Connect Tunnel for Windows

Introduction

The Connect Tunnel client is a Windows client component of the Secure Mobile Access (SMA) solution, which enables secure, authorized access to Web-based and client/server applications, and Windows file shares.

Overview of Connect Tunnel

Running Connect Tunnel

Quitting Connect Tunnel

Configuring Connect Tunnel Settings

Updating the Connect Tunnel Software

Troubleshooting

Overview of Connect Tunnel

The Connect Tunnel client enables you to connect to network resources that are protected by the Secure Mobile Access E-Class SRA appliance.

Resources Available from Connect Tunnel

How to Tell if Connect Tunnel is Running

Resources Available from Connect Tunnel

Connect Tunnel enables you to securely access the following types of resources:

Resource type: Description

Client/server resources: Client/server applications, thin client applications, and terminal services, such as Microsoft Outlook, Citrix, and Windows Terminal Services.

Web sites and applications: Web content and Web-based applications that can be accessed through a browser, such as Microsoft Outlook Web Access, Domino Web Access, and general Web sites (such as intranets).

Windows network shares: Shared Windows folders and files through Windows Network Neighborhood, and mapped drives.

How to Tell if Connect Tunnel is Running

When Connect Tunnel is running and connected to the VPN, an icon may appear in the taskbar notification area. If you pause on the icon with your cursor, connection status information will appear.

You can configure Connect Tunnel to not display this icon during active connections; for more information, see Configuring General Settings.

You can also verify the state of the Connect Tunnel VPN connection in the Windows Network Connections window.

To view connection status information:

1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system.

– Windows Vista: Click Network and Sharing Center, and then click Manage network connections. The Network Connections window appears.

– Windows 7: Click Network and Internet, then click Network and Sharing Center, and then click the Connect to a network link. This displays all available wireless, wired, dial-up, and VPN connections.

2. On the View menu, click Details.

3. In the Dial-up section, view connection status information for the Connect Tunnel connection. (Note that your administrator may have customized the name of this application.)

If Connect Tunnel experiences a temporary network interruption, a red circle with an X appears on the Connect Tunnel icon in the taskbar notification area. If the network connection is reestablished, the red circle with the X disappears and the Connect Tunnel icon returns to its normal state.

Running Connect Tunnel

This section describes how to run the Connect Tunnel client.

Downloading Connect Tunnel

Starting Connect Tunnel

Specifying a Login Group

Processing Server Certificates

Downloading Connect Tunnel

Connect Tunnel can be downloaded from the WorkPlace menu. You must have administrator privileges to install the software. Your administrator will make it available to you.

1. Log in to WorkPlace. Depending on your configuration, your administrator might issue you a one-time password that allows you to download Connect Tunnel.

2. Enter the password that was sent to you. The WorkPlace application will come up. You will now be able to download the software.

3. In WorkPlace, click the entry for Install Connect Tunnel.

4. Click Install. When the installation is complete, log out of WorkPlace.

Starting Connect Tunnel

To access network resources through Connect Tunnel, you must first verify your identity. This ensures that only authorized users can access protected network resources. The credentials used to verify your identity typically consist of a username and password (or passcode). Depending on the resources, you may also need to enter a one-time password and/or accept an Acceptable Use Policy.

To start Connect Tunnel:

1. Click the Start button, point to All Programs, point to Connections, select the Connect Tunnel connection you want to use, and then click the Connect button. (Your administrator may have customized the name of this application.)

2. You will see an initial login screen.

3. In the Connect Tunnel login dialog box, enter your authentication credentials. Depending on how your administrator has configured Connect Tunnel, you may see a combination of these prompts:

– Type your username in the Username box.

– In the Password or Passcode box, type your password or passcode. (Passwords may be case-sensitive. Make sure the Caps Lock or Num Lock keys are not enabled.)

– Enter a one-time password that was sent to you by your administrator.

– If a client certificate is required for authentication, the Certificate list displays the ones on your device that match the certificate authority (CA) used by the authentication server. Often there will be only one listed.

4. If an Acceptable Use Policy is displayed, click Accept to accept it.

5. Click Connect.

The Connect Tunnel icon appears in the taskbar notification area, indicating that Connect Tunnel is running and connected to the VPN.

Your login may not be exactly the same as that shown above. Your administrator could send you a login that allows you to connect to a specific network.

Note: In the Connect Tunnel login dialog box, you can click Properties to display the Connect Tunnel Properties dialog box, where you can initiate a different connection or change program preferences. For more information, see Configuring Connect Tunnel Settings.

Specifying a Login Group

Connect Tunnel enables you to log in to different groups if necessary (for example, if you alternate between logging in to the “Sales” group and the “Marketing” group). You may need to provide different authentication credentials for each login group.

You must specify a login group each time you initiate a connection to your VPN. This option is available only when Connect Tunnel is offline (that is, when not connected to your VPN). You must have administrator privileges on your computer in order to change this setting.

To specify the login group:

1. In the Secure Mobile Access VPN Connection login dialog box, click Properties.

2. Click the Connections tab, and then, to the right of the Login group box, click Change. The Secure Mobile Access VPN Connection Login Groups dialog box appears and displays the current list of login groups.

3. In the Select or enter your login group box, select or type the name of the login group you want to log in to. If the correct login group does not appear in the list, click Refresh to update the list of available login groups.

Depending on how your administrator configured Connect Tunnel, some login groups may not appear in the list; however, you can still log in to a “hidden” login group (if you are authorized to do so) by typing its name in the Select or enter your login group box.

4. Click OK.

Processing Server Certificates

Some VPN configurations require that you accept a server certificate before you can gain access to a protected network resource. A server certificate is essentially a digital signature that verifies a server’s identity.

If you access a network resource that uses a server certificate, Connect Tunnel may display the certificate. You must then verify that the server certificate is from a trusted source before accepting it.

Because anyone can issue a certificate, you should accept certificates only from trusted sources. Otherwise, the information you receive may be invalid. If you have any concerns about whether to accept a certificate, check with your administrator.

To process a server certificate:

1. When a trusted certificate appears, verify that the certificate is associated with the correct server.

2. Accept or reject the certificate:

– If you click Reject, your connection is not established.

– If you click Accept, the certificate is accepted as valid, and the login process will continue.

Similarly, you may be asked to accept a license agreement or Acceptable Use Policy.

Quitting Connect Tunnel

This section describes how to quit the Connect Tunnel client with Smart Tunneling. Note that quitting Connect Tunnel will end your VPN session and disconnect you from the remote network.

To quit Connect Tunnel:

• In the taskbar notification area, right-click the Connect Tunnel icon, and then click Disconnect.

Configuring Connect Tunnel Settings

This section describes how to view and configure the Connect Tunnel client with Smart Tunneling settings. You must have administrator privileges on your computer in order to change any of these settings.

Viewing Current Connect Tunnel Settings

Configuring General Settings

Connecting to a Different VPN

Establishing an Initial Network Connection

Viewing Current Connect Tunnel Settings

This section describes how to view the current settings for Connect Tunnel.

To view current Connect Tunnel settings:

1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system.

– Windows Vista: Click Network and Sharing Center, and then click Manage network connections. The Network Connections window appears.

– Windows 7: Click Network and Internet, then click Network and Sharing Center, and then click the Connect to a network link. This displays all available wireless, wired, dial-up, and VPN connections.

2. In the Dial-up section, right-click the name of the Connect Tunnel connection (your administrator may have customized the name of this application), and then click Properties. The Connect Tunnel Properties dialog box appears.

3. Review the information on the Connection and About tabs:

– Click the Connections tab to view the current connection settings.

– Click the About tab to view basic information about the application.

– Click File Info on the About tab for more detailed information.

Configuring General Settings

This section describes how to configure general settings for Connect Tunnel.

To configure general Connect Tunnel settings:

1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system.

– Windows Vista: Click Network and Sharing Center, and then click Manage network connections. The Network Connections window appears.

– Windows 7: Click Network and Internet, then click Network and Sharing Center, and then click the Connect to a network link. This displays all available wireless, wired, dial-up, and VPN connections.

2. In the Dial-up section, right-click the name of the Connect Tunnel connection (note that your administrator may have customized the name of this application), and then click Properties. The Connect Tunnel Properties dialog box appears.

3. Click the Connections tab, and configure the Connection settings as necessary:

– To display a status bar during the connection process, select the Display progress while connecting check box.

– To display the Connect Tunnel icon in the taskbar notification area during active connections, select the Show icon in notification area when connected check box.

– To display a notification if the network connection is experiencing limited or no connectivity, select the Notify me when this connection has limited or no connectivity check box.

– To display a prompt to establish a new connection if network connectivity is lost, select the Prompt to connect if connection is lost or dropped check box.

4. Click OK.

Connecting to a Different VPN

This section describes how to specify a different VPN to connect to.

To specify the host name or IP address of the VPN:

1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system.

– Windows Vista: Click Network and Sharing Center, and then click Manage network connections. The Network Connections window appears.

– Windows 7: Click Network and Internet, then click Network and Sharing Center, and then click the Connect to a network link. This displays all available wireless, wired, dial-up, and VPN connections.

2. In the Dial-up section, right-click the name of the Connect Tunnel connection (note that your administrator may have customized the name of this application), and then click Properties. The Connect Tunnel Properties dialog box appears.

3. Click the Connections tab, and then, in the Host name or IP address of the VPN box, type the host name or the IP address of the VPN you want to connect to.

4. Click OK.

Configuring Connections

This section tells how to specify additional connections.

Clicking the Properties button on the login menu takes you to the Connections tab, which contains the list of connections and their associated properties, along with operations for modifying, adding, and deleting connections.

On the Connections tab is the Connections list: a list of connections configured for this client machine. Selecting one item from the list populates all data fields under the Properties section for both the Connection and Logging tabs.

Default Connection is a connection you can use to modify and/or connect to an appliance to pull down the administrator-defined list of connections.

The Properties section is hidden for connections defined by the AMC administrator and visible for Default Connection.

The Connections tab contains general parameters for the selected connection.

Connection Name shows a user-friendly name for the connection, used in the connection display list. It is disabled for Default Connection.

Configuring a Default Connection

The login for your Connect Tunnel may have the option for default connections. In this case, Default Connection is available in the Connections list.

If Default Connection is selected, clicking the Properties button brings up the Connections Properties window.

This tab displays information about the Host name and Login group (Realm). If you wish to change login groups, clicking Change will allow you to choose from a list of your current login groups. If no other groups are available, click Cancel to return to the Connection window.

The Network Conflict Resolution section allows you to choose what type of network conflict resolution should be performed. If Network Conflict Resolution is administrator controlled by community settings, this section is not available.

The First Connect section allows you to establish an Internet connection prior to establishing a VPN connection. This is most often used when establishing connections by running dialup over VPN. To use this option, select the Establish this connection from checkbox and then select from the drop-down list of connections.

Display progress while connecting is an option that controls whether or not to display the logon sequence messages while the connection is being established. This includes, but is not limited to: Authentication, EPC Checks and VPN Establishment.

Show icon in notification area is an option that lets you specify whether or not the Secure Mobile Access VPN Connection icon (Knight head) is displayed in the Windows system tray.

Notify me when this connection has limited or no connectivity is an option that lets you see messages about possible connection problems (slowness, packet loss, etc.) that may be incurred while Connect Tunnel is running.

Prompt to connect if connection is lost or dropped is an option that controls whether or not the Secure Mobile Access VPN Connection window (CTW-1) pops back up if the connection is dropped or lost for any reason.

When finished making your choices, click OK. Connect Tunnel saves the current configuration and closes the Connection Properties window.

Establishing an Initial Network Connection

In some cases, you may need to establish a network connection before you can connect to the VPN; this is usually necessary only if you use a dial-up connection to connect to the Internet. This section describes how to configure a connection that must be established before you connect to the VPN.

To configure a first connection:

1. On the Start menu, click Control Panel. Continue with the following steps depending on your operating system.

– Windows Vista: Click Network and Sharing Center, and then click Manage network connections. The Network Connections window appears.

– Windows 7: Click Network and Internet, then click Network and Sharing Center, and then click the Connect to a network link. This displays all available wireless, wired, dial-up, and VPN connections.

2. In the Dial-up section, right-click the name of the Connect Tunnel connection (note that your administrator may have customized the name of this application), and then click Properties. The Connect Tunnel Properties dialog box appears.

3. Click the Connections tab and then, under First connect, select the Establish this connection first check box.

4. From the list, select the connection that must be established first, and then click OK.

Updating the Connect Tunnel Software

Your network administrator may issue software updates when a new version of the Connect Tunnel software becomes available, or when your network requirements change. Your administrator determines whether to make software updates available to you, and when.

If your administrator has enabled Connect Tunnel software updating, an alert appears during the login process whenever a Connect Tunnel update is ready for download.

To download and install a software update:

• During login, if the Connect Tunnel Software Update dialog box appears and indicates that a software update is available, choose one of the following options. The available options depend on how your administrator has configured software updating:

– Click Update to immediately download and install the software update. If you select this option, the software update will be installed, and then the login process will continue.

– Click Remind Me Later to postpone the software update and continue logging in. If you select this option, Connect Tunnel will reprompt you (once per day) until you download and install the update by clicking Update. Depending on how your administrator has configured Connect Tunnel, this option may be unavailable.

– Click Cancel to cancel the software update and the login process.

Troubleshooting

This section describes how to troubleshoot basic Connect Tunnel client problems. If you are having trouble connecting to your VPN, or accessing local or remote network resources, see if your problem is addressed by the following. If the problem persists, contact your system administrator.

Unable to Connect

Unable to Access Resources or the Internet

Unable to Connect

Here are a few items to check if you are having trouble connecting to your VPN:

• Make sure that Connect Tunnel is running and actively connected to the network. For more information, see How to Tell if Connect Tunnel is Running.

• Verify in the Connect Tunnel Properties dialog box that you are initiating a connection to the correct host name or IP address. For more information, see Connecting to a Different VPN.

• Verify in the Connect Tunnel Properties dialog box that you are initiating a connection to the correct login group. For more information, see Specifying a Login Group.

• If you use a personal firewall, you may need to configure the firewall before you can access your VPN. To do this, configure the firewall to allow ngvpnmgr.exe traffic to access the Internet, and add the VPN’s host name or IP address as a trusted host or zone.

• Authentication may require that you have a particular client certificate on your device. If you make changes to the certificates installed on your computer between logon attempts, update the list presented during login by clicking Refresh.

Unable to Access Resources or the Internet

Your device may have been classified into the wrong security zone:

• Your administrator may ask you to confirm the security zone into which you have been classified. If security zones have been configured, you can view your current zone by pausing on the Connect Tunnel icon in the taskbar notification area with your cursor.

When requests for resources or Internet access are received from clients by the appliance, they can be handled a few different ways. Your administrator makes this configuration choice in AMC:

• In split tunnel mode, only traffic destined for resources that have been specified in AMC is redirected to the appliance, and all other traffic is routed as normal. In other words, your administrator sets up a list of resources that are kept secure because they are accessible only through the appliance, but you have open access to anything that’s not spelled out in the resource list (for example, other Internet sites).

• In redirect all mode, which is the more secure (and restrictive) approach, all traffic is redirected through the appliance: you are not allowed to access anything that is not in the list of allowed resources.

• Your administrator can opt to give you access to local printers and file shares, regardless of the tunnel mode.

If you are having trouble accessing resources, your administrator may instruct you to make a change in the Secure Mobile Access VPN Connection Properties dialog box, on the Connections tab. The Network conflict resolution options are available only when your administrator has configured you for split tunnel mode. If you need to make a configuration change, it must be done while the Connect Tunnel is disconnected.

For example, let’s say you have a host resource—a Web server—with an address of 192.168.230.1. You are on a business trip and the printer you want to use is on a local network at a conference center, and it uses that same address. You are using a realm that is configured for split tunnel mode, and your administrator has opted to give you access to local printers and file shares. To enable you to print at the conference center, your administrator may instruct you to open the Secure Mobile Access VPN Connection Properties dialog box, click the Connections tab, and then click Prefer local network resource access for your session.
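The routing behavior described above, modeled as an added example (this is not code from the product or its vendor, and not the appliance's actual algorithm). The 10.20.0.0/16 resource, the 192.168.230.0/24 conference-center subnet, the class and field names, and the rule that a protected resource wins an address conflict unless Prefer local network resource access is selected in split tunnel mode are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data. 192.168.230.1 is the Web server from the text;
# the other networks are assumptions made for this example.
RESOURCES = ["192.168.230.1/32", "10.20.0.0/16"]   # resource list defined in AMC
LOCAL_NETWORKS = ["192.168.230.0/24"]              # conference-center LAN


@dataclass
class TunnelPolicy:
    """Simplified model of the tunnel modes described in this section."""
    mode: str                   # "split" or "redirect_all"
    resources: list             # networks reachable only through the appliance
    local_networks: list        # networks the client is directly attached to
    local_access: bool = False  # admin allows local printers and file shares
    prefer_local: bool = False  # "Prefer local network resource access"

    def __post_init__(self):
        if self.mode not in ("split", "redirect_all"):
            raise ValueError(f"unknown tunnel mode: {self.mode!r}")
        self.resources = [ipaddress.ip_network(n) for n in self.resources]
        self.local_networks = [ipaddress.ip_network(n) for n in self.local_networks]

    def conflicts(self):
        """Return (resource, local network) pairs whose address ranges overlap."""
        return [(str(r), str(l))
                for r in self.resources
                for l in self.local_networks
                if r.overlaps(l)]

    def route(self, dest):
        """Return 'tunnel', 'local', 'direct' or 'blocked' for a destination IP."""
        addr = ipaddress.ip_address(dest)
        is_resource = any(addr in n for n in self.resources)
        is_local = any(addr in n for n in self.local_networks)

        if is_resource and is_local:
            # Address conflict: the conflict-resolution option exists only in
            # split tunnel mode. Assumed default: the protected resource wins.
            if self.mode == "split" and self.prefer_local:
                return "local"
            return "tunnel"
        if is_resource:
            return "tunnel"
        if is_local and self.local_access:
            # Local printers and file shares, allowed regardless of tunnel mode.
            return "local"
        # Everything else: normal routing in split tunnel mode, refused in
        # redirect all mode because it is not in the list of allowed resources.
        return "direct" if self.mode == "split" else "blocked"


if __name__ == "__main__":
    policy = TunnelPolicy("split", RESOURCES, LOCAL_NETWORKS,
                          local_access=True, prefer_local=True)
    print("overlapping ranges:", policy.conflicts())
    for ip in ("192.168.230.1", "10.20.5.5", "203.0.113.10"):
        print(ip, "->", policy.route(ip))
```

With prefer_local set, traffic addressed to 192.168.230.1 goes to whatever device holds that address on the local network rather than to the protected Web server, which is why conflicts() is worth checking before the setting is changed.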

Working With Logs

You may need to respond to an administrator request to enable debug logs, to reproduce a problem, or download logs for another reason.

1. To enable logging, click the Properties button.

2. Click on the Logging tab.

3. First, clear the existing log by clicking Clear Logs, then click Apply.

4. Select the checkbox for Enable Debug Logging and click OK. Let the log run for the specified time.

The log will be named according to the formula:

ngutil-YYYYMMDD_at_HHMMSS.txt

5. When you want to export the log, come back to the Settings tab, click Export Logs and then click OK.