Cisco VPN Software Client Installation Guide for RTP2 Beta-

This guide provides firewall and network considerations and step-by-step instructions on how to install a Cisco VPN Software Client and install Certificate and Connection Entry for RTP2 Beta-

Copyright SIX Group Ltd, 04.2015. All rights reserved. All trademarks observed.
Identification

Title: Cisco VPN Software Client Installation Guide for RTP2 Beta-
Version, Date:
Classification:
Intended Audience: <Audience>
Distribution: <Distribution>
Keywords: Cisco VPN, Installation, Guide
Reference:
Filename: Cisco-VPN-Software-Client-Quick-Start-und-Installation-Guide-Beta-.docx
Synopsis: This guide provides firewall and network considerations and step-by-step instructions on how to install a Cisco VPN Software Client and install Certificate and Connection Entry for RTP2 Beta-
Author(s): Martin Schmid
Reviewer: XRS-Team
Approval: Lee Hannah
Responsible: Martin Schmid

Revision History

Version, Date       Description
1.00, 03.01.2012    First Version
Table of Content

1 Introduction
  1.1 Purpose & Scope
  1.2 Definitions & Abbreviations
  1.3 Contact
2 Cisco VPN Software Client
3 Network & Firewall Considerations
  3.1 VPN Endpoints
  3.2 DNS Servers
    3.2.1 DNS Servers with VPN Connection
    3.2.2 Ports Used for Cisco VPN Software Client Connections
  3.3 Repo Application Servers
  3.4 HTTP Proxy Server Exceptions
  3.5 Ports used for Connection and a Quick Guide to Troubleshooting
    3.5.1 For Clients with Direct Connections
4
  4.1 Downloading and Configuring VPN Software Client
  4.2 Setting Up a VPN Connection
1 Introduction

1.1 Purpose & Scope

This document describes how to set up a VPN connection with a Cisco VPN Software Client to the RTP2 trading platform. The guide provides basic information about technical requirements and network settings as well as detailed information about the installation and configuration of the Cisco VPN Software Client.

1.2 Definitions & Abbreviations

Term/Abbreviation   Explanation
CVI                 Common VPN Infrastructure
DNS                 Domain Name System
Environments        M01 RTP2 Beta-
FQDN                Fully Qualified Domain Name
IPSec               Internet Protocol Security
RTP2                Repo of SIX trading platform 2
SCAP                SIX Swiss Exchange Common Access Portal
SSX                 SIX Swiss Exchange
SSL                 Secure Socket Layer
SWX                 SWX Swiss Exchange. Former name of SIX Swiss Exchange
VEP                 VPN Entrypoint
VPN                 Virtual Private Network

1.3 Contact

For further information about specific issues, please contact Repo infodesk:
Zürich +41 58 399 2190
E-mail: repoinfodesk@six-group.com

2 Cisco VPN Software Client

The following Cisco VPN Software Client version is tested and supported by SIX Swiss Exchange:
Cisco VPN Software Client V5.0.07.0440 (64 bit)
3 Network & Firewall Considerations

3.1 VPN Endpoints

The table below gives the FQDN and IP addresses of the SIX Swiss Exchange VPN endpoints for Cisco VPN connections:

Membertest & Production   Data Centre A                       Data Centre B
vpn.swx.com               146.109.0.10                        146.109.64.10 (virtual IP addresses)
vpnzs.swx.com             146.109.0.10 (virtual IP address)
vpnzs01.swx.com           146.109.0.11
vpnzs02.swx.com           146.109.0.12
vpnzh.swx.com                                                 146.109.64.10 (virtual IP address)
vpnzh01.swx.com                                               146.109.64.11
vpnzh02.swx.com                                               146.109.64.12

The VPN endpoints above are valid for the Repo of SIX trading and reference data servers.

NB. Please ensure that all of the above VPN endpoints have been enabled on your firewall. Due to our load balancing mechanism, a VPN response that emanates from a source that has not been opened on your firewall will not be accepted by your organisation, and your connection to the Repo trading environment could be refused.

3.2 DNS Servers

3.2.1 DNS Servers without VPN Connection

These DNS servers resolve VPN endpoints:

Data Centre      IP Address
Data Centre A    146.109.66.249
Data Centre A    146.109.66.250
Data Centre B    146.109.2.249
Data Centre B    146.109.2.250
3.2.2 DNS Servers with VPN Connection

These DNS servers resolve Repo application servers:

Data Centre      IP Address
Data Centre A    146.109.55.251
Data Centre A    146.109.55.252
Data Centre B    146.109.39.251
Data Centre B    146.109.39.252

3.2.3 Ports Used for Cisco VPN Software Client Connections

The table below indicates the ports used between the Cisco VPN Software Client and the SIX Swiss Exchange VPN endpoint:

IP Protocol No.   Name    Port   Purpose            Required for: IPSec / IPSec Over UDP / IPSec Over TCP
17                UDP     500    IKE
50                IPSec   None   ESP
17                UDP     4500   IPSec via NAT-T
17                UDP     4501   IPSec via UDP
6                 TCP     4501   IPSec via TCP

3.3 Repo Application Servers

The table below gives the FQDN and IP addresses of the Repo application servers. These addresses can be reached through a Cisco VPN Software Client connection:

Beta               FQDN                    IP Address
Reference Server   rtp2-ref-mbt.pn.swx     146.109.52.199
Trading Server 1   rtp2-trd1-mbt.pn.swx    146.109.52.198
Trading Server 2   rtp2-trd2-m01.pn.swx    146.109.52.197

The application servers above are valid for the Repo of SIX trading and reference data environments.
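For the firewall requirement in sections 3.1 and 3.2.3, the following added example (not part of the original guide) checks an exported list of allow rules against every VPN endpoint address and port row listed above and reports what is still blocked. The rule format `allow <proto> <cidr> <port|any>` and the sample rules are constructed for illustration, and it is an assumption that every row of the port table is needed; pass a shorter `flows` list for the transport mode you actually use.

```python
import ipaddress

# VPN endpoint addresses from section 3.1 (both data centres).
ENDPOINTS = ["146.109.0.10", "146.109.0.11", "146.109.0.12",
             "146.109.64.10", "146.109.64.11", "146.109.64.12"]
# (protocol, port) rows from section 3.2.3; ESP is IP protocol 50 and has no port.
FLOWS = [("udp", 500), ("esp", None), ("udp", 4500), ("udp", 4501), ("tcp", 4501)]

# Constructed sample export: Data Centre A opened as a /24, but only the
# virtual address of Data Centre B, and no 4501 rules at all.
SAMPLE_RULES = [
    "allow udp 146.109.0.0/24 500",
    "allow udp 146.109.0.0/24 4500",
    "allow esp 146.109.0.0/24 any",
    "allow udp 146.109.64.10/32 500",
    "allow udp 146.109.64.10/32 4500",
    "allow esp 146.109.64.10/32 any",
]

def parse_rule(line):
    """Parse the hypothetical format 'allow <proto> <cidr> <port|any>'."""
    action, proto, dest, port = line.split()
    if action != "allow":
        return None
    net = ipaddress.ip_network(dest, strict=False)
    return proto.lower(), net, (None if port == "any" else int(port))

def covers(rule, proto, ip, port):
    """True if one parsed allow rule permits this protocol, address and port."""
    r_proto, r_net, r_port = rule
    return (r_proto in (proto, "ip")
            and ipaddress.ip_address(ip) in r_net
            and (r_port is None or r_port == port))

def missing_flows(rule_lines, flows=FLOWS):
    """Return every (endpoint, protocol, port) that no allow rule permits."""
    rules = [r for r in map(parse_rule, rule_lines) if r is not None]
    return [(ip, proto, port)
            for ip in ENDPOINTS for proto, port in flows
            if not any(covers(r, proto, ip, port) for r in rules)]

if __name__ == "__main__":
    for ip, proto, port in missing_flows(SAMPLE_RULES):
        print("not permitted: %-14s %s %s" % (ip, proto, port if port else "-"))
```

With the sample rules, the physical Data Centre B addresses 146.109.64.11 and 146.109.64.12 are reported as blocked, which is the situation the load-balancing note in section 3.1 describes.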
3.4 HTTP Proxy Server Exceptions

Access to the various online features provided through the Repo platform (Membertest / Production), e.g. Member Page with Newsboard, Online Help and Statistics, is not possible via a web-proxy server. They can only be accessed through a Cisco VPN (IPSec) tunnel connection. For these specific websites, you need to ensure that you have disabled any potential HTTP proxy server on the client PC. The following HTTP proxy server exceptions have to be set in your web browser:

*.pn.swx (for application servers)
*.ps.swx (for CVI Private Web)

3.5 Ports used for Connection and a Quick Guide to Troubleshooting

To help troubleshoot potential connectivity issues, the following information gives the ports associated with the individual destinations within both the Repo client-side environment and the Exchange-side infrastructure, as well as methods to test the validity of any connection.

3.5.1 For Clients with Direct Connections

Provided that the VPN is correctly connected, the following table details the application servers and their corresponding ports. If you are encountering connectivity issues with the Repo trading system, always ensure that you are able to make a telnet request to, and receive a response from, the corresponding FQDNs/IP addresses in section 3.3 on the appropriate ports below (depending on your environment). The latter set of ports are used to receive help and peripheral information.

Destination   Environment                                                   TCP Port
Exchange      Beta Reference Server 146.109.52.199                          7310
Exchange      Beta Trading Server 1 and 2 146.109.52.198 146.109.52.199    7311, 7312
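The telnet check in section 3.5.1 can be scripted. This added example (not part of the original guide) probes each application server by IP address and by FQDN and classifies the result, so that a DNS fault is told apart from a blocked path or a missing listener. Addresses are taken from section 3.3, as the text directs, and it is an assumption that both trading ports apply to both trading servers.

```python
import socket

# Application servers from section 3.3 with the TCP ports from section 3.5.1.
# Assumption: both trading ports are tried on both trading servers, because
# the table lists "7311, 7312" for "Trading Server 1 and 2" together.
TARGETS = [
    ("rtp2-ref-mbt.pn.swx", "146.109.52.199", [7310]),
    ("rtp2-trd1-mbt.pn.swx", "146.109.52.198", [7311, 7312]),
    ("rtp2-trd2-m01.pn.swx", "146.109.52.197", [7311, 7312]),
]

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host answered with a reset: no listener
    except socket.timeout:
        return "filtered"      # nothing came back before the timeout
    except socket.gaierror:
        return "dns-failure"   # the name could not be resolved
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)

def diagnose(fqdn, ip, port, probe_fn=probe):
    """Probe by address and by name to separate DNS faults from path faults."""
    by_ip = probe_fn(ip, port)
    if by_ip == "open":
        by_name = probe_fn(fqdn, port)
        if by_name == "open":
            return "ok"
        return ("reachable by IP only (%s by name): "
                "check the DNS servers in section 3.2.2" % by_name)
    if by_ip == "filtered":
        return "no answer: VPN tunnel not connected or a firewall drops the traffic"
    if by_ip == "refused":
        return "host reachable, but nothing is listening on this port"
    return by_ip

if __name__ == "__main__":
    for fqdn, ip, ports in TARGETS:
        for port in ports:
            print("%-22s %-15s %5d  %s" % (fqdn, ip, port, diagnose(fqdn, ip, port)))
```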
4

If there is no Cisco VPN Software Client installed, follow the step-by-step instructions below.

4.1 Downloading and Configuring VPN Software Client

To access the CVI Common VPN Infrastructure, proceed as follows (an Internet connection is required):

1. In your browser, go to the CVI Common VPN Infrastructure Web page https://www.six-swissexchange.com/members/cvi/scap.html and log in with cvim01enr / vicarphing
2. On the CVI Common VPN Infrastructure page, download the following three items:
   - Cisco VPN Tunnel Software
   - Connection
   - CVI Root Certificate
3. For each of the three items, proceed as follows to download them and save them on your Desktop:
   a. Click on the item link (for example Cisco VPN Tunnel Software) and click Save as in the dialog box.
   b. In the Folders pane, select Desktop and click Save.
4. When you have repeated steps a to c above for the other two items (Connection and the CVI Root Certificate), verify that all three files are available on your Desktop.
5. On your Desktop, double-click the Cisco VPN Tunnel Software file you have downloaded: vpnclient-win-msi-5.0.03.0560-k9.exe.
6. Click Unzip.
7. The file is being unzipped. In the dialog box, click OK.
8. Choose English and click OK.
9. The Installation Wizard is started. Click Next.
10. Select the I accept the license agreement option and click Next.
11. Select a destination folder (or leave it unchanged) and click Next.
12. Click Next (2 times) to begin installation.
13. When the VPN client has been installed, click Finish.
14. Click Yes to restart your computer.
15. To start the VPN client, click the Start menu and select All Programs > Cisco Systems VPN Client > VPN Client.
16. The VPN Client is started. Click the Connection Entries tab and click the Import button.
17. Navigate to the Desktop, select the SWX_CVI.pcf file and click Open.
18. In the dialog box, click OK to confirm the successful import of the Connection Entry.
19. The Connection Entry SWX_CVI is now listed under Connection Entry.
20. Click the Certificates tab.
21. On the Certificates menu, click Show CA/RA Certificates.
22. Click the Import button.
23. In the dialog box, select the Import from File option and click Browse.
24. Navigate to the Desktop, select the SWXVPNROOTCA.cer file and click Open.
25. Click Import.
26. In the dialog box, click OK to confirm the successful import of the Root Certificate.
27. The Root-Certificate swxcapprdrootca is now listed under the Certificates tab.
4.2 Setting Up a VPN Connection

1. In your browser, go to the CVI Common VPN Infrastructure Web page https://www.six-swissexchange.com/members/cvi/scap.html and log in with cvim01enr / vicarphing
2. On the CVI Common VPN Infrastructure Web page, click on the link Private CVI VPN Homepage (via SSL connection).
3. A security alert is displayed. Click on the Continue to this website (not recommended) link twice.
4. In the Login window, type again cvim01enr / vicarphing
5. Click Login. The CVI Private Web page will open. (This may take some time.)
6. On the welcome screen, type the certificate Username and Password provided in the secured email for the RTPM01 environment.
7. Click Enter.
8. After successful login, the Userpage opens. Enter a personally defined download password (for example MyPwd123456) and click Download.
9. Save the certificate in a directory of your choice by selecting Save as, or select Save to store it in your Downloads directory.
10. Open the VPN Client: On the Certificates tab, click the Import button.
11. Select the option Import from File and click Browse.
12. Navigate to the chosen directory or to the Downloads directory and select your certificate file (*.p12, in this example it is RTPM012002.p12). Then click Open.
13. The imported certificate is now displayed in the Import Path: box. In the Import Password: box, type the password you have selected (for example MyPwd123456).
14. If preferred, you can protect the certificate and connection start with a new certificate password. Select a new password (for example MyNewCertificatePwd123456) and type it in the New Password / Confirm Password boxes. Remember or note down this password, because you will use it to start the VPN connection and it is also needed to delete the certificate.
15. Then click Import.
16. A dialog box confirms that the import of the certificate was successful. Click OK.
17. The imported certificate is now displayed under the Certificates tab.
18. Click on the Connection Entries tab. Right-click on the SWX_CVI Connection Entry and select Modify from the context menu.
19. You can also right-click on a Connection Entry of your choice and select Duplicate from the context menu.
20. Right-click on the duplicated Connection Entry and select Modify from the context menu.
21. On the Authentication tab, select the Certificate Authentication option and select the RTPM01xxxx certificate in the Name box. (In this example it is 3 - RTPM012002 (Cisco).)
22. Also edit the Connection Entry: field to a name of your choice (in this example RTPM012002).
23. Then click Save.
24. Click the Connect button and type in the certificate password if requested to start the connection (for example MyNewCertificatePwd123456). Then click OK.
25. A dialog box is displayed and confirms that you have successfully connected. Click Continue.