Contivity VPN Client User and Administrator Guide

For: Macintosh, Mac OS X, Linux, Solaris, HP-UX, Windows CE

Part Number 314455-3.3
Version 3.3
July 2005


Copyright ©2005 by Apani Networks. All rights reserved.

This software or document (and the software described herein) is furnished under a license agreement between Apani Networks and the Licensee. The software may be used or copied only in accordance with the terms of the license agreement. The document may not be reproduced in whole or in part, except with the written permission of Apani Networks.

Product names mentioned in this document are trademarks or registered trademarks of their respective holders.

Published by:
Nortel Networks Corporation
8200 Dixie Road, Suite 100
Brampton, Ontario L6T 5P6
Canada

Nortel Networks
600 Technology Park Drive
Billerica, MA 01821-4130

Customer Support:
Voice: 1-800-4NORTEL
Web Page: http://www.nortel.com

For FAQs, follow the pathway: Customer Support > FAQ Search (selection on left side of screen) > Product family: Enterprise Data > Product: Contivity

For Technical Documentation, follow the pathway: Customer Support > Technical Documents > Select a Product: Contivity 4000 VPN Switches

The Apani Networks site is an excellent source of information. You can use the Apani Knowledge Base to search for FAQs pertaining to the Contivity VPN Client.

1. http://support.apani.com/kb/

2. Select Contivity VPN Client in the Select a Product list.

3. Click Start Search.


Contents

Chapter 1. Getting Started ... 1
  Organization of this Guide ... 2
  Conventions ... 3
    Product Name ... 3
    Cautionary Information ... 3
    Keyboard Conventions ... 3
    Typographical Conventions ... 4
    Typographical Terminology ... 4
  System Requirements ... 5
  What’s New in Version 3.3? ... 8
  Product Overview ... 9
    The Nortel Networks Contivity Switch ... 9
    The Contivity VPN Client ... 9

Chapter 2. Installing the Contivity VPN Client ... 11
  Configuring the Contivity Switch ... 13
    Initial Configuration ... 13
    Nortel Networks Contivity Switch Configuration ... 13
    Split Tunnel Inbound Port Filtering on Linux or Unix Computers ... 15
  Pre-Configuration ... 17
  Installing the Contivity VPN Client for Macintosh ... 19
  Installing the Contivity VPN Client for Macintosh OS X ... 22
  Installing the Contivity VPN Client for Linux ... 28
    Installing with RPM Distribution on RedHat with GCC 3.X ... 29
    Installing with RPM Distribution on SUSE 8.2 ... 30
    Installing with RPM Distribution on SUSE 9.0 through 9.3 ... 30
    Installing with TAR Distribution ... 31
  Installing the Contivity VPN Client for Solaris ... 32
    Requirements ... 32
    Dynamic Routing ... 32
    Installing with TAR Distribution ... 33
    Installation ... 33
  Installing the Contivity VPN Client for HP-UX ... 35
    Mounting the CD ... 35
    Installing with TAR Distribution ... 36
    Installing the Software ... 36
    Operational Note ... 37
  Installing the Contivity VPN Client for Windows CE ... 38
    Windows CE Compatibility ... 38
    Installation ... 38
    Configuration ... 38
  Registering the Contivity VPN Client Software ... 39
    New Registration ... 39
    Entering a New Registration ... 40
  Removing the Contivity VPN Client from Macintosh ... 42
  Removing the Contivity VPN Client from Macintosh OS X ... 44
  Removing the Contivity VPN Client from Linux ... 46
  Removing the Contivity VPN Client from Solaris ... 48
  Removing the Contivity VPN Client from HP-UX ... 50
  Removing the Contivity VPN Client from Windows CE ... 52
  Customizing User-Interface Graphics ... 53

Chapter 3. Configuring the Contivity VPN Client ... 55
  User Interface ... 57
  Launching the Contivity VPN Client ... 58
  Certificate Management ... 61
    Importing a CA Certificate ... 62
    Requesting a Certificate ... 63
    Importing a Certificate ... 67
    Deleting a Certificate ... 69
    Viewing Certificate Details ... 70
  Defining a New Connection Profile ... 71
    Completing the Connection ... 80
    Editing a Connection Profile ... 83
  Connecting the Contivity VPN Client ... 84
    Selecting the Connection Profile ... 84
    Completing the Connection ... 90
  Monitoring Connection History ... 92
    Connection Statistics ... 92
  Setting Client Preferences ... 93
    Audit Controls ... 93
    Controlling Audit Information Logging ... 94
    Notification Alerts ... 96
    Configuration Locking ... 97
  Viewing Audit Information ... 101
  Disconnecting the Contivity VPN Client ... 102
  Command Line Interface ... 103

Glossary ... 107

Index ... 115

Chapter 1. Getting Started

Contents of this Chapter

Organization of this Guide (page 2)
Provides an introductory overview of Contivity VPN Client functions.

Conventions (page 3)
Explains the typographical and command conventions used in this guide.

System Requirements (page 5)
Lists the system requirements for installing a Contivity VPN Client.

What’s New in Version 3.3? (page 8)
Provides a list of features that are new to Contivity VPN Client version 3.3.

Product Overview (page 9)
Provides a brief introduction to the Nortel Networks Contivity Switch and the Contivity VPN Client.

Organization of this Guide

This guide is organized as follows:

Chapter 1, Getting Started—introduces the guide, explains the conventions used in the guide, lists system requirements for the Contivity VPN Client, and provides an overview of the Contivity VPN Client.

Chapter 2, Installing the Contivity VPN Client—describes how to configure the Nortel Networks Contivity Switch for the Contivity VPN Client and how to install the Contivity VPN Client on supported systems.

Chapter 3, Configuring the Contivity VPN Client—a guide to the configuration and use of the Contivity VPN Client.

Glossary—provides brief definitions of security terms and terminology used in this guide.


Conventions

Product Name

Throughout most of this guide, the Contivity VPN Client is referred to simply as the Client and the Nortel Networks Contivity Switch is referred to simply as the Contivity Switch.

Cautionary Information

This guide presents several classes of cautionary information:

NOTE clarifies or identifies exceptions.

IMPORTANT calls your attention to information necessary to the proper installation and configuration of the Client.

CAUTION alerts you to situations that could result in unexpected or destructive results to data or software.

Keyboard Conventions

The following conventions are used in describing actions for you to take, methods of selecting and entering data, and operation of the system:

Computer dialog, code, file names, directory names, and screen instructions are represented by a mono-spaced font:

screen text display

Characters you enter on a command line are represented by bold mono-spaced type:

system text: your response

Optional text you enter on a command line is represented in mono-spaced italicized type. Where it is a term for a file name, directory name, path, or such, it is surrounded by angle brackets:

<filename>

The “|” character is used to signify one or the other:

<filename1>|<filename2>


Typographical Conventions

This guide uses the following typographical conventions:

The names of on-screen buttons, checkboxes, option buttons, and keys are in Bold Text with Initial Caps.

The names of windows, dialog boxes, lists, window elements, and dialog box elements are in Bold Italics, capitalized the same as the item.

The names of menus and menu items are in Bold Text. Menu selections are shown as:

Choose MenuName > Item1 > Item2

This means to select Item1 in the MenuName menu and then select Item2 in the sub-menu.

Numbered items in a list describe steps in a procedure that must be followed in order. Bulleted items in a list are members of a set or parts of a whole that have no order or priority.

Typographical Terminology

Press—means to press a particular key or key combination. It does not imply also pressing the Enter key:

Press Tab

Key Combinations—two or more keys that must be pressed simultaneously are linked by a plus sign:

Press Ctrl+Alt+Del

Type—means to type text, usually in a text box or scroll box within a dialog box. It does not imply to press the Enter (or Return) key. It is usually followed by a step such as “Click OK” or “Click Continue.”

Enter—means to type text and press the Enter (or Return) key when the text has been typed.


System Requirements

A Contivity VPN Client installation requires the following minimum configurations.

Mac OS 8/9
  Operating System: Mac OS
  System Version: 8.6 through 9.2.2
  Power Macintosh
  CD-ROM Drive
  10 MB of free disk space
  64 MB of RAM
  Ethernet card or dialup modem
  A web browser (Netscape and Internet Explorer are preferred.)

Mac OS X
  Operating System: Mac OS X
  System Version: 10.3 through 10.3.9, 10.4 through 10.4.1
  Power Macintosh or equivalent
  CD-ROM Drive
  10 MB of free disk space
  128 MB of RAM
  Ethernet card or dialup modem
  A web browser (Safari, Netscape, or Internet Explorer are preferred.)

Linux
  Linux for Intel x86 or equivalent processors
  Intel-based Linux system (The Client will not work on a Sparc-based system.)
  Linux kernel 2.4.x* and 2.6.x
  Operating Systems:
    RedHat Enterprise Advanced Server 3.0 to 4
    Fedora Core 1 through Core 4
    SUSE 8.2, 9.0, 9.1, 9.2, 9.3
  32 MB RAM (64 MB recommended)
  30 MB of free disk space
  Ethernet card or dialup modem
  CD-ROM Drive
  gcc 3.x (RedHat Enterprise Advanced Server 3.0 to 4, Fedora Core 1 to Core 4, and SUSE 8.2, 9.0, 9.1, 9.2, 9.3)
  kernel-source 2.4.x or 2.6.x
  A web browser (Netscape and Mozilla are preferred.)
  X Window System

  * If the system is using the 2.4.x kernel, the kernel headers 2.4.x package must be used. If the system is using the 2.6.x kernel, the kernel headers 2.6.x package must be used.

Solaris
  System Version: 2.7 to 2.9
  Sun SPARC platform
  CD-ROM Drive
  12 MB of free disk space; 32 MB of RAM
  Ethernet card
  A web browser (Netscape and Hot Java are supported.)

HP-UX
  System Version: 10.2x, 11.x
  HP-9000 series
  HP-VUE or HP-CDE GUI system (preferred)
  CD-ROM Drive
  10 MB of free disk space; 32 MB of RAM
  Ethernet card
  A web browser (Netscape is supported.)


Windows CE 2003, 2003 SE
  The Contivity VPN Client for Windows CE 2003 is supported on the following platforms only:
  • Dell Axim X3i
  • Dell Axim x30
  • Dell Axim x5
  • HP iPAQ 5555
  • Toshiba e750
  • Siemens SX-66
  Network connectivity: Ethernet, 802.11b wireless, and GPRS


What’s New in Version 3.3?

Mac OS 10.4 Support

The Client now supports Mac OS 10.4 (Tiger).

Linux

Added support for Fedora Core 3 and Core 4.

Added support for SuSE 9.2 and 9.3.

Added support for RedHat Enterprise Linux - Advanced Server 4.

Windows CE 2003

Added support for Siemens SX-66.


Product Overview

The purpose of the Client is to provide tunneled, secure communications between the Client computer and the Contivity Switch across an IP network, including the Internet and the local area network (LAN).

The Nortel Networks Contivity Switch

The Contivity Switch is a single hardware device that provides routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed IP networks and the Internet. Contivity Switches are used to connect remote users, branch offices, suppliers, and customers with the cost and performance advantages of shared IP networks and the security and control inherent in private networks.

The Contivity VPN Client

The Client is an intelligent, autonomous software agent residing in the computer for which communication is to be secured. All communications security functions are performed using the rules supplied by the Contivity Switch.

When the Client is installed, the Contivity Switch (according to the policies set by the network administrator) sends a set of security policies for the Client to follow when exchanging data with the Contivity Switch. These rules determine:

(1) the algorithm to be used for ESP encryption;

(2) if ESP data integrity checking is to be performed and if so, the algorithm to use;

(3) if anti-replay protection is to be provided;

(4) if Authentication Header (AH) integrity protection is to be applied.

Once these instructions are received directly from the Contivity Switch, the Client stores these rules locally and follows them autonomously when communicating with the Contivity Switch. The user of the Client computer can continue to operate as before except that all communications over the extranet or Internet are now protected with a layer of security as part of the network protocol.

Once connected to the Contivity Switch, the operation of the Client is transparent to the user and requires no user intervention.

Chapter 2. Installing the Contivity VPN Client

This chapter provides a list of required Contivity Switch settings to operate with the Contivity VPN Client, step-by-step instructions for the installation and removal of Contivity VPN Client software, and instructions for customizing the user-interface graphics on the Contivity VPN Client.

Contents of this Chapter

Configuring the Contivity Switch (page 13)
Provides instructions for configuring the Contivity Switch prior to installing the Client.

Pre-Configuration (page 17)
Provides a step-by-step procedure for pre-configuring Clients for mass deployment in a large installation.

Installing the Contivity VPN Client for Macintosh (page 19)
Provides a step-by-step procedure for installing a Client on a Macintosh system.

Installing the Contivity VPN Client for Macintosh OS X (page 22)
Provides a step-by-step procedure for installing a Client on a Macintosh OS X system.

Installing the Contivity VPN Client for Linux (page 28)
Provides a step-by-step procedure for installing a Client on a Linux system.

Installing the Contivity VPN Client for Solaris (page 32)
Provides a step-by-step procedure for installing a Client on a Solaris system.

Installing the Contivity VPN Client for HP-UX (page 35)
Provides a step-by-step procedure for installing a Client on an HP-UX system.

Installing the Contivity VPN Client for Windows CE (page 38)
Provides a step-by-step procedure for installing a Client on a Windows CE system.

Registering the Contivity VPN Client Software (page 39)
Explains the procedure for receiving a license code and registering your Contivity VPN Client.

Removing the Contivity VPN Client from Macintosh (page 42)
Provides a step-by-step procedure for removing the Client software and database from a Macintosh.

Removing the Contivity VPN Client from Macintosh OS X (page 44)
Provides a step-by-step procedure for removing the Client software and database from a Macintosh OS X system.

Removing the Contivity VPN Client from Linux (page 46)
Provides a step-by-step procedure for removing the Client software and database from a Linux system.

Removing the Contivity VPN Client from Solaris (page 48)
Provides a step-by-step procedure for removing the Client software and database from a Solaris system.

Removing the Contivity VPN Client from HP-UX (page 50)
Provides a step-by-step procedure for removing the Client software and database from an HP-UX system.

Removing the Contivity VPN Client from Windows CE (page 52)
Provides a step-by-step procedure for removing the Client software from a Windows CE system.

Customizing User-Interface Graphics (page 53)
Explains how to customize areas of the Graphical User Interface with user-provided art.


Configuring the Contivity Switch

The Contivity Switch must be configured for the Client prior to installing the Client. This is important because the Client accepts configuration settings that are sent down from the Contivity Switch during IKE negotiations.

Initial Configuration

This document assumes that you have already configured the Contivity Switch with basic settings including identity, private and public addresses, etc. Be sure that IPSec is enabled.

Nortel Networks Contivity Switch Configuration

To work with the Client, the Contivity Switch’s IPSec settings must be set according to the values in the following table.

"Supported" means the Client supports all valid options for this setting.

"Don’t Care" means the Client ignores this feature, but it may be supported by other clients.

Parameter: Setting(s) Allowed

Split Tunneling: Supported*
Split Tunnel Networks: Supported*

Client Selection
  Allowed Clients: Only Contivity Clients, or Both Contivity and Non-Contivity
  Allow undefined networks for non-Contivity clients: Supported

Authentication
  Database Authentication (LDAP)
    User Name and Password: Supported
    RSA Digital Signature: Don’t Care
    Default Server Certificate: Supported
  Radius Authentication
    User Name and Password: Supported
    Axent Technologies Defender: Don’t Care
    RSA Security SecurID: Supported

Encryption: Supported (all settings except 40-bit DES)
Perfect Forward Secrecy: Supported
Forced Logoff: Supported (up to 23:59, or 00:00 for off)
Client Auto Connect: Don’t Care
Banner: Supported
Display Banner: Supported
Client Screen Saver Password Required: Disabled (not supported)
Client Screen Saver Activation Time: Don’t Care
Client Failover Tuning: Supported
Allow Password Storage on Client: Supported on Macintosh, Linux, and Windows CE 2003 only
Compression: LZS Compression supported
IPSec NAT Traversal: Supported
Rekey Timeout: Supported
Rekey Data Count: Supported
Domain Name: Don’t Care (See note about Macintosh computers on page 58.)
Primary DNS: Supported
Secondary DNS: Supported
Primary WINS: Don’t Care
Secondary WINS: Don’t Care


* If using split tunneling with the Client located on a Linux or a Unix computer, please refer to the following section for port filtering requirements.

Split Tunnel Inbound Port Filtering on Linux or Unix Computers

Linux and Unix operating systems support multiple simultaneous users. In order to help prevent unauthorized access to the private network, the client automatically blocks inbound access to TCP and UDP ports 0 through 1023 on the client's local (public) network when you are connected to the Contivity Switch with split tunneling enabled. Remote systems and users cannot use services on these Well Known Ports while the client is connected. Existing, active communications through inbound ports 0 through 1023 will be blocked as soon as the client connects to the Contivity Switch.

NOTE: All inbound and outbound access on the Client’s local (public) network is blocked when the client is connected and split tunneling is disabled.

When the Client is connected with split tunneling enabled, the Client permits outbound access through all ports. The Client also permits inbound access through ports 1024 and above. This allows the local user to take advantage of split tunneling to connect to remote servers using web browsers and other applications.

Client Policy (Contivity Switch setting, continued from the table above): Macintosh: Don’t Care; Linux and Unix: Supported

NOTE: You must enable at least one of the following user authentication options:
  LDAP with User Name and Password
  LDAP with Default Server Certificate
  RADIUS with User Name and Password
  RADIUS with RSA Security SecurID


CAUTION: The Client cannot protect the Client computer, tunnel, and the private networks behind the Contivity Switch from all possible remote attacks, even though it blocks inbound access through ports 0 through 1023 (Well Known Ports) when connected. Access through higher ports is still possible. (The X Window System uses ports 6000 through 6063, for example.) The system administrator of the Client computer must frequently check to ensure that services have not been inadvertently or malevolently enabled on higher ports. We highly recommend that you enable a host-based firewall on the Client computer.

The Contivity Switch administrator can enable inbound access on one or more ports 0 through 1023 by creating a Client Policy on the Contivity Switch. See "Client Policy" in the "Group and User Configuration" chapter of the Nortel Networks Managing the Contivity Extranet Switch user guide. Keep in mind that creating a Client Policy blocks all inbound and outbound ports, except those specifically enabled by the Contivity Switch administrator.
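The check the CAUTION above asks the administrator to make, written out as an added example (it is not part of this guide or of the Client software): a shell function that reads `ss -tuln` output and flags every listening socket that the Client's block on ports 0 through 1023 does not cover. The verdicts follow the text above: ports 0 through 1023 are blocked by the Client on the public network, loopback-only sockets are unreachable from the LAN in any case, and anything else at 1024 or above is reachable from the local network while connected with split tunneling enabled. The sample `ss` output is constructed for the stand-alone run, and the column layout it parses is an assumption about the iproute2 `ss` tool rather than anything this 2005 guide describes.

```shell
#!/bin/sh
# Added example, not part of the Contivity guide or Client: audit the listening
# sockets on a Linux client for services that the Client's inbound block on
# ports 0-1023 does not cover while connected with split tunneling enabled.
#
# Assumption: input is `ss -tuln` output from iproute2, where field 5 is
# "LocalAddress:Port". Rows that are not tcp/udp (the header line) are skipped.

# Constructed sample of `ss -tuln` output for the stand-alone run (not real data).
SAMPLE_LISTENERS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:6000       0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:5353     0.0.0.0:*'

# audit_listeners: reads ss -tuln lines on stdin and prints, per socket,
#   <proto> <address> <port> <verdict>
# with verdict one of
#   local-only         bound to loopback, unreachable from the LAN in any case
#   blocked-by-client  port 0-1023, which the Client blocks on the public network
#   EXPOSED            port 1024 or above on a non-loopback address: reachable
#                      from the local (public) network while the tunnel is up
audit_listeners() {
    awk '
    $1 == "tcp" || $1 == "udp" {
        at = match($5, /:[0-9]+$/)      # position of the final ":<port>"
        if (at == 0) next
        addr = substr($5, 1, at - 1)
        port = substr($5, at + 1) + 0
        if (addr ~ /^127\./ || addr == "[::1]")
            verdict = "local-only"
        else if (port <= 1023)
            verdict = "blocked-by-client"
        else
            verdict = "EXPOSED"
        print $1, addr, port, verdict
    }'
}

# exposed_ports: only the EXPOSED sockets, as "proto/port", one per line.
exposed_ports() {
    audit_listeners | awk '$4 == "EXPOSED" { print $1 "/" $3 }'
}

# Stand-alone run over the constructed sample; on a real client use
#   ss -tuln | audit_listeners
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
```

On the sample the X server on tcp/6000 and the service on tcp/8080 come back EXPOSED; sshd on 22 and the DHCP client on udp/68 are covered by the Client's block, and the loopback-bound CUPS and mDNS sockets are not reachable from the LAN either way. Each EXPOSED line is a service to stop or a rule to add to the host-based firewall the CAUTION recommends, since the Client's own filter says nothing about those ports.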


Pre-Configuration

A pre-configuration allows you to configure a Client and then install a number of Clients with the same configuration. This precludes individual users from having to enter license codes, group IDs, and preferences. The primary purpose of a pre-configuration is to simplify the installation of large numbers (100+) of Clients.

If you are performing a pre-configuration on platforms with different operating systems, it may be necessary to change the file format of the database files before distributing to the other operating systems.

After a Client has been pre-configured, when the user first launches the Client, the Product Registration window will not appear and the user is taken directly to the Connections window. There is one exception to this rule.

If you are pre-configuring a multi-seat license installation, you might want to require the input of the seat number by each Client. To do this, enter a 0 (zero) as the seat number in the configuration of the first Client. Thereafter, each Client, when launched, will present the Product Registration window and require the input of a seat number.

To enter a zero for the seat number of the first Client, you must first enter a valid seat number. Then complete and test the configuration. Prior to performing step 3, below, edit the registration (see “Entering a New Registration” on page 40) and change the Seat Number to zero.

To perform a pre-configuration:

1. Perform a manual installation of the Client.

2. Configure the Client, following the instructions provided in Chapter 3, Configuring the Contivity VPN Client.

3. Copy the prefs.db and eac.db files to the same directory as the installer. This step differs slightly with different platforms.

Contivity VPN Client 17

Page 24: Contivity Client

Chapter 2. Installing the Contivity VPN Client

• For a Macintosh (Classic) installation:

Copy the .db files into the same directory as the installer.

• For a Macintosh OS X installation:

Copy the .db files into the same directory as the nleac.pkg file.

• For a Linux tar installation:

a. Untar the directory created by the tar file.

b. Copy the .db files to the nleac-<version> directory.

c. Re-tar the directory.

• For a Linux RPM installation:

Copy the .db files into the /usr/src/<distributor>/RPMS/i386 directory. This is the same directory where the binary package was placed during the rebuild for the first install.

• For a Solaris installation:

Copy the .db files to the directory containing the nleac package.

• For an HP-UX installation:

Copy the .db files to:

<top-distribution-dir>/nleac/catalog/nleac/km

NOTE: A pre-configured Client installation for Windows CE is not supported.

4. Using either a web distribution or creating a CDROM, install the Clients.

Each Client, when installed, will be configured as the original.
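Step 3 for the Linux tar distribution (untar, copy the .db files into the nleac-<version> directory, re-tar), as an added example rather than a procedure from this guide: a shell function that stages prefs.db and eac.db into a tar distribution and repacks it, refusing any archive that does not contain exactly one nleac-<version> directory so that a wrong or nested tarball is not silently repacked unchanged. The nleac-<version> directory name and the two file names come from the text above; the nleac-3.3 fixture and the placeholder .db contents the demo builds are constructed here and are not a real Client distribution or real configuration data.

```shell
#!/bin/sh
# Added example, not a procedure from the Contivity guide: stage a pre-configured
# Linux tar distribution (step 3 above) by untarring it, copying prefs.db and
# eac.db into the nleac-<version> directory, and re-tarring.
#
# Assumptions: the distribution tarball unpacks to exactly one top-level
# nleac-<version> directory, and the two database files are named prefs.db and
# eac.db as in the guide. The fixture built by demo_preconfig is constructed
# here and is not a real Client distribution.

# stage_preconfig_tar <dist.tar> <prefs.db> <eac.db> <out.tar>
# Writes the repacked archive to <out.tar> and prints its path. Fails, leaving
# no temporary files behind, if the archive does not contain exactly one
# nleac-<version> directory.
stage_preconfig_tar() {
    orig=$1; prefs=$2; eac=$3; out=$4
    work=$(mktemp -d) || return 1
    tar -xf "$orig" -C "$work" || { rm -rf "$work"; return 1; }
    set -- "$work"/nleac-*                      # glob the package directory
    if [ $# -ne 1 ] || [ ! -d "$1" ]; then
        echo "stage_preconfig_tar: expected one nleac-<version> directory in $orig" >&2
        rm -rf "$work"; return 1
    fi
    pkgdir=$1
    if ! cp "$prefs" "$pkgdir/prefs.db" || ! cp "$eac" "$pkgdir/eac.db"; then
        rm -rf "$work"; return 1
    fi
    ( cd "$work" && tar -cf - "$(basename "$pkgdir")" ) > "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    echo "$out"
}

# list_db_members <tar>: the prefs.db/eac.db entries inside an archive, sorted.
list_db_members() {
    tar -tf "$1" | grep -E '/(prefs|eac)\.db$' | sort
}

# Stand-alone demo on a constructed fixture: a fake nleac-3.3 tree and two
# placeholder .db files (not real Client configuration data).
demo_preconfig() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/nleac-3.3/bin"
    echo "placeholder binary" > "$tmp/nleac-3.3/bin/nleac"
    ( cd "$tmp" && tar -cf dist.tar nleac-3.3 )
    echo "constructed prefs" > "$tmp/prefs.db"
    echo "constructed eac" > "$tmp/eac.db"
    stage_preconfig_tar "$tmp/dist.tar" "$tmp/prefs.db" "$tmp/eac.db" "$tmp/dist-preconf.tar" >/dev/null
    list_db_members "$tmp/dist-preconf.tar"
    rm -rf "$tmp"
}

demo_preconfig
```

Run `stage_preconfig_tar nleac-<version>.tar prefs.db eac.db nleac-preconf.tar` on the workstation where the first Client was configured and tested, then distribute the output archive in place of the original; `list_db_members` on the result is a quick check that both files landed inside the package directory before the archive goes onto a CD-ROM or web server.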


Installing the Contivity VPN Client for Macintosh

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

To install the Client for Macintosh, perform the following steps:

1. Locate and launch the Contivity VPN Client Installer. Note: There are separate installers for MacOS versions (10.3—Panther and 10.4—Tiger).

The Contivity VPN Client splash screen appears.

Figure 2-1. Contivity VPN Client Splash Screen

2. Click Continue.

The License Agreement appears.

Figure 2-2. License Agreement

3. If you want to print a copy of the License Agreement, click Print. Click Save As to save a text copy of the License Agreement.

4. Click Continue when you are finished reading the License Agreement.

The Consent screen appears.

Figure 2-3. Consent Screen

5. Click Read Me to review the Read Me file.

6. Click Install to accept the License Agreement and continue with the installation, or click Quit to exit the installation.


The Installing dialog box appears and shows the progress of the installation. You can stop the installation at any time by clicking Stop.

After all installation files have been decompressed and installed, the Installation was successful dialog box appears.

Figure 2-4. Installation Was Successful Message

7. Click Restart to exit the Installer program and Restart the computer with the newly installed software.

After the computer restarts, you are ready to configure the Client. Those instructions are contained in the following chapter.


Installing the Contivity VPN Client for Macintosh OS X

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

To install the Client for Macintosh OS X, perform the following steps:

1. Display the Contivity VPN Client Installation CD-ROM (or folder from electronic download).

Figure 2-5. Macintosh OS X Install CD-ROM

2. Double-click Install Disk Image (.dmg) file.

A screen appears informing you that the install program requires an administrator password.

Figure 2-6. Macintosh OS X Install Authorization

3. Click on the lock image.

An authentication dialog box appears.

Figure 2-7. Macintosh OS X Install Authentication

4. Type your user name in the Name text box.

5. Type your administrator password in the Password or phrase text box.

6. Click OK.

The Contivity VPN Client Install screen appears.

Figure 2-8. Macintosh OS X Client Installer Screen

7. Click Continue.

The Release Notes appear.

Figure 2-9. Macintosh OS X Client Release Notes

8. Scroll to read the Read Me file, click Print to print the file, or click Save to write the file to another location.

9. Click Continue to continue with the installation.


The Software License Agreement appears.

Figure 2-10. Macintosh OS X Software License Agreement

10. Scroll to read the license agreement, click Print to print the file, or click Save to write the file to another location.

11. Click Continue to continue the installation.

A message appears asking you to agree to the terms of the license agreement.

Figure 2-11. Macintosh OS X Agreement to Terms of License

12. Click Agree to continue.

You are prompted for a destination for the installation.

Figure 2-12. Macintosh OS X Select Destination

13. Select the destination drive and click Continue.

You are prompted for the type of installation.

Figure 2-13. Macintosh OS X Type of Installation Prompt

14. To accept Easy Installation (recommended), click Install.


A message is displayed:

Installing this software requires you to restart your computer when the installation is done. Are you sure you want to install the software now?

15. Click Continue Installation to complete the installation.

Messages are displayed informing you of the progress of the installation.

At the completion of the installation, a message appears informing you that the software was successfully installed.

Figure 2-14. Macintosh OS X Installation Successful

16. Click Restart.

Your computer will now reboot.

Installing the Contivity VPN Client for Linux

NOTE: You must be logged on as root to execute the commands that will install the Client on Linux.

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

The Contivity VPN Client is shipped on a multi-platform CD-ROM. Use the mount command to mount the CD, then install the Client using either the RedHat Package Manager (RPM) distribution or TAR distribution. Assuming that the CD is mounted at "/cdrom", the full path to the Linux package would be "/cdrom/linux/nleac."

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.

Installing with RPM Distribution on RedHat with GCC 3.X

To install the Client on a Linux computer using RedHat with GCC 3 (RedHat Advanced Server 3.0 - 4 and Fedora Core 1 through Core 3*), use the following procedure:

The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:

rpmbuild --rebuild cvc_linux-rh-gcc3-[version]-0.src.rpm

This command rebuilds the Client and places the binary package in the /usr/src/redhat/RPMS/i386/ directory.

To install the package, enter the following command:

rpm -i /usr/src/redhat/RPMS/i386/cvc_linux-rh-gcc3-[version]-0.i386.rpm

Log out and log back in to the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

*Fedora Core 4 users must install using the TAR distribution.

Installing with RPM Distribution on SUSE 8.2

To install the Client on a Linux computer using SUSE 8.2, use the following procedure:

The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:

rpm --rebuild cvc_linux-suse-gcc3-[version]-0.src.rpm

This command rebuilds the Client and places the binary package in the /usr/src/packages/RPMS/i386/ directory (the SUSE build tree; the install command below reads from the same location).

To install the package, enter the following command:

rpm -i /usr/src/packages/RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm

Log out and log back in to the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing with RPM Distribution on SUSE 9.0 through 9.3

To install the Client on a Linux computer using SUSE 9.0-9.3 with GCC 3, use the following procedure:

The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:

rpmbuild --rebuild cvc_linux-suse-gcc3-[version]-0.src.rpm

This command rebuilds the Client and places the binary package in the /usr/src/packages/RPMS/i386/ directory.

To install the package, enter the following command:

rpm -i /usr/src/packages/RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm

Log out and log back in to the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.
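The three RPM procedures above have the same shape (rebuild the source RPM, then install the binary package it produces) and the same preconditions (root, and no earlier Client package left installed). The script below is an added example, not part of the guide or of the Client package: it derives the binary package path from the naming pattern the guide shows, refuses to proceed when a precondition fails, and runs the two commands, printing them instead when DRY_RUN=1. The build-tree roots (/usr/src/redhat for RedHat and Fedora, /usr/src/packages for SUSE) are taken from the procedures above; the file name in the usage comment is a constructed sample, and has_client_package is the query the guide uses for removal (rpm -qa | grep cvc) wrapped in a function so it can also be fed a constructed package list.

```shell
#!/bin/sh
# Added example, not part of the Contivity guide: pre-flight checks and path
# derivation for the "rebuild, then install" RPM procedure.
# Assumptions (taken from the guide's text, not verified against a package):
#   - the source RPM is named cvc_linux-<distro>-gcc3-<version>-0.src.rpm
#   - rpmbuild leaves the binary in <topdir>/RPMS/i386/ with an .i386.rpm suffix
#   - <topdir> is /usr/src/redhat on RedHat/Fedora and /usr/src/packages on SUSE
# Usage (file name is a constructed sample; DRY_RUN=1 only prints the commands):
#   DRY_RUN=1 sh cvc_rpm_install.sh cvc_linux-suse-gcc3-3.3-0.src.rpm suse

# rpm_topdir <redhat|suse> -> build tree root used by that distribution
rpm_topdir() {
    case "$1" in
        redhat) echo /usr/src/redhat ;;
        suse)   echo /usr/src/packages ;;
        *)      echo "unknown distribution: $1" >&2; return 1 ;;
    esac
}

# binary_rpm_path <src.rpm> <topdir> -> where "rpmbuild --rebuild" will leave
# the binary package.  Fails on anything that is not a *.src.rpm.
binary_rpm_path() {
    src=$(basename "$1")
    case "$src" in
        *.src.rpm) ;;
        *) echo "not a source RPM: $src" >&2; return 1 ;;
    esac
    stem=${src%.src.rpm}
    echo "$2/RPMS/i386/$stem.i386.rpm"
}

# has_client_package: reads package names (one per line, e.g. from "rpm -qa")
# on stdin and succeeds if an earlier Client package is among them.  The guide
# asks for such a package to be removed (rpm -e) before installing a new one.
has_client_package() {
    grep -q '^cvc_linux'
}

# install_client_rpm <src.rpm> <redhat|suse>
# Runs the guide's two commands only when every check passes; honours DRY_RUN=1.
install_client_rpm() {
    src=$1
    topdir=$(rpm_topdir "$2") || return 1
    bin=$(binary_rpm_path "$src" "$topdir") || return 1
    dry=${DRY_RUN:-0}
    if [ "$dry" = 1 ]; then run="echo DRY-RUN:"; else run="sh -c"; fi

    [ -f "$src" ] || { echo "source RPM not found: $src" >&2; return 1; }
    if [ "$dry" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "the guide requires root for this procedure" >&2; return 1
    fi
    if rpm -qa 2>/dev/null | has_client_package; then
        echo "an earlier Client package is installed; remove it first" >&2; return 1
    fi

    $run "rpmbuild --rebuild '$src'" || return 1
    if [ "$dry" != 1 ] && [ ! -f "$bin" ]; then
        echo "rebuilt package not found at $bin" >&2; return 1
    fi
    $run "rpm -i '$bin'" || return 1
    echo "installed $bin; log out and back in (a reboot is recommended) before using the Client"
}
```

Run it once with DRY_RUN=1 to see the exact commands and the derived package path for the distribution in use, then as root without DRY_RUN. Older SUSE 8.2 systems use `rpm --rebuild` rather than `rpmbuild --rebuild`, as the guide notes; adjust the first command for that case.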

Installing with TAR Distribution

To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:

# tar -xvf <file_name>.tar

Enter the new directory created by the TAR file:

# cd <directory_name>

Rebuild the package on the host where the Client is being installed:

# make all

To install the package, enter the following command:

# make install

Reboot the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing the Contivity VPN Client for Solaris

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

Requirements

In order to configure the Client and to access the on-line help, you must have a web browser installed on the host computer. The Contivity VPN Client prefers Netscape, but will also use the Sun HotJava browser.

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.

If you install a browser after the Client, make sure that a file called "netscape" exists in the standard command path. That file should call or point to the installed browser. For example, if you install Netscape at "/opt/NSCPcom/netscape," create a symbolic link called "/usr/bin/netscape" or change your command path to include "/opt/NSCPcom."

In order to install a Client on a Solaris system, you must have root or superuser permission.

Dynamic Routing

The Client will not operate on a Solaris system that has dynamic routing enabled. If dynamic routing is enabled, you must disable it prior to installing the Client.

To disable dynamic routing:

Create a file named /etc/defaultrouter.

The contents of the file should be the IP address of the router.

Installing with TAR Distribution

To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:

tar -xvf <file_name>.tar

Enter the new directory created by the TAR file and proceed with step 3 of a normal installation (on the following page). The unTARed files are in the directory <directory_name>.

Installation

To install the Client for Solaris:

1. Insert the CD into the drive.

The Solaris Volume Manager should mount the CD at /cdrom/cdrom0.

2. Change directory to the location of the Client installation software:

cd /cdrom/cdrom0/<path>

3. Enter the package installation command:

pkgadd -d . nleac

The version of the Client that is about to be installed is listed along with the first part of the User’s Sublicense Agreement. The User’s Sublicense Agreement is displayed in sections to allow it to be read in its entirety. Between each section, the following prompt is displayed:

Press RETURN to continue [?]

After the entire license agreement has been displayed, you are prompted to accept the agreement:

Do you accept the above license agreement [y, n, ?]

4. Press y to continue.

The installer checks the system to verify that the package can be installed and the install program provides you the opportunity to abort the installation.

Do you want to continue with the installation of <nleac> [y,n,?] y

5. Press y to continue the installation. (Pressing n or any other key will abort the installation.)

Files from the CD are copied to the system. A series of messages appears, listing the files as they are processed and ending with a message stating that the installation of the Client was successful.

6. Reboot the Solaris system to ensure proper operation and to start using the Client.

The installation of the Client is complete.

Installing the Contivity VPN Client for HP-UX

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

To install the Client software on a HP-UX computer, you must be logged on as root and be working from a Console window.

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.

Mounting the CD

For this procedure, the example mount point is:

/cdrom

The example CD-ROM drive is:

/dev/dsk/c0t2d0

1. Insert the CD into the drive.

2. If the pfs_mountd and pfsd daemons are not already running, enter the following commands. (If they are running, skip to step 3.)

nohup pfs_mountd &
nohup pfsd &

3. To mount the CD, enter the command:

pfs_mount -t rrip /dev/dsk/c0t2d0 /cdrom

After several messages, the # prompt indicates that the CD has been mounted.

4. Allow the local host to open X-windows on the console:

xhost +localhost

Installing with TAR Distribution

To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:

tar -xvf <file_name>.tar

Enter the new directory created by the TAR file and proceed with installing the software (below). The unTARed files are in the directory <directory_name>.

Installing the Software

1. To run the install program, enter the following command (entire command is on one line):

/usr/sbin/swinstall -i -x source_directory=/cdrom/<path>/nleac nleac

This command runs the installer, specifies that the software source is on the CD-ROM, and selects the Client for installation.

The Specify Source dialog box appears. The path you entered in the above step is displayed in the Source Depot Path text box.

2. Click OK.

The SD Install - Software Selection dialog box appears.

3. Choose Install (analysis) from the Actions menu.

The Install Analysis dialog box appears and the License Agreement window appears in the foreground.

4. Press Enter to scroll or Space to page through the license agreement. At the end, the following prompt appears:

Do you agree with the previous license agreement? [y or n]

5. Enter y to continue the installation. (Entering n or any other key will abort the installation.)

The License Agreement window closes. The Install Analysis dialog box advises you that the installation will begin. The installer will analyze your system, checking available disk space and operating system version number. When the analysis is completed, the OK button becomes active.

6. Click OK.

A Confirmation dialog box appears.

7. Click Yes to continue the installation.

A second Confirmation dialog box appears. The second confirmation is performed because the kernel will be modified, requiring a reboot.

8. Click Yes to continue the installation.

9. An Install Window appears and shows you the progress of the installation.

10. After the files are installed and the kernel is rebuilt, click Done.

11. Click OK to reboot the computer.

NOTE: The disks will be sync’d but shutdown scripts will not run.

Operational Note

The following note is specific to HP-UX 11 users only. It has nothing to do with the installation of the Client but should be considered before launching and using the Client on HP-UX 11.

HP-UX 11 pings its default gateway once every few minutes (Dead Gateway Detection). If it does not get a response from the gateway it stops sending packets. When a mandatory tunnel is established, the host will not be able to communicate with its local network, including the gateway.

As a result, the client will stop communicating with the switch after a few minutes.

To turn off dead gateway detection, issue the command:

ndd -set /dev/ip ip_ire_gw_probe 0

Configuring nddconf (/etc/rc.config.d/nddconf) turns off dead gateway detection permanently. Otherwise, the ndd setting is lost and dead gateway detection turns on again after a reboot.
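The ndd command above takes effect immediately but only until the next reboot; the permanent fix the note refers to is an entry in /etc/rc.config.d/nddconf, which HP-UX reads at boot. The functions below are an added example and not part of the guide or of the Client: they append the ip_ire_gw_probe entry to an nddconf file exactly once, so a second run cannot create a duplicate, conflicting entry. They assume nddconf's indexed triple layout (TRANSPORT_NAME[n], NDD_NAME[n], NDD_VALUE[n], with n counting from 0, and transport "ip" standing for /dev/ip) and take the file as a parameter so the change can be tried on a copy before the real file is touched.

```shell
#!/bin/sh
# Added example, not part of the Contivity guide: persist the
# "ndd -set /dev/ip ip_ire_gw_probe 0" setting in /etc/rc.config.d/nddconf.
# Assumption: nddconf holds numbered triples of the form
#   TRANSPORT_NAME[n]=ip
#   NDD_NAME[n]=ip_ire_gw_probe
#   NDD_VALUE[n]=0
# with n counting from 0.  The file path is a parameter so the functions can
# be exercised on a copy; the real file is /etc/rc.config.d/nddconf.

# nddconf_next_index <file> -> number of triples already present (0 if none)
nddconf_next_index() {
    n=$(grep -c '^TRANSPORT_NAME\[' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# nddconf_has <file> <ndd parameter> -> succeeds if the parameter is already set
nddconf_has() {
    grep -q "^NDD_NAME\[[0-9]*\]=$2\$" "$1" 2>/dev/null
}

# nddconf_entry <index> <transport> <parameter> <value> -> prints one triple
nddconf_entry() {
    printf 'TRANSPORT_NAME[%s]=%s\nNDD_NAME[%s]=%s\nNDD_VALUE[%s]=%s\n' \
        "$1" "$2" "$1" "$3" "$1" "$4"
}

# disable_dead_gateway_detection <file>
# Appends ip_ire_gw_probe=0 at the next free index.  Returns 2 (and changes
# nothing) if the parameter is already configured, so the operation is safe
# to repeat from a provisioning script.
disable_dead_gateway_detection() {
    file=$1
    if nddconf_has "$file" ip_ire_gw_probe; then
        echo "ip_ire_gw_probe is already set in $file" >&2
        return 2
    fi
    idx=$(nddconf_next_index "$file")
    nddconf_entry "$idx" ip ip_ire_gw_probe 0 >> "$file" || return 1
    echo "added ip_ire_gw_probe=0 as entry $idx in $file"
}
```

Typical use is `disable_dead_gateway_detection /etc/rc.config.d/nddconf` as root, followed by the guide's ndd command for the current session; `ndd -get /dev/ip ip_ire_gw_probe` then shows 0. The function only writes the file; it does not change the running kernel.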

Installing the Contivity VPN Client for Windows CE

IMPORTANT: You must remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so will result in a failure of the installation and of the PDA device as well.

Windows CE Compatibility

This version of the Netlock Contivity VPN Client is designed to be installed and run under Pocket PC 2003 and 2003 SE.

Installation

Installation can be done from a desktop computer using ActiveSync or directly on the PDA itself.

Installing from a Desktop:

Unzip the install package to a known location on the hard disk of the desktop machine.

Run the program setup.exe from that location.

This starts the desktop portion of the install. Accept the default for the location of the product on the PDA and observe that the desktop install starts the PDA install at the proper time and that it runs to completion. Reboot the PDA at this time.

NOTE: The Client requires installation in the default directory. If you choose an alternate location, the Client will not start.

Installing Directly:

1. Copy the .cab file to the PDA.

2. Double-click the .cab file.

The Client software is installed.

Configuration

The PDA must be rebooted after installation for the client to function.

Registering the Contivity VPN Client Software

New Registration

At the completion of installation when you first start the Client, the Product Registration window appears. You must enter your license code before any further operations can take place. If the Client has been pre-configured (see “Pre-Configuration” on page 17), the Product Registration window will not appear and the Connections window appears when the Client is first launched. An exception to that rule is: in a multi-seat license installation, if a 0 (zero) is entered as the seat number on the initial Client configuration, the Product Registration window will appear. In this case, you are prompted only for a Seat Number.

Figure 2-15. Product Registration Window

How and where you obtain the license code depends on where you purchased the Client.

Nortel Networks—If you purchased the Client from Nortel Networks, click the note at the bottom of the dialog box. You will be connected to the Apani Networks web site. A form is displayed which you fill out. When filling out the form, you will be asked to supply the registration code attached to the installation CD. Upon completion of the form, you will be given the license code.

Apani Networks—If you purchased the Client from Apani Networks, you were given the license code at the time of purchase.

1. Enter the license code in the License Code text box.

2. If this Client is one of a multi-seat license, type the assigned seat number for this client in the Seat Number text box.

3. Click Register.

A window appears with the message that the license code has been validated.

Figure 2-16. License Code Validated

4. Click OK.

The Connections window appears and you can begin the configuration and operation of the Client as described in Chapter 3.

Entering a New Registration

If for any reason you need to re-enter the license code or other registration information:

1. In any of the windows (such as Connections, Monitor, Preferences, etc.), click Registration in the left column of the window to display the Product Registration window.

Figure 2-17. Re-Displaying the Product Registration Window

2. Click Clear.

A confirmation prompt appears.

Figure 2-18. Confirming Clear Registration

3. Click Yes, Clear Registration.

The current registration is cleared and the initial Product Registration window appears, as shown in Figure 2-15.

Removing the Contivity VPN Client from Macintosh

IMPORTANT: This procedure completely removes the Client software from the Macintosh computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

To remove the Client from a Macintosh:

1. Delete the following files from the System folder by dragging them to the Trash:

In the Extensions folder:

Netlock Contivity Key Mgr
Netlock Contivity Menu Ldr
Netlock Contivity Port Scanner
Netlock Contivity Security Lib

In the Preferences folder:

The entire Netlock Contivity Client folder

NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the contents of the Netlock Contivity Client folder to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the contents of the Netlock Contivity Client folder.

2. Reboot the computer. Empty the Trash as soon as the computer has rebooted.

Removing the Contivity VPN Client from Macintosh OS X

IMPORTANT: This procedure completely removes the Client software from the Macintosh OS X computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

To remove the Client from a Macintosh OS X computer:

1. Display the hard disk (HD) map.

2. Select Library, then Application Support, then Netlock.

The Netlock map appears.

Figure 2-19. Macintosh OS X Netlock Screen

3. Double-click Uninstall.

The Uninstaller screen appears.

Figure 2-20. Macintosh OS X Uninstaller Screen

4. Click Uninstall.

A screen appears with a prompt to enter your Administrator Password.

Figure 2-21. Macintosh OS X Uninstall Enter Admin Password Prompt

5. Type the Administrator Password in the text box.

6. Click OK.

The uninstall process begins. A progress message is displayed followed by a message that the uninstall was successful.

Figure 2-22. Macintosh OS X Uninstall Successful

7. Click OK.

Removing the Contivity VPN Client from Linux

IMPORTANT: This procedure completely removes the Client software from the Linux computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

NOTE: You must be logged on as root to execute the command that will remove the Client from Linux.

To remove a Client from Linux, enter the following command:

If using RPM distribution:

• with RedHat 8.0 systems:

# rpm -e cvc_linux-rh8

• with other Linux systems:

Enter the following command to obtain the exact name of the installed package:

rpm -qa | grep cvc

The system will return the name of the installed rpm—something on the order of:

cvc_linux_rh_gcc<number>_<version_number>-0

Enter the command, giving the package name exactly as it was returned:

# rpm -e cvc_linux_rh_gcc<number>_<version_number>-0

If using TAR distribution:

# cd <directory with unTARed installation files>
# make uninstall

Reboot the Linux host computer.

NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.

Removing the Contivity VPN Client from Solaris

IMPORTANT: This procedure completely removes the Client software from the Solaris computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

To remove a Client from Solaris, perform the following steps:

1. Login as root.

2. At the Unix prompt, enter:

pkgrm nleac

A screen message appears, listing the Solaris version number and requesting confirmation for removal of the Netlock Extranet Access Client package.

The following package is currently installed:
nleac Netlock Extranet Access Client
(sparc) (version number)

Do you want to remove this package?

3. Enter y to continue removal of the Client package.

A second request appears, confirming removal of the Client package.

## Removing installed package instance <nleac>
This package contains scripts which will be executed with super-user permission during the process of removing this package.
Do you want to continue the removal of this package (y,n,?,q)

4. Enter y to confirm removal of the Client.

A series of messages appear, describing the step-by-step removal process and finishing with the message that the removal of the Client was successful.

/etc/netlock <non-empty directory not removed>
## Executing postremove script.
Removing Agent log files.
Removing Agent database files.
Removing directory /etc.
## Updating system information.
Removal of <nleac> was successful.

5. Reboot the Solaris system to ensure proper operation.

The removal of the Client is now complete.

NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.

Removing the Contivity VPN Client from HP-UX

IMPORTANT: This procedure completely removes the Client software from the HP-UX computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

To remove a Client from HP-UX, perform the following steps:

1. Login as root.

2. At the Unix prompt, enter:

/usr/sbin/swremove -i nleac

3. The Remove Agent window appears.

4. Select Remove (analysis) in the Actions menu.

The Remove (analysis) dialog box appears.

5. Click OK.

The Remove Agent Confirmation dialog box appears.

6. Click Done.

The installer will prompt to reboot the system.

7. Click OK.

The removal of the Client from HP-UX is now complete.

NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.

Removing the Contivity VPN Client from Windows CE

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 102.

To remove the Client software from the PDA:

Select the Remove Programs applet under Settings.

Customizing User-Interface Graphics

The Client allows you to add customized graphic art to the various windows. With this feature, you can add graphics that are meaningful to your application, such as a logo or business unit representation. The graphics files packaged with the Client software are used if you do not specify customized graphics. The ability to customize user-interface graphics is applicable to all platforms that run Client software.

The graphics must be in CompuServe Bitmap (GIF) format. There are two graphics that can be customized (listed in the table below and illustrated in Figure 2-23). The graphics replace the logos for Nortel Networks and Apani Networks.

For Macintosh computers:

To add a customized graphic, add the applicable GIF file to the Netlock Contivity Client folder in the Preferences folder. The graphic will appear in the appropriate windows after the system is started the next time.

For other computers:

To add a customized graphic, create the graphic with the file name and size as shown in the following table. Copy or move the file to the /etc/netlock directory. The graphic will display in the GUI after the computer has been restarted.

The graphics files, their required sizes (in pixels), and their current applications are:

File Name   Size         Application
logo1.gif   100w x 32h   Nortel Networks Logo
logo2.gif   72w x 32h    Apani Networks Logo

Examples of the customized displays are shown in Figure 2-23.
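Because the Client picks these files up from /etc/netlock (or the Netlock Contivity Client preferences folder) at the next start, it is worth confirming, before a restart, that what was dropped there really is a GIF of the required size rather than a renamed file of some other type. The functions below are an added example and not part of the guide or of the Client software: they read the GIF header (the 6-byte signature, then the logical screen width and height as two little-endian 16-bit values) with dd and od, and compare the result with the table above. The expected sizes come from the table; the sample files built in the test are constructed minimal headers, not complete images.

```shell
#!/bin/sh
# Added example, not part of the Contivity guide: check that a custom logo
# file is a GIF with the size the guide's table requires before it is placed
# in /etc/netlock.  Uses only dd, od and shell arithmetic (POSIX tools).

# gif_dims <file> -> prints "WxH" from the GIF header, or fails if the file
# does not start with GIF87a/GIF89a or is too short to carry a size.
gif_dims() {
    f=$1
    sig=$(dd if="$f" bs=1 count=6 2>/dev/null || true)
    case "$sig" in
        GIF87a|GIF89a) ;;
        *) echo "$f: not a GIF" >&2; return 1 ;;
    esac
    # bytes 6..9: width and height, each a little-endian unsigned 16-bit value
    set -- $(od -An -tu1 -j6 -N4 "$f")
    [ $# -eq 4 ] || { echo "$f: truncated GIF header" >&2; return 1; }
    echo "$(( $1 + 256 * $2 ))x$(( $3 + 256 * $4 ))"
}

# expected_logo_size <file> -> required "WxH" for that file name (guide's table)
expected_logo_size() {
    case "$(basename "$1")" in
        logo1.gif) echo 100x32 ;;
        logo2.gif) echo 72x32 ;;
        *) echo "not one of the customizable files: $1" >&2; return 1 ;;
    esac
}

# check_logo <file> -> 0 if the file is a GIF of the required size, else 1
check_logo() {
    want=$(expected_logo_size "$1") || return 1
    got=$(gif_dims "$1") || return 1
    if [ "$got" = "$want" ]; then
        echo "$1: OK ($got)"
    else
        echo "$1: size is $got, required $want" >&2
        return 1
    fi
}
```

Run `check_logo /etc/netlock/logo1.gif` after copying the file and before restarting; a failure means the Client would load a file that is not what the table calls for.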

Figure 2-23. Customize GUI Display (logo1.gif, logo2.gif)

Chapter 3. Configuring the Contivity VPN Client

This chapter explains how to establish a connection between the Client and the Contivity Switch. It also explains how to monitor Client status, how to control the logging of Alert information, and how to disconnect and reconnect the Client.

Contents of this Chapter

User Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 57

Discusses the two types of user interface provided by the Contivity VPN Client.

Launching the Contivity VPN Client - - - - - - - - - - - - - - - - - - - 58

Explains the procedures for launching the Client after installation and license registration and prior to establishing a new connection.

Certificate Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - 61

Explains the procedures for using digital certificates and for importing certificates and CA certificates.

Defining a New Connection Profile - - - - - - - - - - - - - - - - - - - - 71

Explains the step-by-step manual procedures for defining a connection profile prior to establishing a new connection between the Contivity VPN Client and the Nortel Networks Contivity Switch.

Connecting the Contivity VPN Client - - - - - - - - - - - - - - - - - - - 84

Explains the step-by-step procedure for establishing the connection between the Contivity VPN Client and the Contivity Switch using a defined connection profile or re-connecting the Client after it has been disconnected.

Monitoring Connection History - - - - - - - - - - - - - - - - - - - - - - 92

Explains the procedure for viewing the status of the Contivity VPN Client connection.

Setting Client Preferences - - - - - - - - - - - - - - - - - - - - - - - - - - - 93

Explains the procedures for controlling what audit and error information will be logged, controlling the maximum log file size, enabling or disabling the display of alerts information messages, and controlling configuration lockdown features.

Viewing Audit Information - - - - - - - - - - - - - - - - - - - - - - - - - 101

Explains the procedure for viewing the log files of audit and error information.

Disconnecting the Contivity VPN Client - - - - - - - - - - - - - - - 102

Explains the step-by-step procedure for disconnecting the Contivity VPN Client from the Contivity Switch.

Command Line Interface - - - - - - - - - - - - - - - - - - - - - - - - - - 103

Provides instructions for the operation of the Contivity VPN Client using the command line interface instead of the graphical user interface.

User Interface

The Client provides a graphical user interface (GUI).

The instructions on the following pages illustrate the use of the GUI in the operation of the Client.

A command line interface is available for Client users on Macintosh OS X and Linux computers.

The command line interface does not duplicate the functionality of the GUI. Its main purpose is to be used in shell scripts that connect to the Contivity Switch, allow limited operations such as file transfers, and disconnect.

The instructions for using the command line interface begin on page 103.

Launching the Contivity VPN Client

IMPORTANT: The operation and appearance of windows differ from one browser to another. The contents of the windows are the same. The illustrations that follow all show windows in a Safari browser on a Macintosh OS X system. Where procedural steps and descriptions are different from Macintosh to Linux and Unix systems, those differences are noted in the text.

NOTE: If your TCP/IP configuration uses dialup PPP (Pass or Remote Access) or a similar non-continuous network connection, you must first connect to the network using your dialup tool before launching the Client.

NOTE: On Macintosh computers only: The Default Domain Name list in the TCP/IP Control Panel is not changed when connection is made to the Contivity Switch. You can use fully qualified domain name(s) or add additional names to the list. You might want to create two TCP/IP Control Panel configurations. Enable one prior to connecting to the Contivity Switch and use the other configuration at all other times.

After completion of a new installation and rebooting:

• on Macintosh (Ver. 8 and 9) computers, a Netlock icon is displayed on the menu bar

• on Mac OS X computers an Alias is created and labeled Netlock Contivity VPN Client.url

• on Windows CE (PDA) computers, Contivity VPN Client selection is listed under the Start menu or the Start/Programs menu

• on other computers, a Netlock icon is displayed on the front panel

Figure 3-1. Netlock Icon on Menu Bar

Depending on the type of computer you have:

• On Macintosh computers:

1. Click the Netlock icon on the menu bar.

A drop-down menu appears.

Figure 3-2. Client Menu (as seen on Macintosh)

2. Choose Extranet Access Client.

The browser launches and the Connections window appears.

• On Macintosh OS X computers:

Click the Netlock Contivity VPN Client icon.

The browser launches and the Connections window appears.

• On other computers (Linux, Solaris, and HP-UX):

1. Click the expand arrow above the Netlock icon on the Front Panel. Or, on the command line, enter the command:

start_cvc

A pop-up menu appears.

2. Choose Extranet Access Client.

The browser launches and the Connections window appears.

• On Windows CE computers:

1. Click Contivity VPN Client under the Start menu or the Start/Programs menu.

The browser launches and the Connections window appears.

NOTE: Another way to launch the Client is to load the browser and go to the URL "http://127.0.0.1:9161" or "http://localhost:9161".
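The Client's browser interface is served on TCP port 9161 of the local host. The guide does not say whether that listener is bound only to the loopback interface, so an administrator rolling the Client out may want to confirm that the interface is not reachable from other hosts on the network. The following is an added example, not code from the guide or from the Client software: it parses the Linux `netstat -an` listing (the sample lines are constructed; Solaris and HP-UX lay the columns out differently, so the field positions would need adjusting there) and reports the local addresses on which port 9161 is listening.

```python
import ipaddress

# Constructed sample output in the Linux "netstat -an" column layout:
# Proto Recv-Q Send-Q Local Address Foreign Address State
SAMPLE_LOOPBACK = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9161          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:45122        198.51.100.7:500        ESTABLISHED
"""

# Constructed sample where the same port is bound to every interface.
SAMPLE_WILDCARD = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9161            0.0.0.0:*               LISTEN
tcp6       0      0 :::9161                 :::*                    LISTEN
"""


def listening_addresses(netstat_output, port):
    """Return the local addresses on which a TCP socket is LISTENing on `port`."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers, UDP rows and anything that is not in LISTEN state.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 literals such as ::1:9161 keep their address part.
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            found.append(host)
    return found


def is_loopback_only(addresses):
    """True only if every listener is bound to a loopback address.
    A wildcard bind (0.0.0.0 or ::) makes the port reachable from other hosts,
    and no listener at all means the UI is not running, which is also reported as False."""
    if not addresses:
        return False
    for host in addresses:
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            return False
        if addr.is_unspecified or not addr.is_loopback:
            return False
    return True


def check_client_ui_exposure(netstat_output, port=9161):
    """Summarize where the Client UI port is bound, for a rollout checklist."""
    addrs = listening_addresses(netstat_output, port)
    return {"port": port, "listeners": addrs, "loopback_only": is_loopback_only(addrs)}


if __name__ == "__main__":
    print(check_client_ui_exposure(SAMPLE_LOOPBACK))
    print(check_client_ui_exposure(SAMPLE_WILDCARD))
```

On a live system, pipe the real `netstat -an` output into `check_client_ui_exposure` instead of the constructed samples; a result with `loopback_only` false for port 9161 is worth raising with the administrator before the Client is deployed widely.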

Figure 3-3. Connections Window

To establish a new connection between the Client and the Contivity Switch, follow the procedures in “Defining a New Connection Profile” on page 71.

If you are re-connecting to the Contivity Switch or if your connection has been pre-configured, follow the procedure in “Connecting the Contivity VPN Client” on page 84.

If you will be using Certificate Authorization to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, follow the procedures in the next section to import and assign your personal certificate. After that, follow the procedures to establish a new connection or to re-connect, as appropriate.

Certificate Management

The Client supports the use of X.509 Version 3 public key certificates to bind public key values to the Client and the Contivity Switch. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. These digitally signed certificates (CA certificates) provide each Client and Contivity Switch with the confidence that the associated key is owned by the correct system with which secure communications will be established. The CA certificate is used to validate the certificate provided to the Client by the Contivity Switch when the Client establishes a connection with the Contivity Switch.

If you are using Certificate authorization to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, the personal certificate and CA certificate must be in place prior to establishing a connection. Use the procedures in this section to request a personal certificate, to request a CA certificate, to import certificates, to view certificate details, to assign a certificate, and to delete a certificate.

Certificate management is performed with the Certificate Management window.

To display the Certificate Management window, click Certificates in the left column of the first Connections window (see Figure 3-3).

The Certificate Management window appears.

Figure 3-4. Certificate Management Window

Before you can use your personal certificate, you must have imported a CA certificate. This is a signed certificate from your designated Certificate Authority (CA) that validates the certificates issued by the CA.

Importing a CA Certificate

To import a CA certificate:

1. In the Certificate Management window, click CA Certs in the left column.

The Certificate Management window displays CA Certificates.

Figure 3-5. CA Certificate Management

No CA Certificates should be listed at this time.

2. Click Add.

The Certificate Management window appears.

Figure 3-6. Add a CA Certificate

3. Do one of the following to specify the CA certificate file:

• Type the full path of the file containing the CA certificate in the Filename text box and click Import.

• Go to the CA certificate file, cut and paste the certificate into the Certificate panel.

4. With either a file name listed or the CA certificate displayed, click Add.

The CA certificate is imported into the Client and will be used to validate personal certificates imported from now on.

Requesting a Certificate

To establish a connection using personal certificate authorization, you must have imported the certificate and added it to the certificate store. This is a four-part process:

• Generate the Certificate Signing Request (CSR)

• Submit the CSR to the CA

• Import the certificate from the CA

• Add the certificate to the certificate store

This section explains how to request a certificate by (1) generating a request and (2) exporting the request. Importing and assigning the certificate is covered in the following section.

Generating a Certificate Request

To generate a Certificate Signing Request (CSR):

1. In the Certificate Management window (see Figure 3-4), click Requests in the left column.

The Certificate Management window displays Pending Certificate Requests (which at this point should display "No pending certificate requests.").

Figure 3-7. No Pending Certificate Requests

2. Click New.

The Certificate Signing Request form appears in the Certificate Management window.

Figure 3-8. Certificate Signing Request Form

3. Type the required information in the appropriate text boxes. Type a 6-character passphrase in the Passphrase text box. Type the passphrase again. (You will need this passphrase for authorization when connecting the Client to the Contivity Switch.)

4. Click Generate Request.

The Certificate Management window lists the new request.

Figure 3-9. New Pending Certificate Request

Exporting a Certificate Request

When the Certificate Signing Request (CSR) has been created, you can export it to the Certificate Authority (CA).

1. In the Certificate Management window shown in Figure 3-9, click Export.

The Certificate Management window displays the CSR export form.

Figure 3-10. Exporting the CSR

The CSR is displayed in the CSR panel.

2. To export the CSR, you can either:

• Type a file name in the Filename text box where the CSR is to be sent and click Export.

• Or cut and paste the CSR from the display to the export location.

3. Click Continue.

The process of receiving the CSR and generating a new certificate is a function of the CA. At the completion of the process, the new certificate will be in a location where you can then import it into the Client.

Importing a Certificate

When a CSR is sent to the CA, a new certificate is generated. That certificate will be in a file or on a server, ready to be imported. The actual location and the method of generating the certificate varies depending on the particular CA being used.

IMPORTANT: The certificate can be in either binary or base-64 encoded format. If using base-64 encoded format, you should be aware of line endings if transferring files between Windows, Unix, and Macintosh computers because all of those systems use different line endings.
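To check a certificate file before pasting or importing it, as an added example that is not part of the guide or of the Client software: the Python below tells a base-64 (PEM) file from a binary (DER) file, rewrites CRLF and bare CR line endings to LF so a certificate that passed through a Windows or classic Macintosh system pastes cleanly on a Unix host, and compares the length declared by the outer DER SEQUENCE with the number of bytes actually present, which catches a file truncated in transfer. The sample PEM block is constructed: its body is a five-byte placeholder SEQUENCE, not a real certificate.

```python
import base64
import re

# Matches one PEM block after line endings have been normalized to LF.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def normalize_line_endings(data):
    """Rewrite CRLF (Windows) and bare CR (classic Mac OS) endings to LF and drop
    blank lines and surrounding whitespace, giving the form a Unix-side import expects."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [ln.strip() for ln in text.split(b"\n") if ln.strip()]
    return b"\n".join(lines) + b"\n"


def detect_format(data):
    """Classify a certificate file as 'pem' (base-64 armored), 'der' (binary) or
    'unknown'. A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30)."""
    if b"-----BEGIN " in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def pem_to_der(data):
    """Extract and base-64 decode the first PEM block, whatever its line-ending style."""
    match = PEM_BLOCK.search(normalize_line_endings(data))
    if match is None:
        raise ValueError("no PEM block found")
    body = b"".join(match.group(2).split())
    return base64.b64decode(body, validate=True)


def der_declared_length(der):
    """Return the total length the outer DER SEQUENCE claims: tag byte plus length
    bytes plus content. A file cut short in transfer declares more than it contains."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    num_bytes = first & 0x7F               # long form: count of length bytes follows
    content_len = int.from_bytes(der[2:2 + num_bytes], "big")
    return 2 + num_bytes + content_len


def check_certificate_file(data):
    """Summarize a certificate file before handing it to the Client's Add form."""
    fmt = detect_format(data)
    if fmt == "pem":
        der = pem_to_der(data)
    elif fmt == "der":
        der = data
    else:
        return {"format": fmt, "complete": False, "der_length": 0}
    declared = der_declared_length(der)
    return {"format": fmt, "complete": declared == len(der), "der_length": len(der)}


# Constructed sample: a minimal SEQUENCE { INTEGER 5 } standing in for a certificate
# body, armored as PEM with classic Mac OS (CR-only) line endings.
SAMPLE_PEM_CR = b"-----BEGIN CERTIFICATE-----\rMAMCAQU=\r-----END CERTIFICATE-----\r"
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    print(check_certificate_file(SAMPLE_PEM_CR))
    print(check_certificate_file(SAMPLE_DER))
    print(check_certificate_file(SAMPLE_DER[:-1]))   # truncated file: complete is False
```

For a real certificate, read the file in binary mode and pass the bytes to `check_certificate_file`; if the result says `complete` is false, obtain the file again rather than pasting it into the Certificate panel, since a truncated certificate will be rejected at import or, worse, fail only when a connection is attempted.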

To import a new certificate:

1. The Certificate Management window should be displayed with Local Certs selected.

Figure 3-11. Certificate Management Window

2. Click Add.

The Certificate Management window displays a form for importing a personal certificate.

Figure 3-12. Importing a Personal Certificate

3. Do one of the following to specify the certificate file:

• Type the full path of the file containing the certificate in the Filename text box and click Import.

• Go to the certificate file, cut and paste the certificate into the Certificate panel.

4. Click Add.

The Certificate Management window displays the certificate information and notifies that the import was successful.

Figure 3-13. Certificate Imported

The window shown above can contain more than one certificate. You will select the certificate to use for your personal certificate authorization. This is explained in the following section, "Establishing a New Connection."

5. Click Connections in the left column to close the Certificate Management window and return to the Connections window.

When you get to the step in establishing a new connection where you must give the name of the certificate, you can select from a pull-down list of certificates.

Deleting a Certificate

To delete a certificate:

1. If you are in the Connections window, click Certificates in the left column to display the Certificate Management window.

Figure 3-14. Personal Certificates Listed

2. Select the certificate that you want to delete.

3. Click Delete.

Viewing Certificate Details

To view the details of a certificate:

1. In the Certificate Management window, click Local Certs to view the list of certificates currently imported into the Client (see Figure 3-14, above).

2. Select the certificate from the list.

3. Click Show.

The window displays a view of the certificate details.

Figure 3-15. Certificate Details

4. Click Continue to close the window and return to the Certificate Management window.

Defining a New Connection Profile

When the Client is launched, the Connections window is displayed. (If you have been importing a certificate or performing a similar function and are in the Certificate Management window, click Connections in the left column.)

The procedures described below are predicated on this being a new connection for which you are creating a configuration profile.

If a connection has already been defined, or if your system administrator has defined the connection and enabled configuration lockdown, follow the procedures described in “Connecting the Contivity VPN Client” on page 84.

If a connection has been previously established but you want to define a new configuration profile, follow the procedure described below.

Figure 3-16. Contivity VPN Client New Connections Window

A connection profile is identified by a Connection Name. The profile specifies the user name and password (if required), the destination name or address, and the authentication method to be used to complete the connection. There may be numerous connection profiles from which to choose. It is also possible that the system administrator will pre-define a profile and then enable configuration lockdown, in which case no selection of (or changes to) connection profiles can be made.

To define a new connection profile:

1. Click New.

The page to define a new connection profile appears.

Figure 3-17. Define a New Connection Profile

2. Type a name for the connection in the Connection Name text box.

3. Type the address of the Contivity Switch in the Destination text box.

The address can be either a dotted-decimal IP address (nnn.nnn.nnn.nnn) or a host name that can be resolved by DNS lookup.

4. Click Next.

The page to select the method of authentication appears.

Figure 3-18. Selecting the Authentication Method

5. Select one of the three authentication methods.

6. Click Next.

7. How you proceed now depends upon the method of authentication that you selected in Step 5 and that will be used for this connection profile.

• If authorization will be only with a User Name and Password, continue with "User Name and Password Authentication," below.

• If authorization will be by Certificate Authorization, continue with the procedure under “Digital Certificate Authentication” on page 75.

• If authorization will be by any of the optional Group Authentication methods (such as RADIUS) where you were given a Group ID and Password and possibly an RSA SecurID Token or Card, continue with the procedure under “Group Security Authentication” on page 76.

User Name and Password Authentication

If you selected User Name and Password Authentication in the page shown in Figure 3-18, a page for you to specify a user name appears.

Figure 3-19. Selecting a User ID

1. Type a User ID in the User ID text box.

2. Select Prompt or leave unselected.

If you select Prompt, you will be prompted to type in the User ID on the New Connections page, like this:

If you leave Prompt unselected, the User ID will appear on the New Connections page without prompting, as shown in Figure 3-20, below. Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.

3. Click Finish.

The Connections window appears with the connection profile for this connection displayed.

Figure 3-20. User Name in Connections Window

4. Type the password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and Unix systems.

You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.

5. Continue with the procedure described in “Completing the Connection” on page 80.

Digital Certificate Authentication

If you selected Digital Certificate Authentication in the page shown in Figure 3-18, a page for you to specify a certificate appears.

Figure 3-21. Selecting a Certificate

1. Select a certificate from the Default Cert list.

If no certificates are listed, a certificate or certificates will have to be imported. See “Importing a Certificate” on page 67.

2. Select Prompt or leave unselected.

If you select Prompt, you will be prompted to type in the certificate name on the New Connections page, like this:

If you leave Prompt unselected, the certificate will appear on the New Connections page without prompting, as shown in Figure 3-32, below. Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.

3. Click Finish.

The Connections window appears with the connection profile for this connection displayed.

Figure 3-22. Certificate Name in Connections Window

4. Type the passphrase that you used when generating the Certificate Signing Request in the Passphrase text box.

The use of the passphrase protects the integrity of the signed digital certificate.

5. Continue with the procedure described in “Completing the Connection” on page 80.

Group Security Authentication

If you selected Group Security Authentication in the page shown in Figure 3-23, a page appears for you to specify one of the Group Authentication Options.

Figure 3-23. Selecting Group Authentication Options

1. Type a User Name in the User Name text box.

2. Select Prompt or leave unselected.

If you leave Prompt unselected, the User Name will appear on the New Connections page without prompting, like this:

Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.

If you select Prompt, you will be prompted to type in the User Name on the New Connections page, as shown in Figure 3-27, Figure 3-28, or Figure 3-26, below.

3. Type the Group ID in the Group ID text box.

4. Type a password in the Group Password text box.

5. Select the appropriate Group Authentication Option. You can select:

• If authentication will be by using only a Group ID and Password, select Group ID and Password.

• If authentication will be by a standard RSA SecurID Token, which may be a Key Fob or a Card, without a numeric pinpad (as shown in Figure 3-24), select Response Only Token.

• If authentication will be by an RSA SecurID PinPad Card having a numeric pinpad entry (as shown in Figure 3-25), select Response Only Token and select Passcode Display.

Figure 3-24. RSA SecurID Token Key Fob and Card

Figure 3-25. RSA SecurID PinPad Card

6. Click Finish.

Depending on the type of Authentication option selected, the Connections window appears with the connection profile for this connection displayed.

• If you selected Group ID and Password, continue with the procedure under Group Password Authentication, below.

• If you selected Response Only Token, continue with the procedure under “Response Only Token” on page 79.

• If you selected Response Only Token and Passcode Display, continue with the procedure under “Response Only Token with Passcode” on page 80.

Group Password Authentication

After selecting Group Password Authentication and clicking Finish in the previous Connections window, the Group Password option appears in the Connections window.

Figure 3-26. Group Password Option in Connections Window

7. Type the Group Password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and Unix systems.

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.

8. Continue with the procedure described in “Completing the Connection” on page 80.

Response Only Token

After selecting Response Only Token and clicking Finish in the previous Connections window, the Response Token option appears in the Connections window.

Figure 3-27. Response Token Option in Connections Window

9. Type the PIN given to you by the network administrator.

10. Type the Token number currently appearing on your RSA SecurID Card.

11. Continue with the procedure described in “Completing the Connection” on page 80.

Response Only Token with Passcode

After selecting Response Only Token and Passcode Display followed by clicking Finish in the previous Connections window, the Response Token with Passcode option appears in the Connections window.

Figure 3-28. Response Token with Passcode Option in Connections Window

12. Enter the PIN given to you by the network administrator on the pinpad of your RSA SecurID Card.

13. Read the Passcode number from your RSA SecurID Card and type that number in the Passcode field.

14. Continue with the procedure for completing the connection, described below.

Completing the Connection

After defining the authentication method, you were instructed to return to this point. Continue with the following steps to complete establishing a connection.

Depending on previous connections, you may have the option of disabling Keepalives. This would override the setting of the Contivity Switch. You can disable Keepalives at the Client, even if it has been enabled at the Contivity Switch. If Keepalives is disabled at the Contivity Switch, it cannot be enabled at the Client.

1. Click Connect.

The Client Monitor window appears and displays a message screen while the connection is being made.

Figure 3-29. Negotiation in Progress Message

When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-31). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.

If the Notification Alerts preference is enabled on Macintosh computers, a separate message will also be displayed, indicating that a secure session is established.

Figure 3-30. Connection Completed Message

If the connection is not established:

• The Contivity VPN Client window is displayed, and

• If the Notification Alerts preference is Enabled (on Macintosh only), a separate message will also be displayed, indicating that the negotiation failed. Check your user authentication settings (user name, password, and choice of authentication options). If you see a message indicating an incompatible Contivity Switch configuration, e.g., compression setting, contact your network administrator for assistance.

The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.

Figure 3-31. Client Monitor Window

NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged.

To access the Client again:

On Macintosh computers, click the Netlock icon on the menu bar and choose an item from the drop-down menu.

On Macintosh OS X computers, click the Netlock icon on the desktop.

On other computers, click the expand arrow above the Netlock icon on the Front Panel and choose an item from the pop-up menu.

Editing a Connection Profile

Provision is made to edit a connection profile. The editing feature can be disabled by the system administrator using the Configuration Lockdown facility. If the editing feature has been disabled, the Edit button will not appear in any of the configuration windows.

To edit settings in a configuration profile, click Edit in the part of the configuration that you want to edit.

A screen will appear that will be similar to the screen with which you set the current screen’s values while creating the current configuration profile. The editing screen, instead of having blank values as it did when creating the configuration profile, will show the current configuration values.

You can change any values by typing in a new value, for example, change a password or select a new certificate.

Click Next to move through the configuration screens in the same order as when creating the configuration profile.

If you change a value, such as changing the method of authentication, when you click Next, you will then have to continue through the remainder of the configuration procedure for the newly selected method. The values for successive screens would be blank, as in defining a new profile.

Connecting the Contivity VPN Client

The following procedure is for:

• Re-connecting a Client to a Contivity Switch

• Establishing an initial connection of a Client to a Contivity Switch when a configuration profile has previously been defined

Selecting the Connection Profile

To connect the Client:

1. If the browser is not already launched and the Connections window displayed, follow the procedures described in “Launching the Contivity VPN Client” on page 58, to launch the Client.

The Connections window is displayed.

The appearance and content of the window will vary depending upon the configuration profile defined for this Client and, if the Client has been previously connected, upon the configuration profile last used.

2. The current configuration profile name is shown in the Connection list. If you want to connect under a different connection profile, select the connection name in the Connection list.

If JavaScript is enabled in the browser, the features of the new profile are displayed as soon as you select it. If JavaScript is not enabled, click Go after selecting the connection name.

3. The type of authentication for this connection is shown directly under the Connection list under the Type heading. This will show one of several values:

• User ID & Password—If this is shown as the authentication Type, continue with the procedure described in “User ID & Password Authentication” on page 85.

• Digital Certificate—If this is shown as the authentication Type, continue with the procedure described in “Digital Certificate Authentication” on page 86.

• One of the Group Authentication options may be displayed:

• Group (Token)—If this is shown as the authentication Type, continue with the procedure described in “Response Token Authentication” on page 87.

• Group (Token/Passcode)—If this is shown as the authentication Type, continue with the procedure described in “Response Token with Passcode Authentication” on page 88.

• Group Password—If this is shown as the authentication Type, continue with the procedure described in “Group ID and Password Authentication” on page 89.

User ID & Password Authentication

If User ID & Password is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-32. User ID and Password Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.

1. If you are being prompted, select your User Name from the selection list.

2. Type your password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and Unix systems.

You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.

3. Continue with the procedure described in “Completing the Connection” on page 90.

Digital Certificate Authentication

If Digital Certificates is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-33. Digital Certificates Connections Window

The Certificate name might be displayed or a selection text box will prompt to select a Certificate name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.

1. If you are being prompted, select your Certificate from the selection list.

2. Type your passphrase in the Passphrase text box.

This is the passphrase used to protect the integrity of the personal certificate. It is not the same as the User ID Password.

3. Continue with the procedure described in “Completing the Connection” on page 90.

Response Token Authentication

If the Response Token is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-34. Response Token Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.

1. If you are being prompted, select your User Name from the selection list.

2. Type the PIN given to you by the network administrator.

3. Type the Token number currently appearing on your RSA SecurID Card (see Figure 3-24).

4. Continue with the procedure described in “Completing the Connection” on page 90.

Response Token with Passcode Authentication

If the Response Token with Passcode is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-35. Response Token with Passcode Option in Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.

1. If you are being prompted, select your User Name from the selection list.

2. Enter the PIN given to you by the network administrator on the pinpad of your RSA SecurID Card (see Figure 3-25).

3. Read the Passcode number from your RSA SecurID Card and type that number in the Passcode field.

4. Continue with the procedure described in “Completing the Connection” on page 90.

Group ID and Password Authentication

If Group ID and Password is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-36. Group Password Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.

1. If you are being prompted, select your User Name from the selection list.

2. Type the Group Password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and Unix systems.

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.

3. Continue with the procedure described in "Completing the Connection" below.

Completing the Connection

Continue with the following steps to complete establishing a connection.

Depending on previous connections, you may have the option of disabling Keepalives. This would override the setting of the Contivity Switch. You can disable Keepalives at the Client, even if it has been enabled at the Contivity Switch. If Keepalives is disabled at the Contivity Switch, it cannot be enabled at the Client.

1. Click Connect.

The Client Monitor window appears and displays a message screen while the connection is being made.

Figure 3-37. Negotiation in Progress Message

When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-31). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.

If the Notification Alerts preference is enabled on Macintosh computers, a separate message will also be displayed, indicating that a secure session is established.

Figure 3-38. Connection Completed Message

If the connection is not established:

• The Contivity VPN Client window is displayed, and

• If the Notification Alerts preference is Enabled (on Macintosh only), a separate message will also be displayed, indicating that the negotiation failed. Check your user authentication settings (user name, password, and choice of authentication options). If you see a message indicating an incompatible Contivity Switch configuration, e.g., compression setting, contact your network administrator for assistance.

The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.

Figure 3-39. Client Monitor Window

NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged.

To access the Client again:

On Macintosh computers, click the Netlock icon on the menu bar and choose an item from the drop-down menu.

On Macintosh OS X computers, click the Netlock icon on the desktop.

On other computers, click the expand arrow above the Netlock icon on the Front Panel and choose an item from the pop-up menu.


Monitoring Connection History

Connection Statistics

The statistics for an established connection between the Client and the Contivity Switch are displayed in the Client Monitor window. The Client Monitor window appears as soon as a successful connection is established. The connection Duration, Bytes In/Out, and Frames In/Out values are periodically updated. To update those values in the window without waiting, click Refresh.

Figure 3-40. Client Monitor Window

If the Client Monitor window is not displayed and you want to display it:

On Macintosh computers:

a. Click the Netlock icon on the menu bar.

b. Choose Extranet Access Client in the drop-down menu.

The Client Monitor window appears.

On other computers:

a. Click the expand arrow above the Netlock icon on the Front Panel.

b. Choose Extranet Access Client in the pop-up menu.

The Client Monitor window appears.


Setting Client Preferences

The Client Preferences window allows you to control the logging of audit information, to display the log files of audit information, to set the size of the log files, to control the display of audit messages, and to control configuration lockdown features.

Audit Controls

The Client logs audit messages to a log file. You can view the log file at any time. Audit controls are used to select the types of audit messages that are written to the log file and to set the maximum size of the log file.

You can enable (or disable) log file archiving by selecting what (if any) information will be logged. Four types of audit information may be logged. The four types of information are:

Information Type   Meaning
Security Audits    Indicates a possible penetration attempt.
System Audits      Indicates a failure of an operating system resource within the Client.
Protocol Audits    Indicates a failure of the key management or encapsulation protocol.
Trace Audits       Records actions provided by the key management and encapsulation protocols.


Controlling Audit Information Logging

Types of Information Logged

To select the logging of Client audit information and to select which types of information should be logged:

1. In the Client Monitor window, click Preferences.

The Client Preferences window appears.

If the Client Monitor window is not displayed, you can also view Preferences by:

• On Macintosh computers:

Click the Netlock icon on the menu bar and select Preferences in the drop-down menu.

• On other computers:

Click the expand arrow above the Netlock icon on the Front Panel and select Preferences in the pop-up menu.

Figure 3-41. Client Preferences Window

2. Select which of the four types of information you want to have logged. See “Audit Controls” on page 93.

3. Click Submit.


Changing the Log File Size

The Client maintains audit information in a log file. When the size of the log file reaches a maximum value, it is archived in an old log file (overwriting the previous old log file, if it exists) and a new log file is created. An audit message is written at the top of the new log file. This mechanism prevents audit information from filling the disk. The amount of time it takes for the log file to reach its maximum allowed size depends on which audit types are logged and how often the Client is run. The default maximum log file size is 1000 kilobytes.

To choose the log file maximum size:

1. In the Client Monitor window, click Preferences.

The Client Preferences window appears (see Figure 3-41).

If the Client Monitor window is not displayed, you can also view Preferences by:

• On Macintosh computers:

Click the Netlock icon on the menu bar and select Preferences in the drop-down menu.

• On other computers:

Click the expand arrow above the Netlock icon on the Front Panel and select Preferences in the pop-up menu.

2. Type a value, in kilobytes, in Max Logfile Size to set the maximum log file size. The minimum setting is 10 KB; the maximum setting is 10240 KB.

3. Click Submit.


Notification Alerts

On Macintosh computers, the Client can display pop-up notification messages in windoids when a connection succeeds, when a connection fails, when the connection is dropped, and when errors occur.

To disable notification messages (Macintosh only):

1. In the Client Monitor window, click Preferences.

The Client Preferences window appears (see Figure 3-41).

If the Client Monitor window is not displayed, you can also view Preferences by:

• On Macintosh computers:

Click the Netlock icon on the menu bar and select Preferences in the drop-down menu.

• On other computers:

Click the expand arrow above the Netlock icon on the Front Panel and select Preferences in the pop-up menu.

2. Deselect the Enable check box to disable Notification Alerts.

3. Click Submit.

To re-enable notification alerts:

1. In the Client Monitor window, click Preferences.

Or, click the Netlock icon on the menu bar and select Preferences in the drop-down menu.

The Client Preferences window appears (see Figure 3-41).

2. Select the Enable check box to enable Notification Alerts.

3. Click Submit.


Configuration Locking

Configuration locking allows you to prevent a user from editing or deleting a connection profile, prevent a user from creating a new connection profile, and set a passphrase to prevent others from accessing configuration locking.

To set configuration locking:

1. In the Preferences window, click Configuration Locking.

The Configuration Locking window appears.

Figure 3-42. Configuration Locking Window

To Lock a configuration:

All of the current connection profiles are listed in the Configuration Locking window.

1. Select (check) those configurations that you want to lock.

2. Click Submit.

When a user selects a connection profile, the Edit and Delete buttons are not available.


Figure 3-43. Editing and Deleting of Configuration Locked

To prevent a user from defining a new connection:

1. In the Configuration Locking window, leave Allow New Configs unselected.

Figure 3-44. Disallowing a New Configuration

2. Click Submit.

When a user selects a connection profile, the New button is not available.


Figure 3-45. Editing, Deleting, and Creating a New Configuration Locked

Figure 3-45 shows a connection for which configuration locking has been applied and new connections are not allowed. If new connections are not allowed but the configuration has not been locked, the user will be able to edit and delete a connection profile but not create a new one, as shown in Figure 3-46.

Figure 3-46. Creating a New Configuration Prohibited

To set a passphrase for configuration locking:

1. In the Configuration Locking window, type a passphrase in the Passphrase text box.

2. Type the passphrase a second time in the Repeat text box.


Figure 3-47. Specifying a Passphrase

3. Click Submit.

The passphrase is set. The next time you click Configuration Locking in the Preferences window to set configuration locking, you will be prompted to enter the passphrase, as shown in Figure 3-48.

Figure 3-48. Passphrase Prompt for Configuration Locking

When the Configuration Locking window appears, the passphrase is cleared. If you want to set the passphrase to limit access the next time, you must enter it again as in the above steps.


Viewing Audit Information

To view logged audit information:

1. In any of the Client windows (Connections, Client Monitor, Certificate Management, Preferences, etc.), click Logfiles in the left-hand column.

The log files are displayed in the Contivity VPN Client Log window.

Figure 3-49. Viewing Agent Status

2. When you are finished viewing the log files, close the Client Log window.


Disconnecting the Contivity VPN Client

To disconnect the Client from the Contivity Switch:

1. The Client Monitor window may already be displayed. If it isn’t:

• On Macintosh computers:

a. Click the Netlock icon on the menu bar.

b. Choose Extranet Access Client in the drop-down menu.

The Client Monitor window appears.

• On other computers:

a. Click the expand arrow above the Netlock icon on the Front Panel.

b. Choose Extranet Access Client in the pop-up menu.

The Client Monitor window appears.

2. In the Client Monitor window, click Disconnect.

A status message is displayed informing you that the network session is no longer established.


Command Line Interface

On Macintosh OS X and Linux computers only, the Client provides a command line interface. The command line interface does not duplicate the functionality of the graphical user interface (GUI). It does, however, provide a means of connecting to and disconnecting from the Contivity Switch.

The command line interface can be used in shell scripts to connect to the Contivity Switch, perform some functions such as file transfers, and disconnect.

IMPORTANT: You must be careful with the file permissions for scripts that invoke the command line utility. If you embed Contivity connection information, such as usernames and passwords, in scripts that invoke the command line utility, the information may be disclosed to other users who have read access to your scripts. There is no way to prevent users with Administrator (Mac OS X) or root privileges from reading your files.

If you use a single line command to invoke the command line utility, the connection information (including username/password) in the command can be seen by other users who run process monitoring utilities or have access to logs of processes run on your computer.

The format of the command is:

cvc [-c <connect_string>|-p|-q|-d|-h|-v]

The options are:

<connect_string> = connection:username:password

-c connect     connects to the Contivity Switch using <connect_string>

-p prompt      prompts for <connect_string> then connects to the Contivity Switch using <connect_string>

-q read        reads <connect_string> from stdin then connects to the Contivity Switch using <connect_string>

-d disconnect  disconnects from the Contivity Switch

-h help        displays a list of command options

-v version     displays the current version and build number of the Client

IMPORTANT: When defining a connection profile (see “Defining a New Connection Profile” on page 71) if you leave Prompt unselected, you would not be prompted for a User ID when establishing a connection using the GUI. The same default applies when using the command line interface. If Prompt is unselected, you should not enter a username as part of the <connect_string>. Doing so will cause an error. Without the username prompt, the <connect_string> should look like: connection::password. Note that two colons are still used.

NOTE: If the browser is open and the Client Window is displayed when you connect using the command line interface, the Client Window is not updated. You must first use the browser Refresh or Reload command to update the window.


Example 1:

# cvc -h

Contivity VPN Client Command Line Interface
Usage: cvc [-c <connect string>] [-pqdvh]
  -c  connect using specified connect string
  -p  prompt for connect string and connect
  -q  read connect string from stdin and connect
      connect string = connection:username:password
  -d  disconnect
  -v  display version
  -h  help

Example 2:

# cvc -c connection_name:username:password

Connects the Client to the Contivity Switch using the connection named in the connect string then passes the user name and password to the Contivity Switch to establish the Client-to-Contivity Switch connection.

Example 3:

# cvc -d

Disconnects the Client from the Contivity Switch.
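The following wrapper script is an added example, not part of the guide or of the Client itself. It applies the two IMPORTANT notes above: the connect string is handed to cvc on stdin with -q instead of on the command line, the password is asked for at run time rather than written into the script, and the script refuses to run if other users can read it. The profile name office, the user name alice, the file name cvc_session.sh and the CVC override variable are assumptions.

```shell
#!/bin/sh
# Added example wrapper for the cvc command line utility (not part of the
# Contivity guide). Save it as cvc_session.sh with mode 700.
#
# The connect string reaches cvc on stdin via "cvc -q" instead of on the
# command line, so it is not visible to process monitoring utilities, and
# the password is asked for at run time instead of being embedded in the
# script. The profile name "office", the user name "alice" and the CVC
# override variable are assumptions for illustration.

# Build the connection:username:password string the guide documents.
# When the profile was defined with Prompt unselected, the user name must
# be left empty but both colons must stay: connection::password.
build_connect_string() {
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# Return 0 only if the file is accessible by its owner alone (mode 600 or
# 700), so that a script holding profile names, or a password someone
# pasted in against advice, is not exposed to other users on the machine.
check_script_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prompt for the password without echo (stty, since "read -s" is not
# POSIX), then hand the connect string to cvc on stdin. Nothing secret
# appears in the argument list of cvc or of this script.
cvc_connect() {
    profile=$1
    user=$2
    cvc_bin=${CVC:-cvc}   # path to the cvc binary; assumed to be on PATH
    printf 'Password for profile %s: ' "$profile" >&2
    stty -echo 2>/dev/null
    read -r password
    stty echo 2>/dev/null
    echo >&2
    build_connect_string "$profile" "$user" "$password" | "$cvc_bin" -q
}

cvc_disconnect() {
    "${CVC:-cvc}" -d
}

main() {
    check_script_mode "$0" || {
        echo "refusing to run: $0 is readable by other users" >&2
        exit 1
    }
    cvc_connect office alice || exit 1
    # ... work that needs the tunnel goes here, e.g. a file transfer ...
    cvc_disconnect
}

# Run main only when executed under the expected file name, so the
# functions can also be sourced (e.g. for testing) without connecting.
case ${0##*/} in
    cvc_session.sh) main "$@" ;;
esac
```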

Glossary

AH See: Authentication Header.

Anti-Replay Protection A form of partial sequence integrity. It detects the arrival of duplicate IP packets (within a constrained window) and the arrival of IP packets out of sequence. See also: Integrity.

Authentication (1) The verification of the identity of a user, device or other entity in a computer system, usually as a prerequisite to allowing access to system resources. (2) The verification of data that have been stored, transmitted, or exposed to possible unauthorized modification.

Authentication Header (AH) An upper-level header located between the IP header and the payload within an IP packet. The AH includes an integrity check value (ICV) for the contents of the IP packet. The exact nature of the checksum depends upon the method selected during configuration. It is used to ensure the integrity of the entire IP packet, including both the payload and the IP header. The AH does not provide data confidentiality.

Authentication Information The public key information needed to authenticate a digital signature.

Authorization The granting of privileges, which includes the granting of access based on previously authorized access.

Compression See: Data Compression.

Confidentiality The protection of data from unauthorized disclosure. Usually, the unauthorized disclosure of application level data is the primary concern, but the disclosure of the external characteristics of communication can also be a concern in some circumstances. The traffic flow confidentiality service addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPSec context, using Encapsulating Security Payload (ESP), especially at a security gateway, can provide some level of traffic flow confidentiality.

Data Compression Encoding data to take up less storage space. Digital data is compressed by finding repeatable patterns of binary 0s and 1s. The more patterns can be found, the more the data can be compressed. Text can generally be compressed to about 40% of its original size, and graphics files from 20% to 90%. Data compression, as used in the Contivity VPN Client, is applied to the data before encryption.

Data Encryption Standard (DES) A standard encryption algorithm providing a high degree of protection. DES has a key length of 56 bits and meets U.S. government approval for general export. See also: Triple DES.

Data Integrity The property that data has not been altered or destroyed in an unauthorized manner.

Data Origin Authentication The corroboration that the source of data received is as claimed.

Decryption See: Encryption.

Denial of Service Denotes attacks that do not cause a security violation as such, but harm the availability of a service. For example, someone sending a large number of forged packets to a host could degrade the performance of the host.

DES See: Data Encryption Standard.

Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).

Encapsulating Security Payload (ESP) An OSI layer 3 connection or connectionless security protocol. In general, ESP provides for the following: peer entity authentication, data origin authentication, access control services, connection confidentiality, connectionless confidentiality, traffic flow confidentiality, connection integrity without recovery, and connectionless integrity.


Encapsulation The process of wrapping a packet, or some part of it, in a security envelope to provide the means for network devices to check the authentication of the sending node and the integrity of the data.

Encryption A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext) to provide confidentiality. The inverse transformation process is termed decryption, but encryption is often used generically to refer to both processes.

Entity A device attached to a network and identified by an internetwork address, network number, or any combination. Components are comprised of one or more entities.

ESP See: Encapsulating Security Payload.

Extranet (1) A semi-permanent WAN connection over a public network between a corporation and its business associations, such as partners, customers, suppliers, and investors. (2) A Web site for existing customers rather than the general public. It can provide access to paid research, current inventories and internal databases, and virtually any information that is private and not published for everyone. An extranet uses the public Internet as its transmission system, but requires passwords to gain access. See also: Internet, Intranet.

File Encryption File encryption software is specific to particular operating systems, and does not protect data during remote logins or when updating records across a network.

Firewall (1) A combination of hardware and software that separates a LAN into two or more parts for security purposes. (2) A router or workstation with multiple network interfaces that controls and limits specific protocols, types of traffic within each protocol, types of services, and direction of the flow of information.

Host Any computer on a network that is a repository for services available to other computers on the network. It is quite common to have one host machine provide several different services.


ICV See: Integrity Check Value.

Identity-Based Security Policy A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed.

IKE See: Internet Key Exchange.

Integrity A security service ensuring that data modifications are detected.

Integrity Check Value (ICV) A value that is derived by performing an algorithmic transformation on the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and is recalculated and compared by the receiver to detect data modification.

Intrusion Detection A generic term for detecting network penetration attempts by observing activities on the network.

Internet (1) A large network made up of a number of smaller networks. (2) "The" Internet is made up of more than 100,000 interconnected networks in over 100 countries, comprised of commercial, academic and government networks. See also: Extranet, Intranet.

Internet Key Exchange (IKE) A key management protocol that provides secure management and exchange of cryptographic keys between distant devices. IKE also provides a secure way to transmit keys. IKE uses public-key cryptography to create a secure association. That association is then used to perform a secure second public-key exchange, resulting in a symmetric key for encryption.

Intranet An inhouse Web site serving the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public. The term has become so popular that it is often used to refer to any inhouse LAN and client/server system. See also: Extranet, Internet.

IPSec Internet Protocol Security. A set of protocols for authentication, privacy, and data integrity that is transparent to the underlying network infrastructure and can be configured to run in two distinct modes: tunnel mode and transport mode. IPSec is implemented at the packet processing layer of network communication as opposed to earlier security approaches that were implemented at the application layer. IPSec provides two choices of security service: Authentication Header (AH), which allows authentication of the sender, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data. The specific AH and ESP information is inserted into the packet as a header that follows the IP packet header. Separate key protocols, such as ISAKMP, can be selected. See also: Authentication, Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and ISAKMP.

ISAKMP Internet Security Association and Key Management Protocol. The IPSec standard procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA) and for defining payloads for exchanging key generation and authentication data. See also: Authentication, Internet Key Exchange (IKE), and IPSec.

IS Router Intermediate Services Router. A router, acting as a security gateway, usually placed between an intranet and the public network. See also: Router.

Key Generation Method of establishing key materials used in ciphering functions.

Key Management The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

LAN (Local Area Network) See Intranet.

Logging The process of maintaining a diary of the occurrence of security relevant events.

Logging Trail A chronological record of system activities that can be used to reconstruct and review the sequence of activities surrounding or leading to an operation, procedure, or event in a transaction from its inception to final results.

LZS An algorithm used for data compression. See also: Data Compression.

NAT See: Network Address Translator.


Network Address Translator (NAT) Usually implemented in a firewall or router at the boundary between a company's intranet and the public Internet, maintaining a mapping between internal IP addresses and external public IP addresses. The internal addresses are not advertised outside of the intranet and can remain private (in the case of globally ambiguous addresses), or secret (in the case of globally unique addresses).

Packet Filtering A method for determining how passing IP packets should be handled. Packet filtering is applied to all IP packets passing the IPSec engine. Packet filtering may modify the IP packet, pass it intact, or even drop it. See also: Port Filtering.

Perfect Forward Secrecy Forces the regeneration of keying material for each new Security Association (SA) and/or completely separates authentication encryption from data encryption.

Port Filtering Allows communications to be limited to certain specific applications.

Protocol A set of rules that governs the communication and exchange of data between system elements and that provides a basic level of service in a system.

Protocol Alerts An alert indicating a failure of the key management or encapsulation protocol.

RC4 An encryption algorithm that provides solid, mid-range protection using a variable-length encryption key. RC4/128 key length is 128 bits and is approved for limited export. RC4/40 key length is 40 bits and meets U.S. government standards for general export.

Repudiation Denial by one of the entities involved in a communication of having participated in all or part of the communication.

Router A special-purpose dedicated system that connects several networks and makes decisions about which of several paths network traffic will take. The process may be repeated several times on a single packet by multiple routers until the packet is delivered to its final destination. To accomplish this, a routing protocol is used to gather information about the network, and algorithms based on several criteria known as “routing metrics” choose the best route. See also: IS Router.


Security Audit An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures.

Security Audit Trail Data collected and potentially used in a security audit.

Security Controls Hardware, firmware, and software features within a system that restrict access of resources to authorized users, devices, or entities only.

Security Gateway An intermediate system acting as a communications interface between two networks. The internal subnetworks and hosts served by a security gateway are presumed to be trusted because of shared local security administration. The set of hosts and networks on the external side of the security gateway is viewed as not trusted or less trusted.

Security Policy The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Security Service The technology-based security functions provided by a networking system. They are Authentication Services, Access Control Services, Confidentiality Services, Data Integrity Services, and Non-repudiation Services.

Subject An active entity, either a person, device, or process, that causes information to flow among objects or changes the system state.

Subnet A portion of a network, which may be a physically independent network, which shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network what a network is to an internet.

Subnet Number A part of the internet address that designates a subnet. It is ignored for the purposes of internet routing, but is used for intranet routing.

TCP Transmission Control Protocol. The major Internet transport protocol, which provides reliable, connection-oriented, full-duplex streams.


Threat Any circumstance or event which has the potential to cause harm to a system. Harm may arise in the form of destruction, modification, or disclosure of data, and/or denial of service.

Transformation A particular type of change applied to an IP packet. ESP encryption and AH integrity are types of transformations. A Security Association supplies the keys and other association-specific data to a transformation.

Transformation Sequence A set of transformations applied to an IP packet one after another. For example, an outgoing IP packet can be protected first with an ESP to ensure data confidentiality and higher level data integrity, and then with an AH to protect the integrity of the IP header carrying the IP packet. In this case, the transformation sequence consists of an ESP transformation followed by an AH transformation. IPSec supports other types of transformations, and therefore transformation sequences may occasionally be rather long, even 5 or 6 stages. However, most transformation sequences typically consist of just one or two steps.

Transport Mode As opposed to tunnel mode wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet, in transport mode, the IP header is sent in the normal, unencapsulated format.

Triple DES A stronger iteration of the Data Encryption Standard, Triple DES is designed to resist focused, persistent attacks by well-financed, expert crypto-analysts. The U.S. government restricts Triple DES to domestic use and limited export.

Tunnel Mode Packet transmission wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet.

Unsecured Communications Unencrypted, non-firewalled, or unprotected communications between two network computers.

Virtual Private Network (VPN) A temporary, secure connection over a public network, usually the Internet.


Index

A
address of Contivity Switch 72
address, DNS 72
allowing new configurations 98
audit
    information 101
audit information
    controlling 93
    logging 94
    viewing 101
authentication 13
autoconnect 14

B
bulleted lists 4

C
Certificate Authority
    Netlock Manager 61
    third party 61
Certificate Management window 62
certificates
    managing 61
Client
    disconnecting 102
    discussion about 9
    installing on Macintosh 19
    log file archiving 93
    new connection 71
    preferences 93
    purpose 9
    re-connecting 84
    registering license code 39
Contivity VPN Client
    See Client
Client Log window 101
command line interface 57
commands
    start_cvc 59
compression 14
configuration locking 97
Configuration Locking window 97
configuring the Contivity Switch 13
connecting the Client 71
connection profile 71
Connections window 60
Contivity Switch
    address 72
    configuring 13
    description of 9
    purpose 9
controlling
    audit information logging 94
    log file size 95
conventions
    keyboard 3
    terminology 4
    typographical 3
customizing graphics 53

D
database authentication 13
deleting files 42
disabling Keepalives 80, 90
disconnecting the Client 102
display banner 14
DNS Lookup 72

E
encryption 14
establishing a new connection 71
Extensions folder 42

F
Failover 14
failover 14
forced logoff 14

G
graphical user interface (GUI) 57
graphics files
    headbar.gif 53
graphics, customizing 53
group ID 73

H
headbar.gif file 53
HP-UX
    installing Client on 35
    removing Client from 50
    system requirements 6

I
information
    status 101
    trace 93
installing
    Client for HP-UX 35
    Client for Linux 28
    Client for Macintosh 19
    Client for Macintosh OS X 22
    Client for Solaris 32
    Client for Windows CE 38
IPSec
    Contivity Switch settings 13

K
Keepalives, disabling 80, 90
keyboard conventions 3

L
LDAP 13
license code 39
Linux
    installing Client on 28
    removing Client from 46
    system requirements 5
locking a configuration 97
log file archiving for Clients 93

M
Macintosh
    installing Client on 19
    removing a Client from 42, 44
    system requirements 5
Macintosh OS X
    installing Client on 22
    removing Client from 44
    system requirements 5
managing the use of certificates 61

N
Nortel Contivity Switch
    See Contivity Switch
numbered lists 4

O
obtaining a license code 39
operation of Client 9
organization of document 2
overview of product 9

P
password
    with Group ID 73
    with user name 73
perfect forward secrecy 14
PIN 79, 87
Preferences folder 42, 53
Preferences window 94
preferences, setting 93
prevent defining a new connection profile 98
prevent deleting a connection profile 97
prevent editing of connection profile 97
product overview 9
product registration 39

R
radius authentication 14
Read Me screen 20
re-connecting the Client 84
registration of Client 39
removing
    Client from HP-UX 50
    Client from Linux 46
    Client from Macintosh 42
    Client from Macintosh OS X 44
    Client from Solaris 48
requirements, system 5

S
saving
    configuration information 42
security policies 9
setting configuration locking 97
setting preferences 93
Solaris
    installing Client on 32
    removing Client from 48
    system requirements 6
split tunneling 13
start_cvc command 59
status
    information 101
supported settings 13
system requirements
    HP-UX 6
    Linux 5
    Macintosh 5
    Macintosh OS X 5
    Solaris 6

T
timeout 14
trace information 93
tunneling 13
typographical conventions 3
typographical terminology 4

U
user interface
    command line 57
    graphical (GUI) 57
user name 73
using certificates 61

V
viewing audit information 101

W
windows
    Certificate Management 62
    Client Log 101
    Configuration Locking 97
    Connections 60
    Preferences 94
Windows CE
    installing Client on 38

X
X.509v3 certificates
    format 61