Getting Started - Client VPN

Symantec Client VPN v9.0

This chapter includes the following topics:

- What is new in this release
- System requirements
- Documentation
- Upgrading to Symantec Client VPN version 9.0
- Driver signing on Windows 2000 and Windows XP
- Installing Symantec Client VPN version 9.0
- Obtaining configuration information and logon credentials
- Configuring Symantec Client VPN
- Configuring tunnels that do not support VPN policies
- Configuring a certificate
- Establishing a security gateway connection
- Online Help
- Information on the Symantec Web site
- Staying current
- Media Replacement
- Symantec Educational Services
- Symantec Technical Support

Symantec Client VPN lets a remote user with Internet access securely connect to and use resources on a private network as if the remote workstation was physically located inside the protected network.

This guide provides initial instructions for using Symantec Client VPN v9.0. For more detailed instructions, see the Symantec Client VPN User's Guide.

What is new in this release

Before you begin, obtain your configuration information and logon credentials from your system administrator.

Client compliance

A new client compliance feature on the Symantec Gateway Security 5000 Series requires that clients connecting to it by way of Client VPN or Clientless VPN are secured to a set of standards configured on the security gateway. To meet Client Compliance standards when connecting to a Symantec security gateway, you must have Symantec Client Security and Sym Sentry installed and enabled on the client computer. The Sym Sentry component is on the Symantec Client Security CD in the Sentry folder.

Windows system tray

A new icon in the Windows system tray lets you open the Symantec Client VPN GUI, set port controls, connect or disconnect from configured gateways, enable or disable file and print sharing, run LiveUpdate, and view the Symantec Client VPN log file.

New VPN base license

You can license an appliance for VPN only with a new base license for VPN, which includes a 25-VPN sessions license and unlimited gateway-to-gateway VPN capability. Both IPsec and SSL VPN sessions are counted by the VPN session license and can be mixed and matched as required.

Endpoint compliance

Symantec Gateway Security 5000 Series v3.0 offers enforcement over systems that connect remotely using an IPsec client or SSL VPN, to ensure that, prior to allowing access to a trusted network, the user's systems have the appropriate Symantec Antivirus version and virus definitions in place.

System requirements

Before you begin, verify that your computer meets the minimum requirements.

Operating system

- Microsoft Windows 2000: Professional, Server, or Advanced Server; with Service Pack 3 or later
- Microsoft Windows XP: Home or Professional; with Service Pack 1 or later

Hardware configuration

- 233 MHz processor
- 20 MB free hard drive space for files
- 128 MB RAM
- CD-ROM drive, if you are installing from a CD
- Microsoft TCP/IP must be installed and bound to the network adapters that are used by Symantec Client VPN.
- One or more pre-installed Network Interface Cards (NICs) or modems. Install and configure your NIC as you intend to use it with Symantec Client VPN.

Documentation

In addition to the Getting Started Guide you can find more information in the Symantec Client VPN online Help and the Symantec Client VPN documentation set. The following documents are provided in the \ClientVPN\AES_3DES_DES directory on the Symantec Client VPN CD-ROM:

- File name: ClientVPN_Users.pdf
  Title: Symantec Client VPN User's Guide
  Provides detailed instructions on installing, configuring, and connecting with the Client VPN.
- File name: ClientVPN_Admin.pdf
  Title: Symantec Client VPN Administration Guide
  Provides detailed instructions for configuring multiple Symantec Client VPN installations.
- File name: ClientVPN_ReleaseNotes.pdf
  Title: Symantec Client VPN Release Notes
  This document.

Online Help

Online Help is available from each screen of the Symantec Client VPN GUI. Click the Help button at the bottom of the screen.

CD file structure

The files on the Client VPN CD are structured as follows:

Adobe/
AdbeRdr60_enu_full.exe
AdbeRdr60_enu_full.ini
ClientVPN/
AES_3DES_DES/
(kit files)
Packager/
Documentation/
Kit/
(kit files)

Where to begin

You can find additional information about this product in the following documents:

Release Notes and Readme files

You can find release notes and readme files on the product CD-ROM and at: http://www.symantec.com/techsupp/enterprise/. Always check the Symantec web site for the latest updates.

Upgrading to Symantec Client VPN version 9.0

The upgrade process depends on the software currently installed on your system:

- If you have Symantec VPN Client version 7.0, 7.01, or 8.0, you can install Symantec Client VPN version 9.0 without uninstalling.

Note: Your existing tunnel configurations are upgraded and available once the upgrade has completed.

Driver signing on Windows 2000 and Windows XP

The Symantec Client VPN software-only device driver is required for the client to function; however, it is not signed by Microsoft. Upon installation, the Driver Signing Options behavior is set to Ignore. On Windows 2000, this prevents the display of the Digital Signature Not Found dialog box. On Windows XP, this prevents the Hardware Installation dialog box from complaining that the software has not passed Windows logo testing.

Leave this button set to Ignore while the product is installed. If you see one of these dialog boxes and you are prompted to continue installation, you must check Yes or Continue Anyway.

Installing Symantec Client VPN version 9.0

The following procedure summarizes the Symantec Client VPN installation. For a more detailed description, see the Symantec Client VPN User's Guide.

To install the Symantec Client VPN software

1 Do one of the following:
  - Insert the Symantec Client VPN CD in the CD-ROM drive. On the Welcome dialog box, click Install Symantec Client VPN.
  - Download the Symantec Client VPN software to your hard drive. In the directory to which you have downloaded, double-click setup.exe.
2 You are prompted to:
  - Agree to the software License Agreement
  - Select the Symantec Client VPN install directory
  - Select the Symantec Client VPN Program folder
  - Restart the computer

Run LiveUpdate after installation

You should run LiveUpdate after you install Symantec Client VPN to get any updates to the client software. This also lets you update other Symantec products installed on your system.

To run LiveUpdate

1 Log on to Symantec Client VPN.
2 On the Options tab, click LiveUpdate.
3 Follow the instructions on the LiveUpdate screens.

For more information, see the Symantec Client VPN User's Guide.

Obtaining configuration information and logon credentials

To connect, your remote computer must have Symantec Client VPN installed and configured to connect to the security gateway, or your administrator can provide the security gateway configurations through a Client VPN package.

If you are responsible for configuring your remote computer with Symantec Client VPN, contact your administrator to obtain the following configuration information:

- The IP address or resolvable DNS name of the security gateway to which you will connect.
- Your Client ID. This is your user name as it is defined on the security gateway.
- One of the following, depending on how you will authenticate:
  - If you will authenticate using a shared secret, the shared secret key.
  - If you will authenticate using an Entrust certificate, a certificate file and a certificate password.
- The Gateway Phase 1 ID (if applicable and if it differs from the default setting or the Security Gateway's IP address).

If your administrator has created a Client VPN package file for you, make sure that you receive the file and, optionally, a package installation password. For details about Client VPN packages, see the Symantec Client VPN User's Guide.

Configuring Symantec Client VPN

Log on to your remote computer to configure Symantec Client VPN to securely connect to a security gateway and use your protected corporate resources.

To log on

1 In the Microsoft Windows system tray, double-click the Symantec Client VPN icon.
2 On the logon screen, type a user name and password for your local profile, and then click OK. The default user name is the currently authenticated Windows user.
3 In the Verify password text box, retype your password, and then click OK.

Configuring tunnels that do not support VPN policies

If you are trying to connect to a security gateway which cannot download VPN policies and tunnel information, you must configure additional parameters on Symantec Client VPN.

To configure for connections that do not support automatic download of VPN policies and tunnel information

1 Complete steps 1 through 7 in Configuring tunnels that do not support VPN policies on page 7, except for the following:
  - In step 4, uncheck Download VPN Policy.
2 On the Advanced tab, specify the IKE policy to be used for phase 1 negotiations by doing one of the following:
  - To use a preconfigured IKE policy, select a policy from the drop-down list.
  - To create a new IKE policy, click New. Instructions for creating a new IKE policy are provided in the Symantec Client VPN User's Guide.
3 On the Tunnels tab, click New.
4 In the Secure Tunnel dialog box, in the Tunnel name text box, type a name of your choice.
5 In the Network address text box, type the IP address of the protected network behind the security gateway.
6 In the Network mask text box, type the protected network's mask.
7 In the VPN policy list, do one of the following:
  - To use a preconfigured VPN policy, select a policy from the drop-down list.
  - To create a new VPN policy, click New. Instructions for creating a new VPN policy are provided in the Symantec Client VPN User's Guide.
8 Click OK to create the tunnel, and then click OK again to configure the security gateway.

Configuring a certificate

If you will authenticate using an Entrust certificate, you need a certificate profile file and a certificate password from your security gateway administrator.

To configure your certificate

1 Use Windows Explorer to copy the certificate profile file to the directory where you installed Symantec Client VPN.
2 Log on to Symantec Client VPN.
3 On the Options tab, click Configure Certificate.
4 In the Configure Certificate dialog box, click Configure new certificate.
5 In the Entrust Profile dialog box, type the name of the Entrust certificate profile file, and then click OK.
6 In the Enter Password dialog box, type the Entrust password, and then click OK.
7 A message indicates that the certificate has been configured. Click OK.
8 In a text editor, edit the config.cf file in the ClientVPN directory.
9 Uncomment the following line:
    isakmpd.enforce_id_in_cert=0
10 Log off and then log back on to Symantec Client VPN.

When you log on, you will see a logon screen that includes a text box for the certificate password. Each time you log on you must supply this password, as it authenticates your connection.

Establishing a security gateway connection

Before you try to connect, establish an Internet connection through a modem, a digital subscriber line (DSL), or other Internet connectivity option. You can also configure Symantec Client VPN to automatically dial your service provider when you log on. See the Symantec Client VPN User's Guide.

To connect to a security gateway

1 Log on to Symantec Client VPN.
2 On the Gateways tab, select a security gateway, and then click Connect.
3 If you use extended authentication, such as a Defender token, when prompted, type any additional information such as user name and PIN, and then click OK.

Symantec Client VPN must remain running while you are connected. You can minimize it by clicking on the minimize button in the top right corner.

To disconnect from a security gateway

1 Right-click the Symantec Client VPN icon in the system tray.
2 In the menu that displays, click Disconnect <address>, where <address> is the IP address or DNS name of the security gateway to which you are connected.

Online Help

Online Help is available from each screen of the Symantec Client VPN GUI. Click Help at the bottom of the screen.

Information on the Symantec Web site

Check the Symantec Technical Support Web site (www.symantec.com/techsupp) for answers to frequently asked questions, troubleshooting tips, and the latest product information.

Staying current

Symantec issues product updates for the security gateway, which are available at the Symantec Enterprise Support Web site for download from: http://www.symantec.com/techsupp/enterprise/. To install product updates or view a list of installed hotfixes, in the SGMI, select Hotfix on the System menu.

Media Replacement

You may need to replace the media or documents if they are lost or damaged. If you need a replacement CD-ROM because it is defective, email supportsolutions@symantec.com. If you require a new CD-ROM because you have lost it, contact your Sales Representative or reseller to purchase a new media kit.

Symantec Educational Services

Symantec Educational Services offers technical product training to ensure you receive the full benefit of product functions and capabilities, and optimize the return on your security solutions investment. Symantec training provides your IT professionals, network operators, and security administrators with expert instruction, hands-on product training, lab exercises based on real-world scenarios, troubleshooting experience, and more. Students can register to attend class at a training facility, or Symantec can provide cost-effective product training on site, at your convenience. For more information, please go to http://education.symantec.com or send an email to education@symantec.com.

Symantec Technical Support

Customers with a current maintenance agreement may contact the Symantec Enterprise Support group by phone or online at: http://www.symantec.com/techsupp/enterprise/

Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at: https://www-secure.symantec.com/platinum/login.html