Shaw Secure VPN Gateway (IVE) User Guide

Author: IT Security and Compliance, Shaw Cablesystems G.P.

Status
This document is final. Additions and changes will be made as different products are supported or common troubleshooting steps are identified.

Index
1 2 3 Supported Systems Quick Start System Requirements 3.1 Minimum Hardware Requirements

3.2 Minimum Software Requirements 3.2.1 Qualified Platform 3.2.2 Compatible Platform 3.2.3 Core Functionality (Web and File Browsing) 3.2.4 Advanced Functionality 3.2.4.1 Client-side Java Applets 3.2.4.2 Secure Terminal Access 3.2.4.3 Java version of Secure Application Manager (J-SAM) 3.2.4.4 Windows version of Secure Application Manager (W-SAM) 3.2.4.5 Network Connect 3.2.4.6 Host Checker 3.2.4.7 Secure Virtual Workspace 3.2.4.8 Cache Cleaner 3.2.4.9 Terminal Services 3.2.5 Windows Vista Support 3.3 Checking and Upgrading Software Versions 3.3.1 Windows 3.3.1.1 Performing Windows Update 3.3.1.2 Internet Explorer 3.3.2 Firefox 3.3.3 Sun JRE (Java Runtime Environment) and MS JVM 3.3.4 Red Hat and Fedora Core Linux 3.3.5 Macintosh 3.3.5.1 Safari 3.3.5.2 Netscape 3.3.6 Solaris 3.3.7 Mozilla 4 Logging In 4.1 Host Checker and Cache Cleaner
PAGE 1 OF 26

COMPANY CONFIDENTIAL

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

4.2 Authentication 4.2.1 Authentication Failure 5 Home Page 5.1 Browser Bar 5.1.1 Floating Browse Bar 5.2 5.3 5.4 Browse Field Web Bookmarks Files

5.5 Terminal Sessions 5.5.1 Telnet and SSH Sessions 5.6 Client Application Sessions 5.6.1 Network Connect 5.6.1.1 Network Connect and Internet Explorer 6 Secure Meetings 6.1 6.2 7 8 9 10 10.1 10.2 Scheduling Meetings Conducting Meetings

Logging Out Frequently Asked Questions (FAQ) Troubleshooting Document Information People Document History

1 Supported Systems
The Shaw secure VPN gateway allows access to a limited set of resources from any internet browser. This includes home office computers and personal computers that are not supported by Shaw IT services. Unless your workstation or laptop was provisioned by Shaw IT services then we cannot guarantee support or connectivity to the VPN gateway. Your personal system may not meet the minimum security requirements to connect to the VPN or be incorrectly configured. This document is indented to be used as an installation and troubleshooting guide in the event you have problems connecting.

2 Quick Start
Shaws Secure VPN Gateway is accessible from anywhere on the internet and basic functionality is delivered entirely over the web. To access the gateway simply browse to the following address: http://ive.sjrb.ca Important: Although the secure gateway checks for malicious software installed on your system, if you suspect you have a virus or you system shows any unexpected behaviour (i.e. popups, unexpected shutdowns, extremely degraded performance), DO NOT attempt to launch the VPN. If you have a Shaw
COMPANY CONFIDENTIAL PAGE 2 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

computer please have it examined by IT Desktop Services, otherwise have it checked for malicious software by a qualified professional before connecting.

3 System Requirements
3.1 Minimum Hardware Requirements

The minimum recommended hardware requirements for client systems to utilize the full functionality of the VPN gateway are as follows: CPU Memory Hard Disk Network Operating System Pentium III 733MHz or equivalent 256 MB 20 GB 10/100 Ethernet with broadband internet connection See Minimum Software Requirements below

3.2
3.2.1

Minimum Software Requirements

Qualified Platform

The platforms listed in the qualified category have been systematically tested by QA as part of the current release.

3.2.2

Compatible Platform

The platforms listed in the compatible category have not been systematically tested by our QA department in this release but based on testing in previous releases and knowledge of the platform Juniper Networks (the secure gateway vendor) expects that the functionality will work and will fully support these platforms.

3.2.3
-

Core Functionality (Web and File Browsing)

Windows XP Pro SP1: Internet Explorer 6.0, Firefox 2.0 Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0, Firefox 2.0 Windows 2000 SP4: Internet Explorer 6.0, Internet Explorer 5.5, Netscape 8.0, Firefox 1.5 Windows 98 SE: Internet Explorer 6.0, Netscape 4.79 Mac OS X 10.4: Safari 2.0 Mac OS X 10.3.2: Safari 1.1, Internet Explorer 5.2 Mac OS X 10.2.8: Safari 1.0 Mac 9.2: Internet Explorer 5.1.5 and Netscape 4.79 Suse Linux 10: Firefox 2.0 Fedora Core 5: Firefox 2.0

Qualified platforms:

Compatible platforms: Windows Server 2003: Internet Explorer 6.0 Windows XP Home Edition: Internet Explorer 6.0, Firefox 1.5 and greater Windows XP Media Center Edition 2002: : IE 6.0
PAGE 3 OF 26

COMPANY CONFIDENTIAL

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Windows XP SP1 and SP2: AOL 8.0 Windows 2000 SP4: Firefox 1.5 and greater. Mac OS X 10.2.8: Safari 1.1 and greater Suse Linux 9.3: Mozilla 1.6 and Firefox 1.5 and greater Red Hat Linux 9.0: Mozilla 1.6 and Firefox 1.5 and greater Solaris 9: Mozilla 1.4

3.2.4
3.2.4.1

Advanced Functionality
Client-side Java Applets

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0 running Sun JRE 1.5.0_07, Firefox 2.0 running Sun JRE 1.5.0_07 Windows 2000: Internet Explorer 6.0 running Sun JRE 1.5.0_07, Internet Explorer 5.5 SP2 running Microsoft JVM, Firefox 1.5 running Sun JRE 1.4.2 Windows 98 SE: Internet Explorer 6.0 running MS JVM. Mac OS X 10.4: Safari 2.0 running Java 1.5 Mac OS X 10.3.2: Safari 1.1 and above running Java 1.4.2_09 Mac OS X 10.2.8: Safari 1.0 running Java 1.4.1_01 Suse Linux 10: Firefox 2.0 running Sun JRE 1.5.0_07 Fedora Core 5: Firefox 2.0 running Sun JRE 1.5.0_07

Compatible platforms: Windows XP Pro SP1: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Home Edition: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Media Center Edition 2002: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater. Windows 2000: Internet Explorer 6.0 running MS JVM or Sun JRE 1.4.1_01 and greater, Internet Explorer 5.5 SP2 running MS JVM or Sun JRE 1.4.1 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1_01 and greater. Windows 2000: Netscape 8.0 running Sun JRE 1.5.0_05 Red Hat Linux 9.0: Mozilla 1.6 running Sun JRE 1.4.2_04 and greater. Suse Linux 9.3: Firefox 1.5 and Firefox 2.0 running Sun JRE 1.4.2_04 and higher. Windows 98: Internet Explorer 6.0 running Microsoft JVM or Sun JRE 1.4.2_04 and higher. Red Hat Linux 9.0: Firefox 1.5 and greater running Sun JRE 1.4.2_04 and higher. Mac OS 10.2.8: Safari 1.1 running Java 1.4.2_04 Secure Terminal Access

3.2.4.2

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0 running Sun JRE 1.5.0_07, Firefox 2.0 running Sun JRE 1.5.0_07
PAGE 4 OF 26

COMPANY CONFIDENTIAL

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Windows 2000: Internet Explorer 6.0 running Sun JRE 1.5.0_07, Internet Explorer 5.5 SP2 running Microsoft JVM, Firefox 1.5 running Sun JRE 1.4.2 Windows 98 SE: Internet Explorer 6.0 running MS JVM. Mac OS X 10.4: Safari 2.0 running Java 1.5 Mac OS X 10.3.2: Safari 1.1 and above running Java 1.4.2_09 Mac OS X 10.2.8: Safari 1.0 running Java 1.4.1_01 Suse Linux 10: Firefox 2.0 running Sun JRE 1.5.0_07 Fedora Core 5: Firefox 2.0 running Sun JRE 1.5.0_07

Compatible platforms: Windows XP Pro SP1: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Home Edition: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Media Center Edition 2002: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater. Windows 2000: Internet Explorer 6.0 running MS JVM or Sun JRE 1.4.1_01 and greater, Internet Explorer 5.5 SP2 running MS JVM or Sun JRE 1.4.1 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1_01 and greater. Windows 2000: Netscape 8.0 running Sun JRE 1.5.0_05 Red Hat Linux 9.0: Mozilla 1.6 running Sun JRE 1.4.2_04 and greater. Suse Linux 9.3: Firefox 1.5 and Firefox 2.0 running Sun JRE 1.4.2_04 and higher. Windows 98: Internet Explorer 6.0 running Microsoft JRE or Sun JRE 1.4.2_04 and higher. Red Hat Linux 9.0: Firefox 1.5 and greater running Sun JRE 1.4.2_04 and higher. Mac OS 10.2.8: Safari 1.1 running Sun JRE 1.4.2_04 Java version of Secure Application Manager (J-SAM)

3.2.4.3

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0 running Sun JRE 1.5.0_07, Firefox 2.0 running Sun JRE 1.5.0_07 Windows 2000: Internet Explorer 6.0 running Sun JRE 1.5.0_07, Internet Explorer 5.5 SP2 running Microsoft JVM, Firefox 1.5 running Sun JRE 1.4.2 Windows 98 SE: Internet Explorer 6.0 running MS JVM. Mac OS X 10.4: Safari 2.0 running Java 1.5 Mac OS X 10.3.2: Safari 1.1 and above running Java 1.4.2_04 Mac OS X 10.2.8: Safari 1.0 running Java 1.4.1_01 Suse Linux 10: Firefox 2.0 running Sun JRE 1.5.0_07 Fedora Core 5: Firefox 2.0 running Sun JRE 1.5.0_07

Note for Mac and Linux implementations: Automatic editing of hosts file is only available for root users Ports less than 1024 are only available for root users

Compatible platforms:
COMPANY CONFIDENTIAL PAGE 5 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Windows XP Pro SP1: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Home Edition: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Media Center Edition 2002: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater. Windows 2000: Internet Explorer 6.0 running MS JVM or Sun JRE 1.4.1_01 and greater, Internet Explorer 5.5 SP2 running MS JVM or Sun JRE 1.4.1 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1_01 and greater. Windows 2000: Netscape 8.0 running Sun JRE 1.5.0_05 Red Hat Linux 9.0: Mozilla 1.6 running Sun JRE 1.4.2_04 and greater. Suse Linux 9.3: Firefox 1.5 and Firefox 2.0 running Sun JRE 1.4.2_04 and higher. Windows 98: Internet Explorer 6.0 running Microsoft JVM or Sun JRE 1.4.2_04 and higher. Red Hat Linux 9.0: Firefox 1.5 and greater running Sun JRE 1.4.2_04 and higher. Mac OS 10.2.8: Safari 1.1 running Sun JRE 1.4.2_04 Solaris 9: Mozilla 1.4 running Sun JVM 1.4.2_04

Note for Mac, Linux, and Solaris implementations: 3.2.4.4 Automatic editing of hosts file is only available for root users Ports less than 1024 are only available for root users Windows version of Secure Application Manager (W-SAM)

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0, Firefox 2.0 with Sun JRE 1.5\ Windows 2000: Internet Explorer 6.0, Internet Explorer 5.5 SP2, Firefox 1.5 with Sun JRE 1.5 and 1.4.2. Windows Server 2003: Internet Explorer 6.0 Windows 98 SE: Internet Explorer 6.0 (WSAM + NetBIOS is not supported in Windows 98)

Compatible platforms: Windows XP Pro SP1: Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Home Edition: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Media Center Edition 2002: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater. Network Connect

3.2.4.5

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0, Internet Explorer 6.0, Firefox 2.0 with Sun JRE 1.5 Windows 2000: Internet Explorer 6.0, Internet Explorer 5.5 SP2, Firefox 1.5 with Sun JRE 1.5 and 1.4.2. Windows Server 2003: Internet Explorer 6.0 Windows 98 SE: Internet Explorer 6.0 Mac OS X 10.4: Safari 2.0 running Java 1.5
PAGE 6 OF 26

COMPANY CONFIDENTIAL

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Mac OS X 10.3.2: Safari 1.1 and above, running Java 1.4.2_04 Mac OS X 10.2.8: Safari 1.0 and 1.1, running above Java 1.4.1_04 Suse Linux 10: Firefox 2.0 running Sun JRE 1.5.0_07 Fedora Core 5: Firefox 2.0 running Sun JRE 1.5.0_07

Compatible platforms: 3.2.4.6 Windows XP Pro SP1: Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Home Edition: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater, Firefox 1.5 and greater running Sun JRE 1.4.1 and greater. Windows XP Media Center Edition 2002: Internet Explorer 6.0 running Sun JRE 1.4.1_01 and greater. Red Hat Linux 9.0 on x86 platforms: Firefox 1.5 and greater running Sun JRE 1.4.2_04 Suse Linux 9.3 on x86 platforms: Firefox 1.5 and greater running Sun JRE 1.4..2_04 Host Checker

Qualified platforms: Windows XP SP2: Internet Explorer 7.0, Internet Explorer 6.0 and Firefox 2.0 Windows 2000 SP4: Internet Explorer 5.5 SP2 Windows 98: Internet Explorer 6.0 and Firefox 1.5 Mac OS X 10.4: Safari 2.0 Mac OS X 10.3.7: Safari 1.2 Suse Linux 10: Firefox 2.0 Fedora Core 5: Firefox 2.0

Compatible platforms: 3.2.4.7 Windows XP SP1: Firefox 1.5 and greater. Windows XP Home Edition: Internet Explorer 6.0, Firefox 1.5 and greater Windows XP Media Center Edition 2002: : Internet Explorer 6.0 Windows 2000: Internet Explorer 6.0, Firefox 1.5 and greater. Windows NT: Internet Explorer 6.0 Windows 98: Firefox 1.5 and greater. Mac OS X 10.3.7: Safari 1.1 and greater. Red Hat Linux 9.0: Firefox 1.5 and greater Secure Virtual Workspace

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0 Windows XP Pro SP1 and SP2: Internet Explorer 6.0, and Firefox 2.0. Windows 2000 SP4: Internet Explorer 6.0, Internet Explorer 5.5 SP2, and Firefox 1.5.

Compatible platform: Windows XP Home: Internet Explorer 6.0, Firefox 1.5 and greater
PAGE 7 OF 26

COMPANY CONFIDENTIAL

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

3.2.4.8

Cache Cleaner

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0 Windows XP Pro SP1 and SP2: Internet Explorer 6.0 and Firefox 2.0 Windows 2000 SP4: Windows 2000: Internet Explorer 6.0, Internet Explorer 5.5 SP2. Windows 98 SE: Internet Explorer 6.0 Windows 98 SE: Internet Explorer 5.5 SP2

Compatible platform: 3.2.4.9 Windows XP SP1: Firefox 1.5 and greater. Windows XP Home Edition: Internet Explorer 6.0, Firefox 1.5 and greater Windows XP Media Center Edition 2002: Internet Explorer 6.0 Terminal Services

Qualified platforms: Windows XP Pro SP2: Internet Explorer 7.0 Windows XP Pro SP1 and SP2*: Internet Explorer 6.0 and Firefox 2.0. Windows 2000 SP4: Internet Explorer 6.0, Internet Explorer 5.5 SP2, Firefox 2.0 and Firefox 1.5. Windows 98 SE: Internet Explorer 6.0

Compatible platform: Windows XP SP1: Firefox 1.5 and greater. Windows XP Home Edition: Internet Explorer 6.0, Firefox 1.5 and greater Windows XP Media Center Edition 2002: Internet Explorer 6.0

* Windows XP SP2 contains a bug which prevents connections to loopback addresses. This functionality is required for J-SAM, W-SAM, and Terminal Services. Hot fix 884020, http://support.microsoft.com/default.aspx?scid=kb;en-us;884020 includes the fix however; due to possible security vulnerabilities our recommendation is to apply the latest Microsoft security update that includes this fix.

3.2.5

Windows Vista Support

As of Jan 19, 2007 we do not support Windows Vista for advanced functionality. It has been reported that basic features such as web browsing and file transfers do work with the current release of windows Vista running internet explorer 7. We expect full feature functionality to be released and supported by the end of April 2007.

3.3

Checking and Upgrading Software Versions

You may need to upgrade your operating system or software components in order to launch and properly display the secure gateway and/or use advanced features like network connect. Shaw recommends that you install all available updates, according to your operating system vendors recommendations and ensure that your system is functioning normally before connecting to the VPN gateway.

3.3.1

Windows

To check the version of windows you are currently running, as well as the service pack that is installed: 1. right click on My Computer on the desktop and select Properties
COMPANY CONFIDENTIAL PAGE 8 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

2. in the General tab you should see the windows version as well as the service pack level under the heading System:

Figure 3.3.1(1) System Properties window in Windows XP

To upgrade your version of windows you must purchase an upgrade or replacement copy. Please see http://www.microsoft.com/windows/default.mspx for more information. Service packs can be downloaded from Microsoft but we recommend running windows update before using the VPN, windows update will automatically upgrade your system to the latest service pack. 3.3.1.1 Performing Windows Update

To perform a windows update, which will update your windows components to the latest versions as well as install any missing service packs, perform the following steps: 1. launch internet explorer 2. in the Tools menu select Windows Update you will be taken to the windows update site and prompted to update your components as needed.

COMPANY CONFIDENTIAL

PAGE 9 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 3.3.1(1) Tools Menu in Internet Explorer

Depending on the last time windows update was run you may be prompted several times to reboot your system. After rebooting please repeat the above steps until the windows update site reports that your system is up-to-date. 3.3.1.2 Internet Explorer

To check the version of internet explorer that you are running perform the following steps: 1. launch internet explorer 2. in the Help menu select About Internet Explorer you should see the version and service pack level of internet explorer

Figure 3.3.1.2(1) About Internet Explorer Window

Internet explorer can be updated to the latest version by running windows update as specified in section 3.3.1.1. Alternatively internet explorer installation files can be downloaded at http://www.microsoft.com/windows/ie/default.mspx

3.3.2

Firefox

To check the version of Firefox that you are running perform the following steps:
COMPANY CONFIDENTIAL PAGE 10 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

1. launch Firefox 2. in the Help menu select About Mozilla Firefox you should see the version

Figure 3.3.2(1) About Mozilla Firefox Window

The latest version of Mozilla Firefox can be downloaded at http://www.mozilla.com/en-US/firefox/

3.3.3

Sun JRE (Java Runtime Environment) and MS JVM

To find out which version of Java you are currently running visit http://www.javatester.org/version.html Javatester.org provides specific instructions for determining the version of Java you are running with your browser. It also contains links to Suns website where you can download and install the latest version (or older versions) of the Sun JRE. To download the latest version from Sun go to http://java.com/en/download/ Microsoft no longer supports their JVM. If you require a specific version please upgrade to the Sun JRE from Sun Microsystems. Suns JRE runs on Linux, Solaris, Windows and Mac OS(X).

3.3.4

Red Hat and Fedora Core Linux

To find out the version of red hat Linux you are running you can look in the /etc/redhat-release file. You should see a string to indicate the version you are running.

Figure 3.3.4(1) Contents of /etc/redhat-release file

COMPANY CONFIDENTIAL

PAGE 11 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

You may download* the latest versions of Red Hat install media from https://www.redhat.com/apps/download/ *If you do not have an active subscription with Red Hat you will need to purchase the install media. Fedora core is an open-source community supported operating system but major versions can be downloaded from http://fedora.redhat.com/Download/

3.3.5

Macintosh

Only core functionality is available with Mac OS 9.2. OSX is required for any advanced functionality. To determine the version of Mac OS you are running: 1. click on the Apple icon in the top left corner of your screen and select About This Mac. 2. this should bring up version information about the version of Mac OS you are running

Figure 3.3.5(1) About This Mac Window

Please refer to apples support site, http://www.apple.com/support/ to determine if you can upgrade the Mac OS version on your system. 3.3.5.1 Safari

To determine the version of safari you are currently running: 1. Open your Safari web browser by clicking on the Safari icon in the dock. 2. Click on Safari in your Safari menu, located at the top of your screen. 3. A drop-down menu will now appear. Choose the option labelled About Safari. 4. A dialog box will now appear containing the browser's version number.

COMPANY CONFIDENTIAL

PAGE 12 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 3.3.5.1(1) About Safari Window

The latest version of safari can be downloaded at http://www.apple.com/support/downloads/safari.html 3.3.5.2 Netscape

Netscape Version 4.79 for Mac PowerPC as well as most other operating systems can be downloaded at http://browser.netscape.com/ns8/download/archive47x.jsp

3.3.6

Solaris

Solaris runs SunOS. Your version of SunOS can be found by running the command uname a SunOS will report its version numbers as follows: SunOS 5.8 = Solaris 8 SunOS 5.9 = Solaris 9 SunOS 5.10 = Solaris 10 Please visit Suns website at http://www.sun.com to see which version of Solaris your system can support and if you are eligible for an upgrade.

3.3.7

Mozilla

The latest version of the Mozilla browser suite can be downloaded at http://www.mozilla.org/releases/#1.7.13

4 Logging In
To access the login page for the secure access VPN gateway point you internet browser to the following address: http://ive.sjrb.ca Important: Although the secure gateway checks for malicious software installed on your system, if you suspect you have a virus or you system shows any unexpected behaviour (i.e. popups, unexpected shutdowns, extremely degraded performance), DO NOT attempt to launch the VPN. If you have a Shaw computer please have it examined by IT Desktop Services, otherwise have it checked for malicious software by a qualified professional before connecting. Once connected to the system, you may create a bookmark in your web browsers favourites or bookmarks folder so that you do not need to type the entire address in to connect in the future. The secure gateway is accessible from both inside the Shaw network and on the internet. Some features that work on the internet may not work when connecting from the inside. You should access the resource directly if you are connected to Shaws internal network.
COMPANY CONFIDENTIAL PAGE 13 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

4.1

Host Checker and Cache Cleaner

Before you are presented with a page to provide your user id and password, the gateway will attempt to load several software components to check for the following types of malicious software running on your system: keyloggers viruses and Trojans malware other potentially malicious software

You should see a screen indicating that the host checker and cache cleaner are loading.

Figure 4.1(1) Loading Secure Gateway Components

The secure gateway can download and deploy the host checker and cache cleaner software using activex (on windows) or with Java (on other operating systems, or as a fallback install method on windows) If you are presented with a Java window or an activex warning about software needing to be installed from Juniper Networks Inc. you must say Yes, otherwise the host checker and cache cleaner may fail to load preventing you from logging into the VPN.

COMPANY CONFIDENTIAL

PAGE 14 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 4.1(2) ActiveX install warning

Figure 4.1(3) ActiveX install warning

Host checker and cache cleaner may cause one or more the following images (processes) to run on your system: dshostchecker.exe dscachecleaner.exe jhoe.exe dsncservice.exe dssamproxy.exe dssamui.exe

The execution of these programs before you login or during your session is normal. If you have security software that alerts you of these processes or may block their execution, you will be unable to login. You must allow the execution of these processes if prompted by firewall or security software. The host checker process will place an icon in your tray to notify you of malicious software it detects. You can also use it to check the status of the host checker application by right clicking the icon and selecting Details.

Figure 4.1(4) Host checker and Java tray icons

The appearance of the Java icon (coffee cup) is normal during your session. Note for Shaw Secure Users It has been observed that the Shaw Secure product may try to block the execution of these programs. If prompted please allow these programs to run.

COMPANY CONFIDENTIAL

PAGE 15 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

4.2

Authentication

The credentials you must provide to login to the VPN gateway are your Shaw corporate e-mail address and your domain password. (I.e. the same password you use to login to your workstation)

Figure 4.2(1) Secure Gateway Login Page

Some users may have more than one e-mail address. The address you must use is your primary e-mail address. The e-mail address field is not case sensitive. If you are unsure of your primary e-mail address you can check your properties in the global address book. (Address Book in Outlook.) Your primary e-mail address is indicated by the prefix SMTP: (note the capital letters, secondary addresses will be lowercase)

Figure 4.2(2) Outlook Address Book Contact Properties (multiple e-mail addresses example)

COMPANY CONFIDENTIAL

PAGE 16 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

4.2.1

Authentication Failure

A failed username or password combination will produce an Invalid Username or Password message and prompt you to re-authenticate. Your windows domain account will be locked after 5 failed attempts. Please contact the IT Service Centre (4944) to have your account un-locked. Due to security concerns we cannot do password resets over the phone without some form of identity verification.

5 Home Page
A successful login will present you with the Secure VPN Gateway home page. The home page contains all of your pre-defined links, user created links, and links to launch advanced utilities like network connect, secure application manager and secure meetings.

Figure 5(1) Home page browser bar (top) and browse field (bottom)

Your level of access and which panels and features are displayed or accessible on your home page depend on how your account was setup. If you have any questions about missing access or access changes please contact the IT Service Centre (4944)

5.1

Browser Bar

The browser bar is located in the top left of the web page. It provides an interface that should always be displayed while using the secure gateway. The buttons on the bar provide functionality to: Home: return to the home page from any other page you are currently viewing. Meetings: host or join a secure meeting Preferences: change the appearance of your home page, change your password and configure your secure meeting preferences Session Timer: the session timer tells you the remaining time until your session is disconnected. The session timer is reset every time you login. Help: opens the comprehensive online help system Sign Out: logout of the secure VPN gateway and terminate all VPN components running on your system

5.1.1

Floating Browse Bar

When browsing away from the home page to internal sites the VPN gateway will re-write your pages with a browser bar that allows you to navigate back to the home page or sign out regardless of the page you are on.

Figure 5.1.1(1) Floating Browse Bar

You can move the browse bar to either side of the active page by clicking the arrow icon beside the home icon.

COMPANY CONFIDENTIAL

PAGE 17 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

5.2

Browse Field

The browse field is a text entry field that functions similar to the address field on your internet browser, allowing you to enter website addresses (and other resources) to access directly. You can enter the following types of resources in the browse field:
Use this format http://www.domain.com OR https://www.domain.com OR domain.com \\server\share OR smb://server/share telnet://host:port SSH://host:port ica://<hostname> rdp://<hostname> outlook:inbox OR outlook:today OR (any x:y format that your browser supports) To Browse web pages i.e. shawnet

Access shares on Windows file servers i.e. \\dilbert\someuser$ Start a telnet/SSH session to connect to the specified hostname and port Start Citrix terminal services to connect to the specified hostname (Windows only) Start Microsoft terminal services or a remote desktop session to the specified hostname (Windows only) Access your Outlook inbox or calendar (Windows only). (For any text you enter as x:y, the secure gateway passes it to your browser without executing it.) You must have Outlook installed for this feature to work.

5.3

Web Bookmarks

The Web Bookmarks panel on the secure gateway home page provides a centralized location for links to corporate resources. A resource can be any Web page or Web application that can be accessed through the secure gateway. The secure gateway rewrites the links in this panel in order to secure traffic between your computer and the Web resource. When you click a link or use the Browse field at the top of the secure gateway home page, the transmitted page content is rewritten. If your system administrator enables the option for personal bookmarks, you can create your own links in the Web Bookmarks panel by clicking the + (plus sign) icon.

Figure 5.3(1) Web Bookmarks panel

5.4

Files

The Files panel on the secure gateway home page provides a centralized location for links to files that reside on an internal corporate network. If your system administrator enables the option for personal bookmarks, you can create your own links in the Files panel by clicking the + (plus sign) icon.

COMPANY CONFIDENTIAL

PAGE 18 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 5.4(1) Files panel

5.5

Terminal Sessions

Terminal services enable you to use Windows-based or Citrix applications that are running directly on your companys terminal server. When you run an application on the terminal server, most actions are performed on the server itself rather than your workstation. The terminal server only transmits keyboard, mouse, and display information over the network.

Figure 5.4(1) Terminal Sessions panel

If your workstation is connected to the Shaw network, is powered on and has remote desktop services enabled you can configure a session to connect to it remotely. Use the following settings as a guide:

Figure 5.4(2) Example settings for remote desktop connection

Using a smaller screen size or a smaller color depth may improve performance over slow internet connections.

5.5.1

Telnet and SSH Sessions

If enabled by your administrator, you can use the Telnet and SSH protocols in the Browse field of the secure gateway home page or the terminal sessions panel to browse to UNIX servers, networking devices, and other legacy applications that utilize terminal services.

COMPANY CONFIDENTIAL

PAGE 19 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

The secure terminal application is Java based and may not include functionality or emulation for all terminal types. If you are having issues using a text terminal application or console please contact the IT Service Centre (4944) to explore alternative access methods.

5.6

Client Application Sessions

The secure gateway secures traffic to applications that reside on your corporate servers (such as Microsoft Outlook) through the Secure Application Manager. To access an application through the Secure Application Manager, you must first start a Secure Application Manager session through the secure gateway. You can then access your application. Once you start the application, the Secure Application Manager secures the traffic between your computer and the applications server. Access to applications using this method is determined by your profile and access level granted to you when your account was activated. The secure gateway includes two versions of the Secure Application Manager. You can determine which version your administrator has enabled for you by viewing options in the Client Application Sessions panel on the secure gateway home page: WSAM - If you see the Windows Secure Application Manager option in the Client Application Sessions panel, the secure gateway secures application connections using the Windows Secure Applications Manager (WSAM). JSAM - If you see the Java Secure Applications Manager in the Client Application Sessions panel or page, the secure gateway secures application connections using the Java Secure Applications Manager (JSAM). (To use JSAM, you or your administrator must install the Java Virtual Machine on your computer, see section 3.3.3.)

Secure application access is configured by the IT Security and Compliance group on a per user or per group basis based on the requirements to run applications remotely. SAM and JSAM sessions should only be used if no basic access can be used.

Figure 5.6(1) Client Application Sessions panel

5.6.1

Network Connect

Network Connect is a client application that the secure gateway installs on your computer. Once started, this application provides a secure tunnel through the secure gateway to your corporate network from a remote location, such as a customer site, conference kiosk, or home office. Using this secure tunnel, you can access applications, servers, and files on Shaws internal network. The network connect client provides the same functionality as a direct connection to the network would. Network connect requires that a browser session be open to the secure gateway. If you close your active browser window while network connect is connected your connection will be terminated and you will need to login again NOTE: You must have root privileges or the root password to install the network connect client on a Mac or UNIX system and Administrator privileges on a Windows system. Network connect will appear as a tray icon similar to host checker. You can disconnect your session out completely by tight clicking this icon. You can click on Basic View or Advanced View to see network connect status and network statistics.

COMPANY CONFIDENTIAL

PAGE 20 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 5.6.1(1) Network Connect

5.6.1.1

Network Connect and Internet Explorer

An important condition exists where the network connect client may fail to connect if Internet Explorer is configured to automatically detect its proxy settings. If you receive any errors trying to launch the network connect client please ensure that Internet Explorers Connection settings are correct. To disable the automatic proxy detection: 1. choose Internet Options from the tools menu in Internet Explorer 2. click the Connections tab 3. click LAN Settings and ensure that the checkbox beside Automatically Detect Settings is unchecked

COMPANY CONFIDENTIAL

PAGE 21 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Figure 5.6.1.1(1) Internet Explorer LAN Settings Window

6 Secure Meetings
Secure Meeting allows secure gateway users to securely schedule and hold online meetings between both in-network and out-of-network users. In meetings, users can share their desktops and applications with one another over a secure connection, allowing everyone in the meeting to instantaneously share electronic data on-screen. Meeting attendees can also securely collaborate online by remote-controlling one another's desktops and through text chatting using a separate application window that does not interfere with the presentation. NOTE: Secure Meeting grants invitees different levels of access based on the compatibility of their computer configurations. To determine the level of accessibility allowed by your configuration, click the Check Meeting Compatibility link in the meeting sign in page or invitation email.

NOTE: Before you begin using Secure Meeting, we recommend that navigate to the Preferences > General tab and use the Daylight Savings Time option to adjust meeting times based on daylight savings for your area. By default, Secure Meeting uses the daylight savings time rules set on the server by your administrator. However, you can override the server setting by specifying the country whose daylight savings time rules your local client should observe instead. Secure Meeting adjusts your individual meeting times as necessary based the specified DST option and your browser settings.

6.1

Scheduling Meetings

Each Secure Meeting online meeting must be scheduled by a secure gateway user. Through the secure gateway interface, the meeting creator specifies meeting details, including the meeting name, description, start time, start date, recurrence pattern, duration, password, a list of invitees, and the email addresses of the invitees. Meeting creators can use either of the following applications to schedule meetings: Secure Meeting end user consoleWhen the meeting creator uses the secure gateway end user console to schedule a meeting, Secure Meeting displays it in the Meetings page of meetingenabled secure gateway invitees. Secure Meeting also sends a notification email to each invitee with a known email address. Microsoft OutlookWhen the meeting creator uses Microsoft Outlook to schedule a meeting, Outlook displays it in the Calendar page of other Outlook-enabled invitees and sends a notification email to each invitee through the Outlook email server. Secure Meeting also displays the meeting in the meeting creators Meetings page in the secure gateway end user console.

When specifying a list of invitees, the meeting creator must group them into one of two categories: In-network inviteesAn in-network invitee is a secure gateway user who signs into the same secure gateway server as the meeting creator. An in-network invitee can access meetings through the secure gateway and can attend meetings without presenting a meeting password. When inviting an in-network user to a meeting, the meeting creator must specify the users secure gateway username and authentication server. Out-of-network inviteesAn out-of-network invitee is a non-secure gateway user or a secure gateway user who signs into a different secure gateway server as the meeting creator. Out-ofnetwork invitees can only attend meetings if the Secure Meeting administrator enables it. When allowed to attend, out-of-network invitees must access meetings through a special URL that allows them to join the meeting without allowing them access to other resources on the secure gateway. If required by the meeting creator or administrator, out-of-network invitees must supply the meeting password for access. When inviting an out-of-network user to a meeting, the meeting creator must specify the users email address.

COMPANY CONFIDENTIAL

PAGE 22 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

NOTE: If an in-network invitee uses the meeting URL instead of the Meetings page in the secure gateway end user console to join a meeting, Secure Meeting classifies the user as an out-of-network invitee. When the meeting creator uses Microsoft Outlook to schedule a meeting, all invitees except the meeting creator are classified as out-of-network invitees.

6.2

Conducting Meetings

The meeting conductor is an in-network user who is responsible for starting the meeting. Secure Meeting grants the conductor the following responsibilities and capabilities in order to help him effectively run his meeting: Starting the meeting presentationBefore the conductor joins, the other attendees can only chat. They cannot view or make a presentation because the conductor is also the default meeting presenter. The meeting presenter starts the meeting presentation by sharing his desktop or applications with other attendees. Passing conductor and presenter rightsThe meeting conductor can choose to pass some or all of his responsibilities to another meeting attendee. For instance, after joining the meeting, the conductor can specify that another attendee should start the meeting presentation by passing that attendee presenter rights. The conductor can pass his conductor rights to any other in-network user and pass his presenter rights to any other in-network or out-of-network user. Monitoring the meeting The meeting conductor is responsible for expelling meeting attendees if necessary. The meeting conductor can also see the names of all meeting attendees so that he can determine who is attending (even if the meeting creator or administrator chooses to hide names) Ending the meetingThe meeting conductor is responsible for extending the meeting if it runs over the scheduled duration and closing the meeting when it is done.

For more information about conducting a meeting, access the Secure Meeting help from the Help menu in the Secure Meeting Client window.

7 Logging Out
Once your internet browser is closed all of your VPN connections will be terminated. Shaw advises that you use the Sign Out button on the browser bar in the top right of the home page. By signing out the VPN will cleanly shutdown all of the host checker and cache cleaner processes running on your system. Not cleanly logging out can cause internet connection issues after disconnecting. If you are experiencing any strange behaviour after logging out, try logging in again and, once logged in, use the Sign Out button instead of closing the browser.

8 Frequently Asked Questions (FAQ)

Q: Why are we using our e-mail address to login? A: Since duplicate usernames exist in both the SJRB and STARCHOICE domains it is necessary to use an identifier that is unique across both domains. Everyone has a unique e-mail address because two of the same addresses cannot exist on the internet. Q: What does SSL VPN mean? A: SSL stands for Secure Sockets Layer; it is a set of encryption protocols that standard web browsers use to secure communications. Your bank uses an SSL web connection, just like the secure gateway to make sure your information is safe as it travels across the internet. VPN Stands for Virtual Private Network, an extension of the corporate network to remote locations. Q: Why doesnt everyone get VPN access by default? A: To minimize our risk of exposure and loss of confidential information Shaw must approve all VPN requests and track which employees and vendors have remote access.
COMPANY CONFIDENTIAL PAGE 23 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Q: Do we use Citrix? A: Shaw does not currently have a Citrix remote access solution deployed. If you wish to access specific corporate applications you can: a) connect via remote desktop to your workstation b) use Shaw equipment with the required applications are pre-installed Q: Can I use my home computer to connect? A: Yes, if approved, you can access basic functionality and a limited set of internal websites and file servers using your home computer as long as it passes the security checks when logging in. In order to use most advanced features or Network Connect you must be using a Shaw system. Q: Can I connect from behind a router or firewall? A: Yes, an SSL VPN overcomes firewall and router issues that traditional VPNs cause because it uses a standard web browsing connection to pass secure traffic. Q: Can I use the VPN for large quantity of users or critical third-party-access? A: In most cases we recommend working with IT to provision a point-to-point VPN rather than an SSL VPN, however in special circumstances we can use the SSL VPN for third-party-access. Please see IT Security and Compliance for more information as a special agreement is required for third parties.

9 Troubleshooting
The following are common problems experienced by users when connecting to the secure gateway. If you are having trouble connecting or problems accessing a resource please look through these troubleshooting steps before calling the IT Service Centre (4944) Before attempting troubleshooting please ensure that you install all available updates, according to your operating system vendors recommendations and check your operating system, browser and Java versions to ensure they are supported (see section 3.2)

COMPANY CONFIDENTIAL

PAGE 24 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Symptom I receive an error page cannot be displayed when trying to browse to https://ive.sjrb.ca

Cause(s) No internet connection

Possible Resolution Check your internet connection, can you browse to other web sites? The secure gateway could be undergoing maintenance. Please try again soon or contact 4944. Please check the user guide (section 3.2) to see if you browser is supported You may be infected with a virus, if you do not know how to change your browser string please check for viruses. Run windows update and install the latest patches or download a hot fix at http://support.microsoft.com/?kbid=8840 20 Disable automatic proxy detection. See section 5.6.1.1 Contact 4944 and request that your access be changed or reviewed

Service is unavailable

I receive the error you do not have permission to login when trying to browse to http://ive.sjrb.ca

Your internet browser is not supported Your browser is sending an unrecognized browser string You are running an un-patched version of Windows XP SP2

I receive the error nc.windows.app.23791 when launching Network Connect

I receive an error Access to the Web site is blocked by your administrator when trying to access an internal web site While loading the host checker or cache cleaner, the browser stops responding for a long period of time I receive the error Your computer's security is unsatisfactory when trying to browse to http://ive.sjrb.ca

Internet Explorer is configured to Automatically detect proxy You do not have access to view that web site using VPN

An activex install is trying to install to the same location as a Java install You do not have the rights to install applications

Close or terminate your internet browser and restart your computer. Try connecting again You must have access to install applications on your system. Locked down computers or kiosks may not function correctly for use with the secure gateway. Have your computer scanned for viruses and malicious software

You have malicious software running that the secure gateway cannot terminate Java is not installed properly

See section 3.3.3 for instructions on installing or upgrading your Java version If you are using a Shaw system you should connect it to the network and perform an update to your anti-virus software or contact IT Desktop Services Make sure you leave your workstation on when you leave the office Contact the IT Service Centre for information on enabling Remote Desktop on your workstation Contact the IT Service Centre

Anti-virus is not installed or outof-date

I cannot connect to my workstation with terminal services

Your desktop is turned off

Remote Desktop is not enabled on your workstation Outlook web access does not work You may not be authorized to use outlook web access or it may be misconfigured on Shaws server Your account is locked out or disabled

Invalid username or password. Please re-enter your user information.

COMPANY CONFIDENTIAL

Contact the IT Service Centre

PAGE 25 OF 26

SHAW SECURE VPN GATEWAY (IVE) SECURE GATEWAY USER GUIDE V1.DOC

Symptom

Cause(s) You may be entering the wrong e-mail address The content mediation engine may be restarting Certain version conflicts on a Mac system prevent this from functioning properly

Possible Resolution Check to make sure you are entering your PRIMARY e-mail. See section 4.2 The secure gateway could be undergoing maintenance. Please try again soon or contact 4944. Install the latest version of the Safari browser (see section 3.3.5.1) and try running network connect again.

You receive the error The server had an internal Error Network connect is not launching when using Firefox on my Mac OSX system

10 Document Information
10.1 People
Role Contributors Reviewers Distribution Person / People IT Security and Compliance IT Security and Compliance, IT Account Administration, IT Service Centre, IT Business Relations See Reviewers

10.2 Document History

Date 16-Jan-07 19-Jan-07 22-Jan-07 23-Jan-07 Version 0.1 0.2 0.5 1.0 Status Draft Final Draft Final Draft Final Description Initial document. First review and revision Spelling, format changes, >PDF Updated status

COMPANY CONFIDENTIAL

PAGE 26 OF 26