
Remote Access Service

Remote Access Service. VPN Client 2 Technical Support Presentation March, 2014 – Version 1.1. Overview. Purpose Provide troubleshooting, tips and tricks and additional information on specific VPN client function for the Novartis CONNECT client Scope VPN Client_2.0_L_EN_01 package

amalie

Presentation Transcript


  1. Remote Access Service VPN Client 2 Technical Support Presentation March, 2014 – Version 1.1

  2. Overview
     • Purpose
       - Provide troubleshooting, tips and tricks and additional information on specific VPN client functions for the Novartis CONNECT client
     • Scope
       - VPN Client_2.0_L_EN_01 package
     • Audience
       - Novartis IT Service Desks providing support to Remote Access users
     • Presentation ownership
       - Pascal Heiniger, Global Service Manager, Mobility Application Services
       - pascal.heiniger@novartis.com
       - http://www.globalit.novartis.intra/global-infrastructure-services/enterprise-services/security-infrastructure-services/index.shtml
     RAS | VPN Client 2 Technical Support | Business Use Only

  3. Troubleshooting tips & tricks

  4. Troubleshooting: VPN Client Quick Check – Step 1
     • Perform the quick check as standard ‘intro’ into the troubleshooting process
     • Verify that the Connection Wizard icon is visible in the system tray
     • Verify that the user can login with his Entrust certificate
     • Remediation
       - Reboot the client
       - Re-install the VPN Client package

  5. Troubleshooting: VPN Client Quick Check – Step 2
     • Run a “Check for Topology Update” to ensure the client has the latest update installed
     • The “Check for Topology Update” works from the Novartis Intranet as well as from a direct Internet connection (no VPN) and from a regular VPN connection
     • If the client is connected directly to the Internet and an update is not possible, double-check the proxy settings. Disable the static proxy if set through the red button in Internet Explorer
     • Note: the “Check for Topology Update” also restarts the VPN Client and therefore resolves issues related to the VPN stack

  6. Troubleshooting: VPN Client Quick Check – Step 3
     • Verify that the user can login with his Entrust certificate
     • Double-check that the user Client Authentication certificate is available in the store and that the certificate is valid
     • Remediation
       - See PKI troubleshooting guidelines

  7. Troubleshooting: Internet Connectivity Check – Step 4
     • Ensure that an IPv4 address is assigned to the client
     • Verify that www.novartis.com resolves against the public IP (time of writing 164.109.71.93)
     • Remediation
       - Check cabling or WLAN association
       - Check router
       - Double-check that the client is not switching between WLANs (e.g. neighborhood)
       - Reboot the client

  8. Troubleshooting: Internet Connectivity Check – Step 5
     • Open the browser. Verify that the proxy is disabled and check if www.novartis.com is reachable
     • Remediation
       - Check cabling or WLAN association
       - Check router
       - Double-check that the client is not switching between WLANs (e.g. neighborhood)
       - Reboot the client

  9. Troubleshooting: VPN Client Installation Check – Step 6
     • Verify that the following services are started:
       - ‘AppLife Update Service 2.0’
       - ‘Check Point EndPoint Security VPN’
       - ‘Connection Wizard Helper’
     • Verify that the following processes are running under the user context
       - Cwclient.exe
     • Remediation
       - Ensure that the services are set to ‘Automatic’ startup type. Restart the services (requires local admin rights)
       - Launch ‘Connect VPN’ from the Utilities folder
       - Reboot the client

  10. Troubleshooting: VPN Client Installation Check – Step 7
     • Verify that the c:\Program Files\CheckPoint\EndPoint Connect folder includes several trac.config files (e.g. trac.config_chbs, trac.config_useh, …)
     • Double-check that the gateway list is populated within the ‘Connection Wizard’
       - Gateway list should include at least two or more gateways (see sample screenshot)
     • Remediation
       - Run ‘Check for Topology Update’ from the Support menu
       - Re-install the VPN client package

  11. Troubleshooting: VPN Client Installation Check – Step 8
     • Verify that the file ‘cwservice.exe.config’ exists in the ..\cwizard folder
     • Verify that the file ‘mapg.vbs’ exists in the ..\cwizard folder
     • Remediation
       - Re-install the VPN client package
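
The scriptable parts of the quick check (steps 4, 6, 7 and 8) as a read-only Windows PowerShell script. This is an added example, not part of the original presentation or the VPN client package; the install folders are assumed to be the defaults named on the slides, and "several" trac.config files is taken to mean more than one.

```powershell
# Added example: read-only checks for steps 4, 6, 7 and 8. Windows PowerShell.
# Assumption: default install folders as named on the slides.
$epDir = 'C:\Program Files\CheckPoint\EndPoint Connect'
$cwDir = 'C:\Program Files\cwizard'
$results = @()
function Add-Check($Step, $Name, $Ok, $Detail) {
    $script:results += New-Object psobject -Property @{
        Step = $Step; Check = $Name; Pass = [bool]$Ok; Detail = "$Detail" }
}

# Step 4: an IPv4 address is assigned (loopback and APIPA 169.254.x.x do not count)
$ips = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+(\.\d+){3}$' -and $_ -notmatch '^(127|169\.254)\.' })
Add-Check 4 'IPv4 address assigned' ($ips.Count -gt 0) ($ips -join ', ')

# Step 4: name resolution; compare the result with the public IP given in step 4
try {
    $dns = [System.Net.Dns]::GetHostAddresses('www.novartis.com') |
        ForEach-Object { $_.IPAddressToString }
    Add-Check 4 'www.novartis.com resolves' $true ($dns -join ', ')
} catch { Add-Check 4 'www.novartis.com resolves' $false $_.Exception.Message }

# Step 6: each service exists, is running and starts automatically
$all = Get-WmiObject Win32_Service
foreach ($n in 'AppLife Update Service 2.0', 'Check Point EndPoint Security VPN',
               'Connection Wizard Helper') {
    $s = $all | Where-Object { $_.DisplayName -eq $n -or $_.Name -eq $n } | Select-Object -First 1
    $ok = $s -and $s.State -eq 'Running' -and $s.StartMode -eq 'Auto'
    $detail = if ($s) { "$($s.State), $($s.StartMode)" } else { 'not installed' }
    Add-Check 6 "Service '$n'" $ok $detail
}

# Step 6: Cwclient.exe runs in the logged-on user's context
$owners = @(Get-WmiObject Win32_Process -Filter "Name = 'cwclient.exe'" |
    ForEach-Object { $_.GetOwner().User })
Add-Check 6 'Cwclient.exe under user context' ($owners -contains $env:USERNAME) ($owners -join ', ')

# Step 7: several trac.config_* files (assumption: "several" means more than one)
$trac = @(Get-ChildItem -Path $epDir -Filter 'trac.config_*' -ErrorAction SilentlyContinue)
Add-Check 7 'trac.config_* files present' ($trac.Count -gt 1) "$($trac.Count) found"

# Step 8: Connection Wizard support files
foreach ($f in 'cwservice.exe.config', 'mapg.vbs') {
    Add-Check 8 "$f in cwizard folder" (Test-Path (Join-Path $cwDir $f)) (Join-Path $cwDir $f)
}

$results | Sort-Object Step | Format-Table Step, Check, Pass, Detail -AutoSize
```

The script changes nothing on the client; any row with Pass = False points to the remediation listed under the matching step.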

  12. Tip: Terminate the Connection Wizard – Hold CTRL Key
     • If the ‘Connection Wizard’ seems to be stuck or the Connection does not reflect the current client connectivity
       - Terminate the ‘Connection Wizard’ by clicking on close while holding the CTRL key (don’t forget to restart the ‘Connection Wizard’)
     • Terminating the Connection Wizard will automatically launch the CheckPoint EndPoint Connect GUI

  13. Tip: Internet Router and Firewall
     • Ensure that the latest firmware is running on the device
     • Ensure that the client is not ‘jumping’ between WLANs
     • Ensure the following ports and protocols are not blocked from the device
       - TCP/264 (Topology Download)
       - IKE
       - IPSEC and IKE (UDP on port 500)
       - IPSEC ESP (IP type 50)
       - IPSEC AH (IP type 51)
       - TCP/500 (if using IKE over TCP)
       - UDP 2746 or another port (if using UDP encapsulation)
       - UDP 259
     • Optional:
       - FW1_scv_keep_alive (UDP port 18233) used for SCV keep-alive packets
       - FW1_pslogon_NG (TCP port 18231) used for SecureClient's logon to Policy Server protocol
       - FW1_sds_logon (TCP port 18232) used for SecureClient's Software Distribution Server download protocol
       - tunnel_test (UDP port 18234) used by Check Point tunnel testing application

  14. Tip: Command Line Topology Update
     • CwUpdate.exe can be executed from c:\program files\cwizard with user rights from a DOS shell or through the file explorer
     • Two command options are available
       - /f to force an update of the topologies
       - /v to force an update to a specific version of the topologies (not preferred)
     • Without command line options the topology information is retrieved from the tpversion.xml located in the c:\program files\CheckPoint\Endpoint Connect folder
     • A restart of the client is not required, but it is recommended to ensure the new topology is applied
     • Alternatively, switch to another gateway and then back to the original one

  15. Tip: NVS Helpdesk Tool Integration
     • Two sections are added to the NVS Helpdesk tool:
     • VPN Client
       - Software and topology update version
       - Topology update history (last 10 events)
     • VPN Client Performance
       - Information about the last VPN connection including reported error
       - Total amount of successful/failed VPN connections on the client
     • Note: The NVS Helpdesk tool configuration file must be updated to display this information

  16. Tip: Version Information
     • The ‘About’ dialog box now displays
       - The Connection Wizard version
       - The topology update history (all updates)
     • Note: The client version and the topology version do not necessarily match because of the different lifecycles

  17. Tip: Recover Client / Reinstall
     • The embedded PDF describes how to recover a failed VPN installation
       - Document Version 1.1 from 11. February 2014
     • To recover or update a VPN installation
       - Don’t perform a repair (this will leave the client in an un-configured state)
       - Instead fully uninstall, reboot and re-install the client

  18. Tip: SharePoint Access Denied Issue
     • The update/issue of Kerberos tickets might fail on certain routers/providers because of the name resolution behavior of the Windows client and the router
     • In such cases please set the following registry keys on the client:
       - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
         REG_DWORD = MaxPacketSize value = "1"
       - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
         REG_DWORD = MaxPacketSize value = "1"
     • Please note, this remediation is recommended only in case the user experiences access denied issues on SharePoint while all other resources (e.g. Intranet, Outlook etc.) are working well

  19. Technical features

  20. Technical Features: Connect G: Drive
     • The connect and disconnect G: drive options execute the script mapg.vbs in the ..\cwizard folder
     • The menu options
       - Connect G: drive is enabled if a VPN connection is established and no G: drive is connected
       - Disconnect G: drive is enabled if a G: drive is connected but no Novartis Intranet is detected

  21. Technical Features: Reconnect after Resume
     • The dialogue box is presented to the user if:
       - the client is coming back from a standby or hibernate
       - the client is not connected to the Novartis Intranet
       - the client has an Internet connection
       - a VPN connection was established at the time the client went into standby or hibernate
     • The dialogue box is active for 90 seconds. After this time the dialogue box is closed and no reconnection is performed

  22. Technical Features: Support Button
     • The ‘Check for topology update’ checks for new versions of the Connection Wizard and of the topology. This also works directly over the Internet (no VPN connection required)
     • Client and service logs (attention, extensive) are available over the Support menu. There are two log files available
       - The client log shows logs recorded from the CW GUI
       - The service log shows logs recorded from the CW service

  23. Technical Features: Cancel Button
     • During the establishment of the VPN connection the user has the opportunity to cancel the connection
     • The cancel request will stop the current connection attempt and issue a rescan of the client network connectivity
