Ref: Tim.H_SR26Apr2000_1_CH

MIS PROCEDURE TO PREPARE WINDOWS 95 PC FOR AND INSTALL CHECKPOINT SECURE REMOTE CLIENT PRODUCT V4.1 (BUILD 4153)

Bold = text to type in
¤ = radio button select
þ = Tick box select
Italics = other dialogue

Note: Paths to install executables are as from the SecureRemote Install Pack CD created by MIS - if installing from other sources this will change (x:\ = cd drive, usually d:\). If Windows 'cabs' files have not been installed on the target PC then the Operating System CD may be needed at some of the stages below.

Procedure

TIP: This procedure has been designed for Windows 95 but should work the same for Windows 98 - EXCEPT that for Windows 98 the Password Cache issue may be different or not relevant and you should skip the steps for DUN 1.3 and Winsock 2 as these are already incorporated into Windows 98.

1) Install Windows 95 'Security Patch' to disable password caching. This is used as an extra security measure (not needed for Windows 98 ?):-
   (NOTE: Regedit is a powerful tool and should be used with extreme care. Simple mistakes could render the OS unusable)
   a) Start->Run->regedit
   b) Follow path to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network
   c) Edit->New->DWORD Value
   d) Rename default name to DisablePwdCaching
   e) Right-hand button mouse click->Modify
   f) Enter the value 1
   g) Click OK button
   h) Registry->Exit

2) Install the DUN 1.3 Upgrade, this improves stability of Dial-up Networking:-
   a) Start->Run-> x:\SR Install Pack..\MS DUN 1.3\msdun13.exe
   b) Follow prompts as directed, including any reboots, and choose to keep any newer versions of existing files that the installer attempts to overwrite with older ones.
3) Install Winsock 2, this improves TCP/IP stability and also helps prevent "Ping of Death" and other similar hack attacks:-
   a) Start->Run-> x:\SR Install Pack..\Winsock2\w95ws2setup.exe
   b) Follow prompts as directed, including any reboots, and choose to keep any newer versions of existing files that the installer attempts to overwrite with older ones.
   c) Reboot

4) Install DUN and Winsock Y2K Updates:-
   This has Y2K fixes and a patch for a potential DHCP issue within DUN.
   a) Start->Run
   b) x:\SR Install Pack..\Y2K Patches..\y2kvdhcp.exe
   c) It will run through install automatically
   d) Click on YES button when asked to Restart

5) Ensure latest hosts file is on the PC:-
   a) Copy \\centserver\apps\applications\hosts\hosts to c:\windows\hosts
   NOTE: Together with WINS/DNS, this will provide host name to IP address resolution. Latest changes include entries for GT Intranet sites.

6) Edit c:\windows\lmhosts file to contain (spaces = TAB) - use DOS Edit as Notepad screws it up !:-
   PDC IP Address PDC Name
   BDC IP Address BDC Name

7) Ensure Internet Explorer 5 is installed. If it is, proceed to Step 7, otherwise:-
   TIP: If IE5 is already installed but does not have the options listed below then in most cases this will not cause any serious issues (e.g. Macromedia Shockwave not installed will just mean the user will be prompted to download this when on a site requiring it - the reason we install these is not to promote multimedia usage but to avoid undue use of bandwidth from Web downloads of these plug-ins, and we must accept that most Web sites require at least some of these components to be viewed properly). However, if for any reason you cannot change the current IE5 setup (it can be inconsistent when changing a pre-installed IE5 version !) then you will need to de-install IE5 from Add/Remove Programs in Control Panel, choosing the "Restore to previous version" option - this will restore to IE3. You can then reinstall IE5 from scratch, choosing options as below.
   a) Start->Run
   b) x:\SR Install Pack..\IE5\ie5setup.exe
   c) ¤ Accept Agreement (Next>)
   d) ¤ Install Minimal, or customize your browser (Next>)
   e) Select these components:-
      þ Internet Explorer 5 Web Browser
      þ Offline Web Browsing Pack
      þ Internet Explorer Help
      þ Microsoft virtual machine
      þ Internet Connection Wizard
      þ Internet Explorer Browsing Enhancements
      þ Windows Media Player
      þ Windows Media Player Codecs
      þ Media Player RealNetworks Support
      þ DirectAnimation
      þ Vector Graphics Rendering(VML)
      þ AOL Art Image Format Support
      þ Macromedia Shockwave
      þ Macromedia Flash Player
      þ Visual Basic Scripting Support
   f) (Next>)
   g) Click on YES button to any questions about newer files being overwritten to preserve more up to date versions of files, if asked.
   h) Click on OK when asked about Restart
   i) PC reboots

8) Install UUNET Multi-Dial 5.02 and 5.02->5.03 Upgrade as follows:-
   (Ensure modem is connected to a working direct phone line and that you have your Secure Remote Userid and Password issued by MIS ready).
   a) Start->Run
   b) x:\SR Install Pack..\UUNET Multi-Dial 5.0\setup.exe
   c) Choose all defaults throughout installation
   d) Click Finish
   TIP: Do NOT run Multi-Dial at this stage as it does not work properly with IE5, continue on with the Mdial upgrade below. Also please try to complete the whole installation and registration of Multi-Dial in one continuous 'session' as aborted installations may not continue properly after interruption.
   e) Start->Run
   f) x:\SR Install Pack..\UUNET Multi-Dial 5.03 Upgrade\ugm502_503.exe
   g) When finished you will need to register userid/password with UUNET as follows:-
   h) Start->Programs->UUNET Multi-Dial 5.0->UUNET Multi-Dial
      1) Click OK button to Register question
         Note: If asked to select which modem to use to connect to Internet, select your standard modem (usually Gold Card Global or Xircom - NOT Microsoft VPN).
      2) Click OK button to Windows Will Now Install… dialogue
      3) Click on YES button to any questions about newer files being overwritten to preserve more up to date versions of files, if asked.
      4) Click on OK to proceed with Restart
      5) After restart, connection to UUNET Registration process will commence
         TIP: Be patient - it may dial twice. If unsuccessful twice on the default phone number (0845 088110) an error dialogue will appear. Change phone number to alternative access point 0845 0885336 and click Redial button.
      6) Internet Explorer registration application will start
      7) Type in userid/pword
      8) Select All UK
      9) Your registration details (name etc.) will appear, scroll down to bottom of page and click Register Now
      10) Click where it says "Please click here to automatically configure….." (select Open it..)
         Note: If asked to select which modem to use to connect to Internet, select your standard modem (usually Gold Card Global or Xircom - NOT Microsoft VPN).
      11) Multi-Dial Admin path - accept default C:\Program Files\UUNET\Admin (Click OK)
      12) Create Directory ? YES
      13) Multi-Dial will reconnect to complete registration and confirm Userid/Password
      14) Click Run Now
      15) Click Connect (test you can connect to Internet)
      16) "Connected" will appear at bottom of Multi-Dial window. Also you will get an icon representing 2 computers connected in the bottom-right of the screen (the System Tray).
      17) Check you can see some other Web sites (www.ibm.com is usually quick) - you can either select IE from the Multi-Dial panel or the usual Desktop or Start->Programs icons
      18) Exit Internet Explorer
      19) Right-hand mouse click on the 2-PC icon in the System Tray or select Disconnect (2-PC icon will disappear)
      20) Exit Multi-Dial Connection Manager
      21) Reboot
         Note: If the Multi-Dial Registration page is still in the background then CTRL-ALT-DEL and click Shutdown button (if you choose this method you will need to power on to restart after shutdown has completed).
9) Change Multi-Dial DUN settings to include WINS server and to login to network:-
   a) Double-click My Computer icon
   b) Double-click Dial-Up Networking icon
   c) Highlight UUNET Multi-Dial 5.0 icon, right-hand mouse click
   d) Select Properties
   e) Select Configure (bottom half of window)
   f) Ensure Speaker volume set to at least 1 notch
   g) Click Connection tab
   h) Uncheck "Wait for dial tone…"
   i) Click OK
   j)
   k) Select Server Types tab and ensure it is setup thus:-
      þ Log on to network
      þ TCP/IP
   l) Click TCP/IP Settings button and ensure it is setup thus:-
      ¤ Server assigned IP address
      ¤ Specify name server addresses
        Primary DNS: External (UUNET) DNS Primary
        Secondary DNS: External (UUNET) DNS Secondary
        Primary WINS: Internal WINS Server
        Secondary WINS: Internal WINS Server
      þ Use IP header compression
      þ Use default gateway on remote network
      TIP: ISPs change their DNS servers from time to time. If in doubt check their web site for latest information. Also, certain applications can sometimes have specific issues with compression etc. and so revised recommended setups may be issued from time to time.
   m) Click OK button and exit Dial-Up Networking window

10) Add Country (Modem) Change Icon
   This is to allow easy access to the 'Modems' icon normally within Control Panel. People need access to this so that they can change their current country so that the correct dialling codes will be used. From a Multi-Dial viewpoint, you need this to be correct before Multi-Dial will offer up the correct PoPs for your current location. We will need to discourage users from entering any other changes whilst in this applet - unfortunately there is no easy answer - Windows does not offer up any other way to change dial-up location details.
   a) Start->Settings->Control Panel
   b) Highlight the Modems icon
   c) Right-hand click on Modems icon
   d) Select Create Shortcut
      Message appears "Windows cannot create shortcut here…placed on desktop instead ?"
   e) Click YES button
   f) Close Control Panel windows
   g) Highlight newly created Shortcut to Modems icon
   h) Right-click and select Rename, rename icon to Change Dialup Location
   i) Right-click on icon and select Copy
   j) Start->Settings->Taskbar
   k) Click on Start Menu Programs tab
   l) Click on Advanced button
   m) Right click in the Right-hand pane of the display and select Paste
   n) Click Finish button
   o) Exit from Taskbar menus

11) Install Secure Remote Client software:-
   a) Start->Run
   b) x:\SR Install Pack..\CPSecuRemote-41..\win 9-x\Setup.exe
   c) Click YES to Accept License Agreement
   d) Click Next
   e) Click Next
   f) Files will be copied on to hard disk
   g) Select the following:-
      ¤ Install SecuRemote without Desktop Security
      Note: Desktop Security is an optional (chargeable) package to run a mini-firewall on the client in addition to the standard basic security/authentication/encryption package - we currently only subscribe to the standard package - it doesn't work with our current FW-1 4.0 software on the server anyway - it is introduced in V4.1. We will review need as and when we upgrade FW-1 server.
      ¤ Install on dialup adapters only
      Note: We only need this on dialup adapters as internal HNSE inter-office VPNs are encrypted at the firewall. If and when cable and/or DSL modems are used we will need to change this.
   h) Click NO to README file
   i) Click FINISH button
   j) PC reboots
      You will notice that a new icon will have appeared in the System Tray - an envelope with a key.
   k) Start->Programs->SecuRemote
   l) Tools->Encryption Scheme
      Select ¤ FWZ
   m) Click OK button
   n) Passwords->Enable SDL
      "Are you sure you want to enable…" appears - click YES button
   o) Connect to Internet (cancel network logon prompts and network drive connections)
   p) Sites->Create New
      1) Type in IP address:-
         UK Firewall External IP Address (for UK SecuRemote users)
         Italian Firewall External IP Address (for Italian SecuRemote users)
      2) Check þ Nickname box and replace Nickname field with xx Firewall (where xx = country of firewall, e.g. UK, IT, DE)
      3) Click on OK button
         This will take a minute or so to complete.
         "IP Address and Key ID should be verified !" appears - click on OK
      4) Click on OK
      5) Disconnect from Internet
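
A check for step 1, as an added example that is not part of the original MIS procedure: it reads a registry export of the Policies\Network key (Registry->Export Registry File in regedit) and reports whether DisablePwdCaching is present as a DWORD with value 1. The function names and the sample exports are constructed for illustration.

```python
import re

# Key path and value name are the ones given in step 1 of the procedure.
KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network"
VALUE = "DisablePwdCaching"


def check_pwd_caching(reg_text):
    """Classify a REGEDIT4 export: 'ok', 'missing', 'wrong_type' or 'wrong_value'."""
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # entering a new key
            continue
        # Registry key and value names are case-insensitive.
        if section is None or section.lower() != KEY.lower():
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m or m.group(1).lower() != VALUE.lower():
            continue
        data = m.group(2).strip()
        if not data.lower().startswith("dword:"):
            return "wrong_type"           # e.g. created as a String Value
        try:
            number = int(data[len("dword:"):], 16)
        except ValueError:
            return "wrong_value"
        return "ok" if number == 1 else "wrong_value"
    return "missing"


def _export(key, entry):
    """Build a constructed sample export (not taken from a real PC)."""
    return "REGEDIT4\n\n[%s]\n%s\n" % (key, entry)


SAMPLES = {
    "as per step 1": _export(KEY, '"DisablePwdCaching"=dword:00000001'),
    "string instead of DWORD": _export(KEY.upper(), '"disablepwdcaching"="1"'),
    "value left at 0": _export(KEY, '"DisablePwdCaching"=dword:00000000'),
    "created under wrong key": _export(KEY + r"\Extra", '"DisablePwdCaching"=dword:00000001'),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print("%-26s %s" % (name, check_pwd_caching(text)))
```

The "wrong_type" result covers the common slip at step 1c of choosing String Value instead of DWORD Value, which looks the same at a glance in regedit.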