
Configuring the Contivity VPN Client

by the University of California, Berkeley. The name of the University may not be used to endorse or promote products 
derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains 
restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third 
parties).

Nortel Networks Inc. software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel 
Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING 
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE 
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE 
AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping 
container, within 30 days of purchase to obtain a credit for the full purchase price.

“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted 
and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content 
(such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel 
Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no 
rights other than those granted to you under this License Agreement. You are responsible for the selection of the 
Software and for the installation of, use of, and results obtained from the Software.

1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software 
on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. 
To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), 
Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software 
contains trade secrets and Customer agrees to treat Software as confidential information using the same care and 
discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. 
Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. 
Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse 
assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or 
modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property 
to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the 
event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or 
certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s 
Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to 
include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect 
to such third party software.

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, 
Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS 
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, 
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to 
provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in 
such event, the above exclusions may not apply.

Contents: Contivity VPN Client

Page 1: ...Version 6.01, Part No. 311644-J Rev 00, August 2005. 600 Technology Park Drive, Billerica, MA 01821-4130. Configuring the Contivity VPN Client ...

Page 2: ...Corporation. SecurID is a trademark of RSA Security Inc. VeriSign is a trademark of VeriSign Incorporated. The asterisk after a name denotes a trademarked item. Restricted rights legend: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithsta...

Page 3: ...e on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer-furnished equipment (CFE), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software ...

Page 4: ...lf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks' standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b) Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails ...

Page 5: ...omain Logon 23; Two-step domain logon 23; Graphical Identification and Authentication (GINA) 24; Logging on through client connection 25; First domain logon 26; Enabling and disabling Connect Before Logon 27; Uninstalling the client 28; Chapter 2 Customizing the client 29; Configuring client profiles 30; Setup.ini file 32; Customizing the setup.ini file 33; Installation modes and options 39; Verbose mode 39; Ski...

Page 6: ...nt 50; Controlling the client from a third-party application 52; Running in silent success mode 55; Remotely changing the group password 56; GINA chaining 58; IPsec mobility and persistent tunneling 59; Inverse split tunneling 60; Using the 0.0.0.0/0 subnet wildcard 60; Configuring the subnet wildcard 60; Configuring tunneling modes using the CLI 61; Co-existence with MS IPsec service 62; Configuring co-exis...

Page 7: ...checking 70; Entrust certificate-based authentication 71; Custom installation 72; Entrust certificate enrollment procedure 73; Entrust certificate enrollment tunnel 74; Direct access enrollment process 74; Entrust certificate enrollment process 75; Entrust roaming profiles support 77; Offline and online 77; Configuring Entrust for Roaming Profiles 79; Configuring the Certificate Authority Server 79; Create ...

Page 8: ...8 Contents 311644-J Rev 00 ...

Page 9: ...44; Figure 12 Blink none (blinknone.ico) 44; Figure 13 Blink right (blinkright.ico) 44; Figure 14 Blink left (blinkleft.ico) 45; Figure 15 Both (blinkboth.ico) 45; Figure 16 Client connecting icons 45; Figure 17 Contivity VPN Client bitmap 46; Figure 18 Client status bitmap 46; Figure 19 GINA bitmap 47; Figure 20 Security banner 48; Figure 21 Screen with View Banner option 49; Figure 22 TunnelGuard Notify banner 50 ...

Page 10: ...10 Figures 311644-J Rev 00 ...

Page 11: ...2 VPN Client support 29; Table 3 Supported UseTokens and TokenType settings 31; Table 4 Options section and keyword settings for setup.ini file 33; Table 5 Settings for group.ini file 41; Table 6 Command-line parameters 53; Table 7 Tunneling mode options 61; Table 8 Client error messages 85 ...

Page 12: ...12 Tables 311644-J Rev 00 ...

Page 13: ...the Contivity gateway. This guide assumes that you have the following background: experience with windowing systems or graphical user interfaces (GUI), and familiarity with network management. Complete details for configuring and monitoring the Contivity Secure IP Services Gateway are in Configuring Basic Features for the Contivity Secure IP Services Gateway. Before you begin: the minimum PC requirements for ...

Page 14: ...options. Do not type the braces when entering the command. Example: if the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both. Brackets ([ ]) indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: if the command syntax is show ntp [associations], you can enter...

Page 15: ...nts. Enter only one of the choices. Do not type the vertical line when entering the command. Example: if the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both. Table 1 Acronyms and terms. Certification path: ordered sequence of certificates leading from a certificate whose public key is known by a client to a certificate whose public key is t...

Page 16: ...nstructions for configuring the Contivity Stateful Firewall and Contivity interface and tunnel filters. Configuring Advanced Features for the Contivity Secure IP Services Gateway provides instructions for configuring advanced LAN and WAN settings: PPP, frame relay, PPPoE, ADSL and ATM, T1 CSU/DSU, dial services and demand services, DLSw, IPX, and SSL VPN. Configuring Tunneling Protocols for the Contivity Secu...

Page 17: ...cal manuals and release notes free directly from the Internet, go to www.nortel.com/documentation. Find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Acrobat Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems...

Page 18: ...rica, go to the Web site below and look up the phone number that applies in your region: http://www.nortel.com/callus. When you speak to the phone agent, you can reference an Express Routing Code (ERC) to route your call more quickly to the appropriate support specialist. To locate the ERC for your product or service, go to http://www.nortel.com/erc. Getting Help through a Nortel distributor or reseller: if you...

Page 19: ...It also includes information on Windows Domain Login and Nortel graphical identification and authentication (NNGINA) Windows installations. To install the client, copy the Contivity VPN Client EAC601D.exe from the Client folder of the Contivity Secure IP Services Gateway CD onto your hard drive. 1 Double-click EAC601D.exe. The Welcome screen appears (Figure 1). Figure 1 Welcome screen ...

Page 20: ...g the client 311644-J Rev 00. 2 Click Next. The License Agreement screen appears (Figure 2). Figure 2 License Agreement screen. 3 Click Yes to accept the license. The Destination screen appears (Figure 3). Figure 3 Destination screen ...

Page 21: ...ation, or click Browse to install in another directory. The Select Program Folder screen appears (Figure 4). Figure 4 Program folder screen. 5 Click Next to select the default program folder, or choose one of the listed program folders. The Install and run Contivity VPN Client screen appears (Figure 5). Figure 5 Install and run screen ...

Page 22: ...Authentication (GINA)" on page 24. 7 Click Next. The Start Copying Files screen appears (Figure 6). Figure 6 Start Copying Files screen. 8 Click Next to continue the installation. 9 When prompted at the end of the installation, reboot your system. 10 Double-click the Contivity VPN Client icon. a Enter a new Connection name. b Optionally, enter a description for the connection. c Create a new Dial-up Connection. C...

Page 23: ...work Control Panel. Select the Network Connection icon and click Create a New Connection to bring up the New Connection Wizard. Under the Network Control Panel for Windows XP and Windows 2000, verify that NetBEUI is not installed. If NetBEUI is listed, click it, then click Remove. This forces the Network Neighborhood to use NetBIOS over TCP/IP, which is compatible with the switch. Click OK and reboot your ...

Page 24: ...y to launch the client, then log off the local system to authenticate to the Windows domain. The Nortel GINA (nngina.dll) launches, synchronizes a successful tunnel creation with the Contivity VPN Client, and disconnects the Contivity tunnel when you log off. After a successful Contivity VPN connection is made, the Windows domain logon continues through the established Contivity VPN tunnel connectio...

Page 25: ...vity VPN Client GINA interface appears. This is a Contivity GINA dialog, not the Windows GINA dialog (Figure 7). Figure 7 Connect Before Logon screen. 2 Enter your Windows credentials, which are used to perform a local system logon. The Contivity VPN client is launched (Figure 8 on page 26). Note: Auto domain logon is the default. Note: If you do not want to use the Connect Before Logon feature after it is inst...

Page 26: ...existing Contivity VPN tunnel connection. First domain logon: you can also log on to the system using an existing local account to establish the Contivity VPN tunnel. You are then logged into the local system with the credentials provided. Note: When the Contivity VPN Client is running as a service under Windows 2000 or Windows XP, you may not be able to log off after you log in and log off several time...

Page 27: ...deselecting the Auto Domain Logon option and logging on using an existing local user account. The Windows GINA screen appears to complete the domain logon. Enabling and disabling Connect Before Logon: to enable or disable Connect Before Logon, go to the Options menu (Figure 9) and either select or deselect the Connect Before Logon option. The Contivity VPN Client GINA dialog provides simultaneous Window...

Page 28: ...stall NNGINA unless it is at the top of the GINA chain. If it is not at the top of the GINA list, uninstalling it could break the GINA chain. The software notifies you that you must uninstall NNGINA before GINA can be uninstalled. This could occur multiple times until GINA is at the top of the chain. ...

Page 29: ...Client also provides support for IP Security (IPsec) mobility and persistent tunneling. Table 2 shows the versions of the client that are available in limited (56-bit) or full (128-bit) form, as well as the available encryption algorithms, Diffie-Hellman groups, and hashes. Table 2 VPN Client support. Columns: Version | 56-bit | 128-bit | 256-bit | Diffie-Hellman groups | Hash. Row: 4.65 and below | DES 40/56 | DES 40/56, 3DES | NA | 1, 2 | MD5, SHA-1. Row: 4.86...

Page 30: ...AES settings cannot be modified through the GUI. AES is visible to the end user only in the Status window, where the Security and IKE fields display the appropriate AES information when an AES connection is established. Configuring client profiles: to preconfigure the client with profiles, including information such as the authentication type and destination, you must distribute a baynet.tbk file that c...

Page 31: ...ng Entrust authentication, this is the user's .epf file. TokenType: used in combination with UseTokens to indicate the type of authentication being used. The following combined settings are supported (Table 3). UsePAPGroup: 0 indicates no RADIUS authentication; 1 indicates RADIUS authentication. GroupName: the Group Name field of the Options > Authentication Options dialog box. SavePassword: 0 indicates that the user did no...

Page 32: ...and its settings are created by InstallShield when the distribution media is made. The EnableLangDlg=Y parameter is set when the installation is a localized version; a Language dialog then appears during installation, from which the user selects the language to install. The [Languages] section is the list of supported languages in the kit. This is the list presented in the Language dialog mentioned above when ...

Page 33: ...ty VPN Client, FreeDiskSpace=970, EnableLangDlg=Y; [ISUPDATE] UpdateURL=http; [Languages] Default=0x0009, count=1, key0=0x0009. Customizing the setup.ini file: you customize the default behavior of the client by modifying the setup.ini file. To customize your client, add the [Options] section and the keywords described in Table 4 to the setup.ini file. The default settings are noted in the right-hand column...

Page 34: ...ault is 0 (False), and the item is not checked. DisableLoggingConfig=1: if set to 1, you cannot configure logging from the client UI. The default is 0 and allows you to configure logging. DisplayPasscode=1: if set to 1, the Passcode screen for tokens is used instead of the standard token and PIN screen. The default is 0, and the standard token and PIN screens are used. DisplayReboot=0: if SkipScreens=1 and DisplayR...

Page 35: ...e default is 0, and the client appears in the Start Menu. InstallAsService=1: if set to 1, installs the client as a service on Windows 2000 and Windows XP. If not set to 1, the user sees a dialog to select how to install the client. This does not affect the Installation Type Selection screen, and the user's selection always overrides the setup.ini setting. You can also use InstallAsService as a command...

Page 36: ...f CVC is installed as GINA and this option is checked, the tunnel remains up and NNGINA does not appear after you log off the domain. The user can switch this option on or off by selecting the menu item Options > Logoff on Connect. The default value is 0, and the menu item is not checked. LogoffWarning: this flag only affects cases where the client is installed as a service. If set to 1 (True), the menu item Options...

Page 37: ...lt behavior. If set to 1, the baynet.tbk file is only copied if there is not already one in the user's directory; otherwise the original file is preserved. ProductName=New Product Name: "Client" if nothing is set. RemovePPTP=1: if set to 1, this always removes PPTP on Windows 98 if it is detected during installation. A user can verify that PPTP has been removed by opening the Network Control Panel an...

Page 38: ...option is used with the other commands described in the section "Installation modes and options" on page 39. This screen can only be hidden in Silent mode if the switch is set; it is ignored in GUI mode. IMPORTANT: by suppressing presentation of the Nortel Software License Agreement, you agree to accept the terms of the agreement on behalf of the users receiving the client software from you. The Nortel ...

Page 39: ...llation. Skip Screens mode: in this mode the dialog boxes do not appear. The license agreement dialog appears, and the message "Setup Complete. Restart the System before using the Contivity VPN Client" is shown for 4 seconds. No reboot is performed. In setup.ini, set the following: [Options] SkipScreens=1. Silent mode: in this mode no license agreement appears, and the message "Setup Complete. Restart the System be...

Page 40: ...creens=1, DisplayReboot=1, SkipLicenseAgreement=1. Silent with Forced Reboot mode: this switch reboots the system immediately after the installation completes. The forced reboot is only activated when you are running in Skip Screens mode or in Silent mode; the SkipScreens installation switch must be asserted. You can use the SkipLicenseAgreement switch together with the ForcedReboot switch. It has no effect on the...
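The install-mode rules on pages 38 to 40 (Skip Screens, Silent, Silent with Forced Reboot) interact, and a kit that suppresses the license screen commits the packager to the license on behalf of every recipient. The following Python is an added example, not Nortel's installer or any code from this manual: it reads a constructed setup.ini, applies the rules as this manual states them, and reports the effective mode plus the warnings a packager should read before distributing the kit. The derivation of Silent mode from SkipScreens=1 together with SkipLicenseAgreement=1, and the mapping of the AUTO and InstallAsService command-line switches onto setup.ini keywords (the manual says the command-line form takes priority), are assumptions of this example.

```python
"""Resolve the Contivity VPN Client installation mode from setup.ini.

Added example, not Nortel's installer code. The rules encode the manual's
"Installation modes and options" section as read here; the derivation of
Silent mode from SkipScreens=1 plus SkipLicenseAgreement=1 and the mapping
of command-line switches to keywords are assumptions of this example.
"""
import configparser

# Constructed setup.ini modelled on the sections and keywords the manual lists.
SAMPLE_SETUP_INI = """\
[Startup]
AppName=Contivity VPN Client
FreeDiskSpace=970
EnableLangDlg=Y

[Languages]
Default=0x0009
count=1
key0=0x0009

[Options]
SkipScreens=1
DisplayReboot=1
SkipLicenseAgreement=1
ForcedReboot=0
InstallAsService=1
DisableLoggingConfig=0
PreserveTBKFile=1
"""

# Command-line switches that shadow a setup.ini keyword. The manual says the
# command-line form wins when both are given and that AUTO means "skip all
# screens except the license screen"; this table is an assumption.
CLI_SWITCHES = {
    "AUTO": ("SkipScreens", "1"),
    "INSTALLASSERVICE": ("InstallAsService", "1"),
}


def load_options(ini_text, cli_switches=()):
    """Return the [Options] keywords with command-line switches applied on top."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep keyword case exactly as written
    parser.read_string(ini_text)
    options = dict(parser["Options"]) if parser.has_section("Options") else {}
    for switch in cli_switches:
        keyword, value = CLI_SWITCHES[switch.upper()]
        options[keyword] = value  # command line takes priority over the file
    return options


def is_set(options, keyword):
    return options.get(keyword, "0").strip() == "1"


def resolve_install(ini_text, cli_switches=()):
    """Return the effective install mode and the warnings a packager should read."""
    opts = load_options(ini_text, cli_switches)
    skip_screens = is_set(opts, "SkipScreens")
    skip_license = is_set(opts, "SkipLicenseAgreement")
    forced_reboot = is_set(opts, "ForcedReboot")
    warnings = []

    if not skip_screens:
        mode = "GUI"
        if skip_license:
            warnings.append("SkipLicenseAgreement=1 is ignored in GUI mode; the license screen is still shown")
        if forced_reboot:
            warnings.append("ForcedReboot=1 requires SkipScreens=1 and is ignored")
    elif skip_license:
        mode = "Silent"
    else:
        mode = "SkipScreens"  # license dialog still appears, no reboot is performed
    if skip_screens and forced_reboot:
        mode += "+ForcedReboot"

    license_shown = not (skip_screens and skip_license)
    if not license_shown:
        warnings.append("License screen suppressed: you accept the Nortel license on behalf of every user who receives this kit")
    if is_set(opts, "DisableLoggingConfig"):
        warnings.append("DisableLoggingConfig=1: users cannot adjust client logging, so ship the logging level the SOC expects")
    return {"mode": mode, "license_shown": license_shown, "warnings": warnings}


if __name__ == "__main__":
    result = resolve_install(SAMPLE_SETUP_INI)
    print(result["mode"])
    for warning in result["warnings"]:
        print("warning:", warning)
```

Run it against the kit's real setup.ini before repackaging; the sample above resolves to Silent with the license warning, and adding the AUTO switch on the command line turns a GUI kit into a Skip Screens or Silent one depending on whether SkipLicenseAgreement is set in the file.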

Page 41: ...r-level passwords, only group-level passwords. Note: the corresponding profile entry must have an authtype that uses group authentication. If it does not, the client does not look for the group ID and group password when displaying the authentication options. Table 5 Settings for group.ini file. Field | Description. ProfileNames: name of the section that the installation looks for to send the names that are ...

Page 42: ...the command line using the switch SKIPBINDCHECK. If both the setup.ini switch and the command-line switch are used, the command-line switch takes priority. Skip all the installation screens except for the license screen: this is the same as using AUTO on the command line. If used in conjunction with AUTO, the command-line switch takes priority. You can skip adding the password change icon in the program fold...

Page 43: ...plication icon; Contivity VPN Client task bar icons; Contivity VPN Client connecting icons. There are from two to four different representations of the group icon within each group. You can create icon bitmaps in whatever style you prefer; however, the Nortel Networks icons are intended to convey a message for the given action, such as data transfer activity or establishing a connection. The following sec...

Page 44: ...ith all of the custom installation files. Contivity VPN Client task bar icons: these icons appear in the task bar to indicate data activity through the tunnel. To replace the task bar icons, create four icons (blinknone.ico, blinkright.ico, blinkleft.ico, blinkboth.ico) and copy them into your custom installation directory with all of the custom installation files. Figure 11 is a sample icon with four icons cre...

Page 45: ...le of four different icons with an arrow pointing clockwise through each of the four quadrants of the circular icon. Figure 16 Client connecting icons. To replace the client connection icons, create a series of icons, rename them connect1.ico, connect2.ico, connect3.ico, connect4.ico, then copy them into your custom installation directory with all of the custom installation files. Custom bitmaps: this s...

Page 46: ...it into the custom installation directory with the other custom icons and installation files. Client status bitmap (eacstats.bmp): Figure 18 shows the bitmap on the status dialog box of the client. It is accessible only when a tunnel has been established. Figure 18 Client status bitmap. To replace the status bitmap with a custom bitmap: 1 Create a 16-color bitmap that is 303 x 32 pixels. 2 Name the bitmap...

Page 47: ...bitmap that is displayed on the GINA dialog (Figure 19). Figure 19 GINA bitmap. The client checks for a new customized bitmap each time the dialog is initialized. The NNGINA looks for a custom bitmap named nnginadlg.bmp in the installation directory under the Icons folder. If the Contivity VPN Client was installed into the D:\Program Files\Nortel Networks directory, the NNGINA looks for the custom bi... (Because this file is read from the installation directory every time the pre-logon dialog is initialized, keep that directory, including the Icons folder, writable by administrators only.)

Page 48: ...dges the banner. The user has three options: Accept & Close allows traffic to flow and closes the dialog box; Accept allows traffic to flow while the Security banner remains visible and all links are clickable; Cancel terminates the tunnel immediately. Figure 20 shows the Security banner screen. Figure 20 Security banner. The Security banner has a time-out: if the user does nothing for two minutes, the connection ...

Page 49: ...ity banner to open. The deregistration operation stops if it cannot finish in three seconds. Also, if a DNS operation starts before another DNS operation is finished, it asks the latter to terminate. If the latter is still alive after 0.5 seconds, the former quits; otherwise it continues. TunnelGuard Notify banner: if TunnelGuard checking is enabled on the server, the server periodically checks for the exis...

Page 50: ...the custom icons and bitmaps, and copies the custom files into a subdirectory of the target installation directory called Icons. By default this directory is C:\Program Files\Nortel Networks\Icons. To repackage your custom installation with the new icons and bitmaps into a self-extracting executable file, and to make it simpler to distribute the custom installation to users as one file instead of many, ...

Page 51: ...d to the license screen. Other interaction is required only if the installation requires files from the Windows installation CD. Use the command-line switch PreserveTBKFile to specify whether to overwrite an existing baynet.tbk file during the installation. If PreserveTBKFile is set to 1, the baynet.tbk file is only copied if there is not already one in the user's directory; otherwise the origi...

Page 52: ...s the user name and password that the user supplied to the application. In the command line, the destination is the remote server. Use one of the following commands. If you are using an LDAP user name and password for authentication: Extranet.exe -U username password destination. If you are using a RADIUS user name and password for authentication: Extranet.exe -R username password destination groupid group...

Page 53: ...in: -h, when the connection is established or fails to be established. -a profile: activates the connection profile to use. -o profile: opens the profile and allows the user to edit it. -d profile: indicates the connection profile to delete. -n (no argument): creates a new connection profile using the Connection Wizard. -u username password destination: activates a connection with the supplied LDAP user information. -r user...

Page 54: ...on is Extranet.exe -h 1234 -m 1225 -a MyExtraNetConnection. Following the example above, when the tunnel either connects or fails to connect, the IPsec client responds with PostMessage(1234, 1225, IPsec Hwnd, True/False). When the message is posted back to the Windows handle of your application, lParam indicates success or failure: when the tunnel is established, lParam is True; when tunnel establishment fails, lParam...

Page 55: ...ent. Use -s -a profile to use a connection profile. Use -s -u username password destination to activate a connection with LDAP authentication. Use -s -r username password destination groupid grouppassword to activate a connection with RADIUS authentication. Use -s -e entrust.epf password to activate a connection with Entrust authentication. Note: to successfully terminate the client by command line with a...

Page 56: ...sword; 4 Axent software token; 5 SecurID software token; 6 Entrust; 9 MSCAPI; 10 From profile. For example, if -auth 10 is given, the authentication type is decided by the profile. A command-line switch always overwrites the corresponding value in the profile. Some switches may be optional when a profile is used as the authentication method; if you provide them, the value specified in the profile is overwritten. Some switches, such as passwor...

Page 57: ...exe -auth 2 -user username -pin <PIN code + tokenCode> -serverip server_ip -gid group_id -gpwd group_password. extranet.exe -auth 10 -profile profilename -user username -pin <PIN code + tokenCode> -serverip server_ip -gid group_id -gpwd group_password. If you are using a simple group ID and password: extranet.exe -auth 3 -user username -pwd password -serverip server_ip -gid group_id -gpwd group_password. extranet.exe -auth 10 -pr...

Page 58: ...uth 6 -user profilename -pwd entrust_profile_password -altname subj_alt_name -alttype number -serverip server_ip. If you are using MSCAPI: extranet.exe -auth 9 -user MSCAPI_certificate_string -serverip server_ip. extranet.exe -auth 10 -profile profilename -user MSCAPI_certificate_string -serverip server_ip. (Passwords, PINs and group passwords passed this way are visible to any local process that can read another process's command line; prefer a profile for everything that is not a secret and pass only what the session needs.) GINA chaining: GINA chaining detects the presence of a previously installed third-party GINA and passes all ...
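The precedence rules on pages 56 to 58 (the profile supplies the authentication type and defaults under -auth 10, and any switch given on the command line overwrites the profile) are easy to get wrong in a launcher script, and the result decides which secrets land on the process command line. The following Python is an added example, not Nortel code and not part of this manual: it merges a constructed profile store with command-line switches under those rules, builds the extranet.exe argument list, and reports which secret values the resulting command line exposes. Assumptions: switches carry a leading hyphen (the manual's punctuation was lost in extraction), only the -auth values whose switches the manual shows on pages 57 and 58 are handled, and the profile store is a dict standing in for the client's saved profiles.

```python
"""Build an Extranet.exe command line for a scripted Contivity connection.

Added example, not Nortel code. Assumptions: switches carry a leading '-'
(punctuation was stripped from the manual in extraction), saved profiles
are modelled as dicts, and only the -auth values whose switches the manual
shows on pages 57 and 58 are handled.
"""
# Switches the manual shows for each -auth value. For -auth 2 the PIN and
# token code are supplied together after -pin.
AUTH_SWITCHES = {
    2: ("user", "pin", "serverip", "gid", "gpwd"),         # token
    3: ("user", "pwd", "serverip", "gid", "gpwd"),         # user name/password with group ID/password
    6: ("user", "pwd", "altname", "alttype", "serverip"),  # Entrust; -user is the .epf profile name
    9: ("user", "serverip"),                               # MSCAPI; -user is the certificate string
}
# Values that end up readable by any local process that can list command lines.
SECRET_SWITCHES = ("pwd", "pin", "gpwd")

# Constructed stand-in for the client's saved connection profiles.
PROFILES = {
    "Corp": {"auth": 3, "user": "alice", "serverip": "vpn.example.net", "gid": "staff"},
}


def resolve(cli, profiles=PROFILES):
    """Apply the manual's precedence rules.

    -auth 10 takes the authentication type and any value not given on the
    command line from the named profile; a switch given on the command line
    always overwrites the profile's value.
    """
    auth = int(cli["auth"])
    merged, profile_name = {}, None
    if auth == 10:
        profile_name = cli["profile"]
        merged.update(profiles[profile_name])
        auth = int(merged.pop("auth"))
    merged.update({k: v for k, v in cli.items() if k not in ("auth", "profile")})
    return auth, profile_name, merged


def build_command(cli, profiles=PROFILES):
    """Return (argv, exposed): the argument list and the secrets it places on the command line."""
    auth, profile_name, merged = resolve(cli, profiles)
    if auth not in AUTH_SWITCHES:
        raise ValueError(f"-auth {auth} is not covered by this example")
    argv = ["extranet.exe", "-auth", str(cli["auth"])]
    if profile_name is not None:
        argv += ["-profile", profile_name]
    for switch in AUTH_SWITCHES[auth]:
        if switch in merged:
            argv += ["-" + switch, str(merged[switch])]
    exposed = [s for s in SECRET_SWITCHES if s in merged and s in AUTH_SWITCHES[auth]]
    return argv, exposed


if __name__ == "__main__":
    argv, exposed = build_command({"auth": 10, "profile": "Corp", "pwd": "pw", "gpwd": "gp"})
    print(" ".join(argv))
    print("secrets visible in the process command line:", exposed)
```

The exposed list is the part to act on: an MSCAPI (-auth 9) connection puts no secret on the command line, whereas the password forms always do, so a launcher that must use -auth 3 should at least avoid writing the command line to logs or scheduled-task definitions.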

Page 59: ...the client has been notified by the operating system that the IP address has changed, it notifies the Contivity gateway. These messages are encrypted and authenticated under the IKE SA. The Contivity VPN Client logs events to the logfile, including the Contivity VPN Client sending messages that the IP address changed and receiving acknowledgement that these message...

Page 60: ...ent receives the list of inverse split networks, it expands the 0.0.0.0 entry to include all of the directly connected local subnets detected on the host. Any additional subnets in the list are processed as before. After expansion, traffic destined for these subnets is allowed to flow outside of the tunnel. This option is valid for both the Inverse Split and Inverse Split Locally Connected modes, but it is real...

Page 61: ...nel Networks drop-down menu. 4 Select a network from the Inverse Split Tunnel Networks drop-down menu. 5 Click OK. Configuring tunneling modes using the CLI: the tunneling mode is selected in the CLI with the following command after entering group IPsec configuration mode: split-tunneling enable [inverse | inverse-local]. Table 7 Tunneling mode options. Split Tunneling Selection | Network Selection sent to C...
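The wildcard expansion described on page 60 is worth seeing as an algorithm, because it turns a static gateway list into a per-host exclusion set. The following Python is an added example, not Nortel code and not part of this manual: it expands a constructed inverse-split list against a constructed set of host interfaces and classifies destinations as tunnelled or not. Assumptions of the example: the wildcard entry is written 0.0.0.0/0, every other entry is a plain prefix, and the host's interfaces are a hard-coded list rather than a live query.

```python
"""Expand the 0.0.0.0 inverse-split wildcard and classify destinations.

Added example, not Nortel code. In inverse split tunneling, everything not
in the gateway's list goes through the tunnel; the wildcard entry is
replaced by the host's directly connected subnets so only those bypass it.
Assumptions: the wildcard is written 0.0.0.0/0, other entries are plain
prefixes, and the host's interfaces are a constructed list rather than a
live query.
"""
import ipaddress

WILDCARD = ipaddress.ip_network("0.0.0.0/0")


def expand_inverse_split(inverse_split_networks, local_interfaces):
    """Return the ordered, de-duplicated subnets that are reachable outside the tunnel.

    inverse_split_networks: prefixes the gateway sends for the group.
    local_interfaces: 'address/prefixlen' for each connected interface on the host.
    """
    expanded = []
    for entry in inverse_split_networks:
        net = ipaddress.ip_network(entry, strict=False)
        if net == WILDCARD:
            # The wildcard stands for whatever LANs the host is on right now.
            expanded.extend(ipaddress.ip_interface(i).network for i in local_interfaces)
        else:
            expanded.append(net)  # any other entry is processed as before
    unique = []
    for net in expanded:
        if net not in unique:
            unique.append(net)
    return unique


def leaves_tunnel(destination, outside_subnets):
    """True when traffic to destination bypasses the tunnel under inverse split."""
    ip = ipaddress.ip_address(destination)
    return any(ip in net for net in outside_subnets)


def classify(destinations, inverse_split_networks, local_interfaces):
    """Map each destination to 'outside' or 'tunnel' for the given host."""
    outside = expand_inverse_split(inverse_split_networks, local_interfaces)
    return {d: ("outside" if leaves_tunnel(d, outside) else "tunnel") for d in destinations}


if __name__ == "__main__":
    # Constructed gateway list and host interfaces.
    gateway_list = ["0.0.0.0/0", "10.20.0.0/16"]
    host_ifaces = ["192.168.1.23/24", "172.16.5.9/20"]
    for dst, path in classify(["192.168.1.99", "10.20.3.4", "8.8.8.8"], gateway_list, host_ifaces).items():
        print(dst, path)
    # Without expansion a literal 0.0.0.0/0 entry would send everything outside the tunnel:
    print("8.8.8.8 unexpanded:", leaves_tunnel("8.8.8.8", [WILDCARD]))
```

The last line shows why the expansion matters: taken literally, 0.0.0.0/0 matches every address and nothing would be tunnelled. The flip side is that the excluded set is whatever network the host happens to be attached to, so a client on an untrusted /16 excludes that whole range from the tunnel; that is the trade-off to weigh when choosing this option for a group.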

Страница 62: ...et Persistent tunneling provides a continuous connection After successfully establishing a tunnel session to the Contivity gateway the Contivity VPN Client makes every attempt to maintain a viable VPN connection without additional user intervention For further configuration information on IPsec mobility and persistence see Configuring Basic Features for the Contivity Secure IP Services Gateway Co ...

Страница 63: ... Gateway The IPsec Settings page opens 2 Enable NAT Traversal 3 Set the UDP port to an unused port Figure 24 shows the IPsec Settings page with NAT Traversal enabled and the UDP port set to an unused port Figure 24 IPsec Settings page 4 Select Profiles Groups Edit IPsec The Groups Edit IPsec page opens 5 Select one NAT Traversal type ...

Страница 64: ...64 Chapter 2 Customizing the client 311644 J Rev 00 Figure 25 shows the Group Edit IPsec page with one NAT Traversal type selected Figure 25 Groups Edit IPsec page 6 Click OK ...

Страница 65: ...e allows the Contivity VPN Client full access to the Microsoft Certificate storage and management tools The Microsoft Certificate storage and management tools use PKCS standards based messages and protocols to manage key pair generation and storage Microsoft Certificate storage also provides a mechanism to import digital certificates granted by third party Certification Authorities through the use...

Страница 66: ...patible with the Contivity gateway Version 3 65 or later due to the required certificate extension processing feature on the gateway MSCAPI server CRL checking MSCAPI server Certificate Revocation List CRL checking is disabled by default MSCAPI server CRL checking is governed by the HKLM Software Nortel Networks Extranet Access Client MSCAPIServerCRLCheck registry key If the parameter MSCAPIServer...

Страница 67: ...ial Generally a user wants to keep all private key information and key material private and protected The digital certificate is then retrieved as a PKCS 7 message and imported into the MS CAPI store through the Internet Explorer browser or the Internet options CertMgr tool When you request a digital certificate from the system housing the Microsoft CA the private key material is generated and sto...

Страница 68: ...o remember the request ID Importing a digital certificate into MS CAPI store There are two scenarios when you are importing a digital certificate into the MS CAPI store When you are using the Microsoft CA the import process can be done directly from Internet Explorer when retrieving the digital certificate from the CA When using other CA certificates the client user or CA administrator additionall...

Страница 69: ...ficate Installed and your new certificate has been successfully installed Netscape digital certificate retrieval After the Netscape CA administrator has approved the certificate it can be retrieved through the Netscape browser and imported directly into the MS CAPI store 1 Attach to the Netscape CA from your browser 2 Select the Retrieval tab 3 Type in the Request ID from the digital certificate r...

Страница 70: ... screen appears 5 Select Microsoft Stored Certificate then click on Next The Microsoft Certificate Store screen appears By default this screen lists all of the certificates available including the key usage field for the certificate If you check the Display Only Signature Certificate box only the digital signature is displayed Server certificate CRL checking MS CAPI support on the Contivity VPN cl...

Страница 71: ...rts Entrust Version 6 0 for Entrust single login The single login feature allows you to automatically authenticate to all certificate enabled applications with a single access to your certificate either an epf or tkn file during a login session If you have already presented your certificate to authenticate one application you are not prompted to present the certificate for other applications durin...

Page 72: ...Entrust .ini file (entrust.ini), which was created when you set up the Entrust PKI server. The Entrust error messages DLL file (enterr.dll) allows you to see more detailed Entrust error messages and information. Solutions to many of these error situations can be obtained through the Entrust knowledge base at http://www.entrust.com/support/index.htm. A valid support contract is required to register and access...

Page 73: ...e. The first two situations are similar because the PKI server is located in front of the Contivity gateway and is directly accessible from the Internet. When you provide access to the PKI through the firewall on ports 389 and 709, the second situation is the same as the first. The third situation requires remote users to also have an LDAP user name and password so that a temporary tunnel can be ...

Page 74: ... 709. Nortel has preconfigured a filter rule called Entrust PKI that allows access to the Entrust PKI server. You can choose this filter for any group from the Profiles > Groups > Edit > Connectivity > Configure screen. Set this filter, along with a deny-all filter, on the semi-public account that is set up. The Entrust PKI filter is made up of the following rules and should be customized by the administrator i...

Page 75: ...y VPN Client screen appears. 2. Select File > Connection Wizard. The New Connection Profile screen appears. 3. Enter a name and description, then click on Next. The Authentication Type screen appears. 4. Select Digital Certificate, then click on Next. The Digital Certificate Type screen appears. 5. Select Entrust Digital Certificate, then click on Next. The Entrust Certificate Profile Selection screen appears. 6. Cl...

Page 76: ... dial-up connection is necessary to access the Internet, then review the information on the Generate Certificate screen. This screen shows the information that is used to generate the authentication certificate and appears only if the PKI server is located behind the firewall. If everything is correct, click on Finish; a connection to the PKI is established that generates a new certificate. This complet...

Page 77: ...ides on an external server. When you enroll for a certificate, the certificate is deposited on the roaming server rather than on the user PC or smartcard. You log on to Entrust Entelligence, authenticate to the roaming server, and receive your certificate, which you then use to authenticate to Entrust-ready applications such as VPN. The Contivity client supports existing clients with .epf files located on th...

Page 78: ...als supplied by the Roaming Profile server. The Roaming Profile server must be accessible to the client PC before tunnel establishment. Offline Roaming means the client will use stored cache files for its credentials. Offline roaming is used when the Roaming server is unreachable. The roaming server and LDAP must be accessible to the client. If they are not accessible, then the firewall must be enabled ...

Page 79: ...st for Roaming Profiles. Three components are configured for Roaming Profiles: the Certificate Authority server, the Roaming Profile server, and the Roaming Profile clients. Configuring the Certificate Authority Server. From the Registration Authority (RA): 1. Export, edit and import the mastercert.spec file. 2. Edit the entmgr.ini file. 3. Edit the entrust.ini file and place it into the C:\WINNT directory. 4. Add a Roaming User ...

Page 80: ...e. It is only necessary to edit this file if off-line roaming is required. Default Variable Values: offline_prof_use 1. To edit the entrust.ini file: edit the entrust.ini file based on the Roaming requirements. Once the file is edited, place it on the CA Server, the Roaming Profile Server, and any client PC that will be running a Roaming Profile. Use the following edits to enable Roaming Profiles online. 4 lines...

Page 81: ...in the Type drop-down list. If you choose Web Server, you do not have to enter a first and last name as you do if you select Person. 4. Type a name for the server in the Name field. 5. Type a description of the server in the Description field. This information is not mandatory; use this field to record important information about the Roaming Server, for example its IP address. 6. In the Add to drop-down list, sel...

Page 82: ...dialog box appears, displaying the distinguished name of the Roaming Server you have just added along with the location of the .epf file. Install and Configure the Roaming Profile Server. Required software: Entrust Authority Roaming Server 6.0. 1. Make sure you have received the Roaming Administrator's Profile files and entrust.ini files. Place them on the hard drive. Place the entrust.ini into C:\WINNT. 2. In...

Page 83: ...Profile Clients. The following is the required software: Contivity VPN Client V05_01.103; Entrust Entelligence 5.02 or newer. There are three Entrust Dynamic Link Libraries (DLLs) that must be placed in the WINNT directory: kmpapi32.dll version 6.0.541.1210, enter.dll version 6.0.520.1241, etsesn32.dll version 6.0.531.1220. Place the edited entrust.ini into the C:\WINNT directory. Entrust Entelligence or the C...

Page 84: ...84 Chapter 3 Using certificates 311644-J Rev 00 ...

Page 85: ...ay log for further information. LOG_CONNLOST_KEEPALIVE: Contivity gateway did not respond to keep-alives; connection lost. Check the connection to the Contivity gateway and the dial-up connection for failure. LOG_NO_PROPOSAL: Encryption mismatch. The 56-bit client is attempting to connect to a Contivity gateway configured as 3DES. LOG_REMOVE: Unable to remove previous session log file. Check for DOS file prot...

Page 86: ...Restore the dial-up connection or LAN connection before reconnecting. LOG_CONNECTION_TERMINATE: This message is used with the security violation messages; the violation message appears, followed by the connection terminated message. LOG_CP_VIOLATE: Connection terminated due to client policy violation. Contact the Contivity gateway administrator. LOG_INSTALL_REBOOT: Reboot not performed after installation. L...

Page 87: ...NINSTALLED: The auto connection feature has been uninstalled by the Contivity gateway. LOG_CES_DISCONNECT: A disconnect message was received from the Contivity gateway. See the Contivity gateway log for further information. LOG_CLEAR_DNS: Windows 9x Clear DNS is set. LOG_FAIL_ACTIVATE: Client failover invoked. LOG_FAIL_CLEAR: Failover list set to none. LOG_FORCED_KEEPALIVES: NAT traversal forcing use of keep...

Page 88: ...88 Appendix A Client logging 311644-J Rev 00 ...

Page 89: ...4; DisplayReboot 34; domain login 23; E; EnableLogging 34; Entrust: authentication overview 72, certificate enrollment process 75, certificate enrollment tunnel 74, enrollment procedure 73; Entrust knowledge base 72; Entrust single login 71; Extranet Access Client dialog box 45; Extranet Access Client Status 46; F; FolderName 34; ForcedReboot 35; G; GINA chaining 58; graphical identification and authentication (GINA) ...

Page 90: ...ing 62; PKCS #12 65; PreserveTBKFile 37; ProductName 37; publications, hard copy 17; R; README.TXT 51; reboot 35; ReceiveBuffers 37; RemovePPTP 37; S; SendBuffers 37; setup.ini 32; setup.ini file: modifying 33, settings 33; single login, Entrust 71; SkipAutoDial 38; SkipAutoDialPrompt 38; SkipBindCheck 38; SkipLicenseAgreement 38, command line 38; SkipScreens 38; Supported UseTokens and TokenType Settings 31; T; task bar ico...
