WIXLIB

1IntroductionVirtual IP addressingVirtual IP addressingThe primary access method for production use is the Virtual Adapter feature. This feature allows theVPN Clients to have a second, virtual IP address that is independent of the end-user computer addressin the local network.The virtual IP address is only used in communications through the VPN tunnels. The VPN gateway getsthe IP address and network settings of the VPN Client from the configured DHCP server and forwardsthe information to the VPN Client. For one-way access without DNS resolving, the VPN gateway canalternatively be set up to apply NAT to translate the VPN Client connections. This method is meant fortesting purposes.The VPN gateway specifies the destination IP addresses for traffic that the VPN Clients send into theVPN tunnel. The IP addresses are configured as Site elements for each gateway in the ManagementClient. When the Sites contain specific internal networks, the VPN Clients receive a configuration forsplit tunneling. Split tunneling means that only the specified portion of traffic uses the VPN tunnel, andother connections use the local network as usual.By default, when the VPN Client virtual adapter requests an IP address, it uses the MAC address of thephysical interface used in the VPN connection.To configure the IP address distribution on the gateway, see the Management Client Online Help andthe McAfee Next Generation Firewall Product Guide, in the Virtual Private Networks section.How connection settings workFor IPsec connections, the VPN Clients might need to use different settings at different locations dueto different port filtering and NAT arrangements.The VPN Client can work within the allowed settings to automatically try to connect with TCP tunnelingenabled/disabled or using different port combinations if the automatic IKE retry option is active in theVPN Client installation. The VPN Client tries the settings one by one in the following order until theconnection succeeds or all options are exhausted:1 Enable/disable TCP tunneling, if allowed for the endpoint on the gateway.2 Enable/disable the option to use random local source ports on the client.3 Use only destination port UDP/4500 (NAT-T port) for the gateway, instead of both port UDP/500and UDP/4500.4 Use a combination of a random local source port and destination port UDP/4500 for the gateway.Also, the VPN Client can automatically react if a connection to port UDP/500 succeeds, but port UDP/4500 (NAT-T) is unavailable. In this situation, the VPN Client tries the connection with TCP tunnelingenabled/disabled, if allowed for the endpoint on the gateway. If changing the TCP tunneling optiondoes not help, the VPN Client defaults to using destination port UDP/500 only.The end user is notified if the VPN Client is unable to use one of the two necessary ports.8McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide

2DeploymentTo allow end users to access company networks through the VPN Client, plan your deploymentcarefully.ContentsDeployment optionsDeployment checklistDeployment optionsConsider the available options for deployment.VPN Client typesSMC supports both types of VPN Clients; select the one that is right for your environment.IPsec — IPsec VPNs allow any IP traffic to be transported in the VPN regardless of which higher-levelprotocol the traffic uses on top of the IP protocol. Hosts can communicate through the VPN as if it wasa normal link without the need for application-specific configurations on the gateway device.SSL — SSL VPNs allow authenticated end users to establish secure connections to internal HTTP-basedservices through a portal on a web browser or through a client application that allows direct networkaccess. SSL VPN Portals provide access by using the SSL encryption features included in webbrowsers. End users log on to a portal to access those resources that you have configured. You canuse SSL VPN Portals to provide remote access to specific resources from various types of devices andplatforms.The SSL VPN tunnel and portal cannot be on the same IP address and port pair simultaneously. If bothare needed, McAfee recommends configuring the SSL VPN tunnel to port 443 and adding the portnumber to the URI when accessing the portal.Installation typesThe VPN Client can be installed in interactive mode by manually starting the installer, or in silent modethrough a remote software deployment service. Standard — Uses the downloaded VPN Client files Wizard — Uses a guided installation and configuration process Silent batch file — Uses a script to install the VPN Client without end-user interactionCustom — Uses a third-party program to make a custom installation package that includes thegateway information.McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide9

2DeploymentDeployment optionsInstallation file typesSeveral files are available to use for installing the VPN Client. McAfee-VPN-Client- version .exe McAfee-VPN-Client- version -x64.msi McAfee-VPN-Client- version -x86.msiThe variable, version , is the exact version number that changes each time an update is released.The x64 .msi package is meant for a 64-bit operating system and the x86 .msi for a 32-bit operatingsystem installation. The executable package uses the correct package for the operating systemautomatically.The VPN Client can be installed locally with the .exe installer. The .msi packages allow remoteinstallation or customized installations that remove the need for some end-user actions: With a standard installation package, the end-users type the gateway IP address manually,authenticate themselves to the gateway, and verify the certificate fingerprint of the gateway.Alternatively, you can export the contact details of the gateway to a file and instruct the end usersto copy the file to the correct location. If you generate a customized installation package, the gateway information can be included in theinstallation package, requiring no end-user intervention.See alsoDownload the installation file on page 14Standard installationEnd users either install the VPN Client following the instructions in the installation wizard, or you canprovide a batch file for silent installation.Use the following commands for silent installation, replacing version with the exact version numberin the file you are using: .exe file — McAfee VPN version .exe /quiet .msi file — msiexec /i McAfee-VPN-Client- version -x64.msi /quiet. or msiexec /iMcAfee-VPN-Client- version -x86.msi /quiet.Custom installationThe VPN Client installation package can be customized by creating a Microsoft Installer (MSI)transform file from the McAfee-VPN-Client- version -x64.msi orMcAfee-VPN-Client- version -x86.msi file.The contact information of the security gateways is added to the transform file. To customize theinstallation package, you must have a basic knowledge of MSI transforms and know how transformscan be applied to installation packages.User authenticationEnd users must authenticate before they can connect to a gateway.You can select different authentication methods for each gateway. If several authentication methodsare allowed for an end user, the end user can select between the methods in the VPN Client.Two basic authentication schemes are available:10McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide

2DeploymentDeployment checklist User name and password — The gateway can be integrated with external authentication servers. Certificate — Various certificate authentication options are available for the VPN Client.Certificate authentication is only supported with IPsec connections.Different methods can be used on the same gateway simultaneously.The user name and password method supports integration with external RADIUS or TACACS authentication servers. This integration allows various authentication schemes such as RSA SecurIDcards or Active Directory/Network Policy Server (NPS) authentication.The VPN Client always sends the user name and password using the UTF-8 character encoding. Whenusing external authentication servers, make sure that they support UTF-8 encoding if the user namesor passwords contain letters outside the US-ASCII character set.For a detailed overview to user authentication and step-by-step configuration instructions, see theMcAfee Next Generation Firewall Product Guide or the Management Client online Help.See alsoAuthenticating with client certificates on page 19Deployment checklistDetermine how you want to deploy the VPN Client in your environment.Table 2-1 Deployment checklistDetermine.VerifiedVPN Client type: IPsec SSLInstallation type: Standard Wizard Silent batch file CustomMethod of user authentication: User name and password CertificateVPN Client mode: User-controlled — Whenever the VPN Client connects, it requires authentication. Automated mode — The VPN Client connects automatically.McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide11

2DeploymentDeployment checklist12McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide

3Installing and upgrading the VPN ClientThe VPN Client can be added as a new installation or you can upgrade the VPN Client.ContentsInstallation overviewDownload the installation fileInstall with the wizardInstall using a custom installation packageUpgrade the VPN ClientInstallation overviewThe installation process requires changes in the Management Client and in the end user computer. Before installing the VPN Client, you must configure the VPN-related elements and settings in theManagement Client. Create a VPN, or add the Client Gateway element to an existing VPN and configure the Clientsettings in the internal Gateway and VPN Profile elements. Create the user accounts, or integrate an existing LDAP database or an external authenticationservice with the SMC. Edit the firewall policy so that the policy allows incoming connections from the VPN Clients.The installation of the VPN Client can be done by the administrator or the end user. You can use thestandard VPN Client installation package or create a custom installation package. Either installationoption requires that you download the installation files. A standard installation package allows the end user to install the VPN Client through theinstallation wizard. In a custom installation package, you can include the contact information for the gateway sothat the end users do not need to add it manually.During the upgrade process, the earlier version of the VPN Client is removed and replaced with thecurrent version with the same settings.Instructions for tasks performed in the Management Client can be found in the Management Clientonline Help and McAfee Next Generation Firewall Product Guide, in the Virtual Private Networks section.McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide13

3Installing and upgrading the VPN ClientDownload the installation fileDownload the installation fileThe VPN Client installation files are available on the McAfee NGFW download page.Before you beginYou must have a grant number to access product downloads.Windows does not have MD5 or SHA-1 checksum programs by default, but there are several third-partyprograms available.Task1Go to www.mcafee.com/us/downloads/downloads.aspx, enter your grant number, then select theappropriate product and version.2Download the installation files.These packages are available: .exe — Standard installations .msi — Custom installation package creation3Change to the directory that contains the files to be checked.4Generate a checksum of the file using the command md5sum filename or sha1sum filename,where filename is the name of the installation file.Example:sha1sum 85a744a993be75473c6930 McAfee-VPN-Client-5.9.0.0000.exe5Verify the checksums.aCompare the displayed output to the checksum on the website.bProceed according to the result of the comparison: If the values match, the files are safe to use. If there is a difference in the values, try downloading the files again.Do not use files that have invalid checksums. If downloading the files again does not help, contactMcAfee technical support to resolve the issue.Install with the wizardYou can use the VPN Client .exe file to install the VPN Client with a wizard.Before you beginYou must have downloaded the installation .exe file.Task1Right-click the installation executable file and select Run as Administrator.The McAfee VPN Client Setup window opens.14McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide

Installing and upgrading the VPN ClientInstall using a custom installation package23Click Install.The McAfee VPN Client Setup wizard opens.3Click Next.4Accept the License Agreement and click Next to continue.5Click Install.If you see one or more confirmation messages from Windows during the installation, accept them.The installation of all drivers and components must be allowed for the VPN Client to work correctly.6When the installation is complete, click Finish.The McAfee VPN Client Setup window shows a confirmation message.7Click Close.Install using a custom installation packageCustomizing the installation allows you to add information into the installation package and to installand update the VPN Clients remotely.Tasks Save the gateway contact information to a file on page 15You can save the contact information for security gateways to a file. The file can then beadded into a customized installation package or copied to the end-user computers thatalready have a VPN Client installed. Install with a transform file on page 16Use an .mst transform file that you created with the .msi file to install the VPN Client eitherremotely or locally on the command line of the client computer.Save the gateway contact information to a fileYou can save the contact information for security gateways to a file. The file can then be added into acustomized installation package or copied to the end-user computers that already have a VPN Clientinstalled.The gateway contact information allows end users to connect to new gateways without needing to addthe security gateway address manually and without verifying the gateway certificate fingerprint.Tasks Export gateway contact information on page 15You must first use the Management Client to export the contact information of eachsecurity gateway that the end users connect to. Copy gateway contact information files manually on page 16You can add new gateways to existing VPN Clients by copying the exported gatewaycontact information files to the client computers.Export gateway contact informationYou must first use the Management Client to export the contact information of each security gatewaythat the end users connect to.Exporting the gateway contact information allows you to distribute the contact information files to endusers. You can add the files to a customized installation package or send them to end users so thatthey can copy the files manually to their computer.McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide15

3Installing and upgrading the VPN ClientInstall using a custom installation packageThe contact information is always gateway-specific.Task1From the Management Client, select Configuration Configuration VPN.2In the element tree, select Gateways.3For each contact you want to export:aRight-click the internal Gateway element for which you want to save the configuration and selectTools Save Gateway Contact Information.bBrowse to the folder where you want to save the contact information file.cEnter a file name and click Save.The contact information of the selected security gateway is saved in an .xml file.Copy gateway contact information files manuallyYou can add new gateways to existing VPN Clients by copying the exported gateway contactinformation files to the client computers.Provide the files to the VPN Client end users and instruct them to copy the files to the correct location.Task1Place the exported gateway contact information file in a location that is accessible to the clientcomputer.2Copy the security gateway contact information .xml file to the system drive \ProgramData\McAfee\McAfee VPN Client\gateway info directory on the client computer.Install with a transform fileUse an .mst transform file that you created with the .msi file to install the VPN Client either remotelyor locally on the command line of the client computer.Before you beginYou can create a customized installation package from the .msi file with any Windowsinstallation package editor, for example, with Orca.See Installing with a custom installation package for an example.If you want the end users to install the VPN Client on the command line, provide them the transformfile, the gateway contact information files, and installation instructions.Task1Copy the transform file to the same directory as the .msi file.2Create the path in the directory where you have the installation files:All Users\Application Data\McAfee\McAfee VPN Client\ gateway info316Copy the exported gateway contact information files to the gateway info directory.McAfee Next Generation Firewall 5.9.0McAfee VPN Client for WindowsProduct Guide

Installing and upgrading the VPN ClientUpgrade the VPN Client43Start the installation: Remote installation — Run the .msi file with the transform .mst file following the instructionsof the software solution you are using. Command-line installation If an earlier version of the McAfee VPN Client is already installed on the computer, run one ofthese commands:msiexec /i McAfee-VPN-Client- version -x64.msi REINSTALLMODE vomus REINSTALL ALLTRANSFORMS transform file msiexec /i McAfee-VPN-Client- version -x86.msi REINSTALLMODE vomus REINSTALL ALLTRANSFORMS transform file If an earlier version of the McAfee VPN Client is not installed on the computer, run one ofthese commands:msiexec /i McAfee-VPN-Client- version -x64.msi TRAN

Configuring VPN access for the VPN Client end users — See the McAfee Next Generation Firewall Product Guide and the Management Client online Help. Using the VPN Client — See the McAfee VPN Client User Guide. Windows platform requirements — See the McAfee VPN Client Release Notes. Contents How the VPN Client works