9/28/2012
Table of Contents
Introduction
Getting a VPN Account
Installing Check Point Mobile
Authentication
Compliance & System Requirements
System Tray
Connecting with Check Point Mobile
Stopping and Starting Check Point Mobile
Compliance Window
VPN Options
Advanced VPN Options
Deleting and Creating Sites
Collecting and Sending Log Files
Troubleshooting
Technical Support
Appendix
Client Icon
Software Downloads
Introduction
Virtual Private Networks (VPNs) allow FedEx employees and vendors to work away from the office. VPNs create secure tunnels over the Internet, ensuring confidentiality, integrity, and authenticity. This form of remote access makes services such as internal web sites, email, and departmental servers available from places such as a home office or hotel.
The next step is getting an IdentityGuard eGrid account. After your VPN request has been fully approved in IdM, you must:
1. Log in to the FedEx IdentityGuard self-service web site to complete a short enrollment process.
2. You'll receive an IdentityGuard eGrid sheet (JPEG image format) that will be used for VPN login.
3. Keep your eGrid secure and do not share it with others.
6. Click Next
8. Click Next
9. Click Next
12. Test the connection by following the normal procedures used to establish VPN connectivity.
Authentication
FedEx requires two-factor authentication to log in to VPN. Your employee number and enterprise password are the first factor, and the security grid card is the second. The security grid card is called an eGrid.
New/replacement eGrids can be acquired at the IdentityGuard web site, Keyword eGrid. The eGrid web site is externally accessible (i.e., from home or hotel) at https://idguard.fedex.com. If you've lost your eGrid you can access the site using your challenge questions. If you've forgotten your challenge questions you can contact your regional/OpCo help desk for a one-time PIN. The temporary PIN will allow you to download a new eGrid. Always be sure to cancel lost/compromised eGrids at the IdentityGuard site.
eGrid provides secure and cost-effective two-factor authentication. The eGrid contains a series of numbers and letters in clearly marked rows and columns. After entering the user name and enterprise password, the user will be prompted for the eGrid coordinates. The user then cross-references each letter and number combination, similar to using a Bingo card. For example, if Mobile VPN prompted the user for [C5] [D4] [H4], the user would match [C5] with J, [D4] with E, and [H4] with E.
Supported Operating Systems
- Windows XP Home and Professional 32-bit, with or without Service Packs 1, 2, or 3
- Windows Vista 32-bit and 64-bit, with or without Service Packs 1 or 2
- Windows 7 32-bit and 64-bit, Premium or Enterprise, with or without Service Pack 1
System Tray
The VPN client can be accessed from an area on your PC known as the System Tray, or Systray. It is in the bottom right-hand corner, immediately left of the clock. You may already see some icons there such as WiFi, volume control, and Outlook. The icon you're looking for is a gold padlock. It may be hidden from view, in which case you can expand the tray by clicking on the double up arrows.
1. This is a screenshot of the System Tray.
1.2 The VPN client icon is currently visible.
1.3 Right-click on the icon to display the VPN client's menu.
2. This is a screenshot of the System Tray.
2.1 The VPN client icon is currently hidden from view.
2.2 Left-click on the up arrows to expand the System Tray.
3. The System Tray has been expanded.
3.1 The VPN client icon, a gold padlock, is now visible.
4. You can right-click on the icon to show the menu for the VPN client. From here you can connect to VPN, create a new site, and more.
3. Input your login credentials.
Username = FedEx ID
Password = Enterprise password (8 characters)
4. Click Connect
6. Look up the coordinates on your eGrid card and input the results.
8. You should receive a successful connection. You can click Close or wait for the window to close automatically. From here you can use Outlook and access internal FedEx web sites.
Quick Connect
Quick Connect re-connects to the user's last VPN gateway. Open the Systray (gold padlock), right-click on the icon, and click Connect.
Changing Sites
You may experience better network performance by choosing a VPN gateway geographically closer to you.
Compliance Window
Right-clicking the client icon in the system tray and selecting Show Client displays the main client window.
Status: Displays the details of the VPN connection, Firewall, and Compliance.
Tools: Gives the option of Connect or Disconnect depending on the status of VPN.
VPN Options
Enable Logging: Collects information useful for troubleshooting.
Collect Logs: Exports logs to a CAB file. Reproduce the problem before sending your logs to support.
Proxy Settings: Open and set to No Proxy.
Use Secure Authentication API File: Do not check.
Enable Secure Domain Logon: Log into VPN upon logging into Windows.
VPN Sites
Location    Employees                  Vendors
Memphis     wtce.fw.fedex.com          wtcy.fw.fedex.com
Memphis     ctce.fw.fedex.com          memy.fw.fedex.com
EMEA        nose.fw.fedex.com          nosy.fw.fedex.com
APAC        singapore.vpn.fedex.com    siny.fw.fedex.com
Go up one directory. Then right-click on the highlighted file and choose Send to >> Documents. The file is now in the Documents folder, ready to be attached to an email. It is named in the format trlogs_dd-mm-yyyy_hh.mm.ss.
Troubleshooting
Wrong username/password when trying to connect
- Check the expiration date on your eGrid. It's in the bottom right-hand corner. If it's expired you need to get a new one at the eGrid site using your challenge questions. If you've forgotten your challenge questions you can get a temporary PIN from your regional/OpCo help desk.
- Vendors: Make sure you are using the vendor package with the vendor sites and not attempting to connect to the employee sites.
- Verify your eGrid is not locked out by logging into the eGrid web site.
- Make sure your caps lock is off.
- Verify your enterprise password hasn't expired by logging into the eGrid web site.
- Verify the date and time on your computer are correct.
Not Compliant
Check Point Mobile VPN will tell you how to become compliant. The above graphic informs the user that they need to update their Anti-Virus software.
Compliance Policy is corrupt
This occurs because the client has not connected and downloaded the Compliance Policy.
Cannot Connect
Connection errors are the second most commonly reported error with Check Point Mobile. This section will provide step-by-step troubleshooting instructions.
Try pinging at least two major web sites.
Go to Start >> All Programs >> Command Prompt
Use the ping command:
ping google.com
ping twitter.com
ping facebook.com
ping yahoo.com
If you get a "reply from (IP address here)", you have basic Internet connectivity. If there is packet loss during several ping attempts, it indicates connectivity issues at the user's location, such as interference with WiFi, faulty home network equipment, or Internet Service Provider issues.
Try accessing at least two major web sites with a web browser:
http://www.google.com
http://www.twitter.com
http://www.facebook.com
http://www.yahoo.com
Are you attempting to connect over a connection with some kind of web filtering or VPN blocking?
- VPN will not work at a FedEx location unless you are using a mobile broadband connection such as a MiFi or AirCard.
- Some hotels block VPN connections. Contact the IT support staff for the hotel and verify VPN (IPSec protocol) is not blocked.
- Some hotspots such as those at public libraries, coffee shops, universities, or airports block VPN connections. Contact the IT support staff for that hotspot and verify VPN (IPSec protocol) is not blocked.
- Some mobile broadband/cellular/3G/4G providers such as Verizon, AT&T, Sprint, or T-Mobile may require proprietary drivers/applications to connect with a MiFi or AirCard (USB, ExpressCard, or PC Card). Contact your provider and verify they don't block VPN (IPSec protocol) and that the proprietary drivers/applications are configured properly for VPN (IPSec protocol).
Disable Proxy usage in Check Point VPN Client (see Check Point Mobile Technical Guide)
1. Open the Internet Options menu
2. From Internet Explorer: go to Tools >> Internet Options
3. From the Control Panel: go to Internet Options
4. Go to the Connections tab at the top of the menu
5. Go to LAN Settings near the bottom of the menu
6. Check Automatically Detect Settings
7. Uncheck everything else
Make sure the system is using an automatically assigned (DHCP) IP address and not a static IP address (frequently used at FedEx locations).
Windows 7
- Go to: Start >> Control Panel >> Network >> Sharing
- Click Change View (top right corner of Control Panel) and set to Small Icons.
- Click Network >> Sharing
- On the left side, click Change Adapter Settings
- Right-click on the network adapter being used for Internet access and select Properties
  - For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
  - For WiFi, it will usually be named "Wireless Network Connection"
  - For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
- In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
- Set both radio buttons to Obtain IP address/DNS server address automatically
- Click Ok, then click Close
Windows XP
- Go to: Start >> Control Panel >> Network Connections
  - For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
  - For WiFi, it will usually be named "Wireless Network Connection"
  - For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
- In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
- Set both radio buttons to Obtain IP address/DNS server address automatically
- Click Ok, then click Close
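The Cannot Connect checks above (ping, proxy settings, DHCP addressing) can be collected in one read-only pass. The PowerShell below is an added example, not part of this guide or of the Check Point client; it assumes Windows PowerShell 2.0 to 5.1, and the registry values it reads (ProxyEnable, AutoConfigURL, NameServer) are the standard Windows locations for these settings, not names taken from the guide.

```powershell
# Added example: read-only triage of the "Cannot Connect" checklist (changes no settings).
# Assumes Windows PowerShell 2.0-5.1, where Test-Connection emits one object per reply.
$sites = 'google.com', 'twitter.com', 'facebook.com', 'yahoo.com'  # sites named in the guide
$count = 4                                                         # echo requests per site

# 1. Basic Internet connectivity and packet loss
foreach ($site in $sites) {
    $replies = @(Test-Connection -ComputerName $site -Count $count -ErrorAction SilentlyContinue)
    $loss = 100 * ($count - $replies.Count) / $count
    if ($replies.Count -eq 0) { "FAIL  ${site}: no reply (no connectivity, DNS failure, or ICMP filtered)" }
    elseif ($loss -gt 0)      { "WARN  ${site}: $loss% packet loss (check WiFi, home router, ISP)" }
    else                      { "OK    ${site}: all $count replies received" }
}

# 2. Proxy settings for the current user (the guide leaves only auto-detect checked)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { "WARN  manual proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { "WARN  automatic configuration script set: $($inet.AutoConfigURL)" }
if ($inet.ProxyEnable -ne 1 -and -not $inet.AutoConfigURL) {
    'OK    no manual proxy or configuration script'
}

# 3. Each active adapter should take its IP address and DNS servers from DHCP
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    # A non-empty NameServer value means DNS servers were entered by hand
    $dns = (Get-ItemProperty "$ifKey\$($_.SettingID)" -ErrorAction SilentlyContinue).NameServer
    if (-not $_.DHCPEnabled) { "WARN  $($_.Description): static IP $($_.IPAddress -join ', ')" }
    elseif ($dns)            { "WARN  $($_.Description): static DNS servers $dns" }
    else                     { "OK    $($_.Description): IP and DNS obtained automatically" }
}
```

Any WARN or FAIL line maps to the matching step in this section; the output can be attached to a support request alongside the collected client logs.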
Technical Support
Appendix
Client Icon
Software Downloads
Check Point Mobile and McAfee anti-virus are available at the following sites:
http://www.infosec.fedex.com/vpn
https://idguard.fedex.com/
Keyword: VPN
Externally accessible from Internet (i.e., from home or hotel). Requires eGrid to log in.