VPN Installation Instructions

Virtual Private Network

Overview of the MERS® System VPN Solution

Installation Instructions and

Troubleshooting Tips

(Applicable to Cisco VPN Client, Versions 5.0.01.0600 and 5.0.07.0290)

Overview of the MERS® System VPN Solution-Installation Instructions and Troubleshooting Tips 2

© Copyright 2011 Hewlett-Packard Development Company, L.P. All rights reserved.

Table of Contents

Table of Contents ......................................................................................................................................................................... 2

Overview - VPN Client................................................................................................................................................................ 3 Introduction ............................................................................................................................................................................. 3 Network/Firewall Requirements .............................................................................................................................................. 3

Installing the VPN Client ............................................................................................................................................................. 4 Verifying System Requirements .............................................................................................................................................. 5 Gathering Information You Need ............................................................................................................................................ 6 Installing the VPN Client ......................................................................................................................................................... 6 Removing a VPN Client Version Installed with MSI Installer ................................................................................................ 9 Creating a New Connection Entry ......................................................................................................................................... 11 Group Authentication ............................................................................................................................................................ 13

Configuring the VPN Client to Auto-Connect ........................................................................................................................... 15

Troubleshooting ......................................................................................................................................................................... 18 Windows 2000 (only) Requires Adding Client for MS Networks for Dialup Connections ................................................... 18 Upgrading from Windows XP Requires a Clean Installation ................................................................................................ 18 Aladdin Runtime Environment (RTE) Issue with Windows 2000 ........................................................................................ 18 Microsoft MSN Installation ................................................................................................................................................... 18 WINS Information Might Not Be Removed from Windows Servers If Not Disconnected Before Shutdown ...................... 18 DNS ....................................................................................................................................................................................... 19 Network Interfaces ................................................................................................................................................................. 19 Microsoft Outlook Error Occurs on Connection or Disconnect ............................................................................................ 19 Problem Installing VPN Client .............................................................................................................................................. 19



Overview - VPN Client

Introduction The VPN Client is an application that runs on a Microsoft® Windows®-based PC and other platforms that meets the system requirements for sections defined in the following page.

The VPN Client on a remote PC, communicating with the MERS® System Cisco VPN device, creates a secure connection over the Internet that allows you to safely access your MERS® System FTP directory as if you were an on-site user. This secure connection is a Virtual Private Network (VPN). The VPN Client allows customers to take advantage of VPN technology utilizing IP Security (IPSec). VPN provides the most robust remote access environment to remote users. Simple to deploy and operate, the Cisco VPN Client is used to establish secure, end-to-end encrypted tunnels to the MERS® System environment.

Network/Firewall Requirements The VPN Client is an internet solution that utilizes certain firewall ports and incorporates certain protocol types to create the secure connection. Your firewall technician may be required to modify your company’s firewall settings to allow the VPN connection to be established. The following Ports must allow traffic in both directions:

• UDP Port 500

• UDP Ports 4500 and above

The following protocols must be allowed to travel to and from the MERS® System VPN device:

• ESP IP Protocol 50

• AH IP Protocol 51



Installing the VPN Client CAUTION ****Installing the VPN Client software using InstallShield on WindowsVista, Windows 2000 or Tablet PC2004/2005 requires Administrator privileges. If you do not have Administrator privileges, you must have someone with Administrator privileges install the product for you. To avoid problems with the TCP/IP Registry Compatibility service and the VPN Virtual Adaptor, we strongly recommend that Windows Vista users install Vista SP2 or later. IMPORTANT: You must remove any previously installed VPN Client software. If you have not removed a previously installed VPN Client, when you execute the VPN Client executable, an error message displays. Refer to pg. 10 for uninstall instructions. If the InstallShield Wizard identifies an existing version of the VPN Client, the Cisco 5000 Client, or Nortel Networks Extranet Access Client prior to installing, it displays a dialog box that asks if you want to uninstall the existing client program.



Verifying System Requirements The following table indicates the system requirements to install the VPN Client on each of the supported platforms.

Operating System Requirements

• Windows Vista (all released versions) • Windows XP • Windows 2000 • TabletPC 2004/2005 • Windows 7

For VPN Client 5.0.07:

• Windows 7 on x64 (64-bit) • Windows 7 on x86 (32-bit) only • Windows Vista on both x86 and x64 • Windows XP on x86

Cisco VPN client supports smart card authentication on Windows 7, Vista and XP. The VPN Client no longer supports Windows 98 and Windows NT.

• Microsoft TCP/IP installed. (Confirm via Start>Settings>Control Panel>Network>Protocols or Configuration.)

• 50 MB hard disk space.

• RAM: - 128 MB for Windows XP (256 MB

recommended) - 64 MB for Windows 2000 (128 MB

recommended)

RedHat Version 6.2 or later Linux (Intel), or compatible libraries with glibc Version 2.1.1.6 or later, using kernel Versions 2.2.12 or later

• 32 MB Ram

• 50 MB hard disk space

32-bit or 64-bit Solaris kernel OS Version 2.6 or later.

• 32 MB Ram

• 50 MB hard disk space

Mac OS X, Version 10.2.0 or later • 50 MB hard disk space

• PPC only. None of the Release 4.8.x versions supports Mac OS X on Intel processors

Cisco VPN Client for Windows Vista, release 5.0.0.340, does not support the following features:

• System upgraded from Windows XP or earlier Windows operating systems to Vista (Clean OS installation

required).

• Start before logon.

• SmartCard authentication.

• Integrated firewall.

• InstallShield.

• Auto Update



VPN Client 5.0.07 new features:

• Support for Windows 7 on x64 (64-bit). This release, however, does not support WWAN devices (also

called wireless data cards) on Windows 7 x86 (32-bit) and x64.

• Support for Windows Vista on x64.

Note that this version does not provide online help.

Gathering Information You Need To configure and use the VPN Client, you will need the information listed in this section. Follow the steps below to obtain this information from your HP Integration Technical Resource. If you have not previously done so, request your VPN Credentials via the Online Form at http://www.mersinc.org/downloads/vpn_request.aspx. Your HP Integration Technical Resource will reply with the necessary security information via email including:

• IP address of the secure gateway to which you are connecting.

• Your IPSec Group Name.

• Your IPSec Group Password.

• Username and password.

• FTP Credentials

Installing the VPN Client To install the VPN Client on your system, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise. **Note** The following screenshots reference installation on a 32-bit machine. Step 1: (Existing VPN Users) Cisco recommends that you uninstall prior versions of the Cisco VPN Client or any VPN software installed on your workstation using Microsoft Add/Remove Programs from your Control Panel. See Removing a VPN Client Version Installed with MSI Installer for details. Step 2: Determine the correct architecture for your machine and download the appropriate VPN Client (32-bit or 64-bit) from www.mersinc.org. Log onto www.mersinc.org and from the Tools and Services Menu select Downloads, then VPN; the link for the VPN Client will appear in the body of the page. Click on the download arrow and save the client on your workstation. Step 3: IMPORTANT- Exit all Windows programs, and disable any antivirus software during the install process.

http://www.mersinc.org/downloads/vpn_request.aspx

http://www.mersinc.org/



Step 4: Double-click on the icon from your desktop The WinZip dialog box appears.

Figure 1-1 Unzip VPN Client extract to temp file

Step 5: Choose the Browse option to select the folder to which the software will be extracted. Step 6: Click Unzip. **Note** Cisco does not allow you to install the VPN Client software from a network drive. If you attempt to do so, you receive an error message. Step 7: Choose Start > Run. The run dialog box appears. Step 8: Choose the Browse option to select the folder to which the software was extracted. Select the Setup.exe application and click OK. The program displays the Cisco Systems logo and InstallShield Setup window shown in Figure 1-2.



Figure 1-2 Starting InstallShield Installation Version 5.0.01.0600 or Version 5.0.07.0290

Step 8: If the InstallShield Wizard identifies an existing version of the VPN Client, the Cisco 5000 Client, or Nortel Networks Extranet Access Client, it displays a dialog box that asks if you want to uninstall the existing client program. To continue with the uninstall process, click Yes. 2-4 The VPN Client launches the appropriate uninstall wizard: the Cisco VPN Client uninstall wizard to uninstall a previous version of the VPN Client, the Extranet Access Client wizard program, or the Cisco 5000 wizard. Follow the instructions on the uninstall wizard dialog boxes to automatically uninstall the program and reboot. After your system reboots, the Cisco Systems VPN Client Setup wizard resumes. Step 9: Follow the instructions on the screens and enter the following information: A destination folder for the VPN Client files (or click Next> to accept the default location C:\ProgramFiles\Cisco Systems\VPN Client). Step 10: After you have installed the VPN Client, the InstallShield Wizard displays the following screen. You must restart your computer before you can configure and use the VPN Client. (See Figure 1-3.) Figure 1-3 Completing InstallShield Installation



• Click Finish. • To restart now, click the Yes radio button. Your system reboots. Be sure to remove any diskette from the

drive before you reboot. • To restart later, click the No radio button and then click Finish. The VPN Client Setup closes.

Remember: you must restart your computer before you can use the VPN Client.

Removing a VPN Client Version Installed with MSI Installer Note: If you have not removed a previously installed VPN Client, when you execute the VPN client executable, an error message displays. See Figure 1-4 below. You must uninstall the previously installed VPN Client before proceeding with the new installation. To remove a VPN Client installed with the MSI installer, use the Windows Add/Remove Programs control panel. To remove a VPN Client installed with InstallShield, select Uninstall Client on the Programs > VPN Client > Uninstall Client menu sequence.2-7Figure 2-5



Figure 1-4 VPN Client Executable Error

To uninstall a VPN Client version that was installed with the MSI installer, follow these steps: Step 1: Double-click the Add/Remove Programs control panel and select Cisco VPN Client. (See Figure 1-5.) Figure 1-5 Removing Cisco VPN Client

Step 2: Click Remove. You see a dialog box asking you to confirm that you want to remove the VPN Client from your PC. 2-8 Step 3: Click Yes. The Installer displays a dialog box asking whether you want to delete your existing connection profiles. Step 4: Click Yes (the default)



Step 5: The wizard displays a dialog box asking whether you want to delete your existing Cisco certificates. Click Yes (the default) to delete them. Step 6: To remove the Cisco VPN Client, click Next. The wizard removes the Cisco VPN Client. Step 7: To make these changes take effect, you must restart your computer. When it finishes uninstalling the VPN Client, the wizard asks whether you want to restart your computer now or restart later. Select the appropriate radio button and click Finish. If you select Restart Now, the wizard exits and restarts your computer. If you select Restart Later, the wizard simply exits.

To use the VPN Client, you must create at least one connection entry, which identifies the following information:

• The VPN device (the remote server) used to gain access to the MERS® System environment.

• Preshared keys—The IPSec group designated for MERS® System access.

• Optional parameters that govern VPN Client operation and connection to the remote network You can create multiple connection entries if you use your VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote access group.

Creating a New Connection Entry Use the following procedure to create a new connection entry. Step 1: Start the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client (the icon may also be named “VPN Dialer”).

Step 2: The VPN Client application starts and displays the advanced mode main window (Figure 2-1). You will see an ‘open’ padlock in your System Tray (bottom right hand corner of your screen). If you are not already there, open the Options menu in simple mode and choose Advanced Mode or press Ctrl-M.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/#88167



Figure 2-1 VPN Client Main Window

Step 3: Select New from the toolbar or the Connection Entries menu. The VPN Client displays a form (Figure 2-2). Figure 2-2 Creating a New Connection Entry





Step 4: Create a New VPN Connection Connection Entry- Enter a unique name for this new connection. You can use any name to identify this connection; for example, “MERSVPN”. This name can contain spaces, and it is not case-sensitive. Description- Enter a description for this connection. This field is optional, but helps to further identify this connection. For example, “Connection to MERS System FTP remote server”. Host- Enter the IP address of the MERS® System remote VPN Concentrator. This will be provided to you by your HP Technical Integration Resource when you request VPN Access.

Group Authentication

Click the Group Authentication radio button.

Name- In the Name field, enter the name of the IPSec group for MERS® System access. This entry is case-sensitive and will be provided to you by your HP Technical Integration Resource when you request VPN Access. Password- In the Password field, enter the password (which is also case-sensitive) for your IPSec group. This will be provided to you by your HP Technical Integration Resource when you request VPN Access. The field will display asterisks when populated. Confirm Password- Verify your password by entering it again in the Confirm Password field.



Establishing your Connection Step 1: Select the CONNECT button

Step 2: Enter your Unique username and password provided by your HP Technical Integration Resource.

Step 3: Click OK The VPN Client will connect and minimize; you will see a ‘locked’ padlock in your System Tray (bottom right-hand corner of your screen) to indicate a secure connection.

You are now ready to access your MERS® System FTP directory. Contact the MERSCORP Help Desk if you have any questions or require assistance. 1 888 680-MERS (6377)



Configuring the VPN Client to Auto-Connect Use the following procedure to enable the VPN Client to auto-connect when launched. Step 1: Open the VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client (the icon may also be named “VPN Dialer”).

Step 2: The VPN Client application starts and displays the main window (Figure 3-1). Highlight the Connection Entry you created previously and select “Connection Entries” from the menu bar. Figure 3-1 VPN Client Main Window




Step 3: From the “Connection Entries” list, select “Create Shortcut”. See Figure 3-2. Figure 3-2 VPN Client Main Window.

The Padlock Icon now appears on your desktop using the same name as your connection entry. Figure 3-3 VPN Icon on Desktop.

Step 4: Double click the new Icon. After the Group Name and Password are authenticated the following window is displayed. Enter your User id (if not already populated) and your password and check the “Save Password”



box. You will not see this page again. On future connection attempts, the VPN Client will automatically connect after the Connection Entry on your Desktop is launched. **Note** The “Save Password” dialogue box appears only after you have successfully connected the first time. Figure 3-4 Enter and Save Password.



Troubleshooting Windows 2000 (only) Requires Adding Client for MS Networks for Dialup Connections For the Cisco VPN Client running on a Windows 2000 system, you cannot access Microsoft resources unless you add the Client for Microsoft Networks for the Dial-up adapter.

Upgrading from Windows XP Requires a Clean Installation After upgrading Windows XP to Windows 7 or Vista, one may experience various problems with the VPN Client, ranging from client not logging, client won’t connect, virtual adapter not installing, and so on. Upgrading from a clean install of Windows XP to Vista has been tested and the VPN Client does work in this situation. However, upgrading a Windows XP installation with legacy applications ranging from Firewalls, Antivirus, device drivers, and so on to Windows 7 or Vista is not supported, because the problems stem from the legacy applications no longer supported by the OS.

Aladdin Runtime Environment (RTE) Issue with Windows 2000 Using versions of the Aladdin Runtime Environment (RTE) on Windows 2000 can cause the following behavior:

The login prompt that is posted by the Aladdin etoken when connecting the VPN Client can get hidden in the background. If this happens, the VPN connection can timeout and fail with the following event: "System Error: Connection Manager failed to respond."

A side effect of this is that the VPN Client's service and dialer might become out of synch, and the PC might need to be restarted (CSCdv47999). To avoid this issue, use Aladdin Runtime Environment (RTE) version 2.65 or later.

Microsoft MSN Installation Microsoft's MSN installation fails if you have already installed the VPN Client. Uninstall the VPN Client before you install MSN. After MSN has completed installation, you can install the VPN Client.

WINS Information Might Not Be Removed from Windows Servers If Not Disconnected Before Shutdown If the VPN Concentrator is configured to send WINS server addresses down to the VPN Client and the PC is shut down or restarted without first disconnecting the VPN Client, the WINS servers are not removed from the network properties. This might cause local PC registration and name resolution problems while not connected with VPN. To work around this problem, do one of the following:

• Be sure to disconnect the VPN Client before shutting down. If you are having problems, check your network properties and remove the WINS entries if they are not correct for your network.

• Alternatively, enable "Disconnect VPN connection when logging off". Go to Options > Windows Logon Properties, check Disconnect VPN connection when logging off.



DNS For DNS resolution, if the DOMAIN NAME is not configured on the network interface, you need to enter the fully qualified domain name of the host that needs to be resolved.

Network Interfaces • The VPN Client does not support Point-to-Point Protocol over ATM (PPPoA). • The VPN Client cannot establish tunnels over Token Ring. However, it does not conflict with an installed

Token Ring interface. • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

Microsoft Outlook Error Occurs on Connection or Disconnect The following Microsoft Outlook error might occur when the VPN Client connects or disconnects: “Either there is no default mail client, or the current mail client cannot fulfill the messaging request. Run Microsoft Outlook and set it as the default mail client.” This message does not affect operation of the VPN Client. The issue occurs when Microsoft Outlook is installed but not configured for email, although it is the default mail client. It is caused by a Registry Key that is set when the user installs Outlook. To eliminate this message, do one of the following:

• Right-click the Outlook icon, go to Properties, and configure it to use Microsoft Exchange or Internet Mail as the default mail client.

• Use Internet Explorer to configure the system to have no default mail client. • Configure Outlook as the default mail client.

Connection Time

Using the VPN Client to connect to PC running Windows 7 or Vista system might take longer than one running Windows XP. The actual time it takes to connect might vary from customer to customer.

Unsupported Features The Cisco VPN Client for Windows 7 and Vista does not support the following features:

• Upgrade from Windows XP (clean OS installation required). • Start Before Logon • Integrated Firewall • InstallShield • AutoUpdate

Problem Installing VPN Client The VPN client may appear to run through the installation, but the install does not complete successfully. The user may need to ensure they have Read/Write access to the individual machine onto which they are installing VPN client. If the User Rights (in the Start-up folder) are set to Read Only, then VPN client cannot be installed.

VPN Installation Instructions

Documents