ViPNet Client Monitor 4.3 User's Guide
© 1991–2015 Infotecs Americas. All rights reserved.
Version: 00116-04 34 01 ENU

This document is included in the software distribution kit and is subject to the same terms and conditions as the software itself. No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means (electronic, mechanical, recording, or otherwise) for any purpose, without the prior written consent of Infotecs Americas Inc.

ViPNet® is a registered trademark of Infotecs Americas Inc., New York, USA. All brands and product names that are trademarks or registered trademarks are the property of their owners.
Global contacts page http://www.vipnet.com/
Contents

Introduction
  About This Document
    Audience
    Document Conventions
  About ViPNet Client
    ViPNet Client Purpose and Scope
    ViPNet Client Components
      ViPNet Driver
      ViPNet Monitor
      ViPNet MFTP
      ViPNet Application Control
      ViPNet Business Mail
      ViPNet CSP
      ViPNet Update System
    Principle of the ViPNet Driver Operation
  What's New in Version 4.3.1
  System Requirements
  Distribution Kit
  Feedback
    Finding Additional Information
    Contacting Infotecs
    Errata

Chapter 1. Installing, Upgrading, and Uninstalling ViPNet Client
  ViPNet Client Setup
  Installing ViPNet Client in the Silent Mode
    Additional Setup Options in the Silent Mode
  How to Use a Group Policy to Install ViPNet Client
  Upgrading ViPNet Client
    Upgrading from ViPNet Network Control Center
    Receiving Upgrades with Group Policies
    Receiving Upgrades in Windows Update Center
    Upgrading ViPNet Client with the Setup File
  Adding, Removing, and Repairing ViPNet Client Components
  Uninstalling ViPNet Client
  Moving a ViPNet Host to Another Computer

Chapter 2. Installing and Updating Keys and Host Links
  Installing Keys and Host Links
    Installing Keys and Host Links for One User
    Installing Keys and Host Links for Several Users on One Host
    Advanced Mode of Keys and Host Links Installation
    Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed
    Installing Keys and Host Links in the Silent Mode
    Recurrent Installation of Keys and Host Links after a Program Failure
  Using Keys and Host Links Installed Previously
  Updating Keys, Host Links, and Security Policies
    Receiving Updates
    Updating Keys and Host Links with a Key Set
  Uninstalling Keys and Host Links
  What Should I Do at Key Compromise?

Chapter 3. Getting Started with ViPNet Client
  Starting ViPNet Monitor
    User Logon Modes
      Password Only
      Password on Device
      PIN and Device
    Logging On As Another User
  Finishing the Work with ViPNet Monitor
  ViPNet Monitor Interface
    Working with the List of ViPNet Hosts
    Using ViPNet Monitor with Restricted Interface

Chapter 4. ViPNet Update System
  About ViPNet Update System
  Automatic Updating
  Installing Updates Manually
  Viewing the Installed Updates Log

Chapter 5. Connecting to a Protected ViPNet Network
  ViPNet Network Connection Protocols
  Principles of Establishing Connections on a ViPNet Network
  About Virtual IP Addresses
    General Principles of Assigning Virtual IP Addresses
  Configuring Connection to a Protected Network
  Viewing Information about a ViPNet Host
  Configuring Access to ViPNet Hosts
  Using Aliases for ViPNet Hosts
  Configuring Access to Tunneled Hosts
  Configuring Access IP Addresses Priority for a Coordinator

Chapter 6. Configuring and Using DNS and WINS Services in ViPNet Networks
  DNS and WINS Services
    DNS
    WINS
  DNS and WINS Services in a ViPNet Network
  Protected or Tunneled DNS or WINS Server
    Usage Peculiarities
    Configuration Best Practices
  Unprotected DNS or WINS Server
    Usage Peculiarities
    Configuration Best Practices
  Using a Protected DNS Server to Work with Corporate Resources Remotely
    Automatic DNS (WINS) servers registration
    Configuring a DNS or WINS Servers List Manually
      Corporate DNS or WINS Server is Installed Right on the ViPNet Host
      Corporate DNS or WINS Server is Tunneled by a Coordinator
      An Example of the DNS.TXT File
  Using DNS Servers on Domain Controllers

Chapter 7. Configuring the Integrated Firewall
  General Principles of Traffic Filtering
  Network Filters Overview
  Using Object Groups
    Built-in Object Groups
    User-Defined Object Groups Set by Default
    Creating and Editing Object Groups
      Adding ViPNet Hosts
      Adding IP Addresses and DNS Names
      Adding Protocols
      Adding Schedules
  Creating Network Filters
    Creating Private Network Filters
    Creating Public Network Filters
  Restoring Pre-defined Filters and Object Groups
  Object Groups and Network Filters Usage Example
  Blocking IP Traffic
  Disabling Traffic Protection

Chapter 8. Application Protocols Processing
  Application Protocols Overview
  Application Protocols Description
  Application Protocols Options

Chapter 9. Integration with ViPNet SafeDisk-V
  General Information about ViPNet SafeDisk-V
  Providing ViPNet Client and ViPNet SafeDisk-V Integration: Checklist
  Working with Integrated ViPNet SafeDisk-V

Chapter 10. Integrated Communication Tools
  Overview
  Encrypted Instant Messaging
    Interface of the Encrypted Instant Messaging Program
    Sending Messages
    Receiving Messages
    Sending Files and Email Messages in the Instant Messaging Session
    Stop Exchanging Instant Messages
  Sending ViPNet Business Mail Messages
  File Exchange
    File Exchange Program Interface
    Sending a File from the ViPNet Monitor Program
    Sending a File from the Windows Context Menu
    Files Exchange in the Instant Messaging Session
    Receiving Files
  External Programs
  Viewing Web Resources of a ViPNet Host
  Shared Host Resources Overview
  Checking Connection to a ViPNet Host

Chapter 11. ViPNet Hosts Management
  Working with the IP Packets Log
    Configuring the IP Packets Search Options
    Viewing Search Results
      Viewing the IP Packets Log in Your Web Browser or Microsoft Excel
      Choosing IP Packets to View
      Best Practices of Encrypted and Unencrypted Connections Analysis
    Creating a Network Filter When Viewing the IP Packets Log
    Viewing the IP Packets Log of Another Host
    Viewing the IP Packets Log Archive
    Configuring IP Packets Logging
  Viewing IP Packets Filtering Statistics
  Viewing Information about a Client, Program Working Time, and the Number of Connections
  Managing ViPNet Monitor Configurations
    The Open Internet Configuration
    Configurations: Internal Network and Internet
    Scheduling Configuration Change
  Starting a Remote Access Program
    Installing Third-Party Software for Remote Management
    Configuring a Terminal Server for Remote Management
    Configuring Autologon for the Operating System and ViPNet Monitor
      Configuring Autologon for the Windows OS
  Working in the ViPNet Host Administrator Mode
    ViPNet Monitor Advanced Settings
      Restricting User Interface
      Program Startup Options
      Computer Locking Settings
      Traffic Protection Options
    Advanced Security Settings
    Setting the User Logon Mode
    Viewing the Event Log
  Start and Abnormal Termination Options

Chapter 12. Security Service Settings
  Changing a User Password
    Setting a User-Defined Password
    Setting a Random Password
    Setting a Random Numeric Password
  Configuring Encryption
  Managing External Storage Devices
    External Device Initialization
    Changing a Device PIN
  Configuring the ViPNet CSP Program

Chapter 13. Working with Certificates and Keys
  Viewing Certificates in the Certificate Manager Window
    Viewing Personal Certificates
    Viewing Trusted Root Certificates
    Viewing Issued Certificates
    Viewing the Certification Path
    Viewing Certificate Fields and Printing a Certificate
  Managing Certificates
    Installing Certificates in a Store
      Installing Certificates in a Store Automatically
      Installing Certificates in a Store Manually
    Choosing Certificates for Current Usage
    Renewing a Private Key and a Certificate
      Configuring Notification That a Private Key and a Certificate Have Expired
      Procedure of Renewing a Private Key and a Certificate
    Installing Certificates in Containers
      Installing a Certificate Automatically
      Installing a Certificate Manually
    Working with Certificate Requests
      Viewing a Certificate Request
      Deleting a Certificate Request
    Exporting a Certificate
      Certificate Export Formats
  Working with a Key Container
    Changing the Container Password
    Deleting a Password to a Key Container, If the Password Is Stored on a Computer
    Verifying a Key Container
    Installing a New Key Container and Changing the Key Container with the Current Certificate
    Moving a Key Container

Appendix A. Troubleshooting
  Collecting Information for Troubleshooting
  Common Issues
    Cannot Validate the Setup File's Signing Certificate
    Unable to Install or Upgrade the Program
    Cannot Install ViPNet Client in the Silent Mode
    Cannot Start the Program
    Incorrect Password or User Keys Not Found
    Cannot Log On with a Certificate
    Cannot Save the Password
    Cannot Connect to the Internet
    Cannot Connect to a ViPNet Host
    Cannot Address a Domain Host by Its DNS Name
    Cannot Connect to an Unprotected Host on a Local Network
    Cannot Establish Connection over the SSL Protocol
    Cannot Establish Connection over the PPPoE Protocol
    There is a Host Registered on the Network with the Identifier that Coincides with Your Host's Identifier
    Conflicting IP Addresses or DNS Names
    Cannot Start the MSSQLSERVER service
    Cannot Change Settings of the ViPNet Monitor Program
    Cannot Use a Hardware Random Numbers Generator
    Failures in the Work of Third-Party Programs
    Unable to Apply the Software Update Received from the Network Control Center
  Security Service Alerts
    Password Expired
    Current Certificate is Invalid or Not Found
    Current Private Key or the Corresponding Certificate Validity Period is Going to Expire
    Current Private Key Expired
    Valid Certificate Revocation List Not Found
    Certificate Issued on the Administrator's Initiative Has Been Installed

Appendix B. Keys and Certificates
  Cryptography Overview
    Symmetric Encryption
    Asymmetric Encryption
    Combining Symmetric and Asymmetric Encryption
    Combining a Hash Function and an Asymmetric Algorithm of a Digital Signature
  Public Key Certificates Overview
    Definition and Scope
    Structure
PKI in Public Key Cryptography.............................................................................................................. 279 Encrypting Documents Using Certificates ......................................................................................... 281 Encrypting ............................................................................................................................................ 281 Decrypting............................................................................................................................................ 282 Signing Digital Documents Using Certificates ................................................................................. 283 Signing................................................................................................................................................... 283 Verifying a Digital Signature ......................................................................................................... 283 Signing and Encrypting Digital Documents Using Certificates ................................................. 284 Signing and Encrypting ................................................................................................................... 284 Decrypting and Verifying ............................................................................................................... 285 Keys in ViPNet Software ...................................................................................................................................... 287 Symmetric Keys in ViPNet Software ............................................................................................................... 288 Appendix C. Events Tracked by the ViPNet Software .................................................................................... 
290 Blocked IP Packets ................................................................................................................................................. 291 Service Events and Allowed IP Packets Events ........................................................................................... 295 Appendix D. External Storage Devices .............................................................................................................. 297 Overview .......................................................................................................................................................... 297 Supported External Storage Devices .................................................................................................... 298 Appendix E. Recommendations on Providing Compatibility of the ViPNet Client Software with Third-Party Programs ............................................................................................................................................. 300 Compatibility of the ViPNet Software and the Hyper-V Technology ................................................ 301 Compatibility of the ViPNet Client Software and Cisco Agent Desktop .......................................... 302 Appendix F. Version History ................................................................................................................................. 303 What's New in Version 4.3 ....................................................................................................................... 303 What's New in Version 4.2 ....................................................................................................................... 304 What's New in Version 4.1 ....................................................................................................................... 
308 What's New in Version 4.0 ....................................................................................................................... 309 What's New in Version 3.2.10 ................................................................................................................. 315 What's New in Version 3.2.9 .................................................................................................................... 316 What's New in Version 3.2.8 .................................................................................................................... 316 What's New in Version 3.1.5 .................................................................................................................... 321 What's New in Version 3.1.4 .................................................................................................................... 322 What's New in Version 3.1.3 .................................................................................................................... 325 What's New in Version 3.1.2 .................................................................................................................... 326 Appendix G. Glossary ............................................................................................................................................. 332
Appendix H. Index .................................................................................................................................................. 340
Introduction
About This Document 13
About ViPNet Client 15
What's New in Version 4.3.1 20
System Requirements 21
Distribution Kit 22
Feedback 23
ViPNet Client Monitor 4.3. User's Guide | 12
About This Document

Audience
This document is intended for users of the ViPNet Client software. It contains information about the purpose and scope of ViPNet Client and its components, and recommendations on configuring and using the ViPNet Monitor software.
Note: In this document, ViPNet Monitor functionality is described given that a user has maximum permissions. If any program features or settings are not available, contact your ViPNet network administrator.
A ViPNet Client user does not have to be an information technology professional. However, at least the minimal level of exposure to network technologies, IP protocols, firewalls, security, tunneling and cryptography is recommended.
Document Conventions
This document uses the following conventions:

Table 1. Document conventions
Icon | Description
Warning: | Indicates an obligatory action or information that may be critical for continuing user operations.
Note: | Indicates a non-obligatory, but desirable action or information that may be helpful for users.
Tip: | Contains additional information.

Table 2. Conventions for highlighted information
Icon | Description
Name | The name of an interface element. For instance, the name of a window, a box, a button, or a key.
Key+Key | Shortcut keys. To use the shortcut keys, press and hold the first key and press the other keys.
Menu > Submenu > Command | A hierarchical sequence of elements. For instance, menu items or sections in the navigation pane.
Code | A file name, path, text file (code) fragment, or a command executed from the command line.
About ViPNet Client

ViPNet Client Purpose and Scope
The ViPNet Client software is intended for use in ViPNet networks managed with the ViPNet Administrator software or the ViPNet Network Manager program. ViPNet Client functions as a VPN client in a ViPNet network and ensures protection of a host from unauthorized access while you are working in a local or global network. The ViPNet Client software can be installed on any computer — a desktop computer, remote or mobile laptop, a server — with Windows OS to secure traffic.
ViPNet Client Components
The ViPNet Client software has the following components:
The ViPNet driver, which is a network protection low-level driver.
The ViPNet Monitor program.
The ViPNet MFTP transport module.
The ViPNet Application Control program.
The ViPNet Business Mail program.
The cryptographic service provider ViPNet CSP.
ViPNet Update System.
ViPNet Driver
The ViPNet driver (see Principle of the ViPNet Driver Operation on page 17) is a network protection low-level driver that encrypts and filters the IP traffic. The ViPNet driver interacts directly with the drivers of your computer's network interfaces (either physical or emulated), which ensures that the ViPNet driver is completely independent of the operating system and its undocumented features. The ViPNet driver intercepts and controls all IP traffic, whether inbound or outbound. One of the most important features of the ViPNet driver is its efficient control of IP traffic on system startup. The Windows OS uses only one service at its startup. The ViPNet driver and encryption keys are initialized before you access the system, in other words, before other OS services and drivers are started. As a result, the ViPNet driver is the first to get control over the TCP/IP stack. By the time the network adapter drivers are initialized, the ViPNet driver is ready to encrypt and filter traffic. Thus, the ViPNet driver provides a secure connection to the domain controller and control of applications' network activity, and blocks packets received from unprotected hosts. On the OS startup, the ViPNet Monitor software verifies its own checksums, warranting the integrity of the software, keys, host links and the list of applications that are allowed to access the network.
ViPNet Monitor
The main function of the ViPNet Monitor program is configuring the ViPNet driver (see Principle of the ViPNet Driver Operation on page 17) parameters and logging events associated with traffic processing by the driver in the IP packets registration log. If you exit ViPNet Monitor, the ViPNet driver continues protecting the IP traffic of the host, but in this case the information about IP packets processed by the ViPNet driver may fail to be saved to the IP packets registration log (the ViPNet driver can store no more than 10,000 log entries in its memory). The ViPNet Monitor program:
Allows you to configure the parameters of the integrated firewall (see Configuring the Integrated Firewall on page 109).
Allows you to manage the parameters of processing the FTP, HTTP, and SIP application protocols.
Provides a set of integrated features for protected exchange of messages, conferencing, file exchange, and more.
ViPNet MFTP
On a client (see Client (ViPNet client) on page 333), the ViPNet MFTP transport module ensures exchange of files, control envelopes and Business Mail envelopes with other ViPNet hosts. For more information about the transport module, see the document “ViPNet MFTP. Administrator’s Guide.”
ViPNet Application Control
ViPNet Application Control is an optional component of the ViPNet Client software. To control the network activity of applications on each host, you need to have a special entry in the ViPNet registration file. ViPNet Application Control allows you to:
Obtain information about all the applications attempting to access the Internet.
Limit, allow or block access to the Internet for an application.
View the events log to get information about applications' network activity.
For more information about the program, see the document “ViPNet Application Control. User’s Guide.”
ViPNet Business Mail
ViPNet Business Mail is an e-mail client for ViPNet users included in the ViPNet Client software. Business Mail is intended for exchanging e-mail messages with other ViPNet users. Using ViPNet Business Mail you can send and receive messages with file attachments, encrypt messages and attachments, and digitally sign them. Business Mail can automatically process incoming messages and files according to the rules specified (autoprocessing). For more information about ViPNet Business Mail, see the document “ViPNet Business Mail. User’s Guide.”
ViPNet CSP
The ViPNet CSP program is a cryptographic service provider that makes cryptographic functions available via the Microsoft CryptoAPI 2.0 interface. Thus, cryptographic functions implemented in accordance with Russian standards can be used in different programs, for example, Microsoft Office. ViPNet CSP allows you to:
Create and verify a digital signature.
Encrypt the data including email messages.
Perform authentication and protect connections over the TLS/SSL protocol.
Warning: When installing ViPNet CSP included in ViPNet Client, the TLS/SSL support is disabled by default. To enable the TLS/SSL support, run the ViPNet CSP setup program and add the component TLS/SSL protocol support.
For more information about the ViPNet CSP cryptographic service provider, see the document “ViPNet CSP. User’s Guide.”
ViPNet Update System
ViPNet Update System is responsible for receiving and installing software, keys, and host links updates in ViPNet Client, as well as for updating security policies that were sent from ViPNet Policy Manager. For more information, see the section ViPNet Update System.
Principle of the ViPNet Driver Operation
The ViPNet driver is the core of the ViPNet software. Its main functions are filtering, encryption and decryption of incoming and outgoing IP packets. Each outgoing IP packet is processed by the ViPNet driver in one of the following ways:
is encrypted and sent;
is sent as is (unencrypted);
is blocked (according to the network filters).
Each incoming IP packet is processed in one of the following ways:
is allowed (if the packet is unencrypted and the filters allow unencrypted traffic);
is decrypted (if the packet was encrypted);
is blocked (according to the network filters).
The ViPNet driver works between the data link and network layers of the OSI model, which allows processing IP packets before they reach the TCP/IP stack and, eventually, the application layer. Thus, the ViPNet driver protects IP traffic of all applications not affecting your usual workflow.
Figure 1. The ViPNet driver in the OSI model
Due to this approach, the introduction of the ViPNet technology does not require any changes in well-established business processes, and the ViPNet network deployment costs are not high.
Note: For the sake of simplicity, in the figure above:
The transport and session layers are combined into the transport layer.
The application and presentation layers are combined into the application layer.
The figure below demonstrates how the ViPNet driver participates in processing a request for viewing a web page. The web page is hosted by an IIS server installed on computer B.
Figure 2. TCP/IP network protected with the ViPNet software
Computer A requests computer B to display the web page over the HTTP protocol. This request is transferred to lower layers of the TCP/IP stack, and service information is added to this request in each of the layers. Then the ViPNet driver on computer A receives the request and encrypts it by adding its own information to the request. The ViPNet driver on computer B receives the request and removes service information from it. Then the ViPNet driver decrypts the request and sends it to the application layer via the TCP/IP stack for processing.
What's New in Version 4.3.1
This section contains a brief description of changes made in ViPNet Client 4.3.1 and its new features. For the history of changes made in previous versions, see Version History (on page 303).
RSA certificates
In version 4.3.1, you can install and use RSA certificates in ViPNet Client.
Limited functionality of ViPNet CSP when using the default installation settings
When installing ViPNet CSP included in ViPNet Client 4.3.1, the TLS/SSL support is disabled by default. You can enable the TLS/SSL support by running the ViPNet CSP installation file and adding the corresponding component.
Additional parameters in the ViPNet Business Mail autoprocessing settings
New autoprocessing parameters were added to ViPNet Business Mail. The new parameters allow you to configure email exchange parameters for ViPNet network users that do not have a partner network connection between them.
o A method for determining senders and recipients in the processing rules of BML files. Now you can not only define a sender and a recipient manually, but also automatically determine senders and recipients using a mapping file of the users in two ViPNet networks.
o It is now possible to remove signatures using the incoming emails filter. You can use this option if you do not need to or cannot verify digital signatures during email exchange.
System Requirements
The minimum system requirements for your computer to run ViPNet Client are as follows:
Processor: Intel Core 2 Duo or any other x86-compatible processor of similar characteristics with two or more cores.
RAM: 1 GB.
Free disk space: at least 150 MB (250 MB recommended).
A network interface or a modem.
Operating system: Microsoft Windows XP (32 bit), Server 2003 (32 bit), Vista (32/64 bit), Server 2008 (32/64 bit), Server 2008 R2 (64 bit), Windows 7 (32/64 bit), Windows 8 (32/64 bit), Windows 8.1 (32/64 bit), Server 2012 (64 bit), Server 2012 R2 (64 bit). You must install the latest service pack for your version of Windows.
If your operating system is other than Windows 8 or Windows Server 2012, the update rollup for time zones KB2570791 must be installed on your computer.
Internet Explorer 6.0 or later.
Note: No other firewalls should be installed on the computer.
Distribution Kit
The ViPNet Client distribution kit includes:
A program installation file.
Documentation in the PDF format:
o “ViPNet Client Monitor. User’s Guide.”
o “ViPNet Client. Quick Start.”
o “ViPNet Business Mail. User’s Guide.”
o “ViPNet MFTP. Administrator’s Guide.”
o “ViPNet Application Control. User’s Guide.”
o “ViPNet CSP. User’s Guide.”
o “ViPNet Network Deployment. Administrator’s Guide.”
o “ViPNet Permissions Classification. Supplement to ViPNet Documentation.”
o “New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.”
o “Glossary. Supplement to ViPNet Documentation.”
o “ViPNet Client/Coordinator. Information about Third-Party Software Components.”
o “ViPNet CSP. Information about Third-Party Software Components.”
Feedback

Finding Additional Information
For more information about Infotecs products and technologies, see the following resources:
ViPNet documentation web portal http://www.vipnet.com/redir/doc_vipnet/.
Information about current Infotecs products http://www.vipnet.com/redir/products/.
Information about Infotecs solutions http://www.vipnet.com/redir/solutions/.
Contacting Infotecs
We value any feedback from you. If you have any questions concerning Infotecs products and solutions, any suggestions, complaints or other feedback, feel free to contact us by means of the following:
Global contacts page http://www.vipnet.com/
Telephone (Germany): +49 (0) 30 206 43 66 0
Telephone (USA): +1 (646) 589-8571
Errata
Infotecs makes every effort to ensure that there are no errors or misprints in the text of all documents supplied with ViPNet software. However, no one is perfect, and mistakes do occur. If you find an error in one of our documents, like a spelling mistake or some inaccuracy in describing user scenarios or system features, we would be very grateful for your feedback. By sending in errata you may save other readers hours of frustration, and at the same time you will be helping us provide documentation of even higher quality.
1 Installing, Upgrading, and Uninstalling ViPNet Client
ViPNet Client Setup 25
Installing ViPNet Client in the Silent Mode 27
How to Use a Group Policy to Install ViPNet Client 29
Upgrading ViPNet Client 33
Adding, Removing, and Repairing ViPNet Client Components 36
Uninstalling ViPNet Client 38
Moving a ViPNet Host to Another Computer 39
ViPNet Client Setup
Warning: Before installing the ViPNet Client software, make sure that no third-party firewalls or applications performing network address translation (NAT) are installed on your computer. Using ViPNet Client and another firewall simultaneously may lead to conflicts between the programs and problems with network access.
Before you install ViPNet Client, make sure that network settings on your computer are standard and that the time zone, date and time are specified correctly. You must have Windows OS administrator rights to install the program. To install ViPNet Client, you need:
The setup file.
A key set for the host (a *.dst file) (see Key set on page 334). If several users are going to work on the host, an individual key set is required for each user.
The ViPNet host user password or external storage device (see External Storage Devices on page 297). The ViPNet network administrator provides you with the key set and user password (or an external device).
To install the ViPNet Client software:
1 Click the setup file. Wait until the preparation for installation is finished.
Note: After you start the setup program, you may be warned that the setup file's signing certificate cannot be verified. In this case, see Cannot Validate the Setup File's Signing Certificate (on page 253).
2 Read the terms and conditions of the license agreement. If you accept the terms and conditions, select the corresponding check box. Then click Continue.
3 If you want the computer to be restarted automatically after the software is installed, select the corresponding check box.
4 If you want to adjust the installation parameters, click Customize and specify:
o ViPNet Client components you are going to install.
o The path to the ViPNet Client components installation folder.
o The user name and organization.
o The name of the ViPNet Client folder on the Start menu.
To start ViPNet Client installation, click Install now.
Note: You can install ViPNet Client in the silent mode (see Installing ViPNet Client in the Silent Mode on page 27). In this mode, the installation process will not be displayed on the screen.
5 Depending on whether there are keys and host links installed earlier on this computer, do one of the following:
o If no keys and host links have been installed, install them (see Installing Keys and Host Links on page 42).
o If ViPNet software has already been installed on this computer and keys and host links have been deployed for it, then, on the ViPNet Monitor startup, specify the paths to the user keys and host keys folders (see Using Keys and Host Links Installed Previously on page 50).
Warning: In the latter case, we strongly recommend you not to obtain a new key set from the ViPNet network administrator and not to install new keys for the ViPNet Client software, because it may lead to ViPNet software malfunction.
6 If you manage your ViPNet network in ViPNet Network Manager version earlier than 4.3 or ViPNet Administrator version earlier than 4.4.1, the standard Windows Firewall will be automatically disabled at the first start of ViPNet Monitor. In later versions, the ViPNet network administrator manages the Windows Firewall. That is why, at the first start of ViPNet Monitor, Windows Firewall will be enabled or disabled depending on the settings specified by the ViPNet network administrator.
Installing ViPNet Client in the Silent Mode
If you install ViPNet Client in the silent mode, the user interface of the installation program is not displayed on the computer screen. You start the installation from the Windows command line and set the same parameters that a user sets when installing the program in the regular mode. When you use the silent mode, you can install the program remotely or create a program that calls the Windows command line and automatically starts the program installation with the preset parameters. For example, you may write a logon script that starts the program installation automatically at system startup. You may find information about writing logon scripts on the Microsoft web page http://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx. To start the ViPNet Client setup program in the silent mode, in the Windows command line, execute one of the following commands:
/qn for silent mode installation without displaying the process on the screen;
/qb for silent mode installation displaying the progress bar.
If necessary, you may specify additional ViPNet Client setup options in the command line (see Additional Setup Options in the Silent Mode on page 27). After the installation process is started, you cannot change the setup parameters.
Note: Wait for several minutes after you start setup in the silent mode. If it seems that the installation has been completed unsuccessfully (no shortcut appears on the desktop, the computer is not restarted), see Cannot Install ViPNet Client in the Silent Mode (on page 254).
In the silent mode, ViPNet Client is installed in the following folders:
If you install ViPNet Client on this computer for the first time, it is installed in:
o The folder C:\Program Files\infotecs\ViPNet Client for the 32-bit Windows OS.
o The folder C:\Program Files (x86)\infotecs\ViPNet Client for the 64-bit Windows OS.
The current installation folder, if ViPNet Client has already been installed on this computer.
Additional Setup Options in the Silent Mode
If necessary, in the command line, specify additional setup options:
If you want to install only some of the ViPNet Client components, list them in the command line. To do this, use the following parameter:
ADDLOCAL=""
ViPNet Client components are as follows:
o Core is the base software component.
o Monitor is the ViPNet Monitor program.
o RF is the ViPNet Application Control program. This component can be installed only if the ViPNet Monitor component is also installed.
o BM is ViPNet Business Mail.
Warning: The Core component is mandatory for the installation.
If you do not specify the software components using the ADDLOCAL parameter, all of them will be installed.
If you want desktop shortcuts to be created for the installed components, set CREATESHORTCUT_DESKTOP="Yes"
In the command line, you may also specify the computer restart options after the installation process is completed:
o /forcerestart to force a computer restart after the installation has been completed (set by default in the silent mode);
o /norestart to disable the forced computer restart after the installation.
Suppose you want to install ViPNet Client in the silent mode under the following conditions: your computer must not restart after the installation, the ViPNet Application Control component must not be installed, and desktop shortcuts must be created for the installed components. To do this, execute the following command:
/qn /norestart ADDLOCAL="Core,Monitor,BM" CREATESHORTCUT_DESKTOP="Yes"
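As an added example (not from the ViPNet documentation), the following PowerShell function builds the silent-install argument string from the options described in this section and rejects component sets the guide says are invalid (Core missing, or RF without Monitor). The function and parameter names are my own, and the setup file path is a placeholder because the guide does not name the setup file.

```powershell
# Added example, not from the ViPNet documentation. Builds the argument string
# for a silent ViPNet Client installation from the options this section lists
# (/qn or /qb, /forcerestart or /norestart, ADDLOCAL, CREATESHORTCUT_DESKTOP).
function New-ViPNetSilentInstallArgs {
    [CmdletBinding()]
    param(
        # Components to install. Names documented in the guide: Core, Monitor, RF, BM.
        # Omitting ADDLOCAL installs everything, so the default is the full set.
        [string[]]$Components = @('Core', 'Monitor', 'RF', 'BM'),
        [switch]$ShowProgressBar,   # /qb (progress bar) instead of /qn (fully silent)
        [switch]$NoRestart,         # /norestart instead of the silent-mode default /forcerestart
        [switch]$DesktopShortcuts   # adds CREATESHORTCUT_DESKTOP="Yes"
    )

    $validNames = @('Core', 'Monitor', 'RF', 'BM')
    foreach ($name in $Components) {
        if ($validNames -notcontains $name) {
            throw "Unknown ViPNet Client component '$name'. Valid names: $($validNames -join ', ')."
        }
    }
    # Guide: the Core component is mandatory for the installation.
    if ($Components -notcontains 'Core') {
        throw 'The Core component is mandatory for the installation.'
    }
    # Guide: RF can be installed only if the Monitor component is also installed.
    if (($Components -contains 'RF') -and ($Components -notcontains 'Monitor')) {
        throw 'RF (ViPNet Application Control) requires the Monitor component.'
    }

    $parts = @()
    $parts += $(if ($ShowProgressBar) { '/qb' } else { '/qn' })
    $parts += $(if ($NoRestart) { '/norestart' } else { '/forcerestart' })
    $parts += ('ADDLOCAL="{0}"' -f ($Components -join ','))
    if ($DesktopShortcuts) { $parts += 'CREATESHORTCUT_DESKTOP="Yes"' }
    return ($parts -join ' ')
}

# The scenario from this section: no restart, no Application Control, desktop shortcuts.
$argString = New-ViPNetSilentInstallArgs -Components 'Core', 'Monitor', 'BM' -NoRestart -DesktopShortcuts
# $argString is now: /qn /norestart ADDLOCAL="Core,Monitor,BM" CREATESHORTCUT_DESKTOP="Yes"

# Placeholder path (hypothetical): the guide does not name the setup file, so substitute your own.
$setupPath = 'C:\Deploy\<ViPNet Client setup file>'
$proc = Start-Process -FilePath $setupPath -ArgumentList $argString -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # A non-zero exit code is the cue to consult "Cannot Install ViPNet Client
    # in the Silent Mode" rather than assume the installation succeeded.
    Write-Warning "ViPNet Client setup exited with code $($proc.ExitCode)."
}
```

Calling the function with -Components 'Core','RF' throws before anything is launched, which is the check you want in a logon script that runs unattended.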
How to Use a Group Policy to Install ViPNet Client
You can automate ViPNet Client software installation on user computers in your corporate network by using Active Directory group policies. You need to ensure the installation of the following components:
MSI for the ViPNet Client program.
MSI for the ViPNet CSP program. ViPNet CSP is an essential component of ViPNet Client.
MSI packages containing Visual C++ redistributables.
All these software components have different versions for 32-bit and 64-bit OS. Choose a version complying with your OS. You can install only some of ViPNet Client and ViPNet CSP components if necessary. To do this, use the corresponding configuration files in the MST format, which contain the following installation parameters:
monitor_only.mst to install only ViPNet Monitor.
monitor_and_bm.mst to install ViPNet Monitor and ViPNet Business Mail.
csp_only_base.mst to install only the core components of ViPNet CSP.
Take into account that software installation by using group policies on computers running Windows XP and Windows Server 2003 OS has some specific aspects that are described below. Let's consider a corporate network scheme where both 32-bit and 64-bit operating systems are used. There are also computers running Windows XP or Windows Server 2003.
Note: In this section, the interface description is based on Windows Server 2008. The interface of other Windows Server versions may have minor distinctions.
To install ViPNet Client by using Active Directory Group Policy, create two Group Policy objects (GPOs): one for all computers on your network that run Windows versions later than Windows XP and Windows Server 2003 (hereinafter referred to as new Windows versions); the other for computers running Windows XP and Windows Server 2003.

To create a GPO for installing software on computers with new Windows versions:
1. Create a distribution point. To do this, create a new folder in the Netlogon share on the domain controller and copy the following folders and files to it:
o ViPNet Client MSI packages for 32-bit and 64-bit OS.
o ViPNet CSP MSI packages for 32-bit and 64-bit OS.
o *.MST files containing installation parameters for the ViPNet Client and ViPNet CSP MSI packages.
o The folders \2008_x86, \2008_x64, and \2010_x86 containing MSI packages and the corresponding CAB archives for the 32-bit and 64-bit versions of the Visual C++ redistributables.
2. In the Active Directory domain, create one or several groups of computers running new Windows versions on which you are going to install ViPNet Client using group policies.
3. Create a new GPO and link it to the domain.
4. Open the GPO properties dialog box and, on the Scope tab, click Add to add the groups of computers running new Windows versions.
5. Open the GPO editor.
6. Go to Computer Configuration\Policies\Software Settings\Software Installation and do the following:
o Add all installation packages stored in the distribution point you created. To do this, select the Assigned deployment method and specify the path to the MSI files.
Tip: If the ViPNet Client and ViPNet CSP installation packages you use have different bitness, for each package, on the Common tab, in the Name box, edit the default name so that it includes the bitness.
Figure 3. Specifying the bitness in the name of a new installation package
To install only some of the ViPNet Client and ViPNet CSP components, select the Advanced deployment method and, on the Modifications tab, specify the path to the MST files.
o When you add two installation packages of different bitness for the same program, by default the second package is treated as an update of the first one. To make the installation packages independent of each other, when adding the second package, on the Updates tab, select the first package and click Remove.
Figure 4. Unlinking installation packages
o Prevent the 32-bit versions of ViPNet Client and ViPNet CSP from being installed on 64-bit OS computers. To do this, open the application properties window from the context menu. On the Deployment tab, click Advanced. In the displayed window, clear the Make this 32-bit X86 application available to Win64 machines check box.
Figure 5. Advanced options for 32-bit components
o Make sure that the Make this 32-bit X86 application available to Win64 machines check box is selected for the 32-bit versions of the Visual C++ redistributables.
7. Save the GPO by clicking OK.
To create a GPO for installing software on computers with Windows XP and Windows Server 2003:
1. Create the distribution point. To do this, create a network folder on the domain controller. Grant the Authenticated Users group full access permissions to this folder (do not use the default Netlogon and Sysvol folders) and copy the 32-bit versions of the installation packages to it:
o ViPNet Client MSI package for 32-bit OS.
o ViPNet CSP MSI packages for 32-bit OS.
o *.MST files containing installation parameters for the ViPNet Client and ViPNet CSP MSI packages.
o The folders \2008_x86 and \2010_x86 containing MSI packages and the corresponding CAB archives for the 32-bit versions of the Visual C++ redistributables.
2. In the Active Directory domain, create a group that contains all computers running Windows XP and Windows Server 2003.
3. Create a new GPO and link it to the domain.
4. Open the GPO properties dialog box and, on the Scope tab, click Add to add the groups of computers running Windows XP and Windows Server 2003.
5. Open the GPO editor.
6. In Computer Configuration > Policies > Software Settings > Software Installation, add all installation packages stored in the distribution point you created. To do this, select the Assigned deployment method and specify the path to the MSI files. To install only some of the ViPNet Client and ViPNet CSP components, select the Advanced deployment method and, on the Modifications tab, specify the path to the MST files.
7. Save the GPO by clicking OK.

After you have created the GPOs for automated installation of ViPNet Client and the other software components, restart the user computers. You can also configure automatic installation without restarting the user computers: when you add an installation package, in the properties dialog box of the program, on the Deployment tab, select the Install this application at logon check box. In this case, the software is installed automatically the next time the user logs on to the system. After ViPNet Client is installed, install ViPNet keys on each ViPNet host. For more information on how to use Group Policy to install programs, see the Microsoft web site http://support.microsoft.com/kb/816102/.
Upgrading ViPNet Client

If a new version of the ViPNet Client software has been released, you can upgrade the software on your computer.
Warning: You can upgrade your software to version 4.x only if you have version 3.2.x or later installed. If your software version is earlier, first upgrade it to version 3.2.x and then to version 4.x; otherwise, the upgrade to version 4.x will fail. Before you start upgrading, exit the program. If you start upgrading while the program is running, the settings made before the upgrade may be missing in the new version; for example, private network settings may be unapplied.
Before the upgrade, your license is verified. If the upgrade version is later than the one permitted by your license, the software is not upgraded. In this case, to restore the host's operability, uninstall the new software version and reinstall the version permitted by your license.
You can upgrade the software in several ways:
o You can accept an upgrade sent centrally to your host by the ViPNet network administrator using the ViPNet Network Control Center. Such upgrades are accepted automatically (see Upgrading from ViPNet Network Control Center on page 33).
o You can upgrade ViPNet Client by accepting a Windows group policy (see Receiving Upgrades with Group Policies on page 34) or by accepting updates in the Windows Update Center (see Receiving Upgrades in Windows Update Center on page 34). Such updates are sent centrally by the ViPNet network administrator using the Windows tools for creating group policies.
o You can upgrade the program manually with a new setup file.
Note: On a computer running Windows XP or Windows Vista, after you start the upgrade, you may be warned that the setup file's signing certificate cannot be verified. In this case, see Cannot Validate the Setup File's Signing Certificate (on page 253).
Upgrading from ViPNet Network Control Center

If a ViPNet Client upgrade was sent from ViPNet Network Control Center, you can accept it on your ViPNet host with the ViPNet Update System. Depending on the ViPNet Monitor settings, you either receive ViPNet Client upgrades automatically or are prompted about available upgrades.

Receiving Upgrades with Group Policies

The ViPNet network administrator can send the ViPNet Coordinator software upgrades to your network host as a group policy, using the group policy management tools. Such upgrades are installed together with the group policies on your network and do not require any action from you. For information about group policies and how to use them, go to the Microsoft web page http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx.

Receiving Upgrades in Windows Update Center

The ViPNet network administrator can send ViPNet Client upgrades to your network host using update management tools (for example, Microsoft System Center Essentials). Such upgrades are installed on your computer from the Windows Update Center.
Warning: During the upgrade, it is verified whether the license allows you to install this upgrade. If the upgrade version is later than the one allowed by the license, the software is not upgraded.
To install the received upgrades:
1. On the Start menu, choose All Programs > Windows Update.
2. In the Windows Update window, check for upgrades. If there are any, the Install Updates button becomes available.
3. To upgrade ViPNet Client, select ViPNet Client and ViPNet CSP for upgrading. Then click Install Updates.
4. Wait until the upgrade is completed. If necessary, restart your computer.
Upgrading ViPNet Client with the Setup File

Get the setup file of the new software version. Then:
1. Click the setup file. Wait until the preparation is finished.
2. In the ViPNet Update ViPNet Client window, specify the upgrade options:
o If the version number of the ViPNet CSP program installed on your computer is the same as the version number specified in the setup file, the Restore ViPNet CSP check box is displayed in this window. Select this check box if you want to reinstall ViPNet CSP during the upgrade.
Tip: If ViPNet CSP functions well on this computer, you may leave the check box clear. In this case, ViPNet Client is upgraded faster.
If the ViPNet CSP version running on the host differs from the version in the setup file, the check box is unavailable and the ViPNet CSP program is reinstalled automatically.
o If you want the computer to restart automatically after the ViPNet Client upgrade, select the corresponding check box.
Figure 6. ViPNet Client upgrade options
3. Click Start update.
4. If some ViPNet programs are still running, you may be notified that they cannot be upgraded. In this case, exit all running ViPNet programs and continue.
5. Wait until the upgrade is completed. If you chose to restart the computer automatically, your computer restarts after the upgrade is completed. Otherwise, in the last setup window, click Close and restart your computer manually.
Adding, Removing, and Repairing ViPNet Client Components

If necessary, you can install or uninstall ViPNet Client components or repair the software. For example, this is how you can install ViPNet Business Mail on a host of a ViPNet VPN network. To perform these operations, you need a ViPNet Client setup file of the required version.
Note: If you uninstall any ViPNet Client components, the user data (ViPNet keys and host links, settings, and other data) is kept and may be used after the software is reinstalled.
To add or remove a component or to repair ViPNet Client, do the following:
1. Run the setup file. Wait until the preparation for the components' installation is finished.
2. In the Reinstall or remove your ViPNet software window, click the required option:
o to add or remove a component, click Add or remove components;
o to repair the software, click Reinstall.
If you want the computer to restart automatically after the changes to ViPNet Client, select the corresponding check box.
Figure 7. Modifying installed components
Then click Continue.
3. If you install or uninstall any ViPNet software components, make the necessary changes in the Choose components window. Then click Continue.
4. Wait for the operation to be completed. Then click Close.
5. If you chose to restart the computer automatically, your computer restarts after the operation is completed. Otherwise, in the completing update window, click Close and restart your computer manually.
Uninstalling ViPNet Client

If necessary, you can uninstall the ViPNet Client program and all its components from your computer. When you uninstall ViPNet Client, you can keep the data generated and used in your workflow: ViPNet keys and host links, program settings, ViPNet Business Mail messages, and other data.
To delete ViPNet Client from your computer:
1. Run the setup file. Wait until the preparation for uninstallation is finished.
2. On the components page, select Remove All Components. If you want the computer to restart automatically after the software is uninstalled, select the corresponding check box.
3. Click Continue.
4. Depending on whether you want to keep the user data, select or clear the Delete all user data check box.
5. To continue, click Uninstall.
6. Wait until the software is uninstalled. If you chose to restart the computer automatically, your computer restarts after the software is uninstalled. Otherwise, in the software uninstalling complete window, click Finish, and then restart the computer manually.
Tip: You can also completely uninstall ViPNet Client by choosing Install ViPNet Client in the Start menu or on the Start screen. The user data is kept.
Moving a ViPNet Host to Another Computer

You can move a functioning ViPNet host from one computer to another (for example, when replacing a computer with a new one) and keep the current configuration of the ViPNet Monitor software and the Business Mail messages. To do that, copy the keys and host links, the email store, and other data from the ViPNet Client folder to your new computer. Backups of the keys and host links also allow you to restore the ViPNet host after you reinstall the operating system.
Warning: You cannot use the instructions in this section to move your ViPNet host from a 32-bit Windows OS to a 64-bit one or vice versa, because this may lead to ViPNet software malfunction. If you still need to do so, you can move your ViPNet host correctly only by installing the keys and host links on the new computer by using the key set.
After moving the keys and host links, delete the original ones. You cannot install the same keys on several computers.
To move the keys and host links:
1. Copy the following folders and files from the ViPNet Client installation folder to an external device or another safe location:
o \d_station;
o \databases;
o \Protocol (if you need to copy the protocols of protected instant messaging);
o \TaskDir (if you need to copy files received via File Exchange);
o the user keys folders, usually \user_AAAA (where AAAA is the hexadecimal identifier of a ViPNet user without the network number). In some cases, the ViPNet Client installation folder itself serves as the user keys folder; in that case, copy the \key_disk folder;
o \MS;
o \MSArch (if you need to copy Business Mail archives);
o autoproc.dat (this file is present if autoprocessing rules are configured);
o wmail.ini;
o AP*.TXT files: APAXXXX.TXT, APCXXXX.TXT, APIXXXX.TXT, APLXXXX.TXT, APNXXXX.CRC, APNXXXX.CRG, APNXXXX.TXT, APSXXXX.TXT, APUXXXX.TXT (where XXXX is the hexadecimal identifier of a ViPNet host without the network number);
o infotecs.re;
o iplir.cfg, iplirmain.cfg;
o ipliradr.do$;
o linkXXXX.txt, nodeXXXX.tun (where XXXX is the hexadecimal identifier of a ViPNet host without the network number);
o mftp.ini.
Note: By default, ViPNet Client is installed in the C:\Program Files\infotecs\ViPNet Client folder on 32-bit Windows versions and in the C:\Program Files (x86)\infotecs\ViPNet Client folder on 64-bit versions. Some of the files and folders listed above may be missing from the ViPNet Client program folder.
2. Before you move the keys and host links to the new computer, install ViPNet Client on it, but do not install keys and host links.
3. When you move the copied keys and host links to a computer with ViPNet Client, make sure that no keys and host links of any other host are installed on that computer. If the keys and host links of some other host are already installed, remove them as described in Uninstalling Keys and Host Links (on page 54) or delete the following folders and files:
o the user keys folders \user_BBBB (where BBBB is the hexadecimal identifier of a ViPNet user without the network number);
o the files AP*.TXT, APNYYYY.CRC, APNYYYY.CRG (where YYYY is the hexadecimal identifier of a ViPNet host without the network number).
4. Place the keys and host links copied in step 1 in the new ViPNet Client installation folder (move and replace).
5. In the wmail.ini file, set the MSDir and MSArchDir parameters to the path of the new ViPNet Client installation folder.
6. If necessary, in the mftp.ini file, replace the path to the old ViPNet Client installation folder with the path to the new folder in all the parameters concerned.
7. Delete the certlist.sst file located in the \d_station\abn_AAAA subfolder (where AAAA is the hexadecimal identifier of a ViPNet user without the network number).
8. Start ViPNet Monitor. In the logon window, open the menu to the right of the Setup button and choose User Keys Folder. Specify the path to the user keys folder.
9. Log on to ViPNet Monitor.
10. Install the key container (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249).
11. On the computer you moved the host from, delete the original keys and host links (see Uninstalling Keys and Host Links on page 54).
Now you can work with the ViPNet Client software.
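As an added example that is not part of the ViPNet documentation, the following PowerShell script performs the copy in step 1 and the check in step 3 of this procedure: it backs up every folder and file listed above that exists in the source installation folder, and reports whether an installation folder already holds the keys of another host. The installation paths, the backup location and the function names are assumptions.

```powershell
# Added example, not from the ViPNet documentation. Assumes ViPNet Client is in its
# default 64-bit installation folder; all paths and function names are assumptions.
# Run in an elevated PowerShell session on the Windows host.

# Folders named in step 1 of the procedure. Some may be absent on a given host.
$VipnetFolders = @('d_station', 'databases', 'Protocol', 'TaskDir', 'key_disk', 'MS', 'MSArch')

# Files named in step 1. XXXX is the host identifier, so wildcards stand in for it.
$VipnetFilePatterns = @(
    'autoproc.dat', 'wmail.ini', 'infotecs.re', 'iplir.cfg', 'iplirmain.cfg',
    'ipliradr.do$', 'mftp.ini',
    'AP*.TXT', 'APN*.CRC', 'APN*.CRG', 'link*.txt', 'node*.tun'
)

function Backup-ViPNetHostData {
    <# Copies the keys, host links and user data of a ViPNet host from $SourceRoot
       to $BackupRoot. Returns an object listing what was copied and what was missing. #>
    param(
        [Parameter(Mandatory)] [string]$SourceRoot,
        [Parameter(Mandatory)] [string]$BackupRoot
    )
    if (-not (Test-Path -LiteralPath $SourceRoot -PathType Container)) {
        throw "Source folder not found: $SourceRoot"
    }
    # The backup location should be restricted-access storage (an external device or
    # a protected share), as the guide requires; the script creates it but sets no ACLs.
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    $copied  = New-Object System.Collections.Generic.List[string]
    $missing = New-Object System.Collections.Generic.List[string]

    # User keys folders \user_AAAA (one per ViPNet user) plus the fixed folders.
    $folderNames = @(Get-ChildItem -LiteralPath $SourceRoot -Directory -Filter 'user_*' |
                     ForEach-Object Name) + $VipnetFolders
    foreach ($name in $folderNames) {
        $src = Join-Path $SourceRoot $name
        if (Test-Path -LiteralPath $src -PathType Container) {
            Copy-Item -LiteralPath $src -Destination (Join-Path $BackupRoot $name) -Recurse -Force
            $copied.Add($name)
        } else {
            $missing.Add($name)
        }
    }

    foreach ($pattern in $VipnetFilePatterns) {
        $files = @(Get-ChildItem -LiteralPath $SourceRoot -File -Filter $pattern)
        if ($files.Count -eq 0) { $missing.Add($pattern); continue }
        foreach ($f in $files) {
            Copy-Item -LiteralPath $f.FullName -Destination (Join-Path $BackupRoot $f.Name) -Force
            $copied.Add($f.Name)
        }
    }
    [pscustomobject]@{ Copied = $copied.ToArray(); Missing = $missing.ToArray() }
}

function Test-ViPNetOtherHostKeys {
    <# Step 3 check: returns $true if the installation folder on the new computer
       already holds user keys folders or host key files, i.e. keys of another host. #>
    param([Parameter(Mandatory)] [string]$InstallRoot)
    $userDirs = @(Get-ChildItem -LiteralPath $InstallRoot -Directory -Filter 'user_*')
    $keyFiles = @()
    foreach ($p in @('AP*.TXT', 'APN*.CRC', 'APN*.CRG')) {
        $keyFiles += @(Get-ChildItem -LiteralPath $InstallRoot -File -Filter $p)
    }
    return ($userDirs.Count + $keyFiles.Count) -gt 0
}

$installRoot = 'C:\Program Files (x86)\infotecs\ViPNet Client'   # assumed default path

# On the old computer (step 1): back up to an external device (path is an assumption).
$result = Backup-ViPNetHostData -SourceRoot $installRoot -BackupRoot 'E:\vipnet-host-backup'
"Copied: $($result.Copied -join ', ')"
"Not present on this host: $($result.Missing -join ', ')"

# On the new computer (step 3): refuse to move the backup in while foreign keys remain.
if (Test-ViPNetOtherHostKeys -InstallRoot $installRoot) {
    "Installation folder already contains keys of another host; remove them first (step 3)."
}
```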
2 Installing and Updating Keys and Host Links

Installing Keys and Host Links (page 42)
Using Keys and Host Links Installed Previously (page 50)
Updating Keys, Host Links, and Security Policies (page 51)
Uninstalling Keys and Host Links (page 54)
What Should I Do at Key Compromise? (page 55)
Installing Keys and Host Links

You should install keys and host links when you deploy ViPNet software on your network host, when you add new ViPNet users to your host, and in some other cases, for example when the keys and host links installed on your host have been damaged or are outdated. If you want to install keys and host links for the first time and for one user, follow the instructions in Installing Keys and Host Links for One User (on page 43). In the cases listed below, read the corresponding sections before installing keys and host links:
o If more than one user is to work on a host, or you are going to add a new user to a host with users already working on it, see Installing Keys and Host Links for Several Users on One Host (on page 44).
o If you want to set the folders for storing the keys and host links, see Advanced Mode of Keys and Host Links Installation (on page 45).
o If there are several ViPNet programs on a ViPNet host, but no keys and host links are installed for any of them, see Using Keys and Host Links Installed Previously (on page 50).
Note: If the host has keys and host links installed for any ViPNet program, follow the guidelines in Using Keys and Host Links Installed Previously (on page 50).
o If you want to install keys and host links by using the Windows command line, see Installing Keys and Host Links in the Silent Mode (on page 47).
o If the key set contains an RSA certificate, follow the instructions in Installing RSA Certificates (on page 228).
o If, due to a program or system failure, you cannot log on to ViPNet Monitor and therefore have to perform a recurrent installation of keys and host links, see Recurrent Installation of Keys and Host Links after a Program Failure (on page 48).
In a ViPNet network managed with the ViPNet Administrator software, a backup set of personal keys (on page 332) is transferred to each user in a key set. The file containing the backup set of personal keys is AAAA.pk (where AAAA is the ViPNet user identifier). When keys and host links are installed, it is stored in the user keys folder (on page 337). For security purposes, after the first installation of keys and host links, we recommend that you move the backup set of personal keys from the user keys folder to an external storage device and keep it in a safe place with restricted access (for example, a safe). After you receive a backup set of personal keys, you are personally liable for its safety.
Warning: If someone has gained access to your backup set of personal keys, or you suspect this may have happened, follow the instructions in What Should I Do at Key Compromise? (on page 55).
Installing Keys and Host Links for One User

To install keys and host links:
1. Get a key set (on page 334) from the ViPNet network administrator.
2. Exit all ViPNet Client components (see Finishing the Work with ViPNet Monitor on page 65).
3. Start the key setup program in one of the following ways:
o Double-click the key set file.
o Start ViPNet Monitor. Then, in the logon window, open the menu to the right of the Setup button and click Install keys.
Figure 8. Starting KeySetup
4. If there are ViPNet programs running on your computer, you will be prompted to exit them. Exit the programs and click Retry.
5. If, on the Specify a key set file page, the file location is not displayed, specify it by using the Browse button.
6. Make sure that you have chosen the key set intended for your host. The host and user names are displayed below the path to the key set. If necessary, specify another key set.
Figure 9. Choosing a key set file
By default, keys and host links are installed in the ViPNet Client installation folder. If necessary, you can specify other folders for installing them (see Advanced Mode of Keys and Host Links Installation on page 45).
7. Click Install keys.
Note: The Install keys button may be disabled if more than one ViPNet program is installed on the host (see Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed on page 47).
8. If the keys installation is completed successfully, the corresponding message is displayed.
9. To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close. If the keys installation has failed, read the error message and contact the ViPNet network administrator.
Upon successful keys installation, you can start ViPNet Client.
Installing Keys and Host Links for Several Users on One Host

If more than one user is going to work on a host, install keys for each user. If some user already works on this ViPNet host and you want to add new users, install the keys only for the new users.
Note: You cannot install the keys and host links for several users belonging to different ViPNet networks on one computer.
To install keys and host links for several users on one computer:
1. Get a key set for each new user from the ViPNet network administrator.
2. Install keys and host links (see Installing Keys and Host Links for One User on page 43) by using the key set of each new user, one by one.
As a result, the list of users in the logon window shows all the users whose keys and host links you have installed on this host.
Advanced Mode of Keys and Host Links Installation

By default, keys and host links are installed in the program installation folder. If necessary, you can install keys and host links in the advanced mode, which lets you select the folders for installing them. You may need this when:
o You want to store your keys and host links on a dedicated removable drive for security reasons.
o You do not have rights to edit or save files in the folder C:\Program Files\ or C:\Program Files (x86)\ (including the program installation folder).
The folders you specify manually in the advanced mode must meet the following requirements:
o The folders do not contain the keys and host links of any other ViPNet program.
o You have the rights to edit and save files in these folders.
o The information in these folders is protected in accordance with your company's security requirements.
o The ViPNet Client software has constant access to these folders.
Warning: If you specify the folders incorrectly, the installation may fail. We do not recommend using the advanced mode unless you really need to.
To install keys in the advanced mode:
1. Get a new key set from the ViPNet network administrator.
2. Follow the instructions in Installing Keys and Host Links for One User (on page 43). On the Specify a key set file page (see figure 9 on page 44), select the Advanced mode (for ViPNet administrators only) check box and click Next.
3. On the next page:
o In the Folder for ViPNet host keys box, specify the folder where the keys and host links of the ViPNet host will be installed.
o In the Folder for ViPNet user keys box (see User keys folder on page 337), specify the folder where the keys and host links of the ViPNet user will be installed.
Figure 10. Specifying installation folders for ViPNet host keys and for user keys in the advanced mode
4. To start the installation, click Update keys.
5. If the keys installation has been completed successfully, the corresponding message is displayed. To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close. If the keys installation has failed, read the error message and contact the ViPNet network administrator.
6. At the first startup of ViPNet Client, select the folders where you installed the host keys and the user keys. To do this:
o In the logon window, open the menu to the right of the Setup button and choose ViPNet Host Keys Folder. In the Browse window, specify the path to the required folder.
o Again, open the menu to the right of the Setup button and choose User Keys Folder. Specify the path to the user keys folder.
Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed

If, apart from your ViPNet program, other ViPNet programs are installed on the host, but keys and host links have been installed for none of them, you should choose the program whose installation folder will be used for storing the keys and host links.
Warning: If keys and host links are already installed for some of the ViPNet programs on your host, do not install new keys and host links. In this case, follow the guidelines in Using Keys and Host Links Installed Previously (on page 50).
To install keys and host links:
1. Start installing keys and host links (see Installing Keys and Host Links for One User on page 43). After specifying the key set file, click Next.
2. In the ViPNet program selection window, select ViPNet Client. As a result, the keys and host links will be installed in the ViPNet Client installation folder.
Note: In the advanced mode of keys installation (see Advanced Mode of Keys and Host Links Installation on page 45), this window is not displayed.
3. If the keys installation has been completed successfully, the corresponding message is displayed. To view information about the keys installation, click the Details about actions made link. To finish the keys installation, click Close. If the keys installation has failed, read the error message and contact the ViPNet network administrator.
4. At the first start of the other ViPNet programs installed on the host, when you are prompted to select the host keys folder, select the ViPNet Client installation folder.
Upon successful keys installation, start the ViPNet Client program.
Installing Keys and Host Links in the Silent Mode

If you install keys and host links in the silent mode, the user interface of the installation program is not displayed on the screen. You can start the installation in this mode from the Windows command line. The parameters that you normally set when installing in the regular mode (see Installing Keys and Host Links for One User on page 43) must be passed on the Windows command line when installing in the silent mode. Using the silent mode, you can install keys and host links remotely, or create a program that calls the Windows command line and starts the installation of keys and host links automatically with preset parameters. For example, you may write a logon script that starts the installation of keys and host links automatically at system startup. For information about writing logon scripts, see the Microsoft web page http://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx.
To start the keys and host links setup program in the silent mode, execute the following command in the Windows command line:
keysetup <*.dst file> /td /term /check
For example:
"C:\Program Files (x86)\infotecs\ViPNet Client\keysetup" "C:\keys\abn_0002.dst" /td "C:\Program Files (x86)\infotecs\ViPNet Client" /term /check
Warning: You can specify only an existing folder as the installation folder for the keys and host links. If you specify a folder that does not exist, the keys will not be installed.
After the operation completes successfully, start ViPNet Client.
Tip: To learn more about Windows Command Line options for keys and host links installation, execute the command: keysetup /?
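As an added example that is not part of the ViPNet documentation, the following PowerShell logon script wraps the silent keysetup command shown above with the /td, /term and /check options, checking beforehand that the installation folder exists (the guide warns that a non-existent folder makes the keys installation fail). The file paths, the keysetup.exe file name, the log location, the function name and the meaning of the exit code are assumptions.

```powershell
# Added example, not from the ViPNet documentation. Paths, the keysetup.exe file
# name and the function name are assumptions; the guide does not document keysetup
# exit codes, so treating a non-zero exit code as failure is also an assumption.

function Install-ViPNetKeysSilently {
    param(
        [Parameter(Mandatory)] [string]$KeySetFile,                   # the *.dst key set
        [string]$InstallFolder = 'C:\Program Files (x86)\infotecs\ViPNet Client',
        [string]$KeySetup = 'C:\Program Files (x86)\infotecs\ViPNet Client\keysetup.exe'
    )
    # Refuse to run if the keys setup program or the key set is not where expected.
    if (-not (Test-Path -LiteralPath $KeySetup -PathType Leaf)) {
        Write-Error "keysetup not found: $KeySetup"; return $false
    }
    if (-not (Test-Path -LiteralPath $KeySetFile -PathType Leaf)) {
        Write-Error "Key set file not found: $KeySetFile"; return $false
    }
    # The guide warns that /td must name an existing folder, otherwise the keys are
    # not installed. Check it here instead of discovering it from a silent failure.
    if (-not (Test-Path -LiteralPath $InstallFolder -PathType Container)) {
        Write-Error "Installation folder does not exist: $InstallFolder"; return $false
    }
    # keysetup <dst> /td <folder> /term /check, as in the guide's command line.
    $proc = Start-Process -FilePath $KeySetup `
        -ArgumentList @("`"$KeySetFile`"", '/td', "`"$InstallFolder`"", '/term', '/check') `
        -Wait -PassThru -NoNewWindow
    # Assumption: exit code 0 means success. Record the outcome for the help desk.
    $ok  = ($proc.ExitCode -eq 0)
    $msg = "{0} keysetup for {1}: exit code {2}" -f (Get-Date -Format s), $KeySetFile, $proc.ExitCode
    Add-Content -LiteralPath (Join-Path $env:ProgramData 'vipnet-keysetup.log') -Value $msg
    return $ok
}

# Example call; the key set path is an assumption.
if (Install-ViPNetKeysSilently -KeySetFile 'C:\keys\abn_0002.dst') {
    'Keys and host links installed; you can start ViPNet Client.'
} else {
    'Keys installation failed; check the log and contact the ViPNet network administrator.'
}
```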
Recurrent Installation of Keys and Host Links after a Program Failure

It may happen that you cannot log on to ViPNet Monitor because of a system or software failure. In this case, contact technical support to restore access to the program. The ViPNet network administrator will provide you with a new key set, and you will need to install the new keys and host links.
Warning: We strongly recommend that you do not perform a recurrent installation of keys and host links unless it is really necessary, because the safety of the user data created by the ViPNet Client components (for example, ViPNet Business Mail messages) is not guaranteed.
If, between the installation and the failure, the master keys have been changed in the ViPNet network or the keys have been compromised, then after the recurrent keys installation you will lose access to encrypted ViPNet Business Mail messages (including those in archives), messages of the Encrypted Instant Messaging program, and other user data created by the ViPNet Client components. If none of these events took place, the recurrent keys installation proceeds in the same way as updating keys and host links with a key set (see Updating Keys and Host Links with a Key Set on page 51), and the user data remains safe and accessible.
To perform a recurrent installation of keys and host links on a network host:
1. Get a new key set from the ViPNet network administrator.
2. Install keys and host links (see Installing Keys and Host Links for One User on page 43) with this key set.
Using Keys and Host Links Installed Previously When you install ViPNet Client, there may be other ViPNet programs present on the computer that require keys and host links and the MFTP transport module for proper operation. In this case, in ViPNet Client, specify the ViPNet host keys folder that is used by the previously installed programs.
Note: If no keys or host links are installed on your host for any ViPNet program, follow the instructions in Installing Keys and Host Links on a Host Where Several ViPNet Programs Are Installed (on page 47).
To specify a host keys folder for a ViPNet host:
1. Start ViPNet Monitor.
2. In the logon window, to the right of the Setup button, click the icon and choose ViPNet Host Keys Folder.
3. In the Browse window, specify the path to the required folder.
Note: By default, the ViPNet installation folder serves as the ViPNet host keys folder.
After you specify the network host keys folder, you can start working with ViPNet Client.
Updating Keys, Host Links, and Security Policies
You should update keys, host links, and security policies of a ViPNet host on a regular basis to keep the host working properly. If a ViPNet network administrator modifies the network structure or edits certain ViPNet hosts' parameters, for example, creates new links between ViPNet hosts, then keys and host links on the ViPNet hosts are automatically updated. Keys and host links updates are created by the ViPNet network administrator in ViPNet Administrator or ViPNet Network Manager.
If your corporate security policy changes, you should renew security policies in ViPNet Policy Manager and send the updates to ViPNet hosts in your network. A security policy received by a managed ViPNet host from the ViPNet Policy Manager host defines the current security policy of the managed host. Network filters set on this host affect the current security policy, too (see Network Filters Overview on page 112). The current security policy for this host is applied to all users registered on the ViPNet host and to all ViPNet Monitor configurations. When you add new users or configurations on the host, the current policy is applied to them, too.
You can receive keys, host links, and security policies updates on a ViPNet host with ViPNet Update System (see About ViPNet Update System on page 71). If for any reason an update cannot be received via ViPNet Update System, you may install it manually with a key set (see Updating Keys and Host Links with a Key Set on page 51).
Receiving Updates
The ViPNet network administrator sends keys and host links updates to hosts from ViPNet Administrator or ViPNet Network Manager, while security policies updates are sent from ViPNet Policy Manager. You can receive keys, host links, and security policies updates on a ViPNet host with ViPNet Update System (see About ViPNet Update System on page 71). Depending on ViPNet Update System settings, the received updates can be installed automatically or manually.
Updating Keys and Host Links with a Key Set
If for some reason a keys and host links update cannot be received via the network (see Receiving Updates on page 51), you can update them manually by using a key set. To do this:
1. Get a new key set from the ViPNet network administrator. Follow the instructions in the Installing Keys and Host Links for One User (on page 43) section by using the new key set.
   When you specify the key set (see figure 9 on page 44), the key setup program automatically checks whether the previously installed keys correspond to the new ones (for example, whether these keys are intended for the same ViPNet host).
   Warning: When keys are installed in the advanced mode (see Advanced Mode of Keys and Host Links Installation on page 45), this check is not performed.
2. To install keys and host links, click Install keys (see figure 9 on page 44). If the button is unavailable, inconsistencies between the current and the new keys have been detected. For more information on the inconsistencies, click Next. Depending on the inconsistency type, the corresponding message will be displayed:
   o If the key set contains keys of another ViPNet host, if the keys have a different format, and in some other cases, a message will be displayed providing details about the inconsistency.
     Figure 11. Inconsistencies between the key set and the current keys on the host are detected
     To refuse to install the keys, click Cancel, and then, in the confirmation window, click Yes.
     Warning: If you want to proceed with installation, read the information about possible consequences and contact your ViPNet network administrator. Before you proceed with the installation, we recommend that you close the key setup program and decrypt your Business Mail messages. Then, start the key setup program again.
     To continue installation, select the "I have read and agreed to the consequences which this installation may result in" check box and click Next.
   o If the chosen key set cannot be installed (for example, if it is intended for another ViPNet program), an error message will be displayed and further installation will be impossible. Read the information about the inconsistency and click Close.
   If you cannot install the keys because of an inconsistency, contact your ViPNet network administrator.
3. Finish the installation process by following the instructions in Installing Keys and Host Links for One User (on page 43).
Upon successful keys updating, start the ViPNet software.
Uninstalling Keys and Host Links
You may need to remove old keys and host links when you move a ViPNet host to another computer (see Moving a ViPNet Host to Another Computer on page 39). To uninstall keys and host links, finish working with ViPNet Monitor (see Finishing the Work with ViPNet Monitor on page 65) and then, in the Windows Command Line, execute the command:
keysetup /clean /td <keys folder>
For example:
"C:\Program Files (x86)\infotecs\ViPNet Client\keysetup" /clean /td "C:\Program Files (x86)\infotecs\ViPNet Client"
As a result, all keys and host links will be removed from the specified folder. If you want to uninstall the keys of a specific ViPNet user so that other users can continue working on this ViPNet host, specify this user's keys folder. For example:
"C:\Program Files (x86)\infotecs\ViPNet Client\keysetup" /clean /td "C:\Program Files (x86)\infotecs\ViPNet Client\user_0003"
What Should I Do at Key Compromise?
Key compromise is the loss of trust in the quality of information security provided by the keys you use (integrity, confidentiality, non-repudiation, and authenticity). Key compromise can be explicit or implicit:
o Explicit key compromise is revealed while the key is valid.
o The fact of implicit compromise is not known to the users of the key. Implicit compromise is the most threatening.
The main events leading to key compromise are as follows:
1. A key set file might have become available to unauthorized persons.
2. An external device with user keys might have become available to unauthorized persons.
3. The user password or access to your computer might have become available to unauthorized persons.
4. Unauthorized persons might have gotten uncontrolled physical access to keys stored on the computer.
5. The ViPNet Monitor software is not installed on a computer connected to a network, or the traffic protection is disabled, and at the same time:
   o there might be unauthorized persons in the local network;
   o on the edge of the local network, there is no firewall or the firewall is disabled.
6. An employee having access to the keys was fired.
7. An incoming document is signed by using a certificate specified in the CRL.
8. You do not know for sure what has happened to external devices containing keys (for example, a device with keys fails to work and it is possible that the device has been damaged by a malicious user).
A suspicion that there was an information leakage or that information was modified requires an investigation of whether a compromise took place. If any of the above-mentioned events took place:
o Stop working on your host and inform your ViPNet network administrator about the key compromise (or a supposed key compromise).
o If only the signature keys have been compromised, then stop using those keys for signing documents and inform your ViPNet network administrator about that.
o If you suppose that some unauthorized persons may know the ViPNet user password, but those persons do not have access to your computer, then change your password and continue working. If unauthorized persons can get access to your computer, then the keys are considered to be compromised.
In a ViPNet network managed with the ViPNet Administrator software, your keys can be updated remotely by using a backup set of personal keys. A backup set of personal keys file (AAAA.pk, where AAAA is a ViPNet user identifier) is included in a key set and is stored in the user keys folder (see Installing Keys and Host Links on page 42) when you install the keys. If your current personal key is compromised, the Key and Certification Authority administrator sends you the new keys, which are protected by using another variant of a personal key. The administrator does not need to transfer this personal key via the network because it is already included in the backup set of personal keys. If the backup set of personal keys is not found during updating, specify the path to this file. If the backup set of personal keys is missing or the password is incorrect, contact your Key and Certification Authority administrator to get a copy of the backup set of personal keys.
3 Getting Started with ViPNet Client
Starting ViPNet Monitor ........................................ 58
Finishing the Work with ViPNet Monitor ......................... 65
ViPNet Monitor Interface ....................................... 66
Starting ViPNet Monitor
By default, the ViPNet driver activates traffic protection at Windows operating system startup.
Warning: Before the user logs on, the ViPNet driver works according to the default protected network filters and the public network filters used in the previous session.
Before Windows OS is completely loaded, the ViPNet Monitor logon window is displayed. Log on to ViPNet Monitor by entering your password or with an authentication device (see User Logon Modes on page 59). To refuse to start ViPNet Monitor, click Cancel. In this case, traffic protection will be disabled.
Note: To log on to ViPNet Monitor while Windows is loading, you can use the on-screen keyboard. To do this, click the icon and, on the menu, click On-Screen Keyboard.
If you have closed the program (see Finishing the Work with ViPNet Monitor on page 65) or refused authentication at Windows startup, then, to start ViPNet Monitor, you should:
1. Do one of the following:
   o If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, select All Programs > ViPNet > ViPNet Client > Monitor.
   o If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and select ViPNet > Monitor.
     Note: The program location on the Start menu might have been changed at installation.
   o On the desktop, double-click the program shortcut (this shortcut is displayed only if the corresponding option has been selected during the installation).
   The logon window will be displayed.
   Figure 12. Logon window
2. Choose the logon mode (see User Logon Modes on page 59) and, depending on your choice, type the user password or connect your external storage device and type the PIN. If several ViPNet Client users work on your computer and you use a logon mode that requires a password, then, in the Name list, select your user name.
   Figure 13. Choosing a user name to log on
After you enter all the required data, click OK. The main ViPNet Monitor window (see ViPNet Monitor Interface on page 66) will be displayed.
User Logon Modes
There are three logon modes that you can use in ViPNet Monitor:
o Password only (on page 61). To log on to the program, type your user password. Each time you type the password, a password key is generated that is used to access your personal key.
o Password on device (on page 61). To log on to the program, connect your external storage device and type the PIN. As a rule, it is supposed that, if you use this logon mode, your password is stored on the device and you do not know it. However, if you do know your user password, you can also log on to the program in the Password only logon mode. Thus, in case your device breaks down, you can still log on to the program. If you do not know your password, you can ask your ViPNet network administrator for it.
  Warning: The Password on device logon mode does not meet all security requirements and has been retained only to provide compatibility with earlier versions of ViPNet software. Therefore, if you upgraded ViPNet Client to 4.x and this logon mode is used, we recommend that you change it to Password only or PIN and device.
o PIN and device (on page 62). To log on to the program, connect your external storage device and type the PIN (and the password in some cases).
By default, the Password only logon mode is set. In the administrator mode, you can change the logon mode (see Setting the User Logon Mode on page 201).
If the Password on device or PIN and device logon mode is set, you should use an external storage device to log on (see Supported External Storage Devices on page 298). To use an external device for user authentication, install drivers for the device on your computer and then write keys on this device. You can write keys on an external device when you change the logon mode or in the ViPNet Key and Certification Authority program when you create the key set (you cannot work with external storage devices in ViPNet Network Manager).
Warning: If you use the Password on device or PIN and device logon modes and your external device is disconnected, the computer will be blocked automatically according to the settings configured by the ViPNet host administrator (see ViPNet Monitor Advanced Settings on page 197). To continue working, you should connect this device.
In the scheme below, the relation between authentication factors and device types is shown.
Figure 14. The scheme of interdependence between authentication factors and logon modes
Password Only
To log on to the ViPNet Monitor program by using only a password, in the logon window, do the following:
1. In the Logon Mode list, select Password only.
   Figure 15. Choosing the Password only logon mode
2. If necessary, in the Name list, choose your ViPNet user name.
   Note: This list displays the names of all users that have their keys installed on the host (see Installing Keys and Host Links on page 42). If no keys have been installed on the host, then the list will be empty.
3. In the Password box, type your password. If you need to save the password in the registry and the program settings (see Advanced Security Settings on page 200) allow it, select the corresponding check box.
4. Click OK.
Password on Device
Warning: To prevent failures in the ViPNet software operation, do not use the Password on device logon mode. If you have used this logon mode, we recommend that you change it to Password only or PIN and device.
To log on to ViPNet Monitor with a password on a device, in the logon window, do the following:
1. In the Logon Mode list, select Password on device.
   Figure 16. Using a password on an external device for authentication
2. Connect the device where your password is stored.
3. In the Device list, choose the required external device.
4. Type the PIN if necessary. Whether you need to type the PIN depends on the type of your external device (see figure 14 on page 60). To save the PIN, select the corresponding check box. As a result, you will not need to type the PIN every time you use the device.
5. Click OK.
PIN and Device
To log on to the ViPNet Monitor program using the device, in the logon window, do the following:
1. In the Logon Mode list, select PIN and device.
   Figure 17. Using keys on an external device for authentication
2. Connect the external device.
3. If necessary, choose your user name from the list below and, in the Password box, type your password. Whether you need to type the password depends on the type of your external device (see figure 14 on page 60).
4. In the Choose device list, choose the external device where your personal key or the private key certificate is stored.
5. Type the PIN if necessary. Whether you need to type the PIN depends on the type of your external device. To save the PIN, select the corresponding check box. As a result, you will not need to type the PIN every time you use the device.
6. In the To authenticate use list, choose:
   o Certificate if you want to log on using your certificate stored on your device. In the list of certificates found on your device, choose the required one. If you encounter any difficulties while using the certificate for authentication, see Cannot Log On with a Certificate (on page 255).
     Note: The following requirements should be met if you want to log on using the certificate:
     - Your external device supports the PKCS#11 standard.
     - Your certificate conforms to the RSA standard.
     - The certificate is valid (its validity period has not expired).
     - The certificate has not been revoked.
     - The certificate is intended for client authentication. The certificate's purpose is displayed in the Certificate window, on the Details tab, in the Enhanced Key Usage field.
     - The issuer's certificate is installed in the system store Trusted Root Certification Authorities.
     - The key container on the device contains the private key corresponding to the certificate.
   o Personal key if you want to log on using your personal key included in user keys and stored on your device.
7. Click OK.
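The certificate requirements listed in the note above can be checked on the Windows host before attempting a certificate logon. The following PowerShell function is an added example, not part of the ViPNet documentation or software; it assumes that the device's CSP/KSP has made the certificate visible in the current user's personal store (Cert:\CurrentUser\My), and it cannot verify PKCS#11 support, which is a property of the device and its driver.

```powershell
# Added example, not ViPNet code. Checks each certificate in Cert:\CurrentUser\My against the
# certificate logon requirements: RSA key, validity period, Enhanced Key Usage = Client
# Authentication, chain ending in a trusted root, not revoked, private key present.
# Assumption: the device's CSP/KSP has propagated the certificate into the personal store.
# PKCS#11 support of the device itself cannot be checked from PowerShell.
function Test-ViPNetLogonCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $clientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth, "Client Authentication" in the EKU field
        $rsaOid        = '1.2.840.113549.1.1.1' # rsaEncryption
        $ekuExtOid     = '2.5.29.37'            # Enhanced Key Usage extension
        $now      = Get-Date
        $problems = New-Object System.Collections.Generic.List[string]

        # Requirement: the certificate conforms to the RSA standard.
        if ($Certificate.PublicKey.Oid.Value -ne $rsaOid) {
            $problems.Add("key algorithm is $($Certificate.PublicKey.Oid.FriendlyName), not RSA")
        }

        # Requirement: the validity period has not expired (and has already started).
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems.Add("outside validity period $($Certificate.NotBefore) to $($Certificate.NotAfter)")
        }

        # Requirement: intended for client authentication (Enhanced Key Usage field).
        $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid } | Select-Object -First 1
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        if (-not $hasClientAuth) { $problems.Add('Enhanced Key Usage lacks Client Authentication') }

        # Requirement: the key container holds the private key matching the certificate.
        if (-not $Certificate.HasPrivateKey) { $problems.Add('no private key associated with the certificate') }

        # Requirements: the issuer chain ends in Trusted Root Certification Authorities and the
        # certificate is not revoked. X509Chain checks both; Online mode consults CRL/OCSP.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        if (-not $chain.Build($Certificate)) {
            foreach ($status in $chain.ChainStatus) {
                # Typical values: UntrustedRoot, Revoked, RevocationStatusUnknown, NotTimeValid
                $problems.Add("chain: $($status.Status) ($($status.StatusInformation.Trim()))")
            }
        }
        $chain.Reset()

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Suitable   = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Report every certificate in the personal store with the result of the checks.
Get-ChildItem Cert:\CurrentUser\My | Test-ViPNetLogonCertificate | Format-Table -AutoSize
```

Suitable is $true only when every requirement passed; for the other certificates, Problems names the failed requirement, which is the first thing to report when Cannot Log On with a Certificate (on page 255) applies.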
Logging On As Another User
If several users are registered on a ViPNet host, you can change the user without exiting ViPNet Monitor. To do this:
1. On the main menu, select File > Change User. The logon window will be displayed.
2. Choose the logon mode (see User Logon Modes on page 59) and, depending on your choice, type the user password or connect your external storage device and type the PIN. If several ViPNet Client users work on your computer and you use a logon mode that requires a password, then, in the Name list, select your user name.
   Note: The keys and host links of the user whose credentials are used to log on to the program (see Installing Keys and Host Links on page 42) should be installed on the host.
3. Click OK.
Finishing the Work with ViPNet Monitor
There are several ways to finish the work with ViPNet Client:
1. To minimize the main program window, do one of the following:
   o Click Close at the top right corner of the window.
   o Press Alt+F4.
   To maximize the window, click the icon in the notification area.
2. To close the program, in the menu bar, click File > Exit or, in the notification area, right-click the ViPNet Client icon and, on the context menu, choose Exit. To confirm the operation, click Yes.
Note: After you finish working with ViPNet Client, the ViPNet driver continues functioning. The ViPNet driver filters IP traffic according to the filters defined in the integrated firewall settings.
ViPNet Monitor Interface
The main ViPNet Monitor window is shown in the figure below:
Figure 18. The main ViPNet Monitor window
The following elements are marked with numbers in the figure:
1. The menu bar.
2. The toolbar. To show or hide the toolbar, on the View menu, click Toolbar. Also, you can add or remove toolbar buttons with the corresponding button. To change the order of the toolbar buttons, use drag-and-drop while pressing and holding Alt.
3. The navigation pane. Contains the list of sections where you can configure different program settings:
   o The Private Network section (selected by default) contains the list of ViPNet hosts that were linked with the current host in ViPNet Network Control Center. For more details, see Working with the List of ViPNet Hosts (on page 68).
   o The Network Filters section. Contains subsections with IP traffic filters:
     - In the Private Network Filters subsection, you can configure filtering rules for encrypted traffic (see Creating Private Network Filters on page 126).
     - In the Public Network Filters subsection, you can configure unencrypted traffic filtering rules (see Creating Public Network Filters on page 128).
   o The Object Groups section contains the lists of objects that can be used at network filters creation: ViPNet hosts groups, IP addresses groups, and others (see Using Object Groups on page 115).
   o Statistics and Event Logs. Contains subsections:
     - In the IP Packets Log section, you can search for entries in the IP packets log (see Working with the IP Packets Log on page 172).
     - In the Statistics section, you can view statistical information about IP packets filtering (see Viewing IP Packets Filtering Statistics on page 182).
   o In the Configurations section, you can manage ViPNet Monitor configurations (see Managing ViPNet Monitor Configurations on page 184).
   o The Administrator section is displayed only if you are logged on in the administrator mode. In this section, you can perform advanced configuration of the program (see Working in the ViPNet Host Administrator Mode on page 196).
   Note: The number and order of sections displayed in the navigation pane depend on the permissions level defined for your host in ViPNet Network Control Center (see Using ViPNet Monitor with Restricted Interface on page 69).
4. The view pane. Displays the section selected in the navigation pane (3).
5. The search box. It is displayed in the Private Network, Network Filters, and Object Groups sections. To search for information within a section, in the search box, type several characters of a host's IP address, name, or some other parameter. In the Private Network section, you can search by the following parameters:
   o ViPNet host name (displayed in the Private Network section and in the ViPNet Host Properties dialog box, on the Common tab).
   o Computer name (the ViPNet Host Properties dialog box, the Common tab).
   o Host alias (the ViPNet Host Properties dialog box, the Common tab).
   o Real or virtual IP addresses (the ViPNet Host Properties dialog box, the IP addresses tab, the IP addresses list).
   o DNS name (the ViPNet Host Properties dialog box, the IP addresses tab, the DNS name list).
   o Host ID (the ViPNet Host Properties dialog box, the Common tab).
   To clear the search box, click Show all.
6. The status bar. Displays the number of your ViPNet network, the IP addresses assigned to the host, and the current configuration of the program. When you change network filters or object groups, the status bar displays a message that the network filters or object groups are modified, but the changes have not been applied yet. To show or hide the status bar, on the View menu, click Status bar. The status bar is always displayed when network filters or object groups are modified, even if you previously hid it.
Working with the List of ViPNet Hosts
The Private Network (see ViPNet Monitor Interface on page 66) section contains the list of ViPNet hosts linked with the current host in ViPNet Network Control Center. The color of the host name and an icon next to it indicate its host type and current status:
Table 3. ViPNet host status indication (the host type icons in the Icon column are images and are not reproduced here)
Host name color        | ViPNet host status
Grey                   | The client is offline or its status is unknown
Violet                 | The client is online
Grey or violet, bold   | A new client that has recently been linked with the current host
Grey or violet, bold   | A new coordinator that has recently been linked with the current host
Grey                   | The coordinator is offline or its status is unknown
Violet                 | The coordinator is online
Note: To configure the appearance of the Private Network section, in the main ViPNet Monitor window, on the Service menu, click Options and then go to the General section.
To view the list and search for ViPNet hosts more easily, you can group hosts in folders in the Private Network section:
o To create a new folder, in the main ViPNet Monitor window, in the navigation pane or in the view pane, right-click Private Network and, on the context menu, choose Create Folder. The new folder will appear in the navigation pane and in the Private Network section.
o To move hosts to a folder, in the Private Network section, select one or several hosts and drag them to the required folder.
o To rename a folder, right-click it and, on the context menu, select Rename.
o To delete folders:
  - Make sure that the folders you need to remove do not contain any hosts. Otherwise, move the hosts to other folders.
  - In the main ViPNet Monitor window, in the navigation pane or in the Private Network section, select one or several folders.
  - Press Delete or, on the context menu, click Delete.
To search for information within a section, in the search box (see ViPNet Monitor Interface on page 66), type several characters of a host IP address, name, or some other parameter. To view a host's properties, double-click its name. The ViPNet Host Properties dialog box will be displayed, where you can view general information about the ViPNet host and configure access to the host (see Configuring Access to ViPNet Hosts on page 87). To check the connection to another ViPNet host, to send a Business Mail or chat message to one or several hosts, or to use some other features integrated in ViPNet Monitor (see Integrated Communication Tools on page 149), do one of the following:
o In the ViPNet hosts list, select the required host and click the corresponding button on the toolbar.
o On the ViPNet host context menu, select the corresponding menu item.
Using ViPNet Monitor with Restricted Interface
The ViPNet network administrator can restrict the ViPNet Monitor program functionality and its settings on certain ViPNet hosts and set the user permissions level for each ViPNet host in ViPNet Network Control Center. What is more, you can restrict the ViPNet Monitor interface (see ViPNet Monitor Advanced Settings on page 197) when logged on in the ViPNet host administrator mode. User interface restriction means that certain user interface elements of the ViPNet Monitor program become unavailable and most settings, network filters, and other parameters cannot be edited. When you log on as the ViPNet host administrator, all restrictions are removed. In this document, ViPNet Monitor functionality is described given that a user has maximum permissions. If any program features or settings are not available, contact your ViPNet network administrator. For more information on user permissions, see the document "ViPNet Authorities Classification. Supplement to ViPNet Documentation."
4 ViPNet Update System
About ViPNet Update System ..................................... 71
Automatic Updating ............................................. 72
Installing Updates Manually .................................... 73
Viewing the Installed Updates Log .............................. 75
About ViPNet Update System
ViPNet Update System helps you to receive and install updates of the following types:
o ViPNet Client upgrades from ViPNet Administrator or ViPNet Network Manager;
o keys and host links updates from ViPNet Administrator or ViPNet Network Manager;
o security policy updates from ViPNet Policy Manager.
You can choose to install the updates automatically (see Automatic Updating on page 72) or manually (see Installing Updates Manually on page 73). If you configure updates to be accepted and installed manually on a host, information about it is displayed in the notification area when updates are received on the host.
Figure 19. Displaying updates in the notification area
The ViPNet Update System icon may be displayed in the notification area as follows (the icons themselves are images and are not reproduced here):
o (icon) means that there is no information on new updates;
o (icon) means that new updates have arrived;
o (icon) means that the updates have been successfully installed;
o (icon) means that the updates have been successfully installed and you need to restart your computer.
If you configure updates to be accepted and installed automatically, ViPNet Update System performs updating quietly, without notifications about updating. In this case, the ViPNet Update System icon is not displayed in the notification area either.
Automatic Updating
Tip: We do not recommend that you set automatic updates installation if you work with protected SafeDisk-V containers (see Working with Integrated ViPNet SafeDisk-V on page 147), because in this case you will be able to install updates only manually regardless of the settings.
If you want the updates to be installed automatically on your host, do the following:
1. Log on as an OS administrator. If you do not have administrator rights, you cannot change the ViPNet Update System settings.
2. Do one of the following:
   o If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, choose All Programs > ViPNet > ViPNet Update System.
   o If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and choose ViPNet > ViPNet Update System.
3. In the window, on the Options tab, select the Install updates automatically check box.
4. If you want the computer to be restarted automatically after updating, when necessary, select the corresponding check box.
5. To save the settings, click OK.
Figure 20. Install updates automatically
Installing Updates Manually
If you need to install updates on your ViPNet host manually, you can disable autoupdating. To do this (see figure 20 on page 72):
1. Log on as an OS administrator. If you do not have administrator rights, you cannot change the ViPNet Update System settings.
2. Do one of the following:
   o If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, choose All Programs > ViPNet > ViPNet Update System.
   o If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and choose ViPNet > ViPNet Update System.
3. In the ViPNet Update System window, on the Options tab, clear the Install updates automatically check box.
4. If you want the computer to be restarted automatically after updating, when necessary, select the corresponding check box.
5. To save your changes, click OK.
If autoupdating is disabled, then, after you receive updates, install them manually:
1. In the notification area, right-click the ViPNet Update System icon and, on the context menu, choose Available Updates.
2. In the displayed window, check the list of updates (the ones that will be installed have their check boxes selected). If you do not need an update, clear the associated check box.
   Figure 21. Viewing the received updates
3. Click Install updates.
4. If any ViPNet programs are running on your computer, you will be prompted to exit them to continue the update process. Click Continue. The running ViPNet programs will be automatically closed, and the updating process will continue. After you run the setup program, the ViPNet Monitor program is unloaded from the computer's memory and the updating process starts. In the notification area, the corresponding information is displayed.
   Figure 22. Displaying the installation of new updates in the notification area
   Warning: Upgrading the software may take a long time. Do not disturb the process and do not restart the computer before the upgrading process is completed.
5. If necessary, after the upgrade is completed, restart your computer. The corresponding information is displayed in the notification area.
Viewing the Installed Updates Log
The installed updates are displayed in the update log. To view the update log, do the following:
1. Do one of the following:
- If you use Windows 7, Windows Server 2008 R2 or an earlier version of the Microsoft Windows operating system, on the Start menu, select All programs > ViPNet > ViPNet Update System.
- If you use Windows 8 or Windows Server 2012 operating system, on the Start screen, open the Apps list and select ViPNet > Update System.
2. Click the Update log tab.
Figure 23. Update log
5 Connecting to a Protected ViPNet Network
ViPNet Network Connection Protocols ... 77
Principles of Establishing Connections on a ViPNet Network ... 79
About Virtual IP Addresses ... 81
Configuring Connection to a Protected Network ... 83
Viewing Information about a ViPNet Host ... 86
Configuring Access to ViPNet Hosts ... 87
Using Aliases for ViPNet Hosts ... 90
Configuring Access to Tunneled Hosts ... 91
Configuring Access IP Addresses Priority for a Coordinator ... 93
ViPNet Network Connection Protocols
ViPNet hosts can be located inside any network that supports the IP protocol. The means of connection can be different: Ethernet, PPPoE via xDSL, PPP via dial-up or ISDN, mobile access such as GPRS or UMTS, Wi-Fi devices, MPLS, or VLAN. The ViPNet software supports various link-layer protocols. IP protocols of three types (IP/241, UDP, and TCP) are used to create VPN tunnels between ViPNet hosts and encapsulate traffic transferred over other IP protocols. The IP/241 protocol (on page 334) is used when ViPNet hosts communicate with each other in the same LAN segment and when these hosts are accessible by broadcast addresses. The IP/241 protocol is more efficient because it does not have an 8-byte UDP header. When the original packet is encrypted, it is encapsulated into an IP packet with the 241 protocol number.
Figure 24. ViPNet hosts are in the same LAN segment
If the ViPNet hosts are in different network segments, the UDP protocol is chosen automatically, which allows IP packets to pass through firewalls. Upon encryption, the original packet is encapsulated in a UDP packet.
Figure 25. ViPNet hosts connection with a firewall
If there is a NAT device on the IP packet's route, dynamic or static address translation rules should be configured on this device. These rules allow UDP traffic exchange with ViPNet hosts. If you configure static NAT rules, you should specify the ViPNet host's port. The default port is 55777, but you can specify any other port if necessary. If packets pass directly through a coordinator, the port number of the hosts located behind this coordinator is of no importance. As they pass through a coordinator, packets acquire the coordinator's IP address and port number. In some cases your ISP may have blocked UDP traffic and the ViPNet hosts cannot communicate over the UDP protocol. For example, this may happen if you are connecting to a ViPNet VPN from a hotel or some other public place. Then you can redirect the whole IP traffic via a TCP tunnel, which has been configured on the connection coordinator of the host that initiates the connection. You may specify any port when configuring a TCP tunnel on a connection server. By default, port 443 is used.
Figure 26. ViPNet hosts connect via a firewall (translating TCP traffic)
On the connection server, the received IP packets are retrieved from the TCP tunnel and forwarded to the destination host over UDP.
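As an added illustration (not part of this guide and not ViPNet's own code), the following Python snippet classifies raw IPv4 packets by the three encapsulation types described above, using the guide's default ports (UDP 55777, TCP tunnel 443) as assumptions that can be overridden; the sample packets and addresses are constructed. It is the kind of check an administrator can run over a capture to confirm which transport a link actually uses before writing NAT or firewall rules.

```python
import struct

# Encapsulation types the guide describes and their default parameters.
VIPNET_IP_PROTO = 241          # IP/241: hosts on one LAN segment, no UDP header
VIPNET_UDP_PORT = 55777        # default UDP encapsulation port (any port may be configured)
VIPNET_TCP_TUNNEL_PORT = 443   # default TCP tunnel port on a connection server

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (IHL 5, TTL 64) around payload.
    Used here only to construct sample packets for the classifier."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", _ipv4_checksum(header)) + header[12:]
    return header + payload


def classify_vipnet_encapsulation(packet: bytes,
                                  udp_port: int = VIPNET_UDP_PORT,
                                  tcp_port: int = VIPNET_TCP_TUNNEL_PORT):
    """Return ("ip241" | "udp" | "tcp", src, dst) for a raw IPv4 packet that looks like
    ViPNet-encapsulated traffic, or None. Link-layer headers must already be stripped."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto == VIPNET_IP_PROTO:
        return ("ip241", src, dst)
    if proto in (IPPROTO_UDP, IPPROTO_TCP):
        if len(packet) < ihl + 4:          # need at least the two port fields
            return None
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == IPPROTO_UDP and udp_port in (sport, dport):
            return ("udp", src, dst)
        # TCP on the tunnel port is only a heuristic: 443 is also ordinary HTTPS.
        if proto == IPPROTO_TCP and tcp_port in (sport, dport):
            return ("tcp", src, dst)
    return None


def summarize_capture(packets, **ports):
    """Count encapsulation types over a list of raw IPv4 packets (e.g. from a pcap reader)."""
    counts = {"ip241": 0, "udp": 0, "tcp": 0, "other": 0}
    for pkt in packets:
        result = classify_vipnet_encapsulation(pkt, **ports)
        counts[result[0] if result else "other"] += 1
    return counts


# Constructed sample packets; addresses come from RFC 5737 documentation ranges.
SAMPLE_PACKETS = [
    build_ipv4(VIPNET_IP_PROTO, "192.0.2.10", "192.0.2.11", b"\x00" * 32),     # same segment
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.5",
               struct.pack("!HHHH", 55777, 55777, 8 + 32, 0) + b"\x00" * 32),  # through NAT
    build_ipv4(IPPROTO_TCP, "203.0.113.7", "198.51.100.5",
               struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
               + b"\x00" * 32),                                                 # TCP tunnel
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "192.0.2.53",
               struct.pack("!HHHH", 40000, 53, 8 + 16, 0) + b"\x00" * 16),     # plain DNS
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_vipnet_encapsulation(pkt))
    print(summarize_capture(SAMPLE_PACKETS))
```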
Principles of Establishing Connections on a ViPNet Network
ViPNet clients can automatically establish connections to other ViPNet hosts over the shortest accessible routes. They use connection servers to establish communication. Clients receive information about other hosts, their access parameters, and status from their IP addresses servers (see IP address server on page 334). By default, the IP addresses server and connection server features are performed by one coordinator. If necessary, you can set another coordinator as the IP addresses server for your client. Clients detect connection parameters automatically by using connection servers. Client-to-client connections are established in the following way:
Before a client initiates a connection to another host, it should detect the access channel to its connection server. If the client communicates through a NAT device, it maintains the channel with the connection server by periodically sending IP packets to it. By default, IP packets are sent every 25 seconds. With most NAT devices, this is sufficient to stay connected to the connection server. If necessary, you can modify the frequency.
After connection between the client and its connection server is established, the client initiates connection to another host. It starts transferring test IP packets to a remote host via the connection server. At the same time, the client sends test IP packets to the connection server of the remote host and directly to the remote host.
If the test IP packets are received on the remote host, the remote host registers the connection and begins to transfer response IP traffic directly. The client receives the response IP traffic from the remote host and begins to transfer its IP traffic to the remote host directly, too. If the test IP packets only get as far as the remote host's connection server, that connection server registers the connection and sends the remote host's response IP packets to the client directly. In other words, the client establishes either a direct connection with the remote host, or a connection via the remote host's connection server. If the client receives no response IP packets from the remote host or its connection server, communication goes on through the client's connection server.
Figure 27. Communication between ViPNet hosts
Thus, the ability to communicate over the shortest routes without coordinators' participation increases the encrypted IP traffic exchange rate and reduces the load on coordinators.
Note: The described workflow is applicable only if ViPNet software version not earlier than 4.2.x is installed on all hosts communicating with each other.
Moreover, ViPNet connections have the following peculiarities:
If routing is configured for hosts, the connection between clients is established along the routes through the gateways rather than through coordinators.
If the remote host does not use a NAT device, the client's connection server remembers that the connection can be established directly. So, next time, if the remote host's location has not changed, test IP packets will not be sent, and the IP traffic exchange is performed directly at once.
If clients are located behind devices with dynamic NAT, they can communicate directly. This is possible because connection servers can inform clients about the IP addresses and ports by which they can access other hosts via NAT devices. The servers detect this data from the IP packets received from clients. Taking this information into account, clients send test IP packets to each other using the registered IP addresses and ports. If at least one side receives the test IP packets, the clients begin to exchange all their traffic directly. In other words, a direct connection will be established if at least one NAT device allocates the same port for a host each time this host sends IP packets to different IP addresses. Direct communication between clients is impossible if their NAT devices allocate ports randomly each time IP packets are sent to new IP addresses. That is how so-called symmetric NAT works. In this case, the connection between such clients will be established through one of their connection servers.
Direct connection to the remote client located behind a device with dynamic NAT is possible within 75 seconds (three timeouts or periods of IP packets sending) since the last connection was broken.
If a client is behind a static NAT device, you need to lock the required UDP encapsulation port in the program options. Otherwise, the port will change, preventing the client from connecting to other hosts.
About Virtual IP Addresses
IP address conflicts often occur between different local networks and ISPs' networks. The virtual addresses technology allows you to solve this problem effectively when you configure protected connections. You can also use virtual IP addresses as the basis for access rules. Why do you need it? It is common knowledge that, if an IP address is used to identify a user, you should be cautious, because the IP address might be faked, which threatens the security of the connection. However, it is impossible to fake an IP address in a ViPNet network. When the ViPNet driver receives a packet, it substitutes the real source address with the respective virtual address, and then forwards the packet to an application. However, this happens only if the packet is successfully decrypted using the sender's private keys, in other words, after the sender has been successfully identified. This ensures that the IP address presented to the recipient is not faked and access to resources is strictly delimited. Each ViPNet host automatically creates one or more virtual IP addresses for every ViPNet host and tunneled host it is linked with. Each real address corresponds to a virtual IP address. Thus, the number of virtual IP addresses depends on the number of real IP addresses and the number of tunneled IP addresses. Each host has its own list of virtual IP addresses for other hosts. All programs running on the network may use these addresses to connect to the corresponding hosts. The ViPNet driver translates the addresses when sending or receiving IP packets (including the packets of DNS, WINS, NetBIOS, SCCP, SIP, and other services). By default, a ViPNet host automatically uses virtual addresses to connect to other ViPNet hosts if they are inaccessible by broadcast IP addresses. For tunneled hosts, real IP addresses are used by default. If necessary, you can force your ViPNet host to see any other ViPNet hosts by real or virtual addresses.
General Principles of Assigning Virtual IP Addresses
By default, the initial address for the virtual addresses generator is 11.0.0.1 (subnet mask: 255.0.0.0). You can change the initial address in the Options dialog box, in the Private Network > Additional parameters section. Virtual IP addresses are assigned to ViPNet network hosts and single tunneled hosts automatically, starting from the specified initial IP address. By default, for tunneled IP address ranges the initial virtual IP address is 12.0.0.1. It can also be the IP address whose first octet is incremented by 1 in comparison with the IP address specified as the initial IP address for the virtual IP addresses generator.
Note: A single tunneled IP address is an address explicitly defined in the ViPNet host tunneling settings.
You should take into account that one of the Internet address ranges is used for generating virtual addresses by default. That is why an address conflict may appear during communication between a ViPNet host and an unprotected web resource if the resource's IP address coincides with a virtual address in use. You will not be able to connect to such a web resource. To access the resource, you should either change the range of the assigned virtual addresses or work with the resource via a proxy server. You can find the generated virtual IP addresses of ViPNet hosts in the ViPNet Host Properties dialog box, on the IP addresses tab. Virtual IP addresses of the tunneled hosts are displayed in the ViPNet Host Properties dialog box, on the Tunnel tab of the coordinator functioning as the tunneling server for these tunneled hosts. Virtual IP addresses of ViPNet hosts do not depend on real IP addresses. They are bound to the unique identifiers allocated to ViPNet hosts in ViPNet Network Control Center. Virtual IP addresses for single tunneled hosts are bound to each real IP address of a tunneled host. Virtual IP addresses stay assigned to ViPNet hosts and single tunneled hosts until the network hosts or tunneled hosts are deleted.
Warning: To avoid errors when specifying initial virtual IP addresses, take into account the following requirements:
- The value of the first octet should range from 1 to 254.
- The value of the fourth octet should range from 1 to 239.
- The value of the second and third octets should range from 0 to 255.
When you update host links, change the real IP addresses of any host, or add an IP address of a single tunneled host, the virtual IP addresses already generated will not be changed. Newly added real IP addresses and IP addresses of tunneled hosts, as well as newly added ViPNet hosts, get new unused virtual addresses. You can change the virtual addresses intended for ranges of tunneled addresses when adding new ranges of tunneled addresses. If you change the initial IP address for the virtual IP addresses generator, all virtual IP addresses will be created anew.
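To make the rules above concrete, here is an added Python model of the virtual address generator (example code, not the guide's or ViPNet's own implementation): it validates an initial address against the octet requirements, derives the default start of the tunneled-range pool, hands out sticky virtual addresses keyed the way the guide says they are bound, and checks whether a real Internet address would collide with the virtual range. The keys and sample addresses are constructed assumptions.

```python
import ipaddress

DEFAULT_INITIAL = "11.0.0.1"   # guide default for ViPNet hosts and single tunneled addresses
VIRTUAL_MASK = "255.0.0.0"     # guide default mask for the virtual range


def validate_initial_address(addr: str) -> None:
    """Enforce the octet rules the guide gives for the generator's initial address."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{addr!r} is not a dotted-quad IPv4 address")
    o1, o2, o3, o4 = (int(p) for p in parts)
    if not 1 <= o1 <= 254:
        raise ValueError("first octet must be 1..254")
    if not (0 <= o2 <= 255 and 0 <= o3 <= 255):
        raise ValueError("second and third octets must be 0..255")
    if not 1 <= o4 <= 239:
        raise ValueError("fourth octet must be 1..239")


def is_valid_initial_address(addr: str) -> bool:
    try:
        validate_initial_address(addr)
        return True
    except ValueError:
        return False


def tunneled_range_initial(initial: str) -> str:
    """Default start of the pool for tunneled IP address ranges: the initial address with
    its first octet incremented by 1 (11.0.0.1 -> 12.0.0.1)."""
    validate_initial_address(initial)
    first, rest = initial.split(".", 1)
    candidate = f"{int(first) + 1}.{rest}"
    validate_initial_address(candidate)   # 254.x.y.z + 1 would leave the allowed range
    return candidate


class VirtualAddressGenerator:
    """Hands out consecutive virtual addresses starting from the initial address.

    Keys model what the guide binds addresses to: a ViPNet host's unique identifier, or
    (coordinator id, real IP) for a single tunneled host. Assignments are sticky, so
    updating links or adding addresses never changes an existing mapping; only a new
    initial address (a new generator) regenerates everything.
    """

    def __init__(self, initial: str = DEFAULT_INITIAL):
        validate_initial_address(initial)
        self.network = ipaddress.IPv4Network(f"{initial}/{VIRTUAL_MASK}", strict=False)
        self._next = ipaddress.IPv4Address(initial)
        self.assigned = {}

    def virtual_for(self, key) -> str:
        if key not in self.assigned:
            if self._next not in self.network:
                raise RuntimeError("virtual address range exhausted")
            self.assigned[key] = self._next
            self._next += 1          # freed addresses are not reused: new entries get unused ones
        return str(self.assigned[key])

    def delete(self, key) -> None:
        """A virtual address stays assigned until the host or tunneled address is deleted."""
        self.assigned.pop(key, None)

    def conflicts_with(self, real_ip: str) -> bool:
        """True when an unprotected resource's real address lies inside the virtual range,
        the clash with public Internet ranges the guide warns about."""
        return ipaddress.IPv4Address(real_ip) in self.network


if __name__ == "__main__":
    gen = VirtualAddressGenerator()
    print(gen.virtual_for("host-A"), gen.virtual_for(("coord-1", "192.168.10.5")))
    print(tunneled_range_initial(DEFAULT_INITIAL), gen.conflicts_with("11.22.33.44"))
```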
Configuring Connection to a Protected Network
Generally, you can connect a client to a ViPNet network without additional configuring. You may need to make advanced settings only in certain cases. Suppose you need to connect your portable computer to the local network of another company. Your connection server cannot be accessed from this local network, but there is a coordinator in it linked with your host. In this case, in the ViPNet network connection options, you need to specify the correct coordinator that will function as the connection server.
Tip: If you connect to another local network often, then it will be more convenient for you to create a special ViPNet Monitor configuration with the required connection parameters. For information on creating a configuration, see Managing ViPNet Monitor Configurations (on page 184).
You can also change the connection server if yours is unavailable. To specify the connection server:
1. In the main ViPNet Monitor window, on the Service menu, click Options.
2. In the Options dialog box, in the navigation pane, click Private Network.
3. In the Connection server list, select the coordinator that will be used to establish connections with other hosts (the connection server). If the required coordinator is not on the list, click the Browse button and choose the coordinator in the Choose ViPNet Host window. This coordinator must be accessible either directly or via a firewall with static NAT.
4. To save the settings, click Apply.
If necessary, you can perform advanced configuring:
In the Private Network section, click Show advanced options and do the following:
- If you want all inbound and outbound traffic to be routed through the connection server, select the Direct all IP traffic through connection server check box.
Note: You may need to direct IP traffic via the connection server if control over the whole transferred IP traffic is required. Take into account that, in this case, it may significantly slow down data exchange between the hosts.
- If you need to set a client behind a firewall with static NAT, select the Lock UDP port check box and specify the UDP packets encapsulation port number. Create the static rule for this port on the NAT device.
- If you work through a firewall with dynamic NAT and you need to change the frequency of sending IP packets to the connection server, specify the new value in the Timeout to prevent breaks in connections when working through devices with dynamic NAT box. By default, IP packets are sent every 25 seconds. With most NAT devices, this is sufficient to stay connected to the connection server.
- If necessary, you can change the IP addresses server by choosing the required one from the IP addresses server list.
Warning: We strongly recommend that you do not change the IP addresses server without consulting your ViPNet network administrator.
Figure 28. Connecting a client to a ViPNet network
If you work with a NAT device that cannot transfer large packets, you can decrease the maximum segment size (MSS) value in the Private Network > Additional Parameters section.
Figure 29. Advanced configuring
To save the advanced settings, click Apply.
Viewing Information about a ViPNet Host
In some cases, for example, when organizing access to a ViPNet host or when there are problems with access to a host, the ViPNet network administrator or technical support service may ask you for some specific information about the host. To view the information about a host of another ViPNet user:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network. In the view pane, double-click the required ViPNet host.
2. In the ViPNet Host Properties dialog box, view the Common tab contents.
3. If necessary, copy the required text to provide the administrator or technical support service with the information.
Note: You can use the above-described method to view service information of a ViPNet host only if it is not your host. To view the service information of your ViPNet host, in the main window, in the navigation pane, select ViPNet Client.
To view the information about your ViPNet host, in the main ViPNet Monitor window, on the File menu, click My ViPNet Host Properties.
Configuring Access to ViPNet Hosts
For your ViPNet host to connect to other hosts on your ViPNet network, some access parameters should be specified. On a client, it is enough to specify access parameters only for the coordinator functioning as the IP addresses server and the connection server. You need to specify the access parameters if the coordinators' IP addresses and connection options have not been specified centrally in ViPNet Administrator or ViPNet Network Manager. If you can establish connection to the IP addresses server, all the required access parameters of other ViPNet hosts will be received automatically from this IP addresses server. You can change them in ViPNet Monitor, for example, in case of an IP addresses conflict. We do not recommend you to change them in other cases. To configure the access parameters for a ViPNet host:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, double-click the host you are going to connect to.
3. In the ViPNet Host Properties dialog box, on the IP addresses tab, add the real IP address of the ViPNet host to the list. A virtual IP address will be automatically assigned to this new address. If you do not know the host's IP address, you can resolve it by the computer's name. To do this, click Resolve Host Name/IP Address and, in the displayed window, search for the required IP address by the specified name.
If the hosts are set to be visible by their real addresses, then, when you add an IP address, it is automatically checked for conflicts with other IP addresses on the list or IP addresses of another host (including tunneled ones). This check helps you to avoid specifying the same IP address twice. If a conflict of IP addresses is found as a result of the check, you will be notified about it. Resolve the IP addresses conflict (see Conflicting IP Addresses or DNS Names on page 258). You may check for IP addresses conflicts manually, too. To do this, click Check conflicts.
Figure 30. Specifying IP addresses for a ViPNet host
4. In the ViPNet host's visibility IP addresses list, specify the type of addresses that will be used by your host to access this host. By default, visibility IP addresses are chosen automatically. If a conflict between the real IP addresses and other hosts' addresses on the network is possible, select Virtual IP addresses in the list. When you change the visibility IP addresses in the coordinator properties, you will be prompted to set the same visibility IP addresses for all ViPNet hosts using this coordinator as their connection server.
5. If you need to use a DNS name to access a ViPNet host, select the Use DNS name check box and add the host's DNS name to the list. When you add a DNS name, it is checked for conflicts with DNS names already specified in the program. If a conflict is detected, resolve it (see Conflicting IP Addresses or DNS Names on page 258). You may also click Check conflicts to check the DNS names.
You may specify several DNS names for a host. When configuring access parameters for a coordinator, on the IP Addresses tab, you should add the DNS names of the hosts tunneled by this coordinator to the DNS names list (see Configuring Access to Tunneled Hosts on page 91). For a client, the order of the DNS names in the list does not matter. For a coordinator, you should specify its DNS name on top of the list, before the DNS names of the tunneled hosts. For more information on using the DNS service in a ViPNet network, see Configuring and Using DNS and WINS Services in ViPNet Networks (on page 96).
6. If a firewall is used, on the Firewall tab, specify the firewall's IP address. If necessary, add more firewall IP addresses. If several IP addresses for access via a firewall are specified, you can set the address priority by using metrics (see Configuring Access IP Addresses Priority for a Coordinator on page 93). In the UDP port box, specify the port number to access the coordinator via a firewall.
Figure 31. Configuring access to a host via a firewall
7. When configuring access to a coordinator, on the Firewall tab, in the Access port for TCP tunnel box, you can specify the port for connecting your host with the coordinator over TCP (via a TCP tunnel). We recommend that you specify the port if it is not specified in the coordinator's properties but a TCP tunnel is established on the coordinator. As a rule, the TCP access port number is received on the host automatically as soon as the TCP tunnel is established on the coordinator. That is why, if the TCP access port is specified in the coordinator's properties, you should not change it.
8. To save the settings, click Apply.
Using Aliases for ViPNet Hosts
For convenience, you can specify an alias for any ViPNet host in the Private Network section. This alias will be displayed in the Private Network section instead of the host name. To find the host in the list, you can type the host alias, as well as its name, in the search box. To specify an alias for a ViPNet host:
1. In the main ViPNet Monitor window, in the navigation pane, click Private Network and select the host you are going to specify an alias for.
2. In the ViPNet Host Properties dialog box, on the Common tab, in the Alias box, type the name to be assigned to the host.
3. Click OK.
4. Add aliases to other ViPNet hosts if necessary.
Note: If you have added an alias, but the name of the host is still shown in the list, enable the alias display option. To do this:
In the main ViPNet Monitor window, on the Service menu, click Options. In the Options dialog box, in the General section, select the Show aliases for ViPNet users check box.
Configuring Access to Tunneled Hosts
If you configure tunneling parameters for all coordinators in ViPNet Administrator or ViPNet Network Manager, you do not have to make additional settings in ViPNet Monitor on the host. The ViPNet host can establish connection to tunneled hosts. If the required settings have not been made in ViPNet Administrator or ViPNet Network Manager, configure the tunneled connection manually on the host. To do this:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, double-click the coordinator that tunnels the unprotected host you want to connect to.
3. In the ViPNet Host Properties dialog box, on the Tunnel tab, select the Use IP addresses for tunneling check box and form a list of tunneled hosts' IP addresses by using the corresponding buttons. A virtual IP address (on page 339) will be automatically allocated to every newly specified address. If you do not know the host's IP address, you can resolve it by the computer's name. To do this, click Resolve Host Name/IP Address and, in the displayed window, search for the required IP address by the specified name.
Note: If you need to specify a DNS name of a tunneled host, add the DNS name to the DNS names list of the tunneling coordinator (see Configuring Access to ViPNet Hosts on page 87). Keep in mind that the coordinator name registered on the DNS server should be on top of the list.
When you add an IP address, it is automatically checked whether this address coincides with another IP address on the list or an address of another host (including tunneled ones). This check helps you to avoid specifying the same IP address twice. If a coinciding IP address is found as a result of the check, you will be notified about it. Resolve the IP addresses conflict (see Conflicting IP Addresses or DNS Names on page 258). You may check for IP addresses conflicts manually, too. To do this, click Check conflicts.
Figure 32. Tunneled hosts addresses
4. If there may be an IP addresses conflict in subnetworks, select the Use virtual IP addresses check box.
5. If a tunneled host is in the same subnetwork as your ViPNet host and the routing is not specially configured, make sure that the Do not tunnel the IP addresses of your computer's sub network check box is selected. Otherwise, you will not be able to connect to the tunneled host.
6. If you do not need the connection to some tunneled hosts to be protected, select the Do not tunnel the following IP addresses check box and add the IP addresses of those hosts to the list below.
7. To save the settings, click Apply.
The settings described in this section should be made on your ViPNet host for all coordinators that tunnel the hosts you need to connect to.
Configuring Access IP Addresses Priority for a Coordinator
If a coordinator has several access IP addresses (for example, one for each communications channel), then, on another ViPNet host, you can configure priorities for the channels you use to connect to this coordinator. If the channel with the highest priority is unavailable, the communications channel will be selected according to the priority specified for the other channels. When the highest-priority channel becomes available again, the connection will be re-established via this channel.
Note: This can be effective only if the host establishes connection to the coordinator via various channels, for example, across the Internet and a dedicated network (in other words, when the connection is routed via different gateways).
Priority of channels is defined by specifying a metric for each access IP address of the coordinator. By default, metrics are assigned automatically. When assigning metrics, stick to the following rules:
- An IP address metric defines a delay (in milliseconds) before sending test IP packets to detect the IP address accessibility. The connection is established using the first address that appears to be accessible during the poll.
- The polling is performed in the following cases:
  - At ViPNet Monitor startup.
  - When you check connection to the host manually.
  - Periodically. You can specify the polling interval on the coordinator in the Options dialog box, in the Private Network > Additional Parameters section. By default, the interval at which a coordinator polls other coordinators is 15 minutes; the interval at which a client polls its coordinator is 5 minutes.
- The IP address with the least metric has the highest priority. This address is always used to establish connections if it is available.
- If metrics for all access IP addresses are assigned automatically, then the value of all metrics is 0. If metrics for some IP addresses are assigned manually and for others automatically, then the value of the automatic metrics is always 100 milliseconds greater than the maximum value of any manually assigned metric.
- The greater the difference between the least metric and the other metrics, the lower the chance that the connection will be established via a low-priority channel in case of a short-term failure. If the connection is established via a low-priority channel, the host will be able to switch back to the highest-priority channel quicker when it becomes available.
- If all metrics are equal, then the first channel via which your host connects to the coordinator will be selected. When the channel has been selected, the availability of other communications channels is checked only when the connection via the current channel is lost. The same mechanism is used if the connection is established via the highest-priority channel.
- If at least one IP address metric is assigned manually, and its value is not the highest one, then the availability of other communications channels, including the one with the highest priority, will be checked as well.
- When ViPNet Monitor starts and when the connection with the coordinator is checked (see Checking Connection to a ViPNet Host on page 167), the availability of all communications channels is always checked in order to select the channel with the least metric.
- When a channel is selected, the current access IP address is displayed in the coordinator's properties window, on top of the list on the Firewall tab.
To specify metrics for access IP addresses of a coordinator:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, double-click the coordinator you are going to specify the access IP addresses priority for.
3. In the ViPNet Host Properties dialog box, click the Firewall tab.
4. If necessary, configure the firewall parameters for the coordinator (see Configuring Access to ViPNet Hosts on page 87).
5. To specify a metric for an IP address, select the address from the list and click Edit.
Figure 33. Specifying a metric
6. In the displayed window, select the Set metrics check box and, in the corresponding box, enter the metric value in milliseconds (valid values range from 1 to 9999). Then click OK.
Consider the following scenario. Suppose a coordinator has four IP addresses allowing you to access it via channels A, B, C, and D, and you need to specify metrics for these channels. Let the channels have the following priority:
1. A is the fastest and the most secure channel. It should be used in the first place.
2. C and D are secure but slower channels. They should be used if channel A is unavailable.
3. B is a less secure channel. It should be used last of all.
To set the highest priority for channel A, specify the minimum metric value for it, for example, 1. Specify the maximum metric value (9999) for channel B because using this channel is undesirable. Specify equal metrics for channels C and D that do not differ much from the channel A metric, for example, 500.
With such metric values, channel A will always be used if it is available. If channel A becomes unavailable or its traffic rate decreases, connection to the coordinator will be established via channel C or channel D. In case of emergency, when channels A, C, and D are all unavailable, channel B will be used. If connection is established via channel B, C, or D, your host will try to establish connection via channel A when the polling period elapses, on ViPNet Monitor startup, or when the connection to the coordinator is checked. The shorter the polling period, the faster the channel is switched in case of a failure and then reverted to a channel with a higher priority.
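The metric rules and the A/B/C/D scenario above, as an added Python model (example code, not the guide's or ViPNet's own implementation): it derives effective metrics, including the automatic-metric rule (all automatic means 0; mixed means max manual + 100 ms), and simulates the poll that picks the channel whose probe answers first. The channel IP addresses are constructed placeholders.

```python
AUTO_METRIC_OFFSET = 100           # automatic metrics sit 100 ms above the largest manual one
MIN_METRIC, MAX_METRIC = 1, 9999   # range accepted by the Set metrics dialog


def effective_metrics(addresses):
    """addresses: list of (ip, manual_metric or None) in Firewall-tab order.
    Returns {ip: metric_ms} following the guide's rules: if every metric is automatic,
    all are 0; otherwise automatic ones become max(manual) + 100."""
    manual = [m for _, m in addresses if m is not None]
    for m in manual:
        if not MIN_METRIC <= m <= MAX_METRIC:
            raise ValueError(f"metric {m} outside {MIN_METRIC}..{MAX_METRIC}")
    auto_value = (max(manual) + AUTO_METRIC_OFFSET) if manual else 0
    return {ip: (m if m is not None else auto_value) for ip, m in addresses}


def select_channel(addresses, available):
    """Simulate one poll: each address is probed after a delay equal to its metric and the
    first that answers wins, so the least metric among reachable addresses is chosen.
    Equal metrics fall back to list order (the guide's 'first channel that connects')."""
    metrics = effective_metrics(addresses)
    candidates = [(metrics[ip], idx, ip)
                  for idx, (ip, _) in enumerate(addresses) if ip in available]
    return min(candidates)[2] if candidates else None


def simulate_polls(addresses, availability_per_poll):
    """Channel chosen at each periodic poll for a sequence of availability sets; shows the
    host returning to channel A once it becomes reachable again."""
    return [select_channel(addresses, avail) for avail in availability_per_poll]


# Constructed scenario from the guide: channels A..D with the recommended metrics.
CHANNELS = {"A": "198.51.100.1", "B": "198.51.100.2",
            "C": "198.51.100.3", "D": "198.51.100.4"}
SCENARIO = [(CHANNELS["A"], 1), (CHANNELS["B"], 9999),
            (CHANNELS["C"], 500), (CHANNELS["D"], 500)]

if __name__ == "__main__":
    everything = set(CHANNELS.values())
    print(effective_metrics(SCENARIO))
    print(simulate_polls(SCENARIO, [everything, everything - {CHANNELS["A"]}, everything]))
```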
6 Configuring and Using DNS and WINS Services in ViPNet Networks
DNS and WINS Services ..................................................... 97
DNS and WINS Services in a ViPNet Network ............................... 99
Protected or Tunneled DNS or WINS Server ................................ 100
Unprotected DNS or WINS Server .......................................... 102
Using a Protected DNS Server to Work with Corporate Resources Remotely .. 104
Using DNS Servers on Domain Controllers ................................. 108
DNS and WINS Services
Addresses consisting of digits are not very friendly to deal with. Meaningful names that correspond to computers' functions and locations are more convenient: for people, it is easier to remember a meaningful name than a sequence of digits. Local networks and the Internet link a large number of computers, so special name services have been introduced to map numeric IP addresses to human-readable names. At present, there are two main name services used in computer networks: DNS and WINS.
DNS
In TCP/IP networks, the Domain Name System (DNS) is used to translate domain names meaningful to humans into the numeric identifiers associated with network equipment, for the purpose of locating and addressing these devices worldwide. For example, it translates the domain name www.company.com into the IP address 79.11.15.23. The figure below illustrates how DNS works (it shows how an IP address is resolved from an alphabetic domain name).
Figure 34. The general principle of the DNS service operation
A client asks a DNS server for the IP address of the computer that has the www.company.com domain name. If the DNS server finds a match in its local database, it retrieves all the required information about the host found, including the IP address of the computer named www.company.com. This example illustrates a simple client-to-server request. In practice, resolving an IP address from a DNS name may involve several DNS servers, complex requests, and other steps not shown in the figure above. DNS uses a hierarchical naming system. A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots. The highest-level domain name (the first part) is fixed and assigned by the Network Information Center (NIC). Domain names for the other levels are assigned arbitrarily on the domain name servers.
WINS
WINS (Windows Internet Name Service) translates a computer's IP address to a NetBIOS name, and vice versa. For example, the IP address 192.168.1.20 will be translated to HOST-A. WINS is the most convenient means of NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP.
Note: NetBIOS (Network Basic Input Output System) is a session layer protocol allowing you to work in local networks and providing your host with access to local resources as well as to the resources of remote computers. NetBIOS sends broadcast packets, so by itself it does not support transferring information via routers. On the other hand, improvements in NetBIOS allow this system to operate over routable protocols, such as IP and IPX.
The WINS service simplifies NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP. The following figure illustrates a typical situation involving WINS clients and servers.
Figure 35. The general principle of the WINS service operation
In this example, the following events take place:
A WINS client, HOST-A, registers its local NetBIOS names with WINS-A, its configured WINS server. If the HOST-A client does not have access to the IP address of its WINS server, the client broadcasts its NetBIOS name, announcing its availability in the network. When such an event occurs, the local WINS server receives this broadcast message and registers the name and the corresponding IP address contained in it in its database.
Another WINS client, HOST-B, queries WINS-A to locate the IP address for HOST-A on the network. WINS-A replies with the IP address for HOST-A, 192.168.1.20.
WINS and DNS are both name resolution services for TCP/IP networks. While WINS resolves names in the NetBIOS namespace, DNS resolves names in the DNS domain namespace. DNS uses a hierarchical naming system; WINS, by contrast, uses a flat, non-hierarchical naming system. WINS primarily supports clients that run earlier versions of Windows and applications that use NetBIOS. In environments where some computers use NetBIOS names and others use domain names, it is recommended to use both the WINS and the DNS service.
DNS and WINS Services in a ViPNet Network
In a ViPNet network, applications may use virtual IP addresses that do not really exist in the network and are unique for each host, which helps to avoid address conflicts. To make the DNS and WINS services work in a ViPNet network where virtual IP addresses are used, the ViPNet software automatically processes the IP packets of these services in a special way. Such processing is required so that applications that request information from DNS and WINS receive the correct information about the IP addresses of protected hosts (whether these addresses are real or virtual). If the ViPNet software is installed on a DNS (WINS) server, or the server is tunneled by a coordinator, you do not need to make advanced settings in the ViPNet software, provided that you follow certain rules (see Protected or Tunneled DNS or WINS Server on page 100). You may specify DNS names for ViPNet hosts manually, in ViPNet Monitor on your computer or in ViPNet Network Control Center. In this case, you gain the following advantages in using the DNS service:
Programs can securely communicate with remote ViPNet hosts via DNS names when you use unprotected (public) DNS servers (see Unprotected DNS or WINS Server on page 102).
A ViPNet host can connect to its coordinator by the coordinator's DNS name. For this, an IP address that does not belong to the coordinator itself (for example, the address by which the coordinator is accessible through a NAT device) is published on a DNS server. If the coordinator's access address is published on a public DNS server automatically (by using the dynamic DNS, or DYN DNS, technology), you can organize secure access to a coordinator whose access address is a dynamic IP address.
Protected or Tunneled DNS or WINS Server
Usage Peculiarities
Using a DNS or WINS server installed on a protected or tunneled host has the following peculiarities:
You do not need to make any additional settings in your ViPNet software to make the DNS or WINS services operable.
If the DNS (NetBIOS) names and corresponding IP addresses of protected and tunneled hosts are registered on your DNS (WINS) server automatically, the ViPNet technology ensures automatic publication of the required real or virtual IP addresses of ViPNet and tunneled hosts. The ViPNet driver on the DNS (WINS) server (or on the coordinator that tunnels this server) substitutes the address in the IP packet with a virtual or a real one.
If a protected or a tunneled host addresses a DNS (WINS) server, a ViPNet host identifier is added to the response packet (the identifier of the destination protected host or of the tunneled host's tunneling coordinator). The ViPNet software on the source ViPNet host (or on the source tunneled host's tunneling coordinator) detects whether the destination host's access address is a real or a virtual one.
If an unprotected host addresses a protected DNS (WINS) server, the ViPNet software installed on the DNS (WINS) server or on its tunneling coordinator processes the response packet so that the unprotected host knows real IP addresses of protected and tunneled hosts even if virtual IP addresses have been published for them.
Figure 36. Protected or tunneled DNS server
Configuration Best Practices
If you use a DNS (WINS) server installed on a ViPNet or tunneled host and you need to publish virtual IP addresses, follow these recommendations:
If you manually register ViPNet and tunneled hosts' IP addresses on a DNS (WINS) server, you should specify their virtual or real addresses depending on which type of the addresses is displayed in bold in the ViPNet Monitor program installed on the DNS (WINS) server or on the coordinator tunneling this server.
If a DNS (WINS) server is installed on a ViPNet host, do not place any tunneled hosts, which would communicate with the server by DNS names, in this server's subnet. If the server is installed on a coordinator, this requirement applies to the tunneled hosts of other coordinators.
If a DNS (WINS) server is tunneled by a coordinator, do not deploy any tunneled hosts, which would communicate with the server by DNS names, in this server's subnet.
If you need to deploy any hosts in violation of these recommendations, on the ViPNet hosts, clear the Do not tunnel the IP addresses of your computer's sub network check box (see Configuring Access to Tunneled Hosts on page 91), and on each of the tunneled hosts, add static routes to the ViPNet hosts through the tunneling coordinator.
Unprotected DNS or WINS Server
Usage Peculiarities
Often you may need to access a coordinator with a dynamic external access address (for example, a coordinator connected to the network via a DSL modem) from other ViPNet hosts. You can solve this task by publishing this address on a public DNS server deployed on the Internet and specifying the coordinator's DNS name in the ViPNet Monitor program on the other ViPNet hosts. On a corporate network, you may need to use a public DNS server in other cases, too. Public DNS servers may be exposed to various network attacks in which the IP address of the destination network host is substituted ("spoofed") so that the source protected host addresses the attacker's computer instead. If such an attack is successful, the network host that addresses the protected host by its DNS name establishes an unencrypted connection to the attacking computer, because the attacker's IP address is unknown to the ViPNet driver. As a result, the malicious user may obtain confidential information from the protected computer.
Figure 37. Attacking an unprotected DNS server
To prevent such attacks, on your ViPNet host, in the ViPNet Monitor settings, specify DNS names for all protected application servers (on page 335) that are registered on the public DNS server and accessible from your ViPNet host (see Configuring Access to ViPNet Hosts on page 87). Attacks are then prevented as follows: the ViPNet driver addresses the server by a DNS name, and the address in the DNS response may be spoofed by the malicious user; but when the ViPNet driver receives the response to the DNS request, it substitutes the returned address with the host's visibility IP address (real or virtual) that corresponds to the DNS name you specified in ViPNet Monitor.
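As an added illustration of the DNS exchange described in the DNS section above and of the name-pinning mitigation described here (example code written for this page, not ViPNet's driver code): a minimal DNS A-record query builder and response parser, followed by a function that applies the guide's rule, namely that a name configured in ViPNet Monitor is always mapped to its configured visibility address, whatever the public DNS server answered. The PINNED_VISIBILITY map, all addresses, and the response-building helper that stands in for a public DNS server are constructed assumptions.

```python
import ipaddress
import struct

# Constructed assumption: visibility addresses an administrator entered in
# ViPNet Monitor for protected hosts (the guide's mitigation for spoofed DNS).
PINNED_VISIBILITY = {
    "www.company.com": "11.0.0.3",
}


def encode_name(name):
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def decode_name(msg, offset):
    """Decode a name at `offset`, following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_response(msg):
    """Return (txid, question name, list of IPv4 answers) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset, qname = 12, None
    for _ in range(qdcount):
        qname, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(rdata)))
    return txid, qname, answers


def build_a_response(query, addresses, ttl=60):
    """Constructed stand-in for a public DNS server's answer to `query`."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:
        # 0xC00C is a pointer to the question name, which starts at offset 12
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
        rrs += ipaddress.IPv4Address(addr).packed
    return header + query[12:] + rrs


def resolve_with_pinning(name, response, pinned=PINNED_VISIBILITY):
    """Apply the guide's rule: a name configured in ViPNet Monitor always maps to
    its configured visibility address, whatever the DNS server answered.
    Returns (address to connect to, addresses the DNS server answered with)."""
    _, qname, answered = parse_a_response(response)
    key = name.lower().rstrip(".")
    if qname.lower() != key:
        raise ValueError("response question does not match the query")
    if key in pinned:
        return pinned[key], answered
    return (answered[0] if answered else None), answered
```

The second element returned by resolve_with_pinning is kept for logging only: as the next section notes, the address published on the public DNS server may legitimately be the real one while the host is visible by a virtual one, so a difference between the two is not by itself evidence of spoofing.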
Configuration Best Practices
If you use an unprotected DNS server, you should follow these recommendations:
If the external IP address used for accessing the coordinator from this server may be changed and you need the DNS server to access this coordinator by its DNS name registered on the unprotected DNS server, on ViPNet hosts, in the ViPNet Monitor settings, specify the DNS name for this coordinator.
If other ViPNet hosts are accessible from your ViPNet host by virtual IP addresses and you need to access these hosts by DNS names registered on the unprotected DNS server, then you should specify these DNS names on your ViPNet host, in the ViPNet Monitor settings. Any IP address (a real or a virtual one) can be registered on the unprotected DNS server. The ViPNet technology ensures establishing and maintaining an encrypted connection by the host's virtual visibility address regardless of the published address's type.
As we mentioned earlier, even if the unprotected DNS server accesses ViPNet hosts by their real IP addresses, for security purposes, it is important that you specify their DNS names on these hosts in ViPNet Monitor.
In all the described cases, you may specify the ViPNet hosts' DNS names on each host manually (see Configuring Access to ViPNet Hosts on page 87), but we recommend that you specify the DNS names for all hosts in ViPNet Network Control Center.
Using a Protected DNS Server to Work with Corporate Resources Remotely
Let's assume that you are a remote user and you connect to a ViPNet network via the Internet. You may work at home, in an Internet cafe, at a hotel, or in other places where IP addresses and DNS or NetBIOS names are defined by an Internet provider. However, to work with many corporate business applications, you need to use the DNS (WINS) server of the corporate network. By using the corporate DNS (WINS) server, you can refer to the servers and other hosts of the corporate network by their names (not IP addresses). Translating DNS (NetBIOS) names into IP addresses is performed for the addresses of both the corporate network and the Internet.
Automatic DNS (WINS) servers registration
The following requirements should be met to access corporate resources remotely:
In the hosts system file that maps IP addresses to host names, there must be no entries about hosts of your corporate network. The path to the file is %systemroot%\System32\drivers\etc\ (by default, it is C:\Windows\System32\drivers\etc\).
The corporate DNS (WINS) server's IP address should be specified in the OS network settings.
Warning: If the ViPNet host is registered on both corporate and public DNS servers, you may encounter problems accessing it. To solve this problem, specify its DNS name in the host's properties on the IP address tab.
You may set the address of the corporate DNS server manually in the connection settings. We recommend, however, that you specify the addresses of the corporate DNS servers centrally. To do this, the ViPNet network administrator needs to list the hosts or tunneled resources with the DNS servers in the ViPNet Network Control Center software. In this case, the list of the corporate DNS servers will be transferred to the ViPNet hosts as a part of their key sets. On the hosts, the ViPNet Monitor program will determine the current visibility IP addresses of the corporate DNS servers (either real or virtual) and will automatically change the DNS servers' addresses in the settings of the computer's network interfaces. Consider the following scenario. You are working in the main office on a laptop with the ViPNet Client software installed and connect to a protected corporate DNS server by an IP address (for example, 10.0.0.25). You take your laptop to another office, and the DNS server of your main office becomes accessible by another IP address (for example, 11.0.0.3). You need to connect to the corporate resources of the main office via the Internet.
When you register the DNS or WINS server, you have to change the Windows network settings on the laptop. It is inconvenient because you will have to restore the settings when you return to the main office. If the ViPNet hosts with the DNS servers are specified in ViPNet Network Control Center, then you do not need to change the connection settings manually. If, for whatever reason, the corporate DNS servers' addresses are not specified in the ViPNet Network Control Center program, you can set the list of the protected DNS servers manually on the host, following the guidelines below.
Configuring a DNS or WINS Servers List Manually
If the list of the corporate DNS (WINS) servers was not specified centrally in the ViPNet Network Control Center (see Automatic DNS (WINS) servers registration on page 104), you can create such a list manually on your host. In this case, the ViPNet Monitor program will also determine the current visibility IP addresses of the corporate DNS servers and will automatically change the settings of your computer's network interfaces. To register a corporate DNS (WINS) server manually, perform the following actions:
1. In any text editor (preferably Notepad), create a blank text file DNS.TXT.
2. Add an entry about the corporate DNS or WINS server to the file. You can learn how to specify the information about the server from the later sections in this chapter. The format of entries in the DNS.TXT file differs depending on whether the corporate DNS or WINS server is installed on a protected host or is tunneled by a coordinator.
3. Save the file to the \DATABASES\DNSWINSLIST subfolder of the ViPNet software installation folder (if there is no such subfolder, create it).
Note: To create and edit the DNS.TXT file, you do not need to close the ViPNet Monitor program.
You may register multiple DNS (WINS) servers in the DNS.TXT file at once. In this case, on all the laptop's network interfaces, the DNS or WINS servers' IP addresses lists will be supplemented with the IP addresses these servers are currently accessible by. At the same time, in the network interfaces settings, the IP addresses obtained via DHCP or specified on network interfaces manually will be saved if these IP addresses do not belong to the servers specified in the DNS.TXT file.
Note: If the DNS or WINS servers in use are listed in the DNS.TXT file, then you do not need to specify the servers addresses in the Windows network settings.
Corporate DNS or WINS Server is Installed Right on the ViPNet Host
If your corporate DNS (WINS) server is installed on a ViPNet host, then in the DNS.TXT file, add the following information:
For a DNS server:
[DNSLIST]
ID00=<host identifier>;
For a WINS server:
[WINSLIST]
ID00=<host identifier>;
where <host identifier> is the hexadecimal identifier of the ViPNet host with the DNS or WINS server installed, including the network number.
Note: To learn the host identifier, in the main ViPNet Monitor window, in the Private Network section, double-click the ViPNet host with the DNS or WINS server installed. The ViPNet Host Properties dialog box will be displayed. On the Common tab, in the first line, you will find the ViPNet host identifier. ID00 is the entry number; any digits are valid after ID.
In the following section, you will find an example of the DNS.TXT file (on page 107).
Corporate DNS or WINS Server is Tunneled by a Coordinator
If your corporate DNS (WINS) server is tunneled by a coordinator, then in the DNS.TXT file, add the following information:
For a DNS server:
[DNSLIST]
ID00=<coordinator identifier>-<server IP address>;
For a WINS server:
[WINSLIST]
ID00=<coordinator identifier>-<server IP address>;
where <coordinator identifier> is the hexadecimal identifier of the coordinator tunneling the DNS or WINS server, including the network number.
Note: To learn the tunneling coordinator's identifier, in the main ViPNet Monitor window, in the Private Network section, double-click the coordinator. The ViPNet Host Properties dialog box will be displayed. On the Common tab, in the first line, you will find the ViPNet host identifier. ID00 is the entry number; any digits are valid after ID.
In such a case (when the DNS or WINS server is not installed on a ViPNet host), you need to add the tunneling coordinator's ViPNet host identifier, then a dash, and then the DNS or WINS server's IP address. If there are several DNS (WINS) servers tunneled by the same coordinator, you can list their IP addresses after the coordinator's identifier within the same line, separated by semicolons, without spaces: ID00=<coordinator identifier>-<IP address 1>;<IP address 2>;. Make sure that these IP addresses are also specified in the tunneled addresses list of this coordinator. In the following section, you will find an example of the DNS.TXT file (on page 107).
An Example of the DNS.TXT File
The DNS.TXT file may have the following format:
[DNSLIST]
ID00=000100CA-10.0.0.25;
ID01=0001000b;
ID02=000110bc-10.0.0.20;10.0.0.21;10.0.2.132;
[WINSLIST]
ID00=0001000b;
ID01=000101fa-10.0.1.132;10.0.1.133;10.0.1.134;
Note that one DNS.TXT file may contain entries for DNS or WINS servers installed on ViPNet hosts as well as for DNS or WINS servers tunneled by a coordinator. The number of entries is not limited.
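The following is an added example, written for this page and not part of the ViPNet software, that parses a DNS.TXT file in the format described in the preceding sections and performs the check the guide asks for, namely that the addresses of tunneled servers also appear in the tunneling coordinator's tunneled addresses list. The file embedded in the code is the guide's own sample; the eight-hex-digit width of host identifiers is an assumption taken from that sample, and the tunneled_ranges map in missing_tunnel_coverage is a constructed stand-in for the coordinator's tunneled list.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: host identifiers are eight hexadecimal digits, as in the guide's
# sample file; the guide does not state the width explicitly.
HOST_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
ENTRY_RE = re.compile(r"^ID(\d+)=(.*)$")
SECTIONS = ("DNSLIST", "WINSLIST")


@dataclass
class ServerEntry:
    section: str            # "DNSLIST" or "WINSLIST"
    index: int              # the digits after "ID"
    host_id: str            # the server's ViPNet host id, or the tunneling coordinator's
    addresses: List[str] = field(default_factory=list)  # empty: server is on the ViPNet host

    @property
    def tunneled(self) -> bool:
        return bool(self.addresses)


def parse_dns_txt(text: str) -> List[ServerEntry]:
    """Parse DNS.TXT; raise ValueError naming the line on any malformed entry."""
    entries, section = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            if section not in SECTIONS:
                raise ValueError(f"line {lineno}: unknown section [{section}]")
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        match = ENTRY_RE.match(line)
        if not match or not match.group(2).endswith(";"):
            raise ValueError(f"line {lineno}: expected IDnn=...; got {line!r}")
        index, value = int(match.group(1)), match.group(2)[:-1]
        host_id, dash, rest = value.partition("-")
        if not HOST_ID_RE.match(host_id):
            raise ValueError(f"line {lineno}: bad host identifier {host_id!r}")
        addresses = []
        if dash:
            for part in rest.split(";"):  # several tunneled servers share one line
                if not part or part != part.strip():
                    raise ValueError(f"line {lineno}: empty address or stray spaces")
                addresses.append(str(ipaddress.IPv4Address(part)))  # raises on a bad IP
        entries.append(ServerEntry(section, index, host_id.upper(), addresses))
    return entries


def missing_tunnel_coverage(entries: List[ServerEntry],
                            tunneled_ranges: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """The guide's check that tunneled server addresses are also in the coordinator's
    tunneled list. `tunneled_ranges` (coordinator id -> CIDRs) is a constructed
    stand-in for that list; returns (coordinator id, address) pairs not covered."""
    missing = []
    for entry in entries:
        if not entry.tunneled:
            continue
        nets = [ipaddress.ip_network(n) for n in tunneled_ranges.get(entry.host_id, [])]
        for addr in entry.addresses:
            if not any(ipaddress.ip_address(addr) in net for net in nets):
                missing.append((entry.host_id, addr))
    return missing


# The guide's sample file, embedded so the example runs stand-alone.
SAMPLE_DNS_TXT = """[DNSLIST]
ID00=000100CA-10.0.0.25;
ID01=0001000b;
ID02=000110bc-10.0.0.20;10.0.0.21;10.0.2.132;
[WINSLIST]
ID00=0001000b;
ID01=000101fa-10.0.1.132;10.0.1.133;10.0.1.134;
"""

if __name__ == "__main__":
    for e in parse_dns_txt(SAMPLE_DNS_TXT):
        kind = "tunneled by" if e.tunneled else "installed on"
        print(f"{e.section} ID{e.index:02d}: {kind} {e.host_id} {' '.join(e.addresses)}")
```

Running the parser over the file before saving it to \DATABASES\DNSWINSLIST catches the two mistakes the format invites most easily, a missing trailing semicolon and a space after a semicolon in a multi-address line, and missing_tunnel_coverage reports any server address that the coordinator would not actually tunnel.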
Using DNS Servers on Domain Controllers
If your organization uses the Active Directory service in the ViPNet network, there are DNS servers installed on ViPNet hosts, and these servers synchronize with each other, then addressing the domain's hosts by DNS names may work incorrectly. To avoid such problems, for each host, you should register the same address on all redundant DNS servers. Follow one of these methods:
Place unprotected DNS servers behind a separate network interface of the coordinator and configure tunneling of these servers by this coordinator (see Corporate DNS or WINS Server is Tunneled by a Coordinator on page 106). Other (both protected and unprotected) hosts that address the DNS servers must not be behind the same interface of the coordinator to avoid conflicts. If the hosts' IP addresses are registered on protected DNS servers automatically, the IP addresses that correspond to the hosts' visibility addresses on this coordinator will be registered. If you register the hosts' IP addresses on protected DNS servers manually, on each DNS server, register the hosts' visibility addresses (virtual or real) displayed in ViPNet Monitor on this coordinator. The unprotected hosts that address a DNS server to request a ViPNet host's IP address through the tunneling coordinator will receive the host's real IP address.
If you cannot place all DNS servers behind the same coordinator or if the DNS servers have ViPNet Client installed on them, either on the coordinators behind which the DNS servers are placed or in ViPNet Client on the servers, set the hosts (tunneled hosts, clients, and coordinators) registered on these DNS servers to be visible by their real IP addresses. To change the type of visibility addresses of all clients behind the coordinator, it is enough to change visibility addresses on one of these clients in ViPNet Monitor. As a result, you will be prompted to apply this setting on all other clients behind this coordinator automatically.
7 Configuring the Integrated Firewall
General Principles of Traffic Filtering ........................ 110
Network Filters Overview ....................................... 112
Using Object Groups ............................................ 115
Creating Network Filters ....................................... 125
Restoring Pre-defined Filters and Object Groups ................ 131
Object Groups and Network Filters Usage Example ................ 132
Blocking IP Traffic ............................................ 135
Disabling Traffic Protection ................................... 136
General Principles of Traffic Filtering
All IP traffic passing through ViPNet hosts is filtered. It can be divided into:
unencrypted traffic;
encrypted traffic.
Figure 38. IP traffic types that filtering rules are applied to
IP traffic from unprotected hosts is more likely to be hazardous, because in case of an attack it is difficult to detect its source and take measures to stop the attack. Both encrypted and unencrypted traffic can be local or broadcast. Local IP traffic is inbound or outbound traffic of a certain host (this host is the destination or source of the IP packets). Broadcast IP traffic is the exchange of IP packets whose destination IP or MAC address is a broadcast one (the IP packets are addressed to all hosts of a certain network segment).
Figure 39. Types of encrypted and unencrypted IP traffic
To configure filtering rules correctly, you should be aware of the main principles of IP traffic filtering. All incoming and outgoing IP packets (both encrypted and unencrypted) go through a complex check that detects whether they match the network filters (see Network Filters Overview on page 112). If an IP packet meets the conditions specified in a network filter, the packet is allowed or blocked depending on the filter action. If an IP packet does not correspond to any of the filters, it is blocked. Such a filtering method ensures high-level protection and allows connections only to the required hosts over the protocols and ports you specify. An IP packet is processed by the network filters in turn until it is allowed or blocked by one of them; as soon as the packet is allowed or blocked, no further filters are applied to it.
Network filters are applied to encrypted IP packets only after they are successfully decrypted and their source host is identified. In this case, the IP addresses of the ViPNet hosts do not have any impact on filtering.
Note: In ViPNet Client version 3.2 and earlier, the filtering method is defined by the security level you choose.
IP packets filtering is illustrated by the scheme below:
Figure 40. Unencrypted traffic filtering levels
Network Filters Overview
Network filters are created separately for encrypted and unencrypted traffic. They perform the following functions:
On a protected host, public network filters allow or block IP packets from unprotected hosts.
Note: Unprotected hosts are computers where ViPNet software with the traffic encryption function is not installed. Computers with the ViPNet CryptoService and ViPNet Registration Point software installed are also considered as unprotected hosts.
Private network filters allow you to limit IP traffic exchange with the ViPNet hosts your host is linked with.
Network filters, regardless of their purpose, fall into the following categories:
Filters defined by special configurations.
Filters accepted with security policies (see Security policy on page 336) from the ViPNet Policy Manager program. In the administrator mode, there is an option to exclude such filters from network filters lists (see ViPNet Monitor Advanced Settings on page 197).
Pre-defined and user-defined filters. In case you upgraded ViPNet Monitor from 3.x to 4.x, you do not have pre-defined filters. Only the filters that have been configured before the upgrade are present on the network filters lists (in the converted format).
Default filters.
Filters that are defined by special configurations take priority over all other filters and are applied first. They affect the traffic blocked in the "Open Internet" (see The Open Internet Configuration on page 186), "Internal Network", or "Internet" configurations (see Configurations: Internal Network and Internet on page 186). You cannot edit or delete such filters.
Note: When you work with protected SafeDisk-V containers, special blocking filters are applied. These filters are created at ViPNet SafeDisk-V startup (see Working with Integrated ViPNet SafeDisk-V on page 147). They have a higher priority than any other filters, including the filters of special configurations. You cannot view these filters, because the ViPNet Monitor user interface is restricted when you work in ViPNet SafeDisk-V. You also cannot switch to a special configuration.
Filters received from ViPNet Policy Manager come after configuration filters and cannot be edited either. Pre-defined and user-defined filters of the ViPNet Monitor program have lower priority. With proper permissions, you can edit or delete them at any time. Default filters are applied at the end of packet processing. This category includes only one network filter, which is a blocking filter and does not belong to any of the categories mentioned above.
Network filters are applied in a special order as in the scheme:
Figure 41. The priority of applying network filters
You can view the lists of network filters in the view pane of the main ViPNet Client Monitor window, in the Private Network Filters and Public Network Filters sections.
Figure 42. An example of displaying private network filters of various categories
Network filters have the following peculiarities:
In filters, the following parameters are specified:
o Action applied to IP packets. Filters can allow or block IP packets that correspond to the specified parameters.
o IP packets source and destination the filter is applied to.
o Protocols over which the IP packets are transferred.
o Schedule of applying a filter.
To specify the filter parameters, you can use object groups (see Using Object Groups on page 115).
User-defined filters affect both new and earlier-created connections. Thus, if the filter blocking the traffic of a certain connection is added after this connection has been established, then this connection will be broken.
Filters are applied to IP packets in the same order they are on the list. If an IP packet is allowed or blocked by the first filter that specifies its parameters, the rest of the filters do not affect this IP packet.
In the ViPNet Monitor program, the filters of different categories are displayed in the lists of the corresponding groups. Their order corresponds to their priority (see the previous scheme). The order of filters defined by the configuration and filters received from ViPNet Policy Manager cannot be changed. You can change the order of default filters and filters created in ViPNet Monitor by using the buttons that move a filter up or down the list. The filters you cannot edit or delete are marked with a special icon.
To change the filter action, double-click the filter and, in its properties window, in the General Options section, select the required action. To enable or disable a filter, select or clear the check box near the filter's name.
When network filters are edited or new filters are created, the status bar displays a message that the filters are modified, but have not been applied yet. To apply the edited or created filters, click Apply all and, within 30 seconds, confirm saving the changes. If you do not want to save the changes, click Cancel. In this case, the previous filter settings will be restored. If necessary, you may discard all changes and restore the pre-defined filters (see Restoring Predefined Filters and Object Groups on page 131).
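To make the filtering principles concrete (first match decides, anything unmatched is blocked, encrypted packets are filtered only after decryption identifies the source, and category priority is fixed while list order is kept within a category), here is an added example written for this page, not ViPNet's filtering engine: a small model of the filter chain with the four parameter kinds listed above (action, source and destination, protocol and port, schedule). The filter names, addresses, host identifier, and the two sample timestamps are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Fixed category priority from the guide: configuration filters first, then filters
# received from ViPNet Policy Manager, then pre-defined/user-defined filters,
# then the default (blocking) filter. List order is kept inside a category.
CATEGORY_PRIORITY = {"configuration": 0, "policy": 1, "user": 2, "default": 3}

# Constructed sample timestamps: a Tuesday during and after working hours.
WORK_HOUR = datetime(2024, 3, 5, 10, 0)
AFTER_HOURS = datetime(2024, 3, 5, 22, 0)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                           # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    encrypted: bool = False
    src_host_id: Optional[str] = None    # known only after successful decryption


@dataclass
class Filter:
    name: str
    action: str                          # "allow" or "block"
    category: str                        # a key of CATEGORY_PRIORITY
    enabled: bool = True
    src_nets: Tuple[str, ...] = ()       # public filters: source CIDRs, empty = any
    dst_nets: Tuple[str, ...] = ()       # destination CIDRs, empty = any
    src_hosts: Tuple[str, ...] = ()      # private filters: source ViPNet host ids, empty = any
    protos: Tuple[str, ...] = ()         # empty = any protocol
    ports: Tuple[int, ...] = ()          # empty = any destination port
    weekdays: Tuple[int, ...] = ()       # 0 = Monday ... 6 = Sunday, empty = every day
    hours: Optional[Tuple[int, int]] = None  # (from, to) in local hours, `to` exclusive

    def matches(self, pkt: Packet, when: datetime) -> bool:
        """True when every parameter the filter specifies fits the packet."""
        if not self.enabled:
            return False
        if self.src_nets and not in_any(pkt.src_ip, self.src_nets):
            return False
        if self.dst_nets and not in_any(pkt.dst_ip, self.dst_nets):
            return False
        if self.src_hosts and pkt.src_host_id not in self.src_hosts:
            return False
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        if self.weekdays and when.weekday() not in self.weekdays:
            return False
        if self.hours and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def apply_filters(pkt: Packet, public: List[Filter], private: List[Filter],
                  when: datetime) -> Tuple[str, str]:
    """First matching filter decides; a packet no filter matches is blocked.
    Returns (decision, name of the deciding filter)."""
    if pkt.encrypted and pkt.src_host_id is None:
        # Filters see encrypted packets only after decryption identified the source.
        return "block", "undecryptable"
    chain = private if pkt.encrypted else public
    ordered = sorted(chain, key=lambda f: CATEGORY_PRIORITY[f.category])  # stable sort
    for flt in ordered:
        if flt.matches(pkt, when):
            return flt.action, flt.name
    return "block", "no-filter-matched"


def sample_public_filters() -> List[Filter]:
    """Constructed public (unencrypted traffic) filter list; the policy filter is listed
    after the user filter on purpose to show that category beats list position."""
    return [
        Filter("Allow HTTPS to DMZ", "allow", "user", dst_nets=("10.0.5.0/24",),
               protos=("tcp",), ports=(443,), weekdays=(0, 1, 2, 3, 4), hours=(8, 20)),
        Filter("Policy: block scanner net", "block", "policy", src_nets=("198.51.100.0/24",)),
        Filter("Default", "block", "default"),
    ]


def sample_private_filters() -> List[Filter]:
    """Constructed private (encrypted traffic) filter list keyed by host identifier."""
    return [
        Filter("Allow my coordinator", "allow", "user", src_hosts=("000100CA",)),
        Filter("Default", "block", "default"),
    ]
```

The stable sort is the point worth noticing: it reproduces the guide's rule that you may reorder your own filters but never move them ahead of configuration or policy filters, and the private chain matches on the host identifier established by decryption rather than on the packet's IP addresses.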
Using Object Groups
Object groups allow for easier creation of network filters in the ViPNet Monitor program. They unite several values of the same type. You may use an object group instead of separate objects when you configure a filter. Object groups can be of several types:
Figure 43. Types of object groups
Built-in object groups contain default objects with unchangeable names, which you may use in user-defined object groups and in the network filters you create to specify the source and destination of IP packets. Built-in object groups are not displayed in group lists. You cannot edit or delete them. For a list of built-in object groups, see Built-in Object Groups (on page 116).
Object groups created in the ViPNet Policy Manager program and distributed with security policies are not available for editing or for use in the network filters you create or in user-defined object groups. In ViPNet Monitor, you can only view the contents of these groups.
User-defined object groups are created in the ViPNet Monitor program by a ViPNet user. They also include some default groups. For more information on default groups, see User-Defined Object Groups Set by Default (on page 117). Object groups vary in their contents, and you may specify exceptions from each group's contents. A group's contents and exceptions may include other object groups of the same category or some built-in object groups. You can work with such groups in the ViPNet Client Monitor window, Object Groups section.
Figure 44. Working with user-defined object groups
User-defined object groups' types are:
ViPNet Hosts, a group of hosts in a private network. It is used for private network filters.
IP Addresses, which may include single IP addresses, IP addresses ranges, and DNS names. It is used for public network filters.
Protocols, which may include protocols and ports. It is used in any filters.
Schedules, which may include timing conditions for network filters application by time and day of the week. It is used in any filters.
You may create an object group of any category. It is rational to group the sets of objects you often use. For more information about group creation, see Creating and Editing Object Groups (on page 118).
Built-in Object Groups

The table contains a list of built-in object groups with their values.

Table 4. Built-in object groups

Object group name | Value
All clients | All clients from the host links of the host
All coordinators | All coordinators from the host links of the host
All objects | A collection of all objects belonging to a certain type in a group. You can specify it only as a part of another group of objects. It allows you to create groups including all objects but some exceptions.
Open Internet coordinators | All Open Internet coordinators in the ViPNet network. Used only in the filters of the “Open Internet” configuration. You cannot specify it in the filters you create.
Broadcast addresses | All broadcast addresses. Used for creating broadcast filters.
My ViPNet host | Your ViPNet host. You may specify it as a source of IP packets for outbound connections or as a destination for inbound connections.
Other hosts | Any ViPNet hosts except for your host. You may specify it as a source of IP packets for inbound connections or as a destination for outbound connections.
Group addresses | A range of addresses for group distribution (224.0.0.0–239.255.255.255). You can specify it only as the destination for unencrypted connections.
User-Defined Object Groups Set by Default

In ViPNet Client, there are some preset object groups:
- Two default groups of IP addresses:
  o Public IP Addresses. This group contains all IP addresses except for private IP addresses.
  o Private IP Addresses. This group contains all IP addresses of local networks: 10.0.0.0; 172.16.0.0; 192.168.0.0.
- A set of default groups of protocols, containing the protocols most often used when creating network filters, such as DHCP, ViPNet Core Services, ViPNet Remote Viewing Log, and other groups.
- Two default groups of schedules:
  o Work week, a group with a schedule where working days (from Monday to Friday) are specified.
  o Weekend days, a group with a schedule where weekends (Saturday and Sunday) are specified.
Creating and Editing Object Groups

To create a new object group:
1. In the main ViPNet Monitor window, in the navigation pane, select Object Groups.
2. In the view pane, click the link corresponding to the type of the object group you are creating, or, in the navigation pane, go to the corresponding subsection.
3. In the view pane, click Create. The object group properties dialog box will be displayed. Specify the new group's parameters.
4. In the General Options section, specify the name of the new object group. A group name must be unique.
5. In the Contents section, specify the contents of the group you are creating. When you are creating a group of the following type:
   o ViPNet Hosts, specify the ViPNet hosts that should be included in this group. For more information, see Adding ViPNet Hosts (on page 121). You may also include the built-in object groups All coordinators and All clients (see Built-in Object Groups on page 116) in the ViPNet Hosts group.
     Figure 45. Creating ViPNet hosts group contents
   o IP Addresses, specify separate IP addresses, an IP address range or subnet, or DNS names. For more information, see Adding IP Addresses and DNS Names (on page 122).
     Figure 46. Creating IP addresses group contents
   o Protocols, specify protocols and, if necessary, port numbers. For more information, see Adding Protocols (on page 123).
     Figure 47. Creating protocols group contents
   o Schedules, compose a schedule of days of the week or time ranges. You may use such schedules later to limit the time during which network filters are active. For more information, see Adding Schedules (on page 124).
     Figure 48. Creating schedules group contents
   Note: Each object group may include subgroups of objects of the same type; in other words, you may nest groups of the same type.
6. In the Exceptions section, specify exceptions from the object group's contents, in other words, the objects that should not be present in the object group. For example, to create a group of protected hosts consisting of all coordinators except for one, add the built-in group All coordinators to the contents, and then specify that coordinator as an exception. You may specify another object group of the same type as an exception, too. Exceptions are created in the same way as object groups' contents.
   Note: You do not need to edit the Usage section. A list of filters using this object group is displayed there. When you are creating a new object group, this section is empty.
7. Click OK to complete the task. As a result, the newly created group will be displayed in the list of object groups of the selected type. If you create an object group and do not specify its contents, such a group will be considered empty. We do not recommend using empty groups in network filters, because filters that use them will not be applied.

To edit group properties, select the group in the corresponding object group subsection and double-click it or click Properties. After you edit the general properties of the group or the items included in it, in the group properties dialog box, click OK.

To delete an object group, select it in the corresponding subsection and click Delete. Confirm group deletion. If the object group you are deleting is used by any network filters or is nested in another object group, you will be prompted about it and it will not be deleted. In this case, in the message window, click Show Details and view in which objects this group is used, then remove the group from these objects and repeat the deletion.

Figure 49. An object group cannot be deleted

To enable the created or modified object groups, in the Object Groups section, click Apply all. In the displayed window, within 30 seconds, confirm saving the changes. If you do not want to save the changes, click Cancel.
Adding ViPNet Hosts

You may add ViPNet hosts to the contents and exceptions of host groups or choose them as the source and destination when creating private network filters. To do this:
- When creating a hosts group or a network filter, you may add a chosen set of ViPNet hosts. To do this, in the hosts group properties dialog box or network filter properties dialog box, in the corresponding section, click Add and, on the menu, click ViPNet host. In the new window, in the list, select a host or multiple hosts and click OK.
  Figure 50. Choosing ViPNet hosts
  As a result, the selected ViPNet hosts will be added to the group or filter.
- When creating a hosts group, you may add a set of hosts of a certain ViPNet network. To do this, in the corresponding sections of the group properties dialog box, click Add and, on the menu, click ViPNet network number. Type the number of the corresponding ViPNet network. As a result, all hosts of the selected network will be added.
- When creating a hosts group, you may add a set of hosts whose names match a mask you specify. To do this, in the corresponding sections of the group properties dialog box, click Add and, on the menu, click ViPNet host name template. Set a mask for a host name. You may set a mask in the standard way by using an asterisk (*) and a question mark (?). As a result, all hosts whose names match the mask will be added.
Adding IP Addresses and DNS Names

You may add IP addresses or DNS names to the contents and exceptions of IP addresses groups or specify them when defining the source and destination in local filters for a public network. To add IP addresses in one of the mentioned cases:
1. In the IP addresses group properties or network filter properties, in the corresponding section, click Add and, on the menu, click IP address or IP addresses range.
2. In the displayed window, do the following:
   o To add a certain IP address you know, click IP Address and, in the corresponding box, type this IP address.
   o To add IP addresses within a subnet, click Subnet and, in the corresponding boxes, type this subnet's address and mask.
   o To set an IP addresses range, click IP addresses range and, in the corresponding boxes, specify the beginning and the ending range addresses.
   Figure 51. Adding IP addresses
   After you type the required data, click OK. As a result, the specified IP address or IP addresses will be added.

To add a DNS name, in the IP addresses group properties or network filter properties, in the corresponding section, click Add and, on the menu, click DNS name. Type the DNS name and click OK. As a result, the DNS name will be added.
Adding Protocols

You may add protocols to the contents and exceptions of protocols groups or specify them when creating any network filter. To add protocols in one of the mentioned cases, in the protocols group or network filter properties window, in the corresponding section, click Add and, on the menu, click:
- TCP/UDP Protocol to add the TCP or UDP protocol with the source and destination port numbers. In the displayed window, do the following:
  o Depending on the protocol you want to add, under Protocol, choose the corresponding option.
  o If necessary, specify source port numbers. To do this, select:
    - All ports to specify all ports, which may be useful when, for example, you do not know the required port number.
    - Port number to specify a certain port number. In the corresponding list, select the required number.
    - Range to specify a port number range. In the corresponding boxes, specify the start and the end range numbers.
  o If necessary, set the destination port in the same way.
  Figure 52. Adding the TCP or UDP protocol
  After you type the required data, click OK.
- ICMP message to add the ICMP protocol. In the displayed window, select the ICMP protocol type and code (if necessary) and click OK.
- IP protocol to add other protocols. In the list, select the required protocol or type the protocol code (if you know it) and click OK.
Adding Schedules

You may add network filter schedules to the contents and exceptions of schedule groups or set them when configuring any network filter (if you want the filter to be enabled at a certain time or in certain time ranges). To add a schedule in one of the mentioned cases:
1. In the schedules group properties or network filter properties, in the corresponding section, click Add and, on the menu, click Time range.
2. In the displayed window, configure the schedule:
   o Under Date when the filter will be enabled, set the time range when the network filter will be enabled.
   o Click one of the following options:
     - Daily to enable the network filter every day at the specified time. If you need the filter to be enabled for a certain time period (for example, for two weeks), select the corresponding check box and set the required time range.
     - Weekly to enable the network filter on certain days of the week. Select the corresponding check boxes.
   Figure 53. Adding a schedule
3. After you type the required data, click OK. As a result, a schedule with the specified parameters will be added.
Creating Network Filters

In the ViPNet Client program, you can create the following filters:
- Private network filters.
- Public network filters.

To create any of these filters:
1. In the navigation pane of the main ViPNet Monitor window, select Network Filters and then click the type of filters you are going to create.
2. In the view pane, click Create. The network filter properties dialog box will be displayed. Specify the new filter's parameters.
3. In the General Options section, do the following:
   o In the corresponding box, type the filter's name.
   o Specify the new filter's action (block or allow traffic) by clicking the corresponding option under Action. The default filter action is Block IP traffic.
   Figure 54. Specifying general parameters of a filter
4. In the Sources section, specify the IP packet source the filter action will be applied to.
5. In the Destination section, specify the IP packet destination the filter action will be applied to.
6. In the Protocols section, specify the protocol you want to filter with. In this case, only the IP packets sent over this protocol will be processed with this filter.
   Figure 55. Adding protocols while creating a filter
7. In the Schedule section, specify the filter schedule.
   Figure 56. Adding a schedule while creating a filter
8. To save the new filter's parameters, click OK. As a result, the newly created filter will be displayed in the view pane. The created filter will be enabled unless you cleared the corresponding check box when specifying the filter's general parameters. To disable a network filter, clear the check box associated with the filter's name. Network filters are applied in the same order as they appear on the list.
9. To set the priority of the created filter, change its position on the list with the corresponding buttons.
10. To apply the created filter, click Apply all after you configure it. In the displayed window, within 30 seconds, confirm saving the changes.

For more information about creating filters of various types, see the corresponding sections later in this document.
Creating Private Network Filters

To create a filter for encrypted traffic (see Network Filters Overview on page 112):
1. In the navigation pane of the main ViPNet Monitor window, select Network Filters > Private Network Filters.
2. In the view pane, click Create and, in the displayed window, configure the new filter for encrypted traffic.
3. In the General Options section, specify the filter name and action: block or allow IP traffic.
4. In the Sources section, specify the source of encrypted IP packets. To do this, add:
   o One or several ViPNet hosts at once (see Adding ViPNet Hosts on page 121).
   o One or several ViPNet host groups (if you have created them) (see Creating and Editing Object Groups on page 118).
   o The built-in object group My ViPNet host. In this case, the filter will be applied to outbound connections of your ViPNet host.
   o The built-in object group Other hosts. In this case, the filter will be applied to inbound connections of your ViPNet host.
   o The built-in object groups All coordinators and All clients (see Built-in Object Groups on page 116).
   If you do not specify a source, the filter will be applied to all IP packets sent by any protected host and by your host as well.
   Figure 57. Specifying encrypted IP packets source
5. In the Destination section, specify the destination of the protected IP packets. To do this, add:
   o One or several ViPNet hosts at once (see Adding ViPNet Hosts on page 121).
   o One or several ViPNet host groups (if you have created them) (see Creating and Editing Object Groups on page 118).
   o The built-in object group My ViPNet host. In this case, the filter will be applied to inbound connections of your ViPNet host.
   o The built-in object group Other hosts. In this case, the filter will be applied to outbound connections of your ViPNet host.
   o The built-in object groups All coordinators and All clients (see Built-in Object Groups on page 116).
   o The built-in object group Broadcast. In this case, the filter will be applied to broadcast packets.
   If you specify Broadcast as a destination and My ViPNet host or Other hosts as a source (see earlier in this section), filters will be created for outgoing or incoming broadcast IP packets respectively. If you do not specify the destination, the filter will be applied to all IP packets sent to any ViPNet host and to your host as well.
   Figure 58. Specifying encrypted IP packets destination
6. In the Protocols section, specify the protocol you want to filter with.
7. In the Schedules section, specify the filter schedule if necessary.
8. Click OK. As a result, the newly created filter will be displayed in the view pane.
Creating Public Network Filters

To create a filter for local unencrypted traffic (see Network Filters Overview on page 112):
1. In the navigation pane of the main ViPNet Monitor window, select Network Filters > Public network filters.
2. In the view pane, click Create and, in the displayed window, configure the new filter for unencrypted traffic.
3. In the General Options section, specify the filter name and action: block or allow IP traffic.
4. In the Sources section, specify the source of unencrypted IP packets. To do this, add:
   o A source IP address, a DNS name, or an IP addresses range if there are several IP addresses (see Adding IP Addresses and DNS Names on page 122).
   o Source IP addresses groups (if you have created any) (see Creating and Editing Object Groups on page 118).
   o The built-in object group My ViPNet host. In this case, the filter will be applied to outbound unprotected connections of your host.
   o The built-in object group Other hosts. In this case, the filter will be applied to inbound unprotected connections of your host.
   If you do not specify a source, the filter will be applied to all IP packets sent by any unprotected host and by your host as well.
   Figure 59. Specifying the IP packets source in the public network
5. In the Destination section, specify the destination of unencrypted IP packets. To do this, add:
   o A destination IP address, a DNS name, or an IP addresses range if there are several IP addresses.
   o Destination IP addresses groups, if you have created any.
   o The built-in object group My ViPNet host. In this case, the filter will be applied to inbound unprotected connections of your host.
   o The built-in object group Other hosts. In this case, the filter will be applied to outgoing unprotected connections of your host.
   o The Broadcast IP addresses built-in object group, if you want to add broadcast addresses. In this case, the filter will be applied to broadcast packets.
   o The Group IP addresses built-in object group. In this case, the filter will be applied to the packets sent via group distribution.
   If you do not specify a destination, the filter will be applied to all IP packets sent to any unprotected host.
   Figure 60. Specifying the IP packets destination in the public network
6. In the Protocols section, specify the protocol you want to filter with.
7. In the Schedules section, specify the filter schedule if necessary.
8. Click OK. As a result, the newly created filter will be displayed in the view pane.
Restoring Pre-defined Filters and Object Groups

If you are not going to use the list of network filters you have created, you can roll back to the pre-defined filters. In this case, all lists of user-defined filters will be overwritten by the pre-defined ones. Pre-defined object groups will be restored too. To restore pre-defined filters and object groups:
1. In the navigation pane of the main ViPNet Monitor window, select Network Filters.
2. In the view pane, click Restore Network Filters.
3. In the Delete Filters window, confirm the operation by clicking Yes. As a result, in all network filters sections of the program, under Custom Filters, you will see only pre-defined filters. In the Object Groups subsections, only pre-defined groups will be displayed.
Object Groups and Network Filters Usage Example

Let's describe a typical use case for object groups and network filters. Suppose there is a corporate mail server with ViPNet Monitor installed. It is required that this mail server:
- Exchanges information with external mail servers.
- Lets employees who work remotely receive and send e-mail messages through the Internet.

External mail servers and users send e-mail messages to your mail server over SMTP. Users receive the messages over POP3 and IMAP. To organize e-mail message exchange with external mail servers and users and provide the users with access to their mail through the Internet, on the protected mail server, create a network filter that allows receiving and sending IP packets using TCP port 25 (the standard port for the SMTP protocol) and ports 110 and 143 for the POP3 and IMAP protocols respectively. You can create a protocol group including all the mentioned protocols and use this group when you create the network filter. Besides, you can use it again when you create additional filters for your mail server if necessary.

To create a protocol group:
1. In the main ViPNet Monitor window, in the navigation pane, select Object Groups > Protocols.
2. In the view pane, click Create and, in the group options window, in the Contents section, add all the required protocols.
3. To add the SMTP protocol, click Add and choose TCP/UDP, and then, in the TCP/UDP Protocol window, specify:
   o protocol TCP;
   o source port All ports;
   o destination port 25-smtp.
   Figure 61. An example of an allowing rule for SMTP
4. In the same way, add the POP3 and IMAP protocols, specifying ports 110 and 143 as the destination port respectively.
5. After you have added the protocols, in the group options window, click OK. As a result, the protocol group will be created. You can use this group when you create a filter.

Figure 62. The protocols group for your mail server

To create a network filter allowing you to exchange e-mail messages with external servers and users, on the protected server, do the following:
1. In the navigation pane of the main ViPNet Monitor window, select Network Filters > Public network filters.
2. In the Public network filters section, create a network filter for all IP addresses, because you cannot find out the IP addresses of external mail servers in advance and this filter should be applied to the IP addresses of all users. To do that, in the view pane, click Create and, in the filter options window, specify its parameters.
3. In the General Options section, in the Action list, click Allow IP traffic.
4. For the filter to be applied to all IP addresses, in the Sources and Destination sections, do not specify any parameters.
5. In the Protocols section, click Add and choose Protocol group. Then, in the options window, choose the protocol group created in advance.
6. You do not need to create a schedule for this filter.
7. Click OK. The network filter will be created.

Thus, on the protected mail server, e-mail message exchange with external mail servers and employees will be allowed. The employees will have access to their mail through the Internet.

Figure 63. Allowing filter for the SMTP, POP3, and IMAP protocols
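The group and filter semantics described in Creating and Editing Object Groups and replayed in this mail-server example, as an added illustration written for this guide and not code from the ViPNet product: a group matches its contents minus its exceptions, groups nest, an empty group matches nothing, an unspecified source or destination means any address, and filters are tried in list order. The prefix lengths of the private ranges, the blocked range 192.0.2.0/24 and all packet addresses are constructed assumptions.

```python
"""Added model of object groups (contents minus exceptions, nesting, empty groups)
and of network filters tried in list order; not ViPNet code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class IPGroup:
    """User-defined IP Addresses group; items are ip_network objects or nested IPGroups."""
    name: str
    contents: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)

    @staticmethod
    def _hit(items, ip) -> bool:
        return any(item.contains(ip) if isinstance(item, IPGroup) else ip in item
                   for item in items)

    def contains(self, ip) -> bool:
        if isinstance(ip, str):
            ip = ipaddress.ip_address(ip)
        # No contents means an "empty" group: it matches nothing, so a filter
        # that relies on it is never applied, as the guide warns.
        return self._hit(self.contents, ip) and not self._hit(self.exceptions, ip)

@dataclass
class ProtoRule:
    """TCP/UDP entry with source and destination port ranges; (0, 65535) is All ports."""
    proto: str
    src: Tuple[int, int] = (0, 65535)
    dst: Tuple[int, int] = (0, 65535)

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (proto == self.proto and self.src[0] <= sport <= self.src[1]
                and self.dst[0] <= dport <= self.dst[1])

@dataclass
class ProtoGroup:
    """User-defined Protocols group: contents minus exceptions."""
    name: str
    contents: List[ProtoRule] = field(default_factory=list)
    exceptions: List[ProtoRule] = field(default_factory=list)

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (any(r.matches(proto, sport, dport) for r in self.contents)
                and not any(r.matches(proto, sport, dport) for r in self.exceptions))

@dataclass
class NetFilter:
    """One public network filter; a section left unspecified (None) matches any value."""
    name: str
    action: str                          # "allow" or "block"
    sources: Optional[IPGroup] = None
    destinations: Optional[IPGroup] = None
    protocols: Optional[ProtoGroup] = None
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        src_ok = self.sources is None or self.sources.contains(pkt["src"])
        dst_ok = self.destinations is None or self.destinations.contains(pkt["dst"])
        proto_ok = self.protocols is None or self.protocols.matches(
            pkt["proto"], pkt["sport"], pkt["dport"])
        return src_ok and dst_ok and proto_ok

def apply_filters(filters: List[NetFilter], pkt: dict) -> Optional[str]:
    """Action of the first enabled matching filter, in list order; None when no
    filter matches (in the product the remaining pre-defined filters then decide)."""
    for f in filters:
        if f.enabled and f.matches(pkt):
            return f.action
    return None

def packet(src: str, dst: str, proto: str, sport: int, dport: int) -> dict:
    # Constructed packet description used for the checks.
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}

# The two default IP address groups from the guide. The prefix lengths are an
# assumption; the guide lists only 10.0.0.0, 172.16.0.0 and 192.168.0.0.
PRIVATE = IPGroup("Private IP Addresses", [ipaddress.ip_network(n) for n in
                                           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")])
PUBLIC = IPGroup("Public IP Addresses", [ipaddress.ip_network("0.0.0.0/0")], exceptions=[PRIVATE])

# The protocol group from the mail-server example: TCP, any source port, destination 25/110/143.
MAIL = ProtoGroup("Mail server", [ProtoRule("tcp", dst=(p, p)) for p in (25, 110, 143)])

# Constructed filter list: a blocking filter for one range placed above the
# allowing mail filter, to show that position on the list decides.
BLOCKED_RANGE = IPGroup("Blocked range (constructed)", [ipaddress.ip_network("192.0.2.0/24")])
FILTERS = [
    NetFilter("Block 192.0.2.0/24", "block", sources=BLOCKED_RANGE),
    NetFilter("Allow mail", "allow", protocols=MAIL),  # no source/destination: all addresses
]
```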
Blocking IP Traffic

In the ViPNet Monitor program, you can block your computer's IP traffic. In this case, you will not be able to connect to any protected or unprotected hosts. To block your IP traffic:
1. In the ViPNet Monitor program, enable traffic blocking in one of the following ways:
   o On the ViPNet Client menu, choose Configurations > Block IP Traffic.
   o In the notification area, right-click the program icon and choose Block IP Traffic from the menu.
2. If you want traffic to be unblocked automatically when a certain condition is met, then, in the Block IP traffic window:
   o Select the Automatically allow IP traffic check box.
   o Choose the condition from the list below the selected check box: after the computer restart or in a certain period of time.
   Figure 64. Blocking IP traffic
3. Click Block IP Traffic. All encrypted and unencrypted traffic of your computer will be blocked, and the ViPNet Monitor icon in the notification area will change accordingly.
4. To enable traffic protection, on the ViPNet Client menu, choose Configurations > Allow IP traffic.
Disabling Traffic Protection

If necessary, you can disable IP traffic protection in the ViPNet Client program. In this case, traffic processing and logging will be disabled. You will not be able to connect to ViPNet hosts. If you are using ViPNet SafeDisk-V together with ViPNet Client, you will not be able to start ViPNet SafeDisk-V either.

Warning: We strongly recommend that you do not work on a host where traffic protection is disabled, because such a host is not protected against unauthorized access from the network. IP traffic protection can be disabled only for a short period of time for testing purposes.

If you want to disable traffic protection:
1. In the ViPNet Monitor program, on the File menu, select Configurations > Disable Protection.
2. If you want traffic protection to be enabled automatically when a certain condition is met, then, in the Disable Protection window:
   o Select the Automatically enable IP traffic protection check box.
   o Choose the condition from the list below the selected check box: after the computer restart or in a certain period of time.
   Figure 65. Disabling traffic protection
3. Click Disable protection. Traffic protection will be disabled, and the ViPNet Monitor icon in the notification area will change accordingly.
4. To enable traffic protection, on the File menu, select Configurations > Enable protection.
8 Application Protocols Processing

Application Protocols Overview .... 138
Application Protocols Description .... 140
Application Protocols Options .... 141
Application Protocols Overview

The functioning of network services, for example, IP telephony, DNS service, and FTP service, is ensured by application protocols. When you use application protocols, IP addresses are often transferred in the body of an IP packet. Such behavior may lead to service inoperability on protected hosts when virtual IP address technology is used. Besides the main (control) connection, some application protocols establish additional connections for data transfer on a random port. You cannot create an allowing filter for IP packets sent to a destination port that is not known in advance. Therefore, the connection will be blocked. The application protocols processing function can help you solve these problems. This function ensures:
- The substitution of the virtual IP address in the packet's body with a real IP address, when virtual IP address technology is used.
- Enabling an allowing network filter for connecting to a random port opened by the application protocol.

Note: In ViPNet Monitor, you can configure application protocols processing options for unencrypted and encrypted traffic.

Take into account that application protocols processing does not automatically allow establishing the control connection to unprotected hosts. The control connection to unprotected hosts is established in accordance with the specified network filters.

Let's explain how an application protocol is processed using the FTP protocol as an example. When you transfer a file from an FTP client to an FTP server, two TCP connections are required according to the protocol: a control connection that is established to send commands to the FTP server and receive response packets, and an additional connection for data transfer. A connection between a client and a server can be established in one of two modes: active and passive. In the active mode, the client initiates a control connection from a port in the range 1024-65535 to port 21 on the server. The server connects to the client using the port number the connection was initiated on and establishes a connection for data transfer. On the server, port 20 is used. In the passive mode, after the control connection has been established, the server informs the client about the port number (1024-65535) that the client can use to establish the connection. Thus, in the active mode, the client should accept the connection for data transfer from the server, while in the passive mode, the connection for data transfer is always initiated by the client.

To establish the control and additional connections, in both active and passive FTP modes, configure ViPNet Monitor as follows:
- If pre-defined public network filters that allow all outbound connections are enabled, you do not need to perform additional configuring to allow the outbound control connection. If public network filters do not allow any outbound connections, create a public network filter (see Creating Public Network Filters on page 128) that allows an outbound connection over the TCP protocol to port 21 of the FTP server.
- To allow the additional connection in the active mode, you should enable FTP processing, which means that the required traffic filter will be enabled. Make sure FTP processing is enabled.
- You do not need to make any special settings to allow the additional connection in the passive mode.
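The data-connection discovery that FTP processing relies on, as an added illustration written for this page rather than code from ViPNet: it parses the PORT command (active mode) and the 227 reply (passive mode) defined in RFC 959 to derive the one connection an allowing filter must cover, and refuses announcements that point at a third-party address or a privileged port. The client and server addresses and the control-channel transcript are constructed.

```python
"""Added illustration of FTP application-protocol processing: find the data
connection announced on the control channel so a matching allowing filter can
be enabled. Not ViPNet code; the session lines and addresses are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX + r"\s*$", re.IGNORECASE)  # client, active mode
PASV_RE = re.compile(r"^227\b.*?\(" + SIX + r"\)")                 # server, passive mode


@dataclass
class DataRule:
    """The one connection an allowing filter must cover for this transfer."""
    mode: str             # "active" (server connects to client) or "passive" (client connects)
    src: str
    sport: Optional[int]  # 20 on the server in active mode; any client port in passive mode
    dst: str
    dport: int


def _decode(fields) -> Tuple[str, int]:
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("host/port field above 255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_rule(line: str, client_ip: str, server_ip: str) -> Optional[DataRule]:
    """Return the data-connection rule announced by one control-channel line, None if
    the line announces nothing, ValueError if the announcement must not be honoured."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        # Only open a filter back to the client itself, on an unprivileged port;
        # anything else would let the control channel steer traffic elsewhere.
        if host != client_ip:
            raise ValueError(f"PORT names {host}, not the client {client_ip}")
        if port < 1024:
            raise ValueError(f"PORT names privileged port {port}")
        return DataRule("active", server_ip, 20, client_ip, port)
    m = PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != server_ip:
            raise ValueError(f"227 names {host}, not the server {server_ip}")
        if port < 1024:
            raise ValueError(f"227 names privileged port {port}")
        return DataRule("passive", client_ip, None, server_ip, port)
    return None


def inspect_session(lines: List[str], client_ip: str, server_ip: str):
    """Walk a control-channel transcript; return (rules to enable, rejected lines)."""
    rules, rejected = [], []
    for line in lines:
        try:
            rule = data_rule(line, client_ip, server_ip)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        if rule is not None:
            rules.append(rule)
    return rules, rejected


# Constructed transcript: client 10.0.0.5 talking to server 203.0.113.20.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 10,0,0,5,200,11",                             # active: 200*256+11 = 51211
    "227 Entering Passive Mode (203,0,113,20,195,80).",  # passive: 195*256+80 = 50000
    "PORT 192,0,2,9,200,11",                            # third-party address: rejected
    "227 Entering Passive Mode (203,0,113,20,0,80).",    # port 80: rejected
]

if __name__ == "__main__":
    rules, rejected = inspect_session(SAMPLE_SESSION, "10.0.0.5", "203.0.113.20")
    for r in rules:
        print(f"allow tcp {r.src}:{r.sport or 'any'} -> {r.dst}:{r.dport} ({r.mode})")
    for line, why in rejected:
        print(f"rejected {line!r}: {why}")
```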
Let's give one more example of protocol processing, considering the SIP protocol. The SIP protocol is used for organizing, modifying, and terminating connection sessions: multimedia conferences, phone connections, and streaming multimedia distribution. The initiating SIP client sends a request (for example, an invitation to join a connection session, a response confirmation, or a connection session termination) to the receiving SIP client, addressing it by its SIP identifier. Depending on the connection establishment type, the request is either directed to the receiving client, or transferred via a SIP proxy server or a redirect server. The receiving client, depending on the received request type, sends a response (for example, information about a request processing error, request received and being processed, or request denied) to the client who initiated the connection. To establish a connection session over the SIP protocol, you should establish TCP and UDP connections between SIP clients using port 5060.

To establish a connection session between SIP clients, make sure SIP processing is enabled and configure the following advanced options in ViPNet Monitor:
1. For a SIP client to accept a connection session establishment request or a response, you should create a public network filter that allows inbound connections over the TCP or UDP protocol on port 5060.
2. For a SIP client to send a connection session establishment request or a response:
   o If pre-defined public network filters that allow all outbound connections are enabled, you do not need to configure additional filters.
   o If public network filters do not allow any outbound connections, you should create a public network filter that allows an outbound connection over the TCP or UDP protocol on port 5060.
Application Protocols Description Note: In ViPNet Client version 3.2 and later, there is no web filtering and HTTP application protocol processing.
In the ViPNet Monitor program, you can configure processing parameters for the following application protocols:
FTP (File Transfer Protocol) provides file exchange between an FTP client and an FTP server.
DNS (Domain Name System) translates DNS names into IP addresses.
H.323 allows multimedia conferencing programs to work in IP networks, including the Internet.
SCCP (Skinny Client Control Protocol) carries messages between Skinny clients (wired and wireless Cisco IP telephones) and Cisco CallManager or the Cisco Unity voice mail server.
SIP (Session Initiation Protocol) establishes sessions for voice and video calls and other multimedia exchange.
Note: The list of application protocols supported by the ViPNet Monitor program is fixed; you cannot add protocols to the list or remove protocols from it.
Application Protocols Options
Warning: Disable the DPI (deep packet inspection) function on network equipment (routers, gateways) in networks where application protocols are processed by ViPNet. If DPI is left enabled, applications that use FTP, DNS, H.323, SCCP or SIP may malfunction.
To configure how application protocols are processed in unencrypted and encrypted traffic:
1. In the ViPNet Monitor main window, on the Service menu, click Options.
2. In the Options dialog box, in the navigation pane, click Application Protocols.
Figure 66. Application protocols section
The Application protocols section lists the supported application protocols (see Application Protocols Description on page 140).
Note: By default, the most commonly used network protocols and ports are specified for every application protocol. The list of supported application protocols is fixed; you cannot add protocols to it or remove protocols from it.
3. In the Application Protocols section, click the protocol whose settings you want to change and click Edit.
4. If necessary, in the Configuring Application Protocol window (the window name depends on the application protocol chosen):
   o To enable a network protocol, select its check box and specify the ports.
   Note: The application protocol processing settings must match the settings of the applications themselves (a web browser, an FTP client, a SIP client, and so on). When you enter port numbers and port ranges, separate them with commas.
   o To disable a network protocol, clear its check box.
   o To disable processing of an application protocol, disable all of its network protocols and confirm by clicking OK.
Figure 67. Configuring application protocols processing
When you have finished, click OK.
Warning: We do not recommend disabling application protocol processing, because it may interfere with the operation of the applications.
5. To save the settings, in the Application Protocols section, click Apply.
6. To restore the default settings, in the Application Protocols section, click By default.
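The port list syntax and the enable/disable rules of the procedure above lend themselves to a small validator. The following Python script is an added example and is not part of the ViPNet software or of this guide: it parses a comma-separated port list the way the dialog expects it (assuming ranges are written as low-high), rejects malformed entries before they silently change which traffic the protocol handler sees, and models the rule that clearing every network protocol check box switches off processing of the application protocol. The AppProtocolSettings class and its field names are assumptions for illustration.

```python
"""Validate the port lists typed into the Configuring Application Protocol dialog.

Added example, not ViPNet code. Assumptions: ranges are written "low-high",
whitespace around items is ignored, and port 0 is not a usable port.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_PORT = 65535


def _port(text: str) -> int:
    """Parse one port number, rejecting anything that is not 1..65535."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"not a port number: {text!r}")
    port = int(text)
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port out of range 1-{MAX_PORT}: {port}")
    return port


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Turn '5060, 5061-5070' into [(5060, 5060), (5061, 5070)].

    Every item must be a port or a low-high range; an empty item (trailing
    comma), a stray separator such as ';' or a reversed range is an error, so a
    typo cannot quietly widen or narrow the traffic the protocol handler sees.
    """
    ranges: list[tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in port list {spec!r}")
        low_text, dash, high_text = item.partition("-")
        low = _port(low_text)
        high = _port(high_text) if dash else low
        if low > high:
            raise ValueError(f"reversed range {item!r}")
        ranges.append((low, high))
    return ranges


def port_matches(port: int, ranges: list[tuple[int, int]]) -> bool:
    return any(low <= port <= high for low, high in ranges)


@dataclass
class AppProtocolSettings:
    """One row of the Application Protocols section (names are assumptions)."""
    name: str
    # network protocol -> (check box state, port list exactly as typed)
    network: dict[str, tuple[bool, str]] = field(default_factory=dict)

    def validate(self) -> list[str]:
        """Return the problems to fix before clicking Apply."""
        problems = []
        for transport, (enabled, spec) in self.network.items():
            if enabled:
                try:
                    parse_port_spec(spec)
                except ValueError as exc:
                    problems.append(f"{self.name}/{transport}: {exc}")
        if not self.processing_enabled():
            problems.append(f"{self.name}: all network protocols disabled, "
                            "application protocol processing is off")
        return problems

    def processing_enabled(self) -> bool:
        """Processing stops once every network protocol check box is cleared."""
        return any(enabled for enabled, _ in self.network.values())

    def handles(self, transport: str, port: int) -> bool:
        """Would this protocol's handler see traffic on transport/port?"""
        enabled, spec = self.network.get(transport, (False, ""))
        return enabled and port_matches(port, parse_port_spec(spec))


# Default SIP settings as the guide describes them: TCP and UDP on port 5060.
SIP_DEFAULT = AppProtocolSettings("SIP", {"TCP": (True, "5060"),
                                          "UDP": (True, "5060")})
```

Run validate() on each protocol row before applying a change: a single semicolon typed instead of a comma is reported as a parse error rather than being accepted as a port list that matches nothing, and a row with every check box cleared is flagged because the guide warns that disabling processing can break the application.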
9 Integration with ViPNet SafeDisk-V
General Information about ViPNet SafeDisk-V ...... 144
Providing ViPNet Client and ViPNet SafeDisk-V Integration: Checklist ...... 145
Working with Integrated ViPNet SafeDisk-V ...... 147
General Information about ViPNet SafeDisk-V
ViPNet SafeDisk-V protects sensitive data stored on a hard or removable drive. Protected information is kept in a SafeDisk-V container, which is an encrypted file. When you connect a container in the ViPNet SafeDisk-V program, it appears in the operating system as an ordinary logical disk. Data written to the connected container is encrypted automatically, and data read from it is decrypted automatically; the encryption is transparent and requires no action from you. When you disconnect the container, the logical disk disappears from the system.
ViPNet SafeDisk-V integrated with ViPNet Client has the following advantages over a separately installed ViPNet SafeDisk:
Only a ViPNet Client user can access the protected information stored in SafeDisk-V containers. While you work with containers, ViPNet Client provides additional protection (see Working with Integrated ViPNet SafeDisk-V on page 147).
You do not need to update the keys manually. The container keys are updated together with the host keys and the ViPNet user keys that protect these container keys.
Note: While you are working with protected SafeDisk-V containers, updates can be installed only manually, regardless of the chosen updating mode (see Automatic Updating on page 72).
While you work with SafeDisk-V containers, the protected and unprotected connections of the ViPNet host are restricted in ViPNet Monitor by special network filters. These filters are created when ViPNet SafeDisk-V starts, have the highest priority, and are not displayed in the ViPNet Client program (see Working with Integrated ViPNet SafeDisk-V on page 147). In addition, for a higher level of security, the following actions are disabled while you work with SafeDisk-V containers: switching to the "Internet" or "Open Internet" configuration, changing the user, and logging off.
Providing ViPNet Client and ViPNet SafeDisk-V Integration: Checklist
Warning: ViPNet Client version 4.x can be integrated only with ViPNet SafeDisk-V 4.2.
To provide full compatibility of ViPNet SafeDisk-V and ViPNet Client on your host, complete the steps in the checklist below.
Table 5. Providing ViPNet Client and ViPNet SafeDisk-V integration: checklist
Step 1. The ViPNet network administrator should:
   o In a ViPNet network managed with the ViPNet Administrator software, in the ViPNet Network Control Center program, add the "SafeDisk" role to the host. Reference: "ViPNet Administrator Network Control Center. Administrator's Guide".
   o In a ViPNet network managed with the ViPNet Network Manager program, in ViPNet Network Manager, on the Keys tab, select the Use SafeDisk-V check box. Reference: "ViPNet VPN. User's Guide".
Step 2. The ViPNet network administrator should:
   o In a ViPNet network managed with the ViPNet Administrator software, when creating a new host in ViPNet Key and Certification Center, also create a key set file and install it on the host. For a host created earlier, in ViPNet Key and Certification Center, create host links and send them to this host. Reference: "ViPNet Administrator Key and Certification Authority. Administrator's Guide", "ViPNet Administrator Network Control Center. Administrator's Guide".
   o In a ViPNet network managed with the ViPNet Network Manager program, in ViPNet Network Manager, send a key set to the host, or save the keys to a file and install them on the host manually. Reference: "ViPNet VPN. User's Guide".
Step 3. A user with Windows administrator rights installs the ViPNet SafeDisk-V program on this host. Reference: "ViPNet SafeDisk-V. User's Guide".
Step 4. Get acquainted with ViPNet Client and ViPNet SafeDisk-V integration. Reference: Working with Integrated ViPNet SafeDisk-V (on page 147).
Step 5. Make sure that ViPNet Client is not in the "Open Internet" or "Internet" configuration and that IP traffic protection is enabled. When the program is in one of these configurations or IP traffic protection is disabled, you cannot start ViPNet SafeDisk-V. Reference: Managing ViPNet Monitor Configurations (on page 184), Disabling Traffic Protection (on page 136).
Tip: We recommend that you print this checklist and tick off the steps as you complete them.
Working with Integrated ViPNet SafeDisk-V
If all the conditions for the joint operation of ViPNet Client and ViPNet SafeDisk-V have been met:
Start ViPNet Monitor, then start ViPNet SafeDisk-V. If ViPNet Monitor is not running, if it is running in the "Internet" or "Open Internet" configuration, or if IP traffic protection is disabled in the program, you will be notified and ViPNet SafeDisk-V will not start.
When you start ViPNet SafeDisk-V, the ViPNet SafeDisk-V window is displayed, in which you configure the traffic protection that ViPNet Client enforces. The corresponding network filters are then added to ViPNet Client. These filters are active only while ViPNet SafeDisk-V is running.
Figure 68. Configuring traffic protection parameters for ViPNet Client
You cannot change these settings in ViPNet Monitor. This protects the encrypted containers against unauthorized access by users of both protected and unprotected network segments (for example, a system administrator or a ViPNet network administrator cannot access your container). By default, while you work with encrypted containers, all unencrypted connections are blocked regardless of your ViPNet Client settings (that is, under When working in public network, Block public IP traffic is selected). We strongly recommend that you keep the default public network setting: even if you allow only outbound unencrypted connections (Block web browsing and incoming public IP traffic under When working in public network), that is potentially insecure while you work with the information in an encrypted container.
After you specify the traffic protection parameters in the ViPNet SafeDisk-V window, a message about switching to SafeDisk-V mode is displayed over the ViPNet Monitor icon in the notification area. The title of the main ViPNet Monitor window contains the words "SafeDisk-V Mode", the program interface is restricted (for example, you cannot work with network filters), and the following features are locked:
   o logging on to the program in administrator mode;
   o disabling IP traffic protection;
   o switching to the "Internet" and "Open Internet" configurations;
   o logging off and logging on as another user.
In addition, blocking filters (according to the settings in the main ViPNet SafeDisk-V window) are enabled with a priority higher than that of the filters configured in ViPNet Client. These filters are not displayed in ViPNet Client.
After you close ViPNet SafeDisk-V (including when you execute the Urgent Container Disconnect command in Danger mode or the Destruct all containers command in Extreme Danger mode), the following happens in ViPNet Client:
   o all the filters loaded at ViPNet SafeDisk-V startup are unloaded;
   o the filters of the configuration that was in use before ViPNet SafeDisk-V started are used again;
   o the unrestricted interface is restored, and the following become available again:
      logging on to the program in administrator mode;
      disabling IP traffic protection;
      switching to the "Internet" and "Open Internet" configurations;
      logging off and logging on as another user.
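Two rules in the section above are easy to get wrong in practice: the SafeDisk-V blocking filters are matched before the user's filters whatever the user's configuration says, and they disappear again the moment SafeDisk-V closes. The following Python model is an added example and is not ViPNet code; it reproduces that ordering with a first-match filter list, uses the SIP filters from the Application Protocols chapter as the user's configuration, and implements the two public-network policies of the SafeDisk-V window together with the interface locks the guide lists. Its assumptions: traffic that no filter matches is blocked, "web browsing" means outbound TCP to ports 80 and 443, and the class, field and policy names are invented for illustration.

```python
"""Filter precedence while ViPNet SafeDisk-V is running.

Added example, not ViPNet code. Models the guide's rules: SafeDisk-V filters
outrank the user's filters, cannot be edited from ViPNet Monitor, and are
unloaded when SafeDisk-V closes. Assumptions: unmatched traffic is blocked,
"web browsing" is outbound TCP to 80 and 443, and all names are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out"
    transport: str    # "TCP" or "UDP"
    port: int         # destination port ("in") or remote port ("out")
    protected: bool   # True: encrypted ViPNet traffic, False: public traffic


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                              # "allow" or "block"
    direction: Optional[str] = None          # None matches both directions
    transport: Optional[str] = None          # None matches TCP and UDP
    ports: Optional[tuple[int, int]] = None  # inclusive range; None matches any port
    protected: Optional[bool] = None         # None matches protected and public

    def matches(self, p: Packet) -> bool:
        wanted = ((self.direction, p.direction), (self.transport, p.transport),
                  (self.protected, p.protected))
        if any(want is not None and want != have for want, have in wanted):
            return False
        return self.ports is None or self.ports[0] <= p.port <= self.ports[1]


class SafeDiskModeError(RuntimeError):
    """An action the guide lists as locked while in SafeDisk-V mode."""


class Monitor:
    """A ViPNet Monitor configuration: ordered filters, first match wins."""

    def __init__(self, configuration: str, filters: list[Filter]):
        self.configuration = configuration
        self.filters = list(filters)
        self.safedisk_filters: list[Filter] = []

    @property
    def safedisk_mode(self) -> bool:
        return bool(self.safedisk_filters)

    def decide(self, p: Packet) -> str:
        # SafeDisk-V filters are consulted before anything the user configured.
        for f in self.safedisk_filters + self.filters:
            if f.matches(p):
                return f.action
        return "block"  # assumption: traffic no filter matches is blocked

    def add_filter(self, f: Filter) -> None:
        if self.safedisk_mode:
            raise SafeDiskModeError("network filters are locked in SafeDisk-V mode")
        self.filters.insert(0, f)

    def switch_configuration(self, name: str) -> None:
        if self.safedisk_mode and name in ("Internet", "Open Internet"):
            raise SafeDiskModeError(f"cannot switch to {name!r} in SafeDisk-V mode")
        self.configuration = name

    def start_safedisk(self, public_policy: str = "block_public") -> None:
        """Load the blocking filters chosen in the ViPNet SafeDisk-V window."""
        if self.configuration in ("Internet", "Open Internet"):
            raise SafeDiskModeError("SafeDisk-V does not start in this configuration")
        if public_policy == "block_public":  # the default and recommended choice
            self.safedisk_filters = [
                Filter("SafeDisk-V: block public IP traffic", "block", protected=False)]
        elif public_policy == "block_web_and_inbound":  # the weaker option the guide warns against
            self.safedisk_filters = [
                Filter("SafeDisk-V: block inbound public IP traffic", "block",
                       direction="in", protected=False),
                Filter("SafeDisk-V: block web browsing (HTTP)", "block",
                       direction="out", transport="TCP", ports=(80, 80), protected=False),
                Filter("SafeDisk-V: block web browsing (HTTPS)", "block",
                       direction="out", transport="TCP", ports=(443, 443), protected=False),
            ]
        else:
            raise ValueError(f"unknown policy {public_policy!r}")

    def stop_safedisk(self) -> None:
        """Closing SafeDisk-V unloads its filters; the previous configuration stays."""
        self.safedisk_filters = []


def make_main() -> Monitor:
    """Constructed user configuration: protected traffic, the SIP filters and
    the pre-defined 'allow all outbound' filter from the guide."""
    return Monitor("Main", [
        Filter("allow protected traffic", "allow", protected=True),
        Filter("SIP inbound TCP 5060", "allow", direction="in", transport="TCP",
               ports=(5060, 5060), protected=False),
        Filter("SIP inbound UDP 5060", "allow", direction="in", transport="UDP",
               ports=(5060, 5060), protected=False),
        Filter("allow all outbound (pre-defined)", "allow", direction="out", protected=False),
    ])


def sip_invite_walkthrough() -> dict[str, str]:
    """Decision for an inbound public SIP packet before, during and after SafeDisk-V."""
    m = make_main()
    invite = Packet("in", "UDP", 5060, protected=False)
    result = {"before": m.decide(invite)}
    m.start_safedisk()
    result["during"] = m.decide(invite)
    m.stop_safedisk()
    result["after"] = m.decide(invite)
    return result
```

sip_invite_walkthrough() shows the practical consequence for the SIP setup from the previous chapter: the inbound port 5060 filter the user created is overridden while a container is open and comes back untouched when SafeDisk-V closes, so a softphone that stops ringing in SafeDisk-V mode is behaving as designed, not misconfigured.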
10 Integrated Communication Tools
Overview ...... 150
Encrypted Instant Messaging ...... 151
Sending ViPNet Business Mail Messages ...... 157
File Exchange ...... 158
External Programs ...... 164
Viewing Web Resources of a ViPNet Host ...... 165
Shared Host Resources Overview ...... 166
Checking Connection to a ViPNet Host ...... 167
Overview
The ViPNet Monitor software includes the following additional tools for rapid and secure data transfer:
Exchanging encrypted chat and conference messages.
Sending email quickly.
Exchanging files.
Starting external programs.
Opening a web resource on a ViPNet host.
Viewing shared network resources.
Checking the connection to another ViPNet host.
Encrypted Instant Messaging
ViPNet network users can chat with other ViPNet users or take part in a conference with several users:
You can start a chat with one or several users at once. Note that each counterpart receives your messages but does not receive the other counterparts' messages. To start a chat, in ViPNet Monitor, in the navigation pane, select Private Network. Then, in the view pane, choose one or several hosts. On the hosts' context menu, click Chat, or on the toolbar, click Chat.
You can start a conference with more than one user, so that all counterparts receive each other's messages and can respond to them. This is the essential difference between a chat and a conference. To start a conference, in ViPNet Monitor, in the navigation pane, choose Private Network. Then, in the view pane, select several hosts. On the hosts' context menu, click Organize Conference, or on the toolbar, click Conference (by default, this button is hidden).
You can take part in several messaging sessions at the same time. If you receive a message that does not belong to any messaging session, a new session is created. All incoming and outgoing messages in a session are written to the session log. If you send a message in a session, the reply you receive belongs to the same session and is saved to the same log. If necessary, you can save the session log as a text file. During a chat session, you can send files and email messages to other ViPNet users (see Sending Files and Email Messages in the Instant Messaging Session on page 155).
Note: If Encrypted Instant Messaging is unavailable on your ViPNet host, ask your ViPNet network administrator to allow you to use this component.
Interface of the Encrypted Instant Messaging Program
In the Encrypted Instant Messaging program, you receive and send messages in the Encrypted Instant Messaging window shown in the figure below:
Figure 69. The main window of the Encrypted Instant Messaging program
The following elements are marked with numbers in the figure:
1. The menu bar.
2. The toolbar. To add or remove toolbar buttons, on the View menu, click Customize Toolbar.
3. The Send message to pane. Contains the list of recipients with whom the current messaging session is established. After a message is sent, its status with each recipient is shown by one of the following characters:
   o S: the message has been sent but not yet delivered.
   o D: the message has been delivered, and a notification is displayed on the recipient's screen.
   o R: the message has been read by the recipient.
   o T: the message has been read and the recipient is going to answer.
   Sent messages are numbered in the order of sending. The status columns are displayed in reverse order, so the leftmost character shows the status of the most recent message. Messages are sent only to the selected participants.
4. The search box. Type a name or a few characters in the search box to filter the list of recipients in the Sessions pane or to find a message containing a given word in the Session log pane. Lines containing the characters you enter are highlighted in yellow.
5. The Message pane. Use this pane to type new messages.
6. The Session log pane. Displays the message history (log) of the current session.
7. The Sessions pane. Contains the list of active sessions and buttons for switching between them. The Sessions pane has the following columns:
   Session status (icon column):
      The column is blank: the session is open and all messages have been processed.
      New-messages icon: the session is open and there are new messages.
      Closed-session icon with unread messages: the session has been closed by the initiator but there are unread messages (shown only if the other user initiated the closed session).
      Closed-session icon: the session has been closed by the initiator (shown only if the other user initiated the closed session).
   #: the session number.
   Participants: the names of the session participants.
   New: the number of new (unprocessed) messages; blank if there are none.
   Not read: the number of unread messages; blank if there are none. If there are unread messages among the new messages, the session's entry in the list appears in bold.
   Date of the last chat message: the date and time of the latest message in the session.
Below the active sessions list are two buttons for switching between the listed sessions. The session viewing history remembers the last 10 sessions that were viewed for longer than 5 seconds.
Sending Messages
To send instant messages:
1. If the Encrypted Instant Messaging window is closed, open it by clicking Applications > Chat. In the Encrypted Instant Messaging window, all earlier messaging sessions are opened.
2. To start a new chat or conference, in the Encrypted Instant Messaging window, do the following:
   o On the Session menu, point to New, then click Chat or Conference.
   o In the Choose ViPNet Host window, select the hosts whose users you want to chat or hold a conference with. Then click Select.
   A new messaging session opens. If you specify only one ViPNet host and a messaging session with it is already open, that session is opened instead of a new one.
   Note: You can also start a new chat or conference by selecting the hosts in the Private Network section and clicking the corresponding command on the hosts' context menu (see Encrypted Instant Messaging on page 151).
3. In the Encrypted Instant Messaging window, select the session in which you want to send new messages.
4. In the Message pane, enter the text of the message.
5. Click Send or press F5.
Tip: You can configure what happens when you press Enter in the Message pane: sending the message or inserting a new line. To do this, in ViPNet Monitor, on the Session menu, click Options. In the Options dialog box, in the Chat section, under Shortcut Keys, choose Ctrl+Enter: Send Message, Enter: Carriage Return or the opposite option.
Receiving Messages
By default, when a message is received, an icon is displayed in the notification area and the text of the message is shown in a pop-up window above the icon. To read new messages, do one of the following:
Click the icon in the notification area.
In the Encrypted Instant Messaging window, on the toolbar, click Read new.
You can change how you are notified of a new message. To do this:
1. In the main ViPNet Monitor window, on the Service menu, click Options.
2. In the Options dialog box, in the Chat section, select or clear the following check boxes:
   o Display new message notification always on top.
   o Notify about a new message using a flashing icon in the notification area.
   o Show new messages in a separate window. If this check box is selected, the New Messages window is displayed when new messages arrive.
Figure 70. New messages are displayed in a separate window
The New Messages window lists the new messages in the order of their delivery. Using the buttons on the right of the window, you can accept a message (it is then saved in the session log), reply to it, or delete it.
Sending Files and Email Messages in the Instant Messaging Session
In an instant messaging session, you can send files and email messages over a protected VPN channel to other participants of the session by clicking File and Business Mail on the toolbar.
Files are sent with the File Exchange component (see Files Exchange in the Instant Messaging Session on page 162). You can send email messages only if the "Business mail" role is assigned to your host and the ViPNet Business Mail program is installed. To send an email message:
1. In the Encrypted Instant Messaging window, in the Sessions pane, select the session whose participants should receive your email message.
2. In the Send message to pane, select the participants and, on the toolbar, click Business Mail.
The ViPNet Business Mail program starts and a new message window is displayed, with the selected session participants already specified as recipients. For more information on creating and sending an email message, see the document "ViPNet Business Mail. User's Guide".
Note: Only participants who use the ViPNet Business Mail program are added to the recipients list. If none of the selected participants use Business Mail, you cannot send the email message.
Stop Exchanging Instant Messages
To close an instant messaging session:
1. In the Encrypted Instant Messaging window, in the Sessions pane, select the session you want to close.
2. If you want to save the session log as a text file, right-click the session, on the context menu click Save As, and specify the file to save the log to.
3. Do one of the following:
   o On the Session menu, click Close.
   o Press F8.
   o On the toolbar, click Close.
After you close the session, it is no longer displayed in the Sessions pane.
To close the Encrypted Instant Messaging program, do one of the following:
On the Session menu, click Close.
Click Close.
Note: When you reopen the Encrypted Instant Messaging window later, all current sessions are restored.
Sending ViPNet Business Mail Messages
The ViPNet Client software includes the ViPNet Business Mail program for exchanging email messages over a protected VPN. If the "Business mail" role is assigned to your host and the ViPNet Business Mail program is installed on it, you can send emails directly from the ViPNet Monitor program. To do this:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, select the ViPNet host you want to send the email message to. To select several hosts, hold down the Ctrl key while clicking the host names one by one. To narrow the list of network hosts, in the Private Network section, in the search box, start typing the name of the host you are looking for.
3. Do one of the following:
   o On the toolbar, click Business Mail.
   o Right-click the host and, on the context menu, click Send Mail via Business Mail.
The ViPNet Business Mail program starts and a new message window is displayed, with the selected hosts already specified as recipients. For more information on creating and sending an email message, see the document "ViPNet Business Mail. User's Guide".
Note: Only hosts with the "Business mail" role and the ViPNet Business Mail program are added to the recipients list. If none of the selected hosts meet this requirement, you cannot send the email message.
File Exchange
With File Exchange, ViPNet network users can send each other files over a protected VPN channel. There are no restrictions on the size or type of the files you exchange. The integrity of the files is verified on receipt: a file that was corrupted during the exchange is deleted automatically.
Note: No integrity check is performed for files received from computers running earlier versions of the ViPNet software. In the File Exchange window (see figure 71 on page 159), such files have the Integrity not verified status. Decide for yourself whether to use such a file; treat it with the same caution as an attachment from an unverified source.
You can start the File Exchange program from the ViPNet Monitor interface, from the Windows context menu, or from the Encrypted Instant Messaging program.
Note: If File Exchange is unavailable on your ViPNet host, ask your ViPNet network administrator to allow you to use File Exchange.
File Exchange Program Interface
To view the files sent and received through File Exchange, open the File Exchange program window: in the main ViPNet Monitor window, on the Applications menu, click File Exchange. The File Exchange program window is also displayed every time you send or receive files. The window is shown in the figure below.
Figure 71. The File Exchange window
The following elements are marked with numbers in the figure:
1. The menu bar.
2. The toolbar. The toolbar lets you send a new file, view received files, or delete a file from the list. To add or remove toolbar buttons, on the View menu, click Customize Toolbar.
3. The file list filter. There are three modes of viewing the list of files:
   o All files.
   o Received files.
   o Sent files.
4. The Received Files group. Lists the files received from other ViPNet hosts.
5. The Sent files group. Lists the files sent to other ViPNet hosts.
6. A link to the folder where the file is stored.
Sending a File from the ViPNet Monitor Program
To send a file using the ViPNet Monitor program:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, select the ViPNet host you want to send a file to. To select several hosts, hold down the Ctrl key while clicking the host names one by one. To narrow the list of network hosts, in the Private Network section, in the search box, start typing the name of the host you are looking for.
3. Do one of the following:
   o On the toolbar, click Send.
   o Right-click the host and, on the context menu, click Send File.
4. In the Open window, specify the files or folders you want to send and click Open. The chosen files are sent to the destination host.
Warning: The name of a file you send (including the path) must not exceed 130 characters. When you send a folder:
   The folder name (including the path) must not exceed 31 characters and must not contain an exclamation mark.
   The names of the embedded folders and files must not exceed 31 characters each.
If these restrictions are violated, an error message is displayed and the files and folders are not sent.
5. The File Exchange window (see figure 71 on page 159) is displayed, showing the files you have sent and their state.
6. As soon as the files you have sent are delivered to the recipient, you receive a delivery notification. To disable this notification, in the message box, select the Do not show me this message again check box.
Note: To configure notifications, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.
Sending a File from the Windows Context Menu
To send a file to a ViPNet user:
1. In Windows Explorer, select the file you want to send. To select several files, hold down the Ctrl key while clicking the file names one by one.
2. Right-click one of the selected files and, on the context menu, click Send file to ViPNet user.
Warning: The name of a file you send (including the path) must not exceed 130 characters. When you send a folder:
   The folder name (including the path) must not exceed 31 characters and must not contain an exclamation mark.
   The names of the embedded folders and files must not exceed 31 characters each.
If these restrictions are violated, an error message is displayed and the files and folders are not sent.
3. In the File Exchange: Choose ViPNet Host window, select one or several recipients. Use the search box to narrow the hosts list.
Figure 72. Choosing the recipients
4. When you have selected the recipients, click Select. The files are sent to the selected hosts.
5. The File Exchange window (see figure 71 on page 159) is displayed, showing the files you have sent and their state.
6. As soon as the files you have sent are delivered to the recipient, you receive a delivery notification. To disable this notification, in the message box, select the Do not show me this message again check box.
Note: To configure notifications, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.
Files Exchange in the Instant Messaging Session
To send files from the Encrypted Instant Messaging program:
1. In the Encrypted Instant Messaging window, in the Sessions pane, select the session whose participants should receive your files.
2. In the Send message to pane, select the participants and, on the toolbar, click File.
3. In the displayed window, specify the files you want to send and click Open. The chosen files are sent to the session participants.
Warning: The name of a file you send (including the path) must not exceed 130 characters. If this restriction is violated, an error message is displayed and the files are not sent.
4. The File Exchange window (see figure 71 on page 159) is displayed, showing the files you have sent and their status.
5. As soon as the files you have sent are delivered to the recipients, you receive a delivery notification. To disable this notification, in the message box, select the Do not show me this message again check box.
Note: To configure notifications, in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section.
Receiving Files
When you receive a file from another ViPNet user:
1. A notification and the program icon are displayed in the Windows notification area.
Figure 73. Notification about received files
Note: To configure notifications, do one of the following: in the main ViPNet Monitor window, on the Service menu, click Options, and then select the File Exchange section; or, in the File Exchange window, on the File menu, click Options.
2. To view the received files, in the Windows notification area, click the File Exchange program icon. The File Exchange window (see figure 71 on page 159) is displayed.
3. In the File Exchange window, in the Received files list, choose the required file and do one of the following:
   o In the File Name column, click the file name.
   o On the toolbar, click Received.
A folder containing the selected file opens in a new window.
To view the files received from a certain ViPNet host:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2. In the Private Network section, select the ViPNet host you received the files from and, on the toolbar, click Received.
A folder containing the files from the selected ViPNet host opens in a new window.
Note: If, in the Private Network section, you select more than one ViPNet host and click Received, a folder opens that contains subfolders with the files received from each of the selected ViPNet hosts.
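The name-length rules in the sending procedures above and the integrity status described in the File Exchange introduction can both be checked before a transfer goes wrong. The following Python script is an added example and is not part of the ViPNet software or of this guide: it validates a send request against the 130-character and 31-character limits and the exclamation-mark rule, and models the receive side, where a file whose integrity check fails is deleted and a file from an older ViPNet version is kept but marked Integrity not verified. The guide does not say how integrity is computed; the HMAC-SHA256 tag, the session key and the in-memory folder listings used here are assumptions for illustration.

```python
"""File Exchange pre-send checks and receive-side integrity status.

Added example, not ViPNet code. The limits come from the guide; the HMAC-SHA256
tag, the key and the folder listings are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

MAX_FILE_PATH = 130   # file name including path
MAX_FOLDER_PATH = 31  # folder name including path
MAX_ENTRY_NAME = 31   # each embedded folder or file name


def check_file(path: str) -> list[str]:
    """Problems with sending a single file."""
    if len(path) > MAX_FILE_PATH:
        return [f"{path!r}: name with path exceeds {MAX_FILE_PATH} characters"]
    return []


def check_folder(path: str, entries: list[str]) -> list[str]:
    """Problems with sending a folder; entries are the relative paths inside it."""
    problems = []
    if len(path) > MAX_FOLDER_PATH:
        problems.append(f"{path!r}: folder name with path exceeds {MAX_FOLDER_PATH} characters")
    if "!" in path:
        problems.append(f"{path!r}: folder name contains an exclamation mark")
    for rel in entries:
        for name in PureWindowsPath(rel).parts:  # every nested folder and file name
            if len(name) > MAX_ENTRY_NAME:
                problems.append(f"{rel!r}: embedded name {name!r} exceeds {MAX_ENTRY_NAME} characters")
    return problems


def check_send_request(files: list[str], folders: dict[str, list[str]]) -> list[str]:
    """All problems for one Send; nothing is sent if the list is non-empty."""
    problems = [p for f in files for p in check_file(f)]
    for folder, entries in folders.items():
        problems.extend(check_folder(folder, entries))
    return problems


@dataclass
class ReceivedFile:
    name: str
    data: Optional[bytes]  # None once the file has been deleted
    status: str


def integrity_tag(key: bytes, data: bytes) -> bytes:
    """Assumed tag format: HMAC-SHA256 over the file under the session key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def receive(name: str, data: bytes, tag: Optional[bytes], key: bytes) -> ReceivedFile:
    """tag is None when the sender runs an earlier ViPNet version without integrity data."""
    if tag is None:
        return ReceivedFile(name, data, "Integrity not verified")
    if hmac.compare_digest(integrity_tag(key, data), tag):
        return ReceivedFile(name, data, "Integrity verified")
    return ReceivedFile(name, None, "Corrupted, deleted")  # guide: corrupted files are deleted


# Constructed sample: one good transfer, one flipped byte, one legacy sender.
SESSION_KEY = b"constructed-session-key"
PAYLOAD = b"Quarterly figures, do not forward.\n"


def sample_receipts() -> list[ReceivedFile]:
    tag = integrity_tag(SESSION_KEY, PAYLOAD)
    damaged = bytes([PAYLOAD[0] ^ 0x01]) + PAYLOAD[1:]
    return [
        receive("figures.txt", PAYLOAD, tag, SESSION_KEY),
        receive("figures.txt", damaged, tag, SESSION_KEY),
        receive("old-client.txt", PAYLOAD, None, SESSION_KEY),
    ]
```

The three outcomes of sample_receipts() correspond to the three cases the guide describes: a verified file, a corrupted file that is deleted rather than handed to the user, and a file from an earlier ViPNet version that arrives intact but carries the Integrity not verified status because the sender supplied nothing to check.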
External Programs
The ViPNet Client and ViPNet Coordinator software can launch external programs such as:
Microsoft Portrait.
VNC Viewer.
Remote Desktop Connection.
Radmin Viewer.
For more details on working with Radmin Viewer, VNC Viewer and Remote Desktop Connection, see Starting a Remote Access Program (on page 189). External programs give you access to various services, for example remote access to a computer desktop. All traffic of external programs within the ViPNet network is encrypted. To interact with another ViPNet host using an external program:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2. In the Private Network section, right-click the required host, on the context menu point to External programs, and then click the required program. The selected external program is launched automatically in secure mode. The user of the selected host is prompted to confirm the start of the program on that computer.
Viewing Web Resources of a ViPNet Host
If a web server or web application is installed on the same computer as ViPNet Client or ViPNet Coordinator, other ViPNet users can establish a protected (encrypted) connection to this computer. Only the ViPNet hosts that are allowed to connect to the host with the server installed will be able to access this web server. This feature allows you to implement a protected Internet portal. In this portal, you can integrate various applications: CRM, CMS, database-driven applications, and many more. To establish such a connection:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2. In the Private Network section, select the host with the protected Internet portal and do one of the following:
o On the toolbar, click Web.
o Right-click the selected host and, on the context menu, click Open Web Resource on this ViPNet host.
Shared Host Resources
Overview
The “Explore shared network place” service allows you to access the shared network resources of another ViPNet host from your ViPNet host. A secure connection is established. To view a shared resource:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2. In the Private Network section, select the required host and do one of the following:
o On the toolbar, click Explore.
o Right-click the selected host and, on the context menu, select Explore Shared Network Place.
As a result, network resources available on the selected host will be displayed in a new Windows Explorer window. You can view shared network resources of only one ViPNet host at a time.
Checking Connection to a ViPNet Host
In the ViPNet Monitor program, you can check the current status (accessible, unreachable, activity) of the ViPNet hosts in the Private Network section. To check connection to a host, you should use ViPNet software version 2.8.9 or later. To check connection to one or several ViPNet hosts and get information about their status:
1. In the navigation pane of the main ViPNet Monitor window, select Private Network.
2. In the Private Network section, select the ViPNet host you need to check connection to. To select several hosts, hold the Ctrl key while clicking the required host names one by one.
3. Do one of the following:
o On the toolbar, click Connection.
o Press F5.
o Right-click one of the selected hosts and, on the context menu, select Check Connection.
The Check Connection window containing information about the selected hosts will be displayed. The Check Connection window is shown in the figure below:
Figure 74. Check connection window
The following elements are marked with numbers in the figure:
1. The menu bar.
2. The toolbar. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3. The main pane. Contains the list of hosts you have selected to check connection to. The color and the background of a ViPNet host name correspond to its current status:

Host name color               | ViPNet host status
------------------------------|-----------------------------------------------------------------------------
Violet                        | The host is available, but it has been inactive within the last 15 minutes.
Black with a green background | The host is available and has been active within the last 15 minutes.
Black                         | The host is not connected to the network at the moment.

o To view more detailed information about the host status in a separate window, do one of the following:
  - Double-click the required host.
  - Select the host from the list and, on the toolbar, click Status.
  - Select the host from the list and press F3.
  The ViPNet host properties window will be displayed.
  Figure 75. Detailed information about the selected host status
o In the Check Connection window, you can send a Business Mail or chat message to one or several hosts or perform some other action available in the Private Network section. To do that, right-click the required host and, on the context menu, click the corresponding command.
4. The main pane columns. In the Status column, the host network status is indicated. You can see the possible statuses in the following table.

Status | Description
-------|------------
Accessible | There is a full-fledged connection to the host.
ViPNet connection established but ViPNet [Monitor] is inaccessible | ViPNet Monitor is not active on the host, but the host itself is available via a protected channel. In this case, integrated communication tools will be unavailable (such as Encrypted Instant Messaging, File Exchange and others), but you will be able to view shared resources and web resources of the host, as well as connect to the host via the remote desktop.
Unreachable | There is no connection with this host.

In the Last time of user activity column, you can see the time of the last host activity. To sort the list by a particular column, click the column heading. You can also add or remove columns using the context menu.
5. The search box. Allows you to filter the hosts list in the main pane (3).
6. The host properties pane. Contains detailed information about the host chosen from the main pane (3).
7. The status bar.
Note: By default, the toolbar (2), search box (5), host properties pane (6), and status bar (7) are not displayed in the Check Connection window. For these interface elements to be displayed, on the View menu, select the corresponding check boxes.
11 ViPNet Hosts Management
Working with the IP Packets Log ..... 172
Viewing IP Packets Filtering Statistics ..... 182
Viewing Information about a Client, Program Working Time, and the Number of Connections ..... 183
Managing ViPNet Monitor Configurations ..... 184
Starting a Remote Access Program ..... 189
Working in the ViPNet Host Administrator Mode ..... 196
Start and Abnormal Termination Options ..... 205
Working with the IP Packets Log In the IP Packets Log section, you can generate an IP packets registration log according to various search options. This feature allows you to monitor all the inbound and outbound connections of a certain host.
Configuring the IP Packets Search Options
To view the IP packets log:
1. In the main ViPNet Monitor window, in the navigation pane, expand Statistics and Event Logs and select IP Packets Log.
Figure 76. Configuring the IP packets log search options
2. In the IP Packets Log section, specify the following search options:
o When IP packets were registered (within the last 24 hours, within the last hour, or a specified time interval).
o The number of log entries displayed. By default, the Show no more than check box is selected and the number of displayed entries is 100. If you clear the check box, all entries that match the search criteria will be displayed.
o In the IP traffic type list, choose:
  - All IP traffic to view entries about all IP packets.
  - Protected to view entries about encrypted IP packets with the current host as a sender or recipient.
  - Open to view entries about unencrypted IP packets with the current host as a sender or recipient.
o In the Event list, specify the event type or event type group that ViPNet Monitor assigns to each IP packet (see Events Tracked by the ViPNet Software on page 290).
o Under My computer, specify the IP address of your computer.
o Under Other host, specify the IP address or name of the ViPNet host you have a connection to.
Note: It is useful to specify both values (IP address and ViPNet host) if the other host has several IP addresses and you need to get information only about connections with a certain IP address of the chosen host.
o In the Protocol list, choose the protocol used to transfer the IP packets you need to view. If the required protocol is not on the list, click the Browse button and, in the Protocol List window, select the required protocol.
o Under IP packet parameters:
  - In the Direction list, choose the direction of the IP packets you need to view (All, Incoming, Outgoing).
  - In the Address type list, specify what kind of addresses the IP packets were sent to (Any, Unicast, Broadcast, Multicast).
To restore the default search options, click Parameters by default.
3. To apply the search criteria, click Search.
Note: If you search for the packets by using the default criteria, not more than 100 entries about the IP packets registered within the last hour will be displayed.
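The search criteria above, applied to log rows in code, as an added example that is not ViPNet's own code. The row layout (one dict per log entry), the "Outgoing"/"Incoming" direction values, the local subnet used to recognise a directed broadcast, and the sample rows are all constructed assumptions of this example; "My computer" is matched against the local end of the packet and "Other host" against the remote end, whichever side of the packet they are on.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOCAL_NETWORK = ipaddress.ip_network("10.0.0.0/24")   # assumption: this host's subnet


def address_type(ip: str) -> str:
    """Classify a destination address the way the Address type list does."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "Multicast"
    if addr == ipaddress.ip_address("255.255.255.255") or addr == LOCAL_NETWORK.broadcast_address:
        return "Broadcast"
    return "Unicast"


def search(entries: List[Dict], *, since: Optional[datetime] = None,
           until: Optional[datetime] = None, traffic: str = "All",
           event: Optional[str] = None, my_ip: Optional[str] = None,
           other: Optional[str] = None, protocol: Optional[str] = None,
           direction: str = "All", addr_type: str = "Any",
           limit: Optional[int] = 100) -> List[Dict]:
    """Rows matching every criterion given (None, "All" or "Any" means no
    filter), newest first, at most 'limit' rows."""
    out: List[Dict] = []
    for e in sorted(entries, key=lambda r: r["start"], reverse=True):
        if since is not None and e["start"] < since:
            continue
        if until is not None and e["start"] > until:
            continue
        if traffic == "Protected" and not e["encrypted"]:
            continue
        if traffic == "Open" and e["encrypted"]:
            continue
        if event is not None and e["event"] != event:
            continue
        if e["direction"] == "Outgoing":
            local, remote = e["src"], e["dst"]
        else:
            local, remote = e["dst"], e["src"]
        if my_ip is not None and local != my_ip:
            continue
        # "Other host" may be given as an IP address or as a ViPNet host name.
        if other is not None and other not in (remote, e["remote_host"]):
            continue
        if protocol is not None and e["proto"] != protocol:
            continue
        if direction != "All" and e["direction"] != direction:
            continue
        if addr_type != "Any" and address_type(e["dst"]) != addr_type:
            continue
        out.append(e)
        if limit is not None and len(out) >= limit:
            break
    return out


def default_search(entries: List[Dict], now: datetime) -> List[Dict]:
    """The default criteria: packets of the last hour, no more than 100 rows."""
    return search(entries, since=now - timedelta(hours=1), limit=100)


NOW = datetime(2015, 6, 1, 10, 0)   # constructed "current time"


def _entry(minutes_ago, direction, encrypted, proto, src, dst,
           event="allowed", remote_host=None):
    return {"start": NOW - timedelta(minutes=minutes_ago), "direction": direction,
            "encrypted": encrypted, "proto": proto, "src": src, "dst": dst,
            "event": event, "remote_host": remote_host}


# Constructed sample rows; this host is 10.0.0.5, 203.0.113.10 is a documentation address.
ENTRIES = [
    _entry(5, "Outgoing", True, "TCP", "10.0.0.5", "10.0.0.9", remote_host="coordinator-1"),
    _entry(20, "Incoming", False, "UDP", "10.0.0.7", "10.0.0.255"),
    _entry(40, "Outgoing", False, "UDP", "10.0.0.5", "224.0.0.251"),
    _entry(90, "Incoming", True, "ICMP", "10.0.0.9", "10.0.0.5", event="blocked",
           remote_host="coordinator-1"),
    _entry(200, "Outgoing", False, "TCP", "10.0.0.5", "203.0.113.10"),
]

if __name__ == "__main__":
    for row in default_search(ENTRIES, NOW):
        print(f'{row["start"]:%H:%M} {row["direction"]:8} {row["proto"]:4} {row["src"]} -> {row["dst"]}')
```

With the sample rows, the default search returns the three entries of the last hour; `traffic="Protected"` narrows the full log to the two encrypted rows, and `addr_type="Broadcast"` picks out only the row addressed to 10.0.0.255, which is why the local subnet has to be known to classify it.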
Viewing Search Results When, in the IP Packets Log section, you click Search, the search for the packets matching the criteria specified is performed. The search results are displayed in the Viewing IP Packets Registration Log window.
Figure 77. Viewing the IP packets log
The following is marked with numbers in the figure:
1. The menu bar.
2. The toolbar. To add or remove buttons displayed on the toolbar, on the View menu, click Customize Toolbar.
3. The main pane. Contains the list of log entries corresponding to the specified search criteria.
o To view more detailed information about the chosen IP packet in a separate window, in the Viewing IP Packets Registration Log window, on the toolbar, click Info.
o To find the name of the sender or recipient of the chosen IP packet, on the toolbar, click Name or right-click the entry and, on the context menu, click Resolve Name.
4. The main pane columns.
To sort the list by a particular column, click the column heading. You can also add or remove columns using the context menu. See the detailed description of the columns in the table below:
Column name | Description
------------|------------
Event type | The event type is indicated with an icon: one icon means that the IP packets are blocked, one means that the IP packets are allowed, and one means that a service event type has been assigned to these IP packets.
Packet Attributes | IP packet properties are indicated with icons for unencrypted incoming, unencrypted outgoing, encrypted incoming, and encrypted outgoing IP packets.
Start time | Date and time when the entry for a group of one-type packets was created (when the first packet in the group was registered). For more information about logging one-type packet events registered within a specified time interval, see Configuring IP Packets Logging (on page 179).
End time | The end of the time interval within which IP packets of the same type were registered. If the interval has not elapsed yet, this column indicates the time when the latest IP packet of the type was registered; if more IP packets of the type are registered, the value changes.
Source | ViPNet host name (for ViPNet hosts) or IP address and computer name (for open hosts) of the packet source.
Source ID | ViPNet host name of the IP packet source (only for encrypted packets). If the packet is unencrypted, this column is blank.
Source IP address | IP address and computer name of the IP packet source.
Source port | IP packet source port number.
Destination | ViPNet host name (for ViPNet hosts) or IP address and computer name (for unprotected hosts) of the IP packet recipient.
Destination ID | ViPNet host name of the IP packet recipient (only for encrypted packets). If the IP packet is addressed to an unprotected host, this column is blank.
Destination IP address | IP address and computer name of the IP packet recipient.
Destination port (ICMP Type/Code) | IP packet destination port number; for ICMP packets, the ICMP type and code.
Protocol | Protocol used to establish the connection.
Event | The event corresponding to this entry. You can find the events description in the Events Tracked by the ViPNet Software (on page 290) appendix.
Counter | The number of one-type IP packets grouped in one entry within a certain period of time.
Size | The size (in bytes) of all IP packets grouped in one entry.
5. The IP packets properties pane. Contains detailed information about the entry chosen in the main pane (3).
6. The status bar. Displays the IP packet or IP packets group size (in bytes), the entry number, and the total number of log entries. If, in the main pane (3), several entries are chosen, the total size of all IP packets associated with those entries will be displayed on the status bar.
Tip: You can find out the total size of IP traffic processed by your ViPNet host by choosing to display all entries in the IP packets registration log. In the Viewing IP Packets Registration Log window, press Ctrl+A to select all entries. On the status bar, the total size of all the IP packets found will be displayed.
Viewing the IP Packets Log in Your Web Browser or Microsoft Excel
To export the generated IP packets log, in the Viewing IP Packets Registration Log window, on the File menu, click one of the following:
o View as HTML document. Your IP packets log will be opened in your default browser. In the address bar, you can see the full path to the file.
o View as XLS document. Your IP packets log will be opened in Microsoft Excel (the program should be installed on your computer). In Microsoft Excel, use Save as to save the log file as a table.
Choosing IP Packets to View
In the IP packets registration log, you can highlight the following types of packets:
o broadcast IP packets;
o IP packets associated with service events;
o IP packets within the same session, which started when the connection between the two hosts was established;
o IP packets sent to or received from the same IP addresses regardless of the IP traffic direction and connection port.
Note: A session is all IP packets transferred between host 1 and host 2. If the connection is established over TCP or UDP, then the ports are taken into account as well. For example, all IP packets sent from host 1 to host 2 over HTTP (IIS is installed on host 2, and host 1 opens a web page from this IIS) are considered to be within the same session. However, if host 1 downloads a file from host 2 via FTP (in other words, from the FTP server installed on host 2), the IP packets related to this communication are considered to belong to another session.
To highlight IP packets:
1. In the Viewing IP Packets Registration Log window, right-click a log entry.
2. On the context menu, click:
o Highlight IP Packets with the Same IP Addresses to select all IP packet entries containing the same IP addresses as the IP packet you right-clicked.
o Highlight IP Packets within the Same Session to select all IP packet entries of the same session as the IP packet you right-clicked.
o Highlight Broadcast IP Packets to select all broadcast IP packet entries.
o Highlight Service IP Packets to select all IP packet entries associated with service events.
3. To cancel the selection, on the context menu, click Remove Selection.
Best Practices of Encrypted and Unencrypted Connections Analysis
For convenient analysis of connections in the IP packets log, we recommend that you set the following parameters:
1. In the Viewing IP Packets Registration Log window, right-click any of the column headings.
2. On the context menu, click Select Columns.
3. To analyze:
o unencrypted traffic: in the Select Columns window, choose the Source IP address and Destination IP address columns to be displayed in the log, and hide the Source, Source ID, Destination, and Destination ID columns;
o encrypted connections: in the Select Columns window, choose the Source ID and Destination ID columns to be displayed in the log, and hide the Source IP address and Destination IP address columns.
4. To save the settings and close the window, click OK. To discard the changes and close the window, click Cancel.
Creating a Network Filter When Viewing the IP Packets Log
If you need to allow some IP packets from blocked connections or block some IP packets from allowed connections, you can configure a network filter for such IP packets directly from the IP packets log. To do this:
1. In the Viewing IP Packets Registration Log window (see Viewing Search Results on page 173), right-click the entry about the blocked connection you want to allow or the allowed connection you want to block.
2. On the context menu, click Create Filter. Depending on the selected connection's type, one of the following windows will be displayed:
o with options for creating a public network filter, if unencrypted IP packets were transferred within the connection;
o with options for creating a private network filter, if encrypted IP packets were transferred within the connection.
3. In the window's sections, you can see automatically defined network filter parameters, which have been taken from the corresponding connection's log entry. Check them and, if necessary, edit the filter's parameters (see Creating Network Filters on page 125).
4. In the network filter's properties window, click OK. As a result, the filter you created will be displayed in the network filters list.
Viewing the IP Packets Log of Another Host
If you work in the host administrator mode, you can view the IP packets registration log of another ViPNet host you have a link with. To do this:
1. Log on to ViPNet Monitor in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196).
2. In the main ViPNet Monitor window, in the navigation pane, select IP Packets Log.
3. In the ViPNet host list, choose the host whose log you are going to view. If the required host is not on the list, click the Browse button and, in the Choose ViPNet Host window, select the required host.
4. After you choose the host whose log you need to view, a connection to this host is established. If the connection is established successfully, the name of the selected host is displayed in the ViPNet host list. To cancel the connection, click Cancel.
Note: If ViPNet software of a version earlier than 3.0 is installed on the ViPNet host you are requesting the IP packets log from, your search options will be significantly limited, because the IP packets log format changed in version 3.0. If the search options are limited, you are informed about that with a corresponding message. Keep in mind that if you view the IP packets log of another ViPNet host, the search options will be the same as those used on that host. This means that if you work on a coordinator and decide to view the IP packets log of a client, you will be able to define only the search options available for clients.
5. Set the search criteria (see Configuring the IP Packets Search Options on page 172) and click Search.
Viewing the IP Packets Log Archive
The IP packets log can be archived to optimize the IP packets search and use disk space efficiently. A new archive is created when the size of the current IP packets log exceeds the value of the Maximum IP packets log size option (see Configuring IP Packets Logging on page 179). If the value is set to “0”, the IP packets log is not archived. To view the IP packets log archive:
1. In the main ViPNet Monitor window, in the IP Packets Log section, choose IP Packets Log Archive and select the archive belonging to the required period of time.
Note: If the IP Packets Log Archive subsection is not displayed, then no archive has been created by the system.
2. Set the search criteria for the log archive (see Configuring the IP Packets Search Options on page 172) and click Search.
3. The search results will be displayed in the Viewing IP Packets Registration Log window.
Tip: To delete an archive, in the IP Packets Log Archive subsection, select one or several archives and press Delete or click Delete on the context menu.
Configuring IP Packets Logging
To configure the IP packets log settings:
1. In the ViPNet Monitor main window, on the Service menu, click Options.
2. In the Options dialog box, in the navigation pane, click IP Packets Log.
Figure 78. Configuring the IP packets log
3. Specify values for the following parameters:
o In the Maximum IP packets log size box, type or select the maximum log file size (1 MB by default). If your current IP packets log file size exceeds the value specified, the log entries are moved to the log archive in chronological order. To disable logging, set the value to 0: entries about newly registered IP packets will not be added to the log, but the entries created before the value was set to 0 are kept. The first time the log is archived, the Archive section is created in the navigation pane of the main ViPNet Monitor window.
Figure 79. Viewing the IP packets log archive
o In the Maximum IP packets archive log size box, type or select the maximum size of the archive (10 MB by default). If the log archive size exceeds the specified value, older entries will be deleted from the archive. To disable archiving, set the value to 0. The data archived before the value was set to 0 is kept.
o In the Log list, choose what IP packets should be logged: All IP packets or blocked IP packets only.
o In the Log IP packets of the same type in the same log entry every box, specify the time interval in minutes. When the specified time interval is over, a new entry for a certain type of IP packets will be created in the log.
The underlying mechanism is as follows. When a packet with certain attributes (IP address, protocol, port, and so on) is registered, a new entry is created for it. IP packets with the same IP address, port, protocol, and other attributes that are registered within the specified time interval are counted in this entry rather than given entries of their own; you can see their number in the Counter column of the Viewing IP Packets Registration Log window. When the specified time expires, a new entry is created for the next IP packet of this type even though its attributes match the existing entry, and the time count starts again for the IP packets with the same attributes. A packet of another type always gets a new entry. This mechanism is the same for all IP packets being registered. The Start time and End time columns display the moment when registration of one-type IP packets in one entry began and ended, respectively.
This mechanism allows you to decrease the IP packets log size significantly while maintaining its information value. The longer the time interval you specify, the smaller the IP packets log is; however, the accuracy of the log decreases proportionally (you cannot determine the registration time of an individual IP packet precisely). If you set the packets registration interval to 0, an entry is created for each registered IP packet, and the log may grow significantly. We recommend that you set the 0 value only for a short period of time and only for testing purposes. The ViPNet driver can store no more than 10,000 log entries; when the log reaches this limit, older entries are overwritten with newer ones, so if your IP traffic exchange is intensive, you may lose some information. Besides, traffic processing may slow down, because ViPNet Monitor increases the load on the CPU.
o Select the Log broadcast IP packets check box for broadcast IP packets to be registered in your IP packets log.
o Make sure that the For TCP connections log only remote server port check box is selected. In this case, TCP IP packets will be grouped according to the server port regardless of the client port.
4. To save the settings, click Apply.
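The grouping mechanism described above, together with the session and same-address keys behind the "Highlight IP Packets ..." commands of the Choosing IP Packets to View section, as an added example in code. This is not ViPNet's own code or log format: the packet layout, the exact set of attributes that makes two packets "one-type", the grouping interval, and the sample packets are constructed assumptions of this example. It shows one-type packets being counted in one entry until the interval elapses (which is what fills the Start time, End time, Counter and Size columns), the effect of "For TCP connections log only remote server port", and the bounded store in which the oldest entries are overwritten once the limit is reached.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

@dataclass
class Packet:
    ts: datetime
    direction: str            # "in" or "out"
    encrypted: bool
    proto: str                # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: Optional[int]   # None for ICMP
    dst_ip: str
    dst_port: Optional[int]
    size: int

@dataclass
class LogEntry:               # one log row: Start time, End time, Counter, Size
    key: tuple
    start: datetime
    end: datetime
    counter: int
    size: int

def group_key(p: Packet, server_port_only: bool = True) -> tuple:
    """Attributes that make two packets 'one-type' (the set is assumed)."""
    sport, dport = p.src_port, p.dst_port
    if p.proto == "TCP" and server_port_only:
        # Keep only the remote server port, so repeated connections to one
        # service, each from a fresh client port, fold into one entry.
        if p.direction == "out":
            sport = None
        else:
            dport = None
    return (p.direction, p.encrypted, p.proto, p.src_ip, sport, p.dst_ip, dport)

class PacketLog:
    def __init__(self, interval_minutes: int, server_port_only: bool = True, max_entries: int = 10_000):
        self.interval = timedelta(minutes=interval_minutes)
        self.server_port_only = server_port_only
        self.max_entries = max_entries          # the driver's 10,000-entry limit
        self.entries: Deque[LogEntry] = deque()
        self._open: Dict[tuple, LogEntry] = {}  # latest entry per packet type

    def register(self, p: Packet) -> LogEntry:
        key = group_key(p, self.server_port_only)
        entry = self._open.get(key)
        if (entry is not None and self.interval > timedelta(0)
                and p.ts - entry.start < self.interval):
            entry.counter += 1                  # same type, interval still running
            entry.size += p.size
            entry.end = p.ts
            return entry
        # First packet of this type, interval elapsed, or interval set to 0:
        # a new entry, and the interval count restarts from this packet.
        entry = LogEntry(key, p.ts, p.ts, 1, p.size)
        if len(self.entries) >= self.max_entries:
            evicted = self.entries.popleft()    # oldest entry is overwritten
            if self._open.get(evicted.key) is evicted:
                del self._open[evicted.key]
        self.entries.append(entry)
        self._open[key] = entry
        return entry

def session_key(p: Packet) -> tuple:
    """'Same session': both hosts plus, for TCP/UDP only, both ports,
    independent of direction (ICMP has no ports, so only the hosts count)."""
    with_ports = p.proto in ("TCP", "UDP")
    ends = sorted([(p.src_ip, p.src_port if with_ports else None),
                   (p.dst_ip, p.dst_port if with_ports else None)],
                  key=lambda e: (e[0], -1 if e[1] is None else e[1]))
    return (p.proto, ends[0], ends[1])

def same_address_key(p: Packet) -> tuple:
    """'Same IP addresses': the two hosts, regardless of direction and port."""
    return tuple(sorted([p.src_ip, p.dst_ip]))

def highlight(packets: List[Packet], chosen: Packet, key) -> List[Packet]:
    return [q for q in packets if key(q) == key(chosen)]

T0 = datetime(2015, 6, 1, 9, 0, 0)   # constructed timestamps

def _pkt(minute, direction, proto, sip, sport, dip, dport, size):
    return Packet(T0 + timedelta(minutes=minute), direction, False, proto,
                  sip, sport, dip, dport, size)

# Constructed sample: three HTTP connections within a few minutes, an ICMP
# reply, a fourth HTTP connection after the interval, and an FTP connection.
SAMPLE = [
    _pkt(0, "out", "TCP", "10.0.0.5", 50001, "10.0.0.9", 80, 60),
    _pkt(1, "out", "TCP", "10.0.0.5", 50002, "10.0.0.9", 80, 60),
    _pkt(2, "out", "TCP", "10.0.0.5", 50003, "10.0.0.9", 80, 60),
    _pkt(3, "in", "ICMP", "10.0.0.9", None, "10.0.0.5", None, 84),
    _pkt(6, "out", "TCP", "10.0.0.5", 50004, "10.0.0.9", 80, 60),
    _pkt(7, "out", "TCP", "10.0.0.5", 50005, "10.0.0.9", 21, 60),
]

def build(interval_minutes: int, server_port_only: bool = True, max_entries: int = 10_000) -> List[LogEntry]:
    log = PacketLog(interval_minutes, server_port_only, max_entries)
    for p in SAMPLE:
        log.register(p)
    return list(log.entries)
```

With a 5-minute interval the three HTTP connections become one row with Counter 3 and Size 180; the connection at minute 6 starts a fresh row because the interval is counted from the first packet of the group, not from the last. Clearing the server-port option (or setting the interval to 0) yields one row per packet, which is the log growth the text warns about, and a 2-entry store keeps only the two most recent rows.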
Viewing IP Packets Filtering Statistics To view IP packets statistics, in the main ViPNet Monitor window, in the navigation pane, click Statistics and Event Logs > Statistics. In the Statistics section, you can find information about the number of incoming and outgoing IP packets that have been allowed or blocked in accordance with the specified traffic filters. This information may be useful when you configure ViPNet Monitor for the first time. To reset the IP packets statistics, click Clear.
Figure 80. Viewing IP packets statistics
Viewing Information about a Client, Program Working Time, and the Number of Connections To get information about the ViPNet network your ViPNet host belongs to, about the user who logged on, about connections, and more, in the main ViPNet Monitor window, select ViPNet Client.
Figure 81. General information about a ViPNet host
Managing ViPNet Monitor Configurations
A configuration is a combination of all ViPNet Monitor program settings. In the Configurations section, you can create several additional configurations and enable the required one at any moment.
Using several configurations can be useful in the following cases. Suppose that according to the company's security policy you cannot work with local resources and the Internet at the same time. Then you need to create two configurations: one that allows you to work on the Internet and blocks access to the local network, and a second that allows you to work on the local network and blocks access to the Internet. Another case is regular reconfiguration of the private network connection: here it is convenient to create a few configurations with different private network connection parameters, so that you do not need to change the settings every time and choosing the required configuration is enough.
On the first program startup, the Main configuration is created. It contains default settings. You cannot rename or delete this configuration. Also, there may be special configurations in ViPNet Monitor, which are meant for even more secure work on the Internet: “Open Internet”, “Internal network”, and “Internet”. For more information about these configurations, see the corresponding sections later in this document.
Note: When you are using SafeDisk-V containers, your work in the “Open Internet” and “Internet” configurations is restricted: your access to the Internet is automatically blocked by the configurations' network filters. For more information, see Working with Integrated ViPNet SafeDisk-V (on page 147).
In ViPNet Monitor, you can manage configurations in the following ways:
1. To add a new configuration, in the main ViPNet Monitor window, in the navigation pane, right-click Configurations and, on the context menu, click Create Configuration.
Figure 82. Creating a new configuration
The New configuration element will be displayed in the configurations list.
Note: In the administrator mode, you can create a program configuration for any of the users registered on this host. In this mode, you can see all the configurations created in the process of work with the program, and the configurations are grouped by user names.
2. To rename the configuration, right-click its name and, on the context menu, click Rename.
3. To enable a configuration, right-click its name and, on the context menu, click Load This Configuration.
Note: You can also load the required configuration either from the main ViPNet Client menu File > Configurations, or from the context menu of the program icon in the notification area.
4. If you change any settings in the current configuration (for example, create new network filters or change some program settings), you can save these changes in any other existing configuration, except for the main configuration. To do this, right-click that configuration and, on the menu, select Save Current Configuration. Confirm saving your changes by clicking Yes. In the current configuration, all changes are saved automatically.
If you have created multiple configurations and the Choose configuration on every startup check box is selected in the program settings (see Start and Abnormal Termination Options on page 205), the configurations list window will be displayed at ViPNet Monitor startup.
Figure 83. Choosing one of the configurations at the program startup
To load one of the configurations, choose it from the list and click OK. If the window is displayed but no configuration is chosen within 30 seconds, the main configuration is chosen automatically. If you have multiple configurations that are used at different periods of time, you may schedule switching between these configurations automatically (see Scheduling Configuration Change on page 187).
The Open Internet Configuration
If a client is linked to a coordinator for which the “Open Internet Server” function is enabled in the ViPNet Administrator Network Control Center program, then the “Open Internet” configuration is present in the list of ViPNet Monitor configurations. If your client is configured to access the Internet by using an Open Internet server:
o To work in the protected network, enable any of the configurations except the “Open Internet” configuration. In this case, you will not be able to connect to the Open Internet server and, consequently, cannot get access to the Internet.
o To work with Internet resources, enable the “Open Internet” configuration. When the “Open Internet” configuration is enabled, traffic filters that block connections to any of the ViPNet hosts except the Open Internet server are added in the Network Filters section.
Note: If your host has both the ViPNet Client and the ViPNet SafeDisk-V programs installed (see Working with Integrated ViPNet SafeDisk-V on page 147), then you cannot work in the “Open Internet” mode.
Thus, your client can connect either only to the protected ViPNet network or only to the Internet. This mechanism isolates a computer that exchanges potentially insecure traffic with the Internet from the other ViPNet hosts.
Configurations: Internal Network and Internet
If the ViPNet network administrator has specified the “h” permission level for a user in the ViPNet Administrator Network Control Center program, then two configurations are created automatically in ViPNet Monitor: “Internal network” and “Internet.” For more information on user permissions, see the document “ViPNet Authorities Classification. Supplement to ViPNet Documentation.” The specifics of “Internal network” and “Internet” are as follows:
o The “Internal network” configuration is used to work with the protected ViPNet network and blocks connections to unprotected hosts. When ViPNet Monitor starts up in this configuration, filters that block all unprotected IP traffic except DHCP service packets are automatically added in the Public Network Filters subsection.
o The “Internet” configuration is used to work with the unprotected network and blocks connections to protected hosts. When ViPNet Monitor starts up in this configuration, filters that block all protected traffic are automatically added in the Private Network Filters subsection.
Note: If your host has both the ViPNet Client and the ViPNet SafeDisk-V programs installed (see Working with Integrated ViPNet SafeDisk-V on page 147), then you cannot work in the “Open Internet” mode.
Scheduling Configuration Change
If you work with multiple configurations in ViPNet Monitor and each configuration must be loaded at a certain time, you can configure switching between the configurations automatically. For example, this is convenient if you regularly need to switch to a configuration for working on the Internet at the same time of day. In other cases we recommend that you switch configurations manually. You can schedule configuration change only if more than two configurations have been created. The main configuration and the special configurations do not count and you cannot schedule them: the main configuration is loaded automatically and is enabled whenever no other configuration is, and special configurations can be loaded only manually.
Warning: When your schedules overlap, we do not guarantee that your configurations will be switched automatically. Be careful when scheduling configuration change and make sure that the schedules do not overlap.
To schedule switching configurations:
1. In the main ViPNet Monitor window, in the navigation pane, right-click Configurations or a specific created configuration and, on the context menu, click Configure Schedule.
2. In the Configure Scheduled Configuration Change window, select the Use schedule to load configurations check box and add the required configurations to the list. When you add a configuration, in the Schedule Options window, specify the following options:
   - in the Effective from list, the time at which the configuration will be loaded;
   - in the Duration list, the period (in hours) during which the configuration stays enabled after loading;
   - under Recurrence, the days of the week on which the configuration will be loaded.
Figure 84. Setting a schedule for changing configurations
3. Click OK. As a result, the configuration change is scheduled.
Figure 85. Scheduled configurations
To stop automatic switching of configurations, in the Configure Scheduled Configuration Change window, clear the Use schedule to load configurations check box. To be notified before every scheduled configuration change, in the program options, in the General > Warnings section, select the Notify before performing scheduled configuration change check box.
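The following PowerShell script is an added example and is not part of this guide or of the ViPNet software: it checks a planned schedule for the overlaps the warning above refers to, before you enter the entries in the Configure Scheduled Configuration Change window. The configuration names and times in it are assumed sample values, and because ViPNet Monitor provides no documented way to read its schedule from a script, the entries are typed in by hand to match the Effective from, Duration and Recurrence options of the Schedule Options window.

```powershell
# Added example, not part of the ViPNet documentation: checks a planned set of
# scheduled configuration changes for overlaps before you enter them in the
# Configure Scheduled Configuration Change window. ViPNet Monitor has no
# documented API for reading its schedule, so the entries are typed in by hand
# and mirror the three options of the Schedule Options window:
# Effective from (HH:mm), Duration (hours) and Recurrence (week days).

# Constructed sample schedule (assumed names and times, not from a real host).
$schedule = @(
    @{ Name = 'Internet';   EffectiveFrom = '12:00'; DurationHours = 2;  Days = @('Monday', 'Wednesday', 'Friday') },
    @{ Name = 'Branch VPN'; EffectiveFrom = '13:00'; DurationHours = 4;  Days = @('Wednesday') },
    @{ Name = 'Night';      EffectiveFrom = '22:00'; DurationHours = 10; Days = @('Friday', 'Sunday') }
)

$WeekMinutes = 7 * 24 * 60
$DayIndex = @{ Monday = 0; Tuesday = 1; Wednesday = 2; Thursday = 3; Friday = 4; Saturday = 5; Sunday = 6 }

# Renders a minute-of-week offset as "Ddd HH:mm" for the report.
function Format-WeekMinute {
    param([Parameter(Mandatory)][int]$Minute)
    $m = $Minute % $WeekMinutes
    $names = @('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun')
    '{0} {1:00}:{2:00}' -f $names[[int][math]::Floor($m / 1440)], [math]::Floor(($m % 1440) / 60), ($m % 60)
}

# Expands one schedule entry into [Start, End) intervals in minutes from
# Monday 00:00, splitting an interval that runs past Sunday midnight.
function Expand-ScheduleIntervals {
    param([Parameter(Mandatory)][hashtable]$Entry)
    $t = [datetime]::ParseExact($Entry.EffectiveFrom, 'HH:mm', $null)
    foreach ($day in $Entry.Days) {
        $start = $DayIndex[$day] * 1440 + $t.Hour * 60 + $t.Minute
        $end   = $start + [int]$Entry.DurationHours * 60
        if ($end -le $WeekMinutes) {
            [pscustomobject]@{ Name = $Entry.Name; Start = $start; End = $end }
        } else {
            [pscustomobject]@{ Name = $Entry.Name; Start = $start; End = $WeekMinutes }
            [pscustomobject]@{ Name = $Entry.Name; Start = 0; End = $end - $WeekMinutes }
        }
    }
}

# Reports every pair of intervals from different configurations that share
# at least one minute; such pairs are exactly the "coinciding" schedules the
# warning above says cannot be switched reliably.
function Find-ScheduleConflicts {
    param([Parameter(Mandatory)][array]$Schedule)
    $intervals = @($Schedule | ForEach-Object { Expand-ScheduleIntervals -Entry $_ })
    for ($i = 0; $i -lt $intervals.Count; $i++) {
        for ($j = $i + 1; $j -lt $intervals.Count; $j++) {
            $a = $intervals[$i]; $b = $intervals[$j]
            if ($a.Name -ne $b.Name -and $a.Start -lt $b.End -and $b.Start -lt $a.End) {
                [pscustomobject]@{
                    First        = $a.Name
                    Second       = $b.Name
                    OverlapStart = Format-WeekMinute ([math]::Max($a.Start, $b.Start))
                    OverlapEnd   = Format-WeekMinute ([math]::Min($a.End, $b.End))
                }
            }
        }
    }
}

$conflicts = @(Find-ScheduleConflicts -Schedule $schedule)
if ($conflicts.Count -eq 0) { 'No overlapping schedules.' } else { $conflicts | Format-Table -AutoSize }
```

With the sample values, the script reports a single conflict, “Internet” against “Branch VPN” on Wednesday from 13:00 to 14:00, and the Sunday 22:00 entry lasting 10 hours is wrapped into Monday morning without producing a false conflict. Fix every reported pair (shorten the Duration or move the Effective from time) before entering the schedule.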
Starting a Remote Access Program
ViPNet Monitor allows you to access a remote ViPNet host using external programs such as Remote Administrator (Radmin), VNC or Remote Desktop Connection. A ViPNet host administrator may need remote access to a ViPNet host if the computer is hard to reach physically. A user may need remote access to a ViPNet host deployed on an office computer in order to work on it from home.
To start a remote access program:
1. In the main ViPNet Monitor window, in the navigation pane, select Private Network.
2. Right-click the remote host you need to access and, on the context menu, click External Programs, then choose the program you want to start.
Figure 86. Starting an external program
On the External Programs menu, you can select only a program installed on your computer (see Installing Third-Party Software for Remote Management on page 190). In addition, the selected host must have a non-zero IP address and must have the corresponding server software installed, configured and running (for example, Radmin Server or VNC Server).
Note: If you use the Remote Desktop program, you do not need to install separate server software: Remote Desktop allows you to access any ViPNet host running a Windows edition that accepts Remote Desktop connections (see the list of editions in Installing Third-Party Software for Remote Management on page 190).
If all the requirements are satisfied, the connection window is displayed. If the connection is established, you will be prompted to enter the password to get access to the host selected. After you successfully enter the password, a window showing you the remote host's desktop will be displayed.
Note: Keep in mind that to establish a connection to a ViPNet host, you must configure the remote access software correctly. For example, if you use the Remote Desktop program, adjust the following settings on the host you are connecting to:
- In the system properties, allow remote access to the computer.
- Add the external user account to the list of remote users.
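The following PowerShell commands are an added example, not part of this guide or of the ViPNet software, showing how to apply and then verify the two Remote Desktop settings listed above on the host you are going to connect to. They assume Windows 8 or Windows Server 2012 or later with PowerShell 5.1 (for the Get-LocalGroupMember and Add-LocalGroupMember cmdlets), an elevated session on that host, and a placeholder account name CORP\jdoe that you replace with the real external account.

```powershell
# Added example, not part of the ViPNet documentation: applies the two Remote
# Desktop prerequisites named in the note above on the host you will connect
# to, and prints the resulting state so a misconfiguration shows up before you
# try the connection from the External Programs menu. Run in an elevated
# PowerShell session on that host (Windows 8 / Server 2012 or later, PowerShell
# 5.1 or later for the *-LocalGroupMember cmdlets). The account name is an
# assumed placeholder.
$RemoteUser = 'CORP\jdoe'   # assumed external account that will connect

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. "Allow remote access to the computer" (System Properties > Remote).
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord
# Keep Network Level Authentication required, so the client must authenticate
# before a session is created on this host.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
# Let the Remote Desktop traffic through the Windows firewall.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. "Add the external user account to the list of remote users", i.e. to the
#    Remote Desktop Users local group (skipped if already a member).
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
if ($members -notcontains $RemoteUser) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RemoteUser
}

# Verification: every flag should read True and the account should be listed.
function Get-RemoteDesktopState {
    [pscustomobject]@{
        RemoteConnectionsAllowed = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)
        NlaRequired              = ((Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1)
        FirewallRuleEnabled      = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' })
        ListeningOnTcp3389       = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
        RemoteDesktopUsers       = ((Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ', ')
    }
}
Get-RemoteDesktopState
```

Leaving Network Level Authentication on is not required by the note above, but it means a client must present valid credentials before the host creates a session, which is the setting you want on a host that is reachable through the ViPNet network from many workstations.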
Installing Third-Party Software for Remote Management
If you want to connect to ViPNet hosts remotely with a third-party program, such as Remote Administrator (Radmin), VNC or Remote Desktop Connection, make sure that the program is installed on your computer. You can download these programs' distribution kits from the following web pages:
- Remote Administrator from the Radmin web page http://www.radmin.com/download/. The Remote Administrator package includes client and server components.
- VNC from the RealVNC web page http://www.realvnc.com/download.html. The VNC package includes client and server components.
- Remote Desktop Connection from the Microsoft web page http://www.microsoft.com/windowsxp/downloads/tools/RDCLIENTDL.mspx. The Remote Desktop Connection program is installed by default in the following operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. You can establish connections from computers running any edition of these operating systems, but you can connect only to computers running the Enterprise, Professional and Ultimate editions. For more information, see the Microsoft web page http://windows.microsoft.com/en-us/windows-8/remotedesktop-connection-frequently-asked-questions.
Configuring a Terminal Server for Remote Management
When you work in a terminal session (for example, when connecting to a server via Remote Desktop Connection), you may find that, when the terminal session is closed, the ViPNet Monitor application is automatically terminated on the remote server and IP traffic protection is disabled. On coordinators, this may result in connection failures for all ViPNet hosts that use this coordinator as a firewall or an IP address server. The problem occurs if the terminal server is configured to end all user applications when the terminal session is closed. The figure below shows the options in the Terminal Services Configuration snap-in that cause this unwanted unloading of ViPNet Monitor.
Figure 87. A terminal server is configured incorrectly
To solve the problem, restore the default values by clearing all the Override user settings check boxes.
Figure 88. A terminal server is configured correctly
Note: In Windows Server 2008 R2, terminal services are called “Remote Desktop Services”.
Configuring Autologon for the Operating System and ViPNet Monitor
When you administer remote computers or computers with restricted physical access, you often need the operating system to log on automatically after a restart and ViPNet Monitor to start automatically. This can be a problem, because the ViPNet user password is normally required before the operating system and the ViPNet driver start up. To configure autologon for the system and automatic start of ViPNet Monitor:
1. Configure the autologon settings for the Windows operating system (see Configuring Autologon for the Windows OS on page 193).
2. In ViPNet Monitor:
   - Set the program to use the saved password when logging on. To do that, log on to ViPNet Monitor in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196). On the Service menu, click Security Service Settings. In the Security Service Settings dialog box, click the Administrator tab and select the Allow password saving in registry check box (see Advanced Security Settings on page 200).
   Note: On a remote host, the Password only logon mode should be used (see User Logon Modes on page 59).
   - Enable desktop locking at ViPNet Monitor startup (see Start and Abnormal Termination Options on page 205) to prevent an unauthorized user from working on the computer: with autologon and a saved ViPNet password, anyone with console access to the restarted computer would otherwise get a logged-on session.
Warning: You must have Windows OS administrator rights to configure these settings. If necessary, you can configure the settings remotely.
As a result, after a restart the operating system logs on and the ViPNet driver and ViPNet Monitor start automatically.
Configuring Autologon for the Windows OS
To configure the autologon feature for the Windows OS:
1. Press Win+R. If you are using Windows XP or Windows Server 2003, on the Start menu, click Run.
2. In the Run window, in the Open box, type control userpasswords2 and click OK. On Windows Vista, Windows Server 2008 or Windows 7, you can also run the netplwiz command instead.
3. In the User Accounts dialog box:
   - On the Users tab, in the list, choose the user whose credentials will be used to log on to the operating system and clear the Users must enter a user name and password to use this computer check box. The chosen user must belong to the Administrators group (be registered as a computer administrator).
Figure 89. Configuring automatic logon for the Windows operating system
   - On the Advanced tab, clear the Require users to press Ctrl+Alt+Delete check box.
Figure 90. Advanced configuring of automatic logon for the Windows operating system
Note: If your computer belongs to a domain, this option may be unavailable because of group security policy. In this case, to configure automatic logon to the operating system, you need to edit the registry manually. Editing registry entries incorrectly can cause operating system problems, so first create a backup copy of the registry; this allows you to restore it in case of a failure. If the Users must enter a user name and password to use this computer check box is missing or unavailable, then, in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, specify the following values:
- AutoAdminLogon: 1 (“true”). This value is required to enable autologon for the operating system. If it is set to 0, autologon is disabled.
- DefaultDomainName: the name of the domain your computer belongs to.
- DefaultUserName: the name of the user whose credentials will be used to log on to the system automatically.
- DefaultPassword: the user's password. If you do not assign any value to this parameter, AutoAdminLogon is automatically reset to 0 (“false”) and autologon is disabled. Keep in mind that DefaultPassword is stored in the registry in clear text, so anyone who can read this key on the computer can read the password; this is why desktop locking at ViPNet Monitor startup is recommended together with autologon.
If any of these values are missing, create them manually as string values (REG_SZ). If the Require users to press Ctrl+Alt+Delete check box is missing or unavailable, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key and set the DisableCAD value to 1 (“true”). If this value is missing, create it manually as a DWORD value.
4. Click Apply. In the Automatically Log On window, type the password and click OK.
Figure 91. The system autologon window
As a result, at the next computer startup, the user account you chose is used to log on to the operating system automatically (you do not need to type the password or press Ctrl+Alt+Delete).
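The following PowerShell script is an added example, not part of this guide or of the ViPNet software, that performs the registry edits from the note above for a domain-joined host, makes the recommended registry backup first, and checks the result. The domain CORP and the account vipnet-admin are placeholders; the password is prompted for rather than written into the script.

```powershell
# Added example, not part of the ViPNet documentation: sets the Winlogon and
# Policies\System values described in the note above, for a domain-joined host
# where the User Accounts dialog does not let you switch autologon on. Run in
# an elevated PowerShell session. Domain and account are assumed placeholders;
# the password is prompted for so it never ends up in a script file.
$Domain   = 'CORP'          # assumed domain of the host
$UserName = 'vipnet-admin'  # assumed autologon account (must be a local administrator, see above)
$Password = Read-Host -Prompt "Password for $Domain\$UserName"

$winlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policiesPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Back up both keys first, as the note recommends; "reg import <file>" restores them.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export "HKLM\$winlogonPath" "$env:TEMP\winlogon-$stamp.reg" /y | Out-Null
reg.exe export "HKLM\$policiesPath" "$env:TEMP\policies-system-$stamp.reg" /y | Out-Null

# Winlogon values are REG_SZ (so AutoAdminLogon is the string "1", not a DWORD);
# DisableCAD is a DWORD under Policies\System, which is created if absent.
$winlogon = "HKLM:\$winlogonPath"
$policies = "HKLM:\$policiesPath"
Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon'    -Value '1'       -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultDomainName' -Value $Domain   -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultUserName'   -Value $UserName -Type String
Set-ItemProperty -Path $winlogon -Name 'DefaultPassword'   -Value $Password -Type String
if (-not (Test-Path $policies)) { New-Item -Path $policies | Out-Null }
Set-ItemProperty -Path $policies -Name 'DisableCAD' -Value 1 -Type DWord

# A leftover AutoLogonCount would make Winlogon clear DefaultPassword again
# after that many boots, silently breaking the unattended restart.
Remove-ItemProperty -Path $winlogon -Name 'AutoLogonCount' -ErrorAction SilentlyContinue

# Verification: the four flags should be True. DefaultPassword is stored in
# clear text, and the last field lists who is allowed access to the Winlogon
# key (by default this includes ordinary local users), so pair autologon with
# "Lock desktop" at ViPNet Monitor startup (see page 205).
function Test-AutologonConfig {
    $w = Get-ItemProperty -Path $winlogon
    $p = Get-ItemProperty -Path $policies -ErrorAction SilentlyContinue
    $readers = (Get-Acl -Path $winlogon).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        AutoAdminLogon    = ($w.AutoAdminLogon -eq '1')
        AccountSet        = (-not [string]::IsNullOrEmpty($w.DefaultUserName))
        PasswordSet       = (-not [string]::IsNullOrEmpty($w.DefaultPassword))
        CtrlAltDelOff     = ($p.DisableCAD -eq 1)
        WinlogonKeyAccess = ($readers -join ', ')
    }
}
Test-AutologonConfig
```

If keeping the password out of the registry in clear text matters in your environment, the Sysinternals Autologon tool stores it as an LSA secret instead of in DefaultPassword; that tool is outside the scope of this guide.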
Working in the ViPNet Host Administrator Mode
You can log on to ViPNet Monitor in the ViPNet host administrator mode. In this mode, you get access to the following features and settings:
- The Administrator section, displayed in the navigation pane of the main window, which allows you to configure advanced parameters on the host (see ViPNet Monitor Advanced Settings on page 197).
- The event log containing entries about security level changes and other activities of the user and administrator (see Viewing the Event Log on page 202).
- The ability to view the IP packets log of a certain ViPNet host (see Viewing the IP Packets Log of Another Host on page 178).
- The ability to view and edit the ViPNet Monitor configurations (see Managing ViPNet Monitor Configurations on page 184) created by all users on the host.
If you log on as an administrator, all restrictions imposed by your permission level are ignored. To log on as an administrator:
1. Do one of the following:
   - In the ViPNet Monitor main window, on the File menu, click Log in as Administrator.
   - In the ViPNet Monitor main window, on the Service menu, click Security Service Settings. In the Security Service Settings dialog box, on the Administrator tab, click Administrator logon.
2. In the Administrator Logon window, type your ViPNet host administrator password.
Figure 92. Typing the ViPNet host administrator password
3. Click OK. If the password you typed is correct, the program restarts and all additional settings become available.
Warning: In a ViPNet network managed with the ViPNet Administrator software, the host administrator password is defined in the ViPNet Administrator Key and Certification Authority program. In a ViPNet network managed with the ViPNet Network Manager program, the host administrator password is stored in the ViPNet_a.txt file located in the folder in which the key sets are stored; anyone who can read that folder can read the password, so protect the folder accordingly.
ViPNet Monitor Advanced Settings
When you log on to ViPNet Monitor in the ViPNet host administrator mode, the Administrator section becomes accessible in the navigation pane of the main window. In this section, you can configure a number of advanced program settings. To configure the advanced settings:
1. Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196).
2. In the navigation pane of the main ViPNet Monitor window, select Administrator.
Figure 93. Configuring advanced program settings when you work with the program as an administrator
3. To change the ViPNet Monitor program settings, follow the guidelines in these sections:
   - Restricting User Interface (on page 198)
   - Program Startup Options (on page 198)
   - Computer Locking Settings (on page 199)
   - Traffic Protection Options (on page 200)
4. To save the settings, click Apply. To discard changes, click Cancel.
Restricting User Interface
If you want to restrict the user's ability to modify the ViPNet Monitor parameters and to hide the navigation pane, in the Administrator section (see ViPNet Monitor Advanced Settings on page 197), select the Restrict user interface check box.
Note: If the special permissions level 3 is specified for the host, then this check box is selected by default, and you cannot clear it.
If this check box is selected, the following restrictions are enabled in the ViPNet Monitor program:
- In the main ViPNet Monitor window, only the view pane with the list of ViPNet hosts is available.
- On the File menu, the Configurations and Change User commands are unavailable, while the Change User Password and Change Logon Mode commands are available. The password can be changed only to a random password based on a passphrase.
- The Service menu is unavailable, so you cannot edit, save or restore ViPNet Monitor settings and Security Service settings.
- You cannot start the ViPNet MFTP transport module from the Applications menu.
Program Startup Options
If you want to configure additional ViPNet Monitor startup parameters, in the Administrator section (see ViPNet Monitor Advanced Settings on page 197), do the following:
- If you do not want ViPNet software to protect IP traffic from the moment the Windows OS starts, select the Do not secure IP traffic before Windows logon check box. In this case, neither ViPNet user authentication nor automatic ViPNet Monitor startup is performed at Windows OS startup, so the computer remains unprotected until you start the ViPNet Monitor program manually to enable traffic protection.
Note: We do not recommend selecting this check box on coordinators, on clients with a dynamic IP address, or on clients that connect to hosts with a dynamic IP address.
- If you want to prevent other users (who have accounts on the computer) from starting ViPNet Monitor when they access this computer remotely (for example, using Remote Desktop), clear the Allow Monitor to be started in the remote session check box. By default, the check box is selected. The check box is available only if software for remote sessions is installed on this computer.
Note: Only one ViPNet Monitor instance can run on the computer. If the program has been started in another user's session, end the Monitor.exe process in Windows Task Manager and then start ViPNet Monitor.
- If you want traffic protection to be enabled at Windows OS startup but ViPNet Monitor not to start, select the Do not launch Monitor after Windows logon check box. In this case, only the ViPNet driver is loaded after the Windows OS starts, and the computer is protected from network attacks.
- If you want to prevent the user from starting the Windows OS without loading ViPNet Monitor, select the Require ViPNet login before Windows logon check box. In this case, the Cancel button in the ViPNet Monitor logon window is unavailable.
Note: If the Do not secure IP traffic before Windows logon check box is selected, the Require ViPNet login before Windows logon check box is ignored.
Computer Locking Settings
If needed, in the Administrator section (see ViPNet Monitor Advanced Settings on page 197), in the Lock this Computer group, you can change the computer locking settings.
- By default, automatic locking of an idle computer is enabled in ViPNet Monitor. If you do not use the mouse or keyboard for the specified time, the current locking mode is applied automatically. If needed, in the When your computer is idle for box, set the idle time after which the computer is locked (15 minutes by default). To disable automatic locking of an idle computer, set the value in this box to 0.
- Automatic computer locking upon detaching the user authentication device is enabled in ViPNet Monitor by default. If you want to disable it, clear the When you disconnect your authentication device check box. The computer is locked upon detaching the authentication device only when you use the Password on Device or PIN and device logon mode (see User Logon Modes on page 59). If you use a Smartcard Athena device (see External Storage Devices on page 297), automatic locking does not work.
To continue working after your computer has been automatically locked, you need to connect the device, type the Windows user password, and type the PIN and password (if necessary) without changing the logon mode.
Warning: To unlock your computer, connect the exact device that you used previously to log onto the program and use the same logon mode. If you connect another device or choose another logon mode, you will not be able to unlock your computer.
Traffic Protection Options
If needed, in the Administrator section (see ViPNet Monitor Advanced Settings on page 197), you can specify additional IP traffic protection options.
- ViPNet software automatically blocks incoming IP packets if the difference between their sending and receiving time exceeds a specified interval. This option applies to the hosts linked with your computer (the hosts displayed in the Private Network section). If needed, in the Maximum time period between sending and receiving an IP packet box, set the interval in minutes (120 minutes by default). A shorter interval rejects stale packets sooner, but it requires the clocks of all linked hosts to be synchronized to within that interval.
Warning: As a result, IP packets from hosts whose system time is set incorrectly may be blocked.
- If needed, you can cancel the effect of the security policies received from the ViPNet Policy Manager program. To do this, in the Security policy group, clear the Apply security policies received from ViPNet Policy Manager check box. For instance, you can cancel security policies to temporarily disable invalid network filters sent to the host by mistake. When you clear this check box, the accepted security policies stop being applied (the network filters received with them are hidden and no longer take effect), and your host notifies the host running ViPNet Policy Manager that it will not accept any new security policies. If you select the check box again, the previously applied security policies are reapplied and your host starts receiving new security policies from ViPNet Policy Manager.
Advanced Security Settings
After you log on in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196), you can configure advanced settings in the Administrator section as well as the following parameters in the Security Service Settings dialog box, on the Administrator tab:
- Allow password saving in registry, in other words, allow the ViPNet host user to select the Save password check box when logging on to ViPNet Monitor. If this check box is selected, the user password is stored in the Windows registry and is entered automatically the next time you log on to ViPNet Client.
Note: This parameter is set by the ViPNet network administrator in ViPNet Network Manager or ViPNet Administrator and is transferred to a host within a key set or a keys and host links update. The host administrator may select or clear the Allow password saving in registry check box, and this change remains effective until the next keys and host links update. At the next update, the check box is cleared or selected as set by the ViPNet network administrator in the network management software.
- Automatically log on to ViPNet allows you to log on to ViPNet Monitor without confirming your ViPNet user password in the logon window. If this check box is selected, the logon window is not displayed at program startup on the current host and you are logged on to ViPNet Monitor automatically. This happens in the following cases:
   - when you use the Password only logon mode, if the password has been saved to the registry, in other words, if the Allow password saving in registry check box has been selected and, in the logon window, the correct user password has been entered and the Save password check box has been selected;
   - when you use the Password and device or PIN and device logon mode, if the authentication device is attached to your computer and, in the logon window, the correct PIN has been entered and the Save PIN check box has been selected.
- Enable external certificates. This feature allows you to use certificates not only from your personal store (the ViPNet internal store), but also from the system store. This may be required if you use a cryptographic service provider of another vendor (for example, CryptoPro) together with the ViPNet software, or certificates issued by external Certification Authorities (outside the ViPNet network).
- Trust only ViPNet CA administrators' certificates. If you clear this check box, during certificate validation the program searches for the root certificate not only in the ViPNet internal store, but also in the Trusted Root Certification Authorities and Intermediate Certification Authorities system stores. Keep in mind that any root certificate installed in those system stores is then trusted for ViPNet certificate validation.
- Ignore the absence of the Certificate Revocation Lists (CRLs). We recommend selecting this check box if you use certificates issued by external certification authorities (not belonging to the ViPNet network), because those certificates may contain no CRL data. Keep in mind that, with this check box selected, a certificate whose CRL cannot be found is accepted without a revocation check.
Setting the User Logon Mode
The logon mode defines which credentials you need to use to log on to ViPNet Monitor. To change the logon mode:
1. Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196).
2. In the Security Service Settings dialog box, click the Keys tab, and then click Change.
3. In the Logon Mode window, choose a suitable logon mode. To find out more about the available logon modes, see User Logon Modes (on page 59).
Note: The Password on Device mode is unavailable, because it no longer meets up-to-date security requirements.
If you choose authentication by a certificate, connect the external device to the computer and select the proper certificate in the list of certificates found on the device. If you encounter any difficulties while using the certificate for authentication, see Cannot Log On with a Certificate (on page 255). If you choose authentication by a personal key, connect the external device to the computer in order to save your personal key (see Keys in ViPNet Software on page 287) on the device. When saving the personal key (the protection key, see page 336) on an external storage device, mind the following: if you use digital signing and encryption in third-party applications (for example, in Microsoft Office), we strongly recommend saving the key container (see page 334) to the same device. Otherwise, digital signing and encryption in third-party applications will be impossible because there will be no access to the protection key. You can move the key container from the current folder to another folder on a disk, but then you will have to enter your password every time you perform digital signing and (or) encryption in a third-party application.
Warning: If you work in the PIN and device logon mode and the external device is disconnected, your computer may be locked automatically, depending on the settings made in the ViPNet host administrator mode (see ViPNet Monitor Advanced Settings on page 197). To continue working, connect this device. If necessary, you can change the parameters of automatic computer locking and IP traffic blocking.
4. Click OK. On the Keys tab, under Logon, the values in the Logon mode and Storage type boxes change according to the logon mode you selected.
On a ViPNet network managed with the ViPNet Administrator software, a logon mode can also be set by the ViPNet network administrator in the ViPNet Key and Certification Authority program. If the administrator sets that the user must authenticate with a certificate, the user has to hand over an external device with a certificate and a private key to the administrator for registration. At the same time, the conditions given in the note in the PIN and Device section (on page 62) have to be met. After the new authentication mode has been assigned to the user, the administrator sends a host keys update to the user's host. After accepting this update, the user can authenticate only by using the selected mode.
Viewing the Event Log
The following changes in ViPNet Monitor settings are logged in the event log:
- Changing network filters.
- User logon and logout.
- Administrator logon.
- Loading another configuration.
- Other events.
This information allows the administrator to monitor security on the host. To view the event log:
1. Log on to the program in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196).
2. In the navigation pane of the main ViPNet Monitor window, select Administrator.
3. In the Administrator section, click Event log.
Figure 94. Viewing the event log
4. To view the event log in the HTML or XLS format, in the Event log window, right-click any entry and, on the context menu, click View as HTML document or View as XLS document. Note that, to view XLS files, Microsoft Excel must be installed on your computer.
Information about the logged events is presented in the table below.
Table 6. Events registered in the log
Column          Description
Date and time   Time of the event.
User name       The event initiator.
Event           One of the following:
                - User logon.
                - User logout.
                - Administrator mode (logon using administrator's credentials).
                - User logon denied (user name is not identified): displayed when a user password has been typed incorrectly three times.
                - Administrator logon denied (user name is not identified): displayed when an administrator password has been typed incorrectly three times.
                - Tech restart: the program restarts after receiving updates.
                - Tech restart: the program restarts after abnormal termination.
                - Change user: another user registered on this ViPNet host logs on to the program.
                - Change configuration: another configuration is chosen in the Configurations section.
                - Change filter: a network filter has been created, edited or deleted.
                - Switching the “Enable IP, ARP and RARP only” function on or off. You can select or clear the Enable IP, ARP and RARP only check box on the Service menu, in the Options dialog box, in the Manage IP Traffic section.
                - Switching the “Lock Desktop on startup” function on or off. You can select or clear the Lock desktop check box on the Service menu, in the Options dialog box, in the General > Start and abnormal termination section.
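The following PowerShell script is an added example, not part of this guide or of the ViPNet software, that triages an exported event log using the columns of Table 6. It assumes that the log was opened with View as XLS document and then saved from Excel as a CSV file; the rows embedded in the script are constructed sample data, and the timestamp format and the text following each event name are assumptions, not taken from a real export.

```powershell
# Added example, not part of the ViPNet documentation: triages a ViPNet Monitor
# event log for the entries a host administrator usually wants to see first.
# It assumes the log was opened with "View as XLS document" and saved from
# Excel as CSV with the three columns of Table 6; the rows below are constructed
# sample data (the timestamp format and the text after each event name are
# assumptions, not a real export).
$sampleCsv = @'
Date and time,User name,Event
2015-03-02 08:55:10,ivanov,User logon.
2015-03-02 09:02:41,ivanov,Change configuration. Internet
2015-03-02 12:14:03,petrov,User logon denied (user name is not identified)
2015-03-02 12:17:02,petrov,Administrator logon denied (user name is not identified)
2015-03-02 23:40:12,ivanov,Change filter. Filter created
2015-03-02 23:41:05,ivanov,"Switching the ""Enable IP, ARP and RARP only"" function off"
2015-03-03 07:30:00,ivanov,Administrator mode (logon using administrator's credentials)
2015-03-03 07:31:15,ivanov,"Switching the ""Lock Desktop on startup"" function off"
'@

# Returns one finding per event worth a second look: lockouts after three
# wrong passwords, administrator logons, startup-locking changes, and filter
# or IP/ARP/RARP-only changes made outside business hours.
function Get-VipnetLogFindings {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [int]$BusinessStartHour = 8,
        [int]$BusinessEndHour   = 19
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $time  = [datetime]::ParseExact($row.'Date and time', 'yyyy-MM-dd HH:mm:ss', $null)
        $event = $row.Event
        $afterHours = ($time.Hour -lt $BusinessStartHour) -or ($time.Hour -ge $BusinessEndHour)
        # The patterns are mutually exclusive, so at most one case yields a reason.
        $reason = switch -Wildcard ($event) {
            '*logon denied*'               { 'Three wrong passwords in a row' }
            'Administrator mode*'          { 'Host administrator logon' }
            'Change filter*'               { if ($afterHours) { 'Network filter changed outside business hours' } }
            'Switching the "Enable IP*'    { if ($afterHours) { 'IP/ARP/RARP-only protection toggled outside business hours' } }
            'Switching the "Lock Desktop*' { 'Startup desktop locking toggled' }
        }
        if ($reason) {
            [pscustomobject]@{ Time = $time; User = $row.'User name'; Event = $event; Reason = $reason }
        }
    }
}

$findings = @(Get-VipnetLogFindings -CsvText $sampleCsv)
$findings | Format-Table -AutoSize

# Denied logons per account: repeated lockouts on one account suggest
# password guessing rather than a forgotten password.
$findings | Where-Object Reason -like '*wrong passwords*' |
    Group-Object User | Select-Object Name, Count | Format-Table -AutoSize
```

With the sample rows, the first two entries are not reported, the two denied logons for petrov and the late-evening filter and IP/ARP/RARP-only changes by ivanov are, and the administrator logon and the Lock Desktop change on the following morning are listed so that the host administrator can confirm they were expected. Adjust the business hours parameters to your site.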
Start and Abnormal Termination Options
To configure ViPNet Monitor start and abnormal termination options:
1. In the ViPNet Monitor main window, on the Service menu, click Options.
2. In the Options dialog box, in the navigation pane, select General > Start and Abnormal Termination.
Figure 95. Configuring start and abnormal termination of the program
3. If you do not want the configuration selection dialog box (see Managing ViPNet Monitor Configurations on page 184) to appear on every startup, clear the Choose configuration on every startup check box. When ViPNet Monitor starts, the last used configuration is then loaded. If ViPNet Monitor has only one configuration, the configuration dialog box is not shown even if the Choose configuration on every startup check box is selected.
4. If you want to lock your computer when ViPNet Monitor starts, select the Lock desktop check box. To unlock the computer after the program starts, enter the ViPNet host user password. This feature helps to prevent unauthorized access to the computer if its operating system is restarted while the user password is saved in the registry: without it, such a restart would end in an unlocked, logged-on desktop.
5. If you do not want ViPNet Monitor to restart automatically after abnormal termination, clear the Restart Monitor application after abnormal termination check box (it is selected by default).
6. If you want Windows to restart automatically after system failures, select the Use WatchDog check box, and then, in the Restart after box, specify the time interval (in seconds).
The WatchDog service tracks ViPNet Monitor operability. If the program stops responding due to a system failure, WatchDog restarts the OS. We recommend using this service on remote computers that are difficult to access.
Note: The WatchDog feature is not supported in 64-bit operating systems.
Security Service Settings
The operations described in this section are performed in the Security Service Settings dialog box. To open this dialog box, on the Service menu, click Security Service Settings.
Changing a User Password
We recommend changing your user password every 3 months. Most organizations have a security policy that prescribes how often the password must be changed. You should change your user password in the following cases:
- The validity period of your password has expired (if this period is limited).
- On your ViPNet host, you receive a keys update containing a new user password from ViPNet Key and Certification Authority or ViPNet Network Manager. In this case, the message “It is recommended to change your password” is displayed, but the password is not changed automatically, so you need to change it manually.
- If a key container is protected not with a password but with a personal user key, the key container password is identical to the user password. That is why, if you need to change a key container password (see Changing the Container Password on page 246), you should change the user password.
We also recommend changing the user password when you first log on to the ViPNet program after installing the keys and host links. This improves the security of your password, because the new password is not known to the ViPNet network administrator. To change your user password:
1. In the Security Service Settings dialog box, click the Password tab.
Figure 96. Changing the current user password
2. Under Password Type, choose the type of your new password:
   - User-defined is a password created by yourself (see Setting a User-Defined Password on page 208);
   - Random password, based on a passphrase is a password generated automatically from a phrase according to the specified parameters (see Setting a Random Password on page 208);
   - Random numeric is a password generated automatically from the specified number of digits (see Setting a Random Numeric Password on page 209).
3. Click Change password. Your further actions depend on the password type you have chosen and are described in the corresponding sections.
4. If you need to limit the password validity period, select the Enable password expiry check box and specify the desired period in days.
5. Click OK.
Setting a User-Defined Password
To change your current user password to a user-defined one:
1. On the Password tab (see figure 96 on page 207), choose User-Defined.
2. Click Change password.
3. In the Change Password window, type your new password (no shorter than 6 characters) and confirm it. Pay attention to the case and keyboard layout.
Warning: Your password must not contain more than 31 symbols. Current versions of ViPNet software cannot use a longer password, because the algorithm that passes your password to the cryptographic service provider limits its length to 31 symbols.
4. Click OK.
Next time you start ViPNet Monitor, you need to type your new password.
Setting a Random Password
To change the current password to a random password based on a passphrase:
1. On the Password tab (see figure 96 on page 207), choose Random password, based on a passphrase and specify the new password parameters:
o In the Dictionary list, select a language for the passphrase.
o In the Words in a passphrase list, select the desired number of words (3, 4, 6 or 8) in the passphrase. The more words you choose, the longer and more secure the password will be.
o In the Symbols from a word list, select the number of characters (3 or 4) that will be taken from the beginning of each word in the passphrase to form the new password.
In the Password length field, the number of characters in the user password is displayed automatically on the basis of the specified parameters.
Warning: Your password must not contain more than 31 symbols. Current versions of ViPNet software cannot use a longer password, because the algorithm that passes your password to the cryptographic service provider limits its length to 31 symbols.
2. Click Change password.
3. Follow the instructions in the Digital Roulette window.
Note: If, within the current session, the digital roulette has already been launched once, the window will not be displayed.
Figure 97. Digital Roulette
4. Remember the password and (or) the passphrase displayed in the Change Password window. If necessary, choose another password and passphrase according to the specified parameters: to do that, click Next Password. Click OK.
Now, at ViPNet Monitor startup, you should type the specified number of initial characters of each word in the passphrase, without spaces and using the Latin keyboard layout. For example, if the passphrase is “sailor conceals sorcerer” and 3 initial characters of each word are used, the password is “saiconsor”.
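The derivation rule just described (the first N symbols of each passphrase word, joined without spaces) and the two length limits the guide states (at least 6 characters, at most 31 symbols) can be written down as a short script. This is an added example written for this page, not ViPNet code: it does not reproduce the dictionary or the Digital Roulette generator, and the function names are the example's own. It also goes a little beyond the text by enumerating which combinations of the offered Words in a passphrase (3, 4, 6, 8) and Symbols from a word (3, 4) settings would produce a password longer than the 31-symbol limit.

```python
"""Passphrase-derived password rule and length limits, as described above.

Added example, not ViPNet code. It reproduces the documented rule (take the
first N characters of each passphrase word, join without spaces) and the two
documented length constraints (at least 6 characters, at most 31 symbols).
"""
from itertools import product

MIN_PASSWORD_LEN = 6        # documented minimum for a user-defined password
MAX_PASSWORD_LEN = 31       # documented limit when handing the password to the CSP
WORD_COUNTS = (3, 4, 6, 8)  # choices offered in the "Words in a passphrase" list
SYMBOL_COUNTS = (3, 4)      # choices offered in the "Symbols from a word" list


def passphrase_password(passphrase: str, symbols_per_word: int) -> str:
    """Derive the password the user must type from a generated passphrase."""
    words = passphrase.split()
    if not words:
        raise ValueError("passphrase must contain at least one word")
    for w in words:
        if len(w) < symbols_per_word:
            raise ValueError(f"word {w!r} is shorter than {symbols_per_word} symbols")
    # First N characters of each word, concatenated without spaces.
    return "".join(w[:symbols_per_word] for w in words)


def password_length(words: int, symbols_per_word: int) -> int:
    """Value shown in the Password length field: words x symbols per word."""
    return words * symbols_per_word


def within_limits(password: str) -> bool:
    """True if the password satisfies both documented length constraints."""
    return MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN


def oversized_combinations() -> list[tuple[int, int]]:
    """(words, symbols) settings whose result would exceed the 31-symbol limit."""
    return [(w, s) for w, s in product(WORD_COUNTS, SYMBOL_COUNTS)
            if password_length(w, s) > MAX_PASSWORD_LEN]


if __name__ == "__main__":
    # Constructed sample: the passphrase from the guide's own example.
    pw = passphrase_password("sailor conceals sorcerer", 3)
    print(pw, within_limits(pw))        # saiconsor True
    print(oversized_combinations())     # [(8, 4)]
```

Running the script shows that only the 8 words by 4 symbols setting (32 characters) falls outside the limit, which is why the Password length field is worth checking before clicking Change password.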
Setting a Random Numeric Password
To change your current user password to a random numeric password:
1. On the Password tab (see figure 96 on page 207), choose Random numeric and, in the Number of digits box, specify the password length.
Warning: Your password must not contain more than 31 symbols. Current versions of ViPNet software cannot use a longer password, because the algorithm that passes your password to the cryptographic service provider limits its length to 31 symbols.
2. Click Change password.
3. To continue, follow the instructions in the Digital Roulette window (see figure 97 on page 209).
Note: If, within the current session, the digital roulette has already been launched once, the window will not be displayed.
4. Remember the PIN displayed in the Change Password window. If necessary, replace this PIN with another one containing the specified number of digits: to do that, click Next PIN code. Click OK.
When you next start ViPNet Monitor as this user, you should enter the PIN.
Configuring Encryption
You can configure encryption for outbound traffic. To do this:
1. In the Security Service Settings dialog box, click the Encryption tab.
Figure 98. Configuring encryption
2. In the Encryption algorithm list, choose the algorithm that will be used to encrypt outgoing messages. Outbound traffic encryption will be performed in accordance with the chosen algorithm. All data transferred using the integrated ViPNet communication tools (for example, the ViPNet Business Mail program) will be encrypted in the same way. If you manage your ViPNet network in ViPNet Network Manager version 4.3 or later or ViPNet Administrator version 4.4.1 or later, then the ViPNet network administrator can select another encryption algorithm. The newly selected algorithm will be applied on hosts after updating keys and host links on them.
3. In the next list, specify the keys that should be used for encrypting the data transferred via integrated ViPNet tools. Here you can choose keys that can be accessed only by you or keys available to other users of your host (if there are any). You can view the list of users who have access to encryption keys on the User tab. Choosing encryption keys allows you to restrict access of users working on one host to the encrypted information (for example, information transferred by the ViPNet Business Mail program). In other words, if an outgoing message has been encrypted using the keys to which only you have access, then other users on the same host will not be able to read this message.
4. Click OK.
Managing External Storage Devices
External storage devices can be used in ViPNet Monitor for authentication (when you use the Password and device and PIN and device logon modes) and for key container storage (see Working with a Key Container on page 244). To manage external devices:
1. Click the Devices tab.
Figure 99. Managing external storage devices
2. Connect the device to your computer.
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 298).
The names of the currently connected devices are displayed in the Connected devices list, while the names of the key containers stored on the selected device are displayed in the Key containers found on the device list.
Note: Containers created in ViPNet Key and Certification Authority are named sgn_cont. When user keys arrive on your ViPNet host, the new container is named sgn_cont followed by a number (for example, sgn_cont1, sgn_cont2, and so on).
3. Click Devices types to specify the types of devices that should be scanned for key containers. In the Configuring the Devices List window, select the device types and click OK.
Note: By default, all check boxes in the Configuring the Devices List window are selected. Clearing the check boxes of devices you do not need speeds up the program slightly. For example, if a card reader that is not required by the ViPNet software is attached to your computer, clearing the corresponding check box disables polling of this device and speeds up the digital signature functions.
4. If necessary, initialize the selected device (see External Device Initialization on page 213).
5. If necessary, change the user PIN or administrator PIN for the selected device (see Changing a Device PIN on page 214).
6. If necessary, click View to view and (or) edit the properties of the key container stored on the connected device (see Working with a Key Container on page 244).
7. If you do not want to use a container stored on the device to log on to the ViPNet software, select the container in the list, and then click Delete.
External Device Initialization
External device initialization is required when you need to erase all data on the device. To initialize the connected device:
1. Make sure that the device you are going to initialize does not contain any important information. If necessary, copy the information from the external device to another device or to a hard disk.
2. On the Devices tab (see figure 99 on page 212), in the Connected devices list, select the required device.
3. Click Initialize.
4. In the message window warning you that all data will be deleted from the device, click Yes.
5. In the Initialization window, type the device administrator PIN.
6. If necessary, change the user PIN. To do that, type a new PIN and confirm it in the corresponding boxes.
7. Click OK.
Figure 100. External device initialization
Now the connected device is initialized.
Changing a Device PIN
A device PIN change may be required when the password expires according to the corporate security policy or for other regulated reasons. To change the user PIN or administrator PIN (depending on your permissions level) for the connected device:
1. Click Change PIN.
2. In the Change PIN window, select the PIN you need to change.
3. In the Type old PIN box, type the current PIN. In the other two boxes, type and confirm your new PIN, and then click OK.
Figure 101. Changing a PIN for a device
Now you need to use the new PIN to access the device.
Configuring the ViPNet CSP Program
The ViPNet CSP program is part of the ViPNet Client software. ViPNet CSP is a cryptographic service provider that provides cryptographic functions through the Microsoft CryptoAPI 2.0 interface. This allows you to perform cryptographic operations in Microsoft applications and in other programs that use Microsoft CryptoAPI. ViPNet CSP also allows you to work with key containers (see Key container on page 334) and external storage devices (on page 297). To configure ViPNet CSP or to specify the settings for automatic installation of certificates in the system store, do the following:
1. In the Security Service Settings dialog box, click the Cryptoprovider tab.
Figure 102. Configuring cryptographic service provider parameters
2. To configure ViPNet CSP, click Configure CSP. The ViPNet CSP Settings window will be displayed, in which you can do the following:
o Configure the cryptoprovider's parameters.
o Operate on key containers.
o Configure parameters for working with external devices: set the types of devices that will be searched for key containers; initialize a device or change its PIN code.
For more information about configuring and using ViPNet CSP, see the document “ViPNet CSP. User’s Guide.”
3.
4. If necessary, specify the certificates and CRLs that should be installed in the system store automatically (see Installing Certificates in a Store Automatically on page 224) by selecting the corresponding check boxes:
o current user certificate, to install the current certificate into the Windows system store;
o ViPNet Certification Authority certificates, to install into the system store the issuers' certificates (root certificates) received with key updates from ViPNet Key and Certification Authority or ViPNet Network Manager;
o ViPNet Certificate Revocation Lists, to install into the system store the certificate revocation lists received with key updates from ViPNet Key and Certification Authority or ViPNet Network Manager.
To save the settings, click OK.
12 Working with Certificates and Keys
Viewing Certificates in the Certificate Manager Window .......... 219
Managing Certificates .......... 223
Working with a Key Container .......... 244
Viewing Certificates in the Certificate Manager Window
This feature is helpful when you need to get detailed information about a certificate: its purpose, issuer, fields, invalidity reason, and more. In ViPNet Client, you can view the following certificate types:
current user certificates,
private user certificates (see Viewing Personal Certificates on page 220),
trusted root certificates (see Viewing Trusted Root Certificates on page 221),
issued certificates (see Viewing Issued Certificates on page 221).
You can see the main information about a certain certificate in the Certificate dialog box, on the General tab:
the certificate purpose or (for invalid certificates) the reason for the certificate invalidity;
certificate subject (the public key owner) name;
certificate issuer's name;
certificate validity period;
the validity period of the private key corresponding to the current certificate;
information about certificate policies, displayed when you click Issuer Statement.
Note: In ViPNet networks managed with the ViPNet Administrator software, the Issuer Statement button is available only if the usage policies have been assigned to the certificate at its issuing in the ViPNet Administrator KCA software.
Figure 103. Viewing general information about a certificate
Viewing Personal Certificates
To view your personal certificates:
1. In the Security Service Settings dialog box, click the Signature tab and click Certificates. The Certificate Manager window will be displayed, in which you can view information about all your personal certificates and the certificates installed in the operating system certificate store. All of these certificates are already installed.
Note: The certificates installed in the operating system certificate store are displayed only if, in the Security Service Settings dialog box, on the Administrator tab, you have selected the Enable external certificates check box (see Advanced Security Settings on page 200).
2. If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen personal certificate.
Viewing Trusted Root Certificates
To view trusted root certificates:
1. In the Security Service Settings dialog box, click the Signature tab and click Certificates.
2. In the Certificate Manager dialog box, click the Trusted Root Certificates tab.
3. If you need to acquire more detailed information about any of the certificates, select the certificate name and click Properties or double-click the name of the certificate. The Certificate dialog box will be displayed allowing you to view information about the root certificate chosen.
Viewing Issued Certificates
To view issued certificates:
1. In the Security Service Settings dialog box, click the Signature tab and click Issued Certificates. The Certificate Manager window will be displayed allowing you to view the information about the certificates issued in ViPNet Key and Certification Authority. These certificates are issued based on the renewal requests or on the ViPNet Key and Certification Authority administrator's initiative, but have not been installed yet.
2. If you need to acquire more detailed information about any of the certificates, select the certificate name and click Properties or double-click the name of the certificate. The Certificate dialog box will be displayed allowing you to view information about the issued certificate chosen.
Viewing the Certification Path
To view the chain of certification authorities (see Certification path on page 333) by which a certain certificate is trusted:
1. Open the Certificate dialog box for the certificate whose trust chain you need to view.
2. Click the Certification Path tab. On this tab, you can see the certificates representing the hierarchy of certification authorities that issued the certificate for which you opened the Certificate dialog box. You can also view the status of those certificates.
3. If you need more detailed information about any of the certificates, select the certificate name and click Properties, or double-click the name of the certificate. The Certificate dialog box will be displayed, allowing you to view information about the chosen certificate.
Viewing Certificate Fields and Printing a Certificate
To view the fields of a certain certificate:
1. Open the Certificate dialog box for the certificate whose fields you want to view.
2. Click the Details tab. By default, the list of all the certificate fields is displayed on this tab.
3. To limit the number of fields you are viewing, choose a field group in the Show list:
o Version 1 Fields Only, to view all the fields except extensions;
o Extensions Only, to view the additional fields of a certificate that conforms to the X.509 standard, version 3;
o Critical Extensions Only, to view only those extensions that the issuer has marked as critical;
o Properties Only, to view the parameters that are not certificate fields. Such parameters are assigned to a certificate when it is kept in the system store of a host.
Note: The Private key validity period field is displayed if the certificate validity period is longer than one year. In that case, the private key validity period is exactly one year.
4. Choose the required field and view its value in the lower part of the dialog box.
To send the certificate to the default printer on your host, click Print.
Managing Certificates
The ViPNet Client functionality for managing certificates, available in the Security Service Settings dialog box, is described in the table below.
Functionality | Reference
Installing certificates in a store. You can install certificates in a store manually, or it can be done automatically. | Installing Certificates in a Store Automatically (on page 224); Installing Certificates in a Store Manually (on page 225)
Changing the current certificate. You can choose another certificate (from the user's valid personal certificates) as the current one. | Changing the Current Certificate (see Choosing Certificates for Current Usage on page 231)
Private key and certificate renewal. You can configure parameters of notification about the validity period of the current certificate and the corresponding private key. You can also generate a request to renew this certificate and the corresponding private key, if necessary. | Configuring Notification That a Private Key and a Certificate Have Expired (on page 233); Procedure of Renewing a Private Key and a Certificate (on page 234)
Installing a certificate. To start using a certificate that arrived on your ViPNet host, you should install it first. You can configure parameters of automatic certificate installation or install certificates manually. | Choosing Certificates for Current Usage (see Installing Certificates in Containers on page 239); Installing a Certificate Automatically (on page 239); Installing a Certificate Manually (on page 239); Installing RSA Certificates (on page 228)
Working with certificate requests. You can view the current state of certificate requests created by the current user, as well as delete unnecessary requests. | Working with Certificate Requests (on page 240); Viewing a Certificate Request (on page 240); Deleting a Certificate Request (on page 241)
Exporting a certificate. Depending on the purpose of using a certificate outside your ViPNet host, you can export the certificate to various file formats. | Exporting a Certificate (on page 241)
Installing Certificates in a Store
Installing certificates in a store allows you to use these certificates in external applications such as Windows Live Mail, Microsoft Outlook, Microsoft Word, and so on. You can install a certificate into the system store or into the ViPNet Client store (the D_STATION subfolder of the transport folder). You can install certificates automatically or manually.
Warning: If a certificate is installed in the Windows Vista or Windows Server 2008 OS store, you should start ViPNet Client as a system administrator. To do that, on the context menu, choose Run as Administrator.
Installing Certificates in a Store Automatically
The installation of certificates starts automatically if two conditions are met:
certificates (the current certificate of the user, a root certificate and certificate revocation lists) are absent from the store;
in the Security Service Settings dialog box, on the Cryptoprovider tab, in the Automatically install into the system store section, all the check boxes are selected.
Note: In the automatic mode, the certificates are installed into the store of the current user.
Keep in mind that automatic installation of the root certificate may take considerable time, depending on the ViPNet program that you use:
ViPNet Monitor polls for parameters five minutes after it starts and, after that, every two hours. While the Security Service Settings dialog box is open, the polling interval is 10 to 15 minutes.
ViPNet Business Mail and ViPNet CryptoService poll for parameters every 30 to 60 minutes.
You do not need to do anything when the current certificate and a CRL are installed automatically (if the above conditions are met). When a root certificate is installed automatically:
1. In the Installing Root Certificate window:
o to install the certificate automatically, click OK;
o to cancel the automatic installation of the root certificate and other certificates, select the Disable automatic installation of certificates check box, and then click OK.
Note: The Installing Root Certificate window is displayed only when no root certificate is found in the Windows certificate store. This happens in the following cases:
When the ViPNet software starts for the first time after the ViPNet host configuration setup.
When you receive a renewed current certificate containing a new root certificate.
Note: If you cancel automatic installation, the check boxes in the Security Service Settings dialog box, on the Cryptoprovider tab, in the Automatically install into system store section, will be cleared as well.
Figure 104. Installing a root certificate
2. If automatic installation of certificates has not been canceled, in the window allowing you to add a certificate to a store, validate the certificate and click Yes.
Figure 105. Validating a root certificate
As a result, the root certificate will be installed in the certificate store of the current user.
Installing Certificates in a Store Manually
To work with protected documents, you need a private key and a corresponding certificate. You can install the key and certificate as a single container, or as a certificate and a key container separately. If you have a private key and you need to generate a certificate based on this key (or renew an existing certificate), make a certificate request to the Certification Authority.
Warning: To work with protected documents, in addition to the user certificate, you need to install the root certificate and the CRL into the system certificate store.
You can install a certificate separately and associate it with a private key. To install a certificate into a user's store:
1. Open the Certificate dialog box for the certificate you are going to install into the store (see Viewing Certificates in the Certificate Manager Window on page 219).
2. Click Install Certificate.
3. In the certificate installation wizard, on the start page, click Next.
4. On the Choose the certificate store page, specify the store to install your certificate in and click Next.
Figure 106. Choosing a certificate store
Note: We recommend installing a certificate into the store of the current user in order to encrypt, decrypt, and sign files, as well as to access protected resources using a web browser. Into the computer's store, install the certificates that will be used by services on this computer. If you use ViPNet CSP on a web server to access protected resources, you need to install a certificate into the store. If you cannot install a certificate into the store, log on to the system as an administrator.
5. On the Ready to install this certificate page:
o Check whether the parameters have been configured correctly. If necessary, click Back to return to the previous page of the wizard and change the parameters.
Figure 107. The certificate is ready for installation
o If the certificate is stored in a file separately from the private key, select the Choose container with your private key check box.
Note: The Choose container with your private key check box is optional. If you do not select the check box, you will need to specify the private key container location after the wizard completes the operation.
o Click Next.
6. If the Choose container with your private key check box is selected and the container is not found or is unavailable, then, in the ViPNet CSP — Key Container Initialization window, specify the key container location:
o a folder on a disk;
o a device (you will need to specify its parameters and a PIN).
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 298).
Then click OK.
7. In the “Do you want to store both the certificate and the private key in the same container?” message window, click Yes to store the certificate in the key container, or No to keep the certificate as a separate file.
Tip: It is convenient to store a certificate in a key container if you are going to export and install the container on another computer.
8. If the Choose container with your private key check box is selected and the container is available, in the ViPNet CSP — Key Container Password window, in the Password box, type the password to access the container and click OK.
Note: The ViPNet CSP — Key Container Password window is not displayed if you have previously saved the password and selected the Do not show this window again check box.
9. On the Completing the Certificates Installation Wizard page, click Finish.
As a result, the certificate is installed into the selected certificate store. If no private key was found when installing the certificate, you should install the key container corresponding to this certificate (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249).
Installing RSA Certificates
In ViPNet networks, RSA certificates are distributed in PFX containers and are installed in a special way. If you want to use an RSA certificate in ViPNet Client, your ViPNet network administrator should send you a *.pfx file with the RSA certificate. The administrator can either send this file to your host with key set updates or provide you with a key set that includes a *.pfx file.
Warning: You will not be able to create certificate renewal requests for RSA certificates in ViPNet Client.
Within several minutes after your ViPNet host receives the key set updates, or after you manually install the new key set (*.dst file), a window prompting you to install the new certificate will be displayed.
Figure 108. Installing an RSA public key certificate
To install the certificate, do the following:
1. In the displayed Security Service Alert window, select Install certificate, and click OK.
2. In the displayed window, enter the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority, and click OK.
Figure 109. Entering a password to install an RSA public key certificate
If the entered password is correct, your certificate will be installed in ViPNet Client. The issuer certificate and the CRL will also be installed from the PFX container. If the password you entered is not the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority, the certificate will not be installed, and the *.pfx file will be automatically copied to the ViPNet Client installation folder, to the user keys subfolder \user_AAAA\key_disk\dom (where AAAA is the hexadecimal identifier of the ViPNet user without the network number). In this case, you will be able to install the certificate manually from the *.pfx file.
Note: For ViPNet Client to be able to import an RSA certificate from the operating system certificate store, in the Security Service Settings window, on the Administrator tab, the Enable certificates from the storage of your operating system check box should be selected.
To manually import the certificate to ViPNet Client from the *.pfx file, do the following:
1. In Windows Explorer, open the folder containing the *.pfx file.
2. Start the Certificate Import Wizard by double-clicking the *.pfx file and follow the instructions in the wizard.
Figure 110. Starting the certificate import wizard
3. When the wizard prompts you to enter the password for the private key, enter the password that was set for your ViPNet host in ViPNet Administrator Key and Certification Authority.
4. On the last page of the wizard, click Finish to import the certificate to your operating system certificate store.
5. In ViPNet Client, select Service > Security Service Settings.
Figure 111. Installing a certificate
6. In the opened window, on the Signature tab, click Change and select the certificate that you want to use. If you want to view information about the certificate before installation, click Properties.
Figure 112. Selecting a certificate
7. Click OK to install the certificate in ViPNet Client.
Choosing Certificates for Current Usage If you have one or more valid personal certificates, you can use one of them as the current one.
ViPNet Client Monitor 4.3. User's Guide | 231
Warning: You need to choose a certificate as a current one when you receive a new certificate together with user keys. If you received a renewed certificate issued by a user request as part of user keys, to start using the certificate, you should select it as the current one.
To choose a valid personal certificate as the current one: 1
In the Security Service Settings dialog box, on the Signature tab, click Change. If you have at least one valid certificate, the Select Certificate window will be displayed, so that you can view information about all your personal certificates and the certificates installed in the system certificates store.
Note: The certificates installed in the operating system certificates store are displayed only if in the Security Service Settings dialog box, on the Administrator tab, you select the Enable external certificates (see Advanced Security Settings on page 200) check box.
If you have no valid personal certificate, the “You have no valid certificates with the valid private key” message box is displayed. 2
In the Select Certificate window, select the required certificate and click Properties if you need to view information about this certificate. Then click OK.
Note: Only a valid personal certificate that has been installed successfully can be used as a current certificate. If a personal certificate has been published, but has not been installed, then install it (see Installing Certificates in Containers on page 239) and, after that, set it as the current certificate.
If all the described operations are completed successfully, the certificate is set as the current one. On the Keys tab (see figure 122 on page 245), in the Signature group box, the data of the key container holding the selected certificate is updated.
Renewing a Private Key and a Certificate
The validity periods of a public key certificate and its private key are limited, so you should renew them regularly. When you renew a certificate, the corresponding private key is renewed as well. You should renew a certificate and the corresponding private key in the following cases:
- The public key certificate has expired. The certificate validity period may be up to 5 years.
- The private key has expired. The private key validity period is 1 year (if the corresponding certificate validity period is more than 1 year) or equal to the certificate validity period (if the certificate validity period is less than 1 year).
- You need a certificate with modified subject data (title, department, and so on) or with additional attributes or extensions. For example, to use a certificate for digital document workflow, you may need to add specific usage policies to it.
Thereby, you should renew your public key certificate and private key at least yearly. You can renew a certificate and a private key not only from ViPNet Client (the Security Service Settings dialog box), but also from its component, the ViPNet CSP program (see the document “ViPNet CSP. User's Guide”).
Note: If a private key expires, but the corresponding public key certificate is still valid, you can create a certificate renewal request. The request will be signed using the private key, but the signature will be invalid. It will not be used for authentication purposes, but only for the request integrity verification. In this case, you will need to validate the request integrity according to the regulations set in your Certification Authority. If both a private key and a certificate expire, you will not be able to create a renewal request. In this case, a new certificate may be issued only on the ViPNet Key and Certification Authority administrator's initiative. If you do not have a private key, you cannot create a certificate request.
Configuring Notification That a Private Key and a Certificate Have Expired
By default, ViPNet Client starts notifying you 15 days before a certificate or a private key expires. To change notification settings:
1. In the Security Service Settings dialog box, click the Signature tab. In the Current certificate box, you can see the certificate validity period.
Figure 113. Viewing information about the current certificate and configuring notification about private key and certificate expiration
2. Select or clear the Notify the user when the certificate is going to expire (1-30 days) check box. If you select the check box, in the box on the right, type or select the number of days (from 1 to 30).
Procedure of Renewing a Private Key and a Certificate
Several days before a certificate or a private key expires, do the following:
- If notification about the certificate and private key expiration is enabled:
  o When the specified number of days is left before the expiration, the corresponding message is displayed.
Figure 114. A certificate and private key expiration message
  o In the window informing you about the certificate expiration, choose Send certificate renewal request and click OK. The Certificate Renewal Wizard window will be displayed.
Note: You can also open the signature parameters tab or send a certificate renewal request later.
  o If the private key expires, in the message window, select Open signature settings, then click OK. In the Security Service Settings dialog box, on the Signature tab, click Renew Certificate.
- If notification about the certificate and private key expiration is disabled:
  o In the Security Service Settings dialog box, go to the Signature tab.
  o On the Signature tab (see figure 113 on page 234), click Renew Certificate. The Certificate Renewal Wizard window will be displayed.
To generate and send a renewal request:
1. On the start page of the Certificate Renewal Wizard, click Next.
Figure 115. The start page of the certificate renewal wizard
2. On the Public key page:
  2.1 Specify the key and certificate purpose:
    - if you are going to use the certificate only for signing, select Signature;
    - if you are going to use them both for signing and encryption, select Signature and encryption.
  2.2 Specify public key parameters according to the table below:
Figure 116. Selecting public key parameters
  2.3 Click Next.
3. On the Private Key Container page, specify the location where the private key container will be stored:
  o a folder on a disk;
  o a device (you will need to specify its parameters and a PIN).
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 298).
Then click Next.
Figure 117. Specifying the key container location
4. On the Certificate Validity Period page, specify the required certificate validity period in any of the ways suggested and click Next.
Figure 118. Specifying the certificate validity period
5. On the Ready to Create Certificate Request page:
  o Make sure that the parameters you have configured on the previous pages are correct. If you need to change any parameters, click Back to return to the required page.
  o If you need a printed version of the request, make sure that the Print request information check box is selected. The request will be printed on the default printer. Otherwise, clear the check box.
Then click Next.
6. If the digital roulette window is displayed, follow the instructions.
Note: If the digital roulette has already been launched once within the current session, the window will not be displayed.
7. On the Completing the Certificate Renew Wizard page, click Finish. As a result, the certificate renewal request will be sent to ViPNet Key and Certification Authority.
Note: The time ViPNet Key and Certification Authority takes to process a request varies significantly depending on its settings. If Key and Certification Authority is configured to process certificate requests automatically, processing takes no more than 5 minutes. If the administrator processes requests manually, there is no specific time limit. For more information, see “ViPNet Key and Certification Authority. Administrator's Guide.”
If the certificate renewal request is satisfied in ViPNet Key and Certification Authority, a new certificate will arrive on the host. The issued certificate will be automatically installed and set as the currently used certificate immediately after it is received in the following cases:
- In the Security Service Settings dialog box, on the Signature tab, the Automatically install certificates issued on the initiative of Key and Certification Authority administrator check box is selected.
- The key container with the private key corresponding to the certificate is available.
Warning: If the private key container is stored in a folder on the hard drive, it is always available. If the container is stored on a removable drive, it is available provided that the drive is connected and its PIN is saved.
In the Certificate Manager dialog box, the status of your request will change to certificate installed (see Viewing a Certificate Request on page 240).
Figure 119. The request status in case the certificate has been installed
If the certificate has arrived but has not been installed automatically, your request's status will be approved. In this case, install the certificate manually (see Installing a Certificate Manually on page 239). If the certificate renewal request is declined in ViPNet Key and Certification Authority, a new certificate will not be issued and your request's status will change to rejected. In case of rejection, contact your ViPNet Key and Certification Authority administrator for details.
Installing Certificates in Containers
To start using a certificate you received together with updates from ViPNet Key and Certification Authority, you should install the certificate into the container where the corresponding private key is stored.
Installing a Certificate Automatically
To install certificates received from ViPNet Key and Certification Authority automatically, make sure that in the Security Service Settings dialog box, on the Signature tab, the Automatically install certificates, issued by user's request and Automatically install certificates issued on the initiative of Key and Certification Authority administrator check boxes are selected. If these check boxes are selected, the certificates will be installed automatically within an hour of the moment you receive them. A certificate issued on your request can be installed automatically only if the corresponding key container is available. Otherwise, it can be installed only manually (see Installing a Certificate Manually on page 239).
Warning: If a key container is stored in a folder on your hard drive, it is always available. If the container is stored on a removable drive, it is available provided that the drive is connected and its PIN is saved.
When a certificate issued on the initiative of the ViPNet Key and Certification Authority administrator is being installed, the Security Service Alert window with the corresponding notification is displayed (see Certificate Issued on the Administrator's Initiative Has Been Installed on page 267).
Installing a Certificate Manually
You should install the certificates you receive from ViPNet Key and Certification Authority manually in the following cases:
- If the check boxes allowing automatic certificate installation are cleared.
- If the corresponding key container was unavailable during an attempt to install the certificate automatically.
To install a received certificate manually:
1. In the Security Service Settings dialog box, click the Signature tab and click Issued Certificates.
2. In the Certificate Manager dialog box, on the Issued Certificates tab, select the received certificate you need to install and click Install. As a result, the installed certificate will be displayed in the Certificate Manager dialog box, on the Personal Certificates tab. If you are going to use the certificate for digital signing, set it as the current one (see Choosing Certificates for Current Usage on page 231).
Working with Certificate Requests
You can work with certificate requests (see Certificate request on page 332) in the Certificate Manager, on the Certificate Requests tab. To open the Certificate Manager window:
1. In the Security Service Settings dialog box, click the Signature tab.
2. Click Certificate Requests.
Viewing a Certificate Request
To view detailed information about a certificate request:
1. In the Certificate Manager dialog box, on the Certificate Requests tab, select the required request and click Properties, or double-click the request.
2. In the Certificate Request window, look through the detailed information on the tabs with the corresponding names. If necessary, click Print to print the request (on the host's default printer). To save the request as a file with the *.txt extension, click Copy to file.
Figure 120. Viewing detailed information about a certificate request
Deleting a Certificate Request
To delete a certificate request:
1. In the Certificate Manager dialog box, on the Certificate Requests tab, select the required request (or several requests, holding the Ctrl key) and click Delete.
2. Confirm the operation by clicking Yes.
Information about the request will be deleted. The deleted request will no longer be displayed on the Certificate Requests tab.
Exporting a Certificate
In the ViPNet software, you can export a user certificate into various formats. Which export format you should choose depends on the purpose of the export. You may need to export a certificate for the following purposes:
- creating a backup copy of the certificate;
- copying the certificate to use it on another computer;
- sending the certificate to another user to establish encrypted messaging;
- printing the certificate.
To export a certificate into a file of a certain format:
1. Open the Certificates dialog box for the certificate you are going to export (see Viewing Certificates in the Certificate Manager Window on page 219).
2. Go to the Details tab and click Copy to File.
3. On the start page of the Certificate Export Wizard, click Next.
Tip: If you want the wizard to skip the first page next time, select the Do not show this page again check box on this page.
4. On the Export file format page, choose one of the formats suggested (see Certificate Export Formats on page 242), and then click Next.
Figure 121. Choosing the file format
5. On the Export file name page, specify the full path to the file you are creating, and then click Next.
6. On the Completing the Certificate Export Wizard page, make sure that you have configured the export parameters correctly, and then click Finish.
7. In the “The export has been completed successfully” message, click OK.
Certificate Export Formats
When you choose the file format you want to use to store the exported certificate, keep in mind the following:
- When you export certificates on a Windows OS computer, PKCS #7 is preferable, primarily because this format preserves the chain of certification authorities (certification path). Some applications require the DER Encoded Binary format or the Base64 Encoded format. Therefore, take into account the requirements of the environment (application or operating system) into which you are importing the certificate.
- A certificate can be viewed and printed in the text and HTML formats.
Below you can find details on each of the certificate export formats supported by the ViPNet software:
The Cryptographic Message Syntax Standard (PKCS #7)
The PKCS #7 format allows you to move a certificate or the whole certification chain from one computer to another or from a computer to an external device. PKCS #7 files usually have the .p7b extension, and they are compatible with the ITU-T X.509 standard. The attributes allowed in the PKCS #7 format include countersignatures to be associated with a signature. PKCS #7 also allows arbitrary attributes, such as signing time, to be authenticated along with the content of a message. For details on PKCS #7, see the RSA Labs web page http://www.rsa.com/rsalabs/node.asp?id=2129.
DER Encoded Binary X.509
DER (Distinguished Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.509, is a subset of the Basic Encoding Rules (BER) for ASN.1. Both BER and DER provide a platform-independent method for encoding objects such as certificates and messages for transfer between devices and applications. Most applications use DER to encode a certificate, because the certificate (certificate request information) must be encoded using DER and digitally signed. DER certificate files have the .cer extension. For more information, see the “ITU-T Recommendation X.509, Information Technology — Open Systems Interconnection — The Directory: Authentication Framework” document on the International Telecommunication Union (ITU) web site http://www.itu.int/ru/Pages/default.aspx.
Base64 Encoded X.509
This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet. Base64 encodes files into ASCII text format, making corruption less likely as the files pass through Internet gateways, while S/MIME provides cryptographic security services for electronic messaging applications, including non-repudiation of origin using digital signatures, privacy and data security using encryption, authentication, and message integrity. MIME (Multipurpose Internet Mail Extensions, specification RFC 1341 and successors) defines a mechanism for encoding arbitrary binary information for transmission by e-mail. For more information, see “RFC 2633 S/MIME Version 3 Message Specification, 1999” on the Internet Engineering Task Force (IETF) web site http://www.ietf.org/rfc/rfc2633.txt?number=2633.
HTML
You can view and print these files in any web browser, Microsoft Office applications, and other programs supporting HTML (hypertext markup language).
Text files
ANSI-encoded files that you can view and print in any text editor.
Working with a Key Container
A key container contains a private key and a certificate (see Public key certificate on page 336) corresponding to the private key. In the ViPNet Client software, you can perform the following operations on a key container:
- Installation (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249). You may need to install a new key container or change the key container which contains the current certificate in the following cases:
  o If the certificate does not correspond to the private key stored in the container (for instance, because the certificate is stored apart from the private key). A key container can be installed together with the certificate (see Installing Certificates in a Store on page 224) or separately (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249), for example, when the private key is stored in the container and the certificate has been created by ViPNet Administrator Key and Certification Authority based on the user request.
  o If a key container was created in a third-party application or moved from another computer.
- Changing and deleting the container password (see Changing the Container Password on page 246). We recommend that you use the same password for a key container for no longer than one year. When this period expires, you should set a new password for the container. You may need to delete the saved password to a key container if the password storage conditions and (or) your corporate security regulations have changed so that you may no longer store the password on your computer.
- Deleting the private key stored in the container. You may need to delete a private key from a key container in the following cases:
  o you do not need this private key anymore, for example, if its validity period has expired;
  o the certificate corresponding to this private key is compromised or revoked.
- Changing the location of the container (see Moving a Key Container on page 250). You may need to move the current key container to another location in the following cases:
  o The container location has changed, for example, because it is no longer safe to keep the key container in the former location.
  o When you change the logon mode to PIN and device, if you use third-party applications for digital signing and encryption and the key container is not stored on an external authentication device (see Setting the User Logon Mode on page 201) at the moment.
Warning: If you work in a ViPNet network managed with the ViPNet Administrator software, you can perform these operations only if you have permission to use a signature. Your ViPNet network administrator assigns this permission to your host in the ViPNet Administrator Network Control Center software.
To work with a key container (on page 334):
1. Go to the Keys tab.
Figure 122. Transferring the key container
2. Under Signature, click one of the following buttons:
  o View, to look through the detailed information about the container you use and to change the container properties:
    - changing a password (see Changing the Container Password on page 246);
    - deleting a password (see Deleting a Password to a Key Container, If the Password Is Stored on a Computer on page 248);
    - verifying that the private key corresponds to the certificate (see Verifying a Key Container on page 248);
    - deleting a private key.
  o Install container, to install a new container or change the currently used container (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249).
  o Transfer, to change the path to the container (see Moving a Key Container on page 250).
Note: The Signature group box displays information about the private key corresponding to the current certificate. When a new key container is installed (see Installing a New Key Container and Changing the Key Container with the Current Certificate on page 249), the information about the current certificate displayed on the Signature tab is updated automatically.
Changing the Container Password
We recommend that you use the same password for a key container for no longer than one year. When this period expires, you should set a new password. To change the key container password:
1. In the Security Service Settings dialog box, click the Keys tab (see figure 122 on page 245), and then click View.
2. In the Container Properties window, click Change Password.
Figure 123. Container properties window
3. If the message “Password for this container can only be changed on the Password tab in the Security Service Settings” is displayed, click OK, close the Container Properties window, and change the user password (see Changing a User Password on page 207).
Figure 124. A message informing that you cannot change the password to the container
Note: This message is displayed when the keys container is protected with a personal user key (not a password). Thus, you can change the container password only by changing the user password as well.
4. If the user keys container has been created in the ViPNet Registration Point program or transferred (see Moving a Key Container on page 250) from the user keys folder (by default, C:\Program Files (x86)\infotecs\\user_\key_disk\dom) to a different folder, then, after you click Change password, the Change password dialog box will appear. In the Change password dialog box, type the current container password, then click OK.
Note: If you have previously selected the Save password check box, the Change Password window will not be displayed.
5. In the ViPNet CSP — Key Container Password window, type the new password and confirm it. Click OK.
Figure 125. Changing the container password
Warning: Your password should not contain more than 31 symbols. Passwords longer than 31 symbols cannot be used in current versions of the ViPNet applications. This limitation is due to the existing algorithm for transferring the password to the cryptographic provider.
The container password is changed.
Deleting a Password to a Key Container, If the Password Is Stored on a Computer
You may need to delete the saved password to a key container if the password storage conditions and (or) your corporate security regulations have changed so that you may no longer store the password on your computer. To remove the previously saved password:
1. In the Security Service Settings dialog box, click the Keys tab (see figure 122 on page 245), and click View.
2. In the Container properties window (see figure 123 on page 246), click Delete Saved Password.
The previously saved password will be removed. From then on, you must enter the password every time you access the key container.
Verifying a Key Container
You can verify a key container to make sure that the container file has not been modified, that the certificate and private key in the container correspond to each other, and that you can use them to work with protected documents. To verify a container:
1. In the Container Properties window, on the Keys tab (see figure 122 on page 245), click View.
2. In the Container Properties window, click Check.
3. In the ViPNet CSP — Key Container Password window, type the password to access the container and click OK. If you want to save the password in order to access the container without typing it every time, select the Save password check box.
Figure 126. Typing the container password
4. A data fragment is then signed with the private key, and the digital signature is verified using the public key certificate. This confirms that the private key is valid and corresponds to the certificate stored in the container.
Note: You can verify a key container only if it contains a certificate corresponding to the private key. A certificate may be missing from a key container when it is stored separately. A certificate is stored separately from a key container if the certificate renewal request was generated in the ViPNet CSP software. If the renewal request was generated in another program, the certificate is automatically saved to the corresponding key container. When the private key is verified, the certificate validity (its validity period, presence in a CRL, and so on) is not checked.
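The following Go program is an added illustration, not part of this guide or of the ViPNet software, of three rules described above: the private key validity rule from Renewing a Private Key and a Certificate, the 1-30 day expiration notification window, and the container check (sign a fragment with the private key, verify with the certificate). It uses a constructed self-signed ECDSA certificate as a stand-in for a key container (the real container format and the product's algorithms are not modelled); the DER and Base64 (PEM) outputs match the single-certificate export formats listed under Certificate Export Formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newContainer builds a constructed self-signed certificate with the given
// validity period and returns it with its private key. This stands in for a
// key container; it is not the ViPNet CSP container format.
func newContainer(notBefore time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-user"}, // constructed subject
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// privateKeyExpiry applies the guide's rule: the private key is valid for one
// year if the certificate is valid for more than a year, otherwise for as long
// as the certificate itself.
func privateKeyExpiry(cert *x509.Certificate) time.Time {
	oneYear := cert.NotBefore.AddDate(1, 0, 0)
	if cert.NotAfter.After(oneYear) {
		return oneYear
	}
	return cert.NotAfter
}

// expiryNotice reports whether the certificate and/or the private key expire
// within the notification window of `days` days (1-30; the guide's default is 15).
func expiryNotice(cert *x509.Certificate, now time.Time, days int) (certSoon, keySoon bool, err error) {
	if days < 1 || days > 30 {
		return false, false, errors.New("notification window must be between 1 and 30 days")
	}
	window := now.AddDate(0, 0, days)
	certSoon = !cert.NotAfter.After(window)
	keySoon = !privateKeyExpiry(cert).After(window)
	return certSoon, keySoon, nil
}

// verifyContainer performs the check the guide describes: sign a data fragment
// with the private key and verify the signature with the certificate's public
// key. As in the product, certificate validity (expiry, CRL) is not checked here.
func verifyContainer(cert *x509.Certificate, key *ecdsa.PrivateKey) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256([]byte("constructed container check fragment"))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("private key does not correspond to the certificate")
	}
	return nil
}

// exportCertificate returns the certificate in one of the two single-certificate
// formats the guide lists: DER (binary, .cer) or Base64 Encoded X.509 (PEM).
func exportCertificate(cert *x509.Certificate, base64 bool) []byte {
	if base64 {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	}
	return cert.Raw
}
```

A container whose private key belongs to a different certificate fails verifyContainer, which is the mismatch the Check button in the Container Properties window is meant to surface.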
Installing a New Key Container and Changing the Key Container with the Current Certificate
You may need to install a new key container or change the key container which contains the current certificate in the following cases:
- if, while installing the certificate to the system store or to the ViPNet Client store (see Installing Certificates in a Store on page 224), no corresponding private key was found (for instance, because the certificate is stored as a file separate from the private key; that is, not in the key container);
- if the container was generated in another application or moved from another computer.
Note: You can install or change only a container with keys generated in ViPNet software of version 3.2.x or later.
To install a new key container or change the currently used container:
1. In the Security Service Settings dialog box, click the Keys tab (see figure 122 on page 245), and then click Install container.
2. In the ViPNet CSP — Key Container Initialization window, specify the key container location:
  o a folder on a disk;
  o a device (you will need to specify its parameters and a PIN).
Figure 127. The key container initialization from an external device
Click OK.
3. In the Select Certificate window, click OK.
As a result, the private key and the certificate stored in the selected container will be set as current. The information about the certificate stored in the installed container will be displayed on the Signature tab.
Moving a Key Container
You may need to move the current key container if you need to change the path to the container, for example, if it is considered insecure to continue storing the keys in the previous location.
Note: You can move only a container with keys generated in ViPNet software of version 3.2.x or later. You cannot move a key container to a device that performs hardware encryption.
To change your key container location:
1. In the Security Service Settings dialog box, click the Keys tab (see figure 122 on page 245), and click Transfer.
2. In the ViPNet CSP — Key Container Initialization window, specify the new key container location:
  o a folder on a disk;
  o a device (you will need to specify its parameters and a PIN).
Note: To use an external device, you need to connect it and install the required drivers. You can find the list of compatible storage devices and basic information on how to use them in Supported External Storage Devices (on page 298).
As a result, the key container will be moved to the specified location.
A Troubleshooting
Collecting Information for Troubleshooting
When you contact our technical support service for troubleshooting, you usually need to provide specific information about the computer where your ViPNet software is installed. Based on this information, technical support staff can find the source of your problem and how to solve it. You can gather the information about your computer with the lumpdiag utility, which is part of the ViPNet Client software. To work with the utility, you need OS administrator rights on your computer. The utility gathers information about your computer (for example, about the operating system, cryptographic environment, and so on) regardless of whether ViPNet Client is functional.
Note: No personal information is gathered by the utility. Infotecs protects your confidential information, takes all measures to prevent unauthorized access to it, and does not divulge your personal data.
With this utility, you can collect the required information in one archive or save it to the \SysEnv folder, which is automatically created in the ViPNet Client installation folder. To get help on using the utility, in the Windows command line, type lumpdiag -h, where -h is the help key. To collect information, in the command line, type lumpdiag -a [], where:
- -a launches the process of collecting information on your computer;
- the optional parameter is the path to a file where the information collected by the utility will be archived.
If you do not specify the parameter, the collected information will be stored in the \SysEnv subfolder of the ViPNet Client installation folder (by default, C:\Program Files (or Program Files (x86))\infotecs\ViPNet Client). If the \SysEnv folder already exists, you will be prompted to allow its contents to be overwritten.
Common Issues
Cannot Validate the Setup File's Signing Certificate
On a computer running Windows XP or Windows Vista, when you are installing ViPNet Client, a security service alarm may be displayed informing you that the certificate with which this setup file has been signed cannot be validated.
Figure 128. Cannot validate a certificate
This may happen if the root certificate or any certificate from the certificate path is absent or invalid. You may solve this problem in one of the following ways:
- Click Do not Install to cancel the setup, then install the operating system update KB931125 (or install all updates for the current version of your operating system). As a result, the certificate path will be updated and you will be able to verify the certificate with which the setup file has been signed. After you complete the update, start ViPNet Client setup anew.
- If necessary, you may install the program without updating your operating system. In this case, in the security service alarm window, click Install.
Unable to Install or Upgrade the Program If you have Kaspersky Anti-Virus installed, ViPNet Client installation and update may be blocked by the Self-Defense component of the antivirus. To solve the problem, do the following: 1
In Kaspersky Anti-Virus, at the bottom of the main application window, click Settings.
2
In the Settings window, go to the Additional section and select Self-Defense in the right frame.
3
In the Self-Defense settings window, clear the Enable Self-Defense check box.
4
In the Attention! window, click Continue.
ViPNet Client Monitor 4.3. User's Guide | 253
Figure 129. Disabling the Self-Defense component in Kaspersky Anti-Virus After you have disabled the Self-Defense component in Kaspersky Anti-Virus, restart the ViPNet Client installation. Disabling the Self-Defense component is only required during installation.
Cannot Install ViPNet Client in the Silent Mode
If you install the program in the silent mode on a computer running Windows XP or Windows Vista, you may notice that the installation does not complete: for example, no program shortcut appears on the desktop even several minutes after you start the installation. The reason may be that the setup file's signing certificate cannot be validated because the root certificate or another certificate in the certification path is absent or invalid. To solve the problem, install the operating system update KB931125 (or install all available updates for your version of the operating system). As a result, the certification path is updated and the signing certificate of the setup file can be validated. After the update, start the installation again.
Cannot Start the Program
The ViPNet Monitor program may have been uninstalled or removed from the computer manually. Make sure that ViPNet Monitor is installed. If necessary, reinstall the program or contact your ViPNet network administrator.
Incorrect Password or User Keys Not Found
In this case the following message is displayed:
Figure 130. Wrong password message
If you get this message:
Check that Caps Lock is not accidentally enabled.
Check that the input language is chosen correctly. The indicator in the logon window shows the currently selected language.
If you need to type a randomly generated password, select the English input language.
The user keys might be installed in a folder other than the default user keys folder. In this case, in the logon window, to the right of the Setup button, click Keys Folder, and then specify the path to your user keys folder.
If the operating system has not finished loading yet, in the logon window, click Cancel. After the operating system has loaded, start ViPNet Monitor and specify the path to the user keys folder.
Cannot Log On with a Certificate
If you cannot log on to ViPNet Client by using a certificate and its corresponding private key stored on an external device, the cause may be one of the following:
The certificate is not an RSA certificate (its key does not use the RSA algorithm).
The external device does not support the PKCS#11 standard. You can check whether your device supports this standard in External Storage Devices (on page 297).
The selected certificate has expired. If you select an expired certificate, a corresponding message is displayed. In this case, ask the administrator of your certification authority to renew your certificate.
The selected certificate is listed in the certificate revocation list installed in the host's storage. If you select a revoked certificate, a corresponding message is displayed. In this case, contact your certification authority administrator.
The certificate does not have the client authentication purpose. The certificate's purposes are shown in the Certificate dialog box, on the Details tab, in the Enhanced Key Usage field. In this case, ask your certification authority administrator to issue a new certificate for you.
The issuer's certificate is not installed in the Trusted Root Certification Authorities system store. In this case, get the issuer's certificate from your certification authority administrator and install it into that store: double-click the certificate and follow the instructions of the certificate installation wizard. Before installing it, confirm the certificate's thumbprint with the administrator, because anything placed in the trusted root store is trusted unconditionally.
Cannot Save the Password
If you want to allow the password to be saved, log on to ViPNet Monitor in the ViPNet host administrator mode (see Working in the ViPNet Host Administrator Mode on page 196).
Cannot Connect to the Internet
Your connection to the Internet may be blocked by the public network filters, or all of the host's IP traffic may be blocked. Make sure that network filters allowing connections with the required addresses are configured properly and that the host's IP traffic is not blocked: the File > Configurations menu should show the Block IP Traffic command, which means that traffic is currently not blocked.
Cannot Connect to a ViPNet Host
Possible reasons are:
The remote computer is switched off, or ViPNet Monitor is not running on the host.
The keys required to establish a connection to the host are missing. Contact your ViPNet network administrator.
Your computer is not physically connected to the network or has no access to the Internet.
Cannot Address a Domain Host by Its DNS Name
If your organization uses the Active Directory service in its ViPNet network, and protected domain controllers with synchronized DNS servers are deployed on different ViPNet hosts or tunneled by different coordinators, other ViPNet hosts that address these domain controllers may have problems resolving IP addresses. In this case, follow the instructions in Using DNS Servers on Domain Controllers (on page 108).
Cannot Connect to an Unprotected Host on a Local Network
Possible reasons are:
The IP address of the unprotected host is included in the protected hosts' address list. In that case, the ViPNet driver tries to send an encrypted IP packet to an unprotected host, and the connection fails. To eliminate the problem, delete the IP address of the unprotected host from the protected hosts' address list.
The filters for working in the public network are configured incorrectly. To work in Microsoft networks correctly, make sure that the required public network filters are enabled and properly configured.
Cannot Establish Connection over the SSL Protocol
The connection problem is probably caused by a failure of one of the ViPNet Client components (the ViPNet CSP library itcssp.dll). To solve the problem, follow the instructions in Cannot Start the MSSQLSERVER Service (on page 259).
Cannot Establish Connection over the PPPoE Protocol
A PPPoE connection may be blocked by the ViPNet Monitor program, because PPPoE frames are neither IP nor ARP. To solve the problem:
1. In the ViPNet Monitor main window, on the Service menu, click Options.
2. In the Options dialog box, in the navigation pane, click Manage IP Traffic.
3. Clear the Block all protocols except IP, ARP check box.
4. Click OK.
Keep in mind that clearing this check box lets every non-IP protocol through the driver, not only PPPoE, so do it only on hosts that actually need PPPoE.
There is a Host Registered on the Network with the Identifier that Coincides with Your Host's Identifier
In this case:
Event 95 is registered in the events log (see Blocked IP Packets on page 291).
All IP traffic is blocked.
In ViPNet Monitor, the following notification is displayed:
Figure 131. Notifying that there is a host on the network with the identifier that coincides with the one of your host
To solve the problem, the duplicate of your host must be removed from the ViPNet network: either delete its current keys or install new keys on it. Then restart your computer. A duplicate identifier may also mean that your key set has been copied to another computer, so report the incident to your ViPNet network administrator rather than resolving it only locally.
Conflicting IP Addresses or DNS Names
When you add an IP address or a DNS name in order to configure access to a ViPNet host or a tunneled host, the new address may coincide with an IP address or a DNS name previously specified for another host. In that case, the following message is displayed:
Figure 132. A conflict of IP addresses or DNS names has been detected
A conflict of IP addresses or DNS names may also be detected during the check that you start by clicking Check conflicts. In this case, the following message is displayed:
Figure 133. A conflict of IP addresses or DNS names has been detected after a check
You can resolve a conflict in one of the following ways:
remove the duplicate IP address or DNS name from the other host's parameters;
cancel adding the IP address or DNS name (in the first case) or remove it from the current host's list (in the second case).
You can also ignore the conflict: in the first case, the specified IP address or DNS name is added anyway; in the second case, you can stop checking for conflicts.
Cannot Start the MSSQLSERVER Service
The service probably fails to start because of a failure of one of the ViPNet Client components (the ViPNet CSP library itcssp.dll). To solve the problem:
1. Open a command prompt with administrator rights and run the following command: regsvr32 /u C:\Windows\System32\itcssp.dll
2. Rename the itcssp.dll file located in the C:\Windows\System32 folder as you like. If the ViPNet CSP program compatible with 64-bit operating systems is installed on your computer, the C:\Windows\SysWOW64 folder also contains an itcssp.dll file, and you should rename it, too.
3. Restart your computer.
Keep in mind that after these steps the ViPNet CSP is unavailable to all applications on the computer until the file is restored or the ViPNet CSP is reinstalled.
Cannot Change Settings of the ViPNet Monitor Program
You may be unable to change ViPNet Monitor settings for one of the following reasons:
The permissions level restricts your activity on the host. Only a user with the maximum permissions level may change ViPNet Monitor settings. Contact your ViPNet network administrator to raise your permissions level in the ViPNet Network Control Center program.
The user interface has been restricted (see Working in the ViPNet Host Administrator Mode on page 196) after logging on in the ViPNet host administrator mode. Ask the administrator to disable the user interface restriction.
Cannot Use a Hardware Random Numbers Generator
If you need to use a hardware random numbers generator in the ViPNet software:
1. On the computer where you will use the hardware random numbers generator, depending on its operating system, do one of the following:
o In Windows Vista and later versions of Windows, create the folder C:\ProgramData\infotecs\ViPNet CSP.
o In Windows XP or Windows Server 2003, create the folder C:\Documents and Settings\All Users\Application Data\infotecs\ViPNet CSP.
2. In this folder, create a text file containing the following lines:
[Common]
EnableCspSupport=Yes
[Devices]
RandomNumberGeneratorType=
3. Specify the random numbers generator type you are going to use as the value of the RandomNumberGeneratorType parameter. The possible values are:
o bio means the digital roulette (used in the ViPNet software by default).
o tokenJava means eToken PRO (Java).
4. Save the file and rename it to csp_config.ini. The next time the random numbers generator is started, the specified generator will be used.
Failures in the Work of Third-Party Programs
Peculiarities of the ViPNet software may affect the operation of some third-party programs. To eliminate a conflict between the ViPNet software and third-party programs, change the Windows system registry as follows:
1. Press the key combination Win+R.
2. In the Run window, type regedit and click OK.
Warning: Do not change any parameters in the system registry except for Flags. Any undesired change may lead to malfunction of your computer.
3. In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\infotecs\PatchEngine, set the Flags parameter value to 0. Export the PatchEngine key first so that the original value can be restored if needed.
4. Restart your computer. If the problem has not been solved, contact Infotecs technical support.
Unable to Apply the Software Update Received from the Network Control Center
One possible cause is that the installation program was unable to shut down some of the ViPNet components (for example, some of them are running in another user session). In this case, do the following:
1. Reboot the computer on which the upgrade failed.
2. Resend the update from ViPNet Network Control Center and accept it on the host (see Upgrading from ViPNet Network Control Center on page 33).
Security Service Alerts
Security service alerts inform you in good time about the validity periods of your password, your current certificate and the certificate revocation list, and about the installation of a certificate issued on the Certification Authority administrator's initiative. The password, current certificate and private key statuses are verified every 5 minutes.
Password Expired
A message informing you about user password expiration is displayed in the following cases:
If, in the Security Service Settings dialog box, on the Password tab (see figure 96 on page 207), the Enable password expiry check box is selected and a validity period is specified. In this case the message means that the specified validity period is over.
If new user keys with a new user password have been received from ViPNet Key and Certification Authority. In this case, the password is not changed automatically; you need to change it manually (see Changing a User Password on page 207).
Figure 134. The user password expiration message
If such a message is displayed:
1. Choose one of the suggested actions:
o Change password to specify a new password according to the settings on the Password tab (see figure 96 on page 207) of the Security Service Settings dialog box;
o Open password settings to open the Password tab (see figure 96 on page 207) of the Security Service Settings dialog box, where you can set password parameters and then change the password;
o Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, 1 week);
o Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Client startup.
2. Click OK.
Current Certificate is Invalid or Not Found
A message informing you that the current certificate is not found or is invalid is displayed in the following cases:
If the current certificate is not found or is invalid, but other valid personal certificates have been found. In this case, you can set one of those certificates as the current one by selecting Choose another certificate as your current one.
If no valid personal certificate is found. In this case, contact your Certification Authority administrator to get a new certificate.
Warning: You cannot sign digital documents until the new certificate is received and installed.
Figure 135. A message informing you that the current certificate is invalid
If such a message is displayed:
1. Choose one of the following:
o Choose another certificate as your current one to set another valid personal certificate as the current one in the Select certificate window.
Note: This option is available only if other valid personal certificates are found in the user's certificate store.
o Change your options on the Signature tab to open the Signature tab of the Security Service Settings dialog box, where you can manage certificates.
o Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
o Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Client startup.
2. Click OK.
Current Private Key or the Corresponding Certificate Validity Period is Going to Expire
A message informing you that the validity period of the private key or of its corresponding certificate is about to expire is displayed in the following cases:
If the private key or its corresponding certificate is going to expire and no current certificate renewal request has been found (or the last renewal request has been approved, but the certificate cannot be set as the current one). In this case, you can create a certificate renewal request (see Procedure of Renewing a Private Key and a Certificate on page 234). To do this:
o if the certificate is expiring, select Send certificate renew request;
o if the private key is expiring, select Change your options on the Signature tab, and then, in the Security Service Settings dialog box, on the Signature tab, click Renew Certificate.
If the private key or its corresponding certificate is going to expire and the last certificate renewal request has been rejected or is still being processed by the ViPNet Key and Certification Authority. In this case, contact your ViPNet network administrator and, if necessary, create another renewal request for the current certificate.
Figure 136. A certificate and private key expiration message
If such a message is displayed:
1. Depending on the message type, choose one of the following:
o Choose another certificate as your current one to set another valid personal certificate as the current one in the Select certificate window.
o Send certificate renew request to create a request for renewing your certificate with the certificate renewal wizard (see Procedure of Renewing a Private Key and a Certificate on page 234).
o Change your options on the Signature tab to open the Signature tab of the Security Service Settings window, where you can manage certificates.
o Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
o Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Client startup.
2. Click OK.
Current Private Key Expired
A message informing you that the private key validity period has expired is displayed in the following cases:
If the private key has expired and no current certificate renewal request has been found (or the last renewal request has been approved, but the certificate cannot be set as the current one). In this case, you can select Open security settings to open the Signature tab of the Security Service Settings dialog box. On the Signature tab, click the corresponding button to renew the current certificate (see Procedure of Renewing a Private Key and a Certificate on page 234). Remember that in ViPNet Key and Certification Authority such a request is not processed automatically, but is kept until the administrator processes it.
Warning: The request created is signed with the private key corresponding to the current certificate. However, this signature is not used to prove the requester's authenticity, but only to verify the request's integrity. Such requests have the Not signed status (see Viewing a Certificate Request on page 240).
If the private key validity period has expired and the last certificate renewal request has been rejected or is still being processed by the ViPNet Key and Certification Authority. In this case, contact your ViPNet network administrator and, if necessary, create another renewal request for the current certificate.
Figure 137. The private key expiration message
If such a message is displayed:
1. Choose one of the following:
o Change your options on the Signature tab to open the Signature tab of the Security Service Settings dialog box, where you can manage certificates.
o Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, or 1 week).
o Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Client startup.
2. Click OK.
Valid Certificate Revocation List Not Found
A message informing you that no valid certificate revocation list is found is displayed when both of the following conditions are met:
no CRL is found in the user store, or the CRL has expired;
in the Security Service Settings dialog box, on the Administrator tab, the Ignore the absence of the Certificate Revocation Lists (CRLs) check box (see Advanced Security Settings on page 200) is cleared.
Keep in mind that selecting this check box suppresses the alert but also means that revoked certificates cannot be detected until a valid CRL is installed.
Figure 138. A valid certificate revocation list is not found
If such a message is displayed:
Contact your ViPNet network administrator to get a new certificate revocation list.
Select one of the options:
o Notify me again in for the message to be displayed again after a specified time period (10 minutes, 1 hour, 6 hours, 1 day, 1 week).
o Remind me at next ViPNet user logon for the message to be displayed again at the next ViPNet Client startup.
Then click OK.
Certificate Issued on the Administrator's Initiative Has Been Installed
A message notifying you that a certificate issued on the ViPNet Key and Certification Authority administrator's initiative has been installed is displayed under the following conditions:
In the Security Service Settings dialog box, on the Signature tab (see figure 113 on page 234), the Automatically install certificates issued on the initiative of Key and Certification Authority administrator check box is selected.
You have not requested a certificate renewal, but you have received an update generated by the ViPNet Key and Certification Authority administrator that contains a new user certificate and a private key.
When this message is displayed:
1. Select one of the options:
o Change your options on the Signature tab to open the Signature tab of the Security Service Settings dialog box (see figure 113 on page 234), where you can view the current certificate details or manage certificates.
o Send certificate renew request to enroll for renewal of the current certificate using the certificate renewal wizard (see Procedure of Renewing a Private Key and a Certificate on page 234). Request a renewal in this situation only if your corporate security policy prohibits using a private key that was generated on the administrator's workstation rather than by you personally. As a result, you receive a certificate corresponding to a private key generated on your own computer.
2. Click OK.

B Keys and Certificates
Cryptography Overview
Cryptography allows you to solve three main tasks:
ensuring data confidentiality;
data integrity control;
ensuring data authenticity and non-repudiation.
The first task is solved by means of symmetric encryption algorithms. In the approach described in this section, the second and third tasks are solved with asymmetric algorithms and digital signatures. Below you will find a brief description of encryption algorithms based on symmetric and asymmetric keys and of digital signatures, together with examples of how these algorithms are used in information systems (the examples are not based on the ViPNet technology).
Symmetric Encryption
Symmetric algorithms use the same cryptographic key for encryption and decryption. For both the sender and the recipient to be able to read the source data, both must know that key. The scheme below shows the process of symmetric encryption and decryption.
Figure 139. Encryption and decryption using a symmetric key
Because one key is used for both encryption and decryption, symmetric algorithms can process a large amount of data in a short time. Symmetric algorithms are also simpler than asymmetric ones. For these reasons, symmetric algorithms are used to encrypt large data arrays.
To encrypt data with a symmetric algorithm, a cryptographic system uses a symmetric key. The key length (usually given in bits) depends on the encryption algorithm and on the program that uses it. Using the symmetric key, the source (plain) text is transformed into encrypted (cipher) text, which is then transferred to the recipient. If the recipient knows the symmetric key used to encrypt the text, the recipient can transform the encrypted text back into the source text.
Note: In practice, a symmetric key must be delivered to the recipient in a secure way. Usually a long-term pair-wise key is created and delivered to the recipient in person (out of band). Random session keys are then used for encryption; each session key is encrypted under the pair-wise key and transferred together with the encrypted text, possibly over different communication channels. Security is compromised if the pair-wise key is intercepted: a malicious user who obtains it can decrypt every session key wrapped under it, and therefore all the information encrypted with those session keys.
Asymmetric Encryption
Asymmetric encryption algorithms use two mathematically related keys: a public key and a private key. The public key is used for encryption, the private key for decryption. The public key can be distributed freely. The private key is held only by the user who generated the key pair and must be kept secret so that it cannot be intercepted. Encryption with asymmetric keys is much slower than with symmetric keys, because the underlying mathematical operations on large numbers are far more expensive than the operations of a symmetric cipher. Any user can send information encrypted with the public key to the recipient who owns the private key. Only the recipient owns both keys, so only the recipient has access to the private key required to decrypt the information.
Figure 140. Encryption and decryption using an asymmetric key
Note: It is very rare that only an asymmetric encryption algorithm is used. Typically, the data is encrypted using a symmetric algorithm, and only the symmetric key is encrypted using the asymmetric algorithm. This combination is considered further in this chapter (see Combining Symmetric and Asymmetric Encryption on page 272).
Combining Symmetric and Asymmetric Encryption
In most programs, symmetric and asymmetric encryption algorithms are combined to take advantage of each method's strengths. When they are combined:
The source text is encrypted using a symmetric encryption algorithm. The advantage of a symmetric algorithm is its high encryption rate.
The symmetric key (used to encrypt the source text) is encrypted using an asymmetric encryption algorithm and then transferred to the recipient. The asymmetric algorithm ensures that only the intended recipient, who owns the private key, can decrypt the symmetric key.
The figure below shows the encryption process when symmetric and asymmetric encryption algorithms are combined.
Figure 141. Encryption using a combined algorithm
1. The sender retrieves the recipient's public key from a trusted repository.
2. The sender generates a symmetric key and uses this key to encrypt the source data.
3. The symmetric key is encrypted using the recipient's public key to prevent the symmetric key from being intercepted during transmission.
4. The encrypted symmetric key and the encrypted data are transferred to the intended recipient.
5. The recipient uses his or her private key to decrypt the encrypted symmetric key.
6. The recipient decrypts the encrypted data with the symmetric key and obtains the source data.
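The six steps above carried through in Go, as an added example for this guide (it is not code from the ViPNet product and does not describe the product's own algorithms). It assumes RSA-OAEP for wrapping the session key and AES-256-GCM as the symmetric cipher; the Envelope type, the function names and the sample message are this example's own. The same pattern also covers the note on session keys in the symmetric encryption section: a random per-message key is wrapped under a long-term key, and whoever holds the unwrapping key can recover every session key wrapped under it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the sender transmits (step 4): the session key wrapped with the
// recipient's public key, plus the nonce and ciphertext of the symmetric algorithm.
// The structure and field names are this example's own assumptions.
type Envelope struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP under the recipient's public key
	Nonce      []byte // AES-GCM nonce, must be unique per session key
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// Seal performs steps 2 and 3: generate a random session key, encrypt the data with it
// (AES-256-GCM), then wrap the session key with the recipient's RSA public key (OAEP).
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open performs steps 5 and 6: unwrap the session key with the recipient's private key,
// then decrypt and authenticate the data. Tampering with the ciphertext or nonce makes the
// GCM tag check fail; a wrong private key makes the OAEP unwrap fail.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong recipient or corrupted envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: data modified in transit")
	}
	return plaintext, nil
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair (step 1 would fetch its public half)
	env, _ := Seal(&recipient.PublicKey, []byte("constructed sample message"))
	pt, err := Open(recipient, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one ciphertext bit
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // somebody without the recipient's private key
	_, err = Open(other, env)
	fmt.Println("wrong recipient:", err)
}
```

GCM is used rather than a plain block-cipher mode so that the symmetric layer also detects modification of the data; without it, the combined scheme gives confidentiality only, and integrity would need the signature mechanism described in the next section.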
Combining a Hash Function and an Asymmetric Algorithm of a Digital Signature
A digital signature protects data in the following way:
A hash function is applied to the source data to compute its hash sum. The hash sum allows you to determine whether the source data have been modified in any way.
The hash sum is signed digitally, so that the user who signed it can be identified. The digital signature also ensures non-repudiation, because only one user owns the private key corresponding to the signature. Non-repudiation means that the author cannot deny having signed the document.
Most applications that support digital signing use a combination of an asymmetric signing algorithm and a hash function. The hash function provides a mechanism for determining whether the source data have been modified, whereas the digital signature ensures that the hash value itself has not been modified and allows you to identify the data sender. The scheme below illustrates the use of a hash function and an asymmetric algorithm for digital signing.
Figure 142. The usage of a hash function and an asymmetric algorithm for digital signing
1. The sender creates a file with a source message.
2. The sender's software calculates the hash sum of the source message.
3. The hash sum is signed (in the terminology of this scheme, encrypted) using the sender's private key.
4. The source message and the signed hash sum are transferred to the recipient.
Note: Signing a message digitally does not encrypt it. The message can still be modified in transit, but any change makes the hash sum transferred with it invalid.
5. The recipient recovers the hash sum from the signature using the sender's public key. The public key can be transferred with the message or retrieved from a secure repository; in either case it must itself be authenticated (for example, by a certificate, see the next section), otherwise an attacker could substitute both the key and the signature.
6. The recipient uses the same hash function as the sender to calculate the hash sum of the message.
7. The calculated hash sum is compared to the hash sum received from the sender. If the hash sums differ, the message or the hash sum has been modified during transmission.
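The signing and verification steps above in Go, as an added example for this guide (not code from the ViPNet product, whose signature algorithms are not described here). It assumes SHA-256 as the hash function and RSA-PSS as the asymmetric signing algorithm; modern signature schemes pad the hash before applying the private key rather than "encrypting" it raw, which is why the code calls a signing routine instead of an encryption routine. The function names and sample messages are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign performs steps 2 and 3 on the sender's side: hash the message with SHA-256 and sign
// the hash with the sender's private key (RSA-PSS). Only the hash is signed; the message
// itself travels in the clear, as the note above says.
func Sign(senderPriv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify performs steps 5 to 7 on the recipient's side: recompute the hash with the same
// function and check the signature against it under the sender's public key. Any change to
// the message, or to the signature, makes the check fail.
func Verify(senderPub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Transfer 100 to account A (constructed sample)")
	sig, _ := Sign(sender, msg)
	fmt.Println("genuine message verifies:     ", Verify(&sender.PublicKey, msg, sig))
	// Step 7 failure case: a message altered in transit no longer matches the signed hash.
	altered := []byte("Transfer 900 to account A (constructed sample)")
	fmt.Println("altered message verifies:     ", Verify(&sender.PublicKey, altered, sig))
	// A signature made with somebody else's private key does not verify under the sender's public key.
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	forgedSig, _ := Sign(impostor, msg)
	fmt.Println("impostor's signature verifies:", Verify(&sender.PublicKey, msg, forgedSig))
}
```

Note that Verify only tells the recipient that whoever holds the private key matching senderPub signed the message; binding that public key to a named person is the job of the certificate described in the next section.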
Public Key Certificates Overview Definition and Scope A public key certificate is used in public key cryptography where different keys are used for the direct and reverse conversion:
A private key is used to generate a digital signature (see Digital signature on page 333) and decrypt a message. A private key is kept in secret, it is not distributed.
A public key is used to verify a digital signature and to encrypt a message. A public key is known to all parties of the data exchange process and may be distributed via unprotected communication channels.
Thus, public key cryptography ensures the following operations:
Signing a message — generating a digital signature, attaching it to a message, and verifying of the digital signature by the message recipient;
Encryption — encrypting a document so that the recipient can decrypt it.
The public and private keys complement each other, as only the private key owner can sign the data, as well as decrypt the data encrypted with the public key corresponding to the owner's private key. This system works quite similarly to the mailbox on the corner of a street: everyone can put a letter in the box, in other words, encrypt, but only a person with a private key can retrieve letters, in other words, decrypt. As a public key is freely distributed, there is a risk that a malicious user substitutes the public key of one of the users and claims his or her identity. To ensure trust for public keys, special certification authorities are established. A certification authority functions as a third party trusted by both parties and verifies public keys of each user with its own digital signature. In other words, a certification authority certifies the public keys. A public key certificate (further — a certificate) is a digital document verified with the digital signature of a certification authority and used to confirm that a certain public key belongs to a certain user.
Note: In spite of the fact that messages are protected with a public key, specialists use such word expressions as “sign using a certificate,” “encrypt using a certificate.”
A certificate contains a public key and a list of optional fields of the user (the certificate owner). The optional fields include: certificate owner's and issuer's names, certificate number, certificate validity number, public key purpose (digital signature, encryption), and so on. Certificate structure and protocols of use are regulated by international standards (see Structure on page 277). There are the following types of certificates:
A user certificate. It is used for encryption of outgoing messages and verifying a digital signature by the recipient.
ViPNet Client Monitor 4.3. User's Guide | 275
An issuer's certificate. The current user certificate is issued based on the issuer's certificate. Besides common functions of a user certificate, an issuer's certificate allows you to verify all the certificates signed using the private key corresponding to this certificate.
A root certificate. It is a self-signed issuer's certificate, the top one in a certificate chain (see Certification path on page 333). There is no certificate you can verify a root certificate with, that is why you should absolutely trust the source of this certificate.
A cross certificate. It is a certificate of a certification authority administrator issued by another certification authority administrator. Thus, the “Issuer” and “Subject” values are different and are related to different certification authorities. Cross certificates are used to establish trust relationships of certification authorities with each other. Depending on a trust model established between the certification authorities (see PKI in Public Key Cryptography on page 279), a cross certificate can be used either as an issuer's certificate (in a hierarchical model), or to verify certificates of other network users (in a distributed model).
Figure 143. Types of certificates
Using the corresponding root certificate, each user can verify a certificate issued by a certification authority and rely on its contents. A certificate is considered valid if verification along the certificate trust chain, starting from the root certificate, confirms that it is well-formed, was issued by a trusted certification authority, is within its validity period and has not been revoked. Documents that are signed with a valid certificate and have not been changed since the moment of signing are considered valid as well. Thus, public key cryptography together with the public key infrastructure (see PKI in Public Key Cryptography on page 279) provides both encryption and digital signing of messages.
By means of encryption, confidential information can be transferred over unencrypted communication channels. A digital signature ensures:
Authenticity, meaning that the sender can be identified unambiguously. In paper workflow terms, a digital signature is analogous to the sender's handwritten signature.
Integrity, meaning that any unauthorized modification of the information, whether in storage or in transit, is detected: a changed document no longer matches its signature.
Non-repudiation, meaning that the sender cannot later deny an action he or she performed. In paper workflow terms, this is analogous to showing a passport before performing an action.
Structure
For a digital certificate to be useful, it has to be structured in an understandable and reliable way, so that the information within it can be easily retrieved and understood. For example, passports follow a common structure that allows people to understand the information in a type of passport they may never have seen before. In the same way, as long as digital certificates are standardized, they can be read and understood regardless of who issued them. The most widely used public key certificate format is defined by the International Telecommunication Union (ITU) recommendation X.509 | ISO/IEC 9594-8 and, for the Internet, by the IETF Certificate & CRL Profile, RFC 3280 (since superseded by RFC 5280). At present, version 3 of X.509 is the most used one; it allows certificate extensions, so that additional information (security policy, key usage, compatibility, and so on) can be added to the certificate. A certificate consists of data elements accompanied by the digital signature of the certificate issuer. Its fields are either mandatory or optional. Mandatory fields include:
version of the X.509 standard,
certificate serial number,
algorithm identifier of the issuer's signature,
issuer's name,
validity period,
certificate owner's name,
owner's public key, together with the algorithm identifier of that key.
Note: The owner of a certificate is an entity that controls a private key corresponding to a certain public key. An end user or a certification authority can be the owner of a certificate.
Optional fields include:
issuer's unique identifier,
owner’s unique identifier,
certificate extensions.
Figure 144. The structure of a certificate that meets the requirements of the X.509 standard, versions 1, 2, and 3
Figure 145. An example of a certificate that meets the requirements of the X.509 standard, version 3
PKI in Public Key Cryptography
Certificates require a functioning infrastructure that manages them in the environment where they are used; this infrastructure is what allows you to verify the authenticity of a document's digital signature. PKI manages the certificate lifecycle: it is responsible for issuing and storing certificates, creating their backup copies, printing certificates, cross certification, publishing certificate revocation lists (CRLs), and automatically renewing certificates when their validity period expires. The PKI technology is based on the concept of a trust relationship. The main PKI management component is a certification authority (CA). A certification authority registers users, issues certificates, stores them, and issues and maintains CRLs. In a ViPNet network, a certification authority issues certificates in response to requests generated by users in a special program (for example, ViPNet CSP or ViPNet Client) or automatically (when a ViPNet user is created). In a large network, several certification authorities may be created. The trust relationship between the certification authorities can be based on the distributed (cross-certified mesh) model or on the hierarchical model.
In the hierarchical model of trust relationship, certification authorities are organized in a tree-like structure with the root certification authority at its root. The root certification authority issues cross-certificates to its subordinate certification authorities, thereby establishing that the certificates issued by those subordinate certification authorities are trusted. Every superior certification authority delegates the right to issue certificates to its subordinate certification authorities in the same way. As a result, trust in the public key certificate of every certification authority rests on its verification with the key of the superior certification authority. The certificate of the root certification authority is self-signed. Administrators of the other certification authorities do not have root certificates of their own; to establish trust relationships, they create cross-certificate requests to their superior certification authorities.
Figure 146. The hierarchical model of trust relationship
In a cross-certified mesh, all certification authorities are equal: every certification authority administrator has his or her own root (self-signed) certificate. In this model, the trust relationship between certification authorities is established by mutual cross certification, which means that both certification authorities issue cross-certificates for each other. Mutual cross-certification is performed pairwise between all the certification authorities. As a result, each certification authority stores, alongside its root certificate, the cross-certificates issued for the administrators of the other certification authorities. To sign user certificates, each certification authority continues to use its own root certificate, while to verify the certificates of users of another network it uses the cross-certificate issued for that network's certification authority. This works because the cross-certificate for a trusted certification authority is issued on the basis of that authority's root certificate and carries its public key; there is therefore no need to re-issue the user certificates of the network from which the request was sent.
Figure 147. The cross-certified mesh
Knowing the structure and the type of trust relationship between the certification authorities, you can reliably determine whether a given user is the owner of a given public key.
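The two trust models described above, as an added example in Go that is not part of the guide or of the ViPNet software: it builds throwaway certification authorities with the standard crypto/x509 package, issues a subordinate CA certificate and a user certificate (hierarchical model) and a cross certificate between two independent roots (cross-certified mesh), then checks which user certificates a host that trusts a single root can verify. All names, serial numbers and validity periods are made up for the example; ECDSA on P-256 is its choice of algorithm, not a statement about ViPNet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template fills the fields the guide lists as mandatory (serial number, subject name, validity
// period; issuer name, algorithm identifiers and public key are filled in by CreateCertificate)
// plus the basic-constraints and key-usage extensions that make a certificate usable as an issuer.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	return t
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// issue signs tmpl, bound to the public key pub, with the signer's private key; parent is the
// issuer's certificate, or tmpl itself for a self-signed root certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// newRoot creates a self-signed root certificate: nothing above it can vouch for it.
func newRoot(cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, t := newKey(), template(cn, true, 1)
	cert, err := issue(t, &key.PublicKey, t, key)
	return key, cert, err
}

// verify walks the certification path from leaf up to one of the trusted roots; intermediates
// holds the issuer and cross certificates the verifying host has been given.
func verify(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range intermediates { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Hierarchical: the root issues a CA certificate to a subordinate CA, which issues the user's
// certificate. The user verifies only if the subordinate's (issuer's) certificate is available too.
func Hierarchical() (withIssuer, withoutIssuer bool, err error) {
	rootKey, rootCert, err := newRoot("Root CA")
	if err != nil { return }
	subKey := newKey()
	sub, err := issue(template("Subordinate CA", true, 2), &subKey.PublicKey, rootCert, rootKey)
	if err != nil { return }
	user, err := issue(template("user", false, 3), &newKey().PublicKey, sub, subKey)
	if err != nil { return }
	withIssuer = verify(user, []*x509.Certificate{rootCert}, []*x509.Certificate{sub}) == nil
	withoutIssuer = verify(user, []*x509.Certificate{rootCert}, nil) == nil
	return
}

// Mesh: two independent roots. Root A issues a cross certificate (Subject: Root B, Issuer: Root A)
// carrying Root B's public key, so a host trusting only Root A verifies Root B's users unchanged.
func Mesh() (withCross, withoutCross bool, err error) {
	keyA, certA, err := newRoot("Root A")
	if err != nil { return }
	keyB, certB, err := newRoot("Root B")
	if err != nil { return }
	userB, err := issue(template("user-b", false, 10), &newKey().PublicKey, certB, keyB)
	if err != nil { return }
	cross, err := issue(template("Root B", true, 11), &keyB.PublicKey, certA, keyA)
	if err != nil { return }
	withCross = verify(userB, []*x509.Certificate{certA}, []*x509.Certificate{cross}) == nil
	withoutCross = verify(userB, []*x509.Certificate{certA}, nil) == nil
	return
}

func main() {
	wi, wo, err := Hierarchical()
	fmt.Println("hierarchical model: with issuer certificate:", wi, "without:", wo, "error:", err)
	wc, nc, err := Mesh()
	fmt.Println("cross-certified mesh: with cross certificate:", wc, "without:", nc, "error:", err)
}
```

Both checks print true for the complete path and false when the issuer's certificate or the cross certificate is missing. In the mesh case the verifying host never installs Root B as a trust anchor: only Root A is trusted, and Root B's users are accepted solely through the cross certificate that Root A issued, which is why revoking that one cross certificate withdraws trust in the whole peer network at once.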
Encrypting Documents Using Certificates
The sender encrypts a document using the recipient's public key, so that only the recipient can decrypt it. In this case the recipient's certificate is the source of the key used to encrypt the document.
Encrypting
1. A document is created.
2. The recipient's public key is retrieved from the recipient's certificate.
3. A one-time symmetric session key is generated.
4. The document is encrypted using the session key.
5. The session key is encrypted using a key agreed over the Diffie–Hellman protocol from the recipient's public key (and a private key on the sender's side).
6. The encrypted session key is appended to the encrypted document.
7. The document is sent.
Figure 148. The process of encrypting a message
Decrypting
1. A document is received.
2. The encrypted contents and the encrypted session key are extracted from the document.
3. The recipient's private key is retrieved from the key container.
4. The Diffie–Hellman key is recomputed using the recipient's private key, and the session key is decrypted with it.
5. The document is decrypted with the decrypted session key.
6. The unencrypted document is available to the recipient.
Figure 149. The process of decrypting a message
Signing Digital Documents Using Certificates
The sender signs a document with a private key; this private key corresponds to the public key specified in the sender's certificate. The recipient retrieves the public key from the sender's certificate and uses it to verify the digital signature (on page 333) appended to the document.
Signing
1. A document is created.
2. The hash value of the document is calculated. The same hash function is used when the digital signature is generated on the sender's side and when it is verified on the recipient's side.
3. The sender's private key is retrieved from the sender's key container.
4. A digital signature is generated from the hash value using the sender's private key.
5. The digital signature is appended to the document.
6. The signed document is sent.
Figure 150. The process of signing a document
Verifying a Digital Signature
1. A document is received.
2. The digital signature (the hash value transformed with the sender's private key) is extracted from the document.
3. The hash value of the received document is calculated.
4. The sender's public key is retrieved from the sender's certificate.
5. The hash value that was signed is recovered from the digital signature using the sender's public key.
6. The hash value recovered from the digital signature is compared with the hash value calculated on receipt.
7. If the values match, the document's digital signature is valid. If they do not match (in other words, the received document has been changed since the moment of signing), the digital signature is invalid. A digital signature is also considered invalid when the sender's certificate has expired, has been revoked, is corrupted, or is signed by a certification authority you do not trust; the revocation check must be made against a current revocation list, not only against the certificate's own validity period.
Figure 151. The process of signature verification
Signing and Encrypting Digital Documents Using Certificates
Signing and Encrypting
1. A document is created.
2. The hash value of the document is calculated.
3. The sender's private key is retrieved from the sender's key container.
4. The recipient's public key is retrieved from the recipient's certificate.
5. A digital signature is generated from the hash value using the sender's private key.
6. The digital signature is appended to the document.
7. A one-time symmetric session key is generated.
8. The signed document is encrypted using the session key.
9. The session key is encrypted using a key agreed over the Diffie–Hellman protocol from the recipient's public key (and a private key on the sender's side).
10. The encrypted session key is appended to the encrypted message.
11. The document is sent.
Figure 152. The process of signing and encrypting a document
Decrypting and Verifying
1. A document is received.
2. The encrypted contents and the encrypted session key are extracted from the document.
3. The recipient's private key is retrieved from the key container.
4. The Diffie–Hellman key is recomputed using the recipient's private key, and the session key is decrypted with it.
5. The document is decrypted with the decrypted session key.
6. The digital signature (the hash value transformed with the sender's private key) is extracted from the decrypted document.
7. The hash value of the document is calculated.
8. The sender's public key is retrieved from the sender's certificate.
9. The hash value that was signed is recovered from the digital signature using the sender's public key.
10. The hash value recovered from the digital signature is compared with the hash value calculated on receipt.
11. If the values match, the document's digital signature is valid. If they do not match (in other words, the received document has been changed since the moment of signing), the digital signature is invalid. A digital signature is also considered invalid when the sender's certificate has expired, has been revoked, is corrupted, or is signed by a certification authority you do not trust.
12. The unencrypted document is available to the recipient.
Figure 153. The process of decrypting and validating a document
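The encrypting, signing, and sign-and-encrypt procedures above, as one added example in Go (not code from the guide or from ViPNet): the session key is wrapped under a key agreed over elliptic-curve Diffie–Hellman against the recipient's public key, the signed document is encrypted under the session key, and the recipient reverses the steps and rejects the document if the signature does not verify. ECDSA on P-256, AES-256-GCM and SHA-256 are choices of this example; the guide does not name ViPNet's algorithms. The sender's and recipient's public keys are passed in directly, standing in for keys taken from their certificates, and the sender uses a fresh DH key pair per message, so that key travels in the envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the channel: the encrypted signed document, the session key wrapped
// under a Diffie-Hellman-derived key, and the sender's one-time DH public key the recipient needs.
type Envelope struct {
	SenderDHPub []byte
	WrappedKey  []byte
	Ciphertext  []byte
}

// gcmSeal / gcmOpen stand in for the symmetric algorithm (AES-256-GCM); a random nonce is prepended.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(data) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, data[:n], data[n:], nil)
}

// kek turns the ECDH shared secret into the key that wraps the session key (SHA-256 as KDF: an assumption).
func kek(shared []byte) []byte { h := sha256.Sum256(shared); return h[:] }

// SignAndEncrypt follows the guide's steps: hash, sign with the sender's private key, append the
// signature, generate a one-time session key, encrypt, wrap the session key under the DH-agreed key.
func SignAndEncrypt(doc []byte, senderPriv *ecdsa.PrivateKey, recipientPub *ecdh.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, senderPriv, digest[:])
	if err != nil { return nil, err }
	// Signed document layout: doc || signature || 2-byte big-endian signature length.
	signed := append(append(append([]byte{}, doc...), sig...), byte(len(sig)>>8), byte(len(sig)))
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	ct, err := gcmSeal(sessionKey, signed)
	if err != nil { return nil, err }
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // the sender's one-time DH key pair
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipientPub)
	if err != nil { return nil, err }
	wrapped, err := gcmSeal(kek(shared), sessionKey)
	if err != nil { return nil, err }
	return &Envelope{eph.PublicKey().Bytes(), wrapped, ct}, nil
}

// DecryptAndVerify reverses the steps: recompute the DH key with the recipient's private key, unwrap
// the session key, decrypt, split off the signature, rehash and verify with the sender's public key.
func DecryptAndVerify(env *Envelope, recipientPriv *ecdh.PrivateKey, senderPub *ecdsa.PublicKey) ([]byte, error) {
	senderDH, err := ecdh.P256().NewPublicKey(env.SenderDHPub)
	if err != nil { return nil, err }
	shared, err := recipientPriv.ECDH(senderDH)
	if err != nil { return nil, err }
	sessionKey, err := gcmOpen(kek(shared), env.WrappedKey)
	if err != nil { return nil, fmt.Errorf("session key unwrap failed: %w", err) }
	signed, err := gcmOpen(sessionKey, env.Ciphertext)
	if err != nil { return nil, fmt.Errorf("document decryption failed: %w", err) }
	n := len(signed)
	if n < 2 { return nil, errors.New("malformed signed document") }
	sigLen := int(signed[n-2])<<8 | int(signed[n-1])
	if sigLen > n-2 { return nil, errors.New("malformed signed document") }
	doc, sig := signed[:n-2-sigLen], signed[n-2-sigLen:n-2]
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(senderPub, digest[:], sig) { return nil, errors.New("signature invalid: document changed after signing or wrong sender key") }
	return doc, nil
}

func main() {
	sender, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	recipient, _ := ecdh.P256().GenerateKey(rand.Reader)
	env, err := SignAndEncrypt([]byte("constructed sample document"), sender, recipient.PublicKey())
	if err != nil { panic(err) }
	doc, err := DecryptAndVerify(env, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, error: %v\n", doc, err)
	imposter, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, err = DecryptAndVerify(env, recipient, &imposter.PublicKey)
	fmt.Println("verified against the wrong sender key:", err)
}
```

Tampering with the ciphertext is already caught by the authenticated symmetric layer, whereas a document signed by someone else is caught only by the signature check against the expected sender's public key. That is why the certificate the public key came from must itself be verified (chain, validity period, revocation) as the previous sections describe: the check here is only as good as the key it is given.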
Keys in ViPNet Software
In the ViPNet technology, a combination of symmetric and asymmetric encryption algorithms is implemented.
Table 7. Cryptographic algorithms used by the ViPNet software
Using symmetric keys:
IP traffic encryption
Business Mail messages encryption
Application and service envelopes encryption
Using asymmetric keys:
Creation and verification of digital signatures
Encryption in third-party applications using the ViPNet cryptographic service provider
Symmetric Keys in ViPNet Software
Symmetric algorithms are used to encrypt information and to control its integrity. A symmetric key is created for each pair of ViPNet hosts in the ViPNet Key and Certification Authority or ViPNet Network Manager software; this key allows the two hosts to exchange encrypted data with each other. Together these keys form a matrix of symmetric keys that contains all the symmetric keys created for all ViPNet hosts. The matrix is encrypted, so that only the ViPNet Key and Certification Authority or ViPNet Network Manager software has access to it. Transfer symmetric keys only over secure channels (the key sets for host configuration must be delivered by hand). If malicious users obtain the symmetric keys, the security of the entire system is compromised: with the key for a host pair they can both decrypt and forge the traffic between those hosts. Symmetric exchange keys are used to encrypt IP traffic, Business Mail messages, and application and service envelopes.
Figure 154. Exchange keys usage
To provide higher security and protection for the exchange keys, the following mechanism is used:
exchange keys are encrypted using protection keys;
protection keys are encrypted using personal keys;
personal keys are encrypted using password keys.
Figure 155. Protection of exchange keys on a ViPNet host
When creating the ViPNet network structure in ViPNet Administrator or ViPNet Network Manager, the ViPNet network administrator creates a key set file (*.dst) for each ViPNet host user. A key set file is required to install keys and host links on a host. It contains the user's keys (a personal key and digital signature keys), the keys for exchanging information with other hosts (exchange keys), the host links required to establish connections to other hosts, and the infotecs.re registration file. ViPNet keys are updated by your ViPNet network administrator.
Note: You can send a request for renewing a digital signature certificate. To do that, in the Security Service Settings dialog box, go to the Signature tab and click Renew Certificate.
C Events Tracked by the ViPNet Software
All the events are divided into groups and subgroups. The hierarchy of the groups is shown in the following figure:
Figure 156. Events grouping in the IP packets registration log
Blocked IP Packets
Table 8. The events of the All IP packets/Blocked IP packets/IP packets blocked by Private Network filters group
Event number | Event name | Event description
1 | the key for the ViPNet host not found | There is no key to establish a connection with the user whose identifier is specified in the IP packet.
2 | message authentication code is incorrect | The protected data or the unencrypted service information of the cryptographic system has been modified.
3 | IP packet blocked by Private Network filter | According to the filtering settings, an incoming encrypted packet or an outgoing unencrypted packet intended for encryption is blocked.
4 | significant time difference | The time difference between the moment an IP packet was sent and the moment it was received is greater than the period specified in the settings.
7 | unknown encryption method | The encryption method whose code is specified in the incoming packet is not supported.
8 | corrupted IPLIR header | The attributes of an unencrypted packet are not valid.
9 | unknown ViPNet host identifier | The identifier of the packet source is unknown.
13 | IP packet TTL (time-to-live) expired | The packet is dropped because the limit on its lifetime in the network has been exceeded.
14 | received IP packet is intended for another ViPNet host | An IP packet addressed to another host has been received.
15 | too many IP packet fragments | More fragmented IP packets than allowed are being processed at the same time.
16 | your license for tunnel IPaddress has been exceeded | This event is logged only on a tunneling coordinator. The coordinator has received IP packets from more hosts than its license allows.
17 | invalid IP address | An IP packet with an incorrect or unknown IP address has been received. The most likely reason is that an encrypted IP packet intended for a tunneled host registered on this coordinator has arrived, but the recipient host's IP address is missing from the list of tunneled host addresses.
18 | unknown destination IP address | The packet's destination IP address is missing or unknown.
19 | ViPNet hosts addresses conflict detected | The host specified as the packet's source is not its real source.
70 | Forwarded IP packet blocked by protected network filter | This event can occur only on a coordinator running Linux. The IP packet is blocked by the filtering rule for forwarded unencrypted traffic.
Table 9. The events of the All IP packets/Blocked IP packets/IP packets blocked by public network filters group
Event number | Event name | Event description
22 | non-encrypted IP Packet from network node | An unencrypted IP packet has been received from a protected source host.
23 | non-encrypted broadcast IP Packet network node | An unencrypted broadcast IP packet has been received from a protected source host.
24 | unregistered IP Packet | ViPNet service traffic is unencrypted.
30 | local IP packet blocked by Public Network filter | The packet is blocked by a local public network filter, or no filter can be applied to the packet.
31 | forwarded IP packet blocked by Public Network filter | This event is logged only on a coordinator. The packet is blocked by a forward public network filter, or no filter can be applied to the packet.
32 | broadcast IP packet blocked by Local Public Network filter | The packet is blocked by a local public network filter for broadcast traffic, or no filter can be applied to the packet.
33 | IP packet blocked by antispoofing filter | This event is logged only on a coordinator. A matching entry has been found in the anti-spoofing table.
37 | IP packet is blocked by tunnel filter | This event is logged only on a coordinator. The packet is blocked by the filter for tunneled hosts, or no filter can be applied to the packet.
39 | IP packet is blocked by default filters when launching operating system | At system startup, the IP packet has been blocked by the default filters.
Table 10. The events of the All IP packets/Blocked IP packets/IP packets blocked by other reasons group
Event number | Event name | Event description
80 | IP packet's header too short | The size of the IP packet is less than the minimum possible.
81 | invalid IP protocol version | Only version 4 of the IP protocol is supported.
82 | incorrect IP header length | The length of the IP packet header is less than the minimum valid one.
83 | incorrect IP packet length | The length of the IP packet is less than the one specified in the IP header.
84 | IP packet checksum incorrect | The computed checksum of the IP packet differs from the one specified in the packet.
85 | TCP header too short | The length of the TCP header is less than the minimum valid one.
86 | UDP header too short | The length of the UDP header is less than the minimum valid one.
87 | defragmentation process failed | An error occurred while attempting to reassemble an incoming fragmented IP packet.
88 | the source address cannot be a broadcast address | A broadcast address is specified as the packet's source address.
89 | defragmentation process failed | An error occurred while attempting to reassemble an incoming fragmented IP packet.
90 | not enough resources for crypto-processing | A key for encrypting or decrypting a packet cannot be created because the cryptographic service provider does not have enough resources. If the error repeats, contact Infotecs technical support. You may need to update the driver to a version that requires fewer hardware resources, or use a more powerful computer.
91 | IP packet acquired during the ViPNet driver initialization | All IP packets are blocked while the driver is initializing.
92 | IP packet size too large | The size of an IP packet is limited to 48 KB.
93 | IP packet defragmentation timed out | Not all fragments of the IP packet were received within the allowed time.
95 | duplicate ViPNet host identifier found | On the network there is a host whose identifier coincides with that of your host but which has a different IP address.
97 | IP packet blocked by SQL filter | The connection is blocked by the Microsoft SQL filter.
101 | route for forwarded IP packet not found | This event is logged only on a coordinator. There is no rule for the forwarded IP packet in the routing table.
103 | maximal number of connections is exceeded | The number of established connections exceeds the maximum allowed by the coordinator settings.
104 | connection already exists | If the attributes of the outgoing IP packets of the connection being established coincide with those of an existing connection, the connection is blocked.
105 | can not allocate dynamic port for addresses translation rule | This event is logged only on a coordinator. No port is available for dynamic address translation (for example, the port pool is exhausted).
111 | exchange key not found | There is no key for a connection with the recipient's host.
112 | message authentication code of non-encrypted IP packets version 4.2 corrupted | The message authentication code of forwarded unencrypted traffic is incorrect.
113 | unknown source ID | The identifier of the source host of forwarded unencrypted traffic is not known.
115 | failed to find the route for IP packet | For some reason, the route cannot be found in the routing table.
116 | network adapter not found | The IP packet cannot be sent because the network adapter is not found.
117 | failed to resolve MAC address using IP address | The recipient's MAC address cannot be resolved from the IP address.
118 | failed to encrypt IP packet | An error occurred while encrypting an outgoing IP packet addressed to a protected host.
119 | incorrect IPLIR header format | An encrypted IP packet of unknown format has been received.
120 | inconsistent information about ViPNet host access parameters | An error occurred while sending an IP packet to a protected host.
121 | ViPNet cluster error | This event can occur only on a ViPNet cluster. An internal cluster error.
122 | unknown data-link protocol | An IP packet sent over an unknown data-link protocol has been received.
Note: In Windows Server 2003 and later versions of Windows, the events 82 and 89 are not logged in the IP packets log, because the OS blocks the corresponding IP packets automatically.
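A detection pass over the blocked-packet events of Tables 8 to 10, as an added example in Go (not part of the guide or of the ViPNet software). The log lines are constructed for the example, and their format (time, event number, source and destination IP, space-separated) is an assumption, since the page does not show the export format; adapt parseLine to the real one. The rules flag events that point at tampering, replay or impersonation: repeated message authentication code failures (2), time-difference rejections (4), unknown host identifiers (9) and anti-spoofing hits (33) from one source within a window, and any address conflict (19) or duplicate host identifier (95). The thresholds are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is constructed for this example; the format "<RFC 3339 time> <event number> <source IP>
// <destination IP>" is an assumption, not the ViPNet export format.
const sampleLog = `
2015-06-01T10:00:00Z 40 10.1.1.7 10.1.1.1
2015-06-01T10:00:01Z 2 10.1.1.9 10.1.1.1
2015-06-01T10:00:02Z 2 10.1.1.9 10.1.1.1
2015-06-01T10:00:03Z 2 10.1.1.9 10.1.1.1
2015-06-01T10:00:04Z 2 10.1.1.9 10.1.1.1
2015-06-01T10:00:05Z 2 10.1.1.9 10.1.1.1
2015-06-01T10:00:06Z 4 10.1.1.7 10.1.1.1
2015-06-01T10:00:07Z 95 10.1.1.42 10.1.1.1
2015-06-01T10:00:08Z 33 10.1.1.9 10.1.1.1
2015-06-01T10:05:00Z 33 10.1.1.9 10.1.1.1
2015-06-01T10:05:01Z 33 10.1.1.9 10.1.1.1
`

// names as in Tables 8 and 9 of the guide.
var names = map[int]string{
	2: "message authentication code is incorrect", 4: "significant time difference",
	9: "unknown ViPNet host identifier", 19: "ViPNet hosts addresses conflict detected",
	33: "IP packet blocked by antispoofing filter", 95: "duplicate ViPNet host identifier found",
}

// rule: how many occurrences from one source, inside one sliding window, raise an alert. A single
// address conflict (19) or duplicate host identifier (95) is already worth one; the rest matter
// when they repeat. The thresholds are assumptions of this example.
type rule struct{ threshold int; window time.Duration }

var rules = map[int]rule{
	2: {5, time.Minute}, 4: {5, time.Minute}, 9: {10, time.Minute},
	19: {1, 0}, 33: {3, time.Minute}, 95: {1, 0},
}

type record struct{ at time.Time; event int; src string }

func parseLine(line string) (record, error) {
	f := strings.Fields(line)
	if len(f) < 4 { return record{}, fmt.Errorf("malformed line: %q", line) }
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil { return record{}, err }
	ev, err := strconv.Atoi(f[1])
	if err != nil { return record{}, err }
	return record{at, ev, f[2]}, nil
}

// Detect returns one alert per (event, source) pair whose count inside the rule's window reaches the
// threshold. Lines are expected in chronological order; alerts are sorted for stable output.
func Detect(log string) ([]string, error) {
	recent := map[string][]time.Time{}
	fired := map[string]bool{}
	var alerts []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" { continue }
		r, err := parseLine(line)
		if err != nil { return nil, err }
		rl, ok := rules[r.event]
		if !ok { continue }
		key := strconv.Itoa(r.event) + "/" + r.src
		kept := recent[key][:0] // filter in place: keep only timestamps still inside the window
		for _, t := range recent[key] {
			if r.at.Sub(t) <= rl.window { kept = append(kept, t) }
		}
		recent[key] = append(kept, r.at)
		if len(recent[key]) >= rl.threshold && !fired[key] {
			fired[key] = true
			alerts = append(alerts, fmt.Sprintf("event %d (%s) from %s: %d occurrence(s) within %s",
				r.event, names[r.event], r.src, len(recent[key]), rl.window))
		}
	}
	sort.Strings(alerts)
	return alerts, sc.Err()
}

func main() {
	alerts, err := Detect(sampleLog)
	if err != nil { panic(err) }
	for _, a := range alerts { fmt.Println("ALERT:", a) }
}
```

On the sample the pass raises two alerts: five message authentication code failures from 10.1.1.9 within a minute, and the duplicate host identifier from 10.1.1.42. The three anti-spoofing hits from 10.1.1.9 do not alert because two of them fall outside the one-minute window of the first. Events not in rules (for example 40, an allowed encrypted packet) are ignored. Tune the thresholds against a baseline before alerting on them: the count that matters for event 4 depends on the clock skew tolerance configured on the hosts.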
Service Events and Allowed IP Packets Events
Table 11. Events of the All IP packets/All allowed IP packets/Allowed encrypted IP packets group
Event number | Event name | Event description
40 | encrypted IP packet allowed | An encrypted IP packet has been allowed.
41 | encrypted broadcast IP packet allowed | An encrypted broadcast IP packet has been allowed.
44 | encrypted forwarded IP packet routed and its IP address changed | This event is logged only on a coordinator. The IP packet has been directed to another host by changing its destination address.
45 | encrypted (decrypted) packet from tunneled host | This event is logged only on a coordinator. An IP packet addressed to a tunneled host has been encrypted or decrypted.
Table 12. Events of the All IP packets/All allowed IP packets/Allowed non-encrypted IP packets group
Event number | Event name | Event description
60 | non-encrypted IP packet allowed | A local IP packet has been allowed by a public network filter.
61 | non-encrypted broadcast IP packet allowed | A broadcast IP packet has been allowed by a public network filter.
62 | non-encrypted forwarded IP packet allowed | This event is logged only on a coordinator. A forwarded IP packet has been allowed by a public network filter.
63 | IP packet is allowed by tunnel filter | This event is logged only on a coordinator. An IP packet from a tunneled host has been allowed by a filter.
64 | IP packet is allowed by default filters when launching operating system | At system startup, the IP packet has been allowed by the default filters.
Table 13. Events of the All IP packets/Service events group (additional information for IP packets registered in the log)
Event number | Event name | Event description
42 | IP address of the ViPNet host changed | The ViPNet driver detected that the IP address of a host or its access parameters had changed, so the driver updated the host's routing tables. If the access parameters have changed, the event is registered only for hosts that do not work through a firewall with static or dynamic NAT.
46 | ViPNet host access parameters changed | The ViPNet driver detected that the parameters for accessing the host from an external network had changed, so the driver updated the host's routing tables. The event is registered for hosts that work through a firewall with static or dynamic NAT. The IP addresses and ports are registered from the attributes of the IP packet as they were before the ViPNet driver modified them.
48 | ViPNet host's IP address is registered from broadcast IP packet | The host sends broadcast IP packets.
49 | ViPNet host parameters controlling access to this host from external network changed | Information that the parameters for accessing your host through a public network have changed. The IP addresses and ports are registered from the information about the recipient and source hosts.
110 | new ViPNet host IP address is registered on the DNS server | A message from a DNS server has been received, informing that the IP address specified in the sender's IP address field is registered for the host whose name is specified in the source field.
114 | the name is not registered on DNS (WINS) server | A message from a DNS server has been received, informing that the DNS name of the protected host is not registered on this DNS server.
D External Storage Devices
Overview
External storage devices are designed for storing key containers (see Key container on page 334) that you can use for authentication, digital signing (see Digital signature on page 333), or other purposes. On an external device, you can store keys created with different encryption algorithms in ViPNet software or third-party programs. The maximum number of key containers stored on a device depends on the device's memory. ViPNet software supports two authentication methods involving external storage devices (see User Logon Modes on page 59):
A ViPNet user's personal key stored on an external device, with the following limitations:
o Each external storage device can be used for authentication of only one ViPNet user.
o Each external storage device can be used for authentication of that one ViPNet user on several ViPNet hosts.
o If you use this authentication method, store your digital signature keys (created in a certification authority using ViPNet software) and the personal key on one external storage device.
A certificate with its private key stored on an external device. You can request the certificate in a Windows domain and store the corresponding key container on an external storage device that supports PKCS#11.
You can perform all the required configuration of key containers and external storage devices in the ViPNet CSP program. Make sure that you have installed the drivers required for your external device. Before you store keys on the device, make sure that the device is formatted.
Supported External Storage Devices
The table below lists the devices supported by the ViPNet software. For each external device, the table gives its description, requirements, operation specifics, and whether the PKCS#11 standard is supported.
Note: PKCS#11 (also known as Cryptoki) is one of the PKCS standards (Public Key Cryptography Standards) developed by RSA Laboratories. It defines a platform-independent API for working with cryptographic tokens used for identification and data storage.
Table 14. Supported external devices
Device name in ViPNet CSP | Device name and type | Requirements | PKCS#11 support
eToken Aladdin | eToken PRO (Java) and eToken PRO personal electronic keys, eToken PRO (Java) and eToken PRO smart cards by Aladdin | The PKI Client software version 5.1 or later must be installed on the computer. Note: You can use an eToken PRO smart card with any standard PC/SC-compatible USB card reader. | Yes
iButton Aladdin | iButton (Dallas) electronic keys of the DS1993, DS1994, DS1995, and DS1996 types | A reader device must be connected to the computer. The 1-Wire Drivers software version 3.20 or 4.0.3, which provides data exchange with iButton, must be installed on the computer. | No
Smartcard Athena | Smart cards with I2C memory (ASE M4), synchronous cards with a 2/3 bus and protected memory meeting the ISO 7816-3 standard (ASE MP42) | The ASEDrive III PRO-S reader by Athena is used to process data on a smart card. Drivers version 2.6 must be installed on the computer. | No
Siemens CardOS | CardOS/M4.01a, CardOS V4.3B, CardOS V4.2B, CardOS V4.2B DI, CardOS V4.2C, and CardOS V4.4 smart cards by Atos (Siemens) | Siemens CardOS API V5.0 or later must be installed on the computer. | Yes
Note: For each device, the list of supported operating systems is available on the manufacturer's official web page.
E Recommendations on Providing Compatibility of the ViPNet Client Software with Third-Party Programs
Compatibility of the ViPNet Software and the Hyper-V Technology
Hyper-V is a virtualization system implemented in Microsoft Windows Server 2008 (64-bit). Hyper-V has a specific requirement: to give virtual machines access to an external network, you allocate one of the computer's physical network interfaces for this purpose. This interface is connected to the virtual Hyper-V switch, and a virtual interface with the same properties is created in the host operating system in its place. For the virtual network interfaces (and the interfaces in the host operating system) to be connected correctly to the external network, disable all services and protocols on the physical interface used for this connection, except for the Virtual Network Switch protocol. When ViPNet Monitor is installed on a computer with a 64-bit operating system, the Iplir lightweight Filter (x64 edition) service (in other words, the ViPNet network driver) is started on all network interfaces of the computer. This driver encrypts, decrypts and filters the incoming and outgoing IP packets on the interface and may degrade the performance of the Hyper-V virtual network. To ensure that both the virtual network and the ViPNet software in the host operating system function correctly, disable the Iplir lightweight Filter (x64 edition) service in the settings of the physical network interface connected to the virtual Hyper-V network. Keep in mind that IP packets passing through that interface are then neither filtered nor encrypted by the host's ViPNet driver, so the virtual machines behind it must be protected by other means.
Figure 157. Configuring a physical interface connected to a virtual Hyper-V network
Compatibility of the ViPNet Client Software and Cisco Agent Desktop
If the contact center policy requires supervisors to record and listen to agents' conversations by using Cisco Agent Desktop (on agents' hosts) and Cisco Supervisor Desktop (on the supervisor's host), do not install the ViPNet Client software on the agents' hosts. Instead, configure tunneled connections to protect the communication between agents and the supervisor.
If Cisco Agent Desktop and ViPNet Client are used on the same host, voice traffic reaches the supervisor with errors, for the following reason. Agents' voice traffic is mirrored by the Cisco Agent Desktop driver to the supervisor's host, where the supervisor records and listens to it by using Cisco Supervisor Desktop. When ViPNet Client is installed, all outgoing traffic is normally encrypted before it is sent, so every IP packet leaves with modified headers. The mirrored traffic, however, is not processed by ViPNet Client at all: the Cisco Agent Desktop software forwards it to the supervisor's host directly. The NDIS driver included in Cisco Agent Desktop and the ViPNet driver work at different layers of the TCP/IP stack. The ViPNet driver processes traffic at the network layer, while the Cisco driver works at the data link layer and mirrors traffic straight to the supervisor's host, without passing it through the ViPNet driver. As a result, the supervisor's host receives unencrypted IP packets, which the ViPNet software on that host cannot accept.
If no ViPNet software is installed on the agents' hosts, all their IP traffic (including voice traffic) is sent unencrypted and can be accepted on the supervisor's host, provided that the corresponding filters for unencrypted traffic are created there. For the traffic to be encrypted when it crosses external networks, configure a tunneled connection between the agents' hosts and the supervisor's host. If recording and listening are not required in a contact center, you can install and use Cisco Agent Desktop and ViPNet Client simultaneously on agents' hosts.
F Version History This chapter describes new functionality of the ViPNet Client software.
What's New in Version 4.3 This section contains a brief description of changes made to ViPNet Client 4.3 and its new features. For details, see “New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.”
Restoring pre-defined filters and object groups In version 4.3, you can restore the pre-defined network filters. Thus, you can discard all user-defined filters and roll back to the initial state. Pre-defined object groups will be restored too.
Centralized management of encryption algorithms and saving a password to the registry In version 4.3, the password saving feature and the encryption algorithm are set according to the settings received within the keys and host links update. Such updates are created in network management software (ViPNet Network Manager or ViPNet Administrator) that supports centralized management of those parameters. A user or a host administrator can still change the settings, but the change remains in effect only until the next update is installed.
Centralized management of the Windows Firewall state On clients version 4.3, Windows Firewall is enabled or disabled according to the settings specified by the ViPNet network administrator in the network management software. If your ViPNet software version does not support centralized management of Windows Firewall, then at the first start of ViPNet Monitor, Windows Firewall is automatically disabled.
More parameters can be set for software installation using group policies
Now you can specify more parameters when installing ViPNet Client using group policies. You can use MST files with settings in which you define the software components to install, so that only the required components are installed.
What's New in Version 4.2 This section contains a brief description of changes made to ViPNet Client 4.2 and its new features. For details, see “New Features in ViPNet Client and ViPNet Coordinator 4.x. Supplement to ViPNet Documentation.”
Optimization of routing protected IP traffic between clients Unlike the earlier versions, a client can now establish connections to other hosts (either on the LAN or on an external network) via directly accessible routes, bypassing coordinators when possible. Even if two clients are behind different firewalls with dynamic NAT, they can communicate with each other directly. The only case in which direct communication between clients is impossible is when their NAT devices allocate a new, randomly chosen external port for each new destination the client sends IP packets to. This kind of NAT is called 'symmetric.' In this case, the connection between such clients is established through one of their connection servers.
Figure 158. Establishing connection between ViPNet hosts
Configuring clients' connection to a ViPNet VPN Clients of version 4.2 detect the type of connection to a public network automatically. They establish communication with external hosts via connection servers. Due to this new feature, you do not need to specify the firewall type manually, and this option has been removed from the ViPNet Client Monitor interface. Instead, now you can choose a connection server. Usually you do not need to change the connection server. The only case when you may need to do it is when your clients connect to another LAN, which does not have access to your current connection server but has another coordinator accessible for your client. Some other options are hidden in the ViPNet Client Monitor interface as advanced ones. You may configure them if necessary.
Figure 159. Changing ViPNet network connection settings in ViPNet Client
Connecting to a ViPNet VPN via a TCP tunnel When a client connects to a ViPNet network remotely, transferring IP packets over UDP may fail because some ISPs block UDP traffic. Now, if a client cannot reach other ViPNet hosts over UDP, it can establish a TCP connection to them via a tunnel terminated on its connection server. When configuring a TCP tunnel on a coordinator, you specify the TCP port on which the coordinator accepts tunneled connections. This port number is distributed automatically to all clients for which the coordinator is the connection server. On a client, the coordinator's TCP tunnel port is displayed in the coordinator's properties. If no port is shown in a coordinator's properties, but you know for sure that a TCP tunnel is configured on this coordinator, you can specify the port manually.
Figure 160. Specifying a port for a TCP tunnel
Changes in the certificate renewal wizard The method of transferring a certificate renewal request in a file became unnecessary. The corresponding option has been removed from the certificate renewal wizard. In ViPNet Key and Certification Authority 4.x, *.sok files received directly from a user cannot be processed. Now you can transfer a generated certificate renewal request to ViPNet Key and Certification Authority only via the ViPNet MFTP transport module. Moreover, the option of choosing the mode of waiting for the renewed certificate from ViPNet Key and Certification Authority in real time has been abandoned, as well as the option of installing the renewed certificate immediately upon receiving it. Both abandoned options could cause errors in the process of a renewed certificate's installation in some cases. Now the certificate can be installed without such errors. It is installed automatically if, in the Security Service Settings dialog box, on the Signature tab, you select the Automatically install certificates, issued by user's request check box.
Changes in ViPNet Update System notifications In version 4.2, if automatic installation of updates is chosen, then ViPNet Update System operates silently, without displaying notifications. If manual installation of updates is chosen, then the corresponding information is displayed in the notification area when updates arrive on the host. In the earlier versions, the ViPNet Update System icon is always displayed in the notification area. In version 4.2, the icon is displayed only when you are required to perform some actions, for example, to restart the computer after updates were installed or to accept updates if manual installation of updates has been chosen. Also, in version 4.2, you can call the ViPNet Update System window from the Start menu.
Safer start of ViPNet SafeDisk-V To strengthen the protection of sensitive information, ViPNet SafeDisk-V now starts differently. If IP traffic protection is disabled in ViPNet Monitor, ViPNet SafeDisk-V will not start. Conversely, while ViPNet SafeDisk-V is running, you cannot disable traffic protection.
New options for Encrypted Instant Messaging
In Encrypted Instant Messaging 4.2, new features have been added. Now you can:
o search for the required session among all active sessions by a certain word or a part of the word;
o easily switch between the sessions;
o view the date and time of the latest message from a session participant;
o send emails or files within a chat session;
o check connection with the selected user.
Figure 161. New instant messaging features
Moreover, when you exit the Encrypted Instant Messaging program, all started sessions are now saved and restored at the next program startup. In the earlier versions, all current instant messaging sessions were closed when you exited the program.
Notification about changing object or network filters groups In version 4.2, when you add or edit an object group or a network filter, a notification is displayed in the status bar of the main window indicating that the group or filter has been edited but the changes have not been applied yet. The message stays in the status bar until you click Apply and confirm the changes within 30 seconds.
Figure 162. Notification about changing object and network filters groups
Changes in the ViPNet Business Mail program
In the new version of ViPNet Business Mail, you can change the font, size, and style of your Business Mail message text, and add images and lists.
Figure 163. Format bar in the new message window
Also, in version 4.2, you can create autoprocessing rules of a new type for processing files in the ViPNet Business Mail internal format (*.bml). With this feature, you can organize Business Mail message exchange between users of ViPNet networks that have no partner network connection. You can also configure rules for processing incoming messages for specified users of a ViPNet host (if there is more than one user on this host).
What's New in Version 4.1 This section contains a brief description of changes made to ViPNet Client 4.0 and its new features.
Disabling the Windows firewall on the first ViPNet Client startup When you install ViPNet Client 4.1, the standard Windows firewall remains enabled. It is disabled automatically only when you run the program for the first time. This ensures uninterrupted protection of your computer in the network deployment process. You will not be notified about the firewall disabling. In 3.2.x versions, the firewall is disabled right after ViPNet Client is installed.
New signature algorithms In ViPNet Monitor 4.1, more algorithms are supported for signing keys generation.
On-screen keyboard for logon In version 4.1, you may log on to ViPNet Monitor during Windows loading by using the on-screen keyboard. To do this, click the button and, on the menu, click On-Screen Keyboard.
ViPNet Business Mail new features With ViPNet Business Mail 4.1, when archiving, you can save attachments together with the corresponding email messages. In this case, your archive will contain a single file. Storing archived messages and their attachments in a single file makes it easier to copy the archive or to move it to an external storage device (for example, for backup). ViPNet Business Mail 4.1 has new icons. In the main window, the Status column was added, where mail attributes are displayed as graphics.
Figure 164. A new column displaying the message status
What's New in Version 4.0 This section contains a brief description of changes made to ViPNet Client 4.0 and its new features.
Centralized management of ViPNet hosts' security policies is supported In ViPNet Monitor, you can apply network filters and IP addresses translation rules created in ViPNet Policy Manager.
A new format of network filters and IP addresses translation rules In version 4.0, a new format of network filters and IP addresses translation rules (see Configuring the Integrated Firewall on page 109) is used, which allows you to apply security policies created in ViPNet Policy Manager. When the program is upgraded to a new version, filters and rules are fully converted, and there is no need for the user to take any additional actions.
Figure 165. Viewing network filters in ViPNet Client Monitor
Security levels concept rejected In version 4.0, security levels are not used. To configure the security level needed, you can create network filters or assign a corresponding permissions level to a user.
ViPNet software installation uses the MSI technology For ViPNet Monitor 4.0, an MSI installation package has been developed, which allows you to install the program by using Microsoft System Center or a command line program.
ViPNet CSP setup The ViPNet CSP program may be installed from a separate installation file or together with the ViPNet Client and ViPNet Coordinator programs version 4.0. In any case, ViPNet CSP is installed as a separate application, which makes its upgrading simple and independent of the ViPNet Client and ViPNet Coordinator programs upgrading. Now the cryptographic service provider can be configured only in the ViPNet CSP program. In ViPNet Monitor, on the Cryptoprovider tab, you may open only the settings window of ViPNet CSP.
Figure 166. Configuring the cryptographic service provider
The ViPNet KeySetup program In version 4.0, the configuration setup program is no longer used. The KeySetup program allows you to perform all scenarios of installing and updating keys on a ViPNet host (see Installing Keys and Host Links on page 42).
User logon modes In ViPNet Monitor version 4.0, when using an external device for authentication (PIN and device mode), you can be authenticated by either your personal key (as in version 3.2.x) or your certificate (see User Logon Modes on page 59).
Figure 167. Using a device for user authentication
The Password on device mode will not be supported in later versions. In version 4.0, we recommend that you choose other logon modes (see Setting the User Logon Mode on page 201). If users are authenticated by their passwords, then, for another user to log on, he or she only needs to select the proper username from a list, without specifying the user keys folder.
Figure 168. Authenticating a user by a password
ViPNet Update System In ViPNet Monitor version 4.0, all updates (namely software, host links, keys updates and security policy updates created in ViPNet Policy Manager) are received and installed by the ViPNet Update System. The ViPNet Update System features a user-friendly graphical interface for work with the received updates.
Figure 169. The list of updates received
When you receive updates, you are informed about them.
Figure 170. Displaying new updates in the notification area
Creating IP packet filters In ViPNet Monitor version 4.0, you can create filters both allowing and blocking right in the IP packets log. Therefore, the Blocked IP Packets section was removed from the interface. Now you can perform all actions with the IP packets in the IP Packets Log section.
Switching configurations automatically In ViPNet Monitor version 4.x, you can switch between program configurations automatically. If you work with several program configurations and you switch between them at certain moments of time, you may schedule automatic change of configurations.
Restricted user interface In ViPNet Monitor version 4.0, you can restrict the user interface (see ViPNet Monitor Advanced Settings on page 197), which is equivalent to assigning the 3rd permissions level to the host. Consequently, if the host already has the 3rd permissions level, the check box for restricting the interface is not available.
Desktop locking and IP traffic blocking In ViPNet Monitor 4.0, you may lock the computer by standard Windows OS means. Now you can block all IP traffic (any connections with protected and unprotected hosts will be blocked) and disable traffic protection (stop traffic processing, IP packets logging, and disable the intrusion detection system).
Figure 171. Restricted user interface in ViPNet Monitor
Integration with ViPNet SafeDisk-V In version 4.0, protected and unprotected configurations are no longer used when you work with ViPNet SafeDisk-V. You configure traffic protection parameters in a dedicated window. When you start ViPNet SafeDisk-V, ViPNet Client is restarted and many options become unavailable, including logging on as another user and exiting ViPNet Client.
A new database in ViPNet Business Mail In ViPNet Business Mail 4.0, an integrated SQLite database is used, which removes the limit on the number of archived email messages in a database. It also ensures synchronous processing of incoming and outgoing email messages during autoprocessing.
Changes in terminology and interface
Table 15. Main changes in terminology and interface
Change object | Version 3.2.x | Version 4.0
Terms | Traffic Filtering Rules | Network Filters
Terms | Export Settings | Save Settings
Terms | Import Settings | Restore Settings
Menu bar | | Revised
Starting the Business Mail, Application Control, File Exchange, MFTP software components | Can be started by clicking the corresponding buttons in the main ViPNet Monitor window | Can be started from the Applications menu
Network Filters | | Filters are now similarly displayed in the ViPNet Monitor and the ViPNet Policy Manager programs
Managing IP traffic | General and Intrusion Detection sections of the Options dialog box | IP traffic is managed in a separate Manage IP Traffic section of the Options dialog box
Locking your computer | A button in the main window of the program | The button has been removed
Documentation and Help update Documentation and Help shipped together with the ViPNet Client software have been updated to reflect the changes in the program features.
What's New in Version 3.2.10 This section contains a brief description of changes made to ViPNet Monitor 3.2.10 and its new features.
Notification of blocked IP packets In ViPNet Monitor, you can receive notifications of IP packets blocked by the integrated firewall. If you want to enable the notification, in the Options dialog box, in the General > Warnings section, select the Notify about blocked IP packets check box.
Fixed errors in the ViPNet Client program
o The error which caused Windows XP SP3 to crash is fixed.
o The failure to check connection to a host with an earlier version of ViPNet software is fixed.
Changes in working with public key certificates
o Outdated algorithms of creating and verifying digital signatures are not supported any more.
o The errors of polling the certificate revocation list distribution points are fixed.
o The qualified certificate request errors are fixed.
Fixed errors in the Business Mail program
An error that occurred when verifying the digital signature of a message with empty text is fixed.
What's New in Version 3.2.9 This section contains a brief description of changes made to ViPNet Monitor 3.2.9 and its new features. For details, see “New Features in ViPNet Client and ViPNet Coordinator 3.2. Supplement to ViPNet Documentation.”
A new view of information about blocked IP packets Now you cannot receive notifications on IP packet blocking. You cannot specify a time period within which the IP packets have been blocked, too. The list of blocked IP packets now displays the IP packets blocked since the program startup or the last clearing of the list.
Figure 172. Viewing blocked IP packets in ViPNet Client 3.2.9
Documentation and Help update Documentation and Help shipped together with the ViPNet Client software have been updated to reflect the changes in the program functionality.
What's New in Version 3.2.8 This section contains a brief description of changes made to ViPNet Monitor 3.2.8 and its new features. For details, see “New Features in ViPNet Client and ViPNet Coordinator 3.2. Supplement to ViPNet Documentation.”
Compatibility with third-party software Compatibility of ViPNet software with Lumension Device Control, Cisco Security Agent, Kaspersky Administration Kit, and MSDE 2000 has been implemented.
Improved multicore processor support Parallel IP packet processing on multicore systems has been optimized. Because IP packets are now processed promptly and the received data is delivered in the right order, multimedia streaming rate and quality have increased.
More application protocols can be processed in ViPNet Monitor now Special IP packets processing has been implemented in ViPNet Monitor to process more application protocols.
ViPNet Client and ViPNet SafeDisk-V integration Integration ensures advanced security of confidential information you store in ViPNet SafeDisk-V containers (see ViPNet SafeDisk-V on page 339). Now, access to containers in ViPNet SafeDisk-V is defined by the current type of ViPNet Monitor configuration: protected or unprotected.
Information about IP packets blocked within a specified time period is displayed Now you can choose whether information about IP packets blocked within the last hour, the last 24 hours, or within a specified time period should be displayed.
Private network filters display and encrypted traffic filtering rules configuration have been changed Now you can find information about all filters in the main window, in the Network Filters section.
Figure 173. Navigation pane sections in ViPNet Coordinator Monitor of versions 3.1 and 3.2
The visual appearance of private and public network filters has been unified, as have the actions you can perform on the filters.
Figure 174. The visual appearance of private and public network filters in ViPNet Monitor 3.2 and possible actions with the filters
Automatic Logon To ViPNet Client
Logon without the need to confirm the ViPNet user password in the logon window has been implemented. You can configure autologon only in the administrator mode, on the Administrator tab of the Security Service Settings dialog box. If the Automatically log on to ViPNet check box is selected, the logon window is not displayed at ViPNet Monitor startup on the current host and you are logged on to ViPNet automatically.
Figure 175. Configuring autologon in ViPNet Client
Certificates are automatically received and installed if they have been issued by the administrator without a user request You can automatically receive and install the certificates issued by the administrator in ViPNet Key and Certification Authority without a user request. If this option is enabled, receiving those certificates and installing them does not require any user action. After such a certificate has been installed, you will be notified about it (see Certificate Issued on the Administrator's Initiative Has Been Installed on page 267).
Figure 176. The certificates issued by the administrator without a user request will be installed automatically
New key setup program has been developed The new key setup program is intended for working with key sets created in ViPNet Administrator Key and Certification Authority, versions 2.8 and 3.x, and in ViPNet Network Manager, versions 2.x and 3.0. The new setup program offers enhanced functionality and a user-friendly interface.
Warning: For ViPNet networks managed with the ViPNet Administrator software, we do not recommend you to use the ViPNet KeySetup program on the hosts where several ViPNet users have been registered or several programs using ViPNet keys have been installed.
Figure 177. The new ViPNet KeySetup program
Cryptographic service provider ViPNet CSP has been improved
The following features of ViPNet CSP have been improved:
o TLS support in Windows 7 OS;
o compatibility with 64-bit operating systems;
o encryption and digital signature in Microsoft Office 2010.
ViPNet Application Control has been improved
The following features have been introduced in ViPNet Application Control:
o compatibility with 64-bit operating systems;
o work in several sessions.
To provide a better user experience, some terms and graphical user interface element labels containing those terms have been changed.
Change object | Before the change, in versions 3.1.x | After the change, in version 3.2
Dialog box name | Access Rule (a dialog box called from the Private Network section) | ViPNet Host Properties
Terms | Access rule | Rule
Terms | Protocol filter | Filter
One of the Service menu items | Application Protocols | No menu item
Interface used to configure application protocols | The Application Protocols window | The Application Protocols section in the Options window
Context menu of items in the Blocked IP Packets section of the menu bar | The same as the context menu of items in the Private Network and Public Network sections | A different context menu
The Blocked IP Packets section of the Options window | Options used for configuring notifications about blocked IP packets | Options used for configuring a time period within which the IP packets you search for were blocked
Documentation and Help update Documentation and Help shipped together with the ViPNet Client software have been updated to reflect the changes in the program functionality.
What's New in Version 3.1.5 This section contains a brief description of changes made for ViPNet Monitor 3.1.5 and its new features.
Control over ViPNet Cluster applications health has been implemented Now you can control operability of applications installed on a ViPNet cluster and specially configured to work on it. This ensures a high level of fail safety and accessibility of the applications when they are running. You can adjust the application monitoring settings in the ViPNet Cluster Monitor program. For more information, see “ViPNet Cluster. Administrator’s Guide.”
Figure 178. Configuring applications operability monitoring in ViPNet Cluster Monitor
Some terms and graphical user interface element labels containing those terms have been changed
Old term | New term
Signature keys container, private key container, public key container | Key container
Distribution key set | Key set
Key disk | User keys
The graphical user interface of ViPNet Client and ViPNet Coordinator as well as documentation and help files to all products have been updated due to the changes in terminology.
Documentation and Help in other localizations The German, Spanish and French localizations of the ViPNet Client documentation have been revised to match the current Russian versions. English documentation and Help files have been updated.
What's New in Version 3.1.4 This section contains a brief description of changes made for ViPNet Monitor 3.1.4 and its new features.
Lock computer feature modification The “Lock computer” feature has changed: now the standard Windows functionality is used.
Automatic host protection when you detach a user authentication device User authentication device control has been implemented. Now, when the authentication device is disconnected, your computer is automatically locked and IP traffic is blocked. You can change the blocking options so that only IP traffic is blocked or only the desktop is locked, or you can disable this feature altogether.
Figure 179. Lock when you disconnect your authentication device options
Restriction on the number of log entries about blocked IP packets A limit on the number of blocked IP packet entries has been introduced: the log keeps entries for at most 300 IP addresses and not more than 30 entries for each port of each IP address. The information displayed in the blocked IP packets section is refreshed every time you open or refresh the section. Once the limit is exceeded, the oldest entries are overwritten with newer ones.
The IP packets log exported to other applications becomes more detailed The list of IP packets attributes included in the exported IP packets log has been extended. You can find information about all IP packets attributes now when viewing the IP packets log in a web browser or Microsoft Excel.
Detailed information about the number of items in Business Mail folders The number of items in Business Mail folders is displayed in a different way now. When, in the folders pane of the main Business Mail window, you select a folder, the total number of items in this folder and its subfolders is displayed. Besides, for the Inbox folder, the number of unread e-mail messages is displayed; for the Sent Items folder, the number of undelivered e-mails is displayed.
A previously selected item in a Business Mail folder is shown when you return to the folder When you navigate from one Business Mail folder to another, the item selection is remembered and restored when you return to this folder. For example, if, in the e-mails pane, in the Inbox folder, you select an item and then navigate to some other folder, the same item will be displayed (regardless of its position on the messages list) and selected when you return to the Inbox folder.
Improved search in Business Mail E-mail search in the search window of the ViPNet Business Mail program has been improved. When you open the Find E-mail window, the focus is moved to the Archive list, and, in the Search in box, the currently opened folder is set by default.
Improved incoming e-mail autoprocessing The following changes have been introduced to the incoming e-mail autoprocessing in this version:
o If a list of senders is specified in a rule, the incoming e-mails whose sender is included in the list are processed using this rule.
o If a list of users whose digital signatures should be verified is specified in a rule, the incoming e-mails whose attachments are signed by a user in the list are processed using this rule (if the signature is valid).
o Blank incoming e-mails are not copied to disk (the blank.txt file is not created when there is no text in an e-mail body).
GUI implementation of enabling and disabling the cryptographic service provider ViPNet CSP has changed
In the Security Service Settings dialog box, on the Cryptoprovider tab, the Enable/Disable ViPNet CSP check box has been replaced with the Enable/Disable button, and a message is displayed in case of insufficient user permissions.
Figure 180. ViPNet CSP enable and disable button
ViPNet Monitor is now compatible with Network Logon 5.1
Compatibility of ViPNet Monitor with eToken Network Logon 5.1 has been implemented. You can log onto ViPNet Monitor when the Network Logon 5.1 eToken is used.
Improved Help
The Help interface has been modified, and the reference information is presented more clearly.
Documentation and Help in other localizations
Spanish documentation and Help localization has been released. German and French documentation and Help localizations have been updated to match the Russian version. English documentation and Help files have been updated.
What's New in Version 3.1.3
This section contains a brief description of changes made in ViPNet Monitor 3.1.3 and its new features.
No restrictions on remote ViPNet software startup
The default value of the “Let Monitor start in remote session” option has been changed. Now, by default, you are allowed to start ViPNet Monitor remotely.
Service messaging and IP address announcements between hosts have been optimized
The number of service messages and IP address announcements between hosts has decreased significantly. Information about host statuses and parameters is now sent only to those ViPNet hosts that actually need it. To reduce the number of messages, they are aggregated over a specified time period.
Support for the DHCP protocol when you work using the “Open Internet” configuration
The technology used when a ViPNet host connects to the Internet, which is a public (“open”) network, has changed. Now, when you work with the “Open Internet” configuration, the protected DHCP server can assign IP addresses to the hosts.
Support for a cluster on 64-bit operating systems
The ViPNet Cluster software is now supported on coordinators with 64-bit operating systems.
Extended support for the centralized monitoring system ViPNet StateWatcher
A monitoring agent has been implemented that collects more detailed information about ViPNet host statuses. You can now analyze ViPNet MFTP and ViPNet Business Mail performance, the number and total size of queued envelopes, the list of addresses tunneled by the coordinator, total incoming and outgoing traffic on each network interface, CPU usage, memory and disk space usage, and event entries from the Windows System and Application logs.
Improved protection against incorrect key installation or update on ViPNet hosts
A check that the key set (*.dst file) matches the host type (client or coordinator) has been implemented. You can now install or update only a key set created for the same application (ViPNet Client or ViPNet Coordinator) that is installed on your computer.
Documentation and Help in other localizations
German and French documentation and Help localizations have been released.
What's New in Version 3.1.2
This section contains a brief description of changes made in ViPNet Monitor 3.1.2 and its new features.
More comprehensive logon mode names
The names of the user logon modes have been changed to:
o Password only.
o Password on device.
o PIN and device.
Figure 181. Logon modes rename
Options location has been optimized
The program options previously located in the navigation pane have been combined with other settings.
Figure 182. Private network options location change
Now all options are collected in one dialog box displayed by Service > Options.
Figure 183. Private network options in version 3.1.x
A supplementary way of checking connection to a ViPNet host
You can now check the connection to a ViPNet host right from an encrypted messaging session with this host. Right-click the host and, on the context menu, click Check Connection.
An easier way of viewing status information for several ViPNet hosts at a time
When you check the connection to several ViPNet hosts at a time, a single window containing status information for the selected hosts is displayed instead of several separate windows.
Figure 184. Checking connection to several ViPNet hosts at once
Detailed information about host accessibility
The messages displayed when you check the connection to a host now also include a special message for the case when the host is accessible on the network but the ViPNet software installed on it is disabled.
Easier file sending
Fewer steps are now required to send files to ViPNet users.
Figure 185. The file exchange process
Files are sent right after a recipient ViPNet host is chosen.
Figure 186. The file exchange process after the redesign
The function of creating filtering rules when viewing blocked IP packets has been implemented
You can now add filtering rules for the public network and tunneled hosts directly from the blocked IP packets window.
Improved search
The list of ViPNet host search criteria has been extended. You can now search for hosts by host identifier, computer name, alias, DNS name, and virtual and real IP addresses.
Supplementary ways of logging on as an administrator
You can now quickly switch to the administrator mode by choosing Administrator logon on the context menu of the program icon in the notification area or on the Service menu.
Unified graphical user interface for accessing the IP packets registration log
You can now view the IP packets log in the same way from various places in the interface: first, the log search criteria window is displayed, and then the list of log entries.
The function of configuring some settings at ViPNet logon
You can now specify a different path to the transport folder and the user keys folder when you log onto ViPNet Monitor.
A new way of enabling anti-spoofing on a coordinator
Anti-spoofing on a coordinator is now enabled for each network interface individually.
Advanced user permissions
Support for user permissions level “h” has been added for the “VPN host” role. At this level, a host always has two fixed configurations, namely “Internal network” and “Internet.” In the “Internal network” configuration, access to the private network resources is allowed, while access to the Internet is blocked. In the “Internet” configuration, access to the Internet is allowed, while access to the private network is blocked.
Any ViPNet software localization can be installed regardless of the previously installed one
Differences in registering various localizations of the ViPNet software have been eliminated. You can now install a later version localized to one language over an earlier version localized to another language.
Extended support for the SIP protocol
Support for the SIP protocol has been implemented. You can now use ViPNet-protected IP telephony when there are several network adapters on a computer.
Access to corporate DNS and WINS servers is configured automatically
You can now register protected DNS and WINS servers in the ViPNet software (see Configuring a DNS or WINS Servers List Manually on page 105). You just need to enter the server data in a special file, so that the servers' IP addresses are added to the network adapter settings automatically. Automatic configuration is convenient for mobile users, as well as when the DNS and WINS servers are accessible via virtual addresses.
Improved Documentation and Help
Documentation and Help files have been revised and their quality improved. The emphasis has been placed on best practices and user scenarios.
Glossary
A
Authentication
The process of identifying an individual, usually based on a user name and a password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
B
Backup set of personal keys
Backups of personal keys created by a ViPNet Key and Certification Authority administrator for a user (as a file AAAA.pk, where AAAA is the user's identifier in the user's ViPNet network). A backup set of personal keys is intended for remote updates of user keys in case of a key compromise or a change of the master key of personal keys.
C
Certificate request
A message protected with a digital signature that contains the user name, the public key and its properties, the desired validity period of the certificate, the certificate's intended purposes, and some other information (depending on the request format and the software used to create the request).
Certificate revocation list (CRL)
A list of certificates that have been revoked or suspended by a certification authority administrator and are not valid at the moment specified in the certificate revocation list.
Certification path
A chain of certificates that corresponds to the hierarchy of certification authorities that issued the certificates. A certificate is considered valid if its certification path is complete, in other words, has a root certificate at its end, and if all the certificates in the path are valid.
Client (ViPNet client)
A ViPNet host that is the start and end point of data transfer. Unlike a coordinator, a client does not route VPN traffic or service data.
Container file
A special file where all your protected data is stored. This file is mounted as an additional Windows logical disk in your system. You can work with this disk as you work with other logical disks: drag and drop, copy, paste, remove files, and so on. This file has the *.sdc extension and is hidden by default. To show this file in Windows Explorer, enable Show hidden files and folders. This option can be found in the Folder Options dialog box on the View tab.
Coordinator (ViPNet coordinator)
A network host with installed ViPNet Coordinator software or a ViPNet Coordinator HW appliance. A ViPNet coordinator functions as a server on a ViPNet network and routes VPN traffic and service data.
D
DHCP (Dynamic Host Configuration Protocol)
A network protocol of the application layer that enables a server to automatically assign an IP address to a computer, as well as other parameters necessary for it to work in a TCP/IP network: a subnet mask, a gateway IP address, and the IP addresses of DNS and WINS servers.
Digital signature
An attribute of an electronic document intended to protect the document's authenticity. It is generated with the signer's private signature key. A digital signature identifies the owner of the public key certificate and provides non-repudiation of the document contents.
E
External IP addresses
Addresses used in an external network.
External network
A network that is separated from an internal network by a firewall.
H
Host key folder
A folder where the host keys and host links of this ViPNet host are stored.
Host links
A set of files containing information on ViPNet network objects (hosts, users, host groups), including their names, ViPNet identifiers, IP addresses, and links. These files are generated in ViPNet Network Control Center.
I
IP address server
A feature of the ViPNet Coordinator software that collects and distributes information about ViPNet host statuses (accessible, unavailable, last time of user activity).
IP/241 protocol
IP protocol number 241, developed specially for ViPNet software.
K
Key container
A file where a private key and the corresponding public key certificate are stored.
Key set
A file with the .dst extension created in ViPNet Key and Certification Authority or ViPNet Network Manager for each user of a ViPNet host. This file contains the host links, keys, and license file necessary to start working with the ViPNet software on the host. For a ViPNet program to function, you must install a key set on the host with this program.
Keys and host links update
When a ViPNet network administrator makes changes to a network (adds or removes a ViPNet host or a user, issues a new certificate, and so on) by using ViPNet Network Control Center or ViPNet Key and Certification Authority, the host links and keys of the ViPNet hosts on this network change as well. The ViPNet network administrator should create update files and send them from ViPNet Network Control Center to the hosts.
N
Network address translation (NAT)
The technology that translates IP addresses and ports used on one network into addresses and ports used on another network.
P
PKI (public key infrastructure)
A set of hardware, software, policies, and procedures intended for creating, managing, distributing, using, storing, and revoking public key certificates, binding public keys to the respective user identities by means of a certification authority.
Private address
For IP networks where direct connection to the Internet is not required, three IP address ranges can be used: 10.0.0.0-10.255.255.255; 172.16.0.0-172.31.255.255; 192.168.0.0-192.168.255.255. These address ranges cannot be used on the Internet. If your IP address belongs to one of these ranges, you should use a firewall with the NAT function or a proxy to connect to the Internet. Any organization may use any address sets from the above-mentioned ranges for its local network.
Protected application servers
Application servers (a web server, a mail server, an FTP server, and others) installed on protected hosts.
Protected connection
A connection between two hosts that is encrypted by means of ViPNet software.
Protected DNS or WINS server
A DNS or WINS server installed on a protected host.
Protected host
A host with installed ViPNet software that can encrypt traffic at the network layer.
Protection key
A key used to encrypt another key.
Public key certificate
An electronic document of a predefined format that uses a digital signature to bind a public key to an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. A certificate contains information about the key owner, the public key, its purpose and usage, the certification authority that issued the certificate, the certificate validity period, and some other parameters. On a ViPNet network, certificates are issued in ViPNet Key and Certification Authority and verified with the digital signature of the ViPNet Key and Certification Authority administrator. This provides authenticity and integrity of the information specified in the certificate, including its public key and the description of its subject.
S
Secure Internet Access
A technology used in ViPNet software that allows connecting a group of local network computers permitted to work on the Internet to unprotected Internet resources, while protecting them against possible attacks without physically disconnecting them from the local network.
Security policy
A set of parameters allowing you to control ViPNet host security. The ViPNet technology ensures hosts' security by means of network filters and network address translation rules.
T
TCP tunnel
A means of connecting clients deployed on an external network with ViPNet hosts on this network. It is useful when your ISP blocks UDP connections. You can establish a TCP tunnel on the coordinator that is the client's connection server. A connection over a TCP tunnel works as follows: IP packets are transferred from the client to the coordinator over the TCP protocol; on the coordinator, the received IP packets are extracted from the TCP tunnel; then they are forwarded to their destination hosts over UDP.
Tunneled host
A host on which no ViPNet software encrypting traffic at the network layer is installed. In a potentially dangerous network section, the traffic of this host is encrypted, and then decrypted, by the coordinator it is placed behind.
U
Unprotected DNS or WINS server
A DNS or WINS server deployed on an unprotected host.
Unprotected host
A host that exchanges unencrypted traffic with a ViPNet host.
User keys folder
A folder where user keys are stored.
User password based on a passphrase
To log onto a ViPNet program, you need a user password. A random password is based on a passphrase that makes the password easier to remember. Passphrases may be generated in German, English, French, Spanish or Russian (depending on the software). A passphrase is a grammatically correct phrase. The words in a phrase are randomly chosen from a large vocabulary. A passphrase may consist of 3 or 4 words. A password may be based on two passphrases. A user password is generated using the first ‘x’ (number of) characters from each word of a randomly generated passphrase consisting of ‘y’ (number of) words, without spaces. The ‘x’ and ‘y’ options, as well as the passphrase's language, are user-defined. For example, if you use the first three letters of each word of the passphrase “illiberal morse lynches babbler”, you will get the password “illmorlynbab.”
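The derivation rule above, worked in code. This is an added example, not code from the ViPNet software or this guide; how a word shorter than x characters is handled, the toy vocabulary, and the entropy estimate are assumptions of the example.

```python
"""Derive a passphrase-based user password and estimate its password space.

Added example, not part of the ViPNet software or its documentation. It
implements the rule stated in the glossary: take the first x characters of
each of the y words of the passphrase and join them without spaces. The
treatment of words shorter than x characters and the entropy estimate are
this example's own assumptions.
"""
import math


def password_from_passphrase(passphrase, x):
    """Return the first x characters of every word, joined without spaces.

    Assumption: a word shorter than x characters contributes all of its
    characters (the guide does not say what happens in that case).
    """
    if x < 1:
        raise ValueError("x must be at least 1")
    words = passphrase.split()
    if not words:
        raise ValueError("passphrase contains no words")
    return "".join(word[:x] for word in words)


def derived_password_space(vocabulary, x, y):
    """Count the distinct passwords that y words from `vocabulary` can give.

    Truncating every word to x characters merges words that share a prefix
    ("secure" and "security" both become "sec"), so the number of distinct
    passwords is (distinct prefixes) ** y rather than len(vocabulary) ** y.
    Returns (number of distinct passwords, that number in bits), assuming
    words are chosen uniformly and independently; a phrase that must be
    grammatical draws from a smaller set per position, so the real figure
    is lower still.
    """
    prefixes = {word[:x] for word in vocabulary}
    count = len(prefixes) ** y
    return count, math.log2(count)


if __name__ == "__main__":
    # The guide's own example: first three letters of each of four words.
    print(password_from_passphrase("illiberal morse lynches babbler", 3))
    # Constructed toy vocabulary showing how truncation shrinks the space.
    vocab = ["secure", "security", "secret", "morse", "lynches", "babbler"]
    print(derived_password_space(vocab, 3, 4))   # prefix collisions: 4**4
    print(derived_password_space(vocab, 10, 4))  # whole words kept: 6**4
```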
User permissions
Rights defining whether ViPNet users can change their ViPNet software settings and to what extent. A ViPNet network administrator defines user permissions for a ViPNet host in role properties.
V
ViPNet Administrator
A software suite intended to manage a ViPNet network. It includes the ViPNet Network Control Center server and client applications and the ViPNet Key and Certification Authority program.
ViPNet host
A network node with installed ViPNet software that is registered in ViPNet Network Control Center.
ViPNet host administrator's password
A password to enable the administrator mode on a ViPNet host. The administrator mode provides advanced options for the ViPNet program. A ViPNet host administrator's password is created by the ViPNet network administrator in ViPNet Key and Certification Authority or ViPNet Network Manager.
ViPNet Key and Certification Authority
A part of the ViPNet Administrator software. The ViPNet Key and Certification Authority administrator creates and updates keys for ViPNet hosts and manages certificates and certificate revocation lists.
ViPNet network
A logical network that is created and maintained with ViPNet software and consists of ViPNet hosts. A ViPNet network has a special addressing system, which provides for data exchange between its hosts. Each ViPNet network has its own unique number (host ID).
ViPNet network license
A permission to use a specified set of ViPNet software suite features. A ViPNet network license defines the network number, the maximum number of coordinators and clients, the maximum total number of addresses to be tunneled by coordinators of the network, the latest allowed ViPNet software version, the license expiration date, and other parameters.
ViPNet Network Manager
A program that is a part of the ViPNet VPN software suite. It is intended to create, configure, and administer small and medium-sized ViPNet networks. ViPNet Network Manager also functions as the certification and key authority.
ViPNet network structure
An ordered combination of links between the following ViPNet network components:
o a ViPNet network administrator's workstation;
o coordinators;
o clients.
Every client must be registered on a coordinator. Coordinators must be linked with the ViPNet administrator's workstation, and clients must be linked with the coordinator they are registered on. Other links are not mandatory and depend on your corporate security policy.
ViPNet SafeDisk-V
Software intended for the protection of sensitive information. You can store your private information in ViPNet SafeDisk-V after you create a special container, that is, an encrypted file on a disk or an external device.
Virtual IP address
An IP address that ViPNet host A uses, instead of the real IP address, to access the resources or tunneled resources of ViPNet host B. The virtual IP addresses for ViPNet host B are specified on ViPNet host A; other hosts may specify other virtual addresses for ViPNet host B. ViPNet host B may be allocated as many virtual addresses as it has real addresses. When the real addresses of ViPNet host B change, its virtual addresses specified on other hosts remain the same. Virtual IP addresses of tunneled hosts are mapped to the real IP addresses of these hosts and exist as long as the corresponding real IP addresses exist. Using virtual IP addresses allows you to avoid conflicts of real IP addresses when the address ranges of local networks overlap. You can also use these IP addresses to authenticate remote hosts in ViPNet software.
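The virtual address behaviour described in this entry (one virtual address per real address, stable across real-address changes, distinct even when two remote networks overlap, as in the private ranges listed under Private address), modelled as a small table kept on host A. This is an added illustration, not ViPNet code; the address pool, host identifiers and real addresses are constructed for the example.

```python
"""Stable virtual-to-real IP address table, as described in the glossary.

Added example, not ViPNet code. Host A keeps, for each remote ViPNet host B,
one virtual address per real address of B, allocated from a pool that must
not overlap A's own real ranges. A virtual address survives changes of B's
real addresses, and two remote hosts with the same real address (overlapping
branch networks) still get distinct virtual addresses.
"""
import ipaddress


class VirtualAddressTable:
    """Virtual address table kept on host A for the remote hosts it reaches."""

    def __init__(self, pool):
        # Constructed pool for the example; chosen outside the private ranges
        # the branches use so virtual addresses never collide with real ones.
        self._free = iter(ipaddress.ip_network(pool).hosts())
        self._virtual = {}   # host_id -> list of virtual addresses
        self._real = {}      # host_id -> list of real addresses (same order)
        self._owner = {}     # virtual address -> host_id

    def _allocate(self):
        try:
            return str(next(self._free))
        except StopIteration:
            raise RuntimeError("virtual address pool exhausted") from None

    def set_real_addresses(self, host_id, reals):
        """Register host_id, or update its real addresses, and return its virtuals.

        The host gets exactly one virtual address per real address. Virtual
        addresses already assigned are kept and re-bound by position; extra
        ones are allocated if the host gained real addresses, and surplus ones
        are released if it lost some (released addresses are not reused here).
        """
        reals = [str(ipaddress.ip_address(r)) for r in reals]
        virtuals = list(self._virtual.get(host_id, []))
        while len(virtuals) < len(reals):
            v = self._allocate()
            virtuals.append(v)
            self._owner[v] = host_id
        for v in virtuals[len(reals):]:
            del self._owner[v]        # host now has fewer real addresses
        virtuals = virtuals[:len(reals)]
        self._virtual[host_id] = virtuals
        self._real[host_id] = reals
        return list(virtuals)

    def resolve(self, virtual):
        """Translate a virtual address into (host_id, current real address)."""
        host_id = self._owner[virtual]   # KeyError if no longer assigned
        index = self._virtual[host_id].index(virtual)
        return host_id, self._real[host_id][index]


if __name__ == "__main__":
    table = VirtualAddressTable("198.18.0.0/24")
    # Two branch offices that both number their LAN from 192.168.1.0/24.
    print(table.set_real_addresses("branch-1", ["192.168.1.10"]))  # 198.18.0.1
    print(table.set_real_addresses("branch-2", ["192.168.1.10"]))  # 198.18.0.2
    # branch-1 renumbers its LAN; host A keeps reaching it via 198.18.0.1.
    print(table.set_real_addresses("branch-1", ["10.20.0.10"]))
    print(table.resolve("198.18.0.1"))  # ('branch-1', '10.20.0.10')
```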
Index
A
Application protocol • 141, 142
Asymmetric key • 278
C
Client • 37, 92, 191, 343
Conference • 158
CryptoPro • 310
D
DNS • 88, 92, 97, 101, 102, 104, 106
E
Encrypted instant messaging • 155
Encrypted traffic • 112, 114, 176
eToken Aladdin • 307
Event log • 208
F
File exchange • 66, 162
Filter • 114
Firewall • 111
I
iButton • 307
IP packets log • 14, 66, 176, 181, 182, 305
IP packets statistics • 66, 187
K
Key compromise • 47, 54
Key set • 47, 54, 298, 345
Keys and host links • 37, 41, 47, 50, 53, 63, 206, 276, 344
Keys folder • 37
L
Logon mode • 58, 206
N
Network address translation • 301, 345
Network filter • 114
O
Open Internet • 191, 347
P
Program configuration • 66, 189, 191, 208, 210
Protected network • 66, 114
Public network • 66, 114
R
Renewing a certificate • 50, 271, 272, 345
ruToken • 307
S
Shipka • 307
Smartcard • 307
Symmetric key • 216, 277, 298
T
Terminal server • 195
Tunneled host • 82, 92, 101, 107, 108, 109, 305, 347
Tunneled IP address • 82, 92, 108, 301
Tunneling • 82, 108, 347
U
Unencrypted traffic • 112, 114, 176
Updating keys and host links • 47, 50, 82, 208, 298
Upgrading the ViPNet Software • 31
V
ViPNet driver • 13, 14, 15, 82, 305, 310
ViPNet host administrator • 66, 201, 202, 205, 206, 208, 263, 266
ViPNet host status • 66, 171
ViPNet hosts remote management • 168, 194
ViPNet network administrator • 31, 50, 54
ViPNet network host • 66, 82, 91
Virtual IP address • 66, 82, 92, 97
W
WINS • 97, 101, 102, 104, 106