NSR (NetScreen-Remote) VPN Administrator Guide v8.6

Uploaded by jason-bell on 30-Jan-2016

225 views

Category:

Documents


2 download

DESCRIPTION

pep

TRANSCRIPT

Juniper NetScreen-Remote VPN Client Administrator's Guide
Version 8.6
P/N 093-1635-000 Rev. A

Licenses, Copyrights, and Trademarks

THE SPECIFICATIONS REGARDING THE JUNIPER PRODUCTS IN THIS DOCUMENTATION ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS DOCUMENTATION ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR USE AND APPLICATION OF ANY JUNIPER PRODUCTS. NO PART OF THIS DOCUMENTATION MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM JUNIPER TECHNOLOGIES, INC.

JUNIPER NETSCREEN-REMOTE 8.6 LICENSE AGREEMENT

PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING JUNIPER NETSCREEN-REMOTE 8.6 ACCOMPANYING THIS AGREEMENT, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS AGREEMENT, ARE CONSENTING TO BE BOUND BY ITS TERMS, AND ARE BECOMING A PARTY TO THIS AGREEMENT. THIS AGREEMENT IS A VALID AND BINDING OBLIGATION ON YOU. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.

This is a license, not a sales agreement, between you, as an End User or as the Administrator (each as defined below), and Juniper Networks, as the owner and provider of "NetScreen-Remote 8.6." NetScreen-Remote 8.6 consists of Juniper proprietary software and third party software licensed or sublicensed, to you, as part of a single product, for use within a single network. "Administrator" means the individual or group within the purchasing organization that is responsible for managing network security access, including setting security policies, configuring NetScreen-Remote 8.6, and allowing End Users to download NetScreen-Remote 8.6 or otherwise installing NetScreen-Remote 8.6 on End User equipment. "End User" means your employees, contractors, and consultants performing services for you in connection with your network, authorized by the Administrator to install and use NetScreen-Remote 8.6 on a single computer subject to the terms and conditions of this license. Any and all documentation and all software releases, corrections, updates, and enhancements that are or may be provided to you by NetScreen shall be considered part of NetScreen-Remote 8.6 and be subject to the terms of this Agreement.

1. License Grant. Subject to the terms of this Agreement, NetScreen grants you a limited, non-transferable, non-exclusive, revocable, license and right to:

a. Install and use, on a single computer for use by the Administrator, one (1) copy of NetScreen-Remote 8.6 to manage security policies for up to 10, 100, 1000 or more End Users, as indicated on the license certificate(s) provided to you by NetScreen; and

b. Download and install a single copy of NetScreen-Remote 8.6 on each of 10, 100, 200, 500, 1000 or more End User computers as indicated on the license certificate(s) provided to you by Juniper.

Licenses that authorize use of NetScreen-Remote 8.6 with a greater number of End Users are available as upgrades and may be purchased from Juniper as required by you. You must purchase all license upgrades separately. You shall ensure that End Users agree to be bound by the terms and conditions of this Agreement.

2. Use Within a Single System and Network. The foregoing license and rights are granted only to you for use by your Administrator and End Users. NetScreen-Remote 8.6 must be used in the manner set forth in the applicable documentation. NetScreen-Remote 8.6 is considered "in use" when its software is loaded into permanent or temporary memory (i.e. RAM). The Administrator may make one (1) copy of NetScreen-Remote 8.6 for backup and recovery purposes. Other than the rights explicitly granted herein, no right to copy, distribute, or sell, and no other right to install and use NetScreen-Remote 8.6, or any component thereof, is granted to you.

3. Limitation on Use. You are only licensing the rights set forth above to NetScreen-Remote 8.6. Except only as specifically described above, you may not engage in activity designed (or otherwise attempt), and if you are a corporation will use your best efforts to prevent your employees and contractors from engaging in activity designed (or otherwise attempting): (a) to modify, translate, reverse engineer, decompile, disassemble, create derivative works of, or distribute NetScreen-Remote 8.6 (or any component thereof) and the accompanying documentation; (b) to distribute, sell, transfer, sublicense, rent, or lease any rights in NetScreen-Remote 8.6 (or any component thereof) or accompanying documentation in any form to any person; or (c) to remove any proprietary notice, product identification, copyright notices, other notices or proprietary restrictions, labels, or trademarks on NetScreen-Remote 8.6, documentation, and containers. NetScreen-Remote 8.6 is not designed or intended for use in online control of aircraft, air traffic, aircraft navigation or aircraft communications; or in the development, design, construction, operation or maintenance of nuclear, chemical, or biological weapons of mass destruction or any nuclear facility. You warrant that you will not use or redistribute NetScreen-Remote 8.6 (or any component thereof) for such purposes.

4. Proprietary Rights. All rights, title and interest in and to, and all intellectual property rights, including copyrights, in and to NetScreen-Remote 8.6 and documentation, remain with Juniper. You acknowledge that no title or interest in and to the intellectual property associated with or included in NetScreen-Remote 8.6 and Juniper products is transferred to you and you will not acquire any rights to NetScreen-Remote 8.6 except for the license as specifically set forth herein.

5. Term and Termination. The term of the license is for the duration of Juniper's copyright in NetScreen-Remote 8.6. Juniper may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to Juniper. The provisions of this Agreement, other than the license granted in Section 1 ("License Grant") shall survive termination.

6. Limited Warranty. The sole warranty provided under this Agreement and with respect to the NetScreen-Remote 8.6 is set forth in Juniper's Remote Warranty. THE JUNIPER NETSCREEN-REMOTE WARRANTY CONTAINS IMPORTANT LIMITS ON YOUR WARRANTY RIGHTS. THE WARRANTIES AND LIABILITIES SET FORTH IN THE REMOTE WARRANTY ARE EXCLUSIVE AND ESTABLISH JUNIPER'S ONLY OBLIGATIONS AND YOUR SOLE RIGHTS WITH RESPECT TO NETSCREEN-REMOTE 8.6 AND THIS AGREEMENT. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

7. Limitation of Liability. Your exclusive remedy for any claim in connection with NetScreen-Remote 8.6 and the entire liability of Juniper are set forth in the NetScreen Remote Warranty. Except to the extent provided in the Remote Warranty, if any, IN NO EVENT WILL JUNIPER OR ITS AFFILIATES OR SUPPLIERS BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, LOST PROFITS OR LOST DATA, OR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF JUNIPER OR ITS AFFILIATES OR SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND WHETHER OR NOT ANY REMEDY PROVIDED SHOULD FAIL OF ITS ESSENTIAL PURPOSE. THE TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE PURCHASE PRICE OF NETSCREEN-REMOTE 8.6 PAID BY YOU. YOU ACKNOWLEDGE THAT THE AMOUNT PAID FOR NETSCREEN-REMOTE 8.6 REFLECTS THIS ALLOCATION OF RISK.

8. Export Law Assurance. You understand that NetScreen-Remote 8.6 is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT NETSCREEN-REMOTE 8.6 OR ANY UNDERLYING INFORMATION OR TECHNOLOGY, EVEN IF TO DO SO WOULD BE ALLOWED UNDER THIS AGREEMENT, EXCEPT IN STRICT COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS. Specifically, you agree that you are responsible for obtaining licenses to export, re-export, or import NetScreen-Remote 8.6. NetScreen-Remote 8.6 may not be downloaded, or NetScreen-Remote 8.6 otherwise exported or re-exported (i) into, or to a national or resident of, Cuba, Iraq, Iran, North Korea, Libya, Sudan, Syria, or any country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Department's lists of Specially Designated Nationals, Specially Designated Terrorists, or Specially Designated Narcotic Traffickers, or otherwise on the U.S. Commerce Department's Table of Denial Orders.

9. U.S. Government Restricted Rights. NetScreen-Remote 8.6 is "commercial computer software" and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (OCT 1988), FAR 12.212(a)(1995), FAR 52.227-19, or FAR 52.227-14(ALT III), as applicable.

10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.

11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules shall govern this Agreement. The United Nations Convention on the Contracts for the International Sale of Goods will not govern this Agreement. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other agreements, advertisements, or understandings with respect to NetScreen-Remote 8.6 and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which is duly executed by both parties.

You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.

THE SPECIFICATIONS REGARDING THE JUNIPER PRODUCTS IN THIS DOCUMENTATION ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS DOCUMENTATION ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ADMINISTRATORS AND END USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR USE AND APPLICATION OF ANY JUNIPER PRODUCTS. NO PART OF THIS DOCUMENTATION MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM JUNIPER.

Copyright Notice

Copyright 1998-2004 Juniper Networks, Inc.
Copyright 2002 by Sygate Technologies, Inc. All rights reserved.
All rights reserved. Printed in USA.

Trademarks

Juniper Networks, the Juniper logo, NetScreen-Remote 8.6, NetScreen-Remote 8.6 Express, NetScreen-Remote, GigaScreen ASIC, and ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. Sygate is a registered trademark of Sygate Technologies, Inc. Microsoft is a registered trademark, and Windows, Windows ME, Windows 2000, Windows NT, Windows XP, and Windows 95/98 are trademarks of Microsoft Corporation. All other companies and product names are trademarks or registered trademarks of their respective holders.

JUNIPER NETSCREEN-REMOTE 8.6 WARRANTY

Software Warranty. Juniper Networks ("Juniper") warrants that for a period of ninety (90) days from either software installation or sixty (60) days following shipment, whichever occurs first (the "Start Date"), the media on which the Juniper software purchased by Customer ("Software") will be free from defects in materials and workmanship under normal use consistent with the instructions contained in the enclosed documentation. This limited warranty extends only to the original purchaser. Customer's sole and exclusive remedy and the entire liability of Juniper, its suppliers and affiliates, under this warranty is, at Juniper's option, either (i) to replace the media on which the Software is furnished with new media containing the Software; or (ii) to correct the reported defect through updates and fixes made generally available at www.juniper.net/support. Juniper makes no other warranty with respect to the Software, and specifically disclaims any warranty that the Software is error free or that Customer will be able to operate the Software without problems or interruptions.

Warranty Claims. For a period of ninety (90) days from the Start Date, Juniper may provide Customers upgrades and fixes for the Software at www.juniper.net/support. Customers may also send emails to [email protected] to obtain technical support for a period of one (1) year from the Start Date.

Return Procedures. Customer must notify Juniper of any defect in the Software within the warranty period and provide proper documentation and verification of defect. Customers should include Software product serial number in every service request. Within ten (10) business days of the date of notification, Juniper will provide Customer with a Return Material Authorization ("RMA") number and the location to which Customer must return, at its cost, the defective Software. Customer is responsible for proper packaging of Software returned to Juniper, including description of the failure, shipment to Juniper's designated location, and return of Software within ten (10) days after issuance of the RMA number. In no event will Juniper accept any returned Software that does not have a valid RMA number. Customer's failure to return Software within thirty (30) days of its receipt of an RMA may result in cancellation of the RMA. Juniper does not accept responsibility for any Software lost in transit and recommends that the return be insured for the full value. Juniper will use all reasonable efforts within five (5) days of receipt of defective Software to repair or replace such Software or refund Customer's purchase price. If a warranty claim is invalid for any reason, Customer will be charged at Juniper's then-current rates for all services performed and expenses incurred by Juniper.

Restrictions. No warranty will apply if the Software (i) has been altered, except by Juniper; (ii) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Juniper; or (iii) has been subjected to abnormal physical, thermal or electrical stress, misuse, negligence, or accident. In addition, the Software is not designed or intended for use in (i) the design, construction, operation or maintenance of any nuclear facility, (ii) navigating or operating aircraft; or (iii) operating life-support or life-critical medical equipment, and Juniper disclaims any express or implied warranty of fitness for such uses. Juniper shall not be responsible for Customer's or any third party's software, firmware, information, or memory data contained in, stored on, or integrated with any Software returned to Juniper, whether under warranty or not. Customer is responsible for backing up its programs and data to protect against loss or corruption.

Disclaimer. EXCEPT AS EXPRESSLY SET FORTH ABOVE, JUNIPER MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. FURTHER, JUNIPER DOES NOT WARRANT THAT THE SOFTWARE IS ERROR FREE OR THAT BUYER WILL BE ABLE TO OPERATE THE SOFTWARE WITHOUT PROBLEMS OR INTERRUPTION.

Limitation of Liability. IN NO EVENT WILL JUNIPER OR ITS AFFILIATES OR SUPPLIERS BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF BUSINESS, LOST PROFITS, OR LOST DATA, OR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OF ANY KIND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, EVEN IF JUNIPER OR ITS AFFILIATE OR SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND WHETHER OR NOT ANY REMEDY PROVIDED SHOULD FAIL OF ITS ESSENTIAL PURPOSE. THE TOTAL CUMULATIVE LIABILITY TO CUSTOMER, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE PURCHASE PRICE OF THE SOFTWARE PAID BY CUSTOMER.

Contents

Contents  v
What is Juniper NetScreen-Remote?  i
Who Should Read this Guide?  i
Administrator Decisions  i
Assumptions  ii
Terms  ii
Administrator Decisions  ii
Deactivating NetScreen-Remote  iv
Using this Guide  iv
Related Publications  v
Terminology  v
For More Information  v

Chapter 1  Installation  1
  System Prerequisites  2
  Updating from Previous Versions  3
  Installation  5
    Starting Installation  6
    Continuing with Installation  7
  Modifying Installation  10

Chapter 2  Interface  13
  Security Policy Editor  14
    Menus  16
      File Menu  16
      Edit Menu  17
      Options Menu  18
      Help Menu  20
    Shortcut Toolbar Icons  21
  Certificate Manager  22
    My Certificates Page  23
    Root CA Certificates Page  24
    Trust Policy Page  25
    CA Certificates Page  26
    RA Certificates Page  27
    CRLs Page  28
    Requests Page  29
    About Page  30
  Desktop Taskbar Icons and Shortcut Menu  31
    NetScreen-Remote Icon  31
    Shortcut Menu  32

Chapter 3  Digital Certificates  35
  Public Key Cryptography  36
    Signing a Certificate  36
    Verifying a Digital Signature  36
  Obtaining Certificates and CRLs  37
    Online Enrollment Using a Web Browser  37
    Manual (Cut-and-Paste) Enrollment  38
      Step 1: Creating the Certificate Request  39
      Step 2: Submitting the Request to Your CA  42
      Step 3: Retrieving the Signed Certificate  43
      Step 4: Retrieving the CA Certificate  43
      Step 5: Importing the CA Certificate  44
      Step 6: Importing the Personal Certificate  44
      Step 7: Obtaining the CRL  46
    SCEP Enrollment  47
      Step 1: Retrieving the CA Certificate  47
      Step 2: Retrieving a Personal Certificate  48
  Managing Certificates, CRLs, and Certificate Requests  50
    Viewing Certificates, CRLs, and Certificate Requests  51
    Verifying Certificates  52
    Exporting Certificates  53
    Deleting Certificates, CRLs, and Certificate Requests  53
    Configuring a CA Certificate  54
    Updating a CRL  54
    Retrieving Certificate Requests  55

Chapter 4  VPNs with Pre-Shared Keys  57
  Configuring the NetScreen-Remote Client  58
    Step 1: Creating a New Connection  58
    Step 2: Creating the Pre-Shared Key  60
    Step 3: Defining the IPSec Protocols  61

Chapter 5  Configuring a VPN Tunnel with Digital Certificates  67
  Configuring the NetScreen-Remote Client  68
    Step 1: Creating a New Connection  68
    Step 2: Configuring the Identity  70
    Step 3: Defining the IPSec Protocols  71

Chapter 6  Configuring a Manual Key VPN Tunnel  77
  Configuring the NetScreen-Remote Client  78
    Step 1: Creating a New Connection  78
    Step 2: Defining the IPSec Protocols  80
    Step 3: Creating the Inbound and Outbound Keys  84

Chapter 7  Sample Scenarios  87
  Configuring a Dial-Up VPN with Pre-Shared Keys  87
  Configuring a Dial-up VPN Using Certificates  87
  Configuring a Dial-Up VPN with XAuth  87
  Configuring L2TP Over IPSec Tunnel  87
  Configuring a Dial-Up VPN with Manual Key  88
  Configuring a Dial-Up VPN using NAT Traversal  88
  Setting a Dial-Up VPN with Central Site Traffic Control  88

Chapter 8  Large Scale Distribution with NetScreen-Global PRO  89
  Centralizing Distribution of Common Files  90
  Repackaging The Installation for Use with NetScreen-Global PRO  90
    Software Distribution  91
    Installation Configuration Files  91
      Default.ANG  91
    Executing a Custom Installation  98
  Using NetScreen-Remote Login  98
  NetScreen-Remote Security Policy Editor Display Only  100

Chapter 9  Large Scale Distribution (Standalone Procedure)  101
  Centralizing Distribution of Common Files  102
  Repackaging The Installation  102
    Default Installation Configuration File  103
    Executing a Custom Installation  109
  Configuring the Connections  110
  Exporting Policies and Delivering These to Users  110

Chapter 10  Contacting Technical Support  113
  For More Information  113

Appendix A  Configuring L2TP  A-1
  Configuring L2TP Connection  1
    Configuring an L2TP Connection for Windows 2000  1
    Configuring an L2TP Connection for Windows XP  2
  Connecting to Your L2TP VPN  4

Appendix B  Deploying NetScreen-Remote with Smart Cards  B-1
  Smart Card Overview  2
  Generating and Loading a Private Key and Personal Certificate from Microsoft CA  2
  Loading CA Certificate  3
  Configuring NetScreen-Remote  4
  Configuring the NetScreen-Gateway to Accept your Smart-Card Certificates  6

Index  IX-I

Preface

This manual provides network administrators with a guide to creating remote-access virtual private networks (VPNs) using Juniper Networks NetScreen-Remote software. In it, you will learn installation, configuration, and deployment strategies.

What is Juniper NetScreen-Remote?

When NetScreen-Remote operates on any IP network, such as the Internet, it can create a VPN tunnel between an end user and a Juniper security appliance.
NetScreen-Remotesoftware is a full-featured product ready for advanced IPSec communications that securestraffic sent from a desktop or laptop computer across a public or private TCP/IP network.It also intergrates with Microsoft (MS) Native L2TP protocols, and is compatible withmost Certificate Authorities and MS CryptoAPI (MSCAPI) applications.WSRG?HOHOULDEADTHISUIDEAny system administrator who has to design secure remote-access architecture using theNetScreen-Remote client, distribute the NetScreen-Remote software to a user base, andprovide post-installation user support should read this guide. NetScreen-Remote isintended for use with NetScreen security appliances and systems. However, it willinteroperate with other IPSec and L2TP-compliant devices.ADDMINISTRATORECISIONSThere are several things you must decide before configuring the NetScreen-Remote. Theanswers to these questions will determine your remote-access architecture,authentication, and deployment schemes.Which end-user connection mechanisms will you usefixed or dynamically assigned IPaddresses? You will most likely be usingfixed IP addressesin these cases:DSL user with fixed IPcable user with fixed IPone or two person office with fixed IPi PrefaceASSUMPTIONSThis guide assumes that the user is familiar with the basic functioning of Windowsoperating systems, and standard Windows items, such as buttons, menus, toolbars,windows, etc.Further, this guide assumes that the user has an Internet connection, whether through aprivate network, DSL connection, Ethernet, wireless Ethernet, dial-up modem, or someother form of connection.TERMSDepending on the kind of computing system that you use, you may connect to the Internetthrough a local area network (LAN), DSL, dial-up modem, or any number of othermethods. The term network connection is used to refer to all of these differentconnection methods.ADDMINISTRATORECISIONSThere are several things you must decide before configuring the Security Client. 
The answers to these questions will determine your remote-access architecture, authentication, and deployment schemes.

Which end-user connection mechanisms will you use: fixed or dynamically assigned IP addresses? You will most likely be using fixed IP addresses in these cases:
- DSL user with fixed IP
- cable user with fixed IP
- one- or two-person office with fixed IP

You will most likely be using dynamically assigned IP addresses in these cases:
- cable or DSL with PPPoE or DHCP assignment of IP addresses
- traveling user using a dial-up connection
- Ethernet or wireless with DHCP

Will you require certificates, pre-shared key (AutoKey), or manual key for IPSec tunnel setup and authentication?
- Certificates are the most secure. The administrator can either obtain the certificate from a CA and send it to the user, or users can request their own certificate. (See Chapter 3.) Certificates can be loaded onto smart cards and these smart cards can be distributed to the users.
  Will you acquire the certificate for the user, then distribute it to the user? Or will you instruct your end-users to generate and send certificate requests to the CA, then load the certificates themselves after receiving these from the CA?
  You can request the certificate using an on-line request process (simple certificate enrollment process or SCEP). Or you can manually cut and paste the request to the CA (using PKCS 10 format).
- Pre-shared key is easier and faster to set up, but less secure, as the initial key does not change. Also, if you revoke a user's VPN access, you must change the pre-shared key.
- Manual key, used for testing, is another option. Because the keys are fixed and never change, if they are broken, they must be manually reassigned. This would mean a lot of re-configuration and is much less secure.

After you have made these decisions, configure a few NetScreen-Remote clients and Juniper devices and try out the setup.
When you are satisfied with the results, you are ready for deployment.

For more information, see the VPN volume of the NetScreen Concepts and Examples ScreenOS Reference Guide, which describes these sample scenarios for using NetScreen-Remote.

Deactivating NetScreen-Remote

For easy transition between travel, home, and office use, one click is all it takes to deactivate or activate NetScreen-Remote. Right-click the NetScreen-Remote icon in the taskbar, and select Deactivate/Activate Security Policy from the pop-up menu. (The command toggles.)

Note: You may wish to disable NetScreen-Remote whenever connected behind a Juniper device or other VPN gateway.

Using this Guide

The following chapters are provided within this document:

Note: The term NetScreen-Remote is used in chapters 1 through 9 and Appendices A and B to reference the VPN client component of the NetScreen-Remote Security Client product. NetScreen-Remote Security Client is used within this preface to reference the firewall component of the NetScreen-Remote Security Client product.

Chapter 1, Installation, describes the prerequisites and installation procedure for NetScreen-Remote.
Chapter 2, Interface, provides an overview of the layout, icons, and menus that appear in the interface.
Chapter 3, Digital Certificates, explains how to obtain and manage certificates and certificate revocation lists (CRLs).
Chapter 4, VPNs with Pre-Shared Keys, explains how to set up a VPN tunnel using a Pre-Shared Key with AutoKey Internet Key Exchange (IKE).
Chapter 5, Configuring a VPN Tunnel with Digital Certificates, explains how to set up a VPN tunnel using digital certificates with AutoKey Internet Key Exchange (IKE).
Chapter 6, Configuring a Manual Key VPN Tunnel, explains how to set up a VPN tunnel using Manual Keys.
Chapter 7, Sample Scenarios, provides links to several articles that demonstrate using NetScreen-Remote with various security components in various environments.
Chapter 9, Large Scale Distribution (Standalone Procedure), describes the procedure to deploy Security Clients on a large scale in a stand-alone environment.
Chapter 8, Large Scale Distribution with Global PRO, describes the procedure for deploying large numbers of Security Clients in conjunction with NetScreen Global-PRO, using NetScreen-Remote Login.
Appendix A, Configuring L2TP/IPSec, explains how to configure the L2TP VPN connection through your Microsoft Dial-Up Networking and how to connect to the connection.
Appendix B, Deploying NetScreen-Remote with Smart Cards, describes how to set up your smart card to interoperate with NetScreen-Remote and a NetScreen-Gateway.

Related Publications

The following are related publications:
- Juniper Networks NetScreen Concepts and Examples ScreenOS Reference Guide (VPN Volume)
- Juniper Networks NetScreen Command Line Interface Reference Guide

Terminology

This manual uses Microsoft Windows terminology and concepts that are specific to the Internet. If you are unfamiliar with this terminology, please see your Microsoft Windows installation manual and the Help files that accompany your Web browser.

For More Information

For more information, see the HTML cover page that appears after you insert the NetScreen-Remote CD-ROM. The cover page contains a link to the release notes for NetScreen-Remote. If you have any questions regarding NetScreen-Remote, refer to the section Getting Help in the release notes or contact the Juniper Technical Assistance Center (JTAC). JTAC is available to users with valid service contracts of NetScreen-Remote.
You can contact JTAC by one of the following ways:
- Phone: 1-888-314-JTAC (U.S., Canada, and Mexico)
- Phone: 408-745-9500
- Online Knowledge Base for NetScreen-Remote at http://nsremote-support.netscreen.com

Chapter 1 Installation

The information contained in this chapter is repeated in the accompanying NetScreen-Remote User's Installation Guide. You can copy the NetScreen-Remote User's Installation Guide and distribute it to your end users with the NetScreen-Remote software.

This chapter covers the following information:
- System Prerequisites
- Updating from Previous Versions
- Installation
- Modifying Installation

System Prerequisites

Install the NetScreen-Remote client in the following environment:

PC-compatible Computer: Pentium processor or its equivalent
Operating System: Microsoft Windows 2000 Professional; Windows XP Professional or Home Edition
Minimum RAM: 64 MB RAM for Windows 2000 or Windows XP
Available Hard Disk Space: Minimum 5 MB, Maximum 35 MB
Software Installation: CD-ROM drive, network drive or web site
Communications Protocol: IPSec and IKE; L2TP with Windows 2000 (Optional); Native Microsoft TCP/IP
Dial-up Connections: Modem, internal or external (includes analog, DSL, and cable modems connecting to your PC via serial or USB port); Native Microsoft Dial-up Networking; PPPoE drivers; Compatible with America Online (AOL) 6.0 or greater
Network Connections: Ethernet; Wireless Ethernet (802.11a/b)
Help-file Viewing: Microsoft Internet Explorer 4.0 or greater

Note: NetScreen-Remote is not compatible with other VPN software.
Uninstall the VPN software prior to using NetScreen-Remote.

Updating from Previous Versions

If you are upgrading to NetScreen-Remote from a previous version, the installation program has been modified to automatically run the uninstall program if an earlier version is detected on the system. This eliminates the need to manually uninstall a previous version of software.

Warning: Failure to uninstall the previous version will cause system conflicts resulting in failure of your Windows operating system.

Note: At the end of the installation process, you need to reboot the device to complete the process.

To manually uninstall a previous version of NetScreen-Remote:

1. Click Start on the Windows task bar, click Settings, and then click Control Panel. The Control Panel opens.
2. Double-click Add/Remove Programs. A list of installed programs appears.
   Figure 1-1 List of Installed Programs
3. From the list, select NetScreen-Remote.
4. Click Change/Remove. The following dialog box appears.
   Figure 1-2 Modify, Repair, or Remove the Program
5. Select Remove, and then click Next. You are asked if you want to completely remove the selected application and all of its components.
   Figure 1-3 Deletion Confirmation Message
6. Click OK to confirm the deletion. The following alert box appears:
   Figure 1-4 Delete Security Policy Alert Box
   This alert box gives you the opportunity to save your existing security policy. The items that you save are installed automatically during the new installation of NetScreen-Remote.
   Note: VPN connections are dependent on security policies, certificates, and keys. Once deleted, these may not be retrieved.
7. Click No to keep your existing security policy. A progress box appears.
8. Click OK to acknowledge the successful uninstall.
9. Restart your computer.

Installation

Before installing NetScreen-Remote, ensure that you have uninstalled all other vendors' firewall or VPN client software. While some computers can function with more than one firewall/VPN client running at a time, running multiple firewall/VPN clients will inevitably cause performance problems.

Also, before installing NetScreen-Remote, exit all other programs that access your network or Internet connection. This includes web browsers, email programs, instant messenger sessions, and media streaming applications (such as Internet radio broadcasts).

For Windows 2000 and Windows XP users, use the .exe installation file.

Ensure that you have uninstalled any earlier version of the NetScreen-Remote, as described in the previous section.

You can install the NetScreen-Remote from a CD-ROM, a network drive share, or a website.

Starting Installation

Start your installation using one of the following three install methods and then proceed to the section Continuing with Installation on page 7.

Note: For Windows 2000 and Windows XP platforms, use the .exe installation file.

To install NetScreen-Remote from a CD-ROM:
1. With Microsoft Windows running and all other programs closed, insert the NetScreen-Remote CD into the CD-ROM drive.
2. Right-click D:\. (The D designates your CD-ROM drive, which could be designated differently depending on your computer's setup.) The following menu appears:
   Figure 1-5 Select Install
3. Select Install from the menu to install NetScreen-Remote.
4. Go to the next section, Continuing with Installation.

To install NetScreen-Remote from a network drive share:
1. Map to the network drive.
2. Locate the NetScreen-Remote files.
3. Copy setup.exe to a local area on the PC from the local copy.
4. Double-click setup.exe to run the NetScreen-Remote setup application.
5. Go to the next section, Continuing with Installation.

To install NetScreen-Remote from a website:
1. Locate the NetScreen-Remote files on the website.
2. Select to download the setup.exe file and download the file.
3. If the file is in a zip format, after the file downloads, unzip it to C:\temp.
4. Double-click setup.exe to run the NetScreen-Remote setup application.
5. Go to the next section, Continuing with Installation.

Continuing with Installation

The NetScreen-Remote setup application starts on your system:
1. The InstallShield Wizard starts, as shown in Figure 1-6. Click Next.
   Figure 1-6 NetScreen-Remote Installation Welcome Screen
   The Software License Agreement appears.
   Figure 1-7 License Agreement
2. After reading the license agreement, click Yes to continue. The Setup Type dialog box appears.
   Figure 1-8 Installation Setup Type
3. Select one of these options:
   Typical: Recommended for most users; installs all VPN Client components.
   Express: Installs only the components that the system supports.
   Custom: Enables you to select the components to install individually.
4. To install NetScreen-Remote in the default destination folder (C:\Program Files\Juniper\NetScreen-Remote), click Next. To specify another destination folder, click Browse. In the Choose Folder dialog box, select the folder of your choice, and click OK. Then click Next.
5. Verify your selections in the window that appears (Figure 1-9), and then click Next.
   Figure 1-9 Start Copying Files
   The NetScreen-Remote files are copied to the program folder that you specified. After all the files are copied, the following window appears:
   Your computer automatically reboots after a successful installation. If you wish to abort the reboot process, click Cancel before device timeout.
If you log on to your computer with a password, you will need to re-enter it at the standard Windows login prompt.

After a successful installation, the NetScreen-Remote icon appears in the status area in the right corner of the Windows taskbar, as shown below.
Figure 1-10 NetScreen-Remote icon on the Windows Taskbar

When you install the software, if it is a first-time installation, the NetScreen-Remote icon will be inactive instead of the active NetScreen-Remote icon shown in Figure 1-10. The appearance of the inactive NetScreen-Remote icon can be for one of several reasons, including:
-- You have not created any connections yet.
-- You installed the software incorrectly.
-- You configured NetScreen-Remote to be inactive at the time of bootup.

If you determined that the inactive status is because of a problem, follow the procedure in the Modifying Installation section later in the chapter and select the Repair option to reinstall all program components during the initial setup and installation.

Modifying Installation

After the initial installation, you can add a new program component (modify the software) or reinstall all program components installed by the previous setup (repair the software). To do so:

1. Disable any virus-protection software that may be running on your computer.
2. On the Windows taskbar, click the Start button, click Settings, and then click Control Panel. The Control Panel opens.
3. Double-click Add/Remove Programs. The Add/Remove Programs Properties dialog box appears with a list of installed programs.
4. From the list, select NetScreen-Remote.
5. Click Change/Remove. The following Welcome dialog box appears.
   Figure 1-11 Modify, Repair, or Remove the Program
6. To add or remove the Virtual Adapter, IPSec Client or another component, select Modify, and then click Next. If you want to reinstall the software, skip to Step 8. The Select Components dialog box appears.
   Figure 1-12 Select Components
7. Select the component to be installed, and then click Next. The installation procedure begins.
8. To reinstall the software, select Repair, and then click Next. The re-installation procedure begins.
   After either the installation or re-installation is complete, the Maintenance Complete dialog box appears.
   Figure 1-13 Maintenance Complete
9. Click Yes, I want to restart my computer now, and then click Finish to restart your computer immediately.

Chapter 2 Interface

This chapter provides an overview of the layout, icons, and menus that appear in NetScreen-Remote.

NetScreen-Remote consists of these modules:
Security Policy Editor: Manually create connections and security policies.
Certificate Manager: Manage and verify certificates.
NetScreen-Remote Login: Authenticates user and downloads security policies.

Security Policy Editor

The Security Policy Editor, shown in Figure 2-1, is the software module within the NetScreen-Remote client where you manually create connections and security policies.

Figure 2-1 Security Policy Editor (callouts: Menu Bar, Shortcut Tools, Network Security Policy List, Connection Security Options, Connect using Secure Gateway Tunnel Option)

The menu bar displays the four main menus of the Security Policy Editor. For a description of each menu, see Menus on page 16.

The shortcut toolbar contains tools for common commands. For a brief description of each icon on the toolbar, see Shortcut Toolbar Icons on page 21.

The Network Security Policy list displays a hierarchically ordered list of connections and their associated proposals.
My Connections define the connection(s) that you create. The last connection in the list is Other Connections, which tells NetScreen-Remote what to do with all connections not specifically defined. Connections are read in a top-down order similar to firewall rules.

The three Connection Security options refer to the type of security to apply to a connection:
Secure: This option secures communication for the connection. (It is the equivalent of tunnel on other NetScreen products.)
Non-secure: This option allows communication for the connection to pass through unsecured. (It is the equivalent of permit on other NetScreen products.)
Block: This option does not allow any communication for the connection to pass through. (It is the equivalent of deny on other NetScreen products.)

Menus

The four main menus of the Security Policy Editor are:
- File
- Edit
- Options
- Help

The fifth main menu is the Taskbar icon (located on the taskbar). Its commands apply to both the Security Policy Editor and the Certificate Manager.
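The top-down, first-match reading of the Network Security Policy list described above, with its Other Connections catch-all and the listed-order use of redundant gateways from the Edit menu, modeled in Python as an added example (not code from the NetScreen-Remote product). The shadowing check is an addition the guide does not describe but that follows from firewall-style ordering; all connection names, subnets and gateway names are constructed for illustration.

```python
"""Ordered, first-match model of the NetScreen-Remote Network Security Policy list.

Added example, not code from the NetScreen-Remote product. It models the
top-down evaluation the guide describes: entries under My Connections are
tried in list order, and the final Other Connections entry decides every
destination that nothing above it matched. Connection Security is one of
Secure, Non-secure or Block, which the guide equates with tunnel, permit
and deny on other NetScreen products. All names and addresses below are
constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Security(Enum):
    SECURE = "Secure"          # tunnel: traffic is protected with IPSec
    NON_SECURE = "Non-secure"  # permit: traffic passes in the clear
    BLOCK = "Block"            # deny: traffic is dropped


OTHER_CONNECTIONS = "Other Connections"   # the mandatory last entry
MAX_REDUNDANT_GATEWAYS = 10               # the guide's per-connection limit


@dataclass
class Connection:
    name: str
    remote: ipaddress.IPv4Network          # Remote Party Identity: an IP subnet
    security: Security
    # Primary gateway first, then redundant gateways in the order they are tried.
    gateways: List[str] = field(default_factory=list)

    def __post_init__(self):
        if len(self.gateways) > 1 + MAX_REDUNDANT_GATEWAYS:
            raise ValueError(f"{self.name}: at most {MAX_REDUNDANT_GATEWAYS} redundant gateways")


def evaluate(policy: List[Connection], dest: str) -> Tuple[str, Security]:
    """Return (entry name, action) for a destination address; first match wins."""
    if not policy or policy[-1].name != OTHER_CONNECTIONS:
        raise ValueError("the policy list must end with the Other Connections entry")
    addr = ipaddress.IPv4Address(dest)
    for conn in policy[:-1]:
        if addr in conn.remote:
            return conn.name, conn.security
    other = policy[-1]                     # catch-all for everything else
    return other.name, other.security


def shadowed_entries(policy: List[Connection]) -> List[str]:
    """Names of entries that can never match because an earlier entry's subnet
    already contains theirs: the same mistake as an unreachable firewall rule.
    A Block entry shadowed by a broader Secure entry silently stops blocking."""
    shadowed = []
    for i, conn in enumerate(policy[:-1]):
        if any(conn.remote.subnet_of(earlier.remote) for earlier in policy[:i]):
            shadowed.append(conn.name)
    return shadowed


def next_gateway(conn: Connection, failed: List[str]) -> str:
    """Pick the first gateway, in listed order, that has not already failed
    (the guide says redundant gateways are used in their listed order)."""
    for gw in conn.gateways:
        if gw not in failed:
            return gw
    raise RuntimeError(f"{conn.name}: all gateways exhausted")


# Constructed sample policy: the Block entry for the lab subnet is listed below
# the broader Secure entry that contains it, so it never takes effect.
SAMPLE_POLICY = [
    Connection("HQ LAN", ipaddress.IPv4Network("10.10.0.0/16"), Security.SECURE,
               ["vpn1.example.test", "vpn2.example.test"]),
    Connection("Lab block", ipaddress.IPv4Network("10.10.50.0/24"), Security.BLOCK),
    Connection("Printer subnet", ipaddress.IPv4Network("192.168.7.0/24"), Security.NON_SECURE),
    Connection(OTHER_CONNECTIONS, ipaddress.IPv4Network("0.0.0.0/0"), Security.NON_SECURE),
]

# The same entries with the more specific Block entry moved up (Edit > Move Up).
FIXED_POLICY = [SAMPLE_POLICY[1], SAMPLE_POLICY[0], SAMPLE_POLICY[2], SAMPLE_POLICY[3]]


if __name__ == "__main__":
    for dest in ("10.10.50.9", "10.10.1.1", "192.168.7.20", "203.0.113.5"):
        print(dest, "->", evaluate(SAMPLE_POLICY, dest), "| fixed:", evaluate(FIXED_POLICY, dest))
    print("shadowed:", shadowed_entries(SAMPLE_POLICY), "fixed:", shadowed_entries(FIXED_POLICY))
    print("gateway after vpn1 fails:", next_gateway(SAMPLE_POLICY[0], ["vpn1.example.test"]))
```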
For a description of the Taskbar icon's menu contents, see Shortcut Menu on page 32.

File Menu

The File menu contains commands for managing security policies and connections, saving any changes, and exiting from the Security Policy Editor.

Figure 2-2 File Menu

Export Security Policy exports a security policy from NetScreen-Remote to the location you specify.
Import Security Policy imports a security policy to NetScreen-Remote.
Save Changes saves any changes that you made to your security policy.
Exit closes the Security Policy Editor after prompting you to save changes.

Edit Menu

The Edit menu contains commands for relocating connections or redundant gateways in the Network Security Policy list.

A redundant gateway is an alternate gateway to access your network that will establish a connection with the client if the primary gateway is busy, off-line, or unavailable. You can add up to 10 alternates for each secure connection. The first connection will always serve as the primary.

All redundant gateways must be configured with the same security policy information as the primary, except for the IP address, domain name, distinguished name, or pre-shared key (which must be unique to each device). Redundant gateways are used in the order in which they are listed, top-down.

Figure 2-3 Edit Menu

Add adds a new connection or a new redundant gateway with the NetScreen-Remote default settings to the Network Security Policy list.
Copy copies a connection or redundant gateway from the Network Security Policy list.
Delete deletes a connection or redundant gateway from the Network Security Policy list.

Note: You can disable all redundant gateways for a secure connection without deleting them. To do so, select the secure connection, and deselect the Connect using Secure Gateway Tunnel option within the Remote Party Identity and Addressing section of the Primary Gateway connection.
Then choose Save Changes from the File menu.

Rename enables you to provide another name for the connection or redundant gateway in the Network Security Policy list.
Move Up relocates a selected connection or redundant gateway one place higher in the Network Security Policy list.
Move Down relocates a selected connection or redundant gateway one place lower in the Network Security Policy list.

Options Menu

The commands in the Options menu affect elements of NetScreen-Remote in an overarching way.

Figure 2-4 Options Menu

Secure specifies which connections are secure:
- All Connections: disables regular Internet while VPN is up.
- None: disables all VPN connections. Only regular traffic can pass.
- Specified Connections: allows VPN and regular traffic to pass simultaneously.

Global Policy Settings opens the Global Policy Settings dialog box, in which you can set program preferences that affect all transmissions using NetScreen-Remote.

Figure 2-5 Global Policy Settings

You can select the following Global Policy settings:
Retransmit Interval: the interval between no response and retrying the connection.
Number of retries: the number of retries before failure or use of a redundant gateway.
Send status notifications to peer hosts: sends status notifications to inform communicating parties what the time-out periods are and whether their security proposals have been accepted or rejected.
Allow to Specify Internal Network Address: allows remote users to appear as internal users on a private network.
Enable IPSec Logging: allows you to turn on logging for packets generated during the IPSec phase of a VPN tunnel connection.
Smart card removal clears keys: allows security keys to be cleared when you remove the Smart card from the configuration.
Policy Management presents options used only in conjunction with the SafeNet/VPN Policy Manager, which contains detailed instructions on configuring these options.

Certificate Settings opens the Certificate Settings dialog box.

Figure 2-6 Certificate Settings

You can select the following Certificate Manager features:
Enable automatic CRL retrieval every field enables you to perform automatic retrieval of certificate revocation lists (CRLs) and specify the retrieval frequency (in hours) and the default LDAP server.
Use HTTP proxy server for online certificate requests and CRL updates enables you to specify an HTTP proxy server for on-line certificate requests using Simple Certificate Enrollment Protocol (SCEP) and CRL updates when connecting from a secure network to a certificate authority (CA) on the Internet. Some networks have been designed to allow HTTP connections to exit from their private network by first being translated through an HTTP proxy. Select this option only if you use an HTTP proxy to make connections outside your private network and your CA is located outside your private network.
Specify how often NetScreen-Remote checks (polls) for a response to a certificate request.

Advanced opens the Advanced Certificate Enrollment Settings dialog box:

Figure 2-7 Advanced Certificate Enrollment Settings dialog box

CSP opens a drop-down menu with selections for a Cryptographic Service Provider (CSP):
- Gemplus GemSAFE Card CSP v1.0
- IRE Cryptographic Service Provider
- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Strong Cryptographic Provider
- Schlumberger Cryptographic Service Provider
Key Size opens a drop-down menu with selections for a default key size: 512, 1024, 2048, or 4096. The default key size is 4096.
Note: ScreenOS does not support a key size of 4096.
Place in Local Machine Store places the imported certificate in your (the logged-on user's) personal certificate store.
Unless your network security administrator instructs you to change it, accept the default.
Save as Default CSP Settings saves the current settings for the certificate as the default configuration.

Certificate Manager opens the Certificate Manager, the module that allows you to manage personal certificates. For more details on Certificate Manager, go to the Certificate Manager section.

Help Menu

The Help menu offers access to the NetScreen-Remote Help files.

Figure 2-8 Help Menu

Contents and Index opens the Help files.
About displays the Security Policy Database Editor version and copyright information.
Program Add-Ons opens a browser window to SafeNet, Inc.

Shortcut Toolbar Icons

The tools in the shortcut toolbar carry out common commands in the Security Policy Editor.

Table 2-1 Shortcut Toolbar Icons
Add a New Connection: creates a new connection.
Copy Selected Item: copies a connection or a redundant gateway or a proposal.
RG: adds a new redundant gateway.
Delete: deletes a connection or a redundant gateway or a proposal.
Save: saves the current Security Policy.
Move Up: moves a selected connection or a redundant gateway or a proposal up one place on the Security Policy list.
Move Down: moves a selected connection or a redundant gateway or a proposal down one place on the Security Policy list.

Certificate Manager

The Certificate Manager is the software module within NetScreen-Remote that allows you to request, import, store, view, verify, delete, and export personal certificates that you receive from certificate authorities (CAs).

Note: On Windows XP, certificates may also be loaded by double-clicking on the certificate itself or using your web browser.
Certificate Manager need not be used on these systems unless you wish to verify a certificate.

The Certificate Manager is organized into these sections or pages:
- My Certificates
- Root CA Certificates
- Trust Policy
- CA Certificates
- RA Certificates
- CRLs
- Requests
- About
Click the tab for a specific page to access it.

My Certificates Page

The My Certificates page provides tools for managing personal certificates. A personal certificate verifies the identity of the individual using NetScreen-Remote.

Figure 2-9 My Certificates Page (Personal Certificates window)

After highlighting a certificate in the personal certificates window, you can click the following buttons to perform the associated tasks:
View opens the selected certificate for viewing. To close the certificate, click anywhere within the certificate displayed.
Verify checks the validity status of the selected certificate.
Delete removes the selected certificate from NetScreen-Remote.
Export copies the selected certificate to a directory of your choice in PKCS 12 format.

Use the Request Certificate and Import Certificate buttons to obtain and induct new personal certificates into NetScreen-Remote:
Request Certificate provides a choice of dialog boxes for generating a PKCS 10 request. You can use either SCEP, if you already have a CA certificate that supports SCEP, or the cut-and-paste method, which is to cut and paste the Cert_Request into your CA certificate.
Import Certificate opens a dialog box for navigating to a personal certificate file on your computer, and then loading the certificate into NetScreen-Remote.

Note: You can also double-click on the certificate file to import or load it into your computer.

Root CA Certificates Page

The Root CA Certificates page provides tools for managing certificate authority (CA) certificates.
A CA certificate verifies the identity of the authority that verifies personal and remote certificates.

Figure 2-10 CA Certificates Page (CA Certificates window)

After highlighting a certificate in the CA certificates window, you can click the following buttons to perform the associated tasks:
View opens the selected certificate for viewing. To close the certificate, click anywhere within the certificate displayed.
Verify checks the validity status of the selected certificate. If the certificate has expired, was revoked, or is corrupt, it will fail verification.
Configure opens the Configuration Parameters dialog box, allowing you to add details to a CA certificate. For example, if you obtained a CA certificate using the cut-and-paste method, you can add information enabling you to obtain a personal certificate online from that CA using SCEP.
Export copies the selected certificate to a directory of your choice in PKCS 12 format.
Delete removes the selected certificate from your system.
Retrieve CA Certificate opens the following dialog box for obtaining a digital certificate from a CA online via SCEP.
Figure 2-11 Retrieve CA Certificate Online
Import Certificate opens a dialog box for navigating to a personal certificate file on your computer and then loading the certificate into NetScreen-Remote.

Note: Only the PKCS 12 format and public key certificates are currently supported.

Trust Policy Page

Your trust policy determines which root CAs are trusted for IPsec sessions. If a root CA is untrusted, then certificates issued by that CA are considered invalid. Trust policy applies to your personal certificates as well as to other people's certificates.

Figure 2-12 Trust Policy Menu

You can select the following Trust Policy features:
- Trust specific root CAs: use with private CAs that are loaded as root CA certificates.
- Trust CAs that have issued a local personal certificate: use with public CAs, such as VeriSign or Entrust. There is no need to load the CA certificate into the Root CA page.
- Trust all root CAs installed on the local machine: use with public CAs, such as VeriSign or Entrust. There is no need to load the CA certificate into the Root CA page.

CA Certificates Page

A CA is a trusted third-party source that issues certificates. Examples of a CA are VeriSign and Entrust. A subordinate CA certificate is signed by another CA (the Issuer). For your convenience, common CA certificates have already been loaded.

Figure 2-13 CA Certificates

After highlighting a certificate in the CA certificates window, you can click the following buttons to perform the associated tasks:
View opens the selected certificate for viewing. To close the certificate, click anywhere within the certificate displayed.
Verify checks the validity status of the selected certificate.
Configure opens the Configuration Parameters dialog box, allowing you to add details to a CA certificate. For example, if you obtained a CA certificate using the cut-and-paste method, you can add information enabling you to obtain a personal certificate online from that CA using CEP.
Export copies the selected certificate to a directory of your choice.
Delete removes the selected certificate from NetScreen-Remote.
Retrieve CA Certificate opens the following dialog box for obtaining a digital certificate from a CA online.
Figure 2-14 Retrieve CA Certificate Online
Import Certificate opens a dialog box for navigating to a digital certificate file on your computer and then loading the certificate into NetScreen-Remote.

RA Certificates Page

The RA Certificates page allows you to view and verify registration authority (RA) certificates. A registration authority is a subordinate-level server at the CA site that processes requests for personal certificates to the CA root server and forwards responses from the CA to the requesting parties.
It is only used in the registration process.Note:You will use an RA certificate, only if your CA requires one. In most cases,RA certificates are not used.RA CertificatesWindowFigure 2-15RA Certificates PageIf a CA site is structured hierarchically and issues both a CA certificate and an RAcertificate, it sends the RA certificate automatically with the requested CA certificate.After highlighting a certificate in the RA certificates window, you can click the followingbuttons to perform the associated tasks:Viewopens the selected certificate for viewing. To close the certificate, clickanywhere within the certificate displayed.Juniper NetScreen-Remote VPN Administration Guide27 Chapter 2 InterfaceVerifychecks the validity status of the selected certificate.Deleteremoves the selected certificate from NetScreen-Remote.CRLs PageThe CRLs page provides tools for importing, viewing, updating, and deleting certificaterevocation lists (CRLs). A CRL is a list of revoked digital certificates.It is important tohave the most recent CRL so that you know which certificates are no longer valid.CertificateRevocationList WindowFigure 2-16CRLs PageAfter highlighting a CRL in the CRLs window, you can click the following buttons toperform the associated tasks:Viewopens the selected CRL for viewing. 
To close the CRL, click anywhere within the displayed CRL.

Verify: directs the client to check the validity dates and attempts to check the certificate against its CRL.

Delete: removes the selected CRL from NetScreen-Remote.

Import CRL: opens a dialog box for navigating to a CRL file on your computer and then loading the CRL into NetScreen-Remote.

Update All CRLs: manually replaces all the CRLs in the Certificate Revocation List window with the latest versions available online from the respective CA servers.

Requests Page

The Requests page provides tools for viewing, retrieving, and deleting any pending personal certificate requests.

Depending on the CA contacted, a personal certificate request might take up to two or three days to process and approve. Once approved, you will be sent a file with your personal certificate. To load this file, either use the My Certificates page or double-click the file.

Figure 2-17: Requests Page (Pending Certificate Requests window)

After highlighting a certificate request in the Pending Certificate Requests window, you can click the following buttons to perform the associated tasks:

View: opens the selected request for viewing.

Retrieve: fetches a requested certificate from a CA when it becomes ready.
The request disappears from the Pending Certificate Requests window, and the retrieved certificate appears in the My Certificates window.

Delete: cancels the selected request and removes it from your system.

About Page

The About page shows the software version number, manufacturer, and copyright dates of the NetScreen-Remote Certificate Manager in use.

Figure 2-18: About NetScreen-Remote Screen

Desktop Taskbar Icons and Shortcut Menu

The NetScreen-Remote icon appears in the status area of the taskbar in the lower-right corner of the Windows desktop, as shown below.

Figure 2-19: NetScreen-Remote Icon on the Windows Taskbar

The icon's appearance changes to indicate the current activity and state of NetScreen-Remote. Right-click this icon to invoke a shortcut menu.

NetScreen-Remote Icon

The NetScreen-Remote icon changes color and appearance to reflect the current activity and state of NetScreen-Remote, as shown in Table 2-2.

Table 2-2: Taskbar Icons

NetScreen-Remote logo (disabled): The icon is grayed out. Your Windows operating system did not start the Internet Key Exchange (IKE) service properly, or NetScreen-Remote is disabled. If you see this icon, either try enabling NetScreen-Remote, if disabled, or restarting your computer. If neither works, you may need to reinstall the NetScreen-Remote software. See Modifying Installation on page 10.

NetScreen-Remote logo (enabled): The icon is grayed out.
If you have successfully installed NetScreen-Remote, you see this icon before your computer establishes a connection or begins transmitting communications.

NetScreen-Remote logo (with red indicator): Your computer has not established any secure connections and is transmitting nonsecured communications.

Yellow key with gray background: Your computer has established at least one secure connection but is not transmitting any communications.

Yellow key with red indicator: Your computer has established at least one secure connection and is transmitting only nonsecured communications.

Yellow with green indicator: Your computer has established at least one secure connection and is transmitting only secure communications.

Yellow with red/green indicator: Your computer has established at least one secure connection and is transmitting both secure and nonsecured communications.

Shortcut Menu

When you right-click the NetScreen-Remote icon on the Windows taskbar, the NetScreen-Remote shortcut menu pops up.

Figure 2-20: NetScreen-Remote Taskbar Shortcut Menu

Security Policy Editor: opens the software module where you can manually create, store, and export connections and security policies.

Certificate Manager: opens the software module where you can manage certificates.

Activate/Deactivate Security Policy: toggles NetScreen-Remote on and off. When you activate NetScreen-Remote, the Deactivate option displays; when you deactivate NetScreen-Remote, the Activate option displays. Deactivating turns off NetScreen-Remote so that no security policies are used.

Reload Security Policy: replaces an existing security policy with a new security policy.

Saving changes to the security policy of an active connection terminates active connections. To delay implementing the changes until you end the currently active connection, click No when NetScreen-Remote prompts you to reset your active connection.
Then click Reload Security Policy to put the changes into effect.

Remove Icon: removes the NetScreen-Remote icon from the taskbar on your desktop. The icon reappears when you restart your computer.

Log Viewer: opens the connection log, a diagnostic tool that lists Internet Key Exchange (IKE) negotiations as they occur. NetScreen-Remote saves log information to a file called Connection.log inside the NetScreen-Remote directory; it is overwritten by ongoing IKE negotiations.

Connect: enables the NetScreen-Remote client to connect to a specific destination.

Disconnect: enables the NetScreen-Remote client to disconnect from a specific destination.

Connection Monitor: opens a window that displays statistical and diagnostic information for each active connection in the security policy. To see details, select a connection, and click Details.

Add-ons: opens the SafeNet, Inc. corporate web page.

Help: opens the NetScreen-Remote Help file.

About NetScreen-Remote: displays product version and copyright information.

Figure 2-21: Product Version and Copyright Tab

Chapter 3 Digital Certificates

A digital certificate is an electronic means for verifying one's identity through the word of a trusted third party, known as a Certificate Authority (CA). The CA server you use can be owned and operated by an independent CA (built-in support for Microsoft, VeriSign, or Entrust) or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and CRL servers (for obtaining certificates and certificate revocation lists) and for the information they require when submitting personal certificate requests.
When you are your own CA, you make the rules.

To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

• Obtain a personal certificate from a CA, and load the certificate into your system either by using the Certificate Manager within NetScreen-Remote or by double-clicking the certificate file.

• Obtain a CA certificate for the CA that issued the personal certificate (basically verifying the identity of the CA that is verifying you), and load the CA certificate into the Certificate Manager.

• Obtain a CRL, and load it into the Certificate Manager.

You can also view and verify Registration Authority (RA) certificates, and view and update CRLs.

This chapter covers the following information:

• Introduction to public key cryptography
• Obtaining certificates and CRLs
• Managing certificates, CRLs, and certificate requests

For information on using certificates when configuring VPN tunnels, see Chapter 5, Configuring a VPN Tunnel with Digital Certificates.

Public Key Cryptography

In public key cryptography, a public/private key pair is used to encrypt and decrypt data. Data encrypted with a public key, which the owner makes available to the public, can only be decrypted with the corresponding private key, which the owner keeps secret and protected. For example, if Alice wants to send Bob an encrypted message, Alice can encrypt it with Bob's public key and send it to him. Bob then decrypts the message with his private key.

The reverse is also useful; that is, encrypting data with a private key and decrypting it with the corresponding public key. This is known as creating a digital signature. For example, if Alice wants to present her identity as the sender of a message, she can encrypt the message with her private key and send the message to Bob.
Bob then decrypts the message with Alice's public key, thus verifying that Alice is indeed the sender.

Public/private key pairs also play an important role in the use of digital certificates. The procedure for signing a certificate (by a CA) and then verifying the signature (by the recipient) works as follows:

Signing a Certificate

1. The Certificate Authority (CA) that issues a certificate hashes the certificate by using a hash algorithm (MD5 or SHA-1) to generate a digest.

2. The CA then signs the certificate by encrypting the digest with its private key. The result is a digital signature.

3. The CA then sends the digitally signed certificate to the person who requested it.

Verifying a Digital Signature

1. When the recipient gets the certificate, he or she also generates another digest by applying the same hash algorithm (MD5 or SHA-1) to the certificate file.

2. The recipient uses the CA's public key to decrypt the digital signature.

3. The recipient compares the decrypted digest with the digest he or she just generated. If the two digests match, the recipient can confirm the integrity of the CA's signature and, by extension, the integrity of the accompanying certificate.

Obtaining Certificates and CRLs

There are three methods for requesting a personal certificate:

• Online enrollment using a web browser
• Manual (cut-and-paste) enrollment
• Simple Certificate Enrollment Protocol (SCEP)

Manual and SCEP methods are explained in the following sections. A CRL usually accompanies a retrieved personal certificate automatically. If it does not, you can download one from the certificate authority and then import it into the Certificate Manager.

Online Enrollment Using a Web Browser

With most CA systems, a user may request certificates online with an Online Enrollment form, or the Administrator may enroll on behalf of the user.
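The signing and verification procedure above, together with the CRL rule stated under Step 7 of the manual enrollment procedure later in this chapter ("any certificate issued by the CA that has not expired and is not on the CRL is valid"), as an added Go example that is not part of this guide or of NetScreen-Remote. It uses only the Go standard library (Go 1.19 or later is assumed); the CA name, subject name, serial numbers and validity periods are constructed, and SHA-256 stands in for the MD5/SHA-1 the guide names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// must panics on error to keep the example short; real code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// CA is a constructed example issuer: its certificate plus the private key it signs with.
type CA struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}
// NewCA generates a self-signed CA certificate, the kind loaded into the CA Certificates page.
func NewCA(name string) *CA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SignatureAlgorithm: x509.SHA256WithRSA,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// Sign issues a personal certificate for the requester's public key: CreateCertificate hashes
// the to-be-signed body and encrypts the digest with the CA's private key (signing steps 1-2).
func (ca *CA) Sign(serial int64, cn string, pub *rsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key))
	return must(x509.ParseCertificate(der))
}

// VerifySignature repeats the recipient's three steps (SHA-256 stands in for MD5/SHA-1): rehash the
// body, then rsa.VerifyPKCS1v15 recovers the signed digest with the CA's public key and compares.
func VerifySignature(cert, caCert *x509.Certificate) bool {
	caPub := caCert.PublicKey.(*rsa.PublicKey) // the example CAs here are always RSA
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(caPub, crypto.SHA256, digest[:], cert.Signature) == nil
}

// IssueCRL builds a CA-signed CRL listing the given certificates as revoked.
func (ca *CA) IssueCRL(revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
	return must(x509.ParseRevocationList(der))
}

// IsValid applies the Step 7 rule: signed by the CA, unexpired at now, and absent from a CRL the same CA signed.
func IsValid(cert, caCert *x509.Certificate, crl *x509.RevocationList, now time.Time) bool {
	if !VerifySignature(cert, caCert) || now.Before(cert.NotBefore) || now.After(cert.NotAfter) ||
		crl.CheckSignatureFrom(caCert) != nil { // a CRL the CA did not sign proves nothing
		return false
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false
		}
	}
	return true
}

func main() {
	ca, user := NewCA("Example CA"), must(rsa.GenerateKey(rand.Reader, 2048))
	cert := ca.Sign(2, "John Doe", &user.PublicKey) // subject name from the guide's example
	fmt.Println("before revocation:", IsValid(cert, ca.Cert, ca.IssueCRL(), time.Now()))
	fmt.Println("after revocation: ", IsValid(cert, ca.Cert, ca.IssueCRL(cert), time.Now()))
}
```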
The online enrollment process allows a user or administrator to either submit a certificate request or directly load a certificate onto a Smart-Card. Regardless of which method is chosen, once the certificate has been approved by the Administrator, the user must log in to the CA website and retrieve the certificate.

The CA certificate and CRL can also be loaded from the web browser into NetScreen-Remote.

Detailed information on how to submit web-based certificate requests can be found in the documentation for your CA system. Juniper provides application notes on how to obtain certificates for various CA systems; these notes are available from the Juniper Technical Support site knowledgebase at http://www.juniper.net/support/. If automatic enrollment via SCEP is not available, online enrollment via web browser is the preferred way of loading certificates, because of its ease of use for the end user and administrator and the lack of manual steps, such as saving and uploading files, that the other methods involve.

Manual (Cut-and-Paste) Enrollment

This procedure is also referred to as the cut-and-paste or file-based method, because it requires you to transfer information manually to and from text files. CAs handle this method in various ways, but always start with a certificate request file. NetScreen-Remote automatically generates the public/private key pair for you.
The public key goes with your request; the private key resides on your hard drive and is kept confidential.

To obtain certificates through this method, perform this seven-step procedure, which is described in the following sections:

Step 1: Creating the Certificate Request
Step 2: Submitting the Request to Your CA
Step 3: Retrieving the Signed Certificate
Step 4: Retrieving the CA Certificate
Step 5: Importing the CA Certificate
Step 6: Importing the Personal Certificate
Step 7: Obtaining the CRL

Step 1: Creating the Certificate Request

1. Open the Certificate Manager, using one of the following three methods:

   • Right-click the NetScreen-Remote icon on the desktop taskbar, and then select Certificate Manager.
   • Double-click the NetScreen-Remote icon in the desktop taskbar, then click the Options menu, and choose Certificate Manager.
   • Click Start on the desktop taskbar, select Programs, then select NetScreen-Remote, and finally Certificate Manager.

   The Certificate Manager opens with the My Certificates page in front, as shown below. Any certificates you loaded are listed.

   Figure 3-1: My Certificates Menu

2. Click Request Certificate.

   If you do not have a CA certificate loaded that supports online enrollment, this message appears:

   Figure 3-2: File-Based Request Message

3. Click Yes to make a file-based request. This dialog box appears:

   Figure 3-3: File-based Certificate Request

4. Complete the fields in the Subject Information area as required by your CA.

   Note: If your CA requires fields that are not shown or a different format, click Enter Subject Name in LDAP format and enter the full DN. For example, CN=John Doe;CN=Sales;O=Juniper. See Figure 3-4.

   Note: If you use NetScreen-Remote 8.2r1 or higher, do not enter a value for the IP address field.
   Entering a value in this field causes the system to generate the log error "Invalid RSA signature". If the error occurs, generate a new certificate request using a DNS name and/or e-mail address.

   Contact your CA to determine which fields are required. The Domain Name and/or Email must match the value configured for the user authentication on the NetScreen device.

   Figure 3-4: File-based Certificate Request - Subject Name in LDAP format

5. For advanced setting options, click Advanced.

   Figure 3-5: Advanced Certificate Enrollment Settings Menu

   Advanced: opens a drop-down menu with selections for a Cryptographic Service Provider (CSP):

   • IRE Cryptographic Service Provider (default)
   • Microsoft Base Cryptographic Provider v1.0
   • Microsoft Enhanced Cryptographic Provider v1.0
   • Microsoft Strong Cryptographic Provider
   • Schlumberger Cryptographic Service Provider (used for smart cards)
   • DataKey Cryptographic Service Provider (used for smart cards)

   Key Size: opens a drop-down menu with selections for key size: 512, 1024, 2048, or 4096. (Note that although the NetScreen-Remote software offers a 4096-bit key length, NetScreen firewall/VPN devices are not compatible with this key length.)

   Place certificate and keys in local machine store: enables you to store the certificate on the local device.

   Change the CSP setting only if you are using smart cards or your CA supports another CSP.

6. The default location for saving the Certificate Request File is C:\Temp, and the default filename is CertReq.req. To save the file in a different location, either type the location in the Filename field or click Browse and navigate to the folder of your choice. You can also rename the file.

7. If you want to be able to export the private key associated with the personal certificate you are now requesting, select Generate exportable key.

   Note: The Generate exportable key option may not work with all CSPs.

8. Click OK to save the file.

Step 2: Submitting the Request to Your CA

You must submit your certificate request for approval next.

Note: Some of the older CAs require steps 2-2 to 2-5.

1. Go to a CA's website and follow their procedure for requesting a certificate until you reach the section where you are asked to provide your request. This usually involves submitting a saved certificate request to a website or e-mail address.

   NetScreen-Remote supports the following CAs:

   • Baltimore
   • Entrust
   • iPlanet
   • Microsoft
   • RSA KeyOn
   • VeriSign

2. Using a text editor, open the certificate file that you created and saved in Step 1: Creating the Certificate Request.

3. Select the entire certificate request, taking care to select the entire text but not any blank spaces before or after the text, as shown below.

   Figure 3-6: Selecting the Entire Certificate Request

4. Copy the selected text and paste it into the certificate request field on the website.

5. Submit the request in accordance with the CA's procedure.

When your certificate request has been completely processed, the CA might display the certificate online or send it to you in an e-mail message.

Step 3: Retrieving the Signed Certificate

This is the step for retrieving the personal certificate.

1. Select the entire certificate, taking care to select the entire text but not any blank spaces before or after the text, and copy it.

2. Paste the text into a simple text editor file.

3. Click Save As, and select All Files (*.*).

4. Name the file, and save it with the following extension: .cer

Step 4: Retrieving the CA Certificate

You must have both a personal certificate and a CA certificate from the CA that issued your personal certificate.

1. Return to the CA's website and follow the online procedure for requesting a CA certificate.

2. Copy the CA certificate and paste it into a text editor file.

3. Click Save As, and select All Files (*.*).

4. Name the file, and save it with the following extension: .cer

Step 5: Importing the CA Certificate

Note: If you have Microsoft Windows XP, you may skip the following procedure. You need only to double-click the CA certificate file to import it. If you have Microsoft Windows 95, you are required to go through the following procedure to import your CA certificate.

1. In the Certificate Manager module of NetScreen-Remote, click the CA Certificates tab to bring that page to the front.

2. Click Import Certificate. The Open File dialog box appears.

3. Navigate to the file where you saved the CA certificate, and then click Open. The CA certificate is loaded and appears in the CA Certificate window, as shown below.

   Figure 3-7: Imported CA Certificate

Step 6: Importing the Personal Certificate

Note: If you have Microsoft Windows XP, you may skip the following procedure. You need only to double-click the CA certificate file to import it. If you have Microsoft Windows 95, you are required to go through the following procedure to import your CA certificate.

1. In Certificate Manager, click the My Certificates tab to bring that page to the front.

2. Click Import Certificate. The Import Personal Certificate dialog box appears.

   Figure 3-8: Import Personal Certificate

   In the Import Type group, select one of the following radio buttons:

   • For general certificate importing of current and older certificate and key types, click the Certificate and Private Key option.
   • For online certificate enrollment, click the PKCS12 Personal Certificate option.
   • For a manual certificate request, click the Certificate Request Response File option.

   The import type you selected determines which fields are available for you to complete.

3. By default, the Import certificate to local machine store checkbox is clear, which places the imported certificate in your (the logged-on user's) personal certificate store. Unless your network security administrator instructs you to change it, accept the default.

4. In the Certificate File box, type the drive, directory, and filename/file type of the personal certificate or certificate request response file to import, or click Browse to locate it. The default certificate request response filename is C:\temp_directory_for_OS\Cert.p7r.

5. In the Key File box, type the drive, directory, and filename of the private key file to import, or click Browse to locate it.

6. In the Password box, type the password used when the file was exported.

7. Unless your network security administrator advises you to change it, leave the Import certificate to local machine store checkbox selected.

8. Click Import.

9. When the key import confirmation message opens, click OK.

10. When prompted to add this personal certificate, click Yes.

11. Click Import.

    The personal certificate is loaded and appears in the Personal Certificates window, as shown in Figure 3-9.

    Figure 3-9: Imported Personal Certificate

12. Double-click the certificate.

Step 7: Obtaining the CRL

A CRL is a list of certificates that the CA no longer recognizes as valid. Logically, any certificate issued by the CA that has not expired and is not on the CRL is valid.

Whenever you retrieve or import a personal certificate from a CA, it usually contains a CRL that imports directly into the Certificate Manager and can be viewed on the CRLs page. You usually need not configure or request anything.

If you have to obtain a CRL manually:

1. Download the CRL from the CA's website, and save it locally.

2. On the CRLs page in the Certificate Manager, click Import CRL. The Import CRL dialog box appears.

3. Navigate to the CRL file that you downloaded, select the file, and click Open. A message appears, stating that the CRL has been successfully imported.

4. Click OK to acknowledge the message.

SCEP Enrollment

The Simple Certificate Enrollment Protocol (SCEP) is a method for on-line enrollment. If you select a CA that supports this method, you must have their CA certificate before you can request a personal certificate online. In this case, you must know the certificate server DNS name or IP address in advance.

An advantage of SCEP enrollment is that the CA automatically imports the CRL with the requested certificate. With the cut-and-paste method, you must download the CRL separately.

To obtain certificates through this method, perform the following two-step procedure:

Step 1: Retrieving the CA Certificate
Step 2: Retrieving a Personal Certificate

Step 1: Retrieving the CA Certificate

If you are on a network on the Trusted side of a Juniper Firewall/VPN device and are attempting to use the SCEP method to obtain a certificate from a CA on the Untrusted side (that is, on the Internet), then you must precede the retrieval procedure by enabling and specifying the DNS name or IP address of the proxy server for your network. To do this, use the Certificate Settings dialog box, shown on page 2-19 (choose Certificate Settings from the Options menu). If the CA server that you are using is on your network, or if you are not requesting the certificate from a network inside a firewall, you can skip this preliminary step.

1. Log on to the Internet.

2. Open the Certificate Manager, using one of the following three methods:

   • Right-click the NetScreen-Remote icon and select Certificate Manager.
   • Choose Certificate Manager from the Options menu.
   • Click Start on the desktop taskbar, then Programs, NetScreen-Remote, and Certificate Manager.

   The Certificate Manager opens with the My Certificates page in front.

3. Click the CA Certificates tab to bring that page forward, as shown in Figure 3-10.

   Figure 3-10: CA Certificates Page

4. Click Retrieve CA Certificate. The Retrieve CA Certificate Online dialog box appears.

5. In the CA Domain field, type the DNS name of the CA Authority, for example, entrust.com or verisign.com.

6. In the On-line Certificate Server field, type the complete IP or URL address of the certificate server.

   If the URL address of the CA certificate server ends with cgi-bin/pkiclient.exe, do not include the protocol connection at the beginning of the URL. If the URL address ends with anything else, you must include the protocol connection at the beginning of the URL.

7. Click OK. Within a few seconds, the Root Certificate Store message box appears, asking if you want to add the CA certificate to the Root Store.

8. Click Yes. The CA's digital certificate is now listed under CA Certificates.

Step 2: Retrieving a Personal Certificate

1. Click the My Certificates tab to bring that page to the front.

2. Click Request Certificate. This dialog box appears:

   Figure 3-11: On-line Certificate Request

3. In the Subject Information area, enter all relevant personal information. You might not need to fill in every field, depending on the requirements of the CA. The fields that one CA requires might not be required by another.

4. In the On-line Request Information area, make the following entries:

   • For the Challenge Phrase, type any combination of numbers or letters you choose. (For security reasons, only asterisks appear.)
   • For the Confirm Challenge, make the same entry as for the Challenge Phrase.
   • From the Issuing CA drop-down list, select a CA certificate.

5. If you want to be able to export the private key at a later time, select Generate exportable key.

   You will only be able to export the private key associated with the personal certificate you are now requesting if you select Generate exportable key now. For security re