The Novell BorderManager VPN client software allows a workstation to communicate securely over the Internet with a network protected by a Novell VPN server.
The following features are available in the VPN client software.
The NBM 3.8 VPN Client needs the user's X.509 certificate and the server's trusted root certificate to perform IKE main mode authentication. Copy both to the workstation from which the VPN client is run: the user certificate to <drive>:\novell\vpnc\certificates\users and the trusted root to <drive>:\novell\vpnc\certificates\trustedroot. A .pfx user certificate file contains the user's private key, so restrict access to the users directory to the user who owns the certificate.
The VPN Client can retrieve the user certificate from Novell eDirectory. This requires the Novell Client to be installed; if it is, the retrieve option is enabled for the user. To retrieve a user certificate, provide the username, password, context, tree, IP address (optional) and the user certificate name (only the name, for example adminCert). The certificate is retrieved and stored under <drive>:\novell\vpnc\certificates\users as AdminCert.pfx. If the user has more than one certificate, they are stored as AdminCert(n).pfx (n = 1, 2, ...).
In IKE mode of authentication, the user can set the IKE and IPsec parameters by clicking the policy editor on the VPN tab. This policy is proposed to the VPN server and is used only if the server does not impose a policy of its own.
The Novell VPN client is integrated with Novell Modular Authentication Service (NMAS). NMAS works with the Novell Client; install the Novell Client to use the NMAS functionality.
Select the NMAS option in the Configuration tab and provide the NMAS user information and credentials in the eDirectory tab. In the VPN tab, provide the VPN server IP address and the NMAS sequence (for example, NDS/eDirectory, Universal Smart Card, Simple Password and so on). If the credentials for the method have not already been entered, the method pops up a dialog box to request them.
Select NMAS and check the LDAP box in the Configuration tab. Go to the VPN tab and enter the VPN server IP address and the LDAP user DN (for example, CN=Admin,O=Novell). The LDAP method pops up a dialog box for the credentials.
Select Backward Compatibility mode in the Configuration tab and provide eDirectory credentials in the eDirectory tab. In this mode the NBM 3.8 Client talks to the NBM server (BMEE 3.6, NBM 3.7 or NBM 3.8) in SKIP mode. ActiveCard token authentication is enabled if NMAS is installed on the client, and it works only if the ActiveCard token method is configured for the user in eDirectory. The VPN tab requires the credentials for the ActiveCard token method.
Select Pre-shared Authentication mode in the Configuration tab. Go to the VPN tab and provide the password for the pre-shared key configured on the VPN server.
This version of the Novell VPN Client integrates into the Novell Client for Windows 98, Windows NT, Windows 2000 or Windows XP Home. Restart the machine after installing the new VPN client; during the restart the VPN client integrates with the Novell Client. Once the system comes up, the Novell Login screen has a Location drop-down list containing the default entry as well as an entry for the VPN capabilities. Select the location that matches the operation to be performed.
Four new tabs are available that can be configured in a Service Instance by selecting Novell Client32 Properties. The four tabs do the following:
This version of the VPN client for Windows 98, Windows Me, Windows NT, Windows 2000 and Windows XP uses NICI (128-bit) encryption, because NICI is not subject to export restrictions.
If NICI 1.7.0 (128-bit version) is not installed, the VPN Setup program installs it. This version of NICI overwrites NICI 1.5.7 (56-bit) or NICI 1.5.3 (56/128-bit), but not NICI 2.6.0. If NICI 2.6.0 is installed, NICI 1.5.7 and 2.6.0 will co-exist.
On Windows 98 and Windows Me, you may select a dial-up entry of any server type. Previously (with Novell BorderManager Enterprise Edition 3.0), you could select only dial-up entries of type Novell Virtual Private Network. All entries must be configured to negotiate TCP/IP connections only. If you want to invoke the VPN client from Dial-Up Networking instead of from vpnlogin.exe, the dial-up entry you select from Dial-Up Networking must be of server type Novell Virtual Private Network; otherwise vpnlogin.exe is not spawned after the dial-up connection has been established.
On Windows NT, you may select a dial-up entry of any server type. There is no Novell Virtual Private Network server type from the Dial-Up Networking selection on Windows NT.
If dial-up is required, install Dial-Up Networking before installing the VPN client.
When you select a dial-up entry from VPNLogin.exe, choose entries that do not enable Point-to-Point Protocol (PPP) compression. Encrypted data does not compress, so compressing it only adds CPU overhead without reducing the size of the packets being sent.
Install the modem, then install VPN Client.
During VPN client installation, if you choose to use Dial-Up Networking, the VPN client installation creates a Novell VPN dial-up entry for you.
During VPN Client login, an eDirectory user is notified if the eDirectory password has expired and grace logins are being used. The user is also given the option to change the eDirectory password during VPN Client login; the same option is available from the VPN Client system tray icon. The change password option is offered only when the user logs in to VPN/NetWare from the VPN Client application with eDirectory credentials. Change Password fails for a contextless login, because it requires the full eDirectory user credentials.
The policy the administrator specifies in eDirectory is applied on the client. If the policy for a VPN user is changed while that user's VPN session is active, the change does not take effect until the next session.
This version of the VPN client supports silent install, which allows the installation to complete without user input. If the Dial-Up option is selected, some user intervention may still be required if the workstation does not have the Dial-Up Networking or RAS components.
To use this feature, run SETUP.EXE with a switch that creates a response file containing the answers to all the questions normally asked during installation. Because this includes the selection of the dial-up client, the LAN client or both, you may need to create multiple response files for different user needs.
After creating the response file, run SETUP.EXE with a different switch to use the response file so that the installation requires minimal user intervention. A further switch generates a log file for the silent install, which can be used to verify that the install completed successfully or to diagnose why it failed. Examples of these switches are given below.
You may often need to do a silent install on workstations that have different versions of Windows. If Windows or the Novell Client was installed from CD, the VPN client install asks for those installation CDs. Because the responses to these prompts depend on the version of Windows installed, it is best to create a response file that queries the user for the installation CDs if needed.
To create this kind of a response file:
Perform a normal install of the VPN client without creating a response file. This installation may ask for the Windows and/or Novell Client CDs; proceed normally through the installation.
After rebooting, run SETUP.EXE again, this time creating the response file. This reinstall does not query for the Windows or Novell Client CDs, so the generated response file contains no answer for those prompts. Because there is no answer in the response file, the user is queried for the Windows or Novell Client CDs if they are needed.
To verify that the response file works, run the installation in silent mode on a workstation that does not have the VPN client installed. The install log file should show ResultCode=0.
The silent install feature works only with the SETUP.EXE under the disk1 directory; it does not work with the self-extracting exe.
The silent install feature is enabled by executing SETUP.EXE under the disk1 directory with certain command-line options. The available options for SETUP.EXE are:
Depending on which of the two options is used, the -f1 and -f2 options may also be used to specify file names.
To use the silent install feature:
Create a response file by issuing the following command from disk1 of the VPN client disks:
setup.exe -r -f1"<RESPONSE_FILE>"
where <RESPONSE_FILE> is the absolute path and name of the response file. The -f1"<RESPONSE_FILE>" option may be omitted, in which case a response file named SETUP.ISS is created in the Windows or WinNT directory. For example,
setup.exe -r -f1"c:\temp\setup.iss" executes the installation and saves the input to c:\temp\setup.iss
NOTE: When using the -f1 and -f2 switches, do not put a space between the switch and the opening quotation mark. For example, -f1 "filename" does not work; -f1"filename" works.
Execute the installation based on previously captured input by issuing the following command from disk1 of the VPN client disks.
setup.exe -s -f1"<RESPONSE_FILE>" -f2"<LOG_FILE>"
where <RESPONSE_FILE> is the absolute path and name of the response file, and <LOG_FILE> is the absolute path and name of the log file.
For example, setup.exe -s -f1"c:\temp\setup.iss" -f2".\setup.log" executes the installation, taking input from setup.iss in the c:\temp directory, and records the result in the file setup.log in the same directory as setup.exe.
Verify that the silent install was successful by checking the contents of setup.log. You should see a result section with the following:
[ResponseResult]
ResultCode=0
A value of 0 for ResultCode indicates that installation was successful. A nonzero value indicates failure. The possible ResultCode values are:
The most common installation error code is -12. An error condition usually displays an error message dialog box that requires user input, such as clicking OK to acknowledge the error. Because that response is not in the response file, the silent install process assumes that the response file has the dialog boxes out of order and reports error -12.
A batch file can further automate the silent install process. For example, you could create the following INSTALL.BAT in the DISK1 subdirectory:

setup.exe -s -f1"c:\vpninst\disk1\response.txt" -f2"c:\temp\vpninst.log"
rem This assumes that the VPN client has been extracted to c:\vpninst.
rem It could be on a network drive, or somewhere else.

Do not put a space between -f1 and the quotation mark. When the VPN Login icon appears on your desktop, reboot; the VPN client installation is then complete.
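The following Python helper is an added example, not part of the Novell readme or of the VPN client itself. It builds the SETUP.EXE command lines described above (with the file name glued to -f1/-f2, no space) and checks the -f2 log for the [ResponseResult] ResultCode, treating 0 as success and -12 as the dialog-out-of-order case the readme describes; any other nonzero code is reported as a generic failure because this page does not list the remaining values. The sample log contents and all function names are constructed for the example.

```python
"""Build NBM 3.8 VPN client silent-install command lines and check setup.log.

Example helper only; not Novell's code. Function names and the sample
log texts below are constructed for illustration.
"""
import configparser
from typing import Optional, Tuple

# Constructed sample logs, modelled on the [ResponseResult] section shown
# in the readme. A real setup.log written by -f2 may contain more sections.
SAMPLE_LOG_OK = "[ResponseResult]\nResultCode=0\n"
SAMPLE_LOG_DIALOG = "[ResponseResult]\nResultCode=-12\n"


def build_setup_cmd(mode: str, response_file: str,
                    log_file: Optional[str] = None,
                    setup_exe: str = "setup.exe") -> str:
    """Return the setup.exe command line for 'record' (-r) or 'silent' (-s).

    The file name follows -f1/-f2 immediately, with no space before the
    opening quote, as the readme requires.
    """
    if mode not in ("record", "silent"):
        raise ValueError("mode must be 'record' or 'silent'")
    for path in (response_file, log_file):
        if path is not None and '"' in path:
            raise ValueError("file names may not contain double quotes")
    parts = [setup_exe, "-r" if mode == "record" else "-s",
             f'-f1"{response_file}"']
    if log_file is not None:
        parts.append(f'-f2"{log_file}"')
    return " ".join(parts)


def parse_result_code(log_text: str) -> Optional[int]:
    """Return ResultCode from the [ResponseResult] section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(log_text)
    except configparser.Error:
        return None
    if not cp.has_option("ResponseResult", "ResultCode"):
        return None
    try:
        return cp.getint("ResponseResult", "ResultCode")
    except ValueError:
        return None


def explain_result(code: Optional[int]) -> Tuple[bool, str]:
    """Classify a ResultCode as (success, explanation) using the readme's meanings."""
    if code is None:
        return (False, "no [ResponseResult] ResultCode in log: setup wrote no result")
    if code == 0:
        return (True, "installation succeeded")
    if code == -12:
        return (False, "error -12: setup showed a dialog that has no answer in the "
                       "response file (dialogs assumed out of order); rerun "
                       "interactively to see the error message")
    return (False, f"installation failed with ResultCode={code}")


def check_install_log(path: str) -> Tuple[bool, str]:
    """Read a setup.log written by -f2 and classify its result."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return explain_result(parse_result_code(fh.read()))
    except OSError as exc:
        return (False, f"cannot read log: {exc}")


if __name__ == "__main__":
    print(build_setup_cmd("record", r"c:\temp\setup.iss"))
    print(build_setup_cmd("silent", r"c:\temp\setup.iss", r"c:\temp\setup.log"))
    for sample in (SAMPLE_LOG_OK, SAMPLE_LOG_DIALOG):
        print(explain_result(parse_result_code(sample)))
```

On a workstation you would run the string returned by build_setup_cmd from the disk1 directory and then call check_install_log on the -f2 log file; a nonzero or missing ResultCode means the install should be repeated interactively to see which dialog the response file did not cover.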
If a file named vpnconfig.txt is present in the VPN client installation directory Disk1, the installation program reads the VPN server addresses, authentication mode, NetWare server IP address, NMAS sequences, eDirectory context, whether to enable eDirectory login, and so on from this file and writes them to the workstation's Registry.
The syntax template for this text file is included in Disk1. You can modify the template to suit corporate requirements; the template is self-explanatory.
If your VPN server is also your firewall, the exception filters that allow this traffic to pass through are already configured. The filters must be updated during VPN configuration.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 1997-2001, 2002, 2003, 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
All third-party products are the property of their respective owners.