manualshive.com logo in svg

Nortel Contivity VPN Client, User Manual

The Nortel Contivity VPN Client user manual is essential for ensuring seamless connectivity and secure remote access. Download the comprehensive manual for free at our website, providing step-by-step instructions, troubleshooting tips, and configuration guidance. Maximize your VPN experience with this essential resource.

Share
Download
background image

6

Contents

311644-J Rev 00

Reboot Only mode   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Silent with Forced Reboot mode  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Setting up the group.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Custom icons  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Create your icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Client application icon (eacapp.ico)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Contivity VPN Client task bar icons  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Custom bitmaps  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Client dialog bitmap (eacdlg.bmp)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Client status bitmap (eacstats.bmp)   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Client GINA bitmap (nnginadlg.bmp)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Banners  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Security banners  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Dynamic Domain Name System (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

TunnelGuard Notify banner  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Installing a custom client   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Controlling the client from a third-party application  . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Running in silent success mode   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Remotely changing the group password  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

GINA chaining   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

IPsec mobility and persistent tunneling  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Inverse split tunneling   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Using the 0.0.0.0/0 subnet wildcard   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring the subnet wildcard  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configuring tunneling modes using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Co-existence with MS IPsec service  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuring co-existence with MS IPsec service   . . . . . . . . . . . . . . . . . . . . . . 62

Chapter 3
Using certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

MS CryptoAPI   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

MS-CAPI feature dependencies and backward compatibility   . . . . . . . . . . . . . . . . 66

MSCAPI server CRL checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Microsoft CA digital certificate generation  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Steps from browser running on client system or CA system . . . . . . . . . . . . . . 67

Summary of Contents for Contivity VPN Client

Page 1: ...Version 6 01 Part No 311644 J Rev 00 August 2005 600 Technology Park Drive Billerica MA 01821 4130 Configuring the Contivity VPN Client ...

Page 2: ...Corporation SecurID is a trademark of RSA Security Inc VeriSign is a trademark of VeriSign Incorporated The asterisk after a name denotes a trademarked item Restricted rights legend Use duplication or disclosure by the United States Government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 Notwithsta...

Page 3: ...e on only one machine at any one time or to the extent of the activation or authorized usage level whichever is applicable To the extent Software is furnished for use with designated hardware or Customer furnished equipment CFE Customer is granted a nonexclusive license to use Software only on such hardware or CFE as applicable Software contains trade secrets and Customer agrees to treat Software ...

Page 4: ...lf of the United States Government the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U S Federal Regulations at 48 C F R Sections 12 212 for non DoD entities and 48 C F R 227 7202 for DoD entities b Customer may terminate the license at any time Nortel Networks may terminate the license if Customer fails ...

Page 5: ...omain Logon 23 Two step domain logon 23 Graphical Identification and Authentication GINA 24 Logging on through client connection 25 First domain logon 26 Enabling and disabling Connect Before Logon 27 Uninstalling the client 28 Chapter 2 Customizing the client 29 Configuring client profiles 30 Setup ini file 32 Customizing the setup ini file 33 Installation modes and options 39 Verbose mode 39 Ski...

Page 6: ...nt 50 Controlling the client from a third party application 52 Running in silent success mode 55 Remotely changing the group password 56 GINA chaining 58 IPsec mobility and persistent tunneling 59 Inverse split tunneling 60 Using the 0 0 0 0 0 subnet wildcard 60 Configuring the subnet wildcard 60 Configuring tunneling modes using the CLI 61 Co existence with MS IPsec service 62 Configuring co exis...

Page 7: ... checking 70 Entrust certificate based authentication 71 Custom installation 72 Entrust certificate enrollment procedure 73 Entrust certificate enrollment tunnel 74 Direct access enrollment process 74 Entrust certificate enrollment process 75 Entrust roaming profiles support 77 Offline and online 77 Configuring Entrust for Roaming Profiles 79 Configuring the Certificate Authority Server 79 Create ...

Page 8: ...8 Contents 311644 J Rev 00 ...

Page 9: ...44 Figure 12 Blink none blinknone ico 44 Figure 13 Blink right blinkright ico 44 Figure 14 Blink left blinkleft ico 45 Figure 15 Both blinkboth ico 45 Figure 16 Client connecting icons 45 Figure 17 Contivity VPN Client bitmap 46 Figure 18 Client status bitmap 46 Figure 19 GINA bitmap 47 Figure 20 Security banner 48 Figure 21 Screen with View Banner option 49 Figure 22 TunnelGuard Notify banner 50 ...

Page 10: ...10 Figures 311644 J Rev 00 ...

Page 11: ...2 VPN Client support 29 Table 3 Supported UseTokens and TokenType settings 31 Table 4 Options section and keyword settings for setup ini file 33 Table 5 Settings for group ini file 41 Table 6 Command line parameters 53 Table 7 Tunneling mode options 61 Table 8 Client error messages 85 ...

Page 12: ...12 Tables 311644 J Rev 00 ...

Page 13: ...the Contivity gateway This guide assumes that you have the following background Experience with windowing systems or graphical user interfaces GUI Familiarity with network management Complete details for configuring and monitoring the Contivity Secure IP Services Gateway are in Configuring Basic Features for the Contivity Secure IP Services Gateway Before you begin The minimum PC requirements for ...

Page 14: ... options Do not type the braces when entering the command Example If the command syntax is ldap server source external internal you must enter either ldap server source external or ldap server source internal but not both brackets Indicate optional elements in syntax descriptions Do not type the brackets when entering the command Example If the command syntax is show ntp associations you can enter...

Page 15: ...nts Enter only one of the choices Do not type the vertical line when entering the command Example If the command syntax is terminal paging off on you enter either terminal paging off or terminal paging on but not both Table 1 Acronyms and terms Certification path Ordered sequence of certificates leading from a certificate whose public key is known by a client to a certificate whose public key is t...

Page 16: ...nstructions for configuring the Contivity Stateful Firewall and Contivity interface and tunnel filters Configuring Advanced Features for the Contivity Secure IP Services Gateway provides instructions for configuring advanced LAN and WAN settings PPP frame relay PPPoE ADSL and ATM T1CSU DSU dial services and demand services DLSw IPX and SSL VPN Configuring Tunneling Protocols for the Contivity Secu...

Page 17: ...cal manuals and release notes free directly from the Internet go to www nortel com documentation Find the product for which you need documentation then locate the specific category and model or version for your hardware or software product Use Adobe Acrobat Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to the Adobe Systems...

Page 18: ...rica go to the Web site below and look up the phone number that applies in your region http www nortel com callus When you speak to the phone agent you can reference an Express Routing Code ERC to more quickly route your call to the appropriate support specialist To locate the ERC for your product or service go to http www nortel com erc Getting Help through a Nortel distributor or reseller If you...

Page 19: ...It also includes information on Windows Domain Login and Nortel graphical identification and authentication NNGINA Windows installations To install the client copy the Contivity VPN Client EAC601D exe that is on the Contivity Secure IP Services Gateway CD into the Client folder onto your hard drive 1 Double click EAC601D exe The Welcome screen appears Figure 1 Figure 1 Welcome screen ...

Page 20: ...g the client 311644 J Rev 00 2 Click Next The License Agreement screen appears Figure 2 Figure 2 License Agreement screen 3 Click Yes to accept the license The Destination screen appears Figure 3 Figure 3 Destination screen ...

Page 21: ...ation or click Browse to install in another directory The Select Program Folder screen appears Figure 4 Figure 4 Program folder screen 5 Click Next to select the default program folder or choose one of the listed program folders The Install and run Contivity VPN Client screen appears Figure 5 Figure 5 Install and run screen ...

Page 22: ... Authentication GINA on page 24 7 Click Next The Start Copying Files screen appears Figure 6 Figure 6 Start Copying Files screen 8 Click Next to continue the installation 9 When prompted at the end of the installation reboot your system 10 Double click the Contivity VPN Client icon a Enter a new Connection name b Optionally enter a description for the connection c Create a new Dial up Connection C...

Page 23: ...work Control Panel Select the Network Connection icon and click Create a New Connection to bring up the New Connection Wizard Under the Network Control Panel for Windows XP and Windows 2000 verify that NetBEUI is not installed If NetBEUI is listed click it then click Remove This forces the Network Neighborhood to use NetBIOS over TCP IP which is compatible with the switch Click OK and reboot your ...

Page 24: ...y to launch the client then log off the local system to authenticate to the Windows domain The Nortel GINA nngina dll launches and synchronizes a successful tunnel creation with the Contivity VPN Client and disconnects the Contivity tunnel when you log off After making a successful Contivity VPN connection the Windows domain logon is continued through the established Contivity VPN tunnel connectio...

Page 25: ...vity VPN Client GINA interface appears This is a Contivity GINA dialog not the Windows GINA dialog Figure 7 Figure 7 Connect Before Logon screen 2 Enter your Windows credentials which are used to perform a local system logon The Contivity VPN client is launched Figure 8 on page 26 Note Auto domain logon is the default Note If you do not want to use the Connect Before Logon feature after it is inst...

Page 26: ...existing Contivity VPN tunnel connection First domain logon You can also log on to the system using an existing local account to establish the Contivity VPN Tunnel You are then logged into the local system with the credentials provided Note When the Contivity VPN Client is running as a service under Windows 2000 or Windows XP you may not be able to log off after you log in and log off several time...

Page 27: ... deselecting the Auto Domain Logon option and logging on using an existing local user account The Windows GINA screen appears to complete the domain logon Enabling and disabling Connect Before Logon To enable or disable Connect Before Logon go to the Options menu Figure 9 and either select or deselect the Connect Before Logon option The Contivity VPN Client GINA dialog provides simultaneous Window...

Page 28: ...stall NNGINA unless it is at the top of the GINA chain If it is not on top of the GINA list uninstalling it could break the GINA chain The software notifies you that you must uninstall NNGINA before GINA can be uninstalled This could occur multiple times until GINA is at the top of the chain ...

Page 29: ...Client also provides support for IP Security IPsec mobility and persistent tunneling Table 2 shows the versions of the client that are available in limited 56 bit or full 128 bit form as well as the available encryptions Diffie Hellman groups and hashes Table 2 VPN Client support Version 56 bit 128 bit 256 bit Deffie Hellman groups HASH 4 65 and below DES 40 56 DES 40 56 3DES NA 1 2 MD5 SHA 1 4 86...

Page 30: ...AES settings cannot be modified through the GUI AES is visible to the end user only in the Status window where the Security and IKE fields display the appropriate AES information when an AES connection is established Configuring client profiles To preconfigure the client with profiles including information such as the authentication type and destination you must distribute a baynet tbk file that c...

Page 31: ...ng Entrust authentication this is the user s epf file TokenType used in combination with UseTokens to indicate the type of authentication being used The following combined settings are supported Table 3 UsePAPGroup 0 indicates no RADIUS authentication 1 indicates RADIUS authentication GroupName Options Authentication Options dialog box Group Name field SavePassword 0 indicates that the user did no...

Page 32: ... and its settings are created by InstallShield when the distribution media is made The EnableLangDlg Y parameter is set when the installation is a localized version A Language dialog appears during installation from which a user selects the language to install The Languages section is the list of supported languages in the kit This is the list presented in the Language dialog mentioned above when ...

Page 33: ...ty VPN Client FreeDiskSpace 970 EnableLangDlg Y ISUPDATE UpdateURL http Languages Default 0x0009 count 1 key0 0x0009 Customizing the setup ini file You customize the default behavior of the client by modifying the setup ini file To customize your client add to the setup ini file the Options section and the listed keywords described in Table 4 The default settings are noted in the right hand column...

Page 34: ...ault is 0 False and the item is not checked DisableLoggingConfig 1 If set to 1 you cannot configure logging from client UI The default is 0 and allows you to configure logging DisplayPasscode 1 If set to 1 the Passcode screen for tokens is used instead of the standard token and PIN screen The default is 0 and the standard token and PIN screens are used DisplayReboot 0 If SkipScreens 1 and DisplayR...

Page 35: ...e default is 0 and the client appears in the Start Menu InstallAsService 1 If set to 1 installs the client as a service on Windows 2000 and Windows XP If not set to1 the user will see a dialog to select how to install the client This does not affect the Installation Type Selection screen and the user s selection always overrides the setup ini setting You can also use InstallAsService as a command ...

Page 36: ...f CVC is installed as GINA and this option is checked the tunnel will remain up and NNGINA will not show up after you logoff the domain User can switch this option on off by selecting the menu item Options Logoff on Connect The default value is 0 The menu item will not be checked LogoffWarning This flag only affects cases when Client is installed as a Service If set to 1 True the menu item Options...

Page 37: ...lt behavior If set to 1 the baynet tbk file will only be copied if there is not an existing one in the user s directory Otherwise the original file will be preserved ProductName New Product Name Client if nothing is set RemovePPTP 1 If set to 1 this always removes PPTP on Windows 98 if detected during installation A user can verify that PPTP has been removed by opening the Network Control Panel an...

Page 38: ... option is used with other commands described in the section Installation modes and options on page 39 This screen can only be hidden in Silent mode if the switch is set It will be ignored in GUI mode IMPORTANT By suppressing presentation of the Nortel Software License Agreement you agree to accept the terms of the agreement on behalf of the users receiving the client software from you The Nortel ...

Page 39: ...llation Skip Screens mode In this mode the dialog boxes do not appear The license agreement dialog appears and the message Setup Complete Restart the System before using the Contivity VPN Client is shown for 4 seconds No reboot is performed In setup ini set the following Options SkipScreens 1 Silent mode In this mode no license agreement appears and the message Setup Complete Restart the System be...

Page 40: ...creens 1 DisplayReboot 1 SkipLicenseAgreement 1 Silent with Forced Reboot mode This switch reboots the system immediately after the installation completes The forced reboot is only activated when you are running in Skip Screens mode or in Silent mode The SkipScreens installation switch must be asserted You can use the SkipLicenseAgreement switch with the ForcedReboot switch It has no effect on the...

Page 41: ...r level passwords only group level passwords Note The corresponding profile entry must have an authtype that uses group authentication If it does not the client will not look for the group ID and group password when displaying the authentication options Table 5 Settings for group ini file Field Description ProfileNames Name of the section that the installation looks for to send the names that are ...

Page 42: ...the command line using the switch SKIPBINDCHECK If both the setup ini switch and command line switch are used the command line switch takes priority Skip all the installation screens except for the license screen This is the same as using AUTO on the command line If used in conjunction with AUTO the command line switch takes priority You can skip adding the password change icon in the program fold...

Page 43: ...plication icon Contivity VPN Client task bar icons Contivity VPN Client connecting icons There are from two to four different representations of the group icon within each group You can create icon bitmaps in whatever style you prefer however the Nortel Networks icons are intended to convey a message for the given action such as data transfer activity or establishing a connection The following sec...

Page 44: ...ith all of the custom installation files Contivity VPN Client task bar icons These icons appear in the task bar to indicate data activity through the tunnel To replace task bar icons create four icons blinknone ico blinkright ico blinkleft ico blinkboth ico and copy them into your custom installation directory with all of the custom installation files Figure 11 is a sample icon with four icons cre...

Page 45: ...le of four different icons with an arrow pointing clockwise through each of the four quadrants of the circular icon Figure 16 Client connecting icons To replace the client connection icons create a series of icons and rename them connect1 ico connect2 ico connect3 ico connect4 ico then copy them into your custom installation directory with all of the custom installation files Custom bitmaps This s...

Page 46: ... it into the custom installation directory with the other custom icons and installation files Client status bitmap eacstats bmp Figure 18 shows the bitmap on the status dialog box of the client It is accessible only when a tunnel has been established Figure 18 Client status bitmap To replace the status bitmap with a custom bitmap 1 Create a 16 color bitmap that is 303 x 32 pixels 2 Name the bitmap...

Page 47: ... bitmap that is displayed on the GINA dialog Figure 19 Figure 19 GINA bitmap The client checks for a new customized bitmap each time the dialog is initialized The NNGINA looks for a custom bitmap named nnginadlg bmp in the installation directory under the icons folder If the Contivity VPN Client was installed into the D Program Files Nortel Networks directory the NNGINA will look for the custom bi...

Page 48: ...dges the banner The user has three options Accept Close allows traffic to flow and the dialog box closes Accept allows traffic to flow the Security banner remains visible and all links are clickable Cancel terminates the tunnel immediately Figure 20 shows the Security banner screen Figure 20 Security banner The Security banner has a time out If the user does nothing for two minutes the connection ...

Page 49: ...ity banner to open The deregistration operation stops if it cannot finish in three seconds Also if a DNS operation starts before another DNS operation is finished it asks the latter to terminate If the latter is still alive after 0 5 seconds the former quits otherwise it continues TunnelGuard Notify banner If TunnelGuard checking is enabled on the server the server periodically checks for the exis...

Page 50: ...the custom icons and bitmaps and copies the custom files into a subdirectory of the target installation directory called Icons By default this directory is C Program Files Nortel Networks Icons To repackage your custom installation with the new icons and bitmaps into a self extracting executable file and to make it simpler to distribute the custom installation to users as one file instead of many ...

Page 51: ...d to the license screen Other interaction is required only if the installation requires files from the Windows installation CD Use the command line switch PreserveTBKFile to specify whether to overwrite an existing baynet tbk file during the installation If PreserveTBKFile is set to 1 the baynet tbk file will only be copied if there is not an existing one in the users directory Otherwise the origi...

Page 52: ...s the user name and password that the user supplied to the application in the command line the destination is the remote server use one of the following commands If you are using an LDAP user name and password for authentication Extranet exe U username password destination If you are using a RADIUS user name and password for authentication Extranet exe R username password destination groupid group...

Page 53: ...in h when the connection is established or fails to be established a profile Activates the connection profile to use o profile Opens the profile allows the user to edit a profile d profile Indicates the connection profile to delete n n a Creates a new connection profile using the Connection Wizard u username password destination Activates a connection with the supplied LDAP user information r user...

Page 54: ...on is Extranet exe h 1234 m 1225 a MyExtraNetConnection Following the example above when the tunnel either connects or fails to connect the IPsec client responds PostMessage 1234 1225 IPsec Hwnd True False When the message is posted back to the Windows handle of your application lParam indicates success or failure When the tunnel is established lParam is True when tunnel establishment fails lParam...

Page 55: ...ent Use s a profile to use connection profile Use s u username password destination to activate a connection with the LDAP authentication Use s r username password destination groupid grouppassword to activate a connection with the RADIUS authentication Use s e entrust epf password to activate a connection with Entrust authentication Note To successfully terminate the client by command line with a...

Page 56: ...sword 4 Axent software token 5 SecureId software token 6 Entrust 9 MSCAPI 10 From profile For example if auth 10 the authentication type is decided by profile The commandline switch always overwrites the ones in profile Some switches may be optional when using a profile as an authentication method If you provide the switches the one specified in profile is overwritten Some switches such as passwor...

Page 57: ...exe auth 2 user username pin PIN code tokenCode serverip server ip gid group id gpwd group password extranet exe auth 10 profile profilename user username pin PIN code tokenCode serverip server ip gid group id gpwd group password If you are using a simple group Id and password extranet exe auth 3 user username pwd password serverip server ip gid group id gpwd group password extranet exe auth 10 pr...

Page 58: ...uth 6 user profilename pwd entrust profile password altname subj alt name alttype number serverip server ip If you are using MSCAPI extranet exe auth 9 user MACAPI certificate string serverip server ip extranet exe auth 10 profile profilename user MACAPI certificate string serverip server ip GINA chaining GINA chaining detects the presence of a previously installed third party GINA and passes all ...

Page 59: ...the client has been notified by the operating system that the IP address has changed it notifies the Contivity gateway These messages are encrypted and authenticated based on the IKE SA to ensure security The Contivity VPN Client logs events to the logfile This includes events such as Contivity VPN Client sending messages that the IP address changed and receiving acknowledgement that these message...

Page 60: ...ent receives the list of inverse split networks it expands the 0 0 0 0 to include all of the directly connected local subnets detected on the host Any additional subnets in a list are processed as before After expansion traffic destined for these subnets is allowed to flow outside of the tunnel This option is valid for both the Inverse Split and Inverse Split Locally Connected modes but it is real...

Page 61: ...nel Networks drop down menu 4 Select a network from the Inverse Split Tunnel Networks drop down menu 5 Click OK Configuring tunneling modes using the CLI The tunneling mode is selected in the CLI using the following commands after entering group ipsec configuration mode split tunneling enable inverse inverse local Table 7 Tunneling mode options Split Tunneling Selection Network Selection sent to C...

Page 62: ...et Persistent tunneling provides a continuous connection After successfully establishing a tunnel session to the Contivity gateway the Contivity VPN Client makes every attempt to maintain a viable VPN connection without additional user intervention For further configuration information on IPsec mobility and persistence see Configuring Basic Features for the Contivity Secure IP Services Gateway Co ...

Page 63: ... Gateway The IPsec Settings page opens 2 Enable NAT Traversal 3 Set the UDP port to an unused port Figure 24 shows the IPsec Settings page with NAT Traversal enabled and the UDP port set to an unused port Figure 24 IPsec Settings page 4 Select Profiles Groups Edit IPsec The Groups Edit IPsec page opens 5 Select one NAT Traversal type ...

Page 64: ...64 Chapter 2 Customizing the client 311644 J Rev 00 Figure 25 shows the Group Edit IPsec page with one NAT Traversal type selected Figure 25 Groups Edit IPsec page 6 Click OK ...

Page 65: ...e allows the Contivity VPN Client full access to the Microsoft Certificate storage and management tools The Microsoft Certificate storage and management tools use PKCS standards based messages and protocols to manage key pair generation and storage Microsoft Certificate storage also provides a mechanism to import digital certificates granted by third party Certification Authorities through the use...

Page 66: ...patible with the Contivity gateway Version 3 65 or later due to the required certificate extension processing feature on the gateway MSCAPI server CRL checking MSCAPI server Certificate Revocation List CRL checking is disabled by default MSCAPI server CRL checking is governed by the HKLM Software Nortel Networks Extranet Access Client MSCAPIServerCRLCheck registry key If the parameter MSCAPIServer...

Page 67: ...ial Generally a user wants to keep all private key information and key material private and protected The digital certificate is then retrieved as a PKCS 7 message and imported into the MS CAPI store through the Internet Explorer browser or the Internet options CertMgr tool When you request a digital certificate from the system housing the Microsoft CA the private key material is generated and sto...

Page 68: ...o remember the request ID Importing a digital certificate into MS CAPI store There are two scenarios when you are importing a digital certificate into the MS CAPI store When you are using the Microsoft CA the import process can be done directly from Internet Explorer when retrieving the digital certificate from the CA When using other CA certificates the client user or CA administrator additionall...

Page 69: ...ficate Installed and your new certificate has been successfully installed Netscape digital certificate retrieval After the Netscape CA administrator has approved the certificate it can be retrieved through the Netscape browser and imported directly into the MS CAPI store 1 Attach to the Netscape CA from your browser 2 Select the Retrieval tab 3 Type in the Request ID from the digital certificate r...

Page 70: ... screen appears 5 Select Microsoft Stored Certificate then click on Next The Microsoft Certificate Store screen appears By default this screen lists all of the certificates available including the key usage field for the certificate If you check the Display Only Signature Certificate box only the digital signature is displayed Server certificate CRL checking MS CAPI support on the Contivity VPN cl...

Page 71: ...rts Entrust Version 6 0 for Entrust single login The single login feature allows you to automatically authenticate to all certificate enabled applications with a single access to your certificate either an epf or tkn file during a login session If you have already presented your certificate to authenticate one application you are not prompted to present the certificate for other applications durin...

Page 72: ...Entrust ini file entrust ini which was created when you set up the Entrust PKI server The Entrust error messages DLL file enterr dll allows you to see more detailed Entrust error messages and information Solutions to many of these error situations can be obtained through the Entrust knowledge base at http www entrust com support index htm A valid support contract is required to register and access...

Page 73: ...e The first two situations are similar because the PKI server is located in front of the Contivity gateway and it is directly accessible from the Internet When you provide access to the PKI through the firewall from ports 389 and 709 the second situation is the same as the first The third situation requires remote users to also have an LDAP user name and password so that a temporary tunnel can be ...

Page 74: ... 709 Nortel has preconfigured a filter rule called Entrust PKI that allows access to the Entrust PKI server You can choose this filter for any group from the Profiles Groups Edit Connectivity Configure screen Set this filter along with a deny all filter on the semi public account that is set up The Entrust PKI filter is made up of the following rules and should be customized by the administrator i...

Page 75: ...y VPN Client screen appears 2 Select File Connection Wizard The New Connection Profile screen appears 3 Enter a name and description then click on Next The Authentication Type screen appears 4 Select Digital Certificate then click on Next The Digital Certificate Type screen appears 5 Select Entrust Digital Certificate then click on Next The Entrust Certificate Profile Selection screen appears 6 Cl...

Page 76: ... dial up connection is necessary to access the Internet then review the information on the Generate Certificate screen This screen shows the information that is used to generate the authentication certificate and appears only if the PKI server is located behind the firewall If everything is correct click on Finish a connection to the PKI is established that generates a new certificate This complet...

Page 77: ...ides on an external server When you enroll for a certificate the certificate is deposited on the roaming server rather than on the user PC or smartcard You log on to Entrust Entelligence authenticate to the roaming server and receive your certificate which you then use to authenticate Entrust ready applications such as VPN The Contivity client supports existing clients with epf files located on th...

Page 78: ...als supplied by the Roaming Profile server The Roaming Profile server must be accessible to the client PC before tunnel establishment Offline Roaming means the client will use stored cache files for its credentials Offline roaming is used when the Roaming server is unreachable The roaming server and LDAP must be accessible to the client If they are not accessible then the firewall must be enabled ...

Page 79: ...st for Roaming Profiles Three components are configured for Roaming Profiles Certificate Authority server Roaming Profile server Roaming Profile clients Configuring the Certificate Authority Server From the Registration Authority RA 1 Export Edit and Import the mastercert spec file 2 Edit the entmgr ini file 3 Edit the entrust ini file place into the C WINNT directory 4 Add a Roaming User ...

Page 80: ...e It is only necessary to edit this file if Off line roaming is required Default Variable Values offline_prof_use 1 To edit the entrust ini file Edit the entrust ini file based on the Roaming requirements Once the file is edited place it on the CA Server Roaming Profile Server and any client PC that will be running a Roaming Profile Use the following edits to enable Roaming Profiles online 4 lines...

Page 81: ...in the Type drop down list If you choose Web Server you do not have to enter a first and last name as you do if you select Person 4 Type a name for the server in the Name field 5 Type a description of the server in the Description field This information is not mandatory Use this field to record important information about Roaming Server for example its IP address 6 In the Add to drop down list sel...

Page 82: ...dialog box appears displaying the distinguished name of the Roaming Server you have just added along with the location of the epf file Install and Configure the Roaming Profile Server Required software Entrust Authority Roaming Server 6 0 1 Make sure you have received the Roaming Administrators Profile files and entrust ini files Place them on the hard drive Place the entrust ini into C WINNT 2 In...

Page 83: ...Profile Clients The following is the required software Contivity VPN Client V05_01 103 Entrust Entellegence 5 02 or newer There are three Entrust Dynamic Link Libraries DLL that must be placed in the WINNT directory kmpapi32 dll version 6 0 541 1210 enter dll version 6 0 520 1241 etsesn32 dll version 6 0 531 1220 Place the edited entrust ini into the C WINNT directory Entrust Entellegence or the C...

Page 84: ...84 Chapter 3 Using certificates 311644 J Rev 00 ...

Page 85: ...ay log for further information LOG_CONNLOST_KEEPALIVE Contivity gateway did not respond to keep alives Connection lost Check connection to the Contivity gateway and the dial up connection for failure LOG_NO_PROPOSAL Encryption mismatch The 56 bit client is attempting to connect to the Contivity gateway configured as 3DES LOG_REMOVE Unable to remove previous session log file Check for DOS file prot...

Page 86: ...Restore the dial up connection or LAN connection before reconnecting LOG_CONNECTION_TERMINATE This message is used with the security violation messages the violation message appears followed by the connection terminated message LOG_CP_VIOLATE Connection terminated due to client policy violation Contact the Contivity gateway administrator LOG_INSTALL_REBOOT Reboot not performed after installation L...

Page 87: ...NINSTALLE D The auto connection feature has been uninstalled by the Contivity gateway LOG_CES_DISCONNECT A disconnect message was received from the Contivity gateway See the Contivity gateway log for further information LOG_CLEAR_DNS Windows 9x Clear DNS is set LOG_FAIL_ACTIVATE Client failover invoked LOG_FAIL_CLEAR Failover list set to none LOG_FORCED_KEEPALIVES NAT traversal forcing use of keep...

Page 88: ...88 Appendix A Client logging 311644 J Rev 00 ...

Page 89: ...4 DisplayReboot 34 domain login 23 E EnableLogging 34 Entrust authentication overview 72 certificate enrollment process 75 certificate enrollment tunnel 74 enrollment procedure 73 Entrust knowledge base 72 Entrust single login 71 Extranet Access Client dialog box 45 Extranet Access Client Status 46 F FolderName 34 ForcedReboot 35 G GINA chaining 58 graphical identification and authentication GINA ...

Page 90: ...ing 62 PKCS 12 65 PreserveTBKFile 37 ProductName 37 publications hard copy 17 R README TXT 51 reboot 35 ReceiveBuffers 37 RemovePPTP 37 S SendBuffers 37 setup ini 32 setup ini file modifying 33 settings 33 single login Entrust 71 SkipAutoDial 38 SkipAutoDialPrompt 38 SkipBindCheck 38 SkipLicenseAgreement 38 command line 38 SkipScreens 38 Supported UseTokens and TokenType Settings 31 T task bar ico...

Reviews:

No comments

Related manuals for Contivity VPN Client

QMS VMS Software Manual preview
VMS
Brand: QMS Pages: 118
Novell SENTINEL 6.1.1.0 - README Manual preview
SENTINEL 6.1.1.0 - README
Brand: Novell Pages: 13
AVIRA ANTIVIR VIRUS SCAN ADAPTER FOR SAP SOLUTIONS User Manual preview
ANTIVIR VIRUS SCAN ADAPTER FOR SAP SOLUTIONS
Brand: AVIRA Pages: 67
Tandberg Data IBM LOTUS NOTES-DOMINO V 11.3 - INSTALLATION AND ... Integration Manual preview
IBM LOTUS NOTES-DOMINO V 11.3 - INSTALLATION AND ...
Brand: Tandberg Data Pages: 49
Epson PowerLite 955W Specification Sheet preview
PowerLite 955W
Brand: Epson Pages: 6
Epson Stylus Color 600Q Specification Sheet preview
Stylus Color 600Q
Brand: Epson Pages: 1
Epson Stylus Pro - Stylus Color Pro Ink Jet Printer Specification Sheet preview
Stylus Pro - Stylus Color Pro Ink Jet Printer
Brand: Epson Pages: 14
Epson Software Film Factory User Manual preview
Software Film Factory
Brand: Epson Pages: 73
Epson Stylus Pro - Stylus Color Pro Ink Jet Printer Reference Manual preview
Stylus Pro - Stylus Color Pro Ink Jet Printer
Brand: Epson Pages: 98
Epson Stylus Color 600Q User Manual preview
Stylus Color 600Q
Brand: Epson Pages: 95
Epson PowerLite 955W User Manual preview
PowerLite 955W
Brand: Epson Pages: 209
Epson PowerLite D6150 User Manual preview
PowerLite D6150
Brand: Epson Pages: 196
MACROMEDIA BREEZE 5 Integration Manual preview
BREEZE 5
Brand: MACROMEDIA Pages: 232
Kenwood ARCP-2000 Instruction Manual preview
ARCP-2000
Brand: Kenwood Pages: 21
Kenwood KDC-X8006U Instruction Manual preview
KDC-X8006U
Brand: Kenwood Pages: 40
Kenwood KDC-MP735U Instruction Manual preview
KDC-MP735U
Brand: Kenwood Pages: 52
Kenwood KDC-X891 Instruction Manual preview
KDC-X891
Brand: Kenwood Pages: 68
Tascam HS-P82 Release Note preview
HS-P82
Brand: Tascam Pages: 6

Brands by name

Popular brands

Load more brands