Remote Access End User Guide (Cisco VPN Client)

Confidential

Contents

1 Introduction
2 Audience
3 Connecting to N3 VPN (N3-12-1) or Extended VPN Client
4 Disconnecting from N3 VPN (N3-12-1) and Extended VPN Client
5 Useful Information (N3-12-1) and Extended VPN
5.1 New PIN Mode
5.2 Next PASSCODE Prompt
5.3 Lost Token
5.4 Broken Token
5.5 Unable to Access N3 via the VPN
5.6 Operating Systems Supported
5.7 VPN Clients
6 Revoking the User

File: 116095548 Issue N3SP-TEC-TDT-Error! Reference source not found.: 17 June 2007 ©British Telecommunications Plc 2006 Confidential

1 Introduction

This document outlines how to use the Remote Access VPN. This version covers the single-user VPN solution, catalogue item N3-12-1, and the Extended VPN using Cisco VPN client software. The requisite components are the Cisco VPN client and the RSA SecurID token.

The N3-12-1 VPN solution encrypts the data from the end user device to the N3 VPN Gateway. If the end user accesses the local LAN using this remote access method, note that the data will not be encrypted between the user's local LAN and the N3 VPN Gateway. Security from the VPN Gateway to the local services or LAN is the responsibility of the NHS LEGAL ENTITY and is not a part of this VPN remote access solution.

The Extended VPN solution encrypts the data traffic from the end user device to the designated end customer site LAN on the N3 network. In the Extended VPN solution, a VPN tunnel is established from the VPN client on the end user device to the N3 VPN Gateway. The VPN tunnel is then extended from the N3 VPN Gateway to the router (CPE) on the designated customer site inside the N3 network.

2 Audience

This guide is intended for persons using the already installed and configured N3 VPN Client with the N3-12-1 (VPN Remote Access) or Extended VPN catalogue service. It is intended as a user guide for the service. The intended audience is expected to be familiar with using the Microsoft Windows operating system.

3 Connecting to N3 VPN (N3-12-1) or Extended VPN Client

Switch on the laptop/PC.

To launch the VPN, either click the “Cisco VPN Client” icon on the desktop or, from the Start Menu, select “Start, All Programs, Cisco Systems VPN Client, Cisco VPN Client”.

If the RSA SecurID token is new or in “New PIN” mode, a new PIN number will need to be associated with the token. Follow the instructions below (Useful Information, New PIN Mode).
Otherwise, the user will need the PIN number associated with the token to proceed.

If the VPN client has been configured, there will be at least one entry listed below the “Connection Entry” column. Depending on the type of service, the name of the entry will be either “N3 Remote Access” or “N3 Extended VPN”.

Highlight the VPN entry and click ‘Connect’. The VPN Client User Authentication window will be displayed.

Enter the ‘Username’ given by BT. Under the password, enter the PIN number followed by the number displayed on the RSA SecurID, and click OK. While entering the password, ensure that there is no character, including a space, between the PIN number and the number displayed on the RSA SecurID.

Once the VPN successfully authenticates the connection, the Cisco VPN Client minimises itself to the system tray and a locked padlock icon will be displayed. The laptop/PC is now connected to the N3 network and further access will be determined by the type of VPN connection.

4 Disconnecting from N3 VPN (N3-12-6) and Extended VPN Client

To disconnect from the VPN, double-click the Cisco VPN Client icon in the system tray near the clock. A dialog window will be displayed. Click the Disconnect button to exit the Cisco VPN Client. Click Yes to acknowledge the disconnection and finish.

5 Useful Information (N3-12-6) and Extended VPN

5.1 New PIN Mode

If the token is in “New PIN” mode, select a PIN and associate it with the token in order to authenticate the connection. When the token is first received, it would usually be in “New PIN” mode.

PINs must be four (4) to eight (8) characters in length and must consist only of numeric digits (0 through 9).

Memorise the PIN. Do not write it down or reveal it to anyone.

New PIN registration process:

Click “Connect”, enter the Username and Password (only the number displayed on the RSA SecurID) and click “OK”.

Next, a prompt appears to set a new PIN. Enter ‘y’ in the Password field to set your own PIN number and click “OK”.

Enter and confirm the PIN to set the PIN and connect to the VPN.

The new PIN number will now be associated with the token. The PIN number will be required for all subsequent connections.

5.2 Next PASSCODE Prompt

“Enter Next PASSCODE:” This error occurs when your SecurID card is out of sync or 'Next Token Mode' is ON. When you get this prompt, you will need to enter the next code displayed on your SecurID without your 4-digit PIN number. Enter the next number displayed on your SecurID card at this prompt and click OK. You should then be logged into the VPN as normal, and your SecurID will also be resynchronized.

5.3 Lost Token

Any lost SecurID tokens should be reported to the Local NHS Helpdesk as soon as possible to avoid possible security issues.

5.4 Broken Token

If the SecurID token is not generating a new number or is displaying 888888, call the local NHS helpdesk so that a replacement token may be organised.

5.5 Unable to Access N3 via the VPN

Before reporting a problem with N3 VPN connectivity to the local helpdesk, it is important to check that Internet access is working and all cable connections are correct. Double-click the Internet icon and browse to a web page (preferably one not recently accessed, to avoid sites that are stored in memory).

5.6 Operating Systems Supported

Windows 2000
Windows XP

5.7 VPN Clients

N3SP is aware that it is possible to obtain VPN Clients for operating systems and devices other than those currently supported by the above services.
VPN Clients are available from Cisco and could be used, for example, with Macs and various handheld devices. However, these are not supported by N3SP. It should also be noted that some of these VPN Clients are not free and would need to be purchased. N3SP accepts no liability for such VPN Clients and cannot guarantee in any way their ability to work.

6 Revoking the User

If the remote user token has been lost, stolen or compromised, please inform the N3 Helpdesk, who will then revoke it.