File:         README.TXT
Product:      Secure Entry CE Client
Manufacturer: NCP engineering GmbH, Nuremberg, Germany

-------------------------------------------------------------------------------
Installation Instructions
-------------------------------------------------------------------------------

1.    Overview
1.1   NCP Secure Entry Client - Universal IPSec Client
2.    Installation
2.1   Installation Prerequisites
2.2   Installation of the PC component
2.2.1 Installation from the hard disk
2.2.2 Installation from CD
2.2.3 Diskette installation
2.3   Before Starting
2.4   Transferring the Profile Settings and the Certificates
2.4.1 Profile Settings
2.4.2 Certificates
2.5   Update and Uninstalling the PC component
2.6   Installation of the PDA component
2.7   Full version release
2.7.1 Operating System on the mobile device
2.8   Uninstalling the PDA component
2.8.1 Uninstalling from PC
2.8.2 Uninstalling from the PDA component



-------------------------------------------------------------------------------
1.    Overview
-------------------------------------------------------------------------------

1.1   NCP Secure Entry Client - universal IPsec client

The NCP Secure Entry Client can be used in any VPN environment. The client 
communicates on the basis of the IPsec standard (see -> Examples and 
explanations, Security, IPsec) with the gateways provided by a wide variety of 
vendors* and is the alternative to the uniform IPsec client technology offered 
on the market. The Secure Entry Client has additional features that integrate 
the user into a holistic remote access VPN solution.

The NCP Secure Entry Client offers:

- Support of all major operating systems
- Dial-in over all transmission networks
- Compatibility with VPN gateways from a wide variety of vendors
- Integrated personal firewall for more security
- Dialer protection (no misuse by third parties)
- Convenient operation (graphic interface)
- Central management (optional)


-------------------------------------------------------------------------------
2.    Installation
-------------------------------------------------------------------------------

The installation of the Secure Entry CE Client software is conveniently carried 
out via setup for all Windows systems. The installation procedure is identical 
for all versions of the Secure Client. Before you install the software, the 
installation prerequisites must be fulfilled for full functionality, as 
described in the following chapter. Also please be aware that the NCP Secure 
Entry CE Client software consists of two components that must be installed 
separately.
- PC component
The PC component has the NCP Secure Entry CE Client Configurator for creating 
the Profile Settings. From this Configurator, the Profile Settings are copied 
onto the PDA via ActiveSync.
- PDA component
The PDA component consists of the NCP Secure CE Client Service (NCP Client 
Service), which analyses the data for the modem (or mobile phone) or LAN 
adapter and the chip card reader, and the NCP Secure CE Client Configurator (NCP 
Client Configurator) for selecting the profile and establishing the connection 
to the corresponding destination system.

Sequence from installation to starting operation
Please follow the sequence!
- Installation of the PC component
- Installation of the chip card reader on the PDA (if Smart Cards are
  implemented)
- Installation of the PDA component
- Start the NCP Client Service on the PDA (if the Strong Security version is 
  implemented)
- Configuration of the profiles on the PC
- Transfer of the Profile Settings (and the certificate for the Strong Security 
  version)
- Starting operation on the PDA

2.1   Installation Prerequisites

- Operating System

One of the following operating systems has to be installed on the mobile device:
- Windows CE 3.0 (Handheld PC 2000, Pocket PC 2002)
- Windows CE.net 4.2 (Windows Mobile 2003 for Pocket PC)
- Windows CE 5 (Windows Mobile 5)
- Windows Mobile 6

Windows Mobile 6.0 makes no distinction between Pocket PCs and Smartphones. 
Three versions of the software are offered: Standard, Classic, and Professional. 
Devices with touchscreens (formerly Pocket PCs) use the Classic or Professional 
versions, and devices without touchscreens (formerly Smartphones) require the 
Standard version. Depending on the manufacturer of the device, the Standard 
version may require a signed Client Software, whereas the Classic and 
Professional versions may use an unsigned Client Software. You may receive the 
signed Client Software as required. This is indicated as Smartphones 
Mobile2Market. Additional information is available at: 
www.ncp.de/english/home/.

System requirements for the mobile device:
- approx. 3 MB program memory
- approx. 1 MB free data memory
- StrongARM Processor (min. 200 MHz)

System requirements for the PC component:
- Operating Systems Windows 98se/NT(4.0) SP5 /2000/XP
- 32 MB RAM
- 10 MB free memory on hard disc
- Installation of Microsoft ActiveSync Version 3.0 or later (Windows Vista requires the Windows Mobile Device Center).

- Local System

The dial-up via the selected profile to the destination system is handled via a 
PDA (Personal Digital Assistant) with Windows CE. Because the NCP dialer as well 
as the Microsoft RAS dialer can be used for dial-in, all marketable combinations 
of PDAs and mobile phones are supported. The prerequisites are appropriate CE 
compatible drivers.

Analogue modems and mobile phones

For communication via modem (or mobile phone), the modem must have been 
correctly recognized by Windows CE.

Drivers for modems that support the Hayes command set are integrated in Windows 
CE. Likewise Windows CE supports most mobile phones with IR interface or 
Bluetooth and built-in modem.

Data connections requiring an initialization string for their establishment 
(mostly GPRS) can be established only with the NCP dialer, that is if the 
Microsoft RAS dialer is not in use.

The modem data will be downloaded from the PDA when starting the PC component. 
Please ensure that an ActiveSync connection between PC and PDA exists at this 
point in time.

LAN adapter (LAN over IP)

In order to operate the client software with the connection type "LAN over IP" 
in a local area network, a LAN adapter (Ethernet or Wireless LAN) must be 
installed on the PDA.

- Prerequisites for Strong Security

If you use the VPN/PKI/ CE Client software (Strong Security version of the 
client), that supports certification (X.509), then either a chip card reader 
must be connected to the PDA or a soft certificate must be loaded on it.

Chip Card reader (PC/SC conformant)

The client software automatically supports all chip card readers that are PC/SC 
conformant. These chip card readers will only be listed after the reader is 
connected and the associated driver software has been loaded. When the 
"NCP Client Service" is started on the PDA, the system is searched for the chip 
card reader. Consequently it is absolutely necessary that the card reader be 
installed and connected at this point in time!

Certificate configuration

Please note: Before you undertake a certificate configuration with the Client 
Configurator (see -> Client Configurator, configuration, certificates), the 
information about available chip card readers must have been transferred from 
the PDA to the PC. Because the NCP Client Service creates this information, the 
NCP Client Service must have been loaded before starting the PC component. An 
existing ActiveSync connection is required to transfer this data.

Chip cards (Smart Cards)

The Strong Security version of the client supports chip cards from Signtrust, 
NetKey 2000 and TC Trust (CardOS M4). NCP continuously strives to support the 
new chip card readers and chip cards. Refer to the NCP website to check the most 
current list of supported products.

Chip card or Token (PKCS#11)

The PKCS#11 Modules of other manufacturers are supported by their driver library 
(DLL).

Soft certificates (PKCS#12 file)

Instead of reading out the certificate of a Smart Card via a chip card reader, a 
soft certificate (PKCS#12 file) can also be used.

Certificate configuration

Please note: Path and name of the PKCS#12 file required for the configuration 
(see -> Client Configurator, configuration, certificates) must agree with the 
location of the file on the PDA!

The menu item "Configuration - transfer PKCS#12 file to the PDA" in the Client 
Configurator can be used for transferring the PKCS#12 file. If this function is 
used, then the path can be specified as follows:
%INSTALLDIR%\certs\<PKCS#12-file name>



2.2   Installation of the PC component

There is no difference in the software installation procedure used under the 
operating systems Windows 2000/XP and Windows Vista. However, please note 
whether you are installing from the hard disk, from the CD, or from the 
diskette. If you have already installed an older version of the software, then 
please see the chapter "Update and Uninstall".

2.2.1 Installation from the hard disk

If you would like to install the software after a download from the NCP FTP 
server, then unpack the ZIP file first. The directories "DISK1", "DISK2", 
"DISK3" will automatically be created while unpacking. If the request message 
"Install program from diskette or CD" appears when starting the installation, 
then click "Next" and afterwards click "Browse" in order to select SETUP.EXE in 
the "DISK1" directory. All further installation procedures are identical to 
those described in the section "Installation from diskette".

2.2.2 Installation from CD

After you have inserted the CD in the drive of your computer, after a few 
seconds the NCP greeting screen automatically appears on your monitor. Select 
which product you would like to install and then click on "Install". The 
subsequent procedure is identical with the diskette installation from the point 
"Select the setup language".

2.2.3 Installation from removable disk

The first installation step is to select "Start -> Settings -> Control Panel" in 
the main Windows menu. Select "Add/Remove Programs" in the Control Panel. Then 
click on the "Install..." button in the "Install/Uninstall" tab. Now insert the 
first diskette with the client software in the drive of your computer, if you 
have not already done so, and click "Next..."

When "SETUP.EXE" is displayed, click on "Finish". In the next window you can 
select the setup language. Then click on "OK". Then the setup program prepares 
the install shield assistant, with whose help the installation is continued. 
Please read the instructions in the welcome window of the setup program before 
you click on "Next".

Then the licence conditions are displayed. If you agree with the contract, then 
select "Yes"; otherwise the installation will be aborted. (The licensing is done 
first on your PDA device.) This is where you specify the destination directory 
for the client software. (The default is programs\ncp\ceclient.) Otherwise you 
can specify the program file folder. Then the files are copied over.

Follow the instructions on the screen and change the diskettes when you are 
requested to do so. After all required files have been copied over from the 
installation diskettes, and the program group has been created, click on "End" 
to conclude Setup.

If you leave the setting "Start PDA Installation" enabled, the PDA component is 
automatically installed after the installation of the PC component has 
finished. If you switch off the automatic installation here, you can install 
the PDA component later. For that, see chapter "Installation of the PDA 
component".

After installation you will find in the Windows start menu, in the program group 
"NCP Secure Client", the program "Secure Entry CE Client Configurator". The 
configuration of the profiles, the composition of the Profile Settings, and the 
transmission of the Profile Settings to the PDA (see -> Client Configurator) are 
executed with this program Configurator.


2.3   Before Starting

After installing, the Client Monitor is displayed without configuration. To use 
the Secure Entry Client you first have to generate an entry in the phonebook, 
which means that you have to define a profile to which an IPsec connection can 
be established.

In a Confirmation window the program offers to configure a profile with the 
help of a Configuration Assistant.

Click on "Yes" in the Confirmation window and refer to the description in the 
handbook under "3. NCP Client Configurator":
- Configuration / Profile Settings (The entries in the Profile Settings)
A connection to the corresponding destination can only be made if a profile has 
been set in the profile settings:
- Establishing a Connection


2.4   Transferring the Profile Settings and the Certificates

2.4.1 Profile Settings

Before transferring the profile settings, the profile system must first be 
configured on the PC and the profile settings must be completed. See the 
sections "Client Configurator of the PC component" and "Configuration 
parameters" in the manual to do this. If you are using the Strong Security 
version of the software with chip card reader, then please note the following: 
Before you undertake a certificate configuration with the PC component, the 
information about available chip card readers must have been transferred from 
the PDA to the PC. Because the NCP Client Service creates this information, the 
NCP Client Service must have been loaded before starting the PC component. An 
existing ActiveSync connection is required for transferring this data. The 
transmission of the profile settings is described in the section "Profile 
Settings Upload".

2.4.2 Certificates

The supplied test certificates from NCP, CA certificate (ncpsupportca.der) and 
user certificates (user1.p12 and user2.p12) are already located on the PC and 
the PDA after the installation of the two software components. If you are using 
your own soft certificates, then these must be transferred from the PC via 
ActiveSync. In this case, note that the PDA can only read CA certificates in 
the DER (Distinguished Encoding Rules) format with file endings DER, CER, or 
CRT! The PEM format is not supported. The destination directory on the PDA for 
the CA certificate is:
\Programs\NCP Secure CE Client\CaCerts
The destination directory on the PDA for the user certificate is:
\Programs\NCP Secure CE Client\CaCerts
The transfer of the user certificate in its directory can be facilitated by 
selecting the menu item "Transfer PKCS#12-file to the PDA" in the PC component 
Configurator (see -> Client Configurator of the PC component, configuration).
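
Added example (not part of the original README and not NCP code): a Python 
sketch for the PC side that turns a PEM-armoured CA certificate into the DER 
encoding the PDA requires and picks a file name with one of the accepted 
endings. The function names and the sample bytes are assumptions made for 
illustration; the check covers only the outer DER framing, not the certificate 
contents.

```python
"""Prepare a CA certificate for the PDA: DER encoding, DER/CER/CRT file ending."""
import base64
import binascii
import re
from pathlib import PureWindowsPath

ALLOWED_ENDINGS = {".der", ".cer", ".crt"}  # endings the README lists for CA certificates
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one SEQUENCE (tag 0x30) whose length field matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length held in one byte
        header, length = 2, first
    else:                                 # long form: next (first & 0x7F) bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + length   # rejects truncated files and trailing bytes


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM or DER; raise ValueError otherwise."""
    match = PEM_BLOCK.search(data)
    if match:
        try:
            data = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    if not is_der_sequence(data):
        raise ValueError("not a single DER-encoded SEQUENCE")
    return data


def pda_file_name(name: str) -> str:
    """Keep an accepted ending, otherwise replace it with .der (ca.pem -> ca.der)."""
    path = PureWindowsPath(name)
    if path.suffix.lower() in ALLOWED_ENDINGS:
        return path.name
    return path.with_suffix(".der").name


# Constructed stand-in for a certificate: a 4-byte DER SEQUENCE, then PEM-armoured.
SAMPLE_DER = bytes([0x30, 0x02, 0x05, 0x00])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(to_der(SAMPLE_PEM).hex(), pda_file_name("myca.pem"))
```
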


2.5   Update and Uninstalling the PC component

If an older version of the client software is found, then it is possible to 
execute an update. The Profile Settings will be maintained in the configuration 
made earlier if you are updating. To remove the PC component, go to: "Start" -> 
"Settings" -> "Control panel". Now click on "Add/Remove Programs" and select 
"NCP Secure CE Client" from the list. Then click on the "Add/Remove" button. The
Uninstall Shield Program now deletes the Client software from your PC.

Important: After the component has been removed, the client's Profile Settings 
remain intact, so that they can be used for newer versions of the Secure CE 
client. In order to completely delete the file from your PC, you must proceed 
manually. The Profile Settings file is located at:
\programs\ncp\ceclient\bin\ncpphone.cfg


2.6   Installation of the PDA component

If the installation of the PDA component is not done automatically after 
installing the PC component, the installation of the PDA component is 
triggered from the PC. In the Configurator, click the menu item "PDA 
installation" under "Connection". Please ensure that the "Software" dialog from 
ActiveSync is not open when you execute the PDA installation program! 
ActiveSync has now been requested to install the NCP Secure CE Client on the 
mobile device.

Select the standard directory as the installation directory on the PDA. 
Afterwards the data for the NCP Secure CE Client will be transmitted.

After the data transmission has been concluded, check the screen of the mobile 
device: On the PDA the installation is executed while unpacking the transferred 
data.

After unpacking you will be requested by the PDA to do a soft reset. This 
concludes the installation of the PDA component. 

After the soft reset you will find the two icons in the programs file folder for
- NCP Client Monitor
- NCP Client Service

Before a connection can be established, the telephone book with the configured 
destination systems, and the certificate data, if required, must be transferred 
to the PDA!


2.7   Full version release

Licensing no longer occurs via the popup program on the PDA; it is now executed 
via the popup menu on the monitor under the item "Activation".

The software version implemented, and possibly the licensed version with serial 
number, are shown under the menu option "License Information" in the popup menu 
of the monitor. If the software is used as a test version then the remaining 
validity period is displayed in this window.

In order to use a valid full version that is not subject to time restrictions, 
the software must be released with the license key and serial number received.

License key and serial number can be entered after you have clicked on the 
arrow button in the window for "License Information". Now the license data can 
be entered either online or offline via an assistant.

In the offline variant, a file that is generated after entering license key and 
serial number must be sent to the NCP web server, and the activation key that is 
displayed on the website must be noted. This activation key can be entered in 
the licensing window of the Monitor menu at a later point in time.

When using the offline variant, an IP connection to the activation server must 
be established. In the online variant, an assistant forwards the licensing data 
to the activation server immediately after entry and thus the software is 
immediately released.

2.7.1 Operating System on the mobile device

With version 2.33 of the NCP Secure Entry CE Client, the operating system Windows Mobile 6 is supported in addition to the other Windows Mobile operating systems.

Installation of the Client software 2.33 under Microsoft Windows Mobile 6 requires a license key for this version. This software cannot be operated under an older license key.

You must have at least version 2.3 to activate the Client software under Windows Mobile 6. This is the prerequisite. If a no-charge update to version 2.3 is available to you, then you will receive the associated license key when the software is activated. Otherwise, updates to version 2.3 can be purchased in the NCP E-store or from your NCP dealer.


2.8   Uninstalling the PDA component

The PDA component can be removed from the PC side via ActiveSync, and also 
directly on the PDA.

2.8.1 Uninstalling from PC

After starting ActiveSync select "Add/Remove Programs", highlight the NCP 
Secure CE Client as in the adjacent graphic and click on "Remove". In the window 
that then appears underneath, click on "OK". On the PDA a message appears 
briefly next to it and then a request to do a soft reset appears. Click OK, 
execute a soft reset, and then redo the Uninstall as described to this point!

After that the uninstall is concluded. If certificates are still 
present on the PDA, then these must be manually removed from the specified 
directories. The Profile Settings will be deleted automatically.

2.8.2 Uninstalling from the PDA component

Select "Settings - System - Remove Programs" in the start menu of the PDA, 
select the program NCP Secure CE Client and activate the remove button. The 
system will ask you to confirm with "Yes". The client will be stopped and then 
you will be requested to execute a soft reset.

Click OK here and execute a soft reset. After that the uninstall is concluded. 
If certificates are still present on the PDA, then these must be manually 
removed from the specified directories. The Profile Settings will be 
automatically deleted.
===============================================================================
NCP engineering GmbH, 
July 2007
