Remote Access Service
VPN Client 2
Technical Support Presentation
March, 2014 – Version 1.1
Overview
 Purpose
• Provide troubleshooting, tips and tricks and additional information on specific VPN client functions for the Novartis CONNECT client
 Scope
• VPN Client_2.0_L_EN_01 package
 Audience
• Novartis IT Service Desks providing support to Remote Access users
 Presentation ownership
• Pascal Heiniger
Global Service Manager Mobility Application Services
[email protected]
http://www.globalit.novartis.intra/global-infrastructure-services/enterpriseservices/security-infrastructure-services/index.shtml
RAS | VPN Client 2 Technical Support | Business Use Only
TROUBLESHOOTING
TIPS & TRICKS
Troubleshooting
VPN Client Quick Check – Step 1
 Perform the quick check as the standard ‘intro’ into the troubleshooting process
• Verify that the Connection Wizard icon is visible in the system tray
• Verify that the user can log in with his Entrust certificate
 Remediation
• Reboot the client
• Re-install the VPN Client package
Troubleshooting
VPN Client Quick Check – Step 2
 Run a “Check for Topology Update” to ensure the client has the latest update installed
 The “Check for Topology Update” works from the Novartis Intranet as well as from a direct Internet (no VPN) connection and from a regular VPN connection
 If the client is connected directly to the Internet and an update is not possible, double-check the proxy settings. If a static proxy is set, disable it through the red button in Internet Explorer
 Note: the “Check for Topology Update” also restarts the VPN Client and therefore resolves issues related to the VPN stack
Troubleshooting
VPN Client Quick Check – Step 3
 Verify that the user can log in with his Entrust certificate
 Double-check that the user’s Client Authentication certificate is available in the certificate store and that the certificate is valid
 Remediation
• See PKI troubleshooting guidelines
Troubleshooting
Internet Connectivity Check – Step 4
 Ensure that an IPv4 address is assigned to the client
 Verify that www.novartis.com resolves to the public IP (at time of writing 164.109.71.93)
 Remediation
• Check cabling or WLAN association
• Check the router
• Double-check that the client is not switching between WLANs (e.g. neighborhood)
• Reboot the client
Troubleshooting
Internet Connectivity Check – Step 5
 Open the browser. Verify that the proxy is disabled and check whether www.novartis.com is reachable
 Remediation
• Check cabling or WLAN association
• Check the router
• Double-check that the client is not switching between WLANs (e.g. neighborhood)
• Reboot the client
Troubleshooting
VPN Client Installation Check – Step 6
 Verify that the following services are started:
• ‘AppLife Update Service 2.0’
• ‘Check Point EndPoint Security VPN’
• ‘Connection Wizard Helper’
 Verify that the following process is running in the user context
• Cwclient.exe
 Remediation
• Ensure that the services are set to ‘Automatic’ startup type. Restart the services (requires local admin rights)
• Launch ‘Connect VPN’ from the Utilities folder
• Reboot the client
Troubleshooting
VPN Client Installation Check – Step 7
 Verify that the c:\Program Files\CheckPoint\EndPoint Connect folder includes several trac.config files (e.g. trac.config_chbs, trac.config_useh, …)
 Double-check that the gateway list is populated within the ‘Connection Wizard’
• The gateway list should include two or more gateways (see sample screenshot)
 Remediation
• Run ‘Check for Topology Update’ from the Support menu
• Re-install the VPN client package
Troubleshooting
VPN Client Installation Check – Step 8
 Verify that the file ‘cwservice.exe.config’ exists in the ..\cwizard folder
 Verify that the file ‘mapg.vbs’ exists in the ..\cwizard folder
 Remediation
• Re-install the VPN client package
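As an added example (not code from the VPN Client 2 package, the Connection Wizard or this presentation), the PowerShell script below runs Steps 3 to 8 as read-only checks and prints one row per check, so a Service Desk agent can collect all results at once instead of walking the slides by hand. It assumes Windows 8.1 / PowerShell 4 or later (Get-NetIPAddress, Resolve-DnsName, Test-NetConnection). The service, process, folder and file names are the ones on the slides; the expected public IP is the “time of writing” value and must be refreshed before use, and the cwizard path (c:\program files\cwizard, from the Command Line Topology Update tip) may differ on 64-bit installations.

```powershell
# Added example, not part of the VPN Client 2 package: read-only quick check
# for Steps 3 to 8. Assumes Windows 8.1 / PowerShell 4 or later.

$ExpectedPublicIp = '164.109.71.93'                      # Step 4 value "at time of writing" (assumption)
$CheckPointDir    = 'C:\Program Files\CheckPoint\Endpoint Connect'
$CwizardDir       = 'C:\Program Files\cwizard'           # assumption: may be under Program Files (x86)
$ServiceNames     = 'AppLife Update Service 2.0',
                    'Check Point EndPoint Security VPN',
                    'Connection Wizard Helper'

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Step, [string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Step = $Step; Check = $Check; OK = $Ok; Detail = $Detail })
}

# Step 3: a time-valid Client Authentication certificate with private key in the
# user's personal store (expiry and EKU only; revocation is left to the PKI guide)
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
})
Add-Result 'Step 3' 'Client Authentication certificate valid' ($certs.Count -gt 0) `
    (($certs | ForEach-Object { '{0} (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }) -join '; ')

# Step 4: a usable IPv4 address (ignore loopback and 169.254.x.x auto-configuration)
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
    $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*'
})
Add-Result 'Step 4' 'IPv4 address assigned' ($ipv4.Count -gt 0) (($ipv4 | ForEach-Object { $_.IPAddress }) -join ', ')

# Step 4: www.novartis.com resolves to the expected public address
try {
    $a = @(Resolve-DnsName -Name 'www.novartis.com' -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    Add-Result 'Step 4' "www.novartis.com resolves to $ExpectedPublicIp" ($a -contains $ExpectedPublicIp) ($a -join ', ')
} catch {
    Add-Result 'Step 4' 'www.novartis.com resolves' $false $_.Exception.Message
}

# Step 5: no static WinINET proxy, and www.novartis.com reachable on TCP 80 without one
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Add-Result 'Step 5' 'Static proxy disabled' ($inet.ProxyEnable -ne 1) ('ProxyEnable={0} ProxyServer={1}' -f $inet.ProxyEnable, $inet.ProxyServer)
$tnc = Test-NetConnection -ComputerName 'www.novartis.com' -Port 80 -WarningAction SilentlyContinue
Add-Result 'Step 5' 'www.novartis.com reachable (TCP 80)' $tnc.TcpTestSucceeded ('via {0}' -f $tnc.RemoteAddress)

# Step 6: services running with Automatic start; cwclient.exe running as the logged-on user
foreach ($name in $ServiceNames) {
    $svc = Get-CimInstance Win32_Service -Filter ("DisplayName='{0}' OR Name='{0}'" -f $name)
    if (-not $svc) { Add-Result 'Step 6' "Service '$name'" $false 'not installed'; continue }
    Add-Result 'Step 6' "Service '$name' running, Automatic" ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') `
        ('State={0} StartMode={1}' -f $svc.State, $svc.StartMode)
}
$proc  = Get-CimInstance Win32_Process -Filter "Name='cwclient.exe'" | Select-Object -First 1
$owner = if ($proc) { $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner; '{0}\{1}' -f $o.Domain, $o.User } else { 'not running' }
Add-Result 'Step 6' 'cwclient.exe running in user context' ([bool]$proc -and $owner -eq "$env:USERDOMAIN\$env:USERNAME") $owner

# Step 7: several per-site topology files (trac.config_chbs, trac.config_useh, ...)
$trac = @(Get-ChildItem -Path $CheckPointDir -Filter 'trac.config_*' -ErrorAction SilentlyContinue)
Add-Result 'Step 7' 'trac.config_* files present (2 or more)' ($trac.Count -ge 2) (($trac | ForEach-Object { $_.Name }) -join ', ')

# Step 8: Connection Wizard files present
foreach ($f in 'cwservice.exe.config', 'mapg.vbs') {
    $p = Join-Path $CwizardDir $f
    Add-Result 'Step 8' "$f present" (Test-Path -Path $p -PathType Leaf) $p
}

$results | Format-Table -AutoSize
```

The script only reads state; the remediation steps on the slides (service restart, reinstall, reboot) are deliberately left to the agent. The populated gateway list from Step 7 is a GUI check and is approximated here by counting trac.config_* files, which is what the topology update writes.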
Tip
Terminate the Connection Wizard
Hold CTRL Key
 If the ‘Connection Wizard’ seems to be stuck or the connection status does not reflect the current client connectivity
• Terminate the ‘Connection Wizard’ by clicking on Close while holding the CTRL key (don’t forget to restart the ‘Connection Wizard’)
• Terminating the Connection Wizard will automatically launch the CheckPoint EndPoint Connect GUI
Tip
Internet Router and Firewall
 Ensure that the latest firmware is running on the device
 Ensure that the client is not ‘jumping’ between WLANs
 Ensure that the following ports and protocols are not blocked by the device
• TCP/264 (Topology Download)
• IKE (UDP port 500)
• IPsec ESP (IP protocol 50)
• IPsec AH (IP protocol 51)
• TCP/500 (if using IKE over TCP)
• UDP 2746 or another port (if using UDP encapsulation)
• UDP 259
 Optional:
• FW1_scv_keep_alive (UDP port 18233) used for SCV keep-alive packets
• FW1_pslogon_NG (TCP port 18231) used for SecureClient’s logon to Policy Server protocol
• FW1_sds_logon (TCP port 18232) used for SecureClient’s Software Distribution Server download protocol
• tunnel_test (UDP port 18234) used by the Check Point tunnel testing application
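As an added example (not from the presentation or from Check Point), the PowerShell script below takes the port list above, probes the TCP entries against a gateway with Test-NetConnection, and reports local Windows Firewall outbound block rules that would cover any listed entry. It assumes Windows 8.1 / PowerShell 4 or later (NetTCPIP and NetSecurity modules); $Gateway is a placeholder to be replaced with a gateway name from the Connection Wizard’s gateway list. UDP ports and the ESP/AH IP protocols cannot be confirmed with a TCP connect, so for those only the local firewall rules are checked; a failed TCP/500 probe is not by itself an error, because the gateway only listens there when IKE over TCP is enabled.

```powershell
# Added example, not from the presentation: probe TCP ports from the slide's
# list against the gateway and look for local outbound block rules.
# Assumes Windows 8.1 / PowerShell 4 or later.

$Gateway = 'vpn-gateway.example.com'   # placeholder, not a real Novartis gateway

$Ports = @(
    @{ Proto = 'TCP'; Port = 264;   Use = 'Topology download';                      Optional = $false },
    @{ Proto = 'UDP'; Port = 500;   Use = 'IKE';                                    Optional = $false },
    @{ Proto = 'IP';  Port = 50;    Use = 'IPsec ESP (IP protocol 50)';             Optional = $false },
    @{ Proto = 'IP';  Port = 51;    Use = 'IPsec AH (IP protocol 51)';              Optional = $false },
    @{ Proto = 'TCP'; Port = 500;   Use = 'IKE over TCP (only if enabled)';         Optional = $false },
    @{ Proto = 'UDP'; Port = 2746;  Use = 'UDP encapsulation (or configured port)'; Optional = $false },
    @{ Proto = 'UDP'; Port = 259;   Use = 'UDP 259';                                Optional = $false },
    @{ Proto = 'UDP'; Port = 18233; Use = 'FW1_scv_keep_alive (SCV keep-alive)';    Optional = $true  },
    @{ Proto = 'TCP'; Port = 18231; Use = 'FW1_pslogon_NG (Policy Server logon)';   Optional = $true  },
    @{ Proto = 'TCP'; Port = 18232; Use = 'FW1_sds_logon (SDS download)';           Optional = $true  },
    @{ Proto = 'UDP'; Port = 18234; Use = 'tunnel_test';                            Optional = $true  }
)

# Enabled outbound block rules with their port filters, collected once
$BlockRules = @(Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallPortFilter | ForEach-Object {
            [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $_.Protocol; RemotePort = @($_.RemotePort) }
        }
    })

function Find-LocalBlock($Entry) {
    # Windows Firewall names TCP/UDP by name and other IP protocols by number ('50')
    $proto = if ($Entry.Proto -eq 'IP') { [string]$Entry.Port } else { $Entry.Proto }
    $BlockRules | Where-Object {
        ($_.Protocol -eq 'Any' -or $_.Protocol -eq $proto) -and
        ($Entry.Proto -eq 'IP' -or $_.RemotePort -contains 'Any' -or $_.RemotePort -contains [string]$Entry.Port)
    } | ForEach-Object { $_.Rule }   # port ranges such as '1000-2000' are not expanded here
}

function Test-GatewayTcp($Entry) {
    if ($Entry.Proto -ne 'TCP') { return 'n/a (not a TCP port)' }
    $r = Test-NetConnection -ComputerName $Gateway -Port $Entry.Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { 'open' } else { 'no connect (blocked, or service not enabled on gateway)' }
}

$Ports | ForEach-Object {
    [pscustomobject]@{
        Protocol   = $_.Proto
        Port       = $_.Port
        Use        = $_.Use
        Optional   = $_.Optional
        TcpProbe   = Test-GatewayTcp $_
        LocalBlock = (Find-LocalBlock $_) -join ', '
    }
} | Format-Table -AutoSize
```

When TCP/264 connects but the tunnel still does not come up, the remaining suspects are the UDP and ESP entries this script cannot probe, which is exactly where the router firmware and WLAN checks above apply.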
Tip
Command Line Topology Update
 CwUpdate.exe can be executed from c:\program files\cwizard with user rights from a command prompt or through File Explorer
 Two command line options are available
• /f to force an update of the topologies
• /v to force an update to a specific version of the topologies (not preferred)
• Without command line options the topology information is retrieved from the tpversion.xml located in the c:\program files\CheckPoint\Endpoint Connect folder
 A restart of the client is not required but recommended to ensure the new topology is applied
 Alternatively, switch to another gateway and then back to the original one
Tip
NVS Helpdesk Tool Integration
 Two sections are added to the NVS Helpdesk tool:
 VPN Client
• Software and topology update version
• Topology update history (last 10 events)
 VPN Client Performance
• Information about the last VPN connection including the reported error
• Total number of successful/failed VPN connections on the client
 Note: the NVS Helpdesk tool configuration file must be updated to display this information
Tip
Version Information
 The ‘About’ dialog box now displays
• The Connection Wizard version
• The topology update history (all updates)
 Note: the client version and the topology version do not necessarily match because of their different lifecycles
Tip
Recover Client / Reinstall
 The embedded PDF describes how to recover a failed VPN installation
• Document version 1.1 from 11 February 2014
 To recover or update a VPN installation
• Don’t perform a repair (this will leave the client in an unconfigured state)
• Instead fully uninstall, reboot and re-install the client
Tip
SharePoint Access Denied Issue
 The update/issue of Kerberos tickets may fail on certain routers/providers because of the name resolution behavior of the Windows client and the router
 In such cases set the following registry keys on the client (MaxPacketSize = 1 forces the Kerberos client to use TCP instead of UDP when talking to the KDC):
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- REG_DWORD MaxPacketSize = 1
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
- REG_DWORD MaxPacketSize = 1
 Please note: this remediation is recommended only if the user experiences access denied issues on SharePoint while all other resources (e.g. Intranet, Outlook etc.) work well
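As an added example (not from the presentation), the PowerShell below applies the two MaxPacketSize values, backs up the previous state first so the change can be undone when it does not help, and purges the ticket cache so new tickets are requested over TCP right away. It must run from an elevated prompt; the backup path under $env:ProgramData is an assumption and any writable location works.

```powershell
# Added example, not from the presentation: apply or revert the two
# MaxPacketSize=1 values (Kerberos over TCP). Run elevated.

$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
)
$ValueName  = 'MaxPacketSize'
$BackupFile = Join-Path $env:ProgramData 'MaxPacketSize-backup.json'   # assumption: any writable path

function Get-KerberosTcpState {
    # Current value per key; $null means the value is not set and the built-in default applies
    foreach ($k in $Keys) {
        $v = (Get-ItemProperty -Path $k -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        [pscustomobject]@{ Key = $k; MaxPacketSize = $v; ForcesTcp = ($v -eq 1) }
    }
}

function Enable-KerberosTcp {
    Get-KerberosTcpState | ConvertTo-Json | Set-Content -Path $BackupFile
    foreach ($k in $Keys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    klist purge | Out-Null    # drop cached tickets so the next request goes out over TCP
    Get-KerberosTcpState
}

function Restore-KerberosTcp {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    foreach ($entry in @(Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)) {
        if ($null -eq $entry.MaxPacketSize) {
            Remove-ItemProperty -Path $entry.Key -Name $ValueName -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $entry.Key -Name $ValueName -Value ([int]$entry.MaxPacketSize)
        }
    }
    klist purge | Out-Null
    Get-KerberosTcpState
}

# Usage (elevated): Enable-KerberosTcp to apply, Restore-KerberosTcp to undo
Get-KerberosTcpState | Format-Table -AutoSize
```

Because the setting moves all KDC traffic to TCP, the client must be able to reach the domain controllers on TCP port 88 through the VPN; if SharePoint still returns access denied after the change, revert it with Restore-KerberosTcp rather than leaving a deviation from the standard client configuration in place.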
TECHNICAL FEATURES
Technical Features
Connect G: Drive
 The Connect and Disconnect G: drive functions execute the script mapg.vbs in the ..\cwizard folder
 The menu options
• Connect G: drive is enabled if a VPN connection is established and no G: drive is connected
• Disconnect G: drive is enabled if a G: drive is connected but no Novartis Intranet is detected
Technical Features
Reconnect after Resume
 The dialogue box is presented to the user if:
• the client is coming back from standby or hibernate
• the client is not connected to the Novartis Intranet
• the client has an Internet connection
• a VPN connection was established at the time the client went into standby or hibernate
 The dialogue box is active for 90 seconds. After this time the dialogue box is closed and no reconnection is performed
Technical Features
Support Button
 ‘Check for topology update’ checks for new versions of the Connection Wizard and of the topology. This also works directly over the Internet (no VPN connection required)
 Client and service logs (note: these are extensive) are available over the Support menu. There are two log files
• The client log shows log entries recorded by the CW GUI
• The service log shows log entries recorded by the CW service
Technical Features
Cancel Button
 During the establishment of the VPN connection the user has the opportunity to cancel the connection
 The cancel request stops the current connection attempt and issues a rescan of the client network connectivity