Business Partner Access - Wacker

CREATING TOMORROW’S SOLUTIONS

USER GUIDE
BUSINESS PARTNER ACCESS

What methods can an external-company employee use to access the data network of Wacker Chemie AG and its subsidiaries?

Contents

1 General information
2 VPN-Client based business partner access
2.1 Pre-requisites
2.2 Installing and configuring the MFA Smartphone App
2.3 Installation of the VPN client
2.4 Logging on
2.5 Logging off
2.6 Technical information
3 VPN access without VPN client for business partners with direct connection to the Wacker network
3.1 Pre-requisites
3.2 Installing and configuring the MFA Smartphone App
3.3 Authentication
3.4 Security restrictions
3.5 Alternative method
4 Contact

Version 5.0 / November 03, 2020
User Guide Business Partner Access
Responsible for the content: Thomas Schmidbauer, IT

1 General information

Wacker Chemie AG gives external-company employees of its business partners access to the WACKER data network. Depending on the requirements of the business partner there are different ways for remotely accessing the Wacker network.

1. Citrix Access Gateway (CAG) – STANDARD
   The preferred access method for business partners is the usage of the Citrix Access Gateway (CAG).
2. VPN client based business partner access
   If due to technical reasons the remote access by Citrix Access Gateway is not possible, the remote access to the Wacker network is also possible using a VPN (virtual private network) connection.
3. VPN access without a VPN client for business partner companies with a direct connection to the Wacker network
   For some special business partners, it may also be necessary that the business partner company gets directly connected to the Wacker network by a permanent VPN connection between the Wacker network and the business partner’s network.

You will be informed via e-mail which type of access has been provided for you.

This document describes the two following access methods:
- VPN client based business partner access
- VPN access without a VPN client for business partner companies with a direct connection to the Wacker network

Attention: If you have access via the Citrix Access Gateway (CAG), please use the documentation for the Citrix Access Gateway (CAG). Please refer to the Userhelpdesk (Chapter 4 Contact) to get the CAG documentation.

2 VPN-Client based business partner access

Users who want to access the Wacker network via VPN need a VPN client on their computer: the Palo Alto Global Protect client.

Attention: The Palo Alto Global Protect client is not necessary when the business partner is using a business partner direct connection which has explicitly been set up for the connection between the business partner’s company and Wacker Chemie AG. Please proceed with chapter 3 - VPN access without VPN client for business partners with direct connection to the Wacker network.

2.1 Pre-requisites

Usage of the VPN client business partner access requires:
- Approved IDM USS “Request for VPN access for business partners”
- Computer with an internet connection
- Single-use administrative rights for the installation of the VPN client Palo Alto Global Protect
- User name and logon password
- installed & configured Smartphone App “netIQ Advanced Authentication”
- Access rights for the application.

Attention: Initial setting of the logon password
- AD-Account: If you log on to the Wacker network using an AD account please contact the Wacker UserHelpDesk for setting the initial AD password.
- CD-Account: If you log on to the Wacker network using a CD account please set your CD password according to the method described in the email, which you received after successful completion of the IDM USS „Request for VPN access for business partner“.

2.2 Installing and configuring the MFA Smartphone App

The instruction for our MFA Smartphone App is tomer service/quickstart guide.pdf

2.3 Installation of the VPN client

Start your web browser and enter the URL (web address) https://bpa.vpn.wacker.com. Then enter your user name in the Name field and your logon password in the Password field.

After successfully logging on, you can download the VPN software. Select the version designed for your operating system.

Click Next to launch the installation assistant.

After successful installation the configuration window appears automatically. In the Portal field enter „bpa.vpn.wacker.com“. Then click Connect to start logging on for the first time.

Enter your user-id in the field Username and your password in the field Password. Click on Apply to start logging in.

In the GlobalProtect Gateway Authentication window, enter your 6-digit one-time password (OTP) from your Smartphone App. Click OK to confirm this.

As soon as a VPN connection has been established the following window appears. The GlobalProtect icon in the taskbar also shows that the connection is established.

Note: From now, you log on to the WACKER VPN Gateway as described in section 2.4 Logging on.

2.4 Logging on

To log on at the next VPN gateway start the GlobalProtect client and click on Connect.

Then choose “Best available gateway”.

Enter your user-id in the field Username and your password in the field Password. Click on Apply to start logging in.

In the GlobalProtect Gateway Authentication window, enter your 6-digit one-time password (OTP) from your Smartphone App.

As soon as a VPN connection has been established the following window appears. The GlobalProtect icon in the taskbar also shows that the connection is established.

2.5 Logging off

To end the VPN connection, right-click the GlobalProtect icon in the taskbar and select Disconnect.

When you have been disconnected, the message Disconnected appears in the taskbar and a red „X“ appears on the GlobalProtect icon in the taskbar.

2.6 Technical information

Note: The installation and usage of the VPN software Palo Alto Networks GlobalProtect does not require a license.

WACKER uses the following networks, and after you have successfully logged on, the information you enter is transmitted in encrypted form to the WACKER VPN 8.0.0/16 193.18.0.0/16 193.19.0.0/19

The following networks are exempt, so the information you enter in these networks is not transmitted to WACKER and you can also use these networks

The DNS configuration is handled automatically when you log on to the VPN gateway.

If you are using a firewall please make sure that this firewall is permitting SSL (TCP port 443) and IPsec-ESP-UDP (UDP port 4501) to the following WACKER .128/25

Note: If you are using proxies they are automatically detected and used by the VPN software GlobalProtect. In case of a proxy authentication, GlobalProtect shows an additional login window requesting the login information for your proxy. Because it is difficult for users to distinguish between the proxy login window and the WACKER login window we recommend allowing access to the above mentioned WACKER networks without authentication.

3 VPN access without VPN client for business partners with direct connection to the Wacker network

3.1 Pre-requisites

Usage of a VPN access without a VPN client requires the following:
- Direct connection between your company’s network and the network of WACKER Chemie AG
- User name and logon password
- installed & configured Smartphone App “netIQ Advanced Authentication”
- Access rights for the application.

Note: To find out if your company has a connection to WACKERʼs Business Partner MPLS, please contact your IT department.

To access applications in the WACKER network, you must first authenticate yourself at the business partner firewall.

Attention: Initial setting of the logon password
- AD-Account: If you log on to the Wacker network using an AD account please contact the Wacker UserHelpDesk for setting the initial AD password.
- CD-Account: If you log on to the Wacker network using a CD account please set your CD password according to the method described in the email, which you received after successful completion of the IDM USS „Request for VPN access for business partner“.

3.2 Installing and configuring the MFA Smartphone App

The instruction for our MFA Smartphone App is here: mer service/quickstart guide.pdf

3.3 Authentication

In your web browser, enter the URL (web address) corresponding to the region in which you are

Asia: http://auth-bpa-apac.vpn.wacker.com

You are forwarded to the WACKER User Identification Portal. Enter your user name in the Name field and leave the Password field blank. Then click Login.

You are now prompted to enter your 6-digit one-time password (OTP) from your Smartphone App. Confirm by clicking Login.

If the authentication is successful, the message You are authenticated appears.

3.4 Security restrictions

The authentication is valid for 10 hours, after which all connections are terminated for security reasons.

The authentication provides a 15-minute window during which you can launch the applications.

As long as you keep the authentication window (the window with the message You are authenticated) open in your web browser and a recent update is displayed after the word [Last check:, the start window’s timeout period is automatically extended.

3.5 Alternative method

For the authentication process (accessing the URL), your computer must be able to resolve the following host names and access these web sites using your web 3.18.80.19

You can either resolve the DNS using the WACKER DNS or your company’s own DNS.

If this is not possible, an address-based authentication can be performed using the following :6082/php/uid.php?vsys 5&url d.php?vsys 5&url uid.php?vsys 5&url http://193.18.80.129

Security warnings related to the certificates of the sites 193.18.64.19, 193.18.88.19 and 193.18.80.19 appear, but you can ignore these warnings.

4 Contact

If you experience a problem, please contact the WACKER UserHelpDesk.

USA (Americas):
Tel. 1 800 430-8374
help.desk@wacker.com

Asia (APAC):
Tel. 86 21 6100-3456
helpdesk.asiapac@wacker.com

Europe (EMEA):
Tel. 49 89 6279-1234
userhelpdesk@wacker.com

Wacker Chemie AG
Hanns-Seidel-Platz 4
81737 Munich, Germany
Tel. 49 89 6279-0
www.wacker.com
