File:           WHATSNEW.TXT 
Product:        NCP Secure Entry Client 
Version:        Version 8.30
Manufacturer:   NCP Engineering GmbH, 90499 Nuremberg, Germany

--------------------------------------------------------------------------------
Latest Release Info. - NCP Secure Client under Windows 98se/ME/NT/2000/XP
--------------------------------------------------------------------------------
New features of version 8.30 relative to version 8.21
--------------------------------------------------------------------------------

1. New Connection Types

We have added two new connection types to the Phonebook's "Destination system" 
parameter field of the Client:
- WLAN
- Automatic media detection

WLAN: Configuring a destination system with connection type WLAN enables direct 
activation and configuration of the WLAN card from the Client. The management 
software of the WLAN card then does not need to be installed (Windows 2000/XP 
only).

Automatic media detection: This connection type is intended for Client PCs that 
alternate between different connection types. The Client automatically detects 
which connection types are currently available and selects the fastest of them.


2. Integrated WLAN Configuration for Windows 2000/XP

Under Windows 2000/XP the WLAN adapter can be operated with the connection type 
"WLAN". The monitor menu then shows the additional "WLAN settings" menu item, 
where the access data for the wireless network can be saved in a profile. If 
this WLAN configuration is activated, the management tool of the WLAN card and 
the Microsoft tool must be deactivated.

Alternatively the management tool of the WLAN card or the Microsoft tool can be 
used instead. Only one of these tools may control the adapter at a time; the 
tools that are not in use must be deactivated.

If the connection type WLAN is set for the destination system in the phonebook, 
then under the graphic field of the Client Monitor an additional area is shown 
where the field strength and the WLAN network are displayed.

Please read the description of the parameter "Connection type" in the section 
"Configuration parameters / Phonebook", and the appendix "Mobile computing via 
GPRS / UMTS / WLAN", before configuring the WLAN settings.

If WPA is used with EAP (TLS), then the EAP options must be activated in the 
configuration menu of the monitor and a certificate must be configured (in the 
monitor menu under "Configuration / Certificates").


3. Automatic Media Detection

On the basis of a pre-configured destination system, the connection types that 
are currently available on the Client PC are detected, and if multiple 
alternative transmission paths are available, the fastest is selected 
automatically. The search routine checks the connection types in the following 
order of priority: 1. LAN, 2. WLAN, 3. DSL, 4. UMTS/GPRS, 5. ISDN, 6. MODEM.

The configuration is made in the Phonebook with the connection type "Automatic 
media detection" under "Destination system". If desired, all destination systems 
for the VPN gateway that are pre-configured on this Client PC can be assigned to 
this automatic media detection. This makes manual selection of a medium (UMTS, 
DSL, ISDN, MODEM) from the Phonebook entries unnecessary. The access data for 
the connection to the ISP are taken from the available Phonebook entries 
transparently for the user.


4. Available Communication Media

The purpose of this window is only to inform the user about the available link 
types and the link type currently in use. On the basis of a pre-configured 
destination system, the link types that are currently available on the Client 
PC are detected, and if multiple alternative transmission paths are available, 
the fastest is selected automatically.

The available link types are displayed with yellow signal lamps and the 
automatically selected with a green signal lamp.

For configuration purposes see the description of "Automatic Media Detection" 
in the parameter folder "Destination System" of the phonebook.


5. Licensing

Licensing no longer occurs via the popup menu; it is now executed via the 
Monitor menu option "Help / License Data and Activation".

The installed software version, and possibly the licensed version with serial 
number, are shown under the menu option "License Data and Activation" in the 
monitor.

If the software is used as a test version, the remaining validity period is 
displayed in the popup.

In order to use a valid full version that is not subject to time restrictions, 
the software must be activated with the license key and serial number received.

The licensing process for the software requires your acceptance of the license 
conditions, which can be viewed via mouse click.

License key and serial number can be entered after you have clicked on the 
activation button. The license data can then be entered either online or 
offline via an assistant.

In the offline variant, a file that is generated after entering license key and 
serial number must be sent to the NCP web server, and the activation key that is 
displayed on the website must be noted. This activation key can be entered in 
the licensing window of the Monitor menu at a later point in time.

In the online variant, the assistant forwards the licensing data to the web 
server immediately after entry, and the software is activated immediately.


6. Friendly Net Detection (FND)

FND enables the NCP Client to automatically detect whether it is in a Friendly 
Net (FN) or not.
 
Automatic mechanisms integrated in the Personal Firewall replace manual 
intervention. The administrator defines what constitutes an FN in the Firewall 
settings of the Monitor. The monitor indicates the presence of an FN by 
displaying the Firewall icon in green.
 
A Friendly Net Detection Server (FNDS) is required; this is an NCP software 
component that must be installed in a network that is defined as "Friendly Net". 
The FNDS is authenticated via EAP or EAP-TLS, so the Client switches its firewall 
policy only after the server has proven its identity, not merely because an 
address in the friendly net is reachable.

The user does not have to worry about setting the Personal Firewall. The NCP 
Client dynamically applies a suitable firewall policy depending on the 
communication environment. This prevents the unintentional use of an incorrect 
firewall configuration, and thus attacks on the corporate network via the 
Client.

For redundancy, the IP address of a second FND server can be entered after the 
first IP address, separated by a comma. The first FND server that can be reached 
is used automatically for friendly net detection.


7. The Range of supported Smart Cards has been extended

The following smart cards are supported directly via the PC/SC or CT-API 
interface:
- Signtrust
- NetKey 2000
- TC Trust (CardOS M4)
- Telesec PKS SigG


8. External Applications

Use this configuration field under connection management in the monitor menu to 
start applications or batch files depending on the connection state of the 
Client.

In the extended configuration you can determine when the application is 
started:
- Before the connection is set up (precon)
- After the connection has been set up (postcon)
- After the connection has been disconnected (discon)

The wait function "Wait until application has been executed and ended" is 
relevant if a series of batch files is to be executed one after the other.


9. External Applications before Windows Logon

You can also start external applications (console applications or batch files, 
not Windows GUI programs) with the NCP Gina via the menu item "Logon options" in 
the monitor menu "Configuration":
- Before the connection is set up (precon)
- After the connection has been set up (postcon)

In addition, the application can be started depending on the connection type of 
the destination system that is selected in the Gina dialog. The application 
always starts if the connection type "All" has been selected.

"Wait for domain preparation (postdom)" means that after the initialization 
period, the application will be started immediately prior to domain logon.

The wait function "Wait until application has been executed and ended" can then 
be relevant if a series of batch files will be executed one after the other.


10. Dialog and Installation of the NCP Gina

The NCP Gina dialogs can be hidden via the Monitor menu without de-installing 
the Gina. Thus Gina concatenations that may possibly be necessary for the 
respective work environment remain intact.

If you want to display the Gina dialog, note that the NCP Gina must be 
installed in any case. This can be done in the following ways:
- With the software installation: here the system asks the user whether he wants 
to use the Windows logon via the NCP Gina. If yes, it is installed.
- Retroactive installation is possible via the command line interface 
rwscmd.exe; likewise, retroactive de-installation is also possible.

The standard situation is that EAP authentication takes place before the 
connection to the VPN gateway is established. If EAP is to be used without 
subsequently setting up a connection via the Client (pure EAP client), then this 
function must be activated. If EAP with certificate is used, the PIN dialog for 
authentication against the network component appears first. Thereafter the 
destination can be selected.

If the function is not activated, EAP authentication is only executed after the 
destination has been selected.


11. Allow HotSpot Logon for External Dialers

If this function is activated, hotspot logon can be executed via an external 
dialer. The command line interface rwscmd.exe must be called for this (see the 
description in the "Services" appendix of this manual for more information). The 
command
rwscmd /logonhotspot [Timeout]
opens ports 80 (HTTP) and 443 (HTTPS) in the firewall. This generates a dynamic 
rule that allows data traffic for this hotspot logon until the transferred 
timeout (in seconds) has elapsed; afterwards the ports are closed again. The 
timeout should be kept as short as the logon procedure allows.


12. Initialization Time after Network Logon

Windows may require a certain initialization time between network logon and 
domain logon. This preparation time for the domain logon can be activated and 
set here. After the connection has been set up, the Windows domain logon is only 
executed once the initialization time set here has elapsed.

The default value is 45 seconds and can be changed as needed. 


13. New Parameter Field in the Phonebook "Authentication before VPN"

This parameter field only appears if the connection type "LAN" or "WLAN" has 
been configured for the destination system, or if an external dialer is used, or 
if the destination system has been configured for automatic media detection. 
Please read the description of the "Destination / connection type" parameter 
field, for more information in this regard.


14. New Parameter Field in the Phonebook "HTTP Authentication"

HTTP authentication allows automatic, script-driven logon for mobile users at 
hotspots (via DSL as well). 

For a destination system with the connection type WLAN the HTTP logon data are 
not entered in the phonebook. Instead, activating this function causes the 
authentication data from the WLAN settings in the Monitor menu to be used for 
this destination system.

If the access point executes an HTTP redirect to its logon page, the user name 
and password do not have to be entered in a browser window. Instead the 
authentication data entered here are used.

Authentication is executed via an appropriate script. Examples are in the 
installation directory <system root>\ncple\scripts\sample.

If HTTP authentication is activated, the connection to the hotspot is set up 
automatically. A message box informs the user that this connection may incur 
charges and that by proceeding he accepts the contract conditions of the hotspot 
operator.
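The two steps a script-driven hotspot logon has to perform before it submits the 
stored user name and password are recognising the access point's HTTP redirect 
and locating the logon form on the portal page. The following Python example is 
added here for illustration; it is not one of the NCP sample scripts and does 
not use their format. The HTTP response and the portal page are constructed 
strings (no network access), and the portal host name and form field names are 
assumptions. The rule that credentials may only be posted to an https form on 
the expected portal host is a practitioner's safeguard against impostor access 
points, not something the release note specifies.

```python
"""Detect a captive-portal redirect and extract the logon form from the
portal page (added example, not NCP code; inputs are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

PROBE_URL = "http://www.example.com/"   # page the client requests first (assumed)


def parse_http_response(raw):
    """Return (status_code, headers dict with lower-case names, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def redirect_target(status, headers, request_url=PROBE_URL):
    """A 30x answer whose Location points away from the requested host is the
    signature of a captive portal; a same-host redirect is just the site."""
    if status not in (301, 302, 303, 307) or "location" not in headers:
        return None
    target = urljoin(request_url, headers["location"])
    if urlsplit(target).hostname == urlsplit(request_url).hostname:
        return None
    return target


class _FormFinder(HTMLParser):
    """Collect the first <form> on the page and its named <input> fields."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "get"
        self.inputs = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            self.inputs[a["name"]] = ((a.get("type") or "text").lower(), a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def is_safe_logon_target(action_url, expected_host):
    """Credentials may only go to an https form on the expected portal host."""
    parts = urlsplit(action_url)
    return parts.scheme == "https" and parts.hostname == expected_host


def build_logon_request(portal_url, page_html, username, password, expected_host):
    """Return (post_url, form_fields) for the logon, or raise if it is unsafe."""
    f = _FormFinder()
    f.feed(page_html)
    if f.action is None:
        raise ValueError("no logon form on portal page")
    action = urljoin(portal_url, f.action)
    if not is_safe_logon_target(action, expected_host):
        raise ValueError("refusing to send credentials to %s" % action)
    if f.method != "post":
        raise ValueError("logon form does not use POST")
    fields, user_set = {}, False
    for name, (kind, value) in f.inputs.items():
        if kind == "password":
            fields[name] = password
        elif kind == "text" and not user_set:
            fields[name] = username
            user_set = True
        else:
            fields[name] = value        # hidden fields such as session tokens
    return action, fields


# Constructed samples (not captured traffic, host names are assumptions).
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://portal.hotspot.example/login?res=notyet\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PORTAL_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="hidden" name="sid" value="a3f9">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form></body></html>"""
```

Running the redirect sample through parse_http_response and redirect_target 
yields the portal URL; build_logon_request then produces the POST target and the 
field set with the hidden session token preserved. A portal whose form posts to 
plain http or to another host is rejected before any credential leaves the PC.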


15. Support for UDP Encapsulation (Port 4500)

If UDP encapsulation is used, the port can be freely selected. The standard port 
for IPSec with UDP encapsulation (NAT Traversal) is 4500; without UDP 
encapsulation, IKE uses UDP port 500 and ESP is transmitted directly as IP 
protocol 50. 
The NCP Gateway detects the UDP encapsulation automatically.
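The automatic detection mentioned above is possible because, on UDP port 4500, 
the two kinds of traffic are distinguishable from their first bytes: an IKE 
message is prefixed with a four-zero-byte "non-ESP marker" (RFC 3947), an ESP 
packet begins directly with its SPI, which is never zero (RFC 3948), and a 
single 0xFF byte is a NAT keepalive. The following Python example, added here 
and not NCP code, demultiplexes such payloads and decodes the fixed IKE header; 
the sample payloads are constructed, not captured.

```python
"""Demultiplex UDP/4500 payloads (NAT-T) into keepalive, IKE and ESP, and
decode the fixed IKE header (added example, not NCP code)."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

# Fixed IKE/ISAKMP header: initiator SPI (8), responder SPI (8), next payload,
# version (major nibble | minor nibble), exchange type, flags, message ID,
# total message length. 28 bytes, network byte order.
IKE_HDR = struct.Struct("!8s8sBBBBII")


def parse_ike_header(data):
    """Decode the fixed IKE header; raise ValueError on malformed input."""
    if len(data) < IKE_HDR.size:
        raise ValueError("short IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    if length != len(data):
        # The length field must cover the whole message; a mismatch means a
        # truncated or forged packet that should be dropped, not parsed on.
        raise ValueError("IKE length %d != payload %d" % (length, len(data)))
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify_udp4500(payload):
    """Say what a UDP/4500 payload carries: NAT keepalive, IKE or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike": parse_ike_header(payload[4:])}
    if len(payload) < 8:
        raise ValueError("too short for ESP (SPI + sequence number)")
    spi, seq = struct.unpack_from("!II", payload)
    if spi == 0:
        raise ValueError("ESP SPI 0 is reserved")
    return {"kind": "esp", "spi": spi, "seq": seq}


def classify_udp500(payload):
    """Without UDP encapsulation IKE is carried bare on UDP/500: no marker."""
    return {"kind": "ike", "ike": parse_ike_header(payload)}


# Constructed samples: an IKEv2 IKE_SA_INIT header without payloads
# (next payload 33 = SA, version 2.0, exchange type 34, initiator flag 0x08)
# and an ESP packet with SPI 0x0A0B0C0D, sequence number 7.
IKE_SA_INIT = IKE_HDR.pack(bytes.fromhex("0102030405060708"), bytes(8),
                           33, 0x20, 34, 0x08, 0, IKE_HDR.size)
SAMPLE_IKE_ON_4500 = NON_ESP_MARKER + IKE_SA_INIT
SAMPLE_ESP_ON_4500 = struct.pack("!II", 0x0A0B0C0D, 7) + bytes(16)
```

The same IKE header parser serves both ports; only the marker handling differs. 
Checking the IKE length field against the actual payload size before trusting 
any further field is the step that keeps a demultiplexer like this from being 
driven by truncated or crafted datagrams.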


16. Voice over IP (VoIP) setting priorities

If the Client is used for communication with Voice over IP, then this function 
"Voice over IP (VoIP) setting priorities" (in the phonebook under "Line 
Management") should be activated in order to send and receive the voice data 
without delay and without distortion.


New features of version 8.21 relative to version 8.20
--------------------------------------------------------------------------------

1.  Support of multi-function cards for UMTS/GPRS

If a multi-function card for UMTS/GPRS is installed, then an additional field 
appears with the connection type "GPRS/UMTS". This field shows field strength, 
connection type (UMTS or GPRS), and the network. In addition, the current 
connection type can be switched and the network can be changed.

2.  Menu item for SIM PIN entry for multi-function cards

The menu for the multi-function card has been extended with the "SIM PIN Entry" 
option. The menu option is only active if the SIM PIN has not been configured, 
or if it has not been entered.

3.  PIN handling for SIM has been reworked

PIN handling for the SIM has been completely reworked to support the multi-
function card (UMTS/GPRS). The necessary request for PIN or PUK entry is 
automatic. If entry of the PIN/PUK is interrupted, then it can be called later, 
via the menu. In addition, the current PIN or SIM can be changed via the menu.

4.  Configuration correction for the SIM PIN for UMTS/GPRS

If the SIM PIN of the multi-function card has been entered incorrectly, the 
user is prompted to enter the PIN when a connection is set up, and the corrected 
PIN is then saved in the configuration.

5.  Extension of the display for the field strength of multi-function cards

The field strength is also displayed with percentage values in the field for the 
multi-function card, in addition to the graphic bar level display.

6.  Log file for a multi-function card

If a multi-function card for UMTS/GPRS is installed, then a log file is written 
in the log directory of the Secure Client, with the following columns:
        1st Column:   Time
        2nd Column:   Current field strength
        3rd Column:   Average field strength of the last minute
        4th Column:   Average field strength of the last 5 minutes
        5th Column:   Average field strength of the last 10 minutes
        6th Column:   Current network type (UMTS or GPRS)
        7th Column:   Current network
An entry is created every 10 seconds; however the entries are only written to 
the file every 5 minutes. A log file named "mfc<DATE>.log" is created for each 
day. The log files for the last 7 days are kept.

7.  Log entry when setting up a connection (reason for the set-up)

When a connection is set up, the system writes a log entry in the Client's 
logbook citing the reason why the connection was set up.

8.  Log entry when disconnecting a connection (field strength status)

If an existing connection is disconnected, then the system writes a log entry in 
the Client's logbook citing the last field strength status values for UMTS/GPRS.

9.  "MAC address" parameter in the firewall rules

The parameter, "MAC address", has been removed in the rules under "General" in 
the firewall settings.



New features of version 8.20 relative to version 8.12
--------------------------------------------------------------------------------

1. Installation directory

In the user-defined installation you can select any installation directory for 
the software. This is particularly important if the user will have no rights on 
the system root directory.


2. Firewall

The Personal Firewall can be set in the "Configuration" monitor menu, and it is 
a fixed component of the Secure Client. All firewall mechanisms are optimized 
for Remote Access applications and are activated when the computer is started. 
This means that, in contrast to VPN solutions with a separate firewall, the 
teleworkstation is already protected against attacks before the VPN is actually 
used. The Personal Firewall also protects the end device even if the client 
software is deactivated. All firewall rules can be centrally specified by the 
administrator, and compliance with these rules can be enforced. The prerequisite 
for this is the central NCP Secure Enterprise Management system, which is used 
to configure the Client; the configuration can be locked so that the user cannot 
change it.


3. Automatic hotspot logon

NCP has permanently integrated the Personal Firewall in the Secure Client 
software in order to protect the Remote Client against attacks in every phase of 
the connection set-up in WLANs and at hotspots, without the user having to do 
anything. It has automated processes for secure hotspot logon.

Functional description:
If a user with his end device is in receiving range of a public WLAN, he selects 
the menu option "Hotspot Logon". The Client then searches for the hotspot 
automatically and opens the website for the logon procedure in the standard 
browser. After the access data have been entered successfully and the operator 
has released the access, the VPN connection can be established to corporate 
headquarters, for instance, and the user can communicate securely, as he would 
on an office workstation.
To keep the PC protected at all times when logging on to the WLAN, the firewall 
dynamically releases the ports for HTTP or HTTPS only for logon and logoff at 
the hotspot. During this process data traffic is only possible with the hotspot 
server of the operator. Unsolicited data packets are rejected. In this manner 
the system ensures that a public WLAN is only used for the VPN connection to the 
central data network and that there is no direct Internet access.
Direct communication with the Internet bypassing the VPN tunnel is prevented by 
the dynamic firewall rules described above, which are set automatically by the 
integrated Personal Firewall of the NCP Secure Client.
Please note: proxy settings that may have been entered must be adapted or 
deactivated for logon via the standard browser at the hotspot.
If the NCP Secure Client could not execute the hotspot logon, the user is 
informed by the message "Hotspot could not be found". In such a case you must 
determine whether a general problem exists with the mechanisms implemented by 
NCP relative to this hotspot operator.
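The behaviour described here, and the time-limited rule created by 
"rwscmd /logonhotspot [Timeout]" in section 11 of the 8.30 notes, can be 
summarised as a default-deny stateful filter with one temporary exception. The 
following Python model is an added example and not NCP code: it does not 
implement the Client's firewall, it demonstrates the policy the text describes. 
The packet tuple, the rule store, the traffic sequence and the hotspot server 
and VPN gateway addresses are all constructed assumptions; DNS and ESP traffic 
are left out of the model for brevity.

```python
"""Model of the hotspot-logon firewall policy: default deny, temporary
TCP 80/443 access to the portal server, stateful acceptance of replies only
(added example, not NCP code; all addresses and traffic are constructed)."""
from collections import namedtuple

# direction is "out" (sent by the Client PC) or "in" (received by it)
Packet = namedtuple("Packet", "direction proto src dst sport dport")

HOTSPOT_PORTS = {80, 443}


class HotspotFirewall:
    def __init__(self, vpn_gateway, ike_ports=(500, 4500)):
        self.vpn_gateway = vpn_gateway
        self.ike_ports = set(ike_ports)
        self.hotspot = None      # (portal_ip, expiry) while the dynamic rule exists
        self.flows = {}          # outbound 5-tuple -> "vpn" | "hotspot"

    def logon_hotspot(self, server_ip, now, timeout):
        """The dynamic rule: open 80/443 towards server_ip until now + timeout."""
        self.hotspot = (server_ip, now + timeout)

    def _expire(self, now):
        if self.hotspot is not None and now >= self.hotspot[1]:
            self.hotspot = None
            # The rule is gone, so the flows it permitted must go with it;
            # otherwise the portal could keep a channel open past the timeout.
            self.flows = {k: v for k, v in self.flows.items() if v != "hotspot"}

    def permit(self, pkt, now):
        """Return True if the packet is allowed through."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.direction == "out":
            if pkt.proto == "udp" and pkt.dst == self.vpn_gateway and pkt.dport in self.ike_ports:
                self.flows[key] = "vpn"
                return True
            if (self.hotspot is not None and pkt.proto == "tcp"
                    and pkt.dst == self.hotspot[0] and pkt.dport in HOTSPOT_PORTS):
                self.flows[key] = "hotspot"
                return True
            return False
        # Inbound: stateful inspection admits only replies to flows we opened.
        reply_of = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return reply_of in self.flows


# Constructed scenario (addresses are assumptions, TEST-NET ranges used).
CLIENT = "10.0.0.23"
HOTSPOT_SERVER = "10.0.0.1"
VPN_GATEWAY = "203.0.113.10"


def run_scenario():
    """Replay a fixed packet sequence and return the list of verdicts."""
    fw = HotspotFirewall(VPN_GATEWAY)
    v = []
    # t=0: no logon requested yet -> portal unreachable
    v.append(fw.permit(Packet("out", "tcp", CLIENT, HOTSPOT_SERVER, 49152, 443), 0))
    fw.logon_hotspot(HOTSPOT_SERVER, now=1, timeout=60)
    # t=2: portal reachable, and its reply is accepted
    v.append(fw.permit(Packet("out", "tcp", CLIENT, HOTSPOT_SERVER, 49153, 443), 2))
    v.append(fw.permit(Packet("in", "tcp", HOTSPOT_SERVER, CLIENT, 443, 49153), 2))
    # t=3: any other host stays unreachable, even on port 80
    v.append(fw.permit(Packet("out", "tcp", CLIENT, "198.51.100.7", 49154, 80), 3))
    # t=4: unsolicited inbound from the portal (e.g. a probe of port 445) is dropped
    v.append(fw.permit(Packet("in", "tcp", HOTSPOT_SERVER, CLIENT, 4444, 445), 4))
    # t=5: IKE to the VPN gateway and its reply are always allowed
    v.append(fw.permit(Packet("out", "udp", CLIENT, VPN_GATEWAY, 500, 500), 5))
    v.append(fw.permit(Packet("in", "udp", VPN_GATEWAY, CLIENT, 500, 500), 5))
    # t=61: timeout elapsed -> dynamic rule and its flows are gone
    v.append(fw.permit(Packet("in", "tcp", HOTSPOT_SERVER, CLIENT, 443, 49153), 61))
    v.append(fw.permit(Packet("out", "tcp", CLIENT, HOTSPOT_SERVER, 49155, 443), 61))
    # t=62: the VPN flow is unaffected by the expiry
    v.append(fw.permit(Packet("in", "udp", VPN_GATEWAY, CLIENT, 500, 500), 62))
    return v
```

The scenario shows the two properties the text claims: only the portal is 
reachable, and only for as long as the timeout runs. A real implementation also 
has to learn the portal address (the Client searches for the hotspot itself) and 
permit the name resolution that precedes the redirect; both are omitted here.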


4. Import of configuration data

With the function "Profile Import" in the configuration menu of the monitor, 
profile settings can be imported into the client. The profile settings to be 
imported can be created as an INI file by the destination system or edited by 
hand. The files IMPORT_D.TXT and IMPORT_E.TXT in the installation directory 
serve as examples; they describe the syntax and the values of the parameters.


New features of version 8.12 relative to version 8.11
--------------------------------------------------------------------------------

1. Compression type Deflate

The compression type Deflate is now supported. In the phonebook the parameter 
"Use IP compression" under "IPSec Settings" is displayed. Using this function 
both methods, LZS and Deflate, are negotiated.
 
2. In the phonebook under "IP Address assignment" you can now enter the domain 
name.

3. Using multiple Soft Certificates on one Client PC

If you want to set up PC-sharing for multiple users, who each use a separate 
certificate,  then you can configure this in the main menu of the Client Monitor 
under "Configuration - Certificates - User Certificate".

Under "User Certificate" you must switch on the "Activate Soft Certificate 
Selection" menu item, and you must select a "Certificate Path". If this path has 
been created previously, then you can select this path via the Select button. 
(C:\WINNT\ncple\usercert, for example). The various user certificates must then 
be created under this path. If these settings are saved with "OK", then the 
certificate list will appear under the graphic field of the monitor, with the 
list of all user certificates saved under the certificate path (for instance 
user1 to user4).
If the user has selected his soft certificate (user2 for instance) and has 
established a connection to the central VPN gateway, then he must first enter 
his PIN. Then the connection to the destination system will be established.

4. Using EAP 802.1x

For WLANs and switches supporting port authentication the client supports 
EAP-MD5 and EAP-TLS. This makes it unnecessary to install a separate EAP client.
EAP-MD5: UserId/Password authentication is supported, and the UserId/Password 
can optionally be taken from the certificate used for the VPN connections. Note 
that EAP-MD5 authenticates only the client and derives no keying material; where 
dynamic keys or mutual authentication are required, EAP-TLS must be used.
EAP-TLS: Certificates are used and are taken from the NCP certificate 
configuration. EAPOL-Key (dynamic WEP key) is supported.

5. Stateful Packet Inspection

Stateful Packet Inspection (SPI) is always activated. This means that SPI is now 
also enabled for non-VPN connections to the provider. 

6. XAUTH protocol

Changed the XAUTH protocol for use with NETSCREEN and OTP.



New features of version 8.11 relative to version 8.10
--------------------------------------------------------------------------------

The context-sensitive online help for the Client has been converted to HTML 
format. New features have been implemented in the following areas:
I.   General parameters in the telephone book (profile settings)
II.  Functions for connection type and connection setup
III. New functions in the PKI environment
IV.   Status displays


I.   General parameters in the telephone book (profile settings)
-------------------------------------------------------------------------------

1. Phonebook and its parameters renamed

The "Phonebook" was renamed to "Profile Settings". Accordingly, "Destination 
Systems" and "Destinations" was renamed to "Profiles". The following parameter 
fields were renamed:
Destination System   -> Basic Settings
Security             -> IPSec General Settings
                 and -> Identities
DNS/WINS             -> IP Address Assignment


2. Only allow communication in the tunnel when using the RAS dialer 

The parameter, "Only allow communication in the tunnel when using the Microsoft 
RAS Dialer", has been added under "Firewall" in the telephone book. If for 
example a VPN connection has already been set-up via the NCP Dialer, and this 
parameter is set, then no connection can be set-up parallel to the Internet via 
the RAS Dialer.


3. Also forward local area networks in the tunnel

If local area network data traffic is to be forwarded through the VPN tunnel, 
this function must be activated.


4. Extended Firewall Settings

Filters for incoming and outgoing data traffic can be defined with this filter 
editor. The filters can be set for protocols, network IP addresses, and host IP 
addresses.


5. IPSec settings

The IPSec configuration, which in previous versions could be opened in the 
Monitor under "Configuration - IPSec", is now made with the help of the IPSec 
Editor in the parameter field "IPSec Settings" under "Profile Settings".


6. Configuration Locks

Use configuration locks to modify the configuration main menu in the monitor in 
such a way that the user can no longer modify the pre-set configurations, or so 
that selected parameter fields are no longer visible to the user.

The configuration locks are enabled after applying the defined settings with 
"OK". If the Cancel button is clicked, the default settings are retained.

In order to specify the configuration locks, an identification must be entered, 
which consists of "User ID" and "Password". The password must be confirmed 
thereafter.

Please note that this identification is absolutely necessary in order to 
activate or cancel the configuration locks. If the identification is forgotten, 
there is no other possibility to cancel the locks!


7. DPD (Dead Peer Detection) deactivate

DPD (Dead Peer Detection) and NAT-T (NAT Traversal) are automatically executed 
in the background for "IPSec Tunneling" when supported by the destination. The 
IPSec client uses DPD to check, in regular intervals, whether the other side is 
still active. If the other side is inactive, then an automatic connection-
disconnect occurs. This function deactivates DPD.


8. Use this entry after each restart

The parameter, "Use this telephone book entry after every system restart", has 
been added in the telephone book under "Destination system". If the parameter is 
set, then this destination system will be used when restarting, regardless of 
which destination system was active when the system was brought down.



II.  Functions for connection type and connection setup
-------------------------------------------------------------------------------

1. DSL without PPPoE protocol

DSL can now be used without installing the NCP PPPoE protocol.


2. New connection type - GPRS

Now GPRS can be selected as an autonomous connection type. The following new 
parameters can be entered under "Modem" in the telephone book for this:
- PIN for GPRS card
- APN
- AT command for SIM card


3. The comma is also approved when obtaining a line

Change: In the field for obtaining an outside line, in addition to the 
characters, "1234567890#*" now the comma "," is also approved. This means that a 
dial pause can be configured with the comma when obtaining a line.


4. Error messages if the connection setup is faulty

If a connection setup fails, error codes are displayed as red text in the 
graphic field of the monitor. These error codes have been extended so that a 
text is always displayed when the Client itself detects the failed attempt. No 
error can be displayed if, for example, the connection has been disconnected by 
the server.


5. Minimize after connection set-up

The option, "minimize after connection setup", has been added in the Monitor. It 
can be activated in the Monitor menu under "Window".


III. New functions in the PKI environment
-------------------------------------------------------------------------------

1. The PC/SC interface is now only opened for card accesses

The PC/SC interface is only opened for a connection setup in which a smart card 
access occurs. This means that now other applications can also open the PC/SC 
interface in "exclusive" mode. 


2. Monitoring whether the PKCS#12 file is available

From now on the system monitors whether the PKCS#12 file is present. If, for 
example, this file is stored on USB stick or an SD card, then after pulling out 
the SD card the PIN is reset and an existing connection is disconnected. This 
process corresponds to the "Connection disconnect when smart card is removed", 
which can be set when using a smart card, under "Configuration, Certificates" in 
the monitor menu. If the SD card is later re-inserted, then the connection can 
be restored, after another PIN entry.


3. PKCS#11 module automates search and selection

In the monitor's certificate configuration (see -> Monitor Menu configuration, 
Certificates), you can use an assistant to search for installed PKCS#11 modules, 
and you can select the desired module with the associated.


4. Using environment variables when configuring certificates

The (user) environment variables of the operating system can be used in the 
certificate configuration. The variables are expanded when the dialog is closed 
and when the telephone book is copied, and the expanded paths are written back 
into the configuration. If an environment variable does not exist, it is removed 
from the path during expansion, and a log entry is written to the logbook. If a 
% sign is missing (syntax error), the variable remains unchanged, and a log 
entry is written, as above.
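The expansion rules just described, including both failure cases, are small 
enough to show in full. The following Python function is an added example, not 
NCP code: it expands %VAR% references against a constructed environment 
dictionary and returns the log entries as a list instead of writing them to the 
Client logbook. Variable names and paths are assumptions.

```python
"""Expand %VAR% references in a certificate path: defined variables are
substituted, undefined ones are removed and logged, a reference without its
closing % is left unchanged and logged (added example, not NCP code)."""


def expand_cert_path(path, env):
    """Return (expanded_path, log_entries)."""
    out = []
    log = []
    i = 0
    while i < len(path):
        if path[i] != "%":
            out.append(path[i])
            i += 1
            continue
        end = path.find("%", i + 1)
        if end == -1:
            # Syntax error: no closing sign. Keep the rest verbatim and log it.
            log.append("missing %% sign in '%s', left unchanged" % path[i:])
            out.append(path[i:])
            break
        name = path[i + 1:end]
        if name in env:
            out.append(env[name])
        else:
            # Undefined variable: dropped from the path, which may leave an
            # empty path component; the caller sees that in the log.
            log.append("environment variable %%%s%% not defined, removed from path" % name)
        i = end + 1
    return "".join(out), log


# Constructed environment (not read from the running system).
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "COMPUTERNAME": "WS042",
}
```

With SAMPLE_ENV, "%USERPROFILE%\ncp\%COMPUTERNAME%.p12" expands cleanly, 
"%USERPROFILE%\%NOSUCH%\cert.p12" loses its middle component and produces one 
log entry, and "%USERPROFILE\cert.p12" comes back unchanged with one log entry. 
An administrator distributing profiles should check the logbook after import, 
since a silently shortened path may point at a different certificate file than 
intended.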


5. RWSCMD extended with VPN user name from certificate

The "RWSCMD" tool now also supports destination systems in which the VPN user 
data is read out from a certificate. The prerequisite in this case is that the 
PIN must be entered beforehand so that the certificate data can be read.


6. Analysis of the KeyUsage certificate extension

If the KeyUsage extension is contained in an incoming certificate, it is 
verified. The following KeyUsage bits are accepted:
- Digital Signature
- Key Encipherment (key transport, key management)
- Key Agreement (key exchange process)
If none of these bits is set, the connection is cleared. 
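The KeyUsage value is a DER BIT STRING in which bit 0 (digitalSignature) is the 
most significant bit of the first content byte (RFC 5280, section 4.2.1.3). The 
following Python example, added here and not NCP code, decodes that encoding 
without any external library and applies the acceptance rule stated above; the 
sample encodings are constructed.

```python
"""Decode an X.509 KeyUsage BIT STRING and apply the acceptance rule:
digitalSignature, keyEncipherment or keyAgreement must be present
(added example, not NCP code; sample encodings are constructed)."""

KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0 (MSB of the first content byte)
    "nonRepudiation",    # bit 1
    "keyEncipherment",   # bit 2
    "dataEncipherment",  # bit 3
    "keyAgreement",      # bit 4
    "keyCertSign",       # bit 5
    "cRLSign",           # bit 6
    "encipherOnly",      # bit 7
    "decipherOnly",      # bit 8
]

ACCEPTED = {"digitalSignature", "keyEncipherment", "keyAgreement"}


def decode_key_usage(der):
    """Return the set of named bits in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        # KeyUsage has at most two content bytes; a long-form length or
        # trailing data means the extension is malformed.
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    names = set()
    total_bits = len(body) * 8 - unused
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            names.add(KEY_USAGE_BITS[i])
    return names


def key_usage_acceptable(der):
    """Rule from the release note: a certificate without the extension passes,
    one with the extension must carry at least one accepted bit."""
    if der is None:
        return True
    return bool(decode_key_usage(der) & ACCEPTED)


# Constructed encodings (tag 03, length, unused-bit count, content).
SIG_AND_KEYENC = bytes.fromhex("030205a0")   # 1010 0000: digitalSignature, keyEncipherment
CA_ONLY = bytes.fromhex("03020106")          # 0000 0110: keyCertSign, cRLSign
KEY_AGREEMENT = bytes.fromhex("03020308")    # 0000 1000: keyAgreement
DECIPHER_ONLY = bytes.fromhex("0303070080")  # second byte needed for bit 8
```

A CA certificate with only keyCertSign and cRLSign is the typical case the rule 
rejects: such a certificate is valid for issuing but must not authenticate a 
VPN peer. The decoder also copes with the two-byte form needed for 
decipherOnly, which single-byte shortcuts miss.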


7. Analysis of the CDP (CRL Distribution Point) certificate extension

The URL for downloading a CRL is stored in the CDP. If the CDP extension is 
contained in the certificate, then after the connection is set up, the CRL is 
downloaded via the specified URL and checked. If the system determines that the 
certificate is revoked, the connection is disconnected. Note that because the 
check takes place after the connection has been set up, a revoked certificate is 
only detected once the CRL has been fetched, and the connection is then 
terminated. The CRL is stored in the ncple\crls directory, under the common name 
of the CA.


8. HTTP Proxy for CRL download

A proxy for the CRL download via HTTP can be configured in the ncppki.conf file 
in the "HttpProxy" group:
[HttpProxy]
ProxyHost = xxx.xxx.xxx.xxx
#IP address of the proxy server for CRL download via HTTP
ProxyPort = 80
#Port of the proxy server for CRL download via HTTP
ProxyUser = xyz
#User name of the proxy server for CRL download via HTTP
ProxyPw = xxxx
#Password of the proxy server for CRL download via HTTP
Note that the proxy password is stored in clear text in ncppki.conf; access to 
this file should therefore be restricted to administrators.


9. Minimum PIN length under PIN policy

The minimum possible value for PIN length can be changed from 6 to 4 characters 
under "Configuration - Certificates - PIN Policy".


IV. Status displays
-------------------------------------------------------------------------------

1. Status displays in the graphic field of the monitor (Gina also)

The following status displays are shown in the graphic field:
- Smart card 
- PIN status 
- Firewall option 
- EAP status 
These icons in the status line have been extended with Tool Tips (quick info), 
when the mouse is placed on an icon.


2. Reset EAP

Change: You can reset the EAP by double clicking on the EAP icon in the status 
display in the graphic field of the monitor. Then the EAP is renegotiated.


--------------------------------------------------------------------------------
For further information please consult the Web-Site: www.ncp.de
--------------------------------------------------------------------------------
NCP engineering GmbH, Nuremberg, Germany
04/07/2006
