NetScaler 9000 Series
SSL VPN User’s Guide
for
Windows
®platform only
180 Baytech Drive San Jose, CA 95134
Phone: 408-678-1600, Fax: 408-678-1601 www.netscaler.com
WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF NETSCALER, INC.
ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. NETSCALER, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
Modifying the equipment without NetScaler’s written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
• Move the NetScaler equipment to one side or the other of your equipment.
• Move the NetScaler equipment farther away from your equipment.
• Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by NetScaler, Inc., could void the FCC approval and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of NetScaler, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved.
Contents
Chapter 1 : NetScaler SSL VPN Overview . . . 1 - 1
  1.0 NetScaler SSL VPN : Architecture . . . 1 - 2
  2.0 NetScaler SSL VPN : Key Features . . . 1 - 3
Chapter 2 : Getting Started with NetScaler SSL VPN . . . 2 - 1
  1.0 System Requirements . . . 2 - 2
  2.0 Starting a NetScaler SSL VPN Session . . . 2 - 3
  3.0 Using the SSL VPN Browser Plug-in . . . 2 - 8
    3.1 Accessing Services . . . 2 - 8
    3.2 Using Portal Tools . . . 2 - 9
      3.2.1 The Ping Tool . . . 2 - 9
      3.2.2 The Tip and Help Tools . . . 2 - 10
    3.3 Using Bookmarks . . . 2 - 10
    3.4 Accessing a Remote File System . . . 2 - 11
      3.4.1 Top Panel . . . 2 - 12
      3.4.2 Left Panel . . . 2 - 12
      3.4.3 Right Panel . . . 2 - 13
    3.5 Configuring the SSL VPN Browser Plug-in . . . 2 - 16
      3.5.1 General Tab . . . 2 - 17
      3.5.2 Tunnel Tab . . . 2 - 17
      3.5.3 Compression Tab . . . 2 - 21
      3.5.4 About Tab . . . 2 - 22
    3.6 Accessing Help . . . 2 - 23
    3.7 Terminating the SSL VPN Session . . . 2 - 23
Chapter 3 : Using Advanced Plug-in Features . . . 3 - 1
  1.0 Forward Proxy Support . . . 3 - 2
  2.0 Client Computer Security Check . . . 3 - 3
  3.0 Windows Client Cleanup . . . 3 - 4
    3.1 Windows Client Cleanup Dialog . . . 3 - 4
    3.2 Client Cleanup Item Listing Dialog . . . 3 - 6
Chapter 4 : Troubleshooting the SSL VPN Browser Plug-in . . . 4 - 1
  1.0 Debugging the SSL VPN Browser Plug-in . . . 4 - 2
  2.0 NetScaler SSL VPN Session Error Codes . . . 4 - 3
  3.0 Limitations . . . 4 - 9
Chapter 5 : FAQs . . . 5 - 1
Appendix A
Chapter 1 : NetScaler SSL VPN Overview
The NetScaler SSL VPN is a secure remote access solution that provides point-to-point communication between remote users, such as mobile employees, partners, or resellers, and a private enterprise network. It does so by creating a secure SSL-based tunnel between a user’s computer and the NetScaler 9000 system. This allows authorized remote users to gain access to critical business resources such as corporate intranets, shared file systems, native client/server applications, and terminal services.
This chapter provides an overview of the NetScaler SSL VPN features. The following topics are described in this chapter:
• NetScaler SSL VPN : Architecture
• NetScaler SSL VPN : Key Features
1.0 NetScaler SSL VPN : Architecture
When you log on to a Web site that is secured by the NetScaler SSL VPN, the NetScaler system instructs Internet Explorer to download the SSL VPN browser plug-in onto your computer. This plug-in is an ActiveX control that creates a secure channel of communication between your browser and the NetScaler system, and allows you to remotely access those resources you are authorized to use.
Once the SSL VPN browser plug-in is downloaded, you will be prompted to permit it to execute. The plug-in will monitor network activity. When a TCP or UDP application, like Telnet or Microsoft Outlook, connects to a server in the company's private network, the plug-in will intercept the connection, secure it using SSL, and redirect it to the server via the NetScaler SSL VPN. The NetScaler system then reconnects the application to the server. The routing decision is made based on the routes configured in the NetScaler 9000 system. This is illustrated in the following figure.
Figure 1 Interception of the SSL VPN browser plug-in
As shown in Figure 1, the plug-in inserts itself between the application layer and the kernel. It connects to the NetScaler SSL VPN device using an SSL-encrypted connection.
2.0 NetScaler SSL VPN : Key Features
The NetScaler SSL VPN supports:
• SSL 2.0, SSL 3.0, and TLS 1.0 protocols
• 1024-bit encryption
• All TCP/UDP-based applications
• CIFS file system access through NetBIOS/Web Interface
• Client computer security check, whereby the SSL VPN browser plug-in ensures that certain personal firewalls and antivirus applications are running on the client computer
• Forward proxy and proxy authentication support
• Deletion of cached Internet files generated on a Windows® client, after an
Chapter 2 : Getting Started with NetScaler SSL VPN
The preceding chapter covered the architectural details of the SSL VPN browser plug-in. In this chapter you will learn to use the plug-in. This chapter begins with a brief introduction to the system requirements for the plug-in. This is followed by detailed instructions on downloading and running the plug-in. The final section covers the various controls of the user interface. The following topics are described in this chapter:
• System Requirements
• Starting a NetScaler SSL VPN Session
• Using the SSL VPN Browser Plug-in
1.0 System Requirements
The system requirements for the SSL VPN browser plug-in are:
Operating system: MS Windows 98, Windows 2000, Windows NT, Windows ME, Windows XP, or Windows 2003 Server.
Web browser: Internet Explorer 5.5 and above.
Note The Windows version of the plug-in does not support LINUX or Mac OS. When using the NetScaler SSL VPN with these platforms, your computer will automatically download and install the multi-platform version of the plug-in. For details on using the SSL VPN with these platforms, refer to the SSL VPN User’s Guide for Windows, LINUX, Mac OS, and UNIX Platforms.
2.0 Starting a NetScaler SSL VPN Session
As mentioned earlier, the NetScaler SSL VPN has been designed to provide remote users access to authorized resources on a private network, over a secure connection. To establish a secure connection, you must first log on to the SSL VPN Web site. Contact your system administrator for the URL to this Web site, and the login credentials. The typical format for such a URL is as follows:
https://companyname.com
To log on to your company’s SSL VPN Web site
1. Type the URL of your company’s SSL VPN web site in the browser window. If your administrator has not configured a proper SSL certificate that identifies the server, the operating system will prompt you with a security alert asking your permission to access the NetScaler SSL VPN login window.
Figure 1 The Security Alert window.
The security alert indicates that there might be discrepancies in the certificate. For example:
• the certificate has expired.
• the domain name in the certificate does not match the domain name of the server.
Click the ‘No’ button and contact your VPN administrator before continuing to access the SSL VPN.
2. Open an Internet Explorer window and enter the URL of the SSL VPN web site. The SSL VPN login page is displayed.
Figure 2 SSL VPN Login page
3. Enter your username and password.
4. Click Go. When you log on to the SSL VPN system for the first time, a security warning is displayed as shown in the following figure. This warning prompts you to download the SSL VPN browser plug-in.
Figure 3 Security warning
5. Click Yes. The Secure Remote Access Session window is displayed as shown in the following figure, and the plug-in begins to download. A "Loading..." message is displayed in this window.
Figure 4 Session window with the “Loading..” message
6. When the download has completed, the Secure Remote Access Session window displays the following message: "Closing this window will exit SSL VPN Session". This indicates that the SSL VPN session is now active. The portal page configured by the administrator is displayed in the main browser window, as shown in the following figure.
Figure 5 Session window with the portal page in the background
Note If you are not automatically prompted to download the plug-in after successfully logging in, click the "Click here" hyperlink in the alternative page that is displayed. This alternative page is shown below.
Figure 6 Download prompt page
Note For details on working with a pop-up blocker, consult your system administrator.
3.0 Using the SSL VPN Browser Plug-in
The Secure Remote Access Session window is the graphical user interface to the SSL VPN browser plug-in. It allows you to access intranet sites, file systems, and mail. Closing the secure session window will end the session. As a result, you will be disconnected from the private network.
Figure 7 Secure Remote Access Session window.
The buttons on the Secure Remote Access Session window are described as follows:
• Services: Click this button to view the portal page. This page provides links to commonly accessed web sites on the corporate network.
• File Transfer: Click this button to download/upload files, from the network, via the web-based interface.
• Configuration: Click this button to configure the plug-in.
• Help: Click this button to access the help system.
• Logout: Click this button to log off from the SSL VPN session.
3.1 Accessing Services
The Portal page is created based on the data configured by the administrator. The Portal page is shown in Figure 8. This page lists the most commonly accessed intranet web sites and file systems. The administrator configures the links visible under the ‘Configured’ areas on this page. You can create your own bookmarks to appear under the ‘Personal’ bookmark sections. The next section illustrates using this feature.
Note Your VPN administrator may have customized the Portal page. So the appearance of the page may vary from what is shown in this guide.
Figure 8 Portal page
3.2 Using Portal Tools
The Portal page has several built-in tools to assist you in using the SSL VPN. These tools include a ping interface for checking the accessibility of network hosts, tips, and a link to the SSL VPN User’s Guide. All of these tools can be found in the left pane on the Portal page as shown in the previous figure.
3.2.1 The Ping Tool
The ping tool is used to check the accessibility of other computers on your intranet and on the Internet. This feature can help you in troubleshooting connectivity issues with your SSL VPN session in addition to determining whether or not a server which is hosting an intranet resource is answering on the network.
To use this tool, enter the IP address or hostname of the computer you wish to ping. Then click the ‘Ping’ button. The tool will respond with a message immediately below the entry box with the result of the ping.
3.2.2 The Tip and Help Tools
The Tip tool offers helpful hints on using the SSL VPN and its various features. The Help tool is used to access the SSL VPN User’s Guide. The User’s Guide includes not only instruction on using the SSL VPN but also lists error code explanations and other troubleshooting assistance.
3.3 Using Bookmarks
The NetScaler SSL VPN Portal allows you to create your own set of links to commonly accessed resources. These bookmarks may be links to either web sites or network accessible file systems on your intranet. You may also create bookmarks to external web sites on your portal page.
To create these bookmarks, click on the ‘add’ links on the right side of the page. Figure 9 below shows the new page.
In the ‘Name’ field, enter the label to be used for your new link. In the ‘Address Field’ enter either the uniform resource locator (URL) for the website you are creating a link to or the network path to the fileserver you wish to add a link for. Once done, select the ‘Add’ button to apply the new link or ‘Cancel’ to exit the window without making any changes.
Note The system automatically differentiates between website addresses (URLs) and network file system paths based on the format in which they are entered. Hence you do not need to specify which type of resource your link is for when you create it.
3.4 Accessing a Remote File System
This page allows you to log on to the intranet and access shared resources. The following figure illustrates the various components of this page.
Figure 10 File Transfer page.
The following sections cover the various components of the File Transfer page.
3.4.1 Top Panel
The top panel of the browser window displays a number of buttons that will allow you to perform various tasks, pertaining to the storage and transfer of files.
Click this button to log on to the corporate network or a specific computer on that network.
Click this button to navigate to the preceding folder in the folder tree.
Click this button to refresh the contents of the active folder.
Click this button to create a subfolder within the folder that is selected.
Click this button to download the file from the remote server.
Click this button to upload the file from the local client computer to a folder in the remote file server.
Click this button to delete the file from the remote machine.
Click this button to change the name of a file or folder, which is selected.
Click this button to disconnect NetScaler SSL VPN from the remote server.
3.4.2 Left Panel
The servers, their directories, and the directory structure are displayed in a tree format in the left panel as shown in the following figure. Click the + icon to view a subfolder.
Figure 11 Left panel
3.4.3 Right Panel
The right panel displays the Login Server window. Use this window to log on to the file system on the intranet or an appropriate file server. To access the file system, leave the Login Server field blank or click the Network Neighborhood link in the left panel.
To log on to a file server
1. Enter the IP address or the name of the server in the Address field.
Note If you leave this field blank, you will be logged on to the file system on the intranet. Alternately, if you type \\servername\c$, you can access the hidden shared folders on the server.
3. Enter your password in the Password field. If you do not have a password, leave the field blank.
4. Enter a valid domain name. If you have not been assigned a domain, leave the field blank.
The right panel now displays the subfolders and files as shown in the following figure. The location of the active folder is displayed in the Address field.
Figure 12 Right panel
To download a file from a remote server
1. Select the file.
2. Click the Download icon. The File Download window is displayed.
3. Click the Save button. The Save As dialog box is displayed as shown in the following figure.
Figure 13 Save As dialog box
4. Navigate to the appropriate folder, and click the Save button to save the file.
To upload a file to the remote server
1. Select the file in the local machine.
2. Click to upload the file to the remote server.
To remove a folder, subfolder, or file
1. Select the file, folder, or subfolder.
2. Click the Delete icon. The file is deleted from the remote machine.
Note A parent folder that contains subfolders cannot be removed. To delete a parent folder with subfolders, you need to delete the subfolders first and then delete the parent folder.
3.5 Configuring the SSL VPN Browser Plug-in
Use the Configuration window to configure the SSL VPN browser plug-in and monitor the status of the server.
Figure 14 General tab
The Configuration window is divided into several tabbed panes. The controls under each tab are described in the following sections.
3.5.1 General Tab
Runtime data pertaining to SSL VPN browser plug-in is displayed in the General Tab. This tab consists of the following group boxes:
• General Information
• Tunneled Connections
3.5.1.1 General Information
The fields within this group box are:
• Status: This label indicates whether the SSL VPN browser plug-in is connected or not.
• Duration: This label shows the duration for which the SSL VPN browser plug-in has been online. This duration is displayed in the hh:mm:ss format.
• Idle Time: This label indicates the duration for which the SSL VPN browser plug-in has been idle. This duration is displayed in the hh:mm:ss format.
• User name: This label reflects the user name logged in to the current session.
• Bytes Sent: This label indicates the quantity of data, in bytes, that has been uploaded from the SSL VPN browser plug-in to the NetScaler system.
• Bytes Received: This label indicates the quantity of data, in bytes, that has been downloaded from the NetScaler system through the SSL VPN browser plug-in.
3.5.1.2 Tunneled Connections
This panel provides a snapshot of various parameters such as process ID, IP address of the server, bytes sent, bytes received, and connection duration time for a particular tunneled connection.
3.5.2 Tunnel Tab
This tab consists of the following group boxes:
• Split Tunneling
• Domain/IP Conflict
• Network Conflict
Figure 15 Tunnel Tab
3.5.2.1 Split Tunneling
For security reasons, some corporations require that all the traffic pertaining to the end user pass through the SSL VPN when the end-user is connected to the corporate network. This is to ensure that a hacker logged on to the client PC is disconnected as soon as the SSL VPN comes up. Without this feature the hacker would be able to use the violated PC as a jumping off point to attack the corporate network.
When Split Tunneling is enabled, the plug-in forces all intranet connections through the SSL VPN tunnel, while Internet connections are routed directly to the external server. When Split Tunneling is disabled, the plug-in forces all connections, both internal and external, through the SSL VPN tunnel.
This group box consists of two buttons, Enable and Disable, to control split tunneling. If your administrator has disabled split tunneling, all items in this panel will be dimmed out, and you will not be allowed to perform any configuration tasks. If your administrator has enabled split tunneling, you will have control over this feature. To disable Split Tunneling, click the Disable button. Click the OK button to save your changes.
3.5.2.2 Domain/IP Conflict
This group box consists of controls that can be set to prevent domain conflicts. All DNS lookups are performed locally. When the lookup fails, the system resorts to a remote lookup on the intranet via the SSL VPN tunnel. In such cases, a local domain name might conflict with a domain name within the intranet. Such conflicting domain name(s) can be configured on the plug-in using the Configuration window. This ensures that a remote intranet lookup is performed prior to looking up that domain name locally.
The following example illustrates this concept. A remote private network has a domain named "paris". A client, connecting to this network, also has a domain named "paris" in their local network. When you type http://paris in the browser window, the plug-in performs a domain name lookup. The plug-in then routes the connection to the local domain if the configured network subnet does not enforce the routing to the remote private network. Alternately, if the remote domain "paris" is configured in the Configuration window, the plug-in performs the domain name lookup in the remote private network. The connection is then tunneled to the remote private network if the configured network subnet enforces similar tunneling. You can add wildcard intranet domain suffixes, such as "*.mycompany.com".
Note When split tunneling is disabled, the local domain is not included during the lookup and the Domain/IP Conflict pane is disabled.
To add domain names/IP addresses that can be accessed in the remote private network
1. Enter the domain name/IP address of the host and click Add.
2. Click Apply to save the changes.
To remove a domain name/IP address from the list
1. Deselect the domain name/IP address from the list.
2. Click Apply to save the changes.
To remove all domain names/IP addresses from the list
1. Click Remove All.
3.5.2.3 Network Conflict
This group box consists of controls that can be set to prevent network conflicts. Currently, all connections that match the configured destination intranet subnets are routed to the remote private intranet network. It is possible that a remote user's machine or network might have a network identity (host with an IP address or a network subnet) that conflicts with a host or subnet in the remote private network.
For example, consider a scenario where both the remote and local networks have a subnet IP address of 192.168.0.0 with a netmask of 255.255.0.0. The application needs to connect to the local network. To force this to happen, deselect the conflicting network subnet in the Configuration window. The plug-in routes all connections for that subnet to the local network.
To connect to the same subnet on the remote network (default behavior), select the network subnet again in the Configuration/Tunnel window.
Note When split tunneling is disabled, access to the local network is disabled. This group box is unavailable when split tunneling is disabled.
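The split tunneling, Domain/IP Conflict and Network Conflict rules described in the preceding sections, modelled as an added example in Python. This is not NetScaler's plug-in code (the guide does not show its implementation); the DNS tables, subnets and host names are constructed for illustration.

```python
"""Per-connection routing model for the Tunnel tab settings (added example)."""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class TunnelConfig:
    split_tunneling: bool                 # Split Tunneling group box: Enable / Disable
    intranet_subnets: list                # destination intranet subnets set by the administrator
    deselected_subnets: set = field(default_factory=set)   # Network Conflict: unticked subnets
    intranet_domains: list = field(default_factory=list)   # Domain/IP Conflict entries, "*" allowed


def lookup_order(cfg: TunnelConfig, hostname: str) -> list:
    """Order in which a name is resolved: 'remote' (intranet DNS over the tunnel) or 'local'."""
    if not cfg.split_tunneling:
        return ["remote"]            # the local domain is not included during the lookup
    if any(fnmatchcase(hostname.lower(), p.lower()) for p in cfg.intranet_domains):
        return ["remote", "local"]   # configured conflict: intranet lookup first
    return ["local", "remote"]       # default: local lookup, remote only when it fails


def route(cfg: TunnelConfig, dest_ip: str) -> str:
    """'tunnel' (through the SSL VPN) or 'direct' (local network) for a destination address."""
    ip = ipaddress.ip_address(dest_ip)
    if not cfg.split_tunneling:
        return "tunnel"              # all connections, internal and external, use the tunnel
    for subnet in cfg.intranet_subnets:
        if ip in ipaddress.ip_network(subnet):
            # A deselected (conflicting) subnet is routed to the local network instead.
            return "direct" if subnet in cfg.deselected_subnets else "tunnel"
    return "direct"


def connect(cfg: TunnelConfig, hostname: str, local_dns: dict, remote_dns: dict):
    """Resolve hostname in the configured order, then route the resulting address.

    Returns (dns_source, ip, route) or None when neither DNS knows the name.
    """
    for source in lookup_order(cfg, hostname):
        table = remote_dns if source == "remote" else local_dns
        if hostname in table:
            ip = table[hostname]
            return source, ip, route(cfg, ip)
    return None


# Constructed sample environment: "paris" exists on both the local and the remote network.
LOCAL_DNS = {"paris": "172.16.4.20", "www.example.net": "203.0.113.10"}
REMOTE_DNS = {"paris": "10.1.2.3", "intranet.mycompany.com": "10.0.5.5"}
INTRANET = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    plain = TunnelConfig(split_tunneling=True, intranet_subnets=INTRANET)
    fixed = TunnelConfig(True, INTRANET, intranet_domains=["paris", "*.mycompany.com"])
    print(connect(plain, "paris", LOCAL_DNS, REMOTE_DNS))   # local paris, routed directly
    print(connect(fixed, "paris", LOCAL_DNS, REMOTE_DNS))   # remote paris, tunneled
    conflict = TunnelConfig(True, INTRANET, deselected_subnets={"192.168.0.0/16"})
    print(route(conflict, "192.168.0.50"))                  # direct: subnet deselected
```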
To avoid Network Conflicts
1. Deselect the networks from the list of networks.
2. Click Apply to save the changes.
3.5.2.4 Trace Tab
You can debug the plug-in by studying the traces that it generates when it is active. Use the options in this window to enable or disable the generation of a trace file. Once enabled, the plug-in writes traces to the file specified in the Trace Filename field.
Figure 16 Trace Tab
3.5.3 Compression Tab
The compression tab displays statistics about the current SSL VPN session’s TCP traffic compression rates, broken down by individual connections. The columns on this tab include the following statistics.
• Port: The port number the connection is communicating on.
• UncmpDataSize: Size of the data before compression is applied.
• CmpDataSize: The data size after compression is applied.
• Bandwidth Saving: The approximate bandwidth savings by the use of compression, expressed as a percentage. This is calculated as the actual data size minus the compressed data size, divided by the actual data size.
• CmpRatio: The compression ratio, based on the actual data size versus the compressed data size.
Note Bandwidth savings may occasionally show as a negative value. This happens most frequently with applications such as Telnet, where transmitted data is sent in very small pieces, and with other applications where data is precompressed.
Figure 17 Compression Tab
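An added example, not part of the NetScaler software, that recomputes the Compression tab's columns for constructed sample traffic and shows why the savings figure goes negative for tiny Telnet segments and for precompressed data. It uses zlib as a stand-in because this guide does not name the plug-in's compression algorithm.

```python
"""Recompute the Compression tab statistics per connection (added example, zlib stand-in)."""
import zlib
from dataclasses import dataclass


@dataclass
class CompressionRow:
    port: int
    uncmp_data_size: int = 0   # UncmpDataSize column
    cmp_data_size: int = 0     # CmpDataSize column

    @property
    def bandwidth_saving(self) -> float:
        """Bandwidth Saving: (actual - compressed) / actual as a percentage; negative on expansion."""
        if self.uncmp_data_size == 0:
            return 0.0
        return 100.0 * (self.uncmp_data_size - self.cmp_data_size) / self.uncmp_data_size

    @property
    def cmp_ratio(self) -> float:
        """CmpRatio: actual size divided by compressed size."""
        if self.cmp_data_size == 0:
            return 0.0
        return self.uncmp_data_size / self.cmp_data_size


def measure(port: int, segments: list) -> CompressionRow:
    """Compress each TCP segment on its own, as a per-segment tunnel would, and total the sizes."""
    row = CompressionRow(port)
    for segment in segments:
        row.uncmp_data_size += len(segment)
        row.cmp_data_size += len(zlib.compress(segment))   # header + checksum overhead per segment
    return row


# Constructed sample traffic for three connections.
TELNET_KEYSTROKES = [c.encode() for c in "ls -la\r"]        # port 23: one byte per segment
HTTP_RESPONSE = [b"<html><body>" + b"<tr><td>row</td></tr>" * 200 + b"</body></html>"]
PRECOMPRESSED = [zlib.compress(b"".join(HTTP_RESPONSE))]    # e.g. a zip or gzip download

if __name__ == "__main__":
    for port, segments in ((23, TELNET_KEYSTROKES), (80, HTTP_RESPONSE), (8080, PRECOMPRESSED)):
        r = measure(port, segments)
        print(f"Port {r.port:5d}  Uncmp {r.uncmp_data_size:6d}  Cmp {r.cmp_data_size:6d}  "
              f"Saving {r.bandwidth_saving:7.1f}%  Ratio {r.cmp_ratio:.2f}")
```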
3.5.4 About Tab
This window displays the version, supported features, and web site information for this SSL VPN session and software.
3.6 Accessing Help
The Help window on the Secure Remote Session window displays the help system for the plug-in. To access this window, click the Help button.
3.7 Terminating the SSL VPN Session
To log off from the SSL VPN session, close the Secure Remote Access Session window or click the Logout button. This will disconnect all active connections. All in-memory session cookies are deleted. If Client Cleanup is enabled, the Client Cleanup window is displayed. For details, refer to the next chapter.
Chapter 3 : Using Advanced Plug-in Features
This chapter introduces you to some of the advanced features of the SSL VPN browser plug-in. The first section covers the forward proxy settings for the plug-in. This is followed by a section that covers the Client Computer Security Check feature of the plug-in. The last section covers the procedure for enabling Client-side Cleanup. When enabled, this feature causes the plug-in to delete all the temporary files during the log off process. These files are generated during an SSL VPN operation on the client machine, and may pose a security threat. The following topics are described in this chapter:
• Forward Proxy Support
• Client Computer Security Check
• Windows Client Cleanup
1.0 Forward Proxy Support
Forward proxy servers support Internet access for a number of clients through a single server for security, caching, or filtering. If your network uses a Forward Proxy server, you need to configure your Web browser to point to that Forward Proxy server when accessing SSL VPN.
When the plug-in runs on a computer, it begins to function as the Forward Proxy server. When the Forward Proxy server requires authentication, the following window is displayed.
Figure 1 Forward proxy setting
You need to enter an appropriate login name and password in this window for further action. If you enter an incorrect login name or password, the window will be displayed again.
2.0 Client Computer Security Check
The SSL VPN administrator can configure the plug-in to enforce a security policy on the client computer. A security policy is typically meant to ensure that security applications are installed and running. Security applications typically include personal firewalls, anti-virus packages, and customized applications or services. The plug-in performs a security check to ensure that the security policy is adhered to.
These checks can be performed against numerous aspects of your computer’s operating system. The NetScaler system can also enforce the following security requirements:
• Installed files on the client file system
• Administrator specified services and processes
• Personal firewall software
• Anti-virus applications
• Internet security suites
• Customized applications or services
These security checks can be performed once on login to the SSL VPN and also at periodic intervals during an active SSL VPN session, as specified by the administrator. If a security check fails at any of these points, the plug-in will not be able to access the NetScaler SSL VPN, even if successfully authenticated. If you are currently logged in and a security check fails, you will be disconnected from the SSL VPN. When a security check fails, the plug-in will alert you to the failure, including the cause along with an error code. If you receive an error message such as this, make a note of it and contact your VPN administrator to rectify the failed security requirement on your computer as soon as possible.
3.0 Windows Client Cleanup
The temporary files generated on the client computer during an SSL VPN session could pose a security threat. These files can be misused to obtain confidential information. To eliminate this threat, the SSL VPN browser plug-in supports the cleanup of the files after the SSL VPN session is closed. This feature, however, needs to be enabled by the system administrator. If the system administrator enables this feature, a client cleanup dialog window is displayed when you log off from the SSL VPN session. This feature is explained in this section.
3.1 Windows Client Cleanup Dialog
When you select the Logout button from the Secure Remote Session window, you may be presented with the Client Cleanup dialog discussed here. If your VPN administrator has configured the SSL VPN to not present this dialog, you will not see it when you log out.
The system administrator can also configure the NetScaler system to delete some groups of files before this dialog box is displayed. In this scenario, the options corresponding to these configured groups are disabled when this dialog box is displayed.
This dialog box provides four options.
• If you click the ‘Cleanup’ button, the plug-in opens another dialog box (described shortly) that allows you to select individual items for removal based on the check boxes you select along the left side of this dialog box.
• If you click the ‘View logfile’ button, you will be presented with a log of the cleanup mechanism’s actions during this session.
• If you click the ‘Launch browser and Exit’ button, the session logs out and the Login page is displayed again.
• If you click the ‘Exit’ button, the plug-in exits.
The following sections explain the check box options in this window.
Clean up browser cache, cookie, and temporary files
When you select this option and click the ‘Cleanup’ button, data that is stored in the browser cache is selected for deletion by the plug-in. Browser caching improves performance by storing local copies of data accessed via the Web. The NetScaler system supports the deletion of all cached files, which have been accessed/created during the SSL VPN session, and does not differentiate between files cached from the intranet or internet web sites. The plug-in also supports the cleanup of temporary files and cookies.
Clean up history and browser typed URLs in the address bar
When you select this option, all the URLs stored by the browser and the history data added during this session are deleted by the plug-in. All browser windows must be closed for this information to be cleaned up.
Clean up password and auto complete information stored by IE
Selecting this option adds all of the auto complete data that Internet Explorer stored during your session to the cleanup list. This auto complete data includes user names and passwords, credit card numbers, and any other data entered while filling in forms on web sites.
Close file transfer browser window
When you select this option and click the Cleanup and Exit button, all the directory and file information buffered by the File Transfer browser is deleted by the plug-in. The same cleanup also takes place if the file transfer window is still active when the SSL VPN session is terminated. Close this window before you exit the SSL VPN session.
Clean up NetScaler ActiveX Browser Plug-in
When you select this option and click the Cleanup and Exit button, the plug-in is deleted from the hard disk of the client computer. The plug-in is downloaded again from the NetScaler VPN gateway at your next login.
Clean up Client Authentication Certificate
If SSL client certificate authentication was used during your session, use this option to select for removal the residual certificates that the SSL authentication process stored on your system.
Clean up application data created by IE
Selecting this option allows the cleanup process to remove all non-roaming (not stored on an external server) application data, such as user preferences, temporary files, and application state information, that was created locally during the session.
Close all applications, which have accessed the SSL VPN services
When you select this option and click the Cleanup and Exit button, the plug-in closes certain processes. These processes correspond to the applications that access the SSL VPN service during the SSL VPN session. This will prevent the leakage of sensitive information buffered by the application.
3.2 Client Cleanup Item Listing Dialog
When you select the Cleanup button from the Client Cleanup dialog, you will be presented with the window shown in Figure 3. The items that populate this dialog are shown based on the options you select from the previous Client Cleanup dialog.
The listing is broken up into two sections. The upper section lists all the browser cache, cookie, and URL files marked for deletion. The lower section lists all the other items selected for removal, which are Windows Registry entries.
Each item in these two listings has a checkbox before it that you may use to individually select and deselect items for clean up.
The buttons on this page perform the following actions.
• Check All: Clicking this button will mark all items in the listings for removal.
• Uncheck All: Using this button will unmark all the items in the listings.
• Cleanup!: This button initiates the clean up procedure. Once you click this button, items marked for clean up will be permanently removed and you will be returned to the Client Cleanup dialog.
• Exit: This button exits the dialog, returning you to the Client Cleanup window. If you have not selected the Cleanup! button, no items will be removed when you click the Exit button.
Chapter 4
Troubleshooting the SSL VPN Browser Plug-in
This chapter covers the troubleshooting of the SSL VPN browser plug-in. The following topics are described in this chapter:
• Debugging the SSL VPN Browser Plug-in
• NetScaler SSL VPN Session Error Codes
1.0 Debugging the SSL VPN Browser Plug-in
You can configure the plug-in to run in debug mode. In this mode, the SSL VPN browser plug-in logs all of its major activities into an ASCII file. These ASCII files, also known as log files, are stored in the file system.
On Windows 95/98/ME, you must specify the names of these files in the following format:
• hooklog<num>.txt
• nssslvpn.txt
Use the hooklog<num>.txt file for debugging the interception code and the nssslvpn.txt file for debugging the plug-in.
On Windows NT/2000/XP/2003, you can specify the file name. The default filename is c:\nssslvpn.txt.
You can use these log files to debug and troubleshoot the plug-in. Mail the log files to NetScaler Support if you encounter any problems; because the trace records the plug-in's activity during the session, review it for sensitive information before sending it. To enable the creation of these files, select the Enable Client Trace option in the Trace pane of the Configuration window. Turn the option off again once the problem is resolved, so that session activity is not written to disk during normal use.
2.0 NetScaler SSL VPN Session Error Codes
The error codes displayed by the NetScaler SSL VPN session window fall into the ranges shown in Table 1.
Note: All 2xxx and 3xxx error messages are displayed in black.
Table 2 lists the specific error codes displayed by the SSL VPN session and provides a description of each.
Table 1 Error code ranges displayed in the Session window
Error Code   Description
0001-1000    Normal operation
1001-2000    Internal error
2001-3000    SSL VPN browser plug-in errors
3001-4000    Browser errors
4001-5000    Windows Client Side Cleanup errors
Table 2 Specific error codes displayed by the SSL VPN session
Each entry gives the code, the message shown in the session window, an explanation, and the recommended action.

0001 "Loading ..."
Explanation: The plug-in is loading the configuration and the interception software; the SSL VPN session is not yet ready to tunnel connections/data.
Action: None.

0002 "Closing this window will exit the SSL VPN session"
Explanation: The plug-in is functioning and is ready to tunnel connections/data to the NetScaler 9000 system.
Action: None.

0003 "Closing this window will exit the SSL VPN session"
Explanation: The plug-in is functioning and the client system has been secured with the appropriate security software (e.g. anti-virus packages and a personal firewall). The plug-in is ready to tunnel connections/data to the NetScaler 9000 system.
Action: None.

0004 "Exiting ..."
Explanation: Displayed when the user clicks the Logout button in the Secure Session window; the plug-in has begun to close the SSL VPN session.
Action: None.

1001 "Internal Error, please report to admin"
Explanation: The plug-in failed to open the interception file.
Action: Reboot your computer and log on to a Windows account that has administrative privileges.

1002 "Internal Error, please report to admin"
Explanation: The version of the plug-in and the version of the interception software do not match.
Action: Log off from the SSL VPN session, clean up the plug-in, and log in again. Contact NetScaler Support to obtain the correct version.

1003 "Internal Error, please report to admin"
Explanation: The plug-in failed to allocate memory.
Action: Log off from the SSL VPN session and log in again. Report this problem to NetScaler Support.

1004 "Internal Error, please report to admin"
Explanation: The plug-in was unable to call a Windows library function successfully.
Action: Report this problem to NetScaler Support.

1005 "Internal Error, please report to admin"
Explanation: The plug-in failed to create the temporary interception file. This error occurs when the user does not have Write permission on the Windows system directory.
Action: Ensure that the Windows account has write permission on the Windows system directory (c:\windows\system32 or c:\windows\system). Contact the system administrator.

1006 "Internal Error, please report to admin"
Explanation: The plug-in failed to obtain the list of running applications when it tried to check whether a specific application was running.
Action: Contact the system administrator.

1007 "Internal Error, please report to admin"
Explanation: The plug-in failed to check whether a particular security service (a personal firewall or an anti-virus service) was running.
Action: Ensure that the security service is running.

1008 "Internal Error, please report to admin"
Explanation: The SSL VPN client has a socket-handling problem.
Action: Log off from the SSL VPN session and log in again.

1009 Reserved error code number
Explanation: N/A
Action: N/A

1010 "Login failed."
Explanation: The Pocket PC client failed to log in to the SSL VPN.
Action: Make sure the correct username/password is provided.

1011 "Failed to download configuration"
Explanation: The plug-in failed to download the configuration from the VPN gateway after three attempts.
Action: Make sure the network is up and that the plug-in version matches the NetScaler kernel version. Refer to Appendix A at the end of this guide for instructions on manually uninstalling the plug-in; uninstalling it forces the correct plug-in version to be downloaded from the NetScaler VPN gateway at the next login.

1012 "Failed to initialize plugin (num)."
Explanation: The plug-in failed to initialize. The ‘num’ value gives a further error indicator.
Action: Close other unneeded applications. If the error persists, contact your VPN administrator or NetScaler.

2001 "SSL VPN session has been timed out"
Explanation: Your SSL VPN session has timed out.
Action: Click the Logout button on the Secure Remote Access Session window to log off from the SSL VPN session, then log in again.

2002 "Please install dsclient.exe"
Explanation: The plug-in was unable to detect dsclient.exe on the client machine. This software, from Microsoft Corp., enables SSL encryption/decryption on some Windows platforms.
Action: Contact the system administrator to download and install dsclient.exe on your Windows 98 or Windows 95 client computer.

2003 "SSLVPN configuration issue"
Explanation: The SSL VPN has not been configured correctly on the NetScaler CLI.
Action: Contact the system administrator to configure the SSL VPN correctly.

2004 "Need to install endpoint security software"
Explanation: At least one of the required endpoint security software packages is not installed.
Action: Contact the system administrator to install the required security software.

2005 "Need to upgrade endpoint security software"
Explanation: The endpoint security software has not been upgraded to the required version.
Action: Contact the system administrator to upgrade the required security software.

2006 "Required security software is not activated"
Explanation: A required endpoint security software package is installed but has not been activated.
Action: Run the required security software.

2007 "Hook doesn't match plug-in version"
Explanation: The interception code does not match the version of the plug-in.
Action: Log out and log in again.

2008 "Plug-in version mismatch"
Explanation: The plug-in that was downloaded does not match the version of the NetScaler kernel.
Action: Log off from the Web site, remove the plug-in manually, and log in again. In Internet Explorer, go to Tools > Internet Options > Settings > View Objects and delete the "nsload Control" icon.

2009 "Proxy requires unsupported authentication"
Explanation: The proxy requires an authentication method that the plug-in does not support.
Action: Report the problem to NetScaler.

2010 "Proxy authentication failed, need to relogin."
Explanation: You clicked the Cancel button in the proxy authentication prompt.
Action: Log off and log on again.

2011 "Hook activation failed."
Explanation: The plug-in failed to activate the network socket interception code.
Action: Automatic installation of the plug-in requires administrative privilege. For non-administrative Windows accounts, the plug-in must be installed manually.

2012 "Failed to validate SSL Certification."
Explanation: The plug-in failed to validate the SSL certificate presented by the gateway; an incorrect SSL certificate is bound on the NetScaler VPN gateway.
Action: Contact the system administrator; the certificate bound to the VPN gateway must be corrected on the NetScaler. Do not work around this error on the client, since the plug-in is refusing to tunnel to a gateway whose identity it could not verify.

2013 "Failed to parse forward proxy setting."
Explanation: The plug-in failed to parse the Internet Explorer forward proxy setting.
Action: Correct the Internet Explorer configuration under Tools > Internet Options > Connections > LAN Settings, and ensure that the correct configuration is in place.

2014 “Need to stop software "XYZ"“
Explanation: The client security check detected that a disallowed software process is running. The actual name of the detected software is displayed in place of ‘XYZ’.
Action: Stop the detected software process before logging in to the SSL VPN again.

3001 "Another session is running"
Explanation: Another SSL VPN session is already running on the same client machine. The SSL VPN supports only one session per machine.
Action: Close the other SSL VPN session and log on again.

3002 "You need to login first"
Explanation: You have to provide authentication details to connect to the SSL VPN. This message is displayed when you try to bypass the login process and access the plug-in directly.
Action: Log on with an authenticated account.

3003 "Support Microsoft IE4 and later only"
Explanation: Internet Explorer was not detected on the client machine, or the installed version is older than version 4. The SSL VPN supports Microsoft Internet Explorer version 4 and above.
Action: Upgrade Internet Explorer and log in again.

3004 “Failed to load plugin, contact VPN admin“
Explanation: The plug-in could not load. This may be due to any one of several reasons, including settings on your PC or insufficient user privileges.
Action: Check your user privileges on your computer as well as your PC’s network configuration. Contact your VPN administrator if the problem persists.

3005 "Invalid username or password"
Explanation: The username and password entered are incorrect. Another possible reason is that the backend authentication server was not available at login time.
Action: Verify that the username and password are correct and re-enter them.

4001 "Internal Error"
Explanation: The plug-in did not forward cleanup information to the client software.
Action: None.
3.0 Limitations
The plug-in does not currently support:
• NetBIOS/UDP-based applications and TCP console type applications on Windows 95, 98, and ME.
• Browsing Network Neighborhood.
• NetBIOS P-node type.
• Traceroute and Active FTP.
• Browsing of shared folders in the Windows 98 file system server through
Chapter 5
FAQs
Q 1 Why does the NetScaler SSL VPN need a Windows account with administrative privileges?
The SSL VPN browser plug-in inserts a new layer between the application and Windows Kernel. This operation requires administrative privilege in a Windows account.
Q 2 Why does NetScaler SSL VPN not work with MS Windows 9x?
The MS Windows 9x operating system does not support encryption/ decryption for SSL/SSPI, which is required for NetScaler SSL VPN. If the plug-in identifies that the encryption library is not installed, it will display an error message page. Click the hyperlink "Click Me" in the error message page to install the required encryption library (dsclient.exe). Please follow the instructions provided by the software to install the encryption library and reboot the machine after the installation. The dsclient.exe encryption library is provided by Microsoft.
Q 3 Does NetScaler SSL VPN use a client side IP address?
Unlike a traditional IPSec VPN, the NetScaler SSL VPN does not set an IP address on the client machine. The plug-in uses the client machine's original IP address to connect to the NetScaler SSL VPN Web site. Whether backend servers see that address depends on the configuration of the NetScaler system: if USIP (use source IP) is enabled, the server sees the client IP address; otherwise it does not.
Q 4 How does the SSL VPN browser plug-in make routing decisions?
The NetScaler SSL VPN server forwards the static routing entries configured on the NetScaler system to the remote user's plug-in. The plug-in intercepts every outgoing connection and tunnels it to the NetScaler SSL VPN server only if the destination IP address matches one of the downloaded routing entries/subnets. If no match is found, the connection is not tunneled and is routed to the remote client machine's default router.
When the NetScaler is configured with split tunnel OFF, all traffic is tunneled to the NetScaler.
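The decision described in Q4 can be checked from the client side. The following is an added example, not NetScaler code: it applies the same rule (tunnel if the destination IP falls inside a downloaded route, otherwise send it to the default router, and tunnel everything when split tunnel is OFF) to a constructed list of route entries. The route strings and the two accepted formats (CIDR and "network mask") are assumptions for illustration; the real download format is not documented on this page.

```python
"""Split-tunnel routing decision as described in FAQ Q4.

Added illustration, not NetScaler code. SAMPLE_ROUTE_ENTRIES is constructed
sample data standing in for the static routes the gateway pushes to the
plug-in; the real download format is not documented here.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of "downloaded routing entries": two intranet ranges.
SAMPLE_ROUTE_ENTRIES = ["10.0.0.0/8", "172.16.0.0 255.240.0.0"]


def parse_routes(entries: Iterable[str]) -> List[Network]:
    """Turn route strings into network objects.

    Accepts CIDR ('10.0.0.0/8') and 'network mask' ('172.16.0.0 255.240.0.0')
    forms; blank entries are skipped. strict=False tolerates host bits set in
    the network part, which static route tables often contain.
    """
    routes: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if " " in entry:
            network, mask = entry.split(None, 1)
            entry = f"{network}/{mask}"
        routes.append(ipaddress.ip_network(entry, strict=False))
    return routes


def should_tunnel(dest: str, routes: List[Network], split_tunnel: bool = True) -> bool:
    """Decide whether a connection to `dest` goes through the SSL VPN tunnel.

    split_tunnel=False mirrors "split tunnel OFF" on the NetScaler: every
    connection is tunneled. With split tunnel on, only destinations inside a
    downloaded route are tunneled; everything else goes to the client's
    default router and is therefore not protected by the VPN.
    """
    if not split_tunnel:
        return True
    addr = ipaddress.ip_address(dest)
    return any(addr.version == net.version and addr in net for net in routes)


def route_decisions(dests: Iterable[str], routes: List[Network],
                    split_tunnel: bool = True) -> Dict[str, str]:
    """Map each destination to 'tunnel' or 'direct' to see what leaves the tunnel."""
    return {d: ("tunnel" if should_tunnel(d, routes, split_tunnel) else "direct")
            for d in dests}


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_ENTRIES)
    targets = ["10.1.2.3", "172.20.0.5", "93.184.216.34"]
    for mode in (True, False):
        print("split tunnel", "ON " if mode else "OFF", route_decisions(targets, routes, mode))
```

Because the match is made on the destination IP address only, any host whose resolved address lies outside the pushed routes is reached directly, so the route list the administrator configures on the NetScaler determines exactly what the VPN does and does not protect.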
Q 5 Why doesn't the SSL VPN work when my Personal Firewall is enabled?
The NetScaler SSL VPN opens a server port on the local PC. The default port number is 3128. If that port is already in use by another application, the plug-in searches for the next available port, up to and including 3138. If no port in that range is available, the SSL VPN will not work. The SSL VPN connection also fails when a personal firewall blocks the port that the plug-in has opened.
Q 6 What should the client do when Windows crashes?
The client does not need to do anything in the event of a Windows crash. After the operating system reboots, you can log on to the NetScaler SSL VPN again. The NetScaler system inserts a layer into the operating system dynamically, and no temporary files are left on the Windows file system. There is one exception: if you have configured a forward proxy on the browser, you might lose that configuration information. If this happens, reconfigure the browser after Windows is rebooted.
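The port search described in Q5 can be checked before logging in. The following is an added example, not part of the NetScaler plug-in: it tries port 3128 first, then each port up to 3138, and reports failure when none can be bound, which is the condition under which the FAQ says the SSL VPN will not work. The bind test is real; the `is_free` parameter is an assumption of this example that lets the search be exercised against a simulated port map.

```python
"""Pre-flight check of the SSL VPN plug-in's local listener port (FAQ Q5).

Added example, not part of the NetScaler plug-in. It reproduces the search
the FAQ describes: try port 3128 first, then each port up to 3138, and give
up if none can be bound.
"""
import socket
from typing import Callable, List, Optional

PLUGIN_PORT_FIRST = 3128  # default listener port, per the FAQ
PLUGIN_PORT_LAST = 3138   # last port the plug-in tries, per the FAQ


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if a TCP listener can be bound to host:port right now.

    A successful bind only proves that no other application holds the port;
    it says nothing about whether a personal firewall will let connections
    reach it, which is the other failure the FAQ describes.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
            sock.listen(1)
        except OSError:
            return False
    return True


def find_plugin_port(is_free: Callable[[int], bool] = port_is_free,
                     first: int = PLUGIN_PORT_FIRST,
                     last: int = PLUGIN_PORT_LAST) -> Optional[int]:
    """Return the first free port in [first, last], or None if every port is taken.

    None is the failure case in the FAQ: the SSL VPN will not work.
    """
    for port in range(first, last + 1):
        if is_free(port):
            return port
    return None


def occupied_ports(is_free: Callable[[int], bool] = port_is_free,
                   first: int = PLUGIN_PORT_FIRST,
                   last: int = PLUGIN_PORT_LAST) -> List[int]:
    """Ports in the plug-in's range that another application already holds."""
    return [port for port in range(first, last + 1) if not is_free(port)]


if __name__ == "__main__":
    taken = occupied_ports()
    chosen = find_plugin_port()
    print("ports already in use:", taken or "none")
    if chosen is None:
        print("no free port in %d-%d: the SSL VPN plug-in cannot start"
              % (PLUGIN_PORT_FIRST, PLUGIN_PORT_LAST))
    else:
        print("plug-in would listen on port", chosen)
```

Run it on the client before logging in; if it reports ports in use, the application holding them (not the firewall) is what the plug-in is colliding with. If every port is free and the session still fails, the personal firewall's handling of the chosen port is the next thing to check.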
Q 7 Why can't NetBIOS access data on my computer?
One reason could be that your computer runs Windows 95, 98, or ME. These operating systems do not support native NetBIOS through the plug-in; use the Web-based File Transfer application to download/upload files instead. If your computer does not run one of these operating systems, ensure that it is not set to P-node. You can run the following command to find out the node type:
C:\> ipconfig /all
To change it to H-node, open the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters
Carefully make the following change:
Name: DhcpNodeType
Value Type: REG_DWORD - Number
Value: 8 (the standard Windows value for H-node; P-node is 2)
If a NodeType value is also present in this key, Windows uses it in preference to DhcpNodeType, so change that one as well. Reboot for the change to take effect.
Appendix A
Uninstalling the SSL VPN Browser Plug-in
To uninstall the plug-in, perform the following procedure.
1. Launch Internet Explorer.
2. Select Internet Options from the Tools menu. The Internet Options dialog box is displayed.
Figure 1 Internet Options dialog box
3. Click Settings. The Settings dialog box is displayed.
Figure 2 Settings dialog box
4. Click View Objects. The Downloaded Program Files folder is displayed. This folder contains all of the Web browser plug-ins. The plug-in is labeled Nsload Control.
Figure 3 Downloaded Program Files folder
5. To uninstall the plug-in, right-click Nsload Control and select Remove from the shortcut menu.