared and downloaded via the program ncpepsec.exe.
The following services and applications are described in more detail below: rwsrsu.exe, ncpbudgt.exe, rwscmd.exe, ncprwsnt.exe.
1.1 Overview of the ports of the NCP Secure Client
For Win2000/XP:
    ncpmon.exe    10544
    ncpsec.exe    10522, 10542
    ncprwsnt.exe  1701, 500, 10523, 10530, 10550, 10600, 10610
    rwsrsu.exe    dynamic port (after 12501 Management Server)
For 98/ME:
    ncpmon.exe    10544
    ncpbudgt.exe  10522, 10542
    ncpike9x.exe  1701, 500, 10523, 10530, 10550, 10600, 10610
    rwsrsu.exe    dynamic port (after 12501 Management Server)
Additional ports:
    PKI          10523
    PPPoE        10550
    IPHlp        10560
    WSUP Driver  10600
    DNS Client   10610
1.2 Registry Entries for the NCP Secure Client
The registry entries can be found under two directory paths with the registry editor: Software\Ncp Engineering GmbH\NCP RWS GA 6.0 and Software\Ncp Engineering GmbH\NCP Secure Client (see
46. a connection is only possible via the application selected with the Select Application button (e.g. C:\Programme\ping.exe, a locally installed application such as ping.exe); thus only this application can communicate. In this case, according to this rule, only pings can be executed. In this example you should also note that ICMP is permitted from the protocol. Please note that the assigned port has also to be selected (for an e-mail application port 80).
Local IP Addresses: Any IP address; Explicit IP address; Several IP addresses or ranges.
Configuration field Friendly Networks: If in Firewall rules you have defined in the configuration field that a rule will be applied to connections with a known network, then this rule is always used if a network can be identified as a known network according to the criteria that are entered here (e.g. the LAN adapter is in a known network). The LAN adapter of the client is considered to be in a known network if:
IP network and Network mask: the IP address of the LAN adapter originates from the specified network range. If, for example, the IP network 192.168.254.0 is specified with the mask 255.255.255.0, then the address 192.168.254.10 would effect an allocation to the known network.
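The subnet arithmetic behind the two examples on the Examples and Explanations page (135.96.7.23 / 135.96.4.190 under 255.255.255.0 versus 255.255.248.0, and 160.149.115.8 / 160.149.117.201 under 255.255.252.0) is the same test the Friendly Networks criterion above applies to the LAN adapter. The following Python is an added example, not NCP code and not part of the manual; it also generates the manual's class C subnet table with its 2^n - 2 rule, and the function names are this example's own.

```python
"""Subnet arithmetic behind the manual's examples: an address belongs to the
subnet given by its binary AND with the net mask, so two addresses share a
subnet (no routing needed) when the ANDed values are equal. The same test
decides the Friendly Networks allocation ("the IP address of the LAN adapter
originates from the specified network range"). Added example, not NCP code."""
from typing import List, Tuple


def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer; rejects anything that is not IPv4."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Four 8-bit groups, the notation the manual uses in its binary descriptions."""
    value = to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def is_valid_mask(mask: str) -> bool:
    """A net mask is a run of 1 bits followed only by 0 bits (no gaps)."""
    inverted = (~to_int(mask)) & 0xFFFFFFFF
    # inverted is of the form 0...01...1, i.e. one less than a power of two
    return (inverted & (inverted + 1)) == 0


def network_of(address: str, mask: str) -> str:
    """Network/subnet part of an address: bitwise AND with the net mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous net mask: {mask!r}")
    return to_dotted(to_int(address) & to_int(mask))


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when no routing is needed between the two addresses under this mask."""
    return network_of(addr_a, mask) == network_of(addr_b, mask)


def in_known_network(adapter_ip: str, ip_network: str, net_mask: str) -> bool:
    """Friendly Networks criterion: the adapter's address lies in the configured range."""
    return network_of(adapter_ip, net_mask) == network_of(ip_network, net_mask)


def class_c_subnet_table(min_bits: int = 2, max_bits: int = 6) -> List[Tuple[int, int, str, int, int]]:
    """Rows of (subnet bits, host bits, netmask, subnets, hosts) for a class C
    network, using the manual's 2**n - 2 rule: the all-zero and all-one subnet
    and the network and broadcast host addresses are not counted."""
    rows = []
    for subnet_bits in range(min_bits, max_bits + 1):
        host_bits = 8 - subnet_bits
        last_octet = (0xFF << host_bits) & 0xFF
        rows.append((subnet_bits, host_bits, f"255.255.255.{last_octet}",
                     2 ** subnet_bits - 2, 2 ** host_bits - 2))
    return rows


if __name__ == "__main__":
    # Example 1: two hosts under the standard class C mask and under 255.255.248.0
    for ip in ("135.96.7.23", "135.96.4.190"):
        print(f"{ip:15} {to_binary(ip)}")
    print("same subnet with 255.255.255.0:", same_subnet("135.96.7.23", "135.96.4.190", "255.255.255.0"))
    print("same subnet with 255.255.248.0:", same_subnet("135.96.7.23", "135.96.4.190", "255.255.248.0"))
    # Example 2: same network, different subnets under 255.255.252.0
    print("same subnet with 255.255.252.0:", same_subnet("160.149.115.8", "160.149.117.201", "255.255.252.0"))
    # Friendly Networks example from the firewall configuration page
    print("192.168.254.10 in 192.168.254.0/255.255.255.0:",
          in_known_network("192.168.254.10", "192.168.254.0", "255.255.255.0"))
    for row in class_c_subnet_table():
        print("{:>2} subnet bits, {} host bits, {:15} {:>2} subnets, {:>2} hosts".format(*row))
```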
47. 14
Protocol (IPSec Policy)  154
Transformation ESP (IPSec Policy)  154
Transformation Comp (IPSec Policy)  154
Authentication (IPSec Policy)  154
5.1.7 Advanced IPSec Options  155
Use IP compression (LZS)  156
Disable DPD (Dead Peer Detection)  156
Force UDP Encapsulation (Port 4500)  156
5.1.8 Identities
Type (Identity)  158
ID (Identity)
Use pre-shared key
Use extended authentication (XAUTH)  158
Username (Identity)  159
Password (Identity)
Use access data from configuration
5.1.9 IP Address Assignment  160
Use IKE Config Mode  161
Use local IP address  161
Manual IP address  161
DNS/WINS  161
DNS Server  161
WINS Server  161
Domain Name  161
5.1.10 Remote Networks
Network addresses (Remote Networks)  163
Subnet masks  163
Apply tunneling security for local networks  163
5.1.11 C
48. Activation button: the message bar of the Monitor shows "Software has not been activated. Valid for another 30 days." In order to use a full version with no time limitations, the software must be released in the activation dialog with the license key and the serial number that you have received. With activation you accept the license conditions that you can view in the activation dialog after clicking on the appropriate button. The activation dialog can be opened via the activation button in the message bar of the Monitor as well as via the Monitor menu Help > License data and activation. The license data can be entered either online or offline via a wizard. In the offline variant, a file that is generated after entering the license key and serial number must be sent to the NCP web server, and the activation key that is then displayed on the website must be noted. This activation key can be entered in the licensing window of the Monitor menu at a later point in time. In the online variant an assistant forwards the licensing data to the web server immediately after entry, and thus the software is immediately released.
4.6.2 Test Version Validity Period
The test version is valid for 30 days. Without software activation or licensing it will no longer be possible to set up a connection
49. 54
Configuration Locks  102
Connect  50, 171
Connection Info  33
Connection Mode  171
Connection types  131
CRL (Certificate Revocation List)  198
D
Default Gateway  31
deflate compression  154
Destination phone number  137
Destination phone number (alternate)  138
DH Group  153
DHCP (Dynamic Host Control Protocol)
Dial Prefix  143
Diffie-Hellmann  190
Disconnect  50
Display CA Certificate  56
Displaying ACE Server Messages  62
DNS/WINS  161
Domain Name  161
DPD (Dead Peer Detection)  156
E
EAP Authentication  44, 147
EAP Settings  98
Encryption  153
Encryption Lamp  54
Enter SIM PIN  52
Establishing a Connection  171
Exch. Mode  150
Extended Authentication  192
Extended Authentication (XAUTH)  158, 174
extendedKeyUsage  60, 167
... and password (authentication code) back to the Client. Only after entry of the personal access data can the user receive a personalized Phonebook or soft certificate.

If a Client logs on with this InitUserID and LDAP authentication is not configured, the Client is only asked for its VPN user ID. The system then checks whether a directory exists on the Update Server for the entered VPN user ID. If not, the logon is rejected and the user is given another chance to enter a VPN user ID (compare the parameter CheckUserDirAfterInitLogon).

CheckUserDirAfterInitLogon = 1
This parameter entry is optional. Default: 1.
1: For the first logon (InitLogon without authentication code, with VPN user ID) the system checks whether a directory exists for this new user. If it does not (e.g. because of a misspelled VPN user ID), the logon fails and the user is again requested to enter the VPN user ID.
0: The logon is executed in such a way that the system searches for a Phonebook or soft certificate for this user. If nothing is found, the following appears in the log window of the user's Monitor: Configuration at current level.

Clients
CheckInterval = 86400
The update interval is specified in seconds; as delivered the parameter is set to one day (86400 seconds). The update interval describes a t
... been configured accordingly (see the registry entries below), an extended log output is generated in which the IP address of the Management Server can be found under the entry PRIDLS (Primary Download Server).

If the NCP Secure Enterprise Management Server is installed behind an external VPN gateway, its IP address must be saved in the Phonebook of the Secure Client under DNS/WINS > Management Server. The Client's rwsrsu service then contacts the Management Server (Update Server) to execute a version compare. This is done after each restart of the Secure Client, at the latest with the first VPN connection to the central gateway.

As soon as the rwsrsu service detects that a newer version is ready for the Secure Client, then, depending on the configuration, a new software program, an updated configuration (Phonebook), a PKCS#12 file (soft certificate) and CA certificates are transmitted to the Secure Client.

Which Phonebook or certificate is updated depends on the VPN user ID used on the Client. You can specify whether each user receives an individual directory for stored configurations or whether one general directory is referenced for all VPN users. The latter option is only available in conjunction with certificates.

2.2 Configuration

The Management Server as we
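The Update Server's first-logon check and the per-user versus shared directory lookup described above, as an added example that is not NCP's code. The server tree, user IDs and file names are constructed for the example; the rejection of user IDs containing path separators is my own addition, because an ID that is turned into a directory name must not be able to escape the configuration root.

```go
// Added example (not NCP's code): models the Update Server's InitLogon
// directory check (CheckUserDirAfterInitLogon) and the per-user vs. shared
// directory resolution. The in-memory "server tree" is constructed data.
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// serverTree stands in for the Update Server's configuration directory.
// Keys are slash-separated paths relative to the server root.
var serverTree = map[string]bool{
	"users/alice/ncpphone.cfg": true, // per-user Phonebook
	"users/bob/bob.p12":        true, // per-user soft certificate
	"users/carol/":             true, // directory exists but holds nothing
	"shared/ca.crt":            true, // general directory: certificates only
}

var (
	errBadUserID = errors.New("rejected: VPN user ID must be a single path component")
	errNoUserDir = errors.New("rejected: no directory for this VPN user ID, enter it again")
	errNoConfig  = errors.New("log: no Phonebook or soft certificate found for this user")
)

// userDir resolves the directory holding a user's configuration. With
// perUser=false (general directory) every user maps to the same directory.
func userDir(userID string, perUser bool) (string, error) {
	// Assumption for this example: the ID becomes a directory name, so
	// separators and dot segments are refused before the tree is consulted.
	if userID == "" || userID == "." || userID == ".." ||
		strings.ContainsAny(userID, `/\`) || path.Clean(userID) != userID {
		return "", errBadUserID
	}
	if !perUser {
		return "shared", nil
	}
	return "users/" + userID, nil
}

func dirExists(dir string) bool {
	for p := range serverTree {
		if strings.HasPrefix(p, dir+"/") {
			return true
		}
	}
	return false
}

func hasConfig(dir string) bool {
	for p := range serverTree {
		if strings.HasPrefix(p, dir+"/") &&
			(strings.HasSuffix(p, ".cfg") || strings.HasSuffix(p, ".p12") || strings.HasSuffix(p, ".crt")) {
			return true
		}
	}
	return false
}

// InitLogon applies CheckUserDirAfterInitLogon (checkUserDir=true means 1).
// It returns the directory that will be searched for the user's configuration.
func InitLogon(userID string, perUser, checkUserDir bool) (string, error) {
	dir, err := userDir(userID, perUser)
	if err != nil {
		return "", err
	}
	if checkUserDir && !dirExists(dir) {
		return "", errNoUserDir // setting 1: a misspelled ID fails at logon
	}
	if !hasConfig(dir) {
		return dir, errNoConfig // setting 0: logon proceeds, nothing to deliver
	}
	return dir, nil
}

func main() {
	for _, id := range []string{"alice", "alcie", "carol", "../etc"} {
		for _, check := range []bool{true, false} {
			dir, err := InitLogon(id, true, check)
			fmt.Printf("user=%-8s check=%-5v dir=%q err=%v\n", id, check, dir, err)
		}
	}
}
```

With the parameter at 1 a misspelled ID ("alcie") is refused at logon; at 0 the logon goes through and the missing Phonebook only shows up as a log line, which is the difference the parameter description is about.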
... before the Windows Logon. With this option a connection to the remote destination's NAS is established before the Windows logon, which may require entering the PIN for your certificate and/or your password if these are not already stored in the Client Software. After the connection to the remote destination's NAS has been established you can log on to the remote domain; this logon is already encrypted.

Please note: Activate this option before the Windows logon, so that the NCP Gina is installed automatically as well. The logon options can only be used if the NCP Gina is installed after the Windows Gina, which is possible in this setup window. These logon options can be set via the Monitor menu of the Client under Configuration. If the logon option is not activated here but is to be used at a later point in time, the NCP Gina can be installed permanently after this setup with the command rwscmd ginainstall. See the description Secure Client Services in the appendix of this manual.

The data of the Client Software will now be copied (Setup Status: NCP Secure Entry Client is configuring your new software installation; creating folders and icons). The associated network components will then be installed.
... In this case the currently configured IP address of the PC (including one obtained via DHCP) is used for the IPsec client.

Manual IP address
The IP address and the subnet mask can be entered freely here. In this case the address entered here is used regardless of the configuration in the network settings.

DNS/WINS
IKE Config Mode, if configured and available, enables dynamic assignment of client IP addresses, DNS/WINS server addresses and the domain name. By activating this function you can define an alternative DNS server instead of the one automatically assigned during the PPP negotiation with the NAS/ISP.

DNS server: The IP address of the DNS server entered here is used instead of the DNS server assigned during the PPP negotiation.
WINS server: The IP address of the WINS server entered here is used instead of the WINS server assigned during the PPP negotiation.
Domain Name: This is the domain name that is otherwise transferred to the system via DHCP in the network settings.

5.1.10 Remote Networks

(Profile Settings > Headquarters; folders: Basic Settings, HTTP Logon, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Certificate Check, Link Firewall)

If you are using tunneling and you have made no entries in this folder, then your
... connection. It is recommended to use the standard setting xDSL (PPPoE) with Windows operating systems, as this provides direct communication over the network interfaces. No additional network card is necessary with the AVM Fritz!DSL card.

Multifunction Card (GPRS/UMTS)
If you are using a multifunction card, special features of mobile computing can be used depending on the card characteristics (see the appendix Mobile Computing). Because the Secure Client supports the multifunction card for UMTS/GPRS/WLAN directly, installation of the management software supplied with the card is not necessary. The VPN connection is established via the integrated NCP Dialer, independent of the Microsoft data communications network. Currently supported multifunction cards:
- T-Mobile Multimedia NetCard
- Vodafone Mobile Connect Card
- KPN Mobile Connect Card
- T-Mobile DSL card 1800
- integrated card of the Lenovo notebooks (Sierra chipset)
- Vodafone EasyBox (USB adapter for UMTS/GPRS)

WLAN adapter (WLAN)
Under Windows 2000/XP the WLAN adapter can be operated with the link type WLAN. The monitor menu then shows the special WLAN settings menu item, where the access data for the wireless network can be saved in a profile. If this WLAN configuration is activated, then the management tool of the WLAN card or the
... connection setup. If the SSID does not match, so that no connection to the access point can be set up with this profile, the profiles marked as automatically configured are used for the connection setup and the appropriate SSID is taken from them.

Search networks
If this WLAN configuration is activated, the management tool of the WLAN card must be deactivated. Alternatively the management tool of the WLAN card can be used; in that case the WLAN configuration in the NCP monitor menu must be deactivated.

Adapter: If a WLAN adapter is installed, it is displayed here (in the screenshot: ZD1211 802.11b/g Wireless LAN, Microsoft's Packet Scheduler).

WLAN networks: After an automatic scan, which takes a few seconds and can also be triggered manually by clicking the Scan button, the currently available networks are displayed with data on SSID, field strength, encryption and network type. [Screenshot: list of scanned networks with the columns SSID, field strength (dBm), encryption, network type.] These values can be configured accordingly in an associated profile.

SSID: The name of the SSID (Standard Security) is assigned by the network operator and is displayed under the graphic field of the Moni
... corresponds to the program ncprsu.exe on the Management Server (see below).

rwsrsuhlp.exe: Help program for rwsrsu.exe; start it with rwsrsu h.
ncprndll.exe: Used by the Update Client; calls a DLL that stops or restarts the Client when there is an update.
ncpbudgt.exe: Budget Manager (see below).
ncpmsg.exe: Belongs to the Budget Manager; if configured in the Client Monitor, it opens the message window with the appropriate warning for the user.
rwscmd.exe: Command line interface (see below).
ncppopup.exe: Program for entering license data and viewing the software version information; it can be started via Windows > Programs > Secure Client > Popup.
ncpsec.exe: PKI module of the Client software; this program is only necessary when digital certificates are used. The configuration of smart card readers and soft certificates is described in detail in the Monitor section of the respective Secure Client manual.
ncpepsec.exe: Module for endpoint security between the Secure Client and the VPN Gateway. The endpoint security policies are configured on the Secure Enterprise Management system with the plug-in Endpoint Policy Enforcement. Consequently Endpoint Policy Enforcement is only possible if NCP Secure Enterprise Management is implemented; only this central management tool can allocate the security policies uniformly to all endpoints of the components in use.
... dial-in point that does not require a script, the system automatically switches to the NCP Dialer. If the data communications dialer is always to be used, the appropriate setting must be made.

5.1.2 Dial-Up Network

(Profile Settings > Headquarters; folders: Basic Settings, Dial-Up Network, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Certificate Check, Link Firewall)

This folder contains the parameters Username and Password, which are needed to identify you properly when accessing the destination. Technically these two items are part of the PPP negotiation with the ISP (Internet Service Provider). If the communication medium LAN over IP has been selected, this folder does not appear, since these parameters are not relevant for LAN operation.

Parameters:
- Username
- Password
- Save password
- Destination phone number
- Alternate destination phone numbers
- RAS script file

Username: This parameter is used to identify yourself to the remote Network Access System (NAS) when establishing a connection to your destination, or alternatively to your Internet Service Provider (ISP) if you are communicating across the Internet. The username ma
... displayed. The following types of encryption are supported: AES, Blowfish, 3DES. The encryption type is assigned by the central site gateway.

Key exchange: Displays which session key exchange method is used.
Static Key: The same static key must be used at both endpoints of the communication. It is entered under Profile Settings > Identity.
IKE (IPSec): The session key is transferred over the encrypted control channel of the Phase 1 negotiation.

Rx and Tx Bytes: Indicates the amount of data sent (Tx) and received (Rx) for each protocol and for each communications session. The amount of data is expressed in bytes (1 byte = 1 character). The total amount of data sent and received for all protocols is also displayed.

4.1.6 Available Communication Media

The purpose of this window is only to inform about the available communication media and the currently used communication medium (in the screenshot: DSL (PPPoE), UMTS/GPRS, ISDN (CAPI is not installed), Modem, LAN over IP, WLAN). On the basis of a pre-configured destination system, those link types that are currently available for the Client PC are detected and implemented; if several alternative transmission paths are available, the fastest is selected automatically. The available communication media are displayed with
Contents (continued)

Media Type ..... 54
Compression ..... 54
Encryption ..... 54
Key exchange ..... 55
Rx and Tx Bytes ..... 55
4.1.6 Available Communication Media
4.1.7 Certificates ..... 56
View Issuer Certificate
View Client Certificate ..... 57
View incoming Certificate ..... 57
Display CA Certificates ..... 58
Display and analysis of extensions for certificates ..... 59
Display of extensions ..... 59
Extension checks ..... 60
4.1.8 Enter PIN ..... 61
Safeguarding PIN Use ..... 62
4.1.9 Reset PIN ..... 62
PIN State Symbol Visible in the Client Monitor ..... 62
PIN Handling after Logoff or Sleep Mode ..... 62
Displaying ACE Server Messages for RSA Token ..... 62
4.1.10 Change PIN ..... 63
4.1.11 Call Control Statistics ..... 64
4.1.12 Call Control Reset ..... 64
4.1.13 Exit (Disconnect the Monitor)
4.2 Configuration ..... 66
4.2.1 Profile Settings
Entries in the profile settings
4.2.2 Firewall Settings
... either be operated using the pull-down menus of the menu bar, the buttons of the button bar, or the context menu (right mouse button).

3.1.2 The Appearance of the Monitor

The monitor can be displayed in different sizes according to the setup under Window in the monitor menu (see Window). The communication medium is shown in the statistics window; it can also be entered when defining the profile so that it is displayed in the status field as well (for example "Headquarters, ISDN").

Modification of the Interface
The monitor appearance can be modified by the administrator. This is particularly relevant for the menu choices Link Information, Certificates, Link Control and Logon Options. The administrator can also hide profile parameter folders and can hide individual parameters or set them to non-configurable. The hidden and deactivated features and parameters simplify operation of the software; they do not influence the performance of the software or your work. Refer to section 3.3 Configuration, 3.3.8 Configuration Locks.

3.1.3 Dialing up and selecting the Profile

Once the software has been installed and a profile has been configured correctly (see
... executed after the destination has been selected. For the Logon Options, refer also to the appendix Mobile Computing via GPRS/UMTS.

4.2.9 Configuration Locks

Use configuration locks to modify the Configuration main menu in the monitor so that the user can no longer modify the pre-set configurations, or so that selected parameter fields are no longer visible to the user. The configuration locks take effect after the defined settings are applied with OK. If you click Cancel, the default settings are used.

General Configuration Locks
In order to specify the configuration locks, an identification consisting of User ID and Password must be entered; the password must then be confirmed. Please note that this identification is absolutely necessary in order to activate the locks or to cancel them. If the identification is forgotten, there is no other way to cancel the locks.

The authorization to open menu items under the main menu item Configuration can now be limited for the user. By default the user can open all menu items and edit the configurations. If the check mark is removed from a menu item with a mouse click, the user can no longer open that menu item.
... from the access point (HotSpot) without opening a browser window. The automatic HTTP logon is executed with the settings in this parameter folder. You must agree to the terms and conditions of the HotSpot operator in order to set up the connection. Please note that there are charges associated with a connection via a HotSpot operator.

Parameters:
- User name (HTTP Logon)
- Password (HTTP Logon)
- Save Password (HTTP Logon)
- HTTP Authentication Script (HTTP Logon)

The logon at the HotSpot is automated with this data as follows: when the connection to the access point is set up, the access point answers the Client with an HTTP redirect to a logon website. Instead of starting a browser for the HTTP authentication, the authentication is performed automatically in the background with the entries made here. For script-driven logon you can use a script from the installation directory <install>\scripts\samples and modify it for other HotSpots. For the WLAN connection type, the authentication data for the HotSpot is taken from the WLAN settings.

User name (HTTP Logon): This is the user name you have obtained from your HotSpot operator.
Password (HTTP Logon): This is the password you have obtained from your HotSpot operator. The password is concealed with asterisks when entere
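The exchange described above (probe, portal redirect, logon in the background, re-probe), as an added example that is not NCP's code and not its sample script. The captive portal is a constructed test server; its form field names (username, password), its /login path and the probe URL are assumptions for the example, which is exactly why a per-HotSpot script has to be adapted. The constructed portal speaks plain HTTP; a production script should refuse to post credentials unless the logon page was reached over HTTPS.

```go
// Added example (not NCP's code or sample script): automated HotSpot logon
// against a constructed captive portal. Field names, /login path and the
// probe URL are assumptions of this example.
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
)

// probeURL is a plain-HTTP address that answers "ok" once Internet access works.
const probeURL = "http://probe.example/"

// NewFakeHotspot plays the access point: without a session cookie every
// request is redirected to the logon page; a correct POST sets the cookie.
func NewFakeHotspot(user, pass string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.FormValue("username") == user && r.FormValue("password") == pass {
			http.SetCookie(w, &http.Cookie{Name: "session", Value: "ok"})
			io.WriteString(w, "logged in")
			return
		}
		w.WriteHeader(http.StatusUnauthorized)
		io.WriteString(w, `<form method="post" action="/login">username/password</form>`)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err != nil || c.Value != "ok" {
			http.Redirect(w, r, "/login", http.StatusFound) // the captive-portal redirect
			return
		}
		io.WriteString(w, "ok")
	})
	return httptest.NewServer(mux)
}

// NewHotspotClient routes all traffic through the fake access point, the way
// an AP intercepts a client's traffic, and keeps the portal's session cookie.
func NewHotspotClient(apURL string) *http.Client {
	proxy, _ := url.Parse(apURL)
	jar, _ := cookiejar.New(nil)
	return &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxy)}, Jar: jar}
}

func readBody(resp *http.Response) string {
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(b))
}

// HotspotLogon probes for the portal redirect, submits the credentials in the
// background (no browser window) and re-probes to confirm Internet access.
func HotspotLogon(client *http.Client, user, pass string) (string, error) {
	noFollow := *client // see the redirect instead of following it
	noFollow.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := noFollow.Get(probeURL)
	if err != nil {
		return "", err
	}
	if body := readBody(resp); resp.StatusCode == http.StatusOK && body == "ok" {
		return "already online", nil
	}
	loc := resp.Header.Get("Location")
	if resp.StatusCode/100 != 3 || loc == "" {
		return "", errors.New("no portal redirect and no Internet access")
	}
	loginURL, err := resp.Request.URL.Parse(loc) // Location may be relative
	if err != nil {
		return "", err
	}
	resp, err = client.PostForm(loginURL.String(), url.Values{"username": {user}, "password": {pass}})
	if err != nil {
		return "", err
	}
	readBody(resp)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("portal rejected logon: %s", resp.Status)
	}
	resp, err = client.Get(probeURL)
	if err != nil {
		return "", err
	}
	if readBody(resp) != "ok" {
		return "", errors.New("still behind the portal after logon")
	}
	return "logged on via " + loginURL.Host, nil
}

func main() {
	ap := NewFakeHotspot("guest", "s3cret")
	defer ap.Close()
	fmt.Println(HotspotLogon(NewHotspotClient(ap.URL), "guest", "s3cret"))
}
```

The first probe deliberately does not follow redirects: the Location header is the only signal that a portal is in the way, and following it blindly would make "online" and "captured" look the same.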
... is faded, the most important information on data transfer statistics and security can be seen in the statistics field of the monitor (see Window > Show Statistics).

Time Online: Indicates the total time that the PC has actually been connected to the destination, regardless of any timeouts (disconnects). The value is reset to zero either when you reboot your PC or when you change the destination.
Timeout: The Client Monitor displays the time remaining until the next timeout (disconnect) occurs; the countdown begins immediately after the last exchange of data over the link, including any handshaking (see Phonebook > Line Management).
Direction: Indicates the current direction of communication: Out (an outbound or outgoing call is being executed) or In (an inbound or incoming call is taking place).
Speed: The displayed number varies with the current data throughput.
Multilink: If a connection is established via several ISDN B-channels, this is shown in the statistics.
Media Type: The following media types are supported: ISDN, Modem, LAN over IP, xDSL (PPPoE), xDSL (AVM PPP over CAPI), GPRS and PPTP.
Compression: Compression is always defined by the gateway. IPsec compression is displayed as "IPSec Compression (LZS)".
Encryption: The encryption type in use is
... is the default setting. If the check mark is removed from the checkbox, a different browser can be specified in the form PROGDIR\Mozilla Firefox\firefox.exe. In addition, the MD5 hash value of the browser .exe file can be determined and entered in the MD5 Hash field. In this way the system ensures that a HotSpot connection is only established with this browser. Under Start Page Address the start page described above is entered in the form http://www.mycompagnie.de/error.html.

4.2.12 Profile Settings Backup

If a profile settings backup has not yet been generated, for instance after a first installation, a first backup NCPPHONE.SAV is created automatically.
Create: A profile settings backup containing the configuration up to this point is created after each click on the Create menu item and a confirmation prompt.
Restore: The last profile settings backup is read in after each click on Restore. Changes to the configuration made since the last backup are thus lost.

4.3 Log

This feature automatically logs (records) all communication transactions, but not the data passing through the Client. Selecting the Log function opens the logbook window. The contents of the log are stored in memory. [Screenshot: log window with timestamped entries such as "19.05.02 17:17:26 IpAddress 000.000.000.000" and "PriDNS ...".]
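The browser check behind the MD5 Hash field, as an added example that is not NCP's code: hash the configured executable and accept the HotSpot browser only if the hash still matches. The "browser" here is a constructed temporary file, and the hash values are those of that file, not of any real browser. MD5 is what the field stores; it still catches a replaced or patched binary, but an attacker who can choose both files can produce MD5 collisions, so where a client offers a SHA-2 field that is the one to use.

```go
// Added example (not NCP's code): the browser check behind the MD5 Hash field.
// The "browser executable" is a constructed temporary file.
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// FileMD5 returns the lowercase hex MD5 of a file, streaming it so a large
// executable is not read into memory at once.
func FileMD5(name string) (string, error) {
	f, err := os.Open(name)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := md5.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BrowserAllowed reports whether the executable at exePath still matches the
// MD5 recorded for the HotSpot browser. The recorded value may be upper or
// lower case; the comparison runs in constant time.
func BrowserAllowed(exePath, configuredMD5 string) (bool, error) {
	got, err := FileMD5(exePath)
	if err != nil {
		return false, err
	}
	want := strings.ToLower(strings.TrimSpace(configuredMD5))
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1, nil
}

// WriteFakeBrowser creates a stand-in "firefox.exe" with the given bytes in a
// fresh temporary directory and returns its path (constructed test data).
func WriteFakeBrowser(content string) (string, error) {
	dir, err := os.MkdirTemp("", "hotspot-browser")
	if err != nil {
		return "", err
	}
	p := filepath.Join(dir, "firefox.exe")
	return p, os.WriteFile(p, []byte(content), 0o755)
}

// OverwriteFile simulates a replaced or patched binary at the same path.
func OverwriteFile(p, content string) error {
	return os.WriteFile(p, []byte(content), 0o755)
}

func main() {
	exe, err := WriteFakeBrowser("abc") // MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(exe))
	ok, err := BrowserAllowed(exe, "900150983CD24FB0D6963F7D28E17F72")
	fmt.Println("browser accepted:", ok, err)
	OverwriteFile(exe, "abcd")
	ok, err = BrowserAllowed(exe, "900150983cd24fb0d6963f7d28e17f72")
	fmt.Println("browser accepted after change:", ok, err)
}
```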
... issuer certificate, the issuer's fingerprint can also be entered if it is known.

Use SHA1 fingerprint: The algorithm for fingerprint generation can be either MD5 (Message Digest 5) or SHA1 (Secure Hash Algorithm 1).

Further certificate checks
In addition to verifying the content of the certificate, the Secure Client performs certificate checks in several further respects:

1. Selection of the CA Certificates
The corporate network administrator specifies which certificate issuers can be trusted. This is done by copying the CA certificates of his choice into the Windows directory ncple\cacerts. The copying can be automated in a software distribution with diskettes if the issuer certificates are located in the root directory of the first diskette at installation. Afterwards, issuer certificates can be distributed automatically via the Secure Update Server, or, if the user has write authorization for the designated directory, the user can place them there himself (see Display CA Certificates).
The formats .pem and .crt are supported for issuer certificates. They can be viewed in the monitor under Connection > Certificates > Display CA Certificates.
When the certificate of the other side is received, the client determines its issuer and then searches for the issuer certificate first on the smart card or in the PKCS#12 file, and then in the NCPLE\CACERTS directory
... license key and serial number. After successful verification, the NCP Secure Entry Client software is enabled as a full version.

Offline Activation
The licensing information is entered and used to generate an activation data file (step 1), which must then be submitted via the browser to the NCP activation server. The Activation Server responds with an activation code, which is needed in step 2 to enable the full version. (In the online variant an assistant forwards the licensing data to the web server immediately after entry, and the software is released immediately.)

After selecting the type of activation, enter the license data in the appropriate fields (License Data: "Please insert license data") and click Next.

Online Variant
With the online variant the license data is transmitted to the NCP Activation Server over an Internet connection. This Internet connection can be established either via the Data Communications Dialer (e.g. via DSL) or via the Entry Client. If the Internet connection is not set up via the Entry Client, the connection must first be established before the activation assistant is started via the Monitor menu
... network, the window for network selection is displayed ("Please select a network from the list"). The desired network can be selected from the list. If a new network search is not desired every time the Monitor is called up, this function, which is active by default (Always rescan networks), must be switched off via the check box.

The connection setup can be executed exactly as in the stationary network (see Connection setup in the Client Software Manual); alternatively the connection can be set up in the modes automatic, manual or alternating. The connection type is displayed in green on the left (in the screenshot: profile L2Sec Test, Signal 46, GPRS/UMTS, T-Mobile D).

Once the connection is set up you can work in the same way as in your local corporate network. This also applies if the card automatically switches from the connection medium UMTS to GPRS because of low field strength; in this case the connection remains intact. If the field strength increases again, the card automatically switches back.
... a new license key is generated by entering the serial number and the update key, which can be purchased locally from the reseller, on the following website: http://www.ncp.de/english/services/updkeys/index.html

The software update is always free of charge if the newer version is a service release; this is indicated by a change of the second decimal place. For example, if version 8.26 is installed and the next software version has the number 8.27, then the update from 8.26 to 8.27, as well as use of the new features, is free of charge. The new features can be used as soon as the new software has been installed, without activation with a new license key. A service release contains bug fixes, extended hardware support and compatibility extensions.

4.7.1 Software Updates

Software Update Wizard: After you have selected the menu item, the adjacent window appears ("Welcome to the software update wizard"). To check for new updates you need an Internet connection. If the Entry Client is used to set up the Internet connection, make sure that port 80 for HTTP is released if the firewall is active.

If a proxy server is configured in the operating system, these settings can be transferred (in the screenshot: Proxy server 62.153.165.41, Port). If the prox
... official IP addresses by the software. On the one hand this saves official Internet addresses, which are not available in unlimited numbers; on the other hand NAT establishes a certain protection (firewall) for the LAN.

IPCP: Internet Protocol Control Protocol.
IPsec: IETF standards RFCs 2401 to 2412 (December 1998).
IPX: Internet Packet Exchange; NetWare protocol from Novell.
IPXCP: Internetwork Packet Exchange Control Protocol.
ISDN: Integrated Services Digital Network. A digital network that integrates all narrow-band communication services (for example telephone, telex, fax, teletext, videotext), consisting of channels with a transfer speed of 64,000 bit/s. A basic connection in the so-called narrow-band ISDN has three transmission channels: B1 (64,000 bit/s), B2 (64,000 bit/s) and the D channel (16,000 bit/s). The total transmission rate is 144,000 bit/s. By the end of the millennium this network was to be extended uniformly throughout Europe. The specifications for ISDN are worked out by ITU and CEPT.
ISDN Adapter: The products of the NCP Arrow family are ISDN adapters. They make it possible to connect existing non-ISDN-capable terminals to the ISDN network. The adapter handles the software and hardware adaptation of the terminal interface to the ISDN interface. An ISDN adapter with Upo terminal interface enables the conversion of the ISDN two-wire
... on the Configure button. A window opens and displays the following parameter folders on the left side: Basic Settings, Dial-Up Network, Modem, Line Management, IPSec General Settings, Identity, IP Address Assignment, Remote Networks, Certificate Check, Firewall Settings. When one of the folders is selected, the associated parameters are displayed (see 4 Configuration Parameters).

OK (Profile): Clicking OK in the configuration window concludes the configuration of a profile. The new or modified profile is then available in the monitor; it can be selected there, and a connection to the corresponding destination can be established via Connection > Connect.

Duplicate Profile: You may want to use an existing profile as the basis of a new one, perhaps with slight modifications. To do so, first select the profile to be duplicated and then click the Duplicate button. The Basic Settings parameter folder opens. Enter a new name for the profile and click OK. A new profile is created with parameters identical to the duplicated profile except for the Profile Name. Important: it is not possible to have two or more profiles with identical names; each profile must be as
In order to be able to communicate with the Client Software, either Microsoft Windows 2000, Windows XP or Windows Vista must be installed on your PC (min. 128 MB RAM). During the installation you are asked to have your disks ready, as they are needed to update your PC's driver database files; please insert them when prompted to do so.

Remote Destination
The parameters of the remote destination must be entered in the profile settings. In order to communicate with the remote destination, it must support one of the following media types: ISDN, PSTN (analog modem), LAN over IP or PPP over Ethernet.

Local System
One of the following communication devices and its respective drivers must be properly installed on the Client Software PC:

ISDN adapter (ISDN): The device (e.g. internal or external adapter) must support the ISDN CAPI 2.0 kernel-mode standard. When using PPP Multilink the software can bundle up to 8 ISDN B-channels. Any ISDN device supporting ISDN CAPI 2.0 can be used; please check your device to be sure that such a driver is available. The Client Software does not support TAPI-based ISDN devices.
Analog Modem (Modem): The Client Software can communicate with any industry-standard analog PC modem, provided that it and the modem drivers have been installed properly and the modem initialization string and the COM port definition for the modem are correct. The modem has to support Hayes AT
... other side: if the extendedKeyUsage extension is present, the intended purpose must contain SSL Server Authentication. This also applies to callback to the Client via VPN.

subjectKeyIdentifier / authorityKeyIdentifier
A key identifier is an additional ID (hash value) to the CA name on a certificate. The authorityKeyIdentifier (SHA1 hash over the issuer's public key) on the incoming certificate must agree with the subjectKeyIdentifier (SHA1 hash over the owner's public key) on the corresponding CA certificate. If no such CA certificate is found, the connection is rejected. The key identifier designates the public key of the certification authority and thus, if required, not just one certificate but a series of certificates. Using the key identifier allows greater flexibility in determining a certificate path. In addition, certificates that carry the authorityKeyIdentifier extension do not need to be revoked if the CA issues a new certificate while its key remains the same.

3. Checking Revocation Lists
The Secure Server can be provided with the associated CRL (Certificate Revocation List) for each issuer certificate. It is copied into the Windows directory ncple\crls. If a CRL is present, the Secure Client checks whether incoming certificates are listed in it. The same applies to an ARL (Autho
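The checks described in the two passages above (the MD5/SHA1 issuer fingerprint from "Use SHA1 fingerprint", the extendedKeyUsage rule, the authorityKeyIdentifier/subjectKeyIdentifier match and the CRL lookup), carried out with Go's crypto/x509 as an added example that is not NCP's code. The CA, the gateway certificate and the CRL are generated by the program itself and are constructed test data; Go derives the subjectKeyIdentifier as the SHA1 hash of the public key, which is the same definition the manual gives. One check is added beyond the text: the CRL's own signature is verified against the issuer before its entries are trusted, because a revocation list that anyone could have written is no protection.

```go
// Added example, not NCP's code: the certificate checks described above, done with
// Go's crypto/x509 on a CA, a gateway certificate and a CRL the program itself generates.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Fingerprint hashes the DER encoding with SHA1 or MD5 ("Use SHA1 fingerprint").
func Fingerprint(cert *x509.Certificate, useSHA1 bool) string {
	if useSHA1 {
		s := sha1.Sum(cert.Raw)
		return hex.EncodeToString(s[:])
	}
	s := md5.Sum(cert.Raw)
	return hex.EncodeToString(s[:])
}

// CheckIncoming applies the checks to the other side's certificate: issuer lookup
// by key identifier, issuer signature, extendedKeyUsage and CRL.
func CheckIncoming(incoming *x509.Certificate, caCerts []*x509.Certificate, crl *x509.RevocationList) error {
	var issuer *x509.Certificate
	for _, ca := range caCerts {
		if len(ca.SubjectKeyId) > 0 && bytes.Equal(incoming.AuthorityKeyId, ca.SubjectKeyId) {
			issuer = ca
		}
	}
	if issuer == nil {
		return errors.New("no CA certificate with matching subjectKeyIdentifier")
	}
	if err := incoming.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("issuer signature invalid: %w", err)
	}
	// extendedKeyUsage, if present, must contain SSL Server Authentication.
	serverAuth := len(incoming.ExtKeyUsage) == 0
	for _, u := range incoming.ExtKeyUsage {
		serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		return errors.New("extendedKeyUsage lacks SSL Server Authentication")
	}
	// A CRL is consulted only if present, and only after checking that the issuer signed it.
	if crl != nil {
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("CRL signature invalid: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(incoming.SerialNumber) == 0 {
				return errors.New("certificate is listed in the CRL")
			}
		}
	}
	return nil
}

// BuildTestPKI returns a one-element CA list, a gateway certificate issued by that CA
// and the CA's CRL; serverAuth selects the gateway EKU, revoked lists its serial on the CRL.
func BuildTestPKI(serverAuth, revoked bool) ([]*x509.Certificate, *x509.Certificate, *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	gwPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuer CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)))) // SKI derived from the key
	eku := x509.ExtKeyUsageClientAuth
	if serverAuth {
		eku = x509.ExtKeyUsageServerAuth
	}
	gwTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "vpn-gateway.example"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	gw := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, gwTmpl, ca, gwPub, caKey)))) // AKI copied from the CA's SKI
	revokedSerial := big.NewInt(99)
	if revoked {
		revokedSerial = gwTmpl.SerialNumber
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedSerial, RevocationTime: now}}}, ca, caKey))
	return []*x509.Certificate{ca}, gw, must(x509.ParseRevocationList(crlDER))
}
```

The order matters: the issuer is located by key identifier and its signature verified first, so the EKU and CRL decisions are only ever made about a certificate that really came from a trusted CA.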
... profile settings under IPSec Settings > Gateway.

Authentication on the VPN Gateway: The necessary parameters are in the profile settings under Identity. Extended Authentication (XAUTH) is always used. User ID and password are either read from the configuration under these parameters or taken from the certificate. The certificate to be used is configured in the Monitor menu under Configuration > Certificates, and the issuer certificate of the selected gateway must agree with the user certificate.

Encryption: Either a pre-shared key or the private key from a certificate is used to authenticate the key exchange on which the encryption rests. Both alternatives are set in the profile settings under Identity. If the pre-shared key is used, the Shared Secret must be entered there; if not, the certificate is used automatically. The gateway specifies which encryption is used.

Compression: Compression is only used if the gateway also supports it. The compression settings are made in the profile settings under Use Extended IPSec Options > IP Compression.

4 Using the Client Monitor

The description follows the menu items in the menu bar, which consists of the following items from left to right:
- Connection
- Configuration
- Log
- Window
- Help
74. routing, the tables have been firmly defined. In dynamic routing the router receives information about the network through router information protocols (for example RIP, NLSP, OSPF) that is collected and continuously updated in self-learning router tables.

RSA: The first procedure that fulfilled the demands of public key cryptography. Invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman.

SHA: Secure Hash Algorithm; see also Signature.

Signature: A digital signature requires the generation of a mathematical link between the document and the secret personal signature key of the participant. The document sender generates a checksum, the so-called hash value; this he in turn encrypts with his secret key and thus creates a digital signature in addition to the original document. The document recipient can check the signature with the sender's public key by constructing on his side the hash value from the message and comparing it to the encrypted signature. Because the sender's signature is directly bound into the document, every later modification would be noticed. Also, interception or eavesdropping of the signature through data interception is to no avail. The digital signature cannot be emulated or copied because it uses the secret key. It is impossible to determine the secret key from the signature.

Smartcard: If you use the functionality of the Smartcard after CHAP Authentication (User ID and Password), then the Strong A
75. same time the traffic lights change from red to green. The green traffic light denotes an established connection and occurring costs.

3.1.4 Symbols of the Monitor: The Client's Monitor interface has been informatively designed with icons. They provide information about the current status of the connection or about specific configured features via appearance and color. The traffic light icon is always visible when the Client starts. If you minimize (close) the Monitor, this icon will be displayed in the taskbar. Double-click on this icon to re-open the Monitor. The traffic light icon only disappears when the Monitor is closed. The other icons are described in detail on the following pages: Firewall, EAP Authentication, Chip Card Reader, PIN Status, Dial-in, Authentication, Encryption, Compression.

In addition, either a WLAN panel or a UMTS/GPRS panel will be displayed in the monitor, depending on configuration and installation of a multifunction card. Figure callouts: display of the field strength; symbol for WLAN or HotSpot below; in the UMTS/GPRS panel you can select the desired data transmission process by clicking on the respective label, after which the icon will be displayed in green; display of the WLAN or of the HotSpot; button for network search (UMTS/GPRS) or profile selection (WLAN).
76. security. IPSec tunneling and security are thoroughly described, making a complete VPN framework available. In principle it is possible to use vendor-independent components: for site-to-site VPNs the gateways may be supplied by different manufacturers; for end-to-site gateways the clients may be supplied by another manufacturer. The establishment of a connection for IPSec traffic is based on the Internet Key Exchange Protocol (IKE).

IPSec General Functional Description: In every IP host (client or gateway) that supports IPSec there is an IPSec module, i.e. an IPSec engine. This module examines each packet for certain characteristics in order to apply the appropriate security negotiation to it. Testing of the outgoing IP packets from the IP stack occurs relative to a Security Policy Database (SPD). With this, all configured SPDs will be processed. When using the IPSec Client the SPDs are only stored at the central site gateway. The SPD consists of multiple entries (SPD entries), which in turn contain a filter portion. The filter portion, or Selector, of an SPD entry consists primarily of IP addresses, UDP and TCP ports, as well as other IP header specific entries. If the values of an IP packet agree with the values from the SPD entry (Selector portion), then further determination as to what should be done with this IP packet is made from the SPD entries. The packet can simply be allowed through (permitted), or discarded, or certain secur
77. size should not exceed 64 kByte.

Additional Configuration Settings in the Registry: Additional settings for the Update Client can be made in the file ncpmon.ini under the header [RWSRSU].

Registry Entry: Meaning
- RsuPort: Port for the TCP connection to the Management Server. Standard is 1250. The port must agree with the RsuPort in the file NCPRSU.CONF on the Management Server.
- RsuLogLevel: If this entry exists, then extended log outputs are generated in the file <installdir>\RWSRSU.LOG. Permitted values are 0 to 9.
- RsuLogFileSize: Maximum size of the log file in bytes. Standard is 200,000 bytes.
- RsuAutoAnswer: This setting can also be changed with <installdir>\rwscmd rwsautoanswer. If this entry is present, then you can determine how the Update Client will handle the update when a software update is ready to be provided: 0 = off (standard): the question as to whether an update should be executed is displayed for the user, who selects yes or no. 1 = yes: all updates are executed automatically without asking the user. 2 = no: the update will not be executed.

2.2.2 Automating the Initial Logon: For a rollout, the initial logon (initialization logon) of the Client on the Management Server can be automated via batch files. User inputs that he gets from the information in the PI
78. then the connection will not be established.

No Root Certificate found: If no CA certificates are present in the installation directory under CACERTS, then a connection that implements certificates is not permitted.

Display and analysis of extensions for incoming certificates and CA certificates: Certificates can contain extensions. These serve for the linking of additional attributes with users or public keys that are required for the administration and operation of the certification hierarchy and the revocation lists. In principle, certificates can contain any number of extensions, including those that are privately defined. The certificate extensions are written into the certificate by the issuing certification authority. Three extensions are significant for the IPSec client and the gateway:
- extendedKeyUsage
- subjectKeyIdentifier
- authorityKeyIdentifier

Display of extensions: To display the extensions of an incoming or CA certificate, proceed as follows. The CA certificate whose extensions should be displayed has to be opened by a double-click in the window of CA certificates. Upon doing so, the next window with general information is opened. For the incoming certificate this window is already opened after View Incoming Certificate was selected in the certificate menu. (Figure: certificate window showing Subject Key Identifier 24 AE 60 BF D1 F9 63 F6 14 AF CF
79. wed in the monitor under the menu item Connection > Certificates > Display CA Certificates. If the issuer certificate of the other side is received, then the NCP Secure Client determines the issuer, then searches for the issuer certificate first on the Smart Card or in the PKCS#12 file and then in the NCPLE\CACERTS directory. If the issuer certificate cannot be found, then the connection cannot be established. If no issuer certificates are present, then no connection will be permitted.

7.3.2 Check of Certificate Extensions: Certificates can contain extensions. These serve for the linking of additional attributes with users or public keys that are required for the administration and operation of the certification hierarchy and the revocation lists. In principle, certificates can contain any number of extensions, including those that are privately defined. The certificate extensions are written into the certificate by the issuing certificate authority. Three extensions are significant for the Secure Client and the Secure Server:
- extendedKeyUsage
- subjectKeyIdentifier
- authorityKeyIdentifier

extendedKeyUsage: If the extendedKeyUsage extension is present in an incoming user certificate, then the Secure Client checks whether the defined extended application intent is SSL Server Authentication. If the incoming certificate is not intended for server auth
80. with which the system may communicate. Any IP address: permits communication with any IP address of the other side without limitation. Explicit IP address: only allows communication with the IP address on the other side specified here. Several IP addresses / IP ranges: permits communication with different IP addresses on the other side according to the entries.

With the settings under Remote Ports you can specify the ports via which communication with remote systems is permitted. Any port: sets no limitations whatsoever relative to the destination port for outgoing packets or the source port for incoming packets. Explicit port: only allows communication via the specified port, if this port is present as destination port in the outgoing data packet or as source port in the incoming packet. If, for example, a rule only permits Telnet to a different system, then port 23 must be entered here. Several ports / ranges: can be used if multiple ports will be used for a rule, e.g. FTP (ports 20 and 21).

Firewall rule, Applications: Assign the rule to a certain application. (Figure: Firewall Rule dialog with the tabs General, Local, Remote and Applications, and the option Define an application for this rule.)
81. with UDP-based DNS service. Because Stateful Inspection filters can note the current status and context information of a communication relationship, it is necessary that source and destination address as well as source and destination port, and also the DNS header in the query packet, be included when saving the status and context information. The system executes an interpretation on the application layer.

Example: An incoming connection to port 21 of a computer is an FTP connection for a pure port filter; an additional test does not take place. On the other hand, the Stateful Inspection filter additionally checks whether the data transferred via this connection belong to an established FTP connection. If not, then the connection will be disconnected immediately. In addition, a Stateful Inspection filter is able to adapt rules depending on necessary communication processes. If, for example, an outgoing FTP connection is allowed, then the firewall also automatically enables the establishment of the associated reverse channel. The corresponding information (ports) is read out of the control connection.

One advantageous aspect of Stateful Inspection filters is the capability to check the data on all protocol layers, that is, from the network layer to the application layer. Thus, for example, an FTP GET can be allowed while an FTP PUT can be prohibited. A positive effect of the increased intelligence relative to conventional packet filter
82. yellow signal lamps, and the automatically selected one with a green signal lamp. For configuration purposes note the description of Automatic Media Detection in the parameter folder Destination System of the phonebook.

4.1.7 Certificates: In the pulldown menu Connection you will find the entry Certificates, which consists of the following submenus: Configuration, View Issuer Certificate, View Client Certificate, View Incoming Certificate and Display CA Certificate. Certificates are normally created by a CA (Certification Authority) utilizing some sort of PKI-based architecture, and they may be implemented on a Smart Card in addition to a digital signature. Such Smart Cards represent an individual personal identity card.

View Issuer Certificate: In order to view the Issuer Certificate, select Connection > Certificates > View Issuer Certificate. Upon doing so, the individually assigned data will be displayed (read only) for your review purposes. Certificate Authority: The CA and the issuer of an Issuer Certificate are normally identical (self-signed certificate). The CA of the Issuer Certificate has to be identical with the CA of the Client Certificate (see View Client Certificate). Serial Number: The serial number of the certificate can be compared with the registered serial number in the R
83. 00, 9600, 19200, 38400, 57600 and 115200.

Release Com Port: If you are using an analog modem for communications in conjunction with the IPSec client, it may be desirable upon conclusion of each communications session to release the Com Port for other communication applications (e.g. Fax, Answering Machine). As long as this parameter is set to OFF (factory default setting), the Com Port will be assigned exclusively to the Secure Client and no other application will be able to use it.

Modem Init String: AT commands can be required depending on the mobile (cellular) phone or modem and the link mode. For these commands refer to the respective user manual or obtain the information from your telco or provider. Complete each command with <cr> (Carriage Return).

Dial Prefix: This field is optional. Normally it will not be necessary to enter anything in this field, provided that your modem has been properly installed and is available to the client as a standard communications driver. However, if it is desirable to enter a Dial Prefix, refer to your modem manual for more detailed information. Following are some examples of Dial Prefixes: ATDT, ATDP, ATDI, ATDX.

APN: The APN (Access Point Name) is required for the GPRS and UMTS dial-in. You obt
84. 197, 198
Extension checks: 60
Extension (certificate): 60, 167
External Applications: 96, 100
External Dialer: 133
F
Fingerprint: 56
Firewall: 45
Firewall Settings: 70, 185
Firewall, Basic Settings: 72
Firewall Logs: 84
Firewall Options: 82
Friendly Networks (Firewall): 80
G
Gateway (IPSec): 149
Gateway (IPSec): 149
GPRS: 23, 132
GPRS/UMTS: 23
GSM: 23
H
Hardware Certificate: 57
Hash: 153
Hash (IKE Policy): 153
HotSpot Logon: 50
HSCSD: 23
HTTP Authentication: 147
HTTP Authentication Script: 140
HTTP Logon: 139
I
ID (Identity): 158
Identity: 158
IKE Config Mode: 161, 194
IKE Policy: 149, 152, 186
Inactivity Timeout: 145
Incoming certificate: 58
Incoming certificate
85. 35 1D FD B5. (Figure: certificate window showing Authority Key Identifier, Key 24 4E 60 BF D1 F9 63 F6 14 4F CF 35 1D FD B5, Serial Number 00.) The window General displays the general certificate data. The window Extensions displays the certificate extensions, if available.

Extension checks:

KeyUsage: If the KeyUsage extension is contained in an incoming certificate, then it will be verified. The following KeyUsage bits are accepted: Digital Signature; Key Encipherment (key transport, key management); Key Agreement (key exchange process). If one of the bits is not set, then the connection is interrupted.

extendedKeyUsage: If the extendedKeyUsage extension is present in an incoming user certificate, then the Secure Client checks whether the defined extended application intent is SSL Server Authentication. If the incoming certificate is not intended for server authentication, the connection will be refused. If this extension is not present in the certificate, it will be ignored. Please note that the SSL server authentication is direction-dependent. This means that the initiator of the tunnel establishment checks the incoming certificate of the other side, which, if the extendedKeyUsage extension is present, must contain the intended purpose SSL Server Authentication. This applies also for a callback to the Client via VPN. Exception: For a s
86. interface. UP0: range 3 to 5 km. S0: bus-capable ISDN 4-wire interface, range 150 m with ISDN TK equipment in accordance with Telekom Guidelines.

ISP: Internet Service Provider.

ISO/OSI Reference Model: The ISO standardized model that describes communication in 7 layers: 7 Application Layer, 6 Presentation Layer, 5 Session Layer, 4 Transport Layer, 3 Network Layer, 2 Data Link Layer, 1 Physical Layer. Data transmitted in a network are processed consecutively (7 to 1, as above). The order is reversed on the receiver side.

L2F: Tunnel VPN protocol (Layer 2 Forwarding).

L2TP: Tunnel VPN protocol (Layer 2 Tunneling Protocol).

L2Sec: NCP designation; functional description in RFC 2716.

LCP: Link Control Protocol.

LDAP: Lightweight Directory Access Protocol; see Directory Service.

MAC Address: This stands for Medium Access Control Layer Address. It is a physical address in the network.

MIB: Management Information Base.

MD5: Message Digest 5. Used to generate a hash value.

Name: Exact Internet name; it is supposed to make it easier for users to work on the Internet. The names are entered in the Internet browser and are then translated into IP addresses by the Domain Server.

NAS: Network Access System.

NetBios: Network Basic Input Output System, an interface that offers datagram and stream oriented communication.

OCSP: Abbreviation for Online Certificate Status Protocol. It is a protocol used for online verificat
87. (Figure: Windows Services list showing, among others, ncpike (Provides NCP IPSEC ..., Started, Automatic, LocalSystem) and NcpMamd (Started, Automatic, LocalSystem).) If the Auto start type change has been executed, then the command netstat -n -a can be executed again. In this case UDP port 500 should no longer be listed under the active connections.

7.3 Certificate Checks: In addition to the certificate verification according to content, a certificate check is executed on the Secure Client in many respects.

7.3.1 Selection of the CA Certificates: The corporate network administrator specifies which issuers of certificates can be trusted. This is done by copying the CA certificates of his choice into the ncple\cacerts Windows directory. The copying over can be automated with diskettes in a software distribution if the issuer certificates are located in the root directory of the first diskette at installation. Afterwards, issuer certificates can be automatically distributed via the Secure Update Server (see Update Server Manual), or, if the user has the requisite write authorizations in the designated directory, they can be set by the user himself (see Display CA Certificates). The formats .pem and .crt are supported for issuer certificates. They can be vie
88. Automatic mode: In this case it is not necessary to configure the IPSec policy with the policy editor. It will be assigned by the destination. ESP-3DES-MD5 (or other policy name): When selecting the name of a pre-configured IPSec policy, the same policies with their affiliated proposals should be valid for all users. This means that on the client side as well as on the server side the same proposals for the policies should be available.

Exch. mode: The Exchange Mode determines how the Internet Key Exchange should proceed. Two different modes are available: Main Mode, also referred to as Identity Protection Mode, and Aggressive Mode. These modes are differentiated by the number of messages and by their encryption. Main Mode: in Main Mode (standard setting) six messages are sent over the Control Channel and the last two messages are encrypted. The last two messages contain the username and the signature or a hash value. This is why it is also known as Identity Protection Mode. Aggressive Mode: in Aggressive Mode only three messages are sent over the Control Channel and nothing is encrypted.

PFS group: With the selection of one of the offered Diffie-Hellman groups it is determined whether a complete Diffie-Hellman (DH Group) key exchange (PFS, Perfect Forward Secrecy) should occur in Phase 2 in addition to the SA negotiation. The standard is none.
89. Destination: Initial Configuration Assistant. If you use the assistant, click on Next. If selected, then an IPSec test destination will be added to the client's phonebook and the assistant will guide you through the definition of generic parameters. The following access data are created automatically: the VPN protocol is IPSec; the Tunnel Endpoint of the VPN gateway is 62.153.165.36; XAUTH user ID and password is ncpipsecnative; the link type is LAN. If a connection via an ISP should be established, the parameters for dial-up must be configured in the profile settings. (Figure: Initial Configuration Assistant, Create test connections.)

Setting up the variant with strong security, you can use a test certificate (Select certificate type). The PIN of the test certificate is 1234 and must be entered when establishing the connection. (Figure: Later you will be prompted for the PIN of the certificate. The PIN is 1234.)

Once you have saved the test configuration, you can immediately set up a test connection in LAN mode by clicking the Test button. (Figure: Test connection finished. The configuration is now completed. You may add additional destinations in the phonebook if this is required. Please select the destination to be used for test purposes: Test connection IPSec native; Test.) NCP Secure Entr
90. Dir (STRING): Installation directory.
ProductName (STRING): Name of the product, e.g. NCP Secure Client.
OemVersion (DWORD): 0 = Ncp, 2 = T-Online, 4 = Dlink, 5 = LanCom, 6 = Bintec.
DisableRws (DWORD): 1 = Client is inactive, 0 = Client is active.
PrgFolder (STRING): Name of the start menu entry.
PrgVersion (STRING): Version as string, e.g. 8.01.
IconMonitor (STRING): Menu name of the monitor.
IconPopup (STRING): Menu name of the popup.
IconTracer (STRING): Menu name of the tracer.
MonVer (DWORD): 2772.
UninstKey (STRING): Name of the deinstallation key in the registry.

2. rwsrsu.exe (Update Client): The service rwsrsu.exe is used for communication between the Secure Client and Enterprise Management (formerly Update Server) and functions as Update Client. Use rwsrsu.exe to trigger an automatic update of soft certificates, configurations and software.

2.1 Functional Description: The Secure Client and Enterprise Management (formerly Update Server) are compared for each encrypted VPN connection of a Secure Client to the NCP Secure Server. This Update Service cannot be used for pure dial-in connections. If an Enterprise Management Server (Update Server) is installed and the appropriate configuration is executed, then the NCP Secure Server (VPN Gateway) sends the IP address of the Management Server (Update Server) to the Client after authenticating the Client. If the Update Client has
91. 2. Configuring a Destination System (Profiles): Create a new destination system profile in the NCP Client software. Follow the instructions provided in the Client Software Manual.

2.1 Configuring with a Wizard: Click on New Entry and follow the wizard's instructions. Afterwards you can complete the configuration in the telephone book. A connection to the corporate network is provided below as an example. An NCP Gateway is used as the destination system for this test connection. (Figure: Available Destinations dialog with the buttons Configure, New Entry, Delete, Cancel and Help.)

Basic Settings: Define the type of connection. Link to Corporate Network using L2Sec: create a link to the corporate network over a Virtual Private Network (VPN) secured by SSL Handshake within L2TP to an NCP gateway. Link to Network using IPSec over L2TP. Click on Next.

Connection Name: Enter a name for this destination system. The connection may be given a descriptive name; enter the name in the following field. Name of the connection: L2Sec Test. Click on Next.

Link type (Dial-up configuration): Select the media type of the connection. Determine how the connection to the corporate network should be established. If the internet should be used via modem, set the connection type to modem an
92. E file (e.g. the iPass dialer) will start when you press the Connect button. This EXE file must first set up the connection to the Internet and then trigger the set-up of the VPN connection to the client via RWSCMD connect. In this case our dialer works in LAN mode. This connection type will only work with manual connection setup. With connection type Ext. Dialer, in order to save yourself the trouble of entering the complete path for the dialer in the DAT file, the path can alternatively be read out of the registry. Two new INI entries have been created to detect the path for the dialer. Under DialerExec only the EXE name of the dialer must still be entered.

Example for iPass: The installation path of the iPass dialer (Software\Ipass\iPassConnectEngine) is located in the registry under InstallPath. The EXE file must be entered manually:
DialerInstallPathKey = Software\Ipass\iPassConnectEngine
DialerInstallPathValue = InstallPath
DialerExec = IPassConnectGUI.exe
Caption = iPassConnect

Automatic media detection: If different connection types are used in alternation, such as modem and ISDN, then manual selection of the destination system with the respectively available connection medium is not necessary if a destination system has been configured for Automatic media detection and
93. Duplicate: You may want to use an existing Policy or SPD as the basis for a new one, with some slight modifications. In order to do so, first select the Policy or SPD to be duplicated and then click on the Duplicate button. Upon doing so, a parameter folder will open. You must now enter a new name for this group and then click on OK. A new Policy or SPD is now created with parameters identical to those that were duplicated, except for the Name.

Delete: If you want to delete a Policy or SPD from the IPSec configuration tree, select the appropriate group and then click on the Delete button. Upon executing Delete, the Policy or SPD will be permanently deleted.

Close: When you click on Close, the IPSec folder closes and returns to the Monitor.

IKE Policy (edit): The parameters in this field relate to phase 1 of the Internet Key Exchange (IKE), with which the control channel for the SA negotiation was established. You determine the IKE mode (Exchange Mode: main mode or aggressive mode) in the Phonebook under IPSec General Settings. The IKE policies that you configure here will be listed for the policy selection. Contents and names of these policies can be changed at any time, i.e. new policies can be added. Every policy lists at least one proposa (Figure: IKE Policy dialog showing DH Group 2 (1024 Bit) and PresharedKey.)
94. ESP; UDP 4500 (NAT-T); UDP 67 (DHCPS); UDP 68 (DHCPC). This global definition saves you the set-up of dedicated single rules for the respective VPN variants. Please note that only the tunnel set-up is enabled with this. If no additional rules exist for VPN networks that permit communication in the tunnel, then no data transfer can occur via the VPN connection.

Continue to activate firewall with stopped client: If this function is selected, the firewall can also be active while the client is stopped. In this state, however, all incoming and outgoing communication is suppressed, so that no data traffic at all is possible as long as the client is deactivated. If the above-mentioned function is not used and the client is stopped, then the firewall will also be deactivated.

UDP Pre-filtering: In the default setting, when you start the Client, UDP packets will be filtered out independently of the Firewall, so that a connection to the Client PC from the outside is not possible. If you start an application with server function on the Client PC which is based on UDP data transfer (e.g. terminal applications or NTP), then this default setting can have a disturbing effect on data communication. Consequently this default setting can be switched off, or it can be limited to UDP packets of unknown networks. Always (default setting): In this switch position, when you start th
95. For EAP-TLS with certificate, the EAP user name can now be directly referenced from the certificate configuration. The following content of the configured certificate can be used by entering the appropriate placeholders in the EAP configuration: Common name: $CERT_CN; E-mail: $CERT_EMAIL. After configuration of the certificate, these placeholders are entered in the monitor menu under Configuration > EAP Options (User ID and Password). Double-click on the EAP icon to reset the EAP. Subsequently, a new EAP negotiation will be executed automatically.

4.2.8 Logon Options: The logon options are only effective once the computer has booted. Because the connection setup to the gateway occurs prior to the Windows logon, the logon to the remote domain is already encrypted and the firewall is activated.

Show connection dialog before Windows logon: The NCP Gina dialogs can be hidden via the Monitor menu without de-installing the Gina. Thus Gina concatenations that may possibly be necessary for the respective work environment remain intact. If you want to display the Gina dialog, then note that the NCP Gina must be installed in any case. This can be done in three ways: a) With the software installation: here the system asks the user if he wants to use the Windows logon via the NCP Gina. If yes, it will be installed. R
96. Hash value: The Hash value is the signature of the certificate. The Hash value is encrypted with the private key of the CA.

View Incoming Certificate: Display of the certificate that is communicated in the SSL negotiation from the other side (Secure Server). You can see, for example, whether you have accepted the issuer displayed here in the list of your CA certificates (see below). If the incoming user certificate is from one of the CAs not known from the list (Display CA Certificates), then the connection will not take place. If no certificates are stored in the installation directory under CACERTS, then no verification takes place.

Display CA Certificates: Multiple issuer certificates are supported with the client software (multiple CA support). The issuer certificates must be collected in the installation directory under CACERTS for this. In the client monitor the list of CA certificates read in is displayed under the menu item Connection > Certificates > Display CA Certificates. (Figure: CA certificate list, e.g. C=DE, ST=Bayern, L=Nuernberg, O=Test, OU=Test, CN=NCP Test CA4, Email info nep c) If the issuer certificate of the other side is received, then the client determines the issuer, then searches for the issuer certificate first on the Smart Card or in the PKCS#12 file and then in the CACERTS directory. If the issuer certificate is not known
97. 5.1.9 IP Address Assignment: (Figure: Profile Settings, Headquarters: IPSec General Settings, Identities, Remote Networks, Certificate Check, Link Firewall; address fields 0.0.0.0 and 255.255.255.0.) In this parameter field you can determine how to assign IP addresses. Moreover, the server assigned automatically by the PPP negotiation can be changed to an alternative server. Therefore the network settings of the operating system must be switched to DNS mode. Parameters:
- Use IKE Config Mode
- Use local IP address
- Manual IP address
- DNS/WINS
- DNS server
- WINS server
- Domain Name

Use IKE Config Mode: IP addresses and DNS servers are assigned via the IKE Config Mode protocol (Draft 2). All WAN interfaces can be used for the NAS dial-in. DPD (Dead Peer Detection) and NAT-T (NAT Traversal) are automatically executed in the background for IPSec Tunneling, if supported by the destination gateway. The IPSec client uses DPD to check at regular intervals whether the other side is still active. If the other side is inactive, then an automatic connection disconnect occurs. Using NAT Traversal is automatic with the IPSec client and is always necessary if network address translation is used on the side of the destination system device.

Use local IP address: In this
98. KeyIdentifier 60, 167, 197, 198
Automatic detection of Friendly Nets 81
Automatic Media Detection 24, 134
Automatic mode 149
AVM PPP over CAPI 23

B
Basic locked settings 72
Basic open settings 72
Baud rate 142
Blowfish 153
Blowfish 124 or 448 54
Bluetooth 22
Broadband Device 23

C
CA Certificate 58
Call Control 97
Call Control Manager 96
Call Control Reset 64
Call Control Statistics 64
CDP (Certificate Distribution Point) 60
Certificate Authority 56
Certificate Extensions 197
Certificate renewal 95
Certificates 56
Certificates Configuration 90
Certification Authority 56, 90
Change SIM PIN 52
Chip Card Reader 44
Client Certificate 57
Client Logon 172
COM Port 142
Communication medium 131
Compression
99. [Screenshot: Configuration > Certificates > User Certificate, with the Certificate selection None / from PKCS#12 File / from Smart Card / PKCS#11 Module]

By clicking on the menu item Configuration > Certificates you can first determine whether you want to use certificates, and thus the Extended Authentication, and where the user certificates are to be stored. The PIN entry policies and the interval of validity are specified in a second parameter field.

None: By choosing Certificate from the submenu you can determine whether or not you want to use the certificate and thus the Extended Authentication. The default value is None.

from PKCS#12 File: In order to use a soft certificate, select "from PKCS#12 File" and then define the directory path in which the PKCS#12 file is stored, so that it can be accessed. Normally you will receive this file in encrypted form from your network administrator or your CA (Certification Authority).

from Smart Card: In order to use Smart Card based certificates, select "from Smart Card" and then select the Smart Card reader from the list of supported Smart Card readers (see also > Enter PIN).

PKCS#11 Module: Select PKCS#11 Module from the list, in conjunction with Extended Authentication, in order for the respective certificate to be read from a Smart Card in a Smart Card reader or from a token.
100. Log Level: Possible values 0-9. The value determines the depth of the analysis level for the log file.

LogLevel 0
SessLogLevel 0
MgmLogLevel 0
ReplLogLevel 0
PackageLogLevel 0

LogPath log: The path is specified with the directory for the log files.

Number of days until the log entries are deleted:
LogLifetimeSecurity 90
LogLifetimeConfig 90
LogLifetimeLogins 90
LogLifetimeAdminLogins 90
LogLifetimeSystem 30
LogLifetimeTasks 90
LogLifetimeTrace 2
LogLifetimeAccounting 90
LogLifetimeSyslog 90
LogLifetimeRadius 90

Syslog:
Hosts 127.0.0.1 (syslog server hostname)
Port 514 (syslog destination port, standard 514)
Facility 20000 (facility base)
LogTrace 0 (facility base + 1)
LogConfig 0 (facility base + 2)
LogSecurity 0 (facility base + 3)
LogLogins 0 (facility base + 4)
LogAdminLogins 0 (facility base + 5)
LogSystem 0 (facility base + 6)
LogRadius 0 (facility base + 7)
ListenPort 0 (standard 514; 0 = listening disabled)

Console:
Console 0 = off
Console 1 = on

2.2.5 Update of the Update Client

A new Update Client is installed like a software package on the Management Server computer by starting UpdRW
101. Multilink: The Secure Client can bundle up to 8 ISDN B channels; in order to take advantage of this, your PC must be equipped with the necessary number of ISDN BRI (Basic Rate Interface) ports. Multilink requires that your PC be equipped with an ISDN device that supports multiple ISDN B channels. It is also necessary that the Network Access System (NAS) you are communicating with supports Multilink operation. When using PPP Multilink, additional costs will be incurred for each B channel used.

This parameter defines how additional links will be added if requested. There are 3 possible settings besides off (the default):
- off (default setting)
- Tx: links are added according to the bit rate demanded by the transmitter
- Rx: links are added according to the bit rate demanded by the receiver
- TxRx: links are added according to the bit rate demanded by both transmitter and receiver

Multilink Threshold: This parameter tells the client the bit rate, as a percentage of the current bit rate, at which a new link (B channel) is to be added. Possible settings are from 1 to 100. The default setting is 20. The threshold setting is common to both transmitter and receiver. In order for this value to take effect, Tx, Rx or TxRx must be selected under PPP Multilink.

Important: In order for PPP Multilink to work, it must be supported by the destination's Network Access System.
102. N letter, for example, can be transferred to a tool via appropriate parameters and batch files instead of interactively. Use the program rwscmd.exe (starting with Secure Client v7.21) for this automatic init user procedure, with the following commands:

rwscmd /setinituser <name> <auth code>
Writes the specified VPN user ID and the authentication code into the registry; the Update Client reads it from the registry.

rwscmd /rsuautoanswer <off|yes|no>
Notes the desired mode in the registry: off = ask the user whether a software update should be executed; yes = always execute the software update; no = do not execute a software update.

rwscmd /select "Destination Name"
Selects the specified phonebook destination.

In addition please note: After a successful init logon the Update Client checks whether the file rsuinit.bat is present in the installation directory. If this is the case, it is automatically executed after the disconnect. Note that the complete path information (e.g. when calling RWSCMD) is strictly required, as the standard path is not the installation directory.

Example: A batch file for the initial logon with the Multiple User must be started manually and can look like the following:

STARTINIT.BAT
c:\installdir\rwscmd /setinituser <name> <auth code>
c:\installdir\rwscmd /rsuautoanswer yes
c:\installdir\rwscmd /connect "Destination Name"
103. 4.2.6 Call Control Manager

[Screenshot: Configuration > External Applications, tabs Ext. Applications / Call Control. Dialog text: "Use this configuration to start applications or batch files depending on the Client Start options." Entries: C:\WINNT\ncple\RWSCMD.EXE (postcon), copy copy.bat (discon); buttons Add, Edit, Delete; options "Start default browser after connection has been established" and "Deny the start of the disconnect.bat" (this setting will be assumed after the system restart; for further information regarding the disconnect.bat see the online help); field Start page URL]

The external applications are added as described below. The sequence in which they are called (from top to bottom) can be changed with the green arrow keys. If you want to start the standard browser after the connection has been set up, activate this function and enter the website that the browser should open.

[Screenshot: Application C:\WINNT\ncple\RWSRSU.EXE; Start option: Execute after a connection has been established (postcon); option "Wait until the application is finished" (wait); buttons Help, OK, Cancel]

After you have selected the function "Start external applications or batch files", you can select an application or batch file from the computer via the Add button, so that this application or batch file will be loaded depending on the start option: Execute before connection
104. [Screenshot: Software Activation Assistant, "Please insert license data": License key, Serial number; Next]

In the following window enter the license data and click on Next.

[Screenshot: Software Activation Assistant, "Select target place of activation file": Please enter the path and name where the file should be stored; Activation file]

Enter the name and path for the activation file. The default is the installation directory of the software and the name ActiData.txt with serial number.

[Screenshot: Software Activation Assistant, state "offline activation": License key and serial number have been verified; Activation data has been generated; Activation data file has been saved; Updating the license data. "Successfully generated the Activation data file C:\WINNT\ncple\ActiData.txt. Please transfer the activation file to the NCP activation server http://www.ncp.de/english/services/license"; buttons Back, Next]

Now the activation file is created, and this file must be transferred to the Activation Server. The activation data file has been generated; this file has to be submitted to the NCP activation server via http://www.ncp.de/english/services/license. NCP web site must
105. Net where the Client is currently located has been defined in the > global firewall.

3.1.6 Connection Setup Symbols

In addition to the status displays, the graphic field of the Client Monitor also includes connection set-up icons.

[Figure: connection set-up symbols: Dial-in Internet (ISP), Service Authentication (ISP Provider, NAS), Internet Dial-in]

Symbols of the NAS Dial-in: If a dial-in to the Network Access Server or Internet Service Provider (ISP) is taking place over the Internet, the dial-in connection will be indicated by a thin yellow line. The dial-in is concluded and the connection to the ISP is established when the thin connection line is displayed in green. The NAS dial-in icons change color concurrently with the start of the connection setup. Dial-in to the ISP is displayed with a green globe; authentication at the ISP is indicated with a handshake. During the connection setup its color changes from gray to blue, then flashes green, and finally is displayed as constant green to indicate successful connection set-up. The parameters for NAS dial-in are located in the profile settings under Network Dial-In. If the profile will be used for Automatic Media Detection (see > Profile Settings > Basic Settings), then it is strictly required that you enter a user ID and a password under Network Dial-In.
106. - EAP Authentication
- HTTP Authentication

Connection Mode: You can define how the client builds a link to the destination via the profile. There are three modes to select from:

automatic (default): The Secure Client will automatically activate a connection to the profile's destination in accordance with the requirements of your application program. A disconnect also occurs automatically, provided that the Inactivity Timeout parameter is set to any value other than zero.

manual: You must manually activate a connection. Disconnect will be activated by the Inactivity Timeout, provided that this parameter has been set to any value other than zero (0).

variable: When this mode is selected the connection must be established manually. Subsequently the mode adapts according to the manner in which the connection was terminated. If the connection was terminated as a result of a timeout, then the following connection will be automatically initiated as required. If the connection was terminated manually, then the following connection must also be established manually.

Important: When setting the Connection Mode to Manual you should also set the Inactivity Timeout parameter to any value other than zero (0) in order for an automatic disconnect to be made. Otherwise you may incur unnecessary communi
107. Policy lifetimes: The lifetimes of the policies defined here are applicable to all the policies.

Duration: The number of kbytes or the size of the time interval can be adjusted.

Policy editor: This menu item is clicked for configuring policies and, if necessary, a static Secure Policy Database.

[Screenshot: IPSec Configuration tree: IKE Policy (Pre-shared Key, RSA Signature), IPSec Policy (ESP-3DES-MD5), Secure Policy Database]

A configuration window will open displaying the branch with the policies and the Secure Policy Database, as well as buttons for operation in the right-hand part of the configuration window. Use the mouse to select the policy whose values are to be modified; the buttons will then be active. The default values of the policies can be edited, i.e. the parameters can be set or modified according to the requirements for the link to the defined destination.

Configure: If you want to change any Policy or SPD data and parameters, start by selecting the appropriate name and then click on the Configure button. Upon doing so a folder opens and displays the IPSec parameters.

New Entry: In order to define a new Policy or SPD, select one of the Policies or the SPD and click on New Entry. The new Policy/SPD is entered. All parameters are assigned a default value except the Name.
108. Smart Card Reader: In order to use the Smart Card's certificate with your card reader, select the respective Smart Card reader from the list (see also > PIN Entry).

Smart Card reader (PC/SC conform): The Client Software automatically supports all PC/SC conform Smart Card readers. The Client software automatically recognizes the Smart Card reader each time the PC is rebooted. Thereafter the installed Smart Card reader can be selected and used as required.

Smart Card reader (CT-API conform): Together with the current Client Software the following drivers are included: for the SCM Swapsmart and the SCM 1x0 PIN Pad reader. In the event that the Smart Card reader does not work together with the drivers that are included, or another Smart Card reader is installed, then please contact the respective manufacturer. Also make the following settings in the Client Software: Edit the file NCPPKI.CONF, which is located in the installation directory, by entering the ReaderName of the Smart Card reader (xyz) connected to your PC, and enter as DLLWIN95 or DLLWINNT the name of the installed driver. For operating systems based on Windows NT, like Windows 2000 and Windows XP, the module name DLLWINNT has to be used. The default name for CT-API conform drivers is CT32.DLL.

ReaderName = SCM Swapsmart (CT-API) -> xyz
DLLWIN95 = scm20098.dll -> ct32.dll
DLLWINNT = scm200nt.dll -> ct32.dll

The ReaderName will be displayed in th
109. PIN guidelines that must be complied with during PIN entry or PIN change:

[Screenshot: User Certificate > PIN Policy > Certificate renewal. Options: Minimum number of characters; PIN must contain only numeric characters; PIN must contain a non-alpha character; PIN must contain a lowercase character; PIN must contain a numeric character; PIN must not repeat a character more than half the length of the password]

Minimum number of characters: Standard is a 6-digit PIN. An 8-digit PIN is recommended for security reasons.

Further policies: It is recommended to implement all PIN policies other than the one specifying that only numbers may be contained. Additionally the PIN should not begin with a number. The specified policies are displayed when the PIN is changed, and the policies that the entered PIN already fulfils are highlighted in green (see Change PIN).

Certificate renewal: In this configuration field you can specify whether a message is given out that warns of the expiration of validity, and you can specify how many days before the certificate validity expiration this message should go out. As soon as the set time frame before expiration goes into effect, a message will appear each time a certificate is used, indicating the expiration date of the certificate.

[Screenshot: User Certificate > PIN Policy > Certificate renewal: "30 days before certificate expiration warning"]
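As an added example (not part of the NCP manual), the following Python function implements the PIN rules listed above as a checker that reports every violated rule, including the manual's two recommendations (8 characters, no leading digit). Which rules are switched on is a constructed choice for illustration; the product's own enforcement is not shown here.

```python
"""PIN policy checker modelled on the PIN policy options listed above.

Added example, not part of the NCP manual: the rule set mirrors the listed
checkboxes plus the manual's recommendations (8 characters, do not start
with a number). Which rules are active is a constructed choice here.
"""
from typing import List


def check_pin(pin: str, min_length: int = 8, numeric_only: bool = False,
              no_leading_digit: bool = True) -> List[str]:
    """Return the list of violated policy rules (empty means the PIN passes)."""
    violations = []
    if len(pin) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if numeric_only:
        # The "only numeric characters" policy replaces the mixed-character rules.
        if not pin.isdigit():
            violations.append("must contain only numeric characters")
        return violations
    if not any(not c.isalpha() for c in pin):
        violations.append("must contain a non-alpha character")
    if not any(c.islower() for c in pin):
        violations.append("must contain a lowercase character")
    if not any(c.isdigit() for c in pin):
        violations.append("must contain a numeric character")
    # "must not repeat a character more than half the length": any single
    # character may occur at most len(pin) // 2 times.
    if pin and max(pin.count(c) for c in set(pin)) > len(pin) // 2:
        violations.append("repeats one character more than half the length")
    if no_leading_digit and pin[:1].isdigit():
        violations.append("should not begin with a number")
    return violations


if __name__ == "__main__":
    # Constructed sample PINs, not real credentials.
    for candidate in ("aaaa1111", "12345678", "aaaaab1c"):
        print(candidate, "->", check_pin(candidate) or "ok")
```

The checker returns the full list of violations rather than stopping at the first one, which matches the dialog's behaviour of showing all policies and highlighting the ones the entered PIN already satisfies.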
110. [Screenshot: service properties of ncprwsnt.exe. Description: "Provides NCP PPP, VPN and DIALING services". Path to executable: ncprwsnt.exe (full path not legible). Startup type: Automatic. Service status: Started. Buttons Start, Stop, Pause, Resume. "You can specify the start parameters that apply when you start the service from here."]

In addition to the services there are also applications in the installation directory:

ncptrcw.exe: Tracer

[Screenshot: Tracer window with a system init trace. Legible lines include: "Tue Jan 10 09:24:22 2006 Ncp Secure Client SystemInit", "RWSGA installation path: C:\WINNT\ncple", "RWSGA phonebook: C:\WINNT\ncple\ncpphone.cfg", "RWSGA DemVersion: 0", "Tue Jan 10 09:24:26 2006 NCPIKE initialized successfully", "RwsgaAdapter version_info vertxt: Secure Client Professional Version 8.05", "RwsgaAdapter version_info softver: 1", "AdapterConfig rwspdmt: 3", "AdapterConfig rwsp_o_isdn: 0", "AdapterConfig rwsp_o_asyn: 0", "CardReadConfig Type: 2", "Tue Jan 10 09:24:27 2006 Raswin port_init", "CAPI: Reading config success", "Creating PASSTHRU Adapter", "Pthru receive thread starting", "PthruAdapter Init: PASSTHRU Adapter TCPIP -> 3Com EtherLink PCI", "PthruAdapter SystemName: \DEVICE\{6E863D1C-1E33-4241-A07E-6C2029C8232D}", "AdapterInit Index 0 MediaType 0 Mtu 1300 Dhcp 0 Passthru 0 IpAdr 000.000.000.000", "IPHLP NcpleDir: C:\WINNT\ncple", "AdapterInit Index 200 Media"]
111. Default mode proposals: With the setting "Assigned by Destination" and the Pre-shared Key field left empty, the following proposals for the IKE policy will be sent to the destination by default, and a certificate will be used for authentication (refer to > IKE Policy (Phase 1 Parameters)).

Notation:
EA = Encryption Algorithm
HASH = Hash Algorithm
AUTH = Authentication Method
GROUP = Diffie-Hellman Group Number
LT = Life Type
LS = Life Seconds
KL = Key Length

EA       HASH  AUTH       GROUP  LT       LS     KL
AES-CBC  SHA   XAUTH_RSA  DH5    SECONDS  28800  256
AES-CBC  MD5   XAUTH_RSA  DH5    SECONDS  28800  256
AES-CBC  SHA   RSA        DH5    SECONDS  28800  256
AES-CBC  MD5   RSA        DH5    SECONDS  28800  256
AES-CBC  SHA   XAUTH_RSA  DH2    SECONDS  28800  256
AES-CBC  MD5   XAUTH_RSA  DH2    SECONDS  28800  256
AES-CBC  SHA   RSA        DH2    SECONDS  28800  256
AES-CBC  MD5   RSA        DH2    SECONDS  28800  256
AES-CBC  SHA   XAUTH_RSA  DH5    SECONDS  28800  192
AES-CBC  MD5   XAUTH_RSA  DH5    SECONDS  28800  192
AES-CBC  SHA   RSA        DH5    SECONDS  28800  192
AES-CBC  MD5   RSA        DH5    SECONDS  28800  192
AES-CBC  SHA   XAUTH_RSA  DH5    SECONDS  28800  128
AES-CBC  MD5   XAUTH_RSA  DH5    SECONDS  28800  128
AES-CBC  SHA   RSA        DH5    SECONDS  28800  128
AES-CBC  MD5   RSA        DH5    SECONDS  28800  128
AES-CBC  SHA   XAUTH_RSA  DH2    SECONDS  28800  128
AES-CBC  MD5   XAUTH_RSA  DH2    SECONDS  28800  128
AES-CBC  SHA   RSA
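As an added example (not from the NCP manual), the following Python script transcribes the 18 complete proposal rows above, parses them in the manual's column order, and flags the entries whose hash (MD5) or Diffie-Hellman group (DH2, 1024-bit MODP) fall below current recommendations. The thresholds are this example's own choice, not a product setting, and the truncated final row is omitted.

```python
"""Audit the client's default IKE phase-1 proposal list.

Added example, not part of the NCP manual. The proposal rows are transcribed
from the table above (the truncated final row is omitted); the weakness
thresholds below are this example's own choice, not a product setting.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the manual's table, column order: EA HASH AUTH GROUP LT LS KL
DEFAULT_PROPOSALS_TEXT = """\
AES-CBC SHA XAUTH_RSA DH5 SECONDS 28800 256
AES-CBC MD5 XAUTH_RSA DH5 SECONDS 28800 256
AES-CBC SHA RSA DH5 SECONDS 28800 256
AES-CBC MD5 RSA DH5 SECONDS 28800 256
AES-CBC SHA XAUTH_RSA DH2 SECONDS 28800 256
AES-CBC MD5 XAUTH_RSA DH2 SECONDS 28800 256
AES-CBC SHA RSA DH2 SECONDS 28800 256
AES-CBC MD5 RSA DH2 SECONDS 28800 256
AES-CBC SHA XAUTH_RSA DH5 SECONDS 28800 192
AES-CBC MD5 XAUTH_RSA DH5 SECONDS 28800 192
AES-CBC SHA RSA DH5 SECONDS 28800 192
AES-CBC MD5 RSA DH5 SECONDS 28800 192
AES-CBC SHA XAUTH_RSA DH5 SECONDS 28800 128
AES-CBC MD5 XAUTH_RSA DH5 SECONDS 28800 128
AES-CBC SHA RSA DH5 SECONDS 28800 128
AES-CBC MD5 RSA DH5 SECONDS 28800 128
AES-CBC SHA XAUTH_RSA DH2 SECONDS 28800 128
AES-CBC MD5 XAUTH_RSA DH2 SECONDS 28800 128
"""


@dataclass(frozen=True)
class IkeProposal:
    ea: str            # encryption algorithm
    hash_alg: str      # hash algorithm
    auth: str          # authentication method
    group: str         # Diffie-Hellman group
    life_type: str     # life type (SECONDS)
    life_seconds: int  # lifetime value
    key_length: int    # key length in bits


def parse_proposals(text: str) -> List[IkeProposal]:
    """Parse whitespace-separated rows in the manual's column order."""
    proposals = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 7:
            raise ValueError(f"malformed proposal row: {line!r}")
        ea, hash_alg, auth, group, life_type, life_seconds, key_length = fields
        proposals.append(IkeProposal(ea, hash_alg, auth, group, life_type,
                                     int(life_seconds), int(key_length)))
    return proposals


# Example thresholds: DH group 2 is 1024-bit MODP, and MD5 is no longer an
# acceptable integrity/PRF choice. Both are flagged as legacy.
LEGACY_GROUPS = {"DH1", "DH2"}
LEGACY_HASHES = {"MD5"}


def weaknesses(p: IkeProposal) -> List[str]:
    """Return the reasons a proposal falls below the example thresholds."""
    reasons = []
    if p.hash_alg in LEGACY_HASHES:
        reasons.append(f"hash {p.hash_alg} is deprecated")
    if p.group in LEGACY_GROUPS:
        reasons.append(f"group {p.group} is below 2048-bit MODP")
    return reasons


def audit(proposals: List[IkeProposal]) -> List[Tuple[IkeProposal, List[str]]]:
    """Pair every flagged proposal with its reasons, in the client's order."""
    return [(p, weaknesses(p)) for p in proposals if weaknesses(p)]


def acceptable(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """Proposals that pass the audit, in the order the client offers them."""
    return [p for p in proposals if not weaknesses(p)]


if __name__ == "__main__":
    rows = parse_proposals(DEFAULT_PROPOSALS_TEXT)
    for proposal, reasons in audit(rows):
        print(f"{proposal.ea} {proposal.hash_alg} {proposal.auth} "
              f"{proposal.group} {proposal.key_length}: {'; '.join(reasons)}")
    print(f"{len(acceptable(rows))} of {len(rows)} proposals pass")
```

In IKEv1 the responder picks one entry from the initiator's list, so the proposal order on the client only expresses a preference; the gateway's set of accepted policies is what actually decides whether a legacy combination is ever used. Running the audit against a client's proposal list shows which entries that gateway-side restriction needs to exclude.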
112. [entry illegible] 54
Stateful Inspection 169, 199
Stateful Packet Inspection 71
subjectKeyIdentifier 60, 167, 197, 198
Subnet masks 163

T
Test Version Validity Period 114
Time Online 54
Timeout 54, 145
[entry illegible] 98
Token 26, 220
Transformation Comp 154
[entry illegible] 55

U
UDP Encapsulation Port 4500 156
UMTS 132
Upgrade to the Secure Enterprise Client 37
User Certificate Configuration 91
[entry illegible] 137, 159, 173

V
[entry illegible] 23
Validity 56, 57
View Client Certificate 56
View Incoming Certificate 56
View Issuer Certificate 56

W
WAN domain logon 172
WLAN 85, 133
WLAN adapter 24
WLAN adapter under Windows 2000/XP 24
WLAN networks 86
WLAN Profiles 86

X
[entry illegible] 25
XAUTH protocols 194
ADSL 23, 132
xDSL (AVM PPP over CAPI) 54, 132
xDSL (PPPoE)
113. EAP authentication: If the Client must authenticate itself at the Access Point (HotSpot) with EAP (Extensible Authentication Protocol), then this function must be activated. It means that for this destination system the EAP configuration in the Monitor menu under EAP Options will be used. Please note that the EAP configuration in the Monitor menu is valid for all destination systems and must be switched active for this link-specific setting to take effect. EAP is used if an Access Point is used for the wireless LAN that is 802.1x capable and demands a corresponding authentication. This can prevent unauthorized users from plugging into the LAN via the hardware interface. After configuration of the EAP a status display must appear in the graphic field of the Monitor. If this is not the case, then the EAP configuration must be switched active in the Monitor menu. Double-click on the EAP icon to reset the EAP; the EAP is then re-negotiated.

HTTP authentication: This function must be activated for automatic HTTP authentication at the access point (HotSpot). For this, an additional parameter field HTTP Logon must be switched on in the phonebook, where the authentication data can be entered thereafter (see > next parameter field). The HTTP logon is not switched on in the phonebook for a link with the connection type WLAN. Instead, activation of this fu
114. SRSU2xx.exe. The new Update Client files are stored in the database of the Management Server in the directory rwsrsu\v200, independent of the version number. It is not necessary to restart the Management Server thereafter.

3 ncpbudgt.exe (Budget Manager: Connection Management / Statistics)

After installation of the Client Software the so-called Budget Manager runs automatically for connection management and statistics when the Monitor starts. The Budget Manager is responsible for monitoring Client software connections in accordance with precisely defined criteria. These criteria are specified in the Monitor menu under Configuration > Connection Management (see the manual for the Secure Client Monitor and Connection Management).

Activating Connection Management in the Monitor menu is only practical if the connections are not routed to a corporate network gateway, or if charges are incurred for connection time or frequency of the connections. Otherwise charge management can be administered centrally.

If the Budget Manager is not used, it can be removed from the registry (see figure below). In this regard note that it is automatically re-installed for an update or for a new installation; thereafter it must be deleted again with regedit.

[Screenshot: Registry Editor (menus Registry, Edit, View, Favorites, Help) showing the Modul... entry]
115. Smart Cards are supported: Signtrust, NetKey 2000, TC Trust, CardOS M4, Telesec PKS SigG.

Soft Certificates (PKCS#12): Instead of a Smart Card you can also use soft certificates or tokens.

Smart Cards or Tokens (PKCS#11): Drivers in the form of a PKCS#11 library are supplied with the software for the card reader or token. This driver software must first be installed. Then the NCPPKI.CONF file must be edited.

Edit the NCPPKI.CONF file located in the installation directory by entering the name of the connected reader or token (xyz) as module name. The name of the DLL must be entered as PKCS#11-DLL. The associated Slotindex is manufacturer dependent (standard: 0).

Important: Only those drivers are visible in the list that have been set to visible with "visible = 1".

Modulname = XYZ
PKCS#11-DLL = Name of the DLL
Slotindex = (manufacturer dependent, standard 0)

After rebooting the PC the new ReaderName is displayed in the Monitor under Configuration > Certificates > Smart Card reader. Now you select that Smart Card reader.

2.2 Installing the Client Software

ce only according to the operating systems Windows 2000, Windows XP and Windows Vista. Full functionality cannot be guaranteed when using the client under Windows NT, Windows 98 or older Windows versions.

1. The actual version and later versions of the Client will be tested by the quality as
116. Encryption: Triple DES (128/192 bit), Blowfish (128 bit), AES (128/192/256 bit), RSA (1024/2048 bit)

Hash Process: SHA1 (Secure Hash Algorithm 1), MD5 (Message Digest 5)

Firewall Functionalities: IP NAT (Network Address Translation); LAN adapter protection (PC protection against access from other systems during a VPN connection); filtering of IP broadcasts; NetBIOS over IP

PKI (Public Key Infrastructure): in accordance with the X.509 v3 standard; smart cards TCOS 1.2 and 2.0, CardOS M4 (PC/SC); soft certificate (PKCS#12)

IP Address Allocation: DHCP (Dynamic Host Configuration Protocol)

Point-to-Point Protocols: PPP LCP (Link Control Protocol), PPP IPCP (IP Control Protocol), PPP CCP (Compression Control Protocol), PPP PAP (Password Authentication Protocol), PPP CHAP (Challenge Handshake Authentication Protocol), PPP ECP (Encryption Control Protocol)

Compression Process: Stac

Line Management: Short Hold Timeout (time controlled)

Client Monitor: The PDA is configured on a standard PC via the Client Monitor. The PDA Monitor is used for status display and for dialing the destination.

Dialer: NCP Dialer, Microsoft RAS Dialer

Options: Central NCP Secure Enterprise VPN/PKI Gateway; upgrade to the NCP Secure Enterprise Solution with central management
117. [Trace line continued: "Type 0 Mtu 1500 Dhcp 0 Passthru 1 IpAdr 172.016.015.247 MacAdr 00:04:76:e3:05:2f"]

The Trace Monitor can also be started via Windows > Programs > Secure Client > Tracer. This is an autonomous application program for qualified system technicians; for example, it can be used to create traces for troubleshooting purposes. The tracer is not intended for the normal user.

ncpmon.exe: Starts the Client Monitor. It can be started by double-clicking on the traffic light icon in the toolbar or via Windows > Programs > Secure Client > Monitor. Monitor operation and menu prompts are described in detail in the manual for the respective Secure Client.
ncpike9x.exe: IKE protocol for Windows 95/98
ncpike.exe: IKE protocol for Windows 2000/XP
lbtrace.exe: Tracer on driver level for the virtual NCP adapter
inst95.exe: Installation program for Windows 95/98
insrnt5.exe: Installation program for Windows 2000/XP
uninst.exe: The Secure Client can be deinstalled with this program, bypassing the Windows software administration.
3monapl.exe: Field strength display for UMTS/GPRS when using a multi-function card
ncpauth.exe: Used for HTTP authentication
ncprwsnt.exe: Responsible for data communication (frame processing via NCP PPP and VPN) as well as the dial services
rwsrsu.exe: NCP Update Client (Update Client)
118. Modem: This field will show the modems installed on your PC. Select the required modem. Selecting a modem causes the corresponding COM Port and Modem Init String for this modem to be automatically entered in the appropriate Phonebook Link Definition parameter fields. All other parameters for this communication medium can be configured in the control panel of your PC.

Note: We recommend that you install your modem prior to installing and configuring the Secure Client. In this case the Secure Client will automatically use the driver and values installed with the modem.

COM Port: In this field you can define the COM Port to be used by your modem. Normally, when you install a modem under Windows, the COM Port will be defined during the installation of the modem. If you then select Modem under the Link Definition field, the COM Port already assigned to the modem will be automatically entered in the COM Port field.

Note: We recommend that you first select the appropriate modem in the field Modem. Thereafter the Secure Client will automatically import and use the pre-defined COM Port.

Baud Rate: Baud Rate refers to the transmission rate between the PC's COM Port and the modem. If, for example, your modem is able to transmit data at 14.4 kbit/s, then the Baud Rate should be set to 19200 (factory default setting). The following rates may be selected: 1200, 2400, 48
119. The 30-day test has expired; the software must be either activated or de-installed. For activation select the menu option Help > License data and activation in the Monitor menu.

[Screenshot: message "Please activate or uninstall the software"]

[Screenshot: License Data dialog. Software version: Product NCP Secure Entry Client, Version, ServicePack. Licensed version: Product NCP Secure Entry Client, Version, Serial number, Activation: Not activated. Activation/Licensing: "To enable the full version the software must be activated. Click on the Activation button to license the software. By licensing the software you agree to abide by the license conditions." Buttons Activation, Close]

Here you can see which software version you have and how the software is licensed, i.e. you can see that the test version has expired and that the software has not yet been activated (licensed). Click on the license conditions to display the license agreement text. By activating (licensing) the software you accept the license conditions.

[Screenshot: Software Activation Assistant, Activation Mode: "What kind of activation mode should be used? During the online activation process license data will be generated, submitted to and verified by an NCP activation server."]

In the window that appears you can select an online variant or an offline variant. In the offline variant a file that is generated after entering the
120. a newer license key. To do this click on the Licensing button. See the description at the end of the offline variant for more information in this regard.

[Screenshot: Licensing dialog: "To enable the full version the software must be activated, requiring a serial number and matching activation key. By licensing the software you agree to abide by the ..."]

Offline Variant: The offline variant is executed in two steps. In the first step a file that is generated after entering the license key and serial number is sent to the NCP Web Server. Then an activation key will be shown on the web site, and you must note this number in order to enter the license key in the licensing window of the Monitor menu in a second step, which can also be executed at a later point in time.

Start the offline variant via the Monitor menu Help > License Data and Activation, and select this variant in the first window of the Activation Assistant. Click on Next.

[Screenshot: Software Activation Assistant, Activation Mode: "What kind of activation mode should be used?"]

In the second window of the Activation Assistant the two steps of the offline activation process are explained. The first step (creation of the activation file) is selected automatically. Click on Next.

[Screenshot: Software Activation Assistant, Offline Activation: "Which step should be ..."]
121. Tool and High Availability Services

RFCs and Drafts:
RFC 2401 Security Architecture for the Internet Protocol
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 3947 Negotiation of NAT-Traversal in IKE
RFC 3498 UDP Encapsulation of IPsec ESP Packets
DRAFT draft-beaulieu-ike-xauth-05 (XAUTH)
DRAFT draft-dukes-ike-mode-cfg-02 (IKECFG)
DRAFT draft-ietf-ipsec-dpd-01 (DPD)
DRAFT draft-ietf-ipsec-nat-t-ike-01 (NAT-T)
DRAFT draft-ietf-ipsec-nat-t-ike-02 (NAT-T)
DRAFT draft-ietf-ipsec-nat-t-ike-03 (NAT-T)
DRAFT draft-ietf-ipsec-nat-t-ike-05 (NAT-T)
DRAFT draft-ietf-ipsec-udp-encaps-06 (UDP-ENCAP)

2 Installation

A Setup program performs the installation of the Client Software quickly and smoothly. The following text describes the procedures for installing the Client Software under Windows 2000/XP and Windows Vista. Prior to executing Setup, be sure that the following prerequisites are fulfilled:

2.1 Installation Prerequisites

System Requirements: In
122. UMTS: If you are using a multi-function card for UMTS/GPRS/WLAN, then with the NCP Client software special features of mobile computing can be used, depending on the card characteristics. Due to the direct support of the multi-function card for UMTS/GPRS/WLAN through the Secure Client, installation of the card's own management software is not necessary. The NCP Secure Client combines all communication and technical security mechanisms for economic data communication on the basis of the end-to-end principle of security. The Client Monitor has visual displays of all connection states: field strength, the selected network and the provider. Also, the integrated dynamic Personal Firewall is optimized for remote access and protects the mobile teleworkstation against any attacks even at system start, and guarantees maximum security also during the automatic hotspot login. The VPN connection is established via the integrated NCP Dialer, independent of the Microsoft data communications network. Currently supported multi-function cards: T-Mobile Multimedia NetCard, Vodafone Mobile Connect Card, KPN Mobile Connect Card. Alternative versions of the NCP Client Software: Enterprise Client from version 8.10 SP1, Entry Client from version 8.21. 1.2 Installation: First install the appropriate Secure Client 8.10 Setup software
123. 7.2.5 Further Configuration, Pre-shared Key or RSA Signature: According to the defaults of the other side, the automatic setting (Automatic Mode) can be changed as IKE policy to Pre-shared Key or RSA Signature (certificate). If the other side expects a pre-shared key, then the key must be entered in the field. The pre-shared key must be identical for all clients in this case. IP addresses and DNS server are assigned via the IKE Config Mode protocol (Draft 2, currently compatible only against Cisco). All previous WAN interfaces can be used for the NAS dial-in. The authentication for IPSec Tunneling is handled via the XAUTH protocol (Draft 6). If IPSec Tunneling is used, then additionally the following parameters must still be set in the Identities configuration field: Username (user name of the IPSec user), Password (password of the IPSec user), Use access data from configuration (optional). DPD (Dead Peer Detection) and NAT-T (NAT Traversal) are automatically executed in the background for IPSec Tunneling when supported by the destination. The IPSec client uses DPD to check at regular intervals whether the other side is still active. If the other side is inactive, then an automatic connection disconnect occurs. Using NAT Traversal is automatic with the IPSec client and is always necessary if network address translation is used on the side of the destination system (device).
124. 7.1.2 IP Address Structure 178; 7.1.3 Subnet Masks 180; Standard masks 181; Reserved addresses 182; 7.1.4 Using IP Addresses 182; 7.2 Security 189; 7.2.1 IPSec Overview; IPSec General Functional Description 183; 7.2.2 Firewall Settings; 7.2.3 SA Negotiation and Policies 186; Phase 1 (IKE Policy) 186; Phase 2 (IPSec Policy) 186; Control Channel and SA Negotiation 187; IKE Modes 188; 7.2.4 IPSec Tunneling 190; Implemented Algorithms for Phase 1 and 2 190; Supported authentication methods for phase 1 (IKE policy) 190; Supported symmetric encryption algorithms (phase 1 & 2) 190; Supported asymmetric encryption algorithms (phase 1 & 2) 190; Supported hash algorithms 191; Additional phase 2 support 191; Default mode proposals 192; 7.2.5 Further Configuration 194; Basic configurations depending on the IPsec gateway 194; Gateway does not support XAUTH 194; Gateway supports IKE config mode 194; Gateway does not support IKE config mode 194; 7.2.6 IP
125. ace when activating this function, it does for other data packets. Firewall rule, Local (Firewall Rule Entry): On this tab the filters are set for the local IP addresses and IP ports. If the basic setting is "blocked", then those data packets will be let through to the outside by the firewall whose source address agrees with the address under Local IP address or is within the range of validity. Of the incoming data packets, those are let through whose destination address agrees with the address under Local IP addresses or is within the validity area. The same is true for the blocked basic setting with the IP ports: those data packets are permitted outside by the firewall whose source port falls under the definition of the local port. Of the incoming data packets, those are let through whose destination port falls under the definition of the local port. Any IP address includes all source IP addresses of outgoing packets or destination IP addresses of incoming packets, regardless of the local network adapter. Explicit IP address is the IP address defined for the local network adapter. It can be assigned to the address of the Ethernet card, the WLAN card, or it can also be assigned to the VPN adapter. Several IP addresses designates an address range or pool. For example, this can be the IP address pool from which the address assigned by the
126. after this 30-day period expires. After installation, each time the software is started the validity period will be shown in the popup window. Moreover, in a footer of the Monitor the system will display how long the test version can still be used, and when 10 days of validity remain a message box will be displayed to remind you that the software has not yet been licensed. This message box will appear once a day. If the test phase has expired, then only those connections to destination systems can be set up with the Entry Client software that are used for software activation (licensing). Thus one of the profiles of the Entry Client can be used to set up an Internet connection for licensing purposes, or a connection to the NCP Secure Enterprise Management can be established in order to download a licensed version of the software. You must have at least version 9.0 to activate the Client software under Windows Vista; this is the prerequisite. If a no-charge update to version 9.0 is available to you, then you will receive the associated license key when the software is activated. Otherwise updates to version 9.0 can be purchased in the NCP E-store or purchased from your NCP dealer. 4.6.2 Software Activation: At the latest when the test phase has expired
127. management port through which the Client Manager sets the phonebooks. MgmSSLPort 12504 (standard 12504, should not be changed): management port through which the Client Manager sets the phonebooks via SSL. RepPort 12505 (standard 12505, should not be changed): management port through which the Management Server creates a backup. RepIDBPort 12506 (standard 12506, should not be changed): management port through which the Client Manager replicates the database. MaxSessions 50: number of Client sessions that the Management Server will process concurrently; a maximum of 200 Client sessions are possible. PrimaryIPAddr 127.0.0.1 (NCP Secure Management Server Configuration, Services / Operation Mode: Management Server operation mode Primary Server or Backup Server; IP address Primary Server 127.0.0.1; IP address Failsafe Primary Server 127.0.0.1; Shared Secret; Note: the operation mode can only be switched if all services have been stopped beforehand; Backup Server in normal operation; Backup Server as Failsafe Primary Server only on failure of the Primary Server). If the Management Server is used as Backup Server, then the IP address of the primary server is specified here. This configuration is made in the Windows start menu prior to starting the Management Server
128. Message Digest version 5), SHA (Secure Hash Algorithm), SHA-256, SHA-384 and SHA-512 bit. DH Group (IKE Policy): The selection of one of the offered Diffie-Hellman groups determines the level of security for the key exchange in the control channel. Later a symmetrical key will be generated according to this selection. The higher the DH group, the more secure the key exchange will be. IPSec Policy (edit): The IPSec policies (Phase 2 parameters) that you configure here will be listed for the policy selection. The same policies with their affiliated proposals should be valid for all users. This means that on the client side as well as on the server side the same proposals for the policies should be available. IPSec Policy: You can extend the list of proposals or delete a proposal from the Proposal List by using the buttons Add and Remove. Policy Name (IPSec Policy): Give this policy a name over which an SPD can later be allocated. Protocol (IPSec Policy): The fixed default value is ESP. Transformation (ESP) (IPSec Policy): One can specify which encryption algorithms (DES, Triple DES, Blowfish, AES 128, AES 192 and AES 256) are to be used within the ESP (Encrypted Security Payload). Multiple IPSec proposals with different secu
129. obtain this name from your provider. The APN is used particularly for administrative purposes. SIM PIN: If you also use a SIM plug-in card for GPRS/UMTS, then enter the PIN for this card here. If you use a mobile phone, then this PIN must be entered on the mobile phone. 5.1.5 Line Management (Profile Settings): In the Line Management you can define the Connection Mode as well as the Timeout values used for automatically disconnecting the link. If the client is using the communication medium ISDN, you can activate channel bundling in this folder. In order for channel bundling to work, your PC must be equipped with a communications device that supports multiple ISDN B channels. It is also necessary that the Network Access System that you are communicating with supports the same number of channels. The required authentication before VPN connect is assigned by the network of the hotspot operator. Parameters: Connection Mode; Inactivity Timeout; Voice over IP (VoIP) setting priorities; PPP Multilink; Multilink Threshold
130. means that without additionally configured rules all IP data traffic will be suppressed. The exception are the data packets that are permitted through by the separately created, active firewall rules (Permit Filter). If a characteristic of a data packet meets the definition of a firewall rule, then at this point the working through of the filter rules is ended and the IP packet is forwarded. In the blocked basic setting mode an IPSec tunnel connection can be released in a convenient manner: for this, the data traffic can be globally permitted in the configuration field Options via the VPN protocol IPSec. Basic open settings: In the open basic setting all IP packets are first permitted. Without additional filter rules all IP packets are forwarded. The exception are the data packets that are filtered out (not permitted through) by the separately created, active firewall rules (Deny Filter). If one of the characteristics of an IP packet coming into the server/client meets the definition of a Deny Filter, then at this point the working through of filtering rules ends and the IP packet will not be forwarded. Data packets that do not meet a suitable Deny Filter are forwarded. Configuration field Firewall Rules: The rules for the extended firewall are brought together in this configuration field. The display options are all active by default and correspond to the se
131. transmission costs and increasing transparency (Charge Manager); channel bundling for high transmission speed in ISDN; graphic user interface. Like all NCP Secure Communications Products, the Secure Entry Client supports the use of digital certificates in a Public Key Infrastructure (PKI). An upgrade to the NCP Secure Enterprise Solution with high-performance central management is available as an option. Technical Data: LAN Emulation: Ethernet adapter with NDIS interface. PC Operating Systems: Windows 98se, Windows NT V4.0 SP5, Windows 2000, Windows ME, Windows XP Prof. Network Protocols: IP. IPSec VPN: supports Pre-Shared Key and certificates; central configuration of IPSec proposals, e.g. the central VPN gateway determines the policies for IKE / IPSec Phase 2 for the Secure Entry Client; IPSec in accordance with RFC 2401-2409; additionally the drafts XAUTH, IKE Config, DPD, NAT-T and IP Comp are supported for optimization in Remote Access environments (see RFCs and Drafts below). EAP-MD5, EAP-TLS: Extensible Authentication Protocol, extended authentication relative to switches and access points (Layer 2). Encryption: Triple DES 128/192 bit, Blowfish 128 bit, AES 128/192/256 bit, RSA 1024/2048 bit. Hash processes: SHA-1 (Secure Hash Algorithm 1), MD5 (Message Digest 5). Personal Firewall
132. NCP engineering GmbH, SECURE COMMUNICATIONS, Network Communications Products engineering GmbH, GERMANY. Headquarters: Dombühler Straße 2, D-90449 Nürnberg. Tel. +49 911 99680, Fax +49 911 9968-299, Internet http://www.ncp.de, E-mail info@ncp.de. Support (Fax Hotline Number, Internet Mail Address): NCP offers support for all international users by means of Fax and Internet Mail: Fax +49 911 99 68 458, support@ncp.de. When contacting NCP with your problems or queries, please include the following information: exact product name, serial number, version number, accurate description of your problem, any error message(s). NCP will do its best to respond as soon as possible, but we do not guarantee a fixed response period. Contents: 1 OVERVIEW 13; 1.1 Using this manual 13; 1.2 NCP Secure Entry Client, Universal IPSec Client 14; 1.3 Secure Entry Client 15; Technical Data 16; 1.4 Secure Entry CE Client 18; Technical Data 18; 2 Installation 21; 2.1 Installation Prerequisites 22; System Requirements 22; Remote Destination
133. Software License Agreement: The terms of the license for use by you, the end user (referred to hereinafter as the Licensee), of NCP software are set out below. By reading and accepting this notice you agree to these terms and conditions, so please read the text below carefully and completely. If you do not accept the terms of this agreement, you cannot use the software. Terms of agreement: 1. Subject of the Agreement. The subject of the agreement is the software supplied in file form, including the associated software documentation. NCP points out that, in accordance with the present state of the art, it is impossible to produce computer software which works perfectly with all systems and under all conditions. This agreement therefore only covers software which is in principle usable as described in the software documentation. is not subject to time restrictions; the software must be released with the license key and serial number received. The licensing process for the software requires your acceptance of the license conditions; these conditions can be viewed via mouse click. The license data can be entered either online or offline via an assistant. Please refer to the chapter Licensing. License key and serial number: license data can be entered after you have clicked on the l
134. are displayed under the entry field. They can be set in the main menu under Certificate / PIN Policies. Then enter your new PIN and confirm it by repeating it in the last entry field. By entering a new PIN, the red X will change to a green check as soon as the guidelines are fulfilled (see illustration above). 4.1.11 Call Control Statistics: Call Control Statistics provide you with an overview of your communications on a daily, monthly and yearly basis. It accurately displays the following information: total time online, total number of connects (outgoing calls), total number of charge units (if available), total amount of data expressed in bytes (sent and received). 4.1.12 Call Control Reset: If the limits defined in the Call Control Manager have been exceeded, the IPSec client issues a warning message and blocks any further communications until such time that the Call Control Reset has been activated (see > Connection pull-down menu in the Monitor). A connection can only be established after clicking Call Control Reset. 4.1.13 Exit (Disconnect the Monitor): If you have already disconnected the link, a click on this menu item or on the Disconnect button closes the monitor. If t
135. activation code. After you have entered the activation code you can click on Next. Offline activation is concluded with the following window. After concluding the activation process you will see that you now have a correctly activated full version in the window for the license data (Software version: Product NCP Secure Entry Client, Version 8.30, Build 57; License data: Product NCP Secure Entry Client, Version 8.3, Type Full version, Activation OK). The number of the software version and the number of the licensed version can differ if the licensing is only valid for an older version. If you have received a new license key from the Activation Server during the offline activation process (see above, in the display of the activation code), then enter this license key for a license update by clicking on the Licensing button. In the next window of the NCP Assistant, enter the new license key and click on Next. The license data will be Licensi
136. authentication in the LCP: PPP PAP (Password Authentication Protocol), PPP CHAP (Challenge Handshake Authentication Protocol). Dialer: NCP Dialer, alternatively Microsoft RAS Dialer for ISP access via dial-in script. Line Management: short hold timeout, time-controlled and charge-controlled. Channel Bundling in ISDN: dynamic, freely configurable threshold value. Client Monitor: configuration of the teleworkstation, connection control and monitoring. Connection Manager: for international access, support for Gric, Infonet, UUNet. 1.4 Secure Entry CE Client, Technical Data: LAN Adapters: Ethernet Adapter with NDIS Interface, Wireless LAN Adapter. Operating Systems: mobile end device: Windows CE 3.0, Handheld PC 2000, Pocket PC 2002, Windows CE .net 4.2, Windows Mobile 2003 for Pocket PC; configuration PC: Windows 98se, NT 4.0 from SP5, 2000, XP. Network Protocols: IP. IPSec VPN: support of Pre-Shared Key and certificates; central configuration of IPSec proposals, e.g. the central VPN gateway determines the policies for IKE / IPSec Phase 2 for the Secure Entry Client; IPSec in accordance with RFC 2401-2409; additionally the drafts XAUTH, IKE Config, DPD, NAT-T and IP Comp are supported for optimization in Remote Access environments (see RFCs and Drafts below).
137. ative. In order to define a new profile, click on Profile Settings in the monitor menu under Configuration. Upon doing so the menu opens, displaying any defined profiles. Click on New Entry, enabling the Configuration Assistant which assists in the creation of a new profile definition. All other parameters will be assigned default values. To edit these default values in order to fulfill the requirements of the profile, select the desired profile and then Configure to gain access to the individual parameters (see > Profile Settings, Configure). In order to duplicate a profile, click on Duplicate. In order to delete a profile, click on Delete. Parameter folders: Parameters which specify the connection via the profile to the destinations are found in the configuration folders. The name of the profile appears in the title bar (see > Profile Settings, Configure). Within the configuration folder the connection parameters pertaining to this profile can be configured: 1 Basic Settings, 2 Dial-Up Network, 3 HTTP Logon, 4 Modem, 5 Line Management, 6 IPSec General Settings, 7 Advanced IPSec Settings, 8 Identities, 9 IP Address Assignment, 10 Remote Networks, 11 Certificate Check, 12 Link Firewall.
138. be defined: Username (username of the IPSec user), Password (password of the IPSec user). Username (Identity): Contact your System Administrator for your Username. The name can be up to 256 characters long. Note: This parameter pertains only to accessing the gateway at the remote site. Password (Identity): Contact your System Administrator for your Password for XAUTH. The password can be up to 256 characters long. Note: This parameter pertains only to accessing the gateway at the remote site. Use access data from configuration: You can select one of the following methods for authenticating the VPN tunnel against the gateway. Use access data from configuration: the VPN tunnel will be authenticated based on the User ID and Password entered in the respective fields above. Use access data from certificate field "e-mail": the VPN tunnel will be authenticated based on the contents of the E-Mail field of the selected certificate. Use access data from certificate field "cn": the VPN tunnel will be authenticated based on the contents of the Customer field of the selected certificate. Use access data from certificate field "serial no.": the VPN tunnel will be authenticated based on the contents of the Serial No. field of the selected certificate.
139. communication costs if a Disconnect is not executed. Inactivity Timeout: This parameter is for setting the time delay to be used following the last transmission of data before automatically executing a disconnect. Time is expressed in seconds. Possible settings are from 1 to 65356 seconds. The default value is 100. If your communications connection, regardless of link type, receives a Charge Unit impulse from the network provider, this will be used by the Secure Client Timeout feature for achieving an optimal disconnect time with regard to the value set in the Inactivity Timeout. This optimized timeout feature will further help to reduce communication costs. Note: In order for the Inactivity Timeout to be activated it is necessary to enter any value from 1 to 65356. The value 0 (zero) means that no automatic timeout disconnect will be executed. When the Inactivity Timeout is set to 0 (zero), you must manually execute Disconnect. Important: The Inactivity Timer only begins counting down after the last data transmission and after any communications handshaking has stopped. Voice over IP (VoIP) setting priorities: If this Client is used for communication with Voice over IP, then this function should be activated in order to send and receive the voice data without delay and without distortion. PPP Multilink: When using PPP
140. include up to 256 characters. Normally the password will be assigned to you by your Destination (e.g. your company Headquarters, User Help Desk, Internet Service Provider etc.), because it must be supported and accepted by the NAS for authentication purposes. Upon entering your password, all characters will be displayed as an asterisk in order to keep them from being overlooked by someone else. Therefore it is necessary to be very careful that you enter your password exactly the way in which it was assigned to you (pay attention to upper case and lower case characters). Even if you selected "automatically" as connection mode (see > Establishing a Connection to the destination system), you have to establish the first connection manually and enter the password. For every additional automatically established connection the password is adopted automatically until you reboot your PC or you select a different destination system. This means that even though the function Save Password (see > Dial-Up Network) was not activated, automatic connections can still be made where this cached password is used to authenticate. When rebooting your PC, the once entered password is then deleted. Please notice (Logon Options): If you do not want to delete the password when rebooting your PC, you have to activate the function Save Password (see Dial-Up Network). Please notice that for security reasons you must be aware tha
141. commands. Mobile cellular telephones can also be used for data communication after the associated software has been installed that presents itself to the client precisely as if it were an analog modem. The serial interface, IR (infrared) interface or Bluetooth can be used as interface between mobile phone and PC. The opposite side must have the appropriate dial-in platform, depending on the transfer rate (GSM v.110, GPRS or HSCSD). The initialization string in the Secure Client modem configuration must be obtained from the ISP or the manufacturer of the mobile cellular phone. LAN adapter (LAN over IP): When the communication medium LAN has been defined, the Client Software may be used as an IPSec client in a LAN that communicates across a LAN network and associated router to a central site VPN Gateway. When defined as a LAN Client, the Client Software can also be used as a VPN or VPN/PKI plugin for Microsoft's RAS Dial-Up Network client. xDSL Broadband Device (PPPoE): Cable modems, splitters (e.g. for ADSL) etc. can be used in conjunction with PPP over Ethernet (PPPoE), which is supported by the Client Software. xDSL (AVM PPP over CAPI): If an AVM Fritz DSL card is to be used, then this communication medium may be selected. AVM-specific initialization strings may be entered in the field Destination phone number (Dial-Up Network group) for the
142. communications will always be established only to the tunnel end point (VPN gateway). However, if you would like to alternatively communicate with your central site using tunneling as well as the Internet, then you must define the IP Networks in your company that you wish to communicate with. Then you can toggle between the Internet and your company's VPN gateway. This is also referred to as Split Tunneling. In this folder you can precisely define the IP Network(s) to which the Client can communicate. Parameters: Network addresses (Remote Networks); Subnet masks; Apply tunneling security for local networks. Click on the New button to enter the IP address of the network and the network mask in the window that will open. Network addresses (Remote Networks): In this window enter the address of the IP Network(s) that you want to reach via the gateway. These addresses are available from your administrator. Note: Be sure that IP addresses entered in this field are not in the same subnet as the gateway. Subnet masks: In this window enter the address(es) and netmask(s) of the IP Network(s) that you want to reach via the gateway. These addresses are available from your administrator. Note: Be sure that IP addresses entered in this field are not in the same subnet as the gateway. Apply tun
143. con. In addition, the application can be started depending on the connection type of the destination system that is selected in the Gina dialog. The application always starts if the connection type All has been selected. Wait for domain preparation (postdom) means that after the initialization period the application will be started immediately. The wait function Wait until application has been executed and ended can then be relevant if a series of batch files will be executed one after the other. Options (Logon Options): Windows requires a certain initialization time between network logon and domain logon. This preparation time for the domain logon can be activated and set here. The Windows logon will only be executed after the connection setup, after the initialization time set here has elapsed. The standard value is 45 seconds and can be changed as needed. Perform EAP authentication before destination selection: The standard situation is that EAP authentication takes place prior to establishing the connection to the VPN gateway. If EAP will be used without subsequently setting up a connection via the Client (pure EAP Client), then this function must be activated. If EAP with certificate is implemented, then the PIN dialog for authentication appears on the network components. Thereafter the destination can be selected. If the function is not activated, then EAP authentication will only be
144. connection, select the parameter Modem and make the following entries (modem settings shown in the Fusion UMTS/GPRS/WLAN example: initialization AT&F and ATE0V1&D2&C1S0=0; APN command AT+CGDCONT=1,"IP","internet.t-d1.de"; SIM PIN AT command AT+CPIN). APN: The APN (Access Point Name) is required for the GPRS and UMTS dial-in. You get the APN from your provider. The APN is used primarily for administrative purposes. The AT command AT+CGDCONT=1,"IP",... is standard for transferring the APN to the SIM card; however, it can vary depending on the provider. The APN internet.t-d1.de varies depending on the SIM card and only applies for the SIM D1 card from T-Mobile. SIM PIN AT command: When using a GPRS/UMTS card, the specific AT command must be entered. This command (AT+CPIN) is standard and causes the SIM PIN to be correctly detected. SIM PIN: If you are using a SIM card for GPRS or UMTS, then enter the PIN for this card here. If you are using a mobile phone, then this PIN must be entered on the mobile phone. Phonebook entry, Security settings: Select the parameter field Security (VPN IP Networks, IPSec Options, HA Support, DNS/WINS, Certificate Check, Link Firewall). Security Mode: Do not use security mode for the test connection. Select Do not use and then click on OK. Save the telephone book setting and then open the Monitor.
145. correctly. PUK Entry: After three incorrect attempts to enter the SIM PIN, the window for entering the PUK (Personal Unblocking Key), which accompanies the SIM card, will be displayed. After correctly entering the PUK you will be able to enter a new SIM PIN (dialog: Please enter the PUK of the SIM card and create a new PIN code. The new PIN code will then be applied. Fields: PUK, New PIN, Confirm PIN). 4.1.5 Connection Info: Upon selecting the menu parameter Connection Info, link statistics are displayed. The window also displays the type of security features being used as well as the IP addresses that have been assigned between the IPSec client and the destination resulting from the PPP negotiation. The information in the connection info window is read-only and has no influence on the functionality of the IPSec client (window fields: IP Address: ISP IP Address, VPN IP Address, DNS, VPN Endpoint; Statistics: Profile, Time online, Timeout (sec), Direction, Speed (kByte/s), Media type, Protocol, Data Transferred Tx/Rx Byte, MultiLink, Total; Security: Encryption, Security Mode). The field Connection Info could be suppressed by the administrator. In this case the menu item could not be activated. If the connection info
InstallShield Wizard Complete

This completes the installation of the client software. Before using the client software it is necessary to reboot your PC. Select "Yes, I want to restart my computer now", remove any disks from their drives, and click Finish to reboot your PC. ("No, I will restart my computer later" postpones the reboot; the client cannot be used until the reboot has taken place.)

2.3 Initial Configuration Assistant

Once you have installed the client software and rebooted your PC, the Client Monitor is displayed automatically. The Initial Configuration Assistant is also displayed, provided that you have installed the client software for the first time on this PC and that no phonebook from an earlier client version exists. It is located in the installation directory. If you do not use the assistant for creating test destinations, no entries are added to the phonebook; in this case you have to create your own phonebook entries as described in the chapter Client Monitor under New Entry.
Licensing

[Screenshot: NCP activation web page with the fields New Activation Code and New License Key and the message: "The Activation Code was successfully generated. Our system, however, has detected that you are eligible for a newer software license. In order to use the latest features please finish the activation procedure and use the License Key above. In order to finish the software activation please note the activation code above and proceed with Offline Activation under the menu item Help > License info and activation (Step 2). After completing the activation, enter the new License Key under the same menu item." Contact: support@ncp.de]

The activation code is then generated and displayed on the web site. Note the activation code and continue the activation process under the menu option Help > License data and activation by executing the second step of the activation in the offline variant.

If the Activation Server detects that you are entitled to a newer software license and that the license key matches the installed software, the new license key is displayed automatically during online activation. If you want to activate the new features, note the new license key, conclude the activation process, and then use the new license key. Please see the
Save Password (HTTP Logon): After the password has been entered it can be saved.

HTTP Authentication Script (HTTP Logon): Click the Browse button to select the saved logon script. Incoming certificates can be verified during HTTP authentication; for this the variable CACERTDIR must be set in the script. In addition, the content of the web server certificate can be verified with further variables:

  CACERTVERIFY_SUBJECT      Checks the content of the subject, e.g. cn=WEB Server 1
  CACERTVERIFY_ISSUER       Checks the content of the issuer
  CACERTVERIFY_FINGERPRINT  Checks the MD5 fingerprint of the issuer certificate

If the content of a variable does not agree with the received certificate, the SSL connection is not established and a log message is written to the Monitor. Note that MD5 is no longer collision resistant; where the client offers the SHA1 fingerprint option (see Certificate Check), prefer it.

5.1.4 Modem

Profile Settings (tabs: Dial-Up Network, Modem, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Certificate Check, Link Firewall)

This parameter field is only displayed if the selected communication medium is Modem. All parameters necessary for this link type are listed here:

  Modem
  COM Port
  Baud Rate
  Release COM Port
  Modem Init String
  Dial Prefix
  APN
  SIM PIN
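The three CACERTVERIFY checks above, carried out in code as an added example (this is not the NCP client's own logon-script interpreter). Subject and issuer are passed in the tuple layout that Python's ssl.SSLSocket.getpeercert() returns, the issuer certificate is a constructed placeholder byte string, and the CACERTDIR path and all name values are assumptions; only the variable names come from the manual.

```python
"""Added example: enforcing CACERTVERIFY_SUBJECT / _ISSUER / _FINGERPRINT from an
HTTP logon script on the web server certificate received for the HTTP logon."""

import hashlib

# Constructed stand-ins for the certificate chain presented by the logon page.
SERVER_SUBJECT = ((("commonName", "WEB Server 1"),), (("organizationName", "Hotspot Operator"),))
SERVER_ISSUER = ((("commonName", "Hotspot CA"),), (("organizationName", "Hotspot Operator"),))
ISSUER_CERT_DER = b"constructed placeholder for the DER-encoded issuer certificate"

# Constructed logon script fragment (the CACERTDIR value is an assumption).
SAMPLE_SCRIPT = f"""
CACERTDIR=C:\\ncple\\CaCerts
CACERTVERIFY_SUBJECT=cn=WEB Server 1
CACERTVERIFY_ISSUER=cn=Hotspot CA, o=Hotspot Operator
CACERTVERIFY_FINGERPRINT={hashlib.md5(ISSUER_CERT_DER).hexdigest()}
"""


def rdn_to_dict(name):
    """Flatten getpeercert()-style ((('commonName', 'x'),), ...) into {'CN': 'x', ...}."""
    short = {"commonName": "CN", "organizationName": "O", "countryName": "C",
             "organizationalUnitName": "OU", "localityName": "L"}
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[short.get(attr, attr)] = value
    return out


def parse_policy(text):
    """Read NAME=value lines of the logon script into a dict with upper-case keys."""
    pol = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pol[key.strip().upper()] = value.strip().strip('"')
    return pol


def _norm_fp(fp):
    # Accept 'AB:CD:..' or 'abcd..' spellings of the same fingerprint.
    return fp.replace(":", "").replace(" ", "").lower()


def _match_name(expected, actual):
    """expected is e.g. 'cn=WEB Server 1, o=NCP'; every listed attribute must match exactly."""
    for part in expected.split(","):
        if "=" not in part:
            return False
        key, value = part.split("=", 1)
        if actual.get(key.strip().upper()) != value.strip():
            return False
    return True


def verify_server_cert(policy, server_subject, server_issuer, issuer_cert_der, fp_algo="md5"):
    """Return (ok, reason). fp_algo is md5 as in the manual; use sha1 where the client offers it."""
    if "CACERTVERIFY_SUBJECT" in policy and not _match_name(
            policy["CACERTVERIFY_SUBJECT"], rdn_to_dict(server_subject)):
        return False, "subject mismatch"
    if "CACERTVERIFY_ISSUER" in policy and not _match_name(
            policy["CACERTVERIFY_ISSUER"], rdn_to_dict(server_issuer)):
        return False, "issuer mismatch"
    if "CACERTVERIFY_FINGERPRINT" in policy:
        actual = hashlib.new(fp_algo, issuer_cert_der).hexdigest()
        if _norm_fp(policy["CACERTVERIFY_FINGERPRINT"]) != actual:
            return False, "issuer fingerprint mismatch"
    return True, "ok"
```

The fingerprint is compared after stripping colons and case, since it is usually copied from a certificate viewer in colon-separated upper-case form; every attribute listed in the subject or issuer variable must match exactly, while attributes not listed are not checked.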
and then select the appropriate modem.

Link type (Dial-up configuration): Select the media type of the connection and determine how the connection to the corporate network should be established. If the Internet is to be used via modem, set the connection type to Modem and then select the appropriate modem. Available link types: ISDN, Modem, LAN (over IP), xDSL (PPPoE), xDSL (AVM - PPP over CAPI), GPRS/UMTS, LAN with HTTP logon, PPTP. Select GPRS/UMTS as the connection type.

Modem selection and settings: The list offers the installed modems, e.g. Agere Systems AC'97 Modem, Fusion UMTS/GPRS/WLAN 3G Modem, AVM ISDN, AVM ISDN FAX (G3), AVM ISDN Custom Config. Select the Fusion UMTS/GPRS/WLAN 3G Modem.

  Modem initialization string:  AT&F<cr>ATE0V1&D2&C1S0=0<cr>ATX1<cr>
  Pulse dialing:                off

Connection information for the internet service provider: Account in
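The SIM PIN / PUK flow described above (three wrong PINs lead to the PUK prompt, a correct PUK sets a new PIN) and the modem initialization string, as an added example that is not part of the NCP client. The modem is a constructed software stand-in for the AT command interpreter of a GPRS/UMTS card; the PIN and PUK values, the PUK attempt limit of ten and the ATX1 option are assumptions, the AT commands themselves are the standard ones the manual names.

```python
"""Added example: simulated AT+CPIN handling of a GPRS/UMTS modem plus assembly of
the modem initialization string (AT&F ... AT+CGDCONT) shown in the manual."""

import re


def build_init_string(apn, enable_x1=True):
    """Assemble the init string; '<cr>' separates the individual AT commands, as in the manual."""
    cmds = ["AT&F", "ATE0V1&D2&C1S0=0"]        # factory defaults, echo off, verbose, DTR/DCD, no auto-answer
    if enable_x1:
        cmds.append("ATX1")                    # extended result codes (assumed option)
    cmds.append(f'AT+CGDCONT=1,"IP","{apn}"')  # PDP context 1 with the provider's APN
    return "<cr>".join(cmds) + "<cr>"


class SimulatedModem:
    """Constructed stand-in for the modem's AT interpreter; only AT+CPIN is modelled."""
    PIN_ATTEMPTS = 3    # per the manual: after three wrong PINs the PUK is requested
    PUK_ATTEMPTS = 10   # typical SIM limit; an assumption, not from the manual

    def __init__(self, pin, puk):
        self._pin, self._puk = pin, puk
        self._pin_left, self._puk_left = self.PIN_ATTEMPTS, self.PUK_ATTEMPTS
        self.ready = False

    def state(self):
        if self.ready:
            return "READY"
        if self._puk_left == 0:
            return "BLOCKED"
        if self._pin_left == 0:
            return "SIM PUK"
        return "SIM PIN"

    def send(self, cmd):
        if cmd == "AT+CPIN?":
            return f"+CPIN: {self.state()}\r\nOK"
        m = re.fullmatch(r'AT\+CPIN="?(\d{4,8})"?(?:,"?(\d{4,8})"?)?', cmd)
        if not m:
            return "ERROR"
        first, second = m.group(1), m.group(2)
        st = self.state()
        if st == "BLOCKED":
            return "+CME ERROR: SIM failure"
        if st == "SIM PIN" and second is None:
            if first == self._pin:
                self.ready = True
                return "OK"
            self._pin_left -= 1
            return "+CME ERROR: incorrect password"
        if st == "SIM PUK" and second is not None:
            # AT+CPIN="<PUK>","<new PIN>": unblock and set the new PIN
            if first == self._puk:
                self._pin, self._pin_left = second, self.PIN_ATTEMPTS
                self.ready = True
                return "OK"
            self._puk_left -= 1
            return "+CME ERROR: incorrect password"
        return "+CME ERROR: operation not allowed"


def unlock(modem, pin, puk=None, new_pin=None):
    """What the client does before dialling: query the SIM state, then send PIN or PUK + new PIN."""
    st = modem.send("AT+CPIN?")
    if "READY" in st:
        return "READY"
    if "SIM PIN" in st:
        return modem.send(f'AT+CPIN="{pin}"')
    if "SIM PUK" in st and puk and new_pin:
        return modem.send(f'AT+CPIN="{puk}","{new_pin}"')
    return st
```

Because the PIN counter lives on the SIM, a client that retries a wrong stored PIN automatically would lock the card after three dial attempts; the PUK dialog the manual describes is the recovery path, and the PUK counter is the last one.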
with the D-channel protocol DSS1 with the multiple subscriber number (MSN).

Firewall: A division between a public network and a private network. It is a protection mechanism that regulates access to stations. A firewall computer seals off a network from unauthorized access, particularly from the WAN side. For example, authorization of incoming and outgoing connections is regulated by filtering out certain network participants and network services and by determining access rights. From the WAN perspective it is usually web servers, e-mail servers and VPN servers that are located behind the firewall in the DMZ.

FTP: File Transfer Protocol. Based on TCP; the control connection uses port 21.

FTP Server: A file server that supports the File Transfer Protocol, enabling users to download or upload files through the Internet or any other TCP/IP network.

GPRS: General Packet Radio Service; standard for packet-switched data transmission in GSM mobile networks.

GRE: Generic Routing Encapsulation; tunneling protocol developed by Cisco (standardized in RFC 2784).

GSM: Global System for Mobile Communications; standard for cellular communications.

Hash Value: see Signature.

HBCI: Home Banking Computer Interface; standard for online banking with smartcard readers.

HTTP: Hypertext Transfer Protocol; port 80.

Hybrid Encryption: High performance and high security. Hybrid encryption combines the advantages of symmetric and asymmetric processes: while the communication content is secured with fast symmetric algorithms, participant authentication and key exchange take place on the basis of asymmetric processes. Actual doc
additional features that introduce the user to a holistic remote access VPN solution.

The NCP Secure Entry Client offers:
- Support of all major operating systems
- Dial-in over all transmission networks
- Compatibility with VPN gateways from a wide variety of vendors
- Integrated personal firewall for more security
- Dialer protection: no misuse by third parties
- Higher speed through ISDN channel bundling
- Saving of telephone charges through charge and connection management
- Convenient operation, graphical interface
- Central management (optional)

A compatibility list is available on the NCP website, www.ncp.de.

1.3 Secure Entry Client

The NCP Secure Entry Client communicates with VPN gateways supplied by a wide range of manufacturers on the basis of the IPSec standard. It is client software that can be used as an alternative to the software clients offered by firewall and router vendors. The Secure Entry Client is differentiated from other IPSec clients through its feature set and its software architecture.

Secure Entry Client advantages:
- Support of all major Windows operating systems including Windows CE
- Dial-in over all public data transmission networks
- Compatibility with virtually all VPN gateways on the market
- Integrated personal firewall
- Dialer protection
- Intelligent line management for minimizing tr
address 000.000.000.000 and are accessible until such a time that you reboot your PC.

Example of entries in the Log window:

  19.05.02 17:17:17 IPCP: receiving not accepted: IP Address 172.016.119.234, PriDNS Address 194.025.000.129, SecDNS Address 194.025.000.052
  19.05.02 17:17:26 IPCP: sending negotiation request to Test connection SSL with the following parameters: IP Address 172.016.119.234, PriDNS Address 194.025.000.129, SecDNS Address 194.025.000.052
  19.05.02 17:17:26 IPCP connected to Test connection SSL with IP Address 172.016.119.234
  19.05.02 17:17:34 tunnel client connection closed
  19.05.02 17:17:34 tunnel control connection closed
  19.05.02 17:17:34 disconnecting from Test connection SSL on channel 1
  19.05.02 17:17:36 ISDN disconnected 3400 from Test connection SSL on channel 1
  19.05.02 17:17:36 please look at error codes in documentation

Alternatively, if required, the log can also be written to a file. The log function automatically stores all actions of the client for a period of seven days; log files older than 7 online days are deleted automatically. The log files are stored in the LOG directory and are named NCPyymmdd.LOG (yy = year, mm = month, dd = day). The file can be opened and analyzed with a text editor.

Logbook: The buttons of the Logbook window have the following functions: Create File, Close File, Clear Screen, Close Logbook.

Create File
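Reading the log format shown above, as an added example that is not an NCP tool: the lines are constructed from the Log window excerpt (timestamps dd.mm.yy hh:mm:ss), the message texts are taken as they appear there, and the retention helper applies the seven-day rule to NCPyymmdd.LOG file names, interpreting "online days" as calendar days, which is an assumption.

```python
"""Added example: parse NCP client log lines, pair connect/disconnect events into
sessions, and list NCPyymmdd.LOG files that fall outside the seven-day retention."""

import re
from datetime import datetime

# Constructed from the Log window excerpt above.
SAMPLE_LOG = """\
19.05.02 17:17:26 IPCP connected to Test connection SSL with IP Address 172.016.119.234
19.05.02 17:17:34 disconnecting from Test connection SSL on channel 1
19.05.02 17:17:36 ISDN disconnected 3400 from Test connection SSL on channel 1
19.05.02 17:17:36 please look at error codes in documentation
"""

LINE_RE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)$")
CONNECT_RE = re.compile(r"IPCP connected to (.+?) with IP Address (\S+)")
DISC_RE = re.compile(r"ISDN disconnected (\d+) from (.+?) on channel")
FILE_RE = re.compile(r"^NCP(\d{2})(\d{2})(\d{2})\.LOG$", re.IGNORECASE)


def parse_log(text):
    """Return [(datetime, message)] for every well-formed line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d, mo, y, h, mi, s, msg = m.groups()
        events.append((datetime(2000 + int(y), int(mo), int(d), int(h), int(mi), int(s)), msg))
    return events


def sessions(events):
    """Pair each 'IPCP connected' line with the next ISDN disconnect for the same profile."""
    open_by_profile, done = {}, []
    for ts, msg in events:
        m = CONNECT_RE.search(msg)
        if m:
            open_by_profile[m.group(1)] = (ts, m.group(2))
            continue
        m = DISC_RE.search(msg)
        if m and m.group(2) in open_by_profile:
            start, ip = open_by_profile.pop(m.group(2))
            done.append({"profile": m.group(2), "ip": ip, "cause": int(m.group(1)),
                         "start": start, "end": ts,
                         "duration_s": int((ts - start).total_seconds())})
    return done


def expired_logs(filenames, today_yymmdd, keep_days=7):
    """Names of NCPyymmdd.LOG files older than keep_days relative to today ('yymmdd').
    Calendar days are assumed; the manual speaks of 'online days'."""
    today = datetime.strptime(today_yymmdd, "%y%m%d")
    out = []
    for name in filenames:
        m = FILE_RE.match(name)
        if not m:
            continue
        file_day = datetime.strptime("".join(m.groups()), "%y%m%d")
        if (today - file_day).days > keep_days:
            out.append(name)
    return out
```

The ISDN cause value (3400 in the excerpt) is what the manual refers to with "please look at error codes in documentation"; keeping it with the session record is what makes repeated disconnects attributable later, once the seven-day window has rolled the original file away.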
Appendix: Secure Client Services

Contents

1 Services and Applications of the Secure Client
1.1 Overview of the ports of the NCP Secure Client
    for Win2000/XP
    for 98/ME
    additional ports
1.2 Registry Entries for the NCP Secure Client
    Key: Software\Ncp Engineering GmbH\NCP RWS/GA 6.0
    Key: Software\Ncp Engineering GmbH\NCP Secure Client
2 rwsrsu.exe - Update Client
2.1 Functional Description
2.2 Configuration
2.2.1 Configuration of the Update Client
    Configuration compare via the Management Server
    Update Interval (CheckInterval)
    Block Size (BlockSize)
    Additional Configuration Settings in the Registry
2.2.2 Automating the Initial Logon
    Example
2.2.3 Configuration on the Management Server
2.2.4 Management Server Settings
    General
    Clients
    Authentication
    ClientAuthentication
the client: no UDP packets reach the client PC.
Only for unknown networks: In this switch position UDP filtering discards all packets from unknown networks.
Off: If the filter is switched off, all UDP packets reach the client PC. This setting should only be used if problems occur with an application.

Allow HotSpot logon for external dialers: If this function is activated, HotSpot logon can be executed via an external dialer. For this you must call the command line interface rwscmd.exe; see the description in the Services Appendix of this manual. With the command

  rwscmd /logonhotspot <timeout>

the firewall is released for ports 80 (HTTP) and 443 (HTTPS). This generates a dynamic rule that allows data traffic until the transferred timeout (in seconds) has elapsed. Keep the timeout as short as the logon page needs, since the rule opens traffic outside the tunnel for its whole lifetime.

Configuration field Logging (Firewall Settings): The activities of the firewall are written to a log file depending on the setting. The default output directory for log files is the LOG subdirectory of the installation directory. The firewall log files are plain text and are named Firewallyymmdd.log. They contain a description of rejected and/or permitted data traffic, depending on which of the two options has been selected. If neither option has been selected, only status information on the firewall is logged. The l
the DHCP server to the client originates.
Any port: allows communication via all source ports for outgoing packets and all destination ports for incoming packets.
Explicit port: This setting should only be used if this system makes a server service available, e.g. Remote Desktop on port 3389.
Several ports: This setting should only be used if the local ports can be combined in a range that is required by a service that will be made available on this system, e.g. FTP ports 20-21.

Firewall rule: Remote

On this tab the filters are set for the remote IP addresses and IP ports.

Firewall Rule Entry: With the basic setting "blocked", the firewall lets outgoing packets through whose source address matches the address under Local IP address or lies within its range of validity; of the incoming packets it lets through those whose destination address matches the address under Local IP address or lies within that range. The same holds with the blocked basic setting for the IP ports: outgoing packets are permitted whose source port falls under the definition of the local port, and incoming packets are let through whose destination port falls under the definition of the local port. The local address and port are thus always the ones belonging to this PC, whatever the direction of the packet. With the settings under Remote IP address you specify the remote IP addresses
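A small model of the rule semantics just described, together with the time-limited dynamic rule that the HotSpot logon command creates for ports 80 and 443, as an added example that is not the NCP Link Firewall's code. Rule fields, packet tuples and the addresses are constructed for the example; stateful inspection (automatic acceptance of replies to permitted outgoing connections) is deliberately not modelled, and the assumption that the hotspot rule is outgoing-only is mine.

```python
"""Added example: blocked basic setting with explicit local/remote port rules and a
dynamic, expiring rule for TCP 80/443 as created by 'rwscmd /logonhotspot <timeout>'."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    direction: str                    # "in", "out" or "both"
    proto: str                        # "tcp", "udp" or "any"
    local_ports: Optional[range]      # None = any port; range(3389, 3390) = explicit; range(20, 22) = several
    remote_net: str = "0.0.0.0/0"     # remote IP address or range of validity
    remote_ports: Optional[range] = None
    expires: Optional[float] = None   # only set on dynamic rules (seconds, monotonic clock)

    def matches(self, pkt, now):
        if self.expires is not None and now >= self.expires:
            return False
        if self.direction != "both" and self.direction != pkt["dir"]:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["remote_ip"]) not in ip_network(self.remote_net):
            return False
        if self.local_ports is not None and pkt["local_port"] not in self.local_ports:
            return False
        if self.remote_ports is not None and pkt["remote_port"] not in self.remote_ports:
            return False
        return True


def normalise(direction, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    """Map a packet to the local/remote view the rules use: for outgoing packets the
    local side is the source, for incoming packets it is the destination."""
    if direction == "out":
        return {"dir": "out", "proto": proto, "local_port": src_port,
                "remote_ip": dst_ip, "remote_port": dst_port}
    return {"dir": "in", "proto": proto, "local_port": dst_port,
            "remote_ip": src_ip, "remote_port": src_port}


class LinkFirewall:
    """Blocked basic setting: everything not matched by a rule is dropped."""

    def __init__(self):
        self.rules = []      # configured rules
        self.dynamic = []    # rules generated at runtime, e.g. by the hotspot logon

    def logon_hotspot(self, now, timeout_s):
        # Models the dynamic rule of 'rwscmd /logonhotspot <timeout>': outgoing TCP 80/443
        # to any host until the timeout (seconds) has elapsed.
        for port in (80, 443):
            self.dynamic.append(Rule("out", "tcp", None, "0.0.0.0/0",
                                     range(port, port + 1), expires=now + timeout_s))

    def allowed(self, pkt, now):
        self.dynamic = [r for r in self.dynamic if r.expires > now]   # purge expired rules
        return any(r.matches(pkt, now) for r in self.rules + self.dynamic)
```

The Explicit port and Several ports settings map to range(3389, 3390) and range(20, 22) on the local side; note that an explicit local port only makes sense for a service this PC offers, which is why the manual restricts both settings to that case.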
the Monitor menu after rebooting.

Port: If the installation has been executed correctly, the card reader is assigned a port automatically. Should problems arise, COM ports 1-4 can be assigned manually.

Certificate Selection (1. Certificate to 3. Certificate; standard: 1): Up to three different certificates located on the smart card can be selected from the list. The number of certificates on the smart card depends on the registration authority that issued it; for further information please contact your system administrator. The smart cards issued by Signtrust and NetKey 2000 come with three certificates: (1) for digital signing, (2) for encryption and decryption, (3) for authentication (optional with NetKey 2000).

PKCS#12 File Name: If you are using the PKCS#12 format, you receive a file from your system administrator that must be copied to your PC's hard disk. In this case enter the path and file name of the PKCS#12 file, or select the file after clicking the selection button. A PKCS#12 file contains the private key: protect it with a strong password and restrict the file's access rights to the user who needs it.

PKCS#11 Module: If you are using the PKCS#11 format, you receive a DLL from your smart card reader manufacturer that must be copied to your PC's hard disk. In this case enter the path and file name of the driver. Edit the NCPPKI.CONF file located in the installation directory by entering the name of the connected reader or token (xyz) as
the number of subnets and host bits.

With the subnet mask 255.255.255.240 a class C network is divided into subnets. Under the classic (RFC 950) rules this mask allows a total of 14 subnets, each with a maximum of 14 computers; with today's CIDR rules all 16 subnets of the mask are usable, each still with 14 hosts.

  255.255.255.240   11111111 11111111 11111111 1111 0000
  199.9.99.130      11000111 00001001 01100011 1000 0010   subnet number 8
  199.9.99.146      11000111 00001001 01100011 1001 0010   subnet number 9
                    network  network  network  subnet host

Standard masks:
  Subnet mask for class A: 255.0.0.0
  Subnet mask for class B: 255.255.0.0
  Subnet mask for class C: 255.255.255.0

Reserved addresses

Some IP addresses may not be assigned to network devices. These include the network or subnet address and the broadcast address of networks or subnets.

Network addresses consist of the network number with the host field filled with binary 0s, e.g. 200.1.2.0, 162.66.0.0, 10.0.0.0; no transmission into the network takes place to such an address.

The broadcast address consists of the network number with the host segment filled with binary 1s, e.g. 200.1.2.255, 162.66.255.255, 10.255.255.255; it is therefore also called an all-ones broadcast, with which all components of a network are addressed. Example: 198.10.2.255 is addressed to all stations in the network 198.10.2.0; 255.255.255.255 (limited broadcast) is addressed to all stations on the local network and is not forwarded by routers.

0.0.0.0 (all-zero broadcast): invalid as a destination address. Please note that this is often used f
the sender and the recipient is not endangered. If an unauthorized person is in possession of the key, this person can decrypt all messages; in other words, using the key he can also appear as the message sender. If symmetric encryption is to be used in larger groups of participants so that each participant can only read messages addressed to him, an individual key is required for each sender/recipient pair. This results in somewhat cumbersome key management: for 1000 participants, 499,500 different keys (1000 x 999 / 2) are necessary to support all possible relationships. The best-known symmetric algorithm is DES; its 56-bit key is no longer adequate against brute force, and AES (or at least 3DES) should be used instead.

TCP/IP: An abbreviation for Transmission Control Protocol / Internet Protocol, the network protocol suite used by computers to communicate with each other. TCP/IP can be used in almost any LAN or WAN regardless of the underlying topology (Token Ring, Ethernet, X.25, ISDN, Frame Relay, etc.). TCP/IP also includes various Internet standards: FTP (File Transfer Protocol) for file transfer, SMTP (Simple Mail Transfer Protocol) for e-mail, TELNET (Teletype Network) for terminal emulation, RLOGIN (Remote Login) for remote control purposes.

TECOS: Operating system for smartcards (V 1.2, 2.0).

Token Ring: Ring-structured network topology from IBM.

UDP: User Datagram Protocol. This builds directly on the underlying
that should some unauthorized person use your PC, they will be able to use your password. Therefore caution should be used when your PC is left unattended.

Destination phone number: You must define a phone number for those destinations using ISDN, PSTN or GSM, otherwise the client will not be able to dial up and establish a connection to the destination or ISP. The phone number must be entered exactly as if you were dialing the number from a telephone: you must enter any required prefixes, country codes, area codes, extensions, etc.

In order to acquire an outside line when communicating via a PBX it is necessary to define an Outside Line Prefix (see Outside Line Prefix in the Monitor menu Configuration).

Example: making a connection from Germany to the UK:
  00        gets you an international line when dialing from Germany
  44        country code for the United Kingdom
  171       prefix for London
  1234567   the number you want to reach

The client dials the following number, and it is displayed in the phonebook as: 00441711234567

The destination phone number may include up to 30 characters.

Alternate destination phone numbers: It could be that the destination you want to communicate with uses a Network Access System (NAS) that is equipped with multiple phone numbe
to restart the Monitor (Confirmation).

7 Examples and Explanations

This section of the handbook discusses some essential routing concepts. The Secure Client configuration is illustrated with several different examples.

7.1 IP Functions

To correctly configure an IP network you must adhere to the procedure for IP addressing. Below you will find some guidelines and terminology. For additional information about IP networks the standard literature is recommended.

7.1.1 IP Network Devices

IP addresses are assigned to the component interfaces of an IP network. These components are also called hosts or computers. Components with several network interfaces (e.g. routers) may accordingly be allocated several addresses. The term host address denotes the IP address of the host of an IP process regardless of the actual physical structure of the components or the interfaces.

7.1.2 IP Address Structure

IP addresses have a length of four octets (32 bits, 4 bytes) and are written in dotted decimal or hexadecimal notation, e.g. 198.10.6.27 or 0xC6.0x0A.0x06.0x1B. The addresses are divided into a network segment, which identifies the network, and a local address (the host segment), which identifies the host within the network. All hosts within one network share the same network segment; each also has a unique host segment.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Screenshot: Registry Editor showing the Run key with the REG_SZ values NcpBudget, NcpMonitor and NcpPopup, each pointing to the respective program in the ncple installation directory, next to unrelated autostart values such as avmwlanClient and synchronize (mobsync.exe /logon).]

Key: Software\Microsoft\Windows\CurrentVersion\Run, value NcpBudget

4 rwscmd.exe - Command Line Interface

Attention: The following description only applies to Windows systems.

4.1 Transferring Commands to the NCP Secure Client

With rwscmd.exe the NCP Secure Client (Entry, Enterprise and GovNet Client) has a command line interface that can be used by other applications. The prerequisite for using rwscmd.exe is client software of at least version 7.0 (Enterprise Client) or 8.0 (Entry Client). At installation the command line interpreter is copied into the ncple directory under Windows. It is called from this directory, e.g. C:\W
There are three classes of Internet addresses; each is distinguished by how many bytes of the IP address are used for the network segment and how many for the host segment.

Class A (large networks, network numbers 1-127): For class A addresses the highest bit is 0, the next seven bits represent the network segment, and the remaining 24 bits represent the host segment. The network segment needs 1 byte: max. 126 usable networks (network number 127 is reserved for loopback). The host segment needs 3 bytes: max. 2^24 = 16,777,216 different host addresses. In this manner a maximum of 126 different networks, each with a maximum of 16,777,216 host addresses, may be addressed.

Class B (mid-size networks, network numbers 128-191): For class B addresses the two highest bits have the values 1 and 0, the following 14 bits represent the network segment, and the remaining 16 bits represent the host segment. The network segment needs 2 bytes: max. 16,384 different networks. The host segment needs 2 bytes: max. 2^16 = 65,536 different host addresses. In this manner a maximum of 16,384 different networks, each with a maximum of 65,536 host addresses, may be addressed.

Class C (small networks, network numbers 192-223): For class C addresses the three highest bits have the values 1, 1 and 0, the following 21 bits represent
can be switched to Ad hoc manually if you want to set up a profile for a direct connection from PC to PC.

General profile settings (tabs: General, Encryption, IP addresses, Authentication): Name (e.g. ncptest2003), SSID (e.g. ncptest2003), Network type (Infrastructure), Power Mode (Medium; Low gives the best network performance). If the WLAN adapter permits it, the energy mode can be selected here. If the connection type of the selected profile is switched to Automatic, this profile can be used for the WLAN automation (see above).

Encryption: The encryption mechanism must be specified by the access point (WLAN router) and communicated by the administrator. Fields: Encryption (WEP), Authentication (Open System), Key length (128 bit), Key format (ASCII characters), Key 1 to Key 4. If WPA with EAP-TLS is used, the EAP options must be activated in the configuration menu of the Monitor and a certificate must be configured in the Monitor menu under Configuration > Certificates. Note that WEP is cryptographically broken and offers no real protection: use WPA2 or newer wherever the access point supports it, and treat a WEP or open network like any other untrusted hotspot, i.e. use it only through the VPN tunnel.

IP Addresses: Configure the IP address of the WLAN card in this window: Obtain an IP address automatically, or Use the following IP address (IP address
authentication, then the connection is refused. If this extension is not present in the certificate, it is ignored.

Please note that the SSL server authentication check is direction dependent: the initiator of the tunnel establishment checks the incoming certificate of the other side; if the extendedKeyUsage extension is present, the intended purpose must contain SSL Server Authentication. This applies as well to callback to the client via VPN.

Exception: For a server callback to the client after a direct dial-up (without VPN but with PKI), the server checks the client certificate for the extendedKeyUsage extension. If it is present, the intended purpose SSL Server Authentication must be contained, otherwise the connection is rejected. If the extension is not present in the certificate, it is ignored.

subjectKeyIdentifier / authorityKeyIdentifier: A key identifier is an additional ID (hash value) alongside the CA name on a certificate. The authorityKeyIdentifier (SHA1 hash over the issuer's public key) on the incoming certificate must agree with the subjectKeyIdentifier (SHA1 hash over the public key of the owner) on the corresponding CA certificate. If no CA certificate is found, the connection is rejected. The key identifier designates the public key of the certification authority and thus, if required, not only one certificate but a series of certificates (for instance after a CA key rollover, where the CA name stays the same but the key changes). The use of the key identifier a
server can be entered after the first IP address, separated by a comma. The IP address of the first available FND server is selected automatically for friendly net detection.

User ID / Password (FNDS): The Friendly Net Detection Server is authenticated via MD5 or TLS. The user ID and password entered here must agree with those stored on the FNDS.

Incoming certificate's subject (user): The incoming certificate of the FNDS is checked for this string. It is a Friendly Net only if there is agreement.

Issuer's certificate fingerprint: In order to offer maximum security against counterfeiting, the fingerprint of the issuer certificate must be capable of verification. It must agree with the hash value entered here.

Friendly Net Detection via TLS: If the Friendly Net is to be detected via TLS, including authentication via the issuer certificate fingerprint, this issuer certificate must be located in the CaCerts program directory and its fingerprint must agree with the fingerprint configured here.

Configuration field Options (Firewall Settings): With the blocked basic setting, the set-up of VPN connections can be globally permitted via the Options tab. The following protocols and ports required for the tunnel set-up are released per generated filter: For IPSec: UDP 500 (IKE/ISAKMP), IP protocol 50
Internet or to the corporate network. The profile is created after a few configuration questions in accordance with the selected basic setting. Below are the data required for the configuration:

Link to Corporate Network using IPSec:
- Profile Name
- Communication Medium
- Access data for Internet Service Provider (User ID, Password, Phone Number)
- VPN Gateway selection (Tunnel Endpoint IP address)
- Access data for VPN Gateway (XAUTH User ID, Password)
- IPSec Configuration (Exchange Mode, PFS Group, Compression)
- Static key (Preshared Key, without certificate), IKE ID Type, IKE ID
- IP Address Assignment (IP address of the client, DNS/WINS Server)
- Firewall Settings

Link to the Internet:
- Profile Name
- Communication Medium
- Access data for Internet Service Provider (User ID, Password, Phone Number)

The new profile is now displayed in the list of profiles with its assigned name. If no further parameter settings are necessary, you can close the profile settings by clicking OK. The new profile is immediately available in the Monitor: it can be selected there, and via the menu Connection > Connect a connection to the corresponding destination can be established.

Configure Profile: If you want to change any default profile data and parameters, start by selecting the appropriate profile and then click
Certificate Check ... 164
    Incoming certificate's subject ... 165
    Incoming certificate's issuer ... 165
    Issuer's certificate fingerprint ... 166
    Use SHA1 fingerprint ... 166
    Further certificate checks ... 166
5.1.12 Link Firewall ... 169
    Enable Stateful Inspection ... 169
    Only communication within the tunnel permitted ... 170
    Enable NetBIOS over IP ... 170
    If Microsoft's dialer in use, only communication within the tunnel is permitted ... 170
6 Establishing a Connection ... 171
    Establishing a Connection to the destination system ... 171
    Automatic (default) ... 171
    Manual ... 171
    Variable ... 171
    Connect ... 171
    Client Logon
    Passwords and User Names ... 173
    User ID for NAS Dial-Up ... 173
    User Name and Password for Extended Authentication ... 174
    Disconnection and error ... 175
    Disconnect ... 175
    Disconnect the Monitor ... 176
7 Examples and Explanations ... 177
7.1 IP Functions ... 177
7.1.1 IP Network Devices
server callback to the client after a direct dial-up (without VPN but with PKI), the server checks the client certificate for the extendedKeyUsage extension. If it is present, the intended purpose SSL Server Authentication must be contained, otherwise the connection is rejected. If the extension is not present in the certificate, it is ignored.

subjectKeyIdentifier / authorityKeyIdentifier: A key identifier is an additional ID (hash value) alongside the CA name on a certificate. The authorityKeyIdentifier (SHA1 hash over the issuer's public key) on the incoming certificate must agree with the subjectKeyIdentifier (SHA1 hash over the public key of the owner) on the corresponding CA certificate. If no CA certificate is found, the connection is rejected.

CDP (CRL Distribution Point): The URL for downloading a CRL is stored in the CDP extension. If the CDP extension is contained in the certificate, then after the connection is set up the CRL is downloaded via the specified URL and checked. If the check determines that the certificate is invalid, the connection is disconnected. During this process the CRL is stored in the ncple\crls directory under the common name of the CA. Note that this revocation check runs only after the tunnel is up, so a revoked certificate is accepted until the CRL has been downloaded and evaluated.

4.1.8 Enter PIN

The PIN entry can be executed before establishing a connection, after the Monitor has been started. If a connection requiring a certificate is established at a later
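The extendedKeyUsage rule and the authorityKeyIdentifier / subjectKeyIdentifier matching described above (here and in the earlier Certificate Check passage), as an added example that is not the NCP client's code. Certificates are constructed dictionaries, public keys are placeholder byte strings, and the key identifier is computed as the SHA-1 over the public key bits (RFC 5280 method 1); the CA names and OIDs are assumptions apart from serverAuth, 1.3.6.1.5.5.7.3.1, which is the standard OID for SSL Server Authentication.

```python
"""Added example: extendedKeyUsage check (absent = ignored, present = must contain
serverAuth) and issuer selection by key identifier rather than by CA name alone."""

import hashlib

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, "SSL Server Authentication"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, used for the negative case


def key_identifier(public_key_bits):
    """RFC 5280 method 1: SHA-1 over the subjectPublicKey bit string."""
    return hashlib.sha1(public_key_bits).digest()


def make_cert(subject, issuer, pubkey, issuer_pubkey=None, eku=None):
    """Constructed stand-in for a parsed X.509 certificate (dict instead of ASN.1)."""
    return {
        "subject": subject,
        "issuer": issuer,
        "ski": key_identifier(pubkey),                                          # subjectKeyIdentifier
        "aki": key_identifier(issuer_pubkey) if issuer_pubkey is not None else None,  # authorityKeyIdentifier
        "eku": eku,                                                             # list of OIDs or None
    }


def check_eku(cert, required_oid=SERVER_AUTH_OID):
    """Direction-dependent rule of the manual, applied to the certificate the initiator receives."""
    if cert["eku"] is None:
        return True, "extendedKeyUsage absent: ignored"
    if required_oid in cert["eku"]:
        return True, "extendedKeyUsage contains SSL Server Authentication"
    return False, "extendedKeyUsage present without SSL Server Authentication: rejected"


def find_issuer(cert, ca_store):
    """Select the CA certificate whose subjectKeyIdentifier equals the incoming
    authorityKeyIdentifier; fall back to the CA name only if no AKI is present."""
    if cert["aki"] is None:
        return next((ca for ca in ca_store if ca["subject"] == cert["issuer"]), None)
    return next((ca for ca in ca_store if ca["ski"] == cert["aki"]), None)


def check_chain(cert, ca_store):
    ok, why = check_eku(cert)
    if not ok:
        return False, why
    ca = find_issuer(cert, ca_store)
    if ca is None:
        return False, "no CA certificate with matching subjectKeyIdentifier: rejected"
    return True, f"issuer found by key identifier: {ca['subject']}"
```

The point of matching on the key identifier is visible in the rolled-over CA below: two CA certificates carry the same name, and only the one whose public key actually signed the gateway certificate is selected.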
Services

RSUINIT.BAT, which must bear precisely this name in order to be called automatically, can look like this (<installdir> stands for the client installation directory):

  RSUINIT.BAT
    <installdir>\rwscmd /rsuautoanswer off
    <installdir>\rwscmd /select "Destination Name"
    <installdir>\rwscmd /connect
    del c:\<installdir>\rsuinit.bat

In order to execute an automated (non-interactive) InitLogon, the following parameters must be written to ncp.ini with rwscmd.exe:

  Name             Meaning
  RsuInteractive   0 = automatic InitLogon; in this case the following two values are read
  RsuLogonUserId   the VPN user ID to be used
  RsuLogonPw       authentication code (only necessary for LDAP authentication)

Note that ncp.ini is a plain text file; restrict its access rights accordingly, and let the batch file delete itself as shown above so that the logon data does not remain on disk.

2.2.3 Configuration on the Management Server (ncprsu.exe)

The Update Clients obtain the IP address of the Management Server within the PPP negotiation when establishing the connection to the VPN gateway. If the Management Server is installed behind an external VPN gateway, its IP address must be saved in the phonebook of the Secure Client under DNS/WINS > Management Server. The computer with the Management Server must be reachable from the NCP Secure Server (VPN gateway) via TCP/IP in the network. If the Management Server is installed on the same computer as the Secure Server (VPN gateway), ensure that the IP address of the Management Server is no
170. esent the network segment and the remaining 8 bits represent the host segment. The network segment needs 3 bytes (max. 2,097,152 different networks); the host segment needs 1 byte (max. 256 different hosts). In this manner a maximum of 2,097,152 different networks, each with a maximum of 256 different hosts, may be addressed.

Examples (Network / Host):
Class A: 122.087.156.045
Class B: 162.143.085.132
Class C: 195.076.212.024

Please note when assigning the addresses that each physical host must be able to use several IP addresses. A workstation can function with one IP address. A router needs an IP address for each interface, however at least two: one for the connection to the local network (LAN IP Address) and one for the connection to the WAN side.

NCP engineering GmbH 179 SECURE ENTRY CLIENT EXAMPLES AND EXPLANATIONS

7.1.3 Subnet Masks

In a wide area network, various physically separated nets (LANs) may belong to the same network (WAN) with the same network number. On the basis of the network number alone, no router can decide whether it should create a connection to a physically different network within the WAN or not. Thus the network (WAN) must be subdivided into smaller segments (LANs) that each receive their own address block. Each address block of the individual physical networks is designated as a subnet. Through this subdivision of a network into subnets, the hierarchy "network and computer" is extended to a hierarchy of ne
171. etroactive installation is possible via the command line interface (rwscmd.exe); likewise, retroactive de-installation is also possible. The Gina is also installed if an appropriate phonebook is provided via Secure Enterprise Management.

If the Gina dialog does not appear, then the connection to the domain server cannot be set up via the NCP Gina. In other words, you must have the "Display dialog for connection before Windows logon" so that in the boot phase the connection to the VPN gateway can already be set up. For this connection setup you must enter access data for the network dial-in, or PIN and SIM PIN must be entered before the Windows logon.

Windows logon: The following Windows logon can be executed automatically or manually, depending on configuration. "Execute manually" means that the user must enter his logon data manually in the Windows logon screen. "Automatically" means that the Client software will transfer the data entered here to the Microsoft Gina without user intervention.

If you use the logon option with callback, then "Negotiate PPP callback" must be activated (see > parameter field Callback in the Phonebook). To select the destination with the logon option, please see the section "Setup a connection, Client logon" and the Appendix for Mobile Computing.

Logoff: The client connection to the VPN Gateway or
172. evocation List of the Certification Authority.

Validity: The validity of certificates is limited. Normally the validity of an Issuer Certificate is longer than the validity of a Client Certificate. Upon expiration of the Issuer Certificate, the validity of the Client Certificate of the same CA expires as well.

Fingerprint (Hash value): The Hash value is the signature of the certificate. The Hash value is encrypted with the private key of the CA.

View Client Certificate: In order to view the Client Certificate, select Connection > Certificate > View Client Certificate. Upon doing so, the individual assigned data will be displayed read-only for your review purposes.

Certification Authority: The CA and the issuer of a Client Certificate are normally identical (self-signed certificate). The CA of the Client Certificate has to be identical with the CA of the Issuer Certificate (see Issuer Client Certificate).

Serial Number: The serial number of the certificates can be compared with the registered numbers in the Revocation List of the Certification Authority (see > Radius Authentication).

Validity: The validity of certificates is limited. Normally the validity of an Issuer Certificate is longer than the validity of a Client Certificate. The expiration of validity erases the functionality of certificates.

Fingerprint
173. f the respective computer is completely camouflaged and the establishment of undesired connections is impossible.

PIN: Personal Identification Number
PKCS: Abbreviation for Public Key Cryptography System, an encryption system with public key.
PKCS#10: A method defining how a certificate is transferred from the PKI manager to the CA (Certification Authority), usually via HTTP encrypted with SSL (as HTTPS).
PKCS#11: Basis for Smartcard standards.

NCP engineering GmbH 211 SECURE ENTRY CLIENT ABBREVIATIONS AND TECHNICAL TERMS

PKCS#12: Soft certificate. A standard that describes the data structure (syntax).
PKCS#15: Smartcard pointer description. Indicates where what will be found on the Smartcard.
PKI: This is used for Key Management. Transaction-based security requires a clear partner authentication by means of certificates that have been issued by a trustworthy PKI. Particularly for e-commerce, PKI offers the framework for confidentiality (secrecy), integrity (counterfeit security), authenticity (identity security) and indisputability.
PoP: Point of Presence
POP3: Protocol used for downloading e-mails. Counterpart to SMTP. Port 10.
PPP: Point-to-Point Protocol. Transmission protocol in connection-oriented networks.
PPP negotiation: In a PPP negotiation the IP address is assigned automatically after the logon at the provider.
PRI: Primary Rate Interface. ISDN interface (primary multiplex, S2m) with 30 B-Channels and 2 D-Cha
174. fig. below.

[Screenshot: Registry Editor showing the key HKEY_LOCAL_MACHINE\SOFTWARE\NCP engineering GmbH\NCP Secure Client with its values (InstallDir, InstallDirDos, LanguageNr, PrgFolder, PrgVersion, ProductName, UninstKey and others)]

Key: Software\Ncp Engineering GmbH\NCP RWS GA 6 0\SeCICsi (DWORD): Secure Client Connection state Information
Key: Software\Ncp Engineering GmbH\NCP Secure Client\Install
175. files. Left side: the minimized NCP Secure Entry Client representation. When "Show Profiles" is activated, the configured destinations can be selected by clicking on the listed names (picture left side).

[Screenshot: minimized Client Monitor with the profile "Headquarters" and the message "Software has not been activated. Valid for another 30 days"]

4.4.2 Show Buttons

When "Show Buttons" is activated, the buttons for Connect and Disconnect are displayed; therefore the size of the window is larger.

4.4.3 Show Statistics

When "Show Statistics" is activated, all information available from the monitor is displayed; the size of the window will be larger.

[Screenshot: Client Monitor with the statistics area: Time online, Timeout (sec), Data Tx in Byte, Direction, Data Rx in Byte, Link Type, Com Speed (KByte/s), Encryption]
176. for automatic media detection.

Use this profile after every system reboot: Normally, after a restart the Client Monitor opens with the last profile used. If this function is activated, then the profile referred to here is loaded after a system restart, regardless of which profile was last used. In order to set up a connection, this profile can also be selected manually, assuming that the VPN parameters have been configured correctly.

134 NCP engineering GmbH SECURE ENTRY CLIENT CONFIGURATION PARAMETERS PROFILE SETTINGS

Use this phonebook entry after every system reboot: Normally, after a restart the Client Monitor opens with the last profile used. If this function is activated, then the profile referred to here is loaded after a system restart, regardless of which profile was last used.

Use Microsoft RAS Dialer: Microsoft's RAS Dial-Up Networking can be used for dialing in to an ISP. This is necessary when the access point requires a dial-up script; the RAS Dial-Up Networking supports this script. The option "Use Microsoft RAS Dialer" is located in the Client's Phonebook under "Destination". The RAS script file, including its path and name, can be entered in the parameter folder "Dial-Up Network" (see > RAS Script file). With the "Never" setting, the NCP Dialer is used exclusively to dial in. If the data communications dialer will be used only for script dial-in, then select this option. For a
177. formation for the internet service provider: Enter username, password and, if necessary, the phone number of your internet service provider. If "Save password" is not selected, you will be prompted for the password before every connection.

[Dialog fields: Username, Password, Password (confirm), Save password, Destination Phone Number]

The card (Fusion UMTS/GPRS/WLAN 3G modem) will be displayed accordingly. Select this card. Do not make any changes to the modem initialization string. Do not switch pulse dialing on. Click on "Next".

You only need to enter any user name for the Internet Service Provider (ISP), unless you have received special passwords from the provider. Billing and identification are executed via the SIM card. For a test connection to an NCP Gateway, enter 99 as the telephone number. Click on "Next".

Appendix Mobile Computing via GPRS/UMTS SECURE ENTERPRISE ENTRY CLIENT

Destination: Read the description of the VPN gateway parameters. To which VPN server should the connection be established? Enter the DNS name (i.e. vpnserver.domain.com) or the official IP address (i.e. 212.10.17.29) of the VPN gateway you want to connect to. With L2TP an optional tunnel secret may be used; if used, this has to be identically configured at the VPN gateway. With L2Sec, compression may also be used.

Tunnel Endpoint (VPN Gateway's Hostname or IP Addres
178. g. below.

[Screenshot: "Log On to Windows" dialog with user name, password and "Log on to" fields]

The Client software transfers the requested login data into this screen (the MSGINA) automatically, so that the user does not need to enter anything else for the Windows login. For this, "Use saved login data" must be activated in the logon options, and the data must be entered in the fields.

4.1 Logon Options

The logon options are selected via the Configuration Monitor menu. Please note the descriptions in your handbook of the client about possible settings in this window. In this window you can decide whether, via the connection dialog before Windows logon on a remote domain, the connection from the client to the gateway should be established. For connection setup to the gateway it may be necessary to enter the PIN for the certificate as well as for the SIM card, and the non-saved password for network dial-in, prior to entering the password for the Windows login.

If the connection setup takes place prior to the Windows logon, then the login to the remote domains will be encrypted. If you use the logon option with callback, then "Negotiate PPP callback" must be executed (see Callback). The computer must be rebooted after every change of logon options made in
179. Profiles / Configuration Locks: The editing rights for the parameters in the profile settings are divided into two groups: General rights, and Visible profile parameter fields.

General rights: The general rights refer only to configuration of the profiles. If you specify "Profiles may be created", then "Profiles may be configured" nevertheless remains excluded; thus, while new profiles can indeed be defined with the assistant, subsequent modification of individual parameters will then no longer be possible.

Visible profile parameter fields: The parameter fields of the profile settings can be suppressed for the user. Please note as well that parameters of a non-visible field cannot be configured.

4.2.10 Profile Import

With this function, profile settings can be imported by the client. The profile settings to be imported can be created as an INI file by the destination system or edited by hand. You will find the files IMPORT_D.TXT and IMPORT_E.TXT in the installation directory, for example. In those files the syntax and the values of the parameters are described.

4.2.11 HotSpot

The configuration for hotspot logon is executed via this menu option. The following settings are possible:
Use standard browser for hotspot logon
180. h the connection via a HotSpot operator. You must agree to the terms and conditions of the HotSpot operator in order to set

The statistics window for the WLAN settings shows the status of the connection to the Access Point in plain text. The statistics window completes the graphical displays in the monitor with additional data. The connection state is not concerned.

4.2.4 Outside Line Prefix

Outside line prefix: A special number or dial prefix is generally required when communicating via a PBX in order to acquire an outside line. The number entered in this field, depending on the type of PBX, will then be used for all outgoing calls until changed or deleted. This eliminates the need for modifying the destination phone number(s) in the phonebook, particularly when travelling. The outside line prefix within the graphical user interface or the NCP logon is limited to the numbers 0 to 9 and certain characters. By entering the comma you can configure a dial pause through the outside line.

4.2.5 Certificates Configuration

By clicking on the menu item Configuration > Certificates, you can first determine whether you want to use the certificates (and thus the Extended Authentication) and where you want to store the user certificates. The PIN entry polic
181. hanges. Afterwards a valid PIN must be re-entered for authentication.

PIN State Symbol Visible in the Client Monitor: If a valid PIN is entered, this is symbolized by a green check next to the PIN display in the client monitor. If the PIN has not yet been entered correctly, the green check will not appear.

PIN Handling after Logoff or Sleep Mode: When a user logs off Windows (NT/2000/XP), the PIN cache is cleared and the PIN must be re-entered at the next logon. When the machine enters sleep mode, the PIN cache is also cleared.

Displaying ACE Server Messages for RSA Token: If messages are sent by the ACE server because of the RSA token, they will be displayed on the monitor in an input field, for example "Expiration of valid PIN".

4.1.10 Change PIN

The PIN for a Smart Card or for a soft certificate can be changed under the menu item "Change PIN" if the correct PIN number has previously been entered. This menu item will not be activated without the previous entry of a valid PIN number. For security reasons, after opening this dialog the still valid PIN must be entered a second time. This is to ensure that only the authorized user can change the PIN. The digits of the PIN are displayed in this entry field and in the next entry fields as asterisks. With a click on OK you have changed your PIN. PIN policies that need to be complied with
182. has been established (precon); Execute after connection has been established (postcon); Execute after connection has been disconnected (discon). The wait function "Wait until application has been executed and ended" can be relevant if a series of batch files will be executed one after the other.

Deny the start of the (dis)connect.bat: This function should always be activated if execution of the cited batch files with administrator rights (system rights) is not necessarily required for a desired application. Please see the description in the Services Appendix in the manual. The applications (batch files) for which user rights are adequate can be started in the Monitor menu "External Applications" (see above).

Call Control (Call Control Manager): The Call Control Manager is a feature devised to help control and limit communication costs. The following limit factors can be defined: the maximum time online, the maximum number of connects (outgoing calls), and the maximum number of charge units that may be incurred. The time period for which these limits are to be adhered to may also be defined. It is possible to define that a warning message be displayed upon reaching 90% of any limit. In the event that the set limit(s) are exceeded, the link will be automatically disconnected and a warning
183. he connection is still established. With a click on this menu item or on the "Disconnect" button the monitor can be closed as well. Please note that closing the Monitor does not automatically terminate the connection. If the link should remain established although the monitor is closed and fees may occur, the software asks you explicitly for a prompt. Upon selecting "No", your desktop will not display any icon and you will not be notified that the link is active and fees may occur. In order to terminate the connection correctly, you would have to restart the Monitor.

4.2 Configuration

You can specify all settings for work with the IPSec Client which should persist longer than one session with this menu choice. Specifically, this means creating profiles (configuration for IPSec links), choosing communication media, as well as obtaining an outside line for connections to telecommunications systems. In addition, you can individually configure precisely how certificates should be used, how the call control manager should work, and which configuration rights the user receives.

4.2.1 Profile Settings

Entries in the profile settings: After installing the Secure Client for the first time, it will be necessary to define a profile for your requirements in the profile set
184. he functions of both security processes as a hybrid and works on the network layer as well as on the user layer. With condition-dependent packet filtering, not only are the Internet and transport layers taken into consideration, but the dependencies on the state of a connection are also taken into consideration. All current and initiated connections are stored, with address and allocated port, in a dynamic connection table. The Stateful Inspection filter decides which packets belong to which connection based on specified raster information. States can be connection establishment, transfer or connection disconnect, and they apply for TCP as well as for UDP connections.

An example using a Telnet session: The state "Connection establishment" is defined in that user authentication has not yet taken place. If the user has logged in with user name and password, then this connection is set to the normal connection state. Because the respective state of a connection is constantly monitored, access to the internal corporate network remains denied to unauthorized parties.

The advantage relative to static packet filters is that the decision whether a Gateway or Client will forward a packet or not is not based only on source address, destination address or ports. The security management also checks the state of the connection to a partner. Only those packets are forwarded that belong to an active connection. Data packets that
185. ic. The SA must first have been negotiated in order for the IPSec process to start. This SA negotiation takes place once per SPD, which can be created for different ports, addresses and protocols. This SA negotiation requires a control channel.

First the client must create a Layer 2 (PPP) link to the provider. With this link the client is assigned a new IP address each time he dials in. The IPSec module in the client receives an IP frame with the destination address of the corporate network. An SPD entry for this IP frame will be found, but no SA exists at this time. The IPSec module then issues a request to the IKE module to negotiate an SA. Thus the requested security policies, as present in the SPD entry, are handed off to the IKE module.

Negotiating an IPSec Security Association (IPSec SA) is considered a Phase 2 negotiation. However, before an IPSec SA can be negotiated with the other side (Secure Server), a kind of control channel from the client to the Secure Server (VPN gateway) must first exist. This control channel is established via the Phase 1 negotiation, whose result is an IKE Security Association (IKE SA). Thus the Phase 1 negotiation undertakes the complete authentication of the client relative to the Secure Server and generates an encrypted control channel. Then the Phase 2 negotiation (IPSec SA) can immediately take place over this control channel. The Phase 1 negotiation is a handshake over which the exchange of certificates is p
186. ic configurations depending on the IPsec gateway. The configuration possibilities that you must be aware of, depending on whether the IPsec gateway supports Extended Authentication (XAUTH) and IKE config mode or not, are listed below.

Gateway does not support XAUTH: As initiator, the IPSec Client always suggests Extended Authentication as standard. This property cannot be configured. If the gateway does not support Extended Authentication, then it will not be executed.

Gateway supports IKE config mode: If the gateway supports the IKE config mode, the function "Use IKE Config Mode" in the parameter field "IP Address Assignment" can be activated.

Gateway does not support IKE config mode: If the gateway does not support the IKE config mode, then two configurations are possible:
1. The IP address is defined as "Manual IP address" (see > Profile Settings, IP Address Assignment); the IP address must be entered which has been specified by the gateway or by the administrator.
2. The function "Use local IP address" (see > Profile Settings, IP Address Assignment) causes the private IP address to be set equal to the public IP address that the client gets for each Internet session from the provider or, with the LAN connection type, the address that the LAN adapter has. If the private IP address has been set and the Type is set
187. icensing button. Later, the correctly entered license data is no longer displayed at this point.

4.5.2 Search new Updates

Use this menu option to check whether updates are available for the software (test versions as well). For more information see the License section below.

4.5.3 Info

The info window shows the product designation and the version number of the software you are using.

[Info window: Secure Entry Client Version 8.30 Build 57, high security remote access, Copyright NCP engineering GmbH]

112 NCP engineering GmbH SECURE ENTRY CLIENT LICENSING

4.6 Licensing

In the Help Monitor menu under the menu option "License Data and Activation", the software version implemented and possibly the licensed version with serial number are shown. The Client software is always installed first as a test version (if Client software has not yet been installed, or if there is a previously installed older version, then the software has not yet been activated). This also applies if the older version has already been licensed; then this older version will be reset to the status of a test version, and the license data must be re-entered within 30 days via the activation dialog. The time remaining until software activation, i.e. the validity period of the test version, is displayed in the message bar of the monitor next to the
188. ient; however, the network component does not require EAP.

Chip Card Reader: If a smart card reader has been installed and configured (see Monitor menu > Configuration > Certificate), then its icon will be displayed in blue. If the smart card is inserted in the reader, this icon will be displayed in green.

PIN Status: A PIN icon in gray always means that the system is still waiting for the PIN to be entered for the respectively configured certificate. Double-click on this icon to open the dialog for entering the PIN. An incorrect PIN is acknowledged with an error message, and the remaining number of possible PIN entry attempts will be reduced. After successfully entering the PIN, the icon will be displayed in green. This color indicates that the entered PIN is valid, even if a connection has not been set up. If you want to ensure that unauthorized persons cannot establish a connection in your absence, then the PIN must be reset (see Monitor menu > Reset Connection PIN), or the PIN query function for each connection setup must be activated under Configuration > Certificate. In the latter case the dialog for PIN entry will not be displayed after double-clicking on the grey icon; it will only be displayed after connection setup.

Firewall: The firewall icon is always visible if a firewall is activated. If the global firewall Per
189. ies and the interval of validity are specified in a second parameter field.

Certificates are normally created by a CA (Certification Authority) utilizing some sort of PKI-based architecture, and they may be implemented on a Smart Card in addition to digital signature(s). Such Smart Cards represent an individual personal identity card. You can use certificates with a private key length of up to 2048 bits.

The system monitors whether the PKCS#12 file is present. If, for example, this file is stored on a USB stick or an SD card, then after pulling out the SD card the PIN is reset and an existing connection is disconnected. This process corresponds to the "Connection disconnect when smart card is removed", which can be set when using a smart card under Configuration > Certificates in the monitor menu. If the SD card is later re-inserted, then the connection can be restored after another PIN entry.

The environment variables (users) of the operating system can be inserted in the certificate configuration. The variables are changed when closing the dialog and when copying the telephone book, and they are written back into the configuration. If an environment variable does not exist, then it is removed from the path when converted and a log entry is written into the logbook. If a sign (syntax) is missing, then the variable remains and a log entry is written as above.
190. ime period in seconds after which the Secure Client (or the RWSRSU) will contact the Management Server in order to check whether updated files are present.

BlockSize=20000: The block size designates the maximum size in bytes of the data packets that will be transmitted. The block size should not exceed 64 kByte (65536). The Update Client compares its value with the block size for each connection with the Management Server.

Authentication: The complete configuration section under Authentication is used for rollout if an LDAP Server is also available.

UseLdapAuthentication=1: 0 = LDAP authentication is not used; 1 = LDAP authentication is used. If LDAP authentication is used, then the following parameter values must be used accordingly. These values must agree with those that have been configured with the Server Manager on the Secure Server (VPN Gateway); see the Server Manual, "LDAP Server".

LdapHost=127.0.0.1: IP address of the LDAP host in the corporate network. Corresponds to the parameter "LDAP Host" in the server manual.

LdapPort=389: The port number of the LDAP Server. Only change this value if the LDAP Server definitively runs under a different port number than the standard number specified here (389). Corresponds to the parameter "Port LDAP Host" in the server manual.

LdapAdminDN=CN=XXX,O=XXX,C=XXX
191. implemented. There are two versions of CAPI, 1.1 and 2.0. The ISDN applications are programmed accordingly, either for CAPI 1.1 or CAPI 2.0, or for the specific CAPI requirements. A hybrid CAPI allows implementation of application software for CAPI 1.1 as well as for CAPI 2.0 (see Hybrid CAPI).

CCP: Compression Control Protocol
Certificates: Certificates are issued by a CA (Certification Authority) with a PKI Manager software and stored on a Smartcard. This Smartcard contains digital signatures in addition to the Certificates. These digital signatures are equivalent to a digital personal identity card.
CHAP: Challenge Authentication Protocol
CLI: Calling Line Identification (Caller ID), Euro ISDN
COSO: Charge One Side Only. The low-level callback is negotiated via D-Channel and uses call waiting via D-Channel. This method is very popular because, as opposed to PPP, no local charge is assessed to the caller when dialing up or connecting to the remote destination. The caller initiates the request for a connection on the ISDN D-Channel. The receiver establishes the connection and is charged.
Cryptography: Applications are encryption, electronic signature, authentication and Hash Value Calculation. These are mathematical processes that are used with a key.
CTAPI: Interface to Smartcard Readers
CUG: Closed User Group, Euro ISDN
DES: Data Enc
192. in each case a destination system with the alternatively available connection types (such as modem and ISDN) has been selected.

[Screenshot: profile settings tree with Basic Settings, IP Address Assignment, Line Management, IPSec General Settings, Remote Networks, Certificate Check, Link Firewall]

In this regard, ensure that the destination system with automatic media detection is configured with all parameters necessary for the connection to the VPN Gateway, particularly the IP address of the VPN gateway. On the other hand, the destination systems with the alternative connection types must be configured in such a manner that each desired connection type (possibly the modem parameters as well) is set and the function "Entry for automatic media detection" is activated. In addition, for the respective connection medium the input data for the ISP must be set in the "Network dial-in" parameter field.

For connection setup the Client automatically detects which connection types are currently available and selects the fastest of these; if there are multiple alternative transmission paths, it automatically selects the fastest. The connection type priority is specified in the following sequence in a search routine:
1. LAN
2. WLAN
3. DSL
4. UMTS/GPRS
5. ISDN
6. MODEM
The incoming data for the connection to the ISP are transferred from the phonebook entries that have been configured
193. in the central data network is prevented. Secondly, the respective status of existing connections is monitored via Stateful Inspection. Moreover, the firewall can detect whether a connection has opened spawned connections (as is the case with FTP or NetMeeting, for example), whose packets likewise must be forwarded. If a rule is defined for an outgoing connection which permits an access, then the rule automatically applies for the corresponding return packets. For the communication partner, a Stateful Inspection connection is represented as a direct line which can only be used for an exchange of data that corresponds to the agreed rules. The firewall rules can be configured dynamically, i.e. it is not necessary to stop the software or restart the system.

The firewall settings in the configuration menu of the Client Monitor permit a more precise specification of firewall filtering rules. They have a global effect. This means that, regardless of the currently selected destination system, the rules of the extended firewall settings are always worked through first, before the firewall rules from the telephone book are applied. A combination of the global and link-based firewall can be quite effective in certain scenarios. However, generally the global setting possibilities should be able to cover virtually all requirements. Please note that the link-based firewall settings take priority over the global firewall settings at activation. For i
194. …C:\Windows\ncple> rwscmd <command>
If the syntax is not observed, or if a command is specified incorrectly or incompletely, then a window will be displayed that lists the possible commands:
connect
connect [Destination Name]
disconnect
lock
unlock
start
stop
select [Destination Name]
setinituser InitUserId Password
rsuautoanswer off | yes | no
ginaon
ginaoff
ginainstall
ginaunins
logonhotspot Timeout
A-52 Appendix: Secure Client Services, SECURE ENTERPRISE ENTRY CLIENT SERVICES
4.2 Prerequisite for Program Use
- The services ncprwsnt, ncpsec and rwsrsu must be started. These services start as a standard function after installation of the Client Software; they are located in the directory C:\Windows\ncple>.
- It is only necessary to start the Monitor if passwords or PIN entries are required, since rwscmd.exe does not start a PIN dialog.
- In addition, write authorizations must exist for the registry key HKEY_LOCAL_MACHINE\Software\NCP engineering GmbH\NCP Enterprise Monitor.
4.3 Description of the Commands
rwscmd connect
Required Windows authorization: User rights
Description: Connection setup with the last destination entry set in the Monitor.
connect [Destination Name], e.g. rwscmd connect "LAN via Router IP"
Required Windows authorization: User rights
Description: Connection setup with the transferred destination entry. Quotation marks are set instead of the square brackets…
195. …
4.1 Connection
With this choice you will find commands for link establishment and link break-off. You will also find information windows displaying the current link establishment and the implemented certificates. In addition, link control statistics can be read here and, if required, the link control barrier can be deleted if a threshold value that you have set is exceeded.
4.1.1 Connect
This command is used to initiate a connection. A connection can only be made if a profile has been properly defined and selected in the Profile Settings (see Profile Settings, Basic Settings). The selected profile is displayed in the Profile field of the Monitor. Selecting the function Connect, the connection will be established manually to the destination system. Whether the link is built manually or automatically depends on the Connection Mode defined for the profile in the Line Management folder of the profile settings, as well as on the communication medium being used (see Profile Settings, Line Management, Connection Mode).
4.1.2 Disconnect
A connection can be terminated manually by clicking on Disconnect in the Connection pull-down menu or by clicking the right mouse button. As soon as the connection has been terminated, the traffic light switches from green to red.
4.1.3 Ho…
196. [Screenshot: Windows Services list (Network Connections, Network DDE, NT LM Security Support Provider, Performance Logs and Alerts, Plug and Play, Print Spooler, Protected Storage, Remote Access Connection Manager, Remote Procedure Call, Security Accounts Manager, …) with the Start/Stop/Pause/Restart/Properties context menu]
You can view the properties of these services from this Windows screen, or you can start or stop the services. All services of the Secure Client are started automatically from the installation directory after the software is installed.
[Screenshot: ncprwsnt Properties (Local Computer) dialog with tabs General, Log On, Recovery, Dependencies; Service name: ncprwsnt; Display name; Description]
197. …instruction: Before continuing with the installation you must ensure that neither a VPN client nor a personal firewall from a different manufacturer is installed on this end device. The exceptions are Microsoft products. If a VPN client or personal firewall from a different manufacturer is installed, then this can cause instability, system crash and loss of data. The personal firewall integrated in the NCP Secure Entry Client software offers all security mechanisms required to protect your system against attacks from the Internet or from the WLAN. Do you want to continue installing the software?
[Screenshot: NCP Secure Entry Client InstallShield Wizard, License Agreement]
Please read the following license agreement carefully. Press the PAGE DOWN key to see the rest of the agreement.
NCP Engineering Software License Agreement: The terms of the license for use by you, the end user (referred to hereinafter as the Licensee), of NCP software are set out below. By reading and accepting this notice you agree to these terms and conditions, so please read the text below carefully and completely. If you do not accept the terms of this agreement you cannot use the software. Terms of agreement: …
Do you accept all the terms of the preceding License Agreement? If you select No, the setup will close. To install NCP Secure Entry Client you must accept this agreement. [< Back] [Yes] [No]
The Insta…
198. …ion of certificates
ABBREVIATIONS AND TECHNICAL TERMS
PAP: Password Authentication Protocol. Security mechanism inside PPP for authenticating the other side. PAP defines a method for the establishment of a connection whereby the rights of the sender are checked based on a user name and password. In this process the password is sent over the line in clear text. The recipient compares the parameters with his own data and, if they agree, releases the connection.
PBX: An abbreviation for Private Branch Exchange, which is an automatic telephone switching system that enables users within a company to place calls to each other without having to go through the public telephone network. Users of course can also make calls to and receive calls from the public telephone network.
PC/SC: Interface to Smartcard readers.
PEM: An older form of Soft Certificates without private key.
Personal Firewall: Client software security mechanisms combine tunneling processes and personal firewalling, IP Network Address Translation (IP NAT) as well as universal filter mechanisms. IP NAT is of central importance, since it ensures that only outgoing connections from the computer to the Internet are possible. Incoming data packets are checked on the basis of refined filtering for precisely defined characteristics and are discarded if there is no agreement. This means that the Internet port o…
199. …Wireless Application Protocol. Developed by Nokia, Ericsson and Motorola.
WINS: An abbreviation for Windows Internet Naming Service, which is a Windows NT Server method for linking a computer's host name to its address. This was the original Microsoft derivative of DNS and is also referred to as INS (Internet Naming Service).
X.25: An ITU (International Telecommunications Union) recommendation that specifies the connection between an end device (e.g. PC or terminal) and a packet-switched network. X.25 is based on three definitions: (1) the physical connection between the end device and the network, (2) the transmission access protocol and (3) the implementation of virtual circuits between network users. Together these definitions specify a synchronous, full-duplex end device (terminal) to network connection.
X.509 v3: A Standard of Certification.
INDEX
access data from configuration, 159
Activate GPRS/UMTS, 52
AES 128, AES 192, AES 256, 153, 19
Analog Modem, 22
Analog Interface, 203
APN, 143
Applications (Firewall), 79
ARL (Authority Revocation List), 198
Authentication, 153, 154
authority…
200. …establishment can only be executed after correct PIN entry.
Safeguarding PIN Use
If you activate the function "PIN request at each connection" in the certificate configuration, then the PIN can no longer be entered via the Enter PIN Monitor menu option. The menu option Enter PIN is thus switched to inactive automatically. This ensures that the PIN will only be queried, and can only be entered, directly before the connection is set up. Activate this function to prevent an unauthorized user from setting up an undesired connection if the PIN has already been entered.
Likewise, if the Change PIN function has been switched active, then the PIN that has already been requested in other function contexts is no longer used, i.e. when setting up a connection or in the Enter PIN connection menu. Instead you can always select the menu option Change PIN, and the new PIN will be automatically reset immediately after the change. This ensures that, when configuring PIN query at every connection set-up on an unauthorized Client Monitor, a PIN entered previously by an unauthorized user cannot be used at any time to set up a connection.
4.1.9 Reset PIN
This menu item can be selected for deleting the PIN, making the valid PIN useless to other users. It can be helpful, for example, if you leave your client temporarily or if the user c…
201. …security policies of the IPSec process can be imposed on the packet. These security policies are also described in the SPD entry. If in this manner it is determined that an IP packet is linked with an SPD entry that triggers an IPSec process, then it will be examined to see whether a security association (SA) exists for this SPD entry. If an SA does not yet exist, then first an authentication and a key exchange will take place before the negotiation of an SA (see below, IPSec Negotiation, Phase 1).
After the SA negotiation, negotiations follow for data packet encryption (ESP) and/or authentication (AH) of the data packets. The SA describes which security protocol should be used: ESP (Encapsulating Security Payload) supports the encryption and authentication of IP packets; AH (Authentication Header) supports only the authentication of IP packets. The SA also describes the operating mode in which the security protocol should be used, either Tunnel or Transport mode. In Tunnel mode an IP header is inserted; in Transport mode the original header is used. Additionally the SA describes which algorithm will be used for authentication, which encryption method for ESP, and which key should be used. Of course the other side should work according to the same SA. Once the SA is negotiated, each packet will be processed according to the operating mode and protocol, either Tu…
202. …proposal for authentication and encryption algorithms. This means that any policy can consist of several proposals. The same policies with their affiliated proposals should be valid for all users. This means that on the client side as well as on the server side the same proposals for the policies should be available. You can extend the list of proposals or delete a proposal from the proposal list by using the buttons Add and Remove.
Policy Name (IKE Policy): Give this policy a name over which later an SPD can be allocated.
Authentication (IKE Policy): Both sides must have been successfully authenticated in order to establish a control channel for the IKE Security Association (phase 1). The authentication mode is limited to the use of pre-shared keys. This means that for mutual authentication a static key is used. You define this key in the parameter folder Identity.
Encryption (IKE Policy): Symmetrical encryption of messages 5 and 6 in the control channel occurs according to one of the optional encryption algorithms if Main Mode (Identity Protection Mode) is used. Choices are DES, 3DES, Blowfish, AES 128, AES 192 and AES 256.
Hash (IKE Policy): This is the mode that determines how the hash value over the ID is formed, or in other words this determines which hash algorithm is used in the IKE negotiation. Choices are MD5 (Mess…
203. …language support. The default language is English. In order to choose a language, click on Language in the Window pull-down menu and then select the desired language. In the near future the client will have additional language support.
4.5 Help
Help menu: Help, License data and activation, Search new updates, Info.
Select the Help menu option to open the online help context-independently with Table of Contents and Index. Moreover, you can enter the license key and read the version number of the software here.
4.5.1 License Data and Activation
The software version implemented and possibly the licensed version with serial number are shown under the menu option License Data and Activation.
[Screenshot: License Data and Activation window. Software version: Product NCP Secure Entry Client, Version 8.30 Build 57, ServicePack. Licensing: Product NCP Secure Entry Client, Version 8.30, Serial number, Type: Trial version valid for another 2 days, Activation: Not activated]
If the software is used as a test version, then the remaining validity period is displayed in the popup. In order to use a valid full version, the software must be activated, requiring a serial number and matching activation key. By licensing the software you agree to abide by the NCP Engineering Softw…
204. …IP NAT (Network Address Translation), Stateful Inspection, filter rules assigned to applications and certain connections, filter rules assigned to certain protocols, ports and addresses, identification of friendly networks, automatic hotspot logon, extensive logging options, filtering of IP broadcasts (NetBIOS over IP).
PRODUCT OVERVIEW
- PKI (Public Key Infrastructure) in accordance with the X.509 v3 standard; Entrust (Entrust Ready); Smartcards: PKCS#11, TCOS 1.2 and 2.0, CardOS M4 via CT-API or PC/SC; Soft certificate: PKCS#12; PIN policy: administrative specification for PIN entry of any complexity; Revocation lists: checking the CRL (Certificate Revocation List) and ARL (Authority Revocation List); Certificate control: verification and notification of a certificate's validity period.
- One Time Password: convenient entry by separating PIN and password; RSA ready.
- DynDNS (Dynamic DNS): accessing the central VPN gateway with changing public IP addresses; query of the current IP address via a public DynDNS server.
- IP Address Allocation: DHCP (Dynamic Host Control Protocol).
- Point-to-Point Protocols: PPP over ISDN, PPP over GSM (V.110), PPP over PSTN (Modem), PPP over Ethernet (xDSL); PPP LCP (Link Control Protocol), PPP IPCP (IP Control Protocol), PPP MLP (Multilink Protocol), PPP Call Back negoti…
205. …InstallShield Assistant is now started. It will guide you through the installation. Read the terms of the Welcome window carefully and click on Next. Note the following message and deactivate any VPN Client and Personal Firewall of another manufacturer to avoid data loss. The next window displays the Software License Agreement. In order to proceed with the installation of the licensed version, click on Yes. Clicking No will stop the installation process. (continued on next page)
[Screenshot: NCP Secure Entry Client, Setup Type. Select the setup type that best suits your needs. Click the type of setup you prefer. Typical: Program will be installed with the most common options. Recommended for most users. Custom: You may select the options you want to install. Recommended for advanced users. Destination Folder: C:\Programme\NCP\SecureClient (Browse). < Back, Next >, Cancel]
Under Windows Vista it could also be Program Files\Funkwerk\Secure IPSec Client.
[Screenshot: the same Setup Type dialog, second variant, with the Destination Folder field]
206. …as well as the Update Client (NCP Secure Client) can be set especially for communication with each other. If configurations are executed, then the service (i.e. the program) must first be stopped and then restarted so that the changes become effective:
for Management Servers with
net stop ncprsu
net start ncprsu
for the Update Client under Windows NT/XP/2000 with
net stop rwsrsu
net start rwsrsu
for the Update Client under Windows 98/ME, in the directory <installdir>\ncple, with
rwsrsu stop
rwsrsu start
2.2.1 Configuration of the Update Client (rwsrsu)
a) Configuration compare via the Management Server
The rwsrsu (Remote Software Update) service that is always active on the Secure Client is first set by the Management Server. The Update Client receives the update interval for this and the block size for the compare. These data are transmitted from the configuration of the Management Server to the Client when the Client logs on.
Update Interval (CheckInterval): As delivered, the setting for the update interval is one day. Use the update interval to specify a time period in seconds after which the Secure Client (or the RWSRSU) will contact the Management Server in order to check whether updated files are present.
Block Size (BlockSize): The block size designates the maximum size in bytes of the data packets that will be transmitted. The block…
207. …Diffie-Hellman Group
Message 5: Header, ID, Certificate, Signature (symmetric encryption and Hash)
Message 6: Header, ID, Certificate, Signature (encrypted)
If RSA signatures have been set (graphic above and below), then this means that certificates will be used and thus pre-configuration of all secrets is no longer relevant.
IKE Aggressive Mode with RSA Signatures
Initiator -> Destination
Message 1: Header, SA, Key Exchange, Nonce, ID
Message 2: Header, SA, Key Exchange, Nonce, ID, Certificate, Signature (unencrypted), Hash, Diffie-Hellman Group
Message 3: Header, Certificate, Signature
7.2.4 IPSec Tunneling
The compatibility with other manufacturers relies on the ability to conform to the IPSec RFCs and to some drafts (official or not). The IPSec Client running in IPSec compatible mode supports the following RFCs and drafts:
RFC 2104 Keyed-Hashing for Message Authentication
RFC 2401 Security Architecture for the Internet Protocol
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
DRAFT draft-beaulieu-ike-xauth-05 (XAUTH)
208. …allows a greater flexibility for determining a certificate path. In addition, the certificates that possess the authorityKeyIdentifier extension do not need to be revoked if the CA issues a new certificate when the key remains the same.
7.8.3 Checking Revocation Lists
The Secure Server can be provided with the associated CRL (Certificate Revocation List) for each issuer certificate. It will be copied into the ncple\crls Windows directory. If a CRL is present, then the Secure Client checks the incoming certificates to see if they are listed in the CRL. The same applies for an ARL (Authority Revocation List), which must be copied into the ncple\arls Windows directory. If incoming certificates are contained in the CRL or ARL lists, then the connection is not permitted. If CRLs or ARLs are not present, then no check takes place in this regard.
7.4 Stateful Inspection Technology for the Firewall Settings
The Stateful Inspection firewall technology can be used for all network adapters as well as for RAS connections. It is activated on the client in the telephone book under Firewall settings (see Configuration parameters, Firewall settings). It is then active on the gateway if the "Protect LAN adapter" function has been switched on in the Server Manager under Routing interfaces, General. The fundamental task of a firewall is to p…
209. …only be entered if it has not yet been entered in the configuration of the destination system (profile), in the Modem parameter field in the telephone book, or if the saved PIN does not agree with the SIM you are using.
[Screenshot: NCP Secure Client, T-Mobile D, Enter PIN dialog; connection L2Sec Test, Disconnect]
Then the signals of the card will be displayed; after the network search, the wireless network found is shown with the respective field strength. If search for alternative networks has been activated, then a different network as well as a different connection medium can be selected manually. Then click on OK in order to continue with domain login. Use Local login to exit the domain login dialog. If use of the certificate has been configured for this connection, then at this point its PIN must be entered. Then click on OK. This establishes the connection, and a tunnel into the central corporate network is set up. The further procedure depends on the configuration in the Monitor menu under Configuration, Logon options.
1. The user enters the requested login data as in the standard Windows login (see Standard Windows login in the Fi…
210. …cannot be assigned to an established connection are rejected and recorded in the log file. New connections can only be opened according to the configured rules. In the simplest firewall function only the incoming and outgoing connections are tested and monitored relative to the protocol (TCP/IP, UDP/IP, ICMP, IPX/SPX), the appropriate ports and the participating computers. Connections are permitted or blocked depending on a specified system of rules. Further tests, such as of content or transferred data, do not take place.
The Stateful Inspection filters are a further development of the dynamic packet filter and offer a more complex logic. The firewall checks whether a connection allowed on the port filter can also be established for the defined purpose. The following additional information about a connection is also managed:
- Connection identification number
- State of the connection (such as establishment, data transfer, disconnect)
- Source address of the first packet
- Destination address of the first packet
- Interface through which the first packet came
- Interface through which the first packet was sent
Based on this information the filter can decide which subsequent packets belong to which connection. Thus a Stateful Inspection system can also eliminate the UDP problem. This involves the relative ease with which UDP packets can be forged, such as is the case…
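The Stateful Inspection behaviour described in fragments 193 and 210, as an added example that is not part of the original manual or of NCP's code: a connection table holding the listed attributes (id, state, first-packet addresses and interfaces), rules that decide only whether a new connection may open, return packets admitted by the table entry rather than by a rule of their own, and rejection plus logging of everything that cannot be assigned to a tracked connection, including a forged UDP reply. The Packet and Rule fields are this example's assumptions.

```python
"""Toy Stateful Inspection filter. Constructed example, not NCP code."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str      # interface through which the packet came
    out_iface: str     # interface through which it is sent
    syn: bool = False  # TCP: connection establishment
    fin: bool = False  # TCP: disconnect


@dataclass(frozen=True)
class Rule:
    proto: str         # "TCP" or "UDP"
    dst: str           # destination address, "any" = wildcard
    dport: int         # destination port, 0 = any
    action: str        # "permit" or "deny"


@dataclass
class Connection:
    conn_id: int
    state: str         # "establishment", "data transfer" or "disconnect"
    packet: Packet     # the first packet: its addresses, ports and interfaces


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._ids = count(1)
        self.table: Dict[Tuple, Connection] = {}
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Direction-independent key, so return packets hit the same entry.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _rule_permits(self, p: Packet) -> bool:
        for r in self.rules:  # first matching rule decides
            if r.proto == p.proto and r.dst in ("any", p.dst) and r.dport in (0, p.dport):
                return r.action == "permit"
        return False          # no matching rule: implicit deny

    def handle(self, p: Packet) -> str:
        conn = self.table.get(self._key(p))
        if conn is not None:
            # Belongs to a tracked connection: return packets need no rule of their own.
            if p.proto == "TCP" and p.fin:
                conn.state = "disconnect"
            elif conn.state == "establishment":
                conn.state = "data transfer"
            return "ACCEPT"
        # Only a genuinely new connection (TCP SYN or a fresh UDP flow) may open an entry.
        opens = (p.proto == "TCP" and p.syn) or p.proto == "UDP"
        if opens and self._rule_permits(p):
            self.table[self._key(p)] = Connection(next(self._ids), "establishment", p)
            return "ACCEPT"
        # Cannot be assigned to any connection: reject and record in the log.
        self.log.append(f"REJECT {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} via {p.in_iface}")
        return "REJECT"


def demo() -> List[str]:
    """Constructed traffic: permitted DNS and HTTPS out, a forged UDP reply, unsolicited TCP in."""
    fw = StatefulFilter([Rule("UDP", "any", 53, "permit"), Rule("TCP", "any", 443, "permit")])
    host, dns, web = "192.168.1.10", "10.0.0.53", "10.0.0.80"
    packets = [
        Packet("UDP", host, 40000, dns, 53, "lan", "vpn"),                   # DNS query: opens conn 1
        Packet("UDP", dns, 53, host, 40000, "vpn", "lan"),                   # genuine reply: same entry
        Packet("UDP", "10.0.0.66", 53, host, 40000, "vpn", "lan"),           # forged reply: no entry
        Packet("TCP", host, 50000, web, 443, "lan", "vpn", syn=True),        # HTTPS SYN: opens conn 2
        Packet("TCP", "10.0.0.99", 1234, host, 445, "vpn", "lan", syn=True), # inbound SYN, no rule
        Packet("TCP", "10.0.0.99", 1234, host, 443, "vpn", "lan"),           # mid-stream ACK, no entry
    ]
    return [fw.handle(p) for p in packets]
```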
211. …Name (String): Enter the name which you have received from your administrator. This is the DNS name of this gateway which is stored by the DynDNS service provider. A second gateway can be entered in the same syntax after a comma.
IKE Policy: The IKE policy is selected from the list box. All IKE policies that you set up with the policy editor are listed under IKE policy. The policies appear in the box with the name that you specified in the configuration. You will find two pre-configured policies in the policy editor under IKE policy, as Pre-shared Key and RSA Signature. Contents and name of these policies can be changed at any time, i.e. new policies can be added. Every policy lists at least one proposal for authentication and encryption algorithms (see IKE Policy (editing)). This means that a policy consists of different proposals. There are functional differences between these two IKE policies by using a static key or an RSA signature (see Examples and Explanations, IPSec, IKE Modes). The same policies with their affiliated proposals should be valid for all users. This means that on the client side as well as on the server side the same proposals for the policies should be available.
Automatic mode: In this case it is not necessary to configure the IKE policy in the IPSec Configuration. It will be assigned by the remote site.
Pre-shared Key: This preconfigured policy can be used without PKI support. The…
212. …modify the Windows XP default settings so that any software can be installed without the Microsoft compatibility check: open the Windows Control Panel and then System Properties, Driver Signing. Set the install procedure to "Install the software anyway and don't ask for my approval". You can ignore the warning when installing the client. After the warning pops up, click on proceed installation. Windows XP will let you install the client adapter. The installation will not have any negative effect on the operating system.
Installing from CD
After inserting the CD in the drive of your PC, the welcome window appears on the monitor. Click on Install Products and then select the Client Software version to be installed. All further installation procedures are identical with the installation procedures for installing from removable disk, from the window Choose Setup Language on.
2.2.1 Default Installation
Installing the Client Software: First you copy the EXE file you have got with a download or with the CD onto the hard disk of your PC. The filename of the EXE file displays the version number and build number of the software, e.g. NCP_EntryCl_Win32_900_028.EXE. To install the Client Software, select in the Windows main menu Start, Settings, Control Panel. Select Add/Remove Programs in the Control Panel and then click on the…
213. …connection is established.
[Screenshot: Client Monitor with signal strength, connection L2Sec Test at NAS Dial-up T-Mobile D, context menu Activate GPRS]
You can also change the connection medium manually. Click on the desired medium with the mouse (in the Fig. to the left: Activate GPRS). However, if you change the medium manually, the connection will be disconnected. Then the connection will be re-established automatically, if this is what has been configured for the connection setup in the phonebook.
4 Domain Login via NCP Gina
The Client software starts in the background in the boot phase and captures the Windows Ctrl+Alt+Delete call ("Welcome to Windows: press Ctrl+Alt+Delete to begin"). The integrated Personal Firewall provided by the NCP software is already active at this time, so that the PC is already protected. The destination system that has been configured for the connection medium GPRS/UMTS can be selected during the boot phase (e.g. NCP Secure Client, L2Sec Test). The function "Activate domain login" is only required if there was previously an incorrect logoff. The search for available alternative networks takes a few seconds and is usually only significant abroad. The SIM PIN must then on…
214. …must also be selected by the recipient as the ID for the incoming connection. The following ID Types are available:
IP Address
Fully Qualified Domain Name
Fully Qualified Username (corresponds to the user's e-mail address)
IP Subnet Address
ASN1 Distinguished Name
ASN1 Group Name
Free String (used to identify Groups)
ID (Identity): For IPSec there is a differentiation of incoming and outgoing connections. The value that the initiator selected as ID for the outgoing connection must also be selected by the recipient as the ID for the incoming connection. According to the selected ID type, the character string (i.e. the address range with minus) must be entered in this field.
Use pre-shared key: The pre-shared key is a string with a maximum length of 255 characters. Any alphanumeric characters can be used. If the other side expects a pre-shared key during the IKE negotiation, then this key must be entered in the field Shared secret. Please confirm the shared secret in the field below. The same pre-shared static key must be used at both end points of the communication.
Use extended authentication (XAUTH): The authentication for IPSec Tunneling can be dealt with utilizing the extended authentication (XAUTH) protocol, Draft 6. If XAUTH is to be used and is supported by the gateway, enable Use extended authentication (XAUTH). In addition to the pre-shared key, username and password can…
215. …function causes the authentication data from the WLAN settings in the Monitor menu to be used for this destination system.
5.1.6 IPSec General Settings
[Screenshot: Profile Settings, Headquarters, IPSec General Settings: Gateway 0.0.0.0, Automatic mode, Main Mode]
In this parameter folder you enter the IP address of the gateway. Furthermore, you determine the policies to be used for the IPSec connection in the negotiation of phase 1 and 2. Using the automatic mode, the client accepts the policies assigned by the gateway. Should the client use its own policies as the initiator of the connection, you have to configure them with the policy editor. The advanced options can be used according to the requirements of the gateway.
Parameters:
- Gateway
- Exch. mode
- IKE Policy
- PFS group
- IPSec Policy
- Policy lifetimes
- Policy editor
Gateway: This is the IP address of the IPSec gateway. You receive the address from your administrator, either as an IP number if the gateway has a permanent official IP address, or as a string (hostname) that is mapped to a dynamic IP address from the Internet Service Provider.
IP address: The address is 32 bits long and consists of four numbers separated by periods.
Na…
216. …tunneling security for local networks: If you wish to encrypt the local LAN traffic by means of VPN tunneling, enable this function.
5.1.11 Certificate Check
[Screenshot: Profile Settings, Headquarters: Basic Settings, HTTP Logon, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Certificate Check, Link Firewall]
You can specify in the Certificate Check parameter field, per destination system, which entries must be present in a certificate from the other side (Secure Server) (see Display Incoming Certificate, General). See also Further Certificate Checks.
- Incoming certificate's subject
- Incoming certificate's issuer
- Issuer's certificate fingerprint
- Use SHA1 fingerprint
- Further certificate checks
Incoming certificate's subject: All attributes of the user, to the extent known (even with wildcards), can be used as user certificate entries of the other side (server). In this regard compare the entries that are always listed under users for Display Incoming Certificates. Use the attribute name abbreviations for this. The attribute type abbreviations for certificate entries have the following meaning:
cn: Common Name (Name)
s: Surname
g…
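The Certificate Check of 5.1.11 together with the revocation-list behaviour of 7.8.3 (fragment 208), as an added example that is not part of the manual or of NCP's code: required subject attributes by abbreviation with wildcards, the expected issuer and issuer fingerprint, and a CRL/ARL lookup that only takes place when the respective list is present. The certificate records are constructed toy data, not real X.509 parsing; the class and field names are assumptions.

```python
"""Per-destination Certificate Check with optional CRL/ARL. Constructed example, not NCP code."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: Dict[str, str]   # attribute abbreviation -> value, e.g. {"cn": "...", "s": "..."}
    serial: int
    issuer_cn: str
    issuer_serial: int        # serial of the issuing CA certificate (what an ARL lists)
    issuer_fingerprint: str   # constructed hex string standing in for the issuer fingerprint


@dataclass
class CertificateCheck:
    subject: Dict[str, str] = field(default_factory=dict)  # required entries, wildcards allowed
    issuer_cn: Optional[str] = None                        # None = not checked
    issuer_fingerprint: Optional[str] = None               # None = not checked


def subject_matches(required: Dict[str, str], actual: Dict[str, str]) -> bool:
    """Every configured attribute must be present and match its pattern (* and ? wildcards)."""
    return all(key in actual and fnmatchcase(actual[key], pattern)
               for key, pattern in required.items())


def check_incoming(cert: Cert, check: CertificateCheck,
                   crl: Optional[List[int]], arl: Optional[List[int]]) -> str:
    """crl/arl hold the revoked serials from the ncple\\crls and ncple\\arls files.
    None means the list is absent, and then no revocation check takes place at all."""
    if not subject_matches(check.subject, cert.subject):
        return "reject: subject"
    if check.issuer_cn is not None and cert.issuer_cn != check.issuer_cn:
        return "reject: issuer"
    if (check.issuer_fingerprint is not None
            and cert.issuer_fingerprint.lower() != check.issuer_fingerprint.lower()):
        return "reject: issuer fingerprint"
    if crl is not None and cert.serial in crl:
        return "reject: certificate listed in CRL"
    if arl is not None and cert.issuer_serial in arl:
        return "reject: issuer listed in ARL"
    return "accept"


# Constructed destination-system check and two constructed server certificates.
CHECK = CertificateCheck(subject={"cn": "vpngw*.example.test"},
                         issuer_cn="Example Corp CA", issuer_fingerprint="AB12CD34")
GOOD = Cert({"cn": "vpngw1.example.test", "s": "Headquarters"}, 1001, "Example Corp CA", 7, "ab12cd34")
WRONG_CN = Cert({"cn": "mail.example.test"}, 1002, "Example Corp CA", 7, "ab12cd34")
```

Note that with `crl=None, arl=None` a revoked certificate is still accepted, which is exactly the "no list present, no check" behaviour the text describes; keeping the lists present and current is therefore part of the configuration, not an optional extra.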
217. …key will be downloaded. This concludes the update process.
2.6 Project Logo
The logo is displayed in a panel of the Client over the entire width of the Monitor at the very bottom. An ini file, ProjectLogo.ini, must be created for the logo, where the following can be entered:
- Project logo for small fonts
- Project logo for large fonts
- Info text (ToolTip) if the cursor is positioned on the logo
- HTML file if there is a mouse click on the logo
For the installation, a ProjectLogo.ini that contains further explanations for creating the logo is copied into the installation directory.
[Screenshot: ProjectLogo.ini with the keys Picture_96, Picture_120, ToolTip1, HtmlLocal]
Picture_96: Bitmap of the project logo for view with small fonts (96 DPI). Height: 24 pixels (minimal). Width: 328 pixels (precise). If a path is not specified, then the file is searched in the current directory of the Secure Client. E.g. Picture_96=C:\programs\ncp\SecureClient\MyProjectPicture.bmp
Picture_120: Bitmap of the project logo for view with large fonts (120 DPI). Height: 29 pixels (minimal). Width: 404 pixels (precise). If a path is not specified, then the file is searched in the current directory of the Secure Client. E.g. Picture_120=C:\programs\ncp\SecureClient\MyProjectPicture.bmp
ToolTip1 … ToolTipX: …
218. ng status: NCP verified and then transferred; Licensing has been processed. Click on Finished when the verification has been concluded.

[Screenshot: Continue software licensing; License data has been verified; Updating the license data]

In the window with the license data you will see that the number of the software version and the number of the licensed version now agree.

4.7 Updates

Under the menu option Help > Check for updates in the Monitor you can check whether a version of the software that is newer than the installed one is available from NCP. This is also possible for a test installation. If a newer version is available from NCP, a software update is always possible. Information on the feature set of the latest software is available on the web site http://www.ncp.de/english/services/whatsnew/index.html

A software update costs money if the newer version is a major release, which is indicated by a change in the first decimal place. For example, if version 8.26 is installed and the next software version is 8.3, then the update from 8.26 to 8.3, as well as the use of the new features, costs money. The new license key is activated as described above under software activation. The
219. nnel or Transport, and either ESP or AH respectively. The IPSec Client always uses the IP protocol in Tunnel mode.

7.2.2 Firewall Settings

The firewall settings consist mainly of IP addresses, UDP and TCP ports and other IP-header-specific entries. If the values of an IP packet agree with the values from the selector portion, then the further specifications in the SPD entry determine how this IP packet is handled. The entries for configuring the IPSec Client are:

- Command: permit, deny or disabled.
- IP Protocol: the transport protocol, which can be ICMP, TCP or UDP. One of these protocols can be selected, or "any".
- Source IP address: a single IP address or an address range. A range is necessary if, for example, a shared SA behind a firewall serves multiple end systems.
- Destination IP address: a single IP address or an address range, with the same rule for ranges.
- Source Port: individual TCP or UDP port numbers or a range of port numbers. The Select button lists port numbers with their assigned services.
- Destination Port: individual TCP or UDP port numbers or a range of port numbers. You determine the port numbers with allocated service by u
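As an added example (written for this page, not NCP code), this is how the selector entries listed above can be evaluated against a packet: an ordered list of entries, each with command, protocol, address ranges and port ranges, where the first enabled match decides. The first-match order and the default action when nothing matches are assumptions; the manual does not state them. The rules and packets are constructed.

```python
"""First-match evaluation of SPD selector entries: command, protocol,
source/destination address or range, source/destination port or range.
Added example, not NCP's code; matching order, default action and all
sample rules/packets are assumptions/constructed."""
import ipaddress
from dataclasses import dataclass

ANY_ADDR = "0.0.0.0-255.255.255.255"
ANY_PORT = "0-65535"


@dataclass(frozen=True)
class Selector:
    command: str             # "permit", "deny" or "disabled" (disabled = skipped)
    protocol: str = "any"    # "any", "ICMP", "TCP" or "UDP"
    src: str = ANY_ADDR      # single address or "low-high" range
    dst: str = ANY_ADDR
    sport: str = ANY_PORT    # single port or "low-high" range (TCP/UDP only)
    dport: str = ANY_PORT


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0           # ignored for ICMP
    dport: int = 0


def _addr_in(spec, addr):
    low, _, high = spec.partition("-")
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(low) <= a <= ipaddress.ip_address(high or low)


def _port_in(spec, port):
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def matches(rule, pkt):
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if pkt.protocol == "ICMP":          # ICMP has no ports to compare
        return True
    return _port_in(rule.sport, pkt.sport) and _port_in(rule.dport, pkt.dport)


def decide(rules, pkt, default="deny"):
    """Walk the SPD in order; the first enabled matching entry decides."""
    for rule in rules:
        if rule.command == "disabled":
            continue
        if matches(rule, pkt):
            return rule.command
    return default


# Constructed SPD: reach the corporate web server and DNS server, nothing else.
# The telnet entry is present but disabled, so it never matches.
SAMPLE_SPD = [
    Selector("disabled", "TCP", dst="172.16.11.0-172.16.11.255", dport="23"),
    Selector("permit", "TCP", dst="172.16.11.0-172.16.11.255", dport="443"),
    Selector("permit", "UDP", dst="172.16.11.16", dport="53"),
    Selector("deny"),
]

if __name__ == "__main__":
    print(decide(SAMPLE_SPD, Packet("TCP", "10.0.0.5", "172.16.11.20", 40000, 443)))
    print(decide(SAMPLE_SPD, Packet("TCP", "10.0.0.5", "172.16.11.20", 40001, 80)))
```

The trailing deny entry is what makes the policy explicit; without it the `default` argument decides, and a permissive default turns every gap in the list into an opening.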
220. nnels

Radius: Remote Authentication Dial-In User Service; see Directory Service.

RA: Registration Authority. For the most part the registering location is the site that accepts the certificate application. The RA is also the site where the loss or compromise of a valid certificate is reported, and the site that issues revocation lists for certificates that have become invalid.

RAS: Remote Access Services. Company-specific Microsoft dial-in support for remote access.

Revocation list: The revocation list includes client certificates that have been revoked or blacklisted. When a user, for example, notifies the CA that their smartcard has been stolen, the certificate is revoked by the CA and entered in the revocation list. Certificates that expire are not listed in a revocation list. Revocation lists are updated regularly.

RIP: Routing Information Protocol; also routing mode.

RFC: Request for Comments. Blueprint for a standard or a pre-standard that is under discussion and is kept in the list of RFCs as long as it proves itself in practice. Earlier forms of RFCs are drafts.

Routing Tables: Routers require information about the best routes from source to destination for route selection in the network. These routes are calculated with the help of the routing table. With static
221. nstance, if the Link Firewall is set to Always and Only allow communication in the tunnel, then regardless of global configuration rules that may differ, only one tunnel can be set up for communication; all other traffic will be rejected by the Link Firewall.

Configuration of the firewall settings
The filter rules of the firewall can be defined per application as well as per address, relative to friendly or unknown networks. To avoid conflicts between the rules of the Link Firewall in the phonebook and the global firewall, we recommend switching off the Link Firewall when using the advanced global firewall. The IP addresses of the respective links to the VPN gateway can be inserted in the filter rules of the global firewall.

Configuration field Basic Settings
In the basic settings you decide how the extended firewall settings will be used.

Disable Firewall: If the extended firewall is deactivated, only the firewall configured in the phonebook will be used. This means that all data packets are processed only by the security mechanisms of this connection-oriented firewall, if they have been configured.

Basic locked settings (recommended): If this setting is selected, the security mechanisms of the firewall are always active. This me
222. nt

[Screenshot residue: Profile Settings tabs: Basic Settings, Dial-Up Network, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks, Certificate Check, Link Firewall]

5.1.1 Basic Settings

In the folder General, enter the profile name, the connection type and the communication medium you wish to use and that is available to Windows.

Parameters:
- Profile name
- Connection type
- Communication medium
- Use this entry for automatic media detection
- Use Microsoft RAS Dialer
- Use this phonebook entry after every system reboot

Profile name
When entering new profiles, enter a unique name for each profile. The profile name may include any character or number, up to a maximum of 39 characters including spaces.

Connection type
Two connection types are available with the IPSec client:
VPN to IPSec correspondent: you dial into the corporate network or the gateway with the IPSec client, and a VPN tunnel is set up for this.
Internet connection without VPN: you only use the IPSec client for dialing into the Inte
223. nu option Help > License data and activation.

[Screenshot: Software Activation Assistant, Internet Connection]

If the Entry Client is used to set up the connection to the Internet, a suitable profile must first be established for the Entry Client. Ensure in this regard that port 80 is released for HTTP if the firewall is activated. If a proxy server is configured in the operating system, these settings can be transferred. After the profile has been selected, click Next.

The Internet connection via the Entry Client does not have to be set up prior to activation. It is set up automatically after the desired existing profile has been selected in the Software Activation Assistant and Next has been clicked. The software is then activated automatically in the following sequence:

[Screenshot: Online Activation status: Connection to the Internet will be established; Activation data has been generated; Activation data has been transmitted; Software has been activated; License data has been updated; Disconnected; Online activation has been processed]
224. nual and variable. You define the connection mode of the destination system in the Phonebook under Line Management > Connection Mode.

Automatic (default): The Client works on the principle of LAN emulation, whereas with Microsoft RAS every connection has to be established manually. This means that the Secure Client automatically activates a connection to the destination selected in the Phonebook when an application program requires it.

Manual: You must activate a connection manually, by clicking Connection in the Monitor and then selecting Connect.

Variable: The connection must first be established manually. Subsequently the mode adapts according to the way in which the previous connection was terminated: if it was terminated as a result of a timeout, the next connection is initiated automatically as required; if it was terminated manually, the next connection must also be established manually with Connect.

Independent of the connection mode, the Monitor always displays the connection status as explained in section 3.1.6, Symbols of the Dial-in.

Client Logon
If the Client Logon to the Network Access Server occurs before the Windows Logon to the remote domain (Log
225. o The settings made here are only effective if the WLAN configuration has been activated as described above. In this case the configuration entered here (IP address, subnet mask, default gateway, DNS server, WINS server) is transferred into the Microsoft configuration of the network connections (see Network connections > Properties of Internet Protocol (TCP/IP)).

Statistics

[Screenshot: WLAN Statistics: SSID, signal strength (dBm), speed, BSSID / MAC address, network type, encryption, authentication, algorithm, frequency / channel, supported rates, DHCP in use, IP address, subnet mask, default gateway, 1st and 2nd DNS server. The example shows an infrastructure network with WEP encryption and Open System authentication on channel 7 at 2.442 GHz.]

Authentication
The access data for the HotSpot must be entered in this window. These user data are only used for this WLAN profile. Authentication can be executed by entering user ID and password, or via a script. The script automates the logon to the HotSpot operator. Please note that there are charges associated wit
226. og files are written at each start of the firewall. The maximum number of files kept in the log directory corresponds to the number entered as Days for logging.

Note: Activating logging decreases performance, because a log entry has to be written for each packet that matches this setting.

4.2.3 WLAN Settings

Integrated WLAN configuration for Windows 2000/XP
Under Windows 2000/XP the WLAN adapter can be operated with the connection type WLAN (see Phonebook Parameters > Destination system). In the monitor menu Configuration > WLAN settings, the access data for the wireless network can be saved in a profile.

WLAN Automation
In the WLAN Settings under WLAN Profile, select the profile with which a connection to the access point will be set up. In addition to the profile selected here, other profiles can be used for dialing into the access point if they have been configured with the connection type Automatic and the function Use profiles with automatic connection type for connection setup has been activated in the WLAN settings. In other words, if multiple profiles have been created with the connection type Automatic and this function is used, then the last selected profile will be referenced for a possible
227. ogon options in the Client manual.

rwscmd ginaon
Required Windows authorization: administrator rights. Description: Makes the NCP Gina dialogs for logon to the VPN Gateway visible, if the NCP Gina has been installed.

rwscmd ginaoff
Required Windows authorization: administrator rights. Description: Makes the NCP Gina dialogs invisible and thus skips the VPN Gateway logon with the NCP Gina.

rwscmd logonhotspot [Timeout]
If a hotspot logon is executed via an external dialer, the firewall can be released for ports 80 (HTTP) and 443 (HTTPS) with this command. This generates a dynamic rule that allows data traffic for this hotspot logon until the transferred timeout (in seconds) has elapsed. Because the firewall can thus be released via the command line, the parameter Allow hotspot logon for external dialers has been added under Options in the firewall settings. The command can only be executed via rwscmd if this parameter is active. See Configuration parameters > Phonebook > Firewall settings.

5 ncprwsnt.exe
Responsible for data communication (frame processing via NCP PPP and VPN) as well as the dial services. Applications which need system rights can be started by this service automatically after a connect or a disconnect. For that purpose two batch files in the installation di
228. om unauthorized accesses even if no connection is established.
when connected: The firewall's security mechanisms are active only while a connection exists.

Only communication within the tunnel permitted: This function can also be switched on with the firewall activated, to additionally filter IP packets so that only VPN connections are possible.

Enable NetBIOS over IP: This parameter switches off a filter which prevents NetBIOS frames from being transmitted over IP links. The default setting is off, meaning that NetBIOS frames are filtered out of the data stream. When this parameter is activated, NetBIOS frames are included in the data stream over IP. This may be desirable when using Microsoft Networking in conjunction with the Secure Client.

If Microsoft's dialer in use, only communication within the tunnel is permitted: When using the Client Monitor, this function prevents communication to the Internet via the RAS Dialer.

6 Establishing a Connection

Establishing a connection to the destination system
Provided the software is installed properly and the profile parameters are configured correctly, a dial-up to the destination system can take place. Part of the configuration is to define the mode with which this connection is to be established. There are three modes to select from: automatic, ma
229. on Options (see Monitor > Logon Options), the connection is established in the same way as described under Connect above. To initiate the link, select the destination system to connect to and then click OK.

[Screenshot: Select your Destination: Headquarters; Outside Line]

Local logoff: Clicking this button stops the link build.

Local Login / Activate Domain Logon: With this option a safe WAN domain logon is possible even if the logoff was not executed correctly. The logon takes some seconds. This function is not necessary if the PC was shut down correctly and mapped drives were disconnected properly.

If the use of a soft certificate was configured (as in the example destination Test connection SSL), you first have to enter the PIN.

[Screenshot: PIN entry dialog]

The following stages of the link build proceed in the same way as described above under 3.1.6, Symbols of the Dial-in.

Passwords and User Names
The password (see Dial-Up Network > Password) is used for identifying yourself to the remote Network Access System (NAS) when establishing a connection to your destination, or alternatively to your Internet Service Provider (ISP) if you are communicating across the Internet. The password ID can in
230. onnection will not be established and the reason is displayed in the monitor. Please note the passage ISDN CAPI: CAPI is not installed, under Error Codes.

[Screenshots: error messages PAP/CHAP error and Invalid User ID or Password (NAS)]

Disconnect
With the function Disconnect a connection can be terminated manually. If you want to keep the possibility to disconnect manually, you have to set the connection mode to manual and deactivate the active timeout by setting it to zero (0); see Connection Mode. If the connection is terminated, the color of the connection line changes until it disappears, and the traffic light changes from green to red for the period offline.

Disconnect the Monitor
If the connection is still established, the monitor can also be closed with a click on this menu item or on the Disconnect button. Please note that the connection is not automatically terminated by closing the Monitor. If the link is to remain established although the monitor is closed, and fees may occur, the software asks you explicitly with a prompt (see picture). Upon selecting No, your desktop will not display any icon and you will not be notified that the link is active and fees may occur. In order to terminate the connection correctly you would hav
231. or standard settings.

7.1.4 Using IP Addresses
- Each address in your enterprise-wide network should be unique. Make sure that this is the case when connecting to the Internet or linking new networks.
- Use a logical, comprehensible addressing scheme, e.g. organized according to administrative units, buildings, departments, etc.
- For connection to the Internet you will need an official, unique Internet address.
- If possible, do not assign addresses in which the network or host segment ends in 0. This might lead to misinterpretations and to undefined errors in the network.
- Subnet masks are only evaluated by the Internet Protocol if the network numbers of all communication partners are the same. Subnet masks have network segments of different lengths, just as the address classes do.

7.2 Security
Configuration parameters for IPSec for implementation in remote access environments are collected in the parameter field IPSec General Settings. This section describes some configuration possibilities.

7.2.1 IPSec Overview
IPSec can only be implemented for IP data traffic. The IPSec specification includes not only Layer 3 tunneling but also all necessary security mechanisms like strong authentication, key exchange and encryption. The IPSec RFCs 2401-2409 permit the development of a VPN with specified IP
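An added checker (written for this page, not NCP code) for the addressing rules in 7.1.4 above: it reports overlapping prefixes between sites that are about to be linked, flags host assignments whose host part is all zero or all ones (network and broadcast address) or whose last octet is 0, and flags private addresses used where an official Internet address is required. The site list is constructed.

```python
"""Checks for the 7.1.4 addressing rules: uniqueness across linked networks,
an official address on the Internet side, and sensible host assignments.
Added example, not NCP's code; the site list below is constructed."""
import ipaddress


def overlapping_networks(sites):
    """sites: {site_name: [prefix, ...]}. Returns (site_a, net_a, site_b, net_b)
    for every pair of prefixes belonging to different sites that overlap;
    linking two such sites over a VPN produces ambiguous routes."""
    nets = [(site, ipaddress.ip_network(p, strict=False))
            for site, prefixes in sites.items() for p in prefixes]
    clashes = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                clashes.append((site_a, str(net_a), site_b, str(net_b)))
    return clashes


def host_address_problem(address, prefix):
    """None if the address is a sensible host assignment in prefix, else why not."""
    net = ipaddress.ip_network(prefix, strict=False)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        return "not inside the subnet"
    if ip == net.network_address:
        return "network address (host part all zero)"
    if ip == net.broadcast_address:
        return "broadcast address (host part all ones)"
    if int(ip) & 0xFF == 0:
        return "last octet is 0 (the manual advises against this)"
    return None


def internet_address_problem(address):
    """The Internet side needs an official, unique address, not a private one."""
    ip = ipaddress.ip_address(address)
    return "private address, not routable on the Internet" if ip.is_private else None


# Constructed example: a branch subnet inside the headquarters range, and a
# home office that reuses the branch's network.
SAMPLE_SITES = {
    "Headquarters": ["10.1.0.0/16", "172.16.11.0/24"],
    "Branch":       ["10.1.5.0/24", "192.168.50.0/24"],
    "HomeOffice":   ["192.168.50.0/24"],
}

if __name__ == "__main__":
    for clash in overlapping_networks(SAMPLE_SITES):
        print("overlap:", clash)
    print(host_address_problem("10.1.3.0", "10.1.0.0/16"))
```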
232. [Table of contents fragment]
Firewall properties
Configuration of the firewall settings
Configuration field Basic Settings
  Disable Firewall
  Basic locked settings (recommended)
  Basic open settings
Configuration field Firewall Rules
  Creating a firewall rule
  Firewall rule: General
  Firewall rule: Local
  Firewall rule: Remote
  Firewall rule: Applications
Configuration field Friendly Networks
  Automatic detection of Friendly Nets
  Friendly Net Detection via TLS
Configuration field Options
Configuration field Logging
4.2.3 WLAN Settings
  Integrated WLAN configuration for Windows 2000/XP
  WLAN Automation
  Search networks
  WLAN Profile
  Statistics
4.2.4 Outside Line Prefix
4.2.5 Certificates Configuration
  User Certificate
  Certificate
  Smart Card Reader
  Port
  Ce
233. ossible, and it contains the key exchange for the control channel.

IKE Modes
Essentially two types of IKE policies can be configured. They differ by the type of authentication, which can be either pre-shared key or RSA signature. Each of the two types of Internet Key Exchange can be executed in two different modes: Main Mode (also referred to as Identity Protection Mode) or Aggressive Mode. These modes differ in the number of messages and in the encryption.

In Main Mode (standard setting) six messages are sent over the Control Channel, and the last two messages are encrypted. The last two messages contain the user ID, the signature, the certificate and, if required, a hash value. This is why it is also known as Identity Protection Mode.

In Aggressive Mode only three messages are sent over the Control Channel, and nothing is encrypted.

You determine the IKE mode (Exchange Mode: Main Mode or Aggressive Mode) in the security parameter fields under Link Profiles for a dynamic SPD and under IPSec Secure Policy Database for a static SPD. See also Exchange Mode.

IKE Main Mode (Identity Protection Mode) with pre-shared keys:
Message 1 (Initiator to Destination): Header, Security Association
Message 2 (Destination to Initiator): Header, Security Association (unencrypted)
Message 3 (Initiator to Destination): Header, Key Exchange, Nonce
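Why "nothing is encrypted" in Aggressive Mode matters when the authentication type is pre-shared key: the responder's authentication hash and identity travel in the clear in message 2, and everything needed to recompute that hash is also in the clear, so a passive observer can test PSK candidates offline. The following added example (written for this page; not NCP code and not a real IKE implementation) models just the two values from RFC 2409, section 5, with HMAC-SHA1 as the prf:

    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

Nonces, cookies, the SA payload and the "Diffie-Hellman public values" are constructed random bytes, not a DH exchange, because the attack needs only the public parts. In Main Mode the same hash is sent in message 6, encrypted, so the observer gets nothing to test against.

```python
"""Model of the IKEv1 phase-1 responder hash with a pre-shared key (RFC 2409
section 5), used to show why Aggressive Mode exposes the PSK to an offline
dictionary attack while Main Mode does not. Added example, not NCP's code;
all exchange values are constructed random bytes."""
import hashlib
import hmac
import os


def prf(key, data):
    """RFC 2409 prf = HMAC with the negotiated hash; SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, x):
    """Responder's authentication hash. Anyone holding the PSK plus the
    public values of the exchange can recompute it."""
    skeyid = prf(psk, x["ni"] + x["nr"])
    return prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"] + x["sai"] + x["id_r"])


def observe_exchange(mode, psk, id_r=b"vpn.example.net"):
    """What a passive observer on the path sees.
    Aggressive Mode: IDir and HASH_R are in message 2, unencrypted.
    Main Mode: they are in message 6, encrypted, so the observer gets None."""
    x = {k: os.urandom(16) for k in ("ni", "nr", "gxi", "gxr", "cky_i", "cky_r", "sai")}
    x["id_r"] = id_r
    if mode == "aggressive":
        return {**x, "hash_r": hash_r(psk, x)}
    return {**x, "id_r": None, "hash_r": None}


def crack_psk(observed, wordlist):
    """Offline dictionary attack on a captured exchange. Returns the PSK if a
    candidate reproduces HASH_R, None if no candidate matches or if the hash
    was never visible (Main Mode)."""
    if observed["hash_r"] is None or observed["id_r"] is None:
        return None
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, observed), observed["hash_r"]):
            return candidate
    return None


WORDLIST = [b"password", b"Summer2004", b"vpn-headquarters", b"letmein"]  # constructed

if __name__ == "__main__":
    psk = b"vpn-headquarters"
    print("aggressive:", crack_psk(observe_exchange("aggressive", psk), WORDLIST))
    print("main:      ", crack_psk(observe_exchange("main", psk), WORDLIST))
```

The practical consequence: with pre-shared keys prefer Main Mode, and treat an Aggressive Mode PSK as something that must survive an offline guessing attack (long and random), or use RSA signature authentication, where no reusable secret is hashed into the clear-text exchange.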
234. ound if supported by the destination gateway. The IPSec client uses DPD to check at regular intervals whether the other side is still active. If the other side is inactive, an automatic disconnect occurs. With this function you can disable DPD.

Force UDP Encapsulation (Port 4500)
With UDP encapsulation only port 4500 needs to be released on the external firewall; this differs from the situation with NAT Traversal or with UDP 500 together with ESP. The NCP Gateway detects UDP encapsulation automatically. If UDP encapsulation is used, the port can be freely selected. The standard for IPSec with UDP encapsulation is port 4500; for IPSec without UDP encapsulation it is port 500.

5.1.8 Identities

[Screenshot: Profile Settings dialog, Identities tab]

Depending on the security mode setting (IPSec), a more detailed parameter setting can take place.

Parameters:
- Type (Identity)
- ID (Identity)
- Use pre-shared key
- Use extended authentication (XAUTH)
- Username (Identity)
- Password (Identity)
- Use access data from configuration

Type (Identity)
For IPSec a distinction is made between incoming and outgoing connections. The value that the initiator selected as ID for an outgoing connectio
235. p.de/english/services/license

Offline software activation
[Text of the activation web page:] Please copy the content of the activation file that is generated by the NCP Secure Client (offline activation, step 1) into the text field provided. Click the Send button to transmit the file to our activation server. Alternatively you can upload the activation file directly to the activation server: under Offline Activation click the Browse button, select the file with the activation data, and click Send. After sending the activation data or the file you will receive an activation code. Continue the software activation in the NCP Entry Client by opening the monitor menu Help > License info and activation > Offline activation. Under step 2 the activation code displayed below will be queried. This step concludes the software activation process.

[Form: Content of the activation file; Filename: C:\WINNT\ncple\ActiData.txt; Browse; Send; Reset]

There are two ways to transfer the activation file to the Activation Server: either copy the content of the activation file with Copy & Paste, after opening it with the Notepad ASCII editor, into the window on the web site, or click the Browse button and select the activation file. Click Sen
236. permitted through or not, on the basis of previously specified configurations. The implemented technology is Stateful Inspection. Stateful Inspection is a recent firewall technology and offers the highest security currently available for Internet connections and thus for the corporate network. Security is ensured from two perspectives: on one hand this functionality prevents unauthorized access to data and resources in the central data network; on the other hand it monitors the status of all existing Internet connections as a control instance. Additionally, the Stateful Inspection firewall recognizes whether a connection has opened spawned connections, as is the case with FTP or NetMeeting, whose packets likewise must be forwarded. The Stateful Inspection connection presents itself as a direct line to the communication partner that may only be used for a data exchange corresponding to one of the agreed-upon rules.

Parameters:
- Enable Stateful Inspection
- Only communication within the tunnel permitted
- Enable NetBIOS over IP
- If Microsoft's dialer in use, only communication within the tunnel is permitted

Enable Stateful Inspection
off: The firewall's security mechanisms will not be used.
always: The firewall's security mechanisms will always be used; this means the PC is protected fr
237. re version, and then install the PCMCIA card driver on your notebook.

Driver Installation
The driver for the Qualcomm 3G CDMA PCMCIA card is on the included CD in the directory Software\Modems\Language Independent. Start OptionFusion.exe with a double click and confirm the displayed query with OK.

[Screenshot: Option Fusion Driver Package 1.0.0]

After completing the installation, end setup by clicking Finish. Windows needs to reboot in order to complete the driver installation. After the reboot, insert your card and let Windows complete the card installation. Please note that this can take some time. Then the computer will reboot. After the reboot, insert the card in a PCMCIA slot.

Please note the following if using the Windows XP operating system: If Windows XP is used with Service Pack 2 and security packages, a connection cannot be established via the card. The software will display an error message when attempting to establish a connection (see Fig. to the left). In this case a new driver must be installed. The file OptionCardInstaller.exe is available from NCP for this purpose. A newer driver is on the driver CD for the newer Multimedia NetCard from T-Mobile, which only supports UMTS/GPRS.
238. rectory have to be edited:

connect.bat: This batch file includes the executable programs or batch files which should be executed after a connect.

disconnect.bat: This batch file includes the executable programs or batch files which should be executed after a disconnect.

Note the parameter Deny the start of the disconnect.bat. It is located in the monitor menu Configuration > Call Control Manager > Ext. Applications. Because these batch files are executed by the service with system rights, this option should always be activated, unless executing one of the batch files with administrator rights is absolutely necessary. Applications and batch files which require only user rights can be started via the monitor menu Configuration > Call Control Manager > Ext. Applications by entering their names (see Client Monitor > Call Control Manager).
239. revent hazards from other or external networks (Internet) from spreading in your own network. This is why a firewall is also installed at the junction between the corporate network and the Internet, for instance. It checks all incoming and outgoing data packets and decides, based on previously specified configurations, whether a data packet is allowed through or not.

Stateful Inspection is the firewall technology that currently offers the highest possible security for Internet connections and thus for the corporate network. Security is assured in two respects: on one hand this functionality prevents unauthorized access to data and resources in the central data network; on the other hand it monitors the status of all existing Internet connections as a control instance. Furthermore, the Stateful Inspection firewall recognizes whether a connection has opened spawned connections, as is the case for instance with FTP or NetMeeting, whose packets likewise must be forwarded. The Stateful Inspection Internet connection appears as a direct line to the communication partner, which may only be used for a data transfer according to the agreed-upon rules.

Alternative designations for Stateful Inspection are Stateful Packet Filter, Dynamic Packet Filter, Smart Filtering and Adaptive Screening. Stateful Inspection conceptually unifies the protective possibilities of packet filters and application level gateways; this means it integrates t
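The following added example (written for this page, not NCP code) models the Link Firewall behaviours described above and in 5.1.12, together with the time-limited rule that rwscmd logonhotspot creates: outbound traffic creates connection state and only matching replies are accepted inbound (Stateful Inspection); with "Only communication within the tunnel permitted", everything not addressed to the VPN gateway or to a tunnelled network is dropped; and a hotspot release allows TCP 80/443 to anywhere only until its timeout elapses. The gateway address, tunnel networks, the state key and all packets are constructed; spawned connections such as FTP data channels are not modelled.

```python
"""Toy stateful packet filter with a tunnel-only mode and a time-limited
hotspot release. Added example, not NCP's code; all addresses, networks
and traffic below are constructed."""
import ipaddress
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (from this PC) or "in" (to this PC)
    protocol: str    # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int


class LinkFirewall:
    def __init__(self, gateway, tunnel_nets, tunnel_only=False, clock=time.monotonic):
        self.gateway = ipaddress.ip_address(gateway)
        self.tunnel_nets = [ipaddress.ip_network(n) for n in tunnel_nets]
        self.tunnel_only = tunnel_only
        self.clock = clock                  # injectable for deterministic tests
        self.states = set()                 # (proto, local, lport, remote, rport)
        self.hotspot_until = None

    def logonhotspot(self, timeout_s):
        """Dynamic rule: HTTP/HTTPS to anywhere until the timeout elapses."""
        self.hotspot_until = self.clock() + timeout_s

    def _hotspot_active(self):
        return self.hotspot_until is not None and self.clock() < self.hotspot_until

    def _in_tunnel(self, remote):
        return remote == self.gateway or any(remote in n for n in self.tunnel_nets)

    def filter(self, pkt):
        """Return "accept" or "drop" for one packet, updating state as needed."""
        if pkt.direction == "out":
            remote = ipaddress.ip_address(pkt.dst)
            if self.tunnel_only and not self._in_tunnel(remote):
                hotspot = (pkt.protocol == "TCP" and pkt.dport in (80, 443)
                           and self._hotspot_active())
                if not hotspot:
                    return "drop"
            # outbound traffic creates state so that its replies can come back
            self.states.add((pkt.protocol, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # inbound: only packets belonging to a connection this PC opened
        key = (pkt.protocol, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if key in self.states else "drop"


if __name__ == "__main__":
    fw = LinkFirewall("203.0.113.10", ["172.16.0.0/16"], tunnel_only=True)
    me = "192.168.1.50"
    print(fw.filter(Packet("out", "TCP", me, 40000, "198.51.100.5", 80)))   # drop
    fw.logonhotspot(60)
    print(fw.filter(Packet("out", "TCP", me, 40000, "198.51.100.5", 80)))   # accept
```

Two things worth noticing in the model: the hotspot release only widens what this PC may initiate; unsolicited inbound packets stay dropped because no state exists for them. And the gateway itself must stay reachable outside the tunnel-only restriction, otherwise the IKE and ESP traffic that builds the tunnel could never leave.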
240. ring
  Dial Prefix
  APN
  SIM PIN
5.1.5 Line Management
  Connection Mode
  Inactivity Timeout
  Voice over IP (VoIP) setting
  PPP Multilink
  Multilink Threshold
  EAP authentication
  HTTP authentication
5.1.6 IPSec General Settings
  Gateway
  IKE Policy
  IPSec Policy
  Exch. mode
  PFS group
  Policy lifetimes
  Duration
  Policy editor
  IKE Policy (edit)
    Policy Name (IKE Policy)
    Authentication (IKE Policy)
    Encryption (IKE Policy)
    Hash (IKE Policy)
    DH Group (IKE Policy)
  IPSec Policy (edit)
    Policy Name (IPSec Policy)
241. rity Revocation List) that must be copied into the Windows directory ncple\arls. If an incoming certificate is contained in the CRL or ARL lists, the connection is not permitted. If no CRLs or ARLs are present, no check takes place in this regard; a missing or deleted list therefore silently disables revocation checking, so make sure the files are present and kept current.

5.1.12 Link Firewall

[Screenshot: Profile Settings dialog, Link Firewall tab: With firewall settings activated, packets from other hosts will be discarded. Enable Stateful Inspection: always. Only communication within the tunnel permitted. Enable NetBIOS over IP. Microsoft Dial-Up Networking: If Microsoft's dialer in use, only communication within the tunnel is permitted.]

The Link Firewall configuration field with extended configuration possibilities is included in this client. The firewall settings can also be used to protect RAS connections. The activated firewall is displayed on the monitor as a symbol (wall with arrow). A firewall's fundamental task is to prevent hazards from the Internet from spreading within the corporate network. This is why a firewall is also installed at the junction between the corporate network and the Internet. It checks all incoming and outgoing data packets and decides whether a data packet will be
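An added example (written for this page, not NCP code) of evaluating the Certificate Check entries from 5.1.11 together with the CRL/ARL rule described above: every configured subject and issuer attribute must be present and match (wildcards treated as glob patterns, an assumption), the issuer certificate's fingerprint must match (SHA-1 over the issuer's DER bytes, as the Use SHA1 fingerprint option suggests; SHA-256 is accepted here as an assumption), and a serial number found in a CRL/ARL rejects the connection. It also reproduces the fail-open behaviour the manual states: with no list present the certificate is accepted without any revocation check, which is why the returned reason says so. The incoming certificate is passed in already parsed; the certificate, issuer bytes and policy are constructed.

```python
"""Per-destination certificate check: subject/issuer attributes with
wildcards, issuer fingerprint, and CRL/ARL lookup. Added example, not
NCP's code; wildcard semantics and the SHA-256 option are assumptions,
and all certificate data below is constructed."""
import fnmatch
import hashlib


def parse_entries(spec):
    """'cn=vpn-gw*, o=Example Corp' -> {'cn': 'vpn-gw*', 'o': 'Example Corp'},
    using the attribute abbreviations from the manual (cn, s, g, ...).
    Values containing commas are not supported by this simple parser."""
    entries = {}
    for part in spec.split(","):
        name, sep, value = part.partition("=")
        if sep:
            entries[name.strip().lower()] = value.strip()
    return entries


def entries_present(required, actual):
    """Every configured attribute must exist in the certificate and match."""
    return all(attr in actual and fnmatch.fnmatchcase(actual[attr], pattern)
               for attr, pattern in required.items())


def fingerprint(der, algo="sha1"):
    return hashlib.new(algo, der).hexdigest()


def check_incoming_certificate(cert, policy, revoked_serials=None):
    """cert: {'subject': {...}, 'issuer': {...}, 'issuer_der': bytes, 'serial': int}
    policy: {'subject': str, 'issuer': str, 'issuer_fingerprint': str, 'fp_algo': str}
    revoked_serials: serials read from the CRL/ARL files, or None if no list exists.
    Returns (accepted, reason)."""
    if not entries_present(parse_entries(policy.get("subject", "")), cert["subject"]):
        return False, "subject does not match configured entries"
    if not entries_present(parse_entries(policy.get("issuer", "")), cert["issuer"]):
        return False, "issuer does not match configured entries"
    want = policy.get("issuer_fingerprint")
    if want:
        got = fingerprint(cert["issuer_der"], policy.get("fp_algo", "sha1"))
        if got.lower() != want.lower().replace(":", ""):
            return False, "issuer certificate fingerprint mismatch"
    if revoked_serials is None:
        return True, "accepted; no CRL/ARL present, so no revocation check (fail open)"
    if cert["serial"] in revoked_serials:
        return False, "certificate is listed in the CRL/ARL"
    return True, "accepted; not revoked"


# Constructed data: a server certificate and its issuer's (fake) DER bytes.
ISSUER_DER = b"\x30\x82\x01\x00constructed-issuer-certificate-bytes"
SAMPLE_CERT = {
    "subject": {"cn": "vpn-gw1.example.net", "o": "Example Corp", "c": "DE"},
    "issuer": {"cn": "Example Corp VPN CA", "o": "Example Corp"},
    "issuer_der": ISSUER_DER,
    "serial": 0x1A2B,
}
# The fingerprint an administrator would copy from Display Incoming Certificate.
SAMPLE_POLICY = {
    "subject": "cn=vpn-gw*.example.net, o=Example Corp",
    "issuer": "cn=Example Corp VPN CA",
    "issuer_fingerprint": fingerprint(ISSUER_DER, "sha1"),
    "fp_algo": "sha1",
}

if __name__ == "__main__":
    print(check_incoming_certificate(SAMPLE_CERT, SAMPLE_POLICY, revoked_serials=set()))
    print(check_incoming_certificate(SAMPLE_CERT, SAMPLE_POLICY))
```

Pinning the issuer fingerprint is the strongest of the three checks, because a subject pattern alone accepts any certificate with a matching name from any CA the client trusts.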
...rity combinations can be defined.

Transformation (Comp.) (IPSec Policy), IPSec compression: data transmission with IPSec can also be compressed, as in transfer without IPSec. This enables up to a threefold increase in throughput. After selecting the Comp. (compression) protocol you can choose between LZS and deflate compression.

Authentication (IPSec Policy): the authentication mode can be set here specifically for the security protocol ESP. Choices are MD5, SHA, SHA-256, SHA-384 and SHA-512.

5.1.7 Advanced IPSec Options

Profile Settings (Headquarters), Advanced IPSec options. In this field you can enter further IPSec settings:
- Use IP compression (LZS)
- Disable DPD (Dead Peer Detection)
- Force UDP Encapsulation

Use IP compression (LZS): the data can be compressed in order to increase transmission rates. By enabling compression the throughput can be increased to up to 3 times that of regular transmission without compression. The gain depends on how compressible the payload is; data that is already compressed or encrypted at the application layer gains nothing.

Disable DPD (Dead Peer Detection): DPD (Dead Peer Detection) and NAT-T (NAT Traversal) are automatically executed in the backgr
rwscmd setinituser 'UserId' 'Password' (continued)
Required Windows authorization: Administrator rights
Description: If you do not want a window to be displayed for the initial connection, the user ID and optionally the password can be transferred for the initial logon (init process). Apostrophes are set instead of the square brackets; they are necessary because the transferred values may contain spaces. Note that a password passed on the command line can be visible to other users of the PC in process listings and in any script that contains it, so protect such scripts accordingly.

rwscmd rsuautoanswer off|yes|no
Required Windows authorization: Administrator rights
Description: This is where you set how the system will respond to queries for a software update.
- yes: the client software gets an update automatically, without query.
- no: automatic software update is rejected and not executed.
- off: the system asks in a message window whether the software should be updated.

rwscmd ginainstall
Required Windows authorization: Administrator rights
Description: Installs the NCP Gina if this has not yet occurred during the software installation (see the section Installation in the Client manual).

rwscmd ginaunins
Required Windows authorization: Administrator rights
Description: Uninstalls the NCP Gina. If an external Gina calls the NCP Gina, deinstallation is not possible with this command. In this case it must be removed from the registry manually, or the Ginas must be uninstalled again in the reverse sequence (see the section L
...rnet. Here the network address translation (IPNAT) continues to be used in the background, so that only those data packets are accepted that have been requested.

Communication medium
You can select the communication medium for each profile, provided that the required device is installed on your PC and recognized by Windows:
- GPRS / UMTS
- WLAN
- Automatic media detection
- PPTP
- Ext. Dialer
- ISDN. Hardware: ISDN device. Network: ISDN. Remote destination: appropriate ISDN support.
- Modem. Hardware: asynchronous modem, PCMCIA modem, GSM adapter with COM port support. Network: PSTN (also GSM). Remote destination: modem or ISDN device with digital modem.
- LAN (over IP). Hardware: LAN adapter. Networks: Ethernet or Token Ring based LAN.
- xDSL (PPPoE). Hardware: Ethernet adapter. Networks: broadband, e.g. ADSL. Remote destination: access router in the xDSL.
- xDSL (AVM, PPP over CAPI). If an AVM Fritz! DSL card is to be used, this communication medium may be selected. AVM specific initialization strings may be entered in the field Destination Phone Number (Dial-Up Network group) for the connection. It is recommended to use the standard setting xDSL (PPPoE) with Windows operating systems, as this provides direct communication over the network interfaces. No additional network card is necessary with the
...rocessed.
- Activation data has been generated
- Activation data has been transmitted
- Software has been activated
- License data has been updated

Successful software activation, new license key: as soon as the Activation Server detects that you are entitled to a newer software license and that the license key agrees with the installed software, the new license key will be transferred automatically (license update), and thus the new features of the software will be released. Nevertheless, please write down the updated license key for the next activation or for reinstallation; with online activation the new license key will be transferred automatically. Please see the section Updates at the end of this section for more information in this regard.

After concluding the activation process, in the window for the license data you can see that you now have a correctly activated full version (Product: NCP Secure Entry Client, Version 8.30 Build 42, Type: Full version; the window also shows the serial number and the licensed version). The number of the software version and of the licensed version can differ if the licensing is only valid for an older version; otherwise the licenses must be updated with Activation/Licensing (li
...rs. If this is the case, it may be useful to enter more than one phone number for the destination, for example if the primary Destination Phone Number is busy. The alternate destination phone number(s) can be entered following the primary destination phone number, separated by a colon. A maximum of 30 digits can be entered in the Destination Phone Number field. The IPSec client supports a maximum of 8 alternate phone numbers.

Example: 00441711234567:00441719876543

The first number is the primary Destination Phone Number and will always be dialed first. The second number is the Alternate Destination Phone Number and will be dialed when a connection to the primary number is not possible.

Important: This will only work if the protocol settings associated with the alternate Destination Phone Number are the same as for the primary Destination Phone Number.

RAS script file
If Microsoft's RAS Dial-Up Networking is to be used, the RAS script file, including its path and name, must be entered. See Basic Settings, Use Microsoft RAS Dialer.

5.1.3 HTTP Logon

Profile Settings (Headquarters), HTTP Logon field: centrally created logon scripts and the stored logon data can be transferred
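The following is an added example, not NCP's code, that parses and validates a Destination Phone Number field as described above and walks the dial order (primary first, then each alternate). It assumes the colon separator the text names, that the 30-digit limit applies to each number, that numbers contain digits only (no dial prefix handling), and that all numbers share the primary's protocol settings, as the Important note requires.

```python
"""Destination Phone Number field: parse, validate, and walk the dial order.

Added example, not NCP's code. Assumptions: colon separator (as the manual
states), the 30-digit limit applies per number, digits only (no dial
prefix), and alternates share the primary's protocol settings.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_DIGITS_PER_NUMBER = 30   # limit stated in the manual (applied per number: assumption)
MAX_ALTERNATES = 8           # the IPSec client supports at most 8 alternates
DIGITS = re.compile(r"[0-9]+")


@dataclass
class DialPlan:
    primary: str
    alternates: List[str]


def parse_destination_field(field: str) -> DialPlan:
    """Split 'primary:alt1:...:altN' and enforce the field limits."""
    parts = [p.strip() for p in field.split(":")]
    if parts[0] == "":
        raise ValueError("a primary destination phone number is required")
    if len(parts) - 1 > MAX_ALTERNATES:
        raise ValueError(f"at most {MAX_ALTERNATES} alternate numbers allowed, "
                         f"got {len(parts) - 1}")
    for number in parts:
        if not DIGITS.fullmatch(number):
            raise ValueError(f"phone number {number!r} must consist of digits only")
        if len(number) > MAX_DIGITS_PER_NUMBER:
            raise ValueError(f"phone number {number!r} exceeds "
                             f"{MAX_DIGITS_PER_NUMBER} digits")
    return DialPlan(primary=parts[0], alternates=parts[1:])


def dial_sequence(plan: DialPlan,
                  answers: Callable[[str], bool]) -> Tuple[List[str], Optional[str]]:
    """Dial the primary first, then each alternate, stopping at the first that answers.

    `answers` stands in for the real dial attempt. Returns the numbers tried,
    in order, and the one that connected (None if every number failed).
    """
    tried: List[str] = []
    for number in [plan.primary, *plan.alternates]:
        tried.append(number)
        if answers(number):
            return tried, number
    return tried, None


if __name__ == "__main__":
    # The manual's own example, with the primary number simulated as busy.
    plan = parse_destination_field("00441711234567:00441719876543")
    tried, connected = dial_sequence(plan, lambda n: n != "00441711234567")
    print(tried, "->", connected)
```

Because the parser rejects a ninth alternate and any entry longer than 30 digits before a single number is dialed, a mistyped field fails at configuration time rather than as a silent fall-through to the next number.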
Certificate Selection
  PKCS#12 File Name
  PKCS#11 Module
  Do not disconnect when Smart Card is removed
  PIN request at each manual connect
  PIN Policy
  Minimum number ...
  Further policies
  Certificate renewal
4.2.6 Call Control Manager (Configuration)
  External Applications
  Call Control
4.2.7 BAP Settings
4.2.8 Logon Options
  Logon
  Logoff
  External applications
  Options
4.2.9 Configuration Locks
  General Configuration Locks
  Profiles Configuration Locks
  General rights
  Visible profile parameter fields
4.2.10 Profile Import
4.2.11 HotSpot
4.2.12 Profile Settings Backup
  Create
  Restore
4.3 Log
...ryption Standard).

DHCP: communicating with DHCP (Dynamic Host Configuration Protocol) means that an IP address is automatically assigned to you for every session.

Directory Service: remote access data such as e-mail addresses, telephone numbers etc. are stored in directories of various databases. Two problems are associated with this multiplicity of directories: (1) large volumes of the same data must be captured many times, and (2) individual entries are not linked to each other. The maintenance required is enormous, and inconsistencies cannot be ruled out. A standardized procedure is required that facilitates the capture and maintenance of all information in a central directory. NCP Security Management supports the standardized protocols RADIUS (Remote Authentication Dial-In User Service) and LDAP (Lightweight Directory Access Protocol); the latter provides access to centralized directory services.

DMZ: Demilitarized Zone, an area between the firewall and the enterprise network with web servers, e-mail servers and VPN servers.

DNS: the Domain Name System (DNS) translates the destination names requested by the user into IP addresses so that a connection to that address can be established; after dial-in with user name and password, the DNS server to be used for the Internet session is made available to the client.

DNS Server: a computer with a databa
Tunnel endpoint: 62.153.165.36
Tunneling options: Tunnel secret, Tunnel secret (confirm), Activate Compression over VPN.

Certificate usage: should a certificate be used for authentication? For strong authentication a certificate can be used. This certificate will be checked by the VPN gateway at the beginning of the connection. The Secure Client Monitor's menu item Configuration > Certificates allows the configuration of which certificate the client is going to use. Options: Do not use certificate for authentication / Use certificate for authentication.

Account information for the VPN connection: enter user name and password for the VPN connection. If Save VPN Password is not selected, you will be prompted for the password before every connection. Fields: VPN User ID, VPN Password, Save VPN Password, VPN Password (confirm).

Gateway parameters for a test connection to the NCP Gateway: enter 62.153.165.36 as tunnel endpoint and "secret" as tunnel secret. Compression is not necessary. Click Next. You do not need a certificate for a test connection to the NCP Gateway; click Next. Enter the following as access data for the NCP VPN Gateway: VPN User ID ncpuserl2tp; click Save VPN Password and enter ncpuserl2tp as VPN password. Click Next. These published test credentials are meant only for the test connection; do not reuse them in a production profile.
...s. They are necessary because this is a transfer with spaces.

rwscmd disconnect
Required Windows authorization: User rights
Description: Disconnects the current connection.

rwscmd lock
Required Windows authorization: User rights
Description: Locks the Client; connection setup is no longer possible.

rwscmd unlock
Required Windows authorization: User rights
Description: Unlocks the Client (resets the lock that was set with lock). Since unlock needs only user rights, the lock guards against accidental connection setup by the logged-on user; it is not a security boundary against that user.

rwscmd start
Required Windows authorization: Administrator rights
Description: Starts all services, the popup and the monitor of the NCP Secure Client. If called again, the message "Secure Client is already open" is displayed.

rwscmd stop
Required Windows authorization: Administrator rights
Description: Stops all services, the popup and the monitor of the NCP Secure Client. Also note that if the command rwscmd stop has been executed, the command rwscmd start must be executed thereafter so that the services and the monitor can be restarted. In this case a reboot is not sufficient, as the popup and the monitor are not started.

rwscmd select 'Destination Name'
Required Windows authorization: User rights
Description: In the Secure Client the system switches to the desired destination. Apostrophes are set instead of the square brackets; they are necessary because this is a transfer with spaces.

rwscmd setinituser Use
...s and then click on the Add/Remove button. The InstallShield program will now delete the client software from your PC.

Important: After the removal of the software components, the profile and configuration settings are still saved and can be restored in the event that a newer version of the client is installed. To delete everything completely, manually remove the installation directory (default: Windows\ncple). Do this before a PC is handed over or decommissioned, since the saved profile settings otherwise remain on disk.

2.5 Upgrade to the Secure Enterprise Client

You upgrade from a Secure Entry Client to a Secure Enterprise Client by replacing the licensing and the software. This can be done manually on site or via an Update Server.

For a manual upgrade, the software is reinstalled from the CD and NCP Secure Enterprise Client is entered as the product to be installed. In this process the install program recognizes that a software version has previously been installed and executes an update after appropriate confirmation. Then the new activation key with serial number must be entered in the pop-up menu.

For an upgrade via an Update Server, the IP address of the Update Server is entered in the client's telephone book (see DNS/WINS). In this case the Secure Client software will be downloaded automatically the next time the client dials into the corporate network. At the next dial-in with this new software a CNF file (profile settings with licensi
...s is the option of assembling individual packets during a communication relationship, and thus bringing extended possibilities for user authentication to the application.

Stateful Inspection filters are not immune to certain attacks that take place on the lower protocol layers, as a consequence of the undependable separation of the network segments. Thus, for instance, fragmented packets (usually from outside to inside) will be allowed through without further testing.

Abbreviations and Technical Terms

3DES: Triple DES, encryption standard with an effective strength of 112 bits.
AES: abbreviation for Advanced Encryption Standard. It is a European development of the Belgian cryptographers Joan Daemen and Vincent Rijmen (Rijndael algorithm) and supersedes DES (Data Encryption Standard). The algorithm has key lengths of up to 256 bits, so with the longest key there are 2^256 possible keys. In spite of increasing processor speeds it is expected that AES will offer acceptable security for the next 30 years. AES will soon find wide distribution in VPN and SSL encryption.
AH: Authentication
...s long and consists of four numbers separated from each other by a dot. There are 8 bits available for each number, so each can take on 256 values. However, the total number of possible IP addresses remains limited. The Internet user therefore does not receive a permanent, unchangeable number; instead, for every one of his sessions he gets an IP address that is not assigned to anyone else at that moment. IP addresses are assigned for the duration of a time slice. This assignment is usually negotiated automatically (PPP or DHCP). Special programs can translate the IP address into a name; these programs run on a domain name server.

IP Network Address Translation
IP network address translation is already set up when the workstation software is installed, and it is activated by default when a new destination system is created. When IP network address translation is used, all transmitted frames are sent with the negotiated PPP IP address. The workstation software translates this official IP address into the system's own internal address or, in the case of a workstation, into its own user-defined IP address. In general it is possible with NAT to work in a LAN with unofficial IP addresses that are not valid in the Internet and, in spite of that, access the Internet from the LAN. To make this possible the unofficial IP addresses are translated into
...same static key is used on both sides (see Pre-shared key / Shared secret in the parameter folder Identities).
RSA Signature: this preconfigured policy can only be set with PKI support. Implementation of the RSA signature as additional strong authentication only makes sense when using a Smart Card or a soft certificate.

IPSec Policy
The IPSec policy is selected from the list box. All IPSec policies that you set up with the policy editor are listed under IPSec Policy. The policies appear in the box with the name that you specified in the configuration. IPSec policies differ according to the IPSec security protocol: AH (Authentication Header) or ESP (Encapsulating Security Payload). Because IPSec mode with AH security is totally unsuitable for flexible remote access, only an IPSec policy with the ESP protocol (ESP 3DES MD5) is preconfigured and comes standard with the software (see Examples and Explanations, IPSec AH and ESP). Every policy lists at least one proposal for authentication and encryption algorithms (see IPSec Policy editing); this means that a policy consists of one or more proposals. The same policies with their affiliated proposals should be valid for all users: on the client side as well as on the server side the same proposals for the policies should be available
...se containing all relevant host computers' domain names and their corresponding IP addresses. When queried, the DNS server responds by returning the IP address corresponding to the domain name.

D-Channel Protocol: the D channel ensures that terminals can communicate with the network. Among other things it monitors connection setup and teardown. It includes layers 2 and 3: HDLC is implemented on layer 2 in ISDN for the logical data transfer; the actual D-channel protocol resides on layer 3. Currently DSS1 is available throughout Europe as the D-channel protocol.
DSA: Directory System Agent.
DSS1: abbreviation for the European standard Digital Subscriber System No. 1. This is the European ISDN protocol for the D channel.
DUA: Directory User Agent.
ECP: Encryption Control Protocol.
EDI: abbreviation for Electronic Data Interchange, a set of standards for controlling the transmission of business documents (e.g. purchase orders and invoices) between computers.
ESP: Encapsulating Security Payload (RFC 2406).
Euro ISDN: the International Telecommunications Union (ITU) standard for European ISDN refers to the D-channel protocol DSS1 as well as various service features, e.g. Time & Charges, Completion of Calls to Busy Subscriber, Call Forwarding, Call Waiting etc. In Euro ISDN the individual terminals are addresse
...sec ports for connection establishment and data traffic
7.3 Certificate Checks
  7.3.1 Selection of the CA Certificates
  7.3.2 Check of Certificate Extensions
    extendedKeyUsage
    subjectKeyIdentifier / authorityKeyIdentifier
  7.3.3 Checking Revocation Lists
7.4 Stateful Inspection Technology for the Firewall Settings
Abbreviations and Technical Terms
Index
Appendix: Mobile Computing via GPRS/UMTS and Domain Login via NCP Gina
Appendix: Secure Client Services

1 Overview

This manual describes installation, configuration, features and user interface of the NCP Secure Entry Client and its components. The NCP Secure Client software works according to the principle of Ethernet LAN emulation and supports the routable protocol TCP/IP. Additional information on upgrades and product variants is available on the NCP website, http://www.ncp.de.

1.1 Using this manual

The structure of this manual is presented below to help you quickly find what you need in this documentation. The manual is subdivided into seven larger sections that offer s
...section Scenarios at the end of this section for more information in this regard.

Offline Activation
Offline activation requires two steps; select the corresponding step.
Step 1, Generate Activation Data: the license key and serial number are required to generate the activation data file. This file must then be submitted to the NCP activation server using a web browser.
Step 2, Enter Activation Code: enable the software with the activation code provided by the NCP activation server. Enter the activation code received from the web site; after successful verification the software will be enabled as a full version. The assistant reports the state of the offline activation (activation has been processed, license data has been verified, proceeding with enabling the full version of the software, updating the license data, successfully enabled the software); click Finish.

Licensing
The second step of the offline variant is triggered via the Monitor menu Help > License data and activation. After the offline variant has been selected, select the second step. An Activation Assistant window will open where you can enter the activ
...signed its own unique name.

Delete Profile: if you want to delete a profile, select the appropriate profile and then click on the Delete button.

4.2.2 Firewall Settings

All firewall mechanisms are optimized for remote access applications and are activated when the computer is started. This means that, in contrast to VPN solutions with an autonomous firewall, the teleworkstation is already protected against attacks before actual VPN utilization. The Personal Firewall also offers complete protection of the end device even if the client software is deactivated.

Please note that the firewall settings are globally valid, i.e. they apply to all destination systems in the telephone book. The Link Firewall setting made in the telephone book, on the other hand, is only effective for the associated telephone book entry (destination system) and the connection to this destination system.

Firewall properties
The firewall works in accordance with the principle of packet filtering in conjunction with Stateful Packet Inspection (SPI). The firewall checks all incoming and outgoing data packets and decides, on the basis of the configured rules, whether a packet will be forwarded or rejected. Security is ensured in two ways: first, unauthorized access to data and resources
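As an added example, not NCP's code, the following models the stateful inspection behaviour described here and in the Link Firewall and NAT passages above: outbound packets open a flow, inbound packets are accepted only as replies to a recorded flow, and with "only communication within the tunnel" everything not exchanged with the VPN gateway is discarded. It also reproduces the weakness the Stateful Inspection explanation points out, a port-less non-first fragment that a naive filter cannot match to any flow and lets through. The packet fields, the flow key, the local and attacker addresses, and the inspect_fragments switch are assumptions for illustration; the gateway address is the manual's test gateway.

```python
"""Stateful link firewall model.

Added example, not NCP's code. Behaviour taken from the manual: outbound
packets create a connection entry; inbound packets are accepted only if they
answer one ("only packets that have been requested"); with the option
"only communication within the tunnel" set, traffic that is not exchanged
with the VPN gateway is discarded; non-first fragments carry no port header
and a naive stateful filter lets them through. Packet fields, the flow key,
the local/attacker addresses and the inspect_fragments switch are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "UDP"
    inbound: bool = False     # True: arrives at this PC; False: sent by this PC
    fragment: bool = False    # True: non-first IP fragment, no transport header


FlowKey = Tuple[str, str, int, int, str]   # (local, remote, lport, rport, proto)


class LinkFirewall:
    def __init__(self, tunnel_endpoint: str, only_in_tunnel: bool = True,
                 inspect_fragments: bool = False) -> None:
        self.tunnel_endpoint = tunnel_endpoint
        self.only_in_tunnel = only_in_tunnel
        self.inspect_fragments = inspect_fragments   # True: fragments go through the normal rules
        self.flows: Dict[FlowKey, int] = {}           # flow -> packets seen

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        # Normalise so that a request and its reply map to the same entry.
        if pkt.inbound:
            return (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet and update the flow table."""
        if pkt.inbound and pkt.fragment and not self.inspect_fragments:
            # Without a port header the fragment matches no flow; a naive
            # filter waves it through. This is the gap the manual describes.
            return ACCEPT, "non-first fragment not inspected"
        peer = pkt.src if pkt.inbound else pkt.dst
        if self.only_in_tunnel and peer != self.tunnel_endpoint:
            return DROP, "peer is outside the tunnel"
        key = self._key(pkt)
        if not pkt.inbound:
            self.flows[key] = self.flows.get(key, 0) + 1
            return ACCEPT, "outbound, flow recorded"
        if key in self.flows:
            self.flows[key] += 1
            return ACCEPT, "reply to a recorded flow"
        return DROP, "unsolicited inbound packet"


def run_trace(fw: LinkFirewall, packets: List[Packet]) -> List[str]:
    """Apply the firewall to a packet sequence and return the verdicts in order."""
    return [fw.check(p)[0] for p in packets]


if __name__ == "__main__":
    GW, PC, ATTACKER = "62.153.165.36", "192.0.2.10", "198.51.100.7"  # PC/attacker constructed
    trace = [
        Packet(PC, GW, 500, 500),                                # IKE to the gateway
        Packet(GW, PC, 500, 500, inbound=True),                  # its reply
        Packet(ATTACKER, PC, 4444, 445, inbound=True),           # unsolicited SMB probe
        Packet(PC, "8.8.8.8", 51000, 53),                        # DNS outside the tunnel
        Packet(ATTACKER, PC, 0, 0, inbound=True, fragment=True)  # port-less fragment
    ]
    for pkt, verdict in zip(trace, run_trace(LinkFirewall(GW), trace)):
        print(verdict, pkt)
```

Running the trace with the defaults gives ACCEPT, ACCEPT, DROP, DROP, ACCEPT: the last verdict is the fragment slipping past the "only in the tunnel" rule. Constructing the firewall with inspect_fragments=True stands in for a filter that reassembles before inspecting, and the same fragment is then dropped because its peer is not the gateway.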
...sing the Select button.

7.2.3 SA Negotiation and Policies

In order to initiate the IPSec filter process, the SA must first have been negotiated. One SA negotiation takes place for phase 1 (IKE policy) and at least two (for the incoming and the outgoing direction) for phase 2 (IPSec policy). For every destination network (see Profile Settings, Remote Networks) two SAs are also negotiated.

Phase 1 (IKE Policy): in tunnel mode IPSec establishes the control channel over the IKE protocol to the IP address of the secure gateway; in transport mode it is established directly to the IP address of the other side. In the IKE policies you define the parameters that determine the encryption and authentication type over the IKE protocol. Authentication can be achieved via a pre-shared key or an RSA signature. These IKE policies are referenced in the IPSec editor.

Phase 2 (IPSec Policy): the SA negotiation is concluded over the control channel. The SA is handed off from the IPSec engine to the IKE protocol, which transmits it over the control channel, and back to the IPSec engine.

[Figure: Control Channel and SA Negotiation, showing the control channel (phase 1) and the SA negotiation (phase 2) between client and gateway]
Description of the Graph
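The following added example, not NCP's code, models the policy and proposal matching that the IPSec Policy and Authentication (IPSec Policy) passages above and this phase-2 description rely on: a policy is a named list of proposals, the client and the gateway must share at least one, AH is refused because the manual calls it unsuitable for remote access, and the shipped ESP 3DES MD5 proposal is kept as the fallback. The data classes, the selection rule (the first client proposal the gateway also offers), the encryption names other than 3DES and the list of algorithms flagged as weak are assumptions for illustration; the weak-algorithm list reflects current practice, not anything the manual states.

```python
"""IPSec policy and proposal matching.

Added example, not NCP's code. Taken from the manual: a policy is a named
list of proposals; client and gateway must hold matching proposals; AH is
unsuitable for remote access and only ESP policies ship (ESP 3DES MD5 is
preconfigured); ESP authentication is MD5, SHA, SHA-256, SHA-384 or
SHA-512; compression is LZS or deflate. The data classes, the selection rule
(first client proposal the gateway also offers), the encryption names other
than 3DES, and the weak-algorithm list are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ESP_AUTH = ("MD5", "SHA", "SHA-256", "SHA-384", "SHA-512")   # manual's list; "SHA" is SHA-1
COMPRESSION = (None, "LZS", "deflate")                          # manual's list
WEAK = {"3DES", "MD5", "SHA"}   # deprecated today; an assumption, not a manual statement


@dataclass(frozen=True)
class Proposal:
    protocol: str                      # "ESP" or "AH"
    encryption: str                    # e.g. "3DES", "AES-256" (assumed names)
    authentication: str                # one of ESP_AUTH
    compression: Optional[str] = None  # one of COMPRESSION


@dataclass
class IPSecPolicy:
    name: str
    proposals: List[Proposal] = field(default_factory=list)


# The policy the manual says ships with the software.
PRECONFIGURED = IPSecPolicy("ESP 3DES MD5", [Proposal("ESP", "3DES", "MD5")])


def validate(policy: IPSecPolicy) -> None:
    """Reject what the client cannot use: AH, unknown auth/compression, empty policy."""
    if not policy.proposals:
        raise ValueError(f"{policy.name}: a policy lists at least one proposal")
    for p in policy.proposals:
        if p.protocol != "ESP":
            raise ValueError(f"{policy.name}: {p.protocol} is unsuitable for remote access")
        if p.authentication not in ESP_AUTH:
            raise ValueError(f"{policy.name}: unknown authentication {p.authentication}")
        if p.compression not in COMPRESSION:
            raise ValueError(f"{policy.name}: unknown compression {p.compression}")


def negotiate(client: IPSecPolicy, gateway: IPSecPolicy) -> Optional[Proposal]:
    """Return the first client proposal that the gateway also offers, or None.

    Both sides must carry the same proposals, as the manual requires; None
    means no phase-2 SA can be set up with this pair of policies.
    """
    validate(client)
    validate(gateway)
    offered = set(gateway.proposals)      # Proposal is frozen, so hashable
    for p in client.proposals:
        if p in offered:
            return p
    return None


def weak_parts(p: Proposal) -> List[str]:
    """Name the algorithms in a proposal that are considered weak today."""
    return [a for a in (p.encryption, p.authentication) if a in WEAK]


if __name__ == "__main__":
    strong = Proposal("ESP", "AES-256", "SHA-256")
    client = IPSecPolicy("client", [strong, *PRECONFIGURED.proposals])
    for gw in (IPSecPolicy("old gateway", [Proposal("ESP", "3DES", "MD5")]),
               IPSecPolicy("new gateway", [strong])):
        chosen = negotiate(client, gw)
        print(gw.name, "->", chosen, "weak:", weak_parts(chosen) if chosen else "-")
```

Listing the strong proposal first on the client means a gateway that offers both gets AES/SHA-256, while an unchanged gateway still matches the shipped ESP 3DES MD5 proposal; weak_parts on the chosen proposal tells you which profiles still depend on the gateway side being updated.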
...sonal Firewall with defined rules is active and the link specific firewall is not active, the icon will be displayed in red without arrows.

If the administrator has specified a Friendly Net (Friendly Net Detection) and the Client is in a friendly net, the firewall icon will be displayed in green. Friendly Net Detection specifications are made in the Monitor Configuration menu under Settings, Friendly Nets, either by specifying static network routes or by activating automatic Friendly Net Detection. In this regard see the description under Firewall Settings, configuration field Friendly Nets.

If Link Firewall is activated, the icon will be displayed with arrows regardless of whether the global firewall is active or inactive:
- If the Link Firewall has been switched active in the phonebook with Activate Stateful Inspection > Always and the system is configured so that communication is only allowed in the tunnel, the firewall icon is displayed with two red arrows.
- If the option Only allow communication in the tunnel is switched off, the icon is displayed with one green arrow and one red arrow.
- If Stateful Inspection is only activated for an existing connection, the arrow icons are only displayed after a connection setup.
- The arrow symbols appear in front of a green firewall if, in addition to the Link Firewall options, a Friendly
...start the update process. After a successful installation you will be required to reboot the system. After starting the InstallShield Wizard, select the installation language as you would for the standard installation and then answer the update query ("A version of the NCP Secure Entry Client software already exists on your PC. Do you wish to update this version?") with Yes. The installation will then be executed automatically; it is concluded when you reboot the computer.

5 Configuration Parameters

With the IPSec client you can define and configure numerous individual profiles for corresponding destinations in accordance with your communication requirements. In this section all parameter descriptions are listed, arranged in the same sequential order as displayed in the monitor.

5.1 Profile Settings

Upon clicking Profile Settings in the monitor menu, the menu is opened with an overview of the defined profiles and the phone numbers of the assigned destinations. The buttons located on the right can be used to add, remove, copy and modify the profile entries.
...subject  165
IP compression (LZS)  156
IPCOMP (LZS)  191
IPSec Policy  150, 154, 186
IR (infrared interface)  22
ISDN  54, 131
Issuer Certificate  56
Issuer's certificate fingerprint  166

K
Key exchange  55

L
LAN adapter  23
LAN (over IP)  54
License Data and Activation  111
Licensing  27
Line Management  144
Link Firewall  169
Link to Corporate Network using IPSec  68, 131
Link to the Internet  68, 131
Logbook  105
Logon Options  99
Lokales System (Local System)  28
LZS  54, 154

M
MD5 (Message Digest version 5)  153, 191
Media Types  54
Microsoft RAS Dialer  135
Microsoft's dialer  170
Mobile cellular telephones  22
Modem  54, 141, 142
Modem Init Strings  143
Multifunction Card  23, 31
Mult...
...suran. The initial installation steps for the client software are almost the same for Windows 2000, Windows XP and Windows Vista. Please note that there are some differences when installing from a hard disk, CD or removable disk. You can obtain the software as an EXE file by downloading it from the website www.ncp.de.

Installation and Licensing
First the NCP Secure Entry Client is installed as a test version. If you possess a license, you can enter the license data after a restart of the software by selecting the monitor menu option License Info and Activation. The test version is valid for 30 days. Without software activation or licensing it will no longer be possible to set up a connection after this 30-day period expires. When 10 days of validity remain, a message box will be displayed to remind you that the software has not yet been licensed. For licensing the software please refer to the chapter Licensing in the handbook.

Please note when installing the software under Windows XP/Vista: Windows XP informs the user as soon as driver software is being installed that is not digitally signed by Microsoft. Windows XP runs a Microsoft-specific compatibility test and warns the user not to install the software. This test does not check the compatibility of the software with Windows XP. Since the software is not signed by Microsoft, the warning occurs when the client is installed on a Windows XP machine. What to do: you can
...t-hand side of the active title bar (or with Alt+F4), a message window alerts you that no tray icon will appear in the task bar. This means that the user then cannot recognize on his screen whether connection charges are accruing, how long they will accrue, or whether the connection has already ended. In this case the monitor must be restarted to determine the status of the connection and to end the connection correctly.

The menu item Minimize when closing has been added under Window. If this menu item is active, the monitor is only minimized when closing via the X in the active title bar or via Alt+F4; clicking the close button (X) in the header then has the same effect as clicking the minimize button in the title bar. The possible destination system can be read, and the connection established or terminated, with a right mouse click on the icon; the monitor can also be ended once the connection is terminated. By clicking Disconnect in the connection menu the monitor can be terminated.

4.4.8 Minimize when connected
If this menu item is activated, the monitor will be minimized when the connection is established successfully. Closing the monitor is then only possible via the main menu Connection > Exit.

4.4.9 Language
The client software has been designed for internationa
...t identical to the address of the tunnel endpoint that the clients use to set up the tunnel. Otherwise the rwsrsu service would attempt to set up a connection to the Management Server outside of the tunnel, a function that in most cases has already been suppressed by the firewall.

The subsequent configuration of the Management Server is executed by editing configuration data in the main menu of the Management Console under Management Server > Settings.

2.2.4 Management Server Settings

In the Management Console, open Settings under the main menu option Management Server. The parameters are ordered according to groups (General, Clients, Authentication); the values can be changed by double-clicking on the appropriate parameter. Please restart the Management Server after editing the parameter values so that the new configuration takes effect.

Group    Parameter                  Value
General  DeletePkcs12AfterDownload
General  LogTraceLifetime           2
General  DistributionCode
General  RsuPort                    12501   Standard 12501; must agree with the setting on the Update Client (see the registry entry above)
General  MgmPort                    12502   Standard 12502; should not be changed
Clients  CheckInterval              100
...man
266. t should some unauthorized person use your PC, they will be able to use your password. Therefore caution should be used when your PC is unattended. User ID for NAS Dial-Up: If the Password has not been entered or saved, it will be requested in a separate window. (Figure: Profile Settings tree for the profile Headquarters: Dial-Up Network, Line Management, IPSec General Settings, Identities, IP Address Assignment, Remote Networks.) The User Name of the Dial-Up Network must always be entered in the configuration of the profile. Without this User ID a dial-up to the NAS is impossible (see > Dial-Up Network). User Name and Password for Extended Authentication: (Figure: Profile Settings for Headquarters, Identities tab, with the option "Use access data from configuration".) If you use Extended Authentication, User Name and Password must be entered in the configuration folder of the profile. Otherwise the establishing of a connection will not be successful (see > Profile Settings, Identities, Use extended authentication (XAUTH)). Disconnection and error: If an error occurs a c
267. tSpot Logon Requirements: The user must be in the receiving range of a hotspot with an activated WLAN card. There must be a connection to the hotspot, and the wireless adapter must have an assigned IP address. Windows XP provides you with the needed configurations concerning access to WLANs. The client's firewall makes sure that only the IP address assignment is being done by DHCP, without any further possibilities of access to or from the WLAN. The firewall has intelligent automated processes for clearing the ports of one or more https, so as to make logins and logouts to the hotspot available. During this process only data traffic to the hotspot server is possible. In this way a public WLAN can only be used for connecting VPN to the central data network; direct internet access is excluded. For opening the homepage of a hotspot in the browser, a possibly existing proxy configuration must be deactivated. At present the client's hotspot access works only with those hotspots that redirect inquiries with the help of browsers to the homepage of the public WLAN provider, for example T-Mobile or Eurospot. Under the previously described conditions a click on the menu option HotSpot Logon opens the website to log into in the standard browser. After entering the access data, the VPN connection to, for example, the company's headquarters can be established and safe communication is possible.
268. tem or by clicking on the button for Network Search. (Figure: signal strength indicator from Very Poor to Excellent, network T-Mobile D.) If the field strength is insufficient, the card will automatically switch over from UMTS as data transmission technology to GPRS and the connection will remain intact. When the field strength increases, the card will automatically switch back. If a network search was executed, the window for network selection will be displayed (left). The desired network can be selected from a list. If you do not desire another network search each time the Monitor is called, then this function, which is active by default, must be switched off via the check button Networks. Activate GPRS/UMTS: The data transmission technology can also be changed manually. To do this, click on the text with the desired transmission technology or select this menu item. When changing the medium manually, the connection will first be disconnected. The connection will then be re-established automatically if Automatic Connection Set Up has been installed in the Phonebook. Enter SIM PIN: The dialog for entering the SIM PIN is automatically displayed for a connection setup. Use this menu item to also enter the SIM PIN even before a connection setup. Change SIM PIN: You can only change the SIM PIN if the previous SIM PIN has been entered corre
269. tep by step descriptions or that describe the structure of the graphic user interface according to the respective object. Two appendices providing additional information and definitions of specialized terms follow these sections. 1. Product overview with brief description of the performance range of the software. 2. Installation instructions. 3. Description of the graphic user interface. 4. Description of the configuration possibilities in the monitor. 5. Description of the parameters listed in the telephone book. 6. Description of a connection establishment. 7. Examples and explanations, particularly for IPsec. Appendices with a glossary (abbreviations and terms) and an index. Cross references appear in the text in parenthesis and cite the reference with the title or, after a comma, with the subtitle. An exclamation mark in the margin indicates that the text so marked is of particular significance. Naturally the software also offers context sensitive help. 1.2 NCP Secure Entry Client, Universal IPSec Client: The NCP Secure Entry Client can be used in any VPN environment. The client communicates on the basis of the IPsec standard (see > Examples and explanations, Security, IPsec) with the gateways provided by a wide variety of vendors and is the alternative to the uniform IPsec client technology offered on the market. The Secure Entry Client has a
270. the Monitor. This function can only be activated with administrator rights. 5 Log Files: If a multi function card for UMTS/GPRS is installed, then a log file is written in the log directory of the Secure Client with the following columns: 1st column: time; 2nd column: current field strength; 3rd column: average field strength of the last minute; 4th column: average field strength of the last 5 minutes; 5th column: average field strength of the last 10 minutes; 6th column: current network type (UMTS or GPRS); 7th column: current network. An entry is created every 10 seconds; however, the entries are only written to the file every 5 minutes. A log file is created with the name mfc<DATE>.log for each day. The log files for the last 7 days are saved. Appendix to the NCP Secure Enterprise Client and NCP Secure Entry Client: Services and Applications of the Secure Client. NCP Secure Communications, Network Communications Products engineering GmbH, Germany, Headquarters: Dombühler Str. 2, D-90449 Nürnberg, Tel. +49 911 9968 0, Fax +49 911 9968 299, Internet: http://www.ncp.de, E-mail: info@ncp.de.
271. time, then the PIN entry can be omitted unless the configuration for the certificate requests it (see > Configuration, Certificates). If you have configured the IPSec client for the use of a Smart Card or of a PKCS#11 module (see Configuration, Certificates), then a light blue symbol for the Smart Card appears in the status field. If you have inserted your Smart Card in the card reader, the symbol color changes from light blue to green. If the PIN has not been entered before a connection establishment, then the PIN entry dialog appears at the latest when the first connection requiring the use of a certificate is to be established to a destination. Thereafter the PIN entry can be omitted in the case of repeated manual connection establishment if this has been configured (see > Configuration, Certificates). Enter PIN: Using a soft certificate, the PIN can have 4 digits. Using a Smart Card, it must have at least 6 digits. Incorrect entries and incorrect PINs are acknowledged with the error message "Incorrect PIN" after approximately 3 seconds. At this point a connection establishment is not possible. Please note that a Smart Card or a token can be blocked after multiple incorrect PIN entries. In this case please contact your remote administrator. An established connection will by default be disconnected if the Smart Card or token is removed during the operation. The connection establ
272. tings. For this purpose there is a Configuration Assistant which will walk you through the configuration steps of a profile. In this way the first profile will be created. The profile settings provide the basis for defining and configuring destinations (profiles), which can be modified or reconfigured at any time according to requirements. Upon clicking Profile Settings in the Monitor menu Configuration, the menu is opened and displays an overview of the defined profiles and their respective names and the telephone numbers of the according destinations. (Figure: Profile Settings window listing the profiles Test connection, IPSec native and Headquarters.) There is also a toolbar with the following function buttons: Configure, New Entry, Duplicate, Delete, OK, Help and Cancel. New Entry (Profile): In order to define a new Destination, click on Profile Settings. When the window opens, click on New Entry. Upon doing so the Configuration Assistant opens and walks you through the configuration of a new Profile according to your requirements. Upon entering all items in the assistant, the new profile is entered in the Profile Settings based on these parameters. All other parameters are assigned a default value. Destination Wizard: (Figure: Basic Settings, Define type of connection.) Using the configuration assistant, connections can be quickly established with the Int
273. tions. If a rule will apply for unknown networks, then this option must be activated. Known networks are defined in the tab of the same name in the Firewall settings window. If a rule will apply for known networks, then this option must be activated. VPN networks are all IPSec connections in the set up condition. Moreover, under this group there are also all encrypted direct dial-in connections via the client's integrated dialer. If a rule will apply for VPN networks, then this option must be activated. Protocol: Select the appropriate protocol depending on the application: TCP, UDP, ICMP, GRE, ESP, AH, IGRP, RSVP, IPv6 or IPv4 (all). Line management: Use this parameter to influence the type of connection. For example, you select the option that the rule configured here is only valid at inactive VPN connection if you want an Internet connection with a concurrently present VPN connection to be excluded; otherwise the Internet connections to unknown networks should be allowed. For this, this rule for unknown networks must be used, i.e. this rule must permit access to unknown networks. The option "no automatic connect" is only practical if in the telephone book the connection set up has been set to automatic in the Line Management parameter field. For the data packets defined via this rule, automatic connection set up does not take pl
274. to IP address in the parameter folder Identities, then there is no need to enter an IP address in the field for the ID. This is the only way to ensure that each current public IP address will be transferred to the gateway automatically for phase 1 identification. 7.2.6 IPsec ports for connection establishment and data traffic: Please note that the server requires exclusive access to UDP port 500. If NAT Traversal is used, then access to port 4500 is also required. Without NAT Traversal the IP protocol ESP (protocol ID 50) is used. Port 500, which is used for connection establishment, is used as standard by the IPsec policies under Windows systems. To change this, proceed as follows: 1. To determine which ports are currently being used by your system, you can enter the following command under the Command Prompt: netstat -n -a, to display the current network status. (Figure: Command Prompt window listing active connections with protocol, local and foreign address and state, mostly LISTENING and one ESTABLISHED.) 2. If the port is used, then the System Services
275. tor in the same manner as the field strength (Fig. Network type below). After double clicking on the network to be selected, the SSID is automatically transferred into a WLAN profile for this adapter if a profile has not yet been created for this network (see below, WLAN Profiles). (Figure: WLAN Profiles tab with signal indicator from Very Poor to Excellent and the scanned network SUPPORT_TEHOTSPOT.) WLAN Profiles: Previously created profiles for the adapter selected above are displayed in a list. Network type, encryption and SSID must agree with the above network parameters. (Figure: list of WLAN profiles with IP assignment static or dhcp and network type Infrastructure, including TKIP1, TKIP2, WEP dhcp and WEP static.) A new profile is generated by clicking on the New button, or by double clicking on the corresponding network in the previous window, or by clicking on the right mouse button. Profiles can also be edited or deleted via the buttons. General Profile Settings: The name can be freely assigned, and for a new profile generation after double clicking on the scanned network it is initially identical with the SSID of this network. The procedure is the same with the network type, which must be identical with the network type that is sent in the broadcast of the wireless network. guration. The network type must th
276. tory. If the issuer certificate cannot be located, then the connection cannot be established. If no issuer certificates are present, then no connection will be permitted. 2. Check of Certificate Extensions: Certificates can contain extensions. These serve for the linking of additional attributes with users or public keys that are required for the administration and operation of the certification hierarchy and the revocation lists. In principle, certificates can contain any number of extensions, including those that are privately defined. The certificate extensions are written in the certificate by the issuing certification authority. Three extensions are significant for the Secure Client and the Secure Server: extendedKeyUsage, subjectKeyIdentifier, authorityKeyIdentifier. extendedKeyUsage: If the extendedKeyUsage extension is present in an incoming user certificate, then the Secure Client checks whether the defined extended application intent is SSL Server Authentication. If the incoming certificate is not intended for server authentication, then the connection will be refused. If this extension is not present in the certificate, then this will be ignored. Please note that the SSL server authentication is direction dependent. This means that the initiator of the tunnel establishment checks the incoming certificate of the
277. transmit data, audio, voice and video signals over a digital dial-up circuit. BRIs are available from your local PTT. BCP: Bridge Control Protocol. BITS: Bump In The Stack, a type of IPSec implementation. BITW: Bump In The Wire, a type of IPSec implementation. Blowfish: Encryption standard with 128 to 448 bit. Browser: Web Browser. This is the user interface to the Internet. With its HTTP (Hypertext Transfer Protocol) capability it can handle different formats, for example HTML, GIF, CAD, that are required for a multimedia (sound and graphics) representation of the information. CA: Certification Authority, also Trust Center, for example D-Trust, a combined undertaking of Debis and the Federal Printing Office. With PKI Manager Software a CA issues digitally signed confirmations (certificates) and stores them on a Smartcard (Chipcard). A CA can be a private service provider or a public institution. These certifying authorities do not need government permission, and the private service provider or public institution is liable for the correctness of the certificates. CAPI: Common Application Program Interface. This interface is designated as a common ISDN API in ISDN and corresponds to the PCI interface (Programmable Communication Interface). The interface gives direct access to ISDN and the lower protocol layers (Layers 1 to 3). Higher level protocols and applications like telex and file transfer can be used regardless of the hardware platform.
278. twork, subnet and computer. This extended hierarchy makes it easier to locate a computer in the total network (WAN). An example using the telephone nomenclature can illustrate how this works: the area code designates in which area the telephone is located. This hierarchy also ensures a certain access security. For example, a computer on a subnet will not automatically have access to the resources of another subnet. Or, to use a specific case, a production worker does not have access to the personnel department data, provided that the subnet masks have been selected according to corporate departments. The subnet mask indicates the location of the subnet field in an IP address. The subnet mask is a binary 32 bit number like an IP address. It has a 1 in every position of the network segment and an IP address according to the network class within the first to the third octet. The next octet shows the position of the subnet field. The digits 1 adjacent to the subnet field indicate the subnet bits. All remaining positions with 0 remain for the host segment. Examples: Example 1: The subnet mask is used for the interpretation of the IP address. Accordingly, an address 135.96.7.230 with the mask 255.255.255.0 may be interpreted as follows: the network has the address 135.96.0.0, the subnet has the number 7, the host number 230. An IP address with 135.96.4 belongs to a different subnet (4) on the same network. Binary representation: 135
279. ument data encryption is determined by a random number (session key) that is generated for each individual communication connection. This one time key is encrypted with the recipient's public key and the message is added. Then the recipient reconstructs the session key with his private key and decrypts the message. IETF: Internet Engineering Task Force. IKE: Internet Key Exchange, which is part of IPsec for secure key management; separate security association negotiation and key management protocol (RFC 2409). Internet: The Internet is a worldwide open computer network. It is open to all. Every company and each individual can connect to the Internet and can communicate with all other connected users regardless of the computer platform or the respective network topology. A general shared network protocol is necessary to ensure that data exchange between the different computers and networks is possible (see TCP/IP). Intranet: A network within a company or organization employing applications associated with the Internet such as Web pages, Web browsers, FTP sites, E-Mail etc. However, these are only accessible to those within the company or organization. IP Address: Each computer in the Internet has an IP address (Internet Protocol Address) that clearly identifies it for as long as it is part of the Internet. An IP address is 32 bit
280. uthentication with the stored certificates on the Smartcard and the Gateway will be executed. Among other things, the user certificate, the root certificate and the secret private key are stored on the Smartcard. The Smartcard can only be used with a valid PIN. SMTP: Simple Mail Transport Protocol. Internet standard to distribute Email, based on TCP port 25. It is text oriented. SNA: Systems Network Architecture. Hierarchically oriented network for the control of terminals and for application access support in IBM host systems. SNMP: Simple Network Management Protocol. Network management protocol based on UDP/IP. Source Routing: The possibility to optimize route selection between bridges in Token Ring networks. With SNA, route information attached to the data block is also transmitted. In this manner the confirmation route is also clearly manifest. SPD: Security Policy Database. SSL: Secure Socket Layer. According to the SSL protocol, Dynamic Key Exchange can be used. SSL, developed by Netscape, in the meantime has become the standard protocol for Dynamic Key Exchange. SSLCP: Secure Socket Layer Control Protocol. STARCOS: Operating system for Smartcards. Symmetric Encryption: Sender and recipient use the same key for symmetric encryption and decryption. Symmetric algorithms are very fast and very secure only if the key transfer between th
281. ver under NCP Management Server Configuration (see fig. above). ServerType: (Figure: NCP Secure Management Server Configuration dialog, Services tab, Operation Mode: Management Server operation mode Primary Server or Backup Server; IP address Primary Server 127.0.0.1; IP address Failsafe Primary Server 127.0.0.1; Shared Secret. Note: the operating mode can only be switched if all services have been stopped beforehand. Backup Server in normal operation; Backup Server as Failsafe Primary Server only on failure of the Primary Server.) 0: Management Server is used as primary Server. 2: Management Server is used as backup Server. This configuration under Windows is made prior to starting the Management Server, in the Windows start menu under NCP Management Server Configuration (see fig. above). ReplSecret: If the Management Server is used as Backup Server, then the Shared Secret is entered for the Primary Server. This configuration under Windows is made prior to starting the Management Server, in the Windows start menu under NCP Management Server Configuration (see fig. above). DeletePKCS12AfterDownload: Standard 0. 0: after a download the soft certificate is deleted from the database. 1: the certificate is not deleted.
282. y Client. After the connection is established, the monitor is displayed as shown on the left side. (Figure: Client Monitor with menu Connection, Configuration, Log, Window, Help; message "Connection has been established"; Connect and Disconnect buttons; Statistics: Time online 00:00:00, Timeout (sec) 0, Data Tx in Bytes 0, Data Rx in Bytes 0, Direction, Link Type, Speed (KByte/s) 0.000, Encryption; "Software has not been activated, valid for another 30 days".) For further configuration of any profile, refer to the descriptions under Client Monitor, Profile Settings and Configuration Parameters, IPSec General Settings. For activation note the section 4.6 Licensing in this handbook. 2.4 Updating and Uninstalling: If you are already using a previous version of the Software, it will be detected when attempting to install the new Client Software. If this is the case, then you will be asked if you wish to update your current Client Software to the newer version now in your possession. During the update the current profile settings, certificate data and call control manager statistics will be applied to the new client. In order to uninstall the Client Software, go to Start > Settings > Control Panel. Now click on Add/Remove Software and then select the client from the list of program
283. y consist of up to 254 characters. Normally the username will be assigned to you by your destination (e.g. your company Headquarters, User Help Desk, Internet Service Provider etc.), because it must be supported and accepted by the NAS, RADIUS or LDAP server for authentication purposes. Password: This parameter is used for identifying yourself to your Internet Service Provider (ISP) if the Internet is used. The password can include up to 128 characters. Normally the password will be assigned to you by your destination (e.g. your company Headquarters, User Help Desk, Internet Service Provider etc.), because it must be supported and accepted by the NAS, RADIUS or LDAP Server for authentication purposes. Upon entering your password, all characters will be displayed as an asterisk in order to keep them from being detected by someone else. Therefore it is necessary to be very careful that you enter your password exactly the way in which it was assigned to you, also with regard to the use of upper case and lower case characters. If the user chooses not to enter and save the password, he will be prompted to manually enter it with every connection attempt. Save password: This parameter should be activated when it is desired that the Password, if entered, is to be stored. Otherwise it will be removed from memory when rebooting the PC or changing the profile. Default is the activated function. Important: For security purposes you must be awar
284. y settings are correctly configured, then click on OK. The Assistant will now search for newly available software updates via the Internet connection. (Figure: Software Update Wizard, "Searching for software updates": The Wizard is searching for new available software updates for the NCP Secure Entry Client.) If a software update is available, then it is displayed as shown in the next window. In this case the version is differentiated only via the build number. (Figure: Installed version: Product NCP Secure Entry Client, Version 8.30, Build 50, Licensed 8.3; available version: Build 54, Size 9,305 kByte.) Click on Next if you want to use the more current version. For further information see http://www.ncp.de/english/home/index.html. The new features are described under http://www.ncp.de/english/services/whatsnew/index.html. This downloads the installation package for the newest software. (Figure: Software Update Wizard, "Update software download complete": The update software has been successfully downloaded. The installation package for the NCP Secure Entry Client software update has successfully been downloaded. Click on Finish to end the Monitor and start the installation of the software update.) Select Finished to close the monitor and
