File:          README.TXT
Product:       Secure Entry Client
Manufacturer:  NCP engineering GmbH Nürnberg, Deutschland
-------------------------------------------------------------------------------


1. Product Description
===============================================================================

1.1 Universal IPSec Client
-------------------------------------------------------------------------------
The IPSec Client can be used in any VPN environment. The client communicates on 
the basis of the IPsec standard with the gateways provided by a wide variety of 
vendors* and is the alternative to the uniform IPsec client technology offered 
on the market. The Client Software emulates an Ethernet LAN adapter. The Client 
has additional features that integrate the user into a holistic remote access 
VPN solution.

The IPSec client offers:
- Support of all major operating systems
- Dial-in over all transmission networks
- Compatibility with VPN gateways from a wide variety of vendors*
- Integrated personal firewall for more security
- Dialer protection (no misuse by third parties)
- Higher speed in the ISDN (channel-bundling)
- Saving telephone charges (charges and connection management)
- Convenient operation (graphic interface)
- Central management**
*) Compatibility list available on the NCP website www.ncp.de
**) optional

1.2 Performance range
-------------------------------------------------------------------------------

The IPSec client supports all major operating systems (Windows 98se, ME, NT, 
2000, XP). Connecting to the corporate network is media-type independent, e.g. 
in addition to ISDN, PSTN analog telephone network, GSM, GPRS, and xDSL, LAN 
technologies such as WLAN (on the corporate campus and hotspots) or local area 
networks (branch office network) are also supported.
A possible scenario: an employee must access the corporate network from various 
locations with one and the same end device:
- in the branch office via WLAN
- in the corporate headquarters via LAN
- on the road at hotspots and at customer sites via WLAN or GPRS
- in the home office via xDSL, cable, or ISDN

2. Installation
===============================================================================

A Setup program performs the installation of the Client Software quickly and 
smoothly. The following text describes the procedures for installing the 
Client Software under Windows 98/ME and Windows NT/2000/XP. Prior to executing 
Setup be sure that the following prerequisites are fulfilled.

2.1 Installation Prerequisites
-------------------------------------------------------------------------------

System Requirements:
In order to be able to communicate with the Client Software it is essential to 
have either Microsoft Windows 98, Windows ME, Windows NT (4.0 or later) with the 
service pack 5.0 (or later), Windows 2000 or Windows XP installed on your PC 
(min. 32 MB RAM). During the installation you are asked to have your operating 
system CD or disks ready, as these will be needed for updating your PC's driver 
database files. Please insert these when prompted to do so.

Remote Destination:
The parameters of the remote destination must be entered in the profile 
settings. In order to communicate with the remote destination it must support 
one of the following media types: ISDN, PSTN (analog modem), LAN over IP, WLAN  
or PPP over Ethernet (PPPoE).

Local System:
One of the following communication devices and its respective drivers must be 
properly installed on the Client Software PC.

* ISDN adapter (ISDN)
The device (e.g. internal or external adapter) must support the ISDN CAPI 2.0 
Kernel Mode standard. When using PPP Multilink the software can bundle up to 8 
ISDN B-Channels. Any ISDN device supporting the ISDN CAPI 2.0 can be used. 
Please check your device to be sure that such a driver is available. The Client 
Software does not support TAPI based ISDN devices.

* Analog Modem (Modem)
The Client Software can communicate with any industry standard analog PC modem, 
provided that it and the modem drivers have been properly installed and the 
modem initialization string and the COM port definition for the modem are 
correct. The modem has to support Hayes AT commands.
Mobile (cellular) telephones can also be used for data communication, after the 
associated software has been installed that presents itself to the client 
precisely as if it were an analog modem. The serial interface, IR (infrared) 
interface, or Bluetooth can be used as interface between mobile phone and PC. 
The opposite side must have the appropriate dial-in platform depending on the 
transfer rate (GSM, v.110, GPRS or HSCSD). The initialization string in the 
Secure Client modem configuration must be obtained from the ISP or the 
manufacturer of the mobile (cellular) phone.

* LAN adapter (LAN over IP)
When the Link Type LAN has been defined the Client Software may be used as an 
IPSec client in a LAN that communicates across a LAN network and associated 
router to a central site VPN Gateway. When defined as a LAN Client, the Client 
Software can also be used as a VPN or VPN/PKI plugin for Microsoft's RAS (Dial-
Up Network) client.
Adapters for a wireless LAN (WLAN adapter) are handled exactly like normal LAN 
adapters. "LAN (over IP)" must also be selected for WLAN.

* Broadband Device (xDSL (PPPoE))
Cable modems, splitters (e.g. for ADSL), etc. can be used in conjunction with 
PPP over Ethernet (PPPoE), which is supported by the Client Software.

* xDSL (AVM - PPP over CAPI)
The link type "xDSL (AVM - PPP over CAPI)" has been added in the "Destination" 
configuration field in the telephone book. If an AVM Fritz DSL card is to be 
used then this link type may be selected. AVM specific initialization strings 
may be entered in the field "Destination Phone Number" ("Dial-Up Network" group) 
for the connection.
It is recommended to use the standard setting "xDSL (PPPoE)" with Windows 
operating systems as this provides direct communication over the network 
interfaces.
No additional network card is necessary with the AVM Fritz! DSL card.

* Multifunction Card (GPRS/UMTS)
If you are using a multi-function card, special features of mobile computing 
can be used depending on the card characteristics (see the appendix of the 
handbook "Mobile Computing"). Because the Secure Client supports the 
multi-function card for UMTS/GPRS/WLAN directly, the management software 
supplied with the card does not need to be installed. The VPN connection is 
established via the integrated NCP Dialer, independent of the Microsoft data 
communications network. Currently supported multi-function cards:
- T-Mobile Multimedia NetCard
- Vodafone Mobile Connect Card
- KPN Mobile Connect Card
- T-Mobile DSL card 1800

* WLAN adapter under Windows 98/NT (LAN over IP)
Adapters for a wireless LAN (WLAN adapter) are handled exactly like normal LAN 
adapters. "LAN (over IP)" must also be selected for WLAN. In this case the 
management tool of the WLAN card, or the Microsoft tool must be activated.

* WLAN adapter under Windows 2000/XP (WLAN)
Under Windows 2000/XP the WLAN adapter can be operated with the link type 
"WLAN". In the monitor menu the special "WLAN settings" menu item is displayed 
where the access data for the wireless network can be saved in a profile. If 
this "WLAN configuration" is activated, then the management tool of the WLAN 
card, or the Microsoft tool must be deactivated. (Alternatively the management 
tool of the WLAN card or the Microsoft tool can be used as well.)
If the link type WLAN is set for the destination system in the phonebook, then 
under the graphic field of the Client Monitor an additional area is shown where 
the field strength and the WLAN network are displayed.
Please read the description of the parameters "Link Type" in the section 
"Configuration parameters / Phonebook".

* Automatic Media Detection
If various link types could be used, the client automatically detects which 
link type can actually be used and selects the fastest one.
On the basis of a pre-configured destination system, those link types that are 
currently available for the Client PC are detected and implemented, and if 
multiple alternative transmission paths are available, the fastest will be 
selected automatically. The link type priority is specified in the following 
sequence in a search routine: 1. LAN, 2. WLAN, 3. DSL,  4. UMTS/GPRS, 5. ISDN, 
6. MODEM.
The configuration is executed in the phonebook with the link type "Automatic 
media detection" under "Destination system". If desired, all destination systems 
for the VPN gateway that are pre-configured for this Client PC can be assigned 
to this automatic media detection. This renders manual selection of a medium 
(WLAN, UMTS, LAN, DSL, ISDN, MODEM) from the phonebook entries superfluous. 
Input data for the connection to the ISP are transferred from the available 
phonebook entries in a manner that is transparent for the user.
Please note the description "Destination System / Link Type".


Prerequisites for Strong Security

If you are using the Client Software which provides support for X.509 
certificates (Strong Security version of the Client), then the following 
prerequisites must be fulfilled:

* TCP/IP
The protocol TCP/IP must be installed on your PC.

* Smart Card Reader

The Client Software supports all Smart Card readers that are PC/SC compliant. 
Such readers will only be entered in the Client Software Smart Card reader list 
after the Smart Card reader, including the associated driver software, has been 
installed on the PC. The Client Software detects the Smart Card reader 
automatically after the PC has been booted. The Smart Card reader can then be 
selected as described above and used accordingly. 
In order to use the features of the Smart Card, configure the Smart Card by 
selecting "Configuration -> Certificates" in the pull-down menu of the Client 
Software Monitor. When you insert your Smart Card in the Smart Card reader, you 
can enter your PIN.

+ Smart Card Reader (CT-API compliant) 
Please note the following instructions when using a Smart Card reader that is 
CT-API compliant: 
* The current software includes drivers for the Smart Card readers SCM Swapsmart 
and SCM 1x0 (PIN Pad reader). These Smart Card readers can be set in the Monitor 
under "Configuration -> Certificates".
If, however, the Smart Card reader does not work with the drivers that are 
included in the software, or a Smart Card reader is to be used that does not 
show up in the configuration selection of supported readers, then ask the 
supplier or producer of the Smart Card reader (or check the respective web 
site) for the current hardware driver and install it. In this case the client 
software requires some modifications:
* Use an ASCII editor to edit the NCPPKI.CONF file. You will find this file in 
the WINDOWS\SYSTEM directory (Windows 95/98) or in the SYSTEM32 directory 
(Windows NT/2000). Enter the name of the connected Smart Card reader as 
"ReaderName" (xyz) and the name of the installed driver as DLLWIN95 or DLLWINNT 
respectively. The default name for CT-API compliant drivers is CT32.DLL. 

Important: Only those drivers that have been appropriately set with "visible = 
1" will be displayed in the list!

Modulname  = SCM Swapsmart (CT-API) -> xyz
DLLWIN95   = scm20098.dll           -> ct32.dll
DLLWINNT   = scm200nt.dll           -> ct32.dll

* After rebooting the PC the new "ReaderName" is displayed in the Monitor under 
"Configuration -> Certificate -> Smart Card reader". Now you select that Smart 
Card reader. 

+ Smart Cards
Currently, the following Smart Cards are supported:
* Signtrust 
* NetKey 2000 
* TC Trust (CardOS M4) 
* Telesec PKS SigG 

+ Soft Certificates (PKCS#12) 
Instead of a Smart Card you can also use soft certificates or tokens.

+ Smart Cards or Token (PKCS#11)
Drivers in the form of a PKCS#11 library are supplied with the software for the 
card reader or token. This driver software must first be installed. Then the 
NCPPKI.CONF file must be edited.
* Edit the NCPPKI.CONF file located in the windows\system directory (Windows 
95/98) or system32 directory (Windows NT/2000), with an ASCII editor by entering 
the name of the connected reader or token (xyz) as "module name". The name of 
the DLL must be entered as PKCS#11-DLL. The associated "Slotindex" is 
manufacturer-dependent (standard = 0).

Important: Only those drivers are visible in the list that have been set to 
visible with "visible = 1".

Module name = xyz
PKCS#11-DLL = Name of the DLL
Slotindex   = 

* After a boot process the "Module name" you entered appears in the monitor menu 
under "Configuration-> Certificates -> Configuration -> Smart Card reader". Now 
select this Smart Card reader or token.
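
Added example (not part of the NCP documentation or software): a small Python 
check for the PKCS#11 entries described above, reporting why a module would not 
appear in the reader list or could not be loaded. It assumes the file consists 
of plain "key = value" lines with each entry starting at a "Module name" line, 
which this README does not specify; the sample file and DLL names are constructed.

```python
# Added example: audit PKCS#11 entries of an NCPPKI.CONF-style file.
# Assumption: plain "key = value" lines, one entry per "Module name" line.

SAMPLE_CONF = """\
Module name = Example Token A
PKCS#11-DLL = exampletoken.dll
Slotindex   = 0
visible     = 1

Module name = Example Token B
PKCS#11-DLL =
Slotindex   = one
visible     = 0
"""  # constructed sample, not taken from a real installation


def parse_entries(text):
    """Split the file into entries; a new entry starts at each 'Module name'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "module name":
            current = {"module name": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def check_entry(entry, installed_dlls):
    """Return a list of findings for one entry.

    installed_dlls: lower-case file names present in the system directory
    (e.g. collected with os.listdir); passed in so the check runs offline.
    """
    findings = []
    dll = entry.get("pkcs#11-dll", "")
    if not dll:
        findings.append("PKCS#11-DLL is empty")
    elif dll.lower() not in installed_dlls:
        findings.append("DLL %s not found in system directory" % dll)
    slot = entry.get("slotindex", "") or "0"  # README: standard = 0
    if not slot.isdigit():
        findings.append("Slotindex %r is not a number" % slot)
    if entry.get("visible") != "1":
        findings.append("visible is not 1, entry is hidden in the reader list")
    return findings


def audit(text, installed_dlls):
    """Map each module name to its list of findings (empty list = ok)."""
    return {e["module name"]: check_entry(e, installed_dlls)
            for e in parse_entries(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF, {"exampletoken.dll"}).items():
        print(name, "->", findings or "ok")
```

Because the client loads whatever DLL the entry names, comparing the configured 
name against the driver files actually installed is a useful check after any 
edit to this file.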



2.2 Installing the Client Software
-------------------------------------------------------------------------------

The initial installation steps for the Client Software are almost the same for 
both Windows 98/ME and Windows NT/2000/XP. Please note that there are some 
differences when installing from a hard disk, CD or removable disk.

Installation and Licensing

First the NCP Secure Entry Client is installed as a test version. If you possess 
a license, you can enter the license data after a reboot of the software by 
selecting the monitor menu option "License Info and Activation". The test 
version is valid for 30 days. Without software activation or licensing it will 
no longer be possible to set up a connection after this 30-day period expires. 
When 10 days of validity remain, a message box will be displayed to remind you 
that the software has not yet been licensed. For licensing the software please 
refer to the chapter "Licensing" in the handbook.

Please note when installing the Software under Windows XP:

Microsoft Windows XP informs the user as soon as a driver software is being 
installed which is not licensed by Microsoft. Windows XP runs a Microsoft 
specific "compatibility test" and warns the user not to install the software. 
This test does not check the compatibility of the software with Windows XP. 
Since the client software is not licensed by Microsoft, the warning 
occurs when the client is installed on a Windows XP machine. 
What to do:
- You can modify the Windows XP default settings so that any software can be 
installed without the Microsoft compatibility check. Open the Windows Control 
Panel and then "System (Properties) - Driver Signing". Set the install procedure 
to "Install the software anyway and don't ask for my approval"!
- You can ignore the warning when installing the client. After the warning 
pops up, click on "proceed Installation" and Windows XP will let you 
install the client adapter. The installation will not have any negative 
effect on the operating system.

2.2.1 Installing from a hard disk (e.g. 30 day limited test version)
...............................................................................

If you want to install the Client Software after downloading it, first extract 
the data. The data is extracted automatically into the directory "Disk1". 
Then start the installation with Setup.exe from directory "DISK1". All further
installation steps are the same as described in the following text under
"Installing from removable disk", starting from the window "Choose Setup
Language".

2.2.2 Installing from CD
...............................................................................

After inserting the CD in the drive of your PC, the welcome window appears on 
the monitor. Click on "Install Products" and then select the Client Software 
version to be installed. All further installation procedures are identical with 
the procedures for installing from removable disk, starting from the window 
"Choose Setup Language".

2.2.3 Installing from removable disk
...............................................................................

To install the Client Software select in the Windows main menu: Start -> 
Settings -> Control Panel. Select "Add/Remove Programs" in the Control Panel and 
then click on the "Install" button. Insert the removable disk with the Client 
Software if you have not already done so and then click "Next".

When SETUP.EXE appears click on "Finish". The "Choose Setup Language" window 
appears, where you can select the language to be used for the installation and 
then click "OK".

The "Install Shield Assistant" is now started. It will guide you through the 
installation. 

Read the terms of the Welcome window carefully and click on "Next".

The next window displays the Software License Agreement. In order to proceed 
with the installation of the licensed version click on "Yes". Clicking "No" will 
stop the installation process.

If you are not in possession of an Authorized Client Software License, select 
installation as a test version in this window. (If you install the free 30 day 
limited test version, it is valid only for a period of 30 days from the day of 
installation. Thereafter it cannot be used.)

If you are in possession of a license, select in this window "Install as 
Authorized Licensed Version" and click on "Next". Enter the serial number of 
your software license and the activation key in the appropriate fields when 
prompted to do so. (Please refer to the bill of delivery.) Upon entering these 
codes correctly, the "Next" button will be activated. By clicking on "Next" the
Client Software will be activated as an authorized license version.

Independently of "Typical" or "Custom" installation you can select any folder 
for the software installation by clicking on "Browse". This is particularly 
important if the user should have no rights on the system root directory.

If you select "Standard Installation" in this window the installation will 
continue automatically and the setup is finished.

By selecting the "Custom" Installation you can define settings according to 
your requirements. In the following window of the "Custom" Installation you 
define the program folder for the client software. (Default setting: "NCP 
Secure Client"). In the next window you can define whether the Program Icon 
should be displayed on the desktop or not. 

Please contact your system administrator or your internet service provider for 
additional information about your communication gateway.

-> for Windows 98/ ME continue 2.2.4
-> for Windows NT/ 2000/XP continue 2.2.5


2.2.4 User defined Installation and completion under Windows 98/ME
...............................................................................

The following is a list of minor differences in the installation procedures for 
Windows 98/ME and Windows NT/2000/XP.

Communication with DHCP (Dynamic Host Configuration Protocol) means that a 
temporary IP Address will be assigned automatically for each communication 
session. If required, click on "Obtain an IP Address from DHCP Server". If you 
"Specify an IP Address", enter the IP address in this window. Default Gateway: 
If a network adapter with a Default Gateway is already installed, you will have 
to delete this Default Gateway Address. It is not possible to have more than 
one network adapter with a Default Gateway. DNS Address: You should only enter 
a DNS Address if you have been assigned one from your system administrator or 
ISP.

[If you already have the software installed on your PC, this will be detected by 
the installation program. You will be prompted and asked if you wish to "Update" 
the current Secure Client or if you wish to cancel the installation (see -> 
"Update and Uninstalling").]

After all data from the CD or removable Disk have been loaded, click on
"finish" to complete the setup. Now you will be prompted to install the driver.
To proceed, click on the "OK" button.

The Network window will appear. Click on "Add" (Under Windows ME a corresponding 
dialog "add hardware" is displayed). Select Network Component and then click 
on "Add" again. Under "Manufacturer" select NCP and then select the driver in 
the window on the right. Click on "OK" in order to install the driver. This 
completes the installation of the Client Software with setup under
Windows 98/ME.

Upon doing so the driver will be installed and displayed in the list of adapters 
in the Network window. TCP/IP will also be installed and bound to the Secure 
Client Adapter. Thereafter it will be necessary to copy files from the operating 
system in order to update the driver database. Insert the respective CD or 
enter the path for the operating system. Click "Yes" and wait till you are 
prompted to reboot your system. Note: You must reboot your PC.

2.2.5 User Defined installation and completion under Windows NT/2000/XP
...............................................................................

Communication with DHCP (Dynamic Host Configuration Protocol) means that a 
temporary IP Address will be assigned automatically for each communication 
session. If required, click on "Obtain an IP Address from DHCP Server". If you 
"Specify an IP Address", enter the IP address in this window. Default Gateway: 
If a network adapter with a Default Gateway is already installed, you will have 
to delete this Default Gateway Address. It is not possible to have more than 
one network adapter with a Default Gateway. DNS Address: You should only enter 
a DNS Address if you have been assigned one from your system administrator or 
ISP.

[Now you can define any additional protocols and services to be installed. Be 
sure to have the operating system CD or Diskettes available, as you may need a 
driver for the installation. Click on "Next" to conclude the User Defined 
installation. Thereafter you can define whether a logon to a remote domain 
should occur after establishing a connection to the remote destination's NAS, 
which may necessitate entering the PIN for your certificate and/or your Password 
(if not already stored in the Client Software). After establishing a connection 
to the remote destination's NAS, you can logon to the remote domain. This logon 
will be encrypted.]

The data will now be copied from the installation CD or removable disk. The
associated network components will now be installed. This completes the
installation of the Client Software under Windows NT/2000/XP. Click the
"Finish" button. Before using the Client Software it is necessary to reboot
your PC. Click on "Yes, I want to restart my computer now" and then click on
"Finish" to reboot your PC. 

Refer to the section "Using the Client Software under Windows NT/2000/XP" to 
find notes for User Rights.

2.2.6 Using the Client Software under Windows NT/2000/XP
...............................................................................

In order to use the Client Software without having administration rights, 
read/write rights must be set for the following files and directories:

1.  All files of the installation directory (default: subdirectory NCPLE) 
    require read rights (under Windows NT).
2.  The NCPBM.DAT file requires read and write rights (Statistics, Budget 
    Manager).
3.  The file NCPPHONE.CFG requires read and write rights.
4.  The file NCP.DB in the installation directory (default: subdirectory NCPLE) 
    requires read and write rights.
5.  Under Windows XP the installation directory (default: subdirectory NCPLE) 
    requires full rights.


2.3 Assistant for first Configuration
-------------------------------------------------------------------------------

Once you have installed the Client Software and rebooted your PC, the Client 
Monitor will be automatically displayed on your PC. The "Assistant for first 
Configuration" will also be displayed, provided that you have installed the 
Client Software for the first time on your PC and that no previous Phonebook 
exists from an earlier Client Software. It is located in the installation 
directory.

If you do not use the assistant for creating such test destinations, then no 
entries will be added to the phonebook. In this case you will have to create 
your own phonebook entries, as described in the chapter "Client Monitor" under 
"New Entry - Destination".


If you use the assistant, click on "Next". If selected then an IPSec test 
destination will be added to the client's phonebook and the assistant will guide 
you through the definition of generic parameters. The following access data are 
created automatically: VPN protocol is IPSec, the Tunnel Endpoint of the VPN 
gateway is: 62.153.165.62, XAUTH userID and Password is "ncpipsecnative". The 
link type is LAN. If a connection via an ISP should be established, the 
parameters for dial-up must be configured in the profile settings. When setting 
up the variant with strong security you can use a test certificate.

The PIN of the test certificate is "1234" and must be entered when establishing 
the connection. Once you have saved the test configuration, you can immediately 
set up a test connection (in LAN mode) by clicking the "Test" button.

For further configuration of a profile refer to the description under "Client 
Monitor, Profile settings" and "Configuration Parameters, IPSec settings".


2.4 Updating and Uninstalling
-------------------------------------------------------------------------------

If you are already using a previous version of the Software it will be detected 
when attempting to install the new Client Software. If this is the case, then 
you will be asked if you wish to update your current Client Software to the 
newer version now in your possession. During the update the current profile 
settings, certificate data and call control manager statistics will be applied 
to the new client.

In order to uninstall the Client Software go to: "Start" -> "Settings" -> 
"Control Panel". Now click on "Add/Remove Software" and then select the client 
from the list of programs and then click on the "Add/Remove" button. The 
Uninstall Shield Program will now delete the client software from your PC.

Important: After the removal of the software components, the profile and 
configuration settings are still saved and can be restored in the event a newer 
version of the client is installed. In order to completely delete everything, 
manually remove the installation directory (default \Windows\ncple).


2.5 Upgrade to the Secure Enterprise Client
-------------------------------------------------------------------------------

You upgrade from a Secure Entry Client to a Secure Enterprise Client by 
replacing the licensing and the software. This can be done manually on-site, or 
via an Update Server.

For a manual upgrade the software is reinstalled from the CD, and "NCP Secure 
Enterprise Client" is entered as the product to be installed. In this process 
the install program recognizes that a software version has previously been 
installed and executes an update after appropriate confirmation (see 2.5). Then 
the new activation key with serial number must be entered in the Pop-up menu.

For an upgrade via an Update Server, the IP address of the Update Server is 
entered in the client's telephone book (see -> DNS / WINS). In this case the 
Secure Client software will be downloaded automatically the next time the client 
dials into the corporate network. At the next dial-in with this new software a 
CNF file (profile settings) with licensing key will be downloaded. This concludes 
the update process.
===============================================================================
NCP engineering GmbH, April 2006
