
BorderGuard® Client

Version 4.4

November 2013

Blue Ridge Networks 14120 Parke Long Court, Suite 103

Chantilly, Virginia 20151 703-631-0700

WWW.BLUERIDGENETWORKS.COM

All Products are provided with RESTRICTED RIGHTS.

Use, duplication or disclosure by the Government is subject to restrictions set forth herein and in sub-paragraphs (a) through (d) of the Commercial Computer-Restricted Rights clause at FAR 52.227-19, as applicable.


Table of Contents

1 Introduction ... 3

1.1 Overview ... 3

2 Hardware and Software Requirements... 3

2.1 Software ... 3

2.2 Hardware ... 3

3 Operation ... 3

3.1 Installing BorderGuard Client ... 3

3.1.1 Prerequisites ... 4

3.1.2 Installing from CD or Disk Drive ... 4

3.1.3 Installing using SMS or SCCM ... 4

3.2 Running BorderGuard Client ... 4

3.2.1 First Time Use when using Security Tokens ... 4

3.2.2 Connecting BorderGuard Client using a Security Token ... 5

3.2.3 Connecting BorderGuard Client using a Crypto Ignition Key ... 5

3.2.4 Connecting BorderGuard Client using an X.509 Certificate ... 6

3.2.5 Disconnecting from your Home Network ... 12

3.2.6 Viewing Logs... 12

1 Introduction

1.1 Overview

The BorderGuard (BG) Client is used to securely connect a Windows PC to a remote Home Network (the customer’s or agency’s internal network) after the end-user’s identity is validated. There are three different authentication methods used by the BorderGuard Client. The first is a BorderGuard Client Security token. When the Security Token is inserted into a USB port, the BorderGuard Client application will prompt for a PIN number. After the PIN is validated, BorderGuard Client will connect to the remote Home Network specified on the Security Token. Security Tokens are generated using the Token Utility which can be downloaded from the BorderGuard Management Console. After the Security Token is created, a PIN must be generated on the token using the BorderGuard PIN utility.

The second authentication method is to use an X.509 Identification Certificate. This certificate can be installed on the user’s PC or it can be located on a smart card (such as a CAC or PIV card) inserted into the PC. Also optionally, after the PC has network connectivity to the Home Network, the BorderGuard Client can be configured to terminate the connection if an Active Directory Smart Card Authentication is not performed.

The third authentication method is a USB Crypto Ignition key. In this case, a policy on the key indicates that a PIN is not required and the client will connect without prompting for a password as soon as the key is inserted into a USB port.

2 Hardware and Software Requirements

2.1 Software

• Microsoft Windows Vista, Service Pack 2 and above (32 and 64 bit).
• Microsoft Windows 7, Service Pack 0 and above (32 and 64 bit).
• Microsoft Windows 8, Service Pack 0 and above (32 and 64 bit).

2.2 Hardware

• Multi-core processor recommended:
  • Recommended: Core 2 Duo (>=1.8 GHz) or better
  • Minimum: Pentium 4 with hyper-threading enabled (>=2.4 GHz) or better
• 1.00 GB of available RAM (2.0 GB recommended).
• 200 MB free hard disk space.

3 Operation

3.1 Installing BorderGuard Client

NOTE: BorderGuard Client should not be installed on any PC that already has a Blue Ridge VPN Client installed on it that uses an iKey for two-factor authentication. Any previous version of BorderGuard Client must be uninstalled prior to installing the latest version.

3.1.1 Prerequisites

• Disable any Antivirus software.
• Close all applications and utilities.
• The system should have at least the minimum configuration described above.

3.1.2 Installing from CD or Disk Drive

1. To run the installation program, log on as a user with local administrator rights on the system. The installation will check the rights and terminate with an error if the user does not have local administrator privileges on the system.

Note: The user does not require administrator privileges to run the application; administrator privileges are only required for installation.

2. If AppGuard Consumer is installed, lower the AppGuard protection level to “Install” or “Off” prior to initiating the BorderGuard Client installation software.

3. If AppGuard Enterprise is installed on the PC, use the Administrator Mode to disable all AppGuard protections and stop the AppGuard Service. Refer to your AppGuard Enterprise System Administrator for more information.

4. Launch the setup program from either the CD or disk drive.

5. Follow the installation directions.

6. Reboot the workstation if prompted.

3.1.3 Installing using SMS or SCCM

Launch setup.exe with the following parameters:

• /S  Suppress messages from setup.exe
• /v  Pass the parameters below to msiexec.exe:
  • /qn  Quiet, with no user interface
  • /Log <LOG_FILE_PATH>  Log the install to a file
  • REBOOT=ReallySuppress

Notes:

• Parameters are encased in double quotes.
• Everything is case sensitive.

3.2

Running BorderGuard Client

3.2.1 First Time Use when using Security Tokens

The very first time that you use your Security Token in a particular USB port, a plug and play


This should only happen the very first time that a particular USB port is used with the BorderGuard Client. Double click on the BorderGuard Client tray icon to initiate another connection.

3.2.2 Connecting BorderGuard Client using a Security Token

To start the client, insert your token into a USB port and you will be prompted for a PIN (if you have not received a PIN, please contact your system administrator):

Once the PIN is validated, the client will verify that there is connectivity to the Blue Ridge BorderGuard network security appliance. Once connectivity is verified, the client will establish an encrypted tunnel to the home network. While the connection is being established, the BorderGuard Client tray icon will blink until the secure connection is complete. When the connection process is complete, status notification is provided at the tray icon:

Likewise, when the tunnel has been dropped, a status notification of the change is displayed:

Move the cursor over the icon at any time to view a tool tip displaying the current status.

3.2.3 Connecting BorderGuard Client using a Crypto Ignition Key

A Crypto Ignition Key is a special security token which has an embedded policy that indicates a PIN is not required in order to initiate a connection. As soon as the Crypto Ignition Key is inserted into a USB port, the Client will validate the key and initiate a VPN Connection to a BorderGuard listed in the connection policy on the Key.


The Crypto Ignition Key may be used during PC boot up in order to establish a tunnel prior to logging into the PC. This facilitates Active Directory login remotely through the tunnel. When using this feature, the LED on the Crypto Ignition Key provides connection status:

On: During PC boot up, if the Crypto Ignition key is inserted prior to the BorderGuard Client service starting, this indicates that the USB driver has recognized that the key has been inserted

Steady Double Blink: Indicates that the Client is reading the token and is in the process of connecting.

Steady Single Blink: Indicates that the Client is connected.

Off: Indicates that either the key’s USB driver is not functioning or that the Client has encountered an error when validating the key.

Steady Triple Blink: Indicates that the Client is resetting the Cryptographic Engine.

3.2.3.1 Using the Crypto Ignition Key during boot up

When a Crypto Ignition Key is used to initiate a connection prior to logging in, services to establish Network Connectivity and to enable USB device drivers must be started on the PC. Because this may take several minutes, it is recommended that the Crypto Ignition Key be inserted after the Windows Login screen is displayed. Once the key is inserted, USB drivers will recognize the event and the token’s LED will be lit. Next, the client will validate the token’s policy settings and initiate a connection to the BorderGuard. During this step, the LED will blink twice in quick succession if the crypto key can be validated. If it cannot be validated, the LED will be turned off. When a connection has been established, the LED will blink steadily. The connection can be terminated by removing the Crypto Ignition key or by clicking on the client tray icon.

3.2.4 Connecting BorderGuard Client using an X.509 Certificate

Connecting the client using an X.509 certificate requires that a connection profile be defined on the PC for each user. Once the profile is created and saved, connecting is as simple as double-clicking on the BorderGuard Client tray icon. Connection status notification is provided as shown in section 3.2.2 above.

There are three different methods of creating profiles:

3.2.4.1 Manually Create the Profile

To create a profile, right-click on the BorderGuard Client tray icon and select “Open BorderGuard…” from the tray menu:


To create a connection profile, enter the following fields:

• Profile Name: Enter a name for this profile. This name will appear on the client’s main user interface.

• Description: This is an optional description of the connection profile.

• BorderGuard: Enter the IP address of the BorderGuard that the client will connect to.

• Certificate: Click on the “Select” button to select an X.509 certificate for authentication to the BorderGuard. If using a certificate on a smart card, be sure to insert your smart card prior to clicking on this button:

If your policy requires Active Directory Authentication, click on the check box in the upper left-hand corner. This will cause only certificates which are valid for Active Directory authentication to be displayed.

• Auto Reconnect: Check this box if you wish to have the client automatically reconnect if the connection should get disrupted.

• Commands Tab (optional): The commands tab is used to run programs or scripts at various trigger points during the connection process:

  • Before connecting: This command will run before the connection process is initiated.

  • After connecting: This command will run after the connection is established.

  • Before disconnecting: This command will run after a user explicitly disconnects (i.e. disconnects by clicking on the Disconnect button or selecting Disconnect from the tray menu) the BorderGuard Client.

  • After disconnecting: This command will run after the BorderGuard Client has disconnected from the BorderGuard.


Also, if a command is included in the policy it will take precedence over any command that is entered by the end-user.

• Alternate BorderGuards (optional): This tab is used to enter additional BorderGuards that will be connected to when the primary BorderGuard does not respond:

To add an Alternate BorderGuard, enter an IP address and then click on the Add button. To change the order of the BorderGuards, click on the up and down arrows as desired. If Load Spreading is selected, the client will randomly connect to one of the BorderGuards in the Alternate List as well as the BorderGuard entered on the main Connection Profile page, resulting in load sharing between all BorderGuards in the list. In the example shown above, the Client will randomly connect to either 65.202.129.8 or 65.202.129.9. If Load Spreading is not selected, then the client will always connect to the BorderGuards in the order listed.

• Disaster Recovery BorderGuards (optional): This tab is used to enter additional BorderGuards that will be connected to if the primary BorderGuard and all Alternate BorderGuards do not respond.

Note: a connection to the disaster recovery BorderGuards will be attempted if and only if all of the other BorderGuards (primary and alternate) could not be reached.

After the profile information is entered, click on OK. The profile will now appear in the Profile drop down box on the main user interface:


3.2.4.2 Automatically create each user’s profile from the “All Users” profile

This method of creating the profile is especially useful when BorderGuard Client will be used by multiple users on the same PC. In this case, the administrator will create a connection profile manually (refer to Section 3.2.4) and edit the file to remove certificate information. The file(s) should be copied to the C:\ProgramData\Blue Ridge Networks\Profiles directory on the target PC. The first time that a user double-clicks on the BorderGuard Client icon, the All Users connection profile will be copied to the currently logged on User’s profile directory. Since the certificate fields are not included in the All Users Connection profile, the user will be prompted to select a certificate:

Once the certificate is selected, click on OK and the client will proceed with the connection. To create the All Users connection profile, follow the instructions in Section 3.2.4. Once the profile is saved, locate the profile in the current user’s profile directory:

C:\Users\<user_name>\AppData\Roaming\Blue Ridge Networks\Profiles


the target PC. BorderGuard Client will now use the connection profile file(s) found in this directory to create connection profile files for any user that logs in and uses the BorderGuard Client for the first time.

3.2.4.3 Automatically create the profile based on information embedded in the Certificate

The BorderGuard Client is also able to automatically create a connection profile based on information that is embedded in the Initials field of the Certificate. Of course this feature cannot be used in the case where the certificates are being generated by an outside Certificate Authority (such as for U.S. Government CAC/PIV cards), but when generating certificates using the BorderGuard Management Console this option can be quite useful.

When using this feature, the end-user does not have to create a profile or select a certificate. In this case, when the end-user double-clicks on the tray icon, the BorderGuard Client will search for a certificate in the user’s Certificate Store that contains a BorderGuard IP in the Initials field. If a certificate is found containing the BorderGuard IP, a connection profile using the information embedded in the Initials Field will be created. Note: the first certificate found with an embedded BorderGuard IP will be used.

On the BorderGuard Management Console ID Certificates page, create a template containing the BG IPs:

Once the template is saved, additional ID certificates with the desired Profile can easily be created by loading the template when creating new certificates.

Populate the Initials field as follows to use the auto-profile features:

1. To specify a Primary BG:

///BG=<ip>///

The first BG is interpreted as the primary BG and all additional “BG=<ip>” are interpreted as Alternate BGs.

3. To specify Disaster Recovery BGs: ///BG-=<ip>/BG-=<ip>///

4. To specify Load Spreading, enter “LS=<0|1>”: ///BG=<ip>/BG=<ip>/LS=<0|1>///

By default, Load Spreading is enabled (“LS=1”).

5. To specify a Static IP (used by the Client’s Virtual Network Interface Card when connected to the Home Network):

///IP=<ip>/NM=<net mask>/GW=<gateway>/DNS=<ip >/WINS=<ip>///

The DNS and WINS specifications are optional. The maximum number of DNS IP addresses is 3. The maximum number of WINS IP addresses is 2.

6. The client can use combinations of any of the above:

///IP=10.0.10.5/NM=255.255.255.255/GW=10.0.10.1/DNS=10.0.10.3/BG=1.2.3.4/BG=1.2.3.5/BG-=11.22.33.44/BG-=11.22.33.55/LS=1///
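The Initials-field format above, as an added parser written for this page (it is not Blue Ridge Networks’ code, and the sample string is constructed to match the manual’s combined example): it applies the stated rules (first BG= is primary, later BG= are alternates, BG-= are disaster recovery, LS defaults to 1, at most 3 DNS and 2 WINS addresses) and also models the connection order of section 3.2.4.1, where disaster recovery BorderGuards are tried only after the primary and alternates.

```python
import ipaddress
import random

# Constructed sample, shaped like the manual's combined example; not from a real certificate.
SAMPLE_INITIALS = ("///IP=10.0.10.5/NM=255.255.255.255/GW=10.0.10.1/DNS=10.0.10.3"
                   "/BG=1.2.3.4/BG=1.2.3.5/BG-=11.22.33.44/BG-=11.22.33.55/LS=1///")
MAX_DNS, MAX_WINS = 3, 2  # limits stated in the manual


def _ip(value):
    return str(ipaddress.ip_address(value))  # rejects anything that is not an IP literal


def parse_initials(initials):
    """Parse a '///KEY=value/.../' Initials string into a connection-profile dict.

    Rules as the manual states them: the first BG= is the primary BorderGuard,
    later BG= entries are alternates, BG-= entries are disaster recovery
    BorderGuards, LS defaults to 1 (load spreading on), and IP/NM/GW describe
    the static address of the client's virtual NIC (DNS and WINS are optional).
    """
    if not (initials.startswith("///") and initials.endswith("///")):
        raise ValueError("Initials field is not wrapped in ///...///")
    p = {"primary": None, "alternates": [], "disaster_recovery": [],
         "load_spreading": True, "static": {}, "dns": [], "wins": []}
    for item in filter(None, initials[3:-3].split("/")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed entry {item!r}")
        if key == "BG" and p["primary"] is None:
            p["primary"] = _ip(value)
        elif key == "BG":
            p["alternates"].append(_ip(value))
        elif key == "BG-":
            p["disaster_recovery"].append(_ip(value))
        elif key == "LS":
            if value not in ("0", "1"):
                raise ValueError("LS must be 0 or 1")
            p["load_spreading"] = value == "1"
        elif key in ("IP", "NM", "GW"):
            p["static"][key] = _ip(value)
        elif key in ("DNS", "WINS"):
            p[key.lower()].append(_ip(value))
        else:
            raise ValueError(f"unknown key {key!r}")
    if p["primary"] is None:
        raise ValueError("no BG= entry, so no primary BorderGuard")
    if p["static"] and set(p["static"]) != {"IP", "NM", "GW"}:
        raise ValueError("a static address needs IP, NM and GW together")
    if len(p["dns"]) > MAX_DNS or len(p["wins"]) > MAX_WINS:
        raise ValueError("too many DNS or WINS addresses")
    return p


def connection_order(profile, rng=None):
    """Primary and alternates (shuffled when load spreading is on, as listed
    otherwise), then disaster recovery BorderGuards, reached only after all others."""
    first = [profile["primary"]] + profile["alternates"]
    if profile["load_spreading"]:
        (rng or random).shuffle(first)
    return first + profile["disaster_recovery"]
```

Feeding the parser an Initials value from an untrusted certificate is where the checks matter: every field is validated as an IP literal and unknown keys are rejected rather than silently ignored.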

3.2.5 Disconnecting from your Home Network

To disconnect from the Home Network, perform one of the following:

• If using a Security Token or Crypto Ignition Token, remove the token.
• Right-click on the tray icon and select “Disconnect” from the tray menu:

3.2.6 Viewing Logs

This will display an interface which shows the log files:

From this Window, select the Logs you wish to view and click on “View Logs.” The logs will be opened with NotePad. The Logs can also be deleted from this menu.

3.2.7 Troubleshooting

3.2.7.1 Initial Connection

When using a Security Token, if the BorderGuard Client cannot reach a BorderGuard, it will display the following message:

This is an indication of one of the following:

1. There is no network connectivity: verify that you have Internet access.

2. The BorderGuards are down: consult your administrator to determine this.

3. The BorderGuard IP addresses or UDP ports are being blocked by a firewall or router.

4. The Token has been disabled.

“DpfPing.exe”, a utility installed with the BorderGuard Client, can be used to troubleshoot issues where Firewalls or routers are blocking access to BorderGuard IP addresses or UDP ports. To use DpfPing, open a DOS command prompt and navigate to the BorderGuard Client Program Files directory:


On 64-bit systems, the BorderGuard Client is located in the “Program Files (x86)\Blue Ridge Networks” directory. On 32-bit systems, the BorderGuard Client is located in “Program Files\Blue Ridge Networks.” Executing “DpfPing” without any command line parameters will display the command line syntax, but generally the two most useful commands are:

Dpfping <ip_address> -u<udp_port>

and

Dpfping <ip_address> -u<udp_port> -rnv

3.2.7.2 Additional Logs

In addition to the Connectivity Logs discussed in Section 3.2.6, the BorderGuard Client provides logs that may be requested by customer support when trouble-shooting connection problems. These logs provide more detail about the activity of each of the BorderGuard Client components during a connection. These logs can be exported by selecting the “Options->Export Log” menu item on the Client’s user interface:

Select a folder such as your “My Documents” folder or Desktop and click on OK. The client will collect all BorderGuard Client related logs and compress them into a file named “brn.cab” in the selected folder. Email the file to Blue Ridge Networks customer support ([email protected]).

3.2.7.3 Debug Log

When requested by customer service, even more information may be gathered by enabling the Debug Log. This should only be done at customer service’s request as this may have some performance impacts. To enable the debug log, select “Options->Enable Debug Log” menu item on the client’s User Interface:
