remote access service

Remote Access Service: VPN Client 2 Technical Support Presentation, March, 2014 – Version 1.1

Upload: amalie

Post on 23-Feb-2016


DESCRIPTION

Remote Access Service. VPN Client 2 Technical Support Presentation, March, 2014 – Version 1.1. Overview. Purpose: provide troubleshooting, tips and tricks and additional information on specific VPN client function for the Novartis CONNECT client. Scope: VPN Client_2.0_L_EN_01 package. PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Remote Access Service

Remote Access Service
VPN Client 2
Technical Support Presentation
March, 2014 – Version 1.1

Page 2: Remote Access Service

Overview

Purpose
• Provide troubleshooting, tips and tricks and additional information on specific VPN client function for the Novartis CONNECT client

Scope
• VPN Client_2.0_L_EN_01 package

Audience
• Novartis IT Service Desks providing support to Remote Access users

Presentation ownership
• Pascal Heiniger, Global Service Manager Mobility Application
• [email protected]
• www.globalit.novartis.intra/global-infrastructure-services/enterprise-services/security-infrastructure-services/index.shtml

RAS | VPN Client 2 Technical Support | Business Use Only

Page 3: Remote Access Service

TROUBLESHOOTING
TIPS & TRICKS


Page 4: Remote Access Service

Troubleshooting
VPN Client Quick Check – Step 1

Perform the quick check as the standard ‘intro’ into the troubleshooting process
• Verify that the Connection Wizard icon is visible in the system tray
• Verify that the user can log in with his Entrust certificate

Remediation
• Reboot the client
• Re-install the VPN Client package


Page 5: Remote Access Service

Troubleshooting
VPN Client Quick Check – Step 2

Run a “Check for Topology Update” to ensure the client has the latest update installed

The “Check for Topology Update” works from the Novartis Intranet as well as from a direct Internet connection (no VPN) and from a regular VPN connection

If the client is connected directly to the Internet and an update is not possible, double-check the proxy settings. Disable the static proxy if set through the red button in Internet Explorer

Note: the “Check for Topology Update” also restarts the VPN Client and therefore resolves issues related to the VPN stack


Page 6: Remote Access Service

Troubleshooting
VPN Client Quick Check – Step 3

Verify that the user can log in with his Entrust certificate

Double-check that the user's Client Authentication certificate is available in the store and that the certificate is valid

Remediation
• See PKI troubleshooting guidelines


Page 7: Remote Access Service

Troubleshooting
Internet Connectivity Check – Step 4

Ensure that an IPv4 address is assigned to the client

Verify that www.novartis.com resolves to the public IP (at time of writing: 164.109.71.93)

Remediation
• Check cabling or WLAN association
• Check router
• Double-check that the client is not switching between WLANs (e.g. neighborhood)
• Reboot the client


Page 8: Remote Access Service

Troubleshooting
Internet Connectivity Check – Step 5

Open the browser. Verify that the proxy is disabled and check if www.novartis.com is reachable

Remediation
• Check cabling or WLAN association
• Check router
• Double-check that the client is not switching between WLANs (e.g. neighborhood)
• Reboot the client


Page 9: Remote Access Service

Troubleshooting
VPN Client Installation Check – Step 6

Verify that the following services are started:
• ‘AppLife Update Service 2.0’
• ‘Check Point EndPoint Security VPN’
• ‘Connection Wizard Helper’

Verify that the following processes are running under the user context
• Cwclient.exe

Remediation
• Ensure that the services are set to ‘Automatic’ startup type. Restart the services (requires local admin rights)
• Launch ‘Connect VPN’ from the Utilities folder
• Reboot the client


Page 10: Remote Access Service

Troubleshooting
VPN Client Installation Check – Step 7

Verify that the c:\Program Files\CheckPoint\EndPoint Connect folder includes several trac.config files (e.g. trac.config_chbs, trac.config_useh, …)

Double-check that the gateway list is populated within the ‘Connection Wizard’
• Gateway list should include at least two or more gateways (see sample screenshot)

Remediation
• Run ‘Check for Topology Update’ from the Support menu
• Re-install the VPN client package


Page 11: Remote Access Service

Troubleshooting
VPN Client Installation Check – Step 8

Verify that the file ‘cwservice.exe.config’ exists in the ..\cwizard folder

Verify that the file ‘mapg.vbs’ exists in the ..\cwizard folder

Remediation
• Re-install the VPN client package
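
The installation checks from Steps 6 to 8 can be run in one pass. The script below is an added example, not part of the presentation or of the VPN client package; it assumes PowerShell 3.0 or later, assumes that ‘..\cwizard’ is the c:\program files\cwizard folder, and reads “several” trac.config files as two or more. The helper names New-Check and Test-VpnClientInstall are hypothetical.

```powershell
# Added example, not part of the presentation. Requires PowerShell 3.0 or later.
# Service and file names come from Steps 6-8; $CwizardDir is an assumption.
$EndpointDir = 'C:\Program Files\CheckPoint\EndPoint Connect'
$CwizardDir  = 'C:\Program Files\cwizard'   # assumed location of '..\cwizard'
$Services    = 'AppLife Update Service 2.0',
               'Check Point EndPoint Security VPN',
               'Connection Wizard Helper'

function New-Check($Name, $Passed, $Detail) {
    [pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

function Test-VpnClientInstall {
    # Step 6: each service must exist, be running and start automatically
    $installed = Get-CimInstance -ClassName Win32_Service
    foreach ($name in $Services) {
        $svc = $installed | Where-Object { $_.DisplayName -eq $name }
        if ($svc) {
            $ok = $svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto'
            New-Check "Service '$name'" $ok "$($svc.State), startup $($svc.StartMode)"
        } else {
            New-Check "Service '$name'" $false 'not installed'
        }
    }

    # Step 6: Cwclient.exe in the caller's logon session (approximates "user context")
    $session = (Get-Process -Id $PID).SessionId
    $cw = @(Get-Process -Name 'Cwclient' -ErrorAction SilentlyContinue |
            Where-Object { $_.SessionId -eq $session })
    New-Check 'Process Cwclient.exe' ($cw.Count -gt 0) "$($cw.Count) instance(s) in session $session"

    # Step 7: "several" topology files, read here as two or more trac.config_* files
    $trac = @(Get-ChildItem -Path $EndpointDir -Filter 'trac.config_*' -ErrorAction SilentlyContinue)
    New-Check 'trac.config_* files' ($trac.Count -ge 2) "$($trac.Count) found"

    # Step 8: files expected in the cwizard folder
    foreach ($file in 'cwservice.exe.config', 'mapg.vbs') {
        $path = Join-Path $CwizardDir $file
        New-Check "File $file" (Test-Path -LiteralPath $path -PathType Leaf) $path
    }
}

$report = Test-VpnClientInstall
$report | Format-Table -AutoSize -Wrap
if ($report.Passed -contains $false) { Write-Warning 'Apply the remediation listed for each failed step.' }
```

The gateway list inside the ‘Connection Wizard’ (Step 7) is only visible in the GUI and still has to be checked by hand.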


Page 12: Remote Access Service

Tip
Terminate the Connection Wizard

If the ‘Connection Wizard’ seems to be stuck or the Connection does not reflect the current client connectivity
• Terminate the ‘Connection Wizard’ by clicking on close while holding the CTRL key (don’t forget to restart the ‘Connection Wizard’)
• Terminating the Connection Wizard will automatically launch the CheckPoint EndPoint Connect GUI


Hold CTRL Key

Page 13: Remote Access Service

Tip
Internet Router and Firewall

Ensure that the latest firmware is running on the device

Ensure that the client is not ‘jumping’ between WLANs

Ensure the following ports and protocols are not blocked from the device
• TCP/264 (Topology Download)
• IKE
• IPSEC and IKE (UDP on port 500)
• IPSEC ESP (IP type 50)
• IPSEC AH (IP type 51)
• TCP/500 (if using IKE over TCP)
• UDP 2746 or another port (if using UDP encapsulation)
• UDP 259

Optional:
• FW1_scv_keep_alive (UDP port 18233) used for SCV keep-alive packets
• FW1_pslogon_NG (TCP port 18231) used for SecureClient's logon to Policy Server protocol
• FW1_sds_logon (TCP port 18232) used for SecureClient's Software Distribution Server download protocol
• tunnel_test (UDP port 18234) used by Check Point tunnel testing application


Page 14: Remote Access Service

Tip
Command Line Topology Update

CwUpdate.exe can be executed from c:\program files\cwizard with user rights from a DOS shell or through the file explorer

Two command options are available
• /f to force an update of the topologies
• /v to force an update to a specific version of the topologies (not preferred)
• Without command line options the topology information is retrieved from the tpversion.xml located in the c:\program files\CheckPoint\Endpoint Connect folder

A restart of the client is not required but is recommended to ensure the new topology is applied

Alternatively, switch to another gateway and then back to the original one


Page 15: Remote Access Service

Tip
NVS Helpdesk Tool Integration

Two sections are added to the NVS Helpdesk tool:

VPN Client
• Software and topology update version
• Topology update history (last 10 events)

VPN Client Performance
• Information about the last VPN connection including reported error
• Total amount of successful/failed VPN connections on the client

Note: The NVS Helpdesk tool configuration file must be updated to display this information


Page 16: Remote Access Service

Tip
Version Information

The ‘About’ dialog box now displays
• The Connection Wizard version
• The topology update history (all updates)

Note: The client version and the topology version do not necessarily match because of the different lifecycles

Page 17: Remote Access Service

Tip
Recover Client / Reinstall

The embedded PDF describes how to recover a failed VPN installation
• Document Version 1.1 from 11. February 2014

To recover or update a VPN installation
• Don’t perform a repair (this will leave the client in an un-configured state)
• Instead fully uninstall, reboot and re-install the client

Page 18: Remote Access Service

Tip
SharePoint Access Denied Issue

The update/issue of Kerberos tickets might fail on certain routers/providers because of the name resolution behavior of the Windows client and the router

In such cases please set the following registry keys on the client:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  - REG_DWORD = MaxPacketSize, value = “1”
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
  - REG_DWORD = MaxPacketSize, value = “1”

Please note, this remediation is recommended only in case the user experiences access denied issues on SharePoint while all other resources (e.g. Intranet, Outlook etc.) are working well
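
One way to audit and apply the two registry values above, as an added example that is not part of the presentation. The function name Set-MaxPacketSize and its -Apply switch are hypothetical; the script only reports the current values unless -Apply is given, and writing under HKEY_LOCAL_MACHINE requires an elevated session.

```powershell
# Added example, not part of the presentation. Key paths and the value 1 are taken from the slide.
$Targets = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
           'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MaxPacketSize($Key) {
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Key -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
}

function Set-MaxPacketSize {
    param([string[]]$Path = $Targets, [int]$Value = 1, [switch]$Apply)
    foreach ($key in $Path) {
        $before = Get-MaxPacketSize $key
        if ($Apply -and $before -ne $Value) {
            # The Parameters key may be missing on a client that never had it configured
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name MaxPacketSize -PropertyType DWord `
                             -Value $Value -Force | Out-Null
        }
        $after = Get-MaxPacketSize $key
        [pscustomobject]@{
            Key     = $key
            Before  = if ($null -eq $before) { '(not set)' } else { $before }
            After   = if ($null -eq $after)  { '(not set)' } else { $after }
            Matches = ($after -eq $Value)
        }
    }
}

# Audit only; run "Set-MaxPacketSize -Apply" from an elevated prompt to write the values
Set-MaxPacketSize | Format-List
```

Recording the Before column in the ticket makes it possible to restore the previous state if the SharePoint issue turns out to have a different cause.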

Page 19: Remote Access Service

TECHNICAL FEATURES


Page 20: Remote Access Service

Technical Features
Connect G: Drive

The Connect and Disconnect G: drive options execute the script mapg.vbs in the ..\cwizard folder

The menu options
• Connect G: drive is enabled if a VPN connection is established and no G: drive is connected
• Disconnect G: drive is enabled if a G: drive is connected but no Novartis Intranet is detected


Page 21: Remote Access Service

Technical Features
Reconnect after Resume

The dialogue box is presented to the user if:
• the client is coming back from a standby or hibernate
• the client is not connected to the Novartis Intranet
• the client has an Internet connection
• a VPN connection was established at the time the client went into standby or hibernate

The dialogue box is active for 90 seconds. After this time the dialogue box is closed and no reconnection is performed


Page 22: Remote Access Service

Technical Features
Support Button

The ‘Check for topology update’ checks for new versions of the Connection Wizard and of the topology. This also works directly over the Internet (no VPN connection required)

Client and service logs (attention, extensive) are available over the Support menu. There are two log files available
• The client log shows logs recorded from the CW GUI
• The service log shows logs recorded from the CW service


Page 23: Remote Access Service

Technical Features
Cancel Button

During the establishment of the VPN connection the user has the opportunity to cancel the connection

The cancel request will stop the current connection attempt and issue a rescan of the client network connectivity
