
INSTALLATION GUIDE ANYCONNECT ON WINDOWS WORKSTATIONS


Academic year: 2021


CONTENTS

1 INTRODUCTION

2 SOFTWARE DOWNLOAD

3 MOBILE CONNECTIVITY SOFTWARE INSTALLATION

3.1 IN GENERAL FOR ANY TYPE OF 3G/4G MODEM

3.2 IN PARTICULAR FOR THE MDT TYPE PANASONIC CF-19

4 PRE INSTALLATION CHECKS

5 INSTALLATION OF THE CISCO ANYCONNECT SOFTWARE CLIENT

6 CISCO ANYCONNECT PARAMETERS

6.1 RSA-SIG AUTHENTICATION METHOD USING A CERTIFICATE

6.1.1 Profile setup

6.1.2 Download the certificate.

6.1.3 Certificate installation

6.1.4 Installation of the certificate on machine level.

6.1.5 Setup the VPN connection

6.2 EAP-MD5 AUTHENTICATION METHOD USING USERNAME AND PASSWORD

6.2.1 Profile setup

1 INTRODUCTION

The Astrid MVNO project will allow all Blue Light services (Police, Fire, ...) to access their applications using a mobile terminal. Applications are stored in an Astrid Datacenter.

This document is a user guide for an Astrid MVNO user using a Windows PC device.

The prerequisites before implementing and configuring the software are:

- The setup file for installing Anyconnect

- The profile xml file to set up the connection with the Astrid VPN device

- If needed, the certificate for RSA authentication

2 SOFTWARE DOWNLOAD

All the files needed for the installation can be downloaded from the site ftp.astrid.be via the internet.

Remark: You must use FTP client software such as FileZilla to download the files! Don’t use your web browser to do this.

The FileZilla client can be downloaded from the internet at: https://filezilla-project.org/

The login and password to access the FTP server can be found in the letter sent to you by ASTRID.

3 MOBILE CONNECTIVITY SOFTWARE INSTALLATION

3.1 In general for any type of 3G/4G modem

In order to be able to connect to the mobile network, a 3G/4G modem needs to be installed together with its appropriate software.

Refer to the installation guide of your connectivity device for proper installation. Settings that need to be adjusted during the installation of the software are, in the profile management tab:

- APN: blm.astrid.be

- Authentication: CHAP needs to be enabled, and username “astrid” and password “astrid” are needed.

- If the application requires this information, roaming should be enabled.

- Network registration mode should be left on automatic.

- In some “Vodafone Mobile Broadband” clients an IPv4 number is mandatory; you can just fill in any number, e.g. 22

Check whether you are able to connect to the mobile network by pinging 43.16.16.37 and checking that you get a response.

3.2 In particular for the MDT type PANASONIC CF-19

1) Check if your CF-19 is equipped with a 3G modem.

- On the bottom of the device you can find the MODEL NO. With this MODEL NO., your local reseller should be able to tell you whether your device is equipped with a 3G modem.

- If there is a label on the bottom of the device showing an IMEI code, there is a large chance your device is equipped with a 3G modem.

2) Enable the wireless device by putting the switch located on the left side of the device in the ON position.

3) Put your SIM card into the slot at the back of the device.

4) If the Wireless WAN Manager is not already installed on your computer, download the file WirelessWANManagerUtil_V7.1.0.2_52V_W764_ss11636.exe and install it. (You can download this file from the ftp.astrid.be site, see chapter 2)

5) Start the Wireless WAN Manager.

7) Once you have entered the PIN code, you will have to configure the Wireless WAN Manager by going to the “Settings” pane.

8) In the “Settings” pane, check the “Launch Wireless Manager at Windows startup” button and click on the Advanced button.

10) In the advanced settings, go to the Profiles pane, select “Manual selection” and click on the New… button to make a new profile.

11) Give the new profile the name BLM, and assign it the APN name blm.astrid.be. A dummy username and password can be used, e.g. test/test, as these are not checked by the system.

13) Again in the Advanced settings, select “Manual selection”, choose the BLM profile, and click on Apply and Close.

15) The Wireless WAN Manager might ask you again if you want to connect to a foreign network. You can just click on Yes. This is normal due to the fact that ASTRID BLM is a roaming network.

4 PRE INSTALLATION CHECKS

Before installing the Cisco Anyconnect client, and especially if you’re installing on a machine with a FEDPOL image, you should check the following:

1) If your machine is running Windows XP, it should have SP3 installed. If not, you can download the file WindowsXP-KB936929-SP3-x86-ENU.exe and run it.

(You can download this file from the ftp.astrid.be site, see chapter 2)

2) Check if the following services are started:

- DHCP Client

- Wireless Zero Configuration

If not, go to Start -> Settings -> Control Panel. Double click on Administrative Tools and double click on Services. In the Services window, locate the service and double click it. Click on the Start button to start the service and change the Startup Type to Automatic.

3) Check if your machine has a “Verisign Class 3 Public Primary Certification Authority - G5” certificate.

If not, you can download the file PCA-3G5.pem. (You can download this file from the ftp.astrid.be site, see chapter 2)

To load the certificate, go to Run and type mmc and run the program. In Console1, go to File and select Add/Remove Snap-in.

Click on the Add button.

Select “Certificates” and click on the Add button. Select Computer account and click on the Next button. Select Local computer and click on the Finish button. Close the “Add standalone snap-ins:” window.

Click on the OK button in the “Add/Remove Snap in” window. In the Console1 window you should have the tree with certificates.

Under “Trusted Root Certification Authorities”, right click on “Certificates” and select “All Tasks” -> Import.

This opens the Certificate Import Wizard.

Click on Next, browse to the file PCA-3G5.pem (select All files (*.*) to see the .pem file) and open it.

Click on Next.

In the “Certificate store” window, where the proposed store is “Trusted Root Certification Authorities”, just click on Next.

Click on Finish.
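Checks 2 and 3 above can also be scripted. The following PowerShell script is an added example, not part of the original guide; it assumes PowerShell 2.0 or later, an elevated prompt, PCA-3G5.pem in the current directory, and a thumbprint placeholder that you replace with a value obtained from a source you trust.

```powershell
# Added example: automates checks 2 and 3 of chapter 4. Run from an elevated prompt.
$services = 'DHCP Client', 'Wireless Zero Configuration'   # display names from the guide
$rootName = 'VeriSign Class 3 Public Primary Certification Authority - G5'
$pemPath  = '.\PCA-3G5.pem'                                # assumed download location
# Placeholder: SHA-1 thumbprint of the root CA, obtained from a source you trust.
$expected = '<THUMBPRINT-FROM-TRUSTED-SOURCE>'

function Test-RequiredService {
    param([string]$DisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { return "MISSING  service '$DisplayName' does not exist on this system" }
    if ($svc.Status -ne 'Running') {
        # Same fix as the Services console: startup type Automatic, then start.
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
        $svc.Refresh()
    }
    "{0,-8} service '{1}'" -f $svc.Status, $DisplayName
}

function Test-Thumbprint {
    param($Cert, [string]$Where)
    # Thumbprints are compared without spaces; -eq ignores case.
    $state = if ($Cert.Thumbprint -eq ($expected -replace '\s', '')) { 'OK' } else { 'CHECK' }
    "{0,-8} {1}: {2} thumbprint={3} expires={4:yyyy-MM-dd}" -f $state, $Where, $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter
}

# Check 2: required services.
$services | ForEach-Object { Test-RequiredService $_ }

# Check 3: is the root CA already in the machine's Trusted Root store?
$installed = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$rootName*" })
if ($installed.Count -eq 0) { "MISSING  '$rootName' is not in Trusted Root Certification Authorities" }
$installed | ForEach-Object { Test-Thumbprint $_ 'store' }

# Inspect the downloaded file before importing it: a root CA is trusted for everything it signs.
if (Test-Path $pemPath) {
    $file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $pemPath).Path
    Test-Thumbprint $file 'file'
}
```

A `CHECK` line means the thumbprint differs from the reference value; on Windows 7 the “Wireless Zero Configuration” service is reported as missing because that display name exists only on Windows XP.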

5 INSTALLATION OF THE CISCO ANYCONNECT SOFTWARE CLIENT

The AnyConnect client is distributed as an installation package. First, you need to download the setup file to your workstation.

The file name is:

Anyconnect-win-3.1.04063-pre-deploy-k9.msi

(You can download this file from the ftp.astrid.be site, see chapter 2)

Launch the setup by double clicking on this file.

The following screen appears; press “Next”.

Wait until the setup finishes and press “Finish”.

6 CISCO ANYCONNECT PARAMETERS

There are two types of VPN, and the choice is made on the request form (see subscription request form).

- The preferred type is based on the installation of a certificate on the workstation (Mobile Data Terminal), which does not require the user to enter credentials when connecting. → Execute §6.1 hereunder, and skip §6.2.

- The second type is based on the usage of credentials (username + password), which requires the user to enter those credentials each time he makes a connection. → Skip §6.1 hereunder, and execute §6.2.

6.1 RSA-SIG authentication method using a certificate

6.1.1 Profile setup

The profile setup can be done by simply copying the profile xml file called astrid-cert-sdc.xml into the appropriate directory.

(You can download this file from the ftp.astrid.be site, see chapter 2)

For Windows XP this directory is:

“C:\Documents and Settings\All users\Application data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile”

If this directory is not visible go to “My Computer”, and select Folder Options under the Tools tab.

Under the View tab in the “Advanced settings” the “Show hidden files and folders” option should be selected.

Reboot your PC after copying the file.

For Windows 7 this directory is:

“C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile”

If this directory is not visible click on START and select Computer. Select “Organize” and click on “Folders and search options” to open the Folder Option window.

Select the “View” tab and click on the “show hidden files, folders, and drives” option.

6.1.2 Download the certificate.

- Connect your Windows workstation to the mobile network (but do NOT connect with Cisco Anyconnect).

- Go to the certificate server: http://43.16.16.37:8080/ejbca/ and click on Create Keystore (check that your proxy settings are disabled to access this site!)

- REMARK: This site is only accessible when connected to BLM; it is not accessible from the internet!

- In the authentication screen, enter your username and password (the username starts with cer….).

- Click on the OK button to download the certificate on your PC. DO NOT install it in your browser!

6.1.3 Certificate installation

Once you have downloaded the certificate file (.p12), or copied the certificate file to your Windows workstation, double click on it. The following screen appears.

Enter the certificate password provided by Astrid and press “Next”.

Then select the storing place for the certificate by clicking on the “Browse” button.

Validate with “Next”.

The certificate import is now done.

With this method only your user will be able to use the certificate for the VPN connection. If you want all users on the workstation to be able to use the VPN connection with the certificate, you will have to install the certificate on machine level (see next chapter).

6.1.4 Installation of the certificate on machine level.

- In Console1 go to File and select Add/Remove Snap-in.

- Close the “Add standalone snap-ins:” window by clicking on “Finish”.

- In the Console1 window you should have the tree with certificates.

- Select the Personal Certificates, go to All tasks and select Import…

- Follow the wizard and import the .P12 certificate (the one that was downloaded in chapter 6.2.3).

6.1.5 Setup the VPN connection

On your Windows screen, click on “Start”, then select and launch the “Cisco Anyconnect Secure Mobility Client”.

If the destination router “sdc-roucdcvpn01.blm.astrid does not appear in the Cisco Anyconnect Secure Mobility Client window, you should re-check the profile setup in 4.

6.2 EAP-MD5 authentication method using Username and Password

6.2.1 Profile setup

The profile setup can be done by simply copying the profile xml file called astrid-eap-sdc.xml into the appropriate directory.

(You can download this file from the ftp.astrid.be site, see chapter 2)

For Windows XP this directory is:

“C:\Documents and Settings\All users\Application data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile”

If this directory is not visible go to “My Computer”, and select Folder Options under the Tools tab.

Under the View tab in the “Advanced settings” the “Show hidden files and folders” option should be selected.

For Windows 7 this directory is:

“C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile”

If this directory is not visible click on START and select Computer. Select “Organize” and click on “Folders and search options” to open the Folder Option window.

Select the “View” tab and click on the “show hidden files, folders, and drives” option.

Reboot your PC after copying the file in the correct directory.

6.2.2 Setup the VPN connection

On your Windows screen, click on “Start”, then select and launch the “Cisco Anyconnect Secure Mobility Client”.

If the destination router “sdc-roucdcvpn01.blm.astrid does not appear in the Cisco Anyconnect Secure Mobility Client window, you should re-check the profile setup in 4.

Enter your credentials (username and password). Username and password are sent to you by mail.
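When the destination router does not appear in the client (sections 6.1.5 and 6.2.2), the guide says to re-check the profile setup. This PowerShell check is an added example, not part of the original guide; it assumes the standard AnyConnect profile layout (HostEntry elements containing HostName and HostAddress) and uses the gateway name exactly as printed above.

```powershell
# Added example: confirm an Astrid profile is in the AnyConnect Profile directory
# and list the gateways it defines.
$profileNames = 'astrid-cert-sdc.xml', 'astrid-eap-sdc.xml'   # file names from the guide
$expectedHost = 'sdc-roucdcvpn01.blm.astrid'                  # as printed in the guide
$subPath      = 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'

# Windows 7 defines %ProgramData%; Windows XP uses %ALLUSERSPROFILE%\Application Data.
$base = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$profileDir = Join-Path $base $subPath

function Get-ProfileHost {
    param([string]$Path)
    # Assumption: standard AnyConnect profile layout (ServerList/HostEntry).
    [xml]$doc = Get-Content -Path $Path      # throws if the file is not well-formed XML
    # local-name() avoids having to register the profile's default XML namespace.
    foreach ($entry in $doc.SelectNodes("//*[local-name()='HostEntry']")) {
        $name = $entry.SelectSingleNode("*[local-name()='HostName']")
        $addr = $entry.SelectSingleNode("*[local-name()='HostAddress']")
        New-Object PSObject -Property @{
            Name    = if ($null -ne $name) { $name.InnerText.Trim() } else { '' }
            Address = if ($null -ne $addr) { $addr.InnerText.Trim() } else { '' }
        }
    }
}

# Only the profile files that actually exist in the directory are examined.
$found = @($profileNames | ForEach-Object { Join-Path $profileDir $_ } | Where-Object { Test-Path $_ })
if ($found.Count -eq 0) { "MISSING  no Astrid profile found in $profileDir" }

foreach ($file in $found) {
    $hosts = @(Get-ProfileHost $file)
    # The client shows HostName; HostAddress is checked as well in case only it carries the name.
    $hit   = @($hosts | Where-Object { $_.Name -like "*$expectedHost*" -or $_.Address -like "*$expectedHost*" })
    $state = if ($hit.Count -gt 0) { 'OK' } else { 'CHECK' }
    "{0,-8} {1}: {2} host entries" -f $state, (Split-Path $file -Leaf), $hosts.Count
    $hosts | ForEach-Object { "         {0} -> {1}" -f $_.Name, $_.Address }
}
```

A `MISSING` line points to a copy into the wrong directory; a `CHECK` line means the file is present but does not list the expected gateway.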
