File:         README.TXT
Product:      FEC Secure IPSec Client
Manufacturer: Funkwerk Enterprise Communications GmbH
              Nuremberg, Germany

-------------------------------------------------------------------------------

1. Product Description
===============================================================================

1.1 Universal IPSec Client
-------------------------------------------------------------------------------

The FEC Secure IPSec Client can be used in any VPN environment. The client
communicates on the basis of the IPsec standard with the gateways provided by
a wide variety of vendors and is the alternative to the uniform IPsec client
technology offered on the market. The Client Software emulates an Ethernet LAN
adapter. The Client has additional features that introduce the user into a
holistic remote access VPN solution.

The FEC Secure IPSec Client offers:

- Support of all major operating systems
- Dial-in over all transmission networks
- Compatibility with VPN gateways from a wide variety of vendors
- Integrated personal firewall for more security
- Dialer protection (no misuse by third parties)
- Higher speed in the ISDN (channel-bundling)
- Saving telephone charges (charges and connection management)
- Convenient operation (graphic interface)

1.2 Performance range
-------------------------------------------------------------------------------

The FEC Secure IPSec Client supports all major operating systems (Windows
2000, XP, Vista). Connecting to the corporate network is media-type
independent, e.g. in addition to ISDN, PSTN analog telephone network, GSM,
GPRS, and xDSL, LAN technologies such as WLAN (on the corporate campus and
hotspots) or local area networks (branch office network) are also supported.

A possible scenario: an employee must access the corporate network from
various locations with one and the same end device:

- in the branch office via WLAN
- in the corporate headquarters via LAN
- on the road at hotspots and at customer sites via WLAN or GPRS
- in the home office via xDSL, cable, or ISDN


2. Installation
===============================================================================

The FEC Secure IPSec Client currently supports the 32-bit operating systems
Windows XP, Windows 2000 and Windows Vista.

A Setup program performs the installation of the Client Software quickly and
smoothly. The following text describes the procedures for installing the
Client Software under Windows 2000/XP/Vista. Prior to executing Setup be sure
that the following prerequisites are fulfilled.

2.1 Installation Prerequisites
-------------------------------------------------------------------------------

System Requirements:

In order to be able to communicate with the Client Software it is essential to
have either Microsoft Windows 2000 SP4 + RSP1 or Windows XP SP2 or Windows
Vista installed on your PC (min. 128 MB RAM). During the installation you are
asked to have your or disks ready, as these will be needed for updating your
PC's driver database files. Please insert these when prompted to do so.

Remote Destination:

The parameters of the remote destination must be entered in the profile
settings. In order to communicate with the remote destination it must support
one of the following media types: ISDN, PSTN (analog modem), LAN over IP, WLAN
or PPP over Ethernet (PPPoE).

Local System:

One of the following communication devices and its respective drivers must be
properly installed on the Client Software PC.

* ISDN adapter (ISDN)
  The device (e.g. internal or external adapter) must support the ISDN CAPI
  2.0 Kernel Mode standard. When using PPP Multilink the software can bundle
  up to 8 ISDN B-Channels. Any ISDN device supporting the ISDN CAPI 2.0 can be
  used.
  Please check your device to be sure that such a driver is available. The
  Client Software does not support TAPI based ISDN devices.

* Analog Modem (Modem)
  The Client Software can communicate with any industry standard analog PC
  modem, provided that it and the modem drivers have been properly installed
  and the modem initialization string and the COM port definition for the
  modem are correct. The modem has to support Hayes AT commands.

  Mobile (cellular) telephones can also be used for data communication, after
  the associated software has been installed that presents itself to the
  client precisely as if it were an analog modem. The serial interface, IR
  (infrared) interface, or Bluetooth can be used as interface between mobile
  phone and PC. The opposite side must have the appropriate dial-in platform
  depending on the transfer rate (GSM, v.110, GPRS or HSCSD). The
  initialization string in the Secure Client modem configuration must be
  obtained from the ISP or the manufacturer of the mobile (cellular) phone.

* LAN adapter (LAN over IP)
  When the Link Type LAN has been defined the Client Software may be used as
  an IPSec client in a LAN that communicates across a LAN network and
  associated router to a central site VPN Gateway. When defined as a LAN
  Client, the Client Software can also be used as a VPN or VPN/PKI plugin for
  Microsoft's RAS (Dial-Up Network) client.

* Broadband Device (xDSL (PPPoE))
  Cable modems, splitters (e.g. for ADSL), etc. can be used in conjunction
  with PPP over Ethernet (PPPoE), which is supported by the Client Software.

* xDSL (AVM - PPP over CAPI)
  The link type "xDSL (AVM - PPP over CAPI)" has been added in the
  "Destination" configuration field in the telephone book. If an AVM Fritz DSL
  card is to be used then this link type may be selected. AVM specific
  initialization strings may be entered in the field "Destination Phone
  Number" ("Dial-Up Network" group) for the connection.
  It is recommended to use the standard setting "xDSL (PPPoE)" with Windows
  operating systems as this provides direct communication over the network
  interfaces. No additional network card is necessary with the AVM Fritz! DSL
  card.

* Multifunction Card (GPRS/UMTS)
  If you are using a multi-function card, special features of mobile
  computing can be used depending on the card characteristics (see the
  appendix of the handbook "Mobile Computing"). Because the Secure Client
  directly supports the multi-function card for UMTS/GPRS/WLAN, installation
  of the card's management software is not necessary. The VPN connection is
  established via the integrated Dialer independent of the Microsoft data
  communications network.

  Currently supported multi-function cards:
  - T-Mobile Multimedia NetCard
  - Vodafone Mobile Connect Card
  - KPN Mobile Connect Card
  - T-Mobile DSL card 1800
  - integrated Card of the Lenovo Notebooks (Sierra Chipset)
  - Vodafone EasyBox USB-Adapter for UMTS/GPRS

* WLAN adapter (WLAN)
  Under Windows 2000/XP/Vista the WLAN adapter can be operated with the link
  type "WLAN". In the monitor menu the special "WLAN settings" menu item is
  displayed where the access data for the wireless network can be saved in a
  profile. If this "WLAN configuration" is activated, then the management tool
  of the WLAN card, or the Microsoft tool must be deactivated. (Alternatively
  the management tool of the WLAN card or the Microsoft tool can be used as
  well.)

  If the link type WLAN is set for the destination system in the phonebook,
  then under the graphic field of the Client Monitor an additional area is
  shown where the field strength and the WLAN network are displayed.

  Please read the description of the parameters "Link Type" in the section
  "Configuration parameters / Phonebook".

* Automatic Media Detection
  If various link types can be used, the client automatically detects which
  link type can actually be used and selects the fastest one.
  On the basis of a pre-configured destination system, those link types that
  are currently available for the Client PC are detected and implemented, and
  if multiple alternative transmission paths are available, the fastest will
  be selected automatically. The link type priority is specified in the
  following sequence in a search routine:

  1. LAN, 2. WLAN, 3. DSL, 4. UMTS/GPRS, 5. ISDN, 6. MODEM.

  The configuration is executed in the phonebook with the link type "Automatic
  media detection" under "Destination system". If desired, all destination
  systems for the VPN gateway that are pre-configured for this Client PC can
  be assigned to this automatic media detection. This renders manual selection
  of a medium (WLAN, UMTS, LAN, DSL, ISDN, MODEM) from the phonebook entries
  superfluous.

  Input data for the connection to the ISP are transferred from the available
  phonebook entries in a manner that is transparent for the user. Please note
  the description "Destination System / Link Type".

Prerequisites for Strong Security

If you are using the Client Software which provides support for X.509
certificates (Strong Security version of the Client), then the following
prerequisites must be fulfilled:

* TCP/IP
  The protocol TCP/IP must be installed on your PC.

* Smart Card Reader
  The Client Software supports all Smart Card readers that are PC/SC conform.
  Such readers will only be entered in the Client Software Smart Card reader
  list after the Smart Card reader including the associated driver software
  has been installed on the PC. The Client Software detects the Smart Card
  reader automatically after the PC has been booted. The Smart Card reader can
  then be selected as described above and used accordingly.

  In order to use the features of the Smart Card, configure the Smart Card by
  selecting "Configuration -> Certificates" in the pull-down menu of the
  Client Software Monitor. When you insert your Smart Card in the Smart Card
  reader, you can enter your PIN.

+ Smart Card Reader (CT-API conform)
  Please note the following instructions when using a Smart Card reader that
  is CT-API conform:

  * The current software includes drivers for the Smart Card readers SCM
    Swapsmart and SCM 1x0 (PIN Pad reader). These Smart Card readers can be
    set in the Monitor under "Configuration -> Certificates".

    If, however, the Smart Card reader does not work with the drivers that are
    included in the software, or a Smart Card reader is to be used that does
    not show up in the configuration selection of supported readers, then ask
    the supplier or producer of the Smart Card reader (or check the respective
    web site) for the current hardware driver and install it. In this case the
    client software requires some modifications:

  * Use an ASCII editor to edit the NCPPKI.CONF file. You find this file in
    the installation directory. Enter the name of the connected Smart Card
    reader as ReaderName (xyz) and the name of the installed driver as
    DLLWIN95 or DLLWINNT respectively. For operating systems based on Windows
    NT like Windows 2000 and Windows XP the module name DLLWINNT has to be
    used. (The default name for CT-API conform drivers is CT32.DLL.)

    Important: Only those drivers that have been appropriately set with
    "visible = 1" will be displayed in the list!

      Modulname = SCM Swapsmart (CT-API)   -> xyz
      DLLWIN95 = scm20098.dll              -> ct32.dll
      DLLWINNT = scm200nt.dll              -> ct32.dll

  * After rebooting the PC the new "ReaderName" is displayed in the Monitor
    under "Configuration -> Certificate -> Smart Card reader". Now you select
    that Smart Card reader.

+ Smart Cards
  Currently, the following Smart Cards are supported:

  * Signtrust
  * NetKey 2000
  * TC Trust (CardOS M4)
  * Telesec PKS SigG

+ Soft Certificates (PKCS#12)
  Instead of a Smart Card you can also use soft certificates or tokens.

+ Smart Cards or Token (PKCS#11)
  Drivers in the form of a PKCS#11 library are supplied with the software for
  the card reader or token. This driver software must first be installed.
  Then the NCPPKI.CONF file must be edited.

  * Edit the NCPPKI.CONF file located in the installation directory by
    entering the name of the connected reader or token (xyz) as "module name".
    The name of the DLL must be entered as PKCS#11-DLL. The associated
    "Slotindex" is manufacturer-dependent (standard = 0).

    Important: Only those drivers are visible in the list that have been set
    to visible with "visible = 1".

      Module name = xyz
      PKCS#11-DLL = Name of the DLL
      Slotindex =

  * After a boot process the "Module name" you entered appears in the monitor
    menu under "Configuration -> Certificates -> Configuration -> Smart Card
    reader". Now select this Smart Card reader or token.

2.2 Installing the Client Software
-------------------------------------------------------------------------------

The current version and later versions of the FEC Secure IPSec Client are
tested by quality assurance only on the operating systems Windows 2000,
Windows XP and Windows Vista. Full functionality cannot be guaranteed when
using the client under Windows NT, Windows 98 or older Windows versions.

You can obtain the software as an EXE file by downloading it from the website
under: www.funkwerk-ec.com.

Installation and Licensing

First the FEC Secure IPSec Client is installed as a test version. If you
possess a license, you can enter the license data after a reboot of the
software by selecting the monitor menu option "License Info and Activation".

The test version is valid for 30 days. Without software activation or
licensing it will no longer be possible to set up a connection after this
30-day period expires. When 10 days of validity remain, a message box will be
displayed to remind you that the software has not yet been licensed.

For licensing the software please refer to the chapter "Licensing" in the
handbook.

Please note when installing the Software under Windows XP/Vista

Microsoft Windows XP/Vista informs the user as soon as driver software is
being installed which is not licensed by Microsoft. Windows XP runs a
Microsoft specific "compatibility test" and warns the user not to install the
software. This test does not check the compatibility of the software with
Windows XP/Vista. Since the client software is not licensed by Microsoft, the
warning occurs when the client is installed on a Windows XP machine.

What to do:

- You can modify the Windows XP/Vista default settings so that any software
  can be installed without the Microsoft compatibility check. Open the Windows
  Control Panel and then "System (Properties) - Driver Signing". Set the
  install procedure to "Install the software anyway and don't ask for my
  approval"!

- You can ignore the warning when installing the client. After the warning
  pops up, click on "proceed Installation" and Windows XP will let you install
  the client adapter. The installation will not have any negative effect on
  the operating system.

Installing from CD

After inserting the CD in the drive of your PC, the welcome window appears on
the monitor. Click on "Install Products" and then select the Client Software
version to be installed. All further installation procedures are identical
with the installation procedures for Installing from removable disk, starting
from the window "Choose Setup Language".

2.2.1 Default Installation
...............................................................................

Installing the Client Software

First copy the EXE file that you obtained by download or from the CD onto the
hard disk of your PC. The filename of the EXE file shows the version number
and build number of the software, e.g.:

  FEC_EntryCl_Win_203_040.EXE

To install the Client Software select in the Windows main menu: Start /
Settings / Control Panel. Select "Add/Remove Programs" in the Control Panel
and then click on the "Install" button.
Click on "Next" when the window appears which requests the installation CD.
When the following window appears click on "Browse" to select the EXE file and
click on "Finish".

"Choose Setup Language". A window appears where you can select the language to
be used for the installation and then click "OK".

The "Install Shield Assistant" is now started. It will guide you through the
installation.

Read the terms of the Welcome window carefully and click on "Next". Note the
following message and deactivate any VPN Client and Personal Firewall of
another manufacturer to avoid data loss.

The next window displays the Software License Agreement. In order to proceed
with the installation of the licensed version click on "Yes". Clicking "No"
will stop the installation process.

Default directory for installation is:

  Programs\Funkwerk Secure IPSec Client

(Under Windows Vista it could also be:
  Program Files\Funkwerk Secure IPSec Client)

Independently of "Typical" or "Custom" installation you can select any folder
for the software installation by clicking on "Browse". This is particularly
important if the user should have no rights on the system root directory.

If you select "Standard Installation" in this window the installation will
continue automatically and the setup is finished.

By selecting the "Custom" Installation you can define settings according to
your requirements.

In the following window of the "Custom" Installation you define the program
folder for the client software. (Default setting: "FEC Secure IPSec Client").

In the next window you can define whether the Program Icon should be displayed
on the desktop or not.

Please contact your system administrator or your internet service provider for
additional information about your communication gateway.

Communication with DHCP (Dynamic Host Configuration Protocol) means that a
temporary IP Address will be assigned automatically for each communication
session. If required, click on "Obtain an IP Address from DHCP Server".
If you "Specify an IP Address", enter the IP address in this window.

Default Gateway: If a network adapter with a Default Gateway is already
installed, you will have to delete this Default Gateway Address. It is not
possible to have more than one network adapter with a Default Gateway.

DNS Address: You should only enter a DNS Address if you have been assigned one
from your system administrator or ISP.

Thereafter you can define whether a logon to a remote domain should occur
after establishing a connection to the remote destination's NAS, which may
necessitate entering the PIN for your certificate and/or your Password (if not
already stored in the Client Software). After establishing a connection to the
remote destination's NAS, you can log on to the remote domain. This logon will
be encrypted.

Please note: Activate this option before the Windows logon, thus the NCP Gina
will also be automatically installed. The logon options can also be used only
if the NCP Gina is installed after the Windows Gina - which is possible in
this setup window.

These logon options can be set via the Monitor menu of the Client under
"Configuration". If the logon option is not activated here, and if it will be
used at a later point in time, then the NCP Gina can be permanently installed
after this setup using the command

  rwscmd /ginainstall

See the description "Secure Client Services" in this regard, in the appendix
of this manual.

The data will now be copied from the installation CD or removable disk. The
associated network components will now be installed.

This completes the installation of the Client Software. Click the "Finish"
button.

Before using the Client Software it is necessary to reboot your PC. Click on
"Yes, I want to restart my computer now" and then click on "Finish" to reboot
your PC.

2.3 Updating and Uninstalling
-------------------------------------------------------------------------------

If you are already using a previous version of the Software it will be
detected when attempting to install the new Client Software. If this is the
case, then you will be asked if you wish to update your current Client
Software to the newer version now in your possession. During the update the
current profile settings, certificate data and call control manager statistics
will be applied to the new client.

In order to uninstall the Client Software go to: "Start" -> "Settings" ->
"Control Panel". Now click on "Add/Remove Software" and then select the client
from the list of programs and then click on the "Add/Remove" button. The
Uninstall Shield Program will now delete the client software from your PC.

Important: After the removal of the software components, the profile and
configuration settings are still saved and can be restored in the event a
newer version of the client is installed. In order to completely delete
everything, manually remove the installation directory.

===============================================================================
Funkwerk Enterprise Communications GmbH, February 2008