Secure Access 6$&#&OLHQW#9HUVLRQ#51313,QVWDOODWLRQ#)#2SHUDWLRQ#0DQXDO 3:9563409533#,VVXH#6 $XJXVW#533: The Best Connections in the Business
Copyright Trademarks 2007 General DataComm, Inc. A RIGHTS RESERVED. This publication and the software it describes contain proprietary and confidential information. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic or machine-readable format without prior written permission of General DataComm, Inc. The information in this document is subject to change without notice. General DataComm assumes no responsibility for any damages arising from the use of this document, including but not limited to, lost revenue, lost data, claims by third parties, or other damages. If you have comments or suggestions concerning this manual, please contact: General DataComm, Inc. Technical Publications 6 Rubber Avenue, Naugatuck, Connecticut USA 06770 Telephone: 1 203 729 0271 All brand or product names are trademarks or registered trademarks of their respective companies or organizations. Documentation Revision History GDC P/N 076R301-V200 Issue Date Description of Change 1 February 2007 Initial release of SAC Client Software Version 2.0.0 2 May 2007 Minor corrections and clarifications 3 August 2007 Clarify Windows XP installation procedure. Related Publications Description Secure Access Controller Server Version 2.0.0 Operation Manual Secure Access Controller Client Version 2.0.0 Installation & Operation Manual Secure Access Controller Server/Client Version 2.0.0 Release Notes SpectraComm V.F 28.8/33.6 Modem Installation & Operation Manual SpectraComm Dual V.34 Modem Installation & Operation Manual Part Number 076R300-V200 076R301-V200 076R906-V200 060R112-REV 060R122-REV -REV is the hardware revision (-000, -001, etc.) -VREV is the most current software version (-V500, V600, V700, etc.) In addition to the publications listed above, always read Release Notes supplied with your products.
Table of Contents Preface Support Services and Training... iv Corporate Client Services...iv Factory Direct Support & Repair...iv Contact Information...iv Chapter 1: Introduction & Specifications Introduction to the SAC System... 1-1 Theory of Operation...1-2 SAC Client Interface...1-3 Web Management...1-3 Installation and Operation Guidelines...1-4 Chapter 2: Installation & Configuration Client Installation... 2-1 Before Your Begin...2-1 First-time Client Installation...2-2 Client Re-install or Upgrade...2-5 Uninstall Client... 2-9 Client Configuration... 2-10 Chapter 3: Operation Overview... 3-1 Secure Communication... 3-1 Communication Procedure...3-2 Web Console Access... 3-4 User Profile Maintenance...3-4 Acquiring the User Key...3-6 076R301-V200 Secure Access Controller Client Version 2.0.0 i Issue 3 Installation & Operation Manual
Table of Contents ii Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Preface Scope of this Manuals This manual describes how to install and configure the Secure Access Client software, used by remote users to interface with the Secure Access Controller (SAC) System. This manual is intended for network equipment technicians, and assumes a working knowledge of data communication equipment. The information contained in this manual has been carefully checked and is believed to be entirely reliable. As General DataComm improves the reliability, function, and design of their products, it is possible that the information in this document may not be current. Contact General DataComm, your authorized sales representative, or point your browser to http:\\www.gdc.com for the latest information on this and other GDC products. General DataComm, Inc. 6 Rubber Avenue, Naugatuck, Connecticut 06770 U.S.A. Tel: 1 203 729-0271 Toll Free: 1 800 523-1737 For more information on the other components of your Secure Access Controller System, refer to the accompanying documentation, such as: Secure Access Controller Server Operation Manual (P/N 076R300-V200) Secure Access Controller Server/Client Release Notes (P/N 076R906-V200) SpectraComm V.F28.8/33.6 Modem Installation & Operation Manual (P/N 060R112-000) SpectraComm Dual V.34 Modem Installation & Operation Manual (P/N 060R122-000) Note A complete list of Related Publications is listed on the inside front cover of this document Safety Information This document is concerned with Secure Access Client software only. For Safety and Compliance information about your workstation, modem, servers, or network hardware, consult the manufacturer s documentation provided with those devices. Manual Organization This manual is divided into the following chapters. When using the digital version of this manual, click on any link (shown in blue text) to jump to that section. Chapter 1, Introduction & Specifications Chapter 2, Installation & Configuration Chapter 3, Operation 076R301-V200 Secure Access Controller Client Version 2.0.0 iii Issue 3 Installation & Operation Manual
Preface Support Services and Training Support Services and Training General DataComm offers two comprehensive customer support organizations dedicated to pre-and post-sale support services and training for GDC products. Corporate Client Services and Factory- Direct Support & Repair assist customers throughout the world in the installation, management, maintenance and repair of GDC equipment. Located at GDC s corporate facility in Naugatuck, Connecticut USA, these customer support organizations work to ensure that customers get maximum return on their investment through cost-effective and timely product support. Corporate Client Services Corporate Client Services is a technical support and services group that is available to GDC customers throughout the world for network service and support of their GDC products. Customers get the reliable support and training required for installation, management and maintenance of GDC equipment in their global data communication networks. Training courses are available at GDC corporate headquarters in Naugatuck, Connecticut, as well as at customer sites. Factory Direct Support & Repair GDC provides regular and warranty repair services through Factory Direct Support & Repair at its U.S. headquarters in Naugatuck, Connecticut. This customer support organization repairs and refurbishes GDC products, backed by the same engineering, documentation and support staff used to build and test the original product. Every product received for repair at Factory Direct Support & Repair is processed using the test fixtures and procedures specifically designed to confirm the functionality of all features and configurations available in the product. As part of GDC s Factory Direct program, all product repairs incorporate the most recent changes and enhancements from GDC Engineering departments, assuring optimal performance when the customer puts the product back into service. Only GDC s Factory Direct Support & Repair can provide this added value. Contact Information General DataComm, Inc. 6 Rubber Avenue Naugatuck, Connecticut 06770 USA Attention: Corporate Client Services Telephones: 1 800 523-1737 1 203 729-0271 Fax: 1 203 729-3013 Email: clientservices@gdc.com General DataComm, Inc. 6 Rubber Avenue Naugatuck, Connecticut 06770 USA Attention: Factory Direct Support & Repair Telephones: 1 800 523-1737 1 203 729-0271 Fax: 1 203 729-7964 Email: factorydirect@gdc.com Hours of Operation: Monday - Friday 8:30 a.m. - 5:00 p.m. E (excluding holidays) http://www.gdc.com iv Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
POWER ON FAIL ON OFF DPS-19 POWER SUPPLY POWER ON FAIL ON SD SD MR INS OFF CT DPS-19 POWER SUPPLY SCM RD RD ON TM ALM L A N W AN TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RXD RTS CTS DCD GD DTR OH NR TM ALM V.F 28.8 POWER ON FAIL ON OFF DPS-19 POWER SUPPLY POWER ON FAIL ON SD SD MR INS OFF CT DPS-19 POWER SUPPLY SCM RD RD ON TM ALM L A N W AN TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM TM ALM V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 V.F 28.8 TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH TXD RTS DCD DTR NR RXD CTS GD OH Chapter 1: Introduction & Specifications Introduction to the SAC System The Secure Access Controller (SAC) is a system that provides secure and authenticated management to network equipment such as switches, routers, multiplexers, data transport devices, etc. A SAC protected network provides encrypted authenticated connections, so that equipment is protected from illegal access and malicious hackers. A SAC system consist of SAC Servers, Clients and the Secure Access Modem (SAM). Figure 1-1 shows SAC components and the protected network equipment communicating over secure tunnels via the PN. SAC Servers SAC Servers consist of an Administration Web Server, a Database Server (with hard disk backup), and an Authentication Server. As shown in Figure 1-1, these dedicated servers communicate with each other over a private network, and are managed by the SAC system administrator only. SAC Client Desktop Software The Client software is installed on remote user PCs or laptops to initiate calls to the Secure Access Modem and Authentication Server. It sets up secure tunnels between those devices, and then onto the protected network equipment. Figure 1-2 shows SAC Server/Client relationships. Secure Access Modem The Secure Access Modem (SAM) protects managed network equipment connected via the PN from malicious or unauthorized tampering by remote users. Note This manual describes the installation and operation of the SAC Client only. For detailed information about the SAC Servers or the SAM, contact your SAC system administrator. REMOTE DIAL-IN USER (SAC Client Software) Each connection sets up a secure tunnel that passes encrypted data to authenticated users. Public Switched Telephone Network CENTRAL OFFICE or CUOMER PREMISES GDC Secure Access Modem (SC V.F28.8/33.6 or SC V.34 Dual) Protected Network Equipment LOCATION "1" Virtual Private Network LOCATION "2" Modem Bank SAC Authentication Primary Server SAC Database Server (with backup hard disk) SAC Administration Web Server SAC Authentication Secondary Server Modem Bank Figure 1-1 SAC System Components 076R301-V200 Secure Access Controller Client Version 2.0.0 1-1 Issue 3 Installation & Operation Manual
Introduction & Specifications Introduction to the SAC System Theory of Operation SAC System Connections The Secure Access Modem is connected to the SAC Servers via the PN. The Authentication Server is connected to the PN via a modem bank, allowing access to the server by multiple users. A second Authentication Server may be added to minimize delay and avoid downtime. Access & Authentication Access privileges to network equipment are determined by the system administrator via the SAC Administration Server, typically located at a service coordination center. The Administration Web Console software communicates with the SAC Database Server, where access data and remote user accounts are stored. Access data from the Database Server informs the Authentication Server which authorized users may access specific network equipment as intended by the system administrator. Remote User Validation In order for the remote user to establish a connection with the protected network equipment, the following actions must occur: 1. Remote users must make a request of the system administrator for access rights to particular network equipment. 2. The system administrator must enter remote user accounts and a valid Secure Access Modem (SAM) into the SAC Database. 3. The SAM must be capable of obtaining a valid cryptographic (private) key from the Authentication Server at reset, powerup, timeout, or at the end of a session. (If information in the SAC Database does not agree with information sent by the modem, the SAM will be denied a valid private key.) 4. The remote user's client software must contact the Authentication Server to verify the remote user s SAM ID and Password. The authenticated user receives a public key and SAM phone number to make a secure connection to the requested SAM and protected network equipment. Communication with SAM SAC AUTHENTICATION SERVER SAC DATABASE SERVER SAC ADMINIRATION SERVER Secure connection to SAM and protected network equipment SAC CLIENT INTERNET BROWSER Remote Users Figure 1-2 System Administrator Authentication, Database, and Administration Web Servers in a SAC System 1-2 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Introduction & Specifications Introduction to the SAC System SAC Client Interface Any person intending to access protected network equipment must first be registered by the SAC system administrator and then assigned authentication privileges for a remote login. Once the SAC Client software is properly installed and configured, it can be launched from the remote user s PC or laptop to connect with the SAC Authentication Server and a Secure Access Modem. A successful login will create a secure connection to the protected network equipment. Chapter 2, Installation & Configuration in this manual provides detailed instructions on installing and configuring the SAC Client software on your PC or laptop. Chapter 3, Operation in this manual describes how to access the protected network equipment via the SAC Client interface, and other user functions. Web Management The SAC Web Console is an interface used primarily by the system administrator to perform almost all configuration and management of the SAC system via a browser (e.g., Internet Explorer). When the system administrator registers a user for remote login privileges, the user also receives limited access to two convenient Web Console functions: User Key Downloading and the User Profile. Your system administrator may choose to assign you additional super user privileges that allow you to control and manage either the SAC Servers, SAMs, or Users via the Web Console. The extent of these additional privileges are determined by which role you are assigned by the administrator. There are four roles in the SAC system, each activating specific links at the Web Console menu: Remote Login SAM Management Server Management User Management Table 1-1 and the accompanying screen illustrate the Web Console with the complete SAC Main Menu as seen by a super user who has permission to all menu functions. Function links on the menu will be displayed or hidden according the role(s) assigned. If you think you need additional permissions at the Web Console, contact your system administrator. [admin] Sign out System Server User SAM Audit Key Download Profile Table 1-1 User Roles and Permissions Permitted Links System Access Server Access User Config. SAM Config. Audit Access User Key Download SAM Key Download Profile Config. Remote Login SAM Management Server Management User Management System Administrator 076R301-V200 Secure Access Controller Client Version 2.0.0 1-3 Issue 3 Installation & Operation Manual
Introduction & Specifications Introduction to the SAC System Installation and Operation Guidelines This section gives general guidelines and a brief overview of tasks normally performed by the remote user. Refer to the following sections of this manual for detailed procedures: Chapter 2, Installation & Configuration Chapter 3, Operation 1. First Time Setup If you are not using a GDC SpectraComm modem, have your modem documentation available to help set the modem s initialization string, as required by the SAC Authentication Server(s). From your system administrator, obtain the following SAC system information: the SAM ID a valid User Key phone numbers for the Primary and Secondary SAC Authentication Servers your initial username and password Perform all of the procedures in Chapter 2, Installation & Configuration in the sequence given. 2. Client Software Help The installation process stores an electronic (PDF) version of this manual on your hard drive in the following location: [drive:] Program Files\SecureNex\sCom\076r301_v200.pdf Any time the Client software screens display the Help button, the user can automatically launch a separate window for viewing the manual without interrupting Client operation. Subsequent upgrades of the Client software will automatically update the manual as necessary. Note The Adobe Acrobat Reader is public domain software that must be installed on the PC or laptop in order to view or print this manual. 3. Management Communication via the Client Start up the SAC Client and log in to the SAC Authentication Server with your assigned username and password. Start up your terminal software and connect to the desired network device to be managed. When complete, end the management session by performing the following tasks: Disconnect the terminal connection to protected network equipment. Close the secure connection to the SAM. Exit the SAC Client interface. 3. Maintenance Procedures Use the Web Console to update your User Profile as necessary. See Chapter 3, Operation. Before uninstalling the Client, save a copy of the Client User key and configuration file as described in Chapter 2, Installation & Configuration. If the system administrator has given you additional Web Console privileges, refer to the detailed information and procedures provided in the separate SAC Server Installation & Operation Manual and SAC Server/Client Release Notes, listed in the front of this document. 1-4 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Chapter 2: Installation & Configuration Client Installation The Secure Access Client Software is typically installed by the remote user on a Windows XP or Windows 2000 PC/laptop equipped with an internal or external modem and a web browser (e.g., Internet Explorer). Note Refer to the Secure Access Controller Server/Client Release Notes for this version and check the minimum requirements and recommendations for your PC/laptop. Before Your Begin To properly install the SAC Client software as described in this chapter, the following conditions must be met: The system administrator must have registered the user in the SAC system with a User ID and Password, and enabled the user with the appropriate role(s). A valid Remote User Public Key (User.key) must be provided by the system administrator, or acquired by the user via downloaded at the Web Console (see Chapter 3, Operation ). The Secure Access Modem name (SAM ID) and the Authentication Server phone number(s) must be provided by the system administrator. If a previous installation of the Client is already resident, the Install Wizard will detect it and present a different sequence of instructions that allow you to keep or discard your configuration and user key. Proceed to the instructions for either of the following: First-time Client Installation Client Re-install or Upgrade To avoid conflicts with previously installed Client drivers, always restart Windows as prompted in the install or uninstall procedures. Special Considerations for Windows XP Media Center Edition 2005 When the SAC Client software is installed on a PC that is running Windows XP Media Center Edition 2005, the telephony service settings intended for Caller/ID will use the same communications (COM) port that is assigned to the modem. This conflict will lock up the COM port on the PC so that the SAC Client can not open the port. To resolve this conflict, disable all the telephony services in Windows XP Media Center Edition 2005 as follows: 1. From the Start Menu, click Settings, and then select Messenger and Caller ID. (In some cases, you will only be able to select Messenger.) 2. Under Show notification for:, select None. 3. Click Save to put the change into effect. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-1 Issue 3 Installation & Operation Manual
Installation & Configuration Client Installation First-time Client Installation If the Client software is not resident on your PC/laptop, perform the following steps. If the Install Wizard detects Client software, use the alternate procedure for Client Re-install or Upgrade. 1. Close all applications that may be running on your PC or laptop. 2. Insert the SAC Client software CD in the drive and launch the Client Install Wizard (SNcom.Installer.exe). At the Welcome screen, click Next to continue. 3. The End User License Agreement screen appears. If you agree to the terms of the agreement, click I Agree to continue. You must accept the agreement to install the Client software. 4. The Choose Install Location screen appears, similar to the example below. 5. Select a directory where the software will be installed by accepting the default directory, or by browsing to another location. Click Next to continue. 6. The Choose Components screen appears, similar to the example below: 7. The Components screen lists the components to be installed. Both components displayed are required and cannot be de-selected. Click Next to continue. 2-2 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Client Installation 8. The Install Wizard now displays the User Key Import screen. If you don t have your user key yet, click the Import later radio button, then click Install to continue. Note If you have already downloaded a valid User key or received it from the system administrator, you may import it now. Perform the steps in the Import User Key procedure in the next section. You can then complete the installation as described below. 9. The Install Wizard now displays a progress screen, shown below. 10. The Windows operating system may display standard hardware installation warnings. Click Continue Anyway to continue with the installation. This may take a few minutes, depending on your computer s resources. 11. When the Client software and driver are installed, the Install Wizard will prompt you to select the desired shortcuts, as shown in the example screen below. 12. Click to select or de-select one or both shortcuts, then click Next. The Client software and driver are now resident on your computer. 13. The Complete screen appears, indicating that the Installer has successfully detected your computer s current serial port parameters. Click the Finish button to pre-set the Client with these parameters. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-3 Issue 3 Installation & Operation Manual
Installation & Configuration Client Installation 14. The following Restart screen appears. You should now restart your computer for the new Client driver and port parameters to take effect. 15. Click the Yes button to restart Windows now. Note IMPORTANT! In order for the Client to operate properly with the correct driver and pre-set serial port parameters, it is strongly recommended that you restart Windows now. 16. After Windows restarts, the Client will be ready for configuration. 17. Proceed to Client Configuration in this chapter to configure the Client with the specific characteristics of the SAC Server and Secure Access Modem, as provided by your system administrator. 2-4 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Client Installation Client Re-install or Upgrade Reinstalling or upgrading the Client is similar to a first-time installation, with the following advantage. The Installer will automatically detect the previous installation, save its configuration and user key, and require you to uninstall the Client and restart Windows. Then, when you relaunch the Installer, you will have a chance to apply the saved configuration file (config.ini) and User key (User.key) to the new installation of the Client, if desired. 1. Close the Client and any applications that may be running on your PC or laptop. 2. Insert the SAC Client software CD in the drive and launch the Client Install Wizard (SNcom.Installer.exe). At the Welcome screen, click Next to continue. 3. When the Installer detects your previous installation of the Client on the computer, the following screen appears. To proceed, you must allow the Installer to remove this previous Client and restart Windows now. 4. Click Continue to remove the Client while retaining your configuration and user key. 5. The following Restart screen appears: 6. Click OK to restart Windows. Note IMPORTANT! You must restart Windows now to completely remove any residual Client driver information from the computer. Otherwise errors may occur in a later installation of the Client. 7. When Windows restarts, log on and then launch the SNcom.Installer.exe file on the SAC Client software CD. The Setup Wizard Welcome screen appears. Click Next. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-5 Issue 3 Installation & Operation Manual
Installation & Configuration Client Installation 8. The End User License Agreement screen appears. If you agree to the terms of the agreement, click I Agree to continue. You must accept the agreement to install the Client software. 9. The Install Location screen appears, similar to the example below. 10. At the Install Location screen, select a directory where the software will be installed by accepting the default directory, or by browsing to another location. Click Next to continue. 11. The Components screen appears, similar to the example below: 12. The Components screen lists the components to be installed. Both components displayed are required and cannot be de-selected. Click Next to continue. 2-6 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Client Installation 13. The Configuration and User Key screen appears, as shown below. To keep the configuration file and the user key from the previous installation, put a checkmark in both boxes, then Click Next. Proceed to step 14. To clear your configuration file but keep the user key, remove the checkmark from the appropriate box, then Click Next. Proceed to step 14. To clear the previous user key, remove the checkmark from the appropriate box, then Click Next. The Install Wizard will now display the User Key Import screen. Click the Import later radio button to proceed with the installation. Note If you opt to clear the previous user key, you will have to acquire a new user key as described in Chapter 3 under the paragraphs on Acquiring the User Key, and then import the key. 14. The Install Wizard now displays a progress screen, shown below. 15. The Windows operating system may display standard hardware installation warnings. Click Continue Anyway to continue with the installation. This may take a few minutes, depending on your computer s resources. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-7 Issue 3 Installation & Operation Manual
Installation & Configuration Client Installation 16. When the Client software and driver installation is complete, the Install Wizard will prompt you to select the desired shortcuts, as shown in the example below. 17. Click to select or de-select one or both shortcuts, then click Next. 18. The Complete screen appears, indicating that the Installer has successfully detected your computer s current serial port parameters. Click the Finish button to pre-set the Client with these parameters. 19. The following Restart screen appears, as shown below. You must restart Windows now for the detected serial port settings to take effect. 20. At the Restart window, click YES to restart Windows. 21. After Windows restarts, the Client will be ready for configuration. 22. Proceed to Client Configuration in this chapter to configure the Client with the specific characteristics of the SAC Server and Secure Access Modem, as provided by your system administrator. 2-8 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Uninstall Client Uninstall Client Typically, the SAC Client software is uninstalled automatically during a reinstall or upgrade of the Client. You can also manually remove the Client by using the provided Uninstall Wizard (Uninstall.exe). This utility will completely remove the Client software and drivers from the scom folder on your computer, along with your user configuration and key files. 1. Exit the Client software if running and close all applications. 2. Copy the current Client configuration file (config.ini) and the User key (User.Key) and save them on your PC or laptop. The Client stores these files in the following location: [drive]:\program Files\SecureNex\sCOM\ Note IMPORTANT! If you want to retain your current Client configuration and User key, be sure to save a copy of config.ini and User.Key files in a separate folder on your computer, apart from the scom folder. Otherwise, the Uninstall Wizard will delete them along with the Client software and driver. 3. From the Start menu, click [drive]:\program Files\SecureNex\sCOM\Uninstall 4. When the Uninstall Wizard Welcome screen appears, click Uninstall to proceed. The following progress screen appears. Once begun, you will not be able to stop this process. 5. When finished, the Complete screen appears. Click the Finish button to close the Uninstall Wizard. The Restart prompt appears, as shown below: 6. At the Restart window, click OK to restart Windows. Note IMPORTANT! You must restart Windows now to completely remove any residual Client driver information. Otherwise, errors may occur in a later installation of the Client. 7. When Windows restarts, the Uninstall process will be successfully completed. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-9 Issue 3 Installation & Operation Manual
Installation & Configuration Client Configuration Client Configuration After installation and the initial auto-setup, the Client software must be configured with the specific parameters as required by the SAC Authentication Server and the Secure Access Modem (SAM). A. To begin Client configuration, launch the Client interface by using one of the methods below: From the Start menu, go to [drive]:\program Files\SecureNex\sCOM\ From the SNcom shortcut on the desktop (if selected during Client installation) From the SNcom shortcut in the Quick Launch list (if selected during installation) B. The SAC Client opens with the General screen, shown below, with four additional tabs for Client configuration. Click the Help button at any time to open a separate window for viewing this manual without interrupting Client operation. Click the Minimize Button to move the Client screen to the icon tray while leaving the Client running. Once the Client is configured, the Connect button will start a secure management session and the Connection and Activity fields will display communication statistics. The Disconnect button will terminate the session and leave the Client running. Click the Exit Button to terminate the Client software. Any active management sessions will also be terminated. C. For a first time installation of the Client software, perform all of the following steps in order: Import User Key Configure the Serial Port Configure the Modem Configure Dialing Properties D. Once all configurations have been correctly and successfully completed, the Client is ready to start secure communication with the remote modem and protected network equipment. 2-10 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Client Configuration Import User Key The Client must have a valid User Key before you can attempt to communicate with the SAC Authentication Server or the SAM. A User Key can be imported during Client installation, or during Client configuration, as described below. To proceed, you must have already received a User Key from your system administrator, or downloaded a valid User Key via the Web Console (for details, refer to Chapter 3 under the paragraphs on Acquiring the User Key ). 1. At the Client window, click the User Key tab. If the Status field indicates a valid user key in effect, skip this procedure. 2. To import a User Key file: Click the Import by key file radio button. Click the File... button to browse to the file location on your computer, and then select the User Key file. 3. As an alternative, import key data as follows: Click the Import by key data radio button. From the Web Console, copy a valid User Key as text data, then paste the key data it into the entry field labeled: Import by key data. 4. Click Import Key. 5. The Client now verifies the imported key and displays one of the following status messages: Invalid User Key This message displays when no key has been imported, or imported key is invalid. Valid User Key This message displays when an imported key is valid. 6. If the Invalid User Key message and icon appears, click the Clear Key button to remove the invalid key from the Client. Repeat this procedure. If not successful, contact your system administrator for assistance. 7. Once a Valid User Key message appears, the Client is enabled. Note For security purposes, you can remove a valid User Key from the Client by clicking the Clear Key button. This is a quick way for system administrators to temporarily disable a fully configured Client on inventory laptops. To enable Client for a new remote user, simply repeat the Import User Key procedure. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-11 Issue 3 Installation & Operation Manual
Installation & Configuration Client Configuration Configure Serial Ports After the Client was installed, the Install Wizard detected the serial ports on your computer and automatically set up default port numbers for the two serial communication ports required by the Client. At the Serial Port screen, ensure that these port numbers are correctly selected for the following serial communication port functions: one (physical) port to communicate with your modem one (virtual) port to communicate with your terminal software (e.g., HyperTerminal) 1. At the Client window, click the Serial Ports tab to display the Serial Ports screen. An example screen is shown at right. 2. Check that the desired port number is displayed for the terminal connection. If not, select correct port from the pulldown list and then click Apply. 3. Check that the desired port number is displayed for the modem connection. If not, select correct port from the pulldown list and then click Apply. 4. The default connection parameters for the modem are selected by the Client as listed below. It is recommended that these values not be changed. Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Hardware flow control: Yes 2-12 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Installation & Configuration Client Configuration Configure Modem Your modem must be provided with an initial AT command string that includes several parameters required by the SAC Authentication Server and the Secure Access Modem. The Client will display a default command string that can be used for some modems. Consult your modem s documentation to determine the proper AT commands that correspondingly initialize your particular modem. 1. At the Client window, click the Misc tab to display the configurable modem and communication parameters. An example screen is shown at right. 2. At the Modem Initial command field, type the AT command string that will initialize your modem as follows: s12=50 (Guard timer set to 5) s7=80 (Await Connect Complete) e0 (Echo Off) &c1 (Data Carrier Detect On) &d2 (Data Terminal Ready Off) x1 (Dial Tone Off) &k3 (Enable HW Flow Control) 3. The modem will use default timeout values set by the Client, unless changed by the user. To change the default values: Enter a preferred Response timeout value from 4000 to 6000, in milliseconds. Default is 6000. Enter a preferred Dialing timeout value, in milliseconds, depending on the quality of the phone line and switch. Default is 85000. Enter a preferred Dialing pause value, in milliseconds. Default is 2500. 4. Click Apply to save your modem timeout entries. 5. Enter a communication inactivity timeout depending on the computing capabilities on the server and client PC. The default value is 12000 milliseconds. 6. Click Apply to save your communication timeout entry. Configuration of the Client modem is complete. 076R301-V200 Secure Access Controller Client Version 2.0.0 2-13 Issue 3 Installation & Operation Manual
Installation & Configuration Client Configuration Configure Dialing Properties Remote users must configure the Client with valid phone numbers of the SAC Authentication Servers, and with the appropriate dialing rules for the remote sites. These properties allow the Client to automatically dial the SAC Authentication Servers and communicate with the Secure Access Modem from whatever office the remote user is dialing from. You must have received the SAC Authentication server phone number(s) from your system administrator to proceed. 1. At the Client window, click the Dialing Properties tab to display the Dialing Properties screen, shown at upper-right. 2. Enter the phone number(s) for the Primary and Secondary Authentication Servers. Click Apply to save the number(s) to the Client. 3. For PBX or long distance calls to the server and to the SAM, you must add dialing rules for each remote location. The screen at right shows a Client configured with dialing rules for four sites, as described below. 4. To begin, click Add to display the Dialing Rule entry screen, shown at lower-right. 5. Enter dialing rules for reaching the Server from a remote site, as described below: In the Name field, enter a description of your site, for example, Montreal. To access an outside line, check the box, then enter the PBX number and pause character, such as 9,. For a long distance call to the server, check the box and enter the LD prefix. 6. Now enter dialing rules for reaching the SAM from this same remote site: To access an outside line, check the box, then enter the PBX number and pause character, such as 9, For a long distance call to SAM from this site, check the box and enter the LD prefix. 7. Click OK to save the dialing rules for this site. The Dialing Properties screen reappears, showing the new remote site in the Dialing Rules list. Repeat this procedure to add dialing rules for more remote sites. To set one of the rules as the default, select a rule, then click Set Default. The rule is marked with a check. To clear it, select the default rule and click Clear Default. To edit an existing rule, double-click the rule, or select the rule and click Edit. An entry box appears for modifying the rules for that site. To delete a rule, select the rule, then click Delete. The rule is removed from the list. Note The Client configuration is complete. Proceed to Chapter 3, Operation for communication procedures. 2-14 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Chapter 3: Operation Overview This chapter describes the following tasks commonly performed by the remote user: Make a secure connection to the SAC Authentication Server and SAM. Start and stop secure communication with the network equipment via SAM. Update your User Profile via the Web Console. Acquire a User Key via the Web Console Note If your system administrator has given you additional authentication privileges at the Web Console, refer to the separate Secure Access Controller Server Operation Manual and Release Notes for detailed instructions. Secure Communication If the remote user is registered and the Client software properly installed and configured, the user can request secure communication with the Secure Access Modem (SAM). Once authenticated, the user can manage the protected network equipment via a secure tunnel, using AES encryption. Figure 3-1 demonstrates the flow of authentication messages and communication between the Client, the SAC Authentication Server, the SAM and the protected network equipment. Remote User MODEM User ID Password 1 2 Public Key SAM Phone No. Authentication Process MODEM BANK Authentication Server Client Public Key Exchange 3 Secure Communication Decrypted Data 4 Encrypted Data SAM MODEM Decrypted Data Protected Equipment Figure 3-1 Authentication and Secure Communication the SAC System 076R301-V200 Secure Access Controller Client Version 2.0.0 3-1 Issue 3 Installation & Operation Manual
Operation Secure Communication Communication Procedure 1. Launch the Client interface by using one of the methods below: via the Start menu, go to [drive]:\program Files\SecureNex\sCom via the SNcom shortcut on the desktop (if selected during Client installation) via the SNcom shortcut in the Quick Launch list (if selected during installation) 2. The SAC Client window opens at the General tab, as shown below. 3. Click the Connect button to display the Client log in screen, shown below. 4. At the Log in screen, enter the SAM ID as provided by your system administrator. 5. Type your username and password in the entry fields. 6. From the pulldown list, select the appropriate Dialing Rules for your current dialing location. Note If you are at a new site that requires a unique dialing rule to reach the SAC Server and SAM, click Cancel and then create new rules as described in Chapter 2, under the paragraphs on Configure Dialing Properties. 3-2 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Operation Secure Communication 7. When all entry fields are complete, click the OK button. With a successful connection, a message screen displays the progress of the key exchange with the server and then the SAM, as shown below. In the event of a problem, an alert box will explain the reason. If necessary, click the Stop button to cancel the key exchanges. 8. Once authenticated, the following sequence of events occurs: a. A secure connection is established with the designated SAM. b. The Client window is automatically minimized into the icon tray. c. the following message appears: SNcom is connected at [actual connection rate in bps]. Terminal client communicating with remote host via [virtual COM port]. where [virtual COM port] is the number of the serial port configured to communicate with your terminal software. 4. Start your terminal software, such as HyperTerminal. 5. At the New Connection window, enter a connection name and select an icon, then click OK. The terminal software displays a Connect to window. 6. At the Connect to window, enter the number of the serial port displayed in the step 8. message. Click OK to continue. 7. Most terminal software programs will display a Properties window with default connection values for the selected serial port, as shown below: Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: None 8. The SAC Client can use the default values. Click OK to continue. You can now communicate with the protected network equipment through a secure tunnel established by the SAM. 9. Save session data if desired, then end the management session by quitting the terminal window. Note that the Client and the secure tunnel are still connected to the SAM. 10. To quickly disconnect the secure tunnel and quit the SAC Client software in one step, rightclick the minimized SNcom icon in the desktop tray and select Exit. The call is dropped and the Client interface is terminated. 076R301-V200 Secure Access Controller Client Version 2.0.0 3-3 Issue 3 Installation & Operation Manual
Operation Web Console Access Web Console Access A registered user may access the SAC Web Console to perform the following tasks: create and modify your username, password and contact information, as described below acquire the Remote User Key required by the Client, as described below other privileges as allowed by the system administrator Note If your system administrator has given you additional authentication privileges at the Web Console, refer to the separate Secure Access Controller Server Operation Manual and Release Notes for detailed instructions. User Profile Maintenance The Profile page allows registered users to change their personal information, or change their password. You must have received the IP address or DNS name of the SAC Administration Server from your system administrator to use this web-based interface. 1. To access the Web Console, point your browser to the IP address or the DNS of the SAC Administration Server. The SAC Main Menu appears with two or more menu items as allowed by your system administrator. 2. At the SAC Main Menu, click the Profile link. A Profile menu is displayed. 3. At the Profile menu, click My Profile. An example page is shown below: 4. Change personal information in each field as necessary. 5. When all personal information is correct, click the Update link to save the changes to the SAC system. You are returned to the Profile page menu. Note The User ID field is read-only and can only be changed by the system administrator. 3-4 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
Operation Web Console Access 6. To change your password, select Change Password from the Profile menu. An entry page is shown below: 7. Type your current password and the new password in the entry fields, then confirm the new password. 8. Click Change to save the new password to the SAC system. 076R301-V200 Secure Access Controller Client Version 2.0.0 3-5 Issue 3 Installation & Operation Manual
Operation Web Console Access Acquiring the User Key The Client software must be provided with a valid User Key before it can be used to communicate with the SAC Authentication Server or the SAM. As explained in Chapter 2, Installation & Configuration, the User Key can either be supplied by the system administrator as a file, or downloaded by the user via the Web Console. The following procedure describes this download process via the Web Console. To proceed, you must have already received the IP address or DNS name of the Administration Server from your system administrator. 1. To access the Web Console, point your browser to the IP address or the DNS of the SAC Administration Server. The SAC Main Menu appears with two or more menu items as allowed by your system administrator. 2. At the SAC Main Menu, click the Key Download link. A Key Download menu appears. 3. At the Key Download menu, click User Key. An example User Key page is shown below. Note IMPORTANT! Do not copy the example User Key shown below. Your key will be different. 4. Click the Download link to acquire the User Key as a key file. When the File download window appears, select Save. 5. When the Save as prompt appears, select a destination for storing the file, then click Save. 6. In the Download Complete window, select Open folder to find the user.key file you downloaded. 7. You can now use the file to import a valid User Key as a key file into the SAC Client software. Alternative Method Instead of importing the User Key as a file, you may select and copy the key data from the User Key field and paste it directly into the Client as key data, as described in brief below: Open the SAC Client to the User Key tab, then click the radio button for Import by Key data. From the Web Console, copy a valid User Key as text data, then paste the data into the Import by key data field. Continue with the Import Key procedure as described in Chapter 2 under the paragraphs on Import User Key. 3-6 Secure Access Controller Client Version 2.0.0 076R301-V200 Installation & Operation Manual Issue 3
The Best Connections in the Business