zf net remote client faq (en) - web-ras.zf.com · net remote – client faq (en) how long is a soft...

Internal

Version 1.00.9

06.03.2018

FIII52 Dept.

ZF Net Remote Client FAQ (EN)

Net Remote – Client FAQ (EN)

Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!

Printed Copies are for information only and not subject of a change service!

2 Internal

Lenkungsinformationen / Control Information

Title:

Title: ZF Net Remote Client FAQ

Erstellt/ Prepared by: Geprüft/ Checked by: Freigegeben/ Approved by:

Datum/ Date:

2016-05-02 Datum/ Date:

(YYYY-MM-DD)

Datum/ Date:

(YYYY-MM-DD)

Name: FIII52 Name: Name:

Datum Date

(YYYY-MM-DD)

Version Version

Inhalt / Änderung Content / Change

Ersteller Author

2016-05-02 1.00.2 Control information added FIIN1

2016-06-07 1.00.3 Chapter 13 added FIIN1

2016-06-08 1.00.4 Error corrections FIIN1

2016-08-04 1.00.5 Chapter 13.5 added FIIN1

2016-09-20 1.00.6 Chapter 14 added FIIN1

2017-12-04 1.00.7 New ZF-Logo, Chapter 15+16 added FIIN1

2017-12-08 1.00.8 Video links updated FIIN1

2018-03-06 1.00.9 GHD, department, filename FIII52


Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


3 Internal

Table of Contents

1 Summary 4

2 What do I need in order to start? 4

3 What does ZF Net Remote do? 4

4 Restrictions in the local network 4

5 How long is a soft token valid for? 5

6 How often do I need to change my password (PIN)? 5

7 Can I use the old password again if I need to enter a new password (PIN)? 5

8 Is it necessary to use upper/lower case in the password (PIN)? 5

9 Can I change my password (PIN) myself? 5

10 Can I use the soft token on another device? 5

11 When should I use the ZF-EMEA, ZF-AMERICA and ZF-APA connections? 6

12 When should I use the ZF-SEED download connection? 6

13 Problems in the home office, what can I do? 6 13.1 Define the problem (various options) 6 13.1.1 Connect the notebook directly to the router 6 13.1.2 Use the notebook in the direct vicinity of the wi-fi access point 6 13.1.3 Connect the notebook to a different DSL connection 7 13.1.4 Test the ZF notebook in the ZF network 7 13.2 Router settings 7 13.3 Wi-fi level display 7 13.4 Power LAN (PLC) 7 13.5 DECT (cordless phone) 7

14 Time and time zone, what is important? 8

15 Manually exchange & activate tokens 9 15.1 Token Download and Activation before the First Connection Establishment 9 15.1.1 Connecting to the VPN gateway for the first time 14 15.2 New token: Re-personalizing the token necessary 18 15.3 ZFNR Software reinstalled: Reconnecting Pulse Secure 20 15.4 Problem: Token-Seed Download > "Token import failed" 23

16 IT HelpDesk (IT-Hotline) 24


Summary Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


4 Internal

1 Summary

Here, you will find answers to frequently asked questions relating to ZF Net Remote. Target group: ZF Net Remote users Validity: Status of the information stated below: 04/2014 Changes may be implemented at any time.

2 What do I need in order to start?

You need a valid ZF Net Remote account which can be obtained on request from User Management. If you do not have authorization, your responsible applicant must make the request for authorization. Authorized applicant ZF-internal : E.g. direct superior, cost center manager, group manager, etc. ZF-external : ZF contact person, ZF contact, …

The RSA SecureID token must be activated and personalized. The necessary information will be sent to you in two separate e-mails. The necessary steps are described in Section 2 of the operating instructions.

3 What does ZF Net Remote do?

ZF Net Remote enables secure (encrypted) access to the ZF network via the Internet. An Internet connection is required if you are working exclusively with the VPN client (Junos Pulse).

4 Restrictions in the local network

The secure tunnel "has no doors" and prevents the computer from accessing any other systems in the local network. When the tunnel is set up you can only access systems on the Internet via the ZF network and when you have Internet authorization.

Blocking caused by a firewall in the local network can hinder access to the ZF network, even if "normal" surfing on the Internet is still possible. Contact the operator or administrator of the network to have the block removed. Please also read Sections 5 and 4.6 in the operating instructions about this issue.


How long is a soft token valid for? Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


5 Internal

Additional information: Image - ZF Net Remote Overview

5 How long is a soft token valid for?

A soft token is valid for minimum 3 years. The date of purchase applies. Not the date the user starts to use it on. Any soft tokens that become available again during that period are automatically re-assigned. You can find the expiry date of your soft token in the "RSA SecureID Token" software under: Options → Manage Tokens → Token Information "Expiry date"

6 How often do I need to change my password (PIN)?

It is not necessary to regularly change your password.

7 Can I use the old password again if I need to enter a new password (PIN)?

You can use the same password again.

8 Is it necessary to use upper/lower case in the password (PIN)?

No. The PIN rules are as follows:

Precisely 8 digits

Letters and numbers only (alphanumerical)

No special characters, punctuation marks or similar.

9 Can I change my password (PIN) myself?

No. Please call the Hotline - numbers are listed in the chapter IT HelpDesk (IT-Hotline). The Hotline will set your account into a so-called New Pin Mode in the ZFNR system. You will then be prompted during the next dial-in to change your PIN.

10 Can I use the soft token on another device?

No, it is not possible to use it more than once (parallel use of several computers) because the soft token cannot be transferred to a different device. Please call the Hotline if you have a new computer or if a new operating system is installed on your existing computer. You will be assigned a new soft token to download and set up on the new computer. You will again receive two emails with the necessary access data for the activation. Your previously used soft token will be automatically blocked.


When should I use the ZF-EMEA, ZF-AMERICA and ZF-APA connections? Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


6 Internal

11 When should I use the ZF-EMEA, ZF-AMERICA and ZF-APA connections?

You use these three gateways (dial-in nodes) when you are connected to the Internet and want to access the ZF network. Three dial-in nodes (gateways) were set up worldwide for this purpose:

ZF-EMEA = Europe Middle East Africa

ZF-AMERICA = North and South America

ZF-APA = Asia and Pacific Area Recommendation: Use the gateway closest to your location to minimize any delays (latency periods). You can however also use one of the other two gateways if necessary. Comment: One exception is the group of external users - they can only use the home gateway.

12 When should I use the ZF-SEED download connection?

You only use this connection when you want to activate your access in order to download the Token Seed. After this download process, the connection is no longer required and must be closed.

13 Problems in the home office, what can I do?

ZF Net Remote presumes the Internet connection (unknown number of connection segments) between the local network and the ZF Gateway is stable. Connection problems are usually caused by interferences in the local network, in addition to interferences on the Internet.

Influencing factors:

The user and ZF Friedrichshafen AG do not have any influence on the sub-sections of the Internet connection, but have some influence on the start and end segments.

The user can use a convenient wi-fi connection or decide to use a more stable LAN connection.

The operator is responsible for the stability of the local network (LAN).

Even if the user can surf the Internet, this fact is no guarantee for a stable ZF Net Remote connection. The reason for this is that secure connections have greater requirements regarding the stability of the connection and security.

13.1 Define the problem (various options)

13.1.1 Connect the notebook directly to the router

If errors occur, connect your notebook initially via a LAN cable directly to your router. Use a suitable LAN cable for this purpose. Switch wi-fi off on the notebook while carrying out the test. Remember, even a LAN cable can be defective - if the error occurs again, try using a different LAN cable. If the problem is no longer present when connected via the LAN cable, proceed as described in 13.1.2.

13.1.2 Use the notebook in the direct vicinity of the wi-fi access point

Place your notebook close to the wi-fi access point which is usually integrated in the router. Test the dial-up connection and increase the distance from the router until the first error occurs. Move one step closer to the access point. The remaining distance to the access point marks the greatest distance that you can reach at this location. If it is not possible to work like that, we recommend only working in this local network with a LAN cable.


Problems in the home office, what can I do? Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


7 Internal

13.1.3 Connect the notebook to a different DSL connection

Connect the notebook to a different DSL connection for testing purposes. For example, ask the neighbor, family or friends if you can use their DSL connection. Ideally, the DSL connection should be from a different connection provider.

13.1.4 Test the ZF notebook in the ZF network

If the notebook is a ZF notebook, you can also test the function in the ZF LAN, ZF Office Network and even in the Guest Net. In the latter case, you will need temporary access with a username and password.

13.2 Router settings

The router configuration can also be responsible for problems. Even if you have not made any changes, the "default settings" may be the cause. Quick tips for experienced users:

Energy options → Switch off the energy-saving mode for LAN Ports

IPv6 configuration → Switch off

Bandwidths were limited → Increase for test purposes

Child-safety → Switch off or check

Firewall → E.g. SSL Port (443) blocked > Enable

Current use of IP telephony → Switch off or limit

Current use of TV or VOD → Switch off or limit

Bandwidth Up/Down link too low → Increase if possible

13.3 Wi-fi level display

The signal strength display is often misunderstood - this means the number of the relative level display = vertical "bars". These do not say anything about the quality of the connection or speed. We recommend carrying out Points 13.1 - 13.2 even when full signal strength, i.e. all bars, is displayed.

13.4 Power LAN (PLC)

Power LAN is also popular, e.g. means one less cable. Some of these "socket adapters" can cause problems. If the adapter becomes hotter than usual, this can for example be a sign of a forthcoming outage. Initial "glitches" can occur during this time and may be the cause for a poor connection. As in the case of wi-fi, we recommend following Points 13.1 - 13.2.

13.5 DECT (cordless phone)

Private phones are nowadays usually radiotelephones - specifically DECT phones. A part of the DECT telefone is the base station, unless they are coupled with the router. Is the phone, or the base station, positioned too close to the notebook (< 1m), interferences can disturb the wireless connection of the notebook. Here it helps to keep a greater distance. Example: place the base station on the shelf, not on the desktop or place the radio handset far from the notebook.


Time and time zone, what is important? Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


8 Internal

14 Time and time zone, what is important?

Please proceed as follows:

1. Change time zone 2. Check the date, time and time zone again 3. Restart computer! (very important)

Additional information: Change time zone without restarting the computer usually the result is that the login is no longer possible. The incorrect token code leads to lock access after several unsuccessful attempts. If locked, the hotline (IT helpdesk) is required to unlock the access. Why that all?

The correct time is important, as this included in the calculation of the token codes.

The time can only be changed with administrative rights.

The time zone can be changed by the user.

The time zone only will be transferred to the software "RSA Secure IT": At the startup of the computer.


Manually exchange & activate tokens Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


9 Internal

15 Manually exchange & activate tokens

15.1 Token Download and Activation before the First Connection Establishment

Learning Video to this chapter: Videos (An Internet connection is required) Before you connect to the ZF network for the first time, the RSA SecurID token must be downloaded and activated with the personal data of the user. Before you can start activation, you will need:

an Internet connection

a user ID from the ZF user management or, in the event of external users, from the ZF contact

a valid ZF Net Remote Account !!! >>> Request via your user management. This gives you

o your registration password (RPW) o your activation password, and o the relevant activation link.

You will receive the registration password via e-mail with the subject:

ZF Net Remote: Access activation process – Mail 1 of 2 From „[email protected]” *

The activation password and link will be sent in another e-mail with the subject:

ZF Net Remote: Access activation process – Mail 2 of 2 From „[email protected]” *

You will require an active Internet connection when activating the token. We recommend that ZF users perform this step in the internal ZF network. *These e-mail addresses have been set up as non-reply addresses. They cannot be used to

report problems which may arise.

https://web-ras.zf.com/zfnr/manuals/videos/ZFNR_Video-FAQ_v2.00_Chapter-15.1_en.wmv

mailto:[email protected]

mailto:[email protected]




10 Internal

ZF SEED download

Open the "Pulse Secure" software and click "Connect" on the "ZF-SEED-DOWNLOAD" item.

Entering the user ID and registration password

In this dialog box, enter your user ID and, in the Password field, the registration password (RPW) that was sent by e-mail. Upper and lower case is irrelevant when entering the user ID. Do not save

the settings.




11 Internal

Information window indicating that it is an initial connection which is only set up to download the token seed. Please go ahead by clicking "Proceed" to confirm. PS.: If you need terminate the connection clicking in "Decline".

ZF Seed download – connected

You should now be connected, do not disconnect before you have carried out the next steps.




12 Internal

Importing the RSA SecurID token Open the "RSA SecurID Token" software. When the Import personal token information dialog box appears, select "Import from Web".

Importing the token from the entered URL

In the following dialog box, enter the activation link (=URL)* and the activation code, click OK to confirm. *If not entered already: https://rsa1.int.gca-protect.de:7004/ctkip/services/CtkipService >> If error message "Error communication with server. Token import failed" appears, please

first read chapter 4.5. Your personal token information is now imported and saved on your mobile computer. Do not change the token name, click OK to confirm. The token code now appears in a display window which shows a different value every minute. Close the window via the cross.

Auth. code from e-mail 2




13 Internal

ZF Seed download – disconnecting

In Pulse Secure, now disconnect "ZF-SEED DOWNLOAD".




14 Internal

15.1.1 Connecting to the VPN gateway for the first time

Then open the connection to your ZF region (EMEA, AMERICA, APA). Contact the IT HelpDesk if you are not sure of the region to which you must log in.

Pairing Pulse Secure with the Token

A checkbox dialog then appears where you select the RSA SecurID token (short "token") which you imported in the previous step. Select the "Save settings" checkbox.

Check this box!




15 Internal

New-PIN mode on first connection In the following dialog box, enter your ZF User ID in the "User Name" field. As this is the first connection, you are in "New Pin Mode" and you can leave the PIN box empty. Proceed via "Connect".

Setting your new PIN

Once you have confirmed the dialog box above, you can now select your new PIN. In the PIN setting dialog box, type in your personal PIN and re-enter it in the box below to confirm. The pin must have 8 letters and numbers. Do not write down your PIN in such a way that an association could be made with the token. The following restrictions apply when setting a PIN:

The PIN must be exactly 8 characters long.

The PIN may only include lower case letters and numbers. No special characters or umlauts may be used.

The PIN must include at least one number and one letter.

Leave this box empty




16 Internal

First connection with the new PIN

Once you have set your PIN, a connection will be automatically established. You will then be prompted to enter your PIN again for authentication. In the login dialog box, enter the PIN you set in the previous dialog box.

You do not have to type in the token data manually, this is entered automatically in the background. You have now established an active ZF Net Remote VPN connection. From now on, you can work on your computer in almost exactly the same way as if you were connected to the ZF network. You now have access to all ZF network servers and computers for which a release has been issued to you in the firewall. The access speed to the ZF network solely depends on the access speed and quality of the data link you are using.

Disconnecting from ZF Net Remote

You can disconnect from ZF Net Remote once you have finished your work or no longer require the ZF Net Remote VPN connection. This is performed by clicking "Disconnect" in the "Pulse Secure" program.

Enter your new PIN here




17 Internal

Closing the ZF Net Remote software

The Pulse Secure client can be minimized to the taskbar by clicking the "Close" button or the close icon at the top right of the dialog box. Exit the program by right-clicking on the taskbar icon and then clicking "Exit" in the context menu.




18 Internal

15.2 New token: Re-personalizing the token necessary

Should it be necessary to download the token seed again, the old token seed and the stored setting must first be deleted. For instance, this is necessary

- if you have changed your computer or the operating system has been updated. - if an error is present or a replacement token need to activate.

Please note: You will receive two new e-mails from the IT HelpDesk or end device service as a result of the reallocation of a token seed. The old token will become unusable as a result and the old e-mails can NO LONGER be utilized. Deleting the token: Open the software "Start -> All Programs -> ZFNR -> RSA SecurID Token". Click the "Options" button to go to the dialog box where you can delete the token. Confirm you want to delete the token: The acknowledgement that the token was deleted then appears - confirm with OK. Click "No" here ….




19 Internal

… and confirm the information window by clicking on "Close". Deleting the stored setting Please then delete the stored settings in the "Pulse Secure" program. This is performed by clicking "File" –> Connections" – >"Forget Saved Settings".

Please then follow the steps described in chapter 15.1: "Token: Downloading, Activating, and Pairing before the First Connection"




20 Internal

15.3 ZFNR Software reinstalled: Reconnecting Pulse Secure

Learning Video to this chapter: Videos (An Internet connection is required) Following a software update to Pulse Secure, the software is reconnected with the downloaded active token. Before you start, please close all programs as precautionary measure (except Outlook and Internet Explorer). The step can only be performed provided that a ZF network or Internet connection exists. Deleting the stored setting Please delete the stored settings in the "Pulse Secure" program. This is performed by clicking "File" -> "Connections" –> "Forget Saved Settings".

Open the connection to your ZF region (EMEA, AMERICA, APA). Contact the IT HelpDesk if you are not sure of the region to which you must log in.

https://web-ras.zf.com/zfnr/manuals/videos/ZFNR_Video-FAQ_v2.00_Chapter-15.3_en.wmv




21 Internal

A checkbox dialog then appears where you select the RSA SecurID token (short "token") which you imported in the previous step. Select the "Save settings" checkbox.

Entering the User ID and the PIN

In the following dialog box, enter your ZF User ID in the "User Name" field and the last valid PIN prior to the update in the PIN field. Proceed via "Connect". Please get in touch with the IT HelpDesk if you no longer remember your PIN.

Check this box!

Last known PIN




22 Internal

Quickly establishing a connection

Establish a connection that, however, can be immediately disconnected once again via "Disconnect".

You can carry on with your previous work after disconnecting




23 Internal

15.4 Problem: Token-Seed Download > "Token import failed"

The token seed cannot be imported from Web with the "RSA SecurID Token" software. The following error message appears: „Error Communicating with Server. Token import failed.“

Cause: The "RSA SecurID Token" software requires proper proxy settings (PAC File). During the "Seed-Download connection" a proxy should not be used. By ZF computers a corresponding PAC file controls the use. Possible errors regarding the IE proxy configuration:

fixed proxy settings

automatic proxy detection is enabled

incorrect PAC file name entered

Solution:

External ZFNR-User: Click to IE, click Tools → Internet Options → Connections → LAN settings. Temporally disable: The use of proxy servers during the Seed-Download connection.

Internal ZFNR-User: Entering of the matching PAC file corresponding to the domain membership of the ZF user. Click to IE, click Tools → Internet Options → Connections → LAN settings. Address: EMEA http://webpac.emea.zf-world.com/global.pac AMERICA http://webpac.america.zf-world.com/global.pac APA http://webpac.apa.zf-world.com/webpac/global.pac


IT HelpDesk (IT-Hotline) Ausgedruckte Exemplare dienen nur zur Information und unterliegen nicht dem Änderungsdienst!


24 Internal

16 IT HelpDesk (IT-Hotline)

ZF EMEA IT HelpDesk Mon. to Fri., 5:00 a.m. to 10:00 p.m. (CET+CEST) Phone: +49 7541 77 3600

ZF APA IT HelpDesk Mon. to Fri., 8:00 a.m. to 5:00 p.m. (CST) Phone: +86 21 3761 3600

ZF AMERICA - North IT HelpDesk Mon. to Fri., 8:00 a.m. to 5:00 p.m. (Eastern Standard Time) Phone: +1 734 582 8330

ZF IT Global HelpDesk 24/7 Phone: +49 851 494 2210 Phone: +49 7541 77 3720

ZF AMERICA - South IT HelpDesk Mon. to Thu., 7:30 a.m. to 5:15 p.m. (GMT -3) Fri 7.30 a.m. to 3.30 p.m. (GMT -3) Phone: +55 15 4009 3600

zf net remote client faq (en) - web-ras.zf.com · net remote – client faq (en) how long is a soft...

Documents