File:           WHATSNEW.TXT 
Product:        NCP Secure Entry CE Client 
Version:        Version 2.26
Manufacturer:   NCP Engineering GmbH, 90499 Nuremberg, Germany

--------------------------------------------------------------------------------
Latest Release Info. - NCP Secure Entry CE Client
--------------------------------------------------------------------------------
New features of Version 2.26 relative to version 2.21
-------------------------------------------------------------------------------- 

The NCP Entry CE Client 2.26 supports the actual versions of the operation system Windows Mobile 5.

Using devices with the newest firmware (WLAN driver), the most actual version of the client should be installed. You will receive the newest NCP Entry CE Client from the web site:
http://www.ncp.de/english/download/index.html




New features of Version 2.21 relative to version 2.20
-------------------------------------------------------------------------------- 

1. Minimizing the monitor when closing (new menu item in the popmenu)

The "Minimize when closing" menu item has been added in the popup menu. If this 
menu item is active, then the monitor is only minimized when closing via the [x] 
button in the header, not closed. The monitor appears as tray icon figured as 
stoplight in the task bar. The color of the stoplight displays the status of the 
connection (green = connection is still established).
Ending the monitor is only possible by activating the popup menu again and 
deactivating the function "Minimize when closing". Then a new click on the [x] 
button in the header will close the monitor.


2. Certificate Information Dialogue

A new popup menu for certificate information has been added to the smart card 
and PIN display of the Monitor GUI. Clicking on the smart card or PIN symbols 
activates the certificate information and displays four menu items:
- Certificate Info  (displays the CA and User Certificates which are in use; 
a sub-menu shows the certificate contents.)
- Enter PIN         (enables PIN entry)
- Reset PIN         (resets PIN for another entry)
- ReInit PKI module (starts re-initialisation after a connection error to the 
smart card reader.)


3. New connection mode

always = This mode is to be used especially for Push services at the PDA (e.g. 
E-Mail Push service). Using this mode the client checks wether a VPN connection 
is established. If not, the client will build it up. (If the PDA is connected to  
a docking station, no connection will be established.)


4. Support of Windows Mobile 5.0

On Pocket PCs and MDA Pro from T-Moile the client supports the Windows operation 
system Mobile 5.0. In this case you have to note that only the driver of the 
loopback adapter and the media driver have a signature, but not all the other 
executable files. (See also the file "notes").

5. Permit communication over ActiveSync protocol (TCP 990, 999, 5678, 5679)

ActiveSync connections are handled by the Link Firewall as normal TCP 
connections. Although ActiveSync establishes the TCP connection in both 
directions (PC <--> PDA), with activated Stateful Inspection filter ActiveSync  
traffic is allowed in the Link Firewall. 

The connection is blocked if "Only permit communication in the tunnel" is 
activated. To permit an ActiveSync connection with this setting the function 
"Permit communication over ActiveSync protocol" must be enabled.

The (global) firewall must be released for ActiveSync in the case of a direct 
connection (via USB, serial or infrared). This is done in the firewall settings 
of the monitor under "Options - Permit ActiveSync connections (TCP 990, 999, 
5678, 5679)". This setting can also be made on the PDA via the popup menu, if 
the (global) firewall is active.

If ActiveSync is operated via network (LAN or WLAN) then in addition a separate 
firewall rule for name resolution (DNS/WINS) must be created.




New features of Version 2.20 relative to version 2.04
-------------------------------------------------------------------------------- 

1. Loopback adapter is deactivated (standard) on PocketPC platform

On Windows CE devices of the PocketPC platform, the virtual network adapter "NCP 
Loopback" is deactivated with new installation (standard).  

This means that profile settings with NCP Dialer, and to some extent automatic 
mode as well, cannot be implemented. These profiles are automatically hidden on 
the PDA after an upload from the Configurator. In this case a text appears in 
the log window, stating that the profiles are not compatible with the current 
setting on the PDA. 


2. Firewall

The Personal Firewall can be set in the "Configuration" configurator menu, and 
it is a fixed component of the Secure Client. All firewall mechanisms are 
optimized for Remote Access applications and are activated when the computer is 
started. This means that in contrast to VPN solutions with autonomous firewall, 
the teleworkstation is already protected against attacks before actual VPN 
utilization. The Personal Firewall also offers complete protection of the end 
device, even if the client software is deactivated. All firewall rules can be 
centrally specified by the administrator, and compliance with these rules can be 
forced. The prerequisite in this case is the central NCP Secure Enterprise 
Management system, which is used to configure the Client, which can be 
permanently specified as unchangeable for the user.


3. Automatic hotspot logon

NCP has permanently integrated the Personal Firewall in the Secure Client 
software in order to protect the Remote Client against any kind of attack in 
every phase of the connection set-up in WLANs and hotspots, without the user 
having to do anything. It has intelligent automated processes for secure hotspot 
logon.

Functional description:
If a user with his end device is in receiving range of a public WLAN, then he 
selects the menu option "Hotspot Logon". The Client then searches the hotspot 
automatically and opens the website for the logon procedure in the standard 
browser. After successfully entering the access data and release by the 
operator, the VPN connection can be established to corporate headquarters, for 
instance, and the user can securely communicate, as he would on an office 
workstation.
To keep the PC invulnerable at all times when logging onto the WLAN, the 
firewall dynamically releases the ports for http or https for logon or logoff.
Logoff at the hot spot free. In this process data traffic is only possible with 
the hotspot server of the operator. Non-requested data packets are rejected. In 
this manner the system guarantees that a public WLAN will only be used for the 
VPN connection to the central data network and that there is no direct Internet 
access.
Direct communication to the Internet bypassing the VPN tunnel is impossible due 
to the previously described dynamic firewall rules that are set automatically by 
the integrated Personal Firewall of the NCP Secure Client.
Please note: proxy settings that may have been entered must be adapted or 
deactivated for logon via the standard browser at the hotspot.
If hotspot logon has not been executed by the NCP Secure Client then this fact 
is communicated to the user through the message "Hotspot could not be found".
In such a case you must determine whether a general problem exists in 
conjunction with the mechanisms implemented by NCP relative to this hotspot 
operator.


4. ActiveSync with Link Firewall

ActiveSync connections are handled by the Link Firewall as normal TCP 
connections. Although ActiveSynch establishes the TCP connection in both 
directions (PC <--> PDA), with activated Stateful Inspection filter traffic is 
only allowed in the Link Firewall. The connection is blocked if "Only permit 
communication in the tunnel" is activated.

Also compressed connections of the RAS-Dialer can by monitored by the Client as 
normal IP traffic, because the compression (CCP), as well as the VanJacobson IP 
header compression (in the IPCP) can no longer be negotiated.

The (global) firewall must be released for ActiveSync in the case of a direct 
connection (via USB, serial or infrared). This is done in the firewall settings 
of the monitor under "Options - Permit ActiveSync connections (TCP 990, 999, 
5678, 5679)". This setting can also be made on the PDA via the popup menu, if 
the (global) firewall is active.

If ActiveSync is operated via network (LAN or WLAN) then in addition a separate 
firewall rule for name resolution (DNS/WINS) must be created.


5. Log window on the configurator

In the PC component, the Configurator, there is a log window for messages. The 
texts in this log window, (window size can be changed with the cursor), refer to 
the communication between PDA and PC component, or the compatibility of the 
profile settings of the Configurator relative to the current settings of the 
PDA. Thus, for example, the system checks whether the virtual adapter (Loopback 
Adapter) is switched off on the PDA, and when copying the profiles onto the PDA, 
the system indicates that in this case the NCP Dialer cannot be used. The 
corresponding profile will then not be displayed on the PDA.
 
Red messages: Errors and unsuccessful connections
Green messages: OK messages when uploading profile settings and certificate Blue 
messages: Instructions and warnings due to incompatible profiles WAN support, 
virtual adapter on the PDA - Upload to the PDA)


6. VPN password query in automatic mode

If no VPN password has been entered, then the password will be queried 
automatically for a connection setup, regardless of whether manual, automatic, 
or alternating. Once a password has been entered, it is saved until
- the profile is changed or
- the service is restarted or
- a different password is entered via manual connection setup 


7. Monitor in the foreground for connection status change

When changing the connection status the Monitor appears in the foreground, if it 
has been switched on via the user interface in ncpconfig.exe on the PDA. The 
Monitor must be restarted after changing this setting.


8. Compression type deflate

The compression type, deflate, is supported. In the profile settings the 
parameter "Use IP compression" appears under "IPSec settings". If this function 
is activated, then both compression types, LZS and Deflate will be negotiated. 


9. Cold start installation

With a separate program (Admin Pack) a new installation, including profile 
settings, can be made without PC. For this the software is stored in the flash 
ROM of the device, or on Flashcard. After a cold start it is then installed 
automatically. Three files are required in order for profile settings and 
licensing to be transferred concurrently:
- the CAB file of the software from the PC
- an installation program (Admin Pack) with instructions
- a configuration program (script)
The installation program is started by the system's autostart mechanism. 
In the configuration program it is indicated which software is involved (Entry 
or Enterprise) whether a telephone book/profile setting is present, and where it 
is, as well as information about the license. In addition it is noted whether 
settings will be made in the registry, prior to, or after, the installation.
The Admin Pack is available directly from NCP on request.


10. Entering the smart card reader with wildcards

The name of a smart card reader is specified in the configuration. If you 
subsequently use a different reader then the name is different and the reader 
will not be found. For two readers that only differ in firmware, (and which 
consequently have a different name), this may not be desired. For instance: 
SpringCard GCR-R1.44-GI slot A 
SpringCard GCR-R1.44-GI slot A 
--> for the above example the following reader name can be entered with an 
asterisk (*) as wildcard: SpringCard*


11. Integrated ping utility

The CE Client has a program for sending ICMP echo_requests (ping). It is called 
via the Client's popup menu. The program "Ping.exe" is in the installation 
directory of the Client software and can also be used stand-alone.


12. New connection medium PocketPC Connection Manager

In the profile settings the connection medium "PocketPC Connection Manager" can 
be set for PocketPC platforms, in the "Basic settings" parameter field. This 
connection medium is ideal for devices with integrated telephone (MDA). While a 
GPRS connection exists, you can telephone at the same time. The PocketPC 
Connection Manager automatically takes over the parking of GPRS connection. When 
configuring a profile for this application ensure that the timeout-span selected 
is large enough, or that timeout is deactivated, and Dead Peer Detection (DPD) 
is deactivated in the IPSec settings.
When using this connection medium, which is only practical for deactivated 
Loopback adapter, you can select the destination network: Internet or corporate 
network. This setting can also be changed retroactively on the PDA via the Popup 
menu. 
When using this media type, the PocketPC Connection Manager is forced to set-up 
a connection (in the Internet or corporate network). This means that the 
Connection Manager will automatically select an RAS connection and set it up, or 
it will detect an existing LAN card and will not setup any other connection.
Under "Start -> Settings -> Connections", the system can configure appropriate 
Internet and company connection with its own onboard resources.
If the virtual adapter is active then more precise project-specific knowledge of 
the environment is required for effective use of the Connection Manager.



New features of Version 2.04 relative to version 2.0
-------------------------------------------------------------------------------- 

General information concerning data transfer between PDA and PC:

With an activated firewall all unknown WAN packets will be blocked. A connection 
setup will still function (PPP negotiation are known packets and are not 
blocked), thereafter however, data traffic is no longer possible. This applies 
for ActiveSynch connections as well as for manually-started RAS connections, if 
these use compression.

Remedy: Select a destination system in the Client Monitor for which no firewall 
is activated or end the NCP Client Driver (if this type of destination has not 
yet been created)!


1. WAN support

Support of WAN adapters can be configured on the PDA with the NCPCONFIG.EXE 
program. This program is in the installation directory on the PDA and can be 
started manually from the directory. The system is shipped with WAN support 
switched on.

Firewall functionality for the RAS adapter is also provided, but only with 
active WAN support. In addition, WAN support is also required in order to use 
IPSec tunneling via RAS connections. All other connection types via the RAS 
adapter do not require WAN support.

The prerequisite for WAN support is EUU3 on the PDA. After activation and 
subsequent soft reset, an ActiveSynch connection to the PC (via USB or serial 
port) must still be possible. If this is not the case, then WAN support is not 
functioning and must be switched off with NCPCONFIG.EXE. After another soft 
reset ActiveSynch should be functioning again.

NCP recommends deactivating WAN support only if problems occur.


2. Status displays in the graphic field of the monitor

The following status displays are shown in the graphic field:
- Smart card 
- PIN status 
- Firewall option 
- EAP status 


3. Displaying the ACE server messages

ACE server queries that reach the client via XAUTH are displayed to the user.


4. IPSec clearing previous session

If there is an unexpected connection disconnect then the client saves the 
parameters for the last negotiated connection and properly logs these off the 
next time a connection is set-up. Then the system sets up a new connection.


5. PKCS#11 Module

The appropriate PKCS#11 entry appears under "from smart card reader", after the 
PKCS#11 module has been created in the NCPPKI.CONF file.


6. Accept modem data from RAS entry

If you select "Modem" as connection type and the Microsoft RAS Dialer, then 
there is the additional option, "Accept modem data from the RAS entry". If this 
option is selected, then all RAS entries found in the PDA will be displayed 
under "Modem". The modem configuration, including device-specific settings for 
the RAS entry newly created by the NCP Client, will be transferred from the 
selected entry.

Device-specific settings include, for example, the baud rate and the init 
string, however they do not include the telephone number. Thus it is possible to 
use a modem init string via the RAS Dialer.

 
7. Disable Auto-poweroff

If the PDA is not used for a longer period of time, then it switches off 
automatically into power save mode. This can also occur while a VPN connection 
is active. This automation mechanism can be switched off in the client monitor. 
Proceed as follows for this:

Hold the entry pen on the graphic field of the monitor for several seconds, a 
pop-up menu will appear that shows the current setting and which allows you to 
change the current setting.


8. Operation without virtual network adapter

Operation without virtual network adapter is recommended on devices with Pocket 
PC 2003 (Phone Edition). Follow the procedure below to switch off the virtual 
adapter:

- use the Explorer file to go the installation directory (normally: 
\Programs\NCP Secure CE Client\) and call up NCPCONFIG.EXE.
- select the "Loopback" file tab and deactivate the virtual network adapter.
- execute a soft reset.




New features of Version 2.0 relative to version 1.22
-------------------------------------------------------------------------------- 


1. Firewall Settings (new configuration field)

The "Firewall settings" configuration field with extended configuration 
possibilities has been added, instead of the "Protect LAN adapter" function in 
earlier versions. The firewall settings can also be used for RAS connections.

The activated firewall is displayed on the monitor as a symbol (wall with 
arrow).

A firewall's fundamental task is to prevent hazards from the Internet from 
spreading within the corporate network. This is why a firewall is also installed 
at the junction between corporate network and Internet. It checks all incoming 
and outgoing data packets and decides whether a data packet will be permitted 
through or not, on the basis of previously specified configurations. Stateful 
Inspection is implemented as a very recent firewall technology.

Activation off: The firewall's security mechanisms will not be used.
Activation always: The firewall's security mechanisms will always be used, this 
means the PC is protected from unauthorized accesses even when not connected.
Activation when connected: The PC is not vulnerable if a connection exists.
Only communication within the tunnel permitted: This function can also be 
switched on with activated firewall to additionally filter IP packets so that 
only VPN connections are possible. 


2. Update Server (new parameter)

The "Update Server" parameter has been added in the configuration field 
"DNS/WINS" in the telephone book. Here you must enter the IP address of the NCP 
Update Server if the Gateway of the other side is not an NCP Gateway, and thus 
no update server can be automatically made known via the PPP negotiation.

If the IP address of an update server is entered, although the other side is an 
NCP Gateway, then regardless of the IP address entered, the update server will 
be used that has been made known in the PPP negotiation between NCP Gateway and 
NCP Secure Client. The entered IP address will be ignored.


3. Dynamic DNS support (DynDNS)

The VPN Gateway does not require a permanent official IP address; this means 
that setting up a permanent Internet connection is also not required. Instead of 
this the Gateway obtains its IP address from the Internet Service Provider. 
Because the ISP assigns a different address for each renewed dial-in from the 
Gateway side, the unique identification through the Secure Client can no longer 
take place via a permanently configured IP address. Instead of this, the 
administrator allocates a name to the VPN Gateway (DNS Name) that is saved on 
the DynDNS server when registering with user name (User ID) and password.

On the client side now instead of the (fixed) IP address for the tunnel endpoint 
(see -> Client telephone book, VPN Tunneling) enter this Gateway name (DNS Name) 
stored with the DynDNS service provider. Enter the DNS Name in the "Tunnel 
Endpoint (Dest.)" field.

Now a DNS request takes place, before establishing the tunnel from the client to 
the Gateway, to ask for the name of the current IP address of the Gateway via 
which a resolution of the DNS Name is executed. In this process the client gets 
the respectively current IP address of the Gateway and the tunnel to the Gateway 
can be established.

Please note that a connection from the client to the Gateway can naturally only 
take place as long as the Gateway maintains a connection to the Internet (for 
example via DSL flat rate).


4. Connection to IPSec Gateways of other manufactures (new VPN Protocol)

In the client telephone book under "VPN Tunneling" you can select between the 
VPN protocols "L2TP" (Layer 2) and "IPSec Tunneling" (Layer 3). If you select 
"IPSec Tunneling" then the IPSec connection is established without a layer 2 
tunnel (L2TP). When selecting "IPSec Tunneling" there is a message that the 
following settings are automatically made in the "Security" configuration field:
Security mode    =  IPSec
IKE Policy       =  determined by other side
IPSec Policy     =  determined by other side
Exchange mode    =  main mode

In the phonebook the parameters, "IKE ID type" and "IKE ID" are displayed for 
the configuration:
IKE ID type = Alternatives: IP address, fully qualified domain name, fully 
qualified username, IP subnet-address, ASN1 distinguished name, ASN1 group name, 
and free string used to identify groups
IKE ID     = the associated string must be entered according to the selected ID 
type.

"Preshared Key" or "RSA Signature": According to the defaults through the other 
side, the automatic setting "Determined by other side" can be changed as IKE 
policy to, "Preshared Key" or "RSA Signature" (certificate). If the other side 
expects "Preshared key", then the key must be entered in the field. (The 
"Preshared Key" must be identical for all clients in this case.)

IP addresses and DNS server are assigned via the IKE Config Mode protocol (Draft 
2) (currently compatible only against Cisco). All previous WAN interfaces can be 
used for the NAS dial-in.

The authentication for "IPSec Tunneling" is handled via the XAUTH protocol 
(Draft 6). If "IPSec Tunneling" is used, then additionally the following 
parameters must still be set in the "VPN Tunneling" configuration field:
VPN User ID  = User Name of the IPSec user
VPN Password = Password of the IPSec user
User access data from the certificate = optional

DPD (Dead Peer Detection) and NAT-T (NAT Traversal) are automatically executed 
in the background for "IPSec Tunneling" when supported by the destination. The 
IPSec client uses DPD to check, in regular intervals, whether the other side is 
still active. If the other side is inactive, then an automatic connection-
disconnect occurs. Using NAT Traversal is automatic with the IPSec client and is 
always necessary if network address translation is used on the side of the 
destination system device.


5. Seamless Rekeying

A new Security Association is automatically negotiated 10 seconds prior to the 
expiration of the current SA (see -> Parameter "Duration" in the configuration 
of the IKE- and IPSec-Policies). This assures data exchange to continue 
seamlessly with any packet loss.


6. L2TP Polling

With an L2TP tunnel the other peer is polled to check wether it is still active. 
When no reply is given the connection is dropped. This polling mechanism is 
activated when no data has been received from the Gateway - and takes place 
every 10 seconds. This mechanism does not in any way affect the time-out 
settings.


7. EAP Settings (new configuration field)

Use of the Extended Authentication Protocol Message Digest5 (EAP MP5) can be 
specified via the main menu of the monitor under "Configuration - EAP Settings". 
This protocol can then be used if a switch, a hub, or if an access point is 
used, which support 802.1x and the according Authentication Mode for the access 
to the wireless LAN. You can prevent unauthorized users from getting into the 
LAN via the hardware interface with the Extended Authentication Protocol (EAP 
MP5). You can use either "VPN User ID" with "VPN Password" or your own "EAP User 
ID" with an "EAP Password".


8. Transfer CA certificate to the PDA

Use this menu item in the user interface of the PC component to copy CA 
certificates into the "cacert" directory on the PDA.


9. General information concerning InitString

An InitString example for GPRS via E-plus:
AT+cgdcont=1,"IP","internet.eplus.de"<cr>
Important for the notation: with quotation marks, without space, AT in front, 
<cr> at the back
In case of malfunction, test with an additional ATZ<cr> in front of the 
InitString (triggers a modem reset).


10. Activation key

Now the activation key and serial number are read out and set from an existing 
CNF file (telephone book from the Update Server). 

If the product category changes in the process (VPN <--> PKI / GovNet), then the 
"Client Driver must be restarted thereafter, so that the PKI part is switched 
on/switched off. However this condition is NOT indicated with a box. 


11. Connection disconnect after standby mode

It is possible, using a registry key, to influence the behavior after leaving 
standby mode (=switching the PDA off). Either a registry editor or 
"autoinstall.exe" is required to modify the entries. 
Key: [HKEY_LOCAL_MACHINE\SOFTWARE\NCP\NCP Secure CE Client]
Values: DisconnectAfterPowerOn - 0/1 (Default=1) 
Determines whether a possibly still existing VPN should be disconnected or not 
after "Switching on". However this is only practical for (W)LAN. PKI connections 
are always terminated because the PIN will be switched to invalid!


12. Autoinstall

An autoinstall.exe is in the installation directory on the PC. Using this file 
you can make settings on the NCP client, on the PDA, and the installation can be 
automated to some extent.  Information can be called up using "autoinstall = 
help" or it can be called up in the autoinstall.rtf file (also in the 
installation directory).


13. PKI monitoring - determines whether the PKCS12 file is present

This version monitors whether the PKCS#12 file is present. If this file is 
stored on a USB stick or SD card, for instance, then the PIN is reset and the 
connection is terminated after pulling the SD card (as is the case with a Chip 
Card). Later if the SD card is re-inserted, then the connection can be 
established after entering the PIN. 


14. DHCP, standard setting

The NCP adapter is automatically set to DHCP during the installation on the PDA. 
This setting can lead to problems for some devices (the adapter does not get an 
IP address). If this is the case, the IP address can be changed in the following 
dialog: 
Start Menu -> Settings -> Connections -> Network adapter -> NCP Loopback 


15. PC component

Previously an activSync connection to the PDA had to exist when starting the PC 
component; otherwise the subsequent telephone book upload/download did not 
function. Now the exchange functions even if the PDA is only attached later. 
Also the modem data and the smart card reader data can be subsequently loaded 
from the PDA; there are 2 new menu entries for this.
Please note: The information about available modems is generated "fresh" on the 
PDA each time, however the information about smart card readers is only 
generated each time the driver starts on the PDA.




New features of Version 1.22, Build 14 relative to version 1.0
-------------------------------------------------------------------------------- 

1.    NCP Dialer and Microsoft RAS Dialer

The new version of the NCP Secure CE Client can use the Microsoft RAS dialer as 
well as the NCP Dialer. With the NCP Dialer, initialization strings can be sent 
to mobile phones (modems) so that GPRS connections can be established with any 
suitable mobile phone (v.110 also).

The question of which dialer to use depends on the hardware components or which 
mobile phone or modem is implemented for establishing the connection, and 
whether the dial-in point (ISP) requires a dial-in script. The appropriate CE 
client configuration is executed on the PC component in the phonebook. (See -> 
Readme.txt)


2.    The "Modem" parameter window

This parameter field appears only if you have selected the "Modem" connection 
type. All required parameters for this connection type are collected here. Only 
the "Baud rate" and "Modem" parameters can be configured when implementing the 
Microsoft RAS Dialer. The drivers associated with the modem will be listed for 
selection according to the implementation of the dialer previously specified 
under "Destination system".


3.    Certificate Check

The new Secure CE Client is able to check incoming Server Certificates. If the 
certificate check fails the connection will not be established. The cause can be 
read in the Log windows of the client.
 
You can specify in the "Certificate Check" parameter field, per destination 
system, which entries must be present in a certificate from the other side 
(Secure Server).
See also the file Readme.txt.


4.    Certificate support

Certificates with a private key up to a length of 2048 bits can be implemented. 
NCP Secure Server 5.21 (27), or higher, must be implemented on the other side.


5.    Downloading the Update Server

The CE Client can use the service of configuration updates and certificate 
updates in conjunction with the NCP Secure Update Server. The updates are 
executed automatically, this means as soon as a new phonebook (configuration 
update) or a new certificate (certificate update) is ready for the client. 


6.    Password queries

When creating a phonebook entry with the PC component, the password field for 
"Network dial-in", as well as the password (VPN) field for dialing into the VPN 
gateway (under tunnel parameters), can remain empty. In this case, the passwords 
will be requested before the connection is established on the PDA.


7.    PIN request at each connection establishment

The "PIN request at each connection establishment" can be set in the main menu 
of the PC component under "Configuration - certificates". Please note however, 
that a connection establishment is not possible for "Automatic connection 
establishment" with this setting and a closed monitor.


8.    Autostarting the NCP driver on the PDA

The NCP driver does not have to be manually started from the program monitor 
after the installation, and after a soft reset. The driver is started 
automatically if the ncprwscestart program has been copied from the installation 
directory on the PDA into the autostart directory under Windows.

--------------------------------------------------------------------------------
For further information please consult the Web-Site: www.ncp.de
--------------------------------------------------------------------------------
NCP engineering GmbH, Nuremberg, Germany
09/20/2006
