File:         README.TXT
Product:      Secure Entry CE Client
Manufacturer: NCP engineering GmbH, Nuremberg, Germany

-------------------------------------------------------------------------------
Installation Instructions
-------------------------------------------------------------------------------

1.    Overview
1.1   NCP Secure Entry Client - Universal IPSec Client
2.    Installation
2.1   Installation Prerequisites
2.2   Installation of the PC component
2.2.1 Installation from the hard disk
2.2.2 Installation from CD
2.2.3 Diskette installation
2.3   Before Starting
2.4   Transferring the Profile Settings and the Certificates
2.4.1 Profile Settings
2.4.2 Certificates
2.5   Update and Uninstalling the PC component
2.6   Installation of the PDA component
2.7   Full version release
2.8   Uninstalling the PDA component
2.8.1 Uninstalling from PC
2.8.2 Uninstalling from the PDA component
2.9   Extended installation
2.9.1 Autostarting the NCP Service on the PDA


================================================================================
Using devices with the newest firmware (WLAN driver), the most actual version of 
the client should be installed. You will receive the newest NCP Entry CE Client 
from the web site:
http://www.ncp.de/english/download/index.html
================================================================================




-------------------------------------------------------------------------------
1.    Overview
-------------------------------------------------------------------------------

1.1   NCP Secure Entry Client - universal IPsec client

The NCP Secure Entry Client can be used in any VPN environment. The client 
communicates on the basis of the IPsec standard (see -> Examples and 
explanations, Security, IPsec) with the gateways provided by a wide variety of 
vendors* and is the alternative to the uniform IPsec client technology offered 
on the market. The Secure Entry Client has additional features that introduce 
the user into a holistic remote access VPN solution.

The NCP Secure Entry Client offers:

- Support of all major operating systems
- Dial-in over all transmission networks
- Compatibility with VPN gateways from a wide variety of vendors
- Integrated personal firewall for more security
- Dialer protection (no misuse by third parties)
- Convenient operation (graphic interface)
- Central management (optional)


-------------------------------------------------------------------------------
2.    Installation
-------------------------------------------------------------------------------

The installation of the Secure Entry CE Client software is conveniently carried 
out via setup for all Windows systems. The installation procedure is identical 
for all versions of the Secure Client. Before you install the software, the 
installation prerequisites must be fulfilled for full functionality, as 
described in the following chapter. Also please be aware that the NCP Secure 
Entry CE Client software consists of two components that must be installed 
separately.
- PC component
The PC component has the NCP Secure Entry CE Client Configurator for creating 
the Profile Settings. From this Configurator, the Profile Settings are copied 
onto the PDA via ActiveSync.
- PDA component
The PDA component consists of the NCP Secure CE Client Service (NCP Client 
Service) that analyses the data for the modem, (or mobile phone), or a LAN 
adapter and the chip card reader, and the NCP Secure CE Client Configurator (NCP 
Client Configurator) for selection of the profile and the connection 
establishment to the according destination system.

Sequence from installation to starting operation
Please follow the sequence!
- Installation of the PC component
- Installation of the chip card reader on the PDA (if Smart Cards are
  implemented)
- Installation of the PDA component
- Start the NCP Client Service on the PDA (if the Strong Security version is 
  implemented)
- Configuration of the profiles on the PC
- Transfer of the Profile Settings (and the certificate for the Strong Security 
  version)
- Starting operation on the PDA

2.1   Installation Prerequisites

- Operating System

System requirements for the mobile device:
- Operating Systems Windows CE 3.0, Windows CE.net 4.2
- approx. 3 MB program memory
- approx. 1 MB free data memory
- StrongARM Processor (min. 200 MHz)

System requirements for the PC componente:
- Operating Systems Windows 98se/NT(4.0) SP5 /2000/XP
- 32 MB RAM
- 10 MB free memory on hard disc
- Installation of Microsoft ActiveSync Version 3.0 or later

- Local System

The dial-up via the selected profile to the destination system is handled via a 
PDA (Personal Digital Assistant) with Windows CE. Because the NCP dialer as well 
as the Microsoft RAS dialer can be used for dial-in, all marketable combinations 
of PDAs and mobile phones are supported. The prerequisites are appropriate CE 
compatible drivers.

Analogue modems and mobile phones

For communication via modem (or mobile phone), the modem must have been 
correctly recognized by Windows CE.

Drivers for modems that support the Hayes command set are integrated in Windows 
CE. Likewise Windows CE supports most mobile phones with IR interface or 
Bluetooth and built-in modem.

Data connections requiring an initialization string for their establishment 
(mostly GPRS) can be established only with the NCP dialer, that is if the 
Microsoft RAS dialer is not in use.

The modem data will be downloaded by the PDA when starting the PC component. 
Please insure that an ActiveSynch connection between PC and PDA exists at this 
point in time.

LAN adapter (LAN over IP)

In order to operate the client software with the connection type "LAN over IP" 
in a local area network, a LAN adapter (Ethernet or Wireless LAN) must be 
installed on the PDA.

- Prerequisites for Strong Security

If you use the VPN/PKI/ CE Client software (Strong Security version of the 
client), that supports certification (X.509), then either a chip card reader 
must be connected to the PDA or a soft certificate must be loaded on it.

Chip Card reader (PC/SC conformant)

The client software automatically supports all chip card readers that are PC/SC 
conformant. These chip card readers will only be listed after the reader is 
connected and the associated driver software has been loaded. When starting the 
"NCP Client Service" on the PDA, the chip card reader is searched in the system. 
Consequently it is absolutely necessary that the card reader be installed and 
connected at this point in time!

Certificate configuration

Please note: Before you undertake a certificate configuration with the Client 
Configurator (see -> Client Configurator, configuration, certificates), the 
information about available chip card readers must have been transferred from 
the PDA to the PC. Because the NCP Client Service creates these, the NCP Client 
Service must have been loaded before starting the PC component. An existing 
ActiveSynch connection is required to transfer this data. 

Chip cards (Smart Cards)

The Strong Security version of the client supports chip cards from Signtrust, 
NetKey 2000 and TC Trust (CardOS M4). NCP continuously strives to support the 
new chip card readers and chip cards. Refer to the NCP website to check the most 
current list of supported products.

Chip card or Token (PKCS#11)

The PKCS#11 Modules of other manufacturers are supported by their driver library 
(DLL).

Soft certificates (PKCS#12 file)

Instead of reading out the certificate of a Smart Card via a chip card reader, a 
soft certificate (PKCS#12 file) can also be used.

Certificate configuration

Please note: Path and name of the PKCS#12 file required for the configuration 
(see -> Client Configurator, configuration, certificates) must agree with the 
location of the file on the PDA!

The menu item "Configuration - transfer PKCS#12 file to the PDA" in the Client 
Configurator can be used for transferring the PKCS#12 file. If this function is 
used, then the path can be specified as follows:
%INSTALLDIR%\certs\<PKCS#12-file name>



2.2   Installation of the PC component

There is no difference in the software installation procedure used under the 
operating systems Windows 98/ME and Windows NT/2000/XP. However please note 
whether you are installing from the hard disk, from the CD, or from the 
diskette. If you have already installed an older version of the software then 
please see the chapter "Update and Uninstall"

2.2.1 Installation from the hard disk

If you would like to install the software after a download from the NCP FTP 
server, then unpack the ZIP file first. The directories "DISK1", "DISK2", 
"DISK3" will automatically be created while unpacking. If the request message 
"Install program from diskette or CD" appears when starting the installation, 
then click "Next" and afterwards click "Browse" in order to select SETUP.EXE in 
the "DISK1" directory. All further installation procedures are identical to 
those described in the section "Installation from diskette".

2.2.2 Installation from CD

After you have inserted the CD in the drive of your computer, after a few 
seconds the NCP greeting screen automatically appears on your monitor. Select 
which product you would like to install and then click on "Install". The 
subsequent procedure is identical with the diskette installation from the point 
"Select the setup language".

2.2.3 Diskette installation

The first installation step is to select "Start -> Settings -> Control Panel" in 
the main Windows menu. Select "Add/Remove Programs" in the Control Panel. Then 
click on the "Install..." button in the "Install/Uninstall" tab. Now insert the 
first diskette with the client software in the drive of your computer, if you 
have not already done so, and click "Next..."

When "SETUP.EXE" is displayed, click on "Finish". In the next window you can 
select the setup language. Then click on "OK". Then the setup program prepares 
the install shield assistant, with whose help the installation is continued. 
Please read the instructions in the welcome window of the setup program before 
you click on "Next".

Then the licence conditions are displayed. If you agree with the contract, then 
select "Yes" otherwise the installation will be aborted. (The licensing is done 
first on your PDA device.) This is where you specify the destination directory 
for the client software. (Standard is programs\ncp\ceclient). Otherwise you can 
specify the program file folder. Then the files are copied over.

Follow the instructions on the screen and change the diskettes when you are 
requested to do so. After all required files have been copied over from the 
installation diskettes, and the program group has been created, click on "End" 
to conclude Setup.

Leaving the setting "Start PDA Installation", the PDA component is automatically 
installed after finishing the installation of the PC component. If you here 
swich off the automatically installation, you can install the PDA component 
later. For that see chapter "Installation of the PDA component".

After installation you will find in the Windows start menu, in the program group 
"NCP Secure Client", the program "Secure Entry CE Client Configurator". The 
configuration of the profiles, the composition of the Profile Settings, and the 
transmission of the Profile Settings to the PDA (see -> Client Configurator) are 
executed with this program Configurator.


2.3   Before Starting

After installing, the Client Monitor is displayed without configuration. To use 
the Secure Entry Client you first have to generate an entry in the phonebook, 
what means that you have to define a profile to which an IPSec connection can be 
established.

In a Confirmation window the program offers to configure a profile together with 
the help of a Configuration Assistant. 

Click on "Yes" in the Confirmation window and refer the description in the 
handbook under "3. NCP Client Configurator":
- Configuration / Profile Settings (The entries in the Profile Settings)
Only if a profile has been set in the profile settings, a connection to the 
according destination can be made:
- Establishing a Connection


2.4   Transferring the Profile Settings and the Certificates

2.4.1 Profile Settings

Before transferring the profile settings, the profile system must first be 
configured in the PC and the profile settings must be completed. See the 
sections "Client Configurator of the PC component" and "Configuration 
parameters" in the manual to do this. If you are using the Strong Security 
version of the software with chip card reader, then please note the following: 
Before you undertake a certificate configuration with the PC component, the 
information about available chip card readers must have been transferred from 
the PDA to the PC. Because the NCP Client Service creates these, the NCP Client 
Service must have been loaded before the starting the PC component. An existing 
ActiveSynch connection is required for transferring this data. The transmission 
of the profile settings is described in the section "Profile Settings Upload".

2.4.2 Certificates

The supplied test certificates from NCP, CA certificate (ncpsupportca.der) and 
user certificates (user1.p12 and user2.p12) are already located on the PC and 
the PDA after the installation of the two software components. If you are using 
your own soft certificates, then these must be transferred from the PC via 
ActiveSync. In this case, insure that the PDA can only read CA certificates in 
the DER (Distinguished Encoding Rules) format with file endings DER, CER, or 
CRT! The PEM format is not supported. The destination directory on the PDA for 
the CA certificate is:
\Programs\NCP Secure CE Client\CaCerts
The destination directory on the PDA for the user certificate is:
\Programs\NCP Secure CE Client\CaCerts
The transfer of the user certificate in its directory can be facilitated by 
selecting the menu item "Transfer PKCS#12-file to the PDA" in the PC component 
Configurator (see -> Client Configurator of the PC component, configuration).


2.5   Update and Uninstalling the PC component

If an older version of the client software is found, then it is possible to 
execute an update. The Profile Settings will be maintained in the configuration 
made earlier if you are updating. To remove the PC component, go to: "Start" -> 
"Settings" -> "Control panel". Now click on "Add/Remove Programs" and select 
"NCP Secure CE Client" from the list. Then click on the "Add/Remove" button. The
Uninstall Shield Program now deletes the Client software from your PC.

Important: After the component have been removed, the client's Profile Settings 
remains intact, so that it can be used for newer versions of the Secure CE 
client. In order to completely delete the file from your PC, you must proceed 
manually. The Profile Settings is located in the directory:
\programs\ncp\ceclient\bin\ncpphone.cfg


2.6   Installation of the PDA component

If the installation of the PDA component is not done automatically after 
installing the PC component, the installation of the PDA component will be 
triggered from the PC. Click in the configurator under "Connection" the menu 
item "PDA installation". Please insure that the "Software" dialog from 
ActiveSynch is not open when you execute the PDA installation program! Now 
ActiveSynch has been requested to install the NCP Secure CE Client on the 
mobile device.

Select the standard directory as the installation directory on the PDA. 
Afterwards the data for the NCP Secure CE Client will be transmitted.

After the data transmission has been concluded, check the screen of the mobile 
device: On the PDA the installation is executed while unpacking the transferred 
data.

After unpacking you will be requested by the PDA to do a soft reset. This 
concludes the installation of the PDA component. 

After the soft reset you will find the two icons in the programs file folder for
- NCP Client Monitor
- NCP Client Service

Before a connection can be established, the telephone book with the configured 
destination systems, and the certificate data, if required, must be transferred 
to the PDA!


2.7   Full version release

If you would like to license the PDA component, then please proceed as follows:

Activate "Windows Explorer" in the Windows start menu under "Programs", select 
"My Device" and then under the programs, select "NCP Secure CE client", here 
select "ncppopup". A window is displayed with the designation of the currently 
installed test version.

Select "Change" here, then you can enter the activation key and the serial 
number of your full version. Enter the codes! Then confirm with "OK" A full 
version is now released.


2.8   Uninstalling the PDA component

The PDA component can be removed from the PC side via ActiveSynch, and also 
directly on the PDA.

2.8.1 Uninstalling from PC

After starting ActiveSynch select "Add/Remove Programs", highlight the NCP 
Secure CE Client as in the adjacent graphic and click on "Remove". In the window 
that then appears underneath, click on "OK". On the PDA a message appears 
briefly next to it and then a request to do a soft reset appears. Click OK, 
execute a soft reset, and then redo the Uninstall as described to this point!

After that the uninstall is concluded. If certificates are still 
present on the PDA, then these must be manually removed from the specified 
directories. The Profile Settings will be deleted automatically.

2.8.2 Uninstalling from the PDA component

Select "Settings - System - Remove Programs" in the start menu of the PDA, 
select the program NCP Secure CE Client and activate the remove button. The 
system will ask you to confirm with "Yes". The client will be stopped and then 
you will be requested to execute a soft reset.

Click OK here, execute a soft reset. After that the uninstall is concluded. If 
certificates are still present on the PDA. Then these must be manually removed 
from the specified directories. The Profile Settings will be automatically 
deleted.


2.9   Extended installation

In the installation directory of the PC component ther is the file 
AUTOINSTALL.RTF under \ncp\ceclient\bin\. This file describes how to use 
AUTOINSTALL.EXE which is located in the same directory. Using this file you can 
execute following functions:
- Installing
- Uninstalling
- Transferring the Profile Settings
- Changing the License
- Changing the Settings

2.9.1 Autostarting the NCP Service on the PDA

The NCP Service does not have to be manually started from the program monitor 
after the installation, and after a soft reset. The Service is started 
automatically if the ncprwscestart program has been copied from the installation 
directory on the PDA into the autostart directory under Windows CE. You can do 
this with AUTOINSTALL.EXE.

===============================================================================
NCP engineering GmbH, 
September 2006
