DirectLine for Business VPN USER GUIDE

Transcription

1 DirectLine for Business VPN USER GUIDE

2 Contents VPN Security Service...1 Overview... 1 Before You Set Up VPN Secure Remote... 1 Downloading and Installing VPN Software... 1 After Completing the Installation... 2 Configuring Your VPN Software... 2 Defining a Site... 2 Establishing a Secure Connection... 6 Using the VPN-Security Service... 7 Startup... 7 Shutdown... 7 Firewall, Routers, LAN ports information... 7 Setting Up file exchange... 8 Sending Files... 9 Address Construction... 9 To Send a File... 9 Receipt file Receiving Files and Reports Outbound (from BMO) Trading relationships Listing received files Receiving files Appendix A Client Questionnaire...13 Appendix B - Definitions...15 File Encoding Other definitions...15 USE OF DIRECTLINE FOR BUSINESS IS SUBJECT TO APPLICABLE AGREEMENTS. i DIRECTLINE IS A REGISTERED TRADE-MARK OF BANK OF MONTREAL. OTHER PRODUCTS AND SERVICES NOT LISTED ABOVE ARE TRADEMARKS, SERVICE MARKS, OR REGISTERED TRADEMARKS OF THEIR RESPECTIVE COMPANIES. INTERCHANGE SERVICES IS A SERVICE MARK OF GXS, INC. BMO-FG-GXS-VPN

3 VPN Security Service OVERVIEW The VPN Secure Remote service helps you to conduct secure and confidential file exchanges with the Bank of Montreal ( BMO ) over untrusted networks, such as the Internet, by encrypting and decrypting information entering and leaving your PC. This service and VPN Secure remote software is provided in conjunction with Global exchange Services, Inc. (GXS). This user guide provides the basic information you need to quickly start using the VPN-Security Service on Microsoft Windows. BEFORE YOU SET UP VPN SECURE REMOTE The following items are required before you begin the setup: 1. This User Guide. 2. A VPN Questionnaire (Appendix A of this document) to be completed and returned to BMO. 3. VPN user ID and password. 4. A Mailbox ID (same as FTP user ID) and Password 5. Your trading relationships (also know as mail slots) Your BMO Implementation Specialist (IS) will provide you with your VPN user ID and password, Mailbox ID and password as well as your mail slots. Please review the Send and Receive sections of this document. DOWNLOADING AND INSTALLING VPN SOFTWARE Follow the steps below to download the VPN software. 1. Exit all running programs except your Web browser. 2. Use your Web browser to access any web page on the Internet. This will confirm that TCP/IP is working properly on your PC. 3. Using your Web browser, connect to 4. Log on to the GXS VPN Software Distribution Web site using the user ID and user password all in upper case letters. 5. Follow the instructions on the Web site to download a copy of VPN SecuRemote that works with your PC s Operating System. The supported Windows Operating Systems include Windows 98/ME, Windows NT, Windows 2000, Windows XP Professional Edition, and Windows Create a temporary directory for installation, such as C:\TEMP. Save the.exe file to your temporary directory. 6. Exit from your Web browser. PAGE 1 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

4 7. Open the Start menu and Run the.exe located in the newly created temporary directory (i.e., C:\TEMP) 8. Use default settings for all installation options. Simply click on Next until the installation is complete. 9. When the installation is complete, click Finish to reboot. If your computer fails to connect to your LAN after installing the VPN software, allow Windows to fully open and then shut the computer down and power off (a simple reboot may not work). Your computer should connect after the second restart. AFTER COMPLETING THE INSTALLATION You may want to delete the downloaded.exe file in your temporary directory. CONFIGURING YOUR VPN SOFTWARE 1. After you install the software, you will see an envelope with a gold key in your Windows system tray. This is the VPN-1 SecuRemote icon. 2. Click on this icon to open up the VPN-1 SecuRemote configuration window. You will be prompted to create a new VPN site. Click Yes to continue. You must define the GXS VPN gateway as the site that handles the remote encryption and decryption. You can find the Site Name in the GXS ICS Welcome Letter. 3. The VPN Site Name for Interchange Services can be a resolvable name such as xxx.xxx.gxs.com, or an IP address equivalent. 4. Once your configuration is complete, you may close the site window. You do not need to have the site window open for SecuRemote to function. Envelope icon in system tray. DEFINING A SITE 1. Open the VPN-1 SecuRemote site window by clicking the VPN-1 SecuRemote icon in the Windows system tray. 2. Alternatively, you can open the Windows Start menu and choose SecuRemote from the SecuRemote program group. PAGE 2 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

5 3. Select Create New Site from the Sites menu, or click on the Create New Site icon in the toolbar. 4. In the Site window, type the resolvable name or the IP address of the site and click OK. 5. Authenticate yourself if you are asked to do so. PAGE 3 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

6 6. You will be prompted to verify the VPN site certificate fingerprint. Click OK to continue. 7. An authentication confirmation window is displayed once you are successfully authenticated to the GXS VPN gateway. Click OK to continue. PAGE 4 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

7 8. Click OK to save the VPN site date. The VPN site is now properly defined. PAGE 5 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

8 ESTABLISHING A SECURE CONNECTION When you connect to this service for the first time in a session, SecuRemote prompts you for a user name and password, as shown below. 1. Enter your VPN user ID(mailbox ID) and VPN password, then click OK. Your password for the current connection will be retained by the VPN-1 SecuRemote until: You terminate SecuRemote. You reboot your system. You erase your password in SecuRemote. Note: Your password automatically expires in 18 hours. 2. If you want to erase your password, simply open the Password menu and select Invalidate Password. PAGE 6 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

9 USING THE VPN-SECURITY SERVICE Your VPN software, VPN-1 SecuRemote, is active when the small envelope with the gold key is displayed on the Windows taskbar. When SecuRemote is encrypting traffic, the envelope will close momentarily as the data is transmitted. The envelope stays open when your system is not transmitting or receiving data, which is usually most of the time, and if you place your cursor over the envelope it displays a small box stating that it is idle. When a SecuRemote user asks for a connection to the mailbox, the SecuRemote software intercepts the outgoing data packet and compares the destination to a list of secured networks/hosts. Since our server is identified to be in the Security Domain of the VPN Gateway, SecuRemote automatically encrypts your documents. The SecuRemote PC then begins to establish an encrypted link to the VPN Gateway. It prompts you for a valid user ID and password. The VPN Gateway checks with the Authentication Server to see if you are permitted to connect to GXS. Once you are authenticated, an encrypted link is established. When you communicate with computers that are not defined in the Security Domain, the SecuRemote program passes the data without encryption. STARTUP VPN-1 SecuRemote starts automatically each time your PC starts up. If you end SecuRemote, you can manually start it up. Open the Start menu, then Programs and Checkpoint VPN-1 SecuRemote and click on the SecuRemote program icon. When SecuRemote starts, a small envelope appears on the taskbar. SHUTDOWN To shutdown the VPN-1 SecuRemote program, right click on the envelope icon located on the taskbar. A pop-up menu appears. Click Stop VPN-1 SecuRemote to disable SecuRemote. You will not be able to communicate with sites that require encryption once SecuRemote is disabled. You may also shut down SecuRemote by opening the Site window, opening the File menu, and selecting Stop VPN-1 SecuRemote. FIREWALL, ROUTERS, LAN PORTS INFORMATION For a successful implementation you will need to have the following router / firewall configurations: Site creation or Update TCP port 264 (referred to as topology update) Authentication / Key Exchange UDP port 500 bi-directional (referred to as IKE or IPSEC) Encryption IP protocol 50 bi-directional (referred to as ESP) Encryption UDP port 2746 bi-directional (referred to as encapsulated UDP) PAGE 7 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

10 Enable the following Port/Protocol - UDP ports 500 and TCP port IP Protocol If the PC installed with VPN SecuRemote is behind a firewall/router/proxy using Network Address Translation (NAT), the following Ports/Protocols should be opened on the firewall between the PC and the GXS VPN Gateway. a. The following port should be allowed in outbound direction from the PC to (GXS VPN Gateway) for VPN site download and update: TCP Port 264 b. The following port/protocol should be allowed in both inbound and outbound directions between the PC and (GXS VPN Gateway) for authentication and IPSec ESP encryption encapsulation: UDP Port 500 and UDP If the PC installed with VPN SecuRemote is behind a firewall or router NOT using Network Address Translation (NAT), the following Ports/Protocols should be opened on the firewall between the PC and the GXS VPN Gateway. a. The following port should be allowed in outbound direction from the PC to (GXS VPN Gateway) for VPN site download and update: TCP Port 264 b. The following port/protocol should be allowed in both inbound and outbound directions between the PC and (GXS VPN Gateway) for authentication and IPSec ESP encryption (without encapsulation): UDP Port 500 and IP Protocol 50 SETTING UP FILE EXCHANGE You may need to use third party software that supports FTP protocol to exchange files with BMO over VPN Secure Remote tunnel. Follow the instructions below to start sending files using FTP: 1. Open an FTP session: ftp open iftp.ics.us.gxs.com. If URL is not working, enter IP instead: Enter your Mailbox ID provided by the IS. Result: A password prompt displays. PAGE 8 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

11 SENDING FILES ADDRESS CONSTRUCTION You can send files to BMO from your mailbox. In order to send files you must establish/confirm mail slots (trading relationship/s) with your IS. Depending on the number of services you have with us, you may have more than one inbound mail slot. The construction of the Send address for you is mailbox-send. Mailbox ID is the same as the FTP user ID. BMO Receive addresses have been constructed using the application, document type and file encoding. This constructs your inbound mail slot. Your inbound trading relationship consists of the following: Application name provided by the IS; Application Document Type provided by the IS; File Encoding provided by you when implementation was requested. Example: When you are sending an Electronic Funds Transfer (EFT) file to BMO, your inbound mail slot will look as follows: DEFT-DEFT80-A where DEFT is the application name, DEFT80 is the document type, and A is encoding. The above mail slot means that you can send 80 byte mail slot relationships. Refer to Appendix B for available file encodings. TO SEND A FILE In order to send files, FTP commands must to be entered in your FTP software. 1. You must first change to the /send directory on the server. This is performed as follows: cd /send 2. You must also include two commands that instruct the FTP Service on how to process the file(s) being sent. Both use the QUOTE SITE command. There is no order preference between these two commands, either one can come before the other. The only requirement is that they come before the actual sending of the file(s). The first command causes the service to treat the file as binary. This is required in order to instruct the service to forward the file to BMO without additional processing. The syntax is as follows: QUOTE SITE standard=none The second command defines the sending and receiving addresses for the PUT command. The required syntax is: QUOTE SITE parm=sa=sender_address;ra=receiver_address Refer to the Address Construction section for details on address construction. The sender_address is your user id(or Mailbox ID)-SEND. The receiver_address is your inbound mail slot. Refer to the Address Construction section. For example, you can use the following command: QUOTE SITE parm=sa=aaa12345-send;ra=deft-deft80-a PAGE 9 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

12 The above means that you are sending an 80 byte EFT file from your Mailbox ID AAA12345 and the file is in ASCII format. 3. The final step to send a file is to use the PUT command. In the example below, a file named testfile.dat located in C:\temp directory will be used. This file will also be sent in binary mode. The command to send this file would appear as: PUT -BIN C:\temp\testfile.dat As a result there will be four commands cd /send QUOTE SITE standard=none QUOTE SITE parm=sa=aaa22755-send;ra=arp-arp-a PUT -BIN C:\temp\testfile.dat In the example above, a file named testfile.dat located in C:\temp directory will be sent. This file will also be sent in binary mode. RECEIPT FILE Important: The following Receive address is provided in order for you to confirm whether the file was transmitted. This address has the following format: mailbox-receipt This address is used to receive a receipt, providing the user with information on whether or not a Sent transaction was delivered successfully. These files are text-based and contain a single line without record terminators and should be readable on either Unix or Windows platforms. The receipt message indicates that BMO has received your file successfully and will convey it to the appropriate product (e.g., EFT). To verify that your file has been successfully processed by the appropriate product, please check any output reports or files generated. See the Receiving Files and Reports section for more details. RECEIVING FILES AND REPORTS Any product files or reports that you expect to receive from any BMO service such as EFT, can be delivered electronically to you via the VPN Secure remote service. OUTBOUND (FROM BMO) TRADING RELATIONSHIPS BMO will send your reports and files to your mailbox. Depending on the number of services you have with us, you may have more than one outbound mail slot (also known as trading relationship). Your outbound mail slot consists of the following: Mailbox ID provided by the IS Application name provided by the IS Application document type provided by the IS PAGE 10 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

13 File encoding provided by you when implementation was requested. BMO will send your files / reports to one of the outbound mail slots. Example: If you are set up to receive EFT reports or files your mail slot will look as follows: AAA12345-DEFT-WINTESTE20RPT-A where AAA12345 is your mailbox ID, DEFT is the application name, WINTESTE20RPT is the document type, and A is encoding. The above mail slot will be receiving reports from the EFT system in ASCII format. Refer to Appendix B for available file encodings. Please work with your IS to get details of all of your outbound mail slots. LISTING RECEIVED FILES The following section will describe commands that can be used to obtain a listing of messages in your inbox that corresponds to what you have received from BMO. 1. You must first change to the /receive (inbox) area in ICS. The command used to perform this change is: cd /receive 2. The VPN Secure Remote Service provides a way to filter the listing based on your outbound mail slot. Using the filter feature, you can obtain a listing of your inbox, and only display files received by a specific mail slot. The following command is used to define this filter: QUOTE SITE parm=ad=filter_address The filter_address is replaced by any one of your mail slots. For example, to see what RECEIPT messages have been received, we will set the following filter: QUOTE SITE parm=ad=aaa12345-receipt To see only Electronic Funds reports: QUOTE SITE parm=ad=aaa12345-deft-winteste20rpt-a 3. Once this command has been accepted by the service, you can then request a list of files based on this filter by using the command: dir byparm This tells the server to use the filter (parm) to generate a directory listing. 4. Therefore to list files for a specific mail slot you will need to perform the following commands: cd /receive QUOTE SITE parm=ad=aaa12345-receipt (or any other mail slot) dir byparm The matched files will be listed e.g. Detail: "Sender ILOG IC Control# Sent (GMT) Mfile" Detail: "BMOCOM-SEND AUG05 14:53 M " Detail: "BMOCOM-SEND AUG05 14:53 M " Detail: "BMOCOM-SEND AUG05 14:53 M " PAGE 11 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

14 The content is normally displayed showing the sender, date and time and what is termed the Mfile. The Mfile is named uniquely by the Service and does not reflect the file name given by BMO. Your mail slots allow you to identify relevant files and reports. RECEIVING FILES The process of receiving content/files uses the same QUOTE SITE parm command as described in the Listing Received Files section. However, in order to actually receive the messages instead of just listing them, the GET command must be used. The GET command shown below will download all messages/files based on the QUOTE SITE filter set. The messages/files will be stored in separate files based on the Mfile name. The command used is: GET *,byparm If no files are found, nothing will be downloaded. You may also want to download files received by a specific address and store them in a unique folder. This can be done by appending the folder (destination) to the GET command used below. cd / receive QUOTE SITE parm=ad=aaa12345-deft-winteste20fle-a GET *,byparm D:\Program Files\Inbox\WINTESTE20FILES PAGE 12 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

15 Appendix A Client Questionnaire SECTION I: B ASIC I NFORMATION ABOUT YOUR COMPANY Company Name: Company Business Contact Name: Company Business Contact Phone: Company Business Contact Fax: Company Business Contact Company Address: City: Zip/Postal Code: Country DirectLine for Business customer ID (if known) Other Customer Contacts Technical Contact Name: Technical Contact Phone: Technical Contact Fax: Technical Contact Desired Production Date: DD/MMM/YYYY Please list services to which you want to enable file exchange (e.g. EDI, BAI, DEFT, etc.) PAGE 13 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

16 S ECTION II: GXS M AILBOX I NFORMATION: 1. Do you have an existing mailbox on the GXS Interchange Service platform and would you like to use it? 2. Would you like the same files/reports delivered and shared with multiple Mailboxes (i.e. users), e.g., multiple divisions within your company that require separate access? Additional fees apply. 3. Please provide your GXS Mailbox Ids (if they exist) for multiple mailbox delivery. If no mailboxes are currently set up, indicate the number of required mailboxes. 4. Would you like all files and reports delivered (shared) to multiple mailboxes or only to specific ones (e.g., specific EFT reports, EDI files, etc)? YES, enter mailbox ID NO, proceed to the next question If NO, proceed to Section III. - Use this field to fill in other mailbox IDs (if you answered Yes in question 1) If only Specific product option selected, fill in the following: Enter product(s) S ECTION III S ECURE FTP INFORMATION Please provide the Windows version: Indicate file encoding (See Appendix B for encoding description) Software Version Inbound files to BMO A (ASCII) E (EBCDIC) Outbound files from BMO W (WINDOWS) A (ASCII) E (EBCDIC) Additional Notes: PAGE 14 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT

17 Appendix B - Definitions FILE ENCODING BMO supports several file encoding types. These are: W: Windows (ASCII machine) This encoding can be used in Outbound transmission from BMO ONLY. The default delimiter on the Windows platform is CR (Carriage Return) and Line Feed (LF). This means that the record terminators within the application files on the windows platform are CRLF. A: Unix (ASCII machine). The default delimiter on Unix platform is Line Feed (LF). This means that the record terminators within the application files on the Unix platform are LF. E: Mainframe (EBCDIC machine). There is no specific character as the record delimiter on the mainframes (Unisys or IBM). The encoding of the data is EBCDIC. While sending and receiving files from the mainframes no data conversion needs to be performed. OTHER DEFINITIONS Mailbox This is your user ID to connect to FTP server Mail Slots (or trading relationships) Mail slots belong to a mailbox and are used to receive various Cash Management files and reports. BMO sends your files and reports to an appropriate mail slot. By using mail slots you can easily identify the application to which your files and reports belong. PAGE 15 FOR ASSISTANCE, PLEASE CALL THE HELP DESK AT